From 4cd76f8712ee5b10a2047e67d45e6ad2929609a3 Mon Sep 17 00:00:00 2001
From: Gert Doering <gert@greenie.muc.de>
Date: Mon, 19 Oct 2015 20:03:38 +0200
Subject: [PATCH] Add option --push-suppress-ipv6 to stop sending IPv6 info to
clients.
Workaround option for servers that have IPv6 working just fine, but
need to turn it off for individual clients - in that case, set this
option in the --client-config-dir file for a particular user, or
via --client-connect script/plugin hook for a particular platform
(like IOS 9.0.2)
Trac #614
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
doc/openvpn.8 | 8 ++++++++
src/openvpn/options.c | 6 ++++++
src/openvpn/options.h | 1 +
src/openvpn/push.c | 33 +++++++++++++++++++++++++--------
4 files changed, 40 insertions(+), 8 deletions(-)
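diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 3a86409..4cfc796 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -5704,6 +5704,14 @@ for more details how to setup and use this, and how
 and
 .B \-\-route
 interact.
+.TP
+.B \-\-push\-suppress\-ipv6
+remove all IPv6 related options from the list of options that the
+server will send to a client. Only needed if the server has IPv6 in
+general, but one particular client (or client OS) is known to have
+problems with IPv6 - so this can be sent from a \-\-client\-config\-dir
+file (for a particular user), or a \-\-client\-connect script (evaluating
+peer-info variables, like IV_PLAT=)
 
 .\"*********************************************************
 .SH SCRIPTING AND ENVIRONMENTAL VARIABLES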
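diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 5654830..ee2615a 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -409,6 +409,7 @@ static const char usage_message[] =
 " execution. Peer must specify --pull in its config file.\n"
 "--push-reset : Don't inherit global push list for specific\n"
 " client instance.\n"
+"--push-suppress-ipv6 : do not send IPv6 config to client instance.\n"
 "--ifconfig-pool start-IP end-IP [netmask] : Set aside a pool of subnets\n"
 " to be dynamically allocated to connecting clients.\n"
 "--ifconfig-pool-linear : Use individual addresses rather than /30 subnets\n"
@@ -5881,6 +5882,11 @@ add_option (struct options *options,
 options->push_ifconfig_ipv6_netbits = netbits;
 options->push_ifconfig_ipv6_remote = remote;
 }
+else if (streq (p[0], "push-suppress-ipv6") && !p[1])
+{
+VERIFY_PERMISSION (OPT_P_INSTANCE);
+options->push_suppress_ipv6 = true;
+}
 else if (streq (p[0], "disable") && !p[1])
 {
 VERIFY_PERMISSION (OPT_P_INSTANCE);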
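diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index c642aa0..dee5994 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -434,6 +434,7 @@ struct options
 struct in6_addr push_ifconfig_ipv6_local; /* IPv6 */
 int push_ifconfig_ipv6_netbits; /* IPv6 */
 struct in6_addr push_ifconfig_ipv6_remote; /* IPv6 */
+bool push_suppress_ipv6; /* no-IPv6 */
 bool enable_c2c;
 bool duplicate_cn;
 int cf_max;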
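diff --git a/src/openvpn/push.c b/src/openvpn/push.c
index a4cb726..cdfafe4 100644
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@@ -251,15 +251,22 @@ send_push_reply (struct context *c)
 
 if ( c->c2.push_ifconfig_ipv6_defined )
 {
-/* IPv6 is put into buffer first, could be lengthy */
-buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s",
-print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc),
-c->c2.push_ifconfig_ipv6_netbits,
-print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) );
-if (BLEN (&buf) >= safe_cap)
+if ( c->options.push_suppress_ipv6 )
 {
-msg (M_WARN, "--push ifconfig-ipv6 option is too long");
-goto fail;
+msg( M_INFO, "send_push_reply(): suppress sending ifconfig-ipv6" );
+}
+else
+{
+/* IPv6 is put into buffer first, could be lengthy */
+buf_printf( &buf, ",ifconfig-ipv6 %s/%d %s",
+print_in6_addr( c->c2.push_ifconfig_ipv6_local, 0, &gc),
+c->c2.push_ifconfig_ipv6_netbits,
+print_in6_addr( c->c2.push_ifconfig_ipv6_remote, 0, &gc) );
+if (BLEN (&buf) >= safe_cap)
+{
+msg (M_WARN, "--push ifconfig-ipv6 option is too long");
+goto fail;
+}
 }
 }
 
@@ -268,6 +275,15 @@ send_push_reply (struct context *c)
 if (e->enable)
 {
 const int l = strlen (e->option);
+
+if ( c->options.push_suppress_ipv6 &&
+( strncmp( e->option, "tun-ipv6", 8 ) == 0 ||
+strncmp( e->option, "route-ipv6", 10 ) == 0 ) )
+{
+msg( M_INFO, "send_push_reply(): suppress sending '%s'", e->option );
+goto next;
+}
+
 if (BLEN (&buf) + l >= safe_cap)
 {
 buf_printf (&buf, ",push-continuation 2");
@@ -288,6 +304,7 @@ send_push_reply (struct context *c)
 }
 buf_printf (&buf, ",%s", e->option);
 }
+next:
 e = e->next;
 }
 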
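Review bot: The filter added at new lines 279-281 is a two-prefix denylist, so it drops only push-list entries that begin with `tun-ipv6` or `route-ipv6`, while the man page text in this commit promises to remove "all IPv6 related options". Any other IPv6-bearing entry an operator places on the push list would presumably still be sent, which matters if the option is relied on to keep IPv6 configuration away from a client rather than used as a convenience. I would put a comment above the test, `/* prefix match: drops tun-ipv6 and every route-ipv6* entry; other push-list entries are sent unchanged */`, and narrow the man page wording to the options actually covered. The `msg( M_INFO, ... )` call at new line 283 fires once per suppressed entry on every reply to such a client and may be better at a debug verbosity. send_push_reply() begins and ends outside these hunks, so the surrounding loop and the `fail` path are not visible here.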