/*
 * Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2005, 2008, 2009, 2010,
 *               2011, 2012, 2013, 2019
 *      Inferno Nettverk A/S, Norway.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. The above copyright notice, this list of conditions and the following
 *    disclaimer must appear in all copies of the software, derivative works
 *    or modified versions, and any portions thereof, aswell as in all
 *    supporting documentation.
 * 2. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by
 *      Inferno Nettverk A/S, Norway.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * Inferno Nettverk A/S requests users of this software to return to
 *
 *  Software Distribution Coordinator  or  sdc@inet.no
 *  Inferno Nettverk A/S
 *  Oslo Research Park
 *  Gaustadalléen 21
 *  NO-0349 Oslo
 *  Norway
 *
 * any improvements or extensions that they make and grant Inferno Nettverk A/S
 * the rights to redistribute these changes.
 *
 */

/* $Id: config.h,v 1.137.10.3 2020/11/11 16:11:50 karls Exp $ */

/*
 * NOTE(review): an identifier starting with '_' followed by an uppercase
 * letter is reserved for the implementation (C11 7.1.3).  The guard is
 * left as-is here because other files may test it; renaming it to e.g.
 * CONFIG_H would need a tree-wide check first.
 */
#ifndef _CONFIG_H_
#define _CONFIG_H_

/*
 * Compile-time tunables for the Dante servers (sockd, barefootd, covenantd)
 * and the client library.  Everything in this file is put here so you can
 * change it to suit your particular installation.  You should not need to
 * change any other files.
 *
 * Several of the variables can have a big impact on performance,
 * latency and throughput.  Tuning the server to the optimum for
 * your particular environment might be difficult, but hopefully
 * the defaults as set in this file will provide an adequate
 * compromise in most cases.
 *
 * Most values are wrapped in #ifndef so a build can override them with
 * -D<NAME>=<value> without editing this file.
 */



/*
 * default client/server lockfile (put in $TMPDIR, or /tmp).
 * Put this on a fast, low-latency fs.  Under /tmp is usually good.
 * Note that if set, $TMPDIR is prefixed to this path.
 *
 * The trailing run of 'X' looks like a mkstemp(3)-style template;
 * since the file lives in a world-writable directory, the creating code
 * should be using mkstemp()/O_EXCL semantics so the file is created
 * atomically with restrictive permissions -- confirm against the caller.
 */
#define SOCKS_LOCKFILE ".sockslockXXXXXXXXXX"

/*
 * default server file for shared memory mappings (put in $TMPDIR, or /tmp).
 * Put this on a fast, low-latency fs.  Under /tmp is usually good.
 * Note that if set, $TMPDIR is prefixed to this path.
 *
 * Same template/atomic-creation consideration as SOCKS_LOCKFILE above; this
 * file backs memory shared between server processes, so its permissions
 * determine who can read or alter that shared state.
 */
#define SOCKD_SHMEMFILE ".sockdshmemXXXXXXXXXX"

#if COVENANT

/*
 * max length of a http request.  XXX probably too small.
 * This is the upper bound on what is buffered from a not yet authenticated
 * client, so raising it also raises per-connection memory use.
 */
#define MAXREQLEN (2048)

#define DEFAULT_REALMNAME "not the Inferno Nettverk A/S realm"

#elif SOCKS_SERVER /* !COVENANT */

/*
 * max length of a socks request, excluding gssapi-stuff.
 * struct request_t is defined elsewhere (not in this header).
 */
#define MAXREQLEN (sizeof(struct request_t))

#endif /* SOCKS_SERVER */


/* if profiling is enabled, directory to store profile files in. */
#define SOCKS_PROFILEDIR "./.prof"


/*
 * stuff only related to the server.
 */

/* loglevel used for alarms. */
#define LOG_ALARM (LOG_WARNING)

/*
 * If we are compiling with libwrap support, this sets the maximum
 * line length for a libwrap line.  Should be the same or less as the
 * one libwrap uses internally, but we don't have access to that size.
 */
#if HAVE_LIBWRAP
#define LIBWRAPBUF (200)
#endif /* HAVE_LIBWRAP */

/*
 * Name to give as servicename when starting pam for rules that don't
 * set it.  Selected by which server is being built.
 */
#if SOCKS_SERVER
#define DEFAULT_PAMSERVICENAME "sockd"
#elif BAREFOOTD
#define DEFAULT_PAMSERVICENAME "barefootd"
#else
#define DEFAULT_PAMSERVICENAME "covenantd"
#endif

/*
 * Name to give as stylename when using bsdauth for rules that don't
 * set it.
 */
#define DEFAULT_BSDAUTHSTYLENAME "" /* use ""; NULL is the default value. */

/*
 * Name to give as servicename when starting gssapi for rules that don't
 * set it.
 *
 * The keytab holds the server's long-term GSSAPI/Kerberos keys; it should
 * be readable only by the user the server runs as.
 */
#define DEFAULT_GSSAPISERVICENAME "rcmd"
#define DEFAULT_GSSAPIKEYTAB "FILE:/etc/sockd.keytab"


/*
 * Name to give as USER when using PAM and username is not available
 * (such as when pam is used as a clientmethod).
 * (Comment relocated from the end of the file, where it stood above
 * no macro.)
 */
#define DEFAULT_PAM_USER "rhostusr"

/*
 * Name to give as RUSER when using PAM (corresponds to username of client).
 */

#define DEFAULT_PAM_RUSER "rhostusr"

/* default port for server to listen on. */
#define SOCKD_PORT (1080)

/*
 * Internal buffer size for network i/o.  This is the amount of
 * buffer space set aside internally by the server for each socket.
 * It is *not* the socket buffer size.
 */

#ifndef SOCKD_BUFSIZE
#if HAVE_GSSAPI
/*
 * Warning: this size needs to be at least big enough to hold two max-size
 * gssapi encoded tokens, or two max-size gssapi decoded tokens.
 * Assuming a decoded token will never be bigger than an encoded token.
 * MAXGSSAPITOKENLEN and GSSAPI_HLEN are defined elsewhere.
 */
#define SOCKD_BUFSIZE (2 * (MAXGSSAPITOKENLEN + GSSAPI_HLEN))
#else /* !HAVE_GSSAPI */
/*
 * Warning: this size needs to be at least big enough to hold one max-size
 * udp packet.
 */
#define SOCKD_BUFSIZE (1024 * 64 * 1)
#endif /* !HAVE_GSSAPI */
#endif /* SOCKD_BUFSIZE */

/* max number of clients pending to server (argument to listen()).
 * The Apache people say:
 *      It defaults to 511 instead of 512 because some systems store it
 *      as an 8-bit data type; 512 truncated to 8-bits is 0, while 511 is
 *      255 when truncated.
 */
#define SOCKD_MAXCLIENTQUEUE (511)

/* how long a route blacklist should last. */
#define ROUTEBLACKLIST_SECONDS (60 * 5)

/*
 * We try to cache resolved hostnames and addresses.  The following
 * values affect this.
 */

/* cache entries we should allocate for caching hostnames/addresses. */
#define SOCKD_HOSTCACHE (512)

/*
 * seconds a cache entry is to be considered valid.  Don't set below 1.
 * A longer timeout means a changed DNS answer takes longer to be seen.
 */
#define SOCKD_CACHETIMEOUT (60 * 5)

/*
 * print some statistics for every SOCKD_LDAPCACHE_STAT lookups.
 * 0 to disable.  (Despite sitting in the hostname-cache section, the
 * macro name refers to the LDAP cache configured further below.)
 */
#define SOCKD_LDAPCACHE_STAT (0)


/*
 * Dante supports one process handling N clients, where the max value for
 * 'N' is limited by your system.
 *
 * There are two defines that govern this; SOCKD_NEGOTIATEMAX and SOCKD_IOMAX.
 * Note that these only govern how many clients a process can handle,
 * Dante will automatically create as many processes as it needs as
 * the need arises.
 */

/*
 * max number of clients each negotiate process will handle at a time.
 * You can probably set this to a big number.
 * Each client will occupy one file descriptor.
 * PRERELEASE builds use a tiny value so the process-spawning paths are
 * exercised under test.
 */
#ifndef SOCKD_NEGOTIATEMAX
#if PRERELEASE
#define SOCKD_NEGOTIATEMAX (2)
#else
#define SOCKD_NEGOTIATEMAX (96)
#endif /* !PRERELEASE */
#endif /* SOCKD_NEGOTIATEMAX */

/*
 * max number of clients each i/o process will handle.
 * Each client will occupy up to three file descriptors.
 * While shortage of slots in the other processes will create a
 * delay for the client, shortage of i/o slots will prevent the client
 * from doing any i/o until a i/o slot has become available.  It is
 * therefore important that enough i/o slots are available at all times.
 */

