search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add OpenVPN 2.1rc12 source (unconfigured)
[tomato.git] / release / src / router / openvpn / multi.c
blob78cb5f32a6f879e3d6042f8a88b6061f14db9d9a
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2008 Telethra, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include "syshead.h"
26
27 #if P2MP_SERVER
28
29 #include "multi.h"
30 #include "push.h"
31 #include "misc.h"
32 #include "otime.h"
33 #include "gremlin.h"
34
35 #include "memdbg.h"
36
37 #include "forward-inline.h"
38 #include "pf-inline.h"
39
40 /*#define MULTI_DEBUG_EVENT_LOOP*/
41
42 #ifdef MULTI_DEBUG_EVENT_LOOP
43 static const char *
44 id (struct multi_instance *mi)
45 {
46 if (mi)
47 return tls_common_name (mi->context.c2.tls_multi, false);
48 else
49 return "NULL";
50 }
51 #endif
52
53 #ifdef MANAGEMENT_DEF_AUTH
54 static void
55 set_cc_config (struct multi_instance *mi, struct buffer_list *cc_config)
56 {
57 if (mi->cc_config)
58 buffer_list_free (mi->cc_config);
59 mi->cc_config = cc_config;
60 }
61 #endif
62
63 static bool
64 learn_address_script (const struct multi_context *m,
65 const struct multi_instance *mi,
66 const char *op,
67 const struct mroute_addr *addr)
68 {
69 struct gc_arena gc = gc_new ();
70 struct env_set *es;
71 bool ret = true;
72 struct plugin_list *plugins;
73
74 /* get environmental variable source */
75 if (mi && mi->context.c2.es)
76 es = mi->context.c2.es;
77 else
78 es = env_set_create (&gc);
79
80 /* get plugin source */
81 if (mi)
82 plugins = mi->context.plugins;
83 else
84 plugins = m->top.plugins;
85
86 if (plugin_defined (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
87 {
88 struct argv argv = argv_new ();
89 argv_printf (&argv, "%s %s",
90 op,
91 mroute_addr_print (addr, &gc));
92 if (mi)
93 argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
94 if (plugin_call (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
95 {
96 msg (M_WARN, "WARNING: learn-address plugin call failed");
97 ret = false;
98 }
99 argv_reset (&argv);
100 }
101
102 if (m->top.options.learn_address_script)
103 {
104 struct argv argv = argv_new ();
105 setenv_str (es, "script_type", "learn-address");
106 argv_printf (&argv, "%sc %s %s",
107 m->top.options.learn_address_script,
108 op,
109 mroute_addr_print (addr, &gc));
110 if (mi)
111 argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
112 if (!openvpn_execve_check (&argv, es, S_SCRIPT, "WARNING: learn-address command failed"))
113 ret = false;
114 argv_reset (&argv);
115 }
116
117 gc_free (&gc);
118 return ret;
119 }
120
121 void
122 multi_ifconfig_pool_persist (struct multi_context *m, bool force)
123 {
124 /* write pool data to file */
125 if (m->ifconfig_pool
126 && m->top.c1.ifconfig_pool_persist
127 && (force || ifconfig_pool_write_trigger (m->top.c1.ifconfig_pool_persist)))
128 {
129 ifconfig_pool_write (m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
130 }
131 }
132
133 static void
134 multi_reap_range (const struct multi_context *m,
135 int start_bucket,
136 int end_bucket)
137 {
138 struct gc_arena gc = gc_new ();
139 struct hash_iterator hi;
140 struct hash_element *he;
141
142 if (start_bucket < 0)
143 {
144 start_bucket = 0;
145 end_bucket = hash_n_buckets (m->vhash);
146 }
147
148 dmsg (D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
149 hash_iterator_init_range (m->vhash, &hi, true, start_bucket, end_bucket);
150 while ((he = hash_iterator_next (&hi)) != NULL)
151 {
152 struct multi_route *r = (struct multi_route *) he->value;
153 if (!multi_route_defined (m, r))
154 {
155 dmsg (D_MULTI_DEBUG, "MULTI: REAP DEL %s",
156 mroute_addr_print (&r->addr, &gc));
157 learn_address_script (m, NULL, "delete", &r->addr);
158 multi_route_del (r);
159 hash_iterator_delete_element (&hi);
160 }
161 }
162 hash_iterator_free (&hi);
163 gc_free (&gc);
164 }
165
166 static void
167 multi_reap_all (const struct multi_context *m)
168 {
169 multi_reap_range (m, -1, 0);
170 }
171
172 static struct multi_reap *
173 multi_reap_new (int buckets_per_pass)
174 {
175 struct multi_reap *mr;
176 ALLOC_OBJ (mr, struct multi_reap);
177 mr->bucket_base = 0;
178 mr->buckets_per_pass = buckets_per_pass;
179 mr->last_call = now;
180 return mr;
181 }
182
183 void
184 multi_reap_process_dowork (const struct multi_context *m)
185 {
186 struct multi_reap *mr = m->reaper;
187 if (mr->bucket_base >= hash_n_buckets (m->vhash))
188 mr->bucket_base = 0;
189 multi_reap_range (m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
190 mr->bucket_base += mr->buckets_per_pass;
191 mr->last_call = now;
192 }
193
194 static void
195 multi_reap_free (struct multi_reap *mr)
196 {
197 free (mr);
198 }
199
200 /*
201 * How many buckets in vhash to reap per pass.
202 */
203 static int
204 reap_buckets_per_pass (int n_buckets)
205 {
206 return constrain_int (n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
207 }
208
209 #ifdef MANAGEMENT_DEF_AUTH
210
211 static uint32_t
212 cid_hash_function (const void *key, uint32_t iv)
213 {
214 const unsigned long *k = (const unsigned long *)key;
215 return (uint32_t) *k;
216 }
217
218 static bool
219 cid_compare_function (const void *key1, const void *key2)
220 {
221 const unsigned long *k1 = (const unsigned long *)key1;
222 const unsigned long *k2 = (const unsigned long *)key2;
223 return *k1 == *k2;
224 }
225
226 #endif
227
228 /*
229 * Main initialization function, init multi_context object.
230 */
231 void
232 multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
233 {
234 int dev = DEV_TYPE_UNDEF;
235
236 msg (D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
237 t->options.real_hash_size,
238 t->options.virtual_hash_size);
239
240 /*
241 * Get tun/tap/null device type
242 */
243 dev = dev_type_enum (t->options.dev, t->options.dev_type);
244
245 /*
246 * Init our multi_context object.
247 */
248 CLEAR (*m);
249
250 m->thread_mode = thread_mode;
251
252 /*
253 * Real address hash table (source port number is
254 * considered to be part of the address). Used
255 * to determine which client sent an incoming packet
256 * which is seen on the TCP/UDP socket.
257 */
258 m->hash = hash_init (t->options.real_hash_size,
259 get_random (),
260 mroute_addr_hash_function,
261 mroute_addr_compare_function);
262
263 /*
264 * Virtual address hash table. Used to determine
265 * which client to route a packet to.
266 */
267 m->vhash = hash_init (t->options.virtual_hash_size,
268 get_random (),
269 mroute_addr_hash_function,
270 mroute_addr_compare_function);
271
272 /*
273 * This hash table is a clone of m->hash but with a
274 * bucket size of one so that it can be used
275 * for fast iteration through the list.
276 */
277 m->iter = hash_init (1,
278 get_random (),
279 mroute_addr_hash_function,
280 mroute_addr_compare_function);
281
282 #ifdef MANAGEMENT_DEF_AUTH
283 m->cid_hash = hash_init (t->options.real_hash_size,
284 0,
285 cid_hash_function,
286 cid_compare_function);
287 #endif
288
289 /*
290 * This is our scheduler, for time-based wakeup
291 * events.
292 */
293 m->schedule = schedule_init ();
294
295 /*
296 * Limit frequency of incoming connections to control
297 * DoS.
298 */
299 m->new_connection_limiter = frequency_limit_init (t->options.cf_max,
300 t->options.cf_per);
301
302 /*
303 * Allocate broadcast/multicast buffer list
304 */
305 m->mbuf = mbuf_init (t->options.n_bcast_buf);
306
307 /*
308 * Different status file format options are available
309 */
310 m->status_file_version = t->options.status_file_version;
311
312 /*
313 * Possibly allocate an ifconfig pool, do it
314 * differently based on whether a tun or tap style
315 * tunnel.
316 */
317 if (t->options.ifconfig_pool_defined)
318 {
319 if (dev == DEV_TYPE_TAP)
320 {
321 m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_INDIV,
322 t->options.ifconfig_pool_start,
323 t->options.ifconfig_pool_end,
324 t->options.duplicate_cn);
325 }
326 else if (dev == DEV_TYPE_TUN)
327 {
328 m->ifconfig_pool = ifconfig_pool_init (
329 (t->options.topology == TOP_NET30) ? IFCONFIG_POOL_30NET : IFCONFIG_POOL_INDIV,
330 t->options.ifconfig_pool_start,
331 t->options.ifconfig_pool_end,
332 t->options.duplicate_cn);
333 }
334 else
335 {
336 ASSERT (0);
337 }
338
339 /* reload pool data from file */
340 if (t->c1.ifconfig_pool_persist)
341 ifconfig_pool_read (t->c1.ifconfig_pool_persist, m->ifconfig_pool);
342 }
343
344 /*
345 * Help us keep track of routing table.
346 */
347 m->route_helper = mroute_helper_init (MULTI_CACHE_ROUTE_TTL);
348
349 /*
350 * Initialize route and instance reaper.
351 */
352 m->reaper = multi_reap_new (reap_buckets_per_pass (t->options.virtual_hash_size));
353
354 /*
355 * Get local ifconfig address
356 */
357 CLEAR (m->local);
358 ASSERT (t->c1.tuntap);
359 mroute_extract_in_addr_t (&m->local, t->c1.tuntap->local);
360
361 /*
362 * Per-client limits
363 */
364 m->max_clients = t->options.max_clients;
365
366 /*
367 * Initialize multi-socket TCP I/O wait object
368 */
369 if (tcp_mode)
370 m->mtcp = multi_tcp_init (t->options.max_clients, &m->max_clients);
371 m->tcp_queue_limit = t->options.tcp_queue_limit;
372
373 /*
374 * Allow client <-> client communication, without going through
375 * tun/tap interface and network stack?
