3
0
mirror of https://github.com/ergochat/ergo.git synced 2024-11-25 13:29:27 +01:00
Includes a partially backwards-incompatible config change
This commit is contained in:
Shivaram Lingamneni 2019-11-18 01:42:48 -05:00
parent 5cce365092
commit 4050b6571a
8 changed files with 332 additions and 319 deletions

View File

@ -309,8 +309,7 @@ type Config struct {
SendUnprefixedSasl bool `yaml:"send-unprefixed-sasl"`
}
isupport isupport.List
ConnectionLimiter connection_limits.LimiterConfig `yaml:"connection-limits"`
ConnectionThrottler connection_limits.ThrottlerConfig `yaml:"connection-throttling"`
IPLimits connection_limits.LimiterConfig `yaml:"ip-limits"`
Cloaks cloaks.CloakConfig `yaml:"ip-cloaking"`
supportedCaps *caps.Set
capValues caps.Values
@ -633,16 +632,6 @@ func LoadConfig(filename string) (config *Config, err error) {
// set this even if STS is disabled
config.Server.capValues[caps.STS] = config.Server.STS.Value()
if config.Server.ConnectionThrottler.Enabled {
config.Server.ConnectionThrottler.Duration, err = time.ParseDuration(config.Server.ConnectionThrottler.DurationString)
if err != nil {
return nil, fmt.Errorf("Could not parse connection-throttle duration: %s", err.Error())
}
config.Server.ConnectionThrottler.BanDuration, err = time.ParseDuration(config.Server.ConnectionThrottler.BanDurationString)
if err != nil {
return nil, fmt.Errorf("Could not parse connection-throttle ban-duration: %s", err.Error())
}
}
// process webirc blocks
var newWebIRC []webircConfig
for _, webirc := range config.Server.WebIRC {

