Menu
▾
▴
openvpn-devel
|
From: d12fk (C. Review) <ge...@op...> - 2025-06-25 08:58:34
|
Attention is currently required from: flichtenheld, plaisthos.
Hello plaisthos, flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email
to review the following change.
Change subject: run forced --dns-updown without --script-security
......................................................................
run forced --dns-updown without --script-security
Due to a shortcut in the `--dns-updown force' implementation, running the
default dns-updown script required `--script-security 2'. This makes the
forced default script run without --script-security set.
Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Signed-off-by: Heiko Hund <he...@is...>
---
M src/openvpn/dns.c
M src/openvpn/dns.h
M src/openvpn/options.c
3 files changed, 39 insertions(+), 12 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/1065/1
diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c
index 939ae09..ea3d91b 100644
--- a/src/openvpn/dns.c
+++ b/src/openvpn/dns.c
@@ -264,7 +264,7 @@
clone.servers = clone_dns_servers(o->servers, gc);
clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc);
clone.updown = o->updown;
- clone.user_set_updown = o->user_set_updown;
+ clone.updown_flags = o->updown_flags;
return clone;
}
@@ -580,7 +580,7 @@
argv_printf(&argv, "%s", o->updown);
argv_msg(M_INFO, &argv);
int res;
- if (o->user_set_updown)
+ if (dns_updown_user_set(o))
{
res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown");
}
@@ -692,7 +692,7 @@
run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner)
{
struct dns_options *dns = &o->dns_options;
- if (!dns->updown || (o->up_script && !dns->user_set_updown))
+ if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)))
{
return;
}
diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h
index 688daa7..bbc38fd 100644
--- a/src/openvpn/dns.h
+++ b/src/openvpn/dns.h
@@ -42,13 +42,18 @@
DNS_TRANSPORT_TLS
};
+enum dns_updown_flags {
+ DNS_UPDOWN_NO_FLAGS,
+ DNS_UPDOWN_USER_SET,
+ DNS_UPDOWN_FORCED
+};
+
struct dns_domain {
struct dns_domain *next;
const char *name;
};
-struct dns_server_addr
-{
+struct dns_server_addr {
union {
struct in_addr a4;
struct in6_addr a6;
@@ -103,7 +108,7 @@
struct dns_server *servers;
struct gc_arena gc;
const char *updown;
- bool user_set_updown;
+ enum dns_updown_flags updown_flags;
};
/**
@@ -195,4 +200,26 @@
*/
void show_dns_options(const struct dns_options *o);
+/**
+ * Returns whether dns-updown is user defined
+ *
+ * @param o Pointer to the DNS options struct
+ */
+static inline bool
+dns_updown_user_set(struct dns_options *o)
+{
+ return o->updown_flags == DNS_UPDOWN_USER_SET;
+}
+
+/**
+ * Returns whether dns-updown is forced to run
+ *
+ * @param o Pointer to the DNS options struct
+ */
+static inline bool
+dns_updown_forced(struct dns_options *o)
+{
+ return o->updown_flags == DNS_UPDOWN_FORCED;
+}
+
#endif /* ifndef DNS_H */
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7e26069..af097f8 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3593,7 +3593,7 @@
struct gc_arena gc = gc_new();
struct dns_options *dns = &o->dns_options;
- if (dns->servers || dns->user_set_updown)
+ if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
{
/* Clean up env from --dhcp-option DNS config */
struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
@@ -3667,7 +3667,7 @@
}
}
}
- else if (o->up_script && !dns->user_set_updown)
+ else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
{
/* Set foreign option env vars from --dns config */
const char *p[] = { "dhcp-option", NULL, NULL };
@@ -8182,15 +8182,15 @@
if (streq(p[1], "disable"))
{
dns->updown = NULL;
- dns->user_set_updown = false;
+ dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
}
else if (streq(p[1], "force"))
{
/* force dns-updown run, even if a --up script is defined */
- if (dns->user_set_updown == false)
+ if (!dns_updown_user_set(dns))
{
dns->updown = DEFAULT_DNS_UPDOWN;
- dns->user_set_updown = true;
+ dns->updown_flags = DNS_UPDOWN_FORCED;
}
}
else
@@ -8201,7 +8201,7 @@
dns->updown = NULL;
}
set_user_script(options, &dns->updown, p[1], p[0], false);
- dns->user_set_updown = true;
+ dns->updown_flags = DNS_UPDOWN_USER_SET;
}
}
else if (streq(p[0], "dns") && p[1])
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Gerrit-Change-Number: 1065
Gerrit-PatchSet: 1
Gerrit-Owner: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: flichtenheld <fr...@li...>
Gerrit-MessageType: newchange
|
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-06-26 09:03:30
|
Attention is currently required from: d12fk, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 1: Code-Review-2 (1 comment) File src/openvpn/dns.c: http://gerrit.openvpn.net/c/openvpn/+/1065/comment/5051e657_d2d6667f : PS1, Line 583: if (dns_updown_user_set(o)) ``` dns.c: In function ‘do_run_up_down_command’: dns.c:583:29: error: passing argument 1 of ‘dns_updown_user_set’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers] 583 | if (dns_updown_user_set(o)) | ^ In file included from dns.c:30: dns.h:209:41: note: expected ‘struct dns_options *’ but argument is of type ‘const struct dns_options *’ 209 | dns_updown_user_set(struct dns_options *o) | ~~~~~~~~~~~~~~~~~~~~^ ``` -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 1 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:03:20 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
|
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 09:10:47
|
Attention is currently required from: d12fk, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email
to look at the new patch set (#2).
