OpenVPN
route.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23/*
24 * Support routines for adding/deleting network routes.
25 */
26#include <stddef.h>
27#include <stdbool.h>
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#include "syshead.h"
34
35#include "common.h"
36#include "error.h"
37#include "route.h"
38#include "run_command.h"
39#include "socket.h"
40#include "manage.h"
41#include "win32.h"
42#include "options.h"
43#include "networking.h"
44#include "integer.h"
45
46#include "memdbg.h"
47
48#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50#endif
51
52#if defined(TARGET_NETBSD)
53#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54#endif
55
56#ifdef _WIN32
57#include "openvpn-msg.h"
58
59#define METRIC_NOT_USED ((DWORD)-1)
60static int add_route_service(const struct route_ipv4 *, const struct tuntap *);
61
62static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63
64static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65
66static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67
68static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
69
70static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt,
71 DWORD adapter_index);
72
73static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
74
75
76#endif
77
78static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
79 const struct route_gateway_info *rgi, const struct env_set *es,
80 openvpn_net_ctx_t *ctx);
81
82static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
83
84#ifdef ENABLE_DEBUG
85
86static void
87print_bypass_addresses(const struct route_bypass *rb)
88{
89 struct gc_arena gc = gc_new();
90 int i;
91 for (i = 0; i < rb->n_bypass; ++i)
92 {
93 msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc));
94 }
95 gc_free(&gc);
96}
97
98#endif
99
100/* Route addition return status codes */
101#define RTA_ERROR 0 /* route addition failed */
102#define RTA_SUCCESS 1 /* route addition succeeded */
103#define RTA_EEXIST 2 /* route not added as it already exists */
104
105#ifndef TARGET_ANDROID
106static bool
107add_bypass_address(struct route_bypass *rb, const in_addr_t a)
108{
109 int i;
110 for (i = 0; i < rb->n_bypass; ++i)
111 {
112 if (a == rb->bypass[i]) /* avoid duplicates */
113 {
114 return true;
115 }
116 }
117 if (rb->n_bypass < N_ROUTE_BYPASS)
118 {
119 rb->bypass[rb->n_bypass++] = a;
120 return true;
121 }
122 else
123 {
124 return false;
125 }
126}
127#endif
128
129struct route_option_list *
130new_route_option_list(struct gc_arena *a)
131{
132 struct route_option_list *ret;
133 ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
134 ret->gc = a;
135 return ret;
136}
137
138struct route_ipv6_option_list *
139new_route_ipv6_option_list(struct gc_arena *a)
140{
141 struct route_ipv6_option_list *ret;
142 ALLOC_OBJ_CLEAR_GC(ret, struct route_ipv6_option_list, a);
143 ret->gc = a;
144 return ret;
145}
146
147/*
148 * NOTE: structs are cloned/copied shallow by design.
149 * The routes list from src will stay intact since it is allocated using
150 * the options->gc. The cloned/copied lists will share this common tail
151 * to avoid copying the data around between pulls. Pulled routes use
152 * the c2->gc so they get freed immediately after a reconnect.
153 */
154struct route_option_list *
155clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
156{
157 struct route_option_list *ret;
158 ALLOC_OBJ_GC(ret, struct route_option_list, a);
159 *ret = *src;
160 return ret;
161}
162
163struct route_ipv6_option_list *
164clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
165{
166 struct route_ipv6_option_list *ret;
167 ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
168 *ret = *src;
169 return ret;
170}
171
172void
173copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
174 struct gc_arena *a)
175{
176 *dest = *src;
177 dest->gc = a;
178}
179
180void
181copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
182 const struct route_ipv6_option_list *src, struct gc_arena *a)
183{
184 *dest = *src;
185 dest->gc = a;
186}
187
188static const char *
189route_string(const struct route_ipv4 *r, struct gc_arena *gc)
190{
191 struct buffer out = alloc_buf_gc(256, gc);
192 buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc),
193 print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc));
194 if (r->flags & RT_METRIC_DEFINED)
195 {
196 buf_printf(&out, " metric %d", r->metric);
197 }
198 return BSTR(&out);
199}
200
201static bool
202is_route_parm_defined(const char *parm)
203{
204 if (!parm)
205 {
206 return false;
207 }
208 if (!strcmp(parm, "default"))
209 {
210 return false;
211 }
212 return true;
213}
214
215static void
216setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
217{
218 struct gc_arena gc = gc_new();
219 struct buffer name = alloc_buf_gc(256, &gc);
220 if (i >= 0)
221 {
222 buf_printf(&name, "route_%s_%d", key, i);
223 }
224 else
225 {
226 buf_printf(&name, "route_%s", key);
227 }
228 setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
229 gc_free(&gc);
230}
231
232static bool
233get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
234{
235 if (status)
236 {
237 *status = true;
238 }
239 if (!strcmp(string, "vpn_gateway"))
240 {
241 if (rl)
242 {
243 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
244 {
245 *out = rl->spec.remote_endpoint;
246 }
247 else
248 {
249 msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
250 if (status)
251 {
252 *status = false;
253 }
254 }
255 }
256 return true;
257 }
258 else if (!strcmp(string, "net_gateway"))
259 {
260 if (rl)
261 {
262 if (rl->ngi.flags & RGI_ADDR_DEFINED)
263 {
264 *out = rl->ngi.gateway.addr;
265 }
266 else
267 {
268 msg(M_INFO, PACKAGE_NAME
269 " ROUTE: net_gateway undefined -- unable to get default gateway from system");
270 if (status)
271 {
272 *status = false;
273 }
274 }
275 }
276 return true;
277 }
278 else if (!strcmp(string, "remote_host"))
279 {
280 if (rl)
281 {
282 if (rl->spec.flags & RTSA_REMOTE_HOST)
283 {
284 *out = rl->spec.remote_host;
285 }
286 else
287 {
288 msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
289 if (status)
290 {
291 *status = false;
292 }
293 }
294 }
295 return true;
296 }
297 return false;
298}
299
300bool
301is_special_addr(const char *addr_str)
302{
303 if (addr_str)
304 {
305 return get_special_addr(NULL, addr_str, NULL, NULL);
306 }
307 else
308 {
309 return false;
310 }
311}
312
313static bool
314init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro,
315 const struct route_list *rl)
316{
317 const in_addr_t default_netmask = IPV4_NETMASK_HOST;
318 bool status;
319 int ret;
320 struct in_addr special = { 0 };
321
322 CLEAR(*r);
323 r->option = ro;
324
325 /* network */
326 if (!is_route_parm_defined(ro->network))
327 {
328 goto fail;
329 }
330
331 /* get_special_addr replaces specialaddr with a special ip addr
332 * like gw. getaddrinfo is called to convert a a addrinfo struct */
333
334 if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status))
335 {
336 if (!status)
337 {
338 goto fail;
339 }
340 special.s_addr = htonl(special.s_addr);
341 char buf[INET_ADDRSTRLEN];
342 inet_ntop(AF_INET, &special, buf, sizeof(buf));
343 ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list);
344 }
345 else
346 {
347 ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0,
348 NULL, AF_INET, network_list);
349 }
350
351 status = (ret == 0);
352
353 if (!status)
354 {
355 goto fail;
356 }
357
358 /* netmask */
359
360 if (is_route_parm_defined(ro->netmask))
361 {
362 r->netmask =
363 getaddr(GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL);
364 if (!status)
365 {
366 goto fail;
367 }
368 }
369 else
370 {
371 r->netmask = default_netmask;
372 }
373
374 /* gateway */
375
376 if (is_route_parm_defined(ro->gateway))
377 {
378 if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
379 {
380 r->gateway = getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL,
381 ro->gateway, 0, &status, NULL);
382 }
383 if (!status)
384 {
385 goto fail;
386 }
387 }
388 else
389 {
390 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
391 {
392 r->gateway = rl->spec.remote_endpoint;
393 }
394 else
395 {
396 msg(M_WARN, PACKAGE_NAME
397 " ROUTE: " PACKAGE_NAME
398 " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
399 goto fail;
400 }
401 }
402
403 /* metric */
404
405 r->metric = 0;
406 if (is_route_parm_defined(ro->metric))
407 {
408 r->metric = atoi(ro->metric);
409 if (r->metric < 0)
410 {
411 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
412 ro->network, ro->metric);
413 goto fail;
414 }
415 r->flags |= RT_METRIC_DEFINED;
416 }
417 else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
418 {
419 r->metric = rl->spec.default_metric;
420 r->flags |= RT_METRIC_DEFINED;
421 }
422
423 r->flags |= RT_DEFINED;
424
425 /* routing table id */
426 r->table_id = ro->table_id;
427
428 return true;
429
430fail:
431 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
432 ro->network);
433 return false;
434}
435
436static bool
437init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o,
438 const struct route_ipv6_list *rl6)
439{
440 CLEAR(*r6);
441
442 if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN))
443 {
444 goto fail;
445 }
446
447 /* gateway */
448 if (is_route_parm_defined(r6o->gateway))
449 {
450 if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1)
451 {
452 msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway);
453 }
454 }
455 else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
456 {
457 r6->gateway = rl6->remote_endpoint_ipv6;
458 }
459
460 /* metric */
461
462 r6->metric = -1;
463 if (is_route_parm_defined(r6o->metric))
464 {
465 r6->metric = atoi(r6o->metric);
466 if (r6->metric < 0)
467 {
468 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
469 r6o->prefix, r6o->metric);
470 goto fail;
471 }
472 r6->flags |= RT_METRIC_DEFINED;
473 }
474 else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
475 {
476 r6->metric = rl6->default_metric;
477 r6->flags |= RT_METRIC_DEFINED;
478 }
479
480 r6->flags |= RT_DEFINED;
481
482 /* routing table id */
483 r6->table_id = r6o->table_id;
484
485 return true;
486
487fail:
488 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
489 r6o->prefix);
490 return false;
491}
492
493void
494add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
495 const char *gateway, const char *metric, int table_id)
496{
497 struct route_option *ro;
498 ALLOC_OBJ_GC(ro, struct route_option, l->gc);
499 ro->network = network;
500 ro->netmask = netmask;
501 ro->gateway = gateway;
502 ro->metric = metric;
503 ro->table_id = table_id;
504 ro->next = l->routes;
505 l->routes = ro;
506}
507
508void
509add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
510 const char *gateway, const char *metric, int table_id)
511{
512 struct route_ipv6_option *ro;
513 ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
514 ro->prefix = prefix;
515 ro->gateway = gateway;
516 ro->metric = metric;
517 ro->table_id = table_id;
518 ro->next = l->routes_ipv6;
519 l->routes_ipv6 = ro;
520}
521
522static void
523clear_route_list(struct route_list *rl)
524{
525 gc_free(&rl->gc);
526 CLEAR(*rl);
527}
528
529static void
530clear_route_ipv6_list(struct route_ipv6_list *rl6)
531{
532 gc_free(&rl6->gc);
533 CLEAR(*rl6);
534}
535
536void
537route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
538{
539 ASSERT(rl);
540 rl->spec.remote_endpoint = addr;
541 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
542 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
543}
544
545static void
546add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway,
547 in_addr_t target)
548{
549 if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
550 {
551 struct route_ipv4 *r1, *r2;
552 unsigned int l2;
553
554 ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
555 ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
556
557 /* split a route into two smaller blocking routes, and direct them to target */
558 l2 = ((~gateway->netmask) + 1) >> 1;
559 r1->flags = RT_DEFINED;
560 r1->gateway = target;
561 r1->network = gateway->addr & gateway->netmask;
562 r1->netmask = ~(l2 - 1);
563 r1->next = rl->routes;
564 rl->routes = r1;
565
566 *r2 = *r1;
567 r2->network += l2;
568 r2->next = rl->routes;
569 rl->routes = r2;
570 }
571}
572
573static void
574add_block_local_routes(struct route_list *rl)
575{
576#ifndef TARGET_ANDROID
577 /* add bypass for gateway addr */
578 add_bypass_address(&rl->spec.bypass, rl->rgi.gateway.addr);
579#endif
580
581 /* block access to local subnet */
582 add_block_local_item(rl, &rl->rgi.gateway, rl->spec.remote_endpoint);
583
584 /* process additional subnets on gateway interface */
585 for (size_t i = 0; i < rl->rgi.n_addrs; ++i)
586 {
587 const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
588 /* omit the add/subnet in &rl->rgi which we processed above */
589 if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
590 && rl->rgi.gateway.netmask == gwa->netmask))
591 {
592 add_block_local_item(rl, gwa, rl->spec.remote_endpoint);
593 }
594 }
595}
596
597bool
598block_local_needed(const struct route_list *rl)
599{
600 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
601 return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed
602 && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL;
603}
604
605bool
606init_route_list(struct route_list *rl, const struct route_option_list *opt,
607 const char *remote_endpoint, int default_metric, in_addr_t remote_host,
608 struct env_set *es, openvpn_net_ctx_t *ctx)
609{
610 struct gc_arena gc = gc_new();
611 bool ret = true;
612
613 clear_route_list(rl);
614
615 rl->flags = opt->flags;
616
617 if (remote_host != IPV4_INVALID_ADDR)
618 {
619 rl->spec.remote_host = remote_host;
620 rl->spec.flags |= RTSA_REMOTE_HOST;
621 }
622
623 if (default_metric)
624 {
625 rl->spec.default_metric = default_metric;
626 rl->spec.flags |= RTSA_DEFAULT_METRIC;
627 }
628
629 get_default_gateway(&rl->ngi, INADDR_ANY, ctx);
630 if (rl->ngi.flags & RGI_ADDR_DEFINED)
631 {
632 setenv_route_addr(es, "net_gateway", rl->ngi.gateway.addr, -1);
633#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
634 print_default_gateway(D_ROUTE, &rl->rgi, NULL);
635#endif
636 }
637 else
638 {
639 dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
640 }
641
642 get_default_gateway(&rl->rgi, remote_host != IPV4_INVALID_ADDR ? remote_host : INADDR_ANY, ctx);
643
644 if (rl->spec.flags & RTSA_REMOTE_HOST)
645 {
646 rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
647 }
648
649 if (is_route_parm_defined(remote_endpoint))
650 {
651 bool defined = false;
652 rl->spec.remote_endpoint =
653 getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint,
654 0, &defined, NULL);
655
656 if (defined)
657 {
658 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
659 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
660 }
661 else
662 {
663 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
664 remote_endpoint);
665 ret = false;
666 }
667 }
668
669 if (rl->flags & RG_ENABLE)
670 {
671 if (block_local_needed(rl))
672 {
673 add_block_local_routes(rl);
674 }
675 get_bypass_addresses(&rl->spec.bypass, rl->flags);
676#ifdef ENABLE_DEBUG
677 print_bypass_addresses(&rl->spec.bypass);
678#endif
679 }
680
681 /* parse the routes from opt to rl */
682 {
683 struct route_option *ro;
684 for (ro = opt->routes; ro; ro = ro->next)
685 {
686 struct addrinfo *netlist = NULL;
687 struct route_ipv4 r;
688
689 if (!init_route(&r, &netlist, ro, rl))
690 {
691 ret = false;
692 }
693 else
694 {
695 struct addrinfo *curele;
696 for (curele = netlist; curele; curele = curele->ai_next)
697 {
698 struct route_ipv4 *new;
699 ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
700 *new = r;
701 new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
702 new->next = rl->routes;
703 rl->routes = new;
704 }
705 }
706 if (netlist)
707 {
708 gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
709 }
710 }
711 }
712
713 gc_free(&gc);
714 return ret;
715}
716
717bool
718ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
719{
720 /* not the most beautiful implementation in the world, but portable and
721 * "good enough" */
722 if (bits > 128)
723 {
724 return false;
725 }
726
727 int i;
728 for (i = 0; bits >= 8; i++, bits -= 8)
729 {
730 if (network->s6_addr[i] != host->s6_addr[i])
731 {
732 return false;
733 }
734 }
735
736 if (bits == 0)
737 {
738 return true;
739 }
740
741 unsigned int mask = 0xff << (8 - bits);
742
743 if ((network->s6_addr[i] & mask) == (host->s6_addr[i] & mask))
744 {
745 return true;
746 }
747
748 return false;
749}
750
751bool
752init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
753 const char *remote_endpoint, int default_metric,
754 const struct in6_addr *remote_host_ipv6, struct env_set *es,
755 openvpn_net_ctx_t *ctx)
756{
757 struct gc_arena gc = gc_new();
758 bool ret = true;
759 bool need_remote_ipv6_route;
760
761 clear_route_ipv6_list(rl6);
762
763 rl6->flags = opt6->flags;
764
765 if (remote_host_ipv6)
766 {