View File

@ -8,69 +8,161 @@ import (
"fmt"
"net"
"sync"
"time"
"github.com/oragono/oragono/irc/utils"
)
// LimiterConfig controls the automated connection limits.
type LimiterConfig struct {
Enabled bool
CidrLenIPv4 int `yaml:"cidr-len-ipv4"`
CidrLenIPv6 int `yaml:"cidr-len-ipv6"`
ConnsPerSubnet int `yaml:"connections-per-subnet"`
IPsPerSubnet int `yaml:"ips-per-subnet"` // legacy name for ConnsPerSubnet
Exempted []string
var (
ErrLimitExceeded = errors.New("too many concurrent connections")
ErrThrottleExceeded = errors.New("too many recent connection attempts")
)
type CustomLimitConfig struct {
MaxConcurrent int `yaml:"max-concurrent-connections"`
MaxPerWindow int `yaml:"max-connections-per-window"`
}
var (
errTooManyClients = errors.New("Too many clients in subnet")
)
// tuples the key-value pair of a CIDR and its custom limit/throttle values
type customLimit struct {
CustomLimitConfig
ipNet net.IPNet
}
// LimiterConfig controls the automated connection limits.
// RawLimiterConfig contains all the YAML-visible fields;
// LimiterConfig contains additional denormalized private fields
type RawLimiterConfig struct {
Limit bool
MaxConcurrent int `yaml:"max-concurrent-connections"`
Throttle bool
Window time.Duration
MaxPerWindow int `yaml:"max-connections-per-window"`
BanDuration time.Duration `yaml:"throttle-ban-duration"`
CidrLenIPv4 int `yaml:"cidr-len-ipv4"`
CidrLenIPv6 int `yaml:"cidr-len-ipv6"`
Exempted []string
CustomLimits map[string]CustomLimitConfig `yaml:"custom-limits"`
}
type LimiterConfig struct {
RawLimiterConfig
ipv4Mask net.IPMask
ipv6Mask net.IPMask
exemptedNets []net.IPNet
customLimits []customLimit
}
func (config *LimiterConfig) UnmarshalYAML(unmarshal func(interface{}) error) (err error) {
if err = unmarshal(&config.RawLimiterConfig); err != nil {
return err
}
return config.postprocess()
}
func (config *LimiterConfig) postprocess() (err error) {
config.exemptedNets, err = utils.ParseNetList(config.Exempted)
if err != nil {
return fmt.Errorf("Could not parse limiter exemption list: %v", err.Error())
}
for netStr, customLimitConf := range config.CustomLimits {
normalizedNet, err := utils.NormalizedNetFromString(netStr)
if err != nil {
return fmt.Errorf("Could not parse custom limit specification: %v", err.Error())
}
config.customLimits = append(config.customLimits, customLimit{
CustomLimitConfig: customLimitConf,
ipNet: normalizedNet,
})
}
config.ipv4Mask = net.CIDRMask(config.CidrLenIPv4, 32)
config.ipv6Mask = net.CIDRMask(config.CidrLenIPv6, 128)
return nil
}
// Limiter manages the automated client connection limits.
type Limiter struct {
sync.Mutex
enabled bool
ipv4Mask net.IPMask
ipv6Mask net.IPMask
// subnetLimit is the maximum number of clients per subnet
subnetLimit int
// population holds IP -> count of clients connected from there
population map[string]int
config *LimiterConfig
// exemptedNets holds networks that are exempt from limits
exemptedNets []net.IPNet
// IP/CIDR -> count of clients connected from there:
limiter map[string]int
// IP/CIDR -> throttle state:
throttler map[string]ThrottleDetails
}
// addrToKey canonicalizes `addr` to a string key.
func addrToKey(addr net.IP, v4Mask net.IPMask, v6Mask net.IPMask) string {
if addr.To4() != nil {
addr = addr.Mask(v4Mask) // IP.Mask() handles the 4-in-6 mapping for us
} else {
addr = addr.Mask(v6Mask)
// addrToKey canonicalizes `addr` to a string key, and returns
// the relevant connection limit and throttle max-per-window values
func (cl *Limiter) addrToKey(addr net.IP) (key string, limit int, throttle int) {
// `key` will be a CIDR string like "8.8.8.8/32" or "2001:0db8::/32"
for _, custom := range cl.config.customLimits {
if custom.ipNet.Contains(addr) {
return custom.ipNet.String(), custom.MaxConcurrent, custom.MaxPerWindow
}
return addr.String()
}
var ipNet net.IPNet
addrv4 := addr.To4()
if addrv4 != nil {
ipNet = net.IPNet{
IP: addrv4.Mask(cl.config.ipv4Mask),
Mask: cl.config.ipv4Mask,
}
} else {
ipNet = net.IPNet{
IP: addr.Mask(cl.config.ipv6Mask),
Mask: cl.config.ipv6Mask,
}
}
return ipNet.String(), cl.config.MaxConcurrent, cl.config.MaxPerWindow
}
// AddClient adds a client to our population if possible. If we can't, throws an error instead.
// 'force' is used to add already-existing clients (i.e. ones that are already on the network).
func (cl *Limiter) AddClient(addr net.IP, force bool) error {
func (cl *Limiter) AddClient(addr net.IP) error {
cl.Lock()
defer cl.Unlock()
// we don't track populations for exempted addresses or nets - this is by design
if !cl.enabled || utils.IPInNets(addr, cl.exemptedNets) {
if utils.IPInNets(addr, cl.config.exemptedNets) {
return nil
}
// check population
addrString := addrToKey(addr, cl.ipv4Mask, cl.ipv6Mask)
addrString, maxConcurrent, maxPerWindow := cl.addrToKey(addr)
if cl.population[addrString]+1 > cl.subnetLimit && !force {
return errTooManyClients
// XXX check throttle first; if we checked limit first and then checked throttle,
// we'd have to decrement the limit on an unsuccessful throttle check
if cl.config.Throttle {
details := cl.throttler[addrString] // retrieve mutable throttle state from the map
// add in constant state to process the limiting operation
g := GenericThrottle{
ThrottleDetails: details,
Duration: cl.config.Window,
Limit: maxPerWindow,
}
throttled, _ := g.Touch() // actually check the limit
cl.throttler[addrString] = g.ThrottleDetails // store modified mutable state
if throttled {
return ErrThrottleExceeded
}
}
cl.population[addrString] = cl.population[addrString] + 1
// now check limiter
if cl.config.Limit {
count := cl.limiter[addrString] + 1
if count > maxConcurrent {
return ErrLimitExceeded
}
cl.limiter[addrString] = count
}
return nil
}
@ -80,45 +172,43 @@ func (cl *Limiter) RemoveClient(addr net.IP) {
cl.Lock()
defer cl.Unlock()
if !cl.enabled || utils.IPInNets(addr, cl.exemptedNets) {
if !cl.config.Limit || utils.IPInNets(addr, cl.config.exemptedNets) {
return
}
addrString := addrToKey(addr, cl.ipv4Mask, cl.ipv6Mask)
cl.population[addrString] = cl.population[addrString] - 1
// safety limiter
if cl.population[addrString] < 0 {
cl.population[addrString] = 0
addrString, _, _ := cl.addrToKey(addr)
count := cl.limiter[addrString]
count -= 1
if count < 0 {
count = 0
}
cl.limiter[addrString] = count
}
// ApplyConfig atomically applies a config update to a connection limit handler
func (cl *Limiter) ApplyConfig(config LimiterConfig) error {
// assemble exempted nets
exemptedNets, err := utils.ParseNetList(config.Exempted)
if err != nil {
return fmt.Errorf("Could not parse limiter exemption list: %v", err.Error())
}
// ResetThrottle resets the throttle count for an IP
func (cl *Limiter) ResetThrottle(addr net.IP) {
cl.Lock()
defer cl.Unlock()
if cl.population == nil {
cl.population = make(map[string]int)
if !cl.config.Throttle || utils.IPInNets(addr, cl.config.exemptedNets) {
return
}
cl.enabled = config.Enabled
cl.ipv4Mask = net.CIDRMask(config.CidrLenIPv4, 32)
cl.ipv6Mask = net.CIDRMask(config.CidrLenIPv6, 128)
// subnetLimit is explicitly NOT capped at a minimum of one.
// this is so that CL config can be used to allow ONLY clients from exempted IPs/nets
cl.subnetLimit = config.ConnsPerSubnet
// but: check if the current key was left unset, but the legacy was set:
if cl.subnetLimit == 0 && config.IPsPerSubnet != 0 {
cl.subnetLimit = config.IPsPerSubnet
}
cl.exemptedNets = exemptedNets
return nil
addrString, _, _ := cl.addrToKey(addr)
delete(cl.throttler, addrString)
}
// ApplyConfig atomically applies a config update to a connection limit handler
func (cl *Limiter) ApplyConfig(config *LimiterConfig) {
cl.Lock()
defer cl.Unlock()
if cl.limiter == nil {
cl.limiter = make(map[string]int)
}
if cl.throttler == nil {
cl.throttler = make(map[string]ThrottleDetails)
}
cl.config = config
}

