OpenVPN
route.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /*
25  * Support routines for adding/deleting network routes.
26  */
27 
28 #ifdef HAVE_CONFIG_H
29 #include "config.h"
30 #elif defined(_MSC_VER)
31 #include "config-msvc.h"
32 #endif
33 
34 #include "syshead.h"
35 
36 #include "common.h"
37 #include "error.h"
38 #include "route.h"
39 #include "run_command.h"
40 #include "socket.h"
41 #include "manage.h"
42 #include "win32.h"
43 #include "options.h"
44 #include "networking.h"
45 
46 #include "memdbg.h"
47 
48 #if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49 #include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50 #endif
51 
52 #if defined(TARGET_NETBSD)
53 #include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54 #endif
55 
56 #ifdef _WIN32
57 #include "openvpn-msg.h"
58 
59 #define METRIC_NOT_USED ((DWORD)-1)
60 static bool add_route_service(const struct route_ipv4 *, const struct tuntap *);
61 
62 static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63 
64 static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65 
66 static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67 
68 #endif
69 
70 static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx);
71 
72 static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
73 
74 #ifdef ENABLE_DEBUG
75 
76 static void
77 print_bypass_addresses(const struct route_bypass *rb)
78 {
79  struct gc_arena gc = gc_new();
80  int i;
81  for (i = 0; i < rb->n_bypass; ++i)
82  {
83  msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
84  i,
85  print_in_addr_t(rb->bypass[i], 0, &gc));
86  }
87  gc_free(&gc);
88 }
89 
90 #endif
91 
92 static bool
94 {
95  int i;
96  for (i = 0; i < rb->n_bypass; ++i)
97  {
98  if (a == rb->bypass[i]) /* avoid duplicates */
99  {
100  return true;
101  }
102  }
103  if (rb->n_bypass < N_ROUTE_BYPASS)
104  {
105  rb->bypass[rb->n_bypass++] = a;
106  return true;
107  }
108  else
109  {
110  return false;
111  }
112 }
113 
114 struct route_option_list *
116 {
117  struct route_option_list *ret;
118  ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
119  ret->gc = a;
120  return ret;
121 }
122 
123 struct route_ipv6_option_list *
125 {
126  struct route_ipv6_option_list *ret;
128  ret->gc = a;
129  return ret;
130 }
131 
132 /*
133  * NOTE: structs are cloned/copied shallow by design.
134  * The routes list from src will stay intact since it is allocated using
135  * the options->gc. The cloned/copied lists will share this common tail
136  * to avoid copying the data around between pulls. Pulled routes use
137  * the c2->gc so they get freed immediately after a reconnect.
138  */
139 struct route_option_list *
141 {
142  struct route_option_list *ret;
143  ALLOC_OBJ_GC(ret, struct route_option_list, a);
144  *ret = *src;
145  return ret;
146 }
147 
148 struct route_ipv6_option_list *
150 {
151  struct route_ipv6_option_list *ret;
152  ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
153  *ret = *src;
154  return ret;
155 }
156 
157 void
158 copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
159 {
160  *dest = *src;
161  dest->gc = a;
162 }
163 
164 void
166  const struct route_ipv6_option_list *src,
167  struct gc_arena *a)
168 {
169  *dest = *src;
170  dest->gc = a;
171 }
172 
173 static const char *
174 route_string(const struct route_ipv4 *r, struct gc_arena *gc)
175 {
176  struct buffer out = alloc_buf_gc(256, gc);
177  buf_printf(&out, "ROUTE network %s netmask %s gateway %s",
178  print_in_addr_t(r->network, 0, gc),
179  print_in_addr_t(r->netmask, 0, gc),
180  print_in_addr_t(r->gateway, 0, gc)
181  );
182  if (r->flags & RT_METRIC_DEFINED)
183  {
184  buf_printf(&out, " metric %d", r->metric);
185  }
186  return BSTR(&out);
187 }
188 
189 static bool
190 is_route_parm_defined(const char *parm)
191 {
192  if (!parm)
193  {
194  return false;
195  }
196  if (!strcmp(parm, "default"))
197  {
198  return false;
199  }
200  return true;
201 }
202 
203 static void
204 setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
205 {
206  struct gc_arena gc = gc_new();
207  struct buffer name = alloc_buf_gc(256, &gc);
208  if (i >= 0)
209  {
210  buf_printf(&name, "route_%s_%d", key, i);
211  }
212  else
213  {
214  buf_printf(&name, "route_%s", key);
215  }
216  setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
217  gc_free(&gc);
218 }
219 
220 static bool
221 get_special_addr(const struct route_list *rl,
222  const char *string,
223  in_addr_t *out,
224  bool *status)
225 {
226  if (status)
227  {
228  *status = true;
229  }
230  if (!strcmp(string, "vpn_gateway"))
231  {
232  if (rl)
233  {
234  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
235  {
236  *out = rl->spec.remote_endpoint;
237  }
238  else
239  {
240  msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
241  if (status)
242  {
243  *status = false;
244  }
245  }
246  }
247  return true;
248  }
249  else if (!strcmp(string, "net_gateway"))
250  {
251  if (rl)
252  {
253  if (rl->rgi.flags & RGI_ADDR_DEFINED)
254  {
255  *out = rl->rgi.gateway.addr;
256  }
257  else
258  {
259  msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
260  if (status)
261  {
262  *status = false;
263  }
264  }
265  }
266  return true;
267  }
268  else if (!strcmp(string, "remote_host"))
269  {
270  if (rl)
271  {
272  if (rl->spec.flags & RTSA_REMOTE_HOST)
273  {
274  *out = rl->spec.remote_host;
275  }
276  else
277  {
278  msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
279  if (status)
280  {
281  *status = false;
282  }
283  }
284  }
285  return true;
286  }
287  return false;
288 }
289 
290 bool
291 is_special_addr(const char *addr_str)
292 {
293  if (addr_str)
294  {
295  return get_special_addr(NULL, addr_str, NULL, NULL);
296  }
297  else
298  {
299  return false;
300  }
301 }
302 
303 static bool
305  struct addrinfo **network_list,
306  const struct route_option *ro,
307  const struct route_list *rl)
308 {
309  const in_addr_t default_netmask = IPV4_NETMASK_HOST;
310  bool status;
311  int ret;
312  struct in_addr special;
313 
314  CLEAR(*r);
315  r->option = ro;
316 
317  /* network */
318 
319  if (!is_route_parm_defined(ro->network))
320  {
321  goto fail;
322  }
323 
324 
325  /* get_special_addr replaces specialaddr with a special ip addr
326  * like gw. getaddrinfo is called to convert a a addrinfo struct */
327 
328  if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
329  {
330  if (!status)
331  {
332  goto fail;
333  }
334  special.s_addr = htonl(special.s_addr);
335  ret = openvpn_getaddrinfo(0, inet_ntoa(special), NULL, 0, NULL,
336  AF_INET, network_list);
337  }
338  else
339  {
341  ro->network, NULL, 0, NULL, AF_INET, network_list);
342  }
343 
344  status = (ret == 0);
345 
346  if (!status)
347  {
348  goto fail;
349  }
350 
351  /* netmask */
352 
354  {
355  r->netmask = getaddr(
358  ro->netmask,
359  0,
360  &status,
361  NULL);
362  if (!status)
363  {
364  goto fail;
365  }
366  }
367  else
368  {
369  r->netmask = default_netmask;
370  }
371 
372  /* gateway */
373 
375  {
376  if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
377  {
378  r->gateway = getaddr(
382  ro->gateway,
383  0,
384  &status,
385  NULL);
386  }
387  if (!status)
388  {
389  goto fail;
390  }
391  }
392  else
393  {
394  if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
395  {
396  r->gateway = rl->spec.remote_endpoint;
397  }
398  else
399  {
400  msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
401  goto fail;
402  }
403  }
404 
405  /* metric */
406 
407  r->metric = 0;
408  if (is_route_parm_defined(ro->metric))
409  {
410  r->metric = atoi(ro->metric);
411  if (r->metric < 0)
412  {
413  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
414  ro->network,
415  ro->metric);
416  goto fail;
417  }
418  r->flags |= RT_METRIC_DEFINED;
419  }
420  else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
421  {
422  r->metric = rl->spec.default_metric;
423  r->flags |= RT_METRIC_DEFINED;
424  }
425 
426  r->flags |= RT_DEFINED;
427 
428  return true;
429 
430 fail:
431  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
432  ro->network);
433  return false;
434 }
435 
436 static bool
438  const struct route_ipv6_option *r6o,
439  const struct route_ipv6_list *rl6 )
440 {
441  CLEAR(*r6);
442 
443  if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN ))
444  {
445  goto fail;
446  }
447 
448  /* gateway */
449  if (is_route_parm_defined(r6o->gateway))
450  {
451  if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1)
452  {
453  msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway );
454  }
455  }
456  else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
457  {
458  r6->gateway = rl6->remote_endpoint_ipv6;
459  }
460 
461  /* metric */
462 
463  r6->metric = -1;
464  if (is_route_parm_defined(r6o->metric))
465  {
466  r6->metric = atoi(r6o->metric);
467  if (r6->metric < 0)
468  {
469  msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
470  r6o->prefix,
471  r6o->metric);
472  goto fail;
473  }
474  r6->flags |= RT_METRIC_DEFINED;
475  }
476  else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
477  {
478  r6->metric = rl6->default_metric;
479  r6->flags |= RT_METRIC_DEFINED;
480  }
481 
482  r6->flags |= RT_DEFINED;
483 
484  return true;
485 
486 fail:
487  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
488  r6o->prefix);
489  return false;
490 }
491 
492 void
494  const char *network,
495  const char *netmask,
496  const char *gateway,
497  const char *metric)
498 {
499  struct route_option *ro;
500  ALLOC_OBJ_GC(ro, struct route_option, l->gc);
501  ro->network = network;
502  ro->netmask = netmask;
503  ro->gateway = gateway;
504  ro->metric = metric;
505  ro->next = l->routes;
506  l->routes = ro;
507 
508 }
509 
510 void
512  const char *prefix,
513  const char *gateway,
514  const char *metric)
515 {
516  struct route_ipv6_option *ro;
517  ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
518  ro->prefix = prefix;
519  ro->gateway = gateway;
520  ro->metric = metric;
521  ro->next = l->routes_ipv6;
522  l->routes_ipv6 = ro;
523 }
524 
525 static void
527 {
528  gc_free(&rl->gc);
529  CLEAR(*rl);
530 }
531 
532 static void
534 {
535  gc_free(&rl6->gc);
536  CLEAR(*rl6);
537 }
538 
539 void
541  struct env_set *es,
542  const in_addr_t addr)
543 {
544  ASSERT(rl);
545  rl->spec.remote_endpoint = addr;
547  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
548 }
549 
550 static void
552  const struct route_gateway_address *gateway,
553  in_addr_t target)
554 {
555  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
556  if ((rl->rgi.flags & rgi_needed) == rgi_needed
557  && rl->rgi.gateway.netmask < 0xFFFFFFFF)
558  {
559  struct route_ipv4 *r1, *r2;
560  unsigned int l2;
561 
562  ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
563  ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
564 
565  /* split a route into two smaller blocking routes, and direct them to target */
566  l2 = ((~gateway->netmask)+1)>>1;
567  r1->flags = RT_DEFINED;
568  r1->gateway = target;
569  r1->network = gateway->addr & gateway->netmask;
570  r1->netmask = ~(l2-1);
571  r1->next = rl->routes;
572  rl->routes = r1;
573 
574  *r2 = *r1;
575  r2->network += l2;
576  r2->next = rl->routes;
577  rl->routes = r2;
578  }
579 }
580 
581 static void
583 {
584  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
585  if ((rl->flags & RG_BLOCK_LOCAL)
586  && (rl->rgi.flags & rgi_needed) == rgi_needed
587  && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
588  && rl->spec.remote_host_local != TLA_LOCAL)
589  {
590  size_t i;
591 
592 #ifndef TARGET_ANDROID
593  /* add bypass for gateway addr */
595 #endif
596 
597  /* block access to local subnet */
599 
600  /* process additional subnets on gateway interface */
601  for (i = 0; i < rl->rgi.n_addrs; ++i)
602  {
603  const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
604  /* omit the add/subnet in &rl->rgi which we processed above */
605  if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
606  && rl->rgi.gateway.netmask == gwa->netmask))
607  {
609  }
610  }
611  }
612 }
613 
614 bool
616  const struct route_option_list *opt,
617  const char *remote_endpoint,
618  int default_metric,
619  in_addr_t remote_host,
620  struct env_set *es,
621  openvpn_net_ctx_t *ctx)
622 {
623  struct gc_arena gc = gc_new();
624  bool ret = true;
625 
626  clear_route_list(rl);
627 
628  rl->flags = opt->flags;
629 
630  if (remote_host != IPV4_INVALID_ADDR)
631  {
632  rl->spec.remote_host = remote_host;
633  rl->spec.flags |= RTSA_REMOTE_HOST;
634  }
635 
636  if (default_metric)
637  {
638  rl->spec.default_metric = default_metric;
640  }
641 
642  get_default_gateway(&rl->rgi, ctx);
643  if (rl->rgi.flags & RGI_ADDR_DEFINED)
644  {
645  setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
646 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
647  print_default_gateway(D_ROUTE, &rl->rgi, NULL);
648 #endif
649  }
650  else
651  {
652  dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
653  }
654 
655  if (rl->spec.flags & RTSA_REMOTE_HOST)
656  {
657  rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
658  }
659 
660  if (is_route_parm_defined(remote_endpoint))
661  {
662  bool defined = false;
667  remote_endpoint,
668  0,
669  &defined,
670  NULL);
671 
672  if (defined)
673  {
674  setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
676  }
677  else
678  {
679  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
680  remote_endpoint);
681  ret = false;
682  }
683  }
684 
685  if (rl->flags & RG_ENABLE)
686  {
687  add_block_local(rl);
689 #ifdef ENABLE_DEBUG
690  print_bypass_addresses(&rl->spec.bypass);
691 #endif
692  }
693 
694  /* parse the routes from opt to rl */
695  {
696  struct route_option *ro;
697  for (ro = opt->routes; ro; ro = ro->next)
698  {
699  struct addrinfo *netlist = NULL;
700  struct route_ipv4 r;
701 
702  if (!init_route(&r, &netlist, ro, rl))
703  {
704  ret = false;
705  }
706  else
707  {
708  struct addrinfo *curele;
709  for (curele = netlist; curele; curele = curele->ai_next)
710  {
711  struct route_ipv4 *new;
712  ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
713  *new = r;
714  new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
715  new->next = rl->routes;
716  rl->routes = new;
717  }
718  }
719  if (netlist)
720  {
721  gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
722  }
723  }
724  }
725 
726  gc_free(&gc);
727  return ret;
728 }
729 
730 /* check whether an IPv6 host address is covered by a given route_ipv6
731  * (not the most beautiful implementation in the world, but portable and
732  * "good enough")
733  */
734 static bool
736  const struct in6_addr *host )
737 {
738  unsigned int bits = r6->netbits;
739  int i;
740  unsigned int mask;
741 
742  if (bits>128)
743  {
744  return false;
745  }
746 
747  for (i = 0; bits >= 8; i++, bits -= 8)
748  {
749  if (r6->network.s6_addr[i] != host->s6_addr[i])
750  {
751  return false;
752  }
753  }
754 
755  if (bits == 0)
756  {
757  return true;
758  }
759 
760  mask = 0xff << (8-bits);
761 
762  if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask ))
763  {
764  return true;
765  }
766 
767  return false;
768 }
769 
770 bool
772  const struct route_ipv6_option_list *opt6,
773  const char *remote_endpoint,
774  int default_metric,
775  const struct in6_addr *remote_host_ipv6,
776  struct env_set *es,
777  openvpn_net_ctx_t *ctx)
778 {
779  struct gc_arena gc = gc_new();
780  bool ret = true;
781  bool need_remote_ipv6_route;
782 
784 
785  rl6->flags = opt6->flags;
786 
787  if (remote_host_ipv6)
788  {
789  rl6->remote_host_ipv6 = *remote_host_ipv6;
791  }
792 
793  if (default_metric >= 0)
794  {
795  rl6->default_metric = default_metric;
797  }
798 
799  msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
800  remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" );
801 
802  get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
803  if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
804  {
805  setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
806 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
807  print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
808 #endif
809  }
810  else
811  {
812  dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
813  }
814 
815  if (is_route_parm_defined( remote_endpoint ))
816  {
817  if (inet_pton( AF_INET6, remote_endpoint,
818  &rl6->remote_endpoint_ipv6) == 1)
819  {
821  }
822  else
823  {
824  msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint);
825  ret = false;
826  }
827  }
828 
829  /* parse the routes from opt6 to rl6
830  * discovering potential overlaps with remote_host_ipv6 in the process
831  */
832  need_remote_ipv6_route = false;
833 
834  {
835  struct route_ipv6_option *ro6;
836  for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
837  {
838  struct route_ipv6 *r6;
839  ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
840  if (!init_route_ipv6(r6, ro6, rl6))
841  {
842  ret = false;
843  }
844  else
845  {
846  r6->next = rl6->routes_ipv6;
847  rl6->routes_ipv6 = r6;
848 
849 #ifndef TARGET_ANDROID
850  /* On Android the VPNService protect function call will take of
851  * avoiding routing loops, so ignore this part and let
852  * need_remote_ipv6_route always evaluate to false
853  */
854  if (remote_host_ipv6
855  && route_ipv6_match_host( r6, remote_host_ipv6 ) )
856  {
857  need_remote_ipv6_route = true;
858  msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
859  print_in6_addr(r6->network, 0, &gc), r6->netbits,
860  print_in6_addr(*remote_host_ipv6, 0, &gc));
861  }
862 #endif
863  }
864  }
865  }
866 
867  /* add VPN server host route if needed */
868  if (need_remote_ipv6_route)
869  {
870  if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) ==
872  {
873  struct route_ipv6 *r6;
874  ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
875 
876  r6->network = *remote_host_ipv6;
877  r6->netbits = 128;
878  if (!(rl6->rgi6.flags & RGI_ON_LINK) )
879  {
880  r6->gateway = rl6->rgi6.gateway.addr_ipv6;
881  }
882  r6->metric = 1;
883 #ifdef _WIN32
884  r6->adapter_index = rl6->rgi6.adapter_index;
885 #else
886  r6->iface = rl6->rgi6.iface;
887 #endif
889 
890  r6->next = rl6->routes_ipv6;
891  rl6->routes_ipv6 = r6;
892  }
893  else
894  {
895  msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" );
896  }
897  }
898 
899  gc_free(&gc);
900  return ret;
901 }
902 
903 static void
905  in_addr_t netmask,
907  const struct tuntap *tt,
908  unsigned int flags,
909  const struct route_gateway_info *rgi,
910  const struct env_set *es,
911  openvpn_net_ctx_t *ctx)
912 {
913  struct route_ipv4 r;
914  CLEAR(r);
915  r.flags = RT_DEFINED;
916  r.network = network;
917  r.netmask = netmask;
918  r.gateway = gateway;
919  add_route(&r, tt, flags, rgi, es, ctx);
920 }
921 
922 static void
926  const struct tuntap *tt,
927  unsigned int flags,
928  const struct route_gateway_info *rgi,
929  const struct env_set *es,
930  openvpn_net_ctx_t *ctx)
931 {
932  struct route_ipv4 r;
933  CLEAR(r);
935  r.network = network;
936  r.netmask = netmask;
937  r.gateway = gateway;
938  delete_route(&r, tt, flags, rgi, es, ctx);
939 }
940 
941 static void
944  const struct tuntap *tt,
945  unsigned int flags,
946  const struct route_gateway_info *rgi,
947  const struct env_set *es,
948  openvpn_net_ctx_t *ctx)
949 {
950  int i;
951  for (i = 0; i < rb->n_bypass; ++i)
952  {
953  if (rb->bypass[i])
954  {
955  add_route3(rb->bypass[i],
957  gateway,
958  tt,
959  flags | ROUTE_REF_GW,
960  rgi,
961  es,
962  ctx);
963  }
964  }
965 }
966 
967 static void
970  const struct tuntap *tt,
971  unsigned int flags,
972  const struct route_gateway_info *rgi,
973  const struct env_set *es,
974  openvpn_net_ctx_t *ctx)
975 {
976  int i;
977  for (i = 0; i < rb->n_bypass; ++i)
978  {
979  if (rb->bypass[i])
980  {
981  del_route3(rb->bypass[i],
983  gateway,
984  tt,
985  flags | ROUTE_REF_GW,
986  rgi,
987  es,
988  ctx);
989  }
990  }
991 }
992 
993 static void
994 redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
995  unsigned int flags, const struct env_set *es,
996  openvpn_net_ctx_t *ctx)
997 {
998  const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
999 
1000  if (rl && rl->flags & RG_ENABLE)
1001  {
1002  bool local = rl->flags & RG_LOCAL;
1003 
1004  if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
1005  {
1006  msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
1007  }
1008  /*
1009  * check if a default route is defined, unless:
1010  * - we are connecting to a remote host in our network
1011  * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
1012  */
1013  else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
1014  && (rl->spec.flags & RTSA_REMOTE_HOST))
1015  {
1016  msg(M_WARN, "%s Cannot read current default gateway from system", err);
1017  }
1018  else
1019  {
1020 #ifndef TARGET_ANDROID
1021  if (rl->flags & RG_AUTO_LOCAL)
1022  {
1023  const int tla = rl->spec.remote_host_local;
1024  if (tla == TLA_NONLOCAL)
1025  {
1026  dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
1027  local = false;
1028  }
1029  else if (tla == TLA_LOCAL)
1030  {
1031  dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
1032  local = true;
1033  }
1034  }
1035  if (!local)
1036  {
1037  /* route remote host to original default gateway */
1038  /* if remote_host is not ipv4 (ie: ipv6), just skip
1039  * adding this special /32 route */
1040  if ((rl->spec.flags & RTSA_REMOTE_HOST)
1042  {
1045  rl->rgi.gateway.addr,
1046  tt,
1047  flags | ROUTE_REF_GW,
1048  &rl->rgi,
1049  es,
1050  ctx);
1051  rl->iflags |= RL_DID_LOCAL;
1052  }
1053  else
1054  {
1055  dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1056  }
1057  }
1058 #endif /* ifndef TARGET_ANDROID */
1059 
1060  /* route DHCP/DNS server traffic through original default gateway */
1061  add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1062  &rl->rgi, es, ctx);
1063 
1064  if (rl->flags & RG_REROUTE_GW)
1065  {
1066  if (rl->flags & RG_DEF1)
1067  {
1068  /* add new default route (1st component) */
1069  add_route3(0x00000000,
1070  0x80000000,
1071  rl->spec.remote_endpoint,
1072  tt,
1073  flags,
1074  &rl->rgi,
1075  es,
1076  ctx);
1077 
1078  /* add new default route (2nd component) */
1079  add_route3(0x80000000,
1080  0x80000000,
1081  rl->spec.remote_endpoint,
1082  tt,
1083  flags,
1084  &rl->rgi,
1085  es,
1086  ctx);
1087  }
1088  else
1089  {
1090  /* don't try to remove the def route if it does not exist */
1091  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1092  {
1093  /* delete default route */
1094  del_route3(0, 0, rl->rgi.gateway.addr, tt,
1095  flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1096  }
1097 
1098  /* add new default route */
1099  add_route3(0,
1100  0,
1101  rl->spec.remote_endpoint,
1102  tt,
1103  flags,
1104  &rl->rgi,
1105  es,
1106  ctx);
1107  }
1108  }
1109 
1110  /* set a flag so we can undo later */
1112  }
1113  }
1114 }
1115 
1116 static void
1118  const struct tuntap *tt, unsigned int flags,
1119  const struct env_set *es,
1120  openvpn_net_ctx_t *ctx)
1121 {
1122  if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1123  {
1124  /* delete remote host route */
1125  if (rl->iflags & RL_DID_LOCAL)
1126  {
1129  rl->rgi.gateway.addr,
1130  tt,
1131  flags | ROUTE_REF_GW,
1132  &rl->rgi,
1133  es,
1134  ctx);
1135  rl->iflags &= ~RL_DID_LOCAL;
1136  }
1137 
1138  /* delete special DHCP/DNS bypass route */
1139  del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1140  &rl->rgi, es, ctx);
1141 
1142  if (rl->flags & RG_REROUTE_GW)
1143  {
1144  if (rl->flags & RG_DEF1)
1145  {
1146  /* delete default route (1st component) */
1147  del_route3(0x00000000,
1148  0x80000000,
1149  rl->spec.remote_endpoint,
1150  tt,
1151  flags,
1152  &rl->rgi,
1153  es,
1154  ctx);
1155 
1156  /* delete default route (2nd component) */
1157  del_route3(0x80000000,
1158  0x80000000,
1159  rl->spec.remote_endpoint,
1160  tt,
1161  flags,
1162  &rl->rgi,
1163  es,
1164  ctx);
1165  }
1166  else
1167  {
1168  /* delete default route */
1169  del_route3(0,
1170  0,
1171  rl->spec.remote_endpoint,
1172  tt,
1173  flags,
1174  &rl->rgi,
1175  es,
1176  ctx);
1177  /* restore original default route if there was any */
1178  if (rl->rgi.flags & RGI_ADDR_DEFINED)
1179  {
1180  add_route3(0, 0, rl->rgi.gateway.addr, tt,
1181  flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1182  }
1183  }
1184  }
1185 
1187  }
1188 }
1189 
1190 void
1191 add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1192  const struct tuntap *tt, unsigned int flags,
1193  const struct env_set *es, openvpn_net_ctx_t *ctx)
1194 {
1195  redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1196  if (rl && !(rl->iflags & RL_ROUTES_ADDED) )
1197  {
1198  struct route_ipv4 *r;
1199 
1200  if (rl->routes && !tt->did_ifconfig_setup)
1201  {
1202  msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv4 "
1203  "route. However, no IPv4 has been configured for %s, "
1204  "therefore the route installation may fail or may not work "
1205  "as expected.", tt->actual_name);
1206  }
1207 
1208 #ifdef ENABLE_MANAGEMENT
1209  if (management && rl->routes)
1210  {
1213  NULL,
1214  NULL,
1215  NULL,
1216  NULL,
1217  NULL);
1218  }
1219 #endif
1220 
1221  for (r = rl->routes; r; r = r->next)
1222  {
1223  check_subnet_conflict(r->network, r->netmask, "route");
1224  if (flags & ROUTE_DELETE_FIRST)
1225  {
1226  delete_route(r, tt, flags, &rl->rgi, es, ctx);
1227  }
1228  add_route(r, tt, flags, &rl->rgi, es, ctx);
1229  }
1230  rl->iflags |= RL_ROUTES_ADDED;
1231  }
1232  if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
1233  {
1234  struct route_ipv6 *r;
1235 
1236  if (!tt->did_ifconfig_ipv6_setup)
1237  {
1238  msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
1239  "route. However, no IPv6 has been configured for %s, "
1240  "therefore the route installation may fail or may not work "
1241  "as expected.", tt->actual_name);
1242  }
1243 
1244  for (r = rl6->routes_ipv6; r; r = r->next)
1245  {
1246  if (flags & ROUTE_DELETE_FIRST)
1247  {
1248  delete_route_ipv6(r, tt, flags, es, ctx);
1249  }
1250  add_route_ipv6(r, tt, flags, es, ctx);
1251  }
1252  rl6->iflags |= RL_ROUTES_ADDED;
1253  }
1254 }
1255 
1256 void
1257 delete_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1258  const struct tuntap *tt, unsigned int flags,
1259  const struct env_set *es, openvpn_net_ctx_t *ctx)
1260 {
1261  if (rl && rl->iflags & RL_ROUTES_ADDED)
1262  {
1263  struct route_ipv4 *r;
1264  for (r = rl->routes; r; r = r->next)
1265  {
1266  delete_route(r, tt, flags, &rl->rgi, es, ctx);
1267  }
1268  rl->iflags &= ~RL_ROUTES_ADDED;
1269  }
1270 
1271  undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1272 
1273  if (rl)
1274  {
1275  clear_route_list(rl);
1276  }
1277 
1278  if (rl6 && (rl6->iflags & RL_ROUTES_ADDED) )
1279  {
1280  struct route_ipv6 *r6;
1281  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1282  {
1283  delete_route_ipv6(r6, tt, flags, es, ctx);
1284  }
1285  rl6->iflags &= ~RL_ROUTES_ADDED;
1286  }
1287 
1288  if (rl6)
1289  {
1290  clear_route_ipv6_list(rl6);
1291  }
1292 }
1293 
1294 #ifndef ENABLE_SMALL
1295 
1296 static const char *
1297 show_opt(const char *option)
1298 {
1299  if (!option)
1300  {
1301  return "default (not set)";
1302  }
1303  else
1304  {
1305  return option;
1306  }
1307 }
1308 
1309 static void
1310 print_route_option(const struct route_option *ro, int level)
1311 {
1312  msg(level, " route %s/%s/%s/%s",
1313  show_opt(ro->network),
1314  show_opt(ro->netmask),
1315  show_opt(ro->gateway),
1316  show_opt(ro->metric));
1317 }
1318 
1319 void
1321  int level)
1322 {
1323  struct route_option *ro;
1324  if (rol->flags & RG_ENABLE)
1325  {
1326  msg(level, " [redirect_default_gateway local=%d]",
1327  (rol->flags & RG_LOCAL) != 0);
1328  }
1329  for (ro = rol->routes; ro; ro = ro->next)
1330  {
1331  print_route_option(ro, level);
1332  }
1333 }
1334 
1335 void
1336 print_default_gateway(const int msglevel,
1337  const struct route_gateway_info *rgi,
1338  const struct route_ipv6_gateway_info *rgi6)
1339 {
1340  struct gc_arena gc = gc_new();
1341  if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1342  {
1343  struct buffer out = alloc_buf_gc(256, &gc);
1344  buf_printf(&out, "ROUTE_GATEWAY");
1345  if (rgi->flags & RGI_ON_LINK)
1346  {
1347  buf_printf(&out, " ON_LINK");
1348  }
1349  else
1350  {
1351  buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1352  }
1353  if (rgi->flags & RGI_NETMASK_DEFINED)
1354  {
1355  buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1356  }
1357 #ifdef _WIN32
1358  if (rgi->flags & RGI_IFACE_DEFINED)
1359  {
1360  buf_printf(&out, " I=%lu", rgi->adapter_index);
1361  }
1362 #else
1363  if (rgi->flags & RGI_IFACE_DEFINED)
1364  {
1365  buf_printf(&out, " IFACE=%s", rgi->iface);
1366  }
1367 #endif
1368  if (rgi->flags & RGI_HWADDR_DEFINED)
1369  {
1370  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1371  }
1372  msg(msglevel, "%s", BSTR(&out));
1373  }
1374 
1375  if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1376  {
1377  struct buffer out = alloc_buf_gc(256, &gc);
1378  buf_printf(&out, "ROUTE6_GATEWAY");
1379  buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1380  if (rgi6->flags & RGI_ON_LINK)
1381  {
1382  buf_printf(&out, " ON_LINK");
1383  }
1384  if (rgi6->flags & RGI_NETMASK_DEFINED)
1385  {
1386  buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1387  }
1388 #ifdef _WIN32
1389  if (rgi6->flags & RGI_IFACE_DEFINED)
1390  {
1391  buf_printf(&out, " I=%lu", rgi6->adapter_index);
1392  }
1393 #else
1394  if (rgi6->flags & RGI_IFACE_DEFINED)
1395  {
1396  buf_printf(&out, " IFACE=%s", rgi6->iface);
1397  }
1398 #endif
1399  if (rgi6->flags & RGI_HWADDR_DEFINED)
1400  {
1401  buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1402  }
1403  msg(msglevel, "%s", BSTR(&out));
1404  }
1405  gc_free(&gc);
1406 }
1407 
1408 #endif /* ifndef ENABLE_SMALL */
1409 
1410 static void
1411 print_route(const struct route_ipv4 *r, int level)
1412 {
1413  struct gc_arena gc = gc_new();
1414  if (r->flags & RT_DEFINED)
1415  {
1416  msg(level, "%s", route_string(r, &gc));
1417  }
1418  gc_free(&gc);
1419 }
1420 
1421 void
1422 print_routes(const struct route_list *rl, int level)
1423 {
1424  struct route_ipv4 *r;
1425  for (r = rl->routes; r; r = r->next)
1426  {
1427  print_route(r, level);
1428  }
1429 }
1430 
1431 static void
1432 setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1433 {
1434  struct gc_arena gc = gc_new();
1435  if (r->flags & RT_DEFINED)
1436  {
1437  setenv_route_addr(es, "network", r->network, i);
1438  setenv_route_addr(es, "netmask", r->netmask, i);
1439  setenv_route_addr(es, "gateway", r->gateway, i);
1440 
1441  if (r->flags & RT_METRIC_DEFINED)
1442  {
1443  struct buffer name = alloc_buf_gc(256, &gc);
1444  buf_printf(&name, "route_metric_%d", i);
1445  setenv_int(es, BSTR(&name), r->metric);
1446  }
1447  }
1448  gc_free(&gc);
1449 }
1450 
1451 void
1452 setenv_routes(struct env_set *es, const struct route_list *rl)
1453 {
1454  int i = 1;
1455  struct route_ipv4 *r;
1456  for (r = rl->routes; r; r = r->next)
1457  {
1458  setenv_route(es, r, i++);
1459  }
1460 }
1461 
1462 static void
1463 setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1464 {
1465  struct gc_arena gc = gc_new();
1466  if (r6->flags & RT_DEFINED)
1467  {
1468  struct buffer name1 = alloc_buf_gc( 256, &gc );
1469  struct buffer val = alloc_buf_gc( 256, &gc );
1470  struct buffer name2 = alloc_buf_gc( 256, &gc );
1471 
1472  buf_printf( &name1, "route_ipv6_network_%d", i );
1473  buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ),
1474  r6->netbits );
1475  setenv_str( es, BSTR(&name1), BSTR(&val) );
1476 
1477  buf_printf( &name2, "route_ipv6_gateway_%d", i );
1478  setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc ));
1479 
1480  if (r6->flags & RT_METRIC_DEFINED)
1481  {
1482  struct buffer name3 = alloc_buf_gc( 256, &gc );
1483  buf_printf( &name3, "route_ipv6_metric_%d", i) ;
1484  setenv_int( es, BSTR(&name3), r6->metric);
1485  }
1486  }
1487  gc_free(&gc);
1488 }
1489 void
1490 setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1491 {
1492  int i = 1;
1493  struct route_ipv6 *r6;
1494  for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1495  {
1496  setenv_route_ipv6(es, r6, i++);
1497  }
1498 }
1499 
1500 /*
1501  * local_route() determines whether the gateway of a provided host
1502  * route is on the same interface that owns the default gateway.
1503  * It uses the data structure
1504  * returned by get_default_gateway() (struct route_gateway_info)
1505  * to determine this. If the route is local, LR_MATCH is returned.
1506  * When adding routes into the kernel, if LR_MATCH is defined for
1507  * a given route, the route should explicitly reference the default
1508  * gateway interface as the route destination. For example, here
1509  * is an example on Linux that uses LR_MATCH:
1510  *
1511  * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1512  *
1513  * This capability is needed by the "default-gateway block-local"
1514  * directive, to allow client access to the local subnet to be
1515  * blocked but still allow access to the local default gateway.
1516  */
1517 
1518 /* local_route() return values */
1519 #define LR_NOMATCH 0 /* route is not local */
1520 #define LR_MATCH 1 /* route is local */
1521 #define LR_ERROR 2 /* caller should abort adding route */
1522 
1523 static int
1525  in_addr_t netmask,
1527  const struct route_gateway_info *rgi)
1528 {
1529  /* set LR_MATCH on local host routes */
1530  const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
1531  if (rgi
1532  && (rgi->flags & rgi_needed) == rgi_needed
1533  && gateway == rgi->gateway.addr
1534  && netmask == 0xFFFFFFFF)
1535  {
1536  if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1537  {
1538  return LR_MATCH;
1539  }
1540  else
1541  {
1542  /* examine additional subnets on gateway interface */
1543  size_t i;
1544  for (i = 0; i < rgi->n_addrs; ++i)
1545  {
1546  const struct route_gateway_address *gwa = &rgi->addrs[i];
1547  if (((network ^ gwa->addr) & gwa->netmask) == 0)
1548  {
1549  return LR_MATCH;
1550  }
1551  }
1552  }
1553  }
1554  return LR_NOMATCH;
1555 }
1556 
1557 /* Return true if the "on-link" form of the route should be used. This is when the gateway for a
1558  * a route is specified as an interface rather than an address. */
1559 static inline bool
1560 is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1561 {
1562  return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1563 }
1564 
1565 void
1567  const struct tuntap *tt,
1568  unsigned int flags,
1569  const struct route_gateway_info *rgi, /* may be NULL */
1570  const struct env_set *es,
1571  openvpn_net_ctx_t *ctx)
1572 {
1573  bool status = false;
1574  int is_local_route;
1575 
1576  if (!(r->flags & RT_DEFINED))
1577  {
1578  return;
1579  }
1580 
1581  struct argv argv = argv_new();
1582  struct gc_arena gc = gc_new();
1583 
1584 #if !defined(TARGET_LINUX)
1585  const char *network = print_in_addr_t(r->network, 0, &gc);
1586 #if !defined(TARGET_AIX)
1587  const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1588 #endif
1589  const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1590 #endif
1591 
1592  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1593  if (is_local_route == LR_ERROR)
1594  {
1595  goto done;
1596  }
1597 
1598 #if defined(TARGET_LINUX)
1599  const char *iface = NULL;
1600  int metric = -1;
1601 
1602  if (is_on_link(is_local_route, flags, rgi))
1603  {
1604  iface = rgi->iface;
1605  }
1606 
1607  if (r->flags & RT_METRIC_DEFINED)
1608  {
1609  metric = r->metric;
1610  }
1611 
1612  status = true;
1613  if (net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask),
1614  &r->gateway, iface, 0, metric) < 0)
1615  {
1616  msg(M_WARN, "ERROR: Linux route add command failed");
1617  status = false;
1618  }
1619 
1620 #elif defined (TARGET_ANDROID)
1621  char out[128];
1622 
1623  if (rgi)
1624  {
1625  openvpn_snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1626  }
1627  else
1628  {
1629  openvpn_snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1630  }
1631  management_android_control(management, "ROUTE", out);
1632 
1633 #elif defined (_WIN32)
1634  {
1635  DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1636  argv_printf(&argv, "%s%s ADD %s MASK %s %s",
1637  get_win_sys_path(),
1639  network,
1640  netmask,
1641  gateway);
1642  if (r->flags & RT_METRIC_DEFINED)
1643  {
1644  argv_printf_cat(&argv, "METRIC %d", r->metric);
1645  }
1646  if (is_on_link(is_local_route, flags, rgi))
1647  {
1648  ai = rgi->adapter_index;
1649  argv_printf_cat(&argv, "IF %lu", ai);
1650  }
1651 
1652  argv_msg(D_ROUTE, &argv);
1653 
1654  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1655  {
1656  status = add_route_service(r, tt);
1657  msg(D_ROUTE, "Route addition via service %s", status ? "succeeded" : "failed");
1658  }
1659  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1660  {
1661  status = add_route_ipapi(r, tt, ai);
1662  msg(D_ROUTE, "Route addition via IPAPI %s", status ? "succeeded" : "failed");
1663  }
1664  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1665  {
1667  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1669  }
1670  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1671  {
1672  status = add_route_ipapi(r, tt, ai);
1673  msg(D_ROUTE, "Route addition via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
1674  if (!status)
1675  {
1676  msg(D_ROUTE, "Route addition fallback to route.exe");
1678  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1680  }
1681  }
1682  else
1683  {
1684  ASSERT(0);
1685  }
1686  }
1687 
1688 #elif defined (TARGET_SOLARIS)
1689 
1690  /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1691 
1692  argv_printf(&argv, "%s add",
1693  ROUTE_PATH);
1694 
1695  argv_printf_cat(&argv, "%s -netmask %s %s",
1696  network,
1697  netmask,
1698  gateway);
1699 
1700  /* Solaris can only distinguish between "metric 0" == "on-link on the
1701  * interface where the IP address given is configured" and "metric > 0"
1702  * == "use gateway specified" (no finer-grained route metrics available)
1703  *
1704  * More recent versions of Solaris can also do "-interface", but that
1705  * would break backwards compatibility with older versions for no gain.
1706  */
1707  if (r->flags & RT_METRIC_DEFINED)
1708  {
1709  argv_printf_cat(&argv, "%d", r->metric);
1710  }
1711 
1712  argv_msg(D_ROUTE, &argv);
1713  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1714 
1715 #elif defined(TARGET_FREEBSD)
1716 
1717  argv_printf(&argv, "%s add",
1718  ROUTE_PATH);
1719 
1720 #if 0
1721  if (r->flags & RT_METRIC_DEFINED)
1722  {
1723  argv_printf_cat(&argv, "-rtt %d", r->metric);
1724  }
1725 #endif
1726 
1727  argv_printf_cat(&argv, "-net %s %s %s",
1728  network,
1729  gateway,
1730  netmask);
1731 
1732  /* FIXME -- add on-link support for FreeBSD */
1733 
1734  argv_msg(D_ROUTE, &argv);
1735  status = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1736 
1737 #elif defined(TARGET_DRAGONFLY)
1738 
1739  argv_printf(&argv, "%s add",
1740  ROUTE_PATH);
1741 
1742 #if 0
1743  if (r->flags & RT_METRIC_DEFINED)
1744  {
1745  argv_printf_cat(&argv, "-rtt %d", r->metric);
1746  }
1747 #endif
1748 
1749  argv_printf_cat(&argv, "-net %s %s %s",
1750  network,
1751  gateway,
1752  netmask);
1753 
1754  /* FIXME -- add on-link support for Dragonfly */
1755 
1756  argv_msg(D_ROUTE, &argv);
1757  status = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1758 
1759 #elif defined(TARGET_DARWIN)
1760 
1761  argv_printf(&argv, "%s add",
1762  ROUTE_PATH);
1763 
1764 #if 0
1765  if (r->flags & RT_METRIC_DEFINED)
1766  {
1767  argv_printf_cat(&argv, "-rtt %d", r->metric);
1768  }
1769 #endif
1770 
1771  if (is_on_link(is_local_route, flags, rgi))
1772  {
1773  /* Mac OS X route syntax for ON_LINK:
1774  * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1775  argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s",
1776  network,
1777  netmask,
1778  rgi->iface);
1779  }
1780  else
1781  {
1782  argv_printf_cat(&argv, "-net %s %s %s",
1783  network,
1784  gateway,
1785  netmask);
1786  }
1787 
1788  argv_msg(D_ROUTE, &argv);
1789  status = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1790 
1791 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1792 
1793  argv_printf(&argv, "%s add",
1794  ROUTE_PATH);
1795 
1796 #if 0
1797  if (r->flags & RT_METRIC_DEFINED)
1798  {
1799  argv_printf_cat(&argv, "-rtt %d", r->metric);
1800  }
1801 #endif
1802 
1803  argv_printf_cat(&argv, "-net %s %s -netmask %s",
1804  network,
1805  gateway,
1806  netmask);
1807 
1808  /* FIXME -- add on-link support for OpenBSD/NetBSD */
1809 
1810  argv_msg(D_ROUTE, &argv);
1811  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1812 
1813 #elif defined(TARGET_AIX)
1814 
1815  {
1816  int netbits = netmask_to_netbits2(r->netmask);
1817  argv_printf(&argv, "%s add -net %s/%d %s",
1818  ROUTE_PATH,
1819  network, netbits, gateway);
1820  argv_msg(D_ROUTE, &argv);
1821  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1822  }
1823 
1824 #else /* if defined(TARGET_LINUX) */
1825  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1826 #endif /* if defined(TARGET_LINUX) */
1827 
1828 done:
1829  if (status)
1830  {
1831  r->flags |= RT_ADDED;
1832  }
1833  else
1834  {
1835  r->flags &= ~RT_ADDED;
1836  }
1837  argv_free(&argv);
1838  gc_free(&gc);
1839  /* release resources potentially allocated during route setup */
1840  net_ctx_reset(ctx);
1841 }
1842 
1843 
1844 void
1846 {
1847  /* clear host bit parts of route
1848  * (needed if routes are specified improperly, or if we need to
1849  * explicitly setup/clear the "connected" network routes on some OSes)
1850  */
1851  int byte = 15;
1852  int bits_to_clear = 128 - r6->netbits;
1853 
1854  while (byte >= 0 && bits_to_clear > 0)
1855  {
1856  if (bits_to_clear >= 8)
1857  {
1858  r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8;
1859  }
1860  else
1861  {
1862  r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0;
1863  }
1864  }
1865 }
1866 
1867 void
1868 add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt,
1869  unsigned int flags, const struct env_set *es,
1870  openvpn_net_ctx_t *ctx)
1871 {
1872  bool status = false;
1873  const char *device = tt->actual_name;
1874  bool gateway_needed = false;
1875 
1876  if (!(r6->flags & RT_DEFINED) )
1877  {
1878  return;
1879  }
1880 
1881  struct argv argv = argv_new();
1882  struct gc_arena gc = gc_new();
1883 
1884 #ifndef _WIN32
1885  if (r6->iface != NULL) /* vpn server special route */
1886  {
1887  device = r6->iface;
1888  if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
1889  {
1890  gateway_needed = true;
1891  }
1892  }
1893 #endif
1894 
1896  const char *network = print_in6_addr( r6->network, 0, &gc);
1897  const char *gateway = print_in6_addr( r6->gateway, 0, &gc);
1898 
1899 #if defined(TARGET_DARWIN) \
1900  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1901  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1902 
1903  /* the BSD platforms cannot specify gateway and interface independently,
1904  * but for link-local destinations, we MUST specify the interface, so
1905  * we build a combined "$gateway%$interface" gateway string
1906  */
1907  if (r6->iface != NULL && gateway_needed
1908  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
1909  {
1910  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
1911  char *tmp = gc_malloc( len, true, &gc );
1912  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
1913  gateway = tmp;
1914  }
1915 #endif
1916 
1917  msg( M_INFO, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1918  network, r6->netbits, gateway, r6->metric, device );
1919 
1920  /*
1921  * Filter out routes which are essentially no-ops
1922  * (not currently done for IPv6)
1923  */
1924 
1925  /* On "tun" interface, we never set a gateway if the operating system
1926  * can do "route to interface" - it does not add value, as the target
1927  * dev already fully qualifies the route destination on point-to-point
1928  * interfaces. OTOH, on "tap" interface, we must always set the
1929  * gateway unless the route is to be an on-link network
1930  */
1931  if (tt->type == DEV_TYPE_TAP
1932  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
1933  {
1934  gateway_needed = true;
1935  }
1936 
1937  if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1938  {
1939  msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1940  "parameter for a --route-ipv6 option and no default was set via "
1941  "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1942  "IPv6 route to %s/%d.", network, r6->netbits);
1943  status = false;
1944  goto done;
1945  }
1946 
1947 #if defined(TARGET_LINUX)
1948  int metric = -1;
1949  if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1950  {
1951  metric = r6->metric;
1952  }
1953 
1954  status = true;
1955  if (net_route_v6_add(ctx, &r6->network, r6->netbits,
1956  gateway_needed ? &r6->gateway : NULL, device, 0,
1957  metric) < 0)
1958  {
1959  msg(M_WARN, "ERROR: Linux IPv6 route can't be added");
1960  status = false;
1961  }
1962 
1963 #elif defined (TARGET_ANDROID)
1964  char out[64];
1965 
1966  openvpn_snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1967 
1968  management_android_control(management, "ROUTE6", out);
1969 
1970 #elif defined (_WIN32)
1971 
1972  if (tt->options.msg_channel)
1973  {
1974  status = add_route_ipv6_service(r6, tt);
1975  }
1976  else
1977  {
1978  DWORD adapter_index;
1979  if (r6->adapter_index) /* vpn server special route */
1980  {
1981  adapter_index = r6->adapter_index;
1982  gateway_needed = true;
1983  }
1984  else
1985  {
1986  adapter_index = tt->adapter_index;
1987  }
1988 
1989  /* netsh interface ipv6 add route 2001:db8::/32 42 */
1990  argv_printf(&argv, "%s%s interface ipv6 add route %s/%d %lu",
1991  get_win_sys_path(),
1993  network,
1994  r6->netbits,
1995  adapter_index);
1996 
1997  /* next-hop depends on TUN or TAP mode:
1998  * - in TAP mode, we use the "real" next-hop
1999  * - in TUN mode we use a special-case link-local address that the tapdrvr
2000  * knows about and will answer ND (neighbor discovery) packets for
2001  */
2002  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2003  {
2004  argv_printf_cat( &argv, " %s", "fe80::8" );
2005  }
2006  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2007  {
2008  argv_printf_cat( &argv, " %s", gateway );
2009  }
2010 
2011 #if 0
2012  if (r6->flags & RT_METRIC_DEFINED)
2013  {
2014  argv_printf_cat(&argv, " METRIC %d", r->metric);
2015  }
2016 #endif
2017 
2018  /* in some versions of Windows, routes are persistent across reboots by
2019  * default, unless "store=active" is set (pointed out by Tony Lim, thanks)
2020  */
2021  argv_printf_cat( &argv, " store=active" );
2022 
2023  argv_msg(D_ROUTE, &argv);
2024 
2026  status = openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add ipv6 command failed");
2028  }
2029 
2030 #elif defined (TARGET_SOLARIS)
2031 
2032  /* example: route add -inet6 2001:db8::/32 somegateway 0 */
2033 
2034  /* for some reason, routes to tun/tap do not work for me unless I set
2035  * "metric 0" - otherwise, the routes will be nicely installed, but
2036  * packets will just disappear somewhere. So we always use "0" now,
2037  * unless the route points to "gateway on other interface"...
2038  *
2039  * (Note: OpenSolaris can not specify host%interface gateways, so we just
2040  * use the GW addresses - it seems to still work for fe80:: addresses,
2041  * however this is done internally. NUD maybe?)
2042  */
2043  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2044  ROUTE_PATH,
2045  network,
2046  r6->netbits,
2047  gateway );
2048 
2049  /* on tun (not tap), not "elsewhere"? -> metric 0 */
2050  if (tt->type == DEV_TYPE_TUN && !r6->iface)
2051  {
2052  argv_printf_cat(&argv, "0");
2053  }
2054 
2055  argv_msg(D_ROUTE, &argv);
2056  status = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
2057 
2058 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2059 
2060  argv_printf(&argv, "%s add -inet6 %s/%d",
2061  ROUTE_PATH,
2062  network,
2063  r6->netbits);
2064 
2065  if (gateway_needed)
2066  {
2067  argv_printf_cat(&argv, "%s", gateway);
2068  }
2069  else
2070  {
2071  argv_printf_cat(&argv, "-iface %s", device);
2072  }
2073 
2074  argv_msg(D_ROUTE, &argv);
2075  status = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
2076 
2077 #elif defined(TARGET_DARWIN)
2078 
2079  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d",
2080  ROUTE_PATH,
2081  network, r6->netbits );
2082 
2083  if (gateway_needed)
2084  {
2085  argv_printf_cat(&argv, "%s", gateway);
2086  }
2087  else
2088  {
2089  argv_printf_cat(&argv, "-iface %s", device);
2090  }
2091 
2092  argv_msg(D_ROUTE, &argv);
2093  status = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
2094 
2095 #elif defined(TARGET_OPENBSD)
2096 
2097  argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s",
2098  ROUTE_PATH,
2099  network, r6->netbits, gateway );
2100 
2101  argv_msg(D_ROUTE, &argv);
2102  status = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
2103 
2104 #elif defined(TARGET_NETBSD)
2105 
2106  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2107  ROUTE_PATH,
2108  network, r6->netbits, gateway );
2109 
2110  argv_msg(D_ROUTE, &argv);
2111  status = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
2112 
2113 #elif defined(TARGET_AIX)
2114 
2115  argv_printf(&argv, "%s add -inet6 %s/%d %s",
2116  ROUTE_PATH,
2117  network, r6->netbits, gateway);
2118  argv_msg(D_ROUTE, &argv);
2119  status = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2120 
2121 #else /* if defined(TARGET_LINUX) */
2122  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2123 #endif /* if defined(TARGET_LINUX) */
2124 
2125 done:
2126  if (status)
2127  {
2128  r6->flags |= RT_ADDED;
2129  }
2130  else
2131  {
2132  r6->flags &= ~RT_ADDED;
2133  }
2134  argv_free(&argv);
2135  gc_free(&gc);
2136  /* release resources potentially allocated during route setup */
2137  net_ctx_reset(ctx);
2138 }
2139 
2140 static void
2142  const struct tuntap *tt,
2143  unsigned int flags,
2144  const struct route_gateway_info *rgi,
2145  const struct env_set *es,
2146  openvpn_net_ctx_t *ctx)
2147 {
2148  struct gc_arena gc;
2149  struct argv argv = argv_new();
2150 #if !defined(TARGET_LINUX)
2151  const char *network;
2152 #if !defined(TARGET_AIX)
2153  const char *netmask;
2154 #endif
2155 #if !defined(TARGET_ANDROID)
2156  const char *gateway;
2157 #endif
2158 #else /* if !defined(TARGET_LINUX) */
2159  int metric;
2160 #endif
2161  int is_local_route;
2162 
2163  if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2164  {
2165  return;
2166  }
2167 
2168  gc_init(&gc);
2169 
2170 #if !defined(TARGET_LINUX)
2171  network = print_in_addr_t(r->network, 0, &gc);
2172 #if !defined(TARGET_AIX)
2173  netmask = print_in_addr_t(r->netmask, 0, &gc);
2174 #endif
2175 #if !defined(TARGET_ANDROID)
2176  gateway = print_in_addr_t(r->gateway, 0, &gc);
2177 #endif
2178 #endif
2179 
2180  is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2181  if (is_local_route == LR_ERROR)
2182  {
2183  goto done;
2184  }
2185 
2186 #if defined(TARGET_LINUX)
2187  metric = -1;
2188  if (r->flags & RT_METRIC_DEFINED)
2189  {
2190  metric = r->metric;
2191  }
2192 
2193  if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask),
2194  &r->gateway, NULL, 0, metric) < 0)
2195  {
2196  msg(M_WARN, "ERROR: Linux route delete command failed");
2197  }
2198 #elif defined (_WIN32)
2199 
2200  argv_printf(&argv, "%s%s DELETE %s MASK %s %s",
2201  get_win_sys_path(),
2203  network,
2204  netmask,
2205  gateway);
2206 
2207  argv_msg(D_ROUTE, &argv);
2208 
2209  if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2210  {
2211  const bool status = del_route_service(r, tt);
2212  msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2213  }
2214  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2215  {
2216  const bool status = del_route_ipapi(r, tt);
2217  msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2218  }
2219  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2220  {
2222  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2224  }
2225  else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2226  {
2227  const bool status = del_route_ipapi(r, tt);
2228  msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2229  if (!status)
2230  {
2231  msg(D_ROUTE, "Route deletion fallback to route.exe");
2233  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]");
2235  }
2236  }
2237  else
2238  {
2239  ASSERT(0);
2240  }
2241 
2242 #elif defined (TARGET_SOLARIS)
2243 
2244  argv_printf(&argv, "%s delete %s -netmask %s %s",
2245  ROUTE_PATH,
2246  network,
2247  netmask,
2248  gateway);
2249 
2250  argv_msg(D_ROUTE, &argv);
2251  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2252 
2253 #elif defined(TARGET_FREEBSD)
2254 
2255  argv_printf(&argv, "%s delete -net %s %s %s",
2256  ROUTE_PATH,
2257  network,
2258  gateway,
2259  netmask);
2260 
2261  argv_msg(D_ROUTE, &argv);
2262  openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2263 
2264 #elif defined(TARGET_DRAGONFLY)
2265 
2266  argv_printf(&argv, "%s delete -net %s %s %s",
2267  ROUTE_PATH,
2268  network,
2269  gateway,
2270  netmask);
2271 
2272  argv_msg(D_ROUTE, &argv);
2273  openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2274 
2275 #elif defined(TARGET_DARWIN)
2276 
2277  if (is_on_link(is_local_route, flags, rgi))
2278  {
2279  argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s",
2280  ROUTE_PATH,
2281  network,
2282  netmask,
2283  rgi->iface);
2284  }
2285  else
2286  {
2287  argv_printf(&argv, "%s delete -net %s %s %s",
2288  ROUTE_PATH,
2289  network,
2290  gateway,
2291  netmask);
2292  }
2293 
2294  argv_msg(D_ROUTE, &argv);
2295  openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2296 
2297 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2298 
2299  argv_printf(&argv, "%s delete -net %s %s -netmask %s",
2300  ROUTE_PATH,
2301  network,
2302  gateway,
2303  netmask);
2304 
2305  argv_msg(D_ROUTE, &argv);
2306  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2307 
2308 #elif defined(TARGET_ANDROID)
2309  msg(M_NONFATAL, "Sorry, deleting routes on Android is not possible. The VpnService API allows routes to be set on connect only.");
2310 
2311 #elif defined(TARGET_AIX)
2312 
2313  {
2314  int netbits = netmask_to_netbits2(r->netmask);
2315  argv_printf(&argv, "%s delete -net %s/%d %s",
2316  ROUTE_PATH,
2317  network, netbits, gateway);
2318  argv_msg(D_ROUTE, &argv);
2319  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2320  }
2321 
2322 #else /* if defined(TARGET_LINUX) */
2323  msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2324 #endif /* if defined(TARGET_LINUX) */
2325 
2326 done:
2327  r->flags &= ~RT_ADDED;
2328  argv_free(&argv);
2329  gc_free(&gc);
2330  /* release resources potentially allocated during route cleanup */
2331  net_ctx_reset(ctx);
2332 }
2333 
2334 void
2335 delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt,
2336  unsigned int flags, const struct env_set *es,
2337  openvpn_net_ctx_t *ctx)
2338 {
2339  struct gc_arena gc;
2340  struct argv argv = argv_new();
2341  const char *network;
2342 #if !defined(TARGET_LINUX)
2343  const char *gateway;
2344 #else
2345  int metric;
2346 #endif
2347  bool gateway_needed = false;
2348 
2349  if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2350  {
2351  return;
2352  }
2353 
2354 #ifndef _WIN32
2355  const char *device = tt->actual_name;
2356  if (r6->iface != NULL) /* vpn server special route */
2357  {
2358  device = r6->iface;
2359  gateway_needed = true;
2360  }
2361 #endif
2362 
2363  gc_init(&gc);
2364 
2365  network = print_in6_addr( r6->network, 0, &gc);
2366 #if !defined(TARGET_LINUX)
2367  gateway = print_in6_addr( r6->gateway, 0, &gc);
2368 #endif
2369 
2370 #if defined(TARGET_DARWIN) \
2371  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2372  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2373 
2374  /* the BSD platforms cannot specify gateway and interface independently,
2375  * but for link-local destinations, we MUST specify the interface, so
2376  * we build a combined "$gateway%$interface" gateway string
2377  */
2378  if (r6->iface != NULL && gateway_needed
2379  && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
2380  {
2381  int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
2382  char *tmp = gc_malloc( len, true, &gc );
2383  snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
2384  gateway = tmp;
2385  }
2386 #endif
2387 
2388  msg( M_INFO, "delete_route_ipv6(%s/%d)", network, r6->netbits );
2389 
2390  /* if we used a gateway on "add route", we also need to specify it on
2391  * delete, otherwise some OSes will refuse to delete the route
2392  */
2393  if (tt->type == DEV_TYPE_TAP
2394  && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
2395  {
2396  gateway_needed = true;
2397  }
2398 
2399 #if defined(TARGET_LINUX)
2400  metric = -1;
2401  if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2402  {
2403  metric = r6->metric;
2404  }
2405 
2406  if (net_route_v6_del(ctx, &r6->network, r6->netbits,
2407  gateway_needed ? &r6->gateway : NULL, device, 0,
2408  metric) < 0)
2409  {
2410  msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2411  }
2412 
2413 #elif defined (_WIN32)
2414 
2415  if (tt->options.msg_channel)
2416  {
2417  del_route_ipv6_service(r6, tt);
2418  }
2419  else
2420  {
2421  DWORD adapter_index;
2422  if (r6->adapter_index) /* vpn server special route */
2423  {
2424  adapter_index = r6->adapter_index;
2425  gateway_needed = true;
2426  }
2427  else
2428  {
2429  adapter_index = tt->adapter_index;
2430  }
2431 
2432  /* netsh interface ipv6 delete route 2001:db8::/32 42 */
2433  argv_printf(&argv, "%s%s interface ipv6 delete route %s/%d %lu",
2434  get_win_sys_path(),
2436  network,
2437  r6->netbits,
2438  adapter_index);
2439 
2440  /* next-hop depends on TUN or TAP mode:
2441  * - in TAP mode, we use the "real" next-hop
2442  * - in TUN mode we use a special-case link-local address that the tapdrvr
2443  * knows about and will answer ND (neighbor discovery) packets for
2444  * (and "route deletion without specifying next-hop" does not work...)
