Added configuration parameters

Author: fdurand

conf/documentation.conf

@@ -1880,6 +1880,19 @@ description=<<EOT
 The size of the queue for each worker.
 EOT
 
+[radius_configuration.pfacct_rate_limit]
+type=toggle
+options=enable|disabled
+description=<<EOT
+Enable the rate limiting on pfacct to prevent hammering httpd.aaa
+EOT
+
+[radius_configuration.pfacct_rate_limit_cache_ttl]
+type=numeric
+description=<<EOT
+If rate limiting on pfacct is enabled,  the Time to Live value in minutes represent the time of the accounting cache
+EOT
+
 [dns_configuration.record_dns_in_sql]
 type=toggle
 options=enabled|disabled

conf/pf.conf.defaults

@@ -1418,6 +1418,14 @@ pfacct_workers = 0
 #
 # The size of the queue for each worker.
 pfacct_work_queue_size = 1000
+# radius_configuration.pfacct_rate_limit
+#
+# Enable the rate limiting on pfacct to prevent hammering httpd.aaa
+pfacct_rate_limit=disabled
+# radius_configuration.pfacct_rate_limit_cache_ttl
+#
+# If rate limiting on pfacct is enabled,  the Time to Live value in minutes represent the time of the accounting cache
+pfacct_rate_limit_cache_ttl=5
 
 [dns_configuration]
 #

go/cmd/pfacct/pfacct.go

@@ -38,33 +38,35 @@ type radiusRequest struct {
 
 type PfAcct struct {
 	RadiusStatements
-	TimeDuration         time.Duration
-	Db                   *sql.DB
-	AllowedNetworks      []net.IPNet
-	NetFlowPort          string
-	NetFlowAddress       string
-	Management           pfconfigdriver.ManagementNetwork
-	AAAClient            *jsonrpc2.Client
-	LoggerCtx            context.Context
-	Dispatcher           *Dispatcher
-	SwitchInfoCache      *cache.Cache
-	NodeSessionCache     *cache.Cache
-	AcctSessionCache     *cache.Cache
-	RateLimit            *cache.Cache
-	MacNas               *cache.Cache
-	StatsdAddress        string
-	StatsdOption         statsd.Option
-	StatsdClient         *statsd.Client
-	radiusRequests       []chan<- radiusRequest
-	overflows            []atomic.Int64
-	localSecret          string
-	StatsdOnce           tryableonce.TryableOnce
-	isProxied            bool
-	radiusdAcctEnabled   bool
-	AllNetworks          bool
-	ProcessBandwidthAcct bool
-	RadiusWorkers        int
-	RadiusWorkQueueSize  int
+	TimeDuration            time.Duration
+	Db                      *sql.DB
+	AllowedNetworks         []net.IPNet
+	NetFlowPort             string
+	NetFlowAddress          string
+	Management              pfconfigdriver.ManagementNetwork
+	AAAClient               *jsonrpc2.Client
+	LoggerCtx               context.Context
+	Dispatcher              *Dispatcher
+	SwitchInfoCache         *cache.Cache
+	NodeSessionCache        *cache.Cache
+	AcctSessionCache        *cache.Cache
+	RateLimitCache          *cache.Cache
+	MacNasCache             *cache.Cache
+	RateLimit               bool
+	PfacctRateLimitCacheTtl int
+	StatsdAddress           string
+	StatsdOption            statsd.Option
+	StatsdClient            *statsd.Client
+	radiusRequests          []chan<- radiusRequest
+	overflows               []atomic.Int64
+	localSecret             string
+	StatsdOnce              tryableonce.TryableOnce
+	isProxied               bool
+	radiusdAcctEnabled      bool
+	AllNetworks             bool
+	ProcessBandwidthAcct    bool
+	RadiusWorkers           int
+	RadiusWorkQueueSize     int
 }
 
 func NewPfAcct() *PfAcct {
@@ -92,8 +94,7 @@ func NewPfAcct() *PfAcct {
 	pfAcct.SwitchInfoCache = cache.New(5*time.Minute, 10*time.Minute)
 	pfAcct.NodeSessionCache = cache.New(cache.NoExpiration, cache.NoExpiration)
 	pfAcct.AcctSessionCache = cache.New(5*time.Minute, 10*time.Minute)
-	pfAcct.RateLimit = cache.New(5*time.Minute, 10*time.Minute)
-	pfAcct.MacNas = cache.New(5*time.Minute, 10*time.Minute)
+
 	pfAcct.LoggerCtx = ctx
 	pfAcct.RadiusStatements.Setup(pfAcct.Db)
 
