[Swan-dev] xauth and proxy arp

[Wolfgang Nothdurft]

Am 28.04.2015 um 13:23 schrieb Tuomo Soini:
> On Wed, 05 Nov 2014 17:47:59 +0100
> Wolfgang Nothdurft <wolfgang at linogate.de> wrote:
>
>> When using modecfg to assign a local ip address to a xauth client,
>> you have the problem that you can't access local machines, because of
>> the missing arp answer.
>>
>> Maybe I missed something, but I don't found any info, how to solve
>> this scenario.
>>
>> So I added a function to _updown.klips.
>>
>> It checks if the ip address of the peer is local routed and if so
>> adds a proxy arp entry.
>> The check must be done before the eroute is set, otherwise you get
>> the ipsec device.
>>
>> I don't know, if netkey has the same problem.
>>
>> One thing todo is maybe to call this function only with xauth
>> connections.
>
> Wolfgang, could you test this modified patch, I converted it to use
> iproute2 instead of legacy arp command. But you have ready test
> setup so I'd like to hear your comments before we apply this and try to
> create a test case. Another question is: you used
>

This worked, but I added an extra Test for empty mac addresses (non 
ethernet devices).

For example if your default route points to ppp0.

I found no way to catch this with the ip route get command itself.

 > ${PLUTO_PEER_CLIENT_NET} - shouldn't that be ${PLUTO_PEER}?

The proxy arp entry is for the local address the client gets.

When your local net is 192.186.0.0/24 and the client for example gets an 
ip adress from this range, you need a proxy arp entry to communicate 
with other local clients.

The script check if the client ip is routable on local ethernet devices 
and add a proxy arp entry.

Normally this is PLUTO_PEER_CLIENT, but PLUTO_PEER_CLIENT_NET has the 
correct ip without /32 mask.

Wolfgang
-------------- next part --------------
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..1c85e47 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
 # utility functions for route manipulation
 # Meddling with this stuff should not be necessary and requires great care.
 uproute() {
+    doproxyarp add
     doroute add
     ip route flush cache
 }
@@ -183,6 +184,7 @@ uproute() {
 downroute() {
     doroute delete
     ip route flush cache
+    doproxyarp delete
 }
 
 uprule() {
@@ -450,6 +452,22 @@ dorule() {
     return ${st}
 }
 
+doproxyarp() {
+    # check if client is routeable local
+    if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+	iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+	macaddr=$(cat /sys/class/net/${iface}/address)
+	# add/remove arp entry for the client on ethernet devices only
+	if [ "${macaddr}" ]; then
+	    if [ $1 == "add" ]; then
+		ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
+		    lladdr ${macaddr} nud permanent
+	    else
+		ip neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
+	    fi
+	fi
+    fi
+}
 
 doroute() {
     st=0