]> git.ipfire.org Git - thirdparty/openvpn.git/blob - src/openvpn/route.c
projects / thirdparty / openvpn.git / blob
? search:


156262a4f457dd52cbac83f75399f3f2f29c12a3
[thirdparty/openvpn.git] / src / openvpn / route.c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24 /*
25 * Support routines for adding/deleting network routes.
26 */
27 #include <stddef.h>
28 #include <stdbool.h>
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33
34 #include "syshead.h"
35
36 #include "common.h"
37 #include "error.h"
38 #include "route.h"
39 #include "run_command.h"
40 #include "socket.h"
41 #include "manage.h"
42 #include "win32.h"
43 #include "options.h"
44 #include "networking.h"
45 #include "integer.h"
46
47 #include "memdbg.h"
48
49 #if defined(TARGET_LINUX) || defined(TARGET_ANDROID)
50 #include <linux/rtnetlink.h> /* RTM_GETROUTE etc. */
51 #endif
52
53 #if defined(TARGET_NETBSD)
54 #include <net/route.h> /* RT_ROUNDUP(), RT_ADVANCE() */
55 #endif
56
57 #ifdef _WIN32
58 #include "openvpn-msg.h"
59
60 #define METRIC_NOT_USED ((DWORD)-1)
61 static int add_route_service(const struct route_ipv4 *, const struct tuntap *);
62
63 static bool del_route_service(const struct route_ipv4 *, const struct tuntap *);
64
65 static int add_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
66
67 static bool del_route_ipv6_service(const struct route_ipv6 *, const struct tuntap *);
68
69 static int route_ipv6_ipapi(bool add, const struct route_ipv6 *, const struct tuntap *);
70
71 static int add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index);
72
73 static bool del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt);
74
75
76 #endif
77
78 static void delete_route(struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags,
79 const struct route_gateway_info *rgi, const struct env_set *es,
80 openvpn_net_ctx_t *ctx);
81
82 static void get_bypass_addresses(struct route_bypass *rb, const unsigned int flags);
83
84 #ifdef ENABLE_DEBUG
85
86 static void
87 print_bypass_addresses(const struct route_bypass *rb)
88 {
89 struct gc_arena gc = gc_new();
90 int i;
91 for (i = 0; i < rb->n_bypass; ++i)
92 {
93 msg(D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
94 i,
95 print_in_addr_t(rb->bypass[i], 0, &gc));
96 }
97 gc_free(&gc);
98 }
99
100 #endif
101
102 /* Route addition return status codes */
103 #define RTA_ERROR 0 /* route addition failed */
104 #define RTA_SUCCESS 1 /* route addition succeeded */
105 #define RTA_EEXIST 2 /* route not added as it already exists */
106
107 static bool
108 add_bypass_address(struct route_bypass *rb, const in_addr_t a)
109 {
110 int i;
111 for (i = 0; i < rb->n_bypass; ++i)
112 {
113 if (a == rb->bypass[i]) /* avoid duplicates */
114 {
115 return true;
116 }
117 }
118 if (rb->n_bypass < N_ROUTE_BYPASS)
119 {
120 rb->bypass[rb->n_bypass++] = a;
121 return true;
122 }
123 else
124 {
125 return false;
126 }
127 }
128
129 struct route_option_list *
130 new_route_option_list(struct gc_arena *a)
131 {
132 struct route_option_list *ret;
133 ALLOC_OBJ_CLEAR_GC(ret, struct route_option_list, a);
134 ret->gc = a;
135 return ret;
136 }
137
138 struct route_ipv6_option_list *
139 new_route_ipv6_option_list(struct gc_arena *a)
140 {
141 struct route_ipv6_option_list *ret;
142 ALLOC_OBJ_CLEAR_GC(ret, struct route_ipv6_option_list, a);
143 ret->gc = a;
144 return ret;
145 }
146
147 /*
148 * NOTE: structs are cloned/copied shallow by design.
149 * The routes list from src will stay intact since it is allocated using
150 * the options->gc. The cloned/copied lists will share this common tail
151 * to avoid copying the data around between pulls. Pulled routes use
152 * the c2->gc so they get freed immediately after a reconnect.
153 */
154 struct route_option_list *
155 clone_route_option_list(const struct route_option_list *src, struct gc_arena *a)
156 {
157 struct route_option_list *ret;
158 ALLOC_OBJ_GC(ret, struct route_option_list, a);
159 *ret = *src;
160 return ret;
161 }
162
163 struct route_ipv6_option_list *
164 clone_route_ipv6_option_list(const struct route_ipv6_option_list *src, struct gc_arena *a)
165 {
166 struct route_ipv6_option_list *ret;
167 ALLOC_OBJ_GC(ret, struct route_ipv6_option_list, a);
168 *ret = *src;
169 return ret;
170 }
171
172 void
173 copy_route_option_list(struct route_option_list *dest, const struct route_option_list *src, struct gc_arena *a)
174 {
175 *dest = *src;
176 dest->gc = a;
177 }
178
179 void
180 copy_route_ipv6_option_list(struct route_ipv6_option_list *dest,
181 const struct route_ipv6_option_list *src,
182 struct gc_arena *a)
183 {
184 *dest = *src;
185 dest->gc = a;
186 }
187
188 static const char *
189 route_string(const struct route_ipv4 *r, struct gc_arena *gc)
190 {
191 struct buffer out = alloc_buf_gc(256, gc);
192 buf_printf(&out, "ROUTE network %s netmask %s gateway %s",
193 print_in_addr_t(r->network, 0, gc),
194 print_in_addr_t(r->netmask, 0, gc),
195 print_in_addr_t(r->gateway, 0, gc)
196 );
197 if (r->flags & RT_METRIC_DEFINED)
198 {
199 buf_printf(&out, " metric %d", r->metric);
200 }
201 return BSTR(&out);
202 }
203
204 static bool
205 is_route_parm_defined(const char *parm)
206 {
207 if (!parm)
208 {
209 return false;
210 }
211 if (!strcmp(parm, "default"))
212 {
213 return false;
214 }
215 return true;
216 }
217
218 static void
219 setenv_route_addr(struct env_set *es, const char *key, const in_addr_t addr, int i)
220 {
221 struct gc_arena gc = gc_new();
222 struct buffer name = alloc_buf_gc(256, &gc);
223 if (i >= 0)
224 {
225 buf_printf(&name, "route_%s_%d", key, i);
226 }
227 else
228 {
229 buf_printf(&name, "route_%s", key);
230 }
231 setenv_str(es, BSTR(&name), print_in_addr_t(addr, 0, &gc));
232 gc_free(&gc);
233 }
234
235 static bool
236 get_special_addr(const struct route_list *rl,
237 const char *string,
238 in_addr_t *out,
239 bool *status)
240 {
241 if (status)
242 {
243 *status = true;
244 }
245 if (!strcmp(string, "vpn_gateway"))
246 {
247 if (rl)
248 {
249 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
250 {
251 *out = rl->spec.remote_endpoint;
252 }
253 else
254 {
255 msg(M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
256 if (status)
257 {
258 *status = false;
259 }
260 }
261 }
262 return true;
263 }
264 else if (!strcmp(string, "net_gateway"))
265 {
266 if (rl)
267 {
268 if (rl->rgi.flags & RGI_ADDR_DEFINED)
269 {
270 *out = rl->rgi.gateway.addr;
271 }
272 else
273 {
274 msg(M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
275 if (status)
276 {
277 *status = false;
278 }
279 }
280 }
281 return true;
282 }
283 else if (!strcmp(string, "remote_host"))
284 {
285 if (rl)
286 {
287 if (rl->spec.flags & RTSA_REMOTE_HOST)
288 {
289 *out = rl->spec.remote_host;
290 }
291 else
292 {
293 msg(M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
294 if (status)
295 {
296 *status = false;
297 }
298 }
299 }
300 return true;
301 }
302 return false;
303 }
304
305 bool
306 is_special_addr(const char *addr_str)
307 {
308 if (addr_str)
309 {
310 return get_special_addr(NULL, addr_str, NULL, NULL);
311 }
312 else
313 {
314 return false;
315 }
316 }
317
318 static bool
319 init_route(struct route_ipv4 *r,
320 struct addrinfo **network_list,
321 const struct route_option *ro,
322 const struct route_list *rl)
323 {
324 const in_addr_t default_netmask = IPV4_NETMASK_HOST;
325 bool status;
326 int ret;
327 struct in_addr special = {0};
328
329 CLEAR(*r);
330 r->option = ro;
331
332 /* network */
333 if (!is_route_parm_defined(ro->network))
334 {
335 goto fail;
336 }
337
338 /* get_special_addr replaces specialaddr with a special ip addr
339 * like gw. getaddrinfo is called to convert a a addrinfo struct */
340
341 if (get_special_addr(rl, ro->network, (in_addr_t *) &special.s_addr, &status))
342 {
343 if (!status)
344 {
345 goto fail;
346 }
347 special.s_addr = htonl(special.s_addr);
348 char buf[INET_ADDRSTRLEN];
349 inet_ntop(AF_INET, &special, buf, sizeof(buf));
350 ret = openvpn_getaddrinfo(0, buf, NULL, 0, NULL,
351 AF_INET, network_list);
352 }
353 else
354 {
355 ret = openvpn_getaddrinfo(GETADDR_RESOLVE | GETADDR_WARN_ON_SIGNAL,
356 ro->network, NULL, 0, NULL, AF_INET, network_list);
357 }
358
359 status = (ret == 0);
360
361 if (!status)
362 {
363 goto fail;
364 }
365
366 /* netmask */
367
368 if (is_route_parm_defined(ro->netmask))
369 {
370 r->netmask = getaddr(
371 GETADDR_HOST_ORDER
372 | GETADDR_WARN_ON_SIGNAL,
373 ro->netmask,
374 0,
375 &status,
376 NULL);
377 if (!status)
378 {
379 goto fail;
380 }
381 }
382 else
383 {
384 r->netmask = default_netmask;
385 }
386
387 /* gateway */
388
389 if (is_route_parm_defined(ro->gateway))
390 {
391 if (!get_special_addr(rl, ro->gateway, &r->gateway, &status))
392 {
393 r->gateway = getaddr(
394 GETADDR_RESOLVE
395 | GETADDR_HOST_ORDER
396 | GETADDR_WARN_ON_SIGNAL,
397 ro->gateway,
398 0,
399 &status,
400 NULL);
401 }
402 if (!status)
403 {
404 goto fail;
405 }
406 }
407 else
408 {
409 if (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
410 {
411 r->gateway = rl->spec.remote_endpoint;
412 }
413 else
414 {
415 msg(M_WARN, PACKAGE_NAME " ROUTE: " PACKAGE_NAME " needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
416 goto fail;
417 }
418 }
419
420 /* metric */
421
422 r->metric = 0;
423 if (is_route_parm_defined(ro->metric))
424 {
425 r->metric = atoi(ro->metric);
426 if (r->metric < 0)
427 {
428 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
429 ro->network,
430 ro->metric);
431 goto fail;
432 }
433 r->flags |= RT_METRIC_DEFINED;
434 }
435 else if (rl->spec.flags & RTSA_DEFAULT_METRIC)
436 {
437 r->metric = rl->spec.default_metric;
438 r->flags |= RT_METRIC_DEFINED;
439 }
440
441 r->flags |= RT_DEFINED;
442
443 /* routing table id */
444 r->table_id = ro->table_id;
445
446 return true;
447
448 fail:
449 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
450 ro->network);
451 return false;
452 }
453
454 static bool
455 init_route_ipv6(struct route_ipv6 *r6,
456 const struct route_ipv6_option *r6o,
457 const struct route_ipv6_list *rl6 )
458 {
459 CLEAR(*r6);
460
461 if (!get_ipv6_addr( r6o->prefix, &r6->network, &r6->netbits, M_WARN ))
462 {
463 goto fail;
464 }
465
466 /* gateway */
467 if (is_route_parm_defined(r6o->gateway))
468 {
469 if (inet_pton( AF_INET6, r6o->gateway, &r6->gateway ) != 1)
470 {
471 msg( M_WARN, PACKAGE_NAME "ROUTE6: cannot parse gateway spec '%s'", r6o->gateway );
472 }
473 }
474 else if (rl6->spec_flags & RTSA_REMOTE_ENDPOINT)
475 {
476 r6->gateway = rl6->remote_endpoint_ipv6;
477 }
478
479 /* metric */
480
481 r6->metric = -1;
482 if (is_route_parm_defined(r6o->metric))
483 {
484 r6->metric = atoi(r6o->metric);
485 if (r6->metric < 0)
486 {
487 msg(M_WARN, PACKAGE_NAME " ROUTE: route metric for network %s (%s) must be >= 0",
488 r6o->prefix,
489 r6o->metric);
490 goto fail;
491 }
492 r6->flags |= RT_METRIC_DEFINED;
493 }
494 else if (rl6->spec_flags & RTSA_DEFAULT_METRIC)
495 {
496 r6->metric = rl6->default_metric;
497 r6->flags |= RT_METRIC_DEFINED;
498 }
499
500 r6->flags |= RT_DEFINED;
501
502 /* routing table id */
503 r6->table_id = r6o->table_id;
504
505 return true;
506
507 fail:
508 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve route for host/network: %s",
509 r6o->prefix);
510 return false;
511 }
512
513 void
514 add_route_to_option_list(struct route_option_list *l,
515 const char *network,
516 const char *netmask,
517 const char *gateway,
518 const char *metric,
519 int table_id)
520 {
521 struct route_option *ro;
522 ALLOC_OBJ_GC(ro, struct route_option, l->gc);
523 ro->network = network;
524 ro->netmask = netmask;
525 ro->gateway = gateway;
526 ro->metric = metric;
527 ro->table_id = table_id;
528 ro->next = l->routes;
529 l->routes = ro;
530
531 }
532
533 void
534 add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
535 const char *prefix,
536 const char *gateway,
537 const char *metric,
538 int table_id)
539 {
540 struct route_ipv6_option *ro;
541 ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
542 ro->prefix = prefix;
543 ro->gateway = gateway;
544 ro->metric = metric;
545 ro->table_id = table_id;
546 ro->next = l->routes_ipv6;
547 l->routes_ipv6 = ro;
548 }
549
550 static void
551 clear_route_list(struct route_list *rl)
552 {
553 gc_free(&rl->gc);
554 CLEAR(*rl);
555 }
556
557 static void
558 clear_route_ipv6_list(struct route_ipv6_list *rl6)
559 {
560 gc_free(&rl6->gc);
561 CLEAR(*rl6);
562 }
563
564 void
565 route_list_add_vpn_gateway(struct route_list *rl,
566 struct env_set *es,
567 const in_addr_t addr)
568 {
569 ASSERT(rl);
570 rl->spec.remote_endpoint = addr;
571 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
572 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
573 }
574
575 static void
576 add_block_local_item(struct route_list *rl,
577 const struct route_gateway_address *gateway,
578 in_addr_t target)
579 {
580 if (rl->rgi.gateway.netmask < 0xFFFFFFFF)
581 {
582 struct route_ipv4 *r1, *r2;
583 unsigned int l2;
584
585 ALLOC_OBJ_GC(r1, struct route_ipv4, &rl->gc);
586 ALLOC_OBJ_GC(r2, struct route_ipv4, &rl->gc);
587
588 /* split a route into two smaller blocking routes, and direct them to target */
589 l2 = ((~gateway->netmask)+1)>>1;
590 r1->flags = RT_DEFINED;
591 r1->gateway = target;
592 r1->network = gateway->addr & gateway->netmask;
593 r1->netmask = ~(l2-1);
594 r1->next = rl->routes;
595 rl->routes = r1;
596
597 *r2 = *r1;
598 r2->network += l2;
599 r2->next = rl->routes;
600 rl->routes = r2;
601 }
602 }
603
604 static void
605 add_block_local_routes(struct route_list *rl)
606 {
607 #ifndef TARGET_ANDROID
608 /* add bypass for gateway addr */
609 add_bypass_address(&rl->spec.bypass, rl->rgi.gateway.addr);
610 #endif
611
612 /* block access to local subnet */
613 add_block_local_item(rl, &rl->rgi.gateway, rl->spec.remote_endpoint);
614
615 /* process additional subnets on gateway interface */
616 for (size_t i = 0; i < rl->rgi.n_addrs; ++i)
617 {
618 const struct route_gateway_address *gwa = &rl->rgi.addrs[i];
619 /* omit the add/subnet in &rl->rgi which we processed above */
620 if (!((rl->rgi.gateway.addr & rl->rgi.gateway.netmask) == (gwa->addr & gwa->netmask)
621 && rl->rgi.gateway.netmask == gwa->netmask))
622 {
623 add_block_local_item(rl, gwa, rl->spec.remote_endpoint);
624 }
625 }
626 }
627
628 bool
629 block_local_needed(const struct route_list *rl)
630 {
631 const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
