1 /* 2 * Copyright (c) 2003 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * 5 * By using this file, you agree to the terms and conditions set 6 * forth in the LICENSE file which can be found at the top level of 7 * the sendmail distribution. 8 * 9 * Contributed by Jose Marcio Martins da Cruz - Ecole des Mines de Paris 10 * Jose-Marcio.Martins@ensmp.fr 11 */ 12 13 /* a part of this code is based on inetd.c for which this copyright applies: */ 14 /* 15 * Copyright (c) 1983, 1991, 1993, 1994 16 * The Regents of the University of California. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 3. All advertising materials mentioning features or use of this software 27 * must display the following acknowledgement: 28 * This product includes software developed by the University of 29 * California, Berkeley and its contributors. 30 * 4. Neither the name of the University nor the names of its contributors 31 * may be used to endorse or promote products derived from this software 32 * without specific prior written permission. 33 * 34 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 35 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 36 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 37 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 39 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 40 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 41 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 42 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 43 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 44 * SUCH DAMAGE. 45 */ 46 47 #include <sendmail.h> 48 SM_RCSID("@(#)$Id: ratectrl.c,v 8.10 2005/06/14 23:07:23 ca Exp $") 49 50 /* 51 ** stuff included - given some warnings (inet_ntoa) 52 ** - surely not everything is needed 53 */ 54 55 #if NETINET || NETINET6 56 # include <arpa/inet.h> 57 #endif /* NETINET || NETINET6 */ 58 59 #include <sm/time.h> 60 61 #ifndef HASH_ALG 62 # define HASH_ALG 2 63 #endif /* HASH_ALG */ 64 65 #ifndef RATECTL_DEBUG 66 # define RATECTL_DEBUG 0 67 #endif /* RATECTL_DEBUG */ 68 69 /* forward declarations */ 70 static int client_rate __P((time_t, SOCKADDR *, bool)); 71 static int total_rate __P((time_t, bool)); 72 #if 0 73 static int sockaddrcmp __P((SOCKADDR *, SOCKADDR *)); 74 #endif /* 0 */ 75 76 /* 77 ** CONNECTION_RATE_CHECK - updates connection history data 78 ** and computes connection rate for the given host 79 ** 80 ** Parameters: 81 ** hostaddr -- ip address of smtp client 82 ** e -- envelope 83 ** 84 ** Returns: 85 ** true (always) 86 ** 87 ** Side Effects: 88 ** updates connection history 89 ** 90 ** Warnings: 91 ** For each connection, this call shall be 92 ** done only once with the value true for the 93 ** update parameter. 94 ** Typically, this call is done with the value 95 ** true by the father, and once again with 96 ** the value false by the children. 97 ** 98 */ 99 100 bool 101 connection_rate_check(hostaddr, e) 102 SOCKADDR *hostaddr; 103 ENVELOPE *e; 104 { 105 time_t now; 106 int totalrate, clientrate; 107 static int clientconn = 0; 108 109 now = time(NULL); 110 #if RATECTL_DEBUG 111 sm_syslog(LOG_INFO, NOQID, "connection_rate_check entering..."); 112 #endif /* RATECTL_DEBUG */ 113 114 /* update server connection rate */ 115 totalrate = total_rate(now, e == NULL); 116 #if RATECTL_DEBUG 117 sm_syslog(LOG_INFO, NOQID, "global connection rate: %d", globalRate); 118 #endif /* RATECTL_DEBUG */ 119 120 /* update client connection rate */ 121 clientrate = client_rate(now, hostaddr, e == NULL); 122 123 if (e == NULL) 124 clientconn = count_open_connections(hostaddr); 125 126 if (e != NULL) 127 { 128 char s[16]; 129 130 sm_snprintf(s, sizeof(s), "%d", clientrate); 131 macdefine(&e->e_macro, A_TEMP, macid("{client_rate}"), s); 132 sm_snprintf(s, sizeof(s), "%d", totalrate); 133 macdefine(&e->e_macro, A_TEMP, macid("{total_rate}"), s); 134 sm_snprintf(s, sizeof(s), "%d", clientconn); 135 macdefine(&e->e_macro, A_TEMP, macid("{client_connections}"), 136 s); 137 } 138 return true; 139 } 140 141 /* 142 ** Data declarations needed to evaluate connection rate 143 */ 144 145 static int CollTime = 60; 146 147 /* this should be a power of 2, otherwise CPMHMASK doesn't work well */ 148 #ifndef CPMHSIZE 149 # define CPMHSIZE 1024 150 #endif /* CPMHSIZE */ 151 152 #define CPMHMASK (CPMHSIZE-1) 153 154 #ifndef MAX_CT_STEPS 155 # define MAX_CT_STEPS 10 156 #endif /* MAX_CT_STEPS */ 157 158 /* 159 ** time granularity: 10s (that's one "tick") 160 ** will be initialised to ConnectionRateWindowSize/CHTSIZE 161 ** before being used the first time 162 */ 163 164 static int ChtGran = -1; 165 166 #define CHTSIZE 6 167 168 /* Number of connections for a certain "tick" */ 169 typedef struct CTime 170 { 171 unsigned long ct_Ticks; 172 int ct_Count; 173 } 174 CTime_T; 175 176 typedef struct CHash 177 { 178 #if NETINET6 && NETINET 179 union 180 { 181 struct in_addr c4_Addr; 182 struct in6_addr c6_Addr; 183 } cu_Addr; 184 # define ch_Addr4 cu_Addr.c4_Addr 185 # define ch_Addr6 cu_Addr.c6_Addr 186 #else /* NETINET6 && NETINET */ 187 # if NETINET6 188 struct in6_addr ch_Addr; 189 # define ch_Addr6 ch_Addr 190 # else /* NETINET6 */ 191 struct in_addr ch_Addr; 192 # define ch_Addr4 ch_Addr 193 # endif /* NETINET6 */ 194 #endif /* NETINET6 && NETINET */ 195 196 int ch_Family; 197 time_t ch_LTime; 198 unsigned long ch_colls; 199 200 /* 6 buckets for ticks: 60s */ 201 CTime_T ch_Times[CHTSIZE]; 202 } 203 CHash_T; 204 205 static CHash_T CHashAry[CPMHSIZE]; 206 static bool CHashAryOK = false; 207 208 /* 209 ** CLIENT_RATE - Evaluate connection rate per smtp client 210 ** 211 ** Parameters: 212 ** now - current time in secs 213 ** saddr - client address 214 ** update - update data / check only 215 ** 216 ** Returns: 217 ** connection rate (connections / ConnectionRateWindowSize) 218 ** 219 ** Side effects: 220 ** update static global data 221 ** 222 */ 223 224 static int 225 client_rate(now, saddr, update) 226 time_t now; 227 SOCKADDR *saddr; 228 bool update; 229 { 230 unsigned int hv; 231 int i; 232 int cnt; 233 bool coll; 234 CHash_T *chBest = NULL; 235 unsigned int ticks; 236 237 cnt = 0; 238 hv = 0xABC3D20F; 239 if (ChtGran < 0) 240 ChtGran = ConnectionRateWindowSize / CHTSIZE; 241 if (ChtGran <= 0) 242 ChtGran = 10; 243 244 ticks = now / ChtGran; 245 246 if (!CHashAryOK) 247 { 248 memset(CHashAry, 0, sizeof (CHashAry)); 249 CHashAryOK = true; 250 } 251 252 { 253 char *p; 254 int addrlen; 255 #if HASH_ALG != 1 256 int c, d; 257 #endif /* HASH_ALG != 1 */ 258 259 switch (saddr->sa.sa_family) 260 { 261 #if NETINET 262 case AF_INET: 263 p = (char *)&saddr->sin.sin_addr; 264 addrlen = sizeof(struct in_addr); 265 break; 266 #endif /* NETINET */ 267 #if NETINET6 268 case AF_INET6: 269 p = (char *)&saddr->sin6.sin6_addr; 270 addrlen = sizeof(struct in6_addr); 271 break; 272 #endif /* NETINET6 */ 273 default: 274 /* should not happen */ 275 return -1; 276 } 277 278 /* compute hash value */ 279 for (i = 0; i < addrlen; ++i, ++p) 280 #if HASH_ALG == 1 281 hv = (hv << 5) ^ (hv >> 23) ^ *p; 282 hv = (hv ^ (hv >> 16)); 283 #elif HASH_ALG == 2 284 { 285 d = *p; 286 c = d; 287 c ^= c<<6; 288 hv += (c<<11) ^ (c>>1); 289 hv ^= (d<<14) + (d<<7) + (d<<4) + d; 290 } 291 #elif HASH_ALG == 3 292 { 293 hv = (hv << 4) + *p; 294 d = hv & 0xf0000000; 295 if (d != 0) 296 { 297 hv ^= (d >> 24); 298 hv ^= d; 299 } 300 } 301 #else /* HASH_ALG == 1 */ 302 hv = ((hv << 1) ^ (*p & 0377)) % cctx->cc_size; 303 #endif /* HASH_ALG == 1 */ 304 } 305 306 coll = true; 307 for (i = 0; i < MAX_CT_STEPS; ++i) 308 { 309 CHash_T *ch = &CHashAry[(hv + i) & CPMHMASK]; 310 311 #if NETINET 312 if (saddr->sa.sa_family == AF_INET && 313 ch->ch_Family == AF_INET && 314 (saddr->sin.sin_addr.s_addr == ch->ch_Addr4.s_addr || 315 ch->ch_Addr4.s_addr == 0)) 316 { 317 chBest = ch; 318 coll = false; 319 break; 320 } 321 #endif /* NETINET */ 322 #if NETINET6 323 if (saddr->sa.sa_family == AF_INET6 && 324 ch->ch_Family == AF_INET6 && 325 (IN6_ARE_ADDR_EQUAL(&saddr->sin6.sin6_addr, 326 &ch->ch_Addr6) != 0 || 327 IN6_IS_ADDR_UNSPECIFIED(&ch->ch_Addr6))) 328 { 329 chBest = ch; 330 coll = false; 331 break; 332 } 333 #endif /* NETINET6 */ 334 if (chBest == NULL || ch->ch_LTime == 0 || 335 ch->ch_LTime < chBest->ch_LTime) 336 chBest = ch; 337 } 338 339 /* Let's update data... */ 340 if (update) 341 { 342 if (coll && (now - chBest->ch_LTime < CollTime)) 343 { 344 /* 345 ** increment the number of collisions last 346 ** CollTime for this client 347 */ 348 349 chBest->ch_colls++; 350 351 /* 352 ** Maybe shall log if collision rate is too high... 353 ** and take measures to resize tables 354 ** if this is the case 355 */ 356 } 357 358 /* 359 ** If it's not a match, then replace the data. 360 ** Note: this purges the history of a colliding entry, 361 ** which may cause "overruns", i.e., if two entries are 362 ** "cancelling" each other out, then they may exceed 363 ** the limits that are set. This might be mitigated a bit 364 ** by the above "best of 5" function however. 365 ** 366 ** Alternative approach: just use the old data, which may 367 ** cause false positives however. 368 ** To activate this, change deactivate following memset call. 369 */ 370 371 if (coll) 372 { 373 #if NETINET 374 if (saddr->sa.sa_family == AF_INET) 375 { 376 chBest->ch_Family = AF_INET; 377 chBest->ch_Addr4 = saddr->sin.sin_addr; 378 } 379 #endif /* NETINET */ 380 #if NETINET6 381 if (saddr->sa.sa_family == AF_INET6) 382 { 383 chBest->ch_Family = AF_INET6; 384 chBest->ch_Addr6 = saddr->sin6.sin6_addr; 385 } 386 #endif /* NETINET6 */ 387 #if 1 388 memset(chBest->ch_Times, '\0', 389 sizeof (chBest->ch_Times)); 390 #endif /* 1 */ 391 } 392 393 chBest->ch_LTime = now; 394 { 395 CTime_T *ct = &chBest->ch_Times[ticks % CHTSIZE]; 396 397 if (ct->ct_Ticks != ticks) 398 { 399 ct->ct_Ticks = ticks; 400 ct->ct_Count = 0; 401 } 402 ++ct->ct_Count; 403 } 404 } 405 406 /* Now let's count connections on the window */ 407 for (i = 0; i < CHTSIZE; ++i) 408 { 409 CTime_T *ct = &chBest->ch_Times[i]; 410 411 if (ct->ct_Ticks <= ticks && ct->ct_Ticks >= ticks - CHTSIZE) 412 cnt += ct->ct_Count; 413 } 414 415 #if RATECTL_DEBUG 416 sm_syslog(LOG_WARNING, NOQID, 417 "cln: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)", 418 cnt, CHTSIZE, ChtGran); 419 #endif /* RATECTL_DEBUG */ 420 return cnt; 421 } 422 423 /* 424 ** TOTAL_RATE - Evaluate global connection rate 425 ** 426 ** Parameters: 427 ** now - current time in secs 428 ** update - update data / check only 429 ** 430 ** Returns: 431 ** connection rate (connections / ConnectionRateWindowSize) 432 */ 433 434 static CTime_T srv_Times[CHTSIZE]; 435 static bool srv_Times_OK = false; 436 437 static int 438 total_rate(now, update) 439 time_t now; 440 bool update; 441 { 442 int i; 443 int cnt = 0; 444 CTime_T *ct; 445 unsigned int ticks; 446 447 if (ChtGran < 0) 448 ChtGran = ConnectionRateWindowSize / CHTSIZE; 449 if (ChtGran == 0) 450 ChtGran = 10; 451 ticks = now / ChtGran; 452 if (!srv_Times_OK) 453 { 454 memset(srv_Times, 0, sizeof(srv_Times)); 455 srv_Times_OK = true; 456 } 457 458 /* Let's update data */ 459 if (update) 460 { 461 ct = &srv_Times[ticks % CHTSIZE]; 462 463 if (ct->ct_Ticks != ticks) 464 { 465 ct->ct_Ticks = ticks; 466 ct->ct_Count = 0; 467 } 468 ++ct->ct_Count; 469 } 470 471 /* Let's count connections on the window */ 472 for (i = 0; i < CHTSIZE; ++i) 473 { 474 ct = &srv_Times[i]; 475 476 if (ct->ct_Ticks <= ticks && ct->ct_Ticks >= ticks - CHTSIZE) 477 cnt += ct->ct_Count; 478 } 479 480 #if RATECTL_DEBUG 481 sm_syslog(LOG_WARNING, NOQID, 482 "srv: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)", 483 cnt, CHTSIZE, ChtGran); 484 #endif /* RATECTL_DEBUG */ 485 486 return cnt; 487 } 488 489 #if 0 490 /* 491 ** SOCKADDRCMP - compare two SOCKADDR structures 492 ** this function may be used to compare SOCKADDR 493 ** structures when using bsearch and qsort functions 494 ** in the same way we do with strcmp 495 ** 496 ** Parameters: 497 ** a, b - addresses 498 ** 499 ** Returns: 500 ** 1 if a > b 501 ** -1 if a < b 502 ** 0 if a = b 503 ** 504 ** OBS: This call isn't used at the moment, it will 505 ** be used when code will be extended to work with IPV6 506 */ 507 508 static int 509 sockaddrcmp(a, b) 510 SOCKADDR *a; 511 SOCKADDR *b; 512 { 513 if (a->sa.sa_family > b->sa.sa_family) 514 return 1; 515 if (a->sa.sa_family < b->sa.sa_family) 516 return -1; 517 518 switch (a->sa.sa_family) 519 { 520 case AF_INET: 521 if (a->sin.sin_addr.s_addr > b->sin.sin_addr.s_addr) 522 return 1; 523 if (a->sin.sin_addr.s_addr < b->sin.sin_addr.s_addr) 524 return -1; 525 return 0; 526 break; 527 528 case AF_INET6: 529 /* TO BE DONE */ 530 break; 531 } 532 return 0; 533 } 534 #endif /* 0 */ 535