View File

@ -0,0 +1,87 @@
// Copyright (c) 2018 Shivaram Lingamneni
// released under the MIT license
package connection_limits
import (
"net"
"testing"
"time"
)
func easyParseIP(ipstr string) (result net.IP) {
result = net.ParseIP(ipstr)
if result == nil {
panic(ipstr)
}
return
}
var baseConfig = LimiterConfig{
RawLimiterConfig: RawLimiterConfig{
Limit: true,
MaxConcurrent: 4,
Throttle: true,
Window: time.Second * 600,
MaxPerWindow: 8,
CidrLenIPv4: 32,
CidrLenIPv6: 64,
Exempted: []string{"localhost"},
CustomLimits: map[string]CustomLimitConfig{
"8.8.0.0/16": {
MaxConcurrent: 128,
MaxPerWindow: 256,
},
},
},
}
func TestKeying(t *testing.T) {
config := baseConfig
config.postprocess()
var limiter Limiter
limiter.ApplyConfig(&config)
key, maxConc, maxWin := limiter.addrToKey(easyParseIP("1.1.1.1"))
assertEqual(key, "1.1.1.1/32", t)
assertEqual(maxConc, 4, t)
assertEqual(maxWin, 8, t)
key, maxConc, maxWin = limiter.addrToKey(easyParseIP("2607:5301:201:3100::7426"))
assertEqual(key, "2607:5301:201:3100::/64", t)
assertEqual(maxConc, 4, t)
assertEqual(maxWin, 8, t)
key, maxConc, maxWin = limiter.addrToKey(easyParseIP("8.8.4.4"))
assertEqual(key, "8.8.0.0/16", t)
assertEqual(maxConc, 128, t)
assertEqual(maxWin, 256, t)
}
func TestLimits(t *testing.T) {
regularIP := easyParseIP("2607:5301:201:3100::7426")
config := baseConfig
config.postprocess()
var limiter Limiter
limiter.ApplyConfig(&config)
for i := 0; i < 4; i++ {
err := limiter.AddClient(regularIP)
if err != nil {
t.Errorf("ip should not be blocked, but %v", err)
}
}
err := limiter.AddClient(regularIP)
if err != ErrLimitExceeded {
t.Errorf("ip should be blocked, but %v", err)
}
limiter.RemoveClient(regularIP)
err = limiter.AddClient(regularIP)
if err != nil {
t.Errorf("ip should not be blocked, but %v", err)
}
}

