OpenVPN
route.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23/*
24 * Support routines for adding/deleting network routes.
25 */
26#include <stddef.h>
27#include <stdbool.h>
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#include "syshead.h"
34
35#include "common.h"
36#include "error.h"
37#include "route.h"
38#include "run_command.h"
39#include "socket.h"
40#include "manage.h"
41#include "win32.h"
42#include "options.h"
43#include "networking.h"
44#include "integer.h"
45
46#include "memdbg.h"
47
48#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50#endif
51
52#if defined(TARGET_NETBSD)
53#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54#endif
55
56#ifdef _WIN32
57#include "openvpn-msg.h"
58
59#define METRIC_NOT_USED ((DWORD)-1)
60static int add_route_service(const struct route_ipv4 *, const struct tuntap *);
61
62static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63
64static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65
66static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67
68static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
69
70static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt,
71 DWORD adapter_index);
72
73static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
74
75
76#endif
77
78static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
79 const struct route_gateway_info *rgi, const struct env_set *es,
81
82static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
83
84#ifdef ENABLE_DEBUG
85
86static void
87print_bypass_addresses(const struct route_bypass *rb)
88{
89 struct gc_arena gc = gc_new();
90 int i;
91 for (i = 0; i < rb->n_bypass; ++i)
92 {
93 msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc));
94 }
95 gc_free(&gc);
96}
97
98#endif
99
100/* Route addition return status codes */
101#define RTA_ERROR 0 /* route addition failed */
102#define RTA_SUCCESS 1 /* route addition succeeded */
103#define RTA_EEXIST 2 /* route not added as it already exists */
104
105static bool
106add_bypass_address(struct route_bypass *rb, const in_addr_t a)
107{
108 int i;
109 for (i = 0; i < rb->n_bypass; ++i)
110 {
111 if (a == rb->bypass[i]) /* avoid duplicates */
112 {
113 return true;
114 }
115 }
116 if (rb->n_bypass < N_ROUTE_BYPASS)
117 {
118 rb->bypass[rb->n_bypass++] = a;
119 return true;
120 }
121 else
122 {
123 return false;
124 }
125}
126
127struct route_option_list *
129{
130 struct route_option_list *ret;
132 ret->gc = a;
133 return ret;
134}
135
138{
139 struct route_ipv6_option_list *ret;
141 ret->gc = a;
142 return ret;
143}
144
145/*
146 * NOTE: structs are cloned/copied shallow by design.
147 * The routes list from src will stay intact since it is allocated using
148 * the options->gc. The cloned/copied lists will share this common tail
149 * to avoid copying the data around between pulls. Pulled routes use
150 * the c2->gc so they get freed immediately after a reconnect.
151 */
152struct route_option_list *
154{
155 struct route_option_list *ret;
156 ALLOC_OBJ_GC(ret, struct route_option_list, a);
157 *ret = *src;
158 return ret;
159}
160
163{
164 struct route_ipv6_option_list *ret;
165 ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
166 *ret = *src;
167 return ret;
168}
169
170void
172 struct gc_arena *a)
173{
174 *dest = *src;
175 dest->gc = a;
176}
177
178void
180 const struct route_ipv6_option_list *src, struct gc_arena *a)
181{
182 *dest = *src;
183 dest->gc = a;
184}
185
186static const char *
187route_string(const struct route_ipv4 *r, struct gc_arena *gc)
188{
189 struct buffer out = alloc_buf_gc(256, gc);
190 buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc),
191 print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc));
192 if (r->flags & RT_METRIC_DEFINED)
193 {
194 buf_printf(&out, " metric %d", r->metric);
195 }
196 return BSTR(&out);
197}
198
199static bool
201{
202 if (!parm)
203 {
204 return false;
205 }
206 if (!strcmp(parm, "default"))
207 {
208 return false;
209 }
210 return true;
211}
212
213static void
214setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
215{
216 struct gc_arena gc = gc_new();
217 struct buffer name = alloc_buf_gc(256, &gc);
218 if (i >= 0)
219 {
220 buf_printf(&name, "route_%s_%d", key, i);
221 }
222 else
223 {
224 buf_printf(&name, "route_%s", key);
225 }
226 setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
227 gc_free(&gc);
228}
229
230static bool
231get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
232{
233 if (status)
234 {
235 *status = true;
236 }
237 if (!strcmp(string, "vpn_gateway"))
238 {
239 if (rl)
240 {
241 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
242 {
243 *out = rl->spec.remote_endpoint;
244 }
245 else
246 {
247 msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
248 if (status)
249 {
250 *status = false;
251 }
252 }
253 }
254 return true;
255 }
256 else if (!strcmp(string, "net_gateway"))
257 {
258 if (rl)
259 {
260 if (rl->rgi.flags & RGI_ADDR_DEFINED)
261 {
262 *out = rl->rgi.gateway.addr;
263 }
264 else
265 {
267 " ROUTE: net_gateway undefined -- unable to get default gateway from system");
268 if (status)
269 {
270 *status = false;
271 }
272 }
273 }
274 return true;
275 }
276 else if (!strcmp(string, "remote_host"))
277 {
278 if (rl)
279 {
280 if (rl->spec.flags & RTSA_REMOTE_HOST)
281 {
282 *out = rl->spec.remote_host;
283 }
284 else
285 {
286 msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
287 if (status)
288 {
289 *status = false;
290 }
291 }
292 }
293 return true;
294 }
295 return false;
296}
297
298bool
300{
301 if (addr_str)
302 {
304 }
305 else
306 {
307 return false;
308 }
309}
310
311static bool
312init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro,
313 const struct route_list *rl)
314{
316 bool status;
317 int ret;
318 struct in_addr special = { 0 };
319
320 CLEAR(*r);
321 r->option = ro;
322
323 /* network */
325 {
326 goto fail;
327 }
328
329 /* get_special_addr replaces specialaddr with a special ip addr
330 * like gw. getaddrinfo is called to convert a a addrinfo struct */
331
332 if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status))
333 {
334 if (!status)
335 {
336 goto fail;
337 }
338 special.s_addr = htonl(special.s_addr);
339 char buf[INET_ADDRSTRLEN];
340 inet_ntop(AF_INET, &special, buf, sizeof(buf));
341 ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list);
342 }
343 else
344 {
346 NULL, AF_INET, network_list);
347 }
348
349 status = (ret == 0);
350
351 if (!status)
352 {
353 goto fail;
354 }
355
356 /* netmask */
357
359 {
360 r->netmask =
362 if (!status)
363 {
364 goto fail;
365 }
366 }
367 else
368 {
369 r->netmask = default_netmask;
370 }
371
372 /* gateway */
373
375 {
376 if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
377 {
379 ro->gateway, 0, &status, NULL);
380 }
381 if (!status)
382 {
383 goto fail;
384 }
385 }
386 else
387 {
389 {
391 }
392 else
393 {
395 " ROUTE: " PACKAGE_NAME
396 " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
397 goto fail;
398 }
399 }
400
401 /* metric */
402
403 r->metric = 0;
405 {
406 r->metric = atoi(ro->metric);
407 if (r->metric < 0)
408 {
409 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
410 ro->network, ro->metric);
411 goto fail;
412 }
414 }
415 else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
416 {
417 r->metric = rl->spec.default_metric;
419 }
420
421 r->flags |= RT_DEFINED;
422
423 /* routing table id */
424 r->table_id = ro->table_id;
425
426 return true;
427
428fail:
429 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
430 ro->network);
431 return false;
432}
433
434static bool
436 const struct route_ipv6_list *rl6)
437{
438 CLEAR(*r6);
439
440 if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN))
441 {
442 goto fail;
443 }
444
445 /* gateway */
447 {
448 if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1)
449 {
450 msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway);
451 }
452 }
453 else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
454 {
455 r6->gateway = rl6->remote_endpoint_ipv6;
456 }
457
458 /* metric */
459
460 r6->metric = -1;
462 {
463 r6->metric = atoi(r6o->metric);
464 if (r6->metric < 0)
465 {
466 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
467 r6o->prefix, r6o->metric);
468 goto fail;
469 }
470 r6->flags |= RT_METRIC_DEFINED;
471 }
472 else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
473 {
474 r6->metric = rl6->default_metric;
475 r6->flags |= RT_METRIC_DEFINED;
476 }
477
478 r6->flags |= RT_DEFINED;
479
480 /* routing table id */
481 r6->table_id = r6o->table_id;
482
483 return true;
484
485fail:
486 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
487 r6o->prefix);
488 return false;
489}
490
491void
492add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
493 const char *gateway, const char *metric, int table_id)
494{
495 struct route_option *ro;
496 ALLOC_OBJ_GC(ro, struct route_option, l->gc);
497 ro->network = network;
498 ro->netmask = netmask;
499 ro->gateway = gateway;
500 ro->metric = metric;
501 ro->table_id = table_id;
502 ro->next = l->routes;
503 l->routes = ro;
504}
505
506void
508 const char *gateway, const char *metric, int table_id)
509{
510 struct route_ipv6_option *ro;
511 ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
512 ro->prefix = prefix;
513 ro->gateway = gateway;
514 ro->metric = metric;
515 ro->table_id = table_id;
516 ro->next = l->routes_ipv6;
517 l->routes_ipv6 = ro;
518}
519
520static void
522{
523 gc_free(&rl->gc);
524 CLEAR(*rl);
525}
526
527static void
529{
530 gc_free(&rl6->gc);
531 CLEAR(*rl6);
532}
533
534void
535route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
536{
537 ASSERT(rl);
538 rl->spec.remote_endpoint = addr;
540 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
541}
542
543static void
545 in_addr_t target)
546{
547 if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
548 {
549 struct route_ipv4 *r1, *r2;
550 unsigned int l2;
551
552 ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
553 ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
554
555 /* split a route into two smaller blocking routes, and direct them to target */
556 l2 = ((~gateway->netmask) + 1) >> 1;
557 r1->flags = RT_DEFINED;
558 r1->gateway = target;
559 r1->network = gateway->addr & gateway->netmask;
560 r1->netmask = ~(l2 - 1);
561 r1->next = rl->routes;
562 rl->routes = r1;
563
564 *r2 = *r1;
565 r2->network += l2;
566 r2->next = rl->routes;
567 rl->routes = r2;
568 }
569}
570
571static void
573{
574#ifndef TARGET_ANDROID
575 /* add bypass for gateway addr */
577#endif
578
579 /* block access to local subnet */
581
582 /* process additional subnets on gateway interface */
583 for (size_t i = 0; i < rl->rgi.n_addrs; ++i)
584 {
585 const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
586 /* omit the add/subnet in &rl->rgi which we processed above */
587 if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
588 && rl->rgi.gateway.netmask == gwa->netmask))
589 {
591 }
592 }
593}
594
595bool
597{
598 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
599 return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed
601}
602
603bool
604init_route_list(struct route_list *rl, const struct route_option_list *opt,
605 const char *remote_endpoint, int default_metric, in_addr_t remote_host,
606 struct env_set *es, openvpn_net_ctx_t *ctx)
607{
608 struct gc_arena gc = gc_new();
609 bool ret = true;
610
612
613 rl->flags = opt->flags;
614
615 if (remote_host != IPV4_INVALID_ADDR)
616 {
617 rl->spec.remote_host = remote_host;
619 }
620
621 if (default_metric)
622 {
623 rl->spec.default_metric = default_metric;
625 }
626
627 get_default_gateway(&rl->rgi, remote_host != IPV4_INVALID_ADDR ? remote_host : INADDR_ANY, ctx);
628 if (rl->rgi.flags & RGI_ADDR_DEFINED)
629 {
630 setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
631#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
632 print_default_gateway(D_ROUTE, &rl->rgi, NULL);
633#endif
634 }
635 else
636 {
637 dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
638 }
639
640 if (rl->spec.flags & RTSA_REMOTE_HOST)
641 {
642 rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
643 }
644
645 if (is_route_parm_defined(remote_endpoint))
646 {
647 bool defined = false;
650 0, &defined, NULL);
651
652 if (defined)
653 {
654 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
656 }
657 else
658 {
659 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
660 remote_endpoint);
661 ret = false;
662 }
663 }
664
665 if (rl->flags & RG_ENABLE)
666 {
667 if (block_local_needed(rl))
668 {
670 }
672#ifdef ENABLE_DEBUG
673 print_bypass_addresses(&rl->spec.bypass);
674#endif
675 }
676
677 /* parse the routes from opt to rl */
678 {
679 struct route_option *ro;
680 for (ro = opt->routes; ro; ro = ro->next)
681 {
682 struct addrinfo *netlist = NULL;
683 struct route_ipv4 r;
684
685 if (!init_route(&r, &netlist, ro, rl))
686 {
687 ret = false;
688 }
689 else
690 {
691 struct addrinfo *curele;
692 for (curele = netlist; curele; curele = curele->ai_next)
693 {
694 struct route_ipv4 *new;
695 ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
696 *new = r;
697 new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
698 new->next = rl->routes;
699 rl->routes = new;
700 }
701 }
702 if (netlist)
703 {
705 }
706 }
707 }
708
709 gc_free(&gc);
710 return ret;
711}
712
713/* check whether an IPv6 host address is covered by a given route_ipv6
714 * (not the most beautiful implementation in the world, but portable and
715 * "good enough")
716 */
717static bool
718route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
719{
720 unsigned int bits = r6->netbits;
721 int i;
722 unsigned int mask;
723
724 if (bits > 128)
725 {
726 return false;
727 }
728
729 for (i = 0; bits >= 8; i++, bits -= 8)
730 {
731 if (r6->network.s6_addr[i] != host->s6_addr[i])
732 {
733 return false;
734 }
735 }
736
737 if (bits == 0)
738 {
739 return true;
740 }
741
742 mask = 0xff << (8 - bits);
743
744 if ((r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask))
745 {
746 return true;
747 }
748
749 return false;
750}
751
752bool
754 const char *remote_endpoint, int default_metric,
755 const struct in6_addr *remote_host_ipv6, struct env_set *es,
757{
758 struct gc_arena gc = gc_new();
759 bool ret = true;
760 bool need_remote_ipv6_route;
761
763
764 rl6->flags = opt6->flags;
765
766 if (remote_host_ipv6)
767 {
768 rl6->remote_host_ipv6 = *remote_host_ipv6;
770 }
771
772 if (default_metric >= 0)
773 {
774 rl6->default_metric = default_metric;
776 }
777
778 msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
779 remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a");
780
781 get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
782 if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
783 {
784 setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
785#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
786 print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
787#endif
788 }
789 else
790 {
791 dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
792 }
793
794 if (is_route_parm_defined(remote_endpoint))
795 {
796 if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1)
797 {
799 }
800 else
801 {
802 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s",
803 remote_endpoint);
804 ret = false;
805 }
806 }
807
808 /* parse the routes from opt6 to rl6
809 * discovering potential overlaps with remote_host_ipv6 in the process
810 */
811 need_remote_ipv6_route = false;
812
813 {
814 struct route_ipv6_option *ro6;
815 for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
816 {
817 struct route_ipv6 *r6;
818 ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
819 if (!init_route_ipv6(r6, ro6, rl6))
820 {
821 ret = false;
822 }
823 else
824 {
825 r6->next = rl6->routes_ipv6;
826 rl6->routes_ipv6 = r6;
827
828#ifndef TARGET_ANDROID
829 /* On Android the VPNService protect function call will take of
830 * avoiding routing loops, so ignore this part and let
831 * need_remote_ipv6_route always evaluate to false
832 */
833 if (remote_host_ipv6 && route_ipv6_match_host(r6, remote_host_ipv6))
834 {
835 need_remote_ipv6_route = true;
836 msg(D_ROUTE,
837 "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
838 print_in6_addr(r6->network, 0, &gc), r6->netbits,
839 print_in6_addr(*remote_host_ipv6, 0, &gc));
840 }
841#endif
842 }
843 }
844 }
845
846 /* add VPN server host route if needed */
847 if (need_remote_ipv6_route)
848 {
851 {
852 struct route_ipv6 *r6;
853 ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
854
855 r6->network = *remote_host_ipv6;
856 r6->netbits = 128;
857 if (!(rl6->rgi6.flags & RGI_ON_LINK))
858 {
859 r6->gateway = rl6->rgi6.gateway.addr_ipv6;
860 }
861 r6->metric = 1;
862#ifdef _WIN32
863 r6->adapter_index = rl6->rgi6.adapter_index;
864#else
865 r6->iface = rl6->rgi6.iface;
866#endif
868
869 r6->next = rl6->routes_ipv6;
870 rl6->routes_ipv6 = r6;
871 }
872 else
873 {
874 msg(M_WARN,
875 "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n");
876 }
877 }
878
879 gc_free(&gc);
880 return ret;
881}
882
883static bool
884add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
885 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
887{
888 struct route_ipv4 r;
889 CLEAR(r);
890 r.flags = RT_DEFINED;
891 r.network = network;
892 r.netmask = netmask;
893 r.gateway = gateway;
894 return add_route(&r, tt, flags, rgi, es, ctx);
895}
896
897static void
898del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
899 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
901{
902 struct route_ipv4 r;
903 CLEAR(r);
905 r.network = network;
906 r.netmask = netmask;
907 r.gateway = gateway;
908 delete_route(&r, tt, flags, rgi, es, ctx);
909}
910
911static bool
912add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
913 unsigned int flags, const struct route_gateway_info *rgi,
914 const struct env_set *es, openvpn_net_ctx_t *ctx)
915{
916 int ret = true;
917 for (int i = 0; i < rb->n_bypass; ++i)
918 {
919 if (rb->bypass[i])
920 {
922 rgi, es, ctx)
923 && ret;
924 }
925 }
926 return ret;
927}
928
929static void
930del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
931 unsigned int flags, const struct route_gateway_info *rgi,
932 const struct env_set *es, openvpn_net_ctx_t *ctx)
933{
934 int i;
935 for (i = 0; i < rb->n_bypass; ++i)
936 {
937 if (rb->bypass[i])
938 {
940 ctx);
941 }
942 }
943}
944
945static bool
946redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
947 const struct env_set *es, openvpn_net_ctx_t *ctx)
948{
949 const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
950 bool ret = true;
951
952 if (rl && rl->flags & RG_ENABLE)
953 {
954 bool local = rl->flags & RG_LOCAL;
955
956 if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
957 {
958 msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
959 ret = false;
960 }
961 /*
962 * check if a default route is defined, unless:
963 * - we are connecting to a remote host in our network
964 * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
965 */
966 else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
967 && (rl->spec.flags & RTSA_REMOTE_HOST))
968 {
969 msg(M_WARN, "%s Cannot read current default gateway from system", err);
970 ret = false;
971 }
972 else
973 {
974#ifndef TARGET_ANDROID
975 if (rl->flags & RG_AUTO_LOCAL)
976 {
977 const int tla = rl->spec.remote_host_local;
978 if (tla == TLA_NONLOCAL)
979 {
980 dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
981 local = false;
982 }
983 else if (tla == TLA_LOCAL)
984 {
985 dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
986 local = true;
987 }
988 }
989 if (!local)
990 {
991 /* route remote host to original default gateway */
992 /* if remote_host is not ipv4 (ie: ipv6), just skip
993 * adding this special /32 route */
994 if ((rl->spec.flags & RTSA_REMOTE_HOST)
996 {
998 tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
999 if (ret)
1000 {
1001 rl->iflags |= RL_DID_LOCAL;
1002 }
1003 }
1004 else
1005 {
1006 dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1007 }
1008 }
1009#endif /* ifndef TARGET_ANDROID */
1010
1011 /* route DHCP/DNS server traffic through original default gateway */
1012 ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es,
1013 ctx)
1014 && ret;
1015
1016 if (rl->flags & RG_REROUTE_GW)
1017 {
1018 if (rl->flags & RG_DEF1)
1019 {
1020 /* add new default route (1st component) */
1021 ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1022 &rl->rgi, es, ctx)
1023 && ret;
1024
1025 /* add new default route (2nd component) */
1026 ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1027 &rl->rgi, es, ctx)
1028 && ret;
1029 }
1030 else
1031 {
1032 /* don't try to remove the def route if it does not exist */
1033 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1034 {
1035 /* delete default route */
1036 del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi,
1037 es, ctx);
1038 }
1039
1040 /* add new default route */
1041 ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx)
1042 && ret;
1043 }
1044 }
1045
1046 /* set a flag so we can undo later */
1048 }
1049 }
1050 return ret;
1051}
1052
1053static void
1055 unsigned int flags, const struct env_set *es,
1056 openvpn_net_ctx_t *ctx)
1057{
1059 {
1060 /* delete remote host route */
1061 if (rl->iflags & RL_DID_LOCAL)
1062 {
1064 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1065 rl->iflags &= ~RL_DID_LOCAL;
1066 }
1067
1068 /* delete special DHCP/DNS bypass route */
1069 del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx);
1070
1071 if (rl->flags & RG_REROUTE_GW)
1072 {
1073 if (rl->flags & RG_DEF1)
1074 {
1075 /* delete default route (1st component) */
1076 del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1077 es, ctx);
1078
1079 /* delete default route (2nd component) */
1080 del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1081 es, ctx);
1082 }
1083 else
1084 {
1085 /* delete default route */
1086 del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx);
1087 /* restore original default route if there was any */
1088 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1089 {
1090 add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es,
1091 ctx);
1092 }
1093 }
1094 }
1095
1096 rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY;
1097 }
1098}
1099
1100bool
1101add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1102 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1103{
1104 bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1105 if (rl && !(rl->iflags & RL_ROUTES_ADDED))
1106 {
1107 struct route_ipv4 *r;
1108
1109 if (rl->routes && !tt->did_ifconfig_setup)
1110 {
1111 msg(M_INFO,
1112 "WARNING: OpenVPN was configured to add an IPv4 "
1113 "route. However, no IPv4 has been configured for %s, "
1114 "therefore the route installation may fail or may not work "
1115 "as expected.",
1116 tt->actual_name);
1117 }
1118
1119#ifdef ENABLE_MANAGEMENT
1120 if (management && rl->routes)
1121 {
1123 NULL);
1124 }
1125#endif
1126
1127 for (r = rl->routes; r; r = r->next)
1128 {
1130 {
1131 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1132 }
1133 ret = add_route(r, tt, flags, &rl->rgi, es, ctx) && ret;
1134 }
1135 rl->iflags |= RL_ROUTES_ADDED;
1136 }
1137 if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED))
1138 {
1139 struct route_ipv6 *r;
1140
1141 if (!tt->did_ifconfig_ipv6_setup)
1142 {
1143 msg(M_INFO,
1144 "WARNING: OpenVPN was configured to add an IPv6 "
1145 "route. However, no IPv6 has been configured for %s, "
1146 "therefore the route installation may fail or may not work "
1147 "as expected.",
1148 tt->actual_name);
1149 }
1150
1151 for (r = rl6->routes_ipv6; r; r = r->next)
1152 {
1154 {
1155 delete_route_ipv6(r, tt, es, ctx);
1156 }
1157 ret = add_route_ipv6(r, tt, flags, es, ctx) && ret;
1158 }
1159 rl6->iflags |= RL_ROUTES_ADDED;
1160 }
1161
1162 return ret;
1163}
1164
1165void
1166delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1167 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1168{
1169 delete_routes_v4(rl, tt, flags, es, ctx);
1170 delete_routes_v6(rl6, tt, flags, es, ctx);
1171}
1172
1173void
1174delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
1175 const struct env_set *es, openvpn_net_ctx_t *ctx)
1176{
1177 if (rl && (rl->iflags & RL_ROUTES_ADDED))
1178 {
1179 struct route_ipv4 *r;
1180 for (r = rl->routes; r; r = r->next)
1181 {
1182 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1183 }
1184 rl->iflags &= ~RL_ROUTES_ADDED;
1185 }
1186
1188
1189 if (rl)
1190 {
1191 clear_route_list(rl);
1192 }
1193}
1194
1195void
1196delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
1197 const struct env_set *es, openvpn_net_ctx_t *ctx)
1198{
1199 if (rl6 && (rl6->iflags & RL_ROUTES_ADDED))
1200 {
1201 struct route_ipv6 *r6;
1202 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1203 {
1204 delete_route_ipv6(r6, tt, es, ctx);
1205 }
1206 rl6->iflags &= ~RL_ROUTES_ADDED;
1207 }
1208
1209 if (rl6)
1210 {
1212 }
1213}
1214
1215#ifndef ENABLE_SMALL
1216
1217static const char *
1218show_opt(const char *option)
1219{
1220 if (!option)
1221 {
1222 return "default (not set)";
1223 }
1224 else
1225 {
1226 return option;
1227 }
1228}
1229
1230static void
1231print_route_option(const struct route_option *ro, msglvl_t msglevel)
1232{
1233 msg(msglevel, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask),
1234 show_opt(ro->gateway), show_opt(ro->metric));
1235}
1236
1237void
1239{
1240 struct route_option *ro;
1241 if (rol->flags & RG_ENABLE)
1242 {
1243 msg(msglevel, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0);
1244 }
1245 for (ro = rol->routes; ro; ro = ro->next)
1246 {
1247 print_route_option(ro, msglevel);
1248 }
1249}
1250
1251void
1252print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi,
1253 const struct route_ipv6_gateway_info *rgi6)
1254{
1255 struct gc_arena gc = gc_new();
1256 if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1257 {
1258 struct buffer out = alloc_buf_gc(256, &gc);
1259 buf_printf(&out, "ROUTE_GATEWAY");
1260 if (rgi->flags & RGI_ON_LINK)
1261 {
1262 buf_printf(&out, " ON_LINK");
1263 }
1264 else
1265 {
1266 buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1267 }
1268 if (rgi->flags & RGI_NETMASK_DEFINED)
1269 {
1270 buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1271 }
1272#ifdef _WIN32
1273 if (rgi->flags & RGI_IFACE_DEFINED)
1274 {
1275 buf_printf(&out, " I=%lu", rgi->adapter_index);
1276 }
1277#else
1278 if (rgi->flags & RGI_IFACE_DEFINED)
1279 {
1280 buf_printf(&out, " IFACE=%s", rgi->iface);
1281 }
1282#endif
1283 if (rgi->flags & RGI_HWADDR_DEFINED)
1284 {
1285 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1286 }
1287 msg(msglevel, "%s", BSTR(&out));
1288 }
1289
1290 if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1291 {
1292 struct buffer out = alloc_buf_gc(256, &gc);
1293 buf_printf(&out, "ROUTE6_GATEWAY");
1294 buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1295 if (rgi6->flags & RGI_ON_LINK)
1296 {
1297 buf_printf(&out, " ON_LINK");
1298 }
1299 if (rgi6->flags & RGI_NETMASK_DEFINED)
1300 {
1301 buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1302 }
1303#ifdef _WIN32
1304 if (rgi6->flags & RGI_IFACE_DEFINED)
1305 {
1306 buf_printf(&out, " I=%lu", rgi6->adapter_index);
1307 }
1308#else
1309 if (rgi6->flags & RGI_IFACE_DEFINED)
1310 {
1311 buf_printf(&out, " IFACE=%s", rgi6->iface);
1312 }
1313#endif
1314 if (rgi6->flags & RGI_HWADDR_DEFINED)
1315 {
1316 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1317 }
1318 msg(msglevel, "%s", BSTR(&out));
1319 }
1320 gc_free(&gc);
1321}
1322
1323#endif /* ifndef ENABLE_SMALL */
1324
1325static void
1326print_route(const struct route_ipv4 *r, msglvl_t msglevel)
1327{
1328 struct gc_arena gc = gc_new();
1329 if (r->flags & RT_DEFINED)
1330 {
1331 msg(msglevel, "%s", route_string(r, &gc));
1332 }
1333 gc_free(&gc);
1334}
1335
1336void
1337print_routes(const struct route_list *rl, msglvl_t msglevel)
1338{
1339 struct route_ipv4 *r;
1340 for (r = rl->routes; r; r = r->next)
1341 {
1342 print_route(r, msglevel);
1343 }
1344}
1345
1346static void
1347setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1348{
1349 struct gc_arena gc = gc_new();
1350 if (r->flags & RT_DEFINED)
1351 {
1352 setenv_route_addr(es, "network", r->network, i);
1353 setenv_route_addr(es, "netmask", r->netmask, i);
1354 setenv_route_addr(es, "gateway", r->gateway, i);
1355
1356 if (r->flags & RT_METRIC_DEFINED)
1357 {
1358 struct buffer name = alloc_buf_gc(256, &gc);
1359 buf_printf(&name, "route_metric_%d", i);
1360 setenv_int(es, BSTR(&name), r->metric);
1361 }
1362 }
1363 gc_free(&gc);
1364}
1365
1366void
1367setenv_routes(struct env_set *es, const struct route_list *rl)
1368{
1369 int i = 1;
1370 struct route_ipv4 *r;
1371 for (r = rl->routes; r; r = r->next)
1372 {
1373 setenv_route(es, r, i++);
1374 }
1375}
1376
1377static void
1378setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1379{
1380 struct gc_arena gc = gc_new();
1381 if (r6->flags & RT_DEFINED)
1382 {
1383 struct buffer name1 = alloc_buf_gc(256, &gc);
1384 struct buffer val = alloc_buf_gc(256, &gc);
1385 struct buffer name2 = alloc_buf_gc(256, &gc);
1386
1387 buf_printf(&name1, "route_ipv6_network_%d", i);
1388 buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits);
1389 setenv_str(es, BSTR(&name1), BSTR(&val));
1390
1391 buf_printf(&name2, "route_ipv6_gateway_%d", i);
1392 setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc));
1393
1394 if (r6->flags & RT_METRIC_DEFINED)
1395 {
1396 struct buffer name3 = alloc_buf_gc(256, &gc);
1397 buf_printf(&name3, "route_ipv6_metric_%d", i);
1398 setenv_int(es, BSTR(&name3), r6->metric);
1399 }
1400 }
1401 gc_free(&gc);
1402}
1403void
1405{
1406 int i = 1;
1407 struct route_ipv6 *r6;
1408 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1409 {
1410 setenv_route_ipv6(es, r6, i++);
1411 }
1412}
1413
1414/*
1415 * local_route() determines whether the gateway of a provided host
1416 * route is on the same interface that owns the default gateway.
