OpenVPN
route.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * Support routines for adding/deleting network routes.
26  */
27 
28 #ifdef HAVE_CONFIG_H
29 #include "config.h"
30 #elif defined(_MSC_VER)
31 #include "config-msvc.h"
32 #endif
33 
34 #include "syshead.h"
35 
36 #include "common.h"
37 #include "error.h"
38 #include "route.h"
39 #include "run_command.h"
40 #include "socket.h"
41 #include "manage.h"
42 #include "win32.h"
43 #include "options.h"
44 
45 #include "memdbg.h"
46 
47 #if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
48 #include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
49 #endif
50 
51 #ifdef _WIN32
52 #include "openvpn-msg.h"
53 
54 #define METRIC_NOT_USED ((DWORD)-1)
55 static bool add_route_service(const struct route_ipv4 *, const struct tuntap *);
56 
57 static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
58 
59 static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
60 
61 static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
62 
63 #endif
64 
65 static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es);
66 
67 static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
68 
69 #ifdef ENABLE_DEBUG
70 
71 static void
72 print_bypass_addresses(const struct route_bypass *rb)
73 {
74  struct gc_arena gc = gc_new();
75  int i;
76  for (i = 0; i < rb->n_bypass; ++i)
77  {
78  msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
79  i,
80  print_in_addr_t(rb->bypass[i], 0, &gc));
81  }
82  gc_free(&gc);
83 }
84 
85 #endif
86 
87 static bool
89 {
90  int i;
91  for (i = 0; i < rb->n_bypass; ++i)
92  {
93  if (a == rb->bypass[i]) /* avoid duplicates */
94  {
95  return true;
96  }
97  }
98  if (rb->n_bypass < N_ROUTE_BYPASS)
99  {
100  rb->bypass[rb->n_bypass++] = a;
101  return true;
102  }
103  else
104  {
105  return false;
106  }
107 }
108 
109 struct route_option_list *
111 {
112  struct route_option_list *ret;
113  ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
114  ret->gc = a;
115  return ret;
116 }
117 
118 struct route_ipv6_option_list *
120 {
121  struct route_ipv6_option_list *ret;
123  ret->gc = a;
124  return ret;
125 }
126 
127 /*
128  * NOTE: structs are cloned/copied shallow by design.
129  * The routes list from src will stay intact since it is allocated using
130  * the options->gc. The cloned/copied lists will share this common tail
131  * to avoid copying the data around between pulls. Pulled routes use
132  * the c2->gc so they get freed immediately after a reconnect.
133  */
134 struct route_option_list *
136 {
137  struct route_option_list *ret;
138  ALLOC_OBJ_GC(ret, struct route_option_list, a);
139  *ret = *src;
140  return ret;
141 }
142 
143 struct route_ipv6_option_list *
145 {
146  struct route_ipv6_option_list *ret;
147  ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
148  *ret = *src;
149  return ret;
150 }
151 
152 void
154 {
155  *dest = *src;
156  dest->gc = a;
157 }
158 
159 void
161  const struct route_ipv6_option_list *src,
162  struct gc_arena *a)
163 {
164  *dest = *src;
165  dest->gc = a;
166 }
167 
168 static const char *
169 route_string(const struct route_ipv4 *r, struct gc_arena *gc)
170 {
171  struct buffer out = alloc_buf_gc(256, gc);
172  buf_printf(&out, "ROUTE network %s netmask %s gateway %s",
173  print_in_addr_t(r->network, 0, gc),
174  print_in_addr_t(r->netmask, 0, gc),
175  print_in_addr_t(r->gateway, 0, gc)
176  );
177  if (r->flags & RT_METRIC_DEFINED)
178  {
179  buf_printf(&out, " metric %d", r->metric);
180  }
181  return BSTR(&out);
182 }
183 
184 static bool
185 is_route_parm_defined(const char *parm)
186 {
187  if (!parm)
188  {
189  return false;
190  }
191  if (!strcmp(parm, "default"))
192  {
193  return false;
194  }
195  return true;
196 }
197 
198 static void
199 setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
200 {
201  struct gc_arena gc = gc_new();
202  struct buffer name = alloc_buf_gc(256, &gc);
203  if (i >= 0)
204  {
205  buf_printf(&name, "route_%s_%d", key, i);
206  }
207  else
208  {
209  buf_printf(&name, "route_%s", key);
210  }
211  setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
212  gc_free(&gc);
213 }
214 
215 static bool
216 get_special_addr(const struct route_list *rl,
217  const char *string,
218  in_addr_t *out,
219  bool *status)
220 {
221  if (status)
222  {
223  *status = true;
224  }
225  if (!strcmp(string, "vpn_gateway"))
226  {
227  if (rl)
228  {
229  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
230  {
231  *out = rl->spec.remote_endpoint;
232  }
233  else
234  {
235  msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
236  if (status)
237  {
238  *status = false;
239  }
240  }
241  }
242  return true;
243  }
244  else if (!strcmp(string, "net_gateway"))
245  {
246  if (rl)
247  {
248  if (rl->rgi.flags & RGI_ADDR_DEFINED)
249  {
250  *out = rl->rgi.gateway.addr;
251  }
252  else
253  {
254  msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
255  if (status)
256  {
257  *status = false;
258  }
259  }
260  }
261  return true;
262  }
263  else if (!strcmp(string, "remote_host"))
264  {
265  if (rl)
266  {
267  if (rl->spec.flags & RTSA_REMOTE_HOST)
268  {
269  *out = rl->spec.remote_host;
270  }
271  else
272  {
273  msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
274  if (status)
275  {
276  *status = false;
277  }
278  }
279  }
280  return true;
281  }
282  return false;
283 }
284 
285 bool
286 is_special_addr(const char *addr_str)
287 {
288  if (addr_str)
289  {
290  return get_special_addr(NULL, addr_str, NULL, NULL);
291  }
292  else
293  {
294  return false;
295  }
296 }
297 
298 static bool
300  struct addrinfo **network_list,
301  const struct route_option *ro,
302  const struct route_list *rl)
303 {
304  const in_addr_t default_netmask = IPV4_NETMASK_HOST;
305  bool status;
306  int ret;
307  struct in_addr special;
308 
309  CLEAR(*r);
310  r->option = ro;
311 
312  /* network */
313 
314  if (!is_route_parm_defined(ro->network))
315  {
316  goto fail;
317  }
318 
319 
320  /* get_special_addr replaces specialaddr with a special ip addr
321  * like gw. getaddrinfo is called to convert a a addrinfo struct */
322 
323  if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
324  {
325  special.s_addr = htonl(special.s_addr);
326  ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL,
327  AF_INET, network_list);
328  }
329  else
330  {
332  ro->network, NULL, 0, NULL, AF_INET, network_list);
333  }
334 
335  status = (ret == 0);
336 
337  if (!status)
338  {
339  goto fail;
340  }
341 
342  /* netmask */
343 
345  {
346  r->netmask = getaddr(
349  ro->netmask,
350  0,
351  &status,
352  NULL);
353  if (!status)
354  {
355  goto fail;
356  }
357  }
358  else
359  {
360  r->netmask = default_netmask;
361  }
362 
363  /* gateway */
364 
366  {
367  if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
368  {
369  r->gateway = getaddr(
373  ro->gateway,
374  0,
375  &status,
376  NULL);
377  }
378  if (!status)
379  {
380  goto fail;
381  }
382  }
383  else
384  {
385  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
386  {
387  r->gateway = rl->spec.remote_endpoint;
388  }
389  else
390  {
391  msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
392  goto fail;
393  }
394  }
395 
396  /* metric */
397 
398  r->metric = 0;
399  if (is_route_parm_defined(ro->metric))
400  {
401  r->metric = atoi(ro->metric);
402  if (r->metric < 0)
403  {
404  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
405  ro->network,
406  ro->metric);
407  goto fail;
408  }
409  r->flags |= RT_METRIC_DEFINED;
410  }
411  else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
412  {
413  r->metric = rl->spec.default_metric;
414  r->flags |= RT_METRIC_DEFINED;
415  }
416 
417  r->flags |= RT_DEFINED;
418 
419  return true;
420 
421 fail:
422  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
423  ro->network);
424  return false;
425 }
426 
427 static bool
429  const struct route_ipv6_option *r6o,
430  const struct route_ipv6_list *rl6 )
431 {
432  CLEAR(*r6);
433 
434  if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN ))
435  {
436  goto fail;
437  }
438 
439  /* gateway */
440  if (is_route_parm_defined(r6o->gateway))
441  {
442  if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1)
443  {
444  msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway );
445  }
446  }
447  else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
448  {
449  r6->gateway = rl6->remote_endpoint_ipv6;
450  }
451 
452  /* metric */
453 
454  r6->metric = -1;
455  if (is_route_parm_defined(r6o->metric))
456  {
457  r6->metric = atoi(r6o->metric);
458  if (r6->metric < 0)
459  {
460  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
461  r6o->prefix,
462  r6o->metric);
463  goto fail;
464  }
465  r6->flags |= RT_METRIC_DEFINED;
466  }
467  else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
468  {
469  r6->metric = rl6->default_metric;
470  r6->flags |= RT_METRIC_DEFINED;
471  }
472 
473  r6->flags |= RT_DEFINED;
474 
475  return true;
476 
477 fail:
478  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
479  r6o->prefix);
480  return false;
481 }
482 
483 void
485  const char *network,
486  const char *netmask,
487  const char *gateway,
488  const char *metric)
489 {
490  struct route_option *ro;
491  ALLOC_OBJ_GC(ro, struct route_option, l->gc);
492  ro->network = network;
493  ro->netmask = netmask;
494  ro->gateway = gateway;
495  ro->metric = metric;
496  ro->next = l->routes;
497  l->routes = ro;
498 
499 }
500 
501 void
503  const char *prefix,
504  const char *gateway,
505  const char *metric)
506 {
507  struct route_ipv6_option *ro;
508  ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
509  ro->prefix = prefix;
510  ro->gateway = gateway;
511  ro->metric = metric;
512  ro->next = l->routes_ipv6;
513  l->routes_ipv6 = ro;
514 }
515 
516 static void
518 {
519  gc_free(&rl->gc);
520  CLEAR(*rl);
521 }
522 
523 static void
525 {
526  gc_free(&rl6->gc);
527  CLEAR(*rl6);
528 }
529 
530 void
532  struct env_set *es,
533  const in_addr_t addr)
534 {
535  ASSERT(rl);
536  rl->spec.remote_endpoint = addr;
538  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
539 }
540 
541 static void
543  const struct route_gateway_address *gateway,
544  in_addr_t target)
545 {
546  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
547  if ((rl->rgi.flags & rgi_needed) == rgi_needed
548  && rl->rgi.gateway.netmask < 0xFFFFFFFF)
549  {
550  struct route_ipv4 *r1, *r2;
551  unsigned int l2;
552 
553  ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
554  ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
555 
556  /* split a route into two smaller blocking routes, and direct them to target */
557  l2 = ((~gateway->netmask)+1)>>1;
558  r1->flags = RT_DEFINED;
559  r1->gateway = target;
560  r1->network = gateway->addr & gateway->netmask;
561  r1->netmask = ~(l2-1);
562  r1->next = rl->routes;
563  rl->routes = r1;
564 
565  *r2 = *r1;
566  r2->network += l2;
567  r2->next = rl->routes;
568  rl->routes = r2;
569  }
570 }
571 
572 static void
574 {
575  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
576  if ((rl->flags & RG_BLOCK_LOCAL)
577  && (rl->rgi.flags & rgi_needed) == rgi_needed
578  && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
579  && rl->spec.remote_host_local != TLA_LOCAL)
580  {
581  size_t i;
582 
583 #ifndef TARGET_ANDROID
584  /* add bypass for gateway addr */
586 #endif
587 
588  /* block access to local subnet */
590 
591  /* process additional subnets on gateway interface */
592  for (i = 0; i < rl->rgi.n_addrs; ++i)
593  {
594  const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
595  /* omit the add/subnet in &rl->rgi which we processed above */
596  if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
597  && rl->rgi.gateway.netmask == gwa->netmask))
598  {
600  }
601  }
602  }
603 }
604 
605 bool
607  const struct route_option_list *opt,
608  const char *remote_endpoint,
609  int default_metric,
610  in_addr_t remote_host,
611  struct env_set *es)
612 {
613  struct gc_arena gc = gc_new();
614  bool ret = true;
615 
616  clear_route_list(rl);
617 
618  rl->flags = opt->flags;
619 
620  if (remote_host)
621  {
622  rl->spec.remote_host = remote_host;
623  rl->spec.flags |= RTSA_REMOTE_HOST;
624  }
625 
626  if (default_metric)
627  {
628  rl->spec.default_metric = default_metric;
630  }
631 
632  get_default_gateway(&rl->rgi);
633  if (rl->rgi.flags & RGI_ADDR_DEFINED)
634  {
635  setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
636 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
637  print_default_gateway(D_ROUTE, &rl->rgi, NULL);
638 #endif
639  }
640  else
641  {
642  dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
643  }
644 
645  if (rl->spec.flags & RTSA_REMOTE_HOST)
646  {
647  rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
648  }
649 
650  if (is_route_parm_defined(remote_endpoint))
651  {
652  bool defined = false;
657  remote_endpoint,
658  0,
659  &defined,
660  NULL);
661 
662  if (defined)
663  {
664  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
666  }
667  else
668  {
669  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
670  remote_endpoint);
671  ret = false;
672  }
673  }
674 
675  if (rl->flags & RG_ENABLE)
676  {
677  add_block_local(rl);
679 #ifdef ENABLE_DEBUG
680  print_bypass_addresses(&rl->spec.bypass);
681 #endif
682  }
683 
684  /* parse the routes from opt to rl */
685  {
686  struct route_option *ro;
687  for (ro = opt->routes; ro; ro = ro->next)
688  {
689  struct addrinfo *netlist = NULL;
690  struct route_ipv4 r;
691 
692  if (!init_route(&r, &netlist, ro, rl))
693  {
694  ret = false;
695  }
696  else
697  {
698  struct addrinfo *curele;
699  for (curele = netlist; curele; curele = curele->ai_next)
700  {
701  struct route_ipv4 *new;
702  ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
703  *new = r;
704  new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
705  new->next = rl->routes;
706  rl->routes = new;
707  }
708  }
709  if (netlist)
710  {
711  gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
712  }
713  }
714  }
715 
716  gc_free(&gc);
717  return ret;
718 }
719 
720 /* check whether an IPv6 host address is covered by a given route_ipv6
721  * (not the most beautiful implementation in the world, but portable and
722  * "good enough")
723  */
724 static bool
726  const struct in6_addr *host )
727 {
728  unsigned int bits = r6->netbits;
729  int i;
730  unsigned int mask;
731 
732  if (bits>128)
733  {
734  return false;
735  }
736 
737  for (i = 0; bits >= 8; i++, bits -= 8)
738  {
739  if (r6->network.s6_addr[i] != host->s6_addr[i])
740  {
741  return false;
742  }
743  }
744 
745  if (bits == 0)
746  {
747  return true;
748  }
749 
750  mask = 0xff << (8-bits);
751 
752  if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask ))
753  {
754  return true;
755  }
756 
757  return false;
758 }
759 
760 bool
762  const struct route_ipv6_option_list *opt6,
763  const char *remote_endpoint,
764  int default_metric,
765  const struct in6_addr *remote_host_ipv6,
766  struct env_set *es)
767 {
768  struct gc_arena gc = gc_new();
769  bool ret = true;
770  bool need_remote_ipv6_route;
771 
773 
774  rl6->flags = opt6->flags;
775 
776  if (remote_host_ipv6)
777  {
778  rl6->remote_host_ipv6 = *remote_host_ipv6;
780  }
781 
782  if (default_metric >= 0)
783  {
784  rl6->default_metric = default_metric;
786  }
787 
788  msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
789  remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" );
790 
791  get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6);
792  if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
793  {
794  setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
795 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
796  print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
797 #endif
798  }
799  else
800  {
801  dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
802  }
803 
804  if (is_route_parm_defined( remote_endpoint ))
805  {
806  if (inet_pton( AF_INET6, remote_endpoint,
807  &rl6->remote_endpoint_ipv6) == 1)
808  {
810  }
811  else
812  {
813  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint);
814  ret = false;
815  }
816  }
817 
818  /* parse the routes from opt6 to rl6
819  * discovering potential overlaps with remote_host_ipv6 in the process
820  */
821  need_remote_ipv6_route = false;
822 
823  {
824  struct route_ipv6_option *ro6;
825  for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
826  {
827  struct route_ipv6 *r6;
828  ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
829  if (!init_route_ipv6(r6, ro6, rl6))
830  {
831  ret = false;
832  }
833  else
834  {
835  r6->next = rl6->routes_ipv6;
836  rl6->routes_ipv6 = r6;
837 
838 #ifndef TARGET_ANDROID
839  /* On Android the VPNService protect function call will take of
840  * avoiding routing loops, so ignore this part and let
841  * need_remote_ipv6_route always evaluate to false
842  */
843  if (remote_host_ipv6
844  && route_ipv6_match_host( r6, remote_host_ipv6 ) )
845  {
846  need_remote_ipv6_route = true;
847  msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
848  print_in6_addr(r6->network, 0, &gc), r6->netbits,
849  print_in6_addr(*remote_host_ipv6, 0, &gc));
850  }
851 #endif
852  }
853  }
854  }
855 
856  /* add VPN server host route if needed */
857  if (need_remote_ipv6_route)
858  {
859  if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) ==
861  {
862  struct route_ipv6 *r6;
863  ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
864 
865  r6->network = *remote_host_ipv6;
866  r6->netbits = 128;
867  if (!(rl6->rgi6.flags & RGI_ON_LINK) )
868  {
869  r6->gateway = rl6->rgi6.gateway.addr_ipv6;
870  }
871  r6->metric = 1;
872 #ifdef _WIN32
873  r6->adapter_index = rl6->rgi6.adapter_index;
874 #else
875  r6->iface = rl6->rgi6.iface;
876 #endif
878 
879  r6->next = rl6->routes_ipv6;
880  rl6->routes_ipv6 = r6;
881  }
882  else
883  {
884  msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" );
885  }
886  }
887 
888  gc_free(&gc);
889  return ret;
890 }
891 
892 static void
894  in_addr_t netmask,
896  const struct tuntap *tt,
897  unsigned int flags,
898  const struct route_gateway_info *rgi,
899  const struct env_set *es)
900 {
901  struct route_ipv4 r;
902  CLEAR(r);
903  r.flags = RT_DEFINED;
904  r.network = network;
905  r.netmask = netmask;
906  r.gateway = gateway;
907  add_route(&r, tt, flags, rgi, es);
908 }
909 
910 static void
914  const struct tuntap *tt,
915  unsigned int flags,
916  const struct route_gateway_info *rgi,
917  const struct env_set *es)
918 {
919  struct route_ipv4 r;
920  CLEAR(r);
922  r.network = network;
923  r.netmask = netmask;
924  r.gateway = gateway;
925  delete_route(&r, tt, flags, rgi, es);
926 }
927 
928 static void
931  const struct tuntap *tt,
932  unsigned int flags,
933  const struct route_gateway_info *rgi,
934  const struct env_set *es)
935 {
936  int i;
937  for (i = 0; i < rb->n_bypass; ++i)
938  {
939  if (rb->bypass[i])
940  {
941  add_route3(rb->bypass[i],
943  gateway,
944  tt,
945  flags | ROUTE_REF_GW,
946  rgi,
947  es);
948  }
949  }
950 }
951 
952 static void
955  const struct tuntap *tt,
956  unsigned int flags,
957  const struct route_gateway_info *rgi,
958  const struct env_set *es)
959 {
960  int i;
961  for (i = 0; i < rb->n_bypass; ++i)
962  {
963  if (rb->bypass[i])
964  {
965  del_route3(rb->bypass[i],
967  gateway,
968  tt,
969  flags | ROUTE_REF_GW,
970  rgi,
971  es);
972  }
973  }
974 }
975 
976 static void
977 redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
978 {
979  const char err[] = "NOTE: unable to redirect default gateway --";
980 
981  if (rl && rl->flags & RG_ENABLE)
982  {
983  bool local = rl->flags & RG_LOCAL;
984 
985  if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
986  {
987  msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
988  }
989  /*
990  * check if a default route is defined, unless:
991  * - we are connecting to a remote host in our network
992  * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
993  */
994  else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
995  && (rl->spec.remote_host != IPV4_INVALID_ADDR))
996  {
997  msg(M_WARN, "%s Cannot read current default gateway from system", err);
998  }
999  else if (!(rl->spec.flags & RTSA_REMOTE_HOST))
1000  {
1001  msg(M_WARN, "%s Cannot obtain current remote host address", err);
1002  }
1003  else
1004  {
1005 #ifndef TARGET_ANDROID
1006  if (rl->flags & RG_AUTO_LOCAL)
1007  {
1008  const int tla = rl->spec.remote_host_local;
1009  if (tla == TLA_NONLOCAL)
1010  {
1011  dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
1012  local = false;
1013  }
1014  else if (tla == TLA_LOCAL)
1015  {
1016  dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
1017  local = true;
1018  }
1019  }
1020  if (!local)
1021  {
1022  /* route remote host to original default gateway */
1023  /* if remote_host is not ipv4 (ie: ipv6), just skip
1024  * adding this special /32 route */
1025  if (rl->spec.remote_host != IPV4_INVALID_ADDR)
1026  {
1029  rl->rgi.gateway.addr,
1030  tt,
1031  flags | ROUTE_REF_GW,
1032  &rl->rgi,
1033  es);
1034  rl->iflags |= RL_DID_LOCAL;
1035  }
1036  else
1037  {
1038  dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1039  }
1040  }
1041 #endif /* ifndef TARGET_ANDROID */
1042 
1043  /* route DHCP/DNS server traffic through original default gateway */
1044  add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es);
1045 
1046  if (rl->flags & RG_REROUTE_GW)
1047  {
1048  if (rl->flags & RG_DEF1)
1049  {
1050  /* add new default route (1st component) */
1051  add_route3(0x00000000,
1052  0x80000000,
1053  rl->spec.remote_endpoint,
1054  tt,
1055  flags,
1056  &rl->rgi,
1057  es);
1058 
1059  /* add new default route (2nd component) */
1060  add_route3(0x80000000,
1061  0x80000000,
1062  rl->spec.remote_endpoint,
1063  tt,
1064  flags,
1065  &rl->rgi,
1066  es);
1067  }
1068  else
1069  {
1070  /* don't try to remove the def route if it does not exist */
1071  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1072  {
1073  /* delete default route */
1074  del_route3(0, 0, rl->rgi.gateway.addr, tt,
1075  flags | ROUTE_REF_GW, &rl->rgi, es);
1076  }
1077 
1078  /* add new default route */
1079  add_route3(0,
1080  0,
1081  rl->spec.remote_endpoint,
1082  tt,
1083  flags,
1084  &rl->rgi,
1085  es);
1086  }
1087  }
1088 
1089  /* set a flag so we can undo later */
1091  }
1092  }
1093 }
1094 
1095 static void
1096 undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
1097 {
1098  if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1099  {
1100  /* delete remote host route */
1101  if (rl->iflags & RL_DID_LOCAL)
1102  {
1105  rl->rgi.gateway.addr,
1106  tt,
1107  flags | ROUTE_REF_GW,
1108  &rl->rgi,
1109  es);
1110  rl->iflags &= ~RL_DID_LOCAL;
1111  }
1112 
1113  /* delete special DHCP/DNS bypass route */
1114  del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es);
1115 
1116  if (rl->flags & RG_REROUTE_GW)
1117  {
1118  if (rl->flags & RG_DEF1)
1119  {
1120  /* delete default route (1st component) */
1121  del_route3(0x00000000,
1122  0x80000000,
1123  rl->spec.remote_endpoint,
1124  tt,
1125  flags,
1126  &rl->rgi,
1127  es);
1128 
1129  /* delete default route (2nd component) */
1130  del_route3(0x80000000,
1131  0x80000000,
1132  rl->spec.remote_endpoint,
1133  tt,
1134  flags,
1135  &rl->rgi,
1136  es);
1137  }
1138  else
1139  {
1140  /* delete default route */
1141  del_route3(0,
1142  0,
1143  rl->spec.remote_endpoint,
1144  tt,
1145  flags,
1146  &rl->rgi,
1147  es);
1148  /* restore original default route if there was any */
1149  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1150  {
1151  add_route3(0, 0, rl->rgi.gateway.addr, tt,
1152  flags | ROUTE_REF_GW, &rl->rgi, es);
1153  }
1154  }
1155  }
1156 
1158  }
1159 }
1160 
1161 void
1162 add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
1163 {
1164  redirect_default_route_to_vpn(rl, tt, flags, es);
1165  if (rl && !(rl->iflags & RL_ROUTES_ADDED) )
1166  {
1167  struct route_ipv4 *r;
1168 
1169 #ifdef ENABLE_MANAGEMENT
1170  if (management && rl->routes)
1171  {
1174  NULL,
1175  NULL,
1176  NULL,
1177  NULL,
1178  NULL);
1179  }
1180 #endif
1181 
1182  for (r = rl->routes; r; r = r->next)
1183  {
1184  check_subnet_conflict(r->network, r->netmask, "route");
1185  if (flags & ROUTE_DELETE_FIRST)
1186  {
1187  delete_route(r, tt, flags, &rl->rgi, es);
1188  }
1189  add_route(r, tt, flags, &rl->rgi, es);
1190  }
1191  rl->iflags |= RL_ROUTES_ADDED;
1192  }
1193  if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
1194  {
1195  struct route_ipv6 *r;
1196 
1197  if (!tt->did_ifconfig_ipv6_setup)
1198  {
1199  msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
1200  "route over %s. However, no IPv6 has been configured for "
1201  "this interface, therefore the route installation may "
1202  "fail or may not work as expected.", tt->actual_name);
1203  }
1204 
1205  for (r = rl6->routes_ipv6; r; r = r->next)
1206  {
1207  if (flags & ROUTE_DELETE_FIRST)
1208  {
1209  delete_route_ipv6(r, tt, flags, es);
1210  }
1211  add_route_ipv6(r, tt, flags, es);
1212  }
1213  rl6->iflags |= RL_ROUTES_ADDED;
1214  }
1215 }
1216 
1217 void
1218 delete_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1219  const struct tuntap *tt, unsigned int flags, const struct env_set *es)
1220 {
1221  if (rl && rl->iflags & RL_ROUTES_ADDED)
1222  {
1223  struct route_ipv4 *r;
1224  for (r = rl->routes; r; r = r->next)
1225  {
1226  delete_route(r, tt, flags, &rl->rgi, es);
1227  }
1228  rl->iflags &= ~RL_ROUTES_ADDED;
1229  }
1230 
1231  undo_redirect_default_route_to_vpn(rl, tt, flags, es);
1232 
1233  if (rl)
1234  {
1235  clear_route_list(rl);
1236  }
1237 
1238  if (rl6 && (rl6->iflags & RL_ROUTES_ADDED) )
1239  {
1240  struct route_ipv6 *r6;
1241  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1242  {
1243  delete_route_ipv6(r6, tt, flags, es);
1244  }
1245  rl6->iflags &= ~RL_ROUTES_ADDED;
1246  }
1247 
1248  if (rl6)
1249  {
1250  clear_route_ipv6_list(rl6);
1251  }
1252 }
1253 
1254 #ifndef ENABLE_SMALL
1255 
1256 static const char *
1257 show_opt(const char *option)
1258 {
1259  if (!option)
1260  {
1261  return "default (not set)";
1262  }
1263  else
1264  {
1265  return option;
1266  }
1267 }
1268 
1269 static void
1270 print_route_option(const struct route_option *ro, int level)
1271 {
1272  msg(level, " route %s/%s/%s/%s",
1273  show_opt(ro->network),
1274  show_opt(ro->netmask),
1275  show_opt(ro->gateway),
1276  show_opt(ro->metric));
1277 }
1278 
1279 void
1281  int level)
1282 {
1283  struct route_option *ro;
1284  if (rol->flags & RG_ENABLE)
1285  {
1286  msg(level, " [redirect_default_gateway local=%d]",
1287  (rol->flags & RG_LOCAL) != 0);
1288  }
1289  for (ro = rol->routes; ro; ro = ro->next)
1290  {
1291  print_route_option(ro, level);
1292  }
1293 }
1294 
1295 void
1296 print_default_gateway(const int msglevel,
1297  const struct route_gateway_info *rgi,
1298  const struct route_ipv6_gateway_info *rgi6)
1299 {
1300  struct gc_arena gc = gc_new();
1301  if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1302  {
1303  struct buffer out = alloc_buf_gc(256, &gc);
1304  buf_printf(&out, "ROUTE_GATEWAY");
1305  if (rgi->flags & RGI_ON_LINK)
1306  {
1307  buf_printf(&out, " ON_LINK");
1308  }
1309  else
1310  {
1311  buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1312  }
1313  if (rgi->flags & RGI_NETMASK_DEFINED)
1314  {
1315  buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1316  }
1317 #ifdef _WIN32
1318  if (rgi->flags & RGI_IFACE_DEFINED)
1319  {
1320  buf_printf(&out, " I=%lu", rgi->adapter_index);
1321  }
1322 #else
1323  if (rgi->flags & RGI_IFACE_DEFINED)
1324  {
1325  buf_printf(&out, " IFACE=%s", rgi->iface);
1326  }
1327 #endif
1328  if (rgi->flags & RGI_HWADDR_DEFINED)
1329  {
1330  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1331  }
1332  msg(msglevel, "%s", BSTR(&out));
1333  }
1334 
1335  if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1336  {
1337  struct buffer out = alloc_buf_gc(256, &gc);
1338  buf_printf(&out, "ROUTE6_GATEWAY");
1339  buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1340  if (rgi6->flags & RGI_ON_LINK)
1341  {
1342  buf_printf(&out, " ON_LINK");
1343  }
1344  if (rgi6->flags & RGI_NETMASK_DEFINED)
1345  {
1346  buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1347  }
1348 #ifdef _WIN32
1349  if (rgi6->flags & RGI_IFACE_DEFINED)
1350  {
1351  buf_printf(&out, " I=%lu", rgi6->adapter_index);
1352  }
1353 #else
1354  if (rgi6->flags & RGI_IFACE_DEFINED)
1355  {
1356  buf_printf(&out, " IFACE=%s", rgi6->iface);
1357  }
1358 #endif
1359  if (rgi6->flags & RGI_HWADDR_DEFINED)
1360  {
1361  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1362  }
1363  msg(msglevel, "%s", BSTR(&out));
1364  }
1365  gc_free(&gc);
1366 }
1367 
1368 #endif /* ifndef ENABLE_SMALL */
1369 
1370 static void
1371 print_route(const struct route_ipv4 *r, int level)
1372 {
1373  struct gc_arena gc = gc_new();
1374  if (r->flags & RT_DEFINED)
1375  {
1376  msg(level, "%s", route_string(r, &gc));
1377  }
1378  gc_free(&gc);
1379 }
1380 
1381 void
1382 print_routes(const struct route_list *rl, int level)
1383 {
1384  struct route_ipv4 *r;
1385  for (r = rl->routes; r; r = r->next)
1386  {
1387  print_route(r, level);
1388  }
1389 }
1390 
1391 static void
1392 setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1393 {
1394  struct gc_arena gc = gc_new();
1395  if (r->flags & RT_DEFINED)
1396  {
1397  setenv_route_addr(es, "network", r->network, i);
1398  setenv_route_addr(es, "netmask", r->netmask, i);
1399  setenv_route_addr(es, "gateway", r->gateway, i);
1400 
1401  if (r->flags & RT_METRIC_DEFINED)
1402  {
1403  struct buffer name = alloc_buf_gc(256, &gc);
1404  buf_printf(&name, "route_metric_%d", i);
1405  setenv_int(es, BSTR(&name), r->metric);
1406  }
1407  }
1408  gc_free(&gc);
1409 }
1410 
1411 void
1412 setenv_routes(struct env_set *es, const struct route_list *rl)
1413 {
1414  int i = 1;
1415  struct route_ipv4 *r;
1416  for (r = rl->routes; r; r = r->next)
1417  {
1418  setenv_route(es, r, i++);
1419  }
1420 }
1421 
1422 static void
1423 setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1424 {
1425  struct gc_arena gc = gc_new();
1426  if (r6->flags & RT_DEFINED)
1427  {
1428  struct buffer name1 = alloc_buf_gc( 256, &gc );
1429  struct buffer val = alloc_buf_gc( 256, &gc );
1430  struct buffer name2 = alloc_buf_gc( 256, &gc );
1431 
1432  buf_printf( &name1, "route_ipv6_network_%d", i );
1433  buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ),
1434  r6->netbits );
1435  setenv_str( es, BSTR(&name1), BSTR(&val) );
1436 
1437  buf_printf( &name2, "route_ipv6_gateway_%d", i );
1438  setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc ));
1439  }
1440  gc_free(&gc);
1441 }
1442 void
1443 setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1444 {
1445  int i = 1;
1446  struct route_ipv6 *r6;
1447  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1448  {
1449  setenv_route_ipv6(es, r6, i++);
1450  }
1451 }
1452 
1453 /*
1454  * local_route() determines whether the gateway of a provided host
1455  * route is on the same interface that owns the default gateway.
1456  * It uses the data structure
1457  * returned by get_default_gateway() (struct route_gateway_info)
1458  * to determine this. If the route is local, LR_MATCH is returned.
1459  * When adding routes into the kernel, if LR_MATCH is defined for
1460  * a given route, the route should explicitly reference the default
1461  * gateway interface as the route destination. For example, here
1462  * is an example on Linux that uses LR_MATCH:
1463  *
1464  * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1465  *
1466  * This capability is needed by the "default-gateway block-local"
1467  * directive, to allow client access to the local subnet to be
1468  * blocked but still allow access to the local default gateway.
1469  */
1470 
1471 /* local_route() return values */
1472 #define LR_NOMATCH 0 /* route is not local */
1473 #define LR_MATCH 1 /* route is local */
1474 #define LR_ERROR 2 /* caller should abort adding route */
1475 
1476 static int
1478  in_addr_t netmask,
1480  const struct route_gateway_info *rgi)
1481 {
1482  /* set LR_MATCH on local host routes */
1483  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
1484  if (rgi
1485  && (rgi->flags & rgi_needed) == rgi_needed
1486  && gateway == rgi->gateway.addr
1487  && netmask == 0xFFFFFFFF)
1488  {
1489  if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1490  {
1491  return LR_MATCH;
1492  }
1493  else
1494  {
1495  /* examine additional subnets on gateway interface */
1496  size_t i;
1497  for (i = 0; i < rgi->n_addrs; ++i)
1498  {
1499  const struct route_gateway_address *gwa = &rgi->addrs[i];
1500  if (((network ^ gwa->addr) & gwa->netmask) == 0)
1501  {
1502  return LR_MATCH;
1503  }
1504  }
1505  }
1506  }
1507  return LR_NOMATCH;
1508 }
1509 
1510 /* Return true if the "on-link" form of the route should be used. This is when the gateway for a
1511  * a route is specified as an interface rather than an address. */
1512 static inline bool
1513 is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1514 {
1515  return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1516 }
1517 
1518 void
1520  const struct tuntap *tt,
1521  unsigned int flags,
1522  const struct route_gateway_info *rgi, /* may be NULL */
1523  const struct env_set *es)
1524 {
1525  struct gc_arena gc;
1526  struct argv argv = argv_new();
1527  const char *network;
1528 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
1529  const char *netmask;
1530 #endif
1531  const char *gateway;
1532  bool status = false;
1533  int is_local_route;
1534 
1535  if (!(r->flags & RT_DEFINED))
1536  {
1537  return;
1538  }
1539 
1540  gc_init(&gc);
1541 
1542  network = print_in_addr_t(r->network, 0, &gc);
1543 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
1544  netmask = print_in_addr_t(r->netmask, 0, &gc);
1545 #endif
1546  gateway = print_in_addr_t(r->gateway, 0, &gc);
1547 
1548  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1549  if (is_local_route == LR_ERROR)
1550  {
1551  goto done;
1552  }
1553 
1554 #if defined(TARGET_LINUX)
1555 #ifdef ENABLE_IPROUTE
1556  argv_printf(&argv, "%s route add %s/%d",
1557  iproute_path,
1558  network,
1560 
1561  if (r->flags & RT_METRIC_DEFINED)
1562  {
1563  argv_printf_cat(&argv, "metric %d", r->metric);
1564  }
1565 
1566  if (is_on_link(is_local_route, flags, rgi))
1567  {
1568  argv_printf_cat(&argv, "dev %s", rgi->iface);
1569  }
1570  else
1571  {
1572  argv_printf_cat(&argv, "via %s", gateway);
1573  }
1574 #else /* ifdef ENABLE_IPROUTE */
1575  argv_printf(&argv, "%s add -net %s netmask %s",
1576  ROUTE_PATH,
1577  network,
1578  netmask);
1579  if (r->flags & RT_METRIC_DEFINED)
1580  {
1581  argv_printf_cat(&argv, "metric %d", r->metric);
1582  }
1583  if (is_on_link(is_local_route, flags, rgi))
1584  {
1585  argv_printf_cat(&argv, "dev %s", rgi->iface);
1586  }
1587  else
1588  {
1589  argv_printf_cat(&argv, "gw %s", gateway);
1590  }
1591 
1592 #endif /*ENABLE_IPROUTE*/
1593  argv_msg(D_ROUTE, &argv);
1594  status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route add command failed");
1595 
1596 #elif defined (TARGET_ANDROID)
1597  char out[128];
1598 
1599  if (rgi)
1600  {
1601  openvpn_snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1602  }
1603  else
1604  {
1605  openvpn_snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1606  }
1607  management_android_control(management, "ROUTE", out);
1608 
1609 #elif defined (_WIN32)
1610  {
1611  DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1612  argv_printf(&argv, "%s%sc ADD %s MASK %s %s",
1613  get_win_sys_path(),
1615  network,
1616  netmask,
1617  gateway);
1618  if (r->flags & RT_METRIC_DEFINED)
1619  {
1620  argv_printf_cat(&argv, "METRIC %d", r->metric);
1621  }
1622  if (is_on_link(is_local_route, flags, rgi))
1623  {
1624  ai = rgi->adapter_index;
1625  argv_printf_cat(&argv, "IF %lu", ai);
1626  }
1627 
1628  argv_msg(D_ROUTE, &argv);
1629 
1630  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1631  {
1632  status = add_route_service(r, tt);
1633  msg(D_ROUTE, "Route addition via service %s", status ? "succeeded" : "failed");
1634  }
1635  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1636  {
1637  status = add_route_ipapi(r, tt, ai);
1638  msg(D_ROUTE, "Route addition via IPAPI %s", status ? "succeeded" : "failed");
1639  }
1640  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1641  {
1643  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1645  }
1646  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1647  {
1648  status = add_route_ipapi(r, tt, ai);
1649  msg(D_ROUTE, "Route addition via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
1650  if (!status)
1651  {
1652  msg(D_ROUTE, "Route addition fallback to route.exe");
1654  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1656  }
1657  }
1658  else
1659  {
1660  ASSERT(0);
1661  }
1662  }
1663 
1664 #elif defined (TARGET_SOLARIS)
1665 
1666  /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1667 
1668  argv_printf(&argv, "%s add",
1669  ROUTE_PATH);
1670 
1671  argv_printf_cat(&argv, "%s -netmask %s %s",
1672  network,
1673  netmask,
1674  gateway);
1675 
1676  /* Solaris can only distinguish between "metric 0" == "on-link on the
1677  * interface where the IP address given is configured" and "metric > 0"
1678  * == "use gateway specified" (no finer-grained route metrics available)
1679  *
1680  * More recent versions of Solaris can also do "-interface", but that
1681  * would break backwards compatibility with older versions for no gain.
1682  */
1683  if (r->flags & RT_METRIC_DEFINED)
1684  {
1685  argv_printf_cat(&argv, "%d", r->metric);
1686  }
1687 
1688  argv_msg(D_ROUTE, &argv);
1689  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1690 
1691 #elif defined(TARGET_FREEBSD)
1692 
1693  argv_printf(&argv, "%s add",
1694  ROUTE_PATH);
1695 
1696 #if 0
1697  if (r->flags & RT_METRIC_DEFINED)
1698  {
1699  argv_printf_cat(&argv, "-rtt %d", r->metric);
1700  }
1701 #endif
1702 
1703  argv_printf_cat(&argv, "-net %s %s %s",
1704  network,
1705  gateway,
1706  netmask);
1707 
1708  /* FIXME -- add on-link support for FreeBSD */
1709 
1710  argv_msg(D_ROUTE, &argv);
1711  status = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1712 
1713 #elif defined(TARGET_DRAGONFLY)
1714 
1715  argv_printf(&argv, "%s add",
1716  ROUTE_PATH);
1717 
1718 #if 0
1719  if (r->flags & RT_METRIC_DEFINED)
1720  {
1721  argv_printf_cat(&argv, "-rtt %d", r->metric);
1722  }
1723 #endif
1724 
1725  argv_printf_cat(&argv, "-net %s %s %s",
1726  network,
1727  gateway,
1728  netmask);
1729 
1730  /* FIXME -- add on-link support for Dragonfly */
1731 
1732  argv_msg(D_ROUTE, &argv);
1733  status = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1734 
1735 #elif defined(TARGET_DARWIN)
1736 
1737  argv_printf(&argv, "%s add",
1738  ROUTE_PATH);
1739 
1740 #if 0
1741  if (r->flags & RT_METRIC_DEFINED)
1742  {
1743  argv_printf_cat(&argv, "-rtt %d", r->metric);
1744  }
1745 #endif
1746 
1747  if (is_on_link(is_local_route, flags, rgi))
1748  {
1749  /* Mac OS X route syntax for ON_LINK:
1750  * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1751  argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s",
1752  network,
1753  netmask,
1754  rgi->iface);
1755  }
1756  else
1757  {
1758  argv_printf_cat(&argv, "-net %s %s %s",
1759  network,
1760  gateway,
1761  netmask);
1762  }
1763 
1764  argv_msg(D_ROUTE, &argv);
1765  status = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1766 
1767 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1768 
1769  argv_printf(&argv, "%s add",
1770  ROUTE_PATH);
1771 
1772 #if 0
1773  if (r->flags & RT_METRIC_DEFINED)
1774  {
1775  argv_printf_cat(&argv, "-rtt %d", r->metric);
1776  }
1777 #endif
1778 
1779  argv_printf_cat(&argv, "-net %s %s -netmask %s",
1780  network,
1781  gateway,
1782  netmask);
1783 
1784  /* FIXME -- add on-link support for OpenBSD/NetBSD */
1785 
1786  argv_msg(D_ROUTE, &argv);
1787  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1788 
1789 #elif defined(TARGET_AIX)
1790 
1791  {
1792  int netbits = netmask_to_netbits2(r->netmask);
1793  argv_printf(&argv, "%s add -net %s/%d %s",
1794  ROUTE_PATH,
1795  network, netbits, gateway);
1796  argv_msg(D_ROUTE, &argv);
1797  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1798  }
1799 
1800 #else /* if defined(TARGET_LINUX) */
1801  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1802 #endif /* if defined(TARGET_LINUX) */
1803 
1804 done:
1805  if (status)
1806  {
1807  r->flags |= RT_ADDED;
1808  }
1809  else
1810  {
1811  r->flags &= ~RT_ADDED;
1812  }
1813  argv_reset(&argv);
1814  gc_free(&gc);
1815 }
1816 
1817 
1818 void
1820 {
1821  /* clear host bit parts of route
1822  * (needed if routes are specified improperly, or if we need to
1823  * explicitly setup/clear the "connected" network routes on some OSes)
1824  */
1825  int byte = 15;
1826  int bits_to_clear = 128 - r6->netbits;
1827 
1828  while (byte >= 0 && bits_to_clear > 0)
1829  {
1830  if (bits_to_clear >= 8)
1831  {
1832  r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8;
1833  }
1834  else
1835  {
1836  r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0;
1837  }
1838  }
1839 }
1840 
1841 void
1842 add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
1843 {
1844  struct gc_arena gc;
1845  struct argv argv = argv_new();
1846 
1847  const char *network;
1848  const char *gateway;
1849  bool status = false;
1850  const char *device = tt->actual_name;
1851 
1852  bool gateway_needed = false;
1853 
1854  if (!(r6->flags & RT_DEFINED) )
1855  {
1856  return;
1857  }
1858 
1859 #ifndef _WIN32
1860  if (r6->iface != NULL) /* vpn server special route */
1861  {
1862  device = r6->iface;
1863  if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
1864  {
1865  gateway_needed = true;
1866  }
1867  }
1868 #endif
1869 
1870  gc_init(&gc);
1871 
1873 
1874  network = print_in6_addr( r6->network, 0, &gc);
1875  gateway = print_in6_addr( r6->gateway, 0, &gc);
1876 
1877 #if defined(TARGET_DARWIN) \
1878  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1879  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1880 
1881  /* the BSD platforms cannot specify gateway and interface independently,
1882  * but for link-local destinations, we MUST specify the interface, so
1883  * we build a combined "$gateway%$interface" gateway string
1884  */
1885  if (r6->iface != NULL && gateway_needed
1886  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
1887  {
1888  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
1889  char *tmp = gc_malloc( len, true, &gc );
1890  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
1891  gateway = tmp;
1892  }
1893 #endif
1894 
1895  msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1896  network, r6->netbits, gateway, r6->metric, device );
1897 
1898  /*
1899  * Filter out routes which are essentially no-ops
1900  * (not currently done for IPv6)
1901  */
1902 
1903  /* On "tun" interface, we never set a gateway if the operating system
1904  * can do "route to interface" - it does not add value, as the target
1905  * dev already fully qualifies the route destination on point-to-point
1906  * interfaces. OTOH, on "tap" interface, we must always set the
1907  * gateway unless the route is to be an on-link network
1908  */
1909  if (tt->type == DEV_TYPE_TAP
1910  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
1911  {
1912  gateway_needed = true;
1913  }
1914 
1915  if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1916  {
1917  msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1918  "parameter for a --route-ipv6 option and no default was set via "
1919  "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1920  "IPv6 route to %s/%d.", network, r6->netbits);
1921  status = false;
1922  goto done;
1923  }
1924 
1925 #if defined(TARGET_LINUX)
1926 #ifdef ENABLE_IPROUTE
1927  argv_printf(&argv, "%s -6 route add %s/%d dev %s",
1928  iproute_path,
1929  network,
1930  r6->netbits,
1931  device);
1932  if (gateway_needed)
1933  {
1934  argv_printf_cat(&argv, "via %s", gateway);
1935  }
1936  if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0)
1937  {
1938  argv_printf_cat(&argv, " metric %d", r6->metric);
1939  }
1940 
1941 #else /* ifdef ENABLE_IPROUTE */
1942  argv_printf(&argv, "%s -A inet6 add %s/%d dev %s",
1943  ROUTE_PATH,
1944  network,
1945  r6->netbits,
1946  device);
1947  if (gateway_needed)
1948  {
1949  argv_printf_cat(&argv, "gw %s", gateway);
1950  }
1951  if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0)
1952  {
1953  argv_printf_cat(&argv, " metric %d", r6->metric);
1954  }
1955 #endif /*ENABLE_IPROUTE*/
1956  argv_msg(D_ROUTE, &argv);
1957  status = openvpn_execve_check(&argv, es, 0, "ERROR: Linux route -6/-A inet6 add command failed");
1958 
1959 #elif defined (TARGET_ANDROID)
1960  char out[64];
1961 
1962  openvpn_snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1963 
1964  management_android_control(management, "ROUTE6", out);
1965 
1966 #elif defined (_WIN32)
1967 
1968  if (tt->options.msg_channel)
1969  {
1970  status = add_route_ipv6_service(r6, tt);
1971  }
1972  else
1973  {
1974  struct buffer out = alloc_buf_gc(64, &gc);
1975  if (r6->adapter_index) /* vpn server special route */
1976  {
1977  buf_printf(&out, "interface=%lu", r6->adapter_index );
1978  gateway_needed = true;
1979  }
1980  else
1981  {
1982  buf_printf(&out, "interface=%lu", tt->adapter_index );
1983  }
1984  device = buf_bptr(&out);
1985 
1986  /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */
1987  argv_printf(&argv, "%s%sc interface ipv6 add route %s/%d %s",
1988  get_win_sys_path(),
1990  network,
1991  r6->netbits,
1992  device);
1993 
1994  /* next-hop depends on TUN or TAP mode:
1995  * - in TAP mode, we use the "real" next-hop
1996  * - in TUN mode we use a special-case link-local address that the tapdrvr
1997  * knows about and will answer ND (neighbor discovery) packets for
1998  */
1999  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2000  {
2001  argv_printf_cat( &argv, " %s", "fe80::8" );
2002  }
2003  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2004  {
2005  argv_printf_cat( &argv, " %s", gateway );
2006  }
2007 
2008 #if 0
2009  if (r6->flags & RT_METRIC_DEFINED)
2010  {
2011  argv_printf_cat(&argv, " METRIC %d", r->metric);
2012  }
2013 #endif
2014 
2015  /* in some versions of Windows, routes are persistent across reboots by
2016  * default, unless "store=active" is set (pointed out by Tony Lim, thanks)
2017  */
2018  argv_printf_cat( &argv, " store=active" );
2019 
2020  argv_msg(D_ROUTE, &argv);
2021 
2023  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add ipv6 command failed");
2025  }
2026 
2027 #elif defined (TARGET_SOLARIS)
2028 
2029  /* example: route add -inet6 2001:db8::/32 somegateway 0 */
2030 
2031  /* for some reason, routes to tun/tap do not work for me unless I set
2032  * "metric 0" - otherwise, the routes will be nicely installed, but
2033  * packets will just disappear somewhere. So we always use "0" now,
2034  * unless the route points to "gateway on other interface"...
