tcpsvd: new applet

It's a GPL-ed 'clone' of Dan Bernstein's tcpserver. Author: Gerrit Pape <pape@smarden.org> http://smarden.sunsite.dk/ipsvd/ size tcpsvd.o text data bss dec hex filename 2571 4 16 2591 a1f tcpsvd.o git-svn-id: svn://busybox.net/trunk/busybox@18294 69ca8d6d-28ef-0310-b511-8ec308f3f277
author: vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277> 2007-04-01 01:18:20 +0000
committer: vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277> 2007-04-01 01:18:20 +0000
commit: 5348a94d2a6baae045918c4cc2bdd256ee8de5b8 (patch)
tree: d4f6495339702c0b6d79816d0bb07ba4b6679ce8 /ipsvd
parent: a4935249632f90595f8f8a5200ed7b6266cf6321 (diff)
download: busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.tar.gz
busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.tar.bz2
busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.zip
5 files changed, 601 insertions, 0 deletions
diff --git a/ipsvd/Config.in b/ipsvd/Config.in
new file mode 100644
index 000000000..fb2931d07
--- /dev/null
+++ b/ipsvd/Config.in
@@ -0,0 +1,14 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+menu "ipsvd utilities"
+config TCPSVD
+        bool "tcpsvd"
+        default n
+        help
+          tcpsvd listens on a port and runs a program for each new connection
+endmenu
diff --git a/ipsvd/Kbuild b/ipsvd/Kbuild
new file mode 100644
index 000000000..8050921b0
--- /dev/null
+++ b/ipsvd/Kbuild
@@ -0,0 +1,8 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+lib-y:=
+lib-$(CONFIG_TCPSVD) += tcpsvd.o ipsvd_perhost.o
diff --git a/ipsvd/ipsvd_perhost.c b/ipsvd/ipsvd_perhost.c
new file mode 100644
index 000000000..c6f7de339
--- /dev/null
+++ b/ipsvd/ipsvd_perhost.c
@@ -0,0 +1,55 @@
+#include "busybox.h"
+#include "ipsvd_perhost.h"
+static struct hcc *cc;
+static unsigned cclen;
+/* to be optimized */
+void ipsvd_perhost_init(unsigned c)
+{
+//      free(cc);
+        cc = xzalloc(c * sizeof(*cc));
+        cclen = c;
+}
+unsigned ipsvd_perhost_add(const char *ip, unsigned maxconn, struct hcc **hccpp)
+{
+        unsigned i;
+        unsigned conn = 1;
+        int p = -1;
+        for (i = 0; i < cclen; ++i) {
+                if (cc[i].ip[0] == 0) {
+                        if (p == -1) p = i;
+                        continue;
+                }
+                if (strncmp(cc[i].ip, ip, sizeof(cc[i].ip)) == 0) {
+                        conn++;
+                        continue;
+                }
+        }
+        if (p == -1) return 0;
+        if (conn <= maxconn) {
+                strcpy(cc[p].ip, ip);
+                *hccpp = &cc[p];
+        }
+        return conn;
+}
+void ipsvd_perhost_remove(int pid)
+{
+        unsigned i;
+        for (i = 0; i < cclen; ++i) {
+                if (cc[i].pid == pid) {
+                        cc[i].ip[0] = 0;
+                        cc[i].pid = 0;
+                        return;
+                }
+        }
+}
+//void ipsvd_perhost_free(void)
+//{
+//      free(cc);
+//}
diff --git a/ipsvd/ipsvd_perhost.h b/ipsvd/ipsvd_perhost.h
new file mode 100644
index 000000000..05c939d89
--- /dev/null
+++ b/ipsvd/ipsvd_perhost.h
@@ -0,0 +1,10 @@
+struct hcc {
+        char ip[32 - sizeof(int)];
+        int pid;
+};
+void ipsvd_perhost_init(unsigned);
+unsigned ipsvd_perhost_add(const char *ip, unsigned maxconn, struct hcc **hccpp);
+void ipsvd_perhost_remove(int pid);
+//unsigned ipsvd_perhost_setpid(int pid);
+//void ipsvd_perhost_free(void);
diff --git a/ipsvd/tcpsvd.c b/ipsvd/tcpsvd.c
new file mode 100644
index 000000000..9a0a348de
--- /dev/null
+++ b/ipsvd/tcpsvd.c
@@ -0,0 +1,514 @@
+/*
+# /usr/bin/tcpsvd -v 0 1234 true
+tcpsvd: info: pid 24916 from 127.0.0.1
+tcpsvd: info: start 24916 localhost:127.0.0.1 ::127.0.0.1:47905
+tcpsvd: info: pid 24918 from 127.0.0.1
+tcpsvd: info: start 24918 localhost:127.0.0.1 ::127.0.0.1:47906
+# ./busybox tcpsvd -v 0 1234 true
+tcpsvd: info: pid 24924 from 127.0.0.1
+tcpsvd: info: start 24924 localhost:1234:127.0.0.1:1234 ::127.0.0.1:47908
+tcpsvd: info: pid 24926 from 127.0.0.1
+tcpsvd: info: start 24926 localhost:1234:127.0.0.1:1234 ::127.0.0.1:47909
+*/
+#include "busybox.h"
+#include "ipsvd_perhost.h"
+#ifdef SSLSVD
+#include "matrixSsl.h"
+#include "ssl_io.h"
+#endif
+static unsigned max_per_host; /* originally in ipsvd_check.c */
+static unsigned cur_per_host;
+static unsigned verbose;
+static unsigned cnum;
+static unsigned cmax = 30;
+/* Must match getopt32 in main! */
+enum {
+        OPT_c = (1 << 0),
+        OPT_C = (1 << 1),
+        OPT_i = (1 << 2),
+        OPT_x = (1 << 3),
+        OPT_u = (1 << 4),
+        OPT_l = (1 << 5),
+        OPT_E = (1 << 6),
+        OPT_b = (1 << 7),
+        OPT_h = (1 << 8),
+        OPT_p = (1 << 9),
+        OPT_t = (1 << 10),
+        OPT_v = (1 << 11),
+        OPT_V = (1 << 12),
+        OPT_U = (1 << 13),
+        OPT_slash = (1 << 14),
+        OPT_Z = (1 << 15),
+        OPT_K = (1 << 16),
+};
+static void connection_status(void)
+{
+        printf("%s: info: status %u/%u\n", applet_name, cnum, cmax);
+}
+static void sig_term_handler(int sig)
+{
+        if (verbose)
+                printf("%s: info: sigterm received, exit\n", applet_name);
+        exit(0);
+}
+static void sig_child_handler(int sig)
+{
+        int wstat;
+        int pid;
+        while ((pid = wait_nohang(&wstat)) > 0) {
+                if (max_per_host)
+                        ipsvd_perhost_remove(pid);
+                if (cnum)
+                        cnum--;
+                if (verbose) {
+                        /* Little bloated, but tries to give accurate info
+                         * how child exited. Makes easier to spot segfaulting
+                         * children etc... */
+                        unsigned e = 0;
+                        const char *cause = "?exit";
+                        if (WIFEXITED(wstat)) {
+                                cause++;
+                                e = WEXITSTATUS(wstat);
+                        } else if (WIFSIGNALED(wstat)) {
+                                cause = "signal";
+                                e = WTERMSIG(wstat);
+                        }
+                        printf("%s: info: end %d %s %d\n",
+                                        applet_name, pid, cause, e);
+                }
+        }
+        if (verbose)
+                connection_status();
+}
+int tcpsvd_main(int argc, char **argv);
+int tcpsvd_main(int argc, char **argv)
+{
+        char *str_c, *str_C, *str_b, *str_t;
+        char *user;
+        struct hcc *hccp;
+        const char *instructs;
+        char *msg_per_host = NULL;
+        unsigned len_per_host = len_per_host; /* gcc */
+        int need_addresses;
+        int pid;
+        int sock;
+        int conn;
+        unsigned backlog = 20;
+        union {
+                struct sockaddr sa;
+                struct sockaddr_in sin;
+                USE_FEATURE_IPV6(struct sockaddr_in6 sin6;)
+        } sock_adr;
+        socklen_t sockadr_size;
+        uint16_t local_port = local_port;
+        uint16_t remote_port;
+        unsigned port;
+        char *local_hostname = NULL;
+        char *remote_hostname = (char*)""; /* "" used if no -h */
+        char *local_ip = local_ip;
+        char *remote_ip = NULL;
+        //unsigned iscdb = 0;           /* = option_mask32 & OPT_x (TODO) */
+        //unsigned long timeout = 0;
+#ifndef SSLSVD
+        struct bb_uidgid_t ugid;
+#endif
+        /* 3+ args, -i at most once, -p implies -h, -v is counter */
+        opt_complementary = "-3:?:i--i:ph:vv";
+#ifdef SSLSVD
+        getopt32(argc, argv, "c:C:i:x:u:l:Eb:hpt:vU:/:Z:K:",
+                &str_c, &str_C, &instructs, &instructs, &user, &local_hostname,
+                &str_b, &str_t, &ssluser, &root, &cert, &key, &verbose
+        );
+#else
+        getopt32(argc, argv, "c:C:i:x:u:l:Eb:hpt:v",
+                &str_c, &str_C, &instructs, &instructs, &user, &local_hostname,
+                &str_b, &str_t, &verbose
+        );
+#endif
+        if (option_mask32 & OPT_c)
+                cmax = xatou_range(str_c, 1, INT_MAX);
+        if (option_mask32 & OPT_C) { /* -C n[:message] */
+                max_per_host = bb_strtou(str_C, &str_C, 10);
+                if (str_C[0]) {
+                        if (str_C[0] != ':')
+                                bb_show_usage();
+                        msg_per_host = str_C + 1;
+                        len_per_host = strlen(msg_per_host);
+                }
+        }
+        if (max_per_host > cmax)
+                max_per_host = cmax;
+        if (option_mask32 & OPT_u) {
+                if (!get_uidgid(&ugid, user, 1))
+                        bb_error_msg_and_die("unknown user/group: %s", user);
+        }
+        if (option_mask32 & OPT_b)
+                backlog = xatou(str_b);
+//      if (option_mask32 & OPT_t) timeout = xatou(str_t);
+#ifdef SSLSVD
+        if (option_mask32 & OPT_U) ssluser = (char*)optarg; break;
+        if (option_mask32 & OPT_slash) root = (char*)optarg; break;
+        if (option_mask32 & OPT_Z) cert = (char*)optarg; break;
+        if (option_mask32 & OPT_K) key = (char*)optarg; break;
+#endif
+        argv += optind;
+        if (!argv[0][0] || LONE_CHAR(argv[0], '0'))
+                argv[0] = (char*)"0.0.0.0";
+        need_addresses = verbose || !(option_mask32 & OPT_E);
+#ifdef SSLSVD
+        sslser = user;
+        client = 0;
+        if ((getuid() == 0) && !(option_mask32 & OPT_u)) {
+                xfunc_exitcode = 100;
+                bb_error_msg_and_die("fatal: -U ssluser must be set when running as root");
+        }
+        if (option_mask32 & OPT_u)
+                if (!uidgid_get(&sslugid, ssluser, 1)) {
+                        if (errno) {
+                                xfunc_exitcode = 100;
+                                bb_perror_msg_and_die("fatal: cannot get user/group: %s", ssluser);
+                        }
+                        xfunc_exitcode = 111;
+                        bb_error_msg_and_die("fatal: unknown user/group '%s'", ssluser);
+                }
+        if (!cert) cert = "./cert.pem";
+        if (!key) key = cert;
+        if (matrixSslOpen() < 0)
+                fatal("cannot initialize ssl");
+        if (matrixSslReadKeys(&keys, cert, key, 0, ca) < 0) {
+                if (client)
+                        fatal("cannot read cert, key, or ca file");
+                fatal("cannot read cert or key file");
+        }
+        if (matrixSslNewSession(&ssl, keys, 0, SSL_FLAGS_SERVER) < 0)
+                fatal("cannot create ssl session");
+#endif
+        sig_block(SIGCHLD);
+        signal(SIGCHLD, sig_child_handler);
+        signal(SIGTERM, sig_term_handler);
+        signal(SIGPIPE, SIG_IGN);
+        if (max_per_host)
+                ipsvd_perhost_init(cmax);
+        port = bb_lookup_port(argv[1], "tcp", 0);
+        sock = create_and_bind_stream_or_die(argv[0], port);
+        xlisten(sock, backlog);
+        /* ndelay_off(sock); - it is the default I think? */
+#ifndef SSLSVD
+        if (option_mask32 & OPT_u) {
+                /* drop permissions */
+                xsetgid(ugid.gid);
+                xsetuid(ugid.uid);
+        }
+#endif
+        bb_sanitize_stdio(); /* fd# 1,2 must be opened */
+        close(0);
+        if (verbose) {
+                /* we do it only for ":port" cosmetics... oh well */
+                len_and_sockaddr *lsa = xhost2sockaddr(argv[0], port);
+                char *addr = xmalloc_sockaddr2dotted(&lsa->sa, lsa->len);
+                printf("%s: info: listening on %s", applet_name, addr);