2445  */
2446  if (tt->type == DEV_TYPE_TUN && !gateway_needed)
2447  {
2448  argv_printf_cat( &argv, " %s", "fe80::8" );
2449  }
2450  else if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
2451  {
2452  argv_printf_cat( &argv, " %s", gateway );
2453  }
2454 
2455 #if 0
2456  if (r6->flags & RT_METRIC_DEFINED)
2457  {
2458  argv_printf_cat(&argv, "METRIC %d", r->metric);
2459  }
2460 #endif
2461 
2462  /* Windows XP to 7 "just delete" routes, wherever they came from, but
2463  * in Windows 8(.1?), if you create them with "store=active", this is
2464  * how you should delete them as well (pointed out by Cedric Tabary)
2465  */
2466  argv_printf_cat( &argv, " store=active" );
2467 
2468  argv_msg(D_ROUTE, &argv);
2469 
2471  openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete ipv6 command failed");
2473  }
2474 
2475 #elif defined (TARGET_SOLARIS)
2476 
2477  /* example: route delete -inet6 2001:db8::/32 somegateway */
2478 
2479  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2480  ROUTE_PATH,
2481  network,
2482  r6->netbits,
2483  gateway );
2484 
2485  argv_msg(D_ROUTE, &argv);
2486  openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2487 
2488 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2489 
2490  argv_printf(&argv, "%s delete -inet6 %s/%d",
2491  ROUTE_PATH,
2492  network,
2493  r6->netbits );
2494 
2495  if (gateway_needed)
2496  {
2497  argv_printf_cat(&argv, "%s", gateway);
2498  }
2499  else
2500  {
2501  argv_printf_cat(&argv, "-iface %s", device);
2502  }
2503 
2504  argv_msg(D_ROUTE, &argv);
2505  openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2506 
2507 #elif defined(TARGET_DARWIN)
2508 
2509  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d",
2510  ROUTE_PATH,
2511  network, r6->netbits );
2512 
2513  if (gateway_needed)
2514  {
2515  argv_printf_cat(&argv, "%s", gateway);
2516  }
2517  else
2518  {
2519  argv_printf_cat(&argv, "-iface %s", device);
2520  }
2521 
2522  argv_msg(D_ROUTE, &argv);
2523  openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2524 
2525 #elif defined(TARGET_OPENBSD)
2526 
2527  argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s",
2528  ROUTE_PATH,
2529  network, r6->netbits, gateway );
2530 
2531  argv_msg(D_ROUTE, &argv);
2532  openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2533 
2534 #elif defined(TARGET_NETBSD)
2535 
2536  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2537  ROUTE_PATH,
2538  network, r6->netbits, gateway );
2539 
2540  argv_msg(D_ROUTE, &argv);
2541  openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2542 
2543 #elif defined(TARGET_AIX)
2544 
2545  argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2546  ROUTE_PATH,
2547  network, r6->netbits, gateway);
2548  argv_msg(D_ROUTE, &argv);
2549  openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2550 
2551 #else /* if defined(TARGET_LINUX) */
2552  msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2553 #endif /* if defined(TARGET_LINUX) */
2554 
2555  argv_free(&argv);
2556  gc_free(&gc);
2557  /* release resources potentially allocated during route cleanup */
2558  net_ctx_reset(ctx);
2559 }
2560 
2561 /*
2562  * The --redirect-gateway option requires OS-specific code below
2563  * to get the current default gateway.
2564  */
2565 
2566 #if defined(_WIN32)
2567 
2568 static const MIB_IPFORWARDTABLE *
2570 {
2571  ULONG size = 0;
2572  PMIB_IPFORWARDTABLE rt = NULL;
2573  DWORD status;
2574 
2575  status = GetIpForwardTable(NULL, &size, TRUE);
2576  if (status == ERROR_INSUFFICIENT_BUFFER)
2577  {
2578  rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc);
2579  status = GetIpForwardTable(rt, &size, TRUE);
2580  if (status != NO_ERROR)
2581  {
2582  msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2583  strerror_win32(status, gc),
2584  (unsigned int)status);
2585  rt = NULL;
2586  }
2587  }
2588  return rt;
2589 }
2590 
2591 static int
2592 test_route(const IP_ADAPTER_INFO *adapters,
2593  const in_addr_t gateway,
2594  DWORD *index)
2595 {
2596  int count = 0;
2597  DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2598  if (index)
2599  {
2600  *index = i;
2601  }
2602  return count;
2603 }
2604 
2605 static void
2607  int *count,
2608  int *good,
2609  int *ambig,
2610  const IP_ADAPTER_INFO *adapters,
2611  const in_addr_t gateway)
2612 {
2613  int c;
2614 
2615  ++*count;
2616  c = test_route(adapters, gateway, NULL);
2617  if (c == 0)
2618  {
2619  *ret = false;
2620  }
2621  else
2622  {
2623  ++*good;
2624  }
2625  if (c > 1)
2626  {
2627  ++*ambig;
2628  }
2629 }
2630 
2631 /*
2632  * If we tried to add routes now, would we succeed?
2633  */
2634 bool
2635 test_routes(const struct route_list *rl, const struct tuntap *tt)
2636 {
2637  struct gc_arena gc = gc_new();
2638  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2639  bool ret = false;
2640  int count = 0;
2641  int good = 0;
2642  int ambig = 0;
2643  int len = -1;
2644  bool adapter_up = false;
2645 
2646  if (is_adapter_up(tt, adapters))
2647  {
2648  ret = true;
2649  adapter_up = true;
2650 
2651  /* we do this test only if we have IPv4 routes to install, and if
2652  * the tun/tap interface has seen IPv4 ifconfig - because if we
2653  * have no IPv4, the check will always fail, failing tun init
2654  */
2655  if (rl && tt->did_ifconfig_setup)
2656  {
2657  struct route_ipv4 *r;
2658  for (r = rl->routes, len = 0; r; r = r->next, ++len)
2659  {
2660  test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2661  }
2662 
2663  if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2664  {
2665  test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2666  }
2667  }
2668  }
2669 
2670  msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2671  good,
2672  count,
2673  len,
2674  (int)ret,
2675  ambig,
2676  adapter_up ? "up" : "down");
2677 
2678  gc_free(&gc);
2679  return ret;
2680 }
2681 
2682 static const MIB_IPFORWARDROW *
2683 get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2684 {
2685  struct gc_arena gc = gc_new();
2686  DWORD lowest_metric = MAXDWORD;
2687  const MIB_IPFORWARDROW *ret = NULL;
2688  int best = -1;
2689 
2690  if (routes)
2691  {
2692  for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2693  {
2694  const MIB_IPFORWARDROW *row = &routes->table[i];
2695  const in_addr_t net = ntohl(row->dwForwardDest);
2696  const in_addr_t mask = ntohl(row->dwForwardMask);
2697  const DWORD index = row->dwForwardIfIndex;
2698  const DWORD metric = row->dwForwardMetric1;
2699 
2700  dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d",
2701  i,
2702  print_in_addr_t((in_addr_t) net, 0, &gc),
2703  print_in_addr_t((in_addr_t) mask, 0, &gc),
2704  (int)index,
2705  (int)metric);
2706 
2707  if (!net && !mask && metric < lowest_metric)
2708  {
2709  ret = row;
2710  lowest_metric = metric;
2711  best = i;
2712  }
2713  }
2714  }
2715 
2716  dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2717 
2718  gc_free(&gc);
2719  return ret;
2720 }
2721 
2722 void
2724 {
2725  struct gc_arena gc = gc_new();
2726 
2727  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2728  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
2729  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
2730  DWORD a_index;
2731  const IP_ADAPTER_INFO *ai;
2732 
2733  CLEAR(*rgi);
2734 
2735  if (row)
2736  {
2737  rgi->gateway.addr = ntohl(row->dwForwardNextHop);
2738  if (rgi->gateway.addr)
2739  {
2740  rgi->flags |= RGI_ADDR_DEFINED;
2741  a_index = adapter_index_of_ip(adapters, rgi->gateway.addr, NULL, &rgi->gateway.netmask);
2742  if (a_index != TUN_ADAPTER_INDEX_INVALID)
2743  {
2744  rgi->adapter_index = a_index;
2746  ai = get_adapter(adapters, a_index);
2747  if (ai)
2748  {
2749  memcpy(rgi->hwaddr, ai->Address, 6);
2750  rgi->flags |= RGI_HWADDR_DEFINED;
2751  }
2752  }
2753  }
2754  }
2755 
2756  gc_free(&gc);
2757 }
2758 
2759 static DWORD
2760 windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2761 {
2762  struct gc_arena gc = gc_new();
2763  DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2764  int count = 0;
2765  const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2766  const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2767  bool on_tun = false;
2768 
2769  /* first test on tun interface */
2770  if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2771  {
2772  ret = tun_adapter->Index;
2773  count = 1;
2774  on_tun = true;
2775  }
2776  else /* test on other interfaces */
2777  {
2778  count = test_route(adapters, r->gateway, &ret);
2779  }
2780 
2781  if (count == 0)
2782  {
2783  msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2784  print_in_addr_t(r->gateway, 0, &gc));
2786  }
2787  else if (count > 1)
2788  {
2789  msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2790  print_in_addr_t(r->gateway, 0, &gc),
2791  count);
2792  }
2793 
2794  dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2795  on_tun,
2796  count,
2797  (int)ret);
2798 
2799  gc_free(&gc);
2800  return ret;
2801 }
2802 
2803 /* IPv6 implementation using GetBestRoute2()
2804  * (TBD: dynamic linking so the binary can still run on XP?)
