From patchwork Thu Jun 26 09:30:00 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4292
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 26 Jun 2025 11:30:00 +0200
Message-ID: <20250626093006.24789-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v2] run forced --dns-updown without --script-security

From: Heiko Hund

Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set.

Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Signed-off-by: Heiko Hund
Acked-by: Frank Lichtenheld
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1065
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; }
@@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; @@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1])
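Review bot: the new `enum dns_updown_flags` in the dns.h hunk is used as a mutually exclusive state, not a bitmask: both inline helpers compare with `==` and every assignment in options.c stores exactly one enumerator, so the name "flags" and the member `DNS_UPDOWN_NO_FLAGS` promise something the code does not do. Consider `enum dns_updown_mode { DNS_UPDOWN_DEFAULT, DNS_UPDOWN_USER_SET, DNS_UPDOWN_FORCED }`, or at least give the first enumerator an explicit `= 0` so it is visible that a zeroed `struct dns_options` starts in the "not set" state the rest of the patch relies on. The brace move on `struct dns_server_addr` in the same hunk is unrelated to this change; either drop it or mention it in the commit message.

Review bot: the condition `!dns_updown_user_set(dns) && !dns_updown_forced(dns)` in the dns.c @@ -692 hunk, its copy in the options.c @@ -3667 hunk, and the complement `dns_updown_user_set(dns) || dns_updown_forced(dns)` in the options.c @@ -3593 hunk all reduce to `dns->updown_flags == DNS_UPDOWN_NO_FLAGS`. A third inline helper next to the two added in dns.h, e.g. `dns_updown_default(o)`, would make each site read as one question ("is the script still the implicit default?") and keep the three call sites from drifting apart when another mode is added.

Review bot: in the dns.c @@ -580 hunk only the user-supplied script now goes through `openvpn_run_script` and thus the `--script-security` gate; the forced built-in script takes the `else` branch, which is outside the hunk. A one-line comment above the `if` stating that the default script is shipped with OpenVPN and is therefore deliberately run without the script-security check would save the next reader from re-deriving the commit message, and the `--dns-updown` section of the man page should say that `force` runs the built-in script regardless of `--script-security`.

Review bot: in the options.c @@ -8182 hunk the `force` branch sets `DNS_UPDOWN_FORCED` only when the mode is not already `DNS_UPDOWN_USER_SET`, so `--dns-updown /path/to/script` followed by `--dns-updown force` keeps the user script and the user-set mode. That is correct, because a user-set script already runs alongside a `--up` script (dns.c @@ -692), but the surrounding comment "force dns-updown run, even if a --up script is defined" reads as if `force` always took effect; extend it to say that `force` is a no-op once a user script has been given.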