|
|
@@ -6,67 +6,71 @@
|
|
|
#
|
|
|
|
|
|
Overview
|
|
|
+--------
|
|
|
|
|
|
The destination blacklist (dst_blacklist) is used to try to mark bad
|
|
|
- destination and avoid possible future expensive send operation to them.
|
|
|
- A destination is added to the blacklist when trying to send to it fails (e.g.
|
|
|
- timeout while trying to send or connect on tcp), or when a sip timeout occurs
|
|
|
- while trying to forward statefully an invite (using tm) and the remote side
|
|
|
+ destinations and avoid possible future expensive send operation to them.
|
|
|
+ A destination is added to the blacklist when an attempt to send to it fails (e.g.
|
|
|
+ timeout while trying to send or connect on TCP), or when a SIP timeout occurs
|
|
|
+ while trying to forward statefully an INVITE (using tm) and the remote side
|
|
|
doesn't send back any response.
|
|
|
- The blacklist (if enabled) is checked before any send attempt.
|
|
|
|
|
|
+ The blacklist (if enabled) is checked before any send attempt.
|
|
|
|
|
|
Drawbacks
|
|
|
-
|
|
|
+---------
|
|
|
|
|
|
Using the destination blacklist will cause some performance degradation,
|
|
|
especially on multi cpu machines. If you don't need it you can easily
|
|
|
- disable it, either in ser's config or at compile time. Disabling it at
|
|
|
- compile time is slightly better (but not in a "measurable" way) then
|
|
|
- disabling it at runtime, from the config file.
|
|
|
- Whether the destination blacklist is better to be on or off depends a lot
|
|
|
- on the setup. In general is better to turn it on when:
|
|
|
- - sending to clients that don't respond is expensive (e.g. lots of clients
|
|
|
- use tcp and they have the habit of silently discarding tcp traffic from time
|
|
|
- to time)
|
|
|
- - statefull forwarding is used (tm) and lower memory usage is desired
|
|
|
- (a transaction will fail immediately if the destination is already
|
|
|
- blacklisted by a previous transaction to the same destination that failed
|
|
|
- due to timeout)
|
|
|
- - faster dns failover is desired, especially when statefull forwarding (tm)
|
|
|
- and udp are used
|
|
|
- - better chances of DOS survival are important
|
|
|
+ disable it, either in sip-router's config or at compile time. Disabling it at
|
|
|
+ compile time is slightly better (but not in a "measurable" way) than
|
|
|
+ disabling it at runtime, from the config file.
|
|
|
|
|
|
+ Whether the destination blacklist is a good solution for you depends a lot
|
|
|
+ on the setup. In general it is better to turn it on when:
|
|
|
+ - sending to clients that don't respond is expensive (e.g. lots of clients
|
|
|
+ use tcp and they have the habit of silently discarding tcp traffic from time
|
|
|
+ to time)
|
|
|
+ - stateful forwarding is used (tm) and lower memory usage is desired
|
|
|
+ (a transaction will fail immediately if the destination is already
|
|
|
+ blacklisted by a previous transaction to the same destination that failed
|
|
|
+ due to timeout)
|
|
|
+ - faster dns failover is desired, especially when stateful forwarding (tm)
|
|
|
+ and UDP are used
|
|
|
+ - better chances of DOS attack survival are important
|
|
|
|
|
|
Config Variables
|
|
|
+----------------
|
|
|
|
|
|
use_dst_blacklist = on | off (default off) - enable the destination blacklist:
|
|
|
- if on each failed send attempt will cause the destination to be blacklisted.
|
|
|
- Before any send this blacklist will be checked and if a match is found the
|
|
|
+ If on each failed send attempt will cause the destination to be blacklisted.
|
|
|
+ Before any send operation this blacklist will be checked and if a match is found the
|
|
|
send is no longer attempted (an error is returned immediately).
|
|
|
Note: using the blacklist incurs a small performance penalty.
|
|
|
|
|
|
dst_blacklist_mem = size in Kb (default 250 Kb) - maximum
|
|
|
shared memory amount used for keeping the blacklisted destinations.
|
|
|
|
|
|
- dst_blacklist_expire = time in s (default 60 s) - how much time a
|
|
|
+ dst_blacklist_expire = time in s (default 60 s) - how long time a
|
|
|
blacklisted destination will be kept in the blacklist (w/o any update).
|
|
|
|
|
|
dst_blacklist_gc_interval = time in s (default 60 s) - how often the
|
|
|
garbage collection will run (eliminating old, expired entries).
|
|
|
|
|
|
dst_blacklist_init = on | off (default on) - if off, the blacklist
|
|
|
- is not initialized at startup and cannot be enabled runtime,
|
|
|
- that saves some memory.
|
|
|
+ is not initialized at startup and cannot be enabled at runtime,
|
|
|
+ which saves some memory.
|
|
|
|
|
|
-Compile Options
|
|
|
+Compile Time Options
|
|
|
+--------------------
|
|
|
|
|
|
USE_DST_BLACKLIST - if defined the blacklist support will be compiled-in
|
|
|
(default).
|
|
|
|
|
|
|
|
|
- Note: To remove a compile options, edit ser's Makefile.defs and remove it
|
|
|
- form DEFS list. To add a compile options add it to the make command line,
|
|
|
+ Note: To remove a compile time option, edit the file Makefile.defs and remove
|
|
|
+ USE_DST_BLACKLIST from the list named DEFS.
|
|
|
+ To add a compile time option, just add it to the make command line,
|
|
|
e.g.: make proper; make all extra_defs=-DUSE_DNS_FAILOVER
|
|
|
- or for a permanent solution, edit Makefile.defs and add it to DEFS
|
|
|
- (don't forget to prefix it with -D).
|
|
|
+ or for a permanent solution, edit Makefile.defs and add it to DEFS
|
|
|
+ (don't forget to prefix it with -D).
|
oej