1417 * It uses the data structure
1418 * returned by get_default_gateway() (struct route_gateway_info)
1419 * to determine this. If the route is local, LR_MATCH is returned.
1420 * When adding routes into the kernel, if LR_MATCH is defined for
1421 * a given route, the route should explicitly reference the default
1422 * gateway interface as the route destination. For example, here
1423 * is an example on Linux that uses LR_MATCH:
1424 *
1425 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1426 *
1427 * This capability is needed by the "default-gateway block-local"
1428 * directive, to allow client access to the local subnet to be
1429 * blocked but still allow access to the local default gateway.
1430 */
1431
1432/* local_route() return values */
1433#define LR_NOMATCH 0 /* route is not local */
1434#define LR_MATCH 1 /* route is local */
1435#define LR_ERROR 2 /* caller should abort adding route */
1436
1437static int
1438local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway,
1439 const struct route_gateway_info *rgi)
1440{
1441 /* set LR_MATCH on local host routes */
1442 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED);
1443 if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr
1444 && netmask == 0xFFFFFFFF)
1445 {
1446 if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1447 {
1448 return LR_MATCH;
1449 }
1450 else
1451 {
1452 /* examine additional subnets on gateway interface */
1453 size_t i;
1454 for (i = 0; i < rgi->n_addrs; ++i)
1455 {
1456 const struct route_gateway_address *gwa = &rgi->addrs[i];
1457 if (((network ^ gwa->addr) & gwa->netmask) == 0)
1458 {
1459 return LR_MATCH;
1460 }
1461 }
1462 }
1463 }
1464 return LR_NOMATCH;
1465}
1466
1467/* Return true if the "on-link" form of the route should be used. This is when the gateway for
1468 * a route is specified as an interface rather than an address. */
1469#if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
1470static inline bool
1471is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1472{
1473 return rgi
1474 && (is_local_route == LR_MATCH
1475 || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1476}
1477#endif
1478
1479bool
1480add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
1481 const struct route_gateway_info *rgi, /* may be NULL */
1482 const struct env_set *es, openvpn_net_ctx_t *ctx)
1483{
1484 int status = 0;
1485 int is_local_route;
1486
1487 if (!(r->flags & RT_DEFINED))
1488 {
1489 return true; /* no error */
1490 }
1491
1492 struct argv argv = argv_new();
1493 struct gc_arena gc = gc_new();
1494
1495#if !defined(TARGET_LINUX)
1496 const char *network = print_in_addr_t(r->network, 0, &gc);
1497#if !defined(TARGET_AIX)
1498 const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1499#endif
1500 const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1501#endif
1502
1503 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1504 if (is_local_route == LR_ERROR)
1505 {
1506 goto done;
1507 }
1508
1509#if defined(TARGET_LINUX)
1510 const char *iface = NULL;
1511 int metric = -1;
1512
1513 if (is_on_link(is_local_route, flags, rgi))
1514 {
1515 iface = rgi->iface;
1516 }
1517
1518 if (r->flags & RT_METRIC_DEFINED)
1519 {
1520 metric = r->metric;
1521 }
1522
1523
1525 int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway,
1526 iface, r->table_id, metric);
1527 if (ret == -EEXIST)
1528 {
1529 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1531 }
1532 else if (ret < 0)
1533 {
1534 msg(M_WARN, "ERROR: Linux route add command failed");
1535 status = RTA_ERROR;
1536 }
1537
1538#elif defined(TARGET_ANDROID)
1539 char out[128];
1540
1541 if (rgi)
1542 {
1543 snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1544 }
1545 else
1546 {
1547 snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1548 }
1549 bool ret = management_android_control(management, "ROUTE", out);
1550 status = ret ? RTA_SUCCESS : RTA_ERROR;
1551
1552#elif defined(_WIN32)
1553 {
1554 DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1555 argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
1556 network, netmask, gateway);
1557 if (r->flags & RT_METRIC_DEFINED)
1558 {
1559 argv_printf_cat(&argv, "METRIC %d", r->metric);
1560 }
1561 if (is_on_link(is_local_route, flags, rgi))
1562 {
1563 ai = rgi->adapter_index;
1564 argv_printf_cat(&argv, "IF %lu", ai);
1565 }
1566
1568
1569 const char *method = "service";
1570 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1571 {
1572 status = add_route_service(r, tt);
1573 }
1574 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1575 {
1576 status = add_route_ipapi(r, tt, ai);
1577 method = "ipapi";
1578 }
1579 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1580 {
1582 bool ret =
1583 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1584 status = ret ? RTA_SUCCESS : RTA_ERROR;
1586 method = "route.exe";
1587 }
1588 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1589 {
1590 status = add_route_ipapi(r, tt, ai);
1591 method = "ipapi [adaptive]";
1592 if (status == RTA_ERROR)
1593 {
1594 msg(D_ROUTE, "Route addition fallback to route.exe");
1596 bool ret = openvpn_execve_check(
1597 &argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1598 status = ret ? RTA_SUCCESS : RTA_ERROR;
1600 method = "route.exe";
1601 }
1602 }
1603 else
1604 {
1605 ASSERT(0);
1606 }
1607 if (status != RTA_ERROR) /* error is logged upstream */
1608 {
1609 msg(D_ROUTE, "Route addition via %s %s", method,
1610 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
1611 }
1612 }
1613
1614#elif defined(TARGET_SOLARIS)
1615
1616 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1617
1618 argv_printf(&argv, "%s add", ROUTE_PATH);
1619
1620 argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway);
1621
1622 /* Solaris can only distinguish between "metric 0" == "on-link on the
1623 * interface where the IP address given is configured" and "metric > 0"
1624 * == "use gateway specified" (no finer-grained route metrics available)
1625 *
1626 * More recent versions of Solaris can also do "-interface", but that
1627 * would break backwards compatibility with older versions for no gain.
1628 */
1629 if (r->flags & RT_METRIC_DEFINED)
1630 {
1631 argv_printf_cat(&argv, "%d", r->metric);
1632 }
1633
1635 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1636 status = ret ? RTA_SUCCESS : RTA_ERROR;
1637
1638#elif defined(TARGET_FREEBSD)
1639
1640 argv_printf(&argv, "%s add", ROUTE_PATH);
1641
1642#if 0
1643 if (r->flags & RT_METRIC_DEFINED)
1644 {
1645 argv_printf_cat(&argv, "-rtt %d", r->metric);
1646 }
1647#endif
1648
1649 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1650
1651 /* FIXME -- add on-link support for FreeBSD */
1652
1654 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1655 status = ret ? RTA_SUCCESS : RTA_ERROR;
1656
1657#elif defined(TARGET_DRAGONFLY)
1658
1659 argv_printf(&argv, "%s add", ROUTE_PATH);
1660
1661#if 0
1662 if (r->flags & RT_METRIC_DEFINED)
1663 {
1664 argv_printf_cat(&argv, "-rtt %d", r->metric);
1665 }
1666#endif
1667
1668 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1669
1670 /* FIXME -- add on-link support for Dragonfly */
1671
1673 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1674 status = ret ? RTA_SUCCESS : RTA_ERROR;
1675
1676#elif defined(TARGET_DARWIN)
1677
1678 argv_printf(&argv, "%s add", ROUTE_PATH);
1679
1680#if 0
1681 if (r->flags & RT_METRIC_DEFINED)
1682 {
1683 argv_printf_cat(&argv, "-rtt %d", r->metric);
1684 }
1685#endif
1686
1687 if (is_on_link(is_local_route, flags, rgi))
1688 {
1689 /* Mac OS X route syntax for ON_LINK:
1690 * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1691 argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask,
1692 rgi->iface);
1693 }
1694 else
1695 {
1696 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1697 }
1698
1700 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1701 status = ret ? RTA_SUCCESS : RTA_ERROR;
1702
1703#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1704
1705 argv_printf(&argv, "%s add", ROUTE_PATH);
1706
1707#if 0
1708 if (r->flags & RT_METRIC_DEFINED)
1709 {
1710 argv_printf_cat(&argv, "-rtt %d", r->metric);
1711 }
1712#endif
1713
1714 argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);
1715
1716 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1717
1719 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1720 status = ret ? RTA_SUCCESS : RTA_ERROR;
1721
1722#elif defined(TARGET_AIX)
1723
1724 {
1725 int netbits = netmask_to_netbits2(r->netmask);
1726 argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
1728 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1729 status = ret ? RTA_SUCCESS : RTA_ERROR;
1730 }
1731
1732#elif defined(TARGET_HAIKU)
1733
1734 /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
1735 argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
1736 gateway, netmask);
1738 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed");
1739 status = ret ? RTA_SUCCESS : RTA_ERROR;
1740
1741#else /* if defined(TARGET_LINUX) */
1742 msg(M_FATAL,
1743 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1744#endif /* if defined(TARGET_LINUX) */
1745
1746done:
1747 if (status == RTA_SUCCESS)
1748 {
1749 r->flags |= RT_ADDED;
1750 }
1751 else
1752 {
1753 r->flags &= ~RT_ADDED;
1754 }
1755 argv_free(&argv);
1756 gc_free(&gc);
1757 /* release resources potentially allocated during route setup */
1758 net_ctx_reset(ctx);
1759
1760 return (status != RTA_ERROR);
1761}
1762
1763#if defined(__GNUC__) || defined(__clang__)
1764#pragma GCC diagnostic push
1765#pragma GCC diagnostic ignored "-Wconversion"
1766#endif
1767
1768void
1770{
1771 /* clear host bit parts of route
1772 * (needed if routes are specified improperly, or if we need to
1773 * explicitly setup/clear the "connected" network routes on some OSes)
1774 */
1775 int byte = 15;
1776 int bits_to_clear = 128 - r6->netbits;
1777
1778 while (byte >= 0 && bits_to_clear > 0)
1779 {
1780 if (bits_to_clear >= 8)
1781 {
1782 r6->network.s6_addr[byte--] = 0;
1783 bits_to_clear -= 8;
1784 }
1785 else
1786 {
1787 r6->network.s6_addr[byte--] &= (0xff << bits_to_clear);
1788 bits_to_clear = 0;
1789 }
1790 }
1791}
1792
1793bool
1794add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags,
1795 const struct env_set *es, openvpn_net_ctx_t *ctx)
1796{
1797 int status = 0;
1798 bool gateway_needed = false;
1799
1800 if (!(r6->flags & RT_DEFINED))
1801 {
1802 return true; /* no error */
1803 }
1804
1805 struct argv argv = argv_new();
1806 struct gc_arena gc = gc_new();
1807
1808#ifndef _WIN32
1809 const char *device = tt->actual_name;
1810 if (r6->iface != NULL) /* vpn server special route */
1811 {
1812 device = r6->iface;
1813 if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1814 {
1815 gateway_needed = true;
1816 }
1817 }
1818#endif
1819
1821 const char *network = print_in6_addr(r6->network, 0, &gc);
1822 const char *gateway = print_in6_addr(r6->gateway, 0, &gc);
1823
1824#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1825 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1826
1827 /* the BSD platforms cannot specify gateway and interface independently,
1828 * but for link-local destinations, we MUST specify the interface, so
1829 * we build a combined "$gateway%$interface" gateway string
1830 */
1831 if (r6->iface != NULL && gateway_needed
1832 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
1833 {
1834 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
1835 char *tmp = gc_malloc(len, true, &gc);
1836 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
1837 gateway = tmp;
1838 }
1839#endif
1840
1841#ifndef _WIN32
1842 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway,
1843 r6->metric, device);
1844#else
1845 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway,
1846 r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index);
1847#endif
1848
1849 /*
1850 * Filter out routes which are essentially no-ops
1851 * (not currently done for IPv6)
1852 */
1853
1854 /* On "tun" interface, we never set a gateway if the operating system
1855 * can do "route to interface" - it does not add value, as the target
1856 * dev already fully qualifies the route destination on point-to-point
1857 * interfaces. OTOH, on "tap" interface, we must always set the
1858 * gateway unless the route is to be an on-link network
1859 */
1860 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
1861 {
1862 gateway_needed = true;
1863 }
1864
1865 if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1866 {
1867 msg(M_WARN,
1868 "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1869 "parameter for a --route-ipv6 option and no default was set via "
1870 "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1871 "IPv6 route to %s/%d.",
1872 network, r6->netbits);
1873 status = 0;
1874 goto done;
1875 }
1876
1877#if defined(TARGET_LINUX)
1878 int metric = -1;
1879 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1880 {
1881 metric = r6->metric;
1882 }
1883
1885 int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
1886 device, r6->table_id, metric);
1887 if (ret == -EEXIST)
1888 {
1889 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1891 }
1892 else if (ret < 0)
1893 {
1894 msg(M_WARN, "ERROR: Linux route add command failed");
1895 status = RTA_ERROR;
1896 }
1897
1898#elif defined(TARGET_ANDROID)
1899 char out[64];
1900
1901 snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1902
1903 status = management_android_control(management, "ROUTE6", out);
1904
1905#elif defined(_WIN32)
1906
1907 if (tt->options.msg_channel)
1908 {
1910 }
1911 else
1912 {
1913 status = route_ipv6_ipapi(true, r6, tt);
1914 }
1915#elif defined(TARGET_SOLARIS)
1916
1917 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1918
1919 /* for some reason, routes to tun/tap do not work for me unless I set
1920 * "metric 0" - otherwise, the routes will be nicely installed, but
1921 * packets will just disappear somewhere. So we always use "0" now,
1922 * unless the route points to "gateway on other interface"...
