2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 * Support routines for adding/deleting network routes.
31 #elif defined(_MSC_VER)
32 #include "config-msvc.h"
49 #define METRIC_NOT_USED ((DWORD)-1)
52 static void delete_route (struct route
*r
, const struct tuntap
*tt
, unsigned int flags
, const struct route_gateway_info
*rgi
, const struct env_set
*es
);
54 static void get_bypass_addresses (struct route_bypass
*rb
, const unsigned int flags
);
59 print_bypass_addresses (const struct route_bypass
*rb
)
61 struct gc_arena gc
= gc_new ();
63 for (i
= 0; i
< rb
->n_bypass
; ++i
)
65 msg (D_ROUTE
, "ROUTE: bypass_host_route[%d]=%s",
67 print_in_addr_t (rb
->bypass
[i
], 0, &gc
));
/*
 * Record address a in the fixed-size bypass table rb, unless an identical
 * entry is already present.  The table holds at most N_ROUTE_BYPASS
 * entries; once it is full the address is dropped silently -- there is no
 * msg() call on that path -- so the caller cannot tell that no bypass
 * route will be installed for it.  NOTE(review): a warning when the table
 * is full would make that condition visible in the log.
 */
75 add_bypass_address (struct route_bypass
*rb
, const in_addr_t a
)
/* linear duplicate scan over the entries recorded so far */
78 for (i
= 0; i
< rb
->n_bypass
; ++i
)
80 if (a
== rb
->bypass
[i
]) /* avoid duplicates */
/* bound check before the append: n_bypass is the next free slot */
83 if (rb
->n_bypass
< N_ROUTE_BYPASS
)
85 rb
->bypass
[rb
->n_bypass
++] = a
;
94 struct route_option_list
*
95 new_route_option_list (const int max_routes
, struct gc_arena
*a
)
97 struct route_option_list
*ret
;
98 ALLOC_VAR_ARRAY_CLEAR_GC (ret
, struct route_option_list
, struct route_option
, max_routes
, a
);
99 ret
->capacity
= max_routes
;
103 struct route_ipv6_option_list
*
104 new_route_ipv6_option_list (const int max_routes
, struct gc_arena
*a
)
106 struct route_ipv6_option_list
*ret
;
107 ALLOC_VAR_ARRAY_CLEAR_GC (ret
, struct route_ipv6_option_list
, struct route_ipv6_option
, max_routes
, a
);
108 ret
->capacity
= max_routes
;
112 struct route_option_list
*
113 clone_route_option_list (const struct route_option_list
*src
, struct gc_arena
*a
)
115 const size_t rl_size
= array_mult_safe (sizeof(struct route_option
), src
->capacity
, sizeof(struct route_option_list
));
116 struct route_option_list
*ret
= gc_malloc (rl_size
, false, a
);
117 memcpy (ret
, src
, rl_size
);
121 struct route_ipv6_option_list
*
122 clone_route_ipv6_option_list (const struct route_ipv6_option_list
*src
, struct gc_arena
*a
)
124 const size_t rl_size
= array_mult_safe (sizeof(struct route_ipv6_option
), src
->capacity
, sizeof(struct route_ipv6_option_list
));
125 struct route_ipv6_option_list
*ret
= gc_malloc (rl_size
, false, a
);
126 memcpy (ret
, src
, rl_size
);
/*
 * Copy the whole of src (the list header plus src->capacity route_option
 * slots) over dest.  The copy is sized from src->capacity, so it is only
 * memory-safe when dest was allocated with at least that many slots; the
 * check below aborts via M_FATAL before the memcpy otherwise.  Note that
 * the message speaks of the "number of route options" while the comparison
 * is on capacity, not on the populated count n.  Because the header is
 * copied as well, dest->capacity equals src->capacity after the call.
 * array_mult_safe presumably rejects an overflowing size product -- its
 * body is not visible here.
 */
131 copy_route_option_list (struct route_option_list
*dest
, const struct route_option_list
*src
)
133 const size_t src_size
= array_mult_safe (sizeof(struct route_option
), src
->capacity
, sizeof(struct route_option_list
));
/* refuse to write past the end of dest's slot array */
134 if (src
->capacity
> dest
->capacity
)
135 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src
->capacity
, dest
->capacity
);
136 memcpy (dest
, src
, src_size
);
/*
 * IPv6 counterpart of copy_route_option_list(): copy the list header plus
 * src->capacity route_ipv6_option slots over dest.  The size comes from
 * src->capacity, so the M_FATAL check below is what keeps the memcpy inside
 * dest's allocation; the comparison is on capacity, not on the populated
 * count n, despite the wording of the message.  dest->capacity is
 * overwritten with src->capacity as part of the header copy.
 */
140 copy_route_ipv6_option_list (struct route_ipv6_option_list
*dest
,
141 const struct route_ipv6_option_list
*src
)
143 const size_t src_size
= array_mult_safe (sizeof(struct route_ipv6_option
), src
->capacity
, sizeof(struct route_ipv6_option_list
));
/* refuse to write past the end of dest's slot array */
144 if (src
->capacity
> dest
->capacity
)
145 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src
->capacity
, dest
->capacity
);
146 memcpy (dest
, src
, src_size
);
150 new_route_list (const int max_routes
, struct gc_arena
*a
)
152 struct route_list
*ret
;
153 ALLOC_VAR_ARRAY_CLEAR_GC (ret
, struct route_list
, struct route
, max_routes
, a
);
154 ret
->capacity
= max_routes
;
158 struct route_ipv6_list
*
159 new_route_ipv6_list (const int max_routes
, struct gc_arena
*a
)
161 struct route_ipv6_list
*ret
;
162 ALLOC_VAR_ARRAY_CLEAR_GC (ret
, struct route_ipv6_list
, struct route_ipv6
, max_routes
, a
);
163 ret
->capacity
= max_routes
;
168 route_string (const struct route
*r
, struct gc_arena
*gc
)
170 struct buffer out
= alloc_buf_gc (256, gc
);
171 buf_printf (&out
, "ROUTE network %s netmask %s gateway %s",
172 print_in_addr_t (r
->network
, 0, gc
),
173 print_in_addr_t (r
->netmask
, 0, gc
),
174 print_in_addr_t (r
->gateway
, 0, gc
)
176 if (r
->flags
& RT_METRIC_DEFINED
)
177 buf_printf (&out
, " metric %d", r
->metric
);
182 is_route_parm_defined (const char *parm
)
186 if (!strcmp (parm
, "default"))
192 setenv_route_addr (struct env_set
*es
, const char *key
, const in_addr_t addr
, int i
)
194 struct gc_arena gc
= gc_new ();
195 struct buffer name
= alloc_buf_gc (256, &gc
);
197 buf_printf (&name
, "route_%s_%d", key
, i
);
199 buf_printf (&name
, "route_%s", key
);
200 setenv_str (es
, BSTR (&name
), print_in_addr_t (addr
, 0, &gc
));
205 get_special_addr (const struct route_list
*rl
,
212 if (!strcmp (string
, "vpn_gateway"))
216 if (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
)
217 *out
= rl
->spec
.remote_endpoint
;
220 msg (M_INFO
, PACKAGE_NAME
" ROUTE: vpn_gateway undefined");
227 else if (!strcmp (string
, "net_gateway"))
231 if (rl
->rgi
.flags
& RGI_ADDR_DEFINED
)
232 *out
= rl
->rgi
.gateway
.addr
;
235 msg (M_INFO
, PACKAGE_NAME
" ROUTE: net_gateway undefined -- unable to get default gateway from system");
242 else if (!strcmp (string
, "remote_host"))
246 if (rl
->spec
.flags
& RTSA_REMOTE_HOST
)
247 *out
= rl
->spec
.remote_host
;
250 msg (M_INFO
, PACKAGE_NAME
" ROUTE: remote_host undefined");
261 is_special_addr (const char *addr_str
)
264 return get_special_addr (NULL
, addr_str
, NULL
, NULL
);
/*
 * Resolve one --route option (ro) into a concrete IPv4 route r.
 *
 *   network:  either a special name handled by get_special_addr() above
 *             (vpn_gateway / net_gateway / remote_host) or a host name or
 *             dotted quad handed to openvpn_getaddrinfo(); the resolved
 *             addresses are returned to the caller through *network_list,
 *             which the caller releases (see freeaddrinfo in
 *             init_route_list).
 *   netmask:  ro->netmask when given, else IPV4_NETMASK_HOST (host route).
 *   gateway:  ro->gateway (special name or address), else the list's
 *             remote endpoint when defined, else only a warning is logged.
 *   metric:   ro->metric when given, else the list's default metric.
 *
 * Sets RT_DEFINED (and RT_METRIC_DEFINED where applicable) in r->flags on
 * success.  The return statements and the status/ret declarations are not
 * visible in this listing.
 */
270 init_route (struct route
*r
,
271 struct addrinfo
**network_list
,
272 const struct route_option
*ro
,
273 const struct route_list
*rl
)
275 const in_addr_t default_netmask
= IPV4_NETMASK_HOST
;
278 struct in_addr special
;
285 if (!is_route_parm_defined (ro
->network
))
291 /* get_special_addr replaces a special name (e.g. vpn_gateway) with the
292 corresponding ip addr; getaddrinfo is then called to convert it into an addrinfo struct */
294 if(get_special_addr (rl
, ro
->network
, &special
.s_addr
, &status
))
/* get_special_addr yields host order; inet_ntoa expects network order,
 * and flags 0 means no DNS lookup is involved for the numeric string */
296 special
.s_addr
= htonl(special
.s_addr
);
297 ret
= openvpn_getaddrinfo(0, inet_ntoa(special
), 0, NULL
,
298 AF_INET
, network_list
);
/* ordinary network spec: may need DNS resolution, may be interrupted by a signal */
301 ret
= openvpn_getaddrinfo(GETADDR_RESOLVE
| GETADDR_WARN_ON_SIGNAL
,
302 ro
->network
, 0, NULL
, AF_INET
, network_list
);
311 if (is_route_parm_defined (ro
->netmask
))
313 r
->netmask
= getaddr (
315 | GETADDR_WARN_ON_SIGNAL
,
/* no netmask given: treat the destination as a single host */
324 r
->netmask
= default_netmask
;
328 if (is_route_parm_defined (ro
->gateway
))
/* gateway may itself be a special name; otherwise parse/resolve it */
330 if (!get_special_addr (rl
, ro
->gateway
, &r
->gateway
, &status
))
332 r
->gateway
= getaddr (
335 | GETADDR_WARN_ON_SIGNAL
,
/* no explicit gateway: fall back to the VPN endpoint if one is known */
346 if (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
)
347 r
->gateway
= rl
->spec
.remote_endpoint
;
350 msg (M_WARN
, PACKAGE_NAME
" ROUTE: " PACKAGE_NAME
" needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
358 if (is_route_parm_defined (ro
->metric
))
/* NOTE(review): atoi() accepts trailing garbage ("10abc" becomes 10) and
 * has undefined behaviour on out-of-range input; the only validation
 * visible here is the ">= 0" warning below.  strtol() with an end-pointer
 * and ERANGE check would reject malformed metrics instead of installing a
 * route with an unintended metric.  Whether ro->metric can originate from
 * a pushed option is not visible here -- TODO confirm against the caller. */
360 r
->metric
= atoi (ro
->metric
);
363 msg (M_WARN
, PACKAGE_NAME
" ROUTE: route metric for network %s (%s) must be >= 0",
368 r
->flags
|= RT_METRIC_DEFINED
;
370 else if (rl
->spec
.flags
& RTSA_DEFAULT_METRIC
)
372 r
->metric
= rl
->spec
.default_metric
;
373 r
->flags
|= RT_METRIC_DEFINED
;
/* everything needed for add_route() is now in place */
376 r
->flags
|= RT_DEFINED
;
381 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve route for host/network: %s",
/*
 * Resolve one --route-ipv6 option (r6o) into a concrete IPv6 route r6.
 *
 *   prefix:   parsed by get_ipv6_addr() into r6->network and r6->netbits;
 *             a failure is reported at M_WARN by that helper.
 *   gateway:  r6o->gateway parsed with inet_pton() only -- unlike the IPv4
 *             path there is no name resolution here -- else the list's
 *             IPv6 remote endpoint when defined, else a warning is logged.
 *   metric:   r6o->metric when given, else the list's default metric;
 *             r6->metric_defined records whether either applied.
 *
 * The return statements are not visible in this listing, so whether an
 * unparsable gateway aborts the route or merely warns cannot be confirmed
 * from here.
