2 * Copyright (c) 2003 Sendmail, Inc. and its suppliers.
5 * By using this file, you agree to the terms and conditions set
6 * forth in the LICENSE file which can be found at the top level of
7 * the sendmail distribution.
9 * Contributed by Jose Marcio Martins da Cruz - Ecole des Mines de Paris
10 * Jose-Marcio.Martins@ensmp.fr
13 /* a part of this code is based on inetd.c for which this copyright applies: */
15 * Copyright (c) 1983, 1991, 1993, 1994
16 * The Regents of the University of California. All rights reserved.
18 * Redistribution and use in source and binary forms, with or without
19 * modification, are permitted provided that the following conditions
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
26 * 3. All advertising materials mentioning features or use of this software
27 * must display the following acknowledgement:
28 * This product includes software developed by the University of
29 * California, Berkeley and its contributors.
30 * 4. Neither the name of the University nor the names of its contributors
31 * may be used to endorse or promote products derived from this software
32 * without specific prior written permission.
34 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
35 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
36 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
37 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
38 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
39 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
40 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
41 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
42 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
43 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48 SM_RCSID("@(#)$Id: ratectrl.c,v 8.11 2006/08/15 23:24:57 ca Exp $")
51 ** stuff included - given some warnings (inet_ntoa)
52 ** - surely not everything is needed
55 #if NETINET || NETINET6
56 # include <arpa/inet.h>
57 #endif /* NETINET || NETINET6 */
66 # define RATECTL_DEBUG 0
67 #endif /* RATECTL_DEBUG */
69 /* forward declarations */
70 static int client_rate
__P((time_t, SOCKADDR
*, bool));
71 static int total_rate
__P((time_t, bool));
73 static int sockaddrcmp
__P((SOCKADDR
*, SOCKADDR
*));
77 ** CONNECTION_RATE_CHECK - updates connection history data
78 ** and computes connection rate for the given host
81 ** hostaddr -- ip address of smtp client
88 ** updates connection history
91 ** For each connection, this call shall be
92 ** done only once with the value true for the
94 ** Typically, this call is done with the value
95 ** true by the father, and once again with
96 ** the value false by the children.
101 connection_rate_check(hostaddr
, e
)
106 int totalrate
, clientrate
;
107 static int clientconn
= 0;
111 sm_syslog(LOG_INFO
, NOQID
, "connection_rate_check entering...");
112 #endif /* RATECTL_DEBUG */
114 /* update server connection rate */
115 totalrate
= total_rate(now
, e
== NULL
);
117 sm_syslog(LOG_INFO
, NOQID
, "global connection rate: %d", globalRate
);
118 #endif /* RATECTL_DEBUG */
120 /* update client connection rate */
121 clientrate
= client_rate(now
, hostaddr
, e
== NULL
);
124 clientconn
= count_open_connections(hostaddr
);
130 sm_snprintf(s
, sizeof(s
), "%d", clientrate
);
131 macdefine(&e
->e_macro
, A_TEMP
