2 * services/cache/infra.c - infrastructure cache, server rtt and capabilities
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
6 * This software is open source.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
39 * This file contains the infrastructure cache.
42 #include "sldns/rrdef.h"
43 #include "sldns/str2wire.h"
44 #include "services/cache/infra.h"
45 #include "util/storage/slabhash.h"
46 #include "util/storage/lookup3.h"
47 #include "util/data/dname.h"
49 #include "util/net_help.h"
50 #include "util/config_file.h"
51 #include "iterator/iterator.h"
53 /** Timeout when only a single probe query per IP is allowed. */
54 #define PROBE_MAXRTO 12000 /* in msec */
56 /** number of timeouts for a type when the domain can be blocked ;
57 * even if another type has completely rtt maxed it, the different type
58 * can do this number of packets (until those all timeout too) */
59 #define TIMEOUT_COUNT_MAX 3
61 /** ratelimit value for delegation point */
62 int infra_dp_ratelimit = 0;
64 /** ratelimit value for client ip addresses,
65 * in queries per second. */
66 int infra_ip_ratelimit = 0;
69 infra_sizefunc(void* k, void* ATTR_UNUSED(d))
71 struct infra_key* key = (struct infra_key*)k;
72 return sizeof(*key) + sizeof(struct infra_data) + key->namelen
73 + lock_get_mem(&key->entry.lock);
77 infra_compfunc(void* key1, void* key2)
79 struct infra_key* k1 = (struct infra_key*)key1;
80 struct infra_key* k2 = (struct infra_key*)key2;
81 int r = sockaddr_cmp(&k1->addr, k1->addrlen, &k2->addr, k2->addrlen);
84 if(k1->namelen != k2->namelen) {
85 if(k1->namelen < k2->namelen)
89 return query_dname_compare(k1->zonename, k2->zonename);
93 infra_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
95 struct infra_key* key = (struct infra_key*)k;
98 lock_rw_destroy(&key->entry.lock);
104 infra_deldatafunc(void* d, void* ATTR_UNUSED(arg))
106 struct infra_data* data = (struct infra_data*)d;
111 rate_sizefunc(void* k, void* ATTR_UNUSED(d))
113 struct rate_key* key = (struct rate_key*)k;
114 return sizeof(*key) + sizeof(struct rate_data) + key->namelen
115 + lock_get_mem(&key->entry.lock);
119 rate_compfunc(void* key1, void* key2)
121 struct rate_key* k1 = (struct rate_key*)key1;
122 struct rate_key* k2 = (struct rate_key*)key2;
123 if(k1->namelen != k2->namelen) {
124 if(k1->namelen < k2->namelen)
128 return query_dname_compare(k1->name, k2->name);
132 rate_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
134 struct rate_key* key = (struct rate_key*)k;
137 lock_rw_destroy(&key->entry.lock);
143 rate_deldatafunc(void* d, void* ATTR_UNUSED(arg))
145 struct rate_data* data = (struct rate_data*)d;
149 /** find or create element in domainlimit tree */
150 static struct domain_limit_data* domain_limit_findcreate(
151 struct infra_cache* infra, char* name)
156 struct domain_limit_data* d;
159 nm = sldns_str2wire_dname(name, &nmlen);
161 log_err("could not parse %s", name);
164 labs = dname_count_labels(nm);
166 /* can we find it? */
167 d = (struct domain_limit_data*)name_tree_find(&infra->domain_limits,
168 nm, nmlen, labs, LDNS_RR_CLASS_IN);
175 d = (struct domain_limit_data*)calloc(1, sizeof(*d));
180 d->node.node.key = &d->node;
184 d->node.dclass = LDNS_RR_CLASS_IN;
187 if(!name_tree_insert(&infra->domain_limits, &d->node, nm, nmlen,
188 labs, LDNS_RR_CLASS_IN)) {
189 log_err("duplicate element in domainlimit tree");
197 /** insert rate limit configuration into lookup tree */
198 static int infra_ratelimit_cfg_insert(struct infra_cache* infra,
199 struct config_file* cfg)
201 struct config_str2list* p;