632 return (rl->flags & RG_BLOCK_LOCAL)
633 && (rl->rgi.flags & rgi_needed) == rgi_needed
634 && (rl->spec.flags & RTSA_REMOTE_ENDPOINT)
635 && rl->spec.remote_host_local != TLA_LOCAL;
636 }
637
638 bool
639 init_route_list(struct route_list *rl,
640 const struct route_option_list *opt,
641 const char *remote_endpoint,
642 int default_metric,
643 in_addr_t remote_host,
644 struct env_set *es,
645 openvpn_net_ctx_t *ctx)
646 {
647 struct gc_arena gc = gc_new();
648 bool ret = true;
649
650 clear_route_list(rl);
651
652 rl->flags = opt->flags;
653
654 if (remote_host != IPV4_INVALID_ADDR)
655 {
656 rl->spec.remote_host = remote_host;
657 rl->spec.flags |= RTSA_REMOTE_HOST;
658 }
659
660 if (default_metric)
661 {
662 rl->spec.default_metric = default_metric;
663 rl->spec.flags |= RTSA_DEFAULT_METRIC;
664 }
665
666 get_default_gateway(&rl->rgi, remote_host != IPV4_INVALID_ADDR ? remote_host : INADDR_ANY, ctx);
667 if (rl->rgi.flags & RGI_ADDR_DEFINED)
668 {
669 setenv_route_addr(es, "net_gateway", rl->rgi.gateway.addr, -1);
670 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
671 print_default_gateway(D_ROUTE, &rl->rgi, NULL);
672 #endif
673 }
674 else
675 {
676 dmsg(D_ROUTE, "ROUTE: default_gateway=UNDEF");
677 }
678
679 if (rl->spec.flags & RTSA_REMOTE_HOST)
680 {
681 rl->spec.remote_host_local = test_local_addr(remote_host, &rl->rgi);
682 }
683
684 if (is_route_parm_defined(remote_endpoint))
685 {
686 bool defined = false;
687 rl->spec.remote_endpoint = getaddr(
688 GETADDR_RESOLVE
689 | GETADDR_HOST_ORDER
690 | GETADDR_WARN_ON_SIGNAL,
691 remote_endpoint,
692 0,
693 &defined,
694 NULL);
695
696 if (defined)
697 {
698 setenv_route_addr(es, "vpn_gateway", rl->spec.remote_endpoint, -1);
699 rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
700 }
701 else
702 {
703 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s",
704 remote_endpoint);
705 ret = false;
706 }
707 }
708
709 if (rl->flags & RG_ENABLE)
710 {
711 if (block_local_needed(rl))
712 {
713 add_block_local_routes(rl);
714 }
715 get_bypass_addresses(&rl->spec.bypass, rl->flags);
716 #ifdef ENABLE_DEBUG
717 print_bypass_addresses(&rl->spec.bypass);
718 #endif
719 }
720
721 /* parse the routes from opt to rl */
722 {
723 struct route_option *ro;
724 for (ro = opt->routes; ro; ro = ro->next)
725 {
726 struct addrinfo *netlist = NULL;
727 struct route_ipv4 r;
728
729 if (!init_route(&r, &netlist, ro, rl))
730 {
731 ret = false;
732 }
733 else
734 {
735 struct addrinfo *curele;
736 for (curele = netlist; curele; curele = curele->ai_next)
737 {
738 struct route_ipv4 *new;
739 ALLOC_OBJ_GC(new, struct route_ipv4, &rl->gc);
740 *new = r;
741 new->network = ntohl(((struct sockaddr_in *)curele->ai_addr)->sin_addr.s_addr);
742 new->next = rl->routes;
743 rl->routes = new;
744 }
745 }
746 if (netlist)
747 {
748 gc_addspecial(netlist, &gc_freeaddrinfo_callback, &gc);
749 }
750 }
751 }
752
753 gc_free(&gc);
754 return ret;
755 }
756
757 /* check whether an IPv6 host address is covered by a given route_ipv6
758 * (not the most beautiful implementation in the world, but portable and
759 * "good enough")
760 */
761 static bool
762 route_ipv6_match_host( const struct route_ipv6 *r6,
763 const struct in6_addr *host )
764 {
765 unsigned int bits = r6->netbits;
766 int i;
767 unsigned int mask;
768
769 if (bits>128)
770 {
771 return false;
772 }
773
774 for (i = 0; bits >= 8; i++, bits -= 8)
775 {
776 if (r6->network.s6_addr[i] != host->s6_addr[i])
777 {
778 return false;
779 }
780 }
781
782 if (bits == 0)
783 {
784 return true;
785 }
786
787 mask = 0xff << (8-bits);
788
789 if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask ))
790 {
791 return true;
792 }
793
794 return false;
795 }
796
797 bool
798 init_route_ipv6_list(struct route_ipv6_list *rl6,
799 const struct route_ipv6_option_list *opt6,
800 const char *remote_endpoint,
801 int default_metric,
802 const struct in6_addr *remote_host_ipv6,
803 struct env_set *es,
804 openvpn_net_ctx_t *ctx)
805 {
806 struct gc_arena gc = gc_new();
807 bool ret = true;
808 bool need_remote_ipv6_route;
809
810 clear_route_ipv6_list(rl6);
811
812 rl6->flags = opt6->flags;
813
814 if (remote_host_ipv6)
815 {
816 rl6->remote_host_ipv6 = *remote_host_ipv6;
817 rl6->spec_flags |= RTSA_REMOTE_HOST;
818 }
819
820 if (default_metric >= 0)
821 {
822 rl6->default_metric = default_metric;
823 rl6->spec_flags |= RTSA_DEFAULT_METRIC;
824 }
825
826 msg(D_ROUTE, "GDG6: remote_host_ipv6=%s",
827 remote_host_ipv6 ? print_in6_addr(*remote_host_ipv6, 0, &gc) : "n/a" );
828
829 get_default_gateway_ipv6(&rl6->rgi6, remote_host_ipv6, ctx);
830 if (rl6->rgi6.flags & RGI_ADDR_DEFINED)
831 {
832 setenv_str(es, "net_gateway_ipv6", print_in6_addr(rl6->rgi6.gateway.addr_ipv6, 0, &gc));
833 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
834 print_default_gateway(D_ROUTE, NULL, &rl6->rgi6);
835 #endif
836 }
837 else
838 {
839 dmsg(D_ROUTE, "ROUTE6: default_gateway=UNDEF");
840 }
841
842 if (is_route_parm_defined( remote_endpoint ))
843 {
844 if (inet_pton( AF_INET6, remote_endpoint,
845 &rl6->remote_endpoint_ipv6) == 1)
846 {
847 rl6->spec_flags |= RTSA_REMOTE_ENDPOINT;
848 }
849 else
850 {
851 msg(M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint);
852 ret = false;
853 }
854 }
855
856 /* parse the routes from opt6 to rl6
857 * discovering potential overlaps with remote_host_ipv6 in the process
858 */
859 need_remote_ipv6_route = false;
860
861 {
862 struct route_ipv6_option *ro6;
863 for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next)
864 {
865 struct route_ipv6 *r6;
866 ALLOC_OBJ_GC(r6, struct route_ipv6, &rl6->gc);
867 if (!init_route_ipv6(r6, ro6, rl6))
868 {
869 ret = false;
870 }
871 else
872 {
873 r6->next = rl6->routes_ipv6;
874 rl6->routes_ipv6 = r6;
875
876 #ifndef TARGET_ANDROID
877 /* On Android the VPNService protect function call will take of
878 * avoiding routing loops, so ignore this part and let
879 * need_remote_ipv6_route always evaluate to false
880 */
881 if (remote_host_ipv6
882 && route_ipv6_match_host( r6, remote_host_ipv6 ) )
883 {
884 need_remote_ipv6_route = true;
885 msg(D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint",
886 print_in6_addr(r6->network, 0, &gc), r6->netbits,
887 print_in6_addr(*remote_host_ipv6, 0, &gc));
888 }
889 #endif
890 }
891 }
892 }
893
894 /* add VPN server host route if needed */
895 if (need_remote_ipv6_route)
896 {
897 if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) ==
898 (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) )
899 {
900 struct route_ipv6 *r6;
901 ALLOC_OBJ_CLEAR_GC(r6, struct route_ipv6, &rl6->gc);
902
903 r6->network = *remote_host_ipv6;
904 r6->netbits = 128;
905 if (!(rl6->rgi6.flags & RGI_ON_LINK) )
906 {
907 r6->gateway = rl6->rgi6.gateway.addr_ipv6;
908 }
909 r6->metric = 1;
910 #ifdef _WIN32
911 r6->adapter_index = rl6->rgi6.adapter_index;
912 #else
913 r6->iface = rl6->rgi6.iface;
914 #endif
915 r6->flags = RT_DEFINED | RT_METRIC_DEFINED;
916
917 r6->next = rl6->routes_ipv6;
918 rl6->routes_ipv6 = r6;
919 }
920 else
921 {
922 msg(M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" );
923 }
924 }
925
926 gc_free(&gc);
927 return ret;
928 }
929
930 static bool
931 add_route3(in_addr_t network,
932 in_addr_t netmask,
933 in_addr_t gateway,
934 const struct tuntap *tt,
935 unsigned int flags,
936 const struct route_gateway_info *rgi,
937 const struct env_set *es,
938 openvpn_net_ctx_t *ctx)
939 {
940 struct route_ipv4 r;
941 CLEAR(r);
942 r.flags = RT_DEFINED;
943 r.network = network;
944 r.netmask = netmask;
945 r.gateway = gateway;
946 return add_route(&r, tt, flags, rgi, es, ctx);
947 }
948
949 static void
950 del_route3(in_addr_t network,
951 in_addr_t netmask,
952 in_addr_t gateway,
953 const struct tuntap *tt,
954 unsigned int flags,
955 const struct route_gateway_info *rgi,
956 const struct env_set *es,
957 openvpn_net_ctx_t *ctx)
958 {
959 struct route_ipv4 r;
960 CLEAR(r);
961 r.flags = RT_DEFINED|RT_ADDED;
962 r.network = network;
963 r.netmask = netmask;
964 r.gateway = gateway;
965 delete_route(&r, tt, flags, rgi, es, ctx);
966 }
967
968 static bool
969 add_bypass_routes(struct route_bypass *rb,
970 in_addr_t gateway,
971 const struct tuntap *tt,
972 unsigned int flags,
973 const struct route_gateway_info *rgi,
974 const struct env_set *es,
975 openvpn_net_ctx_t *ctx)
976 {
977 int ret = true;
978 for (int i = 0; i < rb->n_bypass; ++i)
979 {
980 if (rb->bypass[i])
981 {
982 ret = add_route3(rb->bypass[i], IPV4_NETMASK_HOST, gateway, tt,
983 flags | ROUTE_REF_GW, rgi, es, ctx) && ret;
984 }
985 }
986 return ret;
987 }
988
989 static void
990 del_bypass_routes(struct route_bypass *rb,
991 in_addr_t gateway,
992 const struct tuntap *tt,
993 unsigned int flags,
994 const struct route_gateway_info *rgi,
995 const struct env_set *es,
996 openvpn_net_ctx_t *ctx)
997 {
998 int i;
999 for (i = 0; i < rb->n_bypass; ++i)
1000 {
1001 if (rb->bypass[i])
1002 {
1003 del_route3(rb->bypass[i],
1004 IPV4_NETMASK_HOST,
1005 gateway,
1006 tt,
1007 flags | ROUTE_REF_GW,
1008 rgi,
1009 es,
1010 ctx);
1011 }
1012 }
1013 }
1014
1015 static bool
1016 redirect_default_route_to_vpn(struct route_list *rl, const struct tuntap *tt,
1017 unsigned int flags, const struct env_set *es,
1018 openvpn_net_ctx_t *ctx)
1019 {
1020 const char err[] = "NOTE: unable to redirect IPv4 default gateway --";
1021 bool ret = true;
1022
1023 if (rl && rl->flags & RG_ENABLE)
1024 {
1025 bool local = rl->flags & RG_LOCAL;
1026
1027 if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT) && (rl->flags & RG_REROUTE_GW))
1028 {
1029 msg(M_WARN, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err);
1030 ret = false;
1031 }
1032 /*
1033 * check if a default route is defined, unless:
1034 * - we are connecting to a remote host in our network
1035 * - we are connecting to a non-IPv4 remote host (i.e. we use IPv6)
1036 */
1037 else if (!(rl->rgi.flags & RGI_ADDR_DEFINED) && !local
1038 && (rl->spec.flags & RTSA_REMOTE_HOST))
1039 {
1040 msg(M_WARN, "%s Cannot read current default gateway from system", err);
1041 ret = false;
1042 }
1043 else
1044 {
1045 #ifndef TARGET_ANDROID
1046 if (rl->flags & RG_AUTO_LOCAL)
1047 {
1048 const int tla = rl->spec.remote_host_local;
1049 if (tla == TLA_NONLOCAL)
1050 {
1051 dmsg(D_ROUTE, "ROUTE remote_host is NOT LOCAL");
1052 local = false;
1053 }
1054 else if (tla == TLA_LOCAL)
1055 {
1056 dmsg(D_ROUTE, "ROUTE remote_host is LOCAL");
1057 local = true;
1058 }
1059 }
1060 if (!local)
1061 {
1062 /* route remote host to original default gateway */
1063 /* if remote_host is not ipv4 (ie: ipv6), just skip
1064 * adding this special /32 route */
1065 if ((rl->spec.flags & RTSA_REMOTE_HOST)
1066 && rl->spec.remote_host != IPV4_INVALID_ADDR)
1067 {
1068 ret = add_route3(rl->spec.remote_host, IPV4_NETMASK_HOST,
1069 rl->rgi.gateway.addr, tt, flags | ROUTE_REF_GW,
1070 &rl->rgi, es, ctx);
1071 if (ret)
1072 {
1073 rl->iflags |= RL_DID_LOCAL;
1074 }
1075 }
1076 else
1077 {
1078 dmsg(D_ROUTE, "ROUTE remote_host protocol differs from tunneled");
1079 }
1080 }
1081 #endif /* ifndef TARGET_ANDROID */
1082
1083 /* route DHCP/DNS server traffic through original default gateway */
1084 ret = add_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1085 &rl->rgi, es, ctx) && ret;
1086
1087 if (rl->flags & RG_REROUTE_GW)
1088 {
1089 if (rl->flags & RG_DEF1)
1090 {
1091 /* add new default route (1st component) */
1092 ret = add_route3(0x00000000, 0x80000000, rl->spec.remote_endpoint,
1093 tt, flags, &rl->rgi, es, ctx) && ret;
1094
1095 /* add new default route (2nd component) */
1096 ret = add_route3(0x80000000, 0x80000000, rl->spec.remote_endpoint,
1097 tt, flags, &rl->rgi, es, ctx) && ret;
1098 }
1099 else
1100 {
1101 /* don't try to remove the def route if it does not exist */
1102 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1103 {
1104 /* delete default route */
1105 del_route3(0, 0, rl->rgi.gateway.addr, tt,
1106 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1107 }
1108
1109 /* add new default route */
1110 ret = add_route3(0, 0, rl->spec.remote_endpoint, tt,
1111 flags, &rl->rgi, es, ctx) && ret;
1112 }
1113 }
1114
1115 /* set a flag so we can undo later */
1116 rl->iflags |= RL_DID_REDIRECT_DEFAULT_GATEWAY;
1117 }
1118 }
1119 return ret;
1120 }
1121
1122 static void
1123 undo_redirect_default_route_to_vpn(struct route_list *rl,
1124 const struct tuntap *tt, unsigned int flags,
1125 const struct env_set *es,
1126 openvpn_net_ctx_t *ctx)
1127 {
1128 if (rl && rl->iflags & RL_DID_REDIRECT_DEFAULT_GATEWAY)
1129 {
1130 /* delete remote host route */
1131 if (rl->iflags & RL_DID_LOCAL)
1132 {
1133 del_route3(rl->spec.remote_host,
1134 IPV4_NETMASK_HOST,
1135 rl->rgi.gateway.addr,
1136 tt,
1137 flags | ROUTE_REF_GW,
1138 &rl->rgi,
1139 es,
1140 ctx);
1141 rl->iflags &= ~RL_DID_LOCAL;
1142 }
1143
1144 /* delete special DHCP/DNS bypass route */
1145 del_bypass_routes(&rl->spec.bypass, rl->rgi.gateway.addr, tt, flags,
1146 &rl->rgi, es, ctx);
1147
1148 if (rl->flags & RG_REROUTE_GW)
1149 {
1150 if (rl->flags & RG_DEF1)
1151 {
1152 /* delete default route (1st component) */
1153 del_route3(0x00000000,
1154 0x80000000,
1155 rl->spec.remote_endpoint,
1156 tt,
1157 flags,
1158 &rl->rgi,
1159 es,
1160 ctx);
1161
1162 /* delete default route (2nd component) */
1163 del_route3(0x80000000,
1164 0x80000000,
1165 rl->spec.remote_endpoint,
1166 tt,
1167 flags,
1168 &rl->rgi,
1169 es,
1170 ctx);
1171 }
1172 else
1173 {
1174 /* delete default route */
1175 del_route3(0,
1176 0,
1177 rl->spec.remote_endpoint,
1178 tt,
1179 flags,
1180 &rl->rgi,
1181 es,
1182 ctx);
1183 /* restore original default route if there was any */
1184 if (rl->rgi.flags & RGI_ADDR_DEFINED)
1185 {
1186 add_route3(0, 0, rl->rgi.gateway.addr, tt,
1187 flags | ROUTE_REF_GW, &rl->rgi, es, ctx);
1188 }
1189 }
1190 }
1191
1192 rl->iflags &= ~RL_DID_REDIRECT_DEFAULT_GATEWAY;
1193 }
1194 }
1195
1196 bool
1197 add_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1198 const struct tuntap *tt, unsigned int flags,
1199 const struct env_set *es, openvpn_net_ctx_t *ctx)
1200 {
1201 bool ret = redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1202 if (rl && !(rl->iflags & RL_ROUTES_ADDED) )
1203 {
1204 struct route_ipv4 *r;
1205
1206 if (rl->routes && !tt->did_ifconfig_setup)
1207 {
1208 msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv4 "
1209 "route. However, no IPv4 has been configured for %s, "
1210 "therefore the route installation may fail or may not work "
1211 "as expected.", tt->actual_name);
1212 }
1213
1214 #ifdef ENABLE_MANAGEMENT
1215 if (management && rl->routes)
1216 {
1217 management_set_state(management,
1218 OPENVPN_STATE_ADD_ROUTES,
1219 NULL,
1220 NULL,
1221 NULL,
1222 NULL,
1223 NULL);
1224 }
1225 #endif
1226
1227 for (r = rl->routes; r; r = r->next)
1228 {
1229 if (flags & ROUTE_DELETE_FIRST)
1230 {
1231 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1232 }
1233 ret = add_route(r, tt, flags, &rl->rgi, es, ctx) && ret;
1234 }
1235 rl->iflags |= RL_ROUTES_ADDED;
1236 }
1237 if (rl6 && !(rl6->iflags & RL_ROUTES_ADDED) )
1238 {
1239 struct route_ipv6 *r;
1240
1241 if (!tt->did_ifconfig_ipv6_setup)
1242 {
1243 msg(M_INFO, "WARNING: OpenVPN was configured to add an IPv6 "
1244 "route. However, no IPv6 has been configured for %s, "
1245 "therefore the route installation may fail or may not work "
1246 "as expected.", tt->actual_name);
1247 }
1248
1249 for (r = rl6->routes_ipv6; r; r = r->next)
1250 {
1251 if (flags & ROUTE_DELETE_FIRST)
1252 {
1253 delete_route_ipv6(r, tt, es, ctx);
1254 }
1255 ret = add_route_ipv6(r, tt, flags, es, ctx) && ret;
1256 }
1257 rl6->iflags |= RL_ROUTES_ADDED;
1258 }
1259
1260 return ret;
1261 }
1262
1263 void
1264 delete_routes(struct route_list *rl, struct route_ipv6_list *rl6,
1265 const struct tuntap *tt, unsigned int flags,
1266 const struct env_set *es, openvpn_net_ctx_t *ctx)
1267 {
1268 if (rl && rl->iflags & RL_ROUTES_ADDED)
1269 {
1270 struct route_ipv4 *r;
1271 for (r = rl->routes; r; r = r->next)
1272 {
1273 delete_route(r, tt, flags, &rl->rgi, es, ctx);
1274 }
1275 rl->iflags &= ~RL_ROUTES_ADDED;
1276 }
1277
1278 undo_redirect_default_route_to_vpn(rl, tt, flags, es, ctx);
1279
1280 if (rl)
1281 {
1282 clear_route_list(rl);
1283 }
1284
1285 if (rl6 && (rl6->iflags & RL_ROUTES_ADDED) )
1286 {
1287 struct route_ipv6 *r6;
1288 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1289 {
1290 delete_route_ipv6(r6, tt, es, ctx);
1291 }
1292 rl6->iflags &= ~RL_ROUTES_ADDED;
1293 }
1294
1295 if (rl6)
1296 {
1297 clear_route_ipv6_list(rl6);
1298 }
1299 }
1300
1301 #ifndef ENABLE_SMALL
1302
1303 static const char *
1304 show_opt(const char *option)
1305 {
1306 if (!option)
1307 {
1308 return "default (not set)";
1309 }
1310 else
1311 {
1312 return option;
1313 }
1314 }
1315
1316 static void
1317 print_route_option(const struct route_option *ro, int level)
1318 {
1319 msg(level, " route %s/%s/%s/%s",
1320 show_opt(ro->network),
1321 show_opt(ro->netmask),
1322 show_opt(ro->gateway),
1323 show_opt(ro->metric));
1324 }
1325
1326 void
1327 print_route_options(const struct route_option_list *rol,
1328 int level)
1329 {
1330 struct route_option *ro;
1331 if (rol->flags & RG_ENABLE)
1332 {
1333 msg(level, " [redirect_default_gateway local=%d]",
1334 (rol->flags & RG_LOCAL) != 0);
1335 }
1336 for (ro = rol->routes; ro; ro = ro->next)
1337 {
1338 print_route_option(ro, level);
1339 }
1340 }
1341
1342 void
1343 print_default_gateway(const int msglevel,
1344 const struct route_gateway_info *rgi,
1345 const struct route_ipv6_gateway_info *rgi6)
1346 {
1347 struct gc_arena gc = gc_new();
1348 if (rgi && (rgi->flags & RGI_ADDR_DEFINED))
1349 {
1350 struct buffer out = alloc_buf_gc(256, &gc);
1351 buf_printf(&out, "ROUTE_GATEWAY");
1352 if (rgi->flags & RGI_ON_LINK)
1353 {
1354 buf_printf(&out, " ON_LINK");
1355 }
1356 else
1357 {
1358 buf_printf(&out, " %s", print_in_addr_t(rgi->gateway.addr, 0, &gc));
1359 }
1360 if (rgi->flags & RGI_NETMASK_DEFINED)
1361 {
1362 buf_printf(&out, "/%s", print_in_addr_t(rgi->gateway.netmask, 0, &gc));
1363 }
1364 #ifdef _WIN32
1365 if (rgi->flags & RGI_IFACE_DEFINED)
1366 {
1367 buf_printf(&out, " I=%lu", rgi->adapter_index);
1368 }
1369 #else
1370 if (rgi->flags & RGI_IFACE_DEFINED)
1371 {
1372 buf_printf(&out, " IFACE=%s", rgi->iface);
1373 }
1374 #endif
1375 if (rgi->flags & RGI_HWADDR_DEFINED)
1376 {
1377 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi->hwaddr, 6, 0, 1, ":", &gc));
1378 }
1379 msg(msglevel, "%s", BSTR(&out));
1380 }
1381
1382 if (rgi6 && (rgi6->flags & RGI_ADDR_DEFINED))
1383 {
1384 struct buffer out = alloc_buf_gc(256, &gc);
1385 buf_printf(&out, "ROUTE6_GATEWAY");
1386 buf_printf(&out, " %s", print_in6_addr(rgi6->gateway.addr_ipv6, 0, &gc));
1387 if (rgi6->flags & RGI_ON_LINK)
1388 {
1389 buf_printf(&out, " ON_LINK");
1390 }
1391 if (rgi6->flags & RGI_NETMASK_DEFINED)
1392 {
1393 buf_printf(&out, "/%d", rgi6->gateway.netbits_ipv6);
1394 }
1395 #ifdef _WIN32
1396 if (rgi6->flags & RGI_IFACE_DEFINED)
1397 {
1398 buf_printf(&out, " I=%lu", rgi6->adapter_index);
1399 }
1400 #else
1401 if (rgi6->flags & RGI_IFACE_DEFINED)
1402 {
1403 buf_printf(&out, " IFACE=%s", rgi6->iface);
1404 }
1405 #endif
1406 if (rgi6->flags & RGI_HWADDR_DEFINED)
1407 {
1408 buf_printf(&out, " HWADDR=%s", format_hex_ex(rgi6->hwaddr, 6, 0, 1, ":", &gc));
1409 }
1410 msg(msglevel, "%s", BSTR(&out));
1411 }
1412 gc_free(&gc);
1413 }
1414
1415 #endif /* ifndef ENABLE_SMALL */
1416
1417 static void
1418 print_route(const struct route_ipv4 *r, int level)
1419 {
1420 struct gc_arena gc = gc_new();
1421 if (r->flags & RT_DEFINED)
1422 {
1423 msg(level, "%s", route_string(r, &gc));
1424 }
1425 gc_free(&gc);
1426 }
1427
1428 void
1429 print_routes(const struct route_list *rl, int level)
1430 {
1431 struct route_ipv4 *r;
1432 for (r = rl->routes; r; r = r->next)
1433 {
1434 print_route(r, level);
1435 }
1436 }
1437
1438 static void
1439 setenv_route(struct env_set *es, const struct route_ipv4 *r, int i)
1440 {
1441 struct gc_arena gc = gc_new();
1442 if (r->flags & RT_DEFINED)
1443 {
1444 setenv_route_addr(es, "network", r->network, i);
1445 setenv_route_addr(es, "netmask", r->netmask, i);
1446 setenv_route_addr(es, "gateway", r->gateway, i);
1447
1448 if (r->flags & RT_METRIC_DEFINED)
1449 {
1450 struct buffer name = alloc_buf_gc(256, &gc);
1451 buf_printf(&name, "route_metric_%d", i);
1452 setenv_int(es, BSTR(&name), r->metric);
1453 }
1454 }
1455 gc_free(&gc);
1456 }
1457
1458 void
1459 setenv_routes(struct env_set *es, const struct route_list *rl)
1460 {
1461 int i = 1;
1462 struct route_ipv4 *r;
1463 for (r = rl->routes; r; r = r->next)
1464 {
1465 setenv_route(es, r, i++);
1466 }
1467 }
1468
1469 static void
1470 setenv_route_ipv6(struct env_set *es, const struct route_ipv6 *r6, int i)
1471 {
1472 struct gc_arena gc = gc_new();
1473 if (r6->flags & RT_DEFINED)
1474 {
1475 struct buffer name1 = alloc_buf_gc( 256, &gc );
1476 struct buffer val = alloc_buf_gc( 256, &gc );
1477 struct buffer name2 = alloc_buf_gc( 256, &gc );
1478
1479 buf_printf( &name1, "route_ipv6_network_%d", i );
1480 buf_printf( &val, "%s/%d", print_in6_addr( r6->network, 0, &gc ),
1481 r6->netbits );
1482 setenv_str( es, BSTR(&name1), BSTR(&val) );
1483
1484 buf_printf( &name2, "route_ipv6_gateway_%d", i );
1485 setenv_str( es, BSTR(&name2), print_in6_addr( r6->gateway, 0, &gc ));
1486
1487 if (r6->flags & RT_METRIC_DEFINED)
1488 {
1489 struct buffer name3 = alloc_buf_gc( 256, &gc );
1490 buf_printf( &name3, "route_ipv6_metric_%d", i);
1491 setenv_int( es, BSTR(&name3), r6->metric);
1492 }
1493 }
1494 gc_free(&gc);
1495 }
1496 void
1497 setenv_routes_ipv6(struct env_set *es, const struct route_ipv6_list *rl6)
1498 {
1499 int i = 1;
1500 struct route_ipv6 *r6;
1501 for (r6 = rl6->routes_ipv6; r6; r6 = r6->next)
1502 {
1503 setenv_route_ipv6(es, r6, i++);
1504 }
1505 }
1506
1507 /*
1508 * local_route() determines whether the gateway of a provided host
1509 * route is on the same interface that owns the default gateway.
1510 * It uses the data structure
1511 * returned by get_default_gateway() (struct route_gateway_info)
1512 * to determine this. If the route is local, LR_MATCH is returned.
1513 * When adding routes into the kernel, if LR_MATCH is defined for
1514 * a given route, the route should explicitly reference the default
1515 * gateway interface as the route destination. For example, here
1516 * is an example on Linux that uses LR_MATCH:
1517 *
1518 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1519 *
1520 * This capability is needed by the "default-gateway block-local"
1521 * directive, to allow client access to the local subnet to be
1522 * blocked but still allow access to the local default gateway.
1523 */
1524
1525 /* local_route() return values */
1526 #define LR_NOMATCH 0 /* route is not local */
1527 #define LR_MATCH 1 /* route is local */
1528 #define LR_ERROR 2 /* caller should abort adding route */
1529
1530 static int
1531 local_route(in_addr_t network,
1532 in_addr_t netmask,
1533 in_addr_t gateway,
1534 const struct route_gateway_info *rgi)
1535 {
1536 /* set LR_MATCH on local host routes */
1537 const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
1538 if (rgi
1539 && (rgi->flags & rgi_needed) == rgi_needed
1540 && gateway == rgi->gateway.addr
1541 && netmask == 0xFFFFFFFF)
1542 {
1543 if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0)
1544 {
1545 return LR_MATCH;
1546 }
1547 else
1548 {
1549 /* examine additional subnets on gateway interface */
1550 size_t i;
1551 for (i = 0; i < rgi->n_addrs; ++i)
1552 {
1553 const struct route_gateway_address *gwa = &rgi->addrs[i];
1554 if (((network ^ gwa->addr) & gwa->netmask) == 0)
1555 {
1556 return LR_MATCH;
1557 }
1558 }
1559 }
1560 }
1561 return LR_NOMATCH;
1562 }
1563
1564 /* Return true if the "on-link" form of the route should be used. This is when the gateway for
1565 * a route is specified as an interface rather than an address. */
1566 #if defined(TARGET_LINUX) || defined(_WIN32) || defined(TARGET_DARWIN)
1567 static inline bool
1568 is_on_link(const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
1569 {
1570 return rgi && (is_local_route == LR_MATCH || ((flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK)));
1571 }
1572 #endif
1573
1574 bool
1575 add_route(struct route_ipv4 *r,
1576 const struct tuntap *tt,
1577 unsigned int flags,
1578 const struct route_gateway_info *rgi, /* may be NULL */
1579 const struct env_set *es,
1580 openvpn_net_ctx_t *ctx)
1581 {
1582 int status = 0;
1583 int is_local_route;
1584
1585 if (!(r->flags & RT_DEFINED))
1586 {
1587 return true; /* no error */
1588 }
1589
1590 struct argv argv = argv_new();
1591 struct gc_arena gc = gc_new();
1592
1593 #if !defined(TARGET_LINUX)
1594 const char *network = print_in_addr_t(r->network, 0, &gc);
1595 #if !defined(TARGET_AIX)
1596 const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
1597 #endif
1598 const char *gateway = print_in_addr_t(r->gateway, 0, &gc);
1599 #endif
1600
1601 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
1602 if (is_local_route == LR_ERROR)
1603 {
1604 goto done;
1605 }
1606
1607 #if defined(TARGET_LINUX)
1608 const char *iface = NULL;
1609 int metric = -1;
1610
1611 if (is_on_link(is_local_route, flags, rgi))
1612 {
1613 iface = rgi->iface;
1614 }
1615
1616 if (r->flags & RT_METRIC_DEFINED)
1617 {
1618 metric = r->metric;
1619 }
1620
1621
1622 status = RTA_SUCCESS;
1623 int ret = net_route_v4_add(ctx, &r->network, netmask_to_netbits2(r->netmask),
1624 &r->gateway, iface, r->table_id, metric);
1625 if (ret == -EEXIST)
1626 {
1627 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
1628 status = RTA_EEXIST;
1629 }
1630 else if (ret < 0)
1631 {
1632 msg(M_WARN, "ERROR: Linux route add command failed");
1633 status = RTA_ERROR;
1634 }
1635
1636 #elif defined (TARGET_ANDROID)
1637 char out[128];
1638
1639 if (rgi)
1640 {
1641 snprintf(out, sizeof(out), "%s %s %s dev %s", network, netmask, gateway, rgi->iface);
1642 }
1643 else
1644 {
1645 snprintf(out, sizeof(out), "%s %s %s", network, netmask, gateway);
1646 }
1647 bool ret = management_android_control(management, "ROUTE", out);
1648 status = ret ? RTA_SUCCESS : RTA_ERROR;
1649
1650 #elif defined (_WIN32)
1651 {
1652 DWORD ai = TUN_ADAPTER_INDEX_INVALID;
1653 argv_printf(&argv, "%s%s ADD %s MASK %s %s",
1654 get_win_sys_path(),
1655 WIN_ROUTE_PATH_SUFFIX,
1656 network,
1657 netmask,
1658 gateway);
1659 if (r->flags & RT_METRIC_DEFINED)
1660 {
1661 argv_printf_cat(&argv, "METRIC %d", r->metric);
1662 }
1663 if (is_on_link(is_local_route, flags, rgi))
1664 {
1665 ai = rgi->adapter_index;
1666 argv_printf_cat(&argv, "IF %lu", ai);
1667 }
1668
1669 argv_msg(D_ROUTE, &argv);
1670
1671 const char *method = "service";
1672 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
1673 {
1674 status = add_route_service(r, tt);
1675 }
1676 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
1677 {
1678 status = add_route_ipapi(r, tt, ai);
1679 method = "ipapi";
1680 }
1681 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
1682 {
1683 netcmd_semaphore_lock();
1684 bool ret = openvpn_execve_check(&argv, es, 0,
1685 "ERROR: Windows route add command failed");
1686 status = ret ? RTA_SUCCESS : RTA_ERROR;
1687 netcmd_semaphore_release();
1688 method = "route.exe";
1689 }
1690 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
1691 {
1692 status = add_route_ipapi(r, tt, ai);
1693 method = "ipapi [adaptive]";
1694 if (status == RTA_ERROR)
1695 {
1696 msg(D_ROUTE, "Route addition fallback to route.exe");
1697 netcmd_semaphore_lock();
1698 bool ret = openvpn_execve_check(&argv, es, 0,
1699 "ERROR: Windows route add command failed [adaptive]");
1700 status = ret ? RTA_SUCCESS : RTA_ERROR;
1701 netcmd_semaphore_release();
1702 method = "route.exe";
1703 }
1704 }
1705 else
1706 {
1707 ASSERT(0);
1708 }
1709 if (status != RTA_ERROR) /* error is logged upstream */
1710 {
1711 msg(D_ROUTE, "Route addition via %s %s", method,
1712 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
1713 }
1714 }
1715
1716 #elif defined (TARGET_SOLARIS)
1717
1718 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1719
1720 argv_printf(&argv, "%s add",
1721 ROUTE_PATH);
1722
1723 argv_printf_cat(&argv, "%s -netmask %s %s",
1724 network,
1725 netmask,
1726 gateway);
1727
1728 /* Solaris can only distinguish between "metric 0" == "on-link on the
1729 * interface where the IP address given is configured" and "metric > 0"
1730 * == "use gateway specified" (no finer-grained route metrics available)
1731 *
1732 * More recent versions of Solaris can also do "-interface", but that
1733 * would break backwards compatibility with older versions for no gain.
