Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/sys-apps/ucspi-tcp/files/0.88-limits.patch
diff options
context:
space:
mode:
Diffstat (limited to 'sys-apps/ucspi-tcp/files/0.88-limits.patch')
-rw-r--r--sys-apps/ucspi-tcp/files/0.88-limits.patch365
1 files changed, 365 insertions, 0 deletions
diff --git a/sys-apps/ucspi-tcp/files/0.88-limits.patch b/sys-apps/ucspi-tcp/files/0.88-limits.patch
new file mode 100644
index 000000000000..6ec88694bf0c
--- /dev/null
+++ b/sys-apps/ucspi-tcp/files/0.88-limits.patch
@@ -0,0 +1,365 @@
+diff -purN ucspi-tcp-0.88.org/README.tcpserver-limits-patch ucspi-tcp-0.88.my/README.tcpserver-limits-patch
+--- ucspi-tcp-0.88.org/README.tcpserver-limits-patch 1970-01-01 01:00:00.000000000 +0100
++++ ucspi-tcp-0.88.my/README.tcpserver-limits-patch 2005-01-30 18:26:14.000000000 +0100
+@@ -0,0 +1,135 @@
++20050130 reinstated /proc/loadavg support for those compiling on Linux
++with dietlibc (see #define NO_GETLOADAVG at top of tcpserver.c).
++Also, we now compile on 64bit platforms (we avoid including unistd.h if
++using getloadavg(3), so we don't conflict with readwrite.h header file)
++Needed if your compile was breaking with:
++readwrite.h:4: error: syntax error before "read"
++readwrite.h:4: warning: data definition has no type or storage class
++SUMMARY: If 20040725 worked for you, there is no reason to upgrade
++(no new features of bugfixes)
++
++20040725 adds a sleep(1) before terminating (to prevent too high load from
++many rapid fork()/exit() calls. It also changes the method for checking
++system load to getloadavg(3) instead of parsing /proc/loadavg, therefore
++making it working on *BSD and other non-Linux systems in addition to Linux.
++It also adds DIEMSG="xxx" support.
++
++20040327 fixes a bug in 20040124 related to MAXLOAD (it would not work
++correctly when load was higher than 10.00)
++
++
++This patch (20040725) makes tcpserver from DJB's ucspi-tcp-0.88 package (see
++http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment
++variables are present.
++
++The variables can be preset before starting tcpserver (thus acting as
++default for all connections), or, if you use 'tcpserver -x xxx.cdb', they
++can be set (or overridden) from xxx.cdb. If none of the variables are set,
++tcpserver behaves same as non patched version (except for negligible
++performance loss). Any or all variables can be set, as soon as first limit
++is reached the connection is dropped. I'd recommend using .cdb files
++exclusively though, as you can then modify configuration without killing
++tcpserver.
++
++The variables are:
++
++(1) MAXLOAD
++ maximum 1-minute load average * 100. For example, if you have line
++ :allow,MAXLOAD="350"
++ in your rules file from which you created .cdb, the connection will be
++ accepted only if load average is below 3.50
++ For this variable to have effect, you have to have working getloadavg(3)
++ (most modern UN*Xoids have, including Linux and FreeBSD)
++ Otherwise, you have to uncomment #define NO_GETLOADAVG in tcpserver.c
++ and have readable '/proc/loadavg' with linux-2.4.x/2.6.x syntax (see
++ the source -- this is needed if you're compiling with dietlibc
++ or such)
++
++(2) MAXCONNIP
++ maximum connections from one IP address. tcpserver's -c flag defines
++ maximum number of allowed connections, but it can be abused if
++ just one host goes wild and eats all the connections - no other host
++ would be able to connect then. If you created your .cdb with:
++ :allow,MAXCONNIP="5"
++ and run tcpserver -c 50, then each IP address would be able to have at
++ most 5 concurrent connections, while there still could connect 50
++ clients total
++
++(3) MAXCONNC
++
++ maximum connections from whole C-class (256 addresses). Extension of
++ MAXCONNIP, as sometimes the problematic client has a whole farm of
++ client machines with different IP addresses instead of just one IP
++ address, and they all try to connect. It might have been more useful to
++ be able to specify CIDR block than C-class, but I've decided to KISS.
++
++ for example tcpserver -c 200, and .cdb with:
++ :allow,MAXCONNC="15"
++ will allow at most 15 host from any x.y.z.0/24 address block, while
++ still allowing up to 200 total connections.
++
++(4) DIEMSG
++
++ if set and one of the above limits is exceeded, this is the message
++ to be sent to client (CRLF is always added to the text) before terminating
++ connection. If unset, the connection simply terminates (after 1 sec delay)
++ if limit is exceeded.
++
++ For example:
++ DIEMSG="421 example.com Service temporarily not available, closing
++ transmission channel"
++
++Notes:
++
++- if a connection is dropped due to some of those variables set, it will be
++ flagged (if you run tcpserver -v) with "LOAD:", "MAXCONNIP:" or
++ "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you
++ (eg. you have a strict log parsers), don't apply that chunk of the patch.
