Hi, I compiled freeradius (1.0.1) with the UDPFROMTO configure option and applied the patch from Nicolas (http://www.mail-archive.com/[EMAIL PROTECTED]/msg09417.html), and now receiving/sending local auth/acct packets with more than one IP address works as expected.
There were two problems with proxying. First, I listen on 2 IP
addresses; if those are on different interfaces (eth0/eth1) it does not
work. The problem is that the packet is sent to the roaming partner, but
the response is not recognized by freeradius (whereas a local test with
netcat is recognized), although I can see it clearly with tcpdump.
It works well if these 2 IP addresses are on the same interface (with
an IP alias).
The second problem with proxying is that it used the interface which was
defined to send data to the standard gateway as the src IP address for
sending proxy packets.
That was a problem for our scenario, as we have roaming partners which
listen for our packets on the first IP and others on the other;
therefore I patched freeradius to accept in the realm configuration
another parameter which tells the proxy_send method which src IP it
should use to send the data. This is working and solved the second
problem. I have the patch attached and would be happy if it made its
way into the source.
Technical details about the patch:
1. Add a proxy IP address to CONF_PARSER proxy_config[], to MAIN_CONFIG_T and
to the REALM struct.
2. In generate_realms, check whether a proxy_ip is set for this realm or
a global one (mainconfig.proxy_ipaddr). If so, apply it.
3. In proxy_send, check whether an IP address is set in the REALM; if so, set
it in request->proxy->src_ipaddr so we have a src IP.
--- snip ---
--- freeradius-1.0.0-pre2/src/include/radiusd.h 2004-10-04
10:27:37.000000000 +0200
+++ /tmp/freeradius-1.0.0-pre2-ewave/src/include/radiusd.h 2004-10-12
12:45:24.353286104 +0200
@@ -124,6 +124,7 @@
char server[64];
char acct_server[64];
uint32_t ipaddr; /* authentication */
+ uint32_t proxy_ipaddr; /* proxy via interface, rsacherer */
uint32_t acct_ipaddr;
u_char secret[32];
time_t last_reply; /* last time we saw a packet */
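Review bot: the new REALM field `uint32_t proxy_ipaddr` is only given a defined value in generate_realms (the mainconfig.c hunk), and the "unset" sentinel chosen there is `htonl(INADDR_NONE)`, not zero, so a REALM that is zero-initialized on any other path would carry INADDR_ANY and be treated as "set" by the later `realm->proxy_ipaddr != htonl(INADDR_NONE)` test. Worth a comment on the field stating that it is in network byte order and that INADDR_NONE means "not configured", and worth checking that every place a REALM is created initializes it.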
@@ -194,6 +195,7 @@
int proxy_retry_count;
int proxy_retry_delay;
int proxy_fallback;
+ char *proxy_ipaddr; /* proxy via interface, rsacherer */
int reject_delay;
int status_server;
int max_request_time;
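Review bot: `char *proxy_ipaddr` in MAIN_CONFIG_T reuses the exact name that the REALM hunk above gives to a `uint32_t`, so the same identifier is a string in one struct and a binary address in the other; a distinct name for the string form (for example `proxy_ipaddr_str`, a suggestion) would make the later `proxy_ipaddr = mainconfig.proxy_ipaddr;` line in generate_realms harder to misread. A short comment saying this holds the unparsed config string would also help.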
--- freeradius-1.0.0-pre2/src/main/mainconfig.c 2004-10-04
10:27:38.000000000 +0200
+++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/mainconfig.c 2004-10-12
12:45:16.593465776 +0200
@@ -76,6 +79,7 @@
{ "dead_time", PW_TYPE_INTEGER, 0, &mainconfig.proxy_dead_time,
Stringify(DEAD_TIME) },
{ "post_proxy_authorize", PW_TYPE_BOOLEAN, 0,
&mainconfig.post_proxy_authorize, "yes" },
{ "wake_all_if_all_dead", PW_TYPE_BOOLEAN, 0,
&mainconfig.wake_all_if_all_dead, "no" },
+ { "proxyip", PW_TYPE_STRING_PTR, 0, &mainconfig.proxy_ipaddr, NULL },
{ NULL, -1, 0, NULL, NULL }
};
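Review bot: the new config key `"proxyip"` does not follow the underscore naming used by the surrounding entries (`dead_time`, `post_proxy_authorize`, `wake_all_if_all_dead`); `proxy_ip` or similar would be consistent, and the same key is looked up per realm in the next hunk, so both places need to agree on the final spelling. The hunk adds no documentation for the option; the sample radiusd.conf and realm documentation should describe the new global and per-realm settings and that the per-realm value overrides the global one.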
@@ -347,7 +351,7 @@
CONF_SECTION *cs;
REALM *my_realms = NULL;
REALM *c, **tail;
- char *s, *t, *authhost, *accthost;
+ char *s, *t, *authhost, *accthost, *proxy_ipaddr;
char *name2;
tail = &my_realms;
@@ -369,6 +373,28 @@
c->secret[0] = '\0';
/*
+ * Check first if a realm IP is set, if not
+ * check the Mainconfig item, else it means 0 ;-)
+ * rsacherer
+ */
+ if ((proxy_ipaddr = cf_section_value_find(cs, "proxyip")) == NULL) {
+ proxy_ipaddr = mainconfig.proxy_ipaddr;
+ }
+
+ if (proxy_ipaddr == NULL) {
+ c->proxy_ipaddr = htonl(INADDR_NONE);
+ } else {
+ c->proxy_ipaddr = ip_getaddr(proxy_ipaddr);
+ if (c->proxy_ipaddr == htonl(INADDR_NONE)) {
+ radlog(L_ERR, "%s[%d]: Host %s not found",
+ filename, cf_section_lineno(cs),
+ proxy_ipaddr);
+ return -1;
+ }
+ }
+
+
+ /*
* No authhost means LOCAL.
*/
if ((authhost = cf_section_value_find(cs, "authhost")) == NULL) {
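Review bot: when the value came from `mainconfig.proxy_ipaddr` rather than the realm section, the `radlog(L_ERR, "%s[%d]: Host %s not found", filename, cf_section_lineno(cs), proxy_ipaddr)` message points at the realm's file and line even though the bad value lives in the global proxy block, and the error repeats once per realm; validating the global string once where it is parsed and only falling back to the already-resolved address here would report it at the right place. The two consecutive empty `+` lines before the `/* No authhost means LOCAL. */` comment are stray whitespace and should be dropped, and the comment "else it means 0 ;-)" is misleading since the unset value is actually `htonl(INADDR_NONE)`.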
--- freeradius-1.0.0-pre2/src/main/proxy.c 2004-10-04 10:27:38.000000000
+0200
+++ /tmp/freeradius-1.0.0-pre2-ewave/src/main/proxy.c 2004-10-12
12:45:16.701449360 +0200
@@ -430,6 +430,14 @@
request->proxy->timestamp = request->timestamp - (delaypair ?
delaypair->lvalue : 0);
/*
+ * Add the proxy_ipaddr as the source ip address, if one is set
+ * rsacherer
+ */
+ if (realm->proxy_ipaddr != htonl(INADDR_NONE)) {
+ request->proxy->src_ipaddr = realm->proxy_ipaddr;
+ }
+
+ /*
* Do pre-proxying
*/
rcode = module_pre_proxy(request);
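Review bot: the assignment `request->proxy->src_ipaddr = realm->proxy_ipaddr;` only has the intended effect when the server is built with the UDPFROMTO option mentioned at the top of the mail, since without it the kernel chooses the source address of outgoing UDP packets; the comment should state that dependency so the setting is not silently ignored on other builds. Since the override is done before `module_pre_proxy` runs, it is also worth noting in the comment that a pre-proxy module can still change `src_ipaddr` afterwards, which may or may not be what is wanted.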