1734 */
1735 if (r->flags & RT_METRIC_DEFINED)
1736 {
1737 argv_printf_cat(&argv, "%d", r->metric);
1738 }
1739
1740 argv_msg(D_ROUTE, &argv);
1741 bool ret = openvpn_execve_check(&argv, es, 0,
1742 "ERROR: Solaris route add command failed");
1743 status = ret ? RTA_SUCCESS : RTA_ERROR;
1744
1745 #elif defined(TARGET_FREEBSD)
1746
1747 argv_printf(&argv, "%s add",
1748 ROUTE_PATH);
1749
1750 #if 0
1751 if (r->flags & RT_METRIC_DEFINED)
1752 {
1753 argv_printf_cat(&argv, "-rtt %d", r->metric);
1754 }
1755 #endif
1756
1757 argv_printf_cat(&argv, "-net %s %s %s",
1758 network,
1759 gateway,
1760 netmask);
1761
1762 /* FIXME -- add on-link support for FreeBSD */
1763
1764 argv_msg(D_ROUTE, &argv);
1765 bool ret = openvpn_execve_check(&argv, es, 0,
1766 "ERROR: FreeBSD route add command failed");
1767 status = ret ? RTA_SUCCESS : RTA_ERROR;
1768
1769 #elif defined(TARGET_DRAGONFLY)
1770
1771 argv_printf(&argv, "%s add",
1772 ROUTE_PATH);
1773
1774 #if 0
1775 if (r->flags & RT_METRIC_DEFINED)
1776 {
1777 argv_printf_cat(&argv, "-rtt %d", r->metric);
1778 }
1779 #endif
1780
1781 argv_printf_cat(&argv, "-net %s %s %s",
1782 network,
1783 gateway,
1784 netmask);
1785
1786 /* FIXME -- add on-link support for Dragonfly */
1787
1788 argv_msg(D_ROUTE, &argv);
1789 bool ret = openvpn_execve_check(&argv, es, 0,
1790 "ERROR: DragonFly route add command failed");
1791 status = ret ? RTA_SUCCESS : RTA_ERROR;
1792
1793 #elif defined(TARGET_DARWIN)
1794
1795 argv_printf(&argv, "%s add",
1796 ROUTE_PATH);
1797
1798 #if 0
1799 if (r->flags & RT_METRIC_DEFINED)
1800 {
1801 argv_printf_cat(&argv, "-rtt %d", r->metric);
1802 }
1803 #endif
1804
1805 if (is_on_link(is_local_route, flags, rgi))
1806 {
1807 /* Mac OS X route syntax for ON_LINK:
1808 * route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1809 argv_printf_cat(&argv, "-cloning -net %s -netmask %s -interface %s",
1810 network,
1811 netmask,
1812 rgi->iface);
1813 }
1814 else
1815 {
1816 argv_printf_cat(&argv, "-net %s %s %s",
1817 network,
1818 gateway,
1819 netmask);
1820 }
1821
1822 argv_msg(D_ROUTE, &argv);
1823 bool ret = openvpn_execve_check(&argv, es, 0,
1824 "ERROR: OS X route add command failed");
1825 status = ret ? RTA_SUCCESS : RTA_ERROR;
1826
1827 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1828
1829 argv_printf(&argv, "%s add",
1830 ROUTE_PATH);
1831
1832 #if 0
1833 if (r->flags & RT_METRIC_DEFINED)
1834 {
1835 argv_printf_cat(&argv, "-rtt %d", r->metric);
1836 }
1837 #endif
1838
1839 argv_printf_cat(&argv, "-net %s %s -netmask %s",
1840 network,
1841 gateway,
1842 netmask);
1843
1844 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1845
1846 argv_msg(D_ROUTE, &argv);
1847 bool ret = openvpn_execve_check(&argv, es, 0,
1848 "ERROR: OpenBSD/NetBSD route add command failed");
1849 status = ret ? RTA_SUCCESS : RTA_ERROR;
1850
1851 #elif defined(TARGET_AIX)
1852
1853 {
1854 int netbits = netmask_to_netbits2(r->netmask);
1855 argv_printf(&argv, "%s add -net %s/%d %s",
1856 ROUTE_PATH,
1857 network, netbits, gateway);
1858 argv_msg(D_ROUTE, &argv);
1859 bool ret = openvpn_execve_check(&argv, es, 0,
1860 "ERROR: AIX route add command failed");
1861 status = ret ? RTA_SUCCESS : RTA_ERROR;
1862 }
1863
1864 #elif defined(TARGET_HAIKU)
1865
1866 /* ex: route add /dev/net/ipro1000/0 0.0.0.0 gw 192.168.1.1 netmask 128.0.0.0 */
1867 argv_printf(&argv, "%s add %s inet %s gw %s netmask %s",
1868 ROUTE_PATH,
1869 rgi->iface,
1870 network,
1871 gateway,
1872 netmask);
1873 argv_msg(D_ROUTE, &argv);
1874 bool ret = openvpn_execve_check(&argv, es, 0,
1875 "ERROR: Haiku inet route add command failed");
1876 status = ret ? RTA_SUCCESS : RTA_ERROR;
1877
1878 #else /* if defined(TARGET_LINUX) */
1879 msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1880 #endif /* if defined(TARGET_LINUX) */
1881
1882 done:
1883 if (status == RTA_SUCCESS)
1884 {
1885 r->flags |= RT_ADDED;
1886 }
1887 else
1888 {
1889 r->flags &= ~RT_ADDED;
1890 }
1891 argv_free(&argv);
1892 gc_free(&gc);
1893 /* release resources potentially allocated during route setup */
1894 net_ctx_reset(ctx);
1895
1896 return (status != RTA_ERROR);
1897 }
1898
1899
1900 void
1901 route_ipv6_clear_host_bits( struct route_ipv6 *r6 )
1902 {
1903 /* clear host bit parts of route
1904 * (needed if routes are specified improperly, or if we need to
1905 * explicitly setup/clear the "connected" network routes on some OSes)
1906 */
1907 int byte = 15;
1908 int bits_to_clear = 128 - r6->netbits;
1909
1910 while (byte >= 0 && bits_to_clear > 0)
1911 {
1912 if (bits_to_clear >= 8)
1913 {
1914 r6->network.s6_addr[byte--] = 0; bits_to_clear -= 8;
1915 }
1916 else
1917 {
1918 r6->network.s6_addr[byte--] &= (0xff << bits_to_clear); bits_to_clear = 0;
1919 }
1920 }
1921 }
1922
1923 bool
1924 add_route_ipv6(struct route_ipv6 *r6, const struct tuntap *tt,
1925 unsigned int flags, const struct env_set *es,
1926 openvpn_net_ctx_t *ctx)
1927 {
1928 int status = 0;
1929 bool gateway_needed = false;
1930
1931 if (!(r6->flags & RT_DEFINED) )
1932 {
1933 return true; /* no error */
1934 }
1935
1936 struct argv argv = argv_new();
1937 struct gc_arena gc = gc_new();
1938
1939 #ifndef _WIN32
1940 const char *device = tt->actual_name;
1941 if (r6->iface != NULL) /* vpn server special route */
1942 {
1943 device = r6->iface;
1944 if (!IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) )
1945 {
1946 gateway_needed = true;
1947 }
1948 }
1949 #endif
1950
1951 route_ipv6_clear_host_bits(r6);
1952 const char *network = print_in6_addr( r6->network, 0, &gc);
1953 const char *gateway = print_in6_addr( r6->gateway, 0, &gc);
1954
1955 #if defined(TARGET_DARWIN) \
1956 || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
1957 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1958
1959 /* the BSD platforms cannot specify gateway and interface independently,
1960 * but for link-local destinations, we MUST specify the interface, so
1961 * we build a combined "$gateway%$interface" gateway string
1962 */
1963 if (r6->iface != NULL && gateway_needed
1964 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
1965 {
1966 int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
1967 char *tmp = gc_malloc( len, true, &gc );
1968 snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
1969 gateway = tmp;
1970 }
1971 #endif
1972
1973 #ifndef _WIN32
1974 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1975 network, r6->netbits, gateway, r6->metric, device );
1976 #else
1977 msg(D_ROUTE, "add_route_ipv6(%s/%d -> %s metric %d) IF %lu",
1978 network, r6->netbits, gateway, r6->metric,
1979 r6->adapter_index ? r6->adapter_index : tt->adapter_index);
1980 #endif
1981
1982 /*
1983 * Filter out routes which are essentially no-ops
1984 * (not currently done for IPv6)
1985 */
1986
1987 /* On "tun" interface, we never set a gateway if the operating system
1988 * can do "route to interface" - it does not add value, as the target
1989 * dev already fully qualifies the route destination on point-to-point
1990 * interfaces. OTOH, on "tap" interface, we must always set the
1991 * gateway unless the route is to be an on-link network
1992 */
1993 if (tt->type == DEV_TYPE_TAP
1994 && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
1995 {
1996 gateway_needed = true;
1997 }
1998
1999 if (gateway_needed && IN6_IS_ADDR_UNSPECIFIED(&r6->gateway))
2000 {
2001 msg(M_WARN, "ROUTE6 WARNING: " PACKAGE_NAME " needs a gateway "
2002 "parameter for a --route-ipv6 option and no default was set via "
2003 "--ifconfig-ipv6 or --route-ipv6-gateway option. Not installing "
2004 "IPv6 route to %s/%d.", network, r6->netbits);
2005 status = 0;
2006 goto done;
2007 }
2008
2009 #if defined(TARGET_LINUX)
2010 int metric = -1;
2011 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2012 {
2013 metric = r6->metric;
2014 }
2015
2016 status = RTA_SUCCESS;
2017 int ret = net_route_v6_add(ctx, &r6->network, r6->netbits,
2018 gateway_needed ? &r6->gateway : NULL,
2019 device, r6->table_id, metric);
2020 if (ret == -EEXIST)
2021 {
2022 msg(D_ROUTE, "NOTE: Linux route add command failed because route exists");
2023 status = RTA_EEXIST;
2024 }
2025 else if (ret < 0)
2026 {
2027 msg(M_WARN, "ERROR: Linux route add command failed");
2028 status = RTA_ERROR;
2029 }
2030
2031 #elif defined (TARGET_ANDROID)
2032 char out[64];
2033
2034 snprintf(out, sizeof(out), "%s/%d %s", network, r6->netbits, device);
2035
2036 status = management_android_control(management, "ROUTE6", out);
2037
2038 #elif defined (_WIN32)
2039
2040 if (tt->options.msg_channel)
2041 {
2042 status = add_route_ipv6_service(r6, tt);
2043 }
2044 else
2045 {
2046 status = route_ipv6_ipapi(true, r6, tt);
2047 }
2048 #elif defined (TARGET_SOLARIS)
2049
2050 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
2051
2052 /* for some reason, routes to tun/tap do not work for me unless I set
2053 * "metric 0" - otherwise, the routes will be nicely installed, but
2054 * packets will just disappear somewhere. So we always use "0" now,
2055 * unless the route points to "gateway on other interface"...
2056 *
2057 * (Note: OpenSolaris can not specify host%interface gateways, so we just
2058 * use the GW addresses - it seems to still work for fe80:: addresses,
2059 * however this is done internally. NUD maybe?)
2060 */
2061 argv_printf(&argv, "%s add -inet6 %s/%d %s",
2062 ROUTE_PATH,
2063 network,
2064 r6->netbits,
2065 gateway );
2066
2067 /* on tun (not tap), not "elsewhere"? -> metric 0 */
2068 if (tt->type == DEV_TYPE_TUN && !r6->iface)
2069 {
2070 argv_printf_cat(&argv, "0");
2071 }
2072
2073 argv_msg(D_ROUTE, &argv);
2074 bool ret = openvpn_execve_check(&argv, es, 0,
2075 "ERROR: Solaris route add -inet6 command failed");
2076 status = ret ? RTA_SUCCESS : RTA_ERROR;
2077
2078 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2079
2080 argv_printf(&argv, "%s add -inet6 %s/%d",
2081 ROUTE_PATH,
2082 network,
2083 r6->netbits);
2084
2085 if (gateway_needed)
2086 {
2087 argv_printf_cat(&argv, "%s", gateway);
2088 }
2089 else
2090 {
2091 argv_printf_cat(&argv, "-iface %s", device);
2092 }
2093
2094 argv_msg(D_ROUTE, &argv);
2095 bool ret = openvpn_execve_check(&argv, es, 0,
2096 "ERROR: *BSD route add -inet6 command failed");
2097 status = ret ? RTA_SUCCESS : RTA_ERROR;
2098
2099 #elif defined(TARGET_DARWIN)
2100
2101 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d",
2102 ROUTE_PATH,
2103 network, r6->netbits );
2104
2105 if (gateway_needed)
2106 {
2107 argv_printf_cat(&argv, "%s", gateway);
2108 }
2109 else
2110 {
2111 argv_printf_cat(&argv, "-iface %s", device);
2112 }
2113
2114 argv_msg(D_ROUTE, &argv);
2115 bool ret = openvpn_execve_check(&argv, es, 0,
2116 "ERROR: MacOS X route add -inet6 command failed");
2117 status = ret ? RTA_SUCCESS : RTA_ERROR;
2118
2119 #elif defined(TARGET_OPENBSD)
2120
2121 argv_printf(&argv, "%s add -inet6 %s -prefixlen %d %s",
2122 ROUTE_PATH,
2123 network, r6->netbits, gateway );
2124
2125 argv_msg(D_ROUTE, &argv);
2126 bool ret = openvpn_execve_check(&argv, es, 0,
2127 "ERROR: OpenBSD route add -inet6 command failed");
2128 status = ret ? RTA_SUCCESS : RTA_ERROR;
2129
2130 #elif defined(TARGET_NETBSD)
2131
2132 argv_printf(&argv, "%s add -inet6 %s/%d %s",
2133 ROUTE_PATH,
2134 network, r6->netbits, gateway );
2135
2136 argv_msg(D_ROUTE, &argv);
2137 bool ret = openvpn_execve_check(&argv, es, 0,
2138 "ERROR: NetBSD route add -inet6 command failed");
2139 status = ret ? RTA_SUCCESS : RTA_ERROR;
2140
2141 #elif defined(TARGET_AIX)
2142
2143 argv_printf(&argv, "%s add -inet6 %s/%d %s",
2144 ROUTE_PATH,
2145 network, r6->netbits, gateway);
2146 argv_msg(D_ROUTE, &argv);
2147 bool ret = openvpn_execve_check(&argv, es, 0,
2148 "ERROR: AIX route add command failed");
2149 status = ret ? RTA_SUCCESS : RTA_ERROR;
2150
2151 #elif defined(TARGET_HAIKU)
2152
2153 /* ex: route add /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2154 argv_printf(&argv, "%s add %s inet6 %s gw %s prefixlen %d",
2155 ROUTE_PATH,
2156 r6->iface,
2157 network,
2158 gateway,
2159 r6->netbits);
2160 argv_msg(D_ROUTE, &argv);
2161 bool ret = openvpn_execve_check(&argv, es, 0,
2162 "ERROR: Haiku inet6 route add command failed");
2163 status = ret ? RTA_SUCCESS : RTA_ERROR;
2164
2165 #else /* if defined(TARGET_LINUX) */
2166 msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
2167 #endif /* if defined(TARGET_LINUX) */
2168
2169 done:
2170 if (status == RTA_SUCCESS)
2171 {
2172 r6->flags |= RT_ADDED;
2173 }
2174 else
2175 {
2176 r6->flags &= ~RT_ADDED;
2177 }
2178 argv_free(&argv);
2179 gc_free(&gc);
2180 /* release resources potentially allocated during route setup */
2181 net_ctx_reset(ctx);
2182
2183 return (status != RTA_ERROR);
2184 }
2185
2186 static void
2187 delete_route(struct route_ipv4 *r,
2188 const struct tuntap *tt,
2189 unsigned int flags,
2190 const struct route_gateway_info *rgi,
2191 const struct env_set *es,
2192 openvpn_net_ctx_t *ctx)
2193 {
2194 #if !defined(TARGET_LINUX)
2195 const char *network;
2196 #if !defined(TARGET_AIX)
2197 const char *netmask;
2198 #endif
2199 #if !defined(TARGET_ANDROID)
2200 const char *gateway;
2201 #endif
2202 #else /* if !defined(TARGET_LINUX) */
2203 int metric;
2204 #endif
2205 int is_local_route;
2206
2207 if ((r->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2208 {
2209 return;
2210 }
2211
2212 struct gc_arena gc = gc_new();
2213 struct argv argv = argv_new();
2214
2215 #if !defined(TARGET_LINUX)
2216 network = print_in_addr_t(r->network, 0, &gc);
2217 #if !defined(TARGET_AIX)
2218 netmask = print_in_addr_t(r->netmask, 0, &gc);
2219 #endif
2220 #if !defined(TARGET_ANDROID)
2221 gateway = print_in_addr_t(r->gateway, 0, &gc);
2222 #endif
2223 #endif
2224
2225 is_local_route = local_route(r->network, r->netmask, r->gateway, rgi);
2226 if (is_local_route == LR_ERROR)
2227 {
2228 goto done;
2229 }
2230
2231 #if defined(TARGET_LINUX)
2232 metric = -1;
2233 if (r->flags & RT_METRIC_DEFINED)
2234 {
2235 metric = r->metric;
2236 }
2237
2238 if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask),
2239 &r->gateway, NULL, r->table_id, metric) < 0)
2240 {
2241 msg(M_WARN, "ERROR: Linux route delete command failed");
2242 }
2243 #elif defined (_WIN32)
2244
2245 argv_printf(&argv, "%s%s DELETE %s MASK %s %s",
