OpenVPN
route.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * Support routines for adding/deleting network routes.
26  */
27 
28 #ifdef HAVE_CONFIG_H
29 #include "config.h"
30 #elif defined(_MSC_VER)
31 #include "config-msvc.h"
32 #endif
33 
34 #include "syshead.h"
35 
36 #include "common.h"
37 #include "error.h"
38 #include "route.h"
39 #include "run_command.h"
40 #include "socket.h"
41 #include "manage.h"
42 #include "win32.h"
43 #include "options.h"
44 #include "networking.h"
45 
46 #include "memdbg.h"
47 
48 #if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49 #include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50 #endif
51 
52 #if defined(TARGET_NETBSD)
53 #include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54 #endif
55 
56 #ifdef _WIN32
57 #include "openvpn-msg.h"
58 
59 #define METRIC_NOT_USED ((DWORD)-1)
60 static bool add_route_service(const struct route_ipv4 *, const struct tuntap *);
61 
62 static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63 
64 static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65 
66 static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67 
68 #endif
69 
70 static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx);
71 
72 static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
73 
74 #ifdef ENABLE_DEBUG
75 
76 static void
77 print_bypass_addresses(const struct route_bypass *rb)
78 {
79  struct gc_arena gc = gc_new();
80  int i;
81  for (i = 0; i < rb->n_bypass; ++i)
82  {
83  msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
84  i,
85  print_in_addr_t(rb->bypass[i], 0, &gc));
86  }
87  gc_free(&gc);
88 }
89 
90 #endif
91 
92 static bool
94 {
95  int i;
96  for (i = 0; i < rb->n_bypass; ++i)
97  {
98  if (a == rb->bypass[i]) /* avoid duplicates */
99  {
100  return true;
101  }
102  }
103  if (rb->n_bypass < N_ROUTE_BYPASS)
104  {
105  rb->bypass[rb->n_bypass++] = a;
106  return true;
107  }
108  else
109  {
110  return false;
111  }
112 }
113 
114 struct route_option_list *
116 {
117  struct route_option_list *ret;
118  ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
119  ret->gc = a;
120  return ret;
121 }
122 
123 struct route_ipv6_option_list *
125 {
126  struct route_ipv6_option_list *ret;
128  ret->gc = a;
129  return ret;
130 }
131 
132 /*
133  * NOTE: structs are cloned/copied shallow by design.
134  * The routes list from src will stay intact since it is allocated using
135  * the options->gc. The cloned/copied lists will share this common tail
136  * to avoid copying the data around between pulls. Pulled routes use
137  * the c2->gc so they get freed immediately after a reconnect.
138  */
139 struct route_option_list *
141 {
142  struct route_option_list *ret;
143  ALLOC_OBJ_GC(ret, struct route_option_list, a);
144  *ret = *src;
145  return ret;
146 }
147 
148 struct route_ipv6_option_list *
150 {
151  struct route_ipv6_option_list *ret;
152  ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
153  *ret = *src;
154  return ret;
155 }
156 
157 void
159 {
160  *dest = *src;
161  dest->gc = a;
162 }
163 
164 void
166  const struct route_ipv6_option_list *src,
167  struct gc_arena *a)
168 {
169  *dest = *src;
170  dest->gc = a;
171 }
172 
173 static const char *
174 route_string(const struct route_ipv4 *r, struct gc_arena *gc)
175 {
176  struct buffer out = alloc_buf_gc(256, gc);
177  buf_printf(&out, "ROUTE network %s netmask %s gateway %s",
178  print_in_addr_t(r->network, 0, gc),
179  print_in_addr_t(r->netmask, 0, gc),
180  print_in_addr_t(r->gateway, 0, gc)
181  );
182  if (r->flags & RT_METRIC_DEFINED)
183  {
184  buf_printf(&out, " metric %d", r->metric);
185  }
186  return BSTR(&out);
187 }
188 
189 static bool
190 is_route_parm_defined(const char *parm)
191 {
192  if (!parm)
193  {
194  return false;
195  }
196  if (!strcmp(parm, "default"))
197  {
198  return false;
199  }
200  return true;
201 }
202 
203 static void
204 setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
205 {
206  struct gc_arena gc = gc_new();
207  struct buffer name = alloc_buf_gc(256, &gc);
208  if (i >= 0)
209  {
210  buf_printf(&name, "route_%s_%d", key, i);
211  }
212  else
213  {
214  buf_printf(&name, "route_%s", key);
215  }
216  setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
217  gc_free(&gc);
218 }
219 
220 static bool
221 get_special_addr(const struct route_list *rl,
222  const char *string,
223  in_addr_t *out,
224  bool *status)
225 {
226  if (status)
227  {
228  *status = true;
229  }
230  if (!strcmp(string, "vpn_gateway"))
231  {
232  if (rl)
233  {
234  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
235  {
236  *out = rl->spec.remote_endpoint;
237  }
238  else
239  {
240  msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
241  if (status)
242  {
243  *status = false;
244  }
245  }
246  }
247  return true;
248  }
249  else if (!strcmp(string, "net_gateway"))
250  {
251  if (rl)
252  {
253  if (rl->rgi.flags & RGI_ADDR_DEFINED)
254  {
255  *out = rl->rgi.gateway.addr;
256  }
257  else
258  {
259  msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
260  if (status)
261  {
262  *status = false;
263  }
264  }
265  }
266  return true;
267  }
268  else if (!strcmp(string, "remote_host"))
269  {
270  if (rl)
271  {
272  if (rl->spec.flags & RTSA_REMOTE_HOST)
273  {
274  *out = rl->spec.remote_host;
275  }
276  else
277  {
278  msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
279  if (status)
280  {
281  *status = false;
282  }
283  }
284  }
285  return true;
286  }
287  return false;
288 }
289 
290 bool
291 is_special_addr(const char *addr_str)
292 {
293  if (addr_str)
294  {
295  return get_special_addr(NULL, addr_str, NULL, NULL);
296  }
297  else
298  {
299  return false;
300  }
301 }
302 
303 static bool
305  struct addrinfo **network_list,
306  const struct route_option *ro,
307  const struct route_list *rl)
308 {
309  const in_addr_t default_netmask = IPV4_NETMASK_HOST;
310  bool status;
311  int ret;
312  struct in_addr special;
313 
314  CLEAR(*r);
315  r->option = ro;
316 
317  /* network */
318 
319  if (!is_route_parm_defined(ro->network))
320  {
321  goto fail;
322  }
323 
324 
325  /* get_special_addr replaces specialaddr with a special ip addr
326  * like gw. getaddrinfo is called to convert a a addrinfo struct */
327 
328  if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
329  {
330  if (!status)
331  {
332  goto fail;
333  }
334  special.s_addr = htonl(special.s_addr);
335  ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL,
336  AF_INET, network_list);
337  }
338  else
339  {
341  ro->network, NULL, 0, NULL, AF_INET, network_list);
342  }
343 
344  status = (ret == 0);
345 
346  if (!status)
347  {
348  goto fail;
349  }
350 
351  /* netmask */
352 
354  {
355  r->netmask = getaddr(
358  ro->netmask,
359  0,
360  &status,
361  NULL);
362  if (!status)
363  {
364  goto fail;
365  }
366  }
367  else
368  {
369  r->netmask = default_netmask;
370  }
371 
372  /* gateway */
373 
375  {
376  if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
377  {
378  r->gateway = getaddr(
382  ro->gateway,
383  0,
384  &status,
385  NULL);
386  }
387  if (!status)
388  {
389  goto fail;
390  }
391  }
392  else
393  {
394  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
395  {
396  r->gateway = rl->spec.remote_endpoint;
397  }
398  else
399  {
400  msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
401  goto fail;
402  }
403  }
404 
405  /* metric */
406 
407  r->metric = 0;
408  if (is_route_parm_defined(ro->metric))
409  {
410  r->metric = atoi(ro->metric);
411  if (r->metric < 0)
412  {
413  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
414  ro->network,
415  ro->metric);
416  goto fail;
417  }
418  r->flags |= RT_METRIC_DEFINED;
419  }
420  else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
421  {
422  r->metric = rl->spec.default_metric;
423  r->flags |= RT_METRIC_DEFINED;
424  }
425 
426  r->flags |= RT_DEFINED;
427 
428  return true;
429 
430 fail:
431  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
432  ro->network);
433  return false;
434 }
435 
436 static bool
438  const struct route_ipv6_option *r6o,
439  const struct route_ipv6_list *rl6 )
440 {
441  CLEAR(*r6);
442 
443  if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN ))
444  {
445  goto fail;
446  }
447 
448  /* gateway */
449  if (is_route_parm_defined(r6o->gateway))
450  {
451  if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1)
452  {
453  msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway );
454  }
455  }
456  else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
457  {
458  r6->gateway = rl6->remote_endpoint_ipv6;
459  }
460 
461  /* metric */
462 
463  r6->metric = -1;
464  if (is_route_parm_defined(r6o->metric))
465  {
466  r6->metric = atoi(r6o->metric);
467  if (r6->metric < 0)
468  {
469  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
470  r6o->prefix,
471  r6o->metric);
472  goto fail;
473  }
474  r6->flags |= RT_METRIC_DEFINED;
475  }
476  else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
477  {
478  r6->metric = rl6->default_metric;
479  r6->flags |= RT_METRIC_DEFINED;
480  }
481 
482  r6->flags |= RT_DEFINED;
483 
484  return true;
485 
486 fail:
487  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
488  r6o->prefix);
489  return false;
490 }
491 
492 void
494  const char *network,
495  const char *netmask,
496  const char *gateway,
497  const char *metric)
498 {
499  struct route_option *ro;
500  ALLOC_OBJ_GC(ro, struct route_option, l->gc);
501  ro->network = network;
502  ro->netmask = netmask;
503  ro->gateway = gateway;
504  ro->metric = metric;
505  ro->next = l->routes;
506  l->routes = ro;
507 
508 }
509 
510 void
512  const char *prefix,
513  const char *gateway,
514  const char *metric)
515 {
516  struct route_ipv6_option *ro;
517  ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
518  ro->prefix = prefix;
519  ro->gateway = gateway;
520  ro->metric = metric;
521  ro->next = l->routes_ipv6;
522  l->routes_ipv6 = ro;
523 }
524 
525 static void
527 {
528  gc_free(&rl->gc);
529  CLEAR(*rl);
530 }
531 
532 static void
534 {
535  gc_free(&rl6->gc);
536  CLEAR(*rl6);
537 }
538 
539 void
541  struct env_set *es,
542  const in_addr_t addr)
543 {
544  ASSERT(rl);
545  rl->spec.remote_endpoint = addr;
547  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
548 }
549 
550 static void
552  const struct route_gateway_address *gateway,
553  in_addr_t target)
554 {
555  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
556  if ((rl->rgi.flags & rgi_needed) == rgi_needed
557  && rl->rgi.gateway.netmask < 0xFFFFFFFF)
558  {
559  struct route_ipv4 *r1, *r2;
560  unsigned int l2;
561 
562  ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
563  ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
564 
565  /* split a route into two smaller blocking routes, and direct them to target */
566  l2 = ((~gateway->netmask)+1)>>1;
567  r1->flags = RT_DEFINED;
568  r1->gateway = target;
569  r1->network = gateway->addr & gateway->netmask;
570  r1->netmask = ~(l2-1);
571  r1->next = rl->routes;
572  rl->routes = r1;
573 
574  *r2 = *r1;
575  r2->network += l2;
576  r2->next = rl->routes;
577  rl->routes = r2;
578  }
579 }
580 
581 static void
583 {
584  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
585  if ((rl->flags & RG_BLOCK_LOCAL)
586  && (rl->rgi.flags & rgi_needed) == rgi_needed
587  && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
588  && rl->spec.remote_host_local != TLA_LOCAL)
589  {
590  size_t i;
591 
592 #ifndef TARGET_ANDROID
593  /* add bypass for gateway addr */
595 #endif
596 
597  /* block access to local subnet */
599 
600  /* process additional subnets on gateway interface */
601  for (i = 0; i < rl->rgi.n_addrs; ++i)
602  {
603  const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
604  /* omit the add/subnet in &rl->rgi which we processed above */
605  if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
606  && rl->rgi.gateway.netmask == gwa->netmask))
607  {
609  }
610  }
611  }
612 }
613 
614 bool
616  const struct route_option_list *opt,
617  const char *remote_endpoint,
618  int default_metric,
619  in_addr_t remote_host,
620  struct env_set *es,
621  openvpn_net_ctx_t *ctx)
622 {
623  struct gc_arena gc = gc_new();
624  bool ret = true;
625 
626  clear_route_list(rl);
627 
628  rl->flags = opt->flags;
629 
630  if (remote_host != IPV4_INVALID_ADDR)
631  {
632  rl->spec.remote_host = remote_host;
633  rl->spec.flags |= RTSA_REMOTE_HOST;
634  }
635 
636  if (default_metric)
637  {
638  rl->spec.default_metric = default_metric;
640  }
641 
642  get_default_gateway(&rl->rgi, ctx);
643  if (rl->rgi.flags & RGI_ADDR_DEFINED)
644  {
645  setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
646 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
647  print_default_gateway(D_ROUTE, &rl->rgi, NULL);
