OpenVPN
route.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23/*
24 * Support routines for adding/deleting network routes.
25 */
26#include <stddef.h>
27#include <stdbool.h>
28
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#include "syshead.h"
34
35#include "common.h"
36#include "error.h"
37#include "route.h"
38#include "run_command.h"
39#include "socket.h"
40#include "manage.h"
41#include "win32.h"
42#include "options.h"
43#include "networking.h"
44#include "integer.h"
45
46#include "memdbg.h"
47
48#if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
49#include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
50#endif
51
52#if defined(TARGET_NETBSD)
53#include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
54#endif
55
56#ifdef _WIN32
57#include "openvpn-msg.h"
58
59#define METRIC_NOT_USED ((DWORD)-1)
60static int add_route_service(const struct route_ipv4 *, const struct tuntap *);
61
62static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
63
64static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
65
66static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
67
68static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
69
70static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt,
71 DWORD adapter_index);
72
73static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
74
75
76#endif
77
78static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
79 const struct route_gateway_info *rgi, const struct env_set *es,
80 openvpn_net_ctx_t *ctx);
81
82static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
83
84#ifdef ENABLE_DEBUG
85
86static void
87print_bypass_addresses(const struct route_bypass *rb)
88{
89 struct gc_arena gc = gc_new();
90 int i;
91 for (i = 0; i < rb->n_bypass; ++i)
92 {
93 msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s", i, print_in_addr_t(rb->bypass[i], 0, &gc));
94 }
95 gc_free(&gc);
96}
97
98#endif
99
100/* Route addition return status codes */
101#define RTA_ERROR 0 /* route addition failed */
102#define RTA_SUCCESS 1 /* route addition succeeded */
103#define RTA_EEXIST 2 /* route not added as it already exists */
104
105static bool
106add_bypass_address(struct route_bypass *rb, const in_addr_t a)
107{
108 int i;
109 for (i = 0; i < rb->n_bypass; ++i)
110 {
111 if (a == rb->bypass[i]) /* avoid duplicates */
112 {
113 return true;
114 }
115 }
116 if (rb->n_bypass < N_ROUTE_BYPASS)
117 {
118 rb->bypass[rb->n_bypass++] = a;
119 return true;
120 }
121 else
122 {
123 return false;
124 }
125}
126
127struct route_option_list *
128new_route_option_list(struct gc_arena *a)
129{
130 struct route_option_list *ret;
131 ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
132 ret->gc = a;
133 return ret;
134}
135
136struct route_ipv6_option_list *
137new_route_ipv6_option_list(struct gc_arena *a)
138{
139 struct route_ipv6_option_list *ret;
140 ALLOC_OBJ_CLEAR_GC(ret, struct route_ipv6_option_list, a);
141 ret->gc = a;
142 return ret;
143}
144
145/*
146 * NOTE: structs are cloned/copied shallow by design.
147 * The routes list from src will stay intact since it is allocated using
148 * the options->gc. The cloned/copied lists will share this common tail
149 * to avoid copying the data around between pulls. Pulled routes use
150 * the c2->gc so they get freed immediately after a reconnect.
151 */
152struct route_option_list *
153clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
154{
155 struct route_option_list *ret;
156 ALLOC_OBJ_GC(ret, struct route_option_list, a);
157 *ret = *src;
158 return ret;
159}
160
161struct route_ipv6_option_list *
162clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
163{
164 struct route_ipv6_option_list *ret;
165 ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
166 *ret = *src;
167 return ret;
168}
169
170void
171copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src,
172 struct gc_arena *a)
173{
174 *dest = *src;
175 dest->gc = a;
176}
177
178void
179copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
180 const struct route_ipv6_option_list *src, struct gc_arena *a)
181{
182 *dest = *src;
183 dest->gc = a;
184}
185
186static const char *
187route_string(const struct route_ipv4 *r, struct gc_arena *gc)
188{
189 struct buffer out = alloc_buf_gc(256, gc);
190 buf_printf(&out, "ROUTE network %s netmask %s gateway %s", print_in_addr_t(r->network, 0, gc),
191 print_in_addr_t(r->netmask, 0, gc), print_in_addr_t(r->gateway, 0, gc));
192 if (r->flags & RT_METRIC_DEFINED)
193 {
194 buf_printf(&out, " metric %d", r->metric);
195 }
196 return BSTR(&out);
197}
198
199static bool
200is_route_parm_defined(const char *parm)
201{
202 if (!parm)
203 {
204 return false;
205 }
206 if (!strcmp(parm, "default"))
207 {
208 return false;
209 }
210 return true;
211}
212
213static void
214setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
215{
216 struct gc_arena gc = gc_new();
217 struct buffer name = alloc_buf_gc(256, &gc);
218 if (i >= 0)
219 {
220 buf_printf(&name, "route_%s_%d", key, i);
221 }
222 else
223 {
224 buf_printf(&name, "route_%s", key);
225 }
226 setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
227 gc_free(&gc);
228}
229
230static bool
231get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
232{
233 if (status)
234 {
235 *status = true;
236 }
237 if (!strcmp(string, "vpn_gateway"))
238 {
239 if (rl)
240 {
241 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
242 {
243 *out = rl->spec.remote_endpoint;
244 }
245 else
246 {
247 msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
248 if (status)
249 {
250 *status = false;
251 }
252 }
253 }
254 return true;
255 }
256 else if (!strcmp(string, "net_gateway"))
257 {
258 if (rl)
259 {
260 if (rl->rgi.flags & RGI_ADDR_DEFINED)
261 {
262 *out = rl->rgi.gateway.addr;
263 }
264 else
265 {
266 msg(M_INFO, PACKAGE_NAME
267 " ROUTE: net_gateway undefined -- unable to get default gateway from system");
268 if (status)
269 {
270 *status = false;
271 }
272 }
273 }
274 return true;
275 }
276 else if (!strcmp(string, "remote_host"))
277 {
278 if (rl)
279 {
280 if (rl->spec.flags & RTSA_REMOTE_HOST)
281 {
282 *out = rl->spec.remote_host;
283 }
284 else
285 {
286 msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
287 if (status)
288 {
289 *status = false;
290 }
291 }
292 }
293 return true;
294 }
295 return false;
296}
297
298bool
299is_special_addr(const char *addr_str)
300{
301 if (addr_str)
302 {
303 return get_special_addr(NULL, addr_str, NULL, NULL);
304 }
305 else
306 {
307 return false;
308 }
309}
310
311static bool
312init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro,
313 const struct route_list *rl)
314{
315 const in_addr_t default_netmask = IPV4_NETMASK_HOST;
316 bool status;
317 int ret;
318 struct in_addr special = { 0 };
319
320 CLEAR(*r);
321 r->option = ro;
322
323 /* network */
324 if (!is_route_parm_defined(ro->network))
325 {
326 goto fail;
327 }
328
329 /* get_special_addr replaces specialaddr with a special ip addr
330 * like gw. getaddrinfo is called to convert a a addrinfo struct */
331
332 if (get_special_addr(rl, ro->network, (in_addr_t *)&special.s_addr, &status))
333 {
334 if (!status)
335 {
336 goto fail;
337 }
338 special.s_addr = htonl(special.s_addr);
339 char buf[INET_ADDRSTRLEN];
340 inet_ntop(AF_INET, &special, buf, sizeof(buf));
341 ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL, AF_INET, network_list);
342 }
343 else
344 {
345 ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL, ro->network, NULL, 0,
346 NULL, AF_INET, network_list);
347 }
348
349 status = (ret == 0);
350
351 if (!status)
352 {
353 goto fail;
354 }
355
356 /* netmask */
357
358 if (is_route_parm_defined(ro->netmask))
359 {
360 r->netmask =
361 getaddr(GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, ro->netmask, 0, &status, NULL);
362 if (!status)
363 {
364 goto fail;
365 }
366 }
367 else
368 {
369 r->netmask = default_netmask;
370 }
371
372 /* gateway */
373
374 if (is_route_parm_defined(ro->gateway))
375 {
376 if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
377 {
378 r->gateway = getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL,
379 ro->gateway, 0, &status, NULL);
380 }
381 if (!status)
382 {
383 goto fail;
384 }
385 }
386 else
387 {
388 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
389 {
390 r->gateway = rl->spec.remote_endpoint;
391 }
392 else
393 {
394 msg(M_WARN, PACKAGE_NAME
395 " ROUTE: " PACKAGE_NAME
396 " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
397 goto fail;
398 }
399 }
400
401 /* metric */
402
403 r->metric = 0;
404 if (is_route_parm_defined(ro->metric))
405 {
406 r->metric = atoi(ro->metric);
407 if (r->metric < 0)
408 {
409 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
410 ro->network, ro->metric);
411 goto fail;
412 }
413 r->flags |= RT_METRIC_DEFINED;
414 }
415 else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
416 {
417 r->metric = rl->spec.default_metric;
418 r->flags |= RT_METRIC_DEFINED;
419 }
420
421 r->flags |= RT_DEFINED;
422
423 /* routing table id */
424 r->table_id = ro->table_id;
425
426 return true;
427
428fail:
429 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
430 ro->network);
431 return false;
432}
433
434static bool
435init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o,
436 const struct route_ipv6_list *rl6)
437{
438 CLEAR(*r6);
439
440 if (!get_ipv6_addr(r6o->prefix, &r6->network, &r6->netbits, M_WARN))
441 {
442 goto fail;
443 }
444
445 /* gateway */
446 if (is_route_parm_defined(r6o->gateway))
447 {
448 if (inet_pton(AF_INET6, r6o->gateway, &r6->gateway) != 1)
449 {
450 msg(M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway);
451 }
452 }
453 else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
454 {
455 r6->gateway = rl6->remote_endpoint_ipv6;
456 }
457
458 /* metric */
459
460 r6->metric = -1;
461 if (is_route_parm_defined(r6o->metric))
462 {
463 r6->metric = atoi(r6o->metric);
464 if (r6->metric < 0)
465 {
466 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
467 r6o->prefix, r6o->metric);
468 goto fail;
469 }
470 r6->flags |= RT_METRIC_DEFINED;
471 }
472 else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
473 {
474 r6->metric = rl6->default_metric;
475 r6->flags |= RT_METRIC_DEFINED;
476 }
477
478 r6->flags |= RT_DEFINED;
479
480 /* routing table id */
481 r6->table_id = r6o->table_id;
482
483 return true;
484
485fail:
486 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
487 r6o->prefix);
488 return false;
489}
490
491void
492add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask,
493 const char *gateway, const char *metric, int table_id)
494{
495 struct route_option *ro;
496 ALLOC_OBJ_GC(ro, struct route_option, l->gc);
497 ro->network = network;
498 ro->netmask = netmask;
499 ro->gateway = gateway;
500 ro->metric = metric;
501 ro->table_id = table_id;
502 ro->next = l->routes;
503 l->routes = ro;
504}
505
506void
507add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix,
508 const char *gateway, const char *metric, int table_id)
509{
510 struct route_ipv6_option *ro;
511 ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
512 ro->prefix = prefix;
513 ro->gateway = gateway;
514 ro->metric = metric;
515 ro->table_id = table_id;
516 ro->next = l->routes_ipv6;
517 l->routes_ipv6 = ro;
518}
519
520static void
521clear_route_list(struct route_list *rl)
522{
523 gc_free(&rl->gc);
524 CLEAR(*rl);
525}
526
527static void
528clear_route_ipv6_list(struct route_ipv6_list *rl6)
529{
530 gc_free(&rl6->gc);
531 CLEAR(*rl6);
532}
533
534void
535route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
536{
537 ASSERT(rl);
538 rl->spec.remote_endpoint = addr;
539 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
540 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
541}
542
543static void
544add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway,
545 in_addr_t target)
546{
547 if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
548 {
549 struct route_ipv4 *r1, *r2;
550 unsigned int l2;
551
552 ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
553 ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
554
555 /* split a route into two smaller blocking routes, and direct them to target */
556 l2 = ((~gateway->netmask) + 1) >> 1;
557 r1->flags = RT_DEFINED;
558 r1->gateway = target;
559 r1->network = gateway->addr & gateway->netmask;
560 r1->netmask = ~(l2 - 1);
561 r1->next = rl->routes;
562 rl->routes = r1;
563
564 *r2 = *r1;
565 r2->network += l2;
566 r2->next = rl->routes;
567 rl->routes = r2;
568 }
569}
570
571static void
572add_block_local_routes(struct route_list *rl)
573{
574#ifndef TARGET_ANDROID
575 /* add bypass for gateway addr */
576 add_bypass_address(&rl->spec.bypass, rl->rgi.gateway.addr);
577#endif
578
579 /* block access to local subnet */
580 add_block_local_item(rl, &rl->rgi.gateway, rl->spec.remote_endpoint);
581
582 /* process additional subnets on gateway interface */
583 for (size_t i = 0; i < rl->rgi.n_addrs; ++i)
584 {
585 const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
586 /* omit the add/subnet in &rl->rgi which we processed above */
587 if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
588 && rl->rgi.gateway.netmask == gwa->netmask))
589 {
590 add_block_local_item(rl, gwa, rl->spec.remote_endpoint);
591 }
592 }
593}
594
595bool
596block_local_needed(const struct route_list *rl)
597{
598 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED);
599 return (rl->flags & RG_BLOCK_LOCAL) && (rl->rgi.flags & rgi_needed) == rgi_needed
600 && (rl->spec.flags & RTSA_REMOTE_ENDPOINT) && rl->spec.remote_host_local != TLA_LOCAL;
601}
602
603bool
604init_route_list(struct route_list *rl, const struct route_option_list *opt,
605 const char *remote_endpoint, int default_metric, in_addr_t remote_host,
606 struct env_set *es, openvpn_net_ctx_t *ctx)
607{
608 struct gc_arena gc = gc_new();
609 bool ret = true;
610
611 clear_route_list(rl);
612
613 rl->flags = opt->flags;
614
615 if (remote_host != IPV4_INVALID_ADDR)
616 {
617 rl->spec.remote_host = remote_host;
618 rl->spec.flags |= RTSA_REMOTE_HOST;
619 }
620
621 if (default_metric)
622 {
623 rl->spec.default_metric = default_metric;
624 rl->spec.flags |= RTSA_DEFAULT_METRIC;
625 }
626
627 get_default_gateway(&rl->rgi, remote_host != IPV4_INVALID_ADDR ? remote_host : INADDR_ANY, ctx);
628 if (rl->rgi.flags & RGI_ADDR_DEFINED)
629 {
630 setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
631#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
632 print_default_gateway(D_ROUTE, &rl->rgi, NULL);
633#endif
634 }
635 else
636 {
637 dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
638 }
639
640 if (rl->spec.flags & RTSA_REMOTE_HOST)
641 {
642 rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
643 }
644
645 if (is_route_parm_defined(remote_endpoint))
646 {
647 bool defined = false;
648 rl->spec.remote_endpoint =
649 getaddr(GETADDR_RESOLVE | GETADDR_HOST_ORDER | GETADDR_WARN_ON_SIGNAL, remote_endpoint,
650 0, &defined, NULL);
651
652 if (defined)
653 {
654 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
655 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
656 }
657 else
658 {
659 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
660 remote_endpoint);
661 ret = false;
662 }
663 }
664
665 if (rl->flags & RG_ENABLE)
666 {
667 if (block_local_needed(rl))
668 {
669 add_block_local_routes(rl);
670 }
671 get_bypass_addresses(&rl->spec.bypass, rl->flags);
672#ifdef ENABLE_DEBUG
673 print_bypass_addresses(&rl->spec.bypass);
674#endif
675 }
676
677 /* parse the routes from opt to rl */
678 {
679 struct route_option *ro;
680 for (ro = opt->routes; ro; ro = ro->next)
681 {
682 struct addrinfo *netlist = NULL;
683 struct route_ipv4 r;
684
685 if (!init_route(&r, &netlist, ro, rl))
686 {
687 ret = false;
688 }
689 else
690 {
691 struct addrinfo *curele;
692 for (curele = netlist; curele; curele = curele->ai_next)
693 {
694 struct route_ipv4 *new;
695 ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
696 *new = r;
697 new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
698 new->next = rl->routes;
699 rl->routes = new;
700 }
701 }
702 if (netlist)
703 {
704 gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
705 }
706 }
707 }
708
709 gc_free(&gc);
710 return ret;
711}
712
713bool
714ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
715{
716 /* not the most beautiful implementation in the world, but portable and
717 * "good enough" */
718 if (bits > 128)
719 {
720 return false;
721 }
722
723 int i;
724 for (i = 0; bits >= 8; i++, bits -= 8)
725 {
726 if (network->s6_addr[i] != host->s6_addr[i])
727 {
728 return false;
729 }
730 }
731
732 if (bits == 0)
733 {
734 return true;
735 }
736
737 unsigned int mask = 0xff << (8 - bits);
738
739 if ((network->s6_addr[i] & mask) == (host->s6_addr[i] & mask))
740 {
741 return true;
742 }
743
744 return false;
745}
746
747bool
748init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6,
749 const char *remote_endpoint, int default_metric,
750 const struct in6_addr *remote_host_ipv6, struct env_set *es,
751 openvpn_net_ctx_t *ctx)
752{
753 struct gc_arena gc = gc_new();
754 bool ret = true;
755 bool need_remote_ipv6_route;
756
757 clear_route_ipv6_list(rl6);
758
759 rl6->flags = opt6->flags;
