Execute disconnect script for user that their IP was hijacked by a cookie reconnection

This prevents the script from being called to initiate connections
that are never disconnected. This patch also introduces IPV6_LOCAL and
IPV6_REMOTE script environment variables that allow passing both addresses
in case both IPv4 and IPv6 are assigned.
Nikos Mavrogiannopoulos
2014-04-12 08:40:55 +02:00
parent 3137c507e2
commit 1185cb07ee
3 changed files with 47 additions and 34 deletions


@@ -294,7 +294,8 @@ void remove_proc(main_server_st * s, struct proc_st *proc, unsigned k)
kill(proc->pid, SIGTERM);
remove_from_script_list(s, proc);
user_disconnected(s, proc);
if (proc->username[0] != 0)
user_disconnected(s, proc);
/* close the intercomm fd */
if (proc->fd >= 0)
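Review bot: The new guard `if (proc->username[0] != 0)` before `user_disconnected(s, proc)` is an unbraced single-statement body and carries no explanation of why the disconnect notification is now conditional; the commit message talks about hijacked IPs, not usernames, so the invariant being relied on (presumably that no connect script ran for a proc that never reached a username) should be stated at the call site. I would write it as `if (proc->username[0] != 0) { /* no username: connect script never ran, nothing to undo */ user_disconnected(s, proc); }` once that invariant is confirmed. The rendered hunk lost its markers, so which of the two `user_disconnected` lines is old and which is new is inferred from print order. remove_proc starts outside the hunk.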


@@ -62,44 +62,57 @@ const char* script;
pid = fork();
if (pid == 0) {
char real[64];
char local[64];
char remote[64];
char real[64] = "";
char local[64] = "";
char remote[64] = "";
snprintf(real, sizeof(real), "%u", (unsigned)proc->pid);
setenv("ID", real, 1);
if (proc->ipv4 == NULL && proc->ipv6 == NULL) {
mslog(s, proc, LOG_DEBUG, "no IP configured; script failed");
exit(1);
}
if (getnameinfo((void*)&proc->remote_addr, proc->remote_addr_len, real, sizeof(real), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine peer address; script failed");
exit(1);
if (proc->remote_addr_len > 0) {
if (getnameinfo((void*)&proc->remote_addr, proc->remote_addr_len, real, sizeof(real), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine peer address; script failed");
exit(1);
}
setenv("IP_REAL", real, 1);
}
if (proc->ipv4 && proc->ipv4->lip_len > 0) {
if (getnameinfo((void*)&proc->ipv4->lip, proc->ipv4->lip_len, local, sizeof(local), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN address; script failed");
exit(1);
}
} else {
if (getnameinfo((void*)&proc->ipv6->lip, proc->ipv6->lip_len, local, sizeof(local), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN PtP address; script failed");
exit(1);
}
}
if (proc->ipv4 != NULL || proc->ipv6 != NULL) {
mslog(s, proc, LOG_DEBUG, "no IP for this user (probably re-used by a cookie reconnection)");
if (proc->ipv4 && proc->ipv4->rip_len > 0) {
if (getnameinfo((void*)&proc->ipv4->rip, proc->ipv4->rip_len, remote, sizeof(remote), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN address; script failed");
exit(1);
if (proc->ipv4 && proc->ipv4->lip_len > 0) {
if (getnameinfo((void*)&proc->ipv4->lip, proc->ipv4->lip_len, local, sizeof(local), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN address; script failed");
exit(1);
}
setenv("IP_LOCAL", local, 1);
}
} else {
if (getnameinfo((void*)&proc->ipv6->rip, proc->ipv6->rip_len, remote, sizeof(remote), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN PtP address; script failed");
exit(1);
if (proc->ipv6 && proc->ipv6->lip_len > 0) {
if (getnameinfo((void*)&proc->ipv6->lip, proc->ipv6->lip_len, local, sizeof(local), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN PtP address; script failed");
exit(1);
}
if (local[0] == 0)
setenv("IP_LOCAL", local, 1);
setenv("IPV6_LOCAL", local, 1);
}
if (proc->ipv4 && proc->ipv4->rip_len > 0) {
if (getnameinfo((void*)&proc->ipv4->rip, proc->ipv4->rip_len, remote, sizeof(remote), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN address; script failed");
exit(1);
}
setenv("IP_REMOTE", remote, 1);
}
if (proc->ipv6 && proc->ipv6->rip_len > 0) {
if (getnameinfo((void*)&proc->ipv6->rip, proc->ipv6->rip_len, remote, sizeof(remote), NULL, 0, NI_NUMERICHOST) != 0) {
mslog(s, proc, LOG_DEBUG, "cannot determine local VPN PtP address; script failed");
exit(1);
}
if (remote[0] == 0)
setenv("IP_REMOTE", remote, 1);
setenv("IP_REMOTE", remote, 1);
}
}
@@ -107,9 +120,6 @@ const char* script;
setenv("GROUPNAME", proc->groupname, 1);
setenv("HOSTNAME", proc->hostname, 1);
setenv("DEVICE", proc->tun_lease.name, 1);
setenv("IP_REAL", real, 1);
setenv("IP_LOCAL", local, 1);
setenv("IP_REMOTE", remote, 1);
if (up)
setenv("REASON", "connect", 1);
else
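Review bot: In the first hunk the IPv6 blocks reuse the `local` and `remote` buffers that the IPv4 blocks just filled, so by the time `if (local[0] == 0)` (and `if (remote[0] == 0)`) is evaluated the buffer already holds the IPv6 string from getnameinfo and the test is never true: for an IPv6-only user IP_LOCAL is never exported, and for a dual-stack user the unconditional `setenv("IP_REMOTE", remote, 1)` overwrites the IPv4 value with the IPv6 one. The second line of that pair sets IP_REMOTE twice and never sets IPV6_REMOTE, although the ocserv.conf hunk in this commit documents an IPv6 remote variable (spelled `IPV6_REMOVE` there, which also looks like a typo for `IPV6_REMOTE`). Using separate buffers for the IPv6 addresses keeps the IPv4 values intact and makes the "only if IPv4 did not set it" check meaningful; the rewritten IPv6 blocks are below. The enclosing function starts before the hunk, and since the rendered diff has lost its markers the old/new assignment of the interleaved lines is inferred.
```c
/* … unchanged: IP_REAL, IPv4 IP_LOCAL and IP_REMOTE handling … */
if (proc->ipv6 && proc->ipv6->lip_len > 0) {
	char local6[64] = "";
	if (getnameinfo((void*)&proc->ipv6->lip, proc->ipv6->lip_len, local6, sizeof(local6), NULL, 0, NI_NUMERICHOST) != 0) {
		mslog(s, proc, LOG_DEBUG, "cannot determine local VPN PtP address; script failed");
		exit(1);
	}
	/* IP_LOCAL keeps the IPv4 address when both families are assigned */
	if (local[0] == 0)
		setenv("IP_LOCAL", local6, 1);
	setenv("IPV6_LOCAL", local6, 1);
}
if (proc->ipv6 && proc->ipv6->rip_len > 0) {
	char remote6[64] = "";
	if (getnameinfo((void*)&proc->ipv6->rip, proc->ipv6->rip_len, remote6, sizeof(remote6), NULL, 0, NI_NUMERICHOST) != 0) {
		mslog(s, proc, LOG_DEBUG, "cannot determine remote VPN PtP address; script failed");
		exit(1);
	}
	/* IP_REMOTE keeps the IPv4 address when both families are assigned */
	if (remote[0] == 0)
		setenv("IP_REMOTE", remote6, 1);
	setenv("IPV6_REMOTE", remote6, 1);
}
```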


@@ -222,6 +222,8 @@ rekey-method = ssl
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOVE (the IPv6 remote address), and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript