Add a per client connection max exempt list cript

bneradt · bneradt · commit e5413cfab575 · 2025-08-29T18:35:55.000Z
This updates our build system to be able to make pre-compiled cripts.
Thus, adding a cript is now as easy as adding a plugin. Simply use
add_cript instead of add_atsplugin in CMakeLists.txt, and it will build
your cript for you.

As a part of this, this adds connection_exempt_list.cript, our first
cript plugin that sets the per client exempt list.
diff --git a/.gitignore b/.gitignore
@@ -170,7 +170,6 @@ rc/trafficserver.service
 .libs/
 
 .svn/
-.vscode/
 target
 
 tsxs
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,7 @@
+{
+    "files.associations": {
+        "*.cript": "cpp",
+        "*.test.py": "python",
+        "*.test.ext": "python"
+    }
+}
diff --git a/cmake/ExperimentalPlugins.cmake b/cmake/ExperimentalPlugins.cmake
@@ -31,6 +31,7 @@ auto_option(ACCESS_CONTROL FEATURE_VAR BUILD_ACCESS_CONTROL DEFAULT ${_DEFAULT})
 auto_option(BLOCK_ERRORS FEATURE_VAR BUILD_BLOCK_ERRORS DEFAULT ${_DEFAULT})
 auto_option(CACHE_FILL FEATURE_VAR BUILD_CACHE_FILL DEFAULT ${_DEFAULT})
 auto_option(CERT_REPORTING_TOOL FEATURE_VAR BUILD_CERT_REPORTING_TOOL DEFAULT ${_DEFAULT})
+auto_option(CONNECTION_EXEMPT_LIST FEATURE_VAR BUILD_CONNECTION_EXEMPT_LIST DEFAULT ${_DEFAULT})
 auto_option(COOKIE_REMAP FEATURE_VAR BUILD_COOKIE_REMAP DEFAULT ${_DEFAULT})
 auto_option(CUSTOM_REDIRECT FEATURE_VAR BUILD_CUSTOM_REDIRECT DEFAULT ${_DEFAULT})
 auto_option(FQ_PACING FEATURE_VAR BUILD_FQ_PACING DEFAULT ${_DEFAULT})
diff --git a/cmake/add_cript.cmake b/cmake/add_cript.cmake
@@ -0,0 +1,35 @@
+#######################
+#
+#  Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+#  agreements.  See the NOTICE file distributed with this work for additional information regarding
+#  copyright ownership.  The ASF licenses this file to you under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with the License.  You may obtain
+#  a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software distributed under the License
+#  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+#  or implied. See the License for the specific language governing permissions and limitations under
+#  the License.
+#
+#######################
+
+# Function to build pre-compiled cript scripts
+function(add_cript name source_file)
+  # Check if ENABLE_CRIPTS is ON, if not, skip
+  if(NOT ENABLE_CRIPTS)
+    message(STATUS "Skipping cript ${name} - ENABLE_CRIPTS is OFF")
+    return()
+  endif()
+
+  # Use the standard ATS plugin macro and link with cripts
+  add_atsplugin(${name} ${source_file})
+  target_link_libraries(${name} PRIVATE ts::cripts)
+
+  # Tell CMake that .cript files are C++ files
+  set_target_properties(${name} PROPERTIES LINKER_LANGUAGE CXX)
+  set_source_files_properties(${source_file} PROPERTIES LANGUAGE CXX)
+
+  verify_remap_plugin(${name})
+endfunction()
diff --git a/doc/Doxyfile b/doc/Doxyfile
@@ -768,7 +768,7 @@ INPUT_ENCODING         = UTF-8
 # *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
 # *.qsf, *.as and *.js.
 
-FILE_PATTERNS          = *.c *.cc *.h *.h.in *.i
+FILE_PATTERNS          = *.c *.cc *.h *.h.in *.i *.cript
 
