1 /*
2 * services/cache/infra.c - infrastructure cache, server rtt and capabilities
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 /**
37 * \file
38 *
39 * This file contains the infrastructure cache.
40 */
41 #include "config.h"
42 #include "sldns/rrdef.h"
43 #include "sldns/str2wire.h"
44 #include "sldns/sbuffer.h"
45 #include "sldns/wire2str.h"
46 #include "services/cache/infra.h"
47 #include "util/storage/slabhash.h"
48 #include "util/storage/lookup3.h"
49 #include "util/data/dname.h"
50 #include "util/log.h"
51 #include "util/net_help.h"
52 #include "util/config_file.h"
53 #include "iterator/iterator.h"
54
55 /** Timeout when only a single probe query per IP is allowed. */
56 #define PROBE_MAXRTO 12000 /* in msec */
57
58 /** number of timeouts for a type when the domain can be blocked ;
59 * even if another type has completely rtt maxed it, the different type
60 * can do this number of packets (until those all timeout too) */
61 #define TIMEOUT_COUNT_MAX 3
62
63 /** Minus 1000 because that is outside of the RTTBAND, so
64 * blacklisted servers stay blacklisted if this is chosen.
65 * If USEFUL_SERVER_TOP_TIMEOUT is below 1000 (configured via RTT_MAX_TIMEOUT,
66 * infra-cache-max-rtt) change it to just above the RTT_BAND. */
67 #define STILL_USEFUL_TIMEOUT ( \
68 USEFUL_SERVER_TOP_TIMEOUT < 1000 || \
69 USEFUL_SERVER_TOP_TIMEOUT - 1000 <= RTT_BAND \
70 ?RTT_BAND + 1 \
71 :USEFUL_SERVER_TOP_TIMEOUT - 1000)
72
73 /** ratelimit value for delegation point */
74 int infra_dp_ratelimit = 0;
75
76 /** ratelimit value for client ip addresses,
77 * in queries per second. */
78 int infra_ip_ratelimit = 0;
79
80 /** ratelimit value for client ip addresses,
81 * in queries per second.
82 * For clients with a valid DNS Cookie. */
83 int infra_ip_ratelimit_cookie = 0;
84
85 size_t
infra_sizefunc(void * k,void * ATTR_UNUSED (d))86 infra_sizefunc(void* k, void* ATTR_UNUSED(d))
87 {
88 struct infra_key* key = (struct infra_key*)k;
89 return sizeof(*key) + sizeof(struct infra_data) + key->namelen
90 + lock_get_mem(&key->entry.lock);
91 }
92
93 int
infra_compfunc(void * key1,void * key2)94 infra_compfunc(void* key1, void* key2)
95 {
96 struct infra_key* k1 = (struct infra_key*)key1;
97 struct infra_key* k2 = (struct infra_key*)key2;
98 int r = sockaddr_cmp(&k1->addr, k1->addrlen, &k2->addr, k2->addrlen);
99 if(r != 0)
100 return r;
101 if(k1->namelen != k2->namelen) {
102 if(k1->namelen < k2->namelen)
103 return -1;
104 return 1;
105 }
106 return query_dname_compare(k1->zonename, k2->zonename);
107 }
108
109 void
infra_delkeyfunc(void * k,void * ATTR_UNUSED (arg))110 infra_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
111 {
112 struct infra_key* key = (struct infra_key*)k;
113 if(!key)
114 return;
115 lock_rw_destroy(&key->entry.lock);
116 free(key->zonename);
117 free(key);
118 }
119
120 void
infra_deldatafunc(void * d,void * ATTR_UNUSED (arg))121 infra_deldatafunc(void* d, void* ATTR_UNUSED(arg))
122 {
123 struct infra_data* data = (struct infra_data*)d;
124 free(data);
125 }
126
127 size_t
rate_sizefunc(void * k,void * ATTR_UNUSED (d))128 rate_sizefunc(void* k, void* ATTR_UNUSED(d))
129 {
130 struct rate_key* key = (struct rate_key*)k;
131 return sizeof(*key) + sizeof(struct rate_data) + key->namelen
132 + lock_get_mem(&key->entry.lock);
133 }
134
135 int
rate_compfunc(void * key1,void * key2)136 rate_compfunc(void* key1, void* key2)
137 {
138 struct rate_key* k1 = (struct rate_key*)key1;
139 struct rate_key* k2 = (struct rate_key*)key2;
140 if(k1->namelen != k2->namelen) {
141 if(k1->namelen < k2->namelen)
142 return -1;
143 return 1;
144 }
145 return query_dname_compare(k1->name, k2->name);
146 }
147
148 void
rate_delkeyfunc(void * k,void * ATTR_UNUSED (arg))149 rate_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
150 {
151 struct rate_key* key = (struct rate_key*)k;
152 if(!key)
153 return;
154 lock_rw_destroy(&key->entry.lock);
155 free(key->name);
156 free(key);
157 }
158
159 void
rate_deldatafunc(void * d,void * ATTR_UNUSED (arg))160 rate_deldatafunc(void* d, void* ATTR_UNUSED(arg))
161 {
162 struct rate_data* data = (struct rate_data*)d;
163 free(data);
164 }
165
166 /** find or create element in domainlimit tree */
domain_limit_findcreate(struct infra_cache * infra,char * name)167 static struct domain_limit_data* domain_limit_findcreate(
168 struct infra_cache* infra, char* name)
169 {
170 uint8_t* nm;
171 int labs;
172 size_t nmlen;
173 struct domain_limit_data* d;
174
175 /* parse name */
176 nm = sldns_str2wire_dname(name, &nmlen);
177 if(!nm) {
178 log_err("could not parse %s", name);
179 return NULL;
180 }
181 labs = dname_count_labels(nm);
182
183 /* can we find it? */
184 d = (struct domain_limit_data*)name_tree_find(&infra->domain_limits,
185 nm, nmlen, labs, LDNS_RR_CLASS_IN);
186 if(d) {
187 free(nm);
188 return d;
189 }
190
191 /* create it */
192 d = (struct domain_limit_data*)calloc(1, sizeof(*d));
193 if(!d) {
194 free(nm);
195 return NULL;
196 }
197 d->node.node.key = &d->node;
198 d->node.name = nm;
199 d->node.len = nmlen;
200 d->node.labs = labs;
201 d->node.dclass = LDNS_RR_CLASS_IN;
202 d->lim = -1;
203 d->below = -1;
204 if(!name_tree_insert(&infra->domain_limits, &d->node, nm, nmlen,
205 labs, LDNS_RR_CLASS_IN)) {
