From owner-freebsd-net@FreeBSD.ORG Fri Oct 7 14:58:59 2005
From: Iasen Kostov <tbyte@otel.net>
To: freebsd-net@freebsd.org
Date: Fri, 07 Oct 2005 17:58:55 +0300
Message-Id: <1128697135.71975.24.camel@DraGoN.OTEL.net>
Subject: Proxy arp should only replay on specified interface.

IMHO proxy arp should only reply on the specified interface, not on every arp-capable interface which received a request for the proxied address. If, let's say, host A has arp-capable if0 and if1 interfaces and you set:

    route add -host 1.0.0.2 -iface if1 -proxy

and then a request is received on if0 for 1.0.0.2, host A will reply that it has it (which IMHO is wrong, as the proxy route is set for if1).

This sometimes is a big problem for our PPPoE/VPN server when the client uses Linux or some small routers (e.g. Linksys or something), probably Linux based. It happens that sometimes (when the link is down or god knows why) it broadcasts an arp "who-has" and the gateway replies. Then this host tries to use the ethernet path and not the (right) tunnel path until the arp cache expires (which is not real fun as there are firewall rules blocking the ethernet path :)).

And even worse :) - I can think of ways to bypass routing protocols using proxy-arp routes like the one mentioned above. But it will not work if proxy-arp behaves the way it does now.

And one thing more - there could be a switch which restores (or turns on) the old behavior.

(patch against 5.4-STABLE is attached)

regards.
--=-ZBrDdf1kBks9icJtvY6g Content-Disposition: attachment; filename=if_ether.c.diff Content-Type: text/x-patch; name=if_ether.c.diff; charset=UTF-8 Content-Transfer-Encoding: 7bit --- if_ether.c.orig Fri Apr 1 23:18:43 2005 +++ if_ether.c Fri Oct 7 16:56:19 2005 @@ -796,6 +796,13 @@ #endif } else { rt = la->la_rt; + if (rt->rt_ifp != ifp) { +#ifdef DEBUG_PROXY + printf("arp: droped proxy request for %s on wrong interface %s\n", + inet_ntoa(itaddr), ifp->if_xname); +#endif + goto drop; + } (void)memcpy(ar_tha(ah), ar_sha(ah), ah->ar_hln); sdl = SDL(rt->rt_gateway); (void)memcpy(ar_sha(ah), LLADDR(sdl), ah->ar_hln); --=-ZBrDdf1kBks9icJtvY6g--
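Review bot: the switch to restore the old behaviour that the mail itself asks for is missing from the hunk; the `if (rt->rt_ifp != ifp)` test is unconditional, so any existing setup that relies on a proxy entry answering on every interface changes behaviour with no way back. Suggest gating the test on a sysctl (a tunable under net.link.ether.inet, name to be chosen) and stating the default in the commit message. Two smaller points in the same hunk: the debug text "droped proxy request" should read "dropped", and since the `drop:` label reached by the new `goto drop` is outside the visible context, confirm it releases the mbuf on this path. Also, because the `DEBUG_PROXY` printf fires once per request arriving from the wire, consider rate-limiting it (ppsratecheck) so a noisy segment cannot flood the console even in a debug build.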
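The scenario in the mail (a host with if0 and if1, a proxy route for 1.0.0.2 bound to if1, and a who-has arriving on each interface), as an added example that is not part of the original post or of the FreeBSD source: a small userland C model of the proxy decision the patch changes in in_arpinput. It parses a constructed Ethernet/ARP request, looks the target up in a hypothetical proxy-route table (standing in for the kernel's route entry and its rt_ifp), and applies either the unpatched policy (reply on any interface) or the patched one (reply only when the ingress interface matches the route's interface). The names arp_parse, proxy_lookup, proxy_should_reply, arp_build_request and proxy_table are this example's own, and the MAC addresses and IPs are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Ethernet + ARP (RFC 826) layout used by the model. */
#define ETH_HLEN 14
#define ARP_LEN  28
#define ARPOP_REQUEST 1

/* Hypothetical proxy-route table: one entry per "route add -host X -iface Y -proxy",
 * keeping the interface the route is bound to (what the kernel holds in rt_ifp). */
struct proxy_route {
    const char *addr;     /* dotted IPv4 target address */
    const char *ifname;   /* interface the proxy route was added on */
};

static const struct proxy_route proxy_table[] = {
    { "1.0.0.2", "if1" },   /* route add -host 1.0.0.2 -iface if1 -proxy */
};

/* Parsed view of an ARP-over-Ethernet packet. */
struct arp_pkt {
    uint16_t op;
    uint8_t  sha[6], tha[6];
    uint32_t spa, tpa;      /* network byte order */
};

/* Parse an Ethernet frame carrying IPv4-over-Ethernet ARP. Returns 0 on success. */
int arp_parse(const uint8_t *frame, size_t len, struct arp_pkt *out)
{
    if (len < ETH_HLEN + ARP_LEN)
        return -1;
    const uint8_t *p = frame + ETH_HLEN;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    uint16_t htype = (uint16_t)((p[0] << 8) | p[1]);
    uint16_t ptype = (uint16_t)((p[2] << 8) | p[3]);
    if (ethertype != 0x0806 || htype != 1 || ptype != 0x0800 || p[4] != 6 || p[5] != 4)
        return -1;
    out->op = (uint16_t)((p[6] << 8) | p[7]);
    memcpy(out->sha, p + 8, 6);
    memcpy(&out->spa, p + 14, 4);
    memcpy(out->tha, p + 18, 6);
    memcpy(&out->tpa, p + 24, 4);
    return 0;
}

/* Find the proxy route for a target address; returns its interface name or NULL. */
const char *proxy_lookup(uint32_t tpa)
{
    for (size_t i = 0; i < sizeof proxy_table / sizeof proxy_table[0]; i++)
        if (inet_addr(proxy_table[i].addr) == tpa)
            return proxy_table[i].ifname;
    return NULL;
}

/* Decide whether a who-has received on ingress_if gets a proxy reply.
 * strict == 0 models the unpatched 5.4 behaviour (any interface answers);
 * strict != 0 models the patch's rt_ifp != ifp check. */
int proxy_should_reply(const uint8_t *frame, size_t len, const char *ingress_if, int strict)
{
    struct arp_pkt a;
    if (arp_parse(frame, len, &a) != 0 || a.op != ARPOP_REQUEST)
        return 0;
    const char *rt_if = proxy_lookup(a.tpa);
    if (rt_if == NULL)
        return 0;                                   /* no proxy route: ordinary drop */
    if (strict && strcmp(rt_if, ingress_if) != 0)
        return 0;                                   /* wrong interface: the patched drop */
    return 1;
}

/* Build a constructed broadcast who-has for target_ip. Returns the frame length. */
size_t arp_build_request(uint8_t *buf, const char *sender_ip, const char *target_ip)
{
    static const uint8_t bcast[6]      = {0xff,0xff,0xff,0xff,0xff,0xff};
    static const uint8_t sender_mac[6] = {0x02,0x00,0x00,0x00,0x00,0x01}; /* constructed */
    uint32_t spa = inet_addr(sender_ip), tpa = inet_addr(target_ip);
    uint8_t *p = buf + ETH_HLEN;
    memcpy(buf, bcast, 6);
    memcpy(buf + 6, sender_mac, 6);
    buf[12] = 0x08; buf[13] = 0x06;                 /* EtherType ARP */
    p[0] = 0; p[1] = 1; p[2] = 0x08; p[3] = 0x00;   /* Ethernet, IPv4 */
    p[4] = 6; p[5] = 4; p[6] = 0; p[7] = ARPOP_REQUEST;
    memcpy(p + 8, sender_mac, 6);
    memcpy(p + 14, &spa, 4);
    memset(p + 18, 0, 6);                           /* target MAC unknown */
    memcpy(p + 24, &tpa, 4);
    return ETH_HLEN + ARP_LEN;
}

int main(void)
{
    uint8_t f[ETH_HLEN + ARP_LEN];
    size_t n = arp_build_request(f, "1.0.0.1", "1.0.0.2");
    printf("who-has 1.0.0.2 on if0: unpatched=%d patched=%d\n",
           proxy_should_reply(f, n, "if0", 0), proxy_should_reply(f, n, "if0", 1));
    printf("who-has 1.0.0.2 on if1: unpatched=%d patched=%d\n",
           proxy_should_reply(f, n, "if1", 0), proxy_should_reply(f, n, "if1", 1));
    return 0;
}
```

The request arriving on if0 is the one the mail complains about: the unpatched policy answers it, the patched policy drops it, and the request on if1 is answered either way.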