Merge branch 'IPv6_for_unknown_agents' into 'master'
Don't disable IPv6 for unknown client agents. See merge request openconnect/ocserv!377
commit
5779a9cac1
@ -2114,24 +2114,25 @@ static int connect_handler(worker_st * ws)
|
||||
}
|
||||
}
|
||||
|
||||
/* While anyconnect clients can handle the assignment
|
||||
* of an IPv6 address, they cannot handle routes or DNS
|
||||
* in IPv6. So we disable IPv6 after an IP is assigned. */
|
||||
if (ws->full_ipv6 == 0) {
|
||||
req->no_ipv6 = 1;
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because IPv6 support was not requested.");
|
||||
} else {
|
||||
switch (req->user_agent_type) {
|
||||
case AGENT_OPENCONNECT_V3:
|
||||
req->no_ipv6 = 1;
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is known not to support them.");
|
||||
break;
|
||||
case AGENT_OPENCONNECT:
|
||||
case AGENT_ANYCONNECT:
|
||||
case AGENT_OPENCONNECT_CLAVISTER:
|
||||
case AGENT_ANYLINK:
|
||||
oclog(ws, LOG_DEBUG, "Enabling IPv6 routes/DNS because the agent is known to support them.");
|
||||
break;
|
||||
case AGENT_OPENCONNECT_V3:
|
||||
case AGENT_UNKNOWN:
|
||||
default:
|
||||
req->no_ipv6 = 1;
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known.");
|
||||
oclog(ws, LOG_NOTICE, "Enabling IPv6 routes/DNS although the agent is unknown.");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
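Review bot: The comment at the top of this hunk (`/* While anyconnect clients can handle the assignment of an IPv6 address, they cannot handle routes or DNS in IPv6. So we disable IPv6 after an IP is assigned. */`) no longer describes the code below it: AGENT_ANYCONNECT is now in the list that keeps IPv6 routes/DNS enabled, only AGENT_OPENCONNECT_V3 is disabled, and the `default:` arm enables them with a LOG_NOTICE. I would rewrite it to say that `ws->full_ipv6` gates the feature and that the switch only carves out agents known not to cope with IPv6 routes/DNS (currently the OpenConnect v3 agent), with unknown agents getting them by default. Because `default:` now also covers any AGENT_* value added later, a short comment on that arm such as `/* New agent types are opt-out: add a case above if they cannot handle IPv6 routes/DNS. */` would make the policy explicit. It is worth recording the tradeoff too: a client that ignores pushed IPv6 routes would presumably route that traffic outside the tunnel, which is why the unknown case deserves the LOG_NOTICE rather than LOG_DEBUG. connect_handler starts before this hunk and continues after it.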
@ -65,7 +65,8 @@ dist_check_SCRIPTS += haproxy-connect test-iroute test-multi-cookie test-pass-sc
|
||||
multiple-routes json test-udp-listen-host test-max-same-1 test-script-multi-user \
|
||||
apple-ios ipv6-iface test-namespace-listen disconnect-user disconnect-user2 \
|
||||
ping-leases test-ban-local test-client-bypass-protocol ipv6-small-net test-camouflage \
|
||||
test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout test-occtl
|
||||
test-camouflage-norealm vhost-traffic defvhost-traffic session-timeout test-occtl \
|
||||
no-ipv6-ocv3
|
||||
|
||||
if RADIUS_ENABLED
|
||||
dist_check_SCRIPTS += radius-group radius-multi-group radius-otp
|
||||
|
@ -163,3 +163,5 @@ ping-leases = false
|
||||
# cookie. Legacy CISCO clients do not do that, and thus this option
|
||||
# should be set for them.
|
||||
#always-require-cert = false
|
||||
|
||||
route = fd63:5c2c:462c:26c2:5ca:d418::/96
|
||||
|
88
tests/no-ipv6-ocv3
Executable file
@ -0,0 +1,88 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright (C) 2023 Nikos Mavrogiannopoulos
|
||||
#
|
||||
# This file is part of ocserv.
|
||||
#
|
||||
# ocserv is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by the
|
||||
# Free Software Foundation; either version 2 of the License, or (at
|
||||
# your option) any later version.
|
||||
#
|
||||
# ocserv is distributed in the hope that it will be useful, but
|
||||
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
# General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with GnuTLS; if not, write to the Free Software Foundation,
|
||||
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
|
||||
SERV="${SERV:-../src/ocserv}"
|
||||
srcdir=${srcdir:-.}
|
||||
PIDFILE=ocserv-pid.$$.tmp
|
||||
CLIPID=oc-pid.$$.tmp
|
||||
IP=$(which ip)
|
||||
TMPFILE=$(mktemp)
|
||||
|
||||
. `dirname $0`/common.sh
|
||||
|
||||
eval "${GETPORT}"
|
||||
|
||||
if test -z "${IP}";then
|
||||
echo "no IP tool is present"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
if test "$(id -u)" != "0";then
|
||||
echo "This test must be run as root"
|
||||
exit 77
|
||||
fi
|
||||
|
||||
|
||||
echo "Testing that ocserv doesn't assign IPv6 address on unknown clients... "
|
||||
|
||||
function finish {
|
||||
set +e
|
||||
echo " * Cleaning up..."
|
||||
test -n "${PID}" && kill ${PID} >/dev/null 2>&1
|
||||
test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && kill $(cat ${CLIPID}) >/dev/null 2>&1
|
||||
test -n "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1
|
||||
test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1
|
||||
}
|
||||
trap finish EXIT
|
||||
|
||||
ADDRESS=172.23.236.0
|
||||
CLI_ADDRESS=10.119.255.0
|
||||
VPNNET6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5c/127
|
||||
VPNADDR6=fd50:efcf:d5e5:636d:ffb2:edad:dfe8:5a5d
|
||||
OCCTL_SOCKET=./ipv6-no-$$.socket
|
||||
USERNAME=test
|
||||
|
||||
. `dirname $0`/ns.sh
|
||||
|
||||
update_config ipv6-iface.config
|
||||
if test "$VERBOSE" = 1;then
|
||||
DEBUG="-d 3"
|
||||
fi
|
||||
|
||||
${CMDNS2} ${SERV} -p ${PIDFILE} -f -c ${CONFIG} ${DEBUG} & PID=$!
|
||||
wait_server $PID
|
||||
|
||||
echo -n "Connecting to setup interface... "
|
||||
echo "test" | ${CMDNS1} timeout 15s $OPENCONNECT -v $ADDRESS:$PORT --useragent="Open AnyConnect VPN Agent v3" --passwd-on-stdin -u test --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s /bin/true >${TMPFILE} 2>&1
|
||||
|
||||
echo ok
|
||||
|
||||
cat ${TMPFILE}|grep X-CSTP-Split-Include|grep 'fd63:' >/dev/null
|
||||
if test $? = 0;then
|
||||
cat ${TMPFILE}|grep X-CSTP-Split
|
||||
echo "Found route that shouldn't be there"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
kill $PID
|
||||
wait
|
||||
|
||||
exit 0
|