[PATCH 3/4] Support split-exclude rules from Pulse gateway

Wed Oct 11 13:40:01 PDT 2017

The vpnc-script used by OpenConnect only supports "split include" rules (default
route unchanged, specific VPN routes added). We add support for Pulse's "split
exclude" rules (default route to VPN, exclude rules for targets to be connected
via normal uplink).

Tested on OpenSUSE 42.2 using ip and route command. IPv6 part completely untested.

Signed-off-by: Gernot Hillier <gernot.hillier at siemens.com>
---
 vpnc-script | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/vpnc-script b/vpnc-script
index d04bba9..50ce252 100755
--- a/vpnc-script
+++ b/vpnc-script
@@ -818,6 +818,18 @@ do_connect() {
 	elif [ -n "$INTERNAL_IP4_ADDRESS" ]; then
 		set_default_route
 	fi
+	if [ -n "$CISCO_SPLIT_EXC" ]; then
+		i=0
+		UPLINKGW=`get_uplink_gw`
+		UPLINKDEV=`get_uplink_dev`
+		while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+			eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+			eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+			eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+			set_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$UPLINKDEV" "$UPLINKGW"
+			i=`expr $i + 1`
+		done
+	fi
 	if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
 		i=0
 		while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
@@ -838,6 +850,18 @@ do_connect() {
 	elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
 		set_ipv6_default_route
 	fi
+	if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+		# untested
+		i=0
+		UPLINKGW=`get_uplink_gw`
+		UPLINKDEV=`get_uplink_dev`
+		while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+			eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+			eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+			set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$UPLINKDEV" "$UPLINKGW"
+			i=`expr $i + 1`
+		done
+	fi
 
 	if [ -n "$INTERNAL_IP4_DNS" ]; then
 		$MODIFYRESOLVCONF
@@ -866,6 +890,18 @@ do_disconnect() {
 	else
 		reset_default_route
 	fi
+	if [ -n "$CISCO_SPLIT_EXC" ]; then
+		i=0
+		UPLINKGW=`get_uplink_gw`
+		UPLINKDEV=`get_uplink_dev`
+		while [ $i -lt $CISCO_SPLIT_EXC ] ; do
+			eval NETWORK="\${CISCO_SPLIT_EXC_${i}_ADDR}"
+			eval NETMASK="\${CISCO_SPLIT_EXC_${i}_MASK}"
+			eval NETMASKLEN="\${CISCO_SPLIT_EXC_${i}_MASKLEN}"
+			del_network_route "$NETWORK" "$NETMASK" "$NETMASKLEN" "$UPLINKDEV" "$UPLINKGW"
+			i=`expr $i + 1`
+		done
+	fi
 	if [ -n "$CISCO_IPV6_SPLIT_INC" ]; then
 		i=0
 		while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
@@ -884,6 +920,18 @@ do_disconnect() {
 	elif [ -n "$INTERNAL_IP6_NETMASK" -o -n "$INTERNAL_IP6_ADDRESS" ]; then
 		reset_ipv6_default_route
 	fi
+	if [ -n "$CISCO_IPV6_SPLIT_EXC" ]; then
+		i=0
+		UPLINKGW=`get_uplink_gw`
+		UPLINKDEV=`get_uplink_dev`
+		while [ $i -lt $CISCO_IPV6_SPLIT_EXC ] ; do
+			eval NETWORK="\${CISCO_IPV6_SPLIT_EXC_${i}_ADDR}"
+			eval NETMASKLEN="\${CISCO_IPV6_SPLIT_EXC_${i}_MASKLEN}"
+			del_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$UPLINKDEV" "$UPLINKGW"
+			i=`expr $i + 1`
+		done
+	fi
+
 
 	del_vpngateway_route
 
-- 
2.12.3


