Incremented version to 2.1_rc7d.

Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
author: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2008-06-04 05:16:44 +0000
committer: james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> 2008-06-04 05:16:44 +0000
commit: 47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 (patch)
tree: 0f47ea714dda8312ee85fe7530ee231c59b91221 /multi.c
parent: Fixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1 (diff)
download: openvpn-47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196.tar.xz
1 files changed, 41 insertions, 10 deletions
diff --git a/multi.c b/multi.c
index 54e1d76..431ad95 100644
--- a/multi.c
+++ b/multi.c
@@ -229,6 +229,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
    * which is seen on the TCP/UDP socket.
    */
   m->hash = hash_init (t->options.real_hash_size,
+		       get_random (),
 		       mroute_addr_hash_function,
 		       mroute_addr_compare_function);
 
@@ -237,6 +238,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
    * which client to route a packet to. 
    */
   m->vhash = hash_init (t->options.virtual_hash_size,
+			get_random (),
 			mroute_addr_hash_function,
 			mroute_addr_compare_function);
 
@@ -246,6 +248,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
    * for fast iteration through the list.
    */
   m->iter = hash_init (1,
+		       get_random (),
 		       mroute_addr_hash_function,
 		       mroute_addr_compare_function);
 
@@ -1818,12 +1821,29 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins
 		      /* if dest addr is a known client, route to it */
 		      if (mi)
 			{
-			  multi_unicast (m, &c->c2.to_tun, mi);
-			  register_activity (c, BLEN(&c->c2.to_tun));
+#ifdef ENABLE_PF
+			  if (!pf_c2c_test (c, &mi->context))
+			    {
+			      msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",
+				   np (mi->msg_prefix));
+			    }
+			  else
+#endif
+			    {
+			      multi_unicast (m, &c->c2.to_tun, mi);
+			      register_activity (c, BLEN(&c->c2.to_tun));
+			    }
 			  c->c2.to_tun.len = 0;
 			}
 		    }
 		}
+#ifdef ENABLE_PF
+	      else if (!pf_addr_test (c, &dest))
+		{
+		  msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",
+		       mroute_addr_print (&dest, &gc));
+		}
+#endif
 	    }
 	  else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)
 	    {
@@ -1936,17 +1956,28 @@ multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flag
 		  
 		  set_prefix (m->pending);
 
-		  if (multi_output_queue_ready (m, m->pending))
+#ifdef ENABLE_PF
+		  if (!pf_addr_test (c, &src))
 		    {
-		      /* transfer packet pointer from top-level context buffer to instance */
-		      c->c2.buf = m->top.c2.buf;
+		      msg (D_PF, "PF: [%s] -> client packet dropped by packet filter",
+			   mroute_addr_print (&src, &gc));
+		      buf_reset_len (&c->c2.buf);
 		    }
 		  else
-		    {
-		      /* drop packet */
-		      msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
-		      buf_clear (&c->c2.buf);
-		    }
+#endif
+		  {
+		    if (multi_output_queue_ready (m, m->pending))
+		      {
+			/* transfer packet pointer from top-level context buffer to instance */
+			c->c2.buf = m->top.c2.buf;
+		      }
+		    else
+		      {
+			/* drop packet */
+			msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
+			buf_reset_len (&c->c2.buf);
+		      }
+		  }
 	      
 		  /* encrypt in instance context */
 		  process_incoming_tun (c);
author	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2008-06-04 05:16:44 +0000
committer	james <james@e7ae566f-a301-0410-adde-c780ea21d3b5>	2008-06-04 05:16:44 +0000
commit	47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 (patch)
tree	0f47ea714dda8312ee85fe7530ee231c59b91221 /multi.c
parent	Fixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1 (diff)
download	openvpn-47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196.tar.xz