, macid("{client_rate}"), s
);
132 sm_snprintf(s
, sizeof(s
), "%d", totalrate
);
133 macdefine(&e
->e_macro
, A_TEMP
, macid("{total_rate}"), s
);
134 sm_snprintf(s
, sizeof(s
), "%d", clientconn
);
135 macdefine(&e
->e_macro
, A_TEMP
, macid("{client_connections}"),
142 ** Data declarations needed to evaluate connection rate
145 static int CollTime
= 60;
147 /* this should be a power of 2, otherwise CPMHMASK doesn't work well */
149 # define CPMHSIZE 1024
150 #endif /* CPMHSIZE */
152 #define CPMHMASK (CPMHSIZE-1)
155 # define MAX_CT_STEPS 10
156 #endif /* MAX_CT_STEPS */
159 ** time granularity: 10s (that's one "tick")
160 ** will be initialised to ConnectionRateWindowSize/CHTSIZE
161 ** before being used the first time
164 static int ChtGran
= -1;
168 /* Number of connections for a certain "tick" */
171 unsigned long ct_Ticks
;
178 #if NETINET6 && NETINET
181 struct in_addr c4_Addr
;
182 struct in6_addr c6_Addr
;
184 # define ch_Addr4 cu_Addr.c4_Addr
185 # define ch_Addr6 cu_Addr.c6_Addr
186 #else /* NETINET6 && NETINET */
188 struct in6_addr ch_Addr
;
189 # define ch_Addr6 ch_Addr
190 # else /* NETINET6 */
191 struct in_addr ch_Addr
;
192 # define ch_Addr4 ch_Addr
193 # endif /* NETINET6 */
194 #endif /* NETINET6 && NETINET */
198 unsigned long ch_colls
;
200 /* 6 buckets for ticks: 60s */
201 CTime_T ch_Times
[CHTSIZE
];
205 static CHash_T CHashAry
[CPMHSIZE
];
206 static bool CHashAryOK
= false;
209 ** CLIENT_RATE - Evaluate connection rate per smtp client
212 ** now - current time in secs
213 ** saddr - client address
214 ** update - update data / check only
217 ** connection rate (connections / ConnectionRateWindowSize)
220 ** update static global data
225 client_rate(now
, saddr
, update
)
234 CHash_T
*chBest
= NULL
;
240 ChtGran
= ConnectionRateWindowSize
/ CHTSIZE
;
244 ticks
= now
/ ChtGran
;
248 memset(CHashAry
, 0, sizeof(CHashAry
));
257 #endif /* HASH_ALG != 1 */
259 switch (saddr
->sa
.sa_family
)
263 p
= (char *)&saddr
->sin
.sin_addr
;
264 addrlen
= sizeof(struct in_addr
);
269 p
= (char *)&saddr
->sin6
.sin6_addr
;
270 addrlen
= sizeof(struct in6_addr
);
272 #endif /* NETINET6 */
274 /* should not happen */
278 /* compute hash value */
279 for (i
= 0; i
< addrlen
; ++i
, ++p
)
281 hv
= (hv
<< 5) ^ (hv
>> 23) ^ *p
;
282 hv
= (hv
^ (hv
>> 16));
288 hv
+= (c
<<11) ^ (c
>>1);
289 hv
^= (d
<<14) + (d
<<7) + (d
<<4) + d
;
301 #else /* HASH_ALG == 1 */
302 hv
= ((hv
<< 1) ^ (*p
& 0377)) % cctx
->cc_size
;
303 #endif /* HASH_ALG == 1 */
307 for (i
= 0; i
< MAX_CT_STEPS
; ++i
)
309 CHash_T
*ch
= &CHashAry
[(hv
+ i
) & CPMHMASK
];
312 if (saddr
->sa
.sa_family
== AF_INET
&&
313 ch
->ch_Family
== AF_INET
&&
314 (saddr
->sin
.sin_addr
.s_addr
== ch
->ch_Addr4
.s_addr
||
315 ch
->ch_Addr4
.s_addr
== 0))
323 if (saddr
->sa
.sa_family
== AF_INET6
&&
324 ch
->ch_Family
== AF_INET6
&&
325 (IN6_ARE_ADDR_EQUAL(&saddr
->sin6
.sin6_addr
,
326 &ch
->ch_Addr6
) != 0 ||
327 IN6_IS_ADDR_UNSPECIFIED(&ch
->ch_Addr6
)))
333 #endif /* NETINET6 */
334 if (chBest
== NULL
|| ch
->ch_LTime
== 0 ||
335 ch
->ch_LTime
< chBest
->ch_LTime
)
339 /* Let's update data... */
342 if (coll
&& (now
- chBest
->ch_LTime
< CollTime
))
345 ** increment the number of collisions last
346 ** CollTime for this client
352 ** Maybe shall log if collision rate is too high...
