openvpn: fix startup with script-security lower than 2

External scripts may only be specified with script-security 2 or higher,
otherwise OpenVPN fails at tunnel startup with an error.
This changes the previously hardcoded hotplug scripts to only be added if
script-security is 2 or higher is used.

Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>

net/openvpn/Makefile

@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=openvpn
 
 PKG_VERSION:=2.6.11
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \

net/openvpn/files/openvpn.init

@@ -155,7 +155,12 @@ openvpn_add_instance() {
 		--syslog "openvpn($name)" \
 		--status "/var/run/openvpn.$name.status" \
 		--cd "$dir" \
-		--config "$conf" \
+		--config "$conf"
+	# external scripts can only be called on script-security 2 or higher
+	if [ "${security:-2}" -lt 2 ]; then
+		logger -t "openvpn(${name})" "not adding hotplug scripts due to script-security ${security:-2}"
+	else
+		procd_append_param command \
 			--up "/usr/libexec/openvpn-hotplug up $name" \
 			--down "/usr/libexec/openvpn-hotplug down $name" \
 			--route-up "/usr/libexec/openvpn-hotplug route-up $name" \
@@ -165,7 +170,9 @@ openvpn_add_instance() {
 			${down:+--setenv user_down "$down"} \
 			${route_up:+--setenv user_route_up "$route_up"} \
 			${route_pre_down:+--setenv user_route_pre_down "$route_pre_down"} \
-		${client:+${ipchange:+--setenv user_ipchange "$ipchange"}} \
+			${client:+${ipchange:+--setenv user_ipchange "$ipchange"}}
+	fi
+	procd_append_param command \
 		--script-security "${security:-2}" \
 		$(openvpn_get_dev "$name" "$conf") \
 		$(openvpn_get_credentials "$name" "$conf")