206 log_err("duplicate element in domainlimit tree");
207 free(nm);
208 free(d);
209 return NULL;
210 }
211 return d;
212 }
213
214 /** insert rate limit configuration into lookup tree */
infra_ratelimit_cfg_insert(struct infra_cache * infra,struct config_file * cfg)215 static int infra_ratelimit_cfg_insert(struct infra_cache* infra,
216 struct config_file* cfg)
217 {
218 struct config_str2list* p;
219 struct domain_limit_data* d;
220 for(p = cfg->ratelimit_for_domain; p; p = p->next) {
221 d = domain_limit_findcreate(infra, p->str);
222 if(!d)
223 return 0;
224 d->lim = atoi(p->str2);
225 }
226 for(p = cfg->ratelimit_below_domain; p; p = p->next) {
227 d = domain_limit_findcreate(infra, p->str);
228 if(!d)
229 return 0;
230 d->below = atoi(p->str2);
231 }
232 return 1;
233 }
234
235 /** setup domain limits tree (0 on failure) */
236 static int
setup_domain_limits(struct infra_cache * infra,struct config_file * cfg)237 setup_domain_limits(struct infra_cache* infra, struct config_file* cfg)
238 {
239 name_tree_init(&infra->domain_limits);
240 if(!infra_ratelimit_cfg_insert(infra, cfg)) {
241 return 0;
242 }
243 name_tree_init_parents(&infra->domain_limits);
244 return 1;
245 }
246
247 /** find or create element in wait limit netblock tree */
248 static struct wait_limit_netblock_info*
wait_limit_netblock_findcreate(struct infra_cache * infra,char * str,int cookie)249 wait_limit_netblock_findcreate(struct infra_cache* infra, char* str,
250 int cookie)
251 {
252 rbtree_type* tree;
253 struct sockaddr_storage addr;
254 int net;
255 socklen_t addrlen;
256 struct wait_limit_netblock_info* d;
257
258 if(!netblockstrtoaddr(str, 0, &addr, &addrlen, &net)) {
259 log_err("cannot parse wait limit netblock '%s'", str);
260 return 0;
261 }
262
263 /* can we find it? */
264 if(cookie)
265 tree = &infra->wait_limits_cookie_netblock;
266 else
267 tree = &infra->wait_limits_netblock;
268 d = (struct wait_limit_netblock_info*)addr_tree_find(tree, &addr,
269 addrlen, net);
270 if(d)
271 return d;
272
273 /* create it */
274 d = (struct wait_limit_netblock_info*)calloc(1, sizeof(*d));
275 if(!d)
276 return NULL;
277 d->limit = -1;
278 if(!addr_tree_insert(tree, &d->node, &addr, addrlen, net)) {
279 log_err("duplicate element in domainlimit tree");
280 free(d);
281 return NULL;
282 }
283 return d;
284 }
285
286
287 /** insert wait limit information into lookup tree */
288 static int
infra_wait_limit_netblock_insert(struct infra_cache * infra,struct config_file * cfg)289 infra_wait_limit_netblock_insert(struct infra_cache* infra,
290 struct config_file* cfg)
291 {
292 struct config_str2list* p;
293 struct wait_limit_netblock_info* d;
294 for(p = cfg->wait_limit_netblock; p; p = p->next) {
295 d = wait_limit_netblock_findcreate(infra, p->str, 0);
296 if(!d)
297 return 0;
298 d->limit = atoi(p->str2);
299 }
300 for(p = cfg->wait_limit_cookie_netblock; p; p = p->next) {
301 d = wait_limit_netblock_findcreate(infra, p->str, 1);
302 if(!d)
303 return 0;
304 d->limit = atoi(p->str2);
305 }
306 return 1;
307 }
308
309 /** setup wait limits tree (0 on failure) */
310 static int
setup_wait_limits(struct infra_cache * infra,struct config_file * cfg)311 setup_wait_limits(struct infra_cache* infra, struct config_file* cfg)
312 {
313 addr_tree_init(&infra->wait_limits_netblock);
314 addr_tree_init(&infra->wait_limits_cookie_netblock);
315 if(!infra_wait_limit_netblock_insert(infra, cfg))
316 return 0;
317 addr_tree_init_parents(&infra->wait_limits_netblock);
318 addr_tree_init_parents(&infra->wait_limits_cookie_netblock);
319 return 1;
320 }
321
322 struct infra_cache*
infra_create(struct config_file * cfg)323 infra_create(struct config_file* cfg)
324 {
325 struct infra_cache* infra = (struct infra_cache*)calloc(1,
326 sizeof(struct infra_cache));
327 size_t maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
328 sizeof(struct infra_data)+INFRA_BYTES_NAME);
329 if(!infra) {
330 return NULL;
331 }
332 infra->hosts = slabhash_create(cfg->infra_cache_slabs,
333 INFRA_HOST_STARTSIZE, maxmem, &infra_sizefunc, &infra_compfunc,
334 &infra_delkeyfunc, &infra_deldatafunc, NULL);
335 if(!infra->hosts) {
336 free(infra);
337 return NULL;
338 }
339 infra->host_ttl = cfg->host_ttl;
340 infra->infra_keep_probing = cfg->infra_keep_probing;
341 infra_dp_ratelimit = cfg->ratelimit;
342 infra->domain_rates = slabhash_create(cfg->ratelimit_slabs,
343 INFRA_HOST_STARTSIZE, cfg->ratelimit_size,
344 &rate_sizefunc, &rate_compfunc, &rate_delkeyfunc,
345 &rate_deldatafunc, NULL);
346 if(!infra->domain_rates) {
347 infra_delete(infra);
348 return NULL;
349 }
350 /* insert config data into ratelimits */
351 if(!setup_domain_limits(infra, cfg)) {
352 infra_delete(infra);
353 return NULL;
354 }
355 if(!setup_wait_limits(infra, cfg)) {
356 infra_delete(infra);
357 return NULL;
358 }
359 infra_ip_ratelimit = cfg->ip_ratelimit;
360 infra_ip_ratelimit_cookie = cfg->ip_ratelimit_cookie;
361 infra->client_ip_rates = slabhash_create(cfg->ip_ratelimit_slabs,
362 INFRA_HOST_STARTSIZE, cfg->ip_ratelimit_size, &ip_rate_sizefunc,
363 &ip_rate_compfunc, &ip_rate_delkeyfunc, &ip_rate_deldatafunc, NULL);
364 if(!infra->client_ip_rates) {
365 infra_delete(infra);
366 return NULL;
367 }
368 return infra;
369 }
370
371 /** delete domain_limit entries */
