X-Git-Url: http://git.sameswireless.fr/l2tpns.git/blobdiff_plain/90a81d13b57bc08caaeaaccfcc4be75bf7a418a2..71f264277463b492bea5dadee35255f837301499:/l2tpns.c diff --git a/l2tpns.c b/l2tpns.c index 6839c25..b4828c3 100644 --- a/l2tpns.c +++ b/l2tpns.c @@ -4,7 +4,7 @@ // Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced // vim: sw=8 ts=8 -char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.131 2005-09-13 14:27:14 bodea Exp $"; +char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.162 2006-04-23 23:18:31 bodea Exp $"; #include #include @@ -75,6 +75,10 @@ static int syslog_log = 0; // are we logging to syslog static FILE *log_stream = 0; // file handle for direct logging (i.e. direct into file, not via syslog). uint32_t last_id = 0; // Unique ID for radius accounting +// calculated from config->l2tp_mtu +uint16_t MRU = 0; // PPP MRU +uint16_t MSS = 0; // TCP MSS + struct cli_session_actions *cli_session_actions = NULL; // Pending session changes requested by CLI struct cli_tunnel_actions *cli_tunnel_actions = NULL; // Pending tunnel changes required by CLI @@ -92,7 +96,9 @@ uint32_t eth_tx = 0; static uint32_t ip_pool_size = 1; // Size of the pool of addresses used for dynamic address allocation. time_t time_now = 0; // Current time in seconds since epoch. static char time_now_string[64] = {0}; // Current time as a string. +static int time_changed = 0; // time_now changed char main_quit = 0; // True if we're in the process of exiting. +static char main_reload = 0; // Re-load pending linked_list *loaded_plugins; linked_list *plugins[MAX_PLUGIN_TYPES]; @@ -104,7 +110,8 @@ config_descriptt config_values[] = { CONFIG("log_file", log_filename, STRING), CONFIG("pid_file", pid_file, STRING), CONFIG("random_device", random_device, STRING), - CONFIG("l2tp_secret", l2tpsecret, STRING), + CONFIG("l2tp_secret", l2tp_secret, STRING), + CONFIG("l2tp_mtu", l2tp_mtu, INT), CONFIG("ppp_restart_time", ppp_restart_time, INT), CONFIG("ppp_max_configure", ppp_max_configure, INT), CONFIG("ppp_max_failure", ppp_max_failure, INT), @@ -155,6 +162,7 @@ static char *plugin_functions[] = { "plugin_control", "plugin_radius_response", "plugin_radius_reset", + "plugin_radius_account", "plugin_become_master", "plugin_new_session_master", }; @@ -183,7 +191,6 @@ static void cache_ipv6map(struct in6_addr ip, int prefixlen, int s); static void free_ip_address(sessionidt s); static void dump_acct_info(int all); static void sighup_handler(int sig); -static void sigalrm_handler(int sig); static void shutdown_handler(int sig); static void sigchild_handler(int sig); static void build_chap_response(uint8_t *challenge, uint8_t id, uint16_t challenge_length, uint8_t **challenge_response); @@ -193,7 +200,7 @@ static void initplugins(void); static int add_plugin(char *plugin_name); static int remove_plugin(char *plugin_name); static void plugins_done(void); -static void processcontrol(uint8_t *buf, int len, struct sockaddr_in *addr, int alen); +static void processcontrol(uint8_t *buf, int len, struct sockaddr_in *addr, int alen, struct in_addr *local); static tunnelidt new_tunnel(void); static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vector, size_t vec_len); @@ -205,11 +212,17 @@ static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vec #define QUIT_SHUTDOWN 2 // SIGQUIT: shutdown sessions/tunnels, reject new connections // return internal time (10ths since process startup), set f if given +// as a side-effect sets time_now, and time_changed static clockt now(double *f) { struct timeval t; gettimeofday(&t, 0); if (f) *f = t.tv_sec + t.tv_usec / 1000000.0; + if (t.tv_sec != time_now) + { + time_now = t.tv_sec; + time_changed++; + } return (t.tv_sec - basetime) * 10 + t.tv_usec / 100000 + 1; } @@ -541,6 +554,13 @@ static void