2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
19 * You should have received a copy of the GNU General Public License
20 * along with this program (see the file COPYING included with this
21 * distribution); if not, write to the Free Software Foundation, Inc.,
22 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 * Support routines for adding/deleting network routes.
31 #elif defined(_MSC_VER)
32 #include "config-msvc.h"
49 #define METRIC_NOT_USED ((DWORD)-1)
/* Forward declarations for file-local helpers defined later in this file:
 * delete_route() removes one IPv4 route from the system routing table,
 * get_bypass_addresses() collects the host addresses (e.g. DHCP/DNS
 * servers) that must keep using the original default gateway. */
static void delete_route (struct route_ipv4 *r, const struct tuntap *tt, unsigned int flags, const struct route_gateway_info *rgi, const struct env_set *es);
static void get_bypass_addresses (struct route_bypass *rb, const unsigned int flags);
/* Log, one D_ROUTE line per entry, every host address that is routed
 * around the tunnel via the original default gateway. */
static void
print_bypass_addresses (const struct route_bypass *rb)
{
    struct gc_arena gc = gc_new ();
    int idx;

    for (idx = 0; idx < rb->n_bypass; ++idx) {
        msg (D_ROUTE, "ROUTE: bypass_host_route[%d]=%s",
             idx, print_in_addr_t (rb->bypass[idx], 0, &gc));
    }
    gc_free (&gc);
}
/* Append host address @a to the bypass list unless it is already present.
 * The list has a fixed capacity (N_ROUTE_BYPASS); an address that does not
 * fit is dropped without any diagnostic, so a host beyond that limit will
 * NOT receive a bypass route. */
static void
add_bypass_address (struct route_bypass *rb, const in_addr_t a)
{
    int idx;

    /* avoid duplicates */
    for (idx = 0; idx < rb->n_bypass; ++idx) {
        if (rb->bypass[idx] == a) {
            return;
        }
    }
    if (rb->n_bypass >= N_ROUTE_BYPASS) {
        return; /* list is full */
    }
    rb->bypass[rb->n_bypass] = a;
    rb->n_bypass++;
}
/* Allocate a zeroed route option list with room for @max_routes entries
 * from arena @a. The list is owned by the arena; callers must not free it. */
struct route_option_list *
new_route_option_list (const int max_routes, struct gc_arena *a)
{
    struct route_option_list *list;

    ALLOC_VAR_ARRAY_CLEAR_GC (list, struct route_option_list, struct route_option, max_routes, a);
    list->capacity = max_routes;
    return list;
}
/* IPv6 counterpart of new_route_option_list(): allocate a zeroed list with
 * room for @max_routes entries from arena @a (arena-owned, never freed). */
struct route_ipv6_option_list *
new_route_ipv6_option_list (const int max_routes, struct gc_arena *a)
{
    struct route_ipv6_option_list *list;

    ALLOC_VAR_ARRAY_CLEAR_GC (list, struct route_ipv6_option_list, struct route_ipv6_option, max_routes, a);
    list->capacity = max_routes;
    return list;
}
/* Deep-copy @src (header plus its whole capacity of entries) into a new
 * arena-allocated list. array_mult_safe() guards the size computation
 * against overflow. */
struct route_option_list *
clone_route_option_list (const struct route_option_list *src, struct gc_arena *a)
{
    const size_t total_size = array_mult_safe (sizeof(struct route_option),
                                               src->capacity,
                                               sizeof(struct route_option_list));
    struct route_option_list *copy = gc_malloc (total_size, false, a);

    memcpy (copy, src, total_size);
    return copy;
}
/* IPv6 counterpart of clone_route_option_list(): deep-copy @src, header
 * plus its whole capacity of entries, into a new arena-allocated list. */
struct route_ipv6_option_list *
clone_route_ipv6_option_list (const struct route_ipv6_option_list *src, struct gc_arena *a)
{
    const size_t total_size = array_mult_safe (sizeof(struct route_ipv6_option),
                                               src->capacity,
                                               sizeof(struct route_ipv6_option_list));
    struct route_ipv6_option_list *copy = gc_malloc (total_size, false, a);

    memcpy (copy, src, total_size);
    return copy;
}
/* Overwrite @dest with the contents of @src. The copy covers src's full
 * capacity, so a dest smaller than src would be overrun; that case is a
 * fatal error (M_FATAL does not return) rather than a truncated copy. */
void
copy_route_option_list (struct route_option_list *dest, const struct route_option_list *src)
{
    const size_t bytes = array_mult_safe (sizeof(struct route_option),
                                          src->capacity,
                                          sizeof(struct route_option_list));

    if (dest->capacity < src->capacity) {
        msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
    }
    memcpy (dest, src, bytes);
}
/* IPv6 counterpart of copy_route_option_list(): overwrite @dest with @src.
 * A dest with smaller capacity than src is a fatal error, since the copy
 * spans src's whole capacity. */
void
copy_route_ipv6_option_list (struct route_ipv6_option_list *dest,
                             const struct route_ipv6_option_list *src)
{
    const size_t bytes = array_mult_safe (sizeof(struct route_ipv6_option),
                                          src->capacity,
                                          sizeof(struct route_ipv6_option_list));

    if (dest->capacity < src->capacity) {
        msg (M_FATAL, PACKAGE_NAME " ROUTE: (copy) number of route options in src (%d) is greater than route list capacity in dest (%d)", src->capacity, dest->capacity);
    }
    memcpy (dest, src, bytes);
}
/* Allocate a zeroed IPv4 route list able to hold @max_routes resolved
 * routes from arena @a (arena-owned, never freed by the caller). */
struct route_list *
new_route_list (const int max_routes, struct gc_arena *a)
{
    struct route_list *list;

    ALLOC_VAR_ARRAY_CLEAR_GC (list, struct route_list, struct route_ipv4, max_routes, a);
    list->capacity = max_routes;
    return list;
}
/* Allocate a zeroed IPv6 route list able to hold @max_routes resolved
 * routes from arena @a (arena-owned, never freed by the caller). */
struct route_ipv6_list *
new_route_ipv6_list (const int max_routes, struct gc_arena *a)
{
    struct route_ipv6_list *list;

    ALLOC_VAR_ARRAY_CLEAR_GC (list, struct route_ipv6_list, struct route_ipv6, max_routes, a);
    list->capacity = max_routes;
    return list;
}
/* Render @r as "ROUTE network A netmask B gateway C[ metric N]". The
 * returned string lives in arena @gc. */
static const char *
route_string (const struct route_ipv4 *r, struct gc_arena *gc)
{
    struct buffer out = alloc_buf_gc (256, gc);
    const char *net_txt = print_in_addr_t (r->network, 0, gc);
    const char *mask_txt = print_in_addr_t (r->netmask, 0, gc);
    const char *gw_txt = print_in_addr_t (r->gateway, 0, gc);

    buf_printf (&out, "ROUTE network %s netmask %s gateway %s", net_txt, mask_txt, gw_txt);
    if (r->flags & RT_METRIC_DEFINED) {
        buf_printf (&out, " metric %d", r->metric);
    }
    return BSTR (&out);
}
/* A route option parameter counts as "defined" when it is non-NULL and is
 * not the literal placeholder "default". */
static bool
is_route_parm_defined (const char *parm)
{
    return parm != NULL && strcmp (parm, "default") != 0;
}
/* Export an address into the script environment as "route_<key>_<i>", or
 * as "route_<key>" when @i is negative (used for the un-indexed
 * vpn_gateway / net_gateway variables). */
static void
setenv_route_addr (struct env_set *es, const char *key, const in_addr_t addr, int i)
{
    struct gc_arena gc = gc_new ();
    struct buffer var_name = alloc_buf_gc (256, &gc);

    if (i < 0) {
        buf_printf (&var_name, "route_%s", key);
    } else {
        buf_printf (&var_name, "route_%s_%d", key, i);
    }
    setenv_str (es, BSTR (&var_name), print_in_addr_t (addr, 0, &gc));
    gc_free (&gc);
}
/* Resolve the symbolic route targets "vpn_gateway", "net_gateway" and
 * "remote_host" against @rl.
 *
 * Returns true when @string is one of the symbolic names (regardless of
 * whether it could be resolved) and false otherwise. With @rl NULL the call
 * only classifies the name. When the name is known but its value is not
 * available, a message is logged and *status (if given) is cleared to
 * false; *out is written only on success. */
static bool
get_special_addr (const struct route_list *rl,
                  const char *string,
                  in_addr_t *out,
                  bool *status)
{
    if (status) {
        *status = true;
    }

    if (strcmp (string, "vpn_gateway") == 0) {
        if (rl) {
            if (rl->spec.flags & RTSA_REMOTE_ENDPOINT) {
                *out = rl->spec.remote_endpoint;
            } else {
                msg (M_INFO, PACKAGE_NAME " ROUTE: vpn_gateway undefined");
                if (status) {
                    *status = false;
                }
            }
        }
        return true;
    }

    if (strcmp (string, "net_gateway") == 0) {
        if (rl) {
            if (rl->rgi.flags & RGI_ADDR_DEFINED) {
                *out = rl->rgi.gateway.addr;
            } else {
                msg (M_INFO, PACKAGE_NAME " ROUTE: net_gateway undefined -- unable to get default gateway from system");
                if (status) {
                    *status = false;
                }
            }
        }
        return true;
    }

    if (strcmp (string, "remote_host") == 0) {
        if (rl) {
            if (rl->spec.flags & RTSA_REMOTE_HOST) {
                *out = rl->spec.remote_host;
            } else {
                msg (M_INFO, PACKAGE_NAME " ROUTE: remote_host undefined");
                if (status) {
                    *status = false;
                }
            }
        }
        return true;
    }

    return false;
}
/* True when @addr_str is one of the symbolic route targets understood by
 * get_special_addr(); NULL is never special. */
bool
is_special_addr (const char *addr_str)
{
    if (!addr_str) {
        return false;
    }
    return get_special_addr (NULL, addr_str, NULL, NULL);
}
270 init_route (struct route_ipv4
*r
,
271 struct addrinfo
**network_list
,
272 const struct route_option
*ro
,
273 const struct route_list
*rl
)
275 const in_addr_t default_netmask
= IPV4_NETMASK_HOST
;
278 struct in_addr special
;
285 if (!is_route_parm_defined (ro
->network
))
291 /* get_special_addr replaces specialaddr with a special ip addr
292 like gw. getaddrinfo is called to convert a a addrinfo struct */
294 if(get_special_addr (rl
, ro
->network
, &special
.s_addr
, &status
))
296 special
.s_addr
= htonl(special
.s_addr
);
297 ret
= openvpn_getaddrinfo(0, inet_ntoa(special
), 0, NULL
,
298 AF_INET
, network_list
);
301 ret
= openvpn_getaddrinfo(GETADDR_RESOLVE
| GETADDR_WARN_ON_SIGNAL
,
302 ro
->network
, 0, NULL
, AF_INET
, network_list
);
311 if (is_route_parm_defined (ro
->netmask
))
313 r
->netmask
= getaddr (
315 | GETADDR_WARN_ON_SIGNAL
,
324 r
->netmask
= default_netmask
;
328 if (is_route_parm_defined (ro
->gateway
))
330 if (!get_special_addr (rl
, ro
->gateway
, &r
->gateway
, &status
))
332 r
->gateway
= getaddr (
335 | GETADDR_WARN_ON_SIGNAL
,
346 if (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
)
347 r
->gateway
= rl
->spec
.remote_endpoint
;
350 msg (M_WARN
, PACKAGE_NAME
" ROUTE: " PACKAGE_NAME
" needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options");
358 if (is_route_parm_defined (ro
->metric
))
360 r
->metric
= atoi (ro
->metric
);
363 msg (M_WARN
, PACKAGE_NAME
" ROUTE: route metric for network %s (%s) must be >= 0",
368 r
->flags
|= RT_METRIC_DEFINED
;
370 else if (rl
->spec
.flags
& RTSA_DEFAULT_METRIC
)
372 r
->metric
= rl
->spec
.default_metric
;
373 r
->flags
|= RT_METRIC_DEFINED
;
376 r
->flags
|= RT_DEFINED
;
381 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve route for host/network: %s",
387 init_route_ipv6 (struct route_ipv6
*r6
,
388 const struct route_ipv6_option
*r6o
,
389 const struct route_ipv6_list
*rl6
)
393 if ( !get_ipv6_addr( r6o
->prefix
, &r6
->network
, &r6
->netbits
, NULL
, M_WARN
))
397 if (is_route_parm_defined (r6o
->gateway
))
399 if ( inet_pton( AF_INET6
, r6o
->gateway
, &r6
->gateway
) != 1 )
401 msg( M_WARN
, PACKAGE_NAME
"ROUTE6: cannot parse gateway spec '%s'", r6o
->gateway
);
404 else if (rl6
->remote_endpoint_defined
)
406 r6
->gateway
= rl6
->remote_endpoint_ipv6
;
410 msg (M_WARN
, PACKAGE_NAME
" ROUTE6: " PACKAGE_NAME
" needs a gateway parameter for a --route-ipv6 option and no default was specified by either --route-ipv6-gateway or --ifconfig-ipv6 options");
416 r6
->metric_defined
= false;
418 if (is_route_parm_defined (r6o
->metric
))
420 r6
->metric
= atoi (r6o
->metric
);
423 msg (M_WARN
, PACKAGE_NAME
" ROUTE: route metric for network %s (%s) must be >= 0",
428 r6
->metric_defined
= true;
430 else if (rl6
->default_metric_defined
)
432 r6
->metric
= rl6
->default_metric
;
433 r6
->metric_defined
= true;
441 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve route for host/network: %s",
448 add_route_to_option_list (struct route_option_list
*l
,
454 struct route_option
*ro
;
455 if (l
->n
>= l
->capacity
)
456 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: cannot add more than %d routes -- please increase the max-routes option in the client configuration file",
458 ro
= &l
->routes
[l
->n
];
459 ro
->network
= network
;
460 ro
->netmask
= netmask
;
461 ro
->gateway
= gateway
;
467 add_route_ipv6_to_option_list (struct route_ipv6_option_list
*l
,
472 struct route_ipv6_option
*ro
;
473 if (l
->n
>= l
->capacity
)
474 msg (M_FATAL
, PACKAGE_NAME
" ROUTE: cannot add more than %d IPv6 routes -- please increase the max-routes option in the client configuration file",
476 ro
= &l
->routes_ipv6
[l
->n
];
478 ro
->gateway
= gateway
;
/* Reset @rl to its freshly-allocated state: zero the header and every
 * route slot while preserving the capacity recorded at allocation. */
void
clear_route_list (struct route_list *rl)
{
    const int saved_capacity = rl->capacity;
    const size_t bytes = array_mult_safe (sizeof(struct route_ipv4),
                                          saved_capacity,
                                          sizeof(struct route_list));

