Menu
▾
▴
Re: [Openvpn-devel] Async OPENVPN_PLUGIN_CLIENT_CONNECT plugin support
|
From: Lev S. <lst...@gm...> - 2014-10-07 18:50:57
|
Hi Fabian & all, Patch works great, thanks! I have rebased it a bit and added support for client-connect plugin call. I would like to offer a related feature (and implementation) I call async-push. Use case: authentication / authorization takes time. I have auth/az code in auth-user-pass-verify and client-connect calls, and sometimes it takes more that second to execute those. The problem is that after auth-user-pass-verify is done, OpenVPN server won’t proceed with client-connect unless some timeout/io event happens for that client. Also, server will not notify client that client-connect returned success unless client sends PULL_REQUEST. Client, in turn, sends PULL_REQUEST one second after connection initiation and after that once per 5 seconds. So, for example, if at the moment when first pull request has arrived, client-connect has not finished yet, we will have to wait another 5 seconds for the next PULL_REQUEST. Solution: Inotify. Since OpenVPN creates itself files (auth-contro and client-connect-deferred) which names it passes to the plugin, we create one inotify descriptor for event loop and right after creating those files, we add inotify watch on those. Before calling epoll (or whatever we use) we add inotify descriptor to the list of watched descriptors. We also keep watch descriptor and multi_instance in a hashtable. When epoll informs us that an event has happened on inotify descriptor, we get multi_instance by watch descriptor (fetched from poll event) from our new hashtable and call multi_process_post for given multi_instance. This will check result from the file and eventually call multi_connection_established, from where we call send_push_reply. Since implementation uses Inotify, it will work on Linux only. Code is under #define, which is set at compile-time (--enable-async-push=yes). I have attached an implementation. So far has been working nicely in my test environment. I would love to hear a feedback from the community. Is the whole thing done more or less right? Any bugs got introduced that someone could spot? -Lev 2014-08-01 0:21 GMT+03:00 Fabian Knittel <fab...@le...>: > Hi Lev, > > 2014-07-29 12:56 GMT+02:00 Lev Stipakov <lst...@gm...>: >> >> I am pondering about asynchronous OPENVPN_PLUGIN_CLIENT_CONNECT >> callback. Basically, I want _not_ to establish connection until >> response is received and ofcI don't want to block rest of traffic. > > > [ Details of approach snipped. ] > >> What do you think about that? Does that approach sound reasonable? > > > Some time ago I implemented something quite similar, but never quite managed > to officially submit it. You can find my old git branch here [0]. > Unfortunately, to be of any use it would need to be ported to a current > OpenVPN release / master first. > > The code has been in use for several years now [1], so the approach and the > code basically work quite well. (I think my use case involved calling a > Python script, but I might have implemented the plugin part too.) > > If the OpenVPN commiters see a certain chance, that such a change could be > included upstream, I might even try to rebase the branch to master myself... > > Cheers > Fabian > > 0: > http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_deferred_client-connect > 1: ... in a production environment with several hundred users (together with > the equally unofficial VLAN-tagging feature [2]). The feature is needed by a > daemon that does asynchronous IP-configuration via a central DHCP server > [3]. > 2: > http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_vlan > 3: https://gitorious.org/odr -- -Lev |