domain_limit_free(rbnode_type * n,void * ATTR_UNUSED (arg))372 static void domain_limit_free(rbnode_type* n, void* ATTR_UNUSED(arg))
373 {
374 if(n) {
375 free(((struct domain_limit_data*)n)->node.name);
376 free(n);
377 }
378 }
379
380 /** delete wait_limit_netblock_info entries */
wait_limit_netblock_del(rbnode_type * n,void * ATTR_UNUSED (arg))381 static void wait_limit_netblock_del(rbnode_type* n, void* ATTR_UNUSED(arg))
382 {
383 free(n);
384 }
385
386 void
infra_delete(struct infra_cache * infra)387 infra_delete(struct infra_cache* infra)
388 {
389 if(!infra)
390 return;
391 slabhash_delete(infra->hosts);
392 slabhash_delete(infra->domain_rates);
393 traverse_postorder(&infra->domain_limits, domain_limit_free, NULL);
394 slabhash_delete(infra->client_ip_rates);
395 traverse_postorder(&infra->wait_limits_netblock,
396 wait_limit_netblock_del, NULL);
397 traverse_postorder(&infra->wait_limits_cookie_netblock,
398 wait_limit_netblock_del, NULL);
399 free(infra);
400 }
401
402 struct infra_cache*
infra_adjust(struct infra_cache * infra,struct config_file * cfg)403 infra_adjust(struct infra_cache* infra, struct config_file* cfg)
404 {
405 size_t maxmem;
406 if(!infra)
407 return infra_create(cfg);
408 infra->host_ttl = cfg->host_ttl;
409 infra->infra_keep_probing = cfg->infra_keep_probing;
410 infra_dp_ratelimit = cfg->ratelimit;
411 infra_ip_ratelimit = cfg->ip_ratelimit;
412 infra_ip_ratelimit_cookie = cfg->ip_ratelimit_cookie;
413 maxmem = cfg->infra_cache_numhosts * (sizeof(struct infra_key)+
414 sizeof(struct infra_data)+INFRA_BYTES_NAME);
415 /* divide cachesize by slabs and multiply by slabs, because if the
416 * cachesize is not an even multiple of slabs, that is the resulting
417 * size of the slabhash */
418 if(!slabhash_is_size(infra->hosts, maxmem, cfg->infra_cache_slabs) ||
419 !slabhash_is_size(infra->domain_rates, cfg->ratelimit_size,
420 cfg->ratelimit_slabs) ||
421 !slabhash_is_size(infra->client_ip_rates, cfg->ip_ratelimit_size,
422 cfg->ip_ratelimit_slabs)) {
423 infra_delete(infra);
424 infra = infra_create(cfg);
425 } else {
426 /* reapply domain limits */
427 traverse_postorder(&infra->domain_limits, domain_limit_free,
428 NULL);
429 if(!setup_domain_limits(infra, cfg)) {
430 infra_delete(infra);
431 return NULL;
432 }
433 }
434 return infra;
435 }
436
437 /** calculate the hash value for a host key
438 * set use_port to a non-0 number to use the port in
439 * the hash calculation; 0 to ignore the port.*/
440 static hashvalue_type
hash_addr(struct sockaddr_storage * addr,socklen_t addrlen,int use_port)441 hash_addr(struct sockaddr_storage* addr, socklen_t addrlen,
442 int use_port)
443 {
444 hashvalue_type h = 0xab;
445 /* select the pieces to hash, some OS have changing data inside */
446 if(addr_is_ip6(addr, addrlen)) {
447 struct sockaddr_in6* in6 = (struct sockaddr_in6*)addr;
448 h = hashlittle(&in6->sin6_family, sizeof(in6->sin6_family), h);
449 if(use_port){
450 h = hashlittle(&in6->sin6_port, sizeof(in6->sin6_port), h);
451 }
452 h = hashlittle(&in6->sin6_addr, INET6_SIZE, h);
453 } else {
454 struct sockaddr_in* in = (struct sockaddr_in*)addr;
455 h = hashlittle(&in->sin_family, sizeof(in->sin_family), h);
456 if(use_port){
457 h = hashlittle(&in->sin_port, sizeof(in->sin_port), h);
458 }
459 h = hashlittle(&in->sin_addr, INET_SIZE, h);
460 }
461 return h;
462 }
463
464 /** calculate infra hash for a key */
465 static hashvalue_type
hash_infra(struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * name)466 hash_infra(struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* name)
467 {
468 return dname_query_hash(name, hash_addr(addr, addrlen, 1));
469 }
470
471 /** lookup version that does not check host ttl (you check it) */
472 struct lruhash_entry*
infra_lookup_nottl(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * name,size_t namelen,int wr)473 infra_lookup_nottl(struct infra_cache* infra, struct sockaddr_storage* addr,
474 socklen_t addrlen, uint8_t* name, size_t namelen, int wr)
475 {
476 struct infra_key k;
477 k.addrlen = addrlen;
478 memcpy(&k.addr, addr, addrlen);
479 k.namelen = namelen;
480 k.zonename = name;
481 k.entry.hash = hash_infra(addr, addrlen, name);
482 k.entry.key = (void*)&k;
483 k.entry.data = NULL;
484 return slabhash_lookup(infra->hosts, k.entry.hash, &k, wr);
485 }
486
487 /** init the data elements */
488 static void
data_entry_init(struct infra_cache * infra,struct lruhash_entry * e,time_t timenow)489 data_entry_init(struct infra_cache* infra, struct lruhash_entry* e,
490 time_t timenow)
491 {
492 struct infra_data* data = (struct infra_data*)e->data;
493 data->ttl = timenow + infra->host_ttl;
494 rtt_init(&data->rtt);
495 data->edns_version = 0;
496 data->edns_lame_known = 0;
497 data->probedelay = 0;
498 data->isdnsseclame = 0;
499 data->rec_lame = 0;
500 data->lame_type_A = 0;
501 data->lame_other = 0;
502 data->timeout_A = 0;
503 data->timeout_AAAA = 0;
504 data->timeout_other = 0;
505 }
506
507 /**
508 * Create and init a new entry for a host
509 * @param infra: infra structure with config parameters.
510 * @param addr: host address.
511 * @param addrlen: length of addr.
512 * @param name: name of zone
513 * @param namelen: length of name.
514 * @param tm: time now.
515 * @return: the new entry or NULL on malloc failure.
