2
* OpenVPN -- An application to securely tunnel IP networks
3
* over a single TCP/UDP port, with support for SSL/TLS-based
4
* session authentication and key exchange,
5
* packet encryption, packet authentication, and
8
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
10
* This program is free software; you can redistribute it and/or modify
11
* it under the terms of the GNU General Public License version 2
12
* as published by the Free Software Foundation.
14
* This program is distributed in the hope that it will be useful,
15
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
* GNU General Public License for more details.
19
* You should have received a copy of the GNU General Public License
20
* along with this program (see the file COPYING included with this
21
* distribution); if not, write to the Free Software Foundation, Inc.,
22
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
37
#include "forward-inline.h"
38
#include "pf-inline.h"
40
/*#define MULTI_DEBUG_EVENT_LOOP*/
42
#ifdef MULTI_DEBUG_EVENT_LOOP
44
id (struct multi_instance *mi)
47
return tls_common_name (mi->context.c2.tls_multi, false);
53
#ifdef MANAGEMENT_DEF_AUTH
55
set_cc_config (struct multi_instance *mi, struct buffer_list *cc_config)
58
buffer_list_free (mi->cc_config);
59
mi->cc_config = cc_config;
64
learn_address_script (const struct multi_context *m,
65
const struct multi_instance *mi,
67
const struct mroute_addr *addr)
69
struct gc_arena gc = gc_new ();
72
struct plugin_list *plugins;
74
/* get environmental variable source */
75
if (mi && mi->context.c2.es)
76
es = mi->context.c2.es;
78
es = env_set_create (&gc);
80
/* get plugin source */
82
plugins = mi->context.plugins;
84
plugins = m->top.plugins;
86
if (plugin_defined (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS))
88
struct argv argv = argv_new ();
89
argv_printf (&argv, "%s %s",
91
mroute_addr_print (addr, &gc));
93
argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
94
if (plugin_call (plugins, OPENVPN_PLUGIN_LEARN_ADDRESS, &argv, NULL, es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
96
msg (M_WARN, "WARNING: learn-address plugin call failed");
102
if (m->top.options.learn_address_script)
104
struct argv argv = argv_new ();
105
setenv_str (es, "script_type", "learn-address");
106
argv_printf (&argv, "%sc %s %s",
107
m->top.options.learn_address_script,
109
mroute_addr_print (addr, &gc));
111
argv_printf_cat (&argv, "%s", tls_common_name (mi->context.c2.tls_multi, false));
112
if (!openvpn_run_script (&argv, es, 0, "--learn-address"))
122
multi_ifconfig_pool_persist (struct multi_context *m, bool force)
124
/* write pool data to file */
126
&& m->top.c1.ifconfig_pool_persist
127
&& (force || ifconfig_pool_write_trigger (m->top.c1.ifconfig_pool_persist)))
129
ifconfig_pool_write (m->top.c1.ifconfig_pool_persist, m->ifconfig_pool);
134
multi_reap_range (const struct multi_context *m,
138
struct gc_arena gc = gc_new ();
139
struct hash_iterator hi;
140
struct hash_element *he;
142
if (start_bucket < 0)
145
end_bucket = hash_n_buckets (m->vhash);
148
dmsg (D_MULTI_DEBUG, "MULTI: REAP range %d -> %d", start_bucket, end_bucket);
149
hash_iterator_init_range (m->vhash, &hi, start_bucket, end_bucket);
150
while ((he = hash_iterator_next (&hi)) != NULL)
152
struct multi_route *r = (struct multi_route *) he->value;
153
if (!multi_route_defined (m, r))
155
dmsg (D_MULTI_DEBUG, "MULTI: REAP DEL %s",
156
mroute_addr_print (&r->addr, &gc));
157
learn_address_script (m, NULL, "delete", &r->addr);
159
hash_iterator_delete_element (&hi);
162
hash_iterator_free (&hi);
167
multi_reap_all (const struct multi_context *m)
169
multi_reap_range (m, -1, 0);
172
static struct multi_reap *
173
multi_reap_new (int buckets_per_pass)
175
struct multi_reap *mr;
176
ALLOC_OBJ (mr, struct multi_reap);
178
mr->buckets_per_pass = buckets_per_pass;
184
multi_reap_process_dowork (const struct multi_context *m)
186
struct multi_reap *mr = m->reaper;
187
if (mr->bucket_base >= hash_n_buckets (m->vhash))
189
multi_reap_range (m, mr->bucket_base, mr->bucket_base + mr->buckets_per_pass);
190
mr->bucket_base += mr->buckets_per_pass;
195
multi_reap_free (struct multi_reap *mr)
201
* How many buckets in vhash to reap per pass.
204
reap_buckets_per_pass (int n_buckets)
206
return constrain_int (n_buckets / REAP_DIVISOR, REAP_MIN, REAP_MAX);
209
#ifdef MANAGEMENT_DEF_AUTH
212
cid_hash_function (const void *key, uint32_t iv)
214
const unsigned long *k = (const unsigned long *)key;
215
return (uint32_t) *k;
219
cid_compare_function (const void *key1, const void *key2)
221
const unsigned long *k1 = (const unsigned long *)key1;
222
const unsigned long *k2 = (const unsigned long *)key2;
229
* Main initialization function, init multi_context object.
232
multi_init (struct multi_context *m, struct context *t, bool tcp_mode, int thread_mode)
234
int dev = DEV_TYPE_UNDEF;
236
msg (D_MULTI_LOW, "MULTI: multi_init called, r=%d v=%d",
237
t->options.real_hash_size,
238
t->options.virtual_hash_size);
241
* Get tun/tap/null device type
243
dev = dev_type_enum (t->options.dev, t->options.dev_type);
246
* Init our multi_context object.
250
m->thread_mode = thread_mode;
253
* Real address hash table (source port number is
254
* considered to be part of the address). Used
255
* to determine which client sent an incoming packet
256
* which is seen on the TCP/UDP socket.
258
m->hash = hash_init (t->options.real_hash_size,
260
mroute_addr_hash_function,
261
mroute_addr_compare_function);
264
* Virtual address hash table. Used to determine
265
* which client to route a packet to.
267
m->vhash = hash_init (t->options.virtual_hash_size,
269
mroute_addr_hash_function,
270
mroute_addr_compare_function);
273
* This hash table is a clone of m->hash but with a
274
* bucket size of one so that it can be used
275
* for fast iteration through the list.
277
m->iter = hash_init (1,
279
mroute_addr_hash_function,
280
mroute_addr_compare_function);
282
#ifdef MANAGEMENT_DEF_AUTH
283
m->cid_hash = hash_init (t->options.real_hash_size,
286
cid_compare_function);
290
* This is our scheduler, for time-based wakeup
293
m->schedule = schedule_init ();
296
* Limit frequency of incoming connections to control
299
m->new_connection_limiter = frequency_limit_init (t->options.cf_max,
303
* Allocate broadcast/multicast buffer list
305
m->mbuf = mbuf_init (t->options.n_bcast_buf);
308
* Different status file format options are available
310
m->status_file_version = t->options.status_file_version;
313
* Possibly allocate an ifconfig pool, do it
314
* differently based on whether a tun or tap style
317
if (t->options.ifconfig_pool_defined)
319
int pool_type = IFCONFIG_POOL_INDIV;
321
if ( dev == DEV_TYPE_TUN && t->options.topology == TOP_NET30 )
322
pool_type = IFCONFIG_POOL_30NET;
324
m->ifconfig_pool = ifconfig_pool_init (pool_type,
325
t->options.ifconfig_pool_start,
326
t->options.ifconfig_pool_end,
327
t->options.duplicate_cn,
328
t->options.ifconfig_ipv6_pool_defined,
329
t->options.ifconfig_ipv6_pool_base,
330
t->options.ifconfig_ipv6_pool_netbits );
332
/* reload pool data from file */
333
if (t->c1.ifconfig_pool_persist)
334
ifconfig_pool_read (t->c1.ifconfig_pool_persist, m->ifconfig_pool);
338
* Help us keep track of routing table.
340
m->route_helper = mroute_helper_init (MULTI_CACHE_ROUTE_TTL);
343
* Initialize route and instance reaper.
345
m->reaper = multi_reap_new (reap_buckets_per_pass (t->options.virtual_hash_size));
348
* Get local ifconfig address
351
ASSERT (t->c1.tuntap);
352
mroute_extract_in_addr_t (&m->local, t->c1.tuntap->local);
357
m->max_clients = t->options.max_clients;
360
* Initialize multi-socket TCP I/O wait object
363
m->mtcp = multi_tcp_init (t->options.max_clients, &m->max_clients);
364
m->tcp_queue_limit = t->options.tcp_queue_limit;
367
* Allow client <-> client communication, without going through
368
* tun/tap interface and network stack?