 # The RECURSIVE tag can be used to specify whether or not subdirectories should
 # be searched for input files as well.
diff --git a/doc/admin-guide/plugins/connection_exempt_list.en.rst b/doc/admin-guide/plugins/connection_exempt_list.en.rst
@@ -0,0 +1,103 @@
+.. include:: ../../common.defs
+
+.. _admin-plugins-connection-exempt-list:
+
+Connection Exempt List Plugin
+******************************
+
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+
+Description
+===========
+
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list` allows
+administrators to set exemptions to the per-client connection limit. However,
+for large networks, managing this as a comma-separated string in
+:file:`records.yaml` can be cumbersome. This plugin allows administrators to set
+the exemption list :ts:cv:`proxy.config.http.per_client.connection.exempt_list`
+value via an external YAML file.
+
+Plugin Configuration
+====================
+
+The plugin is configured as a global plugin and requires a path to a YAML
+configuration file. Load the plugin by adding a line to the
+:file:`plugin.config`:
+
+.. code-block:: text
+
+   connection_exempt_list.so /path/to/exempt_list.yaml
+
+Configuration File Format
+==========================
+
+The exempt list configuration file must be in YAML format with the following
+simple structure:
+
+.. code-block:: yaml
+
+   exempt_list:
+     - 127.0.0.1
+     - ::1
+     - 192.168.1.0/24
+     - 10.0.0.0/8
+
+The configuration file supports the same range formats as
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list`.
+
+* Individual IPv4 addresses (e.g., ``192.168.1.100``)
+* Individual IPv6 addresses (e.g., ``::1``, ``2001:db8::1``)
+* IPv4 CIDR ranges (e.g., ``192.168.0.0/16``)
+* Ranges as a dash-separated string (e.g., ``10.0.0.0-10.0.0.255``)
+
+Example Usage
+=============
+
+1. Create an exempt list configuration file (e.g.,
+``/opt/ats/etc/trafficserver/exempt_localhost.yaml``):
+
+   .. code-block:: yaml
+
+      exempt_list:
+        - 127.0.0.1
+        - ::1
+
+2. Enable the plugin in :file:`plugin.config`:
+
+   .. code-block:: text
+
+      connection_exempt_list.so /opt/ats/etc/trafficserver/exempt_localhost.yaml
+
+3. Configure per-client connection limits in :file:`records.yaml`:
+
+   .. code-block:: yaml
+
+      records:
+        net:
+          per_client:
+            max_connections_in: 300
+
+4. Start |TS|. The plugin will load the exempt list and not apply the per-client
+   connection limit to the exempted IP addresses and ranges.
+
+See Also
+========
+
+* :ts:cv:`proxy.config.net.per_client.max_connections_in`
+* :ts:cv:`proxy.config.http.per_client.connection.exempt_list`
+* :doc:`../files/plugin.config.en`
diff --git a/doc/admin-guide/plugins/index.en.rst b/doc/admin-guide/plugins/index.en.rst
@@ -171,6 +171,7 @@ directory of the |TS| source tree. Experimental plugins can be compiled by passi
    Cache Fill <cache_fill.en>
    Certifier <certifier.en>
    Cert Reporting Tool <cert_reporting_tool.en>
+   Connection Exempt List <connection_exempt_list.en>
    Cookie Remap <cookie_remap.en>
    GeoIP ACL <geoip_acl.en>
    FQ Pacing <fq_pacing.en>
@@ -208,6 +209,10 @@ directory of the |TS| source tree. Experimental plugins can be compiled by passi
 :doc:`Cert Reporting Tool <cert_reporting_tool.en>`
    Examines and logs information on loaded certificates.
 
+:doc:`Connection Exempt List <connection_exempt_list.en>`
+   Provides a way for administrators to set
+   :ts:cv:`proxy.config.http.per_client.connection.exempt_list` via a YAML file.
+
 :doc:`Cookie Remap <cookie_remap.en>`
    Makes decisions on destinations based on cookies.
 
diff --git a/include/cripts/Epilogue.hpp b/include/cripts/Epilogue.hpp
@@ -752,10 +752,12 @@ TSPluginInit(int argc, const char *argv[])
     inst->NeedCallback(enabled_txn_hooks);
     TSContDataSet(contp, context);
     TSHttpHookAdd(TS_HTTP_TXN_START_HOOK, contp); // This acts similarly to the DoRemap callback
+  } else if (needs_glb_init) {
+    CDebug("[%s] - No global hooks, but there is a global init callback", info.plugin_name);
   } else {
+    TSError("[%s] - No global hooks, no global init callback", info.plugin_name);
     delete context;
     delete inst;
-    TSError("[%s] - No global hooks enabled", info.plugin_name);
   }
 }
 
diff --git a/plugins/CMakeLists.txt b/plugins/CMakeLists.txt
@@ -16,6 +16,7 @@
 #######################
 
 include(add_atsplugin)
+include(add_cript)
 
