Add a per client connection max exempt list cript

.gitignore

@@ -170,7 +170,6 @@ rc/trafficserver.service
 .libs/
 
 .svn/
-.vscode/
 target
 
 tsxs

.vscode/settings.json

@@ -0,0 +1,7 @@
+{
+    "files.associations": {
+        "*.cript": "cpp",
+        "*.test.py": "python",
+        "*.test.ext": "python"
+    }
+}

cmake/ExperimentalPlugins.cmake

@@ -31,6 +31,7 @@ auto_option(ACCESS_CONTROL FEATURE_VAR BUILD_ACCESS_CONTROL DEFAULT ${_DEFAULT})
 auto_option(BLOCK_ERRORS FEATURE_VAR BUILD_BLOCK_ERRORS DEFAULT ${_DEFAULT})
 auto_option(CACHE_FILL FEATURE_VAR BUILD_CACHE_FILL DEFAULT ${_DEFAULT})
 auto_option(CERT_REPORTING_TOOL FEATURE_VAR BUILD_CERT_REPORTING_TOOL DEFAULT ${_DEFAULT})
+auto_option(CONNECTION_EXEMPT_LIST FEATURE_VAR BUILD_CONNECTION_EXEMPT_LIST DEFAULT ${_DEFAULT})
 auto_option(COOKIE_REMAP FEATURE_VAR BUILD_COOKIE_REMAP DEFAULT ${_DEFAULT})
 auto_option(CUSTOM_REDIRECT FEATURE_VAR BUILD_CUSTOM_REDIRECT DEFAULT ${_DEFAULT})
 auto_option(FQ_PACING FEATURE_VAR BUILD_FQ_PACING DEFAULT ${_DEFAULT})

cmake/add_cript.cmake

@@ -0,0 +1,35 @@
+#######################
+#
+#  Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+#  agreements.  See the NOTICE file distributed with this work for additional information regarding
+#  copyright ownership.  The ASF licenses this file to you under the Apache License, Version 2.0
+#  (the "License"); you may not use this file except in compliance with the License.  You may obtain
+#  a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software distributed under the License
+#  is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+#  or implied. See the License for the specific language governing permissions and limitations under
+#  the License.
+#
+#######################
+
+# Function to build pre-compiled cript scripts
+function(add_cript name source_file)
+  # Check if ENABLE_CRIPTS is ON, if not, skip
+  if(NOT ENABLE_CRIPTS)
+    message(STATUS "Skipping cript ${name} - ENABLE_CRIPTS is OFF")
+    return()
+  endif()
+
+  # Use the standard ATS plugin macro and link with cripts
+  add_atsplugin(${name} ${source_file})
+  target_link_libraries(${name} PRIVATE ts::cripts)
+
+  # Tell CMake that .cript files are C++ files
+  set_target_properties(${name} PROPERTIES LINKER_LANGUAGE CXX)
+  set_source_files_properties(${source_file} PROPERTIES LANGUAGE CXX)
+
+  verify_remap_plugin(${name})
+endfunction()

doc/Doxyfile

@@ -768,7 +768,7 @@ INPUT_ENCODING         = UTF-8
 # *.md, *.mm, *.dox, *.py, *.f90, *.f, *.for, *.tcl, *.vhd, *.vhdl, *.ucf,
 # *.qsf, *.as and *.js.
 
-FILE_PATTERNS          = *.c *.cc *.h *.h.in *.i
+FILE_PATTERNS          = *.c *.cc *.h *.h.in *.i *.cript
 
 # The RECURSIVE tag can be used to specify whether or not subdirectories should
 # be searched for input files as well.

doc/admin-guide/files/records.yaml.en.rst

@@ -524,6 +524,37 @@ Network
    below this limit. A value of 0 disables the per client concurrent connection
    limit.
 
+   See :ts:cv:`proxy.config.http.per_client.connection.exempt_list` for a way to
+   allow (not count) certain client IP addresses when applying this limit.
+
+.. ts:cv:: CONFIG proxy.config.http.per_client.connection.exempt_list STRING NULL
+
+   A comma-separated list of IP addresses or CIDR ranges to exempt when
+   counting incoming client connections for per client connection
+   throttling. Incoming addresses in this specified set will not count
+   against :ts:cv:`proxy.config.net.per_client.max_connections_in` and
+   thus will not be blocked by that configuration. This may be useful,
+   for example, to allow any number of incoming connections from within
+   an organization's network without blocking them due to the per client
+   connection max feature.
+
+   This configuration takes a comma-separated list of IP addresses, CIDR
+   networks, or ranges separated by a dash.
+
+   ============================== ===========================================================
+   Example                        Effect
+   ============================== ===========================================================
+   ``10.0.2.123``                 Exempt a single IP Address.
+   ``10.0.3.1-10.0.3.254``        Exempt a range of IP address.
+   ``10.0.4.0/24``                Exempt a range of IP address specified by CIDR notation.
+   ``10.0.2.123,172.16.0.0/20``   Exempt multiple addresses/ranges.
+   ============================== ===========================================================
+
+   Here is an example configuration value::
+
+      10.0.2.123,172.16.0.0/20,192.168.1.0/24
+
+
 .. ts:cv:: CONFIG proxy.config.http.per_client.connection.alert_delay INT 60
    :reloadable:
    :units: seconds
@@ -2041,7 +2072,7 @@ Proxy User Variables
    by a dash or by using CIDR notation.
 
    ======================= ===========================================================
-   Example  Effect
+   Example                 Effect
    ======================= ===========================================================
    ``10.0.2.123``          A single IP Address.
    ``10.0.3.1-10.0.3.254`` A range of IP address.

doc/admin-guide/plugins/connection_exempt_list.en.rst

@@ -0,0 +1,103 @@
+.. include:: ../../common.defs
+
+.. _admin-plugins-connection-exempt-list:
+
+Connection Exempt List Plugin
+******************************
+
+.. Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+
+Description
+===========
+
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list` allows
+administrators to set exemptions to the per-client connection limit. However,
+for large networks, managing this as a comma-separated string in
+:file:`records.yaml` can be cumbersome. This plugin allows administrators to set
+the exemption list :ts:cv:`proxy.config.http.per_client.connection.exempt_list`
+value via an external YAML file.
+
+Plugin Configuration
+====================
+
+The plugin is configured as a global plugin and requires a path to a YAML
+configuration file. Load the plugin by adding a line to the
+:file:`plugin.config`:
+
+.. code-block:: text
+
+   connection_exempt_list.so /path/to/exempt_list.yaml
+
+Configuration File Format
+==========================
+
+The exempt list configuration file must be in YAML format with the following
+simple structure:
+
+.. code-block:: yaml
+
+   exempt_list:
+     - 127.0.0.1
+     - ::1
+     - 192.168.1.0/24
+     - 10.0.0.0/8
+
+The configuration file supports the same range formats as
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list`.
+
+* Individual IPv4 addresses (e.g., ``192.168.1.100``)
+* Individual IPv6 addresses (e.g., ``::1``, ``2001:db8::1``)
+* IPv4 CIDR ranges (e.g., ``192.168.0.0/16``)
+* Ranges as a dash-separated string (e.g., ``10.0.0.0-10.0.0.255``)
+
+Example Usage
+=============
+
+1. Create an exempt list configuration file (e.g.,
+``/opt/ats/etc/trafficserver/exempt_localhost.yaml``):
+
+   .. code-block:: yaml
+
+      exempt_list:
+        - 127.0.0.1
+        - ::1
+
+2. Enable the plugin in :file:`plugin.config`:
+
+   .. code-block:: text
+
+      connection_exempt_list.so /opt/ats/etc/trafficserver/exempt_localhost.yaml
+
+3. Configure per-client connection limits in :file:`records.yaml`:
+
+   .. code-block:: yaml
+
+      records:
+        net:
+          per_client:
+            max_connections_in: 300
+
+4. Start |TS|. The plugin will load the exempt list and not apply the per-client
+   connection limit to the exempted IP addresses and ranges.
+
+See Also
+========
+
+* :ts:cv:`proxy.config.net.per_client.max_connections_in`
+* :ts:cv:`proxy.config.http.per_client.connection.exempt_list`
+* :doc:`../files/plugin.config.en`

doc/admin-guide/plugins/index.en.rst

@@ -171,6 +171,7 @@ directory of the |TS| source tree. Experimental plugins can be compiled by passi
    Cache Fill <cache_fill.en>
    Certifier <certifier.en>
    Cert Reporting Tool <cert_reporting_tool.en>
+   Connection Exempt List <connection_exempt_list.en>
    Cookie Remap <cookie_remap.en>
    GeoIP ACL <geoip_acl.en>
    FQ Pacing <fq_pacing.en>
@@ -208,6 +209,10 @@ directory of the |TS| source tree. Experimental plugins can be compiled by passi
 :doc:`Cert Reporting Tool <cert_reporting_tool.en>`
    Examines and logs information on loaded certificates.
 
