connman.lists.linux.dev archive mirror
From: Jussi Laakkonen <jussi.laakkonen@jolla.com>
To: connman@lists.linux.dev
Subject: [PATCH 4/5] openvpn: Default to 10 AuthErrorLimit unless set by user
Date: Thu,  2 Sep 2021 18:11:23 +0300
Message-ID: <20210902151124.4983-5-jussi.laakkonen@jolla.com>
In-Reply-To: <20210902151124.4983-1-jussi.laakkonen@jolla.com>

Unless the user has set a value for provider property "AuthErrorLimit"
default to 10 attempts after a successful connection has been made before
allowing to clear the credentials. This is imperative for the cases when
OpenVPN server requires client to do a clean shutdown but the network
goes down before it can be completed. In these cases server may respond
back with AUTH_FAILED control message until it determines that old
client is really gone. By using this limit credentials are not
unnecessarily cleared because there was no real problem with them.
---
 vpn/plugins/openvpn.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/vpn/plugins/openvpn.c b/vpn/plugins/openvpn.c
index daf66cd5..7089d6ce 100644
--- a/vpn/plugins/openvpn.c
+++ b/vpn/plugins/openvpn.c
@@ -1099,6 +1099,15 @@ static int ov_connect(struct vpn_provider *provider,
 	const char *tmpdir;
 	struct ov_private_data *data;
 
+	/*
+	 * Explicitly set limit of 10 for authentication errors. This defines
+	 * the authentication error message limit from the server before VPN
+	 * agent is instructed to clear the credentials. This is effective only
+	 * after a successful connection has been made within CONNECT_OK_DIFF
+	 * time. User defined value for "AuthErrorLimit" overrides this.
+	 */
+	vpn_provider_set_auth_error_limit(provider, 10);
+
 	data = g_try_new0(struct ov_private_data, 1);
 	if (!data)
 		return -ENOMEM;
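
Review bot: The call to vpn_provider_set_auth_error_limit(provider, 10) at the top of ov_connect() is unconditional and runs on every connect, so nothing in this hunk shows how a user-set "AuthErrorLimit" survives it, even though the comment says the user value overrides the default. Either guard the call on the property being unset, or say in the comment that the setter itself leaves a user-provided value in place, so a reader of openvpn.c does not have to open the provider code to confirm that credentials are not cleared at the wrong threshold. The literal 10 also appears in both the comment and the call; a named constant would keep the default defined in one place.
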
-- 
2.20.1