+                free(addr);
+#ifndef SSLSVD
+                if (option_mask32 & OPT_u)
+                        printf(", uid %u, gid %u",
+                                (unsigned)ugid.uid, (unsigned)ugid.uid);
+#endif
+                puts(", starting");
+        }
+        /* The rest is a main accept() loop */
+ again:
+        hccp = NULL;
+        while (cnum >= cmax)
+                sig_pause(); /* wait for any signal (expecting SIGCHLD) */
+        sockadr_size = sizeof(sock_adr);
+        sig_unblock(SIGCHLD);
+        conn = accept(sock, &sock_adr.sa, &sockadr_size);
+        sig_block(SIGCHLD);
+        if (conn == -1) {
+                if (errno != EINTR)
+                        bb_perror_msg("accept");
+                goto again;
+        }
+        if (max_per_host) {
+                /* we drop connection immediately if cur_per_host > max_per_host
+                 * (minimizing load under SYN flood) */
+                free(remote_ip);
+                remote_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sockadr_size);
+                cur_per_host = ipsvd_perhost_add(remote_ip, max_per_host, &hccp);
+                if (cur_per_host > max_per_host) {
+                        /* ipsvd_perhost_add detected that max is exceeded
+                         * (and did not store us in connection table) */
+                        if (msg_per_host) {
+                                ndelay_on(conn);
+                                /* don't test for errors */
+                                write(conn, msg_per_host, len_per_host);
+                        }
+                        close(conn);
+                        goto again;
+                }
+        }
+        cnum++;
+        if (verbose)
+                connection_status();
+        pid = fork();
+        if (pid == -1) {
+                bb_perror_msg("fork");
+                close(conn);
+                goto again;
+        }
+        if (pid != 0) {
+                /* parent */
+                close(conn);
+                if (hccp)
+                        hccp->pid = pid;
+                goto again;
+        }
+        /* Child: prepare env, log, and exec prog */
+        close(sock);
+        if (!max_per_host)
+                remote_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sizeof(sock_adr));
+        /* else it is already done */
+        
+        remote_port = get_nport(&sock_adr.sa);
+        remote_port = ntohs(remote_port);
+        
+        if (verbose) {
+                pid = getpid();
+                printf("%s: info: pid %d from %s\n", applet_name, pid, remote_ip);
+        }
+        
+        if (need_addresses && (option_mask32 & OPT_h)) {
+                remote_hostname = xmalloc_sockaddr2host(&sock_adr.sa, sizeof(sock_adr));
+                if (!remote_hostname) {
+                        bb_error_msg("warning: cannot look up hostname for %s", remote_ip);
+                        remote_hostname = (char*)"";
+                }
+        }
+        
+        sockadr_size = sizeof(sock_adr);
+        /* Errors ignored (I'm not paranoid enough to imagine kernel
+         * which doesn't know local ip) */
+        getsockname(conn, &sock_adr.sa, &sockadr_size);
+        if (need_addresses) {
+                local_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sockadr_size);
+                local_port = get_nport(&sock_adr.sa);
+                local_port = ntohs(local_port);
+                if (!local_hostname) {
+                        local_hostname = xmalloc_sockaddr2host_noport(&sock_adr.sa, sockadr_size);
+                        if (!local_hostname)
+                                bb_error_msg_and_die("cannot look up local hostname for %s", local_ip);
+                }
+        }
+        
+        if (!(option_mask32 & OPT_E)) {
+                /* setup ucspi env */
+                xsetenv("PROTO", "TCP");
+                xsetenv("TCPLOCALIP", local_ip);
+                xsetenv("TCPLOCALPORT", utoa(local_port));
+                xsetenv("TCPLOCALHOST", local_hostname);
+                xsetenv("TCPREMOTEIP", remote_ip);
+                xsetenv("TCPREMOTEPORT", utoa(remote_port));
+                if (option_mask32 & OPT_h) {
+                        xsetenv("TCPREMOTEHOST", remote_hostname);
+                }
+                xsetenv("TCPREMOTEINFO", "");
+                /* additional */
+                if (cur_per_host > 0)
+                        xsetenv("TCPCONCURRENCY", utoa(cur_per_host));
+        }
+        
+#if 0
+        if (instructs) {
+                ac = ipsvd_check(iscdb, &inst, &match, (char*)instructs,
+                                                        remote_ip, remote_hostname, timeout);
+                if (ac == -1) drop2("cannot check inst", remote_ip);
+                if (ac == IPSVD_ERR) drop2("cannot read", (char*)instructs);
+        } else
+                ac = IPSVD_DEFAULT;
+#endif
+        
+        if (max_per_host && verbose)
+                printf("%s: info: concurrency %u %s %u/%u\n",
+                        applet_name, pid, remote_ip, cur_per_host, max_per_host);
+        
+        if (verbose) {
+                printf("%s: info: start %u %s:%s :%s:%s:%u\n",
+                        applet_name, pid,
+                        local_hostname, local_ip,
+                        remote_hostname, remote_ip, (unsigned)remote_port);
+#if 0
+                switch(ac) {
+                case IPSVD_DENY:
+                        printf("deny "); break;
+                case IPSVD_DEFAULT:
+                case IPSVD_INSTRUCT:
+                        printf("start "); break;
+                case IPSVD_EXEC:
+                        printf("exec "); break;
+                }
+                ...
