use std::{
collections::HashMap,
net::IpAddr,
sync::Arc,
time::{Duration, Instant},
};
use dashmap::DashMap;
use tokio::sync::RwLock;
use tracing::{debug, warn};
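/// A per-IP rate limiter using a sliding window algorithm.
///
/// Each admitted request records one timestamp under the caller's address. A
/// request is admitted while fewer than `max_tokens` recorded timestamps are
/// younger than `window_duration`.
///
/// Things to keep in mind when deploying it:
///
/// * The key is the full [`IpAddr`], so every distinct address gets its own
///   budget and its own map entry. Entries are only dropped by
///   [`RateLimiter::cleanup_ip`] and [`RateLimiter::periodic_cleanup`], so the
///   map can grow between sweeps when many distinct addresses connect.
///   Callers that face clients able to vary their address (for example within
///   an IPv6 prefix) may want to normalise the address before passing it in.
/// * Every check takes the write side of a single lock, so checks for all
///   addresses are serialized.
/// * Each rejection is logged at `warn` level, so sustained overload produces
///   one log line per rejected request.
///
/// Clones share the same underlying state through the inner `Arc`.
#[derive(Clone)]
pub struct RateLimiter {
    /// Admissions allowed per address per window; `0` disables limiting.
    max_tokens: u64,
    /// Length of the sliding window.
    window_duration: Duration,
    /// Timestamps of admitted requests, grouped by client address.
    tokens: Arc<RwLock<HashMap<IpAddr, Vec<Instant>>>>,
}

impl RateLimiter {
    /// Creates a new rate limiter.
    ///
    /// # Parameters
    ///
    /// * `max_tokens` - Maximum number of tokens (connections) allowed per
    ///   address per window. `0` disables rate limiting.
    /// * `window_duration_secs` - Window duration in seconds.
    ///
    /// # Returns
    ///
    /// A new RateLimiter instance with no recorded history.
    pub fn new(max_tokens: u64, window_duration_secs: u64) -> Self {
        Self {
            max_tokens,
            window_duration: Duration::from_secs(window_duration_secs),
            tokens: Arc::new(RwLock::new(HashMap::new())),
        }
    }

    /// Returns `true` when `ts` is still inside the window that ends at `now`.
    ///
    /// The age is computed with a saturating subtraction rather than
    /// `now - window_duration`: subtracting a `Duration` from an `Instant`
    /// panics when the result cannot be represented, which a very large
    /// window can trigger.
    fn is_within_window(&self, now: Instant, ts: Instant) -> bool {
        now.saturating_duration_since(ts) < self.window_duration
    }

    /// Checks if a connection from the given IP is allowed.
    ///
    /// An admitted connection is recorded immediately, so it counts against
    /// the address's budget even if the caller later refuses it for another
    /// reason.
    ///
    /// # Parameters
    ///
    /// * `ip` - The IP address to check.
    ///
    /// # Returns
    ///
    /// `true` if the connection is allowed, `false` otherwise. Always `true`
    /// when the limiter was built with `max_tokens == 0`.
    pub async fn check_rate_limit(&self, ip: IpAddr) -> bool {
        if self.max_tokens == 0 {
            return true; // No rate limiting
        }

        let mut tokens = self.tokens.write().await;
        let now = Instant::now();

        // Get or create the timestamp vector for this IP, then drop
        // everything that has aged out of the window.
        let timestamps = tokens.entry(ip).or_default();
        timestamps.retain(|&ts| self.is_within_window(now, ts));

        // Widen the length to u64 instead of narrowing the limit to usize:
        // `max_tokens as usize` would silently truncate on 32-bit targets.
        if (timestamps.len() as u64) < self.max_tokens {
            timestamps.push(now);
            debug!(
                "Rate limit check passed for IP: {}, count: {}/{}",
                ip,
                timestamps.len(),
                self.max_tokens
            );
            true
        } else {
            warn!(
                "Rate limit exceeded for IP: {}, count: {}/{}",
                ip,
                timestamps.len(),
                self.max_tokens
            );
            false
        }
    }

    /// Removes all timestamps for a given IP.
    ///
    /// This discards the address's whole window history, so its next check
    /// starts from an empty window. The original comment says this is called
    /// when a connection closes; if callers do that, a client regains its
    /// full budget as soon as it closes a connection, which defeats the
    /// limit for open-and-close traffic. NOTE(review): no caller is visible
    /// here; confirm the intended use before wiring it to connection close.
    pub async fn cleanup_ip(&self, ip: IpAddr) {
        let mut tokens = self.tokens.write().await;
        tokens.remove(&ip);
    }

    /// Periodically cleanup old timestamps to prevent memory leaks.
    ///
    /// Drops every timestamp that has left the window and then every address
    /// that has no timestamps left. Holds the write lock for the whole sweep.
    pub async fn periodic_cleanup(&self) {
        let mut tokens = self.tokens.write().await;
        let now = Instant::now();

        tokens.retain(|_, timestamps| {
            timestamps.retain(|&ts| self.is_within_window(now, ts));
            // Remove empty entries
            !timestamps.is_empty()
        });
    }
}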
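/// Limits the number of connections per IP address.
///
/// The limiter keeps one counter per address: [`check_connection_limit`]
/// increments it when it admits a connection and [`release_connection`]
/// decrements it. The count is only as accurate as the caller's pairing of
/// those two calls:
///
/// * every `true` from `check_connection_limit` must be followed by exactly
///   one `release_connection` when that connection ends, otherwise the
///   address stays counted;
/// * `release_connection` must not be called for a connection that was
///   refused, otherwise an admitted connection is uncounted and the address
///   can exceed its limit.
///
/// Clones share the same counters through the inner `Arc`.
///
/// [`check_connection_limit`]: IpConnectionLimiter::check_connection_limit
/// [`release_connection`]: IpConnectionLimiter::release_connection
#[derive(Clone)]
pub struct IpConnectionLimiter {
    /// Highest number of simultaneously counted connections per address.
    max_connections_per_ip: usize,
    /// Number of currently counted connections, keyed by client address.
    ip_connections: Arc<DashMap<IpAddr, usize>>,
}

impl IpConnectionLimiter {
    /// Creates a new IP connection limiter.
    ///
    /// # Parameters
    ///
    /// * `max_connections_per_ip` - Maximum number of connections per IP.
    ///   With `0` every connection is refused.
    ///
    /// # Returns
    ///
    /// A new IpConnectionLimiter instance.
    pub fn new(max_connections_per_ip: usize) -> Self {
        Self {
            max_connections_per_ip,
            ip_connections: Arc::new(DashMap::new()),
        }
    }

    /// Checks if a connection from the given IP is allowed.
    ///
    /// On success the address's counter is incremented, so the caller owes a
    /// matching [`IpConnectionLimiter::release_connection`].
    ///
    /// # Parameters
    ///
    /// * `ip` - The IP address to check.
    ///
    /// # Returns
    ///
    /// `true` if the connection is allowed, `false` otherwise.
    pub fn check_connection_limit(&self, ip: IpAddr) -> bool {
        // A zero limit can never admit anything. Refuse before touching the
        // map so refused addresses do not leave zero-valued entries behind.
        if self.max_connections_per_ip == 0 {
            warn!(
                "Connection limit exceeded for IP: {}, count: {}/{}",
                ip, 0, self.max_connections_per_ip
            );
            return false;
        }

        // The entry guard keeps the check and the increment atomic for this
        // address.
        let mut count = self.ip_connections.entry(ip).or_insert(0);
        if *count < self.max_connections_per_ip {
            *count += 1;
            debug!(
                "Connection limit check passed for IP: {}, count: {}/{}",
                ip, *count, self.max_connections_per_ip
            );
            true
        } else {
            warn!(
                "Connection limit exceeded for IP: {}, count: {}/{}",
                ip, *count, self.max_connections_per_ip
            );
            false
        }
    }

    /// Records that a connection from the given IP has closed.
    ///
    /// Does nothing when the address has no counter. When the counter reaches
    /// zero the entry is removed so idle addresses do not accumulate.
    pub fn release_connection(&self, ip: IpAddr) {
        // Decrement inside its own scope so the map guard is released before
        // the entry is removed: `DashMap::remove` may deadlock when called
        // while a reference into the map is still held.
        let remaining = match self.ip_connections.get_mut(&ip) {
            Some(mut count) => {
                *count = (*count).saturating_sub(1);
                *count
            }
            None => return,
        };

        if remaining == 0 {
            // Re-check under the lock: another thread may have admitted a
            // new connection for this address after the guard was dropped.
            self.ip_connections.remove_if(&ip, |_, count| *count == 0);
        }

        debug!(
            "Connection released for IP: {}, remaining count: {}",
            ip, remaining
        );
    }

    /// Gets the current number of connections for a given IP.
    ///
    /// Returns `0` for an address that has no counter.
    pub fn get_connection_count(&self, ip: IpAddr) -> usize {
        self.ip_connections.get(&ip).map_or(0, |count| *count)
    }
}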
/// A combined limiter that manages both rate limiting and per-IP connection limits.
///
/// Either half can be switched off at construction time; a disabled half is
/// stored as `None` and never consulted.
pub struct ConnectionLimiter {
    /// Sliding-window limiter, present only when rate limiting is enabled.
    rate_limiter: Option<RateLimiter>,
    /// Per-address connection counter, present only when it is enabled.
    ip_limiter: Option<IpConnectionLimiter>,
}

impl ConnectionLimiter {
    /// Creates a new connection limiter.
    ///
    /// # Parameters
    ///
    /// * `rate_limit` - Maximum connections per second for each address
    ///   (0 to disable). The window is fixed at one second.
    /// * `max_connections_per_ip` - Maximum connections per IP (0 to disable).
    ///
    /// # Returns
    ///
    /// A new ConnectionLimiter instance.
    pub fn new(rate_limit: u64, max_connections_per_ip: usize) -> Self {
        Self {
            rate_limiter: (rate_limit > 0).then(|| RateLimiter::new(rate_limit, 1)),
            ip_limiter: (max_connections_per_ip > 0)
                .then(|| IpConnectionLimiter::new(max_connections_per_ip)),
        }
    }

    /// Checks if a connection from the given address is allowed.
    ///
    /// The rate limiter is consulted first. An attempt it admits is recorded
    /// there even when the per-IP limit then refuses the connection.
    ///
    /// When this returns `true` and the per-IP limit is enabled, the address's
    /// connection counter has been incremented and the caller must call
    /// [`ConnectionLimiter::release_connection`] once the connection ends.
    /// When it returns `false`, no counter was incremented and
    /// `release_connection` must not be called for that attempt.
    ///
    /// # Parameters
    ///
    /// * `ip` - The IP address to check.
    ///
    /// # Returns
    ///
    /// `true` if the connection is allowed, `false` otherwise.
    pub async fn check_connection(&self, ip: IpAddr) -> bool {
        // Rate limit comes first; a disabled limiter always passes.
        let within_rate = match &self.rate_limiter {
            Some(limiter) => limiter.check_rate_limit(ip).await,
            None => true,
        };
        if !within_rate {
            return false;
        }

        // Then the per-IP connection limit, which also passes when disabled.
        match &self.ip_limiter {
            Some(limiter) => limiter.check_connection_limit(ip),
            None => true,
        }
    }

    /// Records that a connection from the given IP has closed.
    ///
    /// Only the per-IP counter is touched; the rate limiter's history is left
    /// as it is.
    pub fn release_connection(&self, ip: IpAddr) {
        if let Some(limiter) = self.ip_limiter.as_ref() {
            limiter.release_connection(ip);
        }
    }

    /// Starts the periodic cleanup task for the rate limiter.
    ///
    /// Spawns a detached Tokio task that sweeps the rate limiter every 60
    /// seconds and never exits on its own. Nothing is spawned when rate
    /// limiting is disabled.
    ///
    /// # Panics
    ///
    /// `tokio::spawn` panics when called outside a Tokio runtime.
    pub fn spawn_cleanup_task(self: Arc<Self>) {
        // The task owns a clone of the limiter (shared state), not `self`.
        let sweeper = match self.rate_limiter.as_ref() {
            Some(limiter) => limiter.clone(),
            None => return,
        };

        tokio::spawn(async move {
            let mut ticker = tokio::time::interval(Duration::from_secs(60));
            loop {
                ticker.tick().await;
                sweeper.periodic_cleanup().await;
            }
        });
    }
}
#[cfg(test)]
mod tests {
    //! Behavioural tests for the three limiters, using loopback addresses as
    //! the client identity.

    use super::*;
    use std::net::{Ipv4Addr, Ipv6Addr};

    /// IPv4 loopback address used as the client in most tests.
    fn v4_client() -> IpAddr {
        IpAddr::V4(Ipv4Addr::LOCALHOST)
    }

    /// IPv6 loopback address (`::1`).
    fn v6_client() -> IpAddr {
        IpAddr::V6(Ipv6Addr::LOCALHOST)
    }

    /// Five admissions fit in the window, the sixth is refused, and the
    /// budget is available again once the window has passed.
    #[tokio::test]
    async fn test_rate_limiter() {
        let limiter = RateLimiter::new(5, 1);
        let ip = v4_client();

        // First 5 connections should succeed
        for attempt in 1..=5 {
            let allowed = limiter.check_rate_limit(ip).await;
            assert!(allowed, "Connection {} should succeed", attempt);
        }

        // 6th connection should fail
        let sixth = limiter.check_rate_limit(ip).await;
        assert!(!sixth, "6th connection should fail");

        // Wait for window to expire
        tokio::time::sleep(Duration::from_secs(2)).await;

        // After window expires, should work again
        let after_window = limiter.check_rate_limit(ip).await;
        assert!(after_window, "Connection after window should succeed");
    }

    /// The per-IP counter refuses the fourth connection and admits again
    /// after one release.
    #[tokio::test]
    async fn test_ip_connection_limiter() {
        let limiter = IpConnectionLimiter::new(3);
        let ip = v4_client();

        // First 3 connections should succeed
        for attempt in 1..=3 {
            let allowed = limiter.check_connection_limit(ip);
            assert!(allowed, "Connection {} should succeed", attempt);
        }

        // 4th connection should fail
        let fourth = limiter.check_connection_limit(ip);
        assert!(!fourth, "4th connection should fail");

        // Release one connection
        limiter.release_connection(ip);

        // Now should work again
        let after_release = limiter.check_connection_limit(ip);
        assert!(after_release, "Connection after release should succeed");
    }

    /// With both limits enabled, the tighter per-IP limit decides.
    #[tokio::test]
    async fn test_connection_limiter_combined() {
        let limiter = Arc::new(ConnectionLimiter::new(5, 3));
        let ip = v4_client();

        // First 3 connections should succeed (limited by per-IP limit)
        for attempt in 1..=3 {
            let allowed = limiter.check_connection(ip).await;
            assert!(allowed, "Connection {} should succeed", attempt);
        }

        // 4th connection should fail (exceeds per-IP limit)
        let fourth = limiter.check_connection(ip).await;
        assert!(!fourth, "4th connection should fail (per-IP limit)");
    }

    /// A limit of zero switches the rate limiter off.
    #[tokio::test]
    async fn test_rate_limit_disabled() {
        let limiter = RateLimiter::new(0, 1);
        let ip = v4_client();

        // With rate limit disabled, all connections should succeed
        for attempt in 1..=100 {
            let allowed = limiter.check_rate_limit(ip).await;
            assert!(allowed, "Connection {} should succeed", attempt);
        }
    }

    /// IPv6 addresses are limited the same way as IPv4 ones.
    #[tokio::test]
    async fn test_ipv6_rate_limiting() {
        let limiter = RateLimiter::new(2, 1);
        let ip = v6_client();

        // Should work with IPv6 addresses
        let first = limiter.check_rate_limit(ip).await;
        let second = limiter.check_rate_limit(ip).await;
        let third = limiter.check_rate_limit(ip).await;
        assert!(first);
        assert!(second);
        assert!(!third);
    }
}