376 */
377 m->enable_c2c = t->options.enable_c2c;
378 }
379
380 const char *
381 multi_instance_string (const struct multi_instance *mi, bool null, struct gc_arena *gc)
382 {
383 if (mi)
384 {
385 struct buffer out = alloc_buf_gc (256, gc);
386 const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
387
388 if (cn)
389 buf_printf (&out, "%s/", cn);
390 buf_printf (&out, "%s", mroute_addr_print (&mi->real, gc));
391 return BSTR (&out);
392 }
393 else if (null)
394 return NULL;
395 else
396 return "UNDEF";
397 }
398
399 void
400 generate_prefix (struct multi_instance *mi)
401 {
402 mi->msg_prefix = multi_instance_string (mi, true, &mi->gc);
403 set_prefix (mi);
404 }
405
406 void
407 ungenerate_prefix (struct multi_instance *mi)
408 {
409 mi->msg_prefix = NULL;
410 set_prefix (mi);
411 }
412
413 static const char *
414 mi_prefix (const struct multi_instance *mi)
415 {
416 if (mi && mi->msg_prefix)
417 return mi->msg_prefix;
418 else
419 return "UNDEF_I";
420 }
421
422 /*
423 * Tell the route helper about deleted iroutes so
424 * that it can update its mask of currently used
425 * CIDR netlengths.
426 */
427 static void
428 multi_del_iroutes (struct multi_context *m,
429 struct multi_instance *mi)
430 {
431 const struct iroute *ir;
432 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
433 {
434 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
435 mroute_helper_del_iroute (m->route_helper, ir);
436 }
437 }
438
439 static void
440 multi_client_disconnect_setenv (struct multi_context *m,
441 struct multi_instance *mi)
442 {
443 /* setenv client real IP address */
444 setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
445
446 /* setenv stats */
447 setenv_counter (mi->context.c2.es, "bytes_received", mi->context.c2.link_read_bytes);
448 setenv_counter (mi->context.c2.es, "bytes_sent", mi->context.c2.link_write_bytes);
449
450 /* setenv connection duration */
451 {
452 const unsigned int duration = (unsigned int) now - mi->created;
453 setenv_unsigned (mi->context.c2.es, "time_duration", duration);
454 }
455 }
456
457 static void
458 multi_client_disconnect_script (struct multi_context *m,
459 struct multi_instance *mi)
460 {
461 if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag)
462 || mi->context.c2.context_auth == CAS_PARTIAL)
463 {
464 multi_client_disconnect_setenv (m, mi);
465
466 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
467 {
468 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
469 msg (M_WARN, "WARNING: client-disconnect plugin call failed");
470 }
471
472 if (mi->context.options.client_disconnect_script)
473 {
474 struct argv argv = argv_new ();
475 setenv_str (mi->context.c2.es, "script_type", "client-disconnect");
476 argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);
477 openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-disconnect command failed");
478 argv_reset (&argv);
479 }
480 #ifdef MANAGEMENT_DEF_AUTH
481 if (management)
482 management_notify_client_close (management, &mi->context.c2.mda_context, mi->context.c2.es);
483 #endif
484
485 }
486 }
487
488 void
489 multi_close_instance (struct multi_context *m,
490 struct multi_instance *mi,
491 bool shutdown)
492 {
493 perf_push (PERF_MULTI_CLOSE_INSTANCE);
494
495 ASSERT (!mi->halt);
496 mi->halt = true;
497
498 dmsg (D_MULTI_DEBUG, "MULTI: multi_close_instance called");
499
500 /* prevent dangling pointers */
501 if (m->pending == mi)
502 multi_set_pending (m, NULL);
503 if (m->earliest_wakeup == mi)
504 m->earliest_wakeup = NULL;
505
506 if (!shutdown)
507 {
508 if (mi->did_real_hash)
509 {
510 ASSERT (hash_remove (m->hash, &mi->real));
511 }
512 if (mi->did_iter)
513 {
514 ASSERT (hash_remove (m->iter, &mi->real));
515 }
516 #ifdef MANAGEMENT_DEF_AUTH
517 if (mi->did_cid_hash)
518 {
519 ASSERT (hash_remove (m->cid_hash, &mi->context.c2.mda_context.cid));
520 }
521 #endif
522
523 schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
524
525 ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false);
526
527 if (mi->did_iroutes)
528 {
529 multi_del_iroutes (m, mi);
530 mi->did_iroutes = false;
531 }
532
533 if (m->mtcp)
534 multi_tcp_dereference_instance (m->mtcp, mi);
535
536 mbuf_dereference_instance (m->mbuf, mi);
537 }
538
539 #ifdef MANAGEMENT_DEF_AUTH
540 set_cc_config (mi, NULL);
541 #endif
542
543 multi_client_disconnect_script (m, mi);
544
545 if (mi->did_open_context)
546 close_context (&mi->context, SIGTERM, CC_GC_FREE);
547
548 multi_tcp_instance_specific_free (mi);
549
550 ungenerate_prefix (mi);
551
552 /*
553 * Don't actually delete the instance memory allocation yet,
554 * because virtual routes may still point to it. Let the
555 * vhash reaper deal with it.
556 */
557 multi_instance_dec_refcount (mi);
558
559 perf_pop ();
560 }
561
562 /*
563 * Called on shutdown or restart.
564 */
565 void
566 multi_uninit (struct multi_context *m)
567 {
568 if (m->thread_mode & MC_WORK_THREAD)
569 {
570 multi_top_free (m);
571 m->thread_mode = MC_UNDEF;
572 }
573 else if (m->thread_mode)
574 {
575 if (m->hash)
576 {
577 struct hash_iterator hi;
578 struct hash_element *he;
579
580 hash_iterator_init (m->iter, &hi, true);
581 while ((he = hash_iterator_next (&hi)))
582 {
583 struct multi_instance *mi = (struct multi_instance *) he->value;
584 mi->did_iter = false;
585 multi_close_instance (m, mi, true);
586 }
587 hash_iterator_free (&hi);
588
589 multi_reap_all (m);
590
591 hash_free (m->hash);
592 hash_free (m->vhash);
593 hash_free (m->iter);
594 #ifdef MANAGEMENT_DEF_AUTH
595 hash_free (m->cid_hash);
596 #endif
597 m->hash = NULL;
598
599 schedule_free (m->schedule);
600 mbuf_free (m->mbuf);
601 ifconfig_pool_free (m->ifconfig_pool);
602 frequency_limit_free (m->new_connection_limiter);
603 multi_reap_free (m->reaper);
604 mroute_helper_free (m->route_helper);
605 multi_tcp_free (m->mtcp);
606 m->thread_mode = MC_UNDEF;
607 }
608 }
609 }
610
611 /*
612 * Create a client instance object for a newly connected client.
613 */
614 struct multi_instance *
615 multi_create_instance (struct multi_context *m, const struct mroute_addr *real)
616 {
617 struct gc_arena gc = gc_new ();
618 struct multi_instance *mi;
619
620 perf_push (PERF_MULTI_CREATE_INSTANCE);
621
622 msg (D_MULTI_LOW, "MULTI: multi_create_instance called");
623
624 ALLOC_OBJ_CLEAR (mi, struct multi_instance);
625
626 mutex_init (&mi->mutex);
627 mi->gc = gc_new ();
628 multi_instance_inc_refcount (mi);
629 mi->vaddr_handle = -1;
630 mi->created = now;
631 mroute_addr_init (&mi->real);
632
633 if (real)
634 {
635 mi->real = *real;
636 generate_prefix (mi);
637 }
638
639 mi->did_open_context = true;
640 inherit_context_child (&mi->context, &m->top);
641 if (IS_SIG (&mi->context))
642 goto err;
643
644 mi->context.c2.context_auth = CAS_PENDING;
645
646 if (hash_n_elements (m->hash) >= m->max_clients)
647 {
648 msg (D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
649 goto err;
650 }
651
652 if (!real) /* TCP mode? */
653 {
654 if (!multi_tcp_instance_specific_init (m, mi))
655 goto err;
656 generate_prefix (mi);
657 }
658
659 if (!hash_add (m->iter, &mi->real, mi, false))
660 {
661 msg (D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
662 mroute_addr_print (&mi->real, &gc));
663 goto err;
664 }
665 mi->did_iter = true;
666
667 #ifdef MANAGEMENT_DEF_AUTH
668 do {
669 mi->context.c2.mda_context.cid = m->cid_counter++;
670 } while (!hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
671 mi->did_cid_hash = true;
672 #endif
673
674 mi->context.c2.push_reply_deferred = true;
675
676 if (!multi_process_post (m, mi, MPP_PRE_SELECT))
677 {
678 msg (D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
679 goto err;
680 }
681
682 perf_pop ();
683 gc_free (&gc);
684 return mi;
685
686 err:
687 multi_close_instance (m, mi, false);
688 perf_pop ();
689 gc_free (&gc);
690 return NULL;
691 }
692
693 /*
694 * Dump tables -- triggered by SIGUSR2.
695 * If status file is defined, write to file.
696 * If status file is NULL, write to syslog.
