109
109
mroute_addr_print (addr, &gc));
111
111
argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
112
if (!openvpn_execve_check (&argv, es, S_SCRIPT, "WARNING: learn-address command failed"))
112
if (!openvpn_run_script (&argv, es, 0, "--learn-address"))
114
114
argv_reset (&argv);
148
148
dmsg (D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
149
hash_iterator_init_range (m->vhash, &hi, true, start_bucket, end_bucket);
149
hash_iterator_init_range (m->vhash, &hi, start_bucket, end_bucket);
150
150
while ((he = hash_iterator_next (&hi)) != NULL)
152
152
struct multi_route *r = (struct multi_route *) he->value;
317
317
if (t->options.ifconfig_pool_defined)
319
if (dev == DEV_TYPE_TAP)
321
m->ifconfig_pool = ifconfig_pool_init (IFCONFIG_POOL_INDIV,
322
t->options.ifconfig_pool_start,
323
t->options.ifconfig_pool_end,
324
t->options.duplicate_cn);
326
else if (dev == DEV_TYPE_TUN)
328
m->ifconfig_pool = ifconfig_pool_init (
329
(t->options.topology == TOP_NET30) ? IFCONFIG_POOL_30NET : IFCONFIG_POOL_INDIV,
330
t->options.ifconfig_pool_start,
331
t->options.ifconfig_pool_end,
332
t->options.duplicate_cn);
319
int pool_type = IFCONFIG_POOL_INDIV;
321
if ( dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30 )
322
pool_type = IFCONFIG_POOL_30NET;
324
m->ifconfig_pool = ifconfig_pool_init (pool_type,
325
t->options.ifconfig_pool_start,
326
t->options.ifconfig_pool_end,
327
t->options.duplicate_cn,
328
t->options.ifconfig_ipv6_pool_defined,
329
t->options.ifconfig_ipv6_pool_base,
330
t->options.ifconfig_ipv6_pool_netbits );
339
332
/* reload pool data from file */
340
333
if (t->c1.ifconfig_pool_persist)
429
422
struct multi_instance *mi)
431
424
const struct iroute *ir;
425
const struct iroute_ipv6 *ir6;
432
426
if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
434
428
for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
435
429
mroute_helper_del_iroute (m->route_helper, ir);
431
for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next )
432
mroute_helper_del_iroute6 (m->route_helper, ir6);
480
477
struct argv argv = argv_new ();
481
478
setenv_str (mi->context.c2.es, "script_type", "client-disconnect");
482
479
argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);
483
openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-disconnect command failed");
480
openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-disconnect");
484
481
argv_reset (&argv);
486
483
#ifdef MANAGEMENT_DEF_AUTH
587
584
struct hash_iterator hi;
588
585
struct hash_element *he;
590
hash_iterator_init (m->iter, &hi, true);
587
hash_iterator_init (m->iter, &hi);
591
588
while ((he = hash_iterator_next (&hi)))
593
590
struct multi_instance *mi = (struct multi_instance *) he->value;
724
720
status_printf (so, "OpenVPN CLIENT LIST");
725
721
status_printf (so, "Updated,%s", time_string (0, 0, false, &gc_top));
726
722
status_printf (so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
727
hash_iterator_init (m->hash, &hi, true);
723
hash_iterator_init (m->hash, &hi);
728
724
while ((he = hash_iterator_next (&hi)))
730
726
struct gc_arena gc = gc_new ();
746
742
status_printf (so, "ROUTING TABLE");
747
743
status_printf (so, "Virtual Address,Common Name,Real Address,Last Ref");
748
hash_iterator_init (m->vhash, &hi, true);
744
hash_iterator_init (m->vhash, &hi);
749
745
while ((he = hash_iterator_next (&hi)))
751
747
struct gc_arena gc = gc_new ();
788
784
status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, &gc_top), sep, (unsigned int)now);
789
785
status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)",
790
786
sep, sep, sep, sep, sep, sep, sep, sep);
791
hash_iterator_init (m->hash, &hi, true);
787
hash_iterator_init (m->hash, &hi);
792
788
while ((he = hash_iterator_next (&hi)))
794
790
struct gc_arena gc = gc_new ();
812
808
status_printf (so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
813
809
sep, sep, sep, sep, sep, sep);
814
hash_iterator_init (m->vhash, &hi, true);
810
hash_iterator_init (m->vhash, &hi);
815
811
while ((he = hash_iterator_next (&hi)))
817
813
struct gc_arena gc = gc_new ();
850
846
#ifdef PACKET_TRUNCATION_CHECK
852
848
status_printf (so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
853
hash_iterator_init (m->hash, &hi, true);
849