202 struct domain_limit_data* d;
203 for(p = cfg->ratelimit_for_domain; p; p = p->next) {
204 d = domain_limit_findcreate(infra, p->str);
207 d->lim = atoi(p->str2);
209 for(p = cfg->ratelimit_below_domain; p; p = p->next) {
210 d = domain_limit_findcreate(infra, p->str);
213 d->below = atoi(p->str2);
218 /** setup domain limits tree (0 on failure) */
220 setup_domain_limits(struct infra_cache* infra, struct config_file* cfg)
222 name_tree_init(&infra->domain_limits);
223 if(!infra_ratelimit_cfg_insert(infra, cfg)) {
226 name_tree_init_parents(&infra->domain_limits);
231 infra_create(struct config_file* cfg)
233 struct infra_cache* infra = (struct infra_cache*)calloc(1,
234 sizeof(struct infra_cache));
235 size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
236 sizeof(struct infra_data)+INFRA_BYTES_NAME);
237 infra->hosts = slabhash_create(cfg->infra_cache_slabs,
238 INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
239 &infra_delkeyfunc, &infra_deldatafunc, NULL);
244 infra->host_ttl = cfg->host_ttl;
245 infra_dp_ratelimit = cfg->ratelimit;
246 infra->domain_rates = slabhash_create(cfg->ratelimit_slabs,
247 INFRA_HOST_STARTSIZE, cfg->ratelimit_size,
248 &rate_sizefunc, &rate_compfunc, &rate_delkeyfunc,
249 &rate_deldatafunc, NULL);
250 if(!infra->domain_rates) {
254 /* insert config data into ratelimits */
255 if(!setup_domain_limits(infra, cfg)) {
259 infra_ip_ratelimit = cfg->ip_ratelimit;
260 infra->client_ip_rates = slabhash_create(cfg->ip_ratelimit_slabs,
261 INFRA_HOST_STARTSIZE, cfg->ip_ratelimit_size, &ip_rate_sizefunc,
262 &ip_rate_compfunc, &ip_rate_delkeyfunc, &ip_rate_deldatafunc, NULL);
263 if(!infra->client_ip_rates) {
270 /** delete domain_limit entries */
271 static void domain_limit_free(rbnode_type* n, void* ATTR_UNUSED(arg))
274 free(((struct domain_limit_data*)n)->node.name);
280 infra_delete(struct infra_cache* infra)
284 slabhash_delete(infra->hosts);
285 slabhash_delete(infra->domain_rates);
286 traverse_postorder(&infra->domain_limits, domain_limit_free, NULL);
287 slabhash_delete(infra->client_ip_rates);
292 infra_adjust(struct infra_cache* infra, struct config_file* cfg)
296 return infra_create(cfg);
297 infra->host_ttl = cfg->host_ttl;
298 infra_dp_ratelimit = cfg->ratelimit;
299 infra_ip_ratelimit = cfg->ip_ratelimit;
300 maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
301 sizeof(struct infra_data)+INFRA_BYTES_NAME);
302 /* divide cachesize by slabs and multiply by slabs, because if the
303 * cachesize is not an even multiple of slabs, that is the resulting
304 * size of the slabhash */
305 if(!slabhash_is_size(infra->hosts, maxmem, cfg->infra_cache_slabs) ||
306 !slabhash_is_size(infra->domain_rates, cfg->ratelimit_size,
307 cfg->ratelimit_slabs) ||
308 !slabhash_is_size(infra->client_ip_rates, cfg->ip_ratelimit_size,
309 cfg->ip_ratelimit_slabs)) {
311 infra = infra_create(cfg);
313 /* reapply domain limits */
314 traverse_postorder(&infra->domain_limits, domain_limit_free,
316 if(!setup_domain_limits(infra, cfg)) {
324 /** calculate the hash value for a host key
325 * set use_port to a non-0 number to use the port in
326 * the hash calculation; 0 to ignore the port.*/
327 static hashvalue_type
328 hash_addr(struct sockaddr_storage* addr, socklen_t addrlen,
331 hashvalue_type h = 0xab;
332 /* select the pieces to hash, some OS have changing data inside */
333 if(addr_is_ip6(addr, addrlen)) {
334 struct sockaddr_in6* in6 = (struct sockaddr_in6*)addr;
335 h = hashlittle(&in6->sin6_family, sizeof(in6->sin6_family), h);
