Better ratelimiting? (again)

Luiz Fernando Softov fernando at softov.com.br
Sat Dec 15 08:55:40 UTC 2018


When I first read the code, I noticed that each IP has its own structure
(in a hashtable), with the qps.
The source is using a global to store and lookup the limit
(infra_ip_ratelimit).

In my case, ip-ratelimit needs some filter by network prefix, like
access-control does.

access-control: 192.168.0.0/16 allow
access-control: 192.168.1.0/24 deny
access-control: 192.168.2.0/24 deny

Using the low prefix to match cases.

ip-ratelimit: [prefix] <max-limit>/<second>

ip-ratelimit: 192.168.0.0/16 5/1
ip-ratelimit: 192.168.1.0/24 10/1
ip-ratelimit: 192.168.2.0/24 20/1

This way, each /32 will have limits according to the matching rule.
I know there is a lot of source to be written, such as an rbtree_t to store
limits like acl_list does, configs, lookups, etc.,
as well as the main need to define how the functionality will work and what
resources it will have.

I can write this code, but due to my projects, I will only have time after
February or March 2019.

Until then, if someone has not written the functionality, we can define
with the community and see if the unbound team approves the idea, since I
do not know the impact that changes like these can bring.




On Fri, Dec 14, 2018 at 13:20, Daisuke HIGASHI via Unbound-users <
unbound-users at nlnetlabs.nl> wrote:

> Hi,
>
> > I personally like the per-subnet option the most, as it gives full
> control over ip-ratelimiting.
>
>   I believe that when we need such complicated rate-limiting feature
> we should use other software component built for such purpose.
>
>   dnsdist  (https://dnsdist.org) can do per-subnet query rate-limiting
> like below.
>
> =====================
> -- dnsdist.conf
>
> -- queries forwarded to 8.8.8.8
>
> newServer({address="8.8.8.8"})
> addLocal("0.0.0.0:53")
> addLocal("[::]:53")
>
> -- ACL for dnsdist service
> addACL("10.0.0.0/8")
> addACL("192.168.0.0/16")
>
> -- Mobile users limit is 1 qps per one IP (/32)
> mobile = newNMG()
> mobile:addMask("10.0.0.0/24")
> mobile:addMask("10.0.1.0/24")
> mobile:addMask("10.0.2.0/24")
> addAction(AndRule({NetmaskGroupRule(mobile), MaxQPSIPRule(1, 32)}),
> DropAction())
>
> -- business users limit is 5 qps per 8 IP (/29)
> business = newNMG()
> business:addMask("192.168.0.0/24")
> addAction(AndRule({NetmaskGroupRule(business), MaxQPSIPRule(5, 29)}),
> DropAction())
> ==============
>
> Regards,
> --
> Daisuke HIGASHI
>
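To make the proposed `ip-ratelimit: <prefix> <max-limit>/<seconds>` semantics concrete, here is an added example (not Unbound code, and not code from either poster) that parses rules in that syntax, picks the longest matching prefix for a client address (the same most-specific-wins behaviour access-control has), and keeps a per-/32 sliding window so that, say, 192.168.9.9 is held to 5/1 while 192.168.1.7 gets 10/1. Unbound's real ip-ratelimit uses its own bucket/slip mechanism; the sliding-window counter, the `PrefixRateLimiter` class and the "no matching rule means unlimited" default are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed config in the syntax proposed in the mail (not a real unbound.conf).
CONFIG = """
ip-ratelimit: 192.168.0.0/16 5/1
ip-ratelimit: 192.168.1.0/24 10/1
ip-ratelimit: 192.168.2.0/24 20/1
"""


def parse_config(text):
    """Return [(network, max_queries, window_seconds)], most specific prefix first."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ip-ratelimit:"):
            continue
        _, prefix, limit = line.split()
        max_queries, seconds = limit.split("/")
        rules.append((ipaddress.ip_network(prefix, strict=True),
                      int(max_queries), float(seconds)))
    # Longest prefix first, so a linear scan returns the most specific match
    # (an rbtree keyed on prefix, as acl_list uses, would do this at scale).
    rules.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rules


def match_rule(rules, ip):
    """Longest-prefix match; None when no rule covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, max_queries, seconds in rules:
        if addr.version == net.version and addr in net:
            return net, max_queries, seconds
    return None


class PrefixRateLimiter:
    """Per-/32 sliding-window limiter whose limit comes from the matched prefix rule.

    Hypothetical class for this example; 'now' is passed in so the logic is
    deterministic and testable without real time.
    """

    def __init__(self, rules):
        self.rules = rules
        self.windows = defaultdict(deque)  # client ip -> timestamps of accepted queries

    def allow(self, ip, now):
        rule = match_rule(self.rules, ip)
        if rule is None:
            return True  # assumption: unmatched clients are not limited
        _net, max_queries, seconds = rule
        window = self.windows[ip]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= seconds:
            window.popleft()
        if len(window) >= max_queries:
            return False  # over the limit for this client's rule
        window.append(now)
        return True


def simulate(limiter, ip, times):
    """Feed queries at the given timestamps; return (allowed, dropped) counts."""
    allowed = dropped = 0
    for t in times:
        if limiter.allow(ip, t):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped


if __name__ == "__main__":
    rules = parse_config(CONFIG)
    limiter = PrefixRateLimiter(rules)
    # 7 queries in the same second from a /16-only client: 5 pass, 2 drop.
    print("192.168.9.9:", simulate(limiter, "192.168.9.9", [0.0] * 7))
    # 12 queries from a client covered by the more specific /24 rule: 10 pass.
    print("192.168.1.7:", simulate(limiter, "192.168.1.7", [0.0] * 12))
```

The rule list is deliberately sorted by prefix length rather than config order, so the lookup result does not depend on how the operator ordered the lines, which is the property that makes the /16 default plus /24 overrides in the mail work as intended.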