From: Steffan Karger Date: Wed, 1 Nov 2017 22:03:40 +0000 (+0100) Subject: pf: reject client if PF plugin is configured, but init fails X-Git-Tag: v2.5_beta1~555 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=492e42d35f141346fe21b3e984ed1bd86e5aac40;p=thirdparty%2Fopenvpn.git pf: reject client if PF plugin is configured, but init fails This changes the behavior for pf plugins: instead of just not initializing the firewall rules and happily continuing, this now rejects the client in the case of an (unlikely) failure to initialize the pf. Signed-off-by: Steffan Karger Acked-by: Antonio Quartulli Message-Id: <20171101220342.14648-3-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15704.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/pf.c b/src/openvpn/pf.c index e1b5b0e7d..6e4107c50 100644 --- a/src/openvpn/pf.c +++ b/src/openvpn/pf.c @@ -638,10 +638,12 @@ pf_init_context(struct context *c) } #endif } - else - { - msg(M_WARN, "WARNING: OPENVPN_PLUGIN_ENABLE_PF disabled"); - } + } + if (!c->c2.pf.enabled) + { + msg(M_WARN, "WARNING: failed to init PF plugin, rejecting client."); + register_signal(c, SIGUSR1, "plugin-pf-init-failed"); + return; } } #endif /* ifdef PLUGIN_PF */
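Review bot: The new `if (!c->c2.pf.enabled)` check in `pf_init_context()` logs one generic message, "failed to init PF plugin, rejecting client.", for every path that leaves `enabled` false, and the removed `else` branch was the only place that named a cause. Since this failure now drops the client with SIGUSR1 instead of continuing without firewall rules, an operator reading the log will want to know which step failed. Consider keeping a cause-specific `msg()` at the point of failure (the branch that used to log "OPENVPN_PLUGIN_ENABLE_PF disabled") and leaving the reject message and `register_signal(c, SIGUSR1, "plugin-pf-init-failed")` where they are. It would also help to add a short comment above the check saying that a configured PF plugin which fails to initialise is treated as fatal for the client, so the fail-closed behaviour is not later mistaken for an accident and reverted.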