search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update to OpenVPN 2.1rc18
[tomato.git] / release / src / router / openvpn / multi.c
blob7173d66d9e9e9d85677e97f1e6e8f650a9f397ba
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
23 */
24
25 #include "syshead.h"
26
27 #if P2MP_SERVER
28
29 #include "multi.h"
30 #include "push.h"
31 #include "misc.h"
32 #include "otime.h"
33 #include "gremlin.h"
34
35 #include "memdbg.h"
36
37 #include "forward-inline.h"
38 #include "pf-inline.h"
39
40 /*#define MULTI_DEBUG_EVENT_LOOP*/
41
42 #ifdef MULTI_DEBUG_EVENT_LOOP
43 static const char *
44 id (struct multi_instance *mi)
45 {
46 if (mi)
47 return tls_common_name (mi->context.c2.tls_multi, false);
48 else
49 return "NULL";
50 }
51 #endif
52
53 #ifdef MANAGEMENT_DEF_AUTH
54 static void
55 set_cc_config (struct multi_instance *mi, struct buffer_list *cc_config)
56 {
57 if (mi->cc_config)
58 buffer_list_free (mi->cc_config);
59 mi->cc_config = cc_config;
60 }
61 #endif
62
63 static bool
64 learn_address_script (const struct multi_context *m,
65 const struct multi_instance *mi,
66 const char *op,
67 const struct mroute_addr *addr)
68 {
69 struct gc_arena gc = gc_new ();
70 struct env_set *es;
71 bool ret = true;
72 struct plugin_list *plugins;
73
74 /* get environmental variable source */
75 if (mi && mi->context.c2.es)
76 es = mi->context.c2.es;
77 else
78 es = env_set_create (&gc);
79
80 /* get plugin source */
81 if (mi)
82 plugins = mi->context.plugins;
83 else
84 plugins = m->top.plugins;
85
86 if (plugin_defined (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
87 {
88 struct argv argv = argv_new ();
89 argv_printf (&argv, "%s %s",
90 op,
91 mroute_addr_print (addr, &gc));
92 if (mi)
93 argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
94 if (plugin_call (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
95 {
96 msg (M_WARN, "WARNING: learn-address plugin call failed");
97 ret = false;
98 }
99 argv_reset (&argv);
100 }
101
102 if (m->top.options.learn_address_script)
103 {
104 struct argv argv = argv_new ();
105 setenv_str (es, "script_type", "learn-address");
106 argv_printf (&argv, "%sc %s %s",
107 m->top.options.learn_address_script,
108 op,
109 mroute_addr_print (addr, &gc));
110 if (mi)
111 argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
112 if (!openvpn_execve_check (&argv, es, S_SCRIPT, "WARNING: learn-address command failed"))
113 ret = false;
114 argv_reset (&argv);
115 }
116
117 gc_free (&gc);
118 return ret;
119 }
120
121 void
122 multi_ifconfig_pool_persist (struct multi_context *m, bool force)
123 {
124 /* write pool data to file */
125 if (m->ifconfig_pool
126 && m->top.c1.ifconfig_pool_persist
127 && (force || ifconfig_pool_write_trigger (m->top.c1.ifconfig_pool_persist)))
128 {
129 ifconfig_pool_write (m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
130 }
131 }
132
133 static void
134 multi_reap_range (const struct multi_context *m,
135 int start_bucket,
136 int end_bucket)
137 {
138 struct gc_arena gc = gc_new ();
139 struct hash_iterator hi;
140 struct hash_element *he;
141
142 if (start_bucket < 0)
143 {
144 start_bucket = 0;
145 end_bucket = hash_n_buckets (m->vhash);
146 }
147
148 dmsg (D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
149 hash_iterator_init_range (m->vhash, &hi, true, start_bucket, end_bucket);
150 while ((he = hash_iterator_next (&hi)) != NULL)
151 {
152 struct multi_route *r = (struct multi_route *) he->value;
153 if (!multi_route_defined (m, r))
154 {
155 dmsg (D_MULTI_DEBUG, "MULTI: REAP DEL %s",
156 mroute_addr_print (&r->addr, &gc));
157 learn_address_script (m, NULL, "delete", &r->addr);
158 multi_route_del (r);
159 hash_iterator_delete_element (&hi);
160 }
161 }
162 hash_iterator_free (&hi);
163 gc_free (&gc);
164 }
165
166 static void
167 multi_reap_all (const struct multi_context *m)
168 {
169 multi_reap_range (m, -1, 0);
170 }
171
172 static struct multi_reap *
173 multi_reap_new (int buckets_per_pass)
174 {
175 struct multi_reap *mr;
176 ALLOC_OBJ (mr, struct multi_reap);
177 mr->bucket_base = 0;
178 mr->buckets_per_pass = buckets_per_pass;
179 mr->last_call = now;
180 return mr;
181 }
182
183 void
184 multi_reap_process_dowork (const struct multi_context *m)
185 {
186 struct multi_reap *mr = m->reaper;
187 if (mr->bucket_base >= hash_n_buckets (m->vhash))
188 mr->bucket_base = 0;
189 multi_reap_range (m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
190 mr->bucket_base += mr->buckets_per_pass;
191 mr->last_call = now;
192 }
193
194 static void
195 multi_reap_free (struct multi_reap *mr)
196 {
197 free (mr);
198 }
199
200 /*
201 * How many buckets in vhash to reap per pass.
202 */
203 static int
204 reap_buckets_per_pass (int n_buckets)
205 {
206 return constrain_int (n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
207 }
208
209 #ifdef MANAGEMENT_DEF_AUTH
210
211 static uint32_t
212 cid_hash_function (const void *key, uint32_t iv)
213 {
214 const unsigned long *k = (const unsigned long *)key;
215 return (uint32_t) *k;
216 }
217
218 static bool
219 cid_compare_function (const void *key1, const void *key2)
220 {
221 const unsigned long *k1 = (const unsigned long *)key1;
222 const unsigned long *k2 = (const unsigned long *)key2;
223 return *k1 == *k2;
224 }
225
226 #endif
227
228 /*
229 * Main initialization function, init multi_context object.
230 */
231 void
232 multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
233 {
234 int dev = DEV_TYPE_UNDEF;
235
236 msg (D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
237 t->options.real_hash_size,
238 t->options.virtual_hash_size);
239
240 /*
241 * Get tun/tap/null device type
242 */
243 dev = dev_type_enum (t->options.dev, t->options.dev_type);
244
245 /*
246 * Init our multi_context object.
247 */
248 CLEAR (*m);
249
250 m->thread_mode = thread_mode;
251
252 /*
253 * Real address hash table (source port number is
254 * considered to be part of the address). Used
255 * to determine which client sent an incoming packet
256 * which is seen on the TCP/UDP socket.
257 */
258 m->hash = hash_init (t->options.real_hash_size,
259 get_random (),
260 mroute_addr_hash_function,
261 mroute_addr_compare_function);
262
263 /*
264 * Virtual address hash table. Used to determine
265 * which client to route a packet to.
266 */
267 m->vhash = hash_init (t->options.virtual_hash_size,
268 get_random (),
269 mroute_addr_hash_function,
270 mroute_addr_compare_function);
271
272 /*
273 * This hash table is a clone of m->hash but with a
274 * bucket size of one so that it can be used
275 * for fast iteration through the list.
276 */
277 m->iter = hash_init (1,
278 get_random (),
279 mroute_addr_hash_function,
280 mroute_addr_compare_function);
281
282 #ifdef MANAGEMENT_DEF_AUTH
283 m->cid_hash = hash_init (t->options.real_hash_size,
284 0,
285 cid_hash_function,
286 cid_compare_function);
287 #endif
288
289 /*
290 * This is our scheduler, for time-based wakeup
291 * events.
292 */
293 m->schedule = schedule_init ();
294
295 /*
296 * Limit frequency of incoming connections to control
297 * DoS.
298 */
299 m->new_connection_limiter = frequency_limit_init (t->options.cf_max,
300 t->options.cf_per);
301
302 /*
303 * Allocate broadcast/multicast buffer list
304 */
305 m->mbuf = mbuf_init (t->options.n_bcast_buf);
306
307 /*
308 * Different status file format options are available
309 */
310 m->status_file_version = t->options.status_file_version;
311
312 /*
313 * Possibly allocate an ifconfig pool, do it
314 * differently based on whether a tun or tap style
315 * tunnel.
316 */
317 if (t->options.ifconfig_pool_defined)
318 {
319 if (dev == DEV_TYPE_TAP)
320 {
321 m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_INDIV,
322 t->options.ifconfig_pool_start,
323 t->options.ifconfig_pool_end,
324 t->options.duplicate_cn);
325 }
326 else if (dev == DEV_TYPE_TUN)
327 {
328 m->ifconfig_pool = ifconfig_pool_init (
329 (t->options.topology == TOP_NET30) ? IFCONFIG_POOL_30NET : IFCONFIG_POOL_INDIV,
330 t->options.ifconfig_pool_start,
331 t->options.ifconfig_pool_end,
332 t->options.duplicate_cn);
333 }
334 else
335 {
336 ASSERT (0);
337 }
338
339 /* reload pool data from file */
340 if (t->c1.ifconfig_pool_persist)
341 ifconfig_pool_read (t->c1.ifconfig_pool_persist, m->ifconfig_pool);
342 }
343
344 /*
345 * Help us keep track of routing table.
346 */
347 m->route_helper = mroute_helper_init (MULTI_CACHE_ROUTE_TTL);
348
349 /*
350 * Initialize route and instance reaper.
351 */
352 m->reaper = multi_reap_new (reap_buckets_per_pass (t->options.virtual_hash_size));
353
354 /*
355 * Get local ifconfig address
356 */
357 CLEAR (m->local);
358 ASSERT (t->c1.tuntap);
359 mroute_extract_in_addr_t (&m->local, t->c1.tuntap->local);
360
361 /*
362 * Per-client limits
363 */
364 m->max_clients = t->options.max_clients;
365
366 /*
367 * Initialize multi-socket TCP I/O wait object
368 */
369 if (tcp_mode)
370 m->mtcp = multi_tcp_init (t->options.max_clients, &m->max_clients);
371 m->tcp_queue_limit = t->options.tcp_queue_limit;
372
373 /*
374 * Allow client <-> client communication, without going through
375 * tun/tap interface and network stack?
376 */
377 m->enable_c2c = t->options.enable_c2c;
378 }
379
380 const char *
381 multi_instance_string (const struct multi_instance *mi, bool null, struct gc_arena *gc)
382 {
383 if (mi)
384 {
385 struct buffer out = alloc_buf_gc (256, gc);
386 const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
387
388 if (cn)
389 buf_printf (&out, "%s/", cn);
390 buf_printf (&out, "%s", mroute_addr_print (&mi->real, gc));
391 return BSTR (&out);
392 }
393 else if (null)
394 return NULL;
395 else
396 return "UNDEF";
397 }
398
399 void
400 generate_prefix (struct multi_instance *mi)
401 {
402 mi->msg_prefix = multi_instance_string (mi, true, &mi->gc);
403 set_prefix (mi);
404 }
405
406 void
407 ungenerate_prefix (struct multi_instance *mi)
408 {
409 mi->msg_prefix = NULL;
410 set_prefix (mi);
411 }
412
413 static const char *
414 mi_prefix (const struct multi_instance *mi)
415 {
416 if (mi && mi->msg_prefix)
417 return mi->msg_prefix;
418 else
419 return "UNDEF_I";
420 }
421
422 /*
423 * Tell the route helper about deleted iroutes so
424 * that it can update its mask of currently used
425 * CIDR netlengths.
426 */
427 static void
428 multi_del_iroutes (struct multi_context *m,
429 struct multi_instance *mi)
430 {
431 const struct iroute *ir;
432 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
433 {
434 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
435 mroute_helper_del_iroute (m->route_helper, ir);
436 }
437 }
438
439 static void
440 setenv_stats (struct context *c)
441 {
442 setenv_counter (c->c2.es, "bytes_received", c->c2.link_read_bytes);
443 setenv_counter (c->c2.es, "bytes_sent", c->c2.link_write_bytes);
444 }
445
446 static void
447 multi_client_disconnect_setenv (struct multi_context *m,
448 struct multi_instance *mi)
449 {
450 /* setenv client real IP address */
451 setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
452
453 /* setenv stats */
454 setenv_stats (&mi->context);
455
456 /* setenv connection duration */
457 {
458 const unsigned int duration = (unsigned int) now - mi->created;
459 setenv_unsigned (mi->context.c2.es, "time_duration", duration);
460 }
461 }
462
463 static void
464 multi_client_disconnect_script (struct multi_context *m,
465 struct multi_instance *mi)
466 {
467 if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag)
468 || mi->context.c2.context_auth == CAS_PARTIAL)
469 {
470 multi_client_disconnect_setenv (m, mi);
471
472 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
473 {
474 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
475 msg (M_WARN, "WARNING: client-disconnect plugin call failed");
476 }
477
478 if (mi->context.options.client_disconnect_script)
479 {
480 struct argv argv = argv_new ();
481 setenv_str (mi->context.c2.es, "script_type", "client-disconnect");
482 argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);
483 openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-disconnect command failed");
484 argv_reset (&argv);
485 }
486 #ifdef MANAGEMENT_DEF_AUTH
487 if (management)
488 management_notify_client_close (management, &mi->context.c2.mda_context, mi->context.c2.es);
489 #endif
490
491 }
492 }
493
494 void
495 multi_close_instance (struct multi_context *m,
496 struct multi_instance *mi,
497 bool shutdown)
498 {
499 perf_push (PERF_MULTI_CLOSE_INSTANCE);
500
501 ASSERT (!mi->halt);
502 mi->halt = true;
503
504 dmsg (D_MULTI_DEBUG, "MULTI: multi_close_instance called");
505
506 /* adjust current client connection count */
507 m->n_clients += mi->n_clients_delta;
508 mi->n_clients_delta = 0;
509
510 /* prevent dangling pointers */
511 if (m->pending == mi)
512 multi_set_pending (m, NULL);
513 if (m->earliest_wakeup == mi)
514 m->earliest_wakeup = NULL;
515
516 if (!shutdown)
517 {
518 if (mi->did_real_hash)
519 {
520 ASSERT (hash_remove (m->hash, &mi->real));
521 }
522 if (mi->did_iter)
523 {
524 ASSERT (hash_remove (m->iter, &mi->real));
525 }
526 #ifdef MANAGEMENT_DEF_AUTH
527 if (mi->did_cid_hash)
528 {
529 ASSERT (hash_remove (m->cid_hash, &mi->context.c2.mda_context.cid));
530 }
531 #endif
532
533 schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
534
535 ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false);
536
537 if (mi->did_iroutes)
538 {
539 multi_del_iroutes (m, mi);
540 mi->did_iroutes = false;
541 }
542
543 if (m->mtcp)
544 multi_tcp_dereference_instance (m->mtcp, mi);
545
546 mbuf_dereference_instance (m->mbuf, mi);
547 }
548
549 #ifdef MANAGEMENT_DEF_AUTH
550 set_cc_config (mi, NULL);
551 #endif
552
553 multi_client_disconnect_script (m, mi);
554
555 if (mi->did_open_context)
556 close_context (&mi->context, SIGTERM, CC_GC_FREE);
557
558 multi_tcp_instance_specific_free (mi);
559
560 ungenerate_prefix (mi);
561
562 /*
563 * Don't actually delete the instance memory allocation yet,
564 * because virtual routes may still point to it. Let the
565 * vhash reaper deal with it.
566 */
567 multi_instance_dec_refcount (mi);
568
569 perf_pop ();
570 }
571
572 /*
573 * Called on shutdown or restart.
574 */
575 void
576 multi_uninit (struct multi_context *m)
577 {
578 if (m->thread_mode & MC_WORK_THREAD)
579 {
580 multi_top_free (m);
581 m->thread_mode = MC_UNDEF;
582 }
583 else if (m->thread_mode)
584 {
585 if (m->hash)
586 {
587 struct hash_iterator hi;
588 struct hash_element *he;
589
590 hash_iterator_init (m->iter, &hi, true);
591 while ((he = hash_iterator_next (&hi)))
592 {
593 struct multi_instance *mi = (struct multi_instance *) he->value;
594 mi->did_iter = false;
595 multi_close_instance (m, mi, true);
596 }
597 hash_iterator_free (&hi);
598
599 multi_reap_all (m);
600
601 hash_free (m->hash);
602 hash_free (m->vhash);
603 hash_free (m->iter);
604 #ifdef MANAGEMENT_DEF_AUTH
605 hash_free (m->cid_hash);
606 #endif
607 m->hash = NULL;
608
609 schedule_free (m->schedule);
610 mbuf_free (m->mbuf);
611 ifconfig_pool_free (m->ifconfig_pool);
612 frequency_limit_free (m->new_connection_limiter);
613 multi_reap_free (m->reaper);
614 mroute_helper_free (m->route_helper);
615 multi_tcp_free (m->mtcp);
616 m->thread_mode = MC_UNDEF;
617 }
618 }
619 }
620
621 /*
622 * Create a client instance object for a newly connected client.
623 */
624 struct multi_instance *
625 multi_create_instance (struct multi_context *m, const struct mroute_addr *real)
626 {
627 struct gc_arena gc = gc_new ();
628 struct multi_instance *mi;
629
630 perf_push (PERF_MULTI_CREATE_INSTANCE);
631
632 msg (D_MULTI_LOW, "MULTI: multi_create_instance called");
633
634 ALLOC_OBJ_CLEAR (mi, struct multi_instance);
635
636 mutex_init (&mi->mutex);
637 mi->gc = gc_new ();
638 multi_instance_inc_refcount (mi);
639 mi->vaddr_handle = -1;
640 mi->created = now;
641 mroute_addr_init (&mi->real);
642
643 if (real)
644 {
645 mi->real = *real;
646 generate_prefix (mi);
647 }
648
649 mi->did_open_context = true;
650 inherit_context_child (&mi->context, &m->top);
651 if (IS_SIG (&mi->context))
652 goto err;
653
654 mi->context.c2.context_auth = CAS_PENDING;
655
656 if (hash_n_elements (m->hash) >= m->max_clients)
657 {
658 msg (D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
659 goto err;
660 }
661
662 if (!real) /* TCP mode? */
663 {
664 if (!multi_tcp_instance_specific_init (m, mi))
665 goto err;
666 generate_prefix (mi);
667 }
668
669 if (!hash_add (m->iter, &mi->real, mi, false))
670 {
671 msg (D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
672 mroute_addr_print (&mi->real, &gc));
673 goto err;
674 }
675 mi->did_iter = true;
676
677 #ifdef MANAGEMENT_DEF_AUTH
678 do {
679 mi->context.c2.mda_context.cid = m->cid_counter++;
680 } while (!hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
681 mi->did_cid_hash = true;
682 #endif
683
684 mi->context.c2.push_reply_deferred = true;
685
686 if (!multi_process_post (m, mi, MPP_PRE_SELECT))
687 {
688 msg (D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
689 goto err;
690 }
691
692 perf_pop ();
693 gc_free (&gc);
694 return mi;
695
696 err:
697 multi_close_instance (m, mi, false);
698 perf_pop ();
699 gc_free (&gc);
700 return NULL;
701 }
702
703 /*
704 * Dump tables -- triggered by SIGUSR2.
705 * If status file is defined, write to file.
706 * If status file is NULL, write to syslog.
707 */
708 void
709 multi_print_status (struct multi_context *m, struct status_output *so, const int version)
710 {
711 if (m->hash)
712 {
713 struct gc_arena gc_top = gc_new ();
714 struct hash_iterator hi;
715 const struct hash_element *he;
716
717 status_reset (so);
718
719 if (version == 1) /* WAS: m->status_file_version */
720 {
721 /*
722 * Status file version 1
723 */
724 status_printf (so, PACKAGE_NAME " CLIENT LIST");
725 status_printf (so, "Updated,%s", time_string (0, 0, false, &gc_top));
726 status_printf (so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
727 hash_iterator_init (m->hash, &hi, true);
728 while ((he = hash_iterator_next (&hi)))
729 {
730 struct gc_arena gc = gc_new ();
731 const struct multi_instance *mi = (struct multi_instance *) he->value;
732
733 if (!mi->halt)
734 {
735 status_printf (so, "%s,%s," counter_format "," counter_format ",%s",
736 tls_common_name (mi->context.c2.tls_multi, false),
737 mroute_addr_print (&mi->real, &gc),
738 mi->context.c2.link_read_bytes,
739 mi->context.c2.link_write_bytes,
740 time_string (mi->created, 0, false, &gc));
741 }
742 gc_free (&gc);
743 }
744 hash_iterator_free (&hi);
745
746 status_printf (so, "ROUTING TABLE");
747 status_printf (so, "Virtual Address,Common Name,Real Address,Last Ref");
748 hash_iterator_init (m->vhash, &hi, true);
749 while ((he = hash_iterator_next (&hi)))
750 {
751 struct gc_arena gc = gc_new ();
752 const struct multi_route *route = (struct multi_route *) he->value;
753
754 if (multi_route_defined (m, route))
755 {
756 const struct multi_instance *mi = route->instance;
757 const struct mroute_addr *ma = &route->addr;
758 char flags[2] = {0, 0};
759
760 if (route->flags & MULTI_ROUTE_CACHE)
761 flags[0] = 'C';
762 status_printf (so, "%s%s,%s,%s,%s",
763 mroute_addr_print (ma, &gc),
764 flags,
765 tls_common_name (mi->context.c2.tls_multi, false),
766 mroute_addr_print (&mi->real, &gc),
767 time_string (route->last_reference, 0, false, &gc));
768 }
769 gc_free (&gc);
770 }
771 hash_iterator_free (&hi);
772
773 status_printf (so, "GLOBAL STATS");
774 if (m->mbuf)
775 status_printf (so, "Max bcast/mcast queue length,%d",
776 mbuf_maximum_queued (m->mbuf));
777
778 status_printf (so, "END");
779 }
780 else if (version == 2 || version == 3)
781 {
782 const char sep = (version == 3) ? '\t' : ',';
783
784 /*
785 * Status file version 2 and 3
786 */
787 status_printf (so, "TITLE%c%s", sep, title_string);
788 status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, &gc_top), sep, (unsigned int)now);
789 status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)",
790 sep, sep, sep, sep, sep, sep, sep, sep);
791 hash_iterator_init (m->hash, &hi, true);
792 while ((he = hash_iterator_next (&hi)))
793 {
794 struct gc_arena gc = gc_new ();
795 const struct multi_instance *mi = (struct multi_instance *) he->value;
796
797 if (!mi->halt)
798 {
799 status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u",
800 sep, tls_common_name (mi->context.c2.tls_multi, false),
801 sep, mroute_addr_print (&mi->real, &gc),
802 sep, print_in_addr_t (mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
803 sep, mi->context.c2.link_read_bytes,
804 sep, mi->context.c2.link_write_bytes,
805 sep, time_string (mi->created, 0, false, &gc),
806 sep, (unsigned int)mi->created);
807 }
808 gc_free (&gc);
809 }
810 hash_iterator_free (&hi);
811
812 status_printf (so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
813 sep, sep, sep, sep, sep, sep);
814 hash_iterator_init (m->vhash, &hi, true);
815 while ((he = hash_iterator_next (&hi)))
816 {
817 struct gc_arena gc = gc_new ();
818 const struct multi_route *route = (struct multi_route *) he->value;
819
820 if (multi_route_defined (m, route))
821 {
822 const struct multi_instance *mi = route->instance;
823 const struct mroute_addr *ma = &route->addr;
824 char flags[2] = {0, 0};
825
826 if (route->flags & MULTI_ROUTE_CACHE)
827 flags[0] = 'C';
828 status_printf (so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
829 sep, mroute_addr_print (ma, &gc), flags,
830 sep, tls_common_name (mi->context.c2.tls_multi, false),
831 sep, mroute_addr_print (&mi->real, &gc),
832 sep, time_string (route->last_reference, 0, false, &gc),
833 sep, (unsigned int)route->last_reference);
834 }
835 gc_free (&gc);
836 }
837 hash_iterator_free (&hi);
838
839 if (m->mbuf)
840 status_printf (so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
841 sep, sep, mbuf_maximum_queued (m->mbuf));
842
843 status_printf (so, "END");
844 }
845 else
846 {
847 status_printf (so, "ERROR: bad status format version number");
848 }
849
850 #ifdef PACKET_TRUNCATION_CHECK
851 {
852 status_printf (so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
853 hash_iterator_init (m->hash, &hi, true);
854 while ((he = hash_iterator_next (&hi)))
855 {
856 struct gc_arena gc = gc_new ();
857 const struct multi_instance *mi = (struct multi_instance *) he->value;
858
859 if (!mi->halt)
860 {
861 status_printf (so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
862 tls_common_name (mi->context.c2.tls_multi, false),
863 m->top.c2.n_trunc_tun_read,
864 mi->context.c2.n_trunc_tun_write,
865 mi->context.c2.n_trunc_pre_encrypt,
866 mi->context.c2.n_trunc_post_decrypt);
867 }
868 gc_free (&gc);
869 }
870 hash_iterator_free (&hi);
871 }
872 #endif
873
874 status_flush (so);
875 gc_free (&gc_top);
876 }
877 }
878
879 /*
880 * Learn a virtual address or route.
881 * The learn will fail if the learn address
882 * script/plugin fails. In this case the
883 * return value may be != mi.
884 * Return the instance which owns this route,
885 * or NULL if none.
886 */
887 static struct multi_instance *
888 multi_learn_addr (struct multi_context *m,
889 struct multi_instance *mi,
890 const struct mroute_addr *addr,
891 const unsigned int flags)
892 {
893 struct hash_element *he;
894 const uint32_t hv = hash_value (m->vhash, addr);
895 struct hash_bucket *bucket = hash_bucket (m->vhash, hv);
896 struct multi_route *oldroute = NULL;
897 struct multi_instance *owner = NULL;
898
899 hash_bucket_lock (bucket);
900
901 /* if route currently exists, get the instance which owns it */
902 he = hash_lookup_fast (m->vhash, bucket, addr, hv);
903 if (he)
904 oldroute = (struct multi_route *) he->value;
905 if (oldroute && multi_route_defined (m, oldroute))
906 owner = oldroute->instance;
907
908 /* do we need to add address to hash table? */
909 if ((!owner || owner != mi)
910 && mroute_learnable_address (addr)
911 && !mroute_addr_equal (addr, &m->local))
912 {
913 struct gc_arena gc = gc_new ();
914 struct multi_route *newroute;
915 bool learn_succeeded = false;
916
917 ALLOC_OBJ (newroute, struct multi_route);
918 newroute->addr = *addr;
919 newroute->instance = mi;
920 newroute->flags = flags;
921 newroute->last_reference = now;
922 newroute->cache_generation = 0;
923
924 /* The cache is invalidated when cache_generation is incremented */
925 if (flags & MULTI_ROUTE_CACHE)
926 newroute->cache_generation = m->route_helper->cache_generation;
927
928 if (oldroute) /* route already exists? */
929 {
930 if (route_quota_test (m, mi) && learn_address_script (m, mi, "update", &newroute->addr))
931 {
932 learn_succeeded = true;
933 owner = mi;
934 multi_instance_inc_refcount (mi);
935 route_quota_inc (mi);
936
937 /* delete old route */
938 multi_route_del (oldroute);
939
940 /* modify hash table entry, replacing old route */
941 he->key = &newroute->addr;
942 he->value = newroute;
943 }
944 }
945 else
946 {
947 if (route_quota_test (m, mi) && learn_address_script (m, mi, "add", &newroute->addr))
948 {
949 learn_succeeded = true;
950 owner = mi;
951 multi_instance_inc_refcount (mi);
952 route_quota_inc (mi);
953
954 /* add new route */
955 hash_add_fast (m->vhash, bucket, &newroute->addr, hv, newroute);
956 }
957 }
958
959 msg (D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
960 learn_succeeded ? "" : " FAILED",
961 mroute_addr_print (&newroute->addr, &gc),
962 multi_instance_string (mi, false, &gc));
963
964 if (!learn_succeeded)
965 free (newroute);
966
967 gc_free (&gc);
968 }
969
970 hash_bucket_unlock (bucket);
971 return owner;
972 }
973
974 /*
975 * Get client instance based on virtual address.
976 */
977 static struct multi_instance *
978 multi_get_instance_by_virtual_addr (struct multi_context *m,
979 const struct mroute_addr *addr,
980 bool cidr_routing)
981 {
982 struct multi_route *route;
983 struct multi_instance *ret = NULL;
984
985 /* check for local address */
986 if (mroute_addr_equal (addr, &m->local))
987 return NULL;
988
989 route = (struct multi_route *) hash_lookup (m->vhash, addr);
990
991 /* does host route (possible cached) exist? */
992 if (route && multi_route_defined (m, route))
993 {
994 struct multi_instance *mi = route->instance;
995 route->last_reference = now;
996 ret = mi;
997 }
998 else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
999 {
1000 struct mroute_helper *rh = m->route_helper;
1001 struct mroute_addr tryaddr;
1002 int i;
1003
1004 mroute_helper_lock (rh);
1005
1006 /* cycle through each CIDR length */
1007 for (i = 0; i < rh->n_net_len; ++i)
1008 {
1009 tryaddr = *addr;
1010 tryaddr.type |= MR_WITH_NETBITS;
1011 tryaddr.netbits = rh->net_len[i];
1012 mroute_addr_mask_host_bits (&tryaddr);
1013
1014 /* look up a possible route with netbits netmask */
1015 route = (struct multi_route *) hash_lookup (m->vhash, &tryaddr);
1016
1017 if (route && multi_route_defined (m, route))
1018 {
1019 /* found an applicable route, cache host route */
1020 struct multi_instance *mi = route->instance;
1021 multi_learn_addr (m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1022 ret = mi;
1023 break;
1024 }
1025 }
1026
1027 mroute_helper_unlock (rh);
1028 }
1029
1030 #ifdef ENABLE_DEBUG
1031 if (check_debug_level (D_MULTI_DEBUG))
1032 {
1033 struct gc_arena gc = gc_new ();
1034 const char *addr_text = mroute_addr_print (addr, &gc);
1035 if (ret)
1036 {
1037 dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1038 addr_text,
1039 multi_instance_string (ret, false, &gc),
1040 mroute_addr_print (&route->addr, &gc));
1041 }
1042 else
1043 {
1044 dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1045 addr_text);
1046 }
1047 gc_free (&gc);
1048 }
1049 #endif
1050
1051 ASSERT (!(ret && ret->halt));
1052 return ret;
1053 }
1054
1055 /*
1056 * Helper function to multi_learn_addr().
