ASF Bugzilla – Attachment 37265 Details for
Bug 61179
TTLimit directive to set maximum allowed IP_TTL
[patch]
TTLimit.patch
1.patch (text/plain), 4.65 KB, created by
Donatas Abraitis
on 2020-05-22 11:43:37 UTC
Description:
TTLimit.patch
Filename:
MIME Type:
Creator:
Donatas Abraitis
Created:
2020-05-22 11:43:37 UTC
Size:
4.65 KB
patch
obsolete
>diff --git a/docs/manual/mod/mpm_common.xml b/docs/manual/mod/mpm_common.xml
>index be8a2ff5b2..2d27f1a1fe 100644
>--- a/docs/manual/mod/mpm_common.xml
>+++ b/docs/manual/mod/mpm_common.xml
>@@ -659,6 +659,28 @@ Apache HTTP Server</a></seealso>
> </usage>
> </directivesynopsis>
> 
>+<directivesynopsis>
>+<name>TTLimit</name>
>+<description>Maximum TTL value which will be accepted</description>
>+<syntax>TTLimit <var>number</var></syntax>
>+<default>TTLimit 0</default>
>+<contextlist><context>server config</context></contextlist>
>+<modulelist><module>event</module><module>worker</module>
>+<module>prefork</module><module>mpm_winnt</module>
>+<module>mpm_netware</module><module>mpmt_os2</module>
>+</modulelist>
>+
>+<usage>
>+ <p>Enabling this feature prevents attempts to bypass the frontend proxy layer.
>+ If set to a value larger than 0, it won't accept any requests if TTL is
>+ larger than specified.</p>
>+
>+ <p>For example, if TTLimit is set to 1, then requests will be handled only
>+ from a local network. In other words, no more than one hop.
>+ </p>
>+</usage>
>+</directivesynopsis>
>+
> <directivesynopsis>
> <name>ServerLimit</name>
> <description>Upper limit on configurable number of processes</description>
>diff --git a/include/ap_listen.h b/include/ap_listen.h
>index 2329cae70c..13c1e52ec2 100644
>--- a/include/ap_listen.h
>+++ b/include/ap_listen.h
>@@ -146,6 +146,7 @@ AP_DECLARE_NONSTD(int) ap_close_selected_listeners(ap_slave_t *);
> * LISTEN_COMMANDS in their command_rec table so that these functions are
> * called.
> */
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void *dummy, const char *arg);
> AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy, 
>@@ -161,6 +162,8 @@ AP_DECLARE_NONSTD(const char *) ap_set_accept_errors_nonfatal(cmd_parms *cmd,
> int flag);
> 
> #define LISTEN_COMMANDS \
>+AP_INIT_TAKE1("TTLimit", ap_set_ttl_limit, NULL, RSRC_CONF, \
>+ "Maximum TTL value which will be accepted"), \
> AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \
> "Maximum length of the queue of pending connections, as used by listen(2)"), \
> AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL, RSRC_CONF, \
>diff --git a/server/listen.c b/server/listen.c
>index 991a3f2c30..6ec737237a 100644
>--- a/server/listen.c
>+++ b/server/listen.c
>@@ -63,6 +63,7 @@ AP_DECLARE_DATA int ap_have_so_reuseport = -1;
> AP_DECLARE_DATA int ap_accept_errors_nonfatal = 0;
> 
> static ap_listen_rec *old_listeners;
>+static int ap_ttl_limit;
> static int ap_listenbacklog;
> static int ap_listencbratio;
> static int send_buffer_size;
>@@ -215,6 +216,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server, int do_bind_
> }
> }
> 
>+ if (ap_ttl_limit) {
>+ int thesock;
>+
>+ apr_os_sock_get(&thesock, s);
>+ if (setsockopt(thesock, IPPROTO_IP, IP_TTL,
>+ &ap_ttl_limit, sizeof(int)) < 0) {
>+ stat = apr_get_netos_error();
>+ ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638)
>+ "make_sock: for address %pI, apr_socket_opt_set: (IP_TTL)"
>+ server->bind_addr);
>+ apr_socket_close(s);
>+ return stat;
>+ }
>+ }
>+
> #ifdef WIN32
> /* I seriously doubt that this would work on Unix; I have doubts that
> * it entirely solves the problem on Win32. However, since setting
>@@ -989,6 +1005,7 @@ AP_DECLARE(void) ap_listen_pre_config(void)
> ap_listen_buckets = NULL;
> ap_num_listen_buckets = 0;
> ap_listenbacklog = DEFAULT_LISTENBACKLOG;
>+ ap_ttl_limit = 0;
> ap_listencbratio = 0;
> 
> /* Check once whether or not SO_REUSEPORT is supported. */ 
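Review bot: The ap_log_perror call in the make_sock hunk is missing the comma between the format string `"make_sock: for address %pI, apr_socket_opt_set: (IP_TTL)"` and `server->bind_addr`, so this will not compile, and the message names apr_socket_opt_set while the code calls setsockopt directly. IP_TTL at IPPROTO_IP is only meaningful for an AF_INET socket — an AF_INET6 listener needs IPPROTO_IPV6/IPV6_UNICAST_HOPS — and the apr_os_sock_get status is never checked before thesock is used. IP_TTL also sets the hop limit of packets the server emits rather than filtering on the TTL of incoming packets, so the directive only has the intended effect insofar as the SYN-ACK (and, if accepted sockets inherit the option, the later segments) cannot travel further than the limit; the mpm_common.xml text describing it as refusing requests whose TTL is larger than the limit should be reworded to match. If 02638 is already used by another log call in this file, this call needs its own APLOGNO tag.
```c
    if (ap_ttl_limit) {
        int thesock;
        int level = IPPROTO_IP, optname = IP_TTL;

        stat = apr_os_sock_get(&thesock, s);
        if (stat != APR_SUCCESS) {
            apr_socket_close(s);
            return stat;
        }
#if APR_HAVE_IPV6
        if (server->bind_addr->family == APR_INET6) {
            level = IPPROTO_IPV6;
            optname = IPV6_UNICAST_HOPS;
        }
#endif
        if (setsockopt(thesock, level, optname,
                       (const void *)&ap_ttl_limit, sizeof(ap_ttl_limit)) < 0) {
            stat = apr_get_netos_error();
            ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638)
                          "make_sock: for address %pI, setsockopt: (IP_TTL)",
                          server->bind_addr);
            apr_socket_close(s);
            return stat;
        }
    }
```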
>@@ -1178,6 +1195,25 @@ AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd,
> return NULL;
> }
> 
>+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd,
>+ void *dummy,
>+ const char *arg)
>+{
>+ int b;
>+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
>+
>+ if (err != NULL)
>+ return err;
>+
>+ b = atoi(arg);
>+ if (b < 1 || b > 255)
>+ return "TTLimit > 0 and TTLimit < 255";
>+
>+ ap_ttl_limit = b;
>+
>+ return NULL;
>+}
>+
> AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd,
> void *dummy,
> const char *arg)
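Review bot: `b = atoi(arg)` in ap_set_ttl_limit silently accepts trailing junk (`TTLimit 1x` becomes 1) and cannot signal a parse failure, and the rejection string `"TTLimit > 0 and TTLimit < 255"` contradicts the check on the line above it, which admits 255. Parse with strtol, validate the end pointer, and make the message state the accepted range, e.g. `"TTLimit must be between 1 and 255"`. The ap_set_listencbratio signature at the end of the hunk belongs to a function whose body continues outside it.
```c
    char *end;
    long v = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || v < 1 || v > 255)
        return "TTLimit must be between 1 and 255";

    ap_ttl_limit = (int)v;
```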