ratelimiter/ratelimiter.go

/* SPDX-License-Identifier: MIT
 *
 * Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.
 */

package ratelimiter

import (
	"net"
	"sync"
	"time"
)

const (
	packetsPerSecond   = 20
	packetsBurstable   = 5
	garbageCollectTime = time.Second
	packetCost         = 1000000000 / packetsPerSecond
	maxTokens          = packetCost * packetsBurstable
)

type RatelimiterEntry struct {
	mu       sync.Mutex
	lastTime time.Time
	tokens   int64
}

type Ratelimiter struct {
	mu      sync.RWMutex
	timeNow func() time.Time

	stopReset chan struct{} // send to reset, close to stop
	tableIPv4 map[[net.IPv4len]byte]*RatelimiterEntry
	tableIPv6 map[[net.IPv6len]byte]*RatelimiterEntry
}

func (rate *Ratelimiter) Close() {
	rate.mu.Lock()
	defer rate.mu.Unlock()

	if rate.stopReset != nil {
		close(rate.stopReset)
	}
}

func (rate *Ratelimiter) Init() {
	rate.mu.Lock()
	defer rate.mu.Unlock()

	if rate.timeNow == nil {
		rate.timeNow = time.Now
	}

	// stop any ongoing garbage collection routine
	if rate.stopReset != nil {
		close(rate.stopReset)
	}

	rate.stopReset = make(chan struct{})
	rate.tableIPv4 = make(map[[net.IPv4len]byte]*RatelimiterEntry)
	rate.tableIPv6 = make(map[[net.IPv6len]byte]*RatelimiterEntry)

	stopReset := rate.stopReset // store in case Init is called again.

	// Start garbage collection routine.
	go func() {
		ticker := time.NewTicker(time.Second)
		ticker.Stop()
		for {
			select {
			case _, ok := <-stopReset:
				ticker.Stop()
				if !ok {
					return
				}
				ticker = time.NewTicker(time.Second)
			case <-ticker.C:
				if rate.cleanup() {
					ticker.Stop()
				}
			}
		}
	}()
}

func (rate *Ratelimiter) cleanup() (empty bool) {
	rate.mu.Lock()
	defer rate.mu.Unlock()

	for key, entry := range rate.tableIPv4 {
		entry.mu.Lock()
		if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {
			delete(rate.tableIPv4, key)
		}
		entry.mu.Unlock()
	}

	for key, entry := range rate.tableIPv6 {
		entry.mu.Lock()
		if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {
			delete(rate.tableIPv6, key)
		}
		entry.mu.Unlock()
	}

	return len(rate.tableIPv4) == 0 && len(rate.tableIPv6) == 0
}

func (rate *Ratelimiter) Allow(ip net.IP) bool {
	var entry *RatelimiterEntry
	var keyIPv4 [net.IPv4len]byte
	var keyIPv6 [net.IPv6len]byte

	// lookup entry

	IPv4 := ip.To4()
	IPv6 := ip.To16()

	rate.mu.RLock()

	if IPv4 != nil {
		copy(keyIPv4[:], IPv4)
		entry = rate.tableIPv4[keyIPv4]
	} else {
		copy(keyIPv6[:], IPv6)
		entry = rate.tableIPv6[keyIPv6]
	}

	rate.mu.RUnlock()

	// make new entry if not found

	if entry == nil {
		entry = new(RatelimiterEntry)
		entry.tokens = maxTokens - packetCost
		entry.lastTime = rate.timeNow()
		rate.mu.Lock()
		if IPv4 != nil {
			rate.tableIPv4[keyIPv4] = entry
			if len(rate.tableIPv4) == 1 && len(rate.tableIPv6) == 0 {
				rate.stopReset <- struct{}{}
			}
		} else {
			rate.tableIPv6[keyIPv6] = entry
			if len(rate.tableIPv6) == 1 && len(rate.tableIPv4) == 0 {
				rate.stopReset <- struct{}{}
			}
		}
		rate.mu.Unlock()
		return true
	}

	// add tokens to entry

	entry.mu.Lock()
	now := rate.timeNow()
	entry.tokens += now.Sub(entry.lastTime).Nanoseconds()
	entry.lastTime = now
	if entry.tokens > maxTokens {
		entry.tokens = maxTokens
	}

	// subtract cost of packet

	if entry.tokens > packetCost {
		entry.tokens -= packetCost
		entry.mu.Unlock()
		return true
	}
	entry.mu.Unlock()
	return false
}
Update copyright 2019-01-02 01:55:51 +01:00			`/* SPDX-License-Identifier: MIT`
global: Add SPDX tags and copyright header 2018-05-03 15:04:00 +02:00			`*`
global: bump copyright 2021-01-28 17:52:15 +01:00			`* Copyright (C) 2017-2021 WireGuard LLC. All Rights Reserved.`
global: Add SPDX tags and copyright header 2018-05-03 15:04:00 +02:00			`*/`

Revert "Don't use modules" 2018-02-12 22:29:11 +01:00			`package ratelimiter`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00
			`import (`
			`"net"`
			`"sync"`
			`"time"`
			`)`

			`const (`
Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00			`packetsPerSecond = 20`
			`packetsBurstable = 5`
			`garbageCollectTime = time.Second`
			`packetCost = 1000000000 / packetsPerSecond`
			`maxTokens = packetCost * packetsBurstable`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`)`

