From a2b8134edf8e5f8e942dedf105e2813a0824b919 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 25 Apr 2022 10:25:20 +0100
Subject: [PATCH] Revert "GP: Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask."
This reverts commit 99ae55aec1408a2905df72394dab99cb6fb41aed, which causes regressions with existing NetworkManager-openconnect releases.
We can do it in NetworkManager-openconnect with https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/merge_requests/36
Signed-off-by: David Woodhouse
---
 gpst.c | 54 +++++------------------------------------------
 www/changelog.xml | 1 +
 2 files changed, 6 insertions(+), 49 deletions(-)
diff --git a/gpst.c b/gpst.c
index a7c6fb99..b655a3da 100644
--- a/gpst.c
+++ b/gpst.c
@@ -342,11 +342,9 @@ out:
 static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
 {
 	xmlNode *member;
-	char *s = NULL, *deferred_netmask = NULL;
-	struct oc_split_include *inc;
-	int split_route_is_default_route = 0;
 	int n_dns = 0, esp_keys = 0, esp_v4 = 0, esp_v6 = 0;
 	int ret = 0;
+	char *s = NULL;
 	int ii;
 	uint32_t esp_magic = 0;
@@ -370,11 +368,8 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 	else if (!xmlnode_get_val(xml_node, "ip-address-v6", &s)) {
 		if (!vpninfo->disable_ipv6)
 			new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
-	} else if (!xmlnode_get_val(xml_node, "netmask", &deferred_netmask)) {
-		/* XX: GlobalProtect servers always (almost always?) send 255.255.255.255 as their netmask
-		 * (a /32 host route), and if they want to include an actual default route (0.0.0.0/0)
-		 * they instead put it under . We defer saving the netmask until later.
-		 */
+	} else if (!xmlnode_get_val(xml_node, "netmask", &s)) {
+		new_ip_info.netmask = add_option_steal(&new_opts, "netmask", &s);
 	} else if (!xmlnode_get_val(xml_node, "mtu", &s))
 		new_ip_info.mtu = atoi(s);
 	else if (!xmlnode_get_val(xml_node, "lifetime", &s))
@@ -455,22 +450,12 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 		   xmlnode_is_named(xml_node, "access-routes") ||
 		   xmlnode_is_named(xml_node, "exclude-access-routes")) {
 		for (member = xml_node->children; member; member=member->next) {
 			if (!xmlnode_get_val(member, "member", &s)) {
-				int is_inc = (xml_node->name[0] == 'a');
-
-				/* XX: if this is a default Legacy IP route jammed into the split-include
-				 * routes, just mark it for now.
-				 */
-				if (is_inc && !strcmp(s, "0.0.0.0/0")) {
-					split_route_is_default_route = 1;
-					continue;
-				}
-
-				inc = malloc(sizeof(*inc));
+				struct oc_split_include *inc = malloc(sizeof(*inc));
 				if (!inc) {
 					ret = -ENOMEM;
 					goto err;
 				}
-				if (is_inc) {
+				if (xmlnode_is_named(xml_node, "access-routes")) {
 					inc->route = add_option_steal(&new_opts, "split-include", &s);
 					inc->next = new_ip_info.split_includes;
 					new_ip_info.split_includes = inc;
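Review bot: The restored `if (xmlnode_is_named(xml_node, "access-routes"))` test in the access-routes hunk is loop-invariant but is re-evaluated for every `member` of the route list; hoisting it as `int is_inc = xmlnode_is_named(xml_node, "access-routes");` above the `for` and branching on `is_inc` keeps the per-member body down to the allocation and the list insertion, as the removed side already did. Since the revert also means a `0.0.0.0/0` member is once again stored as an ordinary split-include rather than being rewritten into the default netmask, a short comment at that branch would spare the next reader from re-discovering why, e.g. `/* A 0.0.0.0/0 member is kept as a plain split-include: the default-route rewrite was reverted (see 99ae55aec) and is handled by NetworkManager-openconnect instead. */`. The enclosing function gpst_parse_config_xml begins and ends outside this hunk.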
@@ -530,35 +515,6 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
 		}
 	}
-	/* Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask. */
-	if (split_route_is_default_route) {
-		char *original_netmask = deferred_netmask;
-
-		if ((deferred_netmask = strdup("0.0.0.0")) == NULL)
-			return -ENOMEM;
-
-		/* If the original netmask wasn't /32, add it as a split route */
-		if (new_ip_info.addr && original_netmask) {
-			uint32_t nm_bits = inet_addr(original_netmask);
-			if (nm_bits != 0xffffffff) { /* 255.255.255.255 */
-				struct in_addr net_addr;
-				inet_aton(new_ip_info.addr, &net_addr);
-				net_addr.s_addr &= nm_bits; /* clear host bits */
-
-				char abuf[INET_ADDRSTRLEN];
-				if ((inc = malloc(sizeof(*inc))) == NULL ||
-				    asprintf(&s, "%s/%s", inet_ntop(AF_INET, &net_addr, abuf, sizeof(abuf)), original_netmask) <= 0)
-					return -ENOMEM;
-				inc->route = add_option_steal(&new_opts, "split-include", &s);
-				inc->next = new_ip_info.split_includes;
-				new_ip_info.split_includes = inc;
-			}
-		}
-		free(original_netmask);
-	}
-	if (deferred_netmask)
-		new_ip_info.netmask = add_option_steal(&new_opts, "netmask", &deferred_netmask);
-
 	/* Set 10-second DPD/keepalive (same as Windows client) unless
 	 * overridden with --force-dpd */
 	if (!vpninfo->ssl_times.dpd)
diff --git a/www/changelog.xml b/www/changelog.xml
index 4cd7e700..7dc7e9c0 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -21,6 +21,7 @@
  • Bugfix RSA SecurID token decryption and PIN entry forms, broken in v8.20. (#388, !344)
  • Support Cisco's multiple-certificate authentication (!194).
  • Append internal=no to GlobalProtect authentication/configuration forms, for compatibility with servers which apparently require this to function properly. (#246, !337)
  • +
  • Revert GlobalProtect default route handling change from v8.20. (!367)

  • OpenConnect v8.20 -- 2.50.1