all: ratelimit package

Author: Mizzick

internal/ratelimit/ratelimit.go

@@ -0,0 +1,141 @@
+// Package ratelimit provides a rate limiting functionality.
+package ratelimit
+
+import (
+	"fmt"
+	"log/slog"
+	"net/netip"
+	"slices"
+	"sync"
+	"time"
+
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
+	rate "github.com/beefsack/go-rate"
+	gocache "github.com/patrickmn/go-cache"
+)
+
+// Config is the configuration for the ratelimit handler.
+type Config struct {
+	// Logger is used for logging in the ratelimit handler. It must not be nil.
+	Logger *slog.Logger
+
+	// AllowlistAddrs is a list of IP addresses excluded from rate limiting.
+	AllowlistAddrs []netip.Addr
+
+	// Ratelimit is a maximum number of requests per second from a given IP (0
+	// to disable).
+	Ratelimit int
+
+	// SubnetLenIPv4 is a subnet length for IPv4 addresses used for rate
+	// limiting requests.
+	SubnetLenIPv4 int
+
+	// SubnetLenIPv6 is a subnet length for IPv6 addresses used for rate
+	// limiting requests.
+	SubnetLenIPv6 int
+}
+
+// handler implements [proxy.RequestHandler] with rate limiting functionality.
+type handler struct {
+	buckets *gocache.Cache
+	handler proxy.RequestHandler
+	logger  *slog.Logger
+
+	// mu protects buckets.
+	mu *sync.Mutex
+
+	allowlistAddrs []netip.Addr
+	ratelimit      int
+	subnetLenIPv4  int
+	subnetLenIPv6  int
+}
+
+// NewRatelimitedRequestHandler wraps a RequestHandler with rate limiting
+// functionality.  h must not be nil, c must be valid.
+//
+// TODO(d.kolyshev): !! Use.
+func NewRatelimitedRequestHandler(h proxy.RequestHandler, c *Config) (wrapped proxy.RequestHandler) {
+	if c.Ratelimit <= 0 {
+		return h
+	}
+
+	return &handler{
+		handler:        h,
+		logger:         c.Logger,
+		mu:             &sync.Mutex{},
+		allowlistAddrs: c.AllowlistAddrs,
+		ratelimit:      c.Ratelimit,
+		subnetLenIPv4:  c.SubnetLenIPv4,
+		subnetLenIPv6:  c.SubnetLenIPv6,
+	}
+}
+
+// type check
+var _ proxy.RequestHandler = (*handler)(nil)
+
+// Handle implements the [proxy.RequestHandler] interface for *handler.  If the
+// client is rate limited, it returns [proxy.ErrDrop] to signal that no response
+// should be sent.
+func (h *handler) Handle(p *proxy.Proxy, dctx *proxy.DNSContext) (err error) {
+	if dctx.Proto == proxy.ProtoUDP && h.isRatelimited(dctx.Addr.Addr()) {
+		h.logger.Debug("ratelimited based on ip only", "addr", dctx.Addr)
+
+		return proxy.ErrDrop
+	}
+
+	return h.handler.Handle(p, dctx)
+}
+
+// limiterForIP returns a rate limiter for the specified IP address.
+func (h *handler) limiterForIP(ip string) interface{} {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	if h.buckets == nil {
+		h.buckets = gocache.New(time.Hour, time.Hour)
+	}
+
+	value, found := h.buckets.Get(ip)
+	if !found {
+		value = rate.New(h.ratelimit, time.Second)
+		h.buckets.Set(ip, value, time.Hour)
+	}
+
+	return value
+}
+
+// isRatelimited checks if the specified address should be rate limited.
+func (h *handler) isRatelimited(addr netip.Addr) (ok bool) {
+	addr = addr.Unmap()
+	_, ok = slices.BinarySearchFunc(h.allowlistAddrs, addr, netip.Addr.Compare)
+	if ok {
+		return false
+	}
+
+	var pref netip.Prefix
+	if addr.Is4() {
+		pref = netip.PrefixFrom(addr, h.subnetLenIPv4)
+	} else {
+		pref = netip.PrefixFrom(addr, h.subnetLenIPv6)
+	}
+	pref = pref.Masked()
+
+	// TODO(d.kolyshev):  Improve caching.  Decrease allocations.
+	ipStr := pref.Addr().String()
+	value := h.limiterForIP(ipStr)
+	rl, ok := value.(*rate.RateLimiter)
+	if !ok {
+		h.logger.Error(
+			"invalid value found in ratelimit cache",
+			slogutil.KeyError,
+			fmt.Errorf("bad type %T", value),
+		)
+
+		return false
+	}
+
+	allow, _ := rl.Try()
+
+	return !allow
+}

