Opened 9 years ago

Closed 5 years ago

#15 closed Patch submission (wontfix)

[PATCH] Enabling Accounting/Stats for plugins

Reported by: Emmanuel Bretelle Owned by:
Priority: major Milestone:
Component: plug-ins / plug-in API Version: OpenVPN git master branch (Community Ed)
Severity: Patch Queue: Awaiting updated patch Keywords:
Cc:

Description

A while back this thread ( http://comments.gmane.org/gmane.network.openvpn.devel/990 and mainly http://permalink.gmane.org/gmane.network.openvpn.devel/1048 ) mentioned the possible integration of accounting into the plugin system.

This patch will add such feature in the following manner:

  • use default accounting frequency (default to 60s). Default can be overridden from config file, command line and ccd file.
  • if one uses openvpn_plugin_func_v2 along with OPENVPN_PLUGIN_CLIENT_CONNECT_V2, this value can be overridden for each client via openvpn_plugin_string_list.
  • Then again, each time OPENVPN_PLUGIN_ACCOUNTING is called, this value can be updated with the returned openvpn_plugin_string_list

To test the plugin, one needs to use --enable-accounting when compiling openvpn.
Accounting can be disabled by setting a value of 0.

Attachments (4)

openvpn_accounting.patch (22.9 KB) - added by Emmanuel Bretelle 9 years ago.
OpenVPN accounting patch
accounting.patch (11.3 KB) - added by Emmanuel Bretelle 9 years ago.
1 diff only
testplugin.c (4.7 KB) - added by Emmanuel Bretelle 9 years ago.
a plugin showing a use case of OPENVPN_PLUGIN_ACCOUNTING hook
openvpn-plugin.h (15.9 KB) - added by Emmanuel Bretelle 9 years ago.
headers required to compile the plugin

Download all attachments as: .zip

Change History (9)

Changed 9 years ago by Emmanuel Bretelle

Attachment: openvpn_accounting.patch added

OpenVPN accounting patch

Changed 9 years ago by Emmanuel Bretelle

Attachment: accounting.patch added

1 diff only

comment:1 Changed 9 years ago by Emmanuel Bretelle

As agreed on IRC, I cooked up a demo implementation of this new plugin hook.

Basically the idea is to be able to implement AAA (through radius for instance) with an openvpn plugin.

The benefit is that it is then possible to get network usage per client from within a plugin without starting a new process that will handle that in the background by parsing regurlarly openvpn-status.log or initiating a connection to the management console.

The plugin is taking advantage of the return_list parameter available in openvpn_plugin_func_v2 to update the interval at which is wants to receive update for a specific client.
A default value of 60 second is hardcoded within the options, but it can be changed at startup through --accounting-freq n command switch

A value of 0 will disable accounting information to be sent.

For compiling instructions and how to run the testing environmen, please check the comments in testplugin.c

The scenario would be as follow:

  1. plugin in invoke with type OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin sends credentials to authentication server and returns success/error to main loop
  2. on success, plugin is called with OPENVPN_PLUGIN_CLIENT_CONNECT_V2
    • plugin send a message to accounting server informing it that the session starts
    • plugin receive an update interval value (let call it acct_interval) at which it should send updated information to accounting server. this acct_interval is passed to accounting server through return_list
  3. time passes, traffic goes through
  4. when acct_interval time is passed, the plugin is invoked with OPENVPN_PLUGIN_ACCOUNTING. bytes_sent/bytes_received being passed through envp
    • plugin contact accounting server and give it those value
    • accounting server might reply with a new acct_interval that plugin can pass back to openvpn server through return_list
  5. 3) and 4) repeat
  6. Client is disconnected, openvpn main loop will invoke plugin with OPENVPN_PLUGIN_CLIENT_DISCONNECT, plugin informs accounting server that session is stopped and that bytes_sent/bytes_received was used over time_duration

Here is the output of a session realised with the attached test plugin,.
Mind that after 1minute or so i disconnected the client, hence no packet were going through so the eventtimeout was not triggered at the exact second. In a normal scenario, update would not happen every so often, here low random values were given to illustrate the usage.