1923 *
1924 * (Note: OpenSolaris can not specify host%interface gateways, so we just
1925 * use the GW addresses - it seems to still work for fe80:: addresses,
1926 * however this is done internally. NUD maybe?)
1927 */
1928 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1929
1930 /* on tun (not tap), not "elsewhere"? -> metric 0 */
1931 if (tt->type == DEV_TYPE_TUN && !r6->iface)
1932 {
1933 argv_printf_cat(&argv, "0");
1934 }
1935
1937 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
1938 status = ret ? RTA_SUCCESS : RTA_ERROR;
1939
1940#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1941
1942 argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
1943
1944 if (gateway_needed)
1945 {
1946 argv_printf_cat(&argv, "%s", gateway);
1947 }
1948 else
1949 {
1950 argv_printf_cat(&argv, "-iface %s", device);
1951 }
1952
1954 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
1955 status = ret ? RTA_SUCCESS : RTA_ERROR;
1956
1957#elif defined(TARGET_DARWIN)
1958
1959 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
1960
1961 if (gateway_needed)
1962 {
1963 argv_printf_cat(&argv, "%s", gateway);
1964 }
1965 else
1966 {
1967 argv_printf_cat(&argv, "-iface %s", device);
1968 }
1969
1971 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
1972 status = ret ? RTA_SUCCESS : RTA_ERROR;
1973
1974#elif defined(TARGET_OPENBSD)
1975
1976 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
1977 gateway);
1978
1980 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
1981 status = ret ? RTA_SUCCESS : RTA_ERROR;
1982
1983#elif defined(TARGET_NETBSD)
1984
1985 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1986
1988 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
1989 status = ret ? RTA_SUCCESS : RTA_ERROR;
1990
1991#elif defined(TARGET_AIX)
1992
1993 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1995 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1996 status = ret ? RTA_SUCCESS : RTA_ERROR;
1997
1998#elif defined(TARGET_HAIKU)
1999
2000 /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2001 argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2002 gateway, r6->netbits);
2004 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed");
2005 status = ret ? RTA_SUCCESS : RTA_ERROR;
2006
2007#else /* if defined(TARGET_LINUX) */
2008 msg(M_FATAL,
2009 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2010#endif /* if defined(TARGET_LINUX) */
2011
2012done:
2013 if (status == RTA_SUCCESS)
2014 {
2015 r6->flags |= RT_ADDED;
2016 }
2017 else
2018 {
2019 r6->flags &= ~RT_ADDED;
2020 }
2021 argv_free(&argv);
2022 gc_free(&gc);
2023 /* release resources potentially allocated during route setup */
2024 net_ctx_reset(ctx);
2025
2026 return (status != RTA_ERROR);
2027}
2028
2029static void
2030delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
2031 const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
2032{
2033#if !defined(TARGET_LINUX)
2034 const char *network;
2035#if !defined(TARGET_AIX)
2036 const char *netmask;
2037#endif
2038#if !defined(TARGET_ANDROID)
2039 const char *gateway;
2040#endif
2041#else /* if !defined(TARGET_LINUX) */
2042 int metric;
2043#endif
2044 int is_local_route;
2045
2046 if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2047 {
2048 return;
2049 }
2050
2051 struct gc_arena gc = gc_new();
2052 struct argv argv = argv_new();
2053
2054#if !defined(TARGET_LINUX)
2055 network = print_in_addr_t(r->network, 0, &gc);
2056#if !defined(TARGET_AIX)
2057 netmask = print_in_addr_t(r->netmask, 0, &gc);
2058#endif
2059#if !defined(TARGET_ANDROID)
2060 gateway = print_in_addr_t(r->gateway, 0, &gc);
2061#endif
2062#endif
2063
2064 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2065 if (is_local_route == LR_ERROR)
2066 {
2067 goto done;
2068 }
2069
2070#if defined(TARGET_LINUX)
2071 metric = -1;
2072 if (r->flags & RT_METRIC_DEFINED)
2073 {
2074 metric = r->metric;
2075 }
2076
2077 if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL,
2078 r->table_id, metric)
2079 < 0)
2080 {
2081 msg(M_WARN, "ERROR: Linux route delete command failed");
2082 }
2083#elif defined(_WIN32)
2084
2085 argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
2086 network, netmask, gateway);
2087
2089
2090 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2091 {
2092 const bool status = del_route_service(r, tt);
2093 msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2094 }
2095 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2096 {
2097 const bool status = del_route_ipapi(r, tt);
2098 msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2099 }
2100 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2101 {
2103 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2105 }
2106 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2107 {
2108 const bool status = del_route_ipapi(r, tt);
2109 msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2110 if (!status)
2111 {
2112 msg(D_ROUTE, "Route deletion fallback to route.exe");
2115 "ERROR: Windows route delete command failed [adaptive]");
2117 }
2118 }
2119 else
2120 {
2121 ASSERT(0);
2122 }
2123
2124#elif defined(TARGET_SOLARIS)
2125
2126 argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway);
2127
2129 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2130
2131#elif defined(TARGET_FREEBSD)
2132
2133 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2134
2136 openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2137
2138#elif defined(TARGET_DRAGONFLY)
2139
2140 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2141
2143 openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2144
2145#elif defined(TARGET_DARWIN)
2146
2147 if (is_on_link(is_local_route, flags, rgi))
2148 {
2149 argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH,
2150 network, netmask, rgi->iface);
2151 }
2152 else
2153 {
2154 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2155 }
2156
2158 openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2159
2160#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2161
2162 argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask);
2163
2165 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2166
2167#elif defined(TARGET_ANDROID)
2168 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2169 "needed. The VpnService API allows routes to be set "
2170 "on connect only and will clean up automatically.");
2171#elif defined(TARGET_AIX)
2172
2173 {
2174 int netbits = netmask_to_netbits2(r->netmask);
2175 argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
2177 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2178 }
2179
2180#elif defined(TARGET_HAIKU)
2181
2182 /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
2183 argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
2184 gateway, netmask);
2186 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
2187
2188#else /* if defined(TARGET_LINUX) */
2189 msg(M_FATAL,
2190 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2191#endif /* if defined(TARGET_LINUX) */
2192
2193done:
2194 r->flags &= ~RT_ADDED;
2195 argv_free(&argv);
2196 gc_free(&gc);
2197 /* release resources potentially allocated during route cleanup */
2198 net_ctx_reset(ctx);
2199}
2200
2201void
2202delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es,
2203 openvpn_net_ctx_t *ctx)
2204{
2205 const char *network;
2206
2207 if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2208 {
2209 return;
2210 }
2211
2212#if !defined(_WIN32)
2213#if !defined(TARGET_LINUX)
2214 const char *gateway;
2215#endif
2216#if !defined(TARGET_SOLARIS)
2217 bool gateway_needed = false;
2218 const char *device = tt->actual_name;
2219 if (r6->iface != NULL) /* vpn server special route */
2220 {
2221 device = r6->iface;
2222 gateway_needed = true;
2223 }
2224
2225 /* if we used a gateway on "add route", we also need to specify it on
2226 * delete, otherwise some OSes will refuse to delete the route
2227 */
2228 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
2229 {
2230 gateway_needed = true;
2231 }
2232#endif
2233#endif
2234
2235 struct gc_arena gc = gc_new();
2236 struct argv argv = argv_new();
2237
2238 network = print_in6_addr(r6->network, 0, &gc);
2239#if !defined(TARGET_LINUX) && !defined(_WIN32)
2240 gateway = print_in6_addr(r6->gateway, 0, &gc);
2241#endif
2242
2243#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2244 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2245
2246 /* the BSD platforms cannot specify gateway and interface independently,
2247 * but for link-local destinations, we MUST specify the interface, so
2248 * we build a combined "$gateway%$interface" gateway string
2249 */
2250 if (r6->iface != NULL && gateway_needed
2251 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
2252 {
2253 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
2254 char *tmp = gc_malloc(len, true, &gc);
2255 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
2256 gateway = tmp;
2257 }
2258#endif
2259
2260 msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits);
2261
2262#if defined(TARGET_LINUX)
2263 int metric = -1;
2264 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2265 {
2266 metric = r6->metric;
2267 }
2268
2269 if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
2270 device, r6->table_id, metric)
2271 < 0)
2272 {
2273 msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2274 }
2275
2276#elif defined(_WIN32)
2277
2278 if (tt->options.msg_channel)
2279 {
2281 }
2282 else
2283 {
2284 route_ipv6_ipapi(false, r6, tt);
2285 }
2286#elif defined(TARGET_SOLARIS)
2287
2288 /* example: route delete -inet6 2001:db8::/32 somegateway */
2289
2290 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2291
2293 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2294
2295#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2296
2297 argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
2298
2299 if (gateway_needed)
2300 {
2301 argv_printf_cat(&argv, "%s", gateway);
2302 }
2303 else
2304 {
2305 argv_printf_cat(&argv, "-iface %s", device);
2306 }
2307
2309 openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2310
2311#elif defined(TARGET_DARWIN)
2312
2313 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
2314
2315 if (gateway_needed)
2316 {
2317 argv_printf_cat(&argv, "%s", gateway);
2318 }
2319 else
2320 {
2321 argv_printf_cat(&argv, "-iface %s", device);
2322 }
2323
2325 openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2326
2327#elif defined(TARGET_OPENBSD)
2328
2329 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
2330 gateway);
2331
2333 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2334
2335#elif defined(TARGET_NETBSD)
2336
2337 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2338
2340 openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2341
2342#elif defined(TARGET_AIX)
2343
2344 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2346 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2347
2348#elif defined(TARGET_ANDROID)
2349 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2350 "needed. The VpnService API allows routes to be set "
2351 "on connect only and will clean up automatically.");
2352#elif defined(TARGET_HAIKU)
2353
2354 /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2355 argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2356 gateway, r6->netbits);
2358 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
2359
2360#else /* if defined(TARGET_LINUX) */
2361 msg(M_FATAL,
2362 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2363#endif /* if defined(TARGET_LINUX) */
2364
2365 argv_free(&argv);
2366 gc_free(&gc);
2367 /* release resources potentially allocated during route cleanup */
2368 net_ctx_reset(ctx);
2369}
2370
2371#if defined(__GNUC__) || defined(__clang__)
2372#pragma GCC diagnostic pop
2373#endif
2374
2375/*
2376 * The --redirect-gateway option requires OS-specific code below
2377 * to get the current default gateway.
