1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
|
diff -purN ucspi-tcp-0.88.org/README.tcpserver-limits-patch ucspi-tcp-0.88.my/README.tcpserver-limits-patch
--- ucspi-tcp-0.88.org/README.tcpserver-limits-patch 1970-01-01 01:00:00.000000000 +0100
+++ ucspi-tcp-0.88.my/README.tcpserver-limits-patch 2005-01-30 18:26:14.000000000 +0100
@@ -0,0 +1,135 @@
+20050130 reinstated /proc/loadavg support for those compiling on Linux
+with dietlibc (see #define NO_GETLOADAVG at top of tcpserver.c).
+Also, we now compile on 64bit platforms (we avoid including unistd.h if
+using getloadavg(3), so we don't conflict with readwrite.h header file)
+Needed if your compile was breaking with:
+readwrite.h:4: error: syntax error before "read"
+readwrite.h:4: warning: data definition has no type or storage class
+SUMMARY: If 20040725 worked for you, there is no reason to upgrade
+(no new features of bugfixes)
+
+20040725 adds a sleep(1) before terminating (to prevent too high load from
+many rapid fork()/exit() calls. It also changes the method for checking
+system load to getloadavg(3) instead of parsing /proc/loadavg, therefore
+making it working on *BSD and other non-Linux systems in addition to Linux.
+It also adds DIEMSG="xxx" support.
+
+20040327 fixes a bug in 20040124 related to MAXLOAD (it would not work
+correctly when load was higher than 10.00)
+
+
+This patch (20040725) makes tcpserver from DJB's ucspi-tcp-0.88 package (see
+http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment
+variables are present.
+
+The variables can be preset before starting tcpserver (thus acting as
+default for all connections), or, if you use 'tcpserver -x xxx.cdb', they
+can be set (or overridden) from xxx.cdb. If none of the variables are set,
+tcpserver behaves same as non patched version (except for negligible
+performance loss). Any or all variables can be set, as soon as first limit
+is reached the connection is dropped. I'd recommend using .cdb files
+exclusively though, as you can then modify configuration without killing
+tcpserver.
+
+The variables are:
+
+(1) MAXLOAD
+ maximum 1-minute load average * 100. For example, if you have line
+ :allow,MAXLOAD="350"
+ in your rules file from which you created .cdb, the connection will be
+ accepted only if load average is below 3.50
+ For this variable to have effect, you have to have working getloadavg(3)
+ (most modern UN*Xoids have, including Linux and FreeBSD)
+ Otherwise, you have to uncomment #define NO_GETLOADAVG in tcpserver.c
+ and have readable '/proc/loadavg' with linux-2.4.x/2.6.x syntax (see
+ the source -- this is needed if you're compiling with dietlibc
+ or such)
+
+(2) MAXCONNIP
+ maximum connections from one IP address. tcpserver's -c flag defines
+ maximum number of allowed connections, but it can be abused if
+ just one host goes wild and eats all the connections - no other host
+ would be able to connect then. If you created your .cdb with:
+ :allow,MAXCONNIP="5"
+ and run tcpserver -c 50, then each IP address would be able to have at
+ most 5 concurrent connections, while there still could connect 50
+ clients total
+
+(3) MAXCONNC
+
+ maximum connections from whole C-class (256 addresses). Extension of
+ MAXCONNIP, as sometimes the problematic client has a whole farm of
+ client machines with different IP addresses instead of just one IP
+ address, and they all try to connect. It might have been more useful to
+ be able to specify CIDR block than C-class, but I've decided to KISS.
+
+ for example tcpserver -c 200, and .cdb with:
+ :allow,MAXCONNC="15"
+ will allow at most 15 host from any x.y.z.0/24 address block, while
+ still allowing up to 200 total connections.
+
+(4) DIEMSG
+
+ if set and one of the above limits is exceeded, this is the message
+ to be sent to client (CRLF is always added to the text) before terminating
+ connection. If unset, the connection simply terminates (after 1 sec delay)
+ if limit is exceeded.
+
+ For example:
+ DIEMSG="421 example.com Service temporarily not available, closing
+ transmission channel"
+
+Notes:
+
+- if a connection is dropped due to some of those variables set, it will be
+ flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
+ "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you
+ (eg. you have a strict log parsers), don't apply that chunk of the patch.
+
+- the idea for this patch came from my previous experience with xinetd, and
+ need to limit incoming bursts of virus/spam SMTP connections, since I was
+ running qmail-scanner to scan incoming and outgoing messages for viruses
+ and spam.
+
+When you make changes, please check that they work as expected.
