feat: add rate limit exempt IPs

Signed-off-by: simpliq-marvin <[email protected]>

Author: simpliq-marvin

src/api/docs/content/specs/config.yaml

@@ -340,6 +340,11 @@ components:
                       type: integer
                     interval:
                       type: integer
+                    exemptIPs:
+                      type: array
+                      items:
+                        type: string
+                        x-format: ipv4|ipv6
             dhcp:
               type: object
               properties:
@@ -789,6 +794,9 @@ components:
             rateLimit:
               count: 0
               interval: 0
+              exemptIPs:
+                - "192.168.1.10"
+                - "fd00::10"
           dhcp:
             active: false
             start: "192.168.0.10"

src/config/config.c

@@ -770,6 +770,13 @@ void initConfig(struct config *conf)
 	conf->dns.rateLimit.interval.d.ui = 60;
 	conf->dns.rateLimit.interval.c = validate_stub; // Only type-based checking
 
+	conf->dns.rateLimit.exemptIPs.k = "dns.rateLimit.exemptIPs";
+	conf->dns.rateLimit.exemptIPs.h = "IP addresses that should bypass per-client DNS rate limiting. Matching is exact by IP address and applies only when rate limiting is enabled. This is intended for trusted clients that may generate short legitimate DNS bursts.\n\n Example: [ \"192.168.1.10\", \"fd00::10\" ]";
+	conf->dns.rateLimit.exemptIPs.a = cJSON_CreateStringReference("Array of valid IPv4 and/or IPv6 addresses");
+	conf->dns.rateLimit.exemptIPs.t = CONF_JSON_STRING_ARRAY;
+	conf->dns.rateLimit.exemptIPs.d.json = cJSON_CreateArray();
+	conf->dns.rateLimit.exemptIPs.c = validate_ip_array;
+
 	// sub-struct dhcp
 	conf->dhcp.active.k = "dhcp.active";
 	conf->dhcp.active.h = "Is the embedded DHCP server enabled?";

src/config/config.h

@@ -189,6 +189,7 @@ struct config {
 		struct {
 			struct conf_item count;
 			struct conf_item interval;
+			struct conf_item exemptIPs;
 		} rateLimit;
 	} dns;
 

src/config/validator.c

@@ -206,6 +206,60 @@ bool validate_dns_domain(union conf_value *val, const char *key, char err[VALIDA
 	return true;
 }
 
+// Validate arrays of IP addresses (IPv4 and/or IPv6)
+bool validate_ip_array(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN])
+{
+	if(!cJSON_IsArray(val->json))
+	{
+		snprintf(err, VALIDATOR_ERRBUF_LEN, "%s: not an array", key);
+		return false;
+	}
+
+	for(int i = 0; i < cJSON_GetArraySize(val->json); i++)
+	{
+		cJSON *item = cJSON_GetArrayItem(val->json, i);
+
+		if(!cJSON_IsString(item) || item->valuestring == NULL)
+		{
+			snprintf(err, VALIDATOR_ERRBUF_LEN, "%s[%d]: not a string", key, i);
+			return false;
+		}
+
+		const char *raw = item->valuestring;
+		while(isspace((unsigned char)*raw))
+			raw++;
+
+		size_t len = strlen(raw);
+		while(len > 0 && isspace((unsigned char)raw[len-1]))
+			len--;
+
+		if(len == 0)
+		{
+			snprintf(err, VALIDATOR_ERRBUF_LEN, "%s[%d]: empty string", key, i);
+			return false;
+		}
+
+		if(len > INET6_ADDRSTRLEN)
+		{
+			snprintf(err, VALIDATOR_ERRBUF_LEN, "%s[%d]: address too long (\"%s\")", key, i, item->valuestring);
+			return false;
+		}
+
+		char ip[INET6_ADDRSTRLEN + 1] = { 0 };
+		memcpy(ip, raw, len);
+
+		struct in_addr addr4;
+		struct in6_addr addr6;
+		if(inet_pton(AF_INET, ip, &addr4) != 1 && inet_pton(AF_INET6, ip, &addr6) != 1)
+		{
+			snprintf(err, VALIDATOR_ERRBUF_LEN, "%s[%d]: neither a valid IPv4 nor IPv6 address (\"%s\")", key, i, item->valuestring);
+			return false;
+		}
+	}
+
+	return true;
+}
+
 // Validate IPs in CIDR notation
 bool validate_cidr(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN])
 {

src/config/validator.h

@@ -18,6 +18,7 @@ bool validate_stub(union conf_value *val, const char *key, char err[VALIDATOR_ER
 bool validate_dns_hosts(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_dns_cnames(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_dns_domain(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
+bool validate_ip_array(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_cidr(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_domain(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);
 bool validate_filepath(union conf_value *val, const char *key, char err[VALIDATOR_ERRBUF_LEN]);

src/dnsmasq_interface.c

@@ -80,6 +80,7 @@ static void _query_set_dnssec(queriesData *query, const enum dnssec_status dnsse
 static char *get_ptrname(const struct in_addr *addr);
 static const char *check_dnsmasq_name(const char *name);
 static void get_rcode(const unsigned short rcode, const char **rcodestr, enum reply_type *reply);
+static bool client_matches_rate_limit_exempt_ip(const char *clientIP);
 
