all: use ratelimit middleware

Author: Mizzick

internal/cmd/config.go

@@ -119,15 +119,15 @@ type configuration struct {
 	CacheSizeBytes int `yaml:"cache-size"`
 
 	// Ratelimit is the maximum number of requests per second.
-	Ratelimit int `yaml:"ratelimit"`
+	Ratelimit uint `yaml:"ratelimit"`
 
 	// RatelimitSubnetLenIPv4 is a subnet length for IPv4 addresses used for
 	// rate limiting requests.
-	RatelimitSubnetLenIPv4 int `yaml:"ratelimit-subnet-len-ipv4"`
+	RatelimitSubnetLenIPv4 uint `yaml:"ratelimit-subnet-len-ipv4"`
 
 	// RatelimitSubnetLenIPv6 is a subnet length for IPv6 addresses used for
 	// rate limiting requests.
-	RatelimitSubnetLenIPv6 int `yaml:"ratelimit-subnet-len-ipv6"`
+	RatelimitSubnetLenIPv6 uint `yaml:"ratelimit-subnet-len-ipv6"`
 
 	// UDPBufferSize is the size of the UDP buffer in bytes.  A value <= 0 will
 	// use the system default.

internal/cmd/proxy.go

@@ -16,6 +16,7 @@ import (
 	"github.com/AdguardTeam/dnsproxy/internal/handler"
 	proxynetutil "github.com/AdguardTeam/dnsproxy/internal/netutil"
 	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/dnsproxy/ratelimit"
 	"github.com/AdguardTeam/dnsproxy/upstream"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/logutil/slogutil"
@@ -44,6 +45,19 @@ func createProxyConfig(
 		return nil, fmt.Errorf("reading hosts files: %w", err)
 	}
 
+	mwConf := &ratelimit.Config{
+		Logger:         l.With(slogutil.KeyPrefix, "ratelimit"),
+		AllowlistAddrs: []netip.Addr{},
+		Ratelimit:      conf.Ratelimit,
+		SubnetLenIPv4:  conf.RatelimitSubnetLenIPv4,
+		SubnetLenIPv6:  conf.RatelimitSubnetLenIPv6,
+	}
+	if err = mwConf.Validate(); err != nil {
+		return nil, fmt.Errorf("invalid ratelimit configuration: %w", err)
+	}
+
+	mw := ratelimit.NewMiddleware(mwConf)
+
 	reqHdlr := handler.NewDefault(&handler.DefaultConfig{
 		Logger: l.With(slogutil.KeyPrefix, "default_handler"),
 		// TODO(e.burkov):  Use the configured message constructor.
@@ -55,10 +69,6 @@ func createProxyConfig(
 	proxyConf = &proxy.Config{
 		Logger: l.With(slogutil.KeyPrefix, proxy.LogPrefix),
 
-		RatelimitSubnetLenIPv4: conf.RatelimitSubnetLenIPv4,
-		RatelimitSubnetLenIPv6: conf.RatelimitSubnetLenIPv6,
-
-		Ratelimit:                conf.Ratelimit,
 		CacheEnabled:             conf.Cache,
 		CacheSizeBytes:           conf.CacheSizeBytes,
 		CacheMinTTL:              conf.CacheMinTTL,
@@ -81,6 +91,7 @@ func createProxyConfig(
 		MaxGoroutines:          conf.MaxGoRoutines,
 		UsePrivateRDNS:         conf.UsePrivateRDNS,
 		PrivateSubnets:         netutil.SubnetSetFunc(netutil.IsLocallyServed),
+		Middleware:             mw,
 		RequestHandler:         reqHdlr,
 		PendingRequests: &proxy.PendingRequestsConfig{
 			Enabled: conf.PendingRequestsEnabled,

proxy/bogusnxdomain_internal_test.go

@@ -15,14 +15,12 @@ import (
 
 func TestProxy_IsBogusNXDomain(t *testing.T) {
 	prx := mustNew(t, &Config{
-		Logger:                 slogutil.NewDiscardLogger(),
-		UDPListenAddr:          []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
-		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
-		UpstreamConfig:         newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
-		TrustedProxies:         defaultTrustedProxies,
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
-		CacheEnabled:           true,
+		Logger:         slogutil.NewDiscardLogger(),
+		UDPListenAddr:  []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
+		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
+		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
+		TrustedProxies: defaultTrustedProxies,
+		CacheEnabled:   true,
 		BogusNXDomain: []netip.Prefix{
 			netip.MustParsePrefix("4.3.2.1/24"),
 			netip.MustParsePrefix("1.2.3.4/8"),

proxy/cache_internal_test.go

@@ -53,14 +53,12 @@ func newTestCache(tb testing.TB, conf *cacheConfig) (c *cache) {
 
 func TestServeCached(t *testing.T) {
 	dnsProxy := mustNew(t, &Config{
-		Logger:                 slogutil.NewDiscardLogger(),
-		UDPListenAddr:          []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
-		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
-		UpstreamConfig:         newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
-		TrustedProxies:         defaultTrustedProxies,
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
-		CacheEnabled:           true,
+		Logger:         slogutil.NewDiscardLogger(),
+		UDPListenAddr:  []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
+		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
+		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
+		TrustedProxies: defaultTrustedProxies,
+		CacheEnabled:   true,
 	})
 
