From: Gert Doering Date: Sun, 1 Jul 2018 19:59:38 +0000 (+0200) Subject: Extend push-remove to also handle 'ifconfig'. X-Git-Tag: v2.5_beta1~466 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ae2f19d891e8cedccffdb1760b9774b9feff140;p=thirdparty%2Fopenvpn.git Extend push-remove to also handle 'ifconfig'. Push-remove (introduced in commit 970312f1850) did not handle "ifconfig" yet, as both "ifconfig" and "ifconfig-ipv6" are handled differently from all other pushed options. Since there was no valid use-case to not-push "ifconfig" (no support on the client side for running IPv6-only) this was not an issue so far - but with the recent commits to enable ipv6-only operation it can be a desirable feature. The implementation is similar to "push-remove ifconfig-ipv6" - namely, flagging via a new context option (c->options.push_ifconfig_ipv4_blocked) and then not creating the push statement in "send_push_reply()". While not truly elegant, it's much less invasive than the alternatives (storing the list of "push-remove" statements somewhere and then checking in push_option_ex()) Trac: #1072 Signed-off-by: Gert Doering Acked-by: Antonio Quartulli Message-Id: <20180701195938.2541-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17169.html Signed-off-by: Gert Doering --- diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 0e5d467a8..46ea58b68 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3045,6 +3045,11 @@ an option, can be used to first remove the old value, and then add a new .B \-\-push option with the new value. + +NOTE2: due to implementation details, 'ifconfig' and 'ifconfig-ipv6' +can only be removed with an exact match on the option ("push-remove ifconfig"), +no substring matching and no matching on the IPv4/IPv6 address argument +is possible. .\"********************************************************* .TP .B \-\-push\-peer\-info diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f7d0145a7..3a6c33f83 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -425,6 +425,7 @@ struct options bool push_ifconfig_constraint_defined; in_addr_t push_ifconfig_constraint_network; in_addr_t push_ifconfig_constraint_netmask; + bool push_ifconfig_ipv4_blocked; /* IPv4 */ bool push_ifconfig_ipv6_defined; /* IPv6 */ struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ int push_ifconfig_ipv6_netbits; /* IPv6 */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index 6a30e4792..a7ec4dd6c 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -342,7 +342,8 @@ prepare_push_reply(struct context *c, struct gc_arena *gc, /* ipv4 */ if (c->c2.push_ifconfig_defined && c->c2.push_ifconfig_local - && c->c2.push_ifconfig_remote_netmask) + && c->c2.push_ifconfig_remote_netmask + && !o->push_ifconfig_ipv4_blocked) { in_addr_t ifconfig_local = c->c2.push_ifconfig_local; if (c->c2.push_ifconfig_local_alias) @@ -602,6 +603,13 @@ push_remove_option(struct options *o, const char *p) { msg(D_PUSH_DEBUG, "PUSH_REMOVE searching for: '%s'", p); + /* ifconfig is special, as not part of the push list */ + if (streq(p, "ifconfig")) + { + o->push_ifconfig_ipv4_blocked = true; + return; + } + /* ifconfig-ipv6 is special, as not part of the push list */ if (streq( p, "ifconfig-ipv6" )) {