Any things that are unclear, le me know.
Tks

Thu Jun 10 16:19:30 2010 192.168.51.1:40289 [ssss] Peer Connection Initiated with 192.168.51.1:40289
ACCT Thu Jun 10 16:19:30 2010
 Sending start time to accounting server 1276179570
ACCT Thu Jun 10 16:19:30 2010
 Plugin requested accounting update in 11 seconds
--
Thu Jun 10 16:19:41 2010 DEBUG: ACCOUNTING triggerred after 11s for ssss
ACCT Thu Jun 10 16:19:41 2010
 Sending accounting information to server 5724tx/3663rx
ACCT Thu Jun 10 16:19:41 2010
 Acounting server requesting new update in 5 seconds
--
Thu Jun 10 16:19:46 2010 DEBUG: ACCOUNTING triggerred after 5s for ssss
ACCT Thu Jun 10 16:19:46 2010
 Sending accounting information to server 6349tx/4288rx
ACCT Thu Jun 10 16:19:46 2010
 Acounting server requesting new update in 9 seconds
--
Thu Jun 10 16:19:55 2010 DEBUG: ACCOUNTING triggerred after 9s for ssss
ACCT Thu Jun 10 16:19:55 2010
 Sending accounting information to server 7474tx/5413rx
ACCT Thu Jun 10 16:19:55 2010
 Acounting server requesting new update in 19 seconds
--
Thu Jun 10 16:20:14 2010 DEBUG: ACCOUNTING triggerred after 19s for ssss
ACCT Thu Jun 10 16:20:14 2010
 Sending accounting information to server 9849tx/7788rx
ACCT Thu Jun 10 16:20:14 2010
 Acounting server requesting new update in 16 seconds
--
Thu Jun 10 16:20:30 2010 DEBUG: ACCOUNTING triggerred after 16s for ssss
ACCT Thu Jun 10 16:20:30 2010
 Sending accounting information to server 11849tx/9788rx
ACCT Thu Jun 10 16:20:30 2010
 Acounting server requesting new update in 10 seconds
--
Thu Jun 10 16:20:42 2010 DEBUG: ACCOUNTING triggerred after 10s for ssss
ACCT Thu Jun 10 16:20:42 2010
 Sending accounting information to server 12099tx/10038rx
ACCT Thu Jun 10 16:20:42 2010
 Acounting server requesting new update in 11 seconds
--
Thu Jun 10 16:21:00 2010 DEBUG: ACCOUNTING triggerred after 11s for ssss
ACCT Thu Jun 10 16:21:00 2010
 Sending accounting information to server 12205tx/10038rx
ACCT Thu Jun 10 16:21:00 2010
 Acounting server requesting new update in 12 seconds
--
Thu Jun 10 16:21:12 2010 DEBUG: ACCOUNTING triggerred after 12s for ssss
ACCT Thu Jun 10 16:21:12 2010
 Sending accounting information to server 12258tx/10038rx
ACCT Thu Jun 10 16:21:12 2010
 Acounting server requesting new update in 1 seconds
--
Thu Jun 10 16:21:15 2010 DEBUG: ACCOUNTING triggerred after 1s for ssss
ACCT Thu Jun 10 16:21:15 2010
 Sending accounting information to server 12311tx/10038rx
ACCT Thu Jun 10 16:21:15 2010
 Acounting server requesting new update in 8 seconds
--
Thu Jun 10 16:21:30 2010 DEBUG: ACCOUNTING triggerred after 8s for ssss
ACCT Thu Jun 10 16:21:30 2010
 Sending accounting information to server 12364tx/10038rx
ACCT Thu Jun 10 16:21:30 2010
 Acounting server requesting new update in 16 seconds
--
Thu Jun 10 16:21:53 2010 DEBUG: ACCOUNTING triggerred after 16s for ssss
ACCT Thu Jun 10 16:21:53 2010
 Sending accounting information to server 12470tx/10038rx
ACCT Thu Jun 10 16:21:53 2010
 Acounting server requesting new update in 8 seconds
--
Thu Jun 10 16:22:03 2010 DEBUG: ACCOUNTING triggerred after 8s for ssss
ACCT Thu Jun 10 16:22:03 2010
 Sending accounting information to server 12523tx/10038rx
ACCT Thu Jun 10 16:22:03 2010
 Acounting server requesting new update in 6 seconds
--
Thu Jun 10 16:22:13 2010 DEBUG: ACCOUNTING triggerred after 6s for ssss
ACCT Thu Jun 10 16:22:13 2010
 Sending accounting information to server 12576tx/10038rx
ACCT Thu Jun 10 16:22:13 2010
 Acounting server requesting new update in 3 seconds
--
Thu Jun 10 16:22:23 2010 DEBUG: ACCOUNTING triggerred after 3s for ssss
ACCT Thu Jun 10 16:22:23 2010
 Sending accounting information to server 12629tx/10038rx
ACCT Thu Jun 10 16:22:23 2010
 Acounting server requesting new update in 4 seconds
--
Thu Jun 10 16:22:30 2010 DEBUG: ACCOUNTING triggerred after 4s for ssss
ACCT Thu Jun 10 16:22:30 2010
 Sending accounting information to server 12682tx/10038rx
ACCT Thu Jun 10 16:22:30 2010
 Acounting server requesting new update in 6 seconds
--
Thu Jun 10 16:22:43 2010 DEBUG: ACCOUNTING triggerred after 6s for ssss
ACCT Thu Jun 10 16:22:43 2010
 Sending accounting information to server 12735tx/10038rx
ACCT Thu Jun 10 16:22:43 2010
 Acounting server requesting new update in 14 seconds
--
Thu Jun 10 16:23:00 2010 DEBUG: ACCOUNTING triggerred after 14s for ssss
ACCT Thu Jun 10 16:23:00 2010
 Sending accounting information to server 12841tx/10038rx
ACCT Thu Jun 10 16:23:00 2010
 Acounting server requesting new update in 12 seconds
--
Thu Jun 10 16:23:13 2010 DEBUG: ACCOUNTING triggerred after 12s for ssss
ACCT Thu Jun 10 16:23:13 2010
 Sending accounting information to server 12894tx/10038rx
ACCT Thu Jun 10 16:23:13 2010
 Acounting server requesting new update in 9 seconds
--
Thu Jun 10 16:23:24 2010 DEBUG: ACCOUNTING triggerred after 9s for ssss
ACCT Thu Jun 10 16:23:24 2010
 Sending accounting information to server 12947tx/10038rx
ACCT Thu Jun 10 16:23:24 2010
 Acounting server requesting new update in 16 seconds
--
Thu Jun 10 16:23:44 2010 DEBUG: ACCOUNTING triggerred after 16s for ssss
ACCT Thu Jun 10 16:23:44 2010
 Sending accounting information to server 13053tx/10038rx
ACCT Thu Jun 10 16:23:44 2010
 Acounting server requesting new update in 17 seconds
--
Thu Jun 10 16:24:04 2010 DEBUG: ACCOUNTING triggerred after 17s for ssss
ACCT Thu Jun 10 16:24:04 2010
 Sending accounting information to server 13159tx/10038rx
ACCT Thu Jun 10 16:24:04 2010
 Acounting server requesting new update in 4 seconds
--
Thu Jun 10 16:24:14 2010 DEBUG: ACCOUNTING triggerred after 4s for ssss
ACCT Thu Jun 10 16:24:14 2010
 Sending accounting information to server 13212tx/10038rx
ACCT Thu Jun 10 16:24:14 2010
 Acounting server requesting new update in 11 seconds
--
Thu Jun 10 16:24:25 2010 DEBUG: ACCOUNTING triggerred after 11s for ssss
ACCT Thu Jun 10 16:24:25 2010
 Sending accounting information to server 13265tx/10038rx
ACCT Thu Jun 10 16:24:25 2010
 Acounting server requesting new update in 8 seconds
--
Thu Jun 10 16:24:31 2010 ssss/192.168.51.1:40289 SIGUSR1[soft,ping-restart] received, client-instance restarting
ACCT Thu Jun 10 16:24:31 2010
 Sending accounting information to server 13318tx/10038rx, session started at 1276179570 and last 301

