[Swan-dev] xauth and proxy arp
Wolfgang Nothdurft
wolfgang at linogate.de
Wed Nov 5 18:47:59 EET 2014
When using modecfg to assign a local IP address to an xauth client, you
have the problem that you can't access local machines because of the
missing ARP answer.
Maybe I missed something, but I didn't find any info on how to solve this
scenario.
So I added a function to _updown.klips.
It checks if the IP address of the peer is locally routed and, if so, adds a
proxy ARP entry.
The check must be done before the eroute is set; otherwise you get the
ipsec device.
I don't know if netkey has the same problem.
One thing to do is maybe to call this function only for xauth connections.
Thanks
Wolfgang
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..08f7335 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
+ doproxyarp add
doroute add
ip route flush cache
}
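Review bot: the ordering in uproute() is load-bearing but undocumented: `doproxyarp add` has to run before `doroute add` because doproxyarp uses `ip route get` to pick the egress interface, and once the route via the ipsec device exists the lookup would return that device instead. The cover mail explains this; the script does not, and the comment right above says this block "requires great care", so add a one-line comment such as `# must precede doroute: the interface lookup would otherwise hit the ipsec device`. Also note that uproute() runs for every connection's route-client event, not only for the xauth/modecfg case the cover mail targets; consider gating the call on that case so site-to-site tunnels do not start publishing proxy ARP entries as a side effect.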
@@ -183,6 +184,7 @@ uproute() {
downroute() {
doroute delete
ip route flush cache
+ doproxyarp delete
}
uprule() {
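Review bot: the teardown path re-derives the interface with a fresh `ip route get` at delete time rather than knowing what was published at add time, so if that lookup fails or answers differently now (the LAN route changed, the interface went down), the `arp -d` is skipped and the published entry survives as a stale proxy ARP answer for an address that is no longer behind the tunnel. Since updown scripts are stateless, the practical fix is to make the delete path best-effort: attempt `arp -d ${PLUTO_PEER_CLIENT_NET} pub` regardless of the route check and tolerate a "no entry" failure. Placing the call after `ip route flush cache` is correct, since the lookup must see the LAN route again once the ipsec route is gone; a comment stating that would match the one requested in uproute().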
@@ -450,6 +452,18 @@ dorule() {
return ${st}
}
+doproxyarp() {
+ # ignore gateway routes
+ if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+ iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+ macaddr=$(cat /sys/class/net/${iface}/address)
+ if [ $1 == "add" ]; then
+ arp -i $iface -s ${PLUTO_PEER_CLIENT_NET} ${macaddr} pub
+ else
+ arp -i $iface -d ${PLUTO_PEER_CLIENT_NET} pub
+ fi
+ fi
+}
doroute() {
st=0
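Review bot: `if [ $1 == "add" ]; then` is a bashism; unless this file is guaranteed to run under bash, `[` rejects `==` with "unexpected operator" and every call falls into the delete branch, so use `[ "$1" = add ]`. The route test `grep -qs -v via` also reads backwards: `grep -v` succeeds whenever any line lacks "via", which happens to be equivalent here only because `ip -o route get` prints a single line; `! grep -q via` states the intent and lets you run `ip route get` once and reuse the output for the `awk '{print $3}'` field extraction instead of calling it twice. That extraction assumes the reply has the shape `ADDR dev IFACE ...`; a reply of the form `local ADDR dev lo` (peer client equal to one of the gateway's own addresses) would set iface to the literal `dev`, so check the field or skip that case. Since the script already depends on iproute2, `ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}` and `ip neigh del proxy ...` would do the same job without requiring net-tools `arp` or reading the MAC address from sysfs. Finally, the helper only makes sense when PLUTO_PEER_CLIENT_NET is a single host; for a real subnet the single pub entry covers only the network address, so either gate on the /32 case or document the limitation.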
@@ -522,7 +536,6 @@ doroute() {
return ${st}
}
-
# the big choice
case "${PLUTO_VERB}:${1}" in
prepare-host:*|prepare-client:*)
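Review bot: this hunk only removes a blank line before `# the big choice` and is unrelated to the proxy ARP change; drop it from the patch (or send it as a separate whitespace cleanup) so the diff stays focused and reviewable.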