From 67506fe6ba55ac7eaf4cbfd3606bff34a1214c11 Mon Sep 17 00:00:00 2001
From: kali <kali@leap.se>
Date: Wed, 16 Jan 2013 01:33:50 +0900
Subject: add update resolv.conf script

---
 pkg/linux/leap-update-resolv-conf | 90 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 pkg/linux/leap-update-resolv-conf

diff --git a/pkg/linux/leap-update-resolv-conf b/pkg/linux/leap-update-resolv-conf
new file mode 100644
index 00000000..a54802e3
--- /dev/null
+++ b/pkg/linux/leap-update-resolv-conf
@@ -0,0 +1,90 @@
+#!/bin/bash
+#
+# Parses options from openvpn to update resolv.conf
+#
+# The only way to enforce that a linux system will not leak DNS
+# queries is to replace /etc/resolv.conf with a file that only
+# has the DNS resolver specified by the VPN.
+#
+# That is what this script does. This is what resolvconf is for,
+# but sadly it does not always work.
+#
+# Example envs set from openvpn:
+# foreign_option_1='dhcp-option DNS 193.43.27.132'
+# foreign_option_2='dhcp-option DNS 193.43.27.133'
+# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
+#
+
+function up() {
+
+  comment=$(
+cat <<SETVAR
+#
+# This is a temporary resolv.conf set by the LEAP Client in order to
+# strictly enforce that DNS lookups are secured by the VPN.
+#
+# When the LEAP Client quits or the VPN connection it manages is dropped,
+# this file will be replace with the regularly scheduled /etc/resolv.conf
+#
+# If you want custom entries to appear in this file while LEAP is running,
+# put them in /etc/leap/resolv-head or /etc/leap/resolv-tail. These files
+# should only be writable by root.
+#
+
+SETVAR
+)
+
+  if [ -f /etc/leap/resolv-head ] ; then
+    custom_head=$(cat /etc/leap/resolv-head)
+  else
+    custom_head=""
+  fi
+
+  if [ -f /etc/leap/resolv-tail ] ; then
+    custom_tail=$(cat /etc/leap/resolv-tail)
+  else
+    custom_tail=""
+  fi
+
+  for optionname in ${!foreign_option_*} ; do
+    option="${!optionname}"
+    echo $option
+    part1=$(echo "$option" | cut -d " " -f 1)
+    if [ "$part1" == "dhcp-option" ] ; then
+      part2=$(echo "$option" | cut -d " " -f 2)
+      part3=$(echo "$option" | cut -d " " -f 3)
+      if [ "$part2" == "DNS" ] ; then
+        IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
+      fi
+      if [ "$part2" == "DOMAIN" ] ; then
+        IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
+      fi
+    fi
+  done
+  R=""
+  for SS in $IF_DNS_SEARCH ; do
+          R="${R}search $SS
+"
+  done
+  for NS in $IF_DNS_NAMESERVERS ; do
+          R="${R}nameserver $NS
+"
+  done
+  mv /etc/resolv.conf /etc/resolv.conf.bak
+  echo "$comment
+$custom_head
+$R
+$custom_tail" > /etc/resolv.conf
+}
+
+function down() {
+  if [ -f /etc/resolv.conf.bak ] ; then
+    unlink /etc/resolv.conf
+    mv /etc/resolv.conf.bak /etc/resolv.conf
+  fi
+}
+
+case $script_type in
+  up)   up   ;;
+  down) down ;;
+esac
-- 
cgit v1.2.3