648 #endif
649  }
650  else
651  {
652  dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
653  }
654 
655  if (rl->spec.flags & RTSA_REMOTE_HOST)
656  {
657  rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
658  }
659 
660  if (is_route_parm_defined(remote_endpoint))
661  {
662  bool defined = false;
667  remote_endpoint,
668  0,
669  &defined,
670  NULL);
671 
672  if (defined)
673  {
674  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
676  }
677  else
678  {
679  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
680  remote_endpoint);
681  ret = false;
682  }
683  }
684 
685  if (rl->flags & RG_ENABLE)
686  {
687  add_block_local(rl);
689 #ifdef ENABLE_DEBUG
690  print_bypass_addresses(&rl->spec.bypass);
691 #endif
692  }
693 
694  /* parse the routes from opt to rl */
695  {
696  struct route_option *ro;
697  for (ro = opt->routes; ro; ro = ro->next)
698  {
699  struct addrinfo *netlist = NULL;
700  struct route_ipv4 r;
701 
702  if (!init_route(&r, &netlist, ro, rl))
703  {
704  ret = false;
705  }
706  else
707  {
708  struct addrinfo *curele;
709  for (curele = netlist; curele; curele = curele->ai_next)
710  {
711  struct route_ipv4 *new;
712  ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
713  *new = r;
714  new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
715  new->next = rl->routes;
716  rl->routes = new;
717  }
718  }
719  if (netlist)
720  {
721  gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
722  }
723  }
724  }
725 
726  gc_free(&gc);
727  return ret;
728 }
729 
730 /* check whether an IPv6 host address is covered by a given route_ipv6
731  * (not the most beautiful implementation in the world, but portable and
732  * "good enough")
733  */
734 static bool
736  const struct in6_addr *host )
737 {
738  unsigned int bits = r6->netbits;
739  int i;
740  unsigned int mask;
741 
742  if (bits>128)
743  {
744  return false;
745  }
746 
747  for (i = 0; bits >= 8; i++, bits -= 8)
748  {
749  if (r6->network.s6_addr[i] != host->s6_addr[i])
750  {
751  return false;
752  }
753  }
754 
755  if (bits == 0)
756  {
757  return true;
758  }
759 
760  mask = 0xff << (8-bits);
761 
762  if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask ))
763  {
764  return true;
765  }
766 
767  return false;
768 }
769 
770 bool
772  const struct route_ipv6_option_list *opt6,
773  const char *remote_endpoint,
774  int default_metric,
775  const struct in6_addr *remote_host_ipv6,
776  struct env_set *es,
777  openvpn_net_ctx_t *ctx)
778 {
779  struct gc_arena gc = gc_new();
780  bool ret = true;
781  bool need_remote_ipv6_route;
782 
784 
785  rl6->flags = opt6->flags;
786 
787  if (remote_host_ipv6)
788  {
789  rl6->remote_host_ipv6 = *remote_host_ipv6;
791  }
792 
793  if (default_metric >= 0)
794  {
795  rl6->default_metric = default_metric;
797  }
798 
799  msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
800  remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" );
801 
802  get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
803  if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
804  {
805  setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
806 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
807  print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
808 #endif
809  }
810  else
811  {
812  dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
813  }
814 
815  if (is_route_parm_defined( remote_endpoint ))
816  {
817  if (inet_pton( AF_INET6, remote_endpoint,
818  &rl6->remote_endpoint_ipv6) == 1)
819  {
821  }
822  else
823  {
824  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint);
825  ret = false;
826  }
827  }
828 
829  /* parse the routes from opt6 to rl6
830  * discovering potential overlaps with remote_host_ipv6 in the process
831  */
832  need_remote_ipv6_route = false;
833 
834  {
835  struct route_ipv6_option *ro6;
836  for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
837  {
838  struct route_ipv6 *r6;
839  ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
840  if (!init_route_ipv6(r6, ro6, rl6))
841  {
842  ret = false;
843  }
844  else
845  {
846  r6->next = rl6->routes_ipv6;
847  rl6->routes_ipv6 = r6;
848 
849 #ifndef TARGET_ANDROID
850  /* On Android the VPNService protect function call will take of
851  * avoiding routing loops, so ignore this part and let
852  * need_remote_ipv6_route always evaluate to false
853  */
854  if (remote_host_ipv6
855  && route_ipv6_match_host( r6, remote_host_ipv6 ) )
856  {
857  need_remote_ipv6_route = true;
858  msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
859  print_in6_addr(r6->network, 0, &gc), r6->netbits,
860  print_in6_addr(*remote_host_ipv6, 0, &gc));
861  }
862 #endif
863  }
864  }
865  }
866 
867  /* add VPN server host route if needed */
868  if (need_remote_ipv6_route)
869  {
870  if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) ==
872  {
873  struct route_ipv6 *r6;
874  ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
875 
876  r6->network = *remote_host_ipv6;
877  r6->netbits = 128;
878  if (!(rl6->rgi6.flags & RGI_ON_LINK) )
879  {
880  r6->gateway = rl6->rgi6.gateway.addr_ipv6;
881  }
882  r6->metric = 1;
883 #ifdef _WIN32
884  r6->adapter_index = rl6->rgi6.adapter_index;
885 #else
886  r6->iface = rl6->rgi6.iface;
887 #endif
889 
890  r6->next = rl6->routes_ipv6;
891  rl6->routes_ipv6 = r6;
892  }
893  else
894  {
895  msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" );
896  }
897  }
898 
899  gc_free(&gc);
900  return ret;
901 }
902 
903 static void
905  in_addr_t netmask,
907  const struct tuntap *tt,
908  unsigned int flags,
909  const struct route_gateway_info *rgi,
910  const struct env_set *es,
911  openvpn_net_ctx_t *ctx)
912 {
913  struct route_ipv4 r;
914  CLEAR(r);
915  r.flags = RT_DEFINED;
916  r.network = network;
917  r.netmask = netmask;
918  r.gateway = gateway;
919  add_route(&r, tt, flags, rgi, es, ctx);
920 }
921 
922 static void
926  const struct tuntap *tt,
927  unsigned int flags,
928  const struct route_gateway_info *rgi,
929  const struct env_set *es,
930  openvpn_net_ctx_t *ctx)
931 {
932  struct route_ipv4 r;
933  CLEAR(r);
935  r.network = network;
936  r.netmask = netmask;
937  r.gateway = gateway;
938  delete_route(&r, tt, flags, rgi, es, ctx);
939 }
940 
941 static void
944  const struct tuntap *tt,
945  unsigned int flags,
946  const struct route_gateway_info *rgi,
947  const struct env_set *es,
948  openvpn_net_ctx_t *ctx)
949 {
950  int i;
951  for (i = 0; i < rb->n_bypass; ++i)
952  {
953  if (rb->bypass[i])
954  {
955  add_route3(rb->bypass[i],
957  gateway,
958  tt,
959  flags | ROUTE_REF_GW,
960  rgi,
961  es,
962  ctx);
963  }
964  }
965 }
966 
967 static void
970  const struct tuntap *tt,
971  unsigned int flags,
972  const struct route_gateway_info *rgi,
973  const struct env_set *es,
974  openvpn_net_ctx_t *ctx)
975 {
976  int i;
977  for (i = 0; i < rb->n_bypass; ++i)
978  {
979  if (rb->bypass[i])
980  {
981  del_route3(rb->bypass[i],
983  gateway,
984  tt,
985  flags | ROUTE_REF_GW,
986  rgi,
987  es,
988  ctx);
989  }
990  }
991 }
992 
993 static void
994 redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
995  unsigned int flags, const struct env_set *es,
996  openvpn_net_ctx_t *ctx)
997 {
998  const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
999 
1000  if (rl && rl->flags & RG_ENABLE)
1001  {
1002  bool local = rl->flags & RG_LOCAL;
1003 
1004  if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
1005  {
1006  msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
1007  }
1008  /*
1009  * check if a default route is defined, unless:
1010  * - we are connecting to a remote host in our network
1011  * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
1012  */
1013  else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
1014  && (rl->spec.flags & RTSA_REMOTE_HOST))
1015  {
1016  msg(M_WARN, "%s Cannot read current default gateway from system", err);
1017  }
1018  else
1019  {
1020 #ifndef TARGET_ANDROID
1021  if (rl->flags & RG_AUTO_LOCAL)
1022  {
1023  const int tla = rl->spec.remote_host_local;
1024  if (tla == TLA_NONLOCAL)
1025  {
1026  dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
1027  local = false;
1028  }
1029  else if (tla == TLA_LOCAL)
1030  {
1031  dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
1032  local = true;
1033  }
1034  }
1035  if (!local)
1036  {
1037  /* route remote host to original default gateway */
1038  /* if remote_host is not ipv4 (ie: ipv6), just skip
1039  * adding this special /32 route */
1040  if ((rl->spec.flags & RTSA_REMOTE_HOST)
1042  {
1045  rl->rgi.gateway.addr,
1046  tt,
1047  flags | ROUTE_REF_GW,
1048  &rl->rgi,
1049  es,
1050  ctx);
1051  rl->iflags |= RL_DID_LOCAL;
1052  }
1053  else
1054  {
1055  dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1056  }
1057  }
1058 #endif /* ifndef TARGET_ANDROID */
1059 
1060  /* route DHCP/DNS server traffic through original default gateway */
1061  add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1062  &rl->rgi, es, ctx);
1063 
1064  if (rl->flags & RG_REROUTE_GW)
1065  {
1066  if (rl->flags & RG_DEF1)
1067  {
1068  /* add new default route (1st component) */
1069  add_route3(0x00000000,
1070  0x80000000,
1071  rl->spec.remote_endpoint,
1072  tt,
1073  flags,
1074  &rl->rgi,
1075  es,
1076  ctx);
1077 
1078  /* add new default route (2nd component) */
1079  add_route3(0x80000000,
1080  0x80000000,
1081  rl->spec.remote_endpoint,
1082  tt,
1083  flags,
1084  &rl->rgi,
1085  es,
1086  ctx);
1087  }
1088  else
1089  {
1090  /* don't try to remove the def route if it does not exist */
1091  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1092  {
1093  /* delete default route */
1094  del_route3(0, 0, rl->rgi.gateway.addr, tt,
1095  flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1096  }
1097 
1098  /* add new default route */
1099  add_route3(0,
1100  0,
1101  rl->spec.remote_endpoint,
1102  tt,
1103  flags,
1104  &rl->rgi,
1105  es,
1106  ctx);
1107  }
1108  }
1109 
1110  /* set a flag so we can undo later */
1112  }
1113  }
1114 }
1115 
1116 static void
1118  const struct tuntap *tt, unsigned int flags,
1119  const struct env_set *es,
1120  openvpn_net_ctx_t *ctx)
1121 {
1122  if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1123  {
1124  /* delete remote host route */
1125  if (rl->iflags & RL_DID_LOCAL)
1126  {
1129  rl->rgi.gateway.addr,
1130  tt,
1131  flags | ROUTE_REF_GW,
1132  &rl->rgi,
1133  es,
1134  ctx);
1135  rl->iflags &= ~RL_DID_LOCAL;
1136  }
1137 
1138  /* delete special DHCP/DNS bypass route */
1139  del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1140  &rl->rgi, es, ctx);
1141 
1142  if (rl->flags & RG_REROUTE_GW)
1143  {
1144  if (rl->flags & RG_DEF1)
1145  {
1146  /* delete default route (1st component) */
1147  del_route3(0x00000000,
1148  0x80000000,
1149  rl->spec.remote_endpoint,
1150  tt,
1151  flags,
1152  &rl->rgi,
1153  es,
1154  ctx);
1155 
1156  /* delete default route (2nd component) */
1157  del_route3(0x80000000,
1158  0x80000000,
1159  rl->spec.remote_endpoint,
1160  tt,
1161  flags,
1162  &rl->rgi,
1163  es,
1164  ctx);
1165  }
1166  else
1167  {
1168  /* delete default route */
1169  del_route3(0,
1170  0,
1171  rl->spec.remote_endpoint,
1172  tt,
1173  flags,
1174  &rl->rgi,
1175  es,
1176  ctx);
1177  /* restore original default route if there was any */
1178  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1179  {
1180  add_route3(0, 0, rl->rgi.gateway.addr, tt,
1181  flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1182  }
1183  }
1184  }
1185 
1187  }
1188 }
1189 
1190 void
1191 add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1192  const struct tuntap *tt, unsigned int flags,
1193  const struct env_set *es, openvpn_net_ctx_t *ctx)
1194 {
1195  redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1196  if (rl && !(rl->iflags & RL_ROUTES_ADDED) )
1197  {
1198  struct route_ipv4 *r;
1199 
1200  if (rl->routes && !tt->did_ifconfig_setup)
1201  {
1202  msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv4 "
1203  "route. However, no IPv4 has been configured for %s, "
1204  "therefore the route installation may fail or may not work "
1205  "as expected.", tt->actual_name);
1206  }
1207 
1208 #ifdef ENABLE_MANAGEMENT
1209  if (management && rl->routes)
1210  {
1213  NULL,
1214  NULL,
1215  NULL,
1216  NULL,
1217  NULL);
1218  }
1219 #endif
1220 
1221  for (r = rl->routes; r; r = r->next)
1222  {
1223  check_subnet_conflict(r->network, r->netmask, "route");
1224  if (flags & ROUTE_DELETE_FIRST)
1225  {
1226  delete_route(r, tt, flags, &rl->rgi, es, ctx);
1227  }
1228  add_route(r, tt, flags, &rl->rgi, es, ctx);
1229  }
1230  rl->iflags |= RL_ROUTES_ADDED;
1231  }
1232  if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
1233  {
1234  struct route_ipv6 *r;
1235 
1236  if (!tt->did_ifconfig_ipv6_setup)
