On Wed, 05 Nov 2014 17:47:59 +0100
Wolfgang Nothdurft <[email protected]> wrote:
> When using modecfg to assign a local ip address to a xauth client,
> you have the problem that you can't access local machines, because of
> the missing arp answer.
>
> Maybe I missed something, but I didn't find any info on how to solve
> this scenario.
>
> So I added a function to _updown.klips.
>
> It checks if the ip address of the peer is local routed and if so
> adds a proxy arp entry.
> The check must be done before the eroute is set, otherwise you get
> the ipsec device.
>
> I don't know, if netkey has the same problem.
>
> One thing todo is maybe to call this function only with xauth
> connections.
Wolfgang, could you test this modified patch? I converted it to use
iproute2 instead of the legacy arp command. But you have a ready test
setup, so I'd like to hear your comments before we apply this and try to
create a test case. Another question is: you used
${PLUTO_PEER_CLIENT_NET} - shouldn't that be ${PLUTO_PEER}?
--
Tuomo Soini <[email protected]>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
diff --git a/programs/_updown.klips/_updown.klips.in b/programs/_updown.klips/_updown.klips.in
index 7f18298..9b0782a 100644
--- a/programs/_updown.klips/_updown.klips.in
+++ b/programs/_updown.klips/_updown.klips.in
@@ -176,6 +176,7 @@ esac
# utility functions for route manipulation
# Meddling with this stuff should not be necessary and requires great care.
uproute() {
+ doproxyarp add
doroute add
ip route flush cache
}
@@ -183,6 +184,7 @@ uproute() {
downroute() {
doroute delete
ip route flush cache
+ doproxyarp delete
}
uprule() {
@@ -450,6 +452,19 @@ dorule() {
return ${st}
}
+doproxyarp() {
+ # ignore gateway routes
+ if ip -o route get ${PLUTO_PEER_CLIENT_NET} | grep -qs -v via; then
+ iface=$(ip -o route get ${PLUTO_PEER_CLIENT_NET} | awk '{print $3}')
+ macaddr=$(cat /sys/class/net/${iface}/address)
+ if [ $1 == "add" ]; then
+ ip neigh add proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface} \
+ lladdr ${macaddr} nud permanent
+ else
+ ip neigh del proxy ${PLUTO_PEER_CLIENT_NET} dev ${iface}
+ fi
+ fi
+}
doroute() {
st=0
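Review bot: `[ $1 == "add" ]` in the added `doproxyarp` uses the bash-only `==` test operator; if this script runs under a POSIX /bin/sh such as dash, that test fails with "unexpected operator" and the `if` falls through to the else branch, so `doproxyarp add` would end up running `ip neigh del` — use `[ "$1" = "add" ]`. The interface lookup `awk '{print $3}'` assumes `dev` is always the second word of the `ip -o route get` output, which is not the case for every route type (a `local` route, for instance, shifts the fields), and no failure of `ip`, `awk` or `cat` is checked, so an empty `${iface}` or `${macaddr}` silently produces a malformed `ip neigh add ... lladdr` call with nothing in the return status. Picking the word that follows `dev`, quoting the expansions and bailing out on empty intermediate values is more robust; a sketch follows. Because a permanent proxy entry makes this host answer ARP for that address on the LAN, it may additionally be worth only adding it when the peer client is a single host (the script exposes `${PLUTO_PEER_CLIENT_MASK}` alongside `${PLUTO_PEER_CLIENT_NET}`), so a subnet client never gets a proxy entry for its network address — offered as a suggestion, since only the `_NET` variable is visible in this hunk.
```shell
doproxyarp() {
	# Resolve the route once; a gateway route ("via") needs no proxy ARP.
	route=$(ip -o route get "${PLUTO_PEER_CLIENT_NET}" 2>/dev/null) || return 1
	case "${route}" in
	*" via "*) return 0 ;;
	esac
	# Take the word after "dev" rather than a fixed field position.
	iface=$(echo "${route}" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')
	[ -n "${iface}" ] || return 1
	if [ "$1" = "add" ]; then
		macaddr=$(cat "/sys/class/net/${iface}/address") || return 1
		[ -n "${macaddr}" ] || return 1
		ip neigh add proxy "${PLUTO_PEER_CLIENT_NET}" dev "${iface}" \
			lladdr "${macaddr}" nud permanent
	else
		ip neigh del proxy "${PLUTO_PEER_CLIENT_NET}" dev "${iface}"
	fi
}
```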
@@ -522,7 +537,6 @@ doroute() {
return ${st}
}
-
# the big choice
case "${PLUTO_VERB}:${1}" in
prepare-host:*|prepare-client:*)