Skip to content

Lua plugin support for connection exempt list #12849

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
shukitchan wants to merge 3 commits into
base: master
Choose a base branch
from
+133 −0
Draft

Lua plugin support for connection exempt list #12849

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
4c1d0e9
Update ts_lua_misc.cc to add connection limit exempt list functions.
shukitchan Jan 30, 2026
1470339
Add Lua plugin documentation for connection limit exempt list APIs
shukitchan Jan 30, 2026
1dab75e
Update lua.en.rst
shukitchan Jan 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions doc/admin-guide/plugins/lua.en.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -452,6 +452,73 @@ Here is an example:

:ref:`TOP <admin-plugins-ts-lua>`

ts.connection_limit_exempt_list_add
------------------------------------
**syntax:** *success = ts.connection_limit_exempt_list_add(IP_RANGES)*

**context:** global

**description**: Add IP ranges to the per-client connection limit exempt list. This function wraps the TSConnectionLimitExemptListAdd API.

The IP_RANGES parameter should be a string containing one or more IP address ranges in CIDR notation, separated by commas. Client connections from these IP ranges will be exempt from per-client connection limits.

Comment on lines +461 to +464
Copy link

Copilot AI Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs say IP_RANGES must be in CIDR notation, but the underlying parsing (swoc::IPRange) accepts a single IP address and dash ranges in addition to CIDR. Consider updating the description to match the supported formats (and note that whitespace around comma-separated entries is not trimmed, so ", " may fail).

Copilot uses AI. Check for mistakes.
Returns true on success, false on failure.

Here is an example:

::

if ts.connection_limit_exempt_list_add('10.0.0.0/8,192.168.1.0/24') then
ts.debug('Successfully added IP ranges to exempt list')
else
ts.error('Failed to add IP ranges to exempt list')
end

:ref:`TOP <admin-plugins-ts-lua>`

ts.connection_limit_exempt_list_remove
---------------------------------------
**syntax:** *success = ts.connection_limit_exempt_list_remove(IP_RANGES)*

**context:** global

**description**: Remove IP ranges from the per-client connection limit exempt list. This function wraps the TSConnectionLimitExemptListRemove API.

The IP_RANGES parameter should be a string containing one or more IP address ranges in CIDR notation, separated by commas.
Copy link

Copilot AI Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same doc issue as add(): IP_RANGES is documented as CIDR-only, but the underlying API accepts single IPs and dash ranges too; also consider noting that whitespace around comma separators is not ignored.

Suggested change
The IP_RANGES parameter should be a string containing one or more IP address ranges in CIDR notation, separated by commas.
The IP_RANGES parameter should be a string containing one or more IP address specifications separated by commas. Each
specification may be a CIDR range (for example, ``192.168.1.0/24``), a single IP address (for example, ``192.168.1.10``),
or a dash-separated IP range (for example, ``192.168.1.10-192.168.1.20``). Whitespace around the commas is not ignored,
so do not include spaces before or after commas.

Copilot uses AI. Check for mistakes.

Returns true on success, false on failure.

Here is an example:

::

if ts.connection_limit_exempt_list_remove('192.168.1.0/24') then
ts.debug('Successfully removed IP range from exempt list')
else
ts.error('Failed to remove IP range from exempt list')
end

:ref:`TOP <admin-plugins-ts-lua>`

ts.connection_limit_exempt_list_clear
--------------------------------------
**syntax:** *ts.connection_limit_exempt_list_clear()*

**context:** global

**description**: Clear all IP ranges from the per-client connection limit exempt list. This function wraps the TSConnectionLimitExemptListClear API.

This function removes all entries from the exempt list.

Here is an example:

::

ts.connection_limit_exempt_list_clear()
ts.debug('Cleared connection limit exempt list')

:ref:`TOP <admin-plugins-ts-lua>`

Remap status constants
----------------------
**context:** do_remap
Expand Down
66 changes: 66 additions & 0 deletions plugins/lua/ts_lua_misc.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ static int ts_lua_get_config_dir(lua_State *L);
static int ts_lua_get_runtime_dir(lua_State *L);
static int ts_lua_get_plugin_dir(lua_State *L);
static int ts_lua_get_traffic_server_version(lua_State *L);
static int ts_lua_connection_limit_exempt_list_add(lua_State *L);
static int ts_lua_connection_limit_exempt_list_remove(lua_State *L);
static int ts_lua_connection_limit_exempt_list_clear(lua_State *L);

static int ts_lua_sleep_cleanup(ts_lua_async_item *ai);
static int ts_lua_sleep_handler(TSCont contp, TSEvent event, void *edata);
Expand Down Expand Up @@ -136,6 +139,18 @@ ts_lua_inject_misc_api(lua_State *L)
lua_pushcfunction(L, ts_lua_get_traffic_server_version);
lua_setfield(L, -2, "get_traffic_server_version");

/* ts.connection_limit_exempt_list_add(...) */
lua_pushcfunction(L, ts_lua_connection_limit_exempt_list_add);
lua_setfield(L, -2, "connection_limit_exempt_list_add");

/* ts.connection_limit_exempt_list_remove(...) */
lua_pushcfunction(L, ts_lua_connection_limit_exempt_list_remove);
lua_setfield(L, -2, "connection_limit_exempt_list_remove");

/* ts.connection_limit_exempt_list_clear(...) */
lua_pushcfunction(L, ts_lua_connection_limit_exempt_list_clear);
lua_setfield(L, -2, "connection_limit_exempt_list_clear");

ts_lua_inject_misc_variables(L);
}

Expand Down Expand Up @@ -631,3 +646,54 @@ ts_lua_get_traffic_server_version(lua_State *L)
lua_pushstring(L, s);
return 1;
}

static int
ts_lua_connection_limit_exempt_list_add(lua_State *L)
{
size_t len;
const char *ip_ranges;

ip_ranges = luaL_checklstring(L, 1, &len);

if (ip_ranges && len > 0) {
TSReturnCode ret = TSConnectionLimitExemptListAdd(std::string_view(ip_ranges, len));
Comment on lines +650 to +659
Copy link

Copilot AI Feb 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These new Lua bindings add user-visible behavior but there doesn’t appear to be a gold test covering them. Consider adding a pluginTest/lua gold test that exercises add/remove/clear and verifies the per-client connection limit exempt behavior (e.g., max_connections_in throttles before add, then no throttling after adding 127.0.0.1/32, and throttling returns after remove/clear).

Copilot uses AI. Check for mistakes.
if (ret == TS_SUCCESS) {
lua_pushboolean(L, 1);
} else {
lua_pushboolean(L, 0);
}
} else {
lua_pushboolean(L, 0);
}

return 1;
}

static int
ts_lua_connection_limit_exempt_list_remove(lua_State *L)
{
size_t len;
const char *ip_ranges;

ip_ranges = luaL_checklstring(L, 1, &len);

if (ip_ranges && len > 0) {
TSReturnCode ret = TSConnectionLimitExemptListRemove(std::string_view(ip_ranges, len));
if (ret == TS_SUCCESS) {
lua_pushboolean(L, 1);
} else {
lua_pushboolean(L, 0);
}
} else {
lua_pushboolean(L, 0);
}

return 1;
}

static int
ts_lua_connection_limit_exempt_list_clear(lua_State *L)
{
TSConnectionLimitExemptListClear();
return 0;
}