Is there any reason why arp_filter in net/ipv4/arp.c uses ip_route_output() instead of just seeing if the target IP is assigned to the device? The current arp_filter breaks when using FreeS/WAN to create an IPSec tunnel to a directly connected peer. This is because FreeS/WAN adds a route to that peer via the ipsec interface. The patch below is the logic I would have expected to see. Regards, Phil
diff -u -r1.1.1.3 arp.c
--- arp.c 2 Oct 2001 09:36:12 -0000 1.1.1.3
+++ arp.c 11 Mar 2002 07:32:14 -0000
@@ -345,20 +345,17 @@
 read_unlock_bh(&neigh->lock);
 }
-static int arp_filter(__u32 sip, __u32 tip, struct net_device *dev)
+static int arp_filter(__u32 tip, struct in_device *in_dev)
 {
- struct rtable *rt;
- int flag = 0;
- /*unsigned long now; */
-
- if (ip_route_output(&rt, sip, tip, 0, 0) < 0)
- return 1;
- if (rt->u.dst.dev != dev) {
- NET_INC_STATS_BH(ArpFilter);
- flag = 1;
- }
- ip_rt_put(rt);
- return flag;
+ read_lock(&in_dev->lock);
+ for_ifa(in_dev) {
+ if (tip == ifa->ifa_address) {
+ read_unlock(&in_dev->lock);
+ return 0;
+ }
+ } endfor_ifa(in_dev);
+ read_unlock(&in_dev->lock);
+ return 1;
 }
 /* OBSOLETE FUNCTIONS */
@@ -758,7 +755,7 @@
 if (n) {
 int dont_send = 0;
 if (IN_DEV_ARPFILTER(in_dev))
- dont_send |= arp_filter(sip,tip,dev);
+ dont_send |= arp_filter(tip,in_dev);
 if (!dont_send)
 arp_send(ARPOP_REPLY,ETH_P_ARP,sip,dev,tip,sha,dev->dev_addr,sha);
- : send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
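Review bot: The rewritten arp_filter() in the first hunk no longer bumps the ArpFilter counter on its reject path, so suppressed ARP replies stop showing up in the statistics an operator would use to spot filtering or ARP anomalies. The removed version called `NET_INC_STATS_BH(ArpFilter);` before reporting a mismatch, and the new code could keep that by placing the same call just before the final `return 1;`. The match also compares `tip` with `ifa->ifa_address`, which on point-to-point configurations carries the peer address rather than the local one, so `tip == ifa->ifa_local` looks like the comparison that expresses "assigned to the device"; this is worth confirming against the in_ifaddr definition. Because `sip` is dropped from the signature, the filter no longer reflects routing policy at all. A short comment above the function, stating that it now answers only for addresses configured on the receiving device, would make that change of contract explicit for anyone who enabled arp_filter for source-routed setups.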