From patchwork Sat Apr 21 07:00:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Oliver Fuhrer
X-Patchwork-Id: 1721
From: "Oliver Fuhrer"
Subject: [PATCH] BUG: 11696 - VPN Subnets missing from wpad.dat
Date: Fri, 20 Apr 2018 23:00:46 +0200
Message-ID: <008901d3d8ea$a7c0be90$f7423bb0$@bluewin.ch>
List-Id: IPFire development talk

This patch excludes enabled IPsec/OpenVPN N2N subnets from wpad.dat so they
don't go through the proxy.

I could only test it with IPsec tunnels; however, as the code for OpenVPN is
pretty much the same, I included this one as well and some basic tests worked
as expected.

As I'm not very familiar with Perl, there is probably some room for
improvement too.

Regards
Oliver

flock(FILE, 2); print FILE "function FindProxyForURL(url, host)\n"; 
@@ -3039,6 +3044,26 @@ END print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \"$netsettings{'ORANGE_NETMASK'}\")) ||\n"; } + foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) { + if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') { + my @networks = split(/\|/, $vpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub; + print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; + } + } + } + + foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) { + if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') { + my @networks = split(/\|/, $ovpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; + } + } + } print FILE </srv/web/ipfire/html/proxy.pac");
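Review bot: in the second loop (over %ovpnconfig) `$vpnsub` is printed into `isInNet()` exactly as it was split from field [11], without the `&Network::convert_prefix2netmask($vpnsub) || $vpnsub` step that the IPsec loop applies. `isInNet(host, pattern, mask)` expects a dotted netmask, so if an OpenVPN N2N entry stores its remote subnet in prefix notation the generated clause will not match and that traffic will still be sent to the proxy. Please apply the same conversion in the OpenVPN loop, or note in the commit message that these entries are always stored with a dotted mask. Both loops also interpolate `$vpnip` and `$vpnsub` into the generated JavaScript unchecked: an entry in field [11] that is empty or has no "/" yields `isInNet(host, "", "")` or an undefined mask, and any quote character in the stored value would break the PAC file for every client that fetches it. Skipping entries that do not parse as an IPv4 address and mask before the `print FILE` would keep wpad.dat well-formed. The near-identical loops could then share one small helper, which also avoids this kind of drift between the IPsec and OpenVPN paths.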