rate_limiter: Block IPv6 by /64 instead of per-single-IP.

Fixes #21544.

The network prefix (e.g. 64) identifies the network portion,
which determines which bucket that IPv6 address should belong to.

Implemented as a generic approach, so we have the option
to use different prefix sizes (leading to different buckets)
in the future.

Add comprehensive assertions for which IPv6s
are expected to belong to the same bucket and which are not.
bedo
2025-09-04 12:34:41 +03:00
committed by Tim Abbott
parent 5fa027a577
commit bc1ed82620
3 changed files with 118 additions and 9 deletions

@@ -269,8 +269,10 @@ DEFAULT_RATE_LIMITING_RULES = {
],
# Limits total number of unauthenticated API requests (primarily
# used by the public access option). Since these are
# unauthenticated requests, each IP address is a separate bucket.
# unauthenticated requests, each IPv4 address is a separate bucket.
# For IPv6, one bucket is used for each /64 subnet.
"api_by_ip": [
# 100 requests per minute.
(60, 100),
],
# Limits total requests to the Mobile Push Notifications Service
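Review bot: the new comment on the "api_by_ip" rule hard-codes "/64" even though the commit message describes the prefix length as a generic, adjustable parameter; if the prefix is controlled by a constant or setting elsewhere in this change, name it here (e.g. "one bucket per IPv6 subnet of the configured prefix length, currently /64") so the comment does not go stale when a different prefix is chosen. Since this hunk only touches the comment, it is also worth a one-line reminder that the bucket key derivation for IPv6 lives in the rate limiter module rather than in these rule tuples, which still express only (seconds, max requests).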