l2tp: Check for connection limits upon session creation requests

Since multiple sessions may be created in each tunnel, a client may
bypass the connlimit module by creating many sessions in an existing
tunnel (connlimit is only used upon reception of SCCRQ messages).

This patch adds connlimit checks when handling session creation requests
(ICRQ and OCRQ) so that connection limits get enforced in every case.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>

1 files changed, 26 insertions, 0 deletions

diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c
index 19b90ab4..79d003ef 100644
--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -2463,6 +2463,19 @@ static int l2tp_recv_ICRQ(struct l2tp_conn_t *conn,
 		return 0;
 	}
 
+	if (ap_shutdown) {
+		log_tunnel(log_warn, conn, "shutdown in progress,"
+			   " discarding ICRQ\n");
+		return 0;
+	}
+
+	if (triton_module_loaded("connlimit")
+	    && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) {
+		log_tunnel(log_warn, conn, "connection limits reached,"
+			   " discarding ICRQ\n");
+		return 0;
+	}
+
 	log_tunnel(log_info2, conn, "handling ICRQ\n");
 
 	list_for_each_entry(attr, &pack->attrs, entry) {
@@ -2719,6 +2732,19 @@ static int l2tp_recv_OCRQ(struct l2tp_conn_t *conn,
 		return 0;
 	}
 
+	if (ap_shutdown) {
+		log_tunnel(log_warn, conn, "shutdown in progress,"
+			   " discarding OCRQ\n");
+		return 0;
+	}
+
+	if (triton_module_loaded("connlimit")
+	    && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) {
+		log_tunnel(log_warn, conn, "connection limits reached,"
+			   " discarding OCRQ\n");
+		return 0;
+	}
+
 	log_tunnel(log_info2, conn, "handling OCRQ\n");
 
 	list_for_each_entry(attr, &pack->attrs, entry) {