Diffstat (limited to 'src/openvpn/helper.c')
-rw-r--r-- | src/openvpn/helper.c | 822 |
1 files changed, 437 insertions, 385 deletions
diff --git a/src/openvpn/helper.c b/src/openvpn/helper.c
index 229523d..adcc4f8 100644
--- a/src/openvpn/helper.c
+++ b/src/openvpn/helper.c
@@ -5,7 +5,7 @@
  * packet encryption, packet authentication, and
  * packet compression.
  *
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2
@@ -40,101 +40,107 @@ #if P2MP_SERVER static const char * -print_netmask (int netbits, struct gc_arena *gc) +print_netmask(int netbits, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); - const in_addr_t netmask = netbits_to_netmask (netbits); + struct buffer out = alloc_buf_gc(128, gc); + const in_addr_t netmask = netbits_to_netmask(netbits); - buf_printf (&out, "%s (/%d)", print_in_addr_t (netmask, 0, gc), netbits); + buf_printf(&out, "%s (/%d)", print_in_addr_t(netmask, 0, gc), netbits); - return BSTR (&out); + return BSTR(&out); } static const char * -print_opt_route_gateway (const in_addr_t route_gateway, struct gc_arena *gc) +print_opt_route_gateway(const in_addr_t route_gateway, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); - ASSERT (route_gateway); - buf_printf (&out, "route-gateway %s", print_in_addr_t (route_gateway, 0, gc)); - return BSTR (&out); + struct buffer out = alloc_buf_gc(128, gc); + ASSERT(route_gateway); + buf_printf(&out, "route-gateway %s", print_in_addr_t(route_gateway, 0, gc)); + return BSTR(&out); } static const char * -print_opt_route_gateway_dhcp (struct gc_arena *gc) +print_opt_route_gateway_dhcp(struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (32, gc); - buf_printf (&out, "route-gateway dhcp"); - return BSTR (&out); + struct buffer out = alloc_buf_gc(32, gc); + buf_printf(&out, "route-gateway dhcp"); + return BSTR(&out); } static const char * -print_opt_route (const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc) +print_opt_route(const in_addr_t network, const in_addr_t netmask, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); - ASSERT (network); - - if (netmask) - buf_printf (&out, "route %s %s", - print_in_addr_t (network, 0, gc), - print_in_addr_t (netmask, 0, gc)); - else - buf_printf (&out, "route %s", - print_in_addr_t (network, 0, gc)); - - return BSTR (&out); + struct buffer out = alloc_buf_gc(128, gc); + ASSERT(network); + + if (netmask) 
+ { + buf_printf(&out, "route %s %s", + print_in_addr_t(network, 0, gc), + print_in_addr_t(netmask, 0, gc)); + } + else + { + buf_printf(&out, "route %s", + print_in_addr_t(network, 0, gc)); + } + + return BSTR(&out); } static const char * -print_opt_topology (const int topology, struct gc_arena *gc) +print_opt_topology(const int topology, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); + struct buffer out = alloc_buf_gc(128, gc); - buf_printf (&out, "topology %s", print_topology (topology)); + buf_printf(&out, "topology %s", print_topology(topology)); - return BSTR (&out); + return BSTR(&out); } static const char * -print_str_int (const char *str, const int i, struct gc_arena *gc) +print_str_int(const char *str, const int i, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); - buf_printf (&out, "%s %d", str, i); - return BSTR (&out); + struct buffer out = alloc_buf_gc(128, gc); + buf_printf(&out, "%s %d", str, i); + return BSTR(&out); } static const char * -print_str (const char *str, struct gc_arena *gc) +print_str(const char *str, struct gc_arena *gc) { - struct buffer out = alloc_buf_gc (128, gc); - buf_printf (&out, "%s", str); - return BSTR (&out); + struct buffer out = alloc_buf_gc(128, gc); + buf_printf(&out, "%s", str); + return BSTR(&out); } static void -helper_add_route (const in_addr_t network, const in_addr_t netmask, struct options *o) +helper_add_route(const in_addr_t network, const in_addr_t netmask, struct options *o) { - rol_check_alloc (o); - add_route_to_option_list (o->routes, - print_in_addr_t (network, 0, &o->gc), - print_in_addr_t (netmask, 0, &o->gc), - NULL, - NULL); + rol_check_alloc(o); + add_route_to_option_list(o->routes, + print_in_addr_t(network, 0, &o->gc), + print_in_addr_t(netmask, 0, &o->gc), + NULL, + NULL); } static void -verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, const in_addr_t subnet) +verify_common_subnet(const char *opt, const in_addr_t a, const 
in_addr_t b, const in_addr_t subnet) { - struct gc_arena gc = gc_new (); - if ((a & subnet) != (b & subnet)) - msg (M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet", - opt, - print_in_addr_t (a, 0, &gc), - print_in_addr_t (b, 0, &gc), - print_in_addr_t (subnet, 0, &gc)); - gc_free (&gc); + struct gc_arena gc = gc_new(); + if ((a & subnet) != (b & subnet)) + { + msg(M_USAGE, "%s IP addresses %s and %s are not in the same %s subnet", + opt, + print_in_addr_t(a, 0, &gc), + print_in_addr_t(b, 0, &gc), + print_in_addr_t(subnet, 0, &gc)); + } + gc_free(&gc); } -#endif +#endif /* if P2MP_SERVER */ /* * Process server, server-bridge, and client helper 
@@ -142,309 +148,349 @@ verify_common_subnet (const char *opt, const in_addr_t a, const in_addr_t b, con * parsed and placed in struct options. */ void -helper_client_server (struct options *o) +helper_client_server(struct options *o) { - struct gc_arena gc = gc_new (); + struct gc_arena gc = gc_new(); #if P2MP #if P2MP_SERVER /* - * Get tun/tap/null device type - */ - const int dev = dev_type_enum (o->dev, o->dev_type); - const int topology = o->topology; - - /* - * - * HELPER DIRECTIVE for IPv6 - * - * server-ipv6 2001:db8::/64 - * - * EXPANDS TO: - * - * tun-ipv6 - * push "tun-ipv6" - * ifconfig-ipv6 2001:db8::1 2001:db8::2 - * if !nopool: - * ifconfig-ipv6-pool 2001:db8::1000/64 - * - */ - if ( o->server_ipv6_defined ) - { - if ( ! o->server_defined ) - { - msg (M_USAGE, "--server-ipv6 must be used together with --server"); - } - if ( o->server_flags & SF_NOPOOL ) - { - msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" ); - } - if ( o->ifconfig_ipv6_pool_defined ) - { - msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); - } + * Get tun/tap/null device type + */ + const int dev = dev_type_enum(o->dev, o->dev_type); + const int topology = o->topology; + + /* + * + * HELPER DIRECTIVE for IPv6 + * + * server-ipv6 2001:db8::/64 + * + * EXPANDS TO: + * + * tun-ipv6 + * push "tun-ipv6" + * ifconfig-ipv6 2001:db8::1 2001:db8::2 + * if !nopool: + * ifconfig-ipv6-pool 2001:db8::1000/64 + * + */ + if (o->server_ipv6_defined) + { + if (!o->server_defined) + { + msg(M_USAGE, "--server-ipv6 must be used together with --server"); + } + if (o->server_flags & SF_NOPOOL) + { + msg( M_USAGE, "--server-ipv6 is incompatible with 'nopool' option" ); + } + if (o->ifconfig_ipv6_pool_defined) + { + msg( M_USAGE, "--server-ipv6 already defines an ifconfig-ipv6-pool, so you can't also specify --ifconfig-pool explicitly"); + } /* local ifconfig is "base address + 1" and "+2" */ - 
o->ifconfig_ipv6_local = - print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc ); - o->ifconfig_ipv6_remote = - print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc ); - o->ifconfig_ipv6_netbits = o->server_netbits_ipv6; - - /* pool starts at "base address + 0x1000" - leave enough room */ - ASSERT( o->server_netbits_ipv6 <= 112 ); /* want 16 bits */ - - o->ifconfig_ipv6_pool_defined = true; - o->ifconfig_ipv6_pool_base = - add_in6_addr( o->server_network_ipv6, 0x1000 ); - o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; - - push_option( o, "tun-ipv6", M_USAGE ); - } - - /* - * - * HELPER DIRECTIVE: - * - * server 10.8.0.0 255.255.255.0 - * - * EXPANDS TO: - * - * mode server - * tls-server - * push "topology [topology]" - * - * if tun AND (topology == net30 OR topology == p2p): - * ifconfig 10.8.0.1 10.8.0.2 - * if !nopool: - * ifconfig-pool 10.8.0.4 10.8.0.251 - * route 10.8.0.0 255.255.255.0 - * if client-to-client: - * push "route 10.8.0.0 255.255.255.0" - * else if topology == net30: - * push "route 10.8.0.1" - * - * if tap OR (tun AND topology == subnet): - * ifconfig 10.8.0.1 255.255.255.0 - * if !nopool: - * ifconfig-pool 10.8.0.2 10.8.0.254 255.255.255.0 - * push "route-gateway 10.8.0.1" - * if route-gateway unset: - * route-gateway 10.8.0.2 - */ - - if (o->server_defined) + o->ifconfig_ipv6_local = + print_in6_addr( add_in6_addr( o->server_network_ipv6, 1), 0, &o->gc ); + o->ifconfig_ipv6_remote = + print_in6_addr( add_in6_addr( o->server_network_ipv6, 2), 0, &o->gc ); + o->ifconfig_ipv6_netbits = o->server_netbits_ipv6; + + /* pool starts at "base address + 0x1000" - leave enough room */ + ASSERT( o->server_netbits_ipv6 <= 112 ); /* want 16 bits */ + + o->ifconfig_ipv6_pool_defined = true; + o->ifconfig_ipv6_pool_base = + add_in6_addr( o->server_network_ipv6, 0x1000 ); + o->ifconfig_ipv6_pool_netbits = o->server_netbits_ipv6; + + push_option( o, "tun-ipv6", M_USAGE ); + } + + /* + * + * HELPER DIRECTIVE: + * + * 
server 10.8.0.0 255.255.255.0 + * + * EXPANDS TO: + * + * mode server + * tls-server + * push "topology [topology]" + * + * if tun AND (topology == net30 OR topology == p2p): + * ifconfig 10.8.0.1 10.8.0.2 + * if !nopool: + * ifconfig-pool 10.8.0.4 10.8.0.251 + * route 10.8.0.0 255.255.255.0 + * if client-to-client: + * push "route 10.8.0.0 255.255.255.0" + * else if topology == net30: + * push "route 10.8.0.1" + * + * if tap OR (tun AND topology == subnet): + * ifconfig 10.8.0.1 255.255.255.0 + * if !nopool: + * ifconfig-pool 10.8.0.2 10.8.0.253 255.255.255.0 + * push "route-gateway 10.8.0.1" + * if route-gateway unset: + * route-gateway 10.8.0.2 + */ + + if (o->server_defined) { - int netbits = -2; - bool status = false; - - if (o->client) - msg (M_USAGE, "--server and --client cannot be used together"); - - if (o->server_bridge_defined || o->server_bridge_proxy_dhcp) - msg (M_USAGE, "--server and --server-bridge cannot be used together"); - - if (o->shared_secret_file) - msg (M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)"); - - if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) - msg (M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly"); - - if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN)) - msg (M_USAGE, "--server directive only makes sense with --dev tun or --dev tap"); - - status = netmask_to_netbits (o->server_network, o->server_netmask, &netbits); - if (!status) - msg (M_USAGE, "--server directive network/netmask combination is invalid"); - - if (netbits < 0) - msg (M_USAGE, "--server directive netmask is invalid"); - - if (netbits < IFCONFIG_POOL_MIN_NETBITS) - msg (M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)", - print_netmask (IFCONFIG_POOL_MIN_NETBITS, &gc)); - - if (dev == DEV_TYPE_TUN) - { - int pool_end_reserve = 4; - - if (netbits > 29) - msg (M_USAGE, "--server directive when used with 
--dev tun must define a subnet of %s or lower", - print_netmask (29, &gc)); - - if (netbits == 29) - pool_end_reserve = 0; - - o->mode = MODE_SERVER; - o->tls_server = true; - - if (topology == TOP_NET30 || topology == TOP_P2P) - { - o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc); - o->ifconfig_remote_netmask = print_in_addr_t (o->server_network + 2, 0, &o->gc); - - if (!(o->server_flags & SF_NOPOOL)) - { - o->ifconfig_pool_defined = true; - o->ifconfig_pool_start = o->server_network + 4; - o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve; - ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); - } - - helper_add_route (o->server_network, o->server_netmask, o); - if (o->enable_c2c) - push_option (o, print_opt_route (o->server_network, o->server_netmask, &o->gc), M_USAGE); - else if (topology == TOP_NET30) - push_option (o, print_opt_route (o->server_network + 1, 0, &o->gc), M_USAGE); - } - else if (topology == TOP_SUBNET) - { - o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc); - o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc); - - if (!(o->server_flags & SF_NOPOOL)) - { - o->ifconfig_pool_defined = true; - o->ifconfig_pool_start = o->server_network + 2; - o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2; - ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); - } - o->ifconfig_pool_netmask = o->server_netmask; - - push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE); - if (!o->route_default_gateway) - o->route_default_gateway = print_in_addr_t (o->server_network + 2, 0, &o->gc); - } - else - ASSERT (0); - - push_option (o, print_opt_topology (topology, &o->gc), M_USAGE); - } - else if (dev == DEV_TYPE_TAP) - { - if (netbits > 30) - msg (M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower", - print_netmask (30, 
&gc)); - - o->mode = MODE_SERVER; - o->tls_server = true; - o->ifconfig_local = print_in_addr_t (o->server_network + 1, 0, &o->gc); - o->ifconfig_remote_netmask = print_in_addr_t (o->server_netmask, 0, &o->gc); - - if (!(o->server_flags & SF_NOPOOL)) - { - o->ifconfig_pool_defined = true; - o->ifconfig_pool_start = o->server_network + 2; - o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1; - ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); - } - o->ifconfig_pool_netmask = o->server_netmask; - - push_option (o, print_opt_route_gateway (o->server_network + 1, &o->gc), M_USAGE); - } - else - { - ASSERT (0); - } - - /* set push-ifconfig-constraint directive */ - if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET)) - { - o->push_ifconfig_constraint_defined = true; - o->push_ifconfig_constraint_network = o->server_network; - o->push_ifconfig_constraint_netmask = o->server_netmask; - } + int netbits = -2; + bool status = false; + + if (o->client) + { + msg(M_USAGE, "--server and --client cannot be used together"); + } + + if (o->server_bridge_defined || o->server_bridge_proxy_dhcp) + { + msg(M_USAGE, "--server and --server-bridge cannot be used together"); + } + + if (o->shared_secret_file) + { + msg(M_USAGE, "--server and --secret cannot be used together (you must use SSL/TLS keys)"); + } + + if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) + { + msg(M_USAGE, "--server already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly"); + } + + if (!(dev == DEV_TYPE_TAP || dev == DEV_TYPE_TUN)) + { + msg(M_USAGE, "--server directive only makes sense with --dev tun or --dev tap"); + } + + status = netmask_to_netbits(o->server_network, o->server_netmask, &netbits); + if (!status) + { + msg(M_USAGE, "--server directive network/netmask combination is invalid"); + } + + if (netbits < 0) + { + msg(M_USAGE, "--server directive netmask is invalid"); + } + + if (netbits < 
IFCONFIG_POOL_MIN_NETBITS) + { + msg(M_USAGE, "--server directive netmask allows for too many host addresses (subnet must be %s or higher)", + print_netmask(IFCONFIG_POOL_MIN_NETBITS, &gc)); + } + + if (dev == DEV_TYPE_TUN) + { + int pool_end_reserve = 4; + + if (netbits > 29) + { + msg(M_USAGE, "--server directive when used with --dev tun must define a subnet of %s or lower", + print_netmask(29, &gc)); + } + + if (netbits == 29) + { + pool_end_reserve = 0; + } + + o->mode = MODE_SERVER; + o->tls_server = true; + + if (topology == TOP_NET30 || topology == TOP_P2P) + { + o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); + o->ifconfig_remote_netmask = print_in_addr_t(o->server_network + 2, 0, &o->gc); + + if (!(o->server_flags & SF_NOPOOL)) + { + o->ifconfig_pool_defined = true; + o->ifconfig_pool_start = o->server_network + 4; + o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - pool_end_reserve; + ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); + } + + helper_add_route(o->server_network, o->server_netmask, o); + if (o->enable_c2c) + { + push_option(o, print_opt_route(o->server_network, o->server_netmask, &o->gc), M_USAGE); + } + else if (topology == TOP_NET30) + { + push_option(o, print_opt_route(o->server_network + 1, 0, &o->gc), M_USAGE); + } + } + else if (topology == TOP_SUBNET) + { + o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); + o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); + + if (!(o->server_flags & SF_NOPOOL)) + { + o->ifconfig_pool_defined = true; + o->ifconfig_pool_start = o->server_network + 2; + o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 2; + ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); + } + o->ifconfig_pool_netmask = o->server_netmask; + + push_option(o, print_opt_route_gateway(o->server_network + 1, &o->gc), M_USAGE); + if (!o->route_default_gateway) + { + 
o->route_default_gateway = print_in_addr_t(o->server_network + 2, 0, &o->gc); + } + } + else + { + ASSERT(0); + } + + push_option(o, print_opt_topology(topology, &o->gc), M_USAGE); + } + else if (dev == DEV_TYPE_TAP) + { + if (netbits > 30) + { + msg(M_USAGE, "--server directive when used with --dev tap must define a subnet of %s or lower", + print_netmask(30, &gc)); + } + + o->mode = MODE_SERVER; + o->tls_server = true; + o->ifconfig_local = print_in_addr_t(o->server_network + 1, 0, &o->gc); + o->ifconfig_remote_netmask = print_in_addr_t(o->server_netmask, 0, &o->gc); + + if (!(o->server_flags & SF_NOPOOL)) + { + o->ifconfig_pool_defined = true; + o->ifconfig_pool_start = o->server_network + 2; + o->ifconfig_pool_end = (o->server_network | ~o->server_netmask) - 1; + ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); + } + o->ifconfig_pool_netmask = o->server_netmask; + + push_option(o, print_opt_route_gateway(o->server_network + 1, &o->gc), M_USAGE); + } + else + { + ASSERT(0); + } + + /* set push-ifconfig-constraint directive */ + if ((dev == DEV_TYPE_TAP || topology == TOP_SUBNET)) + { + o->push_ifconfig_constraint_defined = true; + o->push_ifconfig_constraint_network = o->server_network; + o->push_ifconfig_constraint_netmask = o->server_netmask; + } } - /* - * HELPER DIRECTIVE: - * - * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 - * - * EXPANDS TO: - * - * mode server - * tls-server - * - * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 - * push "route-gateway 10.8.0.4" - * - * OR - * - * server-bridge - * - * EXPANDS TO: - * - * mode server - * tls-server - * - * if !nogw: - * push "route-gateway dhcp" - */ - else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) + /* + * HELPER DIRECTIVE: + * + * server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 + * + * EXPANDS TO: + * + * mode server + * tls-server + * + * ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0 + * push "route-gateway 10.8.0.4" + 
* + * OR + * + * server-bridge + * + * EXPANDS TO: + * + * mode server + * tls-server + * + * if !nogw: + * push "route-gateway dhcp" + */ + else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp) { - if (o->client) - msg (M_USAGE, "--server-bridge and --client cannot be used together"); - - if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) - msg (M_USAGE, "--server-bridge already defines an ifconfig-pool, so you can't also specify --ifconfig-pool explicitly"); - - if (o->shared_secret_file) - msg (M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)"); - - if (dev != DEV_TYPE_TAP) - msg (M_USAGE, "--server-bridge directive only makes sense with --dev tap"); - - if (o->server_bridge_defined) - { - verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask); - verify_common_subnet ("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask); - verify_common_subnet ("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask); - } - - o->mode = MODE_SERVER; - o->tls_server = true; - - if (o->server_bridge_defined) - { - o->ifconfig_pool_defined = true; - o->ifconfig_pool_start = o->server_bridge_pool_start; - o->ifconfig_pool_end = o->server_bridge_pool_end; - ifconfig_pool_verify_range (M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); - o->ifconfig_pool_netmask = o->server_bridge_netmask; - push_option (o, print_opt_route_gateway (o->server_bridge_ip, &o->gc), M_USAGE); - } - else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) - { - push_option (o, print_opt_route_gateway_dhcp (&o->gc), M_USAGE); - } + if (o->client) + { + msg(M_USAGE, "--server-bridge and --client cannot be used together"); + } + + if (!(o->server_flags & SF_NOPOOL) && o->ifconfig_pool_defined) + { + msg(M_USAGE, "--server-bridge already defines an ifconfig-pool, so you 
can't also specify --ifconfig-pool explicitly"); + } + + if (o->shared_secret_file) + { + msg(M_USAGE, "--server-bridge and --secret cannot be used together (you must use SSL/TLS keys)"); + } + + if (dev != DEV_TYPE_TAP) + { + msg(M_USAGE, "--server-bridge directive only makes sense with --dev tap"); + } + + if (o->server_bridge_defined) + { + verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_start, o->server_bridge_netmask); + verify_common_subnet("--server-bridge", o->server_bridge_pool_start, o->server_bridge_pool_end, o->server_bridge_netmask); + verify_common_subnet("--server-bridge", o->server_bridge_ip, o->server_bridge_pool_end, o->server_bridge_netmask); + } + + o->mode = MODE_SERVER; + o->tls_server = true; + + if (o->server_bridge_defined) + { + o->ifconfig_pool_defined = true; + o->ifconfig_pool_start = o->server_bridge_pool_start; + o->ifconfig_pool_end = o->server_bridge_pool_end; + ifconfig_pool_verify_range(M_USAGE, o->ifconfig_pool_start, o->ifconfig_pool_end); + o->ifconfig_pool_netmask = o->server_bridge_netmask; + push_option(o, print_opt_route_gateway(o->server_bridge_ip, &o->gc), M_USAGE); + } + else if (o->server_bridge_proxy_dhcp && !(o->server_flags & SF_NO_PUSH_ROUTE_GATEWAY)) + { + push_option(o, print_opt_route_gateway_dhcp(&o->gc), M_USAGE); + } } - else + else #endif /* P2MP_SERVER */ - /* - * HELPER DIRECTIVE: - * - * client - * - * EXPANDS TO: - * - * pull - * tls-client - */ - if (o->client) + /* + * HELPER DIRECTIVE: + * + * client + * + * EXPANDS TO: + * + * pull + * tls-client + */ + if (o->client) { - if (o->key_method != 2) - msg (M_USAGE, "--client requires --key-method 2"); + if (o->key_method != 2) + { + msg(M_USAGE, "--client requires --key-method 2"); + } - o->pull = true; - o->tls_client = true; + o->pull = true; + o->tls_client = true; } #endif /* P2MP */ - gc_free (&gc); + gc_free(&gc); } /* 
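Review bot: The bridge branch still tests its two flags with a bitwise OR, `else if (o->server_bridge_defined | o->server_bridge_proxy_dhcp)`, while the conflict check earlier in the same hunk tests the same pair with `||`; the reformat carried the inconsistency over. Both operands appear to be used as booleans so the result is the same today, but `||` states the intent and short-circuits, so the line to change is `else if (o->server_bridge_defined || o->server_bridge_proxy_dhcp)`. The IPv6 block on the new side also keeps a second spacing style (`msg( M_USAGE, ...`, `ASSERT( o->server_netbits_ipv6 <= 112 );`, `push_option( o, "tun-ipv6", M_USAGE );`, the nested `print_in6_addr( add_in6_addr( ... ) )` calls) that every other call in the hunk has been normalized away from, so the file ends up with two conventions. That `ASSERT` is also the only guard between an operator-supplied `--server-ipv6` prefix and the `+ 0x1000` pool base; the surrounding checks report misconfiguration through `msg(M_USAGE, ...)`, and a too-long prefix would presumably be better reported the same way than as an assertion abort, though whether `add_in6_addr` can leave the prefix is not visible here.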
@@ -465,45 +511,51 @@ helper_client_server (struct options *o) * ping-restart 60 */ void -helper_keepalive (struct options *o) +helper_keepalive(struct options *o) { - if (o->keepalive_ping || o->keepalive_timeout) + if (o->keepalive_ping || o->keepalive_timeout) { - /* - * Sanity checks. - */ - if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0) - msg (M_USAGE, "--keepalive parameters must be > 0"); - if (o->keepalive_ping * 2 > o->keepalive_timeout) - msg (M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.", - o->keepalive_timeout, - o->keepalive_ping); - if (o->ping_send_timeout || o->ping_rec_timeout) - msg (M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives."); - - /* - * Expand. - */ - if (o->mode == MODE_POINT_TO_POINT) - { - o->ping_rec_timeout_action = PING_RESTART; - o->ping_send_timeout = o->keepalive_ping; - o->ping_rec_timeout = o->keepalive_timeout; - } + /* + * Sanity checks. + */ + if (o->keepalive_ping <= 0 || o->keepalive_timeout <= 0) + { + msg(M_USAGE, "--keepalive parameters must be > 0"); + } + if (o->keepalive_ping * 2 > o->keepalive_timeout) + { + msg(M_USAGE, "the second parameter to --keepalive (restart timeout=%d) must be at least twice the value of the first parameter (ping interval=%d). A ratio of 1:5 or 1:6 would be even better. Recommended setting is --keepalive 10 60.", + o->keepalive_timeout, + o->keepalive_ping); + } + if (o->ping_send_timeout || o->ping_rec_timeout) + { + msg(M_USAGE, "--keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives."); + } + + /* + * Expand. 
+ */ + if (o->mode == MODE_POINT_TO_POINT) + { + o->ping_rec_timeout_action = PING_RESTART; + o->ping_send_timeout = o->keepalive_ping; + o->ping_rec_timeout = o->keepalive_timeout; + } #if P2MP_SERVER - else if (o->mode == MODE_SERVER) - { - o->ping_rec_timeout_action = PING_RESTART; - o->ping_send_timeout = o->keepalive_ping; - o->ping_rec_timeout = o->keepalive_timeout * 2; - push_option (o, print_str_int ("ping", o->keepalive_ping, &o->gc), M_USAGE); - push_option (o, print_str_int ("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE); - } + else if (o->mode == MODE_SERVER) + { + o->ping_rec_timeout_action = PING_RESTART; + o->ping_send_timeout = o->keepalive_ping; + o->ping_rec_timeout = o->keepalive_timeout * 2; + push_option(o, print_str_int("ping", o->keepalive_ping, &o->gc), M_USAGE); + push_option(o, print_str_int("ping-restart", o->keepalive_timeout, &o->gc), M_USAGE); + } #endif - else - { - ASSERT (0); - } + else + { + ASSERT(0); + } } } @@ -520,20 +572,20 @@ helper_keepalive (struct options *o) * push "socket-flags TCP_NODELAY" */ void -helper_tcp_nodelay (struct options *o) +helper_tcp_nodelay(struct options *o) { #if P2MP_SERVER - if (o->server_flags & SF_TCP_NODELAY_HELPER) + if (o->server_flags & SF_TCP_NODELAY_HELPER) { - if (o->mode == MODE_SERVER) - { - o->sockflags |= SF_TCP_NODELAY; - push_option (o, print_str ("socket-flags TCP_NODELAY", &o->gc), M_USAGE); - } - else - { - o->sockflags |= SF_TCP_NODELAY; - } + if (o->mode == MODE_SERVER) + { + o->sockflags |= SF_TCP_NODELAY; + push_option(o, print_str("socket-flags TCP_NODELAY", &o->gc), M_USAGE); + } + else + { + o->sockflags |= SF_TCP_NODELAY; + } } #endif } |
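Review bot: `if (o->keepalive_ping * 2 > o->keepalive_timeout)` multiplies a configuration-supplied value before comparing it; if `keepalive_ping` is an `int` (it is printed with `%d` two lines below) a very large first `--keepalive` argument overflows the product, which is undefined behaviour in C and can let the ratio check pass. The same accepted range can be expressed without the multiplication, `if (o->keepalive_ping > o->keepalive_timeout / 2)`, which is equivalent for the positive values the preceding `<= 0` check admits, assuming `msg(M_USAGE, ...)` does not return. The server branch has the same shape in `o->ping_rec_timeout = o->keepalive_timeout * 2;`; a bound on `keepalive_timeout` in the sanity-check block, or a wider type for the product, would cover both. helper_keepalive starts and ends inside this hunk.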