From patchwork Sun Jul 1 09:59:38 2018
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 391
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 1 Jul 2018 21:59:38 +0200
Message-Id: <20180701195938.2541-1-gert@greenie.muc.de>
In-Reply-To: <023bf67a-02c2-93ca-7c97-3219b24d3411@unstable.cc>
References: <023bf67a-02c2-93ca-7c97-3219b24d3411@unstable.cc>
Subject: [Openvpn-devel] [PATCH] Extend push-remove to also handle 'ifconfig'.

Push-remove (introduced in commit 970312f1850) did not handle "ifconfig" yet, as both "ifconfig" and "ifconfig-ipv6" are handled differently from all other pushed options.

Since there was no valid use-case to not-push "ifconfig" (no support on the client side for running IPv6-only) this was not an issue so far - but with the recent commits to enable ipv6-only operation it can be a desirable feature.

The implementation is similar to "push-remove ifconfig-ipv6" - namely, flagging via a new context option (c->options.push_ifconfig_ipv4_blocked) and then not creating the push statement in "send_push_reply()".

While not truly elegant, it's much less invasive than the alternatives (storing the list of "push-remove" statements somewhere and then checking in push_option_ex()).

Trac: #1072
Signed-off-by: Gert Doering
Acked-by: Antonio Quartulli
---
v2: style changes, manpage note about exact match
---
 doc/openvpn.8         |  5 +++++
 src/openvpn/options.h |  1 +
 src/openvpn/push.c    | 10 +++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 0e5d467..46ea58b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3045,6 +3045,11 @@ an option, can be used to first remove the old value, and then add a new .B \-\-push option with the new value. + +NOTE2: due to implementation details, 'ifconfig' and 'ifconfig-ipv6' +can only be removed with an exact match on the option ("push-remove ifconfig"), +no substring matching and no matching on the IPv4/IPv6 address argument +is possible. .\"********************************************************* .TP .B \-\-push\-peer\-info diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f7d0145..3a6c33f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -425,6 +425,7 @@ struct options bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; + bool push_ifconfig_ipv4_blocked; /* IPv4 */ bool push_ifconfig_ipv6_defined; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ int push_ifconfig_ipv6_netbits; /* IPv6 */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 6a30e47..a7ec4dd 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -342,7 +342,8 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, /* ipv4 */ if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local - && c->c2.push_ifconfig_remote_netmask) + && c->c2.push_ifconfig_remote_netmask + && !o->push_ifconfig_ipv4_blocked) { in_addr_t ifconfig_local = c->c2.push_ifconfig_local; if (c->c2.push_ifconfig_local_alias) 
@@ -602,6 +603,13 @@ push_remove_option(struct options *o, const char *p) { msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p); + /* ifconfig is special, as not part of the push list */ + if (streq(p, "ifconfig")) + { + o->push_ifconfig_ipv4_blocked = true; + return; + } + /* ifconfig-ipv6 is special, as not part of the push list */ if (streq( p, "ifconfig-ipv6" )) {
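Review bot: the NOTE2 paragraph added in the doc/openvpn.8 hunk states the exact-match rule but gives only the IPv4 spelling; since the push_remove_option() hunk compares "ifconfig" and "ifconfig-ipv6" with separate streq() calls, "push-remove ifconfig" will not remove ifconfig-ipv6 and vice versa. Suggest listing both forms explicitly, e.g. `("push-remove ifconfig" or "push-remove ifconfig-ipv6")`, so an administrator who wants an IPv6-only or IPv4-only client knows both lines are needed to block both, and a single prefix will not do it.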
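Review bot: the new field in the options.h hunk carries only the `/* IPv4 */` marker copied from its neighbours, which does not say what "blocked" means or who sets it. Suggest `bool push_ifconfig_ipv4_blocked; /* IPv4: set by "push-remove ifconfig" */` so the coupling between this flag, push_remove_option() and prepare_push_reply() is documented at the declaration rather than only in the commit message.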
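Review bot: `o` in the added `&& !o->push_ifconfig_ipv4_blocked` condition is not declared within the visible context of the prepare_push_reply() hunk, so please confirm it is the per-client options (the commit message describes the flag as c->options.push_ifconfig_ipv4_blocked) and not a server-wide template, otherwise one client-config-dir entry would suppress the ifconfig push for every client. The commit message also names "send_push_reply()" as the place where the push statement is dropped while the hunk modifies prepare_push_reply(); the message should name the function actually changed. Finally, the hunk suppresses only the pushed line and leaves c->c2.push_ifconfig_defined and push_ifconfig_local set; that is consistent with mirroring the ifconfig-ipv6 handling, but a one-line comment saying the server-side address state is intentionally kept would save the next reader the same question.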
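Review bot: the new `streq(p, "ifconfig")` branch in the push_remove_option() hunk sets the flag and returns without logging, while the "PUSH_REMOVE searching for" message just above it is emitted for every call; suggest a `msg(D_PUSH_DEBUG, "PUSH_REMOVE: blocking ifconfig push");` before the `return` so a ccd entry that withholds the client's address can be traced in the server log, and the same for the ifconfig-ipv6 branch if it does not already log. Because the comparison is streq(), the match is exact as the manpage note says: a "push-remove ifconfig " with trailing whitespace or with an address argument will not set the flag and will fall through to the generic list removal below, which is worth stating in the comment on this branch.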