OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #if P2MP_SERVER
38 
39 #include "multi.h"
40 #include "push.h"
41 #include "misc.h"
42 #include "otime.h"
43 #include "gremlin.h"
44 #include "mstats.h"
45 #include "ssl_verify.h"
46 #include <inttypes.h>
47 
48 #include "memdbg.h"
49 
50 #include "forward-inline.h"
51 #include "pf-inline.h"
52 
53 /*#define MULTI_DEBUG_EVENT_LOOP*/
54 
55 #ifdef MULTI_DEBUG_EVENT_LOOP
56 static const char *
57 id(struct multi_instance *mi)
58 {
59  if (mi)
60  {
61  return tls_common_name(mi->context.c2.tls_multi, false);
62  }
63  else
64  {
65  return "NULL";
66  }
67 }
68 #endif
69 
70 #ifdef MANAGEMENT_DEF_AUTH
71 static void
72 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
73 {
74  if (mi->cc_config)
75  {
76  buffer_list_free(mi->cc_config);
77  }
78  mi->cc_config = cc_config;
79 }
80 #endif
81 
82 static inline void
83 update_mstat_n_clients(const int n_clients)
84 {
85 #ifdef ENABLE_MEMSTATS
86  if (mmap_stats)
87  {
88  mmap_stats->n_clients = n_clients;
89  }
90 #endif
91 }
92 
93 static bool
95  const struct multi_instance *mi,
96  const char *op,
97  const struct mroute_addr *addr)
98 {
99  struct gc_arena gc = gc_new();
100  struct env_set *es;
101  bool ret = true;
102  struct plugin_list *plugins;
103 
104  /* get environmental variable source */
105  if (mi && mi->context.c2.es)
106  {
107  es = mi->context.c2.es;
108  }
109  else
110  {
111  es = env_set_create(&gc);
112  }
113 
114  /* get plugin source */
115  if (mi)
116  {
117  plugins = mi->context.plugins;
118  }
119  else
120  {
121  plugins = m->top.plugins;
122  }
123 
124  if (plugin_defined(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
125  {
126  struct argv argv = argv_new();
127  argv_printf(&argv, "%s %s",
128  op,
129  mroute_addr_print(addr, &gc));
130  if (mi)
131  {
132  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
133  }
134  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
135  {
136  msg(M_WARN, "WARNING: learn-address plugin call failed");
137  ret = false;
138  }
139  argv_reset(&argv);
140  }
141 
143  {
144  struct argv argv = argv_new();
145  setenv_str(es, "script_type", "learn-address");
147  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
148  if (mi)
149  {
150  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
151  }
152  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
153  {
154  ret = false;
155  }
156  argv_reset(&argv);
157  }
158 
159  gc_free(&gc);
160  return ret;
161 }
162 
163 void
165 {
166  /* write pool data to file */
167  if (m->ifconfig_pool
170  {
172  }
173 }
174 
175 static void
177  int start_bucket,
178  int end_bucket)
179 {
180  struct gc_arena gc = gc_new();
181  struct hash_iterator hi;
182  struct hash_element *he;
183 
184  if (start_bucket < 0)
185  {
186  start_bucket = 0;
187  end_bucket = hash_n_buckets(m->vhash);
188  }
189 
190  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
191  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
192  while ((he = hash_iterator_next(&hi)) != NULL)
193  {
194  struct multi_route *r = (struct multi_route *) he->value;
195  if (!multi_route_defined(m, r))
196  {
197  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
198  mroute_addr_print(&r->addr, &gc));
199  learn_address_script(m, NULL, "delete", &r->addr);
200  multi_route_del(r);
202  }
203  }
204  hash_iterator_free(&hi);
205  gc_free(&gc);
206 }
207 
208 static void
210 {
211  multi_reap_range(m, -1, 0);
212 }
213 
214 static struct multi_reap *
216 {
217  struct multi_reap *mr;
218  ALLOC_OBJ(mr, struct multi_reap);
219  mr->bucket_base = 0;
221  mr->last_call = now;
222  return mr;
223 }
224 
225 void
227 {
228  struct multi_reap *mr = m->reaper;
229  if (mr->bucket_base >= hash_n_buckets(m->vhash))
230  {
231  mr->bucket_base = 0;
232  }
234  mr->bucket_base += mr->buckets_per_pass;
235  mr->last_call = now;
236 }
237 
238 static void
240 {
241  free(mr);
242 }
243 
244 /*
245  * How many buckets in vhash to reap per pass.
246  */
247 static int
248 reap_buckets_per_pass(int n_buckets)
249 {
250  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
251 }
252 
253 #ifdef MANAGEMENT_DEF_AUTH
254 
255 static uint32_t
256 cid_hash_function(const void *key, uint32_t iv)
257 {
258  const unsigned long *k = (const unsigned long *)key;
259  return (uint32_t) *k;
260 }
261 
262 static bool
263 cid_compare_function(const void *key1, const void *key2)
264 {
265  const unsigned long *k1 = (const unsigned long *)key1;
266  const unsigned long *k2 = (const unsigned long *)key2;
267  return *k1 == *k2;
268 }
269 
270 #endif
271 
272 #ifdef ENABLE_ASYNC_PUSH
273 static uint32_t
274 /*
275  * inotify watcher descriptors are used as hash value
276  */
277 int_hash_function(const void *key, uint32_t iv)
278 {
279  return (unsigned long)key;
280 }
281 
282 static bool
283 int_compare_function(const void *key1, const void *key2)
284 {
285  return (unsigned long)key1 == (unsigned long)key2;
286 }
287 #endif
288 
289 /*
290  * Main initialization function, init multi_context object.
291  */
292 void
293 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
294 {
295  int dev = DEV_TYPE_UNDEF;
296 
297  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
300 
301  /*
302  * Get tun/tap/null device type
303  */
304  dev = dev_type_enum(t->options.dev, t->options.dev_type);
305 
306  /*
307  * Init our multi_context object.
308  */
309  CLEAR(*m);
310 
311  m->thread_mode = thread_mode;
312 
313  /*
314  * Real address hash table (source port number is
315  * considered to be part of the address). Used
316  * to determine which client sent an incoming packet
317  * which is seen on the TCP/UDP socket.
318  */
320  get_random(),
323 
324  /*
325  * Virtual address hash table. Used to determine
326  * which client to route a packet to.
327  */
329  get_random(),
332 
333  /*
334  * This hash table is a clone of m->hash but with a
335  * bucket size of one so that it can be used
336  * for fast iteration through the list.
337  */
338  m->iter = hash_init(1,
339  get_random(),
342 
343 #ifdef MANAGEMENT_DEF_AUTH
344  m->cid_hash = hash_init(t->options.real_hash_size,
345  0,
346  cid_hash_function,
347  cid_compare_function);
348 #endif
349 
350 #ifdef ENABLE_ASYNC_PUSH
351  /*
352  * Mapping between inotify watch descriptors and
353  * multi_instances.
354  */
355  m->inotify_watchers = hash_init(t->options.real_hash_size,
356  get_random(),
357  int_hash_function,
358  int_compare_function);
359 #endif
360 
361  /*
362  * This is our scheduler, for time-based wakeup
363  * events.
364  */
365  m->schedule = schedule_init();
366 
367  /*
368  * Limit frequency of incoming connections to control
369  * DoS.
370  */
372  t->options.cf_per);
373 
374  /*
375  * Allocate broadcast/multicast buffer list
376  */
378 
379  /*
380  * Different status file format options are available
381  */
383 
384  /*
385  * Possibly allocate an ifconfig pool, do it
386  * differently based on whether a tun or tap style
387  * tunnel.
388  */
390  {
391  int pool_type = IFCONFIG_POOL_INDIV;
392 
393  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
394  {
395  pool_type = IFCONFIG_POOL_30NET;
396  }
397 
398  m->ifconfig_pool = ifconfig_pool_init(pool_type,
405 
406  /* reload pool data from file */
407  if (t->c1.ifconfig_pool_persist)
408  {
410  }
411  }
412 
413  /*
414  * Help us keep track of routing table.
415  */
417 
418  /*
419  * Initialize route and instance reaper.
420  */
422 
423  /*
424  * Get local ifconfig address
425  */
426  CLEAR(m->local);
427  ASSERT(t->c1.tuntap);
429 
430  /*
431  * Per-client limits
432  */
434 
435  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
436 
437  /*
438  * Initialize multi-socket TCP I/O wait object
439  */
440  if (tcp_mode)
441  {
443  }
445 
446  /*
447  * Allow client <-> client communication, without going through
448  * tun/tap interface and network stack?
449  */
450  m->enable_c2c = t->options.enable_c2c;
451 
452  /* initialize stale routes check timer */
454  {
455  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
458  }
459 
461 }
462 
463 const char *
464 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
465 {
466  if (mi)
467  {
468  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
469  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
470 
471  if (cn)
472  {
473  buf_printf(&out, "%s/", cn);
474  }
475  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
476  return BSTR(&out);
477  }
478  else if (null)
479  {
480  return NULL;
481  }
482  else
483  {
484  return "UNDEF";
485  }
486 }
487 
488 static void
490 {
491  struct gc_arena gc = gc_new();
492  const char *prefix = multi_instance_string(mi, true, &gc);
493  if (prefix)
494  {
495  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
496  }
497  else
498  {
499  mi->msg_prefix[0] = '\0';
500  }
501  set_prefix(mi);
502  gc_free(&gc);
503 }
504 
505 void
507 {
508  mi->msg_prefix[0] = '\0';
509  set_prefix(mi);
510 }
511 
512 static const char *
513 mi_prefix(const struct multi_instance *mi)
514 {
515  if (mi && mi->msg_prefix[0])
516  {
517  return mi->msg_prefix;
518  }
519  else
520  {
521  return "UNDEF_I";
522  }
523 }
524 
525 /*
526  * Tell the route helper about deleted iroutes so
527  * that it can update its mask of currently used
528  * CIDR netlengths.
529  */
530 static void
532  struct multi_instance *mi)
533 {
534  const struct iroute *ir;
535  const struct iroute_ipv6 *ir6;
537  {
538  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
539  {
541  }
542 
543  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
544  {
546  }
547  }
548 }
549 
550 static void
552 {
553  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
554  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
555 }
556 
557 static void
559  struct multi_instance *mi)
560 {
561  /* setenv client real IP address */
563 
564  /* setenv stats */
565  setenv_stats(&mi->context);
566 
567  /* setenv connection duration */
568  {
569  const unsigned int duration = (unsigned int) now - mi->created;
570  setenv_unsigned(mi->context.c2.es, "time_duration", duration);
571  }
572 }
573 
574 static void
576  struct multi_instance *mi)
577 {
580  {
582 
583  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
584  {
585  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
586  {
587  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
588  }
589  }
590 
592  {
593  struct argv argv = argv_new();
594  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
596  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
597  argv_reset(&argv);
598  }
599 #ifdef MANAGEMENT_DEF_AUTH
600  if (management)
601  {
602  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
603  }
604 #endif
605 
606  }
607 }
608 
609 void
611  struct multi_instance *mi,
612  bool shutdown)
613 {
615 
616  ASSERT(!mi->halt);
617  mi->halt = true;
618 
619  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
620 
621  /* adjust current client connection count */
622  m->n_clients += mi->n_clients_delta;
624  mi->n_clients_delta = 0;
625 
626  /* prevent dangling pointers */
627  if (m->pending == mi)
628  {
629  multi_set_pending(m, NULL);
630  }
631  if (m->earliest_wakeup == mi)
632  {
633  m->earliest_wakeup = NULL;
634  }
635 
636  if (!shutdown)
637  {
638  if (mi->did_real_hash)
639  {
640  ASSERT(hash_remove(m->hash, &mi->real));
641  }
642  if (mi->did_iter)
643  {
644  ASSERT(hash_remove(m->iter, &mi->real));
645  }
646 #ifdef MANAGEMENT_DEF_AUTH
647  if (mi->did_cid_hash)
648  {
649  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
650  }
651 #endif
652 
653 #ifdef ENABLE_ASYNC_PUSH
654  if (mi->inotify_watch != -1)
655  {
656  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
657  mi->inotify_watch = -1;
658  }
659 #endif
660 
661  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
662  {
663  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
664  }
665 
666  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
667 
668  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
669 
670  if (mi->did_iroutes)
671  {
672  multi_del_iroutes(m, mi);
673  mi->did_iroutes = false;
674  }
675 
676  if (m->mtcp)
677  {
679  }
680 
682  }
683 
684 #ifdef MANAGEMENT_DEF_AUTH
685  set_cc_config(mi, NULL);
686 #endif
687 
689 
690  if (mi->did_open_context)
691  {
693  }
694 
696 
697  ungenerate_prefix(mi);
698 
699  /*
700  * Don't actually delete the instance memory allocation yet,
701  * because virtual routes may still point to it. Let the
702  * vhash reaper deal with it.
703  */
705 
706  perf_pop();
707 }
708 
709 /*
710  * Called on shutdown or restart.
711  */
712 void
714 {
715  if (m->thread_mode & MC_WORK_THREAD)
716  {
717  multi_top_free(m);
718  m->thread_mode = MC_UNDEF;
719  }
720  else if (m->thread_mode)
721  {
722  if (m->hash)
723  {
724  struct hash_iterator hi;
725  struct hash_element *he;
726 
727  hash_iterator_init(m->iter, &hi);
728  while ((he = hash_iterator_next(&hi)))
729  {
730  struct multi_instance *mi = (struct multi_instance *) he->value;
731  mi->did_iter = false;
732  multi_close_instance(m, mi, true);
733  }
734  hash_iterator_free(&hi);
735 
736  multi_reap_all(m);
737 
738  hash_free(m->hash);
739  hash_free(m->vhash);
740  hash_free(m->iter);
741 #ifdef MANAGEMENT_DEF_AUTH
742  hash_free(m->cid_hash);
743 #endif
744  m->hash = NULL;
745 
746  free(m->instances);
747 
748 #ifdef ENABLE_ASYNC_PUSH
749  hash_free(m->inotify_watchers);
750  m->inotify_watchers = NULL;
751 #endif
752 
754  mbuf_free(m->mbuf);
759  multi_tcp_free(m->mtcp);
760  m->thread_mode = MC_UNDEF;
761  }
762  }
763 }
764 
765 /*
766  * Create a client instance object for a newly connected client.
767  */
768 struct multi_instance *
770 {
771  struct gc_arena gc = gc_new();
772  struct multi_instance *mi;
773 
775 
776  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
777 
778  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
779 
780  mi->gc = gc_new();
782  mi->vaddr_handle = -1;
783  mi->created = now;
784  mroute_addr_init(&mi->real);
785 
786  if (real)
787  {
788  mi->real = *real;
789  generate_prefix(mi);
790  }
791 
792  mi->did_open_context = true;
793  inherit_context_child(&mi->context, &m->top);
794  if (IS_SIG(&mi->context))
795  {
796  goto err;
797  }
798 
800 
801  if (hash_n_elements(m->hash) >= m->max_clients)
802  {
803  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
804  goto err;
805  }
806 
807  if (!real) /* TCP mode? */
808  {
810  {
811  goto err;
812  }
813  generate_prefix(mi);
814  }
815 
816  if (!hash_add(m->iter, &mi->real, mi, false))
817  {
818  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
819  mroute_addr_print(&mi->real, &gc));
820  goto err;
821  }
822  mi->did_iter = true;
823 
824 #ifdef MANAGEMENT_DEF_AUTH
825  do
826  {
827  mi->context.c2.mda_context.cid = m->cid_counter++;
828  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
829  mi->did_cid_hash = true;
830 #endif
831 
832  mi->context.c2.push_reply_deferred = true;
833 
834 #ifdef ENABLE_ASYNC_PUSH
835  mi->context.c2.push_request_received = false;
836  mi->inotify_watch = -1;
837 #endif
838 
839  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
840  {
841  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
842  goto err;
843  }
844 
845  perf_pop();
846  gc_free(&gc);
847  return mi;
848 
849 err:
850  multi_close_instance(m, mi, false);
851  perf_pop();
852  gc_free(&gc);
853  return NULL;
854 }
855 
856 /*
857  * Dump tables -- triggered by SIGUSR2.
858  * If status file is defined, write to file.
859  * If status file is NULL, write to syslog.
860  */
861 void
862 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
863 {
864  if (m->hash)
865  {
866  struct gc_arena gc_top = gc_new();
867  struct hash_iterator hi;
868  const struct hash_element *he;
869 
870  status_reset(so);
871 
872  if (version == 1) /* WAS: m->status_file_version */
873  {
874  /*
875  * Status file version 1
876  */
877  status_printf(so, "OpenVPN CLIENT LIST");
878  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
879  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
880  hash_iterator_init(m->hash, &hi);
881  while ((he = hash_iterator_next(&hi)))
882  {
883  struct gc_arena gc = gc_new();
884  const struct multi_instance *mi = (struct multi_instance *) he->value;
885 
886  if (!mi->halt)
887  {
888  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
889  tls_common_name(mi->context.c2.tls_multi, false),
890  mroute_addr_print(&mi->real, &gc),
893  time_string(mi->created, 0, false, &gc));
894  }
895  gc_free(&gc);
896  }
897  hash_iterator_free(&hi);
898 
899  status_printf(so, "ROUTING TABLE");
900  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
901  hash_iterator_init(m->vhash, &hi);
902  while ((he = hash_iterator_next(&hi)))
903  {
904  struct gc_arena gc = gc_new();
905  const struct multi_route *route = (struct multi_route *) he->value;
906 
907  if (multi_route_defined(m, route))
908  {
909  const struct multi_instance *mi = route->instance;
910  const struct mroute_addr *ma = &route->addr;
911  char flags[2] = {0, 0};
912 
913  if (route->flags & MULTI_ROUTE_CACHE)
914  {
915  flags[0] = 'C';
916  }
917  status_printf(so, "%s%s,%s,%s,%s",
918  mroute_addr_print(ma, &gc),
919  flags,
920  tls_common_name(mi->context.c2.tls_multi, false),
921  mroute_addr_print(&mi->real, &gc),
922  time_string(route->last_reference, 0, false, &gc));
923  }
924  gc_free(&gc);
925  }
926  hash_iterator_free(&hi);
927 
928  status_printf(so, "GLOBAL STATS");
929  if (m->mbuf)
930  {
931  status_printf(so, "Max bcast/mcast queue length,%d",
933  }
934 
935  status_printf(so, "END");
936  }
937  else if (version == 2 || version == 3)
938  {
939  const char sep = (version == 3) ? '\t' : ',';
940 
941  /*
942  * Status file version 2 and 3
943  */
944  status_printf(so, "TITLE%c%s", sep, title_string);
945  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
946  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID",
947  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
948  hash_iterator_init(m->hash, &hi);
949  while ((he = hash_iterator_next(&hi)))
950  {
951  struct gc_arena gc = gc_new();
952  const struct multi_instance *mi = (struct multi_instance *) he->value;
953 
954  if (!mi->halt)
955  {
956  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
957 #ifdef MANAGEMENT_DEF_AUTH
958  "%lu"
959 #else
960  ""
961 #endif
962  "%c%" PRIu32,
963  sep, tls_common_name(mi->context.c2.tls_multi, false),
964  sep, mroute_addr_print(&mi->real, &gc),
967  sep, mi->context.c2.link_read_bytes,
968  sep, mi->context.c2.link_write_bytes,
969  sep, time_string(mi->created, 0, false, &gc),
970  sep, (unsigned int)mi->created,
971  sep, tls_username(mi->context.c2.tls_multi, false),
972 #ifdef MANAGEMENT_DEF_AUTH
973  sep, mi->context.c2.mda_context.cid,
974 #else
975  sep,
976 #endif
977  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX);
978  }
979  gc_free(&gc);
980  }
981  hash_iterator_free(&hi);
982 
983  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
984  sep, sep, sep, sep, sep, sep);
985  hash_iterator_init(m->vhash, &hi);
986  while ((he = hash_iterator_next(&hi)))
987  {
988  struct gc_arena gc = gc_new();
989  const struct multi_route *route = (struct multi_route *) he->value;
990 
991  if (multi_route_defined(m, route))
992  {
993  const struct multi_instance *mi = route->instance;
994  const struct mroute_addr *ma = &route->addr;
995  char flags[2] = {0, 0};
996 
997  if (route->flags & MULTI_ROUTE_CACHE)
998  {
999  flags[0] = 'C';
1000  }
1001  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1002  sep, mroute_addr_print(ma, &gc), flags,
1003  sep, tls_common_name(mi->context.c2.tls_multi, false),
1004  sep, mroute_addr_print(&mi->real, &gc),
1005  sep, time_string(route->last_reference, 0, false, &gc),
1006  sep, (unsigned int)route->last_reference);
1007  }
1008  gc_free(&gc);
1009  }
1010  hash_iterator_free(&hi);
1011 
1012  if (m->mbuf)
1013  {
1014  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1015  sep, sep, mbuf_maximum_queued(m->mbuf));
1016  }
1017 
1018  status_printf(so, "END");
1019  }
1020  else
1021  {
1022  status_printf(so, "ERROR: bad status format version number");
1023  }
1024 
1025 #ifdef PACKET_TRUNCATION_CHECK
1026  {
1027  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1028  hash_iterator_init(m->hash, &hi);
1029  while ((he = hash_iterator_next(&hi)))
1030  {
1031  struct gc_arena gc = gc_new();
1032  const struct multi_instance *mi = (struct multi_instance *) he->value;
1033 
1034  if (!mi->halt)
1035  {
1037  tls_common_name(mi->context.c2.tls_multi, false),
1038  m->top.c2.n_trunc_tun_read,
1039  mi->context.c2.n_trunc_tun_write,
1040  mi->context.c2.n_trunc_pre_encrypt,
1041  mi->context.c2.n_trunc_post_decrypt);
1042  }
1043  gc_free(&gc);
1044  }
1045  hash_iterator_free(&hi);
1046  }
1047 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1048 
1049  status_flush(so);
1050  gc_free(&gc_top);
1051  }
1052 
1053 #ifdef ENABLE_ASYNC_PUSH
1054  if (m->inotify_watchers)
1055  {
1056  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1057  }
1058 #endif
1059 }
1060 
1061 /*
1062  * Learn a virtual address or route.
1063  * The learn will fail if the learn address
1064  * script/plugin fails. In this case the
1065  * return value may be != mi.
1066  * Return the instance which owns this route,
1067  * or NULL if none.