 */
387 init_route_ipv6 (struct route_ipv6
*r6
,
388 const struct route_ipv6_option
*r6o
,
389 const struct route_ipv6_list
*rl6
)
393 if ( !get_ipv6_addr( r6o
->prefix
, &r6
->network
, &r6
->netbits
, NULL
, M_WARN
))
397 if (is_route_parm_defined (r6o
->gateway
))
399 if ( inet_pton( AF_INET6
, r6o
->gateway
, &r6
->gateway
) != 1 )
/* NOTE: this message lacks the space after PACKAGE_NAME that the other
 * ROUTE6 messages carry; it is a runtime string and is left untouched */
401 msg( M_WARN
, PACKAGE_NAME
"ROUTE6: cannot parse gateway spec '%s'", r6o
->gateway
);
/* no explicit gateway: fall back to the IPv6 VPN endpoint if known */
404 else if (rl6
->remote_endpoint_defined
)
406 r6
->gateway
= rl6
->remote_endpoint_ipv6
;
410 msg (M_WARN
, PACKAGE_NAME
" ROUTE6: " PACKAGE_NAME
" needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options");
416 r6
->metric_defined
= false;
418 if (is_route_parm_defined (r6o
->metric
))
/* NOTE(review): same weakness as init_route(): atoi() accepts trailing
 * garbage and is undefined on overflow; only the ">= 0" warning below
 * checks the value.  strtol() with end-pointer/ERANGE checks would be
 * the safer parser. */
420 r6
->metric
= atoi (r6o
->metric
);
423 msg (M_WARN
, PACKAGE_NAME
" ROUTE: route metric for network %s (%s) must be >= 0",
428 r6
->metric_defined
= true;
430 else if (rl6
->default_metric_defined
)
432 r6
->metric
= rl6
->default_metric
;
433 r6
->metric_defined
= true;
441 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve route for host/network: %s",
448 add_route_to_option_list (struct route_option_list
*l
,
454 struct route_option
*ro
;
455 if (l
->n
>= l
->capacity
)
456 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: cannot add more than %d routes -- please increase the max-routes option in the client configuration file",
458 ro
= &l
->routes
[l
->n
];
459 ro
->network
= network
;
460 ro
->netmask
= netmask
;
461 ro
->gateway
= gateway
;
467 add_route_ipv6_to_option_list (struct route_ipv6_option_list
*l
,
472 struct route_ipv6_option
*ro
;
473 if (l
->n
>= l
->capacity
)
474 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: cannot add more than %d IPv6 routes -- please increase the max-routes option in the client configuration file",
476 ro
= &l
->routes_ipv6
[l
->n
];
478 ro
->gateway
= gateway
;
/*
 * Reset rl to the empty state: zero the list header and all of its
 * capacity route slots, then restore the capacity field that the memset
 * wiped so the list stays usable for subsequent appends.
 */
484 clear_route_list (struct route_list
*rl
)
486 const int capacity
= rl
->capacity
;
487 const size_t rl_size
= array_mult_safe (sizeof(struct route
), capacity
, sizeof(struct route_list
));
488 memset(rl
, 0, rl_size
);
489 rl
->capacity
= capacity
;
/*
 * IPv6 counterpart of clear_route_list(): zero the header and all
 * capacity route_ipv6 slots of rl6, then put the capacity back.
 */
493 clear_route_ipv6_list (struct route_ipv6_list
*rl6
)
495 const int capacity
= rl6
->capacity
;
496 const size_t rl6_size
= array_mult_safe (sizeof(struct route_ipv6
), capacity
, sizeof(struct route_ipv6_list
));
497 memset(rl6
, 0, rl6_size
);
498 rl6
->capacity
= capacity
;
502 route_list_add_vpn_gateway (struct route_list
*rl
,
504 const in_addr_t addr
)
506 rl
->spec
.remote_endpoint
= addr
;
507 rl
->spec
.flags
|= RTSA_REMOTE_ENDPOINT
;
508 setenv_route_addr (es
, "vpn_gateway", rl
->spec
.remote_endpoint
, -1);
/*
 * Append two "blocking" routes to rl that together cover the subnet
 * described by gateway (addr/netmask): the subnet is split into its two
 * halves (l2 = half the subnet size), each of which is one bit more
 * specific than the interface's own connected route and therefore wins
 * longest-prefix matching against it.  The third parameter (the target
 * these routes are directed at, line 514) and the assignments of
 * r.gateway / r.netmask / the second half's network are not visible in
 * this listing; callers pass rl->spec.remote_endpoint, so local-subnet
 * traffic ends up steered into the tunnel.
 *
 * Nothing is added -- silently -- unless the default-gateway info carries
 * an address and netmask, and rl has room for two more entries.
 *
 * NOTE(review): the netmask guard tests rl->rgi.gateway.netmask, but the
 * split below uses gateway->netmask.  add_block_local() also calls this
 * with the interface's additional subnets (gwa), which the guard does not
 * look at; for a /32 the expression (~netmask + 1) >> 1 yields 0 and both
 * generated routes collapse onto the same network.  A /0 netmask gives the
 * same result, since ~0 + 1 wraps to 0 (assuming 32-bit in_addr_t
 * arithmetic).  Checking gateway->netmask here would close both cases.
 */
512 add_block_local_item (struct route_list
*rl
,
513 const struct route_gateway_address
*gateway
,
516 const int rgi_needed
= (RGI_ADDR_DEFINED
|RGI_NETMASK_DEFINED
);
517 if ((rl
->rgi
.flags
& rgi_needed
) == rgi_needed
518 && rl
->rgi
.gateway
.netmask
< 0xFFFFFFFF
519 && (rl
->n
)+2 <= rl
->capacity
)
524 /* split a route into two smaller blocking routes, and direct them to target */
526 r
.flags
= RT_DEFINED
;
/* network base of the subnet being blocked */
528 r
.network
= gateway
->addr
& gateway
->netmask
;
/* half the subnet size: ~netmask + 1 is the number of addresses */
529 l2
= ((~gateway
->netmask
)+1)>>1;
531 rl
->routes
[rl
->n
++] = r
;
533 rl
->routes
[rl
->n
++] = r
;
/*
 * Implement the "block-local" behaviour for a redirected default gateway:
 * keep the local default gateway itself reachable (via a bypass entry)
 * while blocking the local subnet(s) by pushing their traffic into the
 * tunnel through add_block_local_item().
 *
 * Runs only when all of the following hold:
 *   - RG_BLOCK_LOCAL is set in rl->flags,
 *   - the default-gateway info has an address and a netmask,
 *   - the VPN remote endpoint is defined (it is the target of the
 *     blocking routes), and
 *   - the VPN server was not classified as being on the local subnet
 *     (TLA_LOCAL) -- presumably because blocking that subnet would cut
 *     off the tunnel itself.
 */
538 add_block_local (struct route_list
*rl
)
540 const int rgi_needed
= (RGI_ADDR_DEFINED
|RGI_NETMASK_DEFINED
);
541 if ((rl
->flags
& RG_BLOCK_LOCAL
)
542 && (rl
->rgi
.flags
& rgi_needed
) == rgi_needed
543 && (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
)
544 && rl
->spec
.remote_host_local
!= TLA_LOCAL
)
548 /* add bypass for gateway addr */
549 add_bypass_address (&rl
->spec
.bypass
, rl
->rgi
.gateway
.addr
);
551 /* block access to local subnet */
552 add_block_local_item (rl
, &rl
->rgi
.gateway
, rl
->spec
.remote_endpoint
);
554 /* process additional subnets on gateway interface */
555 for (i
= 0; i
< rl
->rgi
.n_addrs
; ++i
)
557 const struct route_gateway_address
*gwa
= &rl
->rgi
.addrs
[i
];
558 /* omit the addr/subnet in &rl->rgi which we processed above */
559 if (!((rl
->rgi
.gateway
.addr
& rl
->rgi
.gateway
.netmask
) == (gwa
->addr
& gwa
->netmask
)
560 && rl
->rgi
.gateway
.netmask
== gwa
->netmask
))
561 add_block_local_item (rl
, gwa
, rl
->spec
.remote_endpoint
);
567 init_route_list (struct route_list
*rl
,
568 const struct route_option_list
*opt
,
569 const char *remote_endpoint
,
571 in_addr_t remote_host
,
574 struct gc_arena gc
= gc_new ();
577 clear_route_list (rl
);
579 rl
->flags
= opt
->flags
;
583 rl
->spec
.remote_host
= remote_host
;
584 rl
->spec
.flags
|= RTSA_REMOTE_HOST
;
589 rl
->spec
.default_metric
= default_metric
;
590 rl
->spec
.flags
|= RTSA_DEFAULT_METRIC
;
593 get_default_gateway (&rl
->rgi
);
594 if (rl
->rgi
.flags
& RGI_ADDR_DEFINED
)
596 setenv_route_addr (es
, "net_gateway", rl
->rgi
.gateway
.addr
, -1);
598 print_default_gateway (D_ROUTE
, &rl
->rgi
);
603 dmsg (D_ROUTE
, "ROUTE: default_gateway=UNDEF");
606 if (rl
->spec
.flags
& RTSA_REMOTE_HOST
)
607 rl
->spec
.remote_host_local
= test_local_addr (remote_host
, &rl
->rgi
);
609 if (is_route_parm_defined (remote_endpoint
))
611 bool defined
= false;
612 rl
->spec
.remote_endpoint
= getaddr (
615 | GETADDR_WARN_ON_SIGNAL
,
623 setenv_route_addr (es
, "vpn_gateway", rl
->spec
.remote_endpoint
, -1);
624 rl
->spec
.flags
|= RTSA_REMOTE_ENDPOINT
;
628 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve default gateway: %s",
634 if (rl
->flags
& RG_ENABLE
)
636 add_block_local (rl
);
637 get_bypass_addresses (&rl
->spec
.bypass
, rl
->flags
);
639 print_bypass_addresses (&rl
->spec
.bypass
);
643 /* parse the routes from opt to rl */
648 for (i
= 0; i
< opt
->n
; ++i
)
650 struct addrinfo
* netlist
;
660 struct addrinfo
* curele
;
661 for (curele
= netlist
; curele
; curele
= curele
->ai_next
)
663 if (j
< rl
->capacity
)
665 r
.network
= ntohl(((struct sockaddr_in
*)(curele
)->ai_addr
)->sin_addr
.s_addr
);
672 msg (M_WARN
, PACKAGE_NAME
" ROUTE: routes dropped because number of expanded routes is greater than route list capacity (%d)", rl
->capacity
);
677 freeaddrinfo(netlist
);
688 init_route_ipv6_list (struct route_ipv6_list
*rl6
,
689 const struct route_ipv6_option_list
*opt6
,
690 const char *remote_endpoint
,
694 struct gc_arena gc
= gc_new ();
697 clear_route_ipv6_list (rl6
);
699 rl6
->flags
= opt6
->flags
;
701 if (default_metric
>= 0 )
703 rl6
->default_metric
= default_metric
;
704 rl6
->default_metric_defined
= true;
707 /* "default_gateway" is stuff for "redirect-gateway", which we don't
708 * do for IPv6 yet -> TODO
711 dmsg (D_ROUTE
, "ROUTE6: default_gateway=UNDEF");
714 if ( is_route_parm_defined( remote_endpoint
))
716 if ( inet_pton( AF_INET6
, remote_endpoint
,
717 &rl6
->remote_endpoint_ipv6
) == 1 )
719 rl6
->remote_endpoint_defined
= true;
723 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve default gateway: %s", remote_endpoint
);
728 rl6
->remote_endpoint_defined
= false;
731 if (!(opt6
->n
>= 0 && opt6
->n
<= rl6
->capacity
))
732 msg (M_FATAL
, PACKAGE_NAME
" ROUTE6: (init) number of route options (%d) is greater than route list capacity (%d)", opt6
->n
, rl6
->capacity
);
734 /* parse the routes from opt to rl6 */
737 for (i
= 0; i
< opt6
->n
; ++i
)
739 if (!init_route_ipv6 (&rl6
->routes_ipv6
[j
],
740 &opt6
->routes_ipv6
[i
],
754 add_route3 (in_addr_t network
,
757 const struct tuntap
*tt
,
759 const struct route_gateway_info
*rgi
,
760 const struct env_set
*es
)
764 r
.flags
= RT_DEFINED
;
768 add_route (&r
, tt
, flags
, rgi
, es
);
772 del_route3 (in_addr_t network
,
775 const struct tuntap
*tt
,
777 const struct route_gateway_info
*rgi
,
778 const struct env_set
*es
)
782 r
.flags
= RT_DEFINED
|RT_ADDED
;
786 delete_route (&r
, tt
, flags
, rgi
, es
);
790 add_bypass_routes (struct route_bypass
*rb
,
792 const struct tuntap
*tt
,
794 const struct route_gateway_info
*rgi
,
795 const struct env_set
*es
)
798 for (i
= 0; i
< rb
->n_bypass
; ++i
)
801 add_route3 (rb
->bypass
[i
],
805 flags
| ROUTE_REF_GW
,
812 del_bypass_routes (struct route_bypass
*rb
,
814 const struct tuntap
*tt
,
816 const struct route_gateway_info
*rgi
,
817 const struct env_set
*es
)
820 for (i
= 0; i
< rb
->n_bypass
; ++i
)
823 del_route3 (rb
->bypass