516 */
517 static struct lruhash_entry*
new_entry(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * name,size_t namelen,time_t tm)518 new_entry(struct infra_cache* infra, struct sockaddr_storage* addr,
519 socklen_t addrlen, uint8_t* name, size_t namelen, time_t tm)
520 {
521 struct infra_data* data;
522 struct infra_key* key = (struct infra_key*)malloc(sizeof(*key));
523 if(!key)
524 return NULL;
525 data = (struct infra_data*)malloc(sizeof(struct infra_data));
526 if(!data) {
527 free(key);
528 return NULL;
529 }
530 key->zonename = memdup(name, namelen);
531 if(!key->zonename) {
532 free(key);
533 free(data);
534 return NULL;
535 }
536 key->namelen = namelen;
537 lock_rw_init(&key->entry.lock);
538 key->entry.hash = hash_infra(addr, addrlen, name);
539 key->entry.key = (void*)key;
540 key->entry.data = (void*)data;
541 key->addrlen = addrlen;
542 memcpy(&key->addr, addr, addrlen);
543 data_entry_init(infra, &key->entry, tm);
544 return &key->entry;
545 }
546
547 int
infra_host(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen,time_t timenow,int * edns_vs,uint8_t * edns_lame_known,int * to)548 infra_host(struct infra_cache* infra, struct sockaddr_storage* addr,
549 socklen_t addrlen, uint8_t* nm, size_t nmlen, time_t timenow,
550 int* edns_vs, uint8_t* edns_lame_known, int* to)
551 {
552 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
553 nm, nmlen, 0);
554 struct infra_data* data;
555 int wr = 0;
556 if(e && ((struct infra_data*)e->data)->ttl < timenow) {
557 /* it expired, try to reuse existing entry */
558 int old = ((struct infra_data*)e->data)->rtt.rto;
559 time_t tprobe = ((struct infra_data*)e->data)->probedelay;
560 uint8_t tA = ((struct infra_data*)e->data)->timeout_A;
561 uint8_t tAAAA = ((struct infra_data*)e->data)->timeout_AAAA;
562 uint8_t tother = ((struct infra_data*)e->data)->timeout_other;
563 lock_rw_unlock(&e->lock);
564 e = infra_lookup_nottl(infra, addr, addrlen, nm, nmlen, 1);
565 if(e) {
566 /* if its still there we have a writelock, init */
567 /* re-initialise */
568 /* do not touch lameness, it may be valid still */
569 data_entry_init(infra, e, timenow);
570 wr = 1;
571 /* TOP_TIMEOUT remains on reuse */
572 if(old >= USEFUL_SERVER_TOP_TIMEOUT) {
573 ((struct infra_data*)e->data)->rtt.rto
574 = USEFUL_SERVER_TOP_TIMEOUT;
575 ((struct infra_data*)e->data)->probedelay = tprobe;
576 ((struct infra_data*)e->data)->timeout_A = tA;
577 ((struct infra_data*)e->data)->timeout_AAAA = tAAAA;
578 ((struct infra_data*)e->data)->timeout_other = tother;
579 }
580 }
581 }
582 if(!e) {
583 /* insert new entry */
584 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
585 return 0;
586 data = (struct infra_data*)e->data;
587 *edns_vs = data->edns_version;
588 *edns_lame_known = data->edns_lame_known;
589 *to = rtt_timeout(&data->rtt);
590 slabhash_insert(infra->hosts, e->hash, e, data, NULL);
591 return 1;
592 }
593 /* use existing entry */
594 data = (struct infra_data*)e->data;
595 *edns_vs = data->edns_version;
596 *edns_lame_known = data->edns_lame_known;
597 *to = rtt_timeout(&data->rtt);
598 if(*to >= PROBE_MAXRTO && (infra->infra_keep_probing ||
599 rtt_notimeout(&data->rtt)*4 <= *to)) {
600 /* delay other queries, this is the probe query */
601 if(!wr) {
602 lock_rw_unlock(&e->lock);
603 e = infra_lookup_nottl(infra, addr,addrlen,nm,nmlen, 1);
604 if(!e) { /* flushed from cache real fast, no use to
605 allocate just for the probedelay */
606 return 1;
607 }
608 data = (struct infra_data*)e->data;
609 }
610 /* add 999 to round up the timeout value from msec to sec,
611 * then add a whole second so it is certain that this probe
612 * has timed out before the next is allowed */
613 data->probedelay = timenow + ((*to)+1999)/1000;
614 }
615 lock_rw_unlock(&e->lock);
616 return 1;
617 }
618
619 int
infra_set_lame(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen,time_t timenow,int dnsseclame,int reclame,uint16_t qtype)620 infra_set_lame(struct infra_cache* infra, struct sockaddr_storage* addr,
621 socklen_t addrlen, uint8_t* nm, size_t nmlen, time_t timenow,
622 int dnsseclame, int reclame, uint16_t qtype)
623 {
624 struct infra_data* data;
625 struct lruhash_entry* e;
626 int needtoinsert = 0;
627 e = infra_lookup_nottl(infra, addr, addrlen, nm, nmlen, 1);
628 if(!e) {
629 /* insert it */
630 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow))) {
631 log_err("set_lame: malloc failure");
632 return 0;
633 }
634 needtoinsert = 1;
635 } else if( ((struct infra_data*)e->data)->ttl < timenow) {
636 /* expired, reuse existing entry */
637 data_entry_init(infra, e, timenow);
638 }
639 /* got an entry, now set the zone lame */
640 data = (struct infra_data*)e->data;
641 /* merge data (if any) */
642 if(dnsseclame)
643 data->isdnsseclame = 1;
644 if(reclame)
645 data->rec_lame = 1;
646 if(!dnsseclame && !reclame && qtype == LDNS_RR_TYPE_A)
647 data->lame_type_A = 1;
648 if(!dnsseclame && !reclame && qtype != LDNS_RR_TYPE_A)
649 data->lame_other = 1;
650 /* done */
651 if(needtoinsert)
652 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
653 else { lock_rw_unlock(&e->lock); }
654 return 1;
655 }
656
657 void
infra_update_tcp_works(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen)658 infra_update_tcp_works(struct infra_cache* infra,
659 struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* nm,
660 size_t nmlen)
661 {
662 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
663 nm, nmlen, 1);
664 struct infra_data* data;
665 if(!e)
666 return; /* doesn't exist */
667 data = (struct infra_data*)e->data;
668 if(data->rtt.rto >= RTT_MAX_TIMEOUT)
669 /* do not disqualify this server altogether, it is better
670 * than nothing */
671 data->rtt.rto = STILL_USEFUL_TIMEOUT;
672 lock_rw_unlock(&e->lock);
673 }
674
675 int
infra_rtt_update(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen,int qtype,int roundtrip,int orig_rtt,time_t timenow)676 infra_rtt_update(struct infra_cache* infra, struct sockaddr_storage* addr,
677 socklen_t addrlen, uint8_t* nm, size_t nmlen, int qtype,
678 int roundtrip, int orig_rtt, time_t timenow)
679 {
680 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
681 nm, nmlen, 1);
682 struct infra_data* data;
683 int needtoinsert = 0, expired = 0;
684 int rto = 1;
685 time_t oldprobedelay = 0;
686 if(!e) {
687 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
688 return 0;
689 needtoinsert = 1;
690 } else if(((struct infra_data*)e->data)->ttl < timenow) {
691 oldprobedelay = ((struct infra_data*)e->data)->probedelay;
692 data_entry_init(infra, e, timenow);
693 expired = 1;
694 }
695 /* have an entry, update the rtt */
696 data = (struct infra_data*)e->data;
697 if(roundtrip == -1) {
698 if(needtoinsert || expired) {
699 /* timeout on entry that has expired before the timer
700 * keep old timeout from the function caller */
701 data->rtt.rto = orig_rtt;
702 data->probedelay = oldprobedelay;
703 }
704 rtt_lost(&data->rtt, orig_rtt);
705 if(qtype == LDNS_RR_TYPE_A) {
706 if(data->timeout_A < TIMEOUT_COUNT_MAX)
707 data->timeout_A++;
708 } else if(qtype == LDNS_RR_TYPE_AAAA) {
709 if(data->timeout_AAAA < TIMEOUT_COUNT_MAX)
710 data->timeout_AAAA++;
711 } else {
712 if(data->timeout_other < TIMEOUT_COUNT_MAX)
713 data->timeout_other++;
714 }
715 } else {
716 /* if we got a reply, but the old timeout was above server
717 * selection height, delete the timeout so the server is
718 * fully available again */
719 if(rtt_unclamped(&data->rtt) >= USEFUL_SERVER_TOP_TIMEOUT)
720 rtt_init(&data->rtt);
721 rtt_update(&data->rtt, roundtrip);
722 data->probedelay = 0;
723 if(qtype == LDNS_RR_TYPE_A)
724 data->timeout_A = 0;
725 else if(qtype == LDNS_RR_TYPE_AAAA)
726 data->timeout_AAAA = 0;
727 else data->timeout_other = 0;
728 }
729 if(data->rtt.rto > 0)
730 rto = data->rtt.rto;
731
732 if(needtoinsert)
733 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
734 else { lock_rw_unlock(&e->lock); }
735 return rto;
736 }
737
infra_get_host_rto(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen,struct rtt_info * rtt,int * delay,time_t timenow,int * tA,int * tAAAA,int * tother)738 long long infra_get_host_rto(struct infra_cache* infra,
739 struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* nm,
740 size_t nmlen, struct rtt_info* rtt, int* delay, time_t timenow,
741 int* tA, int* tAAAA, int* tother)
742 {
743 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
744 nm, nmlen, 0);
745 struct infra_data* data;
746 long long ttl = -2;
747 if(!e) return -1;
748 data = (struct infra_data*)e->data;
749 if(data->ttl >= timenow) {
750 ttl = (long long)(data->ttl - timenow);
751 memmove(rtt, &data->rtt, sizeof(*rtt));
752 if(timenow < data->probedelay)
753 *delay = (int)(data->probedelay - timenow);
754 else *delay = 0;
755 }
756 *tA = (int)data->timeout_A;
757 *tAAAA = (int)data->timeout_AAAA;
758 *tother = (int)data->timeout_other;
759 lock_rw_unlock(&e->lock);
760 return ttl;
761 }
762
763 int
infra_edns_update(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * nm,size_t nmlen,int edns_version,time_t timenow)764 infra_edns_update(struct infra_cache* infra, struct sockaddr_storage* addr,
765 socklen_t addrlen, uint8_t* nm, size_t nmlen, int edns_version,
766 time_t timenow)
767 {
768 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
769 nm, nmlen, 1);
770 struct infra_data* data;
771 int needtoinsert = 0;
772 if(!e) {
773 if(!(e = new_entry(infra, addr, addrlen, nm, nmlen, timenow)))
774 return 0;
775 needtoinsert = 1;
776 } else if(((struct infra_data*)e->data)->ttl < timenow) {
777 data_entry_init(infra, e, timenow);
778 }
779 /* have an entry, update the rtt, and the ttl */
780 data = (struct infra_data*)e->data;
781 /* do not update if noEDNS and stored is yesEDNS */
782 if(!(edns_version == -1 && (data->edns_version != -1 &&
783 data->edns_lame_known))) {
784 data->edns_version = edns_version;
785 data->edns_lame_known = 1;
786 }
787
788 if(needtoinsert)
789 slabhash_insert(infra->hosts, e->hash, e, e->data, NULL);
790 else { lock_rw_unlock(&e->lock); }
791 return 1;
792 }
793
794 int
infra_get_lame_rtt(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,uint8_t * name,size_t namelen,uint16_t qtype,int * lame,int * dnsseclame,int * reclame,int * rtt,time_t timenow)795 infra_get_lame_rtt(struct infra_cache* infra,
796 struct sockaddr_storage* addr, socklen_t addrlen,
797 uint8_t* name, size_t namelen, uint16_t qtype,
798 int* lame, int* dnsseclame, int* reclame, int* rtt, time_t timenow)
799 {
800 struct infra_data* host;
801 struct lruhash_entry* e = infra_lookup_nottl(infra, addr, addrlen,
802 name, namelen, 0);
803 if(!e)
804 return 0;
805 host = (struct infra_data*)e->data;
806 *rtt = rtt_unclamped(&host->rtt);
807 if(host->rtt.rto >= PROBE_MAXRTO && timenow >= host->probedelay
808 && infra->infra_keep_probing) {
809 /* single probe, keep probing */
810 if(*rtt >= USEFUL_SERVER_TOP_TIMEOUT)
811 *rtt = STILL_USEFUL_TIMEOUT;
812 } else if(host->rtt.rto >= PROBE_MAXRTO && timenow < host->probedelay
813 && rtt_notimeout(&host->rtt)*4 <= host->rtt.rto) {
814 /* single probe for this domain, and we are not probing */
