New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage #1010
Conversation
Also moved the part about bypassing ip-ratelimit to the ip-ratelimit description as it will be bypassed with a valid DNS-Cookie regardless of the allow_cookie acl.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, glad my suggested part of the text made it through, mostly :-) . I feel it is okay to have a reference to the cookie ratelimit, or its difference to ordinary ratelimit at the allow_cookie description, but also the new location for the text is more genuine since other access control settings can have cookie traffic that uses the cookie ratelimit. So I am happy with the current solution.
Can we please squash before merging this? :) |
Wait a minute, looking at the code I'm not convinced ip-ratelimit will be bypassed with a valid cookie regardless of the allow_cookie acl. @gthess perhaps |
That's true. Currently only if you demand clients with cookies (i.e., allow_cookie in acl) you can bypass the ratelimit. |
But you are right, with the current code the text is wrong. |
But currently ip-ratelimit is global anyway. There is no rate-limiting for certain IPs, right? |
…ound into devel/fix-allow_cookie-doc
Ah you are right, I was confused with regular ratelimit to the upstream where it is not global only. |
So this looks good, merging. |
- Merge #1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl.
* nlnet/master: Changelog entry for NLnetLabs#1010: - Merge NLnetLabs#1010: Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage. It also fixes the code to match the documentation about clients with a valid cookie that bypass the ratelimit regardless of the allow_cookie acl. Mention REFUSED has the TC bit set with unmatched allow_cookie acl in the manpage (NLnetLabs#1010)
Also moved the part about bypassing ip-ratelimit to the ip-ratelimit description as it will be bypassed with a valid DNS-Cookie regardless of the allow_cookie acl.