- For #762: Interaction between DNS Cookies and source IP ratelimiting
by allowing Cookies to bypass the ratelimit, but still allowing a ratelimit for valid DNS Cookie clients via the new ip-ratelimit-cookie option.
This commit is contained in:
parent
81e219827e
commit
49e4258102
@ -1319,6 +1319,40 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
|
|||||||
worker, repinfo, acladdr, ede, check_result);
|
worker, repinfo, acladdr, ede, check_result);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Returns 1 if the ip rate limit check can happen before EDNS parsing,
|
||||||
|
* else 0 */
|
||||||
|
static int
|
||||||
|
pre_edns_ip_ratelimit_check(enum acl_access acl)
|
||||||
|
{
|
||||||
|
if(acl == acl_allow_cookie) return 0;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Check if the query is blocked by source IP rate limiting.
|
||||||
|
* Returns 1 if it passes the check, 0 otherwise. */
|
||||||
|
static int
|
||||||
|
check_ip_ratelimit(struct worker* worker, struct sockaddr_storage* addr,
|
||||||
|
socklen_t addrlen, int has_cookie, sldns_buffer* pkt)
|
||||||
|
{
|
||||||
|
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, addr, addrlen,
|
||||||
|
*worker->env.now, has_cookie,
|
||||||
|
worker->env.cfg->ip_ratelimit_backoff, pkt)) {
|
||||||
|
/* See if we can pass through with slip factor */
|
||||||
|
if(!has_cookie && worker->env.cfg->ip_ratelimit_factor != 0 &&
|
||||||
|
ub_random_max(worker->env.rnd,
|
||||||
|
worker->env.cfg->ip_ratelimit_factor) == 0) {
|
||||||
|
char addrbuf[128];
|
||||||
|
addr_to_str(addr, addrlen, addrbuf, sizeof(addrbuf));
|
||||||
|
verbose(VERB_QUERY, "ip_ratelimit allowed through for "
|
||||||
|
"ip address %s because of slip in "
|
||||||
|
"ip_ratelimit_factor", addrbuf);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
worker_handle_request(struct comm_point* c, void* arg, int error,
|
worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||||
struct comm_reply* repinfo)
|
struct comm_reply* repinfo)
|
||||||
@ -1332,6 +1366,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||||||
struct edns_option* original_edns_list = NULL;
|
struct edns_option* original_edns_list = NULL;
|
||||||
enum acl_access acl;
|
enum acl_access acl;
|
||||||
struct acl_addr* acladdr;
|
struct acl_addr* acladdr;
|
||||||
|
int pre_edns_ip_ratelimit = 1;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
int need_drop = 0;
|
int need_drop = 0;
|
||||||
int is_expired_answer = 0;
|
int is_expired_answer = 0;
|
||||||
@ -1456,33 +1491,21 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||||||
}
|
}
|
||||||
|
|
||||||
worker->stats.num_queries++;
|
worker->stats.num_queries++;
|
||||||
|
pre_edns_ip_ratelimit = pre_edns_ip_ratelimit_check(acl);
|
||||||
|
|
||||||
/* check if this query should be dropped based on source ip rate limiting
|
/* If the IP rate limiting check needs extra EDNS information (e.g.,
|
||||||
* NOTE: we always check the repinfo->client_address. IP ratelimiting is
|
* DNS Cookies) postpone the check until after EDNS is parsed. */
|
||||||
* implicitly disabled for proxies. */
|
if(pre_edns_ip_ratelimit) {
|
||||||
if(!infra_ip_ratelimit_inc(worker->env.infra_cache,
|
/* NOTE: we always check the repinfo->client_address.
|
||||||
&repinfo->client_addr, repinfo->client_addrlen,
|
* IP ratelimiting is implicitly disabled for proxies. */
|
||||||
*worker->env.now,
|
if(!check_ip_ratelimit(worker, &repinfo->client_addr,
|
||||||
worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
|
repinfo->client_addrlen, 0, c->buffer)) {
|
||||||
/* See if we are passed through with slip factor */
|
|
||||||
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
|
|
||||||
ub_random_max(worker->env.rnd,
|
|
||||||
worker->env.cfg->ip_ratelimit_factor) == 0) {
|
|
||||||
char addrbuf[128];
|
|
||||||
addr_to_str(&repinfo->client_addr,
|
|
||||||
repinfo->client_addrlen, addrbuf,
|
|
||||||
sizeof(addrbuf));
|
|
||||||
verbose(VERB_QUERY, "ip_ratelimit allowed through for "
|
|
||||||
"ip address %s because of slip in "
|
|
||||||
"ip_ratelimit_factor", addrbuf);
|
|
||||||
} else {
|
|
||||||
worker->stats.num_queries_ip_ratelimited++;
|
worker->stats.num_queries_ip_ratelimited++;
|
||||||
comm_point_drop_reply(repinfo);
|
comm_point_drop_reply(repinfo);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* see if query is in the cache */
|
|
||||||
if(!query_info_parse(&qinfo, c->buffer)) {
|
if(!query_info_parse(&qinfo, c->buffer)) {
|
||||||
verbose(VERB_ALGO, "worker parse request: formerror.");
|
verbose(VERB_ALGO, "worker parse request: formerror.");
|
||||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||||
@ -1579,6 +1602,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* If the IP rate limiting check was postponed, check now. */
|
||||||
|
if(!pre_edns_ip_ratelimit) {
|
||||||
|
/* NOTE: we always check the repinfo->client_address.
|
||||||
|
* IP ratelimiting is implicitly disabled for proxies. */
|
||||||
|
if(!check_ip_ratelimit(worker, &repinfo->client_addr,
|
||||||
|
repinfo->client_addrlen, edns.cookie_valid,
|
||||||
|
c->buffer)) {
|
||||||
|
worker->stats.num_queries_ip_ratelimited++;
|
||||||
|
comm_point_drop_reply(repinfo);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* "if, else if" sequence below deals with downstream DNS Cookies */
|
/* "if, else if" sequence below deals with downstream DNS Cookies */
|
||||||
if(acl != acl_allow_cookie)
|
if(acl != acl_allow_cookie)
|
||||||
; /* pass; No cookie downstream processing whatsoever */
|
; /* pass; No cookie downstream processing whatsoever */
|
||||||
|
@ -747,6 +747,10 @@ generated DNS Cookie, allowing clients to retry with that DNS Cookie.
|
|||||||
The \fIallow_cookie\fR action will also accept requests over stateful
|
The \fIallow_cookie\fR action will also accept requests over stateful
|
||||||
transports, regardless of the presence of an DNS Cookie and regardless of the
|
transports, regardless of the presence of an DNS Cookie and regardless of the
|
||||||
\fBanswer\-cookie\fR setting.
|
\fBanswer\-cookie\fR setting.
|
||||||
|
If \fBip\-ratelimit\fR is used, clients with a valid DNS Cookie will bypass the
|
||||||
|
ratelimit.
|
||||||
|
If a ratelimit for such clients is still needed, \fBip\-ratelimit\-cookie\fR
|
||||||
|
can be used instead.
|
||||||
.IP
|
.IP
|
||||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||||
@ -1816,11 +1820,27 @@ A value of 0 will disable ratelimiting for domain names that end in this name.
|
|||||||
.TP 5
|
.TP 5
|
||||||
.B ip\-ratelimit: \fI<number or 0>
|
.B ip\-ratelimit: \fI<number or 0>
|
||||||
Enable global ratelimiting of queries accepted per IP address.
|
Enable global ratelimiting of queries accepted per IP address.
|
||||||
If 0, the default, it is disabled. This option is experimental at this time.
|
This option is experimental at this time.
|
||||||
The ratelimit is in queries per second that are allowed. More queries are
|
The ratelimit is in queries per second that are allowed. More queries are
|
||||||
completely dropped and will not receive a reply, SERVFAIL or otherwise.
|
completely dropped and will not receive a reply, SERVFAIL or otherwise.
|
||||||
IP ratelimiting happens before looking in the cache. This may be useful for
|
IP ratelimiting happens before looking in the cache. This may be useful for
|
||||||
mitigating amplification attacks.
|
mitigating amplification attacks.
|
||||||
|
Default is 0 (disabled).
|
||||||
|
.TP 5
|
||||||
|
.B ip\-ratelimit\-cookie: \fI<number or 0>
|
||||||
|
Enable global ratelimiting of queries accepted per IP address with a valid DNS
|
||||||
|
Cookie.
|
||||||
|
This option is experimental at this time.
|
||||||
|
The ratelimit is in queries per second that are allowed.
|
||||||
|
More queries are completely dropped and will not receive a reply, SERVFAIL or
|
||||||
|
otherwise.
|
||||||
|
IP ratelimiting happens before looking in the cache.
|
||||||
|
This option could be useful in combination with \fIallow_cookie\fR in an
|
||||||
|
attempt to mitigate other amplification attacks than UDP reflections (e.g.,
|
||||||
|
attacks targeting Unbound itself) which are already handled with DNS Cookies.
|
||||||
|
If used, the value is suggested to be higher than \fBip\-ratelimit\fR e.g.,
|
||||||
|
tenfold.
|
||||||
|
Default is 0 (disabled).
|
||||||
.TP 5
|
.TP 5
|
||||||
.B ip\-ratelimit\-size: \fI<memory size>
|
.B ip\-ratelimit\-size: \fI<memory size>
|
||||||
Give the size of the data structure in which the current ongoing rates are
|
Give the size of the data structure in which the current ongoing rates are
|
||||||
|
75
services/cache/infra.c
vendored
75
services/cache/infra.c
vendored
@ -67,6 +67,11 @@ int infra_dp_ratelimit = 0;
|
|||||||
* in queries per second. */
|
* in queries per second. */
|
||||||
int infra_ip_ratelimit = 0;
|
int infra_ip_ratelimit = 0;
|
||||||
|
|
||||||
|
/** ratelimit value for client ip addresses,
|
||||||
|
* in queries per second.
|
||||||
|
* For clients with a valid DNS Cookie. */
|
||||||
|
int infra_ip_ratelimit_cookie = 0;
|
||||||
|
|
||||||
size_t
|
size_t
|
||||||
infra_sizefunc(void* k, void* ATTR_UNUSED(d))
|
infra_sizefunc(void* k, void* ATTR_UNUSED(d))
|
||||||
{
|
{
|
||||||
@ -1051,9 +1056,50 @@ infra_get_mem(struct infra_cache* infra)
|
|||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Returns 1 if the limit has not been exceeded, 0 otherwise. */
|
||||||
|
static int
|
||||||
|
check_ip_ratelimit(struct sockaddr_storage* addr, socklen_t addrlen,
|
||||||
|
struct sldns_buffer* buffer, int premax, int max, int has_cookie)
|
||||||
|
{
|
||||||
|
int limit;
|
||||||
|
|
||||||
|
if(has_cookie) limit = infra_ip_ratelimit_cookie;
|
||||||
|
else limit = infra_ip_ratelimit;
|
||||||
|
|
||||||
|
/* Disabled */
|
||||||
|
if(limit == 0) return 1;
|
||||||
|
|
||||||
|
if(premax <= limit && max > limit) {
|
||||||
|
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
||||||
|
addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
|
||||||
|
qnm[0]=0;
|
||||||
|
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
||||||
|
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
||||||
|
(void)sldns_wire2str_rrquestion_buf(
|
||||||
|
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
|
||||||
|
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
|
||||||
|
qnm, sizeof(qnm));
|
||||||
|
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
|
||||||
|
qnm[strlen(qnm)-1] = 0; /*remove newline*/
|
||||||
|
if(strchr(qnm, '\t'))
|
||||||
|
*strchr(qnm, '\t') = ' ';
|
||||||
|
if(strchr(qnm, '\t'))
|
||||||
|
*strchr(qnm, '\t') = ' ';
|
||||||
|
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s %s",
|
||||||
|
client_ip, limit,
|
||||||
|
has_cookie?"(cookie)":"", qnm);
|
||||||
|
} else {
|
||||||
|
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s (no query name)",
|
||||||
|
client_ip, limit,
|
||||||
|
has_cookie?"(cookie)":"");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return (max <= limit);
|
||||||
|
}
|
||||||
|
|
||||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||||
int backoff, struct sldns_buffer* buffer)
|
int has_cookie, int backoff, struct sldns_buffer* buffer)
|
||||||
{
|
{
|
||||||
int max;
|
int max;
|
||||||
struct lruhash_entry* entry;
|
struct lruhash_entry* entry;
|
||||||
@ -1070,31 +1116,8 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
|||||||
(*cur)++;
|
(*cur)++;
|
||||||
max = infra_rate_max(entry->data, timenow, backoff);
|
max = infra_rate_max(entry->data, timenow, backoff);
|
||||||
lock_rw_unlock(&entry->lock);
|
lock_rw_unlock(&entry->lock);
|
||||||
|
return check_ip_ratelimit(addr, addrlen, buffer, premax, max,
|
||||||
if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) {
|
has_cookie);
|
||||||
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
|
||||||
addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
|
|
||||||
qnm[0]=0;
|
|
||||||
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
|
||||||
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
|
||||||
(void)sldns_wire2str_rrquestion_buf(
|
|
||||||
sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
|
|
||||||
sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
|
|
||||||
qnm, sizeof(qnm));
|
|
||||||
if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
|
|
||||||
qnm[strlen(qnm)-1] = 0; /*remove newline*/
|
|
||||||
if(strchr(qnm, '\t'))
|
|
||||||
*strchr(qnm, '\t') = ' ';
|
|
||||||
if(strchr(qnm, '\t'))
|
|
||||||
*strchr(qnm, '\t') = ' ';
|
|
||||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
|
|
||||||
client_ip, infra_ip_ratelimit, qnm);
|
|
||||||
} else {
|
|
||||||
verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
|
|
||||||
client_ip, infra_ip_ratelimit);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return (max <= infra_ip_ratelimit);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* create */
|
/* create */
|
||||||
|
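Review bot: The new static helper in infra.c is named `check_ip_ratelimit`, the same name as the static helper added to the worker earlier in this commit (`check_ip_ratelimit(struct worker* worker, ...)`), with a different signature; two same-named statics in different translation units are legal but confuse grep, backtraces and future readers, so a distinct name such as `infra_check_ip_ratelimit` (constructed suggestion) would help. The one-line header comment should also state what the hunk shows: `has_cookie` selects `infra_ip_ratelimit_cookie` as the limit, a limit of 0 makes the check always pass (`/* Disabled */ if(limit == 0) return 1;`), and, as far as this hunk shows, the per-address counter incremented by `(*cur)++` in `infra_ip_ratelimit_inc` is the same for cookie and non-cookie queries, only the limit compared against differs. The `int limit;` followed by `if/else` can be one initialised declaration, `int limit = has_cookie ? infra_ip_ratelimit_cookie : infra_ip_ratelimit;`, which also avoids an uninitialised local.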
5
services/cache/infra.h
vendored
5
services/cache/infra.h
vendored
@ -153,6 +153,8 @@ struct rate_key {
|
|||||||
|
|
||||||
/** ip ratelimit, 0 is off */
|
/** ip ratelimit, 0 is off */
|
||||||
extern int infra_ip_ratelimit;
|
extern int infra_ip_ratelimit;
|
||||||
|
/** ip ratelimit for DNS Cookie clients, 0 is off */
|
||||||
|
extern int infra_ip_ratelimit_cookie;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* key for ip_ratelimit lookups, a source IP.
|
* key for ip_ratelimit lookups, a source IP.
|
||||||
@ -419,13 +421,14 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
|
|||||||
* @param addr: client address
|
* @param addr: client address
|
||||||
* @param addrlen: client address length
|
* @param addrlen: client address length
|
||||||
* @param timenow: what time it is now.
|
* @param timenow: what time it is now.
|
||||||
|
* @param has_cookie: if the request came with a DNS Cookie.
|
||||||
* @param backoff: if backoff is enabled.
|
* @param backoff: if backoff is enabled.
|
||||||
* @param buffer: with query for logging.
|
* @param buffer: with query for logging.
|
||||||
* @return 1 if it could be incremented. 0 if the increment overshot the
|
* @return 1 if it could be incremented. 0 if the increment overshot the
|
||||||
* ratelimit and the query should be dropped. */
|
* ratelimit and the query should be dropped. */
|
||||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||||
int backoff, struct sldns_buffer* buffer);
|
int has_cookie, int backoff, struct sldns_buffer* buffer);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get memory used by the infra cache.
|
* Get memory used by the infra cache.
|
||||||
|
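Review bot: The new `@param has_cookie` line says "if the request came with a DNS Cookie", but the worker passes `edns.cookie_valid` (and 0 on the pre-EDNS path), so the contract is about a valid cookie; suggest `* @param has_cookie: if the request came with a valid DNS Cookie; then infra_ip_ratelimit_cookie is the limit instead of infra_ip_ratelimit.`. Likewise the new extern's comment `/** ip ratelimit for DNS Cookie clients, 0 is off */` would be clearer as `/** ip ratelimit for clients with a valid DNS Cookie, 0 is off (such clients are then not ratelimited at all) */`, since with the default of 0 the check in infra.c returns 1 immediately for cookie queries. The `@return` text could mention that the 1/0 result now depends on which of the two limits applies.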
2
testdata/edns_downstream_cookies.rpl
vendored
2
testdata/edns_downstream_cookies.rpl
vendored
@ -134,7 +134,7 @@ HEX_EDNSDATA_BEGIN
|
|||||||
00 0a ; Opcode 10
|
00 0a ; Opcode 10
|
||||||
00 18 ; Length 24
|
00 18 ; Length 24
|
||||||
31 32 33 34 35 36 37 38 ; Random bits
|
31 32 33 34 35 36 37 38 ; Random bits
|
||||||
01 00 00 00 ; wrong version
|
01 00 00 00 ; Version/Reserved
|
||||||
00 00 00 00 ; Timestamp
|
00 00 00 00 ; Timestamp
|
||||||
38 52 7b a8 c6 a4 ea 96 ; Hash
|
38 52 7b a8 c6 a4 ea 96 ; Hash
|
||||||
HEX_EDNSDATA_END
|
HEX_EDNSDATA_END
|
||||||
|
28
testdata/ip_ratelimit.tdir/ip_ratelimit.conf
vendored
Normal file
28
testdata/ip_ratelimit.tdir/ip_ratelimit.conf
vendored
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
server:
|
||||||
|
verbosity: 5
|
||||||
|
# num-threads: 1
|
||||||
|
interface: 127.0.0.1
|
||||||
|
port: @PORT@
|
||||||
|
use-syslog: no
|
||||||
|
directory: .
|
||||||
|
pidfile: "unbound.pid"
|
||||||
|
chroot: ""
|
||||||
|
username: ""
|
||||||
|
local-data: "test. IN TXT localdata"
|
||||||
|
|
||||||
|
ip-ratelimit: 1
|
||||||
|
ip-ratelimit-cookie: 0
|
||||||
|
ip-ratelimit-factor: 0
|
||||||
|
ip-ratelimit-backoff: yes
|
||||||
|
answer-cookie: yes
|
||||||
|
access-control: 127.0.0.0/8 allow_cookie
|
||||||
|
|
||||||
|
remote-control:
|
||||||
|
control-enable: yes
|
||||||
|
control-interface: 127.0.0.1
|
||||||
|
# control-interface: ::1
|
||||||
|
control-port: @CONTROL_PORT@
|
||||||
|
server-key-file: "unbound_server.key"
|
||||||
|
server-cert-file: "unbound_server.pem"
|
||||||
|
control-key-file: "unbound_control.key"
|
||||||
|
control-cert-file: "unbound_control.pem"
|
16
testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
vendored
Normal file
16
testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
vendored
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
BaseName: ip_ratelimit
|
||||||
|
Version: 1.0
|
||||||
|
Description: Test IP source ratelimit.
|
||||||
|
CreationDate: Tue Aug 8 00:00:00 CET 2023
|
||||||
|
Maintainer: Yorgos Thessalonikefs
|
||||||
|
Category:
|
||||||
|
Component:
|
||||||
|
CmdDepends:
|
||||||
|
Depends:
|
||||||
|
Help:
|
||||||
|
Pre: ip_ratelimit.pre
|
||||||
|
Post: ip_ratelimit.post
|
||||||
|
Test: ip_ratelimit.test
|
||||||
|
AuxFiles:
|
||||||
|
Passed:
|
||||||
|
Failure:
|
13
testdata/ip_ratelimit.tdir/ip_ratelimit.post
vendored
Normal file
13
testdata/ip_ratelimit.tdir/ip_ratelimit.post
vendored
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# #-- ip_ratelimit.post --#
|
||||||
|
# source the master var file when it's there
|
||||||
|
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||||
|
# source the test var file when it's there
|
||||||
|
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||||
|
#
|
||||||
|
# do your teardown here
|
||||||
|
. ../common.sh
|
||||||
|
kill_pid $UNBOUND_PID
|
||||||
|
if test -f unbound.log; then
|
||||||
|
echo ">>> unbound log"
|
||||||
|
cat unbound.log
|
||||||
|
fi
|
24
testdata/ip_ratelimit.tdir/ip_ratelimit.pre
vendored
Normal file
24
testdata/ip_ratelimit.tdir/ip_ratelimit.pre
vendored
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
# #-- ip_ratelimit.pre--#
|
||||||
|
# source the master var file when it's there
|
||||||
|
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||||
|
# use .tpkg.var.test for in test variable passing
|
||||||
|
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||||
|
|
||||||
|
PRE="../.."
|
||||||
|
. ../common.sh
|
||||||
|
get_random_port 2
|
||||||
|
UNBOUND_PORT=$RND_PORT
|
||||||
|
CONTROL_PORT=$(($RND_PORT + 1))
|
||||||
|
echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
|
||||||
|
echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
|
||||||
|
|
||||||
|
# make config file
|
||||||
|
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ip_ratelimit.conf > ub.conf
|
||||||
|
# start unbound in the background
|
||||||
|
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
|
||||||
|
UNBOUND_PID=$!
|
||||||
|
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
|
||||||
|
|
||||||
|
wait_unbound_up unbound.log
|
||||||
|
|
||||||
|
cat .tpkg.var.test
|
159
testdata/ip_ratelimit.tdir/ip_ratelimit.test
vendored
Normal file
159
testdata/ip_ratelimit.tdir/ip_ratelimit.test
vendored
Normal file
@ -0,0 +1,159 @@
|
|||||||
|
# #-- ip_ratelimit.test --#
|
||||||
|
# source the master var file when it's there
|
||||||
|
[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
|
||||||
|
# use .tpkg.var.test for in test variable passing
|
||||||
|
[ -f .tpkg.var.test ] && source .tpkg.var.test
|
||||||
|
|
||||||
|
PRE="../.."
|
||||||
|
. ../common.sh
|
||||||
|
|
||||||
|
get_make
|
||||||
|
(cd $PRE; $MAKE streamtcp)
|
||||||
|
|
||||||
|
# These tests rely on second time precision. To combat false negatives the
|
||||||
|
# tests run multiple times and we allow 1/3 of the runs to fail.
|
||||||
|
total_runs=6
|
||||||
|
success_threshold=4 # 2/3*total_runs
|
||||||
|
|
||||||
|
echo "> First get a valid cookie"
|
||||||
|
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:0102030405060708 +tcp +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
echo "exit status not OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if test `grep "COOKIE: " outfile | wc -l` -ne 1; then
|
||||||
|
echo "Could not get cookie"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`
|
||||||
|
|
||||||
|
successes=0
|
||||||
|
echo "> Three parallel queries with backoff and cookie"
|
||||||
|
# For this test we send three parallel queries. The ratelimit should be reached
|
||||||
|
# for that second. We send a query to verify that there is no reply.
|
||||||
|
# Then for the next second we again send three parallel queries and we expect
|
||||||
|
# none of them to be allowed through because of the backoff logic that keeps
|
||||||
|
# rolling the RATE_WINDOW based on demand.
|
||||||
|
# Again we send another query but with a valid cookie and we expect to receive
|
||||||
|
# an answer.
|
||||||
|
for i in $(seq 1 $total_runs); do
|
||||||
|
# Try to hit limit
|
||||||
|
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
echo "exit status not OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# Expect no answer because of limit
|
||||||
|
dig @127.0.0.1 -p $UNBOUND_PORT +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||||
|
if test "$?" -eq 0; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
# Try to keep limit
|
||||||
|
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
echo "exit status not OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# Expect answer because of DNS cookie
|
||||||
|
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
((successes++))
|
||||||
|
# We don't have to wait for all the runs to complete if we know
|
||||||
|
# we passed the threshold.
|
||||||
|
if test $successes -ge $success_threshold; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if test $successes -ge $success_threshold; then
|
||||||
|
echo "Three parallel queries with backoff and cookie OK"
|
||||||
|
else
|
||||||
|
echo "Three parallel queries with backoff and cookie NOT OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Three parallel queries with backoff and cookie NOT OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "> Activating ip-ratelimit-cookie"
|
||||||
|
echo "$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1"
|
||||||
|
$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1
|
||||||
|
if test $? -ne 0; then
|
||||||
|
echo "wrong exit value after success"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
successes=0
|
||||||
|
echo "> Three parallel queries with backoff and cookie with ip-ratelimit-cookie"
|
||||||
|
# This is the exact same test as above with the exception that we don't expect
|
||||||
|
# an answer on the last query because ip-ratelimit-cookie is now enabled.
|
||||||
|
for i in $(seq 1 $total_runs); do
|
||||||
|
# Try to hit limit
|
||||||
|
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
echo "exit status not OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# Expect no answer because of limit
|
||||||
|
dig @127.0.0.1 -p $UNBOUND_PORT +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||||
|
if test "$?" -eq 0; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
# Try to keep limit
|
||||||
|
$PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
|
||||||
|
if test "$?" -ne 0; then
|
||||||
|
echo "exit status not OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Not OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
# Expect no answer because of ip-ratelimit-cookie
|
||||||
|
dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie +retry=0 +time=1 test. TXT >outfile 2>&1
|
||||||
|
if test "$?" -eq 0; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
((successes++))
|
||||||
|
# We don't have to wait for all the runs to complete if we know
|
||||||
|
# we passed the threshold.
|
||||||
|
if test $successes -ge $success_threshold; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if test $successes -ge $success_threshold; then
|
||||||
|
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie OK"
|
||||||
|
else
|
||||||
|
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
|
||||||
|
echo "> cat logfiles"
|
||||||
|
cat outfile
|
||||||
|
cat unbound.log
|
||||||
|
echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
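Review bot: The `continue` branches inside both loops (after "Expect no answer because of limit", "Expect answer because of DNS cookie" and "Expect no answer because of ip-ratelimit-cookie") exit the run silently, so when the 1/3 failure allowance is exhausted the log does not say which step was the flaky one; an `echo "run $i: unexpected result at <step>"` before each `continue` (placeholder text) would make a NOT OK run diagnosable without re-running. The cookie extraction `cookie=\`grep "COOKIE: " outfile | cut -d ' ' -f 3\`` depends on dig's exact output layout, which presumably yields the hex value as the third field; a check that `$cookie` is non-empty before the loops would fail fast if that format changes. Note also that `((successes++))` is bash arithmetic, consistent with the script's use of `source`, so the file should be run with bash rather than a plain POSIX sh.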
39
testdata/ip_ratelimit.tdir/unbound_control.key
vendored
Normal file
39
testdata/ip_ratelimit.tdir/unbound_control.key
vendored
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA
|
||||||
|
1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ
|
||||||
|
F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR
|
||||||
|
ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm
|
||||||
|
vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb
|
||||||
|
IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL
|
||||||
|
cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr
|
||||||
|
lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov
|
||||||
|
15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf
|
||||||
|
LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+
|
||||||
|
Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57
|
||||||
|
YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9
|
||||||
|
whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c
|
||||||
|
lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax
|
||||||
|
tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ
|
||||||
|
U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9
|
||||||
|
Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc
|
||||||
|
Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3
|
||||||
|
ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+
|
||||||
|
1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN
|
||||||
|
b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz
|
||||||
|
ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C
|
||||||
|
TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF
|
||||||
|
tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y
|
||||||
|
aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0
|
||||||
|
A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU
|
||||||
|
LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U
|
||||||
|
R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy
|
||||||
|
7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj
|
||||||
|
7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw
|
||||||
|
jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1
|
||||||
|
BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar
|
||||||
|
kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR
|
||||||
|
qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3
|
||||||
|
VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9
|
||||||
|
MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa
|
||||||
|
C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
22
testdata/ip_ratelimit.tdir/unbound_control.pem
vendored
Normal file
22
testdata/ip_ratelimit.tdir/unbound_control.pem
vendored
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx
|
||||||
|
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw
|
||||||
|
WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA
|
||||||
|
A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv
|
||||||
|
OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj
|
||||||
|
1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl
|
||||||
|
NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht
|
||||||
|
A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/
|
||||||
|
Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB
|
||||||
|
TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/
|
||||||
|
nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My
|
||||||
|
+i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj
|
||||||
|
4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83
|
||||||
|
hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU
|
||||||
|
9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn
|
||||||
|
ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ
|
||||||
|
pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD
|
||||||
|
72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ
|
||||||
|
muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP
|
||||||
|
uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte
|
||||||
|
-----END CERTIFICATE-----
|
39
testdata/ip_ratelimit.tdir/unbound_server.key
vendored
Normal file
39
testdata/ip_ratelimit.tdir/unbound_server.key
vendored
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI
|
||||||
|
0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq
|
||||||
|
GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z
|
||||||
|
uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K
|
||||||
|
WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5
|
||||||
|
FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP
|
||||||
|
q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL
|
||||||
|
A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP
|
||||||
|
7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf
|
||||||
|
XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6
|
||||||
|
iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7
|
||||||
|
2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo
|
||||||
|
MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj
|
||||||
|
WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz
|
||||||
|
O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI
|
||||||
|
IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN
|
||||||
|
qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU
|
||||||
|
dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs
|
||||||
|
bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr
|
||||||
|
YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km
|
||||||
|
7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr
|
||||||
|
gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z
|
||||||
|
5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG
|
||||||
|
ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN
|
||||||
|
oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+
|
||||||
|
s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW
|
||||||
|
zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx
|
||||||
|
ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1
|
||||||
|
oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3
|
||||||
|
BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS
|
||||||
|
mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8
|
||||||
|
kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93
|
||||||
|
7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8
|
||||||
|
RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O
|
||||||
|
jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp
|
||||||
|
O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre
|
||||||
|
MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A==
|
||||||
|
-----END RSA PRIVATE KEY-----
|
22
testdata/ip_ratelimit.tdir/unbound_server.pem
vendored
Normal file
22
testdata/ip_ratelimit.tdir/unbound_server.pem
vendored
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
|
||||||
|
EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
|
||||||
|
WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
|
||||||
|
igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
|
||||||
|
a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
|
||||||
|
4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
|
||||||
|
aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
|
||||||
|
TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
|
||||||
|
uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
|
||||||
|
+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
|
||||||
|
XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
|
||||||
|
dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
|
||||||
|
84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
|
||||||
|
JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
|
||||||
|
fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
|
||||||
|
XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
|
||||||
|
qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
|
||||||
|
sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
|
||||||
|
yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
|
||||||
|
CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
|
||||||
|
-----END CERTIFICATE-----
|
@ -330,6 +330,7 @@ config_create(void)
|
|||||||
cfg->dnstap_bidirectional = 1;
|
cfg->dnstap_bidirectional = 1;
|
||||||
cfg->dnstap_tls = 1;
|
cfg->dnstap_tls = 1;
|
||||||
cfg->disable_dnssec_lame_check = 0;
|
cfg->disable_dnssec_lame_check = 0;
|
||||||
|
cfg->ip_ratelimit_cookie = 0;
|
||||||
cfg->ip_ratelimit = 0;
|
cfg->ip_ratelimit = 0;
|
||||||
cfg->ratelimit = 0;
|
cfg->ratelimit = 0;
|
||||||
cfg->ip_ratelimit_slabs = 4;
|
cfg->ip_ratelimit_slabs = 4;
|
||||||
@ -779,6 +780,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||||||
else S_POW2("dnscrypt-nonce-cache-slabs:",
|
else S_POW2("dnscrypt-nonce-cache-slabs:",
|
||||||
dnscrypt_nonce_cache_slabs)
|
dnscrypt_nonce_cache_slabs)
|
||||||
#endif
|
#endif
|
||||||
|
else if(strcmp(opt, "ip-ratelimit-cookie:") == 0) {
|
||||||
|
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit_cookie = atoi(val);
|
||||||
|
infra_ip_ratelimit_cookie=cfg->ip_ratelimit_cookie;
|
||||||
|
}
|
||||||
else if(strcmp(opt, "ip-ratelimit:") == 0) {
|
else if(strcmp(opt, "ip-ratelimit:") == 0) {
|
||||||
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
|
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
|
||||||
infra_ip_ratelimit=cfg->ip_ratelimit;
|
infra_ip_ratelimit=cfg->ip_ratelimit;
|
||||||
@ -1248,6 +1253,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||||||
else O_LST(opt, "python-script", python_script)
|
else O_LST(opt, "python-script", python_script)
|
||||||
else O_LST(opt, "dynlib-file", dynlib_file)
|
else O_LST(opt, "dynlib-file", dynlib_file)
|
||||||
else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check)
|
else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check)
|
||||||
|
else O_DEC(opt, "ip-ratelimit-cookie", ip_ratelimit_cookie)
|
||||||
else O_DEC(opt, "ip-ratelimit", ip_ratelimit)
|
else O_DEC(opt, "ip-ratelimit", ip_ratelimit)
|
||||||
else O_DEC(opt, "ratelimit", ratelimit)
|
else O_DEC(opt, "ratelimit", ratelimit)
|
||||||
else O_MEM(opt, "ip-ratelimit-size", ip_ratelimit_size)
|
else O_MEM(opt, "ip-ratelimit-size", ip_ratelimit_size)
|
||||||
|
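Review bot: In the `config_set_option` hunk the new `ip-ratelimit-cookie:` branch writes the global `infra_ip_ratelimit_cookie` directly from `cfg->ip_ratelimit_cookie`, mirroring the `ip-ratelimit:` branch, but nothing in this diff shows where that global is seeded from the loaded config on startup or reload; `config_create` only zeroes the `cfg` field. If `infra_ip_ratelimit` is copied into its global somewhere outside this diff (presumably the daemon's config-apply path), the cookie variant needs the same treatment, otherwise a value from the config file would only take effect after a remote `set_option`. Because the header describes 0 as "off" and the commit description says cookie-bearing clients otherwise bypass ip-ratelimit, a stale zero in the global is a silent loss of the limit rather than a visible failure, so it is worth confirming. The branch also inherits `atoi(val)` after `IS_NUMBER_OR_ZERO` from the existing option, so the same input-validation caveat as for `ip-ratelimit:` applies (macro body not in this diff).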
@ -590,6 +590,9 @@ struct config_file {
|
|||||||
|
|
||||||
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
|
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
|
||||||
int ip_ratelimit;
|
int ip_ratelimit;
|
||||||
|
/** ratelimit for ip addresses with a valid DNS Cookie. 0 is off,
|
||||||
|
* otherwise qps (unless overridden) */
|
||||||
|
int ip_ratelimit_cookie;
|
||||||
/** number of slabs for ip_ratelimit cache */
|
/** number of slabs for ip_ratelimit cache */
|
||||||
size_t ip_ratelimit_slabs;
|
size_t ip_ratelimit_slabs;
|
||||||
/** memory size in bytes for ip_ratelimit cache */
|
/** memory size in bytes for ip_ratelimit cache */
|
||||||
|
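Review bot: The new field comment for `ip_ratelimit_cookie` says "0 is off" but not what off means for this option, which per the commit description is that clients presenting a valid DNS Cookie are not subject to ip-ratelimit at all rather than falling back to `ip_ratelimit`. Operators enabling `answer-cookie` could reasonably assume `ip-ratelimit` keeps bounding every client, so the header is the right place to state the exemption; suggest `/** ratelimit for ip addresses with a valid DNS Cookie. 0 is off (such clients are then exempt from ip-ratelimit), otherwise qps (unless overridden) */`, with matching wording wherever the option is documented for users.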
@ -507,6 +507,7 @@ dnstap-log-forwarder-response-messages{COLON} {
|
|||||||
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
|
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
|
||||||
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
|
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
|
||||||
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
|
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
|
||||||
|
ip-ratelimit-cookie{COLON} { YDVAR(1, VAR_IP_RATELIMIT_COOKIE) }
|
||||||
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
|
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
|
||||||
ip-ratelimit-slabs{COLON} { YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
|
ip-ratelimit-slabs{COLON} { YDVAR(1, VAR_IP_RATELIMIT_SLABS) }
|
||||||
ratelimit-slabs{COLON} { YDVAR(1, VAR_RATELIMIT_SLABS) }
|
ratelimit-slabs{COLON} { YDVAR(1, VAR_RATELIMIT_SLABS) }
|
||||||
|
@ -184,7 +184,7 @@ extern struct config_parser_state* cfg_parser;
|
|||||||
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
|
%token VAR_FALLBACK_ENABLED VAR_TLS_ADDITIONAL_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
|
||||||
%token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
|
%token VAR_FAST_SERVER_PERMIL VAR_FAST_SERVER_NUM
|
||||||
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
|
%token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT VAR_TCP_CONNECTION_LIMIT
|
||||||
%token VAR_ANSWER_COOKIE VAR_COOKIE_SECRET
|
%token VAR_ANSWER_COOKIE VAR_COOKIE_SECRET VAR_IP_RATELIMIT_COOKIE
|
||||||
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
|
%token VAR_FORWARD_NO_CACHE VAR_STUB_NO_CACHE VAR_LOG_SERVFAIL VAR_DENY_ANY
|
||||||
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
|
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
|
||||||
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
|
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
|
||||||
@ -325,7 +325,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
|||||||
server_unknown_server_time_limit | server_log_tag_queryreply |
|
server_unknown_server_time_limit | server_log_tag_queryreply |
|
||||||
server_stream_wait_size | server_tls_ciphers |
|
server_stream_wait_size | server_tls_ciphers |
|
||||||
server_tls_ciphersuites | server_tls_session_ticket_keys |
|
server_tls_ciphersuites | server_tls_session_ticket_keys |
|
||||||
server_answer_cookie | server_cookie_secret |
|
server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie |
|
||||||
server_tls_use_sni | server_edns_client_string |
|
server_tls_use_sni | server_edns_client_string |
|
||||||
server_edns_client_string_opcode | server_nsid |
|
server_edns_client_string_opcode | server_nsid |
|
||||||
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
|
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
|
||||||
@ -1163,7 +1163,7 @@ server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
|
|||||||
yyerror("expected yes or no.");
|
yyerror("expected yes or no.");
|
||||||
else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
|
else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
|
||||||
free($2);
|
free($2);
|
||||||
}
|
};
|
||||||
server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
|
server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_http_notls_downstream:%s)\n", $2));
|
OUTYY(("P(server_http_notls_downstream:%s)\n", $2));
|
||||||
@ -2210,6 +2210,7 @@ server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG
|
|||||||
(strcmp($2, "yes")==0);
|
(strcmp($2, "yes")==0);
|
||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
|
;
|
||||||
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_key_cache_size:%s)\n", $2));
|
OUTYY(("P(server_key_cache_size:%s)\n", $2));
|
||||||
@ -2567,6 +2568,15 @@ server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG
|
|||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
server_ip_ratelimit_cookie: VAR_IP_RATELIMIT_COOKIE STRING_ARG
|
||||||
|
{
|
||||||
|
OUTYY(("P(server_ip_ratelimit_cookie:%s)\n", $2));
|
||||||
|
if(atoi($2) == 0 && strcmp($2, "0") != 0)
|
||||||
|
yyerror("number expected");
|
||||||
|
else cfg_parser->cfg->ip_ratelimit_cookie = atoi($2);
|
||||||
|
free($2);
|
||||||
|
}
|
||||||
|
;
|
||||||
server_ratelimit: VAR_RATELIMIT STRING_ARG
|
server_ratelimit: VAR_RATELIMIT STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_ratelimit:%s)\n", $2));
|
OUTYY(("P(server_ratelimit:%s)\n", $2));
|
||||||
@ -3520,6 +3530,7 @@ py_script: VAR_PYTHON_SCRIPT STRING_ARG
|
|||||||
if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2))
|
if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2))
|
||||||
yyerror("out of memory");
|
yyerror("out of memory");
|
||||||
}
|
}
|
||||||
|
;
|
||||||
dynlibstart: VAR_DYNLIB
|
dynlibstart: VAR_DYNLIB
|
||||||
{
|
{
|
||||||
OUTYY(("\nP(dynlib:)\n"));
|
OUTYY(("\nP(dynlib:)\n"));
|
||||||
@ -3536,6 +3547,7 @@ dl_file: VAR_DYNLIB_FILE STRING_ARG
|
|||||||
if(!cfg_strlist_append_ex(&cfg_parser->cfg->dynlib_file, $2))
|
if(!cfg_strlist_append_ex(&cfg_parser->cfg->dynlib_file, $2))
|
||||||
yyerror("out of memory");
|
yyerror("out of memory");
|
||||||
}
|
}
|
||||||
|
;
|
||||||
server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG
|
server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(disable_dnssec_lame_check:%s)\n", $2));
|
OUTYY(("P(disable_dnssec_lame_check:%s)\n", $2));
|
||||||
@ -3596,7 +3608,6 @@ dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
|
|||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
|
||||||
dnsc_dnscrypt_port: VAR_DNSCRYPT_PORT STRING_ARG
|
dnsc_dnscrypt_port: VAR_DNSCRYPT_PORT STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(dnsc_dnscrypt_port:%s)\n", $2));
|
OUTYY(("P(dnsc_dnscrypt_port:%s)\n", $2));
|
||||||
@ -3828,6 +3839,7 @@ server_cookie_secret: VAR_COOKIE_SECRET STRING_ARG
|
|||||||
}
|
}
|
||||||
free($2);
|
free($2);
|
||||||
}
|
}
|
||||||
|
;
|
||||||
ipsetstart: VAR_IPSET
|
ipsetstart: VAR_IPSET
|
||||||
{
|
{
|
||||||
OUTYY(("\nP(ipset:)\n"));
|
OUTYY(("\nP(ipset:)\n"));
|
||||||
|
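Review bot: The new `server_ip_ratelimit_cookie` rule in the `@ -2567` hunk validates its argument with `atoi($2) == 0 && strcmp($2, "0") != 0`, which accepts negative values and numbers with trailing garbage (`-5`, `10x`) without raising `yyerror`; what `infra_ip_ratelimit_inc` does with a negative limit is not visible here. This copies the existing `server_ip_ratelimit` rule, so it is a pre-existing weakness rather than a regression, but a rate limit is a security control and a negative qps has no meaning for it. If tightened, `strtol` with an end pointer would do for both rules, e.g. `errno = 0; long v = strtol($2, &end, 10);` followed by `if(end == $2 || *end != 0 || errno == ERANGE || v < 0 || v > INT_MAX) yyerror("number expected");` with `<errno.h>` and `<limits.h>` in scope, and the `config_set_option` branch in config_file.c would want the same check. The other hunks in this file that add a missing `;` after a rule body or turn `}` into `};` are cosmetic.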