1237  {
1238  msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
1239  "route. However, no IPv6 has been configured for %s, "
1240  "therefore the route installation may fail or may not work "
1241  "as expected.", tt->actual_name);
1242  }
1243 
1244  for (r = rl6->routes_ipv6; r; r = r->next)
1245  {
1246  if (flags & ROUTE_DELETE_FIRST)
1247  {
1248  delete_route_ipv6(r, tt, flags, es, ctx);
1249  }
1250  add_route_ipv6(r, tt, flags, es, ctx);
1251  }
1252  rl6->iflags |= RL_ROUTES_ADDED;
1253  }
1254 }
1255 
1256 void
1257 delete_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1258  const struct tuntap *tt, unsigned int flags,
1259  const struct env_set *es, openvpn_net_ctx_t *ctx)
1260 {
1261  if (rl && rl->iflags & RL_ROUTES_ADDED)
1262  {
1263  struct route_ipv4 *r;
1264  for (r = rl->routes; r; r = r->next)
1265  {
1266  delete_route(r, tt, flags, &rl->rgi, es, ctx);
1267  }
1268  rl->iflags &= ~RL_ROUTES_ADDED;
1269  }
1270 
1271  undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1272 
1273  if (rl)
1274  {
1275  clear_route_list(rl);
1276  }
1277 
1278  if (rl6 && (rl6->iflags & RL_ROUTES_ADDED) )
1279  {
1280  struct route_ipv6 *r6;
1281  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1282  {
1283  delete_route_ipv6(r6, tt, flags, es, ctx);
1284  }
1285  rl6->iflags &= ~RL_ROUTES_ADDED;
1286  }
1287 
1288  if (rl6)
1289  {
1290  clear_route_ipv6_list(rl6);
1291  }
1292 }
1293 
1294 #ifndef ENABLE_SMALL
1295 
1296 static const char *
1297 show_opt(const char *option)
1298 {
1299  if (!option)
1300  {
1301  return "default (not set)";
1302  }
1303  else
1304  {
1305  return option;
1306  }
1307 }
1308 
1309 static void
1310 print_route_option(const struct route_option *ro, int level)
1311 {
1312  msg(level, " route %s/%s/%s/%s",
1313  show_opt(ro->network),
1314  show_opt(ro->netmask),
1315  show_opt(ro->gateway),
1316  show_opt(ro->metric));
1317 }
1318 
1319 void
1321  int level)
1322 {
1323  struct route_option *ro;
1324  if (rol->flags & RG_ENABLE)
1325  {
1326  msg(level, " [redirect_default_gateway local=%d]",
1327  (rol->flags & RG_LOCAL) != 0);
1328  }
1329  for (ro = rol->routes; ro; ro = ro->next)
1330  {
1331  print_route_option(ro, level);
1332  }
1333 }
1334 
1335 void
1336 print_default_gateway(const int msglevel,
1337  const struct route_gateway_info *rgi,
1338  const struct route_ipv6_gateway_info *rgi6)
1339 {
1340  struct gc_arena gc = gc_new();
1341  if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1342  {
1343  struct buffer out = alloc_buf_gc(256, &gc);
1344  buf_printf(&out, "ROUTE_GATEWAY");
1345  if (rgi->flags & RGI_ON_LINK)
1346  {
1347  buf_printf(&out, " ON_LINK");
1348  }
1349  else
1350  {
1351  buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1352  }
1353  if (rgi->flags & RGI_NETMASK_DEFINED)
1354  {
1355  buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1356  }
1357 #ifdef _WIN32
1358  if (rgi->flags & RGI_IFACE_DEFINED)
1359  {
1360  buf_printf(&out, " I=%lu", rgi->adapter_index);
1361  }
1362 #else
1363  if (rgi->flags & RGI_IFACE_DEFINED)
1364  {
1365  buf_printf(&out, " IFACE=%s", rgi->iface);
1366  }
1367 #endif
1368  if (rgi->flags & RGI_HWADDR_DEFINED)
1369  {
1370  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1371  }
1372  msg(msglevel, "%s", BSTR(&out));
1373  }
1374 
1375  if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1376  {
1377  struct buffer out = alloc_buf_gc(256, &gc);
1378  buf_printf(&out, "ROUTE6_GATEWAY");
1379  buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1380  if (rgi6->flags & RGI_ON_LINK)
1381  {
1382  buf_printf(&out, " ON_LINK");
1383  }
1384  if (rgi6->flags & RGI_NETMASK_DEFINED)
1385  {
1386  buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1387  }
1388 #ifdef _WIN32
1389  if (rgi6->flags & RGI_IFACE_DEFINED)
1390  {
1391  buf_printf(&out, " I=%lu", rgi6->adapter_index);
1392  }
1393 #else
1394  if (rgi6->flags & RGI_IFACE_DEFINED)
1395  {
1396  buf_printf(&out, " IFACE=%s", rgi6->iface);
1397  }
1398 #endif
1399  if (rgi6->flags & RGI_HWADDR_DEFINED)
1400  {
1401  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1402  }
1403  msg(msglevel, "%s", BSTR(&out));
1404  }
1405  gc_free(&gc);
1406 }
1407 
1408 #endif /* ifndef ENABLE_SMALL */
1409 
1410 static void
1411 print_route(const struct route_ipv4 *r, int level)
1412 {
1413  struct gc_arena gc = gc_new();
1414  if (r->flags & RT_DEFINED)
1415  {
1416  msg(level, "%s", route_string(r, &gc));
1417  }
1418  gc_free(&gc);
1419 }
1420 
1421 void
1422 print_routes(const struct route_list *rl, int level)
1423 {
1424  struct route_ipv4 *r;
1425  for (r = rl->routes; r; r = r->next)
1426  {
1427  print_route(r, level);
1428  }
1429 }
1430 
1431 static void
1432 setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1433 {
1434  struct gc_arena gc = gc_new();
1435  if (r->flags & RT_DEFINED)
1436  {
1437  setenv_route_addr(es, "network", r->network, i);
1438  setenv_route_addr(es, "netmask", r->netmask, i);
1439  setenv_route_addr(es, "gateway", r->gateway, i);
1440 
1441  if (r->flags & RT_METRIC_DEFINED)
1442  {
1443  struct buffer name = alloc_buf_gc(256, &gc);
1444  buf_printf(&name, "route_metric_%d", i);
1445  setenv_int(es, BSTR(&name), r->metric);
1446  }
1447  }
1448  gc_free(&gc);
1449 }
1450 
1451 void
1452 setenv_routes(struct env_set *es, const struct route_list *rl)
1453 {
1454  int i = 1;
1455  struct route_ipv4 *r;
1456  for (r = rl->routes; r; r = r->next)
1457  {
1458  setenv_route(es, r, i++);
1459  }
1460 }
1461 
1462 static void
1463 setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1464 {
1465  struct gc_arena gc = gc_new();
1466  if (r6->flags & RT_DEFINED)
1467  {
1468  struct buffer name1 = alloc_buf_gc( 256, &gc );
1469  struct buffer val = alloc_buf_gc( 256, &gc );
1470  struct buffer name2 = alloc_buf_gc( 256, &gc );
1471 
1472  buf_printf( &name1, "route_ipv6_network_%d", i );
1473  buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ),
1474  r6->netbits );
1475  setenv_str( es, BSTR(&name1), BSTR(&val) );
1476 
1477  buf_printf( &name2, "route_ipv6_gateway_%d", i );
1478  setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc ));
1479 
1480  if (r6->flags & RT_METRIC_DEFINED)
1481  {
1482  struct buffer name3 = alloc_buf_gc( 256, &gc );
1483  buf_printf( &name3, "route_ipv6_metric_%d", i) ;
1484  setenv_int( es, BSTR(&name3), r6->metric);
1485  }
1486  }
1487  gc_free(&gc);
1488 }
1489 void
1490 setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1491 {
1492  int i = 1;
1493  struct route_ipv6 *r6;
1494  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1495  {
1496  setenv_route_ipv6(es, r6, i++);
1497  }
1498 }
1499 
1500 /*
1501  * local_route() determines whether the gateway of a provided host
1502  * route is on the same interface that owns the default gateway.
1503  * It uses the data structure
1504  * returned by get_default_gateway() (struct route_gateway_info)
1505  * to determine this. If the route is local, LR_MATCH is returned.
1506  * When adding routes into the kernel, if LR_MATCH is defined for
1507  * a given route, the route should explicitly reference the default
1508  * gateway interface as the route destination. For example, here
1509  * is an example on Linux that uses LR_MATCH:
1510  *
1511  * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1512  *
1513  * This capability is needed by the "default-gateway block-local"
1514  * directive, to allow client access to the local subnet to be
1515  * blocked but still allow access to the local default gateway.
1516  */
1517 
1518 /* local_route() return values */
1519 #define LR_NOMATCH 0 /* route is not local */
1520 #define LR_MATCH 1 /* route is local */
1521 #define LR_ERROR 2 /* caller should abort adding route */
1522 
1523 static int
1525  in_addr_t netmask,
1527  const struct route_gateway_info *rgi)
1528 {
1529  /* set LR_MATCH on local host routes */
1530  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
1531  if (rgi
1532  && (rgi->flags & rgi_needed) == rgi_needed
1533  && gateway == rgi->gateway.addr
1534  && netmask == 0xFFFFFFFF)
1535  {
1536  if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1537  {
1538  return LR_MATCH;
1539  }
1540  else
1541  {
1542  /* examine additional subnets on gateway interface */
1543  size_t i;
1544  for (i = 0; i < rgi->n_addrs; ++i)
1545  {
1546  const struct route_gateway_address *gwa = &rgi->addrs[i];
1547  if (((network ^ gwa->addr) & gwa->netmask) == 0)
1548  {
1549  return LR_MATCH;
1550  }
1551  }
1552  }
1553  }
1554  return LR_NOMATCH;
1555 }
1556 
1557 /* Return true if the "on-link" form of the route should be used. This is when the gateway for a
1558  * a route is specified as an interface rather than an address. */
1559 static inline bool
1560 is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1561 {
1562  return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1563 }
1564 
1565 void
1567  const struct tuntap *tt,
1568  unsigned int flags,
1569  const struct route_gateway_info *rgi, /* may be NULL */
1570  const struct env_set *es,
1571  openvpn_net_ctx_t *ctx)
1572 {
1573  struct gc_arena gc;
1574  struct argv argv = argv_new();
1575 #if !defined(TARGET_LINUX)
1576  const char *network;
1577 #if !defined(TARGET_AIX)
1578  const char *netmask;
1579 #endif
1580  const char *gateway;
1581 #endif
1582  bool status = false;
1583  int is_local_route;
1584 
1585  if (!(r->flags & RT_DEFINED))
1586  {
1587  return;
1588  }
1589 
1590  gc_init(&gc);
1591 
1592 #if !defined(TARGET_LINUX)
1593  network = print_in_addr_t(r->network, 0, &gc);
1594 #if !defined(TARGET_AIX)
1595  netmask = print_in_addr_t(r->netmask, 0, &gc);
1596 #endif
1597  gateway = print_in_addr_t(r->gateway, 0, &gc);
1598 #endif
1599 
1600  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1601  if (is_local_route == LR_ERROR)
1602  {
1603  goto done;
1604  }
1605 
1606 #if defined(TARGET_LINUX)
1607  const char *iface = NULL;
1608  int metric = -1;
1609 
1610  if (is_on_link(is_local_route, flags, rgi))
1611  {
1612  iface = rgi->iface;
1613  }
1614 
1615  if (r->flags & RT_METRIC_DEFINED)
1616  {
1617  metric = r->metric;
1618  }
1619 
1620  status = true;
1621  if (net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask),
1622  &r->gateway, iface, 0, metric) < 0)
1623  {
1624  msg(M_WARN, "ERROR: Linux route add command failed");
1625  status = false;
1626  }
1627 
1628 #elif defined (TARGET_ANDROID)
1629  char out[128];
1630 
1631  if (rgi)
1632  {
1633  openvpn_snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1634  }
1635  else
1636  {
1637  openvpn_snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1638  }
1639  management_android_control(management, "ROUTE", out);
1640 
1641 #elif defined (_WIN32)
1642  {
1643  DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1644  argv_printf(&argv, "%s%s ADD %s MASK %s %s",
1645  get_win_sys_path(),
1647  network,
1648  netmask,
1649  gateway);
1650  if (r->flags & RT_METRIC_DEFINED)
1651  {
1652  argv_printf_cat(&argv, "METRIC %d", r->metric);
1653  }
1654  if (is_on_link(is_local_route, flags, rgi))
1655  {
1656  ai = rgi->adapter_index;
1657  argv_printf_cat(&argv, "IF %lu", ai);
1658  }
1659 
1660  argv_msg(D_ROUTE, &argv);
1661 
1662  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1663  {
1664  status = add_route_service(r, tt);
1665  msg(D_ROUTE, "Route addition via service %s", status ? "succeeded" : "failed");
1666  }
1667  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1668  {
1669  status = add_route_ipapi(r, tt, ai);
1670  msg(D_ROUTE, "Route addition via IPAPI %s", status ? "succeeded" : "failed");
1671  }
1672  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1673  {
1675  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1677  }
1678  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1679  {
1680  status = add_route_ipapi(r, tt, ai);
1681  msg(D_ROUTE, "Route addition via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
1682  if (!status)
1683  {
1684  msg(D_ROUTE, "Route addition fallback to route.exe");
1686  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1688  }
1689  }
1690  else
1691  {
1692  ASSERT(0);
1693  }
1694  }
1695 
1696 #elif defined (TARGET_SOLARIS)
1697 
1698  /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1699 
1700  argv_printf(&argv, "%s add",
1701  ROUTE_PATH);
1702 
1703  argv_printf_cat(&argv, "%s -netmask %s %s",
1704  network,
1705  netmask,
1706  gateway);
1707 
1708  /* Solaris can only distinguish between "metric 0" == "on-link on the
1709  * interface where the IP address given is configured" and "metric > 0"
1710  * == "use gateway specified" (no finer-grained route metrics available)
1711  *
1712  * More recent versions of Solaris can also do "-interface", but that
1713  * would break backwards compatibility with older versions for no gain.