@@ -172,6 +173,10 @@ func (pfAcct *PfAcct) SetupConfig(ctx context.Context) {
 	var RadiusConfiguration pfconfigdriver.PfConfRadiusConfiguration
 	pfconfigdriver.FetchDecodeSocket(ctx, &RadiusConfiguration)
 	pfAcct.ProcessBandwidthAcct = sharedutils.IsEnabled(RadiusConfiguration.ProcessBandwidthAccounting)
+	pfAcct.RateLimit = sharedutils.IsEnabled(RadiusConfiguration.PfacctRateLimit)
+	pfAcct.PfacctRateLimitCacheTtl = RadiusConfiguration.PfacctRateLimitCacheTtl
+	pfAcct.RateLimitCache = cache.New(time.Duration(RadiusConfiguration.PfacctRateLimitCacheTtl)*time.Minute, 10*time.Minute)
+	pfAcct.MacNasCache = cache.New(time.Duration(RadiusConfiguration.PfacctRateLimitCacheTtl)*time.Minute, 10*time.Minute)
 
 	if !pfAcct.ProcessBandwidthAcct {
 		logInfo(ctx, "Not processing bandwidth accounting records. To enable set radius_configuration.process_bandwidth_accounting = enabled")

go/cmd/pfacct/radius.go

@@ -335,7 +335,7 @@ func (h *PfAcct) sendRadiusAccountingCall(r *radius.Request) {
 
 	status := rfc2866.AcctStatusType_Get(r.Packet)
 
-	if h.rateLimit(attr, status) {
+	if h.RateLimit && h.rateLimit(attr, status) {
 		if err := h.AAAClient.Notify(ctx, "radius_accounting", attr); err != nil {
 			logError(ctx, err.Error())
 		}
@@ -359,39 +359,41 @@ func (h *PfAcct) rateLimit(attr map[string]interface{}, status rfc2866.AcctStatu
 		macAddress, _ = mac.NewFromString(CallingStationId.(string))
 	}
 
-	macOldLocation, macOldLocationExists := h.MacNas.Get(macAddress.String())
+	macOldLocation, macOldLocationExists := h.MacNasCache.Get(macAddress.String())
 
 	// Generate the keys
 	if CalledStationIdExists {
 		key = rfc2866.AcctStatusType_Strings[status] + "-" + CalledStationId.(string) + "-" + CallingStationId.(string)
 		keyStart = "Start" + "-" + CalledStationId.(string) + "-" + CallingStationId.(string)
 		macLocValue = CalledStationId.(string)
-		// h.MacNas.Set(macAddress.String(), CalledStationId, 5*time.Minute)
 
 	} else if NasIPExists {
 		key = rfc2866.AcctStatusType_Strings[status] + "-" + NasIp.(string) + "-" + CallingStationId.(string)
 		keyStart = "Start" + "-" + NasIp.(string) + "-" + CallingStationId.(string)
 		macLocValue = NasIp.(string)
-		// h.MacNas.Set(macAddress.String(), CalledStationId, 5*time.Minute)
 	} else {
 		return true
 	}
 
 	if rfc2866.AcctStatusType_Strings[status] == "Start" {
-		ip, exists := h.RateLimit.Get(key)
+		ip, exists := h.RateLimitCache.Get(key)
 		if !exists {
-			h.RateLimit.Set(key, FramedIPAddress, 5*time.Minute)
+			if FramedIPAddressExists {
+				h.RateLimitCache.Set(key, FramedIPAddress, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+			} else {
+				h.RateLimitCache.Set(key, "0.0.0.0", time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+			}
 			// Purge old Start entry
 			if macOldLocationExists && macOldLocation != macLocValue {
 				// Replace the location
-				h.MacNas.Set(macAddress.String(), macLocValue, 5*time.Minute)
-				h.RateLimit.Delete("Start" + macOldLocation.(string) + CallingStationId.(string))
+				h.MacNasCache.Set(macAddress.String(), macLocValue, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+				h.RateLimitCache.Delete("Start" + "-" + macOldLocation.(string) + "-" + CallingStationId.(string))
 			}
 			return true
 		} else {
 			if FramedIPAddressExists && FramedIPAddress != ip.(string) {
-				h.RateLimit.Set(key, FramedIPAddress, 5*time.Minute)
-				h.MacNas.Set(macAddress.String(), macLocValue, 5*time.Minute)
+				h.RateLimitCache.Set(key, FramedIPAddress, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+				h.MacNasCache.Set(macAddress.String(), macLocValue, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
 				return true
 			} else {
 				return false
@@ -400,11 +402,11 @@ func (h *PfAcct) rateLimit(attr map[string]interface{}, status rfc2866.AcctStatu
 	}
 	if rfc2866.AcctStatusType_Strings[status] == "Interim-Update" {
 		// Verify that we already got a start
-		ip, exists := h.RateLimit.Get(keyStart)
+		ip, exists := h.RateLimitCache.Get(keyStart)
 		if exists {
 			if FramedIPAddressExists && FramedIPAddress != ip.(string) {
-				h.RateLimit.Set(key, FramedIPAddress, 5*time.Minute)
-				h.MacNas.Set(macAddress.String(), macLocValue, 5*time.Minute)
+				h.RateLimitCache.Set(keyStart, FramedIPAddress, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+				h.MacNasCache.Set(macAddress.String(), macLocValue, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
 				return true
 			} else {
 				return false
@@ -413,17 +415,16 @@ func (h *PfAcct) rateLimit(attr map[string]interface{}, status rfc2866.AcctStatu
 	}
 	if rfc2866.AcctStatusType_Strings[status] == "Stop" {
 		// Verify that we already got a start
-		ip, exists := h.RateLimit.Get(keyStart)
+		ip, exists := h.RateLimitCache.Get(keyStart)
 		if exists {
 			if FramedIPAddressExists && FramedIPAddress != ip.(string) {
-				h.RateLimit.Set(key, FramedIPAddress, 5*time.Minute)
-				h.MacNas.Set(macAddress.String(), macLocValue, 5*time.Minute)
+				h.RateLimitCache.Set(keyStart, FramedIPAddress, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
+				h.MacNasCache.Set(macAddress.String(), macLocValue, time.Duration(h.PfacctRateLimitCacheTtl)*time.Minute)
 				return true
 			} else {
 				return false
 			}
 		}
-
 	}
 	return false
 }

