2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
37 #include "forward-inline.h"
38 #include "pf-inline.h"
40 /*#define MULTI_DEBUG_EVENT_LOOP*/
42 #ifdef MULTI_DEBUG_EVENT_LOOP
44 id (struct multi_instance
*mi
)
47 return tls_common_name (mi
->context
.c2
.tls_multi
, false);
53 #ifdef MANAGEMENT_DEF_AUTH
55 set_cc_config (struct multi_instance
*mi
, struct buffer_list
*cc_config
)
58 buffer_list_free (mi
->cc_config
);
59 mi
->cc_config
= cc_config
;
64 learn_address_script (const struct multi_context
*m
,
65 const struct multi_instance
*mi
,
67 const struct mroute_addr
*addr
)
69 struct gc_arena gc
= gc_new ();
72 struct plugin_list
*plugins
;
74 /* get environmental variable source */
75 if (mi
&& mi
->context
.c2
.es
)
76 es
= mi
->context
.c2
.es
;
78 es
= env_set_create (&gc
);
80 /* get plugin source */
82 plugins
= mi
->context
.plugins
;
84 plugins
= m
->top
.plugins
;
86 if (plugin_defined (plugins
, OPENVPN_PLUGIN_LEARN_ADDRESS
))
88 struct argv argv
= argv_new ();
89 argv_printf (&argv
, "%s %s",
91 mroute_addr_print (addr
, &gc
));
93 argv_printf_cat (&argv
, "%s", tls_common_name (mi
->context
.c2
.tls_multi
, false));
94 if (plugin_call (plugins
, OPENVPN_PLUGIN_LEARN_ADDRESS
, &argv
, NULL
, es
) != OPENVPN_PLUGIN_FUNC_SUCCESS
)
96 msg (M_WARN
, "WARNING: learn-address plugin call failed");
102 if (m
->top
.options
.learn_address_script
)
104 struct argv argv
= argv_new ();
105 setenv_str (es
, "script_type", "learn-address");
106 argv_printf (&argv
, "%sc %s %s",
107 m
->top
.options
.learn_address_script
,
109 mroute_addr_print (addr
, &gc
));
111 argv_printf_cat (&argv
, "%s", tls_common_name (mi
->context
.c2
.tls_multi
, false));
112 if (!openvpn_execve_check (&argv
, es
, S_SCRIPT
, "WARNING: learn-address command failed"))
122 multi_ifconfig_pool_persist (struct multi_context
*m
, bool force
)
124 /* write pool data to file */
126 && m
->top
.c1
.ifconfig_pool_persist
127 && (force
|| ifconfig_pool_write_trigger (m
->top
.c1
.ifconfig_pool_persist
)))
129 ifconfig_pool_write (m
->top
.c1
.ifconfig_pool_persist
, m
->ifconfig_pool
);
134 multi_reap_range (const struct multi_context
*m
,
138 struct gc_arena gc
= gc_new ();
139 struct hash_iterator hi
;
140 struct hash_element
*he
;
142 if (start_bucket
< 0)
145 end_bucket
= hash_n_buckets (m
->vhash
);
148 dmsg (D_MULTI_DEBUG
, "MULTI: REAP range %d -> %d", start_bucket
, end_bucket
);
149 hash_iterator_init_range (m
->vhash
, &hi
, true, start_bucket
, end_bucket
);
150 while ((he
= hash_iterator_next (&hi
)) != NULL
)
152 struct multi_route
*r
= (struct multi_route
*) he
->value
;
153 if (!multi_route_defined (m
, r
))
155 dmsg (D_MULTI_DEBUG
, "MULTI: REAP DEL %s",
156 mroute_addr_print (&r
->addr
, &gc
));
157 learn_address_script (m
, NULL
, "delete", &r
->addr
);
159 hash_iterator_delete_element (&hi
);
162 hash_iterator_free (&hi
);
167 multi_reap_all (const struct multi_context
*m
)
169 multi_reap_range (m
, -1, 0);
172 static struct multi_reap
*
173 multi_reap_new (int buckets_per_pass
)
175 struct multi_reap
*mr
;
176 ALLOC_OBJ (mr
, struct multi_reap
);
178 mr
->buckets_per_pass
= buckets_per_pass
;
184 multi_reap_process_dowork (const struct multi_context
*m
)
186 struct multi_reap
*mr
= m
->reaper
;
187 if (mr
->bucket_base
>= hash_n_buckets (m
->vhash
))
189 multi_reap_range (m
, mr
->bucket_base
, mr
->bucket_base
+ mr
->buckets_per_pass
);
190 mr
->bucket_base
+= mr
->buckets_per_pass
;
195 multi_reap_free (struct multi_reap
*mr
)
201 * How many buckets in vhash to reap per pass.
204 reap_buckets_per_pass (int n_buckets
)
206 return constrain_int (n_buckets
/ REAP_DIVISOR
, REAP_MIN
, REAP_MAX
);
209 #ifdef MANAGEMENT_DEF_AUTH
212 cid_hash_function (const void *key
, uint32_t iv
)
214 const unsigned long *k
= (const unsigned long *)key
;
215 return (uint32_t) *k
;
219 cid_compare_function (const void *key1
, const void *key2
)
221 const unsigned long *k1
= (const unsigned long *)key1
;
222 const unsigned long *k2
= (const unsigned long *)key2
;
229 * Main initialization function, init multi_context object.
232 multi_init (struct multi_context
*m
, struct context
*t
, bool tcp_mode
, int thread_mode
)
234 int dev
= DEV_TYPE_UNDEF
;
236 msg (D_MULTI_LOW
, "MULTI: multi_init called, r=%d v=%d",
237 t
->options
.real_hash_size
,
238 t
->options
.virtual_hash_size
);
241 * Get tun/tap/null device type
243 dev
= dev_type_enum (t
->options
.dev
, t
->options
.dev_type
);
246 * Init our multi_context object.
250 m
->thread_mode
= thread_mode
;
253 * Real address hash table (source port number is
254 * considered to be part of the address). Used
255 * to determine which client sent an incoming packet
256 * which is seen on the TCP/UDP socket.
258 m
->hash
= hash_init (t
->options
.real_hash_size
,
260 mroute_addr_hash_function
,
261 mroute_addr_compare_function
);
264 * Virtual address hash table. Used to determine
265 * which client to route a packet to.
267 m
->vhash
= hash_init (t
->options
.virtual_hash_size
,
269 mroute_addr_hash_function
,
270 mroute_addr_compare_function
);
273 * This hash table is a clone of m->hash but with a
274 * bucket size of one so that it can be used
275 * for fast iteration through the list.
277 m
->iter
= hash_init (1,
279 mroute_addr_hash_function
,
280 mroute_addr_compare_function
);
282 #ifdef MANAGEMENT_DEF_AUTH
283 m
->cid_hash
= hash_init (t
->options
.real_hash_size
,
286 cid_compare_function
);
290 * This is our scheduler, for time-based wakeup
293 m
->schedule
= schedule_init ();
296 * Limit frequency of incoming connections to control
299 m
->new_connection_limiter
= frequency_limit_init (t
->options
.cf_max
,
303 * Allocate broadcast/multicast buffer list
305 m
->mbuf
= mbuf_init (t
->options
.n_bcast_buf
);
308 * Different status file format options are available
310 m
->status_file_version
= t
->options
.status_file_version
;
313 * Possibly allocate an ifconfig pool, do it
314 * differently based on whether a tun or tap style
317 if (t
->options
.ifconfig_pool_defined
)
319 if (dev
== DEV_TYPE_TAP
)
321 m
->ifconfig_pool
= ifconfig_pool_init (IFCONFIG_POOL_INDIV
,
322 t
->options
.ifconfig_pool_start
,
323 t
->options
.ifconfig_pool_end
,
324 t
->options
.duplicate_cn
);
326 else if (dev
== DEV_TYPE_TUN
)
328 m
->ifconfig_pool
= ifconfig_pool_init (
329 (t
->options
.topology
== TOP_NET30
) ? IFCONFIG_POOL_30NET
: IFCONFIG_POOL_INDIV
,
330 t
->options
.ifconfig_pool_start
,
331 t
->options
.ifconfig_pool_end
,
332 t
->options
.duplicate_cn
);
339 /* reload pool data from file */
340 if (t
->c1
.ifconfig_pool_persist
)
341 ifconfig_pool_read (t
->c1
.ifconfig_pool_persist
, m
->ifconfig_pool
);
345 * Help us keep track of routing table.
347 m
->route_helper
= mroute_helper_init (MULTI_CACHE_ROUTE_TTL
);
350 * Initialize route and instance reaper.
352 m
->reaper
= multi_reap_new (reap_buckets_per_pass (t
->options
.virtual_hash_size
));
355 * Get local ifconfig address
358 ASSERT (t
->c1
.tuntap
);
359 mroute_extract_in_addr_t (&m
->local
, t
->c1
.tuntap
->local
);
364 m
->max_clients
= t
->options
.max_clients
;
367 * Initialize multi-socket TCP I/O wait object
370 m
->mtcp
= multi_tcp_init (t
->options
.max_clients
, &m
->max_clients
);
371 m
->tcp_queue_limit
= t
->options
.tcp_queue_limit
;
374 * Allow client <-> client communication, without going through
375 * tun/tap interface and network stack?