View File

@ -4,28 +4,9 @@
package connection_limits
import (
"fmt"
"net"
"sync"
"time"
"github.com/oragono/oragono/irc/utils"
)
// ThrottlerConfig controls the automated connection throttling.
type ThrottlerConfig struct {
Enabled bool
CidrLenIPv4 int `yaml:"cidr-len-ipv4"`
CidrLenIPv6 int `yaml:"cidr-len-ipv6"`
ConnectionsPerCidr int `yaml:"max-connections"`
DurationString string `yaml:"duration"`
Duration time.Duration `yaml:"duration-time"`
BanDurationString string `yaml:"ban-duration"`
BanDuration time.Duration
BanMessage string `yaml:"ban-message"`
Exempted []string
}
// ThrottleDetails holds the connection-throttling details for a subnet/IP.
type ThrottleDetails struct {
Start time.Time
@ -68,111 +49,3 @@ func (g *GenericThrottle) touch(now time.Time) (throttled bool, remainingTime ti
return false, 0
}
}
// Throttler manages automated client connection throttling.
type Throttler struct {
sync.RWMutex
enabled bool
ipv4Mask net.IPMask
ipv6Mask net.IPMask
subnetLimit int
duration time.Duration
population map[string]ThrottleDetails
// used by the server to ban clients that go over this limit
banDuration time.Duration
banMessage string
// exemptedNets holds networks that are exempt from limits
exemptedNets []net.IPNet
}
// ResetFor removes any existing count for the given address.
func (ct *Throttler) ResetFor(addr net.IP) {
ct.Lock()
defer ct.Unlock()
if !ct.enabled {
return
}
// remove
addrString := addrToKey(addr, ct.ipv4Mask, ct.ipv6Mask)
delete(ct.population, addrString)
}
// AddClient introduces a new client connection if possible. If we can't, throws an error instead.
func (ct *Throttler) AddClient(addr net.IP) error {
ct.Lock()
defer ct.Unlock()
if !ct.enabled {
return nil
}
// check exempted lists
if utils.IPInNets(addr, ct.exemptedNets) {
return nil
}
// check throttle
addrString := addrToKey(addr, ct.ipv4Mask, ct.ipv6Mask)
details := ct.population[addrString] // retrieve mutable throttle state from the map
// add in constant state to process the limiting operation
g := GenericThrottle{
ThrottleDetails: details,
Duration: ct.duration,
Limit: ct.subnetLimit,
}
throttled, _ := g.Touch() // actually check the limit
ct.population[addrString] = g.ThrottleDetails // store modified mutable state
if throttled {
return errTooManyClients
} else {
return nil
}
}
func (ct *Throttler) BanDuration() time.Duration {
ct.RLock()
defer ct.RUnlock()
return ct.banDuration
}
func (ct *Throttler) BanMessage() string {
ct.RLock()
defer ct.RUnlock()
return ct.banMessage
}
// ApplyConfig atomically applies a config update to a throttler
func (ct *Throttler) ApplyConfig(config ThrottlerConfig) error {
// assemble exempted nets
exemptedNets, err := utils.ParseNetList(config.Exempted)
if err != nil {
return fmt.Errorf("Could not parse throttle exemption list: %v", err.Error())
}
ct.Lock()
defer ct.Unlock()
if ct.population == nil {
ct.population = make(map[string]ThrottleDetails)
}
ct.enabled = config.Enabled
ct.ipv4Mask = net.CIDRMask(config.CidrLenIPv4, 32)
ct.ipv6Mask = net.CIDRMask(config.CidrLenIPv6, 128)
ct.subnetLimit = config.ConnectionsPerCidr
ct.duration = config.Duration
ct.banDuration = config.BanDuration
ct.banMessage = config.BanMessage
ct.exemptedNets = exemptedNets
return nil
}

