You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This change fixes the case where multiple validators behind the same IP interfere with each other due to QUIC flood control.
It makes two changes:
RFC1918 private IPv4 ranges are no longer subject to per-IP QUIC flood control:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Validator endpoints can use separate flood buckets by exact ip:port, so multiple validators on the same public IP no longer
consume the same per-IP flood quota.
The global new-connection limiter is unchanged.
What changed
QuicServer flood control is now bucket-based:
RFC1918 source -> bypass per-IP flood bucket
protected validator endpoint -> bucket by exact ip:port
all other traffic -> bucket by ip
The selected flood bucket is stored on accepted inbound connections and reused on close, so accounting stays correct even if
protection state changes later.
Added protected-endpoint registration in QUIC.
QuicSender now tracks protected validator peers per local ADNL ID, resolves their exact endpoints, and updates the QUIC server
with those endpoints.
ValidatorGroup now registers current validator-set peers as protected on session start and unregisters them on destroy.
Medium: protected peer endpoint resolution has no retry path, so a transient get_peer_node/address miss leaves that peer permanently unprotected unless an outbound reconnect happens later. quic/quic-sender.cpp:485 returns immediately on error, and there is no periodic/backoff re-resolution for entries still present in protected_peers_. This can silently defeat the new shared-IP protection for inbound-only peers.
Medium: RFC1918 exemption bypasses both concurrent flood buckets and per-bucket new-connection rate limiting, not just per-IP bucket sharing. quic/quic-server.cpp:232 returns nullopt for private IPv4, and quic/quic-server.cpp:247 then skips conn_rate_limiters_.take_new_connection(...). On private but untrusted networks, this creates a much weaker limiter than before (only global limiter remains). Consider keeping a per-endpoint limiter for exempt ranges if that is not intentional.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This change fixes the case where multiple validators behind the same IP interfere with each other due to QUIC flood control.
It makes two changes:
10.0.0.0/8172.16.0.0/12192.168.0.0/16ip:port, so multiple validators on the same public IP no longerconsume the same per-IP flood quota.
The global new-connection limiter is unchanged.
What changed
QuicServerflood control is now bucket-based:ip:portipprotection state changes later.
QuicSendernow tracks protected validator peers per local ADNL ID, resolves their exact endpoints, and updates the QUIC serverwith those endpoints.
ValidatorGroupnow registers current validator-set peers as protected on session start and unregisters them on destroy.validator-engine:--quic-exempt-private-rfc1918-from-per-ip-flood--quic-protect-validator-endpoints-from-shared-ip-floodBoth are enabled by default.
Notes