From: Willy Tarreau Date: Sun, 20 Jun 2010 09:19:22 +0000 (+0200) Subject: [MEDIUM] session counters: add conn_rate and sess_rate counters X-Git-Tag: v1.5-dev8~514 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91c43d7fe4e5a33c87a9dd82a52156e4daac9b81;p=thirdparty%2Fhaproxy.git [MEDIUM] session counters: add conn_rate and sess_rate counters These counters maintain incoming connection rates and session rates in a stick-table, over a period which is defined in the configuration (2 ms to 24 days). They can be used to detect service abuse and enforce a certain accept rate per source address for instance, and block if the rate is passed over. Example : # block if more than 50 requests per 5 seconds from a source. stick-table type ip size 200k expire 1m store conn_rate(5s),sess_rate(5s) tcp-request track-counters src tcp-request reject if { trk_conn_rate gt 50 } # cause a 3 seconds pause to requests from sources in excess of 20 requests/5s tcp-request inspect-delay 3s tcp-request content accept if { trk_sess_rate gt 20 } WAIT_END --- diff --git a/include/proto/session.h b/include/proto/session.h index 6d5de3abff..133e6c9c88 100644 --- a/include/proto/session.h +++ b/include/proto/session.h @@ -25,6 +25,7 @@ #include #include #include +#include #include extern struct pool_head *pool2_session; @@ -81,6 +82,11 @@ static inline void session_track_counters(struct session *s, struct stktable *t, if (ptr) stktable_data_cast(ptr, conn_cnt)++; + ptr = stktable_data_ptr(t, ts, STKTABLE_DT_CONN_RATE); + if (ptr) + update_freq_ctr_period(&stktable_data_cast(ptr, conn_rate), + t->data_arg[STKTABLE_DT_CONN_RATE].u, 1); + if (tick_isset(t->expire)) ts->expire = tick_add(now_ms, MS_TO_TICKS(t->expire)); } diff --git a/include/types/stick_table.h b/include/types/stick_table.h index caca0bea0c..0501adc2f7 100644 --- a/include/types/stick_table.h +++ b/include/types/stick_table.h @@ -30,6 +30,7 @@ #include #include #include +#include /* stick table key types */ enum { 
@@ -43,8 +44,10 @@ enum { enum { STKTABLE_DT_SERVER_ID, /* the server ID to use with this session if > 0 */ STKTABLE_DT_CONN_CNT, /* cumulated number of connections */ + STKTABLE_DT_CONN_RATE, /* incoming connection rate */ STKTABLE_DT_CONN_CUR, /* concurrent number of connections */ STKTABLE_DT_SESS_CNT, /* cumulated number of sessions (accepted connections) */ + STKTABLE_DT_SESS_RATE, /* accepted sessions rate */ STKTABLE_DT_BYTES_IN_CNT, /* cumulated bytes count from client to servers */ STKTABLE_DT_BYTES_OUT_CNT,/* cumulated bytes count from servers to client */ STKTABLE_DATA_TYPES /* Number of data types, must always be last */ @@ -61,8 +64,10 @@ enum { union stktable_data { int server_id; unsigned int conn_cnt; + struct freq_ctr_period conn_rate; unsigned int conn_cur; unsigned int sess_cnt; + struct freq_ctr_period sess_rate; unsigned long long bytes_in_cnt; unsigned long long bytes_out_cnt; }; diff --git a/src/session.c b/src/session.c index ed854d981a..6c7a91d5ce 100644 --- a/src/session.c +++ b/src/session.c @@ -26,6 +26,7 @@ #include #include #include +#include #include #include #include @@ -135,9 +136,16 @@ int session_accept(struct listener *l, int cfd, struct sockaddr_storage *addr) p->counters.feconn_max = p->feconn; proxy_inc_fe_sess_ctr(l, p); if (s->tracked_counters) { - void *ptr = stktable_data_ptr(s->tracked_table, s->tracked_counters, STKTABLE_DT_SESS_CNT); + void *ptr; + + ptr = stktable_data_ptr(s->tracked_table, s->tracked_counters, STKTABLE_DT_SESS_CNT); if (ptr) stktable_data_cast(ptr, sess_cnt)++; + + ptr = stktable_data_ptr(s->tracked_table, s->tracked_counters, STKTABLE_DT_SESS_RATE); + if (ptr) + update_freq_ctr_period(&stktable_data_cast(ptr, sess_rate), + s->tracked_table->data_arg[STKTABLE_DT_SESS_RATE].u, 1); } /* this part should be common with other protocols */ 
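Review bot: Inserting STKTABLE_DT_CONN_RATE and STKTABLE_DT_SESS_RATE in the middle of the enum renumbers STKTABLE_DT_CONN_CUR, STKTABLE_DT_SESS_CNT and the two byte counters; that is harmless for the in-memory stktable_data_types[] index, but it would break any consumer that serialises or persists the numeric value (none is visible in this diff, so this is a caution rather than a bug). If the ordering is deliberately kept parallel to the union members for readability, a comment at the top of the enum should say so, e.g. `/* order mirrors union stktable_data; values are array indexes only and are not stable across versions */`, so a later change does not assume the numbers can be relied upon. Otherwise appending new types just before STKTABLE_DATA_TYPES keeps existing values intact.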
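Review bot: The sess_rate update added to session_accept repeats the conn_rate sequence from session_track_counters (stktable_data_ptr lookup, then update_freq_ctr_period with `data_arg[...].u`), and neither site says where that period comes from. A one-line comment on the new call, `/* .u is the period in ms given to "store sess_rate(<period>)" */`, would make the dependency on the table's store argument explicit. The code also dereferences s->tracked_table whenever s->tracked_counters is set; that looks intentional, but since nothing in this hunk shows the two being assigned together, a short comment stating the invariant (or a shared static inline helper used by both call sites) would help the next reader.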
@@ -2124,6 +2132,57 @@ acl_fetch_src_conn_cnt(struct proxy *px, struct session *l4, void *l7, int dir, return acl_fetch_conn_cnt(&px->table, test, stktable_lookup_key(&px->table, key)); } +/* set test->i to the connection rate in the stksess entry over the configured period */ +static int +acl_fetch_conn_rate(struct stktable *table, struct acl_test *test, struct stksess *ts) +{ + test->flags = ACL_TEST_F_VOL_TEST; + test->i = 0; + if (ts != NULL) { + void *ptr = stktable_data_ptr(table, ts, STKTABLE_DT_CONN_RATE); + if (!ptr) + return 0; /* parameter not stored */ + test->i = read_freq_ctr_period(&stktable_data_cast(ptr, conn_rate), + table->data_arg[STKTABLE_DT_CONN_RATE].u); + } + return 1; +} + +/* set test->i to the connection rate from the session's tracked counters over + * the configured period. + */ +static int +acl_fetch_trk_conn_rate(struct proxy *px, struct session *l4, void *l7, int dir, + struct acl_expr *expr, struct acl_test *test) +{ + if (!l4->tracked_counters) + return 0; + + return acl_fetch_conn_rate(l4->tracked_table, test, l4->tracked_counters); +} + +/* set test->i to the connection rate from the session's source address in the + * table pointed to by expr, over the configured period. + */ +static int +acl_fetch_src_conn_rate(struct proxy *px, struct session *l4, void *l7, int dir, + struct acl_expr *expr, struct acl_test *test) +{ + struct stktable_key *key; + + key = tcpv4_src_to_stktable_key(l4); + if (!key) + return 0; /* only TCPv4 is supported right now */ + + if (expr->arg_len) + px = find_stktable(expr->arg.str); + + if (!px) + return 0; /* table not found */ + + return acl_fetch_conn_rate(&px->table, test, stktable_lookup_key(&px->table, key)); +} + /* set test->i to the number of connections from the session's source address * in the table pointed to by expr, after updating it. */ 
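Review bot: acl_fetch_src_conn_rate fails open on misconfiguration: when the named table is not found, or when acl_fetch_conn_rate sees that the table does not store conn_rate (`return 0; /* parameter not stored */`), the fetch returns 0 and the ACL simply never matches, so a `tcp-request reject if { src_conn_rate gt 50 }` rule silently stops limiting anything. Unless a config-time check elsewhere verifies that the referenced table actually stores the data type (nothing in this diff does), a parse-time warning is warranted, or at minimum a comment on acl_fetch_conn_rate such as `/* "not stored" yields no-match rather than an error: rate ACLs fail open on a misconfigured table */`. find_stktable is also a name lookup on every evaluation, but that mirrors the existing src_conn_cnt fetch in the context above and is not introduced by this commit.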
@@ -2261,6 +2320,57 @@ acl_fetch_src_sess_cnt(struct proxy *px, struct session *l4, void *l7, int dir, return acl_fetch_sess_cnt(&px->table, test, stktable_lookup_key(&px->table, key)); } +/* set test->i to the session rate in the stksess entry over the configured period */ +static int +acl_fetch_sess_rate(struct stktable *table, struct acl_test *test, struct stksess *ts) +{ + test->flags = ACL_TEST_F_VOL_TEST; + test->i = 0; + if (ts != NULL) { + void *ptr = stktable_data_ptr(table, ts, STKTABLE_DT_SESS_RATE); + if (!ptr) + return 0; /* parameter not stored */ + test->i = read_freq_ctr_period(&stktable_data_cast(ptr, sess_rate), + table->data_arg[STKTABLE_DT_SESS_RATE].u); + } + return 1; +} + +/* set test->i to the session rate from the session's tracked counters over + * the configured period. + */ +static int +acl_fetch_trk_sess_rate(struct proxy *px, struct session *l4, void *l7, int dir, + struct acl_expr *expr, struct acl_test *test) +{ + if (!l4->tracked_counters) + return 0; + + return acl_fetch_sess_rate(l4->tracked_table, test, l4->tracked_counters); +} + +/* set test->i to the session rate from the session's source address in the + * table pointed to by expr, over the configured period. + */ +static int +acl_fetch_src_sess_rate(struct proxy *px, struct session *l4, void *l7, int dir, + struct acl_expr *expr, struct acl_test *test) +{ + struct stktable_key *key; + + key = tcpv4_src_to_stktable_key(l4); + if (!key) + return 0; /* only TCPv4 is supported right now */ + + if (expr->arg_len) + px = find_stktable(expr->arg.str); + + if (!px) + return 0; /* table not found */ + + return acl_fetch_sess_rate(&px->table, test, stktable_lookup_key(&px->table, key)); +} + /* set test->i to the number of kbytes received from clients matching the stksess entry */ static int acl_fetch_kbytes_in(struct stktable *table, struct acl_test *test, struct stksess *ts) 
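Review bot: acl_fetch_src_sess_rate only keys IPv4 sources — `key = tcpv4_src_to_stktable_key(l4); if (!key) return 0;` — so for any non-IPv4 session the fetch returns 0, the ACL does not match, and a source-based limit built on src_sess_rate is never enforced for those clients. That is the same limitation the existing src_sess_cnt fetch has, but for a keyword meant to detect service abuse it belongs in the keyword documentation rather than only in a code comment, e.g. `src_sess_rate: ... only IPv4 sources are keyed; other sessions never match this ACL`. Whether trk_sess_rate has the same gap depends on how the track-counters rule builds its key, which is not visible here.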
@@ -2368,11 +2478,15 @@ acl_fetch_src_kbytes_out(struct proxy *px, struct session *l4, void *l7, int dir static struct acl_kw_list acl_kws = {{ },{ { "trk_conn_cnt", acl_parse_int, acl_fetch_trk_conn_cnt, acl_match_int, ACL_USE_NOTHING }, { "src_conn_cnt", acl_parse_int, acl_fetch_src_conn_cnt, acl_match_int, ACL_USE_TCP4_VOLATILE }, + { "trk_conn_rate", acl_parse_int, acl_fetch_trk_conn_rate, acl_match_int, ACL_USE_NOTHING }, + { "src_conn_rate", acl_parse_int, acl_fetch_src_conn_rate, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "src_updt_conn_cnt", acl_parse_int, acl_fetch_src_updt_conn_cnt, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "trk_conn_cur", acl_parse_int, acl_fetch_trk_conn_cur, acl_match_int, ACL_USE_NOTHING }, { "src_conn_cur", acl_parse_int, acl_fetch_src_conn_cur, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "trk_sess_cnt", acl_parse_int, acl_fetch_trk_sess_cnt, acl_match_int, ACL_USE_NOTHING }, { "src_sess_cnt", acl_parse_int, acl_fetch_src_sess_cnt, acl_match_int, ACL_USE_TCP4_VOLATILE }, + { "trk_sess_rate", acl_parse_int, acl_fetch_trk_sess_rate, acl_match_int, ACL_USE_NOTHING }, + { "src_sess_rate", acl_parse_int, acl_fetch_src_sess_rate, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "trk_kbytes_in", acl_parse_int, acl_fetch_trk_kbytes_in, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "src_kbytes_in", acl_parse_int, acl_fetch_src_kbytes_in, acl_match_int, ACL_USE_TCP4_VOLATILE }, { "trk_kbytes_out", acl_parse_int, acl_fetch_trk_kbytes_out, acl_match_int, ACL_USE_TCP4_VOLATILE }, diff --git a/src/stick_table.c b/src/stick_table.c index e68cae35ca..1801270f15 100644 --- a/src/stick_table.c +++ b/src/stick_table.c 
@@ -527,8 +527,10 @@ int stktable_compatible_pattern(struct pattern_expr *expr, unsigned long table_t struct stktable_data_type stktable_data_types[STKTABLE_DATA_TYPES] = { [STKTABLE_DT_SERVER_ID] = { .name = "server_id", .data_length = stktable_data_size(server_id) }, [STKTABLE_DT_CONN_CNT] = { .name = "conn_cnt", .data_length = stktable_data_size(conn_cnt) }, + [STKTABLE_DT_CONN_RATE] = { .name = "conn_rate", .data_length = stktable_data_size(conn_rate), .arg_type = ARG_T_DELAY }, [STKTABLE_DT_CONN_CUR] = { .name = "conn_cur", .data_length = stktable_data_size(conn_cur) }, [STKTABLE_DT_SESS_CNT] = { .name = "sess_cnt", .data_length = stktable_data_size(sess_cnt) }, + [STKTABLE_DT_SESS_RATE] = { .name = "sess_rate", .data_length = stktable_data_size(sess_rate), .arg_type = ARG_T_DELAY }, [STKTABLE_DT_BYTES_IN_CNT] = { .name = "bytes_in_cnt", .data_length = stktable_data_size(bytes_in_cnt) }, [STKTABLE_DT_BYTES_OUT_CNT] = { .name = "bytes_out_cnt", .data_length = stktable_data_size(bytes_out_cnt) }, };
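Review bot: The new conn_rate and sess_rate entries declare `.arg_type = ARG_T_DELAY`, but nothing in this hunk shows that the period is mandatory or non-zero; if the store-argument parser accepts the keyword without a period, `data_arg[...].u` stays 0 and update_freq_ctr_period/read_freq_ctr_period are then called with a zero period (their handling of that is not visible here). The commit message promises a 2 ms to 24 days range, so the ARG_T_DELAY parser presumably enforces it; a comment on these two entries such as `/* period in ms, required; range is enforced by the ARG_T_DELAY parser */` would make that dependency explicit, and a config-time error when the argument is missing would close the gap if the parser does not already do so.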