Robin H. Johnson [Wed, 20 Jun 2018 06:26:37 +0000 (06:26 +0000)]
resolvconf: set search instead of domain
Some vpn clients pass multiple domains for DNS search scope, which
requires that we use search rather than domain. The generic path was
already using search, so just switch the resolvconf path to also use
search.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Gernot Hillier [Wed, 21 Feb 2018 16:46:43 +0000 (17:46 +0100)]
Revive route cleanup for /sbin/route code
Clean up our routes upon disconnect also when using the /sbin/route command, even
if the OS will do it for us when TUNDEV gets removed. That's the same as what the
ip-route code already does.
Additionally, we obviously didn't need route deletion in set_network_route for
/sbin/route mode; this function didn't do anything until now. So remove this
call. It's a bad idea to call del_network_route inside set_network_route
anyway because both modify the same global variables.
Signed-off-by: Gernot Hillier <gernot.hillier@siemens.com>
Tested-by: Thomas Zander <thomas.zander@siemens.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Gernot Hillier [Wed, 21 Feb 2018 16:46:42 +0000 (17:46 +0100)]
Support split-exclude rules from Pulse gateway
The vpnc-script used by OpenConnect only supports "split include" rules (default
route unchanged, specific VPN routes added). We add support for Pulse's "split
exclude" rules (default route to VPN, exclude rules for targets to be connected
via normal uplink).
For targets specified as split-exclude by the gateway, we add additional routes
which keep traffic as-is (i.e. separate from tunnel). On platforms only
providing /sbin/route, we guess that those are reached via default gateway.
Please note that the IPv6 variant is completely untested as I have no
access to corresponding testbeds.
Tested on Linux (using ip and route command) in an IPv4 environment; the "ip"
case was also tested in an IPv6 dialup config (gateway is IPv4 only).
Signed-off-by: Gernot Hillier <gernot.hillier@siemens.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Thiago Padilha [Thu, 20 Oct 2016 05:03:50 +0000 (02:03 -0300)]
Add support for systemd-resolved
Add support for modifying DNS information on systems using systemd-resolved.
The communication with systemd-resolved is done through dbus, which is
possible with the `busctl` program that comes with systemd version 229
and later.
Signed-off-by: Thiago de Arruda <tpadilha84@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Corey Hickey [Sun, 28 Aug 2016 05:45:14 +0000 (22:45 -0700)]
rewrite resolv.conf parsing
This patch simplifies parsing and changes behavior in two ways:
1. Domains for searching are now parsed from "search" and "domain"
lines. Only a "search" line is output, since "search" supports
multiple domains and is mutually exclusive with "domain". The motivation
for this is to make vpnc-script behave sanely when there are existing
resolv.conf files with only "domain" or with both "domain" and "search".
2. All original "nameserver" lines are discarded and replaced rather
than only the number of nameservers from $INTERNAL_IP4_DNS. The
rationale here is that vpnc-script should be consistent and either
retain all original nameservers or overwrite all of them. Retaining them
is problematic because there is a limit of three, and overwriting is
closer to the original behavior.
The Darwin changes are untested, but are a simple search/replace and
thus should work fine.
Signed-off-by: Corey Hickey <bugfood-ml@fatooh.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
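The rewrite described in the commit above, as an added POSIX shell example that is not vpnc-script's own code: domains are gathered from both "search" and "domain" lines, one "search" line is emitted, and every original "nameserver" line is replaced. The function interface, the VPN domain argument and the sample resolv.conf are assumptions.

```shell
# Added example, not the vpnc-script code itself.
# $1: path to the existing resolv.conf
# $2: space-separated VPN DNS servers (as in $INTERNAL_IP4_DNS)
# $3: VPN search domain (may be empty); the rewritten file goes to stdout
rewrite_resolv_conf() {
    in="$1"; vpn_dns="$2"; vpn_domain="$3"
    # Collect domains from both "search" and "domain" lines, one per line.
    existing=$(awk '$1 == "search" || $1 == "domain" { for (i = 2; i <= NF; i++) print $i }' "$in")
    domains=""
    # Merge VPN domain and existing domains, keeping order and dropping duplicates.
    for d in $vpn_domain $existing; do
        case " $domains " in
            *" $d "*) ;;
            *) domains="$domains $d" ;;
        esac
    done
    # Only a "search" line is written; "domain" is never emitted.
    if [ -n "$domains" ]; then
        echo "search$domains"
    fi
    # All original nameservers are discarded and replaced by the VPN's servers.
    for ns in $vpn_dns; do
        echo "nameserver $ns"
    done
    # Everything else (options, comments, blank lines) is kept verbatim.
    awk '$1 != "search" && $1 != "domain" && $1 != "nameserver"' "$in"
}

# Constructed sample input: a "domain" line plus a "search" line, and two
# nameservers that the VPN's servers must replace.
sample_resolv_conf() {
    cat <<'EOF'
# local resolver config (constructed sample)
domain example.com
search corp.example.com example.com
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:2
EOF
}

tmp=$(mktemp)
sample_resolv_conf > "$tmp"
rewrite_resolv_conf "$tmp" "10.0.0.53 10.0.0.54" "vpn.example.net"
rm -f "$tmp"
```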
Björn Ketelaars [Sat, 14 Mar 2015 18:31:38 +0000 (19:31 +0100)]
OSX - Fix split DNS when doing split routing
Currently one can choose between two scenarios:
- overriding the default gateway, which breaks split routing, and honoring the
DNS server as proposed by the server
- not overriding the default gateway, which enables split routing, but without
honoring the DNS server as proposed by the server
    # next line overrides the default gateway and breaks split routing
    # d.add Router $INTERNAL_IP4_ADDRESS
Split DNS, when doing split routing, is enabled by adding INTERNAL_IP4_DNS to
the list of DNS servers.
Signed-off-by: Björn Ketelaars <bjorn.ketelaars@hydroxide.nl>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
John Baldwin [Thu, 12 Mar 2015 15:28:51 +0000 (15:28 +0000)]
Enable resolvconf on FreeBSD too
According to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195359
this should work fine. I've no idea why it wasn't enabled for FreeBSD
in the first place; perhaps just lack of testing and conservatism.
Signed-off-by: John Baldwin <jhb@FreeBSD.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Antonio Borneo [Sun, 1 Dec 2013 07:06:41 +0000 (15:06 +0800)]
Add support for "unbound" DNS resolver
Original patch from Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>
posted at Red Hat Bugzilla - Bug #865092
https://bugzilla.redhat.com/show_bug.cgi?id=865092
Removed bashism, removed trailing spaces, use tab for indentation.
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Emanuel Haupt [Mon, 28 Jan 2013 15:33:38 +0000 (15:33 +0000)]
Fix various issues on FreeBSD
- duplicate creation of tun devices
- cleanup of created tun device
- deadlock of vpnc holding an open file descriptor on /dev/tunN
- properly restoring /etc/resolv.conf
Signed-off-by: Emanuel Haupt <ehaupt@FreeBSD.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Mon, 23 Apr 2012 00:20:34 +0000 (01:20 +0100)]
Add script hooks
This is based loosely in concept on the Debian patch, and is also needed for
OpenWrt unless we want to add a bunch of OpenWrt-specific stuff in here too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Tue, 13 Dec 2011 23:39:14 +0000 (23:39 +0000)]
No need to add link-local address on Solaris.
Revert commit 9e277b5e64315aa3e1a2f2472e9c2d55f9b0f788. Now that we plumb
the interface from openconnect instead of with ifconfig from vpnc-script,
the issues with link-local addresses no longer seem to bother us.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Antonio Borneo [Mon, 12 Dec 2011 20:39:06 +0000 (04:39 +0800)]
vpnc-script: fix for Suse pre 11.1
To handle /etc/resolv.conf file, Suse Linux pre 11.1
uses /sbin/modify_resolvconf script.
The same parameter "-s <service>" has to be passed
to modify_resolvconf on both "modify" and "restore".
Original vpnc-script.in from vpnc project runs:
/sbin/modify_resolvconf modify -s $SCRIPTNAME ...
/sbin/modify_resolvconf restore -s vpnc ...
with $SCRIPTNAME=="vpnc".
In this repository, vpnc-script.in has been converted
to vpnc-script. Doing this, the value $SCRIPTNAME has
changed from "vpnc" to "vpnc-script".
This breaks the "restore" and leaves /etc/resolv.conf
modified for the (already closed) VPN tunnel.
Replace "-s $SCRIPTNAME" with fixed value "-s vpnc".
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Fred Wittekind IV [Sun, 4 Sep 2011 22:10:40 +0000 (23:10 +0100)]
Fix MTU calculation (Red Hat bug #693235)
Newer iproute doesn't give the mtu in 'ip route get' output, so get the
device and then get the device's MTU (which theoretically could be
different to the route MTU but this is good enough for now).
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Dave Reisner [Mon, 15 Aug 2011 00:01:24 +0000 (20:01 -0400)]
vpnc-script: prevent negative MTU
We can't be sure that the route shown by 'ip route get' will return
anything. Restructure the logic to only perform the subtraction if it
does. Otherwise, fall back to the default 1412.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
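The MTU derivation described by the two commits above (take "mtu N" from `ip route get` output when present, otherwise look up the MTU of the "dev" named there, and only subtract when a value was actually found), as an added POSIX shell example that is not vpnc-script's own code. The overhead constant, the device lookup table and the sample `ip route get` outputs are assumptions constructed for the example.

```shell
# Added example, not the vpnc-script code itself.
TUN_OVERHEAD=88    # assumed tunnel overhead in bytes, not the script's actual value
DEFAULT_MTU=1412   # fallback used when no route or device MTU can be determined

# Constructed stand-in for querying the device MTU (e.g. via `ip link show`):
# returns an MTU for the devices in this table and fails for anything else.
dev_mtu() {
    case "$1" in
        eth0)  echo 1500 ;;
        wlan0) echo 1400 ;;
        *)     return 1 ;;
    esac
}

# $1: captured output of `ip route get <gateway>` (may be empty when the
# lookup produced nothing). Prints the MTU to configure on the tunnel.
tunnel_mtu() {
    route_out="$1"
    # Older iproute prints "mtu N" directly in the route output.
    mtu=$(printf '%s\n' "$route_out" | sed -n 's/.* mtu \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$mtu" ]; then
        # Newer iproute omits it, so fall back to the MTU of the egress device.
        dev=$(printf '%s\n' "$route_out" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
        if [ -n "$dev" ]; then
            mtu=$(dev_mtu "$dev" 2>/dev/null) || mtu=""
        fi
    fi
    # Subtract only when a usable value was found; never go negative or empty.
    if [ -n "$mtu" ] && [ "$mtu" -gt "$TUN_OVERHEAD" ]; then
        echo $((mtu - TUN_OVERHEAD))
    else
        echo "$DEFAULT_MTU"
    fi
}

# Constructed sample outputs covering the three situations.
OLD_IPROUTE="192.0.2.1 via 198.51.100.1 dev eth0 src 198.51.100.20
    cache mtu 1492 advmss 1452"
NEW_IPROUTE="192.0.2.1 via 198.51.100.1 dev wlan0 src 198.51.100.20 uid 0
    cache"
NO_ROUTE=""

tunnel_mtu "$OLD_IPROUTE"   # route MTU 1492 minus overhead
tunnel_mtu "$NEW_IPROUTE"   # device wlan0 MTU 1400 minus overhead
tunnel_mtu "$NO_ROUTE"      # nothing found: default
```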
Bernhard Schmidt [Tue, 23 Feb 2010 18:11:53 +0000 (18:11 +0000)]
Set route to VPN gateway before configuring tunnel
In some circumstances (with $VPNGATEWAY being inside of
$INTERNAL_IP4_ADDRESS/$INTERNAL_IP4_NETMASK, for example when the netmask
was set incorrectly) the hostroute to $VPNGATEWAY pointed to the
tunnel device, creating a routing recursion.
Set the host route before configuring the tun interface to fix this.
Signed-off-by: Bernhard Schmidt <berni@birkenwald.de>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>