'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)' tss2-devel
- java-devel-openjdk
+ java-devel-openjdk iproute iputils nuttcp
- ./autogen.sh
- ./configure --with-java CFLAGS=-g
- make -j4
'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
- java-devel-openjdk 'pkgconfig(libp11)'
+ java-devel-openjdk 'pkgconfig(libp11)' iproute iputils nuttcp
- ./autogen.sh
- ./configure --without-gnutls --with-openssl --with-java --without-openssl-version-check --enable-dtls-xfail --disable-dsa-tests CFLAGS=-g
- make -j4
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
java-devel-openjdk vpnc 'pkgconfig(libp11)' 'pkgconfig(p11-kit-1)'
+ iproute iputils nuttcp
- ./autogen.sh
- ./configure --with-java --without-openssl-version-check --enable-dtls-xfail CFLAGS=-g
- make -j4
'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)' tss2-devel
- java-devel-openjdk glibc-langpack-cs
+ java-devel-openjdk glibc-langpack-cs iproute iputils nuttcp
- ./autogen.sh
- ./configure --with-java --disable-dsa-tests CFLAGS=-g
- make -j4
'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)' tss2-devel
- java-devel-openjdk clang glibc-langpack-cs
+ java-devel-openjdk clang glibc-langpack-cs iproute iputils nuttcp
- ./autogen.sh
- ./configure --with-java --disable-dsa-tests CC=clang CFLAGS=-g
- make -j4
'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
- java-devel-openjdk glibc-langpack-cs
+ java-devel-openjdk glibc-langpack-cs iproute iputils nuttcp
# Re-enable DSA since we test it
- update-crypto-policies --set LEGACY
- ./autogen.sh
'pkgconfig(libproxy-1.0)' 'pkgconfig(liboath)' 'pkgconfig(stoken)'
ocserv softhsm 'pkgconfig(uid_wrapper)' 'pkgconfig(socket_wrapper)'
vpnc-script 'pkgconfig(libpskc)' 'pkgconfig(libpcsclite)'
- java-devel-openjdk clang glibc-langpack-cs
+ java-devel-openjdk clang glibc-langpack-cs iproute iputils nuttcp
# Re-enable DSA since we test it
- update-crypto-policies --set LEGACY
- ./autogen.sh
- dnf update -y
- dnf install -y git autoconf automake libtool python gettext make
mingw32-gnutls mingw32-openssl mingw32-libxml2 mingw32-zlib
- mingw32-gcc wine.i686 make
+ mingw32-gcc wine.i686 make iproute iputils nuttcp
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./autogen.sh
- dnf update -y
- dnf install -y git autoconf automake libtool python gettext make
mingw32-gnutls mingw32-openssl mingw32-libxml2 mingw32-zlib
- mingw32-gcc wine.i686 make
+ mingw32-gcc wine.i686 make iproute iputils nuttcp
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./autogen.sh
- dnf update -y
- dnf install -y git autoconf automake libtool python gettext make
mingw64-gnutls mingw64-openssl mingw64-libxml2 mingw64-zlib
- mingw64-gcc wine.i686 make
+ mingw64-gcc wine.i686 make iproute iputils nuttcp
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./autogen.sh
- dnf update -y
- dnf install -y git autoconf automake libtool python gettext make
mingw64-gnutls mingw64-openssl mingw64-libxml2 mingw64-zlib
- mingw64-gcc wine.x86_64 make
+ mingw64-gcc wine.x86_64 make iproute iputils nuttcp
- mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
- echo ':DOSWin:M::MZ::/usr/bin/wine:' > /proc/sys/fs/binfmt_misc/register
- ./autogen.sh
PKG_CHECK_MODULES([CWRAP], [uid_wrapper, socket_wrapper], have_cwrap=yes, have_cwrap=no)
AM_CONDITIONAL(HAVE_CWRAP, test "x$have_cwrap" != xno)
+have_netns=no
+AC_PATH_PROG(NUTTCP, nuttcp)
+if test -n "$ac_cv_path_NUTTCP"; then
+ AC_PATH_PROG(IP, ip, [], $PATH:/sbin:/usr/sbin)
+ if test -n "$ac_cv_path_IP"; then
+ AC_MSG_CHECKING([For network namespaces])
+ NETNS=openconnect-configure-test-$$
+ if ip netns add $NETNS >/dev/null 2>/dev/null; then
+ ip netns delete $NETNS
+ have_netns=yes
+ fi
+ AC_MSG_RESULT($have_netns)
+ fi
+fi
+AM_CONDITIONAL(HAVE_NETNS, test "x$have_netns" != xno)
+
AC_SUBST([CONFIG_STATUS_DEPENDENCIES],
['$(top_srcdir)/po/LINGUAS \
$(top_srcdir)/openconnect.h \
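Review bot: The namespace probe runs bare `ip` (`if ip netns add $NETNS ...` and `ip netns delete $NETNS`), so the `$PATH:/sbin:/usr/sbin` search done by `AC_PATH_PROG(IP, ip, ...)` just above is never used. When `ip` lives only in /sbin and that directory is not on `PATH`, the probe reports `no` even though a usable binary was found. Use the detected path, `if "$IP" netns add "$NETNS" >/dev/null 2>&1; then` and `"$IP" netns delete "$NETNS"`. The probe can also only succeed when configure itself may create a namespace, so an unprivileged configure followed by a privileged `make check` silently leaves dtls-psk out. A comment such as `# HAVE_NETNS is only set when configure runs with permission to create a netns` would make that visible.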
SUMMARY([Java bindings], [$with_java])
SUMMARY([Build docs], [$build_www])
SUMMARY([Unit tests], [$have_cwrap])
+SUMMARY([Net namespace tests], [$have_netns])
if test "$ssl_library" = "OpenSSL"; then
AC_MSG_WARN([[
EXTRA_DIST = certs/ca.pem certs/ca-key.pem certs/user-cert.pem $(USER_KEYS) $(USER_CERTS) \
certs/server-cert.pem certs/server-key.pem configs/test1.passwd \
common.sh configs/test-user-cert.config configs/test-user-pass.config \
- configs/user-cert.prm softhsm2.conf.in softhsm
+ configs/user-cert.prm softhsm2.conf.in softhsm ns.sh configs/test-dtls-psk.config \
+ scripts/vpnc-script
dist_check_SCRIPTS =
+if HAVE_NETNS
+dist_check_SCRIPTS += dtls-psk
+endif
+
if HAVE_CWRAP
dist_check_SCRIPTS += auth-username-pass auth-certificate auth-nonascii id-test
OCSERV=/usr/sbin/ocserv
+top_builddir=${top_builddir:-..}
SOCKDIR="./sockwrap.$$.tmp"
mkdir -p $SOCKDIR
export SOCKET_WRAPPER_DIR=$SOCKDIR
certdir="${srcdir}/certs"
confdir="${srcdir}/configs"
+update_config() {
+ file=$1
+ username=$(whoami)
+ group=$(groups|cut -f 1 -d ' ')
+ cp "${srcdir}/configs/${file}" "$file.$$.tmp"
+ sed -i -e 's|@USERNAME@|'${username}'|g' "$file.$$.tmp" \
+ -e 's|@GROUP@|'${group}'|g' "$file.$$.tmp" \
+ -e 's|@SRCDIR@|'${srcdir}'|g' "$file.$$.tmp" \
+ -e 's|@OTP_FILE@|'${OTP_FILE}'|g' "$file.$$.tmp" \
+ -e 's|@CRLNAME@|'${CRLNAME}'|g' "$file.$$.tmp" \
+ -e 's|@PORT@|'${PORT}'|g' "$file.$$.tmp" \
+ -e 's|@ADDRESS@|'${ADDRESS}'|g' "$file.$$.tmp" \
+ -e 's|@VPNNET@|'${VPNNET}'|g' "$file.$$.tmp" \
+ -e 's|@VPNNET6@|'${VPNNET6}'|g' "$file.$$.tmp" \
+ -e 's|@OCCTL_SOCKET@|'${OCCTL_SOCKET}'|g' "$file.$$.tmp"
+ CONFIG="$file.$$.tmp"
+}
+
launch_simple_sr_server() {
LD_PRELOAD=libsocket_wrapper.so:libuid_wrapper.so UID_WRAPPER=1 UID_WRAPPER_ROOT=1 $OCSERV $* &
}
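Review bot: In `update_config` every sed expression closes its single quotes around the expansion (`'s|@SRCDIR@|'${srcdir}'|g'`), so the value is subject to word splitting. A `srcdir` containing a space is split into separate sed arguments, and a value containing `|` ends the pattern early. Double-quote the whole expression, e.g. `-e "s|@SRCDIR@|${srcdir}|g"`, and name `"$file.$$.tmp"` once after the last `-e` rather than after each one. The output is also written to a predictable `$file.$$.tmp` name in the working directory, and the dtls-psk test that calls this function requires root. Creating the file with `mktemp` would avoid writing through a path that already exists.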
--- /dev/null
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+auth = "plain[@SRCDIR@/configs/test1.passwd]"
+#auth = "pam"
+
+isolate-workers = false
+
+max-ban-score = 0
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
+#listen-host = @ADDRESS@
+
+use-dbus = no
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+listen-proxy-proto = false
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting multiple times)
+# Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = @PORT@
+udp-port = @PORT@
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds
+dpd = 440
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = @SRCDIR@/certs/server-cert.pem
+server-key = @SRCDIR@/certs/server-key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
+# root key).
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used
+# to verify clients if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client certificate.
+# The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# A revocation list of ca-cert is set
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
+# may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+#disconnect-script = /usr/bin/myscript
+
+# UTMP
+#use-utmp = true
+
+# PID file
+#pid-file = ./ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = ./ocserv-socket
+
+occtl-socket-file = @OCCTL_SOCKET@
+use-occtl = true
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = @USERNAME@
+run-as-group = @GROUP@
+
+# Network settings
+
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+ipv4-network = @VPNNET@
+# Use the keywork local to advertize the local P-t-P address as DNS server
+ipv4-dns = 192.168.1.1
+
+# The NBNS server (if any)
+#ipv4-nbns = 192.168.2.3
+
+ipv6-network = @VPNNET6@
+#address =
+#ipv6-mask =
+#ipv6-dns =
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Leave empty to assign the default MTU of the device
+# mtu =
+
+#route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility. They are only available if the server is built
+# with --enable-anyconnect
+#
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# The profile is ignored by the openconnect client.
+#user-profile = profile.xml
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie. Legacy CISCO clients do not do that, and thus this option
+# should be set for them.
+#always-require-cert = false
+
+compression = false
+
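Review bot: Nothing in this new config marks it as a test fixture, yet it sets `isolate-workers = false` and `max-ban-score = 0`. Its `run-as-user = @USERNAME@` is filled from `whoami` by `update_config`, which is root for the dtls-psk test. A header line such as `# Test fixture for tests/dtls-psk only: worker isolation and ban scoring are turned off, do not reuse as a deployment template` would keep it from being copied elsewhere. The retained comment above `run-as-user` ("It should be unique (no other services run as this user)") describes the sample config this was derived from, not what the substitution does here, and should be reworded or dropped.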
--- /dev/null
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# This tests operation/traffic under compression (lzs or lz4).
+
+OCCTL="${OCCTL:-occtl}"
+SERV="${OCSERV:-ocserv}"
+srcdir=${srcdir:-.}
+PORT=4568
+PIDFILE=ocserv-pid.$$.tmp
+CLIPID=oc-pid.$$.tmp
+PATH=${PATH}:/usr/sbin
+IP=$(which ip)
+OUTFILE=traffic.$$.tmp
+
+. `dirname $0`/common.sh
+
+if test -z "${IP}";then
+ echo "no IP tool is present"
+ exit 77
+fi
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 77
+fi
+
+echo "Testing ocserv connection with DTLS-PSK... "
+
+function finish {
+ set +e
+ echo " * Cleaning up..."
+ test -n "${PID}" && kill ${PID} >/dev/null 2>&1
+ test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
+ test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
+ test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
+ test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
+ rm -f ${OUTFILE} 2>&1
+}
+trap finish EXIT
+
+# server address
+ADDRESS=10.201.2.1
+CLI_ADDRESS=10.201.1.1
+VPNNET=192.168.2.0/24
+VPNADDR=192.168.2.1
+VPNNET6=fd91:6d87:7341:dc6a::/112
+VPNADDR6=fd91:6d87:7341:dc6a::1
+OCCTL_SOCKET=./occtl-comp-$$.socket
+USERNAME=test
+TUNDEV=oc-$$-tun0
+
+. `dirname $0`/ns.sh
+
+# Run servers
+update_config test-dtls-psk.config
+if test "$VERBOSE" = 1;then
+DEBUG="-d 3"
+fi
+
+${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
+
+sleep 4
+
+# Run clients
+echo " * Getting cookie from ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly )
+if test $? != 0;then
+ echo "Could not get cookie from server"
+ exit 1
+fi
+
+echo " * Connecting to ${ADDRESS}:${PORT}..."
+( echo "test" | ${CMDNS1} ${OPENCONNECT} --interface ${TUNDEV} --dtls-ciphers=PSK-NEGOTIATE ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --passwd-on-stdin -b )
+if test $? != 0;then
+ echo "Could not connect to server"
+ exit 1
+fi
+
+set -e
+
+echo " * wait for ${TUNDEV}"
+
+TIMEOUT=10
+while ! ${CMDNS1} ip addr list dev ${TUNDEV} &>/dev/null; do
+ TIMEOUT=$(($TIMEOUT - 1))
+ if [ $TIMEOUT -eq 0 ]; then
+ echo "Timed out waiting for ${TUNDEV}"
+ exit 1
+ fi
+ sleep 1
+done
+
+echo " * add routes"
+
+${CMDNS1} ip route add ${VPNADDR} dev ${TUNDEV}
+${CMDNS1} ip -6 route add ${VPNADDR6} dev ${TUNDEV}
+
+echo " * ping remote address"
+
+${CMDNS2} nuttcp -1
+
+${CMDNS1} ping -c 3 ${VPNADDR}
+
+sleep 2
+
+echo " * Transmitting with nuttcp"
+
+${CMDNS1} nuttcp -T 6 -t ${VPNADDR}
+
+# IPv6
+
+${CMDNS2} nuttcp -1
+
+${CMDNS1} ping -c 3 ${VPNADDR6}
+
+echo " * Receiving with nuttcp"
+
+${CMDNS1} nuttcp -T 6 -r ${VPNADDR}
+
+set +e
+
+${OCCTL} -s ${OCCTL_SOCKET} show users|grep ${USERNAME}
+if test $? != 0;then
+ echo "occtl didn't find connected user!"
+ exit 1
+fi
+
+${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME} >${OUTFILE}
+if test $? != 0;then
+ ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+ echo "occtl didn't find connected user!"
+ exit 1
+fi
+
+grep "Username: ${USERNAME}" ${OUTFILE}
+if test $? != 0;then
+ ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+ echo "occtl show user didn't find connected user!"
+ exit 1
+fi
+
+grep "DTLS cipher: (DTLS1.2)-(PSK)" ${OUTFILE}
+if test $? != 0;then
+ ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+ echo "occtl show user didn't show DTLS-PSK ciphersuite!"
+ exit 1
+fi
+
+grep ${CLI_ADDRESS} ${OUTFILE}
+if test $? != 0;then
+ ${OCCTL} -s ${OCCTL_SOCKET} show user ${USERNAME}
+ echo "occtl show user didn't find client address!"
+ exit 1
+fi
+
+exit 0
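Review bot: Under the `# IPv6` comment, the receive test `${CMDNS1} nuttcp -T 6 -r ${VPNADDR}` still targets the IPv4 address, so the only IPv6 traffic through the tunnel is the three pings to `${VPNADDR6}`. If IPv6 throughput was meant to be covered, that line should read `${CMDNS1} nuttcp -T 6 -r ${VPNADDR6}`. Otherwise the `# IPv6` comment should move down to the ping alone. The header comment "This tests operation/traffic under compression (lzs or lz4)" is also left over from another test. The script asserts `DTLS cipher: (DTLS1.2)-(PSK)`, so it should say `# This tests that DTLS-PSK is negotiated and that traffic passes over the tunnel.`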
--- /dev/null
+#!/bin/bash
+#
+# Copyright (C) 2018 Nikos Mavrogiannopoulos
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Input:
+# ADDRESS=10.200.2.1
+# CLI_ADDRESS=10.200.1.1
+# VPNNET=192.168.1.0/24
+# VPNADDR=192.168.1.1
+#
+# Provides:
+# ${NSCMD1} - to run on NS1
+# ${NSCMD2} - to run on NS2
+#
+# Cleanup is automatic via a trap
+# Requires: finish() to be defined
+
+
+PATH=${PATH}:/usr/sbin
+IP=$(which ip)
+
+if test "$(id -u)" != "0";then
+ echo "This test must be run as root"
+ exit 77
+fi
+
+ip netns list >/dev/null 2>&1
+if test $? != 0;then
+ echo "This test requires ip netns command"
+ exit 77
+fi
+
+if test "$(uname -s)" != Linux;then
+ echo "This test must be run on Linux"
+ exit 77
+fi
+
+function nsfinish {
+ set +e
+ test -n "${ETHNAME1}" && ${IP} link delete ${ETHNAME1} >/dev/null 2>&1
+ test -n "${ETHNAME2}" && ${IP} link delete ${ETHNAME2} >/dev/null 2>&1
+ test -n "${NSNAME1}" && ${IP} netns delete ${NSNAME1} >/dev/null 2>&1
+ test -n "${NSNAME2}" && ${IP} netns delete ${NSNAME2} >/dev/null 2>&1
+
+ finish
+}
+trap nsfinish EXIT
+
+echo " * Setting up namespaces..."
+set -e
+NSNAME1="ocserv-c-tmp-$$"
+NSNAME2="ocserv-s-tmp-$$"
+ETHNAME1="oceth-c$$"
+ETHNAME2="oceth-s$$"
+${IP} netns add ${NSNAME1}
+${IP} netns add ${NSNAME2}
+
+${IP} link add ${ETHNAME1} type veth peer name ${ETHNAME2}
+${IP} link set ${ETHNAME1} netns ${NSNAME1}
+${IP} link set ${ETHNAME2} netns ${NSNAME2}
+
+${IP} netns exec ${NSNAME1} ip link set ${ETHNAME1} up
+${IP} netns exec ${NSNAME2} ip link set ${ETHNAME2} up
+${IP} netns exec ${NSNAME2} ip link set lo up
+
+${IP} netns exec ${NSNAME1} ip addr add ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} netns exec ${NSNAME2} ip addr add ${ADDRESS} dev ${ETHNAME2}
+
+${IP} netns exec ${NSNAME1} ip route add default via ${CLI_ADDRESS} dev ${ETHNAME1}
+${IP} netns exec ${NSNAME2} ip route add default via ${ADDRESS} dev ${ETHNAME2}
+
+${IP} netns exec ${NSNAME2} ip addr
+${IP} netns exec ${NSNAME2} ip route
+${IP} netns exec ${NSNAME1} ip route
+
+${IP} netns exec ${NSNAME1} ping -c 1 ${ADDRESS} >/dev/null
+${IP} netns exec ${NSNAME2} ping -c 1 ${ADDRESS} >/dev/null
+${IP} netns exec ${NSNAME2} ping -c 1 ${CLI_ADDRESS} >/dev/null
+set +e
+
+CMDNS1="${IP} netns exec ${NSNAME1}"
+CMDNS2="${IP} netns exec ${NSNAME2}"
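Review bot: The header comment documents the exported helpers as `${NSCMD1}` and `${NSCMD2}`, but the script defines `CMDNS1` and `CMDNS2` in its last two lines, and those are the names dtls-psk uses. The "Provides:" lines should read `# ${CMDNS1} - to run on NS1` and `# ${CMDNS2} - to run on NS2`. Separately, `IP=$(which ip)` is never checked for emptiness before `${IP} netns add ...` runs under `set -e`, and the capability check uses bare `ip netns list`. A guard like `test -n "${IP}" || exit 77` and `${IP} netns list` would make a missing tool a clean skip rather than a failed command.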
--- /dev/null
+#!/bin/sh -x
+
+# Fake script just for unit tests. Do not use.
+# For a real one, see http://www.infradead.org/openconnect/vpnc-script.html
+
+if [ "$reason" = "connect" ]; then
+ ip link set dev "$TUNDEV" up mtu "$INTERNAL_IP4_MTU"
+ ip addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV"
+ ip -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV
+fi
+exit 0
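Review bot: The IPv6 line `ip -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV` leaves both expansions unquoted while the two IPv4 lines above quote theirs. These values are presumably supplied by the VPN server through openconnect's environment, so they should not be word-split or glob-expanded by the shell. The line also runs when `INTERNAL_IP6_NETMASK` is empty, which yields a malformed `ip` command whose failure is hidden by the unconditional `exit 0`. Suggested replacement: `[ -n "$INTERNAL_IP6_NETMASK" ] && ip -6 addr add "$INTERNAL_IP6_NETMASK" dev "$TUNDEV"`.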