2805  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2806  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2807  */
2808 void
2810  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
2811 {
2812  struct gc_arena gc = gc_new();
2813  MIB_IPFORWARD_ROW2 BestRoute;
2814  SOCKADDR_INET DestinationAddress, BestSourceAddress;
2815  DWORD BestIfIndex;
2816  DWORD status;
2817  NET_LUID InterfaceLuid;
2818 
2819  CLEAR(*rgi6);
2820  CLEAR(InterfaceLuid); /* cleared = not used for lookup */
2821  CLEAR(DestinationAddress);
2822 
2823  DestinationAddress.si_family = AF_INET6;
2824  if (dest)
2825  {
2826  DestinationAddress.Ipv6.sin6_addr = *dest;
2827  }
2828 
2829  status = GetBestInterfaceEx( (struct sockaddr *)&DestinationAddress, &BestIfIndex );
2830 
2831  if (status != NO_ERROR)
2832  {
2833  msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2834  strerror_win32(status, &gc),
2835  (unsigned int)status);
2836  goto done;
2837  }
2838 
2839  msg( D_ROUTE, "GetBestInterfaceEx() returned if=%d", (int) BestIfIndex );
2840 
2841  status = GetBestRoute2( &InterfaceLuid, BestIfIndex, NULL,
2842  &DestinationAddress, 0,
2843  &BestRoute, &BestSourceAddress );
2844 
2845  if (status != NO_ERROR)
2846  {
2847  msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2848  strerror_win32(status, &gc),
2849  (unsigned int)status);
2850  goto done;
2851  }
2852 
2853  msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s",
2854  BestRoute.InterfaceIndex,
2855  print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2856  BestRoute.DestinationPrefix.PrefixLength,
2857  print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) );
2858  msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d",
2859  (int) BestRoute.Metric,
2860  (int) BestRoute.Loopback,
2861  (int) BestRoute.AutoconfigureAddress,
2862  (int) BestRoute.Immortal );
2863 
2864  rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2865  rgi6->adapter_index = BestRoute.InterfaceIndex;
2867 
2868  /* on-link is signalled by receiving an empty (::) NextHop */
2869  if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) )
2870  {
2871  rgi6->flags |= RGI_ON_LINK;
2872  }
2873 
2874 done:
2875  gc_free(&gc);
2876 }
2877 
2878 bool
2879 add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2880 {
2881  struct gc_arena gc = gc_new();
2882  bool ret = false;
2883  DWORD status;
2884  const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index;
2885 
2886  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2887  {
2888  MIB_IPFORWARDROW fr;
2889  CLEAR(fr);
2890  fr.dwForwardDest = htonl(r->network);
2891  fr.dwForwardMask = htonl(r->netmask);
2892  fr.dwForwardPolicy = 0;
2893  fr.dwForwardNextHop = htonl(r->gateway);
2894  fr.dwForwardIfIndex = if_index;
2895  fr.dwForwardType = 4; /* the next hop is not the final dest */
2896  fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2897  fr.dwForwardAge = 0;
2898  fr.dwForwardNextHopAS = 0;
2899  fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2900  fr.dwForwardMetric2 = METRIC_NOT_USED;
2901  fr.dwForwardMetric3 = METRIC_NOT_USED;
2902  fr.dwForwardMetric4 = METRIC_NOT_USED;
2903  fr.dwForwardMetric5 = METRIC_NOT_USED;
2904 
2905  if ((r->network & r->netmask) != r->network)
2906  {
2907  msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2908  print_in_addr_t(r->network, 0, &gc),
2909  print_in_addr_t(r->netmask, 0, &gc));
2910  }
2911 
2912  status = CreateIpForwardEntry(&fr);
2913 
2914  if (status == NO_ERROR)
2915  {
2916  ret = true;
2917  }
2918  else
2919  {
2920  /* failed, try increasing the metric to work around Vista issue */
2921  const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */
2922 
2923  for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2924  {
2925  /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2926  * --redirect-gateway over RRAS seems to need this. */
2927  for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2928  {
2929  status = CreateIpForwardEntry(&fr);
2930  if (status == NO_ERROR)
2931  {
2932  msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2933  (unsigned int)fr.dwForwardMetric1,
2934  (unsigned int)fr.dwForwardType);
2935  ret = true;
2936  goto doublebreak;
2937  }
2938  else if (status != ERROR_BAD_ARGUMENTS)
2939  {
2940  goto doublebreak;
2941  }
2942  }
2943  }
2944 
2945 doublebreak:
2946  if (status != NO_ERROR)
2947  {
2948  msg(M_WARN, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]",
2949  strerror_win32(status, &gc),
2950  (unsigned int)status,
2951  (unsigned int)if_index);
2952  }
2953  }
2954  }
2955 
2956  gc_free(&gc);
2957  return ret;
2958 }
2959 
2960 bool
2961 del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2962 {
2963  struct gc_arena gc = gc_new();
2964  bool ret = false;
2965  DWORD status;
2966  const DWORD if_index = windows_route_find_if_index(r, tt);
2967 
2968  if (if_index != TUN_ADAPTER_INDEX_INVALID)
2969  {
2970  MIB_IPFORWARDROW fr;
2971  CLEAR(fr);
2972 
2973  fr.dwForwardDest = htonl(r->network);
2974  fr.dwForwardMask = htonl(r->netmask);
2975  fr.dwForwardPolicy = 0;
2976  fr.dwForwardNextHop = htonl(r->gateway);
2977  fr.dwForwardIfIndex = if_index;
2978 
2979  status = DeleteIpForwardEntry(&fr);
2980 
2981  if (status == NO_ERROR)
2982  {
2983  ret = true;
2984  }
2985  else
2986  {
2987  msg(M_WARN, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s",
2988  strerror_win32(status, &gc));
2989  }
2990  }
2991 
2992  gc_free(&gc);
2993  return ret;
2994 }
2995 
2996 static bool
2997 do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
2998 {
2999  bool ret = false;
3000  ack_message_t ack;
3001  struct gc_arena gc = gc_new();
3002 
3003  if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
3004  {
3005  goto out;
3006  }
3007 
3008  if (ack.error_number != NO_ERROR)
3009  {
3010  msg(M_WARN, "ROUTE: route %s failed using service: %s [status=%u if_index=%d]",
3011  (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
3012  ack.error_number, rt->iface.index);
3013  goto out;
3014  }
3015 
3016  ret = true;
3017 
3018 out:
3019  gc_free(&gc);
3020  return ret;
3021 }
3022 
3023 static bool
3024 do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
3025 {
3026  DWORD if_index = windows_route_find_if_index(r, tt);
3027  if (if_index == ~0)
3028  {
3029  return false;
3030  }
3031 
3032  route_message_t msg = {
3033  .header = {
3034  (add ? msg_add_route : msg_del_route),
3035  sizeof(route_message_t),
3036  0
3037  },
3038  .family = AF_INET,
3039  .prefix.ipv4.s_addr = htonl(r->network),
3040  .gateway.ipv4.s_addr = htonl(r->gateway),
3041  .iface = { .index = if_index, .name = "" },
3042  .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1)
3043  };
3044 
3046  if (msg.prefix_len == -1)
3047  {
3048  msg.prefix_len = 32;
3049  }
3050 
3051  return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3052 }
3053 
3054 static bool
3055 do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3056 {
3057  bool status;
3058  route_message_t msg = {
3059  .header = {
3060  (add ? msg_add_route : msg_del_route),
3061  sizeof(route_message_t),
3062  0
3063  },
3064  .family = AF_INET6,
3065  .prefix.ipv6 = r->network,
3066  .prefix_len = r->netbits,
3067  .gateway.ipv6 = r->gateway,
3068  .iface = { .index = tt->adapter_index, .name = "" },
3069  .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1)
3070  };
3071 
3072  if (r->adapter_index) /* vpn server special route */
3073  {
3074  msg.iface.index = r->adapter_index;
3075  }
3076 
3077  /* In TUN mode we use a special link-local address as the next hop.
3078  * The tapdrvr knows about it and will answer neighbor discovery packets.
3079  * (only do this for routes actually using the tun/tap device)
3080  */
3081  if (tt->type == DEV_TYPE_TUN
3082  && msg.iface.index == tt->adapter_index)
3083  {
3084  inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3085  }
3086 
3088  {
3089  strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3090  msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3091  }
3092 
3093  status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3094  msg(D_ROUTE, "IPv6 route %s via service %s",
3095  add ? "addition" : "deletion",
3096  status ? "succeeded" : "failed");
3097  return status;
3098 }
3099 
3100 static bool
3101 add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3102 {
3103  return do_route_ipv4_service(true, r, tt);
3104 }
3105 
3106 static bool
3107 del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3108 {
3109  return do_route_ipv4_service(false, r, tt);
3110 }
3111 
3112 static bool
3113 add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3114 {
3115  return do_route_ipv6_service(true, r, tt);
3116 }
3117 
3118 static bool
3119 del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3120 {
3121  return do_route_ipv6_service(false, r, tt);
3122 }
3123 
3124 static const char *
3125 format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3126 {
3127  struct buffer out = alloc_buf_gc(256, gc);
3128  buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3129  print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3130  print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3131  print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
3132  (int)r->dwForwardPolicy,
3133  (int)r->dwForwardIfIndex,
3134  (int)r->dwForwardType,
3135  (int)r->dwForwardProto,
3136  (int)r->dwForwardAge,
3137  (int)r->dwForwardNextHopAS,
3138  (int)r->dwForwardMetric1,
3139  (int)r->dwForwardMetric2,
3140  (int)r->dwForwardMetric3,
3141  (int)r->dwForwardMetric4,
3142  (int)r->dwForwardMetric5);
3143  return BSTR(&out);
3144 }
3145 
3146 /*
3147  * Show current routing table
3148  */
3149 void
3150 show_routes(int msglev)
3151 {
3152  struct gc_arena gc = gc_new();
3153 
3154  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3155 
3156  msg(msglev, "SYSTEM ROUTING TABLE");
3157  if (rt)
3158  {
3159  for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3160  {
3161  msg(msglev, "%s", format_route_entry(&rt->table[i], &gc));
3162  }
3163  }
3164  gc_free(&gc);
3165 }
3166 
3167 #elif defined(TARGET_ANDROID)
3168 
3169 void
3171 {
3172  /* Android, set some pseudo GW, addr is in host byte order,
3173  * Determining the default GW on Android 5.0+ is non trivial
3174  * and serves almost no purpose since OpenVPN only uses the
3175  * default GW address to add routes for networks that should
3176  * NOT be routed over the VPN. Using a well known address
3177  * (127.'d'.'g'.'w') for the default GW make detecting
3178  * these routes easier from the controlling app.
3179  */
3180  CLEAR(*rgi);
3181 
3182  rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3184  strcpy(rgi->iface, "android-gw");
3185 
3186  /* Skip scanning/fetching interface from loopback interface we do
3187  * normally on Linux.
3188  * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3189  */
3190 
3191 }
3192 
3193 void
3195  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3196 {
3197  /* Same for ipv6 */
3198 
3199  CLEAR(*rgi6);
3200 
3201  /* Use a fake link-local address */
3202  ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3203  rgi6->addrs->netbits_ipv6 = 64;
3205  strcpy(rgi6->iface, "android-gw");
3206 }
3207 
3208 #elif defined(TARGET_LINUX)
3209 
3210 void
3212 {
3213  struct gc_arena gc = gc_new();
3214  int sd = -1;
3215  char best_name[IFNAMSIZ];
3216 
3217  CLEAR(*rgi);
3218  CLEAR(best_name);
3219 
3220  /* get default gateway IP addr */
3221  if (net_route_v4_best_gw(ctx, NULL, &rgi->gateway.addr, best_name) == 0)
3222  {
3223  rgi->flags |= RGI_ADDR_DEFINED;
3224  if (!rgi->gateway.addr && best_name[0])
3225  {
3226  rgi->flags |= RGI_ON_LINK;
3227  }
3228  }
3229 
3230  /* scan adapter list */
3231  if (rgi->flags & RGI_ADDR_DEFINED)
3232  {
3233  struct ifreq *ifr, *ifend;
3234  in_addr_t addr, netmask;
3235  struct ifreq ifreq;
3236  struct ifconf ifc;
3237  struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3238 
3239  if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3240  {
3241  msg(M_WARN, "GDG: socket() failed");
3242  goto done;
3243  }
3244  ifc.ifc_len = sizeof(ifs);
3245  ifc.ifc_req = ifs;
3246  if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3247  {
3248  msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3249  goto done;
3250  }
3251 
3252  /* scan through interface list */
3253  ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3254  for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3255  {
3256  if (ifr->ifr_addr.sa_family == AF_INET)
3257  {
3258  /* get interface addr */
3259  addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
3260 
3261  /* get interface name */
3262  strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3263 
3264  /* check that the interface is up */
3265  if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3266  {
3267  continue;
3268  }
3269  if (!(ifreq.ifr_flags & IFF_UP))
3270  {
3271  continue;
3272  }
3273 
3274  if (rgi->flags & RGI_ON_LINK)
3275  {
3276  /* check that interface name of current interface
3277  * matches interface name of best default route */
3278  if (strcmp(ifreq.ifr_name, best_name))
3279  {
3280  continue;
3281  }
3282 #if 0
3283  /* if point-to-point link, use remote addr as route gateway */
3284  if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3285  {
3286  rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3287  if (rgi->gateway.addr)
3288  {
3289  rgi->flags &= ~RGI_ON_LINK;
3290  }
3291  }
3292 #endif
3293  }
3294  else
3295  {
3296  /* get interface netmask */
3297  if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3298  {
3299  continue;
3300  }
3301  netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3302 
3303  /* check that interface matches default route */
3304  if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3305  {
3306  continue;
3307  }
3308 
3309  /* save netmask */
3310  rgi->gateway.netmask = netmask;
3311  rgi->flags |= RGI_NETMASK_DEFINED;
3312  }
3313 
3314  /* save iface name */
3315  strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3316  rgi->flags |= RGI_IFACE_DEFINED;
3317 
3318  /* now get the hardware address. */
3319  memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3320  if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3321  {
3322  msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3323  goto done;
3324  }
3325  memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3326  rgi->flags |= RGI_HWADDR_DEFINED;
3327 
3328  break;
3329  }
3330  }
3331  }
3332 
3333 done:
3334  if (sd >= 0)
3335  {
3336  close(sd);
3337  }
3338  gc_free(&gc);
3339 }
3340 
3341 /* IPv6 implementation using netlink
3342  * http://www.linuxjournal.com/article/7356
3343  * netlink(3), netlink(7), rtnetlink(7)
3344  * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
3345  */
3346 struct rtreq {
3347  struct nlmsghdr nh;
3348  struct rtmsg rtm;
3349  char attrbuf[512];
3350 };
3351 
3352 void
3354  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3355 {