370
m->enable_c2c = t->options.enable_c2c;
374
multi_instance_string (const struct multi_instance *mi, bool null, struct gc_arena *gc)
378
struct buffer out = alloc_buf_gc (256, gc);
379
const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
382
buf_printf (&out, "%s/", cn);
383
buf_printf (&out, "%s", mroute_addr_print (&mi->real, gc));
393
generate_prefix (struct multi_instance *mi)
395
mi->msg_prefix = multi_instance_string (mi, true, &mi->gc);
400
ungenerate_prefix (struct multi_instance *mi)
402
mi->msg_prefix = NULL;
407
mi_prefix (const struct multi_instance *mi)
409
if (mi && mi->msg_prefix)
410
return mi->msg_prefix;
416
* Tell the route helper about deleted iroutes so
417
* that it can update its mask of currently used
421
multi_del_iroutes (struct multi_context *m,
422
struct multi_instance *mi)
424
const struct iroute *ir;
425
const struct iroute_ipv6 *ir6;
426
if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
428
for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
429
mroute_helper_del_iroute (m->route_helper, ir);
431
for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next )
432
mroute_helper_del_iroute6 (m->route_helper, ir6);
437
setenv_stats (struct context *c)
439
setenv_counter (c->c2.es, "bytes_received", c->c2.link_read_bytes);
440
setenv_counter (c->c2.es, "bytes_sent", c->c2.link_write_bytes);
444
multi_client_disconnect_setenv (struct multi_context *m,
445
struct multi_instance *mi)
447
/* setenv client real IP address */
448
setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
451
setenv_stats (&mi->context);
453
/* setenv connection duration */
455
const unsigned int duration = (unsigned int) now - mi->created;
456
setenv_unsigned (mi->context.c2.es, "time_duration", duration);
461
multi_client_disconnect_script (struct multi_context *m,
462
struct multi_instance *mi)
464
if ((mi->context.c2.context_auth == CAS_SUCCEEDED && mi->connection_established_flag)
465
|| mi->context.c2.context_auth == CAS_PARTIAL)
467
multi_client_disconnect_setenv (m, mi);
469
if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT))
471
if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_DISCONNECT, NULL, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
472
msg (M_WARN, "WARNING: client-disconnect plugin call failed");
475
if (mi->context.options.client_disconnect_script)
477
struct argv argv = argv_new ();
478
setenv_str (mi->context.c2.es, "script_type", "client-disconnect");
479
argv_printf (&argv, "%sc", mi->context.options.client_disconnect_script);
480
openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-disconnect");
483
#ifdef MANAGEMENT_DEF_AUTH
485
management_notify_client_close (management, &mi->context.c2.mda_context, mi->context.c2.es);
492
multi_close_instance (struct multi_context *m,
493
struct multi_instance *mi,
496
perf_push (PERF_MULTI_CLOSE_INSTANCE);
501
dmsg (D_MULTI_DEBUG, "MULTI: multi_close_instance called");
503
/* adjust current client connection count */
504
m->n_clients += mi->n_clients_delta;
505
mi->n_clients_delta = 0;
507
/* prevent dangling pointers */
508
if (m->pending == mi)
509
multi_set_pending (m, NULL);
510
if (m->earliest_wakeup == mi)
511
m->earliest_wakeup = NULL;
515
if (mi->did_real_hash)
517
ASSERT (hash_remove (m->hash, &mi->real));
521
ASSERT (hash_remove (m->iter, &mi->real));
523
#ifdef MANAGEMENT_DEF_AUTH
524
if (mi->did_cid_hash)
526
ASSERT (hash_remove (m->cid_hash, &mi->context.c2.mda_context.cid));
530
schedule_remove_entry (m->schedule, (struct schedule_entry *) mi);
532
ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, false);
536
multi_del_iroutes (m, mi);
537
mi->did_iroutes = false;
541
multi_tcp_dereference_instance (m->mtcp, mi);
543
mbuf_dereference_instance (m->mbuf, mi);
546
#ifdef MANAGEMENT_DEF_AUTH
547
set_cc_config (mi, NULL);
550
multi_client_disconnect_script (m, mi);
552
if (mi->did_open_context)
553
close_context (&mi->context, SIGTERM, CC_GC_FREE);
555
multi_tcp_instance_specific_free (mi);
557
ungenerate_prefix (mi);
560
* Don't actually delete the instance memory allocation yet,
561
* because virtual routes may still point to it. Let the
562
* vhash reaper deal with it.
564
multi_instance_dec_refcount (mi);
570
* Called on shutdown or restart.
573
multi_uninit (struct multi_context *m)
575
if (m->thread_mode & MC_WORK_THREAD)
578
m->thread_mode = MC_UNDEF;
580
else if (m->thread_mode)
584
struct hash_iterator hi;
585
struct hash_element *he;
587
hash_iterator_init (m->iter, &hi);
588
while ((he = hash_iterator_next (&hi)))
590
struct multi_instance *mi = (struct multi_instance *) he->value;
591
mi->did_iter = false;
592
multi_close_instance (m, mi, true);
594
hash_iterator_free (&hi);
599
hash_free (m->vhash);
601
#ifdef MANAGEMENT_DEF_AUTH
602
hash_free (m->cid_hash);
606
schedule_free (m->schedule);
608
ifconfig_pool_free (m->ifconfig_pool);
609
frequency_limit_free (m->new_connection_limiter);
610
multi_reap_free (m->reaper);
611
mroute_helper_free (m->route_helper);
612
multi_tcp_free (m->mtcp);
613
m->thread_mode = MC_UNDEF;
619
* Create a client instance object for a newly connected client.
621
struct multi_instance *
622
multi_create_instance (struct multi_context *m, const struct mroute_addr *real)
624
struct gc_arena gc = gc_new ();
625
struct multi_instance *mi;
627
perf_push (PERF_MULTI_CREATE_INSTANCE);
629
msg (D_MULTI_LOW, "MULTI: multi_create_instance called");
631
ALLOC_OBJ_CLEAR (mi, struct multi_instance);
634
multi_instance_inc_refcount (mi);
635
mi->vaddr_handle = -1;
637
mroute_addr_init (&mi->real);
642
generate_prefix (mi);
645
mi->did_open_context = true;
646
inherit_context_child (&mi->context, &m->top);
647
if (IS_SIG (&mi->context))
650
mi->context.c2.context_auth = CAS_PENDING;
652
if (hash_n_elements (m->hash) >= m->max_clients)
654
msg (D_MULTI_ERRORS, "MULTI: new incoming connection would exceed maximum number of clients (%d)", m->max_clients);
658
if (!real) /* TCP mode? */
660
if (!multi_tcp_instance_specific_init (m, mi))
662
generate_prefix (mi);
665
if (!hash_add (m->iter, &mi->real, mi, false))
667
msg (D_MULTI_LOW, "MULTI: unable to add real address [%s] to iterator hash table",
668
mroute_addr_print (&mi->real, &gc));
673
#ifdef MANAGEMENT_DEF_AUTH
675
mi->context.c2.mda_context.cid = m->cid_counter++;
676
} while (!hash_add (m->cid_hash, &mi->context.c2.mda_context.cid, mi, false));
677
mi->did_cid_hash = true;
680
mi->context.c2.push_reply_deferred = true;
682
if (!multi_process_post (m, mi, MPP_PRE_SELECT))
684
msg (D_MULTI_ERRORS, "MULTI: signal occurred during client instance initialization");
693
multi_close_instance (m, mi, false);
700
* Dump tables -- triggered by SIGUSR2.
701
* If status file is defined, write to file.
702
* If status file is NULL, write to syslog.