1714  */
1715  if (r->flags & RT_METRIC_DEFINED)
1716  {
1717  argv_printf_cat(&argv, "%d", r->metric);
1718  }
1719 
1720  argv_msg(D_ROUTE, &argv);
1721  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1722 
1723 #elif defined(TARGET_FREEBSD)
1724 
1725  argv_printf(&argv, "%s add",
1726  ROUTE_PATH);
1727 
1728 #if 0
1729  if (r->flags & RT_METRIC_DEFINED)
1730  {
1731  argv_printf_cat(&argv, "-rtt %d", r->metric);
1732  }
1733 #endif
1734 
1735  argv_printf_cat(&argv, "-net %s %s %s",
1736  network,
1737  gateway,
1738  netmask);
1739 
1740  /* FIXME -- add on-link support for FreeBSD */
1741 
1742  argv_msg(D_ROUTE, &argv);
1743  status = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1744 
1745 #elif defined(TARGET_DRAGONFLY)
1746 
1747  argv_printf(&argv, "%s add",
1748  ROUTE_PATH);
1749 
1750 #if 0
1751  if (r->flags & RT_METRIC_DEFINED)
1752  {
1753  argv_printf_cat(&argv, "-rtt %d", r->metric);
1754  }
1755 #endif
1756 
1757  argv_printf_cat(&argv, "-net %s %s %s",
1758  network,
1759  gateway,
1760  netmask);
1761 
1762  /* FIXME -- add on-link support for Dragonfly */
1763 
1764  argv_msg(D_ROUTE, &argv);
1765  status = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1766 
1767 #elif defined(TARGET_DARWIN)
1768 
1769  argv_printf(&argv, "%s add",
1770  ROUTE_PATH);
1771 
1772 #if 0
1773  if (r->flags & RT_METRIC_DEFINED)
1774  {
1775  argv_printf_cat(&argv, "-rtt %d", r->metric);
1776  }
1777 #endif
1778 
1779  if (is_on_link(is_local_route, flags, rgi))
1780  {
1781  /* Mac OS X route syntax for ON_LINK:
1782  * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1783  argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s",
1784  network,
1785  netmask,
1786  rgi->iface);
1787  }
1788  else
1789  {
1790  argv_printf_cat(&argv, "-net %s %s %s",
1791  network,
1792  gateway,
1793  netmask);
1794  }
1795 
1796  argv_msg(D_ROUTE, &argv);
1797  status = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1798 
1799 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1800 
1801  argv_printf(&argv, "%s add",
1802  ROUTE_PATH);
1803 
1804 #if 0
1805  if (r->flags & RT_METRIC_DEFINED)
1806  {
1807  argv_printf_cat(&argv, "-rtt %d", r->metric);
1808  }
1809 #endif
1810 
1811  argv_printf_cat(&argv, "-net %s %s -netmask %s",
1812  network,
1813  gateway,
1814  netmask);
1815 
1816  /* FIXME -- add on-link support for OpenBSD/NetBSD */
1817 
1818  argv_msg(D_ROUTE, &argv);
1819  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1820 
1821 #elif defined(TARGET_AIX)
1822 
1823  {
1824  int netbits = netmask_to_netbits2(r->netmask);
1825  argv_printf(&argv, "%s add -net %s/%d %s",
1826  ROUTE_PATH,
1827  network, netbits, gateway);
1828  argv_msg(D_ROUTE, &argv);
1829  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1830  }
1831 
1832 #else /* if defined(TARGET_LINUX) */
1833  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1834 #endif /* if defined(TARGET_LINUX) */
1835 
1836 done:
1837  if (status)
1838  {
1839  r->flags |= RT_ADDED;
1840  }
1841  else
1842  {
1843  r->flags &= ~RT_ADDED;
1844  }
1845  argv_free(&argv);
1846  gc_free(&gc);
1847  /* release resources potentially allocated during route setup */
1848  net_ctx_reset(ctx);
1849 }
1850 
1851 
1852 void
1854 {
1855  /* clear host bit parts of route
1856  * (needed if routes are specified improperly, or if we need to
1857  * explicitly setup/clear the "connected" network routes on some OSes)
1858  */
1859  int byte = 15;
1860  int bits_to_clear = 128 - r6->netbits;
1861 
1862  while (byte >= 0 && bits_to_clear > 0)
1863  {
1864  if (bits_to_clear >= 8)
1865  {
1866  r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8;
1867  }
1868  else
1869  {
1870  r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0;
1871  }
1872  }
1873 }
1874 
1875 void
1876 add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt,
1877  unsigned int flags, const struct env_set *es,
1878  openvpn_net_ctx_t *ctx)
1879 {
1880  struct gc_arena gc;
1881  struct argv argv = argv_new();
1882 
1883  const char *network;
1884  const char *gateway;
1885  bool status = false;
1886  const char *device = tt->actual_name;
1887 #if defined(TARGET_LINUX)
1888  int metric;
1889 #endif
1890  bool gateway_needed = false;
1891 
1892  if (!(r6->flags & RT_DEFINED) )
1893  {
1894  return;
1895  }
1896 
1897 #ifndef _WIN32
1898  if (r6->iface != NULL) /* vpn server special route */
1899  {
1900  device = r6->iface;
1901  if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
1902  {
1903  gateway_needed = true;
1904  }
1905  }
1906 #endif
1907 
1908  gc_init(&gc);
1909 
1911 
1912  network = print_in6_addr( r6->network, 0, &gc);
1913  gateway = print_in6_addr( r6->gateway, 0, &gc);
1914 
1915 #if defined(TARGET_DARWIN) \
1916  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1917  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1918 
1919  /* the BSD platforms cannot specify gateway and interface independently,
1920  * but for link-local destinations, we MUST specify the interface, so
1921  * we build a combined "$gateway%$interface" gateway string
1922  */
1923  if (r6->iface != NULL && gateway_needed
1924  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
1925  {
1926  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
1927  char *tmp = gc_malloc( len, true, &gc );
1928  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
1929  gateway = tmp;
1930  }
1931 #endif
1932 
1933  msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1934  network, r6->netbits, gateway, r6->metric, device );
1935 
1936  /*
1937  * Filter out routes which are essentially no-ops
1938  * (not currently done for IPv6)
1939  */
1940 
1941  /* On "tun" interface, we never set a gateway if the operating system
1942  * can do "route to interface" - it does not add value, as the target
1943  * dev already fully qualifies the route destination on point-to-point
1944  * interfaces. OTOH, on "tap" interface, we must always set the
1945  * gateway unless the route is to be an on-link network
1946  */
1947  if (tt->type == DEV_TYPE_TAP
1948  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
1949  {
1950  gateway_needed = true;
1951  }
1952 
1953  if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1954  {
1955  msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1956  "parameter for a --route-ipv6 option and no default was set via "
1957  "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1958  "IPv6 route to %s/%d.", network, r6->netbits);
1959  status = false;
1960  goto done;
1961  }
1962 
1963 #if defined(TARGET_LINUX)
1964  metric = -1;
1965  if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1966  {
1967  metric = r6->metric;
1968  }
1969 
1970  status = true;
1971  if (net_route_v6_add(ctx, &r6->network, r6->netbits,
1972  gateway_needed ? &r6->gateway : NULL, device, 0,
1973  metric) < 0)
1974  {
1975  msg(M_WARN, "ERROR: Linux IPv6 route can't be added");
1976  status = false;
1977  }
1978 
1979 #elif defined (TARGET_ANDROID)
1980  char out[64];
1981 
1982  openvpn_snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1983 
1984  management_android_control(management, "ROUTE6", out);
1985 
1986 #elif defined (_WIN32)
1987 
1988  if (tt->options.msg_channel)
1989  {
1990  status = add_route_ipv6_service(r6, tt);
1991  }
1992  else
1993  {
1994  DWORD adapter_index;
1995  if (r6->adapter_index) /* vpn server special route */
1996  {
1997  adapter_index = r6->adapter_index;
1998  gateway_needed = true;
1999  }
2000  else
2001  {
2002  adapter_index = tt->adapter_index;
2003  }
2004 
2005  /* netsh interface ipv6 add route 2001:db8::/32 42 */
2006  argv_printf(&argv, "%s%s interface ipv6 add route %s/%d %lu",
2007  get_win_sys_path(),
2009  network,
2010  r6->netbits,
2011  adapter_index);
2012 
2013  /* next-hop depends on TUN or TAP mode:
2014  * - in TAP mode, we use the "real" next-hop
2015  * - in TUN mode we use a special-case link-local address that the tapdrvr
2016  * knows about and will answer ND (neighbor discovery) packets for
2017  */
2018  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2019  {
2020  argv_printf_cat( &argv, " %s", "fe80::8" );
2021  }
2022  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2023  {
2024  argv_printf_cat( &argv, " %s", gateway );
2025  }
2026 
2027 #if 0
2028  if (r6->flags & RT_METRIC_DEFINED)
2029  {
2030  argv_printf_cat(&argv, " METRIC %d", r->metric);
2031  }
2032 #endif
2033 
2034  /* in some versions of Windows, routes are persistent across reboots by
2035  * default, unless "store=active" is set (pointed out by Tony Lim, thanks)
2036  */
2037  argv_printf_cat( &argv, " store=active" );
2038 
2039  argv_msg(D_ROUTE, &argv);
2040 
2042  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add ipv6 command failed");
2044  }
2045 
2046 #elif defined (TARGET_SOLARIS)
2047 
2048  /* example: route add -inet6 2001:db8::/32 somegateway 0 */
2049 
2050  /* for some reason, routes to tun/tap do not work for me unless I set
2051  * "metric 0" - otherwise, the routes will be nicely installed, but
2052  * packets will just disappear somewhere. So we always use "0" now,
2053  * unless the route points to "gateway on other interface"...
2054  *
2055  * (Note: OpenSolaris can not specify host%interface gateways, so we just
2056  * use the GW addresses - it seems to still work for fe80:: addresses,
2057  * however this is done internally. NUD maybe?)
2058  */
2059  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2060  ROUTE_PATH,
2061  network,
2062  r6->netbits,
2063  gateway );
2064 
2065  /* on tun (not tap), not "elsewhere"? -> metric 0 */
2066  if (tt->type == DEV_TYPE_TUN && !r6->iface)
2067  {
2068  argv_printf_cat(&argv, "0");
2069  }
2070 
2071  argv_msg(D_ROUTE, &argv);
2072  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
2073 
2074 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2075 
2076  argv_printf(&argv, "%s add -inet6 %s/%d",
2077  ROUTE_PATH,
2078  network,
2079  r6->netbits);
2080 
2081  if (gateway_needed)
2082  {
2083  argv_printf_cat(&argv, "%s", gateway);
2084  }
2085  else
2086  {
2087  argv_printf_cat(&argv, "-iface %s", device);
2088  }
2089 
2090  argv_msg(D_ROUTE, &argv);
2091  status = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
2092 
2093 #elif defined(TARGET_DARWIN)
2094 
2095  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d",
2096  ROUTE_PATH,
2097  network, r6->netbits );
2098 
2099  if (gateway_needed)
2100  {
2101  argv_printf_cat(&argv, "%s", gateway);
2102  }
2103  else
2104  {
2105  argv_printf_cat(&argv, "-iface %s", device);
2106  }
2107 
2108  argv_msg(D_ROUTE, &argv);
2109  status = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
2110 
2111 #elif defined(TARGET_OPENBSD)
2112 
2113  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s",
2114  ROUTE_PATH,
2115  network, r6->netbits, gateway );
2116 
2117  argv_msg(D_ROUTE, &argv);
2118  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
2119 
2120 #elif defined(TARGET_NETBSD)
2121 
2122  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2123  ROUTE_PATH,
2124  network, r6->netbits, gateway );
2125 
2126  argv_msg(D_ROUTE, &argv);
2127  status = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
2128 
2129 #elif defined(TARGET_AIX)
2130 
2131  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2132  ROUTE_PATH,
2133  network, r6->netbits, gateway);
2134  argv_msg(D_ROUTE, &argv);
2135  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2136 
2137 #else /* if defined(TARGET_LINUX) */
2138  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2139 #endif /* if defined(TARGET_LINUX) */
2140 
2141 done:
2142  if (status)
2143  {
2144  r6->flags |= RT_ADDED;
2145  }
2146  else
2147  {
2148  r6->flags &= ~RT_ADDED;
2149  }
2150  argv_free(&argv);
2151  gc_free(&gc);
2152  /* release resources potentially allocated during route setup */
2153  net_ctx_reset(ctx);
2154 }
2155 
2156 static void
2158  const struct tuntap *tt,
2159  unsigned int flags,
2160  const struct route_gateway_info *rgi,
2161  const struct env_set *es,
2162  openvpn_net_ctx_t *ctx)
2163 {
2164  struct gc_arena gc;
2165  struct argv argv = argv_new();
2166 #if !defined(TARGET_LINUX)
2167  const char *network;
2168 #if !defined(TARGET_AIX)
2169  const char *netmask;
2170 #endif
2171 #if !defined(TARGET_ANDROID)
2172  const char *gateway;
2173 #endif
2174 #else /* if !defined(TARGET_LINUX) */
2175  int metric;
2176 #endif
2177  int is_local_route;
2178 
2179  if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2180  {
2181  return;
2182  }
2183 
2184  gc_init(&gc);
2185 
2186 #if !defined(TARGET_LINUX)
2187  network = print_in_addr_t(r->network, 0, &gc);
2188 #if !defined(TARGET_AIX)
2189  netmask = print_in_addr_t(r->netmask, 0, &gc);
2190 #endif
2191 #if !defined(TARGET_ANDROID)
2192  gateway = print_in_addr_t(r->gateway, 0, &gc);
2193 #endif
2194 #endif
2195 
2196  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2197  if (is_local_route == LR_ERROR)
2198  {
2199  goto done;
2200  }
2201 
2202 #if defined(TARGET_LINUX)
2203  metric = -1;
2204  if (r->flags & RT_METRIC_DEFINED)
2205  {
2206  metric = r->metric;
2207  }
2208 
2209  if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask),
2210  &r->gateway, NULL, 0, metric) < 0)
2211  {
2212  msg(M_WARN, "ERROR: Linux route delete command failed");
2213  }
2214 #elif defined (_WIN32)
2215 
2216  argv_printf(&argv, "%s%s DELETE %s MASK %s %s",
2217  get_win_sys_path(),
2219  network,
2220  netmask,
2221  gateway);
2222 
2223  argv_msg(D_ROUTE, &argv);
2224 
2225  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2226  {
2227  const bool status = del_route_service(r, tt);
2228  msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2229  }
2230  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2231  {
2232  const bool status = del_route_ipapi(r, tt);
2233  msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2234  }
2235  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2236  {
2238  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2240  }
2241  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2242  {
2243  const bool status = del_route_ipapi(r, tt);
2244  msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2245  if (!status)
2246  {
2247  msg(D_ROUTE, "Route deletion fallback to route.exe");
2249  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]");
2251  }
2252  }
2253  else
2254  {
2255  ASSERT(0);
2256  }
2257 
2258 #elif defined (TARGET_SOLARIS)
2259 
2260  argv_printf(&argv, "%s delete %s -netmask %s %s",
2261  ROUTE_PATH,
2262  network,
2263  netmask,
2264  gateway);
2265 
2266  argv_msg(D_ROUTE, &argv);
2267  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2268 
2269 #elif defined(TARGET_FREEBSD)
2270 
2271  argv_printf(&argv, "%s delete -net %s %s %s",
2272  ROUTE_PATH,
2273  network,
2274  gateway,
2275  netmask);
2276 
2277  argv_msg(D_ROUTE, &argv);
2278  openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2279 
2280 #elif defined(TARGET_DRAGONFLY)
2281 
2282  argv_printf(&argv, "%s delete -net %s %s %s",
2283  ROUTE_PATH,
2284  network,
2285  gateway,
2286  netmask);
2287 
2288  argv_msg(D_ROUTE, &argv);
2289  openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2290 
2291 #elif defined(TARGET_DARWIN)
2292 
2293  if (is_on_link(is_local_route, flags, rgi))
2294  {
2295  argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s",
2296  ROUTE_PATH,
2297  network,
2298  netmask,
2299  rgi->iface);
2300  }
2301  else
2302  {
2303  argv_printf(&argv, "%s delete -net %s %s %s",
2304  ROUTE_PATH,
2305  network,
2306  gateway,
2307  netmask);
2308  }
2309 
2310  argv_msg(D_ROUTE, &argv);
2311  openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2312 
2313 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2314 
2315  argv_printf(&argv, "%s delete -net %s %s -netmask %s",
2316  ROUTE_PATH,
2317  network,
2318  gateway,
2319  netmask);
2320 
2321  argv_msg(D_ROUTE, &argv);
2322  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2323 
2324 #elif defined(TARGET_ANDROID)
2325  msg(M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.");
2326 
2327 #elif defined(TARGET_AIX)
2328 
2329  {
2330  int netbits = netmask_to_netbits2(r->netmask);
2331  argv_printf(&argv, "%s delete -net %s/%d %s",
2332  ROUTE_PATH,
2333  network, netbits, gateway);
2334  argv_msg(D_ROUTE, &argv);
2335  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2336  }
2337 
2338 #else /* if defined(TARGET_LINUX) */
2339  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2340 #endif /* if defined(TARGET_LINUX) */
2341 
2342 done:
2343  r->flags &= ~RT_ADDED;
2344  argv_free(&argv);
2345  gc_free(&gc);
2346  /* release resources potentially allocated during route cleanup */
2347  net_ctx_reset(ctx);
2348 }
2349 
2350 void
2351 delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt,
2352  unsigned int flags, const struct env_set *es,
2353  openvpn_net_ctx_t *ctx)
2354 {
2355  struct gc_arena gc;
2356  struct argv argv = argv_new();
2357  const char *network;
2358 #if !defined(TARGET_LINUX)
2359  const char *gateway;
2360 #else
2361  int metric;
2362 #endif
2363  const char *device = tt->actual_name;
2364  bool gateway_needed = false;
2365 
2366  if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2367  {
2368  return;
2369  }
2370 
2371 #ifndef _WIN32
2372  if (r6->iface != NULL) /* vpn server special route */
2373  {
2374  device = r6->iface;
2375  gateway_needed = true;
2376  }
2377 #endif
2378 
2379  gc_init(&gc);
2380 
2381  network = print_in6_addr( r6->network, 0, &gc);
2382 #if !defined(TARGET_LINUX)
2383  gateway = print_in6_addr( r6->gateway, 0, &gc);
2384 #endif
2385 
2386 #if defined(TARGET_DARWIN) \
2387  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2388  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2389 
2390  /* the BSD platforms cannot specify gateway and interface independently,
2391  * but for link-local destinations, we MUST specify the interface, so
2392  * we build a combined "$gateway%$interface" gateway string
2393  */
2394  if (r6->iface != NULL && gateway_needed
2395  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
2396  {
2397  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
2398  char *tmp = gc_malloc( len, true, &gc );
2399  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
2400  gateway = tmp;
2401  }
2402 #endif
2403 
2404  msg( M_INFO, "delete_route_ipv6(%s/%d)", network, r6->netbits );
2405 
2406  /* if we used a gateway on "add route", we also need to specify it on
2407  * delete, otherwise some OSes will refuse to delete the route
2408  */
2409  if (tt->type == DEV_TYPE_TAP
2410  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
2411  {
2412  gateway_needed = true;
2413  }
2414 
2415 #if defined(TARGET_LINUX)
2416  metric = -1;
2417  if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2418  {
2419  metric = r6->metric;
2420  }
2421 
2422  if (net_route_v6_del(ctx, &r6->network, r6->netbits,
2423  gateway_needed ? &r6->gateway : NULL, device, 0,
2424  metric) < 0)
2425  {
2426  msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2427  }
2428 
2429 #elif defined (_WIN32)
2430 
2431  if (tt->options.msg_channel)
2432  {
2433  del_route_ipv6_service(r6, tt);
2434  }
2435  else
2436  {
2437  DWORD adapter_index;
2438  if (r6->adapter_index) /* vpn server special route */
2439  {
2440  adapter_index = r6->adapter_index;
2441  gateway_needed = true;
2442  }
2443  else
2444  {
2445  adapter_index = tt->adapter_index;
2446  }
2447 
2448  /* netsh interface ipv6 delete route 2001:db8::/32 42 */
2449  argv_printf(&argv, "%s%s interface ipv6 delete route %s/%d %lu",
2450  get_win_sys_path(),
2452  network,
2453  r6->netbits,
2454  adapter_index);
2455 
2456  /* next-hop depends on TUN or TAP mode:
2457  * - in TAP mode, we use the "real" next-hop
2458  * - in TUN mode we use a special-case link-local address that the tapdrvr
2459  * knows about and will answer ND (neighbor discovery) packets for
2460  * (and "route deletion without specifying next-hop" does not work...)
