2 * (c) Copyright 1992 by Panagiotis Tsirigotis
3 * (c) Sections Copyright 1998-2001 by Rob Braun
4 * All rights reserved. The file named COPYRIGHT specifies the terms
5 * and conditions for redistribution.
12 #include <sys/socket.h>
13 #include <netinet/in.h>
14 #include <arpa/inet.h>
26 int deny_severity = LOG_INFO;
27 int allow_severity = LOG_INFO;
31 #include "xgetloadavg.h"
38 #include "main.h" /* for ps */
46 #if !defined(NAME_MAX)
48 #define NAME_MAX FILENAME_MAX
54 const struct name_value access_code_names[] =
56 { "address", (int) AC_ADDRESS },
57 { "time", (int) AC_TIME },
58 { "fork", (int) AC_FORK },
59 { "service_limit", (int) AC_SERVICE_LIMIT },
60 { "per_source_limit", (int) AC_PER_SOURCE_LIMIT},
61 { "process_limit", (int) AC_PROCESS_LIMIT },
62 { "libwrap", (int) AC_LIBWRAP },
63 { "load", (int) AC_LOAD },
64 { "connections per second", (int) AC_CPS },
70 /* This is called by the flags processor */
71 static void cps_service_restart(void)
75 const char *func = "cps_service_restart";
78 for( i=0; i < pset_count( SERVICES(ps) ); i++ ) {
80 struct service_config *scp;
82 sp = pset_pointer( SERVICES(ps), i);
84 if( SVC_STATE(sp) == SVC_DISABLED ) {
86 if ( SC_TIME_REENABLE(scp) <= nowtime ) {
87 /* re-enable the service */
88 if( svc_activate(sp) == OK ) {
90 "Activating service %s", SC_NAME(scp));
93 "Error activating service %s",
102 void cps_service_stop(struct service *sp, const char *reason)
104 struct service_config *scp = SVC_CONF( sp ) ;
107 svc_deactivate( sp );
108 msg(LOG_ERR, "service_stop",
109 "Deactivating service %s due to %s. Restarting in %d seconds.",
110 SC_NAME(scp), reason, (int)SC_TIME_WAIT(scp));
111 nowtime = time(NULL);
112 SC_TIME_REENABLE(scp) = nowtime + SC_TIME_WAIT(scp);
113 xtimer_add(cps_service_restart, SC_TIME_WAIT(scp));
118 * Returns OK if the IP address in sinp is acceptable to the access control
119 * lists of the specified service.
121 static status_e remote_address_check(const struct service *sp,
122 const union xsockaddr *sinp)
125 * of means only_from, na means no_access
127 const char *func = "remote_addr_chk";
128 bool_int of_matched = FALSE;
129 bool_int na_matched = FALSE;
134 if ( SC_SENSOR( SVC_CONF(sp) ))
135 { /* They hit a sensor...return FAILED since this isn't a real service */
136 process_sensor( sp, sinp ) ;
139 /* They hit a real server...note, this is likely to be a child process. */
140 else if ( check_sensor( sinp ) == FAILED )
144 * The addrlist_match function returns an offset+1 to a matching
145 * entry in the supplied list. It is not a true/false answer.
147 if ( SC_NO_ACCESS( SVC_CONF(sp) ) != NULL )
148 na_matched = addrlist_match( SC_NO_ACCESS( SVC_CONF(sp) ), SA(sinp));
150 if ( SC_ONLY_FROM( SVC_CONF(sp) ) != NULL )
151 of_matched = addrlist_match( SC_ONLY_FROM( SVC_CONF(sp) ), SA(sinp));
154 * Check if the specified address is in both lists
156 if ( na_matched && of_matched )
159 * If there is a match in both lists, this is an error in the
160 * service entry and we cannot allow a server to start.
161 * We do not disable the service entry (not our job).
164 "Service=%s: only_from list and no_access list match equally the address %s",
166 xaddrname( sinp ) ) ;
170 /* A no_access list was specified and the socket is on it, fail */
171 if ( SC_NO_ACCESS( SVC_CONF(sp) ) != NULL && (na_matched != 0) )
174 /* A only_from list was specified and the socket wasn't on the list, fail */
175 if ( SC_ONLY_FROM( SVC_CONF(sp) ) != NULL && (of_matched == 0) )
178 /* If no lists were specified, the default is to allow starting a server */
183 * mp is the mask pointer, t is the check type
185 #define CHECK( mp, t ) ( ( (mp) == NULL ) || M_IS_SET( *(mp), t ) )
188 * Perform the access controls specified by check_mask.
