[MINOR] frontend: count denied TCP requests separately
It's very disturbing to see the "denied req" counter increase without
any other session counter moving. In fact, we can't count a rejected
TCP connection as "denied req" as we have not yet instantiated any
session at all. Let's use a new counter for that.
diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7aa12a7..a9a5793 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5225,8 +5225,10 @@
connection, which implies that the "tcp-request accept" statement will only
make sense when combined with another "tcp-request reject" statement.
- Rejected connections are accounted in stats but are not logged. The reason is
- that these rules should only be used to filter extremely high connection
+ Rejected connections do not even become a session, which is why they are
+ accounted separately for in the stats, as "denied connections". They are not
+ considered for the session rate-limit and are not logged either. The reason
+ is that these rules should only be used to filter extremely high connection
rates such as the ones encountered during a massive DDoS attack. Under these
conditions, the simple action of logging each event would make the system
collapse and would considerably lower the filtering capacity. If logging is
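Review bot: the documentation now tells users to look for "denied connections" in the stats, but none of the hunks in this patch touch the stats output, so check that the new denied_conn counter is actually exported (CSV and HTML stats) before this wording lands. On the wording itself, "accounted separately for in the stats" reads awkwardly; "accounted for separately in the stats" is the natural order.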
diff --git a/include/types/counters.h b/include/types/counters.h
index 7a0ff1d..a333219 100644
--- a/include/types/counters.h
+++ b/include/types/counters.h
@@ -40,6 +40,7 @@
long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
long long failed_req; /* failed requests (eg: invalid or timeout) */
+ long long denied_conn; /* denied connection requests (tcp-req rules) */
union {
struct {
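Review bot: the field comment "denied connection requests (tcp-req rules)" is vaguer than the documentation, which names the "tcp-request reject" statement; make the comment say which rule produces the count, e.g. "connections rejected by tcp-request reject rules", so a reader of counters.h does not confuse it with denied_req.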
@@ -63,6 +64,7 @@
long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
long long failed_req; /* failed requests (eg: invalid or timeout) */
+ long long denied_conn; /* denied connection requests (tcp-req rules) */
};
struct srvcounters {
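Review bot: the same denied_conn field and comment are now duplicated in two struct definitions; keep the two in sync (same position after failed_req, same comment text) as done here, and note that srvcounters deliberately does not get the field, since a connection rejected at the frontend never reaches a server.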
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 3a1abad..1c93396 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -731,9 +731,9 @@
if (ret) {
/* we have a matching rule. */
if (rule->action == TCP_ACT_REJECT) {
- s->fe->counters.denied_req++;
+ s->fe->counters.denied_conn++;
if (s->listener->counters)
- s->listener->counters->denied_req++;
+ s->listener->counters->denied_conn++;
if (!(s->flags & SN_ERR_MASK))
s->flags |= SN_ERR_PRXCOND;
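Review bot: the reject path still runs on an allocated struct session (it dereferences s->fe, s->listener and sets SN_ERR_PRXCOND on s->flags), so the documentation's "do not even become a session" describes accounting only, not allocation; make sure that a session flagged SN_ERR_PRXCOND here is not also counted under another frontend or listener counter on teardown, otherwise the rejection would be double counted. Also note that "denied req" will no longer move for these rejections, which anyone monitoring that column for tcp-request rejects will see as a behaviour change; the doc hunk covers it, so a line in the commit message would help too.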