705
multi_print_status (struct multi_context *m, struct status_output *so, const int version)
709
struct gc_arena gc_top = gc_new ();
710
struct hash_iterator hi;
711
const struct hash_element *he;
715
if (version == 1) /* WAS: m->status_file_version */
718
* Status file version 1
720
status_printf (so, "OpenVPN CLIENT LIST");
721
status_printf (so, "Updated,%s", time_string (0, 0, false, &gc_top));
722
status_printf (so, "Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since");
723
hash_iterator_init (m->hash, &hi);
724
while ((he = hash_iterator_next (&hi)))
726
struct gc_arena gc = gc_new ();
727
const struct multi_instance *mi = (struct multi_instance *) he->value;
731
status_printf (so, "%s,%s," counter_format "," counter_format ",%s",
732
tls_common_name (mi->context.c2.tls_multi, false),
733
mroute_addr_print (&mi->real, &gc),
734
mi->context.c2.link_read_bytes,
735
mi->context.c2.link_write_bytes,
736
time_string (mi->created, 0, false, &gc));
740
hash_iterator_free (&hi);
742
status_printf (so, "ROUTING TABLE");
743
status_printf (so, "Virtual Address,Common Name,Real Address,Last Ref");
744
hash_iterator_init (m->vhash, &hi);
745
while ((he = hash_iterator_next (&hi)))
747
struct gc_arena gc = gc_new ();
748
const struct multi_route *route = (struct multi_route *) he->value;
750
if (multi_route_defined (m, route))
752
const struct multi_instance *mi = route->instance;
753
const struct mroute_addr *ma = &route->addr;
754
char flags[2] = {0, 0};
756
if (route->flags & MULTI_ROUTE_CACHE)
758
status_printf (so, "%s%s,%s,%s,%s",
759
mroute_addr_print (ma, &gc),
761
tls_common_name (mi->context.c2.tls_multi, false),
762
mroute_addr_print (&mi->real, &gc),
763
time_string (route->last_reference, 0, false, &gc));
767
hash_iterator_free (&hi);
769
status_printf (so, "GLOBAL STATS");
771
status_printf (so, "Max bcast/mcast queue length,%d",
772
mbuf_maximum_queued (m->mbuf));
774
status_printf (so, "END");
776
else if (version == 2 || version == 3)
778
const char sep = (version == 3) ? '\t' : ',';
781
* Status file version 2 and 3
783
status_printf (so, "TITLE%c%s", sep, title_string);
784
status_printf (so, "TIME%c%s%c%u", sep, time_string (now, 0, false, &gc_top), sep, (unsigned int)now);
785
status_printf (so, "HEADER%cCLIENT_LIST%cCommon Name%cReal Address%cVirtual Address%cBytes Received%cBytes Sent%cConnected Since%cConnected Since (time_t)",
786
sep, sep, sep, sep, sep, sep, sep, sep);
787
hash_iterator_init (m->hash, &hi);
788
while ((he = hash_iterator_next (&hi)))
790
struct gc_arena gc = gc_new ();
791
const struct multi_instance *mi = (struct multi_instance *) he->value;
795
status_printf (so, "CLIENT_LIST%c%s%c%s%c%s%c" counter_format "%c" counter_format "%c%s%c%u",
796
sep, tls_common_name (mi->context.c2.tls_multi, false),
797
sep, mroute_addr_print (&mi->real, &gc),
798
sep, print_in_addr_t (mi->reporting_addr, IA_EMPTY_IF_UNDEF, &gc),
799
sep, mi->context.c2.link_read_bytes,
800
sep, mi->context.c2.link_write_bytes,
801
sep, time_string (mi->created, 0, false, &gc),
802
sep, (unsigned int)mi->created);
806
hash_iterator_free (&hi);
808
status_printf (so, "HEADER%cROUTING_TABLE%cVirtual Address%cCommon Name%cReal Address%cLast Ref%cLast Ref (time_t)",
809
sep, sep, sep, sep, sep, sep);
810
hash_iterator_init (m->vhash, &hi);
811
while ((he = hash_iterator_next (&hi)))
813
struct gc_arena gc = gc_new ();
814
const struct multi_route *route = (struct multi_route *) he->value;
816
if (multi_route_defined (m, route))
818
const struct multi_instance *mi = route->instance;
819
const struct mroute_addr *ma = &route->addr;
820
char flags[2] = {0, 0};
822
if (route->flags & MULTI_ROUTE_CACHE)
824
status_printf (so, "ROUTING_TABLE%c%s%s%c%s%c%s%c%s%c%u",
825
sep, mroute_addr_print (ma, &gc), flags,
826
sep, tls_common_name (mi->context.c2.tls_multi, false),
827
sep, mroute_addr_print (&mi->real, &gc),
828
sep, time_string (route->last_reference, 0, false, &gc),
829
sep, (unsigned int)route->last_reference);
833
hash_iterator_free (&hi);
836
status_printf (so, "GLOBAL_STATS%cMax bcast/mcast queue length%c%d",
837
sep, sep, mbuf_maximum_queued (m->mbuf));
839
status_printf (so, "END");
843
status_printf (so, "ERROR: bad status format version number");
846
#ifdef PACKET_TRUNCATION_CHECK
848
status_printf (so, "HEADER,ERRORS,Common Name,TUN Read Trunc,TUN Write Trunc,Pre-encrypt Trunc,Post-decrypt Trunc");
849
hash_iterator_init (m->hash, &hi);
850
while ((he = hash_iterator_next (&hi)))
852
struct gc_arena gc = gc_new ();
853
const struct multi_instance *mi = (struct multi_instance *) he->value;
857
status_printf (so, "ERRORS,%s," counter_format "," counter_format "," counter_format "," counter_format,
858
tls_common_name (mi->context.c2.tls_multi, false),
859
m->top.c2.n_trunc_tun_read,
860
mi->context.c2.n_trunc_tun_write,
861
mi->context.c2.n_trunc_pre_encrypt,
862
mi->context.c2.n_trunc_post_decrypt);
866
hash_iterator_free (&hi);
876
* Learn a virtual address or route.
877
* The learn will fail if the learn address
878
* script/plugin fails. In this case the
879
* return value may be != mi.
880
* Return the instance which owns this route,
883
static struct multi_instance *
884
multi_learn_addr (struct multi_context *m,
885
struct multi_instance *mi,
886
const struct mroute_addr *addr,
887
const unsigned int flags)
889
struct hash_element *he;
890
const uint32_t hv = hash_value (m->vhash, addr);
891
struct hash_bucket *bucket = hash_bucket (m->vhash, hv);
892
struct multi_route *oldroute = NULL;
893
struct multi_instance *owner = NULL;
895
/* if route currently exists, get the instance which owns it */
896
he = hash_lookup_fast (m->vhash, bucket, addr, hv);
898
oldroute = (struct multi_route *) he->value;
899
if (oldroute && multi_route_defined (m, oldroute))
900
owner = oldroute->instance;
902
/* do we need to add address to hash table? */
903
if ((!owner || owner != mi)
904
&& mroute_learnable_address (addr)
905
&& !mroute_addr_equal (addr, &m->local))
907
struct gc_arena gc = gc_new ();
908
struct multi_route *newroute;
909
bool learn_succeeded = false;
911
ALLOC_OBJ (newroute, struct multi_route);
912
newroute->addr = *addr;
913
newroute->instance = mi;
914
newroute->flags = flags;
915
newroute->last_reference = now;
916
newroute->cache_generation = 0;
918
/* The cache is invalidated when cache_generation is incremented */
919
if (flags & MULTI_ROUTE_CACHE)
920
newroute->cache_generation = m->route_helper->cache_generation;
922
if (oldroute) /* route already exists? */
924
if (route_quota_test (m, mi) && learn_address_script (m, mi, "update", &newroute->addr))
926
learn_succeeded = true;
928
multi_instance_inc_refcount (mi);
929
route_quota_inc (mi);
931
/* delete old route */
932
multi_route_del (oldroute);
934
/* modify hash table entry, replacing old route */
935
he->key = &newroute->addr;
936
he->value = newroute;
941
if (route_quota_test (m, mi) && learn_address_script (m, mi, "add", &newroute->addr))
943
learn_succeeded = true;
945
multi_instance_inc_refcount (mi);
946
route_quota_inc (mi);
949
hash_add_fast (m->vhash, bucket, &newroute->addr, hv, newroute);
953
msg (D_MULTI_LOW, "MULTI: Learn%s: %s -> %s",
954
learn_succeeded ? "" : " FAILED",
955
mroute_addr_print (&newroute->addr, &gc),
956
multi_instance_string (mi, false, &gc));
958
if (!learn_succeeded)
968
* Get client instance based on virtual address.
970
static struct multi_instance *
971
multi_get_instance_by_virtual_addr (struct multi_context *m,
972
const struct mroute_addr *addr,
975
struct multi_route *route;
976
struct multi_instance *ret = NULL;
978
/* check for local address */
979
if (mroute_addr_equal (addr, &m->local))
982
route = (struct multi_route *) hash_lookup (m->vhash, addr);
984
/* does host route (possible cached) exist? */
985
if (route && multi_route_defined (m, route))
987
struct multi_instance *mi = route->instance;
988
route->last_reference = now;
991
else if (cidr_routing) /* do we need to regenerate a host route cache entry? */
993
struct mroute_helper *rh = m->route_helper;
994
struct mroute_addr tryaddr;
997
/* cycle through each CIDR length */
998
for (i = 0; i < rh->n_net_len; ++i)
1001
tryaddr.type |= MR_WITH_NETBITS;
1002
tryaddr.netbits = rh->net_len[i];
1003
mroute_addr_mask_host_bits (&tryaddr);
1005
/* look up a possible route with netbits netmask */
1006
route = (struct multi_route *) hash_lookup (m->vhash, &tryaddr);
1008
if (route && multi_route_defined (m, route))
1010
/* found an applicable route, cache host route */
1011
struct multi_instance *mi = route->instance;
1012
multi_learn_addr (m, mi, addr, MULTI_ROUTE_CACHE|MULTI_ROUTE_AGEABLE);
1020
if (check_debug_level (D_MULTI_DEBUG))
1022
struct gc_arena gc = gc_new ();
1023
const char *addr_text = mroute_addr_print (addr, &gc);
1026
dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s -> %s via %s",
1028
multi_instance_string (ret, false, &gc),
1029
mroute_addr_print (&route->addr, &gc));
1033
dmsg (D_MULTI_DEBUG, "GET INST BY VIRT: %s [failed]",
1040
ASSERT (!(ret && ret->halt));
1045
* Helper function to multi_learn_addr().
1047
static struct multi_instance *
1048
multi_learn_in_addr_t (struct multi_context *m,
1049
struct multi_instance *mi,
1051
int netbits, /* -1 if host route, otherwise # of network bits in address */
1054
struct openvpn_sockaddr remote_si;
1055
struct mroute_addr addr;
1058
remote_si.addr.in4.sin_family = AF_INET;
1059
remote_si.addr.in4.sin_addr.s_addr = htonl (a);
1060
ASSERT (mroute_extract_openvpn_sockaddr (&addr, &remote_si, false));
1064
addr.type |= MR_WITH_NETBITS;
1065
addr.netbits = (uint8_t) netbits;
1069
struct multi_instance *owner = multi_learn_addr (m, mi, &addr, 0);
1070
#ifdef MANAGEMENT_DEF_AUTH
1071
if (management && owner)
1072
management_learn_addr (management, &mi->context.c2.mda_context, &addr, primary);
1078
static struct multi_instance *
1079
multi_learn_in6_addr (struct multi_context *m,
1080
struct multi_instance *mi,
1082
int netbits, /* -1 if host route, otherwise # of network bits in address */
1085
struct mroute_addr addr;
1088
addr.type = MR_ADDR_IPV6;
1090
memcpy( &addr.addr, &a6, sizeof(a6) );
1094
addr.type |= MR_WITH_NETBITS;
1095
addr.netbits = (uint8_t) netbits;
1096
mroute_addr_mask_host_bits( &addr );
1100
struct multi_instance *owner = multi_learn_addr (m, mi, &addr, 0);
1101
#ifdef MANAGEMENT_DEF_AUTH
1102
if (management && owner)
1103
management_learn_addr (management, &mi->context.c2.mda_context, &addr, primary);
1110
* A new client has connected, add routes (server -> client)
1111
* to internal routing table.