2035  *
2036  * (Note: OpenSolaris can not specify host%interface gateways, so we just
2037  * use the GW addresses - it seems to still work for fe80:: addresses,
2038  * however this is done internally. NUD maybe?)
2039  */
2040  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2041  ROUTE_PATH,
2042  network,
2043  r6->netbits,
2044  gateway );
2045 
2046  /* on tun/tap, not "elsewhere"? -> metric 0 */
2047  if (!r6->iface)
2048  {
2049  argv_printf_cat(&argv, "0");
2050  }
2051 
2052  argv_msg(D_ROUTE, &argv);
2053  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
2054 
2055 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2056 
2057  argv_printf(&argv, "%s add -inet6 %s/%d",
2058  ROUTE_PATH,
2059  network,
2060  r6->netbits);
2061 
2062  if (gateway_needed)
2063  {
2064  argv_printf_cat(&argv, "%s", gateway);
2065  }
2066  else
2067  {
2068  argv_printf_cat(&argv, "-iface %s", device);
2069  }
2070 
2071  argv_msg(D_ROUTE, &argv);
2072  status = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
2073 
2074 #elif defined(TARGET_DARWIN)
2075 
2076  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d",
2077  ROUTE_PATH,
2078  network, r6->netbits );
2079 
2080  if (gateway_needed)
2081  {
2082  argv_printf_cat(&argv, "%s", gateway);
2083  }
2084  else
2085  {
2086  argv_printf_cat(&argv, "-iface %s", device);
2087  }
2088 
2089  argv_msg(D_ROUTE, &argv);
2090  status = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
2091 
2092 #elif defined(TARGET_OPENBSD)
2093 
2094  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s",
2095  ROUTE_PATH,
2096  network, r6->netbits, gateway );
2097 
2098  argv_msg(D_ROUTE, &argv);
2099  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
2100 
2101 #elif defined(TARGET_NETBSD)
2102 
2103  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2104  ROUTE_PATH,
2105  network, r6->netbits, gateway );
2106 
2107  argv_msg(D_ROUTE, &argv);
2108  status = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
2109 
2110 #elif defined(TARGET_AIX)
2111 
2112  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2113  ROUTE_PATH,
2114  network, r6->netbits, gateway);
2115  argv_msg(D_ROUTE, &argv);
2116  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2117 
2118 #else /* if defined(TARGET_LINUX) */
2119  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2120 #endif /* if defined(TARGET_LINUX) */
2121 
2122 done:
2123  if (status)
2124  {
2125  r6->flags |= RT_ADDED;
2126  }
2127  else
2128  {
2129  r6->flags &= ~RT_ADDED;
2130  }
2131  argv_reset(&argv);
2132  gc_free(&gc);
2133 }
2134 
2135 static void
2137  const struct tuntap *tt,
2138  unsigned int flags,
2139  const struct route_gateway_info *rgi,
2140  const struct env_set *es)
2141 {
2142  struct gc_arena gc;
2143  struct argv argv = argv_new();
2144  const char *network;
2145 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
2146  const char *netmask;
2147 #endif
2148 #if !defined(TARGET_LINUX) && !defined(TARGET_ANDROID)
2149  const char *gateway;
2150 #endif
2151  int is_local_route;
2152 
2153  if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2154  {
2155  return;
2156  }
2157 
2158  gc_init(&gc);
2159 
2160  network = print_in_addr_t(r->network, 0, &gc);
2161 #if !defined(ENABLE_IPROUTE) && !defined(TARGET_AIX)
2162  netmask = print_in_addr_t(r->netmask, 0, &gc);
2163 #endif
2164 #if !defined(TARGET_LINUX) && !defined(TARGET_ANDROID)
2165  gateway = print_in_addr_t(r->gateway, 0, &gc);
2166 #endif
2167 
2168  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2169  if (is_local_route == LR_ERROR)
2170  {
2171  goto done;
2172  }
2173 
2174 #if defined(TARGET_LINUX)
2175 #ifdef ENABLE_IPROUTE
2176  argv_printf(&argv, "%s route del %s/%d",
2177  iproute_path,
2178  network,
2180 #else
2181  argv_printf(&argv, "%s del -net %s netmask %s",
2182  ROUTE_PATH,
2183  network,
2184  netmask);
2185 #endif /*ENABLE_IPROUTE*/
2186  if (r->flags & RT_METRIC_DEFINED)
2187  {
2188  argv_printf_cat(&argv, "metric %d", r->metric);
2189  }
2190  argv_msg(D_ROUTE, &argv);
2191  openvpn_execve_check(&argv, es, 0, "ERROR: Linux route delete command failed");
2192 
2193 #elif defined (_WIN32)
2194 
2195  argv_printf(&argv, "%s%sc DELETE %s MASK %s %s",
2196  get_win_sys_path(),
2198  network,
2199  netmask,
2200  gateway);
2201 
2202  argv_msg(D_ROUTE, &argv);
2203 
2204  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2205  {
2206  const bool status = del_route_service(r, tt);
2207  msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2208  }
2209  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2210  {
2211  const bool status = del_route_ipapi(r, tt);
2212  msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2213  }
2214  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2215  {
2217  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2219  }
2220  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2221  {
2222  const bool status = del_route_ipapi(r, tt);
2223  msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2224  if (!status)
2225  {
2226  msg(D_ROUTE, "Route deletion fallback to route.exe");
2228  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]");
2230  }
2231  }
2232  else
2233  {
2234  ASSERT(0);
2235  }
2236 
2237 #elif defined (TARGET_SOLARIS)
2238 
2239  argv_printf(&argv, "%s delete %s -netmask %s %s",
2240  ROUTE_PATH,
2241  network,
2242  netmask,
2243  gateway);
2244 
2245  argv_msg(D_ROUTE, &argv);
2246  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2247 
2248 #elif defined(TARGET_FREEBSD)
2249 
2250  argv_printf(&argv, "%s delete -net %s %s %s",
2251  ROUTE_PATH,
2252  network,
2253  gateway,
2254  netmask);
2255 
2256  argv_msg(D_ROUTE, &argv);
2257  openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2258 
2259 #elif defined(TARGET_DRAGONFLY)
2260 
2261  argv_printf(&argv, "%s delete -net %s %s %s",
2262  ROUTE_PATH,
2263  network,
2264  gateway,
2265  netmask);
2266 
2267  argv_msg(D_ROUTE, &argv);
2268  openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2269 
2270 #elif defined(TARGET_DARWIN)
2271 
2272  if (is_on_link(is_local_route, flags, rgi))
2273  {
2274  argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s",
2275  ROUTE_PATH,
2276  network,
2277  netmask,
2278  rgi->iface);
2279  }
2280  else
2281  {
2282  argv_printf(&argv, "%s delete -net %s %s %s",
2283  ROUTE_PATH,
2284  network,
2285  gateway,
2286  netmask);
2287  }
2288 
2289  argv_msg(D_ROUTE, &argv);
2290  openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2291 
2292 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2293 
2294  argv_printf(&argv, "%s delete -net %s %s -netmask %s",
2295  ROUTE_PATH,
2296  network,
2297  gateway,
2298  netmask);
2299 
2300  argv_msg(D_ROUTE, &argv);
2301  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2302 
2303 #elif defined(TARGET_ANDROID)
2304  msg(M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.");
2305 
2306 #elif defined(TARGET_AIX)
2307 
2308  {
2309  int netbits = netmask_to_netbits2(r->netmask);
2310  argv_printf(&argv, "%s delete -net %s/%d %s",
2311  ROUTE_PATH,
2312  network, netbits, gateway);
2313  argv_msg(D_ROUTE, &argv);
2314  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2315  }
2316 
2317 #else /* if defined(TARGET_LINUX) */
2318  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2319 #endif /* if defined(TARGET_LINUX) */
2320 
2321 done:
2322  r->flags &= ~RT_ADDED;
2323  argv_reset(&argv);
2324  gc_free(&gc);
2325 }
2326 
2327 void
2328 delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
2329 {
2330  struct gc_arena gc;
2331  struct argv argv = argv_new();
2332  const char *network;
2333  const char *gateway;
2334  const char *device = tt->actual_name;
2335  bool gateway_needed = false;
2336 
2337  if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2338  {
2339  return;
2340  }
2341 
2342 #ifndef _WIN32
2343  if (r6->iface != NULL) /* vpn server special route */
2344  {
2345  device = r6->iface;
2346  gateway_needed = true;
2347  }
2348 #endif
2349 
2350  gc_init(&gc);
2351 
2352  network = print_in6_addr( r6->network, 0, &gc);
2353  gateway = print_in6_addr( r6->gateway, 0, &gc);
2354 
2355 #if defined(TARGET_DARWIN) \
2356  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2357  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2358 
2359  /* the BSD platforms cannot specify gateway and interface independently,
2360  * but for link-local destinations, we MUST specify the interface, so
2361  * we build a combined "$gateway%$interface" gateway string
2362  */
2363  if (r6->iface != NULL && gateway_needed
2364  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
2365  {
2366  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
2367  char *tmp = gc_malloc( len, true, &gc );
2368  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
2369  gateway = tmp;
2370  }
2371 #endif
2372 
2373  msg( M_INFO, "delete_route_ipv6(%s/%d)", network, r6->netbits );
2374 
2375  /* if we used a gateway on "add route", we also need to specify it on
2376  * delete, otherwise some OSes will refuse to delete the route
2377  */
2378  if (tt->type == DEV_TYPE_TAP
2379  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
2380  {
2381  gateway_needed = true;
2382  }
2383 
2384 
2385 #if defined(TARGET_LINUX)
2386 #ifdef ENABLE_IPROUTE
2387  argv_printf(&argv, "%s -6 route del %s/%d dev %s",
2388  iproute_path,
2389  network,
2390  r6->netbits,
2391  device);
2392  if (gateway_needed)
2393  {
2394  argv_printf_cat(&argv, "via %s", gateway);
2395  }
2396 #else /* ifdef ENABLE_IPROUTE */
2397  argv_printf(&argv, "%s -A inet6 del %s/%d dev %s",
2398  ROUTE_PATH,
2399  network,
2400  r6->netbits,
2401  device);
2402  if (gateway_needed)
2403  {
2404  argv_printf_cat(&argv, "gw %s", gateway);
2405  }
2406  if ( (r6->flags & RT_METRIC_DEFINED) && r6->metric > 0)
2407  {
2408  argv_printf_cat(&argv, " metric %d", r6->metric);
2409  }
2410 #endif /*ENABLE_IPROUTE*/
2411  argv_msg(D_ROUTE, &argv);
2412  openvpn_execve_check(&argv, es, 0, "ERROR: Linux route -6/-A inet6 del command failed");
2413 
2414 #elif defined (_WIN32)
2415 
2416  if (tt->options.msg_channel)
2417  {
2418  del_route_ipv6_service(r6, tt);
2419  }
2420  else
2421  {
2422  struct buffer out = alloc_buf_gc(64, &gc);
2423  if (r6->adapter_index) /* vpn server special route */
2424  {
2425  buf_printf(&out, "interface=%lu", r6->adapter_index );
2426  gateway_needed = true;
2427  }
2428  else
2429  {
2430  buf_printf(&out, "interface=%lu", tt->adapter_index );
2431  }
2432  device = buf_bptr(&out);
2433 
2434  /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */
2435  argv_printf(&argv, "%s%sc interface ipv6 delete route %s/%d %s",
2436  get_win_sys_path(),
2438  network,
2439  r6->netbits,
2440  device);
2441 
2442  /* next-hop depends on TUN or TAP mode:
2443  * - in TAP mode, we use the "real" next-hop
2444  * - in TUN mode we use a special-case link-local address that the tapdrvr
2445  * knows about and will answer ND (neighbor discovery) packets for
2446  * (and "route deletion without specifying next-hop" does not work...)
2447  */
2448  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2449  {
2450  argv_printf_cat( &argv, " %s", "fe80::8" );
2451  }
2452  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2453  {
2454  argv_printf_cat( &argv, " %s", gateway );
2455  }
2456 
2457 #if 0
2458  if (r6->flags & RT_METRIC_DEFINED)
2459  {
2460  argv_printf_cat(&argv, "METRIC %d", r->metric);
2461  }
2462 #endif
2463 
2464  /* Windows XP to 7 "just delete" routes, wherever they came from, but
2465  * in Windows 8(.1?), if you create them with "store=active", this is
2466  * how you should delete them as well (pointed out by Cedric Tabary)
2467  */
2468  argv_printf_cat( &argv, " store=active" );
2469 
2470  argv_msg(D_ROUTE, &argv);
2471 
2473  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete ipv6 command failed");
2475  }
2476 
2477 #elif defined (TARGET_SOLARIS)
2478 
2479  /* example: route delete -inet6 2001:db8::/32 somegateway */
2480 
2481  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2482  ROUTE_PATH,
2483  network,
2484  r6->netbits,
2485  gateway );
2486 
2487  argv_msg(D_ROUTE, &argv);
2488  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2489 
2490 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2491 
2492  argv_printf(&argv, "%s delete -inet6 %s/%d",
2493  ROUTE_PATH,
2494  network,
2495  r6->netbits );
2496 
2497  if (gateway_needed)
2498  {
2499  argv_printf_cat(&argv, "%s", gateway);
2500  }
2501  else
2502  {
2503  argv_printf_cat(&argv, "-iface %s", device);
2504  }
2505 
2506  argv_msg(D_ROUTE, &argv);
2507  openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2508 
2509 #elif defined(TARGET_DARWIN)
2510 
2511  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d",
2512  ROUTE_PATH,
2513  network, r6->netbits );
2514 
2515  if (gateway_needed)
2516  {
2517  argv_printf_cat(&argv, "%s", gateway);
2518  }
2519  else
2520  {
2521  argv_printf_cat(&argv, "-iface %s", device);
2522  }
2523 
2524  argv_msg(D_ROUTE, &argv);
2525  openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2526 
2527 #elif defined(TARGET_OPENBSD)
2528 
2529  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s",
2530  ROUTE_PATH,
2531  network, r6->netbits, gateway );
2532 
2533  argv_msg(D_ROUTE, &argv);
2534  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2535 
2536 #elif defined(TARGET_NETBSD)
2537 
2538  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2539  ROUTE_PATH,
2540  network, r6->netbits, gateway );
2541 
2542  argv_msg(D_ROUTE, &argv);
2543  openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2544 
2545 #elif defined(TARGET_AIX)
2546 
2547  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2548  ROUTE_PATH,
2549  network, r6->netbits, gateway);
2550  argv_msg(D_ROUTE, &argv);
2551  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2552 
2553 #else /* if defined(TARGET_LINUX) */
2554  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2555 #endif /* if defined(TARGET_LINUX) */
2556 
2557  argv_reset(&argv);
2558  gc_free(&gc);
2559 }
2560 
2561 /*
2562  * The --redirect-gateway option requires OS-specific code below
2563  * to get the current default gateway.
2564  */
2565 
2566 #if defined(_WIN32)
2567 
2568 static const MIB_IPFORWARDTABLE *
2570 {
2571  ULONG size = 0;
2572  PMIB_IPFORWARDTABLE rt = NULL;
2573  DWORD status;
2574 
2575  status = GetIpForwardTable(NULL, &size, TRUE);
2576  if (status == ERROR_INSUFFICIENT_BUFFER)
2577  {
2578  rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc);
2579  status = GetIpForwardTable(rt, &size, TRUE);
2580  if (status != NO_ERROR)
2581  {
2582  msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2583  strerror_win32(status, gc),
2584  (unsigned int)status);
2585  rt = NULL;
2586  }
2587  }
2588  return rt;
2589 }
2590 
2591 static int
2592 test_route(const IP_ADAPTER_INFO *adapters,
2593  const in_addr_t gateway,
2594  DWORD *index)
2595 {
2596  int count = 0;
2597  DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2598  if (index)
2599  {
2600  *index = i;
2601  }
2602  return count;
2603 }
2604 
2605 static void
2607  int *count,
2608  int *good,
2609  int *ambig,
2610  const IP_ADAPTER_INFO *adapters,
2611  const in_addr_t gateway)
2612 {
2613  int c;
2614 
2615  ++*count;
2616  c = test_route(adapters, gateway, NULL);
2617  if (c == 0)
2618  {
2619  *ret = false;
2620  }
2621  else
2622  {
2623  ++*good;
2624  }
2625  if (c > 1)
2626  {
2627  ++*ambig;
2628  }
2629 }
2630 
2631 /*
2632  * If we tried to add routes now, would we succeed?
2633  */
2634 bool
2635 test_routes(const struct route_list *rl, const struct tuntap *tt)
2636 {
2637  struct gc_arena gc = gc_new();
2638  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2639  bool ret = false;
2640  int count = 0;
2641  int good = 0;
2642  int ambig = 0;
2643  int len = -1;
2644  bool adapter_up = false;
2645 
2646  if (is_adapter_up(tt, adapters))
2647  {
2648  ret = true;
2649  adapter_up = true;
2650 
2651  /* we do this test only if we have IPv4 routes to install, and if
2652  * the tun/tap interface has seen IPv4 ifconfig - because if we
2653  * have no IPv4, the check will always fail, failing tun init
2654  */
2655  if (rl && tt->did_ifconfig_setup)
2656  {
2657  struct route_ipv4 *r;
2658  for (r = rl->routes, len = 0; r; r = r->next, ++len)
2659  {
2660  test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2661  }
2662 
2663  if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2664  {
2665  test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2666  }
2667  }
2668  }
2669 
2670  msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2671  good,
2672  count,
2673  len,
2674  (int)ret,
2675  ambig,
2676  adapter_up ? "up" : "down");
2677 
2678  gc_free(&gc);
2679  return ret;
2680 }
2681 
2682 static const MIB_IPFORWARDROW *
2683 get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2684 {
2685  struct gc_arena gc = gc_new();
2686  DWORD lowest_metric = MAXDWORD;
2687  const MIB_IPFORWARDROW *ret = NULL;
2688  int i;
2689  int best = -1;
2690 
2691  if (routes)
2692  {
2693  for (i = 0; i < routes->dwNumEntries; ++i)
2694  {
2695  const MIB_IPFORWARDROW *row = &routes->table[i];
2696  const in_addr_t net = ntohl(row->dwForwardDest);
2697  const in_addr_t mask = ntohl(row->dwForwardMask);
2698  const DWORD index = row->dwForwardIfIndex;
2699  const DWORD metric = row->dwForwardMetric1;
2700 
2701  dmsg(D_ROUTE_DEBUG, "GDGR: route[%d] %s/%s i=%d m=%d",
2702  i,
2703  print_in_addr_t((in_addr_t) net, 0, &gc),
2704  print_in_addr_t((in_addr_t) mask, 0, &gc),
2705  (int)index,
2706  (int)metric);
2707 
2708  if (!net && !mask && metric < lowest_metric)
2709  {
2710  ret = row;
2711  lowest_metric = metric;
2712  best = i;
2713  }
2714  }
2715  }
2716 
2717  dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2718 
2719  gc_free(&gc);
2720  return ret;
2721 }
2722 
2723 void
2725 {
2726  struct gc_arena gc = gc_new();
2727 
2728  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2729  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
2730  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
2731  DWORD a_index;
2732  const IP_ADAPTER_INFO *ai;
2733 
2734  CLEAR(*rgi);
2735 
2736  if (row)
2737  {
2738  rgi->gateway.addr = ntohl(row->dwForwardNextHop);
2739  if (rgi->gateway.addr)
2740  {
2741  rgi->flags |= RGI_ADDR_DEFINED;
2742  a_index = adapter_index_of_ip(adapters, rgi->gateway.addr, NULL, &rgi->gateway.netmask);
2743  if (a_index != TUN_ADAPTER_INDEX_INVALID)
2744  {
2745  rgi->adapter_index = a_index;
2747  ai = get_adapter(adapters, a_index);
2748  if (ai)
2749  {
2750  memcpy(rgi->hwaddr, ai->Address, 6);
2751  rgi->flags |= RGI_HWADDR_DEFINED;
2752  }
2753  }
2754  }
2755  }
2756 
2757  gc_free(&gc);
2758 }
2759 
2760 static DWORD
2761 windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2762 {
2763  struct gc_arena gc = gc_new();
2764  DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2765  int count = 0;
2766  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2767  const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2768  bool on_tun = false;
2769 
2770  /* first test on tun interface */
2771  if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2772  {
2773  ret = tun_adapter->Index;
2774  count = 1;
2775  on_tun = true;
2776  }
2777  else /* test on other interfaces */
2778  {
2779  count = test_route(adapters, r->gateway, &ret);
2780  }
2781 
2782  if (count == 0)
2783  {
2784  msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2785  print_in_addr_t(r->gateway, 0, &gc));
2787  }
2788  else if (count > 1)
2789  {
2790  msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2791  print_in_addr_t(r->gateway, 0, &gc),
2792  count);
2793  }
2794 
2795  dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2796  on_tun,
2797  count,
2798  (int)ret);
2799 
2800  gc_free(&gc);
2801  return ret;
2802 }
2803 
2804 /* IPv6 implementation using GetBestRoute2()
2805  * (TBD: dynamic linking so the binary can still run on XP?)
2806  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2807  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2808  */
2809 void
2811  const struct in6_addr *dest)
2812 {
2813  struct gc_arena gc = gc_new();
2814  MIB_IPFORWARD_ROW2 BestRoute;
2815  SOCKADDR_INET DestinationAddress, BestSourceAddress;
2816  DWORD BestIfIndex;
2817  DWORD status;
2818  NET_LUID InterfaceLuid;
2819 
2820  CLEAR(*rgi6);
2821  CLEAR(InterfaceLuid); /* cleared = not used for lookup */
2822  CLEAR(DestinationAddress);
2823 
2824  DestinationAddress.si_family = AF_INET6;
2825  if (dest)
2826  {
2827  DestinationAddress.Ipv6.sin6_addr = *dest;
2828  }
2829 
2830  status = GetBestInterfaceEx( &DestinationAddress, &BestIfIndex );
2831 
2832  if (status != NO_ERROR)
2833  {
2834  msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2835  strerror_win32(status, &gc),
2836  (unsigned int)status);
2837  goto done;
2838  }
2839 
2840  msg( D_ROUTE, "GetBestInterfaceEx() returned if=%d", (int) BestIfIndex );
2841 
2842  status = GetBestRoute2( &InterfaceLuid, BestIfIndex, NULL,
2843  &DestinationAddress, 0,
2844  &BestRoute, &BestSourceAddress );
2845 
2846  if (status != NO_ERROR)
2847  {
2848  msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2849  strerror_win32(status, &gc),
2850  (unsigned int)status);
2851  goto done;
2852  }
2853 
2854  msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s",
2855  BestRoute.InterfaceIndex,
2856  print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2857  BestRoute.DestinationPrefix.PrefixLength,
2858  print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) );
2859  msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d",
2860  (int) BestRoute.Metric,
2861  (int) BestRoute.Loopback,
2862  (int) BestRoute.AutoconfigureAddress,
2863  (int) BestRoute.Immortal );
2864 
2865  rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2866  rgi6->adapter_index = BestRoute.InterfaceIndex;
2868 
2869  /* on-link is signalled by receiving an empty (::) NextHop */
2870  if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) )
2871  {
2872  rgi6->flags |= RGI_ON_LINK;
2873  }
2874 
2875 done:
2876  gc_free(&gc);
2877 }
2878 
2879 bool
2880 add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2881 {
2882  struct gc_arena gc = gc_new();
2883  bool ret = false;
2884  DWORD status;
2885  const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index;
2886 
2887  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2888  {
2889  MIB_IPFORWARDROW fr;
2890  CLEAR(fr);
2891  fr.dwForwardDest = htonl(r->network);
2892  fr.dwForwardMask = htonl(r->netmask);
2893  fr.dwForwardPolicy = 0;
2894  fr.dwForwardNextHop = htonl(r->gateway);
2895  fr.dwForwardIfIndex = if_index;
2896  fr.dwForwardType = 4; /* the next hop is not the final dest */
2897  fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2898  fr.dwForwardAge = 0;
2899  fr.dwForwardNextHopAS = 0;
2900  fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2901  fr.dwForwardMetric2 = METRIC_NOT_USED;
2902  fr.dwForwardMetric3 = METRIC_NOT_USED;
2903  fr.dwForwardMetric4 = METRIC_NOT_USED;
2904  fr.dwForwardMetric5 = METRIC_NOT_USED;
2905 
2906  if ((r->network & r->netmask) != r->network)
2907  {
2908  msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2909  print_in_addr_t(r->network, 0, &gc),
2910  print_in_addr_t(r->netmask, 0, &gc));
2911  }
2912 
2913  status = CreateIpForwardEntry(&fr);
2914 
2915  if (status == NO_ERROR)
2916  {
2917  ret = true;
2918  }
2919  else
2920  {
2921  /* failed, try increasing the metric to work around Vista issue */
2922  const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */
2923 
2924  for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2925  {
2926  /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2927  * --redirect-gateway over RRAS seems to need this. */
2928  for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2929  {
2930  status = CreateIpForwardEntry(&fr);
2931  if (status == NO_ERROR)
2932  {
2933  msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2934  (unsigned int)fr.dwForwardMetric1,
2935  (unsigned int)fr.dwForwardType);
2936  ret = true;
2937  goto doublebreak;
2938  }
2939  else if (status != ERROR_BAD_ARGUMENTS)
2940  {
2941  goto doublebreak;
2942  }
2943  }
2944  }
2945 
2946 doublebreak:
2947  if (status != NO_ERROR)
2948  {
2949  msg(M_WARN, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]",
2950  strerror_win32(status, &gc),
2951  (unsigned int)status,
2952  (unsigned int)if_index);
2953  }
2954  }
2955  }
2956 
2957  gc_free(&gc);
2958  return ret;
2959 }
2960 
2961 bool
2962 del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2963 {
2964  struct gc_arena gc = gc_new();
2965  bool ret = false;
2966  DWORD status;
2967  const DWORD if_index = windows_route_find_if_index(r, tt);
2968 
2969  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2970  {
2971  MIB_IPFORWARDROW fr;
2972  CLEAR(fr);
2973 
2974  fr.dwForwardDest = htonl(r->network);
2975  fr.dwForwardMask = htonl(r->netmask);
2976  fr.dwForwardPolicy = 0;
2977  fr.dwForwardNextHop = htonl(r->gateway);
2978  fr.dwForwardIfIndex = if_index;
2979 
2980  status = DeleteIpForwardEntry(&fr);
2981 
2982  if (status == NO_ERROR)
2983  {
2984  ret = true;
2985  }
2986  else
2987  {
2988  msg(M_WARN, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s",
2989  strerror_win32(status, &gc));
2990  }
2991  }
2992 
2993  gc_free(&gc);
2994  return ret;
2995 }
2996 
2997 static bool
2998 do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
2999 {
3000  bool ret = false;
3001  ack_message_t ack;
3002  struct gc_arena gc = gc_new();
3003 
3004  if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
3005  {
3006  goto out;
3007  }
3008 
3009  if (ack.error_number != NO_ERROR)
3010  {
3011  msg(M_WARN, "ROUTE: route %s failed using service: %s [status=%u if_index=%d]",
3012  (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
3013  ack.error_number, rt->iface.index);
3014  goto out;
3015  }
3016 
3017  ret = true;
3018 
3019 out:
3020  gc_free(&gc);
3021  return ret;
3022 }
3023 
3024 static bool
3025 do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
3026 {
3027  DWORD if_index = windows_route_find_if_index(r, tt);
3028  if (if_index == ~0)
3029  {
3030  return false;
3031  }
3032 
3033  route_message_t msg = {
3034  .header = {
3035  (add ? msg_add_route : msg_del_route),
3036  sizeof(route_message_t),
3037  0
3038  },
3039  .family = AF_INET,
3040  .prefix.ipv4.s_addr = htonl(r->network),
3041  .gateway.ipv4.s_addr = htonl(r->gateway),
3042  .iface = { .index = if_index, .name = "" },
3043  .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1)
3044  };
3045 
3047  if (msg.prefix_len == -1)
3048  {
3049  msg.prefix_len = 32;
3050  }
3051 
3052  return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3053 }
3054 
3055 static bool
3056 do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3057 {
3058  bool status;
3059  route_message_t msg = {
3060  .header = {
3061  (add ? msg_add_route : msg_del_route),
3062  sizeof(route_message_t),
3063  0
3064  },
3065  .family = AF_INET6,
3066  .prefix.ipv6 = r->network,
3067  .prefix_len = r->netbits,
3068  .gateway.ipv6 = r->gateway,
3069  .iface = { .index = tt->adapter_index, .name = "" },
3070  .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1)
3071  };
3072 
3073  if (r->adapter_index) /* vpn server special route */
3074  {
3075  msg.iface.index = r->adapter_index;
3076  }
3077 
3078  /* In TUN mode we use a special link-local address as the next hop.
3079  * The tapdrvr knows about it and will answer neighbor discovery packets.
3080  * (only do this for routes actually using the tun/tap device)
3081  */
3082  if (tt->type == DEV_TYPE_TUN
3083  && msg.iface.index == tt->adapter_index)
3084  {
3085  inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3086  }
3087 
3089  {
3090  strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3091  msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3092  }
3093 
3094  status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3095  msg(D_ROUTE, "IPv6 route %s via service %s",
3096  add ? "addition" : "deletion",
3097  status ? "succeeded" : "failed");
3098  return status;
3099 }
3100 
3101 static bool
3102 add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3103 {
3104  return do_route_ipv4_service(true, r, tt);
3105 }
3106 
3107 static bool
3108 del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3109 {
3110  return do_route_ipv4_service(false, r, tt);
3111 }
3112 
3113 static bool
3114 add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3115 {
3116  return do_route_ipv6_service(true, r, tt);
3117 }
3118 
3119 static bool
3120 del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3121 {
3122  return do_route_ipv6_service(false, r, tt);
3123 }
3124 
3125 static const char *
3126 format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3127 {
3128  struct buffer out = alloc_buf_gc(256, gc);
3129  buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3130  print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3131  print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3132  print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
3133  (int)r->dwForwardPolicy,
3134  (int)r->dwForwardIfIndex,
3135  (int)r->dwForwardType,
3136  (int)r->dwForwardProto,
3137  (int)r->dwForwardAge,
3138  (int)r->dwForwardNextHopAS,
3139  (int)r->dwForwardMetric1,
3140  (int)r->dwForwardMetric2,
3141  (int)r->dwForwardMetric3,
3142  (int)r->dwForwardMetric4,
3143  (int)r->dwForwardMetric5);
3144  return BSTR(&out);
3145 }
3146 
3147 /*
3148  * Show current routing table
3149  */
3150 void
3151 show_routes(int msglev)
3152 {
3153  struct gc_arena gc = gc_new();
3154  int i;
3155 
3156  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3157 
3158  msg(msglev, "SYSTEM ROUTING TABLE");
3159  if (rt)
3160  {
3161  for (i = 0; i < rt->dwNumEntries; ++i)
3162  {
3163  msg(msglev, "%s", format_route_entry(&rt->table[i], &gc));
3164  }
3165  }
3166  gc_free(&gc);
3167 }
3168 
3169 #elif defined(TARGET_LINUX) || defined(TARGET_ANDROID)
3170 
3171 void
3173 {
3174  struct gc_arena gc = gc_new();
3175  int sd = -1;
3176  char best_name[16];
3177  best_name[0] = 0;
3178 
3179  CLEAR(*rgi);
3180 
3181 #ifndef TARGET_ANDROID
3182  /* get default gateway IP addr */
3183  {
3184  FILE *fp = fopen("/proc/net/route", "r");
3185  if (fp)
3186  {
3187  char line[256];
3188  int count = 0;
3189  unsigned int lowest_metric = UINT_MAX;
3190  in_addr_t best_gw = 0;
3191  bool found = false;
3192  while (fgets(line, sizeof(line), fp) != NULL)
3193  {
3194  if (count)
3195  {
3196  unsigned int net_x = 0;
3197  unsigned int mask_x = 0;
3198  unsigned int gw_x = 0;
3199  unsigned int metric = 0;
3200  unsigned int flags = 0;
3201  char name[16];
3202  name[0] = 0;
3203  const int np = sscanf(line, "%15s\t%x\t%x\t%x\t%*s\t%*s\t%d\t%x",
3204  name,
3205  &net_x,
3206  &gw_x,
3207  &flags,
3208  &metric,
3209  &mask_x);
3210  if (np == 6 && (flags & IFF_UP))
3211  {
3212  const in_addr_t net = ntohl(net_x);
3213  const in_addr_t mask = ntohl(mask_x);
3214  const in_addr_t gw = ntohl(gw_x);
3215 
3216  if (!net && !mask && metric < lowest_metric)
3217  {
3218  found = true;
3219  best_gw = gw;
3220  strcpy(best_name, name);
3221  lowest_metric = metric;
3222  }
3223  }
3224  }
3225  ++count;
3226  }
3227  fclose(fp);
3228 
3229  if (found)
3230  {
3231  rgi->gateway.addr = best_gw;
3232  rgi->flags |= RGI_ADDR_DEFINED;
3233  if (!rgi->gateway.addr && best_name[0])
3234  {
3235  rgi->flags |= RGI_ON_LINK;
3236  }
3237  }
3238  }
3239  }
3240 #else /* ifndef TARGET_ANDROID */
3241  /* Android, set some pseudo GW, addr is in host byte order,
3242  * Determining the default GW on Android 5.0+ is non trivial
3243  * and serves almost no purpose since OpenVPN only uses the
3244  * default GW address to add routes for networks that should
3245  * NOT be routed over the VPN. Using a well known address
3246  * (127.'d'.'g'.'w') for the default GW make detecting
3247  * these routes easier from the controlling app.
3248  */
3249  rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3250  rgi->flags |= RGI_ADDR_DEFINED;
3251  strcpy(best_name, "android-gw");
3252 
3253  /*
3254  * Skip scanning/fetching interface from loopback interface
3255  * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3256  */
3257  goto done;
3258 #endif /* ifndef TARGET_ANDROID */
3259 
3260  /* scan adapter list */
3261  if (rgi->flags & RGI_ADDR_DEFINED)
3262  {
3263  struct ifreq *ifr, *ifend;
3264  in_addr_t addr, netmask;
3265  struct ifreq ifreq;
3266  struct ifconf ifc;
3267  struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3268 
3269  if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3270  {
3271  msg(M_WARN, "GDG: socket() failed");
3272  goto done;
3273  }
3274  ifc.ifc_len = sizeof(ifs);
3275  ifc.ifc_req = ifs;
3276  if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3277  {
3278  msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3279  goto done;
3280  }
3281 
3282  /* scan through interface list */
3283  ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3284  for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3285  {
3286  if (ifr->ifr_addr.sa_family == AF_INET)
3287  {
3288  /* get interface addr */
3289  addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
3290 
3291  /* get interface name */
3292  strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3293 
3294  /* check that the interface is up */
3295  if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3296  {
3297  continue;
3298  }
3299  if (!(ifreq.ifr_flags & IFF_UP))
3300  {
3301  continue;
3302  }
3303 
3304  if (rgi->flags & RGI_ON_LINK)
3305  {
3306  /* check that interface name of current interface
3307  * matches interface name of best default route */
3308  if (strcmp(ifreq.ifr_name, best_name))
3309  {
3310  continue;
3311  }
3312 #if 0
3313  /* if point-to-point link, use remote addr as route gateway */
3314  if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3315  {
3316  rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3317  if (rgi->gateway.addr)
3318  {
3319  rgi->flags &= ~RGI_ON_LINK;
3320  }
3321  }
3322 #endif
3323  }
3324  else
3325  {
3326  /* get interface netmask */
3327  if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3328  {
3329  continue;
3330  }
3331  netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3332 
3333  /* check that interface matches default route */
3334  if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3335  {
3336  continue;
3337  }
3338 
3339  /* save netmask */
3340  rgi->gateway.netmask = netmask;
3341  rgi->flags |= RGI_NETMASK_DEFINED;
3342  }
3343 
3344  /* save iface name */
3345  strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3346  rgi->flags |= RGI_IFACE_DEFINED;
3347 
3348  /* now get the hardware address. */
3349  memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3350  if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3351  {
3352  msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3353  goto done;
3354  }
3355  memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3356  rgi->flags |= RGI_HWADDR_DEFINED;
3357 
3358  break;
3359  }
3360  }
3361  }
3362 
3363 done:
3364  if (sd >= 0)
3365  {
3366  close(sd);
3367  }
3368  gc_free(&gc);
3369 }
3370 
3371 /* IPv6 implementation using netlink
3372  * http://www.linuxjournal.com/article/7356
3373  * netlink(3), netlink(7), rtnetlink(7)
3374  * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
3375  */
3376 struct rtreq {
3377  struct nlmsghdr nh;
3378  struct rtmsg rtm;
3379  char attrbuf[512];
3380 };
3381 
3382 void
3384  const struct in6_addr *dest)
3385 {
3386  int nls = -1;
3387  struct rtreq rtreq;
3388  struct rtattr *rta;
3389 
3390  char rtbuf[2000];
3391  ssize_t ssize;
3392 
3393  CLEAR(*rgi6);
3394 
3395  nls = socket( PF_NETLINK, SOCK_RAW, NETLINK_ROUTE );
3396  if (nls < 0)
3397  {
3398  msg(M_WARN|M_ERRNO, "GDG6: socket() failed" ); goto done;
3399  }
3400 
3401  /* bind() is not needed, no unsolicited msgs coming in */
3402 
3403  /* request best matching route, see netlink(7) for explanations
3404  */
3405  CLEAR(rtreq);
3406  rtreq.nh.nlmsg_type = RTM_GETROUTE;
3407  rtreq.nh.nlmsg_flags = NLM_F_REQUEST; /* best match only */
3408  rtreq.rtm.rtm_family = AF_INET6;
3409  rtreq.rtm.rtm_src_len = 0; /* not source dependent */
3410  rtreq.rtm.rtm_dst_len = 128; /* exact dst */
3411  rtreq.rtm.rtm_table = RT_TABLE_MAIN;
3412  rtreq.rtm.rtm_protocol = RTPROT_UNSPEC;
3413  rtreq.nh.nlmsg_len = NLMSG_SPACE(sizeof(rtreq.rtm));
3414 
3415  /* set RTA_DST for target IPv6 address we want */
3416  rta = (struct rtattr *)(((char *) &rtreq)+NLMSG_ALIGN(rtreq.nh.nlmsg_len));
3417  rta->rta_type = RTA_DST;
3418  rta->rta_len = RTA_LENGTH(16);
3419  rtreq.nh.nlmsg_len = NLMSG_ALIGN(rtreq.nh.nlmsg_len)
3420  +RTA_LENGTH(16);
3421 
3422  if (dest == NULL) /* ::, unspecified */
3423  {
3424  memset( RTA_DATA(rta), 0, 16 ); /* :: = all-zero */
3425  }
3426  else
3427  {
3428  memcpy( RTA_DATA(rta), (void *)dest, 16 );
3429  }
3430 
3431  /* send and receive reply */
3432  if (send( nls, &rtreq, rtreq.nh.nlmsg_len, 0 ) < 0)
3433  {
3434  msg(M_WARN|M_ERRNO, "GDG6: send() failed" ); goto done;
3435  }
3436 
3437  ssize = recv(nls, rtbuf, sizeof(rtbuf), MSG_TRUNC);
3438 
3439  if (ssize < 0)
3440  {
3441  msg(M_WARN|M_ERRNO, "GDG6: recv() failed" ); goto done;
3442  }
3443 
3444  if (ssize > sizeof(rtbuf))
3445  {
3446  msg(M_WARN, "get_default_gateway_ipv6: returned message too big for buffer (%d>%d)", (int)ssize, (int)sizeof(rtbuf) );
3447  goto done;
3448  }
3449 
3450  struct nlmsghdr *nh;
3451 
3452  for (nh = (struct nlmsghdr *)rtbuf;
3453  NLMSG_OK(nh, ssize);
3454  nh = NLMSG_NEXT(nh, ssize))
3455  {
3456  struct rtmsg *rtm;
3457  int attrlen;
3458 
3459  if (nh->nlmsg_type == NLMSG_DONE)
3460  {
3461  break;
3462  }
3463 
3464  if (nh->nlmsg_type == NLMSG_ERROR)
3465  {
3466  struct nlmsgerr *ne = (struct nlmsgerr *)NLMSG_DATA(nh);
3467 
3468  /* since linux-4.11 -ENETUNREACH is returned when no route can be
3469  * found. Don't print any error message in this case */
3470  if (ne->error != -ENETUNREACH)
3471  {
3472  msg(M_WARN, "GDG6: NLMSG_ERROR: error %s\n",
3473  strerror(-ne->error));
3474  }
3475  break;
3476  }
3477 
3478  if (nh->nlmsg_type != RTM_NEWROUTE)
3479  {
3480  /* shouldn't happen */
3481  msg(M_WARN, "GDG6: unexpected msg_type %d", nh->nlmsg_type );
3482  continue;
3483  }
3484 
3485  rtm = (struct rtmsg *)NLMSG_DATA(nh);
3486  attrlen = RTM_PAYLOAD(nh);
3487 
3488  /* we're only looking for routes in the main table, as "we have
3489  * no IPv6" will lead to a lookup result in "Local" (::/0 reject)
3490  */
3491  if (rtm->rtm_family != AF_INET6
3492  || rtm->rtm_table != RT_TABLE_MAIN)
3493  {
3494  continue;
3495  } /* we're not interested */
3496 
3497  for (rta = RTM_RTA(rtm);
3498  RTA_OK(rta, attrlen);
3499  rta = RTA_NEXT(rta, attrlen))
3500  {
3501  if (rta->rta_type == RTA_GATEWAY)
3502  {
3503  if (RTA_PAYLOAD(rta) != sizeof(struct in6_addr) )
3504  {
3505  msg(M_WARN, "GDG6: RTA_GW size mismatch"); continue;
3506  }
3507  rgi6->gateway.addr_ipv6 = *(struct in6_addr *) RTA_DATA(rta);
3508  rgi6->flags |= RGI_ADDR_DEFINED;
3509  }
3510  else if (rta->rta_type == RTA_OIF)
3511  {
3512  char ifname[IF_NAMESIZE+1];
3513  int oif;
3514  if (RTA_PAYLOAD(rta) != sizeof(oif) )
3515  {
3516  msg(M_WARN, "GDG6: oif size mismatch"); continue;
3517  }
3518 
3519  memcpy(&oif, RTA_DATA(rta), sizeof(oif));
3520  if_indextoname(oif,ifname);
3521  strncpy( rgi6->iface, ifname, sizeof(rgi6->iface)-1 );
3522  rgi6->flags |= RGI_IFACE_DEFINED;
3523  }
3524  }
3525  }
3526 
3527  /* if we have an interface but no gateway, the destination is on-link */
3528  if ( ( rgi6->flags & (RGI_IFACE_DEFINED|RGI_ADDR_DEFINED) ) ==
3530  {
3531  rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3532  if (dest)
3533  {
3534  rgi6->gateway.addr_ipv6 = *dest;
3535  }
3536  }
3537 
3538 done:
3539  if (nls >= 0)
3540  {
3541  close(nls);
3542  }
3543 }
3544 
3545 #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
3546  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
3547  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3548 
3549 #include <sys/types.h>
3550 #include <sys/socket.h>
3551 #include <netinet/in.h>
3552 #include <net/route.h>
3553 #include <net/if_dl.h>
3554 
3555 struct rtmsg {
3556  struct rt_msghdr m_rtm;
3557  char m_space[512];
3558 };
3559 
3560 /* the route socket code is identical for all 4 supported BSDs and for
3561  * MacOS X (Darwin), with one crucial difference: when going from
3562  * 32 bit to 64 bit, the BSDs increased the structure size but kept
3563  * source code compatibility by keeping the use of "long", while
3564  * MacOS X decided to keep binary compatibility by *changing* the API
3565  * to use "uint32_t", thus 32 bit on all OS X variants
3566  *
3567  * We used to have a large amount of duplicate code here which really
3568  * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3569  * having a combined block for all BSDs with this single #ifdef inside
3570  */
3571 
3572 #if defined(TARGET_DARWIN)
3573 #define ROUNDUP(a) \
3574  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3575 #else
3576 #define ROUNDUP(a) \
3577  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3578 #endif
3579 
3580 #if defined(TARGET_SOLARIS)
3581 #define NEXTADDR(w, u) \
3582  if (rtm_addrs & (w)) { \
3583  l = ROUNDUP(sizeof(u)); memmove(cp, &(u), l); cp += l; \
3584  }
3585 
3586 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3587 #else /* if defined(TARGET_SOLARIS) */
3588 #define NEXTADDR(w, u) \
3589  if (rtm_addrs & (w)) { \
3590  l = ROUNDUP( ((struct sockaddr *)&(u))->sa_len); memmove(cp, &(u), l); cp += l; \
3591  }
3592 
3593 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3594 #endif
3595 
3596 #define max(a,b) ((a) > (b) ? (a) : (b))
3597 
3598 void
3600 {
3601  struct gc_arena gc = gc_new();
3602  struct rtmsg m_rtmsg;
3603  int sockfd = -1;
3604  int seq, l, pid, rtm_addrs;
3605  unsigned int i;
3606  struct sockaddr so_dst, so_mask;
3607  char *cp = m_rtmsg.m_space;
3608  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3609  struct rt_msghdr *rtm_aux;
3610 
3611 #define rtm m_rtmsg.m_rtm
3612 
3613  CLEAR(*rgi);
3614 
3615  /* setup data to send to routing socket */
3616  pid = getpid();
3617  seq = 0;
3618  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3619 
3620  bzero(&m_rtmsg, sizeof(m_rtmsg));
3621  bzero(&so_dst, sizeof(so_dst));
3622  bzero(&so_mask, sizeof(so_mask));
3623  bzero(&rtm, sizeof(struct rt_msghdr));
3624 
3625  rtm.rtm_type = RTM_GET;
3626  rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3627  rtm.rtm_version = RTM_VERSION;
3628  rtm.rtm_seq = ++seq;
3629 #ifdef TARGET_OPENBSD
3630  rtm.rtm_tableid = getrtable();
3631 #endif
3632  rtm.rtm_addrs = rtm_addrs;
3633 
3634  so_dst.sa_family = AF_INET;
3635  so_mask.sa_family = AF_INET;
3636 
3637 #ifndef TARGET_SOLARIS
3638  so_dst.sa_len = sizeof(struct sockaddr_in);
3639  so_mask.sa_len = sizeof(struct sockaddr_in);
3640 #endif
3641 
3642  NEXTADDR(RTA_DST, so_dst);
3643  NEXTADDR(RTA_NETMASK, so_mask);
3644 
3645  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3646 
3647  /* transact with routing socket */
3648  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3649  if (sockfd < 0)
3650  {
3651  msg(M_WARN, "GDG: socket #1 failed");
3652  goto done;
3653  }
3654  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3655  {
3656  msg(M_WARN, "GDG: problem writing to routing socket");
3657  goto done;
3658  }
3659  do
3660  {
3661  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3662  } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3663  close(sockfd);
3664  sockfd = -1;
3665 
3666  /* extract return data from routing socket */
3667  rtm_aux = &rtm;
3668  cp = ((char *)(rtm_aux + 1));
3669  if (rtm_aux->rtm_addrs)
3670  {
3671  for (i = 1; i; i <<= 1)
3672  {
3673  if (i & rtm_aux->rtm_addrs)
3674  {
3675  sa = (struct sockaddr *)cp;
3676  if (i == RTA_GATEWAY)
3677  {
3678  gate = sa;
3679  }
3680  else if (i == RTA_IFP)
3681  {
3682  ifp = sa;
3683  }
3684  ADVANCE(cp, sa);
3685  }
3686  }
3687  }
3688  else
3689  {
3690  goto done;
3691  }
3692 
3693  /* get gateway addr and interface name */
3694  if (gate != NULL)
3695  {
3696  /* get default gateway addr */
3697  rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3698  if (rgi->gateway.addr)
3699  {
3700  rgi->flags |= RGI_ADDR_DEFINED;
3701  }
3702 
3703  if (ifp)
3704  {
3705  /* get interface name */
3706  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3707  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3708  {
3709  memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3710  rgi->iface[adl->sdl_nlen] = '\0';
3711  rgi->flags |= RGI_IFACE_DEFINED;
3712  }
3713  }
3714  }
3715 
3716  /* get netmask of interface that owns default gateway */
3717  if (rgi->flags & RGI_IFACE_DEFINED)
3718  {
3719  struct ifreq ifr;
3720 
3721  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3722  if (sockfd < 0)
3723  {
3724  msg(M_WARN, "GDG: socket #2 failed");
3725  goto done;
3726  }
3727 
3728  CLEAR(ifr);
3729  ifr.ifr_addr.sa_family = AF_INET;
3730  strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3731 
3732  if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3733  {
3734  msg(M_WARN, "GDG: ioctl #1 failed");
3735  goto done;
3736  }
3737  close(sockfd);
3738  sockfd = -1;
3739 
3740  rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3741  rgi->flags |= RGI_NETMASK_DEFINED;
3742  }
3743 
3744  /* try to read MAC addr associated with interface that owns default gateway */
3745  if (rgi->flags & RGI_IFACE_DEFINED)
3746  {
3747  struct ifconf ifc;
3748  struct ifreq *ifr;
3749  const int bufsize = 4096;
3750  char *buffer;
3751 
3752  buffer = (char *) gc_malloc(bufsize, true, &gc);
3753  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3754  if (sockfd < 0)
3755  {
3756  msg(M_WARN, "GDG: socket #3 failed");
3757  goto done;
3758  }
3759 
3760  ifc.ifc_len = bufsize;
3761  ifc.ifc_buf = buffer;
3762 
3763  if (ioctl(sockfd, SIOCGIFCONF, (char *)&ifc) < 0)
3764  {
3765  msg(M_WARN, "GDG: ioctl #2 failed");
3766  goto done;
3767  }
3768  close(sockfd);
3769  sockfd = -1;
3770 
3771  for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); )
3772  {
3773  ifr = (struct ifreq *)cp;
3774 #if defined(TARGET_SOLARIS)
3775  const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr);
3776 #else
3777  const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len);
3778 #endif
3779 
3780  if (!ifr->ifr_addr.sa_family)
3781  {
3782  break;
3783  }
3784  if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ))
3785  {
3786  if (ifr->ifr_addr.sa_family == AF_LINK)
3787  {
3788  struct sockaddr_dl *sdl = (struct sockaddr_dl *)&ifr->ifr_addr;
3789  memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3790  rgi->flags |= RGI_HWADDR_DEFINED;
3791  }
3792  }
3793  cp += len;
3794  }
3795  }
3796 
3797 done:
3798  if (sockfd >= 0)
3799  {
3800  close(sockfd);
3801  }
3802  gc_free(&gc);
3803 }
3804 
3805 /* BSD implementation using routing socket (as does IPv4)
3806  * (the code duplication is somewhat unavoidable if we want this to
3807  * work on OpenSolaris as well. *sigh*)
3808  */
3809 
3810 /* Solaris has no length field - this is ugly, but less #ifdef in total
3811  */
3812 #if defined(TARGET_SOLARIS)
3813 #undef ADVANCE
3814 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3815 #endif
3816 
3817 void
3819  const struct in6_addr *dest)
3820 {
3821 
3822  struct rtmsg m_rtmsg;
3823  int sockfd = -1;
3824  int seq, l, pid, rtm_addrs;
3825  unsigned int i;
3826  struct sockaddr_in6 so_dst, so_mask;
3827  char *cp = m_rtmsg.m_space;
3828  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3829  struct rt_msghdr *rtm_aux;
3830 
3831  CLEAR(*rgi6);
3832 
3833  /* setup data to send to routing socket */
3834  pid = getpid();
3835  seq = 0;
3836  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3837 
3838  bzero(&m_rtmsg, sizeof(m_rtmsg));
3839  bzero(&so_dst, sizeof(so_dst));
3840  bzero(&so_mask, sizeof(so_mask));
3841  bzero(&rtm, sizeof(struct rt_msghdr));
3842 
3843  rtm.rtm_type = RTM_GET;
3844  rtm.rtm_flags = RTF_UP;
3845  rtm.rtm_version = RTM_VERSION;
3846  rtm.rtm_seq = ++seq;
3847 #ifdef TARGET_OPENBSD
3848  rtm.rtm_tableid = getrtable();
3849 #endif
3850 
3851  so_dst.sin6_family = AF_INET6;
3852  so_mask.sin6_family = AF_INET6;
3853 
3854  if (dest != NULL /* specific host? */
3855  && !IN6_IS_ADDR_UNSPECIFIED(dest) )
3856  {
3857  so_dst.sin6_addr = *dest;
3858  /* :: needs /0 "netmask", host route wants "no netmask */
3859  rtm_addrs &= ~RTA_NETMASK;
3860  }
3861 
3862  rtm.rtm_addrs = rtm_addrs;
3863 
3864 #ifndef TARGET_SOLARIS
3865  so_dst.sin6_len = sizeof(struct sockaddr_in6);
3866  so_mask.sin6_len = sizeof(struct sockaddr_in6);
3867 #endif
3868 
3869  NEXTADDR(RTA_DST, so_dst);
3870  NEXTADDR(RTA_NETMASK, so_mask);
3871 
3872  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3873 
3874  /* transact with routing socket */
3875  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3876  if (sockfd < 0)
3877  {
3878  msg(M_WARN, "GDG6: socket #1 failed");
3879  goto done;
3880  }
3881  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3882  {
3883  msg(M_WARN, "GDG6: problem writing to routing socket");
3884  goto done;
3885  }
3886 
3887  do
3888  {
3889  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3890  }
3891  while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3892 
3893  close(sockfd);
3894  sockfd = -1;
3895 
3896  /* extract return data from routing socket */
3897  rtm_aux = &rtm;
3898  cp = ((char *)(rtm_aux + 1));
3899  if (rtm_aux->rtm_addrs)
3900  {
3901  for (i = 1; i; i <<= 1)
3902  {
3903  if (i & rtm_aux->rtm_addrs)
3904  {
3905  sa = (struct sockaddr *)cp;
3906  if (i == RTA_GATEWAY)
3907  {
3908  gate = sa;
3909  }
3910  else if (i == RTA_IFP)
3911  {
3912  ifp = sa;
3913  }
3914  ADVANCE(cp, sa);
3915  }
3916  }
3917  }
3918  else
3919  {
3920  goto done;
3921  }
3922 
3923  /* get gateway addr and interface name */
3924  if (gate != NULL)
3925  {
3926  struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3927  struct in6_addr gw = s6->sin6_addr;
3928 
3929 #ifndef TARGET_SOLARIS
3930  /* You do not really want to know... from FreeBSD's route.c
3931  * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3932  * but for a correct link-local address these must be :0000: )
3933  */
3934  if (gate->sa_len == sizeof(struct sockaddr_in6)
3935  && IN6_IS_ADDR_LINKLOCAL(&gw) )
3936  {
3937  gw.s6_addr[2] = gw.s6_addr[3] = 0;
3938  }
3939 
3940  if (gate->sa_len != sizeof(struct sockaddr_in6)
3941  || IN6_IS_ADDR_UNSPECIFIED(&gw) )
3942  {
3943  rgi6->flags |= RGI_ON_LINK;
3944  }
3945  else
3946 #endif
3947 
3948  rgi6->gateway.addr_ipv6 = gw;
3949  rgi6->flags |= RGI_ADDR_DEFINED;
3950 
3951  if (ifp)
3952  {
3953  /* get interface name */
3954  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3955  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3956  {
3957  memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3958  rgi6->flags |= RGI_IFACE_DEFINED;
3959  }
3960  }
3961  }
3962 
3963 done:
3964  if (sockfd >= 0)
3965  {
3966  close(sockfd);
3967  }
3968 }
3969 
3970 #undef max
3971 
3972 #else /* if defined(_WIN32) */
3973 
3974 /*
3975  * This is a platform-specific method that returns data about
3976  * the current default gateway. Return data is placed into
3977  * a struct route_gateway_info object provided by caller. The
3978  * implementation should CLEAR the structure before adding
3979  * data to it.
3980  *
3981  * Data returned includes:
3982  * 1. default gateway address (rgi->gateway.addr)
3983  * 2. netmask of interface that owns default gateway
3984  * (rgi->gateway.netmask)
3985  * 3. hardware address (i.e. MAC address) of interface that owns
3986  * default gateway (rgi->hwaddr)
3987  * 4. interface name (or adapter index on Windows) that owns default
3988  * gateway (rgi->iface or rgi->adapter_index)
3989  * 5. an array of additional address/netmask pairs defined by
3990  * interface that owns default gateway (rgi->addrs with length
3991  * given in rgi->n_addrs)
3992  *
3993  * The flags RGI_x_DEFINED may be used to indicate which of the data
3994  * members were successfully returned (set in rgi->flags). All of
3995  * the data members are optional, however certain OpenVPN functionality
3996  * may be disabled by missing items.
