Declare C string constants using array syntax, avoid pointer syntax
when possible. They are different, the array syntax generates smaller,
faster code.
Also, const char[] should usually be static, again to avoid poor
compilation and runtime performance where compilers tend to
initialize the const declaration for every call instead of using
.rodata for the string.
Signed-off-by: Dimitri Papadopoulos <3350651-DimitriPapadopoulos@users.noreply.gitlab.com>
By default, anyconnect clients will drop all traffic of a given IP
version if there is no IP address in that version assigned to the
client. The client-bypass-protocol option, if enabled, will send an
extra header to the clients telling anyconnect client to bypass VPN
tunnel if there is no IP assigned. No impact for openconnect clients,
this header will simply be ignored.
Signed-off-by: Florian Domain <f.domain@criteo.com>
- print outfile instead of new command; this will help debug when an
issue occurs, to know what was the original output
- also add some time between tests to avoid race; this was failing on
"could not find group information"
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).
inet 192.168.93.190/32 scope global tun0
PING 192.168.93.1 (192.168.93.1) 56(84) bytes of data.
64 bytes from 192.168.93.1: icmp_seq=1 ttl=64 time=0.217 ms
64 bytes from 192.168.93.1: icmp_seq=2 ttl=64 time=0.246 ms
64 bytes from 192.168.93.1: icmp_seq=3 ttl=64 time=0.235 ms
--- 192.168.93.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2052ms
rtt min/avg/max/mdev = 0.217/0.232/0.246/0.011 ms
could not find group information
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
while using udp, we later open a file descriptor for the worker. With a
listen netns config, I overlooked this case which oblige me to move the
struct containing the file descriptor in the main one. Then I can access
them from each worker to make it possible to open the socket in the
correct netns. I also need to keep the netns fd open during the whole
life of the process.
the issue was not visible on a tcp-only case, but while using udp you
can see logs such as:
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
worker[user]: x.x.x.x setting up DTLS-PSK connection
main[user]: x.x.x.x:54024 bind UDP to 0.0.0.0:443: Cannot assign requested address
update tests to reflects that:
- instead of creating our own netns, use the one created in common.sh
- we start server in ns1, but listen in ns2, and test client from ns3
(we don't want to listen in ns1 to test listen-ns)
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
This ignores any items following the first group class attribute.
Resolves: #332
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Add support for gracefully stopping the server.
Add primer on using ocserv with L3 load balancer.
Resolves: #345
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
Now all tests configs are being auto-generated, so this variable
will be replaced.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
This disables all the tests that use LD_PRELOAD, and thus limits
the test suite on the tests that are run as root.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
The previously used HOSTNAME variable is being overriden by bash and
thus was not a reliable one. We switch to setting REMOTE_HOSTNAME,
but keep the HOSTNAME for compatibility.
This also changes 'test-pass-script' to check for the new variable.
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Previously when we were disconnecting a user there were few seconds
after which the cookie was still valid, so a reconnect would succeed
by the same user. This change ensures that a disconnected (via occtl)
user cannot re-use the same cookie to connect. That enables a safe
user removal from the authentication database, and from run-time.
Resolves: #59
Signed-off-by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
- this patch adds `listen-netns` parameter
- when set the listening socket will be created in the given namespace
it allows to properly segregate your traffic:
- do the backend traffic in the root namespace
- receive the VIP traffic in a given namespace
All this patch is widely inspired by haproxy implementation which allows
to bind each IP in a given namespace.
Resolves: #316
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