internal/ratelimit/ratelimit_test.go

@@ -0,0 +1,163 @@
+package ratelimit_test
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/AdguardTeam/dnsproxy/internal/ratelimit"
+	"github.com/AdguardTeam/dnsproxy/proxy"
+	"github.com/AdguardTeam/golibs/logutil/slogutil"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// Subnet lengths used in tests.
+const (
+	subnetLenIPv4 = 24
+	subnetLenIPv6 = 64
+)
+
+// testLogger is a test logger used in tests.
+var testLogger = slogutil.NewDiscardLogger()
+
+func TestHandler_Handle(t *testing.T) {
+	t.Parallel()
+
+	testAddr := netip.MustParseAddrPort("192.0.2.0:53")
+
+	testCases := []struct {
+		config *ratelimit.Config
+		dctx   *proxy.DNSContext
+		want   error
+		name   string
+	}{{
+		name: "disabled_ratelimit",
+		config: &ratelimit.Config{
+			Logger:        testLogger,
+			Ratelimit:     0,
+			SubnetLenIPv4: subnetLenIPv4,
+			SubnetLenIPv6: subnetLenIPv6,
+		},
+		dctx: &proxy.DNSContext{
+			Addr:  testAddr,
+			Proto: proxy.ProtoUDP,
+		},
+		want: nil,
+	}, {
+		name: "tcp_not_ratelimited",
+		config: &ratelimit.Config{
+			Logger:        testLogger,
+			Ratelimit:     1,
+			SubnetLenIPv4: subnetLenIPv4,
+			SubnetLenIPv6: subnetLenIPv6,
+		},
+		dctx: &proxy.DNSContext{
+			Addr:  testAddr,
+			Proto: proxy.ProtoTCP,
+		},
+		want: nil,
+	}, {
+		name: "ratelimited",
+		config: &ratelimit.Config{
+			Logger:        testLogger,
+			Ratelimit:     1,
+			SubnetLenIPv4: subnetLenIPv4,
+			SubnetLenIPv6: subnetLenIPv6,
+		},
+		dctx: &proxy.DNSContext{
+			Addr:  testAddr,
+			Proto: proxy.ProtoUDP,
+		},
+		want: proxy.ErrDrop,
+	}}
+
+	mock := &TestRequestHandler{
+		OnHandle: func(p *proxy.Proxy, dctx *proxy.DNSContext) (err error) {
+			return nil
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			wrapped := ratelimit.NewRatelimitedRequestHandler(mock, tc.config)
+
+			err := wrapped.Handle(nil, tc.dctx)
+			require.NoError(t, err, "first request should not be ratelimited")
+
+			err = wrapped.Handle(nil, tc.dctx)
+			assert.Equal(t, tc.want, err)
+		})
+	}
+}
+
+func TestHandler_Handle_allowlist(t *testing.T) {
+	t.Parallel()
+
+	var (
+		addrAllow     = netip.MustParseAddr("192.0.2.0")
+		addrPortAllow = netip.AddrPortFrom(addrAllow, 53)
+		addrPortDrop  = netip.MustParseAddrPort("192.0.2.1:53")
+	)
+
+	conf := &ratelimit.Config{
+		Logger:        testLogger,
+		Ratelimit:     1,
+		SubnetLenIPv4: subnetLenIPv4,
+		SubnetLenIPv6: subnetLenIPv6,
+		AllowlistAddrs: []netip.Addr{
+			addrAllow,
+		},
+	}
+
+	mock := &TestRequestHandler{
+		OnHandle: func(p *proxy.Proxy, dctx *proxy.DNSContext) (err error) {
+			return nil
+		},
+	}
+	handler := ratelimit.NewRatelimitedRequestHandler(mock, conf)
+
+	t.Run("block", func(t *testing.T) {
+		dctx := &proxy.DNSContext{
+			Addr:  addrPortDrop,
+			Proto: proxy.ProtoUDP,
+		}
+
+		err := handler.Handle(nil, dctx)
+		require.NoError(t, err, "first request should not be ratelimited")
+
+		err = handler.Handle(nil, dctx)
+		require.Error(t, err, "second request should be ratelimited")
+		assert.Equal(t, proxy.ErrDrop, err)
+	})
+
+	t.Run("allow", func(t *testing.T) {
+		dctx := &proxy.DNSContext{
+			Addr:  addrPortAllow,
+			Proto: proxy.ProtoUDP,
+		}
+
+		err := handler.Handle(nil, dctx)
+		require.NoError(t, err, "first request should not be ratelimited")
+
+		err = handler.Handle(nil, dctx)
+		require.NoError(t, err, "second request should not be ratelimited due to whitelist")
+	})
+}
+
+// TestRequestHandler is a mock request handler implementation to simplify
+// testing.
+//
+// TODO(d.kolyshev):  Move to internal/dnsproxytest.
+type TestRequestHandler struct {
+	OnHandle func(p *proxy.Proxy, dctx *proxy.DNSContext) (err error)
+}
+
+// type check
+var _ proxy.RequestHandler = (*TestRequestHandler)(nil)
+
+// Handle implements the [RequestHandler] interface for *TestRequestHandler.
+func (h *TestRequestHandler) Handle(p *proxy.Proxy, dctx *proxy.DNSContext) (err error) {
+	return h.OnHandle(p, dctx)
+}