+                if (instructs) {
+                        printf(" ");
+                        if (iscdb) {
+                                printf((char*)instructs);
+                                printf("/");
+                        }
+                        outfix(match.s);
+                        if(inst.s && inst.len && (verbose > 1)) {
+                                printf(": ");
+                                printf(&inst);
+                        }
+                }
+                printf("\n");
+#endif
+        }
+#if 0
+        if (ac == IPSVD_DENY) {
+                close(conn);
+                _exit(100);
+        }
+        if (ac == IPSVD_EXEC) {
+                args[0] = "/bin/sh";
+                args[1] = "-c";
+                args[2] = inst.s;
+                args[3] = 0;
+                run = args;
+        } else
+                run = argv + 2; /* below: we use argv+2 (was using run) */
+#endif
+        xmove_fd(conn, 0);
+        dup2(0, 1);
+        signal(SIGTERM, SIG_DFL);
+        signal(SIGPIPE, SIG_DFL);
+        signal(SIGCHLD, SIG_DFL);
+        sig_unblock(SIGCHLD);
+        argv += 2;
+#ifdef SSLSVD
+        strcpy(id, utoa(pid);
+        ssl_io(0, argv);
+#else
+        BB_EXECVP(argv[0], argv);
+#endif
+        bb_perror_msg_and_die("exec '%s'", argv[0]);
+}
+/*
+tcpsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir|-x cdb] [ -t sec] host port prog
+tcpsvd creates a TCP/IP socket, binds it to the address host:port,
+and listens on the socket for incoming connections.
+On each incoming connection, tcpsvd conditionally runs a program,
+with standard input reading from the socket, and standard output
+writing to the socket, to handle this connection. tcpsvd keeps
+listening on the socket for new connections, and can handle
+multiple connections simultaneously.
+tcpsvd optionally checks for special instructions depending
+on the IP address or hostname of the client that initiated
+the connection, see ipsvd-instruct(5).
+host
+    host either is a hostname, or a dotted-decimal IP address,
+    or 0. If host is 0, tcpsvd accepts connections to any local
+    IP address.
+port
+    tcpsvd accepts connections to host:port. port may be a name
+    from /etc/services or a number.
+prog
+    prog consists of one or more arguments. For each connection,
+    tcpsvd normally runs prog, with file descriptor 0 reading from
+    the network, and file descriptor 1 writing to the network.
+    By default it also sets up TCP-related environment variables,
+    see tcp-environ(5) 
+-i dir
+    read instructions for handling new connections from the instructions
+    directory dir. See ipsvd-instruct(5) for details. 
+-x cdb
+    read instructions for handling new connections from the constant database
+    cdb. The constant database normally is created from an instructions
+    directory by running ipsvd-cdb(8). 
+-t sec
+    timeout. This option only takes effect if the -i option is given.
+    While checking the instructions directory, check the time of last access
+    of the file that matches the clients address or hostname if any, discard
+    and remove the file if it wasn't accessed within the last sec seconds;
+    tcpsvd does not discard or remove a file if the user's write permission
+    is not set, for those files the timeout is disabled. Default is 0,
+    which means that the timeout is disabled. 
+-l name
+    local hostname. Do not look up the local hostname in DNS, but use name
+    as hostname. This option must be set if tcpsvd listens on port 53
+    to avoid loops. 
+-u user[:group]
+    drop permissions. Switch user ID to user's UID, and group ID to user's
+    primary GID after creating and binding to the socket. If user is followed
+    by a colon and a group name, the group ID is switched to the GID of group
+    instead. All supplementary groups are removed. 
+-c n
+    concurrency. Handle up to n connections simultaneously. Default is 30.
+    If there are n connections active, tcpsvd defers acceptance of a new
+    connection until an active connection is closed. 
+-C n[:msg]
+    per host concurrency. Allow only up to n connections from the same IP
+    address simultaneously. If there are n active connections from one IP       
+    address, new incoming connections from this IP address are closed
+    immediately. If n is followed by :msg, the message msg is written   
+    to the client if possible, before closing the connection. By default
+    msg is empty. See ipsvd-instruct(5) for supported escape sequences in msg.
+    For each accepted connection, the current per host concurrency is
+    available through the environment variable TCPCONCURRENCY. n and msg
+    can be overwritten by ipsvd(7) instructions, see ipsvd-instruct(5).
+    By default tcpsvd doesn't keep track of connections. 
+-h
+    Look up the client's hostname in DNS. 
+-p
+    paranoid. After looking up the client's hostname in DNS, look up the IP
+    addresses in DNS for that hostname, and forget about the hostname
+    if none of the addresses match the client's IP address. You should
+    set this option if you use hostname based instructions. The -p option
+    implies the -h option. 
+-b n
+    backlog. Allow a backlog of approximately n TCP SYNs. On some systems n
+    is silently limited. Default is 20. 
+-E
+    no special environment. Do not set up TCP-related environment variables. 
+-v
+    verbose. Print verbose messsages to standard output. 
+-vv
+    more verbose. Print more verbose messages to standard output. 
+*/
author	vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277>	2007-04-01 01:18:20 +0000
committer	vda <vda@69ca8d6d-28ef-0310-b511-8ec308f3f277>	2007-04-01 01:18:20 +0000
commit	5348a94d2a6baae045918c4cc2bdd256ee8de5b8 (patch)
tree	d4f6495339702c0b6d79816d0bb07ba4b6679ce8 /ipsvd
parent	a4935249632f90595f8f8a5200ed7b6266cf6321 (diff)
download	busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.tar.gz busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.tar.bz2 busybox-w32-5348a94d2a6baae045918c4cc2bdd256ee8de5b8.zip

diff --git a/ipsvd/Config.in b/ipsvd/Config.in new file mode 100644 index 000000000..fb2931d07 --- /dev/null +++ b/ipsvd/Config.in
@@ -0,0 +1,14 @@
	1	#
	2	# For a description of the syntax of this configuration file,
	3	# see scripts/kbuild/config-language.txt.
