From 4cd76f8712ee5b10a2047e67d45e6ad2929609a3 Mon Sep 17 00:00:00 2001
From: Gert Doering <gert@greenie.muc.de>
Date: Mon, 19 Oct 2015 20:03:38 +0200
Subject: [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to
clients.
Workaround option for servers that have IPv6 working just fine, but
need to turn it off for individual clients - in that case, set this
option in the --client-config-dir file for a particular user, or
via --client-connect script/plugin hook for a particular platform
(like IOS 9.0.2)
Trac #614
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
doc/openvpn.8 | 8 ++++++++
src/openvpn/options.c | 6 ++++++
src/openvpn/options.h | 1 +
src/openvpn/push.c | 33 +++++++++++++++++++++++++--------
4 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a86409..4cfc796 100644
|
a
|
b
|
for more details how to setup and use this, and how |
| 5704 | 5704 | and |
| 5705 | 5705 | .B \-\-route |
| 5706 | 5706 | interact. |
| | 5707 | .TP |
| | 5708 | .B \-\-push\-suppress\-ipv6 |
| | 5709 | remove all IPv6 related options from the list of options that the |
| | 5710 | server will send to a client. Only needed if the server has IPv6 in |
| | 5711 | general, but one particular client (or client OS) is known to have |
| | 5712 | problems with IPv6 - so this can be sent from a \-\-client\-config\-dir |
| | 5713 | file (for a particular user), or a \-\-client\-connect script (evaluating |
| | 5714 | peer-info variables, like IV_PLAT=) |
| 5707 | 5715 | |
| 5708 | 5716 | .\"********************************************************* |
| 5709 | 5717 | .SH SCRIPTING AND ENVIRONMENTAL VARIABLES |
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5654830..ee2615a 100644
|
a
|
b
|
static const char usage_message[] = |
| 409 | 409 | " execution. Peer must specify --pull in its config file.\n" |
| 410 | 410 | "--push-reset : Don't inherit global push list for specific\n" |
| 411 | 411 | " client instance.\n" |
| | 412 | "--push-suppress-ipv6 : do not send IPv6 config to client instance.\n" |
| 412 | 413 | "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n" |
| 413 | 414 | " to be dynamically allocated to connecting clients.\n" |
| 414 | 415 | "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n" |
| … |
… |
add_option (struct options *options, |
| 5881 | 5882 | options->push_ifconfig_ipv6_netbits = netbits; |
| 5882 | 5883 | options->push_ifconfig_ipv6_remote = remote; |
| 5883 | 5884 | } |
| | 5885 | else if (streq (p[0], "push-suppress-ipv6") && !p[1]) |
| | 5886 | { |
| | 5887 | VERIFY_PERMISSION (OPT_P_INSTANCE); |
| | 5888 | options->push_suppress_ipv6 = true; |
| | 5889 | } |
| 5884 | 5890 | else if (streq (p[0], "disable") && !p[1]) |
| 5885 | 5891 | { |
| 5886 | 5892 | VERIFY_PERMISSION (OPT_P_INSTANCE); |
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index c642aa0..dee5994 100644
|
a
|
b
|
struct options |
| 434 | 434 | struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */ |
| 435 | 435 | int push_ifconfig_ipv6_netbits; /* IPv6 */ |
| 436 | 436 | struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */ |
| | 437 | bool push_suppress_ipv6; /* no-IPv6 */ |
| 437 | 438 | bool enable_c2c; |
| 438 | 439 | bool duplicate_cn; |
| 439 | 440 | int cf_max; |
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index a4cb726..cdfafe4 100644
|
a
|
b
|
send_push_reply (struct context *c) |
| 251 | 251 | |
| 252 | 252 | if ( c->c2.push_ifconfig_ipv6_defined ) |
| 253 | 253 | { |
| 254 | | /* IPv6 is put into buffer first, could be lengthy */ |
| 255 | | buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s", |
| 256 | | print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc), |
| 257 | | c->c2.push_ifconfig_ipv6_netbits, |
| 258 | | print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) ); |
| 259 | | if (BLEN (&buf) >= safe_cap) |
| | 254 | if ( c->options.push_suppress_ipv6 ) |
| 260 | 255 | { |
| 261 | | msg (M_WARN, "--push ifconfig-ipv6 option is too long"); |
| 262 | | goto fail; |
| | 256 | msg( M_INFO, "send_push_reply(): suppress sending ifconfig-ipv6" ); |
| | 257 | } |
| | 258 | else |
| | 259 | { |
| | 260 | /* IPv6 is put into buffer first, could be lengthy */ |
| | 261 | buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s", |
| | 262 | print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc), |
| | 263 | c->c2.push_ifconfig_ipv6_netbits, |
| | 264 | print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) ); |
| | 265 | if (BLEN (&buf) >= safe_cap) |
| | 266 | { |
| | 267 | msg (M_WARN, "--push ifconfig-ipv6 option is too long"); |
| | 268 | goto fail; |
| | 269 | } |
| 263 | 270 | } |
| 264 | 271 | } |
| 265 | 272 | |
| … |
… |
send_push_reply (struct context *c) |
| 268 | 275 | if (e->enable) |
| 269 | 276 | { |
| 270 | 277 | const int l = strlen (e->option); |
| | 278 | |
| | 279 | if ( c->options.push_suppress_ipv6 && |
| | 280 | ( strncmp( e->option, "tun-ipv6", 8 ) == 0 || |
| | 281 | strncmp( e->option, "route-ipv6", 10 ) == 0 ) ) |
| | 282 | { |
| | 283 | msg( M_INFO, "send_push_reply(): suppress sending '%s'", e->option ); |
| | 284 | goto next; |
| | 285 | } |
| | 286 | |
| 271 | 287 | if (BLEN (&buf) + l >= safe_cap) |
| 272 | 288 | { |
| 273 | 289 | buf_printf (&buf, ",push-continuation 2"); |
| … |
… |
send_push_reply (struct context *c) |
| 288 | 304 | } |
| 289 | 305 | buf_printf (&buf, ",%s", e->option); |
| 290 | 306 | } |
| | 307 | next: |
| 291 | 308 | e = e->next; |
| 292 | 309 | } |
| 293 | 310 | |
