tcpserver — format of tcpserver component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes types, sections and items specific for the tcpserver component configuration.
Repeatable sections/items are marked by
the '*' before section/item name.
Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).
Enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, enumeration description contains values for every name (in parenthesis next to name). For other enumerations, using of names is obligatory.
The following enumerations are used in tcpserver configuration directives:
Configuration of tcpserver library component consists of following prototypes:
tcpserver { ... }
tcpserver {
queue-size ... ;
init-children ... ;
max-children ... ;
max-children-per-ip ... ;
min-idle ... ;
max-idle ... ;
parent-cycle ... ;
info-cycle ... ;
min-start-rate ... ;
max-start-rate ... ;
kill-rate ... ;
fork-wait ... ;
fork-retries ... ;
lock ... ;
alt-lock ... ;
listener ... ;
conn-rate ... ;
conn-rate-per-ip ... ;
conn-rate-table ... ;
terminate-wait ... ;
}
General TCP server parameters.
INIT-CHILDREN must be within 0 < INIT-CHILDREN <= MAX-CHILDREN.
Idle-values must be within 0 < MIN-IDLE < MAX-IDLE <= MAX-CHILDREN.
MIN-START-RATE must be within 0 < MIN-START-RATE <= MAX-START-RATE.
Connection rate limitation is allowed only in LISTENER mode.
CONN-RATE-PER-IP must not be greater than CONN-RATE.
MAX-CHILDREN-PER-IP is allowed only in LISTENER mode.
MAX-CHILDREN-PER-IP must not be greater than MAX-CHILDREN.
queue-size [value];Queue length for listen(2) syscall.
value (type: uint16, optional, default: 2000)init-children [value];Initially started number of child processes.
value (type: uint16, optional, default: 5)max-children [value];Maximum number of running child processes.
value (type: uint16, optional, default: 400)max-children-per-ip [value];Maximum number of running child processes per client.
When this limit is reached, no more connections from the client are accepted.
Setting to zero switches the check off.
value (type: uint16, optional, default: 150)min-idle [value];Minimum number of idle child processes.
value (type: uint16, optional, default: 5)max-idle [value];Maximum number of idle child processes.
value (type: uint16, optional, default: 10)parent-cycle [value];Interval after which parent checks child processes.
value (type: uint16, optional, default: 1000)(milliseconds)
info-cycle [value];Number of parent cycles after which process statistics are reported.
value (type: uint16, optional, default: 3600)(0 = do not report statistics)
min-start-rate [value];Minimum number of child processes forked per parent-cycle.
value (type: uint16, optional, default: 8)max-start-rate [value];Maximum number of child processes forked per parent-cycle.
value (type: uint16, optional, default: 64)kill-rate [value];Number of child processes killed per parent-cycle.
value (type: uint16, optional, default: 1)KILL-RATE must be positive.
fork-wait [value];Pause after unsuccessful fork(2) before next call.
value (type: uint16, optional, default: 10000)(milliseconds)
fork-retries [value];Maximum number of retries after unsuccessfull fork(2).
value (type: uint8, optional, default: 1)lock [path];Lock file for exclusive access to select/accept loop.
path (type: str, optional, default: <NULL>)If set to directory, file in that directory is created with name PREFIX.PID.XXXXXX, where PREFIX is a string defined by the proxy, PID is the proxy parent process ID and X is a random suffix. If not set, directory /tmp is assumed. Automatic generation of lock file name is strongly recommended, because each lock must have a unique name.
alt-lock none;alt-lock semaphore;alt-lock lock2 [path];alt-lock [multilock2] [path];An alternative implemetation of locks.
lock-type, optional, default: multilock2)path (type: str, optional, default: <NULL>)If set to directory, file in that directory is created with name PREFIX.PID.XXXXXX, where PREFIX is a string defined by the proxy, PID is the proxy parent process ID and X is a random suffix. If not set, directory /tmp is assumed. Automatic generation of lock file name is strongly recommended, because each lock must have a unique name.
listener no;listener [yes];Use a listener process for accepting clients. If enabled then sysctl kern.ipc.soacceptqueue value should be at least MAX-CHILDREN.
yes-no, optional, default: yes)conn-rate value;Maximum number of connections during one second.
When this limit is reached, no more new connections are accepted within the current second.
If omitted, the value is set to roundup( MAX-CHILDREN / 6 ), setting to zero switches the check off.
value (type: uint16)conn-rate-per-ip value;Maximum number of connections from one address during one second.
When this limit is reached, no more new connections from the client is accepted within the current nad next second.
If omitted, the value is set to roundup( MAX-CHILDREN-PER-IP / 3 ), setting to zero switches the check off.
value (type: uint16)conn-rate-table [size size] [search search];Parameters for per-ip incoming connection rate statistics.
size size (type: uint32, optional, default: 65536)table size (in addresses)
search search (type: uint32, optional, default: 20)maximum table search steps
terminate-wait value;Each child process waits up to this time when terminating at proxy stop, restart, or reload. It limits the number of processes that are terminating at the same time.
value (type: uint16)(milliseconds)
[End of section tcpserver description.]