From c00d6353eeece52e20a5857cf1b7e92983e29906 Mon Sep 17 00:00:00 2001 From: tigro Date: Thu, 3 Aug 2023 18:20:24 +0200 Subject: [PATCH] import vpnc-script-20220404-1.git40a8c62c.el9 --- .vpnc-script.metadata | 0 SOURCES/vpnc-script | 1193 ++++++++++++++++++++++++++++++++++++++++ SPECS/vpnc-script.spec | 107 ++++ 3 files changed, 1300 insertions(+) create mode 100644 .vpnc-script.metadata create mode 100644 SOURCES/vpnc-script create mode 100644 SPECS/vpnc-script.spec diff --git a/.vpnc-script.metadata b/.vpnc-script.metadata new file mode 100644 index 0000000..e69de29 diff --git a/SOURCES/vpnc-script b/SOURCES/vpnc-script new file mode 100644 index 0000000..bc026ab --- /dev/null +++ b/SOURCES/vpnc-script @@ -0,0 +1,1193 @@ +#!/bin/sh +# +# Originally part of vpnc source code: +# © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al. +# © 2009-2022 David Woodhouse , Daniel Lenski et al. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +# +################ +# +# List of parameters passed through environment +#* reason -- why this script was called, one of: pre-init connect disconnect reconnect attempt-reconnect +#* VPNGATEWAY -- VPN gateway address (always present) +#* VPNPID -- PID of the process controlling the VPN (OpenConnect v9.0+) +#* TUNDEV -- tunnel device (always present) +#* IDLE_TIMEOUT -- gateway's idle timeout in seconds (OpenConnect v8.06+); unused +#* LOG_LEVEL -- log level; ERROR=0, INFO=1, DEBUG=2, TRACE=3 (OpenConnect v9.0+) +#* INTERNAL_IP4_ADDRESS -- address (always present) +#* INTERNAL_IP4_MTU -- MTU (often unset) +#* INTERNAL_IP4_NETMASK -- netmask (often unset) +#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset) +#* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set) +#* INTERNAL_IP4_DNS -- list of DNS servers +#* INTERNAL_IP4_NBNS -- list of WINS servers +#* INTERNAL_IP6_ADDRESS -- IPv6 address +#* INTERNAL_IP6_NETMASK -- IPv6 netmask +#* INTERNAL_IP6_DNS -- IPv6 list of dns servers +#* CISCO_DEF_DOMAIN -- default domain name +#* CISCO_BANNER -- banner from server +#* CISCO_SPLIT_DNS -- DNS search domain list +#* CISCO_SPLIT_INC -- number of networks in split-network-list +#* CISCO_SPLIT_INC_%d_ADDR -- network address +#* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0) +#* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24) +#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0); unused +#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0); unused +#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0); unused +#* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list +#* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address +#* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen +# +# The split tunnel variables above have *_EXC* counterparts for network +# addresses to be excluded from the VPN tunnel. + +# FIXMEs: + +# Section A: route handling + +# 1) The 3 values CISCO_SPLIT_INC_%d_PROTOCOL/SPORT/DPORT are currently being ignored +# In order to use them, we'll probably need os specific solutions +# * Linux: iptables -t mangle -I PREROUTING -j ROUTE --oif $TUNDEV +# This would be an *alternative* to changing the routes (and thus 2) and 3) +# shouldn't be relevant at all) +# 2) There are two different functions to set routes: generic routes and the +# default route. Why isn't the defaultroute handled via the generic route case? +# 3) In the split tunnel case, all routes but the default route might get replaced +# without getting restored later. We should explicitly check and save them just +# like the defaultroute +# 4) Replies to a dhcp-server should never be sent into the tunnel + +# Section B: Split DNS handling + +# 1) Maybe dnsmasq can do something like that +# 2) Parse DNS packets going out via tunnel and redirect them to original DNS-server + +# ======== For test logging (CI/CD will uncomment automatically) ========= + +#TRACE# echo "------------------" +#TRACE# echo "vpnc-script environment:" +#TRACE# env | grep -E '^(CISCO_|INTERNAL_IP|VPNGATEWAY|TUNDEV|IDLE_TIMEOUT|reason)' | sort +#TRACE# echo "------------------" +#TRACE# set -x + +# =========== script (variable) setup ==================================== + +PATH=/sbin:/usr/sbin:$PATH + +OS="`uname -s`" + +HOOKS_DIR=/etc/vpnc + +# Use the PID of the controlling process (vpnc or OpenConnect) to +# uniquely identify this VPN connection. Normally, the parent process +# is a shell, and the grandparent's PID is the relevant one. +# OpenConnect v9.0+ provides VPNPID, so we don't need to determine it. +if [ -z "$VPNPID" ]; then + VPNPID=$PPID + PCMD=`ps -c -o cmd= -p $PPID` + case "$PCMD" in + *sh) VPNPID=`ps -o ppid= -p $PPID` ;; + esac +fi + +DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute.${VPNPID} +DEFAULT_ROUTE_FILE_IPV6=/var/run/vpnc/defaultroute_ipv6.${VPNPID} +RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup.${VPNPID} +SCRIPTNAME=`basename $0` + +# some systems, eg. Darwin & FreeBSD, prune /var/run on boot +if [ ! -d "/var/run/vpnc" ]; then + mkdir -p /var/run/vpnc + [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc +fi + +if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then + ifconfig_syntax_inet="" +else + ifconfig_syntax_inet="inet" +fi + +if [ "$OS" = "Linux" ]; then + IPROUTE="`command -v ip | grep '^/'`" + ifconfig_syntax_ptp="pointopoint" + route_syntax_gw="gw" + route_syntax_del="del" + route_syntax_netmask="netmask" + route_syntax_inet6="-6" + route_syntax_inet6_host="-6" + route_syntax_inet6_net="-6" + ifconfig_syntax_add_inet6="add" + ifconfig_syntax_del() { case "$1" in *:*) echo del "$1" ;; *) echo 0.0.0.0 ;; esac; } + netstat_syntax_ipv6="-6" +else + # iproute2 is Linux only; if `command -v ip` returns something on another OS, it's likely an unrelated tool + # (see https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009) + IPROUTE="" + ifconfig_syntax_ptp="" + route_syntax_gw="" + route_syntax_del="delete" + route_syntax_netmask="-netmask" + route_syntax_inet6="-inet6" + route_syntax_inet6_host="-inet6 -host" + route_syntax_inet6_net="-inet6 -net" + ifconfig_syntax_del() { case "$1" in *:*) echo inet6 "$1" delete ;; *) echo "$1" delete ;; esac; } + ifconfig_syntax_add_inet6="inet6" + netstat_syntax_ipv6="-f inet6" +fi +if [ "$OS" = "SunOS" ]; then + route_syntax_interface="-interface" + ifconfig_syntax_ptpv6="$INTERNAL_IP6_ADDRESS" +else + route_syntax_interface="" + ifconfig_syntax_ptpv6="" +fi + +RESOLVEDENABLED=0 +grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 +if [ $? = 0 ];then + command resolvectl status >/dev/null 2>&1 || command systemd-resolve --status >/dev/null 2>&1 + if [ $? = 0 ];then + RESOLVEDENABLED=1 + fi +fi + +if [ -r /etc/openwrt_release ] && [ -n "$OPENWRT_INTERFACE" ]; then + . /etc/functions.sh + include /lib/network + MODIFYRESOLVCONF=modify_resolvconf_openwrt + RESTORERESOLVCONF=restore_resolvconf_openwrt +elif [ -x /usr/bin/resolvectl ] && [ ${RESOLVEDENABLED} = 1 ]; then + # For systemd-resolved (version 239 and above) + MODIFYRESOLVCONF=modify_resolved_manager + RESTORERESOLVCONF=restore_resolved_manager +elif [ -x /usr/bin/busctl ] && [ ${RESOLVEDENABLED} = 1 ]; then + # For systemd-resolved (version 229 and above) + MODIFYRESOLVCONF=modify_resolved_manager_old + RESTORERESOLVCONF=restore_resolved_manager_old +elif [ -x /sbin/resolvconf ] && [ "`basename $(readlink /sbin/resolvconf) 2> /dev/null`" != resolvectl ]; then + # Optional tool on Debian, Ubuntu, Gentoo, FreeBSD and DragonFly BSD + # (ignored if symlink to resolvctl, created by some versions of systemd-resolved) + MODIFYRESOLVCONF=modify_resolvconf_manager + RESTORERESOLVCONF=restore_resolvconf_manager +elif [ -x /sbin/netconfig ] && [ ! -f /etc/slackware-version ]; then + # tool on Suse after 11.1 + # Slackware's netconfig is an unrelated tool that should not be invoked here + # (see https://www.linuxquestions.org/questions/slackware-14/vpnc-on-slackware-14-2-is-bringing-up-network-configuration-dialog-each-time-4175595447/#post5646866) + MODIFYRESOLVCONF=modify_resolvconf_suse_netconfig + RESTORERESOLVCONF=restore_resolvconf_suse_netconfig +elif [ -x /sbin/modify_resolvconf ]; then + # Mandatory tool on Suse earlier than 11.1 + MODIFYRESOLVCONF=modify_resolvconf_suse + RESTORERESOLVCONF=restore_resolvconf_suse +elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then + MODIFYRESOLVCONF=modify_resolvconf_unbound + RESTORERESOLVCONF=restore_resolvconf_unbound +elif [ -x /usr/sbin/rcctl ] && /usr/sbin/rcctl check resolvd >/dev/null; then + # OpenBSD's resolvd by sending route messages + MODIFYRESOLVCONF=modify_resolvconf_resolvd + RESTORERESOLVCONF=restore_resolvconf_resolvd +else # Generic for any OS + MODIFYRESOLVCONF=modify_resolvconf_generic + RESTORERESOLVCONF=restore_resolvconf_generic +fi + + +# =========== script hooks ================================================= + +run_hooks() { + HOOK="$1" + + if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then + for script in ${HOOKS_DIR}/${HOOK}.d/* ; do + [ -f $script ] && . $script + done + fi +} + +# =========== tunnel interface handling ==================================== + +do_ifconfig() { + if [ -n "$INTERNAL_IP4_MTU" ]; then + MTU=$INTERNAL_IP4_MTU + elif [ -n "$IPROUTE" ]; then + MTUDEV=`$IPROUTE route get "$VPNGATEWAY" | sed -ne 's/^.*dev \([a-z0-9]*\).*$/\1/p'` + MTU=`$IPROUTE link show "$MTUDEV" | sed -ne 's/^.*mtu \([[:digit:]]\+\).*$/\1/p'` + if [ -n "$MTU" ]; then + MTU=`expr $MTU - 88` + fi + fi + + if [ -z "$MTU" ]; then + MTU=1412 + fi + + # Point to point interface require a netmask of 255.255.255.255 on some systems + if [ -n "$IPROUTE" ]; then + $IPROUTE link set dev "$TUNDEV" up mtu "$MTU" + $IPROUTE addr add "$INTERNAL_IP4_ADDRESS/32" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV" + else + ifconfig "$TUNDEV" ${ifconfig_syntax_inet} "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up + fi + + if [ -n "$INTERNAL_IP4_NETMASK" ]; then + set_network_route "$INTERNAL_IP4_NETADDR" "$INTERNAL_IP4_NETMASK" "$INTERNAL_IP4_NETMASKLEN" "$TUNDEV" + fi + + # If the netmask is provided, it contains the address _and_ netmask + if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + fi + if [ -n "$INTERNAL_IP6_NETMASK" ]; then + if [ -n "$IPROUTE" ]; then + $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV + else + # Unlike for Legacy IP, we don't specify the dest_address + # here on *BSD. OpenBSD for one will refuse to accept + # incoming packets to that address if we do. + # OpenVPN does the same (gives dest_address for Legacy IP + # but not for IPv6). + # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 + ifconfig "$TUNDEV" $ifconfig_syntax_add_inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up + fi + fi +} + +# =========== route handling ==================================== + +if [ -n "$IPROUTE" ]; then + fix_ip_get_output () { + sed -e 's/ /\n/g' | \ + sed -ne "1 s|\$|${1}|p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p};/metric/{N;p};/onlink/{p}" + } + + # returns all routes to a destination *except* those through $TUNDEV, + # sorted by increasing metric (with absent metric as last) + list_non_loopback_routes () { + echo "$1" | grep -q : && FAMILY=-6 ROOT=::/0 || FAMILY=-4 ROOT=0/0 + # put metric in front, sort by metric, then chop off first two fields (metric and destination) + $IPROUTE $FAMILY route show to "$1" root "$ROOT" | + awk '/dev '"$TUNDEV"'/ { next; } { printf "%s %s\n", (match($0, /metric ([^ ]+)/) ? substr($0, RSTART+7, RLENGTH-7) : 4294967295), $0; }' | + sort -n | cut -d' ' -f3- + } + + set_vpngateway_route() { + # We'll attempt to add a host route to the gateway through every route that matches + # its address (excluding those through TUNDEV because the goal is to avoid loopback). + echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 || FAMILY=-4 + + list_non_loopback_routes "$VPNGATEWAY" | + while read LINE ; do + # We do not want to use 'replace', since a route to the gateway that already + # exists is mostly likely the correct one (e.g. the case of a reconnect attempt + # after dead-peer detection, but no change in the underlying network devices). + $IPROUTE $FAMILY route add `echo "$VPNGATEWAY $LINE" | fix_ip_get_output` 2>/dev/null + done + $IPROUTE $FAMILY route flush cache 2>/dev/null + } + + del_vpngateway_route() { + $IPROUTE route $route_syntax_del "$VPNGATEWAY" + $IPROUTE route flush cache 2>/dev/null + } + + set_default_route() { + $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE" + $IPROUTE route replace default dev "$TUNDEV" + $IPROUTE route flush cache 2>/dev/null + } + + set_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + NETDEV="$4" + NETGW="$5" + if [ -n "$NETGW" ]; then + $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" via "$NETGW" + else + $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" + fi + $IPROUTE route flush cache 2>/dev/null + } + + set_exclude_route() { + # add explicit route to keep current routing for this target + # (keep traffic separate from VPN tunnel) + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + + echo "$1" | grep -q : && FAMILY=-6 || FAMILY=-4 + + list_non_loopback_routes "$NETWORK/$NETMASKLEN" | + while read LINE ; do + $IPROUTE $FAMILY route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null + done + $IPROUTE $FAMILY route flush cache 2>/dev/null + } + + del_exclude_route() { + # FIXME: In theory, this could delete existing routes which are + # identical to split-exclude routes specified by VPNGATEWAY + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" + $IPROUTE route flush cache 2>/dev/null + } + + reset_default_route() { + if [ -s "$DEFAULT_ROUTE_FILE" ]; then + $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` + $IPROUTE route flush cache 2>/dev/null + rm -f -- "$DEFAULT_ROUTE_FILE" + fi + } + + del_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + NETDEV="$4" + $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV" + $IPROUTE route flush cache 2>/dev/null + } + + set_ipv6_default_route() { + # We don't save/restore IPv6 default route; just add a higher-priority one. + $IPROUTE -6 route add default dev "$TUNDEV" metric 1 + $IPROUTE -6 route flush cache 2>/dev/null + } + + set_ipv6_network_route() { + NETWORK="$1" + NETMASKLEN="$2" + NETDEV="$3" + NETGW="$4" + if [ -n "$NETGW" ]; then + $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" via "$NETGW" + else + $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" + fi + $IPROUTE -6 route flush cache 2>/dev/null + } + + set_ipv6_exclude_route() { + NETWORK="$1" + NETMASKLEN="$2" + set_exclude_route "$NETWORK" nomask "$NETMASKLEN" + } + + reset_ipv6_default_route() { + $IPROUTE -6 route del default dev "$TUNDEV" + $IPROUTE -6 route flush cache 2>/dev/null + } + + del_ipv6_network_route() { + NETWORK="$1" + NETMASKLEN="$2" + NETDEV="$3" + $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$NETDEV" + $IPROUTE -6 route flush cache 2>/dev/null + } + + del_ipv6_exclude_route() { + # FIXME: In theory, this could delete existing routes which are + # identical to split-exclude routes specified by VPNGATEWAY + NETWORK="$1" + NETMASKLEN="$2" + $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" + $IPROUTE -6 route flush cache 2>/dev/null + } +else # use route command + get_default_gw() { + # Intended behavior, starting with `netstat -r -n` output: + # - keep lines starting