Commit | Line | Data |
---|---|---|
20d81666 PL |
1 | Rules for traffic exceeding QPS limits |
2 | ====================================== | |
3 | ||
4 | Traffic that exceeds a QPS limit, in total or per IP (subnet), can be matched by the :func:`MaxQPSIPRule` rule. For example: | |
5 | ||
6 | .. code-block:: lua | |
7 | ||
832c1792 | 8 | addAction(MaxQPSIPRule(5, 32, 48), DelayAction(100)) |
20d81666 | 9 | |
e87c3dd0 | 10 | This measures traffic per IPv4 address and per /48 of IPv6, and if UDP traffic for such an address (range) exceeds 5 :term:`qps`, it gets delayed by 100ms. |
20d81666 PL |
11 | |
12 | As another example: | |
13 | ||
14 | .. code-block:: lua | |
15 | ||
16 | addAction(MaxQPSIPRule(5), NoRecurseAction()) | |
17 | ||
18 | This strips the Recursion Desired (RD) bit from any traffic per IPv4 or IPv6 /64 that exceeds 5 qps. This means any of those traffic bins is allowed to make a recursor do 'work' for only 5 qps. | |
19 | ||
20 | If this is not enough, try: | |
21 | ||
22 | .. code-block:: lua | |
23 | ||
24 | addAction(MaxQPSIPRule(5), DropAction()) | |
25 | -- or | |
26 | addAction(MaxQPSIPRule(5), TCAction()) | |
27 | ||
28 | This will respectively drop traffic exceeding that 5 QPS limit per IP or range, or return it with TC=1, forcing clients to fall back to TCP. | |
29 | ||
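30 | To turn this per IP or range limit into a global limit, use ``NotRule(MaxQPSRule(5000))`` instead of :func:`MaxQPSIPRule`. The ``NotRule`` is needed because ``MaxQPSRule`` matches traffic that stays within the limit, whereas :func:`MaxQPSIPRule` matches traffic that exceeds it. |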
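
The effect of the mask arguments on which clients share a limit, as an added Python model (not dnsdist code and not part of the original page). The token-bucket limiter with a burst equal to the rate, the names ``bin_key``, ``MaxQPSIPModel`` and ``excess_by_bin``, and the sample traffic are assumptions made for illustration.

```python
import ipaddress


def bin_key(addr, v4_mask=32, v6_mask=64):
    """Return the network whose members share one rate-limit bin with addr."""
    ip = ipaddress.ip_address(addr)
    mask = v4_mask if ip.version == 4 else v6_mask
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


class MaxQPSIPModel:
    """Simplified model of a per-bin limit (assumed token bucket, burst = qps).

    matches() returns True when a query finds its bin empty, i.e. when the
    rule would hand the query to the configured action.
    """

    def __init__(self, qps, v4_mask=32, v6_mask=64):
        self.qps, self.v4_mask, self.v6_mask = qps, v4_mask, v6_mask
        self.bins = {}  # bin key -> (tokens left, time of last query)

    def matches(self, addr, now):
        key = bin_key(addr, self.v4_mask, self.v6_mask)
        tokens, last = self.bins.get(key, (float(self.qps), now))
        # Refill at qps tokens per second, capped at the bucket size.
        tokens = min(float(self.qps), tokens + (now - last) * self.qps)
        exceeded = tokens < 1.0
        if not exceeded:
            tokens -= 1.0
        self.bins[key] = (tokens, now)
        return exceeded


def excess_by_bin(rule, queries):
    """Count, per bin, the queries that exceed the limit."""
    hits = {}
    for now, addr in queries:
        if rule.matches(addr, now):
            key = bin_key(addr, rule.v4_mask, rule.v6_mask)
            hits[key] = hits.get(key, 0) + 1
    return hits


# Constructed sample traffic: (timestamp in seconds, client address).
SAMPLE = ([(0.0, "192.0.2.10")] * 8 + [(0.0, "192.0.2.11")] * 3
          + [(0.0, "2001:db8:1:a::1")] * 4 + [(0.0, "2001:db8:1:b::2")] * 4
          + [(1.0, "192.0.2.10")])

if __name__ == "__main__":
    print("5, 32, 48:", excess_by_bin(MaxQPSIPModel(5, 32, 48), SAMPLE))
    print("5 (v6 /64):", excess_by_bin(MaxQPSIPModel(5), SAMPLE))
```

With a /48 IPv6 mask the two IPv6 clients fall into one bin and together exceed the limit; with the /64 mask each stays under it on its own.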