2461  */
2462  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2463  {
2464  argv_printf_cat( &argv, " %s", "fe80::8" );
2465  }
2466  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2467  {
2468  argv_printf_cat( &argv, " %s", gateway );
2469  }
2470 
2471 #if 0
2472  if (r6->flags & RT_METRIC_DEFINED)
2473  {
2474  argv_printf_cat(&argv, "METRIC %d", r->metric);
2475  }
2476 #endif
2477 
2478  /* Windows XP to 7 "just delete" routes, wherever they came from, but
2479  * in Windows 8(.1?), if you create them with "store=active", this is
2480  * how you should delete them as well (pointed out by Cedric Tabary)
2481  */
2482  argv_printf_cat( &argv, " store=active" );
2483 
2484  argv_msg(D_ROUTE, &argv);
2485 
2487  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete ipv6 command failed");
2489  }
2490 
2491 #elif defined (TARGET_SOLARIS)
2492 
2493  /* example: route delete -inet6 2001:db8::/32 somegateway */
2494 
2495  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2496  ROUTE_PATH,
2497  network,
2498  r6->netbits,
2499  gateway );
2500 
2501  argv_msg(D_ROUTE, &argv);
2502  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2503 
2504 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2505 
2506  argv_printf(&argv, "%s delete -inet6 %s/%d",
2507  ROUTE_PATH,
2508  network,
2509  r6->netbits );
2510 
2511  if (gateway_needed)
2512  {
2513  argv_printf_cat(&argv, "%s", gateway);
2514  }
2515  else
2516  {
2517  argv_printf_cat(&argv, "-iface %s", device);
2518  }
2519 
2520  argv_msg(D_ROUTE, &argv);
2521  openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2522 
2523 #elif defined(TARGET_DARWIN)
2524 
2525  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d",
2526  ROUTE_PATH,
2527  network, r6->netbits );
2528 
2529  if (gateway_needed)
2530  {
2531  argv_printf_cat(&argv, "%s", gateway);
2532  }
2533  else
2534  {
2535  argv_printf_cat(&argv, "-iface %s", device);
2536  }
2537 
2538  argv_msg(D_ROUTE, &argv);
2539  openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2540 
2541 #elif defined(TARGET_OPENBSD)
2542 
2543  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s",
2544  ROUTE_PATH,
2545  network, r6->netbits, gateway );
2546 
2547  argv_msg(D_ROUTE, &argv);
2548  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2549 
2550 #elif defined(TARGET_NETBSD)
2551 
2552  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2553  ROUTE_PATH,
2554  network, r6->netbits, gateway );
2555 
2556  argv_msg(D_ROUTE, &argv);
2557  openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2558 
2559 #elif defined(TARGET_AIX)
2560 
2561  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2562  ROUTE_PATH,
2563  network, r6->netbits, gateway);
2564  argv_msg(D_ROUTE, &argv);
2565  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2566 
2567 #else /* if defined(TARGET_LINUX) */
2568  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2569 #endif /* if defined(TARGET_LINUX) */
2570 
2571  argv_free(&argv);
2572  gc_free(&gc);
2573  /* release resources potentially allocated during route cleanup */
2574  net_ctx_reset(ctx);
2575 }
2576 
2577 /*
2578  * The --redirect-gateway option requires OS-specific code below
2579  * to get the current default gateway.
2580  */
2581 
2582 #if defined(_WIN32)
2583 
2584 static const MIB_IPFORWARDTABLE *
2586 {
2587  ULONG size = 0;
2588  PMIB_IPFORWARDTABLE rt = NULL;
2589  DWORD status;
2590 
2591  status = GetIpForwardTable(NULL, &size, TRUE);
2592  if (status == ERROR_INSUFFICIENT_BUFFER)
2593  {
2594  rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc);
2595  status = GetIpForwardTable(rt, &size, TRUE);
2596  if (status != NO_ERROR)
2597  {
2598  msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2599  strerror_win32(status, gc),
2600  (unsigned int)status);
2601  rt = NULL;
2602  }
2603  }
2604  return rt;
2605 }
2606 
2607 static int
2608 test_route(const IP_ADAPTER_INFO *adapters,
2609  const in_addr_t gateway,
2610  DWORD *index)
2611 {
2612  int count = 0;
2613  DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2614  if (index)
2615  {
2616  *index = i;
2617  }
2618  return count;
2619 }
2620 
2621 static void
2623  int *count,
2624  int *good,
2625  int *ambig,
2626  const IP_ADAPTER_INFO *adapters,
2627  const in_addr_t gateway)
2628 {
2629  int c;
2630 
2631  ++*count;
2632  c = test_route(adapters, gateway, NULL);
2633  if (c == 0)
2634  {
2635  *ret = false;
2636  }
2637  else
2638  {
2639  ++*good;
2640  }
2641  if (c > 1)
2642  {
2643  ++*ambig;
2644  }
2645 }
2646 
2647 /*
2648  * If we tried to add routes now, would we succeed?
2649  */
2650 bool
2651 test_routes(const struct route_list *rl, const struct tuntap *tt)
2652 {
2653  struct gc_arena gc = gc_new();
2654  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2655  bool ret = false;
2656  int count = 0;
2657  int good = 0;
2658  int ambig = 0;
2659  int len = -1;
2660  bool adapter_up = false;
2661 
2662  if (is_adapter_up(tt, adapters))
2663  {
2664  ret = true;
2665  adapter_up = true;
2666 
2667  /* we do this test only if we have IPv4 routes to install, and if
2668  * the tun/tap interface has seen IPv4 ifconfig - because if we
2669  * have no IPv4, the check will always fail, failing tun init
2670  */
2671  if (rl && tt->did_ifconfig_setup)
2672  {
2673  struct route_ipv4 *r;
2674  for (r = rl->routes, len = 0; r; r = r->next, ++len)
2675  {
2676  test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2677  }
2678 
2679  if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2680  {
2681  test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2682  }
2683  }
2684  }
2685 
2686  msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2687  good,
2688  count,
2689  len,
2690  (int)ret,
2691  ambig,
2692  adapter_up ? "up" : "down");
2693 
2694  gc_free(&gc);
2695  return ret;
2696 }
2697 
2698 static const MIB_IPFORWARDROW *
2699 get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2700 {
2701  struct gc_arena gc = gc_new();
2702  DWORD lowest_metric = MAXDWORD;
2703  const MIB_IPFORWARDROW *ret = NULL;
2704  int i;
2705  int best = -1;
2706 
2707  if (routes)
2708  {
2709  for (i = 0; i < routes->dwNumEntries; ++i)
2710  {
2711  const MIB_IPFORWARDROW *row = &routes->table[i];
2712  const in_addr_t net = ntohl(row->dwForwardDest);
2713  const in_addr_t mask = ntohl(row->dwForwardMask);
2714  const DWORD index = row->dwForwardIfIndex;
2715  const DWORD metric = row->dwForwardMetric1;
2716 
2717  dmsg(D_ROUTE_DEBUG, "GDGR: route[%d] %s/%s i=%d m=%d",
2718  i,
2719  print_in_addr_t((in_addr_t) net, 0, &gc),
2720  print_in_addr_t((in_addr_t) mask, 0, &gc),
2721  (int)index,
2722  (int)metric);
2723 
2724  if (!net && !mask && metric < lowest_metric)
2725  {
2726  ret = row;
2727  lowest_metric = metric;
2728  best = i;
2729  }
2730  }
2731  }
2732 
2733  dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2734 
2735  gc_free(&gc);
2736  return ret;
2737 }
2738 
2739 void
2741 {
2742  struct gc_arena gc = gc_new();
2743 
2744  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2745  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
2746  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
2747  DWORD a_index;
2748  const IP_ADAPTER_INFO *ai;
2749 
2750  CLEAR(*rgi);
2751 
2752  if (row)
2753  {
2754  rgi->gateway.addr = ntohl(row->dwForwardNextHop);
2755  if (rgi->gateway.addr)
2756  {
2757  rgi->flags |= RGI_ADDR_DEFINED;
2758  a_index = adapter_index_of_ip(adapters, rgi->gateway.addr, NULL, &rgi->gateway.netmask);
2759  if (a_index != TUN_ADAPTER_INDEX_INVALID)
2760  {
2761  rgi->adapter_index = a_index;
2763  ai = get_adapter(adapters, a_index);
2764  if (ai)
2765  {
2766  memcpy(rgi->hwaddr, ai->Address, 6);
2767  rgi->flags |= RGI_HWADDR_DEFINED;
2768  }
2769  }
2770  }
2771  }
2772 
2773  gc_free(&gc);
2774 }
2775 
2776 static DWORD
2777 windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2778 {
2779  struct gc_arena gc = gc_new();
2780  DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2781  int count = 0;
2782  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2783  const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2784  bool on_tun = false;
2785 
2786  /* first test on tun interface */
2787  if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2788  {
2789  ret = tun_adapter->Index;
2790  count = 1;
2791  on_tun = true;
2792  }
2793  else /* test on other interfaces */
2794  {
2795  count = test_route(adapters, r->gateway, &ret);
2796  }
2797 
2798  if (count == 0)
2799  {
2800  msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2801  print_in_addr_t(r->gateway, 0, &gc));
2803  }
2804  else if (count > 1)
2805  {
2806  msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2807  print_in_addr_t(r->gateway, 0, &gc),
2808  count);
2809  }
2810 
2811  dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2812  on_tun,
2813  count,
2814  (int)ret);
2815 
2816  gc_free(&gc);
2817  return ret;
2818 }
2819 
2820 /* IPv6 implementation using GetBestRoute2()
2821  * (TBD: dynamic linking so the binary can still run on XP?)
