OpenVPN
multi.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #ifdef HAVE_SYS_INOTIFY_H
31 #include <sys/inotify.h>
32 #define INOTIFY_EVENT_BUFFER_SIZE 16384
33 #endif
34 
35 #include "syshead.h"
36 
37 #if P2MP_SERVER
38 
39 #include "forward.h"
40 #include "multi.h"
41 #include "push.h"
42 #include "run_command.h"
43 #include "otime.h"
44 #include "pf.h"
45 #include "gremlin.h"
46 #include "mstats.h"
47 #include "ssl_verify.h"
48 #include "vlan.h"
49 #include <inttypes.h>
50 
51 #include "memdbg.h"
52 
53 
54 #include "crypto_backend.h"
55 
56 /*#define MULTI_DEBUG_EVENT_LOOP*/
57 
58 #ifdef MULTI_DEBUG_EVENT_LOOP
59 static const char *
60 id(struct multi_instance *mi)
61 {
62  if (mi)
63  {
64  return tls_common_name(mi->context.c2.tls_multi, false);
65  }
66  else
67  {
68  return "NULL";
69  }
70 }
71 #endif
72 
73 #ifdef MANAGEMENT_DEF_AUTH
74 static void
75 set_cc_config(struct multi_instance *mi, struct buffer_list *cc_config)
76 {
77  if (mi->cc_config)
78  {
79  buffer_list_free(mi->cc_config);
80  }
81  mi->cc_config = cc_config;
82 }
83 #endif
84 
85 static inline void
86 update_mstat_n_clients(const int n_clients)
87 {
88 #ifdef ENABLE_MEMSTATS
89  if (mmap_stats)
90  {
91  mmap_stats->n_clients = n_clients;
92  }
93 #endif
94 }
95 
96 static bool
98  const struct multi_instance *mi,
99  const char *op,
100  const struct mroute_addr *addr)
101 {
102  struct gc_arena gc = gc_new();
103  struct env_set *es;
104  bool ret = true;
105  struct plugin_list *plugins;
106 
107  /* get environmental variable source */
108  if (mi && mi->context.c2.es)
109  {
110  es = mi->context.c2.es;
111  }
112  else
113  {
114  es = env_set_create(&gc);
115  }
116 
117  /* get plugin source */
118  if (mi)
119  {
120  plugins = mi->context.plugins;
121  }
122  else
123  {
124  plugins = m->top.plugins;
125  }
126 
128  {
129  struct argv argv = argv_new();
130  argv_printf(&argv, "%s %s",
131  op,
132  mroute_addr_print(addr, &gc));
133  if (mi)
134  {
135  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
136  }
137  if (plugin_call(plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
138  {
139  msg(M_WARN, "WARNING: learn-address plugin call failed");
140  ret = false;
141  }
142  argv_free(&argv);
143  }
144 
146  {
147  struct argv argv = argv_new();
148  setenv_str(es, "script_type", "learn-address");
150  argv_printf_cat(&argv, "%s %s", op, mroute_addr_print(addr, &gc));
151  if (mi)
152  {
153  argv_printf_cat(&argv, "%s", tls_common_name(mi->context.c2.tls_multi, false));
154  }
155  if (!openvpn_run_script(&argv, es, 0, "--learn-address"))
156  {
157  ret = false;
158  }
159  argv_free(&argv);
160  }
161 
162  gc_free(&gc);
163  return ret;
164 }
165 
166 void
168 {
169  /* write pool data to file */
170  if (m->ifconfig_pool
173  {
175  }
176 }
177 
178 static void
180  int start_bucket,
181  int end_bucket)
182 {
183  struct gc_arena gc = gc_new();
184  struct hash_iterator hi;
185  struct hash_element *he;
186 
187  if (start_bucket < 0)
188  {
189  start_bucket = 0;
190  end_bucket = hash_n_buckets(m->vhash);
191  }
192 
193  dmsg(D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
194  hash_iterator_init_range(m->vhash, &hi, start_bucket, end_bucket);
195  while ((he = hash_iterator_next(&hi)) != NULL)
196  {
197  struct multi_route *r = (struct multi_route *) he->value;
198  if (!multi_route_defined(m, r))
199  {
200  dmsg(D_MULTI_DEBUG, "MULTI: REAP DEL %s",
201  mroute_addr_print(&r->addr, &gc));
202  learn_address_script(m, NULL, "delete", &r->addr);
203  multi_route_del(r);
205  }
206  }
207  hash_iterator_free(&hi);
208  gc_free(&gc);
209 }
210 
211 static void
213 {
214  multi_reap_range(m, -1, 0);
215 }
216 
217 static struct multi_reap *
219 {
220  struct multi_reap *mr;
221  ALLOC_OBJ(mr, struct multi_reap);
222  mr->bucket_base = 0;
224  mr->last_call = now;
225  return mr;
226 }
227 
228 void
230 {
231  struct multi_reap *mr = m->reaper;
232  if (mr->bucket_base >= hash_n_buckets(m->vhash))
233  {
234  mr->bucket_base = 0;
235  }
237  mr->bucket_base += mr->buckets_per_pass;
238  mr->last_call = now;
239 }
240 
241 static void
243 {
244  free(mr);
245 }
246 
247 /*
248  * How many buckets in vhash to reap per pass.
249  */
250 static int
251 reap_buckets_per_pass(int n_buckets)
252 {
253  return constrain_int(n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
254 }
255 
256 #ifdef MANAGEMENT_DEF_AUTH
257 
258 static uint32_t
259 cid_hash_function(const void *key, uint32_t iv)
260 {
261  const unsigned long *k = (const unsigned long *)key;
262  return (uint32_t) *k;
263 }
264 
265 static bool
266 cid_compare_function(const void *key1, const void *key2)
267 {
268  const unsigned long *k1 = (const unsigned long *)key1;
269  const unsigned long *k2 = (const unsigned long *)key2;
270  return *k1 == *k2;
271 }
272 
273 #endif
274 
275 #ifdef ENABLE_ASYNC_PUSH
276 static uint32_t
277 /*
278  * inotify watcher descriptors are used as hash value
279  */
280 int_hash_function(const void *key, uint32_t iv)
281 {
282  return (unsigned long)key;
283 }
284 
285 static bool
286 int_compare_function(const void *key1, const void *key2)
287 {
288  return (unsigned long)key1 == (unsigned long)key2;
289 }
290 #endif
291 
292 /*
293  * Main initialization function, init multi_context object.
294  */
295 void
296 multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
297 {
298  int dev = DEV_TYPE_UNDEF;
299 
300  msg(D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
303 
304  /*
305  * Get tun/tap/null device type
306  */
307  dev = dev_type_enum(t->options.dev, t->options.dev_type);
308 
309  /*
310  * Init our multi_context object.
311  */
312  CLEAR(*m);
313 
314  m->thread_mode = thread_mode;
315 
316  /*
317  * Real address hash table (source port number is
318  * considered to be part of the address). Used
319  * to determine which client sent an incoming packet
320  * which is seen on the TCP/UDP socket.
321  */
323  get_random(),
326 
327  /*
328  * Virtual address hash table. Used to determine
329  * which client to route a packet to.
330  */
332  get_random(),
335 
336  /*
337  * This hash table is a clone of m->hash but with a
338  * bucket size of one so that it can be used
339  * for fast iteration through the list.
340  */
341  m->iter = hash_init(1,
342  get_random(),
345 
346 #ifdef MANAGEMENT_DEF_AUTH
347  m->cid_hash = hash_init(t->options.real_hash_size,
348  0,
349  cid_hash_function,
350  cid_compare_function);
351 #endif
352 
353 #ifdef ENABLE_ASYNC_PUSH
354  /*
355  * Mapping between inotify watch descriptors and
356  * multi_instances.
357  */
358  m->inotify_watchers = hash_init(t->options.real_hash_size,
359  get_random(),
360  int_hash_function,
361  int_compare_function);
362 #endif
363 
364  /*
365  * This is our scheduler, for time-based wakeup
366  * events.
367  */
368  m->schedule = schedule_init();
369 
370  /*
371  * Limit frequency of incoming connections to control
372  * DoS.
373  */
375  t->options.cf_per);
376 
377  /*
378  * Allocate broadcast/multicast buffer list
379  */
381 
382  /*
383  * Different status file format options are available
384  */
386 
387  /*
388  * Possibly allocate an ifconfig pool, do it
389  * differently based on whether a tun or tap style
390  * tunnel.
391  */
393  {
395 
396  if (dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30)
397  {
398  pool_type = IFCONFIG_POOL_30NET;
399  }
400 
401  m->ifconfig_pool = ifconfig_pool_init(pool_type,
408 
409  /* reload pool data from file */
410  if (t->c1.ifconfig_pool_persist)
411  {
413  }
414  }
415 
416  /*
417  * Help us keep track of routing table.
418  */
420 
421  /*
422  * Initialize route and instance reaper.
423  */
425 
426  /*
427  * Get local ifconfig address
428  */
429  CLEAR(m->local);
430  ASSERT(t->c1.tuntap);
432 
433  /*
434  * Per-client limits
435  */
437 
438  m->instances = calloc(m->max_clients, sizeof(struct multi_instance *));
439 
440  /*
441  * Initialize multi-socket TCP I/O wait object
442  */
443  if (tcp_mode)
444  {
446  }
448 
449  /*
450  * Allow client <-> client communication, without going through
451  * tun/tap interface and network stack?
452  */
453  m->enable_c2c = t->options.enable_c2c;
454 
455  /* initialize stale routes check timer */
457  {
458  msg(M_INFO, "Initializing stale route check timer to run every %i seconds and to removing routes with activity timeout older than %i seconds",
461  }
462 
464 }
465 
466 const char *
467 multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
468 {
469  if (mi)
470  {
471  struct buffer out = alloc_buf_gc(MULTI_PREFIX_MAX_LENGTH, gc);
472  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
473 
474  if (cn)
475  {
476  buf_printf(&out, "%s/", cn);
477  }
478  buf_printf(&out, "%s", mroute_addr_print(&mi->real, gc));
479  return BSTR(&out);
480  }
481  else if (null)
482  {
483  return NULL;
484  }
485  else
486  {
487  return "UNDEF";
488  }
489 }
490 
491 static void
493 {
494  struct gc_arena gc = gc_new();
495  const char *prefix = multi_instance_string(mi, true, &gc);
496  if (prefix)
497  {
498  strncpynt(mi->msg_prefix, prefix, sizeof(mi->msg_prefix));
499  }
500  else
501  {
502  mi->msg_prefix[0] = '\0';
503  }
504  set_prefix(mi);
505  gc_free(&gc);
506 }
507 
508 void
510 {
511  mi->msg_prefix[0] = '\0';
512  set_prefix(mi);
513 }
514 
515 static const char *
516 mi_prefix(const struct multi_instance *mi)
517 {
518  if (mi && mi->msg_prefix[0])
519  {
520  return mi->msg_prefix;
521  }
522  else
523  {
524  return "UNDEF_I";
525  }
526 }
527 
528 /*
529  * Tell the route helper about deleted iroutes so
530  * that it can update its mask of currently used
531  * CIDR netlengths.
532  */
533 static void
535  struct multi_instance *mi)
536 {
537  const struct iroute *ir;
538  const struct iroute_ipv6 *ir6;
540  {
541  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
542  {
544  }
545 
546  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
547  {
549  }
550  }
551 }
552 
553 static void
555 {
556  setenv_counter(c->c2.es, "bytes_received", c->c2.link_read_bytes);
557  setenv_counter(c->c2.es, "bytes_sent", c->c2.link_write_bytes);
558 }
559 
560 static void
562 {
563  /* setenv client real IP address */
565 
566  /* setenv stats */
567  setenv_stats(&mi->context);
568 
569  /* setenv connection duration */
570  setenv_long_long(mi->context.c2.es, "time_duration", now - mi->created);
571 }
572 
573 static void
575 {
578  {
580 
582  {
584  {
585  msg(M_WARN, "WARNING: client-disconnect plugin call failed");
586  }
587  }
588 
590  {
591  struct argv argv = argv_new();
592  setenv_str(mi->context.c2.es, "script_type", "client-disconnect");
594  openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-disconnect");
595  argv_free(&argv);
596  }
597 #ifdef MANAGEMENT_DEF_AUTH
598  if (management)
599  {
600  management_notify_client_close(management, &mi->context.c2.mda_context, mi->context.c2.es);
601  }
602 #endif
603 
604  }
605 }
606 
607 void
609  struct multi_instance *mi,
610  bool shutdown)
611 {
613 
614  ASSERT(!mi->halt);
615  mi->halt = true;
616 
617  dmsg(D_MULTI_DEBUG, "MULTI: multi_close_instance called");
618 
619  /* adjust current client connection count */
620  m->n_clients += mi->n_clients_delta;
622  mi->n_clients_delta = 0;
623 
624  /* prevent dangling pointers */
625  if (m->pending == mi)
626  {
627  multi_set_pending(m, NULL);
628  }
629  if (m->earliest_wakeup == mi)
630  {
631  m->earliest_wakeup = NULL;
632  }
633 
634  if (!shutdown)
635  {
636  if (mi->did_real_hash)
637  {
638  ASSERT(hash_remove(m->hash, &mi->real));
639  }
640  if (mi->did_iter)
641  {
642  ASSERT(hash_remove(m->iter, &mi->real));
643  }
644 #ifdef MANAGEMENT_DEF_AUTH
645  if (mi->did_cid_hash)
646  {
647  ASSERT(hash_remove(m->cid_hash, &mi->context.c2.mda_context.cid));
648  }
649 #endif
650 
651 #ifdef ENABLE_ASYNC_PUSH
652  if (mi->inotify_watch != -1)
653  {
654  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
655  mi->inotify_watch = -1;
656  }
657 #endif
658 
659  if (mi->context.c2.tls_multi->peer_id != MAX_PEER_ID)
660  {
661  m->instances[mi->context.c2.tls_multi->peer_id] = NULL;
662  }
663 
664  schedule_remove_entry(m->schedule, (struct schedule_entry *) mi);
665 
666  ifconfig_pool_release(m->ifconfig_pool, mi->vaddr_handle, false);
667 
668  if (mi->did_iroutes)
669  {
670  multi_del_iroutes(m, mi);
671  mi->did_iroutes = false;
672  }
673 
674  if (m->mtcp)
675  {
677  }
678 
680  }
681 
682 #ifdef MANAGEMENT_DEF_AUTH
683  set_cc_config(mi, NULL);
684 #endif
685 
687 
688  if (mi->did_open_context)
689  {
691  }
692 
694 
695  ungenerate_prefix(mi);
696 
697  /*
698  * Don't actually delete the instance memory allocation yet,
699  * because virtual routes may still point to it. Let the
700  * vhash reaper deal with it.
701  */
703 
704  perf_pop();
705 }
706 
707 /*
708  * Called on shutdown or restart.
709  */
710 void
712 {
713  if (m->thread_mode & MC_WORK_THREAD)
714  {
715  multi_top_free(m);
716  m->thread_mode = MC_UNDEF;
717  }
718  else if (m->thread_mode)
719  {
720  if (m->hash)
721  {
722  struct hash_iterator hi;
723  struct hash_element *he;
724 
725  hash_iterator_init(m->iter, &hi);
726  while ((he = hash_iterator_next(&hi)))
727  {
728  struct multi_instance *mi = (struct multi_instance *) he->value;
729  mi->did_iter = false;
730  multi_close_instance(m, mi, true);
731  }
732  hash_iterator_free(&hi);
733 
734  multi_reap_all(m);
735 
736  hash_free(m->hash);
737  hash_free(m->vhash);
738  hash_free(m->iter);
739 #ifdef MANAGEMENT_DEF_AUTH
740  hash_free(m->cid_hash);
741 #endif
742  m->hash = NULL;
743 
744  free(m->instances);
745 
746 #ifdef ENABLE_ASYNC_PUSH
747  hash_free(m->inotify_watchers);
748  m->inotify_watchers = NULL;
749 #endif
750 
752  mbuf_free(m->mbuf);
757  multi_tcp_free(m->mtcp);
758  m->thread_mode = MC_UNDEF;
759  }
760  }
761 }
762 
763 /*
764  * Create a client instance object for a newly connected client.
765  */
766 struct multi_instance *
768 {
769  struct gc_arena gc = gc_new();
770  struct multi_instance *mi;
771 
773 
774  msg(D_MULTI_MEDIUM, "MULTI: multi_create_instance called");
775 
776  ALLOC_OBJ_CLEAR(mi, struct multi_instance);
777 
778  mi->gc = gc_new();
780  mi->vaddr_handle = -1;
781  mi->created = now;
782  mroute_addr_init(&mi->real);
783 
784  if (real)
785  {
786  mi->real = *real;
787  generate_prefix(mi);
788  }
789 
790  mi->did_open_context = true;
791  inherit_context_child(&mi->context, &m->top);
792  if (IS_SIG(&mi->context))
793  {
794  goto err;
795  }
796 
798 
799  if (hash_n_elements(m->hash) >= m->max_clients)
800  {
801  msg(D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
802  goto err;
803  }
804 
805  if (!real) /* TCP mode? */
806  {
808  {
809  goto err;
810  }
811  generate_prefix(mi);
812  }
813 
814  if (!hash_add(m->iter, &mi->real, mi, false))
815  {
816  msg(D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
817  mroute_addr_print(&mi->real, &gc));
818  goto err;
819  }
820  mi->did_iter = true;
821 
822 #ifdef MANAGEMENT_DEF_AUTH
823  do
824  {
825  mi->context.c2.mda_context.cid = m->cid_counter++;
826  } while (!hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
827  mi->did_cid_hash = true;
828 #endif
829 
830  mi->context.c2.push_reply_deferred = true;
831 
832 #ifdef ENABLE_ASYNC_PUSH
833  mi->context.c2.push_request_received = false;
834  mi->inotify_watch = -1;
835 #endif
836 
837  if (!multi_process_post(m, mi, MPP_PRE_SELECT))
838  {
839  msg(D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
840  goto err;
841  }
842 
843  perf_pop();
844  gc_free(&gc);
845  return mi;
846 
847 err:
848  multi_close_instance(m, mi, false);
849  perf_pop();
850  gc_free(&gc);
851  return NULL;
852 }
853 
854 /*
855  * Dump tables -- triggered by SIGUSR2.
856  * If status file is defined, write to file.
857  * If status file is NULL, write to syslog.
858  */
859 void
860 multi_print_status(struct multi_context *m, struct status_output *so, const int version)
861 {
862  if (m->hash)
863  {
864  struct gc_arena gc_top = gc_new();
865  struct hash_iterator hi;
866  const struct hash_element *he;
867 
868  status_reset(so);
869 
870  if (version == 1) /* WAS: m->status_file_version */
871  {
872  /*
873  * Status file version 1
874  */
875  status_printf(so, "OpenVPN CLIENT LIST");
876  status_printf(so, "Updated,%s", time_string(0, 0, false, &gc_top));
877  status_printf(so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
878  hash_iterator_init(m->hash, &hi);
879  while ((he = hash_iterator_next(&hi)))
880  {
881  struct gc_arena gc = gc_new();
882  const struct multi_instance *mi = (struct multi_instance *) he->value;
883 
884  if (!mi->halt)
885  {
886  status_printf(so, "%s,%s," counter_format "," counter_format ",%s",
887  tls_common_name(mi->context.c2.tls_multi, false),
888  mroute_addr_print(&mi->real, &gc),
891  time_string(mi->created, 0, false, &gc));
892  }
893  gc_free(&gc);
894  }
895  hash_iterator_free(&hi);
896 
897  status_printf(so, "ROUTING TABLE");
898  status_printf(so, "Virtual Address,Common Name,Real Address,Last Ref");
899  hash_iterator_init(m->vhash, &hi);
900  while ((he = hash_iterator_next(&hi)))
901  {
902  struct gc_arena gc = gc_new();
903  const struct multi_route *route = (struct multi_route *) he->value;
904 
905  if (multi_route_defined(m, route))
906  {
907  const struct multi_instance *mi = route->instance;
908  const struct mroute_addr *ma = &route->addr;
909  char flags[2] = {0, 0};
910 
911  if (route->flags & MULTI_ROUTE_CACHE)
912  {
913  flags[0] = 'C';
914  }
915  status_printf(so, "%s%s,%s,%s,%s",
916  mroute_addr_print(ma, &gc),
917  flags,
918  tls_common_name(mi->context.c2.tls_multi, false),
919  mroute_addr_print(&mi->real, &gc),
920  time_string(route->last_reference, 0, false, &gc));
921  }
922  gc_free(&gc);
923  }
924  hash_iterator_free(&hi);
925 
926  status_printf(so, "GLOBAL STATS");
927  if (m->mbuf)
928  {
929  status_printf(so, "Max bcast/mcast queue length,%d",
931  }
932 
933  status_printf(so, "END");
934  }
935  else if (version == 2 || version == 3)
936  {
937  const char sep = (version == 3) ? '\t' : ',';
938 
939  /*
940  * Status file version 2 and 3
941  */
942  status_printf(so, "TITLE%c%s", sep, title_string);
943  status_printf(so, "TIME%c%s%c%u", sep, time_string(now, 0, false, &gc_top), sep, (unsigned int)now);
944  status_printf(so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cVirtual IPv6 Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)%cUsername%cClient ID%cPeer ID%cData Channel Cipher",
945  sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep, sep);
946  hash_iterator_init(m->hash, &hi);
947  while ((he = hash_iterator_next(&hi)))
948  {
949  struct gc_arena gc = gc_new();
950  const struct multi_instance *mi = (struct multi_instance *) he->value;
951 
952  if (!mi->halt)
953  {
954  status_printf(so, "CLIENT_LIST%c%s%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u%c%s%c"
955 #ifdef MANAGEMENT_DEF_AUTH
956  "%lu"
957 #else
958  ""
959 #endif
960  "%c%" PRIu32 "%c%s",
961  sep, tls_common_name(mi->context.c2.tls_multi, false),
962  sep, mroute_addr_print(&mi->real, &gc),
965  sep, mi->context.c2.link_read_bytes,
966  sep, mi->context.c2.link_write_bytes,
967  sep, time_string(mi->created, 0, false, &gc),
968  sep, (unsigned int)mi->created,
969  sep, tls_username(mi->context.c2.tls_multi, false),
970 #ifdef MANAGEMENT_DEF_AUTH
971  sep, mi->context.c2.mda_context.cid,
972 #else
973  sep,
974 #endif
975  sep, mi->context.c2.tls_multi ? mi->context.c2.tls_multi->peer_id : UINT32_MAX,
977  }
978  gc_free(&gc);
979  }
980  hash_iterator_free(&hi);
981 
982  status_printf(so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
983  sep, sep, sep, sep, sep, sep);
984  hash_iterator_init(m->vhash, &hi);
985  while ((he = hash_iterator_next(&hi)))
986  {
987  struct gc_arena gc = gc_new();
988  const struct multi_route *route = (struct multi_route *) he->value;
989 
990  if (multi_route_defined(m, route))
991  {
992  const struct multi_instance *mi = route->instance;
993  const struct mroute_addr *ma = &route->addr;
994  char flags[2] = {0, 0};
995 
996  if (route->flags & MULTI_ROUTE_CACHE)
997  {
998  flags[0] = 'C';
999  }
1000  status_printf(so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
1001  sep, mroute_addr_print(ma, &gc), flags,
1002  sep, tls_common_name(mi->context.c2.tls_multi, false),
1003  sep, mroute_addr_print(&mi->real, &gc),
1004  sep, time_string(route->last_reference, 0, false, &gc),
1005  sep, (unsigned int)route->last_reference);
1006  }
1007  gc_free(&gc);
1008  }
1009  hash_iterator_free(&hi);
1010 
1011  if (m->mbuf)
1012  {
1013  status_printf(so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
1014  sep, sep, mbuf_maximum_queued(m->mbuf));
1015  }
1016 
1017  status_printf(so, "END");
1018  }
1019  else
1020  {
1021  status_printf(so, "ERROR: bad status format version number");
1022  }
1023 
1024 #ifdef PACKET_TRUNCATION_CHECK
1025  {
1026  status_printf(so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
1027  hash_iterator_init(m->hash, &hi);
1028  while ((he = hash_iterator_next(&hi)))
1029  {
1030  struct gc_arena gc = gc_new();
1031  const struct multi_instance *mi = (struct multi_instance *) he->value;
1032 
1033  if (!mi->halt)
1034  {
1036  tls_common_name(mi->context.c2.tls_multi, false),
1037  m->top.c2.n_trunc_tun_read,
1038  mi->context.c2.n_trunc_tun_write,
1039  mi->context.c2.n_trunc_pre_encrypt,
1040  mi->context.c2.n_trunc_post_decrypt);
1041  }
1042  gc_free(&gc);
1043  }
1044  hash_iterator_free(&hi);
1045  }
1046 #endif /* ifdef PACKET_TRUNCATION_CHECK */
1047 
1048  status_flush(so);
1049  gc_free(&gc_top);
1050  }
1051 
1052 #ifdef ENABLE_ASYNC_PUSH
1053  if (m->inotify_watchers)
1054  {
1055  msg(D_MULTI_DEBUG, "inotify watchers count: %d\n", hash_n_elements(m->inotify_watchers));
1056  }
1057 #endif
1058 }
1059 
1060 /*
1061  * Learn a virtual address or route.
1062  * The learn will fail if the learn address
1063  * script/plugin fails. In this case the
1064  * return value may be != mi.
1065  * Return the instance which owns this route,
1066  * or NULL if none.
1067  */
1068 static struct multi_instance *
1070  struct multi_instance *mi,
1071  const struct mroute_addr *addr,
1072  const unsigned int flags)
1073 {
1074  struct hash_element *he;
1075  const uint32_t hv = hash_value(m->vhash, addr);
1076  struct hash_bucket *bucket = hash_bucket(m->vhash, hv);
1077  struct multi_route *oldroute = NULL;
1078  struct multi_instance *owner = NULL;
1079  struct gc_arena gc = gc_new();
1080 
1081  /* if route currently exists, get the instance which owns it */
1082  he = hash_lookup_fast(m->vhash, bucket, addr, hv);
1083  if (he)
1084  {
1085  oldroute = (struct multi_route *) he->value;
1086  }
1087  if (oldroute && multi_route_defined(m, oldroute))
1088  {
1089  owner = oldroute->instance;
1090  }
1091 
1092  /* do we need to add address to hash table? */
1093  if ((!owner || owner != mi) && mroute_learnable_address(addr, &gc)
1094  && !mroute_addr_equal(addr, &m->local))
1095  {
1096  struct multi_route *newroute;
1097  bool learn_succeeded = false;
1098 
1099  ALLOC_OBJ(newroute, struct multi_route);
1100  newroute->addr = *addr;
1101  newroute->instance = mi;
1102  newroute->flags = flags;
1103  newroute->last_reference = now;
1104  newroute->cache_generation = 0;
1105 
1106  /* The cache is invalidated when cache_generation is incremented */
1107  if (flags & MULTI_ROUTE_CACHE)
1108  {
1110  }
1111 
1112  if (oldroute) /* route already exists? */
1113  {
1114  if (route_quota_test(mi) && learn_address_script(m, mi, "update", &newroute->addr))
1115  {
1116  learn_succeeded = true;
1117  owner = mi;
1119  route_quota_inc(mi);
1120 
1121  /* delete old route */
1122  multi_route_del(oldroute);
1123 
1124  /* modify hash table entry, replacing old route */
1125  he->key = &newroute->addr;
1126  he->value = newroute;
1127  }
1128  }
1129  else
1130  {
1131  if (route_quota_test(mi) && learn_address_script(m, mi, "add", &newroute->addr))
1132  {
1133  learn_succeeded = true;
1134  owner = mi;
1136  route_quota_inc(mi);
1137 
1138  /* add new route */
1139  hash_add_fast(m->vhash, bucket, &newroute->addr, hv, newroute);
1140  }
1141  }
1142 
1143  msg(D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
1144  learn_succeeded ? "" : " FAILED",
1145  mroute_addr_print(&newroute->addr, &gc),
1146  multi_instance_string(mi, false, &gc));
1147 
1148  if (!learn_succeeded)
1149  {
1150  free(newroute);
1151  }
1152  }
1153  gc_free(&gc);
1154 
1155  return owner;
1156 }
1157 
1158 /*
1159  * Get client instance based on virtual address.
1160  */
1161 static struct multi_instance *
1163  const struct mroute_addr *addr,
1164  bool cidr_routing)
1165 {
1166  struct multi_route *route;
1167  struct multi_instance *ret = NULL;
1168 
1169  /* check for local address */
1170  if (mroute_addr_equal(addr, &m->local))
1171  {
1172  return NULL;
1173  }
1174 
1175  route = (struct multi_route *) hash_lookup(m->vhash, addr);
1176 
1177  /* does host route (possible cached) exist? */
1178  if (route && multi_route_defined(m, route))
1179  {
1180  struct multi_instance *mi = route->instance;
1181  route->last_reference = now;
1182  ret = mi;
1183  }
1184  else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
1185  {
1186  struct mroute_helper *rh = m->route_helper;
1187  struct mroute_addr tryaddr;
1188  int i;
1189 
1190  /* cycle through each CIDR length */
1191  for (i = 0; i < rh->n_net_len; ++i)
1192  {
1193  tryaddr = *addr;
1194  tryaddr.type |= MR_WITH_NETBITS;
1195  tryaddr.netbits = rh->net_len[i];
1196  mroute_addr_mask_host_bits(&tryaddr);
1197 
1198  /* look up a possible route with netbits netmask */
1199  route = (struct multi_route *) hash_lookup(m->vhash, &tryaddr);
1200 
1201  if (route && multi_route_defined(m, route))
1202  {
1203  /* found an applicable route, cache host route */
1204  struct multi_instance *mi = route->instance;
1206  ret = mi;
1207  break;
1208  }
1209  }
1210  }
1211 
1212 #ifdef ENABLE_DEBUG
1214  {
1215  struct gc_arena gc = gc_new();
1216  const char *addr_text = mroute_addr_print(addr, &gc);
1217  if (ret)
1218  {
1219  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1220  addr_text,
1221  multi_instance_string(ret, false, &gc),
1222  mroute_addr_print(&route->addr, &gc));
1223  }
1224  else
1225  {
1226  dmsg(D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1227  addr_text);
1228  }
1229  gc_free(&gc);
1230  }
1231 #endif
1232 
1233  ASSERT(!(ret && ret->halt));
1234  return ret;
1235 }
1236 
1237 /*
1238  * Helper function to multi_learn_addr().
1239  */
1240 static struct multi_instance *
1242  struct multi_instance *mi,
1243  in_addr_t a,
1244  int netbits, /* -1 if host route, otherwise # of network bits in address */
1245  bool primary)
1246 {
1247  struct openvpn_sockaddr remote_si;
1248  struct mroute_addr addr;
1249 
1250  CLEAR(remote_si);
1251  remote_si.addr.in4.sin_family = AF_INET;
1252  remote_si.addr.in4.sin_addr.s_addr = htonl(a);
1253  ASSERT(mroute_extract_openvpn_sockaddr(&addr, &remote_si, false));
1254 
1255  if (netbits >= 0)
1256  {
1257  addr.type |= MR_WITH_NETBITS;
1258  addr.netbits = (uint8_t) netbits;
1259  }
1260 
1261  {
1262  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1263 #ifdef MANAGEMENT_DEF_AUTH
1264  if (management && owner)
1265  {
1266  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1267  }
1268 #endif
1269  return owner;
1270  }
1271 }
1272 
1273 static struct multi_instance *
1275  struct multi_instance *mi,
1276  struct in6_addr a6,
1277  int netbits, /* -1 if host route, otherwise # of network bits in address */
1278  bool primary)
1279 {
1280  struct mroute_addr addr;
1281 
1282  addr.len = 16;
1283  addr.type = MR_ADDR_IPV6;
1284  addr.netbits = 0;
1285  addr.v6.addr = a6;
1286 
1287  if (netbits >= 0)
1288  {
1289  addr.type |= MR_WITH_NETBITS;
1290  addr.netbits = (uint8_t) netbits;
1291  mroute_addr_mask_host_bits( &addr );
1292  }
1293 
1294  {
1295  struct multi_instance *owner = multi_learn_addr(m, mi, &addr, 0);
1296 #ifdef MANAGEMENT_DEF_AUTH
1297  if (management && owner)
1298  {
1299  management_learn_addr(management, &mi->context.c2.mda_context, &addr, primary);
1300  }
1301 #endif
1302  return owner;
1303  }
1304 }
1305 
1306 /*
1307  * A new client has connected, add routes (server -> client)
1308  * to internal routing table.