 # The experimental plugins are handled in cmake/ExperimentalPlugins.cmake.
 
diff --git a/plugins/experimental/CMakeLists.txt b/plugins/experimental/CMakeLists.txt
@@ -29,6 +29,9 @@ endif()
 if(BUILD_CERT_REPORTING_TOOL)
   add_subdirectory(cert_reporting_tool)
 endif()
+if(BUILD_CONNECTION_EXEMPT_LIST)
+  add_subdirectory(connection_exempt_list)
+endif()
 if(BUILD_COOKIE_REMAP)
   add_subdirectory(cookie_remap)
 endif()
diff --git a/plugins/experimental/connection_exempt_list/CMakeLists.txt b/plugins/experimental/connection_exempt_list/CMakeLists.txt
@@ -0,0 +1,22 @@
+#######################
+#
+#  Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+#  agreements.  See the NOTICE file distributed with this work for additional information regarding
+#  copyright ownership.  The ASF licenses this file to you under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with the License.  You may obtain
+#  a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software distributed under the License
+#  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+#  or implied. See the License for the specific language governing permissions and limitations under
+#  the License.
+#
+#######################
+
+# Include the add_cript macro
+include(add_cript)
+
+# Build the connection_exempt_list cript as a pre-compiled plugin
+add_cript(connection_exempt_list connection_exempt_list.cript)
diff --git a/plugins/experimental/connection_exempt_list/connection_exempt_list.cript b/plugins/experimental/connection_exempt_list/connection_exempt_list.cript
@@ -0,0 +1,86 @@
+/*
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+*/
+
+#include <cripts/Preamble.hpp>
+#include <yaml-cpp/yaml.h>
+
+glb_init()
+{
+  CDebug("Initializing per-client connection exempt list plugin");
+  if (instance.Size() != 1) {
+    TSError("Expected a single exempt list filepath as argument, %lu provided.", instance.Size());
+    return;
+  }
+  // First argument (after plugin name) should be the filename
+  auto filename = AsString(instance.data[0]);
+
+  CDebug("Loading exempt list from file: {}", filename);
+
+  // Clear any existing exempt list
+  TSConnectionLimitExemptListClear();
+
+  try {
+    // Load the YAML file
+    YAML::Node config      = YAML::LoadFile(filename.c_str());
+    integer    added_count = 0;
+
+    // Check if the root node contains the exempt_list key
+    if (!config["exempt_list"]) {
+      TSError("YAML file '%s' does not contain an 'exempt_list' key", filename.c_str());
+      return;
+    }
+
+    const YAML::Node &exempt_list = config["exempt_list"];
+
+    // Verify that exempt_list is a sequence/array
+    if (!exempt_list.IsSequence()) {
+      TSError("'exempt_list' in YAML file '%s' is not a sequence/array", filename.c_str());
+      return;
+    }
+
+    // Iterate through each IP range in the exempt list
+    for (const YAML::Node &item : exempt_list) {
+      if (!item.IsScalar()) {
+        TSError("Non-scalar item found in exempt_list, skipping");
+        continue;
+      }
+
+      std::string ip_range = item.as<std::string>();
+
+      // Add IP range to exempt list
+      TSReturnCode result = TSConnectionLimitExemptListAdd(ip_range);
+      if (result == TS_SUCCESS) {
+        added_count++;
+        CDebug("Added IP range: {}", ip_range);
+      } else {
+        TSError("Failed to add IP range '%s'", ip_range.c_str());
+      }
+    }
+
+    CDebug("Successfully processed YAML file, added {} IP ranges to exempt list", added_count);
+
+  } catch (const YAML::Exception &e) {
+    TSError("YAML parsing error for file '%s': %s", filename.c_str(), e.what());
+  } catch (const std::exception &e) {
+    TSError("Failed to process exempt list file '%s': %s", filename.c_str(), e.what());
+  } catch (...) {
+    TSError("Unknown error while processing exempt list file '%s'", filename.c_str());
+  }
+}
+
+#include <cripts/Epilogue.hpp>
diff --git a/src/cripts/Instance.cc b/src/cripts/Instance.cc
@@ -37,6 +37,15 @@ Instance::_initialize(int argc, const char *argv[], const char *filename, bool r
       data[i - 2] = s;
     }
     _size = argc - 2;
+  } else {
+    // Global plugins don't have the from/to url values.
+    for (int i = 1; i < argc && i <= 16; i++) {
+      auto s = cripts::string(argv[i]);
+
+      s.trim("\"\'");
+      data[i - 1] = s;
+    }
+    _size = argc - 1;
   }
 
