[Bug 61179] New: TTLimit directive to set maximum allowed IP_TTL

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] New: TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

            Bug ID: 61179
           Summary: TTLimit directive to set maximum allowed IP_TTL
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: All
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Hi,

I would like to propose this patchset allowing to set maximum TTL value for
incoming requests. This is not a usual use case, but I'm interested (maybe
others too) to have this in place. The real use case would be like this one
http://blog.donatas.net/blog/2017/04/20/http-request-validation/.

TL;DR: if you want to deny requests bypassing proxy layer (in this case Apache
operates as a backend). Hence set TTLimit to 1 and Apache will be able to
handle requests coming almost from the local network, because packets with TTL
usually come from local networks.

commit 5b28a17bdf8a86fa4cccc9a76ce474e5afdb434e
Author: ton31337 <[hidden email]>
Date:   Mon Jun 12 17:36:13 2017 +0300

    Add `TTLimit` security check feature

diff --git a/include/ap_listen.h b/include/ap_listen.h
index 58c2574..e20c566 100644
--- a/include/ap_listen.h
+++ b/include/ap_listen.h
@@ -133,6 +133,7 @@ AP_DECLARE_NONSTD(int)
ap_close_selected_listeners(ap_slave_t *);
  * LISTEN_COMMANDS in their command_rec table so that these functions are
  * called.
  */
+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd, void *dummy,
const char *arg);
 AP_DECLARE_NONSTD(const char *) ap_set_listenbacklog(cmd_parms *cmd, void
*dummy, const char *arg);
 AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd, void
*dummy, const char *arg);
 AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
@@ -144,6 +145,8 @@ AP_DECLARE_NONSTD(const char *)
ap_set_receive_buffer_size(cmd_parms *cmd,
                                                            const char *arg);

 #define LISTEN_COMMANDS \
+AP_INIT_TAKE1("TTLimit", ap_set_ttl_limit, NULL, RSRC_CONF, \
+  "Maximum TTL value which will be accepted"), \
 AP_INIT_TAKE1("ListenBacklog", ap_set_listenbacklog, NULL, RSRC_CONF, \
   "Maximum length of the queue of pending connections, as used by listen(2)"),
\
 AP_INIT_TAKE1("ListenCoresBucketsRatio", ap_set_listencbratio, NULL,
RSRC_CONF, \
diff --git a/server/listen.c b/server/listen.c
index 98cd117..bc498e3 100644
--- a/server/listen.c
+++ b/server/listen.c
@@ -186,6 +186,21 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec
*server)
         return stat;
     }

+    if (ap_ttl_limit) {
+        int thesock;
+        apr_os_sock_get(&thesock, s);
+        if (setsockopt(thesock, IPPROTO_IP, IP_TTL,
+                       &ap_ttl_limit, sizeof(int)) < 0) {
+            stat = apr_get_netos_error();
+            ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(02638)
+                          "make_sock: for address %pI, apr_socket_opt_set: "
+                          "(IP_TTL)",
+                          server->bind_addr);
+            apr_socket_close(s);
+            return stat;
+        }
+    }
+
 #ifdef WIN32
     /* I seriously doubt that this would work on Unix; I have doubts that
      * it entirely solves the problem on Win32.  However, since setting
@@ -758,6 +773,7 @@ AP_DECLARE(void) ap_listen_pre_config(void)
     ap_listen_buckets = NULL;
     ap_num_listen_buckets = 0;
     ap_listenbacklog = DEFAULT_LISTENBACKLOG;
+    ap_ttl_limit = 255;
     ap_listencbratio = 0;

     /* Check once whether or not SO_REUSEPORT is supported. */
@@ -863,6 +879,26 @@ AP_DECLARE_NONSTD(const char *)
ap_set_listenbacklog(cmd_parms *cmd,
     return NULL;
 }

+AP_DECLARE_NONSTD(const char *) ap_set_ttl_limit(cmd_parms *cmd,
+                                                 void *dummy,
+                                                 const char *arg)
+{
+    int b;
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    if (err != NULL) {
+        return err;
+    }
+
+    b = atoi(arg);
+    if (b < 1 || b > 255) {
+        return "TTLimit > 0 and TTLimit < 255";
+    }
+
+    ap_ttl_limit = b;
+    return NULL;
+}
+
 AP_DECLARE_NONSTD(const char *) ap_set_listencbratio(cmd_parms *cmd,
                                                      void *dummy,
                                                      const char *arg)

Waiting for comments,
D.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

Donatas Abraitis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

Donatas Abraitis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|All                         |Core

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

Donatas Abraitis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

Donatas Abraitis <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                URL|                            |http://blog.donatas.net/blo
                   |                            |g/2017/04/20/http-request-v
                   |                            |alidation/

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61179] TTLimit directive to set maximum allowed IP_TTL

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61179

--- Comment #1 from Donatas Abraitis <[hidden email]> ---
Created attachment 35048
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35048&action=edit
TTLimit directive

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Loading...