with 'default' or '0.0.0.0', but exclude bogus routes '0.0.0.0/nn' where nn != 0 + # - remove lines containing IPv6 addresses (':') + # - remove lines for link-local routes (https://superuser.com/a/1067742) + # - remove lines containing $TUNDEV (we don't want loopback) + netstat -r -n | awk '/:/ { next; } /link#/ { next; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; }' + } + + set_vpngateway_route() { + # Unlike with iproute2, there is no way to determine which current + # route(s) match the VPN gateway, so we simply find a default + # route and use its gateway. + case "$VPNGATEWAY" in + *:*) route add $route_syntax_inet6_host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";; + *) route add -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";; + esac + } + + del_vpngateway_route() { + case "$VPNGATEWAY" in + *:*) route $route_syntax_del $route_syntax_inet6_host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";; + *) route $route_syntax_del -host "$VPNGATEWAY" $route_syntax_gw "`get_default_gw`";; + esac + } + + set_default_route() { + DEFAULTGW="`get_default_gw`" + echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE" + route $route_syntax_del default $route_syntax_gw "$DEFAULTGW" + route add default $route_syntax_gw "$INTERNAL_IP4_ADDRESS" $route_syntax_interface + } + + set_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + if [ -n "$5" ]; then + NETGW="$5" + else + NETGW="$INTERNAL_IP4_ADDRESS" + fi + route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW" $route_syntax_interface + } + + set_exclude_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + DEFAULTGW="${DEFAULTGW:-`get_default_gw`}" + if [ -z "$DEFAULTGW" ]; then + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return + fi + # Add explicit route to keep traffic for this target separate + # from tunnel. FIXME: We use default gateway - this is our best + # guess in absence of "ip" command to query effective route. + route add -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$DEFAULTGW" $route_syntax_interface + } + + del_exclude_route() { + # FIXME: This can delete existing routes in case they're + # identical to split-exclude routes specified by VPNGATEWAY + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" + } + + reset_default_route() { + if [ -s "$DEFAULT_ROUTE_FILE" ]; then + route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface + route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"` + rm -f -- "$DEFAULT_ROUTE_FILE" + fi + } + + del_network_route() { + NETWORK="$1" + NETMASK="$2" + NETMASKLEN="$3" + if [ -n "$5" ]; then + NETGW="$5" + else + NETGW="$INTERNAL_IP4_ADDRESS" + fi + route $route_syntax_del -net "$NETWORK" $route_syntax_netmask "$NETMASK" $route_syntax_gw "$NETGW" + } + + get_ipv6_default_gw() { + # Intended behavior, starting with `netstat -r -n` IPv6 output: + # - keep lines starting with 'default' or '::' + # - append %$interface to link-local routes (fe80::/10) + # - remove lines for loopback interface (lo) + # - remove lines containing $TUNDEV (we don't want loopback) + # FIXME: is there a better way to exclude loopback routes than filtering interface /^lo/? + netstat -r -n $netstat_syntax_ipv6 | awk '/^(default|::\/0)/ { if ($NF!~/^lo/ && $NF!~/'"$TUNDEV"'([[:space:]]|$)/) { print ($2~/^fe[89ab]/ ? $2"%"$NF : $2); } }' + } + + set_ipv6_default_route() { + DEFAULTGW="`get_ipv6_default_gw`" + echo "$DEFAULTGW" > "$DEFAULT_ROUTE_FILE_IPV6" + route $route_syntax_del $route_syntax_inet6 default $route_syntax_gw "$DEFAULTGW" + route add $route_syntax_inet6 default $route_syntax_gw "$INTERNAL_IP6_ADDRESS" $route_syntax_interface + } + + set_ipv6_network_route() { + NETWORK="$1" + NETMASK="$2" + DEVICE="$3" + if [ -n "$4" ]; then + NETGW="$4" + elif [ "$OS" = "Linux" ]; then + route add $route_syntax_inet6_net "$NETWORK/$NETMASK" dev "$DEVICE" + return + else + NETGW="$INTERNAL_IP6_ADDRESS" + fi + + route add $route_syntax_inet6_net "$NETWORK/$NETMASK" $route_syntax_gw "$NETGW" $route_syntax_interface + : + } + + set_ipv6_exclude_route() { + NETWORK="$1" + NETMASK="$2" + IPV6DEFAULTGW="${IPV6DEFAULTGW:-`get_ipv6_default_gw`}" + if [ -z "$IPV6DEFAULTGW" ]; then + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return + fi + # Add explicit route to keep traffic for this target separate + # from tunnel. FIXME: We use default gateway - this is our best + # guess in absence of "ip" command to query effective route. + route add $route_syntax_inet6_net "$NETWORK/$NETMASK" "$IPV6DEFAULTGW" $route_syntax_interface + : + } + + reset_ipv6_default_route() { + if [ -s "$DEFAULT_ROUTE_FILE_IPV6" ]; then + route $route_syntax_del $route_syntax_inet6 default $route_syntax_gw "`get_ipv6_default_gw`" $route_syntax_interface + route add $route_syntax_inet6 default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE_IPV6"` + rm -f -- "$DEFAULT_ROUTE_FILE_IPV6" + fi + : + } + + del_ipv6_network_route() { + NETWORK="$1" + NETMASK="$2" + DEVICE="$3" + if [ -n "$4" ]; then + NETGW="$4" + elif [ "$OS" = "Linux" ]; then + route $route_syntax_del $route_syntax_inet6 "$NETWORK/$NETMASK" dev "$DEVICE" + return + else + NETGW="$INTERNAL_IP6_ADDRESS" + fi + route $route_syntax_del $route_syntax_inet6 "$NETWORK/$NETMASK" $route_syntax_gw "$NETGW" + : + } + + del_ipv6_exclude_route() { + NETWORK="$1" + NETMASK="$2" + route $route_syntax_del $route_syntax_inet6 "$NETWORK/$NETMASK" + : + } + +fi + +# =========== resolv.conf handling ==================================== + +# =========== resolv.conf handling for any OS ========================= + +modify_resolvconf_generic() { + grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 || cp -- /etc/resolv.conf "$RESOLV_CONF_BACKUP" + NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc +# and will be overwritten by vpnc +# as long as the above mark is intact" + + DOMAINS="$CISCO_DEF_DOMAIN" + + exec 6< "$RESOLV_CONF_BACKUP" + while read LINE <&6 ; do + case "$LINE" in + # omit; we will overwrite these + nameserver*) ;; + # extract listed domains and prepend to list + domain* | search*) DOMAINS="${LINE#* } $DOMAINS" ;; + # retain other lines + *) NEW_RESOLVCONF="$NEW_RESOLVCONF +$LINE" ;; + esac + done + exec 6<&- + + for i in $INTERNAL_IP4_DNS ; do + NEW_RESOLVCONF="$NEW_RESOLVCONF +nameserver $i" + done + # note that "search" is mutually exclusive with "domain"; + # "search" allows multiple domains to be listed, so use that + if [ -n "$DOMAINS" ]; then + NEW_RESOLVCONF="$NEW_RESOLVCONF +search $DOMAINS" + fi + echo "$NEW_RESOLVCONF" > /etc/resolv.conf + + if [ "$OS" = "Darwin" ]; then + case "`uname -r`" in + # Skip for pre-10.4 systems + 4.*|5.*|6.*|7.*) + ;; + # 10.4 and later require use of scutil for DNS to work properly + *) + OVERRIDE_PRIMARY="" + if [ -n "$CISCO_SPLIT_INC" ]; then + if [ $CISCO_SPLIT_INC -lt 1 ]; then + # Must override for correct default route + # Cannot use multiple DNS matching in this case + OVERRIDE_PRIMARY='d.add OverridePrimary # 1' + fi + # Overriding the default gateway breaks split routing + OVERRIDE_GATEWAY="" + # Not overriding the default gateway breaks usage of + # INTERNAL_IP4_DNS. Prepend INTERNAL_IP4_DNS to list + # of used DNS servers + SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'` + SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs` + if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then + scutil >/dev/null 2>&1 <<-EOF + open + get State:/Network/Service/$SERVICE/DNS + d.add ServerAddresses * $INTERNAL_IP4_DNS $SERVICE_DNS + set State:/Network/Service/$SERVICE/DNS + close + EOF + fi + else + # No split routing. Override default gateway + OVERRIDE_GATEWAY="d.add Router $INTERNAL_IP4_ADDRESS" + fi + # Uncomment the following if/fi pair to use multiple + # DNS matching when available. When multiple DNS matching + # is present, anything reading the /etc/resolv.conf file + # directly will probably not work as intended. + #if [ -z "$CISCO_DEF_DOMAIN" ]; then + # Cannot use multiple DNS matching without a domain + OVERRIDE_PRIMARY='d.add OverridePrimary # 1' + #fi + scutil >/dev/null 2>&1 <<-EOF + open + d.init + d.add ServerAddresses * $INTERNAL_IP4_DNS + set State:/Network/Service/$TUNDEV/DNS + d.init + $OVERRIDE_GATEWAY + d.add Addresses * $INTERNAL_IP4_ADDRESS + d.add SubnetMasks * 255.255.255.255 + d.add InterfaceName $TUNDEV + $OVERRIDE_PRIMARY + set State:/Network/Service/$TUNDEV/IPv4 + close + EOF + if [ -n "$CISCO_DEF_DOMAIN" ]; then + scutil >/dev/null 2>&1 <<-EOF + open + get State:/Network/Service/$TUNDEV/DNS + d.add DomainName $CISCO_DEF_DOMAIN + d.add SearchDomains * $CISCO_DEF_DOMAIN + d.add SupplementalMatchDomains * $CISCO_DEF_DOMAIN + set State:/Network/Service/$TUNDEV/DNS + close + EOF + fi + ;; + esac + fi +} + +restore_resolvconf_generic() { + if [ ! -f "$RESOLV_CONF_BACKUP" ]; then + return + fi + grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 && cat "$RESOLV_CONF_BACKUP" > /etc/resolv.conf + rm -f -- "$RESOLV_CONF_BACKUP" + + if [ "$OS" = "Darwin" ]; then + case "`uname -r`" in + # Skip for pre-10.4 systems + 4.*|5.*|6.*|7.*) + ;; + # 10.4 and later require use of scutil for DNS to work properly + *) + scutil >/dev/null 2>&1 <<-EOF + open + remove State:/Network/Service/$TUNDEV/IPv4 + remove State:/Network/Service/$TUNDEV/DNS + close + EOF + # Split routing required prepending of INTERNAL_IP4_DNS + # to list of used DNS servers + if [ -n "$CISCO_SPLIT_INC" ]; then + SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'` + SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs` + if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then + scutil >/dev/null 2>&1 <<-EOF + open + get State:/Network/Service/$SERVICE/DNS + d.add ServerAddresses * ${SERVICE_DNS##$INTERNAL_IP4_DNS} + set State:/Network/Service/$SERVICE/DNS + close + EOF + fi + fi + ;; + esac + fi +} +# === resolv.conf handling via /sbin/netconfig (Suse 11.1) ===================== + +# Suse provides a script that modifies resolv.conf. Use it because it will +# restart/reload all other services that care about it (e.g. lwresd). [unclear if this is still true, but probably --mlk] + +modify_resolvconf_suse_netconfig() +{ + /sbin/netconfig modify -s vpnc -i "$TUNDEV" <<-EOF + INTERFACE='$TUNDEV' + DNSSERVERS='$INTERNAL_IP4_DNS' + DNSDOMAIN='$CISCO_DEF_DOMAIN' + EOF +} +# Restore resolv.conf to old contents on Suse +restore_resolvconf_suse_netconfig() +{ + /sbin/netconfig remove -s vpnc -i "$TUNDEV" +} + +# === resolv.conf handling via /sbin/modify_resolvconf (Suse) ===================== + +# Suse provides a script that modifies resolv.conf. Use it because it will +# restart/reload all other services that care about it (e.g. lwresd). + +modify_resolvconf_suse() +{ + FULL_SCRIPTNAME=`readlink -f $0` + RESOLV_OPTS='' + test -n "$INTERNAL_IP4_DNS" && RESOLV_OPTS="-n \"$INTERNAL_IP4_DNS\"" + test -n "$CISCO_DEF_DOMAIN" && RESOLV_OPTS="$RESOLV_OPTS -d $CISCO_DEF_DOMAIN" + test -n "$RESOLV_OPTS" && eval /sbin/modify_resolvconf modify -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV $RESOLV_OPTS -t \"This file was created by $SCRIPTNAME\" +} + +# Restore resolv.conf to old contents on Suse +restore_resolvconf_suse() +{ + FULL_SCRIPTNAME=`readlink -f $0` + /sbin/modify_resolvconf restore -s vpnc -p $SCRIPTNAME -f $FULL_SCRIPTNAME -e $TUNDEV +} + +# === resolv.conf handling via UCI (OpenWRT) ========= + +modify_resolvconf_openwrt() { + add_dns $OPENWRT_INTERFACE $INTERNAL_IP4_DNS +} + +restore_resolvconf_openwrt() { + remove_dns $OPENWRT_INTERFACE +} +# === resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) ========= + +modify_resolvconf_manager() { + NEW_RESOLVCONF="" + for i in $INTERNAL_IP4_DNS; do + NEW_RESOLVCONF="$NEW_RESOLVCONF +nameserver $i" + done + if [ -n "$CISCO_DEF_DOMAIN" ]; then + NEW_RESOLVCONF="$NEW_RESOLVCONF +search $CISCO_DEF_DOMAIN" + fi + echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV +} + +restore_resolvconf_manager() { + /sbin/resolvconf -d $TUNDEV +} + +AF_INET=2 + +get_if_index() { + local link + link="$(ip link show dev "$1")" || return $? + echo ${link} | awk -F: '{print $1}' +} + +busctl_call() { + local dest node + dest=org.freedesktop.resolve1 + node=/org/freedesktop/resolve1 + busctl call "$dest" "${node}" "${dest}.Manager" "$@" +} + +busctl_set_nameservers() { + local if_index addresses args addr + if_index=$1 + shift + addresses="$@" + args="$if_index $#" + for addr in ${addresses}; do + args="$args ${AF_INET} 4 $(echo $addr | sed 's/[.]/ /g')" + done + busctl_call SetLinkDNS 'ia(iay)' ${args} +} + +resolvectl_set_nameservers() { + local if_index addresses + if_index=$1 + shift + addresses="$@" + /usr/bin/resolvectl dns $if_index $addresses +} + +busctl_set_search() { + local if_index domains args domain + if_index=$1 + shift + domains="$@" + args="$if_index $#" + for domain in ${domains}; do + args="$args ${domain} false" + done + busctl_call SetLinkDomains 'ia(sb)' ${args} +} + +resolvectl_set_search() { + local if_index domains + if_index=$1 + shift + domains="$@" + /usr/bin/resolvectl domain $if_index $domains +} + +modify_resolved_manager() { + local if_index split_dns_list + if_index=$(get_if_index $TUNDEV) + split_dns_list=$(echo $CISCO_SPLIT_DNS | tr ',' ' ') + resolvectl_set_nameservers $if_index $INTERNAL_IP4_DNS + if [ -n "$CISCO_DEF_DOMAIN" ] || [ -n "$split_dns_list" ]; then + resolvectl_set_search $if_index $CISCO_DEF_DOMAIN $split_dns_list + fi +} + +modify_resolved_manager_old() { + local if_index + if_index=$(get_if_index $TUNDEV) + busctl_set_nameservers $if_index $INTERNAL_IP4_DNS + if [ -n "$CISCO_DEF_DOMAIN" ]; then + busctl_set_search $if_index $CISCO_DEF_DOMAIN + fi +} + +restore_resolved_manager() { + local if_index + if_index=$(get_if_index $TUNDEV) + /usr/bin/resolvectl revert $if_index +} + +restore_resolved_manager_old() { + local if_index + if_index=$(get_if_index $TUNDEV) + busctl_call RevertLink 'i' $if_index +} + +# === resolv.conf handling via unbound ========= + +modify_resolvconf_unbound() { + if [ -n "$CISCO_DEF_DOMAIN" ]; then + /usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS} + /usr/sbin/unbound-control flush_requestlist + /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN} + fi +} + +restore_resolvconf_unbound() { + if [ -n "$CISCO_DEF_DOMAIN" ]; then + /usr/sbin/unbound-control forward_remove +i ${CISCO_DEF_DOMAIN} + /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN} + /usr/sbin/unbound-control flush_requestlist + fi +} + +# === resolv.conf handling via resolvd ========= + +modify_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV $INTERNAL_IP4_DNS $INTERNAL_IP6_DNS +} + +restore_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV +} + +# ========= Toplevel state handling ======================================= + +do_pre_init() { + if [ "$OS" = "Linux" ]; then + if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then + : + else # can't open /dev/net/tun + test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null + # make sure tun device exists + if [ ! -e /dev/net/tun ]; then + mkdir -p /dev/net + mknod -m 0640 /dev/net/tun c 10 200 + [ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun + fi + # workaround for a possible latency caused by udev, sleep max. 10s + for x in $(seq 100) ; do + (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break; + sleep 0.1 + done + fi + elif [ "$OS" = "FreeBSD" -o "$OS" = "DragonFly" ]; then + if ! ifconfig $TUNDEV > /dev/null; then + ifconfig $TUNDEV create + fi + elif [ "$OS" = "GNU/kFreeBSD" ]; then + if [ ! -e /dev/tun ]; then + kldload if_tun + fi + elif [ "$OS" = "NetBSD" ]; then + : + elif [ "$OS" = "OpenBSD" ]; then + if ! ifconfig $TUNDEV > /dev/null; then + ifconfig $TUNDEV create + fi + : + elif [ "$OS" = "SunOS" ]; then + : + elif [ "$OS" = "Darwin" ]; then + : + fi +} + +do_connect() { + if [ -n "$CISCO_BANNER" ]; then + echo "Connect Banner:" + echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done + echo + fi + + case "$VPNGATEWAY" in + 127.