Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge branch 'GP_demangle_default_route_as_split_route' into 'master'
GP: Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask.

See merge request openconnect/openconnect!118
  • Loading branch information
dlenski committed Nov 19, 2020
2 parents 774ee37 + 99ae55a commit 63369ba
Showing 1 changed file with 49 additions and 7 deletions.
56 changes: 49 additions & 7 deletions gpst.c
Expand Up @@ -456,7 +456,9 @@ static int xml_to_key(xmlNode *xml_node, unsigned char *dest, int dest_size)
static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_node, void *cb_data)
{
xmlNode *member;
char *s = NULL;
char *s = NULL, *deferred_netmask = NULL;
struct oc_split_include *inc;
int split_route_is_default_route = 0;
int ii;

if (!xml_node || !xmlnode_is_named(xml_node, "response"))
Expand All @@ -480,9 +482,12 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
for (xml_node = xml_node->children; xml_node; xml_node=xml_node->next) {
if (!xmlnode_get_val(xml_node, "ip-address", &s))
vpninfo->ip_info.addr = add_option(vpninfo, "ipaddr", &s);
else if (!xmlnode_get_val(xml_node, "netmask", &s))
vpninfo->ip_info.netmask = add_option(vpninfo, "netmask", &s);
else if (!xmlnode_get_val(xml_node, "mtu", &s))
else if (!xmlnode_get_val(xml_node, "netmask", &deferred_netmask)) {
/* XX: GlobalProtect servers always (almost always?) send 255.255.255.255 as their netmask
* (a /32 host route), and if they want to include an actual default route (0.0.0.0/0)
* they instead put it under <access-routes/>. We defer saving the netmask until later.
*/
} else if (!xmlnode_get_val(xml_node, "mtu", &s))
vpninfo->ip_info.mtu = atoi(s);
else if (!xmlnode_get_val(xml_node, "lifetime", &s))
vpn_progress(vpninfo, PRG_INFO, _("Session will expire after %d minutes.\n"), atoi(s)/60);
Expand Down Expand Up @@ -538,10 +543,19 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
} else if (xmlnode_is_named(xml_node, "access-routes") || xmlnode_is_named(xml_node, "exclude-access-routes")) {
for (member = xml_node->children; member; member=member->next) {
if (!xmlnode_get_val(member, "member", &s)) {
struct oc_split_include *inc = malloc(sizeof(*inc));
if (!inc)
int is_inc = xmlnode_is_named(xml_node, "access-routes");

/* XX: if this is a default route jammed into the split-include
* routes, just mark it for now.
*/
if (is_inc && !strcmp(s, "0.0.0.0/0")) {
split_route_is_default_route = 1;
continue;
if (xmlnode_is_named(xml_node, "access-routes")) {
}

if ((inc = malloc(sizeof(*inc))) == NULL)
return -ENOMEM;
if (is_inc) {
inc->route = add_option(vpninfo, "split-include", &s);
inc->next = vpninfo->ip_info.split_includes;
vpninfo->ip_info.split_includes = inc;
Expand Down Expand Up @@ -607,6 +621,34 @@ static int gpst_parse_config_xml(struct openconnect_info *vpninfo, xmlNode *xml_
}
}

/* Fix the issue of a 0.0.0.0/0 "split"-include route by swapping the "split" route with the default netmask. */
if (split_route_is_default_route) {
char *original_netmask = deferred_netmask;

if ((deferred_netmask = strdup("0.0.0.0")) == NULL)
return -ENOMEM;

/* If the original netmask wasn't /32, add it as a split route */
if (vpninfo->ip_info.addr && original_netmask) {
uint32_t nm_bits = inet_addr(original_netmask);
if (nm_bits != 0xffffffff) { /* 255.255.255.255 */
struct in_addr net_addr;
inet_aton(vpninfo->ip_info.addr, &net_addr);
net_addr.s_addr &= nm_bits; /* clear host bits */

if ((inc = malloc(sizeof(*inc))) == NULL ||
asprintf(&s, "%s/%s", inet_ntoa(net_addr), original_netmask) <= 0)
return -ENOMEM;
inc->route = add_option(vpninfo, "split-include", &s);
inc->next = vpninfo->ip_info.split_includes;
vpninfo->ip_info.split_includes = inc;
}
}
free(original_netmask);
}
if (deferred_netmask)
vpninfo->ip_info.netmask = add_option(vpninfo, "netmask", &deferred_netmask);

/* Set 10-second DPD/keepalive (same as Windows client) unless
* overridden with --force-dpd */
if (!vpninfo->ssl_times.dpd)
Expand Down

0 comments on commit 63369ba

Please sign in to comment.