697 */
698 void
699 multi_print_status (struct multi_context *m, struct status_output *so, const int version)
700 {
701 if (m->hash)
702 {
703 struct gc_arena gc_top = gc_new ();
704 struct hash_iterator hi;
705 const struct hash_element *he;
706
707 status_reset (so);
708
709 if (version == 1) /* WAS: m->status_file_version */
710 {
711 /*
712 * Status file version 1
713 */
714 status_printf (so, PACKAGE_NAME " CLIENT LIST");
715 status_printf (so, "Updated,%s", time_string (0, 0, false, &gc_top));
716 status_printf (so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
717 hash_iterator_init (m->hash, &hi, true);
718 while ((he = hash_iterator_next (&hi)))
719 {
720 struct gc_arena gc = gc_new ();
721 const struct multi_instance *mi = (struct multi_instance *) he->value;
722
723 if (!mi->halt)
724 {
725 status_printf (so, "%s,%s," counter_format "," counter_format ",%s",
726 tls_common_name (mi->context.c2.tls_multi, false),
727 mroute_addr_print (&mi->real, &gc),
728 mi->context.c2.link_read_bytes,
729 mi->context.c2.link_write_bytes,
730 time_string (mi->created, 0, false, &gc));
731 }
732 gc_free (&gc);
733 }
734 hash_iterator_free (&hi);
735
736 status_printf (so, "ROUTING TABLE");
737 status_printf (so, "Virtual Address,Common Name,Real Address,Last Ref");
738 hash_iterator_init (m->vhash, &hi, true);
739 while ((he = hash_iterator_next (&hi)))
740 {
741 struct gc_arena gc = gc_new ();
742 const struct multi_route *route = (struct multi_route *) he->value;
743
744 if (multi_route_defined (m, route))
745 {
746 const struct multi_instance *mi = route->instance;
747 const struct mroute_addr *ma = &route->addr;
748 char flags[2] = {0, 0};
749
750 if (route->flags & MULTI_ROUTE_CACHE)
751 flags[0] = 'C';
752 status_printf (so, "%s%s,%s,%s,%s",
753 mroute_addr_print (ma, &gc),
754 flags,
755 tls_common_name (mi->context.c2.tls_multi, false),
756 mroute_addr_print (&mi->real, &gc),
757 time_string (route->last_reference, 0, false, &gc));
758 }
759 gc_free (&gc);
760 }
761 hash_iterator_free (&hi);
762
763 status_printf (so, "GLOBAL STATS");
764 if (m->mbuf)
765 status_printf (so, "Max bcast/mcast queue length,%d",
766 mbuf_maximum_queued (m->mbuf));
767
768 status_printf (so, "END");
769 }
770 else if (version == 2)
771 {
772 /*
773 * Status file version 2
774 */
775 status_printf (so, "TITLE,%s", title_string);
776 status_printf (so, "TIME,%s,%u", time_string (now, 0, false, &gc_top), (unsigned int)now);
777 status_printf (so, "HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t)");
778 hash_iterator_init (m->hash, &hi, true);
779 while ((he = hash_iterator_next (&hi)))
780 {
781 struct gc_arena gc = gc_new ();
782 const struct multi_instance *mi = (struct multi_instance *) he->value;
783
784 if (!mi->halt)
785 {
786 status_printf (so, "CLIENT_LIST,%s,%s,%s," counter_format "," counter_format ",%s,%u",
787 tls_common_name (mi->context.c2.tls_multi, false),
788 mroute_addr_print (&mi->real, &gc),
789 print_in_addr_t (mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
790 mi->context.c2.link_read_bytes,
791 mi->context.c2.link_write_bytes,
792 time_string (mi->created, 0, false, &gc),
793 (unsigned int)mi->created);
794 }
795 gc_free (&gc);
796 }
797 hash_iterator_free (&hi);
798
799 status_printf (so, "HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)");
800 hash_iterator_init (m->vhash, &hi, true);
801 while ((he = hash_iterator_next (&hi)))
802 {
803 struct gc_arena gc = gc_new ();
804 const struct multi_route *route = (struct multi_route *) he->value;
805
806 if (multi_route_defined (m, route))
807 {
808 const struct multi_instance *mi = route->instance;
809 const struct mroute_addr *ma = &route->addr;
810 char flags[2] = {0, 0};
811
812 if (route->flags & MULTI_ROUTE_CACHE)
813 flags[0] = 'C';
814 status_printf (so, "ROUTING_TABLE,%s%s,%s,%s,%s,%u",
815 mroute_addr_print (ma, &gc),
816 flags,
817 tls_common_name (mi->context.c2.tls_multi, false),
818 mroute_addr_print (&mi->real, &gc),
819 time_string (route->last_reference, 0, false, &gc),
820 (unsigned int)route->last_reference);
821 }
822 gc_free (&gc);
823 }
824 hash_iterator_free (&hi);
825
826 if (m->mbuf)
827 status_printf (so, "GLOBAL_STATS,Max bcast/mcast queue length,%d",
828 mbuf_maximum_queued (m->mbuf));
829
830 status_printf (so, "END");
831 }
832 else
833 {
834 status_printf (so, "ERROR: bad status format version number");
835 }
836
837 #ifdef PACKET_TRUNCATION_CHECK
838 {
839 status_printf (so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
840 hash_iterator_init (m->hash, &hi, true);
841 while ((he = hash_iterator_next (&hi)))
842 {
843 struct gc_arena gc = gc_new ();
844 const struct multi_instance *mi = (struct multi_instance *) he->value;
845
846 if (!mi->halt)
847 {
848 status_printf (so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
849 tls_common_name (mi->context.c2.tls_multi, false),
850 m->top.c2.n_trunc_tun_read,
851 mi->context.c2.n_trunc_tun_write,
852 mi->context.c2.n_trunc_pre_encrypt,
853 mi->context.c2.n_trunc_post_decrypt);
854 }
855 gc_free (&gc);
856 }
857 hash_iterator_free (&hi);
858 }
859 #endif
860
861 status_flush (so);
862 gc_free (&gc_top);
863 }
864 }
865
866 /*
867 * Learn a virtual address or route.
868 * The learn will fail if the learn address
869 * script/plugin fails. In this case the
870 * return value may be != mi.
871 * Return the instance which owns this route,
872 * or NULL if none.
873 */
874 static struct multi_instance *
875 multi_learn_addr (struct multi_context *m,
876 struct multi_instance *mi,
877 const struct mroute_addr *addr,
878 const unsigned int flags)
879 {
880 struct hash_element *he;
881 const uint32_t hv = hash_value (m->vhash, addr);
882 struct hash_bucket *bucket = hash_bucket (m->vhash, hv);
883 struct multi_route *oldroute = NULL;
884 struct multi_instance *owner = NULL;
885
886 hash_bucket_lock (bucket);
887
888 /* if route currently exists, get the instance which owns it */
889 he = hash_lookup_fast (m->vhash, bucket, addr, hv);
890 if (he)
891 oldroute = (struct multi_route *) he->value;
892 if (oldroute && multi_route_defined (m, oldroute))
893 owner = oldroute->instance;
894
895 /* do we need to add address to hash table? */
896 if ((!owner || owner != mi)
897 && mroute_learnable_address (addr)
898 && !mroute_addr_equal (addr, &m->local))
899 {
900 struct gc_arena gc = gc_new ();
901 struct multi_route *newroute;
902 bool learn_succeeded = false;
903
904 ALLOC_OBJ (newroute, struct multi_route);
905 newroute->addr = *addr;
906 newroute->instance = mi;
907 newroute->flags = flags;
908 newroute->last_reference = now;
909 newroute->cache_generation = 0;
910
911 /* The cache is invalidated when cache_generation is incremented */
912 if (flags & MULTI_ROUTE_CACHE)
913 newroute->cache_generation = m->route_helper->cache_generation;
914
915 if (oldroute) /* route already exists? */
916 {
917 if (route_quota_test (m, mi) && learn_address_script (m, mi, "update", &newroute->addr))
918 {
919 learn_succeeded = true;
920 owner = mi;
921 multi_instance_inc_refcount (mi);
922 route_quota_inc (mi);
923
924 /* delete old route */
925 multi_route_del (oldroute);
926
927 /* modify hash table entry, replacing old route */
928 he->key = &newroute->addr;
929 he->value = newroute;
930 }
931 }
932 else
933 {
934 if (route_quota_test (m, mi) && learn_address_script (m, mi, "add", &newroute->addr))
935 {
936 learn_succeeded = true;
937 owner = mi;
938 multi_instance_inc_refcount (mi);
939 route_quota_inc (mi);
940
941 /* add new route */
942 hash_add_fast (m->vhash, bucket, &newroute->addr, hv, newroute);
943 }
944 }
945
946 msg (D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
947 learn_succeeded ? "" : " FAILED",
948 mroute_addr_print (&newroute->addr, &gc),
949 multi_instance_string (mi, false, &gc));
950
951 if (!learn_succeeded)
952 free (newroute);
953
954 gc_free (&gc);
955 }
956
957 hash_bucket_unlock (bucket);
958 return owner;
959 }
960
961 /*
962 * Get client instance based on virtual address.
963 */
964 static struct multi_instance *
965 multi_get_instance_by_virtual_addr (struct multi_context *m,
966 const struct mroute_addr *addr,
967 bool cidr_routing)
968 {
969 struct multi_route *route;
970 struct multi_instance *ret = NULL;
971
972 /* check for local address */
973 if (mroute_addr_equal (addr, &m->local))
974 return NULL;
975
976 route = (struct multi_route *) hash_lookup (m->vhash, addr);
977
978 /* does host route (possible cached) exist? */
979 if (route && multi_route_defined (m, route))
980 {
981 struct multi_instance *mi = route->instance;
982 route->last_reference = now;
983 ret = mi;
984 }
985 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
986 {
987 struct mroute_helper *rh = m->route_helper;
988 struct mroute_addr tryaddr;
989 int i;
990
991 mroute_helper_lock (rh);
992
993 /* cycle through each CIDR length */
994 for (i = 0; i < rh->n_net_len; ++i)
995 {
996 tryaddr = *addr;
997 tryaddr.type |= MR_WITH_NETBITS;
998 tryaddr.netbits = rh->net_len[i];
999 mroute_addr_mask_host_bits (&tryaddr);
1000
1001 /* look up a possible route with netbits netmask */
1002 route = (struct multi_route *) hash_lookup (m->vhash, &tryaddr);
1003
1004 if (route && multi_route_defined (m, route))
1005 {
1006 /* found an applicable route, cache host route */
1007 struct multi_instance *mi = route->instance;
1008 multi_learn_addr (m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1009 ret = mi;
1010 break;
1011 }
1012 }
1013
1014 mroute_helper_unlock (rh);
1015 }
1016
1017 #ifdef ENABLE_DEBUG
1018 if (check_debug_level (D_MULTI_DEBUG))
1019 {
1020 struct gc_arena gc = gc_new ();
1021 const char *addr_text = mroute_addr_print (addr, &gc);
1022 if (ret)
1023 {
1024 dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1025 addr_text,
1026 multi_instance_string (ret, false, &gc),
1027 mroute_addr_print (&route->addr, &gc));
1028 }
1029 else
1030 {
1031 dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1032 addr_text);
1033 }
1034 gc_free (&gc);
1035 }
1036 #endif
1037
1038 ASSERT (!(ret && ret->halt));
1039 return ret;
1040 }
1041
1042 /*
1043 * Helper function to multi_learn_addr().
