1 /* 2 * Copyright (c) 2003 Sendmail, Inc. and its suppliers. 3 * All rights reserved. 4 * 5 * By using this file, you agree to the terms and conditions set 6 * forth in the LICENSE file which can be found at the top level of 7 * the sendmail distribution. 8 * 9 * Contributed by Jose Marcio Martins da Cruz - Ecole des Mines de Paris 10 * Jose-Marcio.Martins@ensmp.fr 11 */ 12 13 /* a part of this code is based on inetd.c for which this copyright applies: */ 14 /* 15 * Copyright (c) 1983, 1991, 1993, 1994 16 * The Regents of the University of California. All rights reserved. 17 * 18 * Redistribution and use in source and binary forms, with or without 19 * modification, are permitted provided that the following conditions 20 * are met: 21 * 1. Redistributions of source code must retain the above copyright 22 * notice, this list of conditions and the following disclaimer. 23 * 2. Redistributions in binary form must reproduce the above copyright 24 * notice, this list of conditions and the following disclaimer in the 25 * documentation and/or other materials provided with the distribution. 26 * 3. All advertising materials mentioning features or use of this software 27 * must display the following acknowledgement: 28 * This product includes software developed by the University of 29 * California, Berkeley and its contributors. 30 * 4. Neither the name of the University nor the names of its contributors 31 * may be used to endorse or promote products derived from this software 32 * without specific prior written permission. 33 * 34 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 35 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 36 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 37 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 39 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 40 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 41 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 42 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 43 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 44 * SUCH DAMAGE. 45 */ 46 47 #pragma ident "%Z%%M% %I% %E% SMI" 48 49 #include <sendmail.h> 50 SM_RCSID("@(#)$Id: ratectrl.c,v 8.11 2006/08/15 23:24:57 ca Exp $") 51 52 /* 53 ** stuff included - given some warnings (inet_ntoa) 54 ** - surely not everything is needed 55 */ 56 57 #if NETINET || NETINET6 58 # include <arpa/inet.h> 59 #endif /* NETINET || NETINET6 */ 60 61 #include <sm/time.h> 62 63 #ifndef HASH_ALG 64 # define HASH_ALG 2 65 #endif /* HASH_ALG */ 66 67 #ifndef RATECTL_DEBUG 68 # define RATECTL_DEBUG 0 69 #endif /* RATECTL_DEBUG */ 70 71 /* forward declarations */ 72 static int client_rate __P((time_t, SOCKADDR *, bool)); 73 static int total_rate __P((time_t, bool)); 74 #if 0 75 static int sockaddrcmp __P((SOCKADDR *, SOCKADDR *)); 76 #endif /* 0 */ 77 78 /* 79 ** CONNECTION_RATE_CHECK - updates connection history data 80 ** and computes connection rate for the given host 81 ** 82 ** Parameters: 83 ** hostaddr -- ip address of smtp client 84 ** e -- envelope 85 ** 86 ** Returns: 87 ** true (always) 88 ** 89 ** Side Effects: 90 ** updates connection history 91 ** 92 ** Warnings: 93 ** For each connection, this call shall be 94 ** done only once with the value true for the 95 ** update parameter. 96 ** Typically, this call is done with the value 97 ** true by the father, and once again with 98 ** the value false by the children. 99 ** 100 */ 101 102 bool 103 connection_rate_check(hostaddr, e) 104 SOCKADDR *hostaddr; 105 ENVELOPE *e; 106 { 107 time_t now; 108 int totalrate, clientrate; 109 static int clientconn = 0; 110 111 now = time(NULL); 112 #if RATECTL_DEBUG 113 sm_syslog(LOG_INFO, NOQID, "connection_rate_check entering..."); 114 #endif /* RATECTL_DEBUG */ 115 116 /* update server connection rate */ 117 totalrate = total_rate(now, e == NULL); 118 #if RATECTL_DEBUG 119 sm_syslog(LOG_INFO, NOQID, "global connection rate: %d", globalRate); 120 #endif /* RATECTL_DEBUG */ 121 122 /* update client connection rate */ 123 clientrate = client_rate(now, hostaddr, e == NULL); 124 125 if (e == NULL) 126 clientconn = count_open_connections(hostaddr); 127 128 if (e != NULL) 129 { 130 char s[16]; 131 132 sm_snprintf(s, sizeof(s), "%d", clientrate); 133 macdefine(&e->e_macro, A_TEMP, macid("{client_rate}"), s); 134 sm_snprintf(s, sizeof(s), "%d", totalrate); 135 macdefine(&e->e_macro, A_TEMP, macid("{total_rate}"), s); 136 sm_snprintf(s, sizeof(s), "%d", clientconn); 137 macdefine(&e->e_macro, A_TEMP, macid("{client_connections}"), 138 s); 139 } 140 return true; 141 } 142 143 /* 144 ** Data declarations needed to evaluate connection rate 145 */ 146 147 static int CollTime = 60; 148 149 /* this should be a power of 2, otherwise CPMHMASK doesn't work well */ 150 #ifndef CPMHSIZE 151 # define CPMHSIZE 1024 152 #endif /* CPMHSIZE */ 153 154 #define CPMHMASK (CPMHSIZE-1) 155 156 #ifndef MAX_CT_STEPS 157 # define MAX_CT_STEPS 10 158 #endif /* MAX_CT_STEPS */ 159 160 /* 161 ** time granularity: 10s (that's one "tick") 162 ** will be initialised to ConnectionRateWindowSize/CHTSIZE 163 ** before being used the first time 164 */ 165 166 static int ChtGran = -1; 167 168 #define CHTSIZE 6 169 170 /* Number of connections for a certain "tick" */ 171 typedef struct CTime 172 { 173 unsigned long ct_Ticks; 174 int ct_Count; 175 } 176 CTime_T; 177 178 typedef struct CHash 179 { 180 #if NETINET6 && NETINET 181 union 182 { 183 struct in_addr c4_Addr; 184 struct in6_addr c6_Addr; 185 } cu_Addr; 186 # define ch_Addr4 cu_Addr.c4_Addr 187 # define ch_Addr6 cu_Addr.c6_Addr 188 #else /* NETINET6 && NETINET */ 189 # if NETINET6 190 struct in6_addr ch_Addr; 191 # define ch_Addr6 ch_Addr 192 # else /* NETINET6 */ 193 struct in_addr ch_Addr; 194 # define ch_Addr4 ch_Addr 195 # endif /* NETINET6 */ 196 #endif /* NETINET6 && NETINET */ 197 198 int ch_Family; 199 time_t ch_LTime; 200 unsigned long ch_colls; 201 202 /* 6 buckets for ticks: 60s */ 203 CTime_T ch_Times[CHTSIZE]; 204 } 205 CHash_T; 206 207 static CHash_T CHashAry[CPMHSIZE]; 208 static bool CHashAryOK = false; 209 210 /* 211 ** CLIENT_RATE - Evaluate connection rate per smtp client 212 ** 213 ** Parameters: 214 ** now - current time in secs 215 ** saddr - client address 216 ** update - update data / check only 217 ** 218 ** Returns: 219 ** connection rate (connections / ConnectionRateWindowSize) 220 ** 221 ** Side effects: 222 ** update static global data 223 ** 224 */ 225 226 static int 227 client_rate(now, saddr, update) 228 time_t now; 229 SOCKADDR *saddr; 230 bool update; 231 { 232 unsigned int hv; 233 int i; 234 int cnt; 235 bool coll; 236 CHash_T *chBest = NULL; 237 unsigned int ticks; 238 239 cnt = 0; 240 hv = 0xABC3D20F; 241 if (ChtGran < 0) 242 ChtGran = ConnectionRateWindowSize / CHTSIZE; 243 if (ChtGran <= 0) 244 ChtGran = 10; 245 246 ticks = now / ChtGran; 247 248 if (!CHashAryOK) 249 { 250 memset(CHashAry, 0, sizeof(CHashAry)); 251 CHashAryOK = true; 252 } 253 254 { 255 char *p; 256 int addrlen; 257 #if HASH_ALG != 1 258 int c, d; 259 #endif /* HASH_ALG != 1 */ 260 261 switch (saddr->sa.sa_family) 262 { 263 #if NETINET 264 case AF_INET: 265 p = (char *)&saddr->sin.sin_addr; 266 addrlen = sizeof(struct in_addr); 267 break; 268 #endif /* NETINET */ 269 #if NETINET6 270 case AF_INET6: 271 p = (char *)&saddr->sin6.sin6_addr; 272 addrlen = sizeof(struct in6_addr); 273 break; 274 #endif /* NETINET6 */ 275 default: 276 /* should not happen */ 277 return -1; 278 } 279 280 /* compute hash value */ 281 for (i = 0; i < addrlen; ++i, ++p) 282 #if HASH_ALG == 1 283 hv = (hv << 5) ^ (hv >> 23) ^ *p; 284 hv = (hv ^ (hv >> 16)); 285 #elif HASH_ALG == 2 286 { 287 d = *p; 288 c = d; 289 c ^= c<<6; 290 hv += (c<<11) ^ (c>>1); 291 hv ^= (d<<14) + (d<<7) + (d<<4) + d; 292 } 293 #elif HASH_ALG == 3 294 { 295 hv = (hv << 4) + *p; 296 d = hv & 0xf0000000; 297 if (d != 0) 298 { 299 hv ^= (d >> 24); 300 hv ^= d; 301 } 302 } 303 #else /* HASH_ALG == 1 */ 304 hv = ((hv << 1) ^ (*p & 0377)) % cctx->cc_size; 305 #endif /* HASH_ALG == 1 */ 306 } 307 308 coll = true; 309 for (i = 0; i < MAX_CT_STEPS; ++i) 310 { 311 CHash_T *ch = &CHashAry[(hv + i) & CPMHMASK]; 312 313 #if NETINET 314 if (saddr->sa.sa_family == AF_INET && 315 ch->ch_Family == AF_INET && 316 (saddr->sin.sin_addr.s_addr == ch->ch_Addr4.s_addr || 317 ch->ch_Addr4.s_addr == 0)) 318 { 319 chBest = ch; 320 coll = false; 321 break; 322 } 323 #endif /* NETINET */ 324 #if NETINET6 325 if (saddr->sa.sa_family == AF_INET6 && 326 ch->ch_Family == AF_INET6 && 327 (IN6_ARE_ADDR_EQUAL(&saddr->sin6.sin6_addr, 328 &ch->ch_Addr6) != 0 || 329 IN6_IS_ADDR_UNSPECIFIED(&ch->ch_Addr6))) 330 { 331 chBest = ch; 332 coll = false; 333 break; 334 } 335 #endif /* NETINET6 */ 336 if (chBest == NULL || ch->ch_LTime == 0 || 337 ch->ch_LTime < chBest->ch_LTime) 338 chBest = ch; 339 } 340 341 /* Let's update data... */ 342 if (update) 343 { 344 if (coll && (now - chBest->ch_LTime < CollTime)) 345 { 346 /* 347 ** increment the number of collisions last 348 ** CollTime for this client 349 */ 350 351 chBest->ch_colls++; 352 353 /* 354 ** Maybe shall log if collision rate is too high... 355 ** and take measures to resize tables 356 ** if this is the case 357 */ 358 } 359 360 /* 361 ** If it's not a match, then replace the data. 362 ** Note: this purges the history of a colliding entry, 363 ** which may cause "overruns", i.e., if two entries are 364 ** "cancelling" each other out, then they may exceed 365 ** the limits that are set. This might be mitigated a bit 366 ** by the above "best of 5" function however. 367 ** 368 ** Alternative approach: just use the old data, which may 369 ** cause false positives however. 370 ** To activate this, change deactivate following memset call. 371 */ 372 373 if (coll) 374 { 375 #if NETINET 376 if (saddr->sa.sa_family == AF_INET) 377 { 378 chBest->ch_Family = AF_INET; 379 chBest->ch_Addr4 = saddr->sin.sin_addr; 380 } 381 #endif /* NETINET */ 382 #if NETINET6 383 if (saddr->sa.sa_family == AF_INET6) 384 { 385 chBest->ch_Family = AF_INET6; 386 chBest->ch_Addr6 = saddr->sin6.sin6_addr; 387 } 388 #endif /* NETINET6 */ 389 #if 1 390 memset(chBest->ch_Times, '\0', 391 sizeof(chBest->ch_Times)); 392 #endif /* 1 */ 393 } 394 395 chBest->ch_LTime = now; 396 { 397 CTime_T *ct = &chBest->ch_Times[ticks % CHTSIZE]; 398 399 if (ct->ct_Ticks != ticks) 400 { 401 ct->ct_Ticks = ticks; 402 ct->ct_Count = 0; 403 } 404 ++ct->ct_Count; 405 } 406 } 407 408 /* Now let's count connections on the window */ 409 for (i = 0; i < CHTSIZE; ++i) 410 { 411 CTime_T *ct = &chBest->ch_Times[i]; 412 413 if (ct->ct_Ticks <= ticks && ct->ct_Ticks >= ticks - CHTSIZE) 414 cnt += ct->ct_Count; 415 } 416 417 #if RATECTL_DEBUG 418 sm_syslog(LOG_WARNING, NOQID, 419 "cln: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)", 420 cnt, CHTSIZE, ChtGran); 421 #endif /* RATECTL_DEBUG */ 422 return cnt; 423 } 424 425 /* 426 ** TOTAL_RATE - Evaluate global connection rate 427 ** 428 ** Parameters: 429 ** now - current time in secs 430 ** update - update data / check only 431 ** 432 ** Returns: 433 ** connection rate (connections / ConnectionRateWindowSize) 434 */ 435 436 static CTime_T srv_Times[CHTSIZE]; 437 static bool srv_Times_OK = false; 438 439 static int 440 total_rate(now, update) 441 time_t now; 442 bool update; 443 { 444 int i; 445 int cnt = 0; 446 CTime_T *ct; 447 unsigned int ticks; 448 449 if (ChtGran < 0) 450 ChtGran = ConnectionRateWindowSize / CHTSIZE; 451 if (ChtGran == 0) 452 ChtGran = 10; 453 ticks = now / ChtGran; 454 if (!srv_Times_OK) 455 { 456 memset(srv_Times, 0, sizeof(srv_Times)); 457 srv_Times_OK = true; 458 } 459 460 /* Let's update data */ 461 if (update) 462 { 463 ct = &srv_Times[ticks % CHTSIZE]; 464 465 if (ct->ct_Ticks != ticks) 466 { 467 ct->ct_Ticks = ticks; 468 ct->ct_Count = 0; 469 } 470 ++ct->ct_Count; 471 } 472 473 /* Let's count connections on the window */ 474 for (i = 0; i < CHTSIZE; ++i) 475 { 476 ct = &srv_Times[i]; 477 478 if (ct->ct_Ticks <= ticks && ct->ct_Ticks >= ticks - CHTSIZE) 479 cnt += ct->ct_Count; 480 } 481 482 #if RATECTL_DEBUG 483 sm_syslog(LOG_WARNING, NOQID, 484 "srv: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)", 485 cnt, CHTSIZE, ChtGran); 486 #endif /* RATECTL_DEBUG */ 487 488 return cnt; 489 } 490 491 #if 0 492 /* 493 ** SOCKADDRCMP - compare two SOCKADDR structures 494 ** this function may be used to compare SOCKADDR 495 ** structures when using bsearch and qsort functions 496 ** in the same way we do with strcmp 497 ** 498 ** Parameters: 499 ** a, b - addresses 500 ** 501 ** Returns: 502 ** 1 if a > b 503 ** -1 if a < b 504 ** 0 if a = b 505 ** 506 ** OBS: This call isn't used at the moment, it will 507 ** be used when code will be extended to work with IPV6 508 */ 509 510 static int 511 sockaddrcmp(a, b) 512 SOCKADDR *a; 513 SOCKADDR *b; 514 { 515 if (a->sa.sa_family > b->sa.sa_family) 516 return 1; 517 if (a->sa.sa_family < b->sa.sa_family) 518 return -1; 519 520 switch (a->sa.sa_family) 521 { 522 case AF_INET: 523 if (a->sin.sin_addr.s_addr > b->sin.sin_addr.s_addr) 524 return 1; 525 if (a->sin.sin_addr.s_addr < b->sin.sin_addr.s_addr) 526 return -1; 527 return 0; 528 break; 529 530 case AF_INET6: 531 /* TO BE DONE */ 532 break; 533 } 534 return 0; 535 } 536 #endif /* 0 */ 537