From 2055ef70633a2f039bcd248d95f495f8d1f1ff91 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 4 Apr 2022 10:31:58 +0200 Subject: [PATCH 01/12] updated to latest upstream --- vpnc-script | 263 ++++++++++++++++++++++++++--------------------- vpnc-script.spec | 9 +- 2 files changed, 150 insertions(+), 122 deletions(-) diff --git a/vpnc-script b/vpnc-script index a2bf4a0..bc026ab 100644 --- a/vpnc-script +++ b/vpnc-script @@ -2,7 +2,7 @@ # # Originally part of vpnc source code: # © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al. -# © 2009-2012 David Woodhouse +# © 2009-2022 David Woodhouse , Daniel Lenski et al. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -22,31 +22,37 @@ # # List of parameters passed through environment #* reason -- why this script was called, one of: pre-init connect disconnect reconnect attempt-reconnect -#* VPNGATEWAY -- vpn gateway address (always present) +#* VPNGATEWAY -- VPN gateway address (always present) +#* VPNPID -- PID of the process controlling the VPN (OpenConnect v9.0+) #* TUNDEV -- tunnel device (always present) +#* IDLE_TIMEOUT -- gateway's idle timeout in seconds (OpenConnect v8.06+); unused +#* LOG_LEVEL -- log level; ERROR=0, INFO=1, DEBUG=2, TRACE=3 (OpenConnect v9.0+) #* INTERNAL_IP4_ADDRESS -- address (always present) -#* INTERNAL_IP4_MTU -- mtu (often unset) +#* INTERNAL_IP4_MTU -- MTU (often unset) #* INTERNAL_IP4_NETMASK -- netmask (often unset) #* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset) #* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set) -#* INTERNAL_IP4_DNS -- list of dns servers -#* INTERNAL_IP4_NBNS -- list of wins servers +#* INTERNAL_IP4_DNS -- list of DNS servers +#* INTERNAL_IP4_NBNS -- list of WINS servers #* INTERNAL_IP6_ADDRESS -- IPv6 address #* INTERNAL_IP6_NETMASK -- IPv6 netmask #* INTERNAL_IP6_DNS -- IPv6 list of dns servers #* CISCO_DEF_DOMAIN -- default domain name #* CISCO_BANNER -- banner from server -#* CISCO_SPLIT_DNS -- dns search domain list +#* CISCO_SPLIT_DNS -- DNS search domain list #* CISCO_SPLIT_INC -- number of networks in split-network-list #* CISCO_SPLIT_INC_%d_ADDR -- network address #* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0) #* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24) -#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0) -#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0) -#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0) +#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0); unused +#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0); unused +#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0); unused #* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list #* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address #* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen +# +# The split tunnel variables above have *_EXC* counterparts for network +# addresses to be excluded from the VPN tunnel. # FIXMEs: @@ -60,20 +66,20 @@ # 2) There are two different functions to set routes: generic routes and the # default route. Why isn't the defaultroute handled via the generic route case? # 3) In the split tunnel case, all routes but the default route might get replaced -# without getting restored later. We should explicitely check and save them just +# without getting restored later. We should explicitly check and save them just # like the defaultroute # 4) Replies to a dhcp-server should never be sent into the tunnel # Section B: Split DNS handling # 1) Maybe dnsmasq can do something like that -# 2) Parse dns packets going out via tunnel and redirect them to original dns-server +# 2) Parse DNS packets going out via tunnel and redirect them to original DNS-server # ======== For test logging (CI/CD will uncomment automatically) ========= #TRACE# echo "------------------" #TRACE# echo "vpnc-script environment:" -#TRACE# env | egrep '^(CISCO_|INTERNAL_IP|VPNGATEWAY|TUNDEV|reason)' | sort +#TRACE# env | grep -E '^(CISCO_|INTERNAL_IP|VPNGATEWAY|TUNDEV|IDLE_TIMEOUT|reason)' | sort #TRACE# echo "------------------" #TRACE# set -x @@ -84,9 +90,22 @@ PATH=/sbin:/usr/sbin:$PATH OS="`uname -s`" HOOKS_DIR=/etc/vpnc -DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute.${PPID} -DEFAULT_ROUTE_FILE_IPV6=/var/run/vpnc/defaultroute_ipv6.${PPID} -RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup + +# Use the PID of the controlling process (vpnc or OpenConnect) to +# uniquely identify this VPN connection. Normally, the parent process +# is a shell, and the grandparent's PID is the relevant one. +# OpenConnect v9.0+ provides VPNPID, so we don't need to determine it. +if [ -z "$VPNPID" ]; then + VPNPID=$PPID + PCMD=`ps -c -o cmd= -p $PPID` + case "$PCMD" in + *sh) VPNPID=`ps -o ppid= -p $PPID` ;; + esac +fi + +DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute.${VPNPID} +DEFAULT_ROUTE_FILE_IPV6=/var/run/vpnc/defaultroute_ipv6.${VPNPID} +RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup.${VPNPID} SCRIPTNAME=`basename $0` # some systems, eg. Darwin & FreeBSD, prune /var/run on boot @@ -102,7 +121,7 @@ else fi if [ "$OS" = "Linux" ]; then - IPROUTE="`which ip 2> /dev/null | grep '^/'`" + IPROUTE="`command -v ip | grep '^/'`" ifconfig_syntax_ptp="pointopoint" route_syntax_gw="gw" route_syntax_del="del" @@ -111,10 +130,10 @@ if [ "$OS" = "Linux" ]; then route_syntax_inet6_host="-6" route_syntax_inet6_net="-6" ifconfig_syntax_add_inet6="add" - ifconfig_syntax_del="del" + ifconfig_syntax_del() { case "$1" in *:*) echo del "$1" ;; *) echo 0.0.0.0 ;; esac; } netstat_syntax_ipv6="-6" else - # iproute2 is Linux only; if `which ip` returns something on another OS, it's likely an unrelated tool + # iproute2 is Linux only; if `command -v ip` returns something on another OS, it's likely an unrelated tool # (see https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009) IPROUTE="" ifconfig_syntax_ptp="" @@ -124,7 +143,7 @@ else route_syntax_inet6="-inet6" route_syntax_inet6_host="-inet6 -host" route_syntax_inet6_net="-inet6 -net" - ifconfig_syntax_del="delete" + ifconfig_syntax_del() { case "$1" in *:*) echo inet6 "$1" delete ;; *) echo "$1" delete ;; esac; } ifconfig_syntax_add_inet6="inet6" netstat_syntax_ipv6="-f inet6" fi @@ -136,11 +155,13 @@ else ifconfig_syntax_ptpv6="" fi -grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 && command systemd-resolve --status >/dev/null 2>&1 +RESOLVEDENABLED=0 +grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 if [ $? = 0 ];then - RESOLVEDENABLED=1 -else - RESOLVEDENABLED=0 + command resolvectl status >/dev/null 2>&1 || command systemd-resolve --status >/dev/null 2>&1 + if [ $? = 0 ];then + RESOLVEDENABLED=1 + fi fi if [ -r /etc/openwrt_release ] && [ -n "$OPENWRT_INTERFACE" ]; then @@ -156,8 +177,8 @@ elif [ -x /usr/bin/busctl ] && [ ${RESOLVEDENABLED} = 1 ]; then # For systemd-resolved (version 229 and above) MODIFYRESOLVCONF=modify_resolved_manager_old RESTORERESOLVCONF=restore_resolved_manager_old -elif [ -x /sbin/resolvconf ] && [ `basename $(readlink /sbin/resolvconf)` != resolvectl ]; then - # Optional tool on Debian, Ubuntu, Gentoo and FreeBSD +elif [ -x /sbin/resolvconf ] && [ "`basename $(readlink /sbin/resolvconf) 2> /dev/null`" != resolvectl ]; then + # Optional tool on Debian, Ubuntu, Gentoo, FreeBSD and DragonFly BSD # (ignored if symlink to resolvctl, created by some versions of systemd-resolved) MODIFYRESOLVCONF=modify_resolvconf_manager RESTORERESOLVCONF=restore_resolvconf_manager @@ -174,6 +195,10 @@ elif [ -x /sbin/modify_resolvconf ]; then elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then MODIFYRESOLVCONF=modify_resolvconf_unbound RESTORERESOLVCONF=restore_resolvconf_unbound +elif [ -x /usr/sbin/rcctl ] && /usr/sbin/rcctl check resolvd >/dev/null; then + # OpenBSD's resolvd by sending route messages + MODIFYRESOLVCONF=modify_resolvconf_resolvd + RESTORERESOLVCONF=restore_resolvconf_resolvd else # Generic for any OS MODIFYRESOLVCONF=modify_resolvconf_generic RESTORERESOLVCONF=restore_resolvconf_generic @@ -186,9 +211,9 @@ run_hooks() { HOOK="$1" if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then - for script in ${HOOKS_DIR}/${HOOK}.d/* ; do - [ -f $script ] && . $script - done + for script in ${HOOKS_DIR}/${HOOK}.d/* ; do + [ -f $script ] && . $script + done fi } @@ -223,56 +248,47 @@ do_ifconfig() { # If the netmask is provided, it contains the address _and_ netmask if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then - INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" fi if [ -n "$INTERNAL_IP6_NETMASK" ]; then - if [ -n "$IPROUTE" ]; then - $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV - else - # Unlike for Legacy IP, we don't specify the dest_address - # here on *BSD. OpenBSD for one will refuse to accept - # incoming packets to that address if we do. - # OpenVPN does the same (gives dest_address for Legacy IP - # but not for IPv6). - # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 - ifconfig "$TUNDEV" $ifconfig_syntax_add_inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up - fi + if [ -n "$IPROUTE" ]; then + $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV + else + # Unlike for Legacy IP, we don't specify the dest_address + # here on *BSD. OpenBSD for one will refuse to accept + # incoming packets to that address if we do. + # OpenVPN does the same (gives dest_address for Legacy IP + # but not for IPv6). + # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 + ifconfig "$TUNDEV" $ifconfig_syntax_add_inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up + fi fi } -destroy_tun_device() { - case "$OS" in - NetBSD|OpenBSD) # and probably others... - ifconfig "$TUNDEV" destroy - ;; - FreeBSD) - ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & - ;; - esac -} - # =========== route handling ==================================== if [ -n "$IPROUTE" ]; then fix_ip_get_output () { sed -e 's/ /\n/g' | \ - sed -ne "1 s|\$|${1}|p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p};/metric/{N;p}" + sed -ne "1 s|\$|${1}|p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p};/metric/{N;p};/onlink/{p}" } + # returns all routes to a destination *except* those through $TUNDEV, + # sorted by increasing metric (with absent metric as last) + list_non_loopback_routes () { + echo "$1" | grep -q : && FAMILY=-6 ROOT=::/0 || FAMILY=-4 ROOT=0/0 + # put metric in front, sort by metric, then chop off first two fields (metric and destination) + $IPROUTE $FAMILY route show to "$1" root "$ROOT" | + awk '/dev '"$TUNDEV"'/ { next; } { printf "%s %s\n", (match($0, /metric ([^ ]+)/) ? substr($0, RSTART+7, RLENGTH-7) : 4294967295), $0; }' | + sort -n | cut -d' ' -f3- + } + set_vpngateway_route() { - $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output` - $IPROUTE route flush cache 2>/dev/null - } - - set_vpngateway_route_attempt_reconnect() { # We'll attempt to add a host route to the gateway through every route that matches # its address (excluding those through TUNDEV because the goal is to avoid loopback). + echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 || FAMILY=-4 - echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 ROOT=::/0 || FAMILY=-4 ROOT=0/0 - # put metric in front, sort by metric, then chop off first two fields (metric and destination) - $IPROUTE $FAMILY route show to "$VPNGATEWAY" root "$ROOT" | - awk '/dev '"$TUNDEV"'/ { next; } { printf "%s %s\n", (match($0, /metric ([^ ]+)/) ? substr($0, RSTART+7, RLENGTH-7) : 4294967295), $0; }' | - sort -n | cut -d' ' -f3- | + list_non_loopback_routes "$VPNGATEWAY" | while read LINE ; do # We do not want to use 'replace', since a route to the gateway that already # exists is mostly likely the correct one (e.g. the case of a reconnect attempt @@ -280,7 +296,7 @@ if [ -n "$IPROUTE" ]; then $IPROUTE $FAMILY route add `echo "$VPNGATEWAY $LINE" | fix_ip_get_output` 2>/dev/null done $IPROUTE $FAMILY route flush cache 2>/dev/null - } + } del_vpngateway_route() { $IPROUTE route $route_syntax_del "$VPNGATEWAY" @@ -313,13 +329,19 @@ if [ -n "$IPROUTE" ]; then NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" - $IPROUTE route add `$IPROUTE route get "$NETWORK" | fix_ip_get_output "/$NETMASKLEN"` - $IPROUTE route flush cache 2>/dev/null + + echo "$1" | grep -q : && FAMILY=-6 || FAMILY=-4 + + list_non_loopback_routes "$NETWORK/$NETMASKLEN" | + while read LINE ; do + $IPROUTE $FAMILY route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null + done + $IPROUTE $FAMILY route flush cache 2>/dev/null } del_exclude_route() { # FIXME: In theory, this could delete existing routes which are - # identical to split-exclude routes specificed by VPNGATEWAY + # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -360,21 +382,18 @@ if [ -n "$IPROUTE" ]; then else $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" fi - $IPROUTE route flush cache 2>/dev/null + $IPROUTE -6 route flush cache 2>/dev/null } set_ipv6_exclude_route() { - # add explicit route to keep current routing for this target - # (keep traffic separate from VPN tunnel) NETWORK="$1" NETMASKLEN="$2" - $IPROUTE -6 route add `$IPROUTE route get "$NETWORK" | fix_ip_get_output "/$NETMASKLEN"` - $IPROUTE route flush cache 2>/dev/null + set_exclude_route "$NETWORK" nomask "$NETMASKLEN" } reset_ipv6_default_route() { $IPROUTE -6 route del default dev "$TUNDEV" - $IPROUTE route flush cache 2>/dev/null + $IPROUTE -6 route flush cache 2>/dev/null } del_ipv6_network_route() { @@ -387,7 +406,7 @@ if [ -n "$IPROUTE" ]; then del_ipv6_exclude_route() { # FIXME: In theory, this could delete existing routes which are - # identical to split-exclude routes specificed by VPNGATEWAY + # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" NETMASKLEN="$2" $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" @@ -395,12 +414,12 @@ if [ -n "$IPROUTE" ]; then } else # use route command get_default_gw() { - # isn't -n supposed to give --numeric output? - # apperently not... - # Get rid of lines containing IPv6 addresses (':') - # Get rid of lines for link-local routes (https://superuser.com/a/1067742) - # Get rid of lines containing $TUNDEV (we don't want loopback) - netstat -r -n | awk '/:/ { next; } /link\#/ { next; } /\s'"$TUNDEV"'(\s|$)/ { next; } /^(default|0\.0\.0\.0)/ { print $2; exit; }' + # Intended behavior, starting with `netstat -r -n` output: + # - keep lines starting with 'default' or '0.0.0.0', but exclude bogus routes '0.0.0.0/nn' where nn != 0 + # - remove lines containing IPv6 addresses (':') + # - remove lines for link-local routes (https://superuser.com/a/1067742) + # - remove