proxy.config.http.per_client.connection.allow_list.filename

This implements
proxy.config.http.per_client.connection.allow_list.filename, a
configuration for the user to be able to provide a set of IP addresses
that are not counted against
proxy.config.net.per_client.max_connections_in.

Author: bneradt

doc/admin-guide/files/records.yaml.en.rst

@@ -524,6 +524,39 @@ Network
    below this limit. A value of 0 disables the per client concurrent connection
    limit.
 
+   See :ts:cv:`proxy.config.http.per_client.connection.allow_list.filename` for a way to
+   allow (not count) certain client IP addresses when applying this limit.
+
+.. ts:cv:: CONFIG proxy.config.http.per_client.connection.allow_list.filename STRING NULL
+
+   A path to a YAML formatted file containing a sequence of IP addresses to ignore
+   when counting incoming client connections. Incoming addresses in this
+   specified set will not count against
+   :ts:cv:`proxy.config.net.per_client.max_connections_in` and thus will not be
+   blocked for that configuration. This may be useful, for example, to allow any
+   number of incoming connections from within an organization's network without
+   blocking them due to the per client connection max feature.
+
+   This configuration takes a YAML sequence of IP addresses, CIDR networks, or
+   ranges separated by a dash.
+
+   ======================= ===========================================================
+   Example                 Effect
+   ======================= ===========================================================
+   ``10.0.2.123``          Ignore a single IP Address.
+   ``10.0.3.1-10.0.3.254`` Ignore a range of IP address.
+   ``10.0.4.0/24``         Ignore a range of IP address specified by CIDR notation.
+   ======================= ===========================================================
+
+   The root node should be ``allow_list``. Here is an example of the contents
+   of such a file::
+
+      allow_list:
+        - 10.0.2.123
+        - 172.16.0.0/20
+        - 192.168.1.0/24
+
+
 .. ts:cv:: CONFIG proxy.config.http.per_client.connection.alert_delay INT 60
    :reloadable:
    :units: seconds
@@ -2023,7 +2056,7 @@ Proxy User Variables
    by a dash or by using CIDR notation.
 
    ======================= ===========================================================
-   Example  Effect
+   Example                 Effect
    ======================= ===========================================================
    ``10.0.2.123``          A single IP Address.
    ``10.0.3.1-10.0.3.254`` A range of IP address.

include/iocore/net/ConnectionTracker.h

@@ -81,19 +81,28 @@ class ConnectionTracker
 
   /** Static configuration values. */
   struct GlobalConfig {
+    GlobalConfig() = default;
+    GlobalConfig(GlobalConfig const &);
+    GlobalConfig &operator=(GlobalConfig const &);
+
     std::chrono::seconds client_alert_delay{60}; ///< Alert delay in seconds.
     std::chrono::seconds server_alert_delay{60}; ///< Alert delay in seconds.
+    swoc::IPRangeSet     client_allow_list;      ///< The set of IP addresses to not block due client connection counting.
   };
 
   // The names of the configuration values.
   // Unfortunately these are not used in RecordsConfig.cc so that must be made consistent by hand.
   // Note: These need to be @c constexpr or there are static initialization ordering risks.
   static constexpr std::string_view CONFIG_CLIENT_VAR_ALERT_DELAY{"proxy.config.http.per_client.connection.alert_delay"};
+  static constexpr std::string_view CONFIG_CLIENT_VAR_ALLOW_LIST_FILENAME{
+    "proxy.config.http.per_client.connection.allow_list.filename"};
   static constexpr std::string_view CONFIG_SERVER_VAR_MAX{"proxy.config.http.per_server.connection.max"};
   static constexpr std::string_view CONFIG_SERVER_VAR_MIN{"proxy.config.http.per_server.connection.min"};
   static constexpr std::string_view CONFIG_SERVER_VAR_MATCH{"proxy.config.http.per_server.connection.match"};
   static constexpr std::string_view CONFIG_SERVER_VAR_ALERT_DELAY{"proxy.config.http.per_server.connection.alert_delay"};
 
+  static constexpr std::string_view ALLOW_LIST_ROOT_NODE{"allow_list"};
+
   /// A record for the outbound connection count.
   /// These are stored per outbound session equivalence class, as determined by the session matching.
   struct Group {
@@ -161,11 +170,18 @@ class ConnectionTracker
     std::shared_ptr<Group> _g;                 ///< Active group for this transaction.
     bool                   _reserved_p{false}; ///< Set if a connection slot has been reserved.
     bool                   _queued_p{false};   ///< Set if the connection is delayed / queued.
+    bool                   _allowed_p{false};  ///< Set if the peer is in the connection allow list.
 