3356  int flags;
3357 
3358  CLEAR(*rgi6);
3359 
3360  if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6,
3361  rgi6->iface) == 0)
3362  {
3363  if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3364  {
3365  rgi6->flags |= RGI_ADDR_DEFINED;
3366  }
3367 
3368  if (strlen(rgi6->iface) > 0)
3369  {
3370  rgi6->flags |= RGI_IFACE_DEFINED;
3371  }
3372  }
3373 
3374  /* if we have an interface but no gateway, the destination is on-link */
3375  flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3376  if (flags == RGI_IFACE_DEFINED)
3377  {
3378  rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3379  if (dest)
3380  {
3381  rgi6->gateway.addr_ipv6 = *dest;
3382  }
3383  }
3384 }
3385 
3386 #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
3387  || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
3388  || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3389 
3390 #include <sys/types.h>
3391 #include <sys/socket.h>
3392 #include <netinet/in.h>
3393 #include <net/route.h>
3394 #include <net/if_dl.h>
3395 
3396 struct rtmsg {
3397  struct rt_msghdr m_rtm;
3398  char m_space[512];
3399 };
3400 
3401 /* the route socket code is identical for all 4 supported BSDs and for
3402  * MacOS X (Darwin), with one crucial difference: when going from
3403  * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3404  * source code compatibility by keeping the use of "long", while
3405  * MacOS X decided to keep binary compatibility by *changing* the API
3406  * to use "uint32_t", thus 32 bit on all OS X variants
3407  *
3408  * NetBSD does the MacOS way of "fixed number of bits, no matter if
3409  * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3410  * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3411  *
3412  * We used to have a large amount of duplicate code here which really
3413  * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3414  * having a combined block for all BSDs with this single #ifdef inside
3415  */
3416 
3417 #if defined(TARGET_DARWIN)
3418 #define ROUNDUP(a) \
3419  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3420 #elif defined(TARGET_NETBSD)
3421 #define ROUNDUP(a) RT_ROUNDUP(a)
3422 #else
3423 #define ROUNDUP(a) \
3424  ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3425 #endif
3426 
3427 #if defined(TARGET_SOLARIS)
3428 #define NEXTADDR(w, u) \
3429  if (rtm_addrs & (w)) { \
3430  l = sizeof(u); memmove(cp, &(u), l); cp += ROUNDUP(l); \
3431  }
3432 
3433 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3434 #else /* if defined(TARGET_SOLARIS) */
3435 #define NEXTADDR(w, u) \
3436  if (rtm_addrs & (w)) { \
3437  l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
3438  }
3439 
3440 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3441 #endif
3442 
3443 #define max(a,b) ((a) > (b) ? (a) : (b))
3444 
3445 void
3447 {
3448  struct gc_arena gc = gc_new();
3449  struct rtmsg m_rtmsg;
3450  int sockfd = -1;
3451  int seq, l, pid, rtm_addrs;
3452  unsigned int i;
3453  struct sockaddr so_dst, so_mask;
3454  char *cp = m_rtmsg.m_space;
3455  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3456  struct rt_msghdr *rtm_aux;
3457 
3458 #define rtm m_rtmsg.m_rtm
3459 
3460  CLEAR(*rgi);
3461 
3462  /* setup data to send to routing socket */
3463  pid = getpid();
3464  seq = 0;
3465  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3466 
3467  bzero(&m_rtmsg, sizeof(m_rtmsg));
3468  bzero(&so_dst, sizeof(so_dst));
3469  bzero(&so_mask, sizeof(so_mask));
3470  bzero(&rtm, sizeof(struct rt_msghdr));
3471 
3472  rtm.rtm_type = RTM_GET;
3473  rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3474  rtm.rtm_version = RTM_VERSION;
3475  rtm.rtm_seq = ++seq;
3476 #ifdef TARGET_OPENBSD
3477  rtm.rtm_tableid = getrtable();
3478 #endif
3479  rtm.rtm_addrs = rtm_addrs;
3480 
3481  so_dst.sa_family = AF_INET;
3482  so_mask.sa_family = AF_INET;
3483 
3484 #ifndef TARGET_SOLARIS
3485  so_dst.sa_len = sizeof(struct sockaddr_in);
3486  so_mask.sa_len = sizeof(struct sockaddr_in);
3487 #endif
3488 
3489  NEXTADDR(RTA_DST, so_dst);
3490  NEXTADDR(RTA_NETMASK, so_mask);
3491 
3492  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3493 
3494  /* transact with routing socket */
3495  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3496  if (sockfd < 0)
3497  {
3498  msg(M_WARN, "GDG: socket #1 failed");
3499  goto done;
3500  }
3501  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3502  {
3503  msg(M_WARN, "GDG: problem writing to routing socket");
3504  goto done;
3505  }
3506  do
3507  {
3508  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3509  } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3510  close(sockfd);
3511  sockfd = -1;
3512 
3513  /* extract return data from routing socket */
3514  rtm_aux = &rtm;
3515  cp = ((char *)(rtm_aux + 1));
3516  if (rtm_aux->rtm_addrs)
3517  {
3518  for (i = 1; i; i <<= 1)
3519  {
3520  if (i & rtm_aux->rtm_addrs)
3521  {
3522  sa = (struct sockaddr *)cp;
3523  if (i == RTA_GATEWAY)
3524  {
3525  gate = sa;
3526  }
3527  else if (i == RTA_IFP)
3528  {
3529  ifp = sa;
3530  }
3531  ADVANCE(cp, sa);
3532  }
3533  }
3534  }
3535  else
3536  {
3537  goto done;
3538  }
3539 
3540  /* get gateway addr and interface name */
3541  if (gate != NULL)
3542  {
3543  /* get default gateway addr */
3544  rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3545  if (rgi->gateway.addr)
3546  {
3547  rgi->flags |= RGI_ADDR_DEFINED;
3548  }
3549 
3550  if (ifp)
3551  {
3552  /* get interface name */
3553  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3554  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3555  {
3556  memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3557  rgi->iface[adl->sdl_nlen] = '\0';
3558  rgi->flags |= RGI_IFACE_DEFINED;
3559  }
3560  }
3561  }
3562 
3563  /* get netmask of interface that owns default gateway */
3564  if (rgi->flags & RGI_IFACE_DEFINED)
3565  {
3566  struct ifreq ifr;
3567 
3568  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3569  if (sockfd < 0)
3570  {
3571  msg(M_WARN, "GDG: socket #2 failed");
3572  goto done;
3573  }
3574 
3575  CLEAR(ifr);
3576  ifr.ifr_addr.sa_family = AF_INET;
3577  strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3578 
3579  if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3580  {
3581  msg(M_WARN, "GDG: ioctl #1 failed");
3582  goto done;
3583  }
3584  close(sockfd);
3585  sockfd = -1;
3586 
3587  rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3588  rgi->flags |= RGI_NETMASK_DEFINED;
3589  }
3590 
3591  /* try to read MAC addr associated with interface that owns default gateway */
3592  if (rgi->flags & RGI_IFACE_DEFINED)
3593  {
3594  struct ifconf ifc;
3595  struct ifreq *ifr;
3596  const int bufsize = 4096;
3597  char *buffer;
3598 
3599  buffer = (char *) gc_malloc(bufsize, true, &gc);
3600  sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3601  if (sockfd < 0)
3602  {
3603  msg(M_WARN, "GDG: socket #3 failed");
3604  goto done;
3605  }
3606 
3607  ifc.ifc_len = bufsize;
3608  ifc.ifc_buf = buffer;
3609 
3610  if (ioctl(sockfd, SIOCGIFCONF, (char *)&ifc) < 0)
3611  {
3612  msg(M_WARN, "GDG: ioctl #2 failed");
3613  goto done;
3614  }
3615  close(sockfd);
3616  sockfd = -1;
3617 
3618  for (cp = buffer; cp <= buffer + ifc.ifc_len - sizeof(struct ifreq); )
3619  {
3620  ifr = (struct ifreq *)cp;
3621 #if defined(TARGET_SOLARIS)
3622  const size_t len = sizeof(ifr->ifr_name) + sizeof(ifr->ifr_addr);
3623 #else
3624  const size_t len = sizeof(ifr->ifr_name) + max(sizeof(ifr->ifr_addr), ifr->ifr_addr.sa_len);
3625 #endif
3626 
3627  if (!ifr->ifr_addr.sa_family)
3628  {
3629  break;
3630  }
3631  if (!strncmp(ifr->ifr_name, rgi->iface, IFNAMSIZ))
3632  {
3633  if (ifr->ifr_addr.sa_family == AF_LINK)
3634  {
3635  struct sockaddr_dl *sdl = (struct sockaddr_dl *)&ifr->ifr_addr;
3636  memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3637  rgi->flags |= RGI_HWADDR_DEFINED;
3638  }
3639  }
3640  cp += len;
3641  }
3642  }
3643 
3644 done:
3645  if (sockfd >= 0)
3646  {
3647  close(sockfd);
3648  }
3649  gc_free(&gc);
3650 }
3651 
3652 /* BSD implementation using routing socket (as does IPv4)
3653  * (the code duplication is somewhat unavoidable if we want this to
3654  * work on OpenSolaris as well. *sigh*)
3655  */
3656 
3657 /* Solaris has no length field - this is ugly, but less #ifdef in total
3658  */
3659 #if defined(TARGET_SOLARIS)
3660 #undef ADVANCE
3661 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3662 #endif
3663 
3664 void
3666  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3667 {
3668 
3669  struct rtmsg m_rtmsg;
3670  int sockfd = -1;
3671  int seq, l, pid, rtm_addrs;
3672  unsigned int i;
3673  struct sockaddr_in6 so_dst, so_mask;
3674  char *cp = m_rtmsg.m_space;
3675  struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3676  struct rt_msghdr *rtm_aux;
3677 
3678  CLEAR(*rgi6);
3679 
3680  /* setup data to send to routing socket */
3681  pid = getpid();
3682  seq = 0;
3683  rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3684 
3685  bzero(&m_rtmsg, sizeof(m_rtmsg));
3686  bzero(&so_dst, sizeof(so_dst));
3687  bzero(&so_mask, sizeof(so_mask));
3688  bzero(&rtm, sizeof(struct rt_msghdr));
3689 
3690  rtm.rtm_type = RTM_GET;
3691  rtm.rtm_flags = RTF_UP;
3692  rtm.rtm_version = RTM_VERSION;
3693  rtm.rtm_seq = ++seq;
3694 #ifdef TARGET_OPENBSD
3695  rtm.rtm_tableid = getrtable();
3696 #endif
3697 
3698  so_dst.sin6_family = AF_INET6;
3699  so_mask.sin6_family = AF_INET6;
3700 
3701  if (dest != NULL /* specific host? */
3702  && !IN6_IS_ADDR_UNSPECIFIED(dest) )
3703  {
3704  so_dst.sin6_addr = *dest;
3705  /* :: needs /0 "netmask", host route wants "no netmask */
3706  rtm_addrs &= ~RTA_NETMASK;
3707  }
3708 
3709  rtm.rtm_addrs = rtm_addrs;
3710 
3711 #ifndef TARGET_SOLARIS
3712  so_dst.sin6_len = sizeof(struct sockaddr_in6);
3713  so_mask.sin6_len = sizeof(struct sockaddr_in6);
3714 #endif
3715 
3716  NEXTADDR(RTA_DST, so_dst);
3717  NEXTADDR(RTA_NETMASK, so_mask);
3718 
3719  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3720 
3721  /* transact with routing socket */
3722  sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3723  if (sockfd < 0)
3724  {
3725  msg(M_WARN, "GDG6: socket #1 failed");
3726  goto done;
3727  }
3728  if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3729  {
3730  msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
3731  goto done;
3732  }
3733 
3734  do
3735  {
3736  l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3737  }
3738  while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3739 
3740  close(sockfd);
3741  sockfd = -1;
3742 
3743  /* extract return data from routing socket */
3744  rtm_aux = &rtm;
3745  cp = ((char *)(rtm_aux + 1));
3746  if (rtm_aux->rtm_addrs)
3747  {
3748  for (i = 1; i; i <<= 1)
3749  {
3750  if (i & rtm_aux->rtm_addrs)
3751  {
3752  sa = (struct sockaddr *)cp;
3753  if (i == RTA_GATEWAY)
3754  {
3755  gate = sa;
3756  }
3757  else if (i == RTA_IFP)
3758  {
3759  ifp = sa;
3760  }
3761  ADVANCE(cp, sa);
3762  }
3763  }
3764  }
3765  else
3766  {
3767  goto done;
3768  }
3769 
3770  /* get gateway addr and interface name */
3771  if (gate != NULL)
3772  {
3773  struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3774  struct in6_addr gw = s6->sin6_addr;
3775 
3776 #ifndef TARGET_SOLARIS
3777  /* You do not really want to know... from FreeBSD's route.c
3778  * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3779  * but for a correct link-local address these must be :0000: )
3780  */
3781  if (gate->sa_len == sizeof(struct sockaddr_in6)
3782  && IN6_IS_ADDR_LINKLOCAL(&gw) )
3783  {
3784  gw.s6_addr[2] = gw.s6_addr[3] = 0;
3785  }
3786 
3787  if (gate->sa_len != sizeof(struct sockaddr_in6)
3788  || IN6_IS_ADDR_UNSPECIFIED(&gw) )
3789  {
3790  rgi6->flags |= RGI_ON_LINK;
3791  }
3792  else
3793 #endif
3794 
3795  rgi6->gateway.addr_ipv6 = gw;
3796  rgi6->flags |= RGI_ADDR_DEFINED;
3797 
3798  if (ifp)
3799  {
3800  /* get interface name */
3801  const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3802  if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3803  {
3804  memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3805  rgi6->flags |= RGI_IFACE_DEFINED;
3806  }
3807  }
3808  }
3809 
3810 done:
3811  if (sockfd >= 0)
3812  {
3813  close(sockfd);
3814  }
3815 }
3816 
3817 #undef max
3818 
3819 #else /* if defined(_WIN32) */
3820 
3821 /*
3822  * This is a platform-specific method that returns data about
3823  * the current default gateway. Return data is placed into
3824  * a struct route_gateway_info object provided by caller. The
3825  * implementation should CLEAR the structure before adding
3826  * data to it.
3827  *
3828  * Data returned includes:
3829  * 1. default gateway address (rgi->gateway.addr)
3830  * 2. netmask of interface that owns default gateway
3831  * (rgi->gateway.netmask)
3832  * 3. hardware address (i.e. MAC address) of interface that owns
3833  * default gateway (rgi->hwaddr)
3834  * 4. interface name (or adapter index on Windows) that owns default
3835  * gateway (rgi->iface or rgi->adapter_index)
3836  * 5. an array of additional address/netmask pairs defined by
3837  * interface that owns default gateway (rgi->addrs with length
3838  * given in rgi->n_addrs)
3839  *
3840  * The flags RGI_x_DEFINED may be used to indicate which of the data
3841  * members were successfully returned (set in rgi->flags). All of
3842  * the data members are optional, however certain OpenVPN functionality
3843  * may be disabled by missing items.
3844  */
3845 void
3847 {
3848  CLEAR(*rgi);
3849 }
3850 void
3852  const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3853 {
3854  msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3855  CLEAR(*rgi6);
3856 }
3857 
3858 #endif /* if defined(_WIN32) */
3859 
3860 bool
3861 netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3862 {
3863  int i;
3864  const int addrlen = sizeof(in_addr_t) * 8;
3865 
3866  if ((network & netmask) == network)
3867  {
3868  for (i = 0; i <= addrlen; ++i)
3869  {
3870  in_addr_t mask = netbits_to_netmask(i);
3871  if (mask == netmask)
3872  {
3873  if (i == addrlen)
3874  {
3875  *netbits = -1;
3876  }
3877  else
3878  {
3879  *netbits = i;
3880  }
3881  return true;
3882  }
3883  }
3884  }
3885  return false;
3886 }
3887 
3888 /* similar to netmask_to_netbits(), but don't mess with base address
3889  * etc., just convert to netbits - non-mappable masks are returned as "-1"
3890  */
3891 int
3893 {
3894  int i;
3895  const int addrlen = sizeof(in_addr_t) * 8;
3896 
3897  for (i = 0; i <= addrlen; ++i)
3898  {
3899  in_addr_t mask = netbits_to_netmask(i);
3900  if (mask == netmask)
3901  {
3902  return i;
3903  }
3904  }
3905  return -1;
3906 }
3907 
3908 
3909 /*
3910  * get_bypass_addresses() is used by the redirect-gateway bypass-x
3911  * functions to build a route bypass to selected DHCP/DNS servers,
3912  * so that outgoing packets to these servers don't end up in the tunnel.