767 rl6->remote_host_ipv6 = *remote_host_ipv6;
768 rl6->spec_flags |= RTSA_REMOTE_HOST;
769 }
770
771 if (default_metric >= 0)
772 {
773 rl6->default_metric = default_metric;
774 rl6->spec_flags |= RTSA_DEFAULT_METRIC;
775 }
776
777 msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
778 remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a");
779
780 get_default_gateway_ipv6(&rl6->ngi6, NULL, ctx);
781 if (rl6->ngi6.flags & RGI_ADDR_DEFINED)
782 {
783 setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->ngi6.gateway.addr_ipv6, 0, &gc));
784#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
785 print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
786#endif
787 }
788 else
789 {
790 dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
791 }
792
793 get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
794
795 if (is_route_parm_defined(remote_endpoint))
796 {
797 if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1)
798 {
799 rl6->spec_flags |= RTSA_REMOTE_ENDPOINT;
800 }
801 else
802 {
803 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s",
804 remote_endpoint);
805 ret = false;
806 }
807 }
808
809 /* parse the routes from opt6 to rl6
810 * discovering potential overlaps with remote_host_ipv6 in the process
811 */
812 need_remote_ipv6_route = false;
813
814 {
815 struct route_ipv6_option *ro6;
816 for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
817 {
818 struct route_ipv6 *r6;
819 ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
820 if (!init_route_ipv6(r6, ro6, rl6))
821 {
822 ret = false;
823 }
824 else
825 {
826 r6->next = rl6->routes_ipv6;
827 rl6->routes_ipv6 = r6;
828
829#ifndef TARGET_ANDROID
830 /* On Android the VPNService protect function call will take of
831 * avoiding routing loops, so ignore this part and let
832 * need_remote_ipv6_route always evaluate to false
833 */
834 if (remote_host_ipv6
835 && ipv6_net_contains_host(&r6->network, r6->netbits, remote_host_ipv6))
836 {
837 need_remote_ipv6_route = true;
838 msg(D_ROUTE,
839 "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
840 print_in6_addr(r6->network, 0, &gc), r6->netbits,
841 print_in6_addr(*remote_host_ipv6, 0, &gc));
842 }
843#endif
844 }
845 }
846 }
847
848 /* add VPN server host route if needed */
849 if (need_remote_ipv6_route)
850 {
851 if ((rl6->rgi6.flags & (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
852 == (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
853 {
854 struct route_ipv6 *r6;
855 ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
856
857 r6->network = *remote_host_ipv6;
858 r6->netbits = 128;
859 if (!(rl6->rgi6.flags & RGI_ON_LINK))
860 {
861 r6->gateway = rl6->rgi6.gateway.addr_ipv6;
862 }
863 r6->metric = 1;
864#ifdef _WIN32
865 r6->adapter_index = rl6->rgi6.adapter_index;
866#else
867 r6->iface = rl6->rgi6.iface;
868#endif
869 r6->flags = RT_DEFINED | RT_METRIC_DEFINED;
870
871 r6->next = rl6->routes_ipv6;
872 rl6->routes_ipv6 = r6;
873 }
874 else
875 {
876 msg(M_WARN,
877 "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n");
878 }
879 }
880
881 gc_free(&gc);
882 return ret;
883}
884
885static bool
886add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
887 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
888 openvpn_net_ctx_t *ctx)
889{
890 struct route_ipv4 r;
891 CLEAR(r);
892 r.flags = RT_DEFINED;
893 r.network = network;
894 r.netmask = netmask;
895 r.gateway = gateway;
896 return add_route(&r, tt, flags, rgi, es, ctx);
897}
898
899static void
900del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
901 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
902 openvpn_net_ctx_t *ctx)
903{
904 struct route_ipv4 r;
905 CLEAR(r);
906 r.flags = RT_DEFINED | RT_ADDED;
907 r.network = network;
908 r.netmask = netmask;
909 r.gateway = gateway;
910 delete_route(&r, tt, flags, rgi, es, ctx);
911}
912
913static bool
914add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
915 unsigned int flags, const struct route_gateway_info *rgi,
916 const struct env_set *es, openvpn_net_ctx_t *ctx)
917{
918 int ret = true;
919 for (int i = 0; i < rb->n_bypass; ++i)
920 {
921 if (rb->bypass[i])
922 {
923 ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW,
924 rgi, es, ctx)
925 && ret;
926 }
927 }
928 return ret;
929}
930
931static void
932del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
933 unsigned int flags, const struct route_gateway_info *rgi,
934 const struct env_set *es, openvpn_net_ctx_t *ctx)
935{
936 int i;
937 for (i = 0; i < rb->n_bypass; ++i)
938 {
939 if (rb->bypass[i])
940 {
941 del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es,
942 ctx);
943 }
944 }
945}
946
947static bool
948redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
949 const struct env_set *es, openvpn_net_ctx_t *ctx)
950{
951 const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
952 bool ret = true;
953
954 if (rl && rl->flags & RG_ENABLE)
955 {
956 bool local = rl->flags & RG_LOCAL;
957
958 if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
959 {
960 msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
961 ret = false;
962 }
963 /*
964 * check if a default route is defined, unless:
965 * - we are connecting to a remote host in our network
966 * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
967 */
968 else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
969 && (rl->spec.flags & RTSA_REMOTE_HOST))
970 {
971 msg(M_WARN, "%s Cannot read current default gateway from system", err);
972 ret = false;
973 }
974 else
975 {
976#ifndef TARGET_ANDROID
977 if (rl->flags & RG_AUTO_LOCAL)
978 {
979 const int tla = rl->spec.remote_host_local;
980 if (tla == TLA_NONLOCAL)
981 {
982 dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
983 local = false;
984 }
985 else if (tla == TLA_LOCAL)
986 {
987 dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
988 local = true;
989 }
990 }
991 if (!local)
992 {
993 /* route remote host to original default gateway */
994 /* if remote_host is not ipv4 (ie: ipv6), just skip
995 * adding this special /32 route */
996 if ((rl->spec.flags & RTSA_REMOTE_HOST)
997 && rl->spec.remote_host != IPV4_INVALID_ADDR)
998 {
999 ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr,
1000 tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1001 if (ret)
1002 {
1003 rl->iflags |= RL_DID_LOCAL;
1004 }
1005 }
1006 else
1007 {
1008 dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1009 }
1010 }
1011#endif /* ifndef TARGET_ANDROID */
1012
1013 /* route DHCP/DNS server traffic through original default gateway */
1014 ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es,
1015 ctx)
1016 && ret;
1017
1018 if (rl->flags & RG_REROUTE_GW)
1019 {
1020 if (rl->flags & RG_DEF1)
1021 {
1022 /* add new default route (1st component) */
1023 ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1024 &rl->rgi, es, ctx)
1025 && ret;
1026
1027 /* add new default route (2nd component) */
1028 ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1029 &rl->rgi, es, ctx)
1030 && ret;
1031 }
1032 else
1033 {
1034 /* don't try to remove the def route if it does not exist */
1035 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1036 {
1037 /* delete default route */
1038 del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi,
1039 es, ctx);
1040 }
1041
1042 /* add new default route */
1043 ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx)
1044 && ret;
1045 }
1046 }
1047
1048 /* set a flag so we can undo later */
1049 rl->iflags |= RL_DID_REDIRECT_DEFAULT_GATEWAY;
1050 }
1051 }
1052 return ret;
1053}
1054
1055static void
1056undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
1057 unsigned int flags, const struct env_set *es,
1058 openvpn_net_ctx_t *ctx)
1059{
1060 if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1061 {
1062 /* delete remote host route */
1063 if (rl->iflags & RL_DID_LOCAL)
1064 {
1065 del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt,
1066 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1067 rl->iflags &= ~RL_DID_LOCAL;
1068 }
1069
1070 /* delete special DHCP/DNS bypass route */
1071 del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx);
1072
1073 if (rl->flags & RG_REROUTE_GW)
1074 {
1075 if (rl->flags & RG_DEF1)
1076 {
1077 /* delete default route (1st component) */
1078 del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1079 es, ctx);
1080
1081 /* delete default route (2nd component) */
1082 del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1083 es, ctx);
1084 }
1085 else
1086 {
1087 /* delete default route */
1088 del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx);
1089 /* restore original default route if there was any */
1090 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1091 {
1092 add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es,
1093 ctx);
1094 }
1095 }
1096 }
1097
1098 rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY;
1099 }
1100}
1101
1102bool
1103add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1104 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1105{
1106 bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1107 if (rl && !(rl->iflags & RL_ROUTES_ADDED))
1108 {
1109 struct route_ipv4 *r;
1110
1111 if (rl->routes && !tt->did_ifconfig_setup)
1112 {
1113 msg(M_INFO,
1114 "WARNING: OpenVPN was configured to add an IPv4 "
1115 "route. However, no IPv4 has been configured for %s, "
1116 "therefore the route installation may fail or may not work "
1117 "as expected.",
1118 tt->actual_name);
1119 }
1120
1121#ifdef ENABLE_MANAGEMENT
1122 if (management && rl->routes)
1123 {
1124 management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL,
1125 NULL);
1126 }
1127#endif
1128
1129 for (r = rl->routes; r; r = r->next)
1130 {
1131 if (flags & ROUTE_DELETE_FIRST)
1132 {
1133 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1134 }
1135 ret = add_route(r, tt, flags, &rl->rgi, es, ctx) && ret;
1136 }
1137 rl->iflags |= RL_ROUTES_ADDED;
1138 }
1139 if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED))
1140 {
1141 struct route_ipv6 *r;
1142
1143 if (!tt->did_ifconfig_ipv6_setup)
1144 {
1145 msg(M_INFO,
1146 "WARNING: OpenVPN was configured to add an IPv6 "
1147 "route. However, no IPv6 has been configured for %s, "
1148 "therefore the route installation may fail or may not work "
1149 "as expected.",
1150 tt->actual_name);
1151 }
1152
1153 for (r = rl6->routes_ipv6; r; r = r->next)
1154 {
1155 if (flags & ROUTE_DELETE_FIRST)
1156 {
1157 delete_route_ipv6(r, tt, es, ctx);
1158 }
1159 ret = add_route_ipv6(r, tt, flags, es, ctx) && ret;
1160 }
1161 rl6->iflags |= RL_ROUTES_ADDED;
1162 }
1163
1164 return ret;
1165}
1166
1167void
1168delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1169 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1170{
1171 delete_routes_v4(rl, tt, flags, es, ctx);
1172 delete_routes_v6(rl6, tt, flags, es, ctx);
1173}
1174
1175void
1176delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
1177 const struct env_set *es, openvpn_net_ctx_t *ctx)
1178{
1179 if (rl && (rl->iflags & RL_ROUTES_ADDED))
1180 {
1181 struct route_ipv4 *r;
1182 for (r = rl->routes; r; r = r->next)
1183 {
1184 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1185 }
1186 rl->iflags &= ~RL_ROUTES_ADDED;
1187 }
1188
1189 undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1190
1191 if (rl)
1192 {
1193 clear_route_list(rl);
1194 }
1195}
1196
1197void
1198delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
1199 const struct env_set *es, openvpn_net_ctx_t *ctx)
1200{
1201 if (rl6 && (rl6->iflags & RL_ROUTES_ADDED))
1202 {
1203 struct route_ipv6 *r6;
1204 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1205 {
1206 delete_route_ipv6(r6, tt, es, ctx);
1207 }
1208 rl6->iflags &= ~RL_ROUTES_ADDED;
1209 }
1210
1211 if (rl6)
1212 {
1213 clear_route_ipv6_list(rl6);
1214 }
1215}
1216
1217#ifndef ENABLE_SMALL
1218
1219static const char *
1220show_opt(const char *option)
1221{
1222 if (!option)
1223 {
1224 return "default (not set)";
1225 }
1226 else
1227 {
1228 return option;
1229 }
1230}
1231
1232static void
1233print_route_option(const struct route_option *ro, msglvl_t msglevel)
1234{
1235 msg(msglevel, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask),
1236 show_opt(ro->gateway), show_opt(ro->metric));
1237}
1238
1239void
1240print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
1241{
1242 struct route_option *ro;
1243 if (rol->flags & RG_ENABLE)
1244 {
1245 msg(msglevel, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0);
1246 }
1247 for (ro = rol->routes; ro; ro = ro->next)
1248 {
1249 print_route_option(ro, msglevel);
1250 }
1251}
1252
1253void
1254print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi,
1255 const struct route_ipv6_gateway_info *rgi6)
1256{
1257 struct gc_arena gc = gc_new();
1258 if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1259 {
1260 struct buffer out = alloc_buf_gc(256, &gc);
1261 buf_printf(&out, "ROUTE_GATEWAY");
1262 if (rgi->flags & RGI_ON_LINK)
1263 {
1264 buf_printf(&out, " ON_LINK");
1265 }
1266 else
1267 {
1268 buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1269 }
1270 if (rgi->flags & RGI_NETMASK_DEFINED)
1271 {
1272 buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1273 }
1274#ifdef _WIN32
1275 if (rgi->flags & RGI_IFACE_DEFINED)
1276 {
1277 buf_printf(&out, " I=%lu", rgi->adapter_index);
1278 }
1279#else
1280 if (rgi->flags & RGI_IFACE_DEFINED)
1281 {
1282 buf_printf(&out, " IFACE=%s", rgi->iface);
1283 }
1284#endif
1285 if (rgi->flags & RGI_HWADDR_DEFINED)
1286 {
1287 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1288 }
1289 msg(msglevel, "%s", BSTR(&out));
1290 }
1291
1292 if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1293 {
1294 struct buffer out = alloc_buf_gc(256, &gc);
1295 buf_printf(&out, "ROUTE6_GATEWAY");
1296 buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1297 if (rgi6->flags & RGI_ON_LINK)
1298 {
1299 buf_printf(&out, " ON_LINK");
1300 }
1301 if (rgi6->flags & RGI_NETMASK_DEFINED)
1302 {
1303 buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1304 }
1305#ifdef _WIN32
1306 if (rgi6->flags & RGI_IFACE_DEFINED)
1307 {
1308 buf_printf(&out, " I=%lu", rgi6->adapter_index);
1309 }
1310#else
1311 if (rgi6->flags & RGI_IFACE_DEFINED)
1312 {
1313 buf_printf(&out, " IFACE=%s", rgi6->iface);
1314 }
1315#endif
1316 if (rgi6->flags & RGI_HWADDR_DEFINED)
1317 {
1318 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1319 }
1320 msg(msglevel, "%s", BSTR(&out));
1321 }
1322 gc_free(&gc);
1323}
1324
1325#endif /* ifndef ENABLE_SMALL */
1326
1327static void
1328print_route(const struct route_ipv4 *r, msglvl_t msglevel)
1329{
1330 struct gc_arena gc = gc_new();
1331 if (r->flags & RT_DEFINED)
1332 {
1333 msg(msglevel, "%s", route_string(r, &gc));
1334 }
1335 gc_free(&gc);
1336}
1337
1338void
1339print_routes(const struct route_list *rl, msglvl_t msglevel)
1340{
1341 struct route_ipv4 *r;
1342 for (r = rl->routes; r; r = r->next)
1343 {
1344 print_route(r, msglevel);
1345 }
1346}
1347
1348static void
1349setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1350{
1351 struct gc_arena gc = gc_new();
1352 if (r->flags & RT_DEFINED)
1353 {
1354 setenv_route_addr(es, "network", r->network, i);
1355 setenv_route_addr(es, "netmask", r->netmask, i);
1356 setenv_route_addr(es, "gateway", r->gateway, i);
1357
1358 if (r->flags & RT_METRIC_DEFINED)
1359 {
1360 struct buffer name = alloc_buf_gc(256, &gc);
1361 buf_printf(&name, "route_metric_%d", i);
1362 setenv_int(es, BSTR(&name), r->metric);
1363 }
1364 }
1365 gc_free(&gc);
1366}
1367
1368void
1369setenv_routes(struct env_set *es, const struct route_list *rl)
1370{
1371 int i = 1;
1372 struct route_ipv4 *r;
1373 for (r = rl->routes; r; r = r->next)
1374 {
1375 setenv_route(es, r, i++);
1376 }
1377}
1378
1379static void
1380setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1381{
1382 struct gc_arena gc = gc_new();
1383 if (r6->flags & RT_DEFINED)
1384 {
1385 struct buffer name1 = alloc_buf_gc(256, &gc);
1386 struct buffer val = alloc_buf_gc(256, &gc);
1387 struct buffer name2 = alloc_buf_gc(256, &gc);
1388
1389 buf_printf(&name1, "route_ipv6_network_%d", i);
1390 buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits);
1391 setenv_str(es, BSTR(&name1), BSTR(&val));
1392
1393 buf_printf(&name2, "route_ipv6_gateway_%d", i);
1394 setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc));
1395
1396 if (r6->flags & RT_METRIC_DEFINED)
1397 {
1398 struct buffer name3 = alloc_buf_gc(256, &gc);
1399 buf_printf(&name3, "route_ipv6_metric_%d", i);
1400 setenv_int(es, BSTR(&name3), r6->metric);
1401 }
1402 }
1403 gc_free(&gc);
1404}
1405void
1406setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1407{
1408 int i = 1;
1409 struct route_ipv6 *r6;
1410 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1411 {
1412 setenv_route_ipv6(es, r6, i++);
1413 }
1414}
1415
1416/*
1417 * local_route() determines whether the gateway of a provided host
1418 * route is on the same interface that owns the default gateway.
