summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--Changelog-SVN.txt5
-rw-r--r--conf-tmpl/inter_athena.conf3
-rw-r--r--conf-tmpl/packet_athena.conf46
-rw-r--r--src/common/socket.c341
-rw-r--r--src/common/socket.h16
-rw-r--r--src/map/clif.c6
-rw-r--r--src/map/map.c9
7 files changed, 391 insertions, 35 deletions
diff --git a/Changelog-SVN.txt b/Changelog-SVN.txt
index b6b7e0867..4647f89d5 100644
--- a/Changelog-SVN.txt
+++ b/Changelog-SVN.txt
@@ -1,5 +1,10 @@
Date Added
+03/16
+ * Updated jA's dummy socket to mod1137 [celest]
+ * Added jA's ddos protection system -- check packet_athena.conf [celest]
+ * Moved stall_time's reading from inter_athena.conf to packet_athena.conf
+
03/15
* Fixed a compile warning in pc.c [celest]
* Updated Soul Breaker's damage display, by DracoRPG [celest]
diff --git a/conf-tmpl/inter_athena.conf b/conf-tmpl/inter_athena.conf
index b73865f8f..a2155a5ac 100644
--- a/conf-tmpl/inter_athena.conf
+++ b/conf-tmpl/inter_athena.conf
@@ -32,9 +32,6 @@ inter_log_filename: log/inter.log
// Level range for sharing within a party
party_share_level: 10
-// How long can a socket stall before closing the connection
-stall_time: 60
-
// SQL version options only
diff --git a/conf-tmpl/packet_athena.conf b/conf-tmpl/packet_athena.conf
new file mode 100644
index 000000000..b8e1f31f7
--- /dev/null
+++ b/conf-tmpl/packet_athena.conf
@@ -0,0 +1,46 @@
+// ソケット関連の設定です。 (Untranslated yet)
+
+
+// How long can a socket stall before closing the connection (in seconds)
+stall_time: 60
+
+//---- Ddos Protection Settings ----
+
+// デバッグ情報の表示(バグ報告の際にコピペして頂けると助かります)
+// debug: 1
+
+// ddos攻撃と判断する為のルール設定
+// ddos_interval msec以内の接続要求がddos_count回続いた場合に、
+// ddos攻撃されたと判定します。
+
+// 接続間隔(msec)
+ddos_interval: 3000
+
+// 接続回数
+ddos_count: 5
+
+// ddos制限を解除する間隔(msec)
+// この時間経過すると、接続制限が解除されます。
+ddos_autoreset: 600000
+
+// アクセス制限の判定順序(Apacheと同じ)
+// deny,allow が標準になっています。
+
+order: deny,allow
+// order: allow,deny
+// order: mutual-failture
+
+// アクセスコントロールするIPリスト
+// allow : ddosチェックの結果に関係なく許可
+// deny : 不許可
+// 指定無し : ddosチェックの結果で許可 / 不許可を決定
+// ただし、mutual-failture の場合は不許可になります。
+
+// allow: 127.0.0.1
+// allow: 192.168.0.0/16
+// allow: 10.0.0.0/255.0.0.0
+allow: all
+
+// deny: 127.0.0.1
+
+import: conf/import/packet_conf.txt \ No newline at end of file
diff --git a/src/common/socket.c b/src/common/socket.c
index ad4e7d2e2..19e4275a8 100644
--- a/src/common/socket.c
+++ b/src/common/socket.c
@@ -29,9 +29,10 @@ typedef int socklen_t;
#include <fcntl.h>
#include <string.h>
-#include "mmo.h" // [Valaris] thanks to fov
#include "socket.h"
-#include "utils.h"
+#include "../common/mmo.h" // [Valaris] thanks to fov
+#include "../common/timer.h"
+#include "../common/utils.h"
#ifdef MEMWATCH
#include "memwatch.h"
@@ -54,11 +55,9 @@ struct socket_data *session[FD_SETSIZE];
static int null_parse(int fd);
static int (*default_func_parse)(int) = null_parse;
-// fdが不正な時に代わりに読み書きするバッファ
-unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
-
static int null_console_parse(char *buf);
static int (*default_console_parse)(char*) = null_console_parse;
