Revert "nm: Remove dummy TUN device"
authorTobias Brunner <tobias@strongswan.org>
Mon, 30 Nov 2020 10:48:07 +0000 (11:48 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 19 Jan 2021 13:49:48 +0000 (14:49 +0100)
This reverts commit a28c6269a4aeb5369fed8933fa1baf0cd8847622.

We add a dummy TUN device again because systemd-resolved insists on
managing DNS servers per interface.

Fixes #3615.

src/charon-nm/nm/nm_service.c

index 83fcaf898d3d12e12a26710da76703296c91fcc2..9aec3942e819dad9a533230b3e847813b610f399 100644 (file)
@@ -23,6 +23,7 @@
 #include <utils/identification.h>
 #include <config/peer_cfg.h>
 #include <credentials/certificates/x509.h>
+#include <networking/tun_device.h>
 
 #include <stdio.h>
 
@@ -40,6 +41,8 @@ typedef struct {
        nm_creds_t *creds;
        /* attribute handler for DNS/NBNS server information */
        nm_handler_t *handler;
+       /* dummy TUN device */
+       tun_device_t *tun;
        /* name of the connection */
        char *name;
 } NMStrongswanPluginPrivate;
@@ -128,7 +131,18 @@ static void signal_ip_config(NMVpnServicePlugin *plugin,
        /* NM apparently requires to know the gateway */
        other = ike_sa->get_other_host(ike_sa);
        g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY,
-                              host_to_variant(other));
+                                                  host_to_variant(other));
+
+       /* systemd-resolved requires a device to properly install DNS servers, but
+        * Netkey does not use one.  Passing the physical interface is not ideal,
+        * as NM fiddles around with it and systemd-resolved likes a separate
+        * device. So we pass a dummy TUN device along for NM etc. to play with...
+        */
+       if (priv->tun)
+       {
+               g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV,
+                                                          g_variant_new_string (priv->tun->get_name(priv->tun)));
+       }
 
        /* pass the first virtual IPs we got or use the physical IP */
        enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE);
@@ -642,6 +656,11 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection,
                 priv->name);
        DBG4(DBG_CFG, "%s",
                 nm_setting_to_string(NM_SETTING(vpn)));
+       if (!priv->tun)
+       {
+               DBG1(DBG_CFG, "failed to create dummy TUN device, might affect DNS "
+                        "server installation negatively");
+       }
        ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address");
        if (!ike.remote || !*ike.remote)
        {
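Review bot: A failed TUN creation is never retried, because the added check in connect_() only logs when `priv->tun` is NULL, while the single `tun_device_create(NULL)` call sits in nm_strongswan_plugin_init(). Every later connection on that plugin instance then proceeds without NM_VPN_PLUGIN_CONFIG_TUNDEV. Going by the commit message, systemd-resolved may then not install the VPN's DNS servers, so lookups could keep going to the non-VPN resolver while the tunnel is up. Consider retrying before the warning, `if (!priv->tun) { priv->tun = tun_device_create(NULL); }`, and wording the log line so that it names that consequence. connect_() starts and ends outside this hunk, so whether the failure is reported to the user elsewhere is not visible here.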
@@ -1031,9 +1050,28 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin)
        priv->listener.ike_reestablish_pre = _ike_reestablish_pre;
        priv->listener.ike_reestablish_post = _ike_reestablish_post;
        charon->bus->add_listener(charon->bus, &priv->listener);
+       priv->tun = tun_device_create(NULL);
        priv->name = NULL;
 }
 
+/**
+ * Destructor
+ */
+static void nm_strongswan_plugin_dispose(GObject *obj)
+{
+       NMStrongswanPlugin *plugin;
+       NMStrongswanPluginPrivate *priv;
+
+       plugin = NM_STRONGSWAN_PLUGIN(obj);
+       priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin);
+       if (priv->tun)
+       {
+               priv->tun->destroy(priv->tun);
+               priv->tun = NULL;
+       }
+       G_OBJECT_CLASS (nm_strongswan_plugin_parent_class)->dispose (obj);
+}
+
 /**
  * Class constructor
  */
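Review bot: The new nm_strongswan_plugin_dispose() destroys the TUN device but leaves `priv->listener` on the bus, where nm_strongswan_plugin_init() registers it with `charon->bus->add_listener()` a few lines above. If the plugin object can be disposed while the daemon is still running (not visible in this hunk), a later bus event would call back into the private data of a disposed object. Consider adding `charon->bus->remove_listener(charon->bus, &priv->listener);` before chaining up to the parent dispose. The `/** Destructor */` comment could also say that GObject may invoke dispose more than once, which is why `priv->tun` is reset to NULL after `destroy()`. nm_strongswan_plugin_init() begins outside the hunk.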
@@ -1045,6 +1083,7 @@ static void nm_strongswan_plugin_class_init(
        parent_class->connect = connect_;
        parent_class->need_secrets = need_secrets;
        parent_class->disconnect = disconnect;
+       G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose;
 }
 
 /**