fix cut-n-paste error
[l2tpns.git] / ppp.c
diff --git a/ppp.c b/ppp.c
index 9467ef1..c69c603 100644 (file)
--- a/ppp.c
+++ b/ppp.c
@@ -1,6 +1,6 @@
 // L2TPNS PPP Stuff
 
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.28 2004-11-25 02:45:27 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.38 2004-11-30 19:34:57 bodea Exp $";
 
 #include <stdio.h>
 #include <string.h>
@@ -21,7 +21,9 @@ extern int tunfd;
 extern char hostname[];
 extern u32 eth_tx;
 extern time_t time_now;
-extern struct configt *config;
+extern configt *config;
+
+static void initccp(tunnelidt t, sessionidt s);
 
 // Process PAP messages
 void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
@@ -35,14 +37,14 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
        LOG_HEX(5, "PAP", p, l);
        if (l < 4)
        {
-               LOG(1, 0, s, t, "Short PAP %u bytes\n", l);
+               LOG(1, s, t, "Short PAP %u bytes\n", l);
                STAT(tunnel_rx_errors);
                return ;
        }
 
        if ((hl = ntohs(*(u16 *) (p + 2))) > l)
        {
-               LOG(1, 0, s, t, "Length mismatch PAP %u/%u\n", hl, l);
+               LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -50,7 +52,7 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        if (*p != 1)
        {
-               LOG(1, 0, s, t, "Unexpected PAP code %d\n", *p);
+               LOG(1, s, t, "Unexpected PAP code %d\n", *p);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -65,7 +67,7 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
                if (*b && *b < sizeof(pass))
                        memcpy(pass, b + 1, *b);
                pass[*b] = 0;
-               LOG(3, 0, s, t, "PAP login %s/%s\n", user, pass);
+               LOG(3, s, t, "PAP login %s/%s\n", user, pass);
        }
        if (session[s].ip || !session[s].radius)
        {
@@ -84,14 +86,16 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
                p[4] = 0;                       // no message
                if (session[s].ip)
                {
-                       LOG(3, session[s].ip, s, t, "Already an IP allocated: %s (%d)\n", inet_toa(htonl(session[s].ip)), session[s].ip_pool_index);
+                       LOG(3, s, t, "Already an IP allocated: %s (%d)\n",
+                               fmtaddr(htonl(session[s].ip), 0), session[s].ip_pool_index);
+
                        session[s].flags &= ~SF_IPCP_ACKED;
                }
                else
                {
-                       LOG(1, 0, s, t, "No radius session available to authenticate session...\n");
+                       LOG(1, s, t, "No radius session available to authenticate session...\n");
                }
-               LOG(3, 0, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
+               LOG(3, s, t, "Fallback response to PAP (%s)\n", (session[s].ip) ? "ACK" : "NAK");
                tunnelsend(b, 5 + (p - b), t); // send it
        }
        else
@@ -104,7 +108,7 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
                run_plugins(PLUGIN_PRE_AUTH, &packet);
                if (!packet.continue_auth)
                {
-                       LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
+                       LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
                        if (packet.username) free(packet.username);
                        if (packet.password) free(packet.password);
                        return;
@@ -117,7 +121,7 @@ void processpap(tunnelidt t, sessionidt s, u8 *p, u16 l)
                free(packet.password);
 
                radius[r].id = p[1];
-               LOG(3, 0, s, t, "Sending login for %s/%s to radius\n", user, pass);
+               LOG(3, s, t, "Sending login for %s/%s to radius\n", user, pass);
                radiussend(r, RADIUSAUTH);
        }
 }
@@ -134,7 +138,7 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
        r = session[s].radius;
        if (!r)
        {
-               LOG(1, 0, s, t, "Unexpected CHAP message\n");
+               LOG(1, s, t, "Unexpected CHAP message\n");
 
 // FIXME: Need to drop the session here.
 