1114
multi_add_iroutes (struct multi_context *m,
1115
struct multi_instance *mi)
1117
struct gc_arena gc = gc_new ();
1118
const struct iroute *ir;
1119
const struct iroute_ipv6 *ir6;
1120
if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1122
mi->did_iroutes = true;
1123
for (ir = mi->context.options.iroutes; ir != NULL; ir = ir->next)
1125
if (ir->netbits >= 0)
1126
msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1127
print_in_addr_t (ir->network, 0, &gc),
1129
multi_instance_string (mi, false, &gc));
1131
msg (D_MULTI_LOW, "MULTI: internal route %s -> %s",
1132
print_in_addr_t (ir->network, 0, &gc),
1133
multi_instance_string (mi, false, &gc));
1135
mroute_helper_add_iroute (m->route_helper, ir);
1137
multi_learn_in_addr_t (m, mi, ir->network, ir->netbits, false);
1139
for ( ir6 = mi->context.options.iroutes_ipv6; ir6 != NULL; ir6 = ir6->next )
1141
if (ir6->netbits >= 0)
1142
msg (D_MULTI_LOW, "MULTI: internal route %s/%d -> %s",
1143
print_in6_addr (ir6->network, 0, &gc),
1145
multi_instance_string (mi, false, &gc));
1147
msg (D_MULTI_LOW, "MULTI: internal route %s -> %s",
1148
print_in6_addr (ir6->network, 0, &gc),
1149
multi_instance_string (mi, false, &gc));
1151
mroute_helper_add_iroute6 (m->route_helper, ir6);
1153
multi_learn_in6_addr (m, mi, ir6->network, ir6->netbits, false);
1160
* Given an instance (new_mi), delete all other instances which use the
1164
multi_delete_dup (struct multi_context *m, struct multi_instance *new_mi)
1168
const char *new_cn = tls_common_name (new_mi->context.c2.tls_multi, true);
1171
struct hash_iterator hi;
1172
struct hash_element *he;
1175
hash_iterator_init (m->iter, &hi);
1176
while ((he = hash_iterator_next (&hi)))
1178
struct multi_instance *mi = (struct multi_instance *) he->value;
1179
if (mi != new_mi && !mi->halt)
1181
const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
1182
if (cn && !strcmp (cn, new_cn))
1184
mi->did_iter = false;
1185
multi_close_instance (m, mi, false);
1186
hash_iterator_delete_element (&hi);
1191
hash_iterator_free (&hi);
1194
msg (D_MULTI_LOW, "MULTI: new connection by client '%s' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.", new_cn);
1200
* Ensure that endpoint to be pushed to client
1201
* complies with --ifconfig-push-constraint directive.
1204
ifconfig_push_constraint_satisfied (const struct context *c)
1206
const struct options *o = &c->options;
1207
if (o->push_ifconfig_constraint_defined && c->c2.push_ifconfig_defined)
1208
return (o->push_ifconfig_constraint_netmask & c->c2.push_ifconfig_local) == o->push_ifconfig_constraint_network;
1214
* Select a virtual address for a new client instance.
1215
* Use an --ifconfig-push directive, if given (static IP).
1216
* Otherwise use an --ifconfig-pool address (dynamic IP).
1219
multi_select_virtual_addr (struct multi_context *m, struct multi_instance *mi)
1221
struct gc_arena gc = gc_new ();
1224
* If ifconfig addresses were set by dynamic config file,
1225
* release pool addresses, otherwise keep them.
1227
if (mi->context.options.push_ifconfig_defined)
1229
/* ifconfig addresses were set statically,
1230
release dynamic allocation */
1231
if (mi->vaddr_handle >= 0)
1233
ifconfig_pool_release (m->ifconfig_pool, mi->vaddr_handle, true);
1234
mi->vaddr_handle = -1;
1237
mi->context.c2.push_ifconfig_defined = true;
1238
mi->context.c2.push_ifconfig_local = mi->context.options.push_ifconfig_local;
1239
mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.push_ifconfig_remote_netmask;
1241
/* the current implementation does not allow "static IPv4, pool IPv6",
1242
* (see below) so issue a warning if that happens - don't break the
1243
* session, though, as we don't even know if this client WANTS IPv6
1245
if ( mi->context.c1.tuntap->ipv6 &&
1246
mi->context.options.ifconfig_ipv6_pool_defined &&
1247
! mi->context.options.push_ifconfig_ipv6_defined )
1249
msg( M_INFO, "MULTI_sva: WARNING: if --ifconfig-push is used for IPv4, automatic IPv6 assignment from --ifconfig-ipv6-pool does not work. Use --ifconfig-ipv6-push for IPv6 then." );
1252
else if (m->ifconfig_pool && mi->vaddr_handle < 0) /* otherwise, choose a pool address */
1254
in_addr_t local=0, remote=0;
1255
struct in6_addr remote_ipv6;
1256
const char *cn = NULL;
1258
if (!mi->context.options.duplicate_cn)
1259
cn = tls_common_name (mi->context.c2.tls_multi, true);
1261
mi->vaddr_handle = ifconfig_pool_acquire (m->ifconfig_pool, &local, &remote, &remote_ipv6, cn);
1262
if (mi->vaddr_handle >= 0)
1264
const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1265
const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1267
msg( M_INFO, "MULTI_sva: pool returned IPv4=%s, IPv6=%s",
1268
print_in_addr_t( remote, 0, &gc ),
1269
print_in6_addr( remote_ipv6, 0, &gc ) );
1271
/* set push_ifconfig_remote_netmask from pool ifconfig address(es) */
1272
mi->context.c2.push_ifconfig_local = remote;
1273
if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1275
mi->context.c2.push_ifconfig_remote_netmask = mi->context.options.ifconfig_pool_netmask;
1276
if (!mi->context.c2.push_ifconfig_remote_netmask)
1277
mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->remote_netmask;
1279
else if (tunnel_type == DEV_TYPE_TUN)
1281
if (tunnel_topology == TOP_P2P)
1282
mi->context.c2.push_ifconfig_remote_netmask = mi->context.c1.tuntap->local;
1283
else if (tunnel_topology == TOP_NET30)
1284
mi->context.c2.push_ifconfig_remote_netmask = local;
1287
if (mi->context.c2.push_ifconfig_remote_netmask)
1288
mi->context.c2.push_ifconfig_defined = true;
1290
msg (D_MULTI_ERRORS, "MULTI: no --ifconfig-pool netmask parameter is available to push to %s",
1291
multi_instance_string (mi, false, &gc));
1293
if ( mi->context.options.ifconfig_ipv6_pool_defined )
1295
mi->context.c2.push_ifconfig_ipv6_local = remote_ipv6;
1296
mi->context.c2.push_ifconfig_ipv6_remote =
1297
mi->context.c1.tuntap->local_ipv6;
1298
mi->context.c2.push_ifconfig_ipv6_netbits =
1299
mi->context.options.ifconfig_ipv6_pool_netbits;
1300
mi->context.c2.push_ifconfig_ipv6_defined = true;
1305
msg (D_MULTI_ERRORS, "MULTI: no free --ifconfig-pool addresses are available");
1309
/* IPv6 push_ifconfig is a bit problematic - since IPv6 shares the
1310
* pool handling with IPv4, the combination "static IPv4, dynamic IPv6"
1311
* will fail (because no pool will be allocated in this case).
1312
* OTOH, this doesn't make too much sense in reality - and the other
1313
* way round ("dynamic IPv4, static IPv6") or "both static" makes sense
1314
* -> and so it's implemented right now
1316
if ( mi->context.c1.tuntap->ipv6 &&
1317
mi->context.options.push_ifconfig_ipv6_defined )
1319
mi->context.c2.push_ifconfig_ipv6_local =
1320
mi->context.options.push_ifconfig_ipv6_local;
1321
mi->context.c2.push_ifconfig_ipv6_remote =
1322
mi->context.options.push_ifconfig_ipv6_remote;
1323
mi->context.c2.push_ifconfig_ipv6_netbits =
1324
mi->context.options.push_ifconfig_ipv6_netbits;
1325
mi->context.c2.push_ifconfig_ipv6_defined = true;
1327
msg( M_INFO, "MULTI_sva: push_ifconfig_ipv6 %s/%d",
1328
print_in6_addr( mi->context.c2.push_ifconfig_ipv6_local, 0, &gc ),
1329
mi->context.c2.push_ifconfig_ipv6_netbits );
1336
* Set virtual address environmental variables.
