Re: [Libguestfs] [PATCH nbdkit v2] New filter: limit: Limit number of clients that can connect.

--- docs/nbdkit-service.pod | 1 + filters/exitlast/nbdkit-exitlast-filter.pod | 1 + filters/ip/nbdkit-ip-filter.pod | 1 + filters/limit/nbdkit-limit-filter.pod | 61 +++++++++ filters/rate/nbdkit-rate-filter.pod | 1 + configure.ac | 2 + filters/limit/Makefile.am | 66 ++++++++++ tests/Makefile.am | 3 + filters/limit/limit.c | 129 ++++++++++++++++++++ tests/test-limit.sh | 81 ++++++++++++ TODO | 2 - 11 files changed, 346 insertions(+), 2 deletions(-)

+++ b/filters/limit/nbdkit-limit-filter.pod @@ -0,0 +1,61 @@ +=head1 NAME + +nbdkit-limit-filter - limit number of clients that can connect

+ +=head1 SYNOPSIS + + nbdkit --filter=limit PLUGIN [limit=N] + +=head1 DESCRIPTION + +C<nbdkit-limit-filter> is an nbdkit filter that limits the number of +clients which can connect concurrently. If more than C<limit=N> +(default: 1) clients try to connect at the same time then later +clients are rejected. + +=head1 PARAMETERS + +=over 4 + +=item B<limit=>N + +Limit the number of concurrent clients to C<N>. This parameter is +optional. If not specified then the limit defaults to 1. You can +also set this to 0 to make the number of clients unlimited (ie. +disable the filter). +

+=head1 SEE ALSO + +L<nbdkit(1)>, +L<nbdkit-exitlast-filter(1)>, +L<nbdkit-ip-filter(1)>, +L<nbdkit-noparallel-filter(1)>, +L<nbdkit-rate-filter(1)>, +L<nbdkit-filter(3)>, +L<nbdkit-plugin(3)>.

+++ b/filters/limit/limit.c

+ +/* Counts client connections. */ +static unsigned connections; +static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; + +/* Client limit (0 = filter is disabled). */ +static unsigned limit = 1; + +static int +limit_config (nbdkit_next_config *next, nbdkit_backend *nxdata, + const char *key, const char *value) +{ + if (strcmp (key, "limit") == 0) { + if (nbdkit_parse_unsigned ("limit", value, &limit) == -1) + return -1; + return 0; + } + + return next (nxdata, key, value); +} + +static void +too_many_clients_error (void) +{ + nbdkit_error ("limit: too many clients connected, connection rejected"); +} + +/* We limit connections in the preconnect stage (in particular before + * any heavyweight NBD or TLS negotiations has been done). However we + * count connections in the open/close calls since clients can drop + * out between preconnect and open. + */

+static int +limit_preconnect (nbdkit_next_preconnect *next, nbdkit_backend *nxdata, + int readonly) +{ + if (next (nxdata, readonly) == -1) + return -1; + + ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock); + + if (limit > 0 && connections >= limit) { + too_many_clients_error (); + return -1; + } + + return 0; +} + +static void * +limit_open (nbdkit_next_open *next, nbdkit_backend *nxdata, + int readonly) +{ + if (next (nxdata, readonly) == -1) + return NULL; + + ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock); + + /* We have to check again because clients can artificially slow down + * the NBD negotiation in order to bypass the limit otherwise. + */ + if (limit > 0 && connections >= limit) { + too_many_clients_error (); + return NULL; + } + + connections++; + return NBDKIT_HANDLE_NOT_NEEDED; +} + +static void +limit_close (void *handle) +{ + ACQUIRE_LOCK_FOR_CURRENT_SCOPE (&lock); + connections--; +}