From 0c2060028a233f9058e7dc8aeb3a8a9eb0e4f075 Mon Sep 17 00:00:00 2001 From: wangyu- Date: Sat, 24 Feb 2018 17:26:29 -0600 Subject: [PATCH] --max-rst-allowed --max-rst-to-show --- connection.cpp | 9 +++++++-- connection.h | 4 ++-- main.cpp | 28 ++++++++++++++++++++++++---- misc.cpp | 18 ++++++++++++++++++ misc.h | 4 ++++ network.cpp | 36 +++++++++++++++++++++++++++++++++++- network.h | 3 ++- 7 files changed, 92 insertions(+), 10 deletions(-) diff --git a/connection.cpp b/connection.cpp index 2638cf0..8ebdf57 100644 --- a/connection.cpp +++ b/connection.cpp @@ -228,6 +228,10 @@ conv_manager_t::~conv_manager_t() void conn_info_t::recover(const conn_info_t &conn_info) { raw_info=conn_info.raw_info; + + raw_info.rst_received=0; + raw_info.disabled=0; + last_state_time=conn_info.last_state_time; last_hb_recv_time=conn_info.last_hb_recv_time; last_hb_sent_time=conn_info.last_hb_sent_time; @@ -238,6 +242,7 @@ conv_manager_t::~conv_manager_t() my_roller=0;//no need to set,but for easier debug,set it to zero oppsite_roller=0;//same as above last_oppsite_roller_time=0; + } void conn_info_t::re_init() @@ -642,7 +647,7 @@ int send_data_safer(conn_info_t &conn_info,const char* data,int len,u32_t conv_n return 0; } -int parse_safer(conn_info_t &conn_info,const char * input,int input_len,char &type,char* &data,int &len)//subfunction for recv_safer,allow overlap +int reserved_parse_safer(conn_info_t &conn_info,const char * input,int input_len,char &type,char* &data,int &len)//subfunction for recv_safer,allow overlap { static char recv_data_buf[buf_len]; 
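Review bot: The two resets that follow `raw_info=conn_info.raw_info;` deserve a why-comment, because a reader of recover() cannot see that a copied `disabled` flag would make send_raw_ip (network.cpp, hunk @@ -566) drop every outgoing packet of the recovered connection: `raw_info.rst_received=0; //fresh RST budget for the recovered connection` and `raw_info.disabled=0; //never inherit disabled, or send_raw_ip would drop all output`. re_init() begins right after this hunk and is outside the view; if it also rebuilds or copies raw_info it needs the same treatment.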
@@ -738,7 +743,7 @@ int recv_safer(conn_info_t &conn_info,char &type,char* &data,int &len)///safer t if(recv_raw0(conn_info.raw_info,recv_data,recv_len)!=0) return -1; - return parse_safer(conn_info,recv_data,recv_len,type,data,len); + return reserved_parse_safer(conn_info,recv_data,recv_len,type,data,len); } void server_clear_function(u64_t u64)//used in conv_manager in server mode.for server we have to use one udp fd for one conv(udp connection), diff --git a/connection.h b/connection.h index 5850bfc..c476abe 100644 --- a/connection.h +++ b/connection.h 
@@ -154,12 +154,12 @@ void server_clear_function(u64_t u64); int send_bare(raw_info_t &raw_info,const char* data,int len);//send function with encryption but no anti replay,this is used when client and server verifys each other //you have to design the protocol carefully, so that you wont be affect by relay attack -int reserved_parse_bare(const char *input,int input_len,char* & data,int & len); // a sub function used in recv_bare +//int reserved_parse_bare(const char *input,int input_len,char* & data,int & len); // a sub function used in recv_bare int recv_bare(raw_info_t &raw_info,char* & data,int & len);//recv function with encryption but no anti replay,this is used when client and server verifys each other //you have to design the protocol carefully, so that you wont be affect by relay attack int send_handshake(raw_info_t &raw_info,id_t id1,id_t id2,id_t id3);// a warp for send_bare for sending handshake(this is not tcp handshake) easily int send_safer(conn_info_t &conn_info,char type,const char* data,int len); //safer transfer function with anti-replay,when mutually verification is done. int send_data_safer(conn_info_t &conn_info,const char* data,int len,u32_t conv_num);//a wrap for send_safer for transfer data. -int parse_safer(conn_info_t &conn_info,const char * input,int input_len,char &type,char* &data,int &len);//subfunction for recv_safer,allow overlap +//int reserved_parse_safer(conn_info_t &conn_info,const char * input,int input_len,char &type,char* &data,int &len);//subfunction for recv_safer,allow overlap int recv_safer(conn_info_t &conn_info,char &type,char* &data,int &len);///safer transfer function with anti-replay,when mutually verification is done. #endif /* CONNECTION_H_ */ diff --git a/main.cpp b/main.cpp index 10d7fd1..cde8aed 100755 --- a/main.cpp +++ b/main.cpp 
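Review bot: The prototype of `reserved_parse_safer` is commented out here while its definition in connection.cpp (hunk @@ -642) stays a non-static function with external linkage, so it remains callable from other translation units without any declaration and triggers -Wmissing-declarations. Either keep the declaration or give the definition internal linkage: `static int reserved_parse_safer(conn_info_t &conn_info,const char * input,int input_len,char &type,char* &data,int &len)`. The same presumably applies to `reserved_parse_bare`, whose declaration is also commented out in this hunk; deleting the dead declarations is cleaner than leaving them commented, since version control already keeps the history.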
@@ -10,11 +10,13 @@ char hb_buf[buf_len]; +int on_epoll_recv_event=0; //TODO, just a flag to help detect epoll infinite shoot int server_on_raw_recv_pre_ready(conn_info_t &conn_info,char * ip_port,u32_t tmp_oppsite_const_id); int server_on_raw_recv_ready(conn_info_t &conn_info,char * ip_port,char type,char *data,int data_len); int server_on_raw_recv_handshake1(conn_info_t &conn_info,char * ip_port,char * data, int data_len); + int client_on_timer(conn_info_t &conn_info) //for client. called when a timer is ready in epoll { //keep_iptables_rule(); @@ -28,9 +30,19 @@ int client_on_timer(conn_info_t &conn_info) //for client. called when a timer is mylog(log_trace,"\n",send_info.ts_ack); + if(raw_info.disabled) + { + conn_info.state.client_current_state=client_idle; + conn_info.my_id=get_true_random_number_nz(); + + mylog(log_info,"state back to client_idle\n"); + } if(conn_info.state.client_current_state==client_idle) { + raw_info.rst_received=0; + raw_info.disabled=0; + fail_time_counter++; if(max_fail_time>0&&fail_time_counter>max_fail_time) { @@ -41,6 +53,8 @@ int client_on_timer(conn_info_t &conn_info) //for client. called when a timer is conn_info.blob->anti_replay.re_init(); conn_info.my_id = get_true_random_number_nz(); ///todo no need to do this everytime + + u32_t new_ip=0; if(!force_source_ip&&get_src_adress(new_ip,remote_ip_uint32,remote_port)==0) { 
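Review bot: `int on_epoll_recv_event=0;` is introduced with a TODO but is neither read nor written anywhere else in this patch, and as an initialised non-static global it gets external linkage. If it is only a debugging aid for the epoll loop, make it `static int on_epoll_recv_event=0;` and say in the comment which code is expected to set and check it, otherwise drop it until the detection code lands.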
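Review bot: In the new `if(raw_info.disabled)` branch of client_on_timer, `conn_info.my_id=get_true_random_number_nz();` looks redundant, because the idle branch entered immediately afterwards assigns `my_id` again (`conn_info.my_id = get_true_random_number_nz();` in the context of hunk @@ -41), unless an early return between the two hunks prevents that line from being reached; the remaining lines of the function are outside the view. The forced transition to client_idle also runs `fail_time_counter++`, so every RST-triggered disable consumes part of the `max_fail_time` budget and can terminate the client; if that is intended it deserves a comment such as `//a disabled connection counts as a failed attempt`, otherwise the counter should be skipped on this path. `raw_info` is not declared inside the hunk, so its binding to `conn_info.raw_info` is assumed from the surrounding code.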
@@ -610,13 +624,15 @@ int server_on_raw_recv_multi() //called when server received an raw packet conn_info_t &conn_info=conn_manager.find_insert(ip,port); conn_info.raw_info=tmp_raw_info; + raw_info_t &raw_info=conn_info.raw_info; + + packet_info_t &send_info=conn_info.raw_info.send_info; + packet_info_t &recv_info=conn_info.raw_info.recv_info; //conn_info.ip_port.ip=ip; //conn_info.ip_port.port=port; - packet_info_t &send_info=conn_info.raw_info.send_info; - packet_info_t &recv_info=conn_info.raw_info.recv_info; - raw_info_t &raw_info=conn_info.raw_info; + send_info.src_ip=recv_info.dst_ip; send_info.src_port=recv_info.dst_port; @@ -645,6 +661,8 @@ int server_on_raw_recv_multi() //called when server received an raw packet } + + conn_info_t & conn_info=conn_manager.find_insert(ip,port);//insert if not exist packet_info_t &send_info=conn_info.raw_info.send_info; packet_info_t &recv_info=conn_info.raw_info.recv_info; @@ -1479,6 +1497,8 @@ int server_event_loop() } mylog(log_info,"fifo_file=%s\n",fifo_file); } + + while(1)//////////////////////// { @@ -1730,7 +1750,7 @@ int main(int argc, char *argv[]) if(geteuid() != 0) { - mylog(log_error,"root check failed, it seems like you are using a non-root account. we can try to continue, but it may fail. If you want to run udp2raw as non-root, you have to add iptables rule manually, and grant udp2raw CAP_NET_RAW capability, check README.md in repo for more info.\n"); + mylog(log_warn,"root check failed, it seems like you are using a non-root account. we can try to continue, but it may fail. If you want to run udp2raw as non-root, you have to add iptables rule manually, and grant udp2raw CAP_NET_RAW capability, check README.md in repo for more info.\n"); } else { diff --git a/misc.cpp b/misc.cpp index 264d76d..b62729e 100644 --- a/misc.cpp +++ b/misc.cpp 
@@ -18,6 +18,10 @@ int hb_len=1200; int mtu_warn=1375;//if a packet larger than mtu warn is receviced,there will be a warning +int max_rst_to_show=15; + +int max_rst_allowed=-1; + fd_manager_t fd_manager; @@ -268,6 +272,8 @@ void process_arg(int argc, char *argv[]) //process all options {"hb-mode", required_argument, 0, 1}, {"hb-len", required_argument, 0, 1}, {"mtu-warn", required_argument, 0, 1}, + {"max-rst-to-show", required_argument, 0, 1}, + {"max-rst-allowed", required_argument, 0, 1}, {NULL, 0, 0, 0} }; @@ -628,6 +634,18 @@ void process_arg(int argc, char *argv[]) //process all options assert(mtu_warn>0); mylog(log_info,"mtu_warn=%d \n",mtu_warn); } + else if(strcmp(long_options[option_index].name,"max-rst-to-show")==0) + { + sscanf(optarg,"%d",&max_rst_to_show); + assert(max_rst_to_show>=-1); + mylog(log_info,"max_rst_to_show=%d \n",max_rst_to_show); + } + else if(strcmp(long_options[option_index].name,"max-rst-allowed")==0) + { + sscanf(optarg,"%d",&max_rst_allowed); + assert(max_rst_allowed>=-1); + mylog(log_info,"max_rst_allowed=%d \n",max_rst_allowed); + } else { mylog(log_warn,"ignored unknown long option ,option_index:%d code:<%x>\n",option_index, optopt); diff --git a/misc.h b/misc.h index 95c9fda..63e459b 100644 --- a/misc.h +++ b/misc.h @@ -17,6 +17,10 @@ extern int hb_mode; extern int hb_len; extern int mtu_warn; +extern int max_rst_allowed; +extern int max_rst_to_show; + + const u32_t max_handshake_conn_num=10000; const u32_t max_ready_conn_num=1000; const u32_t anti_replay_window_size=4000; diff --git a/network.cpp b/network.cpp index 3c00a3f..326ea0f 100644 --- a/network.cpp +++ b/network.cpp @@ -566,6 +566,11 @@ int send_raw_ip(raw_info_t &raw_info,const char * payload,int payloadlen) const packet_info_t &recv_info=raw_info.recv_info; char send_raw_ip_buf[buf_len]; + if(raw_info.disabled) + { + return 0; + } + struct iphdr *iph = (struct iphdr *) send_raw_ip_buf; memset(iph,0,sizeof(iphdr)); 
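Review bot: `sscanf(optarg,"%d",&max_rst_to_show);` ignores its return value, so a non-numeric argument silently keeps the default 15, and the only range check is `assert(max_rst_to_show>=-1)`, which is compiled out under NDEBUG; the `max-rst-allowed` branch a few lines below has the same shape. This mirrors the existing `mtu-warn` handling, but for a limit that decides whether a connection gets disabled a hard check is preferable: `if(sscanf(optarg,"%d",&max_rst_allowed)!=1||max_rst_allowed<-1){mylog(log_error,"invalid max-rst-allowed: %s\n",optarg);exit(-1);}`. The meaning of the sentinel -1 (feature off for `max-rst-allowed`, unlimited logging for `max-rst-to-show`) is only visible in network.cpp; it should be stated next to the defaults in the @@ -18 hunk and in the usage text if process_arg prints one outside this view.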
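Review bot: `if(raw_info.disabled) { return 0; }` in send_raw_ip reports success for a packet that was never sent, so callers cannot tell a dropped packet from a delivered one. If that is the intended contract it should be stated in a comment, e.g. `// connection disabled by the RST limit in recv_raw_tcp: drop the packet but report success so the upper layers keep running until the state is reset`. A `log_debug` line here would also make the disabled period visible when diagnosing a stalled tunnel, since the only other trace is the single warning emitted when the limit is crossed.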
@@ -1445,7 +1450,36 @@ int recv_raw_tcp(raw_info_t &raw_info,char * &payload,int &payloadlen) if(tcph->rst==1) { - mylog(log_error,"[%s,%d]rst==1\n",my_ntoa(recv_info.src_ip),recv_info.src_port); + raw_info.rst_received++; + if(max_rst_to_show>0) + { + if(raw_info.rst_received < max_rst_to_show) + { + mylog(log_warn,"[%s,%d]rst==1,cnt=%d\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received); + } + else if(raw_info.rst_received == max_rst_to_show) + { + mylog(log_warn,"[%s,%d]rst==1,cnt=%d >=max_rst_to_show, this log is muted for current connection\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received); + } + else + { + mylog(log_debug,"[%s,%d]rst==1,cnt=%d\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received); + } + } + if(max_rst_to_show==0) + { + mylog(log_debug,"[%s,%d]rst==1,cnt=%d\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received); + } + else + { + mylog(log_warn,"[%s,%d]rst==1,cnt=%d\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received); + } + + if(max_rst_allowed>=0 && raw_info.rst_received==max_rst_allowed+1 ) + { + mylog(log_warn,"[%s,%d]connection disabled because of rst_received %d > max_rst_allow=%d\n",my_ntoa(recv_info.src_ip),recv_info.src_port,(int)raw_info.rst_received,(int)max_rst_allowed ); + raw_info.disabled=1; + } } /* if(recv_info.has_ts) diff --git a/network.h b/network.h index 6e803f1..a87f458 100644 --- a/network.h +++ b/network.h @@ -77,12 +77,13 @@ struct raw_info_t { packet_info_t send_info; packet_info_t recv_info; - //int last_send_len; //int last_recv_len; u32_t reserved_send_seq; //uint32_t first_seq,first_ack_seq; + int rst_received=0; + bool disabled=0; };//g_raw_info;
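Review bot: The second logging block is not chained to the first, so with the default `max_rst_to_show=15` every RST is logged twice and the trailing `else` logs it at log_warn unconditionally, which makes the "this log is muted" message false; `if(max_rst_to_show==0)` should read `else if(max_rst_to_show==0)` so that the three cases (>0 capped, ==0 debug only, <0 unlimited) are exclusive. Nothing in this hunk ties the RST to the expected sequence number, so unless recv_raw_tcp validates that elsewhere (the function starts and ends outside the hunk), any host able to spoof the peer's address can push `rst_received` past `max_rst_allowed` and set `disabled`, turning the limit into a denial-of-service lever; that caveat belongs in a comment next to `raw_info.disabled=1;` and in the option's documentation, together with the fact that the default -1 keeps the feature off. `rst_received` also keeps counting after the connection is disabled, so a long-lived connection under continuous RSTs can eventually overflow the signed int; stopping the increment once `disabled` is set, or saturating the counter, avoids that undefined behaviour.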
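Review bot: `bool disabled=0;` initialises a bool from an int literal; write `bool disabled=false;`. Both new fields of raw_info_t are undocumented although other files depend on their meaning: `int rst_received=0; //RST segments seen on this connection, counted in recv_raw_tcp` and `bool disabled=false; //set by recv_raw_tcp once rst_received exceeds max_rst_allowed; send_raw_ip drops all output while set`. Every existing copy of raw_info_t (recover() in connection.cpp, `conn_info.raw_info=tmp_raw_info` in main.cpp) now copies these flags as well, which is why recover() has to reset them; a short note on the struct would save the next reader from rediscovering that.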