1339
multi_set_virtual_addr_env (struct multi_context *m, struct multi_instance *mi)
1341
setenv_del (mi->context.c2.es, "ifconfig_pool_local_ip");
1342
setenv_del (mi->context.c2.es, "ifconfig_pool_remote_ip");
1343
setenv_del (mi->context.c2.es, "ifconfig_pool_netmask");
1345
if (mi->context.c2.push_ifconfig_defined)
1347
const int tunnel_type = TUNNEL_TYPE (mi->context.c1.tuntap);
1348
const int tunnel_topology = TUNNEL_TOPOLOGY (mi->context.c1.tuntap);
1350
setenv_in_addr_t (mi->context.c2.es,
1351
"ifconfig_pool_remote_ip",
1352
mi->context.c2.push_ifconfig_local,
1355
if (tunnel_type == DEV_TYPE_TAP || (tunnel_type == DEV_TYPE_TUN && tunnel_topology == TOP_SUBNET))
1357
setenv_in_addr_t (mi->context.c2.es,
1358
"ifconfig_pool_netmask",
1359
mi->context.c2.push_ifconfig_remote_netmask,
1362
else if (tunnel_type == DEV_TYPE_TUN)
1364
setenv_in_addr_t (mi->context.c2.es,
1365
"ifconfig_pool_local_ip",
1366
mi->context.c2.push_ifconfig_remote_netmask,
1371
/* TODO: I'm not exactly sure what these environment variables are
1372
* used for, but if we have them for IPv4, we should also have
1373
* them for IPv6, no?
1378
* Called after client-connect script is called
1381
multi_client_connect_post (struct multi_context *m,
1382
struct multi_instance *mi,
1383
const char *dc_file,
1384
unsigned int option_permissions_mask,
1385
unsigned int *option_types_found)
1387
/* Did script generate a dynamic config file? */
1388
if (test_file (dc_file))
1390
options_server_import (&mi->context.options,
1392
D_IMPORT_ERRORS|M_OPTERR,
1393
option_permissions_mask,
1397
if (!delete_file (dc_file))
1398
msg (D_MULTI_ERRORS, "MULTI: problem deleting temporary file: %s",
1402
* If the --client-connect script generates a config file
1403
* with an --ifconfig-push directive, it will override any
1404
* --ifconfig-push directive from the --client-config-dir
1405
* directory or any --ifconfig-pool dynamic address.
1407
multi_select_virtual_addr (m, mi);
1408
multi_set_virtual_addr_env (m, mi);
1412
#ifdef ENABLE_PLUGIN
1415
* Called after client-connect plug-in is called
1418
multi_client_connect_post_plugin (struct multi_context *m,
1419
struct multi_instance *mi,
1420
const struct plugin_return *pr,
1421
unsigned int option_permissions_mask,
1422
unsigned int *option_types_found)
1424
struct plugin_return config;
1426
plugin_return_get_column (pr, &config, "config");
1428
/* Did script generate a dynamic config file? */
1429
if (plugin_return_defined (&config))
1432
for (i = 0; i < config.n; ++i)
1434
if (config.list[i] && config.list[i]->value)
1435
options_string_import (&mi->context.options,
1436
config.list[i]->value,
1437
D_IMPORT_ERRORS|M_OPTERR,
1438
option_permissions_mask,
1444
* If the --client-connect script generates a config file
1445
* with an --ifconfig-push directive, it will override any
1446
* --ifconfig-push directive from the --client-config-dir
1447
* directory or any --ifconfig-pool dynamic address.
1449
multi_select_virtual_addr (m, mi);
1450
multi_set_virtual_addr_env (m, mi);
1456
#ifdef MANAGEMENT_DEF_AUTH
1459
* Called to load management-derived client-connect config
1462
multi_client_connect_mda (struct multi_context *m,
1463
struct multi_instance *mi,
1464
const struct buffer_list *config,
1465
unsigned int option_permissions_mask,
1466
unsigned int *option_types_found)
1470
struct buffer_entry *be;
1472
for (be = config->head; be != NULL; be = be->next)
1474
const char *opt = BSTR(&be->buf);
1475
options_string_import (&mi->context.options,
1477
D_IMPORT_ERRORS|M_OPTERR,
1478
option_permissions_mask,
1484
* If the --client-connect script generates a config file
1485
* with an --ifconfig-push directive, it will override any
1486
* --ifconfig-push directive from the --client-config-dir
1487
* directory or any --ifconfig-pool dynamic address.
1489
multi_select_virtual_addr (m, mi);
1490
multi_set_virtual_addr_env (m, mi);
1497
multi_client_connect_setenv (struct multi_context *m,
1498
struct multi_instance *mi)
1500
struct gc_arena gc = gc_new ();
1502
/* setenv incoming cert common name for script */
1503
setenv_str (mi->context.c2.es, "common_name", tls_common_name (mi->context.c2.tls_multi, true));
1505
/* setenv client real IP address */
1506
setenv_trusted (mi->context.c2.es, get_link_socket_info (&mi->context));
1508
/* setenv client virtual IP address */
1509
multi_set_virtual_addr_env (m, mi);
1511
/* setenv connection time */
1513
const char *created_ascii = time_string (mi->created, 0, false, &gc);
1514
setenv_str (mi->context.c2.es, "time_ascii", created_ascii);
1515
setenv_unsigned (mi->context.c2.es, "time_unix", (unsigned int)mi->created);
1522
* Called as soon as the SSL/TLS connection authenticates.
1524
* Instance-specific directives to be processed:
1526
* iroute start-ip end-ip
1527
* ifconfig-push local remote-netmask
1531
multi_connection_established (struct multi_context *m, struct multi_instance *mi)
1533
if (tls_authentication_status (mi->context.c2.tls_multi, 0) == TLS_AUTHENTICATION_SUCCEEDED)
1535
struct gc_arena gc = gc_new ();
1536
unsigned int option_types_found = 0;
1538
const unsigned int option_permissions_mask =
1548
int cc_succeeded = true; /* client connect script status */
1549
int cc_succeeded_count = 0;
1551
ASSERT (mi->context.c1.tuntap);
1553
/* lock down the common name and cert hashes so they can't change during future TLS renegotiations */
1554
tls_lock_common_name (mi->context.c2.tls_multi);
1555
tls_lock_cert_hash_set (mi->context.c2.tls_multi);
1557
/* generate a msg() prefix for this client instance */
1558
generate_prefix (mi);
1560
/* delete instances of previous clients with same common-name */
1561
if (!mi->context.options.duplicate_cn)
1562
multi_delete_dup (m, mi);
1564
/* reset pool handle to null */
1565
mi->vaddr_handle = -1;
1568
* Try to source a dynamic config file from the
1569
* --client-config-dir directory.
1571
if (mi->context.options.client_config_dir)
1573
const char *ccd_file;
1575
ccd_file = gen_path (mi->context.options.client_config_dir,
1576
tls_common_name (mi->context.c2.tls_multi, false),
1579
/* try common-name file */
1580
if (test_file (ccd_file))
1582
options_server_import (&mi->context.options,
1584
D_IMPORT_ERRORS|M_OPTERR,
1585
option_permissions_mask,
1586
&option_types_found,
1589
else /* try default file */
1591
ccd_file = gen_path (mi->context.options.client_config_dir,
1595
if (test_file (ccd_file))
1597
options_server_import (&mi->context.options,
1599
D_IMPORT_ERRORS|M_OPTERR,
1600
option_permissions_mask,
1601
&option_types_found,
1608
* Select a virtual address from either --ifconfig-push in --client-config-dir file
1609
* or --ifconfig-pool.
1611
multi_select_virtual_addr (m, mi);
1613
/* do --client-connect setenvs */
1614
multi_client_connect_setenv (m, mi);
1616
#ifdef ENABLE_PLUGIN
1618
* Call client-connect plug-in.
1621
/* deprecated callback, use a file for passing back return info */
1622
if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT))
1624
struct argv argv = argv_new ();
1625
const char *dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
1628
cc_succeeded = false;
1629
goto script_depr_failed;
1632
argv_printf (&argv, "%s", dc_file);
1633
if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT, &argv, NULL, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1635
msg (M_WARN, "WARNING: client-connect plugin call failed");
1636
cc_succeeded = false;
1640
multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1641
++cc_succeeded_count;
1647
/* V2 callback, use a plugin_return struct for passing back return info */
1648
if (plugin_defined (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2))
1650
struct plugin_return pr;
1652
plugin_return_init (&pr);
1654
if (plugin_call (mi->context.plugins, OPENVPN_PLUGIN_CLIENT_CONNECT_V2, NULL, &pr, mi->context.c2.es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
1656
msg (M_WARN, "WARNING: client-connect-v2 plugin call failed");
1657
cc_succeeded = false;
1661
multi_client_connect_post_plugin (m, mi, &pr, option_permissions_mask, &option_types_found);
1662
++cc_succeeded_count;
1665
plugin_return_free (&pr);
1670
* Run --client-connect script.
1672
if (mi->context.options.client_connect_script && cc_succeeded)
1674
struct argv argv = argv_new ();
1675
const char *dc_file = NULL;
1677
setenv_str (mi->context.c2.es, "script_type", "client-connect");
1679
dc_file = create_temp_file (mi->context.options.tmp_dir, "cc", &gc);
1681
cc_succeeded = false;
1685
argv_printf (&argv, "%sc %s",
1686
mi->context.options.client_connect_script,
1689
if (openvpn_run_script (&argv, mi->context.c2.es, 0, "--client-connect"))
1691
multi_client_connect_post (m, mi, dc_file, option_permissions_mask, &option_types_found);
1692
++cc_succeeded_count;
1695
cc_succeeded = false;
1701
* Check for client-connect script left by management interface client
1703
#ifdef MANAGEMENT_DEF_AUTH
1704
if (cc_succeeded && mi->cc_config)
1706
multi_client_connect_mda (m, mi, mi->cc_config, option_permissions_mask, &option_types_found);
1707
++cc_succeeded_count;
1712
* Check for "disable" directive in client-config-dir file
1713
* or config file generated by --client-connect script.