inittun(void) LOG(0, 0, 0, "Error setting tun queue length: %s\n", strerror(errno)); exit(1); } + /* set MTU to modem MRU */ + ifr.ifr_mtu = MRU; + if (ioctl(ifrfd, SIOCSIFMTU, (void *) &ifr) < 0) + { + LOG(0, 0, 0, "Error setting tun MTU: %s\n", strerror(errno)); + exit(1); + } ifr.ifr_flags = IFF_UP; if (ioctl(ifrfd, SIOCSIFFLAGS, (void *) &ifr) < 0) { @@ -614,6 +634,7 @@ static void initudp(void) addr.sin_port = htons(NSCTL_PORT); controlfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); setsockopt(controlfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); + setsockopt(controlfd, SOL_IP, IP_PKTINFO, &on, sizeof(on)); // recvfromto if (bind(controlfd, (void *) &addr, sizeof(addr)) < 0) { LOG(0, 0, 0, "Error in control bind: %s\n", strerror(errno)); @@ -626,6 +647,7 @@ static void initudp(void) addr.sin_port = htons(config->radius_dae_port); daefd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); setsockopt(daefd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)); + setsockopt(daefd, SOL_IP, IP_PKTINFO, &on, sizeof(on)); // recvfromto if (bind(daefd, (void *) &addr, sizeof(addr)) < 0) { LOG(0, 0, 0, "Error in DAE bind: %s\n", strerror(errno)); @@ -920,18 +942,14 @@ void tunnelsend(uint8_t * buf, uint16_t l, tunnelidt t) if (!t) { - static int backtrace_count = 0; LOG(0, 0, t, "tunnelsend called with 0 as tunnel id\n"); STAT(tunnel_tx_errors); - log_backtrace(backtrace_count, 5) return; } if (!tunnel[t].ip) { - static int backtrace_count = 0; LOG(1, 0, t, "Error sending data out tunnel: no remote endpoint (tunnel not set up)\n"); - log_backtrace(backtrace_count, 5) STAT(tunnel_tx_errors); return; } @@ -949,7 +967,7 @@ void tunnelsend(uint8_t * buf, uint16_t l, tunnelidt t) { tunnel[t].last = time_now; // control message sent tunnel[t].retry = backoff(tunnel[t].try); // when to resend - if (tunnel[t].try > 1) + if (tunnel[t].try) { STAT(tunnel_retries); LOG(3, 0, t, "Control message resend try %d\n", tunnel[t].try); @@ -978,6 +996,61 @@ int tun_write(uint8_t * data, int size) return write(tunfd, data, size); } +// adjust tcp mss to avoid fragmentation (called only for tcp packets with syn set) +void adjust_tcp_mss(sessionidt s, tunnelidt t, uint8_t *buf, int len, uint8_t *tcp) +{ + int d = (tcp[12] >> 4) * 4; + uint8_t *mss = 0; + uint8_t *opts; + uint8_t *data; + uint16_t orig; + uint32_t sum; + + if ((tcp[13] & 0x3f) & ~(TCP_FLAG_SYN|TCP_FLAG_ACK)) // only want SYN and SYN,ACK + return; + + if (tcp + d > buf + len) // short? + return; + + opts = tcp + 20; + data = tcp + d; + + while (opts < data) + { + if (*opts == 2 && opts[1] == 4) // mss option (2), length 4 + { + mss = opts + 2; + if (mss + 2 > data) return; // short? + break; + } + + if (*opts == 0) return; // end of options + if (*opts == 1 || !opts[1]) // no op (one byte), or no length (prevent loop) + opts++; + else + opts += opts[1]; // skip over option + } + + if (!mss) return; // not found + orig = ntohs(*(uint16_t *) mss); + + if (orig <= MSS) return; // mss OK + + LOG(5, s, t, "TCP: %s:%u -> %s:%u SYN%s: adjusted mss from %u to %u\n", + fmtaddr(*(in_addr_t *) (buf + 12), 0), ntohs(*(uint16_t *) tcp), + fmtaddr(*(in_addr_t *) (buf + 16), 1), ntohs(*(uint16_t *) (tcp + 2)), + (tcp[13] & TCP_FLAG_ACK) ? ",ACK" : "", orig, MSS); + + // set mss + *(int16_t *) mss = htons(MSS); + + // adjust checksum (see rfc1141) + sum = orig + (~MSS & 0xffff); + sum += ntohs(*(uint16_t *) (tcp + 16)); + sum = (sum & 0xffff) + (sum >> 16); + *(uint16_t *) (tcp + 16) = htons(sum + (sum >> 16)); +} + // process outgoing (to tunnel) IP // static void processipout(uint8_t *buf, int len) @@ -1085,6 +1158,14 @@ static void processipout(uint8_t *buf, int len) if (session[s].filter_out && !ip_filter(buf, len, session[s].filter_out - 1)) return; + // adjust