OpenVPN
route.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23/*
24 * Support routines for adding/deleting network routes.
25 */
26#include <stddef.h>
27#include <stdbool.h>
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#include "syshead.h"
34
35#include "common.h"
36#include "error.h"
37#include "route.h"
38#include "run_command.h"
39#include "socket.h"
40#include "manage.h"
41#include "win32.h"
42#include "options.h"
43#include "networking.h"
44#include "integer.h"
45
46#include "memdbg.h"
47
48#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50#endif
51
52#if defined(TARGET_NETBSD)
53#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54#endif
55
56#ifdef _WIN32
57#include "openvpn-msg.h"
58
59#define METRIC_NOT_USED ((DWORD)-1)
60static int add_route_service(const struct route_ipv4 *, const struct tuntap *);
61
62static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63
64static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65
66static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67
68static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
69
70static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt,
71 DWORD adapter_index);
72
73static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
74
75
76#endif
77
78static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
79 const struct route_gateway_info *rgi, const struct env_set *es,
80 openvpn_net_ctx_t *ctx);
81
82static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
83
84#ifdef ENABLE_DEBUG
85
86static void
87print_bypass_addresses(const struct route_bypass *rb)
88{
89 struct gc_arena gc = gc_new();
90 int i;
91 for (i = 0; i < rb->n_bypass; ++i)
92 {
93 msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc));
94 }
95 gc_free(&gc);
96}
97
98#endif
99
100/* Route addition return status codes */
101#define RTA_ERROR 0 /* route addition failed */
102#define RTA_SUCCESS 1 /* route addition succeeded */
103#define RTA_EEXIST 2 /* route not added as it already exists */
104
105#ifndef TARGET_ANDROID
106static bool
107add_bypass_address(struct route_bypass *rb, const in_addr_t a)
108{
109 int i;
110 for (i = 0; i < rb->n_bypass; ++i)
111 {
112 if (a == rb->bypass[i]) /* avoid duplicates */
113 {
114 return true;
115 }
116 }
117 if (rb->n_bypass < N_ROUTE_BYPASS)
118 {
119 rb->bypass[rb->n_bypass++] = a;
120 return true;
121 }
122 else
123 {
124 return false;
125 }
126}
127#endif
128
129struct route_option_list *
130new_route_option_list(struct gc_arena *a)
131{
132 struct route_option_list *ret;
133 ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
134 ret->gc = a;
135 return ret;
136}
137
138struct route_ipv6_option_list *
139new_route_ipv6_option_list(struct gc_arena *a)
140{
141 struct route_ipv6_option_list *ret;
142 ALLOC_OBJ_CLEAR_GC(ret, struct route_ipv6_option_list, a);
143 ret->gc = a;
144 return ret;
145}
146
147/*
148 * NOTE: structs are cloned/copied shallow by design.
149 * The routes list from src will stay intact since it is allocated using
150 * the options->gc. The cloned/copied lists will share this common tail
151 * to avoid copying the data around between pulls. Pulled routes use
152 * the c2->gc so they get freed immediately after a reconnect.
153 */
154struct route_option_list *
155clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
156{
157 struct route_option_list *ret;
158 ALLOC_OBJ_GC(ret, struct route_option_list, a);
159 *ret = *src;
160 return ret;
161}
162
163struct route_ipv6_option_list *
164clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
165{
166 struct route_ipv6_option_list *ret;
167 ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
168 *ret = *src;
169 return ret;
170}
171
172void
173copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
174 struct gc_arena *a)
175{
176 *dest = *src;
177 dest->gc = a;
178}
179
180void
181copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
182 const struct route_ipv6_option_list *src, struct gc_arena *a)
183{
184 *dest = *src;
185 dest->gc = a;
186}
187
188static const char *
189route_string(const struct route_ipv4 *r, struct gc_arena *gc)
190{
191 struct buffer out = alloc_buf_gc(256, gc);
192 buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc),
193 print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc));
194 if (r->flags & RT_METRIC_DEFINED)
195 {
196 buf_printf(&out, " metric %d", r->metric);
197 }
198 return BSTR(&out);
199}
200
201static bool
202is_route_parm_defined(const char *parm)
203{
204 if (!parm)
205 {
206 return false;
207 }
208 if (!strcmp(parm, "default"))
209 {
210 return false;
211 }
212 return true;
213}
214
215static void
216setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
217{
218 struct gc_arena gc = gc_new();
219 struct buffer name = alloc_buf_gc(256, &gc);
220 if (i >= 0)
221 {
222 buf_printf(&name, "route_%s_%d", key, i);
223 }
224 else
225 {
226 buf_printf(&name, "route_%s", key);
227 }
228 setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
229 gc_free(&gc);
230}
231
232static bool
233get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
234{
235 if (status)
236 {
237 *status = true;
238 }
239 if (!strcmp(string, "vpn_gateway"))
240 {
241 if (rl)
242 {
243 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
244 {
245 *out = rl->spec.remote_endpoint;
246 }
247 else
248 {
249 msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
250 if (status)
251 {
252 *status = false;
253 }
254 }
255 }
256 return true;
257 }
258 else if (!strcmp(string, "net_gateway"))
259 {
260 if (rl)
261 {
262 if (rl->ngi.flags & RGI_ADDR_DEFINED)
263 {
264 *out = rl->ngi.gateway.addr;
265 }
266 else
267 {
268 msg(M_INFO, PACKAGE_NAME
269 " ROUTE: net_gateway undefined -- unable to get default gateway from system");
270 if (status)
271 {
272 *status = false;
273 }
274 }
275 }
276 return true;
277 }
278 else if (!strcmp(string, "remote_host"))
279 {
280 if (rl)
281 {
282 if (rl->spec.flags & RTSA_REMOTE_HOST)
283 {
284 *out = rl->spec.remote_host;
285 }
286 else
287 {
288 msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
289 if (status)
290 {
291 *status = false;
292 }
293 }
294 }
295 return true;
296 }
297 return false;
298}
299
300bool
301is_special_addr(const char *addr_str)
302{
303 if (addr_str)
304 {
305 return get_special_addr(NULL, addr_str, NULL, NULL);
306 }
307 else
308 {
309 return false;
310 }
311}
312
313static bool
314init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro,
315 const struct route_list *rl)
316{
317 const in_addr_t default_netmask = IPV4_NETMASK_HOST;
318 bool status;
319 int ret;
320 struct in_addr special = { 0 };
321
322 CLEAR(*r);
323 r->option = ro;
324
325 /* network */
326 if (!is_route_parm_defined(ro->network))
327 {
328 goto fail;
329 }
330
331 /* get_special_addr replaces specialaddr with a special ip addr
332 * like gw. getaddrinfo is called to convert a a addrinfo struct */
333
334 if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status))
335 {
336 if (!status)
337 {
338 goto fail;
339 }
340 special.s_addr = htonl(special.s_addr);
341 char buf[INET_ADDRSTRLEN];
342 inet_ntop(AF_INET, &special, buf, sizeof(buf));
343 ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list);
344 }
345 else
346 {
347 ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0,
348 NULL, AF_INET, network_list);
349 }
350
351 status = (ret == 0);
352
353 if (!status)
354 {
355 goto fail;
356 }
357
358 /* netmask */
359
360 if (is_route_parm_defined(ro->netmask))
361 {
362 r->netmask =
363 getaddr(GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL);
364 if (!status)
365 {
366 goto fail;
367 }
368 }
369 else
370 {
371 r->netmask = default_netmask;
372 }
373
374 /* gateway */
375
376 if (is_route_parm_defined(ro->gateway))
377 {
378 if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
379 {
380 r->gateway = getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL,
381 ro->gateway, 0, &status, NULL);
382 }
383 if (!status)
384 {
385 goto fail;
386 }
387 }
388 else
389 {
390 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
391 {
392 r->gateway = rl->spec.remote_endpoint;
393 }
394 else
395 {
396 msg(M_WARN, PACKAGE_NAME
397 " ROUTE: " PACKAGE_NAME
398 " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
399 goto fail;
400 }
401 }
402
403 /* metric */
404
405 r->metric = 0;
406 if (is_route_parm_defined(ro->metric))
407 {
408 r->metric = atoi(ro->metric);
409 if (r->metric < 0)
410 {
411 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
412 ro->network, ro->metric);
413 goto fail;
414 }
415 r->flags |= RT_METRIC_DEFINED;
416 }
417 else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
418 {
419 r->metric = rl->spec.default_metric;
420 r->flags |= RT_METRIC_DEFINED;
421 }
422
423 r->flags |= RT_DEFINED;
424
425 /* routing table id */
426 r->table_id = ro->table_id;
427
428 return true;
429
430fail:
431 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
432 ro->network);
433 return false;
434}
435
436static bool
437init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o,
438 const struct route_ipv6_list *rl6)
439{
440 CLEAR(*r6);
441
442 if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN))
443 {
444 goto fail;
445 }
446
447 /* gateway */
448 if (is_route_parm_defined(r6o->gateway))
449 {
450 if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1)
451 {
452 msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway);
453 }
454 }
455 else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
456 {
457 r6->gateway = rl6->remote_endpoint_ipv6;
458 }
459
460 /* metric */
461
462 r6->metric = -1;
463 if (is_route_parm_defined(r6o->metric))
464 {
465 r6->metric = atoi(r6o->metric);
466 if (r6->metric < 0)
467 {
468 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
469 r6o->prefix, r6o->metric);
470 goto fail;
471 }
472 r6->flags |= RT_METRIC_DEFINED;
473 }
474 else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
475 {
476 r6->metric = rl6->default_metric;
477 r6->flags |= RT_METRIC_DEFINED;
478 }
479
480 r6->flags |= RT_DEFINED;
481
482 /* routing table id */
483 r6->table_id = r6o->table_id;
484
485 return true;
486
487fail:
488 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
489 r6o->prefix);
490 return false;
491}
492
493void
494add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
495 const char *gateway, const char *metric, int table_id)
496{
497 struct route_option *ro;
498 ALLOC_OBJ_GC(ro, struct route_option, l->gc);
499 ro->network = network;
500 ro->netmask = netmask;
501 ro->gateway = gateway;
502 ro->metric = metric;
503 ro->table_id = table_id;
504 ro->next = l->routes;
505 l->routes = ro;
506}
507
508void
509add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
510 const char *gateway, const char *metric, int table_id)
511{
512 struct route_ipv6_option *ro;
513 ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
514 ro->prefix = prefix;
515 ro->gateway = gateway;
516 ro->metric = metric;
517 ro->table_id = table_id;
518 ro->next = l->routes_ipv6;
519 l->routes_ipv6 = ro;
520}
521
522static void
523clear_route_list(struct route_list *rl)
524{
525 gc_free(&rl->gc);
526 CLEAR(*rl);
527}
528
529static void
530clear_route_ipv6_list(struct route_ipv6_list *rl6)
531{
532 gc_free(&rl6->gc);
533 CLEAR(*rl6);
534}
535
536void
537route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
538{
539 ASSERT(rl);
540 rl->spec.remote_endpoint = addr;
541 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
542 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
543}
544
545static void
546add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway,
547 in_addr_t target)
548{
549 if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
550 {
551 struct route_ipv4 *r1, *r2;
552 unsigned int l2;
553
554 ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
555 ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
556
557 /* split a route into two smaller blocking routes, and direct them to target */
558 l2 = ((~gateway->netmask) + 1) >> 1;
559 r1->flags = RT_DEFINED;
560 r1->gateway = target;
561 r1->network = gateway->addr & gateway->netmask;
562 r1->netmask = ~(l2 - 1);
563 r1->next = rl->routes;
564 rl->routes = r1;
565
566 *r2 = *r1;
567 r2->network += l2;
568 r2->next = rl->routes;
569 rl->routes = r2;
570 }
571}
572
573#if defined(__GNUC__) || defined(__clang__)
574#pragma GCC diagnostic push
575#pragma GCC diagnostic ignored "-Wsign-compare"
576#endif
577
578static void
579add_block_local_routes(struct route_list *rl)
580{
581#ifndef TARGET_ANDROID
582 /* add bypass for gateway addr */
583 add_bypass_address(&rl->spec.bypass, rl->rgi.gateway.addr);
584#endif
585
586 /* block access to local subnet */
587 add_block_local_item(rl, &rl->rgi.gateway, rl->spec.remote_endpoint);
588
589 /* process additional subnets on gateway interface */
590 for (int i = 0; i < rl->rgi.n_addrs; ++i)
591 {
592 const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
593 /* omit the add/subnet in &rl->rgi which we processed above */
594 if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
595 && rl->rgi.gateway.netmask == gwa->netmask))
596 {
597 add_block_local_item(rl, gwa, rl->spec.remote_endpoint);
598 }
599 }
600}
601
602bool
603block_local_needed(const struct route_list *rl)
604{
605 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
606 return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed
607 && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL;
608}
609
610#if defined(__GNUC__) || defined(__clang__)
611#pragma GCC diagnostic pop
612#endif
613
614bool
615init_route_list(struct route_list *rl, const struct route_option_list *opt,
616 const char *remote_endpoint, int default_metric, in_addr_t remote_host,
617 struct env_set *es, openvpn_net_ctx_t *ctx)
618{
619 struct gc_arena gc = gc_new();
620 bool ret = true;
621
622 clear_route_list(rl);
623
624 rl->flags = opt->flags;
625
626 if (remote_host != IPV4_INVALID_ADDR)
627 {
628 rl->spec.remote_host = remote_host;
629 rl->spec.flags |= RTSA_REMOTE_HOST;
630 }
631
632 if (default_metric)
633 {
634 rl->spec.default_metric = default_metric;
635 rl->spec.flags |= RTSA_DEFAULT_METRIC;
636 }
637
638 get_default_gateway(&rl->ngi, INADDR_ANY, ctx);
639 if (rl->ngi.flags & RGI_ADDR_DEFINED)
640 {
641 setenv_route_addr(es, "net_gateway", rl->ngi.gateway.addr, -1);
642#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
643 print_default_gateway(D_ROUTE, &rl->rgi, NULL);
644#endif
645 }
646 else
647 {
648 dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
649 }
650
651 get_default_gateway(&rl->rgi, remote_host != IPV4_INVALID_ADDR ? remote_host : INADDR_ANY, ctx);
652
653 if (rl->spec.flags & RTSA_REMOTE_HOST)
654 {
655 rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
656 }
657
658 if (is_route_parm_defined(remote_endpoint))
659 {
660 bool defined = false;
661 rl->spec.remote_endpoint =
662 getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint,
663 0, &defined, NULL);
664
665 if (defined)
666 {
667 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
668 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
669 }
670 else
671 {
672 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
673 remote_endpoint);
674 ret = false;
675 }
676 }
677
678 if (rl->flags & RG_ENABLE)
679 {
680 if (block_local_needed(rl))
681 {
682 add_block_local_routes(rl);
683 }
684 get_bypass_addresses(&rl->spec.bypass, rl->flags);
685#ifdef ENABLE_DEBUG
686 print_bypass_addresses(&rl->spec.bypass);
687#endif
688 }
689
690 /* parse the routes from opt to rl */
691 {
692 struct route_option *ro;
693 for (ro = opt->routes; ro; ro = ro->next)
694 {
695 struct addrinfo *netlist = NULL;
696 struct route_ipv4 r;
697
698 if (!init_route(&r, &netlist, ro, rl))
699 {
700 ret = false;
701 }
702 else
703 {
704 struct addrinfo *curele;
705 for (curele = netlist; curele; curele = curele->ai_next)
706 {
707 struct route_ipv4 *new;
708 ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
709 *new = r;
710 new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
711 new->next = rl->routes;
712 rl->routes = new;
713 }
714 }
715 if (netlist)
716 {
717 gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
718 }
719 }
720 }
721
722 gc_free(&gc);
723 return ret;
724}
725
726bool
727ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
728{
729 /* not the most beautiful implementation in the world, but portable and
730 * "good enough" */
731 if (bits > 128)
732 {
733 return false;
734 }
735
736 int i;
737 for (i = 0; bits >= 8; i++, bits -= 8)
738 {
739 if (network->s6_addr[i] != host->s6_addr[i])
740 {
741 return false;
742 }
743 }
744
745 if (bits == 0)
746 {
747 return true;
748 }
749
750 unsigned int mask = 0xff << (8 - bits);
751
752 if ((network->s6_addr[i] & mask) == (host->s6_addr[i] & mask))
753 {
754 return true;
755 }
756
757 return false;
758}
759
760bool
761init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
762 const char *remote_endpoint, int default_metric,
763 const struct in6_addr *remote_host_ipv6, struct env_set *es,
764 openvpn_net_ctx_t *ctx)
765{
766 struct gc_arena gc = gc_new();
767 bool ret = true;
768 bool need_remote_ipv6_route;
