git.ipfire.org Git - thirdparty/rspamd.git/commit

author	Vsevolod Stakhov <vsevolod@rspamd.com>
	Wed, 3 Jun 2026 09:40:48 +0000 (10:40 +0100)
committer	Vsevolod Stakhov <vsevolod@rspamd.com>
	Wed, 3 Jun 2026 09:41:08 +0000 (10:41 +0100)
commit	78e947763b5cb221254725740127c3c15754fd09
tree	a81c34e559b072bf7b2c4581753368a3bf7fee7f	tree \| snapshot
parent	4cda7b1b5131f883dac023dbb0397e9316525f9b	commit \| diff

[Fix] ratelimit: Track all buckets in selector rules

When a rule defines several buckets (e.g. "200 / 1h" plus "30 / 1m")
and uses a selector, limit_to_prefixes keyed the prefixes table by the
selector value alone. Every bucket therefore mapped to the same Redis
key and only the last bucket in the array was ever tracked, so the
other limits were silently ignored.

Give each bucket a distinct key by prefixing the selector value with a
per-bucket id (burst + rate), mirroring the burst component that
gen_rate_key already prepends for the non-selector path. The
non-selector path is unchanged, so its existing Redis keys are kept.

Adds a functional regression test (two buckets, burst 2 + burst 20)
that fails before the fix because the restrictive bucket is ignored.

Closes #6059

src/plugins/lua/ratelimit.lua		diff \| blob \| blame \| history
test/functional/cases/500_ratelimit.robot		diff \| blob \| blame \| history
test/functional/configs/ratelimit.conf		diff \| blob \| blame \| history