testing ratelimiting

Fredrik Pettai pettai at sunet.se
Tue Sep 4 10:19:44 UTC 2018


Hi Ralph,

> On 4 Sep 2018, at 11:17, Ralph Dolmans via Unbound-users <unbound-users at nlnetlabs.nl> wrote:
> 
> Hi Fredrik,
> 
> On 03-09-18 16:19, Fredrik Pettai via Unbound-users wrote:
>> Hi,
>> 
>> I’m experimenting a bit with the ratelimit features in unbound (1.6.7).
>> I just configured the example suggestions to see how it turns out.
>> 
>> server:
>>    ratelimit: 1000
>>    ip-ratelimit: 100
>> 
>> So for instance, I see this in the log:
>> 
>> Sep  3 08:43:09 rl-test unbound: [21732:0] notice: ratelimit exceeded 172.17.0.3 100
>> Sep  3 08:43:09 rl-test unbound: [21732:1] notice: ip_ratelimit allowed through for ip address 172.17.0.3
>> Sep  3 08:43:09 rl-test unbound: [21732:1] notice: ip_ratelimit allowed through for ip address 172.17.0.3
>> Sep  3 08:43:09 rl-test unbound: [21732:2] notice: ip_ratelimit allowed through for ip address 172.17.0.3
>> Sep  3 08:43:10 rl-test unbound: [21732:0] notice: ip_ratelimit allowed through for ip address 172.17.0.3
>> Sep  3 08:43:10 rl-test unbound: [21732:0] notice: ip_ratelimit allowed through for ip address 172.17.0.3
>> 
>> The first line indicates that thread 0 reports that 172.17.0.3 exceeded the ip-ratelimit of 100 qps.
>> The second to sixth lines indicate that threads 0-2 report that the enforcement is released.
>> 
>> I'm thinking / wondering...
>> - Wouldn’t it be good if the first line could mention that it’s the ip-ratelimit that kicked in?
> 
> Yes, that would make the logging more consistent. I changed the log line
> to "ip_ratelimit exceeded"
> 
>> - Why the repeated/duplicate messages (logged the same second) about "allowed through"? (bug?)
> 
> This is not the release of the limit but the queries that are allowed to
> pass based on your ip-ratelimit-factor setting.

Ah, thanks for clarifying.

Re,
/P 
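
Added example, not part of the thread and not Unbound's own code: a log classifier that tells the three events discussed above apart, treating a 1.6.7-style "ratelimit exceeded" line as a per-IP event when its subject parses as an IP address. The assumptions are that the renamed "ip_ratelimit exceeded" line keeps the same fields as the 1.6.7 line, and that a per-zone line carries a domain name in the same position; the last two sample lines and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the first four lines follow the format quoted in the post;
# the last two (renamed prefix, per-zone subject) are assumed formats.
SAMPLE = """\
Sep  3 08:43:09 rl-test unbound: [21732:0] notice: ratelimit exceeded 172.17.0.3 100
Sep  3 08:43:09 rl-test unbound: [21732:1] notice: ip_ratelimit allowed through for ip address 172.17.0.3
Sep  3 08:43:09 rl-test unbound: [21732:2] notice: ip_ratelimit allowed through for ip address 172.17.0.3
Sep  3 08:43:10 rl-test unbound: [21732:0] notice: ip_ratelimit allowed through for ip address 172.17.0.3
Sep  3 08:43:11 rl-test unbound: [21732:0] notice: ip_ratelimit exceeded 172.17.0.3 100
Sep  3 08:43:12 rl-test unbound: [21732:1] notice: ratelimit exceeded example.com. 1000
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ unbound: \[\d+:\d+\] notice: (?P<msg>.*)$")
EXCEEDED = re.compile(
    r"^(?P<kind>ip_ratelimit|ratelimit) exceeded (?P<subject>\S+) (?P<limit>\d+)")
ALLOWED = re.compile(r"^ip_ratelimit allowed through for ip address (?P<ip>\S+)")

def is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (event, subject, timestamp), or None for unrelated lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts, msg = m["ts"], m["msg"]
    if (a := ALLOWED.match(msg)):
        # A query passed despite the limit (ip-ratelimit-factor), not a release.
        return ("ip_allowed_through", a["ip"], ts)
    if (e := EXCEEDED.match(msg)):
        # 1.6.7 logs the per-IP limit as plain "ratelimit exceeded";
        # an IP-address subject identifies it as ip-ratelimit.
        per_ip = e["kind"] == "ip_ratelimit" or is_ip(e["subject"])
        return ("ip_exceeded" if per_ip else "zone_exceeded", e["subject"], ts)
    return None

def summarize(text):
    """Count events per (event, subject, second)."""
    return Counter(ev for ev in map(classify, text.splitlines()) if ev)
```

Several "allowed through" entries for one address in the same second show up as a count greater than one for that key, which is expected behaviour rather than duplicate logging.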



