From patchwork Sat Jun 21 12:12:54 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4287
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 21 Jun 2025 14:12:54 +0200
Message-ID: <20250621121301.27509-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v3] dns: add updown script for macOS

From: Heiko Hund
Change-Id: Iade06a8454ccf53668deef61f07217ead8ec6c63
Signed-off-by: Heiko Hund Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1062 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/configure.ac b/configure.ac index 8bdec32..02b45f8 100644 --- a/configure.ac +++ b/configure.ac @@ -364,8 +364,7 @@ *-*-darwin*) AC_DEFINE([TARGET_DARWIN], [1], [Are we running on Mac OS X?]) AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["M"], [Target prefix]) - AM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false]) - AC_SUBST([DNS_UPDOWN_TYPE], ["resolvconf_file"]) + AC_SUBST([DNS_UPDOWN_TYPE], ["macos"]) have_tap_header="yes" ac_cv_type_struct_in_pktinfo=no ;; diff --git a/distro/dns-scripts/Makefile.am b/distro/dns-scripts/Makefile.am index 9fcd3f7..e3f9043 100644 --- a/distro/dns-scripts/Makefile.am +++ b/distro/dns-scripts/Makefile.am @@ -12,6 +12,7 @@ $(srcdir)/Makefile.in EXTRA_DIST = \ + macos-dns-updown.sh \ systemd-dns-updown.sh \ openresolv-dns-updown.sh \ haikuos_file-dns-updown.sh \ diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh new file mode 100644 index 0000000..89d6882 --- /dev/null +++ b/distro/dns-scripts/macos-dns-updown.sh 
@@ -0,0 +1,217 @@ +#!/bin/bash +# +# dns-updown - add/remove openvpn provided DNS information +# +# (C) Copyright 2025 OpenVPN Inc +# +# SPDX-License-Identifier: BSD-2-Clause +# +# Example env from openvpn (most are not applied): +# +# dns_vars_file /tmp/openvpn_dvf_58b95c0c97b2db43afb5d745f986c53c.tmp +# +# or +# +# dev utun0 +# script_type dns-up +# dns_search_domain_1 mycorp.in +# dns_search_domain_2 eu.mycorp.com +# dns_server_1_address_1 192.168.99.254 +# dns_server_1_address_2 fd00::99:53 +# dns_server_1_port_2 53 +# dns_server_1_resolve_domain_1 mycorp.in +# dns_server_1_resolve_domain_2 eu.mycorp.com +# dns_server_1_dnssec true +# dns_server_1_transport DoH +# dns_server_1_sni dns.mycorp.in +# + +[ -z "${dns_vars_file}" ] || . "${dns_vars_file}" + +itf_dns_key="State:/Network/Service/openvpn-${dev}/DNS" +dns_backup_key="State:/Network/Service/openvpn-${dev}/DnsBackup" + +function primary_dns_key { + local uuid=$(echo "show State:/Network/Global/IPv4" | /usr/sbin/scutil | grep "PrimaryService" | cut -d: -f2 | xargs) + echo "Setup:/Network/Service/${uuid}/DNS" +} + +function only_standard_server_ports { + local i=1 + while :; do + local addr_var=dns_server_${n}_address_${i} + [ -n "${!addr_var}" ] || return 0 + + local port_var=dns_server_${n}_port_${i} + [ -z "${!port_var}" -o "${!port_var}" = "53" ] || return 1 + + i=$((i+1)) + done +} + +function find_compat_profile { + local n=1 + while :; do + local addr_var=dns_server_${n}_address_1 + [ -n "${!addr_var}" ] || { + echo "setting DNS failed, no compatible server profile" + exit 1 + } + + # Skip server profiles which require DNSSEC, + # secure transport or use a custom port + local dnssec_var=dns_server_${n}_dnssec + local transport_var=dns_server_${n}_transport + [ -z "${!transport_var}" -o "${!transport_var}" = "plain" ] \ + && [ -z "${!dnssec_var}" -o "${!dnssec_var}" = "no" ] \ + && only_standard_server_ports && break + + n=$((n+1)) + done + return $n +} + +function get_search_domains { + local 
search_domains="" + local resolver=0 + /usr/sbin/scutil --dns | while read line; do + if [[ "$line" =~ resolver.# ]]; then + resolver=$((resolver+1)) + elif [ "$resolver" = 1 ] && [[ "$line" =~ search.domain ]]; then + search_domains+="$(echo $line | cut -d: -f2 | xargs) " + elif [ "$resolver" -gt 1 ]; then + echo "$search_domains" + break + fi + done +} + +function set_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="${1}$(get_search_domains)" + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function unset_search_domains { + [ -n "$1" ] || return + dns_key=$(primary_dns_key) + search_domains="$(get_search_domains)" + search_domains=$(echo $search_domains | sed -e "s/$1//") + + local cmds="" + cmds+="get ${dns_key}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="set ${dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil +} + +function set_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local addrs="" + while :; do + local addr_var=dns_server_${n}_address_${i} + local addr="${!addr_var}" + [ -n "$addr" ] || break + + local port_var=dns_server_${n}_port_${i} + if [ -n "${!port_var}" ]; then + if [[ "$addr" =~ : ]]; then + addr="[$addr]" + fi + addrs+="${addr}:${!port_var}${sni} " + else + addrs+="${addr}${sni} " + fi + i=$((i+1)) + done + + i=1 + local match_domains="" + while :; do + domain_var=dns_server_${n}_resolve_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as match domain, if it doesn't already exist + [[ "$match_domains" =~ (^| )${!domain_var}( |$) ]] \ + || match_domains+="${!domain_var} " + i=$((i+1)) + done + + i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + if [ -n "$match_domains" ]; then + local cmds="" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SupplementalMatchDomains * ${match_domains}\n" + cmds+="d.add SupplementalMatchDomainsNoSearch # 1\n" + cmds+="add ${itf_dns_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + set_search_domains "$search_domains" + else + local cmds="" + cmds+="get $(primary_dns_key)\n" + cmds+="set ${dns_backup_key}\n" + cmds+="d.init\n" + cmds+="d.add ServerAddresses * ${addrs}\n" + cmds+="d.add SearchDomains * ${search_domains}\n" + cmds+="d.add SearchOrder # 5000\n" + cmds+="set $(primary_dns_key)\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +function unset_dns { + find_compat_profile + local n=$? 
+ + local i=1 + local search_domains="" + while :; do + domain_var=dns_search_domain_${i} + [ -n "${!domain_var}" ] || break + # Add as search domain, if it doesn't already exist + [[ "$search_domains" =~ (^| )${!domain_var}( |$) ]] \ + || search_domains+="${!domain_var} " + i=$((i+1)) + done + + domain_var=dns_server_${n}_resolve_domain_1 + if [ -n "${!domain_var}" ]; then + echo "remove ${itf_dns_key}" | /usr/sbin/scutil + unset_search_domains "$search_domains" + else + local cmds="" + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + cmds+="remove ${dns_backup_key}\n" + echo -e "${cmds}" | /usr/sbin/scutil + fi + + /usr/bin/dscacheutil -flushcache +} + +if [ "$script_type" = "dns-up" ]; then + set_dns +else + unset_dns +fi
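Review bot: the commit message carries only the subject, Change-Id and sign-offs; the configure.ac hunk and the new script deserve a description. In particular: find_compat_profile() accepts only server profiles with plain transport, no DNSSEC and port 53 (or no port), and set_dns() either adds a scoped `State:/Network/Service/openvpn-${dev}/DNS` entry when resolve domains are pushed or otherwise backs up and replaces the primary service's `Setup:` DNS dictionary. The configure.ac hunk also drops the `AM_CONDITIONAL([ENABLE_DNS_UPDOWN], [false])` override for `*-*-darwin*`, so Darwin now inherits whatever default ENABLE_DNS_UPDOWN gets elsewhere in configure.ac; that is worth a sentence so packagers know the macOS build now ships a DNS updown script.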
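Review bot: only_standard_server_ports() reads `${n}` without it being passed in; it only works because bash's dynamic scoping exposes find_compat_profile()'s `local n` to the callee. Pass the index explicitly (`only_standard_server_ports "$n"` with `local n=$1` inside) so the helper cannot pick up an unset or stale `n`. In find_compat_profile() itself, the `exit 1` path prints "setting DNS failed" even when reached from unset_dns() on dns-down, and returning the profile index via `return $n` limits it to 0..255 and conflates a result with an exit status; echoing the index and capturing it with `n=$(find_compat_profile) || exit 1` keeps the error path while freeing the return value. The `[ ... -o ... ]` tests would also read more robustly as separate `[ ]` joined by `||`.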
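Review bot: get_search_domains() only emits its result from inside the loop when it reaches the `resolver #2` line, so if `scutil --dns` lists a single resolver nothing is printed and set_search_domains() silently drops the system search domains. Because the `while read` sits on the right-hand side of a pipe, adding an `echo` after `done` would not see `search_domains` either; read from process substitution (`done < <(/usr/sbin/scutil --dns)`) and echo once after the loop. Use `read -r line`, and note that `resolver.#` and `search.domain` are regular expressions in which `.` matches any character, which is presumably not intended.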
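Review bot: unset_search_domains() strips the VPN search domains with `sed -e "s/$1//"`, which treats the space-joined domain list as an unanchored regex: the dots match any character, and the whole list must still appear contiguously and in the same order it was added, otherwise nothing (or the wrong substring) is removed. Remove the domains one at a time with a word-anchored match, or record the pre-connect SearchDomains in `${dns_backup_key}` and restore them the way the no-match-domains branch already does. set_search_domains() likewise prepends `$1` without checking whether a domain is already in the system list, so a repeated dns-up duplicates entries. `dns_key` and `search_domains` in both functions, and `domain_var` in set_dns()/unset_dns(), are assigned without `local` and leak into the global scope.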
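Review bot: in set_dns(), `${sni}` is appended to every server address but is never assigned anywhere in the script (the env only provides `dns_server_${n}_sni`); since find_compat_profile() selects plain-transport profiles only, drop it rather than leave a dead reference. The `addr:port` branch is only reachable with port 53, because only_standard_server_ports() rejects anything else, so it can go as well or be documented as such. Separately, the pushed addresses, resolve domains and search domains are interpolated straight into the scutil command stream and passed through `echo -e`; validate them against the character set expected for IP literals and hostnames before building `cmds`, so an unexpected value cannot become additional scutil commands or escape sequences. In the no-match-domains path, unset_dns() runs `get ${dns_backup_key}` / `set $(primary_dns_key)` without checking that the backup exists or that the primary service is still the one captured at dns-up; if the volatile `State:` key is gone or the primary interface changed while the tunnel was up, `set` writes whatever the current dictionary holds into the wrong service. Check for the backup first and store the primary service key alongside it. The match-domains path uses `add ${itf_dns_key}`, which will not overwrite a stale key left by an earlier run; `set` would make dns-up idempotent.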