uamanyip patch
lc
chilli at silverserver.at
Fri Apr 4 05:10:09 UTC 2008
Hi,
This is an interesting point. I use a different subnet to have access
to access points on the chilli network. So I think the suggested
uamanyipignorelan option would be excellent if the network to be
ignored could be defined.
Cheers,
lc
On 04.04.2008 at 00:07, Gunther Mayer wrote:
> Hi David,
>
> I've recently tried out the uamanyip option in coova and was very
> pleased at how well it works. I want to use it all the time in
> future across our network to simplify troubleshooting, should save a
> couple of support calls ;-)
>
> However, I found a very annoying side effect of uamanyip: It spoofs
> ARP requests for just about anything. While that's the point of
> uamanyip, it makes it impossible to have other devices such as
> access points that you have to access for management purposes on the
> chilli network. Say chilli listens on 192.168.182.1 and there's
> another access point with static ip 192.168.182.2 (of course not
> part of the dynip range) to increase wireless coverage. As soon as
> anybody tries to ping or otherwise access 192.168.182.2, chilli
> will immediately claim it through arp before the real device
> has a chance to answer - it creates a race condition. Putting such
> devices on entirely different subnets makes no difference as their
> IPs will be stolen too. The only, though somewhat ugly, way I found
> around that was to clear the arp cache on my client and then force a
> mapping with arp -s.
>
> So, I thought wouldn't it be cool to let chilli ignore arp requests
> for anything other than itself but only on its own subnet. Anything
> else will still be caught and spoofed as usual. Hence I came up with
> the below patch, I created it against 1.0.11-stable but applying it
> to svn (r161) proved trivial, as it's a very short patch.
>
> I think this should be done by default as it allows devices on the
> chilli subnet to talk to each other properly (of course for real
> isolation one would use something like ebtables or a/p isolation).
> But of course the patch could be extended to make this optional
> (uamanyipignorelan?) if people wanted to keep the current behaviour.
> Thoughts?
>
> Gunther
>
> Index: dhcp.c
> ===================================================================
> --- dhcp.c (revision 161)
> +++ dhcp.c (working copy)
> @@ -2595,6 +2595,14 @@
> return 0; /* Only reply if he asked for his router address */
> }
> }
> + else if ((taraddr.s_addr != options.dhcplisten.s_addr) &&
> + ((conn->hisip.s_addr & conn->hismask.s_addr) ==
> + (reqaddr.s_addr & conn->hismask.s_addr))) {
> + /* when uamanyip is on we should ignore arp requests that ARE
> within our subnet except of course the ones for ourselves*/
> + if (options.debug)
> + log_dbg("ARP: request for ip other than us within our
> subnet(uamanyip on), ignoring");
> + return 0;
> + }
> conn->lasttime = mainclock;
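
Review bot: the subnet test in the added else-if masks reqaddr, not taraddr, against conn->hisip, while the comment above `return 0` talks about requests for addresses within our subnet. If reqaddr is the sender's address, as its name suggests, the branch depends on who is asking rather than on which address is being asked for, so once `taraddr.s_addr != options.dhcplisten.s_addr` holds, a request from a local client for an off-subnet target would be ignored too instead of being spoofed as usual. Consider testing taraddr against chilli's own network and mask. Separately, the comment and the log_dbg string were wrapped by the mailer (the lines beginning "within our subnet" and "subnet(uamanyip on)"), so the patch will not apply or compile as posted; resending it as an attachment would avoid that.
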
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
> For additional commands, e-mail: chilli-help at coova.org
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>