From patchwork Sat Sep 17 13:10:30 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2771
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Cc: Dmitry Zelenkovsky
Date: Sun, 18 Sep 2022 01:10:30 +0200
Message-Id: <20220917231030.22565-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
Subject: [Openvpn-devel] [PATCH] implement --session-timeout

From: Dmitry Zelenkovsky

Disconnect clients after session-timeout expires.
session-timeout can be defined in ccd files in order to limit per-user connection time.

Signed-off-by: Dmitry Zelenkovsky
---
 src/openvpn/forward.c | 22 ++++++++++++++++++++++
 src/openvpn/init.c    |  7 +++++++
 src/openvpn/openvpn.h |  2 ++
 src/openvpn/options.c |  7 +++++++
 src/openvpn/options.h |  2 ++
 5 files changed, 40 insertions(+)

diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
index 3526dbf6..56ab5662 100644
--- a/src/openvpn/forward.c
+++ b/src/openvpn/forward.c
@@ -626,6 +626,21 @@ encrypt_sign(struct context *c, bool comp_frag) buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); } +/* + * Should we exit due to session timeout? + */ +static void +check_session_timeout(struct context *c) +{ + if (c->options.session_timeout + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, + ETT_DEFAULT)) + { + msg(M_INFO, "Session timeout, exiting"); + register_signal(c, SIGTERM, "session-timeout"); + } +} + /* * Coarse timers work to 1 second resolution. */ @@ -677,6 +692,13 @@ process_coarse_timers(struct context *c) return; } + /* kill session if time is over */ + check_session_timeout(c); + if (c->sig->signal_received) + { + return; + } + /* restart if ping not received */ check_ping_restart(c); if (c->sig->signal_received) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f2db8dd9..7b817612 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1322,6 +1322,13 @@ do_init_timers(struct context *c, bool deferred) event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); } + /* initialize inactivity timeout */ + if (c->options.session_timeout) + { + event_timeout_init(&c->c2.session_interval, c->options.session_timeout, + now); + } + /* initialize pings */ if (dco_enabled(&c->options)) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 00cd652f..f74125aa 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -288,6 +288,8 @@ struct context_2 struct event_timeout inactivity_interval; int64_t inactivity_bytes; + struct event_timeout session_interval; + /* the option strings must match across peers */ char *options_string_local; char *options_string_remote; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3d48c2d9..76c09a0a 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -261,6 +261,7 @@ static const char usage_message[] = " for m seconds.\n" "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n" " produces a combined in/out byte count < bytes.\n" + "--session-timeout n: Limit connection time to n seconds.\n" "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n" "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n" "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n" @@ -1818,6 +1819,7 @@ show_settings(const struct options *o) SHOW_INT(keepalive_ping); SHOW_INT(keepalive_timeout); SHOW_INT(inactivity_timeout); + SHOW_INT(session_timeout); SHOW_INT64(inactivity_minimum_bytes); SHOW_INT(ping_send_timeout); SHOW_INT(ping_rec_timeout); @@ -6583,6 +6585,11 @@ add_option(struct options *options, } } } + else if (streq(p[0], "session-timeout") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_TIMER); + options->session_timeout = positive_atoi(p[1]); + } else if (streq(p[0], "proto") && p[1] && !p[2]) { int proto; diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c9144154..a674a0a6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -317,6 +317,8 @@ struct options int inactivity_timeout; /* --inactive */ int64_t inactivity_minimum_bytes; + int session_timeout; /* Kill session after n seconds, regardless activity */ + int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ bool ping_timer_remote; /* Run ping timer only if we have a remote address */
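Review bot: In the forward.c hunk adding check_session_timeout(), the log line "Session timeout, exiting" does not say which option triggered the termination or what the limit was. Since this cap is meant to be set per client in a ccd file, an operator reading a busy server log needs to tell it apart from other terminations; suggest msg(M_INFO, "Session timeout (--session-timeout %d), exiting", c->options.session_timeout); so the reason string passed to register_signal() and the log message agree.

Review bot: In the process_coarse_timers() hunk, the comment "/* kill session if time is over */" is vaguer than the neighbouring "/* restart if ping not received */" style; suggest "/* terminate session once --session-timeout has expired */" so the comment names the option the check belongs to.

Review bot: In the init.c hunk, the comment above the new block is a copy-paste of the one above the inactivity block ("/* initialize inactivity timeout */") although the block initialises c->c2.session_interval from options.session_timeout; it should read "/* initialize session timeout */".

Review bot: The options.c usage hunk is the only documentation this patch adds for a new user-facing option, while the commit message describes ccd (per-client) use and the guards in init.c and forward.c give 0 the meaning "disabled". The usage text should state both, and the diffstat shows no change under doc/ (man page sections) or Changes.rst, which a new option needs before it can be merged.

Review bot: In the add_option() hunk, options->session_timeout = positive_atoi(p[1]) accepts any value without complaint. Because both the init.c and forward.c hunks treat a 0 value as "no limit" (if (c->options.session_timeout)), a malformed or explicit 0 in a ccd entry silently removes the per-user cap instead of failing loudly, which is the wrong failure mode for an option whose purpose is to enforce a hard limit. Suggest rejecting values that parse to <= 0 with msg(msglevel, "--session-timeout must be a positive number of seconds") and goto err like other validated options.

Review bot: In the options.h hunk, the field comment "Kill session after n seconds, regardless activity" has a grammar slip (should be "regardless of activity"), and the neighbouring field documents its option name (/* --inactive */); suggest "int session_timeout; /* --session-timeout: terminate after n seconds regardless of activity */".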