TTLimit directive

file_61179.txt (text/plain), 3.74 KB, created by Donatas Abraitis on 2017-06-13 08:30:33 UTC

(hide)

Description: TTLimit directive

Filename:

MIME Type:

Creator: Donatas Abraitis

Created: 2017-06-13 08:30:33 UTC

Size: 3.74 KB

patch

obsolete

>commit 71c5147ae4365b4858609358dc183380730cee77 >Author: ton31337 <donatas.abraitis@gmail.com> >Date: Mon Jun 12 17:36:13 2017 +0300 > > Add `TTLimit` security check feature > >diff --git a/include/ap_listen.h b/include/ap_listen.h >index 58c2574..e20c566 100644 >--- a/include/ap_listen.h >+++ b/include/ap_listen.h >@@ -133,6 +133,7 @@ AP_DECLARE_NONSTD(int) ap_close_selected_listeners(ap_slave_t *); > * LISTEN_COMMANDS in their command_rec table so that these functions are > * called. > */ >+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, void *dummy, const char *arg); > AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy, const char *arg); > AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg); > AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, >@@ -144,6 +145,8 @@ AP_DECLARE_NONSTD(const char *) ap_set_receive_buffer_size(cmd_parms *cmd, > const char *arg); > > #define LISTEN_COMMANDS \ >+AP_INIT_TAKE1("TTLimit", ap_set_ttl_limit, NULL, RSRC_CONF, \ >+ "Maximum TTL value which will be accepted"), \ > AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \ > "Maximum length of the queue of pending connections, as used by listen(2)"), \ > AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF, \ >diff --git a/server/listen.c b/server/listen.c >index 98cd117..db2564e 100644 >--- a/server/listen.c >+++ b/server/listen.c >@@ -55,6 +55,7 @@ static ap_listen_rec **ap_listen_buckets; > AP_DECLARE_DATA int ap_have_so_reuseport = -1; > > static ap_listen_rec *old_listeners; >+static int ap_ttl_limit; > static int ap_listenbacklog; > static int ap_listencbratio; > static int send_buffer_size; >@@ -186,6 +187,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server) > return stat; > } > >+ if (ap_ttl_limit) { >+ int thesock; >+ apr_os_sock_get(&thesock, s); >+ if (setsockopt(thesock, IPPROTO_IP, IP_TTL, >+ &ap_ttl_limit, sizeof(int)) < 0) { >+ stat = apr_get_netos_error(); >+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638) >+ "make_sock: for address %pI, apr_socket_opt_set: " >+ "(IP_TTL)", >+ server->bind_addr); >+ apr_socket_close(s); >+ return stat; >+ } >+ } >+ > #ifdef WIN32 > /* I seriously doubt that this would work on Unix; I have doubts that > * it entirely solves the problem on Win32. However, since setting >@@ -758,6 +774,7 @@ AP_DECLARE(void) ap_listen_pre_config(void) > ap_listen_buckets = NULL; > ap_num_listen_buckets = 0; > ap_listenbacklog = DEFAULT_LISTENBACKLOG; >+ ap_ttl_limit = 0; > ap_listencbratio = 0; > > /* Check once whether or not SO_REUSEPORT is supported. */ >@@ -863,6 +880,26 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, > return NULL; > } > >+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, >+ void *dummy, >+ const char *arg) >+{ >+ int b; >+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); >+ >+ if (err != NULL) { >+ return err; >+ } >+ >+ b = atoi(arg); >+ if (b < 1 || b > 255) { >+ return "TTLimit > 0 and TTLimit < 255"; >+ } >+ >+ ap_ttl_limit = b; >+ return NULL; >+} >+ > AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, > void *dummy, > const char *arg) View Attachment As Raw

This is ASF Bugzilla: the Apache Software Foundation bug system. In case of problems with the functioning of ASF Bugzilla, please contact bugzilla-admin@apache.org. Please Note: this e-mail address is only for reporting problems with ASF Bugzilla. Mail about any other subject will be silently ignored.

• • Home
  • | New
  • | Browse
  • | Search
  • |
    [?]
  • | Reports
  • | Help
  • | New Account
  • | Log In
    Remember [x]
  • | Forgot Password
    Login: [x]