769
770 clear_route_ipv6_list(rl6);
771
772 rl6->flags = opt6->flags;
773
774 if (remote_host_ipv6)
775 {
776 rl6->remote_host_ipv6 = *remote_host_ipv6;
777 rl6->spec_flags |= RTSA_REMOTE_HOST;
778 }
779
780 if (default_metric >= 0)
781 {
782 rl6->default_metric = default_metric;
783 rl6->spec_flags |= RTSA_DEFAULT_METRIC;
784 }
785
786 msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
787 remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a");
788
789 get_default_gateway_ipv6(&rl6->ngi6, NULL, ctx);
790 if (rl6->ngi6.flags & RGI_ADDR_DEFINED)
791 {
792 setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->ngi6.gateway.addr_ipv6, 0, &gc));
793#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
794 print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
795#endif
796 }
797 else
798 {
799 dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
800 }
801
802 get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
803
804 if (is_route_parm_defined(remote_endpoint))
805 {
806 if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1)
807 {
808 rl6->spec_flags |= RTSA_REMOTE_ENDPOINT;
809 }
810 else
811 {
812 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s",
813 remote_endpoint);
814 ret = false;
815 }
816 }
817
818 /* parse the routes from opt6 to rl6
819 * discovering potential overlaps with remote_host_ipv6 in the process
820 */
821 need_remote_ipv6_route = false;
822
823 {
824 struct route_ipv6_option *ro6;
825 for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
826 {
827 struct route_ipv6 *r6;
828 ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
829 if (!init_route_ipv6(r6, ro6, rl6))
830 {
831 ret = false;
832 }
833 else
834 {
835 r6->next = rl6->routes_ipv6;
836 rl6->routes_ipv6 = r6;
837
838#ifndef TARGET_ANDROID
839 /* On Android the VPNService protect function call will take of
840 * avoiding routing loops, so ignore this part and let
841 * need_remote_ipv6_route always evaluate to false
842 */
843 if (remote_host_ipv6
844 && ipv6_net_contains_host(&r6->network, r6->netbits, remote_host_ipv6))
845 {
846 need_remote_ipv6_route = true;
847 msg(D_ROUTE,
848 "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
849 print_in6_addr(r6->network, 0, &gc), r6->netbits,
850 print_in6_addr(*remote_host_ipv6, 0, &gc));
851 }
852#endif
853 }
854 }
855 }
856
857 /* add VPN server host route if needed */
858 if (need_remote_ipv6_route)
859 {
860 if ((rl6->rgi6.flags & (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
861 == (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
862 {
863 struct route_ipv6 *r6;
864 ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
865
866 r6->network = *remote_host_ipv6;
867 r6->netbits = 128;
868 if (!(rl6->rgi6.flags & RGI_ON_LINK))
869 {
870 r6->gateway = rl6->rgi6.gateway.addr_ipv6;
871 }
872 r6->metric = 1;
873#ifdef _WIN32
874 r6->adapter_index = rl6->rgi6.adapter_index;
875#else
876 r6->iface = rl6->rgi6.iface;
877#endif
878 r6->flags = RT_DEFINED | RT_METRIC_DEFINED;
879
880 r6->next = rl6->routes_ipv6;
881 rl6->routes_ipv6 = r6;
882 }
883 else
884 {
885 msg(M_WARN,
886 "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n");
887 }
888 }
889
890 gc_free(&gc);
891 return ret;
892}
893
894static bool
895add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
896 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
897 openvpn_net_ctx_t *ctx)
898{
899 struct route_ipv4 r;
900 CLEAR(r);
901 r.flags = RT_DEFINED;
902 r.network = network;
903 r.netmask = netmask;
904 r.gateway = gateway;
905 return add_route(&r, tt, flags, rgi, es, ctx);
906}
907
908static void
909del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
910 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
911 openvpn_net_ctx_t *ctx)
912{
913 struct route_ipv4 r;
914 CLEAR(r);
915 r.flags = RT_DEFINED | RT_ADDED;
916 r.network = network;
917 r.netmask = netmask;
918 r.gateway = gateway;
919 delete_route(&r, tt, flags, rgi, es, ctx);
920}
921
922static bool
923add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
924 unsigned int flags, const struct route_gateway_info *rgi,
925 const struct env_set *es, openvpn_net_ctx_t *ctx)
926{
927 int ret = true;
928 for (int i = 0; i < rb->n_bypass; ++i)
929 {
930 if (rb->bypass[i])
931 {
932 ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW,
933 rgi, es, ctx)
934 && ret;
935 }
936 }
937 return ret;
938}
939
940static void
941del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
942 unsigned int flags, const struct route_gateway_info *rgi,
943 const struct env_set *es, openvpn_net_ctx_t *ctx)
944{
945 int i;
946 for (i = 0; i < rb->n_bypass; ++i)
947 {
948 if (rb->bypass[i])
949 {
950 del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es,
951 ctx);
952 }
953 }
954}
955
956static bool
957redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
958 const struct env_set *es, openvpn_net_ctx_t *ctx)
959{
960 const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
961 bool ret = true;
962
963 if (rl && rl->flags & RG_ENABLE)
964 {
965 bool local = rl->flags & RG_LOCAL;
966
967 if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
968 {
969 msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
970 ret = false;
971 }
972 /*
973 * check if a default route is defined, unless:
974 * - we are connecting to a remote host in our network
975 * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
976 */
977 else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
978 && (rl->spec.flags & RTSA_REMOTE_HOST))
979 {
980 msg(M_WARN, "%s Cannot read current default gateway from system", err);
981 ret = false;
982 }
983 else
984 {
985#ifndef TARGET_ANDROID
986 if (rl->flags & RG_AUTO_LOCAL)
987 {
988 const int tla = rl->spec.remote_host_local;
989 if (tla == TLA_NONLOCAL)
990 {
991 dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
992 local = false;
993 }
994 else if (tla == TLA_LOCAL)
995 {
996 dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
997 local = true;
998 }
999 }
1000 if (!local)
1001 {
1002 /* route remote host to original default gateway */
1003 /* if remote_host is not ipv4 (ie: ipv6), just skip
1004 * adding this special /32 route */
1005 if ((rl->spec.flags & RTSA_REMOTE_HOST)
1006 && rl->spec.remote_host != IPV4_INVALID_ADDR)
1007 {
1008 ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr,
1009 tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1010 if (ret)
1011 {
1012 rl->iflags |= RL_DID_LOCAL;
1013 }
1014 }
1015 else
1016 {
1017 dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1018 }
1019 }
1020#endif /* ifndef TARGET_ANDROID */
1021
1022 /* route DHCP/DNS server traffic through original default gateway */
1023 ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es,
1024 ctx)
1025 && ret;
1026
1027 if (rl->flags & RG_REROUTE_GW)
1028 {
1029 if (rl->flags & RG_DEF1)
1030 {
1031 /* add new default route (1st component) */
1032 ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1033 &rl->rgi, es, ctx)
1034 && ret;
1035
1036 /* add new default route (2nd component) */
1037 ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1038 &rl->rgi, es, ctx)
1039 && ret;
1040 }
1041 else
1042 {
1043 /* don't try to remove the def route if it does not exist */
1044 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1045 {
1046 /* delete default route */
1047 del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi,
1048 es, ctx);
1049 }
1050
1051 /* add new default route */
1052 ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx)
1053 && ret;
1054 }
1055 }
1056
1057 /* set a flag so we can undo later */
1058 rl->iflags |= RL_DID_REDIRECT_DEFAULT_GATEWAY;
1059 }
1060 }
1061 return ret;
1062}
1063
1064static void
1065undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
1066 unsigned int flags, const struct env_set *es,
1067 openvpn_net_ctx_t *ctx)
1068{
1069 if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1070 {
1071 /* delete remote host route */
1072 if (rl->iflags & RL_DID_LOCAL)
1073 {
1074 del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt,
1075 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1076 rl->iflags &= ~RL_DID_LOCAL;
1077 }
1078
1079 /* delete special DHCP/DNS bypass route */
1080 del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx);
1081
1082 if (rl->flags & RG_REROUTE_GW)
1083 {
1084 if (rl->flags & RG_DEF1)
1085 {
1086 /* delete default route (1st component) */
1087 del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1088 es, ctx);
1089
1090 /* delete default route (2nd component) */
1091 del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1092 es, ctx);
1093 }
1094 else
1095 {
1096 /* delete default route */
1097 del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx);
1098 /* restore original default route if there was any */
1099 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1100 {
1101 add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es,
1102 ctx);
1103 }
1104 }
1105 }
1106
1107 rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY;
1108 }
1109}
1110
1111bool
1112add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1113 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1114{
1115 bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1116 if (rl && !(rl->iflags & RL_ROUTES_ADDED))
1117 {
1118 struct route_ipv4 *r;
1119
1120 if (rl->routes && !tt->did_ifconfig_setup)
1121 {
1122 msg(M_INFO,
1123 "WARNING: OpenVPN was configured to add an IPv4 "
1124 "route. However, no IPv4 has been configured for %s, "
1125 "therefore the route installation may fail or may not work "
1126 "as expected.",
1127 tt->actual_name);
1128 }
1129
1130#ifdef ENABLE_MANAGEMENT
1131 if (management && rl->routes)
1132 {
1133 management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL,
1134 NULL);
1135 }
1136#endif
1137
1138 for (r = rl->routes; r; r = r->next)
1139 {
1140 if (flags & ROUTE_DELETE_FIRST)
1141 {
1142 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1143 }
1144 ret = add_route(r, tt, flags, &rl->rgi, es, ctx) && ret;
1145 }
1146 rl->iflags |= RL_ROUTES_ADDED;
1147 }
1148 if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED))
1149 {
1150 struct route_ipv6 *r;
1151
1152 if (!tt->did_ifconfig_ipv6_setup)
1153 {
1154 msg(M_INFO,
1155 "WARNING: OpenVPN was configured to add an IPv6 "
1156 "route. However, no IPv6 has been configured for %s, "
1157 "therefore the route installation may fail or may not work "
1158 "as expected.",
1159 tt->actual_name);
1160 }
1161
1162 for (r = rl6->routes_ipv6; r; r = r->next)
1163 {
1164 if (flags & ROUTE_DELETE_FIRST)
1165 {
1166 delete_route_ipv6(r, tt, es, ctx);
1167 }
1168 ret = add_route_ipv6(r, tt, flags, es, ctx) && ret;
1169 }
1170 rl6->iflags |= RL_ROUTES_ADDED;
1171 }
1172
1173 return ret;
1174}
1175
1176void
1177delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1178 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1179{
1180 delete_routes_v4(rl, tt, flags, es, ctx);
1181 delete_routes_v6(rl6, tt, flags, es, ctx);
1182}
1183
1184void
1185delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
1186 const struct env_set *es, openvpn_net_ctx_t *ctx)
1187{
1188 if (rl && (rl->iflags & RL_ROUTES_ADDED))
1189 {
1190 struct route_ipv4 *r;
1191 for (r = rl->routes; r; r = r->next)
1192 {
1193 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1194 }
1195 rl->iflags &= ~RL_ROUTES_ADDED;
1196 }
1197
1198 undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1199
1200 if (rl)
1201 {
1202 clear_route_list(rl);
1203 }
1204}
1205
1206void
1207delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
1208 const struct env_set *es, openvpn_net_ctx_t *ctx)
1209{
1210 if (rl6 && (rl6->iflags & RL_ROUTES_ADDED))
1211 {
1212 struct route_ipv6 *r6;
1213 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1214 {
1215 delete_route_ipv6(r6, tt, es, ctx);
1216 }
1217 rl6->iflags &= ~RL_ROUTES_ADDED;
1218 }
1219
1220 if (rl6)
1221 {
1222 clear_route_ipv6_list(rl6);
1223 }
1224}
1225
1226#ifndef ENABLE_SMALL
1227
1228static const char *
1229show_opt(const char *option)
1230{
1231 if (!option)
1232 {
1233 return "default (not set)";
1234 }
1235 else
1236 {
1237 return option;
1238 }
1239}
1240
1241static void
1242print_route_option(const struct route_option *ro, msglvl_t msglevel)
1243{
1244 msg(msglevel, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask),
1245 show_opt(ro->gateway), show_opt(ro->metric));
1246}
1247
1248void
1249print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
1250{
1251 struct route_option *ro;
1252 if (rol->flags & RG_ENABLE)
1253 {
1254 msg(msglevel, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0);
1255 }
1256 for (ro = rol->routes; ro; ro = ro->next)
1257 {
1258 print_route_option(ro, msglevel);
1259 }
1260}
1261
1262void
1263print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi,
1264 const struct route_ipv6_gateway_info *rgi6)
1265{
1266 struct gc_arena gc = gc_new();
1267 if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1268 {
1269 struct buffer out = alloc_buf_gc(256, &gc);
1270 buf_printf(&out, "ROUTE_GATEWAY");
1271 if (rgi->flags & RGI_ON_LINK)
1272 {
1273 buf_printf(&out, " ON_LINK");
1274 }
1275 else
1276 {
1277 buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1278 }
1279 if (rgi->flags & RGI_NETMASK_DEFINED)
1280 {
1281 buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1282 }
1283#ifdef _WIN32
1284 if (rgi->flags & RGI_IFACE_DEFINED)
1285 {
1286 buf_printf(&out, " I=%lu", rgi->adapter_index);
1287 }
1288#else
1289 if (rgi->flags & RGI_IFACE_DEFINED)
1290 {
1291 buf_printf(&out, " IFACE=%s", rgi->iface);
1292 }
1293#endif
1294 if (rgi->flags & RGI_HWADDR_DEFINED)
1295 {
1296 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1297 }
1298 msg(msglevel, "%s", BSTR(&out));
1299 }
1300
1301 if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1302 {
1303 struct buffer out = alloc_buf_gc(256, &gc);
1304 buf_printf(&out, "ROUTE6_GATEWAY");
1305 buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1306 if (rgi6->flags & RGI_ON_LINK)
1307 {
1308 buf_printf(&out, " ON_LINK");
1309 }
1310 if (rgi6->flags & RGI_NETMASK_DEFINED)
1311 {
1312 buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1313 }
1314#ifdef _WIN32
1315 if (rgi6->flags & RGI_IFACE_DEFINED)
1316 {
1317 buf_printf(&out, " I=%lu", rgi6->adapter_index);
1318 }
1319#else
1320 if (rgi6->flags & RGI_IFACE_DEFINED)
1321 {
1322 buf_printf(&out, " IFACE=%s", rgi6->iface);
1323 }
1324#endif
1325 if (rgi6->flags & RGI_HWADDR_DEFINED)
1326 {
1327 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1328 }
1329 msg(msglevel, "%s", BSTR(&out));
1330 }
1331 gc_free(&gc);
1332}
1333
1334#endif /* ifndef ENABLE_SMALL */
1335
1336static void
1337print_route(const struct route_ipv4 *r, msglvl_t msglevel)
1338{
1339 struct gc_arena gc = gc_new();
1340 if (r->flags & RT_DEFINED)
1341 {
1342 msg(msglevel, "%s", route_string(r, &gc));
1343 }
1344 gc_free(&gc);
1345}
1346
1347void
1348print_routes(const struct route_list *rl, msglvl_t msglevel)
1349{
1350 struct route_ipv4 *r;
1351 for (r = rl->routes; r; r = r->next)
1352 {
1353 print_route(r, msglevel);
1354 }
1355}
1356
1357static void
1358setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1359{
1360 struct gc_arena gc = gc_new();
1361 if (r->flags & RT_DEFINED)
1362 {
1363 setenv_route_addr(es, "network", r->network, i);
1364 setenv_route_addr(es, "netmask", r->netmask, i);
1365 setenv_route_addr(es, "gateway", r->gateway, i);
1366
1367 if (r->flags & RT_METRIC_DEFINED)
1368 {
1369 struct buffer name = alloc_buf_gc(256, &gc);
1370 buf_printf(&name, "route_metric_%d", i);
1371 setenv_int(es, BSTR(&name), r->metric);
1372 }
1373 }
1374 gc_free(&gc);
1375}
1376
1377void
1378setenv_routes(struct env_set *es, const struct route_list *rl)
1379{
1380 int i = 1;
1381 struct route_ipv4 *r;
1382 for (r = rl->routes; r; r = r->next)
1383 {
1384 setenv_route(es, r, i++);
1385 }
1386}
1387
1388static void
1389setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1390{
1391 struct gc_arena gc = gc_new();
1392 if (r6->flags & RT_DEFINED)
1393 {
1394 struct buffer name1 = alloc_buf_gc(256, &gc);
1395 struct buffer val = alloc_buf_gc(256, &gc);
1396 struct buffer name2 = alloc_buf_gc(256, &gc);
1397
1398 buf_printf(&name1, "route_ipv6_network_%d", i);
1399 buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits);
1400 setenv_str(es, BSTR(&name1), BSTR(&val));
1401
1402 buf_printf(&name2, "route_ipv6_gateway_%d", i);
1403 setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc));
1404
1405 if (r6->flags & RT_METRIC_DEFINED)
1406 {
1407 struct buffer name3 = alloc_buf_gc(256, &gc);
1408 buf_printf(&name3, "route_ipv6_metric_%d", i);
1409 setenv_int(es, BSTR(&name3), r6->metric);
1410 }
1411 }
1412 gc_free(&gc);
1413}
1414void
1415setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1416{
1417 int i = 1;
1418 struct route_ipv6 *r6;
1419 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1420 {
1421 setenv_route_ipv6(es, r6, i++);
1422 }
1423}
1424
1425/*
1426 * local_route() determines whether the gateway of a provided host
1427 * route is on the same interface that owns the default gateway.
