Commit Graph

62 Commits

Author SHA1 Message Date
Yousong Zhou
5cb41a570b Fix display of rx/tx per sec limit
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-09-15 19:14:37 +08:00
Alan Jowett
945699097d Modify ocserv-sm to permit it to scale up to the number of CPUs. This permits a higher rate of client connections and prevents TLS signing from becoming a bottleneck for clients connecting.
Resolves: #341

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-08-26 09:46:04 -06:00
Nikos Mavrogiannopoulos
8aa39b0106 Improved user disconnection to avoid race conditions
Previously, when we were disconnecting a user there were a few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables safe
user removal from the authentication database, and from run-time.

Resolves: #59

Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2020-07-25 21:38:55 +02:00
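The race the commit above describes, as an added example in C that is not ocserv's own code: a minimal cookie table in which a disconnect that only tears down the live connection leaves the cookie accepted until its TTL runs out, while a disconnect that marks the cookie revoked refuses the reconnect immediately. The table layout, the function names and the 300-second TTL are assumptions made for the example; the cookie bytes in the self-test are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Added example, not ocserv code: a fixed-size cookie table. */
#define COOKIE_LEN 16
#define MAX_SESSIONS 8

enum sess_state { SESS_FREE = 0, SESS_ACTIVE, SESS_REVOKED };

struct session {
    uint8_t cookie[COOKIE_LEN];
    char user[32];
    time_t expires;        /* absolute expiry of the cookie */
    int connected;         /* 1 while a worker holds the live connection */
    enum sess_state state;
};

static struct session table[MAX_SESSIONS];

void session_table_reset(void) { memset(table, 0, sizeof table); }

/* Constant-time comparison so a lookup does not leak cookie bytes via timing. */
static int cookie_eq(const uint8_t *a, const uint8_t *b)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < COOKIE_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

static struct session *find_by_cookie(const uint8_t *cookie)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (table[i].state != SESS_FREE && cookie_eq(table[i].cookie, cookie))
            return &table[i];
    return NULL;
}

/* Register a freshly issued cookie; returns 0 on success, -1 if the table is full. */
int session_add(const uint8_t *cookie, const char *user, time_t now, int ttl_sec)
{
    for (size_t i = 0; i < MAX_SESSIONS; i++) {
        if (table[i].state == SESS_FREE) {
            memcpy(table[i].cookie, cookie, COOKIE_LEN);
            snprintf(table[i].user, sizeof table[i].user, "%s", user);
            table[i].expires = now + ttl_sec;
            table[i].connected = 1;
            table[i].state = SESS_ACTIVE;
            return 0;
        }
    }
    return -1;
}

/* Reconnect check: a presented cookie is accepted only while ACTIVE and unexpired. */
int cookie_accept(const uint8_t *cookie, time_t now)
{
    struct session *s = find_by_cookie(cookie);
    return s != NULL && s->state == SESS_ACTIVE && now < s->expires;
}

/* Legacy behaviour: only the live connection is dropped; the cookie record is
 * left to age out, so a reconnect inside the TTL still succeeds (the race). */
int disconnect_legacy(const char *user)
{
    int n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (table[i].state == SESS_ACTIVE && table[i].connected &&
            strcmp(table[i].user, user) == 0) {
            table[i].connected = 0;
            n++;
        }
    return n;
}

/* Fixed behaviour: the cookie is marked REVOKED at disconnect time. The slot is
 * kept until the TTL passes so a late reconnect still matches and is refused. */
int disconnect_revoking(const char *user)
{
    int n = disconnect_legacy(user);
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (table[i].state == SESS_ACTIVE && strcmp(table[i].user, user) == 0)
            table[i].state = SESS_REVOKED;
    return n;
}

/* Periodic cleanup: free expired slots, revoked or not. Returns slots freed. */
int session_expire(time_t now)
{
    int n = 0;
    for (size_t i = 0; i < MAX_SESSIONS; i++)
        if (table[i].state != SESS_FREE && now >= table[i].expires) {
            memset(&table[i], 0, sizeof table[i]);
            n++;
        }
    return n;
}
```

Keeping the revoked record around until expiry, rather than deleting it at disconnect, is what closes the window: deletion would make a replayed cookie simply unknown, which a server that re-issues or re-validates cookies from another source could treat as "new" rather than "refused".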
Alan Jowett
722e030e58 Add reporting of RX latency
Resolve: #258

Signed-off-by: Alan Jowett <alanjo@microsoft.com>
2020-05-26 18:14:36 -06:00
Nikos Mavrogiannopoulos
ba6921ed9a Introduced the notion of virtual hosts
This provides virtualized server configurations which take
effect after client connection when client hello is received.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-03-06 20:42:31 +01:00
Nikos Mavrogiannopoulos
ccb80b5d4f occtl: improved presentation of printed statistics
Also added different values to keep authentication failures
and closed sessions, in total and per accounting period.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
2017-04-14 16:39:00 +03:00
Nikos Mavrogiannopoulos
538d1bca21 occtl: print statistics provided by main
Also introduced the --debug option.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-04-14 16:39:00 +03:00
Nikos Mavrogiannopoulos
e9cf88f8c2 main: store additional statistics globally
That is, store:
 * number of timed out sessions
 * number of sessions timed out due to being idle
 * number of errored sessions
 * total number of sessions handled (closed)
 * total number of kbytes sent
 * total number of kbytes received
 * minimum MTU seen
 * maximum MTU seen
 * total authentication failures
 * average/max authentication time (in secs)
 * average/max session time (in minutes)

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-04-14 16:39:00 +03:00
Nikos Mavrogiannopoulos
fdea01f4f5 Do not log the internal session ID nor re-use it in radius
Use instead a value derived from it, so that access to the debugging
log files or to the radius result does not give access to the server.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2017-01-29 15:48:46 +01:00
Nikos Mavrogiannopoulos
3a834fad26 occtl: print the cookie associated with a user on user info
This allows mapping existing cookies to connected users.
2016-05-14 20:37:12 +02:00
Nikos Mavrogiannopoulos
da4e4fcf2a Improved error message propagation due to new combined APIs
This amends 8892eb1934
2016-03-07 13:51:55 +01:00
Nikos Mavrogiannopoulos
e0947340bb ipc: pass the connection status as integer
Conversion to textual form now happens at the client (occtl)
instead of the main server.
2016-03-06 19:07:24 +01:00
Nikos Mavrogiannopoulos
8892eb1934 use a single format for all messages simplifying server
That patch also combines all the message generation or receiving
functions to allow easier modifications to the format.
2016-03-06 19:07:07 +01:00
Nikos Mavrogiannopoulos
f3338e84f7 Added occtl command to display cookies
This allows displaying and examining valid cookies from occtl.
2016-03-06 12:05:36 +01:00
Nikos Mavrogiannopoulos
ff5b2b7aad Use 32-bit length variable for transferring between occtl and ocserv
This allows handling the transfer of long data between ocserv and occtl.
Reported by Liviu.

Resolves #29
2016-01-28 13:53:21 +01:00
Nikos Mavrogiannopoulos
353bd39686 replaced select() calls with poll() calls
This allows handling more descriptors than the maximum limit
allowed by select(), and thus handling more than 1024 clients.
2016-01-28 13:53:08 +01:00
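The limit the commit above works around, as an added example in C that is not ocserv's own code: select() addresses descriptors through a fixed-size fd_set, so a descriptor numbered FD_SETSIZE (1024 on glibc) or higher cannot be registered safely (FD_SET on it writes past the set), whereas poll() takes an explicit array and has no such bound. The helper names are assumptions; the self-test uses pipes it creates itself, and the high-fd probe reports -1 rather than failing when the process's RLIMIT_NOFILE is too low to place a descriptor above FD_SETSIZE.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/select.h>
#include <unistd.h>

/* Added example, not ocserv code. select() can only track fds below FD_SETSIZE. */
int usable_with_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* poll()-based readiness check. Waits up to timeout_ms for any of the n fds to
 * become readable, sets readable[i] = 1 for each that is, and returns the count
 * (0 on timeout, -1 on error). There is no upper bound on the fd numbers. */
int wait_readable(const int *fds, int *readable, size_t n, int timeout_ms)
{
    struct pollfd *pfds = calloc(n, sizeof *pfds);
    if (pfds == NULL) return -1;
    for (size_t i = 0; i < n; i++) {
        pfds[i].fd = fds[i];
        pfds[i].events = POLLIN;
        readable[i] = 0;
    }
    int rc;
    do {
        rc = poll(pfds, (nfds_t)n, timeout_ms);   /* retry if interrupted by a signal */
    } while (rc < 0 && errno == EINTR);
    int count = 0;
    if (rc > 0) {
        for (size_t i = 0; i < n; i++)
            if (pfds[i].revents & (POLLIN | POLLHUP)) { readable[i] = 1; count++; }
    }
    free(pfds);
    return rc < 0 ? -1 : count;
}

/* Two pipes, one with data: poll must report exactly that one. Returns 1 on success. */
int demo_pipe_poll(void)
{
    int p1[2], p2[2];
    if (pipe(p1) < 0) return 0;
    if (pipe(p2) < 0) { close(p1[0]); close(p1[1]); return 0; }
    const char msg[] = "constructed sample byte";   /* constructed input */
    int ok = 0;
    if (write(p1[1], msg, sizeof msg) == (ssize_t)sizeof msg) {
        int fds[2] = { p1[0], p2[0] };
        int ready[2];
        int n = wait_readable(fds, ready, 2, 100);
        ok = (n == 1 && ready[0] == 1 && ready[1] == 0);
    }
    close(p1[0]); close(p1[1]); close(p2[0]); close(p2[1]);
    return ok;
}

/* Move a readable pipe end above FD_SETSIZE and poll it. Returns 1 if poll() saw
 * it readable, -1 if RLIMIT_NOFILE forbids such a high fd (dup2 -> EBADF/EMFILE),
 * 0 on any other failure. select() could not have been used on this fd at all. */
int demo_high_fd(void)
{
    int p[2];
    if (pipe(p) < 0) return 0;
    int high = FD_SETSIZE + 16;
    int result;
    if (dup2(p[0], high) < 0) {
        result = (errno == EBADF || errno == EMFILE) ? -1 : 0;
    } else {
        char b = 'x';
        int ready = 0;
        if (write(p[1], &b, 1) != 1)
            result = 0;
        else
            result = (wait_readable(&high, &ready, 1, 100) == 1 && ready == 1) ? 1 : 0;
        close(high);
    }
    close(p[0]); close(p[1]);
    return result;
}

int main(void)
{
    printf("fd 10 usable with select: %d\n", usable_with_select(10));
    printf("fd %d usable with select: %d\n", FD_SETSIZE, usable_with_select(FD_SETSIZE));
    printf("pipe poll demo: %d\n", demo_pipe_poll());
    printf("high fd poll demo: %d (-1 means RLIMIT_NOFILE too low to try)\n", demo_high_fd());
    return 0;
}
```

Raise the descriptor limit (`ulimit -n 2048` before running) to see the high-fd probe return 1; with the common soft limit of 1024 the dup2 is refused and the probe reports -1, which is itself the practical symptom a server hits first when it outgrows select().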
Nikos Mavrogiannopoulos
b66b1f6390 main: don't attempt to access client configuration if not already set
This prevents crash introduced by cefd77b633
2016-01-27 14:24:49 +01:00
Nikos Mavrogiannopoulos
01706859e0 occtl: print the restricted ports for the client 2015-12-08 14:14:27 +01:00
Nikos Mavrogiannopoulos
e1fc1f3c45 TLS session resumption database was moved to sec-mod
This reduces the number of sensitive data available to main process.
Resolves #21
2015-12-07 19:52:30 +01:00
Nikos Mavrogiannopoulos
fe28fd15cd Added occtl command 'show events', as well as the corresponding command in main
This allows the main process to handle a single listener which will
get all information about new and disconnecting users.
2015-12-05 11:23:06 +01:00
Nikos Mavrogiannopoulos
12bc8955bd main: allow multiple clients in control channel (occtl) 2015-12-05 11:23:01 +01:00
Nikos Mavrogiannopoulos
0e604b8a9f Master process was converted to use libev 2015-12-05 11:18:09 +01:00
Nikos Mavrogiannopoulos
9252e22298 Added reference counting to configuration values.
That is, to allow referencing these values from proc_st
without fear of them being invalidated on a config reload. We
perform a cleanup of these values on the server periodic check.
2015-12-05 11:08:51 +01:00
Nikos Mavrogiannopoulos
cefd77b633 Simplified per-user/group configuration handling
We now use a common structure in SESSION_REPLY and AUTH_REP
messages. That structure is generated by sec-mod and forwarded
by main to worker, thus eliminating the need to create passing
code for each new user-config variable being added.
2015-11-26 18:29:14 +01:00
Nikos Mavrogiannopoulos
f5fca982dc Added configuration option restrict-user-to-routes
This option, if set, will call /usr/bin/ocserv-fw for each user
connecting, i.e., adding firewall restrictions based on its allowed
routes.
2015-11-23 17:31:55 +01:00
Nikos Mavrogiannopoulos
ba44c2a6c1 pass DPD and keepalive values to occtl 2015-11-19 12:23:37 +01:00
Nikos Mavrogiannopoulos
aed34ebd62 ip banning: entries hold in raw IP format rather than textual 2015-11-10 13:47:51 +01:00
Nikos Mavrogiannopoulos
845fcbc891 forward all routes sent to client to occtl 2015-09-18 16:45:53 +02:00
Nikos Mavrogiannopoulos
b674a46af6 occtl: print the configured split-dns domains 2015-08-28 11:41:58 +02:00
Nikos Mavrogiannopoulos
f8c7bccfa1 occtl: print the Local Device IP (the IP the user connected to) 2015-08-22 20:13:46 +02:00
Nikos Mavrogiannopoulos
ab93ea4d82 Log info message when the control socket is disabled 2015-08-17 14:27:11 +02:00
Nikos Mavrogiannopoulos
1ca573ff16 occtl: added --json option
This allows parsing the output data using automated tools.
2015-05-26 16:09:25 +02:00
Nikos Mavrogiannopoulos
41bcc9d0c0 radius: put the process ID into NAS-Port 2015-05-11 14:15:25 +02:00
Nikos Mavrogiannopoulos
02aa9c691e keep track of client entries in sec-mod and report them in status msg 2015-04-26 17:06:16 +02:00
Nikos Mavrogiannopoulos
abfcee5991 terminate_proc is shared between dbus and unix 2015-04-03 14:49:58 +02:00
Nikos Mavrogiannopoulos
adc8473328 chroot_dir, occtl_socket_file and socket_file_prefix were moved to permanent config options 2015-03-03 11:50:48 +01:00
Nikos Mavrogiannopoulos
cc16a65819 separated permanent configuration options from the reloaded ones 2015-03-02 13:18:52 +01:00
Nikos Mavrogiannopoulos
4aa726bd9c main-ctl-unix: avoid using remove_proc() unless necessary 2015-02-27 22:51:49 +01:00
Nikos Mavrogiannopoulos
9f95d086d9 removed unused variables and structures 2015-02-26 21:15:17 +01:00
Nikos Mavrogiannopoulos
17c1c3d381 sanitize IP addresses provided by occtl 2015-02-26 16:15:40 +01:00
Nikos Mavrogiannopoulos
0326ec168b occtl: added ability to list banned, and unban IPs 2015-02-26 14:33:38 +01:00
Nikos Mavrogiannopoulos
ad66cb92d8 report the number of banned IPs via occtl 2015-02-25 14:07:53 +01:00
Nikos Mavrogiannopoulos
bcea928abe Added support for no-routes (X-Split-Exclude) 2015-02-06 14:05:10 +01:00
Nikos Mavrogiannopoulos
c954e45e53 silence debugging messages from sec-mod when not in debug 2015-01-18 17:34:59 +01:00
Nikos Mavrogiannopoulos
6f714d6f2e report the compression algorithms to occtl 2015-01-15 19:04:43 +01:00
Nikos Mavrogiannopoulos
04ec372f4f save MTU in main, and report it to occtl 2015-01-11 10:34:13 +01:00
Nikos Mavrogiannopoulos
07e01d06b5 use strlcpy() instead of snprintf() where it makes sense
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
ef7fb7d594 Revert "use force_close() on server to avoid descriptor leaks"
This reverts commit f622f6696c.
2014-10-02 09:36:22 +02:00
Nikos Mavrogiannopoulos
30bcf35576 Revert "license upgraded to GPLv3"
This reverts commit 213f9a63ee.

Conflicts:
	configure.ac
2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
f622f6696c use force_close() on server to avoid descriptor leaks 2014-09-21 01:40:36 +02:00