This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy. As I currently don't have any OpenVPN n2n connections, therefore I could not fully test this part, however some dry-runs looked rather promising.
Regards Oliver
--- html/cgi-bin/proxy.cgi | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+)
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index 6daa7fb..e7ee1f3 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -2738,6 +2738,10 @@ sub write_acls
sub writepacfile { + my %vpnconfig=(); + my %ovpnconfig=(); + &General::readhasharray("${General::swroot}/vpn/config", %vpnconfig); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", %ovpnconfig); open(FILE, ">/srv/web/ipfire/html/proxy.pac"); flock(FILE, 2); print FILE "function FindProxyForURL(url, host)\n"; @@ -2763,6 +2767,26 @@ END print FILE " (isInNet(host, "$netsettings{'ORANGE_NETADDRESS'}", "$netsettings{'ORANGE_NETMASK'}")) ||\n"; }
+ foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) { + if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') { + my @networks = split(/|/, $vpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub; + print FILE " (isInNet(host, "$vpnip", "$vpnsub")) ||\n"; + } + } + } + + foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) { + if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') { + my @networks = split(/|/, $ovpnconfig{$key}[11]); + foreach my $network (@networks) { + my ($vpnip, $vpnsub) = split("/", $network); + print FILE " (isInNet(host, "$vpnip", "$vpnsub")) ||\n"; + } + } + } print FILE <<END (isInNet(host, "169.254.0.0", "255.255.0.0")) )