From patchwork Wed Nov 1 11:03:40 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 43
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 1 Nov 2017 23:03:40 +0100
Message-Id: <20171101220342.14648-3-steffan@karger.me>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20171101220342.14648-1-steffan@karger.me>
References: <1505424872-27434-1-git-send-email-steffan.karger@fox-it.com> <20171101220342.14648-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/4 v2] pf: reject client if PF plugin is configured, but init fails

This changes the behavior for pf plugins: instead of just not initializing the firewall rules and happily continuing, this now rejects the client in the case of an (unlikely) failure to initialize the pf.

Signed-off-by: Steffan Karger
Acked-by: Antonio Quartulli
---
v3: return immediately after registering signal

 src/openvpn/pf.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c
index e1b5b0e7..6e4107c5 100644
--- a/src/openvpn/pf.c
+++ b/src/openvpn/pf.c
@@ -638,10 +638,12 @@ pf_init_context(struct context *c) } #endif } - else - { - msg(M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled"); - } + } + if (!c->c2.pf.enabled) + { + msg(M_WARN, "WARNING: failed to init PF plugin, rejecting client."); + register_signal(c, SIGUSR1, "plugin-pf-init-failed"); + return; } } #endif /* ifdef PLUGIN_PF */
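Review bot: the bare `return;` added right after `register_signal(c, SIGUSR1, "plugin-pf-init-failed");` leaves pf_init_context before anything that follows the `#endif /* ifdef PLUGIN_PF */` block; the hunk does not show the tail of the function, so please confirm that no cleanup there (for example freeing a local gc arena used for the temp file name, or the MANAGEMENT_PF fallback) is expected to run on this failure path, and if it is, jump to a cleanup label instead of returning. The rejection itself is placed correctly: the new `}` closes the `if (pf_file)` block first, so `if (!c->c2.pf.enabled)` sits inside the plugin-defined branch and only fires when a PF plugin is configured and either the temp file or the plugin call failed, which matches the subject line. One documentation nit: the changelog under `---` says "v3" while the subject says "[PATCH 2/4 v2]"; align the two so reviewers know which revision this is.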