rpms / systemd

Clone
Source Code
GIT

Blame 0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch

c10s-sig-hyperscale c10s-sig-hyperscale-v255 c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale c9s-sig-hyperscale-v255
  1.   99506ee643a7ff1eff6ab00d6401735eebba3642
  2.   0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch
Blob History Raw
Zbigniew Jędrzejewski-Szmek bb2f5f 
From f6b09a2ed646f0a0b54605d4c19a898ab2bbf192 Mon Sep 17 00:00:00 2001
Zbigniew Jędrzejewski-Szmek bb2f5f 
From: Lennart Poettering <lennart@poettering.net>
Zbigniew Jędrzejewski-Szmek bb2f5f 
Date: Mon, 18 Sep 2023 17:51:49 +0200
Zbigniew Jędrzejewski-Szmek bb2f5f 
Subject: [PATCH 2/3] man: document the new
Zbigniew Jędrzejewski-Szmek bb2f5f 
 PollLimitIntervalSec=/PollLimitBurst= settings
Zbigniew Jędrzejewski-Szmek bb2f5f
Zbigniew Jędrzejewski-Szmek bb2f5f 
(cherry picked from commit 9373fce68de183a615d44fe100dcf22e3c9b8c3e)
Zbigniew Jędrzejewski-Szmek bb2f5f 
---
Zbigniew Jędrzejewski-Szmek bb2f5f 
 man/systemd.socket.xml | 58 ++++++++++++++++++++++++++++++++++--------
Zbigniew Jędrzejewski-Szmek bb2f5f 
 1 file changed, 47 insertions(+), 11 deletions(-)
Zbigniew Jędrzejewski-Szmek bb2f5f
Zbigniew Jędrzejewski-Szmek bb2f5f 
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
Zbigniew Jędrzejewski-Szmek bb2f5f 
index 45555302f1..462978d438 100644
Zbigniew Jędrzejewski-Szmek bb2f5f 
--- a/man/systemd.socket.xml
Zbigniew Jędrzejewski-Szmek bb2f5f 
+++ b/man/systemd.socket.xml
Zbigniew Jędrzejewski-Szmek bb2f5f 
@@ -830,17 +830,53 @@
Zbigniew Jędrzejewski-Szmek bb2f5f 
         <term><varname>TriggerLimitIntervalSec=</varname></term>
Zbigniew Jędrzejewski-Szmek bb2f5f 
         <term><varname>TriggerLimitBurst=</varname></term>
Zbigniew Jędrzejewski-Szmek bb2f5f
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific time
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        interval. The <varname>TriggerLimitIntervalSec=</varname> may be used to configure the length of the time
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        interval in the usual time units <literal>us</literal>, <literal>ms</literal>, <literal>s</literal>,
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for details on
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        the various time units understood). The <varname>TriggerLimitBurst=</varname> setting takes a positive integer
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        value and specifies the number of permitted activations per time interval, and defaults to 200 for
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        <varname>Accept=yes</varname> sockets (thus by default permitting 200 activations per 2s), and 20 otherwise (20
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        activations per 2s). Set either to 0 to disable any form of trigger rate limiting. If the limit is hit, the
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        socket unit is placed into a failure mode, and will not be connectible anymore until restarted. Note that this
Zbigniew Jędrzejewski-Szmek bb2f5f 
-        limit is enforced before the service activation is enqueued.</para></listitem>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <listitem><para>Configures a limit on how often this socket unit may be activated within a specific
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        time interval. The <varname>TriggerLimitIntervalSec=</varname> setting may be used to configure the
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        length of the time interval in the usual time units <literal>us</literal>, <literal>ms</literal>,
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <literal>s</literal>, <literal>min</literal>, <literal>h</literal>, … and defaults to 2s (See
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry> for
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        details on the various time units understood). The <varname>TriggerLimitBurst=</varname> setting
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        takes a positive integer value and specifies the number of permitted activations per time interval,
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        and defaults to 200 for <varname>Accept=yes</varname> sockets (thus by default permitting 200
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        activations per 2s), and 20 otherwise (20 activations per 2s). Set either to 0 to disable any form of
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        trigger rate limiting.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <para>If the limit is hit, the socket unit is placed into a failure mode, and will not be connectible
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        anymore until restarted. Note that this limit is enforced before the service activation is
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        enqueued.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <para>Compare with <varname>PollLimitIntervalSec=</varname>/<varname>PollLimitBurst=</varname>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        described below, which implements a temporary slowdown if a socket unit is flooded with incoming
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        traffic, as opposed to the permanent failure state
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> results in.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        </listitem>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+      </varlistentry>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+      <varlistentry>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <term><varname>PollLimitIntervalSec=</varname></term>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <term><varname>PollLimitBurst=</varname></term>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <listitem><para>Configures a limit on how often polling events on the file descriptors backing this
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        socket unit will be considered. This pair of settings is similar to
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <varname>TriggerLimitIntervalSec=</varname>/<varname>TriggerLimitBurst=</varname> but instead of
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        putting a (fatal) limit on the activation frequency puts a (transient) limit on the polling
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        frequency. The expected parameter syntax and range are identical to that of the aforementioned
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        options, and can be disabled the same way.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <para>If the polling limit is hit polling is temporarily disabled on it until the specified time
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        window passes. The polling limit hence slows down connection attempts if hit, but unlike the trigger
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        limit won't cause permanent failures. It's the recommended mechanism to deal with DoS attempts
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        through packet flooding.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <para>The polling limit is enforced per file descriptor to listen on, as opposed to the trigger limit
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        which is enforced for the entire socket unit. This distinction matters for socket units that listen
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        on multiple file descriptors (i.e. have multiple <varname>ListenXYZ=</varname> stanzas).</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        <para>These setting defaults to 150 (in case of <varname>Accept=yes</varname>) and 15 (otherwise)
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        polling events per 2s. This is considerably lower than the default values for the trigger limit (see
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        above) and means that the polling limit should typically ensure the trigger limit is never hit,
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        unless one of them is reconfigured or disabled.</para>
Zbigniew Jędrzejewski-Szmek bb2f5f 
+        </listitem>
Zbigniew Jędrzejewski-Szmek bb2f5f 
       </varlistentry>
Zbigniew Jędrzejewski-Szmek bb2f5f
Zbigniew Jędrzejewski-Szmek bb2f5f 
     </variablelist>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation