Rate gate expensive validation of new identities in HELLO.
This commit is contained in:
Adam Ierymenko
parent
ab4021dd0e
commit
2ea9f516e1
6 changed files with 87 additions and 1 deletions
|
|
@ -375,6 +375,26 @@
|
|||
*/
|
||||
#define ZT_PEER_GENERAL_RATE_LIMIT 1000
|
||||
|
||||
/**
|
||||
* Don't do expensive identity validation more often than this
|
||||
*
|
||||
* IPv4 and IPv6 address prefixes are hashed down to 14-bit (0-16383) integers
|
||||
* using the first 24 bits for IPv4 or the first 48 bits for IPv6. These are
|
||||
* then rate limited to one identity validation per this often milliseconds.
|
||||
*/
|
||||
#if (defined(__amd64) || defined(__amd64__) || defined(__x86_64) || defined(__x86_64__) || defined(__AMD64) || defined(__AMD64__) || defined(_M_X64) || defined(_M_AMD64))
|
||||
// AMD64 machines can do anywhere from one every 50ms to one every 10ms. This provides plenty of margin.
|
||||
#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 2000
|
||||
#else
|
||||
#if (defined(__i386__) || defined(__i486__) || defined(__i586__) || defined(__i686__) || defined(_M_IX86) || defined(_X86_) || defined(__I86__))
|
||||
// 32-bit Intel machines usually average about one every 100ms
|
||||
#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 5000
|
||||
#else
|
||||
// This provides a safe margin for ARM, MIPS, etc. that usually average one every 250-400ms
|
||||
#define ZT_IDENTITY_VALIDATION_SOURCE_RATE_LIMIT 10000
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/**
|
||||
* How long is a path or peer considered to have a trust relationship with us (for e.g. relay policy) since last trusted established packet?
|
||||
*/
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue