From patchwork Tue May 14 04:33:25 2019
X-Patchwork-Submitter: Oliver Fuhrer
X-Patchwork-Id: 2251
From: Oliver Fuhrer
To: oliver.fuhrer@bluewin.ch
Subject: [PATCH] BUG 11696: VPN Subnets missing from wpad.dat
Date: Mon, 13 May 2019 20:33:25 +0200
Message-Id: <1557772405-23819-1-git-send-email-oliver.fuhrer@bluewin.ch>
X-Mailer: git-send-email 1.8.3.1
Cc: development@lists.ipfire.org
List-Id: IPFire
development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy. --- Hi All Apologies for the line-wrapping mess with the previous attempt. Looks like Outlook isn't up for the task. This Message is now sent directly via git, which should hopefully fix the issue. As I currently don't have any OpenVPN n2n connections, I could not fully test this part, however some dry-runs looked rather promising html/cgi-bin/proxy.cgi | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 6daa7fb..e7ee1f3 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2738,6 +2738,10 @@ sub write_acls sub writepacfile { + my %vpnconfig=(); + my %ovpnconfig=(); + &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig); open(FILE, ">/srv/web/ipfire/html/proxy.pac"); flock(FILE, 2); print FILE "function FindProxyForURL(url, host)\n"; 
@@ -2763,6 +2767,26 @@ END print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \"$netsettings{'ORANGE_NETMASK'}\")) ||\n"; } + foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) { + if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') { + my @networks = split(/\|/, $vpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub; + print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; + } + } + } + + foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) { + if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') { + my @networks = split(/\|/, $ovpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; + } + } + } print FILE <
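Review bot: in the first hunk (`@@ -2738`), the two `&General::readhasharray` calls added at the top of `writepacfile` run unconditionally, and the hunk does not show what happens when one of the files is absent (an installation that has never configured OpenVPN may not have `${General::swroot}/ovpn/ovpnconfig` at all); if `readhasharray` dies on a missing file, the PAC file is not written, because the `open(FILE, ">/srv/web/ipfire/html/proxy.pac")` comes after these calls. Suggest guarding each read with an existence check, e.g. `if (-e "${General::swroot}/ovpn/ovpnconfig")`, or confirming that `readhasharray` returns an empty hash for a missing file so that the proxy page keeps working on hosts without a VPN configuration.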
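Review bot: in the second hunk (`@@ -2763`), the OpenVPN loop is a copy of the IPsec loop with one omission: the IPsec branch normalises the mask with `$vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;` before printing, while the OpenVPN branch prints `$vpnsub` straight from the config, so a subnet stored in prefix form (`10.0.0.0/24`) would emit `isInNet(host, "10.0.0.0", "24")`, which is not a valid netmask argument and would silently never match. Apply the same conversion in both loops, or factor the loop body into one helper called once for `%vpnconfig` and once for `%ovpnconfig`, so the two cannot drift apart. Since the cover letter says the OpenVPN n2n path could not be fully tested, it is also worth confirming against the code that writes `ovpnconfig` that field `[3]` holds the host/net type and field `[11]` the `|`-separated remote subnet list in the same layout as `vpn/config`; the loop assumes the two files share it. Finally, both loops interpolate config values directly into generated JavaScript; an entry containing a quote or a newline would break the whole PAC file for every client, so validating `$vpnip` and `$vpnsub` as an address and netmask before the `print FILE` (and skipping entries that fail) keeps one malformed record from disabling proxy auto-configuration for the whole network.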