377 m
->enable_c2c
= t
->options
.enable_c2c
;
381 multi_instance_string (const struct multi_instance
*mi
, bool null
, struct gc_arena
*gc
)
385 struct buffer out
= alloc_buf_gc (256, gc
);
386 const char *cn
= tls_common_name (mi
->context
.c2
.tls_multi
, true);
389 buf_printf (&out
, "%s/", cn
);
390 buf_printf (&out
, "%s", mroute_addr_print (&mi
->real
, gc
));
400 generate_prefix (struct multi_instance
*mi
)
402 mi
->msg_prefix
= multi_instance_string (mi
, true, &mi
->gc
);
407 ungenerate_prefix (struct multi_instance
*mi
)
409 mi
->msg_prefix
= NULL
;
414 mi_prefix (const struct multi_instance
*mi
)
416 if (mi
&& mi
->msg_prefix
)
417 return mi
->msg_prefix
;
423 * Tell the route helper about deleted iroutes so
424 * that it can update its mask of currently used
428 multi_del_iroutes (struct multi_context
*m
,
429 struct multi_instance
*mi
)
431 const struct iroute
*ir
;
432 if (TUNNEL_TYPE (mi
->context
.c1
.tuntap
) == DEV_TYPE_TUN
)
434 for (ir
= mi
->context
.options
.iroutes
; ir
!= NULL
; ir
= ir
->next
)
435 mroute_helper_del_iroute (m
->route_helper
, ir
);
440 setenv_stats (struct context
*c
)
442 setenv_counter (c
->c2
.es
, "bytes_received", c
->c2
.link_read_bytes
);
443 setenv_counter (c
->c2
.es
, "bytes_sent", c
->c2
.link_write_bytes
);
447 multi_client_disconnect_setenv (struct multi_context
*m
,
448 struct multi_instance
*mi
)
450 /* setenv client real IP address */
451 setenv_trusted (mi
->context
.c2
.es
, get_link_socket_info (&mi
->context
));
454 setenv_stats (&mi
->context
);
456 /* setenv connection duration */
458 const unsigned int duration
= (unsigned int) now
- mi
->created
;
459 setenv_unsigned (mi
->context
.c2
.es
, "time_duration", duration
);
464 multi_client_disconnect_script (struct multi_context
*m
,
465 struct multi_instance
*mi
)
467 if ((mi
->context
.c2
.context_auth
== CAS_SUCCEEDED
&& mi
->connection_established_flag
)
468 || mi
->context
.c2
.context_auth
== CAS_PARTIAL
)
470 multi_client_disconnect_setenv (m
, mi
);
472 if (plugin_defined (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_DISCONNECT
))
474 if (plugin_call (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_DISCONNECT
, NULL
, NULL
, mi
->context
.c2
.es
) != OPENVPN_PLUGIN_FUNC_SUCCESS
)
475 msg (M_WARN
, "WARNING: client-disconnect plugin call failed");
478 if (mi
->context
.options
.client_disconnect_script
)
480 struct argv argv
= argv_new ();
481 setenv_str (mi
->context
.c2
.es
, "script_type", "client-disconnect");
482 argv_printf (&argv
, "%sc", mi
->context
.options
.client_disconnect_script
);
483 openvpn_execve_check (&argv
, mi
->context
.c2
.es
, S_SCRIPT
, "client-disconnect command failed");
486 #ifdef MANAGEMENT_DEF_AUTH
488 management_notify_client_close (management
, &mi
->context
.c2
.mda_context
, mi
->context
.c2
.es
);
495 multi_close_instance (struct multi_context
*m
,
496 struct multi_instance
*mi
,
499 perf_push (PERF_MULTI_CLOSE_INSTANCE
);
504 dmsg (D_MULTI_DEBUG
, "MULTI: multi_close_instance called");
506 /* adjust current client connection count */
507 m
->n_clients
+= mi
->n_clients_delta
;
508 mi
->n_clients_delta
= 0;
510 /* prevent dangling pointers */
511 if (m
->pending
== mi
)
512 multi_set_pending (m
, NULL
);
513 if (m
->earliest_wakeup
== mi
)
514 m
->earliest_wakeup
= NULL
;
518 if (mi
->did_real_hash
)
520 ASSERT (hash_remove (m
->hash
, &mi
->real
));
524 ASSERT (hash_remove (m
->iter
, &mi
->real
));
526 #ifdef MANAGEMENT_DEF_AUTH
527 if (mi
->did_cid_hash
)
529 ASSERT (hash_remove (m
->cid_hash
, &mi
->context
.c2
.mda_context
.cid
));
533 schedule_remove_entry (m
->schedule
, (struct schedule_entry
*) mi
);
535 ifconfig_pool_release (m
->ifconfig_pool
, mi
->vaddr_handle
, false);
539 multi_del_iroutes (m
, mi
);
540 mi
->did_iroutes
= false;
544 multi_tcp_dereference_instance (m
->mtcp
, mi
);
546 mbuf_dereference_instance (m
->mbuf
, mi
);
549 #ifdef MANAGEMENT_DEF_AUTH
550 set_cc_config (mi
, NULL
);
553 multi_client_disconnect_script (m
, mi
);
555 if (mi
->did_open_context
)
556 close_context (&mi
->context
, SIGTERM
, CC_GC_FREE
);
558 multi_tcp_instance_specific_free (mi
);
560 ungenerate_prefix (mi
);
563 * Don't actually delete the instance memory allocation yet,
564 * because virtual routes may still point to it. Let the
565 * vhash reaper deal with it.
567 multi_instance_dec_refcount (mi
);
573 * Called on shutdown or restart.
576 multi_uninit (struct multi_context
*m
)
578 if (m
->thread_mode
& MC_WORK_THREAD
)
581 m
->thread_mode
= MC_UNDEF
;
583 else if (m
->thread_mode
)
587 struct hash_iterator hi
;
588 struct hash_element
*he
;
590 hash_iterator_init (m
->iter
, &hi
, true);
591 while ((he
= hash_iterator_next (&hi
)))
593 struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
594 mi
->did_iter
= false;
595 multi_close_instance (m
, mi
, true);
597 hash_iterator_free (&hi
);
602 hash_free (m
->vhash
);
604 #ifdef MANAGEMENT_DEF_AUTH
605 hash_free (m
->cid_hash
);
609 schedule_free (m
->schedule
);
611 ifconfig_pool_free (m
->ifconfig_pool
);
612 frequency_limit_free (m
->new_connection_limiter
);
613 multi_reap_free (m
->reaper
);
614 mroute_helper_free (m
->route_helper
);
615 multi_tcp_free (m
->mtcp
);
616 m
->thread_mode
= MC_UNDEF
;
622 * Create a client instance object for a newly connected client.
624 struct multi_instance
*
625 multi_create_instance (struct multi_context
*m
, const struct mroute_addr
*real
)
627 struct gc_arena gc
= gc_new ();
628 struct multi_instance
*mi
;
630 perf_push (PERF_MULTI_CREATE_INSTANCE
);
632 msg (D_MULTI_LOW
, "MULTI: multi_create_instance called");
634 ALLOC_OBJ_CLEAR (mi
, struct multi_instance
);
636 mutex_init (&mi
->mutex
);
638 multi_instance_inc_refcount (mi
);
639 mi
->vaddr_handle
= -1;
641 mroute_addr_init (&mi
->real
);
646 generate_prefix (mi
);
649 mi
->did_open_context
= true;
650 inherit_context_child (&mi
->context
, &m
->top
);
651 if (IS_SIG (&mi
->context
))
654 mi
->context
.c2
.context_auth
= CAS_PENDING
;
656 if (hash_n_elements (m
->hash
) >= m
->max_clients
)
658 msg (D_MULTI_ERRORS
, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m
->max_clients
);
662 if (!real
) /* TCP mode? */
664 if (!multi_tcp_instance_specific_init (m
, mi
))
666 generate_prefix (mi
);
669 if (!hash_add (m
->iter
, &mi
->real
, mi
, false))
671 msg (D_MULTI_LOW
, "MULTI: unable to add real address [%s] to iterator hash table",
672 mroute_addr_print (&mi
->real
, &gc
));
677 #ifdef MANAGEMENT_DEF_AUTH
679 mi
->context
.c2
.mda_context
.cid
= m
->cid_counter
++;
680 } while (!hash_add (m
->cid_hash
, &mi
->context
.c2
.mda_context
.cid
, mi
, false));
681 mi
->did_cid_hash
= true;
684 mi
->context
.c2
.push_reply_deferred
= true;
686 if (!multi_process_post (m
, mi
, MPP_PRE_SELECT
))
688 msg (D_MULTI_ERRORS
, "MULTI: signal occurred during client instance initialization");
697 multi_close_instance (m
, mi
, false);
704 * Dump tables -- triggered by SIGUSR2.
705 * If status file is defined, write to file.
706 * If status file is NULL, write to syslog.
709 multi_print_status (struct multi_context
*m
, struct status_output
*so
, const int version
)
713 struct gc_arena gc_top
= gc_new ();
714 struct hash_iterator hi
;
715 const struct hash_element
*he
;
719 if (version
== 1) /* WAS: m->status_file_version */
722 * Status file version 1
724 status_printf (so
, PACKAGE_NAME
" CLIENT LIST");
725 status_printf (so
, "Updated,%s", time_string (0, 0, false, &gc_top
));
726 status_printf (so
, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
727 hash_iterator_init (m
->hash
, &hi
, true);
728 while ((he
= hash_iterator_next (&hi
)))
730 struct gc_arena gc
= gc_new ();
731 const struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
735 status_printf (so
, "%s,%s," counter_format
"," counter_format
",%s",
736 tls_common_name (mi
->context
.c2
.tls_multi
, false),
737 mroute_addr_print (&mi
->real
, &gc
),
738 mi
->context
.c2
.link_read_bytes
,
739 mi
->context
.c2
.link_write_bytes
,
740 time_string (mi
->created
, 0, false, &gc
));
744 hash_iterator_free (&hi
);
746 status_printf (so
, "ROUTING TABLE");
747 status_printf (so
, "Virtual Address,Common Name,Real Address,Last Ref");
748 hash_iterator_init (m
->vhash
, &hi
, true);
749 while ((he
= hash_iterator_next (&hi
)))
751 struct gc_arena gc
= gc_new ();
752 const struct multi_route
*route
= (struct multi_route
*) he
->value
;
754 if (multi_route_defined (m
, route
))
756 const struct multi_instance
*mi
= route
->instance
;
757 const struct mroute_addr
*ma
= &route
->addr
;
758 char flags
[2] = {0, 0};
760 if (route
->flags
& MULTI_ROUTE_CACHE
)
762 status_printf (so
, "%s%s,%s,%s,%s",
763 mroute_addr_print (ma
, &gc
),
765 tls_common_name (mi
->context
.c2
.tls_multi
, false),
766 mroute_addr_print (&mi
->real
, &gc
),
767 time_string (route
->last_reference
, 0, false, &gc
));
771 hash_iterator_free (&hi
);
773 status_printf (so
, "GLOBAL STATS");
775 status_printf (so
, "Max bcast/mcast queue length,%d",
776 mbuf_maximum_queued (m
->mbuf
));
778 status_printf (so
, "END");
780 else if (version
== 2 || version
== 3)
782 const char sep
= (version
== 3) ? '\t' : ',';
785 * Status file version 2 and 3
787 status_printf (so
, "TITLE%c%s", sep
, title_string
);
788 status_printf (so
, "TIME%c%s%c%u", sep
, time_string (now
, 0, false, &gc_top
), sep
, (unsigned int)now
);
789 status_printf (so
, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)",
790 sep
, sep
, sep
, sep
, sep
, sep
, sep
, sep
);
791 hash_iterator_init (m
->hash
, &hi
, true);
792 while ((he
= hash_iterator_next (&hi
)))
794 struct gc_arena gc
= gc_new ();
795 const struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
799 status_printf (so
, "CLIENT_LIST%c%s%c%s%c%s%c" counter_format
"%c" counter_format
"%c%s%c%u",
800 sep
, tls_common_name (mi
->context
.c2
.tls_multi
, false),
801 sep
, mroute_addr_print (&mi
->real
, &gc
),
802 sep
, print_in_addr_t (mi
->reporting_addr
, IA_EMPTY_IF_UNDEF
, &gc
),
803 sep
, mi
->context
.c2
.link_read_bytes
,
804 sep
, mi
->context
.c2
.link_write_bytes
,
805 sep
, time_string (mi
->created
, 0, false, &gc
),
806 sep
, (unsigned int)mi
->created
);
810 hash_iterator_free (&hi
);
812 status_printf (so
, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
813 sep
, sep
, sep
, sep
, sep
, sep
);
814 hash_iterator_init (m
->vhash
, &hi
, true);
815 while ((he
= hash_iterator_next (&hi
)))
817 struct gc_arena gc
= gc_new ();
818 const struct multi_route
*route
= (struct multi_route
*) he
->value
;
820 if (multi_route_defined (m
, route
))
822 const struct multi_instance
*mi
= route
->instance
;
823 const struct mroute_addr
*ma
= &route
->addr
;
824 char flags
[2] = {0, 0};
826 if (route
->flags
& MULTI_ROUTE_CACHE
)
828 status_printf (so
, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
829 sep
, mroute_addr_print (ma
, &gc
), flags
,
830 sep
, tls_common_name (mi
->context
.c2
.tls_multi
, false),
831 sep
, mroute_addr_print (&mi
->real
, &gc
),
832 sep
, time_string (route
->last_reference
, 0, false, &gc
),
833 sep
, (unsigned int)route
->last_reference
);
837 hash_iterator_free (&hi
);
840 status_printf (so
, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
841 sep
, sep
, mbuf_maximum_queued (m
->mbuf
));
843 status_printf (so
, "END");
847 status_printf (so
, "ERROR: bad status format version number");
850 #ifdef PACKET_TRUNCATION_CHECK
852 status_printf (so
, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
853 hash_iterator_init (m
->hash
, &hi
, true);
854 while ((he
= hash_iterator_next (&hi
)))
856 struct gc_arena gc
= gc_new ();
857 const struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
861 status_printf (so
, "ERRORS,%s," counter_format
"," counter_format
"," counter_format
"," counter_format
,
862 tls_common_name (mi
->context
.c2
.tls_multi
, false),
863 m
->top
.c2
.n_trunc_tun_read
,
864 mi
->context
.c2
.n_trunc_tun_write
,
865 mi
->context
.c2
.n_trunc_pre_encrypt
,
866 mi
->context
.c2
.n_trunc_post_decrypt
);
870 hash_iterator_free (&hi
);
880 * Learn a virtual address or route.
881 * The learn will fail if the learn address
882 * script/plugin fails. In this case the
883 * return value may be != mi.
884 * Return the instance which owns this route,
887 static struct multi_instance
*
888 multi_learn_addr (struct multi_context
*m
,
889 struct multi_instance
*mi
,
890 const struct mroute_addr
*addr
,
891 const unsigned int flags
)
893 struct hash_element
*he
;
894 const uint32_t hv
= hash_value (m
->vhash
, addr
);
895 struct hash_bucket
*bucket
= hash_bucket (m
->vhash
, hv
);
896 struct multi_route
*oldroute
= NULL
;
897 struct multi_instance
*owner
= NULL
;
899 hash_bucket_lock (bucket
);
901 /* if route currently exists, get the instance which owns it */
902 he
= hash_lookup_fast (m
->vhash
, bucket
, addr
, hv
);
904 oldroute
= (struct multi_route
*) he
->value
;
905 if (oldroute
&& multi_route_defined (m
, oldroute
))
906 owner
= oldroute
->instance
;
908 /* do we need to add address to hash table? */
909 if ((!owner
|| owner
!= mi
)
910 && mroute_learnable_address (addr
)
911 && !mroute_addr_equal (addr
, &m
->local
))
913 struct gc_arena gc
= gc_new ();
914 struct multi_route
*newroute
;
915 bool learn_succeeded
= false;
917 ALLOC_OBJ (newroute
, struct multi_route
);
918 newroute
->addr
= *addr
;
919 newroute
->instance
= mi
;
920 newroute
->flags
= flags
;
921 newroute
->last_reference
= now
;
922 newroute
->cache_generation
= 0;
924 /* The cache is invalidated when cache_generation is incremented */
925 if (flags
& MULTI_ROUTE_CACHE
)
926 newroute
->cache_generation
= m
->route_helper
->cache_generation
;
928 if (oldroute
) /* route already exists? */
930 if (route_quota_test (m
, mi
) && learn_address_script (m
, mi
, "update", &newroute
->addr
))
932 learn_succeeded
= true;
934 multi_instance_inc_refcount (mi
);
935 route_quota_inc (mi
);
937 /* delete old route */
938 multi_route_del (oldroute
);
940 /* modify hash table entry, replacing old route */
941 he
->key
= &newroute
->addr
;
942 he
->value
= newroute
;
947 if (route_quota_test (m
, mi
) && learn_address_script (m
, mi
, "add", &newroute
->addr
))
949 learn_succeeded
= true;
951 multi_instance_inc_refcount (mi
);
952 route_quota_inc (mi
);
955 hash_add_fast (m
->vhash
, bucket
, &newroute
->addr
, hv
, newroute
);
959 msg (D_MULTI_LOW
, "MULTI: Learn%s: %s -> %s",
960 learn_succeeded
? "" : " FAILED",
961 mroute_addr_print (&newroute
->addr
, &gc
),
962 multi_instance_string (mi
, false, &gc
));
964 if (!learn_succeeded
)
970 hash_bucket_unlock (bucket
);
975 * Get client instance based on virtual address.
977 static struct multi_instance
*
978 multi_get_instance_by_virtual_addr (struct multi_context
*m
,
979 const struct mroute_addr
*addr
,
982 struct multi_route
*route
;
983 struct multi_instance
*ret
= NULL
;
985 /* check for local address */
986 if (mroute_addr_equal (addr
, &m
->local
))
989 route
= (struct multi_route
*) hash_lookup (m
->vhash
, addr
);
991 /* does host route (possible cached) exist? */
992 if (route
&& multi_route_defined (m
, route
))
994 struct multi_instance
*mi
= route
->instance
;
995 route
->last_reference
= now
;
998 else if (cidr_routing
) /* do we need to regenerate a host route cache entry? */
1000 struct mroute_helper
*rh
= m
->route_helper
;
1001 struct mroute_addr tryaddr
;
1004 mroute_helper_lock (rh
);
1006 /* cycle through each CIDR length */
1007 for (i
= 0; i
< rh
->n_net_len
; ++i
)
1010 tryaddr
.type
|= MR_WITH_NETBITS
;
1011 tryaddr
.netbits
= rh
->net_len
[i
];
1012 mroute_addr_mask_host_bits (&tryaddr
);
1014 /* look up a possible route with netbits netmask */
1015 route
= (struct multi_route
*) hash_lookup (m
->vhash
, &tryaddr
);
1017 if (route
&& multi_route_defined (m
, route
))
1019 /* found an applicable route, cache host route */
1020 struct multi_instance
*mi
= route
->instance
;
1021 multi_learn_addr (m
, mi
, addr
, MULTI_ROUTE_CACHE
|MULTI_ROUTE_AGEABLE
);
1027 mroute_helper_unlock (rh
);
1031 if (check_debug_level (D_MULTI_DEBUG
))
1033 struct gc_arena gc
= gc_new ();
1034 const char *addr_text
= mroute_addr_print (addr
, &gc
);
1037 dmsg (D_MULTI_DEBUG
, "GET INST BY VIRT: %s -> %s via %s",
1039 multi_instance_string (ret
, false, &gc
),
1040 mroute_addr_print (&route
->addr
, &gc
));
1044 dmsg (D_MULTI_DEBUG
, "GET INST BY VIRT: %s [failed]",
1051 ASSERT (!(ret
&& ret
->halt
));
1056 * Helper function to multi_learn_addr().
1058 static struct multi_instance
*
1059 multi_learn_in_addr_t (struct multi_context
*m
,
1060 struct multi_instance
*mi
,
1062 int netbits
, /* -1 if host route, otherwise # of network bits in address */
1065 struct openvpn_sockaddr remote_si
;
1066 struct mroute_addr addr
;
1069 remote_si
.sa
.sin_family
= AF_INET
;
1070 remote_si
.sa
.sin_addr
.s_addr
= htonl (a
);
1071 ASSERT (mroute_extract_openvpn_sockaddr (&addr
, &remote_si
, false));
1075 addr
.type
|= MR_WITH_NETBITS
;
1076 addr
.netbits
= (uint8_t) netbits
;
1080 struct multi_instance
*owner
= multi_learn_addr (m
, mi
, &addr
, 0);
1081 #ifdef MANAGEMENT_DEF_AUTH
1082 if (management
&& owner
)
1083 management_learn_addr (management
, &mi
->context
.c2
.mda_context
, &addr
, primary
);
1090 * A new client has connected, add routes (server -> client)
1091 * to internal routing table.
1094 multi_add_iroutes (struct multi_context
*m
,
1095 struct multi_instance
*mi
)
1097 struct gc_arena gc
= gc_new ();
1098 const struct iroute
*ir
;
1099 if (TUNNEL_TYPE (mi
->context
.c1
.tuntap
) == DEV_TYPE_TUN
)
1101 mi
->did_iroutes
= true;
1102 for (ir
= mi
->context
.options
.iroutes
; ir
!= NULL
; ir
= ir
->next
)
1104 if (ir
->netbits
>= 0)
1105 msg (D_MULTI_LOW
, "MULTI: internal route %s/%d -> %s",
1106 print_in_addr_t (ir
->network
, 0, &gc
),
1108 multi_instance_string (mi
, false, &gc
));
1110 msg (D_MULTI_LOW
, "MULTI: internal route %s -> %s",
1111 print_in_addr_t (ir
->network
, 0, &gc
),
1112 multi_instance_string (mi
, false, &gc
));
1114 mroute_helper_add_iroute (m
->route_helper
, ir
);
1116 multi_learn_in_addr_t (m
, mi
, ir
->network
, ir
->netbits
, false);
1123 * Given an instance (new_mi), delete all other instances which use the
1127 multi_delete_dup (struct multi_context
*m
, struct multi_instance
*new_mi
)
1131 const char *new_cn
= tls_common_name (new_mi
->context
.c2
.tls_multi
, true);
1134 struct hash_iterator hi
;
1135 struct hash_element
*he
;
1138 hash_iterator_init (m
->iter
, &hi
, true);
1139 while ((he
= hash_iterator_next (&hi
)))
1141 struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
1142 if (mi
!= new_mi
&& !mi
->halt
)
1144 const char *cn
= tls_common_name (mi
->context
.c2
.tls_multi
, true);
1145 if (cn
&& !strcmp (cn
, new_cn
))
1147 mi
->did_iter
= false;
1148 multi_close_instance (m
, mi
, false);
1149 hash_iterator_delete_element (&hi
);
1154 hash_iterator_free (&hi
);
1157 msg (D_MULTI_LOW
, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn
);
1163 * Ensure that endpoint to be pushed to client
1164 * complies with --ifconfig-push-constraint directive.
1167 ifconfig_push_constraint_satisfied (const struct context
*c
)
1169 const struct options
*o
= &c
->options
;
1170 if (o
->push_ifconfig_constraint_defined
&& c
->c2
.push_ifconfig_defined
)
1171 return (o
->push_ifconfig_constraint_netmask
& c
->c2
.push_ifconfig_local
) == o
->push_ifconfig_constraint_network
;
1177 * Select a virtual address for a new client instance.
1178 * Use an --ifconfig-push directive, if given (static IP).
1179 * Otherwise use an --ifconfig-pool address (dynamic IP).
1182 multi_select_virtual_addr (struct multi_context
*m
, struct multi_instance
*mi
)
1184 struct gc_arena gc
= gc_new ();
1187 * If ifconfig addresses were set by dynamic config file,
1188 * release pool addresses, otherwise keep them.
1190 if (mi
->context
.options
.push_ifconfig_defined
)
1192 /* ifconfig addresses were set statically,
1193 release dynamic allocation */
1194 if (mi
->vaddr_handle
>= 0)
1196 ifconfig_pool_release (m
->ifconfig_pool
, mi
->vaddr_handle
, true);
1197 mi
->vaddr_handle
= -1;
1200 mi
->context
.c2
.push_ifconfig_defined
= true;
1201 mi
->context
.c2
.push_ifconfig_local
= mi
->context
.options
.push_ifconfig_local
;
1202 mi
->context
.c2
.push_ifconfig_remote_netmask
= mi
->context
.options
.push_ifconfig_remote_netmask
;
1204 else if (m
->ifconfig_pool
&& mi
->vaddr_handle
< 0) /* otherwise, choose a pool address */
1206 in_addr_t local
=0, remote
=0;
1207 const char *cn
= NULL
;
1209 if (!mi
->context
.options
.duplicate_cn
)
1210 cn
= tls_common_name (mi
->context
.c2
.tls_multi
, true);
1212 mi
->vaddr_handle
= ifconfig_pool_acquire (m
->ifconfig_pool
, &local
, &remote
, cn
);
1213 if (mi
->vaddr_handle
>= 0)
1215 const int tunnel_type
= TUNNEL_TYPE (mi
->context
.c1
.tuntap
);
1216 const int tunnel_topology
= TUNNEL_TOPOLOGY (mi
->context
.c1
.tuntap
);
1218 /* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1219 mi
->context
.c2
.push_ifconfig_local
= remote
;
1220 if (tunnel_type
== DEV_TYPE_TAP
|| (tunnel_type
== DEV_TYPE_TUN
&& tunnel_topology
== TOP_SUBNET
))
1222 mi
->context
.c2
.push_ifconfig_remote_netmask
= mi
->context
.options
.ifconfig_pool_netmask
;
1223 if (!mi
->context
.c2
.push_ifconfig_remote_netmask
)
1224 mi
->context
.c2
.push_ifconfig_remote_netmask
= mi
->context
.c1
.tuntap
->remote_netmask
;
1226 else if (tunnel_type
== DEV_TYPE_TUN
)
1228 if (tunnel_topology
== TOP_P2P
)
1229 mi
->context
.c2
.push_ifconfig_remote_netmask
= mi
->context
.c1
.tuntap
->local
;
1230 else if (tunnel_topology
== TOP_NET30
)
1231 mi
->context
.c2
.push_ifconfig_remote_netmask
= local
;
1234 if (mi
->context
.c2
.push_ifconfig_remote_netmask
)
1235 mi
->context
.c2
.push_ifconfig_defined
= true;
1237 msg (D_MULTI_ERRORS
, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1238 multi_instance_string (mi
, false, &gc
));
1242 msg (D_MULTI_ERRORS
, "MULTI: no free --ifconfig-pool addresses are available");
1249 * Set virtual address environmental variables.
1252 multi_set_virtual_addr_env (struct multi_context
*m
, struct multi_instance
*mi
)
1254 setenv_del (mi
->context
.c2
.es
, "ifconfig_pool_local_ip");
1255 setenv_del (mi
->context
.c2
.es
, "ifconfig_pool_remote_ip");
1256 setenv_del (mi
->context
.c2
.es
, "ifconfig_pool_netmask");
1258 if (mi
->context
.c2
.push_ifconfig_defined
)
1260 const int tunnel_type
= TUNNEL_TYPE (mi
->context
.c1
.tuntap
);
1261 const int tunnel_topology
= TUNNEL_TOPOLOGY (mi
->context
.c1
.tuntap
);
1263 setenv_in_addr_t (mi
->context
.c2
.es
,
1264 "ifconfig_pool_remote_ip",
1265 mi
->context
.c2
.push_ifconfig_local
,
1268 if (tunnel_type
== DEV_TYPE_TAP
|| (tunnel_type
== DEV_TYPE_TUN
&& tunnel_topology
== TOP_SUBNET
))
1270 setenv_in_addr_t (mi
->context
.c2
.es
,
1271 "ifconfig_pool_netmask",
1272 mi
->context
.c2
.push_ifconfig_remote_netmask
,
1275 else if (tunnel_type
== DEV_TYPE_TUN
)
1277 setenv_in_addr_t (mi
->context
.c2
.es
,
1278 "ifconfig_pool_local_ip",
1279 mi
->context
.c2
.push_ifconfig_remote_netmask
,
1286 * Called after client-connect script is called
1289 multi_client_connect_post (struct multi_context
*m
,
1290 struct multi_instance
*mi
,
1291 const char *dc_file
,
1292 unsigned int option_permissions_mask
,
1293 unsigned int *option_types_found
)
1295 /* Did script generate a dynamic config file? */
1296 if (test_file (dc_file
))
1298 options_server_import (&mi
->context
.options
,
1300 D_IMPORT_ERRORS
|M_OPTERR
,
1301 option_permissions_mask
,
1305 if (!delete_file (dc_file
))
1306 msg (D_MULTI_ERRORS
, "MULTI: problem deleting temporary file: %s",
1310 * If the --client-connect script generates a config file
1311 * with an --ifconfig-push directive, it will override any
1312 * --ifconfig-push directive from the --client-config-dir
1313 * directory or any --ifconfig-pool dynamic address.
