Commit Graph

1058 Commits

Author SHA1 Message Date
Nikos Mavrogiannopoulos
6f714d6f2e report the compression algorithms to occtl 2015-01-15 19:04:43 +01:00
Nikos Mavrogiannopoulos
048b25ba45 Made the no-compress-limit configurable 2015-01-15 18:31:33 +01:00
Nikos Mavrogiannopoulos
67f621976b Allow compression to fail, and in that case send uncompressed packets
That allows to cancel compression early, if it seems to expand the
packet. Suggested by David Woodhouse.
2015-01-15 17:43:48 +01:00
Nikos Mavrogiannopoulos
7f997cc3fc only transmit a compressed packet, if it reduces the size 2015-01-15 17:13:26 +01:00
Nikos Mavrogiannopoulos
27168673f0 added option to disable compression 2015-01-15 16:42:29 +01:00
Nikos Mavrogiannopoulos
850181ed4e Moved negotiation/parsing of parameters using HTTP headers to worker-extras.c 2015-01-15 16:42:17 +01:00
Nikos Mavrogiannopoulos
3c023ffe5e Added support for LZ4 compression 2015-01-15 16:39:36 +01:00
Nikos Mavrogiannopoulos
831abcb76d corrected typo 2015-01-15 16:34:58 +01:00
Nikos Mavrogiannopoulos
fe848ad153 replaced use-seccomp by isolate-workers
That, if enabled, includes the Linux namespaces restrictions into workers.
2015-01-15 10:25:23 +01:00
Nikos Mavrogiannopoulos
7a51462abd reorganized to avoid compiler warnings 2015-01-15 09:59:38 +01:00
Nikos Mavrogiannopoulos
65a4646d2f include linux/sched.h to compile on systems with older libc 2015-01-15 09:55:51 +01:00
Nikos Mavrogiannopoulos
8b65df1ce3 remove the CLONE_NEWNET isolation option as its performance cost is too high 2015-01-14 21:05:19 +01:00
Nikos Mavrogiannopoulos
4dee583e29 In linux run the server in its own container with separate IPC and PID namespace 2015-01-14 17:08:01 +01:00
Nikos Mavrogiannopoulos
b124f68f12 do not allow the processes to be traced in linux
That would prevent a worker process tracing one
from another user.
2015-01-13 22:44:08 +01:00
Nikos Mavrogiannopoulos
a02dbb1fb2 removed unneeded variable 2015-01-12 10:53:47 +01:00
Nikos Mavrogiannopoulos
9f619b3a79 corrected check for non-empty pull buffer 2015-01-12 10:50:10 +01:00
Nikos Mavrogiannopoulos
4a56dd95c9 prevent a memory leak when multiple fds are received in short time 2015-01-12 10:45:37 +01:00
Nikos Mavrogiannopoulos
8c24dd8dd7 occtl: re-arranged user-agent and MTU printing 2015-01-11 12:42:08 +01:00
Nikos Mavrogiannopoulos
9477340b86 added more precise match of version 2015-01-11 12:40:04 +01:00
Nikos Mavrogiannopoulos
406c171069 avoid repeating username in logs 2015-01-11 12:28:01 +01:00
Nikos Mavrogiannopoulos
2f3d520c85 do not enforce PFS on default strings
That allows legacy clients to connect.
2015-01-11 12:22:27 +01:00
Nikos Mavrogiannopoulos
c3417f0830 simplified DTLS fd handling and dtls_pull() 2015-01-11 11:40:22 +01:00
Nikos Mavrogiannopoulos
a04599afc8 always forward the first message when forwarding fd 2015-01-11 11:33:44 +01:00
Nikos Mavrogiannopoulos
41d61c4225 cleanups 2015-01-11 11:27:06 +01:00
Nikos Mavrogiannopoulos
286ea8ff7b only set IPV6_RECVPKTINFO on IPv6 sockets 2015-01-11 10:57:02 +01:00
Nikos Mavrogiannopoulos
a4c2967e02 simplified forward_udp_to_owner() by introducing oc_recvfrom_at() 2015-01-11 10:53:29 +01:00
Nikos Mavrogiannopoulos
04ec372f4f save MTU in main, and report it to occtl 2015-01-11 10:34:13 +01:00
Nikos Mavrogiannopoulos
3d7ac2c98c bind to the address we received UDP on
That in addition allocates a new UDP socket per client,
and forwards the initial client hello to the worker
process as auxiliary data. That eliminates the need to
re-open the main server's UDP socket per client connection.