 // Static blocking metadata
 static bool aabit = false, adbit = false, rabit = false;
@@ -106,6 +107,55 @@ static union mysockaddr last_server = {};
 
 const char *flagnames[] = {"F_IMMORTAL ", "F_NAMEP ", "F_REVERSE ", "F_FORWARD ", "F_DHCP ", "F_NEG ", "F_HOSTS ", "F_IPV4 ", "F_IPV6 ", "F_BIGNAME ", "F_NXDOMAIN ", "F_CNAME ", "F_DNSKEY ", "F_CONFIG ", "F_DS ", "F_DNSSECOK ", "F_UPSTREAM ", "F_RRNAME ", "F_SERVER ", "F_QUERY ", "F_NOERR ", "F_AUTH ", "F_DNSSEC ", "F_KEYTAG ", "F_SECSTAT ", "F_NO_RR ", "F_IPSET ", "F_NOEXTRA ", "F_DOMAINSRV", "F_RCODE", "F_RR", "F_STALE" };
 
+static bool client_matches_rate_limit_exempt_ip(const char *clientIP)
+{
+	if(clientIP == NULL || config.dns.rateLimit.exemptIPs.v.json == NULL)
+		return false;
+
+	struct in_addr client4;
+	struct in6_addr client6;
+	const sa_family_t family = inet_pton(AF_INET, clientIP, &client4) == 1 ? AF_INET :
+	                           inet_pton(AF_INET6, clientIP, &client6) == 1 ? AF_INET6 : AF_UNSPEC;
+	if(family == AF_UNSPEC)
+		return false;
+
+	cJSON *item = NULL;
+	cJSON_ArrayForEach(item, config.dns.rateLimit.exemptIPs.v.json)
+	{
+		if(!cJSON_IsString(item) || item->valuestring == NULL)
+			continue;
+
+		const char *raw = item->valuestring;
+		while(isspace((unsigned char)*raw))
+			raw++;
+
+		size_t len = strlen(raw);
+		while(len > 0 && isspace((unsigned char)raw[len-1]))
+			len--;
+
+		if(len == 0 || len > ADDRSTRLEN)
+			continue;
+
+		char exemptIP[ADDRSTRLEN + 1] = { 0 };
+		memcpy(exemptIP, raw, len);
+
+		if(family == AF_INET)
+		{
+			struct in_addr exempt4;
+			if(inet_pton(AF_INET, exemptIP, &exempt4) == 1 && memcmp(&client4, &exempt4, sizeof(exempt4)) == 0)
+				return true;
+		}
+		else
+		{
+			struct in6_addr exempt6;
+			if(inet_pton(AF_INET6, exemptIP, &exempt6) == 1 && memcmp(&client6, &exempt6, sizeof(exempt6)) == 0)
+				return true;
+		}
+	}
+
+	return false;
+}
+
 void FTL_hook(unsigned int flags, const char *name, const union all_addr *addr, char *arg, int id, unsigned short type, const char *file, const int line)
 {
 	// Extract filename from path
@@ -794,9 +844,10 @@ bool _FTL_new_query(const unsigned int flags, const char *name,
 	// Interface name is only available for regular queries, not for
 	// automatically generated DNSSEC queries
 	const char *interface = internal_query ? "-" : next_iface.name;
+	const bool rate_limit_exempt = client_matches_rate_limit_exempt_ip(clientIP);
 
 	// Check rate-limit for this client
-	if(!internal_query && config.dns.rateLimit.count.v.ui > 0 &&
+	if(!internal_query && !rate_limit_exempt && config.dns.rateLimit.count.v.ui > 0 &&
 	   (++client->rate_limit > config.dns.rateLimit.count.v.ui  || client->flags.rate_limited))
 	{
 		if(!client->flags.rate_limited)

test/pihole.toml

@@ -553,6 +553,16 @@
     #     A positive integer value in seconds
     interval = 0 ### CHANGED, default = 60
 
+    # IP addresses that should bypass per-client DNS rate limiting. Matching is exact by
+    # IP address and applies only when rate limiting is enabled. This is intended for
+    # trusted clients that may generate short legitimate DNS bursts.
+    #
+    # Example: [ "192.168.1.10", "fd00::10" ]
+    #
+    # Allowed values are:
+    #     An array of valid IPv4 and/or IPv6 addresses
+    exemptIPs = ["192.168.1.10", "fd00::10"] ### CHANGED, default = []
+
 [dhcp]
   # Is the embedded DHCP server enabled?
   #