1044 */
1045 static struct multi_instance *
1046 multi_learn_in_addr_t (struct multi_context *m,
1047 struct multi_instance *mi,
1048 in_addr_t a,
1049 int netbits, /* -1 if host route, otherwise # of network bits in address */
1050 bool primary)
1051 {
1052 struct openvpn_sockaddr remote_si;
1053 struct mroute_addr addr;
1054
1055 CLEAR (remote_si);
1056 remote_si.sa.sin_family = AF_INET;
1057 remote_si.sa.sin_addr.s_addr = htonl (a);
1058 ASSERT (mroute_extract_openvpn_sockaddr (&addr, &remote_si, false));
1059
1060 if (netbits >= 0)
1061 {
1062 addr.type |= MR_WITH_NETBITS;
1063 addr.netbits = (uint8_t) netbits;
1064 }
1065
1066 {
1067 struct multi_instance *owner = multi_learn_addr (m, mi, &addr, 0);
1068 #ifdef MANAGEMENT_DEF_AUTH
1069 if (management && owner)
1070 management_learn_addr (management, &mi->context.c2.mda_context, &addr, primary);
1071 #endif
1072 return owner;
1073 }
1074 }
1075
1076 /*
1077 * A new client has connected, add routes (server -> client)
1078 * to internal routing table.
1079 */
1080 static void
1081 multi_add_iroutes (struct multi_context *m,
1082 struct multi_instance *mi)
1083 {
1084 struct gc_arena gc = gc_new ();
1085 const struct iroute *ir;
1086 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1087 {
1088 mi->did_iroutes = true;
1089 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1090 {
1091 if (ir->netbits >= 0)
1092 msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1093 print_in_addr_t (ir->network, 0, &gc),
1094 ir->netbits,
1095 multi_instance_string (mi, false, &gc));
1096 else
1097 msg (D_MULTI_LOW, "MULTI: internal route %s -> %s",
1098 print_in_addr_t (ir->network, 0, &gc),
1099 multi_instance_string (mi, false, &gc));
1100
1101 mroute_helper_add_iroute (m->route_helper, ir);
1102
1103 multi_learn_in_addr_t (m, mi, ir->network, ir->netbits, false);
1104 }
1105 }
1106 gc_free (&gc);
1107 }
1108
1109 /*
1110 * Given an instance (new_mi), delete all other instances which use the
1111 * same common name.
1112 */
1113 static void
1114 multi_delete_dup (struct multi_context *m, struct multi_instance *new_mi)
1115 {
1116 if (new_mi)
1117 {
1118 const char *new_cn = tls_common_name (new_mi->context.c2.tls_multi, true);
1119 if (new_cn)
1120 {
1121 struct hash_iterator hi;
1122 struct hash_element *he;
1123 int count = 0;
1124
1125 hash_iterator_init (m->iter, &hi, true);
1126 while ((he = hash_iterator_next (&hi)))
1127 {
1128 struct multi_instance *mi = (struct multi_instance *) he->value;
1129 if (mi != new_mi && !mi->halt)
1130 {
1131 const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
1132 if (cn && !strcmp (cn, new_cn))
1133 {
1134 mi->did_iter = false;
1135 multi_close_instance (m, mi, false);
1136 hash_iterator_delete_element (&hi);
1137 ++count;
1138 }
1139 }
1140 }
1141 hash_iterator_free (&hi);
1142
1143 if (count)
1144 msg (D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1145 }
1146 }
1147 }
1148
1149 /*
1150 * Ensure that endpoint to be pushed to client
1151 * complies with --ifconfig-push-constraint directive.
1152 */
1153 static bool
1154 ifconfig_push_constraint_satisfied (const struct context *c)
1155 {
1156 const struct options *o = &c->options;
1157 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1158 return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1159 else
1160 return true;
1161 }
1162
1163 /*
1164 * Select a virtual address for a new client instance.
1165 * Use an --ifconfig-push directive, if given (static IP).
1166 * Otherwise use an --ifconfig-pool address (dynamic IP).
1167 */
1168 static void
1169 multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi)
1170 {
1171 struct gc_arena gc = gc_new ();
1172
1173 /*
1174 * If ifconfig addresses were set by dynamic config file,
1175 * release pool addresses, otherwise keep them.
1176 */
1177 if (mi->context.options.push_ifconfig_defined)
1178 {
1179 /* ifconfig addresses were set statically,
1180 release dynamic allocation */
1181 if (mi->vaddr_handle >= 0)
1182 {
1183 ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, true);
1184 mi->vaddr_handle = -1;
1185 }
1186
1187 mi->context.c2.push_ifconfig_defined = true;
1188 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1189 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1190 }
1191 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1192 {
1193 in_addr_t local=0, remote=0;
1194 const char *cn = NULL;
1195
1196 if (!mi->context.options.duplicate_cn)
1197 cn = tls_common_name (mi->context.c2.tls_multi, true);
1198
1199 mi->vaddr_handle = ifconfig_pool_acquire (m->ifconfig_pool, &local, &remote, cn);
1200 if (mi->vaddr_handle >= 0)
1201 {
1202 const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1203 const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1204
1205 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1206 mi->context.c2.push_ifconfig_local = remote;
1207 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1208 {
1209 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1210 if (!mi->context.c2.push_ifconfig_remote_netmask)
1211 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1212 }
1213 else if (tunnel_type == DEV_TYPE_TUN)
1214 {
1215 if (tunnel_topology == TOP_P2P)
1216 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1217 else if (tunnel_topology == TOP_NET30)
1218 mi->context.c2.push_ifconfig_remote_netmask = local;
1219 }
1220
1221 if (mi->context.c2.push_ifconfig_remote_netmask)
1222 mi->context.c2.push_ifconfig_defined = true;
1223 else
1224 msg (D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1225 multi_instance_string (mi, false, &gc));
1226 }
1227 else
1228 {
1229 msg (D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1230 }
1231 }
1232 gc_free (&gc);
1233 }
1234
1235 /*
1236 * Set virtual address environmental variables.
1237 */
1238 static void
1239 multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi)
1240 {
1241 setenv_del (mi->context.c2.es, "ifconfig_pool_local_ip");
1242 setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip");
1243 setenv_del (mi->context.c2.es, "ifconfig_pool_netmask");
1244
1245 if (mi->context.c2.push_ifconfig_defined)
1246 {
1247 const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1248 const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1249
1250 setenv_in_addr_t (mi->context.c2.es,
1251 "ifconfig_pool_remote_ip",
1252 mi->context.c2.push_ifconfig_local,
1253 SA_SET_IF_NONZERO);
1254
1255 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1256 {
1257 setenv_in_addr_t (mi->context.c2.es,
1258 "ifconfig_pool_netmask",
1259 mi->context.c2.push_ifconfig_remote_netmask,
1260 SA_SET_IF_NONZERO);
1261 }
1262 else if (tunnel_type == DEV_TYPE_TUN)
1263 {
1264 setenv_in_addr_t (mi->context.c2.es,
1265 "ifconfig_pool_local_ip",
1266 mi->context.c2.push_ifconfig_remote_netmask,
1267 SA_SET_IF_NONZERO);
1268 }
1269 }
1270 }
1271
1272 /*
1273 * Called after client-connect script is called
1274 */
1275 static void
1276 multi_client_connect_post (struct multi_context *m,
1277 struct multi_instance *mi,
1278 const char *dc_file,
1279 unsigned int option_permissions_mask,
1280 unsigned int *option_types_found)
1281 {
1282 /* Did script generate a dynamic config file? */
1283 if (test_file (dc_file))
1284 {
1285 options_server_import (&mi->context.options,
1286 dc_file,
1287 D_IMPORT_ERRORS|M_OPTERR,
1288 option_permissions_mask,
1289 option_types_found,
1290 mi->context.c2.es);
1291
1292 if (!delete_file (dc_file))
1293 msg (D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1294 dc_file);
1295
1296 /*
1297 * If the --client-connect script generates a config file
1298 * with an --ifconfig-push directive, it will override any
1299 * --ifconfig-push directive from the --client-config-dir
1300 * directory or any --ifconfig-pool dynamic address.
1301 */
1302 multi_select_virtual_addr (m, mi);
1303 multi_set_virtual_addr_env (m, mi);
1304 }
1305 }
1306
1307 #ifdef ENABLE_PLUGIN
1308
1309 /*
1310 * Called after client-connect plug-in is called
1311 */
1312 static void
1313 multi_client_connect_post_plugin (struct multi_context *m,
1314 struct multi_instance *mi,
1315 const struct plugin_return *pr,
1316 unsigned int option_permissions_mask,
1317 unsigned int *option_types_found)
1318 {
1319 struct plugin_return config;
1320
1321 plugin_return_get_column (pr, &config, "config");
1322
1323 /* Did script generate a dynamic config file? */
1324 if (plugin_return_defined (&config))
1325 {
1326 int i;
1327 for (i = 0; i < config.n; ++i)
1328 {
1329 if (config.list[i] && config.list[i]->value)
1330 options_string_import (&mi->context.options,
1331 config.list[i]->value,
1332 D_IMPORT_ERRORS|M_OPTERR,
1333 option_permissions_mask,
1334 option_types_found,
1335 mi->context.c2.es);
1336 }
1337
1338 /*
1339 * If the --client-connect script generates a config file
1340 * with an --ifconfig-push directive, it will override any
1341 * --ifconfig-push directive from the --client-config-dir
1342 * directory or any --ifconfig-pool dynamic address.
1343 */
1344 multi_select_virtual_addr (m, mi);
1345 multi_set_virtual_addr_env (m, mi);
1346 }
1347 }
1348
1349 #endif
1350
1351 #ifdef MANAGEMENT_DEF_AUTH
1352
1353 /*
1354 * Called to load management-derived client-connect config
1355 */
1356 static void
1357 multi_client_connect_mda (struct multi_context *m,
1358 struct multi_instance *mi,
1359 const struct buffer_list *config,
1360 unsigned int option_permissions_mask,
1361 unsigned int *option_types_found)
1362 {
1363 if (config)
1364 {
1365 struct buffer_entry *be;
1366
1367 for (be = config->head; be != NULL; be = be->next)
1368 {
1369 const char *opt = BSTR(&be->buf);
1370 options_string_import (&mi->context.options,
1371 opt,
1372 D_IMPORT_ERRORS|M_OPTERR,
1373 option_permissions_mask,
1374 option_types_found,
1375 mi->context.c2.es);
1376 }
1377
1378 /*
1379 * If the --client-connect script generates a config file
1380 * with an --ifconfig-push directive, it will override any
1381 * --ifconfig-push directive from the --client-config-dir
1382 * directory or any --ifconfig-pool dynamic address.
1383 */
1384 multi_select_virtual_addr (m, mi);
1385 multi_set_virtual_addr_env (m, mi);
1386 }
1387 }
1388
1389 #endif
1390
1391 static void
1392 multi_client_connect_setenv (struct multi_context *m,
1393 struct multi_instance *mi)
1394 {
1395 struct gc_arena gc = gc_new ();
1396
1397 /* setenv incoming cert common name for script */
1398 setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi, true));
1399
1400 /* setenv client real IP address */
1401 setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
1402
1403 /* setenv client virtual IP address */
1404 multi_set_virtual_addr_env (m, mi);
1405
1406 /* setenv connection time */
1407 {
1408 const char *created_ascii = time_string (mi->created, 0, false, &gc);
1409 setenv_str (mi->context.c2.es, "time_ascii", created_ascii);
1410 setenv_unsigned (mi->context.c2.es, "time_unix", (unsigned int)mi->created);
1411 }
1412
1413 gc_free (&gc);
1414 }
1415
1416 /*
1417 * Called as soon as the SSL/TLS connection authenticates.
1418 *
1419 * Instance-specific directives to be processed:
1420 *
1421 * iroute start-ip end-ip
1422 * ifconfig-push local remote-netmask
1423 * push
1424 */
1425 static void
1426 multi_connection_established (struct multi_context *m, struct multi_instance *mi)
1427 {
1428 if (tls_authentication_status (mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED)
1429 {
1430 struct gc_arena gc = gc_new ();
1431 unsigned int option_types_found = 0;
1432
1433 const unsigned int option_permissions_mask =
1434 OPT_P_INSTANCE
1435 | OPT_P_INHERIT
1436 | OPT_P_PUSH
1437 | OPT_P_TIMER
1438 | OPT_P_CONFIG
1439 | OPT_P_ECHO
1440 | OPT_P_COMP
1441 | OPT_P_SOCKFLAGS;
1442
1443 int cc_succeeded = true; /* client connect script status */
1444 int cc_succeeded_count = 0;
1445
1446 ASSERT (mi->context.c1.tuntap);
1447
1448 /* lock down the common name so it can't change during future TLS renegotiations */
1449 tls_lock_common_name (mi->context.c2.tls_multi);
1450
1451 /* generate a msg() prefix for this client instance */
1452 generate_prefix (mi);
1453
1454 /* delete instances of previous clients with same common-name */
1455 if (!mi->context.options.duplicate_cn)
1456 multi_delete_dup (m, mi);
1457
1458 /* reset pool handle to null */
1459 mi->vaddr_handle = -1;
1460
1461 /*
1462 * Try to source a dynamic config file from the
1463 * --client-config-dir directory.
1464 */
1465 if (mi->context.options.client_config_dir)
1466 {
1467 const char *ccd_file;
1468
1469 ccd_file = gen_path (mi->context.options.client_config_dir,
1470 tls_common_name (mi->context.c2.tls_multi, false),
1471 &gc);
1472
1473 /* try common-name file */
1474 if (test_file (ccd_file))
1475 {
1476 options_server_import (&mi->context.options,
1477 ccd_file,
1478 D_IMPORT_ERRORS|M_OPTERR,
1479 option_permissions_mask,
1480 &option_types_found,
1481 mi->context.c2.es);
1482 }
1483 else /* try default file */
1484 {
1485 ccd_file = gen_path (mi->context.options.client_config_dir,
1486 CCD_DEFAULT,
1487 &gc);
1488
1489 if (test_file (ccd_file))
1490 {
1491 options_server_import (&mi->context.options,
1492 ccd_file,
1493 D_IMPORT_ERRORS|M_OPTERR,
1494 option_permissions_mask,
1495 &option_types_found,
1496 mi->context.c2.es);
1497 }
1498 }
1499 }
1500
1501 /*
1502 * Select a virtual address from either --ifconfig-push in --client-config-dir file
1503 * or --ifconfig-pool.
1504 */
1505 multi_select_virtual_addr (m, mi);
1506
1507 /* do --client-connect setenvs */
1508 multi_client_connect_setenv (m, mi);
1509
1510 #ifdef ENABLE_PLUGIN
1511 /*
1512 * Call client-connect plug-in.
1513 */
1514
1515 /* deprecated callback, use a file for passing back return info */
1516 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
1517 {
1518 struct argv argv = argv_new ();
1519 const char *dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1520 argv_printf (&argv, "%s", dc_file);
1521 delete_file (dc_file);
1522 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1523 {
1524 msg (M_WARN, "WARNING: client-connect plugin call failed");
1525 cc_succeeded = false;
1526 }
1527 else
1528 {
1529 multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1530 ++cc_succeeded_count;
1531 }
1532 argv_reset (&argv);
1533 }
1534
1535 /* V2 callback, use a plugin_return struct for passing back return info */
1536 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2))
1537 {
1538 struct plugin_return pr;
1539
1540 plugin_return_init (&pr);
1541
1542 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1543 {
1544 msg (M_WARN, "WARNING: client-connect-v2 plugin call failed");
1545 cc_succeeded = false;
1546 }
1547 else
1548 {
1549 multi_client_connect_post_plugin (m, mi, &pr, option_permissions_mask, &option_types_found);
1550 ++cc_succeeded_count;
1551 }
1552
1553 plugin_return_free (&pr);
1554 }
1555 #endif
1556
1557 /*
1558 * Run --client-connect script.
1559 */
1560 if (mi->context.options.client_connect_script && cc_succeeded)
1561 {
1562 struct argv argv = argv_new ();
1563 const char *dc_file = NULL;
1564
1565 setenv_str (mi->context.c2.es, "script_type", "client-connect");
1566
1567 dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1568
1569 delete_file (dc_file);
1570
1571 argv_printf (&argv, "%sc %s",
1572 mi->context.options.client_connect_script,
1573 dc_file);
1574
1575 if (openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-connect command failed"))
1576 {
1577 multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1578 ++cc_succeeded_count;
1579 }
1580 else
1581 cc_succeeded = false;
1582
1583 argv_reset (&argv);
1584 }
1585
1586 /*
1587 * Check for client-connect script left by management interface client
1588 */
1589 #ifdef MANAGEMENT_DEF_AUTH
1590 if (cc_succeeded && mi->cc_config)
1591 {
1592 multi_client_connect_mda (m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1593 ++cc_succeeded_count;
1594 }
1595 #endif
1596
1597 /*
1598 * Check for "disable" directive in client-config-dir file
1599 * or config file generated by --client-connect script.
1600 */
1601 if (mi->context.options.disable)
1602 {
1603 msg (D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1604 cc_succeeded = false;
1605 }
1606
1607 if (cc_succeeded)
1608 {
1609 /*
1610 * Process sourced options.
1611 */
1612 do_deferred_options (&mi->context, option_types_found);
1613
1614 /*
1615 * make sure we got ifconfig settings from somewhere
1616 */
1617 if (!mi->context.c2.push_ifconfig_defined)
1618 {
1619 msg (D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
1620 multi_instance_string (mi, false, &gc));
1621 }
1622
1623 /*
1624 * make sure that ifconfig settings comply with constraints
1625 */
1626 if (!ifconfig_push_constraint_satisfied (&mi->context))
1627 {
1628 /* JYFIXME -- this should cause the connection to fail */
1629 msg (D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
1630 multi_instance_string (mi, false, &gc),
1631 print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc),
1632 print_in_addr_t (mi->context.options.push_ifconfig_constraint_network, 0, &gc),
1633 print_in_addr_t (mi->context.options.push_ifconfig_constraint_netmask, 0, &gc));
1634 }
1635
1636 /*
1637 * For routed tunnels, set up internal route to endpoint
1638 * plus add all iroute routes.
1639 */
1640 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1641 {
1642 if (mi->context.c2.push_ifconfig_defined)
1643 {
1644 multi_learn_in_addr_t (m, mi, mi->context.c2.push_ifconfig_local, -1, true);
1645 msg (D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
1646 multi_instance_string (mi, false, &gc),
1647 print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc));
1648 }
1649
1650 /* add routes locally, pointing to new client, if
1651 --iroute options have been specified */
1652 multi_add_iroutes (m, mi);
1653
1654 /*
1655 * iroutes represent subnets which are "owned" by a particular
1656 * client. Therefore, do not actually push a route to a client
1657 * if it matches one of the client's iroutes.