1315 multi_select_virtual_addr (m
, mi
);
1316 multi_set_virtual_addr_env (m
, mi
);
1320 #ifdef ENABLE_PLUGIN
1323 * Called after client-connect plug-in is called
1326 multi_client_connect_post_plugin (struct multi_context
*m
,
1327 struct multi_instance
*mi
,
1328 const struct plugin_return
*pr
,
1329 unsigned int option_permissions_mask
,
1330 unsigned int *option_types_found
)
1332 struct plugin_return config
;
1334 plugin_return_get_column (pr
, &config
, "config");
1336 /* Did script generate a dynamic config file? */
1337 if (plugin_return_defined (&config
))
1340 for (i
= 0; i
< config
.n
; ++i
)
1342 if (config
.list
[i
] && config
.list
[i
]->value
)
1343 options_string_import (&mi
->context
.options
,
1344 config
.list
[i
]->value
,
1345 D_IMPORT_ERRORS
|M_OPTERR
,
1346 option_permissions_mask
,
1352 * If the --client-connect script generates a config file
1353 * with an --ifconfig-push directive, it will override any
1354 * --ifconfig-push directive from the --client-config-dir
1355 * directory or any --ifconfig-pool dynamic address.
1357 multi_select_virtual_addr (m
, mi
);
1358 multi_set_virtual_addr_env (m
, mi
);
1364 #ifdef MANAGEMENT_DEF_AUTH
1367 * Called to load management-derived client-connect config
1370 multi_client_connect_mda (struct multi_context
*m
,
1371 struct multi_instance
*mi
,
1372 const struct buffer_list
*config
,
1373 unsigned int option_permissions_mask
,
1374 unsigned int *option_types_found
)
1378 struct buffer_entry
*be
;
1380 for (be
= config
->head
; be
!= NULL
; be
= be
->next
)
1382 const char *opt
= BSTR(&be
->buf
);
1383 options_string_import (&mi
->context
.options
,
1385 D_IMPORT_ERRORS
|M_OPTERR
,
1386 option_permissions_mask
,
1392 * If the --client-connect script generates a config file
1393 * with an --ifconfig-push directive, it will override any
1394 * --ifconfig-push directive from the --client-config-dir
1395 * directory or any --ifconfig-pool dynamic address.
1397 multi_select_virtual_addr (m
, mi
);
1398 multi_set_virtual_addr_env (m
, mi
);
1405 multi_client_connect_setenv (struct multi_context
*m
,
1406 struct multi_instance
*mi
)
1408 struct gc_arena gc
= gc_new ();
1410 /* setenv incoming cert common name for script */
1411 setenv_str (mi
->context
.c2
.es
, "common_name", tls_common_name (mi
->context
.c2
.tls_multi
, true));
1413 /* setenv client real IP address */
1414 setenv_trusted (mi
->context
.c2
.es
, get_link_socket_info (&mi
->context
));
1416 /* setenv client virtual IP address */
1417 multi_set_virtual_addr_env (m
, mi
);
1419 /* setenv connection time */
1421 const char *created_ascii
= time_string (mi
->created
, 0, false, &gc
);
1422 setenv_str (mi
->context
.c2
.es
, "time_ascii", created_ascii
);
1423 setenv_unsigned (mi
->context
.c2
.es
, "time_unix", (unsigned int)mi
->created
);
1430 * Called as soon as the SSL/TLS connection authenticates.
1432 * Instance-specific directives to be processed:
1434 * iroute start-ip end-ip
1435 * ifconfig-push local remote-netmask
1439 multi_connection_established (struct multi_context
*m
, struct multi_instance
*mi
)
1441 if (tls_authentication_status (mi
->context
.c2
.tls_multi
, 0) == TLS_AUTHENTICATION_SUCCEEDED
)
1443 struct gc_arena gc
= gc_new ();
1444 unsigned int option_types_found
= 0;
1446 const unsigned int option_permissions_mask
=
1456 int cc_succeeded
= true; /* client connect script status */
1457 int cc_succeeded_count
= 0;
1459 ASSERT (mi
->context
.c1
.tuntap
);
1461 /* lock down the common name so it can't change during future TLS renegotiations */
1462 tls_lock_common_name (mi
->context
.c2
.tls_multi
);
1464 /* generate a msg() prefix for this client instance */
1465 generate_prefix (mi
);
1467 /* delete instances of previous clients with same common-name */
1468 if (!mi
->context
.options
.duplicate_cn
)
1469 multi_delete_dup (m
, mi
);
1471 /* reset pool handle to null */
1472 mi
->vaddr_handle
= -1;
1475 * Try to source a dynamic config file from the
1476 * --client-config-dir directory.
1478 if (mi
->context
.options
.client_config_dir
)
1480 const char *ccd_file
;
1482 ccd_file
= gen_path (mi
->context
.options
.client_config_dir
,
1483 tls_common_name (mi
->context
.c2
.tls_multi
, false),
1486 /* try common-name file */
1487 if (test_file (ccd_file
))
1489 options_server_import (&mi
->context
.options
,
1491 D_IMPORT_ERRORS
|M_OPTERR
,
1492 option_permissions_mask
,
1493 &option_types_found
,
1496 else /* try default file */
1498 ccd_file
= gen_path (mi
->context
.options
.client_config_dir
,
1502 if (test_file (ccd_file
))
1504 options_server_import (&mi
->context
.options
,
1506 D_IMPORT_ERRORS
|M_OPTERR
,
1507 option_permissions_mask
,
1508 &option_types_found
,
1515 * Select a virtual address from either --ifconfig-push in --client-config-dir file
1516 * or --ifconfig-pool.
1518 multi_select_virtual_addr (m
, mi
);
1520 /* do --client-connect setenvs */
1521 multi_client_connect_setenv (m
, mi
);
1523 #ifdef ENABLE_PLUGIN
1525 * Call client-connect plug-in.
1528 /* deprecated callback, use a file for passing back return info */
1529 if (plugin_defined (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_CONNECT
))
1531 struct argv argv
= argv_new ();
1532 const char *dc_file
= create_temp_filename (mi
->context
.options
.tmp_dir
, "cc", &gc
);
1533 argv_printf (&argv
, "%s", dc_file
);
1534 delete_file (dc_file
);
1535 if (plugin_call (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_CONNECT
, &argv
, NULL
, mi
->context
.c2
.es
) != OPENVPN_PLUGIN_FUNC_SUCCESS
)
1537 msg (M_WARN
, "WARNING: client-connect plugin call failed");
1538 cc_succeeded
= false;
1542 multi_client_connect_post (m
, mi
, dc_file
, option_permissions_mask
, &option_types_found
);
1543 ++cc_succeeded_count
;
1548 /* V2 callback, use a plugin_return struct for passing back return info */
1549 if (plugin_defined (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_CONNECT_V2
))
1551 struct plugin_return pr
;
1553 plugin_return_init (&pr
);
1555 if (plugin_call (mi
->context
.plugins
, OPENVPN_PLUGIN_CLIENT_CONNECT_V2
, NULL
, &pr
, mi
->context
.c2
.es
) != OPENVPN_PLUGIN_FUNC_SUCCESS
)
1557 msg (M_WARN
, "WARNING: client-connect-v2 plugin call failed");
1558 cc_succeeded
= false;
1562 multi_client_connect_post_plugin (m
, mi
, &pr
, option_permissions_mask
, &option_types_found
);
1563 ++cc_succeeded_count
;
1566 plugin_return_free (&pr
);
1571 * Run --client-connect script.
1573 if (mi
->context
.options
.client_connect_script
&& cc_succeeded
)
1575 struct argv argv
= argv_new ();
1576 const char *dc_file
= NULL
;
1578 setenv_str (mi
->context
.c2
.es
, "script_type", "client-connect");
1580 dc_file
= create_temp_filename (mi
->context
.options
.tmp_dir
, "cc", &gc
);
1582 delete_file (dc_file
);
1584 argv_printf (&argv
, "%sc %s",
1585 mi
->context
.options
.client_connect_script
,
1588 if (openvpn_execve_check (&argv
, mi
->context
.c2
.es
, S_SCRIPT
, "client-connect command failed"))
1590 multi_client_connect_post (m
, mi
, dc_file
, option_permissions_mask
, &option_types_found
);
1591 ++cc_succeeded_count
;
1594 cc_succeeded
= false;
1600 * Check for client-connect script left by management interface client
1602 #ifdef MANAGEMENT_DEF_AUTH
1603 if (cc_succeeded
&& mi
->cc_config
)
1605 multi_client_connect_mda (m
, mi
, mi
->cc_config
, option_permissions_mask
, &option_types_found
);
1606 ++cc_succeeded_count
;
1611 * Check for "disable" directive in client-config-dir file
1612 * or config file generated by --client-connect script.
1614 if (mi
->context
.options
.disable
)
1616 msg (D_MULTI_ERRORS
, "MULTI: client has been rejected due to 'disable' directive");
1617 cc_succeeded
= false;
1623 * Process sourced options.
1625 do_deferred_options (&mi
->context
, option_types_found
);
1628 * make sure we got ifconfig settings from somewhere
1630 if (!mi
->context
.c2
.push_ifconfig_defined
)
1632 msg (D_MULTI_ERRORS
, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
1633 multi_instance_string (mi
, false, &gc
));
1637 * make sure that ifconfig settings comply with constraints
1639 if (!ifconfig_push_constraint_satisfied (&mi
->context
))
1641 /* JYFIXME -- this should cause the connection to fail */
1642 msg (D_MULTI_ERRORS
, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
1643 multi_instance_string (mi
, false, &gc
),
1644 print_in_addr_t (mi
->context
.c2
.push_ifconfig_local
, 0, &gc
),
1645 print_in_addr_t (mi
->context
.options
.push_ifconfig_constraint_network
, 0, &gc
),
1646 print_in_addr_t (mi
->context
.options
.push_ifconfig_constraint_netmask
, 0, &gc
));
1650 * For routed tunnels, set up internal route to endpoint
1651 * plus add all iroute routes.
1653 if (TUNNEL_TYPE (mi
->context
.c1
.tuntap
) == DEV_TYPE_TUN
)
1655 if (mi
->context
.c2
.push_ifconfig_defined
)
1657 multi_learn_in_addr_t (m
, mi
, mi
->context
.c2
.push_ifconfig_local
, -1, true);
1658 msg (D_MULTI_LOW
, "MULTI: primary virtual IP for %s: %s",
1659 multi_instance_string (mi
, false, &gc
),
1660 print_in_addr_t (mi
->context
.c2
.push_ifconfig_local
, 0, &gc
));
1663 /* add routes locally, pointing to new client, if
1664 --iroute options have been specified */
1665 multi_add_iroutes (m
, mi
);
1668 * iroutes represent subnets which are "owned" by a particular
1669 * client. Therefore, do not actually push a route to a client
1670 * if it matches one of the client's iroutes.
1672 remove_iroutes_from_push_route_list (&mi
->context
.options
);
1674 else if (mi
->context
.options
.iroutes
)
1676 msg (D_MULTI_ERRORS
, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
1677 multi_instance_string (mi
, false, &gc
));
1680 /* set our client's VPN endpoint for status reporting purposes */
1681 mi
->reporting_addr
= mi
->context
.c2
.push_ifconfig_local
;
1683 /* set context-level authentication flag */
1684 mi
->context
.c2
.context_auth
= CAS_SUCCEEDED
;
1688 /* set context-level authentication flag */
1689 mi
->context
.c2
.context_auth
= cc_succeeded_count
? CAS_PARTIAL
: CAS_FAILED
;
1692 /* set flag so we don't get called again */
1693 mi
->connection_established_flag
= true;
1695 /* increment number of current authenticated clients */
1697 --mi
->n_clients_delta
;
1699 #ifdef MANAGEMENT_DEF_AUTH
1701 management_connection_established (management
, &mi
->context
.c2
.mda_context
, mi
->context
.c2
.es
);
1708 * Reply now to client's PUSH_REQUEST query
1710 mi
->context
.c2
.push_reply_deferred
= false;
1714 * Add a mbuf buffer to a particular
1718 multi_add_mbuf (struct multi_context
*m
,
1719 struct multi_instance
*mi
,
1720 struct mbuf_buffer
*mb
)
1722 if (multi_output_queue_ready (m
, mi
))
1724 struct mbuf_item item
;
1727 mbuf_add_item (m
->mbuf
, &item
);
1731 msg (D_MULTI_DROPPED
, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
1736 * Add a packet to a client instance output queue.
1739 multi_unicast (struct multi_context
*m
,
1740 const struct buffer
*buf
,
1741 struct multi_instance
*mi
)
1743 struct mbuf_buffer
*mb
;
1747 mb
= mbuf_alloc_buf (buf
);
1748 mb
->flags
= MF_UNICAST
;
1749 multi_add_mbuf (m
, mi
, mb
);
1755 * Broadcast a packet to all clients.
1758 multi_bcast (struct multi_context
*m
,
1759 const struct buffer
*buf
,
1760 const struct multi_instance
*sender_instance
,
1761 const struct mroute_addr
*sender_addr
)
1763 struct hash_iterator hi
;
1764 struct hash_element
*he
;
1765 struct multi_instance
*mi
;
1766 struct mbuf_buffer
*mb
;
1770 perf_push (PERF_MULTI_BCAST
);
1771 #ifdef MULTI_DEBUG_EVENT_LOOP
1772 printf ("BCAST len=%d\n", BLEN (buf
));
1774 mb
= mbuf_alloc_buf (buf
);
1775 hash_iterator_init (m
->iter
, &hi
, true);
1777 while ((he
= hash_iterator_next (&hi
)))
1779 mi
= (struct multi_instance
*) he
->value
;
1780 if (mi
!= sender_instance
&& !mi
->halt
)
1783 if (sender_instance
)
1785 if (!pf_c2c_test (&sender_instance
->context
, &mi
->context
, "bcast_c2c"))
1787 msg (D_PF_DROPPED_BCAST
, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
1788 mi_prefix (sender_instance
),
1795 if (!pf_addr_test (&mi
->context
, sender_addr
, "bcast_src_addr"))
1797 struct gc_arena gc
= gc_new ();
1798 msg (D_PF_DROPPED_BCAST
, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
1799 mroute_addr_print_ex (sender_addr
, MAPF_SHOW_ARP
, &gc
),
1806 multi_add_mbuf (m
, mi
, mb
);
1810 hash_iterator_free (&hi
);
1817 * Given a time delta, indicating that we wish to be
1818 * awoken by the scheduler at time now + delta, figure
1819 * a sigma parameter (in microseconds) that represents
1820 * a sort of fuzz factor around delta, so that we're
1821 * really telling the scheduler to wake us up any time
1822 * between now + delta - sigma and now + delta + sigma.
1824 * The sigma parameter helps the scheduler to run more efficiently.
1825 * Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
1827 static inline unsigned int
1828 compute_wakeup_sigma (const struct timeval
*delta
)
1830 if (delta
->tv_sec
< 1)
1832 /* if < 1 sec, fuzz = # of microseconds / 8 */
1833 return delta
->tv_usec
>> 3;
1837 /* if < 10 minutes, fuzz = 13.1% of timeout */
1838 if (delta
->tv_sec
< 600)
1839 return delta
->tv_sec
<< 17;
1841 return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
1846 * Figure instance-specific timers, convert
1847 * earliest to absolute time in mi->wakeup,
1848 * call scheduler with our future wakeup time.
1850 * Also close context on signal.
1853 multi_process_post (struct multi_context
*m
, struct multi_instance
*mi
, const unsigned int flags
)
1857 if (!IS_SIG (&mi
->context
) && ((flags
& MPP_PRE_SELECT
) || ((flags
& MPP_CONDITIONAL_PRE_SELECT
) && !ANY_OUT (&mi
->context
))))
1859 /* figure timeouts and fetch possible outgoing
1860 to_link packets (such as ping or TLS control) */
1861 pre_select (&mi
->context
);
1863 if (!IS_SIG (&mi
->context
))
1865 /* calculate an absolute wakeup time */
1866 ASSERT (!openvpn_gettimeofday (&mi
->wakeup
, NULL
));
1867 tv_add (&mi
->wakeup
, &mi
->context
.c2
.timeval
);
1869 /* tell scheduler to wake us up at some point in the future */
1870 schedule_add_entry (m
->schedule
,
1871 (struct schedule_entry
*) mi
,
1873 compute_wakeup_sigma (&mi
->context
.c2
.timeval
));
1875 /* connection is "established" when SSL/TLS key negotiation succeeds
1876 and (if specified) auth user/pass succeeds */
1877 if (!mi
->connection_established_flag
&& CONNECTION_ESTABLISHED (&mi
->context
))
1878 multi_connection_established (m
, mi
);
1882 if (IS_SIG (&mi
->context
))
1884 if (flags
& MPP_CLOSE_ON_SIGNAL
)
1886 multi_close_instance_on_signal (m
, mi
);
1892 /* continue to pend on output? */
1893 multi_set_pending (m
, ANY_OUT (&mi
->context
) ? mi
: NULL
);
1895 #ifdef MULTI_DEBUG_EVENT_LOOP
1896 printf ("POST %s[%d] to=%d lo=%d/%d w=%d/%d\n",
1898 (int) (mi
== m
->pending
),
1899 mi
? mi
->context
.c2
.to_tun
.len
: -1,
1900 mi
? mi
->context
.c2
.to_link
.len
: -1,
1901 (mi
&& mi
->context
.c2
.fragment
) ? mi
->context
.c2
.fragment
->outgoing
.len
: -1,
1902 (int)mi
->context
.c2
.timeval
.tv_sec
,
1903 (int)mi
->context
.c2
.timeval
.tv_usec
);
1907 if ((flags
& MPP_RECORD_TOUCH
) && m
->mpp_touched
)
1908 *m
->mpp_touched
= mi
;
1914 * Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
1915 * i.e. client -> server direction.
1918 multi_process_incoming_link (struct multi_context
*m
, struct multi_instance
*instance
, const unsigned int mpp_flags
)
1920 struct gc_arena gc
= gc_new ();
1923 struct mroute_addr src
, dest
;
1924 unsigned int mroute_flags
;
1925 struct multi_instance
*mi
;
1933 #ifdef MULTI_DEBUG_EVENT_LOOP
1934 printf ("TCP/UDP -> TUN [%d]\n", BLEN (&m
->top
.c2
.buf
));
1936 multi_set_pending (m
, multi_get_create_instance_udp (m
));
1939 multi_set_pending (m
, instance
);
1943 set_prefix (m
->pending
);
1945 /* get instance context */
1946 c
= &m
->pending
->context
;
1950 /* transfer packet pointer from top-level context buffer to instance */
1951 c
->c2
.buf
= m
->top
.c2
.buf
;
1953 /* transfer from-addr from top-level context buffer to instance */
1954 c
->c2
.from
= m
->top
.c2
.from
;
1957 if (BLEN (&c
->c2
.buf
) > 0)
1959 /* decrypt in instance context */
1960 process_incoming_link (c
);
1962 if (TUNNEL_TYPE (m
->top
.c1
.tuntap
) == DEV_TYPE_TUN
)
1964 /* extract packet source and dest addresses */
1965 mroute_flags
= mroute_extract_addr_from_packet (&src
,
1972 /* drop packet if extract failed */
1973 if (!(mroute_flags
& MROUTE_EXTRACT_SUCCEEDED
))
1975 c
->c2
.to_tun
.len
= 0;
1977 /* make sure that source address is associated with this client */
1978 else if (multi_get_instance_by_virtual_addr (m
, &src
, true) != m
->pending
)
1980 msg (D_MULTI_DROPPED
, "MULTI: bad source address from client [%s], packet dropped",
1981 mroute_addr_print (&src
, &gc
));
1982 c
->c2
.to_tun
.len
= 0;
1984 /* client-to-client communication enabled? */
1985 else if (m
->enable_c2c
)
1988 if (mroute_flags
& MROUTE_EXTRACT_MCAST
)
1990 /* for now, treat multicast as broadcast */
1991 multi_bcast (m
, &c
->c2
.to_tun
, m
->pending
, NULL
);
1993 else /* possible client to client routing */
1995 ASSERT (!(mroute_flags
& MROUTE_EXTRACT_BCAST
));
1996 mi
= multi_get_instance_by_virtual_addr (m
, &dest
, true);
1998 /* if dest addr is a known client, route to it */
2002 if (!pf_c2c_test (c
, &mi
->context
, "tun_c2c"))
2004 msg (D_PF_DROPPED
, "PF: client -> client[%s] packet dropped by TUN packet filter",
2010 multi_unicast (m
, &c
->c2
.to_tun
, mi
);
2011 register_activity (c
, BLEN(&c
->c2
.to_tun
));
2013 c
->c2
.to_tun
.len
= 0;
2018 if (c
->c2
.to_tun
.len
&& !pf_addr_test (c
, &dest
, "tun_dest_addr"))
2020 msg (D_PF_DROPPED
, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2021 mroute_addr_print_ex (&dest
, MAPF_SHOW_ARP
, &gc
));
2022 c
->c2
.to_tun
.len
= 0;
2026 else if (TUNNEL_TYPE (m
->top
.c1
.tuntap
) == DEV_TYPE_TAP
)
2029 struct mroute_addr edest
;
2030 mroute_addr_reset (&edest
);
2032 /* extract packet source and dest addresses */
2033 mroute_flags
= mroute_extract_addr_from_packet (&src
,
2044 if (mroute_flags
& MROUTE_EXTRACT_SUCCEEDED
)
2046 if (multi_learn_addr (m
, m
->pending
, &src
, 0) == m
->pending
)
2048 /* check for broadcast */
2051 if (mroute_flags
& (MROUTE_EXTRACT_BCAST
|MROUTE_EXTRACT_MCAST
))
2053 multi_bcast (m
, &c
->c2
.to_tun
, m
->pending
, NULL
);
2055 else /* try client-to-client routing */
2057 mi
= multi_get_instance_by_virtual_addr (m
, &dest
, false);
2059 /* if dest addr is a known client, route to it */
2063 if (!pf_c2c_test (c
, &mi
->context
, "tap_c2c"))
2065 msg (D_PF_DROPPED
, "PF: client -> client[%s] packet dropped by TAP packet filter",
2071 multi_unicast (m
, &c
->c2
.to_tun
, mi
);
2072 register_activity (c
, BLEN(&c
->c2
.to_tun
));
2074 c
->c2
.to_tun
.len
= 0;
2079 if (c
->c2
.to_tun
.len
&& !pf_addr_test (c
, &edest
, "tap_dest_addr"))
2081 msg (D_PF_DROPPED
, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2082 mroute_addr_print_ex (&edest
, MAPF_SHOW_ARP
, &gc
));
2083 c
->c2
.to_tun
.len
= 0;
2089 msg (D_MULTI_DROPPED
, "MULTI: bad source address from client [%s], packet dropped",
2090 mroute_addr_print (&src
, &gc
));
2091 c
->c2
.to_tun
.len
= 0;
2096 c
->c2
.to_tun
.len
= 0;
2101 /* postprocess and set wakeup */
2102 ret
= multi_process_post (m
, m
->pending
, mpp_flags
);
2112 * Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2113 * i.e. server -> client direction.
2116 multi_process_incoming_tun (struct multi_context
*m
, const unsigned int mpp_flags
)
2118 struct gc_arena gc
= gc_new ();
2121 if (BLEN (&m
->top
.c2
.buf
) > 0)
2123 unsigned int mroute_flags
;
2124 struct mroute_addr src
, dest
;
2125 const int dev_type
= TUNNEL_TYPE (m
->top
.c1
.tuntap
);
2128 struct mroute_addr esrc
, *e1
, *e2
;
2129 if (dev_type
== DEV_TYPE_TUN
)
2137 mroute_addr_reset (&esrc
);
2141 #ifdef MULTI_DEBUG_EVENT_LOOP
2142 printf ("TUN -> TCP/UDP [%d]\n", BLEN (&m
->top
.c2
.buf
));
2149 * Route an incoming tun/tap packet to
2150 * the appropriate multi_instance object.
2153 mroute_flags
= mroute_extract_addr_from_packet (&src
,
2164 if (mroute_flags
& MROUTE_EXTRACT_SUCCEEDED
)
2168 /* broadcast or multicast dest addr? */
2169 if (mroute_flags
& (MROUTE_EXTRACT_BCAST
|MROUTE_EXTRACT_MCAST
))
2171 /* for now, treat multicast as broadcast */
2173 multi_bcast (m
, &m
->top
.c2
.buf
, NULL
, e2
);
2175 multi_bcast (m
, &m
->top
.c2
.buf
, NULL
, NULL
);
2180 multi_set_pending (m
, multi_get_instance_by_virtual_addr (m
, &dest
, dev_type
== DEV_TYPE_TUN
));
2184 /* get instance context */
2185 c
= &m
->pending
->context
;
2187 set_prefix (m
->pending
);
2190 if (!pf_addr_test (c
, e2
, "tun_tap_src_addr"))
2192 msg (D_PF_DROPPED
, "PF: addr[%s] -> client packet dropped by packet filter",
2193 mroute_addr_print_ex (&src
, MAPF_SHOW_ARP
, &gc
));
2194 buf_reset_len (&c
->c2
.buf
);
2199 if (multi_output_queue_ready (m
, m
->pending
))
2201 /* transfer packet pointer from top-level context buffer to instance */
2202 c
->c2
.buf
= m
->top
.c2
.buf
;
2207 msg (D_MULTI_DROPPED
, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2208 buf_reset_len (&c
->c2
.buf
);
2212 /* encrypt in instance context */
2213 process_incoming_tun (c
);
2215 /* postprocess and set wakeup */
2216 ret
= multi_process_post (m
, m
->pending
, mpp_flags
);
2228 * Process a possible client-to-client/bcast/mcast message in the
2231 struct multi_instance
*
2232 multi_get_queue (struct mbuf_set
*ms
)
2234 struct mbuf_item item
;
2236 if (mbuf_extract_item (ms
, &item
, true)) /* cleartext IP packet */
2238 unsigned int pipv4_flags
= PIPV4_PASSTOS
;
2240 set_prefix (item
.instance
);
2241 item
.instance
->context
.c2
.buf
= item
.buffer
->buf
;
2242 if (item
.buffer
->flags
& MF_UNICAST
) /* --mssfix doesn't make sense for broadcast or multicast */
2243 pipv4_flags
|= PIPV4_MSSFIX
;
2244 process_ipv4_header (&item
.instance
->context
, pipv4_flags
, &item
.instance
->context
.c2
.buf
);
2245 encrypt_sign (&item
.instance
->context
, true);
2246 mbuf_free_buf (item
.buffer
);
2248 dmsg (D_MULTI_DEBUG
, "MULTI: C2C/MCAST/BCAST");
2251 return item
.instance
;
2260 * Called when an I/O wait times out. Usually means that a particular
2261 * client instance object needs timer-based service.
2264 multi_process_timeout (struct multi_context
*m
, const unsigned int mpp_flags
)
2268 #ifdef MULTI_DEBUG_EVENT_LOOP
2269 printf ("%s -> TIMEOUT\n", id(m
->earliest_wakeup
));
2272 /* instance marked for wakeup? */
2273 if (m
->earliest_wakeup
)
2275 set_prefix (m
->earliest_wakeup
);
2276 ret
= multi_process_post (m
, m
->earliest_wakeup
, mpp_flags
);
2277 m
->earliest_wakeup
= NULL
;
2284 * Drop a TUN/TAP outgoing packet..
2287 multi_process_drop_outgoing_tun (struct multi_context
*m
, const unsigned int mpp_flags
)
2289 struct multi_instance
*mi
= m
->pending
;
2295 msg (D_MULTI_ERRORS
, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2296 mi
->context
.c2
.to_tun
.len
);
2298 buf_reset (&mi
->context
.c2
.to_tun
);
2300 multi_process_post (m
, mi
, mpp_flags
);
2305 * Per-client route quota management
2309 route_quota_exceeded (const struct multi_context
*m
, const struct multi_instance
*mi
)
2311 struct gc_arena gc
= gc_new ();
2312 msg (D_ROUTE_QUOTA
, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2313 mi
->context
.options
.max_routes_per_client
,
2314 multi_instance_string (mi
, false, &gc
));
2320 * Flood clients with random packets
2323 gremlin_flood_clients (struct multi_context
*m
)
2325 const int level
= GREMLIN_PACKET_FLOOD_LEVEL (m
->top
.options
.gremlin
);
2328 struct gc_arena gc
= gc_new ();
2329 struct buffer buf
= alloc_buf_gc (BUF_SIZE (&m
->top
.c2
.frame
), &gc
);
2330 struct packet_flood_parms parm
= get_packet_flood_parms (level
);
2333 ASSERT (buf_init (&buf
, FRAME_HEADROOM (&m
->top
.c2
.frame
)));
2334 parm
.packet_size
= min_int (parm
.packet_size
, MAX_RW_SIZE_TUN (&m
->top
.c2
.frame
));
2336 msg (D_GREMLIN
, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2340 for (i
= 0; i
< parm
.packet_size
; ++i
)
2341 ASSERT (buf_write_u8 (&buf
, get_random () & 0xFF));
2343 for (i
= 0; i
< parm
.n_packets
; ++i
)
2344 multi_bcast (m
, &buf
, NULL
, NULL
);
2352 * Process timers in the top-level context
2355 multi_process_per_second_timers_dowork (struct multi_context
*m
)
2357 /* possibly reap instances/routes in vhash */
2358 multi_reap_process (m
);
2360 /* possibly print to status log */
2361 if (m
->top
.c1
.status_output
)
2363 if (status_trigger (m
->top
.c1
.status_output
))
2364 multi_print_status (m
, m
->top
.c1
.status_output
, m
->status_file_version
);
2367 /* possibly flush ifconfig-pool file */
2368 multi_ifconfig_pool_persist (m
, false);
2371 gremlin_flood_clients (m
);
2376 multi_top_init (struct multi_context
*m
, const struct context
*top
, const bool alloc_buffers
)
2378 inherit_context_top (&m
->top
, top
);
2379 m
->top
.c2
.buffers
= NULL
;
2381 m
->top
.c2
.buffers
= init_context_buffers (&top
->c2
.frame
);
2385 multi_top_free (struct multi_context
*m
)
2387 close_context (&m
->top
, -1, CC_GC_FREE
);
2388 free_context_buffers (m
->top
.c2
.buffers
);
2392 * Return true if event loop should break,
2393 * false if it should continue.
2396 multi_process_signal (struct multi_context
*m
)
2398 if (m
->top
.sig
->signal_received
== SIGUSR2
)
2400 struct status_output
*so
= m
->top
.c1
.status_output
? m
->top
.c1
.status_output
: status_open (NULL
, 0, M_INFO
, NULL
, 0);
2401 multi_print_status (m
, so
, m
->status_file_version
);
2402 if ( so
!= m
->top
.c1
.status_output
) status_close (so
);
2403 m
->top
.sig
->signal_received
= 0;
2410 * Called when an instance should be closed due to the
2411 * reception of a soft signal.
2414 multi_close_instance_on_signal (struct multi_context
*m
, struct multi_instance
*mi
)
2416 remap_signal (&mi
->context
);
2418 print_signal (mi
->context
.sig
, "client-instance", D_MULTI_LOW
);
2420 multi_close_instance (m
, mi
, false);
2424 multi_signal_instance (struct multi_context
*m
, struct multi_instance
*mi
, const int sig
)
2426 mi
->context
.sig
->signal_received
= sig
;
2427 multi_close_instance_on_signal (m
, mi
);
2431 * Management subsystem callbacks
2434 #ifdef ENABLE_MANAGEMENT
2437 management_callback_status (void *arg
, const int version
, struct status_output
*so
)
2439 struct multi_context
*m
= (struct multi_context
*) arg
;
2442 multi_print_status (m
, so
, m
->status_file_version
);
2444 multi_print_status (m
, so
, version
);
2448 management_callback_n_clients (void *arg
)
2450 struct multi_context
*m
= (struct multi_context
*) arg
;
2451 return m
->n_clients
;
2455 management_callback_kill_by_cn (void *arg
, const char *del_cn
)
2457 struct multi_context
*m
= (struct multi_context
*) arg
;
2458 struct hash_iterator hi
;
2459 struct hash_element
*he
;
2462 hash_iterator_init (m
->iter
, &hi
, true);
2463 while ((he
= hash_iterator_next (&hi
)))
2465 struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
2468 const char *cn
= tls_common_name (mi
->context
.c2
.tls_multi
, false);
2469 if (cn
&& !strcmp (cn
, del_cn
))
2471 multi_signal_instance (m
, mi
, SIGTERM
);
2476 hash_iterator_free (&hi
);
2481 management_callback_kill_by_addr (void *arg
, const in_addr_t addr
, const int port
)
2483 struct multi_context
*m
= (struct multi_context
*) arg
;
2484 struct hash_iterator hi
;
2485 struct hash_element
*he
;
2486 struct openvpn_sockaddr saddr
;
2487 struct mroute_addr maddr
;
2491 saddr
.sa
.sin_family
= AF_INET
;
2492 saddr
.sa
.sin_addr
.s_addr
= htonl (addr
);
2493 saddr
.sa
.sin_port
= htons (port
);
2494 if (mroute_extract_openvpn_sockaddr (&maddr
, &saddr
, true))
2496 hash_iterator_init (m
->iter
, &hi
, true);
2497 while ((he
= hash_iterator_next (&hi
)))
2499 struct multi_instance
*mi
= (struct multi_instance
*) he
->value
;
2500 if (!mi
->halt
&& mroute_addr_equal (&maddr
, &mi
->real
))
2502 multi_signal_instance (m
, mi
, SIGTERM
);
2506 hash_iterator_free (&hi
);
2512 management_delete_event (void *arg
, event_t event
)
2514 struct multi_context
*m
= (struct multi_context
*) arg
;
2516 multi_tcp_delete_event (m
->mtcp
, event
);
2521 #ifdef MANAGEMENT_DEF_AUTH
2523 static struct multi_instance
*
2524 lookup_by_cid (struct multi_context
*m
, const unsigned long cid
)
2528 struct multi_instance
*mi
= (struct multi_instance
*) hash_lookup (m
->cid_hash
, &cid
);
2529 if (mi
&& !mi
->halt
)
2536 management_kill_by_cid (void *arg
, const unsigned long cid
)
2538 struct multi_context
*m
= (struct multi_context
*) arg
;
2539 struct multi_instance
*mi
= lookup_by_cid (m
, cid
);
2542 multi_signal_instance (m
, mi
, SIGTERM
);
2550 management_client_auth (void *arg
,
2551 const unsigned long cid
,
2552 const unsigned int mda_key_id
,
2555 struct buffer_list
*cc_config
) /* ownership transferred */
2557 struct multi_context
*m
= (struct multi_context
*) arg
;
2558 struct multi_instance
*mi
= lookup_by_cid (m
, cid
);
2559 bool cc_config_owned
= true;
2564 ret
= tls_authenticate_key (mi
->context
.c2
.tls_multi
, mda_key_id
, auth
);
2567 if (auth
&& !mi
->connection_established_flag
)
2569 set_cc_config (mi
, cc_config
);
2570 cc_config_owned
= false;
2572 if (!auth
&& reason
)
2573 msg (D_MULTI_LOW
, "MULTI: connection rejected: %s", reason
);
2576 if (cc_config_owned
&& cc_config
)
2577 buffer_list_free (cc_config
);
2582 #ifdef MANAGEMENT_PF
2584 management_client_pf (void *arg
,
2585 const unsigned long cid
,
2586 struct buffer_list
*pf_config
) /* ownership transferred */
2588 struct multi_context
*m
= (struct multi_context
*) arg
;
2589 struct multi_instance
*mi
= lookup_by_cid (m
, cid
);
2592 if (mi
&& pf_config
)
2593 ret
= pf_load_from_buffer_list (&mi
->context
, pf_config
);
2596 buffer_list_free (pf_config
);
2602 init_management_callback_multi (struct multi_context
*m
)
2604 #ifdef ENABLE_MANAGEMENT
2607 struct management_callback cb
;
2610 cb
.flags
= MCF_SERVER
;
2611 cb
.status
= management_callback_status
;
2612 cb
.show_net
= management_show_net_callback
;
2613 cb
.kill_by_cn
= management_callback_kill_by_cn
;
2614 cb
.kill_by_addr
= management_callback_kill_by_addr
;
2615 cb
.delete_event
= management_delete_event
;
2616 cb
.n_clients
= management_callback_n_clients
;
2617 #ifdef MANAGEMENT_DEF_AUTH
2618 cb
.kill_by_cid
= management_kill_by_cid
;
2619 cb
.client_auth
= management_client_auth
;
2621 #ifdef MANAGEMENT_PF
2622 cb
.client_pf
= management_client_pf
;
2624 management_set_callback (management
, &cb
);
2630 uninit_management_callback_multi (struct multi_context
*m
)
2632 uninit_management_callback ();
2636 * Top level event loop.
2639 tunnel_server (struct context
*top
)
2641 ASSERT (top
->options
.mode
== MODE_SERVER
);
2643 switch (top
->options
.ce
.proto
) {
2645 tunnel_server_udp (top
);
2647 case PROTO_TCPv4_SERVER
:
2648 tunnel_server_tcp (top
);
2656 static void dummy(void) {}
2657 #endif /* P2MP_SERVER */