- Print query name and IP address when domain rate limit exceeded.

git-svn-id: file:///svn/unbound/trunk@5117 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2019-02-18 15:53:02 +00:00
parent d1e92a0ebd
commit 91e863138b
4 changed files with 23 additions and 6 deletions


@ -1,6 +1,7 @@
18 February 2019: Wouter 18 February 2019: Wouter
- Print query name with ip_ratelimit exceeded log lines. - Print query name with ip_ratelimit exceeded log lines.
- Spaces instead of tabs in that log message. - Spaces instead of tabs in that log message.
- Print query name and IP address when domain rate limit exceeded.
14 February 2019: Wouter 14 February 2019: Wouter
- Fix capsforid canonical sort qsort callback. - Fix capsforid canonical sort qsort callback.


@ -1448,7 +1448,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
* now will also exceed the rate, keeping cache fresh */ * now will also exceed the rate, keeping cache fresh */
(void)infra_ratelimit_inc(qstate->env->infra_cache, (void)infra_ratelimit_inc(qstate->env->infra_cache,
iq->dp->name, iq->dp->namelen, iq->dp->name, iq->dp->namelen,
*qstate->env->now); *qstate->env->now, &qstate->qinfo,
qstate->reply);
/* see if we are passed through with slip factor */ /* see if we are passed through with slip factor */
if(qstate->env->cfg->ratelimit_factor != 0 && if(qstate->env->cfg->ratelimit_factor != 0 &&
ub_random_max(qstate->env->rnd, ub_random_max(qstate->env->rnd,
@ -2487,7 +2488,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
/* if not forwarding, check ratelimits per delegationpoint name */ /* if not forwarding, check ratelimits per delegationpoint name */
if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) {
if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name,
iq->dp->namelen, *qstate->env->now)) { iq->dp->namelen, *qstate->env->now, &qstate->qinfo,
qstate->reply)) {
lock_basic_lock(&ie->queries_ratelimit_lock); lock_basic_lock(&ie->queries_ratelimit_lock);
ie->num_queries_ratelimited++; ie->num_queries_ratelimited++;
lock_basic_unlock(&ie->queries_ratelimit_lock); lock_basic_unlock(&ie->queries_ratelimit_lock);
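Review bot: Neither call site documents that the two new arguments are used only for the log line, or that `qstate->reply` names just the client attached to the query that happened to cross the limit. A short comment above each call, for example `/* qinfo and reply are only used for the ratelimit log line; reply may be absent */`, would stop the logged address being read as the source of the load. The header text "(if any)" suggests the reply pointer can be NULL, and over UDP the source address is unauthenticated, so the logged IP is a triage hint rather than attribution. Both enclosing functions, processInitRequest and processQueryTargets, start and end outside the hunks shown.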


@ -909,7 +909,8 @@ int infra_rate_max(void* data, time_t now)
} }
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow) size_t namelen, time_t timenow, struct query_info* qinfo,
struct comm_reply* replylist)
{ {
int lim, max; int lim, max;
struct lruhash_entry* entry; struct lruhash_entry* entry;
@ -932,9 +933,19 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
lock_rw_unlock(&entry->lock); lock_rw_unlock(&entry->lock);
if(premax < lim && max >= lim) { if(premax < lim && max >= lim) {
char buf[257]; char buf[257], qnm[257], ts[12], cs[12], ip[128];
dname_str(name, buf); dname_str(name, buf);
verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim); dname_str(qinfo->qname, qnm);
sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts));
sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
ip[0]=0;
if(replylist) {
addr_to_str((struct sockaddr_storage *)&replylist->addr,
replylist->addrlen, ip, sizeof(ip));
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
} else {
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
}
} }
return (max < lim); return (max < lim);
} }
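Review bot: `qinfo` is dereferenced unconditionally in the added logging (`dname_str(qinfo->qname, qnm);` and the two `sldns_wire2str_*_buf` calls), while `replylist` a few lines later is guarded with `if(replylist)`. Both callers visible in this commit pass `&qstate->qinfo`, so nothing breaks today, but the parameter is a plain pointer and the new `@param qinfo` text does not say it must be non-NULL. Either wrap the new block in `if(qinfo)` and fall back to the previous `"ratelimit exceeded %s %d"` message, or state the non-NULL requirement in the header comment. Separately, `qnm` is filled from the client's query name and `dname_str` takes no buffer size, so both the 257-byte buffer and the integrity of the log line depend on `dname_str` bounding and escaping its output; a one-line comment recording that assumption would help. The middle of the function lies between the two hunks and is not shown.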


@ -366,12 +366,15 @@ long long infra_get_host_rto(struct infra_cache* infra,
* @param name: zone name * @param name: zone name
* @param namelen: zone name length * @param namelen: zone name length
* @param timenow: what time it is now. * @param timenow: what time it is now.
* @param qinfo: for logging, query name.
* @param replylist: for logging, querier's address (if any).
* @return 1 if it could be incremented. 0 if the increment overshot the * @return 1 if it could be incremented. 0 if the increment overshot the
* ratelimit or if in the previous second the ratelimit was exceeded. * ratelimit or if in the previous second the ratelimit was exceeded.
* Failures like alloc failures are not returned (probably as 1). * Failures like alloc failures are not returned (probably as 1).
*/ */
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow); size_t namelen, time_t timenow, struct query_info* qinfo,
struct comm_reply* replylist);
/** /**
* Decrement the query rate counter for a delegation point. * Decrement the query rate counter for a delegation point.