1658 */
1659 remove_iroutes_from_push_route_list (&mi->context.options);
1660 }
1661 else if (mi->context.options.iroutes)
1662 {
1663 msg (D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
1664 multi_instance_string (mi, false, &gc));
1665 }
1666
1667 /* set our client's VPN endpoint for status reporting purposes */
1668 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
1669
1670 /* set context-level authentication flag */
1671 mi->context.c2.context_auth = CAS_SUCCEEDED;
1672 }
1673 else
1674 {
1675 /* set context-level authentication flag */
1676 mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
1677 }
1678
1679 /* set flag so we don't get called again */
1680 mi->connection_established_flag = true;
1681
1682 #ifdef MANAGEMENT_DEF_AUTH
1683 if (management)
1684 management_connection_established (management, &mi->context.c2.mda_context);
1685 #endif
1686
1687 gc_free (&gc);
1688 }
1689
1690 /*
1691 * Reply now to client's PUSH_REQUEST query
1692 */
1693 mi->context.c2.push_reply_deferred = false;
1694 }
1695
1696 /*
1697 * Add a mbuf buffer to a particular
1698 * instance.
1699 */
1700 void
1701 multi_add_mbuf (struct multi_context *m,
1702 struct multi_instance *mi,
1703 struct mbuf_buffer *mb)
1704 {
1705 if (multi_output_queue_ready (m, mi))
1706 {
1707 struct mbuf_item item;
1708 item.buffer = mb;
1709 item.instance = mi;
1710 mbuf_add_item (m->mbuf, &item);
1711 }
1712 else
1713 {
1714 msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
1715 }
1716 }
1717
1718 /*
1719 * Add a packet to a client instance output queue.
1720 */
1721 static inline void
1722 multi_unicast (struct multi_context *m,
1723 const struct buffer *buf,
1724 struct multi_instance *mi)
1725 {
1726 struct mbuf_buffer *mb;
1727
1728 if (BLEN (buf) > 0)
1729 {
1730 mb = mbuf_alloc_buf (buf);
1731 mb->flags = MF_UNICAST;
1732 multi_add_mbuf (m, mi, mb);
1733 mbuf_free_buf (mb);
1734 }
1735 }
1736
1737 /*
1738 * Broadcast a packet to all clients.
1739 */
1740 static void
1741 multi_bcast (struct multi_context *m,
1742 const struct buffer *buf,
1743 const struct multi_instance *sender_instance,
1744 const struct mroute_addr *sender_addr)
1745 {
1746 struct hash_iterator hi;
1747 struct hash_element *he;
1748 struct multi_instance *mi;
1749 struct mbuf_buffer *mb;
1750
1751 if (BLEN (buf) > 0)
1752 {
1753 perf_push (PERF_MULTI_BCAST);
1754 #ifdef MULTI_DEBUG_EVENT_LOOP
1755 printf ("BCAST len=%d\n", BLEN (buf));
1756 #endif
1757 mb = mbuf_alloc_buf (buf);
1758 hash_iterator_init (m->iter, &hi, true);
1759
1760 while ((he = hash_iterator_next (&hi)))
1761 {
1762 mi = (struct multi_instance *) he->value;
1763 if (mi != sender_instance && !mi->halt)
1764 {
1765 #ifdef ENABLE_PF
1766 if (sender_instance)
1767 {
1768 if (!pf_c2c_test (&sender_instance->context, &mi->context, "bcast_c2c"))
1769 {
1770 msg (D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
1771 mi_prefix (sender_instance),
1772 mi_prefix (mi));
1773 continue;
1774 }
1775 }
1776 if (sender_addr)
1777 {
1778 if (!pf_addr_test (&mi->context, sender_addr, "bcast_src_addr"))
1779 {
1780 struct gc_arena gc = gc_new ();
1781 msg (D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
1782 mroute_addr_print_ex (sender_addr, MAPF_SHOW_ARP, &gc),
1783 mi_prefix (mi));
1784 gc_free (&gc);
1785 continue;
1786 }
1787 }
1788 #endif
1789 multi_add_mbuf (m, mi, mb);
1790 }
1791 }
1792
1793 hash_iterator_free (&hi);
1794 mbuf_free_buf (mb);
1795 perf_pop ();
1796 }
1797 }
1798
1799 /*
1800 * Given a time delta, indicating that we wish to be
1801 * awoken by the scheduler at time now + delta, figure
1802 * a sigma parameter (in microseconds) that represents
1803 * a sort of fuzz factor around delta, so that we're
1804 * really telling the scheduler to wake us up any time
1805 * between now + delta - sigma and now + delta + sigma.
1806 *
1807 * The sigma parameter helps the scheduler to run more efficiently.
1808 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
1809 */
1810 static inline unsigned int
1811 compute_wakeup_sigma (const struct timeval *delta)
1812 {
1813 if (delta->tv_sec < 1)
1814 {
1815 /* if < 1 sec, fuzz = # of microseconds / 8 */
1816 return delta->tv_usec >> 3;
1817 }
1818 else
1819 {
1820 /* if < 10 minutes, fuzz = 13.1% of timeout */
1821 if (delta->tv_sec < 600)
1822 return delta->tv_sec << 17;
1823 else
1824 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
1825 }
1826 }
1827
1828 /*
1829 * Figure instance-specific timers, convert
1830 * earliest to absolute time in mi->wakeup,
1831 * call scheduler with our future wakeup time.
1832 *
1833 * Also close context on signal.
1834 */
1835 bool
1836 multi_process_post (struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
1837 {
1838 bool ret = true;
1839
1840 if (!IS_SIG (&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT (&mi->context))))
1841 {
1842 /* figure timeouts and fetch possible outgoing
1843 to_link packets (such as ping or TLS control) */
1844 pre_select (&mi->context);
1845
1846 if (!IS_SIG (&mi->context))
1847 {
1848 /* calculate an absolute wakeup time */
1849 ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
1850 tv_add (&mi->wakeup, &mi->context.c2.timeval);
1851
1852 /* tell scheduler to wake us up at some point in the future */
1853 schedule_add_entry (m->schedule,
1854 (struct schedule_entry *) mi,
1855 &mi->wakeup,
1856 compute_wakeup_sigma (&mi->context.c2.timeval));
1857
1858 /* connection is "established" when SSL/TLS key negotiation succeeds
1859 and (if specified) auth user/pass succeeds */
1860 if (!mi->connection_established_flag && CONNECTION_ESTABLISHED (&mi->context))
1861 multi_connection_established (m, mi);
1862 }
1863 }
1864
1865 if (IS_SIG (&mi->context))
1866 {
1867 if (flags & MPP_CLOSE_ON_SIGNAL)
1868 {
1869 multi_close_instance_on_signal (m, mi);
1870 ret = false;
1871 }
1872 }
1873 else
1874 {
1875 /* continue to pend on output? */
1876 multi_set_pending (m, ANY_OUT (&mi->context) ? mi : NULL);
1877
1878 #ifdef MULTI_DEBUG_EVENT_LOOP
1879 printf ("POST %s[%d] to=%d lo=%d/%d w=%d/%d\n",
1880 id(mi),
1881 (int) (mi == m->pending),
1882 mi ? mi->context.c2.to_tun.len : -1,
1883 mi ? mi->context.c2.to_link.len : -1,
1884 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
1885 (int)mi->context.c2.timeval.tv_sec,
1886 (int)mi->context.c2.timeval.tv_usec);
1887 #endif
1888 }
1889
1890 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
1891 *m->mpp_touched = mi;
1892
1893 return ret;
1894 }
1895
1896 /*
1897 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
1898 * i.e. client -> server direction.
