[Swan-dev] xauth and proxy arp
Wolfgang Nothdurft
wolfgang at linogate.de
Wed Apr 29 11:58:53 EEST 2015
On 28.04.2015 at 13:23, Tuomo Soini wrote:
> On Wed, 05 Nov 2014 17:47:59 +0100
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>
>> When using modecfg to assign a local ip address to a xauth client,
>> you have the problem that you can't access local machines, because of
>> the missing arp answer.
>>
>> Maybe I missed something, but I didn't find any info on how to solve
>> this scenario.
>>
>> So I added a function to _updown.klips.
>>
>> It checks if the ip address of the peer is locally routed and if so
>> adds a proxy arp entry.
>> The check must be done before the eroute is set, otherwise you get
>> the ipsec device.
>>
>> I don't know, if netkey has the same problem.
>>
>> One thing to do is maybe to call this function only with xauth
>> connections.
>
> Wolfgang, could you test this modified patch? I converted it to use
> iproute2 instead of the legacy arp command. But you have a ready test
> setup, so I'd like to hear your comments before we apply this and try to
> create a test case. Another question is: you used
>
This worked, but I added an extra test for empty mac addresses (non
ethernet devices).
For example if your default route points to ppp0.
I found no way to catch this with the ip route get command itself.
> ${PLUTO_PEER_CLIENT_NET} - shouldn't that be ${PLUTO_PEER}?
The proxy arp entry is for the local address the client gets.
When your local net is 192.186.0.0/24 and the client for example gets an
ip address from this range, you need a proxy arp entry to communicate
with other local clients.
The script checks if the client ip is routable on local ethernet devices
and adds a proxy arp entry.
Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the
correct ip without /32 mask.
Wolfgang
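As an added example (not Wolfgang's code and not the libreswan _updown script), here is a POSIX sh version of the decision the patch makes, written so it can be exercised offline on constructed `ip -o route get` lines: it skips gateway routes and local addresses, takes the device from the `dev` token rather than a fixed field position, and treats an empty or all-zero hardware address as a non-ethernet device. The function names `proxy_arp_iface` and `proxy_arp_cmd` and the SAMPLE_* lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide whether a modecfg-assigned client address
# needs a proxy ARP entry. No real `ip` calls are made; the route
# lines below are constructed to look like `ip -o route get ADDR`.
SAMPLE_ETH='192.168.0.77 dev eth0 src 192.168.0.1 \    cache'
SAMPLE_GW='10.9.8.7 via 192.168.0.254 dev eth0 src 192.168.0.1 \    cache'
SAMPLE_PPP='10.9.8.7 dev ppp0 src 10.9.8.1 \    cache'
SAMPLE_LO='local 192.168.0.1 dev lo src 192.168.0.1 \    cache'

# proxy_arp_iface ROUTE_LINE MACADDR
#   ROUTE_LINE: one line of `ip -o route get CLIENT`
#   MACADDR:    contents of /sys/class/net/DEV/address (may be empty)
# Prints the device a proxy entry belongs on and returns 0, or prints
# nothing and returns 1 when no proxy ARP entry is warranted.
proxy_arp_iface() {
    line="$1" macaddr="$2"
    # A gateway route means the client is not on a local segment; a
    # "local" answer means the address is our own. Neither needs proxy ARP.
    case " $line " in
        *" via "*) return 1 ;;
        " local "*) return 1 ;;
    esac
    # Take the token after "dev" instead of relying on field 3.
    dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    [ -n "$dev" ] || return 1
    # ppp0 reports an empty address file, loopback reports all zeros;
    # only an ethernet-like device should receive a proxy entry.
    case "$macaddr" in
        ""|00:00:00:00:00:00) return 1 ;;
    esac
    printf '%s\n' "$dev"
}

# proxy_arp_cmd add|delete CLIENT DEV
# Prints the iproute2 command to run (dry run). A proxy neighbour entry
# is identified by address and device only, so no lladdr is passed.
proxy_arp_cmd() {
    case "$1" in
        add)    printf 'ip neigh add proxy %s dev %s\n' "$2" "$3" ;;
        delete) printf 'ip neigh del proxy %s dev %s\n' "$2" "$3" ;;
        *)      return 2 ;;
    esac
}

# Dry-run demo on the constructed samples.
if dev=$(proxy_arp_iface "$SAMPLE_ETH" "00:11:22:33:44:55"); then
    proxy_arp_cmd add 192.168.0.77 "$dev"
fi
```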
-------------- next part --------------
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..1c85e47 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
+ doproxyarp add
doroute add
ip route flush cache
}
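Review bot: `doproxyarp add` now runs for every connection that comes up, not only the xauth/modecfg ones the mail is about, and the mail itself lists restricting it as an open point; consider guarding the call so it only runs for those connections. The ordering is also load-bearing, because the mail explains that after the eroute is set `ip route get` resolves the client to the ipsec device, so a comment above `doproxyarp add` saying it must precede `doroute add` would stop a later reordering.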
@@ -183,6 +184,7 @@ uproute() {
downroute() {
doroute delete
ip route flush cache
+ doproxyarp delete
}
uprule() {
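Review bot: the delete is placed after `doroute delete`, the mirror image of the add, presumably so that `ip route get` again resolves to the physical interface once the eroute is gone; that intent is not visible from the hunk and deserves a comment. Note also that if the route lookup at teardown yields a different interface than it did at setup, the proxy entry on the original interface is left behind.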
@@ -450,6 +452,22 @@ dorule() {
return ${st}
}
+doproxyarp() {
+ # check if client is routeable local
+ if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+ iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+ macaddr=$(cat /sys/class/net/${iface}/address)
+ # add/remove arp entry for the client on ethernet devices only
+ if [ "${macaddr}" ]; then
+ if [ $1 == "add" ]; then
+ ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
+ lladdr ${macaddr} nud permanent
+ else
+ ip neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
+ fi
+ fi
+ fi
+}
doroute() {
st=0
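Review bot: `[ $1 == "add" ]` uses a bash-only operator with an unquoted operand; write `[ "$1" = "add" ]` for a `/bin/sh` script. The same `ip -o route get` is run twice and the device is taken as positional field 3, which only holds for the exact `ADDR dev IFACE ...` output; capture the output once, extract the token after `dev`, and skip the `local ... dev lo` case (loopback reports a non-empty all-zero address, so the MAC test does not exclude it). Quote `${PLUTO_PEER_CLIENT_NET}` and `${iface}`, and consider dropping `lladdr ${macaddr} nud permanent`: a proxy neighbour entry is keyed on address and device only, so the sysfs address serves purely as the ethernet check, which the comment should say.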