Handle default Legacy IP route for Pulse as for GP and oNCP
If a default Legacy IP route is specified as a "split"-include route, then
we should use that route as the Legacy IP netmask, and add the original
netmask as a split (if it's anything other than 255.255.255.255 or /32).
Signed-off-by: Daniel Lenski <email address hidden>
Handle default Legacy IP route for oNCP as we do for GP
If a default Legacy IP route is specified as a "split"-include route, then
we should use that route as the Legacy IP netmask, and add the original
netmask as a split (if it's anything other than 255.255.255.255 or /32).
This patch factors out the function finalize_netmask_fixing_default_route_as_split()
from gpst.c and makes it a global internal function, so that the mechanism
can be shared.
Signed-off-by: Daniel Lenski <email address hidden>
Do not ignore 0.0.0.0/0 specified as a "split"-{in,ex}clude route for oNCP
This addresses https://gitlab.com/openconnect/openconnect/-/issues/245. In the case
presented there, the oNCP server sends a Legacy IP netmask ("default route") of
255.255.255.255, and a "split"-include route of 0.0.0.0/0.0.0.0:
> Received split include route 0.0.0.0/0.0.0.0
> Received netmask 255.255.255.255
We also should not ignore 0.0.0.0/0 if specified as a "split"-exclude route, though
the purpose of such a route is unclear and we have never seen one in the wild.
Next, we should handle this case in the same way that we do for GlobalProtect,
as of https://gitlab.com/openconnect/openconnect/-/merge_requests/118; namely,
by replacing the 255.255.255.255 netmask with the 0.0.0.0/0 sent as a "split"-include,
and removing the latter from the list of split-includes.
Signed-off-by: Daniel Lenski <email address hidden>
Signed-off-by: Daniel Lenski <email address hidden>
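The netmask fix-up described in the commit messages above, as an added example that is not openconnect's code: the struct, the function name and the sample address are hypothetical. It assumes netmasks are stored as dotted quads and that "adding the original netmask as a split" means re-adding the route address/original-netmask.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SPLITS 8

struct ip_cfg {                  /* hypothetical, not openconnect's struct */
    char addr[16];               /* dotted quad */
    char netmask[16];            /* dotted quad */
    char splits[MAX_SPLITS][40]; /* split-include routes, "net/mask" */
    int nsplits;
};

static int is_default_route(const char *r)
{
    return !strcmp(r, "0.0.0.0/0") || !strcmp(r, "0.0.0.0/0.0.0.0");
}

/* Returns 1 if a default route sent as a split-include became the netmask. */
int fix_default_route_as_split(struct ip_cfg *c)
{
    char orig[16];
    int i, j = 0, found = 0;

    /* Drop every 0.0.0.0/0 entry, compacting the remaining routes. */
    for (i = 0; i < c->nsplits; i++) {
        if (is_default_route(c->splits[i]))
            found = 1;
        else
            memmove(c->splits[j++], c->splits[i], sizeof c->splits[0]);
    }
    if (!found)
        return 0;
    c->nsplits = j;

    strcpy(orig, c->netmask);
    strcpy(c->netmask, "0.0.0.0");
    /* Keep the old subnet as a split unless it was a host mask. At least
     * one entry was removed above, so there is always room for it. */
    if (strcmp(orig, "255.255.255.255"))
        snprintf(c->splits[c->nsplits++], sizeof c->splits[0], "%s/%s", c->addr, orig);
    return 1;
}

int main(void)
{
    /* Constructed input modelled on the case in the commit message. */
    struct ip_cfg c = { "192.0.2.10", "255.255.255.255", { "0.0.0.0/0.0.0.0" }, 1 };
    printf("changed=%d ", fix_default_route_as_split(&c));
    printf("netmask=%s splits=%d\n", c.netmask, c.nsplits);
    return 0;
}
```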
d1267ec...
by
David Overton <email address hidden>
Pulse: handle 0x2e20f000 main configuration packet
This packet type was received upon attempting to connect to a
Pulse 9.1R14 server (with IPv6 enabled, though this may not
be relevant).
Upon receiving this packet we previously bailed out and failed
back to the user with:
    Unexpected IF-T/TLS packet when expecting configuration
The "new" config packet packs what appears to be a second
attributes section in front of the legacy routing block. It
is not yet clear what the single example attribute seen so
far (0x4025) is for (perhaps it is to indicate the presence
or absence of the legacy routing block?).
Signed-off-by: Daniel Lenski <email address hidden>
52d1c67...
by
David Overton <email address hidden>
Bugfix Legacy IP split include/exclude routes for Pulse
In 3d845bc9b, routing configuration was modified to use the `new_ip_info`
and `install_vpn_opts()`. Pulse IPv6 split include/exclude handling was
modified accordingly in that commit, but Legacy IP split include/exclude
routes were overlooked.
Since `install_vpn_opts()` clobbers the split include/exclude routes, this
means Legacy IP split routes for Pulse have been ignored since then.