Hi, I have a few documentation / comment language issues, and a bit of grumbling about the code (which can be ignored).
On Mon, Sep 19, 2022 at 03:41:08PM +0200, Antonio Quartulli wrote:
> +--session-timeout n
> + Raises :code:`SIGTERM` for the client instance after ``n`` seconds since
> + the beginning of the session, forcing OpenVPN to disconnect.
> + In client mode, OpenVPN will disconnect and exit, while in server mode
> + all client sessions are terminated.
> +
> + This option can also be specified in a client instance config file
> + using ``--client-config-dir`` or dynamically generated using a
> + ``--client-connect`` script. In these cases, only the related client
> + session is terminated.
> +
> + When using option on the server side, it may be useful to push
> + ``--explicit-exit-notify`` in order to terminate a client session
> + and be informed about it.
This paragraph is a bit unclear. Why would you want to *push*
--explicit-exit-notify? *Use* it, on the server, so the client gets
an EEN, this I would understand.
Maybe reword this as
"If this is used on the server (main config or per-client), this works
better if ``--explicit-exit-notify`` is also used in the server config,
so clients are not just silently disconnected but get told about it."
> +
> --socket-flags flags
> Apply the given flags to the OpenVPN transport socket. Currently, only
> :code:`TCP_NODELAY` is supported.
> diff --git a/doc/man-sections/server-options.rst
> b/doc/man-sections/server-options.rst
> index 54ea8b66..9d0c73b6 100644
> --- a/doc/man-sections/server-options.rst
> +++ b/doc/man-sections/server-options.rst
> @@ -426,7 +426,7 @@ fast hardware. SSL/TLS authentication must be used in
> this mode.
> ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``,
> ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``,
> ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``,
> - ``--rcvbuf``
> + ``--rcvbuf``, ``--session-timeout``
>
> --push-remove opt
> Selectively remove all ``--push`` options matching "opt" from the option
> diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
> index e5cee665..810cb8a7 100644
> --- a/src/openvpn/forward.c
> +++ b/src/openvpn/forward.c
> @@ -630,6 +630,21 @@ encrypt_sign(struct context *c, bool comp_frag)
> buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf);
> }
>
> +/*
> + * Should we exit due to session timeout?
> + */
> +static void
> +check_session_timeout(struct context *c)
> +{
> + if (c->options.session_timeout
> + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval,
> + ETT_DEFAULT))
> + {
> + msg(M_INFO, "Session timeout, exiting");
> + register_signal(c, SIGTERM, "session-timeout");
> + }
> +}
> +
> /*
> * Coarse timers work to 1 second resolution.
> */
> @@ -681,6 +696,13 @@ process_coarse_timers(struct context *c)
> return;
> }
>
> + /* kill session if time is over */
> + check_session_timeout(c);
> + if (c->sig->signal_received)
> + {
> + return;
> + }
This now-triple "if (c->sig->signal_received)" still rubs my sensitivies,
but I'm not sure if it's worth rewriting check_session_timeout() and
check_ping_restart() to return a bool instead, and make this
if (check_session_timeout(c)) /* game over? */
{
return;
}
if (check_ping_restart(c)) /* peer went to sleep? */
{
return;
}
instead...
But anyway, this is more "material for a general cleanup patch", this
patch is OK as it is, code-wise.
> + int session_timeout; /* Kill session after n seconds, regardless
> activity */
"regardless activity" is no good, "regardless of activity" is getting a bit
long.
What about "/* force-kill session after n seconds */"?
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