1899 */
1900 bool
1901 multi_process_incoming_link (struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
1902 {
1903 struct gc_arena gc = gc_new ();
1904
1905 struct context *c;
1906 struct mroute_addr src, dest;
1907 unsigned int mroute_flags;
1908 struct multi_instance *mi;
1909 bool ret = true;
1910
1911 if (m->pending)
1912 return true;
1913
1914 if (!instance)
1915 {
1916 #ifdef MULTI_DEBUG_EVENT_LOOP
1917 printf ("TCP/UDP -> TUN [%d]\n", BLEN (&m->top.c2.buf));
1918 #endif
1919 multi_set_pending (m, multi_get_create_instance_udp (m));
1920 }
1921 else
1922 multi_set_pending (m, instance);
1923
1924 if (m->pending)
1925 {
1926 set_prefix (m->pending);
1927
1928 /* get instance context */
1929 c = &m->pending->context;
1930
1931 if (!instance)
1932 {
1933 /* transfer packet pointer from top-level context buffer to instance */
1934 c->c2.buf = m->top.c2.buf;
1935
1936 /* transfer from-addr from top-level context buffer to instance */
1937 c->c2.from = m->top.c2.from;
1938 }
1939
1940 if (BLEN (&c->c2.buf) > 0)
1941 {
1942 /* decrypt in instance context */
1943 process_incoming_link (c);
1944
1945 if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TUN)
1946 {
1947 /* extract packet source and dest addresses */
1948 mroute_flags = mroute_extract_addr_from_packet (&src,
1949 &dest,
1950 NULL,
1951 NULL,
1952 &c->c2.to_tun,
1953 DEV_TYPE_TUN);
1954
1955 /* drop packet if extract failed */
1956 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
1957 {
1958 c->c2.to_tun.len = 0;
1959 }
1960 /* make sure that source address is associated with this client */
1961 else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
1962 {
1963 msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
1964 mroute_addr_print (&src, &gc));
1965 c->c2.to_tun.len = 0;
1966 }
1967 /* client-to-client communication enabled? */
1968 else if (m->enable_c2c)
1969 {
1970 /* multicast? */
1971 if (mroute_flags & MROUTE_EXTRACT_MCAST)
1972 {
1973 /* for now, treat multicast as broadcast */
1974 multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
1975 }
1976 else /* possible client to client routing */
1977 {
1978 ASSERT (!(mroute_flags & MROUTE_EXTRACT_BCAST));
1979 mi = multi_get_instance_by_virtual_addr (m, &dest, true);
1980
1981 /* if dest addr is a known client, route to it */
1982 if (mi)
1983 {
1984 #ifdef ENABLE_PF
1985 if (!pf_c2c_test (c, &mi->context, "tun_c2c"))
1986 {
1987 msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
1988 mi_prefix (mi));
1989 }
1990 else
1991 #endif
1992 {
1993 multi_unicast (m, &c->c2.to_tun, mi);
1994 register_activity (c, BLEN(&c->c2.to_tun));
1995 }
1996 c->c2.to_tun.len = 0;
1997 }
1998 }
1999 }
2000 #ifdef ENABLE_PF
2001 if (c->c2.to_tun.len && !pf_addr_test (c, &dest, "tun_dest_addr"))
2002 {
2003 msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2004 mroute_addr_print_ex (&dest, MAPF_SHOW_ARP, &gc));
2005 c->c2.to_tun.len = 0;
2006 }
2007 #endif
2008 }
2009 else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)
2010 {
2011 #ifdef ENABLE_PF
2012 struct mroute_addr edest;
2013 mroute_addr_reset (&edest);
2014 #endif
2015 /* extract packet source and dest addresses */
2016 mroute_flags = mroute_extract_addr_from_packet (&src,
2017 &dest,
2018 NULL,
2019 #ifdef ENABLE_PF
2020 &edest,
2021 #else
2022 NULL,
2023 #endif
2024 &c->c2.to_tun,
2025 DEV_TYPE_TAP);
2026
2027 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2028 {
2029 if (multi_learn_addr (m, m->pending, &src, 0) == m->pending)
2030 {
2031 /* check for broadcast */
2032 if (m->enable_c2c)
2033 {
2034 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2035 {
2036 multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
2037 }
2038 else /* try client-to-client routing */
2039 {
2040 mi = multi_get_instance_by_virtual_addr (m, &dest, false);
2041
2042 /* if dest addr is a known client, route to it */
2043 if (mi)
2044 {
2045 #ifdef ENABLE_PF
2046 if (!pf_c2c_test (c, &mi->context, "tap_c2c"))
2047 {
2048 msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2049 mi_prefix (mi));
2050 }
2051 else
2052 #endif
2053 {
2054 multi_unicast (m, &c->c2.to_tun, mi);
2055 register_activity (c, BLEN(&c->c2.to_tun));
2056 }
2057 c->c2.to_tun.len = 0;
2058 }
2059 }
2060 }
2061 #ifdef ENABLE_PF
2062 if (c->c2.to_tun.len && !pf_addr_test (c, &edest, "tap_dest_addr"))
2063 {
2064 msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2065 mroute_addr_print_ex (&edest, MAPF_SHOW_ARP, &gc));
2066 c->c2.to_tun.len = 0;
2067 }
2068 #endif
2069 }
2070 else
2071 {
2072 msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2073 mroute_addr_print (&src, &gc));
2074 c->c2.to_tun.len = 0;
2075 }
2076 }
2077 else
2078 {
2079 c->c2.to_tun.len = 0;
2080 }
2081 }
2082 }
2083
2084 /* postprocess and set wakeup */
2085 ret = multi_process_post (m, m->pending, mpp_flags);
2086
2087 clear_prefix ();
2088 }
2089
2090 gc_free (&gc);
2091 return ret;
2092 }
2093
2094 /*
2095 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2096 * i.e. server -> client direction.
2097 */
2098 bool
2099 multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flags)
2100 {
2101 struct gc_arena gc = gc_new ();
2102 bool ret = true;
2103
2104 if (BLEN (&m->top.c2.buf) > 0)
2105 {
2106 unsigned int mroute_flags;
2107 struct mroute_addr src, dest;
2108 const int dev_type = TUNNEL_TYPE (m->top.c1.tuntap);
2109
2110 #ifdef ENABLE_PF
2111 struct mroute_addr esrc, *e1, *e2;
2112 if (dev_type == DEV_TYPE_TUN)
2113 {
2114 e1 = NULL;
2115 e2 = &src;
2116 }
2117 else
2118 {
2119 e1 = e2 = &esrc;
2120 mroute_addr_reset (&esrc);
2121 }
2122 #endif
2123
2124 #ifdef MULTI_DEBUG_EVENT_LOOP
2125 printf ("TUN -> TCP/UDP [%d]\n", BLEN (&m->top.c2.buf));
2126 #endif
2127
2128 if (m->pending)
2129 return true;
2130
2131 /*
2132 * Route an incoming tun/tap packet to
2133 * the appropriate multi_instance object.
2134 */
2135
2136 mroute_flags = mroute_extract_addr_from_packet (&src,
2137 &dest,
2138 #ifdef ENABLE_PF
2139 e1,
2140 #else
2141 NULL,
2142 #endif
2143 NULL,
2144 &m->top.c2.buf,
2145 dev_type);
2146
2147 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2148 {
2149 struct context *c;
2150
2151 /* broadcast or multicast dest addr? */
2152 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2153 {
2154 /* for now, treat multicast as broadcast */
2155 #ifdef ENABLE_PF
2156 multi_bcast (m, &m->top.c2.buf, NULL, e2);
2157 #else
2158 multi_bcast (m, &m->top.c2.buf, NULL, NULL);
2159 #endif
2160 }
2161 else
2162 {
2163 multi_set_pending (m, multi_get_instance_by_virtual_addr (m, &dest, dev_type == DEV_TYPE_TUN));
2164
2165 if (m->pending)
2166 {
2167 /* get instance context */
2168 c = &m->pending->context;
2169
2170 set_prefix (m->pending);
2171
2172 #ifdef ENABLE_PF
2173 if (!pf_addr_test (c, e2, "tun_tap_src_addr"))
2174 {
2175 msg (D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2176 mroute_addr_print_ex (&src, MAPF_SHOW_ARP, &gc));
2177 buf_reset_len (&c->c2.buf);
2178 }
2179 else
2180 #endif
2181 {
2182 if (multi_output_queue_ready (m, m->pending))
2183 {
2184 /* transfer packet pointer from top-level context buffer to instance */
2185 c->c2.buf = m->top.c2.buf;
2186 }
2187 else
2188 {
2189 /* drop packet */
2190 msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2191 buf_reset_len (&c->c2.buf);
2192 }
2193 }
2194
2195 /* encrypt in instance context */
2196 process_incoming_tun (c);
2197
2198 /* postprocess and set wakeup */
2199 ret = multi_process_post (m, m->pending, mpp_flags);
2200
2201 clear_prefix ();
2202 }
2203 }
2204 }
2205 }
2206 gc_free (&gc);
2207 return ret;
2208 }
2209
2210 /*
2211 * Process a possible client-to-client/bcast/mcast message in the
2212 * queue.
2213 */
2214 struct multi_instance *
2215 multi_get_queue (struct mbuf_set *ms)
2216 {
2217 struct mbuf_item item;
2218
2219 if (mbuf_extract_item (ms, &item, true)) /* cleartext IP packet */
2220 {
2221 unsigned int pipv4_flags = PIPV4_PASSTOS;
2222
2223 set_prefix (item.instance);
2224 item.instance->context.c2.buf = item.buffer->buf;
2225 if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2226 pipv4_flags |= PIPV4_MSSFIX;
2227 process_ipv4_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf);
2228 encrypt_sign (&item.instance->context, true);
2229 mbuf_free_buf (item.buffer);
2230
2231 dmsg (D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2232
2233 clear_prefix ();
2234 return item.instance;
2235 }
2236 else
2237 {
2238 return NULL;
2239 }
2240 }
2241
2242 /*
2243 * Called when an I/O wait times out. Usually means that a particular
2244 * client instance object needs timer-based service.
2245 */
2246 bool
2247 multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags)
2248 {
2249 bool ret = true;
2250
2251 #ifdef MULTI_DEBUG_EVENT_LOOP
2252 printf ("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2253 #endif
2254
2255 /* instance marked for wakeup? */
2256 if (m->earliest_wakeup)
2257 {
2258 set_prefix (m->earliest_wakeup);
2259 ret = multi_process_post (m, m->earliest_wakeup, mpp_flags);
2260 m->earliest_wakeup = NULL;
2261 clear_prefix ();
2262 }
2263 return ret;
2264 }
2265
2266 /*
2267 * Drop a TUN/TAP outgoing packet..
2268 */
2269 void
2270 multi_process_drop_outgoing_tun (struct multi_context *m, const unsigned int mpp_flags)
2271 {
2272 struct multi_instance *mi = m->pending;
2273
2274 ASSERT (mi);
2275
2276 set_prefix (mi);
2277
2278 msg (D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2279 mi->context.c2.to_tun.len);
2280
2281 buf_reset (&mi->context.c2.to_tun);
2282
2283 multi_process_post (m, mi, mpp_flags);
2284 clear_prefix ();
2285 }
2286
2287 /*
2288 * Per-client route quota management
2289 */
2290
2291 void
2292 route_quota_exceeded (const struct multi_context *m, const struct multi_instance *mi)
2293 {
2294 struct gc_arena gc = gc_new ();
2295 msg (D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2296 mi->context.options.max_routes_per_client,
2297 multi_instance_string (mi, false, &gc));
2298 gc_free (&gc);
2299 }
2300
2301 #ifdef ENABLE_DEBUG
2302 /*
2303 * Flood clients with random packets
2304 */
2305 static void
2306 gremlin_flood_clients (struct multi_context *m)
2307 {
2308 const int level = GREMLIN_PACKET_FLOOD_LEVEL (m->top.options.gremlin);
2309 if (level)
2310 {
2311 struct gc_arena gc = gc_new ();
2312 struct buffer buf = alloc_buf_gc (BUF_SIZE (&m->top.c2.frame), &gc);
2313 struct packet_flood_parms parm = get_packet_flood_parms (level);
2314 int i;
2315
2316 ASSERT (buf_init (&buf, FRAME_HEADROOM (&m->top.c2.frame)));
2317 parm.packet_size = min_int (parm.packet_size, MAX_RW_SIZE_TUN (&m->top.c2.frame));
2318
2319 msg (D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2320 parm.n_packets,
2321 parm.packet_size);
2322
2323 for (i = 0; i < parm.packet_size; ++i)
2324 ASSERT (buf_write_u8 (&buf, get_random () & 0xFF));
2325
2326 for (i = 0; i < parm.n_packets; ++i)
2327 multi_bcast (m, &buf, NULL, NULL);
2328
2329 gc_free (&gc);
2330 }
2331 }
2332 #endif
2333
2334 /*
2335 * Process timers in the top-level context
2336 */
2337 void
2338 multi_process_per_second_timers_dowork (struct multi_context *m)
2339 {
2340 /* possibly reap instances/routes in vhash */
2341 multi_reap_process (m);
2342
2343 /* possibly print to status log */
2344 if (m->top.c1.status_output)
2345 {
2346 if (status_trigger (m->top.c1.status_output))
2347 multi_print_status (m, m->top.c1.status_output, m->status_file_version);
2348 }
2349
2350 /* possibly flush ifconfig-pool file */
2351 multi_ifconfig_pool_persist (m, false);
2352
2353 #ifdef ENABLE_DEBUG
2354 gremlin_flood_clients (m);
2355 #endif
2356 }
2357
2358 void
2359 multi_top_init (struct multi_context *m, const struct context *top, const bool alloc_buffers)
2360 {
2361 inherit_context_top (&m->top, top);
2362 m->top.c2.buffers = NULL;
2363 if (alloc_buffers)
2364 m->top.c2.buffers = init_context_buffers (&top->c2.frame);
2365 }
2366
2367 void
2368 multi_top_free (struct multi_context *m)
2369 {
2370 close_context (&m->top, -1, CC_GC_FREE);
2371 free_context_buffers (m->top.c2.buffers);
2372 }
2373
2374 /*
2375 * Return true if event loop should break,
2376 * false if it should continue.