     /// Check if tracking is active.
-    bool is_active();
+    bool is_active() const;
+
+    /// Whether this group is in the connection max allow list.
+    /// @return @c true if this group should not be blocked due to
+    /// proxy.config.net.per_client.max_connections_in.
+    bool is_allowed() const;
 
     /// Reserve a connection.
+    /// @return the number of tracked connections.
     int reserve();
     /// Release a connection reservation.
     void release();
@@ -323,11 +339,17 @@ ConnectionTracker::Group::hash(const Key &key)
 }
 
 inline bool
-ConnectionTracker::TxnState::is_active()
+ConnectionTracker::TxnState::is_active() const
 {
   return nullptr != _g;
 }
 
+inline bool
+ConnectionTracker::TxnState::is_allowed() const
+{
+  return _allowed_p;
+}
+
 inline int
 ConnectionTracker::TxnState::reserve()
 {

src/iocore/net/ConnectionTracker.cc

@@ -24,6 +24,9 @@
 #include "P_Net.h" // For Metrics.
 #include "iocore/net/ConnectionTracker.h"
 #include "records/RecCore.h"
+#include "swoc/IPAddr.h"
+#include "swoc/swoc_file.h"
+#include <yaml-cpp/yaml.h>
 
 using namespace std::literals;
 
@@ -149,7 +152,93 @@ Config_Update_Conntrack_Client_Alert_Delay(const char *name, RecDataT dtype, Rec
   return Config_Update_Conntrack_Server_Alert_Delay_Helper(name, dtype, data, cookie, config->client_alert_delay);
 }
 