1309  */
1310 static void
1312  struct multi_instance *mi)
1313 {
1314  struct gc_arena gc = gc_new();
1315  const struct iroute *ir;
1316  const struct iroute_ipv6 *ir6;
1318  {
1319  mi->did_iroutes = true;
1320  for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1321  {
1322  if (ir->netbits >= 0)
1323  {
1324  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1325  print_in_addr_t(ir->network, 0, &gc),
1326  ir->netbits,
1327  multi_instance_string(mi, false, &gc));
1328  }
1329  else
1330  {
1331  msg(D_MULTI_LOW, "MULTI: internal route %s -> %s",
1332  print_in_addr_t(ir->network, 0, &gc),
1333  multi_instance_string(mi, false, &gc));
1334  }
1335 
1337 
1338  multi_learn_in_addr_t(m, mi, ir->network, ir->netbits, false);
1339  }
1340  for (ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next)
1341  {
1342  msg(D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1343  print_in6_addr(ir6->network, 0, &gc),
1344  ir6->netbits,
1345  multi_instance_string(mi, false, &gc));
1346 
1348 
1349  multi_learn_in6_addr(m, mi, ir6->network, ir6->netbits, false);
1350  }
1351  }
1352  gc_free(&gc);
1353 }
1354 
1355 /*
1356  * Given an instance (new_mi), delete all other instances which use the
1357  * same common name.
1358  */
1359 static void
1361 {
1362  if (new_mi)
1363  {
1364  const char *new_cn = tls_common_name(new_mi->context.c2.tls_multi, true);
1365  if (new_cn)
1366  {
1367  struct hash_iterator hi;
1368  struct hash_element *he;
1369  int count = 0;
1370 
1371  hash_iterator_init(m->iter, &hi);
1372  while ((he = hash_iterator_next(&hi)))
1373  {
1374  struct multi_instance *mi = (struct multi_instance *) he->value;
1375  if (mi != new_mi && !mi->halt)
1376  {
1377  const char *cn = tls_common_name(mi->context.c2.tls_multi, true);
1378  if (cn && !strcmp(cn, new_cn))
1379  {
1380  mi->did_iter = false;
1381  multi_close_instance(m, mi, false);
1383  ++count;
1384  }
1385  }
1386  }
1387  hash_iterator_free(&hi);
1388 
1389  if (count)
1390  {
1391  msg(D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1392  }
1393  }
1394  }
1395 }
1396 
1397 static void
1399 {
1400 
1401  struct gc_arena gc = gc_new();
1402  struct hash_iterator hi;
1403  struct hash_element *he;
1404 
1405  dmsg(D_MULTI_DEBUG, "MULTI: Checking stale routes");
1407  while ((he = hash_iterator_next(&hi)) != NULL)
1408  {
1409  struct multi_route *r = (struct multi_route *) he->value;
1410  if (multi_route_defined(m, r) && difftime(now, r->last_reference) >= m->top.options.stale_routes_ageing_time)
1411  {
1412  dmsg(D_MULTI_DEBUG, "MULTI: Deleting stale route for address '%s'",
1413  mroute_addr_print(&r->addr, &gc));
1414  learn_address_script(m, NULL, "delete", &r->addr);
1415  multi_route_del(r);
1417  }
1418  }
1419  hash_iterator_free(&hi);
1420  gc_free(&gc);
1421 }
1422 
1423 /*
1424  * Ensure that endpoint to be pushed to client
1425  * complies with --ifconfig-push-constraint directive.
1426  */
1427 static bool
1429 {
1430  const struct options *o = &c->options;
1432  {
1434  }
1435  else
1436  {
1437  return true;
1438  }
1439 }
1440 
1441 /*
1442  * Select a virtual address for a new client instance.
1443  * Use an --ifconfig-push directive, if given (static IP).
1444  * Otherwise use an --ifconfig-pool address (dynamic IP).
1445  */
1446 static void
1448 {
1449  struct gc_arena gc = gc_new();
1450 
1451  /*
1452  * If ifconfig addresses were set by dynamic config file,
1453  * release pool addresses, otherwise keep them.
1454  */
1456  {
1457  /* ifconfig addresses were set statically,
1458  * release dynamic allocation */
1459  if (mi->vaddr_handle >= 0)
1460  {
1462  mi->vaddr_handle = -1;
1463  }
1464 
1465  mi->context.c2.push_ifconfig_defined = true;
1469 
1470  /* the current implementation does not allow "static IPv4, pool IPv6",
1471  * (see below) so issue a warning if that happens - don't break the
1472  * session, though, as we don't even know if this client WANTS IPv6
1473  */
1476  {
1477  msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1478  }
1479  }
1480  else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1481  {
1482  in_addr_t local = 0, remote = 0;
1483  struct in6_addr remote_ipv6;
1484  const char *cn = NULL;
1485 
1486  if (!mi->context.options.duplicate_cn)
1487  {
1488  cn = tls_common_name(mi->context.c2.tls_multi, true);
1489  }
1490 
1491  CLEAR(remote_ipv6);
1492  mi->vaddr_handle = ifconfig_pool_acquire(m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1493  if (mi->vaddr_handle >= 0)
1494  {
1495  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1496  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1497 
1498  msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1499  print_in_addr_t( remote, 0, &gc ),
1501  ? print_in6_addr( remote_ipv6, 0, &gc )
1502  : "(Not enabled)") );
1503 
1504  /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1505  mi->context.c2.push_ifconfig_local = remote;
1506  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1507  {
1510  {
1512  }
1513  }
1514  else if (tunnel_type == DEV_TYPE_TUN)
1515  {
1516  if (tunnel_topology == TOP_P2P)
1517  {
1519  }
1520  else if (tunnel_topology == TOP_NET30)
1521  {
1523  }
1524  }
1525 
1527  {
1528  mi->context.c2.push_ifconfig_defined = true;
1529  }
1530  else
1531  {
1532  msg(D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1533  multi_instance_string(mi, false, &gc));
1534  }
1535 
1537  {
1538  mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1540  mi->context.c1.tuntap->local_ipv6;
1544  }
1545  }
1546  else
1547  {
1548  msg(D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1549  }
1550  }
1551 
1552  /* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1553  * pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1554  * will fail (because no pool will be allocated in this case).
1555  * OTOH, this doesn't make too much sense in reality - and the other
1556  * way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1557  * -> and so it's implemented right now
1558  */
1560  {
1568 
1569  msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1572  }
1573 
1574  gc_free(&gc);
1575 }
1576 
1577 /*
1578  * Set virtual address environmental variables.
1579  */
1580 static void
1582 {
1583  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip");
1584  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip");
1585  setenv_del(mi->context.c2.es, "ifconfig_pool_netmask");
1586 
1588  {
1589  const int tunnel_type = TUNNEL_TYPE(mi->context.c1.tuntap);
1590  const int tunnel_topology = TUNNEL_TOPOLOGY(mi->context.c1.tuntap);
1591 
1593  "ifconfig_pool_remote_ip",
1596 
1597  if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1598  {
1600  "ifconfig_pool_netmask",
1603  }
1604  else if (tunnel_type == DEV_TYPE_TUN)
1605  {
1607  "ifconfig_pool_local_ip",
1610  }
1611  }
1612 
1613  setenv_del(mi->context.c2.es, "ifconfig_pool_local_ip6");
1614  setenv_del(mi->context.c2.es, "ifconfig_pool_remote_ip6");
1615  setenv_del(mi->context.c2.es, "ifconfig_pool_ip6_netbits");
1616 
1618  {
1620  "ifconfig_pool_remote",
1624  "ifconfig_pool_local",
1627  setenv_int(mi->context.c2.es,
1628  "ifconfig_pool_ip6_netbits",
1630  }
1631 }
1632 
1633 /*
1634  * Called after client-connect script is called
1635  */
1636 static void
1638  struct multi_instance *mi,
1639  const char *dc_file,
1640  unsigned int option_permissions_mask,
1641  unsigned int *option_types_found)
1642 {
1643  /* Did script generate a dynamic config file? */
1644  if (platform_test_file(dc_file))
1645  {
1647  dc_file,
1649  option_permissions_mask,
1650  option_types_found,
1651  mi->context.c2.es);
1652 
1653  /*
1654  * If the --client-connect script generates a config file
1655  * with an --ifconfig-push directive, it will override any
1656  * --ifconfig-push directive from the --client-config-dir
1657  * directory or any --ifconfig-pool dynamic address.
1658  */
1661  }
1662 }
1663 
1664 #ifdef ENABLE_PLUGIN
1665 
1666 /*
1667  * Called after client-connect plug-in is called
1668  */
1669 static void
1671  struct multi_instance *mi,
1672  const struct plugin_return *pr,
1673  unsigned int option_permissions_mask,
1674  unsigned int *option_types_found)
1675 {
1676  struct plugin_return config;
1677 
1678  plugin_return_get_column(pr, &config, "config");
1679 
1680  /* Did script generate a dynamic config file? */
1681  if (plugin_return_defined(&config))
1682  {
1683  int i;
1684  for (i = 0; i < config.n; ++i)
1685  {
1686  if (config.list[i] && config.list[i]->value)
1687  {
1689  config.list[i]->value,
1691  option_permissions_mask,
1692  option_types_found,
1693  mi->context.c2.es);
1694  }
1695  }
1696 
1697  /*
1698  * If the --client-connect script generates a config file
1699  * with an --ifconfig-push directive, it will override any
1700  * --ifconfig-push directive from the --client-config-dir
1701  * directory or any --ifconfig-pool dynamic address.
1702  */
1705  }
1706 }
1707 
1708 #endif /* ifdef ENABLE_PLUGIN */
1709 
1710 #ifdef MANAGEMENT_DEF_AUTH
1711 
1712 /*
1713  * Called to load management-derived client-connect config
1714  */
1715 static void
1716 multi_client_connect_mda(struct multi_context *m,
1717  struct multi_instance *mi,
1718  const struct buffer_list *config,
1719  unsigned int option_permissions_mask,
1720  unsigned int *option_types_found)
1721 {
1722  if (config)
1723  {
1724  struct buffer_entry *be;
1725 
1726  for (be = config->head; be != NULL; be = be->next)
1727  {
1728  const char *opt = BSTR(&be->buf);
1730  opt,
1732  option_permissions_mask,
1733  option_types_found,
1734  mi->context.c2.es);
1735  }
1736 
1737  /*
1738  * If the --client-connect script generates a config file
1739  * with an --ifconfig-push directive, it will override any
1740  * --ifconfig-push directive from the --client-config-dir
1741  * directory or any --ifconfig-pool dynamic address.
1742  */
1745  }
1746 }
1747 
1748 #endif /* ifdef MANAGEMENT_DEF_AUTH */
1749 
1750 static void
1752  struct multi_instance *mi)
1753 {
1754  struct gc_arena gc = gc_new();
1755 
1756  /* setenv incoming cert common name for script */
1757  setenv_str(mi->context.c2.es, "common_name", tls_common_name(mi->context.c2.tls_multi, true));
1758 
1759  /* setenv client real IP address */
1761 
1762  /* setenv client virtual IP address */
1764 
1765  /* setenv connection time */
1766  {
1767  const char *created_ascii = time_string(mi->created, 0, false, &gc);
1768  setenv_str(mi->context.c2.es, "time_ascii", created_ascii);
1769  setenv_long_long(mi->context.c2.es, "time_unix", mi->created);
1770  }
1771 
1772  gc_free(&gc);
1773 }
1774 
1775 /*
1776  * Called as soon as the SSL/TLS connection authenticates.
1777  *
1778  * Instance-specific directives to be processed:
1779  *
1780  * iroute start-ip end-ip
1781  * ifconfig-push local remote-netmask
1782  * push
1783  */
1784 static void
1786 {
1788  {
1789  struct gc_arena gc = gc_new();
1790  unsigned int option_types_found = 0;
1791 
1792  const unsigned int option_permissions_mask =
1794  | OPT_P_INHERIT
1795  | OPT_P_PUSH
1796  | OPT_P_TIMER
1797  | OPT_P_CONFIG
1798  | OPT_P_ECHO
1799  | OPT_P_COMP
1800  | OPT_P_SOCKFLAGS;
1801 
1802  int cc_succeeded = true; /* client connect script status */
1803  int cc_succeeded_count = 0;
1804 
1805  ASSERT(mi->context.c1.tuntap);
1806 
1807  /* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
1810 
1811  /* generate a msg() prefix for this client instance */
1812  generate_prefix(mi);
1813 
1814  /* delete instances of previous clients with same common-name */
1815  if (!mi->context.options.duplicate_cn)
1816  {
1817  multi_delete_dup(m, mi);
1818  }
1819 
1820  /* reset pool handle to null */
1821  mi->vaddr_handle = -1;
1822 
1823  /*
1824  * Try to source a dynamic config file from the
1825  * --client-config-dir directory.
1826  */
1828  {
1829  const char *ccd_file;
1830 
1833  false),
1834  &gc);
1835 
1836  /* try common-name file */
1837  if (platform_test_file(ccd_file))
1838  {
1840  ccd_file,
1842  option_permissions_mask,
1843  &option_types_found,
1844  mi->context.c2.es);
1845  }
1846  else /* try default file */
1847  {
1849  CCD_DEFAULT,
1850  &gc);
1851 
1852  if (platform_test_file(ccd_file))
1853  {
1855  ccd_file,
1857  option_permissions_mask,
1858  &option_types_found,
1859  mi->context.c2.es);
1860  }
1861  }
1862  }
1863 
1864  /*
1865  * Select a virtual address from either --ifconfig-push in --client-config-dir file
1866  * or --ifconfig-pool.
1867  */
1869 
1870  /* do --client-connect setenvs */
1872 
1873 #ifdef ENABLE_PLUGIN
1874  /*
1875  * Call client-connect plug-in.
1876  */
1877 
1878  /* deprecated callback, use a file for passing back return info */
1880  {
1881  struct argv argv = argv_new();
1882  const char *dc_file = platform_create_temp_file(mi->context.options.tmp_dir,
1883  "cc", &gc);
1884 
1885  if (!dc_file)
1886  {
1887  cc_succeeded = false;
1888  goto script_depr_failed;
1889  }
1890 
1891  argv_printf(&argv, "%s", dc_file);
1893  {
1894  msg(M_WARN, "WARNING: client-connect plugin call failed");
1895  cc_succeeded = false;
1896  }
1897  else
1898  {
1899  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1900  ++cc_succeeded_count;
1901  }
1902 
1903  if (!platform_unlink(dc_file))
1904  {
1905  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1906  dc_file);
1907  }
1908 
1909 script_depr_failed:
1910  argv_free(&argv);
1911  }
1912 
1913  /* V2 callback, use a plugin_return struct for passing back return info */
1915  {
1916  struct plugin_return pr;
1917 
1918  plugin_return_init(&pr);
1919 
1921  {
1922  msg(M_WARN, "WARNING: client-connect-v2 plugin call failed");
1923  cc_succeeded = false;
1924  }
1925  else
1926  {
1927  multi_client_connect_post_plugin(m, mi, &pr, option_permissions_mask, &option_types_found);
1928  ++cc_succeeded_count;
1929  }
1930 
1931  plugin_return_free(&pr);
1932  }
1933 #endif /* ifdef ENABLE_PLUGIN */
1934 
1935  /*
1936  * Run --client-connect script.
1937  */
1938  if (mi->context.options.client_connect_script && cc_succeeded)
1939  {
1940  struct argv argv = argv_new();
1941  const char *dc_file = NULL;
1942 
1943  setenv_str(mi->context.c2.es, "script_type", "client-connect");
1944 
1946  "cc", &gc);
1947  if (!dc_file)
1948  {
1949  cc_succeeded = false;
1950  goto script_failed;
1951  }
1952 
1954  argv_printf_cat(&argv, "%s", dc_file);
1955 
1956  if (openvpn_run_script(&argv, mi->context.c2.es, 0, "--client-connect"))
1957  {
1958  multi_client_connect_post(m, mi, dc_file, option_permissions_mask, &option_types_found);
1959  ++cc_succeeded_count;
1960  }
1961  else
1962  {
1963  cc_succeeded = false;
1964  }
1965 
1966  if (!platform_unlink(dc_file))
1967  {
1968  msg(D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1969  dc_file);
1970  }
1971 
1972 script_failed:
1973  argv_free(&argv);
1974  }
1975 
1976  /*
1977  * Check for client-connect script left by management interface client
1978  */
1979 #ifdef MANAGEMENT_DEF_AUTH
1980  if (cc_succeeded && mi->cc_config)
1981  {
1982  multi_client_connect_mda(m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1983  ++cc_succeeded_count;
1984  }
1985 #endif
1986 
1987  /*
1988  * Check for "disable" directive in client-config-dir file
1989  * or config file generated by --client-connect script.
1990  */
1991  if (mi->context.options.disable)
1992  {
1993  msg(D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1994  cc_succeeded = false;
1995  cc_succeeded_count = 0;
1996  }
1997 
1998  if (cc_succeeded)
1999  {
2000  /*
2001  * Process sourced options.
2002  */
2003  do_deferred_options(&mi->context, option_types_found);
2004 
2005  /*
2006  * make sure we got ifconfig settings from somewhere
2007  */
2008  if (!mi->context.c2.push_ifconfig_defined)
2009  {
2010  msg(D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
2011  multi_instance_string(mi, false, &gc));
2012  }
2013 
2014  /*
2015  * make sure that ifconfig settings comply with constraints
2016  */
2018  {
2019  /* JYFIXME -- this should cause the connection to fail */
2020  msg(D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
2021  multi_instance_string(mi, false, &gc),
2025  }
2026 
2027  /*
2028  * For routed tunnels, set up internal route to endpoint
2029  * plus add all iroute routes.
2030  */
2032  {
2034  {
2035  multi_learn_in_addr_t(m, mi, mi->context.c2.push_ifconfig_local, -1, true);
2036  msg(D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
2037  multi_instance_string(mi, false, &gc),
2039  }
2040 
2042  {
2044  /* TODO: find out where addresses are "unlearned"!! */
2045  msg(D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
2046  multi_instance_string(mi, false, &gc),
2048  }
2049 
2050  /* add routes locally, pointing to new client, if
2051  * --iroute options have been specified */
2052  multi_add_iroutes(m, mi);
2053 
2054  /*
2055  * iroutes represent subnets which are "owned" by a particular
2056  * client. Therefore, do not actually push a route to a client
2057  * if it matches one of the client's iroutes.
2058  */
2060  }
2061  else if (mi->context.options.iroutes)
2062  {
2063  msg(D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
2064  multi_instance_string(mi, false, &gc));
2065  }
2066 
2067  /* set our client's VPN endpoint for status reporting purposes */
2070 
2071  /* set context-level authentication flag */
2073 
2074 #ifdef ENABLE_ASYNC_PUSH
2075  /* authentication complete, send push reply */
2076  if (mi->context.c2.push_request_received)
2077  {
2079  }
2080 #endif
2081  }
2082  else
2083  {
2084  /* set context-level authentication flag */
2085  mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
2086  }
2087 
2088  /* set flag so we don't get called again */
2089  mi->connection_established_flag = true;
2090 
2091  /* increment number of current authenticated clients */
2092  ++m->n_clients;
2094  --mi->n_clients_delta;
2095 
2096 #ifdef MANAGEMENT_DEF_AUTH
2097  if (management)
2098  {
2099  management_connection_established(management, &mi->context.c2.mda_context, mi->context.c2.es);
2100  }
2101 #endif
2102 
2103  gc_free(&gc);
2104  }
2105 
2106  /*
2107  * Reply now to client's PUSH_REQUEST query
2108  */
2109  mi->context.c2.push_reply_deferred = false;
2110 }
2111 
2112 #ifdef ENABLE_ASYNC_PUSH
2113 /*
2114  * Called when inotify event is fired, which happens when acf file is closed or deleted.
2115  * Continues authentication and sends push_reply.
2116  */
2117 void
2118 multi_process_file_closed(struct multi_context *m, const unsigned int mpp_flags)
2119 {
2120  char buffer[INOTIFY_EVENT_BUFFER_SIZE];
2121  size_t buffer_i = 0;
2122  int r = read(m->top.c2.inotify_fd, buffer, INOTIFY_EVENT_BUFFER_SIZE);
2123 
2124  while (buffer_i < r)
2125  {
2126  /* parse inotify events */
2127  struct inotify_event *pevent = (struct inotify_event *) &buffer[buffer_i];
2128  size_t event_size = sizeof(struct inotify_event) + pevent->len;
2129  buffer_i += event_size;
2130 
2131  msg(D_MULTI_DEBUG, "MULTI: modified fd %d, mask %d", pevent->wd, pevent->mask);
2132 
2133  struct multi_instance *mi = hash_lookup(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2134 
2135  if (pevent->mask & IN_CLOSE_WRITE)
2136  {
2137  if (mi)
2138  {
2139  /* continue authentication and send push_reply */
2140  multi_process_post(m, mi, mpp_flags);
2141  }
2142  else
2143  {
2144  msg(D_MULTI_ERRORS, "MULTI: multi_instance not found!");
2145  }
2146  }
2147  else if (pevent->mask & IN_IGNORED)
2148  {
2149  /* this event is _always_ fired when watch is removed or file is deleted */
2150  if (mi)
2151  {
2152  hash_remove(m->inotify_watchers, (void *) (unsigned long) pevent->wd);
2153  mi->inotify_watch = -1;
2154  }
2155  }
2156  else
2157  {
2158  msg(D_MULTI_ERRORS, "MULTI: unknown mask %d", pevent->mask);
2159  }
2160  }
2161 }
2162 #endif /* ifdef ENABLE_ASYNC_PUSH */
2163 
2164 /*
2165  * Add a mbuf buffer to a particular
2166  * instance.
2167  */
2168 void
2170  struct multi_instance *mi,
2171  struct mbuf_buffer *mb)
2172 {
2173  if (multi_output_queue_ready(m, mi))
2174  {
2175  struct mbuf_item item;
2176  item.buffer = mb;
2177  item.instance = mi;
2178  mbuf_add_item(m->mbuf, &item);
2179  }
2180  else
2181  {
2182  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
2183  }
2184 }
2185 
2186 /*
2187  * Add a packet to a client instance output queue.
2188  */
2189 static inline void
2191  const struct buffer *buf,
2192  struct multi_instance *mi)
2193 {
2194  struct mbuf_buffer *mb;
2195 
2196  if (BLEN(buf) > 0)
2197  {
2198  mb = mbuf_alloc_buf(buf);
2199  mb->flags = MF_UNICAST;
2200  multi_add_mbuf(m, mi, mb);
2201  mbuf_free_buf(mb);
2202  }
2203 }
2204 
2205 /*
2206  * Broadcast a packet to all clients.
2207  */
2208 static void
2210  const struct buffer *buf,
2211  const struct multi_instance *sender_instance,
2212  const struct mroute_addr *sender_addr,
2213  uint16_t vid)
2214 {
2215  struct hash_iterator hi;
2216  struct hash_element *he;
2217  struct multi_instance *mi;
2218  struct mbuf_buffer *mb;
2219 
2220  if (BLEN(buf) > 0)
2221  {
2223 #ifdef MULTI_DEBUG_EVENT_LOOP
2224  printf("BCAST len=%d\n", BLEN(buf));
2225 #endif
2226  mb = mbuf_alloc_buf(buf);
2227  hash_iterator_init(m->iter, &hi);
2228 
2229  while ((he = hash_iterator_next(&hi)))
2230  {
2231  mi = (struct multi_instance *) he->value;
2232  if (mi != sender_instance && !mi->halt)
2233  {
2234 #ifdef ENABLE_PF
2235  if (sender_instance)
2236  {
2237  if (!pf_c2c_test(&sender_instance->context.c2.pf,
2238  sender_instance->context.c2.tls_multi,
2239  &mi->context.c2.pf,
2240  mi->context.c2.tls_multi,
2241  "bcast_c2c"))
2242  {
2243  msg(D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
2244  mi_prefix(sender_instance),
2245  mi_prefix(mi));
2246  continue;
2247  }
2248  }
2249  if (sender_addr)
2250  {
2251  if (!pf_addr_test(&mi->context.c2.pf, &mi->context,
2252  sender_addr, "bcast_src_addr"))
2253  {
2254  struct gc_arena gc = gc_new();
2255  msg(D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
2256  mroute_addr_print_ex(sender_addr, MAPF_SHOW_ARP, &gc),
2257  mi_prefix(mi));
2258  gc_free(&gc);
2259  continue;
2260  }
2261  }
2262 #endif /* ifdef ENABLE_PF */
2263  if (vid != 0 && vid != mi->context.options.vlan_pvid)
2264  {
2265  continue;
2266  }
2267  multi_add_mbuf(m, mi, mb);
2268  }
2269  }
2270 
2271  hash_iterator_free(&hi);
2272  mbuf_free_buf(mb);
2273  perf_pop();
2274  }
2275 }
2276 
2277 /*
2278  * Given a time delta, indicating that we wish to be
2279  * awoken by the scheduler at time now + delta, figure
2280  * a sigma parameter (in microseconds) that represents
2281  * a sort of fuzz factor around delta, so that we're
2282  * really telling the scheduler to wake us up any time
2283  * between now + delta - sigma and now + delta + sigma.
2284  *
2285  * The sigma parameter helps the scheduler to run more efficiently.
2286  * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
2287  */
2288 static inline unsigned int
2289 compute_wakeup_sigma(const struct timeval *delta)
2290 {
2291  if (delta->tv_sec < 1)
2292  {
2293  /* if < 1 sec, fuzz = # of microseconds / 8 */
2294  return delta->tv_usec >> 3;
2295  }
2296  else
2297  {
2298  /* if < 10 minutes, fuzz = 13.1% of timeout */
2299  if (delta->tv_sec < 600)
2300  {
2301  return delta->tv_sec << 17;
2302  }
2303  else
2304  {
2305  return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
2306  }
2307  }
2308 }
2309 
2310 static void
2312 {
2313  /* calculate an absolute wakeup time */
2314  ASSERT(!openvpn_gettimeofday(&mi->wakeup, NULL));
2315  tv_add(&mi->wakeup, &mi->context.c2.timeval);
2316 
2317  /* tell scheduler to wake us up at some point in the future */
2319  (struct schedule_entry *) mi,
2320  &mi->wakeup,
2321  compute_wakeup_sigma(&mi->context.c2.timeval));
2322 }
2323 
2324 /*
2325  * Figure instance-specific timers, convert
2326  * earliest to absolute time in mi->wakeup,
2327  * call scheduler with our future wakeup time.
2328  *
2329  * Also close context on signal.
2330  */
2331 bool
2332 multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
2333 {
2334  bool ret = true;
2335 
2336  if (!IS_SIG(&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT(&mi->context))))
2337  {
2338 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2339  bool was_authenticated = false;
2340  struct key_state *ks = NULL;
2341  if (mi->context.c2.tls_multi)
2342  {
2344  was_authenticated = ks->authenticated;
2345  }
2346 #endif
2347 
2348  /* figure timeouts and fetch possible outgoing
2349  * to_link packets (such as ping or TLS control) */
2350  pre_select(&mi->context);
2351 
2352 #if defined(ENABLE_ASYNC_PUSH) && defined(ENABLE_DEF_AUTH)
2353  if (ks && ks->auth_control_file && ks->auth_deferred && !was_authenticated)
2354  {
2355  /* watch acf file */
2356  long watch_descriptor = inotify_add_watch(m->top.c2.inotify_fd, ks->auth_control_file, IN_CLOSE_WRITE | IN_ONESHOT);
2357  if (watch_descriptor >= 0)
2358  {
2359  if (mi->inotify_watch != -1)
2360  {
2361  hash_remove(m->inotify_watchers, (void *) (unsigned long)mi->inotify_watch);
2362  }
2363  hash_add(m->inotify_watchers, (const uintptr_t *)watch_descriptor, mi, true);
2364  mi->inotify_watch = watch_descriptor;
2365  }
2366  else
2367  {
2368  msg(M_NONFATAL | M_ERRNO, "MULTI: inotify_add_watch error");
2369  }
2370  }
2371 #endif
2372 
2373  if (!IS_SIG(&mi->context))
2374  {
2375  /* connection is "established" when SSL/TLS key negotiation succeeds
2376  * and (if specified) auth user/pass succeeds */
2378  {
2380  }
2381 
2382  /* tell scheduler to wake us up at some point in the future */
2384  }
2385  }
2386 
2387  if (IS_SIG(&mi->context))
2388  {
2389  if (flags & MPP_CLOSE_ON_SIGNAL)
2390  {
2392  ret = false;
2393  }
2394  }
2395  else
2396  {
2397  /* continue to pend on output? */
2398  multi_set_pending(m, ANY_OUT(&mi->context) ? mi : NULL);
2399 
2400 #ifdef MULTI_DEBUG_EVENT_LOOP
2401  printf("POST %s[%d] to=%d lo=%d/%d w=%" PRIi64 "/%ld\n",
2402  id(mi),
2403  (int) (mi == m->pending),
2404  mi ? mi->context.c2.to_tun.len : -1,
2405  mi ? mi->context.c2.to_link.len : -1,
2406  (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2407  (int64_t)mi->context.c2.timeval.tv_sec,
2408  (long)mi->context.c2.timeval.tv_usec);
2409 #endif
2410  }
2411 
2412  if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
2413  {
2414  *m->mpp_touched = mi;
2415  }
2416 
2417  return ret;
2418 }
2419 
2420 void
2422 {
2423  struct mroute_addr real;
2424  struct hash *hash = m->hash;
2425  struct gc_arena gc = gc_new();
2426 
2427  if (!mroute_extract_openvpn_sockaddr(&real, &m->top.c2.from.dest, true))
2428  {
2429  goto done;
2430  }
2431 
2432  const uint32_t hv = hash_value(hash, &real);
2433  struct hash_bucket *bucket = hash_bucket(hash, hv);
2434 
2435  /* make sure that we don't float to an address taken by another client */
2436  struct hash_element *he = hash_lookup_fast(hash, bucket, &real, hv);
2437  if (he)
2438  {
2439  struct multi_instance *ex_mi = (struct multi_instance *) he->value;
2440 
2441  struct tls_multi *m1 = mi->context.c2.tls_multi;
2442  struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
2443 
2444  /* do not float if target address is taken by client with another cert */
2445  if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
2446  {
2447  msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
2448  multi_instance_string(ex_mi, false, &gc));
2449 
2450  mi->context.c2.buf.len = 0;
2451 
2452  goto done;
2453  }
2454 
2455  msg(D_MULTI_MEDIUM, "closing instance %s", multi_instance_string(ex_mi, false, &gc));
2456  multi_close_instance(m, ex_mi, false);
2457  }
2458 
2459  msg(D_MULTI_MEDIUM, "peer %" PRIu32 " (%s) floated from %s to %s",
2460  mi->context.c2.tls_multi->peer_id,
2461  tls_common_name(mi->context.c2.tls_multi, false),
2462  mroute_addr_print(&mi->real, &gc),
2463  print_link_socket_actual(&m->top.c2.from, &gc));
2464 
2465  /* remove old address from hash table before changing address */
2466  ASSERT(hash_remove(m->hash, &mi->real));
2467  ASSERT(hash_remove(m->iter, &mi->real));
2468 
2469  /* change external network address of the remote peer */
2470  mi->real = real;
2471  generate_prefix(mi);
2472 
2473  mi->context.c2.from = m->top.c2.from;
2474  mi->context.c2.to_link_addr = &mi->context.c2.from;
2475 
2476  /* inherit parent link_socket and link_socket_info */
2479 
2481 
2482  ASSERT(hash_add(m->hash, &mi->real, mi, false));
2483  ASSERT(hash_add(m->iter, &mi->real, mi, false));
2484 
2485 #ifdef MANAGEMENT_DEF_AUTH
2486  ASSERT(hash_add(m->cid_hash, &mi->context.c2.mda_context.cid, mi, true));
2487 #endif
2488 
2489 done:
2490  gc_free(&gc);
2491 }
2492 
2493 /*
2494  * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
2495  * i.e. client -> server direction.
2496  */
2497 bool
2498 multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
2499 {
2500  struct gc_arena gc = gc_new();
2501 
2502  struct context *c;
2503  struct mroute_addr src, dest;
2504  unsigned int mroute_flags;
2505  struct multi_instance *mi;
2506  bool ret = true;
2507  bool floated = false;
2508 
2509  if (m->pending)
2510  {
2511  return true;
2512  }
2513 
2514  if (!instance)
2515  {
2516 #ifdef MULTI_DEBUG_EVENT_LOOP
2517  printf("TCP/UDP -> TUN [%d]\n", BLEN(&m->top.c2.buf));
2518 #endif
2520  }
2521  else
2522  {
2523  multi_set_pending(m, instance);
2524  }
2525 
2526  if (m->pending)
2527  {
2528  set_prefix(m->pending);
2529 
2530  /* get instance context */
2531  c = &m->pending->context;
2532 
2533  if (!instance)
2534  {
2535  /* transfer packet pointer from top-level context buffer to instance */
2536  c->c2.buf = m->top.c2.buf;
2537 
2538  /* transfer from-addr from top-level context buffer to instance */
2539  if (!floated)
2540  {
2541  c->c2.from = m->top.c2.from;
2542  }
2543  }
2544 
2545  if (BLEN(&c->c2.buf) > 0)
2546  {
2547  struct link_socket_info *lsi;
2548  const uint8_t *orig_buf;
2549 
2550  /* decrypt in instance context */
2551 
2553  lsi = get_link_socket_info(c);
2554  orig_buf = c->c2.buf.data;
2555  if (process_incoming_link_part1(c, lsi, floated))
2556  {
2557  if (floated)
2558  {
2560  }
2561 
2562  process_incoming_link_part2(c, lsi, orig_buf);
2563  }
2564  perf_pop();
2565 
2566  if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TUN)
2567  {
2568  /* extract packet source and dest addresses */
2569  mroute_flags = mroute_extract_addr_from_packet(&src,
2570  &dest,
2571  NULL,
2572  NULL,
2573  0,
2574  &c->c2.to_tun,
2575  DEV_TYPE_TUN);
2576 
2577  /* drop packet if extract failed */
2578  if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
2579  {
2580  c->c2.to_tun.len = 0;
2581  }
2582  /* make sure that source address is associated with this client */
2583  else if (multi_get_instance_by_virtual_addr(m, &src, true) != m->pending)
2584  {
2585  /* IPv6 link-local address (fe80::xxx)? */
2586  if ( (src.type & MR_ADDR_MASK) == MR_ADDR_IPV6
2587  && IN6_IS_ADDR_LINKLOCAL(&src.v6.addr) )
2588  {
2589  /* do nothing, for now. TODO: add address learning */
2590  }
2591  else
2592  {
2593  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2594  mroute_addr_print(&src, &gc));
2595  }
2596  c->c2.to_tun.len = 0;
2597  }
2598  /* client-to-client communication enabled? */
2599  else if (m->enable_c2c)
2600  {
2601  /* multicast? */
2602  if (mroute_flags & MROUTE_EXTRACT_MCAST)
2603  {
2604  /* for now, treat multicast as broadcast */
2605  multi_bcast(m, &c->c2.to_tun, m->pending, NULL, 0);
2606  }
2607  else /* possible client to client routing */
2608  {
2609  ASSERT(!(mroute_flags & MROUTE_EXTRACT_BCAST));
2610  mi = multi_get_instance_by_virtual_addr(m, &dest, true);
2611 
2612  /* if dest addr is a known client, route to it */
2613  if (mi)
2614  {
2615 #ifdef ENABLE_PF
2616  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2617  &mi->context.c2.pf,
2618  mi->context.c2.tls_multi,
2619  "tun_c2c"))
2620  {
2621  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2622  mi_prefix(mi));
2623  }
2624  else
2625 #endif
2626  {
2627  multi_unicast(m, &c->c2.to_tun, mi);
2628  register_activity(c, BLEN(&c->c2.to_tun));
2629  }
2630  c->c2.to_tun.len = 0;
2631  }
2632  }
2633  }
2634 #ifdef ENABLE_PF
2635  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c, &dest,
2636  "tun_dest_addr"))
2637  {
2638  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2639  mroute_addr_print_ex(&dest, MAPF_SHOW_ARP, &gc));
2640  c->c2.to_tun.len = 0;
2641  }
2642 #endif
2643  }
2644  else if (TUNNEL_TYPE(m->top.c1.tuntap) == DEV_TYPE_TAP)
2645  {
2646  uint16_t vid = 0;
2647 #ifdef ENABLE_PF
2648  struct mroute_addr edest;
2649  mroute_addr_reset(&edest);
2650 #endif
2651 
2652  if (m->top.options.vlan_tagging)
2653  {
2654  if (vlan_is_tagged(&c->c2.to_tun))
2655  {
2656  /* Drop VLAN-tagged frame. */
2657  msg(D_VLAN_DEBUG, "dropping incoming VLAN-tagged frame");
2658  c->c2.to_tun.len = 0;
2659  }
2660  else
2661  {
2662  vid = c->options.vlan_pvid;
2663  }
2664  }
2665  /* extract packet source and dest addresses */
2666  mroute_flags = mroute_extract_addr_from_packet(&src,
2667  &dest,
2668  NULL,
2669 #ifdef ENABLE_PF
2670  &edest,
2671 #else
2672  NULL,
2673 #endif
2674  vid,
2675  &c->c2.to_tun,
2676  DEV_TYPE_TAP);
2677 
2678  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2679  {
2680  if (multi_learn_addr(m, m->pending, &src, 0) == m->pending)
2681  {
2682  /* check for broadcast */
2683  if (m->enable_c2c)
2684  {
2685  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2686  {
2687  multi_bcast(m, &c->c2.to_tun, m->pending, NULL,
2688  vid);
2689  }
2690  else /* try client-to-client routing */
2691  {
2692  mi = multi_get_instance_by_virtual_addr(m, &dest, false);
2693 
2694  /* if dest addr is a known client, route to it */
2695  if (mi)
2696  {
2697 #ifdef ENABLE_PF
2698  if (!pf_c2c_test(&c->c2.pf, c->c2.tls_multi,
2699  &mi->context.c2.pf,
2700  mi->context.c2.tls_multi,
2701  "tap_c2c"))
2702  {
2703  msg(D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2704  mi_prefix(mi));
2705  }
2706  else
2707 #endif
2708  {
2709  multi_unicast(m, &c->c2.to_tun, mi);
2710  register_activity(c, BLEN(&c->c2.to_tun));
2711  }
2712  c->c2.to_tun.len = 0;
2713  }
2714  }
2715  }
2716 #ifdef ENABLE_PF
2717  if (c->c2.to_tun.len && !pf_addr_test(&c->c2.pf, c,
2718  &edest,
2719  "tap_dest_addr"))
2720  {
2721  msg(D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2722  mroute_addr_print_ex(&edest, MAPF_SHOW_ARP, &gc));
2723  c->c2.to_tun.len = 0;
2724  }
2725 #endif
2726  }
2727  else
2728  {
2729  msg(D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2730  mroute_addr_print(&src, &gc));
2731  c->c2.to_tun.len = 0;
2732  }
2733  }
2734  else
2735  {
2736  c->c2.to_tun.len = 0;
2737  }
2738  }
2739  }
2740 
2741  /* postprocess and set wakeup */
2742  ret = multi_process_post(m, m->pending, mpp_flags);
2743 
2744  clear_prefix();
2745  }
2746 
2747  gc_free(&gc);
2748  return ret;
2749 }
2750 
2751 /*
2752  * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2753  * i.e. server -> client direction.
2754  */
2755 bool
2756 multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
2757 {
2758  struct gc_arena gc = gc_new();
2759  bool ret = true;
2760 
2761  if (BLEN(&m->top.c2.buf) > 0)
2762  {
2763  unsigned int mroute_flags;
2764  struct mroute_addr src, dest;
2765  const int dev_type = TUNNEL_TYPE(m->top.c1.tuntap);
2766  int16_t vid = 0;
2767 
2768 #ifdef ENABLE_PF
2769  struct mroute_addr esrc, *e1, *e2;
2770  if (dev_type == DEV_TYPE_TUN)
2771  {
2772  e1 = NULL;
2773  e2 = &src;
2774  }
2775  else
2776  {
2777  e1 = e2 = &esrc;
2778  mroute_addr_reset(&esrc);
2779  }
2780 #endif
2781 
2782 #ifdef MULTI_DEBUG_EVENT_LOOP
2783  printf("TUN -> TCP/UDP [%d]\n", BLEN(&m->top.c2.buf));
2784 #endif
2785 
2786  if (m->pending)
2787  {
2788  return true;
2789  }
2790 
2791  if (dev_type == DEV_TYPE_TAP && m->top.options.vlan_tagging)
2792  {
2793  vid = vlan_decapsulate(&m->top, &m->top.c2.buf);
2794  if (vid < 0)
2795  {
2796  return false;
2797  }
2798  }
2799 
2800  /*
2801  * Route an incoming tun/tap packet to
2802  * the appropriate multi_instance object.
2803  */
2804 
2805  mroute_flags = mroute_extract_addr_from_packet(&src,
2806  &dest,
2807 #ifdef ENABLE_PF
2808  e1,
2809 #else
2810  NULL,
2811 #endif
2812  NULL,
2813  vid,
2814  &m->top.c2.buf,
2815  dev_type);
2816 
2817  if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2818  {
2819  struct context *c;
2820 
2821  /* broadcast or multicast dest addr? */
2822  if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2823  {
2824  /* for now, treat multicast as broadcast */
2825 #ifdef ENABLE_PF
2826  multi_bcast(m, &m->top.c2.buf, NULL, e2, vid);
2827 #else
2828  multi_bcast(m, &m->top.c2.buf, NULL, NULL, vid);
2829 #endif
2830  }
2831  else
2832  {
2834 
2835  if (m->pending)
2836  {
2837  /* get instance context */
2838  c = &m->pending->context;
2839 
2840  set_prefix(m->pending);
2841 
2842 #ifdef ENABLE_PF
2843  if (!pf_addr_test(&c->c2.pf, c, e2, "tun_tap_src_addr"))
2844  {
2845  msg(D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2846  mroute_addr_print_ex(&src, MAPF_SHOW_ARP, &gc));
2847  buf_reset_len(&c->c2.buf);
2848  }
2849  else
2850 #endif
2851  {
2852  if (multi_output_queue_ready(m, m->pending))
2853  {
2854  /* transfer packet pointer from top-level context buffer to instance */
2855  c->c2.buf = m->top.c2.buf;
2856  }
2857  else
2858  {
2859  /* drop packet */
2860  msg(D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2861  buf_reset_len(&c->c2.buf);
2862  }
2863  }
2864 
2865  /* encrypt in instance context */
2867 
2868  /* postprocess and set wakeup */
2869  ret = multi_process_post(m, m->pending, mpp_flags);
2870 
2871  clear_prefix();
2872  }
2873  }
2874  }
2875  }
2876  gc_free(&gc);
2877  return ret;
2878 }
2879 
2880 /*
2881  * Process a possible client-to-client/bcast/mcast message in the
2882  * queue.
2883  */
2884 struct multi_instance *
2886 {
2887  struct mbuf_item item;
2888 
2889  if (mbuf_extract_item(ms, &item)) /* cleartext IP packet */
2890  {
2891  unsigned int pip_flags = PIPV4_PASSTOS | PIPV6_IMCP_NOHOST_SERVER;
2892 
2893  set_prefix(item.instance);
2894  item.instance->context.c2.buf = item.buffer->buf;
2895  if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2896  {
2897  pip_flags |= PIP_MSSFIX;
2898  }
2899  process_ip_header(&item.instance->context, pip_flags, &item.instance->context.c2.buf);
2900  encrypt_sign(&item.instance->context, true);
2901  mbuf_free_buf(item.buffer);
2902 
2903  dmsg(D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2904 
2905  clear_prefix();
2906  return item.instance;
2907  }
2908  else
2909  {
2910  return NULL;
2911  }
2912 }
2913 
2914 /*
2915  * Called when an I/O wait times out. Usually means that a particular
2916  * client instance object needs timer-based service.
2917  */
2918 bool
2919 multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
2920 {
2921  bool ret = true;
2922 
2923 #ifdef MULTI_DEBUG_EVENT_LOOP
2924  printf("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2925 #endif
2926 
2927  /* instance marked for wakeup? */
2928  if (m->earliest_wakeup)
2929  {
2931  {
2934  }
2935  else
2936  {
2938  ret = multi_process_post(m, m->earliest_wakeup, mpp_flags);
2939  clear_prefix();
2940  }
2941  m->earliest_wakeup = NULL;
2942  }
2943  return ret;
2944 }
2945 
2946 /*
2947  * Drop a TUN/TAP outgoing packet..
2948  */
2949 void
2950 multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
2951 {
2952  struct multi_instance *mi = m->pending;
2953 
2954  ASSERT(mi);
2955 
2956  set_prefix(mi);
2957 
2958  msg(D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2959  mi->context.c2.to_tun.len);
2960 
2961  buf_reset(&mi->context.c2.to_tun);
2962 
2963  multi_process_post(m, mi, mpp_flags);
2964  clear_prefix();
2965 }
2966 
2967 /*
2968  * Per-client route quota management
2969  */
2970 
2971 void
2973 {
2974  struct gc_arena gc = gc_new();
2975  msg(D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2977  multi_instance_string(mi, false, &gc));
2978  gc_free(&gc);
2979 }
2980 
2981 #ifdef ENABLE_DEBUG
2982 /*
2983  * Flood clients with random packets
2984  */
2985 static void
2986 gremlin_flood_clients(struct multi_context *m)
2987 {
2988  const int level = GREMLIN_PACKET_FLOOD_LEVEL(m->top.options.gremlin);
2989  if (level)
2990  {
2991  struct gc_arena gc = gc_new();
2992  struct buffer buf = alloc_buf_gc(BUF_SIZE(&m->top.c2.frame), &gc);
2993  struct packet_flood_parms parm = get_packet_flood_parms(level);
2994  int i;
2995 
2996  ASSERT(buf_init(&buf, FRAME_HEADROOM(&m->top.c2.frame)));
2997  parm.packet_size = min_int(parm.packet_size, MAX_RW_SIZE_TUN(&m->top.c2.frame));
2998 
2999  msg(D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
3000  parm.n_packets,
3001  parm.packet_size);
3002 
3003  for (i = 0; i < parm.packet_size; ++i)
3004  {
3005  ASSERT(buf_write_u8(&buf, get_random() & 0xFF));
3006  }
3007 
3008  for (i = 0; i < parm.n_packets; ++i)
3009  {
3010  multi_bcast(m, &buf, NULL, NULL, 0);
3011  }
3012 
3013  gc_free(&gc);
3014  }
3015 }
3016 #endif /* ifdef ENABLE_DEBUG */
3017 
3018 static bool
3020 {
3021  struct timeval null;
3022  CLEAR(null);
3024 }
3025 
3026 /*
3027  * Process timers in the top-level context
3028  */
3029 void
3031 {
3032  /* possibly reap instances/routes in vhash */
3033  multi_reap_process(m);
3034 
3035  /* possibly print to status log */
3036  if (m->top.c1.status_output)
3037  {
3039  {
3041  }
3042  }
3043 
3044  /* possibly flush ifconfig-pool file */
3045  multi_ifconfig_pool_persist(m, false);
3046 
3047 #ifdef ENABLE_DEBUG
3048  gremlin_flood_clients(m);
3049 #endif
3050 
3051  /* Should we check for stale routes? */
3053  {
3054  check_stale_routes(m);
3055  }
3056 }
3057 
3058 void
3059 multi_top_init(struct multi_context *m, const struct context *top)
3060 {
3061  inherit_context_top(&m->top, top);
3062  m->top.c2.buffers = init_context_buffers(&top->c2.frame);
3063 }
3064 
3065 void
3067 {
3068  close_context(&m->top, -1, CC_GC_FREE);
3070 }
3071 
3072 static bool
3074 {
3075  return (sig == SIGUSR1 || sig == SIGTERM || sig == SIGHUP || sig == SIGINT);
3076 }
3077 
3078 static void
3080 {
3081  struct hash_iterator hi;
3082  struct hash_element *he;
3083  struct timeval tv;
3084 
3085  /* tell all clients to restart */
3086  hash_iterator_init(m->iter, &hi);
3087  while ((he = hash_iterator_next(&hi)))
3088  {
3089  struct multi_instance *mi = (struct multi_instance *) he->value;
3090  if (!mi->halt)
3091  {
3092  send_control_channel_string(&mi->context, next_server ? "RESTART,[N]" : "RESTART", D_PUSH);
3094  }
3095  }
3096  hash_iterator_free(&hi);
3097 
3098  /* reschedule signal */
3100  tv.tv_sec = 2;
3101  tv.tv_usec = 0;
3103 
3105 
3110 
3111  m->top.sig->signal_received = 0;
3112 }
3113 
3114 /*
3115  * Return true if event loop should break,
3116  * false if it should continue.
