-1

I have a process greedyprocess that is always run as user greedyuser that uses too many NAT connections. They aren't using too much bandwidth, instead they are clogging up the router's NAT table. Is it possible to limit the user to, say, 1000 open connections? I would prefer some kind of kernel limit on the number of sockets that greedyuser can have open.

Server is running Debian jessie (stable branch at the time of writing). No, I cannot work around the NAT as I do not control the router.

User's open file limit is 166,384 and I prefer not to reduce this if possible. I only want to limit open sockets, not all open files.

nullUser
  • Can you get rid of the NAT? – Michael Hampton Feb 10 '17 at 17:31
  • @MichaelHampton unfortunately no, I control the server but not the router. – nullUser Feb 10 '17 at 17:33
  • Hm. If the router is choking after just 1000 connections, it must be a pretty low quality device. Are you sure you're in the right place? This site is for business IT questions. – Michael Hampton Feb 10 '17 at 17:36
  • @MichaelHampton, 1000 was an arbitrary number I picked. Limiting the user to 50,000 connections would also be fine. – nullUser Feb 10 '17 at 17:37
  • Unless you already changed something, the default limit would be 1024 open files. Maybe you should explain what's really going on here. – Michael Hampton Feb 10 '17 at 17:43
  • @MichaelHampton The user's open file limit is 166,384. Would reducing their open file limit down to 50,000 also limit the number of sockets they could have open? Ideally I do not want to restrict the user's number of open files though, only the number of open sockets. – nullUser Feb 10 '17 at 17:49
  • It's the same thing. Opening a socket _is_ opening a file. Again, we've come back to: what are you really doing? – Michael Hampton Feb 10 '17 at 17:52
  • @MichaelHampton, no it is not the same thing. Opening a socket is opening a file. Opening a file does not mean opening a network socket. I only want to reduce open network sockets, not all open files (if possible). – nullUser Feb 10 '17 at 17:53
  • @MichaelHampton, do you disagree? Do you think that opening any file also opens a network socket? For such a high-rep user your responses have been extremely unhelpful. Your suggestions were: stop NATing, your hardware sucks, number of open files is not the default, and that all files open network sockets, and downvoting. Not once did you try to answer the question within the constraints posed. If the answer is "the kernel doesn't have an option for that, best you can do is limit open files," then so be it, just say that. Don't have a hissy fit that my situation is different from yours. – nullUser Feb 10 '17 at 19:39
  • Not having a hissy fit is a good idea, so you should stop doing it. I don't _think_ there is any other way, but I'm not 100% sure about that, so I've left this alone for someone else to possibly answer. As for downvoting, you'll have to ask the downvoter why they did it. – Michael Hampton Feb 10 '17 at 19:48
  • It is a basic UNIX design principle that everything is a file. So, network sockets are files too, just files with different properties. – Tero Kilkanen Feb 11 '17 at 01:21

1 Answer

0

iptables with the connlimit and owner extensions may help. Something like that (not tested):

# match only new TCP connection attempts (SYN), so flows that are already
# established are not rejected packet by packet once the cap is reached
iptables -A OUTPUT -p tcp --syn -m owner --uid-owner greedyuser -m connlimit --connlimit-above 1000 -j REJECT
Patrick Mevzek
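The answer's owner+connlimit idea, carried through as a small script. This is an added example, not code from the answer or from the iptables project; it assumes Debian's iptables with the owner, conntrack and connlimit matches, and the chain name GREEDY_LIMIT is our own choice. It goes a little beyond the one-liner: the rule keys on `--ctstate NEW` rather than `-p tcp --syn`, so the first packet of a UDP flow is budgeted as well (UDP flows occupy NAT table entries too), and `--connlimit-mask 0` sums the user's flows across every local source address instead of giving each local IP its own budget. Rejected attempts are rate-limited into the kernel log so you can see the cap being hit.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds the owner+connlimit
# rule set for one Unix user. Assumed: Debian's iptables with the owner,
# conntrack and connlimit matches; the chain name GREEDY_LIMIT is ours.

# Reject a non-numeric or zero limit before it reaches iptables.
valid_limit() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the rules for USER capped at LIMIT concurrent tracked connections.
# --ctstate NEW restricts the rule to the first packet of a flow (TCP SYN or
# first UDP datagram), so established connections keep working once the cap
# is hit instead of being rejected packet by packet.
# --connlimit-mask 0 sums the user's flows across all local source addresses;
# the default /32 would give a separate budget per local IP.
connlimit_rules() {
    user="$1"; limit="$2"
    valid_limit "$limit" || { echo "bad limit: $limit" >&2; return 1; }
    cat <<EOF
iptables -N GREEDY_LIMIT
iptables -A GREEDY_LIMIT -m limit --limit 6/min -j LOG --log-prefix "connlimit $user: "
iptables -A GREEDY_LIMIT -j REJECT
iptables -A OUTPUT -m conntrack --ctstate NEW -m owner --uid-owner $user -m connlimit --connlimit-above $limit --connlimit-mask 0 -j GREEDY_LIMIT
EOF
}

# Apply the rules (needs root). Returns 2 when not root so a caller can tell
# "skipped" from "iptables failed".
apply_rules() {
    [ "$(id -u)" -eq 0 ] || return 2
    connlimit_rules "$1" "$2" | sh -e
}

# Total conntrack entries on this host (all users, all protocols): roughly
# what the upstream NAT table is holding for this machine. Prints nothing if
# the conntrack proc file is not exposed.
count_tracked_flows() {
    [ -r /proc/net/nf_conntrack ] && wc -l < /proc/net/nf_conntrack
}

case "${1:-}" in
    apply) apply_rules "$2" "$3" ;;
    show)  connlimit_rules "$2" "$3" ;;
    flows) count_tracked_flows ;;
esac
```

Run `sh limit.sh show greedyuser 1000` to inspect the rules and `sudo sh limit.sh apply greedyuser 1000` to install them; `iptables -L OUTPUT -v -n` afterwards shows the packet counter on the jump rule, which only increments for attempts that were over the cap. Persist the rules (for example with iptables-persistent) if they should survive a reboot.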