… | |
… | |
25 | #include <sys/socket.h> |
25 | #include <sys/socket.h> |
26 | #include <netinet/in.h> |
26 | #include <netinet/in.h> |
27 | |
27 | |
28 | #include <map> |
28 | #include <map> |
29 | |
29 | |
|
|
30 | #include "iom.h" |
30 | #include "device.h" |
31 | #include "device.h" |
31 | |
32 | |
32 | #define SOCKADDR sockaddr_in // this is lame, I know |
33 | #define SOCKADDR sockaddr_in // this is lame, I know |
33 | |
34 | |
34 | /* |
35 | /* |
… | |
… | |
68 | p[4] = id >> 8; |
69 | p[4] = id >> 8; |
69 | p[5] = id; |
70 | p[5] = id; |
70 | } |
71 | } |
71 | |
72 | |
72 | #define mac2id(p) (p[0] & 0x01 ? 0 : (p[4] << 8) | p[5]) |
73 | #define mac2id(p) (p[0] & 0x01 ? 0 : (p[4] << 8) | p[5]) |
73 | |
|
|
74 | // a very simple fifo pkt-queue |
|
|
75 | class pkt_queue |
|
|
76 | { |
|
|
77 | tap_packet *queue[QUEUEDEPTH]; |
|
|
78 | int i, j; |
|
|
79 | |
|
|
80 | public: |
|
|
81 | |
|
|
82 | void put (tap_packet *p); |
|
|
83 | tap_packet *get (); |
|
|
84 | |
|
|
85 | pkt_queue (); |
|
|
86 | ~pkt_queue (); |
|
|
87 | }; |
|
|
88 | |
74 | |
89 | struct sockinfo |
75 | struct sockinfo |
90 | { |
76 | { |
91 | u32 host; |
77 | u32 host; |
92 | u16 port; |
78 | u16 port; |
… | |
… | |
137 | { |
123 | { |
138 | return a.host < b.host |
124 | return a.host < b.host |
139 | || (a.host == b.host && a.port < b.port); |
125 | || (a.host == b.host && a.port < b.port); |
140 | } |
126 | } |
141 | |
127 | |
142 | // only do action once every x seconds per host. |
128 | struct sliding_window { |
143 | // currently this is quite a slow implementation, |
129 | u32 v[(WINDOWSIZE + 31) / 32]; |
144 | // but suffices for normal operation. |
130 | u32 seq; |
145 | struct u32_rate_limiter : private map<u32, time_t> |
|
|
146 | { |
|
|
147 | int every; |
|
|
148 | |
131 | |
149 | bool can (u32 host); |
132 | void reset (u32 seqno) |
|
|
133 | { |
|
|
134 | memset (v, -1, sizeof v); |
|
|
135 | seq = seqno; |
|
|
136 | } |
150 | |
137 | |
151 | u32_rate_limiter (time_t every = 1) |
138 | bool recv_ok (u32 seqno) |
152 | { |
139 | { |
153 | this->every = every; |
140 | if (seqno <= seq - WINDOWSIZE) |
154 | } |
141 | slog (L_ERR, _("received duplicate or outdated packet (received %08lx, expected %08lx)\n" |
155 | }; |
142 | "possible replay attack, or just massive packet reordering"), seqno, seq + 1);//D |
|
|
143 | else if (seqno > seq + WINDOWSIZE) |
|
|
144 | slog (L_ERR, _("received duplicate or out-of-sync packet (received %08lx, expected %08lx)\n" |
|
|
145 | "possible replay attack, or just massive packet loss"), seqno, seq + 1);//D |
|
|
146 | else |
|
|
147 | { |
|
|
148 | while (seqno > seq) |
|
|
149 | { |
|
|
150 | seq++; |
156 | |
151 | |
157 | struct net_rate_limiter : u32_rate_limiter |
152 | u32 s = seq % WINDOWSIZE; |
158 | { |
153 | u32 *cell = v + (s >> 5); |
159 | bool can (SOCKADDR *sa) { return u32_rate_limiter::can((u32)sa->sin_addr.s_addr); } |
154 | u32 mask = 1 << (s & 31); |
160 | bool can (sockinfo &si) { return u32_rate_limiter::can((u32)si.host); } |
|
|
161 | |
155 | |
162 | net_rate_limiter (time_t every) : u32_rate_limiter (every) {} |
156 | *cell &= ~mask; |
163 | }; |
157 | } |
|
|
158 | |
|
|
159 | u32 s = seqno % WINDOWSIZE; |
|
|
160 | u32 *cell = v + (s >> 5); |
|
|
161 | u32 mask = 1 << (s & 31); |
|
|
162 | |
|
|
163 | //printf ("received seqno %08lx, seq %08lx, mask %08lx is %08lx\n", seqno, seq, mask, ismask); |
|
|
164 | if (*cell & mask) |
|
|
165 | { |
|
|
166 | slog (L_ERR, _("received duplicate packet (received %08lx, expected %08lx)\n" |
|
|
167 | "possible replay attack, or just packet duplication"), seqno, seq + 1);//D |
|
|
168 | return false; |
|
|
169 | } |
|
|
170 | else |
|
|
171 | { |
|
|
172 | *cell |= mask; |
|
|
173 | return true; |
|
|
174 | } |
|
|
175 | } |
|
|
176 | } |
|
|
177 | }; |
164 | |
178 | |
165 | #endif |
179 | #endif |
166 | |
180 | |