TUN-8861: Add session limiter to UDP session manager

## Summary
To make cloudflared behavior more predictable and
prevent resource exhaustion, we have decided to add
session limits that can be configured by the user. This first
commit introduces the session limiter and adds it to the UDP
handling path. For now the limiter is set to run only in
unlimited mode.
João "Pisco" Fernandes
2025-01-20 02:52:32 -08:00
parent 8918b6729e
commit bf4954e96a
66 changed files with 3409 additions and 1184 deletions


@@ -26,12 +26,6 @@ const (
tunnelRetryDuration = time.Second * 10
// Interval between registering new tunnels
registrationInterval = time.Second
subsystemRefreshAuth = "refresh_auth"
// Maximum exponent for 'Authenticate' exponential backoff
refreshAuthMaxBackoff = 10
// Waiting time before retrying a failed 'Authenticate' connection
refreshAuthRetryDuration = time.Second * 10
)
// Supervisor manages non-declarative tunnels. Establishes TCP connections with the edge, and
@@ -84,7 +78,7 @@ func NewSupervisor(config *TunnelConfig, orchestrator *orchestration.Orchestrato
edgeBindAddr := config.EdgeBindAddr
datagramMetrics := v3.NewMetrics(prometheus.DefaultRegisterer)
sessionManager := v3.NewSessionManager(datagramMetrics, config.Log, ingress.DialUDPAddrPort)
sessionManager := v3.NewSessionManager(datagramMetrics, config.Log, ingress.DialUDPAddrPort, orchestrator.GetSessionLimiter())
edgeTunnelServer := EdgeTunnelServer{
config: config,
@@ -313,6 +307,7 @@ func (s *Supervisor) startTunnel(
s.tunnelErrors <- tunnelError{index: index, err: err}
}()
// nolint: gosec
err = s.edgeTunnelServer.Serve(ctx, uint8(index), s.tunnelsProtocolFallback[index], connectedSignal)
}
@@ -334,7 +329,3 @@ func (s *Supervisor) waitForNextTunnel(index int) bool {
}
return false
}
func (s *Supervisor) unusedIPs() bool {
return s.edgeIPs.AvailableAddrs() > s.config.HAConnections
}
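Review bot: The `// nolint: gosec` added above the `uint8(index)` argument in startTunnel silences the narrowing-conversion finding without recording why the conversion cannot truncate, so the next reader has to re-derive that index is bounded. Since index appears to be bounded by the HA connection count (s.config.HAConnections is compared against elsewhere on this page), a one-line justification would make the suppression auditable: `// nolint: gosec // index < HAConnections, well below math.MaxUint8`; if that bound is not actually guaranteed, an explicit guard such as `if index > math.MaxUint8 { return fmt.Errorf("tunnel index %d exceeds uint8", index) }` before the call is the safer option. The same pattern repeats in the next file on the two `uint8(backoff.Retries())` conversions, where the return type of Retries() is not visible here. startTunnel's body starts and ends outside this hunk.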


@@ -459,6 +459,7 @@ func (e *EdgeTunnelServer) serveConnection(
switch protocol {
case connection.QUIC:
// nolint: gosec
connOptions := e.config.connectionOptions(addr.UDP.String(), uint8(backoff.Retries()))
return e.serveQUIC(ctx,
addr.UDP.AddrPort(),
@@ -474,6 +475,7 @@ func (e *EdgeTunnelServer) serveConnection(
return err, true
}
// nolint: gosec
connOptions := e.config.connectionOptions(edgeConn.LocalAddr().String(), uint8(backoff.Retries()))
if err := e.serveHTTP2(
ctx,
@@ -615,6 +617,7 @@ func (e *EdgeTunnelServer) serveQUIC(
connIndex,
e.config.RPCTimeout,
e.config.WriteStreamTimeout,
e.orchestrator.GetSessionLimiter(),
connLogger.Logger(),
)
}
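Review bot: The session limiter reaches serveQUIC through `e.orchestrator.GetSessionLimiter()` on every connection (last hunk), while the UDP session manager built in NewSupervisor captures the same accessor's result once at construction; if the orchestrator ever replaces the limiter object on a configuration update (the description says the limits are user-configurable), the two paths could end up enforcing against different limiter instances. If GetSessionLimiter returns one stable object whose limits are updated in place this is fine, and a doc comment on the accessor stating that — e.g. `// GetSessionLimiter returns the orchestrator's single session limiter; its limits are updated in place, so callers may cache the returned value.` — would make the contract explicit; otherwise the session manager should fetch the limiter per session rather than caching it. serveQUIC's body starts outside this hunk.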