Attention is currently required from: cron2, flichtenheld, mrbff, plaisthos.
Hello flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/677?usp=email
to look at the new patch set (#12).
The following approvals got outdated and were removed:
Code-Review-1 by plaisthos
Change subject: route: copied 'gateway_needed' logic from add_route_ipv6 to
add_route
..
route: copied 'gateway_needed' logic from add_route_ipv6 to add_route
Under certain circumstances it may not be necessary to pass the
gateway when adding a new route via net_route_v4_add() API function.
add_route_ipv6() already accounts for some of these cases and
therefore this patch copies the same logic to add_route().
Change-Id: Id1ec0c6e4c391604ec5dbb8b7122f2e47ad186d1
Signed-off-by: Marco Baffo
---
M Changes.rst
M src/openvpn/route.c
2 files changed, 51 insertions(+), 3 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/77/677/12
diff --git a/Changes.rst b/Changes.rst
index 4feacad2..a3e00c2 100644
--- a/Changes.rst
+++ b/Changes.rst
@@ -170,6 +170,13 @@
COPYING: license details only relevant to our Windows installers have
been updated and moved to the openvpn-build repo
+The route gateway is now only added for IPv4 when strictly necessary.
+ The gateway-needed logic previously applied to IPv6 only has been copied
+ and extended to IPv4 route handling. Route additions now omit the
+ gateway unless required after checking device type, special routes,
+ on-link gateways, and whether the gateway lies inside the VPN subnet,
+ optimizing route configuration and potentially reducing redundant route
+ entries.
Deprecated features
---
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 7d988da..c249b38 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -1479,6 +1479,7 @@
{
int status = 0;
int is_local_route;
+bool gateway_needed = false;
if (!(r->flags & RT_DEFINED))
{
@@ -1488,8 +1489,8 @@
struct argv argv = argv_new();
struct gc_arena gc = gc_new();
-#if !defined(TARGET_LINUX)
const char *network = print_in_addr_t(r->network, 0, &gc);
+#if !defined(TARGET_LINUX)
#if !defined(TARGET_AIX)
const char *netmask = print_in_addr_t(r->netmask, 0, &gc);
#endif
@@ -1502,8 +1503,47 @@
goto done;
}
+#ifndef _WIN32
+/* server told us which interface to use; pass gateway if it gave one */
+if (rgi && (rgi->flags & RGI_IFACE_DEFINED) && rgi->iface[0] != 0)
+{
+if (rgi->flags & RGI_ADDR_DEFINED && r->gateway != 0)
+{
+gateway_needed = true;
+}
+}
+#endif
+
+/* TAP is an L2 device, so for destinations that are not explicitly
+ * on-link the kernel needs a gateway so it can ARP/ND for the
+ * MAC address. We make an exception only when the user explicitly sets
+ * metric 0, which is taken as a request for an on-link “route to
+ * interface” (no gateway). This keeps parity with the IPv6 code.
+ */
+if (tt->type == DEV_TYPE_TAP
+&& !((r->flags & RT_METRIC_DEFINED) && r->metric == 0))
+{
+gateway_needed = true;
+}
+
+if (gateway_needed && r->gateway == 0)
+{
+msg(M_WARN, "ROUTE WARNING: " PACKAGE_NAME " needs a gateway "
+"parameter for a --route option and no default was set via
"
+"--route-gateway or --ifconfig option. Not installing "
+"IPv4 route to %s/%d.",
+network, netmask_to_netbits2(r->netmask));
+status = 0;
+goto done;
+}
+
#if defined(TARGET_LINUX)
-const char *iface = NULL;
+const char *iface = tt->actual_name;
+if (!gateway_needed && rgi && (rgi->flags & RGI_IFACE_DEFINED) &&
rgi->iface[0] != 0) /* vpn server special route */
+{
+iface = rgi->iface;
+}
+
int metric = -1;
if (is_on_link(is_local_route, flags, rgi))
@@ -1518,7 +1558,8 @@
status = RTA_SUCCESS;
-int ret = net_route_v4_add(ctx, &r->network,
netmask_to_netbits2(r->netmask), &r->gateway,
+int ret = net_route_v4_add(ctx, &r->network,
netmask_to_netbits2(r->netmask),
+ gateway_needed ? &r->gateway : NULL,
iface, r->table_id, metric);
if (ret == -EEXIST)
{
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/677?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Id1ec0c6e4c391604ec5dbb8b7122f2e47ad186d1
Gerrit-Change-Number: 677
Gerrit-PatchSet: 12
Gerrit-Owner: mrbff
Gerrit-Reviewer: flichtenheld
Gerrit-Reviewer: plaisthos
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: cron2
Gerri
