+2004-05-15 Isomer <isomer@undernet.org>
+
+ [Original ChangeLog date: 2003-11-18 -MDP]
+
+ * ircd/s_auth.c, ircd/res_libresolv.c, ircd/res_adns.c: Clean up
+ the preregistration subsystem allowing customisation of timers,
+ make the dns resolver stats oper only, and make it much more clear
+ what all the numbers are.
+
+2004-05-15 Spike <spike@undernet.org>
+
+ [Original ChangeLog date: 2003-11-23 -MDP]
+
+ * ircd/IPcheck.c: Make IPcheck constants configurable
+
2004-05-14 Kevin L Mitchell <klmitch@mit.edu>
[Original ChangeLog date: 2003-11-22 -MDP]
# "TOS_SERVER" = "0x08";
# "TOS_CLIENT" = "0x08";
# "POLLS_PER_LOOP" = "200";
+# "IRCD_RES_TIMEOUTS" = "4";
+# "IRCD_RES_RETRIES" = "2";
+# "AUTH_TIMEOUT" = "9";
+# "IPCHECK_CLONE_LIMIT" = "4";
+# "IPCHECK_CLONE_PERIOD" = "40";
+# "IPCHECK_CLONE_DELAY" = "600";
# "CRYPT_OPER_PASSWORD" = "TRUE";
# "OPER_NO_CHAN_LIMIT" = "TRUE";
# "OPER_MODE_LCHAN" = "TRUE";
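Review bot: The added sample line `# "IRCD_RES_TIMEOUTS" = "4";` does not match the feature name used everywhere else in this change, which is `IRCD_RES_TIMEOUT` (the readme entry, `FEAT_IRCD_RES_TIMEOUT` and `F_I(IRCD_RES_TIMEOUT, 0, 4, 0)`). An administrator who uncomments the sample as written would presumably be setting an unknown feature, and the resolver would keep its default without any obvious sign. The line should read `# "IRCD_RES_TIMEOUT" = "4";`.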
larger than the NICKLEN #define, and should usually be the same
length. The real purpose of this feature is to permit easy increases
in nickname length for a network.
+
+IRCD_RES_RETRIES
+ * Type: integer
+ * Default: 2
+
+This is the number of attempts the irc daemon's resolver will have at
+trying to solicit a response from the DNS server.
+NOTE: Has no effect when using the adns resolver.
+
+IRCD_RES_TIMEOUT
+ * Type: integer
+ * Default: 4
+
+When a DNS query is sent, the irc daemon's resolver will wait this many
+seconds for a reply. After this timeout has expired, it will retry again,
+for as many retries as IRCD_RES_RETRIES allows. This can be cut short by
+AUTH_TIMEOUT expiring.
+NOTE: Has no effect when using the adns resolver.
+
+AUTH_TIMEOUT
+ * Type: integer
+ * Default: 9
+
+This is the maximum number of seconds to wait for the ident lookup and
+the DNS query to succeed. On older (pre 2.10.11.06) servers this was
+hard coded to 60 seconds.
+
+IPCHECK_CLONE_LIMIT
+ * Type: integer
+ * Default: 4
+
+The number of times you are allowed to connect within IPCHECK_CLONE_PERIOD
+seconds before you are considered abusing the server and throttled.
+
+IPCHECK_CLONE_PERIOD
+ * Type: integer
+ * Defualt: 40
+
+The number of seconds you are allowed to connect IPCHECK_CLONE_LIMIT times
+within before you are considered abusing the server and throttled.
+For instance if you set IPCHECK_CLONE_LIMIT to 1, and IPCHECK_CLONE_PERIOD
+to 10, then a user is only allowed to connect once in 10s, if they connect
+again within 10s, then they are considered to be connecting too fast and
+they are throttled.
+
+IPCHECK_CLONE_DELAY
+ * Type: integer
+ * Default: 600
+
+The number of seconds grace after restarting the server before the throttle
+code kicks in. Even if a user connects repeditively during this period,
+they will never get throttled. This is so after a restart users on a
+multiuser box can all connect to a server simultaniously without being
+considered an attack.
FEAT_CONNECTFREQUENCY,
FEAT_DEFAULTMAXSENDQLENGTH,
FEAT_GLINEMAXUSERCOUNT,
+ FEAT_IPCHECK_CLONE_LIMIT,
+ FEAT_IPCHECK_CLONE_PERIOD,
+ FEAT_IPCHECK_CLONE_DELAY,
/* Some misc. default paths */
FEAT_MPATH,
FEAT_TOS_SERVER,
FEAT_TOS_CLIENT,
FEAT_POLLS_PER_LOOP,
+ FEAT_IRCD_RES_RETRIES,
+ FEAT_IRCD_RES_TIMEOUT,
+ FEAT_AUTH_TIMEOUT,
/* features that affect all operators */
FEAT_CRYPT_OPER_PASSWORD,
#include "numnicks.h" /* NumNick, NumServ (GODMODE) */
#include "ircd_alloc.h"
#include "ircd_events.h"
+#include "ircd_features.h"
#include "s_debug.h" /* Debug */
#include "s_user.h" /* TARGET_DELAY */
#include "send.h"
#define NOW ((unsigned short)(CurrentTime & MASK_16))
#define CONNECTED_SINCE(x) (NOW - (x))
-#define IPCHECK_CLONE_LIMIT 4
-#define IPCHECK_CLONE_PERIOD 40
-#define IPCHECK_CLONE_DELAY 600
+#define IPCHECK_CLONE_LIMIT feature_int(FEAT_IPCHECK_CLONE_LIMIT)
+#define IPCHECK_CLONE_PERIOD feature_int(FEAT_IPCHECK_CLONE_PERIOD)
+#define IPCHECK_CLONE_DELAY feature_int(FEAT_IPCHECK_CLONE_DELAY)
static struct IPRegistryEntry* hashTable[IP_REGISTRY_TABLE_SIZE];
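Review bot: The three `IPCHECK_CLONE_*` macros now expand to `feature_int()` calls, so the connection throttle runs on operator-supplied values with no range check visible in this commit. The matching table entries such as `F_I(IPCHECK_CLONE_LIMIT, 0, 4, 0)` pass `0` in the slot where other entries pass a function like `init_class`. `NOW` is masked with `MASK_16` and cast to `unsigned short`, so a period or delay larger than that mask could presumably never be exceeded by `CONNECTED_SINCE()`, and a zero or negative limit would change the throttle decision in code outside this hunk. Because this is the connection-flood control, I would validate the values when the feature is set or clamp them where they are read, and document the range next to the macros, e.g. `/* runtime-configurable; keep within 1..MASK_16 because NOW is 16 bits wide */`. The same missing lower bound applies where `FEAT_IRCD_RES_RETRIES`, `FEAT_IRCD_RES_TIMEOUT` and `FEAT_AUTH_TIMEOUT` are read into `request->retries`, `request->timeout` and `timer_add()`.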
F_I(CONNECTFREQUENCY, 0, 600, init_class),
F_I(DEFAULTMAXSENDQLENGTH, 0, 40000, init_class),
F_I(GLINEMAXUSERCOUNT, 0, 20, 0),
+ F_I(IPCHECK_CLONE_LIMIT, 0, 4, 0),
+ F_I(IPCHECK_CLONE_PERIOD, 0, 40, 0),
+ F_I(IPCHECK_CLONE_DELAY, 0, 600, 0),
/* Some misc. default paths */
F_S(MPATH, FEAT_CASE | FEAT_MYOPER, "ircd.motd", motd_init),
F_I(TOS_SERVER, 0, 0x08, 0),
F_I(TOS_CLIENT, 0, 0x08, 0),
F_I(POLLS_PER_LOOP, 0, 200, 0),
+ F_I(IRCD_RES_RETRIES, 0, 2, 0),
+ F_I(IRCD_RES_TIMEOUT, 0, 4, 0),
+ F_I(AUTH_TIMEOUT, 0, 9, 0),
/* features that affect all operators */
F_B(CRYPT_OPER_PASSWORD, FEAT_MYOPER | FEAT_READ, 1, 0),
TOK_DNS,
0, MAXPARA, MFLG_SLOW, 0, NULL,
/* UNREG, CLIENT, SERVER, OPER, SERVICE */
- { m_unregistered, m_dns, m_dns, m_dns, m_ignore }
+ { m_unregistered, m_ignore, m_ignore, m_dns, m_ignore }
},
{
MSG_REHASH,
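Review bot: The restriction of the DNS statistics to operators rests entirely on this handler row. `m_dns` as changed in this commit has no privilege check of its own, so a later edit to the row would expose the counters and `ResolverFileDescriptor` to ordinary clients again. The SERVER column also becomes `m_ignore`, which presumably means a request relayed from another server is dropped and only operators local to this server get an answer; if that is intended it should be stated. I would add a comment above the row such as `/* oper-only: m_dns does no access check itself; relayed requests are ignored */`. The table entry starts above this hunk.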
int m_dns(struct Client *cptr, struct Client *sptr, int parc, char *parv[])
{
#if !defined(NDEBUG)
- if (parv[1] && *parv[1] == 'd') {
- sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d",
- sptr, ResolverFileDescriptor);
- return 0;
- }
- sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Re %d Rl %d/%d Rp %d Rq %d",
+ sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Errors %d Lookups %d/%d Replies %d Requests %d",
sptr, reinfo.re_errors, reinfo.re_nu_look,
reinfo.re_na_look, reinfo.re_replies, reinfo.re_requests);
- sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Ru %d Rsh %d Rs %d(%d) Rt %d", sptr,
+ sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :Unknown Reply %d Short TTL(<10m) %d Sent %d Resends %d Timeouts %d", sptr,
reinfo.re_unkrep, reinfo.re_shortttl, reinfo.re_sent,
reinfo.re_resends, reinfo.re_timeouts);
+ sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d",
+ sptr, ResolverFileDescriptor);
#endif
return 0;
}
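Review bot: With the `parv[1]` branch gone, every operator query now reports `ResolverFileDescriptor` along with the counters, and nothing in the handler says that the whole body only exists in debug builds. When `NDEBUG` is defined the function returns 0 without sending anything, so the operator gets no reply at all; a comment above the `#if`, for example `/* resolver statistics are compiled in only when NDEBUG is not defined */`, would make that explicit. The same body is repeated in the second `m_dns` later in this commit, where it already differs in spacing after `sptr,`, so the note applies there too and the two copies are candidates for one shared helper. `parc` and `parv` are no longer used by this function.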
#include "ircd.h"
#include "ircd_alloc.h"
#include "ircd_events.h"
+#include "ircd_features.h"
#include "ircd_log.h"
#include "ircd_osdep.h"
#include "ircd_reply.h"
memset(request, 0, sizeof(struct ResRequest));
request->sentat = CurrentTime;
- request->retries = 3;
+ request->retries = feature_int(FEAT_IRCD_RES_RETRIES);
request->resend = 1;
- request->timeout = 5; /* start at 5 per RFC1123 */
+ request->timeout = feature_int(FEAT_IRCD_RES_TIMEOUT);
request->addr.s_addr = INADDR_NONE;
request->he.h_addrtype = AF_INET;
request->he.h_length = sizeof(struct in_addr);
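Review bot: The removed line carried its rationale, `/* start at 5 per RFC1123 */`, and the replacement drops that comment while the defaults registered in this commit (`F_I(IRCD_RES_TIMEOUT, 0, 4, 0)` and `F_I(IRCD_RES_RETRIES, 0, 2, 0)`) lower the initial timeout from 5 to 4 and the retries from 3 to 2. A reader of this function can no longer see what the values were or why they moved away from the cited RFC figure. I would keep a comment on the new line, for example `/* initial timeout in seconds; was a fixed 5 per RFC 1123, now FEAT_IRCD_RES_TIMEOUT (default 4) */`, and a similar one for the retries. The enclosing function starts and ends outside this hunk.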
int m_dns(struct Client *cptr, struct Client *sptr, int parc, char *parv[])
{
#if !defined(NDEBUG)
- if (parv[1] && *parv[1] == 'd') {
- sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d",
- sptr, ResolverFileDescriptor);
- return 0;
- }
-
- sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Re %d Rl %d/%d Rp %d Rq %d",
+ sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Errors %d Lookups %d/%d Replies %d Requests %d",
sptr, reinfo.re_errors, reinfo.re_nu_look,
reinfo.re_na_look, reinfo.re_replies, reinfo.re_requests);
- sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Ru %d Rsh %d Rs %d(%d) Rt %d", sptr,
+ sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Unknown Reply %d Short TTL(<10m) %d Sent %d Resends %d Timeouts %d", sptr,
reinfo.re_unkrep, reinfo.re_shortttl, reinfo.re_sent,
reinfo.re_resends, reinfo.re_timeouts);
+ sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d",
+ sptr, ResolverFileDescriptor);
#endif
return 0;
}
struct AuthRequest* AuthPollList = 0; /* GLOBAL - auth queries pending io */
static struct AuthRequest* AuthIncompleteList = 0;
-enum { AUTH_TIMEOUT = 60 };
-
static void release_auth_client(struct Client* client);
static void unlink_auth_request(struct AuthRequest* request,
struct AuthRequest** list);
auth->client = client;
cli_auth(client) = auth;
timer_add(timer_init(&auth->timeout), auth_timeout_callback, (void*) auth,
- TT_RELATIVE, AUTH_TIMEOUT);
+ TT_RELATIVE, feature_int(FEAT_AUTH_TIMEOUT));
return auth;
}