mirror of
https://oauth2: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@github.com/m1ngsama/TNT.git
synced 2026-06-26 05:44:38 +08:00
m1ngsama
562ee5296d
Move IP rate-limiting, auth-failure tracking, and global connection
counting out of ssh_server.c into a dedicated module.
New API (include/ratelimit.h):
- ratelimit_init()
- ratelimit_check_ip() / ratelimit_release_ip()
- ratelimit_record_auth_failure()
- ratelimit_check_and_increment_total() / ratelimit_decrement_total()
- ratelimit_get_active_total() (replaces the direct g_total_connections
read that exec_command_stats was doing under g_conn_count_lock)
env_int() also moves up to common.{c,h} since multiple modules need it.
ssh_server.c drops from 2469 to 2200 lines. Behaviour is preserved:
the new functions are byte-for-byte the same implementations, only the
file boundary moved.
g_idle_timeout and g_access_token reads stay inline in ssh_server_init()
for now; they will follow the auth.c and input.c extractions later.
27 lines
994 B
C
27 lines
994 B
C
#ifndef RATELIMIT_H
|
|
#define RATELIMIT_H
|
|
|
|
#include <stdbool.h>
|
|
|
|
/* Read TNT_MAX_CONNECTIONS / TNT_MAX_CONN_PER_IP / TNT_MAX_CONN_RATE_PER_IP /
|
|
* TNT_RATE_LIMIT from the environment. Idempotent, call once at startup. */
|
|
void ratelimit_init(void);
|
|
|
|
/* Per-IP entry point: returns false if the IP has hit any limit (concurrent,
|
|
* rate, or block). On success, increments the IP's active counter — caller
|
|
* MUST pair with ratelimit_release_ip() when the connection ends. */
|
|
bool ratelimit_check_ip(const char *ip);
|
|
void ratelimit_release_ip(const char *ip);
|
|
|
|
/* Auth-failure ledger. After enough failures within the window the IP is
|
|
* blocked for a fixed duration. */
|
|
void ratelimit_record_auth_failure(const char *ip);
|
|
|
|
/* Global active-connection cap (separate from per-IP). Pair them. */
|
|
bool ratelimit_check_and_increment_total(void);
|
|
void ratelimit_decrement_total(void);
|
|
|
|
/* Read-only accessor for stats subcommand. */
|
|
int ratelimit_get_active_total(void);
|
|
|
|
#endif /* RATELIMIT_H */
|