From 7941c08174dd5acbaf6cf5316d4fc3ad31a2327d Mon Sep 17 00:00:00 2001
From: Guillaume Nault
Date: Fri, 19 Apr 2013 12:52:03 +0200
Subject: l2tp: Check for connection limits upon session creation requests

Since multiple sessions may be created in each tunnel, a client may bypass the connlimit module by creating many sessions in an existing tunnel (connlimit is only used upon reception of SCCRQ messages). This patch adds connlimit checks when handling session creation requests (ICRQ and OCRQ) so that connection limits get enforced in every case.

Signed-off-by: Guillaume Nault
---
 accel-pppd/ctrl/l2tp/l2tp.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

(limited to 'accel-pppd/ctrl/l2tp/l2tp.c')

diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c
index 19b90ab4..79d003ef 100644
--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -2463,6 +2463,19 @@ static int l2tp_recv_ICRQ(struct l2tp_conn_t *conn,
 return 0;
 }
 
+ if (ap_shutdown) {
+ log_tunnel(log_warn, conn, "shutdown in progress,"
+ " discarding ICRQ\n");
+ return 0;
+ }
+
+ if (triton_module_loaded("connlimit")
+ && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) {
+ log_tunnel(log_warn, conn, "connection limits reached,"
+ " discarding ICRQ\n");
+ return 0;
+ }
+
 log_tunnel(log_info2, conn, "handling ICRQ\n");
 
 list_for_each_entry(attr, &pack->attrs, entry) {
@@ -2719,6 +2732,19 @@ static int l2tp_recv_OCRQ(struct l2tp_conn_t *conn,
 return 0;
 }
 
+ if (ap_shutdown) {
+ log_tunnel(log_warn, conn, "shutdown in progress,"
+ " discarding OCRQ\n");
+ return 0;
+ }
+
+ if (triton_module_loaded("connlimit")
+ && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) {
+ log_tunnel(log_warn, conn, "connection limits reached,"
+ " discarding OCRQ\n");
+ return 0;
+ }
+
 log_tunnel(log_info2, conn, "handling OCRQ\n");
 
 list_for_each_entry(attr, &pack->attrs, entry) {
-- 
cgit v1.2.3
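Review bot: The two admission guards added at the top of l2tp_recv_ICRQ are repeated verbatim in the l2tp_recv_OCRQ hunk, differing only in the message name inside the log string, and per the description the same connlimit check already exists on the SCCRQ path, so there are now three copies to keep in sync; a small static helper taking the message name removes the duplication (the sketch below assumes log_tunnel accepts printf-style arguments, which the visible calls neither confirm nor rule out). On the same lines, a refused request is dropped with `return 0` and no reply, so a peer over its limit presumably only discovers the refusal by timeout and may retransmit; if the SCCRQ path answers its refusal with a control message, the session path should probably do likewise, which is worth confirming against that code. Each refused request also logs at log_warn, so a single peer repeatedly sending ICRQ/OCRQ yields one warning per message; log_info2 would keep an over-limit peer from filling the log. Both enclosing functions start and end outside their hunks.
```c
/* Admission check shared by the ICRQ and OCRQ handlers: refuse new
 * sessions while the daemon is shutting down or when the connlimit
 * module reports the peer over its limit. Returns 1 if the request
 * may be handled, 0 if it must be discarded (already logged). */
static int l2tp_session_req_allowed(struct l2tp_conn_t *conn, const char *msg)
{
	if (ap_shutdown) {
		log_tunnel(log_warn, conn, "shutdown in progress,"
			   " discarding %s\n", msg);
		return 0;
	}

	if (triton_module_loaded("connlimit")
	    && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) {
		log_tunnel(log_warn, conn, "connection limits reached,"
			   " discarding %s\n", msg);
		return 0;
	}

	return 1;
}

/* … unchanged: l2tp_recv_ICRQ up to its existing early returns … */
	if (!l2tp_session_req_allowed(conn, "ICRQ"))
		return 0;

	log_tunnel(log_info2, conn, "handling ICRQ\n");
/* … unchanged: attribute loop …; l2tp_recv_OCRQ gets the same call with "OCRQ" … */
```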