189 * If check_mask is NULL, perform all access controls
191 access_e access_control( struct service *sp,
192 const connection_s *cp,
193 const mask_t *check_mask )
195 struct service_config *scp = SVC_CONF( sp ) ;
197 const char *func = "access_control";
200 /* make sure it's not one of the special pseudo services */
201 if( (strncmp(SC_NAME( scp ), INTERCEPT_SERVICE_NAME, sizeof(INTERCEPT_SERVICE_NAME)) == 0) || (strncmp(SC_NAME( scp ), LOG_SERVICE_NAME, sizeof(LOG_SERVICE_NAME)) == 0) ) {
205 /* This has to be before the TCP_WRAPPERS stuff to make sure that
206 the sensor gets a chance to see the address */
207 if ( CHECK( check_mask, CF_ADDRESS ) &&
208 remote_address_check( sp, CONN_XADDRESS( cp ) ) == FAILED )
209 return( AC_ADDRESS ) ;
211 if( ! SC_NOLIBWRAP( scp ) )
212 { /* LIBWRAP code block */
214 struct request_info req;
217 /* get the server name to pass to libwrap */
218 if( SC_NAMEINARGS( scp ) )
220 if ( SC_SERVER_ARGV(scp) )
221 server = strrchr( SC_SERVER_ARGV(scp)[0], '/' );
224 if( SC_SERVER(scp) == NULL ) {
225 /* probably an internal server, use the service id instead */
227 server--; /* nasty. we increment it later... */
229 server = strrchr( SC_SERVER(scp), '/' );
233 /* If this is a redirection or internal , go by the service name,
234 * since the server name will be bogus.
236 if( (SC_REDIR_ADDR(scp) != NULL) || (SC_IS_INTERNAL(scp) )) {
237 server = SC_NAME(scp);
238 server--; /* nasty but ok. */
243 if ( SC_SERVER_ARGV(scp))
244 server = SC_SERVER_ARGV(scp)[0];
249 if ( scp->sc_libwrap != NULL )
251 server = SC_LIBWRAP(scp);
254 if ( server == NULL )
256 msg(deny_severity, func,
257 "server param not provided to libwrap refusing connection to %s from %s",
258 SC_ID(scp), conn_addrstr(cp));
261 request_init(&req, RQ_DAEMON, server, RQ_FILE, cp->co_descriptor, 0);
263 if (!hosts_access(&req)) {
264 msg(deny_severity, func,
265 "libwrap refused connection to %s (libwrap=%s) from %s",
266 SC_ID(scp), server, conn_addrstr(cp));
270 } /* LIBWRAP code block */
276 /* Do the "light weight" access control here */
277 access_e parent_access_control( struct service *sp, const connection_s *cp )
279 struct service_config *scp = SVC_CONF( sp ) ;
283 /* make sure it's not one of the special pseudo services */
284 if( (strncmp(SC_NAME( scp ), INTERCEPT_SERVICE_NAME, sizeof(INTERCEPT_SERVICE_NAME)) == 0) || (strncmp(SC_NAME( scp ), LOG_SERVICE_NAME, sizeof(LOG_SERVICE_NAME)) == 0) )
288 if( SC_TIME_CONN_MAX(scp) != 0 ) {
290 nowtime = time(NULL);
291 time_diff = nowtime - SC_TIME_LIMIT(scp) ;
293 if( SC_TIME_CONN(scp) == 0 ) {
295 SC_TIME_LIMIT(scp) = nowtime;
296 } else if( time_diff < SC_TIME_CONN_MAX(scp) ) {
298 if( time_diff == 0 ) time_diff = 1;
299 if( SC_TIME_CONN(scp)/time_diff > SC_TIME_CONN_MAX(scp) ) {
300 cps_service_stop(sp, "excessive incoming connections");
304 SC_TIME_LIMIT(scp) = nowtime;
305 SC_TIME_CONN(scp) = 1;
310 if ( SC_MAX_LOAD(scp) != 0 ) {
311 if ( xgetloadavg() >= SC_MAX_LOAD(scp) ) {
312 msg(LOG_ERR, "xinetd",
313 "refused connect from %s due to excessive load",
320 if ( SC_ACCESS_TIMES( scp ) != NULL &&
321 ! ti_current_time_check( SC_ACCESS_TIMES( scp ) ) )
324 if ( SC_INSTANCES( scp ) != UNLIMITED &&
325 SVC_RUNNING_SERVERS( sp ) >= (unsigned)SC_INSTANCES( scp ) )
326 return( AC_SERVICE_LIMIT ) ;
328 if( SC_PER_SOURCE(scp) != UNLIMITED ) {
329 if ( CONN_XADDRESS(cp) != NULL ) {
332 for ( u = 0 ; u < pset_count( SERVERS( ps ) ) ; u++ ) {
333 struct server *serp = NULL;
334 connection_s *cop = NULL;
335 serp = SERP( pset_pointer( SERVERS( ps ), u ) ) ;
336 if ( (SERVER_SERVICE( serp ) == sp) &&
337 ( cop = SERVER_CONNECTION( serp ) ) ) {
339 if ( SC_IPV6( scp ) &&
340 IN6_ARE_ADDR_EQUAL( &(cop->co_remote_address.sa_in6.sin6_addr),
341 &((CONN_XADDRESS(cp))->sa_in6.sin6_addr)) )
343 if ( SC_IPV4( scp ) &&
344 (cop->co_remote_address.sa_in.sin_addr.s_addr ==
345 (CONN_XADDRESS(cp))->sa_in.sin_addr.s_addr) )
350 if ( n >= SC_PER_SOURCE(scp) )
351 return( AC_PER_SOURCE_LIMIT ) ;
355 if ( ps.ros.process_limit ) {
356 unsigned processes_to_create = SC_IS_INTERCEPTED( scp ) ? 2 : 1 ;
358 if ( pset_count( SERVERS( ps ) ) + processes_to_create >
359 ps.ros.process_limit ) {
360 return( AC_PROCESS_LIMIT ) ;
projects / packages / xinetd.git / blob