1 files changed, 44 insertions, 8 deletions
diff --git a/contrib/unbound/services/cache/infra.h b/contrib/unbound/services/cache/infra.h
index 14f97c4c64d3..1a88bbb94da8 100644
--- a/contrib/unbound/services/cache/infra.h
+++ b/contrib/unbound/services/cache/infra.h
@@ -122,6 +122,10 @@ struct infra_cache {
 	rbtree_type domain_limits;
 	/** hash table with query rates per client ip: ip_rate_key, ip_rate_data */
 	struct slabhash* client_ip_rates;
+	/** tree of addr_tree_node, with wait_limit_netblock_info information */
+	rbtree_type wait_limits_netblock;
+	/** tree of addr_tree_node, with wait_limit_netblock_info information */
+	rbtree_type wait_limits_cookie_netblock;
 };
 
 /** ratelimit, unless overridden by domain_limits, 0 is off */
@@ -153,6 +157,8 @@ struct rate_key {
 
 /** ip ratelimit, 0 is off */
 extern int infra_ip_ratelimit;
+/** ip ratelimit for DNS Cookie clients, 0 is off */
+extern int infra_ip_ratelimit_cookie;
 
 /**
  * key for ip_ratelimit lookups, a source IP.
@@ -182,10 +188,22 @@ struct rate_data {
 	/** what the timestamp is of the qps array members, counter is
 	 * valid for that timestamp.  Usually now and now-1. */
 	time_t timestamp[RATE_WINDOW];
+	/** the number of queries waiting in the mesh */
+	int mesh_wait;
 };
 
 #define ip_rate_data rate_data
 
+/**
+ * Data to store the configuration per netblock for the wait limit
+ */
+struct wait_limit_netblock_info {
+	/** The addr tree node, this must be first. */
+	struct addr_tree_node node;
+	/** the limit on the amount */
+	int limit;
+};
+
 /** infra host cache default hash lookup size */
 #define INFRA_HOST_STARTSIZE 32
 /** bytes per zonename reserved in the hostcache, dnamelen(zonename.com.) */
@@ -216,7 +234,7 @@ struct infra_cache* infra_adjust(struct infra_cache* infra,
 	struct config_file* cfg);
 
 /**
- * Plain find infra data function (used by the the other functions)
+ * Plain find infra data function (used by the other functions)
  * @param infra: infrastructure cache.
  * @param addr: host address.
  * @param addrlen: length of addr.
@@ -368,6 +386,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
  * @param name: zone name
  * @param namelen: zone name length
  * @param timenow: what time it is now.
+ * @param backoff: if backoff is enabled.
  * @param qinfo: for logging, query name.
  * @param replylist: for logging, querier's address (if any).
  * @return 1 if it could be incremented. 0 if the increment overshot the
@@ -375,7 +394,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
  * Failures like alloc failures are not returned (probably as 1).
  */
 int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow, struct query_info* qinfo,
+	size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
 	struct comm_reply* replylist);
 
 /**
@@ -398,13 +417,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
  * @param name: zone name
  * @param namelen: zone name length
  * @param timenow: what time it is now.
+ * @param backoff: if backoff is enabled.
  * @return true if exceeded.
  */
 int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
-	size_t namelen, time_t timenow);
+	size_t namelen, time_t timenow, int backoff);
 
-/** find the maximum rate stored, not too old. 0 if no information. */
-int infra_rate_max(void* data, time_t now);
+/** find the maximum rate stored. 0 if no information.
+ *  When backoff is enabled look for the maximum in the whole RATE_WINDOW. */
+int infra_rate_max(void* data, time_t now, int backoff);
 
 /** find the ratelimit in qps for a domain. 0 if no limit for domain. */
 int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
@@ -413,14 +434,17 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
 /** Update query ratelimit hash and decide
  *  whether or not a query should be dropped.
  *  @param infra: infra cache
- *  @param repinfo: information about client
+ *  @param addr: client address
+ *  @param addrlen: client address length
  *  @param timenow: what time it is now.
+ *  @param has_cookie: if the request came with a DNS Cookie.
+ *  @param backoff: if backoff is enabled.
  *  @param buffer: with query for logging.
  *  @return 1 if it could be incremented. 0 if the increment overshot the
  *  ratelimit and the query should be dropped. */
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow,
-	struct sldns_buffer* buffer);
+	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
+	int has_cookie, int backoff, struct sldns_buffer* buffer);
 
 /**
  * Get memory used by the infra cache.
@@ -466,4 +490,16 @@ void ip_rate_delkeyfunc(void* d, void* arg);
 /* delete data */
 #define ip_rate_deldatafunc rate_deldatafunc
 
+/** See if the IP address can have another reply in the wait limit */
+int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
+	int cookie_valid, struct config_file* cfg);
+
+/** Increment number of waiting replies for IP */
+void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
+	time_t timenow, struct config_file* cfg);
+
+/** Decrement number of waiting replies for IP */
+void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
+	struct config_file* cfg);
+
 #endif /* SERVICES_CACHE_INFRA_H */