coova / coova-chilli

CoovaChilli is an open-source software access controller for captive portal hotspots.

Too many chilli process on high load #448

Open irongomme opened 6 years ago

irongomme commented 6 years ago

I'm facing an issue, but I don't really understand how it triggers ... Sometimes there are hundreds of chilli subprocesses, and some of them have subprocesses too. It results in unavailability of the chilli service for several minutes, and sometimes a crash of the router.

Here are some sample chilli logs from when it happens:

```
Resource temporarily unavailable: could not read packet
11 net_read_eth(fd=2, len=65497, mtu=1500) == -1
No message of desired type: fork() returned -1!
Authenticator 2E695568F4264101F5EA03BA8808D8C5(pkt) != FECCBA1B589DBDAEF3C151829774D2A7(calc)
RADIUS id 117 was not found in queue!
Authenticator does not match! req-id=124 res-id=124
```

Does someone have an explanation for this behavior?

irongomme commented 6 years ago

I've probably found one working solution. With some unauthenticated devices, we have a lot of open TCP connections on port 3990. In real life, people have some apps (Facebook, Instagram, Twitter, etc...) which live in the background, doing hundreds and hundreds of requests. I think this makes a bottleneck in chilli's input. So I've added a new iptables rule to limit parallel connections on port 3990:

```shell
iptables -I INPUT -i tun11 -d 192.168.180.1 -p tcp --syn --dport 3990 -m connlimit --connlimit-above 5 -j REJECT
```

For now there is a positive result! I will wait to see if we can rely on it.
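A small helper for checking, before or after adding a connlimit rule like the one above, which clients are holding more than the allowed number of connections to chilli's port 3990. This is an added example, not code from the issue or from CoovaChilli; it parses `ss -tn` output, the sample below is constructed, and the 192.168.180.x addresses are only reused from the comment for the sample data.

```python
import re
from collections import Counter

# Port chilli listens on for the captive-portal redirect, and the per-client
# limit used in the iptables rule from the comment above (--connlimit-above 5).
CHILLI_PORT = 3990
CONN_LIMIT = 5

# Constructed sample of `ss -tn` output (not captured from a real router):
# one client holding many background-app connections to port 3990, one
# well-behaved client, and an unrelated SSH session that must be ignored.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51234
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51235
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51236
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51237
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51238
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51239
ESTAB  0      0      192.168.180.1:3990   192.168.180.23:51240
ESTAB  0      0      192.168.180.1:3990   192.168.180.45:40001
ESTAB  0      0      192.168.180.1:3990   192.168.180.45:40002
ESTAB  0      0      192.168.180.1:22     192.168.180.45:40003
"""

# One `ss -tn` row: state, recv/send queues, local addr:port, peer addr:port.
SS_ROW = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")

def connections_per_peer(ss_output, local_port=CHILLI_PORT):
    """Count TCP connections to local_port, keyed by peer (client) IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = SS_ROW.match(line)
        if m is None:  # header line or unparseable row
            continue
        _state, _local_ip, lport, peer_ip, _pport = m.groups()
        if int(lport) == local_port:
            counts[peer_ip] += 1
    return counts

def peers_over_limit(ss_output, limit=CONN_LIMIT, local_port=CHILLI_PORT):
    """Clients already holding more than `limit` connections to chilli: the
    sources whose further SYNs a connlimit rule with that limit would REJECT."""
    return {ip: n for ip, n in connections_per_peer(ss_output, local_port).items()
            if n > limit}

if __name__ == "__main__":
    for ip, n in sorted(connections_per_peer(SAMPLE_SS_OUTPUT).items()):
        flag = "  <- over limit" if n > CONN_LIMIT else ""
        print(f"{ip:16} {n:3d} connections to port {CHILLI_PORT}{flag}")
```

On a live router, feed it the real output (`ss -tn | python3 this_script.py` after swapping the sample for `sys.stdin.read()`) to see whether a handful of devices account for most of the load on port 3990.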