[MINOR] frontend: count denied TCP requests separately

It's very disturbing to see the "denied req" counter increase without
any other session counter moving. In fact, we can't count a rejected
TCP connection as "denied req" as we have not yet instanciated any
session at all. Let's use a new counter for that.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7aa12a7..a9a5793 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5225,8 +5225,10 @@ tcp-request reject [{if | unless} <condition>]
   connection, which implies that the "tcp-request accept" statement will only
   make sense when combined with another "tcp-request reject" statement.
 
-  Rejected connections are accounted in stats but are not logged. The reason is
-  that these rules should only be used to filter extremely high connection
+  Rejected connections do not even become a session, which is why they are
+  accounted separately for in the stats, as "denied connections". They are not
+  considered for the session rate-limit and are not logged either. The reason
+  is that these rules should only be used to filter extremely high connection
   rates such as the ones encountered during a massive DDoS attack. Under these
   conditions, the simple action of logging each event would make the system
   collapse and would considerably lower the filtering capacity. If logging is

diff --git a/include/types/counters.h b/include/types/counters.h
index 7a0ff1d..a333219 100644 (file)
--- a/include/types/counters.h
+++ b/include/types/counters.h
@@ -40,6 +40,7 @@ struct pxcounters {
 
        long long denied_req, denied_resp;      /* blocked requests/responses because of security concerns */
        long long failed_req;                   /* failed requests (eg: invalid or timeout) */
+       long long denied_conn;                  /* denied connection requests (tcp-req rules) */
 
        union {
                struct {
@@ -63,6 +64,7 @@ struct licounters {
 
        long long denied_req, denied_resp;      /* blocked requests/responses because of security concerns */
        long long failed_req;                   /* failed requests (eg: invalid or timeout) */
+       long long denied_conn;                  /* denied connection requests (tcp-req rules) */
 };
 
 struct srvcounters {

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 3a1abad..1c93396 100644 (file)
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -731,9 +731,9 @@ int tcp_exec_req_rules(struct session *s)
                if (ret) {
                        /* we have a matching rule. */
                        if (rule->action == TCP_ACT_REJECT) {
-                               s->fe->counters.denied_req++;
+                               s->fe->counters.denied_conn++;
                                if (s->listener->counters)
-                                       s->listener->counters->denied_req++;
+                                       s->listener->counters->denied_conn++;
 
                                if (!(s->flags & SN_ERR_MASK))
                                        s->flags |= SN_ERR_PRXCOND;