MSS on SYN and SYN,ACK packets with options + if ((ntohs(*(uint16_t *) (buf + 6)) & 0x1fff) == 0 && buf[9] == IPPROTO_TCP) // first tcp fragment + { + int ihl = (buf[0] & 0xf) * 4; // length of IP header + if (len >= ihl + 20 && (buf[ihl + 13] & TCP_FLAG_SYN) && ((buf[ihl + 12] >> 4) > 5)) + adjust_tcp_mss(s, t, buf, len, buf + ihl); + } + if (sp->tbf_out) { // Are we throttling this session? @@ -1094,7 +1175,8 @@ static void processipout(uint8_t *buf, int len) master_throttle_packet(sp->tbf_out, data, size); return; } - else if (sp->walled_garden && !config->cluster_iam_master) + + if (sp->walled_garden && !config->cluster_iam_master) { // We are walled-gardening this master_garden_packet(s, data, size); @@ -1477,7 +1559,7 @@ void filter_session(sessionidt s, int filter_in, int filter_out) } // start tidy shutdown of session -void sessionshutdown(sessionidt s, char *reason, int result, int error) +void sessionshutdown(sessionidt s, char const *reason, int cdn_result, int cdn_error, int term_cause) { int walled_garden = session[s].walled_garden; @@ -1505,7 +1587,11 @@ void sessionshutdown(sessionidt s, char *reason, int result, int error) { // stop, if not already trying if (radius[r].state != RADIUSSTOP) + { + radius[r].term_cause = term_cause; + radius[r].term_msg = reason; radiussend(r, RADIUSSTOP); + } } else LOG(1, s, session[s].tunnel, "No free RADIUS sessions for Stop message\n"); @@ -1545,18 +1631,18 @@ void sessionshutdown(sessionidt s, char *reason, int result, int error) if (session[s].throttle_in || session[s].throttle_out) // Unthrottle if throttled. throttle_session(s, 0, 0); - if (result) + if (cdn_result) { // Send CDN controlt *c = controlnew(14); // sending CDN - if (error) + if (cdn_error) { uint8_t buf[4]; - *(uint16_t *) buf = htons(result); - *(uint16_t *) (buf+2) = htons(error); + *(uint16_t *) buf = htons(cdn_result); + *(uint16_t *) (buf+2) = htons(cdn_error); controlb(c, 1, buf, 4, 1); } else - control16(c, 1, result, 1); + control16(c, 1, cdn_result, 1); control16(c, 14, s, 1); // assigned session (our end) controladd(c, session[s].far, session[s].tunnel); // send the message @@ -1606,6 +1692,7 @@ void sendipcp(sessionidt s, tunnelidt t) my_address; // send my IP tunnelsend(buf, 10 + (q - buf), t); // send it + restart_timer(s, ipcp); } void sendipv6cp(sessionidt s, tunnelidt t) @@ -1631,6 +1718,7 @@ void sendipv6cp(sessionidt s, tunnelidt t) q[13] = 1; tunnelsend(buf, 14 + (q - buf), t); // send it + restart_timer(s, ipv6cp); } static void sessionclear(sessionidt s) @@ -1660,7 +1748,7 @@ void sessionkill(sessionidt s, char *reason) } session[s].die = TIME; - sessionshutdown(s, reason, 3, 0); // close radius/routes, etc. + sessionshutdown(s, reason, CDN_ADMIN_DISC, TERM_ADMIN_RESET); // close radius/routes, etc. if (sess_local[s].radius) radiusclear(sess_local[s].radius, s); // cant send clean accounting data, session is killed @@ -1725,7 +1813,7 @@ static void tunnelshutdown(tunnelidt t, char *reason, int result, int error, cha // close session for (s = 1; s <= config->cluster_highest_sessionid ; ++s) if (session[s].tunnel == t) - sessionshutdown(s, reason, 0, 0); + sessionshutdown(s, reason, CDN_NONE, TERM_ADMIN_RESET); tunnel[t].state = TUNNELDIE; tunnel[t].die = TIME + 700; // Clean up in 70 seconds @@ -1964,6 +2052,12 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) int error = 0; char *msg = 0; + // default disconnect cause/message on receipt + // of CDN (set to more specific value from + // attribute 46 if present below). + int disc_cause = TERM_NAS_REQUEST; + char const *disc_reason = "Closed (Received CDN)."; + // process AVPs while (l && !