Add 'terminate user', 'terminate id' and 'terminate session' commands
to occtl that disconnect users and invalidate their session cookies,
preventing reconnection with cached credentials.
Short session IDs are resolved to full safe_id by fetching the cookie
list from sec-mod via CTL_CMD_LIST_COOKIES with prefix matching and
ambiguity detection. Active sessions trigger a warning before
invalidation.
Add integration tests for all three terminate commands.
Signed-off-by: Ivan Verbin <verbinivan@gmail.com>
- Fixes an issue #599 where the session timeout could be bypassed
by reconnecting, such as through a laptop lid close/open cycle.
- Adds 'Session started at:' field to 'occtl show user' output.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
The hostname validation was rejecting any hostname containg a '.'
character (eg: 'MacBook-Air.local'). This was overly restrictive and
prevented the HOSTNAME environment variable from being populated for
a signifficant number of clients, particularly on macOS.
Strip the domain suffix from such hostnames instead of discarding them.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
- Increase the width from 14 to 15 characters for 'show bans' and
'show ban points' commands. This ensures proper column alignment
for all valid IPv4 addresses.
- Reduce Score column to 10 characters since UINT_MAX is typically
10 digits.
- Remove unnecessary (unsinged int) cast since 'score' is an actual
unsigned int.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Currently 'ocserv' sends session accounting statistics at irregular intervals.
For example, if 'stats-report-time' is set to 60, the actual intervals may vary
between 50, 60, 70, or even 80 seconds. Moreover, these intervals are not
constant - they fluctuate arbitrarily with each statistics update.
This behavior was intentionally introduced to avoid worker processes acting
simultaneously in scenarios like server restarts, where all clients reconnect
at the same time, which could impose heavy load on the secmod process.
However, it causes issues for RADIUS servers that require accurate and
consistent timing.
Summary of changes:
- Apply randomization only once when the timer is initially set up, affecting
only the first timer firing. All subsequent firings will occur at regular
intervals relative to the first one.
- Remove fuzzing from 'interim_update_secs'. This value originates either from
RADIUS or from 'stats-report-time' and should not be altered.
Closes: #630
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This ensures all subsequent worker communications reach the original
secmod instance that authenticated the client, enabling correct session
accounting after IP address changes.
Closes: #674
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
The previous condition for resetting a ban score was insufficient.
It failed to reset the score for a client that had just exited a ban,
and also incorrectly reset the score of a currently banned client,
causing premature unbans.
Closes: #678
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Added current timestamp comparison to ensure only active bans
are shown by 'occtl show ip bans'.
Closes: #675.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Existing code used the loop index 'i == 0' to determine when to print
column headers. However, a 'continue' statement inside the loop could
skip the 'i = 0' iteration, causing the headers to never be printed.
Introduced a separate boolean 'header_printed' variable to track
whether headers have been printed.
Closes: #677
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Remove IPV6_V6ONLY flag from per-client UDP sockets as it prevents
IPv4 traffic on systemd-provided IPv6 sockets. This was a legacy
from the old reopen_udp_port() code and is no longer needed.
Fixes: #647
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
Return proper values (1 for success, 0 for error) from iroutes_handler()
to prevent premature parser termination
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
A misplaced bracket passed 'sizeof(*addr1) == -1' instead of 'sizeof(*addr1)'
to sendto(), causing it to fail. This prevented icmp_ping4() from sending
ICMP echo requests.
Consequently, the 'ping-leases' option has been non-functional since
this bug was introduced in commit 2aaa287a.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
This reverts commit 6fea92a961.
The URL consolidation caused worker to no longer recognize either of the original URLs.
This led to "unexpected URL" errors and immediate worker termination.
The original change was intended to simplify URL configuration,
but it inadvertently broke functionality for both endpoints.
Signed-off-by: Grigory Trenin <grigory.trenin@gmail.com>
http-parser is an unmaintained library that has been replaced by llhttp.
Resolves: #598
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This introduces the 'select-group-by-url' config option
that allows selecting an authgroup just by connecting to
a dedicated URI.
Signed-off-by: Marcin Ochab <marcin.ochab@gmail.com>
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Hijack Roaring Penguin's RADIUS attributes for that purpose:
* RP-Upstream-Speed-Limit → rx_per_sec
* RP-Downstream-Speed-Limit → tx_per_sec
While the ocserv configuration options use b/s, ocserv uses kb/s
internally. The radius attributes are already expressed in kb/s,
so we don't need to convert them.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
