[ocserv/epel7] Ship a default ocserv-script, which will put connecting clients into the internal firewall zone.
Nikos Mavrogiannopoulos
nmav at fedoraproject.org
Mon Oct 27 10:06:52 UTC 2014
commit 0497931d6c930fcd0c9f80f841288d8eb5cea745
Author: Nikos Mavrogiannopoulos <nmav at redhat.com>
Date: Tue Sep 9 16:18:55 2014 +0200
Ship a default ocserv-script, which will put connecting clients into the internal firewall zone.
ocserv-script | 10 ++++++++++
ocserv.conf | 7 +++----
ocserv.spec | 10 +++++++++-
3 files changed, 22 insertions(+), 5 deletions(-)
---
diff --git a/ocserv-script b/ocserv-script
new file mode 100755
index 0000000..b3e2061
--- /dev/null
+++ b/ocserv-script
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+if [ "$REASON" = "connect" ];then
+ # add the user's interface into the internal zone
+ firewall-cmd --zone=internal --add-interface=$DEVICE
+else
+ firewall-cmd --zone=internal --remove-interface=$DEVICE
+fi
+
+exit 0
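Review bot: `$DEVICE` is expanded unquoted on both firewall-cmd lines, so an unset or empty variable becomes `--add-interface=` / `--remove-interface=` and the script still exits 0; quote it and bail out early when it is missing, e.g. `[ -n "$DEVICE" ] || exit 0` before the `if`, then `firewall-cmd --zone=internal --add-interface="$DEVICE"` and the matching `--remove-interface="$DEVICE"`. The unconditional `exit 0` also hides a failing firewall-cmd (firewalld not running, zone absent) from ocserv; if that is deliberate so a firewall hiccup never blocks a connection, a one-line comment saying so would help, and sending the failure to `logger` would keep it visible in the journal. The `else` branch fires for any REASON other than connect, which is fine given the conf comment restricts REASON to connect or disconnect.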
diff --git a/ocserv.conf b/ocserv.conf
index 44872d5..b554b1d 100644
--- a/ocserv.conf
+++ b/ocserv.conf
@@ -151,8 +151,8 @@ rekey-method = ssl
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
+#connect-script = /usr/bin/ocserv-script
+#disconnect-script = /usr/bin/ocserv-script
# UTMP
use-utmp = true
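Review bot: The commented-out example now points at /usr/bin/ocserv-script, but nothing in the surrounding comment says what that script does, and enabling it moves every client's tun device into firewalld's "internal" zone and only works when firewalld is running. A line such as `# The shipped /usr/bin/ocserv-script adds the client device to firewalld's "internal" zone (requires firewalld).` above the two keys would save admins a trip to the script. Pointing both connect-script and disconnect-script at the same file is consistent with the script branching on REASON.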
@@ -285,8 +285,7 @@ route = 192.168.1.0/255.255.255.0
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
-# ocserv to scan all available groups and include the full list. That
-# option is only functional on plain authentication.
+# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# The system command to use to setup a route. %R will be replaced with the
diff --git a/ocserv.spec b/ocserv.spec
index 5b65b0e..e154d9d 100644
--- a/ocserv.spec
+++ b/ocserv.spec
@@ -1,6 +1,6 @@
Name: ocserv
Version: 0.8.4
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: OpenConnect SSL VPN server
# For a breakdown of the licensing, see PACKAGE-LICENSING
@@ -14,6 +14,7 @@ Source3: ocserv-pamd.conf
Source4: PACKAGE-LICENSING
Source6: ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
Source7: ocserv-genkey
+Source8: ocserv-script
# Taken from upstream:
# http://git.infradead.org/ocserv.git/commitdiff/7d70006a2dbddf783213f1856374bacc74217e09
@@ -111,6 +112,8 @@ mkdir -p %{buildroot}%{_localstatedir}/lib/ocserv/
install -p -m 644 doc/profile.xml %{buildroot}%{_localstatedir}/lib/ocserv/
mkdir -p %{buildroot}/%{_sbindir}
install -p -m 755 %{SOURCE7} %{buildroot}/%{_sbindir}
+mkdir -p %{buildroot}/%{_bindir}
+install -p -m 755 %{SOURCE8} %{buildroot}/%{_bindir}
%make_install
%clean
@@ -132,12 +135,17 @@ rm -rf %{buildroot}
%{_mandir}/man8/ocpasswd.8*
%{_bindir}/ocpasswd
%{_bindir}/occtl
+%{_bindir}/ocserv-script
%{_sbindir}/ocserv
%{_sbindir}/ocserv-genkey
%{_unitdir}/ocserv.service
%{_localstatedir}/lib/ocserv/profile.xml
%changelog
+* Thu Sep 09 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.8.4-2
+- Ship a default ocserv-script, which will put connecting clients
+ into the internal firewall zone.
+
* Thu Aug 28 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.8.4-1
- New upstream release
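Review bot: The new %changelog entry is dated `Thu Sep 09 2014`, but 9 September 2014 was a Tuesday (the commit's own Date line says Tue Sep 9), so rpmbuild will warn about a bogus date in the changelog; change it to `* Tue Sep 09 2014 Nikos Mavrogiannopoulos <nmav at redhat.com> - 0.8.4-2`. The install line in the earlier hunk writes `%{buildroot}/%{_bindir}`, which mirrors the existing sbindir line but yields a double slash; `%{buildroot}%{_bindir}` is the conventional form. If the spec does not already carry a runtime dependency on firewalld (not visible in these hunks), a `Requires: firewalld` is worth considering, since the shipped script calls firewall-cmd.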