On Mon, 2012-12-03 at 10:17 +0000, David Edmondson wrote:
> On 2 Dec 2012, at 21:44, David Woodhouse <dwmw2 at infradead.org> wrote:
> > I could contrive a scenario in which your assumption isn't valid - for
> > example if you want stuff to 'just work' regardless of whether you're
> > contacting a machine inside or outside the VPN, and don't want to have
> > to manually enable/disable SOCKS support. A user might want to just
> > configure their software to use SOCKS for everything, and have the
> > SOCKS proxy do the right thing.
>
> This would imply that the SOCKS server is running when the VPN is
> down. That's not the case with ocproxy. One could chain a normal SOCKS
> proxy in front of ocproxy, of course, but then the configuration that
> you describe would be part of that proxy rather than ocproxy.

Or you run a traditional SOCKS server normally, and kill it when you
bring the VPN up. Or you can relatively easily configure all your
software with a big switch that turns SOCKS on or off, and do that
automatically when the VPN goes up or down.

But not "Use SOCKS for this site, but not for that" which is harder.
Browsers can do that with a PAC script, but not a lot else.

I'm not necessarily advocating that we should *care* about this
scenario; merely observing that it exists. I'm happy with the behaviour
suggested in Kevin's original email - if someone later wants to add
"split tunnelling" functionality to ocproxy, let them worry about it
then.

--
dwmw2