ip-ratelimit not changed in ip_ratelimit_list after reload

Hi,

After my application changes the Unbound configuration, I call a reload to put things in order.

After calling reload, I figured out that ip-ratelimit was not changed in ip_ratelimit_list:

ip-ratelimit: 350
ip-ratelimit-size: 4m
ip-ratelimit-slabs: 2
ip-ratelimit-factor: 10

$ unbound-control get_option ip-ratelimit
350

$ unbound-control ip_ratelimit_list +a
192.168.0.1 5 limit 350

Change ip-ratelimit to 400 in the Unbound conf file and call reload:

$ unbound-control reload

$ unbound-control get_option ip-ratelimit
400

Even new users get the old ip-ratelimit:

$ unbound-control ip_ratelimit_list +a
192.168.0.1 7 limit 350

$ unbound-control ip_ratelimit_list +a
192.168.0.1 7 limit 350
192.168.0.2 15 limit 350

Then I call set_option, and everything is fine:

$ unbound-control set_option ip-ratelimit: 400
ok

$ unbound-control get_option ip-ratelimit
400

$ unbound-control ip_ratelimit_list +a
192.168.0.1 8 limit 400
192.168.0.2 9 limit 400

Is this supposed to work that way? Is there a problem/bug? Or am I missing something?
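A check for the symptom described in this post, as an added example that is not part of the original thread or of Unbound itself: it compares the limit reported by `ip_ratelimit_list +a` with the value from `get_option ip-ratelimit`. The function names `stale_limits` and `check_after_reload` are hypothetical, and the parser assumes the `<ip> <rate> limit <limit>` output form quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): flag ip_ratelimit_list entries whose
# enforced limit differs from the configured ip-ratelimit value.

# stale_limits CONFIGURED
# Reads `unbound-control ip_ratelimit_list +a` output on stdin, in the
# "<ip> <current rate> limit <limit>" form shown in the post. Prints one
# line per mismatching client and returns 1 if any mismatch was found.
stale_limits() {
    awk -v want="$1" '
        $3 == "limit" && $4 != want {
            printf "%s enforced=%s configured=%s\n", $1, $4, want
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# check_after_reload: live check against a running server (needs
# unbound-control access). Uses only the two commands shown in the post.
# Returns 0 if all limits match, 1 on a stale limit, 2 if get_option fails.
check_after_reload() {
    want=$(unbound-control get_option ip-ratelimit) || return 2
    unbound-control ip_ratelimit_list +a | stale_limits "$want"
}

# Constructed sample inputs, taken from the output quoted in the post.
SAMPLE_AFTER_RELOAD='192.168.0.1 7 limit 350
192.168.0.2 15 limit 350'
SAMPLE_AFTER_SET_OPTION='192.168.0.1 8 limit 400
192.168.0.2 9 limit 400'
```

Running `check_after_reload` right after `unbound-control reload` returns 1 and lists the affected clients when the enforced limit still lags behind the configured one.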

Hi Luiz,

Thanks a lot…

I have read the code, there is a ‘global’ to store the ip-ratelimit.

Is there a plan to implement ip-ratelimit filtered by IP/network?
Something like:
ip-ratelimit: 192.168.1.0/24 200
ip-ratelimit: 192.168.2.0/24 300
ip-ratelimit: 0.0.0.0/0 50

That way, we can have clients with different limitations.

Rate per subnet seems like a good idea. This could be used in an anycast global cluster of Unbound servers. They may prefer queries that are near over distant. They may prefer known consumer grade ISP blocks over the rest falling outside the intended audience. It is not desired to block (firewall) these IP blocks, but rather bias rate preference.

It could be used so that Unbound could serve a public-private split network such as a restaurant. Less rate for the guest network. If multiple restaurants are owned, then Unbound at each site can forward to Unbound at another site (store1234.example.net, via VPN or TLS). These forwards would be protected at a different rate yet. Each site can use a DHCP script to insert business network hosts into Unbound (or NSD).

Side note, views can be used to hide the business local domain from guest network. Views can also be used to block ads, malicious and NSFW sites on the business network but permit guest uncensored public access.