author | Matthew Wild <mwild1@gmail.com> |
Fri, 18 Mar 2016 09:59:42 +0000 | |
changeset 2135 | ba42c8882026 |
parent 2134 | 9239893a2400 |
child 2374 | 5fe483b73fd2 |
permissions | -rw-r--r-- |
2083
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1867
diff
changeset
|
1 |
|
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1867
diff
changeset
|
2 |
-- Name arguments are unused here |
edec9de0220a
mod_firewall: Silence warnings about unused arguments [luacheck]
Kim Alvefur <zash@zash.se>
parents:
1867
diff
changeset
|
3 |
-- luacheck: ignore 212 |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
local definition_handlers = {}; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
|
1867
92602cfac751
mod_firewall: Fix missing import of util.set (used to be global)
Kim Alvefur <zash@zash.se>
parents:
999
diff
changeset
|
7 |
local set = require"util.set"; |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
local new_throttle = require "util.throttle".create; |
2132
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
9 |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
10 |
local multirate_cache_size = module:get_option_number("firewall_multirate_cache_limit", 1000); |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
function definition_handlers.ZONE(zone_name, zone_members) |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
local zone_member_list = {}; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
for member in zone_members:gmatch("[^, ]+") do |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 |
zone_member_list[#zone_member_list+1] = member; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
return set.new(zone_member_list)._items; |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 |
|
2132
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
20 |
-- Helper function used by RATE handler |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
21 |
local function evict_only_unthrottled(name, throttle) |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
22 |
throttle:update(); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
23 |
-- Check whether the throttle is at max balance (i.e. totally safe to forget about it) |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
24 |
if throttle.balance < throttle.max then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
25 |
-- Not safe to forget |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
26 |
return false; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
27 |
end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
28 |
end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
29 |
|
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
function definition_handlers.RATE(name, line) |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
local rate = assert(tonumber(line:match("([%d.]+)")), "Unable to parse rate"); |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 |
local burst = tonumber(line:match("%(%s*burst%s+([%d.]+)%s*%)")) or 1; |
2132
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
33 |
local max_throttles = tonumber(line:match("%(%s*entries%s+([%d]+)%s*%)")) or multirate_cache_size; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
34 |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
35 |
return { |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
36 |
single = function () |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
37 |
return new_throttle(rate*burst, burst); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
38 |
end; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
39 |
|
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
40 |
multi = function () |
2135
ba42c8882026
mod_firewall: Fix another unprotected use of util.cache
Matthew Wild <mwild1@gmail.com>
parents:
2134
diff
changeset
|
41 |
local cache = require "util.cache".new(max_throttles, evict_only_unthrottled); |
2132
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
42 |
return { |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
43 |
poll_on = function (_, key, amount) |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
44 |
assert(key, "no key"); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
45 |
local throttle = cache:get(key); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
46 |
if not throttle then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
47 |
throttle = new_throttle(rate*burst, burst); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
48 |
if not cache:set(key, throttle) then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
49 |
module:log("warn", "Multirate '%s' has hit its maximum number of active throttles (%d), denying new events", name, max_throttles); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
50 |
return false; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
51 |
end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
52 |
end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
53 |
return throttle:poll(amount); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
54 |
end; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
55 |
} |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
56 |
end; |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2083
diff
changeset
|
57 |
}; |
999
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
end |
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
197af8440ffb
mod_firewall: Make defining objects generic (currently zones and rate limits), so more can easily be added. Also a syntax change... definition lines must begin with %
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
return definition_handlers; |
2135
ba42c8882026
mod_firewall: Fix another unprotected use of util.cache
Matthew Wild <mwild1@gmail.com>
parents:
2134
diff
changeset
|
61 |