Re: [Openvpn-devel] [L] Change in openvpn[master]: dns: don't publish env vars to non-dns scripts

Sat, 17 May 2025 02:44:01 -0700 

Hi,

On Sun, Jan 19, 2025 at 06:02:46PM -0500, Jonathan K. Bullard wrote:
> Does this mean that if there are --dns options which override
> --dns-options options, then (for macOS) the foreign_options_N
> environment variables related to DNS will not be passed to the up/down
> scripts? That would be a a *major* breaking change.

As a side note: we discussed this a lot, and I think we've come up with
a compromise that addresses existing deployments, and provides new and
exciting functionality if needed.

So, if all the DNS related patches are merged, what you have is

 - *if* there is an --up script, it will receive "foreign_options_N" for
   DNS config, no matter if the config was pushed by means of "--dns ..."
   or "--dhcp-option DNS ..."

   In this case, --dns-updown is not run by default

 - the --up script will no longer receive "dns_server_..." env variables 
   -> compat scripts can use "foreign_options_N", and new scripts should
   use the --dns-updown hook

 - if there is no --up script, or you use "--dns-updown $myscript" or
   "--dns-updown force", the dns-updown script will be called to take
   care of DNS.  In this case, if an --up script is run, it will NOT
   receive any DNS related information (no foreign_options_N) to avoid
   setting DNS info twice.

 - "--dns-updown disable" will unconditionally not run the dns-updown
   script, for those users who do not want OpenVPN to manipulate their
   DNS settings - this includes me, on servers that might have multiple
   OpenVPN sessions, and "nothing must interfere with my server's DNS
   config".  Somewhat of a special case, but there for a reason :-)


... and, as Heiko has said, this is all 2.7 stuff, as the change is much
too big and has too much potential to break something for users to sneak
this in a minor 2.6.x release.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to