#ifndef SOCKD_IOMAX
#if PRERELEASE
#define SOCKD_IOMAX (2)
#else
#define SOCKD_IOMAX (32)
#endif /* !PRERELEASE */
#endif /* SOCKD_IOMAX */

#if SOCKD_NEGOTIATEMAX < 1 || SOCKD_IOMAX < 1
#error "SOCKD_NEGOTIATEMAX and SOCKD_IOMAX can not be less than 1"
#endif

/*
 * Number of slots to try and keep available for new clients at any given time.
 * The server tries to be a little more intelligent about this, but not much.
 * MAX() and SOCKD_REQUESTMAX come from other headers.
 */
#define SOCKD_FREESLOTS_NEGOTIATE (MAX(SOCKD_NEGOTIATEMAX, 8))
#define SOCKD_FREESLOTS_REQUEST (MAX(SOCKD_REQUESTMAX, 16))
#define SOCKD_FREESLOTS_IO (MAX(SOCKD_IOMAX, 32))

/* one logical #if condition (the original spread it over continued lines). */
#if SOCKD_FREESLOTS_NEGOTIATE < 1 || SOCKD_FREESLOTS_REQUEST < 1 || SOCKD_FREESLOTS_IO < 1
#error "SOCKD_FREESLOTS_* can not be less than 1"
#endif /* SOCKD_FREESLOTS < 1 */

/*
 * LDAP variables.
 */

/*
 * Cache for LDAP stuff.
 */

/* number of entries in cache. */
#ifndef SOCKD_LDAPCACHE
#if PRERELEASE
#define SOCKD_LDAPCACHE (1)
#else
#define SOCKD_LDAPCACHE (512)
#endif /* PRERELEASE */
#endif /* SOCKD_LDAPCACHE */

/*
 * Seconds a (user) cache entry is to be considered valid.
 * Don't set below 1.
 * Note that a cached positive result keeps granting access for this long
 * after the directory entry changes.
 */
#ifndef SOCKD_LDAPCACHE_TIMEOUT
#if PRERELEASE
#define SOCKD_LDAPCACHE_TIMEOUT (5)
#else
#define SOCKD_LDAPCACHE_TIMEOUT (60 * 15)
#endif /* PRERELEASE */
#endif /* SOCKD_LDAPCACHE_TIMEOUT */

/*
 * Seconds a (sid) cache entry is to be considered valid.
 */
#ifndef SOCKD_LDAP_SID_CACHE_TIMEOUT
#if PRERELEASE
#define SOCKD_LDAP_SID_CACHE_TIMEOUT (15)
#else
#define SOCKD_LDAP_SID_CACHE_TIMEOUT (24 * 60 * 60)
#endif /* PRERELEASE */
#endif /* SOCKD_LDAP_SID_CACHE_TIMEOUT */

/*
 * Name to give as filter and attribute name for ldap server.
 *
 * The "%s" in these filter templates is expanded with a client-supplied
 * username.  NOTE(review): that value must be escaped per RFC 4515 before
 * substitution or a crafted username can alter the filter; confirm the
 * expansion site does this.
 */
#define DEFAULT_LDAP_FILTER "(memberuid=%s)"
#define DEFAULT_LDAP_ATTRIBUTE "cn"

/*
 * Name to give as filter and attribute name for Active Directory server.
 * Same RFC 4515 escaping consideration as DEFAULT_LDAP_FILTER.
 */
#define DEFAULT_LDAP_FILTER_AD "(samaccountname=%s)"
#define DEFAULT_LDAP_ATTRIBUTE_AD "memberof"

/*
 * Name to give as filter for user to DN mapping for ldap authentication.
 * Same RFC 4515 escaping consideration as DEFAULT_LDAP_FILTER.
 */
#define DEFAULT_LDAP_AUTH_FILTER "(uid=%s)"
#define DEFAULT_LDAP_AUTH_FILTER_AD "(samaccountname=%s)"

/*
 * Name to give as ca cert file or cert db path.
 * These anchor verification of the LDAP server's TLS certificate.
 */
#define DEFAULT_LDAP_CACERTFILE "/etc/ssl/certs/cert.pem"
#define DEFAULT_LDAP_CERTDBPATH "/etc/certs"


#if BAREFOOTD
/*
 * each i/o process should attempt to handle at least this many udp clients.
 * Note that there is no hardcoded bound on this in Barefoot, this is only
 * limited by system resources.  If the system resources are too low for
 * this value, we will complain when starting up though.
 */
#define MIN_UDPCLIENTS (512)
#endif /* BAREFOOTD */

#endif /* !_CONFIG_H_ */