From 348452cffc1ac8cbe007108905de0022f684aa9d Mon Sep 17 00:00:00 2001 From: bodea Date: Thu, 13 Jan 2005 07:58:53 +0000 Subject: [PATCH] rename sess_count to sess_local, fiddle with packet_limit log output --- Changes | 6 ++++- cli.c | 13 +++++++--- cluster.c | 20 +++++++-------- l2tpns.c | 34 +++++++++++++------------ l2tpns.h | 6 ++--- l2tpns.spec | 2 +- ppp.c | 73 +++++++++++++++++++++++++++++++++-------------------- 7 files changed, 92 insertions(+), 62 deletions(-) diff --git a/Changes b/Changes index c5bd865..217fcb1 100644 --- a/Changes +++ b/Changes @@ -1,6 +1,10 @@ -* Mon Jan 10 2005 Brendan O'Dea 2.0.15 +* Thu Jan 13 2005 Brendan O'Dea 2.0.15 - More DoS prevention: add packet_limit option to apply a hard limit to downstream packets per session. +- Fix "clear counters". +- Log "Accepted connection to CLI" at 4 when connection is from localhost + to reduce noise in logs. +- Show time since last counter reset in "show counters". * Mon Dec 20 2004 Brendan O'Dea 2.0.14 - Throttle outgoing LASTSEEN packets to at most one per second for a diff --git a/cli.c b/cli.c index 10c2ed5..dbb0ca2 100644 --- a/cli.c +++ b/cli.c @@ -2,7 +2,7 @@ // vim: sw=8 ts=8 char const *cvs_name = "$Name: $"; -char const *cvs_id_cli = "$Id: cli.c,v 1.43.2.2 2005/01/12 05:20:49 bodea Exp $"; +char const *cvs_id_cli = "$Id: cli.c,v 1.43.2.3 2005/01/13 07:58:53 bodea Exp $"; #include #include @@ -289,8 +289,9 @@ void cli_do(int sockfd) if (fork_and_close()) return; if (getpeername(sockfd, (struct sockaddr *)&addr, &l) == 0) { - LOG(3, 0, 0, "Accepted connection to CLI from %s\n", fmtaddr(addr.sin_addr.s_addr, 0)); require_auth = addr.sin_addr.s_addr != inet_addr("127.0.0.1"); + LOG(require_auth ? 3 : 4, 0, 0, "Accepted connection to CLI from %s\n", + fmtaddr(addr.sin_addr.s_addr, 0)); } else LOG(0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno)); 
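Review bot: Logging the accept line at level 4 when `require_auth` is false drops, at any log level below 4, the only record of CLI sessions that are admitted without authentication, and the "Closed CLI connection" line in the @@ -321 hunk does the same. Those loopback sessions are the privileged, unauthenticated path into the daemon, so they are the ones an audit trail most needs; I would keep at least one of the two lines at 3, e.g. `LOG(3, 0, 0, "Closed CLI connection from %s\n", ...)`, so a session can still be reconstructed. Whether level 4 survives in production depends on the configured log level, which is not visible here. cli_do continues outside both hunks.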
@@ -321,7 +322,9 @@ void cli_do(int sockfd) cli_loop(cli, sockfd); close(sockfd); - LOG(3, 0, 0, "Closed CLI connection from %s\n", fmtaddr(addr.sin_addr.s_addr, 0)); + LOG(require_auth ? 3 : 4, 0, 0, "Closed CLI connection from %s\n", + fmtaddr(addr.sin_addr.s_addr, 0)); + exit(0); } @@ -721,6 +724,10 @@ static int cmd_show_counters(struct cli_def *cli, char *command, char **argv, in cli_print(cli, "%-30s%u", "call_radiussend", GET_STAT(call_radiussend)); cli_print(cli, "%-30s%u", "call_radiusretry", GET_STAT(call_radiusretry)); #endif + + cli_print(cli, ""); + cli_print(cli, "Counters last reset %s ago", duration(time_now - GET_STAT(last_reset))); + return CLI_OK; } diff --git a/cluster.c b/cluster.c index 093d944..3241cd8 100644 --- a/cluster.c +++ b/cluster.c @@ -1,6 +1,6 @@ // L2TPNS Clustering Stuff -char const *cvs_id_cluster = "$Id: cluster.c,v 1.26.2.1 2005/01/06 01:39:23 bodea Exp $"; +char const *cvs_id_cluster = "$Id: cluster.c,v 1.26.2.2 2005/01/13 07:58:54 bodea Exp $"; #include #include @@ -405,18 +405,18 @@ void master_update_counts(void) if ( walk_session_number > config->cluster_highest_sessionid) walk_session_number = 1; - if (!sess_count[walk_session_number].cin && !sess_count[walk_session_number].cout) + if (!sess_local[walk_session_number].cin && !sess_local[walk_session_number].cout) continue; // Unused. Skip it. b[c].sid = walk_session_number; - b[c].in = sess_count[walk_session_number].cin; - b[c].out = sess_count[walk_session_number].cout; + b[c].in = sess_local[walk_session_number].cin; + b[c].out = sess_local[walk_session_number].cout; if (++c > MAX_B_RECS) // Send a max of 400 elements in a packet. break; // Reset counters. - sess_count[walk_session_number].cin = sess_count[walk_session_number].cout = 0; + sess_local[walk_session_number].cin = sess_local[walk_session_number].cout = 0; } if (!c) // Didn't find any that changes. Get out of here! 
@@ -580,12 +580,12 @@ void cluster_check_master(void) session[i].last_packet = time_now; // Accumulate un-sent byte counters. - session[i].cin += sess_count[i].cin; - session[i].cout += sess_count[i].cout; - session[i].total_cin += sess_count[i].cin; - session[i].total_cout += sess_count[i].cout; + session[i].cin += sess_local[i].cin; + session[i].cout += sess_local[i].cout; + session[i].total_cin += sess_local[i].cin; + session[i].total_cout += sess_local[i].cout; - sess_count[i].cin = sess_count[i].cout = 0; + sess_local[i].cin = sess_local[i].cout = 0; session[i].radius = 0; // Reset authentication as the radius blocks aren't up to date. diff --git a/l2tpns.c b/l2tpns.c index bcb14d2..603d66b 100644 --- a/l2tpns.c +++ b/l2tpns.c @@ -4,7 +4,7 @@ // Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced // vim: sw=8 ts=8 -char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.73.2.2 2005/01/10 07:44:49 bodea Exp $"; +char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.73.2.3 2005/01/13 07:58:54 bodea Exp $"; #include #include @@ -148,7 +148,7 @@ static sessionidt shut_acct_n = 0; tunnelt *tunnel = NULL; // Array of tunnel structures. sessiont *session = NULL; // Array of session structures. -sessioncountt *sess_count = NULL; // Array of partial per-session traffic counters. +sessionlocalt *sess_local = NULL; // Array of local per-session counters. radiust *radius = NULL; // Array of radius structures. ippoolt *ip_address_pool = NULL; // Array of dynamic IP addresses. ip_filtert *ip_filters = NULL; // Array of named filters. @@ -769,7 +769,7 @@ static void processipout(uint8_t * buf, int len) // DoS prevention: enforce a maximum number of packets per 0.1s for a session if (config->max_packets > 0) { - if (sess_count[s].last_packet_out == TIME) + if (sess_local[s].last_packet_out == TIME) { int max = config->max_packets; 
@@ -782,24 +782,26 @@ static void processipout(uint8_t * buf, int len) if (!config->cluster_iam_master && sp->throttle_out && sp->throttle_out < max) max = sp->throttle_out; - if (++sess_count[s].packets_out > max) + if (++sess_local[s].packets_out > max) { - sess_count[s].packets_dropped++; + sess_local[s].packets_dropped++; return; } } else { - if (sess_count[s].packets_dropped) + if (sess_local[s].packets_dropped) { - INC_STAT(tun_rx_dropped, sess_count[s].packets_dropped); - LOG(2, s, t, "Possible DoS attack on %s (%s); dropped %u packets.\n", - fmtaddr(ip, 0), sp->user, sess_count[s].packets_dropped); + INC_STAT(tun_rx_dropped, sess_local[s].packets_dropped); + LOG(3, s, t, "Dropped %u/%u packets to %s for %suser %s\n", + sess_local[s].packets_out, sess_local[s].packets_dropped, + fmtaddr(ip, 0), sp->throttle_out ? "throttled " : "", + sp->user); } - sess_count[s].last_packet_out = TIME; - sess_count[s].packets_out = 1; - sess_count[s].packets_dropped = 0; + sess_local[s].last_packet_out = TIME; + sess_local[s].packets_out = 1; + sess_local[s].packets_dropped = 0; } } @@ -840,7 +842,7 @@ static void processipout(uint8_t * buf, int len) sp->total_cout += len; // byte count sp->pout++; udp_tx += len; - sess_count[s].cout += len; // To send to master.. + sess_local[s].cout += len; // To send to master.. } // @@ -890,7 +892,7 @@ static void send_ipout(sessionidt s, uint8_t *buf, int len) sp->total_cout += len; // byte count sp->pout++; udp_tx += len; - sess_count[s].cout += len; // To send to master.. + sess_local[s].cout += len; // To send to master.. } // add an AVP (16 bit) 
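Review bot: The new drop message passes `sess_local[s].packets_out` before `sess_local[s].packets_dropped`, so "Dropped %u/%u packets" prints total/dropped while a reader will parse it as dropped/total; swap the two arguments, `sess_local[s].packets_dropped, sess_local[s].packets_out,`, or make the format explicit with `"Dropped %u of %u packets to %s ..."`. Note that packets_out already includes the dropped ones, since it is incremented before the `> max` comparison, so the ratio is dropped out of all packets seen in that 0.1s window. The line also moves from level 2 to 3 and loses the "Possible DoS" wording that an operator could match on; if the lower level is deliberate, keeping a stable keyword in the text preserves that. processipout starts and ends outside this hunk.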
@@ -2675,9 +2677,9 @@ static void initdata(int optdebug, char *optconfig) exit(1); } - if (!(sess_count = shared_malloc(sizeof(sessioncountt) * MAXSESSION))) + if (!(sess_local = shared_malloc(sizeof(sessionlocalt) * MAXSESSION))) { - LOG(0, 0, 0, "Error doing malloc for sessions_count: %s\n", strerror(errno)); + LOG(0, 0, 0, "Error doing malloc for sess_local: %s\n", strerror(errno)); exit(1); } diff --git a/l2tpns.h b/l2tpns.h index 87ed953..084fa4e 100644 --- a/l2tpns.h +++ b/l2tpns.h @@ -1,5 +1,5 @@ // L2TPNS Global Stuff -// $Id: l2tpns.h,v 1.49.2.2 2005/01/10 07:08:14 bodea Exp $ +// $Id: l2tpns.h,v 1.49.2.3 2005/01/13 07:58:54 bodea Exp $ #ifndef __L2TPNS_H__ #define __L2TPNS_H__ @@ -219,7 +219,7 @@ typedef struct clockt last_packet_out; uint32_t packets_out; uint32_t packets_dropped; -} sessioncountt; +} sessionlocalt; #define SESSIONPFC 1 // PFC negotiated flags #define SESSIONACFC 2 // ACFC negotiated flags @@ -619,7 +619,7 @@ void host_unreachable(in_addr_t destination, uint16_t id, in_addr_t source, char extern tunnelt *tunnel; extern sessiont *session; -extern sessioncountt *sess_count; +extern sessionlocalt *sess_local; extern ippoolt *ip_address_pool; #define sessionfree (session[0].next) diff --git a/l2tpns.spec b/l2tpns.spec index b73eb21..0b2d3d9 100644 --- a/l2tpns.spec +++ b/l2tpns.spec @@ -43,5 +43,5 @@ rm -rf %{buildroot} %attr(644,root,root) /usr/share/man/man[58]/* %changelog -* Mon Jan 10 2005 Brendan O'Dea 2.0.15-1 +* Thu Jan 13 2005 Brendan O'Dea 2.0.15-1 - 2.0.15 release, see /usr/share/doc/l2tpns-2.0.15/Changes diff --git a/ppp.c b/ppp.c index 0d9dc01..caec156 100644 --- a/ppp.c +++ b/ppp.c @@ -1,6 +1,6 @@ // L2TPNS PPP Stuff -char const *cvs_id_ppp = "$Id: ppp.c,v 1.40 2005/01/05 13:50:30 bodea Exp $"; +char const *cvs_id_ppp = "$Id: ppp.c,v 1.39.2.1 2005/01/13 07:58:54 bodea Exp $"; #include #include 
@@ -32,7 +32,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) char pass[129]; uint16_t hl; - CSTAT(processpap); + CSTAT(call_processpap); LOG_HEX(5, "PAP", p, l); if (l < 4) @@ -132,7 +132,7 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) uint16_t r; uint16_t hl; - CSTAT(processchap); + CSTAT(call_processchap); LOG_HEX(5, "CHAP", p, l); r = session[s].radius; @@ -224,13 +224,29 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) radiussend(r, RADIUSAUTH); } +static char *ppp_lcp_types[] = { + NULL, + "ConfigReq", + "ConfigAck", + "ConfigNak", + "ConfigRej", + "TerminateReq", + "TerminateAck", + "CodeRej", + "ProtocolRej", + "EchoReq", + "EchoReply", + "DiscardRequest", + "IdentRequest", +}; + static void dumplcp(uint8_t *p, int l) { int x = l - 4; uint8_t *o = (p + 4); LOG_HEX(5, "PPP LCP Packet", p, l); - LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) ); + LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((uint16_t *) p)[1]) ); LOG(4, 0, 0, "Length: %d\n", l); if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck) return; 
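Review bot: `ppp_lcp_types[(int)*p]` in dumplcp indexes a 13-entry table with the LCP code byte taken straight from the packet, so any code above 12 reads past the array and code 0 hands a NULL to `%s`; the removed `ppp_lcp_type()` call may have guarded this, but the bare table lookup does not. The same unchecked form appears on the `Sending %s` line in processlcp (the @@ -467 hunk), where the index is at least program-chosen. I would add a bounds-checked accessor next to the table and use it at both sites; the helper and the changed dumplcp line are below. dumplcp continues outside this hunk.
```c
static char const *ppp_lcp_type_name(int type)
{
	// Index may come from the wire (dumplcp): check the bound and the NULL slot 0.
	if (type < 0 || type >= (int)(sizeof(ppp_lcp_types) / sizeof(ppp_lcp_types[0])) || !ppp_lcp_types[type])
		return "Unknown";

	return ppp_lcp_types[type];
}

// … unchanged: dumplcp prologue …
	LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type_name(*p), ntohs( ((uint16_t *) p)[1]) );
```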
@@ -255,48 +271,48 @@ static void dumplcp(uint8_t *p, int l) { case 1: // Maximum-Receive-Unit if (length == 4) - LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2))); + LOG(4, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(uint16_t *)(o + 2))); else - LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length); + LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length); break; case 2: // Async-Control-Character-Map if (length == 6) { uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2)); - LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap); + LOG(4, 0, 0, " %s %x\n", lcp_types[type], asyncmap); } else - LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length); + LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length); break; case 3: // Authentication-Protocol if (length == 4) { int proto = ntohs(*(uint16_t *)(o + 2)); - LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto, + LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto, proto == PPPCHAP ? "CHAP" : proto == PPPPAP ? "PAP" : "UNKNOWN"); } else - LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length); + LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length); break; case 4: // Quality-Protocol { uint32_t qp = ntohl(*(uint32_t *)(o + 2)); - LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp); + LOG(4, 0, 0, " %s %x\n", lcp_types[type], qp); } break; case 5: // Magic-Number if (length == 6) { uint32_t magicno = ntohl(*(uint32_t *)(o + 2)); - LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno); + LOG(4, 0, 0, " %s %x\n", lcp_types[type], magicno); } else - LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length); + LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length); break; case 7: // Protocol-Field-Compression case 8: // Address-And-Control-Field-Compression - LOG(4, 0, 0, " %s\n", lcp_type(type)); + LOG(4, 0, 0, " %s\n", lcp_types[type]); break; default: LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type); 
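Review bot: `case 4: // Quality-Protocol` dereferences `*(uint32_t *)(o + 2)` without the `length == 6` test that the neighbouring cases apply, so an option that advertises a shorter length is decoded from the bytes after it; whether that stays inside the packet depends on the option-walking loop, which is outside this hunk. Wrap it like the others: `if (length == 6) { uint32_t qp = ...; LOG(...); } else LOG(4, 0, 0, "    %s odd length %d\n", lcp_types[type], length);`. The `lcp_types[type]` lookups themselves are safe here because only the case labels 1 to 8 reach them. dumplcp starts and ends outside this hunk.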
@@ -315,7 +331,7 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) uint32_t magicno = 0; uint16_t hl; - CSTAT(processlcp); + CSTAT(call_processlcp); LOG_HEX(5, "LCP", p, l); if (l < 4) @@ -467,7 +483,7 @@ void processlcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) *q = ConfigAck; } - LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response)); + LOG(3, s, t, "Sending %s\n", ppp_lcp_types[*response]); tunnelsend(b, l + (q - b), t); if (!(session[s].flags & SF_LCP_ACKED)) @@ -551,7 +567,7 @@ void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { uint16_t hl; - CSTAT(processipcp); + CSTAT(call_processipcp); LOG_HEX(5, "IPCP", p, l); if (l < 5) @@ -693,7 +709,7 @@ void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) { in_addr_t ip; - CSTAT(processipin); + CSTAT(call_processipin); LOG_HEX(5, "IP", p, l); @@ -750,7 +766,7 @@ void processipin(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) session[s].cin += l - 4; session[s].total_cin += l - 4; - sess_count[s].cin += l - 4; + sess_local[s].cin += l - 4; session[s].pin++; eth_tx += l - 4; @@ -785,7 +801,7 @@ void send_ipin(sessionidt s, uint8_t *buf, int len) // Increment packet counters session[s].cin += len - 4; session[s].total_cin += len - 4; - sess_count[s].cin += len - 4; + sess_local[s].cin += len - 4; session[s].pin++; eth_tx += len - 4; @@ -801,7 +817,7 @@ void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l) uint8_t b[MAXCONTROL]; uint8_t *q; - CSTAT(processccp); + CSTAT(call_processccp); LOG_HEX(5, "CCP", p, l); switch (l > 1 ? *p : 0) 
@@ -853,24 +869,25 @@ void sendchap(tunnelidt t, sessionidt s) uint16_t r = session[s].radius; uint8_t *q; - CSTAT(sendchap); + CSTAT(call_sendchap); if (!r) { LOG(1, s, t, "No RADIUS to send challenge\n"); STAT(tunnel_tx_errors); - return; + return ; } - LOG(1, s, t, "Send CHAP challenge\n"); - - // new challenge - random_data(radius[r].auth, sizeof(radius[r].auth)); + { + // new challenge + int n; + for (n = 0; n < 15; n++) + radius[r].auth[n] = rand(); + } radius[r].chap = 1; // CHAP not PAP radius[r].id++; if (radius[r].state != RADIUSCHAP) radius[r].try = 0; - radius[r].state = RADIUSCHAP; radius[r].retry = backoff(radius[r].try++); if (radius[r].try > 5) -- 2.20.1
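Review bot: The CHAP challenge is now filled from `rand()`, a seedable PRNG whose sequence is not unpredictable to an observer, and the loop writes 15 bytes instead of `sizeof(radius[r].auth)`, leaving any remaining bytes stale; the removed line `random_data(radius[r].auth, sizeof(radius[r].auth));` covered both points. An unpredictable challenge is what stops a captured response from being replayed, so I would keep the random_data() helper here. The hunk also drops `radius[r].state = RADIUSCHAP;`, after which `if (radius[r].state != RADIUSCHAP) radius[r].try = 0;` resets the retry count on every call unless the state is assigned elsewhere; if it is restored it belongs before `backoff(radius[r].try++)`. sendchap continues outside this hunk.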