337 h = hashlittle(&in6->sin6_port, sizeof(in6->sin6_port), h);
339 h = hashlittle(&in6->sin6_addr, INET6_SIZE, h);
341 struct sockaddr_in* in = (struct sockaddr_in*)addr;
342 h = hashlittle(&in->sin_family, sizeof(in->sin_family), h);
344 h = hashlittle(&in->sin_port, sizeof(in->sin_port), h);
346 h = hashlittle(&in->sin_addr, INET_SIZE, h);
351 /** calculate infra hash for a key */
352 static hashvalue_type
353 hash_infra(struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* name)
355 return dname_query_hash(name, hash_addr(addr, addrlen, 1));
358 /** lookup version that does not check host ttl (you check it) */
359 struct lruhash_entry*
360 infra_lookup_nottl(struct infra_cache* infra, struct sockaddr_storage* addr,
361 socklen_t addrlen, uint8_t* name, size_t namelen, int wr)
365 memcpy(&k.addr, addr, addrlen);
368 k.entry.hash = hash_infra(addr, addrlen, name);
369 k.entry.key = (void*)&k;
371 return slabhash_lookup(infra->hosts, k.entry.hash, &k, wr);
374 /** init the data elements */
376 data_entry_init(struct infra_cache* infra, struct lruhash_entry* e,
379 struct infra_data* data = (struct infra_data*)e->data;
380 data->ttl = timenow + infra->host_ttl;
381 rtt_init(&data->rtt);
382 data->edns_version = 0;
383 data->edns_lame_known = 0;
384 data->probedelay = 0;
385 data->isdnsseclame = 0;
387 data->lame_type_A = 0;
388 data->lame_other = 0;
390 data->timeout_AAAA = 0;
391 data->timeout_other = 0;
395 * Create and init a new entry for a host
396 * @param infra: infra structure with config parameters.
397 * @param addr: host address.
398 * @param addrlen: length of addr.
399 * @param name: name of zone
400 * @param namelen: length of name.
401 * @param tm: time now.
402 * @return: the new entry or NULL on malloc failure.
404 static struct lruhash_entry*
405 new_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
406 socklen_t addrlen, uint8_t* name, size_t namelen, time_t tm)
408 struct infra_data* data;
409 struct infra_key* key = (struct infra_key*)malloc(sizeof(*key));
412 data = (struct infra_data*)malloc(sizeof(struct infra_data));
417 key->zonename = memdup(name, namelen);
423 key->namelen = namelen;
424 lock_rw_init(&key->entry.lock);
425 key->entry.hash = hash_infra(addr, addrlen, name);
426 key->entry.key = (void*)key;
427 key->entry.data = (void*)data;
428 key->addrlen = addrlen;
429 memcpy(&key->addr, addr, addrlen);
430 data_entry_init(infra, &key->entry, tm);
435 infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
436 socklen_t addrlen, uint8_t* nm, size_t nmlen, time_t timenow,
437 int* edns_vs, uint8_t* edns_lame_known, int* to)
439 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
441 struct infra_data* data;
443 if(e && ((struct infra_data*)e->data)->ttl < timenow) {
444 /* it expired, try to reuse existing entry */
445 int old = ((struct infra_data*)e->data)->rtt.rto;
446 uint8_t tA = ((struct infra_data*)e->data)->timeout_A;
447 uint8_t tAAAA = ((struct infra_data*)e->data)->timeout_AAAA;
448 uint8_t tother = ((struct infra_data*)e->data)->timeout_other;
449 lock_rw_unlock(&e->lock);
450 e = infra_lookup_nottl(infra, addr, addrlen, nm, nmlen, 1);
452 /* if its still there we have a writelock, init */
454 /* do not touch lameness, it may be valid still */
455 data_entry_init(infra, e, timenow);
457 /* TOP_TIMEOUT remains on reuse */
458 if(old >= USEFUL_SERVER_TOP_TIMEOUT) {
459 ((struct infra_data*)e->data)->rtt.rto
460 = USEFUL_SERVER_TOP_TIMEOUT;
461 ((struct infra_data*)e->data)->timeout_A = tA;
462 ((struct infra_data*)e->data)->timeout_AAAA = tAAAA;
