#692 closed Feature Wish (worksforme)
OpenVPN should have a --nopull option to generically reject pushed options
Reported by: | pdbogen | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Configuration | Version: | OpenVPN 2.3.11 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Currently there's only (as far as I can tell) route-nopull, which rejects a predefined set of options.
This functionality should be extended and generalized so that route-nopull becomes an alias for --nopull <some options>; and --nopull is exposed as a setting that can generically reject pushed options.
Change History (4)
comment:1 Changed 7 years ago by
Resolution: | → worksforme |
---|---|
Status: | new → closed |
comment:2 Changed 7 years ago by
First, what syzzer said - if you don't want pull, do not config pull :-)
Then, there is the nice feature added via trac #682 - git master (which will become 2.4.0 later this year) has "pull-filter" which can be used to selectively accept/ignore/reject individual parts of the pushed option list.
comment:3 Changed 7 years ago by
Just for posterity, I'll provide a bit more clarification.
First off, the --client configuration option is actually a macro of multiple options:
--tls-client
--pull
If you specify --tls-client directly, you can simply omit the --pull option from the list. Effectively, this will serve as your --nopull request in this ticket.
Typically, users want to pull most configuration directives from the server, with the exception of the routing table. For that, we offer the --route-nopull configuration directive. This can be used in conjunction with --client. As cron2 has stated, there is a new feature added in #682 which effectively allows the client to omit or filter specific routing table entries to provide more granularity.
comment:4 Changed 7 years ago by
I think the pull-filter upcoming in 2.4.0 is exactly what I want; thanks guys! (I do want to pull, just not everything - and what I want to block isn't routes.)
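The two approaches discussed in the comments above, as an added client config sketch (not part of the ticket and not the OpenVPN project's own example). The hostname, addresses and the particular filter strings are constructed assumptions; `pull-filter` requires OpenVPN 2.4 or later.

```conf
# --- Approach 1: keep pulling, but filter what the server pushes ---
client                          # macro: expands to tls-client + pull
dev tun
remote vpn.example.com 1194     # placeholder server

# Filters are applied in the order listed. Each pushed option is compared
# against the filter text as a prefix; the first match decides, and an
# option that matches no filter is accepted.
pull-filter accept "dhcp-option DNS 10.8.0.1"   # allow this one resolver (constructed address)
pull-filter ignore "dhcp-option DNS"            # silently drop any other pushed DNS server
pull-filter ignore "block-outside-dns"          # drop a non-route option without error
pull-filter reject "redirect-gateway"           # treat as an error: the client restarts
                                                # instead of handing over its default route

# --- Approach 2: accept nothing from the server ---
# Replace the "client" line above with tls-client alone. Without pull the
# client never requests the push list, so every setting the server would
# have pushed (tunnel addresses, routes, DNS) has to be set locally:
#
# tls-client
# ifconfig 10.8.0.6 10.8.0.5    # constructed addresses
# route 10.20.0.0 255.255.0.0   # constructed internal network
```

Because the first matching filter wins, the specific `accept` line has to come before the broader `ignore` on the same prefix; in the opposite order the allowed resolver would be dropped as well.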
Just don't specify `pull`, if you don't want to pull. In practice this means that instead of `client` you just put `tls-client` in your config file. See the man-page: