> I suppose that this is what the concept of an External Network Modifier (ENM)
> is meant to be - but now that I think about it, I don't know if nwamd
> would behave any differently if an ENM was active that did similar things to
> punchin... Especially when it comes to the DNS information and the Automatic
> Location profile, but I'm no expert on the inner workings of nwamd.

You can think of punchin (or any VPN) as being a separate location when you are connected. The tunnel or lack thereof shouldn't really matter, it is more the state of being connected to a VPN that changes your routing and name service status. Also, outside the realm of punchin and Cisco VPN at Sun, which default to "everything must go through the tunnel or gets dropped", with some VPN implementations you can have split tunnels as well, where you only go through the tunnel for company resources and continue to use outside name servers and routes for other access.

On punchin, currently the name service information is in a text file on the system that is used to construct the various files. It just consists of shell style variables. That's just an implementation detail. It could very easily construct a "punchin" location on the fly and populate that and activate it as need-be.

On Linux we use "resolvconf" when available, which is a more system-wide method for dealing with resolv.conf so apps don't step on each other. On MacOS, we use the name service API to override the various settings for routing and nameservices. I assume that NWAM phase 1 has a similar methodology, but I haven't looked at what you're doing.

The other thing we've done with punchin and DHCP, outside the scope of NWAM, is to have a dhcp eventhook file to make certain DHCP events not happen, like adding back in the original default route. With IPS packaging, there is no way to do postinstall, so no way to shoehorn it in, so you have to copy it in manually now.

/usr/local/etc/punchin/eventhook.example -> /etc/dhcp/eventhook

I don't know if the new NWAM phase 1 stuff allows swapping eventhook files in and out, but that might help as well.

-Paul
