Abort in case of unexpected default route

This is a common misconfiguration that may break internet acces for other peers. We also stop checking for child process termination when used without tunnel manager (i.e. with --client or --client-count=0) because it conflicts with the 'ip route' command that is called every minute if --table=0 is used. Anyway, with a tunnel manager, only openvpn client are watched.

Abort in case of unexpected default route
This is a common misconfiguration that may break internet acces for other peers. We also stop checking for child process termination when used without tunnel manager (i.e. with --client or --client-count=0) because it conflicts with the 'ip route' command that is called every minute if --table=0 is used. Anyway, with a tunnel manager, only openvpn client are watched.
eba6c762 · Julien Muchembled · c1749ede · eba6c762 · eba6c762 · eba6c762
Commit eba6c762 authored May 13, 2013 by Julien Muchembled
13 changed files
--- a/TODO
+++ b/TODO
@@ -25,3 +25,6 @@
 - Is it useful that each node regenerates its own DH parameter ?
 - Filter non-routable IPs. Add an option not to do it.
+- Abort in case of import child process failure (babel, openvpn server,
+  openvpn client if run with --client).
\ No newline at end of file
--- a/demo/demo
+++ b/demo/demo
@@ -194,7 +194,7 @@ if 1:
            p.communicate(str(token[0]))
            os.remove(dh_path)
            os.remove(folder + '/ca.crt')
-        node.screen('../re6stnet @%s/re6stnet.conf --table 0 -v%u --registry %s %s'
+        node.screen('../re6stnet @%s/re6stnet.conf -v%u --registry %s %s'
                    % (folder, VERBOSE, registry, args))
    re6stnet(registry, 'registry', '--ip ' + REGISTRY, registry='http://localhost/')
    re6stnet(machine1, 'm1', '-I%s' % m1_if_0.name)

--- a/demo/m1/re6stnet.conf
+++ b/demo/m1/re6stnet.conf
@@ -7,5 +7,6 @@ dh dh2048.pem
 ca ca.crt
 cert m1/cert.crt
 key m1/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
--- a/demo/m2/re6stnet.conf
+++ b/demo/m2/re6stnet.conf
@@ -7,5 +7,6 @@ dh dh2048.pem
 ca ca.crt
 cert m2/cert.crt
 key m2/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
--- a/demo/m3/re6stnet.conf
+++ b/demo/m3/re6stnet.conf
@@ -7,5 +7,6 @@ dh dh2048.pem
 ca ca.crt
 cert m3/cert.crt
 key m3/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
--- a/demo/m4/re6stnet.conf
+++ b/demo/m4/re6stnet.conf
@@ -7,5 +7,6 @@ dh dh2048.pem
 ca ca.crt
 cert m4/cert.crt
 key m4/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
--- a/demo/m5/re6stnet.conf
+++ b/demo/m5/re6stnet.conf
@@ -5,5 +5,6 @@ hello 4
 ca ca.crt
 cert m5/cert.crt
 key m5/cert.key
+table 0
 client-count 0
 max-clients 0
--- a/demo/m6/re6stnet.conf
+++ b/demo/m6/re6stnet.conf
@@ -7,6 +7,7 @@ dh dh2048.pem
 ca ca.crt
 cert m6/cert.crt
 key m6/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
 # TODO: Run a DHCPv4 client on machine9. Unfortunately, isc-dhcp-client 4.2.4