1715
if (mi->context.options.disable)
1717
msg (D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
1718
cc_succeeded = false;
1724
* Process sourced options.
1726
do_deferred_options (&mi->context, option_types_found);
1729
* make sure we got ifconfig settings from somewhere
1731
if (!mi->context.c2.push_ifconfig_defined)
1733
msg (D_MULTI_ERRORS, "MULTI: no dynamic or static remote --ifconfig address is available for %s",
1734
multi_instance_string (mi, false, &gc));
1738
* make sure that ifconfig settings comply with constraints
1740
if (!ifconfig_push_constraint_satisfied (&mi->context))
1742
/* JYFIXME -- this should cause the connection to fail */
1743
msg (D_MULTI_ERRORS, "MULTI ERROR: primary virtual IP for %s (%s) violates tunnel network/netmask constraint (%s/%s)",
1744
multi_instance_string (mi, false, &gc),
1745
print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc),
1746
print_in_addr_t (mi->context.options.push_ifconfig_constraint_network, 0, &gc),
1747
print_in_addr_t (mi->context.options.push_ifconfig_constraint_netmask, 0, &gc));
1751
* For routed tunnels, set up internal route to endpoint
1752
* plus add all iroute routes.
1754
if (TUNNEL_TYPE (mi->context.c1.tuntap) == DEV_TYPE_TUN)
1756
if (mi->context.c2.push_ifconfig_defined)
1758
multi_learn_in_addr_t (m, mi, mi->context.c2.push_ifconfig_local, -1, true);
1759
msg (D_MULTI_LOW, "MULTI: primary virtual IP for %s: %s",
1760
multi_instance_string (mi, false, &gc),
1761
print_in_addr_t (mi->context.c2.push_ifconfig_local, 0, &gc));
1764
if (mi->context.c2.push_ifconfig_ipv6_defined)
1766
multi_learn_in6_addr (m, mi, mi->context.c2.push_ifconfig_ipv6_local, -1, true);
1767
/* TODO: find out where addresses are "unlearned"!! */
1768
msg (D_MULTI_LOW, "MULTI: primary virtual IPv6 for %s: %s",
1769
multi_instance_string (mi, false, &gc),
1770
print_in6_addr (mi->context.c2.push_ifconfig_ipv6_local, 0, &gc));
1773
/* add routes locally, pointing to new client, if
1774
--iroute options have been specified */
1775
multi_add_iroutes (m, mi);
1778
* iroutes represent subnets which are "owned" by a particular
1779
* client. Therefore, do not actually push a route to a client
1780
* if it matches one of the client's iroutes.
1782
remove_iroutes_from_push_route_list (&mi->context.options);
1784
else if (mi->context.options.iroutes)
1786
msg (D_MULTI_ERRORS, "MULTI: --iroute options rejected for %s -- iroute only works with tun-style tunnels",
1787
multi_instance_string (mi, false, &gc));
1790
/* set our client's VPN endpoint for status reporting purposes */
1791
mi->reporting_addr = mi->context.c2.push_ifconfig_local;
1793
/* set context-level authentication flag */
1794
mi->context.c2.context_auth = CAS_SUCCEEDED;
1798
/* set context-level authentication flag */
1799
mi->context.c2.context_auth = cc_succeeded_count ? CAS_PARTIAL : CAS_FAILED;
1802
/* set flag so we don't get called again */
1803
mi->connection_established_flag = true;
1805
/* increment number of current authenticated clients */
1807
--mi->n_clients_delta;
1809
#ifdef MANAGEMENT_DEF_AUTH
1811
management_connection_established (management, &mi->context.c2.mda_context, mi->context.c2.es);
1818
* Reply now to client's PUSH_REQUEST query
1820
mi->context.c2.push_reply_deferred = false;
1824
* Add a mbuf buffer to a particular
1828
multi_add_mbuf (struct multi_context *m,
1829
struct multi_instance *mi,
1830
struct mbuf_buffer *mb)
1832
if (multi_output_queue_ready (m, mi))
1834
struct mbuf_item item;
1837
mbuf_add_item (m->mbuf, &item);
1841
msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_add_mbuf)");
1846
* Add a packet to a client instance output queue.
1849
multi_unicast (struct multi_context *m,
1850
const struct buffer *buf,
1851
struct multi_instance *mi)
1853
struct mbuf_buffer *mb;
1857
mb = mbuf_alloc_buf (buf);
1858
mb->flags = MF_UNICAST;
1859
multi_add_mbuf (m, mi, mb);
1865
* Broadcast a packet to all clients.
1868
multi_bcast (struct multi_context *m,
1869
const struct buffer *buf,
1870
const struct multi_instance *sender_instance,
1871
const struct mroute_addr *sender_addr)
1873
struct hash_iterator hi;
1874
struct hash_element *he;
1875
struct multi_instance *mi;
1876
struct mbuf_buffer *mb;
1880
perf_push (PERF_MULTI_BCAST);
1881
#ifdef MULTI_DEBUG_EVENT_LOOP
1882
printf ("BCAST len=%d\n", BLEN (buf));
1884
mb = mbuf_alloc_buf (buf);
1885
hash_iterator_init (m->iter, &hi);
1887
while ((he = hash_iterator_next (&hi)))
1889
mi = (struct multi_instance *) he->value;
1890
if (mi != sender_instance && !mi->halt)
1893
if (sender_instance)
1895
if (!pf_c2c_test (&sender_instance->context, &mi->context, "bcast_c2c"))
1897
msg (D_PF_DROPPED_BCAST, "PF: client[%s] -> client[%s] packet dropped by BCAST packet filter",
1898
mi_prefix (sender_instance),
1905
if (!pf_addr_test (&mi->context, sender_addr, "bcast_src_addr"))
1907
struct gc_arena gc = gc_new ();
1908
msg (D_PF_DROPPED_BCAST, "PF: addr[%s] -> client[%s] packet dropped by BCAST packet filter",
1909
mroute_addr_print_ex (sender_addr, MAPF_SHOW_ARP, &gc),
1916
multi_add_mbuf (m, mi, mb);
1920
hash_iterator_free (&hi);
1927
* Given a time delta, indicating that we wish to be
1928
* awoken by the scheduler at time now + delta, figure
1929
* a sigma parameter (in microseconds) that represents
1930
* a sort of fuzz factor around delta, so that we're
1931
* really telling the scheduler to wake us up any time
1932
* between now + delta - sigma and now + delta + sigma.
1934
* The sigma parameter helps the scheduler to run more efficiently.
1935
* Sigma should be no larger than TV_WITHIN_SIGMA_MAX_USEC
1937
static inline unsigned int
1938
compute_wakeup_sigma (const struct timeval *delta)
1940
if (delta->tv_sec < 1)
1942
/* if < 1 sec, fuzz = # of microseconds / 8 */
1943
return delta->tv_usec >> 3;
1947
/* if < 10 minutes, fuzz = 13.1% of timeout */
1948
if (delta->tv_sec < 600)
1949
return delta->tv_sec << 17;
1951
return 120000000; /* if >= 10 minutes, fuzz = 2 minutes */
1956
multi_schedule_context_wakeup (struct multi_context *m, struct multi_instance *mi)
1958
/* calculate an absolute wakeup time */
1959
ASSERT (!openvpn_gettimeofday (&mi->wakeup, NULL));
1960
tv_add (&mi->wakeup, &mi->context.c2.timeval);
1962
/* tell scheduler to wake us up at some point in the future */
1963
schedule_add_entry (m->schedule,
1964
(struct schedule_entry *) mi,
1966
compute_wakeup_sigma (&mi->context.c2.timeval));
1970
* Figure instance-specific timers, convert
1971
* earliest to absolute time in mi->wakeup,
1972
* call scheduler with our future wakeup time.
1974
* Also close context on signal.
1977
multi_process_post (struct multi_context *m, struct multi_instance *mi, const unsigned int flags)
1981
if (!IS_SIG (&mi->context) && ((flags & MPP_PRE_SELECT) || ((flags & MPP_CONDITIONAL_PRE_SELECT) && !ANY_OUT (&mi->context))))
1983
/* figure timeouts and fetch possible outgoing
1984
to_link packets (such as ping or TLS control) */
1985
pre_select (&mi->context);
1987
if (!IS_SIG (&mi->context))
1989
/* tell scheduler to wake us up at some point in the future */
1990
multi_schedule_context_wakeup(m, mi);
1992
/* connection is "established" when SSL/TLS key negotiation succeeds
1993
and (if specified) auth user/pass succeeds */
1994
if (!mi->connection_established_flag && CONNECTION_ESTABLISHED (&mi->context))
1995
multi_connection_established (m, mi);
1999
if (IS_SIG (&mi->context))
2001
if (flags & MPP_CLOSE_ON_SIGNAL)
2003
multi_close_instance_on_signal (m, mi);
2009
/* continue to pend on output? */
2010
multi_set_pending (m, ANY_OUT (&mi->context) ? mi : NULL);
2012
#ifdef MULTI_DEBUG_EVENT_LOOP
2013
printf ("POST %s[%d] to=%d lo=%d/%d w=%d/%d\n",
2015
(int) (mi == m->pending),
2016
mi ? mi->context.c2.to_tun.len : -1,
2017
mi ? mi->context.c2.to_link.len : -1,
2018
(mi && mi->context.c2.fragment) ? mi->context.c2.fragment->outgoing.len : -1,
2019
(int)mi->context.c2.timeval.tv_sec,
2020
(int)mi->context.c2.timeval.tv_usec);
2024
if ((flags & MPP_RECORD_TOUCH) && m->mpp_touched)
2025
*m->mpp_touched = mi;
2031
* Process packets in the TCP/UDP socket -> TUN/TAP interface direction,
2032
* i.e. client -> server direction.
