MXS-2773: Make host blocking an optional feature

In cases where servers are known to be down on startup, this feature does more harm than good. Disabling it in these cases would be preferable but due to how the parameter is used, it is not possible.
2019-11-28 17:43:57 +02:00 · 2019-11-28 17:43:57 +02:00 · ab8393939b
commit ab8393939b
parent 09e6d9eeae
4 changed files with 27 additions and 14 deletions
--- a/Documentation/Getting-Started/Configuration-Guide.md
+++ b/Documentation/Getting-Started/Configuration-Guide.md
@ -1038,7 +1038,8 @@ unexpected outage happens.

 The maximum number of authentication failures that are tolerated before a host
 is temporarily blocked. The default value is 10 failures. After a host is
-blocked, connections from it are rejected for 60 seconds.
+blocked, connections from it are rejected for 60 seconds. To disable this
+feature, set the value to 0.

 Note that the configured value is not a hard limit. The number of tolerated
 failures is between `max_auth_errors_until_block` and `threads *
--- a/server/core/config.cc
+++ b/server/core/config.cc
@ -2768,7 +2768,7 @@ static int handle_global_item(const char* name, const char* value)
    {
        char* endptr;
        int intval = strtol(value, &endptr, 0);
-        if (*endptr == '\0' && intval > 0)
+        if (*endptr == '\0' && intval >= 0)
        {
            gateway.max_auth_errors_until_block = intval;
        }
--- a/server/core/config_runtime.cc
+++ b/server/core/config_runtime.cc
@ -928,8 +928,9 @@ bool runtime_alter_maxscale(const char* name, const char* value)
    }
    else if (key == CN_MAX_AUTH_ERRORS_UNTIL_BLOCK)
    {
-        if (int intval = get_positive_int(value))
+        if (is_valid_integer(value))
        {
+            int intval = atoi(value);
            MXS_NOTICE("Updated '%s' from %d to %d",
                       CN_MAX_AUTH_ERRORS_UNTIL_BLOCK,
                       cnf.max_auth_errors_until_block,
--- a/server/core/listener.cc
+++ b/server/core/listener.cc
@ -65,27 +65,38 @@ public:
     */
    bool mark_auth_as_failed(const std::string& remote)
    {
-        auto& u = m_failures[remote];
-        u.last_failure = Clock::now();
-        return ++u.failures == config_get_global_options()->max_auth_errors_until_block;
+        bool rval = false;
+
+        if (int limit = config_get_global_options()->max_auth_errors_until_block)
+        {
+            auto& u = m_failures[remote];
+            u.last_failure = Clock::now();
+            rval = ++u.failures == limit;
+        }
+
+        return rval;
    }

    bool is_blocked(const std::string& remote)
    {
        bool rval = false;
-        auto it = m_failures.find(remote);

-        if (it != m_failures.end())
+        if (int limit = config_get_global_options()->max_auth_errors_until_block)
        {
-            auto& u = it->second;
+            auto it = m_failures.find(remote);

-            if (Clock::now() - u.last_failure > seconds(BLOCK_TIME))
+            if (it != m_failures.end())
            {
-                u.last_failure = Clock::now();
-                u.failures = 0;
-            }
+                auto& u = it->second;

-            rval = u.failures >= config_get_global_options()->max_auth_errors_until_block;
+                if (Clock::now() - u.last_failure > seconds(BLOCK_TIME))
+                {
+                    u.last_failure = Clock::now();
+                    u.failures = 0;
+                }
+
+                rval = u.failures >= limit;
+            }
        }

        return rval;