-rw-r--r-- | daemon/lua/kres-gen-30.lua | 1 | ||||
-rw-r--r-- | daemon/lua/kres-gen-31.lua | 1 | ||||
-rw-r--r-- | daemon/lua/kres-gen-32.lua | 1 | ||||
-rwxr-xr-x | daemon/lua/kres-gen.sh | 1 | ||||
-rw-r--r-- | daemon/rrl/api.c | 34 | ||||
-rw-r--r-- | daemon/rrl/api.h | 8 | ||||
-rw-r--r-- | daemon/rrl/meson.build | 1 | ||||
-rw-r--r-- | modules/policy/policy.lua | 4 |
8 files changed, 50 insertions, 1 deletions
diff --git a/daemon/lua/kres-gen-30.lua b/daemon/lua/kres-gen-30.lua index ae182a37..65c6ac5a 100644 --- a/daemon/lua/kres-gen-30.lua +++ b/daemon/lua/kres-gen-30.lua @@ -579,6 +579,7 @@ int worker_resolve_exec(struct qr_task *, knot_pkt_t *); knot_pkt_t *worker_resolve_mk_pkt(const char *, uint16_t, uint16_t, const struct kr_qflags *); struct qr_task *worker_resolve_start(knot_pkt_t *, struct kr_qflags); int zi_zone_import(const zi_config_t); +_Bool kr_rrl_request_begin(struct kr_request *); struct engine { char _stub[]; }; diff --git a/daemon/lua/kres-gen-31.lua b/daemon/lua/kres-gen-31.lua index 1033e104..cb96adf1 100644 --- a/daemon/lua/kres-gen-31.lua +++ b/daemon/lua/kres-gen-31.lua @@ -579,6 +579,7 @@ int worker_resolve_exec(struct qr_task *, knot_pkt_t *); knot_pkt_t *worker_resolve_mk_pkt(const char *, uint16_t, uint16_t, const struct kr_qflags *); struct qr_task *worker_resolve_start(knot_pkt_t *, struct kr_qflags); int zi_zone_import(const zi_config_t); +_Bool kr_rrl_request_begin(struct kr_request *); struct engine { char _stub[]; }; diff --git a/daemon/lua/kres-gen-32.lua b/daemon/lua/kres-gen-32.lua index 23a338f0..7a416079 100644 --- a/daemon/lua/kres-gen-32.lua +++ b/daemon/lua/kres-gen-32.lua @@ -580,6 +580,7 @@ int worker_resolve_exec(struct qr_task *, knot_pkt_t *); knot_pkt_t *worker_resolve_mk_pkt(const char *, uint16_t, uint16_t, const struct kr_qflags *); struct qr_task *worker_resolve_start(knot_pkt_t *, struct kr_qflags); int zi_zone_import(const zi_config_t); +_Bool kr_rrl_request_begin(struct kr_request *); struct engine { char _stub[]; }; diff --git a/daemon/lua/kres-gen.sh b/daemon/lua/kres-gen.sh index 5939dc65..75294497 100755 --- a/daemon/lua/kres-gen.sh +++ b/daemon/lua/kres-gen.sh @@ -334,6 +334,7 @@ ${CDEFS} ${KRESD} functions <<-EOF worker_resolve_mk_pkt worker_resolve_start zi_zone_import + kr_rrl_request_begin EOF echo "struct engine" | ${CDEFS} ${KRESD} types | sed '/module_array_t/,$ d' 
diff --git a/daemon/rrl/api.c b/daemon/rrl/api.c
new file mode 100644
index 00000000..74b2ef6f
--- /dev/null
+++ b/daemon/rrl/api.c
@@ -0,0 +1,34 @@
+#include "daemon/rrl/api.h"
+#include "daemon/rrl/kru.h"
+#include "lib/resolve.h"
+
+struct kru *the_rrl_kru = NULL;
+
+// FIXME: add C API that takes configuration parameters and initializes the KRU;
+// it will then get called from the generated Lua config file.
+
+bool kr_rrl_request_begin(struct kr_request *req)
+{
+ if (!req->qsource.addr)
+ return false; // don't consider internal requests
+ const bool limited = true;
+ if (!limited && the_rrl_kru) {
+ // FIXME: process limiting via KRU.limited*
+ }
+ if (!limited) return limited;
+
+ knot_pkt_t *answer = kr_request_ensure_answer(req);
+ if (!answer) { // something bad; TODO: perhaps improve recovery from this
+ kr_assert(false);
+ return limited;
+ }
+ // at this point the packet should be pretty clear
+
+ // Example limiting: REFUSED.
+ knot_wire_set_rcode(answer->wire, KNOT_RCODE_REFUSED);
+ kr_request_set_extended_error(req, KNOT_EDNS_EDE_OTHER, "YRAA: rate-limited");
+
+ req->state = KR_STATE_DONE;
+
+ return limited;
+}
diff --git a/daemon/rrl/api.h b/daemon/rrl/api.h
new file mode 100644
index 00000000..0d155d09
--- /dev/null
+++ b/daemon/rrl/api.h
@@ -0,0 +1,8 @@
+
+#include <stdbool.h>
+#include <lib/defines.h>
+struct kr_request;
+
+/** Do rate-limiting, during knot_layer_api::begin. */
+KR_EXPORT
+bool kr_rrl_request_begin(struct kr_request *req);
diff --git a/daemon/rrl/meson.build b/daemon/rrl/meson.build
index 959ac7e0..707fa2cc 100644
--- a/daemon/rrl/meson.build
+++ b/daemon/rrl/meson.build
@@ -2,6 +2,7 @@
 # rate limiting code
 kresd_src += files([
+ 'api.c',
 'kru-generic.c',
 'kru-avx2.c',
 '../../contrib/openbsd/siphash.c',
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 60b03478..10755556 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
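Review bot: In daemon/rrl/api.c, `const bool limited = true;` makes kr_rrl_request_begin() answer REFUSED to every request that carries a source address, and both `!limited` branches are dead code, so the limiter fails closed while `the_rrl_kru` is still NULL. Until the KRU query is wired in, the safer default is not to limit: `bool limited = false;` followed by `if (the_rrl_kru) { /* FIXME: set limited from the KRU */ }`. The `!answer` path also returns `limited` after `kr_assert(false)` without setting an rcode or `req->state`, so the caller stops processing a request that was never answered. Returning `false` there looks more consistent, but that depends on how the layer treats the unchanged state, which is not visible in this hunk.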
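Review bot: The doc comment on kr_rrl_request_begin() in daemon/rrl/api.h does not say what the return value means or that the call can rewrite the answer. Callers need to know that `true` means the request was limited and already finalised, e.g. `/** Do rate-limiting, during knot_layer_api::begin. @return true if the request was limited; the answer rcode and req->state have then been set and the caller should stop processing. */`. The new header also has no include guard; `#pragma once` as its first line would be the minimal fix.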
@@ -934,9 +934,11 @@ policy.layer = { if ffi.C.kr_view_select_action(req, view_action_buf) == 0 then local act_str = ffi.string(view_action_buf[0].data, view_action_buf[0].len) - return loadstring('return '..act_str)()(state, req) + loadstring('return ' .. act_str)()(state, req) end + if ffi.C.kr_rrl_request_begin(req) then return end + local qry = req:initial() -- same as :current() but more descriptive return policy.evaluate(policy.rules, req, qry, state) or state |
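Review bot: Dropping `return` in front of `loadstring('return ' .. act_str)()(state, req)` discards the state returned by a matched view action, and execution now falls through to the rate-limit check and to `policy.evaluate(policy.rules, ...)`. Before this change a matched view action ended the layer. If view actions are used for access control, such as refusing or dropping a client subnet, later global rules may now override them; whether they do depends on what the actions return and set, which is outside this hunk. If the goal is only to rate-limit before answering, place `if ffi.C.kr_rrl_request_begin(req) then return end` ahead of the `kr_view_select_action` call and keep the `return`. The bare `return` after the rate-limit check also hands nil back to the layer and relies on `req.state` having been set on the C side; a short comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.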