 	// Start listening.
@@ -318,14 +316,12 @@ func TestCacheExpiration(t *testing.T) {
 	t.Parallel()
 
 	dnsProxy := mustNew(t, &Config{
-		Logger:                 slogutil.NewDiscardLogger(),
-		UDPListenAddr:          []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
-		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
-		UpstreamConfig:         newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
-		TrustedProxies:         defaultTrustedProxies,
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
-		CacheEnabled:           true,
+		Logger:         slogutil.NewDiscardLogger(),
+		UDPListenAddr:  []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
+		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
+		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
+		TrustedProxies: defaultTrustedProxies,
+		CacheEnabled:   true,
 	})
 
 	servicetest.RequireRun(t, dnsProxy, testTimeout)
@@ -381,12 +377,10 @@ func TestCacheExpirationWithTTLOverride(t *testing.T) {
 		UpstreamConfig: &UpstreamConfig{
 			Upstreams: []upstream.Upstream{&u},
 		},
-		TrustedProxies:         defaultTrustedProxies,
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
-		CacheEnabled:           true,
-		CacheMinTTL:            20,
-		CacheMaxTTL:            40,
+		TrustedProxies: defaultTrustedProxies,
+		CacheEnabled:   true,
+		CacheMinTTL:    20,
+		CacheMaxTTL:    40,
 	})
 
 	servicetest.RequireRun(t, dnsProxy, testTimeout)

proxy/config.go

@@ -150,34 +150,9 @@ type Config struct {
 	// default Well-Known Prefix.
 	DNS64Prefs []netip.Prefix
 
-	// RatelimitWhitelist is a list of IP addresses excluded from rate limiting.
-	//
-	// TODO(d.kolyshev): !! Remove.
-	RatelimitWhitelist []netip.Addr
-
 	// EDNSAddr is the ECS IP used in request.
 	EDNSAddr net.IP
 
-	// TODO(s.chzhen):  Extract ratelimit settings to a separate structure.
-
-	// RatelimitSubnetLenIPv4 is a subnet length for IPv4 addresses used for
-	// rate limiting requests.
-	//
-	// TODO(d.kolyshev): !! Remove.
-	RatelimitSubnetLenIPv4 int
-
-	// RatelimitSubnetLenIPv6 is a subnet length for IPv6 addresses used for
-	// rate limiting requests.
-	//
-	// TODO(d.kolyshev): !! Remove.
-	RatelimitSubnetLenIPv6 int
-
-	// Ratelimit is a maximum number of requests per second from a given IP (0
-	// to disable).
-	//
-	// TODO(d.kolyshev): !! Remove.
-	Ratelimit int
-
 	// CacheSizeBytes is the maximum cache size in bytes.
 	CacheSizeBytes int
 
@@ -293,11 +268,6 @@ func (p *Proxy) validateConfig() (err error) {
 		return fmt.Errorf("fallbacks: %w", err)
 	}
 
-	err = p.validateRatelimit()
-	if err != nil {
-		return fmt.Errorf("ratelimit: %w", err)
-	}
-
 	switch p.UpstreamMode {
 	case
 		"",
@@ -319,57 +289,12 @@ func (p *Proxy) validateConfig() (err error) {
 	return nil
 }
 
-// validateRatelimit validates ratelimit configuration and returns an error if
-// it's invalid.
-func (p *Proxy) validateRatelimit() (err error) {
-	if p.Ratelimit == 0 {
-		return nil
-	}
-
-	err = checkInclusion(p.RatelimitSubnetLenIPv4, 0, netutil.IPv4BitLen)
-	if err != nil {
-		return fmt.Errorf("ratelimit subnet len ipv4 is invalid: %w", err)
-	}
-
-	err = checkInclusion(p.RatelimitSubnetLenIPv6, 0, netutil.IPv6BitLen)
-	if err != nil {
-		return fmt.Errorf("ratelimit subnet len ipv6 is invalid: %w", err)
-	}
-
-	return nil
-}
-
-// checkInclusion returns an error if a n is not in the inclusive range between
-// minN and maxN.
-func checkInclusion(n, minN, maxN int) (err error) {
-	switch {
-	case n < minN:
-		return fmt.Errorf("value %d less than min %d", n, minN)
-	case n > maxN:
-		return fmt.Errorf("value %d greater than max %d", n, maxN)
-	}
-
-	return nil
-}
-
 // logConfigInfo logs proxy configuration information.
 func (p *Proxy) logConfigInfo() {
 	if p.CacheMinTTL > 0 || p.CacheMaxTTL > 0 {
 		p.logger.Info("cache ttl override is enabled", "min", p.CacheMinTTL, "max", p.CacheMaxTTL)
 	}
 