815 /* unless the query type allows a probe to happen */
816 if(qtype == LDNS_RR_TYPE_A) {
817 if(host->timeout_A >= TIMEOUT_COUNT_MAX)
818 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
819 else *rtt = STILL_USEFUL_TIMEOUT;
820 } else if(qtype == LDNS_RR_TYPE_AAAA) {
821 if(host->timeout_AAAA >= TIMEOUT_COUNT_MAX)
822 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
823 else *rtt = STILL_USEFUL_TIMEOUT;
824 } else {
825 if(host->timeout_other >= TIMEOUT_COUNT_MAX)
826 *rtt = USEFUL_SERVER_TOP_TIMEOUT;
827 else *rtt = STILL_USEFUL_TIMEOUT;
828 }
829 }
830 /* expired entry */
831 if(timenow > host->ttl) {
832 /* see if this can be a re-probe of an unresponsive server */
833 if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) {
834 lock_rw_unlock(&e->lock);
835 *rtt = STILL_USEFUL_TIMEOUT;
836 *lame = 0;
837 *dnsseclame = 0;
838 *reclame = 0;
839 return 1;
840 }
841 lock_rw_unlock(&e->lock);
842 return 0;
843 }
844 /* check lameness first */
845 if(host->lame_type_A && qtype == LDNS_RR_TYPE_A) {
846 lock_rw_unlock(&e->lock);
847 *lame = 1;
848 *dnsseclame = 0;
849 *reclame = 0;
850 return 1;
851 } else if(host->lame_other && qtype != LDNS_RR_TYPE_A) {
852 lock_rw_unlock(&e->lock);
853 *lame = 1;
854 *dnsseclame = 0;
855 *reclame = 0;
856 return 1;
857 } else if(host->isdnsseclame) {
858 lock_rw_unlock(&e->lock);
859 *lame = 0;
860 *dnsseclame = 1;
861 *reclame = 0;
862 return 1;
863 } else if(host->rec_lame) {
864 lock_rw_unlock(&e->lock);
865 *lame = 0;
866 *dnsseclame = 0;
867 *reclame = 1;
868 return 1;
869 }
870 /* no lameness for this type of query */
871 lock_rw_unlock(&e->lock);
872 *lame = 0;
873 *dnsseclame = 0;
874 *reclame = 0;
875 return 1;
876 }
877
infra_find_ratelimit(struct infra_cache * infra,uint8_t * name,size_t namelen)878 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
879 size_t namelen)
880 {
881 int labs = dname_count_labels(name);
882 struct domain_limit_data* d = (struct domain_limit_data*)
883 name_tree_lookup(&infra->domain_limits, name, namelen, labs,
884 LDNS_RR_CLASS_IN);
885 if(!d) return infra_dp_ratelimit;
886
887 if(d->node.labs == labs && d->lim != -1)
888 return d->lim; /* exact match */
889
890 /* find 'below match' */
891 if(d->node.labs == labs)
892 d = (struct domain_limit_data*)d->node.parent;
893 while(d) {
894 if(d->below != -1)
895 return d->below;
896 d = (struct domain_limit_data*)d->node.parent;
897 }
898 return infra_dp_ratelimit;
899 }
900
ip_rate_sizefunc(void * k,void * ATTR_UNUSED (d))901 size_t ip_rate_sizefunc(void* k, void* ATTR_UNUSED(d))
902 {
903 struct ip_rate_key* key = (struct ip_rate_key*)k;
904 return sizeof(*key) + sizeof(struct ip_rate_data)
905 + lock_get_mem(&key->entry.lock);
906 }
907
ip_rate_compfunc(void * key1,void * key2)908 int ip_rate_compfunc(void* key1, void* key2)
909 {
910 struct ip_rate_key* k1 = (struct ip_rate_key*)key1;
911 struct ip_rate_key* k2 = (struct ip_rate_key*)key2;
912 return sockaddr_cmp_addr(&k1->addr, k1->addrlen,
913 &k2->addr, k2->addrlen);
914 }
915
ip_rate_delkeyfunc(void * k,void * ATTR_UNUSED (arg))916 void ip_rate_delkeyfunc(void* k, void* ATTR_UNUSED(arg))
917 {
918 struct ip_rate_key* key = (struct ip_rate_key*)k;
919 if(!key)
920 return;
921 lock_rw_destroy(&key->entry.lock);
922 free(key);
923 }
924
925 /** find data item in array, for write access, caller unlocks */
infra_find_ratedata(struct infra_cache * infra,uint8_t * name,size_t namelen,int wr)926 static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra,
927 uint8_t* name, size_t namelen, int wr)
928 {
929 struct rate_key key;
930 hashvalue_type h = dname_query_hash(name, 0xab);
931 memset(&key, 0, sizeof(key));
932 key.name = name;
933 key.namelen = namelen;
934 key.entry.hash = h;
935 return slabhash_lookup(infra->domain_rates, h, &key, wr);
936 }
937
938 /** find data item in array for ip addresses */
infra_find_ip_ratedata(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,int wr)939 static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra,
940 struct sockaddr_storage* addr, socklen_t addrlen, int wr)
941 {
942 struct ip_rate_key key;
943 hashvalue_type h = hash_addr(addr, addrlen, 0);
944 memset(&key, 0, sizeof(key));
945 key.addr = *addr;
946 key.addrlen = addrlen;
947 key.entry.hash = h;
948 return slabhash_lookup(infra->client_ip_rates, h, &key, wr);
949 }
950
951 /** create rate data item for name, number 1 in now */
infra_create_ratedata(struct infra_cache * infra,uint8_t * name,size_t namelen,time_t timenow)952 static void infra_create_ratedata(struct infra_cache* infra,
953 uint8_t* name, size_t namelen, time_t timenow)
954 {
955 hashvalue_type h = dname_query_hash(name, 0xab);
956 struct rate_key* k = (struct rate_key*)calloc(1, sizeof(*k));
957 struct rate_data* d = (struct rate_data*)calloc(1, sizeof(*d));
958 if(!k || !d) {
959 free(k);
960 free(d);
961 return; /* alloc failure */
962 }
963 k->namelen = namelen;
964 k->name = memdup(name, namelen);
965 if(!k->name) {
966 free(k);
967 free(d);
968 return; /* alloc failure */
969 }
970 lock_rw_init(&k->entry.lock);
971 k->entry.hash = h;
972 k->entry.key = k;
973 k->entry.data = d;
974 d->qps[0] = 1;
975 d->timestamp[0] = timenow;
976 slabhash_insert(infra->domain_rates, h, &k->entry, d, NULL);
977 }
978
979 /** create rate data item for ip address */
infra_ip_create_ratedata(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,time_t timenow,int mesh_wait)980 static void infra_ip_create_ratedata(struct infra_cache* infra,
981 struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
