From 4bcf29643df1fc682c788eaa22a55bc0a6fe23f5 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Sun, 17 Nov 2019 10:56:46 +0100
Subject: [PATCH] ocserv: added support for per-user split-dns directive

Resolves: #229

Signed-off-by: Nikos Mavrogiannopoulos
---
 NEWS | 1 +
 doc/sample.config | 2 +-
 src/ipc.proto | 1 +
 src/main-sec-mod-cmd.c | 5 +++++
 src/sup-config/file.c | 2 ++
 src/worker-vpn.c | 8 ++++----
 tests/data/test-user-config.config | 4 ++++
 tests/test-user-config | 32 +++++++++++++++++++++++++++++-
 tests/user-config/testuser | 2 ++
 9 files changed, 51 insertions(+), 6 deletions(-)

diff --git a/NEWS b/NEWS
index ecc5f9e4..80925be5 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,6 @@
 * Version 0.12.6 (unreleased)
 - Improved IPv6 support for anyconnect clients. Patch by Leendert van Doorn.
+- The 'split-dns' configuration directive can be used per-user (#229).
 
 * Version 0.12.5 (released 2019-10-16)
 
diff --git a/doc/sample.config b/doc/sample.config
index 688fc73a..40f655d7 100644
--- a/doc/sample.config
+++ b/doc/sample.config
@@ -581,7 +581,7 @@ no-route = 192.168.5.0/255.255.255.0
 # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
 # restrict-user-to-routes, user-profile, cgroup, stats-report-time,
 # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
-# and session-timeout.
+# split-dns and session-timeout.
 #
 # Note that the 'iroute' option allows one to add routes on the server
 # based on a user or group. The syntax depends on the input accepted
diff --git a/src/ipc.proto b/src/ipc.proto
index 111810b8..b6f583ea 100644
--- a/src/ipc.proto
+++ b/src/ipc.proto
@@ -62,6 +62,7 @@ message group_cfg_st
 	optional uint32 mobile_idle_timeout = 38;
 	repeated fw_port_st fw_ports = 39;
 	optional string hostname = 40;
+	repeated string split_dns = 41;
 }
 
 /* AUTH_COOKIE_REP */
diff --git a/src/main-sec-mod-cmd.c b/src/main-sec-mod-cmd.c
index 7bfbb99b..2992b93b 100644
--- a/src/main-sec-mod-cmd.c
+++ b/src/main-sec-mod-cmd.c
@@ -324,6 +324,11 @@ void apply_default_config(main_server_st *s, proc_st *proc, GroupCfgSt *gc)
 		gc->n_nbns = vhost->perm_config.config->network.nbns_size;
 	}
 
+	if (gc->split_dns == NULL) {
+		gc->split_dns = vhost->perm_config.config->split_dns;
+		gc->n_split_dns = vhost->perm_config.config->split_dns_size;
+	}
+
 	if (!gc->has_interim_update_secs) {
 		gc->interim_update_secs = vhost->perm_config.config->stats_report_time;
 		gc->has_interim_update_secs = 1;
diff --git a/src/sup-config/file.c b/src/sup-config/file.c
index ef074021..b892cf3f 100644
--- a/src/sup-config/file.c
+++ b/src/sup-config/file.c
@@ -111,6 +111,8 @@ static int group_cfg_ini_handler(void *_ctx, const char *section, const char *na
 			READ_TF(msg->config->deny_roaming, msg->config->has_deny_roaming);
 		} else if (strcmp(name, "route") == 0) {
 			READ_RAW_MULTI_LINE(msg->config->routes, msg->config->n_routes);
+		} else if (strcmp(name, "split-dns") == 0) {
+			READ_RAW_MULTI_LINE(msg->config->split_dns, msg->config->n_split_dns);
 		} else if (strcmp(name, "no-route") == 0) {
 			READ_RAW_MULTI_LINE(msg->config->no_routes, msg->config->n_no_routes);
 		} else if (strcmp(name, "iroute") == 0) {
diff --git a/src/worker-vpn.c b/src/worker-vpn.c
index 2504d570..52ce2630 100644
--- a/src/worker-vpn.c
+++ b/src/worker-vpn.c
@@ -2023,8 +2023,8 @@ static int connect_handler(worker_st * ws)
 		SEND_ERR(ret);
 	}
 
-	for (i = 0; i < WSCONFIG(ws)->split_dns_size; i++) {
-		if (strchr(WSCONFIG(ws)->split_dns[i], ':') != 0)
+	for (i = 0; i < ws->user_config->n_split_dns; i++) {
+		if (strchr(ws->user_config->split_dns[i], ':') != 0)
 			ip6 = 1;
 		else
 			ip6 = 0;
@@ -2035,10 +2035,10 @@ static int connect_handler(worker_st * ws)
 			continue;
 
 		oclog(ws, LOG_INFO, "adding split DNS %s",
-		      WSCONFIG(ws)->split_dns[i]);
+		      ws->user_config->split_dns[i]);
 
 		ret = cstp_printf(ws, "X-CSTP-Split-DNS: %s\r\n",
-				  WSCONFIG(ws)->split_dns[i]);
+				  ws->user_config->split_dns[i]);
 		SEND_ERR(ret);
 	}
 
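Review bot: The NULL test added to apply_default_config makes a per-user or per-group `split-dns` list replace the global one rather than extend it, and a user file with no `split-dns` lines is indistinguishable from one that wants none, so the global list is always applied in that case; neither behaviour is stated here or in the one-word sample.config change in this commit (the new "has not been sent" test below confirms the replace semantics). Operators who rely on the global split-dns entries to keep DNS for internal domains inside the tunnel will silently lose them for any user or group that defines its own list. I would add a comment above the new block such as `/* A per-user/group split-dns list replaces the global list entirely; it cannot be cleared per user, only overridden. */` and say the same in doc/sample.config. apply_default_config continues outside the hunk.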
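Review bot: The per-user split-dns entries are formatted straight into the `X-CSTP-Split-DNS:` header by cstp_printf with no check on their contents, whereas before this commit only main-config values reached this line. They now come from the sup-config source (the ini file in this commit, and presumably other backends), where the sup-config/file.c hunk reads them with READ_RAW_MULTI_LINE and no syntax check; an entry containing whitespace, a control character or a CR/LF — if the reader lets those through, which I cannot confirm from here — would corrupt or split the CSTP header the client parses. I would reject such entries before emitting them, e.g. `if (strpbrk(ws->user_config->split_dns[i], " \t\r\n") != NULL) { oclog(ws, LOG_WARNING, "ignoring invalid split DNS entry"); continue; }`. connect_handler starts and ends outside the hunk.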
diff --git a/tests/data/test-user-config.config b/tests/data/test-user-config.config
index 1f26945c..9a73fab9 100644
--- a/tests/data/test-user-config.config
+++ b/tests/data/test-user-config.config
@@ -153,6 +153,10 @@ ipv4-dns = 192.168.5.1
 # The NBNS server (if any)
 #ipv4-nbns = 192.168.2.3
 
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+split-dns = example.com
+
 #ipv6-address =
 #ipv6-mask =
 #ipv6-dns =
diff --git a/tests/test-user-config b/tests/test-user-config
index 61568796..bbe7ccff 100755
--- a/tests/test-user-config
+++ b/tests/test-user-config
@@ -83,7 +83,7 @@ echo -n "Checking if proper dns was sent... "
 
 CONTENTS=`cat ${TMPFILE1}|grep "X-CSTP-DNS: 8.8.8.8"`
 if test -z "$CONTENTS";then
-	cat ${TMPFILE1}
+	cat ${TMPFILE1}|grep X-CSTP-DNS
 	fail $PID "Expected DNS was not sent"
 fi
 
@@ -99,6 +99,26 @@ fi
 
 echo ok
 
+echo -n "Checking if split-dns has been sent... "
+
+CONTENTS=`cat ${TMPFILE1}|grep X-CSTP-Split-DNS|grep example6.com`
+if test -z "$CONTENTS";then
+	cat ${TMPFILE1}|grep X-CSTP-Split-DNS
+	fail $PID "Temporary file contents are not correct; X-CSTP-Split-DNS was not found"
+fi
+
+echo ok
+
+echo -n "Checking if split-dns has not been sent... "
+
+cat ${TMPFILE1}|grep X-CSTP-Split-DNS|grep example.com >/dev/null
+if test $? = 0;then
+	cat ${TMPFILE1}|grep X-CSTP-Split-DNS
+	fail $PID "Temporary file contents are not correct; X-CSTP-Split-DNS contained main config value"
+fi
+
+echo ok
+
 echo -n "Checking if user-specific DPD has been sent... "
 
 CONTENTS=`cat ${TMPFILE1}|grep X-DTLS-DPD|grep 880`
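Review bot: The positive check added at @@ -99 greps only for `example6.com`, although tests/user-config/testuser in this commit sets two `split-dns` lines (`example5.com` and `example6.com`), so the test cannot distinguish a reader that keeps only the last value from one that accumulates both; add a second check using `grep X-CSTP-Split-DNS|grep example5.com` with the same failure branch. Both greps are also unanchored regexes in which the dot matches any character, so `grep -F "X-CSTP-Split-DNS: example6.com"` would pin the exact header line rather than a substring of it. The test script continues outside the hunk.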
@@ -150,6 +170,16 @@ if test -z "$CONTENTS";then
 	fail $PID "Temporary file contents are not correct; address was not the expected (10.9.)"
 fi
 
+echo -n "Checking if main config split-dns has been sent... "
+
+cat ${TMPFILE1}|grep X-CSTP-Split-DNS|grep example.com >/dev/null
+if test $? != 0;then
+	cat ${TMPFILE1}|grep X-CSTP-Split-DNS
+	fail $PID "Temporary file contents are not correct; X-CSTP-Split-DNS did not contain main config value"
+fi
+
+echo ok
+
 kill $kpid3
 
 rm -f ${TMPFILE1}
diff --git a/tests/user-config/testuser b/tests/user-config/testuser
index 2f13b91b..bc40e246 100644
--- a/tests/user-config/testuser
+++ b/tests/user-config/testuser
@@ -4,3 +4,5 @@ keepalive = 14400
 max-same-clients = 1
 dns = 8.8.8.8
 hostname = xxxx
+split-dns = example5.com
+split-dns = example6.com