1428 * It uses the data structure
1429 * returned by get_default_gateway() (struct route_gateway_info)
1430 * to determine this. If the route is local, LR_MATCH is returned.
1431 * When adding routes into the kernel, if LR_MATCH is defined for
1432 * a given route, the route should explicitly reference the default
1433 * gateway interface as the route destination. For example, here
1434 * is an example on Linux that uses LR_MATCH:
1435 *
1436 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1437 *
1438 * This capability is needed by the "default-gateway block-local"
1439 * directive, to allow client access to the local subnet to be
1440 * blocked but still allow access to the local default gateway.
1441 */
1442
1443/* local_route() return values */
1444#define LR_NOMATCH 0 /* route is not local */
1445#define LR_MATCH 1 /* route is local */
1446#define LR_ERROR 2 /* caller should abort adding route */
1447
1448#if defined(__GNUC__) || defined(__clang__)
1449#pragma GCC diagnostic push
1450#pragma GCC diagnostic ignored "-Wsign-compare"
1451#endif
1452
1453static int
1454local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway,
1455 const struct route_gateway_info *rgi)
1456{
1457 /* set LR_MATCH on local host routes */
1458 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED);
1459 if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr
1460 && netmask == 0xFFFFFFFF)
1461 {
1462 if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1463 {
1464 return LR_MATCH;
1465 }
1466 else
1467 {
1468 /* examine additional subnets on gateway interface */
1469 for (int i = 0; i < rgi->n_addrs; ++i)
1470 {
1471 const struct route_gateway_address *gwa = &rgi->addrs[i];
1472 if (((network ^ gwa->addr) & gwa->netmask) == 0)
1473 {
1474 return LR_MATCH;
1475 }
1476 }
1477 }
1478 }
1479 return LR_NOMATCH;
1480}
1481
1482#if defined(__GNUC__) || defined(__clang__)
1483#pragma GCC diagnostic pop
1484#endif
1485
1486/* Return true if the "on-link" form of the route should be used. This is when the gateway for
1487 * a route is specified as an interface rather than an address. */
1488#if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
1489static inline bool
1490is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1491{
1492 return rgi
1493 && (is_local_route == LR_MATCH
1494 || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1495}
1496#endif
1497
1498bool
1499add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
1500 const struct route_gateway_info *rgi, /* may be NULL */
1501 const struct env_set *es, openvpn_net_ctx_t *ctx)
1502{
1503 int status = 0;
1504 int is_local_route;
1505
1506 if (!(r->flags & RT_DEFINED))
1507 {
1508 return true; /* no error */
1509 }
1510
1511 struct argv argv = argv_new();
1512 struct gc_arena gc = gc_new();
1513
1514#if !defined(TARGET_LINUX)
1515 const char *network = print_in_addr_t(r->network, 0, &gc);
1516#if !defined(TARGET_AIX)
1517 const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1518#endif
1519 const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1520#endif
1521
1522 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1523 if (is_local_route == LR_ERROR)
1524 {
1525 goto done;
1526 }
1527
1528#if defined(TARGET_LINUX)
1529 const char *iface = NULL;
1530 int metric = -1;
1531
1532 if (is_on_link(is_local_route, flags, rgi))
1533 {
1534 iface = rgi->iface;
1535 }
1536
1537 if (r->flags & RT_METRIC_DEFINED)
1538 {
1539 metric = r->metric;
1540 }
1541
1542
1543 status = RTA_SUCCESS;
1544 int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway,
1545 iface, r->table_id, metric);
1546 if (ret == -EEXIST)
1547 {
1548 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1549 status = RTA_EEXIST;
1550 }
1551 else if (ret < 0)
1552 {
1553 msg(M_WARN, "ERROR: Linux route add command failed");
1554 status = RTA_ERROR;
1555 }
1556
1557#elif defined(TARGET_ANDROID)
1558 char out[128];
1559
1560 if (rgi)
1561 {
1562 snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1563 }
1564 else
1565 {
1566 snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1567 }
1568 bool ret = management_android_control(management, "ROUTE", out);
1569 status = ret ? RTA_SUCCESS : RTA_ERROR;
1570
1571#elif defined(_WIN32)
1572 {
1573 DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1574 argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
1575 network, netmask, gateway);
1576 if (r->flags & RT_METRIC_DEFINED)
1577 {
1578 argv_printf_cat(&argv, "METRIC %d", r->metric);
1579 }
1580 if (is_on_link(is_local_route, flags, rgi))
1581 {
1582 ai = rgi->adapter_index;
1583 argv_printf_cat(&argv, "IF %lu", ai);
1584 }
1585
1586 argv_msg(D_ROUTE, &argv);
1587
1588 const char *method = "service";
1589 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1590 {
1591 status = add_route_service(r, tt);
1592 }
1593 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1594 {
1595 status = add_route_ipapi(r, tt, ai);
1596 method = "ipapi";
1597 }
1598 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1599 {
1600 netcmd_semaphore_lock();
1601 bool ret =
1602 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1603 status = ret ? RTA_SUCCESS : RTA_ERROR;
1604 netcmd_semaphore_release();
1605 method = "route.exe";
1606 }
1607 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1608 {
1609 status = add_route_ipapi(r, tt, ai);
1610 method = "ipapi [adaptive]";
1611 if (status == RTA_ERROR)
1612 {
1613 msg(D_ROUTE, "Route addition fallback to route.exe");
1614 netcmd_semaphore_lock();
1615 bool ret = openvpn_execve_check(
1616 &argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1617 status = ret ? RTA_SUCCESS : RTA_ERROR;
1618 netcmd_semaphore_release();
1619 method = "route.exe";
1620 }
1621 }
1622 else
1623 {
1624 ASSERT(0);
1625 }
1626 if (status != RTA_ERROR) /* error is logged upstream */
1627 {
1628 msg(D_ROUTE, "Route addition via %s %s", method,
1629 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
1630 }
1631 }
1632
1633#elif defined(TARGET_SOLARIS)
1634
1635 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1636
1637 argv_printf(&argv, "%s add", ROUTE_PATH);
1638
1639 argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway);
1640
1641 /* Solaris can only distinguish between "metric 0" == "on-link on the
1642 * interface where the IP address given is configured" and "metric > 0"
1643 * == "use gateway specified" (no finer-grained route metrics available)
1644 *
1645 * More recent versions of Solaris can also do "-interface", but that
1646 * would break backwards compatibility with older versions for no gain.
1647 */
1648 if (r->flags & RT_METRIC_DEFINED)
1649 {
1650 argv_printf_cat(&argv, "%d", r->metric);
1651 }
1652
1653 argv_msg(D_ROUTE, &argv);
1654 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1655 status = ret ? RTA_SUCCESS : RTA_ERROR;
1656
1657#elif defined(TARGET_FREEBSD)
1658
1659 argv_printf(&argv, "%s add", ROUTE_PATH);
1660
1661#if 0
1662 if (r->flags & RT_METRIC_DEFINED)
1663 {
1664 argv_printf_cat(&argv, "-rtt %d", r->metric);
1665 }
1666#endif
1667
1668 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1669
1670 /* FIXME -- add on-link support for FreeBSD */
1671
1672 argv_msg(D_ROUTE, &argv);
1673 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1674 status = ret ? RTA_SUCCESS : RTA_ERROR;
1675
1676#elif defined(TARGET_DRAGONFLY)
1677
1678 argv_printf(&argv, "%s add", ROUTE_PATH);
1679
1680#if 0
1681 if (r->flags & RT_METRIC_DEFINED)
1682 {
1683 argv_printf_cat(&argv, "-rtt %d", r->metric);
1684 }
1685#endif
1686
1687 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1688
1689 /* FIXME -- add on-link support for Dragonfly */
1690
1691 argv_msg(D_ROUTE, &argv);
1692 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1693 status = ret ? RTA_SUCCESS : RTA_ERROR;
1694
1695#elif defined(TARGET_DARWIN)
1696
1697 argv_printf(&argv, "%s add", ROUTE_PATH);
1698
1699#if 0
1700 if (r->flags & RT_METRIC_DEFINED)
1701 {
1702 argv_printf_cat(&argv, "-rtt %d", r->metric);
1703 }
1704#endif
1705
1706 if (is_on_link(is_local_route, flags, rgi))
1707 {
1708 /* Mac OS X route syntax for ON_LINK:
1709 * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1710 argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask,
1711 rgi->iface);
1712 }
1713 else
1714 {
1715 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1716 }
1717
1718 argv_msg(D_ROUTE, &argv);
1719 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1720 status = ret ? RTA_SUCCESS : RTA_ERROR;
1721
1722#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1723
1724 argv_printf(&argv, "%s add", ROUTE_PATH);
1725
1726#if 0
1727 if (r->flags & RT_METRIC_DEFINED)
1728 {
1729 argv_printf_cat(&argv, "-rtt %d", r->metric);
1730 }
1731#endif
1732
1733 argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);
1734
1735 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1736
1737 argv_msg(D_ROUTE, &argv);
1738 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1739 status = ret ? RTA_SUCCESS : RTA_ERROR;
1740
1741#elif defined(TARGET_AIX)
1742
1743 {
1744 int netbits = netmask_to_netbits2(r->netmask);
1745 argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
1746 argv_msg(D_ROUTE, &argv);
1747 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1748 status = ret ? RTA_SUCCESS : RTA_ERROR;
1749 }
1750
1751#elif defined(TARGET_HAIKU)
1752
1753 /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
1754 argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
1755 gateway, netmask);
1756 argv_msg(D_ROUTE, &argv);
1757 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed");
1758 status = ret ? RTA_SUCCESS : RTA_ERROR;
1759
1760#else /* if defined(TARGET_LINUX) */
1761 msg(M_FATAL,
1762 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1763#endif /* if defined(TARGET_LINUX) */
1764
1765done:
1766 if (status == RTA_SUCCESS)
1767 {
1768 r->flags |= RT_ADDED;
1769 }
1770 else
1771 {
1772 r->flags &= ~RT_ADDED;
1773 }
1774 argv_free(&argv);
1775 gc_free(&gc);
1776 /* release resources potentially allocated during route setup */
1777 net_ctx_reset(ctx);
1778
1779 return (status != RTA_ERROR);
1780}
1781
1782void
1783route_ipv6_clear_host_bits(struct route_ipv6 *r6)
1784{
1785 /* clear host bit parts of route
1786 * (needed if routes are specified improperly, or if we need to
1787 * explicitly setup/clear the "connected" network routes on some OSes)
1788 */
1789 int byte = 15;
1790 int bits_to_clear = 128 - r6->netbits;
1791
1792 while (byte >= 0 && bits_to_clear > 0)
1793 {
1794 if (bits_to_clear >= 8)
1795 {
1796 r6->network.s6_addr[byte--] = 0;
1797 bits_to_clear -= 8;
1798 }
1799 else
1800 {
1801 r6->network.s6_addr[byte--] &= (0xff << bits_to_clear);
1802 bits_to_clear = 0;
1803 }
1804 }
1805}
1806
1807bool
1808add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags,
1809 const struct env_set *es, openvpn_net_ctx_t *ctx)
1810{
1811 int status = 0;
1812 bool gateway_needed = false;
1813
1814 if (!(r6->flags & RT_DEFINED))
1815 {
1816 return true; /* no error */
1817 }
1818
1819 struct argv argv = argv_new();
1820 struct gc_arena gc = gc_new();
1821
1822#ifndef _WIN32
1823 const char *device = tt->actual_name;
1824 if (r6->iface != NULL) /* vpn server special route */
1825 {
1826 device = r6->iface;
1827 if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1828 {
1829 gateway_needed = true;
1830 }
1831 }
1832#endif
1833
1834 route_ipv6_clear_host_bits(r6);
1835 const char *network = print_in6_addr(r6->network, 0, &gc);
1836 const char *gateway = print_in6_addr(r6->gateway, 0, &gc);
1837
1838#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1839 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1840
1841 /* the BSD platforms cannot specify gateway and interface independently,
1842 * but for link-local destinations, we MUST specify the interface, so
1843 * we build a combined "$gateway%$interface" gateway string
1844 */
1845 if (r6->iface != NULL && gateway_needed
1846 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
1847 {
1848 size_t len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
1849 char *tmp = gc_malloc(len, true, &gc);
1850 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
1851 gateway = tmp;
1852 }
1853#endif
1854
1855#ifndef _WIN32
1856 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway,
1857 r6->metric, device);
1858#else
1859 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway,
1860 r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index);
1861#endif
1862
1863 /*
1864 * Filter out routes which are essentially no-ops
1865 * (not currently done for IPv6)
1866 */
1867
1868 /* On "tun" interface, we never set a gateway if the operating system
1869 * can do "route to interface" - it does not add value, as the target
1870 * dev already fully qualifies the route destination on point-to-point
1871 * interfaces. OTOH, on "tap" interface, we must always set the
1872 * gateway unless the route is to be an on-link network
1873 */
1874 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
1875 {
1876 gateway_needed = true;
1877 }
1878
1879 if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1880 {
1881 msg(M_WARN,
1882 "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1883 "parameter for a --route-ipv6 option and no default was set via "
1884 "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1885 "IPv6 route to %s/%d.",
1886 network, r6->netbits);
1887 status = 0;
1888 goto done;
1889 }
1890
1891#if defined(TARGET_LINUX)
1892 int metric = -1;
1893 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1894 {
1895 metric = r6->metric;
1896 }
1897
1898 status = RTA_SUCCESS;
1899 int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
1900 device, r6->table_id, metric);
1901 if (ret == -EEXIST)
1902 {
1903 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1904 status = RTA_EEXIST;
1905 }
1906 else if (ret < 0)
1907 {
1908 msg(M_WARN, "ERROR: Linux route add command failed");
1909 status = RTA_ERROR;
1910 }
1911
1912#elif defined(TARGET_ANDROID)
1913 char out[64];
1914
1915 snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1916
1917 status = management_android_control(management, "ROUTE6", out);
1918
1919#elif defined(_WIN32)
1920
1921 if (tt->options.msg_channel)
1922 {
1923 status = add_route_ipv6_service(r6, tt);
1924 }
1925 else
1926 {
1927 status = route_ipv6_ipapi(true, r6, tt);
1928 }
1929#elif defined(TARGET_SOLARIS)
1930
1931 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1932
1933 /* for some reason, routes to tun/tap do not work for me unless I set
1934 * "metric 0" - otherwise, the routes will be nicely installed, but
1935 * packets will just disappear somewhere. So we always use "0" now,
1936 * unless the route points to "gateway on other interface"...