@@ -144,14 +148,14 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        if (l < 4)
        {
-               LOG(1, 0, s, t, "Short CHAP %u bytes\n", l);
+               LOG(1, s, t, "Short CHAP %u bytes\n", l);
                STAT(tunnel_rx_errors);
                return ;
        }
 
        if ((hl = ntohs(*(u16 *) (p + 2))) > l)
        {
-               LOG(1, 0, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
+               LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -159,20 +163,20 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        if (*p != 2)
        {
-               LOG(1, 0, s, t, "Unexpected CHAP response code %d\n", *p);
+               LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
                STAT(tunnel_rx_errors);
                return;
        }
        if (p[1] != radius[r].id)
        {
-               LOG(1, 0, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
+               LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
                STAT(tunnel_rx_errors);
                return ;
        }
 
        if (l < 5 || p[4] != 16)
        {
-               LOG(1, 0, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
+               LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -181,7 +185,7 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
        p += 5;
        if (l < 16 || l - 16 >= sizeof(session[s].user))
        {
-               LOG(1, 0, s, t, "CHAP user too long %d\n", l - 16);
+               LOG(1, s, t, "CHAP user too long %d\n", l - 16);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -202,7 +206,7 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
                run_plugins(PLUGIN_PRE_AUTH, &packet);
                if (!packet.continue_auth)
                {
-                       LOG(3, 0, s, t, "A plugin rejected PRE_AUTH\n");
+                       LOG(3, s, t, "A plugin rejected PRE_AUTH\n");
                        if (packet.username) free(packet.username);
                        if (packet.password) free(packet.password);
                        return;
@@ -216,7 +220,7 @@ void processchap(tunnelidt t, sessionidt s, u8 *p, u16 l)
        }
 
        radius[r].chap = 1;
-       LOG(3, 0, s, t, "CHAP login %s\n", session[s].user);
+       LOG(3, s, t, "CHAP login %s\n", session[s].user);
        radiussend(r, RADIUSAUTH);
 }
 
@@ -242,8 +246,8 @@ static void dumplcp(u8 *p, int l)
        u8 *o = (p + 4);
 
        LOG_HEX(5, "PPP LCP Packet", p, l);
-       LOG(4, 0, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
-       LOG(4, 0, 0, 0, "Length: %d\n", l);
+       LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((u16 *) p)[1]) );
+       LOG(4, 0, 0, "Length: %d\n", l);
        if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
                return;
 
