Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header
Hi, On 15/02/2024 17:17, Gert Doering wrote: Hi, On Thu, Feb 15, 2024 at 03:59:02PM +, its_Giaan (Code Review) wrote: if (buf->len > 0) { -/* - * The --passtos and --mssfix options require - * us to examine the IPv4 header. - */ - -if (flags & (PIP_MSSFIX -#if PASSTOS_CAPABILITY - | PIPV4_PASSTOS -#endif - | PIPV4_CLIENT_NAT - )) +if (flags & PIP_OPT_MASK) NAK, as this is not the same thing. PIP_OPT_MASK will also match on the IPv6 flags, which are not something we need to test for here (= if only an IPv6 flag is active, why should we enter this branch?). I had the feeling that it was wrong in fact. Thanks for your feedback. Cheers -- Gianmarco De Gregori ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
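Review bot: the quoted hunk widens the condition rather than simplifying it: `flags & PIP_OPT_MASK` is true whenever any IPv6 flag is set, so a configuration with only IPv6 options would still enter the IPv4 header-examination branch that the removed comment says exists for --passtos and --mssfix. If the goal is to avoid repeating the flag list, introduce a dedicated IPv4-only mask (a hypothetical name such as `PIPV4_OPT_MASK`) that contains exactly `PIP_MSSFIX`, `PIPV4_PASSTOS` under `PASSTOS_CAPABILITY`, and `PIPV4_CLIENT_NAT`, and test against that instead.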
[Openvpn-devel] [PATCH v2] Persist-key: enable persist-key option by default.
This commit changes the default behavior of the OpenVPN configuration to enable the persist-key option by default. This means that all the key file content will be kept in memory throughout the lifetime of the VPN connection. Fixes: Trac #1405 Signed-off-by: Gianmarco De Gregori --- Changes from v1: * changed "DEPRECATED OPTION" to "**DEPRECATED**" in the documentation and to "(DEPRECATED)" in usage_message(). doc/man-sections/generic-options.rst | 2 ++ src/openvpn/init.c | 13 +++-- src/openvpn/options.c| 26 +- src/openvpn/options.h| 1 - 4 files changed, 18 insertions(+), 24 deletions(-) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 97e1b5aa..6c23aafc 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -303,6 +303,8 @@ which mode OpenVPN is configured as. lower priority, ``n`` less than zero is higher priority). --persist-key + **DEPRECATED**, corresponding behavior is now always enabled. + Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. This option can be combined with ``--user`` to allow restarts diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..36d4395c 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } -if (!o->persist_key -#ifdef ENABLE_PKCS11 -&& !o->pkcs11_id -#endif -) -{ -msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); -} } if (o->chroot_dir && !(o->username && o->groupname)) @@ -3687,6 +3679,7 @@ do_option_warnings(struct context *c) } } + struct context_buffers * init_context_buffers(const struct frame *frame) { 
@@ -3901,7 +3894,7 @@ static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(>c1.ks.tls_crypt_v2_server_key); @@ -3910,7 +3903,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) buf_clear(>c1.ks.tls_crypt_v2_wkc); free_buf(>c1.ks.tls_crypt_v2_wkc); -if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) +if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(>c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e4c596b8..caf45b7e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -275,7 +275,7 @@ static const char usage_message[] = "--persist-tun : Keep tun/tap device open across SIGUSR1 or --ping-restart.\n" "--persist-remote-ip : Keep remote IP address across SIGUSR1 or --ping-restart.\n" "--persist-local-ip : Keep local IP address across SIGUSR1 or --ping-restart.\n" -"--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart.\n" +"--persist-key : (DEPRECATED) Don't re-read key files across SIGUSR1 or --ping-restart.\n" #if PASSTOS_CAPABILITY "--passtos : TOS passthrough (applies to IPv4 only).\n" #endif @@ -1860,7 +1860,6 @@ show_settings(const struct options *o) SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); -SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); 
@@ -3239,18 +3238,16 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } -/* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and +/* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ -if (o->persist_key) -{ -connection_entry_preload_key(>tls_auth_file, - >tls_auth_file_inline, >gc); -connection_entry_preload_key(>tls_crypt_file, - >tls_crypt_file_inline, >gc); -connection_entry_preload_key(>tls_crypt_v2_file, - >tls_crypt_v2_file_inline, >gc); -} +connection_entry_preload_key(>tls_auth_file, + >tls_auth_file_inline, >gc); +connection_entry_preload_key(>tls_crypt_file, +
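Review bot: the `@@ -3687,6 +3679,7 @@` hunk in src/openvpn/init.c only inserts a blank line before `struct context_buffers *`, which is an unrelated whitespace change; drop it so the patch stays limited to the persist-key behaviour.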
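Review bot: in the `@@ -3910,7 +3903,7 @@` hunk of src/openvpn/init.c, `if (!(c->sig->signal_received == SIGUSR1))` is the negation of a single comparison left over from removing `&& c->options.persist_key`; write it as `if (c->sig->signal_received != SIGUSR1)`.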
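Review bot: the comment in the `@@ -3239,18 +3238,16 @@` hunk of src/openvpn/options.c now reads "Pre-cache tls-auth/crypt(-v2) key file if / keys were not already embedded", which is a dangling remnant of the removed "persist-key was specified and" clause; reword it as "Pre-cache the tls-auth/crypt(-v2) key files unless the keys are already embedded in the config file." Since the preload is now unconditional, the commit message should also state the trade-off plainly: key material for every connection entry stays in process memory for the whole lifetime of the process, which is what lets a restart after --user/--group/--chroot succeed (Trac #1405) and is why the persist-key warning in do_option_warnings() can go.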
[Openvpn-devel] [PATCH] Persist-key: enable persist-key option by default.
This commit changes the default behavior of the OpenVPN configuration to enable the persist-key option by default. This means that all the key file content will be kept in memory throughout the lifetime of the VPN connection. Fixes: Trac #1405 Signed-off-by: Gianmarco De Gregori --- doc/man-sections/generic-options.rst | 2 ++ src/openvpn/init.c | 12 ++-- src/openvpn/options.c| 23 +++ src/openvpn/options.h| 1 - 4 files changed, 15 insertions(+), 23 deletions(-) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index 97e1b5aa..5f74ab67 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -303,6 +303,8 @@ which mode OpenVPN is configured as. lower priority, ``n`` less than zero is higher priority). --persist-key + DEPRECATED OPTION, corresponding behavior is now always enabled. + Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``. This option can be combined with ``--user`` to allow restarts diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..654d8645 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c) { msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-tun -- this may cause restarts to fail"); } -if (!o->persist_key -#ifdef ENABLE_PKCS11 -&& !o->pkcs11_id -#endif -) -{ -msg(M_WARN, "WARNING: you are using user/group/chroot/setcon without persist-key -- this may cause restarts to fail"); -} } if (o->chroot_dir && !(o->username && o->groupname)) @@ -3901,7 +3893,7 @@ static void do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) { /* - * always free the tls_auth/crypt key. If persist_key is true, the key will + * always free the tls_auth/crypt key. The key will * be reloaded from memory (pre-cached) */ free_key_ctx(>c1.ks.tls_crypt_v2_server_key); 
@@ -3910,7 +3902,7 @@ do_close_free_key_schedule(struct context *c, bool free_ssl_ctx) buf_clear(>c1.ks.tls_crypt_v2_wkc); free_buf(>c1.ks.tls_crypt_v2_wkc); -if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key)) +if (!(c->sig->signal_received == SIGUSR1)) { key_schedule_free(>c1.ks, free_ssl_ctx); } diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2680f268..9ef21bc9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1860,7 +1860,6 @@ show_settings(const struct options *o) SHOW_BOOL(persist_tun); SHOW_BOOL(persist_local_ip); SHOW_BOOL(persist_remote_ip); -SHOW_BOOL(persist_key); #if PASSTOS_CAPABILITY SHOW_BOOL(passtos); @@ -3239,18 +3238,15 @@ options_postprocess_mutate_ce(struct options *o, struct connection_entry *ce) ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline; } -/* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and +/* Pre-cache tls-auth/crypt(-v2) key file if * keys were not already embedded in the config file. */ -if (o->persist_key) -{ -connection_entry_preload_key(>tls_auth_file, - >tls_auth_file_inline, >gc); -connection_entry_preload_key(>tls_crypt_file, - >tls_crypt_file_inline, >gc); -connection_entry_preload_key(>tls_crypt_v2_file, - >tls_crypt_v2_file_inline, >gc); -} +connection_entry_preload_key(>tls_auth_file, + >tls_auth_file_inline, >gc); +connection_entry_preload_key(>tls_crypt_file, + >tls_crypt_file_inline, >gc); +connection_entry_preload_key(>tls_crypt_v2_file, + >tls_crypt_v2_file_inline, >gc); if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification) { 
@@ -6938,7 +6934,10 @@ add_option(struct options *options, else if (streq(p[0], "persist-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_PERSIST); -options->persist_key = true; +msg(M_WARN, "DEPRECATED OPTION: --persist-key option ignored." +"The corresponding behavior is now always activated." +"This option will be removed in a future version, " +"please remove it from your configuration."); } else if (streq(p[0], "persist-local-ip") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90..cf9613b2 100644 --- a/src/openvp
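Review bot: in the `@@ -6938,7 +6934,10 @@` hunk of src/openvpn/options.c the adjacent string literals are concatenated without separating spaces, so the logged text comes out as "--persist-key option ignored.The corresponding behavior is now always activated.This option will be removed ..."; add a trailing space to `"--persist-key option ignored."` and `"... always activated."` (only the third literal already ends with one).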
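Review bot: the man page hunk for doc/man-sections/generic-options.rst marks --persist-key as deprecated, but the diff for src/openvpn/options.c starts at `@@ -1860,7 +1860,6 @@` and leaves the `usage_message[]` entry "--persist-key : Don't re-read key files across SIGUSR1 or --ping-restart." untouched; update that line in the same patch so --help and the manual agree.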
[Openvpn-devel] [PATCH v5] Route: add support for user defined routing table
Add the ability for users to specify a custom routing table in which routes should be installed. As of now routes are always installed in the main routing table of the operating system; however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6). The --route(-ipv6) directives have been extended with an additional argument (5th for --route) (4th for --route-ipv6) so that each of them can possibly use an independent routing table. Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Fixes: Trac #1399 Signed-off-by: Gianmarco De Gregori --- Changes from v1: * Fixed parameters (metric and table_id) order in init_route_list() call in init.c : 1535. Changes from v2: * Add route_default_table_id to show_settings() in options.c : 1800. Changes from v3: * Switched table_id data type from uint32_t to int. * Added discard to pulled routing table_id from server in case of pull mode. Changes from v4: * The --route-table option has been made non-pullable. * A short description of --route-table has been added to usage_message. doc/man-sections/vpn-network-options.rst | 16 +++- src/openvpn/helper.c | 1 + src/openvpn/init.c | 15 +++- src/openvpn/options.c| 67 +-- src/openvpn/options.h| 2 + src/openvpn/route.c | 101 +-- src/openvpn/route.h | 17 +++- 7 files changed, 202 insertions(+), 17 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 8e3c92ee..c25bbf31 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -367,6 +367,14 @@ routing. Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in @@ -379,6 +387,7 @@ routing. route network/IP netmask route network/IP netmask gateway route network/IP netmask gateway metric + route network/IP netmask gateway metric table-id This option is intended as a convenience proxy for the ``route``\(8) shell command, while at the same time providing portable semantics @@ -394,6 +403,9 @@ routing. ``metric`` default taken from ``--route-metric`` if set, otherwise :code:`0`. + ``table-id`` (Supported on Linux only, on other platforms this is a no-op). + default taken from ``--route-table`` if set, otherwise :code:`0`. + The default can be specified by leaving an option blank or setting it to :code:`default`. @@ -444,12 +456,14 @@ routing. Valid syntax: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits [gateway] [metric] [table-id] The gateway parameter is only used for IPv6 routes across *tap* devices, and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or ``--route-ipv6-gateway`` is used. + (table-id supported on Linux only, on other platforms this is a no-op). + --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 7c219fdf..4a0e0d85 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c 
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t netmask, struct option print_in_addr_t(network, 0, >gc), print_in_addr_t(netmask, 0, >gc), NULL, + NULL, NULL); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..e7b3b209 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options, const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; +int table_id = 0; /* unspec table */ /* if DCO is enabled we have both regular routes and iroutes in the system * routing table, and normal routes must have a higher metric for that to @@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options, { gw = options->route_default_gateway; } +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +
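Review bot: the `@@ -367,6 +367,14 @@` hunk of doc/man-sections/vpn-network-options.rst says --route-table is "for use with --route" although the commit message extends both --route and --route-ipv6; name both and mark them up as ``--route`` and ``--route-ipv6``, as the neighbouring ``--redirect-gateway`` is. The same hunk states that on non-Linux platforms the option "is a no-op", which means a configured table silently ends up in the main table; log a warning at option-parse time on unsupported platforms instead of dropping the value silently, so an operator who depends on the separate table for policy routing notices.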
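Review bot: the `@@ -394,6 +403,9 @@` hunk documents the ``table-id`` default as :code:`0`, and the src/openvpn/init.c hunk comments the same value as `/* unspec table */`; say in the man page that 0 means "no specific table, i.e. the kernel's default", so nobody reads it as a usable table id.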
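Review bot: in the `@@ -120,6 +120,7 @@` hunk of src/openvpn/helper.c the new positional `NULL` sits next to two other `NULL` arguments, so a reader cannot tell which of gateway, metric and table-id each one stands for; a short `/* table_id */` style comment on each would make the call self-explanatory. In the `@@ -1522,6 +1523,10 @@` hunk of src/openvpn/init.c, `table_id` is initialised to 0 and 0 is the "unspecified" value, so the `if (options->route_default_table_id)` guard around the assignment is redundant; a plain assignment suffices, unless the guard is kept deliberately to mirror the metric code just below it.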
[Openvpn-devel] [PATCH v4] Route: add support for user defined routing table
Add the ability for users to specify a custom routing table in which routes should be installed. As of now routes are always installed in the main routing table of the operating system; however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6). The --route(-ipv6) directives have been extended with an additional argument (5th for --route) (4th for --route-ipv6) so that each of them can possibly use an independent routing table. Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Fixes: Trac #1399 Signed-off-by: Gianmarco De Gregori --- Changes from v1: * Fixed parameters (metric and table_id) order in init_route_list() call in init.c : 1535. Changes from v2: * Add route_default_table_id to show_settings() in options.c : 1800. Changes from v3: * Switched table_id data type from uint32_t to int. * Added discard to pulled routing table_id from server in case of pull mode. doc/man-sections/vpn-network-options.rst | 16 +++- src/openvpn/helper.c | 1 + src/openvpn/init.c | 15 +++- src/openvpn/options.c| 62 -- src/openvpn/options.h| 1 + src/openvpn/route.c | 101 +-- src/openvpn/route.h | 17 +++- 7 files changed, 196 insertions(+), 17 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 8e3c92ee..c25bbf31 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst 
@@ -367,6 +367,14 @@ routing. Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in @@ -379,6 +387,7 @@ routing. route network/IP netmask route network/IP netmask gateway route network/IP netmask gateway metric + route network/IP netmask gateway metric table-id This option is intended as a convenience proxy for the ``route``\(8) shell command, while at the same time providing portable semantics @@ -394,6 +403,9 @@ routing. ``metric`` default taken from ``--route-metric`` if set, otherwise :code:`0`. + ``table-id`` (Supported on Linux only, on other platforms this is a no-op). + default taken from ``--route-table`` if set, otherwise :code:`0`. + The default can be specified by leaving an option blank or setting it to :code:`default`. @@ -444,12 +456,14 @@ routing. Valid syntax: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits [gateway] [metric] [table-id] The gateway parameter is only used for IPv6 routes across *tap* devices, and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or ``--route-ipv6-gateway`` is used. + (table-id supported on Linux only, on other platforms this is a no-op). + --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 7c219fdf..4a0e0d85 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c 
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t netmask, struct option print_in_addr_t(network, 0, >gc), print_in_addr_t(netmask, 0, >gc), NULL, + NULL, NULL); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..e7b3b209 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options, const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; +int table_id = 0; /* unspec table */ /* if DCO is enabled we have both regular routes and iroutes in the system * routing table, and normal routes must have a higher metric for that to @@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options, { gw = options->route_default_gateway; } +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +} if (options->route_default_metric) { metric = options->route_default_metric; @@ -1531,6 +1536,7 @@ do_init_route_list(co
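Review bot: the `@@ -1504,6 +1504,7 @@` hunk of src/openvpn/init.c now declares `int table_id = 0;` (the v3 changelog records the switch from `uint32_t`), but Linux routing table ids are unsigned 32-bit values on the netlink side; with a signed type, option parsing must reject negative values before they reach the routing backend, otherwise the `if (options->route_default_table_id)` test in the `@@ -1522` hunk happily passes a negative number through.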
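Review bot: the changelog says a table_id pulled from the server is now discarded, but none of the doc/man-sections/vpn-network-options.rst hunks (`@@ -379` for --route, `@@ -444` for --route-ipv6) mention it; state under both options that a pushed table-id is ignored on the client, so server operators do not expect a pushed 5th (or 4th) argument to take effect.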
[Openvpn-devel] [PATCH v3] Route: add support for user defined routing table
Add the ability for users to specify a custom routing table in which routes should be installed. As of now routes are always installed in the main routing table of the operating system; however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6). The --route(-ipv6) directives have been extended with an additional argument (5th for --route) (4th for --route-ipv6) so that each of them can possibly use an independent routing table. Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Signed-off-by: Gianmarco De Gregori --- Changes from v1: * Fixed parameters (metric and table_id) order in init_route_list() call in init.c : 1535. Changes from v2: * Add route_default_table_id to show_settings() in options.c : 1800. doc/man-sections/vpn-network-options.rst | 16 +++- src/openvpn/helper.c | 1 + src/openvpn/init.c | 15 +++- src/openvpn/options.c| 45 +- src/openvpn/options.h| 1 + src/openvpn/route.c | 101 +-- src/openvpn/route.h | 17 +++- 7 files changed, 180 insertions(+), 16 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 8e3c92ee..c25bbf31 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -367,6 +367,14 @@ routing. Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in 
@@ -379,6 +387,7 @@ routing. route network/IP netmask route network/IP netmask gateway route network/IP netmask gateway metric + route network/IP netmask gateway metric table-id This option is intended as a convenience proxy for the ``route``\(8) shell command, while at the same time providing portable semantics @@ -394,6 +403,9 @@ routing. ``metric`` default taken from ``--route-metric`` if set, otherwise :code:`0`. + ``table-id`` (Supported on Linux only, on other platforms this is a no-op). + default taken from ``--route-table`` if set, otherwise :code:`0`. + The default can be specified by leaving an option blank or setting it to :code:`default`. @@ -444,12 +456,14 @@ routing. Valid syntax: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits [gateway] [metric] [table-id] The gateway parameter is only used for IPv6 routes across *tap* devices, and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or ``--route-ipv6-gateway`` is used. + (table-id supported on Linux only, on other platforms this is a no-op). + --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 7c219fdf..4a0e0d85 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t netmask, struct option print_in_addr_t(network, 0, >gc), print_in_addr_t(netmask, 0, >gc), NULL, + NULL, NULL); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..00caa283 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options, const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; +uint32_t table_id = 0; /* unspec table */ /* if DCO is enabled we have both regular routes and iroutes in the system * routing table, and normal routes must have a higher metric for that to 
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options, { gw = options->route_default_gateway; } +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +} if (options->route_default_metric) { metric = options->route_default_metric; @@ -1531,6 +1536,7 @@ do_init_route_list(const struct options *options, options->routes, gw, metric, +
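Review bot: the `@@ -379,6 +387,7 @@` hunk adds `table-id` as a fifth argument to `route`, and --route is an option the server can push; unless the client discards a pushed table-id, a server gets to choose which local routing table its routes land in, which is more control over the client's policy routing than a pushed route should carry. Ignore the argument for pulled routes (and document that), keeping table selection a local decision taken from --route-table.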
[Openvpn-devel] [PATCH v2] Route: add support for user defined routing table
Add the ability for users to specify a custom routing table in which routes should be installed. As of now routes are always installed in the main routing table of the operating system; however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6). The --route(-ipv6) directives have been extended with an additional argument (5th for --route) (4th for --route-ipv6) so that each of them can possibly use an independent routing table. Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Signed-off-by: Gianmarco De Gregori --- Changes from v1: * fixed parameters (metric and table_id) order in init_route_list() call in init.c : 1535. doc/man-sections/vpn-network-options.rst | 16 +++- src/openvpn/helper.c | 1 + src/openvpn/init.c | 15 +++- src/openvpn/options.c| 44 +- src/openvpn/options.h| 1 + src/openvpn/route.c | 101 +-- src/openvpn/route.h | 17 +++- 7 files changed, 179 insertions(+), 16 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 8e3c92ee..c25bbf31 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -367,6 +367,14 @@ routing. Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in 
@@ -379,6 +387,7 @@ routing. route network/IP netmask route network/IP netmask gateway route network/IP netmask gateway metric + route network/IP netmask gateway metric table-id This option is intended as a convenience proxy for the ``route``\(8) shell command, while at the same time providing portable semantics @@ -394,6 +403,9 @@ routing. ``metric`` default taken from ``--route-metric`` if set, otherwise :code:`0`. + ``table-id`` (Supported on Linux only, on other platforms this is a no-op). + default taken from ``--route-table`` if set, otherwise :code:`0`. + The default can be specified by leaving an option blank or setting it to :code:`default`. @@ -444,12 +456,14 @@ routing. Valid syntax: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits [gateway] [metric] [table-id] The gateway parameter is only used for IPv6 routes across *tap* devices, and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or ``--route-ipv6-gateway`` is used. + (table-id supported on Linux only, on other platforms this is a no-op). + --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 7c219fdf..4a0e0d85 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t netmask, struct option print_in_addr_t(network, 0, >gc), print_in_addr_t(netmask, 0, >gc), NULL, + NULL, NULL); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..00caa283 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options, const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; +uint32_t table_id = 0; /* unspec table */ /* if DCO is enabled we have both regular routes and iroutes in the system * routing table, and normal routes must have a higher metric for that to 
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options, { gw = options->route_default_gateway; } +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +} if (options->route_default_metric) { metric = options->route_default_metric; @@ -1531,6 +1536,7 @@ do_init_route_list(const struct options *options, options->routes, gw, metric, +table_id, link_socket_current_remote(link_socket_info
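Review bot: the sentence "(Supported on Linux only, on other platforms this is a no-op)" is repeated in the `@@ -367`, `@@ -394` and `@@ -444` hunks of doc/man-sections/vpn-network-options.rst; state the platform restriction once under --route-table and have the ``table-id`` entries of --route and --route-ipv6 refer to it, so a future port only has to update one place.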
[Openvpn-devel] [PATCH] Route: add support for user defined routing table
Add the ability for users to specify a custom routing table in which routes should be installed. As of now routes are always installed in the main routing table of the operating system; however, with the new --route-table option it is possible to specify the ID of the default routing table to be used by --route(-ipv6). The --route(-ipv6) directives have been extended with an additional argument (5th for --route) (4th for --route-ipv6) so that each of them can possibly use an independent routing table. Please note: this feature is currently supported only by Linux/SITNL. Support for other platforms should be added in related backends. Signed-off-by: Gianmarco De Gregori --- doc/man-sections/vpn-network-options.rst | 16 +++- src/openvpn/helper.c | 1 + src/openvpn/init.c | 15 +++- src/openvpn/options.c| 44 +- src/openvpn/options.h| 1 + src/openvpn/route.c | 101 +-- src/openvpn/route.h | 17 +++- 7 files changed, 179 insertions(+), 16 deletions(-) diff --git a/doc/man-sections/vpn-network-options.rst b/doc/man-sections/vpn-network-options.rst index 8e3c92ee..c25bbf31 100644 --- a/doc/man-sections/vpn-network-options.rst +++ b/doc/man-sections/vpn-network-options.rst @@ -367,6 +367,14 @@ routing. Like ``--redirect-gateway``, but omit actually changing the default gateway. Useful when pushing private subnets. +--route-table id + Specify a default table id for use with --route. + By default, OpenVPN installs routes in the main routing + table of the operating system, but with this option, + a user defined routing table can be used instead. + + (Supported on Linux only, on other platforms this is a no-op). + --route args Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in 
@@ -379,6 +387,7 @@ routing. route network/IP netmask route network/IP netmask gateway route network/IP netmask gateway metric + route network/IP netmask gateway metric table-id This option is intended as a convenience proxy for the ``route``\(8) shell command, while at the same time providing portable semantics @@ -394,6 +403,9 @@ routing. ``metric`` default taken from ``--route-metric`` if set, otherwise :code:`0`. + ``table-id`` (Supported on Linux only, on other platforms this is a no-op). + default taken from ``--route-table`` if set, otherwise :code:`0`. + The default can be specified by leaving an option blank or setting it to :code:`default`. @@ -444,12 +456,14 @@ routing. Valid syntax: :: - route-ipv6 ipv6addr/bits [gateway] [metric] + route-ipv6 ipv6addr/bits [gateway] [metric] [table-id] The gateway parameter is only used for IPv6 routes across *tap* devices, and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or ``--route-ipv6-gateway`` is used. + (table-id supported on Linux only, on other platforms this is a no-op). + --route-gateway arg Specify a default *gateway* for use with ``--route``. diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c index 7c219fdf..4a0e0d85 100644 --- a/src/openvpn/helper.c +++ b/src/openvpn/helper.c @@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t netmask, struct option print_in_addr_t(network, 0, >gc), print_in_addr_t(netmask, 0, >gc), NULL, + NULL, NULL); } diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad00..8220eb93 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options, const char *gw = NULL; int dev = dev_type_enum(options->dev, options->dev_type); int metric = 0; +uint32_t table_id = 0; /* unspec table */ /* if DCO is enabled we have both regular routes and iroutes in the system * routing table, and normal routes must have a higher metric for that to 
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options, { gw = options->route_default_gateway; } +if (options->route_default_table_id) +{ +table_id = options->route_default_table_id; +} if (options->route_default_metric) { metric = options->route_default_metric; @@ -1530,6 +1535,7 @@ do_init_route_list(const struct options *options, if (init_route_list(route_list, options->routes, gw, +table_id, metric, link_socket_current_remote(link_socket_info), es, @@ -1549,6 +1555,7 @@ do_init_route_ipv6_list(const struct o
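Review bot: the `@@ -1530,6 +1535,7 @@` hunk of src/openvpn/init.c inserts `table_id` between `gw` and `metric` in the `init_route_list()` call; both are plain integers, so the compiler will not complain if the prototype expects `metric` first, and every route would silently get its metric and table swapped. Check the argument order against the new `init_route_list()` signature in src/openvpn/route.h (the v2 changelog of this series records exactly this fix, putting `metric` before `table_id`), and apply the same check to the IPv6 call in the `@@ -1549` hunk.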