1068  */
1069 static struct multi_instance *
1071  struct multi_instance *mi,
1072  const struct mroute_addr *addr,
1073  const unsigned int flags)
1074 {
1075  struct hash_element *he;
1076  const uint32_t hv = hash_value(m->vhash, addr);
1077  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1078  struct multi_route *oldroute = NULL;
1079  struct multi_instance *owner = NULL;
1080 
1081  /* if route currently exists, get the instance which owns it */
1082  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1083  if (he)
1084  {
1085  oldroute = (struct multi_route *) he->value;
1086  }
1087  if (oldroute && multi_route_defined(m, oldroute))
1088  {
1089  owner = oldroute->instance;
1090  }
1091 
1092  /* do we need to add address to hash table? */
1093  if ((!owner || owner != mi)
1094  && mroute_learnable_address(addr)
1095  && !mroute_addr_equal(addr, &m->local))
1096  {
1097  struct gc_arena gc = gc_new();
1098  struct multi_route *newroute;
1099  bool learn_succeeded = false;
1100 
1101  ALLOC_OBJ(newroute, struct multi_route);
1102  newroute->addr = *addr;
1103  newroute->instance = mi;
1104  newroute->flags = flags;
1105  newroute->last_reference = now;
1106  newroute->cache_generation = 0;
1107 
1108  /* The cache is invalidated when cache_generation is incremented */
1109  if (flags & MULTI_ROUTE_CACHE)
1110  {
1112  }
1113 
1114  if (oldroute) /* route already exists? */
1115  {
1116  if (route_quota_test(m, mi) && learn_address_script(m, mi, "update", &newroute->addr))
1117  {
1118  learn_succeeded = true;
1119  owner = mi;
1121  route_quota_inc(mi);
1122 
1123  /* delete old route */
1124  multi_route_del(oldroute);
1125 
1126  /* modify hash table entry, replacing old route */
1127  he->key = &newroute->addr;
1128  he->value = newroute;
1129  }
1130  }
1131  else
1132  {
1133  if (route_quota_test(m, mi) && learn_address_script(m, mi, "add", &newroute->addr))
1134  {
1135  learn_succeeded = true;
1136  owner = mi;
1138  route_quota_inc(mi);
1139 
1140  /* add new route */
1141  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1142  }
1143  }
1144 
1145  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1146  learn_succeeded ? "" : " FAILED",
1147  mroute_addr_print(&newroute->addr, &gc),
1148  multi_instance_string(mi, false, &gc));
1149 
1150  if (!learn_succeeded)
1151  {
1152  free(newroute);
1153  }
1154 
1155  gc_free(&gc);
1156  }
1157 
1158  return owner;
1159 }
1160 
1161 /*
1162  * Get client instance based on virtual address.
1163  */
1164 static struct multi_instance *
1166  const struct mroute_addr *addr,
1167  bool cidr_routing)
1168 {
1169  struct multi_route *route;
1170  struct multi_instance *ret = NULL;
1171 
1172  /* check for local address */
1173  if (mroute_addr_equal(addr, &m->local))
1174  {
1175  return NULL;
1176  }
1177 
1178  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1179 
1180  /* does host route (possible cached) exist? */
1181  if (route && multi_route_defined(m, route))
1182  {
1183  struct multi_instance *mi = route->instance;
1184  route->last_reference = now;
1185  ret = mi;
1186  }
1187  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1188  {
1189  struct mroute_helper *rh = m->route_helper;
1190  struct mroute_addr tryaddr;
1191  int i;
1192 
1193  /* cycle through each CIDR length */
1194  for (i = 0; i < rh->n_net_len; ++i)
1195  {
1196  tryaddr = *addr;
1197  tryaddr.type |= MR_WITH_NETBITS;
1198  tryaddr.netbits = rh->net_len[i];
1199  mroute_addr_mask_host_bits(&tryaddr);
1200 
1201  /* look up a possible route with netbits netmask */
1202  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1203 
1204  if (route && multi_route_defined(m, route))
1205  {
1206  /* found an applicable route, cache host route */
1207  struct multi_instance *mi = route->instance;
1209  ret = mi;
1210  break;
1211  }
1212  }
1213  }
1214 
1215 #ifdef ENABLE_DEBUG
1217  {
1218  struct gc_arena gc = gc_new();
1219  const char *addr_text = mroute_addr_print(addr, &gc);
1220  if (ret)
1221  {
1222  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1223  addr_text,
1224  multi_instance_string(ret, false, &gc),
1225  mroute_addr_print(&route->addr, &gc));
1226  }
1227  else
1228  {
1229  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1230  addr_text);
1231  }
1232  gc_free(&gc);
1233  }
1234 #endif
1235 
1236  ASSERT(!(ret && ret->halt));
1237  return ret;
1238 }
1239 
1240 /*
1241  * Helper function to multi_learn_addr().
1242  */
1243 static struct multi_instance *
1245  struct multi_instance *mi,
1246  in_addr_t a,
1247  int netbits, /* -1 if host route, otherwise # of network bits in address */
1248  bool primary)
1249 {
1250  struct openvpn_sockaddr remote_si;
1251  struct mroute_addr addr;
1252 
1253  CLEAR(remote_si);
1254  remote_si.addr.in4.sin_family = AF_INET;
1255  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1256  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1257 
1258  if (netbits >= 0)
1259  {
1260  addr.type |= MR_WITH_NETBITS;
1261  addr.netbits = (uint8_t) netbits;
1262  }
1263 
1264  {
1265  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1266 #ifdef MANAGEMENT_DEF_AUTH
1267  if (management && owner)
1268  {
1269  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1270  }
1271 #endif
1272  return owner;
1273  }
1274 }
1275 
1276 static struct multi_instance *
1278  struct multi_instance *mi,
1279  struct in6_addr a6,
1280  int netbits, /* -1 if host route, otherwise # of network bits in address */
1281  bool primary)
1282 {
1283  struct mroute_addr addr;
1284 
1285  addr.len = 16;
1286  addr.type = MR_ADDR_IPV6;
1287  addr.netbits = 0;
1288  addr.v6.addr = a6;
1289 
1290  if (netbits >= 0)
1291  {
1292  addr.type |= MR_WITH_NETBITS;
1293  addr.netbits = (uint8_t) netbits;
1294  mroute_addr_mask_host_bits( &addr );
1295  }
1296 
1297  {
1298  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1299 #ifdef MANAGEMENT_DEF_AUTH
1300  if (management && owner)
1301  {
1302  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1303  }
1304 #endif
1305  return owner;
1306  }
1307 }
1308 
1309 /*
1310  * A new client has connected, add routes (server -> client)
1311  * to internal routing table.
1312  */
1313 static void
1315  struct multi_instance *mi)
1316 {
1317  struct gc_arena gc = gc_new();
1318  const struct iroute *ir;
1319  const struct iroute_ipv6 *ir6;
1321  {
1322  mi->did_iroutes = true;
1323  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1324  {
1325  if (ir->netbits >= 0)
1326  {
1327  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1328  print_in_addr_t(ir->network, 0, &gc),
1329  ir->netbits,
1330  multi_instance_string(mi, false, &gc));
1331  }
1332  else
1333  {
1334  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1335  print_in_addr_t(ir->network, 0, &gc),
1336  multi_instance_string(mi, false, &gc));
1337  }
1338 
1340 
1341  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1342  }
1343  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1344  {
1345  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1346  print_in6_addr(ir6->network, 0, &gc),
1347  ir6->netbits,
1348  multi_instance_string(mi, false, &gc));
1349 
1351 
1352  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1353  }
1354  }
1355  gc_free(&gc);
1356 }
1357 
1358 /*
1359  * Given an instance (new_mi), delete all other instances which use the
1360  * same common name.
1361  */
1362 static void
1364 {
1365  if (new_mi)
1366  {
1367  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1368  if (new_cn)
1369  {
1370  struct hash_iterator hi;
1371  struct hash_element *he;
1372  int count = 0;
1373 
1374  hash_iterator_init(m->iter, &hi);
1375  while ((he = hash_iterator_next(&hi)))
1376  {
1377  struct multi_instance *mi = (struct multi_instance *) he->value;
1378  if (mi != new_mi && !mi->halt)
1379  {
1380  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1381  if (cn && !strcmp(cn, new_cn))
1382  {
1383  mi->did_iter = false;
1384  multi_close_instance(m, mi, false);
1386  ++count;
1387  }
1388  }
1389  }
1390  hash_iterator_free(&hi);
1391 
1392  if (count)
1393  {
1394  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1395  }
1396  }
1397  }
1398 }
1399 
1400 static void
1402 {
1403 
1404  struct gc_arena gc = gc_new();
1405  struct hash_iterator hi;
1406  struct hash_element *he;
1407 
1408  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1410  while ((he = hash_iterator_next(&hi)) != NULL)
1411  {
1412  struct multi_route *r = (struct multi_route *) he->value;
1413  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1414  {
1415  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1416  mroute_addr_print(&r->addr, &gc));
1417  learn_address_script(m, NULL, "delete", &r->addr);
1418  multi_route_del(r);
1420  }
1421  }
1422  hash_iterator_free(&hi);
1423  gc_free(&gc);
1424 }
1425 
1426 /*
1427  * Ensure that endpoint to be pushed to client
1428  * complies with --ifconfig-push-constraint directive.
1429  */
1430 static bool
1432 {
1433  const struct options *o = &c->options;
1435  {
1437  }
1438  else
1439  {
1440  return true;
1441  }
1442 }
1443 
1444 /*
1445  * Select a virtual address for a new client instance.
1446  * Use an --ifconfig-push directive, if given (static IP).
1447  * Otherwise use an --ifconfig-pool address (dynamic IP).
1448  */
1449 static void
1451 {
1452  struct gc_arena gc = gc_new();
1453 
1454  /*
1455  * If ifconfig addresses were set by dynamic config file,
1456  * release pool addresses, otherwise keep them.
1457  */
1459  {
1460  /* ifconfig addresses were set statically,
1461  * release dynamic allocation */
1462  if (mi->vaddr_handle >= 0)
1463  {
1465  mi->vaddr_handle = -1;
1466  }
1467 
1468  mi->context.c2.push_ifconfig_defined = true;
1472 
1473  /* the current implementation does not allow "static IPv4, pool IPv6",
1474  * (see below) so issue a warning if that happens - don't break the
1475  * session, though, as we don't even know if this client WANTS IPv6
1476  */
1479  {
1480  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1481  }
1482  }
1483  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1484  {
1485  in_addr_t local = 0, remote = 0;
1486  struct in6_addr remote_ipv6;
1487  const char *cn = NULL;
1488 
1489  if (!mi->context.options.duplicate_cn)
1490  {
1491  cn = tls_common_name(mi->context.c2.tls_multi, true);
1492  }
1493 
1494  CLEAR(remote_ipv6);
1495  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1496  if (mi->vaddr_handle >= 0)
1497  {
1498  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1499  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1500 
1501  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1502  print_in_addr_t( remote, 0, &gc ),
1504  ? print_in6_addr( remote_ipv6, 0, &gc )
1505  : "(Not enabled)") );
1506 
1507  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1508  mi->context.c2.push_ifconfig_local = remote;
1509  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1510  {
1513  {
1515  }
1516  }
1517  else if (tunnel_type == DEV_TYPE_TUN)
1518  {
1519  if (tunnel_topology == TOP_P2P)
1520  {
1522  }
1523  else if (tunnel_topology == TOP_NET30)
1524  {
1526  }
1527  }
1528 
1530  {
1531  mi->context.c2.push_ifconfig_defined = true;
1532  }
1533  else
1534  {
1535  msg(D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1536  multi_instance_string(mi, false, &gc));
1537  }
1538 
1540  {
1541  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1543  mi->context.c1.tuntap->local_ipv6;
1547  }
1548  }
1549  else
1550  {
1551  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1552  }
1553  }
1554 
1555  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1556  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1557  * will fail (because no pool will be allocated in this case).
1558  * OTOH, this doesn't make too much sense in reality - and the other
1559  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1560  * -> and so it's implemented right now
1561  */
1563  {
1571 
1572  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1575  }
1576 
1577  gc_free(&gc);
1578 }
1579 
1580 /*
1581  * Set virtual address environmental variables.
