From 44dab795acaa39d8481d86022b691626989e52e8 Mon Sep 17 00:00:00 2001
From: Jernej Jakob <jernej.jakob@gmail.com>
Date: Wed, 15 Apr 2020 13:59:29 +0200
Subject: openvpn: T2335: allow disabling client-ip-pool

---
 data/templates/openvpn/server.conf.tmpl         |  4 ++--
 interface-definitions/interfaces-openvpn.xml.in |  6 +++++
 src/conf_mode/interfaces-openvpn.py             | 30 ++++++++++++++++---------
 3 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index a9dacd36e..e2f9062a1 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -78,10 +78,10 @@ topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topo
 mode server
 tls-server
 {%- else %}
-server {{ server_subnet }}{% if server_pool_start %} nopool{% endif %}
+server {{ server_subnet }} nopool
 {%- endif %}
 
-{%- if server_pool_start %}
+{%- if server_pool %}
 ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
 {%- endif %}
 
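Review bot: The guard on the new `{%- if server_pool %}` line no longer checks that `server_pool_start` is set, so a pool that is enabled by the new default but never given addresses renders `ifconfig-pool  ` with empty operands, which OpenVPN rejects at startup. In src/conf_mode/interfaces-openvpn.py the start/stop defaults are only filled in when getDefaultServer() returns something (the hunk at `@@ -486,8 +496,7 @@`), and the verify() check for missing start/stop in the final hunk appears to sit inside a branch that is only reached in bridged mode, so a non-bridged server with no usable default seems to reach this template unguarded. Keep the address guard alongside the new flag: `{%- if server_pool and server_pool_start %}`.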
diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in
index d926876f7..574a3a58c 100644
--- a/interface-definitions/interfaces-openvpn.xml.in
+++ b/interface-definitions/interfaces-openvpn.xml.in
@@ -449,6 +449,12 @@
                   <help>Pool of client IP addresses</help>
                 </properties>
                 <children>
+                  <leafNode name="disable">
+                    <properties>
+                      <help>Disable client IP pool</help>
+                      <valueless/>
+                    </properties>
+                  </leafNode>
                   <leafNode name="start">
                     <properties>
                       <help>First IP address in the pool</help>
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index 6733623c6..435e8a8f0 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -72,7 +72,7 @@ default_config_data = {
     'server_domain': '',
     'server_max_conn': '',
     'server_dns_nameserver': [],
-    'server_pool': False,
+    'server_pool': True,
     'server_pool_start': '',
     'server_pool_stop': '',
     'server_pool_netmask': '',
@@ -195,6 +195,10 @@ def get_config():
             if intf == openvpn['intf']:
                 openvpn['bridge_member'].append(intf)
 
+    # bridged server should not have a pool by default (but can be specified manually)
+    if openvpn['bridge_member']:
+        openvpn['server_pool'] = False
+
     # set configuration level
     conf.set_level('interfaces openvpn ' + openvpn['intf'])
 
@@ -386,16 +390,22 @@ def get_config():
 
     # Server client IP pool
     if conf.exists('server client-ip-pool'):
-        openvpn['server_pool'] = True
+        conf.set_level('interfaces openvpn ' + openvpn['intf'] + ' server client-ip-pool')
+
+        # enable or disable server_pool where necessary
+        # default is enabled, or disabled in bridge mode
+        openvpn['server_pool'] = not conf.exists('disable')
+
+        if conf.exists('start'):
+            openvpn['server_pool_start'] = conf.return_value('start')
 
-        if conf.exists('server client-ip-pool start'):
-            openvpn['server_pool_start'] = conf.return_value('server client-ip-pool start')
+        if conf.exists('stop'):
+            openvpn['server_pool_stop'] = conf.return_value('stop')
 
-        if conf.exists('server client-ip-pool stop'):
-            openvpn['server_pool_stop'] = conf.return_value('server client-ip-pool stop')
+        if conf.exists('netmask'):
+            openvpn['server_pool_netmask'] = conf.return_value('netmask')
 
-        if conf.exists('server client-ip-pool netmask'):
-            openvpn['server_pool_netmask'] = conf.return_value('server client-ip-pool netmask')
+        conf.set_level('interfaces openvpn ' + openvpn['intf'])
 
     # DNS suffix to be pushed to all clients
     if conf.exists('server domain-name'):
@@ -486,8 +496,7 @@ def get_config():
         default_server = getDefaultServer(server_network, openvpn['server_topology'], openvpn['type'])
         if default_server:
             # server-bridge doesn't require a pool so don't set defaults for it
-            if not openvpn['bridge_member']:
-                openvpn['server_pool'] = True
+            if openvpn['server_pool'] and not openvpn['bridge_member']:
                 if not openvpn['server_pool_start']:
                     openvpn['server_pool_start'] = default_server['pool_start']
 
@@ -610,7 +619,6 @@ def verify(openvpn):
             if not openvpn['bridge_member']:
                 raise ConfigError('Must specify "server subnet" or "bridge member interface" in server mode')
 
-
         if openvpn['server_pool']:
             if not (openvpn['server_pool_start'] and openvpn['server_pool_stop']):
                 raise ConfigError('Server client-ip-pool requires both start and stop addresses in bridged mode')
-- 
cgit v1.2.3