don't try to set an explicit route to VPN gateway if localhost, and ignore bogus...
authorDaniel Lenski <dlenski@gmail.com>
Thu, 8 Oct 2020 00:51:29 +0000 (17:51 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Thu, 8 Oct 2020 20:19:54 +0000 (13:19 -0700)
This should fix confusing errors (see https://gitlab.com/openconnect/openconnect/-/issues/172 and
https://gitlab.com/openconnect/openconnect/-/issues/173) and close #8.

Per IANA (https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml#note1),
there are other IPv4 blocks which are effectively unrouteable (not "Forwardable"), but the ones included here
(0.*, 127.*, 169.254.*) are the ones we've actually seen in real VPNs in the wild.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
vpnc-script

index 24788fef5e7b8545a9f58d9843ca9f340bc9d634..4e2d6eab960543928900a097812fbe43f157019b 100755 (executable)
@@ -879,7 +879,10 @@ do_connect() {
                echo
        fi
 
-       set_vpngateway_route
+       case "$VPNGATEWAY" in
+               127.*|::1) ;; # localhost (probably proxy)
+               *) set_vpngateway_route ;;
+       esac
        do_ifconfig
        if [ -n "$CISCO_SPLIT_EXC" ]; then
                i=0
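Review bot: Both new `case` filters are applied only on the connect side, here around `set_vpngateway_route` and in the next hunk around `set_exclude_route`, and the commit shows no matching change to the teardown path. If the disconnect code removes the gateway route and the exclude routes unconditionally, it would now try to delete routes that were never added, which with a loopback gateway or a 0.*/127.*/169.254.* exclude could bring back the kind of confusing errors this commit is meant to stop; the same `case` patterns probably belong there. Separately, `::1` matches only the compressed spelling of the IPv6 loopback, so the comment could say so, e.g. `127.*|::1) ;; # localhost (probably proxy); assumes $VPNGATEWAY uses the compressed IPv6 form`. The body of do_connect starts and ends outside the hunk.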
@@ -887,7 +890,10 @@ do_connect() {
                        eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
                        eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
                        eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
-                       set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN"
+                       case "$NETWORK" in
+                               0.*|127.*|169.254.*) echo "ignoring non-forwardable exclude route $NETWORK/$NETMASKLEN" >&2 ;;
+                               *) set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;;
+                       esac
                        i=`expr $i + 1`
                done
        fi
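Review bot: The arm `0.*|127.*|169.254.*)` has no comment saying why these three prefixes are skipped or that the list is deliberately partial; that reasoning exists only in the commit message. A comment above the `case`, such as `# skip server-pushed exclude routes in non-forwardable IPv4 ranges seen in the wild (0/8, 127/8, 169.254/16); not the full IANA special-purpose list`, would keep it with the code. The comment could also note that `$NETWORK` is populated from the `CISCO_SPLIT_EXC_*` variables by the `eval` lines above, so this is a textual prefix filter on values supplied from outside the script and not address validation. The enclosing loop and do_connect start outside the hunk.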