(fatal & 0x80)) // 0x80 = mandatory AVP { @@ -1971,6 +2065,7 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) uint8_t *b = p; uint8_t flags = *p; uint16_t mtype; + if (n > l) { LOG(1, s, t, "Invalid length in AVP\n"); @@ -2008,7 +2103,7 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) uint16_t orig_len; // handle hidden AVPs - if (!*config->l2tpsecret) + if (!*config->l2tp_secret) { LOG(1, s, t, "Hidden AVP requested, but no L2TP secret.\n"); fatal = flags; @@ -2107,17 +2202,13 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) } break; case 3: // framing capabilities -// LOG(4, s, t, "Framing capabilities\n"); break; case 4: // bearer capabilities -// LOG(4, s, t, "Bearer capabilities\n"); break; case 5: // tie breaker // We never open tunnels, so we don't care about tie breakers -// LOG(4, s, t, "Tie breaker\n"); continue; case 6: // firmware revision -// LOG(4, s, t, "Firmware revision\n"); break; case 7: // host name memset(tunnel[t].hostname, 0, sizeof(tunnel[t].hostname)); @@ -2251,9 +2342,9 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) if (*p == 5 && p[1] == 6) // Magic-Number amagic = ntohl(*(uint32_t *) (p + 2)); else if (*p == 7) // Protocol-Field-Compression - aflags |= SESSIONPFC; + aflags |= SESSION_PFC; else if (*p == 8) // Address-and-Control-Field-Compression - aflags |= SESSIONACFC; + aflags |= SESSION_ACFC; p += p[1]; } } @@ -2272,6 +2363,84 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) memcpy(session[s].random_vector, b, n); session[s].random_vector_length = n; break; + case 46: // ppp disconnect cause + if (n >= 5) + { + uint16_t code = ntohs(*(uint16_t *) b); + uint16_t proto = ntohs(*(uint16_t *) (b + 2)); + uint8_t dir = *(b + 4); + + LOG(4, s, t, " PPP disconnect cause " + "(code=%u, proto=%04X, dir=%u, msg=\"%.*s\")\n", + code, proto, dir, n - 5, b + 5); + + switch (code) + { + case 1: // admin disconnect + disc_cause = TERM_ADMIN_RESET; + disc_reason = "Administrative disconnect"; + break; + case 3: // lcp terminate + if (dir != 2) break; // 1=peer (LNS), 2=local (LAC) + disc_cause = TERM_USER_REQUEST; + disc_reason = "Normal disconnection"; + break; + case 4: // compulsory encryption unavailable + if (dir != 1) break; // 1=refused by peer, 2=local + disc_cause = TERM_USER_ERROR; + disc_reason = "Compulsory encryption refused"; + break; + case 5: // lcp: fsm timeout + disc_cause = TERM_PORT_ERROR; + disc_reason = "LCP: FSM timeout"; + break; + case 6: // lcp: no recognisable lcp packets received + disc_cause = TERM_PORT_ERROR; + disc_reason = "LCP: no recognisable LCP packets"; + break; + case 7: // lcp: magic-no error (possibly looped back) + disc_cause = TERM_PORT_ERROR; + disc_reason = "LCP: magic-no error (possible loop)"; + break; + case 8: // lcp: echo request timeout + disc_cause = TERM_PORT_ERROR; + disc_reason = "LCP: echo request timeout"; + break; + case 13: // auth: fsm timeout + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = "Authentication: FSM timeout"; + break; + case 15: // auth: unacceptable auth protocol + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = "Unacceptable authentication protocol"; + break; + case 16: // auth: authentication failed + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = "Authentication failed"; + break; + case 17: // ncp: fsm timeout + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = "NCP: FSM timeout"; + break; + case 18: // ncp: no ncps available + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = "NCP: no NCPs available"; + break; + case 19: // ncp: failure to converge on acceptable address + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = (dir == 1) + ? "NCP: too many Configure-Naks received from peer" + : "NCP: too many Configure-Naks sent to peer"; + break; + case 20: // ncp: user not permitted to use any address + disc_cause = TERM_SERVICE_UNAVAILABLE; + disc_reason = (dir == 1) + ? "NCP: local