982 int mesh_wait)
983 {
984 hashvalue_type h = hash_addr(addr, addrlen, 0);
985 struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
986 struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d));
987 if(!k || !d) {
988 free(k);
989 free(d);
990 return; /* alloc failure */
991 }
992 k->addr = *addr;
993 k->addrlen = addrlen;
994 lock_rw_init(&k->entry.lock);
995 k->entry.hash = h;
996 k->entry.key = k;
997 k->entry.data = d;
998 d->qps[0] = 1;
999 d->timestamp[0] = timenow;
1000 d->mesh_wait = mesh_wait;
1001 slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
1002 }
1003
1004 /** Find the second and return its rate counter. If none and should_add, remove
1005 * oldest to accommodate. Else return none. */
infra_rate_find_second_or_none(void * data,time_t t,int should_add)1006 static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add)
1007 {
1008 struct rate_data* d = (struct rate_data*)data;
1009 int i, oldest;
1010 for(i=0; i<RATE_WINDOW; i++) {
1011 if(d->timestamp[i] == t)
1012 return &(d->qps[i]);
1013 }
1014 if(!should_add) return NULL;
1015 /* remove oldest timestamp, and insert it at t with 0 qps */
1016 oldest = 0;
1017 for(i=0; i<RATE_WINDOW; i++) {
1018 if(d->timestamp[i] < d->timestamp[oldest])
1019 oldest = i;
1020 }
1021 d->timestamp[oldest] = t;
1022 d->qps[oldest] = 0;
1023 return &(d->qps[oldest]);
1024 }
1025
1026 /** find the second and return its rate counter, if none, remove oldest to
1027 * accommodate */
infra_rate_give_second(void * data,time_t t)1028 static int* infra_rate_give_second(void* data, time_t t)
1029 {
1030 return infra_rate_find_second_or_none(data, t, 1);
1031 }
1032
1033 /** find the second and return its rate counter only if it exists. Caller
1034 * should check for NULL return value */
infra_rate_get_second(void * data,time_t t)1035 static int* infra_rate_get_second(void* data, time_t t)
1036 {
1037 return infra_rate_find_second_or_none(data, t, 0);
1038 }
1039
infra_rate_max(void * data,time_t now,int backoff)1040 int infra_rate_max(void* data, time_t now, int backoff)
1041 {
1042 struct rate_data* d = (struct rate_data*)data;
1043 int i, max = 0;
1044 for(i=0; i<RATE_WINDOW; i++) {
1045 if(backoff) {
1046 if(now-d->timestamp[i] <= RATE_WINDOW &&
1047 d->qps[i] > max) {
1048 max = d->qps[i];
1049 }
1050 } else {
1051 if(now == d->timestamp[i]) {
1052 return d->qps[i];
1053 }
1054 }
1055 }
1056 return max;
1057 }
1058
infra_ratelimit_inc(struct infra_cache * infra,uint8_t * name,size_t namelen,time_t timenow,int backoff,struct query_info * qinfo,struct comm_reply * replylist)1059 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
1060 size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
1061 struct comm_reply* replylist)
1062 {
1063 int lim, max;
1064 struct lruhash_entry* entry;
1065
1066 if(!infra_dp_ratelimit)
1067 return 1; /* not enabled */
1068
1069 /* find ratelimit */
1070 lim = infra_find_ratelimit(infra, name, namelen);
1071 if(!lim)
1072 return 1; /* disabled for this domain */
1073
1074 /* find or insert ratedata */
1075 entry = infra_find_ratedata(infra, name, namelen, 1);
1076 if(entry) {
1077 int premax = infra_rate_max(entry->data, timenow, backoff);
1078 int* cur = infra_rate_give_second(entry->data, timenow);
1079 (*cur)++;
1080 max = infra_rate_max(entry->data, timenow, backoff);
1081 lock_rw_unlock(&entry->lock);
1082
1083 if(premax <= lim && max > lim) {
1084 char buf[257], qnm[257], ts[12], cs[12], ip[128];
1085 dname_str(name, buf);
1086 dname_str(qinfo->qname, qnm);
1087 sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts));
1088 sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
1089 ip[0]=0;
1090 if(replylist) {
1091 addr_to_str((struct sockaddr_storage *)&replylist->remote_addr,
1092 replylist->remote_addrlen, ip, sizeof(ip));
1093 verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
1094 } else {
1095 verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
1096 }
1097 }
1098 return (max <= lim);
1099 }
1100
1101 /* create */
1102 infra_create_ratedata(infra, name, namelen, timenow);
1103 return (1 <= lim);
1104 }
1105
infra_ratelimit_dec(struct infra_cache * infra,uint8_t * name,size_t namelen,time_t timenow)1106 void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
1107 size_t namelen, time_t timenow)
1108 {
1109 struct lruhash_entry* entry;
1110 int* cur;
1111 if(!infra_dp_ratelimit)
1112 return; /* not enabled */
1113 entry = infra_find_ratedata(infra, name, namelen, 1);
1114 if(!entry) return; /* not cached */
1115 cur = infra_rate_get_second(entry->data, timenow);
1116 if(cur == NULL) {
1117 /* our timenow is not available anymore; nothing to decrease */
1118 lock_rw_unlock(&entry->lock);
1119 return;
1120 }
1121 if((*cur) > 0)
1122 (*cur)--;
1123 lock_rw_unlock(&entry->lock);
1124 }
1125
infra_ratelimit_exceeded(struct infra_cache * infra,uint8_t * name,size_t namelen,time_t timenow,int backoff)1126 int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
1127 size_t namelen, time_t timenow, int backoff)
1128 {
1129 struct lruhash_entry* entry;
1130 int lim, max;
1131 if(!infra_dp_ratelimit)
1132 return 0; /* not enabled */
1133
1134 /* find ratelimit */
1135 lim = infra_find_ratelimit(infra, name, namelen);
1136 if(!lim)
1137 return 0; /* disabled for this domain */
1138
1139 /* find current rate */
1140 entry = infra_find_ratedata(infra, name, namelen, 0);
1141 if(!entry)
1142 return 0; /* not cached */
1143 max = infra_rate_max(entry->data, timenow, backoff);
1144 lock_rw_unlock(&entry->lock);
1145
1146 return (max > lim);