2246 get_win_sys_path(),
2247 WIN_ROUTE_PATH_SUFFIX,
2248 network,
2249 netmask,
2250 gateway);
2251
2252 argv_msg(D_ROUTE, &argv);
2253
2254 if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_SERVICE)
2255 {
2256 const bool status = del_route_service(r, tt);
2257 msg(D_ROUTE, "Route deletion via service %s", status ? "succeeded" : "failed");
2258 }
2259 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_IPAPI)
2260 {
2261 const bool status = del_route_ipapi(r, tt);
2262 msg(D_ROUTE, "Route deletion via IPAPI %s", status ? "succeeded" : "failed");
2263 }
2264 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_EXE)
2265 {
2266 netcmd_semaphore_lock();
2267 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed");
2268 netcmd_semaphore_release();
2269 }
2270 else if ((flags & ROUTE_METHOD_MASK) == ROUTE_METHOD_ADAPTIVE)
2271 {
2272 const bool status = del_route_ipapi(r, tt);
2273 msg(D_ROUTE, "Route deletion via IPAPI %s [adaptive]", status ? "succeeded" : "failed");
2274 if (!status)
2275 {
2276 msg(D_ROUTE, "Route deletion fallback to route.exe");
2277 netcmd_semaphore_lock();
2278 openvpn_execve_check(&argv, es, 0, "ERROR: Windows route delete command failed [adaptive]");
2279 netcmd_semaphore_release();
2280 }
2281 }
2282 else
2283 {
2284 ASSERT(0);
2285 }
2286
2287 #elif defined (TARGET_SOLARIS)
2288
2289 argv_printf(&argv, "%s delete %s -netmask %s %s",
2290 ROUTE_PATH,
2291 network,
2292 netmask,
2293 gateway);
2294
2295 argv_msg(D_ROUTE, &argv);
2296 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete command failed");
2297
2298 #elif defined(TARGET_FREEBSD)
2299
2300 argv_printf(&argv, "%s delete -net %s %s %s",
2301 ROUTE_PATH,
2302 network,
2303 gateway,
2304 netmask);
2305
2306 argv_msg(D_ROUTE, &argv);
2307 openvpn_execve_check(&argv, es, 0, "ERROR: FreeBSD route delete command failed");
2308
2309 #elif defined(TARGET_DRAGONFLY)
2310
2311 argv_printf(&argv, "%s delete -net %s %s %s",
2312 ROUTE_PATH,
2313 network,
2314 gateway,
2315 netmask);
2316
2317 argv_msg(D_ROUTE, &argv);
2318 openvpn_execve_check(&argv, es, 0, "ERROR: DragonFly route delete command failed");
2319
2320 #elif defined(TARGET_DARWIN)
2321
2322 if (is_on_link(is_local_route, flags, rgi))
2323 {
2324 argv_printf(&argv, "%s delete -cloning -net %s -netmask %s -interface %s",
2325 ROUTE_PATH,
2326 network,
2327 netmask,
2328 rgi->iface);
2329 }
2330 else
2331 {
2332 argv_printf(&argv, "%s delete -net %s %s %s",
2333 ROUTE_PATH,
2334 network,
2335 gateway,
2336 netmask);
2337 }
2338
2339 argv_msg(D_ROUTE, &argv);
2340 openvpn_execve_check(&argv, es, 0, "ERROR: OS X route delete command failed");
2341
2342 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2343
2344 argv_printf(&argv, "%s delete -net %s %s -netmask %s",
2345 ROUTE_PATH,
2346 network,
2347 gateway,
2348 netmask);
2349
2350 argv_msg(D_ROUTE, &argv);
2351 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
2352
2353 #elif defined(TARGET_ANDROID)
2354 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2355 "needed. The VpnService API allows routes to be set "
2356 "on connect only and will clean up automatically.");
2357 #elif defined(TARGET_AIX)
2358
2359 {
2360 int netbits = netmask_to_netbits2(r->netmask);
2361 argv_printf(&argv, "%s delete -net %s/%d %s",
2362 ROUTE_PATH,
2363 network, netbits, gateway);
2364 argv_msg(D_ROUTE, &argv);
2365 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route delete command failed");
2366 }
2367
2368 #elif defined(TARGET_HAIKU)
2369
2370 /* ex: route delete /dev/net/ipro1000/0 inet 192.168.0.0 gw 192.168.1.1 netmask 255.255.0.0 */
2371 argv_printf(&argv, "%s delete %s inet %s gw %s netmask %s",
2372 ROUTE_PATH,
2373 rgi->iface,
2374 network,
2375 gateway,
2376 netmask);
2377 argv_msg(D_ROUTE, &argv);
2378 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet route delete command failed");
2379
2380 #else /* if defined(TARGET_LINUX) */
2381 msg(M_FATAL, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
2382 #endif /* if defined(TARGET_LINUX) */
2383
2384 done:
2385 r->flags &= ~RT_ADDED;
2386 argv_free(&argv);
2387 gc_free(&gc);
2388 /* release resources potentially allocated during route cleanup */
2389 net_ctx_reset(ctx);
2390 }
2391
2392 void
2393 delete_route_ipv6(const struct route_ipv6 *r6, const struct tuntap *tt,
2394 const struct env_set *es,
2395 openvpn_net_ctx_t *ctx)
2396 {
2397 const char *network;
2398
2399 if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED))
2400 {
2401 return;
2402 }
2403
2404 #if !defined(_WIN32)
2405 #if !defined(TARGET_LINUX)
2406 const char *gateway;
2407 #endif
2408 #if !defined(TARGET_SOLARIS)
2409 bool gateway_needed = false;
2410 const char *device = tt->actual_name;
2411 if (r6->iface != NULL) /* vpn server special route */
2412 {
2413 device = r6->iface;
2414 gateway_needed = true;
2415 }
2416
2417 /* if we used a gateway on "add route", we also need to specify it on
2418 * delete, otherwise some OSes will refuse to delete the route
2419 */
2420 if (tt->type == DEV_TYPE_TAP
2421 && !( (r6->flags & RT_METRIC_DEFINED) && r6->metric == 0 ) )
2422 {
2423 gateway_needed = true;
2424 }
2425 #endif
2426 #endif
2427
2428 struct gc_arena gc = gc_new();
2429 struct argv argv = argv_new();
2430
2431 network = print_in6_addr( r6->network, 0, &gc);
2432 #if !defined(TARGET_LINUX) && !defined(_WIN32)
2433 gateway = print_in6_addr( r6->gateway, 0, &gc);
2434 #endif
2435
2436 #if defined(TARGET_DARWIN) \
2437 || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
2438 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2439
2440 /* the BSD platforms cannot specify gateway and interface independently,
2441 * but for link-local destinations, we MUST specify the interface, so
2442 * we build a combined "$gateway%$interface" gateway string
2443 */
2444 if (r6->iface != NULL && gateway_needed
2445 && IN6_IS_ADDR_LINKLOCAL(&r6->gateway) ) /* fe80::...%intf */
2446 {
2447 int len = strlen(gateway) + 1 + strlen(r6->iface)+1;
2448 char *tmp = gc_malloc( len, true, &gc );
2449 snprintf( tmp, len, "%s%%%s", gateway, r6->iface );
2450 gateway = tmp;
2451 }
2452 #endif
2453
2454 msg(D_ROUTE, "delete_route_ipv6(%s/%d)", network, r6->netbits );
2455
2456 #if defined(TARGET_LINUX)
2457 int metric = -1;
2458 if ((r6->flags & RT_METRIC_DEFINED) && (r6->metric > 0))
2459 {
2460 metric = r6->metric;
2461 }
2462
2463 if (net_route_v6_del(ctx, &r6->network, r6->netbits,
2464 gateway_needed ? &r6->gateway : NULL, device, r6->table_id,
2465 metric) < 0)
2466 {
2467 msg(M_WARN, "ERROR: Linux route v6 delete command failed");
2468 }
2469
2470 #elif defined (_WIN32)
2471
2472 if (tt->options.msg_channel)
2473 {
2474 del_route_ipv6_service(r6, tt);
2475 }
2476 else
2477 {
2478 route_ipv6_ipapi(false, r6, tt);
2479 }
2480 #elif defined (TARGET_SOLARIS)
2481
2482 /* example: route delete -inet6 2001:db8::/32 somegateway */
2483
2484 argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2485 ROUTE_PATH,
2486 network,
2487 r6->netbits,
2488 gateway );
2489
2490 argv_msg(D_ROUTE, &argv);
2491 openvpn_execve_check(&argv, es, 0, "ERROR: Solaris route delete -inet6 command failed");
2492
2493 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2494
2495 argv_printf(&argv, "%s delete -inet6 %s/%d",
2496 ROUTE_PATH,
2497 network,
2498 r6->netbits );
2499
2500 if (gateway_needed)
2501 {
2502 argv_printf_cat(&argv, "%s", gateway);
2503 }
2504 else
2505 {
2506 argv_printf_cat(&argv, "-iface %s", device);
2507 }
2508
2509 argv_msg(D_ROUTE, &argv);
2510 openvpn_execve_check(&argv, es, 0, "ERROR: *BSD route delete -inet6 command failed");
2511
2512 #elif defined(TARGET_DARWIN)
2513
2514 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d",
2515 ROUTE_PATH,
2516 network, r6->netbits );
2517
2518 if (gateway_needed)
2519 {
2520 argv_printf_cat(&argv, "%s", gateway);
2521 }
2522 else
2523 {
2524 argv_printf_cat(&argv, "-iface %s", device);
2525 }
2526
2527 argv_msg(D_ROUTE, &argv);
2528 openvpn_execve_check(&argv, es, 0, "ERROR: MacOS X route delete -inet6 command failed");
2529
2530 #elif defined(TARGET_OPENBSD)
2531
2532 argv_printf(&argv, "%s delete -inet6 %s -prefixlen %d %s",
2533 ROUTE_PATH,
2534 network, r6->netbits, gateway );
2535
2536 argv_msg(D_ROUTE, &argv);
2537 openvpn_execve_check(&argv, es, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2538
2539 #elif defined(TARGET_NETBSD)
2540
2541 argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2542 ROUTE_PATH,
2543 network, r6->netbits, gateway );
2544
2545 argv_msg(D_ROUTE, &argv);
2546 openvpn_execve_check(&argv, es, 0, "ERROR: NetBSD route delete -inet6 command failed");
2547
2548 #elif defined(TARGET_AIX)
2549
2550 argv_printf(&argv, "%s delete -inet6 %s/%d %s",
2551 ROUTE_PATH,
2552 network, r6->netbits, gateway);
2553 argv_msg(D_ROUTE, &argv);
2554 openvpn_execve_check(&argv, es, 0, "ERROR: AIX route add command failed");
2555
2556 #elif defined(TARGET_ANDROID)
2557 msg(D_ROUTE_DEBUG, "Deleting routes on Android is not possible/not "
2558 "needed. The VpnService API allows routes to be set "
2559 "on connect only and will clean up automatically.");
2560 #elif defined(TARGET_HAIKU)
2561
2562 /* ex: route delete /dev/net/ipro1000/0 inet6 :: gw beef::cafe prefixlen 64 */
2563 argv_printf(&argv, "%s delete %s inet6 %s gw %s prefixlen %d",
2564 ROUTE_PATH,
2565 r6->iface,
2566 network,
2567 gateway,
2568 r6->netbits);
2569 argv_msg(D_ROUTE, &argv);
2570 openvpn_execve_check(&argv, es, 0, "ERROR: Haiku inet6 route delete command failed");
2571
2572 #else /* if defined(TARGET_LINUX) */
2573 msg(M_FATAL, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2574 #endif /* if defined(TARGET_LINUX) */
2575
2576 argv_free(&argv);
2577 gc_free(&gc);
2578 /* release resources potentially allocated during route cleanup */
2579 net_ctx_reset(ctx);
2580 }
2581
2582 /*
2583 * The --redirect-gateway option requires OS-specific code below
2584 * to get the current default gateway.
2585 */
2586
2587 #if defined(_WIN32)
2588
2589 static const MIB_IPFORWARDTABLE *
2590 get_windows_routing_table(struct gc_arena *gc)
2591 {
2592 ULONG size = 0;
2593 PMIB_IPFORWARDTABLE rt = NULL;
2594 DWORD status;
2595
2596 status = GetIpForwardTable(NULL, &size, TRUE);
2597 if (status == ERROR_INSUFFICIENT_BUFFER)
2598 {
2599 rt = (PMIB_IPFORWARDTABLE) gc_malloc(size, false, gc);
2600 status = GetIpForwardTable(rt, &size, TRUE);
2601 if (status != NO_ERROR)
2602 {
2603 msg(D_ROUTE, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2604 strerror_win32(status, gc),
2605 (unsigned int)status);
2606 rt = NULL;
2607 }
2608 }
2609 return rt;
2610 }
2611
2612 static int
2613 test_route(const IP_ADAPTER_INFO *adapters,
2614 const in_addr_t gateway,
2615 DWORD *index)
2616 {
2617 int count = 0;
2618 DWORD i = adapter_index_of_ip(adapters, gateway, &count, NULL);
2619 if (index)
2620 {
2621 *index = i;
2622 }
2623 return count;
2624 }
2625
2626 static void
2627 test_route_helper(bool *ret,
2628 int *count,
2629 int *good,
2630 int *ambig,
2631 const IP_ADAPTER_INFO *adapters,
2632 const in_addr_t gateway)
2633 {
2634 int c;
2635
2636 ++*count;
2637 c = test_route(adapters, gateway, NULL);
2638 if (c == 0)
2639 {
2640 *ret = false;
2641 }
2642 else
2643 {
2644 ++*good;
2645 }
2646 if (c > 1)
2647 {
2648 ++*ambig;
2649 }
2650 }
2651
2652 /*
2653 * If we tried to add routes now, would we succeed?
2654 */
2655 bool
2656 test_routes(const struct route_list *rl, const struct tuntap *tt)
2657 {
2658 struct gc_arena gc = gc_new();
2659 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2660 bool ret = false;
2661 int count = 0;
2662 int good = 0;
2663 int ambig = 0;
2664 int len = -1;
2665 bool adapter_up = false;
2666
2667 if (is_adapter_up(tt, adapters))
2668 {
2669 ret = true;
2670 adapter_up = true;
2671
2672 /* we do this test only if we have IPv4 routes to install, and if
2673 * the tun/tap interface has seen IPv4 ifconfig - because if we
2674 * have no IPv4, the check will always fail, failing tun init
2675 */
2676 if (rl && tt->did_ifconfig_setup)
2677 {
2678 struct route_ipv4 *r;
2679 for (r = rl->routes, len = 0; r; r = r->next, ++len)
2680 {
2681 test_route_helper(&ret, &count, &good, &ambig, adapters, r->gateway);
2682 }
2683
2684 if ((rl->flags & RG_ENABLE) && (rl->spec.flags & RTSA_REMOTE_ENDPOINT))
2685 {
2686 test_route_helper(&ret, &count, &good, &ambig, adapters, rl->spec.remote_endpoint);
2687 }
2688 }
2689 }
2690
2691 msg(D_ROUTE, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2692 good,
2693 count,
2694 len,
2695 (int)ret,
2696 ambig,
2697 adapter_up ? "up" : "down");
2698
2699 gc_free(&gc);
2700 return ret;
2701 }
2702
2703 static const MIB_IPFORWARDROW *
2704 get_default_gateway_row(const MIB_IPFORWARDTABLE *routes)
2705 {
2706 struct gc_arena gc = gc_new();
2707 DWORD lowest_metric = MAXDWORD;
2708 const MIB_IPFORWARDROW *ret = NULL;
2709 int best = -1;
2710
2711 if (routes)
2712 {
2713 for (DWORD i = 0; i < routes->dwNumEntries; ++i)
2714 {
2715 const MIB_IPFORWARDROW *row = &routes->table[i];
2716 const in_addr_t net = ntohl(row->dwForwardDest);
2717 const in_addr_t mask = ntohl(row->dwForwardMask);
2718 const DWORD index = row->dwForwardIfIndex;
2719 const DWORD metric = row->dwForwardMetric1;
2720
2721 dmsg(D_ROUTE_DEBUG, "GDGR: route[%lu] %s/%s i=%d m=%d",
2722 i,
2723 print_in_addr_t((in_addr_t) net, 0, &gc),
2724 print_in_addr_t((in_addr_t) mask, 0, &gc),
2725 (int)index,
2726 (int)metric);
2727
2728 if (!net && !mask && metric < lowest_metric)
2729 {
2730 ret = row;
2731 lowest_metric = metric;
2732 best = i;
2733 }
2734 }
2735 }
2736
2737 dmsg(D_ROUTE_DEBUG, "GDGR: best=%d lm=%u", best, (unsigned int)lowest_metric);
2738
2739 gc_free(&gc);
2740 return ret;
2741 }
2742
2743 /**
2744 * @brief Determines the best route to a destination for both IPv4 and IPv6.
2745 *
2746 * Uses `GetBestInterfaceEx` and `GetBestRoute2` to find the optimal route
2747 * and network interface for the specified destination address.
2748 *
2749 * @param gc Pointer to struct gc_arena for internal string allocation.
2750 * @param dest The destination IP address (IPv4 or IPv6).
2751 * @param best_route Pointer to a `MIB_IPFORWARD_ROW2` structure to store the best route.
2752 * @return DWORD `NO_ERROR` on success, or an error code.
