This patch adds a script/plug-in hook which is called right before the
network routes are taken down. This gives external processes a
possibility to tear down communication over the VPN before the VPN
disappears.
One use case can be to mount a networked file system over the VPN via
--route-up, and then to unmount this file system via --route-pre-down.
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -1583,8 +1583,25 @@ do_close_tun (struct context *c, bool force) |
1583 | 1583 |
|
1584 | 1584 |
/* delete any routes we added */ |
1585 | 1585 |
if (c->c1.route_list || c->c1.route_ipv6_list ) |
1586 |
- delete_routes (c->c1.route_list, c->c1.route_ipv6_list, |
|
1587 |
- c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); |
|
1586 |
+ { |
|
1587 |
+ run_up_down (c->options.route_predown_script, |
|
1588 |
+ c->plugins, |
|
1589 |
+ OPENVPN_PLUGIN_ROUTE_PREDOWN, |
|
1590 |
+ tuntap_actual, |
|
1591 |
+ NULL, |
|
1592 |
+ TUN_MTU_SIZE (&c->c2.frame), |
|
1593 |
+ EXPANDED_SIZE (&c->c2.frame), |
|
1594 |
+ print_in_addr_t (local, IA_EMPTY_IF_UNDEF, &gc), |
|
1595 |
+ print_in_addr_t (remote_netmask, IA_EMPTY_IF_UNDEF, &gc), |
|
1596 |
+ "init", |
|
1597 |
+ signal_description (c->sig->signal_received, |
|
1598 |
+ c->sig->signal_text), |
|
1599 |
+ "route-pre-down", |
|
1600 |
+ c->c2.es); |
|
1601 |
+ |
|
1602 |
+ delete_routes (c->c1.route_list, c->c1.route_ipv6_list, |
|
1603 |
+ c->c1.tuntap, ROUTE_OPTION_FLAGS (&c->options), c->c2.es); |
|
1604 |
+ } |
|
1588 | 1605 |
|
1589 | 1606 |
/* actually close tun/tap device based on --down-pre flag */ |
1590 | 1607 |
if (!c->options.down_pre) |
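Review bot: The `run_up_down` call added ahead of `delete_routes` is synchronous and its outcome is not examined in this hunk, so route removal and the tun/tap close below wait on whatever the route-pre-down script or plug-in does. The use case in the description (unmounting a networked file system) is one that can block, and whether `run_up_down` aborts on a failing hook is not visible here; if it does, the routes would stay installed. I would record the contract above the call, e.g. `/* route-pre-down: runs with routes still up; must not prevent delete_routes() below */`, and confirm that failure handling matches it. `do_close_tun` begins and ends outside the hunk, so `tuntap_actual`, `local`, `remote_netmask` and `gc` are assumed to be set earlier in the function.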
... | ... |
@@ -108,7 +108,8 @@ |
108 | 108 |
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2 9 |
109 | 109 |
#define OPENVPN_PLUGIN_TLS_FINAL 10 |
110 | 110 |
#define OPENVPN_PLUGIN_ENABLE_PF 11 |
111 |
-#define OPENVPN_PLUGIN_N 12 |
|
111 |
+#define OPENVPN_PLUGIN_ROUTE_PREDOWN 12 |
|
112 |
+#define OPENVPN_PLUGIN_N 13 |
|
112 | 113 |
|
113 | 114 |
/* |
114 | 115 |
* Build a mask out of a set of plug-in types. |
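Review bot: `OPENVPN_PLUGIN_ROUTE_PREDOWN` is added with no description of when it fires or what a plug-in's return value means for the teardown, and `OPENVPN_PLUGIN_N` moves from 12 to 13 in a header that plug-ins compile against. A short comment on the define would help plug-in authors, e.g. `/* called right before routes are removed; see --route-pre-down */`. If the header lists per-event arguments elsewhere (not visible in this hunk), that list needs the new entry too.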
... | ... |
@@ -5194,6 +5194,10 @@ as defined by the |
5194 | 5194 |
option. |
5195 | 5195 |
.\"********************************************************* |
5196 | 5196 |
.TP |
5197 |
+.B \-\-route-pre-down |
|
5198 |
+Executed right before the routes are removed. |
|
5199 |
+.\"********************************************************* |
|
5200 |
+.TP |
|
5197 | 5201 |
.B \-\-client-disconnect |
5198 | 5202 |
Executed in |
5199 | 5203 |
.B \-\-mode server |
... | ... |
@@ -216,6 +216,7 @@ static const char usage_message[] = |
216 | 216 |
" be added immediately after tun/tap open. On Windows, wait\n" |
217 | 217 |
" up to w seconds for TUN/TAP adapter to come up.\n" |
218 | 218 |
"--route-up cmd : Execute shell cmd after routes are added.\n" |
219 |
+ "--route-pre-down cmd : Execute shell cmd before routes are removed.\n" |
|
219 | 220 |
"--route-noexec : Don't add routes automatically. Instead pass routes to\n" |
220 | 221 |
" --route-up script using environmental variables.\n" |
221 | 222 |
"--route-nopull : When used with --client or --pull, accept options pushed\n" |
... | ... |
@@ -2739,6 +2740,8 @@ options_postprocess_filechecks (struct options *options) |
2739 | 2739 |
R_OK|X_OK, "--ipchange script"); |
2740 | 2740 |
errs |= check_file_access (CHKACC_FILE, options->route_script, |
2741 | 2741 |
R_OK|X_OK, "--route-up script"); |
2742 |
+ errs |= check_file_access (CHKACC_FILE, options->route_predown_script, |
|
2743 |
+ R_OK|X_OK, "--route-pre-down script"); |
|
2742 | 2744 |
errs |= check_file_access (CHKACC_FILE, options->learn_address_script, |
2743 | 2745 |
R_OK|X_OK, "--learn-address script"); |
2744 | 2746 |
#endif /* P2MP_SERVER */ |
... | ... |
@@ -5217,6 +5220,14 @@ add_option (struct options *options, |
5217 | 5217 |
warn_multiple_script (options->route_script, "route-up"); |
5218 | 5218 |
options->route_script = p[1]; |
5219 | 5219 |
} |
5220 |
+ else if (streq (p[0], "route-pre-down") && p[1]) |
|
5221 |
+ { |
|
5222 |
+ VERIFY_PERMISSION (OPT_P_SCRIPT); |
|
5223 |
+ if (!no_more_than_n_args (msglevel, p, 2, NM_QUOTE_HINT)) |
|
5224 |
+ goto err; |
|
5225 |
+ warn_multiple_script (options->route_predown_script, "route-pre-down"); |
|
5226 |
+ options->route_predown_script = p[1]; |
|
5227 |
+ } |
|
5220 | 5228 |
else if (streq (p[0], "route-noexec")) |
5221 | 5229 |
{ |
5222 | 5230 |
VERIFY_PERMISSION (OPT_P_SCRIPT); |
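Review bot: The `check_file_access` call added in `options_postprocess_filechecks` tests `R_OK|X_OK` on `route_predown_script` when options are processed, but the hook executes at tunnel teardown, so the check says nothing about whether the script is still reachable and runnable at that point. If the process has changed user, group or root directory in between (presumably possible here, as with other teardown hooks; confirm), the script runs with the reduced rights and an unmount like the one in the description may fail. I would note this next to the check, e.g. `/* checked at startup only; the hook runs at teardown with the privileges left at that point */`, and mention it in the `--route-pre-down` usage line or man entry. The `add_option` branch mirrors the `route-up` one, including `VERIFY_PERMISSION (OPT_P_SCRIPT)`; both functions continue outside their hunks.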