2015-01-11 00:46:34 +01:00
Nikos Mavrogiannopoulos
cb56984e8d when compiling with gnutls 3.3.5 or later use the zero copy recv API 2015-01-07 22:33:12 +01:00
Nikos Mavrogiannopoulos
efe61fa48e radius: added safety checks in the parsing of Framed-IPv6-Prefix 2015-01-06 10:58:05 +01:00
Nikos Mavrogiannopoulos
a530330873 radius: use separate types for ipv4 and ipv6 2015-01-06 10:56:24 +01:00
Nikos Mavrogiannopoulos
b097d8a3ff radius: handle Framed-IPv6-Prefix as routes to add 2015-01-01 01:22:32 +02:00
Nikos Mavrogiannopoulos
a1abcdbeae Allow prefixes in specifying the IPv4 network 2014-12-30 17:22:02 +02:00
Nikos Mavrogiannopoulos
674a690301 Disable route and DNS assignment in IPv6 for non-openconnect clients
That is because anyconnect clients can handle the assignment
of an IPv6 address, but cannot handle routes or DNS in IPv6.
So we disable IPv6 after an IP is assigned.
2014-12-30 14:14:22 +02:00
Nikos Mavrogiannopoulos
50f2fb88f6 simplify the input of IPv6 networks
The prefix is specified as part of the network.
2014-12-29 20:15:36 +02:00
Nikos Mavrogiannopoulos
90b0ac7932 radius: added support for Framed-IPv6-Prefix 2014-12-29 20:00:45 +02:00
Nikos Mavrogiannopoulos
73726d13a3 print IPv6 netmask only when in non-full mode
Also use the network address if available to print netmask.
2014-12-29 19:42:00 +02:00
Nikos Mavrogiannopoulos
27b9e91eb8 bail out if use-seccomp is set to true but there is no seccomp capability 2014-12-29 14:22:45 +02:00
Nikos Mavrogiannopoulos
02734d8f54 send the Netmask when an IPv6 Address is assigned 2014-12-29 11:47:39 +02:00
Nikos Mavrogiannopoulos
0b47b5fb8f IPv6 fixes in ip-lease
Issue discovered and fixed by sskaje.
2014-12-29 11:39:52 +02:00
Nikos Mavrogiannopoulos
660311d74d enable IPv6 in Anyconnect clients, and send the prefix 2014-12-28 09:55:35 +02:00
Nikos Mavrogiannopoulos
071a8ae05f Do print error when pam_authenticate or pam_acct_mgmt fail 2014-12-27 11:17:41 +02:00
Nikos Mavrogiannopoulos
b38a1bb39a override the default ipv6_prefix only if ipv6_prefix is set 2014-12-26 20:23:12 +02:00
Nikos Mavrogiannopoulos
80459cfbd5 the default strings will enforce PFS 2014-12-25 10:56:19 +02:00
Nikos Mavrogiannopoulos
6d331584c1 radius: optimize "parse" of route 2014-12-14 20:55:04 +01:00
Nikos Mavrogiannopoulos
4cf2797afc radius: use Framed-Route and Framed-IPv6-Route
That is read and if format is the expected, they are forwarded to client.
2014-12-14 20:37:50 +01:00
Nikos Mavrogiannopoulos
3bbee0b069 more strlcpy() related changes 2014-12-14 20:12:08 +01:00
Nikos Mavrogiannopoulos
9fc8568107 ensure that stats are only updated if they increase
That is, transferred bytes will not decrease in an update
due to miscommunication between main and workers.
2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos
07e01d06b5 use strlcpy() instead of snprintf() where it makes sense
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
853f7876cd radius: increase the info sent during accounting requests
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
2014-12-14 15:03:59 +01:00