+
+Examples (for tcprules created .cdb)
+(a) 192.168.:allow,MAXLOAD="1000"
+ :allow,MAXCONNIP="3"
+
+ this would allow any connection from your local LAN (192.168.*.*
+ addresses) if system load is less than 10.00. non-LAN connections would
+ be accepted only if clients from that IP address have not already opened
+ more than 2 connections (as your connection would be last allowed -- 3rd)
+
+(b) 192.168.:allow
+ 5.6.7.8:allow,MAXCONNIP="3"
+ 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
+ :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
+
+ if client connects from 192.168.*.* (ex: your LAN), it is allowed.
+ if it connects from 5.6.7.8 (ex: little abusive customer of yours),
+ it is allowed unless there are already 3active connections from 5.6.7.8
+ to this service
+ if it connects from 1.2.*.* (ex: some problematic networks which caused
+ you grief in the past) it will connect only if load is less than 5.0,
+ there is less than 5 active connections from whole C class
+ (1.2.*.0/24), and if that specific IP address does not already have
+ connection open.
+ in all other cases, the client will be permitted to connect if load is
+ less than 10.00 and client has 2 or less connections open. If load is
+ higher than 10.00 or there are 3 or more connections open from this
+ client, the message "421 example.com unavailable" will be returned to
+ the client and connection terminated.
+
+
+Any bugs introduced are my own, do not bother DJB with them.
+If you find any, or have neat ideas, or better documentation, or whatever,
+contact me.
+
+the latest version of the patch can be found at:
+http://linux.voyager.hr/ucspi-tcp/
+
+Enjoy,
+Matija Nalis,
+mnalis-tcpserver _at_ voyager.hr
diff -N -ru ucspi-tcp-0.88.orig/tcpserver.c ucspi-tcp-0.88/tcpserver.c
--- ucspi-tcp-0.88.orig/tcpserver.c 2005-08-28 14:34:30.000000000 +0200
+++ ucspi-tcp-0.88/tcpserver.c 2005-08-28 14:35:00.000000000 +0200
@@ -1,3 +1,12 @@
+#ifdef __dietlibc__
+#define NO_GETLOADAVG
+#endif
+
+#include <stdlib.h>
+#ifdef NO_GETLOADAVG
+#include <unistd.h>
+#endif
+
#include <sys/types.h>
#include <sys/param.h>
#include <netdb.h>
@@ -64,6 +73,13 @@
buffer b;
+typedef struct
+{
+ char ip[4];
+ pid_t pid;
+} baby;
+
+baby *child;
/* ---------------------------- child */
@@ -72,6 +88,10 @@
int flagdeny = 0;
int flagallownorules = 0;
char *fnrules = 0;
+unsigned long maxload = 0;
+unsigned long maxconnip = 0;
+unsigned long maxconnc = 0;
+char *diemsg = "";
void drop_nomem(void)
{
@@ -110,6 +130,8 @@
strerr_die4sys(111,DROP,"unable to read ",fnrules,": ");
}
+unsigned long limit = 40;
+
void found(char *data,unsigned int datalen)
{
unsigned int next0;
@@ -125,6 +147,10 @@
if (data[1 + split] == '=') {
data[1 + split] = 0;
env(data + 1,data + 1 + split + 1);
+ if (str_diff(data+1, "MAXLOAD") == 0) scan_ulong(data+1+split+1,&maxload);
+ if (str_diff(data+1, "MAXCONNIP") == 0) scan_ulong(data+1+split+1,&maxconnip);
+ if (str_diff(data+1, "MAXCONNC") == 0) scan_ulong(data+1+split+1,&maxconnc);
+ if (str_diff(data+1, "DIEMSG") == 0) diemsg = data+1+split+1;
}
break;
}
@@ -210,6 +236,53 @@
close(fdrules);
}
}
+
+ unsigned long curload;
+
+ if (maxload) {
+#ifdef NO_GETLOADAVG
+ int lret;
+ int i;
+ unsigned long u1, u2;
+ char *s;
+ static stralloc loadavg_data = {0};
+
+ lret = openreadclose("/proc/loadavg", &loadavg_data, 10);
+ if (lret != -1) {
+ /* /proc/loadavg format is:
+ 13.08 3.04 1.00 34/170 14190 */
+ s = loadavg_data.s;
+ i = scan_ulong (s, &u1); s+=i;