+static int connect_check(unsigned int ip);
/*======================================
* CORE : Set function
@@ -195,16 +194,20 @@ static int connect_client(int listen_fd)
setsocketopts(fd);
- if(fd==-1)
+ if(fd==-1) {
perror("accept");
- else
+ return -1;
+ } else if (!connect_check(*(unsigned int*)(&client_address.sin_addr))) {
+ close(fd);
+ return -1;
+ } else
FD_SET(fd,&readfds);
#ifdef _WIN32
- {
- unsigned long val = 1;
- ioctlsocket(fd, FIONBIO, &val);
- }
+ {
+ unsigned long val = 1;
+ ioctlsocket(fd, FIONBIO, &val);
+ }
#else
result = fcntl(fd, F_SETFL, O_NONBLOCK);
#endif
@@ -415,7 +418,7 @@ int make_connection(long ip,int port)
int delete_session(int fd)
{
- if(fd<0 || fd>=FD_SETSIZE)
+ if(fd<=0 || fd>=FD_SETSIZE)
return -1;
FD_CLR(fd,&readfds);
if(session[fd]){
@@ -533,9 +536,269 @@ int do_parsepacket(void)
return 0;
}
-void do_socket(void)
+/* DDoS 攻撃対策 */
+
+enum {
+ ACO_DENY_ALLOW=0,
+ ACO_ALLOW_DENY,
+ ACO_MUTUAL_FAILTURE,
+};
+
+struct _access_control {
+ unsigned int ip;
+ unsigned int mask;
+};
+
+static struct _access_control *access_allow;
+static struct _access_control *access_deny;
+static int access_order=ACO_DENY_ALLOW;
+static int access_allownum=0;
+static int access_denynum=0;
+static int access_debug;
+static int ddos_count = 10;
+static int ddos_interval = 3000;
+static int ddos_autoreset = 600*1000;
+
+struct _connect_history {
+ struct _connect_history *next;
+ struct _connect_history *prev;
+ int status;
+ int count;
+ unsigned int ip;
+ unsigned int tick;
+};
+static struct _connect_history *connect_history[0x10000];
+static int connect_check_(unsigned int ip);
+
+// 接続できるかどうかの確認
+// false : 接続OK
+// true : 接続NG
+static int connect_check(unsigned int ip) {
+ int result = connect_check_(ip);
+ if(access_debug) {
+ printf("connect_check: connection from %08x %s\n",
+ ip,result ? "allowed" : "denied");
+ }
+ return result;
+}
+
+static int connect_check_(unsigned int ip) {
+ struct _connect_history *hist = connect_history[ip & 0xFFFF];
+ struct _connect_history *hist_new;
+ int i,is_allowip = 0,is_denyip = 0,connect_ok = 0;
+
+ // allow , deny リストに入っているか確認
+ for(i = 0;i < access_allownum; i++) {
+ if((ip & access_allow[i].mask) == (access_allow[i].ip & access_allow[i].mask)) {
+ if(access_debug) {
+ printf("connect_check: match allow list from:%08x ip:%08x mask:%08x\n",
+ ip,access_allow[i].ip,access_allow[i].mask);
+ }
+ is_allowip = 1;
+ break;
+ }
+ }
+ for(i = 0;i < access_denynum; i++) {
+ if((ip & access_deny[i].mask) == (access_deny[i].ip & access_deny[i].mask)) {
+ if(access_debug) {
+ printf("connect_check: match deny list from:%08x ip:%08x mask:%08x\n",
+ ip,access_deny[i].ip,access_deny[i].mask);
+ }
+ is_denyip = 1;
+ break;
+ }
+ }
+ // コネクト出来るかどうか確認
+ // connect_ok
+ // 0 : 無条件に拒否
+ // 1 : 田代砲チェックの結果次第
+ // 2 : 無条件に許可
+ switch(access_order) {
+ case ACO_DENY_ALLOW:
+ default:
+ if(is_allowip) {
+ connect_ok = 2;
+ } else if(is_denyip) {
+ connect_ok = 0;
+ } else {
+ connect_ok = 1;
+ }
+ break;
+ case ACO_ALLOW_DENY:
+ if(is_denyip) {
+ connect_ok = 0;
