/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2022-2025 OpenVPN Inc <sales@openvpn.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, see <https://www.gnu.org/licenses/>.
 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29
30#include <stdint.h>
31#include <stddef.h>
32#include <stdlib.h>
33#include <string.h>
34#include <stdbool.h>
35#include <memory.h>
36
37#include "crypto.h"
38#include "reflect_filter.h"
39
40
/*
 * Per-period rate limit for initial handshake packets, as configured by
 * --connect-freq-initial.  Returns true while the current period's counter
 * is at or below irl->max_per_period and false once it exceeds it, so the
 * caller can drop further initial packets until the period rolls over.
 *
 * The time source is 'now' (not a parameter; the page lists it as a
 * time_t defined in otime.c), compared against
 * irl->last_period_reset + irl->period_length (seconds).
 *
 * NOTE(review): this rendering does not show the signature line, the
 * statement that records the new period start, or the increment of
 * irl->curr_period_counter; the contract above is taken only from the
 * checks and return value that are visible.
 */
bool
{
 /* Period rollover: once period_length seconds have elapsed since the
  * last reset, report how many packets were dropped in the finished
  * period, zero the counter and re-arm the one-shot warning below.
  * (The msg() level line of the "Dropped" message is not visible here.) */
44 if (now > irl->last_period_reset + irl->period_length)
45 {
 /* Positive only if the counter overshot the limit; int64_t so the
  * subtraction cannot overflow for any realistic counter value. */
46 int64_t dropped = irl->curr_period_counter - irl->max_per_period;
47 if (dropped > 0)
48 {
50 "Dropped %" PRId64 " initial handshake packets"
51 " due to --connect-freq-initial %" PRId64 " %d",
52 dropped, irl->max_per_period, irl->period_length);
53 }
55 irl->curr_period_counter = 0;
56 irl->warning_displayed = false;
57 }
58
60
 /* Strictly greater: exactly max_per_period packets are still allowed. */
61 bool over_limit = irl->curr_period_counter > irl->max_per_period;
62
 /* Warn once per period only, so an attacker flooding initial packets
  * cannot also flood the log; the flag is cleared on rollover above. */
63 if (over_limit && !irl->warning_displayed)
64 {
65 msg(M_WARN,
66 "Note: --connect-freq-initial %" PRId64 " %d rate limit "
67 "exceeded, dropping initial handshake packets for the next %d "
68 "seconds",
 /* Remaining seconds of the current period, narrowed to int for %d. */
70 (int)(irl->last_period_reset + irl->period_length - now));
71 irl->warning_displayed = true;
72 }
 /* true == packet may be processed, false == drop it. */
73 return !over_limit;
74}
75
76void
84
85
/*
 * Body of initial_rate_limit_init(): creates the rate-limiter state and
 * returns it to the caller, who owns it and releases it with
 * initial_rate_limit_free().
 *
 * NOTE(review): the signature line, the allocation (the page lists
 * ALLOC_OBJ as used by this file) and the assignments of max_per_period
 * and period_length are not visible in this rendering; only the counter
 * initialisation and the return are shown.
 */
88{
89 struct initial_packet_rate_limit *irl;
90
91
93
 /* Start with an empty period.  last_period_reset = 0 means the first
  * rate-limit check sees a period that has long expired and begins a
  * fresh one immediately (assuming the check's rollover condition). */
96 irl->curr_period_counter = 0;
97 irl->last_period_reset = 0;
98
99 return irl;
100}
101
/*
 * Releases the rate-limiter structure returned by initial_rate_limit_init().
 * free(NULL) is a no-op, so a NULL irl is accepted; the caller must not
 * touch irl afterwards.  (The signature line is not visible in this
 * rendering.)
 */
void
104{
105 free(irl);
106}