+ if ((i>0) && (i<5) && (*s == '.')) { /* load should be < 10000 */
+ i = scan_ulong (s+1,&u2);
+ if (i==2) { /* we require two decimal places */
+ curload = u1 * 100 + u2;
+ if (curload > maxload) flagdeny = 2;
+ }
+ }
+ }
+#else
+ double result;
+ if (getloadavg(&result, 1) == 1) {
+ curload = result * 100;
+ if (curload > maxload) flagdeny = 2;
+ }
+#endif
+ }
+
+ if (!flagdeny && (maxconnip || maxconnc)) {
+ unsigned long u, c1=0, cc=0;
+ for (u=0; u < limit; u++) if (child[u].pid != 0) {
+ if ((child[u].ip[0] == remoteip[0]) &&
+ (child[u].ip[1] == remoteip[1]) &&
+ (child[u].ip[2] == remoteip[2]) ) {
+ cc++;
+ if (child[u].ip[3] == remoteip[3]) c1++;
+ }
+ }
+ if (maxconnc && (cc >= maxconnc)) flagdeny = 4;
+ if (maxconnip && (c1 >= maxconnip)) flagdeny = 3;
+ }
if (verbosity >= 2) {
strnum[fmt_ulong(strnum,getpid())] = 0;
@@ -223,11 +296,35 @@
cats(":"); safecats(remoteipstr);
cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
cats(":"); safecats(remoteportstr);
+ if (flagdeny == 2) {
+ char curloadstr[FMT_ULONG];
+ curloadstr[fmt_ulong(curloadstr,curload)] = 0;
+ cats(" "); safecats ("LOAD"); cats(":"); safecats(curloadstr);
+ }
+ if (flagdeny == 3) {
+ char maxconstr[FMT_ULONG];
+ maxconstr[fmt_ulong(maxconstr,maxconnip)] = 0;
+ cats(" "); safecats ("MAXCONNIP"); cats(":"); safecats(maxconstr);
+ }
+ if (flagdeny == 4) {
+ char maxconstr[FMT_ULONG];
+ maxconstr[fmt_ulong(maxconstr,maxconnc)] = 0;
+ cats(" "); safecats ("MAXCONNC"); cats(":"); safecats(maxconstr);
+ }
cats("\n");
buffer_putflush(buffer_2,tmp.s,tmp.len);
}
- if (flagdeny) _exit(100);
+ if (flagdeny) {
+ if (*diemsg) {
+ buffer_init(&b,write,t,bspace,sizeof bspace);
+ buffer_puts(&b,diemsg);
+ if (buffer_putsflush(&b,"\r\n") == -1)
+ strerr_die2sys(111,DROP,"unable to print diemsg: ");
+ }
+ sleep(1);
+ _exit(100);
+ }
}
@@ -253,7 +350,6 @@
_exit(100);
}
-unsigned long limit = 40;
unsigned long numchildren = 0;
int flag1 = 0;
@@ -278,6 +374,7 @@
{
int wstat;
int pid;
+ unsigned long u;
while ((pid = wait_nohang(&wstat)) > 0) {
if (verbosity >= 2) {
@@ -286,11 +383,14 @@
strerr_warn4("tcpserver: end ",strnum," status ",strnum2,0);
}
if (numchildren) --numchildren; printstatus();
+ for (u=0; u < limit; u++) if (child[u].pid == pid) { child[u].pid = 0; break; }
+ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: dead child not found?!"); /* never happens */
}
}
main(int argc,char **argv)
{
+ pid_t pid;
char *hostname;
char *portname;
int opt;
@@ -332,6 +432,11 @@
argc -= optind;
argv += optind;
+ x = env_get("MAXLOAD"); if (x) scan_ulong(x,&maxload);
+ x = env_get("MAXCONNIP"); if (x) scan_ulong(x,&maxconnip);
+ x = env_get("MAXCONNC"); if (x) scan_ulong(x,&maxconnc);
+ x = env_get("DIEMSG"); if (x) diemsg = x;
+
if (!verbosity)
buffer_2->fd = -1;
@@ -352,6 +457,10 @@
}
if (!*argv) usage();
+
+ child = calloc(sizeof(baby),limit);
+ if (!child)
+ strerr_die2x(111,FATAL,"out of memory for MAXCONNIP tracking");
sig_block(sig_child);
sig_catch(sig_child,sigchld);
@@ -405,7 +514,7 @@
if (t == -1) continue;
++numchildren; printstatus();
- switch(fork()) {
+ switch(pid=fork()) {
case 0:
close(s);
doit(t);
@@ -420,6 +529,10 @@
case -1:
strerr_warn2(DROP,"unable to fork: ",&strerr_sys);
--numchildren; printstatus();
+ break;
+ default:
+ for (u=0; u < limit; u++) if (child[u].pid == 0) { byte_copy(child[u].ip,4,remoteip); child[u].pid = pid; break; }
+ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: no empty space for new child?!"); /* never happens */
}
close(t);
}
|
GitWeb