Attachment 37265 Details for Bug 61179 – TTLimit.patch

[patch] TTLimit.patch

1.patch (text/plain), 4.65 KB, created by Donatas Abraitis on 2020-05-22 11:43:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Donatas Abraitis

Created: 2020-05-22 11:43:37 UTC

Size: 4.65 KB

patch

obsolete

>diff --git a/docs/manual/mod/mpm_common.xml b/docs/manual/mod/mpm_common.xml
>index be8a2ff5b2..2d27f1a1fe 100644
>--- a/docs/manual/mod/mpm_common.xml
>+++ b/docs/manual/mod/mpm_common.xml
>@@ -659,6 +659,28 @@ Apache HTTP Server</a></seealso>
> </usage>
> </directivesynopsis>
> 
>+<directivesynopsis>
>+<name>TTLimit</name>
>+<description>Maximum TTL value which will be accepted</description>
>+<syntax>TTLimit <var>number</var></syntax>
>+<default>TTLimit 0</default>
>+<contextlist><context>server config</context></contextlist>
>+<modulelist><module>event</module><module>worker</module>
>+<module>prefork</module><module>mpm_winnt</module>
>+<module>mpm_netware</module><module>mpmt_os2</module>
>+</modulelist>
>+
>+<usage>
>+    <p>Enabling this feature prevents attempts to bypass the frontend proxy layer.
>+    If set to a value larger than 0, it won't accept any requests if TTL is
>+    larger than specified.</p>
>+
>+    <p>For example, if TTLimit is set to 1, then requests will be handled only
>+    from a local network. In other words, no more than one hop.
>+    </p>
>+</usage>
>+</directivesynopsis>
>+
> <directivesynopsis>
> <name>ServerLimit</name>
> <description>Upper limit on configurable number of processes</description>
>diff --git a/include/ap_listen.h b/include/ap_listen.h
>index 2329cae70c..13c1e52ec2 100644
>--- a/include/ap_listen.h
>+++ b/include/ap_listen.h
>@@ -146,6 +146,7 @@ AP_DECLARE_NONSTD(int) ap_close_selected_listeners(ap_slave_t *);
>  * LISTEN_COMMANDS in their command_rec table so that these functions are
>  * called.
>  */
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
>@@ -161,6 +162,8 @@ AP_DECLARE_NONSTD(const char *) ap_set_accept_errors_nonfatal(cmd_parms *cmd,
>                                                            int flag);
> 
> #define LISTEN_COMMANDS \
>+AP_INIT_TAKE1("TTLimit", ap_set_ttl_limit, NULL, RSRC_CONF, \
>+  "Maximum TTL value which will be accepted"), \
> AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \
>   "Maximum length of the queue of pending connections, as used by listen(2)"), \
> AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF, \
>diff --git a/server/listen.c b/server/listen.c
>index 991a3f2c30..6ec737237a 100644
>--- a/server/listen.c
>+++ b/server/listen.c
>@@ -63,6 +63,7 @@ AP_DECLARE_DATA int ap_have_so_reuseport = -1;
> AP_DECLARE_DATA int ap_accept_errors_nonfatal = 0;
> 
> static ap_listen_rec *old_listeners;
>+static int ap_ttl_limit;
> static int ap_listenbacklog;
> static int ap_listencbratio;
> static int send_buffer_size;
>@@ -215,6 +216,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_
>         }
>     }
> 
>+    if (ap_ttl_limit) {
>+        int thesock;
>+
>+        apr_os_sock_get(&thesock, s);
>+        if (setsockopt(thesock, IPPROTO_IP, IP_TTL,
>+                       &ap_ttl_limit, sizeof(int)) < 0) {
>+            stat = apr_get_netos_error();
>+            ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638)
>+                          "make_sock: for address %pI, apr_socket_opt_set: (IP_TTL)"
>+                          server->bind_addr);
>+            apr_socket_close(s);
>+            return stat;
>+        }
>+    }
>+
> #ifdef WIN32
>     /* I seriously doubt that this would work on Unix; I have doubts that
>      * it entirely solves the problem on Win32.  However, since setting
>@@ -989,6 +1005,7 @@ AP_DECLARE(void) ap_listen_pre_config(void)
>     ap_listen_buckets = NULL;
>     ap_num_listen_buckets = 0;
>     ap_listenbacklog = DEFAULT_LISTENBACKLOG;
>+    ap_ttl_limit = 0;
>     ap_listencbratio = 0;
> 
>     /* Check once whether or not SO_REUSEPORT is supported. */
>@@ -1178,6 +1195,25 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd,
>     return NULL;
> }
> 
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd,
>+                                                 void *dummy,
>+                                                 const char *arg)
>+{
>+    int b;
>+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
>+
>+    if (err != NULL)
>+        return err;
>+
>+    b = atoi(arg);
>+    if (b < 1 || b > 255)
>+        return "TTLimit > 0 and TTLimit < 255";
>+
>+    ap_ttl_limit = b;
>+
>+    return NULL;
>+}
>+
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd,
>                                                      void *dummy,
>                                                      const char *arg)

Actions: View | Diff

Attachments on bug 61179: 35048 | 37264 | 37265 | 37267