[PATCH 3/4] allow custom routing table specification via hooks

Corey Hickey bugfood-ml at fatooh.org
Wed Aug 31 22:17:49 PDT 2016


Using hooks for this is a bit odd--a configuration file would make more
sense, but there currently isn't one. Should I add one?

This is useful on a host that functions as a router for clients that
need VPN access, in which case the router should not actually have
access by default.

In this case, the user will have to do further configuration to ensure
that clients traverse the specified routing table. For example, if
routing table "8" were to be used and client 192.168.0.2 should get a
VPN route:

    # ip rule add from 192.168.0.2 lookup 8

Setting up NAT is probably necessary as well:

    # iptables -t POSTROUTING -o "$TUNDEV" -j MASQUERADE

Signed-off-by: Corey Hickey <bugfood-ml at fatooh.org>
---
 vpnc-script | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/vpnc-script b/vpnc-script
index 8cf897b..5cf033a 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -90,6 +90,10 @@ fi
 
 # stupid SunOS: no blubber in /usr/local/bin ... (on stdout)
 IPROUTE="`which ip 2> /dev/null | grep '^/'`"
+# If you want to use a different table, then override this in the connect,
+# reconnent, and disconnect hooks. Note--this only works on systems with
+# the 'ip' command ($IPROUTE above).
+IPROUTE_TABLE=main
 
 if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
 	ifconfig_syntax_inet=""
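Review bot: `IPROUTE_TABLE=main` is a plain assignment, so the only way to pick another table is the hook override the new comment describes (assuming the hooks are sourced after this point, as the comment implies); a value exported in the caller's environment is clobbered. `IPROUTE_TABLE="${IPROUTE_TABLE:-main}"` keeps the default and lets either mechanism set it. The comment also has a typo, `reconnent` for `reconnect`. Since the table is honoured only in the `ip` branch, the `route`-command branch silently installs the VPN routes into the default table when a hook asked for another one, which is exactly the "router gets VPN access" outcome the description wants to avoid; a check there such as `[ "$IPROUTE_TABLE" = main ] || echo "IPROUTE_TABLE ignored: no ip command" >&2` would make that visible.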
@@ -222,18 +226,18 @@ if [ -n "$IPROUTE" ]; then
 	}
 
 	set_vpngateway_route() {
-		$IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
+		$IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output` table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	del_vpngateway_route() {
-		$IPROUTE route $route_syntax_del "$VPNGATEWAY"
+		$IPROUTE route $route_syntax_del "$VPNGATEWAY" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	set_default_route() {
 		$IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
-		$IPROUTE route replace default dev "$TUNDEV"
+		$IPROUTE route replace default dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
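Review bot: `set_default_route` saves the current default from `$IPROUTE route`, i.e. the main table, but replaces the default in `$IPROUTE_TABLE`; when a hook selects another table the saved entry is the main table's route, the custom table's own default (if any) is never recorded, and `reset_default_route` in the next hunk then writes the main table's default into the custom table on disconnect. Reading from the same table keeps save and restore symmetric: `$IPROUTE route show table "$IPROUTE_TABLE" | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"`. The output fields should match what `fix_ip_get_output` already parses, but that is worth confirming on the target systems. The enclosing `if [ -n "$IPROUTE" ]` block begins before this hunk.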
@@ -241,13 +245,13 @@ if [ -n "$IPROUTE" ]; then
 		NETWORK="$1"
 		NETMASK="$2"
 		NETMASKLEN="$3"
-		$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+		$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	reset_default_route() {
 		if [ -s "$DEFAULT_ROUTE_FILE" ]; then
-			$IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
+			$IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` table "$IPROUTE_TABLE"
 			$IPROUTE route flush cache
 			rm -f -- "$DEFAULT_ROUTE_FILE"
 		fi
@@ -257,32 +261,32 @@ if [ -n "$IPROUTE" ]; then
 		NETWORK="$1"
 		NETMASK="$2"
 		NETMASKLEN="$3"
-		$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+		$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	set_ipv6_default_route() {
 		# We don't save/restore IPv6 default route; just add a higher-priority one.
-		$IPROUTE -6 route add default dev "$TUNDEV" metric 1
+		$IPROUTE -6 route add default dev "$TUNDEV" metric 1 table "$IPROUTE_TABLE"
 		$IPROUTE -6 route flush cache
 	}
 
 	set_ipv6_network_route() {
 		NETWORK="$1"
 		NETMASKLEN="$2"
-		$IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+		$IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	reset_ipv6_default_route() {
-		$IPROUTE -6 route del default dev "$TUNDEV"
+		$IPROUTE -6 route del default dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE route flush cache
 	}
 
 	del_ipv6_network_route() {
 		NETWORK="$1"
 		NETMASKLEN="$2"
-		$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV"
+		$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$TUNDEV" table "$IPROUTE_TABLE"
 		$IPROUTE -6 route flush cache
 	}
 else # use route command
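Review bot: The comment on `set_ipv6_default_route` ("just add a higher-priority one") now describes only the `main` case; with a hook-selected table the `metric 1` route is likely the sole default in that table, and the function still neither saves nor restores anything there. Suggest rewording it, e.g. `# No save/restore of the IPv6 default; add one to $IPROUTE_TABLE (metric 1 so it beats any existing default there)`. Separately, `set_ipv6_network_route` and `reset_ipv6_default_route` flush the IPv4 cache (`$IPROUTE route flush cache` without `-6`), a pre-existing inconsistency with the neighbouring IPv6 functions that this patch touches but does not fix. The `route`-command branch that begins at the last line of this hunk lies outside the diff.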
-- 
2.9.3



