Fix bug with IPv6 in mod_evasive

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2222 152afb58-edef-0310-8abb-c4023f1b3aa9
2008-07-28 08:43:19 +00:00 · 2008-07-28 08:43:19 +00:00 · 543830266c
parent f08cd32877
commit 543830266c
2 changed files with 33 additions and 10 deletions
--- a/1
+++ b/1
@ -29,6 +29,7 @@ NEWS
  * let spawn-fcgi propagate exit code from spawned fcgi application
  * close connection after redirect in trigger_b4_dl (thx icy)
  * close connection in mod_magnet if returned status code
+  * fix bug with IPv6 in mod_evasive (#1579)

 - 1.4.19 - 2008-03-10

--- a/src/mod_evasive.c
+++ b/src/mod_evasive.c
@ -138,24 +138,46 @@ URIHANDLER_FUNC(mod_evasive_uri_handler) {
 	/* no limit set, nothing to block */
 	if (p->conf.max_conns == 0) return HANDLER_GO_ON;

+	switch (con->dst_addr.plain.sa_family) {
+		case AF_INET:
+#ifdef HAVE_IPV6
+		case AF_INET6:
+#endif
+			break;
+		default: // Address family not supported
+			return HANDLER_GO_ON;
+	};
+
 	for (j = 0; j < srv->conns->used; j++) {
 		connection *c = srv->conns->ptr[j];

 		/* check if other connections are already actively serving data for the same IP
 		 * we can only ban connections which are already behind the 'read request' state
 		 * */
-		if (c->dst_addr.ipv4.sin_addr.s_addr == con->dst_addr.ipv4.sin_addr.s_addr &&
-		    c->state > CON_STATE_REQUEST_END) {
-			conns_by_ip++;
+		if (c->dst_addr.plain.sa_family != con->dst_addr.plain.sa_family) continue;
+		if (c->state <= CON_STATE_REQUEST_END) continue;

-			if (conns_by_ip > p->conf.max_conns) {
-				log_error_write(srv, __FILE__, __LINE__, "ss",
-					inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
-					"turned away. Too many connections.");
+		switch (con->dst_addr.plain.sa_family) {
+			case AF_INET:
+				if (c->dst_addr.ipv4.sin_addr.s_addr != con->dst_addr.ipv4.sin_addr.s_addr) continue;
+				break;
+#ifdef HAVE_IPV6
+			case AF_INET6:
+				if (0 != memcmp(c->dst_addr.ipv6.sin6_addr.s6_addr, con->dst_addr.ipv6.sin6_addr.s6_addr, 16)) continue;
+				break;
+#endif
+			default: /* Address family not supported, should never be reached */
+				continue;
+		};
+		conns_by_ip++;

-				con->http_status = 403;
-				return HANDLER_FINISHED;
-			}
+		if (conns_by_ip > p->conf.max_conns) {
+			log_error_write(srv, __FILE__, __LINE__, "ss",
+				inet_ntop_cache_get_ip(srv, &(con->dst_addr)),
+				"turned away. Too many connections.");
+
+			con->http_status = 403;
+			return HANDLER_FINISHED;
 		}
 	}