1419 * It uses the data structure
1420 * returned by get_default_gateway() (struct route_gateway_info)
1421 * to determine this. If the route is local, LR_MATCH is returned.
1422 * When adding routes into the kernel, if LR_MATCH is defined for
1423 * a given route, the route should explicitly reference the default
1424 * gateway interface as the route destination. For example, here
1425 * is an example on Linux that uses LR_MATCH:
1426 *
1427 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1428 *
1429 * This capability is needed by the "default-gateway block-local"
1430 * directive, to allow client access to the local subnet to be
1431 * blocked but still allow access to the local default gateway.
1432 */
1433
1434/* local_route() return values */
1435#define LR_NOMATCH 0 /* route is not local */
1436#define LR_MATCH 1 /* route is local */
1437#define LR_ERROR 2 /* caller should abort adding route */
1438
1439static int
1440local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway,
1441 const struct route_gateway_info *rgi)
1442{
1443 /* set LR_MATCH on local host routes */
1444 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED);
1445 if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr
1446 && netmask == 0xFFFFFFFF)
1447 {
1448 if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1449 {
1450 return LR_MATCH;
1451 }
1452 else
1453 {
1454 /* examine additional subnets on gateway interface */
1455 size_t i;
1456 for (i = 0; i < rgi->n_addrs; ++i)
1457 {
1458 const struct route_gateway_address *gwa = &rgi->addrs[i];
1459 if (((network ^ gwa->addr) & gwa->netmask) == 0)
1460 {
1461 return LR_MATCH;
1462 }
1463 }
1464 }
1465 }
1466 return LR_NOMATCH;
1467}
1468
1469/* Return true if the "on-link" form of the route should be used. This is when the gateway for
1470 * a route is specified as an interface rather than an address. */
1471#if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
1472static inline bool
1473is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1474{
1475 return rgi
1476 && (is_local_route == LR_MATCH
1477 || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1478}
1479#endif
1480
1481bool
1482add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
1483 const struct route_gateway_info *rgi, /* may be NULL */
1484 const struct env_set *es, openvpn_net_ctx_t *ctx)
1485{
1486 int status = 0;
1487 int is_local_route;
1488
1489 if (!(r->flags & RT_DEFINED))
1490 {
1491 return true; /* no error */
1492 }
1493
1494 struct argv argv = argv_new();
1495 struct gc_arena gc = gc_new();
1496
1497#if !defined(TARGET_LINUX)
1498 const char *network = print_in_addr_t(r->network, 0, &gc);
1499#if !defined(TARGET_AIX)
1500 const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1501#endif
1502 const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1503#endif
1504
1505 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1506 if (is_local_route == LR_ERROR)
1507 {
1508 goto done;
1509 }
1510
1511#if defined(TARGET_LINUX)
1512 const char *iface = NULL;
1513 int metric = -1;
1514
1515 if (is_on_link(is_local_route, flags, rgi))
1516 {
1517 iface = rgi->iface;
1518 }
1519
1520 if (r->flags & RT_METRIC_DEFINED)
1521 {
1522 metric = r->metric;
1523 }
1524
1525
1526 status = RTA_SUCCESS;
1527 int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway,
1528 iface, r->table_id, metric);
1529 if (ret == -EEXIST)
1530 {
1531 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1532 status = RTA_EEXIST;
1533 }
1534 else if (ret < 0)
1535 {
1536 msg(M_WARN, "ERROR: Linux route add command failed");
1537 status = RTA_ERROR;
1538 }
1539
1540#elif defined(TARGET_ANDROID)
1541 char out[128];
1542
1543 if (rgi)
1544 {
1545 snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1546 }
1547 else
1548 {
1549 snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1550 }
1551 bool ret = management_android_control(management, "ROUTE", out);
1552 status = ret ? RTA_SUCCESS : RTA_ERROR;
1553
1554#elif defined(_WIN32)
1555 {
1556 DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1557 argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
1558 network, netmask, gateway);
1559 if (r->flags & RT_METRIC_DEFINED)
1560 {
1561 argv_printf_cat(&argv, "METRIC %d", r->metric);
1562 }
1563 if (is_on_link(is_local_route, flags, rgi))
1564 {
1565 ai = rgi->adapter_index;
1566 argv_printf_cat(&argv, "IF %lu", ai);
1567 }
1568
1569 argv_msg(D_ROUTE, &argv);
1570
1571 const char *method = "service";
1572 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1573 {
1574 status = add_route_service(r, tt);
1575 }
1576 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1577 {
1578 status = add_route_ipapi(r, tt, ai);
1579 method = "ipapi";
1580 }
1581 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1582 {
1583 netcmd_semaphore_lock();
1584 bool ret =
1585 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1586 status = ret ? RTA_SUCCESS : RTA_ERROR;
1587 netcmd_semaphore_release();
1588 method = "route.exe";
1589 }
1590 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1591 {
1592 status = add_route_ipapi(r, tt, ai);
1593 method = "ipapi [adaptive]";
1594 if (status == RTA_ERROR)
1595 {
1596 msg(D_ROUTE, "Route addition fallback to route.exe");
1597 netcmd_semaphore_lock();
1598 bool ret = openvpn_execve_check(
1599 &argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1600 status = ret ? RTA_SUCCESS : RTA_ERROR;
1601 netcmd_semaphore_release();
1602 method = "route.exe";
1603 }
1604 }
1605 else
1606 {
1607 ASSERT(0);
1608 }
1609 if (status != RTA_ERROR) /* error is logged upstream */
1610 {
1611 msg(D_ROUTE, "Route addition via %s %s", method,
1612 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
1613 }
1614 }
1615
1616#elif defined(TARGET_SOLARIS)
1617
1618 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1619
1620 argv_printf(&argv, "%s add", ROUTE_PATH);
1621
1622 argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway);
1623
1624 /* Solaris can only distinguish between "metric 0" == "on-link on the
1625 * interface where the IP address given is configured" and "metric > 0"
1626 * == "use gateway specified" (no finer-grained route metrics available)
1627 *
1628 * More recent versions of Solaris can also do "-interface", but that
1629 * would break backwards compatibility with older versions for no gain.
1630 */
1631 if (r->flags & RT_METRIC_DEFINED)
1632 {
1633 argv_printf_cat(&argv, "%d", r->metric);
1634 }
1635
1636 argv_msg(D_ROUTE, &argv);
1637 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1638 status = ret ? RTA_SUCCESS : RTA_ERROR;
1639
1640#elif defined(TARGET_FREEBSD)
1641
1642 argv_printf(&argv, "%s add", ROUTE_PATH);
1643
1644#if 0
1645 if (r->flags & RT_METRIC_DEFINED)
1646 {
1647 argv_printf_cat(&argv, "-rtt %d", r->metric);
1648 }
1649#endif
1650
1651 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1652
1653 /* FIXME -- add on-link support for FreeBSD */
1654
1655 argv_msg(D_ROUTE, &argv);
1656 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1657 status = ret ? RTA_SUCCESS : RTA_ERROR;
1658
1659#elif defined(TARGET_DRAGONFLY)
1660
1661 argv_printf(&argv, "%s add", ROUTE_PATH);
1662
1663#if 0
1664 if (r->flags & RT_METRIC_DEFINED)
1665 {
1666 argv_printf_cat(&argv, "-rtt %d", r->metric);
1667 }
1668#endif
1669
1670 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1671
1672 /* FIXME -- add on-link support for Dragonfly */
1673
1674 argv_msg(D_ROUTE, &argv);
1675 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1676 status = ret ? RTA_SUCCESS : RTA_ERROR;
1677
1678#elif defined(TARGET_DARWIN)
1679
1680 argv_printf(&argv, "%s add", ROUTE_PATH);
1681
1682#if 0
1683 if (r->flags & RT_METRIC_DEFINED)
1684 {
1685 argv_printf_cat(&argv, "-rtt %d", r->metric);
1686 }
1687#endif
1688
1689 if (is_on_link(is_local_route, flags, rgi))
1690 {
1691 /* Mac OS X route syntax for ON_LINK:
1692 * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1693 argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask,
1694 rgi->iface);
1695 }
1696 else
1697 {
1698 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1699 }
1700
1701 argv_msg(D_ROUTE, &argv);
1702 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1703 status = ret ? RTA_SUCCESS : RTA_ERROR;
1704
1705#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1706
1707 argv_printf(&argv, "%s add", ROUTE_PATH);
1708
1709#if 0
1710 if (r->flags & RT_METRIC_DEFINED)
1711 {
1712 argv_printf_cat(&argv, "-rtt %d", r->metric);
1713 }
1714#endif
1715
1716 argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);
1717
1718 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1719
1720 argv_msg(D_ROUTE, &argv);
1721 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1722 status = ret ? RTA_SUCCESS : RTA_ERROR;
1723
1724#elif defined(TARGET_AIX)
1725
1726 {
1727 int netbits = netmask_to_netbits2(r->netmask);
1728 argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
1729 argv_msg(D_ROUTE, &argv);
1730 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1731 status = ret ? RTA_SUCCESS : RTA_ERROR;
1732 }
1733
1734#elif defined(TARGET_HAIKU)
1735
1736 /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
1737 argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
1738 gateway, netmask);
1739 argv_msg(D_ROUTE, &argv);
1740 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed");
1741 status = ret ? RTA_SUCCESS : RTA_ERROR;
1742
1743#else /* if defined(TARGET_LINUX) */
1744 msg(M_FATAL,
1745 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1746#endif /* if defined(TARGET_LINUX) */
1747
1748done:
1749 if (status == RTA_SUCCESS)
1750 {
1751 r->flags |= RT_ADDED;
1752 }
1753 else
1754 {
1755 r->flags &= ~RT_ADDED;
1756 }
1757 argv_free(&argv);
1758 gc_free(&gc);
1759 /* release resources potentially allocated during route setup */
1760 net_ctx_reset(ctx);
1761
1762 return (status != RTA_ERROR);
1763}
1764
1765#if defined(__GNUC__) || defined(__clang__)
1766#pragma GCC diagnostic push
1767#pragma GCC diagnostic ignored "-Wconversion"
1768#endif
1769
1770void
1771route_ipv6_clear_host_bits(struct route_ipv6 *r6)
1772{
1773 /* clear host bit parts of route
1774 * (needed if routes are specified improperly, or if we need to
1775 * explicitly setup/clear the "connected" network routes on some OSes)
1776 */
1777 int byte = 15;
1778 int bits_to_clear = 128 - r6->netbits;
1779
1780 while (byte >= 0 && bits_to_clear > 0)
1781 {
1782 if (bits_to_clear >= 8)
1783 {
1784 r6->network.s6_addr[byte--] = 0;
1785 bits_to_clear -= 8;
1786 }
1787 else
1788 {
1789 r6->network.s6_addr[byte--] &= (0xff << bits_to_clear);
1790 bits_to_clear = 0;
1791 }
1792 }
1793}
1794
1795bool
1796add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags,
1797 const struct env_set *es, openvpn_net_ctx_t *ctx)
1798{
1799 int status = 0;
1800 bool gateway_needed = false;
1801
1802 if (!(r6->flags & RT_DEFINED))
1803 {
1804 return true; /* no error */
1805 }
1806
1807 struct argv argv = argv_new();
1808 struct gc_arena gc = gc_new();
1809
1810#ifndef _WIN32
1811 const char *device = tt->actual_name;
1812 if (r6->iface != NULL) /* vpn server special route */
1813 {
1814 device = r6->iface;
1815 if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1816 {
1817 gateway_needed = true;
1818 }
1819 }
1820#endif
1821
1822 route_ipv6_clear_host_bits(r6);
1823 const char *network = print_in6_addr(r6->network, 0, &gc);
1824 const char *gateway = print_in6_addr(r6->gateway, 0, &gc);
1825
1826#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1827 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1828
1829 /* the BSD platforms cannot specify gateway and interface independently,
1830 * but for link-local destinations, we MUST specify the interface, so
1831 * we build a combined "$gateway%$interface" gateway string
1832 */
1833 if (r6->iface != NULL && gateway_needed
1834 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
1835 {
1836 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
1837 char *tmp = gc_malloc(len, true, &gc);
1838 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
1839 gateway = tmp;
1840 }
1841#endif
1842
1843#ifndef _WIN32
1844 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway,
1845 r6->metric, device);
1846#else
1847 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway,
1848 r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index);
1849#endif
1850
1851 /*
1852 * Filter out routes which are essentially no-ops
1853 * (not currently done for IPv6)
1854 */
1855
1856 /* On "tun" interface, we never set a gateway if the operating system
1857 * can do "route to interface" - it does not add value, as the target
1858 * dev already fully qualifies the route destination on point-to-point
1859 * interfaces. OTOH, on "tap" interface, we must always set the
1860 * gateway unless the route is to be an on-link network
1861 */
1862 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
1863 {
1864 gateway_needed = true;
1865 }
1866
1867 if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1868 {
1869 msg(M_WARN,
1870 "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1871 "parameter for a --route-ipv6 option and no default was set via "
1872 "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1873 "IPv6 route to %s/%d.",
1874 network, r6->netbits);
1875 status = 0;
1876 goto done;
1877 }
1878
1879#if defined(TARGET_LINUX)
1880 int metric = -1;
1881 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1882 {
1883 metric = r6->metric;
1884 }
1885
1886 status = RTA_SUCCESS;
1887 int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
1888 device, r6->table_id, metric);
1889 if (ret == -EEXIST)
1890 {
1891 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1892 status = RTA_EEXIST;
1893 }
1894 else if (ret < 0)
1895 {
1896 msg(M_WARN, "ERROR: Linux route add command failed");
1897 status = RTA_ERROR;
1898 }
1899
1900#elif defined(TARGET_ANDROID)
1901 char out[64];
1902
1903 snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1904
1905 status = management_android_control(management, "ROUTE6", out);
1906
1907#elif defined(_WIN32)
1908
1909 if (tt->options.msg_channel)
1910 {
1911 status = add_route_ipv6_service(r6, tt);
1912 }
1913 else
1914 {
1915 status = route_ipv6_ipapi(true, r6, tt);
1916 }
1917#elif defined(TARGET_SOLARIS)
1918
1919 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1920
1921 /* for some reason, routes to tun/tap do not work for me unless I set
1922 * "metric 0" - otherwise, the routes will be nicely installed, but
1923 * packets will just disappear somewhere. So we always use "0" now,
1924 * unless the route points to "gateway on other interface"...
1925 *
1926 * (Note: OpenSolaris can not specify host%interface gateways, so we just
1927 * use the GW addresses - it seems to still work for fe80:: addresses,
1928 * however this is done internally. NUD maybe?)
1929 */
1930 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1931
1932 /* on tun (not tap), not "elsewhere"? -> metric 0 */
1933 if (tt->type == DEV_TYPE_TUN && !r6->iface)
1934 {
1935 argv_printf_cat(&argv, "0");
1936 }
1937
1938 argv_msg(D_ROUTE, &argv);
1939 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
1940 status = ret ? RTA_SUCCESS : RTA_ERROR;
1941
1942#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1943
1944 argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
1945
1946 if (gateway_needed)
1947 {
1948 argv_printf_cat(&argv, "%s", gateway);
1949 }
1950 else
1951 {
1952 argv_printf_cat(&argv, "-iface %s", device);
1953 }
1954
1955 argv_msg(D_ROUTE, &argv);
1956 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
1957 status = ret ? RTA_SUCCESS : RTA_ERROR;
1958
1959#elif defined(TARGET_DARWIN)
1960
1961 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
1962
1963 if (gateway_needed)
1964 {
1965 argv_printf_cat(&argv, "%s", gateway);
1966 }
1967 else
1968 {
1969 argv_printf_cat(&argv, "-iface %s", device);
1970 }
1971
1972 argv_msg(D_ROUTE, &argv);
1973 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
1974 status = ret ? RTA_SUCCESS : RTA_ERROR;
1975
1976#elif defined(TARGET_OPENBSD)
1977
1978 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
1979 gateway);
1980
1981 argv_msg(D_ROUTE, &argv);
1982 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
1983 status = ret ? RTA_SUCCESS : RTA_ERROR;
1984
1985#elif defined(TARGET_NETBSD)
1986
1987 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1988
1989 argv_msg(D_ROUTE, &argv);
1990 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
1991 status = ret ? RTA_SUCCESS : RTA_ERROR;
1992
1993#elif defined(TARGET_AIX)
1994
1995 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1996 argv_msg(D_ROUTE, &argv);
1997 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1998 status = ret ? RTA_SUCCESS : RTA_ERROR;
1999
2000#elif defined(TARGET_HAIKU)
2001
2002 /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2003 argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2004 gateway, r6->netbits);
2005 argv_msg(D_ROUTE, &argv);
2006 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed");
2007 status = ret ? RTA_SUCCESS : RTA_ERROR;
2008
2009#else /* if defined(TARGET_LINUX) */
2010 msg(M_FATAL,
2011 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2012#endif /* if defined(TARGET_LINUX) */
2013
2014done:
2015 if (status == RTA_SUCCESS)
2016 {
2017 r6->flags |= RT_ADDED;
2018 }
2019 else
2020 {
2021 r6->flags &= ~RT_ADDED;
2022 }
2023 argv_free(&argv);
2024 gc_free(&gc);
2025 /* release resources potentially allocated during route setup */
2026 net_ctx_reset(ctx);
2027
2028 return (status != RTA_ERROR);
2029}
2030
2031static void
2032delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
2033 const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
2034{
2035#if !defined(TARGET_LINUX)
2036 const char *network;
2037#if !defined(TARGET_AIX)
2038 const char *netmask;
2039#endif
2040 const char *gateway;
2041#else /* if !defined(TARGET_LINUX) */
2042 int metric;
2043#endif
2044 int is_local_route;
2045
2046 if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2047 {
2048 return;
2049 }
2050
2051 struct gc_arena gc = gc_new();
2052 struct argv argv = argv_new();
2053
2054#if !defined(TARGET_LINUX)
2055 network = print_in_addr_t(r->network, 0, &gc);
2056#if !defined(TARGET_AIX)
2057 netmask = print_in_addr_t(r->netmask, 0, &gc);
2058#endif
2059 gateway = print_in_addr_t(r->gateway, 0, &gc);
2060#endif
2061
2062 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2063 if (is_local_route == LR_ERROR)
2064 {
2065 goto done;
2066 }
2067
2068#if defined(TARGET_LINUX)
2069 metric = -1;
2070 if (r->flags & RT_METRIC_DEFINED)
2071 {
2072 metric = r->metric;
2073 }
2074
2075 if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL,
2076 r->table_id, metric)
2077 < 0)
2078 {
2079 msg(M_WARN, "ERROR: Linux route delete command failed");
2080 }
2081#elif defined(_WIN32)
2082
2083 argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
2084 network, netmask, gateway);
2085
2086 argv_msg(D_ROUTE, &argv);
2087
2088 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2089 {
2090 const bool status = del_route_service(r, tt);
2091 msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2092 }
2093 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2094 {
2095 const bool status = del_route_ipapi(r, tt);
2096 msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2097 }
2098 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2099 {
2100 netcmd_semaphore_lock();
2101 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2102 netcmd_semaphore_release();
2103 }
2104 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2105 {
2106 const bool status = del_route_ipapi(r, tt);
2107 msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2108 if (!status)
2109 {
2110 msg(D_ROUTE, "Route deletion fallback to route.exe");
2111 netcmd_semaphore_lock();
2112 openvpn_execve_check(&argv, es, 0,
2113 "ERROR: Windows route delete command failed [adaptive]");
2114 netcmd_semaphore_release();
2115 }
2116 }
2117 else
2118 {
2119 ASSERT(0);
2120 }
2121
2122#elif defined(TARGET_SOLARIS)
2123
2124 argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway);
2125
2126 argv_msg(D_ROUTE, &argv);
2127 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2128
2129#elif defined(TARGET_FREEBSD)
2130
2131 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2132
2133 argv_msg(D_ROUTE, &argv);
2134 openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2135
2136#elif defined(TARGET_DRAGONFLY)
2137
2138 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2139
2140 argv_msg(D_ROUTE, &argv);
2141 openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2142
2143#elif defined(TARGET_DARWIN)
2144
2145 if (is_on_link(is_local_route, flags, rgi))
2146 {
2147 argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH,
2148 network, netmask, rgi->iface);
2149 }
2150 else
2151 {
2152 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2153 }
2154
2155 argv_msg(D_ROUTE, &argv);
2156 openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2157
2158#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2159
2160 argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask);
2161
2162 argv_msg(D_ROUTE, &argv);
2163 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2164
2165#elif defined(TARGET_ANDROID)
2166 /* Avoids the unused variables warnings that all other platforms use
2167 * by adding them to the error message. */
2168 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2169 "needed. The VpnService API allows routes to be set "
2170 "on connect only and will clean up automatically. "
2171 "Tried to delete route %s netmask %s gateway %s",
2172 network, netmask, gateway);
2173#elif defined(TARGET_AIX)
2174
2175 {
2176 int netbits = netmask_to_netbits2(r->netmask);
2177 argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
2178 argv_msg(D_ROUTE, &argv);
2179 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2180 }
2181
2182#elif defined(TARGET_HAIKU)
2183
2184 /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
2185 argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
2186 gateway, netmask);
2187 argv_msg(D_ROUTE, &argv);
2188 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
2189
2190#else /* if defined(TARGET_LINUX) */
2191 msg(M_FATAL,
2192 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2193#endif /* if defined(TARGET_LINUX) */
2194
2195done:
2196 r->flags &= ~RT_ADDED;
2197 argv_free(&argv);
2198 gc_free(&gc);
2199 /* release resources potentially allocated during route cleanup */
2200 net_ctx_reset(ctx);
2201}
2202
2203void
2204delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es,
2205 openvpn_net_ctx_t *ctx)
2206{
2207 const char *network;
2208
2209 if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2210 {
2211 return;
2212 }
2213
2214#if !defined(_WIN32)
2215#if !defined(TARGET_LINUX)
2216 const char *gateway;
2217#endif
2218#if !defined(TARGET_SOLARIS)
2219 bool gateway_needed = false;
2220 const char *device = tt->actual_name;
2221 if (r6->iface != NULL) /* vpn server special route */
2222 {
2223 device = r6->iface;
2224 gateway_needed = true;
2225 }
2226 (void)device; /* unused on some platforms */
2227
2228 /* if we used a gateway on "add route", we also need to specify it on
2229 * delete, otherwise some OSes will refuse to delete the route
2230 */
2231 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
2232 {
2233 gateway_needed = true;
2234 }
2235#endif
2236#endif
2237
2238 struct gc_arena gc = gc_new();
2239 struct argv argv = argv_new();
2240
2241 network = print_in6_addr(r6->network, 0, &gc);
2242#if !defined(TARGET_LINUX) && !defined(_WIN32)
2243 gateway = print_in6_addr(r6->gateway, 0, &gc);
2244#endif
2245
2246#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2247 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2248
2249 /* the BSD platforms cannot specify gateway and interface independently,
2250 * but for link-local destinations, we MUST specify the interface, so
2251 * we build a combined "$gateway%$interface" gateway string
2252 */
2253 if (r6->iface != NULL && gateway_needed
2254 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
2255 {
2256 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
2257 char *tmp = gc_malloc(len, true, &gc);
2258 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
2259 gateway = tmp;
2260 }
2261#endif
2262
2263 msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits);
2264
2265#if defined(TARGET_LINUX)
2266 int metric = -1;
2267 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2268 {
2269 metric = r6->metric;
2270 }
2271
2272 if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
2273 device, r6->table_id, metric)
2274 < 0)
2275 {
2276 msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2277 }
2278
2279#elif defined(_WIN32)
2280
2281 if (tt->options.msg_channel)
2282 {
2283 del_route_ipv6_service(r6, tt);
2284 }
2285 else
2286 {
2287 route_ipv6_ipapi(false, r6, tt);
2288 }
2289#elif defined(TARGET_SOLARIS)
2290
2291 /* example: route delete -inet6 2001:db8::/32 somegateway */
2292
2293 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2294
2295 argv_msg(D_ROUTE, &argv);
2296 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2297
2298#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2299
2300 argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
2301
2302 if (gateway_needed)
2303 {
2304 argv_printf_cat(&argv, "%s", gateway);
2305 }
2306 else
2307 {
2308 argv_printf_cat(&argv, "-iface %s", device);
2309 }
2310
2311 argv_msg(D_ROUTE, &argv);
2312 openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2313
2314#elif defined(TARGET_DARWIN)
2315
2316 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
2317
2318 if (gateway_needed)
2319 {
2320 argv_printf_cat(&argv, "%s", gateway);
2321 }
2322 else
2323 {
2324 argv_printf_cat(&argv, "-iface %s", device);
2325 }
2326
2327 argv_msg(D_ROUTE, &argv);
2328 openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2329
2330#elif defined(TARGET_OPENBSD)
2331
2332 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
2333 gateway);
2334
2335 argv_msg(D_ROUTE, &argv);
2336 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2337
2338#elif defined(TARGET_NETBSD)
2339
2340 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2341
2342 argv_msg(D_ROUTE, &argv);
2343 openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2344
2345#elif defined(TARGET_AIX)
2346
2347 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2348 argv_msg(D_ROUTE, &argv);
2349 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2350
2351#elif defined(TARGET_ANDROID)
2352 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2353 "needed. The VpnService API allows routes to be set "
2354 "on connect only and will clean up automatically. "
2355 "Tried to delete %s gateway %s",
2356 network,
2357 gateway_needed ? gateway : "(not needed)");
2358#elif defined(TARGET_HAIKU)
2359
2360 /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2361 argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2362 gateway, r6->netbits);
2363 argv_msg(D_ROUTE, &argv);
2364 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
2365
2366#else /* if defined(TARGET_LINUX) */
2367 msg(M_FATAL,
2368 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2369#endif /* if defined(TARGET_LINUX) */
2370
2371 argv_free(&argv);
2372 gc_free(&gc);
2373 /* release resources potentially allocated during route cleanup */
2374 net_ctx_reset(ctx);
2375}
2376
2377#if defined(__GNUC__) || defined(__clang__)
2378#pragma GCC diagnostic pop
2379#endif
2380
2381/*
2382 * The --redirect-gateway option requires OS-specific code below
2383 * to get the current default gateway.
