uamanyip patch
wlan at mac.com
Fri Apr 4 05:22:48 UTC 2008
Hi Gunther,
I will definitely give it a look, thanks!
Are you already using this code in a live network?
Btw, if you (or anyone) wants to directly help out chilli, send me
over an htpasswd-generated (md5) username/password and I'll set
you up.
Cheers,
David
On Apr 4, 2008, at 12:07 AM, Gunther Mayer wrote:
> Hi David,
>
> I've recently tried out the uamanyip option in coova and was very
> pleased at how well it works. I want to use it all the time in
> future across our network to simplify troubleshooting, should save
> a couple of support calls ;-)
>
> However, I found a very annoying side effect of uamanyip: it spoofs
> ARP requests for just about anything. While that's the point of
> uamanyip, it makes it impossible to have other devices, such as
> access points that you have to access for management purposes, on
> the chilli network. Say chilli listens on 192.168.182.1 and there's
> another access point with static IP 192.168.182.2 (of course not
> part of the dynip range) to increase wireless coverage. As soon as
> anybody tries to ping or otherwise access 192.168.182.2, chilli
> will immediately claim it through ARP before the real device has a
> chance to answer, which creates a race condition. Putting such
> devices on entirely different subnets makes no difference, as their
> IPs will be stolen too. The only, though somewhat ugly, way I found
> around that was to clear the ARP cache on my client and then force
> a mapping with arp -s.
>
> So I thought, wouldn't it be cool to let chilli ignore ARP requests
> for anything other than itself, but only on its own subnet? Anything
> else will still be caught and spoofed as usual. Hence I came up
> with the patch below. I created it against 1.0.11-stable, but
> applying it to svn (r161) proved trivial, as it's a very short patch.
>
> I think this should be done by default, as it allows devices on the
> chilli subnet to talk to each other properly (of course for real
> isolation one would use something like ebtables or AP isolation).
> But of course the patch could be extended to make this optional
> (uamanyipignorelan?) if people wanted to keep the current
> behaviour. Thoughts?
>
> Gunther
>
> Index: dhcp.c
> ===================================================================
> --- dhcp.c (revision 161)
> +++ dhcp.c (working copy)
> @@ -2595,6 +2595,14 @@
> return 0; /* Only reply if he asked for his router address */
> }
> }
> + else if ((taraddr.s_addr != options.dhcplisten.s_addr) &&
> + ((conn->hisip.s_addr & conn->hismask.s_addr) ==
> + (reqaddr.s_addr & conn->hismask.s_addr))) {
> + /* when uamanyip is on we should ignore arp requests that ARE
> within our subnet except of course the ones for ourselves*/
> + if (options.debug)
> + log_dbg("ARP: request for ip other than us within our subnet
> (uamanyip on), ignoring");
> + return 0;
> + }
> conn->lasttime = mainclock;
>
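Review bot: the subnet test in the new `else if` masks the sender address, `reqaddr`, but the case the comment describes (a request for an address inside our subnet other than ourselves) is a property of the target, `taraddr`, which the first operand `taraddr.s_addr != options.dhcplisten.s_addr` already examines. If `reqaddr` is the requester's own address, `(conn->hisip.s_addr & conn->hismask.s_addr) == (reqaddr.s_addr & conn->hismask.s_addr)` holds for any client whose address lies in its own subnet, and then every request for a target other than dhcplisten is dropped, including the out-of-subnet targets uamanyip exists to answer. Suggested shape: `(taraddr.s_addr & mask) == (options.dhcplisten.s_addr & mask)`, where `mask` is chilli's own netmask for the dhcplisten address rather than `conn->hismask`, since for a client on a foreign static address (the uamanyip case) `conn->hisip & conn->hismask` describes that client's subnet, not chilli's. Separately, the string literal in the `log_dbg(...)` call is split across two lines as it appears here, which is not valid C, so the hunk will not compile as pasted; please attach it unwrapped.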
> Wiki: http://coova.org/wiki/index.php/CoovaChilli
> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>
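The ARP-reply policy Gunther is asking for, keyed on the target address and on the gateway's own subnet, written out as an added C example that is not chilli's code and not part of the original mail. The names `gw_cfg`, `arp_policy`, `arp_handle`, `arp_build_request` and `decide` are made up for this example, the gateway address 192.168.182.1/24 is the one from the mail, and the ARP packets are constructed inline (RFC 826 layout for Ethernet/IPv4) rather than captured. The example also covers two cases the mail does not discuss: the probe/gratuitous request a client sends for its own address, and malformed or non-request ARP packets, both of which are ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Host-order IPv4 address from dotted-quad components, e.g. IP4(192,168,182,1). */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

enum arp_action { ARP_IGNORE = 0, ARP_REPLY_SELF = 1, ARP_REPLY_PROXY = 2 };

/* The gateway's view of the client-facing network. Hypothetical names:
 * in chilli the address is options.dhcplisten and the mask is the
 * configured netmask for it. */
struct gw_cfg {
    uint32_t our_ip;
    uint32_t our_mask;
    int uamanyip;
};

/* Policy for one ARP request; spa/tpa are sender and target protocol
 * addresses in host order. Always answer for ourselves. With uamanyip on,
 * proxy-answer only for targets outside our own subnet, so a real device on
 * the subnet (an access point at 192.168.182.2, say) is never raced. */
static enum arp_action arp_policy(const struct gw_cfg *gw, uint32_t spa, uint32_t tpa)
{
    if (tpa == gw->our_ip)
        return ARP_REPLY_SELF;
    if (!gw->uamanyip)
        return ARP_IGNORE;              /* classic mode: only our router address */
    if (spa == 0 || spa == tpa)
        return ARP_IGNORE;              /* probe or gratuitous ARP for the client's own address */
    if ((tpa & gw->our_mask) == (gw->our_ip & gw->our_mask))
        return ARP_IGNORE;              /* inside our subnet: leave it to the real owner */
    return ARP_REPLY_PROXY;             /* foreign address: claim it, as uamanyip intends */
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse a raw ARP packet (htype 0-1, ptype 2-3, hlen 4, plen 5, oper 6-7,
 * sha 8-13, spa 14-17, tha 18-23, tpa 24-27) and apply the policy.
 * Anything that is not a well-formed Ethernet/IPv4 ARP request is ignored. */
static enum arp_action arp_handle(const struct gw_cfg *gw, const uint8_t *pkt, size_t len)
{
    if (len < 28) return ARP_IGNORE;
    if (be16(pkt) != 1 || be16(pkt + 2) != 0x0800) return ARP_IGNORE;
    if (pkt[4] != 6 || pkt[5] != 4) return ARP_IGNORE;
    if (be16(pkt + 6) != 1) return ARP_IGNORE;   /* only requests, never replies */
    return arp_policy(gw, be32(pkt + 14), be32(pkt + 24));
}

/* Build a constructed ARP packet into buf[28]: "who-has tpa, tell spa". */
static void arp_build_request(uint8_t *buf, uint32_t spa, uint32_t tpa, uint16_t oper)
{
    static const uint8_t sha[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* made-up client MAC */
    memset(buf, 0, 28);
    buf[1] = 1;                         /* htype Ethernet */
    buf[2] = 0x08;                      /* ptype IPv4 */
    buf[4] = 6; buf[5] = 4;
    buf[6] = (uint8_t)(oper >> 8); buf[7] = (uint8_t)oper;
    memcpy(buf + 8, sha, 6);
    for (int i = 0; i < 4; i++) {
        buf[14 + i] = (uint8_t)(spa >> (24 - 8 * i));
        buf[24 + i] = (uint8_t)(tpa >> (24 - 8 * i));
    }
}

/* Gateway from the mail: chilli listening on 192.168.182.1/24. */
static const struct gw_cfg gw_default = { IP4(192, 168, 182, 1), IP4(255, 255, 255, 0), 1 };

/* Convenience: build a packet with the given ARP opcode and run it through the policy. */
static enum arp_action decide_op(uint32_t spa, uint32_t tpa, int uamanyip, uint16_t oper)
{
    struct gw_cfg gw = gw_default;
    uint8_t pkt[28];
    gw.uamanyip = uamanyip;
    arp_build_request(pkt, spa, tpa, oper);
    return arp_handle(&gw, pkt, sizeof pkt);
}

static enum arp_action decide(uint32_t spa, uint32_t tpa, int uamanyip)
{
    return decide_op(spa, tpa, uamanyip, 1);
}

int main(void)
{
    static const char *names[] = { "ignore", "reply-self", "reply-proxy" };
    printf("client asks for gateway 192.168.182.1: %s\n",
           names[decide(IP4(192, 168, 182, 5), IP4(192, 168, 182, 1), 1)]);
    printf("client asks for AP 192.168.182.2:     %s\n",
           names[decide(IP4(192, 168, 182, 5), IP4(192, 168, 182, 2), 1)]);
    printf("static 10.1.1.5 asks for 10.1.1.1:     %s\n",
           names[decide(IP4(10, 1, 1, 5), IP4(10, 1, 1, 1), 1)]);
    return 0;
}
```

The in-subnet "ignore" branch is what removes the race Gunther describes: the access point at 192.168.182.2 is the only host that answers for itself, while a client that kept a foreign static address still gets its gateway proxied because that target falls outside 192.168.182.0/24.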