2822  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2823  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2824  */
2825 void
2827  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
2828 {
2829  struct gc_arena gc = gc_new();
2830  MIB_IPFORWARD_ROW2 BestRoute;
2831  SOCKADDR_INET DestinationAddress, BestSourceAddress;
2832  DWORD BestIfIndex;
2833  DWORD status;
2834  NET_LUID InterfaceLuid;
2835 
2836  CLEAR(*rgi6);
2837  CLEAR(InterfaceLuid); /* cleared = not used for lookup */
2838  CLEAR(DestinationAddress);
2839 
2840  DestinationAddress.si_family = AF_INET6;
2841  if (dest)
2842  {
2843  DestinationAddress.Ipv6.sin6_addr = *dest;
2844  }
2845 
2846  status = GetBestInterfaceEx( (struct sockaddr *)&DestinationAddress, &BestIfIndex );
2847 
2848  if (status != NO_ERROR)
2849  {
2850  msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2851  strerror_win32(status, &gc),
2852  (unsigned int)status);
2853  goto done;
2854  }
2855 
2856  msg( D_ROUTE, "GetBestInterfaceEx() returned if=%d", (int) BestIfIndex );
2857 
2858  status = GetBestRoute2( &InterfaceLuid, BestIfIndex, NULL,
2859  &DestinationAddress, 0,
2860  &BestRoute, &BestSourceAddress );
2861 
2862  if (status != NO_ERROR)
2863  {
2864  msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2865  strerror_win32(status, &gc),
2866  (unsigned int)status);
2867  goto done;
2868  }
2869 
2870  msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s",
2871  BestRoute.InterfaceIndex,
2872  print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2873  BestRoute.DestinationPrefix.PrefixLength,
2874  print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) );
2875  msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d",
2876  (int) BestRoute.Metric,
2877  (int) BestRoute.Loopback,
2878  (int) BestRoute.AutoconfigureAddress,
2879  (int) BestRoute.Immortal );
2880 
2881  rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2882  rgi6->adapter_index = BestRoute.InterfaceIndex;
2884 
2885  /* on-link is signalled by receiving an empty (::) NextHop */
2886  if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) )
2887  {
2888  rgi6->flags |= RGI_ON_LINK;
2889  }
2890 
2891 done:
2892  gc_free(&gc);
2893 }
2894 
2895 bool
2896 add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2897 {
2898  struct gc_arena gc = gc_new();
2899  bool ret = false;
2900  DWORD status;
2901  const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index;
2902 
2903  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2904  {
2905  MIB_IPFORWARDROW fr;
2906  CLEAR(fr);
2907  fr.dwForwardDest = htonl(r->network);
2908  fr.dwForwardMask = htonl(r->netmask);
2909  fr.dwForwardPolicy = 0;
2910  fr.dwForwardNextHop = htonl(r->gateway);
2911  fr.dwForwardIfIndex = if_index;
2912  fr.dwForwardType = 4; /* the next hop is not the final dest */
2913  fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2914  fr.dwForwardAge = 0;
2915  fr.dwForwardNextHopAS = 0;
2916  fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2917  fr.dwForwardMetric2 = METRIC_NOT_USED;
2918  fr.dwForwardMetric3 = METRIC_NOT_USED;
2919  fr.dwForwardMetric4 = METRIC_NOT_USED;
2920  fr.dwForwardMetric5 = METRIC_NOT_USED;
2921 
2922  if ((r->network & r->netmask) != r->network)
2923  {
2924  msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2925  print_in_addr_t(r->network, 0, &gc),
2926  print_in_addr_t(r->netmask, 0, &gc));
2927  }
2928 
2929  status = CreateIpForwardEntry(&fr);
2930 
2931  if (status == NO_ERROR)
2932  {
2933  ret = true;
2934  }
2935  else
2936  {
2937  /* failed, try increasing the metric to work around Vista issue */
2938  const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */
2939 
2940  for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2941  {
2942  /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2943  * --redirect-gateway over RRAS seems to need this. */
2944  for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2945  {
2946  status = CreateIpForwardEntry(&fr);
2947  if (status == NO_ERROR)
2948  {
2949  msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2950  (unsigned int)fr.dwForwardMetric1,
2951  (unsigned int)fr.dwForwardType);
2952  ret = true;
2953  goto doublebreak;
2954  }
2955  else if (status != ERROR_BAD_ARGUMENTS)
2956  {
2957  goto doublebreak;
2958  }
2959  }
2960  }
2961 
2962 doublebreak:
2963  if (status != NO_ERROR)
2964  {
2965  msg(M_WARN, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]",
2966  strerror_win32(status, &gc),
2967  (unsigned int)status,
2968  (unsigned int)if_index);
2969  }
2970  }
2971  }
2972 
2973  gc_free(&gc);
2974  return ret;
2975 }
2976 
2977 bool
2978 del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2979 {
2980  struct gc_arena gc = gc_new();
2981  bool ret = false;
2982  DWORD status;
2983  const DWORD if_index = windows_route_find_if_index(r, tt);
2984 
2985  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2986  {
2987  MIB_IPFORWARDROW fr;
2988  CLEAR(fr);
2989 
2990  fr.dwForwardDest = htonl(r->network);
2991  fr.dwForwardMask = htonl(r->netmask);
2992  fr.dwForwardPolicy = 0;
2993  fr.dwForwardNextHop = htonl(r->gateway);
2994  fr.dwForwardIfIndex = if_index;
2995 
2996  status = DeleteIpForwardEntry(&fr);
2997 
2998  if (status == NO_ERROR)
2999  {
3000  ret = true;
3001  }
3002  else
3003  {
3004  msg(M_WARN, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s",
3005  strerror_win32(status, &gc));
3006  }
3007  }
3008 
3009  gc_free(&gc);
3010  return ret;
3011 }
3012 
3013 static bool
3014 do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
3015 {
3016  bool ret = false;
3017  ack_message_t ack;
3018  struct gc_arena gc = gc_new();
3019 
3020  if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
3021  {
3022  goto out;
3023  }
3024 
3025  if (ack.error_number != NO_ERROR)
3026  {
3027  msg(M_WARN, "ROUTE: route %s failed using service: %s [status=%u if_index=%d]",
3028  (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
3029  ack.error_number, rt->iface.index);
3030  goto out;
3031  }
3032 
3033  ret = true;
3034 
3035 out:
3036  gc_free(&gc);
3037  return ret;
3038 }
3039 
3040 static bool
3041 do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
3042 {
3043  DWORD if_index = windows_route_find_if_index(r, tt);
3044  if (if_index == ~0)
3045  {
3046  return false;
3047  }
3048 
3049  route_message_t msg = {
3050  .header = {
3051  (add ? msg_add_route : msg_del_route),
3052  sizeof(route_message_t),
3053  0
3054  },
3055  .family = AF_INET,
3056  .prefix.ipv4.s_addr = htonl(r->network),
3057  .gateway.ipv4.s_addr = htonl(r->gateway),
3058  .iface = { .index = if_index, .name = "" },
3059  .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1)
3060  };
3061 
3063  if (msg.prefix_len == -1)
3064  {
3065  msg.prefix_len = 32;
3066  }
3067 
3068  return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3069 }
3070 
3071 static bool
3072 do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3073 {
3074  bool status;
3075  route_message_t msg = {
3076  .header = {
3077  (add ? msg_add_route : msg_del_route),
3078  sizeof(route_message_t),
3079  0
3080  },
3081  .family = AF_INET6,
3082  .prefix.ipv6 = r->network,
3083  .prefix_len = r->netbits,
3084  .gateway.ipv6 = r->gateway,
3085  .iface = { .index = tt->adapter_index, .name = "" },
3086  .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1)
3087  };
3088 
3089  if (r->adapter_index) /* vpn server special route */
3090  {
3091  msg.iface.index = r->adapter_index;
3092  }
3093 
3094  /* In TUN mode we use a special link-local address as the next hop.
3095  * The tapdrvr knows about it and will answer neighbor discovery packets.
3096  * (only do this for routes actually using the tun/tap device)
3097  */
3098  if (tt->type == DEV_TYPE_TUN
3099  && msg.iface.index == tt->adapter_index)
3100  {
3101  inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3102  }
3103 
3105  {
3106  strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3107  msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3108  }
3109 
3110  status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3111  msg(D_ROUTE, "IPv6 route %s via service %s",
3112  add ? "addition" : "deletion",
3113  status ? "succeeded" : "failed");
3114  return status;
3115 }
3116 
3117 static bool
3118 add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3119 {
3120  return do_route_ipv4_service(true, r, tt);
3121 }
3122 
3123 static bool
3124 del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3125 {
3126  return do_route_ipv4_service(false, r, tt);
3127 }
3128 
3129 static bool
3130 add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3131 {
3132  return do_route_ipv6_service(true, r, tt);
3133 }
3134 
3135 static bool
3136 del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3137 {
3138  return do_route_ipv6_service(false, r, tt);
3139 }
3140 
3141 static const char *
3142 format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3143 {
3144  struct buffer out = alloc_buf_gc(256, gc);
3145  buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3146  print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3147  print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3148  print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
3149  (int)r->dwForwardPolicy,
3150  (int)r->dwForwardIfIndex,
3151  (int)r->dwForwardType,
3152  (int)r->dwForwardProto,
3153  (int)r->dwForwardAge,
3154  (int)r->dwForwardNextHopAS,
3155  (int)r->dwForwardMetric1,
3156  (int)r->dwForwardMetric2,
3157  (int)r->dwForwardMetric3,
3158  (int)r->dwForwardMetric4,
3159  (int)r->dwForwardMetric5);
3160  return BSTR(&out);
3161 }
3162 
3163 /*
3164  * Show current routing table
3165  */
3166 void
3167 show_routes(int msglev)
3168 {
3169  struct gc_arena gc = gc_new();
3170  int i;
3171 
3172  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3173 
3174  msg(msglev, "SYSTEM ROUTING TABLE");
3175  if (rt)
3176  {
3177  for (i = 0; i < rt->dwNumEntries; ++i)
3178  {
3179  msg(msglev, "%s", format_route_entry(&rt->table[i], &gc));
3180  }
3181  }
3182  gc_free(&gc);
3183 }
3184 
3185 #elif defined(TARGET_ANDROID)
3186 
3187 void
3189 {
3190  /* Android, set some pseudo GW, addr is in host byte order,
3191  * Determining the default GW on Android 5.0+ is non trivial
3192  * and serves almost no purpose since OpenVPN only uses the
3193  * default GW address to add routes for networks that should
3194  * NOT be routed over the VPN. Using a well known address
3195  * (127.'d'.'g'.'w') for the default GW make detecting
3196  * these routes easier from the controlling app.
3197  */
3198  CLEAR(*rgi);
3199 
3200  rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3202  strcpy(rgi->iface, "android-gw");
3203 
3204  /* Skip scanning/fetching interface from loopback interface we do
3205  * normally on Linux.
3206  * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3207  */
3208 
3209 }
3210 
3211 void
3213  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3214 {
3215  /* Same for ipv6 */
3216 
3217  CLEAR(*rgi6);
3218 
3219  /* Use a fake link-local address */
3220  ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3221  rgi6->addrs->netbits_ipv6 = 64;
3223  strcpy(rgi6->iface, "android-gw");
3224 }
3225 
3226 #elif defined(TARGET_LINUX)
3227 
3228 void
3230 {
3231  struct gc_arena gc = gc_new();
3232  int sd = -1;
3233  char best_name[IFNAMSIZ];
3234 
3235  CLEAR(*rgi);
3236  CLEAR(best_name);
3237 
3238  /* get default gateway IP addr */
3239  if (net_route_v4_best_gw(ctx, NULL, &rgi->gateway.addr, best_name) == 0)
3240  {
3241  rgi->flags |= RGI_ADDR_DEFINED;
3242  if (!rgi->gateway.addr && best_name[0])
3243  {
3244  rgi->flags |= RGI_ON_LINK;
3245  }
3246  }
3247 
3248  /* scan adapter list */
3249  if (rgi->flags & RGI_ADDR_DEFINED)
3250  {
3251  struct ifreq *ifr, *ifend;
3252  in_addr_t addr, netmask;
3253  struct ifreq ifreq;
3254  struct ifconf ifc;
3255  struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3256 
3257  if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3258  {
3259  msg(M_WARN, "GDG: socket() failed");
3260  goto done;
3261  }
3262  ifc.ifc_len = sizeof(ifs);
3263  ifc.ifc_req = ifs;
3264  if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3265  {
3266  msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3267  goto done;
3268  }
3269 
3270  /* scan through interface list */
3271  ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3272  for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3273  {
3274  if (ifr->ifr_addr.sa_family == AF_INET)
3275  {
3276  /* get interface addr */
3277  addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
3278 
3279  /* get interface name */
3280  strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3281 
3282  /* check that the interface is up */
3283  if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3284  {
3285  continue;
3286  }
3287  if (!(ifreq.ifr_flags & IFF_UP))
3288  {
3289  continue;
3290  }
3291 
3292  if (rgi->flags & RGI_ON_LINK)
3293  {
3294  /* check that interface name of current interface
3295  * matches interface name of best default route */
3296  if (strcmp(ifreq.ifr_name, best_name))
3297  {
3298  continue;
3299  }
3300 #if 0
3301  /* if point-to-point link, use remote addr as route gateway */
3302  if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3303  {
3304  rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3305  if (rgi->gateway.addr)
3306  {
3307  rgi->flags &= ~RGI_ON_LINK;
3308  }
3309  }
3310 #endif
3311  }
3312  else
3313  {
3314  /* get interface netmask */
3315  if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3316  {
3317  continue;
3318  }
3319  netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3320 
3321  /* check that interface matches default route */
3322  if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3323  {
3324  continue;
3325  }
3326 
3327  /* save netmask */
3328  rgi->gateway.netmask = netmask;
3329  rgi->flags |= RGI_NETMASK_DEFINED;
3330  }
3331 
3332  /* save iface name */
3333  strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3334  rgi->flags |= RGI_IFACE_DEFINED;
3335 
3336  /* now get the hardware address. */
3337  memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3338  if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3339  {