View File

@ -62,19 +62,23 @@ func TestGenericThrottleDisabled(t *testing.T) {
}
}
func makeTestThrottler(v4len, v6len int) *Throttler {
func makeTestThrottler(v4len, v6len int) *Limiter {
minute, _ := time.ParseDuration("1m")
maxConnections := 3
config := ThrottlerConfig{
Enabled: true,
config := LimiterConfig{
RawLimiterConfig: RawLimiterConfig{
Limit: false,
Throttle: true,
CidrLenIPv4: v4len,
CidrLenIPv6: v6len,
ConnectionsPerCidr: maxConnections,
Duration: minute,
MaxPerWindow: maxConnections,
Window: minute,
},
}
var throttler Throttler
throttler.ApplyConfig(config)
return &throttler
config.postprocess()
var limiter Limiter
limiter.ApplyConfig(&config)
return &limiter
}
func TestConnectionThrottle(t *testing.T) {
@ -86,7 +90,7 @@ func TestConnectionThrottle(t *testing.T) {
assertEqual(err, nil, t)
}
err := throttler.AddClient(addr)
assertEqual(err, errTooManyClients, t)
assertEqual(err, ErrThrottleExceeded, t)
}
func TestConnectionThrottleIPv6(t *testing.T) {
@ -101,7 +105,7 @@ func TestConnectionThrottleIPv6(t *testing.T) {
assertEqual(err, nil, t)
err = throttler.AddClient(net.ParseIP("2001:0db8::4"))
assertEqual(err, errTooManyClients, t)
assertEqual(err, ErrThrottleExceeded, t)
}
func TestConnectionThrottleIPv4(t *testing.T) {
@ -116,5 +120,5 @@ func TestConnectionThrottleIPv4(t *testing.T) {
assertEqual(err, nil, t)
err = throttler.AddClient(net.ParseIP("192.168.1.104"))
assertEqual(err, errTooManyClients, t)
assertEqual(err, ErrThrottleExceeded, t)
}

View File

@ -4,16 +4,10 @@
package connection_limits
import (
"errors"
"sync"
"time"
)
var (
ErrLimitExceeded = errors.New("too many concurrent connections")
ErrThrottleExceeded = errors.New("too many recent connection attempts")
)
// TorLimiter is a combined limiter and throttler for use on connections
// proxied from a Tor hidden service (so we don't have meaningful IPs,
// a notion of CIDR width, etc.)

View File

@ -46,6 +46,8 @@ var (
// we only have standard channels for now. TODO: any updates to this
// will also need to be reflected in CasefoldChannel
chanTypes = "#"
throttleMessage = "You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect."
)
// ListenerWrapper wraps a listener so it can be safely reconfigured or stopped
@ -66,7 +68,6 @@ type Server struct {
config unsafe.Pointer
configFilename string
connectionLimiter connection_limits.Limiter
connectionThrottler connection_limits.Throttler
ctime time.Time
dlines *DLineManager
helpIndexManager HelpIndexManager
@ -214,32 +215,28 @@ func (server *Server) checkBans(ipaddr net.IP) (banned bool, message string) {
}
// check connection limits
err := server.connectionLimiter.AddClient(ipaddr, false)
if err != nil {
err := server.connectionLimiter.AddClient(ipaddr)
if err == connection_limits.ErrLimitExceeded {
// too many connections from one client, tell the client and close the connection
server.logger.Info("localconnect-ip", fmt.Sprintf("Client from %v rejected for connection limit", ipaddr))
return true, "Too many clients from your network"
}
// check connection throttle
err = server.connectionThrottler.AddClient(ipaddr)
if err != nil {
// too many connections too quickly from client, tell them and close the connection
duration := server.connectionThrottler.BanDuration()
} else if err == connection_limits.ErrThrottleExceeded {
duration := server.Config().Server.IPLimits.BanDuration
if duration == 0 {
return false, ""
}
server.dlines.AddIP(ipaddr, duration, server.connectionThrottler.BanMessage(), "Exceeded automated connection throttle", "auto.connection.throttler")
server.dlines.AddIP(ipaddr, duration, throttleMessage, "Exceeded automated connection throttle", "auto.connection.throttler")
// they're DLINE'd for 15 minutes or whatever, so we can reset the connection throttle now,
// and once their temporary DLINE is finished they can fill up the throttler again
server.connectionThrottler.ResetFor(ipaddr)
server.connectionLimiter.ResetThrottle(ipaddr)
// this might not show up properly on some clients, but our objective here is just to close it out before it has a load impact on us
server.logger.Info(
"localconnect-ip",
fmt.Sprintf("Client from %v exceeded connection throttle, d-lining for %v", ipaddr, duration))
return true, server.connectionThrottler.BanMessage()
return true, throttleMessage
} else if err != nil {
server.logger.Warning("internal", "unexpected ban result", err.Error())
}
return false, ""
@ -604,15 +601,7 @@ func (server *Server) applyConfig(config *Config, initial bool) (err error) {
// first, reload config sections for functionality implemented in subpackages:
err = server.connectionLimiter.ApplyConfig(config.Server.ConnectionLimiter)
if err != nil {
return err
}
err = server.connectionThrottler.ApplyConfig(config.Server.ConnectionThrottler)
if err != nil {
return err
}
server.connectionLimiter.ApplyConfig(&config.Server.IPLimits)
tlConf := &config.Server.TorListeners
server.torLimiter.Configure(tlConf.MaxConnections, tlConf.ThrottleDuration, tlConf.MaxConnectionsPerDuration)

