opennhrp-script - NHRP peer configuration script


NAME

opennhrp-script − NHRP peer configuration script

DESCRIPTION

The NHRP peer configuration script is invoked by opennhrp(8).

This script can be used to establish a direct NBMA peer-to-peer connection after an NHRP Resolution Reply has been received, but before the peer address is injected into the kernel neighbor table. For example, it can insert firewall rules allowing the traffic and/or establish an IPsec connection (or some other secure communication channel). The script is also called when the cached peer information expires.

OPERATION

When opennhrp needs to invoke the peer configuration script, it defines a set of variables in the environment and then executes the script with exactly one argument. The argument is set to the name of the reason why the script has been invoked. The following reasons are currently defined: interface-up, peer-register, peer-up, peer-down, nhs-up, nhs-down, route-up and route-down.

INTERFACE-UP

The interface has just been discovered, or it has changed state from down to up. This is the place to clean up old routes if needed.

PEER-REGISTER

A peer registration request has been received. The script is run before the internal peer cache is altered, which allows the script to reject the registration without deleting old peers. This could be used to check that the IPsec connection is up, or the allowed protocol addresses could be encoded in the certificate and enforced here. This hook is executed synchronously, so it should be fast.

PEER-UP

A peer has been discovered (either by static configuration, dynamic client registration, or the arrival of a resolution reply that initiates a shortcut). This hook is invoked right after the peer’s NBMA address is available. For all entries other than dynamic-map entries, the protocol address is available too. The information will not be injected into the kernel ARP cache until the script has returned zero. If a non-zero value is returned, the peer entry is marked as invalid and negatively cached for a short period of time.

PEER-DOWN

A peer connection is about to be cleared. This can happen for dynamic client registrations or cached information. Dynamic client registrations are torn down when the registration holding time expires (and no re-registration has occurred) or if they are explicitly removed using a Purge Request. Cached entries are removed when the holding time expires (and there has been no traffic to trigger renewal of the peer address information) or when they are explicitly removed with a Purge Request.

NHS-UP

This is called for an NHS right after the first successful Registration Reply is received. This can be used to update application-level configuration about which servers to use.

NHS-DOWN

Informs that the specified NHS is no longer available.

ROUTE-UP

In reply to a resolution request, we have received a shortcut route with a destination off the NBMA subnetwork. The script should insert an appropriate entry into the kernel routing table.

ROUTE-DOWN

The associated shortcut route information is no longer valid and should be removed from the kernel routing table.

ENVIRONMENT

NHRP_TYPE

For peer-up and peer-down reasons this can be: static (configured information), dynamic-nhs (configured NHS with only NBMA address known), dynamic (client registered) or cached (resolved since we had packets going there).

The nhs-up and nhs-down reasons are called for static entries with the register keyword and for dynamic-nhs entries.

For peer-register this is always dynamic.

For route-up and route-down reasons this is always defined as route.

For interface-up reason this is irrelevant, but always defined as interface.

NHRP_INTERFACE

The network interface to which this event is related.

NHRP_GRE_KEY

The GRE key assigned to the related network interface.

NHRP_DESTADDR

Destination protocol address. E.g. for NBMA GRE tunnels this is the IP address assigned to the tunnel interface being used.

NHRP_DESTPREFIX

Subnet prefix length for destination protocol address.

NHRP_DESTNBMA

Defined only for peer-up and peer-down reasons. This contains the NBMA address of the destination. E.g. for NBMA GRE this contains the public IP of the peer.

NHRP_DESTMTU

Defined only for peer-up reasons. This contains the MTU for NBMA address of the destination.

NHRP_NEXTHOP

Defined only for route-up and route-down reasons. This is the protocol address of the next hop to be used in routing.

NHRP_PEER_DOWN_REASON

Defined only for peer-down reason. This describes why the peer has been deleted. Currently it is one of expired, user-request or lower-down.
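
An added example (not part of the opennhrp distribution or of this manual page): a hook skeleton that dispatches on the reason argument, validates the environment variables before they reach ip(8), and rejects peer-register requests whose protocol address is not on an allowlist. Assumptions: IPv4 addresses only, a non-zero exit status rejects a registration as it does for peer-up, and the names IP and ALLOWED_PEERS, with their sample addresses, are constructed for illustration.

```sh
#!/bin/sh
# Added example hook, not the script shipped with opennhrp.
# IP and ALLOWED_PEERS are hypothetical knobs; the addresses are constructed.
IP=${IP:-ip}
ALLOWED_PEERS=${ALLOWED_PEERS:-"10.255.0.2 10.255.0.3"}

# Dotted-quad IPv4 only, so a value can never be parsed as an option or extra word.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Checks every variable the route-up/route-down handlers hand to ip(8).
valid_route() {
    valid_ipv4 "$NHRP_DESTADDR" && valid_ipv4 "$NHRP_NEXTHOP" || return 1
    case $NHRP_DESTPREFIX in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$NHRP_DESTPREFIX" -le 32 ] || return 1
    case $NHRP_INTERFACE in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

handle_event() {
    case $1 in
    peer-register)  # synchronous: only a cheap allowlist lookup
        valid_ipv4 "$NHRP_DESTADDR" || return 1
        for peer in $ALLOWED_PEERS; do
            [ "$peer" = "$NHRP_DESTADDR" ] && return 0
        done
        return 1 ;;
    peer-up)        # non-zero keeps the peer out of the kernel ARP cache
        valid_ipv4 "$NHRP_DESTNBMA" || return 1 ;;
    route-up)
        valid_route || return 1
        $IP route replace "$NHRP_DESTADDR/$NHRP_DESTPREFIX" \
            via "$NHRP_NEXTHOP" dev "$NHRP_INTERFACE" ;;
    route-down)
        valid_route || return 1
        $IP route del "$NHRP_DESTADDR/$NHRP_DESTPREFIX" dev "$NHRP_INTERFACE" ;;
    interface-up|peer-down|nhs-up|nhs-down) : ;;
    *) return 2 ;;
    esac
}

# opennhrp passes the reason as the single argument.
if [ $# -gt 0 ]; then handle_event "$1"; exit $?; fi
```

Setting IP=echo in the environment prints the routing commands instead of running them, which is useful for checking the handlers without root.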

SEE ALSO

opennhrp(8)

AUTHORS

Timo Teras <[email protected]>


Updated 2024-01-29 - jenkler.se | uex.se