1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2022-2023 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 
33 #include <stdint.h>
34 #include <stddef.h>
35 #include <stdlib.h>
36 #include <string.h>
37 #include <stdbool.h>
38 #include <memory.h>
39 
40 #include "crypto.h"
41 #include "reflect_filter.h"
42 
43 
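/**
 * Checks whether an initial handshake packet is still allowed under the
 * rate limit, and counts it against the current period.
 *
 * Every call counts one packet, including packets that end up being
 * dropped; the overflow is reported when the period is closed.  A caller
 * that later decides a counted packet should not be held against the
 * limit can compensate with reflect_filter_rate_limit_decrease().
 *
 * Time is taken from the global `now` (time_t), i.e. the wall clock, not
 * a monotonic source.
 *
 * @param irl  limiter state; its period bookkeeping is updated in place.
 * @return true if the packet is within the limit and may be processed,
 *         false if it exceeds the limit and should be dropped.
 */
bool
reflect_filter_rate_limit_check(struct initial_packet_rate_limit *irl)
{
    /* Open a new accounting period when the current one has elapsed, or
     * when `now` lies before the start of the current period.  Without the
     * second test a backwards step of the wall clock would keep the
     * limiter in the same period until real time caught up, and if that
     * period was already over the limit every initial packet would be
     * dropped for the whole of that interval. */
    if (now > irl->last_period_reset + irl->period_length
        || now < irl->last_period_reset)
    {
        int64_t dropped = irl->curr_period_counter - irl->max_per_period;
        if (dropped > 0)
        {
            msg(D_TLS_DEBUG_LOW, "Dropped %" PRId64 " initial handshake packets"
                " due to --connect-freq-initial %" PRId64 " %d", dropped,
                irl->max_per_period, irl->period_length);
        }
        irl->last_period_reset = now;
        irl->curr_period_counter = 0;
        /* Re-arm the one-per-period warning below. */
        irl->warning_displayed = false;
    }

    /* Count before testing so that the packet which crosses the limit is
     * itself dropped and shows up in `dropped` at the next reset. */
    irl->curr_period_counter++;

    bool over_limit = irl->curr_period_counter > irl->max_per_period;

    /* Warn once per period rather than once per dropped packet, so the
     * log itself cannot be flooded by the traffic being limited. */
    if (over_limit && !irl->warning_displayed)
    {
        msg(M_WARN, "Note: --connect-freq-initial %" PRId64 " %d rate limit "
            "exceeded, dropping initial handshake packets for the next %d "
            "seconds", irl->max_per_period, irl->period_length,
            (int)(irl->last_period_reset + irl->period_length - now));
        irl->warning_displayed = true;
    }
    return !over_limit;
}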
76 
/**
 * Gives one slot of the current period back, for a packet that was counted
 * by reflect_filter_rate_limit_check() but should not be held against the
 * limit.
 *
 * The counter never goes below zero; a counter that is already zero (or,
 * defensively, negative) is left untouched.
 *
 * @param irl  limiter state to update.
 */
void
reflect_filter_rate_limit_decrease(struct initial_packet_rate_limit *irl)
{
    if (irl->curr_period_counter <= 0)
    {
        return;
    }
    irl->curr_period_counter--;
}
85 
86 
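/**
 * Allocates and initializes the initial-packet rate limiter.
 *
 * @param max_per_period  number of initial packets accepted per period;
 *                        packets beyond this are reported as dropped by
 *                        reflect_filter_rate_limit_check().
 * @param period_length   length of one accounting period in seconds.
 * @return the new limiter; ownership passes to the caller, who releases it
 *         with initial_rate_limit_free().
 */
struct initial_packet_rate_limit *
initial_rate_limit_init(int max_per_period, int period_length)
{
    struct initial_packet_rate_limit *irl;

    /* ALLOC_OBJ (buffer.h) is relied on to deal with allocation failure
     * itself -- TODO confirm -- but it is not relied on to zero the object,
     * so every field is set explicitly below. */
    ALLOC_OBJ(irl, struct initial_packet_rate_limit);

    irl->max_per_period = max_per_period;
    irl->period_length = period_length;
    irl->curr_period_counter = 0;
    /* A reset time of 0 makes the first reflect_filter_rate_limit_check()
     * call open a fresh period, since `now` will exceed 0 + period_length. */
    irl->last_period_reset = 0;
    /* Explicit, rather than depending on the allocator clearing memory:
     * the warning flag is read by reflect_filter_rate_limit_check(). */
    irl->warning_displayed = false;

    return irl;
}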
102 
/**
 * Releases a limiter obtained from initial_rate_limit_init().
 *
 * @param irl  the limiter to free.  Passing NULL is harmless, since
 *             free(NULL) is a no-op.  The pointer must not be used
 *             afterwards.
 */
void
initial_rate_limit_free(struct initial_packet_rate_limit *irl)
{
    free(irl);
}