Hi, I have a few documentation / comment language issues, and a bit of grumbling about the code (which can be ignored).
On Mon, Sep 19, 2022 at 03:41:08PM +0200, Antonio Quartulli wrote: > +--session-timeout n > + Raises :code:`SIGTERM` for the client instance after ``n`` seconds since > + the beginning of the session, forcing OpenVPN to disconnect. > + In client mode, OpenVPN will disconnect and exit, while in server mode > + all client sessions are terminated. > + > + This option can also be specified in a client instance config file > + using ``--client-config-dir`` or dynamically generated using a > + ``--client-connect`` script. In these cases, only the related client > + session is terminated. > + > + When using option on the server side, it may be useful to push > + ``--explicit-exit-notify`` in order to terminate a client session > + and be informed about it. This paragraph is a bit unclear. Why would you want to *push* --explicit-exit-notify? *Use* it, on the server, so the client gets an EEN, this I would understand. Maybe reword this as "If this is used on the server (main config or per-client), this works better if ``--explicit-exit-notify`` is also used in the server config, so clients are not just silently disconnected but get told about it." > + > --socket-flags flags > Apply the given flags to the OpenVPN transport socket. Currently, only > :code:`TCP_NODELAY` is supported. > diff --git a/doc/man-sections/server-options.rst > b/doc/man-sections/server-options.rst > index 54ea8b66..9d0c73b6 100644 > --- a/doc/man-sections/server-options.rst > +++ b/doc/man-sections/server-options.rst > @@ -426,7 +426,7 @@ fast hardware. SSL/TLS authentication must be used in > this mode. > ``--inactive``, ``--ping``, ``--ping-exit``, ``--ping-restart``, > ``--setenv``, ``--auth-token``, ``--persist-key``, ``--persist-tun``, > ``--echo``, ``--comp-lzo``, ``--socket-flags``, ``--sndbuf``, > - ``--rcvbuf`` > + ``--rcvbuf``, ``--session-timeout`` > > --push-remove opt > Selectively remove all ``--push`` options matching "opt" from the option > diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c > index e5cee665..810cb8a7 100644 > --- a/src/openvpn/forward.c > +++ b/src/openvpn/forward.c > @@ -630,6 +630,21 @@ encrypt_sign(struct context *c, bool comp_frag) > buffer_turnover(orig_buf, &c->c2.to_link, &c->c2.buf, &b->read_tun_buf); > } > > +/* > + * Should we exit due to session timeout? > + */ > +static void > +check_session_timeout(struct context *c) > +{ > + if (c->options.session_timeout > + && event_timeout_trigger(&c->c2.session_interval, &c->c2.timeval, > + ETT_DEFAULT)) > + { > + msg(M_INFO, "Session timeout, exiting"); > + register_signal(c, SIGTERM, "session-timeout"); > + } > +} > + > /* > * Coarse timers work to 1 second resolution. > */ > @@ -681,6 +696,13 @@ process_coarse_timers(struct context *c) > return; > } > > + /* kill session if time is over */ > + check_session_timeout(c); > + if (c->sig->signal_received) > + { > + return; > + } This now-triple "if (c->sig->signal_received)" still rubs my sensitivies, but I'm not sure if it's worth rewriting check_session_timeout() and check_ping_restart() to return a bool instead, and make this if (check_session_timeout(c)) /* game over? */ { return; } if (check_ping_restart(c)) /* peer went to sleep? */ { return; } instead... But anyway, this is more "material for a general cleanup patch", this patch is OK as it is, code-wise. > + int session_timeout; /* Kill session after n seconds, regardless > activity */ "regardless activity" is no good, "regardless of activity" is getting a bit long. What about "/* force-kill session after n seconds */"? gert -- "If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress Gert Doering - Munich, Germany g...@greenie.muc.de
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel