Hello Nicolas, and all others too! I tried this patch and it worked partially. I have to note we are currently using the 1.0.0 pre2 release.
I think I need to describe our scenario. We used to bind our roaming partners with an IPsec tunnel which terminates on private IPs (let's call them 10.4). Now we want our new roaming partners to use public IP addresses (62.4) without tunnels, but to leave the old roaming partners enough time to change (and we know some would not change it), we want the server to listen on both IP addresses, the 10.4 and the 62.4. With the UDPFROMTO option and the patch from Nicolas this works great for local auth/acct, but it does not work for roaming. If the server wants to roam, the src IP address field in the packet was empty, so I assumed the kernel chose the IP to send from, and it seemed so, as it took the IP which was used to send to the default gateway.

I patched the FreeRADIUS server so I can add in the proxy.conf file for every realm a proxyiface option which defines the IP address which should be used for proxying. If the src address in the packet is empty, I take the IP from proxy.conf, and it seemed to work. But THERE is somewhere a problem I could not figure out until now: if the 62.4 and the 10.4 are on different interfaces (eth0=62.4/eth1=10.4), the packet is sent to the roaming partner and the roaming partner answers (I verified it with tcpdump), BUT the RADIUS server did not seem to receive this packet. I tried from localhost to connect with netcat to the proxy port 1814 and the server received something (as I typed nonsense, it put "malformed packet" in the logfile, but it was receiving something). Netstat displayed the 62.4 and 10.4 listening on 1812 and 1813 and * (0.0.0.0) listening on 1814. After that I tried to make 10.4 an alias on the eth0 interface (eth0:1), and since then it has worked perfectly!
Right now I talked with our network guy and he told me that it could be that listening on * (as is done for proxying) differs between listening on all IP addresses and listening on all devices, so that there are some interface-binding problems, but I do not know. Currently our implementation works very well, and I also could create a heartbeat interface now, as it is possible to listen on more IP addresses, but it is not a clean solution. I want to fix this proxy behavior in the right way and put my patches into radius itself soon, as it seems that without these outstanding fixes the UDPFROMTO patch is not complete!

Best regards and hope for many helping heads ;-)
Raimund Sacherer

On Wednesday, 15.09.2004, 16:48 +0200, Nicolas Baradakis wrote:
> Raimund Sacherer wrote:
>
> > we want the server to listen on 2 interfaces, but there is a problem, if
> > I tell it to bind to * (any device) it seems to NOT send the packet out
> > to the client on the same interface it got in, in fact, it seems it's
> > randomly choosing on which interface it sends the packet out.
> >
> > so, the client sends to X.X.X.X but the reply comes from X.X.X.Y and
> > the client does not accept the packet ...
> >
> > is this a bug or am I missing something?
>
> I ran into a similar problem a long time ago. A patch was submitted on
> the development list[1], but it's not enabled by default. You have to
> build the server with :
> $ ./configure --with-udpfromto
>
> [1] http://lists.cistron.nl/archives/freeradius-devel/2003/09/frm00034.html
>
> It solved the problem of "received response to request we did not send"
> for me with Freeradius 0.9.x
>
> However I recently tested 1.0.0 version and found out that a line of
> the patch was not included in the source tree.
And it looks like I > found a volunteer to test the following patch :-) > > Index: src/main/mainconfig.c > =================================================================== > RCS file: /source/radiusd/src/main/mainconfig.c,v > retrieving revision 1.39 > diff -u -r1.39 mainconfig.c > --- src/main/mainconfig.c 10 Jun 2004 18:23:10 -0000 1.39 > +++ src/main/mainconfig.c 15 Sep 2004 13:38:01 -0000 > @@ -49,6 +49,9 @@ > #include <grp.h> > #include <pwd.h> > > +#ifdef WITH_UDPFROMTO > +#include "udpfromto.h" > +#endif > > #ifdef HAVE_SYSLOG_H > # include <syslog.h> > @@ -935,7 +938,13 @@ > if (this->fd < 0) { > return -1; > } > - > + > +#ifdef WITH_UDPFROMTO > + if (udpfromto_init(this->fd) != 0) { > + radlog(L_ERR|L_CONS, "ERROR: udpfromto init failed."); > + } > +#endif > + > sa = (struct sockaddr_in *) &salocal; > memset ((char *) sa, '\0', sizeof(salocal)); > sa->sin_family = AF_INET; > >
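Review bot: the `#include "udpfromto.h"` in the first hunk (`@@ -49,6 +49,9 @@`) is correctly wrapped in `#ifdef WITH_UDPFROMTO`, but it is dropped between the `<pwd.h>` and `<syslog.h>` system includes; move the project header next to the other local includes of mainconfig.c so the guarded block is not lost among system headers, and add a line to the build documentation saying the fix only takes effect when the server is configured with `--with-udpfromto`, which the reply above says is off by default.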
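Review bot: in the second hunk (`@@ -935,7 +938,13 @@`) a failing `udpfromto_init(this->fd)` is only logged with `radlog(L_ERR|L_CONS, "ERROR: udpfromto init failed.");` and the socket is kept, so a server built with `--with-udpfromto` on a system where the socket option cannot be set silently falls back to the kernel choosing the source address, which is exactly the "reply comes from X.X.X.Y" failure this option exists to prevent; either `return -1;` here, as the `if (this->fd < 0)` check just above does, so the listener is not created, or make the log line say that replies on this socket will not be sent from the address the request was sent to. The `-` / `+` pair that replaces an empty line with an empty line is a whitespace-only change and should be dropped from the diff.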
signature.asc
Description: This is a digitally signed message part
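The socket mechanism the whole thread turns on, as an added example that is not FreeRADIUS code and not the udpfromto patch itself: on Linux a UDP socket bound to 0.0.0.0 can learn which local address each request was sent to (IP_PKTINFO on receive) and reply from that same address (IP_PKTINFO on send) instead of letting the kernel pick the source by its route to the peer, which is the "reply comes from X.X.X.Y" problem quoted above. The same send helper with an explicitly chosen source address is what a proxy needs when it has to pick the address it speaks from, as the proxyiface idea in the mail does. The function names, the 127.0.0.2 server address (the whole 127/8 is local on Linux), the "ping"/"pong" payloads and the two-second receive timeout are all constructed for this demo.

```c
/* Added example, not FreeRADIUS or udpfromto code.  Linux-specific (IP_PKTINFO).
 * Names, the 127.0.0.2 address and the payloads are constructed for the demo. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Ask the kernel to attach the packet's destination address to each datagram. */
int udp_enable_dstaddr(int fd) {
    int one = 1;
    return setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one);
}

/* recvmsg() wrapper: fills `from` (peer) and `dst` (local address the datagram
 * was addressed to).  `dst` stays 0.0.0.0 if no IP_PKTINFO cmsg arrived. */
ssize_t udp_recv_with_dst(int fd, void *buf, size_t len,
                          struct sockaddr_in *from, struct in_addr *dst) {
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct msghdr msg = { .msg_name = from, .msg_namelen = sizeof *from,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    dst->s_addr = htonl(INADDR_ANY);
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);
            *dst = pi.ipi_addr;            /* destination address from the IP header */
        }
    }
    return n;
}

/* sendmsg() wrapper: send to `to` with the source address forced to `src`. */
ssize_t udp_send_from(int fd, const void *buf, size_t len,
                      const struct sockaddr_in *to, struct in_addr src) {
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct in_pktinfo pi;
    memset(cbuf, 0, sizeof cbuf);
    memset(&pi, 0, sizeof pi);
    struct msghdr msg = { .msg_name = (void *)to, .msg_namelen = sizeof *to,
                          .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
    pi.ipi_spec_dst = src;                 /* kernel uses this as the source address */
    memcpy(CMSG_DATA(c), &pi, sizeof pi);
    return sendmsg(fd, &msg, 0);
}

/* Constructed loopback run: a client bound to 127.0.0.1 sends to a server that is
 * bound to 0.0.0.0 but addressed as `server_ip`.  The reply's source address, as
 * the client sees it, is written to `seen_src`.  reply_from_dst == 0: the server
 * answers with plain sendto() and the kernel picks the source (the bug in the
 * thread); 1: it answers from the address the request was sent to. */
int loopback_reply_demo(const char *server_ip, int reply_from_dst,
                        char *seen_src, size_t seen_len) {
    struct sockaddr_in any = { .sin_family = AF_INET }, cli_addr = any, target = any, from, reply_from;
    struct timeval tv = { .tv_sec = 2 };   /* never hang if a packet goes missing */
    struct in_addr dst;
    socklen_t alen = sizeof any, rlen = sizeof reply_from;
    char buf[64];
    ssize_t n;
    int rc = -1, srv = socket(AF_INET, SOCK_DGRAM, 0), cli = socket(AF_INET, SOCK_DGRAM, 0);

    if (srv < 0 || cli < 0) goto out;
    setsockopt(srv, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    setsockopt(cli, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    /* server: bind to 0.0.0.0 on an ephemeral port, then read the port back */
    if (udp_enable_dstaddr(srv) < 0 || bind(srv, (struct sockaddr *)&any, sizeof any) < 0 ||
        getsockname(srv, (struct sockaddr *)&any, &alen) < 0) goto out;
    /* client: bound to 127.0.0.1, sends "ping" to server_ip on that port */
    inet_pton(AF_INET, "127.0.0.1", &cli_addr.sin_addr);
    target.sin_port = any.sin_port;
    if (inet_pton(AF_INET, server_ip, &target.sin_addr) != 1 ||
        bind(cli, (struct sockaddr *)&cli_addr, sizeof cli_addr) < 0 ||
        sendto(cli, "ping", 4, 0, (struct sockaddr *)&target, sizeof target) != 4) goto out;
    /* server: receive, then answer either naively or from the requested address */
    if (udp_recv_with_dst(srv, buf, sizeof buf, &from, &dst) < 0) goto out;
    n = reply_from_dst ? udp_send_from(srv, "pong", 4, &from, dst)
                       : sendto(srv, "pong", 4, 0, (struct sockaddr *)&from, sizeof from);
    if (n != 4 || recvfrom(cli, buf, sizeof buf, 0, (struct sockaddr *)&reply_from, &rlen) < 0 ||
        !inet_ntop(AF_INET, &reply_from.sin_addr, seen_src, seen_len)) goto out;
    rc = 0;
out:
    if (srv >= 0) close(srv);
    if (cli >= 0) close(cli);
    return rc;
}

/* 1 if the client saw the reply come from `server_ip`, 0 if from another address,
 * -1 on a socket error. */
int reply_source_matches(const char *server_ip, int reply_from_dst) {
    char seen[INET_ADDRSTRLEN];
    if (loopback_reply_demo(server_ip, reply_from_dst, seen, sizeof seen) < 0) return -1;
    return strcmp(seen, server_ip) == 0;
}

int main(void) {
    printf("plain sendto():   reply from requested address? %d\n", reply_source_matches("127.0.0.2", 0));
    printf("IP_PKTINFO reply: reply from requested address? %d\n", reply_source_matches("127.0.0.2", 1));
    return 0;
}
```

Run as an ordinary user; no privileges are needed for loopback. The plain sendto() case answers from 127.0.0.1 because the kernel routes the reply to the client by its own route, not by the address the request came in on; the IP_PKTINFO case answers from 127.0.0.2. For a proxy, pass the configured outbound address as `src` to `udp_send_from()` and leave `ipi_ifindex` at 0 so the kernel still picks the interface by its routing table.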

