- Print query name with ip_ratelimit exceeded log lines.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 18 Feb 2019 10:40:41 +0000 (10:40 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 18 Feb 2019 10:40:41 +0000 (10:40 +0000)
git-svn-id: file:///svn/unbound/trunk@5115 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/worker.c
doc/Changelog
services/cache/infra.c
services/cache/infra.h

index 886107b9497764f1fab1f65756d2a6051b6ea1ce..433b96fd527a0662caaf51a2da150036bfbf5641 100644 (file)
@@ -1171,7 +1171,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 
        /* check if this query should be dropped based on source ip rate limiting */
        if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
-                       *worker->env.now)) {
+                       *worker->env.now, c->buffer)) {
                /* See if we are passed through with slip factor */
                if(worker->env.cfg->ip_ratelimit_factor != 0 &&
                        ub_random_max(worker->env.rnd,
index 5f117afe54eb96be17bbcd9fbed2c631beb72b1e..041c10516aabbb8b0435f7a858b424872fb00f50 100644 (file)
@@ -1,3 +1,6 @@
+18 February 2019: Wouter
+       - Print query name with ip_ratelimit exceeded log lines.
+
 14 February 2019: Wouter
        - Fix capsforid canonical sort qsort callback.
 
index 07c41928d67e50ac42254843ae20e8481b7839f3..fa127e918d4e5d19dc39863879fc267025c888c3 100644 (file)
@@ -41,6 +41,8 @@
 #include "config.h"
 #include "sldns/rrdef.h"
 #include "sldns/str2wire.h"
+#include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
 #include "services/cache/infra.h"
 #include "util/storage/slabhash.h"
 #include "util/storage/lookup3.h"
@@ -991,7 +993,7 @@ infra_get_mem(struct infra_cache* infra)
 }
 
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-  struct comm_reply* repinfo, time_t timenow)
+  struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
 {
        int max;
        struct lruhash_entry* entry;
@@ -1010,11 +1012,24 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
                lock_rw_unlock(&entry->lock);
 
                if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
-                       char client_ip[128];
+                       char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
                        addr_to_str((struct sockaddr_storage *)&repinfo->addr,
                                repinfo->addrlen, client_ip, sizeof(client_ip));
-                       verbose(VERB_OPS, "ip_ratelimit exceeded %s %d",
-                               client_ip, infra_ip_ratelimit);
+                       qnm[0]=0;
+                       if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
+                               LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
+                               (void)sldns_wire2str_rrquestion_buf(
+                                       sldns_buffer_at(buffer, LDNS_HEADER_SIZE),
+                                       sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE,
+                                       qnm, sizeof(qnm));
+                               if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n')
+                                       qnm[strlen(qnm)-1] = 0; /*remove newline*/
+                               verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s",
+                                       client_ip, infra_ip_ratelimit, qnm);
+                       } else {
+                               verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)",
+                                       client_ip, infra_ip_ratelimit);
+                       }
                }
                return (max <= infra_ip_ratelimit);
        }
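Review bot: `qnm` is sized from `LDNS_MAX_DOMAINLEN`, which bounds the wire-format name, but `sldns_wire2str_rrquestion_buf` writes presentation format, where (as far as I know from sldns) a non-printable byte is escaped as `\DDD` and can take up to four characters. A client that sends a long name made of such bytes would get its log line cut short, dropping the class and type fields, and the `(void)` cast on the return value hides that from the operator. The call is passed `sizeof(qnm)`, so this looks like a logging-fidelity problem rather than an overflow. Consider `char client_ip[128], qnm[LDNS_MAX_DOMAINLEN*4+1+12+12];`, or compare the returned length with `sizeof(qnm)` and mark the line as truncated. The body of infra_ip_ratelimit_inc starts and ends outside this hunk.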
index 10db796bfcddd5a10d96856dbf029b56d241de4b..0f398d8ede3f13f033839c4924884d2cb39c6f1c 100644 (file)
@@ -410,10 +410,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
  *  @param infra: infra cache
  *  @param repinfo: information about client
  *  @param timenow: what time it is now.
+ *  @param buffer: with query for logging.
  *  @return 1 if it could be incremented. 0 if the increment overshot the
  *  ratelimit and the query should be dropped. */
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-       struct comm_reply* repinfo, time_t timenow);
+       struct comm_reply* repinfo, time_t timenow,
+       struct sldns_buffer* buffer);
 
 /**
  * Get memory used by the infra cache.
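Review bot: The new `@param buffer` line does not state the pointer contract, while the implementation in services/cache/infra.c calls `sldns_buffer_limit(buffer)` with no NULL check when the limit is first crossed. I would spell that out so a future caller does not pass NULL for "no query available", for example ` *  @param buffer: received query packet, must not be NULL; read only to print the query name in the ratelimit log line.` The "read only" part is taken from the lines visible in the infra.c hunk and should be confirmed against the rest of the function.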