@@ -253,12 +257,12 @@ static void dumplcp(u8 *p, int l)
                int length = o[1];
                if (length < 2)
                {
-                       LOG(4, 0, 0, 0, "       Option length is %d...\n", length);
+                       LOG(4, 0, 0, "  Option length is %d...\n", length);
                        break;
                }
                if (type == 0)
                {
-                       LOG(4, 0, 0, 0, "       Option type is 0...\n");
+                       LOG(4, 0, 0, "  Option type is 0...\n");
                        x -= length;
                        o += length;
                        continue;
@@ -267,51 +271,51 @@ static void dumplcp(u8 *p, int l)
                {
                        case 1: // Maximum-Receive-Unit
                                if (length == 4)
-                                       LOG(4, 0, 0, 0, "    %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
+                                       LOG(4, 0, 0, "    %s %d\n", lcp_types[type], ntohs(*(u16 *)(o + 2)));
                                else
-                                       LOG(4, 0, 0, 0, "    %s odd length %d\n", lcp_types[type], length);
+                                       LOG(4, 0, 0, "    %s odd length %d\n", lcp_types[type], length);
                                break;
                        case 2: // Async-Control-Character-Map
                                if (length == 6)
                                {
                                        u32 asyncmap = ntohl(*(u32 *)(o + 2));
-                                       LOG(4, 0, 0, 0, "    %s %x\n", lcp_types[type], asyncmap);
+                                       LOG(4, 0, 0, "    %s %x\n", lcp_types[type], asyncmap);
                                }
                                else
-                                       LOG(4, 0, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
+                                       LOG(4, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
                                break;
                        case 3: // Authentication-Protocol
                                if (length == 4)
                                {
                                        int proto = ntohs(*(u16 *)(o + 2));
-                                       LOG(4, 0, 0, 0, "   %s 0x%x (%s)\n", lcp_types[type], proto,
+                                       LOG(4, 0, 0, "   %s 0x%x (%s)\n", lcp_types[type], proto,
                                                proto == PPPCHAP ? "CHAP" :
                                                proto == PPPPAP  ? "PAP"  : "UNKNOWN");
                                }
                                else
-                                       LOG(4, 0, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
+                                       LOG(4, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
                                break;
                        case 4: // Quality-Protocol
                                {
                                        u32 qp = ntohl(*(u32 *)(o + 2));
-                                       LOG(4, 0, 0, 0, "    %s %x\n", lcp_types[type], qp);
+                                       LOG(4, 0, 0, "    %s %x\n", lcp_types[type], qp);
                                }
                                break;
                        case 5: // Magic-Number
                                if (length == 6)
                                {
                                        u32 magicno = ntohl(*(u32 *)(o + 2));
-                                       LOG(4, 0, 0, 0, "    %s %x\n", lcp_types[type], magicno);
+                                       LOG(4, 0, 0, "    %s %x\n", lcp_types[type], magicno);
                                }
                                else
-                                       LOG(4, 0, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
+                                       LOG(4, 0, 0, "   %s odd length %d\n", lcp_types[type], length);
                                break;
                        case 7: // Protocol-Field-Compression
                        case 8: // Address-And-Control-Field-Compression
-                               LOG(4, 0, 0, 0, "    %s\n", lcp_types[type]);
+                               LOG(4, 0, 0, "    %s\n", lcp_types[type]);
                                break;
                        default:
-                               LOG(2, 0, 0, 0, "    Unknown PPP LCP Option type %d\n", type);
+                               LOG(2, 0, 0, "    Unknown PPP LCP Option type %d\n", type);
                                break;
                }
                x -= length;
@@ -332,14 +336,14 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        LOG_HEX(5, "LCP", p, l);
        if (l < 4)
        {
-               LOG(1, session[s].ip, s, t, "Short LCP %d bytes\n", l);
+               LOG(1, s, t, "Short LCP %d bytes\n", l);
                STAT(tunnel_rx_errors);
                return ;
        }
 
        if ((hl = ntohs(*(u16 *) (p + 2))) > l)
        {
-               LOG(1, 0, s, t, "Length mismatch LCP %u/%u\n", hl, l);
+               LOG(1, s, t, "Length mismatch LCP %u/%u\n", hl, l);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -347,22 +351,23 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        if (*p == ConfigAck)
        {
-               LOG(3, session[s].ip, s, t, "LCP: Discarding ConfigAck\n");
+               LOG(3, s, t, "LCP: Discarding ConfigAck\n");
                session[s].flags |= SF_LCP_ACKED;
        }
        else if (*p == ConfigReq)
        {
                int x = l - 4;
                u8 *o = (p + 4);
-               u8 response = 0;
+               u8 *response = 0;
 
-               LOG(3, session[s].ip, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
+               LOG(3, s, t, "LCP: ConfigReq (%d bytes)...\n", l);
                if (config->debug > 3) dumplcp(p, l);
 
                while (x > 2)
                {
                        int type = o[0];
                        int length = o[1];
+
                        if (length == 0 || type == 0 || x < length) break;
                        switch (type)
                        {
@@ -374,20 +379,21 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                        if (!ntohl(*(u32 *)(o + 2))) // all bits zero is OK
                                                break;
 
-                                       if (response && response != ConfigNak) // rej already queued
+                                       if (response && *response != ConfigNak) // rej already queued
                                                break;
 
-                                       LOG(2, session[s].ip, s, t, "    Remote requesting asyncmap.  Rejecting.\n");
+                                       LOG(2, s, t, "    Remote requesting asyncmap.  Rejecting.\n");
                                        if (!response)
                                        {
-                                               q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
+                                               q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
                                                if (!q) break;
-                                               response = *q++ = ConfigNak;
+                                               *q = ConfigNak;
+                                               q += 4;
                                        }
 
                                        if ((q - b + 11) > sizeof(b))
                                        {
-                                               LOG(2, session[s].ip, s, t, "LCP overflow for asyncmap ConfigNak.\n");
+                                               LOG(2, s, t, "LCP overflow for asyncmap ConfigNak.\n");
                                                break;
                                        }
 