3997  */
3998 void
4000 {
4001  CLEAR(*rgi);
4002 }
4003 void
4005  const struct in6_addr *dest)
4006 {
4007  msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
4008  CLEAR(*rgi6);
4009 }
4010 
4011 #endif /* if defined(_WIN32) */
4012 
4013 bool
4014 netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
4015 {
4016  int i;
4017  const int addrlen = sizeof(in_addr_t) * 8;
4018 
4019  if ((network & netmask) == network)
4020  {
4021  for (i = 0; i <= addrlen; ++i)
4022  {
4023  in_addr_t mask = netbits_to_netmask(i);
4024  if (mask == netmask)
4025  {
4026  if (i == addrlen)
4027  {
4028  *netbits = -1;
4029  }
4030  else
4031  {
4032  *netbits = i;
4033  }
4034  return true;
4035  }
4036  }
4037  }
4038  return false;
4039 }
4040 
4041 /* similar to netmask_to_netbits(), but don't mess with base address
4042  * etc., just convert to netbits - non-mappable masks are returned as "-1"
4043  */
4044 int
4046 {
4047  int i;
4048  const int addrlen = sizeof(in_addr_t) * 8;
4049 
4050  for (i = 0; i <= addrlen; ++i)
4051  {
4052  in_addr_t mask = netbits_to_netmask(i);
4053  if (mask == netmask)
4054  {
4055  return i;
4056  }
4057  }
4058  return -1;
4059 }
4060 
4061 
4062 /*
4063  * get_bypass_addresses() is used by the redirect-gateway bypass-x
4064  * functions to build a route bypass to selected DHCP/DNS servers,
4065  * so that outgoing packets to these servers don't end up in the tunnel.
4066  */
4067 
4068 #if defined(_WIN32)
4069 
4070 static void
4072 {
4073  if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
4074  {
4075  add_bypass_address(rb, addr);
4076  }
4077 }
4078 
4079 static void
4080 add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
4081 {
4082  while (iplist)
4083  {
4084  bool succeed = false;
4085  const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
4086  if (succeed)
4087  {
4089  }
4090  iplist = iplist->Next;
4091  }
4092 }
4093 
4094 static void
4095 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
4096 {
4097  struct gc_arena gc = gc_new();
4098  /*bool ret_bool = false;*/
4099 
4100  /* get full routing table */
4101  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
4102 
4103  /* get the route which represents the default gateway */
4104  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
4105 
4106  if (row)
4107  {
4108  /* get the adapter which the default gateway is associated with */
4109  const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
4110 
4111  /* get extra adapter info, such as DNS addresses */
4112  const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
4113 
4114  /* Bypass DHCP server address */
4115  if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
4116  {
4117  add_host_route_array(rb, &dgi->DhcpServer);
4118  }
4119 
4120  /* Bypass DNS server addresses */
4121  if ((flags & RG_BYPASS_DNS) && pai)
4122  {
4123  add_host_route_array(rb, &pai->DnsServerList);
4124  }
4125  }
4126 
4127  gc_free(&gc);
4128 }
4129 
4130 #else /* if defined(_WIN32) */
4131 
4132 static void
4133 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
4134 {
4135 }
4136 
4137 #endif /* if defined(_WIN32) */
4138 
4139 /*
4140  * Test if addr is reachable via a local interface (return ILA_LOCAL),
4141  * or if it needs to be routed via the default gateway (return
4142  * ILA_NONLOCAL). If the target platform doesn't implement this
4143  * function, return ILA_NOT_IMPLEMENTED.
4144  *
4145  * Used by redirect-gateway autolocal feature
4146  */
4147 
4148 #if defined(_WIN32)
4149 
4150 int
4151 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4152 {
4153  struct gc_arena gc = gc_new();
4154  const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
4155  int ret = TLA_NONLOCAL;
4156 
4157  /* get full routing table */
4158  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4159  if (rt)
4160  {
4161  int i;
4162  for (i = 0; i < rt->dwNumEntries; ++i)
4163  {
4164  const MIB_IPFORWARDROW *row = &rt->table[i];
4165  const in_addr_t net = ntohl(row->dwForwardDest);
4166  const in_addr_t mask = ntohl(row->dwForwardMask);
4167  if (mask > nonlocal_netmask && (addr & mask) == net)
4168  {
4169  ret = TLA_LOCAL;
4170  break;
4171  }
4172  }
4173  }
4174 
4175  gc_free(&gc);
4176  return ret;
4177 }
4178 
4179 #else /* if defined(_WIN32) */
4180 
4181 int
4182 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4183 {
4184  if (rgi)
4185  {
4186  if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4187  {
4188  return TLA_LOCAL;
4189  }
4190  else
4191  {
4192  return TLA_NONLOCAL;
4193  }
4194  }
4195  return TLA_NOT_IMPLEMENTED;
4196 }
4197 
4198 #endif /* if defined(_WIN32) */
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3108
#define M_NONFATAL
Definition: error.h:95
#define RG_BYPASS_DNS
Definition: route.h:87
in_addr_t gateway
Definition: route.h:120
in_addr_t addr
Definition: route.h:141
static bool add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3102
struct route_gateway_address gateway
Definition: route.h:165
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
unsigned int spec_flags
Definition: route.h:217
Definition: tun.h:131
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition: tun.c:4036
struct route_bypass bypass
Definition: route.h:70
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition: tun.c:4009
struct in6_addr ipv6
Definition: openvpn-msg.h:52
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res)
Definition: socket.c:440
#define GETADDR_WARN_ON_SIGNAL
Definition: socket.h:525
static void print_route_option(const struct route_option *ro, int level)
Definition: route.c:1270
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition: route.c:199
in_addr_t network
Definition: route.h:118
#define LR_ERROR
Definition: route.c:1474
#define D_ROUTE
Definition: errlevel.h:80
void gc_addspecial(void *addr, void(free_function)(void *), struct gc_arena *a)
Definition: buffer.c:477
#define RL_DID_LOCAL
Definition: route.h:203
static bool do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
Definition: route.c:2998
struct argv argv_new(void)
Definition: argv.c:52
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
struct route_ipv6 * next
Definition: route.h:125
int n_bypass
Definition: route.h:55
unsigned int flags
Definition: route.h:65
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:2136
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2992
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1296
#define M_INFO
Definition: errlevel.h:55
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:119
static bool is_route_parm_defined(const char *parm)
Definition: route.c:185
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
unsigned int iflags
Definition: route.h:205
void check_subnet_conflict(const in_addr_t ip, const in_addr_t netmask, const char *prefix)
Definition: tun.c:424
#define dmsg
Definition: error.h:174
struct in6_addr remote_host_ipv6
Definition: route.h:219
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1280
static void redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:977
struct in6_addr remote_endpoint_ipv6
Definition: route.h:218
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition: route.c:1423
struct route_option * routes
Definition: route.h:94
static void clear_route_list(struct route_list *rl)
Definition: route.c:517
unsigned int flags
Definition: route.h:126
in_addr_t bypass[N_ROUTE_BYPASS]
Definition: route.h:56
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:144
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4227
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition: route.c:4014
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition: route.c:524
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1443
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1162
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:369
in_addr_t netmask
Definition: route.h:142
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition: route.c:2683
const char * metric
Definition: route.h:102
#define RT_METRIC_DEFINED
Definition: route.h:114
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:502
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition: route.c:2592
#define RL_ROUTES_ADDED
Definition: route.h:204
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:911
#define in_addr_t
Definition: config-msvc.h:104
#define ROUTE_METHOD_SERVICE
Definition: route.h:42
struct route_gateway_info rgi
Definition: route.h:208
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition: route.h:202
static bool do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:3025
struct route_ipv6_gateway_info rgi6
Definition: route.h:222
const char * gateway
Definition: route.h:78
void add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1842
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:2328
struct in6_addr network
Definition: route.h:127
struct route_ipv6_option * routes_ipv6
Definition: route.h:107
struct route_special_addr spec
Definition: route.h:207
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2635
#define ASSERT(x)
Definition: error.h:221
#define IA_NET_ORDER
Definition: socket.h:394
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition: route.c:169
#define snprintf
Definition: config-msvc.h:97
static bool route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
Definition: route.c:725
unsigned int flags
Definition: route.h:223
struct tuntap_options options
Definition: tun.h:144
const struct route_option * option
Definition: route.h:117
#define N_ROUTE_BYPASS
Definition: route.h:54
struct route_ipv6 * routes_ipv6
Definition: route.h:224
void argv_msg(const int msglev, const struct argv *a)
Definition: argv.c:206
unsigned int flags
Definition: route.h:209
static void print_route(const struct route_ipv4 *r, int level)
Definition: route.c:1371
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition: route.c:88
#define LR_NOMATCH
Definition: route.c:1472
void netcmd_semaphore_lock(void)
Definition: win32.c:860
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3114
int add(int a, int b)
list flags
#define fail()
Definition: cmocka.h:1531
#define RG_ENABLE
Definition: route.h:83
int inet_pton(int af, const char *src, void *dst)
#define WIN_ROUTE_PATH_SUFFIX
Definition: win32.h:35
#define RGI_NETMASK_DEFINED
Definition: route.h:147
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1096
unsigned int netbits
Definition: route.h:128
#define RT_ADDED
Definition: route.h:113
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1412
in_addr_t netmask
Definition: route.h:119
#define CLEAR(x)
Definition: basic.h:33
#define IPV4_INVALID_ADDR
Definition: socket.h:428
#define ROUTE_REF_GW
Definition: route.h:50
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest)
Definition: route.c:2810
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:299
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition: tun.c:4285
#define TLA_NONLOCAL
Definition: route.h:334
#define RG_LOCAL
Definition: route.h:84
bool is_special_addr(const char *addr_str)
Definition: route.c:286
#define RGI_ON_LINK
Definition: route.h:151
static const char * np(const char *str)
Definition: simple.c:108
inet_address_t gateway
Definition: openvpn-msg.h:73
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
static void add_block_local(struct route_list *rl)
Definition: route.c:573
bool did_ifconfig_setup
Definition: tun.h:139
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition: route.c:1513
static DWORD InterfaceLuid(const char *iface_name, PNET_LUID luid)
Definition: interactive.c:548
struct gc_arena gc
Definition: route.h:211
#define RGI_ADDR_DEFINED
Definition: route.h:146
#define PACKAGE_NAME
Definition: config.h:730
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition: route.h:170
unsigned int iflags
Definition: route.h:215
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2972
#define OPENVPN_STATE_ADD_ROUTES
Definition: manage.h:485
#define TLA_LOCAL
Definition: route.h:335
#define METRIC_NOT_USED
Definition: route.c:54
#define DEV_TYPE_TUN
Definition: proto.h:37
int type
Definition: tun.h:134
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1002
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:408
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2761
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition: route.c:1819
#define NETSH_PATH_SUFFIX
Definition: win32.h:34
#define ROUTE_DELETE_FIRST
Definition: route.h:49
unsigned int flags
Definition: route.h:152
static void gc_freeaddrinfo_callback(void *addr)
Definition: buffer.h:202
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition: route.c:216
#define RT_DEFINED
Definition: route.h:112
struct gc_arena gc
Definition: route.h:225
#define RG_DEF1
Definition: route.h:85
#define RTSA_DEFAULT_METRIC
Definition: route.h:64
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition: route.c:1392
DWORD adapter_index
Definition: route.h:133
in_addr_t remote_endpoint
Definition: route.h:67
struct in6_addr addr_ipv6
Definition: route.h:174
#define RG_BYPASS_DHCP
Definition: route.h:86
#define ROUTE_METHOD_MASK
Definition: route.h:43
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3120
static SERVICE_STATUS status
Definition: automatic.c:43
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:160
const char * netmask
Definition: route.h:77
DWORD adapter_index
Definition: route.h:156
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition: route.c:428
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:531
unsigned int flags
Definition: route.h:116
bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack, const char *context)
Definition: win32.c:1477
#define M_ERRNO
Definition: error.h:99
#define msg
Definition: error.h:173
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:522
#define RGI_HWADDR_DEFINED
Definition: route.h:148
#define GETADDR_HOST_ORDER
Definition: socket.h:522
char * get_win_sys_path(void)
Definition: win32.c:1210
DWORD adapter_index
Definition: tun.h:175
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:484
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition: error.c:819
unsigned int flags
Definition: route.h:180
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition: tun.c:4142
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:4045
#define RTSA_REMOTE_ENDPOINT
Definition: route.h:62
struct route_ipv4 * next
Definition: route.h:115
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition: route.c:4071
unsigned int flags
Definition: route.h:93
unsigned int flags
Definition: route.h:106
struct gc_arena * gc
Definition: route.h:108
struct in6_addr gateway
Definition: route.h:129
HANDLE msg_channel
Definition: tun.h:61
#define RTSA_REMOTE_HOST
Definition: route.h:63
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition: route.c:1477
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition: route.c:4151
bool did_ifconfig_ipv6_setup
Definition: tun.h:140
struct route_ipv6_gateway_address gateway
Definition: route.h:193
#define RG_BLOCK_LOCAL
Definition: route.h:90
interface_t iface
Definition: openvpn-msg.h:74
int metric
Definition: route.h:130
const char * network
Definition: route.h:76
const char * metric
Definition: route.h:79
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es)
Definition: route.c:606
void argv_printf_cat(struct argv *a, const char *format,...)
Definition: argv.c:328
#define RG_REROUTE_GW
Definition: route.h:88
char name[256]
Definition: openvpn-msg.h:57
#define ROUTE_METHOD_IPAPI
Definition: route.h:40
#define ROUTE_METHOD_EXE
Definition: route.h:41
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es)
Definition: route.c:761
#define IF_NAMESIZE
Definition: socket.c:2898
#define RG_AUTO_LOCAL
Definition: route.h:89
struct route_ipv6_option * next
Definition: route.h:99
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
void show_routes(int msglev)
Definition: route.c:3151
struct gc_arena * gc
Definition: route.h:95
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es)
Definition: route.c:1218
bool add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition: route.c:2880
#define LR_MATCH
Definition: route.c:1473
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition: route.c:299
void netcmd_semaphore_release(void)
Definition: win32.c:876
const char * prefix
Definition: route.h:100
#define TUN_ADAPTER_INDEX_INVALID
Definition: tun.h:42
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition: route.c:4095
#define TLA_NOT_IMPLEMENTED
Definition: route.h:333
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:135
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4240
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:162
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition: tun.c:4318
#define M_WARN
Definition: error.h:96
#define ROUTE_PATH
Definition: config.h:757
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition: route.c:4080
static void add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:893
static uint8_t * buf_bptr(const struct buffer *buf)
Definition: buffer.h:227
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:224
struct route_option * next
Definition: route.h:75
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void get_default_gateway(struct route_gateway_info *rgi)
Definition: route.c:2724
void add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:1519
int remote_host_local
Definition: route.h:69
const char * gateway
Definition: route.h:101
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition: route.c:3126
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:39
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition: tun.c:4123
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition: route.c:542
void argv_reset(struct argv *a)
Definition: argv.c:60
#define BSTR(buf)
Definition: buffer.h:129
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:153
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:110
static void add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:929
Definition: argv.h:35
bool openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition: run_command.c:195
char * actual_name
Definition: tun.h:146
struct route_ipv4 * routes
Definition: route.h:210
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition: route.c:2569
static bool do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition: route.c:3056
char * dest
Definition: compat-lz4.h:431
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es)
Definition: route.c:953
#define GETADDR_RESOLVE
Definition: socket.h:520
#define ssize_t
Definition: config-msvc.h:105
#define IPV4_NETMASK_HOST
Definition: basic.h:35
in_addr_t remote_host
Definition: route.h:68
uint8_t hwaddr[6]
Definition: route.h:190
void argv_printf(struct argv *a, const char *format,...)
Definition: argv.c:318
int default_metric
Definition: route.h:220
#define D_ROUTE_DEBUG
Definition: errlevel.h:129
static const char * show_opt(const char *option)
Definition: route.c:1257
#define RGI_IFACE_DEFINED
Definition: route.h:149
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
#define DEV_TYPE_TAP
Definition: proto.h:38
int default_metric
Definition: route.h:71
void print_routes(const struct route_list *rl, int level)
Definition: route.c:1382
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition: route.c:2606
bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2962
int metric
Definition: route.h:121