proxy/config.go

@@ -148,6 +148,8 @@ type Config struct {
 	DNS64Prefs []netip.Prefix
 
 	// RatelimitWhitelist is a list of IP addresses excluded from rate limiting.
+	//
+	// TODO(d.kolyshev): !! Remove.
 	RatelimitWhitelist []netip.Addr
 
 	// EDNSAddr is the ECS IP used in request.
@@ -157,14 +159,20 @@ type Config struct {
 
 	// RatelimitSubnetLenIPv4 is a subnet length for IPv4 addresses used for
 	// rate limiting requests.
+	//
+	// TODO(d.kolyshev): !! Remove.
 	RatelimitSubnetLenIPv4 int
 
 	// RatelimitSubnetLenIPv6 is a subnet length for IPv6 addresses used for
 	// rate limiting requests.
+	//
+	// TODO(d.kolyshev): !! Remove.
 	RatelimitSubnetLenIPv6 int
 
 	// Ratelimit is a maximum number of requests per second from a given IP (0
 	// to disable).
+	//
+	// TODO(d.kolyshev): !! Remove.
 	Ratelimit int
 
 	// CacheSizeBytes is the maximum cache size in bytes.

proxy/proxy.go

@@ -30,7 +30,6 @@ import (
 	"github.com/AdguardTeam/golibs/validate"
 	"github.com/ameshkov/dnscrypt/v2"
 	"github.com/miekg/dns"
-	gocache "github.com/patrickmn/go-cache"
 	"github.com/quic-go/quic-go"
 	"github.com/quic-go/quic-go/http3"
 )
@@ -59,6 +58,10 @@ const (
 	ProtoDNSCrypt Proto = "dnscrypt"
 )
 
+// ErrDrop is returned by a RequestHandler to signal that the proxy should not
+// send any response to the client.
+var ErrDrop = errors.Error("drop response")
+
 // Proxy combines the proxy server state and configuration.
 //
 // TODO(a.garipov): Consider extracting conf blocks for better fieldalignment.
@@ -102,9 +105,6 @@ type Proxy struct {
 	// logger is used for logging in the proxy service.  It is never nil.
 	logger *slog.Logger
 
-	// ratelimitBuckets is a storage for ratelimiters for individual IPs.
-	ratelimitBuckets *gocache.Cache
-
 	// fastestAddr finds the fastest IP address for the resolved domain.
 	fastestAddr *fastip.FastestAddr
 
@@ -203,9 +203,6 @@ type Proxy struct {
 	// Also make it a pointer.
 	sync.RWMutex
 
-	// ratelimitLock protects ratelimitBuckets.
-	ratelimitLock sync.Mutex
-
 	// rttLock protects upstreamRTTStats.
 	//
 	// TODO(e.burkov):  Make it a pointer.
@@ -234,7 +231,6 @@ func New(c *Config) (p *Proxy, err error) {
 		requestHandler:   cmp.Or[RequestHandler](c.RequestHandler, DefaultRequestHandler{}),
 		upstreamRTTStats: map[string]upstreamRTTStats{},
 		rttLock:          sync.Mutex{},
-		ratelimitLock:    sync.Mutex{},
 		RWMutex:          sync.RWMutex{},
 		// 2 bytes may be used to store packet length (see TCP/TLS).
 		bytesPool:  syncutil.NewSlicePool[byte](2 + dns.MaxMsgSize),