diff options
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/socket.c | 48 |
1 files changed, 33 insertions, 15 deletions
diff --git a/src/common/socket.c b/src/common/socket.c index 19e4275a8..f49d4c0ca 100644 --- a/src/common/socket.c +++ b/src/common/socket.c @@ -42,6 +42,7 @@ fd_set readfds; int fd_max; time_t tick_; time_t stall_time_ = 60; +int ip_rules = 1; int rfifo_size = 65536; int wfifo_size = 65536; @@ -50,6 +51,8 @@ int wfifo_size = 65536; #define TCP_FRAME_LEN 1053 #endif +#define CONVIP(ip) ip&0xFF,(ip>>8)&0xFF,(ip>>16)&0xFF,ip>>24 + struct socket_data *session[FD_SETSIZE]; static int null_parse(int fd); @@ -197,7 +200,7 @@ static int connect_client(int listen_fd) if(fd==-1) { perror("accept"); return -1; - } else if (!connect_check(*(unsigned int*)(&client_address.sin_addr))) { + } else if (ip_rules && !connect_check(*(unsigned int*)(&client_address.sin_addr))) { close(fd); return -1; } else @@ -554,7 +557,7 @@ static struct _access_control *access_deny; static int access_order=ACO_DENY_ALLOW; static int access_allownum=0; static int access_denynum=0; -static int access_debug; +static int access_debug=0; static int ddos_count = 10; static int ddos_interval = 3000; static int ddos_autoreset = 600*1000; @@ -576,8 +579,8 @@ static int connect_check_(unsigned int ip); static int connect_check(unsigned int ip) { int result = connect_check_(ip); if(access_debug) { - printf("connect_check: connection from %08x %s\n", - ip,result ? "allowed" : "denied"); + printf("connect_check: Connection from %d.%d.%d.%d %s\n", + CONVIP(ip),result ? "allowed." : "denied!"); } return result; } @@ -591,8 +594,10 @@ static int connect_check_(unsigned int ip) { for(i = 0;i < access_allownum; i++) { if((ip & access_allow[i].mask) == (access_allow[i].ip & access_allow[i].mask)) { if(access_debug) { - printf("connect_check: match allow list from:%08x ip:%08x mask:%08x\n", - ip,access_allow[i].ip,access_allow[i].mask); + printf("connect_check: Found match from allow list:%d.%d.%d.%d IP:%d.%d.%d.%d Mask:%d.%d.%d.%d\n", + CONVIP(ip), + CONVIP(access_allow[i].ip), + CONVIP(access_allow[i].mask)); } is_allowip = 1; break; @@ -601,8 +606,10 @@ static int connect_check_(unsigned int ip) { for(i = 0;i < access_denynum; i++) { if((ip & access_deny[i].mask) == (access_deny[i].ip & access_deny[i].mask)) { if(access_debug) { - printf("connect_check: match deny list from:%08x ip:%08x mask:%08x\n", - ip,access_deny[i].ip,access_deny[i].mask); + printf("connect_check: Found match from deny list:%d.%d.%d.%d IP:%d.%d.%d.%d Mask:%d.%d.%d.%d\n", + CONVIP(ip), + CONVIP(access_deny[i].ip), + CONVIP(access_deny[i].mask)); } is_denyip = 1; break; @@ -655,8 +662,8 @@ static int connect_check_(unsigned int ip) { if(hist->count++ >= ddos_count) { // ddos UŒ‚‚ðŒŸo hist->status = 1; - printf("connect_check: ddos attack detected (%d.%d.%d.%d)\n", - ip & 0xFF,(ip >> 8) & 0xFF,(ip >> 16) & 0xFF,ip >> 24); + printf("connect_check: DDOS Attack detected from %d.%d.%d.%d!\n", + CONVIP(ip)); return (connect_ok == 2 ? 1 : 0); } else { return connect_ok; @@ -715,7 +722,7 @@ static int connect_check_clear(int tid,unsigned int tick,int id,int data) { } } if(access_debug) { - printf("connect_check_clear: clear = %d list = %d\n",clear,list); + printf("connect_check_clear: Cleared %d of %d from IP list.\n", clear, clear+list); } return list; } @@ -729,7 +736,7 @@ int access_ipmask(const char *str,struct _access_control* acc) mask = 0; } else { if( sscanf(str,"%d.%d.%d.%d%n",&a0,&a1,&a2,&a3,&i)!=4 || i==0) { - printf("access_ipmask: unknown format %s\n",str); + printf("access_ipmask: Unknown format %s!\n",str); return 0; } ip = (a3 << 24) | (a2 << 16) | (a1 << 8) | a0; @@ -746,7 +753,8 @@ int access_ipmask(const char *str,struct _access_control* acc) } } if(access_debug) { - printf("access_ipmask: ip:%08x mask:%08x %s\n",ip,mask,str); + printf("access_ipmask: Loaded IP:%d.%d.%d.%d mask:%d.%d.%d.%d\n", + CONVIP(ip), CONVIP(mask)); } acc->ip = ip; acc->mask = mask; @@ -771,11 +779,17 @@ int socket_config_read(const char *cfgName) { continue; if(strcmpi(w1,"stall_time")==0){ stall_time_ = atoi(w2); + } else if(strcmpi(w1,"enable_ip_rules")==0){ + if(strcmpi(w2,"yes")==0) + ip_rules = 1; + else if(strcmpi(w2,"no")==0) + ip_rules = 0; + else ip_rules = atoi(w2); } else if(strcmpi(w1,"order")==0){ access_order=atoi(w2); if(strcmpi(w2,"deny,allow")==0) access_order=ACO_DENY_ALLOW; if(strcmpi(w2,"allow,deny")==0) access_order=ACO_ALLOW_DENY; - if(strcmpi(w2,"mutual-failture")==0) access_order=ACO_MUTUAL_FAILTURE; + if(strcmpi(w2,"mutual-failure")==0) access_order=ACO_MUTUAL_FAILTURE; } else if(strcmpi(w1,"allow")==0){ access_allow = aRealloc(access_allow,(access_allownum+1)*sizeof(struct _access_control)); if(access_ipmask(w2,&access_allow[access_allownum])) { @@ -793,7 +807,11 @@ int socket_config_read(const char *cfgName) { } else if(!strcmpi(w1,"ddos_autoreset")){ ddos_autoreset = atoi(w2); } else if(!strcmpi(w1,"debug")){ - access_debug = atoi(w2); + if(strcmpi(w2,"yes")==0) + access_debug = 1; + else if(strcmpi(w2,"no")==0) + access_debug = 0; + else access_debug = atoi(w2); } else if (strcmpi(w1, "import") == 0) socket_config_read(w2); } |