760
761 if (remote_host_ipv6)
762 {
763 rl6->remote_host_ipv6 = *remote_host_ipv6;
764 rl6->spec_flags |= RTSA_REMOTE_HOST;
765 }
766
767 if (default_metric >= 0)
768 {
769 rl6->default_metric = default_metric;
770 rl6->spec_flags |= RTSA_DEFAULT_METRIC;
771 }
772
773 msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
774 remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a");
775
776 get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
777 if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
778 {
779 setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
780#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
781 print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
782#endif
783 }
784 else
785 {
786 dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
787 }
788
789 if (is_route_parm_defined(remote_endpoint))
790 {
791 if (inet_pton(AF_INET6, remote_endpoint, &rl6->remote_endpoint_ipv6) == 1)
792 {
793 rl6->spec_flags |= RTSA_REMOTE_ENDPOINT;
794 }
795 else
796 {
797 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s",
798 remote_endpoint);
799 ret = false;
800 }
801 }
802
803 /* parse the routes from opt6 to rl6
804 * discovering potential overlaps with remote_host_ipv6 in the process
805 */
806 need_remote_ipv6_route = false;
807
808 {
809 struct route_ipv6_option *ro6;
810 for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
811 {
812 struct route_ipv6 *r6;
813 ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
814 if (!init_route_ipv6(r6, ro6, rl6))
815 {
816 ret = false;
817 }
818 else
819 {
820 r6->next = rl6->routes_ipv6;
821 rl6->routes_ipv6 = r6;
822
823#ifndef TARGET_ANDROID
824 /* On Android the VPNService protect function call will take of
825 * avoiding routing loops, so ignore this part and let
826 * need_remote_ipv6_route always evaluate to false
827 */
828 if (remote_host_ipv6
829 && ipv6_net_contains_host(&r6->network, r6->netbits, remote_host_ipv6))
830 {
831 need_remote_ipv6_route = true;
832 msg(D_ROUTE,
833 "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
834 print_in6_addr(r6->network, 0, &gc), r6->netbits,
835 print_in6_addr(*remote_host_ipv6, 0, &gc));
836 }
837#endif
838 }
839 }
840 }
841
842 /* add VPN server host route if needed */
843 if (need_remote_ipv6_route)
844 {
845 if ((rl6->rgi6.flags & (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
846 == (RGI_ADDR_DEFINED | RGI_IFACE_DEFINED))
847 {
848 struct route_ipv6 *r6;
849 ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
850
851 r6->network = *remote_host_ipv6;
852 r6->netbits = 128;
853 if (!(rl6->rgi6.flags & RGI_ON_LINK))
854 {
855 r6->gateway = rl6->rgi6.gateway.addr_ipv6;
856 }
857 r6->metric = 1;
858#ifdef _WIN32
859 r6->adapter_index = rl6->rgi6.adapter_index;
860#else
861 r6->iface = rl6->rgi6.iface;
862#endif
863 r6->flags = RT_DEFINED | RT_METRIC_DEFINED;
864
865 r6->next = rl6->routes_ipv6;
866 rl6->routes_ipv6 = r6;
867 }
868 else
869 {
870 msg(M_WARN,
871 "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n");
872 }
873 }
874
875 gc_free(&gc);
876 return ret;
877}
878
879static bool
880add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
881 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
882 openvpn_net_ctx_t *ctx)
883{
884 struct route_ipv4 r;
885 CLEAR(r);
886 r.flags = RT_DEFINED;
887 r.network = network;
888 r.netmask = netmask;
889 r.gateway = gateway;
890 return add_route(&r, tt, flags, rgi, es, ctx);
891}
892
893static void
894del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt,
895 unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es,
896 openvpn_net_ctx_t *ctx)
897{
898 struct route_ipv4 r;
899 CLEAR(r);
900 r.flags = RT_DEFINED | RT_ADDED;
901 r.network = network;
902 r.netmask = netmask;
903 r.gateway = gateway;
904 delete_route(&r, tt, flags, rgi, es, ctx);
905}
906
907static bool
908add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
909 unsigned int flags, const struct route_gateway_info *rgi,
910 const struct env_set *es, openvpn_net_ctx_t *ctx)
911{
912 int ret = true;
913 for (int i = 0; i < rb->n_bypass; ++i)
914 {
915 if (rb->bypass[i])
916 {
917 ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW,
918 rgi, es, ctx)
919 && ret;
920 }
921 }
922 return ret;
923}
924
925static void
926del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt,
927 unsigned int flags, const struct route_gateway_info *rgi,
928 const struct env_set *es, openvpn_net_ctx_t *ctx)
929{
930 int i;
931 for (i = 0; i < rb->n_bypass; ++i)
932 {
933 if (rb->bypass[i])
934 {
935 del_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt, flags | ROUTE_REF_GW, rgi, es,
936 ctx);
937 }
938 }
939}
940
941static bool
942redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
943 const struct env_set *es, openvpn_net_ctx_t *ctx)
944{
945 const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
946 bool ret = true;
947
948 if (rl && rl->flags & RG_ENABLE)
949 {
950 bool local = rl->flags & RG_LOCAL;
951
952 if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
953 {
954 msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
955 ret = false;
956 }
957 /*
958 * check if a default route is defined, unless:
959 * - we are connecting to a remote host in our network
960 * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
961 */
962 else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
963 && (rl->spec.flags & RTSA_REMOTE_HOST))
964 {
965 msg(M_WARN, "%s Cannot read current default gateway from system", err);
966 ret = false;
967 }
968 else
969 {
970#ifndef TARGET_ANDROID
971 if (rl->flags & RG_AUTO_LOCAL)
972 {
973 const int tla = rl->spec.remote_host_local;
974 if (tla == TLA_NONLOCAL)
975 {
976 dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
977 local = false;
978 }
979 else if (tla == TLA_LOCAL)
980 {
981 dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
982 local = true;
983 }
984 }
985 if (!local)
986 {
987 /* route remote host to original default gateway */
988 /* if remote_host is not ipv4 (ie: ipv6), just skip
989 * adding this special /32 route */
990 if ((rl->spec.flags & RTSA_REMOTE_HOST)
991 && rl->spec.remote_host != IPV4_INVALID_ADDR)
992 {
993 ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr,
994 tt, flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
995 if (ret)
996 {
997 rl->iflags |= RL_DID_LOCAL;
998 }
999 }
1000 else
1001 {
1002 dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1003 }
1004 }
1005#endif /* ifndef TARGET_ANDROID */
1006
1007 /* route DHCP/DNS server traffic through original default gateway */
1008 ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es,
1009 ctx)
1010 && ret;
1011
1012 if (rl->flags & RG_REROUTE_GW)
1013 {
1014 if (rl->flags & RG_DEF1)
1015 {
1016 /* add new default route (1st component) */
1017 ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1018 &rl->rgi, es, ctx)
1019 && ret;
1020
1021 /* add new default route (2nd component) */
1022 ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags,
1023 &rl->rgi, es, ctx)
1024 && ret;
1025 }
1026 else
1027 {
1028 /* don't try to remove the def route if it does not exist */
1029 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1030 {
1031 /* delete default route */
1032 del_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi,
1033 es, ctx);
1034 }
1035
1036 /* add new default route */
1037 ret = add_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx)
1038 && ret;
1039 }
1040 }
1041
1042 /* set a flag so we can undo later */
1043 rl->iflags |= RL_DID_REDIRECT_DEFAULT_GATEWAY;
1044 }
1045 }
1046 return ret;
1047}
1048
1049static void
1050undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
1051 unsigned int flags, const struct env_set *es,
1052 openvpn_net_ctx_t *ctx)
1053{
1054 if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1055 {
1056 /* delete remote host route */
1057 if (rl->iflags & RL_DID_LOCAL)
1058 {
1059 del_route3(rl->spec.remote_host, IPV4_NETMASK_HOST, rl->rgi.gateway.addr, tt,
1060 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1061 rl->iflags &= ~RL_DID_LOCAL;
1062 }
1063
1064 /* delete special DHCP/DNS bypass route */
1065 del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags, &rl->rgi, es, ctx);
1066
1067 if (rl->flags & RG_REROUTE_GW)
1068 {
1069 if (rl->flags & RG_DEF1)
1070 {
1071 /* delete default route (1st component) */
1072 del_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1073 es, ctx);
1074
1075 /* delete default route (2nd component) */
1076 del_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint, tt, flags, &rl->rgi,
1077 es, ctx);
1078 }
1079 else
1080 {
1081 /* delete default route */
1082 del_route3(0, 0, rl->spec.remote_endpoint, tt, flags, &rl->rgi, es, ctx);
1083 /* restore original default route if there was any */
1084 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1085 {
1086 add_route3(0, 0, rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW, &rl->rgi, es,
1087 ctx);
1088 }
1089 }
1090 }
1091
1092 rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY;
1093 }
1094}
1095
1096bool
1097add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1098 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1099{
1100 bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1101 if (rl && !(rl->iflags & RL_ROUTES_ADDED))
1102 {
1103 struct route_ipv4 *r;
1104
1105 if (rl->routes && !tt->did_ifconfig_setup)
1106 {
1107 msg(M_INFO,
1108 "WARNING: OpenVPN was configured to add an IPv4 "
1109 "route. However, no IPv4 has been configured for %s, "
1110 "therefore the route installation may fail or may not work "
1111 "as expected.",
1112 tt->actual_name);
1113 }
1114
1115#ifdef ENABLE_MANAGEMENT
1116 if (management && rl->routes)
1117 {
1118 management_set_state(management, OPENVPN_STATE_ADD_ROUTES, NULL, NULL, NULL, NULL,
1119 NULL);
1120 }
1121#endif
1122
1123 for (r = rl->routes; r; r = r->next)
1124 {
1125 if (flags & ROUTE_DELETE_FIRST)
1126 {
1127 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1128 }
1129 ret = add_route(r, tt, flags, &rl->rgi, es, ctx) && ret;
1130 }
1131 rl->iflags |= RL_ROUTES_ADDED;
1132 }
1133 if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED))
1134 {
1135 struct route_ipv6 *r;
1136
1137 if (!tt->did_ifconfig_ipv6_setup)
1138 {
1139 msg(M_INFO,
1140 "WARNING: OpenVPN was configured to add an IPv6 "
1141 "route. However, no IPv6 has been configured for %s, "
1142 "therefore the route installation may fail or may not work "
1143 "as expected.",
1144 tt->actual_name);
1145 }
1146
1147 for (r = rl6->routes_ipv6; r; r = r->next)
1148 {
1149 if (flags & ROUTE_DELETE_FIRST)
1150 {
1151 delete_route_ipv6(r, tt, es, ctx);
1152 }
1153 ret = add_route_ipv6(r, tt, flags, es, ctx) && ret;
1154 }
1155 rl6->iflags |= RL_ROUTES_ADDED;
1156 }
1157
1158 return ret;
1159}
1160
1161void
1162delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt,
1163 unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
1164{
1165 delete_routes_v4(rl, tt, flags, es, ctx);
1166 delete_routes_v6(rl6, tt, flags, es, ctx);
1167}
1168
1169void
1170delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags,
1171 const struct env_set *es, openvpn_net_ctx_t *ctx)
1172{
1173 if (rl && (rl->iflags & RL_ROUTES_ADDED))
1174 {
1175 struct route_ipv4 *r;
1176 for (r = rl->routes; r; r = r->next)
1177 {
1178 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1179 }
1180 rl->iflags &= ~RL_ROUTES_ADDED;
1181 }
1182
1183 undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1184
1185 if (rl)
1186 {
1187 clear_route_list(rl);
1188 }
1189}
1190
1191void
1192delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags,
1193 const struct env_set *es, openvpn_net_ctx_t *ctx)
1194{
1195 if (rl6 && (rl6->iflags & RL_ROUTES_ADDED))
1196 {
1197 struct route_ipv6 *r6;
1198 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1199 {
1200 delete_route_ipv6(r6, tt, es, ctx);
1201 }
1202 rl6->iflags &= ~RL_ROUTES_ADDED;
1203 }
1204
1205 if (rl6)
1206 {
1207 clear_route_ipv6_list(rl6);
1208 }
1209}
1210
1211#ifndef ENABLE_SMALL
1212
1213static const char *
1214show_opt(const char *option)
1215{
1216 if (!option)
1217 {
1218 return "default (not set)";
1219 }
1220 else
1221 {
1222 return option;
1223 }
1224}
1225
1226static void
1227print_route_option(const struct route_option *ro, msglvl_t msglevel)
1228{
1229 msg(msglevel, " route %s/%s/%s/%s", show_opt(ro->network), show_opt(ro->netmask),
1230 show_opt(ro->gateway), show_opt(ro->metric));
1231}
1232
1233void
1234print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
1235{
1236 struct route_option *ro;
1237 if (rol->flags & RG_ENABLE)
1238 {
1239 msg(msglevel, " [redirect_default_gateway local=%d]", (rol->flags & RG_LOCAL) != 0);
1240 }
1241 for (ro = rol->routes; ro; ro = ro->next)
1242 {
1243 print_route_option(ro, msglevel);
1244 }
1245}
1246
1247void
1248print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi,
1249 const struct route_ipv6_gateway_info *rgi6)
1250{
1251 struct gc_arena gc = gc_new();
1252 if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1253 {
1254 struct buffer out = alloc_buf_gc(256, &gc);
1255 buf_printf(&out, "ROUTE_GATEWAY");
1256 if (rgi->flags & RGI_ON_LINK)
1257 {
1258 buf_printf(&out, " ON_LINK");
1259 }
1260 else
1261 {
1262 buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1263 }
1264 if (rgi->flags & RGI_NETMASK_DEFINED)
1265 {
1266 buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1267 }
1268#ifdef _WIN32
1269 if (rgi->flags & RGI_IFACE_DEFINED)
1270 {
1271 buf_printf(&out, " I=%lu", rgi->adapter_index);
1272 }
1273#else
1274 if (rgi->flags & RGI_IFACE_DEFINED)
1275 {
1276 buf_printf(&out, " IFACE=%s", rgi->iface);
1277 }
1278#endif
1279 if (rgi->flags & RGI_HWADDR_DEFINED)
1280 {
1281 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1282 }
1283 msg(msglevel, "%s", BSTR(&out));
1284 }
1285
1286 if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1287 {
1288 struct buffer out = alloc_buf_gc(256, &gc);
1289 buf_printf(&out, "ROUTE6_GATEWAY");
1290 buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1291 if (rgi6->flags & RGI_ON_LINK)
1292 {
1293 buf_printf(&out, " ON_LINK");
1294 }
1295 if (rgi6->flags & RGI_NETMASK_DEFINED)
1296 {
1297 buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1298 }
1299#ifdef _WIN32
1300 if (rgi6->flags & RGI_IFACE_DEFINED)
1301 {
1302 buf_printf(&out, " I=%lu", rgi6->adapter_index);
1303 }
1304#else
1305 if (rgi6->flags & RGI_IFACE_DEFINED)
1306 {
1307 buf_printf(&out, " IFACE=%s", rgi6->iface);
1308 }
1309#endif
1310 if (rgi6->flags & RGI_HWADDR_DEFINED)
1311 {
1312 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1313 }
1314 msg(msglevel, "%s", BSTR(&out));
1315 }
1316 gc_free(&gc);
1317}
1318
1319#endif /* ifndef ENABLE_SMALL */
1320
1321static void
1322print_route(const struct route_ipv4 *r, msglvl_t msglevel)
1323{
1324 struct gc_arena gc = gc_new();
1325 if (r->flags & RT_DEFINED)
1326 {
1327 msg(msglevel, "%s", route_string(r, &gc));
1328 }
1329 gc_free(&gc);
1330}
1331
1332void
1333print_routes(const struct route_list *rl, msglvl_t msglevel)
1334{
1335 struct route_ipv4 *r;
1336 for (r = rl->routes; r; r = r->next)
1337 {
1338 print_route(r, msglevel);
1339 }
1340}
1341
1342static void
1343setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1344{
1345 struct gc_arena gc = gc_new();
1346 if (r->flags & RT_DEFINED)
1347 {
1348 setenv_route_addr(es, "network", r->network, i);
1349 setenv_route_addr(es, "netmask", r->netmask, i);
1350 setenv_route_addr(es, "gateway", r->gateway, i);
1351
1352 if (r->flags & RT_METRIC_DEFINED)
1353 {
1354 struct buffer name = alloc_buf_gc(256, &gc);
1355 buf_printf(&name, "route_metric_%d", i);
1356 setenv_int(es, BSTR(&name), r->metric);
1357 }
1358 }
1359 gc_free(&gc);
1360}
1361
1362void
1363setenv_routes(struct env_set *es, const struct route_list *rl)
1364{
1365 int i = 1;
1366 struct route_ipv4 *r;
1367 for (r = rl->routes; r; r = r->next)
1368 {
1369 setenv_route(es, r, i++);
1370 }
1371}
1372
1373static void
1374setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1375{
1376 struct gc_arena gc = gc_new();
1377 if (r6->flags & RT_DEFINED)
1378 {
1379 struct buffer name1 = alloc_buf_gc(256, &gc);
1380 struct buffer val = alloc_buf_gc(256, &gc);
1381 struct buffer name2 = alloc_buf_gc(256, &gc);
1382
1383 buf_printf(&name1, "route_ipv6_network_%d", i);
1384 buf_printf(&val, "%s/%d", print_in6_addr(r6->network, 0, &gc), r6->netbits);
1385 setenv_str(es, BSTR(&name1), BSTR(&val));
1386
1387 buf_printf(&name2, "route_ipv6_gateway_%d", i);
1388 setenv_str(es, BSTR(&name2), print_in6_addr(r6->gateway, 0, &gc));
1389
1390 if (r6->flags & RT_METRIC_DEFINED)
1391 {
1392 struct buffer name3 = alloc_buf_gc(256, &gc);
1393 buf_printf(&name3, "route_ipv6_metric_%d", i);
1394 setenv_int(es, BSTR(&name3), r6->metric);
1395 }
1396 }
1397 gc_free(&gc);
1398}
1399void
1400setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1401{
1402 int i = 1;
1403 struct route_ipv6 *r6;
1404 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1405 {
1406 setenv_route_ipv6(es, r6, i++);
1407 }
1408}
1409
1410/*
1411 * local_route() determines whether the gateway of a provided host
1412 * route is on the same interface that owns the default gateway.
1413 * It uses the data structure
1414 * returned by get_default_gateway() (struct route_gateway_info)
1415 * to determine this. If the route is local, LR_MATCH is returned.
1416 * When adding routes into the kernel, if LR_MATCH is defined for
1417 * a given route, the route should explicitly reference the default
1418 * gateway interface as the route destination. For example, here
1419 * is an example on Linux that uses LR_MATCH:
1420 *
1421 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1422 *
1423 * This capability is needed by the "default-gateway block-local"
1424 * directive, to allow client access to the local subnet to be
1425 * blocked but still allow access to the local default gateway.
1426 */
1427
1428/* local_route() return values */
1429#define LR_NOMATCH 0 /* route is not local */
1430#define LR_MATCH 1 /* route is local */
1431#define LR_ERROR 2 /* caller should abort adding route */
1432
1433static int
1434local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway,
1435 const struct route_gateway_info *rgi)
1436{
1437 /* set LR_MATCH on local host routes */
1438 const int rgi_needed = (RGI_ADDR_DEFINED | RGI_NETMASK_DEFINED | RGI_IFACE_DEFINED);
1439 if (rgi && (rgi->flags & rgi_needed) == rgi_needed && gateway == rgi->gateway.addr
1440 && netmask == 0xFFFFFFFF)
1441 {
1442 if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1443 {
1444 return LR_MATCH;
1445 }
1446 else
1447 {
1448 /* examine additional subnets on gateway interface */
1449 size_t i;
1450 for (i = 0; i < rgi->n_addrs; ++i)
1451 {
1452 const struct route_gateway_address *gwa = &rgi->addrs[i];
1453 if (((network ^ gwa->addr) & gwa->netmask) == 0)
1454 {
1455 return LR_MATCH;
1456 }
1457 }
1458 }
1459 }
1460 return LR_NOMATCH;
1461}
1462
1463/* Return true if the "on-link" form of the route should be used. This is when the gateway for
1464 * a route is specified as an interface rather than an address. */
1465#if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
1466static inline bool
1467is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1468{
1469 return rgi
1470 && (is_local_route == LR_MATCH
1471 || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1472}
1473#endif
1474
1475bool
1476add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
1477 const struct route_gateway_info *rgi, /* may be NULL */
1478 const struct env_set *es, openvpn_net_ctx_t *ctx)
1479{
1480 int status = 0;
1481 int is_local_route;
1482
1483 if (!(r->flags & RT_DEFINED))
1484 {
1485 return true; /* no error */
1486 }
1487
1488 struct argv argv = argv_new();
1489 struct gc_arena gc = gc_new();
1490
1491#if !defined(TARGET_LINUX)
1492 const char *network = print_in_addr_t(r->network, 0, &gc);
1493#if !defined(TARGET_AIX)
1494 const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1495#endif
1496 const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1497#endif
1498
1499 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1500 if (is_local_route == LR_ERROR)
1501 {
1502 goto done;
1503 }
1504
1505#if defined(TARGET_LINUX)
1506 const char *iface = NULL;
1507 int metric = -1;
1508
1509 if (is_on_link(is_local_route, flags, rgi))
1510 {
1511 iface = rgi->iface;
1512 }
1513
1514 if (r->flags & RT_METRIC_DEFINED)
1515 {
1516 metric = r->metric;
1517 }
1518
1519
1520 status = RTA_SUCCESS;
1521 int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway,
1522 iface, r->table_id, metric);
1523 if (ret == -EEXIST)
1524 {
1525 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1526 status = RTA_EEXIST;
1527 }
1528 else if (ret < 0)
1529 {
1530 msg(M_WARN, "ERROR: Linux route add command failed");
1531 status = RTA_ERROR;
1532 }
1533
1534#elif defined(TARGET_ANDROID)
1535 char out[128];
1536
1537 if (rgi)
1538 {
1539 snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1540 }
1541 else
1542 {
1543 snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1544 }
1545 bool ret = management_android_control(management, "ROUTE", out);
1546 status = ret ? RTA_SUCCESS : RTA_ERROR;
1547
1548#elif defined(_WIN32)
1549 {
1550 DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1551 argv_printf(&argv, "%s%s ADD %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
1552 network, netmask, gateway);
1553 if (r->flags & RT_METRIC_DEFINED)
1554 {
1555 argv_printf_cat(&argv, "METRIC %d", r->metric);
1556 }
1557 if (is_on_link(is_local_route, flags, rgi))
1558 {
1559 ai = rgi->adapter_index;
1560 argv_printf_cat(&argv, "IF %lu", ai);
1561 }
1562
1563 argv_msg(D_ROUTE, &argv);
1564
1565 const char *method = "service";
1566 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1567 {
1568 status = add_route_service(r, tt);
1569 }
1570 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1571 {
1572 status = add_route_ipapi(r, tt, ai);
1573 method = "ipapi";
1574 }
1575 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1576 {
1577 netcmd_semaphore_lock();
1578 bool ret =
1579 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route add command failed");
1580 status = ret ? RTA_SUCCESS : RTA_ERROR;
1581 netcmd_semaphore_release();
1582 method = "route.exe";
1583 }
1584 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1585 {
1586 status = add_route_ipapi(r, tt, ai);
1587 method = "ipapi [adaptive]";
1588 if (status == RTA_ERROR)
1589 {
1590 msg(D_ROUTE, "Route addition fallback to route.exe");
1591 netcmd_semaphore_lock();
1592 bool ret = openvpn_execve_check(
1593 &argv, es, 0, "ERROR: Windows route add command failed [adaptive]");
1594 status = ret ? RTA_SUCCESS : RTA_ERROR;
1595 netcmd_semaphore_release();
1596 method = "route.exe";
1597 }
1598 }
1599 else
1600 {
1601 ASSERT(0);
1602 }
1603 if (status != RTA_ERROR) /* error is logged upstream */
1604 {
1605 msg(D_ROUTE, "Route addition via %s %s", method,
1606 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
1607 }
1608 }
1609
1610#elif defined(TARGET_SOLARIS)
1611
1612 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1613
1614 argv_printf(&argv, "%s add", ROUTE_PATH);
1615
1616 argv_printf_cat(&argv, "%s -netmask %s %s", network, netmask, gateway);
1617
1618 /* Solaris can only distinguish between "metric 0" == "on-link on the
1619 * interface where the IP address given is configured" and "metric > 0"
1620 * == "use gateway specified" (no finer-grained route metrics available)
1621 *
1622 * More recent versions of Solaris can also do "-interface", but that
1623 * would break backwards compatibility with older versions for no gain.
1624 */
1625 if (r->flags & RT_METRIC_DEFINED)
1626 {
1627 argv_printf_cat(&argv, "%d", r->metric);
1628 }
1629
1630 argv_msg(D_ROUTE, &argv);
1631 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add command failed");
1632 status = ret ? RTA_SUCCESS : RTA_ERROR;
1633
1634#elif defined(TARGET_FREEBSD)
1635
1636 argv_printf(&argv, "%s add", ROUTE_PATH);
1637
1638#if 0
1639 if (r->flags & RT_METRIC_DEFINED)
1640 {
1641 argv_printf_cat(&argv, "-rtt %d", r->metric);
1642 }
1643#endif
1644
1645 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1646
1647 /* FIXME -- add on-link support for FreeBSD */
1648
1649 argv_msg(D_ROUTE, &argv);
1650 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route add command failed");
1651 status = ret ? RTA_SUCCESS : RTA_ERROR;
1652
1653#elif defined(TARGET_DRAGONFLY)
1654
1655 argv_printf(&argv, "%s add", ROUTE_PATH);
1656
1657#if 0
1658 if (r->flags & RT_METRIC_DEFINED)
1659 {
1660 argv_printf_cat(&argv, "-rtt %d", r->metric);
1661 }
1662#endif
1663
1664 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1665
1666 /* FIXME -- add on-link support for Dragonfly */
1667
1668 argv_msg(D_ROUTE, &argv);
1669 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route add command failed");
1670 status = ret ? RTA_SUCCESS : RTA_ERROR;
1671
1672#elif defined(TARGET_DARWIN)
1673
1674 argv_printf(&argv, "%s add", ROUTE_PATH);
1675
1676#if 0
1677 if (r->flags & RT_METRIC_DEFINED)
1678 {
1679 argv_printf_cat(&argv, "-rtt %d", r->metric);
1680 }
1681#endif
1682
1683 if (is_on_link(is_local_route, flags, rgi))
1684 {
1685 /* Mac OS X route syntax for ON_LINK:
1686 * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1687 argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s", network, netmask,
1688 rgi->iface);
1689 }
1690 else
1691 {
1692 argv_printf_cat(&argv, "-net %s %s %s", network, gateway, netmask);
1693 }
1694
1695 argv_msg(D_ROUTE, &argv);
1696 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OS X route add command failed");
1697 status = ret ? RTA_SUCCESS : RTA_ERROR;
1698
1699#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1700
1701 argv_printf(&argv, "%s add", ROUTE_PATH);
1702
1703#if 0
1704 if (r->flags & RT_METRIC_DEFINED)
1705 {
1706 argv_printf_cat(&argv, "-rtt %d", r->metric);
1707 }
1708#endif
1709
1710 argv_printf_cat(&argv, "-net %s %s -netmask %s", network, gateway, netmask);
1711
1712 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1713
1714 argv_msg(D_ROUTE, &argv);
1715 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1716 status = ret ? RTA_SUCCESS : RTA_ERROR;
1717
1718#elif defined(TARGET_AIX)
1719
1720 {
1721 int netbits = netmask_to_netbits2(r->netmask);
1722 argv_printf(&argv, "%s add -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
1723 argv_msg(D_ROUTE, &argv);
1724 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1725 status = ret ? RTA_SUCCESS : RTA_ERROR;
1726 }
1727
1728#elif defined(TARGET_HAIKU)
1729
1730 /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
1731 argv_printf(&argv, "%s add %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
1732 gateway, netmask);
1733 argv_msg(D_ROUTE, &argv);
1734 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route add command failed");
1735 status = ret ? RTA_SUCCESS : RTA_ERROR;
1736
1737#else /* if defined(TARGET_LINUX) */
1738 msg(M_FATAL,
1739 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1740#endif /* if defined(TARGET_LINUX) */
1741
1742done:
1743 if (status == RTA_SUCCESS)
1744 {
1745 r->flags |= RT_ADDED;
1746 }
1747 else
1748 {
1749 r->flags &= ~RT_ADDED;
1750 }
1751 argv_free(&argv);
1752 gc_free(&gc);
1753 /* release resources potentially allocated during route setup */
1754 net_ctx_reset(ctx);
1755
1756 return (status != RTA_ERROR);
1757}
1758
1759#if defined(__GNUC__) || defined(__clang__)
1760#pragma GCC diagnostic push
1761#pragma GCC diagnostic ignored "-Wconversion"
1762#endif
1763
1764void
1765route_ipv6_clear_host_bits(struct route_ipv6 *r6)
1766{
1767 /* clear host bit parts of route
1768 * (needed if routes are specified improperly, or if we need to
1769 * explicitly setup/clear the "connected" network routes on some OSes)
1770 */
1771 int byte = 15;
1772 int bits_to_clear = 128 - r6->netbits;
1773
1774 while (byte >= 0 && bits_to_clear > 0)
1775 {
1776 if (bits_to_clear >= 8)
1777 {
1778 r6->network.s6_addr[byte--] = 0;
1779 bits_to_clear -= 8;
1780 }
1781 else
1782 {
1783 r6->network.s6_addr[byte--] &= (0xff << bits_to_clear);
1784 bits_to_clear = 0;
1785 }
1786 }
1787}
1788
1789bool
1790add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags,
1791 const struct env_set *es, openvpn_net_ctx_t *ctx)
1792{
1793 int status = 0;
1794 bool gateway_needed = false;
1795
1796 if (!(r6->flags & RT_DEFINED))
1797 {
1798 return true; /* no error */
1799 }
1800
1801 struct argv argv = argv_new();
1802 struct gc_arena gc = gc_new();
1803
1804#ifndef _WIN32
1805 const char *device = tt->actual_name;
1806 if (r6->iface != NULL) /* vpn server special route */
1807 {
1808 device = r6->iface;
1809 if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1810 {
1811 gateway_needed = true;
1812 }
1813 }
1814#endif
1815
1816 route_ipv6_clear_host_bits(r6);
1817 const char *network = print_in6_addr(r6->network, 0, &gc);
1818 const char *gateway = print_in6_addr(r6->gateway, 0, &gc);
1819
1820#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1821 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1822
1823 /* the BSD platforms cannot specify gateway and interface independently,
1824 * but for link-local destinations, we MUST specify the interface, so
1825 * we build a combined "$gateway%$interface" gateway string
1826 */
1827 if (r6->iface != NULL && gateway_needed
1828 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
1829 {
1830 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
1831 char *tmp = gc_malloc(len, true, &gc);
1832 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
1833 gateway = tmp;
1834 }
1835#endif
1836
1837#ifndef _WIN32
1838 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s", network, r6->netbits, gateway,
1839 r6->metric, device);
1840#else
1841 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu", network, r6->netbits, gateway,
1842 r6->metric, r6->adapter_index ? r6->adapter_index : tt->adapter_index);
1843#endif
1844
1845 /*
1846 * Filter out routes which are essentially no-ops
1847 * (not currently done for IPv6)
1848 */
1849
1850 /* On "tun" interface, we never set a gateway if the operating system
1851 * can do "route to interface" - it does not add value, as the target
1852 * dev already fully qualifies the route destination on point-to-point
1853 * interfaces. OTOH, on "tap" interface, we must always set the
1854 * gateway unless the route is to be an on-link network
1855 */
1856 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
1857 {
1858 gateway_needed = true;
1859 }
1860
1861 if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
1862 {
1863 msg(M_WARN,
1864 "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
1865 "parameter for a --route-ipv6 option and no default was set via "
1866 "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
1867 "IPv6 route to %s/%d.",
1868 network, r6->netbits);
1869 status = 0;
1870 goto done;
1871 }
1872
1873#if defined(TARGET_LINUX)
1874 int metric = -1;
1875 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
1876 {
1877 metric = r6->metric;
1878 }
1879
1880 status = RTA_SUCCESS;
1881 int ret = net_route_v6_add(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
1882 device, r6->table_id, metric);
1883 if (ret == -EEXIST)
1884 {
1885 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1886 status = RTA_EEXIST;
1887 }
1888 else if (ret < 0)
1889 {
1890 msg(M_WARN, "ERROR: Linux route add command failed");
1891 status = RTA_ERROR;
1892 }
1893
1894#elif defined(TARGET_ANDROID)
1895 char out[64];
1896
1897 snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
1898
1899 status = management_android_control(management, "ROUTE6", out);
1900
1901#elif defined(_WIN32)
1902
1903 if (tt->options.msg_channel)
1904 {
1905 status = add_route_ipv6_service(r6, tt);
1906 }
1907 else
1908 {
1909 status = route_ipv6_ipapi(true, r6, tt);
1910 }
1911#elif defined(TARGET_SOLARIS)
1912
1913 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1914
1915 /* for some reason, routes to tun/tap do not work for me unless I set
1916 * "metric 0" - otherwise, the routes will be nicely installed, but
1917 * packets will just disappear somewhere. So we always use "0" now,
1918 * unless the route points to "gateway on other interface"...
1919 *
1920 * (Note: OpenSolaris can not specify host%interface gateways, so we just
1921 * use the GW addresses - it seems to still work for fe80:: addresses,
1922 * however this is done internally. NUD maybe?)
