diff --git a/doc/configuration.txt b/doc/configuration.txt
index 7aa12a71a..a9a5793b0 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5225,8 +5225,10 @@ tcp-request reject [{if | unless} ]
 connection, which implies that the "tcp-request accept" statement will only
 make sense when combined with another "tcp-request reject" statement.
- Rejected connections are accounted in stats but are not logged. The reason is
- that these rules should only be used to filter extremely high connection
+ Rejected connections do not even become a session, which is why they are
+ accounted separately for in the stats, as "denied connections". They are not
+ considered for the session rate-limit and are not logged either. The reason
+ is that these rules should only be used to filter extremely high connection
 rates such as the ones encountered during a massive DDoS attack. Under these
 conditions, the simple action of logging each event would make the system
 collapse and would considerably lower the filtering capacity. If logging is
diff --git a/include/types/counters.h b/include/types/counters.h
index 7a0ff1d34..a333219cb 100644
--- a/include/types/counters.h
+++ b/include/types/counters.h
@@ -40,6 +40,7 @@ struct pxcounters {
 long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
 long long failed_req; /* failed requests (eg: invalid or timeout) */
+ long long denied_conn; /* denied connection requests (tcp-req rules) */
 union {
 struct {
@@ -63,6 +64,7 @@ struct licounters {
 long long denied_req, denied_resp; /* blocked requests/responses because of security concerns */
 long long failed_req; /* failed requests (eg: invalid or timeout) */
+ long long denied_conn; /* denied connection requests (tcp-req rules) */
 };
 struct srvcounters {
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 3a1abad9e..1c9339608 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
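Review bot: The comment on the new pxcounters field, `/* denied connection requests (tcp-req rules) */`, is ambiguous now that this commit splits these rejects off from denied_req: a reader cannot tell which tcp-request rules feed which counter. Suggest `/* connections rejected by connection-level tcp-request rules before any session exists; content-level rejects presumably stay in denied_req */`, with the second clause confirmed against the rule executors, since only tcp_exec_req_rules is changed in this diff. Nothing visible here exports denied_conn to the stats output, although the documentation hunk describes it as appearing there as "denied connections"; if the stats dump is not in a part of the commit I cannot see, that part is missing and the counter would be incremented but never observable. srvcounters is left without the field, which is presumably intentional because these rejects happen before a server is selected.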
@@ -731,9 +731,9 @@ int tcp_exec_req_rules(struct session *s)
 if (ret) {
 /* we have a matching rule. */
 if (rule->action == TCP_ACT_REJECT) {
- s->fe->counters.denied_req++;
+ s->fe->counters.denied_conn++;
 if (s->listener->counters)
- s->listener->counters->denied_req++;
+ s->listener->counters->denied_conn++;
 if (!(s->flags & SN_ERR_MASK))
 s->flags |= SN_ERR_PRXCOND;
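Review bot: Switching the two increments from denied_req to denied_conn changes what existing stats consumers observe: connections rejected by these rules no longer appear in the frontend and listener denied-request counters, so a dashboard or alert keyed on that column will see a drop that does not reflect any drop in filtered traffic. The split is sensible given the documentation change, but it is a visible behaviour change that belongs in the commit description, plus a one-line comment at the first increment, `/* rejected before any session exists: counted in denied_conn, not denied_req, and never logged */`. The documentation hunk also states that rejected connections are not considered for the session rate-limit, yet nothing in this hunk touches rate-limit accounting, so either that already holds in the caller or it is missing from this change — worth confirming. tcp_exec_req_rules begins before and continues after this hunk.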