2035
multi_process_incoming_link (struct multi_context *m, struct multi_instance *instance, const unsigned int mpp_flags)
2037
struct gc_arena gc = gc_new ();
2040
struct mroute_addr src, dest;
2041
unsigned int mroute_flags;
2042
struct multi_instance *mi;
2050
#ifdef MULTI_DEBUG_EVENT_LOOP
2051
printf ("TCP/UDP -> TUN [%d]\n", BLEN (&m->top.c2.buf));
2053
multi_set_pending (m, multi_get_create_instance_udp (m));
2056
multi_set_pending (m, instance);
2060
set_prefix (m->pending);
2062
/* get instance context */
2063
c = &m->pending->context;
2067
/* transfer packet pointer from top-level context buffer to instance */
2068
c->c2.buf = m->top.c2.buf;
2070
/* transfer from-addr from top-level context buffer to instance */
2071
c->c2.from = m->top.c2.from;
2074
if (BLEN (&c->c2.buf) > 0)
2076
/* decrypt in instance context */
2077
process_incoming_link (c);
2079
if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TUN)
2081
/* extract packet source and dest addresses */
2082
mroute_flags = mroute_extract_addr_from_packet (&src,
2089
/* drop packet if extract failed */
2090
if (!(mroute_flags & MROUTE_EXTRACT_SUCCEEDED))
2092
c->c2.to_tun.len = 0;
2094
/* make sure that source address is associated with this client */
2095
else if (multi_get_instance_by_virtual_addr (m, &src, true) != m->pending)
2097
msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2098
mroute_addr_print (&src, &gc));
2099
c->c2.to_tun.len = 0;
2101
/* client-to-client communication enabled? */
2102
else if (m->enable_c2c)
2105
if (mroute_flags & MROUTE_EXTRACT_MCAST)
2107
/* for now, treat multicast as broadcast */
2108
multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
2110
else /* possible client to client routing */
2112
ASSERT (!(mroute_flags & MROUTE_EXTRACT_BCAST));
2113
mi = multi_get_instance_by_virtual_addr (m, &dest, true);
2115
/* if dest addr is a known client, route to it */
2119
if (!pf_c2c_test (c, &mi->context, "tun_c2c"))
2121
msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TUN packet filter",
2127
multi_unicast (m, &c->c2.to_tun, mi);
2128
register_activity (c, BLEN(&c->c2.to_tun));
2130
c->c2.to_tun.len = 0;
2135
if (c->c2.to_tun.len && !pf_addr_test (c, &dest, "tun_dest_addr"))
2137
msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TUN packet filter",
2138
mroute_addr_print_ex (&dest, MAPF_SHOW_ARP, &gc));
2139
c->c2.to_tun.len = 0;
2143
else if (TUNNEL_TYPE (m->top.c1.tuntap) == DEV_TYPE_TAP)
2146
struct mroute_addr edest;
2147
mroute_addr_reset (&edest);
2149
/* extract packet source and dest addresses */
2150
mroute_flags = mroute_extract_addr_from_packet (&src,
2161
if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2163
if (multi_learn_addr (m, m->pending, &src, 0) == m->pending)
2165
/* check for broadcast */
2168
if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2170
multi_bcast (m, &c->c2.to_tun, m->pending, NULL);
2172
else /* try client-to-client routing */
2174
mi = multi_get_instance_by_virtual_addr (m, &dest, false);
2176
/* if dest addr is a known client, route to it */
2180
if (!pf_c2c_test (c, &mi->context, "tap_c2c"))
2182
msg (D_PF_DROPPED, "PF: client -> client[%s] packet dropped by TAP packet filter",
2188
multi_unicast (m, &c->c2.to_tun, mi);
2189
register_activity (c, BLEN(&c->c2.to_tun));
2191
c->c2.to_tun.len = 0;
2196
if (c->c2.to_tun.len && !pf_addr_test (c, &edest, "tap_dest_addr"))
2198
msg (D_PF_DROPPED, "PF: client -> addr[%s] packet dropped by TAP packet filter",
2199
mroute_addr_print_ex (&edest, MAPF_SHOW_ARP, &gc));
2200
c->c2.to_tun.len = 0;
2206
msg (D_MULTI_DROPPED, "MULTI: bad source address from client [%s], packet dropped",
2207
mroute_addr_print (&src, &gc));
2208
c->c2.to_tun.len = 0;
2213
c->c2.to_tun.len = 0;
2218
/* postprocess and set wakeup */
2219
ret = multi_process_post (m, m->pending, mpp_flags);
2229
* Process packets in the TUN/TAP interface -> TCP/UDP socket direction,
2230
* i.e. server -> client direction.
2233
multi_process_incoming_tun (struct multi_context *m, const unsigned int mpp_flags)
2235
struct gc_arena gc = gc_new ();
2238
if (BLEN (&m->top.c2.buf) > 0)
2240
unsigned int mroute_flags;
2241
struct mroute_addr src, dest;
2242
const int dev_type = TUNNEL_TYPE (m->top.c1.tuntap);
2245
struct mroute_addr esrc, *e1, *e2;
2246
if (dev_type == DEV_TYPE_TUN)
2254
mroute_addr_reset (&esrc);
2258
#ifdef MULTI_DEBUG_EVENT_LOOP
2259
printf ("TUN -> TCP/UDP [%d]\n", BLEN (&m->top.c2.buf));
2266
* Route an incoming tun/tap packet to
2267
* the appropriate multi_instance object.
2270
mroute_flags = mroute_extract_addr_from_packet (&src,
2281
if (mroute_flags & MROUTE_EXTRACT_SUCCEEDED)
2285
/* broadcast or multicast dest addr? */
2286
if (mroute_flags & (MROUTE_EXTRACT_BCAST|MROUTE_EXTRACT_MCAST))
2288
/* for now, treat multicast as broadcast */
2290
multi_bcast (m, &m->top.c2.buf, NULL, e2);
2292
multi_bcast (m, &m->top.c2.buf, NULL, NULL);
2297
multi_set_pending (m, multi_get_instance_by_virtual_addr (m, &dest, dev_type == DEV_TYPE_TUN));
2301
/* get instance context */
2302
c = &m->pending->context;
2304
set_prefix (m->pending);
2307
if (!pf_addr_test (c, e2, "tun_tap_src_addr"))
2309
msg (D_PF_DROPPED, "PF: addr[%s] -> client packet dropped by packet filter",
2310
mroute_addr_print_ex (&src, MAPF_SHOW_ARP, &gc));
2311
buf_reset_len (&c->c2.buf);
2316
if (multi_output_queue_ready (m, m->pending))
2318
/* transfer packet pointer from top-level context buffer to instance */
2319
c->c2.buf = m->top.c2.buf;
2324
msg (D_MULTI_DROPPED, "MULTI: packet dropped due to output saturation (multi_process_incoming_tun)");
2325
buf_reset_len (&c->c2.buf);
2329
/* encrypt in instance context */
2330
process_incoming_tun (c);
2332
/* postprocess and set wakeup */
2333
ret = multi_process_post (m, m->pending, mpp_flags);
2345
* Process a possible client-to-client/bcast/mcast message in the
2348
struct multi_instance *
2349
multi_get_queue (struct mbuf_set *ms)
2351
struct mbuf_item item;
2353
if (mbuf_extract_item (ms, &item)) /* cleartext IP packet */
2355
unsigned int pipv4_flags = PIPV4_PASSTOS;
2357
set_prefix (item.instance);
2358
item.instance->context.c2.buf = item.buffer->buf;
2359
if (item.buffer->flags & MF_UNICAST) /* --mssfix doesn't make sense for broadcast or multicast */
2360
pipv4_flags |= PIPV4_MSSFIX;
2361
process_ipv4_header (&item.instance->context, pipv4_flags, &item.instance->context.c2.buf);
2362
encrypt_sign (&item.instance->context, true);
2363
mbuf_free_buf (item.buffer);
2365
dmsg (D_MULTI_DEBUG, "MULTI: C2C/MCAST/BCAST");
2368
return item.instance;
2377
* Called when an I/O wait times out. Usually means that a particular
2378
* client instance object needs timer-based service.
2381
multi_process_timeout (struct multi_context *m, const unsigned int mpp_flags)
2385
#ifdef MULTI_DEBUG_EVENT_LOOP
2386
printf ("%s -> TIMEOUT\n", id(m->earliest_wakeup));
2389
/* instance marked for wakeup? */
2390
if (m->earliest_wakeup)
2392
set_prefix (m->earliest_wakeup);
2393
ret = multi_process_post (m, m->earliest_wakeup, mpp_flags);
2394
m->earliest_wakeup = NULL;
2401
* Drop a TUN/TAP outgoing packet..