2753 */
2754 static DWORD
2755 get_best_route(struct gc_arena *gc, SOCKADDR_INET *dest, MIB_IPFORWARD_ROW2 *best_route)
2756 {
2757 DWORD best_if_index;
2758 DWORD status;
2759
2760 CLEAR(*best_route);
2761
2762 /* get the best interface index to reach dest */
2763 status = GetBestInterfaceEx((struct sockaddr *)dest, &best_if_index);
2764 if (status != NO_ERROR)
2765 {
2766 msg(D_ROUTE, "NOTE: GetBestInterfaceEx returned error: %s (code=%u)",
2767 strerror_win32(status, gc),
2768 (unsigned int)status);
2769 goto done;
2770 }
2771
2772 msg(D_ROUTE_DEBUG, "GetBestInterfaceEx() returned if=%d", (int)best_if_index);
2773
2774 /* get the routing information (such as NextHop) for the destination and interface */
2775 NET_LUID luid;
2776 CLEAR(luid);
2777 SOCKADDR_INET best_src;
2778 CLEAR(best_src);
2779 status = GetBestRoute2(&luid, best_if_index, NULL,
2780 dest, 0, best_route, &best_src);
2781 if (status != NO_ERROR)
2782 {
2783 msg(D_ROUTE, "NOTE: GetIpForwardEntry2 returned error: %s (code=%u)",
2784 strerror_win32(status, gc),
2785 (unsigned int)status);
2786 goto done;
2787 }
2788
2789 done:
2790 return status;
2791 }
2792
2793 void
2794 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
2795 {
2796 CLEAR(*rgi);
2797
2798 struct gc_arena gc = gc_new();
2799
2800 /* convert in_addr_t into SOCKADDR_INET */
2801 SOCKADDR_INET sa;
2802 CLEAR(sa);
2803 sa.si_family = AF_INET;
2804 sa.Ipv4.sin_addr.s_addr = htonl(dest);
2805
2806 /* get the best route to the destination */
2807 MIB_IPFORWARD_ROW2 best_route;
2808 CLEAR(best_route);
2809 DWORD status = get_best_route(&gc, &sa, &best_route);
2810 if (status != NO_ERROR)
2811 {
2812 goto done;
2813 }
2814
2815 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2816 rgi->gateway.addr = ntohl(best_route.NextHop.Ipv4.sin_addr.S_un.S_addr);
2817 rgi->adapter_index = best_route.InterfaceIndex;
2818
2819 if (rgi->gateway.addr == INADDR_ANY)
2820 {
2821 rgi->flags |= RGI_ON_LINK;
2822 }
2823
2824 /* get netmask and MAC address */
2825 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2826 const IP_ADAPTER_INFO *ai = get_adapter(adapters, rgi->adapter_index);
2827 if (ai)
2828 {
2829 memcpy(rgi->hwaddr, ai->Address, 6);
2830 rgi->flags |= RGI_HWADDR_DEFINED;
2831
2832 /* get netmask for non-onlink routes */
2833 in_addr_t nm = inet_addr(ai->IpAddressList.IpMask.String);
2834 if (!(rgi->flags & RGI_ON_LINK) && (nm != INADDR_NONE))
2835 {
2836 rgi->gateway.netmask = ntohl(nm);
2837 rgi->flags |= RGI_NETMASK_DEFINED;
2838 }
2839 }
2840
2841 done:
2842 gc_free(&gc);
2843 }
2844
2845 static DWORD
2846 windows_route_find_if_index(const struct route_ipv4 *r, const struct tuntap *tt)
2847 {
2848 struct gc_arena gc = gc_new();
2849 DWORD ret = TUN_ADAPTER_INDEX_INVALID;
2850 int count = 0;
2851 const IP_ADAPTER_INFO *adapters = get_adapter_info_list(&gc);
2852 const IP_ADAPTER_INFO *tun_adapter = get_tun_adapter(tt, adapters);
2853 bool on_tun = false;
2854
2855 /* first test on tun interface */
2856 if (is_ip_in_adapter_subnet(tun_adapter, r->gateway, NULL))
2857 {
2858 ret = tun_adapter->Index;
2859 count = 1;
2860 on_tun = true;
2861 }
2862 else /* test on other interfaces */
2863 {
2864 count = test_route(adapters, r->gateway, &ret);
2865 }
2866
2867 if (count == 0)
2868 {
2869 msg(M_WARN, "Warning: route gateway is not reachable on any active network adapters: %s",
2870 print_in_addr_t(r->gateway, 0, &gc));
2871 ret = TUN_ADAPTER_INDEX_INVALID;
2872 }
2873 else if (count > 1)
2874 {
2875 msg(M_WARN, "Warning: route gateway is ambiguous: %s (%d matches)",
2876 print_in_addr_t(r->gateway, 0, &gc),
2877 count);
2878 }
2879
2880 dmsg(D_ROUTE_DEBUG, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2881 on_tun,
2882 count,
2883 (int)ret);
2884
2885 gc_free(&gc);
2886 return ret;
2887 }
2888
2889 /* IPv6 implementation using GetBestRoute2()
2890 * (TBD: dynamic linking so the binary can still run on XP?)
2891 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa365922(v=vs.85).aspx
2892 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa814411(v=vs.85).aspx
2893 */
2894 void
2895 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
2896 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
2897 {
2898 struct gc_arena gc = gc_new();
2899 CLEAR(*rgi6);
2900
2901 SOCKADDR_INET DestinationAddress;
2902 CLEAR(DestinationAddress);
2903 DestinationAddress.si_family = AF_INET6;
2904 if (dest)
2905 {
2906 DestinationAddress.Ipv6.sin6_addr = *dest;
2907 }
2908
2909 MIB_IPFORWARD_ROW2 BestRoute;
2910 CLEAR(BestRoute);
2911 DWORD status = get_best_route(&gc, &DestinationAddress, &BestRoute);
2912
2913 if (status != NO_ERROR)
2914 {
2915 goto done;
2916 }
2917
2918 msg( D_ROUTE, "GDG6: II=%lu DP=%s/%d NH=%s",
2919 BestRoute.InterfaceIndex,
2920 print_in6_addr( BestRoute.DestinationPrefix.Prefix.Ipv6.sin6_addr, 0, &gc),
2921 BestRoute.DestinationPrefix.PrefixLength,
2922 print_in6_addr( BestRoute.NextHop.Ipv6.sin6_addr, 0, &gc) );
2923 msg( D_ROUTE, "GDG6: Metric=%d, Loopback=%d, AA=%d, I=%d",
2924 (int) BestRoute.Metric,
2925 (int) BestRoute.Loopback,
2926 (int) BestRoute.AutoconfigureAddress,
2927 (int) BestRoute.Immortal );
2928
2929 rgi6->gateway.addr_ipv6 = BestRoute.NextHop.Ipv6.sin6_addr;
2930 rgi6->adapter_index = BestRoute.InterfaceIndex;
2931 rgi6->flags |= RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
2932
2933 /* on-link is signalled by receiving an empty (::) NextHop */
2934 if (IN6_IS_ADDR_UNSPECIFIED(&BestRoute.NextHop.Ipv6.sin6_addr) )
2935 {
2936 rgi6->flags |= RGI_ON_LINK;
2937 }
2938
2939 done:
2940 gc_free(&gc);
2941 }
2942
2943 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
2944 static int
2945 add_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt, DWORD adapter_index)
2946 {
2947 struct gc_arena gc = gc_new();
2948 int ret = RTA_ERROR;
2949 DWORD status;
2950 const DWORD if_index = (adapter_index == TUN_ADAPTER_INDEX_INVALID) ? windows_route_find_if_index(r, tt) : adapter_index;
2951
2952 if (if_index != TUN_ADAPTER_INDEX_INVALID)
2953 {
2954 MIB_IPFORWARDROW fr;
2955 CLEAR(fr);
2956 fr.dwForwardDest = htonl(r->network);
2957 fr.dwForwardMask = htonl(r->netmask);
2958 fr.dwForwardPolicy = 0;
2959 fr.dwForwardNextHop = htonl(r->gateway);
2960 fr.dwForwardIfIndex = if_index;
2961 fr.dwForwardType = 4; /* the next hop is not the final dest */
2962 fr.dwForwardProto = 3; /* PROTO_IP_NETMGMT */
2963 fr.dwForwardAge = 0;
2964 fr.dwForwardNextHopAS = 0;
2965 fr.dwForwardMetric1 = (r->flags & RT_METRIC_DEFINED) ? r->metric : 1;
2966 fr.dwForwardMetric2 = METRIC_NOT_USED;
2967 fr.dwForwardMetric3 = METRIC_NOT_USED;
2968 fr.dwForwardMetric4 = METRIC_NOT_USED;
2969 fr.dwForwardMetric5 = METRIC_NOT_USED;
2970
2971 if ((r->network & r->netmask) != r->network)
2972 {
2973 msg(M_WARN, "Warning: address %s is not a network address in relation to netmask %s",
2974 print_in_addr_t(r->network, 0, &gc),
2975 print_in_addr_t(r->netmask, 0, &gc));
2976 }
2977
2978 status = CreateIpForwardEntry(&fr);
2979
2980 if (status == NO_ERROR)
2981 {
2982 ret = RTA_SUCCESS;
2983 }
2984 else if (status == ERROR_OBJECT_ALREADY_EXISTS)
2985 {
2986 ret = RTA_EEXIST;
2987 }
2988 else
2989 {
2990 /* failed, try increasing the metric to work around Vista issue */
2991 const unsigned int forward_metric_limit = 2048; /* iteratively retry higher metrics up to this limit */
2992
2993 for (; fr.dwForwardMetric1 <= forward_metric_limit; ++fr.dwForwardMetric1)
2994 {
2995 /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2996 * --redirect-gateway over RRAS seems to need this. */
2997 for (fr.dwForwardType = 4; fr.dwForwardType >= 3; --fr.dwForwardType)
2998 {
2999 status = CreateIpForwardEntry(&fr);
3000 if (status == NO_ERROR)
3001 {
3002 msg(D_ROUTE, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
3003 (unsigned int)fr.dwForwardMetric1,
3004 (unsigned int)fr.dwForwardType);
3005 ret = RTA_SUCCESS;
3006 goto doublebreak;
3007 }
3008 else if (status != ERROR_BAD_ARGUMENTS)
3009 {
3010 goto doublebreak;
3011 }
3012 }
3013 }
3014
3015 doublebreak:
3016 if (status != NO_ERROR)
3017 {
3018 if (status == ERROR_OBJECT_ALREADY_EXISTS)
3019 {
3020 ret = RTA_EEXIST;
3021 }
3022 else
3023 {
3024 msg(M_WARN, "ERROR: route addition failed using CreateIpForwardEntry: "
3025 "%s [status=%u if_index=%u]", strerror_win32(status, &gc),
3026 (unsigned int)status, (unsigned int)if_index);
3027 }
3028 }
3029 }
3030 }
3031
3032 gc_free(&gc);
3033 return ret;
3034 }
3035
3036 static bool
3037 del_route_ipapi(const struct route_ipv4 *r, const struct tuntap *tt)
3038 {
3039 struct gc_arena gc = gc_new();
3040 bool ret = false;
3041 DWORD status;
3042 const DWORD if_index = windows_route_find_if_index(r, tt);
3043
3044 if (if_index != TUN_ADAPTER_INDEX_INVALID)
3045 {
3046 MIB_IPFORWARDROW fr;
3047 CLEAR(fr);
3048
3049 fr.dwForwardDest = htonl(r->network);
3050 fr.dwForwardMask = htonl(r->netmask);
3051 fr.dwForwardPolicy = 0;
3052 fr.dwForwardNextHop = htonl(r->gateway);
3053 fr.dwForwardIfIndex = if_index;
3054
3055 status = DeleteIpForwardEntry(&fr);
3056
3057 if (status == NO_ERROR)
3058 {
3059 ret = true;
3060 }
3061 else
3062 {
3063 msg(M_WARN, "ERROR: route deletion failed using DeleteIpForwardEntry: %s",
3064 strerror_win32(status, &gc));
3065 }
3066 }
3067
3068 gc_free(&gc);
3069 return ret;
3070 }
3071
3072 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3073 static int
3074 do_route_service(const bool add, const route_message_t *rt, const size_t size, HANDLE pipe)
3075 {
3076 int ret = RTA_ERROR;
3077 ack_message_t ack;
3078 struct gc_arena gc = gc_new();
3079
3080 if (!send_msg_iservice(pipe, rt, size, &ack, "ROUTE"))
3081 {
3082 goto out;
3083 }
3084
3085 if (ack.error_number != NO_ERROR)
3086 {
3087 ret = (ack.error_number == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
3088 if (ret == RTA_ERROR)
3089 {
3090 msg(M_WARN, "ERROR: route %s failed using service: %s [status=%u if_index=%d]",
3091 (add ? "addition" : "deletion"), strerror_win32(ack.error_number, &gc),
3092 ack.error_number, rt->iface.index);
3093 }
3094 goto out;
3095 }
3096
3097 ret = RTA_SUCCESS;
3098
3099 out:
3100 gc_free(&gc);
3101 return ret;
3102 }
3103
3104 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3105 static int
3106 do_route_ipv4_service(const bool add, const struct route_ipv4 *r, const struct tuntap *tt)
3107 {
3108 DWORD if_index = windows_route_find_if_index(r, tt);
3109 if (if_index == ~0)
3110 {
3111 return RTA_ERROR;
3112 }
3113
3114 route_message_t msg = {
3115 .header = {
3116 (add ? msg_add_route : msg_del_route),
3117 sizeof(route_message_t),
3118 0
3119 },
3120 .family = AF_INET,
3121 .prefix.ipv4.s_addr = htonl(r->network),
3122 .gateway.ipv4.s_addr = htonl(r->gateway),
3123 .iface = { .index = if_index, .name = "" },
3124 .metric = (r->flags & RT_METRIC_DEFINED ? r->metric : -1)
3125 };
3126
3127 netmask_to_netbits(r->network, r->netmask, &msg.prefix_len);
3128 if (msg.prefix_len == -1)
3129 {
3130 msg.prefix_len = 32;
3131 }
3132
3133 return do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3134 }
3135
3136 /* Add or delete an ipv6 route
3137 * Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error
3138 */
3139 static int
3140 route_ipv6_ipapi(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3141 {
3142 DWORD err;
3143 int ret = RTA_ERROR;
3144 PMIB_IPFORWARD_ROW2 fwd_row;
3145 struct gc_arena gc = gc_new();
3146
3147 fwd_row = gc_malloc(sizeof(*fwd_row), true, &gc);
3148
3149 fwd_row->ValidLifetime = 0xffffffff;
3150 fwd_row->PreferredLifetime = 0xffffffff;
3151 fwd_row->Protocol = MIB_IPPROTO_NETMGMT;
3152 fwd_row->Metric = ((r->flags & RT_METRIC_DEFINED) ? r->metric : -1);
3153 fwd_row->DestinationPrefix.Prefix.si_family = AF_INET6;
3154 fwd_row->DestinationPrefix.Prefix.Ipv6.sin6_addr = r->network;
3155 fwd_row->DestinationPrefix.PrefixLength = (UINT8) r->netbits;
3156 fwd_row->NextHop.si_family = AF_INET6;
3157 fwd_row->NextHop.Ipv6.sin6_addr = r->gateway;
3158 fwd_row->InterfaceIndex = r->adapter_index ? r->adapter_index : tt->adapter_index;
3159
3160 /* In TUN mode we use a special link-local address as the next hop.
3161 * The tapdrvr knows about it and will answer neighbor discovery packets.
3162 * (only do this for routes actually using the tun/tap device)
3163 */
3164 if (tt->type == DEV_TYPE_TUN && !r->adapter_index)
3165 {
3166 inet_pton(AF_INET6, "fe80::8", &fwd_row->NextHop.Ipv6.sin6_addr);
3167 }
3168
3169 /* Use LUID if interface index not available */
3170 if (fwd_row->InterfaceIndex == TUN_ADAPTER_INDEX_INVALID && strlen(tt->actual_name))
3171 {
3172 NET_LUID luid;
3173 err = ConvertInterfaceAliasToLuid(wide_string(tt->actual_name, &gc), &luid);
3174 if (err != NO_ERROR)
3175 {
3176 goto out;
3177 }
3178 fwd_row->InterfaceLuid = luid;
3179 fwd_row->InterfaceIndex = 0;
3180 }
3181
3182 if (add)
3183 {
3184 err = CreateIpForwardEntry2(fwd_row);
3185 }
3186 else
3187 {
3188 err = DeleteIpForwardEntry2(fwd_row);
3189 }
3190
3191 out:
3192 if (err != NO_ERROR)
3193 {
3194 ret = (err == ERROR_OBJECT_ALREADY_EXISTS) ? RTA_EEXIST : RTA_ERROR;
3195 if (ret == RTA_ERROR)
3196 {
3197 msg(M_WARN, "ERROR: route %s failed using ipapi: %s [status=%lu if_index=%lu]",
3198 (add ? "addition" : "deletion"), strerror_win32(err, &gc), err,
3199 fwd_row->InterfaceIndex);
3200 }
3201 else if (add)
3202 {
3203 msg(D_ROUTE, "IPv6 route addition using ipapi failed because route exists");
3204 }
3205 }
3206 else
3207 {
3208 msg(D_ROUTE, "IPv6 route %s using ipapi", add ? "added" : "deleted");
3209 ret = RTA_SUCCESS;
3210 }
3211 gc_free(&gc);
3212 return ret;
3213 }
3214
3215 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3216 static int
3217 do_route_ipv6_service(const bool add, const struct route_ipv6 *r, const struct tuntap *tt)
3218 {
3219 int status;
3220 route_message_t msg = {
3221 .header = {
3222 (add ? msg_add_route : msg_del_route),
3223 sizeof(route_message_t),
3224 0
3225 },
3226 .family = AF_INET6,
3227 .prefix.ipv6 = r->network,
3228 .prefix_len = r->netbits,
3229 .gateway.ipv6 = r->gateway,
3230 .iface = { .index = tt->adapter_index, .name = "" },
3231 .metric = ( (r->flags & RT_METRIC_DEFINED) ? r->metric : -1)
3232 };
3233
3234 if (r->adapter_index) /* vpn server special route */
3235 {
3236 msg.iface.index = r->adapter_index;
3237 }
3238
3239 /* In TUN mode we use a special link-local address as the next hop.
3240 * The tapdrvr knows about it and will answer neighbor discovery packets.
