From: Michael Poole Date: Sat, 15 May 2004 14:01:50 +0000 (+0000) Subject: Forward port IPCHECK_CLONE_LIMIT, IPCHECK_CLONE_PERIOD, X-Git-Url: http://git.pk910.de/?p=ircu2.10.12-pk.git;a=commitdiff_plain;h=b355f06a27c0bcdaec96d3ffbebadc311a848aa7 Forward port IPCHECK_CLONE_LIMIT, IPCHECK_CLONE_PERIOD, IPCHECK_CLONE_DELAY, IRCD_RES_RETRIES, IRCD_RES_TIMEOUT, and AUTH_TIMEOUT features from 2.10.11. git-svn-id: file:///home/klmitch/undernet-ircu/undernet-ircu-svn/ircu2/trunk@1048 c9e4aea6-c8fd-4c43-8297-357d70d61c8c --- diff --git a/ChangeLog b/ChangeLog index aa04a50..075f77a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,18 @@ +2004-05-15 Isomer + + [Original ChangeLog date: 2003-11-18 -MDP] + + * ircd/s_auth.c, ircd/res_libresolv.c, ircd/res_adns.c: Clean up + the preregistration subsystem allowing customisation of timers, + make the dns resolver stats oper only, and make it much more clear + what all the numbers are. + +2004-05-15 Spike + + [Original ChangeLog date: 2003-11-23 -MDP] + + * ircd/IPcheck.c: Make IPcheck constants configurable + 2004-05-14 Kevin L Mitchell [Original ChangeLog date: 2003-11-22 -MDP] diff --git a/doc/example.conf b/doc/example.conf index c3cabf2..0c6e6ae 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -742,6 +742,12 @@ features # "TOS_SERVER" = "0x08"; # "TOS_CLIENT" = "0x08"; # "POLLS_PER_LOOP" = "200"; +# "IRCD_RES_TIMEOUTS" = "4"; +# "IRCD_RES_RETRIES" = "2"; +# "AUTH_TIMEOUT" = "9"; +# "IPCHECK_CLONE_LIMIT" = "4"; +# "IPCHECK_CLONE_PERIOD" = "40"; +# "IPCHECK_CLONE_DELAY" = "600"; # "CRYPT_OPER_PASSWORD" = "TRUE"; # "OPER_NO_CHAN_LIMIT" = "TRUE"; # "OPER_MODE_LCHAN" = "TRUE"; diff --git a/doc/readme.features b/doc/readme.features index 8752e1a..b30202e 100644 --- a/doc/readme.features +++ b/doc/readme.features 
@@ -1077,3 +1077,57 @@ This is the allowed length of the nickname length. It may not be larger than the NICKLEN #define, and should usually be the same length. The real purpose of this feature is to permit easy increases in nickname length for a network. + +IRCD_RES_RETRIES + * Type: integer + * Default: 2 + +This is the number of attempts the irc daemon's resolver will have at +trying to solicit a response from the DNS server. +NOTE: Has no effect when using the adns resolver. + +IRCD_RES_TIMEOUT + * Type: integer + * Default: 4 + +When a DNS query is sent, the irc daemon's resolver will wait this many +seconds for a reply. After this timeout has expired, it will retry again, +for as many retries as IRCD_RES_RETRIES allows. This can be cut short by +AUTH_TIMEOUT expiring. +NOTE: Has no effect when using the adns resolver. + +AUTH_TIMEOUT + * Type: integer + * Default: 9 + +This is the maximum number of seconds to wait for the ident lookup and +the DNS query to succeed. On older (pre 2.10.11.06) servers this was +hard coded to 60 seconds. + +IPCHECK_CLONE_LIMIT + * Type: integer + * Default: 4 + +The number of times you are allowed to connect within IPCHECK_CLONE_PERIOD +seconds before you are considered abusing the server and throttled. + +IPCHECK_CLONE_PERIOD + * Type: integer + * Defualt: 40 + +The number of seconds you are allowed to connect IPCHECK_CLONE_LIMIT times +within before you are considered abusing the server and throttled. +For instance if you set IPCHECK_CLONE_LIMIT to 1, and IPCHECK_CLONE_PERIOD +to 10, then a user is only allowed to connect once in 10s, if they connect +again within 10s, then they are considered to be connecting too fast and +they are throttled. + +IPCHECK_CLONE_DELAY + * Type: integer + * Default: 600 + +The number of seconds grace after restarting the server before the throttle +code kicks in. Even if a user connects repeditively during this period, +they will never get throttled. 
This is so after a restart users on a +multiuser box can all connect to a server simultaniously without being +considered an attack. diff --git a/include/ircd_features.h b/include/ircd_features.h index 22bd490..0c6275e 100644 --- a/include/ircd_features.h +++ b/include/ircd_features.h @@ -68,6 +68,9 @@ enum Feature { FEAT_CONNECTFREQUENCY, FEAT_DEFAULTMAXSENDQLENGTH, FEAT_GLINEMAXUSERCOUNT, + FEAT_IPCHECK_CLONE_LIMIT, + FEAT_IPCHECK_CLONE_PERIOD, + FEAT_IPCHECK_CLONE_DELAY, /* Some misc. default paths */ FEAT_MPATH, @@ -79,6 +82,9 @@ enum Feature { FEAT_TOS_SERVER, FEAT_TOS_CLIENT, FEAT_POLLS_PER_LOOP, + FEAT_IRCD_RES_RETRIES, + FEAT_IRCD_RES_TIMEOUT, + FEAT_AUTH_TIMEOUT, /* features that affect all operators */ FEAT_CRYPT_OPER_PASSWORD, diff --git a/ircd/IPcheck.c b/ircd/IPcheck.c index 04ffb3a..8e9e353 100644 --- a/ircd/IPcheck.c +++ b/ircd/IPcheck.c @@ -31,6 +31,7 @@ #include "numnicks.h" /* NumNick, NumServ (GODMODE) */ #include "ircd_alloc.h" #include "ircd_events.h" +#include "ircd_features.h" #include "s_debug.h" /* Debug */ #include "s_user.h" /* TARGET_DELAY */ #include "send.h" @@ -64,9 +65,9 @@ struct IPRegistryEntry { #define NOW ((unsigned short)(CurrentTime & MASK_16)) #define CONNECTED_SINCE(x) (NOW - (x)) -#define IPCHECK_CLONE_LIMIT 4 -#define IPCHECK_CLONE_PERIOD 40 -#define IPCHECK_CLONE_DELAY 600 +#define IPCHECK_CLONE_LIMIT feature_int(FEAT_IPCHECK_CLONE_LIMIT) +#define IPCHECK_CLONE_PERIOD feature_int(FEAT_IPCHECK_CLONE_PERIOD) +#define IPCHECK_CLONE_DELAY feature_int(FEAT_IPCHECK_CLONE_DELAY) static struct IPRegistryEntry* hashTable[IP_REGISTRY_TABLE_SIZE]; diff --git a/ircd/ircd_features.c b/ircd/ircd_features.c index 8710d2d..9a3c592 100644 --- a/ircd/ircd_features.c +++ b/ircd/ircd_features.c 
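Review bot: The three IPCHECK_CLONE_* macros in ircd/IPcheck.c now expand to `feature_int()` calls, and nothing in this hunk or in the matching `F_I(IPCHECK_CLONE_*, 0, …, 0)` entries of ircd/ircd_features.c bounds what an operator can set. The same file keeps its clock as a 16-bit value (`NOW` masks `CurrentTime` with `MASK_16`), so a period or delay above 65535 seconds, or a zero or negative limit, would presumably make the clone throttle either never trigger or trigger for everyone. The code that uses the macros is outside the hunk, so this needs checking there. I would state the constraint next to the macros, for example `/* Runtime-configurable: must be > 0 and < 65536, NOW/CONNECTED_SINCE use 16-bit seconds */`, and clamp the values where they are read or set.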
@@ -274,6 +274,9 @@ static struct FeatureDesc { F_I(CONNECTFREQUENCY, 0, 600, init_class), F_I(DEFAULTMAXSENDQLENGTH, 0, 40000, init_class), F_I(GLINEMAXUSERCOUNT, 0, 20, 0), + F_I(IPCHECK_CLONE_LIMIT, 0, 4, 0), + F_I(IPCHECK_CLONE_PERIOD, 0, 40, 0), + F_I(IPCHECK_CLONE_DELAY, 0, 600, 0), /* Some misc. default paths */ F_S(MPATH, FEAT_CASE | FEAT_MYOPER, "ircd.motd", motd_init), @@ -285,6 +288,9 @@ static struct FeatureDesc { F_I(TOS_SERVER, 0, 0x08, 0), F_I(TOS_CLIENT, 0, 0x08, 0), F_I(POLLS_PER_LOOP, 0, 200, 0), + F_I(IRCD_RES_RETRIES, 0, 2, 0), + F_I(IRCD_RES_TIMEOUT, 0, 4, 0), + F_I(AUTH_TIMEOUT, 0, 9, 0), /* features that affect all operators */ F_B(CRYPT_OPER_PASSWORD, FEAT_MYOPER | FEAT_READ, 1, 0), diff --git a/ircd/parse.c b/ircd/parse.c index 6add537..6e539cf 100644 --- a/ircd/parse.c +++ b/ircd/parse.c @@ -544,7 +544,7 @@ struct Message msgtab[] = { TOK_DNS, 0, MAXPARA, MFLG_SLOW, 0, NULL, /* UNREG, CLIENT, SERVER, OPER, SERVICE */ - { m_unregistered, m_dns, m_dns, m_dns, m_ignore } + { m_unregistered, m_ignore, m_ignore, m_dns, m_ignore } }, { MSG_REHASH, diff --git a/ircd/res_adns.c b/ircd/res_adns.c index cf0d68b..1dcc447 100644 --- a/ircd/res_adns.c +++ b/ircd/res_adns.c 
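Review bot: The name registered here is `IRCD_RES_TIMEOUT` (and `FEAT_IRCD_RES_TIMEOUT` in include/ircd_features.h), but the doc/example.conf hunk of this same commit spells the key `"IRCD_RES_TIMEOUTS"`. An administrator who uncomments the example line would be setting a name that does not match any feature, and the resolver timeout would stay at its default. The example line should read `# "IRCD_RES_TIMEOUT" = "4";`. The `FeatureDesc` table begins and ends outside the hunk.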
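Review bot: With `m_ignore` in the CLIENT slot of the DNS entry in ircd/parse.c, a non-oper who sends the command gets no reply at all, which is hard to tell apart from a lost message. Restricting the resolver statistics to opers is the right direction, but a handler that answers with a permission error would be clearer, for example `{ m_unregistered, m_not_oper, m_ignore, m_dns, m_ignore }`, assuming the tree's `m_not_oper` default handler is available here. The `msgtab` entry starts above the hunk.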
@@ -796,17 +796,14 @@ static void res_adns_callback(adns_state state, adns_query q, void *context) int m_dns(struct Client *cptr, struct Client *sptr, int parc, char *parv[]) { #if !defined(NDEBUG) - if (parv[1] && *parv[1] == 'd') { - sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d", - sptr, ResolverFileDescriptor); - return 0; - } - sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Re %d Rl %d/%d Rp %d Rq %d", + sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Errors %d Lookups %d/%d Replies %d Requests %d", sptr, reinfo.re_errors, reinfo.re_nu_look, reinfo.re_na_look, reinfo.re_replies, reinfo.re_requests); - sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Ru %d Rsh %d Rs %d(%d) Rt %d", sptr, + sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :Unknown Reply %d Short TTL(<10m) %d Sent %d Resends %d Timeouts %d", sptr, reinfo.re_unkrep, reinfo.re_shortttl, reinfo.re_sent, reinfo.re_resends, reinfo.re_timeouts); + sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d", + sptr, ResolverFileDescriptor); #endif return 0; } diff --git a/ircd/res_libresolv.c b/ircd/res_libresolv.c index 4401029..d964eb9 100644 --- a/ircd/res_libresolv.c +++ b/ircd/res_libresolv.c @@ -17,6 +17,7 @@ #include "ircd.h" #include "ircd_alloc.h" #include "ircd_events.h" +#include "ircd_features.h" #include "ircd_log.h" #include "ircd_osdep.h" #include "ircd_reply.h" @@ -431,9 +432,9 @@ static struct ResRequest* make_request(const struct DNSQuery* query) memset(request, 0, sizeof(struct ResRequest)); request->sentat = CurrentTime; - request->retries = 3; + request->retries = feature_int(FEAT_IRCD_RES_RETRIES); request->resend = 1; - request->timeout = 5; /* start at 5 per RFC1123 */ + request->timeout = feature_int(FEAT_IRCD_RES_TIMEOUT); request->addr.s_addr = INADDR_NONE; request->he.h_addrtype = AF_INET; request->he.h_length = sizeof(struct in_addr); 
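Review bot: `m_dns` in ircd/res_adns.c has no access check of its own, so after this commit the `msgtab` entry in ircd/parse.c is the only thing keeping the resolver counters and `ResolverFileDescriptor` away from ordinary clients. That value is now sent on every call instead of only for the `d` argument. I would record the dependency in a comment above the function (outside the hunk), such as `/* Oper-only: reachable solely through the OPER slot of msgtab; exposes resolver internals. */`. With the `parv[1]` branch gone, `parc` and `parv` are unused, and because the whole body sits under `#if !defined(NDEBUG)`, an oper on an NDEBUG build gets no reply at all. The same points apply to the identical `m_dns` hunk in ircd/res_libresolv.c.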
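Review bot: `request->retries` and `request->timeout` in `make_request` are now set directly from `feature_int()` with no lower bound, where the old code used the fixed values 3 and 5. A configured 0 or negative value would presumably lead to immediate timeouts or lookups that are never retried, although the code that consumes these fields is outside the hunk. The effective defaults also change silently to 2 and 4, and the `/* start at 5 per RFC1123 */` rationale is removed without a replacement. I would guard the reads, for example `if (request->timeout < 1) request->timeout = 1;`, and keep a comment naming the feature and its default. The same unchecked pattern feeds `timer_add(..., TT_RELATIVE, feature_int(FEAT_AUTH_TIMEOUT))` in ircd/s_auth.c, where the value limits how long an unregistered connection can wait on ident and DNS.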
@@ -1166,18 +1167,14 @@ void resolver_read_multiple(int count) int m_dns(struct Client *cptr, struct Client *sptr, int parc, char *parv[]) { #if !defined(NDEBUG) - if (parv[1] && *parv[1] == 'd') { - sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d", - sptr, ResolverFileDescriptor); - return 0; - } - - sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Re %d Rl %d/%d Rp %d Rq %d", + sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Errors %d Lookups %d/%d Replies %d Requests %d", sptr, reinfo.re_errors, reinfo.re_nu_look, reinfo.re_na_look, reinfo.re_replies, reinfo.re_requests); - sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Ru %d Rsh %d Rs %d(%d) Rt %d", sptr, + sendcmdto_one(&me, CMD_NOTICE, sptr,"%C :Unknown Reply %d Short TTL(<10m) %d Sent %d Resends %d Timeouts %d", sptr, reinfo.re_unkrep, reinfo.re_shortttl, reinfo.re_sent, reinfo.re_resends, reinfo.re_timeouts); + sendcmdto_one(&me, CMD_NOTICE, sptr, "%C :ResolverFileDescriptor = %d", + sptr, ResolverFileDescriptor); #endif return 0; } diff --git a/ircd/s_auth.c b/ircd/s_auth.c index d399af0..935d700 100644 --- a/ircd/s_auth.c +++ b/ircd/s_auth.c @@ -103,8 +103,6 @@ typedef enum { struct AuthRequest* AuthPollList = 0; /* GLOBAL - auth queries pending io */ static struct AuthRequest* AuthIncompleteList = 0; -enum { AUTH_TIMEOUT = 60 }; - static void release_auth_client(struct Client* client); static void unlink_auth_request(struct AuthRequest* request, struct AuthRequest** list); @@ -250,7 +248,7 @@ static struct AuthRequest* make_auth_request(struct Client* client) auth->client = client; cli_auth(client) = auth; timer_add(timer_init(&auth->timeout), auth_timeout_callback, (void*) auth, - TT_RELATIVE, AUTH_TIMEOUT); + TT_RELATIVE, feature_int(FEAT_AUTH_TIMEOUT)); return auth; }