1057 */
1058 static struct multi_instance *
1059 multi_learn_in_addr_t (struct multi_context *m,
1060 struct multi_instance *mi,
1061 in_addr_t a,
1062 int netbits, /* -1 if host route, otherwise # of network bits in address */
1063 bool primary)
1064 {
1065 struct openvpn_sockaddr remote_si;
1066 struct mroute_addr addr;
1067
1068 CLEAR (remote_si);
1069 remote_si.sa.sin_family = AF_INET;
1070 remote_si.sa.sin_addr.s_addr = htonl (a);
1071 ASSERT (mroute_extract_openvpn_sockaddr (&addr, &remote_si, false));
1072
1073 if (netbits >= 0)
1074 {
1075 addr.type |= MR_WITH_NETBITS;
1076 addr.netbits = (uint8_t) netbits;
1077 }
1078
1079 {
1080 struct multi_instance *owner = multi_learn_addr (m, mi, &addr, 0);
1081 #ifdef MANAGEMENT_DEF_AUTH
1082 if (management && owner)
1083 management_learn_addr (management, &mi->context.c2.mda_context, &addr, primary);
1084 #endif
1085 return owner;
1086 }
1087 }
1088
1089 /*
1090 * A new client has connected, add routes (server -> client)
1091 * to internal routing table.
1092 */
1093 static void
1094 multi_add_iroutes (struct multi_context *m,
1095 struct multi_instance *mi)
1096 {
1097 struct gc_arena gc = gc_new ();
1098 const struct iroute *ir;
1099 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1100 {
1101 mi->did_iroutes = true;
1102 for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1103 {
1104 if (ir->netbits >= 0)
1105 msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1106 print_in_addr_t (ir->network, 0, &gc),
1107 ir->netbits,
1108 multi_instance_string (mi, false, &gc));
1109 else
1110 msg (D_MULTI_LOW, "MULTI: internal route %s -> %s",
1111 print_in_addr_t (ir->network, 0, &gc),
1112 multi_instance_string (mi, false, &gc));
1113
1114 mroute_helper_add_iroute (m->route_helper, ir);
1115
1116 multi_learn_in_addr_t (m, mi, ir->network, ir->netbits, false);
1117 }
1118 }
1119 gc_free (&gc);
1120 }
1121
1122 /*
1123 * Given an instance (new_mi), delete all other instances which use the
1124 * same common name.
1125 */
1126 static void
1127 multi_delete_dup (struct multi_context *m, struct multi_instance *new_mi)
1128 {
1129 if (new_mi)
1130 {
1131 const char *new_cn = tls_common_name (new_mi->context.c2.tls_multi, true);
1132 if (new_cn)
1133 {
1134 struct hash_iterator hi;
1135 struct hash_element *he;
1136 int count = 0;
1137
1138 hash_iterator_init (m->iter, &hi, true);
1139 while ((he = hash_iterator_next (&hi)))
1140 {
1141 struct multi_instance *mi = (struct multi_instance *) he->value;
1142 if (mi != new_mi && !mi->halt)
1143 {
1144 const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
1145 if (cn && !strcmp (cn, new_cn))
1146 {
1147 mi->did_iter = false;
1148 multi_close_instance (m, mi, false);
1149 hash_iterator_delete_element (&hi);
1150 ++count;
1151 }
1152 }
1153 }
1154 hash_iterator_free (&hi);
1155
1156 if (count)
1157 msg (D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1158 }
1159 }
1160 }
1161
1162 /*
1163 * Ensure that endpoint to be pushed to client
1164 * complies with --ifconfig-push-constraint directive.
1165 */
1166 static bool
1167 ifconfig_push_constraint_satisfied (const struct context *c)
1168 {
1169 const struct options *o = &c->options;
1170 if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1171 return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1172 else
1173 return true;
1174 }
1175
1176 /*
1177 * Select a virtual address for a new client instance.
1178 * Use an --ifconfig-push directive, if given (static IP).
1179 * Otherwise use an --ifconfig-pool address (dynamic IP).
1180 */
1181 static void
1182 multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi)
1183 {
1184 struct gc_arena gc = gc_new ();
1185
1186 /*
1187 * If ifconfig addresses were set by dynamic config file,
1188 * release pool addresses, otherwise keep them.
1189 */
1190 if (mi->context.options.push_ifconfig_defined)
1191 {
1192 /* ifconfig addresses were set statically,
1193 release dynamic allocation */
1194 if (mi->vaddr_handle >= 0)
1195 {
1196 ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, true);
1197 mi->vaddr_handle = -1;
1198 }
1199
1200 mi->context.c2.push_ifconfig_defined = true;
1201 mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1202 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1203 }
1204 else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1205 {
1206 in_addr_t local=0, remote=0;
1207 const char *cn = NULL;
1208
1209 if (!mi->context.options.duplicate_cn)
1210 cn = tls_common_name (mi->context.c2.tls_multi, true);
1211
1212 mi->vaddr_handle = ifconfig_pool_acquire (m->ifconfig_pool, &local, &remote, cn);
1213 if (mi->vaddr_handle >= 0)
1214 {
1215 const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1216 const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1217
1218 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1219 mi->context.c2.push_ifconfig_local = remote;
1220 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1221 {
1222 mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1223 if (!mi->context.c2.push_ifconfig_remote_netmask)
1224 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1225 }
1226 else if (tunnel_type == DEV_TYPE_TUN)
1227 {
1228 if (tunnel_topology == TOP_P2P)
1229 mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1230 else if (tunnel_topology == TOP_NET30)
1231 mi->context.c2.push_ifconfig_remote_netmask = local;
1232 }
1233
1234 if (mi->context.c2.push_ifconfig_remote_netmask)
1235 mi->context.c2.push_ifconfig_defined = true;
1236 else
1237 msg (D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1238 multi_instance_string (mi, false, &gc));
1239 }
1240 else
1241 {
1242 msg (D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1243 }
1244 }
1245 gc_free (&gc);
1246 }
1247
1248 /*
1249 * Set virtual address environmental variables.
1250 */
1251 static void
1252 multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi)
1253 {
1254 setenv_del (mi->context.c2.es, "ifconfig_pool_local_ip");
1255 setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip");
1256 setenv_del (mi->context.c2.es, "ifconfig_pool_netmask");
1257
1258 if (mi->context.c2.push_ifconfig_defined)
1259 {
1260 const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1261 const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1262
1263 setenv_in_addr_t (mi->context.c2.es,
1264 "ifconfig_pool_remote_ip",
1265 mi->context.c2.push_ifconfig_local,
1266 SA_SET_IF_NONZERO);
1267
1268 if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1269 {
1270 setenv_in_addr_t (mi->context.c2.es,
1271 "ifconfig_pool_netmask",
1272 mi->context.c2.push_ifconfig_remote_netmask,
1273 SA_SET_IF_NONZERO);
1274 }
1275 else if (tunnel_type == DEV_TYPE_TUN)
1276 {
1277 setenv_in_addr_t (mi->context.c2.es,
1278 "ifconfig_pool_local_ip",
1279 mi->context.c2.push_ifconfig_remote_netmask,
1280 SA_SET_IF_NONZERO);
1281 }
1282 }
1283 }
1284
1285 /*
1286 * Called after client-connect script is called
1287 */
1288 static void
1289 multi_client_connect_post (struct multi_context *m,
1290 struct multi_instance *mi,
1291 const char *dc_file,
1292 unsigned int option_permissions_mask,
1293 unsigned int *option_types_found)
1294 {
1295 /* Did script generate a dynamic config file? */
1296 if (test_file (dc_file))
1297 {
1298 options_server_import (&mi->context.options,
1299 dc_file,
1300 D_IMPORT_ERRORS|M_OPTERR,
1301 option_permissions_mask,
1302 option_types_found,
1303 mi->context.c2.es);
1304
1305 if (!delete_file (dc_file))
1306 msg (D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1307 dc_file);
1308
1309 /*
1310 * If the --client-connect script generates a config file
1311 * with an --ifconfig-push directive, it will override any
1312 * --ifconfig-push directive from the --client-config-dir
1313 * directory or any --ifconfig-pool dynamic address.
1314 */
1315 multi_select_virtual_addr (m, mi);
1316 multi_set_virtual_addr_env (m, mi);
1317 }
1318 }
1319
1320 #ifdef ENABLE_PLUGIN
1321
1322 /*
1323 * Called after client-connect plug-in is called
1324 */
1325 static void
1326 multi_client_connect_post_plugin (struct multi_context *m,
1327 struct multi_instance *mi,
1328 const struct plugin_return *pr,
1329 unsigned int option_permissions_mask,
1330 unsigned int *option_types_found)
1331 {
1332 struct plugin_return config;
1333
1334 plugin_return_get_column (pr, &config, "config");
1335
1336 /* Did script generate a dynamic config file? */
1337 if (plugin_return_defined (&config))
1338 {
1339 int i;
1340 for (i = 0; i < config.n; ++i)
1341 {
1342 if (config.list[i] && config.list[i]->value)
1343 options_string_import (&mi->context.options,
1344 config.list[i]->value,
1345 D_IMPORT_ERRORS|M_OPTERR,
1346 option_permissions_mask,
1347 option_types_found,
1348 mi->context.c2.es);
1349 }
1350
1351 /*
1352 * If the --client-connect script generates a config file
1353 * with an --ifconfig-push directive, it will override any
1354 * --ifconfig-push directive from the --client-config-dir
1355 * directory or any --ifconfig-pool dynamic address.
