- this patch adds a `listen-netns` parameter
- when set, the listening socket will be created in the given namespace
it allows you to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
This patch is widely inspired by the haproxy implementation, which allows
binding each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Based on 60641282df.
Snapshots of config files are used to ensure that ocserv-sm and
ocserv-worker remain in sync. These snapshots are anonymous files that
are passed via a file descriptor. A worker creates a new file
description and file descriptor by using open(2) on /proc/self/fd.
Unfortunately OpenBSD lacks support for procfs.
Instead of using snapshots of the config files, let workers use the config
files directly.
While here add a note to README.md about this limitation, and add a CI
run (from @nmav).
Signed-off-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl>
This adds a Fedora CI run with filtered calls failing
with a signal, in order to detect missing syscalls from our filters.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This permits the validation of OpenID Connect auth tokens. OpenID
Connect is an OAuth 2.0 protocol used to identify a resource owner
(VPN client end-user) to a resource server (VPN server) intermediated
by an Authorization server.
Resolves: #240
Signed-off-by: Alan TG Jowett <alan.jowett@microsoft.com>
This enables support for AES-256 for AnyConnect clients which
do not support AES-GCM. It also prioritizes the 256-bit ciphers
above the 128-bit ones.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That is, instead of requiring the user to explicitly pass --with-broken-gnutls,
warn at the end of the configure script.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
In particular, require gnutls 3.5.5, which fixes cleanups in
gnutls_certificate_set_key(), or a recent version of
the 3.3.x branch. When forced to use a broken version, work around the
issues (at the cost of a memory leak).
Resolves: #152
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This checks whether connecting to different virtual hosts
with different authentication methods works.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
That eliminates the need for autogen and also combines the
doc/sample.config and manpage contents. Now doc/sample.config
is the primary config documentation location.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
The complexity of its command line options didn't require
the use of libopts, and by eliminating that dependency for cmd
parsing, we can choose another parser for config file parsing.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
This allows running the root tests under CI, even if the
docker tests (which cannot be run) are not.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>