Merge pull request #160 from ginkoid/master
net: add support for max_conns
This commit is contained in:
commit
645eabd862
@ -368,6 +368,8 @@ Options:
|
|||||||
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
|
TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
|
||||||
--bindhost VALUE
|
--bindhost VALUE
|
||||||
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
|
IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
|
||||||
|
--max_conns VALUE
|
||||||
|
Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
||||||
--max_conns_per_ip|-i VALUE
|
--max_conns_per_ip|-i VALUE
|
||||||
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
|
||||||
--log|-l VALUE
|
--log|-l VALUE
|
||||||
|
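--- a/cmdline.cc
+++ b/cmdline.cc
@@ -83,6 +83,7 @@ struct custom_option custom_opts[] = {
 { { "cwd", required_argument, NULL, 'D' }, "Directory in the namespace the process will run (default: '/')" },
 { { "port", required_argument, NULL, 'p' }, "TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)" },
 { { "bindhost", required_argument, NULL, 0x604 }, "IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')" },
+{ { "max_conns", required_argument, NULL, 0x608 }, "Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
 { { "max_conns_per_ip", required_argument, NULL, 'i' }, "Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))" },
 { { "log", required_argument, NULL, 'l' }, "Log file (default: use log_fd)" },
 { { "log_fd", required_argument, NULL, 'L' }, "Log FD (default: 2)" },
@@ -226,19 +227,19 @@ void logParams(nsjconf_t* nsjconf) {
 
 LOG_I(
 "Jail parameters: hostname:'%s', chroot:'%s', process:'%s', bind:[%s]:%d, "
-"max_conns_per_ip:%u, time_limit:%" PRId64
+"max_conns:%u, max_conns_per_ip:%u, time_limit:%" PRId64
 ", personality:%#lx, daemonize:%s, clone_newnet:%s, "
 "clone_newuser:%s, clone_newns:%s, clone_newpid:%s, clone_newipc:%s, clone_newuts:%s, "
 "clone_newcgroup:%s, keep_caps:%s, disable_no_new_privs:%s, max_cpus:%zu",
 nsjconf->hostname.c_str(), nsjconf->chroot.c_str(),
 nsjconf->exec_file.empty() ? nsjconf->argv[0].c_str() : nsjconf->exec_file.c_str(),
-nsjconf->bindhost.c_str(), nsjconf->port, nsjconf->max_conns_per_ip, nsjconf->tlimit,
-nsjconf->personality, logYesNo(nsjconf->daemonize), logYesNo(nsjconf->clone_newnet),
-logYesNo(nsjconf->clone_newuser), logYesNo(nsjconf->clone_newns),
-logYesNo(nsjconf->clone_newpid), logYesNo(nsjconf->clone_newipc),
-logYesNo(nsjconf->clone_newuts), logYesNo(nsjconf->clone_newcgroup),
-logYesNo(nsjconf->keep_caps), logYesNo(nsjconf->disable_no_new_privs),
-nsjconf->max_cpus);
+nsjconf->bindhost.c_str(), nsjconf->port, nsjconf->max_conns, nsjconf->max_conns_per_ip,
+nsjconf->tlimit, nsjconf->personality, logYesNo(nsjconf->daemonize),
+logYesNo(nsjconf->clone_newnet), logYesNo(nsjconf->clone_newuser),
+logYesNo(nsjconf->clone_newns), logYesNo(nsjconf->clone_newpid),
+logYesNo(nsjconf->clone_newipc), logYesNo(nsjconf->clone_newuts),
+logYesNo(nsjconf->clone_newcgroup), logYesNo(nsjconf->keep_caps),
+logYesNo(nsjconf->disable_no_new_privs), nsjconf->max_cpus);
 
 for (const auto& p : nsjconf->mountpts) {
 LOG_I(
@@ -423,6 +424,7 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 nsjconf->is_silent = false;
 nsjconf->stderr_to_null = false;
 nsjconf->skip_setsid = false;
+nsjconf->max_conns = 0;
 nsjconf->max_conns_per_ip = 0;
 nsjconf->proc_path = "/proc";
 nsjconf->is_proc_rw = false;
@@ -503,6 +505,9 @@ std::unique_ptr<nsjconf_t> parseArgs(int argc, char* argv[]) {
 case 0x604:
 nsjconf->bindhost = optarg;
 break;
+case 0x608:
+nsjconf->max_conns = strtoul(optarg, NULL, 0);
+break;
 case 'i':
 nsjconf->max_conns_per_ip = strtoul(optarg, NULL, 0);
 break;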
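Review bot: The new `case 0x608:` converts `--max_conns` with `strtoul(optarg, NULL, 0)` and never checks that the text was consumed, so a non-numeric or mistyped value quietly parses as 0, which this option defines as unlimited — a configuration error disables the limit instead of being reported. The existing `'i'` case has the same shape, so the pattern predates this commit, but a new option is the place to stop copying it: `char* end = nullptr; nsjconf->max_conns = strtoul(optarg, &end, 0); if (*optarg == '\0' || *end != '\0') { /* reject as a usage error, as parseArgs does for other bad values */ }`. The `unsigned long` result is also narrowed into the `unsigned int` member, so out-of-range values wrap rather than fail. parseArgs continues outside the hunk.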
@ -86,6 +86,7 @@ static bool configParseInternal(nsjconf_t* nsjconf, const nsjail::NsJailConfig&
|
|||||||
nsjconf->cwd = njc.cwd();
|
nsjconf->cwd = njc.cwd();
|
||||||
nsjconf->port = njc.port();
|
nsjconf->port = njc.port();
|
||||||
nsjconf->bindhost = njc.bindhost();
|
nsjconf->bindhost = njc.bindhost();
|
||||||
|
nsjconf->max_conns = njc.max_conns();
|
||||||
nsjconf->max_conns_per_ip = njc.max_conns_per_ip();
|
nsjconf->max_conns_per_ip = njc.max_conns_per_ip();
|
||||||
nsjconf->tlimit = njc.time_limit();
|
nsjconf->tlimit = njc.time_limit();
|
||||||
nsjconf->max_cpus = njc.max_cpus();
|
nsjconf->max_cpus = njc.max_cpus();
|
||||||
|
@ -90,6 +90,8 @@ message NsJailConfig {
|
|||||||
optional uint32 port = 10 [default = 0];
|
optional uint32 port = 10 [default = 0];
|
||||||
/* Host to bind to for mode=LISTEN. Must be in IPv6 format */
|
/* Host to bind to for mode=LISTEN. Must be in IPv6 format */
|
||||||
optional string bindhost = 11 [default = "::"];
|
optional string bindhost = 11 [default = "::"];
|
||||||
|
/* For mode=LISTEN, maximum number of connections across all IPs */
|
||||||
|
optional uint32 max_conns = 85 [default = 0];
|
||||||
/* For mode=LISTEN, maximum number of connections from a single IP */
|
/* For mode=LISTEN, maximum number of connections from a single IP */
|
||||||
optional uint32 max_conns_per_ip = 12 [default = 0];
|
optional uint32 max_conns_per_ip = 12 [default = 0];
|
||||||
|
|
||||||
|
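Review bot: The comment on the new `max_conns` field does not say what the default of 0 means, while the command-line help added in the same commit says `(default: 0 (unlimited))`; someone writing a config file from the .proto alone cannot tell whether 0 forbids all connections or disables the limit. Suggest `/* For mode=LISTEN, maximum number of connections across all IPs (0 means unlimited) */`, and the neighbouring max_conns_per_ip comment has the same gap. Field number 85 is out of sequence with its neighbours (10, 11, 12); presumably it is the next unused number, which is correct as long as 85 was never used by a field that has since been removed.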
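--- a/net.cc
+++ b/net.cc
@@ -181,6 +181,12 @@ static bool isSocket(int fd) {
 }
 
 bool limitConns(nsjconf_t* nsjconf, int connsock) {
+/* 0 means 'unlimited' */
+if (nsjconf->max_conns != 0 && nsjconf->pids.size() >= nsjconf->max_conns) {
+LOG_W("Rejecting connection, max_conns limit reached: %u", nsjconf->max_conns);
+return false;
+}
+
 /* 0 means 'unlimited' */
 if (nsjconf->max_conns_per_ip == 0) {
 return true;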
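Review bot: The new global check in `limitConns` uses `nsjconf->pids.size()` as the number of open connections, so its accuracy depends on when entries are added to and removed from that container — presumably one per live child, in which case a connection accepted but not yet registered, or a child exited but not yet reaped, is not counted and a burst can briefly exceed max_conns. That is fine for a soft cap, but the assumption should be written down where the limit is enforced, e.g. `/* pids has one entry per live child; treat the count as approximate during bursts */`. The `LOG_W` fires once per rejected connection, so a client that keeps reconnecting after the cap is reached turns the limit into a log flood; consider a lower level or a rate-limited message. The two `/* 0 means 'unlimited' */` comments could be merged into one above the first check. limitConns continues past the end of the hunk.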
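--- a/nsjail.1
+++ b/nsjail.1
@@ -61,6 +61,9 @@ TCP port to bind to (enables MODE_LISTEN_TCP) (default: 0)
 \fB\-\-bindhost\fR VALUE
 IP address to bind the port to (only in [MODE_LISTEN_TCP]), (default: '::')
 .TP
+\fB\-\-max_conns\fR VALUE
+Maximum number of connections across all IPs (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
+.TP
 \fB\-\-max_conns_per_ip\fR|\fB\-i\fR VALUE
 Maximum number of connections per one IP (only in [MODE_LISTEN_TCP]), (default: 0 (unlimited))
 .TP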
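--- a/nsjail.h
+++ b/nsjail.h
@@ -129,6 +129,7 @@ struct nsjconf_t {
 bool is_silent;
 bool stderr_to_null;
 bool skip_setsid;
+unsigned int max_conns;
 unsigned int max_conns_per_ip;
 std::string proc_path;
 bool is_proc_rw;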