[Swan-dev] xauth and proxy arp

Wolfgang Nothdurft wolfgang at linogate.de
Wed Nov 5 18:47:59 EET 2014


When using modecfg to assign a local IP address to an xauth client, you 
have the problem that you can't access local machines, because of the 
missing ARP answer.

Maybe I missed something, but I didn't find any info on how to solve this 
scenario.

So I added a function to _updown.klips.

It checks if the IP address of the peer is locally routed and if so adds a 
proxy ARP entry.
The check must be done before the eroute is set, otherwise the lookup 
returns the ipsec device.

I don't know, if netkey has the same problem.

One remaining to-do is perhaps to call this function only for xauth connections.

Thanks
Wolfgang
-------------- next part --------------
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..08f7335 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
+    doproxyarp add
     doroute add
     ip route flush cache
 }
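Review bot: The placement of `doproxyarp add` ahead of `doroute add` in uproute is deliberate per the description (the route lookup has to happen before the eroute exists, or it answers with the ipsec device), but nothing in the code records that, so a later reordering would silently break the proxy ARP setup. Add a why-comment above the call, e.g. `# must precede doroute: once the eroute exists, 'ip route get' answers with the ipsec device`. The downroute hunk has the mirror-image ordering (delete after the route is gone) and deserves the matching comment.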
@@ -183,6 +184,7 @@ uproute() {
 downroute() {
     doroute delete
     ip route flush cache
+    doproxyarp delete
 }
 
 uprule() {
@@ -450,6 +452,18 @@ dorule() {
     return ${st}
 }
 
+doproxyarp() {
+   # ignore gateway routes
+    if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+      iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+      macaddr=$(cat /sys/class/net/${iface}/address)
+      if [ $1 == "add" ]; then
+           arp -i $iface -s ${PLUTO_PEER_CLIENT_NET} ${macaddr} pub
+      else
+           arp -i $iface -d ${PLUTO_PEER_CLIENT_NET} pub
+      fi
+    fi
+}
 
 doroute() {
     st=0
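Review bot: Every expansion in the new doproxyarp is unquoted and the `[ $1 == "add" ]` test uses `==`, which `test` under a plain /bin/sh does not accept and which misbehaves when $1 is empty; these values come from pluto's environment and are handed to arp as root, so quote them and compare with `=`. The function also publishes an ARP entry for any locally routed PLUTO_PEER_CLIENT_NET rather than only the single address a modecfg client receives, and it runs `ip -o route get` twice; gating on PLUTO_PEER_CLIENT_MASK being 255.255.255.255 (the "only for xauth" to-do in the description) and matching the one route line with `case` addresses both. A header comment is missing as well; something like `# publish a proxy ARP entry for a modecfg client address that lives on a directly attached subnet, so local hosts can reach it` would tell the next reader why this exists. The rewrite below keeps the add/delete interface.
```shell
doproxyarp() {
    # Publish a proxy ARP entry for a modecfg client address that lives on a
    # directly attached subnet, so local hosts can reach it. Only host routes
    # (mask 255.255.255.255) qualify; gateway routes are ignored.
    [ "${PLUTO_PEER_CLIENT_MASK}" = "255.255.255.255" ] || return 0
    route=$(ip -o route get "${PLUTO_PEER_CLIENT_NET}" 2>/dev/null) || return 0
    case "${route}" in
        *" via "*) return 0 ;;
    esac
    iface=$(printf '%s\n' "${route}" | awk '{print $3}')
    macaddr=$(cat "/sys/class/net/${iface}/address") || return 1
    if [ "$1" = "add" ]; then
        arp -i "${iface}" -s "${PLUTO_PEER_CLIENT_NET}" "${macaddr}" pub
    else
        arp -i "${iface}" -d "${PLUTO_PEER_CLIENT_NET}" pub
    fi
}
```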
@@ -522,7 +536,6 @@ doroute() {
     return ${st}
 }
 
-
 # the big choice
 case "${PLUTO_VERB}:${1}" in
     prepare-host:*|prepare-client:*)

