Follow disable_ipv6 for Pulse and Fortinet
As with other protocols (AnyConnect, F5, GP), the behavior of 'disable_ipv6'
for these protocols is relatively "shallow": if set, it will cause
OpenConnect to ignore any IPv6 address or netmask sent by the server, but
will *not* ignore IPv6 split-{in,ex}cludes or IPv6 addresses of DNS servers.

More thorough IPv6-ignoring could be handled by the vpnc-script, or cleaned
up as part of a future change to simplify IP configuration and routing
across protocols.

(The lack of support for --disable-ipv6 in Pulse was noted in
https://gitlab.com/openconnect/openconnect/-/issues/254.)

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
dlenski committed Jun 17, 2021
1 parent f5fe88c commit 80e6f8a
Showing 2 changed files with 12 additions and 8 deletions.
9 changes: 6 additions & 3 deletions fortinet.c
Expand Up @@ -417,10 +417,13 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
goto out;
}
vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), a);
new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
if (!vpninfo->disable_ipv6)
new_ip_info.netmask6 = add_option_steal(&new_opts, "ipaddr6", &a);
free(a);
} else {
vpn_progress(vpninfo, PRG_INFO, _("Got IPv6 address %s\n"), s);
new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
if (!vpninfo->disable_ipv6)
new_ip_info.addr6 = add_option_steal(&new_opts, "ipaddr6", &s);
}
} else if (xmlnode_is_named(x, "dns")) {
if (!xmlnode_get_prop(x, "domain", &s) && s && *s) {
Expand Down Expand Up @@ -541,7 +544,7 @@ static int fortinet_configure(struct openconnect_info *vpninfo)
* FortiOS 4 was the last version to send the legacy HTTP configuration.
* FortiOS 5 and later send the current XML configuration.
* We clearly do not need to support FortiOS 4 anymore.
*
*
* Yet we keep this code around in order to get a sanity check about
* whether the SVPNCOOKIE is still valid/alive, until we are sure we've
* worked out the weirdness with reconnects.
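Review bot: The only change in this comment block is the empty `*` line between "We clearly do not need to support FortiOS 4 anymore." and "Yet we keep this code around", which looks like a whitespace-only edit unrelated to disable_ipv6. Consider dropping it from this commit or moving it to a separate cleanup commit so the functional change stays easy to review and backport.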
11 changes: 6 additions & 5 deletions pulse.c
Expand Up @@ -283,12 +283,13 @@ static int process_attr(struct openconnect_info *vpninfo, struct oc_vpn_option *
_("Failed to handle IPv6 address\n"));
return -EINVAL;
}
new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1);

i = strlen(buf);
snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]);
new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1);
if (!vpninfo->disable_ipv6) {
new_ip_info->addr6 = add_option_dup(new_opts, "ip6addr", buf, -1);

i = strlen(buf);
snprintf(buf + i, sizeof(buf) - i, "/%d", data[16]);
new_ip_info->netmask6 = add_option_dup(new_opts, "ip6netmask", buf, -1);
}
vpn_progress(vpninfo, PRG_DEBUG, _("Received internal IPv6 address %s\n"), buf);
break;

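Review bot: The vpn_progress() call after the new block prints `buf`, but the "/%d" prefix length is now appended only inside `if (!vpninfo->disable_ipv6)`, so the debug line shows address/prefix normally and the bare address when disable_ipv6 is set. Consider doing the snprintf() unconditionally (or logging before the conditional) so the message is the same in both modes, and saying in the message that the address is being ignored when disable_ipv6 is set. While touching this code, note that data[16] is used as the prefix length without a range check in the visible lines; a check that it is at most 128 before it goes into the "ip6netmask" option would be a reasonable follow-up.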