1923 */
1924 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1925
1926 /* on tun (not tap), not "elsewhere"? -> metric 0 */
1927 if (tt->type == DEV_TYPE_TUN && !r6->iface)
1928 {
1929 argv_printf_cat(&argv, "0");
1930 }
1931
1932 argv_msg(D_ROUTE, &argv);
1933 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route add -inet6 command failed");
1934 status = ret ? RTA_SUCCESS : RTA_ERROR;
1935
1936#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1937
1938 argv_printf(&argv, "%s add -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
1939
1940 if (gateway_needed)
1941 {
1942 argv_printf_cat(&argv, "%s", gateway);
1943 }
1944 else
1945 {
1946 argv_printf_cat(&argv, "-iface %s", device);
1947 }
1948
1949 argv_msg(D_ROUTE, &argv);
1950 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route add -inet6 command failed");
1951 status = ret ? RTA_SUCCESS : RTA_ERROR;
1952
1953#elif defined(TARGET_DARWIN)
1954
1955 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
1956
1957 if (gateway_needed)
1958 {
1959 argv_printf_cat(&argv, "%s", gateway);
1960 }
1961 else
1962 {
1963 argv_printf_cat(&argv, "-iface %s", device);
1964 }
1965
1966 argv_msg(D_ROUTE, &argv);
1967 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route add -inet6 command failed");
1968 status = ret ? RTA_SUCCESS : RTA_ERROR;
1969
1970#elif defined(TARGET_OPENBSD)
1971
1972 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
1973 gateway);
1974
1975 argv_msg(D_ROUTE, &argv);
1976 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route add -inet6 command failed");
1977 status = ret ? RTA_SUCCESS : RTA_ERROR;
1978
1979#elif defined(TARGET_NETBSD)
1980
1981 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1982
1983 argv_msg(D_ROUTE, &argv);
1984 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route add -inet6 command failed");
1985 status = ret ? RTA_SUCCESS : RTA_ERROR;
1986
1987#elif defined(TARGET_AIX)
1988
1989 argv_printf(&argv, "%s add -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
1990 argv_msg(D_ROUTE, &argv);
1991 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
1992 status = ret ? RTA_SUCCESS : RTA_ERROR;
1993
1994#elif defined(TARGET_HAIKU)
1995
1996 /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
1997 argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
1998 gateway, r6->netbits);
1999 argv_msg(D_ROUTE, &argv);
2000 bool ret = openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route add command failed");
2001 status = ret ? RTA_SUCCESS : RTA_ERROR;
2002
2003#else /* if defined(TARGET_LINUX) */
2004 msg(M_FATAL,
2005 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2006#endif /* if defined(TARGET_LINUX) */
2007
2008done:
2009 if (status == RTA_SUCCESS)
2010 {
2011 r6->flags |= RT_ADDED;
2012 }
2013 else
2014 {
2015 r6->flags &= ~RT_ADDED;
2016 }
2017 argv_free(&argv);
2018 gc_free(&gc);
2019 /* release resources potentially allocated during route setup */
2020 net_ctx_reset(ctx);
2021
2022 return (status != RTA_ERROR);
2023}
2024
2025static void
2026delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
2027 const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
2028{
2029#if !defined(TARGET_LINUX)
2030 const char *network;
2031#if !defined(TARGET_AIX)
2032 const char *netmask;
2033#endif
2034#if !defined(TARGET_ANDROID)
2035 const char *gateway;
2036#endif
2037#else /* if !defined(TARGET_LINUX) */
2038 int metric;
2039#endif
2040 int is_local_route;
2041
2042 if ((r->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2043 {
2044 return;
2045 }
2046
2047 struct gc_arena gc = gc_new();
2048 struct argv argv = argv_new();
2049
2050#if !defined(TARGET_LINUX)
2051 network = print_in_addr_t(r->network, 0, &gc);
2052#if !defined(TARGET_AIX)
2053 netmask = print_in_addr_t(r->netmask, 0, &gc);
2054#endif
2055#if !defined(TARGET_ANDROID)
2056 gateway = print_in_addr_t(r->gateway, 0, &gc);
2057#endif
2058#endif
2059
2060 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2061 if (is_local_route == LR_ERROR)
2062 {
2063 goto done;
2064 }
2065
2066#if defined(TARGET_LINUX)
2067 metric = -1;
2068 if (r->flags & RT_METRIC_DEFINED)
2069 {
2070 metric = r->metric;
2071 }
2072
2073 if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask), &r->gateway, NULL,
2074 r->table_id, metric)
2075 < 0)
2076 {
2077 msg(M_WARN, "ERROR: Linux route delete command failed");
2078 }
2079#elif defined(_WIN32)
2080
2081 argv_printf(&argv, "%s%s DELETE %s MASK %s %s", get_win_sys_path(), WIN_ROUTE_PATH_SUFFIX,
2082 network, netmask, gateway);
2083
2084 argv_msg(D_ROUTE, &argv);
2085
2086 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2087 {
2088 const bool status = del_route_service(r, tt);
2089 msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2090 }
2091 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2092 {
2093 const bool status = del_route_ipapi(r, tt);
2094 msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2095 }
2096 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2097 {
2098 netcmd_semaphore_lock();
2099 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2100 netcmd_semaphore_release();
2101 }
2102 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2103 {
2104 const bool status = del_route_ipapi(r, tt);
2105 msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2106 if (!status)
2107 {
2108 msg(D_ROUTE, "Route deletion fallback to route.exe");
2109 netcmd_semaphore_lock();
2110 openvpn_execve_check(&argv, es, 0,
2111 "ERROR: Windows route delete command failed [adaptive]");
2112 netcmd_semaphore_release();
2113 }
2114 }
2115 else
2116 {
2117 ASSERT(0);
2118 }
2119
2120#elif defined(TARGET_SOLARIS)
2121
2122 argv_printf(&argv, "%s delete %s -netmask %s %s", ROUTE_PATH, network, netmask, gateway);
2123
2124 argv_msg(D_ROUTE, &argv);
2125 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2126
2127#elif defined(TARGET_FREEBSD)
2128
2129 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2130
2131 argv_msg(D_ROUTE, &argv);
2132 openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2133
2134#elif defined(TARGET_DRAGONFLY)
2135
2136 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2137
2138 argv_msg(D_ROUTE, &argv);
2139 openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2140
2141#elif defined(TARGET_DARWIN)
2142
2143 if (is_on_link(is_local_route, flags, rgi))
2144 {
2145 argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s", ROUTE_PATH,
2146 network, netmask, rgi->iface);
2147 }
2148 else
2149 {
2150 argv_printf(&argv, "%s delete -net %s %s %s", ROUTE_PATH, network, gateway, netmask);
2151 }
2152
2153 argv_msg(D_ROUTE, &argv);
2154 openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2155
2156#elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2157
2158 argv_printf(&argv, "%s delete -net %s %s -netmask %s", ROUTE_PATH, network, gateway, netmask);
2159
2160 argv_msg(D_ROUTE, &argv);
2161 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2162
2163#elif defined(TARGET_ANDROID)
2164 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2165 "needed. The VpnService API allows routes to be set "
2166 "on connect only and will clean up automatically.");
2167#elif defined(TARGET_AIX)
2168
2169 {
2170 int netbits = netmask_to_netbits2(r->netmask);
2171 argv_printf(&argv, "%s delete -net %s/%d %s", ROUTE_PATH, network, netbits, gateway);
2172 argv_msg(D_ROUTE, &argv);
2173 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2174 }
2175
2176#elif defined(TARGET_HAIKU)
2177
2178 /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
2179 argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s", ROUTE_PATH, rgi->iface, network,
2180 gateway, netmask);
2181 argv_msg(D_ROUTE, &argv);
2182 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
2183
2184#else /* if defined(TARGET_LINUX) */
2185 msg(M_FATAL,
2186 "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2187#endif /* if defined(TARGET_LINUX) */
2188
2189done:
2190 r->flags &= ~RT_ADDED;
2191 argv_free(&argv);
2192 gc_free(&gc);
2193 /* release resources potentially allocated during route cleanup */
2194 net_ctx_reset(ctx);
2195}
2196
2197void
2198delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es,
2199 openvpn_net_ctx_t *ctx)
2200{
2201 const char *network;
2202
2203 if ((r6->flags & (RT_DEFINED | RT_ADDED)) != (RT_DEFINED | RT_ADDED))
2204 {
2205 return;
2206 }
2207
2208#if !defined(_WIN32)
2209#if !defined(TARGET_LINUX)
2210 const char *gateway;
2211#endif
2212#if !defined(TARGET_SOLARIS)
2213 bool gateway_needed = false;
2214 const char *device = tt->actual_name;
2215 if (r6->iface != NULL) /* vpn server special route */
2216 {
2217 device = r6->iface;
2218 gateway_needed = true;
2219 }
2220 (void)device; /* unused on some platforms */
2221
2222 /* if we used a gateway on "add route", we also need to specify it on
2223 * delete, otherwise some OSes will refuse to delete the route
2224 */
2225 if (tt->type == DEV_TYPE_TAP && !((r6->flags & RT_METRIC_DEFINED) && r6->metric == 0))
2226 {
2227 gateway_needed = true;
2228 }
2229#endif
2230#endif
2231
2232 struct gc_arena gc = gc_new();
2233 struct argv argv = argv_new();
2234
2235 network = print_in6_addr(r6->network, 0, &gc);
2236#if !defined(TARGET_LINUX) && !defined(_WIN32)
2237 gateway = print_in6_addr(r6->gateway, 0, &gc);
2238#endif
2239
2240#if defined(TARGET_DARWIN) || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2241 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2242
2243 /* the BSD platforms cannot specify gateway and interface independently,
2244 * but for link-local destinations, we MUST specify the interface, so
2245 * we build a combined "$gateway%$interface" gateway string
2246 */
2247 if (r6->iface != NULL && gateway_needed
2248 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway)) /* fe80::...%intf */
2249 {
2250 int len = strlen(gateway) + 1 + strlen(r6->iface) + 1;
2251 char *tmp = gc_malloc(len, true, &gc);
2252 snprintf(tmp, len, "%s%%%s", gateway, r6->iface);
2253 gateway = tmp;
2254 }
2255#endif
2256
2257 msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits);
2258
2259#if defined(TARGET_LINUX)
2260 int metric = -1;
2261 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2262 {
2263 metric = r6->metric;
2264 }
2265
2266 if (net_route_v6_del(ctx, &r6->network, r6->netbits, gateway_needed ? &r6->gateway : NULL,
2267 device, r6->table_id, metric)
2268 < 0)
2269 {
2270 msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2271 }
2272
2273#elif defined(_WIN32)
2274
2275 if (tt->options.msg_channel)
2276 {
2277 del_route_ipv6_service(r6, tt);
2278 }
2279 else
2280 {
2281 route_ipv6_ipapi(false, r6, tt);
2282 }
2283#elif defined(TARGET_SOLARIS)
2284
2285 /* example: route delete -inet6 2001:db8::/32 somegateway */
2286
2287 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2288
2289 argv_msg(D_ROUTE, &argv);
2290 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2291
2292#elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2293
2294 argv_printf(&argv, "%s delete -inet6 %s/%d", ROUTE_PATH, network, r6->netbits);
2295
2296 if (gateway_needed)
2297 {
2298 argv_printf_cat(&argv, "%s", gateway);
2299 }
2300 else
2301 {
2302 argv_printf_cat(&argv, "-iface %s", device);
2303 }
2304
2305 argv_msg(D_ROUTE, &argv);
2306 openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2307
2308#elif defined(TARGET_DARWIN)
2309
2310 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d", ROUTE_PATH, network, r6->netbits);
2311
2312 if (gateway_needed)
2313 {
2314 argv_printf_cat(&argv, "%s", gateway);
2315 }
2316 else
2317 {
2318 argv_printf_cat(&argv, "-iface %s", device);
2319 }
2320
2321 argv_msg(D_ROUTE, &argv);
2322 openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2323
2324#elif defined(TARGET_OPENBSD)
2325
2326 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s", ROUTE_PATH, network, r6->netbits,
2327 gateway);
2328
2329 argv_msg(D_ROUTE, &argv);
2330 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2331
2332#elif defined(TARGET_NETBSD)
2333
2334 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2335
2336 argv_msg(D_ROUTE, &argv);
2337 openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2338
2339#elif defined(TARGET_AIX)
2340
2341 argv_printf(&argv, "%s delete -inet6 %s/%d %s", ROUTE_PATH, network, r6->netbits, gateway);
2342 argv_msg(D_ROUTE, &argv);
2343 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2344
2345#elif defined(TARGET_ANDROID)
2346 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2347 "needed. The VpnService API allows routes to be set "
2348 "on connect only and will clean up automatically.");
2349#elif defined(TARGET_HAIKU)
2350
2351 /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2352 argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d", ROUTE_PATH, r6->iface, network,
2353 gateway, r6->netbits);
2354 argv_msg(D_ROUTE, &argv);
2355 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
2356
2357#else /* if defined(TARGET_LINUX) */
2358 msg(M_FATAL,
2359 "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2360#endif /* if defined(TARGET_LINUX) */
2361
2362 argv_free(&argv);
2363 gc_free(&gc);
2364 /* release resources potentially allocated during route cleanup */
2365 net_ctx_reset(ctx);
2366}
2367
2368#if defined(__GNUC__) || defined(__clang__)
2369#pragma GCC diagnostic pop
2370#endif
2371
2372/*
2373 * The --redirect-gateway option requires OS-specific code below
2374 * to get the current default gateway.
2375 */
2376
2377#if defined(_WIN32)
2378
2379static const MIB_IPFORWARDTABLE *
2380get_windows_routing_table(struct gc_arena *gc)
2381{
2382 ULONG size = 0;
2383 PMIB_IPFORWARDTABLE rt = NULL;
2384 DWORD status;
2385
2386 status = GetIpForwardTable(NULL, &size, TRUE);
2387 if (status == ERROR_INSUFFICIENT_BUFFER)
2388 {
2389 rt = (PMIB_IPFORWARDTABLE)gc_malloc(size, false, gc);
2390 status = GetIpForwardTable(rt, &size, TRUE);
2391 if (status != NO_ERROR)
2392 {
2393 msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2394 strerror_win32(status, gc), (unsigned int)status);
2395 rt = NULL;
2396 }
2397 }
2398 return rt;
2399}
2400
2401static int
2402test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
2403{
2404 int count = 0;
2405 DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2406 if (index)
2407 {
2408 *index = i;
2409 }
2410 return count;
2411}
2412
2413static void
2414test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters,
2415 const in_addr_t gateway)
2416{
2417 int c;
2418
2419 ++*count;
2420 c = test_route(adapters, gateway, NULL);
2421 if (c == 0)
2422 {
2423 *ret = false;
2424 }
2425 else
2426 {
2427 ++*good;
2428 }
2429 if (c > 1)
2430 {
2431 ++*ambig;
2432 }
2433}
2434
2435/*
2436 * If we tried to add routes now, would we succeed?
