From 90bbd8b34565ff5106dde34e0798c5e33fb4b786 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 23 Sep 2009 17:58:19 +0200
Subject: conntrackd: rate-limit the amount of connect() calls

This patch rate-limits the amount of connect() calls to avoid syn-floods when the other peer is not connected and we are generating updates.

Signed-off-by: Pablo Neira Ayuso
---
 src/tcp.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'src/tcp.c')

diff --git a/src/tcp.c b/src/tcp.c
index ce2cd6f..c551c54 100644
--- a/src/tcp.c
+++ b/src/tcp.c
@@ -224,6 +224,10 @@ tcp_client_init(struct tcp_sock *m, struct tcp_conf *c)
 	return 0;
 }
 
+/* We use this to rate-limit the amount of connect() calls per second. */
+static struct alarm_block tcp_connect_alarm;
+static void tcp_connect_alarm_cb(struct alarm_block *a, void *data) {}
+
 struct tcp_sock *tcp_client_create(struct tcp_conf *c)
 {
 	struct tcp_sock *m;
@@ -239,6 +243,8 @@ struct tcp_sock *tcp_client_create(struct tcp_conf *c)
 		return NULL;
 	}
 
+	init_alarm(&tcp_connect_alarm, NULL, tcp_connect_alarm_cb);
+
 	return m;
 }
 
@@ -286,12 +292,20 @@ int tcp_accept(struct tcp_sock *m)
 	return m->client_fd;
 }
 
+#define TCP_CONNECT_TIMEOUT 1
+
 ssize_t tcp_send(struct tcp_sock *m, const void *data, int size)
 {
 	ssize_t ret = 0;
 
 	switch(m->state) {
 	case TCP_CLIENT_DISCONNECTED:
+		/* We rate-limit the amount of connect() calls. */
+		if (alarm_pending(&tcp_connect_alarm)) {
+			ret = -1;
+			break;
+		}
+		add_alarm(&tcp_connect_alarm, TCP_CONNECT_TIMEOUT, 0);
 		ret = connect(m->fd, (struct sockaddr *)&m->addr, m->sockaddr_len);
 		if (ret == -1) {
-- cgit v1.2.3
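Review bot: `tcp_connect_alarm` is a single file-scope static shared by every client `struct tcp_sock` this file creates, so the rate limit is global rather than per peer: if more than one client socket is ever created, an alarm pending for one unreachable peer also suppresses connect() to all the others, and hunk 2's `init_alarm(&tcp_connect_alarm, NULL, tcp_connect_alarm_cb);` in `tcp_client_create` (whose body spans hunks 1 and 2) re-initializes that same object on every call, which is only safe if `init_alarm` tolerates an alarm that `add_alarm` has already queued — its definition is not in view. If one client per process is the intended design, say so above the declaration, e.g. `/* Shared by every tcp_sock: conntrackd runs a single client connection. */`; otherwise the alarm belongs inside `struct tcp_sock` and its `init_alarm` in `tcp_client_init`. The empty `tcp_connect_alarm_cb` also deserves a one-line comment explaining that expiry apparently needs no work beyond what `alarm_pending` observes (hedged — the alarm implementation is not shown), and `(void)a; (void)data;` would keep `-Wunused-parameter` quiet.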