3913  */
3914 
3915 #if defined(_WIN32)
3916 
3917 static void
3919 {
3920  if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3921  {
3922  add_bypass_address(rb, addr);
3923  }
3924 }
3925 
3926 static void
3927 add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3928 {
3929  while (iplist)
3930  {
3931  bool succeed = false;
3932  const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3933  if (succeed)
3934  {
3936  }
3937  iplist = iplist->Next;
3938  }
3939 }
3940 
3941 static void
3942 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3943 {
3944  struct gc_arena gc = gc_new();
3945  /*bool ret_bool = false;*/
3946 
3947  /* get full routing table */
3948  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3949 
3950  /* get the route which represents the default gateway */
3951  const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3952 
3953  if (row)
3954  {
3955  /* get the adapter which the default gateway is associated with */
3956  const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3957 
3958  /* get extra adapter info, such as DNS addresses */
3959  const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3960 
3961  /* Bypass DHCP server address */
3962  if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3963  {
3964  add_host_route_array(rb, &dgi->DhcpServer);
3965  }
3966 
3967  /* Bypass DNS server addresses */
3968  if ((flags & RG_BYPASS_DNS) && pai)
3969  {
3970  add_host_route_array(rb, &pai->DnsServerList);
3971  }
3972  }
3973 
3974  gc_free(&gc);
3975 }
3976 
3977 #else /* if defined(_WIN32) */
3978 
3979 static void
3980 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
3981 {
3982 }
3983 
3984 #endif /* if defined(_WIN32) */
3985 
3986 /*
3987  * Test if addr is reachable via a local interface (return ILA_LOCAL),
3988  * or if it needs to be routed via the default gateway (return
3989  * ILA_NONLOCAL). If the target platform doesn't implement this
3990  * function, return ILA_NOT_IMPLEMENTED.
3991  *
3992  * Used by redirect-gateway autolocal feature
3993  */
3994 
3995 #if defined(_WIN32)
3996 
3997 int
3998 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
3999 {
4000  struct gc_arena gc = gc_new();
4001  const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
4002  int ret = TLA_NONLOCAL;
4003 
4004  /* get full routing table */
4005  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4006  if (rt)
4007  {
4008  for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4009  {
4010  const MIB_IPFORWARDROW *row = &rt->table[i];
4011  const in_addr_t net = ntohl(row->dwForwardDest);
4012  const in_addr_t mask = ntohl(row->dwForwardMask);
4013  if (mask > nonlocal_netmask && (addr & mask) == net)
4014  {
4015  ret = TLA_LOCAL;
4016  break;
4017  }
4018  }
4019  }
4020 
4021  gc_free(&gc);
4022  return ret;
4023 }
4024 
4025 #else /* if defined(_WIN32) */
4026 
4027 int
4028 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4029 {
4030  if (rgi)
4031  {
4032  if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4033  {
4034  return TLA_LOCAL;
4035  }
4036  else
4037  {
4038  return TLA_NONLOCAL;
4039  }
4040  }
4041  return TLA_NOT_IMPLEMENTED;
4042 }
4043 
4044 #endif /* if defined(_WIN32) */
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3107
#define M_NONFATAL
Definition: error.h:99
#define RG_BYPASS_DNS
Definition: route.h:88
in_addr_t gateway
Definition: route.h:121
in_addr_t addr
Definition: route.h:142
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition: argv.c:466
static bool add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition: route.c:3101
struct route_gateway_address gateway
Definition: route.h:166
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition: run_command.c:195
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
unsigned int spec_flags
Definition: route.h:222
Definition: tun.h:155
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition: tun.c:4395
struct route_bypass bypass
Definition: route.h:71
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition: tun.c:4368
struct in6_addr ipv6
Definition: openvpn-msg.h:54
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, volatile int *signal_received, int ai_family, struct addrinfo **res)
Definition: socket.c:442
#define GETADDR_WARN_ON_SIGNAL
Definition: socket.h:476
static void print_route_option(const struct route_option *ro, int level)
Definition: route.c:1310
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition: route.c:204
in_addr_t network
Definition: route.h:119
#define LR_ERROR
Definition: route.c:1521
#define D_ROUTE
Definition: errlevel.h:80
#define RL_DID_LOCAL
Definition: route.h:208
static bool do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
Definition: route.c:2997
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition: argv.c:90
void add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1191
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:923
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, volatile int *signal_received)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition: socket.c:193
struct route_ipv6 * next
Definition: route.h:126
int n_bypass
Definition: route.h:56
unsigned int flags
Definition: route.h:66
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2896
void print_default_gateway(const int msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition: route.c:1336
#define M_INFO
Definition: errlevel.h:55
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition: route.c:124
void add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1566
static bool is_route_parm_defined(const char *parm)
Definition: route.c:190
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
unsigned int iflags
Definition: route.h:210
void check_subnet_conflict(const in_addr_t ip, const in_addr_t netmask, const char *prefix)
Definition: tun.c:536
struct in6_addr remote_host_ipv6
Definition: route.h:224
void print_route_options(const struct route_option_list *rol, int level)
Definition: route.c:1320
struct in6_addr remote_endpoint_ipv6
Definition: route.h:223
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition: route.c:1463
struct route_option * routes
Definition: route.h:95
static void clear_route_list(struct route_list *rl)
Definition: route.c:526
unsigned int flags
Definition: route.h:127
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition: route.c:2809
in_addr_t bypass[N_ROUTE_BYPASS]
Definition: route.h:57
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:149
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4586
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition: route.c:3861
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition: route.c:533
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition: route.c:1490
static in_addr_t netbits_to_netmask(const int netbits)
Definition: route.h:377
in_addr_t netmask
Definition: route.h:143
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition: route.c:2683
const char * metric
Definition: route.h:103
static char * iface
static void add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:942
#define RT_METRIC_DEFINED
Definition: route.h:115
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric)
Definition: route.c:511
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition: route.c:2592
#define RL_ROUTES_ADDED
Definition: route.h:209
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition: route.h:203
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
#define in_addr_t
Definition: config-msvc.h:103
#define dmsg(flags,...)
Definition: error.h:157
#define ROUTE_METHOD_SERVICE
Definition: route.h:43
struct route_gateway_info rgi
Definition: route.h:213
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition: route.h:207
static bool do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:3024
struct route_ipv6_gateway_info rgi6
Definition: route.h:227
const char * gateway
Definition: route.h:79
void * openvpn_net_ctx_t
Definition: networking.h:26
struct in6_addr network
Definition: route.h:128
struct route_ipv6_option * routes_ipv6
Definition: route.h:108
struct route_special_addr spec
Definition: route.h:212
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition: route.c:2635
#define ASSERT(x)
Definition: error.h:204
#define IA_NET_ORDER
Definition: socket.h:358
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition: route.c:174
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:2141
#define snprintf
Definition: config-msvc.h:96
static bool route_ipv6_match_host(const struct route_ipv6 *r6, const struct in6_addr *host)
Definition: route.c:735
unsigned int flags
Definition: route.h:228
struct tuntap_options options
Definition: tun.h:168
const struct route_option * option
Definition: route.h:118
#define N_ROUTE_BYPASS
Definition: route.h:55
struct route_ipv6 * routes_ipv6
Definition: route.h:229
void argv_msg(const int msglev, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition: argv.c:245
unsigned int flags
Definition: route.h:214
static void print_route(const struct route_ipv4 *r, int level)
Definition: route.c:1411
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition: route.c:93
#define LR_NOMATCH
Definition: route.c:1519
void netcmd_semaphore_lock(void)
Definition: win32.c:860
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition: buffer.h:1082
static bool add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3113
int add(int a, int b)
list flags
#define fail()
Definition: cmocka.h:1531
#define RG_ENABLE
Definition: route.h:84
#define WIN_ROUTE_PATH_SUFFIX
Definition: win32.h:38
#define RGI_NETMASK_DEFINED
Definition: route.h:148
unsigned int netbits
Definition: route.h:129
#define RT_ADDED
Definition: route.h:114
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition: route.c:1452
in_addr_t netmask
Definition: route.h:120
#define CLEAR(x)
Definition: basic.h:33
#define IPV4_INVALID_ADDR
Definition: socket.h:392
#define ROUTE_REF_GW
Definition: route.h:51
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2723
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:296
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition: tun.c:4644
#define TLA_NONLOCAL
Definition: route.h:342
#define RG_LOCAL
Definition: route.h:85
bool is_special_addr(const char *addr_str)
Definition: route.c:291
#define RGI_ON_LINK
Definition: route.h:152
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition: buffer.c:474
inet_address_t gateway
Definition: openvpn-msg.h:75
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:615
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
static void add_block_local(struct route_list *rl)
Definition: route.c:582
bool did_ifconfig_setup
Definition: tun.h:163
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition: route.c:1560
static DWORD InterfaceLuid(const char *iface_name, PNET_LUID luid)
Definition: interactive.c:547
struct gc_arena gc
Definition: route.h:216
#define RGI_ADDR_DEFINED
Definition: route.h:147
#define PACKAGE_NAME
Definition: config.h:730
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition: route.h:171
unsigned int iflags
Definition: route.h:220
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition: socket.c:2876
#define OPENVPN_STATE_ADD_ROUTES
Definition: manage.h:471
#define TLA_LOCAL
Definition: route.h:343
#define METRIC_NOT_USED
Definition: route.c:59
#define DEV_TYPE_TUN
Definition: proto.h:37
int type
Definition: tun.h:158
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1002
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:405
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1117
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2760
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition: route.c:1845
#define NETSH_PATH_SUFFIX
Definition: win32.h:37
#define ROUTE_DELETE_FIRST
Definition: route.h:50
unsigned int flags
Definition: route.h:153
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1257
static void gc_freeaddrinfo_callback(void *addr)
Definition: buffer.h:202
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition: route.c:221
#define RT_DEFINED
Definition: route.h:113
struct gc_arena gc
Definition: route.h:230
#define RG_DEF1
Definition: route.h:86
#define RTSA_DEFAULT_METRIC
Definition: route.h:65
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition: route.c:1432
DWORD adapter_index
Definition: route.h:134
in_addr_t remote_endpoint
Definition: route.h:68
struct in6_addr addr_ipv6
Definition: route.h:175
#define RG_BYPASS_DHCP
Definition: route.h:87
#define ROUTE_METHOD_MASK
Definition: route.h:44
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition: route.c:3119
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition: route.c:165
const char * netmask
Definition: route.h:78
DWORD adapter_index
Definition: route.h:157
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition: route.c:437
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition: route.c:540
unsigned int flags
Definition: route.h:117
bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, ack_message_t *ack, const char *context)
Definition: win32.c:1398
#define M_ERRNO
Definition: error.h:103
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:519
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define GETADDR_HOST_ORDER
Definition: socket.h:473
char * get_win_sys_path(void)
Definition: win32.c:1115
DWORD adapter_index
Definition: tun.h:195
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric)
Definition: route.c:493
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition: error.c:802
unsigned int flags
Definition: route.h:181
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition: tun.c:4501
int netmask_to_netbits2(in_addr_t netmask)
Definition: route.c:3892
#define RTSA_REMOTE_ENDPOINT
Definition: route.h:63
struct route_ipv4 * next
Definition: route.h:116
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition: route.c:3918
unsigned int flags
Definition: route.h:94
unsigned int flags
Definition: route.h:107
struct gc_arena * gc
Definition: route.h:109
struct in6_addr gateway
Definition: route.h:130
HANDLE msg_channel
Definition: tun.h:75
#define RTSA_REMOTE_HOST
Definition: route.h:64
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition: route.c:1524
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition: route.c:3998
bool did_ifconfig_ipv6_setup
Definition: tun.h:164
struct route_ipv6_gateway_address gateway
Definition: route.h:198
#define msg(flags,...)
Definition: error.h:153
#define RG_BLOCK_LOCAL
Definition: route.h:91
interface_t iface
Definition: openvpn-msg.h:76
int metric
Definition: route.h:131
const char * network
Definition: route.h:77
const char * metric
Definition: route.h:80
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
#define RG_REROUTE_GW
Definition: route.h:89
char name[256]
Definition: openvpn-msg.h:59
#define ROUTE_METHOD_IPAPI
Definition: route.h:41
#define ROUTE_METHOD_EXE
Definition: route.h:42
#define RG_AUTO_LOCAL
Definition: route.h:90
struct route_ipv6_option * next
Definition: route.h:100
void setenv_int(struct env_set *es, const char *name, int value)
Definition: env_set.c:269
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:98
void show_routes(int msglev)
Definition: route.c:3150
struct gc_arena * gc
Definition: route.h:96
bool add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition: route.c:2879
#define LR_MATCH
Definition: route.c:1520
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition: route.c:304
void netcmd_semaphore_release(void)
Definition: win32.c:876
const char * prefix
Definition: route.h:101
#define TUN_ADAPTER_INDEX_INVALID
Definition: tun.h:56
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition: route.c:3942
#define TLA_NOT_IMPLEMENTED
Definition: route.h:341
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:771
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2665
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:140
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition: tun.c:4599
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:2335
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition: tun.c:4677
static void add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:904
#define M_WARN
Definition: error.h:100
#define ROUTE_PATH
Definition: config.h:757
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition: route.c:3927
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, int msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition: socket.c:224
struct route_option * next
Definition: route.h:76
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
int remote_host_local
Definition: route.h:70
const char * gateway
Definition: route.h:102
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition: networking.h:44
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition: route.c:3125
#define ROUTE_METHOD_ADAPTIVE
Definition: route.h:40
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition: tun.c:4482
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition: route.c:551
#define BSTR(buf)
Definition: buffer.h:129
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition: route.c:158
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition: argv.c:104
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition: route.c:115
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:968
Definition: argv.h:35
char * actual_name
Definition: tun.h:170
struct route_ipv4 * routes
Definition: route.h:215
static SERVICE_STATUS status
Definition: interactive.c:56
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition: route.c:2569
static bool do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition: route.c:3055
#define GETADDR_RESOLVE
Definition: socket.h:471
static void redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:994
#define IPV4_NETMASK_HOST
Definition: basic.h:35
in_addr_t remote_host
Definition: route.h:69
uint8_t hwaddr[6]
Definition: route.h:195
int default_metric
Definition: route.h:225
#define D_ROUTE_DEBUG
Definition: errlevel.h:129
static const char * show_opt(const char *option)
Definition: route.c:1297
void add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition: route.c:1868
#define RGI_IFACE_DEFINED
Definition: route.h:150
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
#define DEV_TYPE_TAP
Definition: proto.h:38
int default_metric
Definition: route.h:72
void print_routes(const struct route_list *rl, int level)
Definition: route.c:1422
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition: route.c:2606
bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition: route.c:2961
int metric
Definition: route.h:122
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition: argv.c:442