   // Set the debug tag for this plugin, slightly annoying that we have to calculate
diff --git a/tests/gold_tests/autest-site/setup.cli.ext b/tests/gold_tests/autest-site/setup.cli.ext
@@ -111,6 +111,7 @@ if ENV['ATS_BIN'] is not None:
     host.WriteVerbose(['ats'], "Traffic server version:", out)
 
 Variables.AtsExampleDir = os.path.join(AutestSitePath, '..', '..', '..', 'example')
+Variables.AtsToolsDir = os.path.join(AutestSitePath, '..', '..', '..', 'tools')
 Variables.AtsTestToolsDir = os.path.join(AutestSitePath, '..', '..', 'tools')
 Variables.VerifierBinPath = ENV['VERIFIER_BIN']
 Variables.BuildRoot = ENV['BUILD_ROOT']
diff --git a/tests/gold_tests/autest-site/trafficserver.test.ext b/tests/gold_tests/autest-site/trafficserver.test.ext
@@ -405,10 +405,11 @@ def MakeATSProcess(
         })
 
     if enable_cripts:
-        p.Setup.Copy(
-            os.path.join(p.Variables.RepoDir, 'tools', 'cripts', 'compiler.sh'), os.path.join(bin_path, 'cripts_compiler.sh'))
+        cripts_compiler = os.path.join(bin_path, 'cripts_compiler.sh')
+        p.Setup.Copy(os.path.join(p.Variables.RepoDir, 'tools', 'cripts', 'compiler.sh'), cripts_compiler)
+        p.Variables.cripts_compiler = cripts_compiler
         p.Disk.records_config.update({
-            'proxy.config.plugin.compiler_path': os.path.join(bin_path, 'cripts_compiler.sh'),
+            'proxy.config.plugin.compiler_path': cripts_compiler,
         })
         # ATS_ROOT is used by compiler.sh to find the ATS install directory.
         p.Env['ATS_ROOT'] = p.Variables.PREFIX
diff --git a/tests/gold_tests/client_connection/exempt_lists/exempt_all.yaml b/tests/gold_tests/client_connection/exempt_lists/exempt_all.yaml
@@ -0,0 +1,19 @@
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+exempt_list:
+  - 0/0
+  - ::/0
diff --git a/tests/gold_tests/client_connection/exempt_lists/exempt_localhost.yaml b/tests/gold_tests/client_connection/exempt_lists/exempt_localhost.yaml
diff --git a/tests/gold_tests/client_connection/exempt_lists/no_localhost.yaml b/tests/gold_tests/client_connection/exempt_lists/no_localhost.yaml
diff --git a/tests/gold_tests/client_connection/per_client_connection_max.test.py b/tests/gold_tests/client_connection/per_client_connection_max.test.py
diff --git a/tests/gold_tests/cripts/files/basic.cript b/tests/gold_tests/cripts/files/basic.cript
diff --git a/tools/clang-format.sh b/tools/clang-format.sh
diff --git a/tools/git/pre-commit b/tools/git/pre-commit

-Original file line number
+Diff line change
 .libs/
 .svn/
 -.vscode/
 target
 tsxs
Original file line number	Diff line number	Diff line change
`@@ -752,10 +752,12 @@ TSPluginInit(int argc, const char *argv[])`
`752`	`752`	`inst->NeedCallback(enabled_txn_hooks);`
`753`	`753`	`TSContDataSet(contp, context);`
`754`	`754`	`TSHttpHookAdd(TS_HTTP_TXN_START_HOOK, contp); // This acts similarly to the DoRemap callback`
	`755`	`+ } else if (needs_glb_init) {`
	`756`	`+ CDebug("[%s] - No global hooks, but there is a global init callback", info.plugin_name);`
`755`	`757`	`} else {`
	`758`	`+ TSError("[%s] - No global hooks, no global init callback", info.plugin_name);`
`756`	`759`	`delete context;`
`757`	`760`	`delete inst;`
`758`		`- TSError("[%s] - No global hooks enabled", info.plugin_name);`
`759`	`761`	`}`
`760`	`762`	`}`
`761`	`763`