authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-06-04 05:16:44 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2008-06-04 05:16:44 +0000
commit47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196 (patch)
tree0f47ea714dda8312ee85fe7530ee231c59b91221 /multi.c
parentFixed a bug in plugin.c that caused openvpn_plugin_client_destructor_v1 (diff)
downloadopenvpn-47ae8457f9e9c2bb0f5c1e8f28822e1bbc16c196.tar.xz
Incremented version to 2.1_rc7d.
Support asynchronous authentication by plugins by allowing OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY to return OPENVPN_PLUGIN_FUNC_DEFERRED. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_DEF_AUTH. Added a simple packet filter functionality that can be driven by a plugin. See comments in openvpn-plugin.h for documentation. Enabled by ENABLE_PF. See openvpn/plugin/defer/simple.c for examples of ENABLE_DEF_AUTH and ENABLE_PF. "TLS Error: local/remote TLS keys are out of sync" is no longer a fatal error for TCP-based sessions, since the error can arise normally in the course of deferred authentication. In a related change, allow packet-id sequence to begin at some number n > 0 for TCP sessions, rather than strictly requiring sequence to begin at 1. Added a test to configure.ac for LoadLibrary function on Windows. Modified "make dist" function to include all files from install-win32 so that ./domake-win can be run from a tarball-expanded directory. setenv and setenv-safe directives may now omit a value argument which defaults to "". git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2978 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'multi.c')
-rw-r--r--multi.c51
1 files changed, 41 insertions, 10 deletions
diff --git a/multi.c b/multi.c
index 54e1d76..431ad95 100644
--- a/multi.c
+++ b/multi.c
@@ -229,6 +229,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
* which is seen on the TCP/UDP socket.
*/
m->hash = hash_init (t->options.real_hash_size,
+ get_random (),
mroute_addr_hash_function,
mroute_addr_compare_function);
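Review bot: The comment above `hash_init` still describes only what the table keys on, not why a `get_random ()` seed is now passed, so the intent of the new argument is undocumented at this call site and at the two that follow in the vhash and iter hunks. A one-line why-comment at the first call would cover all three, e.g. `/* per-process random seed so bucket placement is not predictable from the keyed addresses alone */`. That reading is inferred from the call, so confirm against how hash_init applies the seed before wording it. multi_init's body continues outside the hunk.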
@@ -237,6 +238,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
* which client to route a packet to.
*/
m->vhash = hash_init (t->options.virtual_hash_size,
+ get_random (),
mroute_addr_hash_function,
mroute_addr_compare_function);
@@ -246,6 +248,7 @@ multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int threa
* for fast iteration through the list.
*/
m->iter = hash_init (1,
+ get_random (),
mroute_addr_hash_function,
mroute_addr_compare_function);
@@ -1818,12 +1821,29 @@ multi_process_incoming_link (struct multi_context *m, struct multi_instance *ins
/* if dest addr is a known client, route to it */
if (mi)
{
- multi_unicast (m, &c->c2.to_tun, mi);
- register_activity (c, BLEN(&c->c2.to_tun));
+#ifdef ENABLE_PF
+ if (!pf_c2c_test (c, &mi->context))
+ {
+ msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",
+ np (mi->msg_prefix));
+ }
+ else
+#endif
+ {
+ multi_unicast (m, &c->c2.to_tun, mi);
+ register_activity (c, BLEN(&c->c2.to_tun));
+ }
c->c2.to_tun.len = 0;
}
}
}
+#ifdef ENABLE_PF
+ else if (!pf_addr_test (c, &dest))
+ {
+ msg (D_PF, "PF: client -> [%s] packet dropped by packet filter",
+ mroute_addr_print (&dest, &gc));
+ }
+#endif
}
else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)
{
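Review bot: The `pf_addr_test` drop branch added at the end of this hunk only logs; unlike the `if (mi)` branch, which discards the packet with `c->c2.to_tun.len = 0;` whether it routed or dropped it, nothing here clears `c->c2.to_tun`, so the filtered packet presumably still reaches the later tun write unless code outside the hunk resets it. Add `c->c2.to_tun.len = 0;` after the `msg (D_PF, ...)` call in that branch. Note also that this `else if` chains onto an `if` whose head is above the hunk, so it is not reached when `mi` is NULL inside that earlier branch; if that branch is the client-to-client case, a destination that is not a known client is never passed through `pf_addr_test` there, which is worth confirming. multi_process_incoming_link starts and ends outside the hunk.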
@@ -1936,17 +1956,28 @@ multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flag
set_prefix (m->pending);
- if (multi_output_queue_ready (m, m->pending))
+#ifdef ENABLE_PF
+ if (!pf_addr_test (c, &src))
{
- /* transfer packet pointer from top-level context buffer to instance */
- c->c2.buf = m->top.c2.buf;
+ msg (D_PF, "PF: [%s] -> client packet dropped by packet filter",
+ mroute_addr_print (&src, &gc));
+ buf_reset_len (&c->c2.buf);
}
else
- {
- /* drop packet */
- msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
- buf_clear (&c->c2.buf);
- }
+#endif
+ {
+ if (multi_output_queue_ready (m, m->pending))
+ {
+ /* transfer packet pointer from top-level context buffer to instance */
+ c->c2.buf = m->top.c2.buf;
+ }
+ else
+ {
+ /* drop packet */
+ msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
+ buf_reset_len (&c->c2.buf);
+ }
+ }
/* encrypt in instance context */
process_incoming_tun (c);