-* Mon Jan 10 2005 Brendan O'Dea <bod@optusnet.com.au> 2.0.15
+* Thu Jan 13 2005 Brendan O'Dea <bod@optusnet.com.au> 2.0.15
- More DoS prevention: add packet_limit option to apply a hard limit
to downstream packets per session.
+- Fix "clear counters".
+- Log "Accepted connection to CLI" at 4 when connection is from localhost
+ to reduce noise in logs.
+- Show time since last counter reset in "show counters".
* Mon Dec 20 2004 Brendan O'Dea <bod@optusnet.com.au> 2.0.14
- Throttle outgoing LASTSEEN packets to at most one per second for a
// vim: sw=8 ts=8
char const *cvs_name = "$Name: $";
-char const *cvs_id_cli = "$Id: cli.c,v 1.43.2.2 2005/01/12 05:20:49 bodea Exp $";
+char const *cvs_id_cli = "$Id: cli.c,v 1.43.2.3 2005/01/13 07:58:53 bodea Exp $";
#include <stdio.h>
#include <stdarg.h>
if (fork_and_close()) return;
if (getpeername(sockfd, (struct sockaddr *)&addr, &l) == 0)
{
- LOG(3, 0, 0, "Accepted connection to CLI from %s\n", fmtaddr(addr.sin_addr.s_addr, 0));
require_auth = addr.sin_addr.s_addr != inet_addr("127.0.0.1");
+ LOG(require_auth ? 3 : 4, 0, 0, "Accepted connection to CLI from %s\n",
+ fmtaddr(addr.sin_addr.s_addr, 0));
}
else
LOG(0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno));
cli_loop(cli, sockfd);
close(sockfd);
- LOG(3, 0, 0, "Closed CLI connection from %s\n", fmtaddr(addr.sin_addr.s_addr, 0));
+ LOG(require_auth ? 3 : 4, 0, 0, "Closed CLI connection from %s\n",
+ fmtaddr(addr.sin_addr.s_addr, 0));
+
exit(0);
}
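Review bot: The `else` branch for a failed `getpeername()` (the line before `cli_loop`) claims "Requiring authentication", yet nothing in the hunk sets `require_auth`, and the new level selection in both LOG calls plus `fmtaddr(addr.sin_addr.s_addr, 0)` in the close message then read whatever `require_auth` and `addr` held before the call — both declared outside the hunk. Unless `require_auth` is initialised to 1 at its declaration, a failed getpeername() takes the unauthenticated localhost path while the log says the opposite; making it fail-closed in place is one line, `require_auth = 1;` inside the `else`, and on that path the printed address is indeterminate unless `addr` was zeroed, so logging "unknown" there would be more honest. Note also that unauthenticated localhost CLI sessions are now logged at 4 while remote ones stay at 3, so an audit at level 3 no longer sees local operator sessions — worth stating at the `require_auth` line, e.g. `// loopback skips auth; logged at 4 only to cut noise, so audit at >= 4 to see local sessions`. The enclosing function starts outside the hunk.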
cli_print(cli, "%-30s%u", "call_radiussend", GET_STAT(call_radiussend));
cli_print(cli, "%-30s%u", "call_radiusretry", GET_STAT(call_radiusretry));
#endif
+
+ cli_print(cli, "");
+ cli_print(cli, "Counters last reset %s ago", duration(time_now - GET_STAT(last_reset)));
+
return CLI_OK;
}
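Review bot: The new `duration(time_now - GET_STAT(last_reset))` line assumes `last_reset` is seeded at startup; if the counter stays zero until the first "clear counters", the line reports the time since the epoch rather than since process start — where `last_reset` is initialised is not visible here, so please confirm. A cheap guard is `if (GET_STAT(last_reset))` around the two `cli_print` calls, or seeding `last_reset` with the startup time. The enclosing function starts outside the hunk.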
// L2TPNS Clustering Stuff
-char const *cvs_id_cluster = "$Id: cluster.c,v 1.26.2.1 2005/01/06 01:39:23 bodea Exp $";
+char const *cvs_id_cluster = "$Id: cluster.c,v 1.26.2.2 2005/01/13 07:58:54 bodea Exp $";
#include <stdio.h>
#include <stdlib.h>
if ( walk_session_number > config->cluster_highest_sessionid)
walk_session_number = 1;
- if (!sess_count[walk_session_number].cin && !sess_count[walk_session_number].cout)
+ if (!sess_local[walk_session_number].cin && !sess_local[walk_session_number].cout)
continue; // Unused. Skip it.
b[c].sid = walk_session_number;
- b[c].in = sess_count[walk_session_number].cin;
- b[c].out = sess_count[walk_session_number].cout;
+ b[c].in = sess_local[walk_session_number].cin;
+ b[c].out = sess_local[walk_session_number].cout;
if (++c > MAX_B_RECS) // Send a max of 400 elements in a packet.
break;
// Reset counters.
- sess_count[walk_session_number].cin = sess_count[walk_session_number].cout = 0;
+ sess_local[walk_session_number].cin = sess_local[walk_session_number].cout = 0;
}
if (!c) // Didn't find any that changes. Get out of here!
session[i].last_packet = time_now;
// Accumulate un-sent byte counters.
- session[i].cin += sess_count[i].cin;
- session[i].cout += sess_count[i].cout;
- session[i].total_cin += sess_count[i].cin;
- session[i].total_cout += sess_count[i].cout;
+ session[i].cin += sess_local[i].cin;
+ session[i].cout += sess_local[i].cout;
+ session[i].total_cin += sess_local[i].cin;
+ session[i].total_cout += sess_local[i].cout;
- sess_count[i].cin = sess_count[i].cout = 0;
+ sess_local[i].cin = sess_local[i].cout = 0;
session[i].radius = 0; // Reset authentication as the radius blocks aren't up to date.
// Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
// vim: sw=8 ts=8
-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.73.2.2 2005/01/10 07:44:49 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.73.2.3 2005/01/13 07:58:54 bodea Exp $";
#include <arpa/inet.h>
#include <assert.h>
tunnelt *tunnel = NULL; // Array of tunnel structures.
sessiont *session = NULL; // Array of session structures.
-sessioncountt *sess_count = NULL; // Array of partial per-session traffic counters.
+sessionlocalt *sess_local = NULL; // Array of local per-session counters.
radiust *radius = NULL; // Array of radius structures.
ippoolt *ip_address_pool = NULL; // Array of dynamic IP addresses.
ip_filtert *ip_filters = NULL; // Array of named filters.
// DoS prevention: enforce a maximum number of packets per 0.1s for a session
if (config->max_packets > 0)
{
- if (sess_count[s].last_packet_out == TIME)
+ if (sess_local[s].last_packet_out == TIME)
{
int max = config->max_packets;
if (!config->cluster_iam_master && sp->throttle_out && sp->throttle_out < max)
max = sp->throttle_out;
- if (++sess_count[s].packets_out > max)
+ if (++sess_local[s].packets_out > max)
{
- sess_count[s].packets_dropped++;
+ sess_local[s].packets_dropped++;
return;
}
}
else
{
- if (sess_count[s].packets_dropped)
+ if (sess_local[s].packets_dropped)
{
- INC_STAT(tun_rx_dropped, sess_count[s].packets_dropped);
- LOG(2, s, t, "Possible DoS attack on %s (%s); dropped %u packets.\n",
- fmtaddr(ip, 0), sp->user, sess_count[s].packets_dropped);
+ INC_STAT(tun_rx_dropped, sess_local[s].packets_dropped);
+ LOG(3, s, t, "Dropped %u/%u packets to %s for %suser %s\n",
+ sess_local[s].packets_out, sess_local[s].packets_dropped,
+ fmtaddr(ip, 0), sp->throttle_out ? "throttled " : "",
+ sp->user);
}
- sess_count[s].last_packet_out = TIME;
- sess_count[s].packets_out = 1;
- sess_count[s].packets_dropped = 0;
+ sess_local[s].last_packet_out = TIME;
+ sess_local[s].packets_out = 1;
+ sess_local[s].packets_dropped = 0;
}
}
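Review bot: The new LOG in the `else` branch passes `sess_local[s].packets_out` before `sess_local[s].packets_dropped` under the text "Dropped %u/%u packets", which reads as dropped/total; but `packets_out` is bumped for every packet including the dropped ones (the `++` precedes the `> max` test above), so the message actually prints total/dropped, inverted. Either swap the two arguments or make the wording explicit: `"Dropped %u of %u packets to %s for %suser %s\n", sess_local[s].packets_dropped, sess_local[s].packets_out, ...`. Lowering the level from 2 to 3 and dropping the "Possible DoS attack" wording also removes the token a detection rule would key on; keeping a stable marker such as "rate-limit" in the text would help operators. Note too that the drops of the final time slot are only accounted and logged when a later packet arrives, so a burst that simply stops is under-reported — pre-existing, but this LOG is now the only place the event is visible. The enclosing function starts and ends outside the hunk.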
sp->total_cout += len; // byte count
sp->pout++;
udp_tx += len;
- sess_count[s].cout += len; // To send to master..
+ sess_local[s].cout += len; // To send to master..
}
//
sp->total_cout += len; // byte count
sp->pout++;
udp_tx += len;
- sess_count[s].cout += len; // To send to master..
+ sess_local[s].cout += len; // To send to master..
}
// add an AVP (16 bit)
exit(1);
}
- if (!(sess_count = shared_malloc(sizeof(sessioncountt) * MAXSESSION)))
+ if (!(sess_local = shared_malloc(sizeof(sessionlocalt) * MAXSESSION)))
{
- LOG(0, 0, 0, "Error doing malloc for sessions_count: %s\n", strerror(errno));
+ LOG(0, 0, 0, "Error doing malloc for sess_local: %s\n", strerror(errno));
exit(1);
}
// L2TPNS Global Stuff
-// $Id: l2tpns.h,v 1.49.2.2 2005/01/10 07:08:14 bodea Exp $
+// $Id: l2tpns.h,v 1.49.2.3 2005/01/13 07:58:54 bodea Exp $
#ifndef __L2TPNS_H__
#define __L2TPNS_H__
clockt last_packet_out;
uint32_t packets_out;
uint32_t packets_dropped;
-} sessioncountt;
+} sessionlocalt;
#define SESSIONPFC 1 // PFC negotiated flags
#define SESSIONACFC 2 // ACFC negotiated flags
extern tunnelt *tunnel;
extern sessiont *session;
-extern sessioncountt *sess_count;
+extern sessionlocalt *sess_local;
extern ippoolt *ip_address_pool;
#define sessionfree (session[0].next)
%attr(644,root,root) /usr/share/man/man[58]/*
%changelog
-* Mon Jan 10 2005 Brendan O'Dea <bod@optusnet.com.au> 2.0.15-1
+* Thu Jan 13 2005 Brendan O'Dea <bod@optusnet.com.au> 2.0.15-1
- 2.0.15 release, see /usr/share/doc/l2tpns-2.0.15/Changes
// L2TPNS PPP Stuff
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.40 2005/01/05 13:50:30 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.39.2.1 2005/01/13 07:58:54 bodea Exp $";
#include <stdio.h>
#include <string.h>
char pass[129];
uint16_t hl;
- CSTAT(processpap);
+ CSTAT(call_processpap);
LOG_HEX(5, "PAP", p, l);
if (l < 4)
uint16_t r;
uint16_t hl;
- CSTAT(processchap);
+ CSTAT(call_processchap);
LOG_HEX(5, "CHAP", p, l);
r = session[s].radius;
radiussend(r, RADIUSAUTH);
}
+static char *ppp_lcp_types[] = {
+ NULL,
+ "ConfigReq",
+ "ConfigAck",
+ "ConfigNak",
+ "ConfigRej",
+ "TerminateReq",
+ "TerminateAck",
+ "CodeRej",
+ "ProtocolRej",
+ "EchoReq",
+ "EchoReply",
+ "DiscardRequest",
+ "IdentRequest",
+};
+
static void dumplcp(uint8_t *p, int l)
{
int x = l - 4;
uint8_t *o = (p + 4);
LOG_HEX(5, "PPP LCP Packet", p, l);
- LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_type((int)*p), ntohs( ((uint16_t *) p)[1]) );
+ LOG(4, 0, 0, "PPP LCP Packet type %d (%s len %d)\n", *p, ppp_lcp_types[(int)*p], ntohs( ((uint16_t *) p)[1]) );
LOG(4, 0, 0, "Length: %d\n", l);
if (*p != ConfigReq && *p != ConfigRej && *p != ConfigAck)
return;
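Review bot: `ppp_lcp_types[(int)*p]` in the first LOG of `dumplcp` indexes a 13-entry table with a byte taken straight from the peer's LCP packet, so any code >= 13 reads past the array and code 0 yields the NULL in slot 0 — both end up in a `%s`, i.e. a remotely triggerable out-of-bounds read or NULL dereference in the logger, where the removed `ppp_lcp_type()` call (not visible here) presumably bounds-checked. Wrap the table in a small accessor that rejects out-of-range codes and use it at every call site, including the `Sending %s` LOG further down the file. The array should also be `static char const *const` since it is never written. `dumplcp` continues past the end of the hunk.

```c
static char const *const ppp_lcp_type_names[] = {
	NULL,
	"ConfigReq",
	/* … unchanged: remaining names … */
	"IdentRequest",
};

// Name for an LCP code byte; the code comes from the peer, so anything outside the table (or 0) is rejected.
static char const *ppp_lcp_type(int type)
{
	if (type < 1 || type >= (int) (sizeof(ppp_lcp_type_names) / sizeof(ppp_lcp_type_names[0])))
		return "Unknown";

	return ppp_lcp_type_names[type];
}
```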
{
case 1: // Maximum-Receive-Unit
if (length == 4)
- LOG(4, 0, 0, " %s %d\n", lcp_type(type), ntohs(*(uint16_t *)(o + 2)));
+ LOG(4, 0, 0, " %s %d\n", lcp_types[type], ntohs(*(uint16_t *)(o + 2)));
else
- LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
+ LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
break;
case 2: // Async-Control-Character-Map
if (length == 6)
{
uint32_t asyncmap = ntohl(*(uint32_t *)(o + 2));
- LOG(4, 0, 0, " %s %x\n", lcp_type(type), asyncmap);
+ LOG(4, 0, 0, " %s %x\n", lcp_types[type], asyncmap);
}
else
- LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
+ LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
break;
case 3: // Authentication-Protocol
if (length == 4)
{
int proto = ntohs(*(uint16_t *)(o + 2));
- LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_type(type), proto,
+ LOG(4, 0, 0, " %s 0x%x (%s)\n", lcp_types[type], proto,
proto == PPPCHAP ? "CHAP" :
proto == PPPPAP ? "PAP" : "UNKNOWN");
}
else
- LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
+ LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
break;
case 4: // Quality-Protocol
{
uint32_t qp = ntohl(*(uint32_t *)(o + 2));
- LOG(4, 0, 0, " %s %x\n", lcp_type(type), qp);
+ LOG(4, 0, 0, " %s %x\n", lcp_types[type], qp);
}
break;
case 5: // Magic-Number
if (length == 6)
{
uint32_t magicno = ntohl(*(uint32_t *)(o + 2));
- LOG(4, 0, 0, " %s %x\n", lcp_type(type), magicno);
+ LOG(4, 0, 0, " %s %x\n", lcp_types[type], magicno);
}
else
- LOG(4, 0, 0, " %s odd length %d\n", lcp_type(type), length);
+ LOG(4, 0, 0, " %s odd length %d\n", lcp_types[type], length);
break;
case 7: // Protocol-Field-Compression
case 8: // Address-And-Control-Field-Compression
- LOG(4, 0, 0, " %s\n", lcp_type(type));
+ LOG(4, 0, 0, " %s\n", lcp_types[type]);
break;
default:
LOG(2, 0, 0, " Unknown PPP LCP Option type %d\n", type);
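Review bot: `lcp_types[type]` is safe here only because the enclosing `switch` restricts `type` to 1-8 before any lookup, so the table (declared outside the hunk) must hold at least 9 non-NULL entries; a comment at the top of the switch, `// lcp_types[] is only indexed for the cases listed; anything else must stay in default`, would stop a later case from being added without checking the table. While here: case 4 (Quality-Protocol) dereferences `o + 2` as a 32-bit value without the `length == 6` test its siblings have — pre-existing and not introduced by this change, but the new lookup sits right in it and a `length` check is the one-line fix. `dumplcp` starts and ends outside the hunk.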
uint32_t magicno = 0;
uint16_t hl;
- CSTAT(processlcp);
+ CSTAT(call_processlcp);
LOG_HEX(5, "LCP", p, l);
if (l < 4)
*q = ConfigAck;
}
- LOG(3, s, t, "Sending %s\n", ppp_lcp_type(*response));
+ LOG(3, s, t, "Sending %s\n", ppp_lcp_types[*response]);
tunnelsend(b, l + (q - b), t);
if (!(session[s].flags & SF_LCP_ACKED))
{
uint16_t hl;
- CSTAT(processipcp);
+ CSTAT(call_processipcp);
LOG_HEX(5, "IPCP", p, l);
if (l < 5)
{
in_addr_t ip;
- CSTAT(processipin);
+ CSTAT(call_processipin);
LOG_HEX(5, "IP", p, l);
session[s].cin += l - 4;
session[s].total_cin += l - 4;
- sess_count[s].cin += l - 4;
+ sess_local[s].cin += l - 4;
session[s].pin++;
eth_tx += l - 4;
// Increment packet counters
session[s].cin += len - 4;
session[s].total_cin += len - 4;
- sess_count[s].cin += len - 4;
+ sess_local[s].cin += len - 4;
session[s].pin++;
eth_tx += len - 4;
uint8_t b[MAXCONTROL];
uint8_t *q;
- CSTAT(processccp);
+ CSTAT(call_processccp);
LOG_HEX(5, "CCP", p, l);
switch (l > 1 ? *p : 0)
uint16_t r = session[s].radius;
uint8_t *q;
- CSTAT(sendchap);
+ CSTAT(call_sendchap);
if (!r)
{
LOG(1, s, t, "No RADIUS to send challenge\n");
STAT(tunnel_tx_errors);
- return;
+ return ;
}
-
LOG(1, s, t, "Send CHAP challenge\n");
-
- // new challenge
- random_data(radius[r].auth, sizeof(radius[r].auth));
+ {
+ // new challenge
+ int n;
+ for (n = 0; n < 15; n++)
+ radius[r].auth[n] = rand();
+ }
radius[r].chap = 1; // CHAP not PAP
radius[r].id++;
if (radius[r].state != RADIUSCHAP)
radius[r].try = 0;
-
radius[r].state = RADIUSCHAP;
radius[r].retry = backoff(radius[r].try++);
if (radius[r].try > 5)
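Review bot: The new challenge loop fills `radius[r].auth` with `rand()`, which is not a cryptographic generator and whose seeding is not visible here; a CHAP challenge must be unpredictable (RFC 1994), otherwise an on-path observer can precompute or replay responses. The loop also writes only 15 bytes, while the removed `random_data()` call covered `sizeof(radius[r].auth)`, so the last byte carries over from the previous challenge, and each `int` is silently truncated to a byte. If this is a branch backport where `random_data()` is unavailable, read the bytes from the kernel CSPRNG and refuse to send a challenge on failure rather than fall back to `rand()`. Minor: `return ;` on the no-RADIUS path reintroduces a space the file otherwise does not use. `sendchap` continues past the end of the hunk.

```c
	LOG(1, s, t, "Send CHAP challenge\n");
	{
		// new challenge: must be unpredictable (RFC 1994), so take it from the kernel CSPRNG
		int fd = open("/dev/urandom", O_RDONLY);
		ssize_t got = fd < 0 ? -1 : read(fd, radius[r].auth, sizeof(radius[r].auth));
		if (fd >= 0) close(fd);
		if (got != (ssize_t) sizeof(radius[r].auth))
		{
			LOG(0, s, t, "Could not read /dev/urandom for CHAP challenge: %s\n", strerror(errno));
			STAT(tunnel_tx_errors);
			return;
		}
	}
	/* … unchanged: radius[r].chap = 1; and the rest of the state update … */
```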