From patchwork Fri Jul 11 15:23:09 2025
X-Patchwork-Submitter: Frank Lichtenheld
X-Patchwork-Id: 4305
From: Frank Lichtenheld
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 11 Jul 2025 17:23:09 +0200
Message-Id: <20250711152309.286177-1-frank@lichtenheld.com>
Subject: [Openvpn-devel] [PATCH v4] mac dns: compare servers before restoring backup
From: Heiko Hund

In case anything changed the global DNS server addresses, while the tunnel was connected, do not restore the backup of the global DNS configuration we made when connecting. Doing so would likely change DNS to something unexpected. Instead just clear the backup and leave a message in the log.

Change-Id: I1aabd62e60dd18408a57baccbb0f4ebd6d2f8d67
Signed-off-by: Heiko Hund
Acked-by: Frank Lichtenheld
---

This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1075
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above):
Frank Lichtenheld

diff --git a/distro/dns-scripts/macos-dns-updown.sh b/distro/dns-scripts/macos-dns-updown.sh index 56f1009..73bbee9 100644 --- a/distro/dns-scripts/macos-dns-updown.sh +++ b/distro/dns-scripts/macos-dns-updown.sh @@ -111,6 +111,10 @@ property_value State:/Network/Global/DNS SearchDomains } +function get_server_addresses { + property_value "$(primary_dns_key)" ServerAddresses +} + function set_search_domains { [ -n "$1" ] || return local dns_key=$(primary_dns_key) @@ -239,11 +243,10 @@ function unset_dns { local n="$(find_compat_profile)" - local addresses="$(addresses_string $n)" - local search_domains="$(search_domains_string $n)" local match_domains="$(match_domains_string $n)" if [ -n "$match_domains" ]; then + local search_domains="$(search_domains_string $n)" echo "remove ${itf_dns_key}" | /usr/sbin/scutil unset_search_domains "$search_domains" else 
@@ -252,8 +255,15 @@ [[ "${dns_backup_key}" =~ ${dev}/ ]] || return local cmds="" - cmds+="get ${dns_backup_key}\n" - cmds+="set $(primary_dns_key)\n" + local servers="$(get_server_addresses)" + local addresses="$(addresses_string $n)" + # Only restore backup if the server addresses match + if [ "${servers}" = "${addresses}" ]; then + cmds+="get ${dns_backup_key}\n" + cmds+="set $(primary_dns_key)\n" + else + echo "not restoring global DNS configuration, server addresses have changed" + fi cmds+="remove ${dns_backup_key}\n" echo -e "${cmds}" | /usr/sbin/scutil fi
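
Review bot: get_server_addresses, added in the first hunk (@@ -111,6 +111,10 @@), has no comment explaining why it reads ServerAddresses from `"$(primary_dns_key)"` when the getter directly above it reads `State:/Network/Global/DNS`. A one-line comment stating that this is the same key unset_dns later writes with `set $(primary_dns_key)` would make clear that the difference is intended and that the comparison inspects the entry the restore would overwrite.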
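
Review bot: the test `[ "${servers}" = "${addresses}" ]` in the last hunk (@@ -252,8 +255,15 @@) is also true when both sides are empty, so if get_server_addresses returns nothing and addresses_string prints nothing for `$n`, the backup is restored without any evidence that the servers are unchanged. Consider requiring a non-empty value, e.g. `[ -n "${servers}" ] && [ "${servers}" = "${addresses}" ]`. Since this is an exact string match and `remove ${dns_backup_key}` runs in both branches, it is also worth confirming that both helpers emit the addresses in the same order and spacing; a purely cosmetic difference would skip the restore and discard the backup.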