clientlog: add NTS-KE service
Instead of sharing the NTP rate limiting with NTS-KE, specify a new service for NTS-KE and use it in the NTS-KE server. Add ntsratelimit directive for configuration.
parent
3a2d33d5a3
commit
6366ebc17e
7 changed files with 38 additions and 3 deletions
|
@ -44,7 +44,7 @@
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "logging.h"
|
#include "logging.h"
|
||||||
|
|
||||||
#define MAX_SERVICES 2
|
#define MAX_SERVICES 3
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
IPAddr ip_addr;
|
IPAddr ip_addr;
|
||||||
|
@ -329,6 +329,10 @@ CLG_Initialise(void)
|
||||||
if (!CNF_GetNTPRateLimit(&interval, &burst, &lrate))
|
if (!CNF_GetNTPRateLimit(&interval, &burst, &lrate))
|
||||||
continue;
|
continue;
|
||||||
break;
|
break;
|
||||||
|
case CLG_NTSKE:
|
||||||
|
if (!CNF_GetNtsRateLimit(&interval, &burst, &lrate))
|
||||||
|
continue;
|
||||||
|
break;
|
||||||
case CLG_CMDMON:
|
case CLG_CMDMON:
|
||||||
if (!CNF_GetCommandRateLimit(&interval, &burst, &lrate))
|
if (!CNF_GetCommandRateLimit(&interval, &burst, &lrate))
|
||||||
continue;
|
continue;
|
||||||
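Review bot: `#define MAX_SERVICES 3` in the first hunk is a second, hand-maintained copy of the number of CLG_Service values in clientlog.h, and nothing checks that the two agree after this commit bumps both by hand. A terminating `CLG_NUM_SERVICES` member in the enum used here instead of the literal (or a `_Static_assert` comparing the two, if C11 is acceptable in this tree) would turn a future mismatch into a compile error rather than an out-of-range index into whatever per-service arrays are presumably sized by MAX_SERVICES. At minimum the define should carry `/* one entry per CLG_Service value in clientlog.h; keep in sync */`. The `case CLG_NTSKE:` arm in the second hunk follows the existing pattern; the switch and CLG_Initialise itself begin and end outside the hunk.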
|
|
|
@ -33,6 +33,7 @@
|
||||||
|
|
||||||
typedef enum {
|
typedef enum {
|
||||||
CLG_NTP = 0,
|
CLG_NTP = 0,
|
||||||
|
CLG_NTSKE,
|
||||||
CLG_CMDMON,
|
CLG_CMDMON,
|
||||||
} CLG_Service;
|
} CLG_Service;
|
||||||
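Review bot: Inserting `CLG_NTSKE,` between CLG_NTP and CLG_CMDMON renumbers CLG_CMDMON from 1 to 2, which is harmless only if CLG_Service values are used purely as in-process indices and are never persisted or sent on the wire; this hunk does not show either way. If there is any doubt, appending the new member after CLG_CMDMON keeps existing values stable at no cost. In either case a short comment on the enum, `/* also bump MAX_SERVICES in clientlog.c when adding a value */`, would document the coupling this commit relies on.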
|
|
||||||
|
|
17
conf.c
17
conf.c
|
@ -204,6 +204,10 @@ static int ntp_ratelimit_enabled = 0;
|
||||||
static int ntp_ratelimit_interval = 3;
|
static int ntp_ratelimit_interval = 3;
|
||||||
static int ntp_ratelimit_burst = 8;
|
static int ntp_ratelimit_burst = 8;
|
||||||
static int ntp_ratelimit_leak = 2;
|
static int ntp_ratelimit_leak = 2;
|
||||||
|
static int nts_ratelimit_enabled = 0;
|
||||||
|
static int nts_ratelimit_interval = 6;
|
||||||
|
static int nts_ratelimit_burst = 8;
|
||||||
|
static int nts_ratelimit_leak = 2;
|
||||||
static int cmd_ratelimit_enabled = 0;
|
static int cmd_ratelimit_enabled = 0;
|
||||||
static int cmd_ratelimit_interval = -4;
|
static int cmd_ratelimit_interval = -4;
|
||||||
static int cmd_ratelimit_burst = 8;
|
static int cmd_ratelimit_burst = 8;
|
||||||
|
@ -577,6 +581,9 @@ CNF_ParseLine(const char *filename, int number, char *line)
|
||||||
no_system_cert = parse_null(p);
|
no_system_cert = parse_null(p);
|
||||||
} else if (!strcasecmp(command, "ntpsigndsocket")) {
|
} else if (!strcasecmp(command, "ntpsigndsocket")) {
|
||||||
parse_string(p, &ntp_signd_socket);
|
parse_string(p, &ntp_signd_socket);
|
||||||
|
} else if (!strcasecmp(command, "ntsratelimit")) {
|
||||||
|
parse_ratelimit(p, &nts_ratelimit_enabled, &nts_ratelimit_interval,
|
||||||
|
&nts_ratelimit_burst, &nts_ratelimit_leak);
|
||||||
} else if (!strcasecmp(command, "ntstrustedcerts")) {
|
} else if (!strcasecmp(command, "ntstrustedcerts")) {
|
||||||
parse_string(p, &nts_trusted_cert_file);
|
parse_string(p, &nts_trusted_cert_file);
|
||||||
} else if (!strcasecmp(command, "ntscachedir") ||
|
} else if (!strcasecmp(command, "ntscachedir") ||
|
||||||
|
@ -2093,6 +2100,16 @@ int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak)
|
||||||
|
|
||||||
/* ================================================== */
|
/* ================================================== */
|
||||||
|
|
||||||
|
int CNF_GetNtsRateLimit(int *interval, int *burst, int *leak)
|
||||||
|
{
|
||||||
|
*interval = nts_ratelimit_interval;
|
||||||
|
*burst = nts_ratelimit_burst;
|
||||||
|
*leak = nts_ratelimit_leak;
|
||||||
|
return nts_ratelimit_enabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ================================================== */
|
||||||
|
|
||||||
int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
|
int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak)
|
||||||
{
|
{
|
||||||
*interval = cmd_ratelimit_interval;
|
*interval = cmd_ratelimit_interval;
|
||||||
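Review bot: The new defaults in the first hunk, `static int nts_ratelimit_interval = 6;` and friends, are bare numbers, and a reader has to go to the documentation hunk to learn that 6 corresponds to one connection per 64 seconds per address and that `nts_ratelimit_enabled = 0` leaves NTS-KE unthrottled until an operator adds the `ntsratelimit` directive. A comment on the group, e.g. `/* NTS-KE is not rate limited unless ntsratelimit is configured; interval 6 is one connection per 64 s per address */`, would make both facts visible at the definition. `CNF_GetNtsRateLimit()` in the third hunk mirrors CNF_GetCommandRateLimit exactly and the `ntsratelimit` parse branch in the second reuses parse_ratelimit, so those parts look fine.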
|
|
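--- a/conf.h
+++ b/conf.h
@@ -103,6 +103,7 @@ extern int CNF_GetSchedPriority(void);
 extern int CNF_GetLockMemory(void);
 
 extern int CNF_GetNTPRateLimit(int *interval, int *burst, int *leak);
+extern int CNF_GetNtsRateLimit(int *interval, int *burst, int *leak);
 extern int CNF_GetCommandRateLimit(int *interval, int *burst, int *leak);
 extern void CNF_GetSmooth(double *max_freq, double *max_wander, int *leap_only);
 extern void CNF_GetTempComp(char **file, double *interval, char **point_file, double *T0, double *k0, double *k1, double *k2);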
|
@ -1600,6 +1600,17 @@ This would reduce the response rate for IP addresses sending packets on average
|
||||||
more than once per 2 seconds, or sending packets in bursts of more than 16
|
more than once per 2 seconds, or sending packets in bursts of more than 16
|
||||||
packets, by up to 75% (with default *leak* of 2).
|
packets, by up to 75% (with default *leak* of 2).
|
||||||
|
|
||||||
|
[[ntsratelimit]]*ntsratelimit* [_option_]...::
|
||||||
|
This directive enables rate limiting of NTS-KE requests. It is similar to the
|
||||||
|
<<ratelimit,*ratelimit*>> directive, except the default interval is 6
|
||||||
|
(1 connection per 64 seconds).
|
||||||
|
+
|
||||||
|
An example of the use of the directive is:
|
||||||
|
+
|
||||||
|
----
|
||||||
|
ntsratelimit interval 3 burst 1
|
||||||
|
----
|
||||||
|
|
||||||
[[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]::
|
[[smoothtime]]*smoothtime* _max-freq_ _max-wander_ [*leaponly*]::
|
||||||
The *smoothtime* directive can be used to enable smoothing of the time that
|
The *smoothtime* directive can be used to enable smoothing of the time that
|
||||||
*chronyd* serves to its clients to make it easier for them to track it and keep
|
*chronyd* serves to its clients to make it easier for them to track it and keep
|
||||||
|
|
|
@ -209,8 +209,8 @@ accept_connection(int server_fd, int event, void *arg)
|
||||||
}
|
}
|
||||||
|
|
||||||
SCH_GetLastEventTime(&now, NULL, NULL);
|
SCH_GetLastEventTime(&now, NULL, NULL);
|
||||||
log_index = CLG_LogServiceAccess(CLG_NTP, &addr.ip_addr, &now);
|
log_index = CLG_LogServiceAccess(CLG_NTSKE, &addr.ip_addr, &now);
|
||||||
if (log_index >= 0 && CLG_LimitServiceRate(CLG_NTP, log_index)) {
|
if (log_index >= 0 && CLG_LimitServiceRate(CLG_NTSKE, log_index)) {
|
||||||
DEBUG_LOG("Rejected connection from %s (%s)",
|
DEBUG_LOG("Rejected connection from %s (%s)",
|
||||||
UTI_IPSockAddrToString(&addr), "rate limit");
|
UTI_IPSockAddrToString(&addr), "rate limit");
|
||||||
SCK_CloseSocket(sock_fd);
|
SCK_CloseSocket(sock_fd);
|
||||||
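Review bot: The switch to `CLG_LogServiceAccess(CLG_NTSKE, ...)` and `CLG_LimitServiceRate(CLG_NTSKE, ...)` gives NTS-KE its own limiter, but nothing at the call site says why it no longer shares the NTP one, so a future reader could "simplify" it back. A one-line comment such as `/* NTS-KE is limited separately (ntsratelimit): each accepted connection costs a TLS handshake, far more than an NTP response */` would record the intent. It is also worth stating there that the check runs after accept() has returned, so the TCP handshake is already complete when a connection is rejected; that is inherent to the design and acceptable, but should be visible. accept_connection begins and ends outside the hunk.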
|
|
|
@ -36,6 +36,7 @@ test_unit(void)
|
||||||
"clientloglimit 10000",
|
"clientloglimit 10000",
|
||||||
"ratelimit interval 3 burst 4 leak 3",
|
"ratelimit interval 3 burst 4 leak 3",
|
||||||
"cmdratelimit interval 3 burst 4 leak 3",
|
"cmdratelimit interval 3 burst 4 leak 3",
|
||||||
|
"ntsratelimit interval 6 burst 8 leak 3",
|
||||||
};
|
};
|
||||||
|
|
||||||
CNF_Initialise(0, 0);
|
CNF_Initialise(0, 0);
|
||||||
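Review bot: The added config line `"ntsratelimit interval 6 burst 8 leak 3",` uses the same interval and burst as the new defaults in conf.c, so a failure to parse those two options would not be noticed by anything that compares the resulting CLG_NTSKE limits against the configured values; only `leak 3` differs from the default. Unless later assertions depend on these exact numbers, non-default values in the style of the neighbouring lines, `"ntsratelimit interval 3 burst 4 leak 3",`, would make the test sensitive to the parsing path. The hunk also does not show that the test exercises CLG_NTSKE when it drives the limiter; if the existing checks cover only CLG_NTP and CLG_CMDMON, the new service remains untested. test_unit continues outside the hunk.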
|
|