2437 */
2438bool
2439test_routes(const struct route_list *rl, const struct tuntap *tt)
2440{
2441 struct gc_arena gc = gc_new();
2442 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2443 bool ret = false;
2444 int count = 0;
2445 int good = 0;
2446 int ambig = 0;
2447 int len = -1;
2448 bool adapter_up = false;
2449
2450 if (is_adapter_up(tt, adapters))
2451 {
2452 ret = true;
2453 adapter_up = true;
2454
2455 /* we do this test only if we have IPv4 routes to install, and if
2456 * the tun/tap interface has seen IPv4 ifconfig - because if we
2457 * have no IPv4, the check will always fail, failing tun init
2458 */
2459 if (rl && tt->did_ifconfig_setup)
2460 {
2461 struct route_ipv4 *r;
2462 for (r = rl->routes, len = 0; r; r = r->next, ++len)
2463 {
2464 test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2465 }
2466
2467 if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2468 {
2469 test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2470 }
2471 }
2472 }
2473
2474 msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s", good, count, len,
2475 (int)ret, ambig, adapter_up ? "up" : "down");
2476
2477 gc_free(&gc);
2478 return ret;
2479}
2480
2481static const MIB_IPFORWARDROW *
2482get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2483{
2484 struct gc_arena gc = gc_new();
2485 DWORD lowest_metric = MAXDWORD;
2486 const MIB_IPFORWARDROW *ret = NULL;
2487 int best = -1;
2488
2489 if (routes)
2490 {
2491 for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2492 {
2493 const MIB_IPFORWARDROW *row = &routes->table[i];
2494 const in_addr_t net = ntohl(row->dwForwardDest);
2495 const in_addr_t mask = ntohl(row->dwForwardMask);
2496 const DWORD index = row->dwForwardIfIndex;
2497 const DWORD metric = row->dwForwardMetric1;
2498
2499 dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d", i,
2500 print_in_addr_t((in_addr_t)net, 0, &gc), print_in_addr_t((in_addr_t)mask, 0, &gc),
2501 (int)index, (int)metric);
2502
2503 if (!net && !mask && metric < lowest_metric)
2504 {
2505 ret = row;
2506 lowest_metric = metric;
2507 best = i;
2508 }
2509 }
2510 }
2511
2512 dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2513
2514 gc_free(&gc);
2515 return ret;
2516}
2517
2529static DWORD
2530get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
2531{
2532 DWORD best_if_index;
2533 DWORD status;
2534
2535 CLEAR(*best_route);
2536
2537 /* get the best interface index to reach dest */
2538 status = GetBestInterfaceEx((struct sockaddr *)dest, &best_if_index);
2539 if (status != NO_ERROR)
2540 {
2541 msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2542 strerror_win32(status, gc), (unsigned int)status);
2543 goto done;
2544 }
2545
2546 msg(D_ROUTE_DEBUG, "GetBestInterfaceEx() returned if=%d", (int)best_if_index);
2547
2548 /* get the routing information (such as NextHop) for the destination and interface */
2549 NET_LUID luid;
2550 CLEAR(luid);
2551 SOCKADDR_INET best_src;
2552 CLEAR(best_src);
2553 status = GetBestRoute2(&luid, best_if_index, NULL, dest, 0, best_route, &best_src);
2554 if (status != NO_ERROR)
2555 {
2556 msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2557 strerror_win32(status, gc), (unsigned int)status);
2558 goto done;
2559 }
2560
2561done:
2562 return status;
2563}
2564
2565void
2566get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
2567{
2568 CLEAR(*rgi);
2569
2570 struct gc_arena gc = gc_new();
2571
2572 /* convert in_addr_t into SOCKADDR_INET */
2573 SOCKADDR_INET sa;
2574 CLEAR(sa);
2575 sa.si_family = AF_INET;
2576 sa.Ipv4.sin_addr.s_addr = htonl(dest);
2577
2578 /* get the best route to the destination */
2579 MIB_IPFORWARD_ROW2 best_route;
2580 CLEAR(best_route);
2581 DWORD status = get_best_route(&gc, &sa, &best_route);
2582 if (status != NO_ERROR)
2583 {
2584 goto done;
2585 }
2586
2587 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2588 rgi->gateway.addr = ntohl(best_route.NextHop.Ipv4.sin_addr.S_un.S_addr);
2589 rgi->adapter_index = best_route.InterfaceIndex;
2590
2591 if (rgi->gateway.addr == INADDR_ANY)
2592 {
2593 rgi->flags |= RGI_ON_LINK;
2594 }
2595
2596 /* get netmask and MAC address */
2597 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2598 const IP_ADAPTER_INFO *ai = get_adapter(adapters, rgi->adapter_index);
2599 if (ai)
2600 {
2601 memcpy(rgi->hwaddr, ai->Address, 6);
2602 rgi->flags |= RGI_HWADDR_DEFINED;
2603
2604 /* get netmask for non-onlink routes */
2605 in_addr_t nm = inet_addr(ai->IpAddressList.IpMask.String);
2606 if (!(rgi->flags & RGI_ON_LINK) && (nm != INADDR_NONE))
2607 {
2608 rgi->gateway.netmask = ntohl(nm);
2609 rgi->flags |= RGI_NETMASK_DEFINED;
2610 }
2611 }
2612
2613done:
2614 gc_free(&gc);
2615}
2616
2617static DWORD
2618windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2619{
2620 struct gc_arena gc = gc_new();
2621 DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2622 int count = 0;
2623 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2624 const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2625 bool on_tun = false;
2626
2627 /* first test on tun interface */
2628 if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2629 {
2630 ret = tun_adapter->Index;
2631 count = 1;
2632 on_tun = true;
2633 }
2634 else /* test on other interfaces */
2635 {
2636 count = test_route(adapters, r->gateway, &ret);
2637 }
2638
2639 if (count == 0)
2640 {
2641 msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2642 print_in_addr_t(r->gateway, 0, &gc));
2643 ret = TUN_ADAPTER_INDEX_INVALID;
2644 }
2645 else if (count > 1)
2646 {
2647 msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2648 print_in_addr_t(r->gateway, 0, &gc), count);
2649 }
2650
2651 dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d", on_tun, count,
2652 (int)ret);
2653
2654 gc_free(&gc);
2655 return ret;
2656}
2657
2658/* IPv6 implementation using GetBestRoute2()
2659 * (TBD: dynamic linking so the binary can still run on XP?)
2660 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2661 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2662 */
2663void
2664get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
2665 openvpn_net_ctx_t *ctx)
2666{
2667 struct gc_arena gc = gc_new();
2668 CLEAR(*rgi6);
2669
2670 SOCKADDR_INET DestinationAddress;
2671 CLEAR(DestinationAddress);
2672 DestinationAddress.si_family = AF_INET6;
2673 if (dest)
2674 {
2675 DestinationAddress.Ipv6.sin6_addr = *dest;
2676 }
2677
2678 MIB_IPFORWARD_ROW2 BestRoute;
2679 CLEAR(BestRoute);
2680 DWORD status = get_best_route(&gc, &DestinationAddress, &BestRoute);
2681
2682 if (status != NO_ERROR)
2683 {
2684 goto done;
2685 }
2686
2687 msg(D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s", BestRoute.InterfaceIndex,
2688 print_in6_addr(BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2689 BestRoute.DestinationPrefix.PrefixLength,
2690 print_in6_addr(BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc));
2691 msg(D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d", (int)BestRoute.Metric,
2692 (int)BestRoute.Loopback, (int)BestRoute.AutoconfigureAddress, (int)BestRoute.Immortal);
2693
2694 rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2695 rgi6->adapter_index = BestRoute.InterfaceIndex;
2696 rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2697
2698 /* on-link is signalled by receiving an empty (::) NextHop */
2699 if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr))
2700 {
2701 rgi6->flags |= RGI_ON_LINK;
2702 }
2703
2704done:
2705 gc_free(&gc);
2706}
2707
2708/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2709static int
2710add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2711{
2712 struct gc_arena gc = gc_new();
2713 int ret = RTA_ERROR;
2714 DWORD status;
2715 const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID)
2716 ? windows_route_find_if_index(r, tt)
2717 : adapter_index;
2718
2719 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2720 {
2721 MIB_IPFORWARDROW fr;
2722 CLEAR(fr);
2723 fr.dwForwardDest = htonl(r->network);
2724 fr.dwForwardMask = htonl(r->netmask);
2725 fr.dwForwardPolicy = 0;
2726 fr.dwForwardNextHop = htonl(r->gateway);
2727 fr.dwForwardIfIndex = if_index;
2728 fr.dwForwardType = 4; /* the next hop is not the final dest */
2729 fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2730 fr.dwForwardAge = 0;
2731 fr.dwForwardNextHopAS = 0;
2732 fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2733 fr.dwForwardMetric2 = METRIC_NOT_USED;
2734 fr.dwForwardMetric3 = METRIC_NOT_USED;
2735 fr.dwForwardMetric4 = METRIC_NOT_USED;
2736 fr.dwForwardMetric5 = METRIC_NOT_USED;
2737
2738 if ((r->network & r->netmask) != r->network)
2739 {
2740 msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2741 print_in_addr_t(r->network, 0, &gc), print_in_addr_t(r->netmask, 0, &gc));
2742 }
2743
2744 status = CreateIpForwardEntry(&fr);
2745
2746 if (status == NO_ERROR)
2747 {
2748 ret = RTA_SUCCESS;
2749 }
2750 else if (status == ERROR_OBJECT_ALREADY_EXISTS)
2751 {
2752 ret = RTA_EEXIST;
2753 }
2754 else
2755 {
2756 /* failed, try increasing the metric to work around Vista issue */
2757 const unsigned int forward_metric_limit =
2758 2048; /* iteratively retry higher metrics up to this limit */
2759
2760 for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2761 {
2762 /* try a different forward type=3 ("the next hop is the final dest") in addition
2763 * to 4.
2764 * --redirect-gateway over RRAS seems to need this. */
2765 for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2766 {
2767 status = CreateIpForwardEntry(&fr);
2768 if (status == NO_ERROR)
2769 {
2770 msg(D_ROUTE,
2771 "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2772 (unsigned int)fr.dwForwardMetric1, (unsigned int)fr.dwForwardType);
2773 ret = RTA_SUCCESS;
2774 goto doublebreak;
2775 }
2776 else if (status != ERROR_BAD_ARGUMENTS)
2777 {
2778 goto doublebreak;
2779 }
2780 }
2781 }
2782
2783doublebreak:
2784 if (status != NO_ERROR)
2785 {
2786 if (status == ERROR_OBJECT_ALREADY_EXISTS)
2787 {
2788 ret = RTA_EEXIST;
2789 }
2790 else
2791 {
2792 msg(M_WARN,
2793 "ERROR: route addition failed using CreateIpForwardEntry: "
2794 "%s [status=%u if_index=%u]",
2795 strerror_win32(status, &gc), (unsigned int)status, (unsigned int)if_index);
2796 }
2797 }
2798 }
2799 }
2800
2801 gc_free(&gc);
2802 return ret;
2803}
2804
2805static bool
2806del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
2807{
2808 struct gc_arena gc = gc_new();
2809 bool ret = false;
2810 DWORD status;
2811 const DWORD if_index = windows_route_find_if_index(r, tt);
2812
2813 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2814 {
2815 MIB_IPFORWARDROW fr;
2816 CLEAR(fr);
2817
2818 fr.dwForwardDest = htonl(r->network);
2819 fr.dwForwardMask = htonl(r->netmask);
2820 fr.dwForwardPolicy = 0;
2821 fr.dwForwardNextHop = htonl(r->gateway);
2822 fr.dwForwardIfIndex = if_index;
2823
2824 status = DeleteIpForwardEntry(&fr);
2825
2826 if (status == NO_ERROR)
2827 {
2828 ret = true;
2829 }
2830 else
2831 {
2832 msg(M_WARN, "ERROR: route deletion failed using DeleteIpForwardEntry: %s",
2833 strerror_win32(status, &gc));
2834 }
2835 }
2836
2837 gc_free(&gc);
2838 return ret;
2839}
2840
2841/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2842static int
2843do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
2844{
2845 int ret = RTA_ERROR;
2846 ack_message_t ack;
2847 struct gc_arena gc = gc_new();
2848
2849 if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
2850 {
2851 goto out;
2852 }
2853
2854 if (ack.error_number != NO_ERROR)
2855 {
2856 ret = (ack.error_number == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2857 if (ret == RTA_ERROR)
2858 {
2859 msg(M_WARN, "ERROR: route %s failed using service: %s [status=%u if_index=%d]",
2860 (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
2861 ack.error_number, rt->iface.index);
2862 }
2863 goto out;
2864 }
2865
2866 ret = RTA_SUCCESS;
2867
2868out:
2869 gc_free(&gc);
2870 return ret;
2871}
2872
2873/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2874static int
2875do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
2876{
2877 DWORD if_index = windows_route_find_if_index(r, tt);
2878 if (if_index == ~0)
2879 {
2880 return RTA_ERROR;
2881 }
2882
2883 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
2884 sizeof(route_message_t), 0 },
2885 .family = AF_INET,
2886 .prefix.ipv4.s_addr = htonl(r->network),
2887 .gateway.ipv4.s_addr = htonl(r->gateway),
2888 .iface = { .index = if_index, .name = "" },
2889 .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1) };
2890
2891 netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
2892 if (msg.prefix_len == -1)
2893 {
2894 msg.prefix_len = 32;
2895 }
2896
2897 return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
2898}
2899
2900/* Add or delete an ipv6 route
2901 * Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error
2902 */
2903static int
2904route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2905{
2906 DWORD err;
2907 int ret = RTA_ERROR;
2908 PMIB_IPFORWARD_ROW2 fwd_row;
2909 struct gc_arena gc = gc_new();
2910
2911 fwd_row = gc_malloc(sizeof(*fwd_row), true, &gc);
2912
2913 fwd_row->ValidLifetime = 0xffffffff;
2914 fwd_row->PreferredLifetime = 0xffffffff;
2915 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
2916 fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
2917 fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
2918 fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
2919 fwd_row->DestinationPrefix.PrefixLength = (UINT8)r->netbits;
2920 fwd_row->NextHop.si_family = AF_INET6;
2921 fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
2922 fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
2923
2924 /* In TUN mode we use a special link-local address as the next hop.
2925 * The tapdrvr knows about it and will answer neighbor discovery packets.
2926 * (only do this for routes actually using the tun/tap device)
2927 */
2928 if (tt->type == DEV_TYPE_TUN && !r->adapter_index)
2929 {
2930 inet_pton(AF_INET6, "fe80::8", &fwd_row->NextHop.Ipv6.sin6_addr);
2931 }
2932
2933 /* Use LUID if interface index not available */
2934 if (fwd_row->InterfaceIndex == TUN_ADAPTER_INDEX_INVALID && strlen(tt->actual_name))
2935 {
2936 NET_LUID luid;
2937 err = ConvertInterfaceAliasToLuid(wide_string(tt->actual_name, &gc), &luid);
2938 if (err != NO_ERROR)
2939 {
2940 goto out;
2941 }
2942 fwd_row->InterfaceLuid = luid;
2943 fwd_row->InterfaceIndex = 0;
2944 }
2945
2946 if (add)
2947 {
2948 err = CreateIpForwardEntry2(fwd_row);
2949 }
2950 else
2951 {
2952 err = DeleteIpForwardEntry2(fwd_row);
2953 }
2954
2955out:
2956 if (err != NO_ERROR)
2957 {
2958 ret = (err == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
2959 if (ret == RTA_ERROR)
2960 {
2961 msg(M_WARN, "ERROR: route %s failed using ipapi: %s [status=%lu if_index=%lu]",
2962 (add ? "addition" : "deletion"), strerror_win32(err, &gc), err,
2963 fwd_row->InterfaceIndex);
2964 }
2965 else if (add)
2966 {
2967 msg(D_ROUTE, "IPv6 route addition using ipapi failed because route exists");
2968 }
2969 }
2970 else
2971 {
2972 msg(D_ROUTE, "IPv6 route %s using ipapi", add ? "added" : "deleted");
2973 ret = RTA_SUCCESS;
2974 }
2975 gc_free(&gc);
2976 return ret;
2977}
2978
2979/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2980static int
2981do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
2982{
2983 int status;
2984 route_message_t msg = { .header = { (add ? msg_add_route : msg_del_route),
2985 sizeof(route_message_t), 0 },
2986 .family = AF_INET6,
2987 .prefix.ipv6 = r->network,
2988 .prefix_len = r->netbits,
2989 .gateway.ipv6 = r->gateway,
2990 .iface = { .index = tt->adapter_index, .name = "" },
2991 .metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1) };
2992
2993 if (r->adapter_index) /* vpn server special route */
2994 {
2995 msg.iface.index = r->adapter_index;
2996 }
2997
2998 /* In TUN mode we use a special link-local address as the next hop.
2999 * The tapdrvr knows about it and will answer neighbor discovery packets.
3000 * (only do this for routes actually using the tun/tap device)
3001 */
3002 if (tt->type == DEV_TYPE_TUN && msg.iface.index == tt->adapter_index)
3003 {
3004 inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3005 }
3006
3007 if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID)
3008 {
3009 strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3010 msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3011 }
3012
3013 status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3014 if (status != RTA_ERROR)
3015 {
3016 msg(D_ROUTE, "IPv6 route %s via service %s", add ? "addition" : "deletion",
3017 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
3018 }
3019 return status;
3020}
3021
3022/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3023static int
3024add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3025{
3026 return do_route_ipv4_service(true, r, tt);
3027}
3028
3029static bool
3030del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3031{
3032 return do_route_ipv4_service(false, r, tt);
3033}
3034
3035/* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3036static int
3037add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3038{
3039 return do_route_ipv6_service(true, r, tt);
3040}
3041
3042static bool
3043del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3044{
3045 return do_route_ipv6_service(false, r, tt);
3046}
3047
3048static const char *
3049format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3050{
3051 struct buffer out = alloc_buf_gc(256, gc);
3052 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3053 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3054 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3055 print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc), (int)r->dwForwardPolicy,
3056 (int)r->dwForwardIfIndex, (int)r->dwForwardType, (int)r->dwForwardProto,
3057 (int)r->dwForwardAge, (int)r->dwForwardNextHopAS, (int)r->dwForwardMetric1,
3058 (int)r->dwForwardMetric2, (int)r->dwForwardMetric3, (int)r->dwForwardMetric4,
3059 (int)r->dwForwardMetric5);
3060 return BSTR(&out);
3061}
3062
3063/*
3064 * Show current routing table
3065 */
3066void
3067show_routes(msglvl_t msglevel)
3068{
3069 struct gc_arena gc = gc_new();
3070
3071 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3072
3073 msg(msglevel, "SYSTEM ROUTING TABLE");
3074 if (rt)
3075 {
3076 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3077 {
3078 msg(msglevel, "%s", format_route_entry(&rt->table[i], &gc));
3079 }
3080 }
3081 gc_free(&gc);
3082}
3083
3084#elif defined(TARGET_ANDROID)
3085
3086void
3087get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3088{
3089 /* Android, set some pseudo GW, addr is in host byte order,
3090 * Determining the default GW on Android 5.0+ is non trivial
3091 * and serves almost no purpose since OpenVPN only uses the
3092 * default GW address to add routes for networks that should
3093 * NOT be routed over the VPN. Using a well known address
3094 * (127.'d'.'g'.'w') for the default GW make detecting
3095 * these routes easier from the controlling app.
3096 */
3097 CLEAR(*rgi);
3098
3099 rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3100 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3101 strcpy(rgi->iface, "android-gw");
3102
3103 /* Skip scanning/fetching interface from loopback interface we do
3104 * normally on Linux.
