OpenVPN
reflect_filter.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2022-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 
31 #include <stdint.h>
32 #include <stddef.h>
33 #include <stdlib.h>
34 #include <string.h>
35 #include <stdbool.h>
36 #include <memory.h>
37 
38 #include "crypto.h"
39 #include "reflect_filter.h"
40 
41 
42 bool
44 {
45  if (now > irl->last_period_reset + irl->period_length)
46  {
47  int64_t dropped = irl->curr_period_counter - irl->max_per_period;
48  if (dropped > 0)
49  {
50  msg(D_TLS_DEBUG_LOW, "Dropped %" PRId64 " initial handshake packets"
51  " due to --connect-freq-initial %" PRId64 " %d", dropped,
52  irl->max_per_period, irl->period_length);
53 
54  }
55  irl->last_period_reset = now;
56  irl->curr_period_counter = 0;
57  irl->warning_displayed = false;
58  }
59 
60  irl->curr_period_counter++;
61 
62  bool over_limit = irl->curr_period_counter > irl->max_per_period;
63 
64  if (over_limit && !irl->warning_displayed)
65  {
66  msg(M_WARN, "Note: --connect-freq-initial %" PRId64 " %d rate limit "
67  "exceeded, dropping initial handshake packets for the next %d "
68  "seconds", irl->max_per_period, irl->period_length,
69  (int)(irl->last_period_reset + irl->period_length - now));
70  irl->warning_displayed = true;
71  }
72  return !over_limit;
73 }
74 
75 void
77 {
78  if (irl->curr_period_counter > 0)
79  {
80  irl->curr_period_counter--;
81  }
82 }
83 
84 
87 {
88  struct initial_packet_rate_limit *irl;
89 
90 
92 
95  irl->curr_period_counter = 0;
96  irl->last_period_reset = 0;
97 
98  return irl;
99 }
100 
101 void
103 {
104  free(irl);
105 }
reflect_filter.h
reflect_filter_rate_limit_check
bool reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl)
checks if the connection is still allowed to connect under the rate limit.
Definition: reflect_filter.c:43
initial_packet_rate_limit
struct that handles all the rate limiting logic for initial responses
Definition: reflect_filter.h:30
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
initial_packet_rate_limit::period_length
int period_length
period length in seconds
Definition: reflect_filter.h:35
initial_packet_rate_limit::curr_period_counter
int64_t curr_period_counter
Number of packets in the current period.
Definition: reflect_filter.h:39
initial_rate_limit_init
struct initial_packet_rate_limit * initial_rate_limit_init(int max_per_period, int period_length)
allocate and initialize the initial-packet rate limiter structure
Definition: reflect_filter.c:86
ALLOC_OBJ
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1060
M_WARN
#define M_WARN
Definition: error.h:91
crypto.h
initial_packet_rate_limit::last_period_reset
time_t last_period_reset
Definition: reflect_filter.h:42
syshead.h
initial_rate_limit_free
void initial_rate_limit_free(struct initial_packet_rate_limit *irl)
free the initial-packet rate limiter structure
Definition: reflect_filter.c:102
reflect_filter_rate_limit_decrease
void reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl)
decreases the counter of initial packets seen, so connections that successfully completed the three-w...
Definition: reflect_filter.c:76
initial_packet_rate_limit::warning_displayed
bool warning_displayed
Definition: reflect_filter.h:46
now
time_t now
Definition: otime.c:34
config.h
initial_packet_rate_limit::max_per_period
int64_t max_per_period
This is a hard limit for packets per seconds.
Definition: reflect_filter.h:32
msg
#define msg(flags,...)
Definition: error.h:144