Hi Stuart,

> To disable proxy ARP per-interface, I think it would need to be
> exported from the kernel via an ioctl and then exposed by an ifconfig
> option (as is done with the option to disable ARP entirely per-interface).

Yes, of course. This would be the easier task I think. The harder tasks are
the changes in the kernel's routing / ARP code (where to distinguish when to
answer an ARP request and when not).


> Another option is to have a daemon connect to the network via BPF and
> answering ARP requests for you. This avoids the need for kernel changes.
> One such daemon is "choparp".

Very nice hint. At first sight it seems that choparp would be one possible
solution for my problem. Will have a closer look at it.

Thanks a lot,
Hendrik


-----Original Message-----
From: Stuart Henderson [mailto:[email protected]]
Sent: Monday, 23 January 2012 18:37
To: Gerlach, Hendrik
Cc: [email protected]
Subject: Re: Proxy ARP, but network interface specific

On 2012/01/23 17:42, Gerlach, Hendrik wrote:
> I know the man page, but this doesn't help me. Normally Proxy ARP is used at
> a router. But we have the need to use it at a transparent Firewall.

Typically on OpenBSD (and I think all BSDs) transparent firewalls have
been implemented by bridging rather than arp proxy. But I think this
method is not quite what you want.

To do what you're asking for, yes I think code changes are necessary.
Best starting point in the kernel is probably /sys/netinet/if_ether.c.

> > In opposite to Linux it seems to be impossible in OpenBSD to add
> > proxy ARP entries only for a specific network interface (missing
> > option for the ARP command) nor to disable proxy ARP at all for some
> > interfaces (sysctl or ifconfig option).

This is the usual behaviour for BSD-derived OSes.

To disable proxy ARP per-interface, I think it would need to be
exported from the kernel via an ioctl and then exposed by an ifconfig
option (as is done with the option to disable ARP entirely per-interface).

Another option is to have a daemon connect to the network via BPF and
answering ARP requests for you. This avoids the need for kernel changes.
One such daemon is "choparp".
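The per-interface decision logic the thread says a proxy ARP responder needs, as an added Python example (not choparp's code and not OpenBSD kernel code): it parses an ARP request from a raw Ethernet frame, answers only when the request arrived on an interface configured to proxy a prefix covering the target address, and builds the reply frame. The policy table, interface names, MAC and IP addresses are constructed for the example; moving frames in and out via BPF is left out.

```python
import ipaddress
import struct

# Constructed per-interface policy: answer only for these prefixes on the named
# interface. An empty list means proxy ARP is effectively disabled there.
PROXY_POLICY = {
    "em0": [ipaddress.ip_network("192.0.2.0/24")],
    "em1": [],
}
PROXY_MAC = bytes.fromhex("020000000001")  # constructed, locally administered MAC

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 Ethernet/IPv4 ARP body
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an IPv4 ARP request, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return sha, ipaddress.ip_address(spa), ipaddress.ip_address(tpa)


def should_answer(ifname, target_ip, policy=PROXY_POLICY):
    """Per-interface decision: only if this interface proxies a prefix covering target_ip."""
    return any(target_ip in net for net in policy.get(ifname, []))


def build_reply(request_frame, ifname, policy=PROXY_POLICY, our_mac=PROXY_MAC):
    """Unicast ARP reply claiming target_ip with our_mac, or None if we must stay silent."""
    parsed = parse_arp_request(request_frame)
    if parsed is None:
        return None
    sha, spa, tpa = parsed
    if not should_answer(ifname, tpa, policy):
        return None
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, our_mac, tpa.packed, sha, spa.packed)
    return ETH_HDR.pack(sha, our_mac, ETHERTYPE_ARP) + arp


def make_request(sender_mac, sender_ip, target_ip):
    """Constructed broadcast ARP request, used here only as sample input."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                       ipaddress.ip_address(sender_ip).packed, b"\x00" * 6,
                       ipaddress.ip_address(target_ip).packed)
    return ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP) + arp
```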
