At least on vanilla FreeBSD kern.ipc.soacceptqueue merely specifies an upper limit,
it does not prevent the application from requesting a smaller one.

Many applications use a hardcoded value like 128 without checking
if a higher value would work.

For details see the "listen" and "getsockopt" man pages.

I've checked multiple jails on my system, which include CouchPotato, Plex and Transmission and all have the same max of 128, yet when running sysctl kern.ipc.soacceptqueue it says that is 2048.  I find it highly unlikely that 3 separate applications are applying limits to the jails.

Comment 3 Eugene Grosbein 2017-05-31 02:43:06 UTC

kern.ipc.soacceptqueue is SYSCTL_PROC defined in sys/kern/uipc_socket.c without CTLFLAG_VNET, so it is not VIMAGE/VNET-aware currently.

That makes more sense.  Is there a way around this or a way to increase the connection queue in a jail that has VIMAGE enabled?

Comment 5 Eugene Grosbein 2017-05-31 13:21:19 UTC

(In reply to john.leo from comment #4)

You could just patch sys/sys/socket.h and increase value on a line "#define SOMAXCONN 128" (this is used to specify initial value for a sysctl only).

Or, if you are curious enough, you can add CTLFLAG_VNET flag to declaration of soacceptqueue in sys/kern/uipc_socket.c and see if it will work or crash :-)

That is, until SomeOne (TM) prepares complete solution.

Comment 6 Eugene Grosbein 2017-05-31 14:22:30 UTC

Created attachment 183099 [details]
make per-VNET soacceptqueue/somaxconn and numopensockets

At attempt to make sysctl soacceptqueue (somaxconn) and numopensockets per-VNET/VIMAGE instead of global.

Comment 7 Eugene Grosbein 2017-05-31 14:23:33 UTC

(In reply to john.leo from comment #4)

You may also try attached patch. Beware, as it is compile-only tested.

Thanks, would this be for the main OS itself or for use in the jail?  Also I'm having trouble finding that file within the OS, I couldn't find it at the path you provided.

Comment 9 Eugene Grosbein 2017-05-31 14:40:22 UTC

(In reply to john.leo from comment #8)

The patch is for sys/kern/uipc_socket.c - that is, for kernel. Jails do not have own kernels, there is only one kernel in running system. You need to rebuild and reinstall kernel after patch and reboot the system to apply changes.

Comment 10 Eugene Grosbein 2017-05-31 14:41:21 UTC

That is, for main OS and /usr/src/sys/kern/uipc_socket.c

Thanks, for some reason it is showing that /usr/src is an empty directory on my system.  I think I'd also like to set up a dev system to test this out rather than run it in production.

Comment 12 Bjoern A. Zeeb 2017-05-31 14:48:09 UTC

Making these variables per-VNET is not necessarily a good idea;  it means a VNET-jail consumer could possibly DoS the system without the administrator having a chance to prevent this easily by exceeding resources.

Need to be very careful.  I'd hope if this should go into HEAD that there'll be a way to "cap" the values or reject excessive requests by some metric at least.

Comment 13 Eugene Grosbein 2017-05-31 15:12:08 UTC

(In reply to Bjoern A. Zeeb from comment #12)

These variables are global currently but this does not mean the limits they impose are "global" in any way: static u_int somaxconn is just default for per-socket backlog limit so->so_qlimit (struct socket *so) and this change makes it possible to assign different defaults per-jail.

Yes, increase of such limit allows jailed root to get more space in the queue of not accepted yet sockets but theres is already plenty ways to consume such resources (f.e. by creating listening socket and making tons of local connections). Perhaps, this sysctl should be made read-only for jailed root, if possible.

V_numopensockets is purely informational.