2384 */
2385
2386#if defined(_WIN32)
2387
2388static const MIB_IPFORWARDTABLE *
2389get_windows_routing_table(struct gc_arena *gc)
2390{
2391 ULONG size = 0;
2392 PMIB_IPFORWARDTABLE rt = NULL;
2393 DWORD status;
2394
2395 status = GetIpForwardTable(NULL, &size, TRUE);
2396 if (status == ERROR_INSUFFICIENT_BUFFER)
2397 {
2398 rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc);
2399 status = GetIpForwardTable(rt, &size, TRUE);
2400 if (status != NO_ERROR)
2401 {
2402 msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2403 strerror_win32(status, gc), (unsigned int)status);
2404 rt = NULL;
2405 }
2406 }
2407 return rt;
2408}
2409
2410static int
2411test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
2412{
2413 int count = 0;
2414 DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2415 if (index)
2416 {
2417 *index = i;
2418 }
2419 return count;
2420}
2421
2422static void
2423test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters,
2424 const in_addr_t gateway)
2425{
2426 int c;
2427
2428 ++*count;
2429 c = test_route(adapters, gateway, NULL);
2430 if (c == 0)
2431 {
2432 *ret = false;
2433 }
2434 else
2435 {
2436 ++*good;
2437 }
2438 if (c > 1)
2439 {
2440 ++*ambig;
2441 }
2442}
2443
2444/*
2445 * If we tried to add routes now, would we succeed?
2446 */
2447bool
2448test_routes(const struct route_list *rl, const struct tuntap *tt)
2449{
2450 struct gc_arena gc = gc_new();
2451 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2452 bool ret = false;
2453 int count = 0;
2454 int good = 0;
2455 int ambig = 0;
2456 int len = -1;
2457 bool adapter_up = false;
2458
2459 if (is_adapter_up(tt, adapters))
2460 {
2461 ret = true;
2462 adapter_up = true;
2463
2464 /* we do this test only if we have IPv4 routes to install, and if
2465 * the tun/tap interface has seen IPv4 ifconfig - because if we
2466 * have no IPv4, the check will always fail, failing tun init
2467 */
2468 if (rl && tt->did_ifconfig_setup)
2469 {
2470 struct route_ipv4 *r;
2471 for (r = rl->routes, len = 0; r; r = r->next, ++len)
2472 {
2473 test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2474 }
2475
2476 if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2477 {
2478 test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2479 }
2480 }
2481 }
2482
2483 msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len,
2484 (int)ret, ambig, adapter_up ? "up" : "down");
2485
2486 gc_free(&gc);
2487 return ret;
2488}
2489
2490static const MIB_IPFORWARDROW *
2491get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2492{
2493 struct gc_arena gc = gc_new();
2494 DWORD lowest_metric = MAXDWORD;
2495 const MIB_IPFORWARDROW *ret = NULL;
2496 int best = -1;
2497
2498 if (routes)
2499 {
2500 for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2501 {
2502 const MIB_IPFORWARDROW *row = &routes->table[i];
2503 const in_addr_t net = ntohl(row->dwForwardDest);
2504 const in_addr_t mask = ntohl(row->dwForwardMask);
2505 const DWORD index = row->dwForwardIfIndex;
2506 const DWORD metric = row->dwForwardMetric1;
2507
2508 dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i,
2509 print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc),
2510 (int)index, (int)metric);
2511
2512 if (!net && !mask && metric < lowest_metric)
2513 {
2514 ret = row;
2515 lowest_metric = metric;
2516 best = i;
2517 }
2518 }
2519 }
2520
2521 dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2522
2523 gc_free(&gc);
2524 return ret;
2525}
2526
2538static DWORD
2539get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
2540{
2541 DWORD best_if_index;
2542 DWORD status;
2543
2544 CLEAR(*best_route);
2545
2546 /* get the best interface index to reach dest */
2547 status = GetBestInterfaceEx((struct sockaddr *)dest, &best_if_index);
2548 if (status != NO_ERROR)
2549 {
2550 msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2551 strerror_win32(status, gc), (unsigned int)status);
2552 goto done;
2553 }
2554
2555 msg(D_ROUTE_DEBUG, "GetBestInterfaceEx() returned if=%d", (int)best_if_index);
2556
2557 /* get the routing information (such as NextHop) for the destination and interface */
2558 NET_LUID luid;
2559 CLEAR(luid);
2560 SOCKADDR_INET best_src;
2561 CLEAR(best_src);
2562 status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src);
2563 if (status != NO_ERROR)
2564 {
2565 msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2566 strerror_win32(status, gc), (unsigned int)status);
2567 goto done;
2568 }
2569
2570done:
2571 return status;
2572}
2573
2574void
2575get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
2576{
2577 CLEAR(*rgi);
2578
2579 struct gc_arena gc = gc_new();
2580
2581 /* convert in_addr_t into SOCKADDR_INET */
2582 SOCKADDR_INET sa;
2583 CLEAR(sa);
2584 sa.si_family = AF_INET;
2585 sa.Ipv4.sin_addr.s_addr = htonl(dest);
2586
2587 /* get the best route to the destination */
2588 MIB_IPFORWARD_ROW2 best_route;
2589 CLEAR(best_route);
2590 DWORD status = get_best_route(&gc, &sa, &best_route);
2591 if (status != NO_ERROR)
2592 {
2593 goto done;
2594 }
2595
2596 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2597 rgi->gateway.addr = ntohl(best_route.NextHop.Ipv4.sin_addr.S_un.S_addr);
2598 rgi->adapter_index = best_route.InterfaceIndex;
2599
2600 if (rgi->gateway.addr == INADDR_ANY)
2601 {
2602 rgi->flags |= RGI_ON_LINK;
2603 }
2604
2605 /* get netmask and MAC address */
2606 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2607 const IP_ADAPTER_INFO *ai = get_adapter(adapters, rgi->adapter_index);
2608 if (ai)
2609 {
2610 memcpy(rgi->hwaddr, ai->Address, 6);
2611 rgi->flags |= RGI_HWADDR_DEFINED;
2612
2613 /* get netmask for non-onlink routes */
2614 in_addr_t nm = inet_addr(ai->IpAddressList.IpMask.String);
2615 if (!(rgi->flags & RGI_ON_LINK) && (nm != INADDR_NONE))
2616 {
2617 rgi->gateway.netmask = ntohl(nm);
2618 rgi->flags |= RGI_NETMASK_DEFINED;
2619 }
2620 }
2621
2622done:
2623 gc_free(&gc);
2624}
2625
2626static DWORD
2627windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2628{
2629 struct gc_arena gc = gc_new();
2630 DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2631 int count = 0;
2632 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2633 const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2634 bool on_tun = false;
2635
2636 /* first test on tun interface */
2637 if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2638 {
2639 ret = tun_adapter->Index;
2640 count = 1;
2641 on_tun = true;
2642 }
2643 else /* test on other interfaces */
2644 {
2645 count = test_route(adapters, r->gateway, &ret);
2646 }
2647
2648 if (count == 0)
2649 {
2650 msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2651 print_in_addr_t(r->gateway, 0, &gc));
2652 ret = TUN_ADAPTER_INDEX_INVALID;
2653 }
2654 else if (count > 1)
2655 {
2656 msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2657 print_in_addr_t(r->gateway, 0, &gc), count);
2658 }
2659
2660 dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count,
2661 (int)ret);
2662
2663 gc_free(&gc);
2664 return ret;
2665}
2666
2667/* IPv6 implementation using GetBestRoute2()
2668 * (TBD: dynamic linking so the binary can still run on XP?)
2669 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2670 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2671 */
2672void
2673get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
2674 openvpn_net_ctx_t *ctx)
2675{
2676 struct gc_arena gc = gc_new();
2677 CLEAR(*rgi6);
2678
2679 SOCKADDR_INET DestinationAddress;
2680 CLEAR(DestinationAddress);
2681 DestinationAddress.si_family = AF_INET6;
2682 if (dest)
2683 {
2684 DestinationAddress.Ipv6.sin6_addr = *dest;
2685 }
2686
2687 MIB_IPFORWARD_ROW2 BestRoute;
2688 CLEAR(BestRoute);
2689 DWORD status = get_best_route(&gc, &DestinationAddress, &BestRoute);
2690
2691 if (status != NO_ERROR)
2692 {
2693 goto done;
2694 }
2695
2696 msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex,
2697 print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2698 BestRoute.DestinationPrefix.PrefixLength,
2699 print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc));
2700 msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric,
2701 (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal);
2702
2703 rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2704 rgi6->adapter_index = BestRoute.InterfaceIndex;
2705 rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2706
2707 /* on-link is signalled by receiving an empty (::) NextHop */
2708 if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr))
2709 {
2710 rgi6->flags |= RGI_ON_LINK;
2711 }
2712
2713done:
2714 gc_free(&gc);
2715}
2716
2717/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2718static int
2719add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2720{
2721 struct gc_arena gc = gc_new();
2722 int ret = RTA_ERROR;
2723 DWORD status;
2724 const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID)
2725 ? windows_route_find_if_index(r, tt)
2726 : adapter_index;
2727
2728 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2729 {
2730 MIB_IPFORWARDROW fr;
2731 CLEAR(fr);
2732 fr.dwForwardDest = htonl(r->network);
2733 fr.dwForwardMask = htonl(r->netmask);
2734 fr.dwForwardPolicy = 0;
2735 fr.dwForwardNextHop = htonl(r->gateway);
2736 fr.dwForwardIfIndex = if_index;
2737 fr.dwForwardType = 4; /* the next hop is not the final dest */
2738 fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2739 fr.dwForwardAge = 0;
2740 fr.dwForwardNextHopAS = 0;
2741 fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2742 fr.dwForwardMetric2 = METRIC_NOT_USED;
2743 fr.dwForwardMetric3 = METRIC_NOT_USED;
2744 fr.dwForwardMetric4 = METRIC_NOT_USED;
2745 fr.dwForwardMetric5 = METRIC_NOT_USED;
2746
2747 if ((r->network & r->netmask) != r->network)
2748 {
2749 msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2750 print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc));
2751 }
2752
2753 status = CreateIpForwardEntry(&fr);
2754
2755 if (status == NO_ERROR)
2756 {
2757 ret = RTA_SUCCESS;
2758 }
2759 else if (status == ERROR_OBJECT_ALREADY_EXISTS)
2760 {
2761 ret = RTA_EEXIST;
2762 }
2763 else
2764 {
2765 /* failed, try increasing the metric to work around Vista issue */
2766 const unsigned int forward_metric_limit =
2767 2048; /* iteratively retry higher metrics up to this limit */
2768
2769 for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2770 {
2771 /* try a different forward type=3 ("the next hop is the final dest") in addition
2772 * to 4.
2773 * --redirect-gateway over RRAS seems to need this. */
2774 for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2775 {
2776 status = CreateIpForwardEntry(&fr);
2777 if (status == NO_ERROR)
2778 {
2779 msg(D_ROUTE,
2780 "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2781 (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType);
2782 ret = RTA_SUCCESS;
2783 goto doublebreak;
2784 }
2785 else if (status != ERROR_BAD_ARGUMENTS)
2786 {
2787 goto doublebreak;
2788 }
2789 }
2790 }
2791
2792doublebreak:
2793 if (status != NO_ERROR)
2794 {
2795 if (status == ERROR_OBJECT_ALREADY_EXISTS)
2796 {
2797 ret = RTA_EEXIST;
2798 }
2799 else
2800 {
2801 msg(M_WARN,
2802 "ERROR: route addition failed using CreateIpForwardEntry: "
2803 "%s [status=%u if_index=%u]",
2804 strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index);
2805 }
2806 }
2807 }
2808 }
2809
2810 gc_free(&gc);
2811 return ret;
2812}
2813
2814static bool
2815del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2816{
2817 struct gc_arena gc = gc_new();
2818 bool ret = false;
2819 DWORD status;
2820 const DWORD if_index = windows_route_find_if_index(r, tt);
2821
2822 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2823 {
2824 MIB_IPFORWARDROW fr;
2825 CLEAR(fr);
2826
2827 fr.dwForwardDest = htonl(r->network);
2828 fr.dwForwardMask = htonl(r->netmask);
2829 fr.dwForwardPolicy = 0;
2830 fr.dwForwardNextHop = htonl(r->gateway);
2831 fr.dwForwardIfIndex = if_index;
2832
2833 status = DeleteIpForwardEntry(&fr);
2834
2835 if (status == NO_ERROR)
2836 {
2837 ret = true;
2838 }
2839 else
2840 {
2841 msg(M_WARN, "ERROR: route deletion failed using DeleteIpForwardEntry: %s",
2842 strerror_win32(status, &gc));
2843 }
2844 }
2845
2846 gc_free(&gc);
2847 return ret;
2848}
2849
2850/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2851static int
2852do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
2853{
2854 int ret = RTA_ERROR;
2855 ack_message_t ack;
2856 struct gc_arena gc = gc_new();
2857
2858 if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
2859 {
2860 goto out;
2861 }
2862
2863 if (ack.error_number != NO_ERROR)
2864 {
2865 ret = (ack.error_number == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2866 if (ret == RTA_ERROR)
2867 {
2868 msg(M_WARN, "ERROR: route %s failed using service: %s [status=%u if_index=%d]",
2869 (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
2870 ack.error_number, rt->iface.index);
2871 }
2872 goto out;
2873 }
2874
2875 ret = RTA_SUCCESS;
2876
2877out:
2878 gc_free(&gc);
2879 return ret;
2880}
2881
2882/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2883static int
2884do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
2885{
2886 DWORD if_index = windows_route_find_if_index(r, tt);
2887 if (if_index == ~0)
2888 {
2889 return RTA_ERROR;
2890 }
2891
2892 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
2893 sizeof(route_message_t), 0 },
2894 .family = AF_INET,
2895 .prefix.ipv4.s_addr = htonl(r->network),
2896 .gateway.ipv4.s_addr = htonl(r->gateway),
2897 .iface = { .index = if_index, .name = "" },
2898 .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) };
2899
2900 netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
2901 if (msg.prefix_len == -1)
2902 {
2903 msg.prefix_len = 32;
2904 }
2905
2906 return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
2907}
2908
2909/* Add or delete an ipv6 route
2910 * Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error
2911 */
2912static int
2913route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2914{
2915 DWORD err;
2916 int ret = RTA_ERROR;
2917 PMIB_IPFORWARD_ROW2 fwd_row;
2918 struct gc_arena gc = gc_new();
2919
2920 fwd_row = gc_malloc(sizeof(*fwd_row), true, &gc);
2921
2922 fwd_row->ValidLifetime = 0xffffffff;
2923 fwd_row->PreferredLifetime = 0xffffffff;
2924 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
2925 fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
2926 fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
2927 fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
2928 fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits;
2929 fwd_row->NextHop.si_family = AF_INET6;
2930 fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
2931 fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
2932
2933 /* In TUN mode we use a special link-local address as the next hop.
2934 * The tapdrvr knows about it and will answer neighbor discovery packets.