--- a/demo/m7/re6stnet.conf
+++ b/demo/m7/re6stnet.conf
@@ -7,5 +7,6 @@ dh dh2048.pem
 ca ca.crt
 cert m7/cert.crt
 key m7/cert.key
+table 0
 client-count 2
 tunnel-refresh 100
--- a/demo/m8/re6stnet.conf
+++ b/demo/m8/re6stnet.conf
@@ -5,4 +5,5 @@ hello 4
 ca ca.crt
 cert m8/cert.crt
 key m8/cert.key
+table 0
 client 10.0.1.2,1194,udp;10.0.1.3,1194,udp
--- a/demo/registry/re6stnet.conf
+++ b/demo/registry/re6stnet.conf
@@ -6,5 +6,6 @@ dh dh2048.pem
 ca ca.crt
 cert registry/cert.crt
 key registry/cert.key
+gateway
 client-count 2
 tunnel-refresh 100
--- a/re6st/utils.py
+++ b/re6st/utils.py
 import argparse, calendar, errno, logging, os, shlex, signal, socket
-import struct, subprocess, textwrap, threading, time
+import struct, subprocess, sys, textwrap, threading, time, traceback
 logging_levels = logging.WARNING, logging.INFO, logging.DEBUG, 5
@@ -44,6 +44,10 @@ def setupLog(log_level, filename=None, **kw):
    logging.addLevelName(5, 'TRACE')
    logging.trace = lambda *args, **kw: logging.log(5, *args, **kw)
+def log_exception():
+    f = traceback.format_exception(*sys.exc_info())
+    logging.error('%s%s', f.pop(), ''.join(f))
 class HelpFormatter(argparse.ArgumentDefaultsHelpFormatter):

--- a/re6stnet
+++ b/re6stnet
 #!/usr/bin/python
 import atexit, errno, logging, os, select, signal
-import sqlite3, subprocess, sys, time, traceback
+import sqlite3, subprocess, sys, time, threading
 from collections import deque
 from OpenSSL import crypto
 from re6st import db, plib, tunnel, utils
@@ -65,12 +65,14 @@ def getConfig():
             " hello interval for Babel to re-establish connection with a"
             " node for which the direct connection has been cut.")
    _('--table', type=int, default=42,
-        help="Use given table id. Set 0 to use the main table, if:\n"
+        help="Use given table id. Set 0 to use the main table, if you want to"
-             "- you are a gateway of this network (the default route will be"
+             " access internet via this network (in this case, make sure you"
-             "  exported)\n"
+             " don't already have a default route). Don't use this option with"
-             "- or you want to use the default route of this network for all"
+             " --gateway (main table is automatically used).")
-             " communications (in this case, make sure you don't already have"
+    _('--gateway', action='store_true',
-             " a default route).\n")
+        help="Act as a gateway for this network (the default route will be"
+             " exported). Do never use it if you don't know what it means.")
    _ = parser.add_argument_group('tunnelling').add_argument
    _('-O', dest='openvpn_args', metavar='ARG', action='append', default=[],
        help="Extra arguments to forward to both server and client OpenVPN"
@@ -319,7 +321,9 @@ def main():
            if_rt[4] = my_subnet
            cleanup.append(lambda: subprocess.call(if_rt))
            x = [my_network]
-            if config.table:
+            if config.gateway:
+                config.table = 0
+            elif config.table:
                x += 'table', str(config.table)
                try:
                    ip('rule', 'from', *x)
@@ -333,6 +337,25 @@ def main():
                call(if_rt)
                if_rt += x[1:]
                call(if_rt[:3] + ['add', 'proto', 'static'] + if_rt[4:])
+            else:
+                def check_no_default_route():
+                    try:
+                        while True:
+                            for route in call(('ip', '-6', 'route', 'show',
+                                               'default')).splitlines():
+                                if ' proto 42 ' not in route:
+                                    logging.fatal("Detected default route (%s)"
+                                        " whereas you specified --table=0."
+                                        " Fix your configuration.", route)
+                                    return
+                            time.sleep(60)
+                    except:
+                        utils.log_exception()
+                    finally:
+                        exit(1)
+                t = threading.Thread(target=check_no_default_route)
+                t.daemon = True
+                t.start()
            ip('route', 'unreachable', *x)
            config.babel_args += config.iface_list
@@ -350,10 +373,6 @@ def main():
            # main loop
            if tunnel_manager is None:
-                t = threading.Thread(target=lambda:
-                    exit(os.WEXITSTATUS(os.wait()[1])))
-                t.daemon = True
-                t.start()
                time.sleep(max(0, next_renew - time.time()))
                raise ReexecException("Restart to renew certificate")
            cleanup += tunnel_manager.delInterfaces, tunnel_manager.killAll
@@ -393,8 +412,7 @@ def main():
    except KeyboardInterrupt:
        return 0
    except Exception:
-        f = traceback.format_exception(*sys.exc_info())
+        utils.log_exception()
-        logging.error('%s%s', f.pop(), ''.join(f))
        sys.exit(1)
    try:
        sys.exitfunc()