22 #include <openbsd-compat/sys-tree.h>
58 	const char *reason;  member
76 	if (addr_netmask(addr->af, bits, &xmask) != 0 ||  in srclimit_mask_addr()
79 		return -1;  in srclimit_mask_addr()
99 srclimit_init(int max, int persource, int ipv4len, int ipv6len,  in srclimit_init()  argument
104 	max_children = max;  in srclimit_init()
119 	debug("%s: max connections %d, per source %d, masks %d,%d", __func__,  in srclimit_init()
120 	    max, persource, ipv4len, ipv6len);  in srclimit_init()
121 	if (max <= 0)  in srclimit_init()
122 		fatal("%s: invalid number of sockets: %d", __func__, max);  in srclimit_init()
125 		children[i].id = -1;  in srclimit_init()
149 		if (children[i].id == -1) {  in srclimit_check_allow()
192 			children[i].id = -1;  in srclimit_done()
201 	return addr_cmp(&a->addr, &b->addr);  in penalty_addr_cmp()
208 	if (a->expiry != b->expiry)  in penalty_expiry_cmp()
209 		return a->expiry < b->expiry ? -1 : 1;  in penalty_expiry_cmp()
211 	return addr_cmp(&a->addr, &b->addr);  in penalty_expiry_cmp()
221 	/* XXX avoid full scan of tree, e.g. min-heap */  in expire_penalties_from_tree()
223 		if (penalty->expiry >= now)  in expire_penalties_from_tree()
231 		if ((*npenaltiesp)-- == 0)  in expire_penalties_from_tree()
255 		snprintf(s + o, slen - o, "/%d", masklen);  in addr_masklen_ntop()
259 srclimit_penalty_check_allow(int sock, const char **reason)  in srclimit_penalty_check_allow()  argument
291 		*reason = "too many penalised addresses";  in srclimit_penalty_check_allow()
300 	if (penalty->expiry < now) {  in srclimit_penalty_check_allow()
304 	if (!penalty->active)  in srclimit_penalty_check_allow()
306 	*reason = penalty->reason;  in srclimit_penalty_check_allow()
319 	/* Delete the soonest-to-expire penalties. */  in srclimit_early_expire_penalties_from_tree()
323 		bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;  in srclimit_early_expire_penalties_from_tree()
324 		addr_masklen_ntop(&p->addr, bits, s, sizeof(s));  in srclimit_early_expire_penalties_from_tree()
330 		(*npenaltiesp)--;  in srclimit_early_expire_penalties_from_tree()
353 	const char *reason = NULL, *t;  in srclimit_penalise()  local
374 		reason = "penalty: caused crash";  in srclimit_penalise()
378 		reason = "penalty: failed authentication";  in srclimit_penalise()
382 		reason = "penalty: connections without attempting authentication";  in srclimit_penalise()
386 		reason = "penalty: connection prohibited by RefuseConnection";  in srclimit_penalise()
390 		reason = "penalty: exceeded LoginGraceTime";  in srclimit_penalise()
395 	bits = addr->af == AF_INET ? ipv4_masklen : ipv6_masklen;  in srclimit_penalise()
402 	by_expiry = addr->af == AF_INET ?  in srclimit_penalise()
404 	by_addr = addr->af == AF_INET ?  in srclimit_penalise()
406 	max_sources = addr->af == AF_INET ?  in srclimit_penalise()
408 	overflow_mode = addr->af == AF_INET ?  in srclimit_penalise()
410 	npenaltiesp = addr->af == AF_INET ?  &npenalties4 : &npenalties6;  in srclimit_penalise()
411 	t = addr->af == AF_INET ? "ipv4" : "ipv6";  in srclimit_penalise()
415 		    addrnetmask, reason);  in srclimit_penalise()
420 	penalty->addr = masked;  in srclimit_penalise()
421 	penalty->expiry = now + penalty_secs;  in srclimit_penalise()
422 	penalty->reason = reason;  in srclimit_penalise()
427 			penalty->active = 1;  in srclimit_penalise()
431 		    addrnetmask, penalty->active ? "active" : "deferred",  in srclimit_penalise()
432 		    penalty_secs, reason);  in srclimit_penalise()
438 	    existing->active ? "active" : "inactive", t,  in srclimit_penalise()
439 	    addrnetmask, (long long)(existing->expiry - now));  in srclimit_penalise()
444 	existing->expiry += penalty_secs;  in srclimit_penalise()
445 	if (existing->expiry - now > penalty_cfg.penalty_max)  in srclimit_penalise()
446 		existing->expiry = now + penalty_cfg.penalty_max;  in srclimit_penalise()
447 	if (existing->expiry - now > penalty_cfg.penalty_min &&  in srclimit_penalise()
448 	    !existing->active) {  in srclimit_penalise()
450 		    addrnetmask, t, (long long)(existing->expiry - now),  in srclimit_penalise()
451 		    reason);  in srclimit_penalise()
452 		existing->active = 1;  in srclimit_penalise()
454 	existing->reason = penalty->reason;  in srclimit_penalise()
457 	/* Re-insert into expiry tree */  in srclimit_penalise()
474 		bits = p->addr.af == AF_INET ? ipv4_masklen : ipv6_masklen;  in srclimit_penalty_info_for_tree()
475 		addr_masklen_ntop(&p->addr, bits, s, sizeof(s));  in srclimit_penalty_info_for_tree()
476 		if (p->expiry < now)  in srclimit_penalty_info_for_tree()
477 			logit("client %s %s (expired)", s, p->reason);  in srclimit_penalty_info_for_tree()
479 			logit("client %s %s (%llu secs left)", s, p->reason,  in srclimit_penalty_info_for_tree()
480 			   (long long)(p->expiry - now));  in srclimit_penalty_info_for_tree()