463 ((struct infra_data*)e->data)->timeout_other = tother;
468 /* insert new entry */
469 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
471 data = (struct infra_data*)e->data;
472 *edns_vs = data->edns_version;
473 *edns_lame_known = data->edns_lame_known;
474 *to = rtt_timeout(&data->rtt);
475 slabhash_insert(infra->hosts, e->hash, e, data, NULL);
478 /* use existing entry */
479 data = (struct infra_data*)e->data;
480 *edns_vs = data->edns_version;
481 *edns_lame_known = data->edns_lame_known;
482 *to = rtt_timeout(&data->rtt);
483 if(*to >= PROBE_MAXRTO && rtt_notimeout(&data->rtt)*4 <= *to) {
484 /* delay other queries, this is the probe query */
486 lock_rw_unlock(&e->lock);
487 e = infra_lookup_nottl(infra, addr,addrlen,nm,nmlen, 1);
488 if(!e) { /* flushed from cache real fast, no use to
489 allocate just for the probedelay */
492 data = (struct infra_data*)e->data;
494 /* add 999 to round up the timeout value from msec to sec,
495 * then add a whole second so it is certain that this probe
496 * has timed out before the next is allowed */
497 data->probedelay = timenow + ((*to)+1999)/1000;
499 lock_rw_unlock(&e->lock);
504 infra_set_lame(struct infra_cache* infra, struct sockaddr_storage* addr,
505 socklen_t addrlen, uint8_t* nm, size_t nmlen, time_t timenow,
506 int dnsseclame, int reclame, uint16_t qtype)
508 struct infra_data* data;
509 struct lruhash_entry* e;
510 int needtoinsert = 0;
511 e = infra_lookup_nottl(infra, addr, addrlen, nm, nmlen, 1);
514 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow))) {
515 log_err("set_lame: malloc failure");
519 } else if( ((struct infra_data*)e->data)->ttl < timenow) {
520 /* expired, reuse existing entry */
521 data_entry_init(infra, e, timenow);
523 /* got an entry, now set the zone lame */
524 data = (struct infra_data*)e->data;
525 /* merge data (if any) */
527 data->isdnsseclame = 1;
530 if(!dnsseclame && !reclame && qtype == LDNS_RR_TYPE_A)
531 data->lame_type_A = 1;
532 if(!dnsseclame && !reclame && qtype != LDNS_RR_TYPE_A)
533 data->lame_other = 1;
536 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
537 else { lock_rw_unlock(&e->lock); }
542 infra_update_tcp_works(struct infra_cache* infra,
543 struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* nm,
546 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
548 struct infra_data* data;
550 return; /* doesn't exist */
551 data = (struct infra_data*)e->data;
552 if(data->rtt.rto >= RTT_MAX_TIMEOUT)
553 /* do not disqualify this server altogether, it is better
555 data->rtt.rto = RTT_MAX_TIMEOUT-1000;
556 lock_rw_unlock(&e->lock);
560 infra_rtt_update(struct infra_cache* infra, struct sockaddr_storage* addr,
561 socklen_t addrlen, uint8_t* nm, size_t nmlen, int qtype,
562 int roundtrip, int orig_rtt, time_t timenow)
564 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
566 struct infra_data* data;
567 int needtoinsert = 0;
570 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
573 } else if(((struct infra_data*)e->data)->ttl < timenow) {
574 data_entry_init(infra, e, timenow);
576 /* have an entry, update the rtt */
577 data = (struct infra_data*)e->data;
578 if(roundtrip == -1) {
579 rtt_lost(&data->rtt, orig_rtt);
580 if(qtype == LDNS_RR_TYPE_A) {
581 if(data->timeout_A < TIMEOUT_COUNT_MAX)
583 } else if(qtype == LDNS_RR_TYPE_AAAA) {
584 if(data->timeout_AAAA < TIMEOUT_COUNT_MAX)
585 data->timeout_AAAA++;
587 if(data->timeout_other < TIMEOUT_COUNT_MAX)
588 data->timeout_other++;
591 /* if we got a reply, but the old timeout was above server
