From patchwork Fri Sep 29 06:24:58 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 4
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 29 Sep 2017 18:24:58 +0200
Message-Id: <20170929162458.16514-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 0/2] Reject client if PF plugin is configured, but init fails

This changes the behavior for pf plugins: instead of just not initializing the firewall rules and happily continuing, this now rejects the client in the case of an (unlikely) failure to initialize the pf.

Signed-off-by: Steffan Karger
--- src/openvpn/pf.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index 5cb002bf..29231b67 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c 
@@ -639,10 +639,11 @@ pf_init_context(struct context *c) } #endif } - else - { - msg(M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled"); - } + } + if (!c->c2.pf.enabled) + { + msg(M_WARN, "WARNING: failed to init PF plugin, rejecting client."); + register_signal(c, SIGUSR1, "plugin-pf-init-failed"); } } #endif /* ifdef PLUGIN_PF */
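
Review bot: The new `if (!c->c2.pf.enabled)` block has no comment explaining why a false `enabled` at this point means initialisation failed, and because it sits one brace level outside the removed `else`, it now fires on every path that leaves the flag unset, not only the branch the old warning covered. A one-line comment above the check, plus a log message that says which step failed, would make the fail-closed intent clear to the next reader. There is also no `return` after `register_signal(c, SIGUSR1, "plugin-pf-init-failed");`, so whatever follows `#endif /* ifdef PLUGIN_PF */` in `pf_init_context` still runs for a client that is about to be rejected; either return there or confirm that the remaining code is safe to run with PF uninitialised.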