2378 */
2379
2380#if defined(_WIN32)
2381
2382static const MIB_IPFORWARDTABLE *
2384{
2385 ULONG size = 0;
2386 PMIB_IPFORWARDTABLE rt = NULL;
2387 DWORD status;
2388
2389 status = GetIpForwardTable(NULL, &size, TRUE);
2390 if (status == ERROR_INSUFFICIENT_BUFFER)
2391 {
2392 rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc);
2393 status = GetIpForwardTable(rt, &size, TRUE);
2394 if (status != NO_ERROR)
2395 {
2396 msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2397 strerror_win32(status, gc), (unsigned int)status);
2398 rt = NULL;
2399 }
2400 }
2401 return rt;
2402}
2403
2404static int
2405test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
2406{
2407 int count = 0;
2408 DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2409 if (index)
2410 {
2411 *index = i;
2412 }
2413 return count;
2414}
2415
2416static void
2417test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters,
2418 const in_addr_t gateway)
2419{
2420 int c;
2421
2422 ++*count;
2423 c = test_route(adapters, gateway, NULL);
2424 if (c == 0)
2425 {
2426 *ret = false;
2427 }
2428 else
2429 {
2430 ++*good;
2431 }
2432 if (c > 1)
2433 {
2434 ++*ambig;
2435 }
2436}
2437
2438/*
2439 * If we tried to add routes now, would we succeed?
2440 */
2441bool
2442test_routes(const struct route_list *rl, const struct tuntap *tt)
2443{
2444 struct gc_arena gc = gc_new();
2445 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2446 bool ret = false;
2447 int count = 0;
2448 int good = 0;
2449 int ambig = 0;
2450 int len = -1;
2451 bool adapter_up = false;
2452
2453 if (is_adapter_up(tt, adapters))
2454 {
2455 ret = true;
2456 adapter_up = true;
2457
2458 /* we do this test only if we have IPv4 routes to install, and if
2459 * the tun/tap interface has seen IPv4 ifconfig - because if we
2460 * have no IPv4, the check will always fail, failing tun init
2461 */
2462 if (rl && tt->did_ifconfig_setup)
2463 {
2464 struct route_ipv4 *r;
2465 for (r = rl->routes, len = 0; r; r = r->next, ++len)
2466 {
2467 test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2468 }
2469
2470 if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2471 {
2472 test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2473 }
2474 }
2475 }
2476
2477 msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len,
2478 (int)ret, ambig, adapter_up ? "up" : "down");
2479
2480 gc_free(&gc);
2481 return ret;
2482}
2483
2484static const MIB_IPFORWARDROW *
2485get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2486{
2487 struct gc_arena gc = gc_new();
2488 DWORD lowest_metric = MAXDWORD;
2489 const MIB_IPFORWARDROW *ret = NULL;
2490 int best = -1;
2491
2492 if (routes)
2493 {
2494 for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2495 {
2496 const MIB_IPFORWARDROW *row = &routes->table[i];
2497 const in_addr_t net = ntohl(row->dwForwardDest);
2498 const in_addr_t mask = ntohl(row->dwForwardMask);
2499 const DWORD index = row->dwForwardIfIndex;
2500 const DWORD metric = row->dwForwardMetric1;
2501
2502 dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i,
2503 print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc),
2504 (int)index, (int)metric);
2505
2506 if (!net && !mask && metric < lowest_metric)
2507 {
2508 ret = row;
2509 lowest_metric = metric;
2510 best = i;
2511 }
2512 }
2513 }
2514
2515 dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2516
2517 gc_free(&gc);
2518 return ret;
2519}
2520
2532static DWORD
2533get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
2534{
2535 DWORD best_if_index;
2536 DWORD status;
2537
2538 CLEAR(*best_route);
2539
2540 /* get the best interface index to reach dest */
2541 status = GetBestInterfaceEx((struct sockaddr *)dest, &best_if_index);
2542 if (status != NO_ERROR)
2543 {
2544 msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2545 strerror_win32(status, gc), (unsigned int)status);
2546 goto done;
2547 }
2548
2549 msg(D_ROUTE_DEBUG, "GetBestInterfaceEx() returned if=%d", (int)best_if_index);
2550
2551 /* get the routing information (such as NextHop) for the destination and interface */
2552 NET_LUID luid;
2553 CLEAR(luid);
2554 SOCKADDR_INET best_src;
2555 CLEAR(best_src);
2556 status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src);
2557 if (status != NO_ERROR)
2558 {
2559 msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2560 strerror_win32(status, gc), (unsigned int)status);
2561 goto done;
2562 }
2563
2564done:
2565 return status;
2566}
2567
2568void
2570{
2571 CLEAR(*rgi);
2572
2573 struct gc_arena gc = gc_new();
2574
2575 /* convert in_addr_t into SOCKADDR_INET */
2576 SOCKADDR_INET sa;
2577 CLEAR(sa);
2578 sa.si_family = AF_INET;
2579 sa.Ipv4.sin_addr.s_addr = htonl(dest);
2580
2581 /* get the best route to the destination */
2582 MIB_IPFORWARD_ROW2 best_route;
2583 CLEAR(best_route);
2584 DWORD status = get_best_route(&gc, &sa, &best_route);
2585 if (status != NO_ERROR)
2586 {
2587 goto done;
2588 }
2589
2591 rgi->gateway.addr = ntohl(best_route.NextHop.Ipv4.sin_addr.S_un.S_addr);
2592 rgi->adapter_index = best_route.InterfaceIndex;
2593
2594 if (rgi->gateway.addr == INADDR_ANY)
2595 {
2596 rgi->flags |= RGI_ON_LINK;
2597 }
2598
2599 /* get netmask and MAC address */
2600 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2601 const IP_ADAPTER_INFO *ai = get_adapter(adapters, rgi->adapter_index);
2602 if (ai)
2603 {
2604 memcpy(rgi->hwaddr, ai->Address, 6);
2605 rgi->flags |= RGI_HWADDR_DEFINED;
2606
2607 /* get netmask for non-onlink routes */
2608 in_addr_t nm = inet_addr(ai->IpAddressList.IpMask.String);
2609 if (!(rgi->flags & RGI_ON_LINK) && (nm != INADDR_NONE))
2610 {
2611 rgi->gateway.netmask = ntohl(nm);
2612 rgi->flags |= RGI_NETMASK_DEFINED;
2613 }
2614 }
2615
2616done:
2617 gc_free(&gc);
2618}
2619
2620static DWORD
2621windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2622{
2623 struct gc_arena gc = gc_new();
2624 DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2625 int count = 0;
2626 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2627 const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2628 bool on_tun = false;
2629
2630 /* first test on tun interface */
2631 if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2632 {
2633 ret = tun_adapter->Index;
2634 count = 1;
2635 on_tun = true;
2636 }
2637 else /* test on other interfaces */
2638 {
2639 count = test_route(adapters, r->gateway, &ret);
2640 }
2641
2642 if (count == 0)
2643 {
2644 msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2645 print_in_addr_t(r->gateway, 0, &gc));
2647 }
2648 else if (count > 1)
2649 {
2650 msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2651 print_in_addr_t(r->gateway, 0, &gc), count);
2652 }
2653
2654 dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count,
2655 (int)ret);
2656
2657 gc_free(&gc);
2658 return ret;
2659}
2660
2661/* IPv6 implementation using GetBestRoute2()
2662 * (TBD: dynamic linking so the binary can still run on XP?)
2663 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2664 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2665 */
2666void
2667get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
2668 openvpn_net_ctx_t *ctx)
2669{
2670 struct gc_arena gc = gc_new();
2671 CLEAR(*rgi6);
2672
2673 SOCKADDR_INET DestinationAddress;
2674 CLEAR(DestinationAddress);
2675 DestinationAddress.si_family = AF_INET6;
2676 if (dest)
2677 {
2678 DestinationAddress.Ipv6.sin6_addr = *dest;
2679 }
2680
2681 MIB_IPFORWARD_ROW2 BestRoute;
2682 CLEAR(BestRoute);
2683 DWORD status = get_best_route(&gc, &DestinationAddress, &BestRoute);
2684
2685 if (status != NO_ERROR)
2686 {
2687 goto done;
2688 }
2689
2690 msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex,
2691 print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2692 BestRoute.DestinationPrefix.PrefixLength,
2693 print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc));
2694 msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric,
2695 (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal);
2696
2697 rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2698 rgi6->adapter_index = BestRoute.InterfaceIndex;
2700
2701 /* on-link is signalled by receiving an empty (::) NextHop */
2702 if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr))
2703 {
2704 rgi6->flags |= RGI_ON_LINK;
2705 }
2706
2707done:
2708 gc_free(&gc);
2709}
2710
2711/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2712static int
2713add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2714{
2715 struct gc_arena gc = gc_new();
2716 int ret = RTA_ERROR;
2717 DWORD status;
2718 const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID)
2720 : adapter_index;
2721
2722 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2723 {
2724 MIB_IPFORWARDROW fr;
2725 CLEAR(fr);
2726 fr.dwForwardDest = htonl(r->network);
2727 fr.dwForwardMask = htonl(r->netmask);
2728 fr.dwForwardPolicy = 0;
2729 fr.dwForwardNextHop = htonl(r->gateway);
2730 fr.dwForwardIfIndex = if_index;
2731 fr.dwForwardType = 4; /* the next hop is not the final dest */
2732 fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2733 fr.dwForwardAge = 0;
2734 fr.dwForwardNextHopAS = 0;
2735 fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2736 fr.dwForwardMetric2 = METRIC_NOT_USED;
2737 fr.dwForwardMetric3 = METRIC_NOT_USED;
2738 fr.dwForwardMetric4 = METRIC_NOT_USED;
2739 fr.dwForwardMetric5 = METRIC_NOT_USED;
2740
2741 if ((r->network & r->netmask) != r->network)
2742 {
2743 msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2744 print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc));
2745 }
2746
2747 status = CreateIpForwardEntry(&fr);
2748
2749 if (status == NO_ERROR)
2750 {
2751 ret = RTA_SUCCESS;
2752 }
2753 else if (status == ERROR_OBJECT_ALREADY_EXISTS)
2754 {
2755 ret = RTA_EEXIST;
2756 }
2757 else
2758 {
2759 /* failed, try increasing the metric to work around Vista issue */
2760 const unsigned int forward_metric_limit =
2761 2048; /* iteratively retry higher metrics up to this limit */
2762
2763 for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2764 {
2765 /* try a different forward type=3 ("the next hop is the final dest") in addition
2766 * to 4.
2767 * --redirect-gateway over RRAS seems to need this. */
2768 for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2769 {
2770 status = CreateIpForwardEntry(&fr);
2771 if (status == NO_ERROR)
2772 {
2773 msg(D_ROUTE,
2774 "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2775 (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType);
2776 ret = RTA_SUCCESS;
2777 goto doublebreak;
2778 }
2779 else if (status != ERROR_BAD_ARGUMENTS)
2780 {
2781 goto doublebreak;
2782 }
2783 }
2784 }
2785
2786doublebreak:
2787 if (status != NO_ERROR)
2788 {
2789 if (status == ERROR_OBJECT_ALREADY_EXISTS)
2790 {
2791 ret = RTA_EEXIST;
2792 }
2793 else
2794 {
2795 msg(M_WARN,
2796 "ERROR: route addition failed using CreateIpForwardEntry: "
2797 "%s [status=%u if_index=%u]",
2798 strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index);
2799 }
2800 }
2801 }
2802 }
2803
2804 gc_free(&gc);
2805 return ret;
2806}
2807
2808static bool
2809del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2810{
2811 struct gc_arena gc = gc_new();
2812 bool ret = false;
2813 DWORD status;
2814 const DWORD if_index = windows_route_find_if_index(r, tt);
2815
2816 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2817 {
2818 MIB_IPFORWARDROW fr;
2819 CLEAR(fr);
2820
2821 fr.dwForwardDest = htonl(r->network);
2822 fr.dwForwardMask = htonl(r->netmask);
2823 fr.dwForwardPolicy = 0;
2824 fr.dwForwardNextHop = htonl(r->gateway);
2825 fr.dwForwardIfIndex = if_index;
2826
2827 status = DeleteIpForwardEntry(&fr);
2828
2829 if (status == NO_ERROR)
2830 {
2831 ret = true;
2832 }
2833 else
2834 {
2835 msg(M_WARN, "ERROR: route deletion failed using DeleteIpForwardEntry: %s",
2837 }
2838 }
2839
2840 gc_free(&gc);
2841 return ret;
2842}
2843
2844/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2845static int
2846do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
2847{
2848 int ret = RTA_ERROR;
2849 ack_message_t ack;
2850 struct gc_arena gc = gc_new();
2851
2852 if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
2853 {
2854 goto out;
2855 }
2856
2857 if (ack.error_number != NO_ERROR)
2858 {
2859 ret = (ack.error_number == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2860 if (ret == RTA_ERROR)
2861 {
2862 msg(M_WARN, "ERROR: route %s failed using service: %s [status=%u if_index=%d]",
2863 (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
2864 ack.error_number, rt->iface.index);
2865 }
2866 goto out;
2867 }
2868
2869 ret = RTA_SUCCESS;
2870
2871out:
2872 gc_free(&gc);
2873 return ret;
2874}
2875
2876/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2877static int
2878do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
2879{
2880 DWORD if_index = windows_route_find_if_index(r, tt);
2881 if (if_index == ~0)
2882 {
2883 return RTA_ERROR;
2884 }
2885
2887 sizeof(route_message_t), 0 },
2888 .family = AF_INET,
2889 .prefix.ipv4.s_addr = htonl(r->network),
2890 .gateway.ipv4.s_addr = htonl(r->gateway),
2891 .iface = { .index = if_index, .name = "" },
2892 .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) };
2893
2894 netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
2895 if (msg.prefix_len == -1)
2896 {
2897 msg.prefix_len = 32;
2898 }
2899
2900 return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
2901}
2902
2903/* Add or delete an ipv6 route
2904 * Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error
2905 */
2906static int
2907route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2908{
2909 DWORD err;
2910 int ret = RTA_ERROR;
2911 PMIB_IPFORWARD_ROW2 fwd_row;
2912 struct gc_arena gc = gc_new();
2913
2914 fwd_row = gc_malloc(sizeof(*fwd_row), true, &gc);
2915
2916 fwd_row->ValidLifetime = 0xffffffff;
2917 fwd_row->PreferredLifetime = 0xffffffff;
2918 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
2919 fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
2920 fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
2921 fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
2922 fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits;
2923 fwd_row->NextHop.si_family = AF_INET6;
2924 fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
2925 fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
2926
2927 /* In TUN mode we use a special link-local address as the next hop.