Change subject: run forced --dns-updown without --script-security
......................................................................
run forced --dns-updown without --script-security
Due to a shortcut in the `--dns-updown force' implementation, running the
default dns-updown script required `--script-security 2'. This makes the
forced default script run without --script-security set.
Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Signed-off-by: Heiko Hund <he...@is...>
---
M src/openvpn/dns.c
M src/openvpn/dns.h
M src/openvpn/options.c
3 files changed, 39 insertions(+), 12 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/1065/2
diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c
index 939ae09..ea3d91b 100644
--- a/src/openvpn/dns.c
+++ b/src/openvpn/dns.c
@@ -264,7 +264,7 @@
clone.servers = clone_dns_servers(o->servers, gc);
clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc);
clone.updown = o->updown;
- clone.user_set_updown = o->user_set_updown;
+ clone.updown_flags = o->updown_flags;
return clone;
}
@@ -580,7 +580,7 @@
argv_printf(&argv, "%s", o->updown);
argv_msg(M_INFO, &argv);
int res;
- if (o->user_set_updown)
+ if (dns_updown_user_set(o))
{
res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown");
}
@@ -692,7 +692,7 @@
run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner)
{
struct dns_options *dns = &o->dns_options;
- if (!dns->updown || (o->up_script && !dns->user_set_updown))
+ if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)))
{
return;
}
diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h
index 688daa7..d33f64e 100644
--- a/src/openvpn/dns.h
+++ b/src/openvpn/dns.h
@@ -42,13 +42,18 @@
DNS_TRANSPORT_TLS
};
+enum dns_updown_flags {
+ DNS_UPDOWN_NO_FLAGS,
+ DNS_UPDOWN_USER_SET,
+ DNS_UPDOWN_FORCED
+};
+
struct dns_domain {
struct dns_domain *next;
const char *name;
};
-struct dns_server_addr
-{
+struct dns_server_addr {
union {
struct in_addr a4;
struct in6_addr a6;
@@ -103,7 +108,7 @@
struct dns_server *servers;
struct gc_arena gc;
const char *updown;
- bool user_set_updown;
+ enum dns_updown_flags updown_flags;
};
/**
@@ -195,4 +200,26 @@
*/
void show_dns_options(const struct dns_options *o);
+/**
+ * Returns whether dns-updown is user defined
+ *
+ * @param o Pointer to the DNS options struct
+ */
+static inline bool
+dns_updown_user_set(const struct dns_options *o)
+{
+ return o->updown_flags == DNS_UPDOWN_USER_SET;
+}
+
+/**
+ * Returns whether dns-updown is forced to run
+ *
+ * @param o Pointer to the DNS options struct
+ */
+static inline bool
+dns_updown_forced(const struct dns_options *o)
+{
+ return o->updown_flags == DNS_UPDOWN_FORCED;
+}
+
#endif /* ifndef DNS_H */
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 7e26069..af097f8 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3593,7 +3593,7 @@
struct gc_arena gc = gc_new();
struct dns_options *dns = &o->dns_options;
- if (dns->servers || dns->user_set_updown)
+ if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns))
{
/* Clean up env from --dhcp-option DNS config */
struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc);
@@ -3667,7 +3667,7 @@
}
}
}
- else if (o->up_script && !dns->user_set_updown)
