Ulimit file descriptor limit not being applied for redsocks2 process

[john-d13]

HI,

I opened a case earlier this year in regards to the issue facing file descriptor limit for redsocks2 process. Seems the software is hard coding soft/hard limits to 1024 and 4096 respectively with disregard to /etc/security/limits set to particular redsocks2 user.

A good reference article that explains why it wont work: https://serverfault.com/questions/641899/ulimit-file-descriptor-limits-not-being-applied-for-particular-process

I had to configure the following parameter in systemd service in order for it to work on service start. LimitNOFILE=51200

You can also use "prlimit" to set runtime FD limit for a given pidof.

Here is a copy of my service configuration file for those who are interested:

/usr/lib/systemd/system/redsocks2.service [Unit] Description=Transparent redirector of any TCP connection to proxy using your firewall Wants=openvpn@server.service After=network.target openvpn@server.service

[Service] User=root Group=root Type=forking EnvironmentFile=/etc/default/redsocks ExecStartPre=/usr/local/redsocks2/redsocks2 -t -c $REDSOCKS_CONF ExecStartPre=/bin/sleep 10 ExecStart=/usr/local/redsocks2/redsocks2 -c $REDSOCKS_CONF Restart=on-abort LimitNOFILE=51200

[Install] WantedBy=multi-user.target

Confirmation that FD limits applied on startup

pidof redsocks2

3438

cat /proc/3438/limits Limit Soft Limit Hard Limit Units Max cpu time unlimited unlimited seconds Max file size unlimited unlimited bytes Max data size unlimited unlimited bytes Max stack size 8388608 unlimited bytes Max core file size 0 unlimited bytes Max resident set unlimited unlimited bytes Max processes 1845 1845 processes Max open files 51200 51200 files Max locked memory 65536 65536 bytes Max address space unlimited unlimited bytes Max file locks unlimited unlimited locks Max pending signals 1845 1845 signals Max msgqueue size 819200 819200 bytes Max nice priority 0 0 Max realtime priority 0 0 Max realtime timeout unlimited unlimited us

So question, I'm running one of the latest forks of redsocks2. I tried using some hardening parameters in the config file to drop stale idle connections but its not taking it. Have these been deprecated or built into the kernel as non writable?

rlimit_nofile redsocks_conn_max connpres_idle_timeout max_accept_backoff

[semigodking]

redsocks has configuration regarding TCP keepalive. Have you tried these settings?

    /* Override per-socket values for TCP_KEEPIDLE, TCP_KEEPCNT,
     * and TCP_KEEPINTVL. see man 7 tcp for details.
     * `redsocks' relies on SO_KEEPALIVE option heavily. */
    //tcp_keepalive_time = 0;
    //tcp_keepalive_probes = 0;
    //tcp_keepalive_intvl = 0;

If these settings does not work, you can reduce audit interval defined by redsocks2.

define REDSOCKS_AUDIT_INTERVAL 60*2

If your server serves large amount of connections, you may shorten this interval to reduce number of stale TCP connections.

[john-d13]

Semi,

What values would you suggest? I notice a large number of "Time Wait" connections. For example, for every Established connection I get 100 "Time Wait"

I tried setting uncommenting "define REDSOCKS_AUDIT_INTERVAL 60*2" in the redsocks.conf but its not taking it. Something wrong with the syntax ?

Here are the default settings in my config file. What does redsocks use as default and what do you recommend?

//tcp_keepalive_time = 2; //tcp_keepalive_probes = 2; //tcp_keepalive_intvl = 2;

When trying to set a connection limit, it seems these attributes are no longer working in redsocks2. What arguments can i use to restrict number of active connections to the destination proxy server?

// Set maximum number of served connections. Default is to deduce safe // limit from splice setting and RLIMIT_NOFILE. // redsocks_conn_max = 0;

/usr/local/redsocks2/redsocks2 -v redsocks.git/release-0.66-33-g10a4678 OpenSSL Built with libevent-2.0.21-stable Runs with libevent-2.0.21-stable

[john-d13]

Sorry for the dumb question, but where can I configure this attribute? Attempted in the redsocks.conf but failed.

If these settings does not work, you can reduce audit interval defined by redsocks2.

define REDSOCKS_AUDIT_INTERVAL 60*2

[semigodking]

Sorry for late response. It is defined in redsocks.c. You need to edit that file and recompile.

[john-d13]

Ok ill try that, thanks for your support.

I also tried setting TCP Keepalive to a lower setting than the kernel (default 1400) but get an error in the console logs

tcp_keepalive_time = 600; tcp_keepalive_probes = 30; tcp_keepalive_intvl = 9;

1562939726.469701 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.469790 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.469935 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.575640 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.575748 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.669319 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.786908 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument 1562939726.869245 warning base.c:279 apply_tcp_keepalive(...) setsockopt(8, 6, 6, &150, 4): Invalid argument

Will doing this make much of a difference with the stale connections in TIME_WAIT state?

[semigodking]

For the setsockopt error, i will check that when i have time. For TIME_WAIT, as I mentioned, it is part of TCP protocol, these options do not help.