blocklist/allow list faster, also prepare for subnet masking.

xward · Oct 10, 2023 · a696d12 · a696d12
1 parent 3c42935
commit a696d12
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 23 deletions.
diff --git a/README.md b/README.md
@@ -170,8 +170,7 @@ Slack: join [elixir-lang](https://elixir-lang.slack.com/) and join channel `#pho
 
 ## Next in roadmap
 
-- [perf] generate blocklist/allow pre-compute list module instead of make an `ip in blocklist` test
-- [monitoring/config] observe tooling, to be able to observe what volume is normal traffic and craft a configuration accordingly
+- [engin/rate_limit/monitoring] observe tooling, to be able to observe what volume is normal traffic and craft a configuration accordingly
 - [feat] ip blocklist/safelist with mask/subnet
 - [feat] log central genserver to avoid log spam and create possibility provide aggregated report
 - [feat] out of jail system: an attacker ip would go out of jail and will make some damage again before being put in jail, prevent that

diff --git a/docs/benchmark.md b/docs/benchmark.md
@@ -5,28 +5,28 @@ Using `mix benchmark`, we try different phoenix_ddos configurations:
 | Configuration             | Speed                        |
 | :------------------------ | :--------------------------- |
 |         1 ip 1 rate limit |     33 ms per 10_000 queries |
-|     10 ips 10 rate limits |    113 ms per 10_000 queries |
-|   500 ips 500 rate limits |   4716 ms per 10_000 queries |
+|     10 ips 10 rate limits |    114 ms per 10_000 queries |
+|   500 ips 500 rate limits |   4721 ms per 10_000 queries |
 |       1 path 1 rate limit |     14 ms per 10_000 queries |
 |    500 paths 1 rate limit |     14 ms per 10_000 queries |
 |          1 safelisted ip  |     14 ms per 10_000 queries |
-|        500 safelisted ips |     42 ms per 10_000 queries |
-|         1 blocklisted ip  |     44 ms per 10_000 queries |
-|       500 blocklisted ips |     68 ms per 10_000 queries |
+|        500 safelisted ips |     15 ms per 10_000 queries |
+|         1 blocklisted ip  |     14 ms per 10_000 queries |
+|       500 blocklisted ips |     15 ms per 10_000 queries |
 
 Comparison with previous versions:
 
-| Configuration             | Speed (v0.7.18)              |
-| :------------------------ | :--------------------------- |
-|         1 ip 1 rate limit |     38 ms per 10_000 queries |
-|     10 ips 10 rate limits |    148 ms per 10_000 queries |
-|   500 ips 500 rate limits |   5110 ms per 10_000 queries |
-|       1 path 1 rate limit |     25 ms per 10_000 queries |
-|    500 paths 1 rate limit |   2450 ms per 10_000 queries |
-|          1 safelisted ip  |                            - |
-|        500 safelisted ips |                            - |
-|         1 blocklisted ip  |                            - |
-|       500 blocklisted ips |                            - |
+| Configuration             | Speed  (v1.1.4)              | Speed (v0.7.18)              |
+| :------------------------ | :--------------------------- | :--------------------------- |
+|         1 ip 1 rate limit |     33 ms per 10_000 queries |     38 ms per 10_000 queries |
+|     10 ips 10 rate limits |    113 ms per 10_000 queries |    148 ms per 10_000 queries |
+|   500 ips 500 rate limits |   4716 ms per 10_000 queries |   5110 ms per 10_000 queries |
+|       1 path 1 rate limit |     14 ms per 10_000 queries |     25 ms per 10_000 queries |
+|    500 paths 1 rate limit |     14 ms per 10_000 queries |   2450 ms per 10_000 queries |
+|          1 safelisted ip  |     14 ms per 10_000 queries |                            - |
+|        500 safelisted ips |     42 ms per 10_000 queries |                            - |
+|         1 blocklisted ip  |     44 ms per 10_000 queries |                            - |
+|       500 blocklisted ips |     68 ms per 10_000 queries |                            - |
 
 
 running on 1 thread on a i9-9900k NOC

diff --git a/lib/phoenix_ddos/template/engine.eex b/lib/phoenix_ddos/template/engine.eex
@@ -41,12 +41,10 @@ defmodule PhoenixDDoS.Engine do
 
     cond do
 <%= if Application.get_env(:phoenix_ddos, :blocklist_ips, []) != [] do %>
-      ip in <%= PhoenixDDoS.TemplateHelper.render_list(Application.get_env(:phoenix_ddos, :blocklist_ips)) %> ->
-        Dredd.reject(conn)
+      blocklist_ips?(ip) -> Dredd.reject(conn)
 <% end %>
 <%= if Application.get_env(:phoenix_ddos, :safelist_ips, []) != [] do %>
-      ip in <%= PhoenixDDoS.TemplateHelper.render_list(Application.get_env(:phoenix_ddos, :safelist_ips)) %> ->
-        conn
+      safelist_ips?(ip) -> conn
 <% end %>
 
       Jail.in_jail?(ip) ->
@@ -64,7 +62,6 @@ defmodule PhoenixDDoS.Engine do
 <% end %>
         # |> IO.inspect()
         |> RateLimit.batch_check()
-        # |> IO.inspect()
 
         cond do
           decisions[:jail] ->
@@ -94,4 +91,14 @@ defmodule PhoenixDDoS.Engine do
   def get_prot_cfg("<%= cfg.id %>"), do: {<%= prot %>, <%= inspect(cfg) %>}
 <% end %>
   def get_prot_cfg(_), do: {nil, nil}
+
+<%= for ip <- Application.get_env(:phoenix_ddos, :blocklist_ips, []) do %>
+  def blocklist_ips?(<%= inspect(ip) %>), do: true
+<% end %>
+  def blocklist_ips?(_), do: false
+
+<%= for ip <- Application.get_env(:phoenix_ddos, :safelist_ips, []) do %>
+  def safelist_ips?(<%= inspect(ip) %>), do: true
+<% end %>
+  def safelist_ips?(_), do: false
 end