Ticket #15735: LIMITS.TXT

This patch (20060126) makes tcpserver from DJB's ucspi-tcp-0.88 package (see
http://cr.yp.to/ucspi-tcp.html) to modify its behavior if some environment
variables are present.

The variables can be preset before starting tcpserver (thus acting as
default for all connections), or, if you use 'tcpserver -x xxx.cdb', they
can be set (or overridden) from xxx.cdb. If none of the variables are set,
tcpserver behaves same as non patched version (except for negligible
performance loss). Any or all variables can be set, as soon as first limit
is reached the connection is dropped. I'd recommend using .cdb files
exclusively though, as you can then modify configuration without killing
tcpserver.

The variables are:

(1) MAXLOAD 
    maximum 1-minute load average * 100. For example, if you have line
    :allow,MAXLOAD="350" 
    in your rules file from which you created .cdb, the connection will be
    accepted only if load average is below 3.50

    See COMPILING instructions above for info on supported systems.
  
(2) MAXCONNIP
    maximum connections from one IP address. tcpserver's -c flag defines
    maximum number of allowed connections, but it can be abused if
    just one host goes wild and eats all the connections - no other host
    would be able to connect then. If you created your .cdb with:
    :allow,MAXCONNIP="5"
    and run tcpserver -c 50, then each IP address would be able to have at 
    most 5 concurrent connections, while there still could connect 50
    clients total.
    0 is valid value and means 'always reject'

(3) MAXCONNC

    maximum connections from whole C-class (256 addresses). Extension of
    MAXCONNIP, as sometimes the problematic client has a whole farm of
    client machines with different IP addresses instead of just one IP
    address, and they all try to connect. It might have been more useful to
    be able to specify CIDR block than C-class, but I've decided to KISS.

    for example tcpserver -c 200, and .cdb with:
    :allow,MAXCONNC="15"
    will allow at most 15 host from any x.y.z.0/24 address block, while
    still allowing up to 200 total connections.
    0 is valid value and means 'always reject'

(4) DIEMSG
    
    if set and one of the above limits is exceeded, this is the message 
    to be sent to client (CRLF is always added to the text) before terminating
    connection. If unset, the connection simply terminates (after 1 sec delay) 
    if limit is exceeded.

    For example:
    DIEMSG="421 example.com Service temporarily not available, closing 
    transmission channel"

(5) DIEMSG_MAXLOAD

    If set, and a connection is denied because the MAXLOAD limit is exceeded,
    this value will be used instead of DIEMSG.

    For example:
    DIEMSG_MAXLOAD="421 example.com Server busy, try again later."

(6) DIEMSG_MAXCONNIP

    If set, and a connection is denied because the MAXCONNIP limit is exceeded,
    this value will be used instead of DIEMSG.

    For example:
    DIEMSG_MAXCONNIP="421 example.com Too many connections from your IP."

(7) DIEMSG_MAXCONNC

    If set, and a connection is denied because the MAXCONNC limit is exceeded,
    this value will be used instead of DIEMSG.

    For example:
    DIEMSG_MAXCONNC="421 example.com Too many connections from your network."

Notes: 

- if a connection is dropped due to some of those variables set, it will be
  flagged (if you run tcpserver -v) with "MAXLOAD:", "MAXCONNIP:" or
  "MAXCONNC:" at the end of the "tcpserver: deny" line. If that bothers you
  (eg. you have a strict log parsers), don't apply that chunk of the patch.

- the idea for this patch came from my previous experience with xinetd, and
  need to limit incoming bursts of virus/spam SMTP connections, since I was
  running qmail-scanner to scan incoming and outgoing messages for viruses
  and spam.

When you make changes, please check that they work as expected. 

Examples (for tcprules created .cdb)
(a) 192.168.:allow,MAXLOAD="1000"
    :allow,MAXCONNIP="3"

    this would allow any connection from your local LAN (192.168.*.*
    addresses) if system load is less than 10.00. non-LAN connections would
    be accepted only if clients from that IP address have not already opened
    more than 2 connections (as your connection would be last allowed -- 3rd)

(b) 192.168.:allow
    5.6.7.8:allow,MAXCONNIP="3"
    1.2.:allow,MAXLOAD="500",MAXCONNIP="1",MAXCONNC="5"
    :allow,MAXLOAD="1000",MAXCONNIP="3",DIEMSG="421 example.com unavailable"

    if client connects from 192.168.*.* (ex: your LAN), it is allowed.
    if it connects from 5.6.7.8 (ex: little abusive customer of yours),
     it is allowed unless there are already 3active connections from 5.6.7.8
     to this service
    if it connects from 1.2.*.* (ex: some problematic networks which caused
     you grief in the past) it will connect only if load is less than 5.0,
     there is less than 5 active connections from whole C class
     (1.2.*.0/24), and if that specific IP address does not already have
     connection open.
    in all other cases, the client will be permitted to connect if load is
     less than 10.00 and client has 2 or less connections open. If load is
     higher than 10.00 or there are 3 or more connections open from this
     client, the message "421 example.com unavailable" will be returned to 
     the client and connection terminated.


Any bugs introduced are ours, do not bother DJB with them.
If you find any, or have neat ideas, or better documentation, or whatever,
contact me.

the 2006-01-26 version of the patch can be found at:
http://linux.voyager.hr/ucspi-tcp/

the 2007-12-22 version of the patch can be found at:
http://qmail.jms1.net/ucspi-tcp/

Enjoy,
Matija Nalis < mnalis-tcpserver _at_ voyager.hr >
John Simpson <jms1@jms1.net> (2007-12-22 version)