link address not acceptable to peer" + : "NCP: remote link address not acceptable"; + break; + } + } + break; default: { static char e[] = "unknown AVP 0xXXXX"; @@ -2380,22 +2549,20 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) case 12: // ICCN if (amagic == 0) amagic = time_now; session[s].magic = amagic; // set magic number - session[s].l2tp_flags = aflags; // set flags received - session[s].mru = DEFAULT_MRU; + session[s].flags = aflags; // set flags received + session[s].mru = PPPoE_MRU; // default controlnull(t); // ack // start LCP - sess_local[s].lcp.restart = time_now + config->ppp_restart_time; - sess_local[s].lcp.conf_sent = 1; - sess_local[s].lcp.nak_sent = 0; sess_local[s].lcp_authtype = config->radius_authprefer; - session[s].ppp.lcp = RequestSent; + sess_local[s].ppp_mru = MRU; sendlcp(s, t); - + change_state(s, lcp, RequestSent); break; + case 14: // CDN controlnull(t); // ack - sessionshutdown(s, "Closed (Received CDN).", 0, 0); + sessionshutdown(s, disc_reason, CDN_NONE, disc_cause); break; case 0xFFFF: LOG(1, s, t, "Missing message type\n"); @@ -2531,31 +2698,9 @@ void processudp(uint8_t *buf, int len, struct sockaddr_in *addr) } else if (session[s].ppp.lcp == Opened) { - uint8_t buf[MAXETHER]; - uint8_t *q; - int mru = session[s].mru; - - if (!mru) mru = MAXMRU; - if (mru > sizeof(buf)) mru = sizeof(buf); - - l += 6; - if (l > mru) l = mru; - - q = makeppp(buf, sizeof(buf), 0, 0, s, t, proto); - if (!q) return; - - *q = CodeRej; - *(q + 1) = ++sess_local[s].lcp_ident; - *(uint16_t *)(q + 2) = l; - *(uint16_t *)(q + 4) = htons(proto); - memcpy(q + 6, p, l - 6); - - if (proto == PPPIPV6CP) - LOG(3, s, t, "LCP: send ProtocolRej (IPV6CP: not configured)\n"); - else - LOG(2, s, t, "LCP: sent ProtocolRej (0x%04X: unsupported)\n", proto); - - tunnelsend(buf, l + (q - buf), t); + session[s].last_packet = time_now; + if (!config->cluster_iam_master) { master_forward_packet(buf, len, addr->sin_addr.s_addr, addr->sin_port); return; } + protoreject(s, t, p, l, proto); } else { @@ -2671,7 +2816,7 @@ static void regular_cleanups(double period) } } // Send hello - if (tunnel[t].state == TUNNELOPEN && (time_now - tunnel[t].lastrec) > 60) + if (tunnel[t].state == TUNNELOPEN && !tunnel[t].controlc && (time_now - tunnel[t].lastrec) > 60) { controlt *c = controlnew(6); // sending HELLO controladd(c, 0, t); // send the message @@ -2742,14 +2887,12 @@ static void regular_cleanups(double period) if (sess_local[s].lcp.conf_sent < config->ppp_max_configure) { LOG(3, s, session[s].tunnel, "No ACK for LCP ConfigReq... resending\n"); - sess_local[s].lcp.restart = time_now + config->ppp_restart_time; - sess_local[s].lcp.conf_sent++; sendlcp(s, session[s].tunnel); change_state(s, lcp, next_state); } else { - sessionshutdown(s, "No response to LCP ConfigReq.", 3, 0); + sessionshutdown(s, "No response to LCP ConfigReq.", CDN_ADMIN_DISC, TERM_LOST_SERVICE); STAT(session_timeout); } @@ -2773,14 +2916,12 @@ static void regular_cleanups(double period) if (sess_local[s].ipcp.conf_sent < config->ppp_max_configure) { LOG(3, s, session[s].tunnel, "No ACK for IPCP ConfigReq... resending\n"); - sess_local[s].ipcp.restart = time_now + config->ppp_restart_time; - sess_local[s].ipcp.conf_sent++; sendipcp(s, session[s].tunnel); change_state(s, ipcp, next_state); } else { - sessionshutdown(s, "No response to IPCP ConfigReq.", 3, 0); + sessionshutdown(s, "No response to IPCP ConfigReq.", CDN_ADMIN_DISC, TERM_LOST_SERVICE); STAT(session_timeout); } @@ -2804,8 +2945,6 @@ static void regular_cleanups(double period) if (sess_local[s].ipv6cp.conf_sent < config->ppp_max_configure) { LOG(3, s, session[s].tunnel, "No ACK for IPV6CP ConfigReq... resending\n"); - sess_local[s].ipv6cp.restart = time_now + config->ppp_restart_time; - sess_local[s].ipv6cp.conf_sent++; sendipv6cp(s, session[s].tunnel); change_state(s, ipv6cp, next_state); } @@ -2832,8 +2971,6 @@ static void regular_cleanups(double period) if (sess_local[s].ccp.conf_sent < config->ppp_max_configure) { LOG(3, s, session[s].tunnel, "No ACK for CCP ConfigReq... resending\n"); - sess_local[s].ccp.restart = time_now + config->ppp_restart_time; - sess_local[s].ccp.conf_sent++; sendccp(s, session[s].tunnel); change_state(s, ccp, next_state); } @@ -2850,14 +2987,15 @@ static void regular_cleanups(double period) // Drop sessions who have not responded within IDLE_TIMEOUT seconds if (session[s].last_packet && (time_now - session[s].last_packet >= IDLE_TIMEOUT)) { - sessionshutdown(s, "No response to LCP ECHO requests.", 3, 0); + sessionshutdown(s, "No response to LCP ECHO requests.", CDN_ADMIN_DISC, TERM_LOST_SERVICE); STAT(session_timeout); s_actions++; continue; } // No data in ECHO_TIMEOUT seconds, send LCP ECHO - if (session[s].ppp.phase >= Establish && (time_now - session[s].last_packet >= ECHO_TIMEOUT)) + if (session[s].ppp.phase >= Establish && (time_now - session[s].last_packet >= ECHO_TIMEOUT) && + (time_now - sess_local[s].last_echo >= ECHO_TIMEOUT)) { uint8_t b[MAXETHER]; @@ -2867,11 +3005,12 @@ static void regular_cleanups(double period) *q = EchoReq; *(uint8_t *)(q + 1) = (time_now % 255); // ID *(uint16_t *)(q + 2) = htons(8); // Length - *(uint32_t *)(q + 4) = 0; // Magic Number (not supported) + *(uint32_t *)(q + 4) = session[s].ppp.lcp == Opened ? htonl(session[s].magic) : 0; // Magic Number LOG(4, s, session[s].tunnel, "No data in %d seconds, sending LCP ECHO\n", (int)(time_now - session[s].last_packet)); tunnelsend(b, 24, session[s].tunnel); // send it + sess_local[s].last_echo = time_now; s_actions++; } @@ -2884,7 +3023,7 @@ static void regular_cleanups(double period) if (a & CLI_SESS_KILL) { LOG(2, s, session[s].tunnel, "Dropping session by CLI\n"); - sessionshutdown(s, "Requested by administrator.", 3, 0); + sessionshutdown(s, "Requested by administrator.", CDN_ADMIN_DISC, TERM_ADMIN_RESET); a = 0; // dead, no need to check for other actions s_actions++; } @@ -3116,9 +3255,12 @@ static void mainloop(void) e.events = EPOLLIN; i = 0; - d[i].type = FD_TYPE_CLI; - e.data.ptr = &d[i++]; - epoll_ctl(epollfd, EPOLL_CTL_ADD, clifd, &e); + if (clifd >= 0) + { + d[i].type = FD_TYPE_CLI; + e.data.ptr = &d[i++]; + epoll_ctl(epollfd, EPOLL_CTL_ADD, clifd, &e); + } d[i].type = FD_TYPE_CLUSTER; e.data.ptr = &d[i++]; @@ -3161,9 +3303,17 @@ static void mainloop(void) int more = 0; int n; + + if (main_reload) + { + main_reload = 0; + read_config_file(); + config->reload_config++; + } + if (config->reload_config) { - // Update the config state based on config settings + config->reload_config = 0; update_config(); } @@ -3188,6 +3338,7 @@ static void mainloop(void) if (n) { struct sockaddr_in addr; + struct in_addr local; socklen_t alen; int c, s; int udp_ready = 0; @@ -3204,6 +3355,7 @@ static void mainloop(void) for (c = n, i = 0; i < c; i++) { struct event_data *d = events[i].data.ptr; + switch (d->type) { case FD_TYPE_CLI: // CLI connections @@ -3230,20 +3382,30 @@ static void mainloop(void) case FD_TYPE_CONTROL: // nsctl commands alen = sizeof(addr); - processcontrol(buf, recvfrom(controlfd, buf, sizeof(buf), MSG_WAITALL, (void *) &addr, &alen), &addr, alen); + s = recvfromto(controlfd, buf, sizeof(buf), MSG_WAITALL, (struct sockaddr *) &addr, &alen, &local); + if (s > 0) processcontrol(buf, s, &addr, alen, &local); n--; break; case FD_TYPE_DAE: // DAE requests alen = sizeof(addr); - processdae(buf, recvfrom(daefd, buf, sizeof(buf), MSG_WAITALL, (void *) &addr, &alen), &addr, alen); + s = recvfromto(daefd, buf, sizeof(buf), MSG_WAITALL, (struct sockaddr *) &addr, &alen, &local); + if (s > 0) processdae(buf, s, &addr, alen, &local); n--; break; case FD_TYPE_RADIUS: // RADIUS response - s = recv(radfds[d->index], buf, sizeof(buf), 0); + alen = sizeof(addr); + s = recvfrom(radfds[d->index], buf, sizeof(buf), MSG_WAITALL, (struct sockaddr *) &addr, &alen); if (s >= 0 && config->cluster_iam_master) - processrad(buf, s, d->index); + { + if (addr.sin_addr.s_addr == config->radiusserver[0] || + addr.sin_addr.s_addr == config->radiusserver[1]) + processrad(buf, s, d->index); + else + LOG(3, 0, 0, "Dropping RADIUS packet from unknown source %s\n", + fmtaddr(addr.sin_addr.s_addr, 0)); + } n--; break; @@ -3327,6 +3489,35 @@ static void mainloop(void) } } + if (time_changed) + { + double Mbps = 1024.0 * 1024.0 / 8 * time_changed; + + // Log current traffic stats + snprintf(config->bandwidth, sizeof(config->bandwidth), + "UDP-ETH:%1.0f/%1.0f ETH-UDP:%1.0f/%1.0f TOTAL:%0.1f IN:%u OUT:%u", + (udp_rx / Mbps), (eth_tx / Mbps), (eth_rx / Mbps), (udp_tx / Mbps), + ((udp_tx + udp_rx + eth_tx + eth_rx) / Mbps), + udp_rx_pkt / time_changed, eth_rx_pkt / time_changed); + + udp_tx = udp_rx = 0; + udp_rx_pkt = eth_rx_pkt = 0; + eth_tx = eth_rx = 0; + time_changed = 0; + + if (config->dump_speed) + printf("%s\n", config->bandwidth); + + // Update the internal time counter + strftime(time_now_string, sizeof(time_now_string), "%Y-%m-%d %H:%M:%S", localtime(&time_now)); + + { + // Run timer hooks + struct param_timer p = { time_now }; + run_plugins(PLUGIN_TIMER, &p); + } + } + // Runs on every machine (master and slaves). if (next_cluster_ping <= TIME) { @@ -3860,7 +4051,7 @@ static void initippool() else { // It's a single ip address - add_to_ip_pool(inet_addr(pool), 0); + add_to_ip_pool(ntohl(inet_addr(pool)), 0); } } fclose(f); @@ -4002,14 +4193,13 @@ int main(int argc, char *argv[]) // Start the timer routine off time(&time_now); strftime(time_now_string, sizeof(time_now_string), "%Y-%m-%d %H:%M:%S", localtime(&time_now)); - signal(SIGALRM, sigalrm_handler); - siginterrupt(SIGALRM, 0); initplugins(); initdata(optdebug, optconfig); init_cli(hostname); read_config_file(); + update_config(); init_tbf(config->num_tbfs); LOG(0, 0, 0, "L2TPNS version " VERSION "\n"); @@ -4085,8 +4275,6 @@ int main(int argc, char *argv[]) LOG(0, 0, 0, "Can't lock pages: %s\n", strerror(errno)); } - alarm(1); - // Drop privileges here if (config->target_uid > 0 && geteuid() == 0) setuid(config->target_uid); @@ -4108,53 +4296,11 @@ int main(int argc, char *argv[]) static void sighup_handler(int sig) { - if (log_stream) - { - if (log_stream != stderr) - fclose(log_stream); - - log_stream = NULL; - } - - read_config_file(); -} - -static void sigalrm_handler(int sig) -{ - // Log current traffic stats - - snprintf(config->bandwidth, sizeof(config->bandwidth), - "UDP-ETH:%1.0f/%1.0f ETH-UDP:%1.0f/%1.0f TOTAL:%0.1f IN:%u OUT:%u", - (udp_rx / 1024.0 / 1024.0 * 8), - (eth_tx / 1024.0 / 1024.0 * 8), - (eth_rx / 1024.0 / 1024.0 * 8), - (udp_tx / 1024.0 / 1024.0 * 8), - ((udp_tx + udp_rx + eth_tx + eth_rx) / 1024.0 / 1024.0 * 8), - udp_rx_pkt, eth_rx_pkt); - - udp_tx = udp_rx = 0; - udp_rx_pkt = eth_rx_pkt = 0; - eth_tx = eth_rx = 0; - - if (config->dump_speed) - printf("%s\n", config->bandwidth); - - // Update the internal time counter - time(&time_now); - strftime(time_now_string, sizeof(time_now_string), "%Y-%m-%d %H:%M:%S", localtime(&time_now)); - alarm(1); - - { - // Run timer hooks - struct param_timer p = { time_now }; - run_plugins(PLUGIN_TIMER, &p); - } - + main_reload++; } static void shutdown_handler(int sig) { - LOG(1, 0, 0, "Shutting down\n"); main_quit = (sig == SIGQUIT) ? QUIT_SHUTDOWN : QUIT_FAILOVER; } @@ -4169,7 +4315,7 @@ static void build_chap_response(uint8_t *challenge, uint8_t id, uint16_t challen MD5_CTX ctx; *challenge_response = NULL; - if (!