    memset (rl, 0, bytes);
    rl->capacity = saved_capacity;
}
/* IPv6 counterpart of clear_route_list(): zero @rl6 and all its route
 * slots, keeping only the capacity. */
void
clear_route_ipv6_list (struct route_ipv6_list *rl6)
{
    const int saved_capacity = rl6->capacity;
    const size_t bytes = array_mult_safe (sizeof(struct route_ipv6),
                                          saved_capacity,
                                          sizeof(struct route_ipv6_list));

    memset (rl6, 0, bytes);
    rl6->capacity = saved_capacity;
}
/* Record @addr as the VPN-side gateway (remote endpoint) of @rl, mark it
 * defined, and publish it to scripts as the "route_vpn_gateway" variable. */
void
route_list_add_vpn_gateway (struct route_list *rl,
                            struct env_set *es,
                            const in_addr_t addr)
{
    rl->spec.remote_endpoint = addr;
    rl->spec.flags |= RTSA_REMOTE_ENDPOINT;
    setenv_route_addr (es, "vpn_gateway", addr, -1);
}
513 add_block_local_item (struct route_list
*rl
,
514 const struct route_gateway_address
*gateway
,
517 const int rgi_needed
= (RGI_ADDR_DEFINED
|RGI_NETMASK_DEFINED
);
518 if ((rl
->rgi
.flags
& rgi_needed
) == rgi_needed
519 && rl
->rgi
.gateway
.netmask
< 0xFFFFFFFF
520 && (rl
->n
)+2 <= rl
->capacity
)
525 /* split a route into two smaller blocking routes, and direct them to target */
527 r
.flags
= RT_DEFINED
;
529 r
.network
= gateway
->addr
& gateway
->netmask
;
530 l2
= ((~gateway
->netmask
)+1)>>1;
532 rl
->routes
[rl
->n
++] = r
;
534 rl
->routes
[rl
->n
++] = r
;
/* Implement "redirect-gateway block-local": when enabled and the default
 * gateway's address and netmask are known, add a bypass for the gateway
 * address itself and then push blocking routes for the local subnet and
 * for every other subnet configured on the gateway interface. Nothing is
 * done when the remote host is itself on the local subnet, since blocking
 * would cut the tunnel's own transport. */
static void
add_block_local (struct route_list *rl)
{
    const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED);
    const struct route_gateway_info *rgi = &rl->rgi;
    int idx;

    if (!(rl->flags & RG_BLOCK_LOCAL)) {
        return;
    }
    if ((rgi->flags & rgi_needed) != rgi_needed) {
        return;
    }
    if (!(rl->spec.flags & RTSA_REMOTE_ENDPOINT)) {
        return;
    }
    if (rl->spec.remote_host_local == TLA_LOCAL) {
        return;
    }

    /* add bypass for gateway addr */
    add_bypass_address (&rl->spec.bypass, rgi->gateway.addr);

    /* block access to local subnet */
    add_block_local_item (rl, &rgi->gateway, rl->spec.remote_endpoint);

    /* process additional subnets on gateway interface */
    for (idx = 0; idx < rgi->n_addrs; ++idx) {
        const struct route_gateway_address *gwa = &rgi->addrs[idx];
        /* omit the addr/subnet in rl->rgi which we processed above */
        const bool already_done =
            (rgi->gateway.addr & rgi->gateway.netmask) == (gwa->addr & gwa->netmask)
            && rgi->gateway.netmask == gwa->netmask;

        if (!already_done) {
            add_block_local_item (rl, gwa, rl->spec.remote_endpoint);
        }
    }
}
568 init_route_list (struct route_list
*rl
,
569 const struct route_option_list
*opt
,
570 const char *remote_endpoint
,
572 in_addr_t remote_host
,
575 struct gc_arena gc
= gc_new ();
578 clear_route_list (rl
);
580 rl
->flags
= opt
->flags
;
584 rl
->spec
.remote_host
= remote_host
;
585 rl
->spec
.flags
|= RTSA_REMOTE_HOST
;
590 rl
->spec
.default_metric
= default_metric
;
591 rl
->spec
.flags
|= RTSA_DEFAULT_METRIC
;
594 get_default_gateway (&rl
->rgi
);
595 if (rl
->rgi
.flags
& RGI_ADDR_DEFINED
)
597 setenv_route_addr (es
, "net_gateway", rl
->rgi
.gateway
.addr
, -1);
598 #if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
599 print_default_gateway (D_ROUTE
, &rl
->rgi
);
604 dmsg (D_ROUTE
, "ROUTE: default_gateway=UNDEF");
607 if (rl
->spec
.flags
& RTSA_REMOTE_HOST
)
608 rl
->spec
.remote_host_local
= test_local_addr (remote_host
, &rl
->rgi
);
610 if (is_route_parm_defined (remote_endpoint
))
612 bool defined
= false;
613 rl
->spec
.remote_endpoint
= getaddr (
616 | GETADDR_WARN_ON_SIGNAL
,
624 setenv_route_addr (es
, "vpn_gateway", rl
->spec
.remote_endpoint
, -1);
625 rl
->spec
.flags
|= RTSA_REMOTE_ENDPOINT
;
629 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve default gateway: %s",
635 if (rl
->flags
& RG_ENABLE
)
637 add_block_local (rl
);
638 get_bypass_addresses (&rl
->spec
.bypass
, rl
->flags
);
640 print_bypass_addresses (&rl
->spec
.bypass
);
644 /* parse the routes from opt to rl */
649 for (i
= 0; i
< opt
->n
; ++i
)
651 struct addrinfo
* netlist
;
661 struct addrinfo
* curele
;
662 for (curele
= netlist
; curele
; curele
= curele
->ai_next
)
664 if (j
< rl
->capacity
)
666 r
.network
= ntohl(((struct sockaddr_in
*)(curele
)->ai_addr
)->sin_addr
.s_addr
);
673 msg (M_WARN
, PACKAGE_NAME
" ROUTE: routes dropped because number of expanded routes is greater than route list capacity (%d)", rl
->capacity
);
678 freeaddrinfo(netlist
);
689 init_route_ipv6_list (struct route_ipv6_list
*rl6
,
690 const struct route_ipv6_option_list
*opt6
,
691 const char *remote_endpoint
,
695 struct gc_arena gc
= gc_new ();
698 clear_route_ipv6_list (rl6
);
700 rl6
->flags
= opt6
->flags
;
702 if (default_metric
>= 0 )
704 rl6
->default_metric
= default_metric
;
705 rl6
->default_metric_defined
= true;
708 /* "default_gateway" is stuff for "redirect-gateway", which we don't
709 * do for IPv6 yet -> TODO
712 dmsg (D_ROUTE
, "ROUTE6: default_gateway=UNDEF");
715 if ( is_route_parm_defined( remote_endpoint
))
717 if ( inet_pton( AF_INET6
, remote_endpoint
,
718 &rl6
->remote_endpoint_ipv6
) == 1 )
720 rl6
->remote_endpoint_defined
= true;
724 msg (M_WARN
, PACKAGE_NAME
" ROUTE: failed to parse/resolve default gateway: %s", remote_endpoint
);
729 rl6
->remote_endpoint_defined
= false;
732 if (!(opt6
->n
>= 0 && opt6
->n
<= rl6
->capacity
))
733 msg (M_FATAL
, PACKAGE_NAME
" ROUTE6: (init) number of route options (%d) is greater than route list capacity (%d)", opt6
->n
, rl6
->capacity
);
735 /* parse the routes from opt to rl6 */
738 for (i
= 0; i
< opt6
->n
; ++i
)
740 if (!init_route_ipv6 (&rl6
->routes_ipv6
[j
],
741 &opt6
->routes_ipv6
[i
],
/* Convenience wrapper: build a single defined IPv4 route from its three
 * addresses and hand it to add_route(). @rgi may be NULL (see add_route). */
static void
add_route3 (in_addr_t network,
            in_addr_t netmask,
            in_addr_t gateway,
            const struct tuntap *tt,
            unsigned int flags,
            const struct route_gateway_info *rgi,
            const struct env_set *es)
{
    struct route_ipv4 tmp;

    memset (&tmp, 0, sizeof tmp);
    tmp.flags = RT_DEFINED;
    tmp.network = network;
    tmp.netmask = netmask;
    tmp.gateway = gateway;
    add_route (&tmp, tt, flags, rgi, es);
}
/* Convenience wrapper: build a single IPv4 route marked as already added
 * and hand it to delete_route(). Mirrors add_route3(). */
static void
del_route3 (in_addr_t network,
            in_addr_t netmask,
            in_addr_t gateway,
            const struct tuntap *tt,
            unsigned int flags,
            const struct route_gateway_info *rgi,
            const struct env_set *es)
{
    struct route_ipv4 tmp;

    memset (&tmp, 0, sizeof tmp);
    /* RT_ADDED tells delete_route() the route is present in the system */
    tmp.flags = RT_DEFINED|RT_ADDED;
    tmp.network = network;
    tmp.netmask = netmask;
    tmp.gateway = gateway;
    delete_route (&tmp, tt, flags, rgi, es);
}
/* Add a host (/32) route via the original default gateway @gateway for
 * every bypass address in @rb, so that traffic to those hosts (DHCP/DNS
 * servers) keeps flowing outside the tunnel after the default route is
 * redirected. ROUTE_REF_GW marks the routes as referencing that gateway. */
static void
add_bypass_routes (struct route_bypass *rb,
                   in_addr_t gateway,
                   const struct tuntap *tt,
                   unsigned int flags,
                   const struct route_gateway_info *rgi,
                   const struct env_set *es)
{
    const unsigned int gw_flags = flags | ROUTE_REF_GW;
    int idx;

    for (idx = 0; idx < rb->n_bypass; ++idx) {
        add_route3 (rb->bypass[idx], IPV4_NETMASK_HOST, gateway,
                    tt, gw_flags, rgi, es);
    }
}
/* Remove the host routes installed by add_bypass_routes(); must be called
 * with the same @gateway and @flags so the deletion matches. */
static void
del_bypass_routes (struct route_bypass *rb,
                   in_addr_t gateway,
                   const struct tuntap *tt,
                   unsigned int flags,
                   const struct route_gateway_info *rgi,
                   const struct env_set *es)
{
    const unsigned int gw_flags = flags | ROUTE_REF_GW;
    int idx;

    for (idx = 0; idx < rb->n_bypass; ++idx) {
        del_route3 (rb->bypass[idx], IPV4_NETMASK_HOST, gateway,
                    tt, gw_flags, rgi, es);
    }
}
835 redirect_default_route_to_vpn (struct route_list
*rl
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
837 const char err
[] = "NOTE: unable to redirect default gateway --";
839 if ( rl
&& rl
->flags
& RG_ENABLE
)
841 if (!(rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
))
843 msg (M_WARN
, "%s VPN gateway parameter (--route-gateway or --ifconfig) is missing", err
);
845 else if (!(rl
->rgi
.flags
& RGI_ADDR_DEFINED
))
847 msg (M_WARN
, "%s Cannot read current default gateway from system", err
);
849 else if (!(rl
->spec
.flags
& RTSA_REMOTE_HOST
))
851 msg (M_WARN
, "%s Cannot obtain current remote host address", err
);
855 bool local
= BOOL_CAST(rl
->flags
& RG_LOCAL
);
856 if (rl
->flags
& RG_AUTO_LOCAL
) {
857 const int tla
= rl
->spec
.remote_host_local
;
858 if (tla
== TLA_NONLOCAL
)
860 dmsg (D_ROUTE
, "ROUTE remote_host is NOT LOCAL");
863 else if (tla
== TLA_LOCAL
)
865 dmsg (D_ROUTE
, "ROUTE remote_host is LOCAL");
871 /* route remote host to original default gateway */
872 /* if remote_host is not ipv4 (ie: ipv6), just skip
873 * adding this special /32 route */
874 if (rl
->spec
.remote_host
!= IPV4_INVALID_ADDR
) {
875 add_route3 (rl
->spec
.remote_host
,
877 rl
->rgi
.gateway
.addr
,
879 flags
| ROUTE_REF_GW
,
882 rl
->iflags
|= RL_DID_LOCAL
;
884 dmsg (D_ROUTE
, "ROUTE remote_host protocol differs from tunneled");
888 /* route DHCP/DNS server traffic through original default gateway */
889 add_bypass_routes (&rl
->spec
.bypass
, rl
->rgi
.gateway
.addr
, tt
, flags
, &rl
->rgi
, es
);
891 if (rl
->flags
& RG_REROUTE_GW
)
893 if (rl
->flags
& RG_DEF1
)
895 /* add new default route (1st component) */
896 add_route3 (0x00000000,
898 rl
->spec
.remote_endpoint
,
904 /* add new default route (2nd component) */
905 add_route3 (0x80000000,
907 rl
->spec
.remote_endpoint
,
915 /* delete default route */
918 rl
->rgi
.gateway
.addr
,
920 flags
| ROUTE_REF_GW
,
924 /* add new default route */
927 rl
->spec
.remote_endpoint
,
935 /* set a flag so we can undo later */
936 rl
->iflags
|= RL_DID_REDIRECT_DEFAULT_GATEWAY
;
942 undo_redirect_default_route_to_vpn (struct route_list
*rl
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
944 if ( rl
&& rl
->iflags
& RL_DID_REDIRECT_DEFAULT_GATEWAY
)
946 /* delete remote host route */
947 if (rl
->iflags
& RL_DID_LOCAL
)
949 del_route3 (rl
->spec
.remote_host
,
951 rl
->rgi
.gateway
.addr
,
953 flags
| ROUTE_REF_GW
,
956 rl
->iflags
&= ~RL_DID_LOCAL
;
959 /* delete special DHCP/DNS bypass route */
960 del_bypass_routes (&rl
->spec
.bypass
, rl
->rgi
.gateway
.addr
, tt
, flags
, &rl
->rgi
, es
);
962 if (rl
->flags
& RG_REROUTE_GW
)
964 if (rl
->flags
& RG_DEF1
)
966 /* delete default route (1st component) */
967 del_route3 (0x00000000,
969 rl
->spec
.remote_endpoint
,
975 /* delete default route (2nd component) */
976 del_route3 (0x80000000,
978 rl
->spec
.remote_endpoint
,
986 /* delete default route */
989 rl
->spec
.remote_endpoint
,
995 /* restore original default route */
998 rl
->rgi
.gateway
.addr
,
1000 flags
| ROUTE_REF_GW
,
1006 rl
->iflags
&= ~RL_DID_REDIRECT_DEFAULT_GATEWAY
;
1011 add_routes (struct route_list
*rl
, struct route_ipv6_list
*rl6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1013 redirect_default_route_to_vpn (rl
, tt
, flags
, es
);
1014 if ( rl
&& !(rl
->iflags
& RL_ROUTES_ADDED
) )
1018 #ifdef ENABLE_MANAGEMENT
1019 if (management
&& rl
->n
)
1021 management_set_state (management
,
1022 OPENVPN_STATE_ADD_ROUTES
,
1029 for (i
= 0; i
< rl
->n
; ++i
)
1031 struct route_ipv4
*r
= &rl
->routes
[i
];
1032 check_subnet_conflict (r
->network
, r
->netmask
, "route");
1033 if (flags
& ROUTE_DELETE_FIRST
)
1034 delete_route (r
, tt
, flags
, &rl
->rgi
, es
);
1035 add_route (r
, tt
, flags
, &rl
->rgi
, es
);
1037 rl
->iflags
|= RL_ROUTES_ADDED
;
1039 if (rl6
&& !rl6
->routes_added
)
1043 for (i
= 0; i
< rl6
->n
; ++i
)
1045 struct route_ipv6
*r
= &rl6
->routes_ipv6
[i
];
1046 if (flags
& ROUTE_DELETE_FIRST
)
1047 delete_route_ipv6 (r
, tt
, flags
, es
);
1048 add_route_ipv6 (r
, tt
, flags
, es
);
1050 rl6
->routes_added
= true;
/* Tear down everything add_routes() installed: the IPv4 routes (in reverse
 * order of addition), the redirected default gateway, and the IPv6 routes.
 * Both list pointers may be NULL. After deletion the lists are cleared so
 * a later add_routes() starts from a clean state. */
void
delete_routes (struct route_list *rl, struct route_ipv6_list *rl6,
               const struct tuntap *tt, unsigned int flags, const struct env_set *es)
{
    int idx;

    if (rl && (rl->iflags & RL_ROUTES_ADDED)) {
        /* reverse order, so dependent routes go before the ones they use */
        for (idx = rl->n - 1; idx >= 0; --idx) {
            delete_route (&rl->routes[idx], tt, flags, &rl->rgi, es);
        }
        rl->iflags &= ~RL_ROUTES_ADDED;
    }

    undo_redirect_default_route_to_vpn (rl, tt, flags, es);

    if (rl) {
        clear_route_list (rl);
    }

    if (rl6 && rl6->routes_added) {
        for (idx = rl6->n - 1; idx >= 0; --idx) {
            const struct route_ipv6 *entry = &rl6->routes_ipv6[idx];
            delete_route_ipv6 (entry, tt, flags, es);
        }
        rl6->routes_added = false;
    }

    if (rl6) {
        clear_route_ipv6_list (rl6);
    }
}
1093 #ifndef ENABLE_SMALL
1096 show_opt (const char *option
)
/* Log one unresolved route option as " route net/mask/gw/metric", using
 * show_opt() to render each unset field. */
static void
print_route_option (const struct route_option *ro, int level)
{
    msg (level, " route %s/%s/%s/%s",
         show_opt (ro->network), show_opt (ro->netmask),
         show_opt (ro->gateway), show_opt (ro->metric));
}
/* Log the redirect-gateway setting (if enabled) followed by every route
 * option in @rol at log level @level. */
void
print_route_options (const struct route_option_list *rol,
                     int level)
{
    int idx;

    if (rol->flags & RG_ENABLE) {
        const int is_local = (rol->flags & RG_LOCAL) != 0;
        msg (level, " [redirect_default_gateway local=%d]", is_local);
    }
    for (idx = 0; idx < rol->n; ++idx) {
        print_route_option (&rol->routes[idx], level);
    }
}
/* Log the system default gateway discovered by get_default_gateway():
 * address (or ON_LINK), optional netmask, interface (adapter index on
 * Windows, name elsewhere) and hardware address, each only when the
 * corresponding RGI_*_DEFINED flag is set. Silent if no address is known. */
void
print_default_gateway(const int msglevel, const struct route_gateway_info *rgi)
{
    struct gc_arena gc = gc_new ();
    const unsigned int f = rgi->flags;

    if (f & RGI_ADDR_DEFINED) {
        struct buffer line = alloc_buf_gc (256, &gc);

        buf_printf (&line, "ROUTE_GATEWAY");
        if (f & RGI_ON_LINK) {
            buf_printf (&line, " ON_LINK");
        } else {
            buf_printf (&line, " %s", print_in_addr_t (rgi->gateway.addr, 0, &gc));
        }
        if (f & RGI_NETMASK_DEFINED) {
            buf_printf (&line, "/%s", print_in_addr_t (rgi->gateway.netmask, 0, &gc));
        }
#ifdef WIN32
        if (f & RGI_IFACE_DEFINED) {
            buf_printf (&line, " I=%u", (unsigned int)rgi->adapter_index);
        }
#else
        if (f & RGI_IFACE_DEFINED) {
            buf_printf (&line, " IFACE=%s", rgi->iface);
        }
#endif
        if (f & RGI_HWADDR_DEFINED) {
            buf_printf (&line, " HWADDR=%s", format_hex_ex (rgi->hwaddr, 6, 0, 1, ":", &gc));
        }
        msg (msglevel, "%s", BSTR (&line));
    }
    gc_free (&gc);
}
/* Log a single resolved IPv4 route; undefined entries are skipped. */
static void
print_route (const struct route_ipv4 *r, int level)
{
    struct gc_arena gc = gc_new ();

    if (r->flags & RT_DEFINED) {
        msg (level, "%s", route_string (r, &gc));
    }
    gc_free (&gc);
}
/* Log every resolved IPv4 route in @rl at log level @level. */
void
print_routes (const struct route_list *rl, int level)
{
    int idx;

    for (idx = 0; idx < rl->n; ++idx) {
        print_route (&rl->routes[idx], level);
    }
}
/* Export a resolved IPv4 route to the script environment as
 * route_network_<i>, route_netmask_<i>, route_gateway_<i> and, when a
 * metric is set, route_metric_<i>. Undefined routes export nothing. */
static void
setenv_route (struct env_set *es, const struct route_ipv4 *r, int i)
{
    struct gc_arena gc = gc_new ();

    if (r->flags & RT_DEFINED) {
        setenv_route_addr (es, "network", r->network, i);
        setenv_route_addr (es, "netmask", r->netmask, i);
        setenv_route_addr (es, "gateway", r->gateway, i);

        if (r->flags & RT_METRIC_DEFINED) {
            struct buffer var_name = alloc_buf_gc (256, &gc);
            buf_printf (&var_name, "route_metric_%d", i);
            setenv_int (es, BSTR (&var_name), r->metric);
        }
    }
    gc_free (&gc);
}
/* Export all IPv4 routes in @rl to the script environment; the exported
 * index is 1-based. */
void
setenv_routes (struct env_set *es, const struct route_list *rl)
{
    int idx;

    for (idx = 0; idx < rl->n; ++idx) {
        setenv_route (es, &rl->routes[idx], idx + 1);
    }
}
1202 setenv_route_ipv6 (struct env_set
*es
, const struct route_ipv6
*r6
, int i
)
1204 struct gc_arena gc
= gc_new ();
1207 struct buffer name1
= alloc_buf_gc( 256, &gc
);
1208 struct buffer val
= alloc_buf_gc( 256, &gc
);
1209 struct buffer name2
= alloc_buf_gc( 256, &gc
);
1211 buf_printf( &name1
, "route_ipv6_network_%d", i
);
1212 buf_printf( &val
, "%s/%d", print_in6_addr( r6
->network
, 0, &gc
),
1214 setenv_str( es
, BSTR(&name1
), BSTR(&val
) );
1216 buf_printf( &name2
, "route_ipv6_gateway_%d", i
);
1217 setenv_str( es
, BSTR(&name2
), print_in6_addr( r6
->gateway
, 0, &gc
));
/* Export all IPv6 routes in @rl6 to the script environment; the exported
 * index is 1-based, matching setenv_routes(). */
void
setenv_routes_ipv6 (struct env_set *es, const struct route_ipv6_list *rl6)
{
    int idx;

    for (idx = 0; idx < rl6->n; ++idx) {
        setenv_route_ipv6 (es, &rl6->routes_ipv6[idx], idx + 1);
    }
}
1230 * local_route() determines whether the gateway of a provided host
1231 * route is on the same interface that owns the default gateway.
1232 * It uses the data structure
1233 * returned by get_default_gateway() (struct route_gateway_info)
1234 * to determine this. If the route is local, LR_MATCH is returned.
1235 * When adding routes into the kernel, if LR_MATCH is defined for
1236 * a given route, the route should explicitly reference the default
1237 * gateway interface as the route destination. For example, here
1238 * is an example on Linux that uses LR_MATCH:
1240 * route add -net 10.10.0.1 netmask 255.255.255.255 dev eth0
1242 * This capability is needed by the "default-gateway block-local"
1243 * directive, to allow client access to the local subnet to be
1244 * blocked but still allow access to the local default gateway.
1247 /* local_route() return values */
1248 #define LR_NOMATCH 0 /* route is not local */
1249 #define LR_MATCH 1 /* route is local */
1250 #define LR_ERROR 2 /* caller should abort adding route */
/* Classify a route as local (LR_MATCH) when it is a host route (/32) whose
 * gateway is the system default gateway and whose destination lies in the
 * default gateway's subnet or in any additional subnet of that interface;
 * otherwise LR_NOMATCH. Requires address, netmask and interface of the
 * default gateway to be known. LR_ERROR is never produced here. */
static int
local_route (in_addr_t network,
             in_addr_t netmask,
             in_addr_t gateway,
             const struct route_gateway_info *rgi)
{
    /* set LR_MATCH on local host routes */
    const int rgi_needed = (RGI_ADDR_DEFINED|RGI_NETMASK_DEFINED|RGI_IFACE_DEFINED);
    int idx;

    if (!rgi) {
        return LR_NOMATCH;
    }
    if ((rgi->flags & rgi_needed) != rgi_needed) {
        return LR_NOMATCH;
    }
    if (gateway != rgi->gateway.addr || netmask != 0xFFFFFFFF) {
        return LR_NOMATCH;
    }

    /* destination inside the default gateway's own subnet? */
    if (((network ^ rgi->gateway.addr) & rgi->gateway.netmask) == 0) {
        return LR_MATCH;
    }

    /* examine additional subnets on gateway interface */
    for (idx = 0; idx < rgi->n_addrs; ++idx) {
        const struct route_gateway_address *gwa = &rgi->addrs[idx];
        if (((network ^ gwa->addr) & gwa->netmask) == 0) {
            return LR_MATCH;
        }
    }
    return LR_NOMATCH;
}
/* Return true if the "on-link" form of the route should be used, i.e. the
 * route's gateway is expressed as an interface rather than an address.
 * That is the case for routes local_route() classified as LR_MATCH, and for
 * routes that reference the default gateway (ROUTE_REF_GW) when that
 * gateway is itself on-link. Requires a non-NULL @rgi. */
static inline bool
is_on_link (const int is_local_route, const unsigned int flags, const struct route_gateway_info *rgi)
{
    bool ref_gw_on_link;

    if (!rgi) {
        return false;
    }
    if (is_local_route == LR_MATCH) {
        return true;
    }
    ref_gw_on_link = (flags & ROUTE_REF_GW) && (rgi->flags & RGI_ON_LINK);
    return ref_gw_on_link;
}
1291 add_route (struct route_ipv4
*r
,
1292 const struct tuntap
*tt
,
1294 const struct route_gateway_info
*rgi
, /* may be NULL */
1295 const struct env_set
*es
)
1299 const char *network
;
1300 const char *netmask
;
1301 const char *gateway
;
1302 bool status
= false;
1305 if (!(r
->flags
& RT_DEFINED
))
1311 network
= print_in_addr_t (r
->network
, 0, &gc
);
1312 netmask
= print_in_addr_t (r
->netmask
, 0, &gc
);
1313 gateway
= print_in_addr_t (r
->gateway
, 0, &gc
);
1315 is_local_route
= local_route(r
->network
, r
->netmask
, r
->gateway
, rgi
);
1316 if (is_local_route
== LR_ERROR
)
1319 #if defined(TARGET_LINUX)
1320 #ifdef ENABLE_IPROUTE
1321 argv_printf (&argv
, "%s route add %s/%d",
1324 count_netmask_bits(netmask
));
1326 if (r
->flags
& RT_METRIC_DEFINED
)
1327 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1329 if (is_on_link (is_local_route
, flags
, rgi
))
1330 argv_printf_cat (&argv
, "dev %s", rgi
->iface
);
1332 argv_printf_cat (&argv
, "via %s", gateway
);
1334 argv_printf (&argv
, "%s add -net %s netmask %s",
1338 if (r
->flags
& RT_METRIC_DEFINED
)
1339 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1340 if (is_on_link (is_local_route
, flags
, rgi
))
1341 argv_printf_cat (&argv
, "dev %s", rgi
->iface
);
1343 argv_printf_cat (&argv
, "gw %s", gateway
);
1345 #endif /*ENABLE_IPROUTE*/
1346 argv_msg (D_ROUTE
, &argv
);
1347 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route add command failed");
1349 #elif defined (WIN32)
1351 DWORD ai
= TUN_ADAPTER_INDEX_INVALID
;
1352 argv_printf (&argv
, "%s%sc ADD %s MASK %s %s",
1354 WIN_ROUTE_PATH_SUFFIX
,
1358 if (r
->flags
& RT_METRIC_DEFINED
)
1359 argv_printf_cat (&argv
, "METRIC %d", r
->metric
);
1360 if (is_on_link (is_local_route
, flags
, rgi
))
1362 ai
= rgi
->adapter_index
;
1363 argv_printf_cat (&argv
, "IF %u", (unsigned int)ai
);
1366 argv_msg (D_ROUTE
, &argv
);
1368 if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_IPAPI
)
1370 status
= add_route_ipapi (r
, tt
, ai
);
1371 msg (D_ROUTE
, "Route addition via IPAPI %s", status
? "succeeded" : "failed");
1373 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_EXE
)
1375 netcmd_semaphore_lock ();
1376 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add command failed");
1377 netcmd_semaphore_release ();
1379 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_ADAPTIVE
)
1381 status
= add_route_ipapi (r
, tt
, ai
);
1382 msg (D_ROUTE
, "Route addition via IPAPI %s [adaptive]", status
? "succeeded" : "failed");
1385 msg (D_ROUTE
, "Route addition fallback to route.exe");
1386 netcmd_semaphore_lock ();
1387 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add command failed [adaptive]");
1388 netcmd_semaphore_release ();
1397 #elif defined (TARGET_SOLARIS)
1399 /* example: route add 192.0.2.32 -netmask 255.255.255.224 somegateway */
1401 argv_printf (&argv
, "%s add",
1404 argv_printf_cat (&argv
, "%s -netmask %s %s",
1409 /* Solaris can only distinguish between "metric 0" == "on-link on the
1410 * interface where the IP address given is configured" and "metric > 0"
1411 * == "use gateway specified" (no finer-grained route metrics available)
1413 * More recent versions of Solaris can also do "-interface", but that
1414 * would break backwards compatibility with older versions for no gain.
1416 if (r
->flags
& RT_METRIC_DEFINED
)
1417 argv_printf_cat (&argv
, "%d", r
->metric
);
1419 argv_msg (D_ROUTE
, &argv
);
1420 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route add command failed");
1422 #elif defined(TARGET_FREEBSD)
1424 argv_printf (&argv
, "%s add",
1428 if (r
->flags
& RT_METRIC_DEFINED
)
1429 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1432 argv_printf_cat (&argv
, "-net %s %s %s",
1437 /* FIXME -- add on-link support for FreeBSD */
1439 argv_msg (D_ROUTE
, &argv
);
1440 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: FreeBSD route add command failed");
1442 #elif defined(TARGET_DRAGONFLY)
1444 argv_printf (&argv
, "%s add",
1448 if (r
->flags
& RT_METRIC_DEFINED
)
1449 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1452 argv_printf_cat (&argv
, "-net %s %s %s",
1457 /* FIXME -- add on-link support for Dragonfly */
1459 argv_msg (D_ROUTE
, &argv
);
1460 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: DragonFly route add command failed");
1462 #elif defined(TARGET_DARWIN)
1464 argv_printf (&argv
, "%s add",
1468 if (r
->flags
& RT_METRIC_DEFINED
)
1469 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1472 if (is_on_link (is_local_route
, flags
, rgi
))
1474 /* Mac OS X route syntax for ON_LINK:
1475 route add -cloning -net 10.10.0.1 -netmask 255.255.255.255 -interface en0 */
1476 argv_printf_cat (&argv
, "-cloning -net %s -netmask %s -interface %s",
1483 argv_printf_cat (&argv
, "-net %s %s %s",
1489 argv_msg (D_ROUTE
, &argv
);
1490 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OS X route add command failed");
1492 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1494 argv_printf (&argv
, "%s add",
1498 if (r
->flags
& RT_METRIC_DEFINED
)
1499 argv_printf_cat (&argv
, "-rtt %d", r
->metric
);
1502 argv_printf_cat (&argv
, "-net %s %s -netmask %s",
1507 /* FIXME -- add on-link support for OpenBSD/NetBSD */
1509 argv_msg (D_ROUTE
, &argv
);
1510 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD/NetBSD route add command failed");
1513 msg (M_FATAL
, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1518 r
->flags
|= RT_ADDED
;
1520 r
->flags
&= ~RT_ADDED
;
1527 print_in6_addr_netbits_only( struct in6_addr network_copy
, int netbits
,
1528 struct gc_arena
* gc
)
1530 /* clear host bit parts of route
1531 * (needed if routes are specified improperly, or if we need to
1532 * explicitely setup/clear the "connected" network routes on some OSes)
1535 int bits_to_clear
= 128 - netbits
;
1537 while( byte
>= 0 && bits_to_clear
> 0 )
1539 if ( bits_to_clear
>= 8 )
1540 { network_copy
.s6_addr
[byte
--] = 0; bits_to_clear
-= 8; }
1542 { network_copy
.s6_addr
[byte
--] &= (0xff << bits_to_clear
); bits_to_clear
= 0; }
1545 return print_in6_addr( network_copy
, 0, gc
);
1549 add_route_ipv6 (struct route_ipv6
*r6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1554 const char *network
;
1555 const char *gateway
;
1556 bool status
= false;
1557 const char *device
= tt
->actual_name
;
1559 bool gateway_needed
= false;
1567 network
= print_in6_addr_netbits_only( r6
->network
, r6
->netbits
, &gc
);
1568 gateway
= print_in6_addr( r6
->gateway
, 0, &gc
);
1572 msg( M_INFO
, "add_route_ipv6(): not adding %s/%d, no IPv6 on if %s",
1573 network
, r6
->netbits
, device
);
1577 msg( M_INFO
, "add_route_ipv6(%s/%d -> %s metric %d) dev %s",
1578 network
, r6
->netbits
, gateway
, r6
->metric
, device
);
1581 * Filter out routes which are essentially no-ops
1582 * (not currently done for IPv6)
1585 /* On "tun" interface, we never set a gateway if the operating system
1586 * can do "route to interface" - it does not add value, as the target
1587 * dev already fully qualifies the route destination on point-to-point
1588 * interfaces. OTOH, on "tap" interface, we must always set the
1589 * gateway unless the route is to be an on-link network
1591 if ( tt
->type
== DEV_TYPE_TAP
&&
1592 !(r6
->metric_defined
&& r6
->metric
== 0 ) )
1594 gateway_needed
= true;
1597 #if defined(TARGET_LINUX)
1598 #ifdef ENABLE_IPROUTE
1599 argv_printf (&argv
, "%s -6 route add %s/%d dev %s",
1605 argv_printf_cat (&argv
, "via %s", gateway
);
1606 if (r6
->metric_defined
&& r6
->metric
> 0 )
1607 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1610 argv_printf (&argv
, "%s -A inet6 add %s/%d dev %s",
1616 argv_printf_cat (&argv
, "gw %s", gateway
);
1617 if (r6
->metric_defined
&& r6
->metric
> 0 )
1618 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1619 #endif /*ENABLE_IPROUTE*/
1620 argv_msg (D_ROUTE
, &argv
);
1621 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route -6/-A inet6 add command failed");
1623 #elif defined (WIN32)
1625 /* netsh interface ipv6 add route 2001:db8::/32 MyTunDevice */
1626 argv_printf (&argv
, "%s%sc interface ipv6 add route %s/%d %s",
1633 /* next-hop depends on TUN or TAP mode:
1634 * - in TAP mode, we use the "real" next-hop
1635 * - in TUN mode we use a special-case link-local address that the tapdrvr
1636 * knows about and will answer ND (neighbor discovery) packets for
1638 if ( tt
->type
== DEV_TYPE_TUN
)
1639 argv_printf_cat( &argv
, " %s", "fe80::8" );
1641 argv_printf_cat( &argv
, " %s", gateway
);
1644 if (r
->metric_defined
)
1645 argv_printf_cat (&argv
, " METRIC %d", r
->metric
);
1648 /* in some versions of Windows, routes are persistent across reboots by
1649 * default, unless "store=active" is set (pointed out by Tony Lim, thanks)
1651 argv_printf_cat( &argv
, " store=active" );
1653 argv_msg (D_ROUTE
, &argv
);
1655 netcmd_semaphore_lock ();
1656 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route add ipv6 command failed");
1657 netcmd_semaphore_release ();
1659 #elif defined (TARGET_SOLARIS)
1661 /* example: route add -inet6 2001:db8::/32 somegateway 0 */
1663 /* for some weird reason, this does not work for me unless I set
1664 * "metric 0" - otherwise, the routes will be nicely installed, but
1665 * packets will just disappear somewhere. So we use "0" now...
1668 argv_printf (&argv
, "%s add -inet6 %s/%d %s 0",
1674 argv_msg (D_ROUTE
, &argv
);
1675 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route add -inet6 command failed");
1677 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
1679 argv_printf (&argv
, "%s add -inet6 %s/%d",
1685 argv_printf_cat (&argv
, "%s", gateway
);
1687 argv_printf_cat (&argv
, "-iface %s", device
);
1689 argv_msg (D_ROUTE
, &argv
);
1690 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: *BSD route add -inet6 command failed");
1692 #elif defined(TARGET_DARWIN)
1694 argv_printf (&argv
, "%s add -inet6 %s -prefixlen %d",
1696 network
, r6
->netbits
);
1699 argv_printf_cat (&argv
, "%s", gateway
);
1701 argv_printf_cat (&argv
, "-iface %s", device
);
1703 argv_msg (D_ROUTE
, &argv
);
1704 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: MacOS X route add -inet6 command failed");
1706 #elif defined(TARGET_OPENBSD)
1708 argv_printf (&argv
, "%s add -inet6 %s -prefixlen %d %s",
1710 network
, r6
->netbits
, gateway
);
1712 argv_msg (D_ROUTE
, &argv
);
1713 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD route add -inet6 command failed");
1715 #elif defined(TARGET_NETBSD)
1717 argv_printf (&argv
, "%s add -inet6 %s/%d %s",
1719 network
, r6
->netbits
, gateway
);
1721 argv_msg (D_ROUTE
, &argv
);
1722 status
= openvpn_execve_check (&argv
, es
, 0, "ERROR: NetBSD route add -inet6 command failed");
1725 msg (M_FATAL
, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-up script");
1728 r6
->defined
= status
;
1734 delete_route (struct route_ipv4
*r
,
1735 const struct tuntap
*tt
,
1737 const struct route_gateway_info
*rgi
,
1738 const struct env_set
*es
)
1742 const char *network
;
1743 const char *netmask
;
1744 const char *gateway
;
1747 if ((r
->flags
& (RT_DEFINED
|RT_ADDED
)) != (RT_DEFINED
|RT_ADDED
))
1753 network
= print_in_addr_t (r
->network
, 0, &gc
);
1754 netmask
= print_in_addr_t (r
->netmask
, 0, &gc
);
1755 gateway
= print_in_addr_t (r
->gateway
, 0, &gc
);
1757 is_local_route
= local_route(r
->network
, r
->netmask
, r
->gateway
, rgi
);
1758 if (is_local_route
== LR_ERROR
)
1761 #if defined(TARGET_LINUX)
1762 #ifdef ENABLE_IPROUTE
1763 argv_printf (&argv
, "%s route del %s/%d",
1766 count_netmask_bits(netmask
));
1768 argv_printf (&argv
, "%s del -net %s netmask %s",
1772 #endif /*ENABLE_IPROUTE*/
1773 if (r
->flags
& RT_METRIC_DEFINED
)
1774 argv_printf_cat (&argv
, "metric %d", r
->metric
);
1775 argv_msg (D_ROUTE
, &argv
);
1776 openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route delete command failed");
1778 #elif defined (WIN32)
1780 argv_printf (&argv
, "%s%sc DELETE %s MASK %s %s",
1782 WIN_ROUTE_PATH_SUFFIX
,
1787 argv_msg (D_ROUTE
, &argv
);
1789 if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_IPAPI
)
1791 const bool status
= del_route_ipapi (r
, tt
);
1792 msg (D_ROUTE
, "Route deletion via IPAPI %s", status
? "succeeded" : "failed");
1794 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_EXE
)
1796 netcmd_semaphore_lock ();
1797 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route delete command failed");
1798 netcmd_semaphore_release ();
1800 else if ((flags
& ROUTE_METHOD_MASK
) == ROUTE_METHOD_ADAPTIVE
)
1802 const bool status
= del_route_ipapi (r
, tt
);
1803 msg (D_ROUTE
, "Route deletion via IPAPI %s [adaptive]", status
? "succeeded" : "failed");
1806 msg (D_ROUTE
, "Route deletion fallback to route.exe");
1807 netcmd_semaphore_lock ();
1808 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route delete command failed [adaptive]");
1809 netcmd_semaphore_release ();
1817 #elif defined (TARGET_SOLARIS)
1819 argv_printf (&argv
, "%s delete %s -netmask %s %s",
1825 argv_msg (D_ROUTE
, &argv
);
1826 openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route delete command failed");
1828 #elif defined(TARGET_FREEBSD)
1830 argv_printf (&argv
, "%s delete -net %s %s %s",
1836 argv_msg (D_ROUTE
, &argv
);
1837 openvpn_execve_check (&argv
, es
, 0, "ERROR: FreeBSD route delete command failed");
1839 #elif defined(TARGET_DRAGONFLY)
1841 argv_printf (&argv
, "%s delete -net %s %s %s",
1847 argv_msg (D_ROUTE
, &argv
);
1848 openvpn_execve_check (&argv
, es
, 0, "ERROR: DragonFly route delete command failed");
1850 #elif defined(TARGET_DARWIN)
1852 if (is_on_link (is_local_route
, flags
, rgi
))
1854 argv_printf (&argv
, "%s delete -cloning -net %s -netmask %s -interface %s",
1862 argv_printf (&argv
, "%s delete -net %s %s %s",
1869 argv_msg (D_ROUTE
, &argv
);
1870 openvpn_execve_check (&argv
, es
, 0, "ERROR: OS X route delete command failed");
1872 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
1874 argv_printf (&argv
, "%s delete -net %s %s -netmask %s",
1880 argv_msg (D_ROUTE
, &argv
);
1881 openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD/NetBSD route delete command failed");
1884 msg (M_FATAL
, "Sorry, but I don't know how to do 'route' commands on this operating system. Try putting your routes in a --route-up script");
1888 r
->flags
&= ~RT_ADDED
;
1894 delete_route_ipv6 (const struct route_ipv6
*r6
, const struct tuntap
*tt
, unsigned int flags
, const struct env_set
*es
)
1898 const char *network
;
1899 const char *gateway
;
1900 const char *device
= tt
->actual_name
;
1901 bool gateway_needed
= false;
1909 network
= print_in6_addr_netbits_only( r6
->network
, r6
->netbits
, &gc
);
1910 gateway
= print_in6_addr( r6
->gateway
, 0, &gc
);
1914 msg( M_INFO
, "delete_route_ipv6(): not deleting %s/%d, no IPv6 on if %s",
1915 network
, r6
->netbits
, device
);
1919 msg( M_INFO
, "delete_route_ipv6(%s/%d)", network
, r6
->netbits
);
1921 /* if we used a gateway on "add route", we also need to specify it on
1922 * delete, otherwise some OSes will refuse to delete the route
1924 if ( tt
->type
== DEV_TYPE_TAP
&&
1925 !(r6
->metric_defined
&& r6
->metric
== 0 ) )
1927 gateway_needed
= true;
1931 #if defined(TARGET_LINUX)
1932 #ifdef ENABLE_IPROUTE
1933 argv_printf (&argv
, "%s -6 route del %s/%d dev %s",
1939 argv_printf_cat (&argv
, "via %s", gateway
);
1941 argv_printf (&argv
, "%s -A inet6 del %s/%d dev %s",
1947 argv_printf_cat (&argv
, "gw %s", gateway
);
1948 if (r6
->metric_defined
&& r6
->metric
> 0 )
1949 argv_printf_cat (&argv
, " metric %d", r6
->metric
);
1950 #endif /*ENABLE_IPROUTE*/
1951 argv_msg (D_ROUTE
, &argv
);
1952 openvpn_execve_check (&argv
, es
, 0, "ERROR: Linux route -6/-A inet6 del command failed");
1954 #elif defined (WIN32)
1956 /* netsh interface ipv6 delete route 2001:db8::/32 MyTunDevice */
1957 argv_printf (&argv
, "%s%sc interface ipv6 delete route %s/%d %s",
1964 /* next-hop depends on TUN or TAP mode:
1965 * - in TAP mode, we use the "real" next-hop
1966 * - in TUN mode we use a special-case link-local address that the tapdrvr
1967 * knows about and will answer ND (neighbor discovery) packets for
1968 * (and "route deletion without specifying next-hop" does not work...)
1970 if ( tt
->type
== DEV_TYPE_TUN
)
1971 argv_printf_cat( &argv
, " %s", "fe80::8" );
1973 argv_printf_cat( &argv
, " %s", gateway
);
1976 if (r
->metric_defined
)
1977 argv_printf_cat (&argv
, "METRIC %d", r
->metric
);
1980 /* Windows XP to 7 "just delete" routes, wherever they came from, but
1981 * in Windows 8(.1?), if you create them with "store=active", this is
1982 * how you should delete them as well (pointed out by Cedric Tabary)
1984 argv_printf_cat( &argv
, " store=active" );
1986 argv_msg (D_ROUTE
, &argv
);
1988 netcmd_semaphore_lock ();
1989 openvpn_execve_check (&argv
, es
, 0, "ERROR: Windows route delete ipv6 command failed");
1990 netcmd_semaphore_release ();
1992 #elif defined (TARGET_SOLARIS)
1994 /* example: route delete -inet6 2001:db8::/32 somegateway */
1995 /* GERT-TODO: this is untested, but should work */
1997 argv_printf (&argv
, "%s delete -inet6 %s/%d %s",
2003 argv_msg (D_ROUTE
, &argv
);
2004 openvpn_execve_check (&argv
, es
, 0, "ERROR: Solaris route delete -inet6 command failed");
2006 #elif defined(TARGET_FREEBSD) || defined(TARGET_DRAGONFLY)
2008 argv_printf (&argv
, "%s delete -inet6 %s/%d",
2014 argv_printf_cat (&argv
, "%s", gateway
);
2016 argv_printf_cat (&argv
, "-iface %s", device
);
2018 argv_msg (D_ROUTE
, &argv
);
2019 openvpn_execve_check (&argv
, es
, 0, "ERROR: *BSD route delete -inet6 command failed");
2021 #elif defined(TARGET_DARWIN)
2023 argv_printf (&argv
, "%s delete -inet6 %s -prefixlen %d",
2025 network
, r6
->netbits
);
2028 argv_printf_cat (&argv
, "%s", gateway
);
2030 argv_printf_cat (&argv
, "-iface %s", device
);
2032 argv_msg (D_ROUTE
, &argv
);
2033 openvpn_execve_check (&argv
, es
, 0, "ERROR: MacOS X route delete -inet6 command failed");
2035 #elif defined(TARGET_OPENBSD)
2037 argv_printf (&argv
, "%s delete -inet6 %s -prefixlen %d %s",
2039 network
, r6
->netbits
, gateway
);
2041 argv_msg (D_ROUTE
, &argv
);
2042 openvpn_execve_check (&argv
, es
, 0, "ERROR: OpenBSD route delete -inet6 command failed");
2044 #elif defined(TARGET_NETBSD)
2046 argv_printf (&argv
, "%s delete -inet6 %s/%d %s",
2048 network
, r6
->netbits
, gateway
);
2050 argv_msg (D_ROUTE
, &argv
);
2051 openvpn_execve_check (&argv
, es
, 0, "ERROR: NetBSD route delete -inet6 command failed");
2054 msg (M_FATAL
, "Sorry, but I don't know how to do 'route ipv6' commands on this operating system. Try putting your routes in a --route-down script");
2062 * The --redirect-gateway option requires OS-specific code below
2063 * to get the current default gateway.
2068 static const MIB_IPFORWARDTABLE
*
2069 get_windows_routing_table (struct gc_arena
*gc
)
2072 PMIB_IPFORWARDTABLE rt
= NULL
;
2075 status
= GetIpForwardTable (NULL
, &size
, TRUE
);
2076 if (status
== ERROR_INSUFFICIENT_BUFFER
)
2078 rt
= (PMIB_IPFORWARDTABLE
) gc_malloc (size
, false, gc
);
2079 status
= GetIpForwardTable (rt
, &size
, TRUE
);
2080 if (status
!= NO_ERROR
)
2082 msg (D_ROUTE
, "NOTE: GetIpForwardTable returned error: %s (code=%u)",
2083 strerror_win32 (status
, gc
),
2084 (unsigned int)status
);
2092 test_route (const IP_ADAPTER_INFO
*adapters
,
2093 const in_addr_t gateway
,
2097 DWORD i
= adapter_index_of_ip (adapters
, gateway
, &count
, NULL
);
2104 test_route_helper (bool *ret
,
2108 const IP_ADAPTER_INFO
*adapters
,
2109 const in_addr_t gateway
)
2114 c
= test_route (adapters
, gateway
, NULL
);
2124 * If we tried to add routes now, would we succeed?
2127 test_routes (const struct route_list
*rl
, const struct tuntap
*tt
)
2129 struct gc_arena gc
= gc_new ();
2130 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2135 bool adapter_up
= false;
2137 if (is_adapter_up (tt
, adapters
))
2145 for (i
= 0; i
< rl
->n
; ++i
)
2146 test_route_helper (&ret
, &count
, &good
, &ambig
, adapters
, rl
->routes
[i
].gateway
);
2148 if ((rl
->flags
& RG_ENABLE
) && (rl
->spec
.flags
& RTSA_REMOTE_ENDPOINT
))
2149 test_route_helper (&ret
, &count
, &good
, &ambig
, adapters
, rl
->spec
.remote_endpoint
);
2153 msg (D_ROUTE
, "TEST ROUTES: %d/%d succeeded len=%d ret=%d a=%d u/d=%s",
2159 adapter_up
? "up" : "down");
2165 static const MIB_IPFORWARDROW
*
2166 get_default_gateway_row (const MIB_IPFORWARDTABLE
*routes
)
2168 struct gc_arena gc
= gc_new ();
2169 DWORD lowest_metric
= MAXDWORD
;
2170 const MIB_IPFORWARDROW
*ret
= NULL
;
2176 for (i
= 0; i
< routes
->dwNumEntries
; ++i
)
2178 const MIB_IPFORWARDROW
*row
= &routes
->table
[i
];
2179 const in_addr_t net
= ntohl (row
->dwForwardDest
);
2180 const in_addr_t mask
= ntohl (row
->dwForwardMask
);
2181 const DWORD index
= row
->dwForwardIfIndex
;
2182 const DWORD metric
= row
->dwForwardMetric1
;
2184 dmsg (D_ROUTE_DEBUG
, "GDGR: route[%d] %s/%s i=%d m=%d",
2186 print_in_addr_t ((in_addr_t
) net
, 0, &gc
),
2187 print_in_addr_t ((in_addr_t
) mask
, 0, &gc
),
2191 if (!net
&& !mask
&& metric
< lowest_metric
)
2194 lowest_metric
= metric
;
2200 dmsg (D_ROUTE_DEBUG
, "GDGR: best=%d lm=%u", best
, (unsigned int)lowest_metric
);
2207 get_default_gateway (struct route_gateway_info
*rgi
)
2209 struct gc_arena gc
= gc_new ();
2211 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2212 const MIB_IPFORWARDTABLE
*routes
= get_windows_routing_table (&gc
);
2213 const MIB_IPFORWARDROW
*row
= get_default_gateway_row (routes
);
2215 const IP_ADAPTER_INFO
*ai
;
2221 rgi
->gateway
.addr
= ntohl (row
->dwForwardNextHop
);
2222 if (rgi
->gateway
.addr
)
2224 rgi
->flags
|= RGI_ADDR_DEFINED
;
2225 a_index
= adapter_index_of_ip (adapters
, rgi
->gateway
.addr
, NULL
, &rgi
->gateway
.netmask
);
2226 if (a_index
!= TUN_ADAPTER_INDEX_INVALID
)
2228 rgi
->adapter_index
= a_index
;
2229 rgi
->flags
|= (RGI_IFACE_DEFINED
|RGI_NETMASK_DEFINED
);
2230 ai
= get_adapter (adapters
, a_index
);
2233 memcpy (rgi
->hwaddr
, ai
->Address
, 6);
2234 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2244 windows_route_find_if_index (const struct route_ipv4
*r
, const struct tuntap
*tt
)
2246 struct gc_arena gc
= gc_new ();
2247 DWORD ret
= TUN_ADAPTER_INDEX_INVALID
;
2249 const IP_ADAPTER_INFO
*adapters
= get_adapter_info_list (&gc
);
2250 const IP_ADAPTER_INFO
*tun_adapter
= get_tun_adapter (tt
, adapters
);
2251 bool on_tun
= false;
2253 /* first test on tun interface */
2254 if (is_ip_in_adapter_subnet (tun_adapter
, r
->gateway
, NULL
))
2256 ret
= tun_adapter
->Index
;
2260 else /* test on other interfaces */
2262 count
= test_route (adapters
, r
->gateway
, &ret
);
2267 msg (M_WARN
, "Warning: route gateway is not reachable on any active network adapters: %s",
2268 print_in_addr_t (r
->gateway
, 0, &gc
));
2269 ret
= TUN_ADAPTER_INDEX_INVALID
;
2273 msg (M_WARN
, "Warning: route gateway is ambiguous: %s (%d matches)",
2274 print_in_addr_t (r
->gateway
, 0, &gc
),
2276 ret
= TUN_ADAPTER_INDEX_INVALID
;
2279 dmsg (D_ROUTE_DEBUG
, "DEBUG: route find if: on_tun=%d count=%d index=%d",
2289 add_route_ipapi (const struct route_ipv4
*r
, const struct tuntap
*tt
, DWORD adapter_index
)
2291 struct gc_arena gc
= gc_new ();
2294 const DWORD if_index
= (adapter_index
== TUN_ADAPTER_INDEX_INVALID
) ? windows_route_find_if_index (r
, tt
) : adapter_index
;
2296 if (if_index
!= TUN_ADAPTER_INDEX_INVALID
)
2298 MIB_IPFORWARDROW fr
;
2300 fr
.dwForwardDest
= htonl (r
->network
);
2301 fr
.dwForwardMask
= htonl (r
->netmask
);
2302 fr
.dwForwardPolicy
= 0;
2303 fr
.dwForwardNextHop
= htonl (r
->gateway
);
2304 fr
.dwForwardIfIndex
= if_index
;
2305 fr
.dwForwardType
= 4; /* the next hop is not the final dest */
2306 fr
.dwForwardProto
= 3; /* PROTO_IP_NETMGMT */
2307 fr
.dwForwardAge
= 0;
2308 fr
.dwForwardNextHopAS
= 0;
2309 fr
.dwForwardMetric1
= (r
->flags
& RT_METRIC_DEFINED
) ? r
->metric
: 1;
2310 fr
.dwForwardMetric2
= METRIC_NOT_USED
;
2311 fr
.dwForwardMetric3
= METRIC_NOT_USED
;
2312 fr
.dwForwardMetric4
= METRIC_NOT_USED
;
2313 fr
.dwForwardMetric5
= METRIC_NOT_USED
;
2315 if ((r
->network
& r
->netmask
) != r
->network
)
2316 msg (M_WARN
, "Warning: address %s is not a network address in relation to netmask %s",
2317 print_in_addr_t (r
->network
, 0, &gc
),
2318 print_in_addr_t (r
->netmask
, 0, &gc
));
2320 status
= CreateIpForwardEntry (&fr
);
2322 if (status
== NO_ERROR
)
2326 /* failed, try increasing the metric to work around Vista issue */
2327 const unsigned int forward_metric_limit
= 2048; /* iteratively retry higher metrics up to this limit */
2329 for ( ; fr
.dwForwardMetric1
<= forward_metric_limit
; ++fr
.dwForwardMetric1
)
2331 /* try a different forward type=3 ("the next hop is the final dest") in addition to 4.
2332 --redirect-gateway over RRAS seems to need this. */
2333 for (fr
.dwForwardType
= 4; fr
.dwForwardType
>= 3; --fr
.dwForwardType
)
2335 status
= CreateIpForwardEntry (&fr
);
2336 if (status
== NO_ERROR
)
2338 msg (D_ROUTE
, "ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=%u and dwForwardType=%u",
2339 (unsigned int)fr
.dwForwardMetric1
,
2340 (unsigned int)fr
.dwForwardType
);
2344 else if (status
!= ERROR_BAD_ARGUMENTS
)
2350 if (status
!= NO_ERROR
)
2351 msg (M_WARN
, "ROUTE: route addition failed using CreateIpForwardEntry: %s [status=%u if_index=%u]",
2352 strerror_win32 (status
, &gc
),
2353 (unsigned int)status
,
2354 (unsigned int)if_index
);
2363 del_route_ipapi (const struct route_ipv4
*r
, const struct tuntap
*tt
)
2365 struct gc_arena gc
= gc_new ();
2368 const DWORD if_index
= windows_route_find_if_index (r
, tt
);
2370 if (if_index
!= TUN_ADAPTER_INDEX_INVALID
)
2372 MIB_IPFORWARDROW fr
;
2375 fr
.dwForwardDest
= htonl (r
->network
);
2376 fr
.dwForwardMask
= htonl (r
->netmask
);
2377 fr
.dwForwardPolicy
= 0;
2378 fr
.dwForwardNextHop
= htonl (r
->gateway
);
2379 fr
.dwForwardIfIndex
= if_index
;
2381 status
= DeleteIpForwardEntry (&fr
);
2383 if (status
== NO_ERROR
)
2386 msg (M_WARN
, "ROUTE: route deletion failed using DeleteIpForwardEntry: %s",
2387 strerror_win32 (status
, &gc
));
2395 format_route_entry (const MIB_IPFORWARDROW
*r
, struct gc_arena
*gc
)
2397 struct buffer out
= alloc_buf_gc (256, gc
);
2398 buf_printf (&out
, "%s %s %s p=%d i=%d t=%d pr=%d a=%d h=%d m=%d/%d/%d/%d/%d",
2399 print_in_addr_t (r
->dwForwardDest
, IA_NET_ORDER
, gc
),
2400 print_in_addr_t (r
->dwForwardMask
, IA_NET_ORDER
, gc
),
2401 print_in_addr_t (r
->dwForwardNextHop
, IA_NET_ORDER
, gc
),
2402 (int)r
->dwForwardPolicy
,
2403 (int)r
->dwForwardIfIndex
,
2404 (int)r
->dwForwardType
,
2405 (int)r
->dwForwardProto
,
2406 (int)r
->dwForwardAge
,
2407 (int)r
->dwForwardNextHopAS
,
2408 (int)r
->dwForwardMetric1
,
2409 (int)r
->dwForwardMetric2
,
2410 (int)r
->dwForwardMetric3
,
2411 (int)r
->dwForwardMetric4
,
2412 (int)r
->dwForwardMetric5
);
2417 * Show current routing table
2420 show_routes (int msglev
)
2422 struct gc_arena gc
= gc_new ();
2425 const MIB_IPFORWARDTABLE
*rt
= get_windows_routing_table (&gc
);
2427 msg (msglev
, "SYSTEM ROUTING TABLE");
2430 for (i
= 0; i
< rt
->dwNumEntries
; ++i
)
2432 msg (msglev
, "%s", format_route_entry (&rt
->table
[i
], &gc
));
2438 #elif defined(TARGET_LINUX)
2441 get_default_gateway (struct route_gateway_info
*rgi
)
2443 struct gc_arena gc
= gc_new ();
2450 /* get default gateway IP addr */
2452 FILE *fp
= fopen ("/proc/net/route", "r");
2457 unsigned int lowest_metric
= UINT_MAX
;
2458 in_addr_t best_gw
= 0;
2460 while (fgets (line
, sizeof (line
), fp
) != NULL
)
2464 unsigned int net_x
= 0;
2465 unsigned int mask_x
= 0;
2466 unsigned int gw_x
= 0;
2467 unsigned int metric
= 0;
2468 unsigned int flags
= 0;
2471 const int np
= sscanf (line
, "%15s\t%x\t%x\t%x\t%*s\t%*s\t%d\t%x",
2478 if (np
== 6 && (flags
& IFF_UP
))
2480 const in_addr_t net
= ntohl (net_x
);
2481 const in_addr_t mask
= ntohl (mask_x
);
2482 const in_addr_t gw
= ntohl (gw_x
);
2484 if (!net
&& !mask
&& metric
< lowest_metric
)
2488 strcpy (best_name
, name
);
2489 lowest_metric
= metric
;
2499 rgi
->gateway
.addr
= best_gw
;
2500 rgi
->flags
|= RGI_ADDR_DEFINED
;
2501 if (!rgi
->gateway
.addr
&& best_name
[0])
2502 rgi
->flags
|= RGI_ON_LINK
;
2507 /* scan adapter list */
2508 if (rgi
->flags
& RGI_ADDR_DEFINED
)
2510 struct ifreq
*ifr
, *ifend
;
2511 in_addr_t addr
, netmask
;
2514 struct ifreq ifs
[20]; /* Maximum number of interfaces to scan */
2516 if ((sd
= socket (AF_INET
, SOCK_DGRAM
, 0)) < 0)
2518 msg (M_WARN
, "GDG: socket() failed");
2521 ifc
.ifc_len
= sizeof (ifs
);
2523 if (ioctl (sd
, SIOCGIFCONF
, &ifc
) < 0)
2525 msg (M_WARN
, "GDG: ioctl(SIOCGIFCONF) failed");
2529 /* scan through interface list */
2530 ifend
= ifs
+ (ifc
.ifc_len
/ sizeof (struct ifreq
));
2531 for (ifr
= ifc
.ifc_req
; ifr
< ifend
; ifr
++)
2533 if (ifr
->ifr_addr
.sa_family
== AF_INET
)
2535 /* get interface addr */
2536 addr
= ntohl(((struct sockaddr_in
*) &ifr
->ifr_addr
)->sin_addr
.s_addr
);
2538 /* get interface name */
2539 strncpynt (ifreq
.ifr_name
, ifr
->ifr_name
, sizeof (ifreq
.ifr_name
));
2541 /* check that the interface is up */
2542 if (ioctl (sd
, SIOCGIFFLAGS
, &ifreq
) < 0)
2544 if (!(ifreq
.ifr_flags
& IFF_UP
))
2547 if (rgi
->flags
& RGI_ON_LINK
)
2549 /* check that interface name of current interface
2550 matches interface name of best default route */
2551 if (strcmp(ifreq
.ifr_name
, best_name
))
2554 /* if point-to-point link, use remote addr as route gateway */
2555 if ((ifreq
.ifr_flags
& IFF_POINTOPOINT
) && ioctl (sd
, SIOCGIFDSTADDR
, &ifreq
) >= 0)
2557 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*) &ifreq
.ifr_addr
)->sin_addr
.s_addr
);
2558 if (rgi
->gateway
.addr
)
2559 rgi
->flags
&= ~RGI_ON_LINK
;
2565 /* get interface netmask */
2566 if (ioctl (sd
, SIOCGIFNETMASK
, &ifreq
) < 0)
2568 netmask
= ntohl(((struct sockaddr_in
*) &ifreq
.ifr_addr
)->sin_addr
.s_addr
);
2570 /* check that interface matches default route */
2571 if (((rgi
->gateway
.addr
^ addr
) & netmask
) != 0)
2575 rgi
->gateway
.netmask
= netmask
;
2576 rgi
->flags
|= RGI_NETMASK_DEFINED
;
2579 /* save iface name */
2580 strncpynt (rgi
->iface
, ifreq
.ifr_name
, sizeof(rgi
->iface
));
2581 rgi
->flags
|= RGI_IFACE_DEFINED
;
2583 /* now get the hardware address. */
2584 memset (&ifreq
.ifr_hwaddr
, 0, sizeof (struct sockaddr
));
2585 if (ioctl (sd
, SIOCGIFHWADDR
, &ifreq
) < 0)
2587 msg (M_WARN
, "GDG: SIOCGIFHWADDR(%s) failed", ifreq
.ifr_name
);
2590 memcpy (rgi
->hwaddr
, &ifreq
.ifr_hwaddr
.sa_data
, 6);
2591 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2604 #elif defined(TARGET_FREEBSD)||defined(TARGET_DRAGONFLY)
2606 #include <sys/types.h>
2607 #include <sys/socket.h>
2608 #include <netinet/in.h>
2609 #include <net/route.h>
2612 struct rt_msghdr m_rtm
;
2616 #define ROUNDUP(a) \
2617 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
2620 * FIXME -- add support for netmask, hwaddr, and iface
2623 get_default_gateway (struct route_gateway_info
*rgi
)
2625 struct gc_arena gc
= gc_new ();
2626 int s
, seq
, l
, pid
, rtm_addrs
, i
;
2627 struct sockaddr so_dst
, so_mask
;
2628 char *cp
= m_rtmsg
.m_space
;
2629 struct sockaddr
*gate
= NULL
, *sa
;
2630 struct rt_msghdr
*rtm_aux
;
2632 #define NEXTADDR(w, u) \
2633 if (rtm_addrs & (w)) {\
2634 l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\
2637 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
2639 #define rtm m_rtmsg.m_rtm
2645 rtm_addrs
= RTA_DST
| RTA_NETMASK
;
2647 bzero(&so_dst
, sizeof(so_dst
));
2648 bzero(&so_mask
, sizeof(so_mask
));
2649 bzero(&rtm
, sizeof(struct rt_msghdr
));
2651 rtm
.rtm_type
= RTM_GET
;
2652 rtm
.rtm_flags
= RTF_UP
| RTF_GATEWAY
;
2653 rtm
.rtm_version
= RTM_VERSION
;
2654 rtm
.rtm_seq
= ++seq
;
2655 rtm
.rtm_addrs
= rtm_addrs
;
2657 so_dst
.sa_family
= AF_INET
;
2658 so_dst
.sa_len
= sizeof(struct sockaddr_in
);
2659 so_mask
.sa_family
= AF_INET
;
2660 so_mask
.sa_len
= sizeof(struct sockaddr_in
);
2662 NEXTADDR(RTA_DST
, so_dst
);
2663 NEXTADDR(RTA_NETMASK
, so_mask
);
2665 rtm
.rtm_msglen
= l
= cp
- (char *)&m_rtmsg
;
2667 s
= socket(PF_ROUTE
, SOCK_RAW
, 0);
2669 if (write(s
, (char *)&m_rtmsg
, l
) < 0)
2671 msg(M_WARN
|M_ERRNO
, "Could not retrieve default gateway from route socket:");
2678 l
= read(s
, (char *)&m_rtmsg
, sizeof(m_rtmsg
));
2679 } while (l
> 0 && (rtm
.rtm_seq
!= seq
|| rtm
.rtm_pid
!= pid
));
2685 cp
= ((char *)(rtm_aux
+ 1));
2686 if (rtm_aux
->rtm_addrs
) {
2687 for (i
= 1; i
; i
<<= 1)
2688 if (i
& rtm_aux
->rtm_addrs
) {
2689 sa
= (struct sockaddr
*)cp
;
2690 if (i
== RTA_GATEWAY
)
2704 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*)gate
)->sin_addr
.s_addr
);
2705 rgi
->flags
|= RGI_ADDR_DEFINED
;
2715 #elif defined(TARGET_DARWIN)
2717 #include <sys/types.h>
2718 #include <sys/socket.h>
2719 #include <netinet/in.h>
2720 #include <net/route.h>
2721 #include <net/if_dl.h>
2724 struct rt_msghdr m_rtm
;
2728 #define ROUNDUP(a) \
2729 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(uint32_t) - 1))) : sizeof(uint32_t))
2731 #define NEXTADDR(w, u) \
2732 if (rtm_addrs & (w)) {\
2733 l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\
2736 #define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))
2738 #define max(a,b) ((a) > (b) ? (a) : (b))
2741 get_default_gateway (struct route_gateway_info
*rgi
)
2743 struct gc_arena gc
= gc_new ();
2744 struct rtmsg m_rtmsg
;
2746 int seq
, l
, pid
, rtm_addrs
, i
;
2747 struct sockaddr so_dst
, so_mask
;
2748 char *cp
= m_rtmsg
.m_space
;
2749 struct sockaddr
*gate
= NULL
, *ifp
= NULL
, *sa
;
2750 struct rt_msghdr
*rtm_aux
;
2752 # define rtm m_rtmsg.m_rtm
2756 /* setup data to send to routing socket */
2759 rtm_addrs
= RTA_DST
| RTA_NETMASK
| RTA_IFP
;
2761 bzero(&m_rtmsg
, sizeof(m_rtmsg
));
2762 bzero(&so_dst
, sizeof(so_dst
));
2763 bzero(&so_mask
, sizeof(so_mask
));
2764 bzero(&rtm
, sizeof(struct rt_msghdr
));
2766 rtm
.rtm_type
= RTM_GET
;
2767 rtm
.rtm_flags
= RTF_UP
| RTF_GATEWAY
;
2768 rtm
.rtm_version
= RTM_VERSION
;
2769 rtm
.rtm_seq
= ++seq
;
2770 rtm
.rtm_addrs
= rtm_addrs
;
2772 so_dst
.sa_family
= AF_INET
;
2773 so_dst
.sa_len
= sizeof(struct sockaddr_in
);
2774 so_mask
.sa_family
= AF_INET
;
2775 so_mask
.sa_len
= sizeof(struct sockaddr_in
);
2777 NEXTADDR(RTA_DST
, so_dst
);
2778 NEXTADDR(RTA_NETMASK
, so_mask
);
2780 rtm
.rtm_msglen
= l
= cp
- (char *)&m_rtmsg
;
2782 /* transact with routing socket */
2783 sockfd
= socket(PF_ROUTE
, SOCK_RAW
, 0);
2786 msg (M_WARN
, "GDG: socket #1 failed");
2789 if (write(sockfd
, (char *)&m_rtmsg
, l
) < 0)
2791 msg (M_WARN
, "GDG: problem writing to routing socket");
2795 l
= read(sockfd
, (char *)&m_rtmsg
, sizeof(m_rtmsg
));
2796 } while (l
> 0 && (rtm
.rtm_seq
!= seq
|| rtm
.rtm_pid
!= pid
));
2800 /* extract return data from routing socket */
2802 cp
= ((char *)(rtm_aux
+ 1));
2803 if (rtm_aux
->rtm_addrs
)
2805 for (i
= 1; i
; i
<<= 1)
2807 if (i
& rtm_aux
->rtm_addrs
)
2809 sa
= (struct sockaddr
*)cp
;
2810 if (i
== RTA_GATEWAY
)
2812 else if (i
== RTA_IFP
)
2821 /* get gateway addr and interface name */
2824 /* get default gateway addr */
2825 rgi
->gateway
.addr
= ntohl(((struct sockaddr_in
*)gate
)->sin_addr
.s_addr
);
2826 if (rgi
->gateway
.addr
)
2827 rgi
->flags
|= RGI_ADDR_DEFINED
;
2831 /* get interface name */
2832 const struct sockaddr_dl
*adl
= (struct sockaddr_dl
*) ifp
;
2833 int len
= adl
->sdl_nlen
;
2834 if (adl
->sdl_nlen
&& adl
->sdl_nlen
< sizeof(rgi
->iface
))
2836 memcpy (rgi
->iface
, adl
->sdl_data
, adl
->sdl_nlen
);
2837 rgi
->iface
[adl
->sdl_nlen
] = '\0';
2838 rgi
->flags
|= RGI_IFACE_DEFINED
;
2843 /* get netmask of interface that owns default gateway */
2844 if (rgi
->flags
& RGI_IFACE_DEFINED
) {
2847 sockfd
= socket(AF_INET
, SOCK_DGRAM
, 0);
2850 msg (M_WARN
, "GDG: socket #2 failed");
2855 ifr
.ifr_addr
.sa_family
= AF_INET
;
2856 strncpynt(ifr
.ifr_name
, rgi
->iface
, IFNAMSIZ
);
2858 if (ioctl(sockfd
, SIOCGIFNETMASK
, (char *)&ifr
) < 0)
2860 msg (M_WARN
, "GDG: ioctl #1 failed");
2866 rgi
->gateway
.netmask
= ntohl(((struct sockaddr_in
*)&ifr
.ifr_addr
)->sin_addr
.s_addr
);
2867 rgi
->flags
|= RGI_NETMASK_DEFINED
;
2870 /* try to read MAC addr associated with interface that owns default gateway */
2871 if (rgi
->flags
& RGI_IFACE_DEFINED
)
2875 const int bufsize
= 4096;
2878 buffer
= (char *) gc_malloc (bufsize
, true, &gc
);
2879 sockfd
= socket(AF_INET
, SOCK_DGRAM
, 0);
2882 msg (M_WARN
, "GDG: socket #3 failed");
2886 ifc
.ifc_len
= bufsize
;
2887 ifc
.ifc_buf
= buffer
;
2889 if (ioctl(sockfd
, SIOCGIFCONF
, (char *)&ifc
) < 0)
2891 msg (M_WARN
, "GDG: ioctl #2 failed");
2897 for (cp
= buffer
; cp
<= buffer
+ ifc
.ifc_len
- sizeof(struct ifreq
); )
2899 ifr
= (struct ifreq
*)cp
;
2900 const size_t len
= sizeof(ifr
->ifr_name
) + max(sizeof(ifr
->ifr_addr
), ifr
->ifr_addr
.sa_len
);
2901 if (!ifr
->ifr_addr
.sa_family
)
2903 if (!strncmp(ifr
->ifr_name
, rgi
->iface
, IFNAMSIZ
))
2905 if (ifr
->ifr_addr
.sa_family
== AF_LINK
)
2907 struct sockaddr_dl
*sdl
= (struct sockaddr_dl
*)&ifr
->ifr_addr
;
2908 memcpy(rgi
->hwaddr
, LLADDR(sdl
), 6);
2909 rgi
->flags
|= RGI_HWADDR_DEFINED
;
2924 #elif defined(TARGET_OPENBSD) || defined(TARGET_NETBSD)
2926 #include <sys/types.h>
2927 #include <sys/socket.h>
2928 #include <netinet/in.h>
2929 #include <net/route.h>
2932 struct rt_msghdr m_rtm
;
2936 #define ROUNDUP(a) \
2937 ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
2940 * FIXME -- add support for netmask, hwaddr, and iface
/*
 * OpenBSD/NetBSD implementation of get_default_gateway().
 *
 * Asks the kernel for the route covering 0.0.0.0/0 over a PF_ROUTE socket
 * (an RTM_GET request whose destination and netmask sockaddrs are both
 * all-zero), then walks the sockaddrs of the matching reply to find the
 * RTA_GATEWAY entry and stores it in rgi->gateway.addr with
 * RGI_ADDR_DEFINED set.  Only the gateway address is filled in here; see
 * the FIXME above for netmask, hwaddr and iface.
 *
 * The request/reply buffer m_rtmsg is the file-scope object declared
 * above the ROUNDUP macro, so this function is not reentrant.
 *
 * This page drops a number of source lines (the return type, braces, the
 * pid declaration, the `do {`, close(s), the rtm_aux assignment, the
 * `gate = sa;` / ADVANCE(cp, sa) pair and the gate != NULL test).  Only
 * the visible statements are reproduced; comments mark the gaps.
 */
get_default_gateway (struct route_gateway_info *rgi)
  struct gc_arena gc = gc_new ();
  /* NOTE(review): `i` is used below as a bit-mask walker (`i <<= 1`).  As a
   * signed int, the shift that carries the bit into the sign position is
   * undefined behaviour; declaring the mask variable unsigned makes the
   * loop well-defined without changing what it visits. */
  int s, seq, l, rtm_addrs, i;
  struct sockaddr so_dst, so_mask;
  char *cp = m_rtmsg.m_space;   /* write cursor into the shared request buffer */
  struct sockaddr *gate = NULL, *sa;
  struct rt_msghdr *rtm_aux;

  /* Append sockaddr `u` to the message when its RTA_* bit `w` is requested,
   * padded to a long boundary as the routing socket expects.  (The macro's
   * closing brace is on a line this page omits.) */
#define NEXTADDR(w, u) \
  if (rtm_addrs & (w)) {\
    l = ROUNDUP(u.sa_len); memmove(cp, &(u), l); cp += l;\

  /* Step a read cursor past sockaddr `n`, honouring the same padding. */
#define ADVANCE(x, n) (x += ROUNDUP((n)->sa_len))

  /* Shorthand for the header part of the shared message buffer. */
#define rtm m_rtmsg.m_rtm

  /* pid and seq are initialised (presumably pid = getpid(), seq = 0) on
   * lines this page omits; both are needed to match the kernel's reply. */
  rtm_addrs = RTA_DST | RTA_NETMASK;

  bzero(&so_dst, sizeof(so_dst));
  bzero(&so_mask, sizeof(so_mask));
  bzero(&rtm, sizeof(struct rt_msghdr));

  /* RTM_GET for the all-zero destination and netmask, i.e. the default route. */
  rtm.rtm_type = RTM_GET;
  rtm.rtm_flags = RTF_UP | RTF_GATEWAY;
  rtm.rtm_version = RTM_VERSION;
  rtm.rtm_seq = ++seq;
  rtm.rtm_addrs = rtm_addrs;

  so_dst.sa_family = AF_INET;
  so_dst.sa_len = sizeof(struct sockaddr_in);
  so_mask.sa_family = AF_INET;
  so_mask.sa_len = sizeof(struct sockaddr_in);

  NEXTADDR(RTA_DST, so_dst);
  NEXTADDR(RTA_NETMASK, so_mask);

  rtm.rtm_msglen = l = cp - (char *)&m_rtmsg;

  /* NOTE(review): unless the single line the page omits between this call
   * and the write() below tests it, `s` is used without checking for -1.
   * A failed socket() (privilege or resource limits) then surfaces as a
   * misleading EBADF from write(), and the read()/close() that follow
   * operate on an invalid descriptor.  Check `s < 0` here and bail out
   * while errno still names the real cause. */
  s = socket(PF_ROUTE, SOCK_RAW, 0);

  if (write(s, (char *)&m_rtmsg, l) < 0)
      msg(M_WARN|M_ERRNO, "Could not retrieve default gateway from route socket:");
      /* … cleanup and early return: not on this page … */

  /* Read replies until the one tagged with our own seq and pid arrives;
   * messages belonging to other routing-socket users are skipped.  A
   * failed read (l <= 0) also ends the loop, and nothing visible here
   * distinguishes that case before the buffer is parsed below. */
      l = read(s, (char *)&m_rtmsg, sizeof(m_rtmsg));
  } while (l > 0 && (rtm.rtm_seq != seq || rtm.rtm_pid != pid));

  /* … close(s) and rtm_aux = &rtm: not on this page … */

  /* The sockaddrs follow the header in ascending RTA_* bit order; walk the
   * bits rtm_addrs reports present and remember the gateway one.
   * NOTE(review): the walk trusts each sa_len from the reply; `l` (bytes
   * actually read) is known, so bounding `cp` by it would make the parser
   * robust against a truncated message. */
  cp = ((char *)(rtm_aux + 1));
  if (rtm_aux->rtm_addrs) {
    for (i = 1; i; i <<= 1)
      if (i & rtm_aux->rtm_addrs) {
        sa = (struct sockaddr *)cp;
        if (i == RTA_GATEWAY)
          /* … gate = sa; then ADVANCE(cp, sa): not on this page … */

  /* … gate != NULL test: not on this page … */
  /* The gateway sockaddr is read as sockaddr_in without an sa_family check;
   * an AF_INET request should yield an AF_INET gateway, but an explicit
   * family test would be cheap insurance. */
  rgi->gateway.addr = ntohl(((struct sockaddr_in *)gate)->sin_addr.s_addr);
  rgi->flags |= RGI_ADDR_DEFINED;
3039 * This is a platform-specific method that returns data about
3040 * the current default gateway. Return data is placed into
3041 * a struct route_gateway_info object provided by caller. The
3042 * implementation should CLEAR the structure before adding
3045 * Data returned includes:
3046 * 1. default gateway address (rgi->gateway.addr)
3047 * 2. netmask of interface that owns default gateway
3048 * (rgi->gateway.netmask)
3049 * 3. hardware address (i.e. MAC address) of interface that owns
3050 * default gateway (rgi->hwaddr)
3051 * 4. interface name (or adapter index on Windows) that owns default
3052 * gateway (rgi->iface or rgi->adapter_index)
3053 * 5. an array of additional address/netmask pairs defined by
3054 * interface that owns default gateway (rgi->addrs with length
3055 * given in rgi->n_addrs)
3057 * The flags RGI_x_DEFINED may be used to indicate which of the data
3058 * members were successfully returned (set in rgi->flags). All of
3059 * the data members are optional, however certain OpenVPN functionality
3060 * may be disabled by missing items.
/*
 * Generic fallback of get_default_gateway() for platforms without a
 * native implementation; its body is not shown on this page.  Per the
 * contract above it should still CLEAR *rgi, so that no RGI_*_DEFINED
 * flag is left set and callers treat every field as unknown.
 */
get_default_gateway (struct route_gateway_info *rgi)
/*
 * Convert a netmask to a prefix length.
 *
 * The search loop is entered only if `network` has no bits set outside
 * `netmask`, and it can only match when `netmask` is one of the contiguous
 * masks netbits_to_netmask() produces for 0..32 bits; on a match the prefix
 * length is meant to be stored through `netbits`.  The return type, the
 * loop index declaration and the return statements are on lines this page
 * does not show.
 */
netmask_to_netbits (const in_addr_t network, const in_addr_t netmask, int *netbits)
  const int addrlen = sizeof (in_addr_t) * 8;   /* 32 for IPv4 */

  /* a network with host bits set cannot belong to this mask */
  if ((network & netmask) == network)
      /* try every prefix length from /0 through /32 inclusive */
      for (i = 0; i <= addrlen; ++i)
          in_addr_t mask = netbits_to_netmask (i);
          if (mask == netmask)
            /* … store i through netbits and return success: not on this page … */
  /* … failure return: not on this page … */
3095 * get_bypass_addresses() is used by the redirect-gateway bypass-x
3096 * functions to build a route bypass to selected DHCP/DNS servers,
3097 * so that outgoing packets to these servers don't end up in the tunnel.
/*
 * Add `addr` to the bypass list only when reaching it would otherwise go
 * through the default gateway.
 *
 * Three filters apply: test_local_addr() must report TLA_NONLOCAL (a host
 * already reachable via a connected route needs no bypass, and a
 * not-implemented answer never produces a route), and the address must be
 * neither 0.0.0.0 nor IPV4_NETMASK_HOST (presumably 255.255.255.255), the
 * values an unset or placeholder DHCP/DNS entry would carry.
 * test_local_addr() is called with a NULL route_gateway_info, so this
 * helper relies on an implementation that does not need rgi (the Windows
 * one below).  Return type and braces are on lines this page omits.
 */
add_host_route_if_nonlocal (struct route_bypass *rb, const in_addr_t addr)
  if (test_local_addr(addr, NULL) == TLA_NONLOCAL && addr != 0 && addr != IPV4_NETMASK_HOST)
    add_bypass_address (rb, addr);
/*
 * Walk a Windows IP_ADDR_STRING linked list, parse each dotted-quad entry
 * and hand it to add_host_route_if_nonlocal().
 *
 * getaddr() is called with GETADDR_HOST_ORDER only — no resolve flag — so
 * this is presumably a pure numeric parse, which is the right thing when
 * the strings are the DNS servers themselves.  `succeed` reports whether
 * the parse worked; the check on it, the loop header over `iplist` and
 * the return type are on lines this page does not show.
 */
add_host_route_array (struct route_bypass *rb, const IP_ADDR_STRING *iplist)
      bool succeed = false;
      const in_addr_t ip = getaddr (GETADDR_HOST_ORDER, iplist->IpAddress.String, 0, &succeed, NULL);
      /* presumably guarded by `succeed` on the omitted line: only a
       * successfully parsed address deserves a bypass route */
      add_host_route_if_nonlocal (rb, ip);
      iplist = iplist->Next;   /* next entry of the linked list */
/*
 * Windows implementation of get_bypass_addresses().
 *
 * Finds the adapter that owns the default route and, depending on
 * `flags`, collects that adapter's DHCP server (RG_BYPASS_DHCP) and DNS
 * servers (RG_BYPASS_DNS) into `rb`, so that redirect-gateway can install
 * host routes keeping traffic to them outside the tunnel.  Practitioner
 * note: bypass-dns therefore means queries to the link's own resolvers
 * stay on the physical interface and are not protected by the tunnel;
 * that is the documented trade-off of the option.
 *
 * Braces, the gc_free() and — presumably — the NULL test on `row`
 * between get_default_gateway_row() and the first use of
 * row->dwForwardIfIndex are on lines this page does not show; confirm
 * that guard against the full source before reading the dereferences
 * below as unchecked.
 */
get_bypass_addresses (struct route_bypass *rb, const unsigned int flags)
  struct gc_arena gc = gc_new ();

  /* get full routing table */
  const MIB_IPFORWARDTABLE *routes = get_windows_routing_table (&gc);

  /* get the route which represents the default gateway */
  const MIB_IPFORWARDROW *row = get_default_gateway_row (routes);

      /* get the adapter which the default gateway is associated with */
      const IP_ADAPTER_INFO *dgi = get_adapter_info (row->dwForwardIfIndex, &gc);

      /* get extra adapter info, such as DNS addresses */
      const IP_PER_ADAPTER_INFO *pai = get_per_adapter_info (row->dwForwardIfIndex, &gc);

      /* Bypass DHCP server address — only when the adapter actually uses
       * DHCP; dgi is NULL-checked because the lookup can presumably fail */
      if ((flags & RG_BYPASS_DHCP) && dgi && dgi->DhcpEnabled)
        add_host_route_array (rb, &dgi->DhcpServer);

      /* Bypass DNS server addresses (pai likewise NULL-checked) */
      if ((flags & RG_BYPASS_DNS) && pai)
        add_host_route_array (rb, &pai->DnsServerList);
/*
 * Non-Windows get_bypass_addresses(): the body is not shown on this page.
 * Nothing platform-specific follows the signature here, so presumably no
 * bypass addresses are collected and redirect-gateway's bypass-dhcp /
 * bypass-dns flags have no effect on these platforms.
 */
get_bypass_addresses (struct route_bypass *rb, const unsigned int flags) /* PLATFORM-SPECIFIC */
 * Test if addr is reachable via a local interface (return TLA_LOCAL),
 * or if it needs to be routed via the default gateway (return
 * TLA_NONLOCAL). If the target platform doesn't implement this
 * function, return TLA_NOT_IMPLEMENTED.
 *
 * The result is one of three distinct integer codes and must be carried
 * in an int: a bool can hold only two values and would silently collapse
 * one of the codes into another.
 *
 * Used by redirect-gateway autolocal feature
/*
 * Windows implementation of test_local_addr(): decide whether `addr` is
 * reachable through a directly connected (non-default) route.
 *
 * Scans the IPv4 forwarding table: a row whose netmask is more specific
 * than 0x80000000 and whose destination covers `addr` counts as local.
 * Rows with netmask <= 0x80000000 (the default route and its two /1
 * halves) are deliberately ignored, so "covered by the default route"
 * never reads as local.  `rgi` is not referenced in the visible statements.
 *
 * This page drops several lines (the return type, braces, the loop index
 * declaration, the match branch, and the final gc_free()/return); only
 * the visible statements are reproduced, with comments marking the gaps.
 */
test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi)
  struct gc_arena gc = gc_new ();
  const in_addr_t nonlocal_netmask = 0x80000000L; /* routes with netmask <= to this are considered non-local */
  /*
   * NOTE(review): the contract above is a three-way code
   * (not-implemented / non-local / local), but `ret` is declared bool.
   * A bool can only hold 0 or 1, so whichever TLA_* code is neither 0
   * nor 1 is silently narrowed when stored, and the caller — the
   * redirect-gateway autolocal logic — receives the wrong classification.
   * Declare `ret` with the function's integer return type instead.
   */
  bool ret = TLA_NONLOCAL;

  /* get full routing table */
  const MIB_IPFORWARDTABLE *rt = get_windows_routing_table (&gc);
  /* get_windows_routing_table() can presumably return NULL on failure;
   * the guard for that case is among the lines this page does not show. */
  for (i = 0; i < rt->dwNumEntries; ++i)
      const MIB_IPFORWARDROW *row = &rt->table[i];
      const in_addr_t net = ntohl (row->dwForwardDest);
      const in_addr_t mask = ntohl (row->dwForwardMask);
      /* a more-specific-than-default route that covers addr => local */
      if (mask > nonlocal_netmask && (addr & mask) == net)
        /* … match branch, loop exit, gc_free() and return: not on this page … */
/*
 * Generic test_local_addr(): classifies `addr` with local_route(), using
 * the default gateway recorded in rgi.
 *
 * Several lines are missing from this page: the braces, what is
 * presumably an `if (rgi)` guard before rgi->gateway.addr is read, and the
 * statement(s) between the local_route() test and the TLA_NONLOCAL return.
 * Do not read `return TLA_NONLOCAL` as the body of the `if`; which branch
 * it belongs to can only be confirmed against the full source.  The final
 * return is the "no information available" outcome.
 */
test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi) /* PLATFORM-SPECIFIC */
      /* probe a /32 route to addr against the default gateway; local_route()
       * presumably reports whether it would be a connected (local) route */
      if (local_route (addr, 0xFFFFFFFF, rgi->gateway.addr, rgi))
        /* … not on this page … */
        return TLA_NONLOCAL;
  return TLA_NOT_IMPLEMENTED;