Mailing List Archive

Debian patches to vpnc
Hi,

looking through the patches shipped in the current Debian package of
vpnc, I found two which I felt would be useful for general consumption,
i.e. inclusion upstream. The first, 03_vpnc.8.patch, deletes the TODO
section of the manpage, which contains outdated information and
references the almost-as-outdated TODO file.

The second patch, 03_vpnc-script.patch, adds hooks to vpnc-script that
allow users to customize the behaviour of vpnc-script in a way that
doesn't get lost when the package gets upgraded (and direct edits to
vpnc-script would be overwritten, or in Debian cause annoying prompts).
README.Debian explains:

----
vpnc-script, which handles routing and DNS updates, can be customized by adding
scripts to be run before and after connecting and disconnecting, respectively.
The names of the scripts that will be sourced by /etc/vpnc/vpnc-script are:

/etc/vpnc/vpnc-script-connect-action
/etc/vpnc/vpnc-script-post-connect-action
/etc/vpnc/vpnc-script-disconnect-action
/etc/vpnc/vpnc-script-post-disconnect-action

See the comments at the top of vpnc-script for the environment variables you
have access to.
----

If you think that such a feature would be generally useful, I can try to
turn this text into a patch to the manpage.

Florian
Re: Debian patches to vpnc
On Sat, 2012-04-14 at 23:38 +0200, Florian Schlichting wrote:
> vpnc-script, which handles routing and DNS updates, can be customized
> by adding scripts to be run before and after connecting and
> disconnecting, respectively.
> The names of the scripts that will be sourced by /etc/vpnc/vpnc-script
> are:
>
> /etc/vpnc/vpnc-script-connect-action
> /etc/vpnc/vpnc-script-post-connect-action
> /etc/vpnc/vpnc-script-disconnect-action
> /etc/vpnc/vpnc-script-post-disconnect-action
>
> See the comments at the top of vpnc-script for the environment
> variables you have access to.

Hm, is Debian not shipping the separate vpnc-script yet?

How does its openconnect package work? Does it require vpnc? Or is
vpnc-script shipped in a separate binary package even though it comes
from the vpnc source tarball? Or is it just broken?

--
dwmw2
Re: Debian patches to vpnc
> Hm, is Debian not shipping the separate vpnc-script yet?

not that I am aware of; I remember you suggesting something like that,
but then Antonio synced all changes from your git repo into vpnc SVN,
so no immediate need for me to change things around.

> How does its openconnect package work? Does it require vpnc? Or is
> vpnc-script shipped in a separate binary package even though it comes
> from the vpnc source tarball? Or is it just broken?

AFAIKS openconnect in Debian does not require vpnc in any way (no
Depends, Recommends, Suggests package relationship). The latest version
includes the documentation from
http://www.infradead.org/openconnect/vpnc-script.html, so contains a
reference from where to get vpnc-script. I guess it's understood to be
primarily used from the NetworkManager plugin.


...but how is that related to my patch, which I intended for the
vpnc-scripts git repo as much as for vpnc SVN?

Florian
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Re: Debian patches to vpnc
On Sun, 2012-04-15 at 00:18 +0200, Florian Schlichting wrote:
> ...but how is that related to my patch, which I intended for the
> vpnc-scripts git repo as much as for vpnc SVN?

Only tangentially :)

Your patch hard-codes the directory /etc/vpnc for the helper scripts —
would it be better to use `dirname $0` for that, to allow relocation?

--
dwmw2
Re: Debian patches to vpnc
On Sat, Apr 14, 2012 at 11:22:17PM +0100, David Woodhouse wrote:
> Your patch hard-codes the directory /etc/vpnc for the helper scripts —
> would it be better to use `dirname $0` for that, to allow relocation?

well, as things are now that would be functionally equivalent, so no
objection from my side (NB that patch dates back to the times when
Eduard Bloch was Debian maintainer of vpnc, so if anyone wants to
attribute authorship, that would be to him rather than to me).

But I'm starting to think about how things would be with a separate
vpnc-scripts package. Wouldn't those scripts be located somewhere under
/usr/lib/vpnc-scripts/ then, and only the files meant to be edited by
the user (default.conf, vpnc-script-post-connect-action, etc) remain in
/etc/vpnc?

If the same vpnc-script is going to be used from both vpnc and
openconnect, how is it going to determine which action scripts to
source, or will that be the same in both cases? Would one user need to
distinguish between the two?

See, I know almost nothing about openconnect / Cisco AnyConnect, so it's
hard to know if we'd be making bad choices now...

Florian
Re: Debian patches to vpnc
On Sun, 2012-04-15 at 00:46 +0200, Florian Schlichting wrote:
> If the same vpnc-script is going to be used from both vpnc and
> openconnect, how is it going to determine which action scripts to
> source, or will that be the same in both cases? Would one user need to
> distinguish between the two?

The same vpnc-script is going to be used for various *different*
vpnc-based VPN connections. How does it distinguish between them at the
moment? Does it matter whether it's vpnc or openconnect?

> See, I know almost nothing about openconnect / Cisco AnyConnect, so
> it's hard to know if we'd be making bad choices now...

At the vpnc-script level, you don't need to know anything. For that
purpose it's identical to vpnc (except that it supports IPv6, while vpnc
still hasn't joined us in the 21st century).

--
dwmw2
Re: Debian patches to vpnc
On Sat, Apr 14, 2012 at 11:22:17PM +0100, David Woodhouse wrote:
> Your patch hard-codes the directory /etc/vpnc for the helper scripts —
> would it be better to use `dirname $0` for that, to allow relocation?

thinking about things, what's your use case for that? Does openconnect
(in Fedora?) ship with a vpnc-script in a different location?

Florian
Re: Debian patches to vpnc
On Sun, 2012-04-15 at 01:27 +0200, Florian Schlichting wrote:
> thinking about things, what's your use case for that? Does openconnect
> (in Fedora?) ship with a vpnc-script in a different location?

No, but from an upstream point of view perhaps we ought to be flexible
if people want to ship it in a different location. /etc/vpnc for a
script like that isn't exactly FHS-standard, and people on *BSD etc.
might also have opinions about appropriate directories for such things.

--
dwmw2
Re: Debian patches to vpnc
On Sun, Apr 15, 2012 at 12:46:13AM +0200, Florian Schlichting wrote:
> On Sat, Apr 14, 2012 at 11:22:17PM +0100, David Woodhouse wrote:
> > Your patch hard-codes the directory /etc/vpnc for the helper scripts —
> > would it be better to use `dirname $0` for that, to allow relocation?
>
> well, as things are now that would be functionally equivalent, so no
> objection from my side (NB that patch dates back to the times when
> Eduard Bloch was Debian maintainer of vpnc, so if anyone wants to
> attribute authorship, that would be to him rather than to me).
>
> But I'm starting to think about how things would be with a separate
> vpnc-scripts package. Wouldn't those scripts be located somewhere under
> /usr/lib/vpnc-scripts/ then, and only the files meant to be edited by
> the user (default.conf, vpnc-script-post-connect-action, etc) remain in
> /etc/vpnc?

Hi, jumping in the middle here... I wasn't on the start of this thread,
I haven't seen your patches yet, but it sounds very analogous to

1) dhclient the executable, which runs
2) dhclient-script the helper script, which sources
3) /etc/dhclient-hook* scripts or whatever they are called

For Debian, if we're going to do a vpnc-scripts package, I would vote
for the script living under /usr/share/vpnc-scripts/ and these user hook
scripts would go under /etc/vpnc-scripts/. Debian policy really wants
things that don't need to be edited under /usr. So I don't think
dirname $0 is flexible enough to meet every packaging system's needs.

And as for Debian openconnect, this issue is still an open bug. I like
the vpnc-scripts shared dependency solution.

--
mike
Re: Debian patches to vpnc
On Sun, 2012-04-15 at 11:19 -0400, Mike Miller wrote:
> For Debian, if we're going to do a vpnc-scripts package, I would vote
> for the script living under /usr/share/vpnc-scripts/ and these user hook
> scripts would go under /etc/vpnc-scripts/. Debian policy really wants
> things that don't need to be edited under /usr. So I don't think
> dirname $0 is flexible enough to meet every packaging system's needs.

That's true.

The user hooks shouldn't be a single hard-coded script either; there
should be a directory such as /etc/vpnc-scripts/connect.d/ into which
other packages can drop new scripts.

OpenWRT could then drop part of its patch to vpnc-script, which is to
start and stop NAT after processing the connection and before processing
the disconnection, respectively.

While I'm looking at it... the other part of the OpenWRT patch is to
remove 'inet' from the part which adds the Legacy IP address with
'ifconfig':
- ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
+ ifconfig "$TUNDEV" "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu ${MTU} up
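Review bot: merging this unconditionally trades one platform's ifconfig quirk for another's: the '+' line removes the explicit `inet` address family, so the call now relies on each platform's ifconfig defaulting to Legacy IP, which is exactly the *BSD/Solaris doubt raised below. Parameterise it the way the same line already handles point-to-point syntax via `$ifconfig_syntax_ptp`, e.g. an `$ifconfig_syntax_inet` that defaults to `inet` and is emptied only where a Busybox ifconfig is detected, or, as the message suggests, fix Busybox to accept the keyword rather than carrying the OpenWRT change.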

I bet that breaks on *BSD or Solaris? I suspect it's better to fix
Busybox 'ifconfig' than try to merge that patch from OpenWRT?

--
dwmw2
Re: Debian patches to vpnc
On Sun, Apr 15, 2012 at 09:50:40AM -0400, Mike Miller wrote:
> On Sun, Apr 15, 2012 at 12:46:13AM +0200, Florian Schlichting wrote:
> > But I'm starting to think about how things would be with a separate
> > vpnc-scripts package. Wouldn't those scripts be located somewhere under
> > /usr/lib/vpnc-scripts/ then, and only the files meant to be edited by
> > the user (default.conf, vpnc-script-post-connect-action, etc) remain in
> > /etc/vpnc?
>
> Hi, jumping in the middle here... I wasn't on the start of this thread,
> I haven't seen your patches yet, but it sounds very analogous to
>
> 1) dhclient the executable, which runs
> 2) dhclient-script the helper script, which sources
> 3) /etc/dhclient-hook* scripts or whatever they are called

well, dhclient and dhclient-script live in the same package, and the
/etc/dhcp/dhclient-*-hooks.d/ directories provide a mechanism for other
programs and packages to hook into the dhcp update process. Whereas in
our case it's several packages optionally using the same script, and the
rare possibility that its many options don't already do what you need.

Have a look at
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2012-April/003751.html
for the beginning of this thread, or
http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20120414/85fb6919/attachment-0001.patch
for the proposed patch.

> For Debian, if we're going to do a vpnc-scripts package, I would vote
> for the script living under /usr/share/vpnc-scripts/ and these user hook
> scripts would go under /etc/vpnc-scripts/. Debian policy really wants
> things that don't need to be edited under /usr. So I don't think
> dirname $0 is flexible enough to meet every packaging system's needs.

ACK. To limit namespace pollution with mostly empty directories and
allow for compatibility with the vpnc-script shipped as part of the vpnc
tarball, I advocate putting those directories under /etc/vpnc, though:

/etc/vpnc/pre-connect.d/
/etc/vpnc/post-connect.d/
/etc/vpnc/pre-disconnect.d/
/etc/vpnc/post-disconnect.d/

I'm still not sure this isn't over-engineering a very rare use case,
though.

Florian
Re: Debian patches to vpnc
On Sat, 2012-04-14 at 23:38 +0200, Florian Schlichting wrote:
> The second patch, 03_vpnc-script.patch, adds hooks to vpnc-script that
> allow users to customize the behaviour of vpnc-script in a way that
> doesn't get lost when the package gets upgraded (and direct edits to
> vpnc-script would be overwritten, or in Debian cause annoying
> prompts).

I modified this to use a directory for each action — having a single
script file still potentially leaves you with the problem of multiple
edits to the same file.

Of course you can maintain compatibility with existing scripts in Debian
by putting a hook into the directory, which execs a file from the old
location if it exists.

http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/1b65c39e

--
dwmw2
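A worked example of the hook scheme discussed in this thread (the sourced per-action scripts of the Debian patch, Florian's per-action directories under /etc/vpnc, and the compatibility hook dwmw2 describes), added here as illustration; it is not vpnc-script's own code nor anyone's patch from the thread. Assumptions of mine: the hook root is `${VPNC_HOOK_DIR:-/etc/vpnc}` so the demo can run against a temporary directory, the directory names are the proposed `pre-connect.d` etc. plus a `reconnect.d` for the newer `$reason`, and, because vpnc-script runs as root, a hook is refused unless it is a plain file owned by the invoking user and not group- or world-writable, a check the thread does not discuss:

```shell
#!/bin/sh
# Added example, not code from vpnc-script or from anyone in this thread.
# Assumptions (mine): the hook root is ${VPNC_HOOK_DIR:-/etc/vpnc}; the
# per-action directories use the proposed pre-/post-*.d names plus a
# reconnect.d for the newer $reason; hooks are sourced, as in the Debian
# patch, so they see the INTERNAL_IP4_* environment and can change state.

# Map the $reason that vpnc or openconnect passes in to a hook directory.
hook_dir_for_reason() {
    case "$1" in
        connect)         echo pre-connect.d ;;
        post-connect)    echo post-connect.d ;;
        disconnect)      echo pre-disconnect.d ;;
        post-disconnect) echo post-disconnect.d ;;
        reconnect)       echo reconnect.d ;;
        *)               return 1 ;;
    esac
}

# vpnc-script runs as root, so only source a hook that is a plain file
# (no symlinks or directories), owned by the invoking user and neither
# group- nor world-writable; anything else hands root to whoever can
# write in the hook directory. This check is an addition of this example.
hook_is_safe() {
    hook_owner=$(id -u)
    [ -n "$(find "$1" -prune -type f -user "$hook_owner" \
                ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Source every hook for reason $1 in lexical order. A failing hook is
# reported on stderr but does not stop the remaining ones.
run_hooks() {
    hook_sub=$(hook_dir_for_reason "$1") || return 1
    hook_path="${VPNC_HOOK_DIR:-/etc/vpnc}/$hook_sub"
    for hook_file in "$hook_path"/*; do
        [ -e "$hook_file" ] || continue
        if ! hook_is_safe "$hook_file"; then
            printf 'vpnc-script: skipping unsafe hook %s\n' "$hook_file" >&2
            continue
        fi
        . "$hook_file" || printf 'vpnc-script: hook %s failed\n' "$hook_file" >&2
    done
}

# Constructed demo (not a real /etc/vpnc): build a throw-away hook tree,
# including a world-writable hook that must be skipped and the old-style
# single-file action reached through a compatibility hook of the kind
# dwmw2 describes, then run the post-connect hooks.
demo_hook_run() {
    VPNC_HOOK_DIR=$(mktemp -d) || return 1
    demo_dir="$VPNC_HOOK_DIR/post-connect.d"
    mkdir "$demo_dir"
    printf '%s\n' 'HOOK_RAN="${HOOK_RAN}a"'    > "$demo_dir/10-a"
    printf '%s\n' 'HOOK_RAN="${HOOK_RAN}b"'    > "$demo_dir/20-b"
    printf '%s\n' 'HOOK_RAN="${HOOK_RAN}EVIL"' > "$demo_dir/30-evil"
    printf '%s\n' \
        'vpnc_legacy="$VPNC_HOOK_DIR/vpnc-script-post-connect-action"' \
        'if [ -f "$vpnc_legacy" ]; then . "$vpnc_legacy"; fi' \
        > "$demo_dir/99-compat"
    printf '%s\n' 'HOOK_RAN="${HOOK_RAN}legacy"' \
        > "$VPNC_HOOK_DIR/vpnc-script-post-connect-action"
    chmod 0644 "$demo_dir/10-a" "$demo_dir/20-b" "$demo_dir/99-compat" \
        "$VPNC_HOOK_DIR/vpnc-script-post-connect-action"
    chmod 0666 "$demo_dir/30-evil"
    HOOK_RAN=""
    run_hooks post-connect
    rm -rf "$VPNC_HOOK_DIR"
    unset VPNC_HOOK_DIR
    echo "$HOOK_RAN"   # prints "ablegacy": 30-evil was refused
}

demo_hook_run
```

Because hooks are sourced rather than executed, a hook can `return` early and can change the caller's variables; that is what makes the old single-file actions work unchanged through the `99-compat` shim, but it is also why the ownership and mode check matters more here than for a `run-parts` style directory of executables.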
Re: Debian patches to vpnc
On Mon, Apr 23, 2012 at 01:26:01AM +0100, David Woodhouse wrote:
> On Sat, 2012-04-14 at 23:38 +0200, Florian Schlichting wrote:
> > The second patch, 03_vpnc-script.patch, adds hooks to vpnc-script that
> > allow users to customize the behaviour of vpnc-script in a way that
> > doesn't get lost when the package gets upgraded (and direct edits to
> > vpnc-script would be overwritten, or in Debian cause annoying
> > prompts).

> http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/1b65c39e

I notice that there's a new $reason, "reconnect", when is that being
called and doesn't it require anything else than calling a (usually
absent) hook?

Also, post-disconnect moved after destroy_tun_device, but I guess that
doesn't actually make a difference.

Are you aware of suggestions in the Debian BTS to override rather than
replace the default route (see http://bugs.debian.org/495911)? Also,
there's a request to check for and act on $CISCO_DEF_DOMAIN
independently of $INTERNAL_IP4_DNS (http://bugs.debian.org/460822) - I
thought you might like to look at them directly rather than me playing
go-between.

BTW is there a way to subscribe to new commits in vpnc-scripts.git by
email?

What's the relation of the other stuff in that repository (netunshare.c,
xinetd.netns.conf) to vpnc or openconnect?

Florian
Re: Debian patches to vpnc
On Wed, 2012-04-25 at 00:56 +0200, Florian Schlichting wrote:
> On Mon, Apr 23, 2012 at 01:26:01AM +0100, David Woodhouse wrote:
> > On Sat, 2012-04-14 at 23:38 +0200, Florian Schlichting wrote:
> > > The second patch, 03_vpnc-script.patch, adds hooks to vpnc-script that
> > > allow users to customize the behaviour of vpnc-script in a way that
> > > doesn't get lost when the package gets upgraded (and direct edits to
> > > vpnc-script would be overwritten, or in Debian cause annoying
> > > prompts).
>
> > http://git.infradead.org/users/dwmw2/vpnc-scripts.git/commitdiff/1b65c39e
>
> I notice that there's a new $reason, "reconnect", when is that being
> called and doesn't it require anything else than calling a (usually
> absent) hook?

That's being called when openconnect *reconnects* to the server. This
might happen after falling off one network and reconnecting to another,
and DHCP may have reinstated the default route through the local
network, instead of through the VPN.

My reaction to user complaints when that happened was "here's a
reconnect trigger. You can send me a patch to fix vpnc-script to cope".

> Are you aware of suggestions in the Debian BTS to override rather than
> replace the default route (see http://bugs.debian.org/495911)? Also,
> there's a request to check for and act on $CISCO_DEF_DOMAIN
> independently of $INTERNAL_IP4_DNS (http://bugs.debian.org/460822) - I
> thought you might like to look at them directly rather than me playing
> go-between.


> BTW is there a way to subscribe to new commits in vpnc-scripts.git by
> email?
>
> What's the relation of the other stuff in that repository (netunshare.c,
> xinetd.netns.conf) to vpnc or openconnect?

They're just there to support the other vpnc-scripts which do cunning
things like setting up the VPN in a separate network namespace that you
can SSH into with the '-D' option, to give you a SOCKS proxy talking to
the VPN, but without screwing with your local routing at all. And the
one which uses NAT64 to put the entire range of Legacy IP addresses from
the VPN into a tiny corner of the IPv6 address space so that again you
can access them without screwing with real network access.

--
dwmw2