@@ -395,6 +401,7 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                        *q++ = 6;
                                        memset(q, 0, 4); // asyncmap 0
                                        q += 4;
+                                       *((u16 *) (response + 2)) = htons(q - response); // LCP header length
                                        break;
 
                                case 3: // Authentication-Protocol
@@ -404,7 +411,7 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                                if (proto == PPPPAP)
                                                        break;
 
-                                               if (response && response != ConfigNak) // rej already queued
+                                               if (response && *response != ConfigNak) // rej already queued
                                                        break;
 
                                                if (proto == PPPCHAP)
@@ -412,24 +419,26 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                                else
                                                        sprintf(proto_name, "%#4.4x", proto);
 
-                                               LOG(2, session[s].ip, s, t, "    Remote requesting %s authentication.  Rejecting.\n", proto_name);
+                                               LOG(2, s, t, "    Remote requesting %s authentication.  Rejecting.\n", proto_name);
 
                                                if (!response)
                                                {
-                                                       q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
+                                                       q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
                                                        if (!q) break;
-                                                       response = *q++ = ConfigNak;
+                                                       *q = ConfigNak;
+                                                       q += 4;
                                                }
 
                                                if ((q - b + length) > sizeof(b))
                                                {
-                                                       LOG(2, session[s].ip, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
+                                                       LOG(2, s, t, "LCP overflow for %s ConfigNak.\n", proto_name);
                                                        break;
                                                }
 
                                                memcpy(q, o, length);
                                                *(u16 *)(q += 2) = htons(PPPPAP); // NAK -> Use PAP instead
                                                q += length;
+                                               *((u16 *) (response + 2)) = htons(q - response);
                                        }
                                        break;
 
@@ -443,22 +452,24 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                        break;
 
                                default: // Reject any unknown options
-                                       LOG(2, session[s].ip, s, t, "    Rejecting PPP LCP Option type %d\n", type);
-                                       if (!response || response != ConfigRej) // drop nak in favour of rej
+                                       LOG(2, s, t, "    Rejecting PPP LCP Option type %d\n", type);
+                                       if (!response || *response != ConfigRej) // drop nak in favour of rej
                                        {
-                                               q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP);
-                                               if (!q) return;
-                                               response = *q++ = ConfigRej;
+                                               q = response = makeppp(b, sizeof(b), p, 2, t, s, PPPLCP);
+                                               if (!q) break;
+                                               *q = ConfigRej;
+                                               q += 4;
                                        }
 
                                        if ((q - b + length) > sizeof(b))
                                        {
-                                               LOG(2, session[s].ip, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
+                                               LOG(2, s, t, "LCP overflow for ConfigRej (type=%d).\n", type);
                                                break;
                                        }
 
                                        memcpy(q, o, length);
                                        q += length;
+                                       *((u16 *) (response + 2)) = htons(q - response); // LCP header length
                        }
                        x -= length;
                        o += length;
@@ -467,12 +478,12 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                if (!response)
                {
                        // Send back a ConfigAck
-                       q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
+                       q = response = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
                        if (!q) return;
-                       response = *q = ConfigAck;
+                       *q = ConfigAck;
                }
 
-               LOG(3, session[s].ip, s, t, "Sending %s\n", ppp_lcp_types[response]);
+               LOG(3, s, t, "Sending %s\n", ppp_lcp_types[*response]);
                tunnelsend(b, l + (q - b), t);
 