2377 */
2378 bool
2379 multi_process_signal (struct multi_context *m)
2380 {
2381 if (m->top.sig->signal_received == SIGUSR2)
2382 {
2383 struct status_output *so = status_open (NULL, 0, M_INFO, NULL, 0);
2384 multi_print_status (m, so, m->status_file_version);
2385 status_close (so);
2386 m->top.sig->signal_received = 0;
2387 return false;
2388 }
2389 return true;
2390 }
2391
2392 /*
2393 * Called when an instance should be closed due to the
2394 * reception of a soft signal.
2395 */
2396 void
2397 multi_close_instance_on_signal (struct multi_context *m, struct multi_instance *mi)
2398 {
2399 remap_signal (&mi->context);
2400 set_prefix (mi);
2401 print_signal (mi->context.sig, "client-instance", D_MULTI_LOW);
2402 clear_prefix ();
2403 multi_close_instance (m, mi, false);
2404 }
2405
2406 static void
2407 multi_signal_instance (struct multi_context *m, struct multi_instance *mi, const int sig)
2408 {
2409 mi->context.sig->signal_received = sig;
2410 multi_close_instance_on_signal (m, mi);
2411 }
2412
2413 /*
2414 * Management subsystem callbacks
2415 */
2416
2417 #ifdef ENABLE_MANAGEMENT
2418
2419 static void
2420 management_callback_status (void *arg, const int version, struct status_output *so)
2421 {
2422 struct multi_context *m = (struct multi_context *) arg;
2423
2424 if (!version)
2425 multi_print_status (m, so, m->status_file_version);
2426 else
2427 multi_print_status (m, so, version);
2428 }
2429
2430 static int
2431 management_callback_kill_by_cn (void *arg, const char *del_cn)
2432 {
2433 struct multi_context *m = (struct multi_context *) arg;
2434 struct hash_iterator hi;
2435 struct hash_element *he;
2436 int count = 0;
2437
2438 hash_iterator_init (m->iter, &hi, true);
2439 while ((he = hash_iterator_next (&hi)))
2440 {
2441 struct multi_instance *mi = (struct multi_instance *) he->value;
2442 if (!mi->halt)
2443 {
2444 const char *cn = tls_common_name (mi->context.c2.tls_multi, false);
2445 if (cn && !strcmp (cn, del_cn))
2446 {
2447 multi_signal_instance (m, mi, SIGTERM);
2448 ++count;
2449 }
2450 }
2451 }
2452 hash_iterator_free (&hi);
2453 return count;
2454 }
2455
2456 static int
2457 management_callback_kill_by_addr (void *arg, const in_addr_t addr, const int port)
2458 {
2459 struct multi_context *m = (struct multi_context *) arg;
2460 struct hash_iterator hi;
2461 struct hash_element *he;
2462 struct openvpn_sockaddr saddr;
2463 struct mroute_addr maddr;
2464 int count = 0;
2465
2466 CLEAR (saddr);
2467 saddr.sa.sin_family = AF_INET;
2468 saddr.sa.sin_addr.s_addr = htonl (addr);
2469 saddr.sa.sin_port = htons (port);
2470 if (mroute_extract_openvpn_sockaddr (&maddr, &saddr, true))
2471 {
2472 hash_iterator_init (m->iter, &hi, true);
2473 while ((he = hash_iterator_next (&hi)))
2474 {
2475 struct multi_instance *mi = (struct multi_instance *) he->value;
2476 if (!mi->halt && mroute_addr_equal (&maddr, &mi->real))
2477 {
2478 multi_signal_instance (m, mi, SIGTERM);
2479 ++count;
2480 }
2481 }
2482 hash_iterator_free (&hi);
2483 }
2484 return count;
2485 }
2486
2487 static void
2488 management_delete_event (void *arg, event_t event)
2489 {
2490 struct multi_context *m = (struct multi_context *) arg;
2491 if (m->mtcp)
2492 multi_tcp_delete_event (m->mtcp, event);
2493 }
2494
2495 #endif
2496
2497 #ifdef MANAGEMENT_DEF_AUTH
2498
2499 static struct multi_instance *
2500 lookup_by_cid (struct multi_context *m, const unsigned long cid)
2501 {
2502 if (m)
2503 {
2504 struct multi_instance *mi = (struct multi_instance *) hash_lookup (m->cid_hash, &cid);
2505 if (mi && !mi->halt)
2506 return mi;
2507 }
2508 return NULL;
2509 }
2510
2511 static bool
2512 management_kill_by_cid (void *arg, const unsigned long cid)
2513 {
2514 struct multi_context *m = (struct multi_context *) arg;
2515 struct multi_instance *mi = lookup_by_cid (m, cid);
2516 if (mi)
2517 {
2518 multi_signal_instance (m, mi, SIGTERM);
2519 return true;
2520 }
2521 else
2522 return false;
2523 }
2524
2525 static bool
2526 management_client_auth (void *arg,
2527 const unsigned long cid,
2528 const unsigned int mda_key_id,
2529 const bool auth,
2530 const char *reason,
2531 struct buffer_list *cc_config) /* ownership transferred */
2532 {
2533 struct multi_context *m = (struct multi_context *) arg;
2534 struct multi_instance *mi = lookup_by_cid (m, cid);
2535 bool cc_config_owned = true;
2536 bool ret = false;
2537
2538 if (mi)
2539 {
2540 ret = tls_authenticate_key (mi->context.c2.tls_multi, mda_key_id, auth);
2541 if (ret)
2542 {
2543 if (auth && !mi->connection_established_flag)
2544 {
2545 set_cc_config (mi, cc_config);
2546 cc_config_owned = false;
2547 }
2548 if (!auth && reason)
2549 msg (D_MULTI_LOW, "MULTI: connection rejected: %s", reason);
2550 }
2551 }
2552 if (cc_config_owned && cc_config)
2553 buffer_list_free (cc_config);
2554 return ret;
2555 }
2556 #endif
2557
2558 #ifdef MANAGEMENT_PF
2559 static bool
2560 management_client_pf (void *arg,
2561 const unsigned long cid,
2562 struct buffer_list *pf_config) /* ownership transferred */
2563 {
2564 struct multi_context *m = (struct multi_context *) arg;
2565 struct multi_instance *mi = lookup_by_cid (m, cid);
2566 bool ret = false;
2567
2568 if (mi && pf_config)
2569 ret = pf_load_from_buffer_list (&mi->context, pf_config);
2570
2571 if (pf_config)
2572 buffer_list_free (pf_config);
2573 return ret;
2574 }
2575 #endif
2576
2577 void
2578 init_management_callback_multi (struct multi_context *m)
2579 {
2580 #ifdef ENABLE_MANAGEMENT
2581 if (management)
2582 {
2583 struct management_callback cb;
2584 CLEAR (cb);
2585 cb.arg = m;
2586 cb.status = management_callback_status;
2587 cb.show_net = management_show_net_callback;
2588 cb.kill_by_cn = management_callback_kill_by_cn;
2589 cb.kill_by_addr = management_callback_kill_by_addr;
2590 cb.delete_event = management_delete_event;
2591 #ifdef MANAGEMENT_DEF_AUTH
2592 cb.kill_by_cid = management_kill_by_cid;
2593 cb.client_auth = management_client_auth;
2594 #endif
2595 #ifdef MANAGEMENT_PF
2596 cb.client_pf = management_client_pf;
2597 #endif
2598 management_set_callback (management, &cb);
2599 }
2600 #endif
2601 }
2602
2603 void
2604 uninit_management_callback_multi (struct multi_context *m)
2605 {
2606 uninit_management_callback ();
2607 }
2608
2609 /*
2610 * Top level event loop.
2611 */
2612 void
2613 tunnel_server (struct context *top)
2614 {
2615 ASSERT (top->options.mode == MODE_SERVER);
2616
2617 switch (top->options.ce.proto) {
2618 case PROTO_UDPv4:
2619 tunnel_server_udp (top);
2620 break;
2621 case PROTO_TCPv4_SERVER:
2622 tunnel_server_tcp (top);
2623 break;
2624 default:
2625 ASSERT (0);
2626 }
2627 }
2628
2629 #else
2630 static void dummy(void) {}
2631 #endif /* P2MP_SERVER */
Tomato firmware and modifications.