-} // namespace
+bool
+Update_Client_Allow_List_From_File(swoc::IPRangeSet &range_set, std::string_view filename)
+{
+  char const *config_name = ConnectionTracker::CONFIG_CLIENT_VAR_ALLOW_LIST_FILENAME.data();
+  Note("%s: loading %.*s", config_name, static_cast<int>(filename.size()), filename.data());
+  std::error_code ec;
+  std::string     content{swoc::file::load(filename, ec)};
+  if (ec.value() != 0) {
+    Warning("%s: Failed to load %.*s - %s", config_name, static_cast<int>(filename.size()), filename.data(), ec.message().c_str());
+    return false;
+  }
+
+  YAML::Node root_node{YAML::Load(content)};
+  YAML::Node ranges_node{root_node[ConnectionTracker::ALLOW_LIST_ROOT_NODE.data()]};
+  if (!ranges_node) {
+    Warning("%s: no %s root node found in %.*s", config_name, ConnectionTracker::ALLOW_LIST_ROOT_NODE.data(),
+            static_cast<int>(filename.size()), filename.data());
+    return false;
+  }
+
+  // The allow list should contain a Sequence of allowed addresses.
+  if (!ranges_node.IsSequence()) {
+    Warning("%s: %s root node must be a sequence of ip address ranges in %.*s", config_name,
+            ConnectionTracker::ALLOW_LIST_ROOT_NODE.data(), static_cast<int>(filename.size()), filename.data());
+    return false;
+  }
+
+  for (auto const &range_node : ranges_node) {
+    if (!range_node.IsScalar()) {
+      Warning("%s: %.*s root node must be a sequence of ip address ranges in %.*s:%d", config_name,
+              static_cast<int>(ConnectionTracker::ALLOW_LIST_ROOT_NODE.size()), ConnectionTracker::ALLOW_LIST_ROOT_NODE.data(),
+              static_cast<int>(filename.size()), filename.data(), range_node.Mark().line);
+      return false;
+    }
+    std::string_view range_sv{range_node.Scalar()};
+    swoc::IPRange    range;
+    if (!range.load(range_sv)) {
+      Warning("%s: %.*s is not a valid IP range in %.*s:%d", config_name, static_cast<int>(range_sv.size()), range_sv.data(),
+              static_cast<int>(filename.size()), filename.data(), range_node.Mark().line);
+      return false;
+    }
+    range_set.mark(range);
+  }
+  return true;
+}
+
+bool
+Config_Update_Conntrack_Client_Allow_List_Filename(const char * /* name ATS_UNUSED */, RecDataT dtype, RecData data, void *cookie)
+{
+  if (RECD_STRING != dtype) {
+    Warning("Invalid type for '%s' - must be 'STRING'", ConnectionTracker::CONFIG_CLIENT_VAR_ALLOW_LIST_FILENAME.data());
+    return false;
+  }
+  auto *config = static_cast<ConnectionTracker::GlobalConfig *>(cookie);
+  if (data.rec_string == nullptr) {
+    // There is no allow list configured. Ensure that our allow list is empty.
+    config->client_allow_list.clear();
+    return true;
+  }
+  std::string_view allow_list_filename{data.rec_string};
+  ink_release_assert(config != nullptr);
+  return Update_Client_Allow_List_From_File(config->client_allow_list, allow_list_filename);
+}
+
+} // anonymous namespace
+
+ConnectionTracker::GlobalConfig::GlobalConfig(GlobalConfig const &other)
+{
+  this->client_alert_delay = other.client_alert_delay;
+  this->server_alert_delay = other.server_alert_delay;
+  this->client_allow_list.clear();
+  for (auto const &ip_range : other.client_allow_list) {
+    this->client_allow_list.mark(ip_range);
+  }
+}
+
+ConnectionTracker::GlobalConfig &
+ConnectionTracker::GlobalConfig::operator=(GlobalConfig const &other)
+{
+  this->client_alert_delay = other.client_alert_delay;
+  this->server_alert_delay = other.server_alert_delay;
+  this->client_allow_list.clear();
+  for (auto const &ip_range : other.client_allow_list) {
+    this->client_allow_list.mark(ip_range);
+  }
+  return *this;
+}
 
 void
 ConnectionTracker::config_init(GlobalConfig *global, TxnConfig *txn, RecConfigUpdateCb const &config_cb)
@@ -158,6 +247,7 @@ ConnectionTracker::config_init(GlobalConfig *global, TxnConfig *txn, RecConfigUp
                            // Per transaction lookup must be done at call time because it changes.
 
   Enable_Config_Var(CONFIG_CLIENT_VAR_ALERT_DELAY, &Config_Update_Conntrack_Client_Alert_Delay, config_cb, global);
+  Enable_Config_Var(CONFIG_CLIENT_VAR_ALLOW_LIST_FILENAME, &Config_Update_Conntrack_Client_Allow_List_Filename, config_cb, global);
   Enable_Config_Var(CONFIG_SERVER_VAR_MIN, &Config_Update_Conntrack_Min, config_cb, txn);
   Enable_Config_Var(CONFIG_SERVER_VAR_MAX, &Config_Update_Conntrack_Max, config_cb, txn);
   Enable_Config_Var(CONFIG_SERVER_VAR_MATCH, &Config_Update_Conntrack_Match, config_cb, txn);
@@ -167,7 +257,14 @@ ConnectionTracker::config_init(GlobalConfig *global, TxnConfig *txn, RecConfigUp
 ConnectionTracker::TxnState
 ConnectionTracker::obtain_inbound(IpEndpoint const &addr)
 {
-  TxnState                    zret;
+  TxnState zret;
+  if (_global_config->client_allow_list.contains(swoc::IPAddr{addr})) {
+    // This short-circuits all our connection logic. Save time by just setting
+    // the flag for the caller to see that connections are not tracked for this
+    // address.
+    zret._allowed_p = true;
+    return zret;
+  }
   CryptoHash                  hash;
   Group::Key                  key{addr, hash, MatchType::MATCH_IP};
   std::lock_guard<std::mutex> lock(_inbound_table._mutex); // Table lock

