Accepting request 1059390 from home:mgerstner:branches:network:vpn

- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
  installed into /etc by a more tailored mechanism. Enabling IP routing
  globally and permanently, just because the package is installed is quite
  invasive. This new script will be invoked before and after the ocserv
  service to switch on and off forwarding, if necessary (bsc#1174722).

OBS-URL: https://build.opensuse.org/request/show/1059390
OBS-URL: https://build.opensuse.org/package/show/network:vpn/ocserv?expand=0&rev=45

ocserv-forwarding.sh

@@ -0,0 +1,89 @@
+#!/bin/bash
+
+set -o errexit
+
+# This script enables IP forwarding only for the time of ocserv running
+#
+# The script should be run as a pre and post script via the systemd service
+# unit.
+#
+# It only touches a sysctl if it doesn't have the required value and is able
+# to restore it back to the original value by keeping track of changed
+# settings in a state file.
+
+STATEDIR="/run/ocserv"
+STATEFILE="$STATEDIR/changed_sysctls"
+# the sysctls that need to be at '1' for ocserv to work properly
+CONTROLS=("net.ipv4.ip_forward" "net.ipv6.conf.default.forwarding" "net.ipv6.conf.all.forwarding")
+
+errecho() {
+	echo $* 1>&2
+}
+
+usage() {
+	errecho "Usage: $0 [--enable|--disable]"
+	errecho
+	errecho "--enable: enable IP forwarding kernel settings, if necessary"
+	errecho "--disable: restore IP forwarding kernel settings that have previously been changed via --enable"
+	errecho
+	errecho "This script temporarily enables IP forwarding while ocserv is running"
+	exit 1
+}
+
+# make sure we don't create anything world readable for other users
+umask 077
+
+if [ $# -ne 1 ]; then
+	usage
+fi
+
+SYSCTL=`which sysctl`
+if [ -z "$SYSCTL" ]; then
+	errecho "Couldn't find 'sysctl'. You need to be root to run this script."
+	exit 1
+fi
+
+operation="$1"
+
+if [ "$operation" = "-h" -o "$operation" = "--help" ]; then
+	usage
+elif [ "$operation" = "--enable" ]; then
+	changed=()
+	for control in ${CONTROLS[@]}; do
+		val=$($SYSCTL -n "$control")
+		if [ $? -ne 0 ]; then
+			errecho "failed to run sysctl"
+			exit 2
+		fi
+
+		if [ "$val" -eq 0 ]; then
+			echo -n "enabling $control: "
+			$SYSCTL "${control}=1"
+			if [ $? -eq 0 ]; then
+				changed+=("$control")
+			fi
+		fi
+	done
+
+	if (( ${#changed[@]} )); then
+		mkdir -p "$STATEDIR"
+		for changed in ${changed[@]}; do
+			echo "$changed" >>"$STATEFILE"
+		done
+	fi
+elif [ "$operation" = "--disable" ]; then
+	if [ ! -f "$STATEFILE" ]; then
+		# nothing to restore
+		exit 0
+	fi
+
+	for control in `cat $STATEFILE`; do
+		echo -n "restoring $control: "
+		$SYSCTL "${control}=0" || continue
+	done
+
+	rm -f "$STATEFILE"
+else
+	errecho "invalid argument: $operation"
+	usage
+fi

ocserv.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Wed Jan 18 13:17:42 UTC 2023 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- add ocserv-forwarding.sh: replace the sysctl drop-in file which was wrongly
+  installed into /etc by a more tailored mechanism. Enabling IP routing
+  globally and permanently, just because the package is installed is quite
+  invasive. This new script will be invoked before and after the ocserv
+  service to switch on and off forwarding, if necessary (bsc#1174722).
+
 -------------------------------------------------------------------
 Sun Aug 14 14:11:34 UTC 2022 - Michael Du <duyizhaozj321@yahoo.com>
 

ocserv.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ocserv
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,7 +28,7 @@ Source1:        ftp://ftp.infradead.org/pub/ocserv/%{name}-%{version}.tar.xz.sig
 Source2:        ca.tmpl
 Source3:        server.tmpl
 Source4:        user.tmpl
-Source5:        ocserv.sysctl
+Source5:        ocserv-forwarding.sh
 Source6:        ocserv.firewalld.xml
 Source99:       README.SUSE
 Source100:      gpgkey-1F42418905D8206AA754CCDC29EE58B996865171.gpg
@@ -109,7 +109,7 @@ make V=1 %{?_smp_mflags}
 %install
 make %{?_smp_mflags} DESTDIR=%{buildroot} install
 
-install -Dm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/sysctl.d/60-ocserv.conf
+install -Dm 0755 %{SOURCE5} %{buildroot}%{_sbindir}/ocserv-forwarding
 %if 0%{suse_version} >= 1500
 install -D -m 644 %{SOURCE6} %{buildroot}%{_prefix}/lib/firewalld/services/ocserv.xml
 %endif
@@ -128,6 +128,9 @@ install -d %{buildroot}%{_unitdir}
 install -m 0644 doc/systemd/socket-activated/ocserv.socket %{buildroot}%{_unitdir}
 install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitdir}
 
+sed -i '/^\[Service\].*/a ExecStopPost=%{_sbindir}/ocserv-forwarding --disable' %{buildroot}%{_unitdir}/ocserv.service
+sed -i '/^\[Service\].*/a ExecStartPre=%{_sbindir}/ocserv-forwarding --enable' %{buildroot}%{_unitdir}/ocserv.service
+
 %pre
 %service_add_pre ocserv.service ocserv.socket
 
@@ -148,7 +151,6 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %doc AUTHORS NEWS README.md
 %license COPYING LICENSE
 %config %{_sysconfdir}/ocserv
-%config(noreplace) %{_sysconfdir}/sysctl.d/60-ocserv.conf
 %if 0%{suse_version} >= 1500
 %dir %{_prefix}/lib/firewalld
 %dir %{_prefix}/lib/firewalld/services
@@ -159,6 +161,7 @@ install -m 0644 doc/systemd/socket-activated/ocserv.service %{buildroot}%{_unitd
 %{_bindir}/ocserv-script
 %{_bindir}/ocserv-fw
 %{_sbindir}/ocserv
+%{_sbindir}/ocserv-forwarding
 %{_sbindir}/ocserv-worker
 %{_unitdir}/ocserv.service
 %{_unitdir}/ocserv.socket

ocserv.sysctl

@@ -1,3 +0,0 @@
-net.ipv4.ip_forward=1
-net.ipv6.conf.default.forwarding=1
-net.ipv6.conf.all.forwarding=1