Pull request 2060: 6368-conf-ratelimit-subnet-len

Updates #6368. Squashed commit of the following: commit def3bd7c746c671efaf655c3cfbb1a7664becd85 Merge: 59d678c95 d3862614e Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Thu Nov 9 16:27:36 2023 +0300 Merge branch 'master' into 6368-conf-ratelimit-subnet-len commit 59d678c95978d4ab21b952ef0cae70cad1ad50d8 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Nov 8 18:16:40 2023 +0300 all: imp chlog commit 69d6a57d7facbdc6038612f31796f727adcb107f Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Nov 8 17:48:19 2023 +0300 all: upd chlog commit fa1998352618c839e248eb86c84e75933e0a5d0f Merge: 236ba3bce f8fe9bfc8 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Nov 8 16:22:31 2023 +0300 Merge branch 'master' into 6368-conf-ratelimit-subnet-len commit 236ba3bceefbe6f9eeb6c70150f5a371f014f60d Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Wed Nov 8 16:21:09 2023 +0300 all: upd dnsproxy commit 771af632f7795af6cdd53ffd81d0294165441439 Merge: 5a23b039e cbcc17a58 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Tue Nov 7 17:51:56 2023 +0300 Merge branch 'master' into 6368-conf-ratelimit-subnet-len commit 5a23b039e59d1ec5cb2bfea3942da7104db3b9bd Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Tue Nov 7 17:49:27 2023 +0300 all: upd dnsproxy commit 8b7aca3fbd21897183378470fd687380630602eb Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Nov 3 16:37:41 2023 +0300 all: upd chlog commit bd7d23bacc08d8f907e0e7e07a48259bb9ed17e8 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Nov 3 15:52:06 2023 +0300 all: conf ratelimit subnet len
2024-08-16 22:20:30 +03:00 · 2023-11-09 16:44:28 +03:00 · 2023-11-09 16:44:28 +03:00 · 53170d8711
commit 53170d8711
parent d3862614e5
6 changed files with 50 additions and 26 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -25,6 +25,8 @@ NOTE: Add new changes BELOW THIS COMMENT.

 ### Added

+- Ability to specify subnet lengths for IPv4 and IPv6 addresses, used for rate
+  limiting requests, in the configuration file ([#6368]).
 - Ability to specify multiple domain specific upstreams per line, e.g.
  `[/domain1/../domain2/]upstream1 upstream2 .. upstreamN` ([#4977]).

@ -33,6 +35,11 @@ NOTE: Add new changes BELOW THIS COMMENT.
 - The height of ready-to-use filter lists has been increased ([#6358]).
 - Improved authentication failure logging ([#6357]).

+#### Configuration Changes
+
+- New properties `dns.ratelimit_subnet_len_ipv4` and
+  `dns.ratelimit_subnet_len_ipv6` in the configuration file ([#6368]).
+
 ### Fixed

 - Average request processing time calculation ([#6220]).
@ -52,6 +59,7 @@ NOTE: Add new changes BELOW THIS COMMENT.
 [#6338]: https://github.com/AdguardTeam/AdGuardHome/issues/6338
 [#6357]: https://github.com/AdguardTeam/AdGuardHome/issues/6357
 [#6358]: https://github.com/AdguardTeam/AdGuardHome/issues/6358
+[#6368]: https://github.com/AdguardTeam/AdGuardHome/issues/6368

 <!--
 NOTE: Add new changes ABOVE THIS COMMENT.
--- a/go.mod
+++ b/go.mod
@ -3,8 +3,7 @@ module github.com/AdguardTeam/AdGuardHome
 go 1.20

 require (
-	// TODO(e.burkov):  Update to v0.57.3.
-	github.com/AdguardTeam/dnsproxy v0.56.4-0.20231031121835-8d20902c442f
+	github.com/AdguardTeam/dnsproxy v0.57.3
 	github.com/AdguardTeam/golibs v0.17.2
 	github.com/AdguardTeam/urlfilter v0.17.3
 	github.com/NYTimes/gziphandler v1.1.1
--- a/go.sum
+++ b/go.sum
@ -1,5 +1,5 @@
-github.com/AdguardTeam/dnsproxy v0.56.4-0.20231031121835-8d20902c442f h1:0fgscvsWpMq5G8Ab653inTgo2TXB6RxM2PjYArfs7t4=
-github.com/AdguardTeam/dnsproxy v0.56.4-0.20231031121835-8d20902c442f/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM=
+github.com/AdguardTeam/dnsproxy v0.57.3 h1:0v7D+LQrOL2k2fvkG3Ft3Cn3ayUsvAdlOlJR+gLxSGA=
+github.com/AdguardTeam/dnsproxy v0.57.3/go.mod h1:ZvkbM71HwpilgkCnTubDiR4Ba6x5Qvnhy2iasMWaTDM=
 github.com/AdguardTeam/golibs v0.17.2 h1:vg6wHMjUKscnyPGRvxS5kAt7Uw4YxcJiITZliZ476W8=
 github.com/AdguardTeam/golibs v0.17.2/go.mod h1:DKhCIXHcUYtBhU8ibTLKh1paUL96n5zhQBlx763sj+U=
 github.com/AdguardTeam/urlfilter v0.17.3 h1:fg/ObbnO0Cv6aw0tW6N/ETDMhhNvmcUUOZ7HlmKC3rw=
--- a/internal/confmigrate/migrator_test.go
+++ b/internal/confmigrate/migrator_test.go
@ -7,11 +7,16 @@ import (
 	"testing"

