From 11b689c5e8ee0d0c31a94a2fc919b09aa63eeedc Mon Sep 17 00:00:00 2001
From: metamuffin
Date: Tue, 18 Mar 2025 11:33:31 +0100
Subject: seperate h3 connection limit
---
 readme.md | 5 ++++-
 src/config.rs | 2 ++
 src/main.rs | 4 +++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/readme.md b/readme.md
index 2e6e983..3b2b5d0 100644
--- a/readme.md
+++ b/readme.md
@@ -76,7 +76,10 @@ reported in stderr and are only fatal at startup.
 - Note: Make sure you do not exceed the maximum file descriptor limit on your platform.
 - `max_incoming_connections` number of maximum incoming (downstream)
- connections. excess connections are rejected. Default: 512
+ connections over TCP transport. excess connections are rejected. Default:
+ 512
+ - `max_incoming_connections_h3` same but for HTTP/3 where connections are
+ cheaper due to reuse of a single UDP socket. Default: 4096
 - `max_outgoing_connections` number of maximum outgoing (upstream) connections. excess connections are rejected. Default: 256
diff --git a/src/config.rs b/src/config.rs
index bc972e3..25b8a12 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -47,6 +47,7 @@ pub fn return_true() -> bool {
 pub struct Limits {
 pub max_incoming_connections: usize,
 pub max_outgoing_connections: usize,
+ pub max_incoming_connections_h3: usize,
 }
 #[derive(Debug, Serialize, Deserialize)]
@@ -191,6 +192,7 @@ impl Default for Limits {
 fn default() -> Self {
 Self {
 max_incoming_connections: 512,
+ max_incoming_connections_h3: 4096,
 max_outgoing_connections: 256,
 }
 }
diff --git a/src/main.rs b/src/main.rs
index 9f7ba22..3d4e764 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -52,6 +52,7 @@ pub struct State {
 pub access_logs: RwLock>>,
 pub l_incoming: Semaphore,
 pub l_outgoing: Semaphore,
+ pub l_incoming_h3: Semaphore,
 }
 #[tokio::main]
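Review bot: The new field `max_incoming_connections_h3` in `Limits` (src/config.rs, first hunk) has no visible serde default, so a config file that already sets `limits` with only the two older keys may stop deserializing after this change. The attributes on `Limits` sit above the hunk, so this is unverified; if the struct is not marked `#[serde(default)]`, adding that would let `Default for Limits` supply the 4096 for older configs. The field would also benefit from a doc comment such as `/// Maximum concurrent incoming HTTP/3 connections; attempts beyond this are refused.`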
@@ -89,6 +90,7 @@ async fn main() -> anyhow::Result<()> {
 let state = Arc::new(State {
 crypto_key: aes_gcm_siv::Aes256GcmSiv::new(GenericArray::from_slice(&config.private_key)),
 l_incoming: Semaphore::new(config.limits.max_incoming_connections),
+ l_incoming_h3: Semaphore::new(config.limits.max_incoming_connections_h3),
 l_outgoing: Semaphore::new(config.limits.max_outgoing_connections),
 config: RwLock::new(Arc::new(config)),
 access_logs: Default::default(),
@@ -226,7 +228,7 @@ async fn serve_h3(state: Arc) -> Result<()> {
 tokio::spawn(async move {
 let addr = conn.remote_address(); // TODO wait for validatation (or not?)
 debug!("h3 connection attempt from {addr}");
- let Ok(_sem) = state.l_incoming.try_acquire() else {
+ let Ok(_sem) = state.l_incoming_h3.try_acquire() else {
 return conn.refuse();
 };
 let conn = match conn.accept() {
-- cgit v1.2.3-70-g09d2
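Review bot: `l_incoming_h3` is sized once from `config.limits.max_incoming_connections_h3` when `State` is built in `main`, while `config` itself is stored behind an `RwLock`, which suggests it can be swapped at runtime. If the configuration is reloadable, a changed `max_incoming_connections_h3` would silently not apply until restart; the same is true of the two existing semaphores. An operator adjusting limits under load would want that stated, for example with `// sized at startup; changing the limit requires a restart` next to the field and a matching sentence in the readme entry. `main` starts and ends outside the hunk.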
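Review bot: The permit from `state.l_incoming_h3.try_acquire()` in `serve_h3` is taken before the peer's address has been validated (the TODO two lines above leaves that open), so attempts from unverified source addresses count against `max_incoming_connections_h3` and can crowd out legitimate clients until they time out. If the QUIC library offers address validation or a stateless retry, requiring it before counting the attempt would keep the larger 4096 limit meaningful; the type of `conn` is not visible here, so this is inferred. Refusals are also silent, so exhaustion of the limit cannot be observed; I would add `debug!("h3 connection limit reached, refusing {addr}");` in the `else` branch before `return conn.refuse();`. The spawned closure continues past the end of the hunk, so how long `_sem` is held cannot be checked from here.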