+ else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))
{
/* Set foreign option env vars from --dns config */
const char *p[] = { "dhcp-option", NULL, NULL };
@@ -8182,15 +8182,15 @@
if (streq(p[1], "disable"))
{
dns->updown = NULL;
- dns->user_set_updown = false;
+ dns->updown_flags = DNS_UPDOWN_NO_FLAGS;
}
else if (streq(p[1], "force"))
{
/* force dns-updown run, even if a --up script is defined */
- if (dns->user_set_updown == false)
+ if (!dns_updown_user_set(dns))
{
dns->updown = DEFAULT_DNS_UPDOWN;
- dns->user_set_updown = true;
+ dns->updown_flags = DNS_UPDOWN_FORCED;
}
}
else
@@ -8201,7 +8201,7 @@
dns->updown = NULL;
}
set_user_script(options, &dns->updown, p[1], p[0], false);
- dns->user_set_updown = true;
+ dns->updown_flags = DNS_UPDOWN_USER_SET;
}
}
else if (streq(p[0], "dns") && p[1])
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e
Gerrit-Change-Number: 1065
Gerrit-PatchSet: 2
Gerrit-Owner: d12fk <he...@op...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-Reviewer: plaisthos <arn...@rf...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: plaisthos <arn...@rf...>
Gerrit-Attention: d12fk <he...@op...>
Gerrit-MessageType: newpatchset
|
|
From: d12fk (C. Review) <ge...@op...> - 2025-06-26 09:15:05
|
Attention is currently required from: flichtenheld, plaisthos. d12fk has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 2: (1 comment) File src/openvpn/dns.c: http://gerrit.openvpn.net/c/openvpn/+/1065/comment/432c3110_649da563 : PS1, Line 583: if (dns_updown_user_set(o)) > ``` […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:14:51 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld <fr...@li...> Gerrit-MessageType: comment |
|
From: flichtenheld (C. Review) <ge...@op...> - 2025-06-26 09:22:03
|
Attention is currently required from: d12fk, plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... Patch Set 2: Code-Review+2 (1 comment) Patchset: PS2: Tested, looks good -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 2 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: d12fk <he...@op...> Gerrit-Comment-Date: Thu, 26 Jun 2025 09:21:48 +0000 Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment |
|
From: Gert D. <ge...@gr...> - 2025-06-26 09:30:22
|
From: Heiko Hund <he...@is...> Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set. Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1065 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld <fr...@li...> diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; } @@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; @@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1]) |
|
From: Gert D. <ge...@gr...> - 2025-06-28 16:22:41
|
Thanks for addressing this imbalance wrt --script-security - I have not
tested the various combinations, just --dns-updown $builddir/...
in my t_client tests (still works, and correctly still requires
script-security). A brief stare at the code also looks reasonable.
The message "I am going to run *this* script now" is still a bit barebones,
though ;-)
2025-06-28 18:18:00 ../distro/dns-scripts/dns-updown
2025-06-28 18:18:00 WARNING: External program may not be called unless '--script-security 2' or higher...
Your patch has been applied to the master branch.