	4	#
	5
	6	menu "ipsvd utilities"
	7
	8	config TCPSVD
	9	bool "tcpsvd"
	10	default n
	11	help
	12	tcpsvd listens on a port and runs a program for each new connection
	13
	14	endmenu


diff --git a/ipsvd/Kbuild b/ipsvd/Kbuild new file mode 100644 index 000000000..8050921b0 --- /dev/null +++ b/ipsvd/Kbuild
@@ -0,0 +1,8 @@
	1	# Makefile for busybox
	2	#
	3	# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
	4	#
	5	# Licensed under the GPL v2, see the file LICENSE in this tarball.
	6
	7	lib-y:=
	8	lib-$(CONFIG_TCPSVD) += tcpsvd.o ipsvd_perhost.o


diff --git a/ipsvd/ipsvd_perhost.c b/ipsvd/ipsvd_perhost.c new file mode 100644 index 000000000..c6f7de339 --- /dev/null +++ b/ipsvd/ipsvd_perhost.c
@@ -0,0 +1,55 @@
	1	#include "busybox.h"
	2	#include "ipsvd_perhost.h"
	3
	4	static struct hcc *cc;
	5	static unsigned cclen;
	6
	7	/* to be optimized */
	8
	9	void ipsvd_perhost_init(unsigned c)
	10	{
	11	// free(cc);
	12	cc = xzalloc(c * sizeof(*cc));
	13	cclen = c;
	14	}
	15
	16	unsigned ipsvd_perhost_add(const char ip, unsigned maxconn, struct hcc *hccpp)
	17	{
	18	unsigned i;
	19	unsigned conn = 1;
	20	int p = -1;
	21
	22	for (i = 0; i < cclen; ++i) {
	23	if (cc[i].ip[0] == 0) {
	24	if (p == -1) p = i;
	25	continue;
	26	}
	27	if (strncmp(cc[i].ip, ip, sizeof(cc[i].ip)) == 0) {
	28	conn++;
	29	continue;
	30	}
	31	}
	32	if (p == -1) return 0;
	33	if (conn <= maxconn) {
	34	strcpy(cc[p].ip, ip);
	35	*hccpp = &cc[p];
	36	}
	37	return conn;
	38	}
	39
	40	void ipsvd_perhost_remove(int pid)
	41	{
	42	unsigned i;
	43	for (i = 0; i < cclen; ++i) {
	44	if (cc[i].pid == pid) {
	45	cc[i].ip[0] = 0;
	46	cc[i].pid = 0;
	47	return;
	48	}
	49	}
	50	}
	51
	52	//void ipsvd_perhost_free(void)
	53	//{
	54	// free(cc);
	55	//}


diff --git a/ipsvd/ipsvd_perhost.h b/ipsvd/ipsvd_perhost.h new file mode 100644 index 000000000..05c939d89 --- /dev/null +++ b/ipsvd/ipsvd_perhost.h
@@ -0,0 +1,10 @@
	1	struct hcc {
	2	char ip[32 - sizeof(int)];
	3	int pid;
	4	};
	5
	6	void ipsvd_perhost_init(unsigned);
	7	unsigned ipsvd_perhost_add(const char ip, unsigned maxconn, struct hcc *hccpp);
	8	void ipsvd_perhost_remove(int pid);
	9	//unsigned ipsvd_perhost_setpid(int pid);
	10	//void ipsvd_perhost_free(void);


diff --git a/ipsvd/tcpsvd.c b/ipsvd/tcpsvd.c new file mode 100644 index 000000000..9a0a348de --- /dev/null +++ b/ipsvd/tcpsvd.c
@@ -0,0 +1,514 @@
	1	/*
	2	# /usr/bin/tcpsvd -v 0 1234 true
	3	tcpsvd: info: pid 24916 from 127.0.0.1
	4	tcpsvd: info: start 24916 localhost:127.0.0.1 ::127.0.0.1:47905
	5	tcpsvd: info: pid 24918 from 127.0.0.1
	6	tcpsvd: info: start 24918 localhost:127.0.0.1 ::127.0.0.1:47906
	7	# ./busybox tcpsvd -v 0 1234 true
	8	tcpsvd: info: pid 24924 from 127.0.0.1
	9	tcpsvd: info: start 24924 localhost:1234:127.0.0.1:1234 ::127.0.0.1:47908
	10	tcpsvd: info: pid 24926 from 127.0.0.1
	11	tcpsvd: info: start 24926 localhost:1234:127.0.0.1:1234 ::127.0.0.1:47909
	12	*/
	13
	14	#include "busybox.h"
	15	#include "ipsvd_perhost.h"
	16
	17	#ifdef SSLSVD
	18	#include "matrixSsl.h"
	19	#include "ssl_io.h"
	20	#endif
	21
	22
	23	static unsigned max_per_host; /* originally in ipsvd_check.c */
	24	static unsigned cur_per_host;
	25	static unsigned verbose;
	26	static unsigned cnum;
	27	static unsigned cmax = 30;
	28
	29	/* Must match getopt32 in main! */
	30	enum {
	31	OPT_c = (1 << 0),
	32	OPT_C = (1 << 1),
	33	OPT_i = (1 << 2),
	34	OPT_x = (1 << 3),
	35	OPT_u = (1 << 4),
	36	OPT_l = (1 << 5),
	37	OPT_E = (1 << 6),
	38	OPT_b = (1 << 7),
	39	OPT_h = (1 << 8),
	40	OPT_p = (1 << 9),
	41	OPT_t = (1 << 10),
	42	OPT_v = (1 << 11),
	43	OPT_V = (1 << 12),
	44	OPT_U = (1 << 13),
	45	OPT_slash = (1 << 14),
	46	OPT_Z = (1 << 15),
	47	OPT_K = (1 << 16),
	48	};
	49
	50	static void connection_status(void)
	51	{
	52	printf("%s: info: status %u/%u\n", applet_name, cnum, cmax);
	53	}
	54
	55	static void sig_term_handler(int sig)
	56	{
	57	if (verbose)
	58	printf("%s: info: sigterm received, exit\n", applet_name);
	59	exit(0);
	60	}
	61
	62	static void sig_child_handler(int sig)
	63	{
	64	int wstat;
	65	int pid;
	66
	67	while ((pid = wait_nohang(&wstat)) > 0) {
	68	if (max_per_host)
	69	ipsvd_perhost_remove(pid);
	70	if (cnum)
	71	cnum--;
	72	if (verbose) {
	73	/* Little bloated, but tries to give accurate info
	74	* how child exited. Makes easier to spot segfaulting
	75	* children etc... */
	76	unsigned e = 0;
	77	const char *cause = "?exit";
	78	if (WIFEXITED(wstat)) {
	79	cause++;
	80	e = WEXITSTATUS(wstat);
	81	} else if (WIFSIGNALED(wstat)) {
	82	cause = "signal";
	83	e = WTERMSIG(wstat);
	84	}
	85	printf("%s: info: end %d %s %d\n",
	86	applet_name, pid, cause, e);
	87	}
	88	}
	89	if (verbose)
	90	connection_status();
	91	}
	92
	93	int tcpsvd_main(int argc, char **argv);
	94	int tcpsvd_main(int argc, char **argv)
	95	{
	96	char str_c, str_C, str_b, str_t;
	97	char *user;
	98	struct hcc *hccp;
	99	const char *instructs;
	100	char *msg_per_host = NULL;
	101	unsigned len_per_host = len_per_host; /* gcc */
	102	int need_addresses;
	103	int pid;
	104	int sock;
	105	int conn;
	106	unsigned backlog = 20;
	107	union {
	108	struct sockaddr sa;
	109	struct sockaddr_in sin;
	110	USE_FEATURE_IPV6(struct sockaddr_in6 sin6;)
	111	} sock_adr;
	112	socklen_t sockadr_size;
	113	uint16_t local_port = local_port;
	114	uint16_t remote_port;
	115	unsigned port;
	116	char *local_hostname = NULL;
	117	char remote_hostname = (char)""; /* "" used if no -h */
	118	char *local_ip = local_ip;
	119	char *remote_ip = NULL;
	120	//unsigned iscdb = 0; /* = option_mask32 & OPT_x (TODO) */
	121	//unsigned long timeout = 0;
	122	#ifndef SSLSVD
	123	struct bb_uidgid_t ugid;
	124	#endif
	125
	126	/* 3+ args, -i at most once, -p implies -h, -v is counter */
	127	opt_complementary = "-3:?:i--i:ph:vv";
	128	#ifdef SSLSVD
	129	getopt32(argc, argv, "c:C:i:x:u:l:Eb:hpt:vU:/:Z:K:",
	130	&str_c, &str_C, &instructs, &instructs, &user, &local_hostname,
	131	&str_b, &str_t, &ssluser, &root, &cert, &key, &verbose
	132	);
	133	#else
	134	getopt32(argc, argv, "c:C:i:x:u:l:Eb:hpt:v",
	135	&str_c, &str_C, &instructs, &instructs, &user, &local_hostname,
	136	&str_b, &str_t, &verbose
	137	);
	138	#endif
	139	if (option_mask32 & OPT_c)
	140	cmax = xatou_range(str_c, 1, INT_MAX);
	141	if (option_mask32 & OPT_C) { /* -C n[:message] */
	142	max_per_host = bb_strtou(str_C, &str_C, 10);
	143	if (str_C[0]) {
	144	if (str_C[0] != ':')
	145	bb_show_usage();
	146	msg_per_host = str_C + 1;
	147	len_per_host = strlen(msg_per_host);
	148	}
	149	}
	150	if (max_per_host > cmax)
	151	max_per_host = cmax;
	152	if (option_mask32 & OPT_u) {
	153	if (!get_uidgid(&ugid, user, 1))
	154	bb_error_msg_and_die("unknown user/group: %s", user);
	155	}
	156	if (option_mask32 & OPT_b)
	157	backlog = xatou(str_b);
	158	// if (option_mask32 & OPT_t) timeout = xatou(str_t);
	159	#ifdef SSLSVD
	160	if (option_mask32 & OPT_U) ssluser = (char*)optarg; break;
	161	if (option_mask32 & OPT_slash) root = (char*)optarg; break;
	162	if (option_mask32 & OPT_Z) cert = (char*)optarg; break;
	163	if (option_mask32 & OPT_K) key = (char*)optarg; break;
	164	#endif
	165	argv += optind;
	166	if (!argv[0][0] \|\| LONE_CHAR(argv[0], '0'))
	167	argv[0] = (char*)"0.0.0.0";
	168
	169	need_addresses = verbose \|\| !(option_mask32 & OPT_E);
	170
	171	#ifdef SSLSVD
	172	sslser = user;
	173	client = 0;
	174	if ((getuid() == 0) && !(option_mask32 & OPT_u)) {
	175	xfunc_exitcode = 100;
	176	bb_error_msg_and_die("fatal: -U ssluser must be set when running as root");
	177	}
	178	if (option_mask32 & OPT_u)
	179	if (!uidgid_get(&sslugid, ssluser, 1)) {
	180	if (errno) {
	181	xfunc_exitcode = 100;
	182	bb_perror_msg_and_die("fatal: cannot get user/group: %s", ssluser);
	183	}
	184	xfunc_exitcode = 111;
	185	bb_error_msg_and_die("fatal: unknown user/group '%s'", ssluser);
	186	}
	187	if (!cert) cert = "./cert.pem";
	188	if (!key) key = cert;
	189	if (matrixSslOpen() < 0)
	190	fatal("cannot initialize ssl");
	191	if (matrixSslReadKeys(&keys, cert, key, 0, ca) < 0) {
	192	if (client)
	193	fatal("cannot read cert, key, or ca file");
	194	fatal("cannot read cert or key file");
	195	}
	196	if (matrixSslNewSession(&ssl, keys, 0, SSL_FLAGS_SERVER) < 0)
	197	fatal("cannot create ssl session");
	198	#endif
	199
	200	sig_block(SIGCHLD);
	201	signal(SIGCHLD, sig_child_handler);
	202	signal(SIGTERM, sig_term_handler);
	203	signal(SIGPIPE, SIG_IGN);
	204
	205	if (max_per_host)
	206	ipsvd_perhost_init(cmax);
	207
	208	port = bb_lookup_port(argv[1], "tcp", 0);
	209	sock = create_and_bind_stream_or_die(argv[0], port);
	210	xlisten(sock, backlog);
	211	/* ndelay_off(sock); - it is the default I think? */
	212
	213	#ifndef SSLSVD
	214	if (option_mask32 & OPT_u) {
	215	/* drop permissions */
	216	xsetgid(ugid.gid);
	217	xsetuid(ugid.uid);
	218	}
	219	#endif
	220	bb_sanitize_stdio(); /* fd# 1,2 must be opened */
	221	close(0);
	222
	223	if (verbose) {
	224	/* we do it only for ":port" cosmetics... oh well */
	225	len_and_sockaddr *lsa = xhost2sockaddr(argv[0], port);