3105 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3106 */
3107}
3108
3109void
3110get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3111 openvpn_net_ctx_t *ctx)
3112{
3113 /* Same for ipv6 */
3114
3115 CLEAR(*rgi6);
3116
3117 /* Use a fake link-local address */
3118 ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3119 rgi6->addrs->netbits_ipv6 = 64;
3120 rgi6->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3121 strcpy(rgi6->iface, "android-gw");
3122}
3123
3124#elif defined(TARGET_LINUX)
3125
3126void
3127get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3128{
3129 struct gc_arena gc = gc_new();
3130 int sd = -1;
3131 char best_name[IFNAMSIZ];
3132
3133 CLEAR(*rgi);
3134 CLEAR(best_name);
3135
3136 /* find best route to 'dest', get gateway IP addr + interface */
3137 if (net_route_v4_best_gw(ctx, &dest, &rgi->gateway.addr, best_name) == 0)
3138 {
3139 rgi->flags |= RGI_ADDR_DEFINED;
3140 if (!rgi->gateway.addr && best_name[0])
3141 {
3142 rgi->flags |= RGI_ON_LINK;
3143 }
3144 }
3145
3146 /* scan adapter list */
3147 if (rgi->flags & RGI_ADDR_DEFINED)
3148 {
3149 struct ifreq *ifr, *ifend;
3150 in_addr_t addr, netmask;
3151 struct ifreq ifreq;
3152 struct ifconf ifc;
3153 struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3154
3155 if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3156 {
3157 msg(M_WARN, "GDG: socket() failed");
3158 goto done;
3159 }
3160 ifc.ifc_len = sizeof(ifs);
3161 ifc.ifc_req = ifs;
3162 if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3163 {
3164 msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3165 goto done;
3166 }
3167
3168 /* scan through interface list */
3169 ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3170 for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3171 {
3172 if (ifr->ifr_addr.sa_family == AF_INET)
3173 {
3174 /* get interface addr */
3175 addr = ntohl(((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr.s_addr);
3176
3177 /* get interface name */
3178 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3179
3180 /* check that the interface is up */
3181 if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3182 {
3183 continue;
3184 }
3185 if (!(ifreq.ifr_flags & IFF_UP))
3186 {
3187 continue;
3188 }
3189
3190 if (rgi->flags & RGI_ON_LINK)
3191 {
3192 /* check that interface name of current interface
3193 * matches interface name of best default route */
3194 if (strcmp(ifreq.ifr_name, best_name))
3195 {
3196 continue;
3197 }
3198#if 0
3199 /* if point-to-point link, use remote addr as route gateway */
3200 if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3201 {
3202 rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3203 if (rgi->gateway.addr)
3204 {
3205 rgi->flags &= ~RGI_ON_LINK;
3206 }
3207 }
3208#endif
3209 }
3210 else
3211 {
3212 /* get interface netmask */
3213 if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3214 {
3215 continue;
3216 }
3217 netmask = ntohl(((struct sockaddr_in *)&ifreq.ifr_addr)->sin_addr.s_addr);
3218
3219 /* check that interface matches default route */
3220 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3221 {
3222 continue;
3223 }
3224
3225 /* save netmask */
3226 rgi->gateway.netmask = netmask;
3227 rgi->flags |= RGI_NETMASK_DEFINED;
3228 }
3229
3230 /* save iface name */
3231 strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3232 rgi->flags |= RGI_IFACE_DEFINED;
3233
3234 /* now get the hardware address. */
3235 memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3236 if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3237 {
3238 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3239 goto done;
3240 }
3241 memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3242 rgi->flags |= RGI_HWADDR_DEFINED;
3243
3244 break;
3245 }
3246 }
3247 }
3248
3249done:
3250 if (sd >= 0)
3251 {
3252 close(sd);
3253 }
3254 gc_free(&gc);
3255}
3256
3257/* IPv6 implementation using netlink
3258 * https://www.linuxjournal.com/article/7356 - "Kernel Korner - Why and How to Use Netlink Socket"
3259 * netlink(3), netlink(7), rtnetlink(7)
3260 * https://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/
3261 */
3262struct rtreq
3263{
3264 struct nlmsghdr nh;
3265 struct rtmsg rtm;
3266 char attrbuf[512];
3267};
3268
3269void
3270get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3271 openvpn_net_ctx_t *ctx)
3272{
3273 int flags;
3274
3275 CLEAR(*rgi6);
3276
3277 if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6, rgi6->iface) == 0)
3278 {
3279 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3280 {
3281 rgi6->flags |= RGI_ADDR_DEFINED;
3282 }
3283
3284 if (strlen(rgi6->iface) > 0)
3285 {
3286 rgi6->flags |= RGI_IFACE_DEFINED;
3287 }
3288 }
3289
3290 /* if we have an interface but no gateway, the destination is on-link */
3291 flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3292 if (flags == RGI_IFACE_DEFINED)
3293 {
3294 rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3295 if (dest)
3296 {
3297 rgi6->gateway.addr_ipv6 = *dest;
3298 }
3299 }
3300}
3301
3302#elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) || defined(TARGET_FREEBSD) \
3303 || defined(TARGET_DRAGONFLY) || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3304
3305#include <sys/types.h>
3306#include <sys/socket.h>
3307#include <netinet/in.h>
3308#include <net/route.h>
3309#include <net/if_dl.h>
3310#if !defined(TARGET_SOLARIS)
3311#include <ifaddrs.h>
3312#endif
3313
3314struct rtmsg
3315{
3316 struct rt_msghdr m_rtm;
3317 char m_space[512];
3318};
3319
3320/* the route socket code is identical for all 4 supported BSDs and for
3321 * MacOS X (Darwin), with one crucial difference: when going from
3322 * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3323 * source code compatibility by keeping the use of "long", while
3324 * MacOS X decided to keep binary compatibility by *changing* the API
3325 * to use "uint32_t", thus 32 bit on all OS X variants
3326 *
3327 * NetBSD does the MacOS way of "fixed number of bits, no matter if
3328 * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3329 * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3330 *
3331 * We used to have a large amount of duplicate code here which really
3332 * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3333 * having a combined block for all BSDs with this single #ifdef inside
3334 */
3335
3336#if defined(TARGET_DARWIN)
3337#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3338#elif defined(TARGET_NETBSD)
3339#define ROUNDUP(a) RT_ROUNDUP(a)
3340#else
3341#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3342#endif
3343
3344#if defined(TARGET_SOLARIS)
3345#define NEXTADDR(w, u) \
3346 if (rtm_addrs & (w)) \
3347 { \
3348 l = sizeof(u); \
3349 memmove(cp, &(u), l); \
3350 cp += ROUNDUP(l); \
3351 }
3352
3353#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3354#else /* if defined(TARGET_SOLARIS) */
3355#define NEXTADDR(w, u) \
3356 if (rtm_addrs & (w)) \
3357 { \
3358 l = ((struct sockaddr *)&(u))->sa_len; \
3359 memmove(cp, &(u), l); \
3360 cp += ROUNDUP(l); \
3361 }
3362
3363#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3364#endif
3365
3366#define max(a, b) ((a) > (b) ? (a) : (b))
3367
3368#if defined(__GNUC__) || defined(__clang__)
3369#pragma GCC diagnostic push
3370#pragma GCC diagnostic ignored "-Wconversion"
3371#endif
3372
3373void
3374get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3375{
3376 struct gc_arena gc = gc_new();
3377 struct rtmsg m_rtmsg;
3378 int sockfd = -1;
3379 int seq, l, pid, rtm_addrs;
3380 unsigned int i;
3381 struct sockaddr so_dst, so_mask;
3382 char *cp = m_rtmsg.m_space;
3383 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3384 struct rt_msghdr *rtm_aux;
3385
3386#define rtm m_rtmsg.m_rtm
3387
3388 CLEAR(*rgi);
3389
3390 /* setup data to send to routing socket */
3391 pid = getpid();
3392 seq = 0;
3393#ifdef TARGET_OPENBSD
3394 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3395#else
3396 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3397#endif
3398
3399 bzero(&m_rtmsg, sizeof(m_rtmsg));
3400 bzero(&so_dst, sizeof(so_dst));
3401 bzero(&so_mask, sizeof(so_mask));
3402 bzero(&rtm, sizeof(struct rt_msghdr));
3403
3404 rtm.rtm_type = RTM_GET;
3405 rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3406 rtm.rtm_version = RTM_VERSION;
3407 rtm.rtm_seq = ++seq;
3408#ifdef TARGET_OPENBSD
3409 rtm.rtm_tableid = getrtable();
3410#endif
3411 rtm.rtm_addrs = rtm_addrs;
3412
3413 so_dst.sa_family = AF_INET;
3414 so_mask.sa_family = AF_INET;
3415
3416#ifndef TARGET_SOLARIS
3417 so_dst.sa_len = sizeof(struct sockaddr_in);
3418 so_mask.sa_len = sizeof(struct sockaddr_in);
3419#endif
3420
3421 NEXTADDR(RTA_DST, so_dst);
3422 NEXTADDR(RTA_NETMASK, so_mask);
3423
3424 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3425
3426 /* transact with routing socket */
3427 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3428 if (sockfd < 0)
3429 {
3430 msg(M_WARN, "GDG: socket #1 failed");
3431 goto done;
3432 }
3433 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3434 {
3435 msg(M_WARN | M_ERRNO, "GDG: problem writing to routing socket");
3436 goto done;
3437 }
3438 do
3439 {
3440 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3441 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3442 close(sockfd);
3443 sockfd = -1;
3444
3445 /* extract return data from routing socket */
3446 rtm_aux = &rtm;
3447 cp = ((char *)(rtm_aux + 1));
3448 if (rtm_aux->rtm_addrs)
3449 {
3450 for (i = 1; i; i <<= 1)
3451 {
3452 if (i & rtm_aux->rtm_addrs)
3453 {
3454 sa = (struct sockaddr *)cp;
3455 if (i == RTA_GATEWAY)
3456 {
3457 gate = sa;
3458 }
3459 else if (i == RTA_IFP)
3460 {
3461 ifp = sa;
3462 }
3463 ADVANCE(cp, sa);
3464 }
3465 }
3466 }
3467 else
3468 {
3469 goto done;
3470 }
3471
3472 /* get gateway addr and interface name */
3473 if (gate != NULL)
3474 {
3475 /* get default gateway addr */
3476 rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3477 if (rgi->gateway.addr)
3478 {
3479 rgi->flags |= RGI_ADDR_DEFINED;
3480 }
3481
3482 if (ifp)
3483 {
3484 /* get interface name */
3485 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3486 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3487 {
3488 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3489 rgi->iface[adl->sdl_nlen] = '\0';
3490 rgi->flags |= RGI_IFACE_DEFINED;
3491 }
3492 }
3493 }
3494
3495 /* get netmask of interface that owns default gateway */
3496 if (rgi->flags & RGI_IFACE_DEFINED)
3497 {
3498 struct ifreq ifr;
3499
3500 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3501 if (sockfd < 0)
3502 {
3503 msg(M_WARN, "GDG: socket #2 failed");
3504 goto done;
3505 }
3506
3507 CLEAR(ifr);
3508 ifr.ifr_addr.sa_family = AF_INET;
3509 strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3510
3511 if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3512 {
3513 msg(M_WARN, "GDG: ioctl #1 failed");
3514 goto done;
3515 }
3516 close(sockfd);
3517 sockfd = -1;
3518
3519 rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3520 rgi->flags |= RGI_NETMASK_DEFINED;
3521 }
3522
3523 /* try to read MAC addr associated with interface that owns default gateway */
3524 if (rgi->flags & RGI_IFACE_DEFINED)
3525 {
3526#if defined(TARGET_SOLARIS)
3527 /* OpenSolaris has getifaddrs(3), but it does not return AF_LINK */
3528 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3529 if (sockfd < 0)
3530 {
3531 msg(M_WARN, "GDG: socket #3 failed");
3532 goto done;
3533 }
3534
3535 struct ifreq ifreq = { 0 };
3536
3537 /* now get the hardware address. */
3538 strncpynt(ifreq.ifr_name, rgi->iface, sizeof(ifreq.ifr_name));
3539 if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0)
3540 {
3541 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3542 }
3543 else
3544 {
3545 memcpy(rgi->hwaddr, &ifreq.ifr_addr.sa_data, 6);
3546 rgi->flags |= RGI_HWADDR_DEFINED;
3547 }
3548#else /* if defined(TARGET_SOLARIS) */
3549 struct ifaddrs *ifap, *ifa;
3550
3551 if (getifaddrs(&ifap) != 0)
3552 {
3553 msg(M_WARN | M_ERRNO, "GDG: getifaddrs() failed");
3554 goto done;
3555 }
3556
3557 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
3558 {
3559 if (ifa->ifa_addr != NULL && ifa->ifa_addr->sa_family == AF_LINK
3560 && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ))
3561 {
3562 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
3563 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3564 rgi->flags |= RGI_HWADDR_DEFINED;
3565 }
3566 }
3567
3568 freeifaddrs(ifap);
3569#endif /* if defined(TARGET_SOLARIS) */
3570 }
3571
3572done:
3573 if (sockfd >= 0)
3574 {
3575 close(sockfd);
3576 }
3577 gc_free(&gc);
3578}
3579
3580/* BSD implementation using routing socket (as does IPv4)
3581 * (the code duplication is somewhat unavoidable if we want this to
3582 * work on OpenSolaris as well. *sigh*)
3583 */
3584
3585/* Solaris has no length field - this is ugly, but less #ifdef in total
3586 */
3587#if defined(TARGET_SOLARIS)
3588#undef ADVANCE
3589#define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3590#endif
3591
3592void
3593get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3594 openvpn_net_ctx_t *ctx)
3595{
3596 struct rtmsg m_rtmsg;
3597 int sockfd = -1;
3598 int seq, l, pid, rtm_addrs;
3599 unsigned int i;
3600 struct sockaddr_in6 so_dst, so_mask;
3601 char *cp = m_rtmsg.m_space;
3602 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3603 struct rt_msghdr *rtm_aux;
3604
3605 CLEAR(*rgi6);
3606
3607 /* setup data to send to routing socket */
3608 pid = getpid();
3609 seq = 0;
3610#ifdef TARGET_OPENBSD
3611 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3612#else
3613 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3614#endif
3615
3616 bzero(&m_rtmsg, sizeof(m_rtmsg));
3617 bzero(&so_dst, sizeof(so_dst));
3618 bzero(&so_mask, sizeof(so_mask));
3619 bzero(&rtm, sizeof(struct rt_msghdr));
3620
3621 rtm.rtm_type = RTM_GET;
3622 rtm.rtm_flags = RTF_UP;
3623 rtm.rtm_version = RTM_VERSION;
3624 rtm.rtm_seq = ++seq;
3625#ifdef TARGET_OPENBSD
3626 rtm.rtm_tableid = getrtable();
3627#endif
3628
3629 so_dst.sin6_family = AF_INET6;
3630 so_mask.sin6_family = AF_INET6;
3631
3632 if (dest != NULL /* specific host? */
3633 && !IN6_IS_ADDR_UNSPECIFIED(dest))
3634 {
3635 so_dst.sin6_addr = *dest;
3636 /* :: needs /0 "netmask", host route wants "no netmask */
3637 rtm_addrs &= ~RTA_NETMASK;
3638 }
3639
3640 rtm.rtm_addrs = rtm_addrs;
3641
3642#ifndef TARGET_SOLARIS
3643 so_dst.sin6_len = sizeof(struct sockaddr_in6);
3644 so_mask.sin6_len = sizeof(struct sockaddr_in6);
3645#endif
3646
3647 NEXTADDR(RTA_DST, so_dst);
3648 NEXTADDR(RTA_NETMASK, so_mask);
3649
3650 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3651
3652 /* transact with routing socket */
3653 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3654 if (sockfd < 0)
3655 {
3656 msg(M_WARN, "GDG6: socket #1 failed");
3657 goto done;
3658 }
3659 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3660 {
3661 msg(M_WARN | M_ERRNO, "GDG6: problem writing to routing socket");
3662 goto done;
3663 }
3664
3665 do
3666 {
3667 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3668 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3669
3670 close(sockfd);
3671 sockfd = -1;
3672
3673 /* extract return data from routing socket */
3674 rtm_aux = &rtm;
3675 cp = ((char *)(rtm_aux + 1));
3676 if (rtm_aux->rtm_addrs)
3677 {
3678 for (i = 1; i; i <<= 1)
3679 {
3680 if (i & rtm_aux->rtm_addrs)
3681 {
3682 sa = (struct sockaddr *)cp;
3683 if (i == RTA_GATEWAY)
3684 {
3685 gate = sa;
3686 }
3687 else if (i == RTA_IFP)
3688 {
3689 ifp = sa;
3690 }
3691 ADVANCE(cp, sa);
3692 }
3693 }
3694 }
3695 else
3696 {
3697 goto done;
3698 }
3699
3700 /* get gateway addr and interface name */
3701 if (gate != NULL)
3702 {
3703 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3704 struct in6_addr gw = s6->sin6_addr;
3705
3706#ifndef TARGET_SOLARIS
3707 /* You do not really want to know... from FreeBSD's route.c
3708 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3709 * but for a correct link-local address these must be :0000: )
3710 */
3711 if (gate->sa_len == sizeof(struct sockaddr_in6) && IN6_IS_ADDR_LINKLOCAL(&gw))
3712 {
3713 gw.s6_addr[2] = gw.s6_addr[3] = 0;
3714 }
3715
3716 if (gate->sa_len != sizeof(struct sockaddr_in6) || IN6_IS_ADDR_UNSPECIFIED(&gw))
3717 {
3718 rgi6->flags |= RGI_ON_LINK;
3719 }
3720 else
3721#endif
3722 {
3723 rgi6->gateway.addr_ipv6 = gw;
3724 }
3725 rgi6->flags |= RGI_ADDR_DEFINED;
3726
3727 if (ifp)
3728 {
3729 /* get interface name */
3730 const struct sockaddr_dl *adl = (struct sockaddr_dl *)ifp;
3731 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3732 {
3733 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3734 rgi6->flags |= RGI_IFACE_DEFINED;
3735 }
3736 }
3737 }
3738
3739done:
3740 if (sockfd >= 0)
3741 {
3742 close(sockfd);
3743 }
3744}
3745
3746#if defined(__GNUC__) || defined(__clang__)
3747#pragma GCC diagnostic pop
3748#endif
3749
3750#undef max
3751
3752#elif defined(TARGET_HAIKU)
3753
3754void
3755get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3756{
3757 CLEAR(*rgi);
3758
3759 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3760 if (sockfd < 0)
3761 {
3762 msg(M_ERRNO, "%s: Error opening socket for AF_INET", __func__);
3763 return;
3764 }
3765
3766 struct ifconf config;
3767 config.ifc_len = sizeof(config.ifc_value);
3768 if (ioctl(sockfd, SIOCGRTSIZE, &config, sizeof(struct ifconf)) < 0)
3769 {
3770 msg(M_ERRNO, "%s: Error getting routing table size", __func__);
3771 return;
3772 }
3773
3774 uint32 size = (uint32)config.ifc_value;
3775 if (size == 0)
3776 {
3777 return;
3778 }
3779
3780 void *buffer = malloc(size);
3781 check_malloc_return(buffer);
3782
3783 config.ifc_len = size;
3784 config.ifc_buf = buffer;
3785 if (ioctl(sockfd, SIOCGRTTABLE, &config, sizeof(struct ifconf)) < 0)
3786 {
3787 free(buffer);
3788 return;
3789 }
3790
3791 struct ifreq *interface = (struct ifreq *)buffer;
3792 struct ifreq *end = (struct ifreq *)((uint8 *)buffer + size);
3793
3794 while (interface < end)
3795 {
3796 struct route_entry route = interface->ifr_route;
3797 if ((route.flags & RTF_GATEWAY) != 0 && (route.flags & RTF_DEFAULT) != 0)
3798 {
3799 rgi->gateway.addr = ntohl(((struct sockaddr_in *)route.gateway)->sin_addr.s_addr);
3800 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3801 strncpy(rgi->iface, interface->ifr_name, sizeof(rgi->iface));
3802 }
3803
3804 int32 address_size = 0;
3805 if (route.destination != NULL)
3806 {
3807 address_size += route.destination->sa_len;
3808 }
3809 if (route.mask != NULL)
3810 {
3811 address_size += route.mask->sa_len;
3812 }
3813 if (route.gateway != NULL)
3814 {
3815 address_size += route.gateway->sa_len;
3816 }
3817
3818 interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE + sizeof(struct route_entry)
3819 + address_size);
3820 }
3821 free(buffer);
3822}
3823
3824void
3825get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3826 openvpn_net_ctx_t *ctx)
3827{
3828 /* TODO: Same for ipv6 with AF_INET6 */
3829 CLEAR(*rgi6);
3830}
3831
3832#else /* if defined(_WIN32) */
3833
3834/*
3835 * This is a platform-specific method that returns data about
3836 * the current default gateway. Return data is placed into
3837 * a struct route_gateway_info object provided by caller. The
3838 * implementation should CLEAR the structure before adding
3839 * data to it.