2928 * The tapdrvr knows about it and will answer neighbor discovery packets.
2929 * (only do this for routes actually using the tun/tap device)
2930 */
2931 if (tt->type == DEV_TYPE_TUN && !r->adapter_index)
2932 {
2933 inet_pton(AF_INET6, "fe80::8", &fwd_row->NextHop.Ipv6.sin6_addr);
2934 }
2935
2936 /* Use LUID if interface index not available */
2937 if (fwd_row->InterfaceIndex == TUN_ADAPTER_INDEX_INVALID && strlen(tt->actual_name))
2938 {
2939 NET_LUID luid;
2940 err = ConvertInterfaceAliasToLuid(wide_string(tt->actual_name, &gc), &luid);
2941 if (err != NO_ERROR)
2942 {
2943 goto out;
2944 }
2945 fwd_row->InterfaceLuid = luid;
2946 fwd_row->InterfaceIndex = 0;
2947 }
2948
2949 if (add)
2950 {
2951 err = CreateIpForwardEntry2(fwd_row);
2952 }
2953 else
2954 {
2955 err = DeleteIpForwardEntry2(fwd_row);
2956 }
2957
2958out:
2959 if (err != NO_ERROR)
2960 {
2961 ret = (err == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2962 if (ret == RTA_ERROR)
2963 {
2964 msg(M_WARN, "ERROR: route %s failed using ipapi: %s [status=%lu if_index=%lu]",
2965 (add ? "addition" : "deletion"), strerror_win32(err, &gc), err,
2966 fwd_row->InterfaceIndex);
2967 }
2968 else if (add)
2969 {
2970 msg(D_ROUTE, "IPv6 route addition using ipapi failed because route exists");
2971 }
2972 }
2973 else
2974 {
2975 msg(D_ROUTE, "IPv6 route %s using ipapi", add ? "added" : "deleted");
2976 ret = RTA_SUCCESS;
2977 }
2978 gc_free(&gc);
2979 return ret;
2980}
2981
2982/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2983static int
2984do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2985{
2986 int status;
2988 sizeof(route_message_t), 0 },
2989 .family = AF_INET6,
2990 .prefix.ipv6 = r->network,
2991 .prefix_len = r->netbits,
2992 .gateway.ipv6 = r->gateway,
2993 .iface = { .index = tt->adapter_index, .name = "" },
2994 .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) };
2995
2996 if (r->adapter_index) /* vpn server special route */
2997 {
2998 msg.iface.index = r->adapter_index;
2999 }
3000
3001 /* In TUN mode we use a special link-local address as the next hop.
3002 * The tapdrvr knows about it and will answer neighbor discovery packets.
3003 * (only do this for routes actually using the tun/tap device)
3004 */
3005 if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index)
3006 {
3007 inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3008 }
3009
3010 if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID)
3011 {
3012 strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3013 msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3014 }
3015
3016 status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3017 if (status != RTA_ERROR)
3018 {
3019 msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion",
3020 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
3021 }
3022 return status;
3023}
3024
3025/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3026static int
3027add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3028{
3029 return do_route_ipv4_service(true, r, tt);
3030}
3031
3032static bool
3033del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3034{
3035 return do_route_ipv4_service(false, r, tt);
3036}
3037
3038/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3039static int
3040add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3041{
3042 return do_route_ipv6_service(true, r, tt);
3043}
3044
3045static bool
3046del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3047{
3048 return do_route_ipv6_service(false, r, tt);
3049}
3050
3051static const char *
3052format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3053{
3054 struct buffer out = alloc_buf_gc(256, gc);
3055 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3056 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3057 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3058 print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
3059 (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
3060 (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
3061 (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
3062 (int)r->dwForwardMetric5);
3063 return BSTR(&out);
3064}
3065
3066/*
3067 * Show current routing table
3068 */
3069void
3071{
3072 struct gc_arena gc = gc_new();
3073
3074 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3075
3076 msg(msglevel, "SYSTEM ROUTING TABLE");
3077 if (rt)
3078 {
3079 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3080 {
3081 msg(msglevel, "%s", format_route_entry(&rt->table[i], &gc));
3082 }
3083 }
3084 gc_free(&gc);
3085}
3086
3087#elif defined(TARGET_ANDROID)
3088
3089void
3090get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3091{
3092 /* Android, set some pseudo GW, addr is in host byte order,
3093 * Determining the default GW on Android 5.0+ is non trivial
3094 * and serves almost no purpose since OpenVPN only uses the
3095 * default GW address to add routes for networks that should
3096 * NOT be routed over the VPN. Using a well known address
3097 * (127.'d'.'g'.'w') for the default GW make detecting
3098 * these routes easier from the controlling app.
3099 */
3100 CLEAR(*rgi);
3101
3102 rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3104 strcpy(rgi->iface, "android-gw");
3105
3106 /* Skip scanning/fetching interface from loopback interface we do
3107 * normally on Linux.
3108 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3109 */
3110}
3111
3112void
3113get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3114 openvpn_net_ctx_t *ctx)
3115{
3116 /* Same for ipv6 */
3117
3118 CLEAR(*rgi6);
3119
3120 /* Use a fake link-local address */
3121 ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3122 rgi6->addrs->netbits_ipv6 = 64;
3124 strcpy(rgi6->iface, "android-gw");
3125}
3126
3127#elif defined(TARGET_LINUX)
3128
3129void
3130get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3131{
3132 struct gc_arena gc = gc_new();
3133 int sd = -1;
3134 char best_name[IFNAMSIZ];
3135
3136 CLEAR(*rgi);
3137 CLEAR(best_name);
3138
3139 /* find best route to 'dest', get gateway IP addr + interface */
3140 if (net_route_v4_best_gw(ctx, &dest, &rgi->gateway.addr, best_name) == 0)
3141 {
3142 rgi->flags |= RGI_ADDR_DEFINED;
3143 if (!rgi->gateway.addr && best_name[0])
3144 {
3145 rgi->flags |= RGI_ON_LINK;
3146 }
3147 }
3148
3149 /* scan adapter list */
3150 if (rgi->flags & RGI_ADDR_DEFINED)
3151 {
3152 struct ifreq *ifr, *ifend;
3153 in_addr_t addr, netmask;
3154 struct ifreq ifreq;
3155 struct ifconf ifc;
3156 struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3157
3158 if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3159 {
3160 msg(M_WARN, "GDG: socket() failed");
3161 goto done;
3162 }
3163 ifc.ifc_len = sizeof(ifs);
3164 ifc.ifc_req = ifs;
3165 if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3166 {
3167 msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3168 goto done;
3169 }
3170
3171 /* scan through interface list */
3172 ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3173 for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3174 {
3175 if (ifr->ifr_addr.sa_family == AF_INET)
3176 {
3177 /* get interface addr */
3178 addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
3179
3180 /* get interface name */
3181 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3182
3183 /* check that the interface is up */
3184 if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3185 {
3186 continue;
3187 }
3188 if (!(ifreq.ifr_flags & IFF_UP))
3189 {
3190 continue;
3191 }
3192
3193 if (rgi->flags & RGI_ON_LINK)
3194 {
3195 /* check that interface name of current interface
3196 * matches interface name of best default route */
3197 if (strcmp(ifreq.ifr_name, best_name))
3198 {
3199 continue;
3200 }
3201#if 0
3202 /* if point-to-point link, use remote addr as route gateway */
3203 if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3204 {
3205 rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3206 if (rgi->gateway.addr)
3207 {
3208 rgi->flags &= ~RGI_ON_LINK;
3209 }
3210 }
3211#endif
3212 }
3213 else
3214 {
3215 /* get interface netmask */
3216 if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3217 {
3218 continue;
3219 }
3220 netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
3221
3222 /* check that interface matches default route */
3223 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3224 {
3225 continue;
3226 }
3227
3228 /* save netmask */
3229 rgi->gateway.netmask = netmask;
3230 rgi->flags |= RGI_NETMASK_DEFINED;
3231 }
3232
3233 /* save iface name */
3234 strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3235 rgi->flags |= RGI_IFACE_DEFINED;
3236
3237 /* now get the hardware address. */
3238 memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3239 if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3240 {
3241 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3242 goto done;
3243 }
3244 memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3245 rgi->flags |= RGI_HWADDR_DEFINED;
3246
3247 break;
3248 }
3249 }
3250 }
3251
3252done:
3253 if (sd >= 0)
3254 {
3255 close(sd);
3256 }
3257 gc_free(&gc);
3258}
3259
3260/* IPv6 implementation using netlink
3261 * http://www.linuxjournal.com/article/7356
3262 * netlink(3), netlink(7), rtnetlink(7)
3263 * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
3264 */
3265struct rtreq
3266{
3267 struct nlmsghdr nh;
3268 struct rtmsg rtm;
3269 char attrbuf[512];
3270};
3271
3272void
3273get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3274 openvpn_net_ctx_t *ctx)
3275{
3276 int flags;
3277
3278 CLEAR(*rgi6);
3279
3280 if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
3281 {
3282 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3283 {
3284 rgi6->flags |= RGI_ADDR_DEFINED;
3285 }
3286
3287 if (strlen(rgi6->iface) > 0)
3288 {
3289 rgi6->flags |= RGI_IFACE_DEFINED;
3290 }
3291 }
3292
3293 /* if we have an interface but no gateway, the destination is on-link */
3294 flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3295 if (flags == RGI_IFACE_DEFINED)
3296 {
3297 rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3298 if (dest)
3299 {
3300 rgi6->gateway.addr_ipv6 = *dest;
3301 }
3302 }
3303}
3304
3305#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
3306 || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3307
3308#include <sys/types.h>
3309#include <sys/socket.h>
3310#include <netinet/in.h>
3311#include <net/route.h>
3312#include <net/if_dl.h>
3313#if !defined(TARGET_SOLARIS)
3314#include <ifaddrs.h>
3315#endif
3316
3317struct rtmsg
3318{
3319 struct rt_msghdr m_rtm;
3320 char m_space[512];
3321};
3322
3323/* the route socket code is identical for all 4 supported BSDs and for
3324 * MacOS X (Darwin), with one crucial difference: when going from
3325 * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3326 * source code compatibility by keeping the use of "long", while
3327 * MacOS X decided to keep binary compatibility by *changing* the API
3328 * to use "uint32_t", thus 32 bit on all OS X variants
3329 *
3330 * NetBSD does the MacOS way of "fixed number of bits, no matter if
3331 * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3332 * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3333 *
3334 * We used to have a large amount of duplicate code here which really
3335 * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3336 * having a combined block for all BSDs with this single #ifdef inside
3337 */
3338
3339#if defined(TARGET_DARWIN)
3340#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3341#elif defined(TARGET_NETBSD)
3342#define ROUNDUP(a) RT_ROUNDUP(a)
3343#else
3344#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3345#endif
3346
3347#if defined(TARGET_SOLARIS)
3348#define NEXTADDR(w, u) \
3349 if (rtm_addrs & (w)) \
3350 { \
3351 l = sizeof(u); \
3352 memmove(cp, &(u), l); \
3353 cp += ROUNDUP(l); \
3354 }
3355
3356#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3357#else /* if defined(TARGET_SOLARIS) */
3358#define NEXTADDR(w, u) \
3359 if (rtm_addrs & (w)) \
3360 { \
3361 l = ((struct sockaddr *)&(u))->sa_len; \
3362 memmove(cp, &(u), l); \
3363 cp += ROUNDUP(l); \
3364 }
3365
3366#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3367#endif
3368
3369#define max(a, b) ((a) > (b) ? (a) : (b))
3370
3371#if defined(__GNUC__) || defined(__clang__)
3372#pragma GCC diagnostic push
3373#pragma GCC diagnostic ignored "-Wconversion"
3374#endif
3375
3376void
3377get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3378{
3379 struct gc_arena gc = gc_new();
3380 struct rtmsg m_rtmsg;
3381 int sockfd = -1;
3382 int seq, l, pid, rtm_addrs;
3383 unsigned int i;
3384 struct sockaddr so_dst, so_mask;
3385 char *cp = m_rtmsg.m_space;
3386 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3387 struct rt_msghdr *rtm_aux;
3388
3389#define rtm m_rtmsg.m_rtm
3390
3391 CLEAR(*rgi);
3392
3393 /* setup data to send to routing socket */
3394 pid = getpid();
3395 seq = 0;
3396#ifdef TARGET_OPENBSD
3397 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3398#else
3399 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3400#endif
3401
3402 bzero(&m_rtmsg, sizeof(m_rtmsg));
3403 bzero(&so_dst, sizeof(so_dst));
3404 bzero(&so_mask, sizeof(so_mask));
3405 bzero(&rtm, sizeof(struct rt_msghdr));
3406