592 * selection height, delete the timeout so the server is
593 * fully available again */
594 if(rtt_unclamped(&data->rtt) >= USEFUL_SERVER_TOP_TIMEOUT)
595 rtt_init(&data->rtt);
596 rtt_update(&data->rtt, roundtrip);
597 data->probedelay = 0;
598 if(qtype == LDNS_RR_TYPE_A)
600 else if(qtype == LDNS_RR_TYPE_AAAA)
601 data->timeout_AAAA = 0;
602 else data->timeout_other = 0;
604 if(data->rtt.rto > 0)
608 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
609 else { lock_rw_unlock(&e->lock); }
613 long long infra_get_host_rto(struct infra_cache* infra,
614 struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* nm,
615 size_t nmlen, struct rtt_info* rtt, int* delay, time_t timenow,
616 int* tA, int* tAAAA, int* tother)
618 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
620 struct infra_data* data;
623 data = (struct infra_data*)e->data;
624 if(data->ttl >= timenow) {
625 ttl = (long long)(data->ttl - timenow);
626 memmove(rtt, &data->rtt, sizeof(*rtt));
627 if(timenow < data->probedelay)
628 *delay = (int)(data->probedelay - timenow);
631 *tA = (int)data->timeout_A;
632 *tAAAA = (int)data->timeout_AAAA;
633 *tother = (int)data->timeout_other;
634 lock_rw_unlock(&e->lock);
639 infra_edns_update(struct infra_cache* infra, struct sockaddr_storage* addr,
640 socklen_t addrlen, uint8_t* nm, size_t nmlen, int edns_version,
643 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
645 struct infra_data* data;
646 int needtoinsert = 0;
648 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
651 } else if(((struct infra_data*)e->data)->ttl < timenow) {
652 data_entry_init(infra, e, timenow);
654 /* have an entry, update the rtt, and the ttl */
655 data = (struct infra_data*)e->data;
656 /* do not update if noEDNS and stored is yesEDNS */
657 if(!(edns_version == -1 && (data->edns_version != -1 &&
658 data->edns_lame_known))) {
659 data->edns_version = edns_version;
660 data->edns_lame_known = 1;
664 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
665 else { lock_rw_unlock(&e->lock); }
670 infra_get_lame_rtt(struct infra_cache* infra,
671 struct sockaddr_storage* addr, socklen_t addrlen,
672 uint8_t* name, size_t namelen, uint16_t qtype,
673 int* lame, int* dnsseclame, int* reclame, int* rtt, time_t timenow)
675 struct infra_data* host;
676 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
680 host = (struct infra_data*)e->data;
681 *rtt = rtt_unclamped(&host->rtt);
682 if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
683 && rtt_notimeout(&host->rtt)*4 <= host->rtt.rto) {
684 /* single probe for this domain, and we are not probing */
685 /* unless the query type allows a probe to happen */
686 if(qtype == LDNS_RR_TYPE_A) {
687 if(host->timeout_A >= TIMEOUT_COUNT_MAX)
688 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
689 else *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
690 } else if(qtype == LDNS_RR_TYPE_AAAA) {
691 if(host->timeout_AAAA >= TIMEOUT_COUNT_MAX)
692 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
693 else *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
695 if(host->timeout_other >= TIMEOUT_COUNT_MAX)
696 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
697 else *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
700 if(timenow > host->ttl) {
702 /* see if this can be a re-probe of an unresponsive server */
703 /* minus 1000 because that is outside of the RTTBAND, so
704 * blacklisted servers stay blacklisted if this is chosen */
705 if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
706 lock_rw_unlock(&e->lock);
707 *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000;
713 lock_rw_unlock(&e->lock);
716 /* check lameness first */
717 if(host->lame_type_A && qtype == LDNS_RR_TYPE_A) {
718 lock_rw_unlock(&e->lock);
723 } else if(host->lame_other && qtype != LDNS_RR_TYPE_A) {
724 lock_rw_unlock(&e->lock);
729 } else if(host->isdnsseclame) {
730 lock_rw_unlock(&e->lock);
735 } else if(host->rec_lame) {
736 lock_rw_unlock(&e->lock);
742 /* no lameness for this type of query */
743 lock_rw_unlock(&e->lock);
750 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
753 int labs = dname_count_labels(name);
754 struct domain_limit_data* d = (struct domain_limit_data*)
755 name_tree_lookup(&infra->domain_limits, name, namelen, labs,
757 if(!d) return infra_dp_ratelimit;
759 if(d->node.labs == labs && d->lim != -1)
760 return d->lim; /* exact match */
762 /* find 'below match' */
763 if(d->node.labs == labs)
764 d = (struct domain_limit_data*)d->node.parent;
768 d = (struct domain_limit_data*)d->node.parent;
770 return infra_dp_ratelimit;
773 size_t ip_rate_sizefunc(void* k, void* ATTR_UNUSED(d))
775 struct ip_rate_key* key = (struct ip_rate_key*)k;
776 return sizeof(*key) + sizeof(struct ip_rate_data)
777 + lock_get_mem(&key->entry.lock);
780 int ip_rate_compfunc(void* key1, void* key2)
782 struct ip_rate_key* k1 = (struct ip_rate_key*)key1;
783 struct ip_rate_key* k2 = (struct ip_rate_key*)key2;
784 return sockaddr_cmp_addr(&k1->addr, k1->addrlen,
785 &k2->addr, k2->addrlen);
788 void ip_rate_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
790 struct ip_rate_key* key = (struct ip_rate_key*)k;
793 lock_rw_destroy(&key->entry.lock);
797 /** find data item in array, for write access, caller unlocks */
798 static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra,
799 uint8_t* name, size_t namelen, int wr)
802 hashvalue_type h = dname_query_hash(name, 0xab);
803 memset(&key, 0, sizeof(key));
805 key.namelen = namelen;
807 return slabhash_lookup(infra->domain_rates, h, &key, wr);
810 /** find data item in array for ip addresses */
811 static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra,
812 struct comm_reply* repinfo, int wr)
814 struct ip_rate_key key;
815 hashvalue_type h = hash_addr(&(repinfo->addr),
816 repinfo->addrlen, 0);
817 memset(&key, 0, sizeof(key));
818 key.addr = repinfo->addr;
819 key.addrlen = repinfo->addrlen;
821 return slabhash_lookup(infra->client_ip_rates, h, &key, wr);
824 /** create rate data item for name, number 1 in now */
825 static void infra_create_ratedata(struct infra_cache* infra,
826 uint8_t* name, size_t namelen, time_t timenow)
828 hashvalue_type h = dname_query_hash(name, 0xab);
829 struct rate_key* k = (struct rate_key*)calloc(1, sizeof(*k));
830 struct rate_data* d = (struct rate_data*)calloc(1, sizeof(*d));
834 return; /* alloc failure */
836 k->namelen = namelen;
837 k->name = memdup(name, namelen);
841 return; /* alloc failure */
843 lock_rw_init(&k->entry.lock);
848 d->timestamp[0] = timenow;
849 slabhash_insert(infra->domain_rates, h, &k->entry, d, NULL);
852 /** create rate data item for ip address */
853 static void infra_ip_create_ratedata(struct infra_cache* infra,
854 struct comm_reply* repinfo, time_t timenow)
856 hashvalue_type h = hash_addr(&(repinfo->addr),
857 repinfo->addrlen, 0);
858 struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
859 struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d));
863 return; /* alloc failure */
865 k->addr = repinfo->addr;
866 k->addrlen = repinfo->addrlen;
867 lock_rw_init(&k->entry.lock);
872 d->timestamp[0] = timenow;
873 slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
876 /** find the second and return its rate counter, if none, remove oldest */
877 static int* infra_rate_find_second(void* data, time_t t)
879 struct rate_data* d = (struct rate_data*)data;
881 for(i=0; i<RATE_WINDOW; i++) {
882 if(d->timestamp[i] == t)
885 /* remove oldest timestamp, and insert it at t with 0 qps */
887 for(i=0; i<RATE_WINDOW; i++) {
888 if(d->timestamp[i] < d->timestamp[oldest])
891 d->timestamp[oldest] = t;
893 return &(d->qps[oldest]);
896 int infra_rate_max(void* data, time_t now)
898 struct rate_data* d = (struct rate_data*)data;
900 for(i=0; i<RATE_WINDOW; i++) {
901 if(now-d->timestamp[i] <= RATE_WINDOW) {
909 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
910 size_t namelen, time_t timenow)
913 struct lruhash_entry* entry;
915 if(!infra_dp_ratelimit)
916 return 1; /* not enabled */
919 lim = infra_find_ratelimit(infra, name, namelen);
921 return 1; /* disabled for this domain */
923 /* find or insert ratedata */
924 entry = infra_find_ratedata(infra, name, namelen, 1);
926 int premax = infra_rate_max(entry->data, timenow);
927 int* cur = infra_rate_find_second(entry->data, timenow);
929 max = infra_rate_max(entry->data, timenow);
930 lock_rw_unlock(&entry->lock);
932 if(premax < lim && max >= lim) {
934 dname_str(name, buf);
935 verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim);
941 infra_create_ratedata(infra, name, namelen, timenow);
945 void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
946 size_t namelen, time_t timenow)
948 struct lruhash_entry* entry;
950 if(!infra_dp_ratelimit)
951 return; /* not enabled */
952 entry = infra_find_ratedata(infra, name, namelen, 1);
953 if(!entry) return; /* not cached */
954 cur = infra_rate_find_second(entry->data, timenow);
957 lock_rw_unlock(&entry->lock);
960 int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
961 size_t namelen, time_t timenow)
963 struct lruhash_entry* entry;
965 if(!infra_dp_ratelimit)
966 return 0; /* not enabled */
969 lim = infra_find_ratelimit(infra, name, namelen);
971 return 0; /* disabled for this domain */
973 /* find current rate */
974 entry = infra_find_ratedata(infra, name, namelen, 0);
976 return 0; /* not cached */
977 max = infra_rate_max(entry->data, timenow);
978 lock_rw_unlock(&entry->lock);
984 infra_get_mem(struct infra_cache* infra)
986 size_t s = sizeof(*infra) + slabhash_get_mem(infra->hosts);
987 if(infra->domain_rates) s += slabhash_get_mem(infra->domain_rates);
988 if(infra->client_ip_rates) s += slabhash_get_mem(infra->client_ip_rates);
989 /* ignore domain_limits because walk through tree is big */
993 int infra_ip_ratelimit_inc(struct infra_cache* infra,
994 struct comm_reply* repinfo, time_t timenow)
997 struct lruhash_entry* entry;
1000 if(!infra_ip_ratelimit) {
1003 /* find or insert ratedata */
1004 entry = infra_find_ip_ratedata(infra, repinfo, 1);
1006 int premax = infra_rate_max(entry->data, timenow);
1007 int* cur = infra_rate_find_second(entry->data, timenow);
1009 max = infra_rate_max(entry->data, timenow);
1010 lock_rw_unlock(&entry->lock);
1012 if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
1013 char client_ip[128];
1014 addr_to_str((struct sockaddr_storage *)&repinfo->addr,
1015 repinfo->addrlen, client_ip, sizeof(client_ip));
1016 verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
1017 client_ip, infra_ip_ratelimit);
1019 return (max <= infra_ip_ratelimit);
1023 infra_ip_create_ratedata(infra, repinfo, timenow);
projects / FreeBSD / FreeBSD.git / blob