3840 *
3841 * Data returned includes:
3842 * 1. default gateway address (rgi->gateway.addr)
3843 * 2. netmask of interface that owns default gateway
3844 * (rgi->gateway.netmask)
3845 * 3. hardware address (i.e. MAC address) of interface that owns
3846 * default gateway (rgi->hwaddr)
3847 * 4. interface name (or adapter index on Windows) that owns default
3848 * gateway (rgi->iface or rgi->adapter_index)
3849 * 5. an array of additional address/netmask pairs defined by
3850 * interface that owns default gateway (rgi->addrs with length
3851 * given in rgi->n_addrs)
3852 *
3853 * The flags RGI_x_DEFINED may be used to indicate which of the data
3854 * members were successfully returned (set in rgi->flags). All of
3855 * the data members are optional, however certain OpenVPN functionality
3856 * may be disabled by missing items.
3857 */
3858void
3859get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3860{
3861 CLEAR(*rgi);
3862}
3863void
3864get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest,
3865 openvpn_net_ctx_t *ctx)
3866{
3867 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
3868 CLEAR(*rgi6);
3869}
3870
3871#endif /* if defined(_WIN32) */
3872
3873bool
3874netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
3875{
3876 int i;
3877 const int addrlen = sizeof(in_addr_t) * 8;
3878
3879 if ((network & netmask) == network)
3880 {
3881 for (i = 0; i <= addrlen; ++i)
3882 {
3883 in_addr_t mask = netbits_to_netmask(i);
3884 if (mask == netmask)
3885 {
3886 if (i == addrlen)
3887 {
3888 *netbits = -1;
3889 }
3890 else
3891 {
3892 *netbits = i;
3893 }
3894 return true;
3895 }
3896 }
3897 }
3898 return false;
3899}
3900
3901/* similar to netmask_to_netbits(), but don't mess with base address
3902 * etc., just convert to netbits - non-mappable masks are returned as "-1"
3903 */
3904int
3905netmask_to_netbits2(in_addr_t netmask)
3906{
3907 int i;
3908 const int addrlen = sizeof(in_addr_t) * 8;
3909
3910 for (i = 0; i <= addrlen; ++i)
3911 {
3912 in_addr_t mask = netbits_to_netmask(i);
3913 if (mask == netmask)
3914 {
3915 return i;
3916 }
3917 }
3918 return -1;
3919}
3920
3921
3922/*
3923 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3924 * functions to build a route bypass to selected DHCP/DNS servers,
3925 * so that outgoing packets to these servers don't end up in the tunnel.
3926 */
3927
3928#if defined(_WIN32)
3929
3930static void
3931add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
3932{
3933 if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
3934 {
3935 add_bypass_address(rb, addr);
3936 }
3937}
3938
3939static void
3940add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
3941{
3942 while (iplist)
3943 {
3944 bool succeed = false;
3945 const in_addr_t ip =
3946 getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
3947 if (succeed)
3948 {
3949 add_host_route_if_nonlocal(rb, ip);
3950 }
3951 iplist = iplist->Next;
3952 }
3953}
3954
3955static void
3956get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
3957{
3958 struct gc_arena gc = gc_new();
3959 /*bool ret_bool = false;*/
3960
3961 /* get full routing table */
3962 const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
3963
3964 /* get the route which represents the default gateway */
3965 const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
3966
3967 if (row)
3968 {
3969 /* get the adapter which the default gateway is associated with */
3970 const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
3971
3972 /* get extra adapter info, such as DNS addresses */
3973 const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
3974
3975 /* Bypass DHCP server address */
3976 if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
3977 {
3978 add_host_route_array(rb, &dgi->DhcpServer);
3979 }
3980
3981 /* Bypass DNS server addresses */
3982 if ((flags & RG_BYPASS_DNS) && pai)
3983 {
3984 add_host_route_array(rb, &pai->DnsServerList);
3985 }
3986 }
3987
3988 gc_free(&gc);
3989}
3990
3991#else /* if defined(_WIN32) */
3992
3993static void
3994get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
3995{
3996}
3997
3998#endif /* if defined(_WIN32) */
3999
4000/*
4001 * Test if addr is reachable via a local interface (return ILA_LOCAL),
4002 * or if it needs to be routed via the default gateway (return
4003 * ILA_NONLOCAL). If the target platform doesn't implement this
4004 * function, return ILA_NOT_IMPLEMENTED.
4005 *
4006 * Used by redirect-gateway autolocal feature
4007 */
4008
4009#if defined(_WIN32)
4010
4011int
4012test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4013{
4014 struct gc_arena gc = gc_new();
4015 const in_addr_t nonlocal_netmask =
4016 0x80000000L; /* routes with netmask <= to this are considered non-local */
4017 int ret = TLA_NONLOCAL;
4018
4019 /* get full routing table */
4020 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4021 if (rt)
4022 {
4023 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4024 {
4025 const MIB_IPFORWARDROW *row = &rt->table[i];
4026 const in_addr_t net = ntohl(row->dwForwardDest);
4027 const in_addr_t mask = ntohl(row->dwForwardMask);
4028 if (mask > nonlocal_netmask && (addr & mask) == net)
4029 {
4030 ret = TLA_LOCAL;
4031 break;
4032 }
4033 }
4034 }
4035
4036 gc_free(&gc);
4037 return ret;
4038}
4039
4040#else /* if defined(_WIN32) */
4041
4042int
4043test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4044{
4045 if (rgi)
4046 {
4047 if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4048 {
4049 return TLA_LOCAL;
4050 }
4051 else
4052 {
4053 return TLA_NONLOCAL;
4054 }
4055 }
4056 return TLA_NOT_IMPLEMENTED;
4057}
4058
4059#endif /* if defined(_WIN32) */
argv_msg
void argv_msg(const msglvl_t msglevel, const struct argv *a)
Write the arguments stored in a struct argv via the msg() command.
Definition argv.c:242
argv_free
void argv_free(struct argv *a)
Frees all memory allocations allocated by the struct argv related functions.
Definition argv.c:101
argv_printf
bool argv_printf(struct argv *argres, const char *format,...)
printf() variant which populates a struct argv.
Definition argv.c:438
argv_printf_cat
bool argv_printf_cat(struct argv *argres, const char *format,...)
printf() inspired argv concatenation.
Definition argv.c:462
argv_new
struct argv argv_new(void)
Allocates a new struct argv and ensures it is initialised.
Definition argv.c:87
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
gc_addspecial
void gc_addspecial(void *addr, void(*free_function)(void *), struct gc_arena *a)
Definition buffer.c:438
BSTR
#define BSTR(buf)
Definition buffer.h:128
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1089
ALLOC_OBJ_GC
#define ALLOC_OBJ_GC(dptr, type, gc)
Definition buffer.h:1084
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1095
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
gc_freeaddrinfo_callback
static void gc_freeaddrinfo_callback(void *addr)
Definition buffer.h:215
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
setenv_int
void setenv_int(struct env_set *es, const char *name, int value)
Definition env_set.c:291
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
D_ROUTE_DEBUG
#define D_ROUTE_DEBUG
Definition errlevel.h:132
M_INFO
#define M_INFO
Definition errlevel.h:54
D_ROUTE
#define D_ROUTE
Definition errlevel.h:79
status
static SERVICE_STATUS status
Definition interactive.c:51
route
@ route
Definition interactive.c:85
write
@ write
Definition interactive.c:212
read
@ read
Definition interactive.c:211
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2789
OPENVPN_STATE_ADD_ROUTES
#define OPENVPN_STATE_ADD_ROUTES
Definition manage.h:451
net_ctx_reset
static void net_ctx_reset(openvpn_net_ctx_t *ctx)
Definition networking.h:56
openvpn_net_ctx_t
void * openvpn_net_ctx_t
Definition networking.h:38
msg_add_route
@ msg_add_route
Definition openvpn-msg.h:34
msg_del_route
@ msg_del_route
Definition openvpn-msg.h:35
IPV4_NETMASK_HOST
#define IPV4_NETMASK_HOST
Definition basic.h:34
CLEAR
#define CLEAR(x)
Definition basic.h:32
strerror_win32
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
Definition error.c:774
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
msglvl_t
unsigned int msglvl_t
Definition error.h:77
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
M_ERRNO
#define M_ERRNO
Definition error.h:95
DEV_TYPE_TAP
#define DEV_TYPE_TAP
Definition proto.h:36
DEV_TYPE_TUN
#define DEV_TYPE_TUN
Definition proto.h:35
print_route_options
void print_route_options(const struct route_option_list *rol, msglvl_t msglevel)
Definition route.c:1234
undo_redirect_default_route_to_vpn
static void undo_redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1050
print_route_option
static void print_route_option(const struct route_option *ro, msglvl_t msglevel)
Definition route.c:1227
add_host_route_if_nonlocal
static void add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
Definition route.c:3931
add_routes
bool add_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1097
is_special_addr
bool is_special_addr(const char *addr_str)
Definition route.c:299
clone_route_option_list
struct route_option_list * clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
Definition route.c:153
setenv_routes_ipv6
void setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
Definition route.c:1400
clear_route_list
static void clear_route_list(struct route_list *rl)
Definition route.c:521
test_route_helper
static void test_route_helper(bool *ret, int *count, int *good, int *ambig, const IP_ADAPTER_INFO *adapters, const in_addr_t gateway)
Definition route.c:2414
del_bypass_routes
static void del_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:926
del_route_ipapi
static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2806
redirect_default_route_to_vpn
static bool redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:942
add_route3
static bool add_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:880
add_host_route_array
static void add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
Definition route.c:3940
netmask_to_netbits2
int netmask_to_netbits2(in_addr_t netmask)
Definition route.c:3905
new_route_ipv6_option_list
struct route_ipv6_option_list * new_route_ipv6_option_list(struct gc_arena *a)
Definition route.c:137
init_route
static bool init_route(struct route_ipv4 *r, struct addrinfo **network_list, const struct route_option *ro, const struct route_list *rl)
Definition route.c:312
delete_routes_v6
void delete_routes_v6(struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1192
route_string
static const char * route_string(const struct route_ipv4 *r, struct gc_arena *gc)
Definition route.c:187
get_special_addr
static bool get_special_addr(const struct route_list *rl, const char *string, in_addr_t *out, bool *status)
Definition route.c:231
RTA_EEXIST
#define RTA_EEXIST
Definition route.c:103
LR_NOMATCH
#define LR_NOMATCH
Definition route.c:1429
test_routes
bool test_routes(const struct route_list *rl, const struct tuntap *tt)
Definition route.c:2439
add_block_local_routes
static void add_block_local_routes(struct route_list *rl)
Definition route.c:572
block_local_needed
bool block_local_needed(const struct route_list *rl)
Get the decision whether to block traffic to local networks while the VPN is connected.
Definition route.c:596
get_default_gateway_ipv6
void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
Definition route.c:2664
get_windows_routing_table
static const MIB_IPFORWARDTABLE * get_windows_routing_table(struct gc_arena *gc)
Definition route.c:2380
get_best_route
static DWORD get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
Determines the best route to a destination for both IPv4 and IPv6.
Definition route.c:2530
do_route_service
static int do_route_service(const bool add, const route_message_t *rt, const DWORD size, HANDLE pipe)
Definition route.c:2843
format_route_entry
static const char * format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
Definition route.c:3049
add_route_service
static int add_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3024
init_route_ipv6_list
bool init_route_ipv6_list(struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, const struct in6_addr *remote_host_ipv6, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:748
delete_route
static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2026
del_route_ipv6_service
static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3043
route_list_add_vpn_gateway
void route_list_add_vpn_gateway(struct route_list *rl, struct env_set *es, const in_addr_t addr)
Definition route.c:535
ipv6_net_contains_host
bool ipv6_net_contains_host(const struct in6_addr *network, unsigned int bits, const struct in6_addr *host)
check whether an IPv6 host address is covered by a given network/bits
Definition route.c:714
add_route_ipv6_to_option_list
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l, const char *prefix, const char *gateway, const char *metric, int table_id)
Definition route.c:507
copy_route_option_list
void copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
Definition route.c:171
copy_route_ipv6_option_list
void copy_route_ipv6_option_list(struct route_ipv6_option_list *dest, const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:179
add_route
bool add_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1476
test_route
static int test_route(const IP_ADAPTER_INFO *adapters, const in_addr_t gateway, DWORD *index)
Definition route.c:2402
print_default_gateway
void print_default_gateway(const msglvl_t msglevel, const struct route_gateway_info *rgi, const struct route_ipv6_gateway_info *rgi6)
Definition route.c:1248
add_route_ipv6
bool add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1790
RTA_ERROR
#define RTA_ERROR
Definition route.c:101
del_route_service
static bool del_route_service(const struct route_ipv4 *, const struct tuntap *)
Definition route.c:3030
print_route
static void print_route(const struct route_ipv4 *r, msglvl_t msglevel)
Definition route.c:1322
local_route
static int local_route(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct route_gateway_info *rgi)
Definition route.c:1434
add_route_ipv6_service
static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *)
Definition route.c:3037
is_on_link
static bool is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
Definition route.c:1467
get_default_gateway_row
static const MIB_IPFORWARDROW * get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
Definition route.c:2482
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2566
route_ipv6_ipapi
static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *)
Definition route.c:2904
add_block_local_item
static void add_block_local_item(struct route_list *rl, const struct route_gateway_address *gateway, in_addr_t target)
Definition route.c:544
clone_route_ipv6_option_list
struct route_ipv6_option_list * clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
Definition route.c:162
show_opt
static const char * show_opt(const char *option)
Definition route.c:1214
print_routes
void print_routes(const struct route_list *rl, msglvl_t msglevel)
Definition route.c:1333
init_route_ipv6
static bool init_route_ipv6(struct route_ipv6 *r6, const struct route_ipv6_option *r6o, const struct route_ipv6_list *rl6)
Definition route.c:435
new_route_option_list
struct route_option_list * new_route_option_list(struct gc_arena *a)
Definition route.c:128
test_local_addr
int test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
Definition route.c:4012
METRIC_NOT_USED
#define METRIC_NOT_USED
Definition route.c:59
init_route_list
bool init_route_list(struct route_list *rl, const struct route_option_list *opt, const char *remote_endpoint, int default_metric, in_addr_t remote_host, struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:604
add_route_ipapi
static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
Definition route.c:2710
RTA_SUCCESS
#define RTA_SUCCESS
Definition route.c:102
delete_route_ipv6
void delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:2198
LR_MATCH
#define LR_MATCH
Definition route.c:1430
do_route_ipv6_service
static int do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
Definition route.c:2981
route_ipv6_clear_host_bits
void route_ipv6_clear_host_bits(struct route_ipv6 *r6)
Definition route.c:1765
clear_route_ipv6_list
static void clear_route_ipv6_list(struct route_ipv6_list *rl6)
Definition route.c:528
delete_routes
void delete_routes(struct route_list *rl, struct route_ipv6_list *rl6, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1162
LR_ERROR
#define LR_ERROR
Definition route.c:1431
show_routes
void show_routes(msglvl_t msglevel)
Definition route.c:3067
netmask_to_netbits
bool netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
Definition route.c:3874
setenv_route_addr
static void setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
Definition route.c:214
windows_route_find_if_index
static DWORD windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2618
do_route_ipv4_service
static int do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
Definition route.c:2875
setenv_routes
void setenv_routes(struct env_set *es, const struct route_list *rl)
Definition route.c:1363
delete_routes_v4
void delete_routes_v4(struct route_list *rl, const struct tuntap *tt, unsigned int flags, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:1170
add_bypass_routes
static bool add_bypass_routes(struct route_bypass *rb, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:908
get_bypass_addresses
static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
Definition route.c:3956
is_route_parm_defined
static bool is_route_parm_defined(const char *parm)
Definition route.c:200
setenv_route_ipv6
static void setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
Definition route.c:1374
add_bypass_address
static bool add_bypass_address(struct route_bypass *rb, const in_addr_t a)
Definition route.c:106
setenv_route
static void setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
Definition route.c:1343
add_route_to_option_list
void add_route_to_option_list(struct route_option_list *l, const char *network, const char *netmask, const char *gateway, const char *metric, int table_id)
Definition route.c:492
del_route3
static void del_route3(in_addr_t network, in_addr_t netmask, in_addr_t gateway, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es, openvpn_net_ctx_t *ctx)
Definition route.c:894
RG_LOCAL
#define RG_LOCAL
Definition route.h:87
TLA_LOCAL
#define TLA_LOCAL
Definition route.h:370
RGI_ON_LINK
#define RGI_ON_LINK
Definition route.h:164
RL_DID_LOCAL
#define RL_DID_LOCAL
Definition route.h:231
RL_DID_REDIRECT_DEFAULT_GATEWAY
#define RL_DID_REDIRECT_DEFAULT_GATEWAY
Definition route.h:230
ROUTE_REF_GW
#define ROUTE_REF_GW
Definition route.h:50
RG_BYPASS_DHCP
#define RG_BYPASS_DHCP
Definition route.h:89
RTSA_REMOTE_ENDPOINT
#define RTSA_REMOTE_ENDPOINT
Definition route.h:62
RGI_ADDR_DEFINED
#define RGI_ADDR_DEFINED
Definition route.h:159
RL_ROUTES_ADDED
#define RL_ROUTES_ADDED
Definition route.h:232
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
netbits_to_netmask
static in_addr_t netbits_to_netmask(const int netbits)
Definition route.h:399
RTSA_REMOTE_HOST
#define RTSA_REMOTE_HOST
Definition route.h:63
ROUTE_METHOD_SERVICE
#define ROUTE_METHOD_SERVICE
Definition route.h:42
RGI_IFACE_DEFINED
#define RGI_IFACE_DEFINED
Definition route.h:162
ROUTE_METHOD_IPAPI
#define ROUTE_METHOD_IPAPI
Definition route.h:40
RT_ADDED
#define RT_ADDED
Definition route.h:121
ROUTE_METHOD_EXE
#define ROUTE_METHOD_EXE
Definition route.h:41
RT_METRIC_DEFINED
#define RT_METRIC_DEFINED
Definition route.h:122
ROUTE_DELETE_FIRST
#define ROUTE_DELETE_FIRST
Definition route.h:49
RG_DEF1
#define RG_DEF1
Definition route.h:88
RG_BYPASS_DNS
#define RG_BYPASS_DNS
Definition route.h:90
RG_ENABLE
#define RG_ENABLE
Definition route.h:86
RG_REROUTE_GW
#define RG_REROUTE_GW
Definition route.h:91
TLA_NOT_IMPLEMENTED
#define TLA_NOT_IMPLEMENTED
Definition route.h:368
ROUTE_METHOD_ADAPTIVE
#define ROUTE_METHOD_ADAPTIVE
Definition route.h:39
RG_AUTO_LOCAL
#define RG_AUTO_LOCAL
Definition route.h:92
RG_BLOCK_LOCAL
#define RG_BLOCK_LOCAL
Definition route.h:93
TLA_NONLOCAL
#define TLA_NONLOCAL
Definition route.h:369
N_ROUTE_BYPASS
#define N_ROUTE_BYPASS
Definition route.h:54
RT_DEFINED
#define RT_DEFINED
Definition route.h:120
ROUTE_METHOD_MASK
#define ROUTE_METHOD_MASK
Definition route.h:43
RTSA_DEFAULT_METRIC
#define RTSA_DEFAULT_METRIC
Definition route.h:64
RGI_NETMASK_DEFINED
#define RGI_NETMASK_DEFINED
Definition route.h:160
openvpn_execve_check
int openvpn_execve_check(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *error_message)
Definition run_command.c:233
run_command.h
get_ipv6_addr
bool get_ipv6_addr(const char *hostname, struct in6_addr *network, unsigned int *netbits, msglvl_t msglevel)
Translate an IPv6 addr or hostname from string form to in6_addr.
Definition socket.c:219
getaddr
in_addr_t getaddr(unsigned int flags, const char *hostname, int resolve_retry_seconds, bool *succeeded, struct signal_info *sig_info)
Translate an IPv4 addr or hostname from string form to in_addr_t.
Definition socket.c:192
IPV4_INVALID_ADDR
#define IPV4_INVALID_ADDR
Definition socket.h:356
openvpn_getaddrinfo
int openvpn_getaddrinfo(unsigned int flags, const char *hostname, const char *servname, int resolve_retry_seconds, struct signal_info *sig_info, int ai_family, struct addrinfo **res)
Definition socket_util.c:537
print_in6_addr
const char * print_in6_addr(struct in6_addr a6, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:216
print_in_addr_t
const char * print_in_addr_t(in_addr_t addr, unsigned int flags, struct gc_arena *gc)
Definition socket_util.c:196
IF_NAMESIZE
#define IF_NAMESIZE
Definition socket_util.c:123
GETADDR_HOST_ORDER
#define GETADDR_HOST_ORDER
Definition socket_util.h:119
GETADDR_RESOLVE
#define GETADDR_RESOLVE
Definition socket_util.h:117
IA_NET_ORDER
#define IA_NET_ORDER
Definition socket_util.h:90
GETADDR_WARN_ON_SIGNAL
#define GETADDR_WARN_ON_SIGNAL
Definition socket_util.h:122
ack_message_t
Definition openvpn-msg.h:157
ack_message_t::error_number
int error_number
Definition openvpn-msg.h:159
argv
Definition argv.h:35
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
env_set
Definition env_set.h:43
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
interface_t::index
int index
Definition openvpn-msg.h:69
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
route_bypass
Definition route.h:53
route_bypass::n_bypass
int n_bypass
Definition route.h:55
route_bypass::bypass
in_addr_t bypass[N_ROUTE_BYPASS]
Definition route.h:56
route_gateway_address
Definition route.h:152
route_gateway_address::netmask
in_addr_t netmask
Definition route.h:154
route_gateway_address::addr
in_addr_t addr
Definition route.h:153
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
route_gateway_info::addrs
struct route_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:185
route_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:169
route_gateway_info::gateway
struct route_gateway_address gateway
Definition route.h:180
route_gateway_info::n_addrs
int n_addrs
Definition route.h:184
route_ipv4
Definition route.h:119
route_ipv4::option
const struct route_option * option
Definition route.h:125
route_ipv4::metric
int metric
Definition route.h:130
route_ipv4::next
struct route_ipv4 * next
Definition route.h:123
route_ipv4::table_id
int table_id
Definition route.h:129
route_ipv4::network
in_addr_t network
Definition route.h:126
route_ipv4::netmask
in_addr_t netmask
Definition route.h:127
route_ipv4::gateway
in_addr_t gateway
Definition route.h:128
route_ipv4::flags
unsigned int flags
Definition route.h:124
route_ipv6_gateway_address::addr_ipv6
struct in6_addr addr_ipv6
Definition route.h:190
route_ipv6_gateway_address::netbits_ipv6
int netbits_ipv6
Definition route.h:191
route_ipv6_gateway_info
Definition route.h:195
route_ipv6_gateway_info::gateway
struct route_ipv6_gateway_address gateway
Definition route.h:219
route_ipv6_gateway_info::addrs
struct route_ipv6_gateway_address addrs[RGI_N_ADDRESSES]
Definition route.h:224
route_ipv6_gateway_info::flags
unsigned int flags
Definition route.h:197
route_ipv6_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:216
route_ipv6_gateway_info::adapter_index
DWORD adapter_index
Definition route.h:201
route_ipv6_list
Definition route.h:243
route_ipv6_list::iflags
unsigned int iflags
Definition route.h:244
route_ipv6_list::flags
unsigned int flags
Definition route.h:252
route_ipv6_list::rgi6
struct route_ipv6_gateway_info rgi6
Definition route.h:251
route_ipv6_list::routes_ipv6
struct route_ipv6 * routes_ipv6
Definition route.h:253
route_ipv6_list::spec_flags
unsigned int spec_flags
Definition route.h:246
route_ipv6_list::default_metric
int default_metric
Definition route.h:249
route_ipv6_list::remote_host_ipv6
struct in6_addr remote_host_ipv6
Definition route.h:248
route_ipv6_list::gc
struct gc_arena gc
Definition route.h:254
route_ipv6_list::remote_endpoint_ipv6
struct in6_addr remote_endpoint_ipv6
Definition route.h:247
route_ipv6_option_list
Definition route.h:112
route_ipv6_option_list::flags
unsigned int flags
Definition route.h:113
route_ipv6_option_list::gc
struct gc_arena * gc
Definition route.h:115
route_ipv6_option_list::routes_ipv6
struct route_ipv6_option * routes_ipv6
Definition route.h:114
route_ipv6_option
Definition route.h:103
route_ipv6_option::next
struct route_ipv6_option * next
Definition route.h:104
route_ipv6_option::gateway
const char * gateway
Definition route.h:106
route_ipv6_option::table_id
int table_id
Definition route.h:108
route_ipv6_option::metric
const char * metric
Definition route.h:107
route_ipv6_option::prefix
const char * prefix
Definition route.h:105
route_ipv6
Definition route.h:134
route_ipv6::gateway
struct in6_addr gateway
Definition route.h:139
route_ipv6::adapter_index
DWORD adapter_index
Definition route.h:144
route_ipv6::netbits
unsigned int netbits
Definition route.h:138
route_ipv6::next
struct route_ipv6 * next
Definition route.h:135
route_ipv6::flags
unsigned int flags
Definition route.h:136
route_ipv6::network
struct in6_addr network
Definition route.h:137
route_ipv6::metric
int metric
Definition route.h:140
route_list
Definition route.h:229
route_list::rgi
struct route_gateway_info rgi
Definition route.h:236
route_list::routes
struct route_ipv4 * routes
Definition route.h:238
route_list::spec
struct route_special_addr spec
Definition route.h:235
route_list::flags
unsigned int flags
Definition route.h:237
route_list::gc
struct gc_arena gc
Definition route.h:239
route_list::iflags
unsigned int iflags
Definition route.h:233
route_message_t
Definition openvpn-msg.h:89
route_message_t::header
message_header_t header
Definition openvpn-msg.h:90
route_message_t::iface
interface_t iface
Definition openvpn-msg.h:95
route_option_list
Definition route.h:96
route_option_list::gc
struct gc_arena * gc
Definition route.h:99
route_option_list::flags
unsigned int flags
Definition route.h:97
route_option_list::routes
struct route_option * routes
Definition route.h:98
route_option
Definition route.h:76
route_option::table_id
int table_id
Definition route.h:81
route_option::network
const char * network
Definition route.h:78
route_option::netmask
const char * netmask
Definition route.h:79
route_option::next
struct route_option * next
Definition route.h:77
route_option::gateway
const char * gateway
Definition route.h:80
route_option::metric
const char * metric
Definition route.h:82
route_special_addr::remote_host
in_addr_t remote_host
Definition route.h:68
route_special_addr::bypass
struct route_bypass bypass
Definition route.h:70
route_special_addr::flags
unsigned int flags
Definition route.h:65
route_special_addr::default_metric
int default_metric
Definition route.h:72
route_special_addr::remote_endpoint
in_addr_t remote_endpoint
Definition route.h:67
route_special_addr::remote_host_local
int remote_host_local
Definition route.h:69
tuntap_options::msg_channel
HANDLE msg_channel
Definition tun.h:88
tuntap
Definition tun.h:183
tuntap::type
int type
Definition tun.h:185
tuntap::adapter_index
DWORD adapter_index
Definition tun.h:234
tuntap::did_ifconfig_ipv6_setup
bool did_ifconfig_ipv6_setup
if the internal variables related to ifconfig-ipv6 of this struct have been set up.
Definition tun.h:201
tuntap::options
struct tuntap_options options
Definition tun.h:205
tuntap::did_ifconfig_setup
bool did_ifconfig_setup
if the internal variables related to ifconfig of this struct have been set up.
Definition tun.h:197
tuntap::actual_name
char * actual_name
Definition tun.h:207
iface
static char * iface
Definition test_networking.c:7
es
struct env_set * es
Definition test_pkcs11.c:138
r6
char * r6[]
Definition test_push_update_msg.c:324
i
int i
Definition test_push_update_msg.c:134
r1
char * r1[]
Definition test_push_update_msg.c:306
gc
struct gc_arena gc
Definition test_ssl.c:131
get_tun_adapter
const IP_ADAPTER_INFO * get_tun_adapter(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4530
is_adapter_up
bool is_adapter_up(const struct tuntap *tt, const IP_ADAPTER_INFO *list)
Definition tun.c:4543
get_adapter_info
const IP_ADAPTER_INFO * get_adapter_info(DWORD index, struct gc_arena *gc)
Definition tun.c:4445
get_per_adapter_info
const IP_PER_ADAPTER_INFO * get_per_adapter_info(const DWORD index, struct gc_arena *gc)
Definition tun.c:4343
is_ip_in_adapter_subnet
bool is_ip_in_adapter_subnet(const IP_ADAPTER_INFO *ai, const in_addr_t ip, in_addr_t *highest_netmask)
Definition tun.c:4587
get_adapter_info_list
const IP_ADAPTER_INFO * get_adapter_info_list(struct gc_arena *gc)
Definition tun.c:4318
get_adapter
const IP_ADAPTER_INFO * get_adapter(const IP_ADAPTER_INFO *ai, DWORD index)
Definition tun.c:4426
adapter_index_of_ip
DWORD adapter_index_of_ip(const IP_ADAPTER_INFO *list, const in_addr_t ip, int *count, in_addr_t *netmask)
Definition tun.c:4621
TUN_ADAPTER_INDEX_INVALID
#define TUN_ADAPTER_INDEX_INVALID
Definition tun.h:64
wide_string
WCHAR * wide_string(const char *utf8, struct gc_arena *gc)
Definition win32-util.c:40
netcmd_semaphore_release
void netcmd_semaphore_release(void)
Definition win32.c:867
get_win_sys_path
char * get_win_sys_path(void)
Definition win32.c:1108
netcmd_semaphore_lock
void netcmd_semaphore_lock(void)
Definition win32.c:851
send_msg_iservice
bool send_msg_iservice(HANDLE pipe, const void *data, DWORD size, ack_message_t *ack, const char *context)
Send the size bytes in buffer data to the interactive service pipe and read the result in ack.
Definition win32.c:1422
WIN_ROUTE_PATH_SUFFIX
#define WIN_ROUTE_PATH_SUFFIX
Definition win32.h:40
Generated by doxygen 1.9.8