 	"github.com/AdguardTeam/AdGuardHome/internal/confmigrate"
+	"github.com/AdguardTeam/golibs/testutil"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/bcrypt"
 	yaml "gopkg.in/yaml.v3"
 )

+func TestMain(m *testing.M) {
+	testutil.DiscardLogOutput(m)
+}
+
 // testdata is a virtual filesystem containing test data.
 var testdata = os.DirFS("testdata")

--- a/internal/dnsforward/config.go
+++ b/internal/dnsforward/config.go
@ -46,6 +46,14 @@ type Config struct {
 	// (0 to disable).
 	Ratelimit uint32 `yaml:"ratelimit"`

+	// RatelimitSubnetLenIPv4 is a subnet length for IPv4 addresses used for
+	// rate limiting requests.
+	RatelimitSubnetLenIPv4 int `yaml:"ratelimit_subnet_len_ipv4"`
+
+	// RatelimitSubnetLenIPv6 is a subnet length for IPv6 addresses used for
+	// rate limiting requests.
+	RatelimitSubnetLenIPv6 int `yaml:"ratelimit_subnet_len_ipv6"`
+
 	// RatelimitWhitelist is the list of whitelisted client IP addresses.
 	RatelimitWhitelist []string `yaml:"ratelimit_whitelist"`

@ -275,24 +283,26 @@ type ServerConfig struct {
 func (s *Server) createProxyConfig() (conf proxy.Config, err error) {
 	srvConf := s.conf
 	conf = proxy.Config{
-		UDPListenAddr:          srvConf.UDPListenAddrs,
-		TCPListenAddr:          srvConf.TCPListenAddrs,
-		HTTP3:                  srvConf.ServeHTTP3,
-		Ratelimit:              int(srvConf.Ratelimit),
-		RatelimitWhitelist:     srvConf.RatelimitWhitelist,
-		RefuseAny:              srvConf.RefuseAny,
-		TrustedProxies:         srvConf.TrustedProxies,
-		CacheMinTTL:            srvConf.CacheMinTTL,
-		CacheMaxTTL:            srvConf.CacheMaxTTL,
-		CacheOptimistic:        srvConf.CacheOptimistic,
-		UpstreamConfig:         srvConf.UpstreamConfig,
-		BeforeRequestHandler:   s.beforeRequestHandler,
-		RequestHandler:         s.handleDNSRequest,
-		HTTPSServerName:        aghhttp.UserAgent(),
-		EnableEDNSClientSubnet: srvConf.EDNSClientSubnet.Enabled,
-		MaxGoroutines:          int(srvConf.MaxGoroutines),
-		UseDNS64:               srvConf.UseDNS64,
-		DNS64Prefs:             srvConf.DNS64Prefixes,
+		UDPListenAddr:           srvConf.UDPListenAddrs,
+		TCPListenAddr:           srvConf.TCPListenAddrs,
+		HTTP3:                   srvConf.ServeHTTP3,
+		Ratelimit:               int(srvConf.Ratelimit),
+		RatelimitSubnetMaskIPv4: net.CIDRMask(srvConf.RatelimitSubnetLenIPv4, netutil.IPv4BitLen),
+		RatelimitSubnetMaskIPv6: net.CIDRMask(srvConf.RatelimitSubnetLenIPv6, netutil.IPv6BitLen),
+		RatelimitWhitelist:      srvConf.RatelimitWhitelist,
+		RefuseAny:               srvConf.RefuseAny,
+		TrustedProxies:          srvConf.TrustedProxies,
+		CacheMinTTL:             srvConf.CacheMinTTL,
+		CacheMaxTTL:             srvConf.CacheMaxTTL,
+		CacheOptimistic:         srvConf.CacheOptimistic,
+		UpstreamConfig:          srvConf.UpstreamConfig,
+		BeforeRequestHandler:    s.beforeRequestHandler,
+		RequestHandler:          s.handleDNSRequest,
+		HTTPSServerName:         aghhttp.UserAgent(),
+		EnableEDNSClientSubnet:  srvConf.EDNSClientSubnet.Enabled,
+		MaxGoroutines:           int(srvConf.MaxGoroutines),
+		UseDNS64:                srvConf.UseDNS64,
+		DNS64Prefs:              srvConf.DNS64Prefixes,
 	}

 	if srvConf.EDNSClientSubnet.UseCustom {
--- a/internal/home/config.go
+++ b/internal/home/config.go
@ -306,10 +306,12 @@ var config = &configuration{
 		BindHosts: []netip.Addr{netip.IPv4Unspecified()},
 		Port:      defaultPortDNS,
 		Config: dnsforward.Config{
-			Ratelimit:  20,
-			RefuseAny:  true,
-			AllServers: false,
-			HandleDDR:  true,
+			Ratelimit:              20,
+			RatelimitSubnetLenIPv4: 24,
+			RatelimitSubnetLenIPv6: 56,
+			RefuseAny:              true,
+			AllServers:             false,
+			HandleDDR:              true,
 			FastestTimeout: timeutil.Duration{
 				Duration: fastip.DefaultPingWaitTimeout,
 			},