1937 *
1938 * (Note: OpenSolaris can not specify host%interface gateways, so we just
1939 * use the GW addresses - it seems to still work for fe80:: addresses,
1940 * however this is done internally. NUD maybe?)
1941 */
1942 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1943
1944 /* on tun (not tap), not "elsewhere"? -> metric 0 */
1945 if (tt->type == DEV_TYPE_TUN && !r6->iface)
1946 {
1947 argv_printf_cat(&argv, "0");
1948 }
1949
1950 argv_msg(D_ROUTE, &argv);
1951 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
1952 status = ret ? RTA_SUCCESS : RTA_ERROR;
1953
1954#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1955
1956 argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
1957
1958 if (gateway_needed)
1959 {
1960 argv_printf_cat(&argv, "%s", gateway);
1961 }
1962 else
1963 {
1964 argv_printf_cat(&argv, "-iface %s", device);
1965 }
1966
1967 argv_msg(D_ROUTE, &argv);
1968 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
1969 status = ret ? RTA_SUCCESS : RTA_ERROR;
1970
1971#elif defined(TARGET_DARWIN)
1972
1973 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
1974
1975 if (gateway_needed)
1976 {
1977 argv_printf_cat(&argv, "%s", gateway);
1978 }
1979 else
1980 {
1981 argv_printf_cat(&argv, "-iface %s", device);
1982 }
1983
1984 argv_msg(D_ROUTE, &argv);
1985 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
1986 status = ret ? RTA_SUCCESS : RTA_ERROR;
1987
1988#elif defined(TARGET_OPENBSD)
1989
1990 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
1991 gateway);
1992
1993 argv_msg(D_ROUTE, &argv);
1994 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
1995 status = ret ? RTA_SUCCESS : RTA_ERROR;
1996
1997#elif defined(TARGET_NETBSD)
1998
1999 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2000
2001 argv_msg(D_ROUTE, &argv);
2002 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
2003 status = ret ? RTA_SUCCESS : RTA_ERROR;
2004
2005#elif defined(TARGET_AIX)
2006
2007 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2008 argv_msg(D_ROUTE, &argv);
2009 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2010 status = ret ? RTA_SUCCESS : RTA_ERROR;
2011
2012#elif defined(TARGET_HAIKU)
2013
2014 /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2015 argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2016 gateway, r6->netbits);
2017 argv_msg(D_ROUTE, &argv);
2018 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed");
2019 status = ret ? RTA_SUCCESS : RTA_ERROR;
2020
2021#else /* if defined(TARGET_LINUX) */
2022 msg(M_FATAL,
2023 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2024#endif /* if defined(TARGET_LINUX) */
2025
2026done:
2027 if (status == RTA_SUCCESS)
2028 {
2029 r6->flags |= RT_ADDED;
2030 }
2031 else
2032 {
2033 r6->flags &= ~RT_ADDED;
2034 }
2035 argv_free(&argv);
2036 gc_free(&gc);
2037 /* release resources potentially allocated during route setup */
2038 net_ctx_reset(ctx);
2039
2040 return (status != RTA_ERROR);
2041}
2042
2043static void
2044delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
2045 const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
2046{
2047#if !defined(TARGET_LINUX)
2048 const char *network;
2049#if !defined(TARGET_AIX)
2050 const char *netmask;
2051#endif
2052 const char *gateway;
2053#else /* if !defined(TARGET_LINUX) */
2054 int metric;
2055#endif
2056 int is_local_route;
2057
2058 if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2059 {
2060 return;
2061 }
2062
2063 struct gc_arena gc = gc_new();
2064 struct argv argv = argv_new();
2065
2066#if !defined(TARGET_LINUX)
2067 network = print_in_addr_t(r->network, 0, &gc);
2068#if !defined(TARGET_AIX)
2069 netmask = print_in_addr_t(r->netmask, 0, &gc);
2070#endif
2071 gateway = print_in_addr_t(r->gateway, 0, &gc);
2072#endif
2073
2074 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2075 if (is_local_route == LR_ERROR)
2076 {
2077 goto done;
2078 }
2079
2080#if defined(TARGET_LINUX)
2081 metric = -1;
2082 if (r->flags & RT_METRIC_DEFINED)
2083 {
2084 metric = r->metric;
2085 }
2086
2087 if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL,
2088 r->table_id, metric)
2089 < 0)
2090 {
2091 msg(M_WARN, "ERROR: Linux route delete command failed");
2092 }
2093#elif defined(_WIN32)
2094
2095 argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
2096 network, netmask, gateway);
2097
2098 argv_msg(D_ROUTE, &argv);
2099
2100 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2101 {
2102 const bool status = del_route_service(r, tt);
2103 msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2104 }
2105 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2106 {
2107 const bool status = del_route_ipapi(r, tt);
2108 msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2109 }
2110 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2111 {
2112 netcmd_semaphore_lock();
2113 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2114 netcmd_semaphore_release();
2115 }
2116 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2117 {
2118 const bool status = del_route_ipapi(r, tt);
2119 msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2120 if (!status)
2121 {
2122 msg(D_ROUTE, "Route deletion fallback to route.exe");
2123 netcmd_semaphore_lock();
2124 openvpn_execve_check(&argv, es, 0,
2125 "ERROR: Windows route delete command failed [adaptive]");
2126 netcmd_semaphore_release();
2127 }
2128 }
2129 else
2130 {
2131 ASSERT(0);
2132 }
2133
2134#elif defined(TARGET_SOLARIS)
2135
2136 argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway);
2137
2138 argv_msg(D_ROUTE, &argv);
2139 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2140
2141#elif defined(TARGET_FREEBSD)
2142
2143 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2144
2145 argv_msg(D_ROUTE, &argv);
2146 openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2147
2148#elif defined(TARGET_DRAGONFLY)
2149
2150 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2151
2152 argv_msg(D_ROUTE, &argv);
2153 openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2154
2155#elif defined(TARGET_DARWIN)
2156
2157 if (is_on_link(is_local_route, flags, rgi))
2158 {
2159 argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH,
2160 network, netmask, rgi->iface);
2161 }
2162 else
2163 {
2164 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2165 }
2166
2167 argv_msg(D_ROUTE, &argv);
2168 openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2169
2170#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2171
2172 argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask);
2173
2174 argv_msg(D_ROUTE, &argv);
2175 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2176
2177#elif defined(TARGET_ANDROID)
2178 /* Avoids the unused variables warnings that all other platforms use
2179 * by adding them to the error message. */
2180 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2181 "needed. The VpnService API allows routes to be set "
2182 "on connect only and will clean up automatically. "
2183 "Tried to delete route %s netmask %s gateway %s",
2184 network, netmask, gateway);
2185#elif defined(TARGET_AIX)
2186
2187 {
2188 int netbits = netmask_to_netbits2(r->netmask);
2189 argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
2190 argv_msg(D_ROUTE, &argv);
2191 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2192 }
2193
2194#elif defined(TARGET_HAIKU)
2195
2196 /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
2197 argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
2198 gateway, netmask);
2199 argv_msg(D_ROUTE, &argv);
2200 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
2201
2202#else /* if defined(TARGET_LINUX) */
2203 msg(M_FATAL,
2204 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2205#endif /* if defined(TARGET_LINUX) */
2206
2207done:
2208 r->flags &= ~RT_ADDED;
2209 argv_free(&argv);
2210 gc_free(&gc);
2211 /* release resources potentially allocated during route cleanup */
2212 net_ctx_reset(ctx);
2213}
2214
2215void
2216delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es,
2217 openvpn_net_ctx_t *ctx)
2218{
2219 const char *network;
2220
2221 if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2222 {
2223 return;
2224 }
2225
2226#if !defined(_WIN32)
2227#if !defined(TARGET_LINUX)
2228 const char *gateway;
2229#endif
2230#if !defined(TARGET_SOLARIS)
2231 bool gateway_needed = false;
2232 const char *device = tt->actual_name;
2233 if (r6->iface != NULL) /* vpn server special route */
2234 {
2235 device = r6->iface;
2236 gateway_needed = true;
2237 }
2238 (void)device; /* unused on some platforms */
2239
2240 /* if we used a gateway on "add route", we also need to specify it on
2241 * delete, otherwise some OSes will refuse to delete the route
2242 */
2243 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
2244 {
2245 gateway_needed = true;
2246 }
2247#endif
2248#endif
2249
2250 struct gc_arena gc = gc_new();
2251 struct argv argv = argv_new();
2252
2253 network = print_in6_addr(r6->network, 0, &gc);
2254#if !defined(TARGET_LINUX) && !defined(_WIN32)
2255 gateway = print_in6_addr(r6->gateway, 0, &gc);
2256#endif
2257
2258#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2259 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2260
2261 /* the BSD platforms cannot specify gateway and interface independently,
2262 * but for link-local destinations, we MUST specify the interface, so
2263 * we build a combined "$gateway%$interface" gateway string
2264 */
2265 if (r6->iface != NULL && gateway_needed
2266 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
2267 {
2268 size_t len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
2269 char *tmp = gc_malloc(len, true, &gc);
2270 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
2271 gateway = tmp;
2272 }
2273#endif
2274
2275 msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits);
2276
2277#if defined(TARGET_LINUX)
2278 int metric = -1;
2279 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2280 {
2281 metric = r6->metric;
2282 }
2283
2284 if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
2285 device, r6->table_id, metric)
2286 < 0)
2287 {
2288 msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2289 }
2290
2291#elif defined(_WIN32)
2292
2293 if (tt->options.msg_channel)
2294 {
2295 del_route_ipv6_service(r6, tt);
2296 }
2297 else
2298 {
2299 route_ipv6_ipapi(false, r6, tt);
2300 }
2301#elif defined(TARGET_SOLARIS)
2302
2303 /* example: route delete -inet6 2001:db8::/32 somegateway */
2304
2305 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2306
2307 argv_msg(D_ROUTE, &argv);
2308 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2309
2310#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2311
2312 argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
2313
2314 if (gateway_needed)
2315 {
2316 argv_printf_cat(&argv, "%s", gateway);
2317 }
2318 else
2319 {
2320 argv_printf_cat(&argv, "-iface %s", device);
2321 }
2322
2323 argv_msg(D_ROUTE, &argv);
2324 openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2325
2326#elif defined(TARGET_DARWIN)
2327
2328 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
2329
2330 if (gateway_needed)
2331 {
2332 argv_printf_cat(&argv, "%s", gateway);
2333 }
2334 else
2335 {
2336 argv_printf_cat(&argv, "-iface %s", device);
2337 }
2338
2339 argv_msg(D_ROUTE, &argv);
2340 openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2341
2342#elif defined(TARGET_OPENBSD)
2343
2344 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
2345 gateway);
2346
2347 argv_msg(D_ROUTE, &argv);
2348 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2349
2350#elif defined(TARGET_NETBSD)
2351
2352 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2353
2354 argv_msg(D_ROUTE, &argv);
2355 openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2356
2357#elif defined(TARGET_AIX)
2358
2359 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2360 argv_msg(D_ROUTE, &argv);
2361 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2362
2363#elif defined(TARGET_ANDROID)
2364 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2365 "needed. The VpnService API allows routes to be set "
2366 "on connect only and will clean up automatically. "
2367 "Tried to delete %s gateway %s",
2368 network,
2369 gateway_needed ? gateway : "(not needed)");
2370#elif defined(TARGET_HAIKU)
2371
2372 /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2373 argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2374 gateway, r6->netbits);
2375 argv_msg(D_ROUTE, &argv);
2376 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
2377
2378#else /* if defined(TARGET_LINUX) */
2379 msg(M_FATAL,
2380 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2381#endif /* if defined(TARGET_LINUX) */
2382
2383 argv_free(&argv);
2384 gc_free(&gc);
2385 /* release resources potentially allocated during route cleanup */
2386 net_ctx_reset(ctx);
2387}
2388
2389/*
2390 * The --redirect-gateway option requires OS-specific code below
2391 * to get the current default gateway.