                if (!(session[s].flags & SF_LCP_ACKED))
@@ -480,13 +491,13 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        }
        else if (*p == ConfigNak)
        {
-               LOG(1, session[s].ip, s, t, "Remote end sent a ConfigNak.  Ignoring\n");
+               LOG(1, s, t, "Remote end sent a ConfigNak.  Ignoring\n");
                if (config->debug > 3) dumplcp(p, l);
                return ;
        }
        else if (*p == TerminateReq)
        {
-               LOG(3, session[s].ip, s, t, "LCP: Received TerminateReq.  Sending TerminateAck\n");
+               LOG(3, s, t, "LCP: Received TerminateReq.  Sending TerminateAck\n");
                *p = TerminateAck;      // close
                q = makeppp(b, sizeof(b),  p, l, t, s, PPPLCP);
                if (!q) return;
@@ -499,7 +510,7 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        }
        else if (*p == EchoReq)
        {
-               LOG(5, session[s].ip, s, t, "LCP: Received EchoReq.  Sending EchoReply\n");
+               LOG(5, s, t, "LCP: Received EchoReq.  Sending EchoReply\n");
                *p = EchoReply;         // reply
                *(u32 *) (p + 4) = htonl(session[s].magic); // our magic number
                q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
@@ -515,7 +526,7 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                *p = CodeRej;
                if (l > MAXCONTROL)
                {
-                       LOG(1, 0, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
+                       LOG(1, s, t, "Truncated Ident Packet (length=%d) to 1400 bytes\n", l);
                        l = 1400;
                }
                q = makeppp(b, sizeof(b), p, l, t, s, PPPLCP);
@@ -525,7 +536,7 @@ void processlcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        }
        else
        {
-               LOG(1, session[s].ip, s, t, "Unexpected LCP code %d\n", *p);
+               LOG(1, s, t, "Unexpected LCP code %d\n", *p);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -561,14 +572,14 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        LOG_HEX(5, "IPCP", p, l);
        if (l < 5)
        {
-               LOG(1, 0, s, t, "Short IPCP %d bytes\n", l);
+               LOG(1, s, t, "Short IPCP %d bytes\n", l);
                STAT(tunnel_rx_errors);
                return ;
        }
 
        if ((hl = ntohs(*(u16 *) (p + 2))) > l)
        {
-               LOG(1, 0, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
+               LOG(1, s, t, "Length mismatch IPCP %u/%u\n", hl, l);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -587,24 +598,24 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                }
                session[s].flags |= SF_IPCP_ACKED;
 
-               LOG(3, session[s].ip, s, t, "IPCP Acked, session is now active\n");
+               LOG(3, s, t, "IPCP Acked, session is now active\n");
 
-               // clear  LCP_ACKED flag  for possible fast renegotiaion for routers
-               session[s].flags &= ~SF_LCP_ACKED;
+               // clear LCP_ACKED/CCP_ACKED flag for possible fast renegotiaion for routers
+               session[s].flags &= ~(SF_LCP_ACKED|SF_CCP_ACKED);
 
                return;
        }
        if (*p != ConfigReq)
        {
-               LOG(1, 0, s, t, "Unexpected IPCP code %d\n", *p);
+               LOG(1, s, t, "Unexpected IPCP code %d\n", *p);
                STAT(tunnel_rx_errors);
                return ;
        }
-       LOG(4, session[s].ip, s, t, "IPCP ConfigReq received\n");
+       LOG(4, s, t, "IPCP ConfigReq received\n");
 