go/pfconfigdriver/structs.go

@@ -711,6 +711,8 @@ type PfConfRadiusConfiguration struct {
 	ProcessBandwidthAccounting         string   `json:"process_bandwidth_accounting"`
 	PfacctWorkers                      string   `json:"pfacct_workers"`
 	PfacctWorkQueueSize                string   `json:"pfacct_work_queue_size"`
+	PfacctRateLimit                    string   `json:"pfacct_rate_limit"`
+	PfacctRateLimitCacheTtl            int      `json:"pfacct_rate_limit_cache_ttl"`
 }
 
 type PfQueueConfig struct {

html/pfappserver/root/src/views/Configuration/radius/general/_components/TheForm.vue

@@ -104,6 +104,18 @@
                                        :text="$i18n.t('The size of the queue for each worker. Requires a restart of pfacct to be effective')"
     />
 
+    <form-group-pfacct-rate-limit namespace="pfacct_rate_limit"
+                                       :column-label="$i18n.t('Pfacct Rate Limiting')"
+                                       :text="$i18n.t('Enable the rate limiting in pfacct to avoid hammering httpd.aaa. Requires a restart of pfacct to be effective')"
+                                       enabled-value="enabled"
+                                       disabled-value="disabled"
+    />
+
+    <form-group-pfacct-rate-limit-cache-ttl namespace="pfacct_rate_limit_cache_ttl"
+                                       :column-label="$i18n.t('Pfacct Rate Limiting Time to Live')"
+                                       :text="$i18n.t('Time to Live value in minutes, should be a little bit more than the Interim Update value. Requires a restart of pfacct to be effective')"
+    />
+
     <form-group-radius-attributes namespace="radius_attributes"
                                   :column-label="$i18n.t('RADIUS attributes')"
                                   :text="$i18n.t('List of RADIUS attributes that can be used in the sources configuration.')"
@@ -159,6 +171,8 @@ import {
   FormGroupNtlmRedisCache,
   FormGroupPfacctWorkers,
   FormGroupPfacctWorkQueueSize,
+  FormGroupPfacctRateLimit,
+  FormGroupPfacctRateLimitCacheTtl,
   FormGroupProcessBandwidthAccounting,
   FormGroupRadiusAttributes,
   FormGroupRecordAccountingInSql,
@@ -188,7 +202,9 @@ const components = {
   FormGroupProcessBandwidthAccounting,
   FormGroupUsernameAttributes,
   FormGroupPfacctWorkers,
-  FormGroupPfacctWorkQueueSize
+  FormGroupPfacctWorkQueueSize,
+  FormGroupPfacctRateLimit,
+  FormGroupPfacctRateLimitCacheTtl
 }
 
 export const props = {

html/pfappserver/root/src/views/Configuration/radius/general/_components/index.js

@@ -30,6 +30,8 @@ export {
   BaseFormGroupTextarea as FormGroupUsernameAttributes,
   BaseFormGroupInputNumber as FormGroupPfacctWorkers,
   BaseFormGroupInputNumber as FormGroupPfacctWorkQueueSize,
+  BaseFormGroupSwitch as FormGroupPfacctRateLimit,
+  BaseFormGroupInputNumber as FormGroupPfacctRateLimitCacheTtl,
 
   BaseViewResource as BaseView,
   TheForm,