2392 */
2393
2394#if defined(_WIN32)
2395
2396static const MIB_IPFORWARDTABLE *
2397get_windows_routing_table(struct gc_arena *gc)
2398{
2399 ULONG size = 0;
2400 PMIB_IPFORWARDTABLE rt = NULL;
2401 DWORD status;
2402
2403 status = GetIpForwardTable(NULL, &size, TRUE);
2404 if (status == ERROR_INSUFFICIENT_BUFFER)
2405 {
2406 rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc);
2407 status = GetIpForwardTable(rt, &size, TRUE);
2408 if (status != NO_ERROR)
2409 {
2410 msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2411 strerror_win32(status, gc), (unsigned int)status);
2412 rt = NULL;
2413 }
2414 }
2415 return rt;
2416}
2417
2418static int
2419test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
2420{
2421 int count = 0;
2422 DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2423 if (index)
2424 {
2425 *index = i;
2426 }
2427 return count;
2428}
2429
2430static void
2431test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters,
2432 const in_addr_t gateway)
2433{
2434 int c;
2435
2436 ++*count;
2437 c = test_route(adapters, gateway, NULL);
2438 if (c == 0)
2439 {
2440 *ret = false;
2441 }
2442 else
2443 {
2444 ++*good;
2445 }
2446 if (c > 1)
2447 {
2448 ++*ambig;
2449 }
2450}
2451
2452/*
2453 * If we tried to add routes now, would we succeed?
2454 */
2455bool
2456test_routes(const struct route_list *rl, const struct tuntap *tt)
2457{
2458 struct gc_arena gc = gc_new();
2459 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2460 bool ret = false;
2461 int count = 0;
2462 int good = 0;
2463 int ambig = 0;
2464 int len = -1;
2465 bool adapter_up = false;
2466
2467 if (is_adapter_up(tt, adapters))
2468 {
2469 ret = true;
2470 adapter_up = true;
2471
2472 /* we do this test only if we have IPv4 routes to install, and if
2473 * the tun/tap interface has seen IPv4 ifconfig - because if we
2474 * have no IPv4, the check will always fail, failing tun init
2475 */
2476 if (rl && tt->did_ifconfig_setup)
2477 {
2478 struct route_ipv4 *r;
2479 for (r = rl->routes, len = 0; r; r = r->next, ++len)
2480 {
2481 test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2482 }
2483
2484 if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2485 {
2486 test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2487 }
2488 }
2489 }
2490
2491 msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len,
2492 (int)ret, ambig, adapter_up ? "up" : "down");
2493
2494 gc_free(&gc);
2495 return ret;
2496}
2497
2498static const MIB_IPFORWARDROW *
2499get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2500{
2501 struct gc_arena gc = gc_new();
2502 DWORD lowest_metric = MAXDWORD;
2503 const MIB_IPFORWARDROW *ret = NULL;
2504 int best = -1;
2505
2506 if (routes)
2507 {
2508 for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2509 {
2510 const MIB_IPFORWARDROW *row = &routes->table[i];
2511 const in_addr_t net = ntohl(row->dwForwardDest);
2512 const in_addr_t mask = ntohl(row->dwForwardMask);
2513 const DWORD index = row->dwForwardIfIndex;
2514 const DWORD metric = row->dwForwardMetric1;
2515
2516 dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i,
2517 print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc),
2518 (int)index, (int)metric);
2519
2520 if (!net && !mask && metric < lowest_metric)
2521 {
2522 ret = row;
2523 lowest_metric = metric;
2524 best = i;
2525 }
2526 }
2527 }
2528
2529 dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2530
2531 gc_free(&gc);
2532 return ret;
2533}
2534
2546static DWORD
2547get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
2548{
2549 DWORD best_if_index;
2550 DWORD status;
2551
2552 CLEAR(*best_route);
2553
2554 /* get the best interface index to reach dest */
2555 status = GetBestInterfaceEx((struct sockaddr *)dest, &best_if_index);
2556 if (status != NO_ERROR)
2557 {
2558 msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2559 strerror_win32(status, gc), (unsigned int)status);
2560 goto done;
2561 }
2562
2563 msg(D_ROUTE_DEBUG, "GetBestInterfaceEx() returned if=%d", (int)best_if_index);
2564
2565 /* get the routing information (such as NextHop) for the destination and interface */
2566 NET_LUID luid;
2567 CLEAR(luid);
2568 SOCKADDR_INET best_src;
2569 CLEAR(best_src);
2570 status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src);
2571 if (status != NO_ERROR)
2572 {
2573 msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2574 strerror_win32(status, gc), (unsigned int)status);
2575 goto done;
2576 }
2577
2578done:
2579 return status;
2580}
2581
2582void
2583get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
2584{
2585 CLEAR(*rgi);
2586
2587 struct gc_arena gc = gc_new();
2588
2589 /* convert in_addr_t into SOCKADDR_INET */
2590 SOCKADDR_INET sa;
2591 CLEAR(sa);
2592 sa.si_family = AF_INET;
2593 sa.Ipv4.sin_addr.s_addr = htonl(dest);
2594
2595 /* get the best route to the destination */
2596 MIB_IPFORWARD_ROW2 best_route;
2597 CLEAR(best_route);
2598 DWORD status = get_best_route(&gc, &sa, &best_route);
2599 if (status != NO_ERROR)
2600 {
2601 goto done;
2602 }
2603
2604 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2605 rgi->gateway.addr = ntohl(best_route.NextHop.Ipv4.sin_addr.S_un.S_addr);
2606 rgi->adapter_index = best_route.InterfaceIndex;
2607
2608 if (rgi->gateway.addr == INADDR_ANY)
2609 {
2610 rgi->flags |= RGI_ON_LINK;
2611 }
2612
2613 /* get netmask and MAC address */
2614 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2615 const IP_ADAPTER_INFO *ai = get_adapter(adapters, rgi->adapter_index);
2616 if (ai)
2617 {
2618 memcpy(rgi->hwaddr, ai->Address, 6);
2619 rgi->flags |= RGI_HWADDR_DEFINED;
2620
2621 /* get netmask for non-onlink routes */
2622 in_addr_t nm = inet_addr(ai->IpAddressList.IpMask.String);
2623 if (!(rgi->flags & RGI_ON_LINK) && (nm != INADDR_NONE))
2624 {
2625 rgi->gateway.netmask = ntohl(nm);
2626 rgi->flags |= RGI_NETMASK_DEFINED;
2627 }
2628 }
2629
2630done:
2631 gc_free(&gc);
2632}
2633
2634static DWORD
2635windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2636{
2637 struct gc_arena gc = gc_new();
2638 DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2639 int count = 0;
2640 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2641 const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2642 bool on_tun = false;
2643
2644 /* first test on tun interface */
2645 if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2646 {
2647 ret = tun_adapter->Index;
2648 count = 1;
2649 on_tun = true;
2650 }
2651 else /* test on other interfaces */
2652 {
2653 count = test_route(adapters, r->gateway, &ret);
2654 }
2655
2656 if (count == 0)
2657 {
2658 msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2659 print_in_addr_t(r->gateway, 0, &gc));
2660 ret = TUN_ADAPTER_INDEX_INVALID;
2661 }
2662 else if (count > 1)
2663 {
2664 msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2665 print_in_addr_t(r->gateway, 0, &gc), count);
2666 }
2667
2668 dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count,
2669 (int)ret);
2670
2671 gc_free(&gc);
2672 return ret;
2673}
2674
2675/* IPv6 implementation using GetBestRoute2()
2676 * (TBD: dynamic linking so the binary can still run on XP?)
2677 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2678 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2679 */
2680void
2681get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
2682 openvpn_net_ctx_t *ctx)
2683{
2684 struct gc_arena gc = gc_new();
2685 CLEAR(*rgi6);
2686
2687 SOCKADDR_INET DestinationAddress;
2688 CLEAR(DestinationAddress);
2689 DestinationAddress.si_family = AF_INET6;
2690 if (dest)
2691 {
2692 DestinationAddress.Ipv6.sin6_addr = *dest;
2693 }
2694
2695 MIB_IPFORWARD_ROW2 BestRoute;
2696 CLEAR(BestRoute);
2697 DWORD status = get_best_route(&gc, &DestinationAddress, &BestRoute);
2698
2699 if (status != NO_ERROR)
2700 {
2701 goto done;
2702 }
2703
2704 msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex,
2705 print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2706 BestRoute.DestinationPrefix.PrefixLength,
2707 print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc));
2708 msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric,
2709 (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal);
2710
2711 rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2712 rgi6->adapter_index = BestRoute.InterfaceIndex;
2713 rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2714
2715 /* on-link is signalled by receiving an empty (::) NextHop */
2716 if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr))
2717 {
2718 rgi6->flags |= RGI_ON_LINK;
2719 }
2720
2721done:
2722 gc_free(&gc);
2723}
2724
2725/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2726static int
2727add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2728{
2729 struct gc_arena gc = gc_new();
2730 int ret = RTA_ERROR;
2731 DWORD status;
2732 const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID)
2733 ? windows_route_find_if_index(r, tt)
2734 : adapter_index;
2735
2736 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2737 {
2738 MIB_IPFORWARDROW fr;
2739 CLEAR(fr);
2740 fr.dwForwardDest = htonl(r->network);
2741 fr.dwForwardMask = htonl(r->netmask);
2742 fr.dwForwardPolicy = 0;
2743 fr.dwForwardNextHop = htonl(r->gateway);
2744 fr.dwForwardIfIndex = if_index;
2745 fr.dwForwardType = 4; /* the next hop is not the final dest */
2746 fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2747 fr.dwForwardAge = 0;
2748 fr.dwForwardNextHopAS = 0;
2749 fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2750 fr.dwForwardMetric2 = METRIC_NOT_USED;
2751 fr.dwForwardMetric3 = METRIC_NOT_USED;
2752 fr.dwForwardMetric4 = METRIC_NOT_USED;
2753 fr.dwForwardMetric5 = METRIC_NOT_USED;
2754
2755 if ((r->network & r->netmask) != r->network)
2756 {
2757 msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2758 print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc));
2759 }
2760
2761 status = CreateIpForwardEntry(&fr);
2762
2763 if (status == NO_ERROR)
2764 {
2765 ret = RTA_SUCCESS;
2766 }
2767 else if (status == ERROR_OBJECT_ALREADY_EXISTS)
2768 {
2769 ret = RTA_EEXIST;
2770 }
2771 else
2772 {
2773 /* failed, try increasing the metric to work around Vista issue */
2774 const unsigned int forward_metric_limit =
2775 2048; /* iteratively retry higher metrics up to this limit */
2776
2777 for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2778 {
2779 /* try a different forward type=3 ("the next hop is the final dest") in addition
2780 * to 4.
2781 * --redirect-gateway over RRAS seems to need this. */
2782 for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2783 {
2784 status = CreateIpForwardEntry(&fr);
2785 if (status == NO_ERROR)
2786 {
2787 msg(D_ROUTE,
2788 "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2789 (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType);
2790 ret = RTA_SUCCESS;
2791 goto doublebreak;
2792 }
2793 else if (status != ERROR_BAD_ARGUMENTS)
2794 {
2795 goto doublebreak;
2796 }
2797 }
2798 }
2799
2800doublebreak:
2801 if (status != NO_ERROR)
2802 {
2803 if (status == ERROR_OBJECT_ALREADY_EXISTS)
2804 {
2805 ret = RTA_EEXIST;
2806 }
2807 else
2808 {
2809 msg(M_WARN,
2810 "ERROR: route addition failed using CreateIpForwardEntry: "
2811 "%s [status=%u if_index=%u]",
2812 strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index);
2813 }
2814 }
2815 }
2816 }
2817
2818 gc_free(&gc);
2819 return ret;
2820}
2821
2822static bool
2823del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2824{
2825 struct gc_arena gc = gc_new();
2826 bool ret = false;
2827 DWORD status;
2828 const DWORD if_index = windows_route_find_if_index(r, tt);
2829
2830 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2831 {
2832 MIB_IPFORWARDROW fr;
2833 CLEAR(fr);
2834
2835 fr.dwForwardDest = htonl(r->network);
2836 fr.dwForwardMask = htonl(r->netmask);
2837 fr.dwForwardPolicy = 0;
2838 fr.dwForwardNextHop = htonl(r->gateway);
2839 fr.dwForwardIfIndex = if_index;
2840
2841 status = DeleteIpForwardEntry(&fr);
2842
2843 if (status == NO_ERROR)
2844 {
2845 ret = true;
2846 }
2847 else
2848 {
2849 msg(M_WARN, "ERROR: route deletion failed using DeleteIpForwardEntry: %s",
2850 strerror_win32(status, &gc));
2851 }
2852 }
2853
2854 gc_free(&gc);
2855 return ret;
2856}
2857
2858/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2859static int
2860do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
2861{
2862 int ret = RTA_ERROR;
2863 ack_message_t ack;
2864 struct gc_arena gc = gc_new();
2865
2866 if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
2867 {
2868 goto out;
2869 }
2870
2871 if (ack.error_number != NO_ERROR)
2872 {
2873 ret = (ack.error_number == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2874 if (ret == RTA_ERROR)
2875 {
2876 msg(M_WARN, "ERROR: route %s failed using service: %s [status=%u if_index=%d]",
2877 (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
2878 ack.error_number, rt->iface.index);
2879 }
2880 goto out;
2881 }
2882
2883 ret = RTA_SUCCESS;
2884
2885out:
2886 gc_free(&gc);
2887 return ret;
2888}
2889
2890#if defined(__GNUC__) || defined(__clang__)
2891#pragma GCC diagnostic push
2892#pragma GCC diagnostic ignored "-Wsign-compare"
2893#endif
2894
2895/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2896static int
2897do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
2898{
2899 DWORD if_index = windows_route_find_if_index(r, tt);
2900 if (if_index == ~0)
2901 {
2902 return RTA_ERROR;
2903 }
2904
2905 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
2906 sizeof(route_message_t), 0 },
2907 .family = AF_INET,
2908 .prefix.ipv4.s_addr = htonl(r->network),
2909 .gateway.ipv4.s_addr = htonl(r->gateway),
2910 .iface = { .index = if_index, .name = "" },
2911 .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) };
2912
2913 netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
2914 if (msg.prefix_len == -1)
2915 {
2916 msg.prefix_len = 32;
2917 }
2918
2919 return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
2920}
2921
2922/* Add or delete an ipv6 route
2923 * Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error
2924 */
2925static int
2926route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2927{
2928 DWORD err;
2929 int ret = RTA_ERROR;
2930 PMIB_IPFORWARD_ROW2 fwd_row;
2931 struct gc_arena gc = gc_new();
2932
2933 fwd_row = gc_malloc(sizeof(*fwd_row), true, &gc);
2934
2935 fwd_row->ValidLifetime = 0xffffffff;
2936 fwd_row->PreferredLifetime = 0xffffffff;
2937 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
2938 fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
2939 fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
2940 fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
2941 fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits;
2942 fwd_row->NextHop.si_family = AF_INET6;
2943 fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
2944 fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
2945
2946 /* In TUN mode we use a special link-local address as the next hop.
2947 * The tapdrvr knows about it and will answer neighbor discovery packets.