3407 rtm.rtm_type = RTM_GET;
3408 rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3409 rtm.rtm_version = RTM_VERSION;
3410 rtm.rtm_seq = ++seq;
3411#ifdef TARGET_OPENBSD
3412 rtm.rtm_tableid = getrtable();
3413#endif
3414 rtm.rtm_addrs = rtm_addrs;
3415
3416 so_dst.sa_family = AF_INET;
3417 so_mask.sa_family = AF_INET;
3418
3419#ifndef TARGET_SOLARIS
3420 so_dst.sa_len = sizeof(struct sockaddr_in);
3421 so_mask.sa_len = sizeof(struct sockaddr_in);
3422#endif
3423
3424 NEXTADDR(RTA_DST, so_dst);
3425 NEXTADDR(RTA_NETMASK, so_mask);
3426
3427 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3428
3429 /* transact with routing socket */
3430 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3431 if (sockfd < 0)
3432 {
3433 msg(M_WARN, "GDG: socket #1 failed");
3434 goto done;
3435 }
3436 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3437 {
3438 msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
3439 goto done;
3440 }
3441 do
3442 {
3443 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3444 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3445 close(sockfd);
3446 sockfd = -1;
3447
3448 /* extract return data from routing socket */
3449 rtm_aux = &rtm;
3450 cp = ((char *)(rtm_aux + 1));
3451 if (rtm_aux->rtm_addrs)
3452 {
3453 for (i = 1; i; i <<= 1)
3454 {
3455 if (i & rtm_aux->rtm_addrs)
3456 {
3457 sa = (struct sockaddr *)cp;
3458 if (i == RTA_GATEWAY)
3459 {
3460 gate = sa;
3461 }
3462 else if (i == RTA_IFP)
3463 {
3464 ifp = sa;
3465 }
3466 ADVANCE(cp, sa);
3467 }
3468 }
3469 }
3470 else
3471 {
3472 goto done;
3473 }
3474
3475 /* get gateway addr and interface name */
3476 if (gate != NULL)
3477 {
3478 /* get default gateway addr */
3479 rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3480 if (rgi->gateway.addr)
3481 {
3482 rgi->flags |= RGI_ADDR_DEFINED;
3483 }
3484
3485 if (ifp)
3486 {
3487 /* get interface name */
3488 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3489 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3490 {
3491 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3492 rgi->iface[adl->sdl_nlen] = '\0';
3493 rgi->flags |= RGI_IFACE_DEFINED;
3494 }
3495 }
3496 }
3497
3498 /* get netmask of interface that owns default gateway */
3499 if (rgi->flags & RGI_IFACE_DEFINED)
3500 {
3501 struct ifreq ifr;
3502
3503 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3504 if (sockfd < 0)
3505 {
3506 msg(M_WARN, "GDG: socket #2 failed");
3507 goto done;
3508 }
3509
3510 CLEAR(ifr);
3511 ifr.ifr_addr.sa_family = AF_INET;
3512 strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3513
3514 if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3515 {
3516 msg(M_WARN, "GDG: ioctl #1 failed");
3517 goto done;
3518 }
3519 close(sockfd);
3520 sockfd = -1;
3521
3522 rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3523 rgi->flags |= RGI_NETMASK_DEFINED;
3524 }
3525
3526 /* try to read MAC addr associated with interface that owns default gateway */
3527 if (rgi->flags & RGI_IFACE_DEFINED)
3528 {
3529#if defined(TARGET_SOLARIS)
3530 /* OpenSolaris has getifaddrs(3), but it does not return AF_LINK */
3531 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3532 if (sockfd < 0)
3533 {
3534 msg(M_WARN, "GDG: socket #3 failed");
3535 goto done;
3536 }
3537
3538 struct ifreq ifreq = { 0 };
3539
3540 /* now get the hardware address. */
3541 strncpynt(ifreq.ifr_name, rgi->iface, sizeof(ifreq.ifr_name));
3542 if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0)
3543 {
3544 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3545 }
3546 else
3547 {
3548 memcpy(rgi->hwaddr, &ifreq.ifr_addr.sa_data, 6);
3549 rgi->flags |= RGI_HWADDR_DEFINED;
3550 }
3551#else /* if defined(TARGET_SOLARIS) */
3552 struct ifaddrs *ifap, *ifa;
3553
3554 if (getifaddrs(&ifap) != 0)
3555 {
3556 msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
3557 goto done;
3558 }
3559
3560 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
3561 {
3562 if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
3563 && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
3564 {
3565 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
3566 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3567 rgi->flags |= RGI_HWADDR_DEFINED;
3568 }
3569 }
3570
3571 freeifaddrs(ifap);
3572#endif /* if defined(TARGET_SOLARIS) */
3573 }
3574
3575done:
3576 if (sockfd >= 0)
3577 {
3578 close(sockfd);
3579 }
3580 gc_free(&gc);
3581}
3582
3583/* BSD implementation using routing socket (as does IPv4)
3584 * (the code duplication is somewhat unavoidable if we want this to
3585 * work on OpenSolaris as well. *sigh*)
3586 */
3587
3588/* Solaris has no length field - this is ugly, but less #ifdef in total
3589 */
3590#if defined(TARGET_SOLARIS)
3591#undef ADVANCE
3592#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3593#endif
3594
3595void
3596get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3597 openvpn_net_ctx_t *ctx)
3598{
3599 struct rtmsg m_rtmsg;
3600 int sockfd = -1;
3601 int seq, l, pid, rtm_addrs;
3602 unsigned int i;
3603 struct sockaddr_in6 so_dst, so_mask;
3604 char *cp = m_rtmsg.m_space;
3605 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3606 struct rt_msghdr *rtm_aux;
3607
3608 CLEAR(*rgi6);
3609
3610 /* setup data to send to routing socket */
3611 pid = getpid();
3612 seq = 0;
3613#ifdef TARGET_OPENBSD
3614 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3615#else
3616 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3617#endif
3618
3619 bzero(&m_rtmsg, sizeof(m_rtmsg));
3620 bzero(&so_dst, sizeof(so_dst));
3621 bzero(&so_mask, sizeof(so_mask));
3622 bzero(&rtm, sizeof(struct rt_msghdr));
3623
3624 rtm.rtm_type = RTM_GET;
3625 rtm.rtm_flags = RTF_UP;
3626 rtm.rtm_version = RTM_VERSION;
3627 rtm.rtm_seq = ++seq;
3628#ifdef TARGET_OPENBSD
3629 rtm.rtm_tableid = getrtable();
3630#endif
3631
3632 so_dst.sin6_family = AF_INET6;
3633 so_mask.sin6_family = AF_INET6;
3634
3635 if (dest != NULL /* specific host? */
3636 && !IN6_IS_ADDR_UNSPECIFIED(dest))
3637 {
3638 so_dst.sin6_addr = *dest;
3639 /* :: needs /0 "netmask", host route wants "no netmask */
3640 rtm_addrs &= ~RTA_NETMASK;
3641 }
3642
3643 rtm.rtm_addrs = rtm_addrs;
3644
3645#ifndef TARGET_SOLARIS
3646 so_dst.sin6_len = sizeof(struct sockaddr_in6);
3647 so_mask.sin6_len = sizeof(struct sockaddr_in6);
3648#endif
3649
3650 NEXTADDR(RTA_DST, so_dst);
3651 NEXTADDR(RTA_NETMASK, so_mask);
3652
3653 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3654
3655 /* transact with routing socket */
3656 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3657 if (sockfd < 0)
3658 {
3659 msg(M_WARN, "GDG6: socket #1 failed");
3660 goto done;
3661 }
3662 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3663 {
3664 msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
3665 goto done;
3666 }
3667
3668 do
3669 {
3670 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3671 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3672
3673 close(sockfd);
3674 sockfd = -1;
3675
3676 /* extract return data from routing socket */
3677 rtm_aux = &rtm;
3678 cp = ((char *)(rtm_aux + 1));
3679 if (rtm_aux->rtm_addrs)
3680 {
3681 for (i = 1; i; i <<= 1)
3682 {
3683 if (i & rtm_aux->rtm_addrs)
3684 {
3685 sa = (struct sockaddr *)cp;
3686 if (i == RTA_GATEWAY)
3687 {
3688 gate = sa;
3689 }
3690 else if (i == RTA_IFP)
3691 {
3692 ifp = sa;
3693 }
3694 ADVANCE(cp, sa);
3695 }
3696 }
3697 }
3698 else
3699 {
3700 goto done;
3701 }
3702
3703 /* get gateway addr and interface name */
3704 if (gate != NULL)
3705 {
3706 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3707 struct in6_addr gw = s6->sin6_addr;
3708
3709#ifndef TARGET_SOLARIS
3710 /* You do not really want to know... from FreeBSD's route.c
3711 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3712 * but for a correct link-local address these must be :0000: )
3713 */
3714 if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
3715 {
3716 gw.s6_addr[2] = gw.s6_addr[3] = 0;
3717 }
3718
3719 if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
3720 {
3721 rgi6->flags |= RGI_ON_LINK;
3722 }
3723 else
3724#endif
3725 {
3726 rgi6->gateway.addr_ipv6 = gw;
3727 }
3728 rgi6->flags |= RGI_ADDR_DEFINED;
3729
3730 if (ifp)
3731 {
3732 /* get interface name */
3733 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3734 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3735 {
3736 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3737 rgi6->flags |= RGI_IFACE_DEFINED;
3738 }
3739 }
3740 }
3741
3742done:
3743 if (sockfd >= 0)
3744 {
3745 close(sockfd);
3746 }
3747}
3748
3749#if defined(__GNUC__) || defined(__clang__)
3750#pragma GCC diagnostic pop
3751#endif
3752
3753#undef max
3754
3755#elif defined(TARGET_HAIKU)
3756
3757void
3758get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3759{
3760 CLEAR(*rgi);
3761
3762 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3763 if (sockfd < 0)
3764 {
3765 msg(M_ERRNO, "%s: Error opening socket for AF_INET", __func__);
3766 return;
3767 }
3768
3769 struct ifconf config;
3770 config.ifc_len = sizeof(config.ifc_value);
3771 if (ioctl(sockfd, SIOCGRTSIZE, &config, sizeof(struct ifconf)) < 0)
3772 {
3773 msg(M_ERRNO, "%s: Error getting routing table size", __func__);
3774 return;
3775 }
3776
3777 uint32 size = (uint32)config.ifc_value;
3778 if (size == 0)
3779 {
3780 return;
3781 }
3782
3783 void *buffer = malloc(size);
3785
3786 config.ifc_len = size;
3787 config.ifc_buf = buffer;
3788 if (ioctl(sockfd, SIOCGRTTABLE, &config, sizeof(struct ifconf)) < 0)
3789 {
3790 free(buffer);
3791 return;
3792 }
3793
3794 struct ifreq *interface = (struct ifreq *)buffer;
3795 struct ifreq *end = (struct ifreq *)((uint8 *)buffer + size);
3796
3797 while (interface < end)
3798 {
3799 struct route_entry route = interface->ifr_route;
3800 if ((route.flags & RTF_GATEWAY) != 0 && (route.flags & RTF_DEFAULT) != 0)
3801 {
3802 rgi->gateway.addr = ntohl(((struct sockaddr_in *)route.gateway)->sin_addr.s_addr);
3804 strncpy(rgi->iface, interface->ifr_name, sizeof(rgi->iface));
3805 }
3806
3807 int32 address_size = 0;
3808 if (route.destination != NULL)
3809 {
3810 address_size += route.destination->sa_len;
3811 }
3812 if (route.mask != NULL)
3813 {
3814 address_size += route.mask->sa_len;
3815 }
3816 if (route.gateway != NULL)
3817 {
3818 address_size += route.gateway->sa_len;
3819 }
3820
3821 interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
3822 + address_size);
3823 }
3824 free(buffer);
3825}
3826
3827void
3828get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3829 openvpn_net_ctx_t *ctx)
3830{
3831 /* TODO: Same for ipv6 with AF_INET6 */
3832 CLEAR(*rgi6);
3833}
3834
3835#else /* if defined(_WIN32) */
3836
3837/*
3838 * This is a platform-specific method that returns data about
3839 * the current default gateway. Return data is placed into
3840 * a struct route_gateway_info object provided by caller. The
3841 * implementation should CLEAR the structure before adding
3842 * data to it.
3843 *
3844 * Data returned includes:
3845 * 1. default gateway address (rgi->gateway.addr)
3846 * 2. netmask of interface that owns default gateway
3847 * (rgi->gateway.netmask)
3848 * 3. hardware address (i.e. MAC address) of interface that owns
3849 * default gateway (rgi->hwaddr)
3850 * 4. interface name (or adapter index on Windows) that owns default
3851 * gateway (rgi->iface or rgi->adapter_index)
3852 * 5. an array of additional address/netmask pairs defined by
3853 * interface that owns default gateway (rgi->addrs with length
3854 * given in rgi->n_addrs)
3855 *
3856 * The flags RGI_x_DEFINED may be used to indicate which of the data
3857 * members were successfully returned (set in rgi->flags). All of
3858 * the data members are optional, however certain OpenVPN functionality
3859 * may be disabled by missing items.
3860 */
3861void
3862get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3863{
3864 CLEAR(*rgi);
3865}
3866void
3867get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3868 openvpn_net_ctx_t *ctx)
3869{
3870 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3871 CLEAR(*rgi6);
3872}
3873
3874#endif /* if defined(_WIN32) */
3875
3876bool
3877netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3878{
3879 int i;
3880 const int addrlen = sizeof(in_addr_t) * 8;
3881
3882 if ((network & netmask) == network)
3883 {
3884 for (i = 0; i <= addrlen; ++i)
3885 {
3886 in_addr_t mask = netbits_to_netmask(i);
3887 if (mask == netmask)
3888 {
3889 if (i == addrlen)
3890 {
3891 *netbits = -1;
3892 }
3893 else
3894 {
3895 *netbits = i;
3896 }
3897 return true;
3898 }
3899 }
3900 }
3901 return false;
3902}
3903
3904/* similar to netmask_to_netbits(), but don't mess with base address
3905 * etc., just convert to netbits - non-mappable masks are returned as "-1"
3906 */
3907int
3908netmask_to_netbits2(in_addr_t netmask)
3909{
3910 int i;
3911 const int addrlen = sizeof(in_addr_t) * 8;
3912
3913 for (i = 0; i <= addrlen; ++i)
3914 {
3915 in_addr_t mask = netbits_to_netmask(i);
3916 if (mask == netmask)
3917 {
3918 return i;
3919 }
3920 }
3921 return -1;
3922}
3923
3924
3925/*
3926 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3927 * functions to build a route bypass to selected DHCP/DNS servers,
3928 * so that outgoing packets to these servers don't end up in the tunnel.