*config->l2tpsecret) + if (!*config->l2tp_secret) { LOG(0, 0, 0, "LNS requested CHAP authentication, but no l2tp secret is defined\n"); return; @@ -4181,7 +4327,7 @@ static void build_chap_response(uint8_t *challenge, uint8_t id, uint16_t challen MD5_Init(&ctx); MD5_Update(&ctx, &id, 1); - MD5_Update(&ctx, config->l2tpsecret, strlen(config->l2tpsecret)); + MD5_Update(&ctx, config->l2tp_secret, strlen(config->l2tp_secret)); MD5_Update(&ctx, challenge, challenge_length); MD5_Final(*challenge_response, &ctx); @@ -4248,6 +4394,20 @@ static void update_config() setbuf(log_stream, NULL); } +#define L2TP_HDRS (20+8+6+4) // L2TP data encaptulation: ip + udp + l2tp (data) + ppp (inc hdlc) +#define TCP_HDRS (20+20) // TCP encapsulation: ip + tcp + + if (config->l2tp_mtu <= 0) config->l2tp_mtu = 1500; // ethernet default + else if (config->l2tp_mtu < MINMTU) config->l2tp_mtu = MINMTU; + else if (config->l2tp_mtu > MAXMTU) config->l2tp_mtu = MAXMTU; + + // reset MRU/MSS globals + MRU = config->l2tp_mtu - L2TP_HDRS; + if (MRU > PPPoE_MRU) + MRU = PPPoE_MRU; + + MSS = MRU - TCP_HDRS; + // Update radius config->numradiusservers = 0; for (i = 0; i < MAXRADSERVER; i++) @@ -4393,8 +4553,6 @@ static void update_config() LOG(0, 0, 0, "Can't write to PID file %s: %s\n", config->pid_file, strerror(errno)); } } - - config->reload_config = 0; } static void read_config_file() @@ -4412,7 +4570,6 @@ static void read_config_file() cli_do_file(f); LOG(3, 0, 0, "Done reading config file\n"); fclose(f); - update_config(); } int sessionsetup(sessionidt s, tunnelidt t) @@ -4433,7 +4590,7 @@ int sessionsetup(sessionidt s, tunnelidt t) if (!session[s].ip) { LOG(0, s, t, " No IP allocated. The IP address pool is FULL!\n"); - sessionshutdown(s, "No IP addresses available.", 2, 7); // try another + sessionshutdown(s, "No IP addresses available.", CDN_TRY_ANOTHER, TERM_SERVICE_UNAVAILABLE); return 0; } LOG(3, s, t, " No IP allocated. Assigned %s from pool\n", @@ -4820,7 +4977,7 @@ static void plugins_done() run_plugin_done(p); } -static void processcontrol(uint8_t *buf, int len, struct sockaddr_in *addr, int alen) +static void processcontrol(uint8_t *buf, int len, struct sockaddr_in *addr, int alen, struct in_addr *local) { struct nsctl request; struct nsctl response; @@ -4978,7 +5135,7 @@ static void processcontrol(uint8_t *buf, int len, struct sockaddr_in *addr, int r = pack_control(buf, NSCTL_MAX_PKT_SZ, response.type, response.argc, response.argv); if (r > 0) { - sendto(controlfd, buf, r, 0, (const struct sockaddr *) addr, alen); + sendtofrom(controlfd, buf, r, 0, (const struct sockaddr *) addr, alen, local); if (log_stream && config->debug >= 4) { LOG(4, 0, 0, "Sent [%s] ", fmtaddr(addr->sin_addr.s_addr, 0)); @@ -5146,7 +5303,7 @@ static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vec // Compute initial pad MD5_Init(&ctx); MD5_Update(&ctx, (unsigned char *) &m, 2); - MD5_Update(&ctx, config->l2tpsecret, strlen(config->l2tpsecret)); + MD5_Update(&ctx, config->l2tp_secret, strlen(config->l2tp_secret)); MD5_Update(&ctx, vector, vec_len); MD5_Final(digest, &ctx); @@ -5159,7 +5316,7 @@ static void unhide_value(uint8_t *value, size_t len, uint16_t type, uint8_t *vec if (d >= sizeof(digest)) { MD5_Init(&ctx); - MD5_Update(&ctx, config->l2tpsecret, strlen(config->l2tpsecret)); + MD5_Update(&ctx, config->l2tp_secret, strlen(config->l2tp_secret)); MD5_Update(&ctx, last, sizeof(digest)); MD5_Final(digest, &ctx); @@ -5282,7 +5439,9 @@ int ip_filter(uint8_t *buf, int len, uint8_t filter) if (frag_offset) { - if (!rule->frag || rule->action == FILTER_ACTION_DENY) + // layer 4 deny rules are skipped + if (rule->action == FILTER_ACTION_DENY && + (rule->src_ports.op || rule->dst_ports.op || rule->tcp_flag_op)) continue; } else