Added configuration option restrict-user-to-routes

This option, if set, causes /usr/bin/ocserv-fw to be called for each
connecting user, adding firewall restrictions based on that user's allowed
routes.
Nikos Mavrogiannopoulos
2015-11-23 16:25:59 +01:00
parent 183820ae3c
commit f5fca982dc
11 changed files with 45 additions and 5 deletions


@@ -49,6 +49,7 @@ message user_info_rep
repeated string domains = 27; /* split-dns domains */
required uint32 dpd = 28;
required uint32 keepalive = 29;
required bool restrict_to_routes = 30;
}
message user_list_rep
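Review bot: Declaring the new field as `required bool restrict_to_routes = 30;` makes a user_info_rep emitted by an ocserv from before this commit fail to unpack in a newer occtl (and vice versa), because a required field that is absent is a parse error rather than a default. If mixed occtl/ocserv versions are something a deployment may see, `optional bool restrict_to_routes = 30 [default = false];` keeps both directions interoperable; the sibling sec_auth_session_reply_msg in this same commit already uses `optional` for its copy of the flag. I note the neighbouring dpd/keepalive fields are also `required`, so this may be a deliberate local convention.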


@@ -132,6 +132,7 @@ static struct cfg_options available_options[] = {
{ .name = "persistent-cookies", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "use-occtl", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "try-mtu-discovery", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "restrict-user-to-routes", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "ping-leases", .type = OPTION_BOOLEAN, .mandatory = 0 },
{ .name = "tls-priorities", .type = OPTION_STRING, .mandatory = 0 },
{ .name = "chroot-dir", .type = OPTION_STRING, .mandatory = 0 },
@@ -831,6 +832,7 @@ size_t urlfw_size = 0;
READ_TF("try-mtu-discovery", config->try_mtu, 0);
READ_TF("ping-leases", config->ping_leases, 0);
READ_TF("restrict-user-to-routes", config->restrict_user_to_routes, 0);
READ_STRING("tls-priorities", config->priorities);


@@ -262,6 +262,7 @@ message sec_auth_session_reply_msg
optional uint32 keepalive = 32;
optional uint32 max_same_clients = 33;
optional uint32 tunnel_all_dns = 34;
optional bool restrict_user_to_routes = 35;
}
message sec_refresh_cookie_key


@@ -336,6 +336,7 @@ static int append_user_info(method_ctx *ctx,
rep->conn_time = ctmp->conn_time;
rep->hostname = ctmp->hostname;
rep->user_agent = ctmp->user_agent;
rep->restrict_to_routes = ctmp->config.restrict_user_to_routes;
if (ctmp->status == PS_AUTH_COMPLETED)
strtmp = "connected";


@@ -265,6 +265,11 @@ int session_open(main_server_st * s, struct proc_st *proc, const uint8_t *cookie
if (msg->has_no_udp)
proc->config.no_udp = msg->no_udp;
if (msg->has_restrict_user_to_routes)
proc->config.restrict_user_to_routes = msg->restrict_user_to_routes;
else
proc->config.restrict_user_to_routes = s->config->restrict_user_to_routes;
if (msg->has_max_same_clients)
proc->config.max_same_clients = msg->max_same_clients;
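Review bot: With the `if (msg->has_restrict_user_to_routes) … else … = s->config->restrict_user_to_routes;` pair, a per-user config that explicitly sets the option to false turns the firewall script off for that user even when the global option is true, so the global setting acts as a default rather than a floor. If a per-user file is meant to be able to relax the global restriction, a one-line comment saying so would prevent a later reader from "fixing" it; if not, `proc->config.restrict_user_to_routes = s->config->restrict_user_to_routes || (msg->has_restrict_user_to_routes && msg->restrict_user_to_routes);` makes the global setting authoritative. The other per-user flags in this hunk (no_udp, max_same_clients) only assign when has_* is set, so the new else branch is also a small departure from the surrounding pattern worth a comment. session_open continues outside the hunk.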


@@ -47,6 +47,8 @@
#include <script-list.h>
#include <ccan/list/list.h>
#define OCSERV_FW_SCRIPT "/usr/bin/ocserv-fw"
#define APPEND_TO_STR(str, val) \
ret = str_append_str(str, val); \
if (ret < 0) { \
@@ -220,13 +222,18 @@ int call_script(main_server_st *s, struct proc_st* proc, unsigned up)
{
pid_t pid;
int ret;
const char* script;
const char* script, *next_script = NULL;
if (up != 0)
script = s->config->connect_script;
else
script = s->config->disconnect_script;
if (proc->config.restrict_user_to_routes) {
next_script = script;
script = OCSERV_FW_SCRIPT;
}
if (script == NULL)
return 0;
@@ -319,7 +326,11 @@ const char* script;
/* export DNS and route info */
export_dns_route_info(s, proc);
mslog(s, proc, LOG_DEBUG, "executing script %s %s", up?"up":"down", script);
if (next_script) {
setenv("OCSERV_NEXT_SCRIPT", next_script, 1);
mslog(s, proc, LOG_DEBUG, "executing script %s %s (next: %s)", up?"up":"down", script, next_script);
} else
mslog(s, proc, LOG_DEBUG, "executing script %s %s", up?"up":"down", script);
ret = execl(script, script, NULL);
if (ret == -1) {
mslog(s, proc, LOG_ERR, "Could not execute script %s", script);
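Review bot: The else branch of `if (next_script)` leaves any OCSERV_NEXT_SCRIPT value already present in the environment untouched, and ocserv-fw runs whatever path that variable names; since the environment is inherited by the child across the fork, clearing it in the else branch keeps the chaining decision tied to this call alone: `unsetenv("OCSERV_NEXT_SCRIPT");`. While there, the else body should be braced like the if it pairs with, per the file's own style elsewhere. The script path is fixed by `#define OCSERV_FW_SCRIPT "/usr/bin/ocserv-fw"` regardless of install prefix; if the build system already knows the prefix, deriving the macro from it would avoid a silent no-op on non-/usr installs. call_script continues outside the hunk.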


@@ -861,9 +861,11 @@ int common_info_cmd(UserListRep * args, FILE *out, cmd_params_st *params)
if ((r = print_list_entries(out, params, "No-routes", args->user[i]->no_routes, args->user[i]->n_no_routes, 1)) < 0)
goto error_parse;
if (print_list_entries(out, params, "iRoutes", args->user[i]->iroutes, args->user[i]->n_iroutes, 0) < 0)
if (print_list_entries(out, params, "iRoutes", args->user[i]->iroutes, args->user[i]->n_iroutes, 1) < 0)
goto error_parse;
print_single_value(out, params, "Restricted to routes", args->user[i]->restrict_to_routes?"True":"False", 0);
print_end_block(out, params, i<(args->n_user-1)?1:0);
at_least_one = 1;
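Review bot: The last argument of the iRoutes `print_list_entries` call flips from 0 to 1 only because the new "Restricted to routes" entry now follows it, and that coupling is invisible at the call site; a comment such as `/* last arg: 1 when more entries follow in this block */` on the iRoutes line, and a matching note that the trailing `0` passed to `print_single_value` must become 1 if another entry is ever appended, would make the invariant explicit. The No-routes call above stores its result in `r` before `goto error_parse` while the iRoutes call does not, and the new `print_single_value` return value is ignored; if either can fail, handling them the same way as No-routes would keep the block consistent. common_info_cmd continues outside the hunk.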


@@ -554,6 +554,13 @@ route = 192.168.0.0/255.255.0.0
no-route = 192.168.5.0/255.255.255.0
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. All the routes applied by ocserv can be reverted
# using /usr/bin/ocserv-fw --removeall. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-routes = true
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
@@ -582,7 +589,8 @@ no-route = 192.168.5.0/255.255.255.0
# ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
# explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
# keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
# user-profile, cgroup, stats-report-time, and session-timeout.
# restrict-user-to-routes, user-profile, cgroup, stats-report-time,
# and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted


@@ -115,4 +115,10 @@ else
allow_all
fi
if test -n "${OCSERV_NEXT_SCRIPT}";then
TMP_SCRIPT="${OCSERV_NEXT_SCRIPT}"
unset OCSERV_NEXT_SCRIPT
/bin/sh "${TMP_SCRIPT}"
fi
exit 0
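Review bot: Running the chained script as `/bin/sh "${TMP_SCRIPT}"` followed by the unconditional `exit 0` discards the connect/disconnect script's exit status, so a failure that ocserv would previously have seen from `execl(script, …)` is now reported as success whenever restrict-user-to-routes is on. It also forces /bin/sh as the interpreter, whereas the direct execl honoured the script's own shebang (a Python or bash connect script would now be parsed by sh). Replacing the call with `exec "${TMP_SCRIPT}"` preserves both the interpreter and the exit status; if the firewall rules must stay in place even when the chained script fails, that is already the case since they are applied before this point.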


@@ -45,6 +45,7 @@ struct cfg_options {
static struct cfg_options available_options[] = {
{ .name = "no-udp", .type = OPTION_BOOLEAN },
{ .name = "restrict-user-to-routes", .type = OPTION_BOOLEAN },
{ .name = "tunnel-all-dns", .type = OPTION_BOOLEAN },
{ .name = "deny-roaming", .type = OPTION_BOOLEAN },
{ .name = "route", .type = OPTION_MULTI_LINE },
@@ -181,6 +182,7 @@ unsigned j;
} while((val = optionNextValue(pov, prev)) != NULL);
READ_TF("no-udp", msg->no_udp, msg->has_no_udp);
READ_TF("restrict-user-to-routes", msg->restrict_user_to_routes, msg->has_restrict_user_to_routes);
READ_TF("tunnel_all_dns", msg->tunnel_all_dns, msg->has_tunnel_all_dns);
READ_TF("deny-roaming", msg->deny_roaming, msg->has_deny_roaming);


@@ -230,6 +230,7 @@ struct group_cfg_st {
unsigned deny_roaming; /* whether the user is allowed to re-use cookies from another IP */
unsigned net_priority;
unsigned no_udp; /* whether to disable UDP for this user */
unsigned restrict_user_to_routes;
};
struct vpn_st {
@@ -327,7 +328,7 @@ struct cfg_st {
char **split_dns;
size_t split_dns_size;;
unsigned restrict_user_to_routes; /* whether the firewall script will be run for the user */
unsigned deny_roaming; /* whether a cookie is restricted to a single IP */
time_t cookie_timeout; /* in seconds */
time_t cookie_rekey_time; /* in seconds */
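Review bot: The new `unsigned restrict_user_to_routes;` in struct group_cfg_st is the only field in that hunk without a trailing comment, while its counterpart in struct cfg_st is documented; mirroring that text keeps the two in step: `unsigned restrict_user_to_routes; /* whether the firewall script will be run for this user */`. The `size_t split_dns_size;;` on the context line just above the cfg_st addition is a pre-existing stray semicolon, harmless but worth cleaning up while the struct is being touched.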