2948 * (only do this for routes actually using the tun/tap device)
2949 */
2950 if (tt->type == DEV_TYPE_TUN && !r->adapter_index)
2951 {
2952 inet_pton(AF_INET6, "fe80::8", &fwd_row->NextHop.Ipv6.sin6_addr);
2953 }
2954
2955 /* Use LUID if interface index not available */
2956 if (fwd_row->InterfaceIndex == TUN_ADAPTER_INDEX_INVALID && strlen(tt->actual_name))
2957 {
2958 NET_LUID luid;
2959 err = ConvertInterfaceAliasToLuid(wide_string(tt->actual_name, &gc), &luid);
2960 if (err != NO_ERROR)
2961 {
2962 goto out;
2963 }
2964 fwd_row->InterfaceLuid = luid;
2965 fwd_row->InterfaceIndex = 0;
2966 }
2967
2968 if (add)
2969 {
2970 err = CreateIpForwardEntry2(fwd_row);
2971 }
2972 else
2973 {
2974 err = DeleteIpForwardEntry2(fwd_row);
2975 }
2976
2977out:
2978 if (err != NO_ERROR)
2979 {
2980 ret = (err == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2981 if (ret == RTA_ERROR)
2982 {
2983 msg(M_WARN, "ERROR: route %s failed using ipapi: %s [status=%lu if_index=%lu]",
2984 (add ? "addition" : "deletion"), strerror_win32(err, &gc), err,
2985 fwd_row->InterfaceIndex);
2986 }
2987 else if (add)
2988 {
2989 msg(D_ROUTE, "IPv6 route addition using ipapi failed because route exists");
2990 }
2991 }
2992 else
2993 {
2994 msg(D_ROUTE, "IPv6 route %s using ipapi", add ? "added" : "deleted");
2995 ret = RTA_SUCCESS;
2996 }
2997 gc_free(&gc);
2998 return ret;
2999}
3000
3001/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3002static int
3003do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3004{
3005 int status;
3006 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
3007 sizeof(route_message_t), 0 },
3008 .family = AF_INET6,
3009 .prefix.ipv6 = r->network,
3010 .prefix_len = r->netbits,
3011 .gateway.ipv6 = r->gateway,
3012 .iface = { .index = tt->adapter_index, .name = "" },
3013 .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) };
3014
3015 if (r->adapter_index) /* vpn server special route */
3016 {
3017 msg.iface.index = r->adapter_index;
3018 }
3019
3020 /* In TUN mode we use a special link-local address as the next hop.
3021 * The tapdrvr knows about it and will answer neighbor discovery packets.
3022 * (only do this for routes actually using the tun/tap device)
3023 */
3024 if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index)
3025 {
3026 inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3027 }
3028
3029 if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID)
3030 {
3031 strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3032 msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3033 }
3034
3035 status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3036 if (status != RTA_ERROR)
3037 {
3038 msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion",
3039 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
3040 }
3041 return status;
3042}
3043
3044#if defined(__GNUC__) || defined(__clang__)
3045#pragma GCC diagnostic pop
3046#endif
3047
3048/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3049static int
3050add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3051{
3052 return do_route_ipv4_service(true, r, tt);
3053}
3054
3055static bool
3056del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3057{
3058 return do_route_ipv4_service(false, r, tt);
3059}
3060
3061/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3062static int
3063add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3064{
3065 return do_route_ipv6_service(true, r, tt);
3066}
3067
3068static bool
3069del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3070{
3071 return do_route_ipv6_service(false, r, tt);
3072}
3073
3074static const char *
3075format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3076{
3077 struct buffer out = alloc_buf_gc(256, gc);
3078 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3079 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3080 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3081 print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
3082 (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
3083 (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
3084 (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
3085 (int)r->dwForwardMetric5);
3086 return BSTR(&out);
3087}
3088
3089/*
3090 * Show current routing table
3091 */
3092void
3093show_routes(msglvl_t msglevel)
3094{
3095 struct gc_arena gc = gc_new();
3096
3097 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3098
3099 msg(msglevel, "SYSTEM ROUTING TABLE");
3100 if (rt)
3101 {
3102 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3103 {
3104 msg(msglevel, "%s", format_route_entry(&rt->table[i], &gc));
3105 }
3106 }
3107 gc_free(&gc);
3108}
3109
3110#elif defined(TARGET_ANDROID)
3111
3112void
3113get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3114{
3115 /* Android, set some pseudo GW, addr is in host byte order,
3116 * Determining the default GW on Android 5.0+ is non trivial
3117 * and serves almost no purpose since OpenVPN only uses the
3118 * default GW address to add routes for networks that should
3119 * NOT be routed over the VPN. Using a well known address
3120 * (127.'d'.'g'.'w') for the default GW make detecting
3121 * these routes easier from the controlling app.
3122 */
3123 CLEAR(*rgi);
3124
3125 rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3126 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3127 strcpy(rgi->iface, "android-gw");
3128
3129 /* Skip scanning/fetching interface from loopback interface we do
3130 * normally on Linux.
3131 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3132 */
3133}
3134
3135void
3136get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3137 openvpn_net_ctx_t *ctx)
3138{
3139 /* Same for ipv6 */
3140
3141 CLEAR(*rgi6);
3142
3143 /* Use a fake link-local address */
3144 ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3145 rgi6->addrs->netbits_ipv6 = 64;
3146 rgi6->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3147 strcpy(rgi6->iface, "android-gw");
3148}
3149
3150#elif defined(TARGET_LINUX)
3151
3152void
3153get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3154{
3155 struct gc_arena gc = gc_new();
3156 int sd = -1;
3157 char best_name[IFNAMSIZ];
3158
3159 CLEAR(*rgi);
3160 CLEAR(best_name);
3161
3162 /* find best route to 'dest', get gateway IP addr + interface */
3163 if (net_route_v4_best_gw(ctx, &dest, &rgi->gateway.addr, best_name) == 0)
3164 {
3165 rgi->flags |= RGI_ADDR_DEFINED;
3166 if (!rgi->gateway.addr && best_name[0])
3167 {
3168 rgi->flags |= RGI_ON_LINK;
3169 }
3170 }
3171
3172 /* scan adapter list */
3173 if (rgi->flags & RGI_ADDR_DEFINED)
3174 {
3175 struct ifreq *ifr, *ifend;
3176 in_addr_t addr, netmask;
3177 struct ifreq ifreq;
3178 struct ifconf ifc;
3179 struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3180
3181 if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3182 {
3183 msg(M_WARN, "GDG: socket() failed");
3184 goto done;
3185 }
3186 ifc.ifc_len = sizeof(ifs);
3187 ifc.ifc_req = ifs;
3188 if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3189 {
3190 msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3191 goto done;
3192 }
3193
3194 /* scan through interface list */
3195 ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3196 for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3197 {
3198 if (ifr->ifr_addr.sa_family == AF_INET)
3199 {
3200 /* get interface addr */
3201 addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
3202
3203 /* get interface name */
3204 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3205
3206 /* check that the interface is up */
3207 if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3208 {
3209 continue;
3210 }
3211 if (!(ifreq.ifr_flags & IFF_UP))
3212 {
3213 continue;
3214 }
3215
3216 if (rgi->flags & RGI_ON_LINK)
3217 {
3218 /* check that interface name of current interface
3219 * matches interface name of best default route */
3220 if (strcmp(ifreq.ifr_name, best_name))
3221 {
3222 continue;
3223 }
3224#if 0
3225 /* if point-to-point link, use remote addr as route gateway */
3226 if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3227 {
3228 rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3229 if (rgi->gateway.addr)
3230 {
3231 rgi->flags &= ~RGI_ON_LINK;
3232 }
3233 }
3234#endif
3235 }
3236 else
3237 {
3238 /* get interface netmask */
3239 if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3240 {
3241 continue;
3242 }
3243 netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
3244
3245 /* check that interface matches default route */
3246 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3247 {
3248 continue;
3249 }
3250
3251 /* save netmask */
3252 rgi->gateway.netmask = netmask;
3253 rgi->flags |= RGI_NETMASK_DEFINED;
3254 }
3255
3256 /* save iface name */
3257 strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3258 rgi->flags |= RGI_IFACE_DEFINED;
3259
3260 /* now get the hardware address. */
3261 memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3262 if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3263 {
3264 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3265 goto done;
3266 }
3267 memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3268 rgi->flags |= RGI_HWADDR_DEFINED;
3269
3270 break;
3271 }
3272 }
3273 }
3274
3275done:
3276 if (sd >= 0)
3277 {
3278 close(sd);
3279 }
3280 gc_free(&gc);
3281}
3282
3283/* IPv6 implementation using netlink
3284 * https://www.linuxjournal.com/article/7356 - "Kernel Korner - Why and How to Use Netlink Socket"
3285 * netlink(3), netlink(7), rtnetlink(7)
3286 * https://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/
3287 */
3288struct rtreq
3289{
3290 struct nlmsghdr nh;
3291 struct rtmsg rtm;
3292 char attrbuf[512];
3293};
3294
3295void
3296get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3297 openvpn_net_ctx_t *ctx)
3298{
3299 int flags;
3300
3301 CLEAR(*rgi6);
3302
3303 if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
3304 {
3305 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3306 {
3307 rgi6->flags |= RGI_ADDR_DEFINED;
3308 }
3309
3310 if (strlen(rgi6->iface) > 0)
3311 {
3312 rgi6->flags |= RGI_IFACE_DEFINED;
3313 }
3314 }
3315
3316 /* if we have an interface but no gateway, the destination is on-link */
3317 flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3318 if (flags == RGI_IFACE_DEFINED)
3319 {
3320 rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3321 if (dest)
3322 {
3323 rgi6->gateway.addr_ipv6 = *dest;
3324 }
3325 }
3326}
3327
3328#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
3329 || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3330
3331#include <sys/types.h>
3332#include <sys/socket.h>
3333#include <netinet/in.h>
3334#include <net/route.h>
3335#include <net/if_dl.h>
3336#if !defined(TARGET_SOLARIS)
3337#include <ifaddrs.h>
3338#endif
3339
3340struct rtmsg
3341{
3342 struct rt_msghdr m_rtm;
3343 char m_space[512];
3344};
3345
3346/* the route socket code is identical for all 4 supported BSDs and for
3347 * MacOS X (Darwin), with one crucial difference: when going from
3348 * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3349 * source code compatibility by keeping the use of "long", while
3350 * MacOS X decided to keep binary compatibility by *changing* the API
3351 * to use "uint32_t", thus 32 bit on all OS X variants
3352 *
3353 * NetBSD does the MacOS way of "fixed number of bits, no matter if
3354 * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3355 * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3356 *
3357 * We used to have a large amount of duplicate code here which really
3358 * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3359 * having a combined block for all BSDs with this single #ifdef inside
3360 */
3361
3362#if defined(TARGET_DARWIN)
3363#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3364#elif defined(TARGET_NETBSD)
3365#define ROUNDUP(a) RT_ROUNDUP(a)
3366#else
3367#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3368#endif
3369
3370#if defined(TARGET_SOLARIS)
3371#define NEXTADDR(w, u) \
3372 if (rtm_addrs & (w)) \
3373 { \
3374 size_t l = sizeof(u); \
3375 memmove(cp, &(u), l); \
3376 cp += ROUNDUP(l); \
3377 }
3378
3379#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3380#else /* if defined(TARGET_SOLARIS) */
3381#define NEXTADDR(w, u) \
3382 if (rtm_addrs & (w)) \
3383 { \
3384 size_t l = ((struct sockaddr *)&(u))->sa_len; \
3385 memmove(cp, &(u), l); \
3386 cp += ROUNDUP(l); \
3387 }
3388
3389#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3390#endif
3391
3392#define max(a, b) ((a) > (b) ? (a) : (b))
3393
3394void
3395get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3396{
3397 struct gc_arena gc = gc_new();
3398 struct rtmsg m_rtmsg;
3399 int sockfd = -1;
3400 int rtm_addrs;
3401 struct sockaddr so_dst, so_mask;
3402 char *cp = m_rtmsg.m_space;
3403 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3404 struct rt_msghdr *rtm_aux;
3405
3406#define rtm m_rtmsg.m_rtm
3407
3408 CLEAR(*rgi);
3409
3410 /* setup data to send to routing socket */
3411 const int pid = getpid();
3412 int seq = 0;
3413#ifdef TARGET_OPENBSD
3414 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3415#else
3416 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3417#endif
3418
3419 bzero(&m_rtmsg, sizeof(m_rtmsg));
3420 bzero(&so_dst, sizeof(so_dst));
3421 bzero(&so_mask, sizeof(so_mask));
3422 bzero(&rtm, sizeof(struct rt_msghdr));
3423
3424 rtm.rtm_type = RTM_GET;
3425 rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3426 rtm.rtm_version = RTM_VERSION;
3427 rtm.rtm_seq = ++seq;
3428#ifdef TARGET_OPENBSD
3429 rtm.rtm_tableid = (u_short)getrtable();
3430#endif
3431 rtm.rtm_addrs = rtm_addrs;
3432
3433 so_dst.sa_family = AF_INET;
3434 so_mask.sa_family = AF_INET;
3435
3436#ifndef TARGET_SOLARIS
3437 so_dst.sa_len = sizeof(struct sockaddr_in);
3438 so_mask.sa_len = sizeof(struct sockaddr_in);
3439#endif
3440
3441 NEXTADDR(RTA_DST, so_dst);
3442 NEXTADDR(RTA_NETMASK, so_mask);
3443
3444 /* sizeof(struct rt_msghdr) + padding */
3445 rtm.rtm_msglen = (u_short)(cp - (char *)&m_rtmsg);
3446
3447 /* transact with routing socket */
3448 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3449 if (sockfd < 0)
3450 {
3451 msg(M_WARN, "GDG: socket #1 failed");
3452 goto done;
3453 }
3454 if (write(sockfd, (char *)&m_rtmsg, rtm.rtm_msglen) < 0)
3455 {
3456 msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
3457 goto done;
3458 }
3459 ssize_t ret;
3460 do
3461 {
