Hi Sven,

> If I replace the JUMP with your NOP-JUMP, the gateway responds to the
> arp request. The arp request has a length of 60 (and not 28) bytes if I
> interpret the wireshark dump right (see attachment).

Maybe your kernel passes up the Ethernet trailer, too. Try the attached
patch, it accepts larger packets, but trims the trailer.

> Is there a simple way to find out which value BPF_LEN has?

I don't think so, unless you pass the complete packet to userspace.

Regards
Martin

>From 7a628c2adbcf075565fc7644c8326242cffb9905 Mon Sep 17 00:00:00 2001 From: Martin Willi <[email protected]> Date: Wed, 2 Jun 2010 10:05:43 +0200 Subject: [PATCH] Accept ARP requests with an ethernet trailer, but trim it --- src/libcharon/plugins/farp/farp_spoofer.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 29e64e3..20bb44f 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c @@ -156,8 +156,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener) BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3), BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1), - BPF_STMT(BPF_RET+BPF_A, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, sizeof(arp_t), 0, 1), + BPF_STMT(BPF_RET+BPF_K, sizeof(arp_t)), BPF_STMT(BPF_RET+BPF_K, 0), }; struct sock_fprog arp_request_filter = { -- 1.7.0.4
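
Review bot: replacing the literal 28 with sizeof(arp_t) in both the BPF_JGE compare and the BPF_RET+BPF_K return only keeps the old minimum length if arp_t is laid out as exactly 28 bytes; with any padding in the struct, the filter would reject trailer-less 28-byte requests that the previous BPF_JEQ accepted. A compile-time assertion on sizeof(arp_t) next to the filter array would pin that down. The two changed lines also deserve a short comment saying that longer frames are accepted and truncated to the ARP payload, since right now only the commit subject states it.
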
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