src/iocore/net/Net.cc

@@ -90,7 +90,8 @@ register_net_stats()
   net_rsb.connections_throttled_in   = Metrics::Counter::createPtr("proxy.process.net.connections_throttled_in");
   net_rsb.per_client_connections_throttled_in =
     Metrics::Counter::createPtr("proxy.process.net.per_client.connections_throttled_in");
-  net_rsb.connections_throttled_out = Metrics::Counter::createPtr("proxy.process.net.connections_throttled_out");
+  net_rsb.per_client_connections_allowed_in = Metrics::Counter::createPtr("proxy.process.net.per_client.connections_allowed_in");
+  net_rsb.connections_throttled_out         = Metrics::Counter::createPtr("proxy.process.net.connections_throttled_out");
   net_rsb.tunnel_total_client_connections_blind_tcp =
     Metrics::Counter::createPtr("proxy.process.tunnel.total_client_connections_blind_tcp");
   net_rsb.tunnel_current_client_connections_blind_tcp =

src/iocore/net/P_Net.h

@@ -45,6 +45,7 @@ struct NetStatsBlock {
   Metrics::Gauge::AtomicType   *connections_currently_open;
   Metrics::Counter::AtomicType *connections_throttled_in;
   Metrics::Counter::AtomicType *per_client_connections_throttled_in;
+  Metrics::Counter::AtomicType *per_client_connections_allowed_in;
   Metrics::Counter::AtomicType *connections_throttled_out;
   Metrics::Counter::AtomicType *default_inactivity_timeout_applied;
   Metrics::Counter::AtomicType *default_inactivity_timeout_count;

src/iocore/net/UnixNetAccept.cc

@@ -54,15 +54,22 @@ handle_max_client_connections(IpEndpoint const &addr, std::shared_ptr<Connection
 {
   int const client_max = NetHandler::get_per_client_max_connections_in();
   if (client_max > 0) {
-    auto       inbound_tracker = ConnectionTracker::obtain_inbound(addr);
-    auto const tracked_count   = inbound_tracker.reserve();
+    auto inbound_tracker = ConnectionTracker::obtain_inbound(addr);
+    if (inbound_tracker.is_allowed()) {
+      // The user configured connections like this to not be tracked. Simply allow it.
+      Metrics::Counter::increment(net_rsb.per_client_connections_allowed_in);
+      Dbg(dbg_ctl_iocore_net_accepts, "Ignoring client connection counting for an incoming address in the allow list.");
+      return true;
+    }
+    auto const tracked_count = inbound_tracker.reserve();
     if (tracked_count > client_max) {
       // close the connection as we are in per client connection throttle state
       inbound_tracker.release();
       inbound_tracker.blocked();
       inbound_tracker.Warn_Blocked(client_max, 0, tracked_count - 1, addr,
                                    dbg_ctl_iocore_net_accept.on() ? &dbg_ctl_iocore_net_accept : nullptr);
       Metrics::Counter::increment(net_rsb.per_client_connections_throttled_in);
+      Dbg(dbg_ctl_iocore_net_accepts, "Blocking a client connection due to per client connection limit.");
       return false;
     }
     conn_track_group = inbound_tracker.drop();

src/records/RecordsConfig.cc

@@ -381,6 +381,8 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.net.per_client.max_connections_in", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
+  {RECT_CONFIG, "proxy.config.http.per_client.connection.allow_list.filename", RECD_STRING, nullptr, RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
+  ,
   {RECT_CONFIG, "proxy.config.http.per_client.connection.alert_delay", RECD_INT, "60", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.net.max_requests_in", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}

tests/gold_tests/client_connection/allow_lists/allow_all.yaml

@@ -0,0 +1,19 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+allow_list:
+  - 0/0
+  - ::/0

tests/gold_tests/client_connection/allow_lists/allow_localhost.yaml

@@ -0,0 +1,19 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+allow_list:
+  - 127.0.0.1
+  - ::1

tests/gold_tests/client_connection/allow_lists/no_localhost.yaml

@@ -0,0 +1,19 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+allow_list:
+  - 1.2.3.4
+  - 5.6.0.0/16