Ignore connection attempts while server is shutting down
Currently we still allow clients to connect while the server is waiting
to shut down. This window is very small (2s) and is only used when
explicit-exit-notify is enabled on the server side.
The chance of a client connecting during this time period is very low
unless someone puts something stupid like --connect-retry 1 3 into his/her
client config and forces the client to reconnect during this time period.
Github: OpenVPN/openvpn#189
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221208153129.1207228-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25638.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7d0a90335fe79a352456f262ce42ea501796ae87)
Arne Schwabe authored on 2022/12/09 00:31:29Showing 1 changed files
| ... | ... |
@@ -229,8 +229,13 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) |
| 229 | 229 |
if (!mi) |
| 230 | 230 |
{
|
| 231 | 231 |
struct tls_pre_decrypt_state state = {0};
|
| 232 |
- |
|
| 233 |
- if (do_pre_decrypt_check(m, &state, real)) |
|
| 232 |
+ if (m->deferred_shutdown_signal.signal_received) |
|
| 233 |
+ {
|
|
| 234 |
+ msg(D_MULTI_ERRORS, |
|
| 235 |
+ "MULTI: Connection attempt from %s ignored while server is " |
|
| 236 |
+ "shutting down", mroute_addr_print(&real, &gc)); |
|
| 237 |
+ } |
|
| 238 |
+ else if (do_pre_decrypt_check(m, &state, real)) |
|
| 234 | 239 |
{
|
| 235 | 240 |
/* This is an unknown session but with valid tls-auth/tls-crypt |
| 236 | 241 |
* (or no auth at all). If this is the initial packet of a |