-	if p.Ratelimit > 0 {
-		p.logger.Info(
-			"ratelimit is enabled",
-			"rps",
-			p.Ratelimit,
-			"ipv4_subnet_mask_len",
-			p.RatelimitSubnetLenIPv4,
-			"ipv6_subnet_mask_len",
-			p.RatelimitSubnetLenIPv6,
-		)
-	}
-
 	if p.RefuseAny {
 		p.logger.Info("server will refuse requests of type any")
 	}

proxy/dns64_internal_test.go

@@ -50,9 +50,7 @@ func TestDNS64Race(t *testing.T) {
 		PrivateRDNSUpstreamConfig: &UpstreamConfig{
 			Upstreams: []upstream.Upstream{localUps},
 		},
-		TrustedProxies:         defaultTrustedProxies,
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
+		TrustedProxies: defaultTrustedProxies,
 
 		UseDNS64:       true,
 		UsePrivateRDNS: true,
@@ -363,10 +361,8 @@ func TestProxy_Resolve_dns64(t *testing.T) {
 				PrivateRDNSUpstreamConfig: &UpstreamConfig{
 					Upstreams: []upstream.Upstream{localUps},
 				},
-				TrustedProxies:         defaultTrustedProxies,
-				RatelimitSubnetLenIPv4: 24,
-				RatelimitSubnetLenIPv6: 64,
-				CacheEnabled:           true,
+				TrustedProxies: defaultTrustedProxies,
+				CacheEnabled:   true,
 
 				UseDNS64:       true,
 				UsePrivateRDNS: true,

proxy/exchange_internal_test.go

@@ -215,9 +215,7 @@ func TestProxy_Exchange_loadBalance(t *testing.T) {
 			UpstreamConfig: &UpstreamConfig{
 				Upstreams: ups,
 			},
-			TrustedProxies:         defaultTrustedProxies,
-			RatelimitSubnetLenIPv4: 24,
-			RatelimitSubnetLenIPv6: 64,
+			TrustedProxies: defaultTrustedProxies,
 		})
 		p.time = tc.clock
 		p.randSrc = randSrc

proxy/handler_internal_test.go

@@ -40,14 +40,12 @@ func TestFilteringHandler(t *testing.T) {
 
 	// Prepare the proxy server.
 	dnsProxy := mustNew(t, &Config{
-		Logger:                 slogutil.NewDiscardLogger(),
-		TrustedProxies:         defaultTrustedProxies,
-		UpstreamConfig:         newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
-		RequestHandler:         reqHandler,
-		UDPListenAddr:          []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
-		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
+		Logger:         slogutil.NewDiscardLogger(),
+		TrustedProxies: defaultTrustedProxies,
+		UpstreamConfig: newTestUpstreamConfig(t, defaultTimeout, testDefaultUpstreamAddr),
+		RequestHandler: reqHandler,
+		UDPListenAddr:  []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
+		TCPListenAddr:  []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
 	})
 
 	servicetest.RequireRun(t, dnsProxy, testTimeout)

proxy/pending_test.go

@@ -115,9 +115,6 @@ func TestPendingRequests(t *testing.T) {
 		RequestHandler:         reqHandler,
 		UDPListenAddr:          []*net.UDPAddr{net.UDPAddrFromAddrPort(localhostAnyPort)},
 		TCPListenAddr:          []*net.TCPAddr{net.TCPAddrFromAddrPort(localhostAnyPort)},
-		RatelimitSubnetLenIPv4: 24,
-		RatelimitSubnetLenIPv6: 64,
-		Ratelimit:              0,
 		CacheSizeBytes:         testCacheSize,
 		CacheEnabled:           true,
 		EnableEDNSClientSubnet: true,

proxy/proxy.go

@@ -12,7 +12,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
-	"slices"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -287,10 +286,6 @@ func New(c *Config) (p *Proxy, err error) {
 		return nil, fmt.Errorf("setting up DNS64: %w", err)
 	}
 
-	// TODO(e.burkov):  Clone all mutable fields of Config.
-	p.RatelimitWhitelist = slices.Clone(p.RatelimitWhitelist)
-	slices.SortFunc(p.RatelimitWhitelist, netip.Addr.Compare)
-
 	return p, nil
 }