hash_iterator_init (m->hash, &hi);
854
850
while ((he = hash_iterator_next (&hi)))
856
852
struct gc_arena gc = gc_new ();
896
892
struct multi_route *oldroute = NULL;
897
893
struct multi_instance *owner = NULL;
899
hash_bucket_lock (bucket);
901
895
/* if route currently exists, get the instance which owns it */
902
896
he = hash_lookup_fast (m->vhash, bucket, addr, hv);
1078
static struct multi_instance *
1079
multi_learn_in6_addr (struct multi_context *m,
1080
struct multi_instance *mi,
1082
int netbits, /* -1 if host route, otherwise # of network bits in address */
1085
struct mroute_addr addr;
1088
addr.type = MR_ADDR_IPV6;
1090
memcpy( &addr.addr, &a6, sizeof(a6) );
1094
addr.type |= MR_WITH_NETBITS;
1095
addr.netbits = (uint8_t) netbits;
1096
mroute_addr_mask_host_bits( &addr );
1100
struct multi_instance *owner = multi_learn_addr (m, mi, &addr, 0);
1101
#ifdef MANAGEMENT_DEF_AUTH
1102
if (management && owner)
1103
management_learn_addr (management, &mi->context.c2.mda_context, &addr, primary);
1090
1110
* A new client has connected, add routes (server -> client)
1091
1111
* to internal routing table.
1116
1137
multi_learn_in_addr_t (m, mi, ir->network, ir->netbits, false);
1139
for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next )
1141
if (ir6->netbits >= 0)
1142
msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1143
print_in6_addr (ir6->network, 0, &gc),
1145
multi_instance_string (mi, false, &gc));
1147
msg (D_MULTI_LOW, "MULTI: internal route %s -> %s",
1148
print_in6_addr (ir6->network, 0, &gc),
1149
multi_instance_string (mi, false, &gc));
1151
mroute_helper_add_iroute6 (m->route_helper, ir6);
1153
multi_learn_in6_addr (m, mi, ir6->network, ir6->netbits, false);
1135
1172
struct hash_element *he;
1138
hash_iterator_init (m->iter, &hi, true);
1175
hash_iterator_init (m->iter, &hi);
1139
1176
while ((he = hash_iterator_next (&hi)))
1141
1178
struct multi_instance *mi = (struct multi_instance *) he->value;
1200
1237
mi->context.c2.push_ifconfig_defined = true;
1201
1238
mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1202
1239
mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1241
/* the current implementation does not allow "static IPv4, pool IPv6",
1242
* (see below) so issue a warning if that happens - don't break the
1243
* session, though, as we don't even know if this client WANTS IPv6
1245
if ( mi->context.c1.tuntap->ipv6 &&
1246
mi->context.options.ifconfig_ipv6_pool_defined &&
1247
! mi->context.options.push_ifconfig_ipv6_defined )
1249
msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1204
1252
else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1206
1254
in_addr_t local=0, remote=0;
1255
struct in6_addr remote_ipv6;
1207
1256
const char *cn = NULL;
1209
1258
if (!mi->context.options.duplicate_cn)
1210
1259
cn = tls_common_name (mi->context.c2.tls_multi, true);
1212
mi->vaddr_handle = ifconfig_pool_acquire (m->ifconfig_pool, &local, &remote, cn);
1261
mi->vaddr_handle = ifconfig_pool_acquire (m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1213
1262
if (mi->vaddr_handle >= 0)
1215
1264
const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1216
1265
const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1267
msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1268
print_in_addr_t( remote, 0, &gc ),
1269
print_in6_addr( remote_ipv6, 0, &gc ) );
1218
1271
/* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1219
1272
mi->context.c2.push_ifconfig_local = remote;
1220
1273
if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1237
1290
msg (D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1238
1291
multi_instance_string (mi, false, &gc));
1293
if ( mi->context.options.ifconfig_ipv6_pool_defined )
1295
mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1296
mi->context.c2.push_ifconfig_ipv6_remote =
1297
mi->context.c1.tuntap->local_ipv6;
1298
mi->context.c2.push_ifconfig_ipv6_netbits =
1299
mi->context.options.ifconfig_ipv6_pool_netbits;
1300
mi->context.c2.push_ifconfig_ipv6_defined = true;
1242
1305
msg (D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1309
/* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1310
* pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1311
* will fail (because no pool will be allocated in this case).