1582  */
1583 static void
1585 {
1586  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1587  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1588  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1589 
1591  {
1592  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1593  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1594 
1596  "ifconfig_pool_remote_ip",
1599 
1600  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1601  {
1603  "ifconfig_pool_netmask",
1606  }
1607  else if (tunnel_type == DEV_TYPE_TUN)
1608  {
1610  "ifconfig_pool_local_ip",
1613  }
1614  }
1615 
1616  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1617  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1618  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1619 
1621  {
1623  "ifconfig_pool_remote",
1627  "ifconfig_pool_local",
1630  setenv_int(mi->context.c2.es,
1631  "ifconfig_pool_ip6_netbits",
1633  }
1634 }
1635 
1636 /*
1637  * Called after client-connect script is called
1638  */
1639 static void
1641  struct multi_instance *mi,
1642  const char *dc_file,
1643  unsigned int option_permissions_mask,
1644  unsigned int *option_types_found)
1645 {
1646  /* Did script generate a dynamic config file? */
1647  if (test_file(dc_file))
1648  {
1650  dc_file,
1652  option_permissions_mask,
1653  option_types_found,
1654  mi->context.c2.es);
1655 
1656  /*
1657  * If the --client-connect script generates a config file
1658  * with an --ifconfig-push directive, it will override any
1659  * --ifconfig-push directive from the --client-config-dir
1660  * directory or any --ifconfig-pool dynamic address.
1661  */
1664  }
1665 }
1666 
1667 #ifdef ENABLE_PLUGIN
1668 
1669 /*
1670  * Called after client-connect plug-in is called
1671  */
1672 static void
1674  struct multi_instance *mi,
1675  const struct plugin_return *pr,
1676  unsigned int option_permissions_mask,
1677  unsigned int *option_types_found)
1678 {
1679  struct plugin_return config;
1680 
1681  plugin_return_get_column(pr, &config, "config");
1682 
1683  /* Did script generate a dynamic config file? */
1684  if (plugin_return_defined(&config))
1685  {
1686  int i;
1687  for (i = 0; i < config.n; ++i)
1688  {
1689  if (config.list[i] && config.list[i]->value)
1690  {
1692  config.list[i]->value,
1694  option_permissions_mask,
1695  option_types_found,
1696  mi->context.c2.es);
1697  }
1698  }
1699 
1700  /*
1701  * If the --client-connect script generates a config file
1702  * with an --ifconfig-push directive, it will override any
1703  * --ifconfig-push directive from the --client-config-dir
1704  * directory or any --ifconfig-pool dynamic address.
1705  */
1708  }
1709 }
1710 
1711 #endif /* ifdef ENABLE_PLUGIN */
1712 
1713 #ifdef MANAGEMENT_DEF_AUTH
1714 
1715 /*
1716  * Called to load management-derived client-connect config
1717  */
1718 static void
1719 multi_client_connect_mda(struct multi_context *m,
1720  struct multi_instance *mi,
1721  const struct buffer_list *config,
1722  unsigned int option_permissions_mask,
1723  unsigned int *option_types_found)
1724 {
1725  if (config)
1726  {
1727  struct buffer_entry *be;
1728 
1729  for (be = config->head; be != NULL; be = be->next)
1730  {
1731  const char *opt = BSTR(&be->buf);
1733  opt,
1735  option_permissions_mask,
1736  option_types_found,
1737  mi->context.c2.es);
1738  }
1739 
1740  /*
1741  * If the --client-connect script generates a config file
1742  * with an --ifconfig-push directive, it will override any
1743  * --ifconfig-push directive from the --client-config-dir
1744  * directory or any --ifconfig-pool dynamic address.
1745  */
1748  }
1749 }
1750 
1751 #endif /* ifdef MANAGEMENT_DEF_AUTH */
1752 
1753 static void
1755  struct multi_instance *mi)
1756 {
1757  struct gc_arena gc = gc_new();
1758 
1759  /* setenv incoming cert common name for script */
1760  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1761 
1762  /* setenv client real IP address */
1764 
1765  /* setenv client virtual IP address */
1767 
1768  /* setenv connection time */
1769  {
1770  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1771  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1772  setenv_unsigned(mi->context.c2.es, "time_unix", (unsigned int)mi->created);
1773  }
1774 
1775  gc_free(&gc);
1776 }
1777 
1778 /*
1779  * Called as soon as the SSL/TLS connection authenticates.
1780  *
1781  * Instance-specific directives to be processed:
1782  *
1783  * iroute start-ip end-ip
1784  * ifconfig-push local remote-netmask
1785  * push
1786  */
1787 static void
1789 {
1791  {
1792  struct gc_arena gc = gc_new();
1793  unsigned int option_types_found = 0;
1794 
1795  const unsigned int option_permissions_mask =
1797  | OPT_P_INHERIT
1798  | OPT_P_PUSH
1799  | OPT_P_TIMER
1800  | OPT_P_CONFIG
1801  | OPT_P_ECHO
1802  | OPT_P_COMP
1803  | OPT_P_SOCKFLAGS;
1804 
1805  int cc_succeeded = true; /* client connect script status */
1806  int cc_succeeded_count = 0;
1807 
1808  ASSERT(mi->context.c1.tuntap);
1809 
1810  /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
1813 
1814  /* generate a msg() prefix for this client instance */
1815  generate_prefix(mi);
1816 
1817  /* delete instances of previous clients with same common-name */
1818  if (!mi->context.options.duplicate_cn)
1819  {
1820  multi_delete_dup(m, mi);
1821  }
1822 
1823  /* reset pool handle to null */
1824  mi->vaddr_handle = -1;
1825 
1826  /*
1827  * Try to source a dynamic config file from the
1828  * --client-config-dir directory.
1829  */
1831  {
1832  const char *ccd_file;
1833 
1834  ccd_file = gen_path(mi->context.options.client_config_dir,
1835  tls_common_name(mi->context.c2.tls_multi, false),
1836  &gc);
1837 
1838  /* try common-name file */
1839  if (test_file(ccd_file))
1840  {
1842  ccd_file,
1844  option_permissions_mask,
1845  &option_types_found,
1846  mi->context.c2.es);
1847  }
1848  else /* try default file */
1849  {
1850  ccd_file = gen_path(mi->context.options.client_config_dir,
1851  CCD_DEFAULT,
1852  &gc);
1853 
1854  if (test_file(ccd_file))
1855  {
1857  ccd_file,
1859  option_permissions_mask,
1860  &option_types_found,
1861  mi->context.c2.es);
1862  }
1863  }
1864  }
1865 
1866  /*
1867  * Select a virtual address from either --ifconfig-push in --client-config-dir file
1868  * or --ifconfig-pool.
1869  */
1871 
1872  /* do --client-connect setenvs */
1874 
1875 #ifdef ENABLE_PLUGIN
1876  /*
1877  * Call client-connect plug-in.
1878  */
1879 
1880  /* deprecated callback, use a file for passing back return info */
1881  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
1882  {
1883  struct argv argv = argv_new();
1884  const char *dc_file = create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
1885 
1886  if (!dc_file)
1887  {
1888  cc_succeeded = false;
1889  goto script_depr_failed;
1890  }
1891 
1892  argv_printf(&argv, "%s", dc_file);
1893  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1894  {
1895  msg(M_WARN, "WARNING: client-connect plugin call failed");
1896  cc_succeeded = false;
1897  }
1898  else
1899  {
1900  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1901  ++cc_succeeded_count;
1902  }
1903 
1904  if (!platform_unlink(dc_file))
1905  {
1906  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1907  dc_file);
1908  }
1909 
1910 script_depr_failed:
1911  argv_reset(&argv);
1912  }
1913 
1914  /* V2 callback, use a plugin_return struct for passing back return info */
1915  if (plugin_defined(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2))
1916  {
1917  struct plugin_return pr;
1918 
1919  plugin_return_init(&pr);
1920 
1921  if (plugin_call(mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1922  {
1923  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
1924  cc_succeeded = false;
1925  }
1926  else
1927  {
1928  multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found);
1929  ++cc_succeeded_count;
1930  }
1931 
1932  plugin_return_free(&pr);
1933  }
1934 #endif /* ifdef ENABLE_PLUGIN */
1935 
1936  /*
1937  * Run --client-connect script.
1938  */
1939  if (mi->context.options.client_connect_script && cc_succeeded)
1940  {
1941  struct argv argv = argv_new();
1942  const char *dc_file = NULL;
1943 
1944  setenv_str(mi->context.c2.es, "script_type", "client-connect");
1945 
1946  dc_file = create_temp_file(mi->context.options.tmp_dir, "cc", &gc);
1947  if (!dc_file)
1948  {
1949  cc_succeeded = false;
1950  goto script_failed;
1951  }
1952 
1954  argv_printf_cat(&argv, "%s", dc_file);
1955 
1956  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
1957  {
1958  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1959  ++cc_succeeded_count;
1960  }
1961  else
1962  {
1963  cc_succeeded = false;
1964  }
1965 
1966  if (!platform_unlink(dc_file))
1967  {
1968  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1969  dc_file);
1970  }
1971 
1972 script_failed:
1973  argv_reset(&argv);
1974  }
1975 
1976  /*
1977  * Check for client-connect script left by management interface client
1978  */
1979 #ifdef MANAGEMENT_DEF_AUTH
1980  if (cc_succeeded && mi->cc_config)
1981  {
1982  multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1983  ++cc_succeeded_count;
1984  }
1985 #endif
1986 
1987  /*
1988  * Check for "disable" directive in client-config-dir file
1989  * or config file generated by --client-connect script.
1990  */
1991  if (mi->context.options.disable)
1992  {
1993  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1994  cc_succeeded = false;
1995  cc_succeeded_count = 0;
1996  }
1997 
1998  if (cc_succeeded)
1999  {
2000  /*
2001  * Process sourced options.
2002  */
2003  do_deferred_options(&mi->context, option_types_found);
2004 
2005  /*
2006  * make sure we got ifconfig settings from somewhere
2007  */
2008  if (!mi->context.c2.push_ifconfig_defined)
2009  {
2010  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
2011  multi_instance_string(mi, false, &gc));
2012  }
2013 
2014  /*
2015  * make sure that ifconfig settings comply with constraints
2016  */
2018  {
2019  /* JYFIXME -- this should cause the connection to fail */
2020  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
2021  multi_instance_string(mi, false, &gc),
2025  }
2026 
2027  /*
2028  * For routed tunnels, set up internal route to endpoint
2029  * plus add all iroute routes.
2030  */
2032  {
2034  {
2035  multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2036  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2037  multi_instance_string(mi, false, &gc),
2039  }
2040 
2042  {
2044  /* TODO: find out where addresses are "unlearned"!! */
2045  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2046  multi_instance_string(mi, false, &gc),
2048  }
2049 
2050  /* add routes locally, pointing to new client, if
2051  * --iroute options have been specified */
2052  multi_add_iroutes(m, mi);
2053 
2054  /*
2055  * iroutes represent subnets which are "owned" by a particular
2056  * client. Therefore, do not actually push a route to a client
2057  * if it matches one of the client's iroutes.
2058  */
2060  }
2061  else if (mi->context.options.iroutes)
2062  {
2063  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
2064  multi_instance_string(mi, false, &gc));
2065  }
2066 
2067  /* set our client's VPN endpoint for status reporting purposes */
2070 
2071  /* set context-level authentication flag */
2073 
2074 #ifdef ENABLE_ASYNC_PUSH
2075  /* authentication complete, send push reply */
2076  if (mi->context.c2.push_request_received)
2077  {
2079  }
2080 #endif
2081  }
2082  else
2083  {
2084  /* set context-level authentication flag */
2085  mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
2086  }
2087 
2088  /* set flag so we don't get called again */
2089  mi->connection_established_flag = true;
2090 
2091  /* increment number of current authenticated clients */
2092  ++m->n_clients;
2094  --mi->n_clients_delta;
2095 
2096 #ifdef MANAGEMENT_DEF_AUTH
2097  if (management)
2098  {
2099  management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es);
2100  }
2101 #endif
2102 
2103  gc_free(&gc);
2104  }
2105 
2106  /*
2107  * Reply now to client's PUSH_REQUEST query
2108  */
2109  mi->context.c2.push_reply_deferred = false;
2110 }
2111 
2112 #ifdef ENABLE_ASYNC_PUSH
2113 /*
2114  * Called when inotify event is fired, which happens when acf file is closed or deleted.
2115  * Continues authentication and sends push_reply.
2116  */
2117 void
2118 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2119 {
2120  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2121  size_t buffer_i = 0;
2122  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2123 
2124  while (buffer_i < r)
2125  {
2126  /* parse inotify events */
2127  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2128  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2129  buffer_i += event_size;
2130 
2131  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2132 
2133  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2134 
2135  if (pevent->mask & IN_CLOSE_WRITE)
2136  {
2137  if (mi)
2138  {
2139  /* continue authentication and send push_reply */
2140  multi_process_post(m, mi, mpp_flags);
2141  }
2142  else
2143  {
2144  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2145  }
2146  }
2147  else if (pevent->mask & IN_IGNORED)
2148  {
2149  /* this event is _always_ fired when watch is removed or file is deleted */
2150  if (mi)
2151  {
2152  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2153  mi->inotify_watch = -1;
2154  }
2155  }
2156  else
2157  {
2158  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2159  }
2160  }
2161 }
2162 #endif /* ifdef ENABLE_ASYNC_PUSH */
2163 
2164 /*
2165  * Add a mbuf buffer to a particular
2166  * instance.
2167  */
2168 void
2170  struct multi_instance *mi,
2171  struct mbuf_buffer *mb)
2172 {
2173  if (multi_output_queue_ready(m, mi))
2174  {
2175  struct mbuf_item item;
2176  item.buffer = mb;
2177  item.instance = mi;
2178  mbuf_add_item(m->mbuf, &item);
2179  }
2180  else
2181  {
2182  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2183  }
2184 }
2185 
2186 /*
2187  * Add a packet to a client instance output queue.
2188  */
2189 static inline void
2191  const struct buffer *buf,
2192  struct multi_instance *mi)
2193 {
2194  struct mbuf_buffer *mb;
2195 
2196  if (BLEN(buf) > 0)
2197  {
2198  mb = mbuf_alloc_buf(buf);
2199  mb->flags = MF_UNICAST;
2200  multi_add_mbuf(m, mi, mb);
2201  mbuf_free_buf(mb);
2202  }
2203 }
2204 
2205 /*
2206  * Broadcast a packet to all clients.
2207  */
2208 static void
2210  const struct buffer *buf,
2211  const struct multi_instance *sender_instance,
2212  const struct mroute_addr *sender_addr)
2213 {
2214  struct hash_iterator hi;
2215  struct hash_element *he;
2216  struct multi_instance *mi;
2217  struct mbuf_buffer *mb;
2218 
2219  if (BLEN(buf) > 0)
2220  {
2222 #ifdef MULTI_DEBUG_EVENT_LOOP
2223  printf("BCAST len=%d\n", BLEN(buf));
2224 #endif
2225  mb = mbuf_alloc_buf(buf);
2226  hash_iterator_init(m->iter, &hi);
2227 
2228  while ((he = hash_iterator_next(&hi)))
2229  {
2230  mi = (struct multi_instance *) he->value;
2231  if (mi != sender_instance && !mi->halt)
2232  {
2233 #ifdef ENABLE_PF
2234  if (sender_instance)
2235  {
2236  if (!pf_c2c_test(&sender_instance->context, &mi->context, "bcast_c2c"))
2237  {
2238  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2239  mi_prefix(sender_instance),
2240  mi_prefix(mi));
2241  continue;
2242  }
2243  }
2244  if (sender_addr)
2245  {
2246  if (!pf_addr_test(&mi->context, sender_addr, "bcast_src_addr"))
2247  {
2248  struct gc_arena gc = gc_new();
2249  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2250  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2251  mi_prefix(mi));
2252  gc_free(&gc);
2253  continue;
2254  }
2255  }
2256 #endif /* ifdef ENABLE_PF */
2257  multi_add_mbuf(m, mi, mb);
2258  }
2259  }
2260 
2261  hash_iterator_free(&hi);
2262  mbuf_free_buf(mb);
2263  perf_pop();
2264  }
2265 }
2266 
2267 /*
2268  * Given a time delta, indicating that we wish to be
2269  * awoken by the scheduler at time now + delta, figure
2270  * a sigma parameter (in microseconds) that represents
2271  * a sort of fuzz factor around delta, so that we're
2272  * really telling the scheduler to wake us up any time
2273  * between now + delta - sigma and now + delta + sigma.
2274  *
2275  * The sigma parameter helps the scheduler to run more efficiently.
2276  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2277  */
2278 static inline unsigned int
2279 compute_wakeup_sigma(const struct timeval *delta)
2280 {
2281  if (delta->tv_sec < 1)
2282  {
2283  /* if < 1 sec, fuzz = # of microseconds / 8 */
2284  return delta->tv_usec >> 3;
2285  }
2286  else
2287  {
2288  /* if < 10 minutes, fuzz = 13.1% of timeout */
2289  if (delta->tv_sec < 600)
2290  {
2291  return delta->tv_sec << 17;
2292  }
2293  else
2294  {
2295  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2296  }
2297  }
2298 }
2299 
2300 static void
2302 {
2303  /* calculate an absolute wakeup time */
2304  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2305  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2306 
2307  /* tell scheduler to wake us up at some point in the future */
2309  (struct schedule_entry *) mi,
2310  &mi->wakeup,
2311  compute_wakeup_sigma(&mi->context.c2.timeval));
2312 }
2313 
2314 /*
2315  * Figure instance-specific timers, convert
2316  * earliest to absolute time in mi->wakeup,
2317  * call scheduler with our future wakeup time.
2318  *
2319  * Also close context on signal.
2320  */
2321 bool
2322 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2323 {
2324  bool ret = true;
2325 
2326  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2327  {
2328 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2329  bool was_authenticated = false;
2330  struct key_state *ks = NULL;
2331  if (mi->context.c2.tls_multi)
2332  {
2334  was_authenticated = ks->authenticated;
2335  }
2336 #endif
2337 
2338  /* figure timeouts and fetch possible outgoing
2339  * to_link packets (such as ping or TLS control) */
2340  pre_select(&mi->context);
2341 
2342 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2343  if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated)
2344  {
2345  /* watch acf file */
2346  long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT);
2347  if (watch_descriptor >= 0)
2348  {
2349  if (mi->inotify_watch != -1)
2350  {
2351  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
2352  }
2353  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2354  mi->inotify_watch = watch_descriptor;
2355  }
2356  else
2357  {
2358  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2359  }
2360  }
2361 #endif
2362 
2363  if (!IS_SIG(&mi->context))
2364  {
2365  /* connection is "established" when SSL/TLS key negotiation succeeds
2366  * and (if specified) auth user/pass succeeds */
2368  {
2370  }
2371 
2372  /* tell scheduler to wake us up at some point in the future */
2374  }
2375  }
2376 
2377  if (IS_SIG(&mi->context))
2378  {
2379  if (flags & MPP_CLOSE_ON_SIGNAL)
2380  {
2382  ret = false;
2383  }
2384  }
2385  else
2386  {
2387  /* continue to pend on output? */
2388  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2389 
2390 #ifdef MULTI_DEBUG_EVENT_LOOP
2391  printf("POST %s[%d] to=%d lo=%d/%d w=%lld/%ld\n",
2392  id(mi),
2393  (int) (mi == m->pending),
2394  mi ? mi->context.c2.to_tun.len : -1,
2395  mi ? mi->context.c2.to_link.len : -1,
2396  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2397  (long long)mi->context.c2.timeval.tv_sec,
2398  (long)mi->context.c2.timeval.tv_usec);
2399 #endif
2400  }
2401 
2402  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
2403  {
2404  *m->mpp_touched = mi;
2405  }
2406 
2407  return ret;
2408 }
2409 
2410 void
2412 {
2413  struct mroute_addr real;
2414  struct hash *hash = m->hash;
2415  struct gc_arena gc = gc_new();
2416 
2417  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
2418  {
2419  goto done;
2420  }
2421 
2422  const uint32_t hv = hash_value(hash, &real);
2423  struct hash_bucket *bucket = hash_bucket(hash, hv);
2424 
2425  /* make sure that we don't float to an address taken by another client */
2426  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
2427  if (he)
2428  {
2429  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
2430 
2431  struct tls_multi *m1 = mi->context.c2.tls_multi;
2432  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
2433 
2434  /* do not float if target address is taken by client with another cert */
2435  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
2436  {
2437  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
2438  multi_instance_string(ex_mi, false, &gc));
2439 
2440  mi->context.c2.buf.len = 0;
2441 
2442  goto done;
2443  }
2444 
2445  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
2446  multi_close_instance(m, ex_mi, false);
2447  }
2448 
2449  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
2450  mi->context.c2.tls_multi->peer_id,
2451  tls_common_name(mi->context.c2.tls_multi, false),
2452  mroute_addr_print(&mi->real, &gc),
2453  print_link_socket_actual(&m->top.c2.from, &gc));
2454 
2455  /* remove old address from hash table before changing address */
2456  ASSERT(hash_remove(m->hash, &mi->real));
2457  ASSERT(hash_remove(m->iter, &mi->real));
2458 
2459  /* change external network address of the remote peer */
2460  mi->real = real;
2461  generate_prefix(mi);
2462 
2463  mi->context.c2.from = m->top.c2.from;
2464  mi->context.c2.to_link_addr = &mi->context.c2.from;
2465 
2466  /* inherit parent link_socket and link_socket_info */
2469 
2471 
2472  ASSERT(hash_add(m->hash, &mi->real, mi, false));
2473  ASSERT(hash_add(m->iter, &mi->real, mi, false));
2474 
2475 #ifdef MANAGEMENT_DEF_AUTH
2476  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
2477 #endif
2478 
2479 done:
2480  gc_free(&gc);
2481 }
2482 
2483 /*
2484  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
2485  * i.e. client -> server direction.
2486  */
2487 bool
2488 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
2489 {
2490  struct gc_arena gc = gc_new();
2491 
2492  struct context *c;
2493  struct mroute_addr src, dest;
2494  unsigned int mroute_flags;
2495  struct multi_instance *mi;
2496  bool ret = true;
2497  bool floated = false;
2498 
2499  if (m->pending)
2500  {
2501  return true;
2502  }
2503 
2504  if (!instance)
2505  {
2506 #ifdef MULTI_DEBUG_EVENT_LOOP
2507  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
2508 #endif
2510  }
2511  else
2512  {
2513  multi_set_pending(m, instance);
2514  }
2515 
2516  if (m->pending)
2517  {
2518  set_prefix(m->pending);
2519 
2520  /* get instance context */
2521  c = &m->pending->context;
2522 
2523  if (!instance)
2524  {
2525  /* transfer packet pointer from top-level context buffer to instance */
2526  c->c2.buf = m->top.c2.buf;
2527 
2528  /* transfer from-addr from top-level context buffer to instance */
2529  if (!floated)
2530  {
2531  c->c2.from = m->top.c2.from;
2532  }
2533  }
2534 
2535  if (BLEN(&c->c2.buf) > 0)
2536  {
2537  struct link_socket_info *lsi;
2538  const uint8_t *orig_buf;
2539 
2540  /* decrypt in instance context */
2541 
2543  lsi = get_link_socket_info(c);
2544  orig_buf = c->c2.buf.data;
2545  if (process_incoming_link_part1(c, lsi, floated))
2546  {
2547  if (floated)
2548  {
2550  }
2551 
2552  process_incoming_link_part2(c, lsi, orig_buf);
2553  }
2554  perf_pop();
2555 
2556  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
2557  {
2558  /* extract packet source and dest addresses */
2559  mroute_flags = mroute_extract_addr_from_packet(&src,
2560  &dest,
2561  NULL,
2562  NULL,
2563  &c->c2.to_tun,
2564  DEV_TYPE_TUN);
2565 
2566  /* drop packet if extract failed */
2567  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
2568  {
2569  c->c2.to_tun.len = 0;
2570  }
2571  /* make sure that source address is associated with this client */
2572  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
2573  {
2574  /* IPv6 link-local address (fe80::xxx)? */
2575  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
2576  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
2577  {
2578  /* do nothing, for now. TODO: add address learning */
2579  }
2580  else
2581  {
2582  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2583  mroute_addr_print(&src, &gc));
2584  }
2585  c->c2.to_tun.len = 0;
2586  }
2587  /* client-to-client communication enabled? */
2588  else if (m->enable_c2c)
2589  {
2590  /* multicast? */
2591  if (mroute_flags & MROUTE_EXTRACT_MCAST)
2592  {
2593  /* for now, treat multicast as broadcast */
2594  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2595  }
2596  else /* possible client to client routing */
2597  {
2598  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
2599  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
2600 
2601  /* if dest addr is a known client, route to it */
2602  if (mi)
2603  {
2604 #ifdef ENABLE_PF
2605  if (!pf_c2c_test(c, &mi->context, "tun_c2c"))
2606  {
2607  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2608  mi_prefix(mi));
2609  }
2610  else
2611 #endif
2612  {
2613  multi_unicast(m, &c->c2.to_tun, mi);
2614  register_activity(c, BLEN(&c->c2.to_tun));
2615  }
2616  c->c2.to_tun.len = 0;
2617  }
2618  }
2619  }
2620 #ifdef ENABLE_PF
2621  if (c->c2.to_tun.len && !pf_addr_test(c, &dest, "tun_dest_addr"))
2622  {
2623  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2624  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
2625  c->c2.to_tun.len = 0;
2626  }
2627 #endif
2628  }
2629  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
2630  {
2631 #ifdef ENABLE_PF
2632  struct mroute_addr edest;
2633  mroute_addr_reset(&edest);
2634 #endif
2635  /* extract packet source and dest addresses */
2636  mroute_flags = mroute_extract_addr_from_packet(&src,
2637  &dest,
2638  NULL,
2639 #ifdef ENABLE_PF
2640  &edest,
2641 #else
2642  NULL,
2643 #endif
2644  &c->c2.to_tun,
2645  DEV_TYPE_TAP);
2646 
2647  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2648  {
2649  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
2650  {
2651  /* check for broadcast */
2652  if (m->enable_c2c)
2653  {
2654  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2655  {
2656  multi_bcast(m, &c->c2.to_tun, m->pending, NULL);
2657  }
2658  else /* try client-to-client routing */
2659  {
2660  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
2661 
2662  /* if dest addr is a known client, route to it */
2663  if (mi)
2664  {
2665 #ifdef ENABLE_PF
2666  if (!pf_c2c_test(c, &mi->context, "tap_c2c"))
2667  {
2668  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2669  mi_prefix(mi));
2670  }
2671  else
2672 #endif
2673  {
2674  multi_unicast(m, &c->c2.to_tun, mi);
2675  register_activity(c, BLEN(&c->c2.to_tun));
2676  }
2677  c->c2.to_tun.len = 0;
2678  }
2679  }
2680  }
2681 #ifdef ENABLE_PF
2682  if (c->c2.to_tun.len && !pf_addr_test(c, &edest, "tap_dest_addr"))
2683  {
2684  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2685  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
2686  c->c2.to_tun.len = 0;
2687  }
2688 #endif
2689  }
2690  else
2691  {
2692  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2693  mroute_addr_print(&src, &gc));
2694  c->c2.to_tun.len = 0;
2695  }
2696  }
2697  else
2698  {
2699  c->c2.to_tun.len = 0;
2700  }
2701  }
2702  }
2703 
2704  /* postprocess and set wakeup */
2705  ret = multi_process_post(m, m->pending, mpp_flags);
2706 
2707  clear_prefix();
2708  }
2709 
2710  gc_free(&gc);
2711  return ret;
2712 }
2713 
2714 /*
2715  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2716  * i.e. server -> client direction.
2717  */
2718 bool
2719 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
2720 {
2721  struct gc_arena gc = gc_new();
2722  bool ret = true;
2723 
2724  if (BLEN(&m->top.c2.buf) > 0)
2725  {
2726  unsigned int mroute_flags;
2727  struct mroute_addr src, dest;
2728  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
2729 
2730 #ifdef ENABLE_PF
2731  struct mroute_addr esrc, *e1, *e2;
2732  if (dev_type == DEV_TYPE_TUN)
2733  {
2734  e1 = NULL;
2735  e2 = &src;
2736  }
2737  else
2738  {
2739  e1 = e2 = &esrc;
2740  mroute_addr_reset(&esrc);
2741  }
2742 #endif
2743 
2744 #ifdef MULTI_DEBUG_EVENT_LOOP
2745  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
2746 #endif
2747 
2748  if (m->pending)
2749  {
2750  return true;
2751  }
2752 
2753  /*
2754  * Route an incoming tun/tap packet to
2755  * the appropriate multi_instance object.
2756  */
2757 
2758  mroute_flags = mroute_extract_addr_from_packet(&src,
2759  &dest,
2760 #ifdef ENABLE_PF
2761  e1,
2762 #else
2763  NULL,
2764 #endif
2765  NULL,
2766  &m->top.c2.buf,
2767  dev_type);
2768 
2769  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2770  {
2771  struct context *c;
2772 
2773  /* broadcast or multicast dest addr? */
2774  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2775  {
2776  /* for now, treat multicast as broadcast */
2777 #ifdef ENABLE_PF
2778  multi_bcast(m, &m->top.c2.buf, NULL, e2);
2779 #else
2780  multi_bcast(m, &m->top.c2.buf, NULL, NULL);
2781 #endif
2782  }
2783  else
2784  {
2786 
2787  if (m->pending)
2788  {
2789  /* get instance context */
2790  c = &m->pending->context;
2791 
2792  set_prefix(m->pending);
2793 
2794 #ifdef ENABLE_PF
2795  if (!pf_addr_test(c, e2, "tun_tap_src_addr"))
2796  {
2797  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2798  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
2799  buf_reset_len(&c->c2.buf);
2800  }
2801  else
2802 #endif
2803  {
2804  if (multi_output_queue_ready(m, m->pending))
2805  {
2806  /* transfer packet pointer from top-level context buffer to instance */
2807  c->c2.buf = m->top.c2.buf;
2808  }
2809  else
2810  {
2811  /* drop packet */
2812  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2813  buf_reset_len(&c->c2.buf);
2814  }
2815  }
2816 
2817  /* encrypt in instance context */
2819 
2820  /* postprocess and set wakeup */
2821  ret = multi_process_post(m, m->pending, mpp_flags);
2822 
2823  clear_prefix();
2824  }
2825  }
2826  }
2827  }
2828  gc_free(&gc);
2829  return ret;
2830 }
2831 
2832 /*
2833  * Process a possible client-to-client/bcast/mcast message in the
2834  * queue.
2835  */
2836 struct multi_instance *
2838 {
2839  struct mbuf_item item;
2840 
2841  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
2842  {
2843  unsigned int pip_flags = PIPV4_PASSTOS;
2844 
2845  set_prefix(item.instance);
2846  item.instance->context.c2.buf = item.buffer->buf;
2847  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2848  {
2849  pip_flags |= PIP_MSSFIX;
2850  }
2851  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
2852  encrypt_sign(&item.instance->context, true);
2853  mbuf_free_buf(item.buffer);
2854 
2855  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2856 
2857  clear_prefix();
2858  return item.instance;
2859  }
2860  else
2861  {
2862  return NULL;
2863  }
2864 }
2865 
2866 /*
2867  * Called when an I/O wait times out. Usually means that a particular
2868  * client instance object needs timer-based service.
2869  */
2870 bool
2871 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
2872 {
2873  bool ret = true;
2874 
2875 #ifdef MULTI_DEBUG_EVENT_LOOP
2876  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2877 #endif
2878 
2879  /* instance marked for wakeup? */
2880  if (m->earliest_wakeup)
2881  {
2883  {
2886  }
2887  else
2888  {
2890  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
2891  clear_prefix();
2892  }
2893  m->earliest_wakeup = NULL;
2894  }
2895  return ret;
2896 }
2897 
2898 /*
2899  * Drop a TUN/TAP outgoing packet..
2900  */
2901 void
2902 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
2903 {
2904  struct multi_instance *mi = m->pending;
2905 
2906  ASSERT(mi);
2907 
2908  set_prefix(mi);
2909 
2910  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2911  mi->context.c2.to_tun.len);
2912 
2913  buf_reset(&mi->context.c2.to_tun);
2914 
2915  multi_process_post(m, mi, mpp_flags);
2916  clear_prefix();
2917 }
2918 
2919 /*
2920  * Per-client route quota management
2921  */
2922 
2923 void
2924 route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi)
2925 {
2926  struct gc_arena gc = gc_new();
2927  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2929  multi_instance_string(mi, false, &gc));
2930  gc_free(&gc);
2931 }
2932 
2933 #ifdef ENABLE_DEBUG
2934 /*
2935  * Flood clients with random packets
2936  */
2937 static void
2938 gremlin_flood_clients(struct multi_context *m)
2939 {
2940  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
2941  if (level)
2942  {
2943  struct gc_arena gc = gc_new();
2944  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
2945  struct packet_flood_parms parm = get_packet_flood_parms(level);
2946  int i;
2947 
2948  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
2949  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
2950 
2951  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2952  parm.n_packets,
2953  parm.packet_size);
2954 
2955  for (i = 0; i < parm.packet_size; ++i)
2956  {
2957  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
2958  }
2959 
2960  for (i = 0; i < parm.n_packets; ++i)
2961  {
2962  multi_bcast(m, &buf, NULL, NULL);
2963  }
2964 
2965  gc_free(&gc);
2966  }
2967 }
2968 #endif /* ifdef ENABLE_DEBUG */
2969 
2970 static bool
2972 {
2973  struct timeval null;
2974  CLEAR(null);
2976 }
2977 
2978 /*
2979  * Process timers in the top-level context
2980  */
2981 void
2983 {
2984  /* possibly reap instances/routes in vhash */
2985  multi_reap_process(m);
2986 
2987  /* possibly print to status log */
2988  if (m->top.c1.status_output)
2989  {
2991  {
2993  }
2994  }
2995 
2996  /* possibly flush ifconfig-pool file */
2997  multi_ifconfig_pool_persist(m, false);
2998 
2999 #ifdef ENABLE_DEBUG
3000  gremlin_flood_clients(m);
3001 #endif
3002 
3003  /* Should we check for stale routes? */
3005  {
3006  check_stale_routes(m);
3007  }
3008 }
3009 
3010 void
3011 multi_top_init(struct multi_context *m, const struct context *top)
3012 {
3013  inherit_context_top(&m->top, top);
3014  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3015 }
3016 
3017 void
3019 {
3020  close_context(&m->top, -1, CC_GC_FREE);
3022 }
3023 
3024 static bool
3026 {
3027  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3028 }
3029 
3030 static void
3032 {
3033  struct hash_iterator hi;
3034  struct hash_element *he;
3035  struct timeval tv;
3036 
3037  /* tell all clients to restart */
3038  hash_iterator_init(m->iter, &hi);
3039  while ((he = hash_iterator_next(&hi)))
3040  {
3041  struct multi_instance *mi = (struct multi_instance *) he->value;
3042  if (!mi->halt)
3043  {
3044  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3046  }
3047  }
3048  hash_iterator_free(&hi);
3049 
3050  /* reschedule signal */
3052  tv.tv_sec = 2;
3053  tv.tv_usec = 0;
3055 
3057 
3062 
3063  m->top.sig->signal_received = 0;
3064 }
3065 
3066 /*
3067  * Return true if event loop should break,
3068  * false if it should continue.
3069  */
3070 bool
3072 {
3073  if (m->top.sig->signal_received == SIGUSR2)
3074  {
3075  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3077  status_close(so);
3078  m->top.sig->signal_received = 0;
3079  return false;
3080  }
3081  else if (proto_is_dgram(m->top.options.ce.proto)
3085  {
3087  return false;
3088  }
3089  return true;
3090 }
3091 
3092 /*
3093  * Called when an instance should be closed due to the
3094  * reception of a soft signal.
3095  */
3096 void
3098 {
3099  remap_signal(&mi->context);
3100  set_prefix(mi);
3101  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3102  clear_prefix();
3103  multi_close_instance(m, mi, false);
3104 }
3105 
3106 static void
3107 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3108 {
3109  mi->context.sig->signal_received = sig;
3111 }
3112 
3113 /*
3114  * Management subsystem callbacks
3115  */
3116 
3117 #ifdef ENABLE_MANAGEMENT
3118 
3119 static void
3120 management_callback_status(void *arg, const int version, struct status_output *so)
3121 {
3122  struct multi_context *m = (struct multi_context *) arg;
3123 
3124  if (!version)
3125  {
3127  }
3128  else
3129  {
3130  multi_print_status(m, so, version);
3131  }
3132 }
3133 
3134 static int
3136 {
3137  struct multi_context *m = (struct multi_context *) arg;
3138  return m->n_clients;
3139 }
3140 
3141 static int
3142 management_callback_kill_by_cn(void *arg, const char *del_cn)
3143 {
3144  struct multi_context *m = (struct multi_context *) arg;
3145  struct hash_iterator hi;
3146  struct hash_element *he;
3147  int count = 0;
3148 
3149  hash_iterator_init(m->iter, &hi);
3150  while ((he = hash_iterator_next(&hi)))
3151  {
3152  struct multi_instance *mi = (struct multi_instance *) he->value;
3153  if (!mi->halt)
3154  {
3155  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3156  if (cn && !strcmp(cn, del_cn))
3157  {
3159  ++count;
3160  }
3161  }
3162  }
3163  hash_iterator_free(&hi);
3164  return count;
3165 }
3166 
3167 static int
3168 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3169 {
3170  struct multi_context *m = (struct multi_context *) arg;
3171  struct hash_iterator hi;
3172  struct hash_element *he;
3173  struct openvpn_sockaddr saddr;
3174  struct mroute_addr maddr;
3175  int count = 0;
3176 
3177  CLEAR(saddr);
3178  saddr.addr.in4.sin_family = AF_INET;
3179  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3180  saddr.addr.in4.sin_port = htons(port);
3181  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3182  {
3183  hash_iterator_init(m->iter, &hi);
3184  while ((he = hash_iterator_next(&hi)))
3185  {
3186  struct multi_instance *mi = (struct multi_instance *) he->value;
3187  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3188  {
3190  ++count;
3191  }
3192  }
3193  hash_iterator_free(&hi);
3194  }
3195  return count;
3196 }
3197 
3198 static void
3200 {
3201  struct multi_context *m = (struct multi_context *) arg;
3202  if (m->mtcp)
3203  {
3204  multi_tcp_delete_event(m->mtcp, event);
3205  }
3206 }
3207 
3208 #endif /* ifdef ENABLE_MANAGEMENT */
3209 
3210 #ifdef MANAGEMENT_DEF_AUTH
3211 
3212 static struct multi_instance *
3213 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3214 {
3215  if (m)
3216  {
3217  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3218  if (mi && !mi->halt)
3219  {
3220  return mi;
3221  }
3222  }
3223  return NULL;
3224 }
3225 
3226 static bool
3227 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3228 {
3229  struct multi_context *m = (struct multi_context *) arg;
3230  struct multi_instance *mi = lookup_by_cid(m, cid);
3231  if (mi)
3232  {
3233  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3235  return true;
3236  }
3237  else
3238  {
3239  return false;
3240  }
3241 }
3242 
3243 static bool
3244 management_client_auth(void *arg,
3245  const unsigned long cid,
3246  const unsigned int mda_key_id,
3247  const bool auth,
3248  const char *reason,
3249  const char *client_reason,
3250  struct buffer_list *cc_config) /* ownership transferred */
3251 {
3252  struct multi_context *m = (struct multi_context *) arg;
3253  struct multi_instance *mi = lookup_by_cid(m, cid);
3254  bool cc_config_owned = true;
3255  bool ret = false;
3256 
3257  if (mi)
3258  {
3259  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3260  if (ret)
3261  {
3262  if (auth)
3263  {
3264  if (!mi->connection_established_flag)
3265  {
3266  set_cc_config(mi, cc_config);
3267  cc_config_owned = false;
3268  }
3269  }
3270  else
3271  {
3272  if (reason)
3273  {
3274  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3275  }
3277  {
3278  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3280  }
3281  }
3282  }
3283  }
3284  if (cc_config_owned && cc_config)
3285  {
3286  buffer_list_free(cc_config);
3287  }
3288  return ret;
3289 }
3290 
3291 static char *
3292 management_get_peer_info(void *arg, const unsigned long cid)
3293 {
3294  struct multi_context *m = (struct multi_context *) arg;
3295  struct multi_instance *mi = lookup_by_cid(m, cid);
3296  char *ret = NULL;
3297 
3298  if (mi)
3299  {
3300  ret = tls_get_peer_info(mi->context.c2.tls_multi);
3301  }
3302 
3303  return ret;
3304 }
3305 
3306 #endif /* ifdef MANAGEMENT_DEF_AUTH */
3307 
3308 #ifdef MANAGEMENT_PF
3309 static bool
3310 management_client_pf(void *arg,
3311  const unsigned long cid,
3312  struct buffer_list *pf_config) /* ownership transferred */
3313 {
3314  struct multi_context *m = (struct multi_context *) arg;
3315  struct multi_instance *mi = lookup_by_cid(m, cid);
3316  bool ret = false;
3317 
3318  if (mi && pf_config)
3319  {
3320  ret = pf_load_from_buffer_list(&mi->context, pf_config);
3321  }
3322 
3323  if (pf_config)
3324  {
3325  buffer_list_free(pf_config);
3326  }
3327  return ret;
3328 }
3329 #endif /* ifdef MANAGEMENT_PF */
3330 
3331 void
3333 {
3334 #ifdef ENABLE_MANAGEMENT
3335  if (management)
3336  {
3337  struct management_callback cb;
3338  CLEAR(cb);
3339  cb.arg = m;
3340  cb.flags = MCF_SERVER;
3347 #ifdef MANAGEMENT_DEF_AUTH
3348  cb.kill_by_cid = management_kill_by_cid;
3349  cb.client_auth = management_client_auth;
3350  cb.get_peer_info = management_get_peer_info;
3351 #endif
3352 #ifdef MANAGEMENT_PF
3353  cb.client_pf = management_client_pf;
3354 #endif
3356  }
3357 #endif /* ifdef ENABLE_MANAGEMENT */
3358 }
3359 
3360 void
3362 {
3364 }
3365 
3366 /*
3367  * Top level event loop.
3368  */
3369 void
3371 {
3372  ASSERT(top->options.mode == MODE_SERVER);
3373 
3374  if (proto_is_dgram(top->options.ce.proto))
3375  {
3376  tunnel_server_udp(top);
3377  }
3378  else
3379  {
3380  tunnel_server_tcp(top);
3381  }
3382 }
3383 
3384 #else /* if P2MP_SERVER */
3385 static void
3386 dummy(void)
3387 {
3388 }
3389 #endif /* P2MP_SERVER */
struct env_set * es
Definition: openvpn.h:435
uint8_t type
Definition: mroute.h:80
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3031
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:174
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:687
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:440
#define MR_WITH_NETBITS
Definition: mroute.h:72
static bool is_exit_restart(int sig)
Definition: multi.c:3025
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:211
struct buffer to_link
Definition: openvpn.h:392
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1754
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3107
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2902
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:274
union openvpn_sockaddr::@6 addr
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:165
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:294
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:343
struct mroute_helper * route_helper
Definition: multi.h:158
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:458
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:100
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1165
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:227
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:246
#define REAP_DIVISOR
Definition: multi.h:529
struct key_state key[KS_SIZE]
Definition: ssl_common.h:438
struct iroute * next
Definition: route.h:233
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:140
struct in6_addr reporting_addr_ipv6
Definition: multi.h:99
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:510
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1012
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:971
#define CAS_PENDING
Definition: openvpn.h:462
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: misc.h:70
counter_type link_write_bytes
Definition: openvpn.h:289
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:409
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2280
#define MULTI_ROUTE_CACHE
Definition: multi.h:202
struct argv argv_new(void)
Definition: argv.c:51
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:345
int signal_received
Definition: multi.h:62
bool connection_established_flag
Definition: multi.h:108
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:172
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:220
void hash_free(struct hash *hash)
Definition: list.c:66
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:171
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2855
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:508
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:293
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:489
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1079
static void multi_set_virtual_addr_env(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1584
bool push_ifconfig_defined
Definition: openvpn.h:449
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:374
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2755
static void gc_free(struct gc_arena *a)
Definition: buffer.h:990
const char * learn_address_script
Definition: options.h:417
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:473
static bool check_debug_level(unsigned int level)
Definition: error.h:245
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:42
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:205
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:506
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:196
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4471
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:393
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:249
in_addr_t push_ifconfig_local
Definition: openvpn.h:451
bool enable_c2c
Definition: options.h:437
int push_ifconfig_ipv6_netbits
Definition: options.h:434
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:496
struct in6_addr network
Definition: route.h:237
struct buffer buf
Definition: openvpn.h:390
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1223
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:83
#define ASSERT(x)
Definition: error.h:221
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4769
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:936
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3120
#define SIGUSR1
Definition: config-msvc.h:116
const void * key
Definition: list.h:50
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:540
#define MR_ADDR_MASK
Definition: mroute.h:66
struct multi_reap * reaper
Definition: multi.h:159
struct context_buffers * buffers
Definition: openvpn.h:382
struct multi_instance * instance
Definition: multi.h:200
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:427
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:456
void buffer_list_free(struct buffer_list *ol)
Definition: buffer.c:1149
bool ifconfig_pool_defined
Definition: options.h:402
void multi_top_free(struct multi_context *m)
Definition: multi.c:3018
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:195
#define D_PF_DROPPED
Definition: errlevel.h:101
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:94
struct link_socket_info * link_socket_info
Definition: openvpn.h:258
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4049
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3199
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:203
in_addr_t remote_netmask
Definition: tun.h:154
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:385
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:458
static int management_callback_n_clients(void *arg)
Definition: multi.c:3135
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:435
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:223
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static void perf_push(int type)
Definition: perf.h:78
int status_file_version
Definition: multi.h:164
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:537
#define CLEAR(x)
Definition: basic.h:33
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:407
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1363
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr)
Definition: multi.c:2209
#define in_addr_t
Definition: config-msvc.h:104
static bool route_quota_test(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:422
bool mroute_learnable_address(const struct mroute_addr *addr)
Definition: mroute.c:68
ifconfig_pool_handle vaddr_handle
Definition: multi.h:90
bool did_iter
Definition: multi.h:103
const char * gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Definition: misc.c:807
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:91
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3071
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1450
struct event_timeout stale_routes_check_et
Definition: multi.h:184
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:533
#define MAX_PEER_ID
Definition: openvpn.h:595
int cf_max
Definition: options.h:439
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:465
void pre_select(struct context *c)
Definition: forward.c:1553
static void dummy(void)
Definition: comp-lz4.c:319
unsigned int cache_generation
Definition: mroute.h:131
#define SIGTERM
Definition: config-msvc.h:118
struct mroute_addr::@0::@2 v6
#define SIGHUP
Definition: config-msvc.h:114
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:171
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: misc.c:564
#define MCF_SERVER
Definition: manage.h:158
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2169
in_addr_t ifconfig_pool_end
Definition: options.h:404
bool did_open_context
Definition: multi.h:101
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:571
const char * client_disconnect_script
Definition: options.h:416
int explicit_exit_notification
Definition: options.h:123
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1277
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:2719
bool platform_unlink(const char *filename)
Definition: platform.c:285
unsigned int flags
Definition: multi.h:204
#define IFCONFIG_POOL_30NET
Definition: pool.h:37
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
int context_auth
Definition: openvpn.h:466
int n_clients
Definition: multi.h:165
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:454
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:41
static void clear_prefix(void)
Definition: multi.h:511
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:42
static void setenv_stats(struct context *c)
Definition: multi.c:551
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3168
bool did_real_hash
Definition: multi.h:102
#define MODE_SERVER
Definition: options.h:179
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:258
#define PIP_MSSFIX
Definition: forward.h:253
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:220
int netbits
Definition: route.h:232
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:610
in_addr_t addr
Definition: mroute.h:87
void status_flush(struct status_output *so)
Definition: status.c:172
int n_clients_delta
Definition: multi.h:110
#define IFCONFIG_POOL_INDIV
Definition: pool.h:38
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:150
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:44
int cf_per
Definition: options.h:440
void multi_uninit(struct multi_context *m)
Definition: multi.c:713
bool status_close(struct status_output *so)
Definition: status.c:203
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:546
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:252