	226	char *addr = xmalloc_sockaddr2dotted(&lsa->sa, lsa->len);
	227
	228	printf("%s: info: listening on %s", applet_name, addr);
	229	free(addr);
	230	#ifndef SSLSVD
	231	if (option_mask32 & OPT_u)
	232	printf(", uid %u, gid %u",
	233	(unsigned)ugid.uid, (unsigned)ugid.uid);
	234	#endif
	235	puts(", starting");
	236	}
	237
	238	/* The rest is a main accept() loop */
	239
	240	again:
	241	hccp = NULL;
	242
	243	while (cnum >= cmax)
	244	sig_pause(); /* wait for any signal (expecting SIGCHLD) */
	245
	246	sockadr_size = sizeof(sock_adr);
	247	sig_unblock(SIGCHLD);
	248	conn = accept(sock, &sock_adr.sa, &sockadr_size);
	249	sig_block(SIGCHLD);
	250	if (conn == -1) {
	251	if (errno != EINTR)
	252	bb_perror_msg("accept");
	253	goto again;
	254	}
	255
	256	if (max_per_host) {
	257	/* we drop connection immediately if cur_per_host > max_per_host
	258	* (minimizing load under SYN flood) */
	259	free(remote_ip);
	260	remote_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sockadr_size);
	261	cur_per_host = ipsvd_perhost_add(remote_ip, max_per_host, &hccp);
	262	if (cur_per_host > max_per_host) {
	263	/* ipsvd_perhost_add detected that max is exceeded
	264	* (and did not store us in connection table) */
	265	if (msg_per_host) {
	266	ndelay_on(conn);
	267	/* don't test for errors */
	268	write(conn, msg_per_host, len_per_host);
	269	}
	270	close(conn);
	271	goto again;
	272	}
	273	}
	274
	275	cnum++;
	276	if (verbose)
	277	connection_status();
	278
	279	pid = fork();
	280	if (pid == -1) {
	281	bb_perror_msg("fork");
	282	close(conn);
	283	goto again;
	284	}
	285	if (pid != 0) {
	286	/* parent */
	287	close(conn);
	288	if (hccp)
	289	hccp->pid = pid;
	290	goto again;
	291	}
	292
	293	/* Child: prepare env, log, and exec prog */
	294
	295	close(sock);
	296
	297	if (!max_per_host)
	298	remote_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sizeof(sock_adr));
	299	/* else it is already done */
	300
	301	remote_port = get_nport(&sock_adr.sa);
	302	remote_port = ntohs(remote_port);
	303
	304	if (verbose) {
	305	pid = getpid();
	306	printf("%s: info: pid %d from %s\n", applet_name, pid, remote_ip);
	307	}
	308
	309	if (need_addresses && (option_mask32 & OPT_h)) {
	310	remote_hostname = xmalloc_sockaddr2host(&sock_adr.sa, sizeof(sock_adr));
	311	if (!remote_hostname) {
	312	bb_error_msg("warning: cannot look up hostname for %s", remote_ip);
	313	remote_hostname = (char*)"";
	314	}
	315	}
	316
	317	sockadr_size = sizeof(sock_adr);
	318	/* Errors ignored (I'm not paranoid enough to imagine kernel
	319	* which doesn't know local ip) */
	320	getsockname(conn, &sock_adr.sa, &sockadr_size);
	321
	322	if (need_addresses) {
	323	local_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sockadr_size);
	324	local_port = get_nport(&sock_adr.sa);
	325	local_port = ntohs(local_port);
	326	if (!local_hostname) {
	327	local_hostname = xmalloc_sockaddr2host_noport(&sock_adr.sa, sockadr_size);
	328	if (!local_hostname)
	329	bb_error_msg_and_die("cannot look up local hostname for %s", local_ip);
	330	}
	331	}
	332
	333	if (!(option_mask32 & OPT_E)) {
	334	/* setup ucspi env */
	335	xsetenv("PROTO", "TCP");
	336	xsetenv("TCPLOCALIP", local_ip);
	337	xsetenv("TCPLOCALPORT", utoa(local_port));
	338	xsetenv("TCPLOCALHOST", local_hostname);
	339	xsetenv("TCPREMOTEIP", remote_ip);
	340	xsetenv("TCPREMOTEPORT", utoa(remote_port));
	341	if (option_mask32 & OPT_h) {
	342	xsetenv("TCPREMOTEHOST", remote_hostname);
	343	}
	344	xsetenv("TCPREMOTEINFO", "");
	345	/* additional */
	346	if (cur_per_host > 0)
	347	xsetenv("TCPCONCURRENCY", utoa(cur_per_host));
	348	}
	349
	350	#if 0
	351	if (instructs) {
	352	ac = ipsvd_check(iscdb, &inst, &match, (char*)instructs,
	353	remote_ip, remote_hostname, timeout);
	354	if (ac == -1) drop2("cannot check inst", remote_ip);
	355	if (ac == IPSVD_ERR) drop2("cannot read", (char*)instructs);
	356	} else
	357	ac = IPSVD_DEFAULT;
	358	#endif
	359
	360	if (max_per_host && verbose)
	361	printf("%s: info: concurrency %u %s %u/%u\n",
	362	applet_name, pid, remote_ip, cur_per_host, max_per_host);
	363
	364	if (verbose) {
	365	printf("%s: info: start %u %s:%s :%s:%s:%u\n",
	366	applet_name, pid,
	367	local_hostname, local_ip,
	368	remote_hostname, remote_ip, (unsigned)remote_port);
	369	#if 0
	370	switch(ac) {
	371	case IPSVD_DENY:
	372	printf("deny "); break;
	373	case IPSVD_DEFAULT:
	374	case IPSVD_INSTRUCT:
	375	printf("start "); break;
	376	case IPSVD_EXEC:
	377	printf("exec "); break;
	378	}
	379	...
