From 6ff0a8fb0706e3fff64b969c3a1dcb1afb6a88b9 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 19 May 2015 15:07:49 +0200 Subject: [PATCH] Introduced session-timeout option That allows to set the maximum number of seconds a session can be active. --- src/acct/radius.c | 2 ++ src/config.c | 3 +++ src/ocserv-args.def | 4 ++++ src/vpn.h | 2 ++ src/worker-vpn.c | 11 +++++++++++ 5 files changed, 22 insertions(+) diff --git a/src/acct/radius.c b/src/acct/radius.c index 4900a62f..969db9b3 100644 --- a/src/acct/radius.c +++ b/src/acct/radius.c @@ -278,6 +278,8 @@ VALUE_PAIR *send = NULL, *recvd = NULL; ret = PW_ADMIN_RESET; else if (discon_reason == REASON_IDLE_TIMEOUT) ret = PW_ACCT_IDLE_TIMEOUT; + else if (discon_reason == REASON_SESSION_TIMEOUT) + ret = PW_ACCT_SESSION_TIMEOUT; else if (discon_reason == REASON_DPD_TIMEOUT) ret = PW_LOST_CARRIER; else if (discon_reason == REASON_ERROR) diff --git a/src/config.c b/src/config.c index cdaea4cd..86063bda 100644 --- a/src/config.c +++ b/src/config.c @@ -132,6 +132,7 @@ static struct cfg_options available_options[] = { { .name = "net-priority", .type = OPTION_STRING, .mandatory = 0 }, { .name = "output-buffer", .type = OPTION_NUMERIC, .mandatory = 0 }, { .name = "cookie-timeout", .type = OPTION_NUMERIC, .mandatory = 0 }, + { .name = "session-timeout", .type = OPTION_NUMERIC, .mandatory = 0 }, { .name = "stats-report-time", .type = OPTION_NUMERIC, .mandatory = 0 }, { .name = "rekey-time", .type = OPTION_NUMERIC, .mandatory = 0 }, { .name = "rekey-method", .type = OPTION_STRING, .mandatory = 0 }, @@ -843,6 +844,8 @@ unsigned urlfw_size = 0; config->cookie_timeout = DEFAULT_COOKIE_RECON_TIMEOUT; READ_TF("persistent-cookies", config->persistent_cookies, 0); + READ_NUMERIC("session-timeout", config->session_timeout); + READ_NUMERIC("auth-timeout", config->auth_timeout); READ_NUMERIC("idle-timeout", config->idle_timeout); diff --git a/src/ocserv-args.def b/src/ocserv-args.def index 9456b45f..ca47111a 100644 
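Review bot: In the second config.c hunk, `READ_NUMERIC("session-timeout", config->session_timeout);` stores the value with no range check visible, while the worker only enforces the limit when the value is `> 0`, so a negative or mistyped setting would silently switch the session limit off instead of failing at startup. Because this option is an access-control limit, I would reject negative values at parse time with an explicit error. The hunk also shows no default being assigned, unlike `cookie_timeout` just above. Presumably the config struct is zeroed so that unset means disabled, but that is worth confirming, including on a configuration reload. The enclosing function starts and ends outside the hunk.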
--- a/src/ocserv-args.def +++ b/src/ocserv-args.def @@ -321,6 +321,10 @@ auth-timeout = 40 # before being disconnected. Unset to disable. #idle-timeout = 1200 +# The time (in seconds) that a client is allowed to stay connected +# Unset to disable. +#session-timeout = 86400 + # The time (in seconds) that a mobile client is allowed to stay idle (no # traffic) before being disconnected. Unset to disable. #mobile-idle-timeout = 2400 diff --git a/src/vpn.h b/src/vpn.h index 848f232d..2953bc42 100644 --- a/src/vpn.h +++ b/src/vpn.h @@ -116,6 +116,7 @@ extern int syslog_open; #define REASON_IDLE_TIMEOUT 4 #define REASON_DPD_TIMEOUT 5 #define REASON_ERROR 6 +#define REASON_SESSION_TIMEOUT 7 #define ERR_SUCCESS 0 #define ERR_BAD_COMMAND -2 @@ -324,6 +325,7 @@ struct cfg_st { unsigned deny_roaming; /* whether a cookie is restricted to a single IP */ time_t cookie_timeout; /* in seconds */ + time_t session_timeout; /* in seconds */ unsigned persistent_cookies; /* whether cookies stay valid after disconnect */ time_t rekey_time; /* in seconds */ diff --git a/src/worker-vpn.c b/src/worker-vpn.c index af44d709..c43f2522 100644 --- a/src/worker-vpn.c +++ b/src/worker-vpn.c @@ -739,6 +739,17 @@ int periodic_check(worker_st * ws, unsigned mtu_overhead, time_t now, } } + if (ws->config->session_timeout > 0) { + if (now - ws->session_start_time > ws->config->session_timeout) { + oclog(ws, LOG_ERR, + "session timeout reached for process (%d secs)", + (int)(now - ws->session_start_time)); + terminate = 1; + terminate_reason = REASON_SESSION_TIMEOUT; + goto cleanup; + } + } + if (ws->config->stats_report_time > 0 && now - ws->last_stats_msg >= ws->config->stats_report_time && ws->sid_set) {
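Review bot: In the second vpn.h hunk, the comment on the new `session_timeout` field gives only the unit, although the worker treats any value that is not `> 0` as "no limit". I would record that at the declaration, e.g. `time_t session_timeout; /* in seconds; 0 (unset) disables the limit */`. struct cfg_st continues outside the hunk.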
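Review bot: The new check in periodic_check() measures the limit from `ws->session_start_time`, which this hunk does not show being set, and the log text says "for process". If that timestamp is per worker process, a client that reconnects with a still-valid cookie (see `cookie-timeout` and `persistent-cookies`) would get a fresh window without re-authenticating, so the option would cap a connection rather than an authenticated session. If that is the intended meaning, the description added to ocserv-args.def should say so; if not, the start time has to travel with the session rather than with the worker. Separately, an expected policy disconnect is logged at `LOG_ERR`, where `LOG_INFO` would keep error-level logs useful for alerting. periodic_check() begins and ends outside the hunk.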