Added client-bypass-protocol config option
By default, anyconnect clients will drop all traffic of a given IP version if there is no IP address of that version assigned to the client. The client-bypass-protocol option, if enabled, sends an extra header to the clients telling the anyconnect client to bypass the VPN tunnel for that IP version if no address is assigned. There is no impact on openconnect clients; they simply ignore this header. Signed-off-by: Florian Domain <f.domain@criteo.com>
committed by
Nikos Mavrogiannopoulos
parent
4eb211d8d0
commit
b3fe0d85c2
@@ -877,7 +877,9 @@ static int cfg_ini_handler(void *_ctx, const char *section, const char *name, co
|
||||
#ifdef ANYCONNECT_CLIENT_COMPAT
|
||||
} else if (strcmp(name, "user-profile") == 0) {
|
||||
READ_STRING(config->xml_config_file);
|
||||
#endif
|
||||
#endif
|
||||
} else if (strcmp(name, "client-bypass-protocol") == 0) {
|
||||
READ_TF(config->client_bypass_protocol);
|
||||
} else if (strcmp(name, "default-domain") == 0) {
|
||||
READ_STRING(config->default_domain);
|
||||
} else if (strcmp(name, "crl") == 0) {
|
||||
|
||||
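Review bot: The new `client-bypass-protocol` option is parsed here but nothing on this page updates the sample configuration or the manual, so administrators have no description of what the flag does or what it defaults to; if that change lives outside the shown hunks, ignore this. The documentation should state that, when enabled, an AnyConnect client sends traffic of the IP version that received no address outside the tunnel (in the clear, bypassing any routes or firewall policy ocserv applies), so the default should remain off and the option be enabled deliberately. A short comment at the new branch would also help the next reader: `/* tells AnyConnect clients to route an unassigned IP family outside the tunnel; see X-CSTP-Client-Bypass-Protocol in worker-vpn.c */`. cfg_ini_handler begins and ends outside this hunk.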
@@ -64,6 +64,7 @@ message group_cfg_st
|
||||
repeated fw_port_st fw_ports = 39;
|
||||
optional string hostname = 40;
|
||||
repeated string split_dns = 41;
|
||||
optional uint32 client_bypass_protocol = 42;
|
||||
}
|
||||
|
||||
/* AUTH_COOKIE_REP */
|
||||
|
||||
@@ -376,7 +376,12 @@ void apply_default_config(sec_mod_instance_st * sec_mod_instance, proc_st *proc,
|
||||
if (!gc->xml_config_file) {
|
||||
gc->xml_config_file = vhost->perm_config.config->xml_config_file;
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
if (!gc->has_client_bypass_protocol) {
|
||||
gc->client_bypass_protocol = vhost->perm_config.config->client_bypass_protocol;
|
||||
gc->has_client_bypass_protocol = 1;
|
||||
}
|
||||
|
||||
if (!gc->has_rx_per_sec) {
|
||||
gc->rx_per_sec = vhost->perm_config.config->rx_per_sec;
|
||||
|
||||
@@ -188,7 +188,9 @@ static int group_cfg_ini_handler(void *_ctx, const char *section, const char *na
|
||||
#ifdef ANYCONNECT_CLIENT_COMPAT
|
||||
} else if (strcmp(name, "user-profile") == 0) {
|
||||
READ_RAW_STRING(msg->config->xml_config_file);
|
||||
#endif
|
||||
#endif
|
||||
} else if (strcmp(name, "client-bypass-protocol") == 0) {
|
||||
READ_TF(msg->config->client_bypass_protocol, msg->config->has_client_bypass_protocol);
|
||||
} else if (strcmp(name, "restrict-user-to-ports") == 0) {
|
||||
ret = cfg_parse_ports(pool, &msg->config->fw_ports, &msg->config->n_fw_ports, value);
|
||||
if (ret < 0) {
|
||||
|
||||
@@ -331,6 +331,8 @@ struct cfg_st {
|
||||
char *xml_config_hash;
|
||||
#endif
|
||||
|
||||
unsigned client_bypass_protocol;
|
||||
|
||||
/* additional configuration files */
|
||||
char *per_group_dir;
|
||||
char *per_user_dir;
|
||||
|
||||
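Review bot: The new member `unsigned client_bypass_protocol;` is the only field in this stretch of `struct cfg_st` without a comment, and its name alone does not say which direction the "bypass" goes or that it is a boolean. Suggest `unsigned client_bypass_protocol; /* boolean: if set, the X-CSTP-Client-Bypass-Protocol header asks clients to send traffic of an unassigned IP family outside the tunnel */`. The struct definition starts and ends outside this hunk.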
@@ -2153,6 +2153,13 @@ static int connect_handler(worker_st * ws)
|
||||
}
|
||||
SEND_ERR(ret);
|
||||
|
||||
if (WSCONFIG(ws)->client_bypass_protocol) {
|
||||
ret = cstp_puts(ws, "X-CSTP-Client-Bypass-Protocol: true\r\n");
|
||||
} else {
|
||||
ret = cstp_puts(ws, "X-CSTP-Client-Bypass-Protocol: false\r\n");
|
||||
}
|
||||
SEND_ERR(ret);
|
||||
|
||||
ret = send_routes(ws, req, ws->user_config->no_routes, ws->user_config->n_no_routes, 0);
|
||||
SEND_ERR(ret);
|
||||
|
||||
|
||||