diff options
| author | kali <kali@leap.se> | 2013-01-16 01:33:50 +0900 |
|---|---|---|
| committer | kali <kali@leap.se> | 2013-01-16 01:33:50 +0900 |
| commit | 67506fe6ba55ac7eaf4cbfd3606bff34a1214c11 (patch) | |
| tree | 1d6fc2b21a1d482401e3bb1264a82cdf44daadd7 | |
| parent | 9c260efd6f9821f5d97cc426f501203bfc8a1fde (diff) | |
add update resolv.conf script
| -rw-r--r-- | pkg/linux/leap-update-resolv-conf | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/pkg/linux/leap-update-resolv-conf b/pkg/linux/leap-update-resolv-conf new file mode 100644 index 00000000..a54802e3 --- /dev/null +++ b/pkg/linux/leap-update-resolv-conf @@ -0,0 +1,90 @@ +#!/bin/bash +# +# Parses options from openvpn to update resolv.conf +# +# The only way to enforce that a linux system will not leak DNS +# queries is to replace /etc/resolv.conf with a file that only +# has the DNS resolver specified by the VPN. +# +# That is what this script does. This is what resolvconf is for, +# but sadly it does not always work. +# +# Example envs set from openvpn: +# foreign_option_1='dhcp-option DNS 193.43.27.132' +# foreign_option_2='dhcp-option DNS 193.43.27.133' +# foreign_option_3='dhcp-option DOMAIN be.bnc.ch' +# + +function up() { + + comment=$( +cat <<SETVAR +# +# This is a temporary resolv.conf set by the LEAP Client in order to +# strictly enforce that DNS lookups are secured by the VPN. +# +# When the LEAP Client quits or the VPN connection it manages is dropped, +# this file will be replace with the regularly scheduled /etc/resolv.conf +# +# If you want custom entries to appear in this file while LEAP is running, +# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files +# should only be writable by root. +# + +SETVAR +) + + if [ -f /etc/leap/resolv-head ] ; then + custom_head=$(cat /etc/leap/resolv-head) + else + custom_head="" + fi + + if [ -f /etc/leap/resolv-tail ] ; then + custom_tail=$(cat /etc/leap/resolv-tail) + else + custom_tail="" + fi + + for optionname in ${!foreign_option_*} ; do + option="${!optionname}" + echo $option + part1=$(echo "$option" | cut -d " " -f 1) + if [ "$part1" == "dhcp-option" ] ; then + part2=$(echo "$option" | cut -d " " -f 2) + part3=$(echo "$option" | cut -d " " -f 3) + if [ "$part2" == "DNS" ] ; then + IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3" + fi + if [ "$part2" == "DOMAIN" ] ; then + IF_DNS_SEARCH="$IF_DNS_SEARCH $part3" + fi + fi + done + R="" + for SS in $IF_DNS_SEARCH ; do + R="${R}search $SS +" + done + for NS in $IF_DNS_NAMESERVERS ; do + R="${R}nameserver $NS +" + done + mv /etc/resolv.conf /etc/resolv.conf.bak + echo "$comment +$custom_head +$R +$custom_tail" > /etc/resolv.conf +} + +function down() { + if [ -f /etc/resolv.conf.bak ] ; then + unlink /etc/resolv.conf + mv /etc/resolv.conf.bak /etc/resolv.conf + fi +} + +case $script_type in + up) up ;; + down) down ;; +esac |