3340  msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3341  goto done;
3342  }
3343  memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3344  rgi->flags |= RGI_HWADDR_DEFINED;
3345 
3346  break;
3347  }
3348  }
3349  }
3350 
3351 done:
3352  if (sd >= 0)
3353  {
3354  close(sd);
3355  }
3356  gc_free(&gc);
3357 }
3358 
3359 /* IPv6 implementation using netlink
3360  * http://www.linuxjournal.com/article/7356
3361  * netlink(3), netlink(7), rtnetlink(7)
3362  * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
3363  */
3364 struct rtreq {
3365  struct nlmsghdr nh;
3366  struct rtmsg rtm;
3367  char attrbuf[512];
3368 };
3369 
3370 void
3372  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3373 {
3374  int flags;
3375 
3376  CLEAR(*rgi6);
3377 
3378  if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6,
3379  rgi6->iface) == 0)
3380  {
3381  if (!IN6_IS_ADDR_UNSPECIFIED(rgi6->gateway.addr_ipv6.s6_addr))
3382  {
3383  rgi6->flags |= RGI_ADDR_DEFINED;
3384  }
3385 
3386  if (strlen(rgi6->iface) > 0)
3387  {
3388  rgi6->flags |= RGI_IFACE_DEFINED;
3389  }
3390  }
3391 
3392  /* if we have an interface but no gateway, the destination is on-link */
3393  flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3394  if (flags == RGI_IFACE_DEFINED)
3395  {
3396  rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3397  if (dest)
3398  {
3399  rgi6->gateway.addr_ipv6 = *dest;
3400  }
3401  }
3402 }
3403 
3404 #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
3405  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
3406  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3407 
3408 #include <sys/types.h>
3409 #include <sys/socket.h>
3410 #include <netinet/in.h>
3411 #include <net/route.h>
3412 #include <net/if_dl.h>
3413 
3414 struct rtmsg {
3415  struct rt_msghdr m_rtm;
3416  char m_space[512];
3417 };
3418 
3419 /* the route socket code is identical for all 4 supported BSDs and for
3420  * MacOS X (Darwin), with one crucial difference: when going from
3421  * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3422  * source code compatibility by keeping the use of "long", while
3423  * MacOS X decided to keep binary compatibility by *changing* the API
3424  * to use "uint32_t", thus 32 bit on all OS X variants
3425  *
3426  * NetBSD does the MacOS way of "fixed number of bits, no matter if
3427  * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3428  * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3429  *
3430  * We used to have a large amount of duplicate code here which really
3431  * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3432  * having a combined block for all BSDs with this single #ifdef inside
3433  */
3434 
3435 #if defined(TARGET_DARWIN)
3436 #define ROUNDUP(a) \
3437  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3438 #elif defined(TARGET_NETBSD)
3439 #define ROUNDUP(a) RT_ROUNDUP(a)
3440 #else
3441 #define ROUNDUP(a) \
3442  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3443 #endif
3444 
3445 #if defined(TARGET_SOLARIS)
3446 #define NEXTADDR(w, u) \
3447  if (rtm_addrs & (w)) { \
3448  l = sizeof(u); memmove(cp, &(u), l); cp += ROUNDUP(l); \
3449  }
3450 
3451 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3452 #else /* if defined(TARGET_SOLARIS) */
3453 #define NEXTADDR(w, u) \
3454  if (rtm_addrs & (w)) { \
3455  l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
3456  }
3457 
3458 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3459 #endif
3460 
3461 #define max(a,b) ((a) > (b) ? (a) : (b))
3462 
3463 void
3465 {
3466  struct gc_arena gc = gc_new();
3467  struct rtmsg m_rtmsg;
3468  int sockfd = -1;
3469  int seq, l, pid, rtm_addrs;
3470  unsigned int i;
3471  struct sockaddr so_dst, so_mask;
3472  char *cp = m_rtmsg.m_space;
3473  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3474  struct rt_msghdr *rtm_aux;
3475 
3476 #define rtm m_rtmsg.m_rtm
3477 
3478  CLEAR(*rgi);
3479 
3480  /* setup data to send to routing socket */
3481  pid = getpid();
3482  seq = 0;
3483  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3484 
3485  bzero(&m_rtmsg, sizeof(m_rtmsg));
3486  bzero(&so_dst, sizeof(so_dst));
3487  bzero(&so_mask, sizeof(so_mask));
3488  bzero(&rtm, sizeof(struct rt_msghdr));
3489 
3490  rtm.rtm_type = RTM_GET;
3491  rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3492  rtm.rtm_version = RTM_VERSION;
3493  rtm.rtm_seq = ++seq;
3494 #ifdef TARGET_OPENBSD
3495  rtm.rtm_tableid = getrtable();
3496 #endif
3497  rtm.rtm_addrs = rtm_addrs;
3498 
3499  so_dst.sa_family = AF_INET;
3500  so_mask.sa_family = AF_INET;
3501 
3502 #ifndef TARGET_SOLARIS
3503  so_dst.sa_len = sizeof(struct sockaddr_in);
3504  so_mask.sa_len = sizeof(struct sockaddr_in);
3505 #endif
3506 
3507  NEXTADDR(RTA_DST, so_dst);
3508  NEXTADDR(RTA_NETMASK, so_mask);
3509 
3510  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3511 
3512  /* transact with routing socket */
3513  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3514  if (sockfd < 0)
3515  {
3516  msg(M_WARN, "GDG: socket #1 failed");
3517  goto done;
3518  }
3519  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3520  {
3521  msg(M_WARN, "GDG: problem writing to routing socket");
3522  goto done;
3523  }
3524  do
3525  {
3526  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3527  } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3528  close(sockfd);
3529  sockfd = -1;
3530 
3531  /* extract return data from routing socket */
3532  rtm_aux = &rtm;
3533  cp = ((char *)(rtm_aux + 1));
3534  if (rtm_aux->rtm_addrs)
3535  {
3536  for (i = 1; i; i <<= 1)
3537  {
3538  if (i & rtm_aux->rtm_addrs)
3539  {
3540  sa = (struct sockaddr *)cp;
3541  if (i == RTA_GATEWAY)
3542  {
3543  gate = sa;
3544  }
3545  else if (i == RTA_IFP)
3546  {
3547  ifp = sa;
3548  }
3549  ADVANCE(cp, sa);
3550  }
3551  }
3552  }
3553  else
3554  {
3555  goto done;
3556  }
3557 
3558  /* get gateway addr and interface name */
3559  if (gate != NULL)
3560  {
3561  /* get default gateway addr */
3562  rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3563  if (rgi->gateway.addr)
3564  {
3565  rgi->flags |= RGI_ADDR_DEFINED;
3566  }
3567 
3568  if (ifp)
3569  {
3570  /* get interface name */
3571  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3572  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3573  {
3574  memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3575  rgi->iface[adl->sdl_nlen] = '\0';
3576  rgi->flags |= RGI_IFACE_DEFINED;
3577  }
3578  }
3579  }
3580 
3581  /* get netmask of interface that owns default gateway */
3582  if (rgi->flags & RGI_IFACE_DEFINED)
3583  {
3584  struct ifreq ifr;
3585 
3586  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3587  if (sockfd < 0)
3588  {
3589  msg(M_WARN, "GDG: socket #2 failed");
3590  goto done;
3591  }
3592 
3593  CLEAR(ifr);
3594  ifr.ifr_addr.sa_family = AF_INET;
3595  strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3596 
3597  if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3598  {
3599  msg(M_WARN, "GDG: ioctl #1 failed");
3600  goto done;
3601  }
3602  close(sockfd);
3603  sockfd = -1;
3604 
3605  rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3606  rgi->flags |= RGI_NETMASK_DEFINED;
3607  }
3608 
3609  /* try to read MAC addr associated with interface that owns default gateway */
3610  if (rgi->flags & RGI_IFACE_DEFINED)
3611  {
3612  struct ifconf ifc;
3613  struct ifreq *ifr;
3614  const int bufsize = 4096;
3615  char *buffer;
3616 
3617  buffer = (char *) gc_malloc(bufsize, true, &gc);
3618  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3619  if (sockfd < 0)
3620  {
3621  msg(M_WARN, "GDG: socket #3 failed");
3622  goto done;
3623  }
3624 
3625  ifc.ifc_len = bufsize;
3626  ifc.ifc_buf = buffer;
3627 
3628  if (ioctl(sockfd, SIOCGIFCONF, (char *)&ifc) < 0)
3629  {
3630  msg(M_WARN, "GDG: ioctl #2 failed");
3631  goto done;
3632  }
3633  close(sockfd);
3634  sockfd = -1;
3635 
3636  for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); )
3637  {
3638  ifr = (struct ifreq *)cp;
3639 #if defined(TARGET_SOLARIS)
3640  const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr);
3641 #else
3642  const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len);
3643 #endif
3644 
3645  if (!ifr->ifr_addr.sa_family)
3646  {
3647  break;
3648  }
3649  if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ))
3650  {
3651  if (ifr->ifr_addr.sa_family == AF_LINK)
3652  {
3653  struct sockaddr_dl *sdl = (struct sockaddr_dl *)&ifr->ifr_addr;
3654  memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3655  rgi->flags |= RGI_HWADDR_DEFINED;
3656  }
3657  }
3658  cp += len;
3659  }
3660  }
3661 
3662 done:
3663  if (sockfd >= 0)
3664  {
3665  close(sockfd);
3666  }
3667  gc_free(&gc);
3668 }
3669 
3670 /* BSD implementation using routing socket (as does IPv4)
3671  * (the code duplication is somewhat unavoidable if we want this to
3672  * work on OpenSolaris as well. *sigh*)
3673  */
3674 
3675 /* Solaris has no length field - this is ugly, but less #ifdef in total
3676  */
3677 #if defined(TARGET_SOLARIS)
3678 #undef ADVANCE
3679 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3680 #endif
3681 
3682 void
3684  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3685 {
3686 
3687  struct rtmsg m_rtmsg;
3688  int sockfd = -1;
3689  int seq, l, pid, rtm_addrs;
3690  unsigned int i;
3691  struct sockaddr_in6 so_dst, so_mask;
3692  char *cp = m_rtmsg.m_space;
3693  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3694  struct rt_msghdr *rtm_aux;
3695 
3696  CLEAR(*rgi6);
3697 
3698  /* setup data to send to routing socket */
3699  pid = getpid();
3700  seq = 0;
3701  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3702 
3703  bzero(&m_rtmsg, sizeof(m_rtmsg));
3704  bzero(&so_dst, sizeof(so_dst));
3705  bzero(&so_mask, sizeof(so_mask));
3706  bzero(&rtm, sizeof(struct rt_msghdr));
3707 
3708  rtm.rtm_type = RTM_GET;
3709  rtm.rtm_flags = RTF_UP;
3710  rtm.rtm_version = RTM_VERSION;
3711  rtm.rtm_seq = ++seq;
3712 #ifdef TARGET_OPENBSD
3713  rtm.rtm_tableid = getrtable();
3714 #endif
3715 
3716  so_dst.sin6_family = AF_INET6;
3717  so_mask.sin6_family = AF_INET6;
3718 
3719  if (dest != NULL /* specific host? */
3720  && !IN6_IS_ADDR_UNSPECIFIED(dest) )
3721  {
3722  so_dst.sin6_addr = *dest;
3723  /* :: needs /0 "netmask", host route wants "no netmask */
3724  rtm_addrs &= ~RTA_NETMASK;
3725  }
3726 
3727  rtm.rtm_addrs = rtm_addrs;
3728 
3729 #ifndef TARGET_SOLARIS
3730  so_dst.sin6_len = sizeof(struct sockaddr_in6);
3731  so_mask.sin6_len = sizeof(struct sockaddr_in6);
3732 #endif
3733 
3734  NEXTADDR(RTA_DST, so_dst);
3735  NEXTADDR(RTA_NETMASK, so_mask);
3736 
3737  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3738 
3739  /* transact with routing socket */
3740  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3741  if (sockfd < 0)
3742  {
3743  msg(M_WARN, "GDG6: socket #1 failed");
3744  goto done;
3745  }
3746  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3747  {
3748  msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
3749  goto done;
3750  }
3751 
3752  do
3753  {
3754  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3755  }
3756  while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3757 
3758  close(sockfd);
3759  sockfd = -1;
3760 
3761  /* extract return data from routing socket */
3762  rtm_aux = &rtm;
3763  cp = ((char *)(rtm_aux + 1));
3764  if (rtm_aux->rtm_addrs)
3765  {
3766  for (i = 1; i; i <<= 1)
3767  {
3768  if (i & rtm_aux->rtm_addrs)
3769  {
3770  sa = (struct sockaddr *)cp;
3771  if (i == RTA_GATEWAY)
3772  {
3773  gate = sa;
3774  }
3775  else if (i == RTA_IFP)
3776  {
3777  ifp = sa;
3778  }
3779  ADVANCE(cp, sa);
3780  }
3781  }
3782  }
3783  else
3784  {
3785  goto done;
3786  }
3787 
3788  /* get gateway addr and interface name */
3789  if (gate != NULL)
3790  {
3791  struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3792  struct in6_addr gw = s6->sin6_addr;
3793 
3794 #ifndef TARGET_SOLARIS
3795  /* You do not really want to know... from FreeBSD's route.c
3796  * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3797  * but for a correct link-local address these must be :0000: )
3798  */
3799  if (gate->sa_len == sizeof(struct sockaddr_in6)
3800  && IN6_IS_ADDR_LINKLOCAL(&gw) )
3801  {
3802  gw.s6_addr[2] = gw.s6_addr[3] = 0;
3803  }
3804 
3805  if (gate->sa_len != sizeof(struct sockaddr_in6)
3806  || IN6_IS_ADDR_UNSPECIFIED(&gw) )
3807  {
3808  rgi6->flags |= RGI_ON_LINK;
3809  }
3810  else
3811 #endif
3812 
3813  rgi6->gateway.addr_ipv6 = gw;
3814  rgi6->flags |= RGI_ADDR_DEFINED;
3815 
3816  if (ifp)
3817  {
3818  /* get interface name */
3819  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3820  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3821  {
3822  memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3823  rgi6->flags |= RGI_IFACE_DEFINED;
3824  }
3825  }
3826  }
3827 
3828 done:
3829  if (sockfd >= 0)
3830  {
3831  close(sockfd);
3832  }
3833 }
3834 
3835 #undef max
3836 
3837 #else /* if defined(_WIN32) */
3838 
3839 /*
3840  * This is a platform-specific method that returns data about
3841  * the current default gateway. Return data is placed into
3842  * a struct route_gateway_info object provided by caller. The
3843  * implementation should CLEAR the structure before adding
3844  * data to it.
3845  *
3846  * Data returned includes:
3847  * 1. default gateway address (rgi->gateway.addr)
3848  * 2. netmask of interface that owns default gateway
3849  * (rgi->gateway.netmask)
3850  * 3. hardware address (i.e. MAC address) of interface that owns
3851  * default gateway (rgi->hwaddr)
3852  * 4. interface name (or adapter index on Windows) that owns default
3853  * gateway (rgi->iface or rgi->adapter_index)
3854  * 5. an array of additional address/netmask pairs defined by
3855  * interface that owns default gateway (rgi->addrs with length
3856  * given in rgi->n_addrs)
3857  *
3858  * The flags RGI_x_DEFINED may be used to indicate which of the data
3859  * members were successfully returned (set in rgi->flags). All of
3860  * the data members are optional, however certain OpenVPN functionality
3861  * may be disabled by missing items.