3462 ret = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3463 } while (ret > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3464 close(sockfd);
3465 sockfd = -1;
3466
3467 /* extract return data from routing socket */
3468 rtm_aux = &rtm;
3469 cp = (char *)(rtm_aux + 1);
3470 if (rtm_aux->rtm_addrs)
3471 {
3472 for (unsigned int i = 1; i; i <<= 1)
3473 {
3474 if (i & rtm_aux->rtm_addrs)
3475 {
3476 sa = (struct sockaddr *)cp;
3477 if (i == RTA_GATEWAY)
3478 {
3479 gate = sa;
3480 }
3481 else if (i == RTA_IFP)
3482 {
3483 ifp = sa;
3484 }
3485 ADVANCE(cp, sa);
3486 }
3487 }
3488 }
3489 else
3490 {
3491 goto done;
3492 }
3493
3494 /* get gateway addr and interface name */
3495 if (gate != NULL)
3496 {
3497 /* get default gateway addr */
3498 rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3499 if (rgi->gateway.addr)
3500 {
3501 rgi->flags |= RGI_ADDR_DEFINED;
3502 }
3503
3504 if (ifp)
3505 {
3506 /* get interface name */
3507 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3508 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3509 {
3510 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3511 rgi->iface[adl->sdl_nlen] = '\0';
3512 rgi->flags |= RGI_IFACE_DEFINED;
3513 }
3514 }
3515 }
3516
3517 /* get netmask of interface that owns default gateway */
3518 if (rgi->flags & RGI_IFACE_DEFINED)
3519 {
3520 struct ifreq ifr;
3521
3522 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3523 if (sockfd < 0)
3524 {
3525 msg(M_WARN, "GDG: socket #2 failed");
3526 goto done;
3527 }
3528
3529 CLEAR(ifr);
3530 ifr.ifr_addr.sa_family = AF_INET;
3531 strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3532
3533 if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3534 {
3535 msg(M_WARN, "GDG: ioctl #1 failed");
3536 goto done;
3537 }
3538 close(sockfd);
3539 sockfd = -1;
3540
3541 rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3542 rgi->flags |= RGI_NETMASK_DEFINED;
3543 }
3544
3545 /* try to read MAC addr associated with interface that owns default gateway */
3546 if (rgi->flags & RGI_IFACE_DEFINED)
3547 {
3548#if defined(TARGET_SOLARIS)
3549 /* OpenSolaris has getifaddrs(3), but it does not return AF_LINK */
3550 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3551 if (sockfd < 0)
3552 {
3553 msg(M_WARN, "GDG: socket #3 failed");
3554 goto done;
3555 }
3556
3557 struct ifreq ifreq = { 0 };
3558
3559 /* now get the hardware address. */
3560 strncpynt(ifreq.ifr_name, rgi->iface, sizeof(ifreq.ifr_name));
3561 if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0)
3562 {
3563 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3564 }
3565 else
3566 {
3567 memcpy(rgi->hwaddr, &ifreq.ifr_addr.sa_data, 6);
3568 rgi->flags |= RGI_HWADDR_DEFINED;
3569 }
3570#else /* if defined(TARGET_SOLARIS) */
3571 struct ifaddrs *ifap, *ifa;
3572
3573 if (getifaddrs(&ifap) != 0)
3574 {
3575 msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
3576 goto done;
3577 }
3578
3579 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
3580 {
3581 if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
3582 && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
3583 {
3584 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
3585 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3586 rgi->flags |= RGI_HWADDR_DEFINED;
3587 }
3588 }
3589
3590 freeifaddrs(ifap);
3591#endif /* if defined(TARGET_SOLARIS) */
3592 }
3593
3594done:
3595 if (sockfd >= 0)
3596 {
3597 close(sockfd);
3598 }
3599 gc_free(&gc);
3600}
3601
3602/* BSD implementation using routing socket (as does IPv4)
3603 * (the code duplication is somewhat unavoidable if we want this to
3604 * work on OpenSolaris as well. *sigh*)
3605 */
3606
3607/* Solaris has no length field - this is ugly, but less #ifdef in total
3608 */
3609#if defined(TARGET_SOLARIS)
3610#undef ADVANCE
3611#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3612#endif
3613
3614void
3615get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3616 openvpn_net_ctx_t *ctx)
3617{
3618 struct rtmsg m_rtmsg;
3619 int sockfd = -1;
3620 int rtm_addrs;
3621 struct sockaddr_in6 so_dst, so_mask;
3622 char *cp = m_rtmsg.m_space;
3623 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3624 struct rt_msghdr *rtm_aux;
3625
3626 CLEAR(*rgi6);
3627
3628 /* setup data to send to routing socket */
3629 const int pid = getpid();
3630 int seq = 0;
3631#ifdef TARGET_OPENBSD
3632 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3633#else
3634 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3635#endif
3636
3637 bzero(&m_rtmsg, sizeof(m_rtmsg));
3638 bzero(&so_dst, sizeof(so_dst));
3639 bzero(&so_mask, sizeof(so_mask));
3640 bzero(&rtm, sizeof(struct rt_msghdr));
3641
3642 rtm.rtm_type = RTM_GET;
3643 rtm.rtm_flags = RTF_UP;
3644 rtm.rtm_version = RTM_VERSION;
3645 rtm.rtm_seq = ++seq;
3646#ifdef TARGET_OPENBSD
3647 rtm.rtm_tableid = (u_short)getrtable();
3648#endif
3649
3650 so_dst.sin6_family = AF_INET6;
3651 so_mask.sin6_family = AF_INET6;
3652
3653 if (dest != NULL /* specific host? */
3654 && !IN6_IS_ADDR_UNSPECIFIED(dest))
3655 {
3656 so_dst.sin6_addr = *dest;
3657 /* :: needs /0 "netmask", host route wants "no netmask */
3658 rtm_addrs &= ~RTA_NETMASK;
3659 }
3660
3661 rtm.rtm_addrs = rtm_addrs;
3662
3663#ifndef TARGET_SOLARIS
3664 so_dst.sin6_len = sizeof(struct sockaddr_in6);
3665 so_mask.sin6_len = sizeof(struct sockaddr_in6);
3666#endif
3667
3668 NEXTADDR(RTA_DST, so_dst);
3669 NEXTADDR(RTA_NETMASK, so_mask);
3670
3671 /* sizeof(struct rt_msghdr) + padding */
3672 rtm.rtm_msglen = (u_short)(cp - (char *)&m_rtmsg);
3673
3674 /* transact with routing socket */
3675 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3676 if (sockfd < 0)
3677 {
3678 msg(M_WARN, "GDG6: socket #1 failed");
3679 goto done;
3680 }
3681 if (write(sockfd, (char *)&m_rtmsg, rtm.rtm_msglen) < 0)
3682 {
3683 msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
3684 goto done;
3685 }
3686 ssize_t ret;
3687 do
3688 {
3689 ret = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3690 } while (ret > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3691
3692 close(sockfd);
3693 sockfd = -1;
3694
3695 /* extract return data from routing socket */
3696 rtm_aux = &rtm;
3697 cp = (char *)(rtm_aux + 1);
3698 if (rtm_aux->rtm_addrs)
3699 {
3700 for (unsigned int i = 1; i; i <<= 1)
3701 {
3702 if (i & rtm_aux->rtm_addrs)
3703 {
3704 sa = (struct sockaddr *)cp;
3705 if (i == RTA_GATEWAY)
3706 {
3707 gate = sa;
3708 }
3709 else if (i == RTA_IFP)
3710 {
3711 ifp = sa;
3712 }
3713 ADVANCE(cp, sa);
3714 }
3715 }
3716 }
3717 else
3718 {
3719 goto done;
3720 }
3721
3722 /* get gateway addr and interface name */
3723 if (gate != NULL)
3724 {
3725 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3726 struct in6_addr gw = s6->sin6_addr;
3727
3728#ifndef TARGET_SOLARIS
3729 /* You do not really want to know... from FreeBSD's route.c
3730 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3731 * but for a correct link-local address these must be :0000: )
3732 */
3733 if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
3734 {
3735 gw.s6_addr[2] = gw.s6_addr[3] = 0;
3736 }
3737
3738 if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
3739 {
3740 rgi6->flags |= RGI_ON_LINK;
3741 }
3742 else
3743#endif
3744 {
3745 rgi6->gateway.addr_ipv6 = gw;
3746 }
3747 rgi6->flags |= RGI_ADDR_DEFINED;
3748
3749 if (ifp)
3750 {
3751 /* get interface name */
3752 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3753 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3754 {
3755 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3756 rgi6->flags |= RGI_IFACE_DEFINED;
3757 }
3758 }
3759 }
3760
3761done:
3762 if (sockfd >= 0)
3763 {
3764 close(sockfd);
3765 }
3766}
3767
3768#undef max
3769
3770#elif defined(TARGET_HAIKU)
3771
3772void
3773get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3774{
3775 CLEAR(*rgi);
3776
3777 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3778 if (sockfd < 0)
3779 {
3780 msg(M_ERRNO, "%s: Error opening socket for AF_INET", __func__);
3781 return;
3782 }
3783
3784 struct ifconf config;
3785 config.ifc_len = sizeof(config.ifc_value);
3786 if (ioctl(sockfd, SIOCGRTSIZE, &config, sizeof(struct ifconf)) < 0)
3787 {
3788 msg(M_ERRNO, "%s: Error getting routing table size", __func__);
3789 return;
3790 }
3791
3792 uint32 size = (uint32)config.ifc_value;
3793 if (size == 0)
3794 {
3795 return;
3796 }
3797
3798 void *buffer = malloc(size);
3799 check_malloc_return(buffer);
3800
3801 config.ifc_len = size;
3802 config.ifc_buf = buffer;
3803 if (ioctl(sockfd, SIOCGRTTABLE, &config, sizeof(struct ifconf)) < 0)
3804 {
3805 free(buffer);
3806 return;
3807 }
3808
3809 struct ifreq *interface = (struct ifreq *)buffer;
3810 struct ifreq *end = (struct ifreq *)((uint8 *)buffer + size);
3811
3812 while (interface < end)
3813 {
3814 struct route_entry route = interface->ifr_route;
3815 if ((route.flags & RTF_GATEWAY) != 0 && (route.flags & RTF_DEFAULT) != 0)
3816 {
3817 rgi->gateway.addr = ntohl(((struct sockaddr_in *)route.gateway)->sin_addr.s_addr);
3818 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3819 strncpy(rgi->iface, interface->ifr_name, sizeof(rgi->iface));
3820 }
3821
3822 int32 address_size = 0;
3823 if (route.destination != NULL)
3824 {
3825 address_size += route.destination->sa_len;
3826 }
3827 if (route.mask != NULL)
3828 {
3829 address_size += route.mask->sa_len;
3830 }
3831 if (route.gateway != NULL)
3832 {
3833 address_size += route.gateway->sa_len;
3834 }
3835
3836 interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
3837 + address_size);
3838 }
3839 free(buffer);
3840}
3841
3842void
3843get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3844 openvpn_net_ctx_t *ctx)
3845{
3846 /* TODO: Same for ipv6 with AF_INET6 */
3847 CLEAR(*rgi6);
3848}
3849
3850#else /* if defined(_WIN32) */
3851
3852/*
3853 * This is a platform-specific method that returns data about
3854 * the current default gateway. Return data is placed into
3855 * a struct route_gateway_info object provided by caller. The
3856 * implementation should CLEAR the structure before adding
3857 * data to it.
3858 *
3859 * Data returned includes:
3860 * 1. default gateway address (rgi->gateway.addr)
3861 * 2. netmask of interface that owns default gateway
3862 * (rgi->gateway.netmask)
3863 * 3. hardware address (i.e. MAC address) of interface that owns
3864 * default gateway (rgi->hwaddr)
3865 * 4. interface name (or adapter index on Windows) that owns default
3866 * gateway (rgi->iface or rgi->adapter_index)
3867 * 5. an array of additional address/netmask pairs defined by
3868 * interface that owns default gateway (rgi->addrs with length
3869 * given in rgi->n_addrs)
3870 *
3871 * The flags RGI_x_DEFINED may be used to indicate which of the data
3872 * members were successfully returned (set in rgi->flags). All of
3873 * the data members are optional, however certain OpenVPN functionality
3874 * may be disabled by missing items.
3875 */
3876void
3877get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3878{
3879 CLEAR(*rgi);
3880}
3881void
3882get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3883 openvpn_net_ctx_t *ctx)
3884{
3885 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3886 CLEAR(*rgi6);
3887}
3888
3889#endif /* if defined(_WIN32) */
3890
3891bool
3892netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3893{
3894 int i;
3895 const int addrlen = sizeof(in_addr_t) * 8;
3896
3897 if ((network & netmask) == network)
3898 {
3899 for (i = 0; i <= addrlen; ++i)
3900 {
3901 in_addr_t mask = netbits_to_netmask(i);
3902 if (mask == netmask)
3903 {
3904 if (i == addrlen)
3905 {
3906 *netbits = -1;
3907 }
3908 else
3909 {
3910 *netbits = i;
3911 }
3912 return true;
3913 }
3914 }
3915 }
3916 return false;
3917}
3918
3919/* similar to netmask_to_netbits(), but don't mess with base address
3920 * etc., just convert to netbits - non-mappable masks are returned as "-1"
3921 */
3922int
3923netmask_to_netbits2(in_addr_t netmask)
3924{
3925 int i;
3926 const int addrlen = sizeof(in_addr_t) * 8;
3927
3928 for (i = 0; i <= addrlen; ++i)
3929 {
3930 in_addr_t mask = netbits_to_netmask(i);
3931 if (mask == netmask)
3932 {
3933 return i;
3934 }
3935 }
3936 return -1;
3937}
3938
3939
3940/*
3941 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3942 * functions to build a route bypass to selected DHCP/DNS servers,
3943 * so that outgoing packets to these servers don't end up in the tunnel.
3944 */
3945
3946#if defined(_WIN32)
3947
3948static void
3949add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
3950{
3951 if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3952 {
3953 add_bypass_address(rb, addr);
3954 }
3955}
3956
3957static void
3958add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3959{
3960 while (iplist)
3961 {
3962 bool succeed = false;
3963 const in_addr_t ip =
3964 getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3965 if (succeed)
3966 {
3967 add_host_route_if_nonlocal(rb, ip);
3968 }
3969 iplist = iplist->Next;
3970 }
3971}
3972
3973static void
3974get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3975{
3976 struct gc_arena gc = gc_new();
3977 /*bool ret_bool = false;*/
3978
3979 /* get full routing table */
3980 const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3981
3982 /* get the route which represents the default gateway */
3983 const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3984
3985 if (row)
3986 {
3987 /* get the adapter which the default gateway is associated with */
3988 const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3989
3990 /* get extra adapter info, such as DNS addresses */
3991 const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3992
3993 /* Bypass DHCP server address */
3994 if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3995 {
3996 add_host_route_array(rb, &dgi->DhcpServer);
3997 }
3998
3999 /* Bypass DNS server addresses */
4000 if ((flags & RG_BYPASS_DNS) && pai)
4001 {
4002 add_host_route_array(rb, &pai->DnsServerList);
4003 }
4004 }
4005
4006 gc_free(&gc);
4007}
4008
4009#else /* if defined(_WIN32) */
4010
4011static void
4012get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
4013{
4014}
4015
4016#endif /* if defined(_WIN32) */
4017
4018/*
4019 * Test if addr is reachable via a local interface (return ILA_LOCAL),
4020 * or if it needs to be routed via the default gateway (return
4021 * ILA_NONLOCAL). If the target platform doesn't implement this
4022 * function, return ILA_NOT_IMPLEMENTED.
