[PATCH] vpnc-script: add dnsmasq split-horizon DNS support
Joe MacDonald
joe_macdonald at mentor.com
Tue Jun 24 07:56:59 PDT 2014
Attempt to determine if dnsmasq is being used to manage name resolution
and, if so, update the configuration with VPN-supplied DNS information.
Signed-off-by: Joe MacDonald <joe_macdonald at mentor.com>
---
Adding any level of dnsmasq interaction makes it pretty easy to set up
best-effort split-horizon DNS. This does depend on having resolvconf
managing things as well, but the concept should apply equally well to a
non-resolvconf scenario. It just seemed easiest and least invasive to
create / remove the dnsmasq.d configuration piece in the
*_resolvconf_manager() functions. I try to err on the side of asking the
VPN DNS more often rather than less but still use the
previously-configured resolver for what looks like non-VPN traffic.
vpnc-script | 54 +++++++++++++++++++++++++++++++++++++++++++++++-------
1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/vpnc-script b/vpnc-script
index 79cf6e2..bbde4cd 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -360,6 +360,22 @@ fi
# =========== resolv.conf handling for any OS =========================
+do_restart_dnsmasq() {
+ SERVICE=`which service`
+ if [ -x $SERVICE ] ; then
+ $SERVICE dnsmasq restart
+ else
+ if [ -x /etc/init.d/dnsmasq ] ; then
+ /etc/init.d/dnsmasq restart
+ else
+ SYSTEMCTL=`which systemctl`
+ if [ -x $SYSTEMCTL ] ; then
+ $SYSTEMCTL restart dnsmasq
+ fi
+ fi
+ fi
+}
+
modify_resolvconf_generic() {
grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 || cp -- /etc/resolv.conf "$RESOLV_CONF_BACKUP"
NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc
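Review bot: In do_restart_dnsmasq the `[ -x $SERVICE ]` test is true when `which service` finds nothing, because the unquoted empty expansion leaves `[ -x ]`, a one-argument test that succeeds on any non-empty string; the script then runs `dnsmasq restart` directly and never reaches the init.d or systemctl branches. The `[ -x $SYSTEMCTL ]` test a few lines down has the same flaw, and when both lookups fail the function silently does nothing, so the freshly written fragment is never loaded. Quoting and using `command -v` fixes both: `SERVICE=$(command -v service)` followed by `if [ -n "$SERVICE" ] && [ -x "$SERVICE" ]; then`, and likewise for SYSTEMCTL. The hunk ends inside modify_resolvconf_generic, whose body continues outside it.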
@@ -542,19 +558,43 @@ restore_resolvconf_openwrt() {
modify_resolvconf_manager() {
NEW_RESOLVCONF=""
- for i in $INTERNAL_IP4_DNS; do
- NEW_RESOLVCONF="$NEW_RESOLVCONF
+ if [[ -d /etc/dnsmasq.d/ && `pgrep dnsmasq` ]] ;
+ then
+ # the system has dnsmasq installed and appears to be using it so inform
+ # dnsmasq about the new servers and domains
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ # limit searching the VPN servers for only VPN addresses, but it is
+ # better to cast too wide a net on this than miss VPN address lookups.
+ VPN_DNS=`echo $CISCO_DEF_DOMAIN | awk -F. '{ print "/" $(NF-1) "." $NF "/" }'`
+ fi
+ for i in $INTERNAL_IP4_DNS; do
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
+server=$VPN_DNS$i"
+ done
+ echo "$NEW_RESOLVCONF" > /etc/dnsmasq.d/$TUNDEV.conf
+ # inform dnsmasq that there is a new configuraiton fragment to consider.
+ do_restart_dnsmasq
+ else
+ for i in $INTERNAL_IP4_DNS; do
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
- done
- if [ -n "$CISCO_DEF_DOMAIN" ]; then
- NEW_RESOLVCONF="$NEW_RESOLVCONF
+ done
+ if [ -n "$CISCO_DEF_DOMAIN" ]; then
+ NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN"
+ fi
+ echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
fi
- echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
}
restore_resolvconf_manager() {
- /sbin/resolvconf -d $TUNDEV
+ if [[ -d /etc/dnsmasq.d/ && `pgrep dnsmasq` ]] ;
+ then
+ rm -f /etc/dnsmasq.d/$TUNDEV.conf
+ do_restart_dnsmasq
+ else
+ /sbin/resolvconf -d $TUNDEV
+ fi
}
# ========= Toplevel state handling =======================================
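Review bot: The `server=$VPN_DNS$i` lines written to /etc/dnsmasq.d/$TUNDEV.conf embed CISCO_DEF_DOMAIN, a value supplied by the VPN gateway, without any validation, so a domain containing `/`, `#` or a newline changes the meaning of the fragment or adds further dnsmasq directives; a guard such as `case $CISCO_DEF_DOMAIN in *[!A-Za-z0-9.-]*) VPN_DNS= ;; esac` before the awk call keeps the file to one well-formed `server=` line per resolver. The awk expression also reduces the domain to its last two labels, so a default domain like `corp.example.co.uk` would send every `.co.uk` lookup to the VPN resolver, which is wider than the split-horizon the description intends. restore_resolvconf_manager decides between `rm -f` and `resolvconf -d` by running `pgrep dnsmasq` again, so if dnsmasq has started or stopped since connect time the other branch runs and either the fragment or the resolvconf entry is left behind; testing for the fragment itself, `if [ -f /etc/dnsmasq.d/$TUNDEV.conf ]; then`, ties restore to what modify actually did. The `[[ ... ]]` tests in both functions are bash syntax; if vpnc-script is run under /bin/sh they should be written as `[ -d /etc/dnsmasq.d/ ] && pgrep dnsmasq >/dev/null`.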
--
1.7.10.4