3241 * (only do this for routes actually using the tun/tap device)
3242 */
3243 if (tt->type == DEV_TYPE_TUN
3244 && msg.iface.index == tt->adapter_index)
3245 {
3246 inet_pton(AF_INET6, "fe80::8", &msg.gateway.ipv6);
3247 }
3248
3249 if (msg.iface.index == TUN_ADAPTER_INDEX_INVALID)
3250 {
3251 strncpy(msg.iface.name, tt->actual_name, sizeof(msg.iface.name));
3252 msg.iface.name[sizeof(msg.iface.name) - 1] = '\0';
3253 }
3254
3255 status = do_route_service(add, &msg, sizeof(msg), tt->options.msg_channel);
3256 if (status != RTA_ERROR)
3257 {
3258 msg(D_ROUTE, "IPv6 route %s via service %s",
3259 add ? "addition" : "deletion",
3260 (status == RTA_SUCCESS) ? "succeeded" : "failed because route exists");
3261 }
3262 return status;
3263 }
3264
3265 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3266 static int
3267 add_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3268 {
3269 return do_route_ipv4_service(true, r, tt);
3270 }
3271
3272 static bool
3273 del_route_service(const struct route_ipv4 *r, const struct tuntap *tt)
3274 {
3275 return do_route_ipv4_service(false, r, tt);
3276 }
3277
3278 /* Returns RTA_SUCCESS on success, RTA_EEXIST if route exists, RTA_ERROR on error */
3279 static int
3280 add_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3281 {
3282 return do_route_ipv6_service(true, r, tt);
3283 }
3284
3285 static bool
3286 del_route_ipv6_service(const struct route_ipv6 *r, const struct tuntap *tt)
3287 {
3288 return do_route_ipv6_service(false, r, tt);
3289 }
3290
3291 static const char *
3292 format_route_entry(const MIB_IPFORWARDROW *r, struct gc_arena *gc)
3293 {
3294 struct buffer out = alloc_buf_gc(256, gc);
3295 buf_printf(&out, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
3296 print_in_addr_t(r->dwForwardDest, IA_NET_ORDER, gc),
3297 print_in_addr_t(r->dwForwardMask, IA_NET_ORDER, gc),
3298 print_in_addr_t(r->dwForwardNextHop, IA_NET_ORDER, gc),
3299 (int)r->dwForwardPolicy,
3300 (int)r->dwForwardIfIndex,
3301 (int)r->dwForwardType,
3302 (int)r->dwForwardProto,
3303 (int)r->dwForwardAge,
3304 (int)r->dwForwardNextHopAS,
3305 (int)r->dwForwardMetric1,
3306 (int)r->dwForwardMetric2,
3307 (int)r->dwForwardMetric3,
3308 (int)r->dwForwardMetric4,
3309 (int)r->dwForwardMetric5);
3310 return BSTR(&out);
3311 }
3312
3313 /*
3314 * Show current routing table
3315 */
3316 void
3317 show_routes(int msglev)
3318 {
3319 struct gc_arena gc = gc_new();
3320
3321 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
3322
3323 msg(msglev, "SYSTEM ROUTING TABLE");
3324 if (rt)
3325 {
3326 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
3327 {
3328 msg(msglev, "%s", format_route_entry(&rt->table[i], &gc));
3329 }
3330 }
3331 gc_free(&gc);
3332 }
3333
3334 #elif defined(TARGET_ANDROID)
3335
3336 void
3337 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3338 {
3339 /* Android, set some pseudo GW, addr is in host byte order,
3340 * Determining the default GW on Android 5.0+ is non trivial
3341 * and serves almost no purpose since OpenVPN only uses the
3342 * default GW address to add routes for networks that should
3343 * NOT be routed over the VPN. Using a well known address
3344 * (127.'d'.'g'.'w') for the default GW make detecting
3345 * these routes easier from the controlling app.
3346 */
3347 CLEAR(*rgi);
3348
3349 rgi->gateway.addr = 127 << 24 | 'd' << 16 | 'g' << 8 | 'w';
3350 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3351 strcpy(rgi->iface, "android-gw");
3352
3353 /* Skip scanning/fetching interface from loopback interface we do
3354 * normally on Linux.
3355 * It always fails and "ioctl(SIOCGIFCONF) failed" confuses users
3356 */
3357
3358 }
3359
3360 void
3361 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
3362 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3363 {
3364 /* Same for ipv6 */
3365
3366 CLEAR(*rgi6);
3367
3368 /* Use a fake link-local address */
3369 ASSERT(inet_pton(AF_INET6, "fe80::ad", &rgi6->addrs->addr_ipv6) == 1);
3370 rgi6->addrs->netbits_ipv6 = 64;
3371 rgi6->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
3372 strcpy(rgi6->iface, "android-gw");
3373 }
3374
3375 #elif defined(TARGET_LINUX)
3376
3377 void
3378 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3379 {
3380 struct gc_arena gc = gc_new();
3381 int sd = -1;
3382 char best_name[IFNAMSIZ];
3383
3384 CLEAR(*rgi);
3385 CLEAR(best_name);
3386
3387 /* find best route to 'dest', get gateway IP addr + interface */
3388 if (net_route_v4_best_gw(ctx, &dest, &rgi->gateway.addr, best_name) == 0)
3389 {
3390 rgi->flags |= RGI_ADDR_DEFINED;
3391 if (!rgi->gateway.addr && best_name[0])
3392 {
3393 rgi->flags |= RGI_ON_LINK;
3394 }
3395 }
3396
3397 /* scan adapter list */
3398 if (rgi->flags & RGI_ADDR_DEFINED)
3399 {
3400 struct ifreq *ifr, *ifend;
3401 in_addr_t addr, netmask;
3402 struct ifreq ifreq;
3403 struct ifconf ifc;
3404 struct ifreq ifs[20]; /* Maximum number of interfaces to scan */
3405
3406 if ((sd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
3407 {
3408 msg(M_WARN, "GDG: socket() failed");
3409 goto done;
3410 }
3411 ifc.ifc_len = sizeof(ifs);
3412 ifc.ifc_req = ifs;
3413 if (ioctl(sd, SIOCGIFCONF, &ifc) < 0)
3414 {
3415 msg(M_WARN, "GDG: ioctl(SIOCGIFCONF) failed");
3416 goto done;
3417 }
3418
3419 /* scan through interface list */
3420 ifend = ifs + (ifc.ifc_len / sizeof(struct ifreq));
3421 for (ifr = ifc.ifc_req; ifr < ifend; ifr++)
3422 {
3423 if (ifr->ifr_addr.sa_family == AF_INET)
3424 {
3425 /* get interface addr */
3426 addr = ntohl(((struct sockaddr_in *) &ifr->ifr_addr)->sin_addr.s_addr);
3427
3428 /* get interface name */
3429 strncpynt(ifreq.ifr_name, ifr->ifr_name, sizeof(ifreq.ifr_name));
3430
3431 /* check that the interface is up */
3432 if (ioctl(sd, SIOCGIFFLAGS, &ifreq) < 0)
3433 {
3434 continue;
3435 }
3436 if (!(ifreq.ifr_flags & IFF_UP))
3437 {
3438 continue;
3439 }
3440
3441 if (rgi->flags & RGI_ON_LINK)
3442 {
3443 /* check that interface name of current interface
3444 * matches interface name of best default route */
3445 if (strcmp(ifreq.ifr_name, best_name))
3446 {
3447 continue;
3448 }
3449 #if 0
3450 /* if point-to-point link, use remote addr as route gateway */
3451 if ((ifreq.ifr_flags & IFF_POINTOPOINT) && ioctl(sd, SIOCGIFDSTADDR, &ifreq) >= 0)
3452 {
3453 rgi->gateway.addr = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3454 if (rgi->gateway.addr)
3455 {
3456 rgi->flags &= ~RGI_ON_LINK;
3457 }
3458 }
3459 #endif
3460 }
3461 else
3462 {
3463 /* get interface netmask */
3464 if (ioctl(sd, SIOCGIFNETMASK, &ifreq) < 0)
3465 {
3466 continue;
3467 }
3468 netmask = ntohl(((struct sockaddr_in *) &ifreq.ifr_addr)->sin_addr.s_addr);
3469
3470 /* check that interface matches default route */
3471 if (((rgi->gateway.addr ^ addr) & netmask) != 0)
3472 {
3473 continue;
3474 }
3475
3476 /* save netmask */
3477 rgi->gateway.netmask = netmask;
3478 rgi->flags |= RGI_NETMASK_DEFINED;
3479 }
3480
3481 /* save iface name */
3482 strncpynt(rgi->iface, ifreq.ifr_name, sizeof(rgi->iface));
3483 rgi->flags |= RGI_IFACE_DEFINED;
3484
3485 /* now get the hardware address. */
3486 memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr));
3487 if (ioctl(sd, SIOCGIFHWADDR, &ifreq) < 0)
3488 {
3489 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3490 goto done;
3491 }
3492 memcpy(rgi->hwaddr, &ifreq.ifr_hwaddr.sa_data, 6);
3493 rgi->flags |= RGI_HWADDR_DEFINED;
3494
3495 break;
3496 }
3497 }
3498 }
3499
3500 done:
3501 if (sd >= 0)
3502 {
3503 close(sd);
3504 }
3505 gc_free(&gc);
3506 }
3507
3508 /* IPv6 implementation using netlink
3509 * http://www.linuxjournal.com/article/7356
3510 * netlink(3), netlink(7), rtnetlink(7)
3511 * http://www.virtualbox.org/svn/vbox/trunk/src/VBox/NetworkServices/NAT/rtmon_linux.c
3512 */
3513 struct rtreq {
3514 struct nlmsghdr nh;
3515 struct rtmsg rtm;
3516 char attrbuf[512];
3517 };
3518
3519 void
3520 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
3521 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3522 {
3523 int flags;
3524
3525 CLEAR(*rgi6);
3526
3527 if (net_route_v6_best_gw(ctx, dest, &rgi6->gateway.addr_ipv6,
3528 rgi6->iface) == 0)
3529 {
3530 if (!IN6_IS_ADDR_UNSPECIFIED(&rgi6->gateway.addr_ipv6))
3531 {
3532 rgi6->flags |= RGI_ADDR_DEFINED;
3533 }
3534
3535 if (strlen(rgi6->iface) > 0)
3536 {
3537 rgi6->flags |= RGI_IFACE_DEFINED;
3538 }
3539 }
3540
3541 /* if we have an interface but no gateway, the destination is on-link */
3542 flags = rgi6->flags & (RGI_IFACE_DEFINED | RGI_ADDR_DEFINED);
3543 if (flags == RGI_IFACE_DEFINED)
3544 {
3545 rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK);
3546 if (dest)
3547 {
3548 rgi6->gateway.addr_ipv6 = *dest;
3549 }
3550 }
3551 }
3552
3553 #elif defined(TARGET_DARWIN) || defined(TARGET_SOLARIS) \
3554 || defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY) \
3555 || defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
3556
3557 #include <sys/types.h>
3558 #include <sys/socket.h>
3559 #include <netinet/in.h>
3560 #include <net/route.h>
3561 #include <net/if_dl.h>
3562 #if !defined(TARGET_SOLARIS)
3563 #include <ifaddrs.h>
3564 #endif
3565
3566 struct rtmsg {
3567 struct rt_msghdr m_rtm;
3568 char m_space[512];
3569 };
3570
3571 /* the route socket code is identical for all 4 supported BSDs and for
3572 * MacOS X (Darwin), with one crucial difference: when going from
3573 * 32 bit to 64 bit, FreeBSD/OpenBSD increased the structure size but kept
3574 * source code compatibility by keeping the use of "long", while
3575 * MacOS X decided to keep binary compatibility by *changing* the API
3576 * to use "uint32_t", thus 32 bit on all OS X variants
3577 *
3578 * NetBSD does the MacOS way of "fixed number of bits, no matter if
3579 * 32 or 64 bit OS", but chose uint64_t. For maximum portability, we
3580 * just use the OS RT_ROUNDUP() macro, which is guaranteed to be correct.
3581 *
3582 * We used to have a large amount of duplicate code here which really
3583 * differed only in this (long) vs. (uint32_t) - IMHO, worse than
3584 * having a combined block for all BSDs with this single #ifdef inside
3585 */
3586
3587 #if defined(TARGET_DARWIN)
3588 #define ROUNDUP(a) \
3589 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
3590 #elif defined(TARGET_NETBSD)
3591 #define ROUNDUP(a) RT_ROUNDUP(a)
3592 #else
3593 #define ROUNDUP(a) \
3594 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3595 #endif
3596
3597 #if defined(TARGET_SOLARIS)
3598 #define NEXTADDR(w, u) \
3599 if (rtm_addrs & (w)) { \
3600 l = sizeof(u); memmove(cp, &(u), l); cp += ROUNDUP(l); \
3601 }
3602
3603 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in)))
3604 #else /* if defined(TARGET_SOLARIS) */
3605 #define NEXTADDR(w, u) \
3606 if (rtm_addrs & (w)) { \
3607 l = ((struct sockaddr *)&(u))->sa_len; memmove(cp, &(u), l); cp += ROUNDUP(l); \
3608 }
3609
3610 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
3611 #endif
3612
3613 #define max(a, b) ((a) > (b) ? (a) : (b))
3614
3615 void
3616 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3617 {
3618 struct gc_arena gc = gc_new();
3619 struct rtmsg m_rtmsg;
3620 int sockfd = -1;
3621 int seq, l, pid, rtm_addrs;
3622 unsigned int i;
3623 struct sockaddr so_dst, so_mask;
3624 char *cp = m_rtmsg.m_space;
3625 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3626 struct rt_msghdr *rtm_aux;
3627
3628 #define rtm m_rtmsg.m_rtm
3629
3630 CLEAR(*rgi);
3631
3632 /* setup data to send to routing socket */
3633 pid = getpid();
3634 seq = 0;
3635 #ifdef TARGET_OPENBSD
3636 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3637 #else
3638 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3639 #endif
3640
3641 bzero(&m_rtmsg, sizeof(m_rtmsg));
3642 bzero(&so_dst, sizeof(so_dst));
3643 bzero(&so_mask, sizeof(so_mask));
3644 bzero(&rtm, sizeof(struct rt_msghdr));
3645
3646 rtm.rtm_type = RTM_GET;
3647 rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
3648 rtm.rtm_version = RTM_VERSION;
3649 rtm.rtm_seq = ++seq;
3650 #ifdef TARGET_OPENBSD
3651 rtm.rtm_tableid = getrtable();
3652 #endif
3653 rtm.rtm_addrs = rtm_addrs;
3654
3655 so_dst.sa_family = AF_INET;
3656 so_mask.sa_family = AF_INET;
3657
3658 #ifndef TARGET_SOLARIS
3659 so_dst.sa_len = sizeof(struct sockaddr_in);
3660 so_mask.sa_len = sizeof(struct sockaddr_in);
3661 #endif
3662
3663 NEXTADDR(RTA_DST, so_dst);
3664 NEXTADDR(RTA_NETMASK, so_mask);
3665
3666 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3667
3668 /* transact with routing socket */
3669 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3670 if (sockfd < 0)
3671 {
3672 msg(M_WARN, "GDG: socket #1 failed");
3673 goto done;
3674 }
3675 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3676 {
3677 msg(M_WARN|M_ERRNO, "GDG: problem writing to routing socket");
3678 goto done;
3679 }
3680 do
3681 {
3682 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3683 } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3684 close(sockfd);
3685 sockfd = -1;
3686
3687 /* extract return data from routing socket */
3688 rtm_aux = &rtm;
3689 cp = ((char *)(rtm_aux + 1));
3690 if (rtm_aux->rtm_addrs)
3691 {
3692 for (i = 1; i; i <<= 1)
3693 {
3694 if (i & rtm_aux->rtm_addrs)
3695 {
3696 sa = (struct sockaddr *)cp;
3697 if (i == RTA_GATEWAY)
3698 {
3699 gate = sa;
3700 }
3701 else if (i == RTA_IFP)
3702 {
3703 ifp = sa;
3704 }
3705 ADVANCE(cp, sa);
3706 }
3707 }
3708 }
3709 else
3710 {
3711 goto done;
3712 }
3713
3714 /* get gateway addr and interface name */
3715 if (gate != NULL)
3716 {
3717 /* get default gateway addr */
3718 rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
3719 if (rgi->gateway.addr)
3720 {
3721 rgi->flags |= RGI_ADDR_DEFINED;
3722 }
3723
3724 if (ifp)
3725 {
3726 /* get interface name */
3727 const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3728 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi->iface))
3729 {
3730 memcpy(rgi->iface, adl->sdl_data, adl->sdl_nlen);
3731 rgi->iface[adl->sdl_nlen] = '\0';
3732 rgi->flags |= RGI_IFACE_DEFINED;
3733 }
3734 }
3735 }
3736
3737 /* get netmask of interface that owns default gateway */
3738 if (rgi->flags & RGI_IFACE_DEFINED)
3739 {
3740 struct ifreq ifr;
3741
3742 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3743 if (sockfd < 0)
3744 {
3745 msg(M_WARN, "GDG: socket #2 failed");
3746 goto done;
3747 }
3748
3749 CLEAR(ifr);
3750 ifr.ifr_addr.sa_family = AF_INET;
3751 strncpynt(ifr.ifr_name, rgi->iface, IFNAMSIZ);
3752
3753 if (ioctl(sockfd, SIOCGIFNETMASK, (char *)&ifr) < 0)
3754 {
3755 msg(M_WARN, "GDG: ioctl #1 failed");
3756 goto done;
3757 }
3758 close(sockfd);
3759 sockfd = -1;
3760
3761 rgi->gateway.netmask = ntohl(((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr);
3762 rgi->flags |= RGI_NETMASK_DEFINED;
3763 }
3764
3765 /* try to read MAC addr associated with interface that owns default gateway */
3766 if (rgi->flags & RGI_IFACE_DEFINED)
3767 {
3768 #if defined(TARGET_SOLARIS)
3769 /* OpenSolaris has getifaddrs(3), but it does not return AF_LINK */
3770 sockfd = socket(AF_INET, SOCK_DGRAM, 0);
3771 if (sockfd < 0)
3772 {
3773 msg(M_WARN, "GDG: socket #3 failed");
3774 goto done;
3775 }
3776
3777 struct ifreq ifreq = { 0 };
3778
3779 /* now get the hardware address. */
3780 strncpynt(ifreq.ifr_name, rgi->iface, sizeof(ifreq.ifr_name));
3781 if (ioctl(sockfd, SIOCGIFHWADDR, &ifreq) < 0)
3782 {
3783 msg(M_WARN, "GDG: SIOCGIFHWADDR(%s) failed", ifreq.ifr_name);
3784 }
3785 else
3786 {
3787 memcpy(rgi->hwaddr, &ifreq.ifr_addr.sa_data, 6);
3788 rgi->flags |= RGI_HWADDR_DEFINED;
3789 }
3790 #else /* if defined(TARGET_SOLARIS) */
3791 struct ifaddrs *ifap, *ifa;
3792
3793 if (getifaddrs(&ifap) != 0)
3794 {
3795 msg(M_WARN|M_ERRNO, "GDG: getifaddrs() failed");
3796 goto done;
3797 }
3798
3799 for (ifa = ifap; ifa; ifa = ifa->ifa_next)
3800 {
3801 if (ifa->ifa_addr != NULL
3802 && ifa->ifa_addr->sa_family == AF_LINK
3803 && !strncmp(ifa->ifa_name, rgi->iface, IFNAMSIZ) )
3804 {
3805 struct sockaddr_dl *sdl = (struct sockaddr_dl *)ifa->ifa_addr;
3806 memcpy(rgi->hwaddr, LLADDR(sdl), 6);
3807 rgi->flags |= RGI_HWADDR_DEFINED;
3808 }
3809 }
3810
3811 freeifaddrs(ifap);
3812 #endif /* if defined(TARGET_SOLARIS) */
3813 }
3814
3815 done:
3816 if (sockfd >= 0)
3817 {
3818 close(sockfd);
3819 }
3820 gc_free(&gc);
3821 }
3822
3823 /* BSD implementation using routing socket (as does IPv4)
3824 * (the code duplication is somewhat unavoidable if we want this to
3825 * work on OpenSolaris as well. *sigh*)
3826 */
3827
3828 /* Solaris has no length field - this is ugly, but less #ifdef in total
3829 */
3830 #if defined(TARGET_SOLARIS)
3831 #undef ADVANCE
3832 #define ADVANCE(x, n) (x += ROUNDUP(sizeof(struct sockaddr_in6)))
3833 #endif
3834
3835 void
3836 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
3837 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
3838 {
3839
3840 struct rtmsg m_rtmsg;
3841 int sockfd = -1;
3842 int seq, l, pid, rtm_addrs;
3843 unsigned int i;
3844 struct sockaddr_in6 so_dst, so_mask;
3845 char *cp = m_rtmsg.m_space;
3846 struct sockaddr *gate = NULL, *ifp = NULL, *sa;
3847 struct rt_msghdr *rtm_aux;
3848
3849 CLEAR(*rgi6);
3850
3851 /* setup data to send to routing socket */
3852 pid = getpid();
3853 seq = 0;
3854 #ifdef TARGET_OPENBSD
3855 rtm_addrs = RTA_DST | RTA_NETMASK; /* Kernel refuses RTA_IFP */
3856 #else
3857 rtm_addrs = RTA_DST | RTA_NETMASK | RTA_IFP;
3858 #endif
3859
3860 bzero(&m_rtmsg, sizeof(m_rtmsg));
3861 bzero(&so_dst, sizeof(so_dst));
3862 bzero(&so_mask, sizeof(so_mask));
3863 bzero(&rtm, sizeof(struct rt_msghdr));
3864
3865 rtm.rtm_type = RTM_GET;
3866 rtm.rtm_flags = RTF_UP;
3867 rtm.rtm_version = RTM_VERSION;
3868 rtm.rtm_seq = ++seq;
3869 #ifdef TARGET_OPENBSD
3870 rtm.rtm_tableid = getrtable();
3871 #endif
3872
3873 so_dst.sin6_family = AF_INET6;
3874 so_mask.sin6_family = AF_INET6;
3875
3876 if (dest != NULL /* specific host? */
3877 && !IN6_IS_ADDR_UNSPECIFIED(dest) )
3878 {
3879 so_dst.sin6_addr = *dest;
3880 /* :: needs /0 "netmask", host route wants "no netmask */
3881 rtm_addrs &= ~RTA_NETMASK;
3882 }
3883
3884 rtm.rtm_addrs = rtm_addrs;
3885
3886 #ifndef TARGET_SOLARIS
3887 so_dst.sin6_len = sizeof(struct sockaddr_in6);
3888 so_mask.sin6_len = sizeof(struct sockaddr_in6);
3889 #endif
3890
3891 NEXTADDR(RTA_DST, so_dst);
3892 NEXTADDR(RTA_NETMASK, so_mask);
3893
3894 rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;
3895
3896 /* transact with routing socket */
3897 sockfd = socket(PF_ROUTE, SOCK_RAW, 0);
3898 if (sockfd < 0)
3899 {
3900 msg(M_WARN, "GDG6: socket #1 failed");
3901 goto done;
3902 }
3903 if (write(sockfd, (char *)&m_rtmsg, l) < 0)
3904 {
3905 msg(M_WARN|M_ERRNO, "GDG6: problem writing to routing socket");
3906 goto done;
3907 }
3908
3909 do
3910 {
3911 l = read(sockfd, (char *)&m_rtmsg, sizeof(m_rtmsg));
3912 }
3913 while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));
3914
3915 close(sockfd);
3916 sockfd = -1;
3917
3918 /* extract return data from routing socket */
3919 rtm_aux = &rtm;
3920 cp = ((char *)(rtm_aux + 1));
3921 if (rtm_aux->rtm_addrs)
3922 {
3923 for (i = 1; i; i <<= 1)
3924 {
3925 if (i & rtm_aux->rtm_addrs)
3926 {
3927 sa = (struct sockaddr *)cp;
3928 if (i == RTA_GATEWAY)
3929 {
3930 gate = sa;
3931 }
3932 else if (i == RTA_IFP)
3933 {
3934 ifp = sa;
3935 }
3936 ADVANCE(cp, sa);
3937 }
3938 }
3939 }
3940 else
3941 {
3942 goto done;
3943 }
3944
3945 /* get gateway addr and interface name */
3946 if (gate != NULL)
3947 {
3948 struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)gate;
3949 struct in6_addr gw = s6->sin6_addr;
3950
3951 #ifndef TARGET_SOLARIS
3952 /* You do not really want to know... from FreeBSD's route.c
3953 * (KAME encodes the 16 bit scope_id in s6_addr[2] + [3],
3954 * but for a correct link-local address these must be :0000: )
3955 */
3956 if (gate->sa_len == sizeof(struct sockaddr_in6)
3957 && IN6_IS_ADDR_LINKLOCAL(&gw) )
3958 {
3959 gw.s6_addr[2] = gw.s6_addr[3] = 0;
3960 }
3961
3962 if (gate->sa_len != sizeof(struct sockaddr_in6)
3963 || IN6_IS_ADDR_UNSPECIFIED(&gw) )
3964 {
3965 rgi6->flags |= RGI_ON_LINK;
3966 }
3967 else
3968 #endif
3969 {
3970 rgi6->gateway.addr_ipv6 = gw;
3971 }
3972 rgi6->flags |= RGI_ADDR_DEFINED;
3973
3974 if (ifp)
3975 {
3976 /* get interface name */
3977 const struct sockaddr_dl *adl = (struct sockaddr_dl *) ifp;
3978 if (adl->sdl_nlen && adl->sdl_nlen < sizeof(rgi6->iface))
3979 {
3980 memcpy(rgi6->iface, adl->sdl_data, adl->sdl_nlen);
3981 rgi6->flags |= RGI_IFACE_DEFINED;
3982 }
3983 }
3984 }
3985
3986 done:
3987 if (sockfd >= 0)
3988 {
3989 close(sockfd);
3990 }
3991 }
3992
3993 #undef max
3994
3995 #elif defined(TARGET_HAIKU)
3996
3997 void
3998 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
3999 {
4000 CLEAR(*rgi);
4001
4002 int sockfd = socket(AF_INET, SOCK_DGRAM, 0);
4003 if (sockfd < 0)
4004 {
4005 msg(M_ERRNO, "%s: Error opening socket for AF_INET", __func__);
4006 return;
4007 }
4008
4009 struct ifconf config;
4010 config.ifc_len = sizeof(config.ifc_value);
4011 if (ioctl(sockfd, SIOCGRTSIZE, &config, sizeof(struct ifconf)) < 0)
4012 {
4013 msg(M_ERRNO, "%s: Error getting routing table size", __func__);
4014 return;
4015 }
4016
4017 uint32 size = (uint32)config.ifc_value;
4018 if (size == 0)
4019 {
4020 return;
4021 }
4022
4023 void *buffer = malloc(size);
4024 check_malloc_return(buffer);
4025
4026 config.ifc_len = size;
4027 config.ifc_buf = buffer;
4028 if (ioctl(sockfd, SIOCGRTTABLE, &config, sizeof(struct ifconf)) < 0)
4029 {
4030 free(buffer);
4031 return;
4032 }
4033
4034 struct ifreq *interface = (struct ifreq *)buffer;
4035 struct ifreq *end = (struct ifreq *)((uint8 *)buffer + size);
4036
4037 while (interface < end)
4038 {
4039 struct route_entry route = interface->ifr_route;
4040 if ((route.flags & RTF_GATEWAY) != 0 && (route.flags & RTF_DEFAULT) != 0)
4041 {
4042 rgi->gateway.addr = ntohl(((struct sockaddr_in *)route.gateway)->sin_addr.s_addr);
4043 rgi->flags = RGI_ADDR_DEFINED | RGI_IFACE_DEFINED;
4044 strncpy(rgi->iface, interface->ifr_name, sizeof(rgi->iface));
4045 }
4046
4047 int32 address_size = 0;
4048 if (route.destination != NULL)
4049 {
4050 address_size += route.destination->sa_len;
4051 }
4052 if (route.mask != NULL)
4053 {
4054 address_size += route.mask->sa_len;
4055 }
4056 if (route.gateway != NULL)
4057 {
4058 address_size += route.gateway->sa_len;
4059 }
4060
4061 interface = (struct ifreq *)((addr_t)interface + IF_NAMESIZE
4062 + sizeof(struct route_entry) + address_size);
4063 }
4064 free(buffer);
4065 }
4066
4067 void
4068 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
4069 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
4070 {
4071 /* TODO: Same for ipv6 with AF_INET6 */
4072 CLEAR(*rgi6);
4073 }
4074
4075 #else /* if defined(_WIN32) */
4076
4077 /*
4078 * This is a platform-specific method that returns data about
4079 * the current default gateway. Return data is placed into
4080 * a struct route_gateway_info object provided by caller. The
4081 * implementation should CLEAR the structure before adding
4082 * data to it.
4083 *
4084 * Data returned includes:
4085 * 1. default gateway address (rgi->gateway.addr)
4086 * 2. netmask of interface that owns default gateway
4087 * (rgi->gateway.netmask)
4088 * 3. hardware address (i.e. MAC address) of interface that owns
4089 * default gateway (rgi->hwaddr)
4090 * 4. interface name (or adapter index on Windows) that owns default
4091 * gateway (rgi->iface or rgi->adapter_index)
4092 * 5. an array of additional address/netmask pairs defined by
4093 * interface that owns default gateway (rgi->addrs with length
4094 * given in rgi->n_addrs)
4095 *
4096 * The flags RGI_x_DEFINED may be used to indicate which of the data
4097 * members were successfully returned (set in rgi->flags). All of
4098 * the data members are optional, however certain OpenVPN functionality
4099 * may be disabled by missing items.
4100 */
4101 void
4102 get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
4103 {
4104 CLEAR(*rgi);
4105 }
4106 void
4107 get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6,
4108 const struct in6_addr *dest, openvpn_net_ctx_t *ctx)
4109 {
4110 msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system");
4111 CLEAR(*rgi6);
4112 }
4113
4114 #endif /* if defined(_WIN32) */
4115
4116 bool
4117 netmask_to_netbits(const in_addr_t network, const in_addr_t netmask, int *netbits)
4118 {
4119 int i;
4120 const int addrlen = sizeof(in_addr_t) * 8;
4121
4122 if ((network & netmask) == network)
4123 {
4124 for (i = 0; i <= addrlen; ++i)
4125 {
4126 in_addr_t mask = netbits_to_netmask(i);
4127 if (mask == netmask)
4128 {
4129 if (i == addrlen)
4130 {
4131 *netbits = -1;
4132 }
4133 else
4134 {
4135 *netbits = i;
4136 }
4137 return true;
4138 }
4139 }
4140 }
4141 return false;
4142 }
4143
4144 /* similar to netmask_to_netbits(), but don't mess with base address
4145 * etc., just convert to netbits - non-mappable masks are returned as "-1"
4146 */
4147 int
4148 netmask_to_netbits2(in_addr_t netmask)
4149 {
4150 int i;
4151 const int addrlen = sizeof(in_addr_t) * 8;
4152
4153 for (i = 0; i <= addrlen; ++i)
4154 {
4155 in_addr_t mask = netbits_to_netmask(i);
4156 if (mask == netmask)
4157 {
4158 return i;
4159 }
4160 }
4161 return -1;
4162 }
4163
4164
4165 /*
4166 * get_bypass_addresses() is used by the redirect-gateway bypass-x
4167 * functions to build a route bypass to selected DHCP/DNS servers,
4168 * so that outgoing packets to these servers don't end up in the tunnel.
4169 */
4170
4171 #if defined(_WIN32)
4172
4173 static void
4174 add_host_route_if_nonlocal(struct route_bypass *rb, const in_addr_t addr)
4175 {
4176 if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
4177 {
4178 add_bypass_address(rb, addr);
4179 }
4180 }
4181
4182 static void
4183 add_host_route_array(struct route_bypass *rb, const IP_ADDR_STRING *iplist)
4184 {
4185 while (iplist)
4186 {
4187 bool succeed = false;
4188 const in_addr_t ip = getaddr(GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
4189 if (succeed)
4190 {
4191 add_host_route_if_nonlocal(rb, ip);
4192 }
4193 iplist = iplist->Next;
4194 }
4195 }
4196
4197 static void
4198 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags)
4199 {
4200 struct gc_arena gc = gc_new();
4201 /*bool ret_bool = false;*/
4202
4203 /* get full routing table */
4204 const MIB_IPFORWARDTABLE *routes = get_windows_routing_table(&gc);
4205
4206 /* get the route which represents the default gateway */
4207 const MIB_IPFORWARDROW *row = get_default_gateway_row(routes);
4208
4209 if (row)
4210 {
4211 /* get the adapter which the default gateway is associated with */
4212 const IP_ADAPTER_INFO *dgi = get_adapter_info(row->dwForwardIfIndex, &gc);
4213
4214 /* get extra adapter info, such as DNS addresses */
4215 const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info(row->dwForwardIfIndex, &gc);
4216
4217 /* Bypass DHCP server address */
4218 if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
4219 {
4220 add_host_route_array(rb, &dgi->DhcpServer);
4221 }
4222
4223 /* Bypass DNS server addresses */
4224 if ((flags & RG_BYPASS_DNS) && pai)
4225 {
4226 add_host_route_array(rb, &pai->DnsServerList);
4227 }
4228 }
4229
4230 gc_free(&gc);
4231 }
4232
4233 #else /* if defined(_WIN32) */
4234
4235 static void
4236 get_bypass_addresses(struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
4237 {
4238 }
4239
4240 #endif /* if defined(_WIN32) */
4241
4242 /*
4243 * Test if addr is reachable via a local interface (return ILA_LOCAL),
4244 * or if it needs to be routed via the default gateway (return
4245 * ILA_NONLOCAL). If the target platform doesn't implement this
4246 * function, return ILA_NOT_IMPLEMENTED.
4247 *
4248 * Used by redirect-gateway autolocal feature
4249 */
4250
4251 #if defined(_WIN32)
4252
4253 int
4254 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi)
4255 {
4256 struct gc_arena gc = gc_new();
4257 const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
4258 int ret = TLA_NONLOCAL;
4259
4260 /* get full routing table */
4261 const MIB_IPFORWARDTABLE *rt = get_windows_routing_table(&gc);
4262 if (rt)
4263 {
4264 for (DWORD i = 0; i < rt->dwNumEntries; ++i)
4265 {
4266 const MIB_IPFORWARDROW *row = &rt->table[i];
4267 const in_addr_t net = ntohl(row->dwForwardDest);
4268 const in_addr_t mask = ntohl(row->dwForwardMask);
4269 if (mask > nonlocal_netmask && (addr & mask) == net)
4270 {
4271 ret = TLA_LOCAL;
4272 break;
4273 }
4274 }
4275 }
4276
4277 gc_free(&gc);
4278 return ret;
4279 }
4280
4281 #else /* if defined(_WIN32) */
4282
4283 int
4284 test_local_addr(const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
4285 {
4286 if (rgi)
4287 {
4288 if (local_route(addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
4289 {
4290 return TLA_LOCAL;
4291 }
4292 else
4293 {
4294 return TLA_NONLOCAL;
4295 }
4296 }
4297 return TLA_NOT_IMPLEMENTED;
4298 }
4299
4300 #endif /* if defined(_WIN32) */
Mirror of https://github.com/OpenVPN/openvpn.git