From code inspection it seems like I need to have one PF-file/client.
So for 1000 clients connected this means 1000 files! That is the
bottleneck I am talking about. Also, in my use-case the plugin (which
spawns a separate thread) is the one who asynchronously wants to close
a socket. The important thing to note here is that this socket may not
be actively being served by openvpn process at the time of closing (by
plugin) and so packet filtering will never kick in.

So I am not sure if PF will help here. It will help of course if the
use-case is for closing a socket *the next time it is used*.
Hope I didn't confuse folks with my use-case.

This is why I started with the telnet-client idea whereby my plugin
thread sends "kill IP:port" command via telnet to openvpn's management
listener. But the problem I will run into is the fact that telnet
somehow is written to only allow one telnet session at a time. So if
my plugin decides to use this session then at that instant in time no
one else can use this cool management feature.
Are there ways around that: making telnet accept multiple sessions?

Thanks,

Vineet
On Tue, Dec 14, 2010 at 9:52 AM, David Sommerseth
<openvpn.l...@topphemmelig.net> wrote:
> On 14/12/10 18:47, Vineet Kumar wrote:
>> Thanks for your response. This seems to involve file I/O and iptables
>> right? File I/O seems like a performance bottleneck, no?
>
> Maybe, if you're still using tapes and need to rewind the tape ;-)
>
> Seriously, not really.  All decent OSes today have pretty good caching,
> so most likely will things not manage to get written properly to disk
> before the file is read, parsed and removed again by OpenVPN.
>
> But to improve things a bit, you can always mount a directory for such
> files in a tmpfs (or a RAM disk) and let OpenVPN use that.
>
>
> kind regards,
>
> David Sommerseth
>
>
>
>> Vineet
>> On Mon, Dec 13, 2010 at 4:35 PM, chantra <chan...@debuntu.org
>> <mailto:chan...@debuntu.org>> wrote:
>>
>>     Vineet,
>>
>>     I think you could use Packet filtering plugin hook and use the
>>     [KILL] tag at the end of the pf file .
>>
>>     See
>>     
>> http://openvpn.git.sourceforge.net/git/gitweb.cgi?p=openvpn/openvpn-testing.git;a=blob;f=openvpn-plugin.h;h=56b0a701574e6913b3a714e941cdc4899dbea8e1;hb=HEAD#l316
>>
>>     I have never used it myself, but I think that should sort you out.
>>
>>     The doc says that this file may be dynamically updated during a
>>     client session. I assume the main process will pick up the change
>>     quick fast.
>>
>>     Chantra
>>
>>
>>     On Mon, 2010-12-13 at 15:16 -0800, Vineet Kumar wrote:
>>>     Hi,
>>>       If my openvpn plugin spawns its own thread and from that thread
>>>     wants to kill a tunnel specified by IP:port how can that be done?
>>>     (something like what the 'telnet' management provides: "kill IP:port")
>>>     This plugin is meant to do other stuff and in certain scenarios wants
>>>     to close specific tunnels.
>>>     First I thought of using the plugin to write code to establish a
>>>     telnet-client sessions and send over "kill IP:port" command. But I
>>>     notice an issue with the management listener: if I run more than 1
>>>     telnet session only the first one can pass through data whereas all
>>>     others' telnet sessions just hang.
>>>
>>>     Is this even possible?
>>>
>>>     Vineet
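The thread's sticking point is that OpenVPN's management interface serves one session at a time, so a plugin thread that opens its own telnet-style session for `kill IP:port` blocks everyone else. One way to live with that constraint, as an added example that is not code from this thread or from OpenVPN: the plugin keeps a single persistent management session and serializes all `kill` commands through it with a lock. It assumes the plugin can reach the management interface over a connected TCP socket; the reply strings in `demo()` are constructed to mirror the interface's `SUCCESS:`/`ERROR:` line format.

```python
import threading

class OpenVPNManagement:
    """One persistent, lock-serialized session to OpenVPN's management
    interface: OpenVPN serves a single management client at a time, so
    every plugin thread shares this object. `sock` is a connected TCP
    socket (or any object with sendall()/recv())."""

    def __init__(self, sock):
        self.sock, self.lock, self.buf = sock, threading.Lock(), b""

    def _readline(self):
        while b"\n" not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("management connection closed")
            self.buf += chunk
        line, _, self.buf = self.buf.partition(b"\n")
        return line.decode("ascii", "replace").rstrip("\r")

    def command(self, cmd):
        """Send one command; return its SUCCESS:/ERROR: reply line, skipping
        asynchronous '>' notifications such as >INFO: and >CLIENT:."""
        with self.lock:
            self.sock.sendall((cmd + "\n").encode("ascii"))
            while True:
                line = self._readline()
                if not line.startswith(">"):
                    return line

    def kill(self, client):
        """client is 'IP:port' or a common name; returns (killed, message)."""
        status, _, message = self.command("kill " + client).partition(": ")
        return status == "SUCCESS", message

class ScriptedSocket:
    """Constructed stand-in for a socket that replays canned replies offline."""
    def __init__(self, replies): self.replies, self.sent = list(replies), []
    def sendall(self, data): self.sent.append(data)
    def recv(self, n): return self.replies.pop(0) if self.replies else b""

def demo():
    # Reply texts are constructed to mirror the management interface's format.
    sock = ScriptedSocket([
        b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n",
        b"SUCCESS: 1 client(s) at address 10.8.0.6:51194 killed\r\n",
        b"ERROR: client at address 10.8.0.7:51195 not found\r\n",
    ])
    mgmt = OpenVPNManagement(sock)
    return mgmt.kill("10.8.0.6:51194"), mgmt.kill("10.8.0.7:51195"), sock.sent
```

Against a live daemon, replace `ScriptedSocket` with `socket.create_connection((host, port))` for the management listener; the PF-file route from earlier in the thread remains the option that needs no management session at all.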
