uamanyip patch

Gunther Mayer gunther.mayer at googlemail.com
Sat May 3 19:16:25 UTC 2008


lc wrote:
> Hi,
>
> This is an interesting point. I use a different subnet to have access 
> to access points on the chilli network. So I think the suggested 
> uamanyipignorelan option would be excellent if the network to be 
> ignored could be defined.
I rewrote my previous patch which wasn't working too well and submitted 
the now tested and working version as r168. As originally advertised it 
ignores (i.e. doesn't spoof) all arp requests within chilli's own 
subnet. I'm busy rolling this out to a couple of live sites but I don't 
expect any issues as I've tested it quite substantially, it's a very 
minor patch as well.

Regarding an option to specify such a subnet to ignore, I've started on 
a customisable "noarp <subnet>,<subnet>,..." option but gave up soon 
after I realised just how many source files need to be changed in order 
to add a new option. I don't have time right now for such an extensive 
patch but I'm willing to assist anyone who does.
>
> On 04.04.2008 at 00:07, Gunther Mayer wrote:
>
>> Hi David,
>>
>> I've recently tried out the uamanyip option in coova and was very 
>> pleased at how well it works. I want to use it all the time in future 
>> across our network to simplify troubleshooting, should save a couple 
>> of support calls ;-)
>>
>> However, I found a very annoying side effect of uamanyip: It spoofs 
>> ARP requests for just about anything. While that's the point of 
>> uamanyip, it makes it impossible to have other devices such as access 
>> points that you have to access for management purposes on the chilli 
>> network. Say chilli listens on 192.168.182.1 and there's another 
>> access point with static ip 192.168.182.2 (of course not part of the 
>> dynip range) to increase wireless coverage. As soon as anybody tries 
>> to ping or otherwise access 192.168.182.2, chilli will 
>> immediately claim it through arp before the real device has a chance 
>> to answer - it creates a race condition. Putting such devices on 
>> entirely different subnets makes no difference as their IPs will be 
>> stolen too. The only, though somewhat ugly, way I found around that was 
>> to clear the arp cache on my client and then force a mapping with arp 
>> -s.
>>
>> So, I thought wouldn't it be cool to let chilli ignore arp requests 
>> for anything other than itself but only on its own subnet. Anything 
>> else will still be caught and spoofed as usual. Hence I came up with 
>> the below patch, I created it against 1.0.11-stable but applying it 
>> to svn (r161) proved trivial, as it's a very short patch.
>>
>> I think this should be done by default as it allows devices on the 
>> chilli subnet to talk to each other properly (of course for real 
>> isolation one would use something like ebtables or a/p isolation). 
>> But of course the patch could be extended to make this optional 
>> (uamanyipignorelan?) if people wanted to keep the current behaviour. 
>> Thoughts?
>>
>> Gunther
>>
>> Index: dhcp.c
>> ===================================================================
>> --- dhcp.c      (revision 161)
>> +++ dhcp.c      (working copy)
>> @@ -2595,6 +2595,14 @@
>>      return 0; /* Only reply if he asked for his router address */
>>    }
>>  }
>> +  else if ((taraddr.s_addr != options.dhcplisten.s_addr) &&
>> +        ((conn->hisip.s_addr & conn->hismask.s_addr) ==
>> +        (reqaddr.s_addr & conn->hismask.s_addr))) {
>> +    /* when uamanyip is on we should ignore arp requests that ARE 
>> within our subnet except of course the ones for ourselves*/
>> +    if (options.debug)
>> +      log_dbg("ARP: request for ip other than us within our 
>> subnet(uamanyip on), ignoring");
>> +    return 0;
>> +  }
>>  conn->lasttime = mainclock;
>>
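Review bot: The subnet test in the added else-if masks reqaddr, while the first clause and the comment are about the address being asked for (taraddr). If reqaddr is the requester's address, the branch fires for every request sent from inside conn's subnet regardless of target, and never for a client with a foreign IP asking for a local device. Please confirm which address is meant and, if it is the target, compare (taraddr.s_addr & conn->hismask.s_addr) instead. Since the change is unconditional, the comment should also say why conn->hisip and conn->hismask define "our subnet" here.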
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: chilli-unsubscribe at coova.org
>> For additional commands, e-mail: chilli-help at coova.org
>> Wiki: http://coova.org/wiki/index.php/CoovaChilli
>> Forum: http://coova.org/phpBB3/viewforum.php?f=4
>>
>
>
>
>
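The "noarp <subnet>,<subnet>,..." idea from the reply above, as an added example that is not code from the post or from CoovaChilli: it generalises the patch's own-subnet rule to a configurable list of subnets that the gateway leaves alone. The `a.b.c.d/len` syntax and the names `parse_noarp`, `should_answer_arp` and `ip4` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

struct subnet { uint32_t net, mask; };            /* host byte order */

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
  return (uint32_t)(a << 24 | b << 16 | c << 8 | d);
}

/* Parse "a.b.c.d/len,a.b.c.d/len,..." (assumed syntax for the proposed
 * noarp option). Returns the number of subnets stored, -1 if malformed. */
int parse_noarp(const char *spec, struct subnet *out, int max) {
  int n = 0;
  while (*spec) {
    unsigned a, b, c, d, len;
    int used = 0;
    if (n >= max ||
        sscanf(spec, "%3u.%3u.%3u.%3u/%2u%n", &a, &b, &c, &d, &len, &used) != 5 ||
        a > 255 || b > 255 || c > 255 || d > 255 || len > 32)
      return -1;
    spec += used;
    if (*spec == ',') spec++;                     /* next entry follows */
    else if (*spec) return -1;                    /* trailing junk */
    out[n].mask = len ? 0xffffffffu << (32 - len) : 0;
    out[n].net = ip4(a, b, c, d) & out[n].mask;
    n++;
  }
  return n;
}

/* 1 = answer the ARP request on the target's behalf (uamanyip behaviour),
 * 0 = stay silent so the real owner of the address can reply. */
int should_answer_arp(uint32_t target, uint32_t self,
                      const struct subnet *noarp, int n) {
  int i;
  if (target == self) return 1;                   /* our own address */
  for (i = 0; i < n; i++)
    if ((target & noarp[i].mask) == noarp[i].net) return 0;
  return 1;                                       /* claim everything else */
}

int main(void) {
  struct subnet s[8];
  uint32_t self = ip4(192, 168, 182, 1);          /* addresses from the post */
  int n = parse_noarp("192.168.182.0/24", s, 8);  /* constructed option value */
  printf("answer for .2: %d, for .1: %d\n",
         should_answer_arp(ip4(192, 168, 182, 2), self, s, n),
         should_answer_arp(self, self, s, n));
  return 0;
}
```

The decision is made on the ARP target address, so a listed device keeps its address no matter which client asks for it.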