1356 */
1357 multi_select_virtual_addr (m, mi);
1358 multi_set_virtual_addr_env (m, mi);
1359 }
1360 }
1361
1362 #endif
1363
1364 #ifdef MANAGEMENT_DEF_AUTH
1365
1366 /*
1367 * Called to load management-derived client-connect config
1368 */
1369 static void
1370 multi_client_connect_mda (struct multi_context *m,
1371 struct multi_instance *mi,
1372 const struct buffer_list *config,
1373 unsigned int option_permissions_mask,
1374 unsigned int *option_types_found)
1375 {
1376 if (config)
1377 {
1378 struct buffer_entry *be;
1379
1380 for (be = config->head; be != NULL; be = be->next)
1381 {
1382 const char *opt = BSTR(&be->buf);
1383 options_string_import (&mi->context.options,
1384 opt,
1385 D_IMPORT_ERRORS|M_OPTERR,
1386 option_permissions_mask,
1387 option_types_found,
1388 mi->context.c2.es);
1389 }
1390
1391 /*
1392 * If the --client-connect script generates a config file
1393 * with an --ifconfig-push directive, it will override any
1394 * --ifconfig-push directive from the --client-config-dir
1395 * directory or any --ifconfig-pool dynamic address.
1396 */
1397 multi_select_virtual_addr (m, mi);
1398 multi_set_virtual_addr_env (m, mi);
1399 }
1400 }
1401
1402 #endif
1403
1404 static void
1405 multi_client_connect_setenv (struct multi_context *m,
1406 struct multi_instance *mi)
1407 {
1408 struct gc_arena gc = gc_new ();
1409
1410 /* setenv incoming cert common name for script */
1411 setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi, true));
1412
1413 /* setenv client real IP address */
1414 setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
1415
1416 /* setenv client virtual IP address */
1417 multi_set_virtual_addr_env (m, mi);
1418
1419 /* setenv connection time */
1420 {
1421 const char *created_ascii = time_string (mi->created, 0, false, &gc);
1422 setenv_str (mi->context.c2.es, "time_ascii", created_ascii);
1423 setenv_unsigned (mi->context.c2.es, "time_unix", (unsigned int)mi->created);
1424 }
1425
1426 gc_free (&gc);
1427 }
1428
1429 /*
1430 * Called as soon as the SSL/TLS connection authenticates.
1431 *
1432 * Instance-specific directives to be processed:
1433 *
1434 * iroute start-ip end-ip
1435 * ifconfig-push local remote-netmask
1436 * push
1437 */
1438 static void
1439 multi_connection_established (struct multi_context *m, struct multi_instance *mi)
1440 {
1441 if (tls_authentication_status (mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED)
1442 {
1443 struct gc_arena gc = gc_new ();
1444 unsigned int option_types_found = 0;
1445
1446 const unsigned int option_permissions_mask =
1447 OPT_P_INSTANCE
1448 | OPT_P_INHERIT
1449 | OPT_P_PUSH
1450 | OPT_P_TIMER
1451 | OPT_P_CONFIG
1452 | OPT_P_ECHO
1453 | OPT_P_COMP
1454 | OPT_P_SOCKFLAGS;
1455
1456 int cc_succeeded = true; /* client connect script status */
1457 int cc_succeeded_count = 0;
1458
1459 ASSERT (mi->context.c1.tuntap);
1460
1461 /* lock down the common name so it can't change during future TLS renegotiations */
1462 tls_lock_common_name (mi->context.c2.tls_multi);
1463
1464 /* generate a msg() prefix for this client instance */
1465 generate_prefix (mi);
1466
1467 /* delete instances of previous clients with same common-name */
1468 if (!mi->context.options.duplicate_cn)
1469 multi_delete_dup (m, mi);
1470
1471 /* reset pool handle to null */
1472 mi->vaddr_handle = -1;
1473
1474 /*
1475 * Try to source a dynamic config file from the
1476 * --client-config-dir directory.
1477 */
1478 if (mi->context.options.client_config_dir)
1479 {
1480 const char *ccd_file;
1481
1482 ccd_file = gen_path (mi->context.options.client_config_dir,
1483 tls_common_name (mi->context.c2.tls_multi, false),
1484 &gc);
1485
1486 /* try common-name file */
1487 if (test_file (ccd_file))
1488 {
1489 options_server_import (&mi->context.options,
1490 ccd_file,
1491 D_IMPORT_ERRORS|M_OPTERR,
1492 option_permissions_mask,
1493 &option_types_found,
1494 mi->context.c2.es);
1495 }
1496 else /* try default file */
1497 {
1498 ccd_file = gen_path (mi->context.options.client_config_dir,
1499 CCD_DEFAULT,
1500 &gc);
1501
1502 if (test_file (ccd_file))
1503 {
1504 options_server_import (&mi->context.options,
1505 ccd_file,
1506 D_IMPORT_ERRORS|M_OPTERR,
1507 option_permissions_mask,
1508 &option_types_found,
1509 mi->context.c2.es);
1510 }
1511 }
1512 }
1513
1514 /*
1515 * Select a virtual address from either --ifconfig-push in --client-config-dir file
1516 * or --ifconfig-pool.
1517 */
1518 multi_select_virtual_addr (m, mi);
1519
1520 /* do --client-connect setenvs */
1521 multi_client_connect_setenv (m, mi);
1522
1523 #ifdef ENABLE_PLUGIN
1524 /*
1525 * Call client-connect plug-in.
1526 */
1527
1528 /* deprecated callback, use a file for passing back return info */
1529 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
1530 {
1531 struct argv argv = argv_new ();
1532 const char *dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1533 argv_printf (&argv, "%s", dc_file);
1534 delete_file (dc_file);
1535 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1536 {
1537 msg (M_WARN, "WARNING: client-connect plugin call failed");
1538 cc_succeeded = false;
1539 }
1540 else
1541 {
1542 multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1543 ++cc_succeeded_count;
1544 }
1545 argv_reset (&argv);
1546 }
1547
1548 /* V2 callback, use a plugin_return struct for passing back return info */
1549 if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2))
1550 {
1551 struct plugin_return pr;
1552
1553 plugin_return_init (&pr);
1554
1555 if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1556 {
1557 msg (M_WARN, "WARNING: client-connect-v2 plugin call failed");
1558 cc_succeeded = false;
1559 }
1560 else
1561 {
1562 multi_client_connect_post_plugin (m, mi, &pr, option_permissions_mask, &option_types_found);
1563 ++cc_succeeded_count;
1564 }
1565
1566 plugin_return_free (&pr);
1567 }
1568 #endif
1569
1570 /*
1571 * Run --client-connect script.
1572 */
1573 if (mi->context.options.client_connect_script && cc_succeeded)
1574 {
1575 struct argv argv = argv_new ();
1576 const char *dc_file = NULL;
1577
1578 setenv_str (mi->context.c2.es, "script_type", "client-connect");
1579
1580 dc_file = create_temp_filename (mi->context.options.tmp_dir, "cc", &gc);
1581
1582 delete_file (dc_file);
1583
1584 argv_printf (&argv, "%sc %s",
1585 mi->context.options.client_connect_script,
1586 dc_file);
1587
1588 if (openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-connect command failed"))
1589 {
1590 multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1591 ++cc_succeeded_count;
1592 }
1593 else
1594 cc_succeeded = false;
1595
1596 argv_reset (&argv);
1597 }
1598
1599 /*
1600 * Check for client-connect script left by management interface client
1601 */
1602 #ifdef MANAGEMENT_DEF_AUTH
1603 if (cc_succeeded && mi->cc_config)
1604 {
1605 multi_client_connect_mda (m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1606 ++cc_succeeded_count;
1607 }
1608 #endif
1609
1610 /*
1611 * Check for "disable" directive in client-config-dir file
1612 * or config file generated by --client-connect script.
1613 */
1614 if (mi->context.options.disable)
1615 {
1616 msg (D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1617 cc_succeeded = false;
1618 }
1619
1620 if (cc_succeeded)
1621 {
1622 /*
1623 * Process sourced options.
1624 */
1625 do_deferred_options (&mi->context, option_types_found);
1626
1627 /*
1628 * make sure we got ifconfig settings from somewhere
1629 */
1630 if (!mi->context.c2.push_ifconfig_defined)
1631 {
1632 msg (D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
1633 multi_instance_string (mi, false, &gc));
1634 }
1635
1636 /*
1637 * make sure that ifconfig settings comply with constraints
1638 */
1639 if (!ifconfig_push_constraint_satisfied (&mi->context))
1640 {
1641 /* JYFIXME -- this should cause the connection to fail */
1642 msg (D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
1643 multi_instance_string (mi, false, &gc),
1644 print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc),
1645 print_in_addr_t (mi->context.options.push_ifconfig_constraint_network, 0, &gc),
1646 print_in_addr_t (mi->context.options.push_ifconfig_constraint_netmask, 0, &gc));
1647 }
1648
1649 /*
1650 * For routed tunnels, set up internal route to endpoint
1651 * plus add all iroute routes.
1652 */
1653 if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1654 {
1655 if (mi->context.c2.push_ifconfig_defined)
1656 {
1657 multi_learn_in_addr_t (m, mi, mi->context.c2.push_ifconfig_local, -1, true);
1658 msg (D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
1659 multi_instance_string (mi, false, &gc),
1660 print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc));
1661 }
1662
1663 /* add routes locally, pointing to new client, if
1664 --iroute options have been specified */
1665 multi_add_iroutes (m, mi);
1666
1667 /*
1668 * iroutes represent subnets which are "owned" by a particular
1669 * client. Therefore, do not actually push a route to a client
1670 * if it matches one of the client's iroutes.
1671 */
1672 remove_iroutes_from_push_route_list (&mi->context.options);
1673 }
1674 else if (mi->context.options.iroutes)
1675 {
1676 msg (D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
1677 multi_instance_string (mi, false, &gc));
1678 }
1679
1680 /* set our client's VPN endpoint for status reporting purposes */
1681 mi->reporting_addr = mi->context.c2.push_ifconfig_local;
1682
1683 /* set context-level authentication flag */
1684 mi->context.c2.context_auth = CAS_SUCCEEDED;
1685 }
1686 else
1687 {
1688 /* set context-level authentication flag */
1689 mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
1690 }
1691
1692 /* set flag so we don't get called again */
1693 mi->connection_established_flag = true;
1694
1695 /* increment number of current authenticated clients */
1696 ++m->n_clients;
1697 --mi->n_clients_delta;
1698
1699 #ifdef MANAGEMENT_DEF_AUTH
1700 if (management)
1701 management_connection_established (management, &mi->context.c2.mda_context, mi->context.c2.es);
1702 #endif
1703
1704 gc_free (&gc);
1705 }
1706
1707 /*
1708 * Reply now to client's PUSH_REQUEST query
1709 */
1710 mi->context.c2.push_reply_deferred = false;
1711 }
1712
1713 /*
1714 * Add a mbuf buffer to a particular
1715 * instance.
1716 */
1717 void
1718 multi_add_mbuf (struct multi_context *m,
1719 struct multi_instance *mi,
1720 struct mbuf_buffer *mb)
1721 {
1722 if (multi_output_queue_ready (m, mi))
1723 {
1724 struct mbuf_item item;
1725 item.buffer = mb;
1726 item.instance = mi;
1727 mbuf_add_item (m->mbuf, &item);
1728 }
1729 else
1730 {
1731 msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
1732 }
1733 }
1734
1735 /*
1736 * Add a packet to a client instance output queue.
1737 */
1738 static inline void
1739 multi_unicast (struct multi_context *m,
1740 const struct buffer *buf,
1741 struct multi_instance *mi)
1742 {
1743 struct mbuf_buffer *mb;
1744
1745 if (BLEN (buf) > 0)
1746 {
1747 mb = mbuf_alloc_buf (buf);
1748 mb->flags = MF_UNICAST;
1749 multi_add_mbuf (m, mi, mb);
1750 mbuf_free_buf (mb);
1751 }
1752 }
1753
1754 /*
1755 * Broadcast a packet to all clients.
1756 */
1757 static void
1758 multi_bcast (struct multi_context *m,
1759 const struct buffer *buf,
1760 const struct multi_instance *sender_instance,
1761 const struct mroute_addr *sender_addr)
1762 {
1763 struct hash_iterator hi;
1764 struct hash_element *he;
1765 struct multi_instance *mi;
1766 struct mbuf_buffer *mb;
1767
1768 if (BLEN (buf) > 0)
1769 {
1770 perf_push (PERF_MULTI_BCAST);
1771 #ifdef MULTI_DEBUG_EVENT_LOOP
1772 printf ("BCAST len=%d\n", BLEN (buf));
1773 #endif
1774 mb = mbuf_alloc_buf (buf);
1775 hash_iterator_init (m->iter, &hi, true);
1776
1777 while ((he = hash_iterator_next (&hi)))
1778 {
1779 mi = (struct multi_instance *) he->value;
1780 if (mi != sender_instance && !mi->halt)
1781 {
1782 #ifdef ENABLE_PF
1783 if (sender_instance)
1784 {
1785 if (!pf_c2c_test (&sender_instance->context, &mi->context, "bcast_c2c"))
1786 {
1787 msg (D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
1788 mi_prefix (sender_instance),
1789 mi_prefix (mi));
1790 continue;
1791 }
1792 }
1793 if (sender_addr)
1794 {
1795 if (!pf_addr_test (&mi->context, sender_addr, "bcast_src_addr"))
1796 {
1797 struct gc_arena gc = gc_new ();
1798 msg (D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
1799 mroute_addr_print_ex (sender_addr, MAPF_SHOW_ARP, &gc),
1800 mi_prefix (mi));
1801 gc_free (&gc);
1802 continue;
1803 }
1804 }
1805 #endif
1806 multi_add_mbuf (m, mi, mb);
1807 }
1808 }
1809
1810 hash_iterator_free (&hi);
1811 mbuf_free_buf (mb);
1812 perf_pop ();
1813 }
1814 }
1815
1816 /*
1817 * Given a time delta, indicating that we wish to be
1818 * awoken by the scheduler at time now + delta, figure
1819 * a sigma parameter (in microseconds) that represents
1820 * a sort of fuzz factor around delta, so that we're
1821 * really telling the scheduler to wake us up any time
1822 * between now + delta - sigma and now + delta + sigma.
1823 *
1824 * The sigma parameter helps the scheduler to run more efficiently.
1825 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
1826 */
1827 static inline unsigned int
1828 compute_wakeup_sigma (const struct timeval *delta)
1829 {
1830 if (delta->tv_sec < 1)
1831 {
1832 /* if < 1 sec, fuzz = # of microseconds / 8 */
1833 return delta->tv_usec >> 3;
1834 }
1835 else
1836 {
1837 /* if < 10 minutes, fuzz = 13.1% of timeout */
1838 if (delta->tv_sec < 600)
1839 return delta->tv_sec << 17;
1840 else
1841 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
1842 }
1843 }
1844
1845 /*
1846 * Figure instance-specific timers, convert
1847 * earliest to absolute time in mi->wakeup,
1848 * call scheduler with our future wakeup time.
1849 *
1850 * Also close context on signal.
1851 */
1852 bool
1853 multi_process_post (struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
1854 {
1855 bool ret = true;
1856
1857 if (!IS_SIG (&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT (&mi->context))))
1858 {
1859 /* figure timeouts and fetch possible outgoing
1860 to_link packets (such as ping or TLS control) */
1861 pre_select (&mi->context);
1862
1863 if (!IS_SIG (&mi->context))
1864 {
1865 /* calculate an absolute wakeup time */
1866 ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
1867 tv_add (&mi->wakeup, &mi->context.c2.timeval);
1868
1869 /* tell scheduler to wake us up at some point in the future */
1870 schedule_add_entry (m->schedule,
1871 (struct schedule_entry *) mi,
1872 &mi->wakeup,
1873 compute_wakeup_sigma (&mi->context.c2.timeval));
1874
1875 /* connection is "established" when SSL/TLS key negotiation succeeds
1876 and (if specified) auth user/pass succeeds */
1877 if (!mi->connection_established_flag && CONNECTION_ESTABLISHED (&mi->context))
1878 multi_connection_established (m, mi);
1879 }
1880 }
1881
1882 if (IS_SIG (&mi->context))
1883 {
1884 if (flags & MPP_CLOSE_ON_SIGNAL)
1885 {
1886 multi_close_instance_on_signal (m, mi);
1887 ret = false;
1888 }
1889 }
1890 else
1891 {
1892 /* continue to pend on output? */
1893 multi_set_pending (m, ANY_OUT (&mi->context) ? mi : NULL);
1894
1895 #ifdef MULTI_DEBUG_EVENT_LOOP
1896 printf ("POST %s[%d] to=%d lo=%d/%d w=%d/%d\n",
1897 id(mi),
1898 (int) (mi == m->pending),
1899 mi ? mi->context.c2.to_tun.len : -1,
1900 mi ? mi->context.c2.to_link.len : -1,
1901 (mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
1902 (int)mi->context.c2.timeval.tv_sec,
1903 (int)mi->context.c2.timeval.tv_usec);
1904 #endif
1905 }
1906
1907 if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
1908 *m->mpp_touched = mi;
1909
1910 return ret;
1911 }
1912
1913 /*
1914 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
1915 * i.e. client -> server direction.
1916 */
1917 bool
1918 multi_process_incoming_link (struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
1919 {
1920 struct gc_arena gc = gc_new ();
1921
1922 struct context *c;
1923 struct mroute_addr src, dest;
1924 unsigned int mroute_flags;
1925 struct multi_instance *mi;
1926 bool ret = true;
1927
1928 if (m->pending)
1929 return true;
1930
1931 if (!instance)
1932 {
1933 #ifdef MULTI_DEBUG_EVENT_LOOP
1934 printf ("TCP/UDP -> TUN [%d]\n", BLEN (&m->top.c2.buf));
1935 #endif
1936 multi_set_pending (m, multi_get_create_instance_udp (m));
1937 }
1938 else
1939 multi_set_pending (m, instance);
1940
1941 if (m->pending)
1942 {
1943 set_prefix (m->pending);
1944
1945 /* get instance context */
1946 c = &m->pending->context;
1947
1948 if (!instance)
1949 {
1950 /* transfer packet pointer from top-level context buffer to instance */
1951 c->c2.buf = m->top.c2.buf;
1952
1953 /* transfer from-addr from top-level context buffer to instance */
1954 c->c2.from = m->top.c2.from;
1955 }
1956
1957 if (BLEN (&c->c2.buf) > 0)
1958 {
1959 /* decrypt in instance context */
1960 process_incoming_link (c);
1961
1962 if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TUN)
1963 {
1964 /* extract packet source and dest addresses */
1965 mroute_flags = mroute_extract_addr_from_packet (&src,
1966 &dest,
1967 NULL,
1968 NULL,
1969 &c->c2.to_tun,
1970 DEV_TYPE_TUN);
1971
1972 /* drop packet if extract failed */
1973 if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
1974 {
1975 c->c2.to_tun.len = 0;
1976 }
1977 /* make sure that source address is associated with this client */
1978 else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
1979 {
1980 msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
1981 mroute_addr_print (&src, &gc));
1982 c->c2.to_tun.len = 0;
1983 }
1984 /* client-to-client communication enabled? */
1985 else if (m->enable_c2c)
1986 {
1987 /* multicast? */
1988 if (mroute_flags & MROUTE_EXTRACT_MCAST)
1989 {
1990 /* for now, treat multicast as broadcast */
1991 multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
1992 }
1993 else /* possible client to client routing */
1994 {
1995 ASSERT (!(mroute_flags & MROUTE_EXTRACT_BCAST));
1996 mi = multi_get_instance_by_virtual_addr (m, &dest, true);
1997
1998 /* if dest addr is a known client, route to it */
1999 if (mi)
2000 {
2001 #ifdef ENABLE_PF
2002 if (!pf_c2c_test (c, &mi->context, "tun_c2c"))
2003 {
2004 msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2005 mi_prefix (mi));
2006 }
2007 else
2008 #endif
2009 {
2010 multi_unicast (m, &c->c2.to_tun, mi);
2011 register_activity (c, BLEN(&c->c2.to_tun));
2012 }
2013 c->c2.to_tun.len = 0;
2014 }
2015 }
2016 }
2017 #ifdef ENABLE_PF
2018 if (c->c2.to_tun.len && !pf_addr_test (c, &dest, "tun_dest_addr"))
2019 {
2020 msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2021 mroute_addr_print_ex (&dest, MAPF_SHOW_ARP, &gc));
2022 c->c2.to_tun.len = 0;
2023 }
2024 #endif
2025 }
2026 else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)
2027 {
2028 #ifdef ENABLE_PF
2029 struct mroute_addr edest;
2030 mroute_addr_reset (&edest);
2031 #endif
2032 /* extract packet source and dest addresses */
2033 mroute_flags = mroute_extract_addr_from_packet (&src,
2034 &dest,
2035 NULL,
2036 #ifdef ENABLE_PF
2037 &edest,
2038 #else
2039 NULL,
2040 #endif
2041 &c->c2.to_tun,
2042 DEV_TYPE_TAP);
2043
2044 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2045 {
2046 if (multi_learn_addr (m, m->pending, &src, 0) == m->pending)
2047 {
2048 /* check for broadcast */
2049 if (m->enable_c2c)
2050 {
2051 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2052 {
2053 multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
2054 }
2055 else /* try client-to-client routing */
2056 {
2057 mi = multi_get_instance_by_virtual_addr (m, &dest, false);
2058
2059 /* if dest addr is a known client, route to it */
2060 if (mi)
2061 {
2062 #ifdef ENABLE_PF
2063 if (!pf_c2c_test (c, &mi->context, "tap_c2c"))
2064 {
2065 msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2066 mi_prefix (mi));
2067 }
2068 else
2069 #endif
2070 {
2071 multi_unicast (m, &c->c2.to_tun, mi);
2072 register_activity (c, BLEN(&c->c2.to_tun));
2073 }
2074 c->c2.to_tun.len = 0;
2075 }
2076 }
2077 }
2078 #ifdef ENABLE_PF
2079 if (c->c2.to_tun.len && !pf_addr_test (c, &edest, "tap_dest_addr"))
2080 {
2081 msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2082 mroute_addr_print_ex (&edest, MAPF_SHOW_ARP, &gc));
2083 c->c2.to_tun.len = 0;
2084 }
2085 #endif
2086 }
2087 else
2088 {
2089 msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2090 mroute_addr_print (&src, &gc));
2091 c->c2.to_tun.len = 0;
2092 }
2093 }
2094 else
2095 {
2096 c->c2.to_tun.len = 0;
2097 }
2098 }
2099 }
2100
2101 /* postprocess and set wakeup */
2102 ret = multi_process_post (m, m->pending, mpp_flags);
2103
2104 clear_prefix ();
2105 }
2106
2107 gc_free (&gc);
2108 return ret;
2109 }
2110
2111 /*
2112 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2113 * i.e. server -> client direction.
2114 */
2115 bool
2116 multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flags)
2117 {
2118 struct gc_arena gc = gc_new ();
2119 bool ret = true;
2120
2121 if (BLEN (&m->top.c2.buf) > 0)
2122 {
2123 unsigned int mroute_flags;
2124 struct mroute_addr src, dest;
2125 const int dev_type = TUNNEL_TYPE (m->top.c1.tuntap);
2126
2127 #ifdef ENABLE_PF
2128 struct mroute_addr esrc, *e1, *e2;
2129 if (dev_type == DEV_TYPE_TUN)
2130 {
2131 e1 = NULL;
2132 e2 = &src;
2133 }
2134 else
2135 {
2136 e1 = e2 = &esrc;
2137 mroute_addr_reset (&esrc);
2138 }
2139 #endif
2140
2141 #ifdef MULTI_DEBUG_EVENT_LOOP
2142 printf ("TUN -> TCP/UDP [%d]\n", BLEN (&m->top.c2.buf));
2143 #endif
2144
2145 if (m->pending)
2146 return true;
2147
2148 /*
2149 * Route an incoming tun/tap packet to
2150 * the appropriate multi_instance object.
2151 */
2152
2153 mroute_flags = mroute_extract_addr_from_packet (&src,
2154 &dest,
2155 #ifdef ENABLE_PF
2156 e1,
2157 #else
2158 NULL,
2159 #endif
2160 NULL,
2161 &m->top.c2.buf,
2162 dev_type);
2163
2164 if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2165 {
2166 struct context *c;
2167
2168 /* broadcast or multicast dest addr? */
2169 if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2170 {
2171 /* for now, treat multicast as broadcast */
2172 #ifdef ENABLE_PF
2173 multi_bcast (m, &m->top.c2.buf, NULL, e2);
2174 #else
2175 multi_bcast (m, &m->top.c2.buf, NULL, NULL);
2176 #endif
2177 }
2178 else
2179 {
2180 multi_set_pending (m, multi_get_instance_by_virtual_addr (m, &dest, dev_type == DEV_TYPE_TUN));
2181
2182 if (m->pending)
2183 {
2184 /* get instance context */
2185 c = &m->pending->context;
2186
2187 set_prefix (m->pending);
2188
2189 #ifdef ENABLE_PF
2190 if (!pf_addr_test (c, e2, "tun_tap_src_addr"))
2191 {
2192 msg (D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2193 mroute_addr_print_ex (&src, MAPF_SHOW_ARP, &gc));
2194 buf_reset_len (&c->c2.buf);
2195 }
2196 else
2197 #endif
2198 {
2199 if (multi_output_queue_ready (m, m->pending))
2200 {
2201 /* transfer packet pointer from top-level context buffer to instance */
2202 c->c2.buf = m->top.c2.buf;
2203 }
2204 else
2205 {
2206 /* drop packet */
2207 msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2208 buf_reset_len (&c->c2.buf);
2209 }
2210 }
2211
2212 /* encrypt in instance context */
2213 process_incoming_tun (c);
2214
2215 /* postprocess and set wakeup */
2216 ret = multi_process_post (m, m->pending, mpp_flags);
2217
2218 clear_prefix ();
2219 }
2220 }
2221 }
2222 }
2223 gc_free (&gc);
2224 return ret;
2225 }
2226
2227 /*
2228 * Process a possible client-to-client/bcast/mcast message in the
2229 * queue.
2230 */
2231 struct multi_instance *
2232 multi_get_queue (struct mbuf_set *ms)
2233 {
2234 struct mbuf_item item;
2235
2236 if (mbuf_extract_item (ms, &item, true)) /* cleartext IP packet */
2237 {
2238 unsigned int pipv4_flags = PIPV4_PASSTOS;
2239
2240 set_prefix (item.instance);
2241 item.instance->context.c2.buf = item.buffer->buf;
2242 if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2243 pipv4_flags |= PIPV4_MSSFIX;
2244 process_ipv4_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf);
2245 encrypt_sign (&item.instance->context, true);
2246 mbuf_free_buf (item.buffer);
2247
2248 dmsg (D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2249
2250 clear_prefix ();
2251 return item.instance;
2252 }
2253 else
2254 {
2255 return NULL;
2256 }
2257 }
2258
2259 /*
2260 * Called when an I/O wait times out. Usually means that a particular
2261 * client instance object needs timer-based service.
2262 */
2263 bool
2264 multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags)
2265 {
2266 bool ret = true;
2267
2268 #ifdef MULTI_DEBUG_EVENT_LOOP
2269 printf ("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2270 #endif
2271
2272 /* instance marked for wakeup? */
2273 if (m->earliest_wakeup)
2274 {
2275 set_prefix (m->earliest_wakeup);
2276 ret = multi_process_post (m, m->earliest_wakeup, mpp_flags);
2277 m->earliest_wakeup = NULL;
2278 clear_prefix ();
2279 }
2280 return ret;
2281 }
2282
2283 /*
2284 * Drop a TUN/TAP outgoing packet..
2285 */
2286 void
2287 multi_process_drop_outgoing_tun (struct multi_context *m, const unsigned int mpp_flags)
2288 {
2289 struct multi_instance *mi = m->pending;
2290
2291 ASSERT (mi);
2292
2293 set_prefix (mi);
2294
2295 msg (D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2296 mi->context.c2.to_tun.len);
2297
2298 buf_reset (&mi->context.c2.to_tun);
2299
2300 multi_process_post (m, mi, mpp_flags);
2301 clear_prefix ();
2302 }
2303
2304 /*
2305 * Per-client route quota management
2306 */
2307
2308 void
2309 route_quota_exceeded (const struct multi_context *m, const struct multi_instance *mi)
2310 {
2311 struct gc_arena gc = gc_new ();
2312 msg (D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2313 mi->context.options.max_routes_per_client,
2314 multi_instance_string (mi, false, &gc));
2315 gc_free (&gc);
2316 }
2317
2318 #ifdef ENABLE_DEBUG
2319 /*
2320 * Flood clients with random packets
2321 */
2322 static void
2323 gremlin_flood_clients (struct multi_context *m)
2324 {
2325 const int level = GREMLIN_PACKET_FLOOD_LEVEL (m->top.options.gremlin);
2326 if (level)
2327 {
2328 struct gc_arena gc = gc_new ();
2329 struct buffer buf = alloc_buf_gc (BUF_SIZE (&m->top.c2.frame), &gc);
2330 struct packet_flood_parms parm = get_packet_flood_parms (level);
2331 int i;
2332
2333 ASSERT (buf_init (&buf, FRAME_HEADROOM (&m->top.c2.frame)));
2334 parm.packet_size = min_int (parm.packet_size, MAX_RW_SIZE_TUN (&m->top.c2.frame));
2335
2336 msg (D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2337 parm.n_packets,
2338 parm.packet_size);
2339
2340 for (i = 0; i < parm.packet_size; ++i)
2341 ASSERT (buf_write_u8 (&buf, get_random () & 0xFF));
2342
2343 for (i = 0; i < parm.n_packets; ++i)
2344 multi_bcast (m, &buf, NULL, NULL);
2345
2346 gc_free (&gc);
2347 }
2348 }
2349 #endif
2350
2351 /*
2352 * Process timers in the top-level context
2353 */
2354 void
2355 multi_process_per_second_timers_dowork (struct multi_context *m)
2356 {
2357 /* possibly reap instances/routes in vhash */
2358 multi_reap_process (m);
2359
2360 /* possibly print to status log */
2361 if (m->top.c1.status_output)
2362 {
2363 if (status_trigger (m->top.c1.status_output))
2364 multi_print_status (m, m->top.c1.status_output, m->status_file_version);
2365 }
2366
2367 /* possibly flush ifconfig-pool file */
2368 multi_ifconfig_pool_persist (m, false);
2369
2370 #ifdef ENABLE_DEBUG
2371 gremlin_flood_clients (m);
2372 #endif
2373 }
2374
2375 void
2376 multi_top_init (struct multi_context *m, const struct context *top, const bool alloc_buffers)
2377 {
2378 inherit_context_top (&m->top, top);
2379 m->top.c2.buffers = NULL;
2380 if (alloc_buffers)
2381 m->top.c2.buffers = init_context_buffers (&top->c2.frame);
2382 }
2383
2384 void
2385 multi_top_free (struct multi_context *m)
2386 {
2387 close_context (&m->top, -1, CC_GC_FREE);
2388 free_context_buffers (m->top.c2.buffers);
2389 }
2390
2391 /*
2392 * Return true if event loop should break,
2393 * false if it should continue.
2394 */
2395 bool
2396 multi_process_signal (struct multi_context *m)
2397 {
2398 if (m->top.sig->signal_received == SIGUSR2)
2399 {
2400 struct status_output *so = m->top.c1.status_output? m->top.c1.status_output: status_open (NULL, 0, M_INFO, NULL, 0);
2401 multi_print_status (m, so, m->status_file_version);
2402 if ( so != m->top.c1.status_output ) status_close (so);
2403 m->top.sig->signal_received = 0;
2404 return false;
2405 }
2406 return true;
2407 }
2408
2409 /*
2410 * Called when an instance should be closed due to the
2411 * reception of a soft signal.
2412 */
2413 void
2414 multi_close_instance_on_signal (struct multi_context *m, struct multi_instance *mi)
2415 {
2416 remap_signal (&mi->context);
2417 set_prefix (mi);
2418 print_signal (mi->context.sig, "client-instance", D_MULTI_LOW);
2419 clear_prefix ();
2420 multi_close_instance (m, mi, false);
2421 }
2422
2423 static void
2424 multi_signal_instance (struct multi_context *m, struct multi_instance *mi, const int sig)
2425 {
2426 mi->context.sig->signal_received = sig;
2427 multi_close_instance_on_signal (m, mi);
2428 }
2429
2430 /*
2431 * Management subsystem callbacks
2432 */
2433
2434 #ifdef ENABLE_MANAGEMENT
2435
2436 static void
2437 management_callback_status (void *arg, const int version, struct status_output *so)
2438 {
2439 struct multi_context *m = (struct multi_context *) arg;
2440
2441 if (!version)
2442 multi_print_status (m, so, m->status_file_version);
2443 else
2444 multi_print_status (m, so, version);
2445 }
2446
2447 static int
2448 management_callback_n_clients (void *arg)
2449 {
2450 struct multi_context *m = (struct multi_context *) arg;
2451 return m->n_clients;
2452 }
2453
2454 static int
2455 management_callback_kill_by_cn (void *arg, const char *del_cn)
2456 {
2457 struct multi_context *m = (struct multi_context *) arg;
2458 struct hash_iterator hi;
2459 struct hash_element *he;
2460 int count = 0;
2461
2462 hash_iterator_init (m->iter, &hi, true);
2463 while ((he = hash_iterator_next (&hi)))
2464 {
2465 struct multi_instance *mi = (struct multi_instance *) he->value;
2466 if (!mi->halt)
2467 {
2468 const char *cn = tls_common_name (mi->context.c2.tls_multi, false);
2469 if (cn && !strcmp (cn, del_cn))
2470 {
2471 multi_signal_instance (m, mi, SIGTERM);
2472 ++count;
2473 }
2474 }
2475 }
2476 hash_iterator_free (&hi);
2477 return count;
2478 }
2479
2480 static int
2481 management_callback_kill_by_addr (void *arg, const in_addr_t addr, const int port)
2482 {
2483 struct multi_context *m = (struct multi_context *) arg;
2484 struct hash_iterator hi;
2485 struct hash_element *he;
2486 struct openvpn_sockaddr saddr;
2487 struct mroute_addr maddr;
2488 int count = 0;
2489
2490 CLEAR (saddr);
2491 saddr.sa.sin_family = AF_INET;
2492 saddr.sa.sin_addr.s_addr = htonl (addr);
2493 saddr.sa.sin_port = htons (port);
2494 if (mroute_extract_openvpn_sockaddr (&maddr, &saddr, true))
2495 {
2496 hash_iterator_init (m->iter, &hi, true);
2497 while ((he = hash_iterator_next (&hi)))
2498 {
2499 struct multi_instance *mi = (struct multi_instance *) he->value;
2500 if (!mi->halt && mroute_addr_equal (&maddr, &mi->real))
2501 {
2502 multi_signal_instance (m, mi, SIGTERM);
2503 ++count;
2504 }
2505 }
2506 hash_iterator_free (&hi);
2507 }
2508 return count;
2509 }
2510
2511 static void
2512 management_delete_event (void *arg, event_t event)
2513 {
2514 struct multi_context *m = (struct multi_context *) arg;
2515 if (m->mtcp)
2516 multi_tcp_delete_event (m->mtcp, event);
2517 }
2518
2519 #endif
2520
2521 #ifdef MANAGEMENT_DEF_AUTH
2522
2523 static struct multi_instance *
2524 lookup_by_cid (struct multi_context *m, const unsigned long cid)
2525 {
2526 if (m)
2527 {
2528 struct multi_instance *mi = (struct multi_instance *) hash_lookup (m->cid_hash, &cid);
2529 if (mi && !mi->halt)
2530 return mi;
2531 }
2532 return NULL;
2533 }
2534
2535 static bool
2536 management_kill_by_cid (void *arg, const unsigned long cid)
2537 {
2538 struct multi_context *m = (struct multi_context *) arg;
2539 struct multi_instance *mi = lookup_by_cid (m, cid);
2540 if (mi)
2541 {
2542 multi_signal_instance (m, mi, SIGTERM);
2543 return true;
2544 }
2545 else
2546 return false;
2547 }
2548
2549 static bool
2550 management_client_auth (void *arg,
2551 const unsigned long cid,
2552 const unsigned int mda_key_id,
2553 const bool auth,
2554 const char *reason,
2555 struct buffer_list *cc_config) /* ownership transferred */
2556 {
2557 struct multi_context *m = (struct multi_context *) arg;
2558 struct multi_instance *mi = lookup_by_cid (m, cid);
2559 bool cc_config_owned = true;
2560 bool ret = false;
2561
2562 if (mi)
2563 {
2564 ret = tls_authenticate_key (mi->context.c2.tls_multi, mda_key_id, auth);
2565 if (ret)
2566 {
2567 if (auth && !mi->connection_established_flag)
2568 {
2569 set_cc_config (mi, cc_config);
2570 cc_config_owned = false;
2571 }
2572 if (!auth && reason)
2573 msg (D_MULTI_LOW, "MULTI: connection rejected: %s", reason);
2574 }
2575 }
2576 if (cc_config_owned && cc_config)
2577 buffer_list_free (cc_config);
2578 return ret;
2579 }
2580 #endif
2581
2582 #ifdef MANAGEMENT_PF
2583 static bool
2584 management_client_pf (void *arg,
2585 const unsigned long cid,
2586 struct buffer_list *pf_config) /* ownership transferred */
2587 {
2588 struct multi_context *m = (struct multi_context *) arg;
2589 struct multi_instance *mi = lookup_by_cid (m, cid);
2590 bool ret = false;
2591
2592 if (mi && pf_config)
2593 ret = pf_load_from_buffer_list (&mi->context, pf_config);
2594
2595 if (pf_config)
2596 buffer_list_free (pf_config);
2597 return ret;
2598 }
2599 #endif
2600
2601 void
2602 init_management_callback_multi (struct multi_context *m)
2603 {
2604 #ifdef ENABLE_MANAGEMENT
2605 if (management)
2606 {
2607 struct management_callback cb;
2608 CLEAR (cb);
2609 cb.arg = m;
2610 cb.flags = MCF_SERVER;
2611 cb.status = management_callback_status;
2612 cb.show_net = management_show_net_callback;
2613 cb.kill_by_cn = management_callback_kill_by_cn;
2614 cb.kill_by_addr = management_callback_kill_by_addr;
2615 cb.delete_event = management_delete_event;
2616 cb.n_clients = management_callback_n_clients;
2617 #ifdef MANAGEMENT_DEF_AUTH
2618 cb.kill_by_cid = management_kill_by_cid;
2619 cb.client_auth = management_client_auth;
2620 #endif
2621 #ifdef MANAGEMENT_PF
2622 cb.client_pf = management_client_pf;
2623 #endif
2624 management_set_callback (management, &cb);
2625 }
2626 #endif
2627 }
2628
2629 void
2630 uninit_management_callback_multi (struct multi_context *m)
2631 {
2632 uninit_management_callback ();
2633 }
2634
2635 /*
2636 * Top level event loop.
2637 */
2638 void
2639 tunnel_server (struct context *top)
2640 {
2641 ASSERT (top->options.mode == MODE_SERVER);
2642
2643 switch (top->options.ce.proto) {
2644 case PROTO_UDPv4:
2645 tunnel_server_udp (top);
2646 break;
2647 case PROTO_TCPv4_SERVER:
2648 tunnel_server_tcp (top);
2649 break;
2650 default:
2651 ASSERT (0);
2652 }
2653 }
2654
2655 #else
2656 static void dummy(void) {}
2657 #endif /* P2MP_SERVER */
Tomato firmware and modifications.