From: Wouter Wijngaards Date: Mon, 18 Feb 2019 15:53:02 +0000 (+0000) Subject: - Print query name and IP address when domain rate limit exceeded. X-Git-Tag: release-1.9.1rc1~13 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=91e863138bce887e276811754c3617f7aa156227;p=thirdparty%2Funbound.git - Print query name and IP address when domain rate limit exceeded. git-svn-id: file:///svn/unbound/trunk@5117 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 78af63b84..bd2e0a602 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,7 @@ 18 February 2019: Wouter - Print query name with ip_ratelimit exceeded log lines. - Spaces instead of tabs in that log message. + - Print query name and IP address when domain rate limit exceeded. 14 February 2019: Wouter - Fix capsforid canonical sort qsort callback. diff --git a/iterator/iterator.c b/iterator/iterator.c index adc2b2233..c73fb5177 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c @@ -1448,7 +1448,8 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq, * now will also exceed the rate, keeping cache fresh */ (void)infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, iq->dp->namelen, - *qstate->env->now); + *qstate->env->now, &qstate->qinfo, + qstate->reply); /* see if we are passed through with slip factor */ if(qstate->env->cfg->ratelimit_factor != 0 && ub_random_max(qstate->env->rnd, @@ -2487,7 +2488,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, /* if not forwarding, check ratelimits per delegationpoint name */ if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now)) { + iq->dp->namelen, *qstate->env->now, &qstate->qinfo, + qstate->reply)) { lock_basic_lock(&ie->queries_ratelimit_lock); ie->num_queries_ratelimited++; lock_basic_unlock(&ie->queries_ratelimit_lock); 
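Review bot: The address handed to infra_ratelimit_inc() at both call sites, here in processInitRequest and again in the processQueryTargets hunk, is `qstate->reply`, and nothing in these hunks shows that this pointer describes the client that sent the query while these states run. infra.h documents the parameter as the querier's address, and operators will read the `from` field of the log line as the source of the traffic, so a pointer that is NULL or refers to another peer at this point would leave the field empty or misleading. Please confirm what `qstate->reply` holds here and record it at the call, for example `/* qstate->reply: peer address for the ratelimit log line, may be NULL */`. Both functions begin and end outside the hunks.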
diff --git a/services/cache/infra.c b/services/cache/infra.c index 5ced2d5bb..c2484a9f1 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c @@ -909,7 +909,8 @@ int infra_rate_max(void* data, time_t now) } int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow) + size_t namelen, time_t timenow, struct query_info* qinfo, + struct comm_reply* replylist) { int lim, max; struct lruhash_entry* entry; @@ -932,9 +933,19 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, lock_rw_unlock(&entry->lock); if(premax < lim && max >= lim) { - char buf[257]; + char buf[257], qnm[257], ts[12], cs[12], ip[128]; dname_str(name, buf); - verbose(VERB_OPS, "ratelimit exceeded %s %d", buf, lim); + dname_str(qinfo->qname, qnm); + sldns_wire2str_type_buf(qinfo->qtype, ts, sizeof(ts)); + sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs)); + ip[0]=0; + if(replylist) { + addr_to_str((struct sockaddr_storage *)&replylist->addr, + replylist->addrlen, ip, sizeof(ip)); + verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip); + } else { + verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); + } } return (max < lim); } diff --git a/services/cache/infra.h b/services/cache/infra.h index 0f398d8ed..e33f2a6c0 100644 --- a/services/cache/infra.h +++ b/services/cache/infra.h 
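Review bot: The log line inside `if(premax < lim && max >= lim)` is written only for the single query whose increment takes the rate to the limit, so the name and address it prints belong to the query that crossed the threshold and not necessarily to the sender of most of the traffic. Anyone feeding this line into alerting or blocking needs to know that, so I would add a comment above the block such as `/* logged once per crossing; the query shown is the one that reached the limit */`. The computation of `premax` is outside the hunk, so this reading assumes it is the rate before the increment. `qnm` is text chosen by the sender and now goes into the log, which relies on dname_str() emitting only printable characters; that function is not visible here and should be confirmed.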
@@ -366,12 +366,15 @@ long long infra_get_host_rto(struct infra_cache* infra, * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param qinfo: for logging, query name. + * @param replylist: for logging, querier's address (if any). * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit or if in the previous second the ratelimit was exceeded. * Failures like alloc failures are not returned (probably as 1). */ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow); + size_t namelen, time_t timenow, struct query_info* qinfo, + struct comm_reply* replylist); /** * Decrement the query rate counter for a delegation point.
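Review bot: The two new @param lines do not state which arguments may be NULL, although the implementation in infra.c dereferences `qinfo` unconditionally and only tests `replylist`. I would write them as `@param qinfo: query name, type and class printed in the log line; must not be NULL.` and `@param replylist: address printed in the log line, or NULL to omit it.` The log also prints the query type and class, which the current wording ("query name") leaves out.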