Currently we still allow clients to connect while the server is waiting
to shut down. This window is very small (2s) and is only used when
explicit-exit-notify is enabled on the server side.
The chance of a client connecting during this time period is very low
unless someone puts something stupid like --connect-retry 1 3 into his/her
client config and forces the client to reconnect during this time period.
Github: OpenVPN/openvpn#189
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20221208153129.1207228-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25638.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7d0a90335fe79a352456f262ce42ea501796ae87)
if (!mi)
{
struct tls_pre_decrypt_state state = {0};
-
- if (do_pre_decrypt_check(m, &state, real))
+ if (m->deferred_shutdown_signal.signal_received)
+ {
+ msg(D_MULTI_ERRORS,
+ "MULTI: Connection attempt from %s ignored while server is "
+ "shutting down", mroute_addr_print(&real, &gc));
+ }
+ else if (do_pre_decrypt_check(m, &state, real))
{
/* This is an unknown session but with valid tls-auth/tls-crypt
* (or no auth at all). If this is the initial packet of a
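Review bot: the new `if (m->deferred_shutdown_signal.signal_received)` branch emits a D_MULTI_ERRORS message for every packet from an unknown peer during the shutdown window, so a client that retries aggressively (the `--connect-retry 1 3` case the commit message describes) produces one log line per attempt; consider rate-limiting the message or logging it at a debug level, since the drop itself is the intended behaviour and not an error condition. Also, `gc` in `mroute_addr_print(&real, &gc)` is not declared in the visible lines, so confirm that a `struct gc_arena gc` already exists in the enclosing function and is freed on all exit paths, otherwise the added call allocates into an arena that is never released.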