2935 * (only do this for routes actually using the tun/tap device)
2936 */
2937 if (tt->type == DEV_TYPE_TUN && !r->adapter_index)
2938 {
2939 inet_pton(AF_INET6, "fe80::8", &fwd_row->NextHop.Ipv6.sin6_addr);
2940 }
2941
2942 /* Use LUID if interface index not available */
2943 if (fwd_row->InterfaceIndex == TUN_ADAPTER_INDEX_INVALID && strlen(tt->actual_name))
2944 {
2945 NET_LUID luid;
2946 err = ConvertInterfaceAliasToLuid(wide_string(tt->actual_name, &gc), &luid);
2947 if (err != NO_ERROR)
2948 {
2949 goto out;
2950 }
2951 fwd_row->InterfaceLuid = luid;
2952 fwd_row->InterfaceIndex = 0;
2953 }
2954
2955 if (add)
2956 {
2957 err = CreateIpForwardEntry2(fwd_row);
2958 }
2959 else
2960 {
2961 err = DeleteIpForwardEntry2(fwd_row);
2962 }
2963
2964out:
2965 if (err != NO_ERROR)
2966 {
2967 ret = (err == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2968 if (ret == RTA_ERROR)
2969 {
2970 msg(M_WARN, "ERROR: route %s failed using ipapi: %s [status=%lu if_index=%lu]",
2971 (add ? "addition" : "deletion"), strerror_win32(err, &gc), err,
2972 fwd_row->InterfaceIndex);
2973 }
2974 else if (add)
2975 {
2976 msg(D_ROUTE, "IPv6 route addition using ipapi failed because route exists");
2977 }
2978 }
2979 else
2980 {
2981 msg(D_ROUTE, "IPv6 route %s using ipapi", add ? "added" : "deleted");
2982 ret = RTA_SUCCESS;
2983 }
2984 gc_free(&gc);
2985 return ret;
2986}
2987
2988/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2989static int
2990do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2991{
2992 int status;
2993 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
2994 sizeof(route_message_t), 0 },
2995 .family = AF_INET6,
2996 .prefix.ipv6 = r->network,
2997 .prefix_len = r->netbits,
2998 .gateway.ipv6 = r->gateway,
2999 .iface = { .index = tt->adapter_index, .name = "" },
3000 .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) };
3001
3002 if (r->adapter_index) /* vpn server special route */
3003 {
3004 msg.iface.index = r->adapter_index;
3005 }
3006
3007 /* In TUN mode we use a special link-local address as the next hop.
3008 * The tapdrvr knows about it and will answer neighbor discovery packets.
3009 * (only do this for routes actually using the tun/tap device)
3010 */
3011 if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index)
3012 {
3013 inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3014 }
3015
3016 if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID)
3017 {
3018 strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3019 msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3020 }
3021
3022 status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3023 if (status != RTA_ERROR)
3024 {
3025 msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion",
3026 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
3027 }
3028 return status;
3029}
3030
3031/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3032static int
3033add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3034{
3035 return do_route_ipv4_service(true, r, tt);
3036}
3037
3038static bool
3039del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3040{
3041 return do_route_ipv4_service(false, r, tt);
3042}
3043
3044/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3045static int
3046add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3047{
3048 return do_route_ipv6_service(true, r, tt);
3049}
3050
3051static bool
3052del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3053{
3054 return do_route_ipv6_service(false, r, tt);
3055}
3056
3057static const char *
3058format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3059{
3060 struct buffer out = alloc_buf_gc(256, gc);
3061 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3062 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3063 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3064 print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
3065 (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
3066 (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
3067 (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
3068 (int)r->dwForwardMetric5);
3069 return BSTR(&out);
3070}
3071
3072/*
3073 * Show current routing table
3074 */
3075void
3076show_routes(msglvl_t msglevel)
3077{
3078 struct gc_arena gc = gc_new();
3079
3080 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3081
3082 msg(msglevel, "SYSTEM ROUTING TABLE");
3083 if (rt)
3084 {
3085 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3086 {
3087 msg(msglevel, "%s", format_route_entry(&rt->table[i], &gc));
3088 }
3089 }
3090 gc_free(&gc);
3091}
3092
3093#elif defined(TARGET_ANDROID)
3094
3095void
3096get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3097{
3098 /* Android, set some pseudo GW, addr is in host byte order,
3099 * Determining the default GW on Android 5.0+ is non trivial
3100 * and serves almost no purpose since OpenVPN only uses the
3101 * default GW address to add routes for networks that should
3102 * NOT be routed over the VPN. Using a well known address
3103 * (127.'d'.'g'.'w') for the default GW make detecting
3104 * these routes easier from the controlling app.
3105 */
3106 CLEAR(*rgi);
3107
3108 rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3109 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3110 strcpy(rgi->iface, "android-gw");
3111
3112 /* Skip scanning/fetching interface from loopback interface we do
3113 * normally on Linux.
3114 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3115 */
3116}
3117
3118void
3119get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3120 openvpn_net_ctx_t *ctx)
3121{
3122 /* Same for ipv6 */
3123
3124 CLEAR(*rgi6);
3125
3126 /* Use a fake link-local address */
3127 ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3128 rgi6->addrs->netbits_ipv6 = 64;
3129 rgi6->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3130 strcpy(rgi6->iface, "android-gw");
3131}
3132
3133#elif defined(TARGET_LINUX)
3134
3135void
3136get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3137{
3138 struct gc_arena gc = gc_new();
3139 int sd = -1;
3140 char best_name[IFNAMSIZ];
3141
3142 CLEAR(*rgi);
3143 CLEAR(best_name);
3144
3145 /* find best route to 'dest', get gateway IP addr + interface */
3146 if (net_route_v4_best_gw(ctx, &dest, &rgi->gateway.addr, best_name) == 0)
3147 {
3148 rgi->flags |= RGI_ADDR_DEFINED;
3149 if (!rgi->gateway.addr && best_name[0])
3150 {
3151 rgi->flags |= RGI_ON_LINK;
3152 }
3153 }
3154
3155 /* scan adapter list */
3156 if (rgi->flags & RGI_ADDR_DEFINED)
3157 {
3158 struct ifreq *ifr, *ifend;
3159 in_addr_t addr, netmask;
3160 struct ifreq ifreq;
3161 struct ifconf ifc;
3162 struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3163
3164 if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3165 {
3166 msg(M_WARN, "GDG: socket() failed");
3167 goto done;
3168 }
3169 ifc.ifc_len = sizeof(ifs);
3170 ifc.ifc_req = ifs;
3171 if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3172 {
3173 msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3174 goto done;
3175 }
3176
3177 /* scan through interface list */
3178 ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3179 for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3180 {
3181 if (ifr->ifr_addr.sa_family == AF_INET)
3182 {
3183 /* get interface addr */
3184 addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
3185
3186 /* get interface name */
3187 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3188
3189 /* check that the interface is up */
3190 if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3191 {
3192 continue;
3193 }
3194 if (!(ifreq.ifr_flags & IFF_UP))
3195 {
3196 continue;
3197 }
3198
3199 if (rgi->flags & RGI_ON_LINK)
3200 {
3201 /* check that interface name of current interface
3202 * matches interface name of best default route */
3203 if (strcmp(ifreq.ifr_name, best_name))
3204 {
3205 continue;
3206 }
3207#if 0
3208 /* if point-to-point link, use remote addr as route gateway */
3209 if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3210 {
3211 rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3212 if (rgi->gateway.addr)
3213 {
3214 rgi->flags &= ~RGI_ON_LINK;
3215 }
3216 }
3217#endif
3218 }
3219 else
3220 {
3221 /* get interface netmask */
3222 if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3223 {
3224 continue;
3225 }
3226 netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
3227
3228 /* check that interface matches default route */
3229 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3230 {
3231 continue;
3232 }
3233
3234 /* save netmask */
3235 rgi->gateway.netmask = netmask;
3236 rgi->flags |= RGI_NETMASK_DEFINED;
3237 }
3238
3239 /* save iface name */
3240 strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3241 rgi->flags |= RGI_IFACE_DEFINED;
3242
3243 /* now get the hardware address. */
3244 memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3245 if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3246 {
3247 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3248 goto done;
3249 }
3250 memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3251 rgi->flags |= RGI_HWADDR_DEFINED;
3252
3253 break;
3254 }
3255 }
3256 }
3257
3258done:
3259 if (sd >= 0)
3260 {
3261 close(sd);
3262 }
3263 gc_free(&gc);
3264}
3265
3266/* IPv6 implementation using netlink
3267 * https://www.linuxjournal.com/article/7356 - "Kernel Korner - Why and How to Use Netlink Socket"
3268 * netlink(3), netlink(7), rtnetlink(7)
3269 * https://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/
3270 */
3271struct rtreq
3272{
3273 struct nlmsghdr nh;
3274 struct rtmsg rtm;
3275 char attrbuf[512];
3276};
3277
3278void
3279get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3280 openvpn_net_ctx_t *ctx)
3281{
3282 int flags;
3283
3284 CLEAR(*rgi6);
3285
3286 if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
3287 {
3288 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3289 {
3290 rgi6->flags |= RGI_ADDR_DEFINED;
3291 }
3292
3293 if (strlen(rgi6->iface) > 0)
3294 {
3295 rgi6->flags |= RGI_IFACE_DEFINED;
3296 }
3297 }
3298
3299 /* if we have an interface but no gateway, the destination is on-link */
3300 flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3301 if (flags == RGI_IFACE_DEFINED)
3302 {
3303 rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3304 if (dest)
3305 {
3306 rgi6->gateway.addr_ipv6 = *dest;
3307 }
3308 }
3309}
3310
3311#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
3312 || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3313
3314#include <sys/types.h>
3315#include <sys/socket.h>
3316#include <netinet/in.h>
3317#include <net/route.h>
3318#include <net/if_dl.h>
3319#if !defined(TARGET_SOLARIS)
3320#include <ifaddrs.h>
3321#endif
3322
3323struct rtmsg
3324{
3325 struct rt_msghdr m_rtm;
3326 char m_space[512];
3327};
3328
3329/* the route socket code is identical for all 4 supported BSDs and for
3330 * MacOS X (Darwin), with one crucial difference: when going from
3331 * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3332 * source code compatibility by keeping the use of "long", while
3333 * MacOS X decided to keep binary compatibility by *changing* the API
3334 * to use "uint32_t", thus 32 bit on all OS X variants
3335 *
3336 * NetBSD does the MacOS way of "fixed number of bits, no matter if
3337 * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3338 * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3339 *
3340 * We used to have a large amount of duplicate code here which really
3341 * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3342 * having a combined block for all BSDs with this single #ifdef inside
3343 */
3344
3345#if defined(TARGET_DARWIN)
3346#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3347#elif defined(TARGET_NETBSD)
3348#define ROUNDUP(a) RT_ROUNDUP(a)
3349#else
3350#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3351#endif
3352
3353#if defined(TARGET_SOLARIS)
3354#define NEXTADDR(w, u) \
3355 if (rtm_addrs & (w)) \
3356 { \
3357 l = sizeof(u); \
3358 memmove(cp, &(u), l); \
3359 cp += ROUNDUP(l); \
3360 }
3361
3362#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3363#else /* if defined(TARGET_SOLARIS) */
3364#define NEXTADDR(w, u) \
3365 if (rtm_addrs & (w)) \
3366 { \
3367 l = ((struct sockaddr *)&(u))->sa_len; \
3368 memmove(cp, &(u), l); \
3369 cp += ROUNDUP(l); \
3370 }
3371
3372#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3373#endif
3374
3375#define max(a, b) ((a) > (b) ? (a) : (b))
3376
3377#if defined(__GNUC__) || defined(__clang__)
3378#pragma GCC diagnostic push
3379#pragma GCC diagnostic ignored "-Wconversion"
3380#endif
3381
3382void
3383get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3384{
3385 struct gc_arena gc = gc_new();
3386 struct rtmsg m_rtmsg;
3387 int sockfd = -1;
3388 int seq, l, pid, rtm_addrs;
3389 unsigned int i;
3390 struct sockaddr so_dst, so_mask;
3391 char *cp = m_rtmsg.m_space;
3392 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3393 struct rt_msghdr *rtm_aux;
3394
3395#define rtm m_rtmsg.m_rtm
3396
3397 CLEAR(*rgi);
3398
3399 /* setup data to send to routing socket */
3400 pid = getpid();
3401 seq = 0;
3402#ifdef TARGET_OPENBSD
3403 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3404#else
3405 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3406#endif
3407
3408 bzero(&m_rtmsg, sizeof(m_rtmsg));
3409 bzero(&so_dst, sizeof(so_dst));
3410 bzero(&so_mask, sizeof(so_mask));
3411 bzero(&rtm, sizeof(struct rt_msghdr));
3412
3413 rtm.rtm_type = RTM_GET;
3414 rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3415 rtm.rtm_version = RTM_VERSION;
3416 rtm.rtm_seq = ++seq;
3417#ifdef TARGET_OPENBSD
3418 rtm.rtm_tableid = getrtable();
3419#endif
3420 rtm.rtm_addrs = rtm_addrs;
3421
3422 so_dst.sa_family = AF_INET;
3423 so_mask.sa_family = AF_INET;
3424
3425#ifndef TARGET_SOLARIS
3426 so_dst.sa_len = sizeof(struct sockaddr_in);
3427 so_mask.sa_len = sizeof(struct sockaddr_in);
3428#endif
3429
3430 NEXTADDR(RTA_DST, so_dst);
3431 NEXTADDR(RTA_NETMASK, so_mask);
3432
3433 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3434
3435 /* transact with routing socket */
3436 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3437 if (sockfd < 0)
3438 {
3439 msg(M_WARN, "GDG: socket #1 failed");
3440 goto done;
3441 }
3442 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3443 {
3444 msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
3445 goto done;
3446 }
3447 do
3448 {
