Hi,

On Mon, Sep 19, 2022 at 12:29:20AM +0200, Antonio Quartulli wrote:
> On 18/09/2022 12:37, Gert Doering wrote:
> > On Sun, Sep 18, 2022 at 01:10:30AM +0200, Antonio Quartulli wrote:
> >> From: Dmitry Zelenkovsky <dmitry.zelenkovs...@nokia.com>
> >>
> >> Disconnect clients after session-timeout expires.
> >> session-timeout can be defined in ccd files in order to limit
> >> per-user connection time.
> > 
> > I find this implementation needlessly complicated.
> > 
> >> +/*
> >> + * Should we exit due to session timeout?
> >> + */
> >> +static void
> >> +check_session_timeout(struct context *c)
> >> +{
> >> +    if (c->options.session_timeout
> >> +        && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval,
> >> +                                 ETT_DEFAULT))
> >> +    {
> >> +        msg(M_INFO, "Session timeout, exiting");
> >> +        register_signal(c, SIGTERM, "session-timeout");
> >> +    }
> >> +}
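
Review bot: The log text "Session timeout, exiting" in check_session_timeout() reads as if the whole process is shutting down, while the commit message describes a per-user limit set from ccd files that disconnects one client. Suggest wording both the msg() text and the "Should we exit" comment around the client session ending, and logging the configured c->options.session_timeout value so the server log shows why the session was dropped.
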
> > 
> > Why are we working with event triggers here, if all we *want* to do is
> > a single-shot
> > 
> >   if ( now > $somectx->session_must_end_at_this_time )
> >   {
> >        /* kick out this user now */
> >        ...
> >   }
> > 
> 
> we don't get here at all, if we have no event object that is timing out.

process_coarse_timers() is run once per second, and does not need 
additional timers to be called.

This new check is added to process_coarse_timers().

Why do we need an extra event object, again?


I can see the need for event objects for recurring things, but for 
a single-shot "terminate client instance at this time, done", I'm not
convinced.


> So, although one shot, we still need to set up a timer object that will 
> trigger the machinery upon timeout.

> >> +    else if (streq(p[0], "session-timeout") && p[1] && !p[2])
> >> +    {
> >> +        VERIFY_PERMISSION(OPT_P_TIMER);
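
Review bot: VERIFY_PERMISSION(OPT_P_TIMER) on the "session-timeout" branch does not match the scope the commit message gives the option, which is a per-user limit defined in ccd files. A permission class restricted to per-instance configuration would express that intent and keep the option out of contexts where it is not meant to be accepted. The lines quoted here stop before p[1] is parsed, so the handling of the value itself cannot be reviewed from this hunk.
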
> > 
> > OPT_P_INSTANCE?
> 
> makes sense to add OPT_P_INSTANCE, although I wonder why other 
> activity/timeout knobs are not marked as such (i.e. --inactivity)

Not "add" OPT_P_INSTANCE, but "just" OPT_P_INSTANCE.

This is not something you want in the client config file.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel