Attention is currently required from: cron2, flichtenheld, its_Giaan, plaisthos.
Hello cron2, flichtenheld, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/524?usp=email
to look at the new patch set (#7).
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld, Code-Review-1 by cron2
The change is no longer submittable: Code-Review and checks~ChecksSubmitRule
are unsatisfied now.
Change subject: Route: add support for user defined routing table
......................................................................
Route: add support for user defined routing table
Add the ability for users to specify a custom
routing table where routes should be installed in.
As of now routes are always installed in the main
routing table of the operating system, however,
with the new --route-table option it is possibile
to specify the ID of the default routing table
to be used by --route(-ipv6).
Please note: this feature is currently supported
only by Linux/SITNL.
Support for other platforms should be added in related backends.
Trac #1399
Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Signed-off-by: Gianmarco De Gregori <[email protected]>
---
M doc/man-sections/vpn-network-options.rst
M src/openvpn/helper.c
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/route.c
M src/openvpn/route.h
7 files changed, 76 insertions(+), 19 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/524/7
diff --git a/doc/man-sections/vpn-network-options.rst
b/doc/man-sections/vpn-network-options.rst
index 84d4273..9d4235b 100644
--- a/doc/man-sections/vpn-network-options.rst
+++ b/doc/man-sections/vpn-network-options.rst
@@ -371,6 +371,14 @@
Like ``--redirect-gateway``, but omit actually changing the default gateway.
Useful when pushing private subnets.
+--route-table id
+ Specify a default table id for use with --route.
+ By default, OpenVPN installs routes in the main routing
+ table of the operating system, but with this option,
+ a user defined routing table can be used instead.
+
+ (Supported on Linux only, on other platforms this is a no-op).
+
--route args
Add route to routing table after connection is established. Multiple
routes can be specified. Routes will be automatically torn down in
@@ -445,14 +453,20 @@
Setup IPv6 routing in the system to send the specified IPv6 network into
OpenVPN's *tun*.
- Valid syntax:
+ Valid syntaxes:
::
- route-ipv6 ipv6addr/bits [gateway] [metric]
+ route-ipv6 ipv6addr/bits
+ route-ipv6 ipv6addr/bits gateway
+ route-ipv6 ipv6addr/bits gateway metric
- The gateway parameter is only used for IPv6 routes across *tap* devices,
- and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
- ``--route-ipv6-gateway`` is used.
+ ``gateway``
+ Only used for IPv6 routes across *tap* devices,
+ and if missing, the ``ipv6remote`` field from ``--ifconfig-ipv6`` or
+ ``--route-ipv6-gateway`` is used.
+
+ ``metric``
+ default taken from ``--route-metric`` if set, otherwise :code:`0`.
--route-gateway arg
Specify a default *gateway* for use with ``--route``.
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index bbdbc04..2306760 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -118,7 +118,8 @@
print_in_addr_t(network, 0, &o->gc),
print_in_addr_t(netmask, 0, &o->gc),
NULL,
- NULL);
+ NULL,
+ o->route_default_table_id);
}
static void
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 83cc670..d32b903 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -1499,6 +1499,7 @@
options->routes,
gw,
metric,
+ options->route_default_table_id,
link_socket_current_remote(link_socket_info),
es,
ctx))
@@ -1546,7 +1547,7 @@
{
add_route_ipv6_to_option_list( options->routes_ipv6,
string_alloc(opt_list[i],
options->routes_ipv6->gc),
- NULL, NULL );
+ NULL, NULL,
options->route_default_table_id);
}
}
@@ -1554,6 +1555,7 @@
options->routes_ipv6,
gw,
metric,
+ options->route_default_table_id,
link_socket_current_remote_ipv6(link_socket_info),
es,
ctx))
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 61f6285..4516a58 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -201,6 +201,10 @@
" pass --ifconfig parms by environment to scripts.\n"
"--ifconfig-nowarn : Don't warn if the --ifconfig option on this side of
the\n"
" connection doesn't match the remote side.\n"
+#ifdef TARGET_LINUX
+ "--route-table table_id : Specify a custom routing table for use with
--route(-ipv6).\n"
+ " If not specified, the id of the default
routing table will be used.\n"
+#endif
"--route network [netmask] [gateway] [metric] :\n"
" Add route to routing table after connection\n"
" is established. Multiple routes can be specified.\n"
@@ -819,6 +823,7 @@
o->ce.mssfix = 0;
o->ce.mssfix_default = true;
o->ce.mssfix_encap = true;
+ o->route_default_table_id = 0;
o->route_delay_window = 30;
o->resolve_retry_seconds = RESOLV_RETRY_INFINITE;
o->resolve_in_advance = false;
@@ -1910,6 +1915,7 @@
SHOW_STR(route_script);
SHOW_STR(route_default_gateway);
SHOW_INT(route_default_metric);
+ SHOW_INT(route_default_table_id);
SHOW_BOOL(route_noexec);
SHOW_INT(route_delay);
SHOW_INT(route_delay_window);
@@ -7005,6 +7011,14 @@
cnol_check_alloc(options);
add_client_nat_to_option_list(options->client_nat, p[1], p[2], p[3],
p[4], msglevel);
}
+ else if (streq(p[0], "route-table") && p[1] && !p[2])
+ {
+#ifndef ENABLE_SITNL
+ msg(M_WARN, "NOTE: --route-table is supported only on Linux when SITNL
is built-in");
+#endif
+ VERIFY_PERMISSION(OPT_P_ROUTE_TABLE);
+ options->route_default_table_id = positive_atoi(p[1]);
+ }
else if (streq(p[0], "route") && p[1] && !p[5])
{
VERIFY_PERMISSION(OPT_P_ROUTE);
@@ -7026,8 +7040,10 @@
msg(msglevel, "route parameter gateway '%s' must be a valid
address", p[3]);
goto err;
}
+ /* p[4] is metric, if specified */
}
- add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4]);
+
+ add_route_to_option_list(options->routes, p[1], p[2], p[3], p[4],
options->route_default_table_id);
}
else if (streq(p[0], "route-ipv6") && p[1] && !p[4])
{
@@ -7045,9 +7061,10 @@
msg(msglevel, "route-ipv6 parameter gateway '%s' must be a
valid address", p[2]);
goto err;
}
- /* p[3] is metric, if present */
+ /* p[3] is metric, if specified */
}
- add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3]);
+
+ add_route_ipv6_to_option_list(options->routes_ipv6, p[1], p[2], p[3],
options->route_default_table_id);
}
else if (streq(p[0], "max-routes") && !p[2])
{
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index ee39dbb..bc41988 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -413,6 +413,7 @@
const char *route_predown_script;
const char *route_default_gateway;
const char *route_ipv6_default_gateway;
+ int route_default_table_id;
int route_default_metric;
bool route_noexec;
int route_delay;
@@ -743,6 +744,7 @@
#define OPT_P_PEER_ID (1<<28)
#define OPT_P_INLINE (1<<29)
#define OPT_P_PUSH_MTU (1<<30)
+#define OPT_P_ROUTE_TABLE (1<<31)
#define OPT_P_DEFAULT (~(OPT_P_INSTANCE|OPT_P_PULL_MODE))
diff --git a/src/openvpn/route.c b/src/openvpn/route.c
index 2e584c7..3d1d6bb 100644
--- a/src/openvpn/route.c
+++ b/src/openvpn/route.c
@@ -328,7 +328,6 @@
CLEAR(*r);
r->option = ro;
-
/* network */
if (!is_route_parm_defined(ro->network))
@@ -442,6 +441,9 @@
r->flags |= RT_DEFINED;
+ /* routing table id */
+ r->table_id = ro->table_id;
+
return true;
fail:
@@ -498,6 +500,9 @@
r6->flags |= RT_DEFINED;
+ /* routing table id */
+ r6->table_id = r6o->table_id;
+
return true;
fail:
@@ -511,7 +516,8 @@
const char *network,
const char *netmask,
const char *gateway,
- const char *metric)
+ const char *metric,
+ int table_id)
{
struct route_option *ro;
ALLOC_OBJ_GC(ro, struct route_option, l->gc);
@@ -519,6 +525,7 @@
ro->netmask = netmask;
ro->gateway = gateway;
ro->metric = metric;
+ ro->table_id = table_id;
ro->next = l->routes;
l->routes = ro;
@@ -528,13 +535,15 @@
add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
const char *prefix,
const char *gateway,
- const char *metric)
+ const char *metric,
+ int table_id)
{
struct route_ipv6_option *ro;
ALLOC_OBJ_GC(ro, struct route_ipv6_option, l->gc);
ro->prefix = prefix;
ro->gateway = gateway;
ro->metric = metric;
+ ro->table_id = table_id;
ro->next = l->routes_ipv6;
l->routes_ipv6 = ro;
}
@@ -632,6 +641,7 @@
const struct route_option_list *opt,
const char *remote_endpoint,
int default_metric,
+ int table_id,
in_addr_t remote_host,
struct env_set *es,
openvpn_net_ctx_t *ctx)
@@ -791,6 +801,7 @@
const struct route_ipv6_option_list *opt6,
const char *remote_endpoint,
int default_metric,
+ int table_id,
const struct in6_addr *remote_host_ipv6,
struct env_set *es,
openvpn_net_ctx_t *ctx)
@@ -1611,9 +1622,10 @@
metric = r->metric;
}
+
status = RTA_SUCCESS;
int ret = net_route_v4_add(ctx, &r->network,
netmask_to_netbits2(r->netmask),
- &r->gateway, iface, 0, metric);
+ &r->gateway, iface, r->table_id, metric);
if (ret == -EEXIST)
{
msg(D_ROUTE, "NOTE: Linux route add command failed because route
exists");
@@ -1994,7 +2006,7 @@
status = RTA_SUCCESS;
int ret = net_route_v6_add(ctx, &r6->network, r6->netbits,
gateway_needed ? &r6->gateway : NULL,
- device, 0, metric);
+ device, r6->table_id, metric);
if (ret == -EEXIST)
{
msg(D_ROUTE, "NOTE: Linux route add command failed because route
exists");
@@ -2200,7 +2212,7 @@
}
if (net_route_v4_del(ctx, &r->network, netmask_to_netbits2(r->netmask),
- &r->gateway, NULL, 0, metric) < 0)
+ &r->gateway, NULL, r->table_id, metric) < 0)
{
msg(M_WARN, "ERROR: Linux route delete command failed");
}
@@ -2413,7 +2425,7 @@
}
if (net_route_v6_del(ctx, &r6->network, r6->netbits,
- gateway_needed ? &r6->gateway : NULL, device, 0,
+ gateway_needed ? &r6->gateway : NULL, device,
r6->table_id,
metric) < 0)
{
msg(M_WARN, "ERROR: Linux route v6 delete command failed");
diff --git a/src/openvpn/route.h b/src/openvpn/route.h
index 421e7d2..fb2b311 100644
--- a/src/openvpn/route.h
+++ b/src/openvpn/route.h
@@ -69,6 +69,7 @@
in_addr_t remote_host;
int remote_host_local; /* TLA_x value */
struct route_bypass bypass;
+ int table_id;
int default_metric;
};
@@ -77,6 +78,7 @@
const char *network;
const char *netmask;
const char *gateway;
+ int table_id;
const char *metric;
};
@@ -101,6 +103,7 @@
const char *prefix; /* e.g. "2001:db8:1::/64" */
const char *gateway; /* e.g. "2001:db8:0::2" */
const char *metric; /* e.g. "5" */
+ int table_id;
};
struct route_ipv6_option_list {
@@ -119,6 +122,7 @@
in_addr_t network;
in_addr_t netmask;
in_addr_t gateway;
+ int table_id;
int metric;
};
@@ -129,6 +133,7 @@
unsigned int netbits;
struct in6_addr gateway;
int metric;
+ int table_id;
/* gateway interface */
#ifdef _WIN32
DWORD adapter_index; /* interface or ~0 if undefined */
@@ -283,17 +288,20 @@
const char *network,
const char *netmask,
const char *gateway,
- const char *metric);
+ const char *metric,
+ int table_id);
void add_route_ipv6_to_option_list(struct route_ipv6_option_list *l,
const char *prefix,
const char *gateway,
- const char *metric);
+ const char *metric,
+ int table_id);
bool init_route_list(struct route_list *rl,
const struct route_option_list *opt,
const char *remote_endpoint,
int default_metric,
+ int table_id,
in_addr_t remote_host,
struct env_set *es,
openvpn_net_ctx_t *ctx);
@@ -302,6 +310,7 @@
const struct route_ipv6_option_list *opt6,
const char *remote_endpoint,
int default_metric,
+ int table_id,
const struct in6_addr *remote_host,
struct env_set *es,
openvpn_net_ctx_t *ctx);
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/524?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I3e4ebef484d2a04a383a65ede5617ee98bf218a7
Gerrit-Change-Number: 524
Gerrit-PatchSet: 7
Gerrit-Owner: its_Giaan <[email protected]>
Gerrit-Reviewer: cron2 <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-Attention: cron2 <[email protected]>
Gerrit-Attention: its_Giaan <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-MessageType: newpatchset
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
