Bug in proxy code with IPv6?

2011-05-11 Thread Stefan Winter
Hello,

this is about 2.1.10. In my proxy.conf, I have two clauses for a host
(see [1] and [2] below), once with ipaddr for IPv4 and once with ipv6addr
for IPv6.

If I set the pool to use the IPv4 one (see [3]), packets get proxied
just fine. If I replace with IPv6, no packet leaves the server (i.e.
tcpdump on the FR machine sees no packet leaving) [4].

With tcpdump not seeing anything, I'm pretty sure that something's wrong
inside FR - i.e. not a firewall problem. Host firewall is off anyway.

In -X [5], the server *says* it's going to proxy the packet, but a
simultaneous tcpdump just doesn't see it, and there's no auth happening.

As soon as I change the proxy pool definition back to the v4 variant,
things start working again.

That's a bit strange...

Greetings,

Stefan Winter

[1] IPv4 proxy definition:

home_server radius-int-1-v4 {
    type = auth+acct
    ipaddr = 158.64.X.Y
    port = 1812
    secret = ...
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

[2] IPv6 proxy definition:

home_server radius-int-1-v6 {
    type = auth+acct
    ipv6addr = 2001:a18:X:Y::Z
    port = 1812
    secret = ..
    response_window = 20
    zombie_period = 40
    revive_interval = 60
    status_check = status-server
    check_interval = 30
    num_answers_to_alive = 3
}

[3] working pool (the non-working one only replaces -v4 with -v6):

home_server_pool RESTENA-internal {
    type = fail-over
    home_server = radius-int-1-v4
    home_server = ... more servers ...
}

[4] access point tries to auth user, packet goes into FR server, but
nothing leaves; in non-proxy operation, server works nicely, see
Status-Server reply:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:45:50.592669 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
14:45:54.644141 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x44 length: 226
14:45:55.590066 IP ap-2.rest.restena.lu.csd-monitor > galadriel.restena.lu.radius: RADIUS, Access Request (1), id: 0x24 length: 226
14:45:56.985799 IP haldir.restena.lu.59546 > galadriel.restena.lu.radius: RADIUS, Status Server (12), id: 0x00 length: 38
14:45:56.986208 IP galadriel.restena.lu.radius > haldir.restena.lu.59546: RADIUS, Access Accept (2), id: 0x00 length: 20

[5] -X:

Ready to process requests.
rad_recv: Access-Request packet from host 158.64.A.B port 3072, id=126, length=226
        User-Name = certuser-2010-...@restena.lu
        Service-Type = Framed-User
        NAS-IP-Address = 158.64.A.B
        NAS-Port = 3
        NAS-Port-Id = 3
        Called-Station-Id = 00-A0-57-16-91-27:eduroam-restena
        Calling-Station-Id = 64-B9-E8-A0-2E-A4
        Connect-Info = CONNECT 54 Mbps 802.11g
        NAS-Identifier = ap-2.rest
        NAS-Port-Type = Wireless-802.11
        Framed-MTU = 1500
        EAP-Message = 0x020100210163657274757365722d323031302d3030314072657374656e612e6c75
        Message-Authenticator = 0x181d5b6f8959d9d079807ea00c77bcbc
server eduroam {
# Executing section authorize from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group authorize {...}
++[request] returns notfound
[auth_log] expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/auth-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/auth-detail
[auth_log] expand: %t -> Wed May 11 14:57:05 2011
++[auth_log] returns ok
[suffix] Looking up realm restena.lu for User-Name = certuser-2010-...@restena.lu
[suffix] Found realm restena.lu
[suffix] Adding Realm = restena.lu
[suffix] Proxying request from user certuser-2010-001 to realm restena.lu
[suffix] Preparing to proxy authentication request to realm restena.lu
++[suffix] returns updated
} # server eduroam
# Executing section pre-proxy from file /usr/local/freeradius/config//raddb/sites-enabled/eduroam
+- entering group pre-proxy {...}
++- entering policy cui_pre-proxy {...}
+++? if (Packet-Type == Access-Request)
? Evaluating (Packet-Type == Access-Request) -> TRUE
+++? if (Packet-Type == Access-Request) -> TRUE
+++- entering if (Packet-Type == Access-Request) {...}
expand: modules.sql[cui].sp_operator_name -> modules.sql[cui].sp_operator_name
expand: 1%{config:modules.sql[cui].sp_operator_name} -> 1restena.lu
[proxy-request] returns noop
+++- if (Packet-Type == Access-Request) returns noop
++- policy cui_pre-proxy returns noop
[pre_proxy_log] expand: /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail -> /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log] /var/log/radius/radacct/%Y%m%d/%{RESTENA-Service-Type}-service/pre-proxy-detail expands to /var/log/radius/radacct/20110511/eduroam-lu-service/pre-proxy-detail
[pre_proxy_log] expand: %t -> Wed

Re: Bug in proxy code with IPv6?

2011-05-11 Thread Alan DeKok
Stefan Winter wrote:
> As soon as I change the proxy pool definition back to the v4 variant,
> things start working again.
>
> That's a bit strange...

  Bug #143, fixed in the v2.1.x branch.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Bug in proxy code with IPv6?

2011-05-11 Thread Stefan Winter
Hi,

>> That's a bit strange...
>   Bug #143, fixed in the v2.1.x branch.

Cool! Looking forward to 2.1.11...

Stefan



-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473





Re: Bug in proxy code with IPv6?

2011-05-11 Thread Alan Buxey
Hi,

> this is about 2.1.10. In my proxy.conf, I have two clauses for a host
> (see [1] and [2] below), once with ipaddr for IPv4 and once with ipv6addr
> for IPv6.

I was going to be reporting the same thing - however, I've delayed since
I could only see this behaviour on a VM system so wasn't sure it
wasn't a VMware issue (random UDP thing) - as, the exact same code (2.1.8
through to 2.1.10) on a real physical server didn't show this behaviour.

However, if latest 2.1.x code fixes this, then I can certainly try to
verify this.

alan


Re: Bug in proxy code with IPv6?

2011-05-11 Thread Stefan Winter
Hi,

> I was going to be reporting the same thing - however, I've delayed since
> I could only see this behaviour on a VM system so wasn't sure it
> wasn't a VMware issue (random UDP thing) - as, the exact same code (2.1.8
> through to 2.1.10) on a real physical server didn't show this behaviour.
>
> However, if latest 2.1.x code fixes this, then I can certainly try to
> verify this.

Verified only minutes after reading the other Alan's answer - now stuff
works. BTW: The parameter src_ipaddr in home_server {} can also take an
IPv6 address as argument, which is quite a blessing for my deployment.

Greetings,

Stefan



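The proxy.conf layout from the first message, as an added example that is not part of the thread or of FreeRADIUS: a Python audit that lists every `home_server_pool` member defined with `ipv6addr`, so those are the servers to watch with tcpdump before and after an upgrade. The sample addresses and the `audit` and `version` helpers are constructed for illustration, and the `src_ipaddr` address-family check is an added assumption, not something the thread states.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's proxy.conf excerpts; addresses are
# documentation prefixes, and src_ipaddr is deliberately the wrong family.
SAMPLE = """
home_server radius-int-1-v4 {
    ipaddr = 192.0.2.10
}
home_server radius-int-1-v6 {
    ipv6addr = 2001:db8::10
    src_ipaddr = 192.0.2.1
}
home_server_pool RESTENA-internal {
    type = fail-over
    home_server = radius-int-1-v6
    home_server = radius-int-1-v4
}
"""

BLOCK = re.compile(r"^\s*(home_server_pool|home_server)\s+(\S+)\s*\{(.*?)^\s*\}", re.S | re.M)
ITEM = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)

def version(addr):
    """Return 4 or 6 for an IP literal, None for a hostname or redacted value."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None

def audit(conf):
    """Return (pool, home_server, note) tuples for IPv6 members of each pool."""
    servers, pools = {}, {}
    for kind, name, body in BLOCK.findall(re.sub(r"#.*", "", conf)):  # comments dropped
        items = ITEM.findall(body)
        if kind == "home_server":
            servers[name] = dict(items)
        else:
            pools[name] = [v for k, v in items if k == "home_server"]
    findings = []
    for pool, members in pools.items():
        for name in members:
            srv = servers.get(name, {})
            if "ipv6addr" in srv:
                findings.append((pool, name, "IPv6 home server: confirm packets leave the host"))
                if version(srv.get("src_ipaddr", srv["ipv6addr"])) != 6:
                    findings.append((pool, name, "src_ipaddr is not an IPv6 address"))
    return findings
```

Calling `audit(SAMPLE)` returns two findings for `radius-int-1-v6`; a real proxy.conf can be passed in as a string read from disk.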