pub struct SessionManager {
    pub max_connections: usize,
    pub nb_connections: usize,
    pub can_accept: bool,
    pub slab: Slab<Rc<RefCell<dyn ProxySession>>>,
    pub max_connections_per_ip: u64,
    pub retry_after: u32,
    /* private fields */
}

Fields

max_connections: usize
nb_connections: usize
can_accept: bool
slab: Slab<Rc<RefCell<dyn ProxySession>>>
max_connections_per_ip: u64
Default per-(cluster, source-IP) connection limit. 0 disables
the feature; cluster-level overrides take precedence at check
time.
retry_after: u32
Default Retry-After header value (seconds) for HTTP 429
responses emitted on per-(cluster, source-IP) limit hit. 0
omits the header.

Implementations

impl SessionManager

pub fn new(
    slab: Slab<Rc<RefCell<dyn ProxySession>>>,
    max_connections: usize,
    max_connections_per_ip: u64,
    retry_after: u32,
) -> Rc<RefCell<Self>>
pub fn effective_max_connections_per_ip(&self, override_value: Option<u64>) -> u64
Resolve the effective per-(cluster, source-IP) limit. override_value
is the cluster-level setting from the proto Cluster message:
None inherits the global default, Some(0) is explicit
“unlimited”, Some(n > 0) overrides.
pub fn effective_retry_after(&self, override_value: Option<u32>) -> u32
Resolve the effective Retry-After header value. Some(0) (or
the global default of 0) signals “omit the header” — caller
must skip emission rather than render Retry-After: 0.
pub fn cluster_ip_at_limit(
    &self,
    token: Token,
    cluster_id: &str,
    ip: &IpAddr,
    override_value: Option<u64>,
) -> bool
Returns true when admitting token to one more connection for
(cluster, ip) would exceed the resolved limit. 0 is treated
as unlimited. A token that already holds a slot for this
(cluster, ip) is NEVER at the limit — H2 sessions multiplex
many streams to the same cluster on a single connection, and
the limit governs distinct frontend connections, not streams.
Hot-path: called for every cluster-resolving request from
mux/router::connect. The nested-map storage lets both lookups
borrow cluster_id and ip; no per-call allocation runs here
in steady state.
pub fn track_cluster_ip(&mut self, token: Token, cluster_id: String, ip: IpAddr)
Account token’s active connection against (cluster, ip).
Idempotent within a token: a second call for the same
(cluster, ip) is a no-op so H2 retries / multi-stream opens
to the same cluster do not double-count.
Allocates a single owned String per (token, cluster) pair on
first observation — entry(cluster_id.clone()) materialises a
new outer-map slot. Subsequent IPs under the same (token, cluster) reuse the existing slot.
pub fn untrack_all_cluster_ip(&mut self, token: Token)
Drain every (cluster, ip) slot held by token and apply the
matching decrements. Called on session teardown only — there is
no per-stream untrack because the limit is per-connection, not
per-stream. Removes empty inner maps so the outer
connections_per_cluster_ip does not retain (cluster_id, empty_map) orphans across cluster lifetimes.
pub fn clear_cluster_ip_tracking(&mut self)
Wipe every per-(cluster, source-IP) accounting bucket. Called by
the runtime SetMaxConnectionsPerIp(0) path so disabling the
feature does not leave dead bookkeeping behind that a future
re-enable would consult.
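
The per-(cluster, source-IP) accounting described for cluster_ip_at_limit, track_cluster_ip and untrack_all_cluster_ip, as an added model that is not the crate's own code. IpLimiter, its field names and the usize token are assumptions, and only the standard library is used.

```rust
use std::collections::{HashMap, HashSet};
use std::net::IpAddr;
// Simplified model (assumption): illustrative names; unlike the documented
// hot path, this version allocates a String on every lookup.
#[derive(Default)]
struct IpLimiter {
    default_limit: u64,                              // 0 disables the feature
    counts: HashMap<String, HashMap<IpAddr, u64>>,   // cluster -> ip -> connections
    held: HashMap<usize, HashSet<(String, IpAddr)>>, // token -> slots it holds
}

impl IpLimiter {
    // None inherits the default, Some(0) is unlimited, Some(n > 0) overrides.
    fn effective_limit(&self, ov: Option<u64>) -> u64 {
        ov.unwrap_or(self.default_limit)
    }
    // True when one more connection for (cluster, ip) would exceed the limit.
    fn at_limit(&self, token: usize, cluster: &str, ip: IpAddr, ov: Option<u64>) -> bool {
        let limit = self.effective_limit(ov);
        let key = (cluster.to_string(), ip);
        // Unlimited, or the token already holds this slot (another H2 stream).
        if limit == 0 || self.held.get(&token).map_or(false, |s| s.contains(&key)) {
            return false;
        }
        self.counts.get(cluster).and_then(|m| m.get(&ip)).map_or(false, |n| *n >= limit)
    }
    // Idempotent per token: only the first call for a (cluster, ip) counts.
    fn track(&mut self, token: usize, cluster: &str, ip: IpAddr) {
        if self.held.entry(token).or_default().insert((cluster.to_string(), ip)) {
            *self.counts.entry(cluster.to_string()).or_default().entry(ip).or_insert(0) += 1;
        }
    }
    // Session teardown: release every slot the token holds, then prune empties.
    fn untrack_all(&mut self, token: usize) {
        for (cluster, ip) in self.held.remove(&token).unwrap_or_default() {
            if let Some(inner) = self.counts.get_mut(&cluster) {
                if let Some(n) = inner.get_mut(&ip) { *n = n.saturating_sub(1); }
                inner.retain(|_, n| *n > 0);
            }
        }
        self.counts.retain(|_, inner| !inner.is_empty()); // no (cluster, empty map) orphans
    }
}

fn main() {
    let ip: IpAddr = "192.0.2.10".parse().unwrap(); // constructed sample address
    let mut l = IpLimiter { default_limit: 1, ..Default::default() };
    l.track(1, "api", ip);
    println!("second connection blocked: {}", l.at_limit(2, "api", ip, None));
    l.untrack_all(1);
}
```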
pub fn at_capacity(&self) -> bool
The slab is considered at capacity if it contains more sessions than twice max_connections.
pub fn accept_slab_threshold(&self) -> usize
The slab fill level at which at_capacity flips to true and the
accept queue is flushed. Reported as slab.accept_threshold so the
per-iteration slab.accept_threshold_percent gauge in the run loop
can chart proximity to this gate, distinct from raw slab usage.
The constant 10 + 2 * max_connections is the historical pre-knob
budget; configured slab capacity is
10 + slab_entries_per_connection * max_connections (see
command/src/config.rs) and can be larger, so slab.usage_percent
(against slab.capacity()) and slab.accept_threshold_percent
(against this gate) are emitted as independent gauges.
pub fn check_limits(&mut self) -> bool
Check the number of connections against max_connections, and the slab capacity. Returns false if limits are reached.