[i
],
827 flags
| ROUTE_REF_GW
,
834 redirect_default_route_to_vpn (struct route_list
*rl
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
836 const char err
[] = "NOTE: unable to redirect default gateway --";
838 if ( rl
&& rl
->flags
& RG_ENABLE
)
840 if (!(rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
))
842 msg (M_WARN
, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err
);
844 else if (!(rl
->rgi
.flags
& RGI_ADDR_DEFINED
))
846 msg (M_WARN
, "%s Cannot read current default gateway from system", err
);
848 else if (!(rl
->spec
.flags
& RTSA_REMOTE_HOST
))
850 msg (M_WARN
, "%s Cannot obtain current remote host address", err
);
854 bool local
= BOOL_CAST(rl
->flags
& RG_LOCAL
);
855 if (rl
->flags
& RG_AUTO_LOCAL
) {
856 const int tla
= rl
->spec
.remote_host_local
;
857 if (tla
== TLA_NONLOCAL
)
859 dmsg (D_ROUTE
, "ROUTE remote_host is NOT LOCAL");
862 else if (tla
== TLA_LOCAL
)
864 dmsg (D_ROUTE
, "ROUTE remote_host is LOCAL");
870 /* route remote host to original default gateway */
871 /* if remote_host is not ipv4 (ie: ipv6), just skip
872 * adding this special /32 route */
873 if (rl
->spec
.remote_host
!= IPV4_INVALID_ADDR
) {
874 add_route3 (rl
->spec
.remote_host
,
876 rl
->rgi
.gateway
.addr
,
878 flags
| ROUTE_REF_GW
,
881 rl
->iflags
|= RL_DID_LOCAL
;
883 dmsg (D_ROUTE
, "ROUTE remote_host protocol differs from tunneled");
887 /* route DHCP/DNS server traffic through original default gateway */
888 add_bypass_routes (&rl
->spec
.bypass
, rl
->rgi
.gateway
.addr
, tt
, flags
, &rl
->rgi
, es
);
890 if (rl
->flags
& RG_REROUTE_GW
)
892 if (rl
->flags
& RG_DEF1
)
894 /* add new default route (1st component) */
895 add_route3 (0x00000000,
897 rl
->spec
.remote_endpoint
,
903 /* add new default route (2nd component) */
904 add_route3 (0x80000000,
906 rl
->spec
.remote_endpoint
,
914 /* delete default route */
917 rl
->rgi
.gateway
.addr
,
919 flags
| ROUTE_REF_GW
,
923 /* add new default route */
926 rl
->spec
.remote_endpoint
,
934 /* set a flag so we can undo later */
935 rl
->iflags
|= RL_DID_REDIRECT_DEFAULT_GATEWAY
;
941 undo_redirect_default_route_to_vpn (struct route_list
*rl
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
943 if ( rl
&& rl
->iflags
& RL_DID_REDIRECT_DEFAULT_GATEWAY
)
945 /* delete remote host route */
946 if (rl
->iflags
& RL_DID_LOCAL
)
948 del_route3 (rl
->spec
.remote_host
,
950 rl
->rgi
.gateway
.addr
,
952 flags
| ROUTE_REF_GW
,
955 rl
->iflags
&= ~RL_DID_LOCAL
;
958 /* delete special DHCP/DNS bypass route */
959 del_bypass_routes (&rl
->spec
.bypass
, rl
->rgi
.gateway
.addr
, tt
, flags
, &rl
->rgi
, es
);
961 if (rl
->flags
& RG_REROUTE_GW
)
963 if (rl
->flags
& RG_DEF1
)
965 /* delete default route (1st component) */
966 del_route3 (0x00000000,
968 rl
->spec
.remote_endpoint
,
974 /* delete default route (2nd component) */
975 del_route3 (0x80000000,
977 rl
->spec
.remote_endpoint
,
985 /* delete default route */
988 rl
->spec
.remote_endpoint
,
994 /* restore original default route */
997 rl
->rgi
.gateway
.addr
,
999 flags
| ROUTE_REF_GW
,
1005 rl
->iflags
&= ~RL_DID_REDIRECT_DEFAULT_GATEWAY
;
1010 add_routes (struct route_list
*rl
, struct route_ipv6_list
*rl6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1012 redirect_default_route_to_vpn (rl
, tt
, flags
, es
);
1013 if ( rl
&& !(rl
->iflags
& RL_ROUTES_ADDED
) )
1017 #ifdef ENABLE_MANAGEMENT
1018 if (management
&& rl
->n
)
1020 management_set_state (management
,
1021 OPENVPN_STATE_ADD_ROUTES
,
1028 for (i
= 0; i
< rl
->n
; ++i
)
1030 struct route
*r
= &rl
->routes
[i
];
1031 check_subnet_conflict (r
->network
, r
->netmask
, "route");
1032 if (flags
& ROUTE_DELETE_FIRST
)
1033 delete_route (r
, tt
, flags
, &rl
->rgi
, es
);
1034 add_route (r
, tt
, flags
, &rl
->rgi
, es
);
1036 rl
->iflags
|= RL_ROUTES_ADDED
;
1038 if (rl6
&& !rl6
->routes_added
)
1042 for (i
= 0; i
< rl6
->n
; ++i
)
1044 struct route_ipv6
*r
= &rl6
->routes_ipv6
[i
];
1045 if (flags
& ROUTE_DELETE_FIRST
)
1046 delete_route_ipv6 (r
, tt
, flags
, es
);
1047 add_route_ipv6 (r
, tt
, flags
, es
);
1049 rl6
->routes_added
= true;
1054 delete_routes (struct route_list
*rl
, struct route_ipv6_list
*rl6
,
1055 const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1057 if ( rl
&& rl
->iflags
& RL_ROUTES_ADDED
)
1060 for (i
= rl
->n
- 1; i
>= 0; --i
)
1062 struct route
* r
= &rl
->routes
[i
];
1063 delete_route (r
, tt
, flags
, &rl
->rgi
, es
);
1065 rl
->iflags
&= ~RL_ROUTES_ADDED
;
1068 undo_redirect_default_route_to_vpn (rl
, tt
, flags
, es
);
1072 clear_route_list (rl
);
1075 if ( rl6
&& rl6
->routes_added
)
1078 for (i
= rl6
->n
- 1; i
>= 0; --i
)
1080 const struct route_ipv6
*r6
= &rl6
->routes_ipv6
[i
];
1081 delete_route_ipv6 (r6
, tt
, flags
, es
);
1083 rl6
->routes_added
= false;
1088 clear_route_ipv6_list (rl6
);
1095 show_opt (const char *option
)
1104 print_route_option (const struct route_option
*ro
, int level
)
1106 msg (level
, " route %s/%s/%s/%s",
1107 show_opt (ro
->network
),
1108 show_opt (ro
->netmask
),
1109 show_opt (ro
->gateway
),
1110 show_opt (ro
->metric
));
1114 print_route_options (const struct route_option_list
*rol
,
1118 if (rol
->flags
& RG_ENABLE
)
1119 msg (level
, " [redirect_default_gateway local=%d]",
1120 (rol
->flags
& RG_LOCAL
) != 0);
1121 for (i
= 0; i
< rol
->n
; ++i
)
1122 print_route_option (&rol
->routes
[i
], level
);
1126 print_default_gateway(const int msglevel
, const struct route_gateway_info
*rgi
)
1128 struct gc_arena gc
= gc_new ();
1129 if (rgi
->flags
& RGI_ADDR_DEFINED
)
1131 struct buffer out
= alloc_buf_gc (256, &gc
);
1132 buf_printf (&out
, "ROUTE_GATEWAY");
1133 if (rgi
->flags
& RGI_ON_LINK
)
1134 buf_printf (&out
, " ON_LINK");
1136 buf_printf (&out
, " %s", print_in_addr_t (rgi
->gateway
.addr
, 0, &gc
));
1137 if (rgi
->flags
& RGI_NETMASK_DEFINED
)
1138 buf_printf (&out
, "/%s", print_in_addr_t (rgi
->gateway
.netmask
, 0, &gc
));
1140 if (rgi
->flags
& RGI_IFACE_DEFINED
)
1141 buf_printf (&out
, " I=%u", (unsigned int)rgi
->adapter_index
);
1143 if (rgi
->flags
& RGI_IFACE_DEFINED
)
1144 buf_printf (&out
, " IFACE=%s", rgi
->iface
);
1146 if (rgi
->flags
& RGI_HWADDR_DEFINED
)
1147 buf_printf (&out
, " HWADDR=%s", format_hex_ex (rgi
->hwaddr
, 6, 0, 1, ":", &gc
));
1148 msg (msglevel
, "%s", BSTR (&out
));
1156 print_route (const struct route
*r
, int level
)
1158 struct gc_arena gc
= gc_new ();
1159 if (r
->flags
& RT_DEFINED
)
1160 msg (level
, "%s", route_string (r
, &gc
));
1165 print_routes (const struct route_list
*rl
, int level
)
1168 for (i
= 0; i
< rl
->n
; ++i
)
1169 print_route (&rl
->routes
[i
], level
);
1173 setenv_route (struct env_set
*es
, const struct route
*r
, int i
)
1175 struct gc_arena gc
= gc_new ();
1176 if (r
->flags
& RT_DEFINED
)
1178 setenv_route_addr (es
, "network", r
->network
, i
);
1179 setenv_route_addr (es
, "netmask", r
->netmask
, i
);
1180 setenv_route_addr (es
, "gateway", r
->gateway
, i
);
1182 if (r
->flags
& RT_METRIC_DEFINED
)
1184 struct buffer name
= alloc_buf_gc (256, &gc
);
1185 buf_printf (&name
, "route_metric_%d", i
);
1186 setenv_int (es
, BSTR (&name
), r
->metric
);
1193 setenv_routes (struct env_set
*es
, const struct route_list
*rl
)
1196 for (i
= 0; i
< rl
->n
; ++i
)
1197 setenv_route (es
, &rl
->routes
[i
], i
+ 1);
1201 setenv_route_ipv6 (struct env_set
*es
, const struct route_ipv6
*r6
, int i
)
1203 struct gc_arena gc
= gc_new ();
1206 struct buffer name1
= alloc_buf_gc( 256, &gc
);
1207 struct buffer val
= alloc_buf_gc( 256, &gc
);
1208 struct buffer name2
= alloc_buf_gc( 256, &gc
);
1210 buf_printf( &name1
, "route_ipv6_network_%d", i
);
1211 buf_printf( &val
, "%s/%d", print_in6_addr( r6
->network
, 0, &gc
),
1213 setenv_str( es
, BSTR(&name1
), BSTR(&val
) );
1215 buf_printf( &name2
, "route_ipv6_gateway_%d", i
);
1216 setenv_str( es
, BSTR(&name2
), print_in6_addr( r6
->gateway
, 0, &gc
));
1221 setenv_routes_ipv6 (struct env_set
*es
, const struct route_ipv6_list
*rl6
)
1224 for (i
= 0; i
< rl6
->n
; ++i
)
1225 setenv_route_ipv6 (es
, &rl6
->routes_ipv6
[i
], i
+ 1);
1229 * local_route() determines whether the gateway of a provided host
1230 * route is on the same interface that owns the default gateway.
1231 * It uses the data structure
1232 * returned by get_default_gateway() (struct route_gateway_info)
1233 * to determine this. If the route is local, LR_MATCH is returned.
1234 * When adding routes into the kernel, if LR_MATCH is defined for
1235 * a given route, the route should explicitly reference the default
1236 * gateway interface as the route destination.  For example, on
1237 * Linux a route flagged LR_MATCH is installed as:
1239 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1241 * This capability is needed by the "default-gateway block-local"
1242 * directive, to allow client access to the local subnet to be
1243 * blocked but still allow access to the local default gateway.
1246 /* local_route() return values */
1247 #define LR_NOMATCH 0 /* route is not local */
1248 #define LR_MATCH 1 /* route is local */
1249 #define LR_ERROR 2 /* caller should abort adding route */
/*
 * Classify a route as LR_MATCH (local), LR_NOMATCH or LR_ERROR; see the
 * comment block above for why callers care.  A route can only be local
 * when it is a host route (netmask 0xFFFFFFFF) whose gateway is the
 * system default gateway and whose destination lies on the default
 * gateway interface's primary subnet or one of its additional subnets;
 * the address/netmask/iface information must all be present in rgi.
 *
 * The parameters netmask and gateway (lines 1253-1254), the first operand
 * of the condition (line 1259 -- presumably the rgi NULL check, since
 * add_route() documents rgi as "may be NULL") and the return statements
 * are not visible in this listing.
 */
1252 local_route (in_addr_t network
,
1255 const struct route_gateway_info
*rgi
)
1257 /* set LR_MATCH on local host routes */
1258 const int rgi_needed
= (RGI_ADDR_DEFINED
|RGI_NETMASK_DEFINED
|RGI_IFACE_DEFINED
);
&& (rgi
->flags
& rgi_needed
) == rgi_needed
1261 && gateway
== rgi
->gateway
.addr
1262 && netmask
== 0xFFFFFFFF)
/* destination on the same subnet as the default gateway address? */
1264 if (((network
^ rgi
->gateway
.addr
) & rgi
->gateway
.netmask
) == 0)
1268 /* examine additional subnets on gateway interface */
1270 for (i
= 0; i
< rgi
->n_addrs
; ++i
)
1272 const struct route_gateway_address
*gwa
= &rgi
->addrs
[i
];
1273 if (((network
^ gwa
->addr
) & gwa
->netmask
) == 0)
1281 /* Return true if the "on-link" form of the route should be used. This is when the gateway for a
1282 a route is specified as an interface rather than an address. */
/*
 * Decide whether the route should be installed in its "on-link" form
 * (gateway given as an interface rather than an address): true for a
 * local host route (LR_MATCH), or when the caller asked to reference the
 * default gateway (ROUTE_REF_GW) and that gateway is itself on-link.
 * Returns false for a NULL rgi, which is what lets add_route() safely
 * dereference rgi->iface / rgi->adapter_index only after this check.
 */
1284 is_on_link (const int is_local_route
, const unsigned int flags
, const struct route_gateway_info
*rgi
)
1286 return rgi
&& (is_local_route
== LR_MATCH
|| ((flags
& ROUTE_REF_GW
) && (rgi
->flags
& RGI_ON_LINK
)));
1290 add_route (struct route
*r
,
1291 const struct tuntap
*tt
,
1293 const struct route_gateway_info
*rgi
, /* may be NULL */
1294 const struct env_set
*es
)
1298 const char *network
;
1299 const char *netmask
;
1300 const char *gateway
;
1301 bool status
= false;
1304 if (!(r
->flags
& RT_DEFINED
))
1310 network
= print_in_addr_t (r
->network
, 0, &gc
);
1311 netmask
= print_in_addr_t (r
->netmask
, 0, &gc
);
1312 gateway
= print_in_addr_t (r
->gateway
, 0, &gc
);
1314 is_local_route
= local_route(r
->network
, r
->netmask
, r
->gateway
, rgi
);
1315 if (is_local_route
== LR_ERROR
)
1318 #if defined(TARGET_LINUX)
1319 #ifdef ENABLE_IPROUTE
1320 /* FIXME -- add on-link support for ENABLE_IPROUTE */
1321 argv_printf (&argv
, "%s route add %s/%d via %s",
1324 count_netmask_bits(netmask
),
1326 if (r
->flags
& RT_METRIC_DEFINED
)
1327 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1330 argv_printf (&argv
, "%s add -net %s netmask %s",
1334 if (r
->flags
& RT_METRIC_DEFINED
)
1335 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1336 if (is_on_link (is_local_route
, flags
, rgi
))
1337 argv_printf_cat (&argv
, "dev %s", rgi
->iface
);
1339 argv_printf_cat (&argv
, "gw %s", gateway
);
1341 #endif /*ENABLE_IPROUTE*/
1342 argv_msg (D_ROUTE
, &argv
);
1343 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route add command failed");
1345 #elif defined (WIN32)
1347 DWORD ai
= TUN_ADAPTER_INDEX_INVALID
;
1348 argv_printf (&argv
, "%s%sc ADD %s MASK %s %s",
1350 WIN_ROUTE_PATH_SUFFIX
,
1354 if (r
->flags
& RT_METRIC_DEFINED
)
1355 argv_printf_cat (&argv
, "METRIC %d", r
->metric
);
1356 if (is_on_link (is_local_route
, flags
, rgi
))
1358 ai
= rgi
->adapter_index
;
1359 argv_printf_cat (&argv
, "IF %u", (unsigned int)ai
);
1362 argv_msg (D_ROUTE
, &argv
);
1364 if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_IPAPI
)
1366 status
= add_route_ipapi (r
, tt
, ai
);
1367 msg (D_ROUTE
, "Route addition via IPAPI %s", status
? "succeeded" : "failed");
1369 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_EXE
)
1371 netcmd_semaphore_lock ();
1372 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add command failed");
1373 netcmd_semaphore_release ();
1375 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_ADAPTIVE
)
1377 status
= add_route_ipapi (r
, tt
, ai
);
1378 msg (D_ROUTE
, "Route addition via IPAPI %s [adaptive]", status
? "succeeded" : "failed");
1381 msg (D_ROUTE
, "Route addition fallback to route.exe");
1382 netcmd_semaphore_lock ();
1383 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add command failed [adaptive]");
1384 netcmd_semaphore_release ();
1393 #elif defined (TARGET_SOLARIS)
1395 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1397 argv_printf (&argv
, "%s add",
1401 if (r
->flags
& RT_METRIC_DEFINED
)
1402 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1405 argv_printf_cat (&argv
, "%s -netmask %s %s",
1410 /* FIXME -- add on-link support for Solaris */
1412 argv_msg (D_ROUTE
, &argv
);
1413 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route add command failed");
1415 #elif defined(TARGET_FREEBSD)
1417 argv_printf (&argv
, "%s add",
1421 if (r
->flags
& RT_METRIC_DEFINED
)
1422 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1425 argv_printf_cat (&argv
, "-net %s %s %s",
1430 /* FIXME -- add on-link support for FreeBSD */
1432 argv_msg (D_ROUTE
, &argv
);
1433 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: FreeBSD route add command failed");
1435 #elif defined(TARGET_DRAGONFLY)
1437 argv_printf (&argv
, "%s add",
1441 if (r
->flags
& RT_METRIC_DEFINED
)
1442 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1445 argv_printf_cat (&argv
, "-net %s %s %s",
1450 /* FIXME -- add on-link support for Dragonfly */
1452 argv_msg (D_ROUTE
, &argv
);
1453 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: DragonFly route add command failed");
1455 #elif defined(TARGET_DARWIN)
1457 argv_printf (&argv
, "%s add",
1461 if (r
->flags
& RT_METRIC_DEFINED
)
1462 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1465 if (is_on_link (is_local_route
, flags
, rgi
))
1467 /* Mac OS X route syntax for ON_LINK:
1468 route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1469 argv_printf_cat (&argv
, "-cloning -net %s -netmask %s -interface %s",
1476 argv_printf_cat (&argv
, "-net %s %s %s",
1482 argv_msg (D_ROUTE
, &argv
);
1483 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OS X route add command failed");
1485 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1487 argv_printf (&argv
, "%s add",
1491 if (r
->flags
& RT_METRIC_DEFINED
)
1492 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1495 argv_printf_cat (&argv
, "-net %s %s -netmask %s",
1500 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1502 argv_msg (D_ROUTE
, &argv
);
1503 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1506 msg (M_FATAL
, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1511 r
->flags
|= RT_ADDED
;
1513 r
->flags
&= ~RT_ADDED
;
/*
 * Format an IPv6 network address with its host bits zeroed, i.e. the
 * first netbits bits of network_copy are kept and the remaining
 * 128 - netbits bits are cleared, working upward from the last octet.
 * The address is taken by value, so the caller's copy is not modified.
 * The declaration of byte (line 1529) is not visible here; it is
 * presumably initialised to 15, the index of the last octet.
 * For netbits >= 128 nothing is cleared (bits_to_clear <= 0); in the
 * partial-octet branch bits_to_clear is in 1..7, so the shift is
 * well-defined and the mask keeps the high-order network bits.
 */
1520 print_in6_addr_netbits_only( struct in6_addr network_copy
, int netbits
,
1521 struct gc_arena
* gc
)
1523 /* clear host bit parts of route
1524 * (needed if routes are specified improperly, or if we need to
1525 * explicitly setup/clear the "connected" network routes on some OSes)
1528 int bits_to_clear
= 128 - netbits
;
1530 while( byte
>= 0 && bits_to_clear
> 0 )
/* whole octets of host bits are zeroed outright */
1532 if ( bits_to_clear
>= 8 )
1533 { network_copy
.s6_addr
[byte
--] = 0; bits_to_clear
-= 8; }
/* last, partial octet: keep only the bits above the boundary */
1535 { network_copy
.s6_addr
[byte
--] &= (0xff << bits_to_clear
); bits_to_clear
= 0; }
1538 return print_in6_addr( network_copy
, 0, gc
);
1542 add_route_ipv6 (struct route_ipv6
*r6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1547 const char *network
;
1548 const char *gateway
;
1549 bool status
= false;
1550 const char *device
= tt
->actual_name
;
1552 bool gateway_needed
= false;
1560 network
= print_in6_addr_netbits_only( r6
->network
, r6
->netbits
, &gc
);
1561 gateway
= print_in6_addr( r6
->gateway
, 0, &gc
);
1565 msg( M_INFO
, "add_route_ipv6(): not adding %s/%d, no IPv6 on if %s",
1566 network
, r6
->netbits
, device
);
1570 msg( M_INFO
, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1571 network
, r6
->netbits
, gateway
, r6
->metric
, device
);
1574 * Filter out routes which are essentially no-ops
1575 * (not currently done for IPv6)
1578 /* On "tun" interface, we never set a gateway if the operating system
1579 * can do "route to interface" - it does not add value, as the target
1580 * dev already fully qualifies the route destination on point-to-point
1581 * interfaces. OTOH, on "tap" interface, we must always set the
1582 * gateway unless the route is to be an on-link network
1584 if ( tt
->type
== DEV_TYPE_TAP
&&
1585 !(r6
->metric_defined
&& r6
->metric
== 0 ) )
1587 gateway_needed
= true;
1590 #if defined(TARGET_LINUX)
1591 #ifdef ENABLE_IPROUTE
1592 argv_printf (&argv
, "%s -6 route add %s/%d dev %s",
1598 argv_printf_cat (&argv
, "via %s", gateway
);
1599 if (r6
->metric_defined
&& r6
->metric
> 0 )
1600 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1603 argv_printf (&argv
, "%s -A inet6 add %s/%d dev %s",
1609 argv_printf_cat (&argv
, "gw %s", gateway
);
1610 if (r6
->metric_defined
&& r6
->metric
> 0 )
1611 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1612 #endif /*ENABLE_IPROUTE*/
1613 argv_msg (D_ROUTE
, &argv
);
1614 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route -6/-A inet6 add command failed");
1616 #elif defined (WIN32)
1618 /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */
1619 argv_printf (&argv
, "%s%sc interface ipv6 add route %s/%d %s",
1626 /* next-hop depends on TUN or TAP mode:
1627 * - in TAP mode, we use the "real" next-hop
1628 * - in TUN mode we use a special-case link-local address that the tapdrvr
1629 * knows about and will answer ND (neighbor discovery) packets for
1631 if ( tt
->type
== DEV_TYPE_TUN
)
1632 argv_printf_cat( &argv
, " %s", "fe80::8" );
1634 argv_printf_cat( &argv
, " %s", gateway
);
1637 if (r
->metric_defined
)
1638 argv_printf_cat (&argv
, " METRIC %d", r
->metric
);
1641 /* in some versions of Windows, routes are persistent across reboots by
1642 * default, unless "store=active" is set (pointed out by Tony Lim, thanks)
1644 argv_printf_cat( &argv
, " store=active" );
1646 argv_msg (D_ROUTE
, &argv
);
1648 netcmd_semaphore_lock ();
1649 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add ipv6 command failed");
1650 netcmd_semaphore_release ();
1652 #elif defined (TARGET_SOLARIS)
1654 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1656 /* for some weird reason, this does not work for me unless I set
1657 * "metric 0" - otherwise, the routes will be nicely installed, but
1658 * packets will just disappear somewhere. So we use "0" now...
1661 argv_printf (&argv
, "%s add -inet6 %s/%d %s 0",
1667 argv_msg (D_ROUTE
, &argv
);
1668 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route add -inet6 command failed");
1670 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1672 argv_printf (&argv
, "%s add -inet6 %s/%d",
1678 argv_printf_cat (&argv
, "%s", gateway
);
1680 argv_printf_cat (&argv
, "-iface %s", device
);
1682 argv_msg (D_ROUTE
, &argv
);
1683 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: *BSD route add -inet6 command failed");
1685 #elif defined(TARGET_DARWIN)
1687 argv_printf (&argv
, "%s add -inet6 %s -prefixlen %d",
1689 network
, r6
->netbits
);
1692 argv_printf_cat (&argv
, "%s", gateway
);
1694 argv_printf_cat (&argv
, "-iface %s", device
);
1696 argv_msg (D_ROUTE
, &argv
);
1697 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: MacOS X route add -inet6 command failed");
1699 #elif defined(TARGET_OPENBSD)
1701 argv_printf (&argv
, "%s add -inet6 %s -prefixlen %d %s",
1703 network
, r6
->netbits
, gateway
);
1705 argv_msg (D_ROUTE
, &argv
);
1706 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD route add -inet6 command failed");
1708 #elif defined(TARGET_NETBSD)
1710 argv_printf (&argv
, "%s add -inet6 %s/%d %s",
1712 network
, r6
->netbits
, gateway
);
1714 argv_msg (D_ROUTE
, &argv
);
1715 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: NetBSD route add -inet6 command failed");
1718 msg (M_FATAL
, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
1721 r6
->defined
= status
;
1727 delete_route (struct route
*r
,
1728 const struct tuntap
*tt
,
1730 const struct route_gateway_info
*rgi
,
1731 const struct env_set
*es
)
1735 const char *network
;
1736 const char *netmask
;
1737 const char *gateway
;
1740 if ((r
->flags
& (RT_DEFINED
|RT_ADDED
)) != (RT_DEFINED
|RT_ADDED
))
1746 network
= print_in_addr_t (r
->network
, 0, &gc
);
1747 netmask
= print_in_addr_t (r
->netmask
, 0, &gc
);
1748 gateway
= print_in_addr_t (r
->gateway
, 0, &gc
);
1750 is_local_route
= local_route(r
->network
, r
->netmask
, r
->gateway
, rgi
);
1751 if (is_local_route
== LR_ERROR
)
1754 #if defined(TARGET_LINUX)
1755 #ifdef ENABLE_IPROUTE
1756 argv_printf (&argv
, "%s route del %s/%d",
1759 count_netmask_bits(netmask
));
1761 argv_printf (&argv
, "%s del -net %s netmask %s",
1765 #endif /*ENABLE_IPROUTE*/
1766 if (r
->flags
& RT_METRIC_DEFINED
)
1767 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1768 argv_msg (D_ROUTE
, &argv
);
1769 openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route delete command failed");
1771 #elif defined (WIN32)
1773 argv_printf (&argv
, "%s%sc DELETE %s MASK %s %s",
1775 WIN_ROUTE_PATH_SUFFIX
,
1780 argv_msg (D_ROUTE
, &argv
);
1782 if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_IPAPI
)
1784 const bool status
= del_route_ipapi (r
, tt
);
1785 msg (D_ROUTE
, "Route deletion via IPAPI %s", status
? "succeeded" : "failed");
1787 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_EXE
)
1789 netcmd_semaphore_lock ();
1790 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route delete command failed");
1791 netcmd_semaphore_release ();
1793 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_ADAPTIVE
)
1795 const bool status
= del_route_ipapi (r
, tt
);
1796 msg (D_ROUTE
, "Route deletion via IPAPI %s [adaptive]", status
? "succeeded" : "failed");
1799 msg (D_ROUTE
, "Route deletion fallback to route.exe");
1800 netcmd_semaphore_lock ();
1801 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route delete command failed [adaptive]");
1802 netcmd_semaphore_release ();
1810 #elif defined (TARGET_SOLARIS)
1812 argv_printf (&argv
, "%s delete %s -netmask %s %s",
1818 argv_msg (D_ROUTE
, &argv
);
1819 openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route delete command failed");
1821 #elif defined(TARGET_FREEBSD)
1823 argv_printf (&argv
, "%s delete -net %s %s %s",
1829 argv_msg (D_ROUTE
, &argv
);
1830 openvpn_execve_check (&argv
, es
, 0, "ERROR: FreeBSD route delete command failed");
1832 #elif defined(TARGET_DRAGONFLY)
1834 argv_printf (&argv
, "%s delete -net %s %s %s",
1840 argv_msg (D_ROUTE
, &argv
);
1841 openvpn_execve_check (&argv
, es
, 0, "ERROR: DragonFly route delete command failed");
1843 #elif defined(TARGET_DARWIN)
1845 if (is_on_link (is_local_route
, flags
, rgi
))
1847 argv_printf (&argv
, "%s delete -cloning -net %s -netmask %s -interface %s",
1855 argv_printf (&argv
, "%s delete -net %s %s %s",
1862 argv_msg (D_ROUTE
, &argv
);
1863 openvpn_execve_check (&argv
, es
, 0, "ERROR: OS X route delete command failed");
1865 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1867 argv_printf (&argv
, "%s delete -net %s %s -netmask %s",
1873 argv_msg (D_ROUTE
, &argv
);
1874 openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
1877 msg (M_FATAL
, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1881 r
->flags
&= ~RT_ADDED
;
/*
 * delete_route_ipv6 -- remove a previously added IPv6 route (r6) from the
 * system routing table by running the platform's route tool with an argument
 * vector built here (argv_printf / argv_printf_cat, then openvpn_execve_check).
 *
 * r6:    the route (network, netbits, gateway, metric) to remove
 * tt:    the tunnel device; tt->actual_name names the interface and tt->type
 *        (TUN vs TAP) selects how the next hop is passed to the tool
 * flags: route flags; not referenced by the code visible on this page
 * es:    environment handed to the spawned route command
 *
 * The per-OS branches differ only in command syntax; each logs the argv at
 * D_ROUTE before executing it.  The command's exit status is not propagated
 * to the caller in the visible code (contrast add_route_ipv6, which stores
 * it in r6->defined).
 */
1887 delete_route_ipv6 (const struct route_ipv6
*r6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1891 const char *network
;
1892 const char *gateway
;
1893 const char *device
= tt
->actual_name
;
1894 bool gateway_needed
= false;
/* network and gateway are rendered from already-parsed addresses
 * (print_in6_addr_netbits_only / print_in6_addr), so the strings that end up
 * in the command line are canonical address text, not raw configuration input. */
1902 network
= print_in6_addr_netbits_only( r6
->network
, r6
->netbits
, &gc
);
1903 gateway
= print_in6_addr( r6
->gateway
, 0, &gc
);
1907 msg( M_INFO
, "delete_route_ipv6(): not deleting %s/%d, no IPv6 on if %s",
1908 network
, r6
->netbits
, device
);
1912 msg( M_INFO
, "delete_route_ipv6(%s/%d)", network
, r6
->netbits
);
1914 /* if we used a gateway on "add route", we also need to specify it on
1915 * delete, otherwise some OSes will refuse to delete the route
1917 if ( tt
->type
== DEV_TYPE_TAP
&&
1918 !(r6
->metric_defined
&& r6
->metric
== 0 ) )
1920 gateway_needed
= true;
/* gateway_needed is presumably what gates the "via"/"gw" argument in the Linux
 * branch below; the conditional itself is not on this page -- assumed. */
1924 #if defined(TARGET_LINUX)
1925 #ifdef ENABLE_IPROUTE
1926 argv_printf (&argv
, "%s -6 route del %s/%d dev %s",
1932 argv_printf_cat (&argv
, "via %s", gateway
);
1934 argv_printf (&argv
, "%s -A inet6 del %s/%d dev %s",
1940 argv_printf_cat (&argv
, "gw %s", gateway
);
1941 if (r6
->metric_defined
&& r6
->metric
> 0 )
1942 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1943 #endif /*ENABLE_IPROUTE*/
1944 argv_msg (D_ROUTE
, &argv
);
1945 openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route -6/-A inet6 del command failed");
1947 #elif defined (WIN32)
1949 /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */
1950 argv_printf (&argv
, "%s%sc interface ipv6 delete route %s/%d %s",
1957 /* next-hop depends on TUN or TAP mode:
1958 * - in TAP mode, we use the "real" next-hop
1959 * - in TUN mode we use a special-case link-local address that the tapdrvr
1960 * knows about and will answer ND (neighbor discovery) packets for
1961 * (and "route deletion without specifying next-hop" does not work...)
1963 if ( tt
->type
== DEV_TYPE_TUN
)
1964 argv_printf_cat( &argv
, " %s", "fe80::8" );
1966 argv_printf_cat( &argv
, " %s", gateway
);
/* NOTE(review): the next statement reads r->metric_defined / r->metric, but
 * the only route parameter of this function is r6 (see the signature above).
 * Presumably this block is compiled out by a preprocessor guard that is not on
 * this page, or it would not build on WIN32 -- confirm, and use r6 if it is
 * live.  add_route_ipv6 has the same construct. */
1969 if (r
->metric_defined
)
1970 argv_printf_cat (&argv
, "METRIC %d", r
->metric
);
1973 argv_msg (D_ROUTE
, &argv
);
1975 netcmd_semaphore_lock ();
/* NOTE(review): the failure text below says "route add ipv6" although this is
 * the delete path (add_route_ipv6 uses the identical string).  A misleading
 * message sends whoever is debugging a route teardown to the wrong code. */
1976 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add ipv6 command failed");
1977 netcmd_semaphore_release ();
1979 #elif defined (TARGET_SOLARIS)
1981 /* example: route delete -inet6 2001:db8::/32 somegateway */
1982 /* GERT-TODO: this is untested, but should work */
1984 argv_printf (&argv
, "%s delete -inet6 %s/%d %s",
1990 argv_msg (D_ROUTE
, &argv
);
1991 openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route delete -inet6 command failed");
1993 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1995 argv_printf (&argv
, "%s delete -inet6 %s/%d",
2001 argv_printf_cat (&argv
, "%s", gateway
);
2003 argv_printf_cat (&argv
, "-iface %s", device
);
2005 argv_msg (D_ROUTE
, &argv
);
2006 openvpn_execve_check (&argv
, es
, 0, "ERROR: *BSD route delete -inet6 command failed");
2008 #elif defined(TARGET_DARWIN)
2010 argv_printf (&argv
, "%s delete -inet6 %s -prefixlen %d",
2012 network
, r6
->netbits
);
2015 argv_printf_cat (&argv
, "%s", gateway
);
2017 argv_printf_cat (&argv
, "-iface %s", device
);
2019 argv_msg (D_ROUTE
, &argv
);
2020 openvpn_execve_check (&argv
, es
, 0, "ERROR: MacOS X route delete -inet6 command failed");
2022 #elif defined(TARGET_OPENBSD)
2024 argv_printf (&argv
, "%s delete -inet6 %s -prefixlen %d %s",
2026 network
, r6
->netbits
, gateway
);
2028 argv_msg (D_ROUTE
, &argv
);
2029 openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2031 #elif defined(TARGET_NETBSD)
2033 argv_printf (&argv
, "%s delete -inet6 %s/%d %s",
2035 network
, r6
->netbits
, gateway
);
2037 argv_msg (D_ROUTE
, &argv
);
2038 openvpn_execve_check (&argv
, es
, 0, "ERROR: NetBSD route delete -inet6 command failed");
2041 msg (M_FATAL
, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2049 * The --redirect-gateway option requires OS-specific code below
2050 * to get the current default gateway.
2055 static const MIB_IPFORWARDTABLE
*
2056 get_windows_routing_table (struct gc_arena
*gc
)
2059 PMIB_IPFORWARDTABLE rt
= NULL
;
2062 status
= GetIpForwardTable (NULL
, &size
, TRUE
);
2063 if (status
== ERROR_INSUFFICIENT_BUFFER
)
2065 rt
= (PMIB_IPFORWARDTABLE
) gc_malloc (size
, false, gc
);
2066 status
= GetIpForwardTable (rt
, &size
, TRUE
);
2067 if (status
!= NO_ERROR
)
2069 msg (D_ROUTE
, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2070 strerror_win32 (status
, gc
),
2071 (unsigned int)status
);
2079 test_route (const IP_ADAPTER_INFO
*adapters
,
2080 const in_addr_t gateway
,
2084 DWORD i
= adapter_index_of_ip (adapters
, gateway
, &count
, NULL
);
2091 test_route_helper (bool *ret
,
2095 const IP_ADAPTER_INFO
*adapters
,
2096 const in_addr_t gateway
)
2101 c
= test_route (adapters
, gateway
, NULL
);
2111 * If we tried to add routes now, would we succeed?
2114 test_routes (const struct route_list
*rl
, const struct tuntap
*tt
)
2116 struct gc_arena gc
= gc_new ();
2117 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2122 bool adapter_up
= false;
2124 if (is_adapter_up (tt
, adapters
))
2132 for (i
= 0; i
< rl
->n
; ++i
)
2133 test_route_helper (&ret
, &count
, &good
, &ambig
, adapters
, rl
->routes
[i
].gateway
);
2135 if ((rl
->flags
& RG_ENABLE
) && (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
))
2136 test_route_helper (&ret
, &count
, &good
, &ambig
, adapters
, rl
->spec
.remote_endpoint
);
2140 msg (D_ROUTE
, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2146 adapter_up
? "up" : "down");
2152 static const MIB_IPFORWARDROW
*
2153 get_default_gateway_row (const MIB_IPFORWARDTABLE
*routes
)
2155 struct gc_arena gc
= gc_new ();
2156 DWORD lowest_metric
= MAXDWORD
;
2157 const MIB_IPFORWARDROW
*ret
= NULL
;
2163 for (i
= 0; i
< routes
->dwNumEntries
; ++i
)
2165 const MIB_IPFORWARDROW
*row
= &routes
->table
[i
];
2166 const in_addr_t net
= ntohl (row
->dwForwardDest
);
2167 const in_addr_t mask
= ntohl (row
->dwForwardMask
);
2168 const DWORD index
= row
->dwForwardIfIndex
;
2169 const DWORD metric
= row
->dwForwardMetric1
;
2171 dmsg (D_ROUTE_DEBUG
, "GDGR: route[%d] %s/%s i=%d m=%d",
2173 print_in_addr_t ((in_addr_t
) net
, 0, &gc
),
2174 print_in_addr_t ((in_addr_t
) mask
, 0, &gc
),
2178 if (!net
&& !mask
&& metric
< lowest_metric
)
2181 lowest_metric
= metric
;
2187 dmsg (D_ROUTE_DEBUG
, "GDGR: best=%d lm=%u", best
, (unsigned int)lowest_metric
);
2194 get_default_gateway (struct route_gateway_info
*rgi
)
2196 struct gc_arena gc
= gc_new ();
2198 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2199 const MIB_IPFORWARDTABLE
*routes
= get_windows_routing_table (&gc
);
2200 const MIB_IPFORWARDROW
*row
= get_default_gateway_row (routes
);
2202 const IP_ADAPTER_INFO
*ai
;
2208 rgi
->gateway
.addr
= ntohl (row
->dwForwardNextHop
);
2209 if (rgi
->gateway
.addr
)
2211 rgi
->flags
|= RGI_ADDR_DEFINED
;
2212 a_index
= adapter_index_of_ip (adapters
, rgi
->gateway
.addr
, NULL
, &rgi
->gateway
.netmask
);
2213 if (a_index
!= TUN_ADAPTER_INDEX_INVALID
)
2215 rgi
->adapter_index
= a_index
;
2216 rgi
->flags
|= (RGI_IFACE_DEFINED
|RGI_NETMASK_DEFINED
);
2217 ai
= get_adapter (adapters
, a_index
);
2220 memcpy (rgi
->hwaddr
, ai
->Address
, 6);
2221 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2231 windows_route_find_if_index (const struct route
*r
, const struct tuntap
*tt
)
2233 struct gc_arena gc
= gc_new ();
2234 DWORD ret
= TUN_ADAPTER_INDEX_INVALID
;
2236 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2237 const IP_ADAPTER_INFO
*tun_adapter
= get_tun_adapter (tt
, adapters
);
2238 bool on_tun
= false;
2240 /* first test on tun interface */
2241 if (is_ip_in_adapter_subnet (tun_adapter
, r
->gateway
, NULL
))
2243 ret
= tun_adapter
->Index
;
2247 else /* test on other interfaces */
2249 count
= test_route (adapters
, r
->gateway
, &ret
);
2254 msg (M_WARN
, "Warning: route gateway is not reachable on any active network adapters: %s",
2255 print_in_addr_t (r
->gateway
, 0, &gc
));
2256 ret
= TUN_ADAPTER_INDEX_INVALID
;
2260 msg (M_WARN
, "Warning: route gateway is ambiguous: %s (%d matches)",
2261 print_in_addr_t (r
->gateway
, 0, &gc
),
2263 ret
= TUN_ADAPTER_INDEX_INVALID
;
2266 dmsg (D_ROUTE_DEBUG
, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2276 add_route_ipapi (const struct route
*r
, const struct tuntap
*tt
, DWORD adapter_index
)
2278 struct gc_arena gc
= gc_new ();
2281 const DWORD if_index
= (adapter_index
== TUN_ADAPTER_INDEX_INVALID
) ? windows_route_find_if_index (r
, tt
) : adapter_index
;
2283 if (if_index
!= TUN_ADAPTER_INDEX_INVALID
)
2285 MIB_IPFORWARDROW fr
;
2287 fr
.dwForwardDest
= htonl (r
->network
);
2288 fr
.dwForwardMask
= htonl (r
->netmask
);
2289 fr
.dwForwardPolicy
= 0;
2290 fr
.dwForwardNextHop
= htonl (r
->gateway
);
2291 fr
.dwForwardIfIndex
= if_index
;
2292 fr
.dwForwardType
= 4; /* the next hop is not the final dest */
2293 fr
.dwForwardProto
= 3; /* PROTO_IP_NETMGMT */
2294 fr
.dwForwardAge
= 0;
2295 fr
.dwForwardNextHopAS
= 0;
2296 fr
.dwForwardMetric1
= (r
->flags
& RT_METRIC_DEFINED
) ? r
->metric
: 1;
2297 fr
.dwForwardMetric2
= METRIC_NOT_USED
;
2298 fr
.dwForwardMetric3
= METRIC_NOT_USED
;
2299 fr
.dwForwardMetric4
= METRIC_NOT_USED
;
2300 fr
.dwForwardMetric5
= METRIC_NOT_USED
;
2302 if ((r
->network
& r
->netmask
) != r
->network
)
2303 msg (M_WARN
, "Warning: address %s is not a network address in relation to netmask %s",
2304 print_in_addr_t (r
->network
, 0, &gc
),
2305 print_in_addr_t (r
->netmask
, 0, &gc
));
2307 status
= CreateIpForwardEntry (&fr
);
2309 if (status
== NO_ERROR
)
2313 /* failed, try increasing the metric to work around Vista issue */
2314 const unsigned int forward_metric_limit
= 2048; /* iteratively retry higher metrics up to this limit */
2316 for ( ; fr
.dwForwardMetric1
<= forward_metric_limit
; ++fr
.dwForwardMetric1
)
2318 /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2319 --redirect-gateway over RRAS seems to need this. */
2320 for (fr
.dwForwardType
= 4; fr
.dwForwardType
>= 3; --fr
.dwForwardType
)
2322 status
= CreateIpForwardEntry (&fr
);
2323 if (status
== NO_ERROR
)
2325 msg (D_ROUTE
, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2326 (unsigned int)fr
.dwForwardMetric1
,
2327 (unsigned int)fr
.dwForwardType
);
2331 else if (status
!= ERROR_BAD_ARGUMENTS
)
2337 if (status
!= NO_ERROR
)
2338 msg (M_WARN
, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]",
2339 strerror_win32 (status
, &gc
),
2340 (unsigned int)status
,
2341 (unsigned int)if_index
);
2350 del_route_ipapi (const struct route
*r
, const struct tuntap
*tt
)
2352 struct gc_arena gc
= gc_new ();
2355 const DWORD if_index
= windows_route_find_if_index (r
, tt
);
2357 if (if_index
!= TUN_ADAPTER_INDEX_INVALID
)
2359 MIB_IPFORWARDROW fr
;
2362 fr
.dwForwardDest
= htonl (r
->network
);
2363 fr
.dwForwardMask
= htonl (r
->netmask
);
2364 fr
.dwForwardPolicy
= 0;
2365 fr
.dwForwardNextHop
= htonl (r
->gateway
);
2366 fr
.dwForwardIfIndex
= if_index
;
2368 status
= DeleteIpForwardEntry (&fr
);
2370 if (status
== NO_ERROR
)
2373 msg (M_WARN
, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s",
2374 strerror_win32 (status
, &gc
));
2382 format_route_entry (const MIB_IPFORWARDROW
*r
, struct gc_arena
*gc
)
2384 struct buffer out
= alloc_buf_gc (256, gc
);
2385 buf_printf (&out
, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
2386 print_in_addr_t (r
->dwForwardDest
, IA_NET_ORDER
, gc
),
2387 print_in_addr_t (r
->dwForwardMask
, IA_NET_ORDER
, gc
),
2388 print_in_addr_t (r
->dwForwardNextHop
, IA_NET_ORDER
, gc
),
2389 (int)r
->dwForwardPolicy
,
2390 (int)r
->dwForwardIfIndex
,
2391 (int)r
->dwForwardType
,
2392 (int)r
->dwForwardProto
,
2393 (int)r
->dwForwardAge
,
2394 (int)r
->dwForwardNextHopAS
,
2395 (int)r
->dwForwardMetric1
,
2396 (int)r
->dwForwardMetric2
,
2397 (int)r
->dwForwardMetric3
,
2398 (int)r
->dwForwardMetric4
,
2399 (int)r
->dwForwardMetric5
);
2404 * Show current routing table
2407 show_routes (int msglev
)
2409 struct gc_arena gc
= gc_new ();
2412 const MIB_IPFORWARDTABLE
*rt
= get_windows_routing_table (&gc
);
2414 msg (msglev
, "SYSTEM ROUTING TABLE");
2417 for (i
= 0; i
< rt
->dwNumEntries
; ++i
)
2419 msg (msglev
, "%s", format_route_entry (&rt
->table
[i
], &gc
));
2425 #elif defined(TARGET_LINUX)
2428 get_default_gateway (struct route_gateway_info
*rgi
)
2430 struct gc_arena gc
= gc_new ();
2437 /* get default gateway IP addr */
2439 FILE *fp
= fopen ("/proc/net/route", "r");
2444 unsigned int lowest_metric
= UINT_MAX
;
2445 in_addr_t best_gw
= 0;
2447 while (fgets (line
, sizeof (line
), fp
) != NULL
)
2451 unsigned int net_x
= 0;
2452 unsigned int mask_x
= 0;
2453 unsigned int gw_x
= 0;
2454 unsigned int metric
= 0;
2455 unsigned int flags
= 0;
2458 const int np
= sscanf (line
, "%15s\t%x\t%x\t%x\t%*s\t%*s\t%d\t%x",
2465 if (np
== 6 && (flags
& IFF_UP
))
2467 const in_addr_t net
= ntohl (net_x
);
2468 const in_addr_t mask
= ntohl (mask_x
);
2469 const in_addr_t gw
= ntohl (gw_x
);
2471 if (!net
&& !mask
&& metric
< lowest_metric
)
2475 strcpy (best_name
, name
);
2476 lowest_metric
= metric
;
2486 rgi
->gateway
.addr
= best_gw
;
2487 rgi
->flags
|= RGI_ADDR_DEFINED
;
2488 if (!rgi
->gateway
.addr
&& best_name
[0])
2489 rgi
->flags
|= RGI_ON_LINK
;
2494 /* scan adapter list */
2495 if (rgi
->flags
& RGI_ADDR_DEFINED
)
2497 struct ifreq
*ifr
, *ifend
;
2498 in_addr_t addr
, netmask
;
2501 struct ifreq ifs
[20]; /* Maximum number of interfaces to scan */
2503 if ((sd
= socket (AF_INET
, SOCK_DGRAM
, 0)) < 0)
2505 msg (M_WARN
, "GDG: socket() failed");
2508 ifc
.ifc_len
= sizeof (ifs
);
2510 if (ioctl (sd
, SIOCGIFCONF
, &ifc
) < 0)
2512 msg (M_WARN
, "GDG: ioctl(SIOCGIFCONF) failed");
2516 /* scan through interface list */
2517 ifend
= ifs
+ (ifc
.ifc_len
/ sizeof (struct ifreq
));
2518 for (ifr
= ifc
.ifc_req
; ifr
< ifend
; ifr
++)
2520 if (ifr
->ifr_addr
.sa_family
== AF_INET
)
2522 /* get interface addr */
2523 addr
= ntohl(((struct sockaddr_in
*) &ifr
->ifr_addr
)->sin_addr
.s_addr
);
2525 /* get interface name */
2526 strncpynt (ifreq
.ifr_name
, ifr
->ifr_name
, sizeof (ifreq
.ifr_name
));
2528 /* check that the interface is up */
2529 if (ioctl (sd
, SIOCGIFFLAGS
, &ifreq
) < 0)
2531 if (!(ifreq
.ifr_flags
& IFF_UP
))
2534 if (rgi
->flags
& RGI_ON_LINK
)
2536 /* check that interface name of current interface
2537 matches interface name of best default route */
2538 if (strcmp(ifreq
.ifr_name
, best_name
))
2541 /* if point-to-point link, use remote addr as route gateway */
2542 if ((ifreq
.ifr_flags
& IFF_POINTOPOINT
) && ioctl (sd
, SIOCGIFDSTADDR
, &ifreq
) >= 0)
2544 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*) &ifreq
.ifr_addr
)->sin_addr
.s_addr
);
2545 if (rgi
->gateway
.addr
)
2546 rgi
->flags
&= ~RGI_ON_LINK
;
2552 /* get interface netmask */
2553 if (ioctl (sd
, SIOCGIFNETMASK
, &ifreq
) < 0)
2555 netmask
= ntohl(((struct sockaddr_in
*) &ifreq
.ifr_addr
)->sin_addr
.s_addr
);
2557 /* check that interface matches default route */
2558 if (((rgi
->gateway
.addr
^ addr
) & netmask
) != 0)
2562 rgi
->gateway
.netmask
= netmask
;
2563 rgi
->flags
|= RGI_NETMASK_DEFINED
;
2566 /* save iface name */
2567 strncpynt (rgi
->iface
, ifreq
.ifr_name
, sizeof(rgi
->iface
));
2568 rgi
->flags
|= RGI_IFACE_DEFINED
;
2570 /* now get the hardware address. */
2571 memset (&ifreq
.ifr_hwaddr
, 0, sizeof (struct sockaddr
));
2572 if (ioctl (sd
, SIOCGIFHWADDR
, &ifreq
) < 0)
2574 msg (M_WARN
, "GDG: SIOCGIFHWADDR(%s) failed", ifreq
.ifr_name
);
2577 memcpy (rgi
->hwaddr
, &ifreq
.ifr_hwaddr
.sa_data
, 6);
2578 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2591 #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
2593 #include <sys/types.h>
2594 #include <sys/socket.h>
2595 #include <netinet/in.h>
2597 /* all of this is taken from <net/route.h> in FreeBSD */
2599 #define RTA_GATEWAY 0x2
2600 #define RTA_NETMASK 0x4
2603 #define RTM_VERSION 5
2606 #define RTF_GATEWAY 0x2
2609 * These numbers are used by reliable protocols for determining
2610 * retransmission behavior and are included in the routing structure.
2613 u_long rmx_locks
; /* Kernel must leave these values alone */
2614 u_long rmx_mtu
; /* MTU for this path */
2615 u_long rmx_hopcount
; /* max hops expected */
2616 u_long rmx_expire
; /* lifetime for route, e.g. redirect */
2617 u_long rmx_recvpipe
; /* inbound delay-bandwidth product */
2618 u_long rmx_sendpipe
; /* outbound delay-bandwidth product */
2619 u_long rmx_ssthresh
; /* outbound gateway buffer limit */
2620 u_long rmx_rtt
; /* estimated round trip time */
2621 u_long rmx_rttvar
; /* estimated rtt variance */
2622 u_long rmx_pksent
; /* packets sent using this route */
2623 u_long rmx_filler
[4]; /* will be used for T/TCP later */
2627 * Structures for routing messages.
2630 u_short rtm_msglen
; /* to skip over non-understood messages */
2631 u_char rtm_version
; /* future binary compatibility */
2632 u_char rtm_type
; /* message type */
2633 u_short rtm_index
; /* index for associated ifp */
2634 int rtm_flags
; /* flags, incl. kern & message, e.g. DONE */
2635 int rtm_addrs
; /* bitmask identifying sockaddrs in msg */
2636 pid_t rtm_pid
; /* identify sender */
2637 int rtm_seq
; /* for sender to identify action */
2638 int rtm_errno
; /* why failed */
2639 int rtm_use
; /* from rtentry */
2640 u_long rtm_inits
; /* which metrics we are initializing */
2641 struct rt_metrics rtm_rmx
; /* metrics themselves */
2645 struct rt_msghdr m_rtm
;
2649 #define ROUNDUP(a) \
2650 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
2653 * FIXME -- add support for netmask, hwaddr, and iface
/*
 * get_default_gateway (FreeBSD/DragonFly variant) -- ask the kernel for the
 * IPv4 default route over a PF_ROUTE socket (an RTM_GET for destination and
 * netmask 0 with RTF_UP|RTF_GATEWAY) and, when a gateway sockaddr comes back,
 * store its address in rgi->gateway.addr and set RGI_ADDR_DEFINED in
 * rgi->flags.
 *
 * rgi: output; only the gateway address is filled in by the code visible here
 *      (the FIXME above this function notes netmask, hwaddr and iface are
 *      still missing on this platform).
 */
2656 get_default_gateway (struct route_gateway_info
*rgi
)
2658 struct gc_arena gc
= gc_new ();
2659 int s
, seq
, l
, pid
, rtm_addrs
, i
;
2660 struct sockaddr so_dst
, so_mask
;
2661 char *cp
= m_rtmsg
.m_space
;
2662 struct sockaddr
*gate
= NULL
, *sa
;
2663 struct rt_msghdr
*rtm_aux
;
2665 #define NEXTADDR(w, u) \
2666 if (rtm_addrs & (w)) {\
2667 l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\
2670 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
2672 #define rtm m_rtmsg.m_rtm
/* Build the request: a zeroed destination and netmask (both AF_INET) mean
 * "the default route"; NEXTADDR appends each sockaddr to m_space in the order
 * the kernel expects, and the final message length is derived from cp. */
2678 rtm_addrs
= RTA_DST
| RTA_NETMASK
;
2680 bzero(&so_dst
, sizeof(so_dst
));
2681 bzero(&so_mask
, sizeof(so_mask
));
2682 bzero(&rtm
, sizeof(struct rt_msghdr
));
2684 rtm
.rtm_type
= RTM_GET
;
2685 rtm
.rtm_flags
= RTF_UP
| RTF_GATEWAY
;
2686 rtm
.rtm_version
= RTM_VERSION
;
/* NOTE(review): seq and pid are used below (++seq here, rtm_pid != pid in the
 * read loop) but their initialisation is not on this page -- confirm both are
 * set before this point, otherwise the reply filter compares garbage. */
2687 rtm
.rtm_seq
= ++seq
;
2688 rtm
.rtm_addrs
= rtm_addrs
;
2690 so_dst
.sa_family
= AF_INET
;
2691 so_dst
.sa_len
= sizeof(struct sockaddr_in
);
2692 so_mask
.sa_family
= AF_INET
;
2693 so_mask
.sa_len
= sizeof(struct sockaddr_in
);
2695 NEXTADDR(RTA_DST
, so_dst
);
2696 NEXTADDR(RTA_NETMASK
, so_mask
);
2698 rtm
.rtm_msglen
= l
= cp
- (char *)&m_rtmsg
;
2700 s
= socket(PF_ROUTE
, SOCK_RAW
, 0);
/* NOTE(review): s is handed to write()/read() without a visible check that
 * socket() succeeded; the Darwin variant further down checks and logs
 * "GDG: socket #1 failed".  A failed socket() makes write() return -1 so the
 * warning below still fires -- a logged failure rather than a crash, but the
 * errno text will point at the write instead of the real cause. */
2702 if (write(s
, (char *)&m_rtmsg
, l
) < 0)
2704 msg(M_WARN
|M_ERRNO
, "Could not retrieve default gateway from route socket:");
/* Reply loop: keep reading routing-socket messages until one carries our
 * sequence number and pid, or read() fails / returns 0 (l <= 0). */
2711 l
= read(s
, (char *)&m_rtmsg
, sizeof(m_rtmsg
));
2712 } while (l
> 0 && (rtm
.rtm_seq
!= seq
|| rtm
.rtm_pid
!= pid
));
/* Parse the reply: the sockaddrs follow the header, one per bit set in
 * rtm_addrs, in ascending bit order.  The assignment of rtm_aux is not on
 * this page -- presumably it points at rtm. */
2718 cp
= ((char *)(rtm_aux
+ 1));
2719 if (rtm_aux
->rtm_addrs
) {
/* NOTE(review): i is a signed int and this loop ends only when i <<= 1 reaches
 * 0, i.e. after the set bit has been shifted through the sign bit -- that
 * left shift is undefined behaviour for signed int (C11 6.5.7).  An unsigned
 * loop variable gives the intended wrap to 0 without UB.  Also, the walk over
 * the returned sockaddrs advances by each sa_len (ADVANCE); no comparison
 * against the byte count actually read (l) is visible on this page. */
2720 for (i
= 1; i
; i
<<= 1)
2721 if (i
& rtm_aux
->rtm_addrs
) {
2722 sa
= (struct sockaddr
*)cp
;
2723 if (i
== RTA_GATEWAY
)
2737 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*)gate
)->sin_addr
.s_addr
);
2738 rgi
->flags
|= RGI_ADDR_DEFINED
;
2748 #elif defined(TARGET_DARWIN)
2750 #include <sys/types.h>
2751 #include <sys/socket.h>
2752 #include <netinet/in.h>
2753 #include <net/route.h>
2754 #include <net/if_dl.h>
2757 struct rt_msghdr m_rtm
;
2761 #define ROUNDUP(a) \
2762 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
2764 #define NEXTADDR(w, u) \
2765 if (rtm_addrs & (w)) {\
2766 l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\
2769 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
2771 #define max(a,b) ((a) > (b) ? (a) : (b))
2774 get_default_gateway (struct route_gateway_info
*rgi
)
2776 struct gc_arena gc
= gc_new ();
2777 struct rtmsg m_rtmsg
;
2779 int seq
, l
, pid
, rtm_addrs
, i
;
2780 struct sockaddr so_dst
, so_mask
;
2781 char *cp
= m_rtmsg
.m_space
;
2782 struct sockaddr
*gate
= NULL
, *ifp
= NULL
, *sa
;
2783 struct rt_msghdr
*rtm_aux
;
2785 # define rtm m_rtmsg.m_rtm
2789 /* setup data to send to routing socket */
2792 rtm_addrs
= RTA_DST
| RTA_NETMASK
| RTA_IFP
;
2794 bzero(&m_rtmsg
, sizeof(m_rtmsg
));
2795 bzero(&so_dst
, sizeof(so_dst
));
2796 bzero(&so_mask
, sizeof(so_mask
));
2797 bzero(&rtm
, sizeof(struct rt_msghdr
));
2799 rtm
.rtm_type
= RTM_GET
;
2800 rtm
.rtm_flags
= RTF_UP
| RTF_GATEWAY
;
2801 rtm
.rtm_version
= RTM_VERSION
;
2802 rtm
.rtm_seq
= ++seq
;
2803 rtm
.rtm_addrs
= rtm_addrs
;
2805 so_dst
.sa_family
= AF_INET
;
2806 so_dst
.sa_len
= sizeof(struct sockaddr_in
);
2807 so_mask
.sa_family
= AF_INET
;
2808 so_mask
.sa_len
= sizeof(struct sockaddr_in
);
2810 NEXTADDR(RTA_DST
, so_dst
);
2811 NEXTADDR(RTA_NETMASK
, so_mask
);
2813 rtm
.rtm_msglen
= l
= cp
- (char *)&m_rtmsg
;
2815 /* transact with routing socket */
2816 sockfd
= socket(PF_ROUTE
, SOCK_RAW
, 0);
2819 msg (M_WARN
, "GDG: socket #1 failed");
2822 if (write(sockfd
, (char *)&m_rtmsg
, l
) < 0)
2824 msg (M_WARN
, "GDG: problem writing to routing socket");
2828 l
= read(sockfd
, (char *)&m_rtmsg
, sizeof(m_rtmsg
));
2829 } while (l
> 0 && (rtm
.rtm_seq
!= seq
|| rtm
.rtm_pid
!= pid
));
2833 /* extract return data from routing socket */
2835 cp
= ((char *)(rtm_aux
+ 1));
2836 if (rtm_aux
->rtm_addrs
)
2838 for (i
= 1; i
; i
<<= 1)
2840 if (i
& rtm_aux
->rtm_addrs
)
2842 sa
= (struct sockaddr
*)cp
;
2843 if (i
== RTA_GATEWAY
)
2845 else if (i
== RTA_IFP
)
2854 /* get gateway addr and interface name */
2857 /* get default gateway addr */
2858 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*)gate
)->sin_addr
.s_addr
);
2859 if (rgi
->gateway
.addr
)
2860 rgi
->flags
|= RGI_ADDR_DEFINED
;
2864 /* get interface name */
2865 const struct sockaddr_dl
*adl
= (struct sockaddr_dl
*) ifp
;
2866 int len
= adl
->sdl_nlen
;
2867 if (adl
->sdl_nlen
&& adl
->sdl_nlen
< sizeof(rgi
->iface
))
2869 memcpy (rgi
->iface
, adl
->sdl_data
, adl
->sdl_nlen
);
2870 rgi
->iface
[adl
->sdl_nlen
] = '\0';
2871 rgi
->flags
|= RGI_IFACE_DEFINED
;
2876 /* get netmask of interface that owns default gateway */
2877 if (rgi
->flags
& RGI_IFACE_DEFINED
) {
2880 sockfd
= socket(AF_INET
, SOCK_DGRAM
, 0);
2883 msg (M_WARN
, "GDG: socket #2 failed");
2888 ifr
.ifr_addr
.sa_family
= AF_INET
;
2889 strncpynt(ifr
.ifr_name
, rgi
->iface
, IFNAMSIZ
);
2891 if (ioctl(sockfd
, SIOCGIFNETMASK
, (char *)&ifr
) < 0)
2893 msg (M_WARN
, "GDG: ioctl #1 failed");
2899 rgi
->gateway
.netmask
= ntohl(((struct sockaddr_in
*)&ifr
.ifr_addr
)->sin_addr
.s_addr
);
2900 rgi
->flags
|= RGI_NETMASK_DEFINED
;
2903 /* try to read MAC addr associated with interface that owns default gateway */
2904 if (rgi
->flags
& RGI_IFACE_DEFINED
)
2908 const int bufsize
= 4096;
2911 buffer
= (char *) gc_malloc (bufsize
, true, &gc
);
2912 sockfd
= socket(AF_INET
, SOCK_DGRAM
, 0);
2915 msg (M_WARN
, "GDG: socket #3 failed");
2919 ifc
.ifc_len
= bufsize
;
2920 ifc
.ifc_buf
= buffer
;
2922 if (ioctl(sockfd
, SIOCGIFCONF
, (char *)&ifc
) < 0)
2924 msg (M_WARN
, "GDG: ioctl #2 failed");
2930 for (cp
= buffer
; cp
<= buffer
+ ifc
.ifc_len
- sizeof(struct ifreq
); )
2932 ifr
= (struct ifreq
*)cp
;
2933 const size_t len
= sizeof(ifr
->ifr_name
) + max(sizeof(ifr
->ifr_addr
), ifr
->ifr_addr
.sa_len
);
2934 if (!ifr
->ifr_addr
.sa_family
)
2936 if (!strncmp(ifr
->ifr_name
, rgi
->iface
, IFNAMSIZ
))
2938 if (ifr
->ifr_addr
.sa_family
== AF_LINK
)
2940 struct sockaddr_dl
*sdl
= (struct sockaddr_dl
*)&ifr
->ifr_addr
;
2941 memcpy(rgi
->hwaddr
, LLADDR(sdl
), 6);
2942 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2957 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* all of this is taken from <net/route.h> in OpenBSD 3.6 */
/*
 * Private copies of the routing-socket constants used by the
 * OpenBSD/NetBSD get_default_gateway() below, instead of the system
 * <net/route.h>.  NOTE(review): these are a snapshot of one kernel
 * release; if a newer kernel changes RTM_VERSION or the RTA_* bit
 * layout, the RTM_GET request built below may be rejected or its reply
 * misparsed — confirm against the target <net/route.h>.
 */
#define RTA_DST 0x1 /* destination sockaddr present */
#define RTA_GATEWAY 0x2 /* gateway sockaddr present */
#define RTA_NETMASK 0x4 /* netmask sockaddr present */

#define RTM_GET 0x4 /* Report Metrics */

#define RTM_VERSION 3 /* Up the ante and ignore older versions */

#define RTF_UP 0x1 /* route usable */
#define RTF_GATEWAY 0x2 /* destination is a gateway */
/* … source lines 2974–2975 (comment opener) not shown in this excerpt … */
/* Huge version for userland compatibility. */
/* … source lines 2977–2978 not shown; the struct header is missing, but the rmx_
 * fields below are presumably the members of struct rt_metrics, which is
 * embedded as rtm_rmx in the message header further down — confirm … */
u_long rmx_locks; /* Kernel must leave these values alone */
u_long rmx_mtu; /* MTU for this path */
u_long rmx_hopcount; /* max hops expected */
u_long rmx_expire; /* lifetime for route, e.g. redirect */
u_long rmx_recvpipe; /* inbound delay-bandwidth product */
u_long rmx_sendpipe; /* outbound delay-bandwidth product */
u_long rmx_ssthresh; /* outbound gateway buffer limit */
u_long rmx_rtt; /* estimated round trip time */
u_long rmx_rttvar; /* estimated rtt variance */
u_long rmx_pksent; /* packets sent using this route */
/* … source lines 2989–2991 (struct close, comment opener) not shown … */
/* Structures for routing messages. */
/* … source lines 2993–2994 not shown; presumably the `struct rt_msghdr {` header
 * for the fields below (the type get_default_gateway() reads back through
 * rtm_aux) — confirm … */
u_short rtm_msglen; /* to skip over non-understood messages */
u_char rtm_version; /* future binary compatibility */
u_char rtm_type; /* message type */
u_short rtm_index; /* index for associated ifp */
int rtm_flags; /* flags, incl. kern & message, e.g. DONE */
int rtm_addrs; /* bitmask identifying sockaddrs in msg */
pid_t rtm_pid; /* identify sender */
int rtm_seq; /* for sender to identify action */
int rtm_errno; /* why failed; NOTE(review): not inspected by any visible line of the reader below */
int rtm_use; /* from rtentry */
u_long rtm_inits; /* which metrics we are initializing */
struct rt_metrics rtm_rmx; /* metrics themselves */
/* … source lines 3007–3009 (struct close, anonymous struct header) not shown … */
struct rt_msghdr m_rtm; /* header part of the file-scope request/reply buffer, addressed as m_rtmsg.m_rtm below */
/* … source lines 3011–3012 not shown; the payload member m_space and the
 * `m_rtmsg` name are referenced below but not visible here … */
/*
 * Round a sockaddr length up to the next multiple of sizeof(long); a
 * zero length maps to sizeof(long) rather than 0.  NEXTADDR()/ADVANCE()
 * in get_default_gateway() use it to step between consecutive sockaddrs
 * in a routing message.  The argument is evaluated three times, so only
 * pass side-effect-free expressions.
 */
#define ROUNDUP(a) \
	((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
3018 * FIXME -- add support for netmask, hwaddr, and iface
/*
 * OpenBSD/NetBSD implementation: send an RTM_GET request for a zeroed
 * destination and netmask (i.e. the default route) over a PF_ROUTE raw
 * socket, wait for the reply carrying our sequence number and pid, and
 * copy the gateway address into rgi->gateway.addr (RGI_ADDR_DEFINED).
 * Netmask, hwaddr and iface are not filled in here (see the FIXME
 * above).
 *
 * Request and reply share the file-scope buffer m_rtmsg, so this routine
 * is not reentrant.  Several framing lines of the function are not
 * shown in this excerpt; each gap is marked below.
 */
get_default_gateway (struct route_gateway_info *rgi)
/* … source line 3022 not shown in this excerpt … */
  struct gc_arena gc = gc_new ();
  int s, seq, l, rtm_addrs, i;
  /* … source line 3025 not shown; `pid` (compared in the read loop below) is
   * not declared on any visible line … */
  struct sockaddr so_dst, so_mask;
  char *cp = m_rtmsg.m_space;          /* write cursor into the request payload */
  struct sockaddr *gate = NULL, *sa;
  struct rt_msghdr *rtm_aux;
  /* … source line 3030 not shown … */

  /* Append sockaddr `u` to the request when bit `w` is set in rtm_addrs,
   * padded to ROUNDUP(sa_len); updates the locals l and cp. */
#define NEXTADDR(w, u) \
	if (rtm_addrs & (w)) {\
	    l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\
  /* … source lines 3034–3035 (macro tail) not shown … */

  /* Advance pointer x past the sockaddr n points to, with the same padding. */
#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))

  /* shorthand for the header of the shared message buffer */
#define rtm m_rtmsg.m_rtm
  /* … source lines 3039–3043 not shown; neither seq nor pid is initialised on
   * any visible line before their use below — confirm … */

  rtm_addrs = RTA_DST | RTA_NETMASK;
  /* … source line 3045 not shown … */
  bzero(&so_dst, sizeof(so_dst));
  bzero(&so_mask, sizeof(so_mask));
  bzero(&rtm, sizeof(struct rt_msghdr));
  /* … source line 3049 not shown … */
  rtm.rtm_type = RTM_GET;
  rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
  rtm.rtm_version = RTM_VERSION;
  rtm.rtm_seq = ++seq;                 /* echoed by the kernel; matched in the read loop */
  rtm.rtm_addrs = rtm_addrs;
  /* … source line 3055 not shown … */
  /* Only family and length are set; the zeroed address/mask select the default route. */
  so_dst.sa_family = AF_INET;
  so_dst.sa_len = sizeof(struct sockaddr_in);
  so_mask.sa_family = AF_INET;
  so_mask.sa_len = sizeof(struct sockaddr_in);
  /* … source line 3060 not shown … */
  NEXTADDR(RTA_DST, so_dst);
  NEXTADDR(RTA_NETMASK, so_mask);
  /* … source line 3063 not shown … */
  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;   /* total request length */
  /* … source line 3065 not shown … */
  s = socket(PF_ROUTE, SOCK_RAW, 0);
  /* … source line 3067 not shown.  NOTE(review): no `s < 0` check is visible
   * before the write() below, unlike the "GDG: socket #1 failed" check in the
   * FreeBSD/Darwin variant earlier in this file — confirm. */
  if (write(s, (char *)&m_rtmsg, l) < 0)
  /* … source line 3069 not shown … */
      msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:");
  /* … source lines 3071–3076 not shown: what happens after the warning and the
   * opening of the do/while read loop … */
    l = read(s, (char *)&m_rtmsg, sizeof(m_rtmsg));
  } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));  /* discard messages that are not our reply */
  /* … source lines 3079–3083 not shown; rtm_aux is read below but is not
   * assigned on any visible line, and no close(s) is visible … */
  cp = ((char *)(rtm_aux + 1));        /* sockaddrs follow the reply header */
  if (rtm_aux->rtm_addrs) {
    /* One sockaddr per set RTA_* bit, in ascending bit order. */
    for (i = 1; i; i <<= 1)
      if (i & rtm_aux->rtm_addrs) {
	sa = (struct sockaddr *)cp;
	if (i == RTA_GATEWAY)
  /* … source lines 3090–3102 not shown: the assignment to gate, the cp advance
   * and the end of the loop.  NOTE(review): nothing visible bounds this walk by
   * the `l` bytes actually read or examines the reply's rtm_errno, and whether
   * gate is checked for NULL before the cast below cannot be seen here —
   * confirm. */
  rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
  rgi->flags |= RGI_ADDR_DEFINED;
  /* … remainder of the function (source lines 3105 onward) not shown in this excerpt … */
3117 * This is a platform-specific method that returns data about
3118 * the current default gateway. Return data is placed into
3119 * a struct route_gateway_info object provided by caller. The
3120 * implementation should CLEAR the structure before adding
3123 * Data returned includes:
3124 * 1. default gateway address (rgi->gateway.addr)
3125 * 2. netmask of interface that owns default gateway
3126 * (rgi->gateway.netmask)
3127 * 3. hardware address (i.e. MAC address) of interface that owns
3128 * default gateway (rgi->hwaddr)
3129 * 4. interface name (or adapter index on Windows) that owns default
3130 * gateway (rgi->iface or rgi->adapter_index)
3131 * 5. an array of additional address/netmask pairs defined by
3132 * interface that owns default gateway (rgi->addrs with length
3133 * given in rgi->n_addrs)
3135 * The flags RGI_x_DEFINED may be used to indicate which of the data
3136 * members were successfully returned (set in rgi->flags). All of
3137 * the data members are optional; however, certain OpenVPN functionality
3138 * may be disabled when items are missing.
/* NOTE(review): appears to be the fallback for platforms without their own
 * implementation above; the enclosing #if/#else lines and the body (source
 * lines 3142 onward) are not shown in this excerpt. */
get_default_gateway (struct route_gateway_info *rgi)
/* … body not shown in this excerpt … */
/*
 * Convert a network/netmask pair to a prefix length stored in *netbits.
 * Visible logic: the pair is considered only if `network` has no bits
 * outside `netmask`, and the mask is then matched against
 * netbits_to_netmask(i) for i = 0..32.  The declaration of `i`, the
 * return statements and the function's closing lines are not shown in
 * this excerpt, so the exact return values cannot be stated from here.
 */
netmask_to_netbits (const in_addr_t network, const in_addr_t netmask, int *netbits)
/* … source lines 3150–3151 not shown … */
  const int addrlen = sizeof (in_addr_t) * 8;    /* 32 on a 4-byte in_addr_t */
  /* … source line 3153 not shown … */
  if ((network & netmask) == network)            /* network must be a proper network address under netmask */
  /* … source line 3155 not shown … */
    for (i = 0; i <= addrlen; ++i)               /* 0..32 inclusive: /0 through /32 */
  /* … source line 3157 not shown … */
      in_addr_t mask = netbits_to_netmask (i);
      if (mask == netmask)
/* … remainder (source lines 3160 onward, including the return statements) not shown … */
3173 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3174 * functions to build a route bypass to selected DHCP/DNS servers,
3175 * so that outgoing packets to these servers don't end up in the tunnel.
/*
 * Add `addr` to the bypass list only when test_local_addr() reports it
 * as TLA_NONLOCAL (i.e. it would otherwise be sent through the tunnel)
 * and it is neither 0 nor IPV4_NETMASK_HOST.  test_local_addr() is
 * called with rgi == NULL here, so only a variant that tolerates a NULL
 * rgi can be compiled next to this caller.  The return-type line (3180)
 * and the braces (3182, 3185) are not shown in this excerpt.
 */
add_host_route_if_nonlocal (struct route_bypass *rb, const in_addr_t addr)
/* … source line 3182 not shown … */
  if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
    add_bypass_address (rb, addr);
/* … source line 3185 not shown … */
/*
 * Resolve each entry of a Windows IP_ADDR_STRING list and hand every
 * successfully parsed address to add_host_route_if_nonlocal().  The
 * loop and conditional framing (source lines 3189–3191, 3194–3195, 3197
 * and 3199 onward) is not shown; `succeed` is getaddr()'s out-flag and
 * presumably gates the add on the hidden lines — confirm.
 */
add_host_route_array (struct route_bypass *rb, const IP_ADDR_STRING *iplist)
/* … source lines 3189–3191 not shown … */
      bool succeed = false;
      /* GETADDR_HOST_ORDER: result in host byte order, like the ntohl() results used elsewhere in this file */
      const in_addr_t ip = getaddr (GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
      /* … source lines 3194–3195 not shown … */
	  add_host_route_if_nonlocal (rb, ip);
      /* … source line 3197 not shown … */
      iplist = iplist->Next;
/* … remainder (source lines 3199 onward) not shown … */
/*
 * Windows implementation: locate the adapter behind the default gateway
 * and, depending on `flags`, add its DHCP server (RG_BYPASS_DHCP) and
 * DNS servers (RG_BYPASS_DNS) to the bypass list so traffic to them is
 * routed outside the tunnel.  All lookups allocate from the local gc
 * arena; the matching gc_free() and the lines around the default-route
 * lookup (3213–3215) are not shown in this excerpt.
 */
get_bypass_addresses (struct route_bypass *rb, const unsigned int flags)
/* … source line 3204 not shown … */
  struct gc_arena gc = gc_new ();
  /* … source line 3207 not shown … */
  /* get full routing table */
  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table (&gc);
  /* … source line 3210 not shown … */
  /* get the route which represents the default gateway */
  const MIB_IPFORWARDROW *row = get_default_gateway_row (routes);
  /* … source lines 3213–3215 not shown.  NOTE(review): row is dereferenced
   * below; whether a NULL row (no default route) is rejected on those lines
   * cannot be seen here — confirm. */
  /* get the adapter which the default gateway is associated with */
  const IP_ADAPTER_INFO *dgi = get_adapter_info (row->dwForwardIfIndex, &gc);
  /* … source line 3218 not shown … */
  /* get extra adapter info, such as DNS addresses */
  const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info (row->dwForwardIfIndex, &gc);
  /* … source line 3221 not shown … */
  /* Bypass DHCP server address (only when the adapter is DHCP-configured) */
  if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
    add_host_route_array (rb, &dgi->DhcpServer);
  /* … source line 3225 not shown … */
  /* Bypass DNS server addresses */
  if ((flags & RG_BYPASS_DNS) && pai)
    add_host_route_array (rb, &pai->DnsServerList);
/* … remainder (source lines 3229 onward, presumably including gc_free) not shown … */
/* Non-Windows variant; presumably a no-op stub, but the body (source lines
 * 3238 onward) is not shown in this excerpt — confirm. */
get_bypass_addresses (struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
/* … body not shown in this excerpt … */
3244 * Test if addr is reachable via a local interface (return TLA_LOCAL),
3245 * or if it needs to be routed via the default gateway (return
3246 * TLA_NONLOCAL). If the target platform doesn't implement this
3247 * function, return TLA_NOT_IMPLEMENTED.
3249 * Used by redirect-gateway autolocal feature
/*
 * Windows implementation: scan the routing table for an entry whose mask
 * is wider than /1 (see nonlocal_netmask) and whose network contains
 * `addr`.  `rgi` is not used on any visible line, which is what lets
 * add_host_route_if_nonlocal() pass NULL.
 *
 * NOTE(review): `ret` is declared bool but initialised with the result
 * code TLA_NONLOCAL and, presumably on the lines not shown, set to
 * TLA_LOCAL.  If the TLA_* values (defined elsewhere, route.h) are
 * anything other than 0 and 1, storing them in a bool collapses them to
 * 1 and the local/non-local distinction is lost — verify the values or
 * declare `ret` as int.
 */
test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi)
/* … source line 3256 not shown … */
  struct gc_arena gc = gc_new ();
  const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
  bool ret = TLA_NONLOCAL;
  /* … source line 3260 not shown … */
  /* get full routing table */
  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table (&gc);
  /* … source lines 3263–3265 not shown; rt is dereferenced below, and whether a
   * NULL table is rejected first cannot be seen here — confirm … */
      for (i = 0; i < rt->dwNumEntries; ++i)
      /* … source line 3267 not shown … */
	  const MIB_IPFORWARDROW *row = &rt->table[i];
	  const in_addr_t net = ntohl (row->dwForwardDest);
	  const in_addr_t mask = ntohl (row->dwForwardMask);
	  /* Only masks wider than /1 qualify, so the 0.0.0.0/0 default route
	   * (and /1 routes) never make an address count as local. */
	  if (mask > nonlocal_netmask && (addr & mask) == net)
/* … remainder (source lines 3272 onward, including the assignment to ret,
 * gc_free() and the return) not shown in this excerpt … */
/*
 * Generic implementation: decide with local_route() using the default
 * gateway recorded in *rgi and a host mask of 0xFFFFFFFF.  The branch
 * taken when local_route() succeeds and the surrounding framing (source
 * lines 3287–3289, 3291–3292, 3294, 3296 onward) are not shown.
 *
 * NOTE(review): rgi is dereferenced at the local_route() call; whether a
 * NULL rgi is rejected on the hidden lines before it cannot be seen
 * here, and add_host_route_if_nonlocal() above passes NULL — confirm.
 */
test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
/* … source lines 3287–3289 not shown … */
      if (local_route (addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
      /* … source lines 3291–3292 not shown … */
	return TLA_NONLOCAL;
  /* … source line 3294 not shown … */
  return TLA_NOT_IMPLEMENTED;
/* … source lines 3296 onward not shown … */