3117  */
3118 bool
3120 {
3121  if (m->top.sig->signal_received == SIGUSR2)
3122  {
3123  struct status_output *so = status_open(NULL, 0, M_INFO, NULL, 0);
3125  status_close(so);
3126  m->top.sig->signal_received = 0;
3127  return false;
3128  }
3129  else if (proto_is_dgram(m->top.options.ce.proto)
3133  {
3135  return false;
3136  }
3137  return true;
3138 }
3139 
3140 /*
3141  * Called when an instance should be closed due to the
3142  * reception of a soft signal.
3143  */
3144 void
3146 {
3147  remap_signal(&mi->context);
3148  set_prefix(mi);
3149  print_signal(mi->context.sig, "client-instance", D_MULTI_LOW);
3150  clear_prefix();
3151  multi_close_instance(m, mi, false);
3152 }
3153 
3154 static void
3155 multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
3156 {
3157  mi->context.sig->signal_received = sig;
3159 }
3160 
3161 /*
3162  * Management subsystem callbacks
3163  */
3164 
3165 #ifdef ENABLE_MANAGEMENT
3166 
3167 static void
3168 management_callback_status(void *arg, const int version, struct status_output *so)
3169 {
3170  struct multi_context *m = (struct multi_context *) arg;
3171 
3172  if (!version)
3173  {
3175  }
3176  else
3177  {
3178  multi_print_status(m, so, version);
3179  }
3180 }
3181 
3182 static int
3184 {
3185  struct multi_context *m = (struct multi_context *) arg;
3186  return m->n_clients;
3187 }
3188 
3189 static int
3190 management_callback_kill_by_cn(void *arg, const char *del_cn)
3191 {
3192  struct multi_context *m = (struct multi_context *) arg;
3193  struct hash_iterator hi;
3194  struct hash_element *he;
3195  int count = 0;
3196 
3197  hash_iterator_init(m->iter, &hi);
3198  while ((he = hash_iterator_next(&hi)))
3199  {
3200  struct multi_instance *mi = (struct multi_instance *) he->value;
3201  if (!mi->halt)
3202  {
3203  const char *cn = tls_common_name(mi->context.c2.tls_multi, false);
3204  if (cn && !strcmp(cn, del_cn))
3205  {
3207  ++count;
3208  }
3209  }
3210  }
3211  hash_iterator_free(&hi);
3212  return count;
3213 }
3214 
3215 static int
3216 management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
3217 {
3218  struct multi_context *m = (struct multi_context *) arg;
3219  struct hash_iterator hi;
3220  struct hash_element *he;
3221  struct openvpn_sockaddr saddr;
3222  struct mroute_addr maddr;
3223  int count = 0;
3224 
3225  CLEAR(saddr);
3226  saddr.addr.in4.sin_family = AF_INET;
3227  saddr.addr.in4.sin_addr.s_addr = htonl(addr);
3228  saddr.addr.in4.sin_port = htons(port);
3229  if (mroute_extract_openvpn_sockaddr(&maddr, &saddr, true))
3230  {
3231  hash_iterator_init(m->iter, &hi);
3232  while ((he = hash_iterator_next(&hi)))
3233  {
3234  struct multi_instance *mi = (struct multi_instance *) he->value;
3235  if (!mi->halt && mroute_addr_equal(&maddr, &mi->real))
3236  {
3238  ++count;
3239  }
3240  }
3241  hash_iterator_free(&hi);
3242  }
3243  return count;
3244 }
3245 
3246 static void
3248 {
3249  struct multi_context *m = (struct multi_context *) arg;
3250  if (m->mtcp)
3251  {
3252  multi_tcp_delete_event(m->mtcp, event);
3253  }
3254 }
3255 
3256 #endif /* ifdef ENABLE_MANAGEMENT */
3257 
3258 #ifdef MANAGEMENT_DEF_AUTH
3259 
3260 static struct multi_instance *
3261 lookup_by_cid(struct multi_context *m, const unsigned long cid)
3262 {
3263  if (m)
3264  {
3265  struct multi_instance *mi = (struct multi_instance *) hash_lookup(m->cid_hash, &cid);
3266  if (mi && !mi->halt)
3267  {
3268  return mi;
3269  }
3270  }
3271  return NULL;
3272 }
3273 
3274 static bool
3275 management_kill_by_cid(void *arg, const unsigned long cid, const char *kill_msg)
3276 {
3277  struct multi_context *m = (struct multi_context *) arg;
3278  struct multi_instance *mi = lookup_by_cid(m, cid);
3279  if (mi)
3280  {
3281  send_restart(&mi->context, kill_msg); /* was: multi_signal_instance (m, mi, SIGTERM); */
3283  return true;
3284  }
3285  else
3286  {
3287  return false;
3288  }
3289 }
3290 
3291 static bool
3292 management_client_auth(void *arg,
3293  const unsigned long cid,
3294  const unsigned int mda_key_id,
3295  const bool auth,
3296  const char *reason,
3297  const char *client_reason,
3298  struct buffer_list *cc_config) /* ownership transferred */
3299 {
3300  struct multi_context *m = (struct multi_context *) arg;
3301  struct multi_instance *mi = lookup_by_cid(m, cid);
3302  bool cc_config_owned = true;
3303  bool ret = false;
3304 
3305  if (mi)
3306  {
3307  ret = tls_authenticate_key(mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
3308  if (ret)
3309  {
3310  if (auth)
3311  {
3312  if (!mi->connection_established_flag)
3313  {
3314  set_cc_config(mi, cc_config);
3315  cc_config_owned = false;
3316  }
3317  }
3318  else
3319  {
3320  if (reason)
3321  {
3322  msg(D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
3323  }
3325  {
3326  send_auth_failed(&mi->context, client_reason); /* mid-session reauth failed */
3328  }
3329  }
3330  }
3331  }
3332  if (cc_config_owned && cc_config)
3333  {
3334  buffer_list_free(cc_config);
3335  }
3336  return ret;
3337 }
3338 
3339 static char *
3340 management_get_peer_info(void *arg, const unsigned long cid)
3341 {
3342  struct multi_context *m = (struct multi_context *) arg;
3343  struct multi_instance *mi = lookup_by_cid(m, cid);
3344  char *ret = NULL;
3345 
3346  if (mi)
3347  {
3348  ret = tls_get_peer_info(mi->context.c2.tls_multi);
3349  }
3350 
3351  return ret;
3352 }
3353 
3354 #endif /* ifdef MANAGEMENT_DEF_AUTH */
3355 
3356 #ifdef MANAGEMENT_PF
3357 static bool
3358 management_client_pf(void *arg,
3359  const unsigned long cid,
3360  struct buffer_list *pf_config) /* ownership transferred */
3361 {
3362  struct multi_context *m = (struct multi_context *) arg;
3363  struct multi_instance *mi = lookup_by_cid(m, cid);
3364  bool ret = false;
3365 
3366  if (mi && pf_config)
3367  {
3368  ret = pf_load_from_buffer_list(&mi->context, pf_config);
3369  }
3370 
3371  if (pf_config)
3372  {
3373  buffer_list_free(pf_config);
3374  }
3375  return ret;
3376 }
3377 #endif /* ifdef MANAGEMENT_PF */
3378 
3379 void
3381 {
3382 #ifdef ENABLE_MANAGEMENT
3383  if (management)
3384  {
3385  struct management_callback cb;
3386  CLEAR(cb);
3387  cb.arg = m;
3388  cb.flags = MCF_SERVER;
3395 #ifdef MANAGEMENT_DEF_AUTH
3396  cb.kill_by_cid = management_kill_by_cid;
3397  cb.client_auth = management_client_auth;
3398  cb.get_peer_info = management_get_peer_info;
3399 #endif
3400 #ifdef MANAGEMENT_PF
3401  cb.client_pf = management_client_pf;
3402 #endif
3404  }
3405 #endif /* ifdef ENABLE_MANAGEMENT */
3406 }
3407 
3408 /*
3409  * Top level event loop.
3410  */
3411 void
3413 {
3414  ASSERT(top->options.mode == MODE_SERVER);
3415 
3416  if (proto_is_dgram(top->options.ce.proto))
3417  {
3418  tunnel_server_udp(top);
3419  }
3420  else
3421  {
3422  tunnel_server_tcp(top);
3423  }
3424 }
3425 
3426 #else /* if P2MP_SERVER */
3427 static void
3428 dummy(void)
3429 {
3430 }
3431 #endif /* P2MP_SERVER */
#define M_NONFATAL
Definition: error.h:95
struct env_set * es
Definition: openvpn.h:429
uint8_t type
Definition: mroute.h:80
static void multi_push_restart_schedule_exit(struct multi_context *m, bool next_server)
Definition: multi.c:3079
void print_signal(const struct signal_info *si, const char *title, int msglevel)
Definition: sig.c:130
struct multi_instance ** mpp_touched
Definition: multi.h:175
static void multi_bcast(struct multi_context *m, const struct buffer *buf, const struct multi_instance *sender_instance, const struct mroute_addr *sender_addr, uint16_t vid)
Definition: multi.c:2209
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
static void multi_instance_inc_refcount(struct multi_instance *mi)
Definition: multi.h:438
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
#define MR_WITH_NETBITS
Definition: mroute.h:72
static bool is_exit_restart(int sig)
Definition: multi.c:3073
static void register_activity(struct context *c, const int size)
Definition: forward.h:349
void ifconfig_pool_free(struct ifconfig_pool *pool)
Definition: pool.c:211
struct buffer to_link
Definition: openvpn.h:386
static void multi_client_connect_setenv(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1751
static void multi_signal_instance(struct multi_context *m, struct multi_instance *mi, const int sig)
Definition: multi.c:3155
void multi_process_drop_outgoing_tun(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2950
#define ETT_DEFAULT
Definition: interval.h:213
bool ifconfig_pool_release(struct ifconfig_pool *pool, ifconfig_pool_handle hand, const bool hard)
Definition: pool.c:274
void(* delete_event)(void *arg, event_t event)
Definition: manage.h:165
static void buf_reset_len(struct buffer *buf)
Definition: buffer.h:299
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
struct mroute_helper * route_helper
Definition: multi.h:159
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
static void schedule_add_entry(struct schedule *s, struct schedule_entry *e, const struct timeval *tv, unsigned int sigma)
Definition: schedule.h:100
static struct multi_instance * multi_get_instance_by_virtual_addr(struct multi_context *m, const struct mroute_addr *addr, bool cidr_routing)
Definition: multi.c:1162
void send_restart(struct context *c, const char *kill_msg)
Definition: push.c:242
int dev_type_enum(const char *dev, const char *dev_type)
Definition: tun.c:252
#define REAP_DIVISOR
Definition: multi.h:527
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
struct iroute * next
Definition: route.h:238
struct multi_instance ** instances
Array of multi_instances.
Definition: multi.h:141
struct in6_addr reporting_addr_ipv6
Definition: multi.h:100
struct options options
Options loaded from command line or configuration file.
Definition: openvpn.h:504
#define ALLOC_OBJ(dptr, type)
Definition: buffer.h:1045
void plugin_return_get_column(const struct plugin_return *src, struct plugin_return *dest, const char *colname)
Definition: plugin.c:962
#define CAS_PENDING
Definition: openvpn.h:456
counter_type link_write_bytes
Definition: openvpn.h:287
static void route_quota_inc(struct multi_instance *mi)
Definition: multi.h:407
void setenv_trusted(struct env_set *es, const struct link_socket_info *info)
Definition: socket.c:2417
#define MULTI_ROUTE_CACHE
Definition: multi.h:203
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
#define M_OPTERR
Definition: error.h:105
void mroute_addr_mask_host_bits(struct mroute_addr *ma)
Definition: mroute.c:394
int signal_received
Definition: multi.h:63
bool connection_established_flag
Definition: multi.h:109
static void plugin_return_init(struct plugin_return *pr)
Definition: plugin.h:170
#define D_MULTI_ERRORS
Definition: errlevel.h:65
const char * dev
Definition: options.h:247
void hash_free(struct hash *hash)
Definition: list.c:66
static void hash_add_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv, void *value)
Definition: list.h:167
#define D_IMPORT_ERRORS
Definition: errlevel.h:64
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2992
#define M_INFO
Definition: errlevel.h:55
#define PERF_MULTI_CREATE_INSTANCE
Definition: perf.h:45
Contains all state information for one tunnel.
Definition: openvpn.h:502
void multi_init(struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
Definition: multi.c:296
static void generate_prefix(struct multi_instance *mi)
Definition: multi.c:492
pool_type
Definition: pool.h:37
#define D_PUSH
Definition: errlevel.h:83
struct buffer_entry * head
Definition: buffer.h:1112
bool push_ifconfig_defined
Definition: openvpn.h:443
struct openvpn_plugin_string_list * list[MAX_PLUGINS]
Definition: plugin.h:104
void remap_signal(struct context *c)
Definition: sig.c:377
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
struct mroute_addr::@0::@3 v6
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
const char * learn_address_script
Definition: options.h:446
void ifconfig_pool_read(struct ifconfig_pool_persist *persist, struct ifconfig_pool *pool)
Definition: pool.c:473
#define MROUTE_EXTRACT_MCAST
Definition: mroute.h:42
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
void ungenerate_prefix(struct multi_instance *mi)
Definition: multi.c:509
#define dmsg
Definition: error.h:174
void send_auth_failed(struct context *c, const char *client_reason)
Definition: push.c:211
void close_context(struct context *c, int sig, unsigned int flags)
Definition: init.c:4629
bool mroute_addr_compare_function(const void *key1, const void *key2)
Definition: mroute.c:442
bool send_control_channel_string(struct context *c, const char *str, int msglevel)
Definition: forward.c:487
in_addr_t push_ifconfig_local
Definition: openvpn.h:445
bool enable_c2c
Definition: options.h:467
struct ifconfig_pool * ifconfig_pool_init(enum pool_type type, in_addr_t start, in_addr_t end, const bool duplicate_cn, const bool ipv6_pool, const struct in6_addr ipv6_base, const int ipv6_netbits)
Definition: pool.c:150
int push_ifconfig_ipv6_netbits
Definition: options.h:464
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
struct in6_addr network
Definition: route.h:242
struct buffer buf
Definition: openvpn.h:384
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf)
Definition: forward.c:1600
unsigned int flags
Definition: mbuf.h:49
time_t created
Time at which a VPN tunnel instance was created.