1312
* OTOH, this doesn't make too much sense in reality - and the other
1313
* way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1314
* -> and so it's implemented right now
1316
if ( mi->context.c1.tuntap->ipv6 &&
1317
mi->context.options.push_ifconfig_ipv6_defined )
1319
mi->context.c2.push_ifconfig_ipv6_local =
1320
mi->context.options.push_ifconfig_ipv6_local;
1321
mi->context.c2.push_ifconfig_ipv6_remote =
1322
mi->context.options.push_ifconfig_ipv6_remote;
1323
mi->context.c2.push_ifconfig_ipv6_netbits =
1324
mi->context.options.push_ifconfig_ipv6_netbits;
1325
mi->context.c2.push_ifconfig_ipv6_defined = true;
1327
msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1328
print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1329
mi->context.c2.push_ifconfig_ipv6_netbits );
1594
1686
mi->context.options.client_connect_script,
1597
if (openvpn_execve_check (&argv, mi->context.c2.es, S_SCRIPT, "client-connect command failed"))
1689
if (openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-connect"))
1599
1691
multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1600
1692
++cc_succeeded_count;
1669
1761
print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc));
1764
if (mi->context.c2.push_ifconfig_ipv6_defined)
1766
multi_learn_in6_addr (m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true);
1767
/* TODO: find out where addresses are "unlearned"!! */
1768
msg (D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
1769
multi_instance_string (mi, false, &gc),
1770
print_in6_addr (mi->context.c2.push_ifconfig_ipv6_local, 0, &gc));
1672
1773
/* add routes locally, pointing to new client, if
1673
1774
--iroute options have been specified */
1674
1775
multi_add_iroutes (m, mi);
1781
1882
printf ("BCAST len=%d\n", BLEN (buf));
1783
1884
mb = mbuf_alloc_buf (buf);
1784
hash_iterator_init (m->iter, &hi, true);
1885
hash_iterator_init (m->iter, &hi);
1786
1887
while ((he = hash_iterator_next (&hi)))
2250
2351
struct mbuf_item item;
2252
if (mbuf_extract_item (ms, &item, true)) /* cleartext IP packet */
2353
if (mbuf_extract_item (ms, &item)) /* cleartext IP packet */
2254
2355
unsigned int pipv4_flags = PIPV4_PASSTOS;
2475
2576
struct hash_element *he;
2478
hash_iterator_init (m->iter, &hi, true);
2579
hash_iterator_init (m->iter, &hi);
2479
2580
while ((he = hash_iterator_next (&hi)))
2481
2582
struct multi_instance *mi = (struct multi_instance *) he->value;
2509
2610
saddr.addr.in4.sin_port = htons (port);
2510
2611
if (mroute_extract_openvpn_sockaddr (&maddr, &saddr, true))
2512
hash_iterator_init (m->iter, &hi, true);
2613
hash_iterator_init (m->iter, &hi);
2513
2614
while ((he = hash_iterator_next (&hi)))
2515
2616
struct multi_instance *mi = (struct multi_instance *) he->value;