3929 */
3930
3931#if defined(_WIN32)
3932
3933static void
3934add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
3935{
3936 if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3937 {
3938 add_bypass_address(rb, addr);
3939 }
3940}
3941
3942static void
3943add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3944{
3945 while (iplist)
3946 {
3947 bool succeed = false;
3948 const in_addr_t ip =
3949 getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3950 if (succeed)
3951 {
3953 }
3954 iplist = iplist->Next;
3955 }
3956}
3957
3958static void
3959get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3960{
3961 struct gc_arena gc = gc_new();
3962 /*bool ret_bool = false;*/
3963
3964 /* get full routing table */
3965 const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3966
3967 /* get the route which represents the default gateway */
3968 const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3969
3970 if (row)
3971 {
3972 /* get the adapter which the default gateway is associated with */
3973 const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3974
3975 /* get extra adapter info, such as DNS addresses */
3976 const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3977
3978 /* Bypass DHCP server address */
3979 if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3980 {
3981 add_host_route_array(rb, &dgi->DhcpServer);
3982 }
3983
3984 /* Bypass DNS server addresses */
3985 if ((flags & RG_BYPASS_DNS) && pai)
3986 {
3987 add_host_route_array(rb, &pai->DnsServerList);
3988 }
3989 }
3990
3991 gc_free(&gc);
3992}
3993
3994#else /* if defined(_WIN32) */
3995
3996static void
3997get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
3998{
3999}
4000
4001#endif /* if defined(_WIN32) */
4002
4003/*
4004 * Test if addr is reachable via a local interface (return ILA_LOCAL),
4005 * or if it needs to be routed via the default gateway (return
4006 * ILA_NONLOCAL). If the target platform doesn't implement this
4007 * function, return ILA_NOT_IMPLEMENTED.
4008 *
4009 * Used by redirect-gateway autolocal feature
4010 */
4011
4012#if defined(_WIN32)
4013
4014int
4015test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4016{
4017 struct gc_arena gc = gc_new();
4018 const in_addr_t nonlocal_netmask =
4019 0x80000000L; /* routes with netmask <= to this are considered non-local */
4020 int ret = TLA_NONLOCAL;
4021
4022 /* get full routing table */
4023 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4024 if (rt)
4025 {
4026 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4027 {
4028 const MIB_IPFORWARDROW *row = &rt->table[i];
4029 const in_addr_t net = ntohl(row->dwForwardDest);
4030 const in_addr_t mask = ntohl(row->dwForwardMask);
4031 if (mask > nonlocal_netmask && (addr & mask) == net)
4032 {
4033 ret = TLA_LOCAL;
4034 break;
4035 }
4036 }
4037 }
4038
4039 gc_free(&gc);
4040 return ret;
4041}
4042
4043#else /* if defined(_WIN32) */
4044
4045int
4046test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4047{
4048 if (rgi)
4049 {
4050 if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4051 {
4052 return TLA_LOCAL;
4053 }
4054 else
4055 {
4056 return TLA_NONLOCAL;
4057 }
4058 }
4059 return TLA_NOT_IMPLEMENTED;
4060}
4061
4062#endif /* if defined(_WIN32) */
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition buffer.c:438
#define BSTR(buf)
Definition buffer.h:128
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1074
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
static void gc_freeaddrinfo_callback(void *addr)
Definition buffer.h:215
static struct gc_arena gc_new(void)
Definition buffer.h:1007
#define PACKAGE_NAME
Definition config.h:492
#define ROUTE_PATH
Definition config.h:513
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
#define D_ROUTE_DEBUG
Definition errlevel.h:132
#define M_INFO
Definition errlevel.h:54
#define D_ROUTE
Definition errlevel.h:79
static SERVICE_STATUS status
Definition interactive.c:51
@ route
Definition interactive.c:85
@ write
@ read
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2796
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:451
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition networking.h:56
void * openvpn_net_ctx_t
Definition networking.h:38
@ msg_add_route
Definition openvpn-msg.h:34
@ msg_del_route
Definition openvpn-msg.h:35
#define IPV4_NETMASK_HOST
Definition basic.h:34
#define CLEAR(x)
Definition basic.h:32
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition error.c:780
#define M_FATAL
Definition error.h:90
#define dmsg(flags,...)
Definition error.h:172
#define msg(flags,...)
Definition error.h:152
unsigned int msglvl_t
Definition error.h:77
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define M_ERRNO
Definition error.h:95
#define DEV_TYPE_TAP
Definition proto.h:36
#define DEV_TYPE_TUN
Definition proto.h:35
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1238
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1054
static void print_route_option(const struct route_option *ro, msglvl_t msglevel)
Definition route.c:1231
static bool route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
Definition route.c:718
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition route.c:3934
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1101
bool is_special_addr(const char *addr_str)
Definition route.c:299
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:153
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1404
static void clear_route_list(struct route_list *rl)
Definition route.c:521
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition route.c:2417
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:930
static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2809
static bool redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:946
static bool add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:884
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition route.c:3943
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3908
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:137
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition route.c:312
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1196
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition route.c:187
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition route.c:231
#define RTA_EEXIST
Definition route.c:103
#define LR_NOMATCH
Definition route.c:1433
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2442
static void add_block_local_routes(struct route_list *rl)
Definition route.c:572
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2667
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition route.c:2383
static DWORD get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
Determines the best route to a destination for both IPv4 and IPv6.
Definition route.c:2533
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition route.c:3052
static int add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3027
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:753
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2030
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3046
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:535
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:171
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:179
bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1480
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition route.c:2405
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1252
bool add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1794
#define RTA_ERROR
Definition route.c:101
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3033
static void print_route(const struct route_ipv4 *r, msglvl_t msglevel)
Definition route.c:1326
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition route.c:1438
static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3040
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition route.c:1471
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition route.c:2485
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2569
static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *)
Definition route.c:2907
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition route.c:544
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:162
static const char * show_opt(const char *option)
Definition route.c:1218
void print_routes(const struct route_list *rl, msglvl_t msglevel)
Definition route.c:1337
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition route.c:435
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:128
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition route.c:4015
#define METRIC_NOT_USED
Definition route.c:59
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition route.c:2713
#define RTA_SUCCESS
Definition route.c:102
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2202
#define LR_MATCH
Definition route.c:1434
static int do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition route.c:2984
static int do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
Definition route.c:2846
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition route.c:1769
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition route.c:528
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1166
#define LR_ERROR
Definition route.c:1435
void show_routes(msglvl_t msglevel)
Definition route.c:3070
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition route.c:3877
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition route.c:214
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2621
static int do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2878
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1367
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1174
static bool add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:912
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition route.c:3959
static bool is_route_parm_defined(const char *parm)
Definition route.c:200
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition route.c:1378
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition route.c:106
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition route.c:1347
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:492
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:898
#define RG_LOCAL
Definition route.h:87
#define TLA_LOCAL
Definition route.h:370
#define RGI_ON_LINK
Definition route.h:164
#define RL_DID_LOCAL
Definition route.h:231
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition route.h:230
#define ROUTE_REF_GW
Definition route.h:50
#define RG_BYPASS_DHCP
Definition route.h:89
#define RTSA_REMOTE_ENDPOINT
Definition route.h:62
#define RGI_ADDR_DEFINED
Definition route.h:159
#define RL_ROUTES_ADDED
Definition route.h:232
#define RGI_HWADDR_DEFINED
Definition route.h:161
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:399
#define RTSA_REMOTE_HOST
Definition route.h:63
#define ROUTE_METHOD_SERVICE
Definition route.h:42
#define RGI_IFACE_DEFINED
Definition route.h:162
#define ROUTE_METHOD_IPAPI
Definition route.h:40
#define RT_ADDED
Definition route.h:121
#define ROUTE_METHOD_EXE
Definition route.h:41
#define RT_METRIC_DEFINED
Definition route.h:122
#define ROUTE_DELETE_FIRST
Definition route.h:49
#define RG_DEF1
Definition route.h:88
#define RG_BYPASS_DNS
Definition route.h:90
#define RG_ENABLE
Definition route.h:86
#define RG_REROUTE_GW
Definition route.h:91
#define TLA_NOT_IMPLEMENTED
Definition route.h:368
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
#define RG_AUTO_LOCAL
Definition route.h:92
#define RG_BLOCK_LOCAL
Definition route.h:93
#define TLA_NONLOCAL
Definition route.h:369
#define N_ROUTE_BYPASS
Definition route.h:54
#define RT_DEFINED
Definition route.h:120
#define ROUTE_METHOD_MASK
Definition route.h:43
#define RTSA_DEFAULT_METRIC
Definition route.h:64
#define RGI_NETMASK_DEFINED
Definition route.h:160
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:219
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:192
#define IPV4_INVALID_ADDR
Definition socket.h:327
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
#define IF_NAMESIZE
#define GETADDR_HOST_ORDER
#define GETADDR_RESOLVE
#define IA_NET_ORDER
Definition socket_util.h:90
#define GETADDR_WARN_ON_SIGNAL
Definition argv.h:35
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
int n_bypass
Definition route.h:55
in_addr_t bypass[N_ROUTE_BYPASS]
Definition route.h:56
in_addr_t netmask
Definition route.h:154
uint8_t hwaddr[6]
Definition route.h:177
unsigned int flags
Definition route.h:165
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:185
DWORD adapter_index
Definition route.h:169
struct route_gateway_address gateway
Definition route.h:180
const struct route_option * option
Definition route.h:125
int metric
Definition route.h:130
struct route_ipv4 * next
Definition route.h:123
int table_id
Definition route.h:129
in_addr_t network
Definition route.h:126
in_addr_t netmask
Definition route.h:127
in_addr_t gateway
Definition route.h:128
unsigned int flags
Definition route.h:124
struct in6_addr addr_ipv6
Definition route.h:190
struct route_ipv6_gateway_address gateway
Definition route.h:219
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:224
unsigned int flags
Definition route.h:197
uint8_t hwaddr[6]
Definition route.h:216
unsigned int iflags
Definition route.h:244
unsigned int flags
Definition route.h:252
struct route_ipv6_gateway_info rgi6
Definition route.h:251
struct route_ipv6 * routes_ipv6
Definition route.h:253
unsigned int spec_flags
Definition route.h:246
int default_metric
Definition route.h:249
struct in6_addr remote_host_ipv6
Definition route.h:248
struct gc_arena gc
Definition route.h:254
struct in6_addr remote_endpoint_ipv6
Definition route.h:247
unsigned int flags
Definition route.h:113
struct gc_arena * gc
Definition route.h:115
struct route_ipv6_option * routes_ipv6
Definition route.h:114
struct route_ipv6_option * next
Definition route.h:104
const char * gateway
Definition route.h:106
const char * metric
Definition route.h:107
const char * prefix
Definition route.h:105
struct in6_addr gateway
Definition route.h:139
DWORD adapter_index
Definition route.h:144
unsigned int netbits
Definition route.h:138
struct route_ipv6 * next
Definition route.h:135
unsigned int flags
Definition route.h:136
struct in6_addr network
Definition route.h:137
int metric
Definition route.h:140
struct route_gateway_info rgi
Definition route.h:236
struct route_ipv4 * routes
Definition route.h:238
struct route_special_addr spec
Definition route.h:235
unsigned int flags
Definition route.h:237
struct gc_arena gc
Definition route.h:239
unsigned int iflags
Definition route.h:233
message_header_t header
Definition openvpn-msg.h:90
interface_t iface
Definition openvpn-msg.h:95
struct gc_arena * gc
Definition route.h:99
unsigned int flags
Definition route.h:97
struct route_option * routes
Definition route.h:98
int table_id
Definition route.h:81
const char * network
Definition route.h:78
const char * netmask
Definition route.h:79
struct route_option * next
Definition route.h:77
const char * gateway
Definition route.h:80
const char * metric
Definition route.h:82
in_addr_t remote_host
Definition route.h:68
struct route_bypass bypass
Definition route.h:70
unsigned int flags
Definition route.h:65
in_addr_t remote_endpoint
Definition route.h:67
int remote_host_local
Definition route.h:69
HANDLE msg_channel
Definition tun.h:88
Definition tun.h:183
int type
Definition tun.h:185
DWORD adapter_index
Definition tun.h:234
bool did_ifconfig_ipv6_setup
if the internal variables related to ifconfig-ipv6 of this struct have been set up.
Definition tun.h:201
struct tuntap_options options
Definition tun.h:205
bool did_ifconfig_setup
if the internal variables related to ifconfig of this struct have been set up.
Definition tun.h:197
char * actual_name
Definition tun.h:207
static char * iface
struct env_set * es
char * r6[]
char * r1[]
struct gc_arena gc
Definition test_ssl.c:131
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4529
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4542
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition tun.c:4444
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition tun.c:4342
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition tun.c:4586
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition tun.c:4317
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition tun.c:4425
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition tun.c:4620
#define TUN_ADAPTER_INDEX_INVALID
Definition tun.h:64
WCHAR * wide_string(const char *utf8, struct gc_arena *gc)
Definition win32-util.c:40
bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack, const char *context)
Definition win32.c:1427
void netcmd_semaphore_release(void)
Definition win32.c:867
char * get_win_sys_path(void)
Definition win32.c:1108
void netcmd_semaphore_lock(void)
Definition win32.c:851
#define WIN_ROUTE_PATH_SUFFIX
Definition win32.h:40