Re: [Openvpn-devel] [S] Change in openvpn[master]: Minor fix to process_ip_header

2024-02-15 Thread Gianmarco De Gregori

Hi,

On 15/02/2024 17:17, Gert Doering wrote:

Hi,

On Thu, Feb 15, 2024 at 03:59:02PM +, its_Giaan (Code Review) wrote:

  if (buf->len > 0)
  {
-/*
- * The --passtos and --mssfix options require
- * us to examine the IPv4 header.
- */
-
-if (flags & (PIP_MSSFIX
-#if PASSTOS_CAPABILITY
- | PIPV4_PASSTOS
-#endif
- | PIPV4_CLIENT_NAT
- ))
+if (flags & PIP_OPT_MASK)

NAK, as this is not the same thing.  PIP_OPT_MASK will also match on
the IPv6 flags, which are not something we need to test for here (= if
only an IPv6 flag is active, why should we enter this branch?).


I had the feeling that it was wrong in fact.

Thanks for your feedback.

Cheers

--
Gianmarco De Gregori
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


[Openvpn-devel] [PATCH v2] Persist-key: enable persist-key option by default.

2023-05-25 Thread Gianmarco De Gregori
This commit changes the default behavior of the OpenVPN
configuration to enable the persist-key option by default.

This means that all the key file content will be kept
in memory throughout the lifetime of the VPN connection.

Fixes: Trac #1405
Signed-off-by: Gianmarco De Gregori 
---
Changes from v1:
* replaced "DEPRECATED OPTION" with "**DEPRECATED**" in the documentation
  and with "(DEPRECATED)" in usage_message().
  
 doc/man-sections/generic-options.rst |  2 ++
 src/openvpn/init.c   | 13 +++--
 src/openvpn/options.c| 26 +-
 src/openvpn/options.h|  1 -
 4 files changed, 18 insertions(+), 24 deletions(-)

diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 97e1b5aa..6c23aafc 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -303,6 +303,8 @@ which mode OpenVPN is configured as.
   lower priority, ``n`` less than zero is higher priority).
 
 --persist-key
+  **DEPRECATED**, corresponding behavior is now always enabled.
+
   Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
 
   This option can be combined with ``--user`` to allow restarts
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..36d4395c 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c)
 {
 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon 
without persist-tun -- this may cause restarts to fail");
 }
-if (!o->persist_key
-#ifdef ENABLE_PKCS11
-&& !o->pkcs11_id
-#endif
-)
-{
-msg(M_WARN, "WARNING: you are using user/group/chroot/setcon 
without persist-key -- this may cause restarts to fail");
-}
 }
 
 if (o->chroot_dir && !(o->username && o->groupname))
@@ -3687,6 +3679,7 @@ do_option_warnings(struct context *c)
 }
 }
 
+
 struct context_buffers *
 init_context_buffers(const struct frame *frame)
 {
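Review bot: the only change in this hunk is an added blank line before `struct context_buffers *init_context_buffers(...)`, which is whitespace churn unrelated to persist-key; drop it so the diff stays limited to the behaviour change.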
@@ -3901,7 +3894,7 @@ static void
 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
 {
 /*
- * always free the tls_auth/crypt key. If persist_key is true, the key will
+ * always free the tls_auth/crypt key. The key will
  * be reloaded from memory (pre-cached)
  */
 free_key_ctx(>c1.ks.tls_crypt_v2_server_key);
@@ -3910,7 +3903,7 @@ do_close_free_key_schedule(struct context *c, bool 
free_ssl_ctx)
 buf_clear(>c1.ks.tls_crypt_v2_wkc);
 free_buf(>c1.ks.tls_crypt_v2_wkc);
 
-if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
+if (!(c->sig->signal_received == SIGUSR1))
 {
 key_schedule_free(>c1.ks, free_ssl_ctx);
 }
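Review bot: the simplified condition `if (!(c->sig->signal_received == SIGUSR1))` reads more naturally as `if (c->sig->signal_received != SIGUSR1)` now that the `&& c->options.persist_key` term is gone. The behaviour is identical either way, so this is a style point only.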
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e4c596b8..caf45b7e 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -275,7 +275,7 @@ static const char usage_message[] =
 "--persist-tun   : Keep tun/tap device open across SIGUSR1 or 
--ping-restart.\n"
 "--persist-remote-ip : Keep remote IP address across SIGUSR1 or 
--ping-restart.\n"
 "--persist-local-ip  : Keep local IP address across SIGUSR1 or 
--ping-restart.\n"
-"--persist-key   : Don't re-read key files across SIGUSR1 or 
--ping-restart.\n"
+"--persist-key   : (DEPRECATED) Don't re-read key files across SIGUSR1 or 
--ping-restart.\n"
 #if PASSTOS_CAPABILITY
 "--passtos   : TOS passthrough (applies to IPv4 only).\n"
 #endif
@@ -1860,7 +1860,6 @@ show_settings(const struct options *o)
 SHOW_BOOL(persist_tun);
 SHOW_BOOL(persist_local_ip);
 SHOW_BOOL(persist_remote_ip);
-SHOW_BOOL(persist_key);
 
 #if PASSTOS_CAPABILITY
 SHOW_BOOL(passtos);
@@ -3239,18 +3238,16 @@ options_postprocess_mutate_ce(struct options *o, struct 
connection_entry *ce)
 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
 }
 
-/* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
+/* Pre-cache tls-auth/crypt(-v2) key file if
  * keys were not already embedded in the config file.
  */
-if (o->persist_key)
-{
-connection_entry_preload_key(>tls_auth_file,
- >tls_auth_file_inline, >gc);
-connection_entry_preload_key(>tls_crypt_file,
- >tls_crypt_file_inline, >gc);
-connection_entry_preload_key(>tls_crypt_v2_file,
- >tls_crypt_v2_file_inline, >gc);
-}
+connection_entry_preload_key(>tls_auth_file,
+ >tls_auth_file_inline, >gc);
+connection_entry_preload_key(>tls_crypt_file,
+   
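Review bot: the edited comment now reads `Pre-cache tls-auth/crypt(-v2) key file if` / `keys were not already embedded in the config file.`, which no longer parses as a sentence; suggest `Pre-cache the tls-auth/crypt(-v2) key files unless the keys are already embedded in the config file.` Since the connection_entry_preload_key() calls are now unconditional, the comment should also say that the cached keys stay in memory for the lifetime of the process, as the commit message states.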

[Openvpn-devel] [PATCH] Persist-key: enable persist-key option by default.

2023-05-09 Thread Gianmarco De Gregori
This commit changes the default behavior of
the OpenVPN configuration to enable the
persist-key option by default.

This means that all the key file content will be kept
in memory throughout the lifetime of the VPN connection.

Fixes: Trac #1405
Signed-off-by: Gianmarco De Gregori 
---
 doc/man-sections/generic-options.rst |  2 ++
 src/openvpn/init.c   | 12 ++--
 src/openvpn/options.c| 23 +++
 src/openvpn/options.h|  1 -
 4 files changed, 15 insertions(+), 23 deletions(-)

diff --git a/doc/man-sections/generic-options.rst 
b/doc/man-sections/generic-options.rst
index 97e1b5aa..5f74ab67 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -303,6 +303,8 @@ which mode OpenVPN is configured as.
   lower priority, ``n`` less than zero is higher priority).
 
 --persist-key
+  DEPRECATED OPTION, corresponding behavior is now always enabled.
+
   Don't re-read key files across :code:`SIGUSR1` or ``--ping-restart``.
 
   This option can be combined with ``--user`` to allow restarts
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..654d8645 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3606,14 +3606,6 @@ do_option_warnings(struct context *c)
 {
 msg(M_WARN, "WARNING: you are using user/group/chroot/setcon 
without persist-tun -- this may cause restarts to fail");
 }
-if (!o->persist_key
-#ifdef ENABLE_PKCS11
-&& !o->pkcs11_id
-#endif
-)
-{
-msg(M_WARN, "WARNING: you are using user/group/chroot/setcon 
without persist-key -- this may cause restarts to fail");
-}
 }
 
 if (o->chroot_dir && !(o->username && o->groupname))
@@ -3901,7 +3893,7 @@ static void
 do_close_free_key_schedule(struct context *c, bool free_ssl_ctx)
 {
 /*
- * always free the tls_auth/crypt key. If persist_key is true, the key will
+ * always free the tls_auth/crypt key. The key will
  * be reloaded from memory (pre-cached)
  */
 free_key_ctx(>c1.ks.tls_crypt_v2_server_key);
@@ -3910,7 +3902,7 @@ do_close_free_key_schedule(struct context *c, bool 
free_ssl_ctx)
 buf_clear(>c1.ks.tls_crypt_v2_wkc);
 free_buf(>c1.ks.tls_crypt_v2_wkc);
 
-if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
+if (!(c->sig->signal_received == SIGUSR1))
 {
 key_schedule_free(>c1.ks, free_ssl_ctx);
 }
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 2680f268..9ef21bc9 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1860,7 +1860,6 @@ show_settings(const struct options *o)
 SHOW_BOOL(persist_tun);
 SHOW_BOOL(persist_local_ip);
 SHOW_BOOL(persist_remote_ip);
-SHOW_BOOL(persist_key);
 
 #if PASSTOS_CAPABILITY
 SHOW_BOOL(passtos);
@@ -3239,18 +3238,15 @@ options_postprocess_mutate_ce(struct options *o, struct 
connection_entry *ce)
 ce->tls_crypt_v2_file_inline = o->tls_crypt_v2_file_inline;
 }
 
-/* Pre-cache tls-auth/crypt(-v2) key file if persist-key was specified and
+/* Pre-cache tls-auth/crypt(-v2) key file if
  * keys were not already embedded in the config file.
  */
-if (o->persist_key)
-{
-connection_entry_preload_key(>tls_auth_file,
- >tls_auth_file_inline, >gc);
-connection_entry_preload_key(>tls_crypt_file,
- >tls_crypt_file_inline, >gc);
-connection_entry_preload_key(>tls_crypt_v2_file,
- >tls_crypt_v2_file_inline, >gc);
-}
+connection_entry_preload_key(>tls_auth_file,
+ >tls_auth_file_inline, >gc);
+connection_entry_preload_key(>tls_crypt_file,
+ >tls_crypt_file_inline, >gc);
+connection_entry_preload_key(>tls_crypt_v2_file,
+ >tls_crypt_v2_file_inline, >gc);
 
 if (!proto_is_udp(ce->proto) && ce->explicit_exit_notification)
 {
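Review bot: with the `if (o->persist_key)` guard removed, the three connection_entry_preload_key() calls run for every connection entry, so tls-auth/tls-crypt(-v2) key material is always read into process memory at option post-processing time rather than only when the user opted in. That is the intended change, but it means the key bytes are resident for the whole lifetime of the process; the comment above the calls should say so, and the final teardown path should wipe the cached buffers the same way do_close_free_key_schedule() already does for tls_crypt_v2_wkc with buf_clear() before free_buf().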
@@ -6938,7 +6934,10 @@ add_option(struct options *options,
 else if (streq(p[0], "persist-key") && !p[1])
 {
 VERIFY_PERMISSION(OPT_P_PERSIST);
-options->persist_key = true;
+msg(M_WARN, "DEPRECATED OPTION: --persist-key option ignored."
+"The corresponding behavior is now always activated."
+"This option will be removed in a future version, "
+"please remove it from your configuration.");
 }
 else if (streq(p[0], "persist-local-ip") && !p[1])
 {
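Review bot: the string literals in the new msg(M_WARN, ...) call are concatenated without separating spaces, so the warning prints as `...option ignored.The corresponding behavior is now always activated.This option will be removed...`. Add a trailing space after `ignored.` and after `activated.`, e.g. `"DEPRECATED OPTION: --persist-key option ignored. "`.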
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index f5890b90..cf9613b2 100644
--- a/src/openvp

[Openvpn-devel] [PATCH v5] Route: add support for user defined routing table

2023-04-20 Thread Gianmarco De Gregori
Add the ability for users to specify a custom
routing table in which routes should be installed.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Fixes: Trac #1399
Signed-off-by: Gianmarco De Gregori 
---
Changes from v1:
* Fixed parameters (metric and table_id) order in init_route_list() call in 
init.c : 1535.

Changes from v2:
* Add route_default_table_id to show_settings() in options.c : 1800.

Changes from v3:
* Switched table_id data type from uint32_t to int.
* Added discard to pulled routing table_id from server in case of pull mode.

Changes from v4:
* The --route-table option has been made non-pullable.
* A short description of --route-table has been added to usage_message.

 doc/man-sections/vpn-network-options.rst |  16 +++-
 src/openvpn/helper.c |   1 +
 src/openvpn/init.c   |  15 +++-
 src/openvpn/options.c|  67 +--
 src/openvpn/options.h|   2 +
 src/openvpn/route.c  | 101 +--
 src/openvpn/route.h  |  17 +++-
 7 files changed, 202 insertions(+), 17 deletions(-)

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 8e3c92ee..c25bbf31 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@ routing.
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.
 
+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
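Review bot: the new `--route-table id` entry says the table is used `with --route`, but the commit message and the later hunks extend `--route-ipv6` with the same `table-id` argument, so the text should mention both; `--route` should also be written as ``--route`` to match the surrounding rst (compare ``--redirect-gateway`` two lines above). It would help to state what `id` is (the numeric Linux routing table ID) and that the main table is used when the option is absent. The Linux-only remark is repeated three times in this file; stating it once here and cross-referencing it from the `table-id` entries would be enough.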
@@ -379,6 +387,7 @@ routing.
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id
 
   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,9 @@ routing.
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.
 
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+   default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
@@ -444,12 +456,14 @@ routing.
   Valid syntax:
   ::
 
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
 
   The gateway parameter is only used for IPv6 routes across *tap* devices,
   and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
   ``--route-ipv6-gateway`` is used.
 
+  (table-id supported on Linux only, on other platforms this is a no-op).
+
 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
 
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 7c219fdf..4a0e0d85 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t 
netmask, struct option
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }
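Review bot: the extra `NULL,` argument in helper_add_route() is positional, and with three consecutive NULLs it is no longer clear which one is the gateway, the metric and the new table-id; an inline comment such as `NULL, /* table-id */` on the new line would document it. The add_route() signature change itself lives in route.c/route.h, which are listed in the diffstat but not in the part of the patch shown here.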
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..e7b3b209 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options,
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 int metric = 0;
+int table_id = 0; /* unspec table */
 
 /* if DCO is enabled we have both regular routes and iroutes in the system
  * routing table, and normal routes must have a higher metric for that to
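Review bot: `table_id` is now a plain `int` (the v4 changelog notes the switch from `uint32_t`), so negative values become representable; the `--route-table` parser should reject them, or the comment here should say why 0 and negative values are treated as `unspec`. Spelling out `unspecified table (routes go to the main table)` in the comment would also help, because the rst hunk in this patch documents :code:`0` as the default for `table-id` without saying what 0 means.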
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options,
 {
 gw = options->route_default_gateway;
 }
+if (options->route_default_table_id)
+{
+table_id = options->route_default_table_id;
+ 

[Openvpn-devel] [PATCH v4] Route: add support for user defined routing table

2023-04-18 Thread Gianmarco De Gregori
Add the ability for users to specify a custom
routing table in which routes should be installed.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Fixes: Trac #1399
Signed-off-by: Gianmarco De Gregori 
---
Changes from v1:
* Fixed parameters (metric and table_id) order in init_route_list() call in 
init.c : 1535.

Changes from v2:
* Add route_default_table_id to show_settings() in options.c : 1800.

Changes from v3:
* Switched table_id data type from uint32_t to int.
* Added discard to pulled routing table_id from server in case of pull mode.

 doc/man-sections/vpn-network-options.rst |  16 +++-
 src/openvpn/helper.c |   1 +
 src/openvpn/init.c   |  15 +++-
 src/openvpn/options.c|  62 --
 src/openvpn/options.h|   1 +
 src/openvpn/route.c  | 101 +--
 src/openvpn/route.h  |  17 +++-
 7 files changed, 196 insertions(+), 17 deletions(-)

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 8e3c92ee..c25bbf31 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@ routing.
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.
 
+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
@@ -379,6 +387,7 @@ routing.
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id
 
   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,9 @@ routing.
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.
 
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+   default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
@@ -444,12 +456,14 @@ routing.
   Valid syntax:
   ::
 
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
 
   The gateway parameter is only used for IPv6 routes across *tap* devices,
   and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
   ``--route-ipv6-gateway`` is used.
 
+  (table-id supported on Linux only, on other platforms this is a no-op).
+
 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
 
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 7c219fdf..4a0e0d85 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t 
netmask, struct option
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..e7b3b209 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options,
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 int metric = 0;
+int table_id = 0; /* unspec table */
 
 /* if DCO is enabled we have both regular routes and iroutes in the system
  * routing table, and normal routes must have a higher metric for that to
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options,
 {
 gw = options->route_default_gateway;
 }
+if (options->route_default_table_id)
+{
+table_id = options->route_default_table_id;
+}
 if (options->route_default_metric)
 {
 metric = options->route_default_metric;
@@ -1531,6 +1536,7 @@ do_init_route_list(co

[Openvpn-devel] [PATCH v3] Route: add support for user defined routing table

2023-04-04 Thread Gianmarco De Gregori
Add the ability for users to specify a custom
routing table in which routes should be installed.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Signed-off-by: Gianmarco De Gregori 
---
Changes from v1:
* Fixed parameters (metric and table_id) order in init_route_list() call in 
init.c : 1535.

Changes from v2:
* Add route_default_table_id to show_settings() in options.c : 1800.

 doc/man-sections/vpn-network-options.rst |  16 +++-
 src/openvpn/helper.c |   1 +
 src/openvpn/init.c   |  15 +++-
 src/openvpn/options.c|  45 +-
 src/openvpn/options.h|   1 +
 src/openvpn/route.c  | 101 +--
 src/openvpn/route.h  |  17 +++-
 7 files changed, 180 insertions(+), 16 deletions(-)

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 8e3c92ee..c25bbf31 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@ routing.
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.
 
+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
@@ -379,6 +387,7 @@ routing.
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id
 
   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,9 @@ routing.
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.
 
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+   default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
@@ -444,12 +456,14 @@ routing.
   Valid syntax:
   ::
 
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
 
   The gateway parameter is only used for IPv6 routes across *tap* devices,
   and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
   ``--route-ipv6-gateway`` is used.
 
+  (table-id supported on Linux only, on other platforms this is a no-op).
+
 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
 
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 7c219fdf..4a0e0d85 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t 
netmask, struct option
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..00caa283 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options,
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 int metric = 0;
+uint32_t table_id = 0; /* unspec table */
 
 /* if DCO is enabled we have both regular routes and iroutes in the system
  * routing table, and normal routes must have a higher metric for that to
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options,
 {
 gw = options->route_default_gateway;
 }
+if (options->route_default_table_id)
+{
+table_id = options->route_default_table_id;
+}
 if (options->route_default_metric)
 {
 metric = options->route_default_metric;
@@ -1531,6 +1536,7 @@ do_init_route_list(const struct options *options,
 options->routes,
 gw,
 metric,
+  

[Openvpn-devel] [PATCH v2] Route: add support for user defined routing table

2023-04-03 Thread Gianmarco De Gregori
Add the ability for users to specify a custom
routing table in which routes should be installed.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Signed-off-by: Gianmarco De Gregori 
---
Changes from v1:
* fixed parameters (metric and table_id) order in init_route_list() call in 
init.c : 1535.

 doc/man-sections/vpn-network-options.rst |  16 +++-
 src/openvpn/helper.c |   1 +
 src/openvpn/init.c   |  15 +++-
 src/openvpn/options.c|  44 +-
 src/openvpn/options.h|   1 +
 src/openvpn/route.c  | 101 +--
 src/openvpn/route.h  |  17 +++-
 7 files changed, 179 insertions(+), 16 deletions(-)

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 8e3c92ee..c25bbf31 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@ routing.
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.
 
+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
@@ -379,6 +387,7 @@ routing.
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id
 
   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,9 @@ routing.
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.
 
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+   default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
@@ -444,12 +456,14 @@ routing.
   Valid syntax:
   ::
 
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
 
   The gateway parameter is only used for IPv6 routes across *tap* devices,
   and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
   ``--route-ipv6-gateway`` is used.
 
+  (table-id supported on Linux only, on other platforms this is a no-op).
+
 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
 
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 7c219fdf..4a0e0d85 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t 
netmask, struct option
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..00caa283 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options,
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 int metric = 0;
+uint32_t table_id = 0; /* unspec table */
 
 /* if DCO is enabled we have both regular routes and iroutes in the system
  * routing table, and normal routes must have a higher metric for that to
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options,
 {
 gw = options->route_default_gateway;
 }
+if (options->route_default_table_id)
+{
+table_id = options->route_default_table_id;
+}
 if (options->route_default_metric)
 {
 metric = options->route_default_metric;
@@ -1531,6 +1536,7 @@ do_init_route_list(const struct options *options,
 options->routes,
 gw,
 metric,
+table_id,
 link_socket_current_remote(link_socket_info

[Openvpn-devel] [PATCH] Route: add support for user defined routing table

2023-03-29 Thread Gianmarco De Gregori
Add the ability for users to specify a custom
routing table in which routes should be installed.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possible
to specify the ID of the default routing table
to be used by --route(-ipv6).

The --route(-ipv6) directives have been extended
with an additional argument (5th for --route)
(4th for --route-ipv6) so that each of them
can possibly use an independent routing table.

Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.

Signed-off-by: Gianmarco De Gregori 
---
 doc/man-sections/vpn-network-options.rst |  16 +++-
 src/openvpn/helper.c |   1 +
 src/openvpn/init.c   |  15 +++-
 src/openvpn/options.c|  44 +-
 src/openvpn/options.h|   1 +
 src/openvpn/route.c  | 101 +--
 src/openvpn/route.h  |  17 +++-
 7 files changed, 179 insertions(+), 16 deletions(-)

diff --git a/doc/man-sections/vpn-network-options.rst 
b/doc/man-sections/vpn-network-options.rst
index 8e3c92ee..c25bbf31 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -367,6 +367,14 @@ routing.
   Like ``--redirect-gateway``, but omit actually changing the default gateway.
   Useful when pushing private subnets.
 
+--route-table id
+  Specify a default table id for use with --route.
+  By default, OpenVPN installs routes in the main routing
+  table of the operating system, but with this option,
+  a user defined routing table can be used instead.
+
+  (Supported on Linux only, on other platforms this is a no-op).
+
 --route args
   Add route to routing table after connection is established. Multiple
   routes can be specified. Routes will be automatically torn down in
@@ -379,6 +387,7 @@ routing.
   route network/IP netmask
   route network/IP netmask gateway
   route network/IP netmask gateway metric
+  route network/IP netmask gateway metric table-id
 
   This option is intended as a convenience proxy for the ``route``\(8)
   shell command, while at the same time providing portable semantics
@@ -394,6 +403,9 @@ routing.
   ``metric``
 default taken from ``--route-metric`` if set, otherwise :code:`0`.
 
+  ``table-id`` (Supported on Linux only, on other platforms this is a no-op).
+   default taken from ``--route-table`` if set, otherwise :code:`0`.
+
   The default can be specified by leaving an option blank or setting it to
   :code:`default`.
 
@@ -444,12 +456,14 @@ routing.
   Valid syntax:
   ::
 
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits [gateway] [metric] [table-id]
 
   The gateway parameter is only used for IPv6 routes across *tap* devices,
   and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
   ``--route-ipv6-gateway`` is used.
 
+  (table-id supported on Linux only, on other platforms this is a no-op).
+
 --route-gateway arg
   Specify a default *gateway* for use with ``--route``.
 
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 7c219fdf..4a0e0d85 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -120,6 +120,7 @@ helper_add_route(const in_addr_t network, const in_addr_t 
netmask, struct option
  print_in_addr_t(network, 0, >gc),
  print_in_addr_t(netmask, 0, >gc),
  NULL,
+ NULL,
  NULL);
 }
 
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad00..8220eb93 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1504,6 +1504,7 @@ do_init_route_list(const struct options *options,
 const char *gw = NULL;
 int dev = dev_type_enum(options->dev, options->dev_type);
 int metric = 0;
+uint32_t table_id = 0; /* unspec table */
 
 /* if DCO is enabled we have both regular routes and iroutes in the system
  * routing table, and normal routes must have a higher metric for that to
@@ -1522,6 +1523,10 @@ do_init_route_list(const struct options *options,
 {
 gw = options->route_default_gateway;
 }
+if (options->route_default_table_id)
+{
+table_id = options->route_default_table_id;
+}
 if (options->route_default_metric)
 {
 metric = options->route_default_metric;
@@ -1530,6 +1535,7 @@ do_init_route_list(const struct options *options,
 if (init_route_list(route_list,
 options->routes,
 gw,
+table_id,
 metric,
 link_socket_current_remote(link_socket_info),
 es,
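Review bot: the new `table_id,` argument is passed before `metric,` in this init_route_list() call; confirm this matches the parameter order of the updated init_route_list() in route.c/route.h, which are not shown here. Both are plain integers, so a swapped order compiles silently and would install every route with the metric used as the table ID and vice versa (the v2 changelog later reports exactly this fix).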
@@ -1549,6 +1555,7 @@ do_init_route_ipv6_list(const struct o