        if (!session[s].ip)
        {
-               LOG(3, 0, s, t, "Waiting on radius reply\n");
+               LOG(3, s, t, "Waiting on radius reply\n");
                return;                 // have to wait on RADIUS reply
        }
        // form a config reply quoting the IP in the session
@@ -635,19 +646,19 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                        {
                                if (*p != 0x81 && *p != 0x83 && *p != 3)
                                {
-                                       LOG(2, 0, s, t, "IPCP reject %d\n", *p);
+                                       LOG(2, s, t, "IPCP reject %d\n", *p);
                                        memcpy(q + n, p, p[1]);
                                        n += p[1];
                                }
                                p += p[1];
                        }
                        *(u16 *) (q + 2) = htons(n);
-                       LOG(4, session[s].ip, s, t, "Sending ConfigRej\n");
+                       LOG(4, s, t, "Sending ConfigRej\n");
                        tunnelsend(b, n + (q - b), t); // send it
                }
                else
                {
-                       LOG(4, session[s].ip, s, t, "Sending ConfigAck\n");
+                       LOG(4, s, t, "Sending ConfigAck\n");
                        *p = ConfigAck;
                        if ((i = findppp(p, 0x81))) // Primary DNS address
                        {
@@ -655,7 +666,8 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                {
                                        *(u32 *) (i + 2) = htonl(session[s].dns1);
                                        *p = ConfigNak;
-                                       LOG(5, session[s].ip, s, t, "   DNS1 = %s\n", inet_toa(session[s].dns1));
+                                       LOG(5, s, t, "   DNS1 = %s\n",
+                                               fmtaddr(htonl(session[s].dns1), 0));
                                }
                        }
                        if ((i = findppp(p, 0x83))) // Secondary DNS address (TBA, is it)
@@ -664,13 +676,14 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                                {
                                        *(u32 *) (i + 2) = htonl(session[s].dns2);
                                        *p = ConfigNak;
-                                       LOG(5, session[s].ip, s, t, "   DNS2 = %s\n", inet_toa(session[s].dns2));
+                                       LOG(5, s, t, "   DNS2 = %s\n",
+                                               fmtaddr(htonl(session[s].dns2), 0));
                                }
                        }
                        i = findppp(p, 3);              // IP address
                        if (!i || i[1] != 6)
                        {
-                               LOG(1, 0, s, t, "No IP in IPCP request\n");
+                               LOG(1, s, t, "No IP in IPCP request\n");
                                STAT(tunnel_rx_errors);
                                return ;
                        }
@@ -678,8 +691,8 @@ void processipcp(tunnelidt t, sessionidt s, u8 *p, u16 l)
                        {
                                *(u32 *) (i + 2) = htonl(session[s].ip);
                                *p = ConfigNak;
-                               LOG(4, session[s].ip, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
-                                               inet_toa(htonl(session[s].ip)));
+                               LOG(4, s, t, " No, a ConfigNak, client is requesting IP - sending %s\n",
+                                               fmtaddr(htonl(session[s].ip), 0));
                        }
                        if (!(q = makeppp(b, sizeof(b), p, l, t, s, PPPIPCP)))
                                return;
@@ -705,7 +718,7 @@ void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        if (l > MAXETHER)
        {
-               LOG(1, ip, s, t, "IP packet too long %d\n", l);
+               LOG(1, s, t, "IP packet too long %d\n", l);
                STAT(tunnel_rx_errors);
                return ;
        }
@@ -713,10 +726,14 @@ void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
        // no spoof (do sessionbyip to handled statically routed subnets)
        if (ip != session[s].ip && sessionbyip(htonl(ip)) != s)
        {
-               LOG(5, ip, s, t, "Dropping packet with spoofed IP %s\n", inet_toa(htonl(ip)));
+               LOG(5, s, t, "Dropping packet with spoofed IP %s\n", fmtaddr(htonl(ip), 0));
                return;
        }
 
+       // run access-list if any
+       if (session[s].filter_in && !ip_filter(p, l, session[s].filter_in - 1))
+               return;
+
        // Add on the tun header
        p -= 4;
        *(u32 *)p = htonl(0x00000800);
@@ -736,7 +753,7 @@ void processipin(tunnelidt t, sessionidt s, u8 *p, u16 l)
        if (tun_write(p, l) < 0)
        {
                STAT(tun_tx_errors);
-               LOG(0, 0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
+               LOG(0, s, t, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
                        l, strerror(errno), tunfd, p);
 
                return;
@@ -770,7 +787,7 @@ void send_ipin(sessionidt s, u8 *buf, int len)
        if (write(tunfd, buf, len) < 0)
        {
                STAT(tun_tx_errors);
-               LOG(0, 0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
+               LOG(0, 0, 0, "Error writing %d bytes to TUN device: %s (tunfd=%d, p=%p)\n",
                        len, strerror(errno), tunfd, buf);
 
                return;
@@ -806,11 +823,23 @@ void processccp(tunnelidt t, sessionidt s, u8 *p, u16 l)
        LOG_HEX(5, "CCP", p, l);
        switch (l > 1 ? *p : 0)
        {
+       case ConfigAck:
+               session[s].flags |= SF_CCP_ACKED;
+               return;
+
        case ConfigReq:
-               if (l < 6)
-                       *p = ConfigAck;         // accept no compression
-               else
-                       *p = ConfigRej;         // reject
+               if (l < 6) // accept no compression
+               {
+                       *p = ConfigAck;
+                       break;
+               }
+
+               // compression requested--reject
+               *p = ConfigRej;
+
+               // send CCP request for no compression for our end if not negotiated
+               if (!(session[s].flags & SF_CCP_ACKED))
+                       initccp(t, s);
 
                break;
 
