From patchwork Mon Sep 19 03:41:08 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2776
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 19 Sep 2022 15:41:08 +0200
Message-Id: <20220919134108.31316-1-a@unstable.cc>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220917231030.22565-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH v2] implement --session-timeout
Cc: Dmitry Zelenkovsky

From: Dmitry Zelenkovsky

Disconnect clients after session-timeout expires. session-timeout can be
defined in ccd files in order to limit per-user connection time.

Signed-off-by: Dmitry Zelenkovsky
---
Changes from v1:
* added documentation to manpage
* added entry in Changes.rst
---
 Changes.rst                         |  6 ++++++
 doc/man-sections/link-options.rst   | 15 +++++++++++++++
 doc/man-sections/server-options.rst |  2 +-
 src/openvpn/forward.c               | 22 ++++++++++++++++++++++
 src/openvpn/init.c                  |  7 +++++++
 src/openvpn/openvpn.h               |  2 ++
 src/openvpn/options.c               |  7 +++++++
 src/openvpn/options.h               |  2 ++
 8 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/Changes.rst b/Changes.rst index 2daa97fb..7c45a042 100644 --- a/Changes.rst +++ b/Changes.rst
@@ -93,6 +93,12 @@ Inline auth username and password missing OpenVPN will prompt for input via stdin. This applies to inline'd http-proxy-user-pass too. +Session timeout + It is now possible to terminate a session (or all) after a specified amount + of seconds has passed session commencement. This behaviour can be configured + using ``--session-timeout``. This option can be configured on the server, on + the client or can also be pushed. + Deprecated features ------------------- diff --git a/doc/man-sections/link-options.rst b/doc/man-sections/link-options.rst index 373193aa..5b310d92 100644 --- a/doc/man-sections/link-options.rst +++ b/doc/man-sections/link-options.rst @@ -427,6 +427,21 @@ the local and the remote host. default) and you are using either ``--secret`` (shared-secret key mode) or TLS mode with ``--tls-auth``. +--session-timeout n + Raises :code:`SIGTERM` for the client instance after ``n`` seconds since + the beginning of the session, forcing OpenVPN to disconnect. + In client mode, OpenVPN will disconnect and exit, while in server mode + all client sessions are terminated. + + This option can also be specified in a client instance config file + using ``--client-config-dir`` or dynamically generated using a + ``--client-connect`` script. In these cases, only the related client + session is terminated. + + When using option on the server side, it may be useful to push + ``--explicit-exit-notify`` in order to terminate a client session + and be informed about it. + --socket-flags flags Apply the given flags to the OpenVPN transport socket. Currently, only :code:`TCP_NODELAY` is supported. diff --git a/doc/man-sections/server-options.rst b/doc/man-sections/server-options.rst index 54ea8b66..9d0c73b6 100644 --- a/doc/man-sections/server-options.rst +++ b/doc/man-sections/server-options.rst 
@@ -426,7 +426,7 @@ fast hardware. SSL/TLS authentication must be used in this mode. ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, - ``--rcvbuf`` + ``--rcvbuf``, ``--session-timeout`` --push-remove opt Selectively remove all ``--push`` options matching "opt" from the option diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c index e5cee665..810cb8a7 100644 --- a/src/openvpn/forward.c +++ b/src/openvpn/forward.c @@ -630,6 +630,21 @@ encrypt_sign(struct context *c, bool comp_frag) buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); } +/* + * Should we exit due to session timeout? + */ +static void +check_session_timeout(struct context *c) +{ + if (c->options.session_timeout + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, + ETT_DEFAULT)) + { + msg(M_INFO, "Session timeout, exiting"); + register_signal(c, SIGTERM, "session-timeout"); + } +} + /* * Coarse timers work to 1 second resolution. */ @@ -681,6 +696,13 @@ process_coarse_timers(struct context *c) return; } + /* kill session if time is over */ + check_session_timeout(c); + if (c->sig->signal_received) + { + return; + } + /* restart if ping not received */ check_ping_restart(c); if (c->sig->signal_received) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index f2db8dd9..7b817612 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1322,6 +1322,13 @@ do_init_timers(struct context *c, bool deferred) event_timeout_init(&c->c2.inactivity_interval, c->options.inactivity_timeout, now); } + /* initialize inactivity timeout */ + if (c->options.session_timeout) + { + event_timeout_init(&c->c2.session_interval, c->options.session_timeout, + now); + } + /* initialize pings */ if (dco_enabled(&c->options)) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 00cd652f..f74125aa 100644 
--- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -288,6 +288,8 @@ struct context_2 struct event_timeout inactivity_interval; int64_t inactivity_bytes; + struct event_timeout session_interval; + /* the option strings must match across peers */ char *options_string_local; char *options_string_remote; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 93db0865..4566172b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -261,6 +261,7 @@ static const char usage_message[] = " for m seconds.\n" "--inactive n [bytes] : Exit after n seconds of activity on tun/tap device\n" " produces a combined in/out byte count < bytes.\n" + "--session-timeout n: Limit connection time to n seconds.\n" "--ping-exit n : Exit if n seconds pass without reception of remote ping.\n" "--ping-restart n: Restart if n seconds pass without reception of remote ping.\n" "--ping-timer-rem: Run the --ping-exit/--ping-restart timer only if we have a\n" @@ -1823,6 +1824,7 @@ show_settings(const struct options *o) SHOW_INT(keepalive_ping); SHOW_INT(keepalive_timeout); SHOW_INT(inactivity_timeout); + SHOW_INT(session_timeout); SHOW_INT64(inactivity_minimum_bytes); SHOW_INT(ping_send_timeout); SHOW_INT(ping_rec_timeout); @@ -6598,6 +6600,11 @@ add_option(struct options *options, } } } + else if (streq(p[0], "session-timeout") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_TIMER); + options->session_timeout = positive_atoi(p[1]); + } else if (streq(p[0], "proto") && p[1] && !p[2]) { int proto; diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 4332acd3..2fb85b58 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -317,6 +317,8 @@ struct options int inactivity_timeout; /* --inactive */ int64_t inactivity_minimum_bytes; + int session_timeout; /* Kill session after n seconds, regardless activity */ + int ping_send_timeout; /* Send a TCP/UDP ping to remote every n seconds */ int ping_rec_timeout; /* Expect a TCP/UDP ping from remote at least once every n seconds */ bool ping_timer_remote; /* Run ping timer only if we have a remote address */
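Review bot: the new "Session timeout" entry in the Changes.rst hunk is ungrammatical ("after a specified amount of seconds has passed session commencement"); suggest "after a specified number of seconds have passed since the session commenced". "terminate a session (or all)" is also hard to parse on its own; spell out, as the link-options.rst text does, that on a server without a per-client setting every client session is terminated, while a ccd or client-connect setting affects only that client.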
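Review bot: in the link-options.rst hunk, "When using option on the server side" is missing the article ("When using this option on the server side"). The entry also opens with "Raises :code:`SIGTERM` for the client instance" and only then explains that in client mode the whole process exits and in plain server mode all sessions end; leading with the general behaviour ("Terminates the session after ``n`` seconds") and then the per-mode and per-client (``--client-config-dir`` / ``--client-connect``) detail would read more clearly, and the last paragraph should say what pushing ``--explicit-exit-notify`` actually buys the operator rather than "be informed about it".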
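Review bot: in the first forward.c hunk, both the comment "Should we exit due to session timeout?" and the log line "Session timeout, exiting" describe a process exit, but according to the man page text in this same patch a ccd or client-connect value only tears down the one client instance and the server keeps running; suggest wording that is correct in both cases, e.g. "Session timeout (--session-timeout), terminating session", which also mirrors the existing inactivity message style by naming the option that fired.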
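Review bot: the comment above the new block in the init.c hunk says "/* initialize inactivity timeout */" but the code arms c->c2.session_interval; it is a copy of the comment on the preceding block and should read "/* initialize session timeout */". Separately, event_timeout_init() is passed `now` at whatever point do_init_timers() runs, so if this function is re-entered for deferred timer options (as its `deferred` parameter suggests) a value arriving via ccd, client-connect or push is measured from the moment those options are applied rather than from the initial connection; the man page's "since the beginning of the session" should state which of the two is meant.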
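Review bot: in the add_option() hunk in options.c, positive_atoi(p[1]) maps a negative or non-numeric argument to 0, and 0 is exactly the "feature disabled" value tested by check_session_timeout(); a typo in a ccd file ("--session-timeout 3O0") therefore silently removes the per-user limit instead of being reported. Suggest rejecting a result of 0 with the usual msg(msglevel, ...) / goto err pattern used elsewhere in add_option(), so a misconfigured limit fails loudly.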
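Review bot: in the show_settings() hunk, SHOW_INT(session_timeout) is inserted between SHOW_INT(inactivity_timeout) and SHOW_INT64(inactivity_minimum_bytes), splitting the two --inactive settings; place it after SHOW_INT64(inactivity_minimum_bytes) (matching where options.h puts the field) so the dumped settings stay grouped by option.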
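Review bot: the field comment in the options.h hunk, "Kill session after n seconds, regardless activity", is missing "of"; since the neighbouring fields name their option (e.g. "/* --inactive */"), suggest "/* --session-timeout: terminate session after n seconds regardless of activity */".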