[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
Looks ok for me. If you push it, then you have to update the wiki core books section for it as well. Cheers, Daniel On 19.10.23 09:14, Juha Heinanen via sr-dev wrote: > How about the diff below? > > Also, is there plan to backport ksr_tcp_msg_data_timeout, > ksr_tcp_msg_read_timeout, and ksr_tcp_check_timer to 5.7, since they can > help in protecting from DoS attacks that we have seen in the wild. > > -- Juha > > diff --git a/src/main.c b/src/main.c > index 0fa2da6ec2..f3cddf8bad 100644 > --- a/src/main.c > +++ b/src/main.c > @@ -535,7 +535,7 @@ int ksr_tcp_msg_read_timeout = 20; /* timeout (secs) to > read SIP message */ > int ksr_tcp_msg_data_timeout = > 20; /* timeout (secs) to receive first msg data */ > int ksr_tcp_accept_iplimit = 1024; /* limit of accepted connections per IP */ > -int ksr_tcp_check_timer = 10; /* seconds to check tcp connections > */ > +int ksr_tcp_check_timer = -1; /* seconds to check tcp connections > */ > > /* memory manager */ > #define SR_MEMMNG_DEFAULT "qm" 
> @@ -1726,12 +1726,22 @@ int main_loop(void) > cfg_main_reset_local(); > > #ifdef USE_TCP > - if(!tcp_disable && ksr_tcp_check_timer > 0) { > - if(sr_wtimer_add( > + if(!tcp_disable) { > + if(ksr_tcp_check_timer == -1) { > + if(ksr_tcp_msg_data_timeout > 0 && > ksr_tcp_msg_read_timeout > 0) > + ksr_tcp_check_timer = > + MIN(ksr_tcp_msg_data_timeout, > ksr_tcp_msg_read_timeout) / 2; > + else > + ksr_tcp_check_timer = > ksr_tcp_msg_data_timeout > 0 ? > + ksr_tcp_msg_data_timeout / 2 : > ksr_tcp_msg_read_timeout / 2; > + } > + if(ksr_tcp_check_timer > 0) { > + if(sr_wtimer_add( > tcp_timer_check_connections, NULL, > ksr_tcp_check_timer) > - < 0) { > - LM_CRIT("cannot add timer for tcp connection > checks\n"); > - goto error; > +< 0) { > + LM_CRIT("cannot add timer for tcp > connection checks\n"); > + goto error; > + } > } > } > #endif > ___ > Kamailio (SER) - Development Mailing List > To unsubscribe send an email to sr-dev-le...@lists.kamailio.org -- Daniel-Constantin Mierla (@ asipto.com) twitter.com/miconda -- linkedin.com/in/miconda Kamailio Consultancy and Development Services Kamailio Advanced Training - Online - Nov 14-16, 2023 -- asipto.com ___ Kamailio (SER) - Development Mailing List To unsubscribe send an email to sr-dev-le...@lists.kamailio.org
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
How about the diff below? Also, is there plan to backport ksr_tcp_msg_data_timeout, ksr_tcp_msg_read_timeout, and ksr_tcp_check_timer to 5.7, since they can help in protecting from DoS attacks that we have seen in the wild. -- Juha diff --git a/src/main.c b/src/main.c index 0fa2da6ec2..f3cddf8bad 100644 --- a/src/main.c +++ b/src/main.c @@ -535,7 +535,7 @@ int ksr_tcp_msg_read_timeout = 20; /* timeout (secs) to read SIP message */ int ksr_tcp_msg_data_timeout = 20; /* timeout (secs) to receive first msg data */ int ksr_tcp_accept_iplimit = 1024; /* limit of accepted connections per IP */ -int ksr_tcp_check_timer = 10; /* seconds to check tcp connections */ +int ksr_tcp_check_timer = -1; /* seconds to check tcp connections */ /* memory manager */ #define SR_MEMMNG_DEFAULT "qm" @@ -1726,12 +1726,22 @@ int main_loop(void) cfg_main_reset_local(); #ifdef USE_TCP - if(!tcp_disable && ksr_tcp_check_timer > 0) { - if(sr_wtimer_add( + if(!tcp_disable) { + if(ksr_tcp_check_timer == -1) { + if(ksr_tcp_msg_data_timeout > 0 && ksr_tcp_msg_read_timeout > 0) + ksr_tcp_check_timer = + MIN(ksr_tcp_msg_data_timeout, ksr_tcp_msg_read_timeout) / 2; + else + ksr_tcp_check_timer = ksr_tcp_msg_data_timeout > 0 ? + ksr_tcp_msg_data_timeout / 2 : ksr_tcp_msg_read_timeout / 2; + } + if(ksr_tcp_check_timer > 0) { + if(sr_wtimer_add( tcp_timer_check_connections, NULL, ksr_tcp_check_timer) - < 0) { - LM_CRIT("cannot add timer for tcp connection checks\n"); - goto error; + < 0) { + LM_CRIT("cannot add timer for tcp connection checks\n"); + goto error; + } } } #endif ___ Kamailio (SER) - Development Mailing List To unsubscribe send an email to sr-dev-le...@lists.kamailio.org
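Review bot: in the `@@ -535,7 +535,7` hunk, the default changes from 10 to -1 but the trailing comment still reads "seconds to check tcp connections", so nothing at the declaration says that -1 is a sentinel meaning "derive the interval from the message timeouts". Suggest extending the comment, for example `/* seconds to check tcp connections; -1: half of the smaller msg timeout */`, and describing the same rule in the core parameter documentation that the reply asks to be updated.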
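Review bot: in the `@@ -1726,12 +1726,22` hunk, the derived interval uses integer division, so a timeout of 1 gives `ksr_tcp_check_timer = 0`, and the following `if(ksr_tcp_check_timer > 0)` then skips `sr_wtimer_add()` without any log line, leaving a configured timeout with no connection-check timer registered. Suggest clamping the derived value to at least 1 whenever either timeout is positive, and logging the interval that was chosen. The else branch also yields 0 or a negative value when both timeouts are <= 0, and an explicitly set negative value other than -1 disables the check silently; a short comment stating that these are the intended "disabled" paths would make that clear.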
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
On 16.10.23 12:44, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>>> In order to make configuration simpler, how about having a dynamic default
>>> as I suggested?
>> Default is half (hardcoded), but its own parameter gives more
>> flexibility for granularity -- one extra parameter is not adding much
>> complexity, imo, and case by case one may want more often checks to
>> clean up those that end up in timeout.
> I didn't suggest to remove the parameter, but change its default value
> if the parameter is not given.

You can add such behaviour if you want.

Cheers,
Daniel
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
Daniel-Constantin Mierla writes:

> > In order to make configuration simpler, how about having a dynamic default
> > as I suggested?
>
> Default is half (hardcoded), but its own parameter gives more
> flexibility for granularity -- one extra parameter is not adding much
> complexity, imo, and case by case one may want more often checks to
> clean up those that end up in timeout.

I didn't suggest to remove the parameter, but change its default value
if the parameter is not given.
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
On 16.10.23 12:27, Juha Heinanen wrote:
> Daniel-Constantin Mierla writes:
>
>> Smaller is recommended for better accuracy.
> In order to make configuration simpler, how about having a dynamic default
> as I suggested?

Default is half (hardcoded), but its own parameter gives more
flexibility for granularity -- one extra parameter is not adding much
complexity, imo, and case by case one may want more often checks to
clean up those that end up in timeout.

Cheers,
Daniel
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
Daniel-Constantin Mierla writes:

> Smaller is recommended for better accuracy.

In order to make configuration simpler, how about having a dynamic default
as I suggested?
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
On 16.10.23 10:25, Juha Heinanen wrote:
> Daniel-Constantin Mierla via sr-dev writes:
>
>> core: added tcp_check_timer parameter
>>
>> - set the check interval (in seconds) for tcp connections
>> - default 10
> Does this need to be smaller than tcp_msg_read_timeout and
> tcp_msg_data_timeout in order for them to have effect?

They will have anyhow effect, but can be later -- you have to consider
always the value of tcp_check_timer as a possible delay. Smaller is
recommended for better accuracy.

Cheers,
Daniel
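The delay described in the reply above, modelled as an added example (not Kamailio code and not written by anyone in this thread): it computes how long a silent connection can stay open when timeouts are only enforced by a periodic sweep. The function names and the assumption that sweeps run at multiples of the check interval are constructed for this model.

```c
#include <stdio.h>

/* Constructed model, not Kamailio code: a sweep runs every `check` seconds
 * (at t = check, 2*check, ...) and closes a connection once it has been
 * silent for at least `timeout` seconds. */

/* Time at which a connection accepted at `t0` that never sends data is
 * closed. Returns -1 when no sweep is scheduled or the timeout is off. */
long sweep_close_time(long t0, long timeout, long check)
{
	long deadline, ticks;

	if(check <= 0 || timeout <= 0)
		return -1;
	deadline = t0 + timeout;
	ticks = (deadline + check - 1) / check; /* first sweep at/after deadline */
	return ticks * check;
}

/* Longest time a silent connection can stay open, taken over every accept
 * time within one sweep period. Returns -1 if it is never closed. */
long worst_case_lifetime(long timeout, long check)
{
	long t0, worst = -1;

	for(t0 = 0; t0 < check; t0++) {
		long closed = sweep_close_time(t0, timeout, check);
		if(closed >= 0 && closed - t0 > worst)
			worst = closed - t0;
	}
	return worst;
}

int main(void)
{
	const long timeout = 20; /* tcp_msg_data_timeout default in the thread */
	const long checks[] = {1, 5, 10, 20, 40};
	size_t i;

	for(i = 0; i < sizeof(checks) / sizeof(checks[0]); i++)
		printf("check=%2lds  worst-case lifetime=%lds\n", checks[i],
				worst_case_lifetime(timeout, checks[i]));
	return 0;
}
```

In this model the worst case is always `timeout + check - 1` seconds, so halving the check interval tightens enforcement, and an interval of 0 means the connection is never closed by the sweep.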
[sr-dev] Re: git:master:1acede64: core: added tcp_check_timer parameter
If so, how about defaulting to half of tcp_msg_read_timeout or tcp_msg_data_timeout whichever is smallest?