*|::1) ;; # localhost (probably proxy) + *) set_vpngateway_route ;; + esac + do_ifconfig + if [ -n "$CISCO_SPLIT_EXC" ]; then + i=0 + while [ $i -lt $CISCO_SPLIT_EXC ] ; do + eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}" + eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}" + eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" + case "$NETWORK" in + 0.*|127.*|169.254.*) echo "ignoring non-forwardable exclude route $NETWORK/$NETMASKLEN" >&2 ;; + *) set_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + esac + i=`expr $i + 1` + done + fi + if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then + # untested + i=0 + while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do + eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}" + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}" + set_ipv6_exclude_route "$NETWORK" "$NETMASKLEN" + i=`expr $i + 1` + done + fi + if [ -n "$CISCO_SPLIT_INC" ]; then + i=0 + while [ $i -lt $CISCO_SPLIT_INC ] ; do + eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}" + eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}" + eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}" + if [ "$NETWORK" != "0.0.0.0" ]; then + set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" + else + set_default_route + fi + i=`expr $i + 1` + done + for i in $INTERNAL_IP4_DNS ; do + echo "$i" | grep : >/dev/null || \ + set_network_route "$i" "255.255.255.255" "32" "$TUNDEV" + done + elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then + set_default_route + fi + if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then + i=0 + while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do + eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}" + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}" + if [ $NETMASKLEN -eq 0 ]; then + set_ipv6_default_route + else + set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV" + fi + i=`expr $i + 1` + done + for i in $INTERNAL_IP4_DNS ; do + if echo "$i" | grep : >/dev/null; then + set_ipv6_network_route "$i" "128" "$TUNDEV" + fi + done + elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then + set_ipv6_default_route + fi + + if [ -n "$INTERNAL_IP4_DNS" ]; then + $MODIFYRESOLVCONF + fi +} + +do_disconnect() { + if [ -n "$CISCO_SPLIT_INC" ]; then + i=0 + while [ $i -lt $CISCO_SPLIT_INC ] ; do + eval NETWORK="\${CISCO_SPLIT_INC_${i}_ADDR}" + eval NETMASK="\${CISCO_SPLIT_INC_${i}_MASK}" + eval NETMASKLEN="\${CISCO_SPLIT_INC_${i}_MASKLEN}" + if [ "$NETWORK" != "0.0.0.0" ]; then + # FIXME: This doesn't restore previously overwritten + # routes. + del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$TUNDEV" + else + reset_default_route + fi + i=`expr $i + 1` + done + for i in $INTERNAL_IP4_DNS ; do + del_network_route "$i" "255.255.255.255" "32" "$TUNDEV" + done + else + reset_default_route + fi + if [ -n "$CISCO_SPLIT_EXC" ]; then + i=0 + while [ $i -lt $CISCO_SPLIT_EXC ] ; do + eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}" + eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}" + eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" + case "$NETWORK" in + 0.*|127.*|169.254.*) ;; # ignoring non-forwardable exclude route + *) del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + esac + i=`expr $i + 1` + done + fi + if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then + # untested + i=0 + while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do + eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}" + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}" + del_ipv6_exclude_route "$NETWORK" "$NETMASKLEN" + i=`expr $i + 1` + done + fi + if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then + i=0 + while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do + eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}" + eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}" + if [ $NETMASKLEN -eq 0 ]; then + reset_ipv6_default_route + else + del_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV" + fi + i=`expr $i + 1` + done + for i in $INTERNAL_IP6_DNS ; do + del_ipv6_network_route "$i" "128" "$TUNDEV" + done + elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then + reset_ipv6_default_route + fi + + del_vpngateway_route + + if [ -n "$INTERNAL_IP4_DNS" ]; then + $RESTORERESOLVCONF + fi + + + if [ -n "$IPROUTE" ]; then + if [ -n "$INTERNAL_IP4_ADDRESS" ]; then + $IPROUTE addr del "$INTERNAL_IP4_ADDRESS/255.255.255.255" peer "$INTERNAL_IP4_ADDRESS" dev "$TUNDEV" + fi + # If the netmask is provided, it contains the address _and_ netmask + if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + fi + if [ -n "$INTERNAL_IP6_NETMASK" ]; then + $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV + fi + $IPROUTE link set dev "$TUNDEV" down + else + if [ -n "$INTERNAL_IP4_ADDRESS" ]; then + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP4_ADDRESS"` + fi + if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + fi + if [ -n "$INTERNAL_IP6_NETMASK" ]; then + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP6_NETMASK"` + fi + ifconfig "$TUNDEV" down + fi + + case "$OS" in + NetBSD|OpenBSD) # and probably others... + ifconfig "$TUNDEV" destroy + ;; + FreeBSD|DragonFly) + ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & + ;; + esac +} + +do_attempt_reconnect() { + set_vpngateway_route +} + +#### Main + +if [ -z "$reason" ]; then + echo "this script must be called from vpnc" 1>&2 + exit 1 +fi + +case "$reason" in + pre-init) + run_hooks pre-init + do_pre_init + ;; + connect) + run_hooks connect + do_connect + run_hooks post-connect + ;; + disconnect) + run_hooks disconnect + do_disconnect + run_hooks post-disconnect + ;; + attempt-reconnect) + # Invoked before each attempt to re-establish the session. + # If the underlying physical connection changed, we might + # be left with a route to the VPN server through the VPN + # itself, which would need to be fixed. + run_hooks attempt-reconnect + do_attempt_reconnect + run_hooks post-attempt-reconnect + ;; + reconnect) + # After successfully re-establishing the session. + run_hooks reconnect + ;; + *) + echo "unknown reason '$reason'. Maybe vpnc-script is out of date" 1>&2 + exit 1 + ;; +esac + +exit 0 diff --git a/SPECS/vpnc-script.spec b/SPECS/vpnc-script.spec new file mode 100644 index 0000000..eea0023 --- /dev/null +++ b/SPECS/vpnc-script.spec @@ -0,0 +1,107 @@ +%global git_date 20220404 +%global git_commit_hash 40a8c62c + +Name: vpnc-script +Version: %{git_date} +Release: 1.git%{git_commit_hash}%{?dist} + +Summary: Routing setup script for vpnc and openconnect +BuildArch: noarch +Requires: iproute +Requires: which + +License: GPLv2+ +URL: https://gitlab.com/openconnect/vpnc-scripts/ +Source0: vpnc-script + +%description +This script sets up routing for VPN connectivity, when invoked by vpnc +or openconnect. + + +%prep +cp -p %SOURCE0 . + +%build + +%install +mkdir -p -m 755 %{buildroot}%{_sysconfdir}/vpnc +install -m 0755 vpnc-script \ + %{buildroot}%{_sysconfdir}/vpnc/vpnc-script + +%files +%dir %{_sysconfdir}/vpnc +%{_sysconfdir}/vpnc/vpnc-script + +%changelog +* Thu Aug 03 2023 Arkady L. Shane - 20220404-1.git40a8c62c +- Rebuilt for MSVSphere 9.2 + +* Mon Apr 04 2022 Nikos Mavrogiannopoulos - 20220404-1.git40a8c62c +- Updated to latest upstream version + +* Sat Jan 22 2022 Fedora Release Engineering - 20201205-4.gitcdbd5b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Fri Jul 23 2021 Fedora Release Engineering - 20201205-3.gitcdbd5b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jan 27 2021 Fedora Release Engineering - 20201205-2.gitcdbd5b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Sat Dec 05 2020 Nikos Mavrogiannopoulos +- Updated to latest upstream vpnc-script + +* Tue Sep 29 2020 Nikos Mavrogiannopoulos +- Updated to latest upstream vpnc-script + +* Wed Jul 29 2020 Fedora Release Engineering - 20171004-8.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jan 31 2020 Fedora Release Engineering - 20171004-7.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Sat Jul 27 2019 Fedora Release Engineering - 20171004-6.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 20171004-5.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Dec 01 2018 James Hennessy +- Fixed issue where vpnc-script is using resolvconf on systems where "resolve" isn't enabled in /etc/nsswitch. + +* Sat Jul 14 2018 Fedora Release Engineering - 20171004-3.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Fri Feb 09 2018 Fedora Release Engineering - 20171004-2.git6f87b0f +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Oct 5 2017 Nikos Mavrogiannopoulos - 20171004-1.git6f87b0f +- Fixed issue with systemd-resolved (#1497750) + +* Mon Aug 21 2017 Nikos Mavrogiannopoulos - 20170821-1.git6f87b0f +- new upstream release +- removed dependency on net-tools and added on iproute (#1481164) + +* Thu Jul 27 2017 Fedora Release Engineering - 20140805-6.gitdf5808b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 20140805-5.gitdf5808b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Fri Feb 05 2016 Fedora Release Engineering - 20140805-4.gitdf5808b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 20140805-3.gitdf5808b +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Thu Nov 20 2014 Nikos Mavrogiannopoulos - 20140805-2.gitdf5808b +- Added dependency on which (#1068899) +- Added dependency on net-tools (#1007363) + +* Wed Oct 01 2014 Nikos Mavrogiannopoulos - 20140805-1.gitdf5808b +- new upstream release (includes unbound patch) + +* Tue Aug 05 2014 Nikos Mavrogiannopoulos - 20140705-1.git6201ebd +- new package +