Definition: multi.h:84
void options_server_import(struct options *o, const char *filename, int msglevel, unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4898
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:907
static void management_callback_status(void *arg, const int version, struct status_output *so)
Definition: multi.c:3168
#define SIGUSR1
Definition: config-msvc.h:153
const void * key
Definition: list.h:50
void mroute_helper_del_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:597
#define MR_ADDR_MASK
Definition: mroute.h:66
struct multi_reap * reaper
Definition: multi.h:160
struct context_buffers * buffers
Definition: openvpn.h:376
struct multi_instance * instance
Definition: multi.h:201
in_addr_t push_ifconfig_remote_netmask
Definition: options.h:456
struct in6_addr push_ifconfig_ipv6_local
Definition: openvpn.h:450
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
bool ifconfig_pool_defined
Definition: options.h:431
void multi_top_free(struct multi_context *m)
Definition: multi.c:3066
void mbuf_dereference_instance(struct mbuf_set *ms, struct multi_instance *mi)
Definition: mbuf.c:156
static void multi_client_disconnect_setenv(struct multi_instance *mi)
Definition: multi.c:561
void multi_tcp_instance_specific_free(struct multi_instance *mi)
Definition: mtcp.c:195
#define D_PF_DROPPED
Definition: errlevel.h:101
static bool learn_address_script(const struct multi_context *m, const struct multi_instance *mi, const char *op, const struct mroute_addr *addr)
Definition: multi.c:97
struct link_socket_info * link_socket_info
Definition: openvpn.h:255
void mbuf_free(struct mbuf_set *ms)
Definition: mbuf.c:53
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4229
static void management_delete_event(void *arg, event_t event)
Definition: multi.c:3247
#define MULTI_ROUTE_AGEABLE
Definition: multi.h:204
in_addr_t remote_netmask
Definition: tun.h:167
uint32_t mroute_addr_hash_function(const void *key, uint32_t iv)
Definition: mroute.c:434
static void perf_pop(void)
Definition: perf.h:82
struct in6_addr push_ifconfig_ipv6_remote
Definition: openvpn.h:452
static int management_callback_n_clients(void *arg)
Definition: multi.c:3183
struct in6_addr push_ifconfig_ipv6_remote
Definition: options.h:465
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static void perf_push(int type)
Definition: perf.h:78
static void multi_set_virtual_addr_env(struct multi_instance *mi)
Definition: multi.c:1581
int status_file_version
Definition: multi.h:165
#define MULTI_CACHE_ROUTE_TTL
Definition: multi.h:535
const char * mroute_addr_print_ex(const struct mroute_addr *ma, const unsigned int flags, struct gc_arena *gc)
Definition: mroute.c:456
static void multi_delete_dup(struct multi_context *m, struct multi_instance *new_mi)
Definition: multi.c:1360
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:141
ifconfig_pool_handle vaddr_handle
Definition: multi.h:91
bool did_iter
Definition: multi.h:104
char msg_prefix[MULTI_PREFIX_MAX_LENGTH]
Definition: multi.h:92
bool multi_process_signal(struct multi_context *m)
Definition: multi.c:3119
static void multi_select_virtual_addr(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1447
struct event_timeout stale_routes_check_et
Definition: multi.h:185
struct signal_info * sig
Internal error signaling object.
Definition: openvpn.h:529
#define MAX_PEER_ID
Definition: openvpn.h:576
int cf_max
Definition: options.h:469
static bool multi_route_defined(const struct multi_context *m, const struct multi_route *r)
Definition: multi.h:463
void pre_select(struct context *c)
Definition: forward.c:1943
static void dummy(void)
Definition: comp-lz4.c:319
unsigned int cache_generation
Definition: mroute.h:134
#define SIGTERM
Definition: config-msvc.h:155
#define SIGHUP
Definition: config-msvc.h:151
struct tuntap * tuntap
Tun/tap virtual network interface.
Definition: openvpn.h:168
#define MCF_SERVER
Definition: manage.h:158
#define ASSERT(x)
Definition: error.h:221
void multi_add_mbuf(struct multi_context *m, struct multi_instance *mi, struct mbuf_buffer *mb)
Definition: multi.c:2169
in_addr_t ifconfig_pool_end
Definition: options.h:433
static bool check_debug_level(unsigned int level)
Definition: error.h:245
bool did_open_context
Definition: multi.h:102
#define OPENVPN_PLUGIN_FUNC_SUCCESS
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
const char * client_disconnect_script
Definition: options.h:445
int explicit_exit_notification
Definition: options.h:121
static struct multi_instance * multi_learn_in6_addr(struct multi_context *m, struct multi_instance *mi, struct in6_addr a6, int netbits, bool primary)
Definition: multi.c:1274
bool multi_process_incoming_tun(struct multi_context *m, const unsigned int mpp_flags)
Determine the destination VPN tunnel of a packet received over the virtual tun/tap network interface ...
Definition: multi.c:2756
bool platform_unlink(const char *filename)
Definition: platform.c:287
unsigned int flags
Definition: multi.h:205
void(* status)(void *arg, const int version, struct status_output *so)
Definition: manage.h:161
int context_auth
Definition: openvpn.h:460
int n_clients
Definition: multi.h:166
#define MF_UNICAST
Definition: mbuf.h:48
void status_printf(struct status_output *so, const char *format,...)
Definition: status.c:239
void encrypt_sign(struct context *c, bool comp_frag)
Process a data channel packet that will be sent through a VPN tunnel.
Definition: forward.c:679
struct hash * hash_init(const int n_buckets, const uint32_t iv, uint32_t(*hash_function)(const void *key, uint32_t iv), bool(*compare_function)(const void *key1, const void *key2))
Definition: list.c:41
static void clear_prefix(void)
Definition: multi.h:509
void mroute_addr_init(struct mroute_addr *addr)
Definition: mroute.c:42
static void setenv_stats(struct context *c)
Definition: multi.c:554
static int management_callback_kill_by_addr(void *arg, const in_addr_t addr, const int port)
Definition: multi.c:3216
bool did_real_hash
Definition: multi.h:103
#define MODE_SERVER
Definition: options.h:205
#define MPP_CLOSE_ON_SIGNAL
Definition: multi.h:259
#define PIP_MSSFIX
Definition: forward.h:321
void multi_tcp_delete_event(struct multi_tcp *mtcp, event_t event)
Definition: mtcp.c:220
int netbits
Definition: route.h:237
void multi_close_instance(struct multi_context *m, struct multi_instance *mi, bool shutdown)
Definition: multi.c:608
void status_flush(struct status_output *so)
Definition: status.c:172
int n_clients_delta
Definition: multi.h:111
#define D_MULTI_MEDIUM
Definition: errlevel.h:103
static bool route_quota_test(const struct multi_instance *mi)
Definition: multi.h:420
list flags
#define TOP_P2P
Definition: proto.h:44
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
#define OPENVPN_PLUGIN_LEARN_ADDRESS
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
bool hash_add(struct hash *hash, const void *key, void *value, bool replace)
Definition: list.c:150
struct status_output * status_open(const char *filename, const int refresh_freq, const int msglevel, const struct virtual_output *vout, const unsigned int flags)
Definition: status.c:63
#define MULTI_PREFIX_MAX_LENGTH
Definition: multi.h:45
bool vlan_is_tagged(const struct buffer *buf)
Definition: vlan.c:270
int cf_per
Definition: options.h:470
void multi_uninit(struct multi_context *m)
Definition: multi.c:711
bool status_close(struct status_output *so)
Definition: status.c:203
void mbuf_free_buf(struct mbuf_buffer *mb)
Definition: mbuf.c:80
struct context_1 c1
Level 1 context.
Definition: openvpn.h:542
Definition: mbuf.h:58
#define PIPV4_PASSTOS
Definition: forward.h:320
static void multi_route_del(struct multi_route *route)
Definition: multi.h:454
uint8_t addr[OPENVPN_ETH_ALEN]
Definition: mroute.h:86
#define ANY_OUT(c)
Definition: forward.h:40
bool push_ifconfig_constraint_defined
Definition: options.h:458
#define CLEAR(x)
Definition: basic.h:33
struct schedule * schedule_init(void)
Definition: schedule.c:416
#define BUF_SIZE(f)
Definition: mtu.h:194
static void update_mstat_n_clients(const int n_clients)
Definition: multi.c:86
in_addr_t push_ifconfig_local
Definition: options.h:455
void multi_top_init(struct multi_context *m, const struct context *top)
Definition: multi.c:3059
void inherit_context_child(struct context *dest, const struct context *src)
Definition: init.c:4501
static int management_callback_kill_by_cn(void *arg, const char *del_cn)
Definition: multi.c:3190
time_t last_reference
Definition: multi.h:208
static struct link_socket_info * get_link_socket_info(struct context *c)
Definition: forward.h:336
static int mbuf_maximum_queued(const struct mbuf_set *ms)
Definition: mbuf.h:94
#define D_GREMLIN
Definition: errlevel.h:78
#define PERF_MULTI_BCAST
Definition: perf.h:48
#define CAS_PARTIAL
Definition: openvpn.h:458
void free_context_buffers(struct context_buffers *b)
Definition: init.c:3315
in_addr_t local
Definition: tun.h:166
void init_management_callback_multi(struct multi_context *m)
Definition: multi.c:3380
#define IA_EMPTY_IF_UNDEF
Definition: socket.h:393
void ifconfig_pool_write(struct ifconfig_pool_persist *persist, const struct ifconfig_pool *pool)
Definition: pool.c:528
void multi_process_float(struct multi_context *m, struct multi_instance *mi)
Handles peer floating.
Definition: multi.c:2421
bool event_timeout_trigger(struct event_timeout *et, struct timeval *tv, const int et_const_retry)
Definition: interval.c:45
int proto
Definition: options.h:88
#define MAPF_SHOW_ARP
Definition: mroute.h:161
int stale_routes_check_interval
Definition: options.h:473
void multi_ifconfig_pool_persist(struct multi_context *m, bool force)
Definition: multi.c:167
const char * mroute_addr_print(const struct mroute_addr *ma, struct gc_arena *gc)
Definition: mroute.c:449
#define OPT_P_INSTANCE
Definition: options.h:682
uint16_t vlan_pvid
Definition: options.h:651
counter_type link_read_bytes
Definition: openvpn.h:285
static const char * np(const char *str)
Definition: simple.c:108
#define counter_format
Definition: common.h:39
int mode
Definition: options.h:206
bool ifconfig_ipv6_pool_defined
Definition: options.h:438
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:384
in_addr_t push_ifconfig_constraint_netmask
Definition: options.h:460
void options_string_import(struct options *options, const char *config, const int msglevel, const unsigned int permission_mask, unsigned int *option_types_found, struct env_set *es)
Definition: options.c:4918
time_t now
Definition: otime.c:36
struct link_socket_actual * to_link_addr
Definition: openvpn.h:258
int ifconfig_ipv6_netbits
Definition: options.h:255
static void set_prefix(struct multi_instance *mi)
Definition: multi.h:497
in_addr_t push_ifconfig_local_alias
Definition: openvpn.h:447
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
Definition: mbuf.h:52
bool did_iroutes
Definition: multi.h:110
#define MPP_PRE_SELECT
Definition: multi.h:257
struct multi_instance * multi_create_instance(struct multi_context *m, const struct mroute_addr *real)
Definition: multi.c:767
struct hash * iter
VPN tunnel instances indexed by real address of the remote peer, optimized for iteration.
Definition: multi.h:148
static bool multi_output_queue_ready(const struct multi_context *m, const struct multi_instance *mi)
Definition: multi.h:366
static unsigned int mroute_extract_addr_from_packet(struct mroute_addr *src, struct mroute_addr *dest, struct mroute_addr *esrc, struct mroute_addr *edest, uint16_t vid, const struct buffer *buf, int tunnel_type)
Definition: mroute.h:192
int topology
Definition: options.h:251
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2972
void multi_tcp_dereference_instance(struct multi_tcp *mtcp, struct multi_instance *mi)
Definition: mtcp.c:243
bool platform_test_file(const char *filename)
Return true if filename can be opened for read.
Definition: platform.c:461
static struct multi_instance * multi_learn_in_addr_t(struct multi_context *m, struct multi_instance *mi, in_addr_t a, int netbits, bool primary)
Definition: multi.c:1241
struct iroute * iroutes
Definition: options.h:452
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define OPT_P_COMP
Definition: options.h:675
unsigned int cache_generation
Definition: multi.h:207
struct frame frame
Definition: openvpn.h:262
#define DEV_TYPE_TUN
Definition: proto.h:37
static void multi_schedule_context_wakeup(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:2311
bool mroute_extract_openvpn_sockaddr(struct mroute_addr *addr, const struct openvpn_sockaddr *osaddr, bool use_port)
Definition: mroute.c:337
struct timeval timeval
Definition: openvpn.h:403
void hash_iterator_init(struct hash *hash, struct hash_iterator *hi)
Definition: list.c:249
int virtual_hash_size
Definition: options.h:443
Definition: schedule.h:46
struct sockaddr_in in4
Definition: socket.h:69
void multi_close_instance_on_signal(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:3145
struct multi_tcp * multi_tcp_init(int maxevents, int *maxclients)
Definition: mtcp.c:201
int push_ifconfig_ipv6_netbits
Definition: openvpn.h:451
#define D_MULTI_DEBUG
Definition: errlevel.h:124
struct context_buffers * init_context_buffers(const struct frame *frame)
Definition: init.c:3292
void remove_iroutes_from_push_route_list(struct options *o)
Definition: push.c:866
unsigned __int32 uint32_t
Definition: config-msvc.h:158
int tcp_queue_limit
Definition: options.h:451
struct context context
The context structure storing state for this VPN tunnel.
Definition: multi.h:113
const char * client_config_dir
Definition: options.h:447
const char * ciphername
Definition: options.h:510
const char * time_string(time_t t, int usec, bool show_usec, struct gc_arena *gc)
Definition: otime.c:114
#define OPT_P_ECHO
Definition: options.h:685
uint8_t len
Definition: mroute.h:78
#define REAP_MAX
Definition: multi.h:529
struct multi_instance * pending
Definition: multi.h:173
int(* kill_by_cn)(void *arg, const char *common_name)
Definition: manage.h:163
static void * hash_lookup(struct hash *hash, const void *key)
Definition: list.h:149
int buckets_per_pass
Definition: multi.h:55
struct gc_arena gc
Definition: multi.h:79
bool vlan_tagging
Definition: options.h:649
static void multi_reap_process(const struct multi_context *m)
Definition: multi.h:542
struct frequency_limit * frequency_limit_init(int max, int per)
Definition: otime.c:149
static void tv_add(struct timeval *dest, const struct timeval *src)
Definition: otime.h:165
in_addr_t network
Definition: route.h:236
const char * multi_instance_string(const struct multi_instance *mi, bool null, struct gc_arena *gc)
Definition: multi.c:467
int bucket_base
Definition: multi.h:54
in_addr_t reporting_addr
Definition: multi.h:99
int max_routes_per_client
Definition: options.h:472
struct buffer buf
Definition: buffer.h:1106
struct buffer outgoing
Buffer containing the remaining parts of the fragmented packet being sent.
Definition: fragment.h:172
struct schedule * schedule
Definition: multi.h:151
void mroute_helper_free(struct mroute_helper *mh)
Definition: mroute.c:613
void multi_reap_process_dowork(const struct multi_context *m)
Definition: multi.c:229
int n_bcast_buf
Definition: options.h:450
struct multi_instance * instance
Definition: mbuf.h:55
bool cert_hash_compare(const struct cert_hash_set *chs1, const struct cert_hash_set *chs2)
Compares certificates hashes, returns true if hashes are equal.
Definition: ssl_verify.c:248
int max_clients
Definition: multi.h:163
#define TOP_SUBNET
Definition: proto.h:45
struct in6_addr ifconfig_ipv6_pool_base
Definition: options.h:439
void hash_iterator_init_range(struct hash *hash, struct hash_iterator *hi, int start_bucket, int end_bucket)
Definition: list.c:226
const char * platform_gen_path(const char *directory, const char *filename, struct gc_arena *gc)
Put a directory and filename together.
Definition: platform.c:395
union openvpn_sockaddr::@10 addr
in_addr_t ifconfig_pool_start
Definition: options.h:432
struct hash * vhash
VPN tunnel instances indexed by virtual address of remote hosts.
Definition: multi.h:146
struct link_socket * link_socket
Definition: openvpn.h:253
#define MROUTE_EXTRACT_BCAST
Definition: mroute.h:41
void multi_process_per_second_timers_dowork(struct multi_context *m)
Definition: multi.c:3030
void management_show_net_callback(void *arg, const int msglevel)
Definition: init.c:3919
bool status_trigger(struct status_output *so)
Definition: status.c:135
uint16_t vid
Definition: mroute.h:87
#define M_ERRNO
Definition: error.h:99
#define msg
Definition: error.h:173
struct multi_instance * earliest_wakeup
Definition: multi.h:174
Interface functions to the internal and external multiplexers.