1147 }
1148
1149 size_t
infra_get_mem(struct infra_cache * infra)1150 infra_get_mem(struct infra_cache* infra)
1151 {
1152 size_t s = sizeof(*infra) + slabhash_get_mem(infra->hosts);
1153 if(infra->domain_rates) s += slabhash_get_mem(infra->domain_rates);
1154 if(infra->client_ip_rates) s += slabhash_get_mem(infra->client_ip_rates);
1155 /* ignore domain_limits because walk through tree is big */
1156 return s;
1157 }
1158
1159 /* Returns 1 if the limit has not been exceeded, 0 otherwise. */
1160 static int
check_ip_ratelimit(struct sockaddr_storage * addr,socklen_t addrlen,struct sldns_buffer * buffer,int premax,int max,int has_cookie)1161 check_ip_ratelimit(struct sockaddr_storage* addr, socklen_t addrlen,
1162 struct sldns_buffer* buffer, int premax, int max, int has_cookie)
1163 {
1164 int limit;
1165
1166 if(has_cookie) limit = infra_ip_ratelimit_cookie;
1167 else limit = infra_ip_ratelimit;
1168
1169 /* Disabled */
1170 if(limit == 0) return 1;
1171
1172 if(premax <= limit && max > limit) {
1173 char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
1174 addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
1175 qnm[0]=0;
1176 if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
1177 LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
1178 (void)sldns_wire2str_rrquestion_buf(
1179 sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
1180 sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
1181 qnm, sizeof(qnm));
1182 if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
1183 qnm[strlen(qnm)-1] = 0; /*remove newline*/
1184 if(strchr(qnm, '\t'))
1185 *strchr(qnm, '\t') = ' ';
1186 if(strchr(qnm, '\t'))
1187 *strchr(qnm, '\t') = ' ';
1188 verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s %s",
1189 client_ip, limit,
1190 has_cookie?"(cookie)":"", qnm);
1191 } else {
1192 verbose(VERB_OPS, "ip_ratelimit exceeded %s %d%s (no query name)",
1193 client_ip, limit,
1194 has_cookie?"(cookie)":"");
1195 }
1196 }
1197 return (max <= limit);
1198 }
1199
infra_ip_ratelimit_inc(struct infra_cache * infra,struct sockaddr_storage * addr,socklen_t addrlen,time_t timenow,int has_cookie,int backoff,struct sldns_buffer * buffer)1200 int infra_ip_ratelimit_inc(struct infra_cache* infra,
1201 struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
1202 int has_cookie, int backoff, struct sldns_buffer* buffer)
1203 {
1204 int max;
1205 struct lruhash_entry* entry;
1206
1207 /* not enabled */
1208 if(!infra_ip_ratelimit) {
1209 return 1;
1210 }
1211 /* find or insert ratedata */
1212 entry = infra_find_ip_ratedata(infra, addr, addrlen, 1);
1213 if(entry) {
1214 int premax = infra_rate_max(entry->data, timenow, backoff);
1215 int* cur = infra_rate_give_second(entry->data, timenow);
1216 (*cur)++;
1217 max = infra_rate_max(entry->data, timenow, backoff);
1218 lock_rw_unlock(&entry->lock);
1219 return check_ip_ratelimit(addr, addrlen, buffer, premax, max,
1220 has_cookie);
1221 }
1222
1223 /* create */
1224 infra_ip_create_ratedata(infra, addr, addrlen, timenow, 0);
1225 return 1;
1226 }
1227
infra_wait_limit_allowed(struct infra_cache * infra,struct comm_reply * rep,int cookie_valid,struct config_file * cfg)1228 int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
1229 int cookie_valid, struct config_file* cfg)
1230 {
1231 struct lruhash_entry* entry;
1232 if(cfg->wait_limit == 0)
1233 return 1;
1234
1235 entry = infra_find_ip_ratedata(infra, &rep->client_addr,
1236 rep->client_addrlen, 0);
1237 if(entry) {
1238 rbtree_type* tree;
1239 struct wait_limit_netblock_info* w;
1240 struct rate_data* d = (struct rate_data*)entry->data;
1241 int mesh_wait = d->mesh_wait;
1242 lock_rw_unlock(&entry->lock);
1243
1244 /* have the wait amount, check how much is allowed */
1245 if(cookie_valid)
1246 tree = &infra->wait_limits_cookie_netblock;
1247 else tree = &infra->wait_limits_netblock;
1248 w = (struct wait_limit_netblock_info*)addr_tree_lookup(tree,
1249 &rep->client_addr, rep->client_addrlen);
1250 if(w) {
1251 if(w->limit != -1 && mesh_wait > w->limit)
1252 return 0;
1253 } else {
1254 /* if there is no IP netblock specific information,
1255 * use the configured value. */
1256 if(mesh_wait > (cookie_valid?cfg->wait_limit_cookie:
1257 cfg->wait_limit))
1258 return 0;
1259 }
1260 }
1261 return 1;
1262 }
1263
infra_wait_limit_inc(struct infra_cache * infra,struct comm_reply * rep,time_t timenow,struct config_file * cfg)1264 void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
1265 time_t timenow, struct config_file* cfg)
1266 {
1267 struct lruhash_entry* entry;
1268 if(cfg->wait_limit == 0)
1269 return;
1270
1271 /* Find it */
1272 entry = infra_find_ip_ratedata(infra, &rep->client_addr,
1273 rep->client_addrlen, 1);
1274 if(entry) {
1275 struct rate_data* d = (struct rate_data*)entry->data;
1276 d->mesh_wait++;
1277 lock_rw_unlock(&entry->lock);
1278 return;
1279 }
1280
1281 /* Create it */
1282 infra_ip_create_ratedata(infra, &rep->client_addr,
1283 rep->client_addrlen, timenow, 1);
1284 }
1285
infra_wait_limit_dec(struct infra_cache * infra,struct comm_reply * rep,struct config_file * cfg)1286 void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
1287 struct config_file* cfg)
1288 {
1289 struct lruhash_entry* entry;
1290 if(cfg->wait_limit == 0)
1291 return;
1292
1293 entry = infra_find_ip_ratedata(infra, &rep->client_addr,
1294 rep->client_addrlen, 1);
1295 if(entry) {
1296 struct rate_data* d = (struct rate_data*)entry->data;
1297 if(d->mesh_wait > 0)
1298 d->mesh_wait--;
1299 lock_rw_unlock(&entry->lock);
1300 }
1301 }
1302