+ } else if(is_allowip) {
+ connect_ok = 2;
+ } else {
+ connect_ok = 1;
+ }
+ break;
+ case ACO_MUTUAL_FAILTURE:
+ if(is_allowip) {
+ connect_ok = 2;
+ } else {
+ connect_ok = 0;
+ }
+ break;
+ }
+
+ // 接続履歴を調べる
+ while(hist) {
+ if(ip == hist->ip) {
+ // 同じIP発見
+ if(hist->status) {
+ // ban フラグが立ってる
+ return (connect_ok == 2 ? 1 : 0);
+ } else if(DIFF_TICK(gettick(),hist->tick) < ddos_interval) {
+ // ddos_interval秒以内にリクエスト有り
+ hist->tick = gettick();
+ if(hist->count++ >= ddos_count) {
+ // ddos 攻撃を検出
+ hist->status = 1;
+ printf("connect_check: ddos attack detected (%d.%d.%d.%d)\n",
+ ip & 0xFF,(ip >> 8) & 0xFF,(ip >> 16) & 0xFF,ip >> 24);
+ return (connect_ok == 2 ? 1 : 0);
+ } else {
+ return connect_ok;
+ }
+ } else {
+ // ddos_interval秒以内にリクエスト無いのでタイマークリア
+ hist->tick = gettick();
+ hist->count = 0;
+ return connect_ok;
+ }
+ }
+ hist = hist->next;
+ }
+ // IPリストに無いので新規作成
+ hist_new = aCalloc(1,sizeof(struct _connect_history));
+ hist_new->ip = ip;
+ hist_new->tick = gettick();
+ if(connect_history[ip & 0xFFFF] != NULL) {
+ hist = connect_history[ip & 0xFFFF];
+ hist->prev = hist_new;
+ hist_new->next = hist;
+ }
+ connect_history[ip & 0xFFFF] = hist_new;
+ return connect_ok;
+}
+
+static int connect_check_clear(int tid,unsigned int tick,int id,int data) {
+ int i;
+ int clear = 0;
+ int list = 0;
+ struct _connect_history *hist , *hist2;
+ for(i = 0;i < 0x10000 ; i++) {
+ hist = connect_history[i];
+ while(hist) {
+ if(
+ (DIFF_TICK(tick,hist->tick) > ddos_interval * 3 && !hist->status) ||
+ (DIFF_TICK(tick,hist->tick) > ddos_autoreset && hist->status)
+ ) {
+ // clear data
+ hist2 = hist->next;
+ if(hist->prev) {
+ hist->prev->next = hist->next;
+ } else {
+ connect_history[i] = hist->next;
+ }
+ if(hist->next) {
+ hist->next->prev = hist->prev;
+ }
+ aFree(hist);
+ hist = hist2;
+ clear++;
+ } else {
+ hist = hist->next;
+ list++;
+ }
+ }
+ }
+ if(access_debug) {
+ printf("connect_check_clear: clear = %d list = %d\n",clear,list);
+ }
+ return list;
+}
+
+// IPマスクチェック
+int access_ipmask(const char *str,struct _access_control* acc)
{
- FD_ZERO(&readfds);
+ unsigned int mask=0,i=0,m,ip, a0,a1,a2,a3;
+ if( !strcmp(str,"all") ) {
+ ip = 0;
+ mask = 0;
+ } else {
+ if( sscanf(str,"%d.%d.%d.%d%n",&a0,&a1,&a2,&a3,&i)!=4 || i==0) {
+ printf("access_ipmask: unknown format %s\n",str);
+ return 0;
+ }
+ ip = (a3 << 24) | (a2 << 16) | (a1 << 8) | a0;
+
+ if(sscanf(str+i,"/%d.%d.%d.%d",&a0,&a1,&a2,&a3)==4 ){
+ mask = (a3 << 24) | (a2 << 16) | (a1 << 8) | a0;
+ } else if(sscanf(str+i,"/%d",&m) == 1) {
+ for(i=0;i<m;i++) {
+ mask = (mask >> 1) | 0x80000000;
+ }
+ mask = ntohl(mask);
+ } else {
+ mask = 0xFFFFFFFF;
+ }
+ }
+ if(access_debug) {
+ printf("access_ipmask: ip:%08x mask:%08x %s\n",ip,mask,str);
+ }
+ acc->ip = ip;
+ acc->mask = mask;
+ return 1;
+}
+
+int socket_config_read(const char *cfgName) {
+ int i;
+ char line[1024],w1[1024],w2[1024];
+ FILE *fp;
+
+ fp=fopen(cfgName, "r");
+ if(fp==NULL){
+ printf("File not found: %s\n", cfgName);
+ return 1;
+ }
+ while(fgets(line,1020,fp)){
+ if(line[0] == '/' && line[1] == '/')