View File

@ -144,53 +144,42 @@ server:
# this works around that bug, allowing them to use SASL.
send-unprefixed-sasl: true
# maximum number of connections per subnet
connection-limits:
# whether to enforce connection limits or not
enabled: true
# IP-based DoS protection
ip-limits:
# whether to enforce limits on the total number of concurrent connections per IP / CIDR
limit: true
# maximum concurrent connections per subnet
max-concurrent-connections: 16
# how wide the cidr should be for IPv4
# whether to restrict the rate of new connections per IP / CIDR
throttle: true
# how long to keep track of connections for
window: 10m
# maximum number of connections, per subnet, within the given duration
max-connections-per-window: 32
# how long to ban offenders for
# after banning them, the number of connections is reset (which lets you use UNDLINE to unban people)
throttle-ban-duration: 10m
# how wide the CIDR should be for IPv4 (a /32 is a fully specified IPv4 address)
cidr-len-ipv4: 32
# how wide the cidr should be for IPv6
# how wide the cidr should be for IPv6 (a /64 is the typical prefix assigned
# by an ISP to an individual customer for their LAN)
cidr-len-ipv6: 64
# maximum concurrent connections per subnet (defined above by the cidr length)
connections-per-subnet: 16
# IPs/networks which are exempted from connection limits
exempted:
- "localhost"
# - "192.168.1.1"
# - "2001:0db8::/32"
# automated connection throttling
connection-throttling:
# whether to throttle connections or not
enabled: true
# how wide the cidr should be for IPv4
cidr-len-ipv4: 32
# how wide the cidr should be for IPv6
cidr-len-ipv6: 64
# how long to keep track of connections for
duration: 10m
# maximum number of connections, per subnet, within the given duration
max-connections: 32
# how long to ban offenders for, and the message to use
# after banning them, the number of connections is reset (which lets you use UNDLINE to unban people)
ban-duration: 10m
ban-message: You have attempted to connect too many times within a short duration. Wait a while, and you will be able to connect.
# IPs/networks which are exempted from connection throttling
exempted:
- "localhost"
# - "192.168.1.1"
# - "2001:0db8::/32"
# custom connection limits for certain IPs/networks. Note that CIDR
# widths defined here override the default CIDR width --- the limit
# will apply to the entire CIDR no matter how large or small it is
custom-limits:
# "8.8.0.0/16":
# max-concurrent-connections: 128
# max-connections-per-window: 1024
# IP cloaking hides users' IP addresses from other users and from channel admins
# (but not from server admins), while still allowing channel admins to ban
@ -214,13 +203,11 @@ server:
# the cloaked hostname is derived only from the CIDR (most significant bits
# of the IP address), up to a configurable number of bits. this is the
# granularity at which bans will take effect for ipv4 (a /32 is a fully
# specified IP address). note that changing this value will invalidate
# any stored bans.
# granularity at which bans will take effect for IPv4. Note that changing
# this value will invalidate any stored bans.
cidr-len-ipv4: 32
# analogous value for ipv6 (an ipv6 /64 is the typical prefix assigned
# by an ISP to an individual customer for their LAN)
# analogous granularity for IPv6
cidr-len-ipv6: 64
# number of bits of hash output to include in the cloaked hostname.