Follow disable_ipv6 for Pulse and Fortinet
authorDaniel Lenski <dlenski@gmail.com>
Thu, 17 Jun 2021 17:25:15 +0000 (10:25 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Thu, 17 Jun 2021 17:34:05 +0000 (10:34 -0700)
As with other protocols (AnyConnect, F5, GP), the behavior of 'disable_ipv6'
for these protocols is relatively "shallow": if set, it will cause
OpenConnect to ignore any IPv6 address or netmask sent by the server, but
will *not* ignore IPv6 split-{in,ex}cludes or IPv6 addresses of DNS servers.

More thorough IPv6-ignoring could be handled by the vpnc-script, or cleaned
up as part of a future change to simplify IP configuration and routing
across protocols.

(The lack of support for --disable-ipv6 in Pulse was noted in
https://gitlab.com/openconnect/openconnect/-/issues/254.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
fortinet.c
pulse.c

index 0b220b7a5197af6e92f8f19bf58df86adf1e200d..62bc5002c07cae3a8c6303bc346f374fa2f94aca 100644 (file)
@@ -417,10 +417,13 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
                                                        goto out;
                                                }
                                                vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), a);
-                                               new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
+                                               if (!vpninfo->disable_ipv6)
+                                                       new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
+                                               free(a);
                                        } else {
                                                vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), s);
-                                               new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
+                                               if (!vpninfo->disable_ipv6)
+                                                       new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
                                        }
                                } else if (xmlnode_is_named(x, "dns")) {
                                        if (!xmlnode_get_prop(x, "domain", &s) && s && *s) {
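Review bot: When `disable_ipv6` is set, both branches still log `Got IPv6 address %s` at PRG_INFO even though the value is then discarded, so the log suggests an address that never reaches the IP configuration; the `Received internal IPv6 address` message in the pulse.c hunk has the same issue. Consider logging a distinct message on the ignored path, e.g. `vpn_progress(vpninfo, PRG_INFO, _("Ignoring IPv6 address %s because IPv6 is disabled\n"), s);`. Separately, the added `free(a)` is only safe after a successful steal if `add_option_steal()` clears the pointer it takes, and the else branch adds no matching release for `s` on the disabled path; both depend on code outside this hunk, so a one-line comment stating that ownership rule next to `free(a)` would help. The enclosing function starts and ends outside the hunk.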
@@ -541,7 +544,7 @@ static int fortinet_configure(struct openconnect_info *vpninfo)
         * FortiOS 4 was the last version to send the legacy HTTP configuration.
         * FortiOS 5 and later send the current XML configuration.
         * We clearly do not need to support FortiOS 4 anymore.
-        * 
+        *
         * Yet we keep this code around in order to get a sanity check about
         * whether the SVPNCOOKIE is still valid/alive, until we are sure we've
         * worked out the weirdness with reconnects.
diff --git a/pulse.c b/pulse.c
index 280cc4a3f65cdc978daccfd976c19438809cf703..090e70e35e56f83302c64edefd9a1b0d4f2c04f3 100644 (file)
--- a/pulse.c
+++ b/pulse.c
@@ -283,12 +283,13 @@ static int process_attr(struct openconnect_info *vpninfo, struct oc_vpn_option *
                                     _("Failed to handle IPv6 address\n"));
                        return -EINVAL;
                }
-               new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1);
-
-               i = strlen(buf);
-               snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]);
-               new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1);
+               if (!vpninfo->disable_ipv6) {
+                       new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1);
 
+                       i = strlen(buf);
+                       snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]);
+                       new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1);
+               }
                vpn_progress(vpninfo, PRG_DEBUG, _("Received internal IPv6 address %s\n"), buf);
                break;