uamanyip patch

wlan at mac.com wlan at mac.com
Fri Apr 4 05:22:48 UTC 2008


Hi Gunther,

I will definitely give it a look, thanks!

Are you already using this code in a live network?

Btw, if you (or anyone) wants to directly help out chilli, send me  
over a htpasswd (using md5) generated username/password and I'll set  
you up.

Cheers,
David

On Apr 4, 2008, at 12:07 AM, Gunther Mayer wrote:

> Hi David,
>
> I've recently tried out the uamanyip option in coova and was very  
> pleased at how well it works. I want to use it all the time in  
> future across our network to simplify troubleshooting, should save  
> a couple of support calls ;-)
>
> However, I found a very annoying side effect of uamanyip: It spoofs  
> ARP requests for just about anything. While that's the point of  
> uamanyip, it makes it impossible to have other devices such as  
> access points that you have to access for management purposes on  
> the chilli network. Say chilli listens on 192.168.182.1 and there's  
> another access point with static ip 192.168.182.2 (of course not  
> part of the dynip range) to increase wireless coverage. As soon as  
> anybody tries to ping or otherwise access 192.168.182.2, chilli  
> will immediately claim it through ARP before the real device has  
> a chance to answer - it creates a race condition. Putting such  
> devices on entirely different subnets makes no difference as their  
> IPs will be stolen too. The only, though somewhat ugly, way I found  
> around that was to clear the arp cache on my client and then force  
> a mapping with arp -s.
>
> So, I thought wouldn't it be cool to let chilli ignore arp requests  
> for anything other than itself but only on its own subnet. Anything  
> else will still be caught and spoofed as usual. Hence I came up  
> with the below patch, I created it against 1.0.11-stable but  
> applying it to svn (r161) proved trivial, as it's a very short patch.
>
> I think this should be done by default as it allows devices on the  
> chilli subnet to talk to each other properly (of course for real  
> isolation one would use something like ebtables or a/p isolation).  
> But of course the patch could be extended to make this optional  
> (uamanyipignorelan?) if people wanted to keep the current  
> behaviour. Thoughts?
>
> Gunther
>
> Index: dhcp.c
> ===================================================================
> --- dhcp.c      (revision 161)
> +++ dhcp.c      (working copy)
> @@ -2595,6 +2595,14 @@
>       return 0; /* Only reply if he asked for his router address */
>     }
>   }
> +  else if ((taraddr.s_addr != options.dhcplisten.s_addr) &&
> +        ((conn->hisip.s_addr & conn->hismask.s_addr) ==
> +        (reqaddr.s_addr & conn->hismask.s_addr))) {
> +    /* when uamanyip is on we should ignore arp requests that ARE  
> within our subnet except of course the ones for ourselves*/
> +    if (options.debug)
> +      log_dbg("ARP: request for ip other than us within our subnet 
> (uamanyip on), ignoring");
> +    return 0;
> +  }
>   conn->lasttime = mainclock;
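Review bot: the new else-if compares the requested address against the listen address using `taraddr`, but the subnet-membership test uses `reqaddr` (`(reqaddr.s_addr & conn->hismask.s_addr)`); unless both variables hold the same address, the mask comparison is made on the requester rather than on the address being asked for, which is not what the comment ("ignore arp requests that ARE within our subnet") describes, so confirm whether it should read `taraddr.s_addr & conn->hismask.s_addr`. Two smaller points: the comment and the `log_dbg` string literal are wrapped across lines by the mail client and will not compile as pasted, so rejoin them before applying; and the branch drops the request with no non-debug log or counter, so an operator chasing the ARP race described above cannot tell that chilli is deliberately staying silent unless `options.debug` is set.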
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>
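The decision the patch implements, written out as a small stand-alone C function so the intended behaviour can be checked against the cases in the thread (chilli's own address is always claimed, another address on the client's subnet is left to its real owner, and an off-subnet address is still claimed, which is why moving the access point to a different subnet does not help). This is an added illustration, not CoovaChilli code; `should_answer_arp` and the sample addresses are assumptions chosen for the example, and the 192.168.182.0/24 addresses mirror the ones in the message above.

```c
#include <arpa/inet.h>
#include <stdio.h>

/* Hypothetical helper (not CoovaChilli's own code): decide whether a
 * uamanyip-style proxy-ARP responder should answer an ARP request for
 * target address `tpa`, given chilli's listen address and the
 * requesting client's own address and netmask.
 * Returns 1 = answer (claim the address), 0 = stay silent, -1 = bad input. */
int should_answer_arp(const char *tpa, const char *listen_ip,
                      const char *client_ip, const char *client_mask)
{
    struct in_addr t, l, c, m;

    if (inet_pton(AF_INET, tpa, &t) != 1 ||
        inet_pton(AF_INET, listen_ip, &l) != 1 ||
        inet_pton(AF_INET, client_ip, &c) != 1 ||
        inet_pton(AF_INET, client_mask, &m) != 1)
        return -1;                      /* unparsable address or mask */

    if (t.s_addr == l.s_addr)
        return 1;                       /* always claim our own address */

    /* Target lies on the client's own subnet: leave it to the real owner
     * so that devices like a management-only access point stay reachable. */
    if ((t.s_addr & m.s_addr) == (c.s_addr & m.s_addr))
        return 0;

    return 1;                           /* off-subnet: claim it (uamanyip) */
}

int main(void)
{
    /* constructed sample: client 192.168.182.10/24, chilli at .1, AP at .2 */
    const char *cases[] = { "192.168.182.1", "192.168.182.2", "10.1.2.3" };
    for (int i = 0; i < 3; i++)
        printf("%-15s -> %d\n", cases[i],
               should_answer_arp(cases[i], "192.168.182.1",
                                 "192.168.182.10", "255.255.255.0"));
    return 0;
}
```

Running it prints 1 for chilli's own address, 0 for the access point on the same /24, and 1 for the off-subnet address, matching the three situations described in the message.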