3449 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3450 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3451 close(sockfd);
3452 sockfd = -1;
3453
3454 /* extract return data from routing socket */
3455 rtm_aux = &rtm;
3456 cp = ((char *)(rtm_aux + 1));
3457 if (rtm_aux->rtm_addrs)
3458 {
3459 for (i = 1; i; i <<= 1)
3460 {
3461 if (i & rtm_aux->rtm_addrs)
3462 {
3463 sa = (struct sockaddr *)cp;
3464 if (i == RTA_GATEWAY)
3465 {
3466 gate = sa;
3467 }
3468 else if (i == RTA_IFP)
3469 {
3470 ifp = sa;
3471 }
3472 ADVANCE(cp, sa);
3473 }
3474 }
3475 }
3476 else
3477 {
3478 goto done;
3479 }
3480
3481 /* get gateway addr and interface name */
3482 if (gate != NULL)
3483 {
3484 /* get default gateway addr */
3485 rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3486 if (rgi->gateway.addr)
3487 {
3488 rgi->flags |= RGI_ADDR_DEFINED;
3489 }
3490
3491 if (ifp)
3492 {
3493 /* get interface name */
3494 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3495 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3496 {
3497 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3498 rgi->iface[adl->sdl_nlen] = '\0';
3499 rgi->flags |= RGI_IFACE_DEFINED;
3500 }
3501 }
3502 }
3503
3504 /* get netmask of interface that owns default gateway */
3505 if (rgi->flags & RGI_IFACE_DEFINED)
3506 {
3507 struct ifreq ifr;
3508
3509 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3510 if (sockfd < 0)
3511 {
3512 msg(M_WARN, "GDG: socket #2 failed");
3513 goto done;
3514 }
3515
3516 CLEAR(ifr);
3517 ifr.ifr_addr.sa_family = AF_INET;
3518 strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3519
3520 if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3521 {
3522 msg(M_WARN, "GDG: ioctl #1 failed");
3523 goto done;
3524 }
3525 close(sockfd);
3526 sockfd = -1;
3527
3528 rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3529 rgi->flags |= RGI_NETMASK_DEFINED;
3530 }
3531
3532 /* try to read MAC addr associated with interface that owns default gateway */
3533 if (rgi->flags & RGI_IFACE_DEFINED)
3534 {
3535#if defined(TARGET_SOLARIS)
3536 /* OpenSolaris has getifaddrs(3), but it does not return AF_LINK */
3537 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3538 if (sockfd < 0)
3539 {
3540 msg(M_WARN, "GDG: socket #3 failed");
3541 goto done;
3542 }
3543
3544 struct ifreq ifreq = { 0 };
3545
3546 /* now get the hardware address. */
3547 strncpynt(ifreq.ifr_name, rgi->iface, sizeof(ifreq.ifr_name));
3548 if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0)
3549 {
3550 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3551 }
3552 else
3553 {
3554 memcpy(rgi->hwaddr, &ifreq.ifr_addr.sa_data, 6);
3555 rgi->flags |= RGI_HWADDR_DEFINED;
3556 }
3557#else /* if defined(TARGET_SOLARIS) */
3558 struct ifaddrs *ifap, *ifa;
3559
3560 if (getifaddrs(&ifap) != 0)
3561 {
3562 msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
3563 goto done;
3564 }
3565
3566 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
3567 {
3568 if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
3569 && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
3570 {
3571 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
3572 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3573 rgi->flags |= RGI_HWADDR_DEFINED;
3574 }
3575 }
3576
3577 freeifaddrs(ifap);
3578#endif /* if defined(TARGET_SOLARIS) */
3579 }
3580
3581done:
3582 if (sockfd >= 0)
3583 {
3584 close(sockfd);
3585 }
3586 gc_free(&gc);
3587}
3588
3589/* BSD implementation using routing socket (as does IPv4)
3590 * (the code duplication is somewhat unavoidable if we want this to
3591 * work on OpenSolaris as well. *sigh*)
3592 */
3593
3594/* Solaris has no length field - this is ugly, but less #ifdef in total
3595 */
3596#if defined(TARGET_SOLARIS)
3597#undef ADVANCE
3598#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3599#endif
3600
3601void
3602get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3603 openvpn_net_ctx_t *ctx)
3604{
3605 struct rtmsg m_rtmsg;
3606 int sockfd = -1;
3607 int seq, l, pid, rtm_addrs;
3608 unsigned int i;
3609 struct sockaddr_in6 so_dst, so_mask;
3610 char *cp = m_rtmsg.m_space;
3611 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3612 struct rt_msghdr *rtm_aux;
3613
3614 CLEAR(*rgi6);
3615
3616 /* setup data to send to routing socket */
3617 pid = getpid();
3618 seq = 0;
3619#ifdef TARGET_OPENBSD
3620 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3621#else
3622 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3623#endif
3624
3625 bzero(&m_rtmsg, sizeof(m_rtmsg));
3626 bzero(&so_dst, sizeof(so_dst));
3627 bzero(&so_mask, sizeof(so_mask));
3628 bzero(&rtm, sizeof(struct rt_msghdr));
3629
3630 rtm.rtm_type = RTM_GET;
3631 rtm.rtm_flags = RTF_UP;
3632 rtm.rtm_version = RTM_VERSION;
3633 rtm.rtm_seq = ++seq;
3634#ifdef TARGET_OPENBSD
3635 rtm.rtm_tableid = getrtable();
3636#endif
3637
3638 so_dst.sin6_family = AF_INET6;
3639 so_mask.sin6_family = AF_INET6;
3640
3641 if (dest != NULL /* specific host? */
3642 && !IN6_IS_ADDR_UNSPECIFIED(dest))
3643 {
3644 so_dst.sin6_addr = *dest;
3645 /* :: needs /0 "netmask", host route wants "no netmask */
3646 rtm_addrs &= ~RTA_NETMASK;
3647 }
3648
3649 rtm.rtm_addrs = rtm_addrs;
3650
3651#ifndef TARGET_SOLARIS
3652 so_dst.sin6_len = sizeof(struct sockaddr_in6);
3653 so_mask.sin6_len = sizeof(struct sockaddr_in6);
3654#endif
3655
3656 NEXTADDR(RTA_DST, so_dst);
3657 NEXTADDR(RTA_NETMASK, so_mask);
3658
3659 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3660
3661 /* transact with routing socket */
3662 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3663 if (sockfd < 0)
3664 {
3665 msg(M_WARN, "GDG6: socket #1 failed");
3666 goto done;
3667 }
3668 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3669 {
3670 msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
3671 goto done;
3672 }
3673
3674 do
3675 {
3676 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3677 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3678
3679 close(sockfd);
3680 sockfd = -1;
3681
3682 /* extract return data from routing socket */
3683 rtm_aux = &rtm;
3684 cp = ((char *)(rtm_aux + 1));
3685 if (rtm_aux->rtm_addrs)
3686 {
3687 for (i = 1; i; i <<= 1)
3688 {
3689 if (i & rtm_aux->rtm_addrs)
3690 {
3691 sa = (struct sockaddr *)cp;
3692 if (i == RTA_GATEWAY)
3693 {
3694 gate = sa;
3695 }
3696 else if (i == RTA_IFP)
3697 {
3698 ifp = sa;
3699 }
3700 ADVANCE(cp, sa);
3701 }
3702 }
3703 }
3704 else
3705 {
3706 goto done;
3707 }
3708
3709 /* get gateway addr and interface name */
3710 if (gate != NULL)
3711 {
3712 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3713 struct in6_addr gw = s6->sin6_addr;
3714
3715#ifndef TARGET_SOLARIS
3716 /* You do not really want to know... from FreeBSD's route.c
3717 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3718 * but for a correct link-local address these must be :0000: )
3719 */
3720 if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
3721 {
3722 gw.s6_addr[2] = gw.s6_addr[3] = 0;
3723 }
3724
3725 if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
3726 {
3727 rgi6->flags |= RGI_ON_LINK;
3728 }
3729 else
3730#endif
3731 {
3732 rgi6->gateway.addr_ipv6 = gw;
3733 }
3734 rgi6->flags |= RGI_ADDR_DEFINED;
3735
3736 if (ifp)
3737 {
3738 /* get interface name */
3739 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3740 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3741 {
3742 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3743 rgi6->flags |= RGI_IFACE_DEFINED;
3744 }
3745 }
3746 }
3747
3748done:
3749 if (sockfd >= 0)
3750 {
3751 close(sockfd);
3752 }
3753}
3754
3755#if defined(__GNUC__) || defined(__clang__)
3756#pragma GCC diagnostic pop
3757#endif
3758
3759#undef max
3760
3761#elif defined(TARGET_HAIKU)
3762
3763void
3764get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3765{
3766 CLEAR(*rgi);
3767
3768 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3769 if (sockfd < 0)
3770 {
3771 msg(M_ERRNO, "%s: Error opening socket for AF_INET", __func__);
3772 return;
3773 }
3774
3775 struct ifconf config;
3776 config.ifc_len = sizeof(config.ifc_value);
3777 if (ioctl(sockfd, SIOCGRTSIZE, &config, sizeof(struct ifconf)) < 0)
3778 {
3779 msg(M_ERRNO, "%s: Error getting routing table size", __func__);
3780 return;
3781 }
3782
3783 uint32 size = (uint32)config.ifc_value;
3784 if (size == 0)
3785 {
3786 return;
3787 }
3788
3789 void *buffer = malloc(size);
3790 check_malloc_return(buffer);
3791
3792 config.ifc_len = size;
3793 config.ifc_buf = buffer;
3794 if (ioctl(sockfd, SIOCGRTTABLE, &config, sizeof(struct ifconf)) < 0)
3795 {
3796 free(buffer);
3797 return;
3798 }
3799
3800 struct ifreq *interface = (struct ifreq *)buffer;
3801 struct ifreq *end = (struct ifreq *)((uint8 *)buffer + size);
3802
3803 while (interface < end)
3804 {
3805 struct route_entry route = interface->ifr_route;
3806 if ((route.flags & RTF_GATEWAY) != 0 && (route.flags & RTF_DEFAULT) != 0)
3807 {
3808 rgi->gateway.addr = ntohl(((struct sockaddr_in *)route.gateway)->sin_addr.s_addr);
3809 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3810 strncpy(rgi->iface, interface->ifr_name, sizeof(rgi->iface));
3811 }
3812
3813 int32 address_size = 0;
3814 if (route.destination != NULL)
3815 {
3816 address_size += route.destination->sa_len;
3817 }
3818 if (route.mask != NULL)
3819 {
3820 address_size += route.mask->sa_len;
3821 }
3822 if (route.gateway != NULL)
3823 {
3824 address_size += route.gateway->sa_len;
3825 }
3826
3827 interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
3828 + address_size);
3829 }
3830 free(buffer);
3831}
3832
3833void
3834get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3835 openvpn_net_ctx_t *ctx)
3836{
3837 /* TODO: Same for ipv6 with AF_INET6 */
3838 CLEAR(*rgi6);
3839}
3840
3841#else /* if defined(_WIN32) */
3842
3843/*
3844 * This is a platform-specific method that returns data about
3845 * the current default gateway. Return data is placed into
3846 * a struct route_gateway_info object provided by caller. The
3847 * implementation should CLEAR the structure before adding
3848 * data to it.
3849 *
3850 * Data returned includes:
3851 * 1. default gateway address (rgi->gateway.addr)
3852 * 2. netmask of interface that owns default gateway
3853 * (rgi->gateway.netmask)
3854 * 3. hardware address (i.e. MAC address) of interface that owns
3855 * default gateway (rgi->hwaddr)
3856 * 4. interface name (or adapter index on Windows) that owns default
3857 * gateway (rgi->iface or rgi->adapter_index)
3858 * 5. an array of additional address/netmask pairs defined by
3859 * interface that owns default gateway (rgi->addrs with length
3860 * given in rgi->n_addrs)
3861 *
3862 * The flags RGI_x_DEFINED may be used to indicate which of the data
3863 * members were successfully returned (set in rgi->flags). All of
3864 * the data members are optional, however certain OpenVPN functionality
3865 * may be disabled by missing items.
3866 */
3867void
3868get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3869{
3870 CLEAR(*rgi);
3871}
3872void
3873get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3874 openvpn_net_ctx_t *ctx)
3875{
3876 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3877 CLEAR(*rgi6);
3878}
3879
3880#endif /* if defined(_WIN32) */
3881
3882bool
3883netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3884{
3885 int i;
3886 const int addrlen = sizeof(in_addr_t) * 8;
3887
3888 if ((network & netmask) == network)
3889 {
3890 for (i = 0; i <= addrlen; ++i)
3891 {
3892 in_addr_t mask = netbits_to_netmask(i);
3893 if (mask == netmask)
3894 {
3895 if (i == addrlen)
3896 {
3897 *netbits = -1;
3898 }
3899 else
3900 {
3901 *netbits = i;
3902 }
3903 return true;
3904 }
3905 }
3906 }
3907 return false;
3908}
3909
3910/* similar to netmask_to_netbits(), but don't mess with base address
3911 * etc., just convert to netbits - non-mappable masks are returned as "-1"
3912 */
3913int
3914netmask_to_netbits2(in_addr_t netmask)
3915{
3916 int i;
3917 const int addrlen = sizeof(in_addr_t) * 8;
3918
3919 for (i = 0; i <= addrlen; ++i)
3920 {
3921 in_addr_t mask = netbits_to_netmask(i);
3922 if (mask == netmask)
3923 {
3924 return i;
3925 }
3926 }
3927 return -1;
3928}
3929
3930
3931/*
3932 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3933 * functions to build a route bypass to selected DHCP/DNS servers,
3934 * so that outgoing packets to these servers don't end up in the tunnel.
3935 */
3936
3937#if defined(_WIN32)
3938
3939static void
3940add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
3941{
3942 if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3943 {
3944 add_bypass_address(rb, addr);
3945 }
3946}
3947
3948static void
3949add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3950{
3951 while (iplist)
3952 {
3953 bool succeed = false;
3954 const in_addr_t ip =
3955 getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3956 if (succeed)
3957 {
3958 add_host_route_if_nonlocal(rb, ip);
3959 }
3960 iplist = iplist->Next;
3961 }
3962}
3963
3964static void
3965get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3966{
3967 struct gc_arena gc = gc_new();
3968 /*bool ret_bool = false;*/
3969
3970 /* get full routing table */
3971 const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3972
3973 /* get the route which represents the default gateway */
3974 const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3975
3976 if (row)
3977 {
3978 /* get the adapter which the default gateway is associated with */
3979 const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3980
3981 /* get extra adapter info, such as DNS addresses */
3982 const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3983
3984 /* Bypass DHCP server address */
3985 if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3986 {
3987 add_host_route_array(rb, &dgi->DhcpServer);
3988 }
3989
3990 /* Bypass DNS server addresses */
3991 if ((flags & RG_BYPASS_DNS) && pai)
3992 {
3993 add_host_route_array(rb, &pai->DnsServerList);
3994 }
3995 }
3996
3997 gc_free(&gc);
3998}
3999
4000#else /* if defined(_WIN32) */
4001
4002static void
4003get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
4004{
4005}
4006
4007#endif /* if defined(_WIN32) */
4008
4009/*
4010 * Test if addr is reachable via a local interface (return ILA_LOCAL),
4011 * or if it needs to be routed via the default gateway (return
4012 * ILA_NONLOCAL). If the target platform doesn't implement this
4013 * function, return ILA_NOT_IMPLEMENTED.
