From patchwork Thu Dec 12 07:47:46 2024
X-Patchwork-Submitter: "ralf_lici (Code Review)"
X-Patchwork-Id: 3990
From: "d12fk (Code Review)"
X-Gerrit-PatchSet: 1
Date: Thu, 12 Dec 2024 07:47:46 +0000
To: plaisthos, flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ifbe4ffb44d3bfcaa50adb38cacb3436fcdc71b10
X-Gerrit-Change-Number: 838
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 524abb6f2789a9c4c151f9b8c716addc5cd51aab
Message-ID: <512869b830f8378ca8280553affef768e5dd840b-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [L] Change in openvpn[master]: dns: apply settings via script on unixoid systems
Reply-To: heiko@openvpn.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/838?usp=email to review the following change.

Change subject: dns: apply settings via script on unixoid systems
......................................................................
dns: apply settings via script on unixoid systems

This introduces a new script hook, the dns-script, and implements such a script for a few popular systems (and a default for the not so popular ones). Like the name suggests this script is solely for dealing with modifying how names are resolved when the VPN pushes some --dns settings.

The default dns script is part of the distribution and is installed with openvpn. You can change the path the script is located at as a compile time option, defaults to libexecdir. There's also a new runtime option --dns-script, which can run a custom script.

Change-Id: Ifbe4ffb44d3bfcaa50adb38cacb3436fcdc71b10
Signed-off-by: Heiko Hund
---
M .gitignore
M CMakeLists.txt
M configure.ac
M distro/Makefile.am
A distro/dns-scripts/Makefile.am
A distro/dns-scripts/freebsd-dns-updown.sh
A distro/dns-scripts/linux-dns-updown.sh
A distro/dns-scripts/other-dns-updown.sh
M src/openvpn/Makefile.am
M src/openvpn/dns.c
M src/openvpn/dns.h
M src/openvpn/options.c
12 files changed, 344 insertions(+), 3 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/38/838/1

diff --git a/.gitignore b/.gitignore index db8bb73..04523af 100644 --- a/.gitignore +++ b/.gitignore @@ -49,6 +49,7 @@ /doc/doxygen/latex/ /doc/doxygen/openvpn.doxyfile distro/systemd/*.service +distro/dns-scripts/dns-updown sample/sample-keys/sample-ca/ vendor/cmocka_build vendor/dist diff --git a/CMakeLists.txt b/CMakeLists.txt index ca58cd7..249f7bc 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -40,6 +40,7 @@ option(ENABLE_PKCS11 "BUILD with pkcs11-helper" ON) option(USE_WERROR "Treat compiler warnings as errors (-Werror)" ON) +set(DNS_UPDOWN_PATH "/usr/libexec/openvpn/dns-updown" CACHE STRING "Default location for the DNS up/down script") set(PLUGIN_DIR /usr/local/lib/openvpn/plugins CACHE FILEPATH "Location of the plugin directory") # Create machine readable compile commands 
@@ -565,6 +566,8 @@ add_library_deps(openvpn) +target_compile_options(openvpn PRIVATE -DDNS_UPDOWN_PATH=\"${DNS_UPDOWN_PATH}\") + if(MINGW) target_compile_options(openvpn PRIVATE -municode -UUNICODE) target_link_options(openvpn PRIVATE -municode) diff --git a/configure.ac b/configure.ac index 9777e36..4bd9a69 100644 --- a/configure.ac +++ b/configure.ac 
@@ -315,37 +315,50 @@ plugindir="\${libdir}/openvpn/plugins" fi +AC_ARG_VAR([SCRIPTDIR], [Path of script directory @<:@default=PKGLIBEXECDIR@:>@]) +if test -n "${SCRIPTDIR}"; then + scriptdir="${SCRIPTDIR}" +else + scriptdir="\${pkglibexecdir}" +fi + AC_DEFINE_UNQUOTED([TARGET_ALIAS], ["${host}"], [A string representing our host]) -AM_CONDITIONAL([TARGET_LINUX], [false]) +AM_CONDITIONAL([ENABLE_DNS_SCRIPT],[true]) case "$host" in *-*-linux*) AC_DEFINE([TARGET_LINUX], [1], [Are we running on Linux?]) - AM_CONDITIONAL([TARGET_LINUX], [true]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix]) + AC_SUBST([TARGET_OS], ["linux"]) have_sitnl="yes" pkg_config_required="yes" ;; *-*-solaris*) AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["S"], [Target prefix]) + AC_SUBST([TARGET_OS], ["solaris"]) CPPFLAGS="$CPPFLAGS -D_XPG4_2" test -x /bin/bash && SHELL="/bin/bash" ;; *-*-openbsd*) AC_DEFINE([TARGET_OPENBSD], [1], [Are we running on OpenBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["O"], [Target prefix]) + AC_SUBST([TARGET_OS], ["openbsd"]) ;; *-*-freebsd*) AC_DEFINE([TARGET_FREEBSD], [1], [Are we running on FreeBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["F"], [Target prefix]) + AC_SUBST([TARGET_OS], ["freebsd"]) ;; *-*-netbsd*) AC_DEFINE([TARGET_NETBSD], [1], [Are we running NetBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["N"], [Target prefix]) + AC_SUBST([TARGET_OS], ["netbsd"]) ;; *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) + AM_CONDITIONAL([ENABLE_DNS_SCRIPT],[false]) + AC_SUBST([TARGET_OS], ["darwin"]) have_tap_header="yes" ac_cv_type_struct_in_pktinfo=no ;; 
@@ -353,6 +366,8 @@ AC_DEFINE([TARGET_WIN32], [1], [Are we running WIN32?]) AC_DEFINE([ENABLE_DCO], [1], [DCO is always enabled on Windows]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["W"], [Target prefix]) + AM_CONDITIONAL([ENABLE_DNS_SCRIPT],[false]) + AC_SUBST([TARGET_OS], ["windows"]) CPPFLAGS="${CPPFLAGS} -DWIN32_LEAN_AND_MEAN" CPPFLAGS="${CPPFLAGS} -DNTDDI_VERSION=NTDDI_VISTA -D_WIN32_WINNT=_WIN32_WINNT_VISTA" WIN32=yes @@ -360,10 +375,12 @@ *-*-dragonfly*) AC_DEFINE([TARGET_DRAGONFLY], [1], [Are we running on DragonFlyBSD?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["D"], [Target prefix]) + AC_SUBST([TARGET_OS], ["dragonfly"]) ;; *-aix*) AC_DEFINE([TARGET_AIX], [1], [Are we running AIX?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["A"], [Target prefix]) + AC_SUBST([TARGET_OS], ["aix"]) ROUTE="/usr/sbin/route" have_tap_header="yes" ac_cv_header_net_if_h="no" # exists, but breaks things @@ -375,6 +392,7 @@ ;; *) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["X"], [Target prefix]) + AC_SUBST([TARGET_OS], ["other"]) have_tap_header="yes" ;; esac @@ -1505,6 +1523,7 @@ sampledir="\$(docdir)/sample" AC_SUBST([plugindir]) +AC_SUBST([scriptdir]) AC_SUBST([sampledir]) AC_SUBST([systemdunitdir]) @@ -1541,6 +1560,7 @@ Makefile distro/Makefile distro/systemd/Makefile + distro/dns-scripts/Makefile doc/Makefile doc/doxygen/Makefile doc/doxygen/openvpn.doxyfile diff --git a/distro/Makefile.am b/distro/Makefile.am index 7a588da..b8fb85b 100644 --- a/distro/Makefile.am +++ b/distro/Makefile.am @@ -13,3 +13,7 @@ $(srcdir)/Makefile.in SUBDIRS = systemd + +if ENABLE_DNS_SCRIPT +SUBDIRS += dns-scripts +endif diff --git a/distro/dns-scripts/Makefile.am b/distro/dns-scripts/Makefile.am new file mode 100644 index 0000000..610bf18 --- /dev/null +++ b/distro/dns-scripts/Makefile.am 
@@ -0,0 +1,27 @@ +# +# OpenVPN -- An application to securely tunnel IP networks +# over a single UDP port, with support for SSL/TLS-based +# session authentication and key exchange, +# packet encryption, packet authentication, and +# packet compression. +# +# Copyright (C) 2002-2024 OpenVPN Inc +# + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +EXTRA_DIST = \ + linux-dns-updown.sh \ + freebsd-dns-updown.sh \ + other-dns-updown.sh + +script_SCRIPTS = \ + dns-updown + +CLEANFILES = $(script_SCRIPTS) + +dns-updown: @TARGET_OS@-dns-updown.sh + cp ${srcdir}/@TARGET_OS@-dns-updown.sh $@ + +all: $(script_SCRIPTS) diff --git a/distro/dns-scripts/freebsd-dns-updown.sh b/distro/dns-scripts/freebsd-dns-updown.sh new file mode 100644 index 0000000..12d742d --- /dev/null +++ b/distro/dns-scripts/freebsd-dns-updown.sh 
@@ -0,0 +1,55 @@ +#!/bin/sh +# +# Simple OpenVPN up/down script for openresolv integration +# (C) Copyright 2016 Baptiste Daroussin +# 2024 OpenVPN Inc +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_1 53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +set -e +u +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" +: ${script_type:=dns-down} +case "${script_type}" in +dns-up) + { + i=1 + maxns=3 + while :; do + maxns=$((maxns - 1)) + [ $maxns -gt 0 ] || break + eval option=\"\$dns_server_1_address_${i}\" || break + [ "${option}" ] || break + i=$((i + 1)) + echo "nameserver ${option}" + done + i=1 + maxdom=6 + while :; do + maxdom=$((maxdom - 1)) + [ $maxdom -gt 0 ] || break + eval option=\"\$dns_search_domain_${i}\" || break + [ "${option}" ] || break + i=$((i + 1)) + echo "search ${option}" + done + } | /sbin/resolvconf -a "${dev}" + ;; +dns-down) + /sbin/resolvconf -d "${dev}" -f + ;; +esac diff --git a/distro/dns-scripts/linux-dns-updown.sh b/distro/dns-scripts/linux-dns-updown.sh new file mode 100644 index 0000000..4b459f5 --- /dev/null +++ b/distro/dns-scripts/linux-dns-updown.sh 
@@ -0,0 +1,128 @@ +#!/bin/bash +# +# dns-updown - add/remove openvpn provided DNS information +# +# Copyright (C) 2024 OpenVPN Inc +# +# SPDX-License-Identifier: GPL-2.0 +# +# Add/remove openvpn DNS settings from the env into/from +# the system. Supported backends in this order: +# +# * systemd-resolved +# * resolvconf +# +# Example env from openvpn (not all are always applied): +# +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_1 53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" + +function do_resolved_servers { + local sni="" + [ "$dns_server_1_transport" = "DoT" ] && sni="#$dns_server_1_sni" + + local addrs="" + for addr_var in ${!dns_server_1_address_*}; do + local port_var="${addr_var/address/port}" + local addr="${!addr_var}" + if [ -n "${!port_var}" ]; then + if [[ "$addr" =~ : ]]; then + addr="[$addr]" + fi + addrs+="${addr}:${!port_var}${sni} " + else + addrs+="${addr}${sni} " + fi + done + + resolvectl dns "$dev" $addrs +} + +function do_resolved_domains { + local list="" + for domain_var in ${!dns_search_domain_*}; do + list+="${!domain_var} " + done + if [ -z "${!dns_server_1_resolve_domain_*}" ]; then + resolvectl default-route "$dev" true + list+="~." 
+ else + resolvectl default-route "$dev" false + for domain_var in ${!dns_server_1_resolve_domain_*}; do + [[ "$list" =~ (^| )"${!domain_var}"( |$) ]] && continue + list+="~${!domain_var} " + done + fi + + resolvectl domain "$dev" $list +} + +function do_resolved_dnssec { + if [ "$dns_server_1_dnssec" = "optional" ]; then + resolvectl dnssec "$dev" allow-downgrade + elif [ "$dns_server_1_dnssec" = "yes" ]; then + resolvectl dnssec "$dev" true + else + resolvectl dnssec "$dev" false + fi +} + +function do_resolved_dnsovertls { + if [ "$dns_server_1_transport" = "DoT" ]; then + resolvectl dnsovertls "$dev" true + else + resolvectl dnsovertls "$dev" false + fi +} + +function do_resolved { + [[ "$(readlink /etc/resolv.conf)" =~ systemd ]] || return 1 + + if [ "$script_type" = "dns-up" ]; then + do_resolved_servers + do_resolved_domains + do_resolved_dnssec + do_resolved_dnsovertls + else + resolvectl revert "$dev" + fi + + return 0 +} + +function do_resolvconf { + [ -x /sbin/resolvconf ] || return 1 + + if [ "$script_type" = "dns-up" ]; then + local domains="" + for domain_var in ${!dns_search_domain_*}; do + domains+="${!domain_var} " + done + { + local maxns=3 + for addr_var in ${!dns_server_1_address_*}; do + [ $((maxns--)) -gt 0 ] || break + echo "nameserver ${!addr_var}" + done + [ -z "$domains" ] || echo "search $domains" + } | /sbin/resolvconf -a "$dev" + else + /sbin/resolvconf -d "$dev" + fi + + return 0 +} + +do_resolved || do_resolvconf diff --git a/distro/dns-scripts/other-dns-updown.sh b/distro/dns-scripts/other-dns-updown.sh new file mode 100644 index 0000000..e3bcf0d --- /dev/null +++ b/distro/dns-scripts/other-dns-updown.sh 
@@ -0,0 +1,50 @@ +#!/bin/sh +# +# Simple OpenVPN up/down script for modifying /etc/resolv.conf +# (C) Copyright 2024 OpenVPN Inc +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_1 53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +set -e +u + +conf=/etc/resolv.conf +test -e "$conf" || exit 1 +test -z "${dns_vars_file}" || . "${dns_vars_file}" +case "${script_type}" in +dns-up) + text="### openvpn ${dev} begin ###\n" + text="${text}nameserver $dns_server_1_address_1\n" + test -z "$dns_server_1_address_2" || + text="${text}nameserver $dns_server_1_address_2\n" + test -z "$dns_server_1_address_3" || + text="${text}nameserver $dns_server_1_address_3\n" + + test -z "$dns_search_domain_1" || { + for i in $(seq 1 6); do + eval domains=\"$domains\$dns_search_domain_${i} \" || break + done + text="${text}search $domains\n" + } + text="${text}### openvpn ${dev} end ###" + + sed -i "1i${text}" "$conf" + ;; +dns-down) + sed -i "/### openvpn ${dev} begin ###/,/### openvpn ${dev} end ###/d" "$conf" + ;; +esac diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index ecb2bcf..d8beabd 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -30,7 +30,8 @@ $(OPTIONAL_LZ4_CFLAGS) \ $(OPTIONAL_PKCS11_HELPER_CFLAGS) \ $(OPTIONAL_INOTIFY_CFLAGS) \ - -DPLUGIN_LIBDIR=\"${plugindir}\" + -DPLUGIN_LIBDIR=\"${plugindir}\" \ + -DDNS_UPDOWN_PATH=\"${scriptdir}/dns-updown\" if WIN32 # we want unicode entry point but not the macro diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 4528a9c..2f21ed5 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c 
@@ -30,6 +30,7 @@ #include "dns.h" #include "socket.h" #include "options.h" +#include "run_command.h" #ifdef _WIN32 #include "win32.h" @@ -262,6 +263,7 @@ clone.search_domains = clone_dns_domains(o->search_domains, gc); clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); + clone.script = o->script; return clone; } @@ -519,6 +521,42 @@ send_msg_iservice(o->msg_channel, &nrpt, sizeof(nrpt), &ack, "DNS"); } +#else /* ifdef _WIN32 */ + +static void +script_env_set(bool up, const struct dns_options *o, const struct tuntap *tt, struct env_set *es) +{ + setenv_str(es, "dev", tt->actual_name); + setenv_str(es, "script_type", up ? "dns-up" : "dns-down"); + setenv_dns_options(o, es); +} + +static int +do_run_up_down_script(bool up, const struct dns_options *o, const struct tuntap *tt) +{ + struct gc_arena gc = gc_new(); + struct argv argv = argv_new(); + struct env_set *es = env_set_create(&gc); + + script_env_set(up, o, tt, es); + + argv_printf(&argv, "%s", o->script); + argv_msg(M_INFO, &argv); + int res = openvpn_run_script(&argv, es, S_FATAL|S_EXITCODE, "dns script"); + + argv_free(&argv); + gc_free(&gc); + return res; +} + +static void +run_up_down_script(bool up, struct options *o, const struct tuntap *tt) +{ + int status; + status = do_run_up_down_script(up, &o->dns_options, tt); + msg(M_INFO, "dns script exited with status %d", status); +} + #endif /* _WIN32 */ void @@ -637,5 +675,7 @@ #ifdef _WIN32 run_up_down_service(up, o, tt); +#else + run_up_down_script(up, o, tt); #endif /* ifdef _WIN32 */ } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index f24e30b..39a3393 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -73,6 +73,7 @@ struct dns_server *servers_prepull; struct dns_server *servers; struct gc_arena gc; + const char *script; }; /** diff --git a/src/openvpn/options.c b/src/openvpn/options.c index cc723ca..319f370 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -907,6 +907,8 @@ #ifndef ENABLE_DCO o->disable_dco = true; #endif /* ENABLE_DCO */ + + o->dns_options.script = DNS_UPDOWN_PATH; } void @@ -8073,6 +8075,15 @@ to->ip_win32_defined = true; } #endif /* ifdef _WIN32 */ + else if (streq(p[0], "dns-script") && p[1]) + { + VERIFY_PERMISSION(OPT_P_SCRIPT); + if (!no_more_than_n_args(msglevel, p, 2, NM_QUOTE_HINT)) + { + goto err; + } + set_user_script(options, &options->dns_options.script, p[1], p[0], false); + } else if (streq(p[0], "dns") && p[1]) { VERIFY_PERMISSION(OPT_P_DHCPDNS);
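Review bot: the CMakeLists.txt hunk `@@ -565,6 +566,8 @@` passes a preprocessor define through `target_compile_options(openvpn PRIVATE -DDNS_UPDOWN_PATH=\"${DNS_UPDOWN_PATH}\")`; `target_compile_definitions(openvpn PRIVATE DNS_UPDOWN_PATH="${DNS_UPDOWN_PATH}")` is the idiomatic form and avoids the hand-escaped quotes. More importantly, the CMake side only bakes in the path: no hunk installs anything from distro/dns-scripts under CMake, so a CMake-built binary defaults to `/usr/libexec/openvpn/dns-updown`, a file that build never creates, and dns.c runs it with `S_FATAL`. Either add the install step for CMake or state in the option's description that CMake builds must supply `--dns-script`.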
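Review bot: the configure.ac hunk `@@ -315,37 +315,50 @@` drops both `AM_CONDITIONAL([TARGET_LINUX], ...)` calls without replacing their uses; automake fails on an `if TARGET_LINUX` that references an undefined conditional, so please grep the Makefile.am files before removing it or keep the conditional alongside the new `ENABLE_DNS_SCRIPT`. The same hunk substitutes `TARGET_OS` as `solaris`, `openbsd`, `netbsd`, `dragonfly` and `aix` while leaving `ENABLE_DNS_SCRIPT` true for them, although only `linux`, `freebsd` and `other` scripts exist; mapping those hosts to `other` here would match what the commit message promises.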
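Review bot: the rule `dns-updown: @TARGET_OS@-dns-updown.sh` in the new distro/dns-scripts/Makefile.am has a prerequisite only when `TARGET_OS` is `linux`, `freebsd` or `other`; for the BSDs other than FreeBSD, Solaris, DragonFly and AIX, where configure.ac sets a different value and keeps `ENABLE_DNS_SCRIPT` true, make stops with a missing-target error for `openbsd-dns-updown.sh` and friends. Either fall back to `other-dns-updown.sh` in the rule when the OS-specific file is absent, or normalise `TARGET_OS` to `other` in configure.ac, so the "default for the not so popular ones" actually gets built.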
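Review bot: the two loops in the `dns-up` branch of freebsd-dns-updown.sh decrement before they test, so `maxns=3` followed by `maxns=$((maxns - 1))` and `[ $maxns -gt 0 ] || break` emits at most two `nameserver` lines and `maxdom=6` at most five `search` entries, one short of the intended limits; test first and decrement afterwards, or start the counters one higher. `: ${script_type:=dns-down}` also turns a missing `script_type` into a teardown that removes the interface's resolvconf entry; exiting on an unexpected value would be the safer default.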
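Review bot: in linux-dns-updown.sh the header comment documents `dns_server_1_dnssec true`, while `do_resolved_dnssec` only recognises `yes` and `optional`, so whichever value dns.c really exports, one of the two is wrong and a pushed `true` would end up as `resolvectl dnssec "$dev" false`; please align the comment with the exported values. In `do_resolved_servers`, `sni="#$dns_server_1_sni"` is set for any DoT transport even when `dns_server_1_sni` is empty, leaving a dangling `#` on every address. `resolvectl dns "$dev" $addrs` and `resolvectl domain "$dev" $list` depend on unquoted word splitting of server-supplied strings; building bash arrays (or at least `set -f`) keeps a pushed value from being glob-expanded or split into extra arguments.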
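Review bot: other-dns-updown.sh is the fallback for the non-Linux, non-FreeBSD targets, but `sed -i "1i${text}"` and `seq 1 6` are GNU-isms: BSD sed needs `-i ''`, Solaris and AIX sed have no `-i`, and `seq` is not guaranteed to exist. Writing to a temp file and `mv`-ing it over `$conf`, and replacing `seq` with a counter loop as the freebsd script does, would make the script live up to its role. The `dns-up` branch also has no guard against inserting a second `### openvpn ${dev} begin ###` block when it runs twice for the same device; deleting any existing block before the insert would make it idempotent.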
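Review bot: `run_up_down_script` in the dns.c hunk `@@ -519,6 +521,42 @@` logs `status` at `M_INFO` but never acts on it, so a script that exits non-zero (other-dns-updown.sh does `test -e "$conf" || exit 1`) gives the user no hint at default verbosity that DNS was not configured; a non-zero status deserves at least `M_WARN`. `openvpn_run_script` is also gated by `--script-security`, so confirm the distribution's own script runs at the default level, otherwise pushed `--dns` settings are silently dropped. The three scripts source `${dns_vars_file}`, yet `script_env_set` only sets `dev` and `script_type` and calls `setenv_dns_options`; if that helper is what exports `dns_vars_file`, a comment saying so would help, and `run_up_down_script` could take `const struct options *` since it only reads `o->dns_options`.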
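Review bot: the new `--dns-script` option in the options.c hunk `@@ -8073,6 +8075,15 @@`, together with the `SCRIPTDIR` and `DNS_UPDOWN_PATH` build knobs, is undocumented: none of the 12 changed files touches doc/, so the man page and Changes.rst say nothing about the option, its default path, or the environment the script receives (`dev`, `script_type` and the `dns_*` variables listed in the script headers). `VERIFY_PERMISSION(OPT_P_SCRIPT)` is the right choice since it keeps the option out of pushed configuration; worth stating in the documentation as well.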