commit cbf3621825c9e2f2542a370f4c049411c71d2329
Author: Heiko Hund
Date: Thu Jun 26 11:30:00 2025 +0200
run forced --dns-updown without --script-security
Signed-off-by: Heiko Hund <he...@is...>
Acked-by: Frank Lichtenheld <fr...@li...>
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg31994.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-06-28 16:23:01
|
cron2 has uploaded a new patch set (#4) to the change originally created by d12fk. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: run forced --dns-updown without --script-security ...................................................................... run forced --dns-updown without --script-security Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set. Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31994.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 3 files changed, 39 insertions(+), 12 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/65/1065/4 diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; } @@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; @@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: newpatchset |
|
From: cron2 (C. Review) <ge...@op...> - 2025-06-28 16:23:02
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email ) Change subject: run forced --dns-updown without --script-security ...................................................................... run forced --dns-updown without --script-security Due to a shortcut in the `--dns-updown force' implementation, running the default dns-updown script required `--script-security 2'. This makes the forced default script run without --script-security set. Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Signed-off-by: Heiko Hund <he...@is...> Acked-by: Frank Lichtenheld <fr...@li...> Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg31994.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/dns.c M src/openvpn/dns.h M src/openvpn/options.c 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/src/openvpn/dns.c b/src/openvpn/dns.c index 939ae09..ea3d91b 100644 --- a/src/openvpn/dns.c +++ b/src/openvpn/dns.c @@ -264,7 +264,7 @@ clone.servers = clone_dns_servers(o->servers, gc); clone.servers_prepull = clone_dns_servers(o->servers_prepull, gc); clone.updown = o->updown; - clone.user_set_updown = o->user_set_updown; + clone.updown_flags = o->updown_flags; return clone; } @@ -580,7 +580,7 @@ argv_printf(&argv, "%s", o->updown); argv_msg(M_INFO, &argv); int res; - if (o->user_set_updown) + if (dns_updown_user_set(o)) { res = openvpn_run_script(&argv, es, S_EXITCODE, "dns updown"); } @@ -692,7 +692,7 @@ run_up_down_command(bool up, struct options *o, const struct tuntap *tt, struct dns_updown_runner_info *updown_runner) { struct dns_options *dns = &o->dns_options; - if (!dns->updown || (o->up_script && !dns->user_set_updown)) + if (!dns->updown || (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns))) { return; } diff --git a/src/openvpn/dns.h b/src/openvpn/dns.h index 688daa7..d33f64e 100644 --- a/src/openvpn/dns.h +++ b/src/openvpn/dns.h @@ -42,13 +42,18 @@ DNS_TRANSPORT_TLS }; +enum dns_updown_flags { + DNS_UPDOWN_NO_FLAGS, + DNS_UPDOWN_USER_SET, + DNS_UPDOWN_FORCED +}; + struct dns_domain { struct dns_domain *next; const char *name; }; -struct dns_server_addr -{ +struct dns_server_addr { union { struct in_addr a4; struct in6_addr a6; @@ -103,7 +108,7 @@ struct dns_server *servers; struct gc_arena gc; const char *updown; - bool user_set_updown; + enum dns_updown_flags updown_flags; }; /** @@ -195,4 +200,26 @@ */ void show_dns_options(const struct dns_options *o); +/** + * Returns whether dns-updown is user defined + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_user_set(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_USER_SET; +} + +/** + * Returns whether dns-updown is forced to run + * + * @param o Pointer to the DNS options struct + */ +static inline bool +dns_updown_forced(const struct dns_options *o) +{ + return o->updown_flags == DNS_UPDOWN_FORCED; +} + #endif /* ifndef DNS_H */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7e26069..af097f8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3593,7 +3593,7 @@ struct gc_arena gc = gc_new(); struct dns_options *dns = &o->dns_options; - if (dns->servers || dns->user_set_updown) + if (dns->servers || dns_updown_user_set(dns) || dns_updown_forced(dns)) { /* Clean up env from --dhcp-option DNS config */ struct buffer name = alloc_buf_gc(OPTION_PARM_SIZE, &gc); @@ -3667,7 +3667,7 @@ } } } - else if (o->up_script && !dns->user_set_updown) + else if (o->up_script && !dns_updown_user_set(dns) && !dns_updown_forced(dns)) { /* Set foreign option env vars from --dns config */ const char *p[] = { "dhcp-option", NULL, NULL }; @@ -8182,15 +8182,15 @@ if (streq(p[1], "disable")) { dns->updown = NULL; - dns->user_set_updown = false; + dns->updown_flags = DNS_UPDOWN_NO_FLAGS; } else if (streq(p[1], "force")) { /* force dns-updown run, even if a --up script is defined */ - if (dns->user_set_updown == false) + if (!dns_updown_user_set(dns)) { dns->updown = DEFAULT_DNS_UPDOWN; - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_FORCED; } } else @@ -8201,7 +8201,7 @@ dns->updown = NULL; } set_user_script(options, &dns->updown, p[1], p[0], false); - dns->user_set_updown = true; + dns->updown_flags = DNS_UPDOWN_USER_SET; } } else if (streq(p[0], "dns") && p[1]) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1065?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I55940b78e35f0e3d74aa6cba14378afed97a444e Gerrit-Change-Number: 1065 Gerrit-PatchSet: 4 Gerrit-Owner: d12fk <he...@op...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-Reviewer: plaisthos <arn...@rf...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-MessageType: merged |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X