353 ** and take measures to resize tables
354 ** if this is the case
359 ** If it's not a match, then replace the data.
360 ** Note: this purges the history of a colliding entry,
361 ** which may cause "overruns", i.e., if two entries are
362 ** "cancelling" each other out, then they may exceed
363 ** the limits that are set. This might be mitigated a bit
364 ** by the above "best of 5" function however.
366 ** Alternative approach: just use the old data, which may
367 ** cause false positives however.
368 ** To activate this, change deactivate following memset call.
374 if (saddr
->sa
.sa_family
== AF_INET
)
376 chBest
->ch_Family
= AF_INET
;
377 chBest
->ch_Addr4
= saddr
->sin
.sin_addr
;
381 if (saddr
->sa
.sa_family
== AF_INET6
)
383 chBest
->ch_Family
= AF_INET6
;
384 chBest
->ch_Addr6
= saddr
->sin6
.sin6_addr
;
386 #endif /* NETINET6 */
388 memset(chBest
->ch_Times
, '\0',
389 sizeof(chBest
->ch_Times
));
393 chBest
->ch_LTime
= now
;
395 CTime_T
*ct
= &chBest
->ch_Times
[ticks
% CHTSIZE
];
397 if (ct
->ct_Ticks
!= ticks
)
399 ct
->ct_Ticks
= ticks
;
406 /* Now let's count connections on the window */
407 for (i
= 0; i
< CHTSIZE
; ++i
)
409 CTime_T
*ct
= &chBest
->ch_Times
[i
];
411 if (ct
->ct_Ticks
<= ticks
&& ct
->ct_Ticks
>= ticks
- CHTSIZE
)
416 sm_syslog(LOG_WARNING
, NOQID
,
417 "cln: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)",
418 cnt
, CHTSIZE
, ChtGran
);
419 #endif /* RATECTL_DEBUG */
424 ** TOTAL_RATE - Evaluate global connection rate
427 ** now - current time in secs
428 ** update - update data / check only
431 ** connection rate (connections / ConnectionRateWindowSize)
434 static CTime_T srv_Times
[CHTSIZE
];
435 static bool srv_Times_OK
= false;
438 total_rate(now
, update
)
448 ChtGran
= ConnectionRateWindowSize
/ CHTSIZE
;
451 ticks
= now
/ ChtGran
;
454 memset(srv_Times
, 0, sizeof(srv_Times
));
458 /* Let's update data */
461 ct
= &srv_Times
[ticks
% CHTSIZE
];
463 if (ct
->ct_Ticks
!= ticks
)
465 ct
->ct_Ticks
= ticks
;
471 /* Let's count connections on the window */
472 for (i
= 0; i
< CHTSIZE
; ++i
)
476 if (ct
->ct_Ticks
<= ticks
&& ct
->ct_Ticks
>= ticks
- CHTSIZE
)
481 sm_syslog(LOG_WARNING
, NOQID
,
482 "srv: cnt=(%d), CHTSIZE=(%d), ChtGran=(%d)",
483 cnt
, CHTSIZE
, ChtGran
);
484 #endif /* RATECTL_DEBUG */
491 ** SOCKADDRCMP - compare two SOCKADDR structures
492 ** this function may be used to compare SOCKADDR
493 ** structures when using bsearch and qsort functions
494 ** in the same way we do with strcmp
504 ** OBS: This call isn't used at the moment, it will
505 ** be used when code will be extended to work with IPV6
513 if (a
->sa
.sa_family
> b
->sa
.sa_family
)
515 if (a
->sa
.sa_family
< b
->sa
.sa_family
)
518 switch (a
->sa
.sa_family
)
521 if (a
->sin
.sin_addr
.s_addr
> b
->sin
.sin_addr
.s_addr
)
523 if (a
->sin
.sin_addr
.s_addr
< b
->sin
.sin_addr
.s_addr
)