@@ -820,9 +849,9 @@ void processccp(tunnelidt t, sessionidt s, u8 *p, u16 l)
 
        default:
                if (l > 1)
-                       LOG(1, 0, s, t, "Unexpected CCP request code %d\n", *p);
+                       LOG(1, s, t, "Unexpected CCP request code %d\n", *p);
                else
-                       LOG(1, 0, s, t, "Short CCP packet\n");
+                       LOG(1, s, t, "Short CCP packet\n");
 
                STAT(tunnel_rx_errors);
                return;
@@ -845,11 +874,11 @@ void sendchap(tunnelidt t, sessionidt s)
 
        if (!r)
        {
-               LOG(1, 0, s, t, "No RADIUS to send challenge\n");
+               LOG(1, s, t, "No RADIUS to send challenge\n");
                STAT(tunnel_tx_errors);
                return ;
        }
-       LOG(1, 0, s, t, "Send CHAP challenge\n");
+       LOG(1, s, t, "Send CHAP challenge\n");
        {
                // new challenge
                int n;
@@ -888,7 +917,7 @@ u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
        if (size < 12) // Need more space than this!!
        {
                static int backtrace_count = 0;
-               LOG(0, session[s].ip, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
+               LOG(0, s, t, "makeppp buffer too small for L2TP header (size=%d)\n", size);
                log_backtrace(backtrace_count, 5)
                return NULL;
        }
@@ -913,7 +942,7 @@ u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
        if (l + 12 > size)
        {
                static int backtrace_count = 0;
-               LOG(2, session[s].ip, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
+               LOG(2, s, t, "makeppp would overflow buffer (size=%d, header+payload=%d)\n", size, l + 12);
                log_backtrace(backtrace_count, 5)
                return NULL;
        }
@@ -924,15 +953,15 @@ u8 *makeppp(u8 *b, int size, u8 *p, int l, tunnelidt t, sessionidt s, u16 mtype)
        return b;
 }
 
-// Send initial LCP ConfigReq
+// Send initial LCP ConfigReq for PAP, set magic no.
 void initlcp(tunnelidt t, sessionidt s)
 {
-       char b[500] = {0}, *q;
+       char b[500], *q;
 
        if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPLCP)))
                return;
 
-       LOG(4, 0, s, t, "Sending LCP ConfigReq for PAP\n");
+       LOG(4, s, t, "Sending LCP ConfigReq for PAP\n");
        *q = ConfigReq;
        *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
        *(u16 *)(q + 2) = htons(14); // Length
@@ -942,5 +971,24 @@ void initlcp(tunnelidt t, sessionidt s)
        *(u8 *)(q + 10) = 3;
        *(u8 *)(q + 11) = 4;
        *(u16 *)(q + 12) = htons(PPPPAP); // PAP
-       tunnelsend(b, 12 + 14, t);
+
+       LOG_HEX(5, "PPPLCP", q, 14);
+       tunnelsend(b, (q - b) + 14, t);
+}
+
+// Send CCP request for no compression
+static void initccp(tunnelidt t, sessionidt s)
+{
+       char b[500], *q;
+
+       if (!(q = makeppp(b, sizeof(b), NULL, 0, t, s, PPPCCP)))
+               return;
+
+       LOG(4, s, t, "Sending CCP ConfigReq for no compression\n");
+       *q = ConfigReq;
+       *(u8 *)(q + 1) = (time_now % 255) + 1; // ID
+       *(u16 *)(q + 2) = htons(4); // Length
+
+       LOG_HEX(5, "PPPCCP", q, 4);
+       tunnelsend(b, (q - b) + 4 , t);
 }