Put an upper limit on how many sessions we will allocate before we just

drop new connections summarily. The parameter is session_max, default is 100k and the stats variable client_drop counts how many sessions were dropped. This is mostly an anti-DoS measure and your feedback and experience with it is most welcome. git-svn-id: http://www.varnish-cache.org/svn/trunk/varnish-cache@4070 d4fa192b-c00b-0410-8231-f00ffab90ce4

Put an upper limit on how many sessions we will allocate before we just
drop new connections summarily. The parameter is session_max, default is 100k and the stats variable client_drop counts how many sessions were dropped. This is mostly an anti-DoS measure and your feedback and experience with it is most welcome. git-svn-id: http://www.varnish-cache.org/svn/trunk/varnish-cache@4070 d4fa192b-c00b-0410-8231-f00ffab90ce4
5c0fe1fa · Poul-Henning Kamp · 32038aec · 5c0fe1fa · 5c0fe1fa · 5c0fe1fa
Commit 5c0fe1fa authored May 11, 2009 by Poul-Henning Kamp
5 changed files
--- a/bin/varnishd/cache_acceptor.c
+++ b/bin/varnishd/cache_acceptor.c
@@ -241,8 +241,11 @@ vca_acct(void *arg)
 				continue;
 			}
 			sp = SES_New(addr, l);
-			XXXAN(sp);
-
+			if (sp == NULL) {
+				AZ(close(i));
+				VSL_stats->client_drop++;
+				continue;
+			}
 			sp->fd = i;
 			sp->id = i;
 			sp->t_open = now;

--- a/bin/varnishd/cache_session.c
+++ b/bin/varnishd/cache_session.c
@@ -111,6 +111,8 @@ ses_setup(struct sessmem *sm, const struct sockaddr *addr, unsigned len)
 	volatile unsigned u;

 	if (sm == NULL) {
+		if (VSL_stats->n_sess_mem >= params->max_sess)
+			return (NULL);
 		/*
 		 * It is not necessary to lock mem_workspace, but we
 		 * need to cache it locally, to make sure we get a

--- a/bin/varnishd/heritage.h
+++ b/bin/varnishd/heritage.h
@@ -82,6 +82,9 @@ struct params {
 	/* TTL used for synthesized error pages */
 	unsigned		err_ttl;

+	/* Maximum concurrent sessions */
+	unsigned		max_sess;
+
 	/* Worker threads and pool */
 	unsigned		wthread_min;
 	unsigned		wthread_max;

--- a/bin/varnishd/mgt_param.c
+++ b/bin/varnishd/mgt_param.c
@@ -676,6 +676,15 @@ static const struct parspec input_parspec[] = {
 		"have both IPv4 and IPv6 addresses.",
 		0,
 		"off", "bool" },
+	{ "session_max", tweak_uint,
+		&master.max_sess, 1000, UINT_MAX,
+		"Maximum number of sessions we will allocate "
+		"before just dropping connections.\n"
+		"This is mostly an anti-DoS measure, and setting it plenty "
+		"high should not hurt, as long as you have the memory for "
+		"it.\n",
+		0,
+		"100000", "sessions" },
 	{ "session_linger", tweak_uint,
 		&master.session_linger,0, UINT_MAX,
 		"How long time the workerthread lingers on the session "

--- a/include/stat_field.h
+++ b/include/stat_field.h
@@ -30,6 +30,7 @@
 */

 MAC_STAT(client_conn,		uint64_t, 0, 'a', "Client connections accepted")
+MAC_STAT(client_drop,		uint64_t, 0, 'a', "Connection dropped, no sess")
 MAC_STAT(client_req,		uint64_t, 0, 'a', "Client requests received")

 MAC_STAT(cache_hit,		uint64_t, 0, 'a', "Cache hits")