2404
multi_process_drop_outgoing_tun (struct multi_context *m, const unsigned int mpp_flags)
2406
struct multi_instance *mi = m->pending;
2412
msg (D_MULTI_ERRORS, "MULTI: Outgoing TUN queue full, dropped packet len=%d",
2413
mi->context.c2.to_tun.len);
2415
buf_reset (&mi->context.c2.to_tun);
2417
multi_process_post (m, mi, mpp_flags);
2422
* Per-client route quota management
2426
route_quota_exceeded (const struct multi_context *m, const struct multi_instance *mi)
2428
struct gc_arena gc = gc_new ();
2429
msg (D_ROUTE_QUOTA, "MULTI ROUTE: route quota (%d) exceeded for %s (see --max-routes-per-client option)",
2430
mi->context.options.max_routes_per_client,
2431
multi_instance_string (mi, false, &gc));
2437
* Flood clients with random packets
2440
gremlin_flood_clients (struct multi_context *m)
2442
const int level = GREMLIN_PACKET_FLOOD_LEVEL (m->top.options.gremlin);
2445
struct gc_arena gc = gc_new ();
2446
struct buffer buf = alloc_buf_gc (BUF_SIZE (&m->top.c2.frame), &gc);
2447
struct packet_flood_parms parm = get_packet_flood_parms (level);
2450
ASSERT (buf_init (&buf, FRAME_HEADROOM (&m->top.c2.frame)));
2451
parm.packet_size = min_int (parm.packet_size, MAX_RW_SIZE_TUN (&m->top.c2.frame));
2453
msg (D_GREMLIN, "GREMLIN_FLOOD_CLIENTS: flooding clients with %d packets of size %d",
2457
for (i = 0; i < parm.packet_size; ++i)
2458
ASSERT (buf_write_u8 (&buf, get_random () & 0xFF));
2460
for (i = 0; i < parm.n_packets; ++i)
2461
multi_bcast (m, &buf, NULL, NULL);
2469
* Process timers in the top-level context
2472
multi_process_per_second_timers_dowork (struct multi_context *m)
2474
/* possibly reap instances/routes in vhash */
2475
multi_reap_process (m);
2477
/* possibly print to status log */
2478
if (m->top.c1.status_output)
2480
if (status_trigger (m->top.c1.status_output))
2481
multi_print_status (m, m->top.c1.status_output, m->status_file_version);
2484
/* possibly flush ifconfig-pool file */
2485
multi_ifconfig_pool_persist (m, false);
2488
gremlin_flood_clients (m);
2493
multi_top_init (struct multi_context *m, const struct context *top, const bool alloc_buffers)
2495
inherit_context_top (&m->top, top);
2496
m->top.c2.buffers = NULL;
2498
m->top.c2.buffers = init_context_buffers (&top->c2.frame);
2502
multi_top_free (struct multi_context *m)
2504
close_context (&m->top, -1, CC_GC_FREE);
2505
free_context_buffers (m->top.c2.buffers);
2509
* Return true if event loop should break,
2510
* false if it should continue.
2513
multi_process_signal (struct multi_context *m)
2515
if (m->top.sig->signal_received == SIGUSR2)
2517
struct status_output *so = status_open (NULL, 0, M_INFO, NULL, 0);
2518
multi_print_status (m, so, m->status_file_version);
2520
m->top.sig->signal_received = 0;
2527
* Called when an instance should be closed due to the
2528
* reception of a soft signal.
2531
multi_close_instance_on_signal (struct multi_context *m, struct multi_instance *mi)
2533
remap_signal (&mi->context);
2535
print_signal (mi->context.sig, "client-instance", D_MULTI_LOW);
2537
multi_close_instance (m, mi, false);
2541
multi_signal_instance (struct multi_context *m, struct multi_instance *mi, const int sig)
2543
mi->context.sig->signal_received = sig;
2544
multi_close_instance_on_signal (m, mi);
2548
* Management subsystem callbacks
2551
#ifdef ENABLE_MANAGEMENT
2554
management_callback_status (void *arg, const int version, struct status_output *so)
2556
struct multi_context *m = (struct multi_context *) arg;
2559
multi_print_status (m, so, m->status_file_version);
2561
multi_print_status (m, so, version);
2565
management_callback_n_clients (void *arg)
2567
struct multi_context *m = (struct multi_context *) arg;
2568
return m->n_clients;
2572
management_callback_kill_by_cn (void *arg, const char *del_cn)
2574
struct multi_context *m = (struct multi_context *) arg;
2575
struct hash_iterator hi;
2576
struct hash_element *he;
2579
hash_iterator_init (m->iter, &hi);
2580
while ((he = hash_iterator_next (&hi)))
2582
struct multi_instance *mi = (struct multi_instance *) he->value;
2585
const char *cn = tls_common_name (mi->context.c2.tls_multi, false);
2586
if (cn && !strcmp (cn, del_cn))
2588
multi_signal_instance (m, mi, SIGTERM);
2593
hash_iterator_free (&hi);
2598
management_callback_kill_by_addr (void *arg, const in_addr_t addr, const int port)
2600
struct multi_context *m = (struct multi_context *) arg;
2601
struct hash_iterator hi;
2602
struct hash_element *he;
2603
struct openvpn_sockaddr saddr;
2604
struct mroute_addr maddr;
2608
saddr.addr.in4.sin_family = AF_INET;
2609
saddr.addr.in4.sin_addr.s_addr = htonl (addr);
2610
saddr.addr.in4.sin_port = htons (port);
2611
if (mroute_extract_openvpn_sockaddr (&maddr, &saddr, true))
2613
hash_iterator_init (m->iter, &hi);
2614
while ((he = hash_iterator_next (&hi)))
2616
struct multi_instance *mi = (struct multi_instance *) he->value;
2617
if (!mi->halt && mroute_addr_equal (&maddr, &mi->real))
2619
multi_signal_instance (m, mi, SIGTERM);
2623
hash_iterator_free (&hi);
2629
management_delete_event (void *arg, event_t event)
2631
struct multi_context *m = (struct multi_context *) arg;
2633
multi_tcp_delete_event (m->mtcp, event);
2638
#ifdef MANAGEMENT_DEF_AUTH
2640
static struct multi_instance *
2641
lookup_by_cid (struct multi_context *m, const unsigned long cid)
2645
struct multi_instance *mi = (struct multi_instance *) hash_lookup (m->cid_hash, &cid);
2646
if (mi && !mi->halt)
2653
management_kill_by_cid (void *arg, const unsigned long cid)
2655
struct multi_context *m = (struct multi_context *) arg;
2656
struct multi_instance *mi = lookup_by_cid (m, cid);
2659
send_restart (&mi->context); /* was: multi_signal_instance (m, mi, SIGTERM); */
2667
management_client_auth (void *arg,
2668
const unsigned long cid,
2669
const unsigned int mda_key_id,
2672
const char *client_reason,
2673
struct buffer_list *cc_config) /* ownership transferred */
2675
struct multi_context *m = (struct multi_context *) arg;
2676
struct multi_instance *mi = lookup_by_cid (m, cid);
2677
bool cc_config_owned = true;
2682
ret = tls_authenticate_key (mi->context.c2.tls_multi, mda_key_id, auth, client_reason);
2687
if (!mi->connection_established_flag)
2689
set_cc_config (mi, cc_config);
2690
cc_config_owned = false;
2696
msg (D_MULTI_LOW, "MULTI: connection rejected: %s, CLI:%s", reason, np(client_reason));
2697
if (mi->connection_established_flag)
2699
send_auth_failed (&mi->context, client_reason); /* mid-session reauth failed */
2700
multi_schedule_context_wakeup(m, mi);
2705
if (cc_config_owned && cc_config)
2706
buffer_list_free (cc_config);
2711
management_get_peer_info (void *arg, const unsigned long cid)
2713
struct multi_context *m = (struct multi_context *) arg;
2714
struct multi_instance *mi = lookup_by_cid (m, cid);
2718
ret = tls_get_peer_info (mi->context.c2.tls_multi);
2725
#ifdef MANAGEMENT_PF
2727
management_client_pf (void *arg,
2728
const unsigned long cid,
2729
struct buffer_list *pf_config) /* ownership transferred */
2731
struct multi_context *m = (struct multi_context *) arg;
2732
struct multi_instance *mi = lookup_by_cid (m, cid);
2735
if (mi && pf_config)
2736
ret = pf_load_from_buffer_list (&mi->context, pf_config);
2739
buffer_list_free (pf_config);
2745
init_management_callback_multi (struct multi_context *m)
2747
#ifdef ENABLE_MANAGEMENT
2750
struct management_callback cb;
2753
cb.flags = MCF_SERVER;
2754
cb.status = management_callback_status;
2755
cb.show_net = management_show_net_callback;
2756
cb.kill_by_cn = management_callback_kill_by_cn;
2757
cb.kill_by_addr = management_callback_kill_by_addr;
2758
cb.delete_event = management_delete_event;
2759
cb.n_clients = management_callback_n_clients;
2760
#ifdef MANAGEMENT_DEF_AUTH
2761
cb.kill_by_cid = management_kill_by_cid;
2762
cb.client_auth = management_client_auth;
2763
cb.get_peer_info = management_get_peer_info;
2765
#ifdef MANAGEMENT_PF
2766
cb.client_pf = management_client_pf;
2768
management_set_callback (management, &cb);
2774
uninit_management_callback_multi (struct multi_context *m)
2776
uninit_management_callback ();
2780
* Top level event loop.
2783
tunnel_server (struct context *top)
2785
ASSERT (top->options.mode == MODE_SERVER);
2788
if (proto_is_dgram(top->options.ce.proto))
2789
tunnel_server_udp(top);
2791
tunnel_server_tcp(top);
2793
switch (top->options.ce.proto)
2796
tunnel_server_udp (top);
2798
case PROTO_TCPv4_SERVER:
2799
tunnel_server_tcp (top);
2808
static void dummy(void) {}
2809
#endif /* P2MP_SERVER */