static void multi_route_del(struct multi_route *route)
Definition: multi.h:456
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:429
bool test_file(const char *filename)
Definition: misc.c:695
struct schedule * schedule_init(void)
Definition: schedule.c:416
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:83
in_addr_t push_ifconfig_local
Definition: options.h:426
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3011
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4343
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3142
time_t last_reference
Definition: multi.h:207
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
#define CAS_PARTIAL
Definition: openvpn.h:464
void setenv_unsigned(struct env_set *es, const char *name, unsigned int value)
Definition: misc.c:556
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3166
in_addr_t local
Definition: tun.h:153
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3332
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:528
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:2411
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:90
#define MAPF_SHOW_ARP
Definition: mroute.h:157
int stale_routes_check_interval
Definition: options.h:443
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:164
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:400
#define OPT_P_INSTANCE
Definition: options.h:635
counter_type link_read_bytes
Definition: openvpn.h:287
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:180
bool ifconfig_ipv6_pool_defined
Definition: options.h:409
static struct gc_arena gc_new(void)
Definition: buffer.h:982
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:370
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:431
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4789
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:261
int ifconfig_ipv6_netbits
Definition: options.h:228
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:499
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:453
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1017
Definition: mbuf.h:52
bool did_iroutes
Definition: multi.h:109
#define MPP_PRE_SELECT
Definition: multi.h:256
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:769
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:147
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:368
int topology
Definition: options.h:224
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2835
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:243
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1244
struct iroute * iroutes
Definition: options.h:423
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:628
unsigned int cache_generation
Definition: multi.h:206
struct frame frame
Definition: openvpn.h:265
#define DEV_TYPE_TUN
Definition: proto.h:37
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2301
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:288
struct timeval timeval
Definition: openvpn.h:409
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:261
int virtual_hash_size
Definition: options.h:414
Definition: schedule.h:46
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3097
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:201
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:457
#define D_MULTI_DEBUG
Definition: errlevel.h:123
static void multi_client_disconnect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:558
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3141
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:776
unsigned __int32 uint32_t
Definition: config-msvc.h:121
int tcp_queue_limit
Definition: options.h:422
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:112
const char * client_config_dir
Definition: options.h:418
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
#define OPT_P_ECHO
Definition: options.h:638
uint8_t len
Definition: mroute.h:78
#define REAP_MAX
Definition: multi.h:531
struct multi_instance * pending
Definition: multi.h:172
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:163
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:153
int buckets_per_pass
Definition: multi.h:54
struct gc_arena gc
Definition: multi.h:78
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:540
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:149
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
in_addr_t network
Definition: route.h:231
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:464
int bucket_base
Definition: multi.h:53
in_addr_t reporting_addr
Definition: multi.h:98
int max_routes_per_client
Definition: options.h:442
struct buffer buf
Definition: buffer.h:1073
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:150
struct env_set * env_set_create(struct gc_arena *gc)
Definition: misc.c:437
static void register_activity(struct context *c, const int size)
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:556
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:226
int n_bcast_buf
Definition: options.h:421
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: misc.c:540
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:284
int max_clients
Definition: multi.h:162
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:410
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:238
in_addr_t ifconfig_pool_start
Definition: options.h:403
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:145
struct link_socket * link_socket
Definition: openvpn.h:256
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:41
void argv_parse_cmd(struct argv *a, const char *s)
Definition: argv.c:329
void route_quota_exceeded(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.c:2924
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:2982
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3763
bool status_trigger(struct status_output *so)
Definition: status.c:135
struct multi_instance * earliest_wakeup
Definition: multi.h:173
#define IS_SIG(c)
Definition: sig.h:50
#define DEV_TYPE_UNDEF
Definition: proto.h:35
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:177
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:175
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1070
struct connection_entry ce
Definition: options.h:203
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:513
bool push_ifconfig_defined
Definition: options.h:425
void schedule_free(struct schedule *s)
Definition: schedule.c:425
struct context_2 c2
Level 2 context.
Definition: openvpn.h:547
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1431
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:141
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:151
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:156
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:304
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2152
const char * create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Definition: misc.c:724
struct ifconfig_pool * ifconfig_pool_init(int type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:183
const char * client_connect_script
Definition: options.h:415
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:162
#define OPT_P_TIMER
Definition: options.h:625
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:431
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:115
in_addr_t ifconfig_pool_netmask
Definition: options.h:405
bool disable
Definition: options.h:420
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:769
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:402
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:199
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:147
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1314
int(* n_clients)(void *arg)
Definition: manage.h:166
bool halt
Definition: multi.h:80
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3370
struct buffer_entry * next
Definition: buffer.h:1074
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:154
#define REAP_MIN
Definition: multi.h:530
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:129
void uninit_management_callback_multi(struct multi_context *m)
Definition: multi.c:3361
#define CAS_SUCCEEDED
Definition: openvpn.h:461
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2650
unsigned __int8 uint8_t
Definition: config-msvc.h:123
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:2837
const char * tmp_dir
Definition: options.h:380
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:147
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2190
struct mroute_addr local
Definition: multi.h:160
unsigned int netbits
Definition: route.h:238
int max_clients
Definition: options.h:441
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:298
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:455
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:986
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:226
int status_file_version
Definition: options.h:312
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:88
#define SIGINT
Definition: config-msvc.h:115
struct timeval wakeup
Definition: multi.h:87
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:2966
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2322
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:164
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:40
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:903
#define SIGUSR2
Definition: config-msvc.h:117
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:176
void argv_printf_cat(struct argv *a, const char *format,...)
Definition: argv.c:320
#define OPT_P_INHERIT
Definition: options.h:639
bool push_ifconfig_ipv6_defined
Definition: options.h:432
Main OpenVPN server state structure.
Definition: multi.h:131
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:487
bool push_reply_deferred
Definition: openvpn.h:445
#define CAS_FAILED
Definition: openvpn.h:463
#define msg
Definition: error.h:173
time_t last_call
Definition: multi.h:55
#define ENABLE_PF
Definition: config-msvc.h:6
#define M_OPTERR
Definition: error.h:105
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:259
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:86
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:525
bool proto_is_dgram(int proto)
Definition: socket.c:3031
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:70
#define buf_init(buf, offset)
Definition: buffer.h:198
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:651
struct fragment_master * fragment
Definition: openvpn.h:270
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:460
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1401
struct status_output * status_output
Definition: openvpn.h:184
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:135
#define OPT_P_SOCKFLAGS
Definition: options.h:644
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:535
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:413
int n_net_len
Definition: mroute.h:133
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:2971
#define MR_ADDR_IPV6
Definition: mroute.h:65
int thread_mode
Definition: multi.h:138
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:239
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:209
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:143
in_addr_t push_ifconfig_local_alias
Definition: options.h:428
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:2488
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1673
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:531
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:163
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:189
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:556
Definition: route.h:230
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:424
static int constrain_int(int x, int min, int max)
Definition: integer.h:60
Definition: misc.h:49
static int min_int(int x, int y)
Definition: integer.h:47
#define MC_WORK_THREAD
Definition: multi.h:137
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:227
void setenv_int(struct env_set *es, const char *name, int value)
Definition: misc.c:548
void throw_signal(const int signum)
Definition: sig.c:104
bool enable_c2c
Definition: multi.h:161
struct frequency_limit * new_connection_limiter
Definition: multi.h:157
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:215
unsigned int flags
Definition: manage.h:159
Definition: buffer.h:1071
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:336
static void buf_reset(struct buffer *buf)
Definition: buffer.h:285
int tcp_queue_limit
Definition: multi.h:163
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:178
void * value
Definition: list.h:49
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:239
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1640
#define TUNNEL_TYPE(tt)
Definition: tun.h:133
#define CC_GC_FREE
Definition: init.h:105
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:377
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:166
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:188
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:342
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:191
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1788
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:862
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:446
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:926
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:208
struct link_socket_actual from
Definition: openvpn.h:262
void argv_reset(struct argv *a)
Definition: argv.c:59
int process_incoming_push_request(struct context *c)
Definition: push.c:633
struct iroute_ipv6 * next
Definition: route.h:239
#define BSTR(buf)
Definition: buffer.h:129
long int get_random(void)
Definition: crypto.c:1788
#define OPT_P_CONFIG
Definition: options.h:636
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:134
#define M_ERRNO
Definition: error.h:99
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:51
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:136
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:76
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:783
Definition: argv.h:35
uint8_t netbits
Definition: mroute.h:81
struct buffer to_tun
Definition: openvpn.h:391
in_addr_t push_ifconfig_constraint_network
Definition: options.h:430
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:2953
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2279
#define M_NONFATAL
Definition: error.h:95
Definition: list.h:60
bool duplicate_cn
Definition: options.h:438
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
int stale_routes_ageing_time
Definition: options.h:444
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:342
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:164
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:229
struct timeval wakeup
Definition: multi.h:63
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:452
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1170
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:257
void setenv_del(struct env_set *es, const char *name)
Definition: misc.c:609
struct in6_addr local_ipv6
Definition: tun.h:157
struct mroute_addr addr
Definition: multi.h:199
void status_reset(struct status_output *so)
Definition: status.c:163
#define CONNECTION_ESTABLISHED(c)
const char title_string[]
Definition: options.c:64
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:132
void argv_printf(struct argv *a, const char *format,...)
Definition: argv.c:310
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:261
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:248
void uninit_management_callback(void)
Definition: init.c:3912
static struct link_socket_info * get_link_socket_info(struct context *c)
#define M_WARN
Definition: error.h:96
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2871
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:433
static void multi_client_disconnect_script(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:575
int ifconfig_ipv6_pool_netbits
Definition: options.h:411
#define OPT_P_PUSH
Definition: options.h:634
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:153
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:221
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4417