Ignore connection attempts while server is shutting down
Currently we still allow clients to connect while the server is waiting
to shut down. This window is very small (2s) and is only used when
explicit-exit-notify is enabled on the server side.

The chance of a client connecting during this time period is very low
unless someone puts something stupid like --connect-retry 1 3 into his/her
client config and forces the client to reconnect during this time period.

Github: #189

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg25638.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 7d0a903)
schwabe authored and cron2 committed Dec 12, 2022
1 parent acc7ecc commit f8bfe1a
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions src/openvpn/mudp.c
Expand Up @@ -229,8 +229,13 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated)
if (!mi)
{
struct tls_pre_decrypt_state state = {0};

if (do_pre_decrypt_check(m, &state, real))
if (m->deferred_shutdown_signal.signal_received)
{
msg(D_MULTI_ERRORS,
"MULTI: Connection attempt from %s ignored while server is "
"shutting down", mroute_addr_print(&real, &gc));
}
else if (do_pre_decrypt_check(m, &state, real))
{
/* This is an unknown session but with valid tls-auth/tls-crypt
* (or no auth at all). If this is the initial packet of a
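Review bot: The msg() call in the new `m->deferred_shutdown_signal.signal_received` branch sits ahead of do_pre_decrypt_check(), so it fires at D_MULTI_ERRORS for every packet from an address with no existing instance, including packets that would not have passed the tls-auth/tls-crypt check. During the shutdown window that is one log line per unauthenticated packet. Consider logging this at a more verbose debug level, and add a short comment above the new `if` stating that skipping the pre-decrypt check while shutting down is intentional, so a later reader does not reorder the two conditions.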