			`type RatelimiterEntry struct {`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`mu sync.Mutex`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`lastTime time.Time`
			`tokens int64`
			`}`

			`type Ratelimiter struct {`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`mu sync.RWMutex`
			`timeNow func() time.Time`

			`stopReset chan struct{} // send to reset, close to stop`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`tableIPv4 map[[net.IPv4len]byte]*RatelimiterEntry`
			`tableIPv6 map[[net.IPv6len]byte]*RatelimiterEntry`
			`}`

			`func (rate *Ratelimiter) Close() {`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`rate.mu.Lock()`
			`defer rate.mu.Unlock()`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`if rate.stopReset != nil {`
			`close(rate.stopReset)`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`}`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`}`

			`func (rate *Ratelimiter) Init() {`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`rate.mu.Lock()`
			`defer rate.mu.Unlock()`

			`if rate.timeNow == nil {`
			`rate.timeNow = time.Now`
			`}`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00
Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00			`// stop any ongoing garbage collection routine`
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`if rate.stopReset != nil {`
			`close(rate.stopReset)`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`}`

ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`rate.stopReset = make(chan struct{})`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`rate.tableIPv4 = make(map[[net.IPv4len]byte]*RatelimiterEntry)`
			`rate.tableIPv6 = make(map[[net.IPv6len]byte]*RatelimiterEntry)`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`stopReset := rate.stopReset // store in case Init is called again.`
Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`// Start garbage collection routine.`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`go func() {`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`ticker := time.NewTicker(time.Second)`
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`ticker.Stop()`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`for {`
			`select {`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`case _, ok := <-stopReset:`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`ticker.Stop()`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`if !ok {`
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`return`
			`}`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`ticker = time.NewTicker(time.Second)`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`case <-ticker.C:`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`if rate.cleanup() {`
			`ticker.Stop()`
			`}`
Moved ratelimiter to internal package 2018-02-11 22:53:39 +01:00			`}`
			`}`
			`}()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`}`

ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`func (rate *Ratelimiter) cleanup() (empty bool) {`
			`rate.mu.Lock()`
			`defer rate.mu.Unlock()`

			`for key, entry := range rate.tableIPv4 {`
			`entry.mu.Lock()`
			`if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {`
			`delete(rate.tableIPv4, key)`
			`}`
			`entry.mu.Unlock()`
			`}`

			`for key, entry := range rate.tableIPv6 {`
			`entry.mu.Lock()`
			`if rate.timeNow().Sub(entry.lastTime) > garbageCollectTime {`
			`delete(rate.tableIPv6, key)`
			`}`
			`entry.mu.Unlock()`
			`}`

			`return len(rate.tableIPv4) == 0 && len(rate.tableIPv6) == 0`
			`}`

Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`func (rate *Ratelimiter) Allow(ip net.IP) bool {`
			`var entry *RatelimiterEntry`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`var keyIPv4 [net.IPv4len]byte`
			`var keyIPv6 [net.IPv6len]byte`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00
			`// lookup entry`

			`IPv4 := ip.To4()`
			`IPv6 := ip.To16()`

ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`rate.mu.RLock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00
			`if IPv4 != nil {`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`copy(keyIPv4[:], IPv4)`
			`entry = rate.tableIPv4[keyIPv4]`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`} else {`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`copy(keyIPv6[:], IPv6)`
			`entry = rate.tableIPv6[keyIPv6]`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`}`

ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`rate.mu.RUnlock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00
			`// make new entry if not found`

			`if entry == nil {`
			`entry = new(RatelimiterEntry)`
Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00			`entry.tokens = maxTokens - packetCost`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`entry.lastTime = rate.timeNow()`
			`rate.mu.Lock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`if IPv4 != nil {`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`rate.tableIPv4[keyIPv4] = entry`
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`if len(rate.tableIPv4) == 1 && len(rate.tableIPv6) == 0 {`
			`rate.stopReset <- struct{}{}`
			`}`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`} else {`
Cleanup ratelimiter 2018-05-13 18:42:06 +02:00			`rate.tableIPv6[keyIPv6] = entry`
ratelimiter: do not run GC with nothing to do 2018-05-21 03:18:56 +02:00			`if len(rate.tableIPv6) == 1 && len(rate.tableIPv4) == 0 {`
			`rate.stopReset <- struct{}{}`
			`}`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`}`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`rate.mu.Unlock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`return true`
			`}`

			`// add tokens to entry`

ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`entry.mu.Lock()`
			`now := rate.timeNow()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`entry.tokens += now.Sub(entry.lastTime).Nanoseconds()`
			`entry.lastTime = now`
Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00			`if entry.tokens > maxTokens {`
			`entry.tokens = maxTokens`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`}`

			`// subtract cost of packet`

Removed exported methods from ratelimiter package 2018-02-11 23:01:55 +01:00			`if entry.tokens > packetCost {`
			`entry.tokens -= packetCost`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`entry.mu.Unlock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`return true`
			`}`
ratelimiter: use a fake clock in tests and style cleanups 2019-12-08 18:22:31 -05:00			`entry.mu.Unlock()`
Added ratelimiting of handshake messages 2017-07-11 18:48:29 +02:00			`return false`
			`}`