Changed 9 years ago by Emmanuel Bretelle

Attachment: testplugin.c added

a plugin showing a use case of OPENVPN_PLUGIN_ACCOUNTING hook

Changed 9 years ago by Emmanuel Bretelle

Attachment: openvpn-plugin.h added

headers required to compile the plugin

comment:2 Changed 9 years ago by David Sommerseth

Severity: unsetPatch Queue: New / awaiting ACK

comment:3 Changed 9 years ago by David Sommerseth

Severity: Patch Queue: New / awaiting ACKPatch Queue: Awaiting updated patch

Thank you for your patch! I've been looking at it, and as we discussed on IRC, making this new plug-in hook support the same feature set as the other plug-in hooks is needed. This plug-in API needs to allow plug-ins to put the task to a separate thread to avoid blocking other operations in OpenVPN (OPENVPN_PLUGIN_FUNC_DEFERRED).

Further the new plug-in hook is not described as other hooks in openvpn-plugin.h

comment:4 Changed 5 years ago by Gert Döring

dazo: is this something for 2.4? or drop, close, timeout?

comment:5 Changed 5 years ago by David Sommerseth

Resolution: wontfix
Status: newclosed

Wow ... We asked for an updated patch 4 years ago, so I don't think this is a feature many is waiting for. Let's close it. Anyhow, if a new patch appears, we'll re-open it and consider it. But then this plug-in should support at least the v3 plug-in API as well, in addition to the requirements in comment 3.

Note: See TracTickets for help on using tickets.