4014 *
4015 * Used by redirect-gateway autolocal feature
4016 */
4017
4018#if defined(_WIN32)
4019
4020int
4021test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4022{
4023 struct gc_arena gc = gc_new();
4024 const in_addr_t nonlocal_netmask =
4025 0x80000000L; /* routes with netmask <= to this are considered non-local */
4026 int ret = TLA_NONLOCAL;
4027
4028 /* get full routing table */
4029 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4030 if (rt)
4031 {
4032 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4033 {
4034 const MIB_IPFORWARDROW *row = &rt->table[i];
4035 const in_addr_t net = ntohl(row->dwForwardDest);
4036 const in_addr_t mask = ntohl(row->dwForwardMask);
4037 if (mask > nonlocal_netmask && (addr & mask) == net)
4038 {
4039 ret = TLA_LOCAL;
4040 break;
4041 }
4042 }
4043 }
4044
4045 gc_free(&gc);
4046 return ret;
4047}
4048
4049#else /* if defined(_WIN32) */
4050
4051int
4052test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4053{
4054 if (rgi)
4055 {
4056 if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4057 {
4058 return TLA_LOCAL;
4059 }
4060 else
4061 {
4062 return TLA_NONLOCAL;
4063 }
4064 }
4065 return TLA_NOT_IMPLEMENTED;
4066}
4067
4068#endif /* if defined(_WIN32) */
argv_msg
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
gc_addspecial
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition buffer.c:438
BSTR
#define BSTR(buf)
Definition buffer.h:128
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1101
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1096
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1107
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
gc_freeaddrinfo_callback
static void gc_freeaddrinfo_callback(void *addr)
Definition buffer.h:215
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition errlevel.h:132
M_INFO
#define M_INFO
Definition errlevel.h:54
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
status
static SERVICE_STATUS status
Definition interactive.c:51
route
@ route
Definition interactive.c:85
write
@ write
Definition interactive.c:213
read
@ read
Definition interactive.c:212
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2774
OPENVPN_STATE_ADD_ROUTES
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:451
net_ctx_reset
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition networking.h:56
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
msg_add_route
@ msg_add_route
Definition openvpn-msg.h:34
msg_del_route
@ msg_del_route
Definition openvpn-msg.h:35
IPV4_NETMASK_HOST
#define IPV4_NETMASK_HOST
Definition basic.h:34
CLEAR
#define CLEAR(x)
Definition basic.h:32
strerror_win32
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition error.c:768
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1240
undo_redirect_default_route_to_vpn
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1056
print_route_option
static void print_route_option(const struct route_option *ro, msglvl_t msglevel)
Definition route.c:1233
add_host_route_if_nonlocal
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition route.c:3940
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1103
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:301
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:155
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1406
clear_route_list
static void clear_route_list(struct route_list *rl)
Definition route.c:523
test_route_helper
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition route.c:2423
del_bypass_routes
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:932
del_route_ipapi
static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2815
redirect_default_route_to_vpn
static bool redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:948
add_route3
static bool add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:886
add_host_route_array
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition route.c:3949
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3914
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:139
init_route
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition route.c:314
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1198
route_string
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition route.c:189
get_special_addr
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition route.c:233
RTA_EEXIST
#define RTA_EEXIST
Definition route.c:103
LR_NOMATCH
#define LR_NOMATCH
Definition route.c:1435
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2448
add_block_local_routes
static void add_block_local_routes(struct route_list *rl)
Definition route.c:574
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:598
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2673
get_windows_routing_table
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition route.c:2389
get_best_route
static DWORD get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
Determines the best route to a destination for both IPv4 and IPv6.
Definition route.c:2539
do_route_service
static int do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
Definition route.c:2852
format_route_entry
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition route.c:3058
add_route_service
static int add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3033
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:752
delete_route
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2032
del_route_ipv6_service
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3052
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:537
ipv6_net_contains_host
bool ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
check whether an IPv6 host address is covered by a given network/bits
Definition route.c:718
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:509
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:173
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:181
add_route
bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1482
test_route
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition route.c:2411
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1254
add_route_ipv6
bool add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1796
RTA_ERROR
#define RTA_ERROR
Definition route.c:101
del_route_service
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3039
print_route
static void print_route(const struct route_ipv4 *r, msglvl_t msglevel)
Definition route.c:1328
local_route
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition route.c:1440
add_route_ipv6_service
static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3046
is_on_link
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition route.c:1473
get_default_gateway_row
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition route.c:2491
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2575
route_ipv6_ipapi
static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *)
Definition route.c:2913
add_block_local_item
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition route.c:546
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:164
show_opt
static const char * show_opt(const char *option)
Definition route.c:1220
print_routes
void print_routes(const struct route_list *rl, msglvl_t msglevel)
Definition route.c:1339
init_route_ipv6
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition route.c:437
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:130
test_local_addr
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition route.c:4021
METRIC_NOT_USED
#define METRIC_NOT_USED
Definition route.c:59
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:606
add_route_ipapi
static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition route.c:2719
RTA_SUCCESS
#define RTA_SUCCESS
Definition route.c:102
delete_route_ipv6
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2204
LR_MATCH
#define LR_MATCH
Definition route.c:1436
do_route_ipv6_service
static int do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition route.c:2990
route_ipv6_clear_host_bits
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition route.c:1771
clear_route_ipv6_list
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition route.c:530
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1168
LR_ERROR
#define LR_ERROR
Definition route.c:1437
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3076
netmask_to_netbits
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition route.c:3883
setenv_route_addr
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition route.c:216
windows_route_find_if_index
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2627
do_route_ipv4_service
static int do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2884
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1369
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1176
add_bypass_routes
static bool add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:914
get_bypass_addresses
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition route.c:3965
is_route_parm_defined
static bool is_route_parm_defined(const char *parm)
Definition route.c:202
setenv_route_ipv6
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition route.c:1380
add_bypass_address
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition route.c:107
setenv_route
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition route.c:1349
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:494
del_route3
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:900
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
TLA_LOCAL
#define TLA_LOCAL
Definition route.h:372
RGI_ON_LINK
#define RGI_ON_LINK
Definition route.h:164
RL_DID_LOCAL
#define RL_DID_LOCAL
Definition route.h:231
RL_DID_REDIRECT_DEFAULT_GATEWAY
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition route.h:230
ROUTE_REF_GW
#define ROUTE_REF_GW
Definition route.h:50
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
RTSA_REMOTE_ENDPOINT
#define RTSA_REMOTE_ENDPOINT
Definition route.h:62
RGI_ADDR_DEFINED
#define RGI_ADDR_DEFINED
Definition route.h:159
RL_ROUTES_ADDED
#define RL_ROUTES_ADDED
Definition route.h:232
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:401
RTSA_REMOTE_HOST
#define RTSA_REMOTE_HOST
Definition route.h:63
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
RGI_IFACE_DEFINED
#define RGI_IFACE_DEFINED
Definition route.h:162
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
RT_ADDED
#define RT_ADDED
Definition route.h:121
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RT_METRIC_DEFINED
#define RT_METRIC_DEFINED
Definition route.h:122
ROUTE_DELETE_FIRST
#define ROUTE_DELETE_FIRST
Definition route.h:49
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
TLA_NOT_IMPLEMENTED
#define TLA_NOT_IMPLEMENTED
Definition route.h:370
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
TLA_NONLOCAL
#define TLA_NONLOCAL
Definition route.h:371
N_ROUTE_BYPASS
#define N_ROUTE_BYPASS
Definition route.h:54
RT_DEFINED
#define RT_DEFINED
Definition route.h:120
ROUTE_METHOD_MASK
#define ROUTE_METHOD_MASK
Definition route.h:43
RTSA_DEFAULT_METRIC
#define RTSA_DEFAULT_METRIC
Definition route.h:64
RGI_NETMASK_DEFINED
#define RGI_NETMASK_DEFINED
Definition route.h:160
openvpn_execve_check
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition run_command.c:233
run_command.h
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:229
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:202
IPV4_INVALID_ADDR
#define IPV4_INVALID_ADDR
Definition socket.h:357
openvpn_getaddrinfo
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition socket_util.c:537
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IF_NAMESIZE
#define IF_NAMESIZE
Definition socket_util.c:123
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
GETADDR_WARN_ON_SIGNAL
#define GETADDR_WARN_ON_SIGNAL
Definition socket_util.h:122
ack_message_t
Definition openvpn-msg.h:157
ack_message_t::error_number
int error_number
Definition openvpn-msg.h:159
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
env_set
Definition env_set.h:43
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
interface_t::index
int index
Definition openvpn-msg.h:69
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
route_bypass
Definition route.h:53
route_bypass::n_bypass
int n_bypass
Definition route.h:55
route_bypass::bypass
in_addr_t bypass[N_ROUTE_BYPASS]
Definition route.h:56
route_gateway_address
Definition route.h:152
route_gateway_address::netmask
in_addr_t netmask
Definition route.h:154
route_gateway_address::addr
in_addr_t addr
Definition route.h:153
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
route_gateway_info::addrs
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:185
route_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:169
route_gateway_info::gateway
struct route_gateway_address gateway
Definition route.h:180
route_gateway_info::n_addrs
int n_addrs
Definition route.h:184
route_ipv4
Definition route.h:119
route_ipv4::option
const struct route_option * option
Definition route.h:125
route_ipv4::metric
int metric
Definition route.h:130
route_ipv4::next
struct route_ipv4 * next
Definition route.h:123
route_ipv4::table_id
int table_id
Definition route.h:129
route_ipv4::network
in_addr_t network
Definition route.h:126
route_ipv4::netmask
in_addr_t netmask
Definition route.h:127
route_ipv4::gateway
in_addr_t gateway
Definition route.h:128
route_ipv4::flags
unsigned int flags
Definition route.h:124
route_ipv6_gateway_address::addr_ipv6
struct in6_addr addr_ipv6
Definition route.h:190
route_ipv6_gateway_address::netbits_ipv6
int netbits_ipv6
Definition route.h:191
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_gateway_info::gateway
struct route_ipv6_gateway_address gateway
Definition route.h:219
route_ipv6_gateway_info::addrs
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:224
route_ipv6_gateway_info::flags
unsigned int flags
Definition route.h:197
route_ipv6_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:216
route_ipv6_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:201
route_ipv6_list
Definition route.h:244
route_ipv6_list::iflags
unsigned int iflags
Definition route.h:245
route_ipv6_list::flags
unsigned int flags
Definition route.h:254
route_ipv6_list::rgi6
struct route_ipv6_gateway_info rgi6
Definition route.h:252
route_ipv6_list::routes_ipv6
struct route_ipv6 * routes_ipv6
Definition route.h:255
route_ipv6_list::spec_flags
unsigned int spec_flags
Definition route.h:247
route_ipv6_list::ngi6
struct route_ipv6_gateway_info ngi6
Definition route.h:253
route_ipv6_list::default_metric
int default_metric
Definition route.h:250
route_ipv6_list::remote_host_ipv6
struct in6_addr remote_host_ipv6
Definition route.h:249
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:256
route_ipv6_list::remote_endpoint_ipv6
struct in6_addr remote_endpoint_ipv6
Definition route.h:248
route_ipv6_option_list
Definition route.h:112
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_ipv6_option_list::routes_ipv6
struct route_ipv6_option * routes_ipv6
Definition route.h:114
route_ipv6_option
Definition route.h:103
route_ipv6_option::next
struct route_ipv6_option * next
Definition route.h:104
route_ipv6_option::gateway
const char * gateway
Definition route.h:106
route_ipv6_option::table_id
int table_id
Definition route.h:108
route_ipv6_option::metric
const char * metric
Definition route.h:107
route_ipv6_option::prefix
const char * prefix
Definition route.h:105
route_ipv6
Definition route.h:134
route_ipv6::gateway
struct in6_addr gateway
Definition route.h:139
route_ipv6::adapter_index
DWORD adapter_index
Definition route.h:144
route_ipv6::netbits
unsigned int netbits
Definition route.h:138
route_ipv6::next
struct route_ipv6 * next
Definition route.h:135
route_ipv6::flags
unsigned int flags
Definition route.h:136
route_ipv6::network
struct in6_addr network
Definition route.h:137
route_ipv6::metric
int metric
Definition route.h:140
route_list
Definition route.h:229
route_list::rgi
struct route_gateway_info rgi
Definition route.h:236
route_list::routes
struct route_ipv4 * routes
Definition route.h:239
route_list::spec
struct route_special_addr spec
Definition route.h:235
route_list::flags
unsigned int flags
Definition route.h:238
route_list::gc
struct gc_arena gc
Definition route.h:240
route_list::ngi
struct route_gateway_info ngi
Definition route.h:237
route_list::iflags
unsigned int iflags
Definition route.h:233
route_message_t
Definition openvpn-msg.h:89
route_message_t::header
message_header_t header
Definition openvpn-msg.h:90
route_message_t::iface
interface_t iface
Definition openvpn-msg.h:95
route_option_list
Definition route.h:96
route_option_list::gc
struct gc_arena * gc
Definition route.h:99
route_option_list::flags
unsigned int flags
Definition route.h:97
route_option_list::routes
struct route_option * routes
Definition route.h:98
route_option
Definition route.h:76
route_option::table_id
int table_id
Definition route.h:81
route_option::network
const char * network
Definition route.h:78
route_option::netmask
const char * netmask
Definition route.h:79
route_option::next
struct route_option * next
Definition route.h:77
route_option::gateway
const char * gateway
Definition route.h:80
route_option::metric
const char * metric
Definition route.h:82
route_special_addr::remote_host
in_addr_t remote_host
Definition route.h:68
route_special_addr::bypass
struct route_bypass bypass
Definition route.h:70
route_special_addr::flags
unsigned int flags
Definition route.h:65
route_special_addr::default_metric
int default_metric
Definition route.h:72
route_special_addr::remote_endpoint
in_addr_t remote_endpoint
Definition route.h:67
route_special_addr::remote_host_local
int remote_host_local
Definition route.h:69
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::type
int type
Definition tun.h:185
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::did_ifconfig_ipv6_setup
bool did_ifconfig_ipv6_setup
if the internal variables related to ifconfig-ipv6 of this struct have been set up.
Definition tun.h:201
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::did_ifconfig_setup
bool did_ifconfig_setup
if the internal variables related to ifconfig of this struct have been set up.
Definition tun.h:197
tuntap::actual_name
char * actual_name
Definition tun.h:207
in_addr_t
uint32_t in_addr_t
Definition syshead.h:52
iface
static char * iface
Definition test_networking.c:8
es
struct env_set * es
Definition test_pkcs11.c:138
r6
char * r6[]
Definition test_push_update_msg.c:418
r1
char * r1[]
Definition test_push_update_msg.c:396
gc
struct gc_arena gc
Definition test_ssl.c:131
get_tun_adapter
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4285
is_adapter_up
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4298
get_adapter_info
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition tun.c:4200
get_per_adapter_info
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition tun.c:4098
is_ip_in_adapter_subnet
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition tun.c:4342
get_adapter_info_list
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition tun.c:4073
get_adapter
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition tun.c:4181
adapter_index_of_ip
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition tun.c:4376
TUN_ADAPTER_INDEX_INVALID
#define TUN_ADAPTER_INDEX_INVALID
Definition tun.h:64
wide_string
WCHAR * wide_string(const char *utf8, struct gc_arena *gc)
Definition win32-util.c:40
netcmd_semaphore_release
void netcmd_semaphore_release(void)
Definition win32.c:867
get_win_sys_path
char * get_win_sys_path(void)
Definition win32.c:1109
netcmd_semaphore_lock
void netcmd_semaphore_lock(void)
Definition win32.c:851
send_msg_iservice
bool send_msg_iservice(HANDLE pipe, const void *data, DWORD size, ack_message_t *ack, const char *context)
Send the size bytes in buffer data to the interactive service pipe and read the result in ack.
Definition win32.c:1423
WIN_ROUTE_PATH_SUFFIX
#define WIN_ROUTE_PATH_SUFFIX
Definition win32.h:40
Generated by doxygen 1.9.8