3862  */
3863 void
3865 {
3866  CLEAR(*rgi);
3867 }
3868 void
3870  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3871 {
3872  msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3873  CLEAR(*rgi6);
3874 }
3875 
3876 #endif /* if defined(_WIN32) */
3877 
3878 bool
3879 netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3880 {
3881  int i;
3882  const int addrlen = sizeof(in_addr_t) * 8;
3883 
3884  if ((network & netmask) == network)
3885  {
3886  for (i = 0; i <= addrlen; ++i)
3887  {
3888  in_addr_t mask = netbits_to_netmask(i);
3889  if (mask == netmask)
3890  {
3891  if (i == addrlen)
3892  {
3893  *netbits = -1;
3894  }
3895  else
3896  {
3897  *netbits = i;
3898  }
3899  return true;
3900  }
3901  }
3902  }
3903  return false;
3904 }
3905 
3906 /* similar to netmask_to_netbits(), but don't mess with base address
3907  * etc., just convert to netbits - non-mappable masks are returned as "-1"
3908  */
3909 int
3911 {
3912  int i;
3913  const int addrlen = sizeof(in_addr_t) * 8;
3914 
3915  for (i = 0; i <= addrlen; ++i)
3916  {
3917  in_addr_t mask = netbits_to_netmask(i);
3918  if (mask == netmask)
3919  {
3920  return i;
3921  }
3922  }
3923  return -1;
3924 }
3925 
3926 
3927 /*
3928  * get_bypass_addresses() is used by the redirect-gateway bypass-x
3929  * functions to build a route bypass to selected DHCP/DNS servers,
3930  * so that outgoing packets to these servers don't end up in the tunnel.
3931  */
3932 
3933 #if defined(_WIN32)
3934 
3935 static void
3937 {
3938  if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3939  {
3940  add_bypass_address(rb, addr);
3941  }
3942 }
3943 
3944 static void
3945 add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3946 {
3947  while (iplist)
3948  {
3949  bool succeed = false;
3950  const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3951  if (succeed)
3952  {
3954  }
3955  iplist = iplist->Next;
3956  }
3957 }
3958 
3959 static void
3960 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3961 {
3962  struct gc_arena gc = gc_new();
3963  /*bool ret_bool = false;*/
3964 
3965  /* get full routing table */
3966  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3967 
3968  /* get the route which represents the default gateway */
3969  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3970 
3971  if (row)
3972  {
3973  /* get the adapter which the default gateway is associated with */
3974  const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3975 
3976  /* get extra adapter info, such as DNS addresses */
3977  const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3978 
3979  /* Bypass DHCP server address */
3980  if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3981  {
3982  add_host_route_array(rb, &dgi->DhcpServer);
3983  }
3984 
3985  /* Bypass DNS server addresses */
3986  if ((flags & RG_BYPASS_DNS) && pai)
3987  {
3988  add_host_route_array(rb, &pai->DnsServerList);
3989  }
3990  }
3991 
3992  gc_free(&gc);
3993 }
3994 
3995 #else /* if defined(_WIN32) */
3996 
3997 static void
3998 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
3999 {
4000 }
4001 
4002 #endif /* if defined(_WIN32) */
4003 
4004 /*
4005  * Test if addr is reachable via a local interface (return ILA_LOCAL),
4006  * or if it needs to be routed via the default gateway (return
4007  * ILA_NONLOCAL). If the target platform doesn't implement this
4008  * function, return ILA_NOT_IMPLEMENTED.
4009  *
4010  * Used by redirect-gateway autolocal feature
4011  */
4012 
4013 #if defined(_WIN32)
4014 
4015 int
4016 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4017 {
4018  struct gc_arena gc = gc_new();
4019  const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
4020  int ret = TLA_NONLOCAL;
4021 
4022  /* get full routing table */
4023  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4024  if (rt)
4025  {
4026  int i;
4027  for (i = 0; i < rt->dwNumEntries; ++i)
4028  {
4029  const MIB_IPFORWARDROW *row = &rt->table[i];
4030  const in_addr_t net = ntohl(row->dwForwardDest);
4031  const in_addr_t mask = ntohl(row->dwForwardMask);
4032  if (mask > nonlocal_netmask && (addr & mask) == net)
4033  {
4034  ret = TLA_LOCAL;
4035  break;
4036  }
4037  }
4038  }
4039 
4040  gc_free(&gc);
4041  return ret;
4042 }
4043 
4044 #else /* if defined(_WIN32) */
4045 
4046 int
4047 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4048 {
4049  if (rgi)
4050  {
4051  if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4052  {
4053  return TLA_LOCAL;
4054  }
4055  else
4056  {
4057  return TLA_NONLOCAL;
4058  }
4059  }
4060  return TLA_NOT_IMPLEMENTED;
4061 }
4062 
4063 #endif /* if defined(_WIN32) */
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3124
#define M_NONFATAL
Definition: error.h:95
#define RG_BYPASS_DNS
Definition: route.h:88
in_addr_t gateway
Definition: route.h:121
in_addr_t addr
Definition: route.h:142
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
static bool add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3118
struct route_gateway_address gateway
Definition: route.h:166
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
unsigned int spec_flags
Definition: route.h:222
Definition: tun.h:151
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition: tun.c:4389
struct route_bypass bypass
Definition: route.h:71
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition: tun.c:4362
struct in6_addr ipv6
Definition: openvpn-msg.h:54
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res)
Definition: socket.c:442
#define GETADDR_WARN_ON_SIGNAL
Definition: socket.h:528
static void print_route_option(const struct route_option *ro, int level)
Definition: route.c:1310
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition: route.c:204
in_addr_t network
Definition: route.h:119
#define LR_ERROR
Definition: route.c:1521
#define D_ROUTE
Definition: errlevel.h:80
#define RL_DID_LOCAL
Definition: route.h:208
static bool do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
Definition: route.c:3014
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:923
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
struct route_ipv6 * next
Definition: route.h:126
int n_bypass
Definition: route.h:56
unsigned int flags
Definition: route.h:66
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3021
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:124
void add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1566
static bool is_route_parm_defined(const char *parm)
Definition: route.c:190
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
unsigned int iflags
Definition: route.h:210
void check_subnet_conflict(const in_addr_t ip, const in_addr_t netmask, const char *prefix)
Definition: tun.c:539
#define dmsg
Definition: error.h:174
struct in6_addr remote_host_ipv6
Definition: route.h:224
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1320
struct in6_addr remote_endpoint_ipv6
Definition: route.h:223
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition: route.c:1463
struct route_option * routes
Definition: route.h:95
static void clear_route_list(struct route_list *rl)
Definition: route.c:526
unsigned int flags
Definition: route.h:127
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2826
in_addr_t bypass[N_ROUTE_BYPASS]
Definition: route.h:57
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:149
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4580
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition: route.c:3879
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition: route.c:533
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:379
in_addr_t netmask
Definition: route.h:143
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition: route.c:2699
const char * metric
Definition: route.h:103
static char * iface
static void add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:942
#define RT_METRIC_DEFINED
Definition: route.h:115
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition: route.c:2608
#define RL_ROUTES_ADDED
Definition: route.h:209
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition: route.h:203
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:140
#define ROUTE_METHOD_SERVICE
Definition: route.h:43
struct route_gateway_info rgi
Definition: route.h:213
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition: route.h:207
static bool do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:3041
struct route_ipv6_gateway_info rgi6
Definition: route.h:227
const char * gateway
Definition: route.h:79
void * openvpn_net_ctx_t
Definition: networking.h:26
struct in6_addr network
Definition: route.h:128
struct route_ipv6_option * routes_ipv6
Definition: route.h:108
struct route_special_addr spec
Definition: route.h:212
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2651
#define ASSERT(x)
Definition: error.h:221
#define IA_NET_ORDER
Definition: socket.h:398
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition: route.c:174
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:2157
#define snprintf
Definition: config-msvc.h:133
static bool route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
Definition: route.c:735
unsigned int flags
Definition: route.h:228
struct tuntap_options options
Definition: tun.h:164
const struct route_option * option
Definition: route.h:118
#define N_ROUTE_BYPASS
Definition: route.h:55
struct route_ipv6 * routes_ipv6
Definition: route.h:229
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
unsigned int flags
Definition: route.h:214
static void print_route(const struct route_ipv4 *r, int level)
Definition: route.c:1411
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition: route.c:93
#define LR_NOMATCH
Definition: route.c:1519
void netcmd_semaphore_lock(void)
Definition: win32.c:859
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3130
int add(int a, int b)
list flags
#define fail()
Definition: cmocka.h:1531
#define RG_ENABLE
Definition: route.h:84
int inet_pton(int af, const char *src, void *dst)
#define WIN_ROUTE_PATH_SUFFIX
Definition: win32.h:37
#define RGI_NETMASK_DEFINED
Definition: route.h:148
unsigned int netbits
Definition: route.h:129
#define RT_ADDED
Definition: route.h:114
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1452
in_addr_t netmask
Definition: route.h:120
#define CLEAR(x)
Definition: basic.h:33
#define IPV4_INVALID_ADDR
Definition: socket.h:432
#define ROUTE_REF_GW
Definition: route.h:51
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2740
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:296
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition: tun.c:4638
#define TLA_NONLOCAL
Definition: route.h:344
#define RG_LOCAL
Definition: route.h:85
bool is_special_addr(const char *addr_str)
Definition: route.c:291
#define RGI_ON_LINK
Definition: route.h:152
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition: buffer.c:474
inet_address_t gateway
Definition: openvpn-msg.h:75
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:615
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
static void add_block_local(struct route_list *rl)
Definition: route.c:582
bool did_ifconfig_setup
Definition: tun.h:159
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition: route.c:1560
static DWORD InterfaceLuid(const char *iface_name, PNET_LUID luid)
Definition: interactive.c:551
struct gc_arena gc
Definition: route.h:216
#define RGI_ADDR_DEFINED
Definition: route.h:147
#define PACKAGE_NAME
Definition: config.h:730
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition: route.h:171
unsigned int iflags
Definition: route.h:220
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:3001
#define OPENVPN_STATE_ADD_ROUTES
Definition: manage.h:484
#define TLA_LOCAL
Definition: route.h:345
#define METRIC_NOT_USED
Definition: route.c:59
#define DEV_TYPE_TUN
Definition: proto.h:37
int type
Definition: tun.h:154
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1002
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:405
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1117
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2777
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition: route.c:1853
#define NETSH_PATH_SUFFIX
Definition: win32.h:36
#define ROUTE_DELETE_FIRST
Definition: route.h:50
unsigned int flags
Definition: route.h:153
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1257
static void gc_freeaddrinfo_callback(void *addr)
Definition: buffer.h:202
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition: route.c:221
#define RT_DEFINED
Definition: route.h:113
struct gc_arena gc
Definition: route.h:230
#define RG_DEF1
Definition: route.h:86
#define RTSA_DEFAULT_METRIC
Definition: route.h:65
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition: route.c:1432
DWORD adapter_index
Definition: route.h:134
in_addr_t remote_endpoint
Definition: route.h:68
struct in6_addr addr_ipv6
Definition: route.h:175
#define RG_BYPASS_DHCP
Definition: route.h:87
#define ROUTE_METHOD_MASK
Definition: route.h:44
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3136
static SERVICE_STATUS status
Definition: automatic.c:43
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:165
const char * netmask
Definition: route.h:78
DWORD adapter_index
Definition: route.h:157
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition: route.c:437
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:540
unsigned int flags
Definition: route.h:117
bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack, const char *context)
Definition: win32.c:1492
#define M_ERRNO
Definition: error.h:99
#define msg
Definition: error.h:173
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:519
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define GETADDR_HOST_ORDER
Definition: socket.h:525
char * get_win_sys_path(void)
Definition: win32.c:1209
DWORD adapter_index
Definition: tun.h:194
char * dest
Definition: compat-lz4.h:686
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:493
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition: error.c:820
unsigned int flags
Definition: route.h:181
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition: tun.c:4495
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:3910
#define RTSA_REMOTE_ENDPOINT
Definition: route.h:63
struct route_ipv4 * next
Definition: route.h:116
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition: route.c:3936
unsigned int flags
Definition: route.h:94
unsigned int flags
Definition: route.h:107
struct gc_arena * gc
Definition: route.h:109
struct in6_addr gateway
Definition: route.h:130
HANDLE msg_channel
Definition: tun.h:75
#define RTSA_REMOTE_HOST
Definition: route.h:64
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition: route.c:1524
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition: route.c:4016
bool did_ifconfig_ipv6_setup
Definition: tun.h:160
struct route_ipv6_gateway_address gateway
Definition: route.h:198
#define RG_BLOCK_LOCAL
Definition: route.h:91
interface_t iface
Definition: openvpn-msg.h:76
int metric
Definition: route.h:131
const char * network
Definition: route.h:77
const char * metric
Definition: route.h:80
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
#define RG_REROUTE_GW
Definition: route.h:89
char name[256]
Definition: openvpn-msg.h:59
#define ROUTE_METHOD_IPAPI
Definition: route.h:41
#define ROUTE_METHOD_EXE
Definition: route.h:42
#define RG_AUTO_LOCAL
Definition: route.h:90
struct route_ipv6_option * next
Definition: route.h:100
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
void show_routes(int msglev)
Definition: route.c:3167
struct gc_arena * gc
Definition: route.h:96
bool add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition: route.c:2896
#define LR_MATCH
Definition: route.c:1520
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition: route.c:304
void netcmd_semaphore_release(void)
Definition: win32.c:875
const char * prefix
Definition: route.h:101
#define TUN_ADAPTER_INDEX_INVALID
Definition: tun.h:56
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition: route.c:3960
#define TLA_NOT_IMPLEMENTED
Definition: route.h:343
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:771
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2716
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:140
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4593
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:2351
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition: tun.c:4671
static void add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:904
#define M_WARN
Definition: error.h:96
#define ROUTE_PATH
Definition: config.h:757
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition: route.c:3945
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:224
struct route_option * next
Definition: route.h:76
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
int remote_host_local
Definition: route.h:70
const char * gateway
Definition: route.h:102
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition: networking.h:44
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition: route.c:3142
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:40
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition: tun.c:4476
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition: route.c:551
#define BSTR(buf)
Definition: buffer.h:129
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:158
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:115
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:968
Definition: argv.h:35
bool openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition: run_command.c:195
char * actual_name
Definition: tun.h:166
struct route_ipv4 * routes
Definition: route.h:215
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition: route.c:2585
static bool do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition: route.c:3072
#define GETADDR_RESOLVE
Definition: socket.h:523
static void redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:994
#define IPV4_NETMASK_HOST
Definition: basic.h:35
in_addr_t remote_host
Definition: route.h:69
uint8_t hwaddr[6]
Definition: route.h:195
int default_metric
Definition: route.h:225
#define D_ROUTE_DEBUG
Definition: errlevel.h:131
static const char * show_opt(const char *option)
Definition: route.c:1297
void add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1876
#define RGI_IFACE_DEFINED
Definition: route.h:150
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
#define DEV_TYPE_TAP
Definition: proto.h:38
int default_metric
Definition: route.h:72
void print_routes(const struct route_list *rl, int level)
Definition: route.c:1422
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition: route.c:2622
bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2978
int metric
Definition: route.h:122
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442