diff options
author | Guillaume Nault <g.nault@alphalink.fr> | 2013-04-19 12:52:03 +0200 |
---|---|---|
committer | Dmitry Kozlov <xeb@mail.ru> | 2013-04-22 23:09:40 +0400 |
commit | 7941c08174dd5acbaf6cf5316d4fc3ad31a2327d (patch) | |
tree | 5233a73e45c50283e868ca040c9d8ef81e3f28a6 | |
parent | 39615e77e9570ec99c894da44b82b43a32c14c6a (diff) | |
download | accel-ppp-xebd-7941c08174dd5acbaf6cf5316d4fc3ad31a2327d.tar.gz accel-ppp-xebd-7941c08174dd5acbaf6cf5316d4fc3ad31a2327d.zip |
l2tp: Check for connection limits upon session creation requests
Since multiple sessions may be created in each tunnel, a client may
bypass the connlimit module by creating many sessions in an existing
tunnel (connlimit is only used upon reception of SCCRQ messages).
This patch adds connlimit checks when handling session creation requests
(ICRQ and OCRQ) so that connection limits get enforced in every case.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
-rw-r--r-- | accel-pppd/ctrl/l2tp/l2tp.c | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c index 19b90ab..79d003e 100644 --- a/accel-pppd/ctrl/l2tp/l2tp.c +++ b/accel-pppd/ctrl/l2tp/l2tp.c @@ -2463,6 +2463,19 @@ static int l2tp_recv_ICRQ(struct l2tp_conn_t *conn, return 0; } + if (ap_shutdown) { + log_tunnel(log_warn, conn, "shutdown in progress," + " discarding ICRQ\n"); + return 0; + } + + if (triton_module_loaded("connlimit") + && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) { + log_tunnel(log_warn, conn, "connection limits reached," + " discarding ICRQ\n"); + return 0; + } + log_tunnel(log_info2, conn, "handling ICRQ\n"); list_for_each_entry(attr, &pack->attrs, entry) { @@ -2719,6 +2732,19 @@ static int l2tp_recv_OCRQ(struct l2tp_conn_t *conn, return 0; } + if (ap_shutdown) { + log_tunnel(log_warn, conn, "shutdown in progress," + " discarding OCRQ\n"); + return 0; + } + + if (triton_module_loaded("connlimit") + && connlimit_check(cl_key_from_ipv4(conn->peer_addr.sin_addr.s_addr))) { + log_tunnel(log_warn, conn, "connection limits reached," + " discarding OCRQ\n"); + return 0; + } + log_tunnel(log_info2, conn, "handling OCRQ\n"); list_for_each_entry(attr, &pack->attrs, entry) { |