<div dir="ltr"><div dir="ltr" style="font-family:monospace,monospace">When I first read the code, I noticed that each IP has its own structure (in a hashtable), with the qps.</div><div dir="ltr" style="font-family:monospace,monospace">The source is using a global to store and look up the limit (infra_ip_ratelimit).<br><br>In my case, ip-ratelimit needs some filter by network prefix, like access-control does.<br><br>access-control: 192.168.0.0/16 allow<br>access-control: 192.168.1.0/24 deny<br>access-control: 192.168.2.0/24 deny<br><br>Using the low prefix to match cases.<br><br>ip-ratelimit: [prefix] &lt;max-limit&gt;/&lt;second&gt;<br><br>ip-ratelimit: 192.168.0.0/16 5/1<br>ip-ratelimit: 192.168.1.0/24 10/1<br>ip-ratelimit: 192.168.2.0/24 20/1<br><br>This way, each /32 will have limits according to the matching rule.<br>I know there is a lot of code to be written, such as an rbtree_t to store limits like acl_list does, configs, lookups, etc.<br>As well as the main need to define how the functionality will work and what resources it will have.<br><br>I can write this code, but due to my projects, I will only have time after February or March 2019.<br><br>Until then, if someone has not written the functionality, we can define it with the community and see if the unbound team approves the idea, since I do not know the impact that changes like these can bring.</div></div><br><div class="gmail_quote"><div dir="ltr">On Fri, 14 Dec 2018 at 13:20, Daisuke HIGASHI via Unbound-users &lt;<a href="mailto:unbound-users@nlnetlabs.nl">unbound-users@nlnetlabs.nl</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
> I personally like the per-subnet option the most, as it gives full control over ip-ratelimiting.<br>
<br>
I believe that when we need such a complicated rate-limiting feature<br>
we should use another software component built for that purpose.<br>
<br>
dnsdist (<a href="https://dnsdist.org" rel="noreferrer" target="_blank">https://dnsdist.org</a>) can do per-subnet query rate-limiting<br>
like below.<br>
<br>
=====================<br>
-- dnsdist.conf<br>
<br>
-- queries forwarded to 8.8.8.8<br>
<br>
newServer({address="8.8.8.8"})<br>
addLocal("0.0.0.0:53")<br>
addLocal("[::]:53")<br>
<br>
-- ACL for dnsdist service<br>
addACL("10.0.0.0/8")<br>
addACL("192.168.0.0/16")<br>
<br>
-- Mobile users limit is 1 qps per one IP (/32)<br>
-- MaxQPSIPRule(qps, v4mask): the counter is kept per client aggregated to /v4mask<br>
mobile = newNMG()<br>
mobile:addMask("10.0.0.0/24")<br>
mobile:addMask("10.0.1.0/24")<br>
mobile:addMask("10.0.2.0/24")<br>
addAction(AndRule({NetmaskGroupRule(mobile), MaxQPSIPRule(1, 32)}),<br>
DropAction())<br>
<br>
-- business users limit is 5 qps per 8 IP (/29)<br>
business = newNMG()<br>
business:addMask("192.168.0.0/24")<br>
addAction(AndRule({NetmaskGroupRule(business), MaxQPSIPRule(5, 29)}),<br>
DropAction())<br>
==============<br>
<br>
Regards,<br>
-- <br>
Daisuke HIGASHI<br>
</blockquote></div>
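<p>As an added example (not code from this thread, from Unbound or from dnsdist), the following Python prototype shows the per-prefix ip-ratelimit proposed in the reply above: it parses lines of the suggested form <code>ip-ratelimit: &lt;prefix&gt; &lt;max-limit&gt;/&lt;second&gt;</code>, resolves a client address to the longest matching prefix the way access-control does, and keeps a fixed-window query counter per client. It goes one step beyond the "/32" case in the proposal by taking an aggregation mask, so the same code also models the dnsdist <code>MaxQPSIPRule(5, 29)</code> grouping of eight addresses quoted above. The option syntax, the sample config text, and the choice that a client matched by no rule is not limited are assumptions made for illustration, not Unbound behaviour.</p>

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample config in the syntax proposed in the thread
# ("ip-ratelimit: <prefix> <max-queries>/<seconds>"). Unbound has no such
# option; the syntax is the thread's proposal and is assumed here for illustration.
SAMPLE_CONFIG = """
# overlapping prefixes: the most specific match wins, as with access-control
ip-ratelimit: 192.168.0.0/16 5/1
ip-ratelimit: 192.168.1.0/24 10/1
ip-ratelimit: 192.168.2.0/24 20/1
ip-ratelimit: 2001:db8::/32 50/1
"""


@dataclass(frozen=True)
class Limit:
    network: Network
    max_queries: int
    window: int  # window length in seconds


def parse_ratelimits(text: str) -> List[Limit]:
    """Parse ip-ratelimit lines and return the rules sorted most-specific first."""
    limits: List[Limit] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(":")
        fields = rest.split()
        if key.strip() != "ip-ratelimit" or len(fields) != 2:
            raise ValueError(f"expected 'ip-ratelimit: <prefix> <max>/<seconds>': {line!r}")
        prefix, rate = fields
        max_q, _, seconds = rate.partition("/")
        window = int(seconds) if seconds else 1  # "5" alone means 5 per second
        if int(max_q) < 0 or window <= 0:
            raise ValueError(f"bad rate {rate!r} in {line!r}")
        # strict=True rejects prefixes with host bits set, e.g. 192.168.1.5/24
        limits.append(Limit(ipaddress.ip_network(prefix, strict=True), int(max_q), window))
    # Longest prefix first, so the first containing network is the best match.
    # Unbound would keep these in an rbtree like acl_list; a sorted scan is enough here.
    limits.sort(key=lambda lim: lim.network.prefixlen, reverse=True)
    return limits


def lookup_limit(limits: List[Limit], client) -> Optional[Limit]:
    """Longest-prefix match of a client address against the sorted rules."""
    addr = ipaddress.ip_address(client)
    for lim in limits:
        if lim.network.version == addr.version and addr in lim.network:
            return lim
    return None


class PrefixRateLimiter:
    """Fixed-window query counter per client bucket; the limit comes from the prefix rule.

    bucket_v4 / bucket_v6 set how clients are aggregated: 32 / 128 counts every
    address on its own (the "/32" in the proposal); bucket_v4=29 groups IPv4
    clients eight at a time, like dnsdist's MaxQPSIPRule(5, 29).
    """

    def __init__(self, limits: List[Limit], bucket_v4: int = 32, bucket_v6: int = 128):
        self.limits = limits
        self.bucket_v4 = bucket_v4
        self.bucket_v6 = bucket_v6
        self.counters: Dict[Network, Tuple[int, int]] = {}  # bucket -> (window id, count)

    def _bucket(self, addr) -> Network:
        plen = self.bucket_v4 if addr.version == 4 else self.bucket_v6
        return ipaddress.ip_network(f"{addr}/{plen}", strict=False)

    def allow(self, client: str, now: float) -> bool:
        """True if a query from client at time now (seconds) is within its limit."""
        addr = ipaddress.ip_address(client)
        lim = lookup_limit(self.limits, addr)
        if lim is None:
            return True  # assumption: clients matched by no rule are not limited
        bucket = self._bucket(addr)
        window_id = int(now // lim.window)
        stored_id, count = self.counters.get(bucket, (window_id, 0))
        if stored_id != window_id:  # a new window starts with a fresh count
            count = 0
        count += 1
        self.counters[bucket] = (window_id, count)
        return count <= lim.max_queries


if __name__ == "__main__":
    rl = PrefixRateLimiter(parse_ratelimits(SAMPLE_CONFIG))
    for ip in ["192.168.5.5", "192.168.1.5", "10.0.0.1"]:
        verdicts = [rl.allow(ip, 100.0) for _ in range(12)]
        print(ip, lookup_limit(rl.limits, ip), verdicts.count(True), "of 12 allowed")
```

<p>The counter is a plain fixed window keyed by the aggregated client prefix, which is what makes the /32 and /29 cases the same code path; a production implementation would also expire idle buckets and would look the rule up in a prefix tree rather than scanning a list.</p>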