lines containing $TUNDEV (we don't want loopback) + netstat -r -n | awk '/:/ { next; } /link#/ { next; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; }' } set_vpngateway_route() { @@ -413,10 +432,6 @@ else # use route command esac } - set_vpngateway_route_attempt_reconnect() { - set_vpngateway_route - } - del_vpngateway_route() { case "$VPNGATEWAY" in *:*) route $route_syntax_del $route_syntax_inet6_host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";; @@ -447,8 +462,10 @@ else # use route command NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" + DEFAULTGW="${DEFAULTGW:-`get_default_gw`}" if [ -z "$DEFAULTGW" ]; then - DEFAULTGW="`get_default_gw`" + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return fi # Add explicit route to keep traffic for this target separate # from tunnel. FIXME: We use default gateway - this is our best @@ -486,10 +503,13 @@ else # use route command } get_ipv6_default_gw() { - # isn't -n supposed to give --numeric output? - # apperently not... + # Intended behavior, starting with `netstat -r -n` IPv6 output: + # - keep lines starting with 'default' or '::' + # - append %$interface to link-local routes (fe80::/10) + # - remove lines for loopback interface (lo) + # - remove lines containing $TUNDEV (we don't want loopback) # FIXME: is there a better way to exclude loopback routes than filtering interface /^lo/? - netstat -r -n $netstat_syntax_ipv6 | awk '/^(default|::\/0)/ { if ($NF!~/^lo/) { print ($2~/^fe[89ab]/ ? $2"%"$NF : $2); } }' + netstat -r -n $netstat_syntax_ipv6 | awk '/^(default|::\/0)/ { if ($NF!~/^lo/ && $NF!~/'"$TUNDEV"'([[:space:]]|$)/) { print ($2~/^fe[89ab]/ ? $2"%"$NF : $2); } }' } set_ipv6_default_route() { @@ -519,10 +539,15 @@ else # use route command set_ipv6_exclude_route() { NETWORK="$1" NETMASK="$2" + IPV6DEFAULTGW="${IPV6DEFAULTGW:-`get_ipv6_default_gw`}" + if [ -z "$IPV6DEFAULTGW" ]; then + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return + fi # Add explicit route to keep traffic for this target separate # from tunnel. FIXME: We use default gateway - this is our best # guess in absence of "ip" command to query effective route. - route add $route_syntax_inet6_net "$NETWORK/$NETMASK" "`get_ipv6_default_gw`" $route_syntax_interface + route add $route_syntax_inet6_net "$NETWORK/$NETMASK" "$IPV6DEFAULTGW" $route_syntax_interface : } @@ -881,30 +906,24 @@ restore_resolvconf_unbound() { fi } -# ========= Toplevel state handling ======================================= +# === resolv.conf handling via resolvd ========= -kernel_is_2_6_or_above() { - case `uname -r` in - 1.*|2.[012345]*) - return 1 - ;; - *) - return 0 - ;; - esac +modify_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV $INTERNAL_IP4_DNS $INTERNAL_IP6_DNS } +restore_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV +} + +# ========= Toplevel state handling ======================================= + do_pre_init() { if [ "$OS" = "Linux" ]; then if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then : else # can't open /dev/net/tun test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null - # fix for broken devfs in kernel 2.6.x - if [ "`readlink /dev/net/tun`" = misc/net/tun \ - -a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then - ln -sf /dev/misc/net/tun /dev/net/tun - fi # make sure tun device exists if [ ! -e /dev/net/tun ]; then mkdir -p /dev/net @@ -912,18 +931,12 @@ do_pre_init() { [ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun fi # workaround for a possible latency caused by udev, sleep max. 10s - if kernel_is_2_6_or_above ; then - for x in `seq 100` ; do - (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break; - sleep 0.1 - done - fi + for x in $(seq 100) ; do + (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break; + sleep 0.1 + done fi - elif [ "$OS" = "FreeBSD" ]; then - if ! kldstat -q -m if_tun > /dev/null; then - kldload if_tun - fi - + elif [ "$OS" = "FreeBSD" -o "$OS" = "DragonFly" ]; then if ! ifconfig $TUNDEV > /dev/null; then ifconfig $TUNDEV create fi @@ -1054,7 +1067,10 @@ do_disconnect() { eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}" eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}" eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" - del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" + case "$NETWORK" in + 0.*|127.*|169.254.*) ;; # ignoring non-forwardable exclude route + *) del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + esac i=`expr $i + 1` done fi @@ -1105,23 +1121,32 @@ do_disconnect() { if [ -n "$INTERNAL_IP6_NETMASK" ]; then $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV fi + $IPROUTE link set dev "$TUNDEV" down else if [ -n "$INTERNAL_IP4_ADDRESS" ]; then - ifconfig "$TUNDEV" 0.0.0.0 + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP4_ADDRESS"` fi if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" fi if [ -n "$INTERNAL_IP6_NETMASK" ]; then - ifconfig "$TUNDEV" inet6 $ifconfig_syntax_del $INTERNAL_IP6_NETMASK + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP6_NETMASK"` fi + ifconfig "$TUNDEV" down fi - destroy_tun_device + case "$OS" in + NetBSD|OpenBSD) # and probably others... + ifconfig "$TUNDEV" destroy + ;; + FreeBSD|DragonFly) + ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & + ;; + esac } do_attempt_reconnect() { - set_vpngateway_route_attempt_reconnect + set_vpngateway_route } #### Main diff --git a/vpnc-script.spec b/vpnc-script.spec index 0105827..d0a115a 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -1,9 +1,9 @@ -%global git_date 20201205 -%global git_commit_hash cdbd5b +%global git_date 20220404 +%global git_commit_hash 40a8c62c Name: vpnc-script Version: %{git_date} -Release: 4.git%{git_commit_hash}%{?dist} +Release: 1.git%{git_commit_hash}%{?dist} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Mon Apr 04 2022 Nikos Mavrogiannopoulos - 20220404-1.git40a8c62c +- Updated to latest upstream version + * Sat Jan 22 2022 Fedora Release Engineering - 20201205-4.gitcdbd5b - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 894c26d5cdeb7a7f785c612a0f3e12e9994e5191 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Mon, 4 Apr 2022 10:31:58 +0200 Subject: [PATCH 02/12] updated to latest upstream --- vpnc-script | 263 ++++++++++++++++++++++++++--------------------- vpnc-script.spec | 9 +- 2 files changed, 150 insertions(+), 122 deletions(-) diff --git a/vpnc-script b/vpnc-script index a2bf4a0..bc026ab 100644 --- a/vpnc-script +++ b/vpnc-script @@ -2,7 +2,7 @@ # # Originally part of vpnc source code: # © 2005-2012 Maurice Massar, Jörg Mayer, Antonio Borneo et al. -# © 2009-2012 David Woodhouse +# © 2009-2022 David Woodhouse , Daniel Lenski et al. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -22,31 +22,37 @@ # # List of parameters passed through environment #* reason -- why this script was called, one of: pre-init connect disconnect reconnect attempt-reconnect -#* VPNGATEWAY -- vpn gateway address (always present) +#* VPNGATEWAY -- VPN gateway address (always present) +#* VPNPID -- PID of the process controlling the VPN (OpenConnect v9.0+) #* TUNDEV -- tunnel device (always present) +#* IDLE_TIMEOUT -- gateway's idle timeout in seconds (OpenConnect v8.06+); unused +#* LOG_LEVEL -- log level; ERROR=0, INFO=1, DEBUG=2, TRACE=3 (OpenConnect v9.0+) #* INTERNAL_IP4_ADDRESS -- address (always present) -#* INTERNAL_IP4_MTU -- mtu (often unset) +#* INTERNAL_IP4_MTU -- MTU (often unset) #* INTERNAL_IP4_NETMASK -- netmask (often unset) #* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset) #* INTERNAL_IP4_NETADDR -- address of network (only present if netmask is set) -#* INTERNAL_IP4_DNS -- list of dns servers -#* INTERNAL_IP4_NBNS -- list of wins servers +#* INTERNAL_IP4_DNS -- list of DNS servers +#* INTERNAL_IP4_NBNS -- list of WINS servers #* INTERNAL_IP6_ADDRESS -- IPv6 address #* INTERNAL_IP6_NETMASK -- IPv6 netmask #* INTERNAL_IP6_DNS -- IPv6 list of dns servers #* CISCO_DEF_DOMAIN -- default domain name #* CISCO_BANNER -- banner from server -#* CISCO_SPLIT_DNS -- dns search domain list +#* CISCO_SPLIT_DNS -- DNS search domain list #* CISCO_SPLIT_INC -- number of networks in split-network-list #* CISCO_SPLIT_INC_%d_ADDR -- network address #* CISCO_SPLIT_INC_%d_MASK -- subnet mask (for example: 255.255.255.0) #* CISCO_SPLIT_INC_%d_MASKLEN -- subnet masklen (for example: 24) -#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0) -#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0) -#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0) +#* CISCO_SPLIT_INC_%d_PROTOCOL -- protocol (often just 0); unused +#* CISCO_SPLIT_INC_%d_SPORT -- source port (often just 0); unused +#* CISCO_SPLIT_INC_%d_DPORT -- destination port (often just 0); unused #* CISCO_IPV6_SPLIT_INC -- number of networks in IPv6 split-network-list #* CISCO_IPV6_SPLIT_INC_%d_ADDR -- IPv6 network address #* CISCO_IPV6_SPLIT_INC_$%d_MASKLEN -- IPv6 subnet masklen +# +# The split tunnel variables above have *_EXC* counterparts for network +# addresses to be excluded from the VPN tunnel. # FIXMEs: @@ -60,20 +66,20 @@ # 2) There are two different functions to set routes: generic routes and the # default route. Why isn't the defaultroute handled via the generic route case? # 3) In the split tunnel case, all routes but the default route might get replaced -# without getting restored later. We should explicitely check and save them just +# without getting restored later. We should explicitly check and save them just # like the defaultroute # 4) Replies to a dhcp-server should never be sent into the tunnel # Section B: Split DNS handling # 1) Maybe dnsmasq can do something like that -# 2) Parse dns packets going out via tunnel and redirect them to original dns-server +# 2) Parse DNS packets going out via tunnel and redirect them to original DNS-server # ======== For test logging (CI/CD will uncomment automatically) ========= #TRACE# echo "------------------" #TRACE# echo "vpnc-script environment:" -#TRACE# env | egrep '^(CISCO_|INTERNAL_IP|VPNGATEWAY|TUNDEV|reason)' | sort +#TRACE# env | grep -E '^(CISCO_|INTERNAL_IP|VPNGATEWAY|TUNDEV|IDLE_TIMEOUT|reason)' | sort #TRACE# echo "------------------" #TRACE# set -x @@ -84,9 +90,22 @@ PATH=/sbin:/usr/sbin:$PATH OS="`uname -s`" HOOKS_DIR=/etc/vpnc -DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute.${PPID} -DEFAULT_ROUTE_FILE_IPV6=/var/run/vpnc/defaultroute_ipv6.${PPID} -RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup + +# Use the PID of the controlling process (vpnc or OpenConnect) to +# uniquely identify this VPN connection. Normally, the parent process +# is a shell, and the grandparent's PID is the relevant one. +# OpenConnect v9.0+ provides VPNPID, so we don't need to determine it. +if [ -z "$VPNPID" ]; then + VPNPID=$PPID + PCMD=`ps -c -o cmd= -p $PPID` + case "$PCMD" in + *sh) VPNPID=`ps -o ppid= -p $PPID` ;; + esac +fi + +DEFAULT_ROUTE_FILE=/var/run/vpnc/defaultroute.${VPNPID} +DEFAULT_ROUTE_FILE_IPV6=/var/run/vpnc/defaultroute_ipv6.${VPNPID} +RESOLV_CONF_BACKUP=/var/run/vpnc/resolv.conf-backup.${VPNPID} SCRIPTNAME=`basename $0` # some systems, eg. Darwin & FreeBSD, prune /var/run on boot @@ -102,7 +121,7 @@ else fi if [ "$OS" = "Linux" ]; then - IPROUTE="`which ip 2> /dev/null | grep '^/'`" + IPROUTE="`command -v ip | grep '^/'`" ifconfig_syntax_ptp="pointopoint" route_syntax_gw="gw" route_syntax_del="del" @@ -111,10 +130,10 @@ if [ "$OS" = "Linux" ]; then route_syntax_inet6_host="-6" route_syntax_inet6_net="-6" ifconfig_syntax_add_inet6="add" - ifconfig_syntax_del="del" + ifconfig_syntax_del() { case "$1" in *:*) echo del "$1" ;; *) echo 0.0.0.0 ;; esac; } netstat_syntax_ipv6="-6" else - # iproute2 is Linux only; if `which ip` returns something on another OS, it's likely an unrelated tool + # iproute2 is Linux only; if `command -v ip` returns something on another OS, it's likely an unrelated tool # (see https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009) IPROUTE="" ifconfig_syntax_ptp="" @@ -124,7 +143,7 @@ else route_syntax_inet6="-inet6" route_syntax_inet6_host="-inet6 -host" route_syntax_inet6_net="-inet6 -net" - ifconfig_syntax_del="delete" + ifconfig_syntax_del() { case "$1" in *:*) echo inet6 "$1" delete ;; *) echo "$1" delete ;; esac; } ifconfig_syntax_add_inet6="inet6" netstat_syntax_ipv6="-f inet6" fi @@ -136,11 +155,13 @@ else ifconfig_syntax_ptpv6="" fi -grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 && command systemd-resolve --status >/dev/null 2>&1 +RESOLVEDENABLED=0 +grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 if [ $? = 0 ];then - RESOLVEDENABLED=1 -else - RESOLVEDENABLED=0 + command resolvectl status >/dev/null 2>&1 || command systemd-resolve --status >/dev/null 2>&1 + if [ $? = 0 ];then + RESOLVEDENABLED=1 + fi fi if [ -r /etc/openwrt_release ] && [ -n "$OPENWRT_INTERFACE" ]; then @@ -156,8 +177,8 @@ elif [ -x /usr/bin/busctl ] && [ ${RESOLVEDENABLED} = 1 ]; then # For systemd-resolved (version 229 and above) MODIFYRESOLVCONF=modify_resolved_manager_old RESTORERESOLVCONF=restore_resolved_manager_old -elif [ -x /sbin/resolvconf ] && [ `basename $(readlink /sbin/resolvconf)` != resolvectl ]; then - # Optional tool on Debian, Ubuntu, Gentoo and FreeBSD +elif [ -x /sbin/resolvconf ] && [ "`basename $(readlink /sbin/resolvconf) 2> /dev/null`" != resolvectl ]; then + # Optional tool on Debian, Ubuntu, Gentoo, FreeBSD and DragonFly BSD # (ignored if symlink to resolvctl, created by some versions of systemd-resolved) MODIFYRESOLVCONF=modify_resolvconf_manager RESTORERESOLVCONF=restore_resolvconf_manager @@ -174,6 +195,10 @@ elif [ -x /sbin/modify_resolvconf ]; then elif [ -x /usr/sbin/unbound-control ] && /usr/sbin/unbound-control status > /dev/null 2>&1; then MODIFYRESOLVCONF=modify_resolvconf_unbound RESTORERESOLVCONF=restore_resolvconf_unbound +elif [ -x /usr/sbin/rcctl ] && /usr/sbin/rcctl check resolvd >/dev/null; then + # OpenBSD's resolvd by sending route messages + MODIFYRESOLVCONF=modify_resolvconf_resolvd + RESTORERESOLVCONF=restore_resolvconf_resolvd else # Generic for any OS MODIFYRESOLVCONF=modify_resolvconf_generic RESTORERESOLVCONF=restore_resolvconf_generic @@ -186,9 +211,9 @@ run_hooks() { HOOK="$1" if [ -d ${HOOKS_DIR}/${HOOK}.d ]; then - for script in ${HOOKS_DIR}/${HOOK}.d/* ; do - [ -f $script ] && . $script - done + for script in ${HOOKS_DIR}/${HOOK}.d/* ; do + [ -f $script ] && . $script + done fi } @@ -223,56 +248,47 @@ do_ifconfig() { # If the netmask is provided, it contains the address _and_ netmask if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then - INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" + INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" fi if [ -n "$INTERNAL_IP6_NETMASK" ]; then - if [ -n "$IPROUTE" ]; then - $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV - else - # Unlike for Legacy IP, we don't specify the dest_address - # here on *BSD. OpenBSD for one will refuse to accept - # incoming packets to that address if we do. - # OpenVPN does the same (gives dest_address for Legacy IP - # but not for IPv6). - # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 - ifconfig "$TUNDEV" $ifconfig_syntax_add_inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up - fi + if [ -n "$IPROUTE" ]; then + $IPROUTE -6 addr add $INTERNAL_IP6_NETMASK dev $TUNDEV + else + # Unlike for Legacy IP, we don't specify the dest_address + # here on *BSD. OpenBSD for one will refuse to accept + # incoming packets to that address if we do. + # OpenVPN does the same (gives dest_address for Legacy IP + # but not for IPv6). + # Only Solaris needs it; hence $ifconfig_syntax_ptpv6 + ifconfig "$TUNDEV" $ifconfig_syntax_add_inet6 $INTERNAL_IP6_NETMASK $ifconfig_syntax_ptpv6 mtu $MTU up + fi fi } -destroy_tun_device() { - case "$OS" in - NetBSD|OpenBSD) # and probably others... - ifconfig "$TUNDEV" destroy - ;; - FreeBSD) - ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & - ;; - esac -} - # =========== route handling ==================================== if [ -n "$IPROUTE" ]; then fix_ip_get_output () { sed -e 's/ /\n/g' | \ - sed -ne "1 s|\$|${1}|p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p};/metric/{N;p}" + sed -ne "1 s|\$|${1}|p;/via/{N;p};/dev/{N;p};/src/{N;p};/mtu/{N;p};/metric/{N;p};/onlink/{p}" } + # returns all routes to a destination *except* those through $TUNDEV, + # sorted by increasing metric (with absent metric as last) + list_non_loopback_routes () { + echo "$1" | grep -q : && FAMILY=-6 ROOT=::/0 || FAMILY=-4 ROOT=0/0 + # put metric in front, sort by metric, then chop off first two fields (metric and destination) + $IPROUTE $FAMILY route show to "$1" root "$ROOT" | + awk '/dev '"$TUNDEV"'/ { next; } { printf "%s %s\n", (match($0, /metric ([^ ]+)/) ? substr($0, RSTART+7, RLENGTH-7) : 4294967295), $0; }' | + sort -n | cut -d' ' -f3- + } + set_vpngateway_route() { - $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output` - $IPROUTE route flush cache 2>/dev/null - } - - set_vpngateway_route_attempt_reconnect() { # We'll attempt to add a host route to the gateway through every route that matches # its address (excluding those through TUNDEV because the goal is to avoid loopback). + echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 || FAMILY=-4 - echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 ROOT=::/0 || FAMILY=-4 ROOT=0/0 - # put metric in front, sort by metric, then chop off first two fields (metric and destination) - $IPROUTE $FAMILY route show to "$VPNGATEWAY" root "$ROOT" | - awk '/dev '"$TUNDEV"'/ { next; } { printf "%s %s\n", (match($0, /metric ([^ ]+)/) ? substr($0, RSTART+7, RLENGTH-7) : 4294967295), $0; }' | - sort -n | cut -d' ' -f3- | + list_non_loopback_routes "$VPNGATEWAY" | while read LINE ; do # We do not want to use 'replace', since a route to the gateway that already # exists is mostly likely the correct one (e.g. the case of a reconnect attempt @@ -280,7 +296,7 @@ if [ -n "$IPROUTE" ]; then $IPROUTE $FAMILY route add `echo "$VPNGATEWAY $LINE" | fix_ip_get_output` 2>/dev/null done $IPROUTE $FAMILY route flush cache 2>/dev/null - } + } del_vpngateway_route() { $IPROUTE route $route_syntax_del "$VPNGATEWAY" @@ -313,13 +329,19 @@ if [ -n "$IPROUTE" ]; then NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" - $IPROUTE route add `$IPROUTE route get "$NETWORK" | fix_ip_get_output "/$NETMASKLEN"` - $IPROUTE route flush cache 2>/dev/null + + echo "$1" | grep -q : && FAMILY=-6 || FAMILY=-4 + + list_non_loopback_routes "$NETWORK/$NETMASKLEN" | + while read LINE ; do + $IPROUTE $FAMILY route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null + done + $IPROUTE $FAMILY route flush cache 2>/dev/null } del_exclude_route() { # FIXME: In theory, this could delete existing routes which are - # identical to split-exclude routes specificed by VPNGATEWAY + # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" @@ -360,21 +382,18 @@ if [ -n "$IPROUTE" ]; then else $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" fi - $IPROUTE route flush cache 2>/dev/null + $IPROUTE -6 route flush cache 2>/dev/null } set_ipv6_exclude_route() { - # add explicit route to keep current routing for this target - # (keep traffic separate from VPN tunnel) NETWORK="$1" NETMASKLEN="$2" - $IPROUTE -6 route add `$IPROUTE route get "$NETWORK" | fix_ip_get_output "/$NETMASKLEN"` - $IPROUTE route flush cache 2>/dev/null + set_exclude_route "$NETWORK" nomask "$NETMASKLEN" } reset_ipv6_default_route() { $IPROUTE -6 route del default dev "$TUNDEV" - $IPROUTE route flush cache 2>/dev/null + $IPROUTE -6 route flush cache 2>/dev/null } del_ipv6_network_route() { @@ -387,7 +406,7 @@ if [ -n "$IPROUTE" ]; then del_ipv6_exclude_route() { # FIXME: In theory, this could delete existing routes which are - # identical to split-exclude routes specificed by VPNGATEWAY + # identical to split-exclude routes specified by VPNGATEWAY NETWORK="$1" NETMASKLEN="$2" $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" @@ -395,12 +414,12 @@ if [ -n "$IPROUTE" ]; then } else # use route command get_default_gw() { - # isn't -n supposed to give --numeric output? - # apperently not... - # Get rid of lines containing IPv6 addresses (':') - # Get rid of lines for link-local routes (https://superuser.com/a/1067742) - # Get rid of lines containing $TUNDEV (we don't want loopback) - netstat -r -n | awk '/:/ { next; } /link\#/ { next; } /\s'"$TUNDEV"'(\s|$)/ { next; } /^(default|0\.0\.0\.0)/ { print $2; exit; }' + # Intended behavior, starting with `netstat -r -n` output: + # - keep lines starting with 'default' or '0.0.0.0', but exclude bogus routes '0.0.0.0/nn' where nn != 0 + # - remove lines containing IPv6 addresses (':') + # - remove lines for link-local routes (https://superuser.com/a/1067742) + # - remove lines containing $TUNDEV (we don't want loopback) + netstat -r -n | awk '/:/ { next; } /link#/ { next; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; }' } set_vpngateway_route() { @@ -413,10 +432,6 @@ else # use route command esac } - set_vpngateway_route_attempt_reconnect() { - set_vpngateway_route - } - del_vpngateway_route() { case "$VPNGATEWAY" in *:*) route $route_syntax_del $route_syntax_inet6_host "$VPNGATEWAY" $route_syntax_gw "`get_ipv6_default_gw`";; @@ -447,8 +462,10 @@ else # use route command NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" + DEFAULTGW="${DEFAULTGW:-`get_default_gw`}" if [ -z "$DEFAULTGW" ]; then - DEFAULTGW="`get_default_gw`" + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return fi # Add explicit route to keep traffic for this target separate # from tunnel. FIXME: We use default gateway - this is our best @@ -486,10 +503,13 @@ else # use route command } get_ipv6_default_gw() { - # isn't -n supposed to give --numeric output? - # apperently not... + # Intended behavior, starting with `netstat -r -n` IPv6 output: + # - keep lines starting with 'default' or '::' + # - append %$interface to link-local routes (fe80::/10) + # - remove lines for loopback interface (lo) + # - remove lines containing $TUNDEV (we don't want loopback) # FIXME: is there a better way to exclude loopback routes than filtering interface /^lo/? - netstat -r -n $netstat_syntax_ipv6 | awk '/^(default|::\/0)/ { if ($NF!~/^lo/) { print ($2~/^fe[89ab]/ ? $2"%"$NF : $2); } }' + netstat -r -n $netstat_syntax_ipv6 | awk '/^(default|::\/0)/ { if ($NF!~/^lo/ && $NF!~/'"$TUNDEV"'([[:space:]]|$)/) { print ($2~/^fe[89ab]/ ? $2"%"$NF : $2); } }' } set_ipv6_default_route() { @@ -519,10 +539,15 @@ else # use route command set_ipv6_exclude_route() { NETWORK="$1" NETMASK="$2" + IPV6DEFAULTGW="${IPV6DEFAULTGW:-`get_ipv6_default_gw`}" + if [ -z "$IPV6DEFAULTGW" ]; then + echo "cannot find route for exclude route $NETWORK/$NETMASKLEN, ignoring" >&2 + return + fi # Add explicit route to keep traffic for this target separate # from tunnel. FIXME: We use default gateway - this is our best # guess in absence of "ip" command to query effective route. - route add $route_syntax_inet6_net "$NETWORK/$NETMASK" "`get_ipv6_default_gw`" $route_syntax_interface + route add $route_syntax_inet6_net "$NETWORK/$NETMASK" "$IPV6DEFAULTGW" $route_syntax_interface : } @@ -881,30 +906,24 @@ restore_resolvconf_unbound() { fi } -# ========= Toplevel state handling ======================================= +# === resolv.conf handling via resolvd ========= -kernel_is_2_6_or_above() { - case `uname -r` in - 1.*|2.[012345]*) - return 1 - ;; - *) - return 0 - ;; - esac +modify_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV $INTERNAL_IP4_DNS $INTERNAL_IP6_DNS } +restore_resolvconf_resolvd() { + /sbin/route nameserver $TUNDEV +} + +# ========= Toplevel state handling ======================================= + do_pre_init() { if [ "$OS" = "Linux" ]; then if (exec 6< /dev/net/tun) > /dev/null 2>&1 ; then : else # can't open /dev/net/tun test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null - # fix for broken devfs in kernel 2.6.x - if [ "`readlink /dev/net/tun`" = misc/net/tun \ - -a ! -e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then - ln -sf /dev/misc/net/tun /dev/net/tun - fi # make sure tun device exists if [ ! -e /dev/net/tun ]; then mkdir -p /dev/net @@ -912,18 +931,12 @@ do_pre_init() { [ -x /sbin/restorecon ] && /sbin/restorecon /dev/net/tun fi # workaround for a possible latency caused by udev, sleep max. 10s - if kernel_is_2_6_or_above ; then - for x in `seq 100` ; do - (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break; - sleep 0.1 - done - fi + for x in $(seq 100) ; do + (exec 6<> /dev/net/tun) > /dev/null 2>&1 && break; + sleep 0.1 + done fi - elif [ "$OS" = "FreeBSD" ]; then - if ! kldstat -q -m if_tun > /dev/null; then - kldload if_tun - fi - + elif [ "$OS" = "FreeBSD" -o "$OS" = "DragonFly" ]; then if ! ifconfig $TUNDEV > /dev/null; then ifconfig $TUNDEV create fi @@ -1054,7 +1067,10 @@ do_disconnect() { eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}" eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}" eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}" - del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" + case "$NETWORK" in + 0.*|127.*|169.254.*) ;; # ignoring non-forwardable exclude route + *) del_exclude_route "$NETWORK" "$NETMASK" "$NETMASKLEN" ;; + esac i=`expr $i + 1` done fi @@ -1105,23 +1121,32 @@ do_disconnect() { if [ -n "$INTERNAL_IP6_NETMASK" ]; then $IPROUTE -6 addr del $INTERNAL_IP6_NETMASK dev $TUNDEV fi + $IPROUTE link set dev "$TUNDEV" down else if [ -n "$INTERNAL_IP4_ADDRESS" ]; then - ifconfig "$TUNDEV" 0.0.0.0 + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP4_ADDRESS"` fi if [ -n "$INTERNAL_IP6_ADDRESS" ] && [ -z "$INTERNAL_IP6_NETMASK" ]; then INTERNAL_IP6_NETMASK="$INTERNAL_IP6_ADDRESS/128" fi if [ -n "$INTERNAL_IP6_NETMASK" ]; then - ifconfig "$TUNDEV" inet6 $ifconfig_syntax_del $INTERNAL_IP6_NETMASK + ifconfig "$TUNDEV" `ifconfig_syntax_del "$INTERNAL_IP6_NETMASK"` fi + ifconfig "$TUNDEV" down fi - destroy_tun_device + case "$OS" in + NetBSD|OpenBSD) # and probably others... + ifconfig "$TUNDEV" destroy + ;; + FreeBSD|DragonFly) + ifconfig "$TUNDEV" destroy > /dev/null 2>&1 & + ;; + esac } do_attempt_reconnect() { - set_vpngateway_route_attempt_reconnect + set_vpngateway_route } #### Main diff --git a/vpnc-script.spec b/vpnc-script.spec index 0105827..d0a115a 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -1,9 +1,9 @@ -%global git_date 20201205 -%global git_commit_hash cdbd5b +%global git_date 20220404 +%global git_commit_hash 40a8c62c Name: vpnc-script Version: %{git_date} -Release: 4.git%{git_commit_hash}%{?dist} +Release: 1.git%{git_commit_hash}%{?dist} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Mon Apr 04 2022 Nikos Mavrogiannopoulos - 20220404-1.git40a8c62c +- Updated to latest upstream version + * Sat Jan 22 2022 Fedora Release Engineering - 20201205-4.gitcdbd5b - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild From 51ea0555266b0fa5bdcae0c8f7460a70cbd9d4bc Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 6 Jul 2022 08:33:17 +0200 Subject: [PATCH 03/12] updated to latest upstream --- vpnc-script | 23 ++++++++--------------- vpnc-script.spec | 7 +++++-- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/vpnc-script b/vpnc-script index bc026ab..85e773d 100644 --- a/vpnc-script +++ b/vpnc-script @@ -690,6 +690,10 @@ search $DOMAINS" close EOF fi + # For newer MacOS versions it is needed to set DNS + ACTIVE_INTERFACE=`route -n get default | grep interface | awk '{print $2}'` + ACTIVE_NETWORK_SERVICE=`networksetup -listnetworkserviceorder | grep -B 1 "$ACTIVE_INTERFACE" | head -n 1 | awk '/\([0-9]+\)/{ print }'|cut -d " " -f2-` + networksetup -setdnsservers "$ACTIVE_NETWORK_SERVICE" $INTERNAL_IP4_DNS ;; esac fi @@ -730,6 +734,10 @@ restore_resolvconf_generic() { EOF fi fi + # For newer MacOS versions it is needed to unset DNS + ACTIVE_INTERFACE=`route -n get default | grep interface | awk '{print $2}'` + ACTIVE_NETWORK_SERVICE=`networksetup -listnetworkserviceorder | grep -B 1 "$ACTIVE_INTERFACE" | head -n 1 | awk '/\([0-9]+\)/{ print }'|cut -d " " -f2-` + networksetup -setdnsservers "$ACTIVE_NETWORK_SERVICE" Empty ;; esac fi @@ -1006,10 +1014,6 @@ do_connect() { fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - echo "$i" | grep : >/dev/null || \ - set_network_route "$i" "255.255.255.255" "32" "$TUNDEV" - done elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then set_default_route fi @@ -1025,11 +1029,6 @@ do_connect() { fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - if echo "$i" | grep : >/dev/null; then - set_ipv6_network_route "$i" "128" "$TUNDEV" - fi - done elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then set_ipv6_default_route fi @@ -1055,9 +1054,6 @@ do_disconnect() { fi i=`expr $i + 1` done - for i in $INTERNAL_IP4_DNS ; do - del_network_route "$i" "255.255.255.255" "32" "$TUNDEV" - done else reset_default_route fi @@ -1096,9 +1092,6 @@ do_disconnect() { fi i=`expr $i + 1` done - for i in $INTERNAL_IP6_DNS ; do - del_ipv6_network_route "$i" "128" "$TUNDEV" - done elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then reset_ipv6_default_route fi diff --git a/vpnc-script.spec b/vpnc-script.spec index d0a115a..e772164 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -1,5 +1,5 @@ -%global git_date 20220404 -%global git_commit_hash 40a8c62c +%global git_date 20220509 +%global git_commit_hash e52f8e66 Name: vpnc-script Version: %{git_date} @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Wed Jul 06 2022 Nikos Mavrogiannopoulos - 20220509-1.gite52f8e66 +- Updated to latest upstream version + * Mon Apr 04 2022 Nikos Mavrogiannopoulos - 20220404-1.git40a8c62c - Updated to latest upstream version From a58b1dfb51eb540a218ed5165d51cc4056cfc6b4 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 23 Jul 2022 12:06:55 +0000 Subject: [PATCH 04/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- vpnc-script.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vpnc-script.spec b/vpnc-script.spec index e772164..28fba78 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -3,7 +3,7 @@ Name: vpnc-script Version: %{git_date} -Release: 1.git%{git_commit_hash}%{?dist} +Release: 2.git%{git_commit_hash}%{?dist} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Sat Jul 23 2022 Fedora Release Engineering - 20220509-2.gite52f8e66 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + * Wed Jul 06 2022 Nikos Mavrogiannopoulos - 20220509-1.gite52f8e66 - Updated to latest upstream version From 5c0365e2e0554067a0cae54ffd4a7fea7f7d770d Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 21 Jan 2023 06:30:33 +0000 Subject: [PATCH 05/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- vpnc-script.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vpnc-script.spec b/vpnc-script.spec index 28fba78..1325408 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -3,7 +3,7 @@ Name: vpnc-script Version: %{git_date} -Release: 2.git%{git_commit_hash}%{?dist} +Release: 3.git%{git_commit_hash}%{?dist} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Sat Jan 21 2023 Fedora Release Engineering - 20220509-3.gite52f8e66 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + * Sat Jul 23 2022 Fedora Release Engineering - 20220509-2.gite52f8e66 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild From 41d3abd2042ac19b766db49ec9e084dd99a6331e Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 22 Jul 2023 17:52:41 +0000 Subject: [PATCH 06/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild Signed-off-by: Fedora Release Engineering --- vpnc-script.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/vpnc-script.spec b/vpnc-script.spec index 1325408..46dee39 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -3,7 +3,7 @@ Name: vpnc-script Version: %{git_date} -Release: 3.git%{git_commit_hash}%{?dist} +Release: 4.git%{git_commit_hash}%{?dist} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,6 +34,9 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog +* Sat Jul 22 2023 Fedora Release Engineering - 20220509-4.gite52f8e66 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + * Sat Jan 21 2023 Fedora Release Engineering - 20220509-3.gite52f8e66 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild From 1e76c12e31f6e486927e54c60854e023cc180fb2 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 7 Sep 2023 09:43:34 +0200 Subject: [PATCH 07/12] Updated to latest release and use auto macros Signed-off-by: Nikos Mavrogiannopoulos --- vpnc-script | 49 ++++++++++++++++----------- vpnc-script.spec | 87 +++--------------------------------------------- 2 files changed, 33 insertions(+), 103 deletions(-) diff --git a/vpnc-script b/vpnc-script index 85e773d..4cf934f 100644 --- a/vpnc-script +++ b/vpnc-script @@ -97,7 +97,7 @@ HOOKS_DIR=/etc/vpnc # OpenConnect v9.0+ provides VPNPID, so we don't need to determine it. if [ -z "$VPNPID" ]; then VPNPID=$PPID - PCMD=`ps -c -o cmd= -p $PPID` + PCMD=`ps -c -o command= -p $PPID` case "$PCMD" in *sh) VPNPID=`ps -o ppid= -p $PPID` ;; esac @@ -156,7 +156,10 @@ else fi RESOLVEDENABLED=0 -grep '^hosts' /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1 +# detect usage of systemd-resolved via nss-resolve... +grep '^hosts' /etc/nsswitch.conf 2>/dev/null | grep resolve >/dev/null 2>&1 || \ +# or via nss-dns with /etc/resolv.conf under control of systemd-resolved +(grep '^hosts' /etc/nsswitch.conf 2>/dev/null | grep dns >/dev/null 2>&1 && readlink /etc/resolv.conf | grep -e '/run/systemd/resolve/stub-resolv.conf$' -e '/usr/lib/systemd/resolv.conf$' -e '/run/systemd/resolve/resolv.conf$' >/dev/null 2>&1) if [ $? = 0 ];then command resolvectl status >/dev/null 2>&1 || command systemd-resolve --status >/dev/null 2>&1 if [ $? = 0 ];then @@ -295,18 +298,23 @@ if [ -n "$IPROUTE" ]; then # after dead-peer detection, but no change in the underlying network devices). $IPROUTE $FAMILY route add `echo "$VPNGATEWAY $LINE" | fix_ip_get_output` 2>/dev/null done - $IPROUTE $FAMILY route flush cache 2>/dev/null + if [ $FAMILY != -4 ]; then + $IPROUTE $FAMILY route flush cache 2>/dev/null + fi } del_vpngateway_route() { + echo "$VPNGATEWAY" | grep -q : && FAMILY=-6 || FAMILY=-4 + $IPROUTE route $route_syntax_del "$VPNGATEWAY" - $IPROUTE route flush cache 2>/dev/null + if [ $FAMILY != -4 ]; then + $IPROUTE $FAMILY route flush cache 2>/dev/null + fi } set_default_route() { $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE" $IPROUTE route replace default dev "$TUNDEV" - $IPROUTE route flush cache 2>/dev/null } set_network_route() { @@ -320,7 +328,6 @@ if [ -n "$IPROUTE" ]; then else $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" fi - $IPROUTE route flush cache 2>/dev/null } set_exclude_route() { @@ -329,14 +336,10 @@ if [ -n "$IPROUTE" ]; then NETWORK="$1" NETMASK="$2" NETMASKLEN="$3" - - echo "$1" | grep -q : && FAMILY=-6 || FAMILY=-4 - list_non_loopback_routes "$NETWORK/$NETMASKLEN" | while read LINE ; do - $IPROUTE $FAMILY route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null + $IPROUTE route add `echo "$NETWORK/$NETMASKLEN $LINE" | fix_ip_get_output` 2>/dev/null done - $IPROUTE $FAMILY route flush cache 2>/dev/null } del_exclude_route() { @@ -346,13 +349,11 @@ if [ -n "$IPROUTE" ]; then NETMASK="$2" NETMASKLEN="$3" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" - $IPROUTE route flush cache 2>/dev/null } reset_default_route() { if [ -s "$DEFAULT_ROUTE_FILE" ]; then $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` - $IPROUTE route flush cache 2>/dev/null rm -f -- "$DEFAULT_ROUTE_FILE" fi } @@ -363,7 +364,6 @@ if [ -n "$IPROUTE" ]; then NETMASKLEN="$3" NETDEV="$4" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV" - $IPROUTE route flush cache 2>/dev/null } set_ipv6_default_route() { @@ -419,7 +419,7 @@ else # use route command # - remove lines containing IPv6 addresses (':') # - remove lines for link-local routes (https://superuser.com/a/1067742) # - remove lines containing $TUNDEV (we don't want loopback) - netstat -r -n | awk '/:/ { next; } /link#/ { next; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; }' + netstat -r -n | awk '/:/ { next; } /link#/ { next; } /^(default|0\.0\.0\.0([[:space:]]|\/0))/ { print $2; exit; } /[[:space:]]'"$TUNDEV"'([[:space:]]|$)/ { next; }' } set_vpngateway_route() { @@ -484,7 +484,7 @@ else # use route command reset_default_route() { if [ -s "$DEFAULT_ROUTE_FILE" ]; then - route $route_syntax_del default $route_syntax_gw "`get_default_gw`" $route_syntax_interface + route $route_syntax_del default $route_syntax_gw `get_default_gw` $route_syntax_interface route add default $route_syntax_gw `cat "$DEFAULT_ROUTE_FILE"` rm -f -- "$DEFAULT_ROUTE_FILE" fi @@ -723,12 +723,13 @@ restore_resolvconf_generic() { # to list of used DNS servers if [ -n "$CISCO_SPLIT_INC" ]; then SERVICE=`echo "show State:/Network/Global/IPv4" | scutil | grep -oE '[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}'` - SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}' | xargs` - if [ X"$SERVICE_DNS" != X"$INTERNAL_IP4_DNS" ]; then + SERVICE_DNS=`echo "show State:/Network/Service/$SERVICE/DNS" | scutil | grep -oE '([0-9]{1,3}[\.]){3}[0-9]{1,3}'` + FILTERED_SERVICE_DNS=`echo "$SERVICE_DNS" | grep -Fv "$(echo $INTERNAL_IP4_DNS | tr ' ' '\n')" | xargs` + if [ -n "$FILTERED_SERVICE_DNS" ]; then scutil >/dev/null 2>&1 <<-EOF open get State:/Network/Service/$SERVICE/DNS - d.add ServerAddresses * ${SERVICE_DNS##$INTERNAL_IP4_DNS} + d.add ServerAddresses * ${FILTERED_SERVICE_DNS} set State:/Network/Service/$SERVICE/DNS close EOF @@ -791,6 +792,7 @@ modify_resolvconf_openwrt() { restore_resolvconf_openwrt() { remove_dns $OPENWRT_INTERFACE } + # === resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) ========= modify_resolvconf_manager() { @@ -810,6 +812,8 @@ restore_resolvconf_manager() { /sbin/resolvconf -d $TUNDEV } +# === resolv.conf handling via systemd-resolved ========= + AF_INET=2 get_if_index() { @@ -903,6 +907,11 @@ modify_resolvconf_unbound() { /usr/sbin/unbound-control forward_add +i ${CISCO_DEF_DOMAIN} ${INTERNAL_IP4_DNS} /usr/sbin/unbound-control flush_requestlist /usr/sbin/unbound-control flush_zone ${CISCO_DEF_DOMAIN} + # flush infra cache + for i in $INTERNAL_IP4_DNS ; do + /usr/sbin/unbound-control flush_infra "$i" + done + fi } @@ -914,7 +923,7 @@ restore_resolvconf_unbound() { fi } -# === resolv.conf handling via resolvd ========= +# === resolv.conf handling via resolvd (OpenBSD) ========= modify_resolvconf_resolvd() { /sbin/route nameserver $TUNDEV $INTERNAL_IP4_DNS $INTERNAL_IP6_DNS diff --git a/vpnc-script.spec b/vpnc-script.spec index 46dee39..5ff80ba 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -1,9 +1,9 @@ -%global git_date 20220509 -%global git_commit_hash e52f8e66 +%global git_date 20230907 +%global git_commit_hash 5b9e7e4c Name: vpnc-script Version: %{git_date} -Release: 4.git%{git_commit_hash}%{?dist} +Release: %autorelease -e git%{git_commit_hash} Summary: Routing setup script for vpnc and openconnect BuildArch: noarch @@ -34,83 +34,4 @@ install -m 0755 vpnc-script \ %{_sysconfdir}/vpnc/vpnc-script %changelog -* Sat Jul 22 2023 Fedora Release Engineering - 20220509-4.gite52f8e66 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Sat Jan 21 2023 Fedora Release Engineering - 20220509-3.gite52f8e66 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Sat Jul 23 2022 Fedora Release Engineering - 20220509-2.gite52f8e66 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - -* Wed Jul 06 2022 Nikos Mavrogiannopoulos - 20220509-1.gite52f8e66 -- Updated to latest upstream version - -* Mon Apr 04 2022 Nikos Mavrogiannopoulos - 20220404-1.git40a8c62c -- Updated to latest upstream version - -* Sat Jan 22 2022 Fedora Release Engineering - 20201205-4.gitcdbd5b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - -* Fri Jul 23 2021 Fedora Release Engineering - 20201205-3.gitcdbd5b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - -* Wed Jan 27 2021 Fedora Release Engineering - 20201205-2.gitcdbd5b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - -* Sat Dec 05 2020 Nikos Mavrogiannopoulos -- Updated to latest upstream vpnc-script - -* Tue Sep 29 2020 Nikos Mavrogiannopoulos -- Updated to latest upstream vpnc-script - -* Wed Jul 29 2020 Fedora Release Engineering - 20171004-8.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild - -* Fri Jan 31 2020 Fedora Release Engineering - 20171004-7.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild - -* Sat Jul 27 2019 Fedora Release Engineering - 20171004-6.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - -* Sun Feb 03 2019 Fedora Release Engineering - 20171004-5.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild - -* Sat Dec 01 2018 James Hennessy -- Fixed issue where vpnc-script is using resolvconf on systems where "resolve" isn't enabled in /etc/nsswitch. - -* Sat Jul 14 2018 Fedora Release Engineering - 20171004-3.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Fri Feb 09 2018 Fedora Release Engineering - 20171004-2.git6f87b0f -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Thu Oct 5 2017 Nikos Mavrogiannopoulos - 20171004-1.git6f87b0f -- Fixed issue with systemd-resolved (#1497750) - -* Mon Aug 21 2017 Nikos Mavrogiannopoulos - 20170821-1.git6f87b0f -- new upstream release -- removed dependency on net-tools and added on iproute (#1481164) - -* Thu Jul 27 2017 Fedora Release Engineering - 20140805-6.gitdf5808b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild - -* Sat Feb 11 2017 Fedora Release Engineering - 20140805-5.gitdf5808b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild - -* Fri Feb 05 2016 Fedora Release Engineering - 20140805-4.gitdf5808b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Fri Jun 19 2015 Fedora Release Engineering - 20140805-3.gitdf5808b -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Thu Nov 20 2014 Nikos Mavrogiannopoulos - 20140805-2.gitdf5808b -- Added dependency on which (#1068899) -- Added dependency on net-tools (#1007363) - -* Wed Oct 01 2014 Nikos Mavrogiannopoulos - 20140805-1.gitdf5808b -- new upstream release (includes unbound patch) - -* Tue Aug 05 2014 Nikos Mavrogiannopoulos - 20140705-1.git6201ebd -- new package - +%autochangelog From 40a52008f27b3146d90427d5c036bcd7cfb49588 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 27 Jan 2024 08:13:14 +0000 Subject: [PATCH 08/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild From 5c75405dc9a08ab54d1469c6da61b1963eb66252 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sat, 20 Jul 2024 09:01:19 +0000 Subject: [PATCH 09/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild From 794f7ee18c2edd11806c678658e507ff12fdcd30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Fri, 26 Jul 2024 03:37:08 +0200 Subject: [PATCH 10/12] convert GPLv2+ license to SPDX This is part of https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_4 --- vpnc-script.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vpnc-script.spec b/vpnc-script.spec index 5ff80ba..9c57b1a 100644 --- a/vpnc-script.spec +++ b/vpnc-script.spec @@ -10,7 +10,8 @@ BuildArch: noarch Requires: iproute Requires: which -License: GPLv2+ +# Automatically converted from old format: GPLv2+ - review is highly recommended. +License: GPL-2.0-or-later URL: https://gitlab.com/openconnect/vpnc-scripts/ Source0: vpnc-script From 2c05084503ea4110977353668ec43fe22800aca6 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Sun, 19 Jan 2025 14:38:00 +0000 Subject: [PATCH 11/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild From f2468b734fff21368f5baeefce1235ef07409fa0 Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Fri, 25 Jul 2025 20:14:01 +0000 Subject: [PATCH 12/12] Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild