diff options
Diffstat (limited to 'src/openvpn/route.c')
-rw-r--r-- | src/openvpn/route.c | 132 |
1 files changed, 121 insertions, 11 deletions
diff --git a/src/openvpn/route.c b/src/openvpn/route.c index ed21d15..db4657e 100644 --- a/src/openvpn/route.c +++ b/src/openvpn/route.c @@ -660,29 +660,78 @@ init_route_list (struct route_list *rl, return ret; } +/* check whether an IPv6 host address is covered by a given route_ipv6 + * (not the most beautiful implementation in the world, but portable and + * "good enough") + */ +static bool +route_ipv6_match_host( const struct route_ipv6 *r6, + const struct in6_addr *host ) +{ + unsigned int bits = r6->netbits; + int i; + unsigned int mask; + + if ( bits>128 ) + return false; + + for( i=0; bits >= 8; i++, bits -= 8 ) + { + if ( r6->network.s6_addr[i] != host->s6_addr[i] ) + return false; + } + + if ( bits == 0 ) + return true; + + mask = 0xff << (8-bits); + + if ( (r6->network.s6_addr[i] & mask) == (host->s6_addr[i] & mask )) + return true; + + return false; +} + bool init_route_ipv6_list (struct route_ipv6_list *rl6, const struct route_ipv6_option_list *opt6, const char *remote_endpoint, int default_metric, + const struct in6_addr *remote_host_ipv6, struct env_set *es) { struct gc_arena gc = gc_new (); bool ret = true; + bool need_remote_ipv6_route; clear_route_ipv6_list (rl6); rl6->flags = opt6->flags; + if (remote_host_ipv6) + { + rl6->remote_host_ipv6 = *remote_host_ipv6; + rl6->spec_flags |= RTSA_REMOTE_HOST; + } + if (default_metric >= 0 ) { rl6->default_metric = default_metric; rl6->spec_flags |= RTSA_DEFAULT_METRIC; } - /* "default_gateway" is stuff for "redirect-gateway", which we don't - * do for IPv6 yet -> TODO - */ + msg (D_ROUTE, "GDG6: remote_host_ipv6=%s", + remote_host_ipv6? print_in6_addr (*remote_host_ipv6, 0, &gc): "n/a" ); + + get_default_gateway_ipv6 (&rl6->rgi6, remote_host_ipv6); + if (rl6->rgi6.flags & RGI_ADDR_DEFINED) + { + setenv_str (es, "net_gateway_ipv6", print_in6_addr (rl6->rgi6.gateway.addr_ipv6, 0, &gc)); +#if defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) + print_default_gateway (D_ROUTE, NULL, &rl6->rgi6); +#endif + } + else { dmsg (D_ROUTE, "ROUTE6: default_gateway=UNDEF"); } @@ -696,12 +745,16 @@ init_route_ipv6_list (struct route_ipv6_list *rl6, } else { - msg (M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve default gateway: %s", remote_endpoint); + msg (M_WARN, PACKAGE_NAME " ROUTE: failed to parse/resolve VPN endpoint: %s", remote_endpoint); ret = false; } } - /* parse the routes from opt6 to rl6 */ + /* parse the routes from opt6 to rl6 + * discovering potential overlaps with remote_host_ipv6 in the process + */ + need_remote_ipv6_route = false; + { struct route_ipv6_option *ro6; for (ro6 = opt6->routes_ipv6; ro6; ro6 = ro6->next) @@ -714,10 +767,49 @@ init_route_ipv6_list (struct route_ipv6_list *rl6, { r6->next = rl6->routes_ipv6; rl6->routes_ipv6 = r6; + + if ( remote_host_ipv6 && + route_ipv6_match_host( r6, remote_host_ipv6 ) ) + { + need_remote_ipv6_route = true; + msg (D_ROUTE, "ROUTE6: %s/%d overlaps IPv6 remote %s, adding host route to VPN endpoint", + print_in6_addr (r6->network, 0, &gc), r6->netbits, + print_in6_addr (*remote_host_ipv6, 0, &gc)); + } } } } + /* add VPN server host route if needed */ + if ( need_remote_ipv6_route ) + { + if ( (rl6->rgi6.flags & (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) == + (RGI_ADDR_DEFINED|RGI_IFACE_DEFINED) ) + { + struct route_ipv6 *r6; + ALLOC_OBJ_CLEAR_GC (r6, struct route_ipv6, &rl6->gc); + + r6->network = *remote_host_ipv6; + r6->netbits = 128; + if ( !(rl6->rgi6.flags & RGI_ON_LINK) ) + { r6->gateway = rl6->rgi6.gateway.addr_ipv6; } + r6->metric = 1; +#ifdef WIN32 + r6->adapter_index = rl6->rgi6.adapter_index; +#else + r6->iface = rl6->rgi6.iface; +#endif + r6->flags = RT_DEFINED | RT_METRIC_DEFINED; + + r6->next = rl6->routes_ipv6; + rl6->routes_ipv6 = r6; + } + else + { + msg (M_WARN, "ROUTE6: IPv6 route overlaps with IPv6 remote address, but could not determine IPv6 gateway address + interface, expect failure\n" ); + } + } + gc_free (&gc); return ret; } @@ -1574,6 +1666,15 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla if (! (r6->flags & RT_DEFINED) ) return; +#ifndef WIN32 + if ( r6->iface != NULL ) /* vpn server special route */ + { + device = r6->iface; + if ( !IN6_IS_ADDR_UNSPECIFIED(&r6->gateway) ) + gateway_needed = true; + } +#endif + gc_init (&gc); argv_init (&argv); @@ -1655,7 +1756,7 @@ add_route_ipv6 (struct route_ipv6 *r6, const struct tuntap *tt, unsigned int fla * - in TUN mode we use a special-case link-local address that the tapdrvr * knows about and will answer ND (neighbor discovery) packets for */ - if ( tt->type == DEV_TYPE_TUN ) + if ( tt->type == DEV_TYPE_TUN && !gateway_needed ) argv_printf_cat( &argv, " %s", "fe80::8" ); else argv_printf_cat( &argv, " %s", gateway ); @@ -1948,6 +2049,14 @@ delete_route_ipv6 (const struct route_ipv6 *r6, const struct tuntap *tt, unsigne if ((r6->flags & (RT_DEFINED|RT_ADDED)) != (RT_DEFINED|RT_ADDED)) return; +#ifndef WIN32 + if ( r6->iface != NULL ) /* vpn server special route */ + { + device = r6->iface; + gateway_needed = true; + } +#endif + gc_init (&gc); argv_init (&argv); @@ -2344,7 +2453,7 @@ windows_route_find_if_index (const struct route_ipv4 *r, const struct tuntap *tt */ void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - struct in6_addr *dest) + const struct in6_addr *dest) { msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system (windows)"); CLEAR(*rgi6); @@ -2693,7 +2802,7 @@ struct rtreq { void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - struct in6_addr *dest) + const struct in6_addr *dest) { int nls = -1; struct rtreq rtreq; @@ -2811,7 +2920,8 @@ get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, RGI_IFACE_DEFINED ) { rgi6->flags |= (RGI_ADDR_DEFINED | RGI_ON_LINK); - rgi6->gateway.addr_ipv6 = *dest; + if ( dest ) + rgi6->gateway.addr_ipv6 = *dest; } done: @@ -3065,7 +3175,7 @@ get_default_gateway (struct route_gateway_info *rgi) */ void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - struct in6_addr *dest) + const struct in6_addr *dest) { msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system (BSD and OSX)"); CLEAR(*rgi6); @@ -3106,7 +3216,7 @@ get_default_gateway (struct route_gateway_info *rgi) } void get_default_gateway_ipv6(struct route_ipv6_gateway_info *rgi6, - struct in6_addr *dest) + const struct in6_addr *dest) { msg(D_ROUTE, "no support for get_default_gateway_ipv6() on this system"); CLEAR(*rgi6); |