#define IS_SIG(c)
Definition: sig.h:50
#define OPENVPN_PLUGIN_CLIENT_DISCONNECT
#define DEV_TYPE_UNDEF
Definition: proto.h:35
bool multi_tcp_instance_specific_init(struct multi_context *m, struct multi_instance *mi)
Definition: mtcp.c:175
static struct multi_instance * multi_learn_addr(struct multi_context *m, struct multi_instance *mi, const struct mroute_addr *addr, const unsigned int flags)
Definition: multi.c:1069
struct connection_entry ce
Definition: options.h:230
static const char * mi_prefix(const struct multi_instance *mi)
Definition: multi.c:516
bool push_ifconfig_defined
Definition: options.h:454
void schedule_free(struct schedule *s)
Definition: schedule.c:425
struct context_2 c2
Level 2 context.
Definition: openvpn.h:543
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define TOP_NET30
Definition: proto.h:43
static bool ifconfig_push_constraint_satisfied(const struct context *c)
Definition: multi.c:1428
static int hash_n_buckets(const struct hash *hash)
Definition: list.h:137
struct mbuf_set * mbuf
Set of buffers for passing data channel packets between VPN tunnel instances.
Definition: multi.h:152
bool mbuf_extract_item(struct mbuf_set *ms, struct mbuf_item *item)
Definition: mbuf.c:115
struct ifconfig_pool * ifconfig_pool
Definition: multi.h:157
struct mbuf_set * mbuf_init(unsigned int size)
Definition: mbuf.c:43
struct hash_element * hash_iterator_next(struct hash_iterator *hi)
Definition: list.c:292
bool do_deferred_options(struct context *c, const unsigned int found)
Definition: init.c:2225
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
const char * client_connect_script
Definition: options.h:444
#define CCD_DEFAULT
Definition: common.h:71
void(* show_net)(void *arg, const int msglevel)
Definition: manage.h:162
#define OPT_P_TIMER
Definition: options.h:672
void schedule_remove_entry(struct schedule *s, struct schedule_entry *e)
Definition: schedule.c:431
#define BLEN(buf)
Definition: buffer.h:127
static int openvpn_gettimeofday(struct timeval *tv, void *tz)
Definition: otime.h:115
in_addr_t ifconfig_pool_netmask
Definition: options.h:434
bool disable
Definition: options.h:449
void tunnel_server_tcp(struct context *top)
Main event loop for OpenVPN in TCP server mode.
Definition: mtcp.c:786
void mbuf_add_item(struct mbuf_set *ms, const struct mbuf_item *item)
Definition: mbuf.c:93
#define SA_SET_IF_NONZERO
Definition: socket.h:402
struct ifconfig_pool_persist * ifconfig_pool_persist
Definition: openvpn.h:196
static struct hash_bucket * hash_bucket(struct hash *hash, uint32_t hv)
Definition: list.h:143
static void multi_add_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1311
int(* n_clients)(void *arg)
Definition: manage.h:166
bool halt
Definition: multi.h:81
void tunnel_server(struct context *top)
Main event loop for OpenVPN in server mode.
Definition: multi.c:3412
struct buffer_entry * next
Definition: buffer.h:1107
struct multi_tcp * mtcp
State specific to OpenVPN using TCP as external transport.
Definition: multi.h:155
#define REAP_MIN
Definition: multi.h:528
static uint32_t hash_value(const struct hash *hash, const void *key)
Definition: list.h:125
#define CAS_SUCCEEDED
Definition: openvpn.h:455
__int64 int64_t
Definition: config-msvc.h:161
void management_set_callback(struct management *man, const struct management_callback *cb)
Definition: manage.c:2646
unsigned __int8 uint8_t
Definition: config-msvc.h:160
struct multi_instance * multi_get_queue(struct mbuf_set *ms)
Definition: multi.c:2885
const char * tmp_dir
Definition: options.h:409
#define D_PF_DROPPED_BCAST
Definition: errlevel.h:147
static void multi_unicast(struct multi_context *m, const struct buffer *buf, struct multi_instance *mi)
Definition: multi.c:2190
struct mroute_addr local
Definition: multi.h:161
unsigned int netbits
Definition: route.h:243
int max_clients
Definition: options.h:471
void hash_iterator_free(struct hash_iterator *hi)
Definition: list.c:286
bool push_ifconfig_ipv6_defined
Definition: openvpn.h:449
unsigned int uintptr_t
Definition: cmocka.h:103
#define CONNECTION_ESTABLISHED(c)
Definition: forward.h:445
void plugin_return_free(struct plugin_return *pr)
Definition: plugin.c:977
ifconfig_pool_handle ifconfig_pool_acquire(struct ifconfig_pool *pool, in_addr_t *local, in_addr_t *remote, struct in6_addr *remote_ipv6, const char *common_name)
Definition: pool.c:226
int status_file_version
Definition: options.h:339
struct mroute_addr real
External network address of the remote peer.
Definition: multi.h:89
#define SIGINT
Definition: config-msvc.h:152
struct timeval wakeup
Definition: multi.h:88
void setenv_in6_addr(struct env_set *es, const char *name_prefix, const struct in6_addr *addr, const unsigned int flags)
Definition: socket.c:3103
volatile int signal_received
Definition: sig.h:45
bool multi_process_post(struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
Perform postprocessing of a VPN tunnel instance.
Definition: multi.c:2332
int(* kill_by_addr)(void *arg, const in_addr_t addr, const int port)
Definition: manage.h:164
#define MROUTE_EXTRACT_SUCCEEDED
Definition: mroute.h:40
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:894
#define SIGUSR2
Definition: config-msvc.h:154
static void multi_reap_range(const struct multi_context *m, int start_bucket, int end_bucket)
Definition: multi.c:179
#define OPT_P_INHERIT
Definition: options.h:686
#define D_VLAN_DEBUG
Definition: errlevel.h:151
bool push_ifconfig_ipv6_defined
Definition: options.h:462
Main OpenVPN server state structure.
Definition: multi.h:132
struct mroute_helper * mroute_helper_init(int ageable_ttl_secs)
Definition: mroute.c:544
bool push_reply_deferred
Definition: openvpn.h:439
#define CAS_FAILED
Definition: openvpn.h:457
time_t last_call
Definition: multi.h:56
int16_t vlan_decapsulate(const struct context *c, struct buffer *buf)
Definition: vlan.c:86
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
#define ENABLE_PF
Definition: config-msvc.h:6
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define MPP_RECORD_TOUCH
Definition: multi.h:260
struct hash_element * hash_lookup_fast(struct hash *hash, struct hash_bucket *bucket, const void *key, uint32_t hv)
Definition: list.c:86
void mroute_helper_add_iroute46(struct mroute_helper *mh, int netbits)
Definition: mroute.c:582
bool proto_is_dgram(int proto)
Definition: socket.c:3168
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1854
#define buf_init(buf, offset)
Definition: buffer.h:196
static void multi_set_pending(struct multi_context *m, struct multi_instance *mi)
Definition: multi.h:650
struct fragment_master * fragment
Definition: openvpn.h:267
bool ifconfig_pool_write_trigger(struct ifconfig_pool_persist *persist)
Definition: pool.c:460
static void check_stale_routes(struct multi_context *m)
Definition: multi.c:1398
struct status_output * status_output
Definition: openvpn.h:181
struct buffer buf
Definition: mbuf.h:45
static int hash_n_elements(const struct hash *hash)
Definition: list.h:131
#define PIPV6_IMCP_NOHOST_SERVER
Definition: forward.h:326
#define OPT_P_SOCKFLAGS
Definition: options.h:691
struct plugin_list * plugins
List of plug-ins.
Definition: openvpn.h:531
#define D_ROUTE_QUOTA
Definition: errlevel.h:90
int real_hash_size
Definition: options.h:442
int n_net_len
Definition: mroute.h:136
void setenv_long_long(struct env_set *es, const char *name, long long value)
Definition: env_set.c:277
static bool stale_route_check_trigger(struct multi_context *m)
Definition: multi.c:3019
#define MR_ADDR_IPV6
Definition: mroute.h:65
int thread_mode
Definition: multi.h:139
static void mroute_extract_in_addr_t(struct mroute_addr *dest, const in_addr_t src)
Definition: mroute.h:245
#define MAX_RW_SIZE_TUN(f)
Definition: mtu.h:180
void setenv_counter(struct env_set *es, const char *name, counter_type value)
Definition: env_set.c:261
static void multi_reap_all(const struct multi_context *m)
Definition: multi.c:212
struct hash * hash
VPN tunnel instances indexed by real address of the remote peer.
Definition: multi.h:144
in_addr_t push_ifconfig_local_alias
Definition: options.h:457
bool multi_process_incoming_link(struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
Demultiplex and process a packet received over the external network interface.
Definition: multi.c:2498
static void multi_client_connect_post_plugin(struct multi_context *m, struct multi_instance *mi, const struct plugin_return *pr, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1670
static void multi_del_iroutes(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:534
const char * tls_common_name(const struct tls_multi *multi, const bool null)
Returns the common name field for the given tunnel.
Definition: ssl_verify.c:127
static bool hash_remove(struct hash *hash, const void *key)
Definition: list.h:185
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
#define PERF_PROC_IN_LINK
Definition: perf.h:52
uint32_t peer_id
Definition: ssl_common.h:585
Definition: route.h:235
struct iroute_ipv6 * iroutes_ipv6
Definition: options.h:453
static int constrain_int(int x, int min, int max)
Definition: integer.h:70
#define M_WARN
Definition: error.h:96
static int min_int(int x, int y)
Definition: integer.h:57
#define MC_WORK_THREAD
Definition: multi.h:138
const char * tls_username(const struct tls_multi *multi, const bool null)
Returns the username field for the given tunnel.
Definition: ssl_verify.c:191
void throw_signal(const int signum)
Definition: sig.c:104
#define OPENVPN_PLUGIN_CLIENT_CONNECT
bool enable_c2c
Definition: multi.h:162
struct frequency_limit * new_connection_limiter
Definition: multi.h:158
static struct multi_reap * multi_reap_new(int buckets_per_pass)
Definition: multi.c:218
unsigned int flags
Definition: manage.h:159
#define free
Definition: cmocka.c:1850
Definition: buffer.h:1104
void hash_iterator_delete_element(struct hash_iterator *hi)
Definition: list.c:324
static void buf_reset(struct buffer *buf)
Definition: buffer.h:290
int tcp_queue_limit
Definition: multi.h:164
struct context top
Storage structure for process-wide configuration.
Definition: multi.h:179
void * value
Definition: list.h:49
unsigned __int16 uint16_t
Definition: config-msvc.h:159
void argv_parse_cmd(struct argv *argres, const char *cmdstr)
Parses a command string, tokenizes it and puts each element into a separate struct argv argument slot...
Definition: argv.c:485
static void multi_reap_free(struct multi_reap *mr)
Definition: multi.c:242
static void multi_client_connect_post(struct multi_context *m, struct multi_instance *mi, const char *dc_file, unsigned int option_permissions_mask, unsigned int *option_types_found)
Definition: multi.c:1637
#define TUNNEL_TYPE(tt)
Definition: tun.h:147
#define CC_GC_FREE
Definition: init.h:106
void tunnel_server_udp(struct context *top)
Main event loop wrapper function for OpenVPN in UDP server mode.
Definition: mudp.c:382
static bool plugin_return_defined(const struct plugin_return *pr)
Definition: plugin.h:164
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_lock_common_name(struct tls_multi *multi)
Locks the common name field for the given tunnel.
Definition: ssl_verify.c:152
void tls_lock_cert_hash_set(struct tls_multi *multi)
Locks the certificate hash set used in the given tunnel.
Definition: ssl_verify.c:306
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
struct deferred_signal_schedule_entry deferred_shutdown_signal
Definition: multi.h:192
static void multi_connection_established(struct multi_context *m, struct multi_instance *mi)
Definition: multi.c:1785
void multi_print_status(struct multi_context *m, struct status_output *so, const int version)
Definition: multi.c:860
static void multi_instance_dec_refcount(struct multi_instance *mi)
Definition: multi.h:444
void process_incoming_link_part2(struct context *c, struct link_socket_info *lsi, const uint8_t *orig_buf)
Continues processing a packet read from the external network interface.
Definition: forward.c:1146
static bool mroute_addr_equal(const struct mroute_addr *a1, const struct mroute_addr *a2)
Definition: mroute.h:214
struct link_socket_actual from
Definition: openvpn.h:259
int process_incoming_push_request(struct context *c)
Definition: push.c:724
struct iroute_ipv6 * next
Definition: route.h:244
#define BSTR(buf)
Definition: buffer.h:129
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
long int get_random(void)
Definition: crypto.c:1781
#define OPT_P_CONFIG
Definition: options.h:683
uint8_t net_len[MR_HELPER_NET_LEN]
Definition: mroute.h:137
struct multi_instance * multi_get_create_instance_udp(struct multi_context *m, bool *floated)
Get, and if necessary create, the multi_instance associated with a packet&#39;s source address...
Definition: mudp.c:51
#define TUNNEL_TOPOLOGY(tt)
Definition: tun.h:150
Server-mode state structure for one single VPN tunnel.
Definition: multi.h:77
bool process_incoming_link_part1(struct context *c, struct link_socket_info *lsi, bool floated)
Starts processing a packet read from the external network interface.
Definition: forward.c:1004
Definition: argv.h:35
uint8_t netbits
Definition: mroute.h:81
struct buffer to_tun
Definition: openvpn.h:385
in_addr_t push_ifconfig_constraint_network
Definition: options.h:459
void setenv_in_addr_t(struct env_set *es, const char *name_prefix, in_addr_t addr, const unsigned int flags)
Definition: socket.c:3090
static unsigned int compute_wakeup_sigma(const struct timeval *delta)
Definition: multi.c:2289
static void multi_client_disconnect_script(struct multi_instance *mi)
Definition: multi.c:574
#define OPENVPN_PLUGIN_CLIENT_CONNECT_V2
Definition: list.h:60
bool duplicate_cn
Definition: options.h:468
struct mbuf_buffer * mbuf_alloc_buf(const struct buffer *buf)
Definition: mbuf.c:69
int stale_routes_ageing_time
Definition: options.h:474
struct tls_multi * tls_multi
TLS state structure for this VPN tunnel.
Definition: openvpn.h:338
void frequency_limit_free(struct frequency_limit *f)
Definition: otime.c:164
void multi_tcp_free(struct multi_tcp *mtcp)
Definition: mtcp.c:229
struct timeval wakeup
Definition: multi.h:64
in_addr_t push_ifconfig_remote_netmask
Definition: openvpn.h:446
void process_incoming_tun(struct context *c)
Process a packet read from the virtual tun/tap network interface.
Definition: forward.c:1406
#define MPP_CONDITIONAL_PRE_SELECT
Definition: multi.h:258
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:57
struct in6_addr local_ipv6
Definition: tun.h:169
struct mroute_addr addr
Definition: multi.h:200
void status_reset(struct status_output *so)
Definition: status.c:163
const char title_string[]
Definition: options.c:66
#define D_MULTI_LOW
Definition: errlevel.h:86
#define MC_UNDEF
Definition: multi.h:133
#define PERF_MULTI_CLOSE_INSTANCE
Definition: perf.h:46
static void mroute_addr_reset(struct mroute_addr *ma)
Definition: mroute.h:267
static int reap_buckets_per_pass(int n_buckets)
Definition: multi.c:251
static void event_timeout_init(struct event_timeout *et, interval_t n, const time_t local_now)
Definition: interval.h:166
bool multi_process_timeout(struct multi_context *m, const unsigned int mpp_flags)
Definition: multi.c:2919
struct in6_addr push_ifconfig_ipv6_local
Definition: options.h:463
bool mroute_learnable_address(const struct mroute_addr *addr, struct gc_arena *gc)
Definition: mroute.c:68
int ifconfig_ipv6_pool_netbits
Definition: options.h:440
#define OPT_P_PUSH
Definition: options.h:681
__int16 int16_t
Definition: config-msvc.h:163
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct mbuf_buffer * buffer
Definition: mbuf.h:54
const char * dev_type
Definition: options.h:248
#define DEV_TYPE_TAP
Definition: proto.h:38
void inherit_context_top(struct context *dest, const struct context *src)
Definition: init.c:4577
void route_quota_exceeded(const struct multi_instance *mi)
Definition: multi.c:2972
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442