From: Tobias Brunner Date: Mon, 30 Nov 2020 10:48:07 +0000 (+0100) Subject: Revert "nm: Remove dummy TUN device" X-Git-Tag: 5.9.2dr2~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa3d5bf7916ce8fed0051feadae0b0139d5fbe24;p=thirdparty%2Fstrongswan.git Revert "nm: Remove dummy TUN device" This reverts commit a28c6269a4aeb5369fed8933fa1baf0cd8847622. We add a dummy TUN device again because systemd-resolved insists on managing DNS servers per interface. Fixes #3615. --- diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c index 83fcaf898d..9aec3942e8 100644 --- a/src/charon-nm/nm/nm_service.c +++ b/src/charon-nm/nm/nm_service.c @@ -23,6 +23,7 @@ #include #include #include +#include #include @@ -40,6 +41,8 @@ typedef struct { nm_creds_t *creds; /* attribute handler for DNS/NBNS server information */ nm_handler_t *handler; + /* dummy TUN device */ + tun_device_t *tun; /* name of the connection */ char *name; } NMStrongswanPluginPrivate; @@ -128,7 +131,18 @@ static void signal_ip_config(NMVpnServicePlugin *plugin, /* NM apparently requires to know the gateway */ other = ike_sa->get_other_host(ike_sa); g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY, - host_to_variant(other)); + host_to_variant(other)); + + /* systemd-resolved requires a device to properly install DNS servers, but + * Netkey does not use one. Passing the physical interface is not ideal, + * as NM fiddles around with it and systemd-resolved likes a separate + * device. So we pass a dummy TUN device along for NM etc. to play with... + */ + if (priv->tun) + { + g_variant_builder_add (&builder, "{sv}", NM_VPN_PLUGIN_CONFIG_TUNDEV, + g_variant_new_string (priv->tun->get_name(priv->tun))); + } /* pass the first virtual IPs we got or use the physical IP */ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, TRUE); 
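Review bot: The new comment in signal_ip_config() explains why the dummy device exists but not that it carries no traffic, which matters to anyone who builds interface-based firewall or leak-prevention rules from the `NM_VPN_PLUGIN_CONFIG_TUNDEV` value NM receives. Going by the comment's own statement that Netkey does not use a device, rules bound to this interface name would presumably match nothing. I would add a line to the comment such as `* The device only anchors DNS settings; no tunnel traffic passes through it.` The function's body starts and ends outside the hunk.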
@@ -642,6 +656,11 @@ static gboolean connect_(NMVpnServicePlugin *plugin, NMConnection *connection, priv->name); DBG4(DBG_CFG, "%s", nm_setting_to_string(NM_SETTING(vpn))); + if (!priv->tun) + { + DBG1(DBG_CFG, "failed to create dummy TUN device, might affect DNS " + "server installation negatively"); + } ike.remote = (char*)nm_setting_vpn_get_data_item(vpn, "address"); if (!ike.remote || !*ike.remote) { @@ -1031,9 +1050,28 @@ static void nm_strongswan_plugin_init(NMStrongswanPlugin *plugin) priv->listener.ike_reestablish_pre = _ike_reestablish_pre; priv->listener.ike_reestablish_post = _ike_reestablish_post; charon->bus->add_listener(charon->bus, &priv->listener); + priv->tun = tun_device_create(NULL); priv->name = NULL; } +/** + * Destructor + */ +static void nm_strongswan_plugin_dispose(GObject *obj) +{ + NMStrongswanPlugin *plugin; + NMStrongswanPluginPrivate *priv; + + plugin = NM_STRONGSWAN_PLUGIN(obj); + priv = NM_STRONGSWAN_PLUGIN_GET_PRIVATE(plugin); + if (priv->tun) + { + priv->tun->destroy(priv->tun); + priv->tun = NULL; + } + G_OBJECT_CLASS (nm_strongswan_plugin_parent_class)->dispose (obj); +} + /** * Class constructor */ @@ -1045,6 +1083,7 @@ static void nm_strongswan_plugin_class_init( parent_class->connect = connect_; parent_class->need_secrets = need_secrets; parent_class->disconnect = disconnect; + G_OBJECT_CLASS(strongswan_class)->dispose = nm_strongswan_plugin_dispose; } /**
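Review bot: The `!priv->tun` branch in connect_() only logs, and the device is created once in nm_strongswan_plugin_init(), so a creation failure at start-up is never retried for later connections. The commit exists because systemd-resolved needs a per-interface device, so continuing without one presumably leaves the VPN-assigned DNS servers uninstalled and lookups going to the physical link's resolver; the message "might affect DNS server installation negatively" understates that. Consider retrying before logging, `if (!priv->tun) { priv->tun = tun_device_create(NULL); }`, and wording the log so an operator can tell that name resolution may bypass the VPN. connect_() continues outside the hunk.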
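Review bot: nm_strongswan_plugin_dispose() releases the TUN device but leaves `&priv->listener` registered on `charon->bus`, although nm_strongswan_plugin_init() adds it just above the new `tun_device_create(NULL)` call. If the plugin object can be disposed while the daemon keeps running (not visible here), the bus would keep a pointer into freed private data and listener callbacks could run on it. Resetting `priv->tun` after `destroy()` already makes a repeated dispose safe; adding `charon->bus->remove_listener(charon->bus, &priv->listener);` before chaining up would cover the listener as well. The `Destructor` comment could also note that GObject may call dispose more than once, which is why the pointer is reset.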