datamodel: stabilize rate-limiting schema

Author: alesmrazek

NEWS

@@ -32,6 +32,7 @@ Incompatible changes
   - /dnssec/trust-anchor-sentinel -> /dnssec/sentinel
   - /dnssec/trust-anchor-signal-query -> /dnssec/signal-query 
   - /logging/dnssec-bogus -> /dnssec/logging-bogus
+  - /rate-limiting/log-period -> /rate-limiting/logging-period
 
 
 Knot Resolver 6.0.11 (2025-02-26)

doc/_static/config.schema.json

@@ -1567,36 +1567,42 @@
         },
         "rate-limiting": {
             "description": "Configuration of rate limiting.",
-            "type": [
-                "object",
-                "null"
-            ],
+            "type": "object",
             "properties": {
-                "capacity": {
-                    "type": "integer",
-                    "minimum": 1,
-                    "description": "Expected maximal number of blocked networks/hosts at the same time.",
-                    "default": 524288
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Enable/disable rate limiting",
+                    "default": false
                 },
                 "rate-limit": {
-                    "type": "integer",
+                    "type": [
+                        "integer",
+                        "null"
+                    ],
                     "minimum": 1,
-                    "description": "Maximal number of allowed queries per second from a single host."
+                    "description": "Maximal number of allowed queries per second from a single host.",
+                    "default": null
                 },
                 "instant-limit": {
                     "type": "integer",
                     "minimum": 1,
                     "description": "Maximal number of allowed queries at a single point in time from a single host.",
                     "default": 50
                 },
+                "capacity": {
+                    "type": "integer",
+                    "minimum": 1,
+                    "description": "Expected maximal number of blocked networks/hosts at the same time.",
+                    "default": 524288
+                },
                 "slip": {
                     "type": "integer",
                     "minimum": 0,
                     "maximum": 32,
                     "description": "Number of restricted responses out of which one is sent as truncated, the others are dropped.",
                     "default": 2
                 },
-                "log-period": {
+                "logging-period": {
                     "type": "string",
                     "pattern": "^(\\d+)(us|ms|s|m|h|d)$",
                     "description": "Minimal time between two log messages, or '0s' to disable.",
@@ -1608,7 +1614,15 @@
                     "default": false
                 }
             },
-            "default": null
+            "default": {
+                "enabled": false,
+                "rate_limit": null,
+                "instant_limit": 50,
+                "capacity": 524288,
+                "slip": 2,
+                "logging_period": "0s",
+                "dry_run": false
+            }
         },
         "prioritization": {
             "description": "Configuration of request prioritization (defer).",

python/knot_resolver/datamodel/config_schema.py

@@ -125,7 +125,7 @@ class Raw(ConfigSchema):
         dns64: Dns64Schema = Dns64Schema()
         logging: LoggingSchema = LoggingSchema()
         monitoring: MonitoringSchema = MonitoringSchema()
-        rate_limiting: Optional[RateLimitingSchema] = None
+        rate_limiting: RateLimitingSchema = RateLimitingSchema()
         prioritization: PrioritizationSchema = PrioritizationSchema()
         lua: LuaSchema = LuaSchema()
 
@@ -146,7 +146,7 @@ class Raw(ConfigSchema):
     dns64: Dns64Schema
     logging: LoggingSchema
     monitoring: MonitoringSchema
-    rate_limiting: Optional[RateLimitingSchema]
+    rate_limiting: RateLimitingSchema
     prioritization: PrioritizationSchema
     lua: LuaSchema
 

python/knot_resolver/datamodel/rate_limiting_schema.py

@@ -1,3 +1,5 @@
+from typing import Optional
+
 from knot_resolver.datamodel.types import (
     Int0_32,
     IntPositive,
@@ -11,24 +13,29 @@ class RateLimitingSchema(ConfigSchema):
     Configuration of rate limiting.
 
     ---
-    capacity: Expected maximal number of blocked networks/hosts at the same time.
+    enabled: Enable/disable rate limiting
     rate_limit: Maximal number of allowed queries per second from a single host.
     instant_limit: Maximal number of allowed queries at a single point in time from a single host.
+    capacity: Expected maximal number of blocked networks/hosts at the same time.
     slip: Number of restricted responses out of which one is sent as truncated, the others are dropped.
-    log_period: Minimal time between two log messages, or '0s' to disable.
+    logging_period: Minimal time between two log messages, or '0s' to disable.
     dry_run: Perform only classification and logging but no restrictions.
     """
 
-    capacity: IntPositive = IntPositive(524288)
-    rate_limit: IntPositive
+    enabled: bool = False
+    rate_limit: Optional[IntPositive] = None
     instant_limit: IntPositive = IntPositive(50)
+    capacity: IntPositive = IntPositive(524288)
     slip: Int0_32 = Int0_32(2)
-    log_period: TimeUnit = TimeUnit("0s")
+    logging_period: TimeUnit = TimeUnit("0s")
     dry_run: bool = False
 
     def _validate(self) -> None:
+        if self.enabled and not self.rate_limit:
+            raise ValueError("'rate-limit' has to be configured to enable rate limiting")
+
         max_instant_limit = int(2**32 // 768 - 1)
         if not int(self.instant_limit) <= max_instant_limit:
             raise ValueError(f"'instant-limit' has to be in range 1..{max_instant_limit}")
-        if not int(self.rate_limit) <= 1000 * int(self.instant_limit):
+        if self.rate_limit and not int(self.rate_limit) <= 1000 * int(self.instant_limit):
             raise ValueError("'rate-limit' has to be in range 1..(1000 * instant-limit)")

python/knot_resolver/datamodel/templates/rate_limiting.lua.j2

@@ -1,12 +1,15 @@
 {% from 'macros/common_macros.lua.j2' import boolean %}
 
-{% if cfg.rate_limiting.rate_limit is defined and cfg.rate_limiting.rate_limit -%}
-assert(C.ratelimiting_init(
-	'{{ cfg.rundir }}/ratelimiting',
-	{{ cfg.rate_limiting.capacity }},
-	{{ cfg.rate_limiting.instant_limit }},
-	{{ cfg.rate_limiting.rate_limit }},
-	{{ cfg.rate_limiting.slip }},
-	{{ cfg.rate_limiting.log_period.millis() }},
-	{{ boolean(cfg.rate_limiting.dry_run) }}) == 0)
-{%- endif %}
+{% if cfg.rate_limiting.enabled %}
+assert(
+    C.ratelimiting_init(
+        '{{ cfg.rundir }}/ratelimiting',
+        {{ cfg.rate_limiting.capacity }},
+        {{ cfg.rate_limiting.instant_limit }},
+        {{ cfg.rate_limiting.rate_limit }},
+        {{ cfg.rate_limiting.slip }},
+        {{ cfg.rate_limiting.log_period.millis() }},
+        {{ boolean(cfg.rate_limiting.dry_run) }}
+    ) == 0
+)
+{% endif %}