	380	if (instructs) {
	381	printf(" ");
	382	if (iscdb) {
	383	printf((char*)instructs);
	384	printf("/");
	385	}
	386	outfix(match.s);
	387	if(inst.s && inst.len && (verbose > 1)) {
	388	printf(": ");
	389	printf(&inst);
	390	}
	391	}
	392	printf("\n");
	393	#endif
	394	}
	395
	396	#if 0
	397	if (ac == IPSVD_DENY) {
	398	close(conn);
	399	_exit(100);
	400	}
	401	if (ac == IPSVD_EXEC) {
	402	args[0] = "/bin/sh";
	403	args[1] = "-c";
	404	args[2] = inst.s;
	405	args[3] = 0;
	406	run = args;
	407	} else
	408	run = argv + 2; /* below: we use argv+2 (was using run) */
	409	#endif
	410
	411	xmove_fd(conn, 0);
	412	dup2(0, 1);
	413	signal(SIGTERM, SIG_DFL);
	414	signal(SIGPIPE, SIG_DFL);
	415	signal(SIGCHLD, SIG_DFL);
	416	sig_unblock(SIGCHLD);
	417
	418	argv += 2;
	419	#ifdef SSLSVD
	420	strcpy(id, utoa(pid);
	421	ssl_io(0, argv);
	422	#else
	423	BB_EXECVP(argv[0], argv);
	424	#endif
	425	bb_perror_msg_and_die("exec '%s'", argv[0]);
	426	}
	427
	428	/*
	429	tcpsvd [-hpEvv] [-c n] [-C n:msg] [-b n] [-u user] [-l name] [-i dir\|-x cdb] [ -t sec] host port prog
	430
	431	tcpsvd creates a TCP/IP socket, binds it to the address host:port,
	432	and listens on the socket for incoming connections.
	433
	434	On each incoming connection, tcpsvd conditionally runs a program,
	435	with standard input reading from the socket, and standard output
	436	writing to the socket, to handle this connection. tcpsvd keeps
	437	listening on the socket for new connections, and can handle
	438	multiple connections simultaneously.
	439
	440	tcpsvd optionally checks for special instructions depending
	441	on the IP address or hostname of the client that initiated
	442	the connection, see ipsvd-instruct(5).
	443
	444	host
	445	host either is a hostname, or a dotted-decimal IP address,
	446	or 0. If host is 0, tcpsvd accepts connections to any local
	447	IP address.
	448	port
	449	tcpsvd accepts connections to host:port. port may be a name
	450	from /etc/services or a number.
	451	prog
	452	prog consists of one or more arguments. For each connection,
	453	tcpsvd normally runs prog, with file descriptor 0 reading from
	454	the network, and file descriptor 1 writing to the network.
	455	By default it also sets up TCP-related environment variables,
	456	see tcp-environ(5)
	457	-i dir
	458	read instructions for handling new connections from the instructions
	459	directory dir. See ipsvd-instruct(5) for details.
	460	-x cdb
	461	read instructions for handling new connections from the constant database
	462	cdb. The constant database normally is created from an instructions
	463	directory by running ipsvd-cdb(8).
	464	-t sec
	465	timeout. This option only takes effect if the -i option is given.
	466	While checking the instructions directory, check the time of last access
	467	of the file that matches the clients address or hostname if any, discard
	468	and remove the file if it wasn't accessed within the last sec seconds;
	469	tcpsvd does not discard or remove a file if the user's write permission
	470	is not set, for those files the timeout is disabled. Default is 0,
	471	which means that the timeout is disabled.
	472	-l name
	473	local hostname. Do not look up the local hostname in DNS, but use name
	474	as hostname. This option must be set if tcpsvd listens on port 53
	475	to avoid loops.
	476	-u user[:group]
	477	drop permissions. Switch user ID to user's UID, and group ID to user's
	478	primary GID after creating and binding to the socket. If user is followed
	479	by a colon and a group name, the group ID is switched to the GID of group
	480	instead. All supplementary groups are removed.
	481	-c n
	482	concurrency. Handle up to n connections simultaneously. Default is 30.
	483	If there are n connections active, tcpsvd defers acceptance of a new
	484	connection until an active connection is closed.
	485	-C n[:msg]
	486	per host concurrency. Allow only up to n connections from the same IP
	487	address simultaneously. If there are n active connections from one IP
	488	address, new incoming connections from this IP address are closed
	489	immediately. If n is followed by :msg, the message msg is written
	490	to the client if possible, before closing the connection. By default
	491	msg is empty. See ipsvd-instruct(5) for supported escape sequences in msg.
	492
	493	For each accepted connection, the current per host concurrency is
	494	available through the environment variable TCPCONCURRENCY. n and msg
	495	can be overwritten by ipsvd(7) instructions, see ipsvd-instruct(5).
	496	By default tcpsvd doesn't keep track of connections.
	497	-h
	498	Look up the client's hostname in DNS.
	499	-p
	500	paranoid. After looking up the client's hostname in DNS, look up the IP
	501	addresses in DNS for that hostname, and forget about the hostname
	502	if none of the addresses match the client's IP address. You should
	503	set this option if you use hostname based instructions. The -p option
	504	implies the -h option.
	505	-b n
	506	backlog. Allow a backlog of approximately n TCP SYNs. On some systems n
	507	is silently limited. Default is 20.
	508	-E
	509	no special environment. Do not set up TCP-related environment variables.
	510	-v
	511	verbose. Print verbose messsages to standard output.
	512	-vv
	513	more verbose. Print more verbose messages to standard output.
	514	*/