diff options
| author | Davide Brini <dave_br@gmx.com> | 2010-05-02 11:07:38 +0200 |
|---|---|---|
| committer | David Sommerseth <dazo@users.sourceforge.net> | 2010-10-21 11:40:36 +0200 |
| commit | 639216502cc474fcc2526598680b2bcdbb35c0a1 (patch) | |
| tree | c64d172489464a41bb4ddac0802858324720b71c /ping.c | |
| parent | b02b609b28199a932da2d07ec61c2fb6b9271363 (diff) | |
| download | openvpn-639216502cc474fcc2526598680b2bcdbb35c0a1.tar.gz openvpn-639216502cc474fcc2526598680b2bcdbb35c0a1.tar.xz openvpn-639216502cc474fcc2526598680b2bcdbb35c0a1.zip | |
Exclude ping and control packets from activity
Problem: using --ping and --inactive together partially defeats the
point of using --inactive as periodic ping packets are counted as
activity. Here is the original discussion:
http://article.gmane.org/gmane.network.openvpn.devel/3676
It turns out that "activity" is detected and recorded in two places
in the code, both in forward.c: in process_outgoing_tun() for received
packets, after they've been decrypted and sent to the TUN device; and
in process_outgoing_link(), after they've been encrypted and written
to the network socket.
In the first case we can be sure that packets that get so far are
really due to user activity, whereas in the second case there can be
non-user packets (like OpenVPN's internal ping packets, and TLS control
packets), and those should not be counted as activity as they are not
coming from the user.
So a need arises to detect those control packets and not count them as
activity for the purposes of --inactive. Unfortunately, at that stage
packets are already compressed and encrypted, so it's not possible to
look into them to see what they are. However, there seems to be a
convention in the code that packets whose buffer length in the context_2
structure is 0 should be ignored for certain purposes. TLS control
packets follow that convention already, so this patch makes a small
change in the code that generates the ping packets to set their buffer
length to 0 as well.
Finally, the call to register_activity() in process_outgoing_link() is
made conditional to the buffer length being > 0.
According to my tests, now --inactive behaves correctly according to
the configured parameters (time or time+bytes) even when --ping is
being used.
forward.c:
Call register_activity() in process_outgoing_link() only if the
packet is not a ping or TLS control packet.
openvpn.8:
Updated the description of --inactive to describe the new semantics.
ping.c:
Set c->c2.buf.len = 0 after the ping packet has been generated and
encrypted.
Test routine is described here:
<https://community.openvpn.net/openvpn/wiki/PingInactivePatch?version=6>
Signed-off-by: Davide Brini <dave_br@gmx.com>
Acked-by: David Sommerseth <dazo@users.sourceforge.net>
Signed-off-by: David Sommerseth <dazo@users.sourceforge.net>
Diffstat (limited to 'ping.c')
| -rw-r--r-- | ping.c | 2 |
1 files changed, 2 insertions, 0 deletions
@@ -86,5 +86,7 @@ check_ping_send_dowork (struct context *c) * encrypt, sign, etc. */ encrypt_sign (c, true); + /* Set length to 0, so it won't be counted as activity */ + c->c2.buf.len = 0; dmsg (D_PING, "SENT PING"); } |