+:doc:`Connection Exempt List <connection_exempt_list.en>`
+   Provides a way for administrators to set
+   :ts:cv:`proxy.config.http.per_client.connection.exempt_list` via a YAML file.
+
 :doc:`Cookie Remap <cookie_remap.en>`
    Makes decisions on destinations based on cookies.
 

doc/developer-guide/api/functions/TSConnectionLimitExemptList.en.rst

@@ -0,0 +1,125 @@
+.. Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed
+   with this work for additional information regarding copyright
+   ownership.  The ASF licenses this file to you under the Apache
+   License, Version 2.0 (the "License"); you may not use this file
+   except in compliance with the License.  You may obtain a copy of
+   the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied.  See the License for the specific language governing
+   permissions and limitations under the License.
+
+.. default-domain:: cpp
+
+TSConnectionLimitExemptList
+===========================
+
+Synopsis
+--------
+
+.. code-block:: cpp
+
+    #include <ts/ts.h>
+
+.. function:: TSReturnCode TSConnectionLimitExemptListAdd(std::string_view ip_ranges)
+.. function:: TSReturnCode TSConnectionLimitExemptListRemove(std::string_view ip_ranges)
+.. function:: void TSConnectionLimitExemptListClear()
+
+Description
+-----------
+
+These functions manage the per-client connection limit exempt list, which contains IP addresses
+and ranges that are exempt from the connection limits enforced by
+:ts:cv:`proxy.config.net.per_client.max_connections_in`.
+
+:func:`TSConnectionLimitExemptListAdd` adds one or more IP addresses or CIDR ranges specified in
+:arg:`ip_ranges` to the existing exempt list. The :arg:`ip_ranges` parameter can be a single
+IP address or CIDR range, or a comma-separated string of multiple ranges (e.g.,
+"192.168.1.10,10.0.0.0/8,172.16.0.0/12"). The ranges are added without removing any existing
+entries. Returns :enumerator:`TS_SUCCESS` if all ranges were successfully added, :enumerator:`TS_ERROR` if
+any of the IP ranges are invalid or if the operation fails.
+
+:func:`TSConnectionLimitExemptListRemove` removes one or more IP addresses or CIDR ranges specified in
+:arg:`ip_ranges` from the existing exempt list. The :arg:`ip_ranges` parameter can be a single
+IP address or CIDR range, or a comma-separated string of multiple ranges. If a range is not present
+in the list, it is silently ignored. Returns :enumerator:`TS_SUCCESS` if all ranges were successfully
+processed, :enumerator:`TS_ERROR` if any of the IP ranges are invalid or if the operation fails.
+
+:func:`TSConnectionLimitExemptListClear` removes all entries from the per-client connection
+limit exempt list. After calling this function, all clients will be subject to connection
+limits. This function does not return a value and never fails.
+
+All functions are thread-safe and can be called from any plugin context. Changes made through
+these functions will override any configuration set via
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list`.
+
+Return Values
+-------------
+
+:func:`TSConnectionLimitExemptListAdd` and :func:`TSConnectionLimitExemptListRemove` return
+:enumerator:`TS_SUCCESS` if the operation completed successfully, or :enumerator:`TS_ERROR` if the
+operation failed due to invalid input or system errors.
+
+Examples
+--------
+
+.. code-block:: cpp
+
+    #include <ts/ts.h>
+    #include <fstream>
+    #include <string>
+
+    void load_exempt_list_from_file(const char *filename) {
+        std::ifstream file(filename);
+        if (!file.is_open()) {
+            TSError("Failed to open exempt list file: %s", filename);
+            return;
+        }
+
+        // Clear existing exempt list before loading from file
+        TSConnectionLimitExemptListClear();
+
+        std::string line;
+        int line_num = 0;
+        while (std::getline(file, line)) {
+            line_num++;
+
+            // Skip empty lines and comments
+            if (line.empty() || line[0] == '#') {
+                continue;
+            }
+
+            // Add each IP range to the exempt list
+            TSReturnCode result = TSConnectionLimitExemptListAdd(line.c_str());
+            if (result != TS_SUCCESS) {
+                TSError("Failed to add IP range '%s' from line %d in %s", line.c_str(), line_num, filename);
+            } else {
+                TSDebug("exempt_list", "Added IP range: %s", line.c_str());
+            }
+        }
+        file.close();
+    }
+
+    void TSPluginInit(int argc, const char *argv[]) {
+        const char *exempt_file = "exempt_ips.txt";
+
+        // Check if custom file specified in plugin arguments
+        if (argc > 1) {
+            exempt_file = argv[1];
+        }
+
+        // Load exempt list from file
+        load_exempt_list_from_file(exempt_file);
+    }
+
+
+See Also
+--------
+
+:ts:cv:`proxy.config.net.per_client.max_connections_in`,
+:ts:cv:`proxy.config.http.per_client.connection.exempt_list`

include/cripts/Epilogue.hpp

@@ -752,10 +752,12 @@ TSPluginInit(int argc, const char *argv[])
     inst->NeedCallback(enabled_txn_hooks);
     TSContDataSet(contp, context);
     TSHttpHookAdd(TS_HTTP_TXN_START_HOOK, contp); // This acts similarly to the DoRemap callback
+  } else if (needs_glb_init) {
+    CDebug("[%s] - No global hooks, but there is a global init callback", info.plugin_name);
   } else {
+    TSError("[%s] - No global hooks, no global init callback", info.plugin_name);
     delete context;
     delete inst;
-    TSError("[%s] - No global hooks enabled", info.plugin_name);
   }
 }