+ continue;
+ i=sscanf(line,"%[^:]: %[^\r\n]",w1,w2);
+ if(i!=2)
+ continue;
+ if(strcmpi(w1,"stall_time")==0){
+ stall_time_ = atoi(w2);
+ } else if(strcmpi(w1,"order")==0){
+ access_order=atoi(w2);
+ if(strcmpi(w2,"deny,allow")==0) access_order=ACO_DENY_ALLOW;
+ if(strcmpi(w2,"allow,deny")==0) access_order=ACO_ALLOW_DENY;
+ if(strcmpi(w2,"mutual-failture")==0) access_order=ACO_MUTUAL_FAILTURE;
+ } else if(strcmpi(w1,"allow")==0){
+ access_allow = aRealloc(access_allow,(access_allownum+1)*sizeof(struct _access_control));
+ if(access_ipmask(w2,&access_allow[access_allownum])) {
+ access_allownum++;
+ }
+ } else if(strcmpi(w1,"deny")==0){
+ access_deny = aRealloc(access_deny,(access_denynum+1)*sizeof(struct _access_control));
+ if(access_ipmask(w2,&access_deny[access_denynum])) {
+ access_denynum++;
+ }
+ } else if(!strcmpi(w1,"ddos_interval")){
+ ddos_interval = atoi(w2);
+ } else if(!strcmpi(w1,"ddos_count")){
+ ddos_count = atoi(w2);
+ } else if(!strcmpi(w1,"ddos_autoreset")){
+ ddos_autoreset = atoi(w2);
+ } else if(!strcmpi(w1,"debug")){
+ access_debug = atoi(w2);
+ } else if (strcmpi(w1, "import") == 0)
+ socket_config_read(w2);
+ }
+ fclose(fp);
+ return 0;
}
int RFIFOSKIP(int fd,int len)
@@ -638,3 +901,53 @@ int Net_Init(void)
return(0);
}
+
+void do_final_socket(void)
+{
+ int i;
+ struct _connect_history *hist , *hist2;
+ for(i=0; i<fd_max; i++) {
+ if(session[i]) {
+ delete_session(i);
+ }
+ }
+ for(i=0; i<0x10000; i++) {
+ hist = connect_history[i];
+ while(hist) {
+ hist2 = hist->next;
+ aFree(hist);
+ hist = hist2;
+ }
+ }
+ if (access_allow)
+ aFree(access_allow);
+ if (access_deny)
+ aFree(access_deny);
+
+ // session[0] のダミーデータを削除
+ if (session[0]) {
+ aFree(session[0]->rdata);
+ aFree(session[0]->wdata);
+ aFree(session[0]);
+ }
+}
+
+void do_socket(void)
+{
+ char *SOCKET_CONF_FILENAME = "conf/packet_athena.conf";
+
+ FD_ZERO(&readfds);
+
+ atexit(do_final_socket);
+ socket_config_read(SOCKET_CONF_FILENAME);
+
+ // session[0] にダミーデータを確保する
+ CREATE(session[0], struct socket_data, 1);
+ CREATE_A(session[0]->rdata, unsigned char, rfifo_size);
+ CREATE_A(session[0]->wdata, unsigned char, wfifo_size);
+ session[0]->max_rdata = rfifo_size;
+ session[0]->max_wdata = wfifo_size;
+
+ // とりあえず5分ごとに不要なデータを削除する
+ add_timer_interval(gettick()+1000,connect_check_clear,0,0,300*1000);
+}
diff --git a/src/common/socket.h b/src/common/socket.h
index 52581faf7..130c33d0c 100644
--- a/src/common/socket.h
+++ b/src/common/socket.h
@@ -22,18 +22,14 @@ extern time_t stall_time_;
// define declaration
-// fdが不正な時に代わりに読み書きするバッファ
-#define SOCKET_DUMMY_SIZE 32768
-extern unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
-
-#define RFIFOSPACE(fd) (fd <= 0 ? SOCKET_DUMMY_SIZE : session[fd]->max_rdata-session[fd]->rdata_size)
-#define RFIFOP(fd,pos) (fd <= 0 ? socket_dummy : session[fd]->rdata+session[fd]->rdata_pos+(pos))
+#define RFIFOSPACE(fd) (session[fd]->max_rdata-session[fd]->rdata_size)
+#define RFIFOP(fd,pos) (session[fd]->rdata+session[fd]->rdata_pos+(pos))
// use function instead of macro.
