Also moved the part about bypassing ip-ratelimit to the ip-ratelimit description as it will be bypassed with a valid DNS-Cookie regardless of the allow_cookie acl.
Okay, glad my suggested part of the text made it through, mostly :-). I feel it is okay to have a reference to the cookie ratelimit, or its difference to ordinary ratelimit at the allow_cookie description, but also the new location for the text is more genuine since other access control settings can have cookie traffic that uses the cookie ratelimit. So I am happy with the current solution.
Wait a minute, looking at the code I'm not convinced ip-ratelimit will be bypassed with a valid cookie regardless of the allow_cookie acl. @gthess perhaps pre_edns_ip_ratelimit should be set if worker->env.cfg->answer_cookie is set instead of based on allow_cookie acl, WDYT?
That's true. Currently only if you demand clients with cookies (i.e., allow_cookie in acl) you can bypass the ratelimit.
I am not sure what is the correct behavior.
You would expect that by presenting a cookie the client would be allowed through ratelimit even if demand for it is not necessary? But that makes sense only in case you do ip-ratelimit as a countermeasure for spoofing. I mean maybe you just want to ratelimit access for certain IPs. If they start doing cookies they are through.
I mean maybe you just want to ratelimit access for certain IPs. If they start doing cookies they are through.
But currently ip-ratelimit is global anyway. There is no rate-limiting for certain IPs, right?
If you want to do it regardless of cookies, you can also set the ip-ratelimit-cookie setting. This would conform to the docs.
- Merge #1010: Mention REFUSED has the TC bit set with unmatched
allow_cookie acl in the manpage. It also fixes the code to match the
documentation about clients with a valid cookie that bypass the
ratelimit regardless of the allow_cookie acl.
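
The behaviour this changelog entry describes, as an unbound.conf sketch added here for illustration (not part of the pull request or of Unbound's documentation). The option names are Unbound's own; the netblocks and rate values are constructed.

```conf
# Constructed example: netblocks and rates are illustrative values.
server:
    # DNS Cookies must be enabled for any of the cookie handling below.
    answer-cookie: yes

    # Per-IP limit (queries per second) for queries without a valid cookie.
    ip-ratelimit: 100

    # Separate per-IP limit for queries that carry a valid DNS Cookie.
    # Left at 0 (disabled), a valid cookie bypasses ip-ratelimit and is
    # not rate limited per IP at all. Set it if cookie clients should
    # still be capped.
    ip-ratelimit-cookie: 1000

    # Cookie required: a UDP query that does not match the allow_cookie
    # acl gets REFUSED with the TC bit set.
    access-control: 192.0.2.0/24 allow_cookie

    # Cookie optional: after this merge a client here that presents a
    # valid cookie also bypasses ip-ratelimit, even though the acl is
    # plain allow. Such clients are held to ip-ratelimit-cookie instead.
    access-control: 198.51.100.0/24 allow
```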
jedisct1 added a commit to jedisct1/unbound that referenced this pull request on Feb 22, 2024
* nlnet/master:
Changelog entry for NLnetLabs#1010: - Merge NLnetLabs#1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl.
Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage (NLnetLabs#1010)