clientlog: limit response rate

When the measured NTP or command request rate of a client exceeds
a threshold, reply only to a small fraction of the requests to reduce
the network traffic. Clients are allowed to send a burst of requests.
Try to detect broken clients which increase the request rate when not
getting replies and suppress the rate limiting for them.

Add ratelimit and cmdratelimit directives to configure the thresholds,
bursts and leak rates independently for NTP and command response rate
limiting. Both are disabled by default. Commands from localhost are
never limited.
Miroslav Lichvar
2015-11-25 13:23:52 +01:00
parent 830135edea
commit b506594c2d
6 changed files with 273 additions and 17 deletions
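The response-rate policy the commit message describes (threshold, burst, leak rate, reply to a fraction of requests while limited, and stop limiting clients that speed up when starved), carried through as an added leaky-bucket illustration. This is example code written for this page, not chrony's implementation; every name (`Policy`, `Client`, `rate_limit_allow`, `count_answered`) and the cut-off of two times the burst are invented here.

```c
#include <stdbool.h>

/* Simplified leaky-bucket response-rate limiter modelled on the policy in
 * the commit message; illustrative code, not chrony's. All names invented. */
typedef struct {
  double burst;          /* requests a client may send at once before limiting */
  double leak;           /* requests drained from the bucket per second */
  unsigned reply_every;  /* while limited, answer one request in this many */
  unsigned accel_limit;  /* consecutive shrinking intervals => broken client */
} Policy;

typedef struct {
  double level;      /* requests currently in the bucket */
  double last;       /* time of the previous request (seconds) */
  double prev_dt;    /* interval between the two previous requests */
  unsigned limited;  /* requests seen while over the threshold */
  unsigned accel;    /* consecutive times the client sped up while starved */
  bool broken;       /* client retries faster when starved: stop limiting it */
} Client;

/* Returns true when the request arriving at time `now` should be answered. */
bool rate_limit_allow(Client *c, const Policy *p, double now) {
  double dt = now - c->last;
  if (dt < 0.0) dt = 0.0;                      /* tolerate clock steps */
  c->level -= p->leak * dt;                    /* drain the bucket */
  if (c->level < 0.0) c->level = 0.0;
  c->level += 1.0;                             /* account this request */
  if (c->level > 2.0 * p->burst)               /* bound the lock-out time */
    c->level = 2.0 * p->burst;
  bool over = c->level > p->burst;
  /* A client that gets no replies and reacts by sending faster is probably
   * broken; limiting it only adds traffic (flag is never aged out here). */
  if (over && c->limited > 0 && dt < c->prev_dt) {
    if (++c->accel >= p->accel_limit) c->broken = true;
  } else c->accel = 0;
  c->prev_dt = dt;
  c->last = now;
  if (!over || c->broken) { c->limited = 0; return true; }
  return (++c->limited % p->reply_every) == 0;   /* answer 1 in reply_every */
}

/* Feed a sequence of request timestamps and count how many get a reply. */
unsigned count_answered(Client *c, const Policy *p, const double *t, unsigned n) {
  unsigned answered = 0;
  for (unsigned i = 0; i < n; i++)
    if (rate_limit_allow(c, p, t[i])) answered++;
  return answered;
}
```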


@@ -1649,7 +1649,7 @@ NCR_ProcessUnknown
)
{
NTP_Mode pkt_mode, my_mode;
int has_auth, valid_auth;
int has_auth, valid_auth, log_index;
uint32_t key_id;
/* Ignore the packet if it wasn't received by server socket */
@@ -1686,7 +1686,13 @@ NCR_ProcessUnknown
return;
}
CLG_LogNTPAccess(&remote_addr->ip_addr, now->tv_sec);
log_index = CLG_LogNTPAccess(&remote_addr->ip_addr, now->tv_sec);
/* Don't reply to all requests if the rate is excessive */
if (log_index >= 0 && CLG_LimitNTPResponseRate(log_index)) {
DEBUG_LOG(LOGF_NtpCore, "NTP packet discarded to limit response rate");
return;
}
/* Check if the packet includes MAC that authenticates properly */
valid_auth = check_packet_auth(message, length, &has_auth, &key_id);
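Review bot: the guard `log_index >= 0 && CLG_LimitNTPResponseRate(log_index)` makes the limiter fail open: whenever `CLG_LogNTPAccess` returns a negative index, for whatever reason, the packet is answered without any rate check. That is probably the intended trade-off, but a one-line comment saying so would stop a later "fix" from turning it into a fail-closed drop. Also, the `DEBUG_LOG` on the discard path carries no client address even though `remote_addr->ip_addr` is right there on the preceding line; including it would make tuning of the new `ratelimit` thresholds observable when debugging.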