++
++- the idea for this patch came from my previous experience with xinetd, and
++ need to limit incoming bursts of virus/spam SMTP connections, since I was
++ running qmail-scanner to scan incoming and outgoing messages for viruses
++ and spam.
++
++When you make changes, please check that they work as expected.
++
++Examples (for tcprules created .cdb)
++(a) 192.168.:allow,MAXLOAD="1000"
++ :allow,MAXCONNIP="3"
++
++ this would allow any connection from your local LAN (192.168.*.*
++ addresses) if system load is less than 10.00. non-LAN connections would
++ be accepted only if clients from that IP address have not already opened
++ more than 2 connections (as your connection would be last allowed -- 3rd)
++
++(b) 192.168.:allow
++ 5.6.7.8:allow,MAXCONNIP="3"
++ 1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
++ :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"
++
++ if client connects from 192.168.*.* (ex: your LAN), it is allowed.
++ if it connects from 5.6.7.8 (ex: little abusive customer of yours),
++ it is allowed unless there are already 3active connections from 5.6.7.8
++ to this service
++ if it connects from 1.2.*.* (ex: some problematic networks which caused
++ you grief in the past) it will connect only if load is less than 5.0,
++ there is less than 5 active connections from whole C class
++ (1.2.*.0/24), and if that specific IP address does not already have
++ connection open.
++ in all other cases, the client will be permitted to connect if load is
++ less than 10.00 and client has 2 or less connections open. If load is
++ higher than 10.00 or there are 3 or more connections open from this
++ client, the message "421 example.com unavailable" will be returned to
++ the client and connection terminated.
++
++
++Any bugs introduced are my own, do not bother DJB with them.
++If you find any, or have neat ideas, or better documentation, or whatever,
++contact me.
++
++the latest version of the patch can be found at:
++http://linux.voyager.hr/ucspi-tcp/
++
++Enjoy,
++Matija Nalis,
++mnalis-tcpserver _at_ voyager.hr
+diff -N -ru ucspi-tcp-0.88.orig/tcpserver.c ucspi-tcp-0.88/tcpserver.c
+--- ucspi-tcp-0.88.orig/tcpserver.c 2005-08-28 14:34:30.000000000 +0200
++++ ucspi-tcp-0.88/tcpserver.c 2005-08-28 14:35:00.000000000 +0200
+@@ -1,3 +1,12 @@
++#ifdef __dietlibc__
++#define NO_GETLOADAVG
++#endif
++
++#include <stdlib.h>
++#ifdef NO_GETLOADAVG
++#include <unistd.h>
++#endif
++
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <netdb.h>
+@@ -64,6 +73,13 @@
+ buffer b;
+
+
++typedef struct
++{
++ char ip[4];
++ pid_t pid;
++} baby;
++
++baby *child;
+
+ /* ---------------------------- child */
+
+@@ -72,6 +88,10 @@
+ int flagdeny = 0;
+ int flagallownorules = 0;
+ char *fnrules = 0;
++unsigned long maxload = 0;
++unsigned long maxconnip = 0;
++unsigned long maxconnc = 0;
++char *diemsg = "";
+
+ void drop_nomem(void)
+ {
+@@ -110,6 +130,8 @@
+ strerr_die4sys(111,DROP,"unable to read ",fnrules,": ");
+ }
+
++unsigned long limit = 40;
++
+ void found(char *data,unsigned int datalen)
+ {
+ unsigned int next0;
+@@ -125,6 +147,10 @@
+ if (data[1 + split] == '=') {
+ data[1 + split] = 0;
+ env(data + 1,data + 1 + split + 1);
++ if (str_diff(data+1, "MAXLOAD") == 0) scan_ulong(data+1+split+1,&maxload);
++ if (str_diff(data+1, "MAXCONNIP") == 0) scan_ulong(data+1+split+1,&maxconnip);
++ if (str_diff(data+1, "MAXCONNC") == 0) scan_ulong(data+1+split+1,&maxconnc);
++ if (str_diff(data+1, "DIEMSG") == 0) diemsg = data+1+split+1;
+ }
+ break;
+ }
+@@ -210,6 +236,53 @@
+ close(fdrules);
+ }
+ }
++
++ unsigned long curload;
++
++ if (maxload) {
++#ifdef NO_GETLOADAVG
++ int lret;
++ int i;
++ unsigned long u1, u2;
++ char *s;
++ static stralloc loadavg_data = {0};
++
++ lret = openreadclose("/proc/loadavg", &loadavg_data, 10);
++ if (lret != -1) {
++ /* /proc/loadavg format is:
++ 13.08 3.04 1.00 34/170 14190 */
++ s = loadavg_data.s;
++ i = scan_ulong (s, &u1); s+=i;
++ if ((i>0) && (i<5) && (*s == '.')) { /* load should be < 10000 */
++ i = scan_ulong (s+1,&u2);
++ if (i==2) { /* we require two decimal places */
++ curload = u1 * 100 + u2;
++ if (curload > maxload) flagdeny = 2;
++ }
++ }
++ }
++#else
++ double result;
++ if (getloadavg(&result, 1) == 1) {
++ curload = result * 100;
++ if (curload > maxload) flagdeny = 2;
++ }
++#endif
++ }
++
++ if (!flagdeny && (maxconnip || maxconnc)) {
++ unsigned long u, c1=0, cc=0;
++ for (u=0; u < limit; u++) if (child[u].pid != 0) {
++ if ((child[u].ip[0] == remoteip[0]) &&
++ (child[u].ip[1] == remoteip[1]) &&
++ (child[u].ip[2] == remoteip[2]) ) {
++ cc++;
++ if (child[u].ip[3] == remoteip[3]) c1++;
++ }
++ }
++ if (maxconnc && (cc >= maxconnc)) flagdeny = 4;
++ if (maxconnip && (c1 >= maxconnip)) flagdeny = 3;
++ }
+
+ if (verbosity >= 2) {
+ strnum[fmt_ulong(strnum,getpid())] = 0;
+@@ -223,11 +296,35 @@
+ cats(":"); safecats(remoteipstr);
+ cats(":"); if (flagremoteinfo) safecats(tcpremoteinfo.s);
+ cats(":"); safecats(remoteportstr);
++ if (flagdeny == 2) {
++ char curloadstr[FMT_ULONG];
++ curloadstr[fmt_ulong(curloadstr,curload)] = 0;
++ cats(" "); safecats ("LOAD"); cats(":"); safecats(curloadstr);
++ }
++ if (flagdeny == 3) {
++ char maxconstr[FMT_ULONG];
++ maxconstr[fmt_ulong(maxconstr,maxconnip)] = 0;
++ cats(" "); safecats ("MAXCONNIP"); cats(":"); safecats(maxconstr);
++ }
++ if (flagdeny == 4) {
++ char maxconstr[FMT_ULONG];
++ maxconstr[fmt_ulong(maxconstr,maxconnc)] = 0;
++ cats(" "); safecats ("MAXCONNC"); cats(":"); safecats(maxconstr);
++ }
+ cats("\n");
+ buffer_putflush(buffer_2,tmp.s,tmp.len);
+ }
+
+- if (flagdeny) _exit(100);
++ if (flagdeny) {
++ if (*diemsg) {
++ buffer_init(&b,write,t,bspace,sizeof bspace);
++ buffer_puts(&b,diemsg);
++ if (buffer_putsflush(&b,"\r\n") == -1)
++ strerr_die2sys(111,DROP,"unable to print diemsg: ");
++ }
++ sleep(1);
++ _exit(100);
++ }
+ }
+
+
+@@ -253,7 +350,6 @@
+ _exit(100);
+ }
+
+-unsigned long limit = 40;
+ unsigned long numchildren = 0;
+
+ int flag1 = 0;
+@@ -278,6 +374,7 @@
+ {
+ int wstat;
+ int pid;
++ unsigned long u;
+
+ while ((pid = wait_nohang(&wstat)) > 0) {
+ if (verbosity >= 2) {
+@@ -286,11 +383,14 @@
+ strerr_warn4("tcpserver: end ",strnum," status ",strnum2,0);
+ }
+ if (numchildren) --numchildren; printstatus();
++ for (u=0; u < limit; u++) if (child[u].pid == pid) { child[u].pid = 0; break; }
++ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: dead child not found?!"); /* never happens */
+ }
+ }
+
+ main(int argc,char **argv)
+ {
++ pid_t pid;
+ char *hostname;
+ char *portname;
+ int opt;
+@@ -332,6 +432,11 @@
+ argc -= optind;
+ argv += optind;
+
++ x = env_get("MAXLOAD"); if (x) scan_ulong(x,&maxload);
++ x = env_get("MAXCONNIP"); if (x) scan_ulong(x,&maxconnip);
++ x = env_get("MAXCONNC"); if (x) scan_ulong(x,&maxconnc);
++ x = env_get("DIEMSG"); if (x) diemsg = x;
++
+ if (!verbosity)
+ buffer_2->fd = -1;
+
+@@ -352,6 +457,10 @@
+ }
+
+ if (!*argv) usage();
++
++ child = calloc(sizeof(baby),limit);
++ if (!child)
++ strerr_die2x(111,FATAL,"out of memory for MAXCONNIP tracking");
+
+ sig_block(sig_child);
+ sig_catch(sig_child,sigchld);
+@@ -405,7 +514,7 @@
+ if (t == -1) continue;
+ ++numchildren; printstatus();
+
+- switch(fork()) {
++ switch(pid=fork()) {
+ case 0:
+ close(s);
+ doit(t);
+@@ -420,6 +529,10 @@
+ case -1:
+ strerr_warn2(DROP,"unable to fork: ",&strerr_sys);
+ --numchildren; printstatus();
++ break;
++ default:
++ for (u=0; u < limit; u++) if (child[u].pid == 0) { byte_copy(child[u].ip,4,remoteip); child[u].pid = pid; break; }
++ if (u == limit) strerr_die1x(111,"tcpserver: ERROR: no empty space for new child?!"); /* never happens */
+ }
+ close(t);
+ }