#!trydef ANTIFLOOD_RATE_WINDOW 2
#!trydef ANTIFLOOD_RATE_DENSITY 50
#!trydef ANTIFLOOD_RATE_EXPIRE 4
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 120
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 3

######## Flood Prevention Hash Tables ########
modparam("htable", "htable", "failed_auth_hash=>size=8;autoexpire=3600;")

######## Flood Prevention Module ########
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", ANTIFLOOD_RATE_WINDOW)
modparam("pike", "reqs_density_per_unit", ANTIFLOOD_RATE_DENSITY)
modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)


route[ANTIFLOOD_RATE_LIMIT]
{
    if (has_totag() || isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }

    # use pike to control the rates
    if (!pike_check_req()) {
        xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp");
        drop();
        exit;
    }
}

route[ANITFLOOD_AUTH_LIMIT]
{
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return(1);
    }

    if ($Au != $null &&
        $sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
    ) {
        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
            xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp");
            drop();
            exit;
        } else {
            $sht(failed_auth_hash=>$Au::count) = 0;
        }
    }
}

route[ANTIFLOOD_SUCCESSFUL_AUTH]
{
    if ($Au != $null && $sht(failed_auth_hash=>$Au::count) != $null) {
        $sht(failed_auth_hash=>$Au::count) = 0;
    }
}

route[ANITFLOOD_FAILED_AUTH]
{
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }

    if($sht(failed_auth_hash=>$Au::count) == $null) {
        $sht(failed_auth_hash=>$Au::count) = 0;
    }

    $sht(failed_auth_hash=>$Au::count) = $sht(failed_auth_hash=>$Au::count) + 1;
    $sht(failed_auth_hash=>$Au::last) = $Ts;

    xlog("L_INFO", "$ci|log|$sht(failed_auth_hash=>$Au::count) errounous authorization response for $Au $si:$sp");

   if ($sht(failed_auth_hash=>$Au::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
        if($sht(failed_auth_hash=>$Au::last) > $var(exp)){
            xlog("L_INFO", "$ci|end|registration forbidden $Au $si:$sp");
            send_reply("403", "Forbidden");
            exit;
        }
  }
}