mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2024-09-21 10:27:19 +00:00
Don't disable IPv6 for unknown client agents
We are now planning to change the default HTTP user-agent string in the OpenConnect client. In order to improve compatibility with Cisco servers, it needs to start with `AnyConnect`; likely, the complete prefix will be `AnyConnect-compatible OpenConnect VPN Agent`. (Details in https://gitlab.com/openconnect/openconnect/-/merge_requests/497)

ocserv treats clients differently depending on their user-agent strings:

1. ocserv makes simplifications/accommodations in its authentication flow to accommodate old versions of OpenConnect (`AGENT_OPENCONNECTV3`).
   https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-auth.c
2. `ocserv` entirely disables IPv6 for old versions of OpenConnect (`AGENT_OPENCONNECTV3`) *and* for unknown client software (`AGENT_UNKNOWN`).
   https://gitlab.com/openconnect/ocserv/-/blob/master/src/worker-vpn.c#L2123-2136

At this point, ocserv seems to be aware of a reasonably-complete list of compatible client software: AnyConnect, OpenConnect, Clavister OneConnect, AnyLink, and Cisco SVC IPPhone. Among these, *only* old OpenConnect clients are known to require special handling to unconditionally disable IPv6.

This patch modifies ocserv so that the IPv6 is disabled *only* for old OpenConnect clients, and not for unknown clients.

This should make the transition to OpenConnect's modified UA string go more smoothly.

This should also improve "future-proofness" generally. Accommodations for buggy clients should specifically list the affected clients, rather than include unknown clients, since unknown clients are most likely to be newer clients, in which bugs and incompatibilities may have been fixed.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
parent
aaf2a53246
commit
8b8a1a7b53
@ -2122,16 +2122,20 @@ static int connect_handler(worker_st * ws)
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because IPv6 support was not requested.");
|
||||
} else {
|
||||
switch (req->user_agent_type) {
|
||||
case AGENT_OPENCONNECT_V3:
|
||||
req->no_ipv6 = 1;
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is known not to support them.");
|
||||
break;
|
||||
case AGENT_OPENCONNECT:
|
||||
case AGENT_ANYCONNECT:
|
||||
case AGENT_OPENCONNECT_CLAVISTER:
|
||||
case AGENT_ANYLINK:
|
||||
oclog(ws, LOG_DEBUG, "Enabling IPv6 routes/DNS because the agent is known to support them.");
|
||||
break;
|
||||
case AGENT_OPENCONNECT_V3:
|
||||
case AGENT_UNKNOWN:
|
||||
default:
|
||||
req->no_ipv6 = 1;
|
||||
oclog(ws, LOG_INFO, "IPv6 routes/DNS disabled because the agent is not known.");
|
||||
oclog(ws, LOG_NOTICE, "Enabling IPv6 routes/DNS although the agent is unknown.");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
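Review bot: In the `case AGENT_UNKNOWN:` / `default:` branch, the new message "Enabling IPv6 routes/DNS although the agent is unknown." is logged at LOG_NOTICE, while the known-agent branch logs at LOG_DEBUG and the AGENT_OPENCONNECT_V3 branch at LOG_INFO. The user-agent string is supplied by the client, so every connection from an unlisted client will now emit a NOTICE line; LOG_INFO or LOG_DEBUG would be more in line with the neighbouring branches. Separately, the commit message counts Cisco SVC IPPhone among the known clients, but the visible known-agent labels are only AGENT_OPENCONNECT, AGENT_ANYCONNECT, AGENT_OPENCONNECT_CLAVISTER and AGENT_ANYLINK. If the agent enum has a value for that client, it takes the default path and is logged as unknown; adding its label to the known list would keep the log accurate. A short comment above `case AGENT_OPENCONNECT_V3:` stating that only clients with a confirmed IPv6 problem belong in that branch would also document the policy the commit message describes.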