#define RFIFOB(fd,pos) (*(unsigned char*)RFIFOP(fd,pos))
#define RFIFOW(fd,pos) (*(unsigned short*)RFIFOP(fd,pos))
#define RFIFOL(fd,pos) (*(unsigned int*)RFIFOP(fd,pos))
-#define RFIFOREST(fd) (fd <= 0 ? 0 : session[fd]->rdata_size-session[fd]->rdata_pos)
-#define RFIFOFLUSH(fd) (fd <= 0 ? 0 : memmove(session[fd]->rdata,RFIFOP(fd,0),RFIFOREST(fd)),session[fd]->rdata_size=RFIFOREST(fd),session[fd]->rdata_pos=0)
+#define RFIFOREST(fd) (session[fd]->rdata_size-session[fd]->rdata_pos)
+#define RFIFOFLUSH(fd) (memmove(session[fd]->rdata,RFIFOP(fd,0),RFIFOREST(fd)),session[fd]->rdata_size=RFIFOREST(fd),session[fd]->rdata_pos=0)
//#define RFIFOSKIP(fd,len) ((session[fd]->rdata_size-session[fd]->rdata_pos-(len)<0) ? (fprintf(stderr,"too many skip\n"),exit(1)) : (session[fd]->rdata_pos+=(len)))
#define RBUFP(p,pos) (((unsigned char*)(p))+(pos))
@@ -41,8 +37,8 @@ extern unsigned char socket_dummy[SOCKET_DUMMY_SIZE];
#define RBUFW(p,pos) (*(unsigned short*)RBUFP((p),(pos)))
#define RBUFL(p,pos) (*(unsigned int*)RBUFP((p),(pos)))
-#define WFIFOSPACE(fd) (fd <= 0 ? SOCKET_DUMMY_SIZE : session[fd]->max_wdata-session[fd]->wdata_size)
-#define WFIFOP(fd,pos) (fd <= 0 ? socket_dummy : session[fd]->wdata+session[fd]->wdata_size+(pos))
+#define WFIFOSPACE(fd) (session[fd]->max_wdata-session[fd]->wdata_size)
+#define WFIFOP(fd,pos) (session[fd]->wdata+session[fd]->wdata_size+(pos))
#define WFIFOB(fd,pos) (*(unsigned char*)WFIFOP(fd,pos))
#define WFIFOW(fd,pos) (*(unsigned short*)WFIFOP(fd,pos))
#define WFIFOL(fd,pos) (*(unsigned int*)WFIFOP(fd,pos))
diff --git a/src/map/clif.c b/src/map/clif.c
index a44979ff4..2e1a7e1e7 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -973,7 +973,7 @@ int clif_mob_equip(struct mob_data *md, int nameid) {
*/
static int clif_mob0078(struct mob_data *md, unsigned char *buf)
{
- int level;
+ int level, i;
memset(buf,0,packet_len_table[0x78]);
@@ -986,7 +986,7 @@ static int clif_mob0078(struct mob_data *md, unsigned char *buf)
WBUFW(buf,10)=md->opt2;
WBUFW(buf,12)=md->option;
WBUFW(buf,14)=mob_get_viewclass(md->class_);
- if((mob_get_viewclass(md->class_) <= 23) || (mob_get_viewclass(md->class_) == 812) || (mob_get_viewclass(md->class_) >= 4001)) {
+ if((i=mob_get_viewclass(md->class_)) <= 23 || i == 812 || i >= 4001) {
WBUFW(buf,12)|=mob_db[md->class_].option;
WBUFW(buf,16)=mob_get_hair(md->class_);
WBUFW(buf,18)=mob_get_weapon(md->class_);
@@ -1360,7 +1360,7 @@ int clif_spawnmob(struct mob_data *md)
nullpo_retr(0, md);
- if (mob_get_viewclass(md->class_) > 23 ) {
+ if (mob_get_viewclass(md->class_) > 23) {
memset(buf,0,packet_len_table[0x7c]);
WBUFW(buf,0)=0x7c;
diff --git a/src/map/map.c b/src/map/map.c
index 7c8275cf9..3a6a29fde 100644
--- a/src/map/map.c
+++ b/src/map/map.c
@@ -2896,8 +2896,10 @@ int inter_config_read(char *cfgName)
i=sscanf(line,"%[^:]: %[^\r\n]",w1,w2);
if(i!=2)
continue;
- if(strcmpi(w1,"stall_time")==0){
- stall_time_ = atoi(w2);
+ //support the import command, just like any other config
+ if(strcmpi(w1,"import")==0){
+ inter_config_read(w2);
+ }
#ifndef TXT_ONLY
} else if(strcmpi(w1,"item_db_db")==0){
strcpy(item_db_db,w2);
@@ -2959,9 +2961,6 @@ int inter_config_read(char *cfgName)
} else if(strcmpi(w1,"log_db_port")==0) {
log_db_port = atoi(w2);
#endif
- //support the import command, just like any other config
- } else if(strcmpi(w1,"import")==0){
- inter_config_read(w2);
}
}
fclose(fp);