4023 *
4024 * Used by redirect-gateway autolocal feature
4025 */
4026
4027#if defined(_WIN32)
4028
4029int
4030test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4031{
4032 struct gc_arena gc = gc_new();
4033 const in_addr_t nonlocal_netmask =
4034 0x80000000L; /* routes with netmask <= to this are considered non-local */
4035 int ret = TLA_NONLOCAL;
4036
4037 /* get full routing table */
4038 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4039 if (rt)
4040 {
4041 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4042 {
4043 const MIB_IPFORWARDROW *row = &rt->table[i];
4044 const in_addr_t net = ntohl(row->dwForwardDest);
4045 const in_addr_t mask = ntohl(row->dwForwardMask);
4046 if (mask > nonlocal_netmask && (addr & mask) == net)
4047 {
4048 ret = TLA_LOCAL;
4049 break;
4050 }
4051 }
4052 }
4053
4054 gc_free(&gc);
4055 return ret;
4056}
4057
4058#else /* if defined(_WIN32) */
4059
4060int
4061test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4062{
4063 if (rgi)
4064 {
4065 if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4066 {
4067 return TLA_LOCAL;
4068 }
4069 else
4070 {
4071 return TLA_NONLOCAL;
4072 }
4073 }
4074 return TLA_NOT_IMPLEMENTED;
4075}
4076
4077#endif /* if defined(_WIN32) */
argv_msg
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:341
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:488
gc_addspecial
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition buffer.c:443
BSTR
#define BSTR(buf)
Definition buffer.h:129
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1125
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1120
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1131
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
gc_freeaddrinfo_callback
static void gc_freeaddrinfo_callback(void *addr)
Definition buffer.h:216
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
PACKAGE_NAME
#define PACKAGE_NAME
Definition config.h:492
ROUTE_PATH
#define ROUTE_PATH
Definition config.h:513
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition errlevel.h:132
M_INFO
#define M_INFO
Definition errlevel.h:54
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
status
static SERVICE_STATUS status
Definition interactive.c:51
route
@ route
Definition interactive.c:85
write
@ write
Definition interactive.c:213
read
@ read
Definition interactive.c:212
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2795
OPENVPN_STATE_ADD_ROUTES
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:451
net_ctx_reset
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition networking.h:56
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
msg_add_route
@ msg_add_route
Definition openvpn-msg.h:34
msg_del_route
@ msg_del_route
Definition openvpn-msg.h:35
IPV4_NETMASK_HOST
#define IPV4_NETMASK_HOST
Definition basic.h:34
CLEAR
#define CLEAR(x)
Definition basic.h:32
strerror_win32
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition error.c:786
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1249
undo_redirect_default_route_to_vpn
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1065
print_route_option
static void print_route_option(const struct route_option *ro, msglvl_t msglevel)
Definition route.c:1242
add_host_route_if_nonlocal
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition route.c:3949
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1112
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:301
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1415
clear_route_list
static void clear_route_list(struct route_list *rl)
Definition route.c:523
test_route_helper
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition route.c:2431
del_bypass_routes
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:941
del_route_ipapi
static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2823
redirect_default_route_to_vpn
static bool redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:957
add_route3
static bool add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:895
add_host_route_array
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition route.c:3958
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3923
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
init_route
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition route.c:314
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1207
route_string
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition route.c:189
get_special_addr
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition route.c:233
RTA_EEXIST
#define RTA_EEXIST
Definition route.c:103
LR_NOMATCH
#define LR_NOMATCH
Definition route.c:1444
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2456
add_block_local_routes
static void add_block_local_routes(struct route_list *rl)
Definition route.c:579
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:603
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2681
get_windows_routing_table
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition route.c:2397
get_best_route
static DWORD get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
Determines the best route to a destination for both IPv4 and IPv6.
Definition route.c:2547
do_route_service
static int do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
Definition route.c:2860
format_route_entry
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition route.c:3075
add_route_service
static int add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3050
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:761
delete_route
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2044
del_route_ipv6_service
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3069
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:537
ipv6_net_contains_host
bool ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
check whether an IPv6 host address is covered by a given network/bits
Definition route.c:727
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:509
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:181
add_route
bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1499
test_route
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition route.c:2419
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1263
add_route_ipv6
bool add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1808
RTA_ERROR
#define RTA_ERROR
Definition route.c:101
del_route_service
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3056
print_route
static void print_route(const struct route_ipv4 *r, msglvl_t msglevel)
Definition route.c:1337
local_route
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition route.c:1454
add_route_ipv6_service
static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3063
is_on_link
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition route.c:1490
get_default_gateway_row
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition route.c:2499
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2583
route_ipv6_ipapi
static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *)
Definition route.c:2926
add_block_local_item
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition route.c:546
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
show_opt
static const char * show_opt(const char *option)
Definition route.c:1229
print_routes
void print_routes(const struct route_list *rl, msglvl_t msglevel)
Definition route.c:1348
init_route_ipv6
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition route.c:437
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
test_local_addr
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition route.c:4030
METRIC_NOT_USED
#define METRIC_NOT_USED
Definition route.c:59
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:615
add_route_ipapi
static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition route.c:2727
RTA_SUCCESS
#define RTA_SUCCESS
Definition route.c:102
delete_route_ipv6
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2216
LR_MATCH
#define LR_MATCH
Definition route.c:1445
do_route_ipv6_service
static int do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition route.c:3003
route_ipv6_clear_host_bits
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition route.c:1783
clear_route_ipv6_list
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition route.c:530
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1177
LR_ERROR
#define LR_ERROR
Definition route.c:1446
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3093
netmask_to_netbits
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition route.c:3892
setenv_route_addr
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition route.c:216
windows_route_find_if_index
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2635
do_route_ipv4_service
static int do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2897
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1378
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1185
add_bypass_routes
static bool add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:923
get_bypass_addresses
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition route.c:3974
is_route_parm_defined
static bool is_route_parm_defined(const char *parm)
Definition route.c:202
setenv_route_ipv6
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition route.c:1389
add_bypass_address
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition route.c:107
setenv_route
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition route.c:1358
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:494
del_route3
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:909
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
TLA_LOCAL
#define TLA_LOCAL
Definition route.h:372
RGI_ON_LINK
#define RGI_ON_LINK
Definition route.h:164
RL_DID_LOCAL
#define RL_DID_LOCAL
Definition route.h:231
RL_DID_REDIRECT_DEFAULT_GATEWAY
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition route.h:230
ROUTE_REF_GW
#define ROUTE_REF_GW
Definition route.h:50
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
RTSA_REMOTE_ENDPOINT
#define RTSA_REMOTE_ENDPOINT
Definition route.h:62
RGI_ADDR_DEFINED
#define RGI_ADDR_DEFINED
Definition route.h:159
RL_ROUTES_ADDED
#define RL_ROUTES_ADDED
Definition route.h:232
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:401
RTSA_REMOTE_HOST
#define RTSA_REMOTE_HOST
Definition route.h:63
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
RGI_IFACE_DEFINED
#define RGI_IFACE_DEFINED
Definition route.h:162
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
RT_ADDED
#define RT_ADDED
Definition route.h:121
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RT_METRIC_DEFINED
#define RT_METRIC_DEFINED
Definition route.h:122
ROUTE_DELETE_FIRST
#define ROUTE_DELETE_FIRST
Definition route.h:49
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
TLA_NOT_IMPLEMENTED
#define TLA_NOT_IMPLEMENTED
Definition route.h:370
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
TLA_NONLOCAL
#define TLA_NONLOCAL
Definition route.h:371
N_ROUTE_BYPASS
#define N_ROUTE_BYPASS
Definition route.h:54
RT_DEFINED
#define RT_DEFINED
Definition route.h:120
ROUTE_METHOD_MASK
#define ROUTE_METHOD_MASK
Definition route.h:43
RTSA_DEFAULT_METRIC
#define RTSA_DEFAULT_METRIC
Definition route.h:64
RGI_NETMASK_DEFINED
#define RGI_NETMASK_DEFINED
Definition route.h:160
openvpn_execve_check
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition run_command.c:233
run_command.h
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:222
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:195
IPV4_INVALID_ADDR
#define IPV4_INVALID_ADDR
Definition socket.h:375
openvpn_getaddrinfo
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition socket_util.c:537
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IF_NAMESIZE
#define IF_NAMESIZE
Definition socket_util.c:123
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
GETADDR_WARN_ON_SIGNAL
#define GETADDR_WARN_ON_SIGNAL
Definition socket_util.h:122
ack_message_t
Definition openvpn-msg.h:157
ack_message_t::error_number
int error_number
Definition openvpn-msg.h:159
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
env_set
Definition env_set.h:43
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
interface_t::index
int index
Definition openvpn-msg.h:69
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
route_bypass
Definition route.h:53
route_bypass::n_bypass
int n_bypass
Definition route.h:55
route_bypass::bypass
in_addr_t bypass[N_ROUTE_BYPASS]
Definition route.h:56
route_gateway_address
Definition route.h:152
route_gateway_address::netmask
in_addr_t netmask
Definition route.h:154
route_gateway_address::addr
in_addr_t addr
Definition route.h:153
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
route_gateway_info::addrs
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:185
route_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:169
route_gateway_info::gateway
struct route_gateway_address gateway
Definition route.h:180
route_gateway_info::n_addrs
int n_addrs
Definition route.h:184
route_ipv4
Definition route.h:119
route_ipv4::option
const struct route_option * option
Definition route.h:125
route_ipv4::metric
int metric
Definition route.h:130
route_ipv4::next
struct route_ipv4 * next
Definition route.h:123
route_ipv4::table_id
int table_id
Definition route.h:129
route_ipv4::network
in_addr_t network
Definition route.h:126
route_ipv4::netmask
in_addr_t netmask
Definition route.h:127
route_ipv4::gateway
in_addr_t gateway
Definition route.h:128
route_ipv4::flags
unsigned int flags
Definition route.h:124
route_ipv6_gateway_address::addr_ipv6
struct in6_addr addr_ipv6
Definition route.h:190
route_ipv6_gateway_address::netbits_ipv6
int netbits_ipv6
Definition route.h:191
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_gateway_info::gateway
struct route_ipv6_gateway_address gateway
Definition route.h:219
route_ipv6_gateway_info::addrs
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:224
route_ipv6_gateway_info::flags
unsigned int flags
Definition route.h:197
route_ipv6_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:216
route_ipv6_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:201
route_ipv6_list
Definition route.h:244
route_ipv6_list::iflags
unsigned int iflags
Definition route.h:245
route_ipv6_list::flags
unsigned int flags
Definition route.h:254
route_ipv6_list::rgi6
struct route_ipv6_gateway_info rgi6
Definition route.h:252
route_ipv6_list::routes_ipv6
struct route_ipv6 * routes_ipv6
Definition route.h:255
route_ipv6_list::spec_flags
unsigned int spec_flags
Definition route.h:247
route_ipv6_list::ngi6
struct route_ipv6_gateway_info ngi6
Definition route.h:253
route_ipv6_list::default_metric
int default_metric
Definition route.h:250
route_ipv6_list::remote_host_ipv6
struct in6_addr remote_host_ipv6
Definition route.h:249
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:256
route_ipv6_list::remote_endpoint_ipv6
struct in6_addr remote_endpoint_ipv6
Definition route.h:248
route_ipv6_option_list
Definition route.h:112
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_ipv6_option_list::routes_ipv6
struct route_ipv6_option * routes_ipv6
Definition route.h:114
route_ipv6_option
Definition route.h:103
route_ipv6_option::next
struct route_ipv6_option * next
Definition route.h:104
route_ipv6_option::gateway
const char * gateway
Definition route.h:106
route_ipv6_option::table_id
int table_id
Definition route.h:108
route_ipv6_option::metric
const char * metric
Definition route.h:107
route_ipv6_option::prefix
const char * prefix
Definition route.h:105
route_ipv6
Definition route.h:134
route_ipv6::gateway
struct in6_addr gateway
Definition route.h:139
route_ipv6::adapter_index
DWORD adapter_index
Definition route.h:144
route_ipv6::netbits
unsigned int netbits
Definition route.h:138
route_ipv6::next
struct route_ipv6 * next
Definition route.h:135
route_ipv6::flags
unsigned int flags
Definition route.h:136
route_ipv6::network
struct in6_addr network
Definition route.h:137
route_ipv6::metric
int metric
Definition route.h:140
route_list
Definition route.h:229
route_list::rgi
struct route_gateway_info rgi
Definition route.h:236
route_list::routes
struct route_ipv4 * routes
Definition route.h:239
route_list::spec
struct route_special_addr spec
Definition route.h:235
route_list::flags
unsigned int flags
Definition route.h:238
route_list::gc
struct gc_arena gc
Definition route.h:240
route_list::ngi
struct route_gateway_info ngi
Definition route.h:237
route_list::iflags
unsigned int iflags
Definition route.h:233
route_message_t
Definition openvpn-msg.h:89
route_message_t::header
message_header_t header
Definition openvpn-msg.h:90
route_message_t::iface
interface_t iface
Definition openvpn-msg.h:95
route_option_list
Definition route.h:96
route_option_list::gc
struct gc_arena * gc
Definition route.h:99
route_option_list::flags
unsigned int flags
Definition route.h:97
route_option_list::routes
struct route_option * routes
Definition route.h:98
route_option
Definition route.h:76
route_option::table_id
int table_id
Definition route.h:81
route_option::network
const char * network
Definition route.h:78
route_option::netmask
const char * netmask
Definition route.h:79
route_option::next
struct route_option * next
Definition route.h:77
route_option::gateway
const char * gateway
Definition route.h:80
route_option::metric
const char * metric
Definition route.h:82
route_special_addr::remote_host
in_addr_t remote_host
Definition route.h:68
route_special_addr::bypass
struct route_bypass bypass
Definition route.h:70
route_special_addr::flags
unsigned int flags
Definition route.h:65
route_special_addr::default_metric
int default_metric
Definition route.h:72
route_special_addr::remote_endpoint
in_addr_t remote_endpoint
Definition route.h:67
route_special_addr::remote_host_local
int remote_host_local
Definition route.h:69
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::type
int type
Definition tun.h:185
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::did_ifconfig_ipv6_setup
bool did_ifconfig_ipv6_setup
if the internal variables related to ifconfig-ipv6 of this struct have been set up.
Definition tun.h:201
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::did_ifconfig_setup
bool did_ifconfig_setup
if the internal variables related to ifconfig of this struct have been set up.
Definition tun.h:197
tuntap::actual_name
char * actual_name
Definition tun.h:207
in_addr_t
uint32_t in_addr_t
Definition syshead.h:52
iface
static char * iface
Definition test_networking.c:8
es
struct env_set * es
Definition test_pkcs11.c:138
r6
char * r6[]
Definition test_push_update_msg.c:418
r1
char * r1[]
Definition test_push_update_msg.c:396
gc
struct gc_arena gc
Definition test_ssl.c:131
get_tun_adapter
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4318
is_adapter_up
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4331
get_adapter_info
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition tun.c:4233
get_per_adapter_info
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition tun.c:4131
is_ip_in_adapter_subnet
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition tun.c:4375
get_adapter_info_list
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition tun.c:4106
get_adapter
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition tun.c:4214
adapter_index_of_ip
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition tun.c:4409
TUN_ADAPTER_INDEX_INVALID
#define TUN_ADAPTER_INDEX_INVALID
Definition tun.h:64
wide_string
WCHAR * wide_string(const char *utf8, struct gc_arena *gc)
Definition win32-util.c:40
netcmd_semaphore_release
void netcmd_semaphore_release(void)
Definition win32.c:867
get_win_sys_path
char * get_win_sys_path(void)
Definition win32.c:1108
netcmd_semaphore_lock
void netcmd_semaphore_lock(void)
Definition win32.c:851
send_msg_iservice
bool send_msg_iservice(HANDLE pipe, const void *data, DWORD size, ack_message_t *ack, const char *context)
Send the size bytes in buffer data to the interactive service pipe and read the result in ack.
Definition win32.c:1422
WIN_ROUTE_PATH_SUFFIX
#define WIN_ROUTE_PATH_SUFFIX
Definition win32.h:40
Generated by doxygen 1.9.8