From 80e6f8aadd16c268fb58bc07e9362e31d2382873 Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Thu, 17 Jun 2021 10:25:15 -0700
Subject: [PATCH] Follow disable_ipv6 for Pulse and Fortinet

As with other protocols (AnyConnect, F5, GP), the behavior of 'disable_ipv6' for these protocols is relatively "shallow": if set, it will cause OpenConnect to ignore any IPv6 address or netmask sent by the server, but will *not* ignore IPv6 split-{in,ex}cludes or IPv6 addresses of DNS servers. More thorough IPv6-ignoring could be handled by the vpnc-script, or cleaned up as part of a future change to simplify IP configuration and routing across protocols. (The lack of support for --disable-ipv6 in Pulse was noted in https://gitlab.com/openconnect/openconnect/-/issues/254.)

Signed-off-by: Daniel Lenski
---
 fortinet.c | 9 ++++++---
 pulse.c | 11 ++++++-----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/fortinet.c b/fortinet.c
index 0b220b7a..62bc5002 100644
--- a/fortinet.c
+++ b/fortinet.c
@@ -417,10 +417,13 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
 goto out;
 }
 vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), a);
- new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
+ if (!vpninfo->disable_ipv6)
+ new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
+ free(a);
 } else {
 vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), s);
- new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
+ if (!vpninfo->disable_ipv6)
+ new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
 }
 } else if (xmlnode_is_named(x, "dns")) {
 if (!xmlnode_get_prop(x, "domain", &s) && s && *s) {
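Review bot: The added `free(a);` runs unconditionally, so in the IPv6-enabled path it is only safe if `add_option_steal()` sets `a` to NULL when it takes ownership; that helper is not visible in this hunk, so the dependency deserves a comment such as `/* add_option_steal() clears 'a' when it takes ownership; this frees it only when the value was not stolen */`. The `else` branch has no matching release for `s` when `disable_ipv6` skips the steal, so confirm that `s` is freed later in the loop or at `out:`, both of which lie outside the hunk. Both branches also still log "Got IPv6 address" with no hint that the value is being discarded, which can mislead anyone reading the log to verify that IPv6 is really off. parse_fortinet_xml_config's body starts and ends outside the hunk.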
@@ -541,7 +544,7 @@ static int fortinet_configure(struct openconnect_info *vpninfo)
 * FortiOS 4 was the last version to send the legacy HTTP configuration.
 * FortiOS 5 and later send the current XML configuration.
 * We clearly do not need to support FortiOS 4 anymore.
- *
+ *
 * Yet we keep this code around in order to get a sanity check about
 * whether the SVPNCOOKIE is still valid/alive, until we are sure we've
 * worked out the weirdness with reconnects.
diff --git a/pulse.c b/pulse.c
index 280cc4a3..090e70e3 100644
--- a/pulse.c
+++ b/pulse.c
@@ -283,12 +283,13 @@ static int process_attr(struct openconnect_info *vpninfo, struct oc_vpn_option * _("Failed to handle IPv6 address\n")); return -EINVAL; } - new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1); - - i = strlen(buf); - snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]); - new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1); + if (!vpninfo->disable_ipv6) { + new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1); + i = strlen(buf); + snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]); + new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1); + } vpn_progress(vpninfo, PRG_DEBUG, _("Received internal IPv6 address %s\n"), buf); break;
--
2.49.0
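Review bot: Inside the new `if (!vpninfo->disable_ipv6)` block in pulse.c, the server-supplied prefix length `data[16]` is formatted into the `ip6netmask` option with no range check, so a value above 128 would be passed on unchanged. A guard before the block, e.g. `if (data[16] > 128) return -EINVAL;`, would reject it; this assumes `data` is a byte buffer whose length was already verified earlier in the case, which the hunk does not show. Because the `snprintf` now sits inside the block, the debug message prints the address without its prefix when IPv6 is disabled, and it does not say that the address was ignored. process_attr's body starts and ends outside the hunk.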