Fix 'occtl show ip bans' showing expired ban entries

Added current timestamp comparison to ensure only active bans
are shown by 'occtl show ip bans'.

Closes: #675.

Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Grigory Trenin
2025-12-13 18:29:19 -05:00
committed by Nikos Mavrogiannopoulos
parent 1c31314df4
commit d15b2af4b2
4 changed files with 8 additions and 6 deletions

1
NEWS

@@ -9,6 +9,7 @@
- occtl: fix invalid JSON output in `occtl -j show iroutes` (#661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (#669)
- occtl: fix missing column headers in 'show ip bans' output (#677)
- occtl: 'show ip bans' no longer shows expired bans (#675)
- Fixed DTLS not working with systemd socket activation (#647)
* Version 1.3.0 (released 2024-05-05)


@@ -94,8 +94,6 @@ void main_ban_db_deinit(main_server_st *s)
}
}
#define IS_BANNED(main, entry) (entry->score >= GETCONFIG(main)->max_ban_score)
unsigned int main_ban_db_elems(main_server_st *s)
{
struct htable *db = s->ban_db;


@@ -36,6 +36,8 @@ typedef struct ban_entry_st {
time_t expires; /* the time after the client is allowed to login */
} ban_entry_st;
#define IS_BANNED(main, entry) (entry->score >= GETCONFIG(main)->max_ban_score)
void cleanup_banned_entries(main_server_st *s);
unsigned int check_if_banned(main_server_st *s, struct sockaddr_storage *addr,
socklen_t addr_size);
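Review bot: `IS_BANNED` is now exported from the header but still compares only the score, so an entry whose `expires` has already passed evaluates as banned; this commit has to add `e->expires > now` at its one visible call site for exactly that reason. A header-level macro with this name invites the same mistake in the next caller, so it should at least carry a comment such as `/* score threshold only: callers must also compare e->expires with the current time */`. The arguments are also used unparenthesized; `((entry)->score >= GETCONFIG(main)->max_ban_score)` is the safer form for a macro that other files can now expand.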


@@ -512,7 +512,7 @@ static void method_top(method_ctx *ctx, int cfd, uint8_t *msg,
}
static int append_ban_info(method_ctx *ctx, BanListRep *list,
struct ban_entry_st *e)
struct ban_entry_st *e, time_t now)
{
BanInfoRep *rep;
main_server_st *s = ctx->s;
@@ -533,8 +533,8 @@ static int append_ban_info(method_ctx *ctx, BanListRep *list,
rep->ip.len = e->ip.size;
rep->score = e->score;
if (GETCONFIG(s)->max_ban_score > 0 &&
e->score >= GETCONFIG(s)->max_ban_score) {
if (GETCONFIG(s)->max_ban_score > 0 && IS_BANNED(s, e) &&
e->expires > now) {
rep->expires = e->expires;
rep->has_expires = 1;
}
@@ -550,12 +550,13 @@ static void method_list_banned(method_ctx *ctx, int cfd, uint8_t *msg,
struct htable *db = ctx->s->ban_db;
int ret;
struct htable_iter iter;
time_t now = time(NULL);
mslog(ctx->s, NULL, LOG_DEBUG, "ctl: list-banned-ips");
e = htable_first(db, &iter);
while (e != NULL) {
ret = append_ban_info(ctx, &rep, e);
ret = append_ban_info(ctx, &rep, e, now);
if (ret < 0) {
mslog(ctx->s, NULL, LOG_ERR,
"error appending ban info to reply");
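Review bot: In `append_ban_info` the new `e->expires > now` test only decides whether `rep->expires` and `has_expires` are set; nothing in the visible lines skips the entry, so an expired ban presumably still goes into the reply and hiding it depends on the consumer treating a missing `expires` as not banned. That contract deserves a comment above the condition, e.g. `/* expires is reported only for bans still in force; entries without it are score-only */`, and the new `now` parameter should be documented as a single snapshot taken once per listing. The hunk also does not show whether the enforcement path uses the same boundary (`>` versus `>=`) as this listing; if they differ, an address could be listed as banned at the instant it is allowed back in, or the reverse. The body of `append_ban_info` between the two hunks is not shown.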