From: Wouter Wijngaards Date: Mon, 18 Feb 2019 10:40:41 +0000 (+0000) Subject: - Print query name with ip_ratelimit exceeded log lines. X-Git-Tag: release-1.9.1rc1~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3949bf2c82ef47fd0b8fc1d12d5dae2a33a31793;p=thirdparty%2Funbound.git - Print query name with ip_ratelimit exceeded log lines. git-svn-id: file:///svn/unbound/trunk@5115 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/daemon/worker.c b/daemon/worker.c index 886107b94..433b96fd5 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -1171,7 +1171,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* check if this query should be dropped based on source ip rate limiting */ if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now)) { + *worker->env.now, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, diff --git a/doc/Changelog b/doc/Changelog index 5f117afe5..041c10516 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +18 February 2019: Wouter + - Print query name with ip_ratelimit exceeded log lines. + 14 February 2019: Wouter - Fix capsforid canonical sort qsort callback. diff --git a/services/cache/infra.c b/services/cache/infra.c index 07c41928d..fa127e918 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c @@ -41,6 +41,8 @@ #include "config.h" #include "sldns/rrdef.h" #include "sldns/str2wire.h" +#include "sldns/sbuffer.h" +#include "sldns/wire2str.h" #include "services/cache/infra.h" #include "util/storage/slabhash.h" #include "util/storage/lookup3.h" @@ -991,7 +993,7 @@ infra_get_mem(struct infra_cache* infra) } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow) + struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; @@ -1010,11 +1012,24 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, lock_rw_unlock(&entry->lock); if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { - char client_ip[128]; + char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12]; addr_to_str((struct sockaddr_storage *)&repinfo->addr, repinfo->addrlen, client_ip, sizeof(client_ip)); - verbose(VERB_OPS, "ip_ratelimit exceeded %s %d", - client_ip, infra_ip_ratelimit); + qnm[0]=0; + if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE && + LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) { + (void)sldns_wire2str_rrquestion_buf( + sldns_buffer_at(buffer, LDNS_HEADER_SIZE), + sldns_buffer_limit(buffer)-LDNS_HEADER_SIZE, + qnm, sizeof(qnm)); + if(strlen(qnm)>0 && qnm[strlen(qnm)-1]=='\n') + qnm[strlen(qnm)-1] = 0; /*remove newline*/ + verbose(VERB_OPS, "ip_ratelimit exceeded %s %d %s", + client_ip, infra_ip_ratelimit, qnm); + } else { + verbose(VERB_OPS, "ip_ratelimit exceeded %s %d (no query name)", + client_ip, infra_ip_ratelimit); + } } return (max <= infra_ip_ratelimit); } diff --git a/services/cache/infra.h b/services/cache/infra.h index 10db796bf..0f398d8ed 100644 --- a/services/cache/infra.h +++ b/services/cache/infra.h @@ -410,10 +410,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, * @param infra: infra cache * @param repinfo: information about client * @param timenow: what time it is now. + * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow); + struct comm_reply* repinfo, time_t timenow, + struct sldns_buffer* buffer); /** * Get memory used by the infra cache.