Hi
This is the instruction to install install feature/ipset.
You must have the latest packetfence release (3.5.1).
1: yum install perl-File-Which perl-NetAddr-IP ipset sudo
2: edit /etc/sudoers>
comment:
#Defaults requiretty
Add:
pf ALL=NOPASSWD: /sbin/iptables, /usr/sbin/ipset
Defaults:pf !requiretty
3: edit /etc/rc.d/init.d/packetfence
The start section should look like that:
start() {
echo -n $"Starting PacketFence..."
IPSET=`command -v ipset`
if [ $IPSET ]; then
modprobe ip_set
fi
/usr/local/pf/bin/pfcmd service pf start
RETVAL=$?
echo
return $RETVAL
4: Apply the patch:
copy ipset.patch in /usr/local/pf
and patch -p1 < ipset.patch
When you restart packetfence you will see the ipset session by launching
ipset -L
Regards
Le 2012-09-07 10:40, Steve Cole a écrit :
On 12-09-05 08:34 PM, Olivier Dumon wrote:
OK
Thanks in advance.
It seems that I always have the bug.
So I'm interested in instructions and patch.
I too am interested in the patch.
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
diff --git a/lib/pf/Portal/ProfileFactory.pm b/lib/pf/Portal/ProfileFactory.pm
index 97c1ebf..0c40504 100644
--- a/lib/pf/Portal/ProfileFactory.pm
+++ b/lib/pf/Portal/ProfileFactory.pm
@@ -61,12 +61,14 @@ sub instantiate {
# a portal profile using the previously fetched filters. If no match, we instantiate the default portal profile
my $node_info = node_view($mac);
my $last_ssid = $node_info->{'last_ssid'};
- return pf::Portal::Profile->new(_default_profile()) if (!defined($last_ssid));
-
- foreach my $filter ( keys %filters ) {
- if ( $filter eq $last_ssid ) {
- $logger->info("instantiating new portal profile of type " . $filters{$filter});
- return pf::Portal::Profile->new(_custom_profile($filters{$filter}));
+ return pf::Portal::Profile->new(_default_profile()) if (!(defined($node_info->{'last_ssid'}) || defined($node_info->{'last_vlan'})));
+
+ foreach my $last_info ("last_ssid","last_vlan") {
+ foreach my $filter ( keys %filters ) {
+ if ( $filter eq $node_info->{$last_info} ) {
+ $logger->info("instantiating new portal profile of type " . $filters{$filter});
+ return pf::Portal::Profile->new(_custom_profile($filters{$filter}));
+ }
}
}
diff --git a/lib/pf/config.pm b/lib/pf/config.pm
index 65a6280..7d5364f 100644
--- a/lib/pf/config.pm
+++ b/lib/pf/config.pm
@@ -34,6 +34,7 @@ use POSIX;
use Readonly;
use threads;
use Try::Tiny;
+use File::Which;
# Categorized by feature, pay attention when modifying
our (
@@ -65,6 +66,7 @@ BEGIN {
@inline_enforcement_nets @vlan_enforcement_nets
%guest_self_registration
$IPTABLES_MARK_UNREG $IPTABLES_MARK_REG $IPTABLES_MARK_ISOLATION
+ $IPSET_VERSION
$default_config_file %Default_Config
$config_file %Config
$network_config_file %ConfigNetworks
@@ -212,6 +214,8 @@ $ENV{PATH} = '/sbin:/bin:/usr/bin:/usr/sbin';
Readonly::Scalar our $IPTABLES_MARK_REG => "1";
Readonly::Scalar our $IPTABLES_MARK_ISOLATION => "2";
Readonly::Scalar our $IPTABLES_MARK_UNREG => "3";
+my $ipsetversion = ipset_version();
+Readonly::Scalar our $IPSET_VERSION => $ipsetversion;
Readonly::Scalar our $NO_PORT => 0;
Readonly::Scalar our $NO_VLAN => 0;
@@ -267,6 +271,24 @@ sub load_config {
readFloatingNetworkDeviceFile();
}
+=item ipset_version - check the ipset version on the system
+
+=cut
+
+sub ipset_version {
+ my $logger = Log::Log4perl::get_logger('pf::config');
+ my $exe_path = which('ipset');
+ if (defined($exe_path)) {
+ my $cmd = "sudo ".$exe_path." --version";
+ my $out = `$cmd`;
+ my ($ipset_version) = $out =~ m/^ipset\s+v?([\d+]).*$/ims;
+ return $ipset_version;
+ }
+ else {
+ return 0;
+ }
+}
+
=item readPfConfigFiles - pf.conf.defaults & pf.conf
=cut
diff --git a/lib/pf/iptables.pm b/lib/pf/iptables.pm
index 1c899a1..d214ad2 100644
--- a/lib/pf/iptables.pm
+++ b/lib/pf/iptables.pm
@@ -24,6 +24,7 @@ use IPTables::ChainMgr;
use IPTables::Interface;
use Log::Log4perl;
use Readonly;
+use NetAddr::IP;
BEGIN {
use Exporter ();
@@ -40,6 +41,7 @@ use pf::config;
use pf::node qw(nodes_registered_not_violators);
use pf::util;
use pf::violation qw(violation_view_open_uniq violation_count);
+use pf::iplog;
Readonly my $FW_TABLE_FILTER => 'filter';
Readonly my $FW_TABLE_MANGLE => 'mangle';
@@ -61,7 +63,7 @@ TODO: This list is incomplete
=cut
sub iptables_generate {
my $logger = Log::Log4perl::get_logger('pf::iptables');
-
+ $logger->info("IPSET_VERSION ". $IPSET_VERSION);
my %tags = (
'filter_if_src_to_chain' => '', 'filter_forward_inline' => '',
'mangle_if_src_to_chain' => '', 'mangle_prerouting_inline' => '',
@@ -70,7 +72,26 @@ sub iptables_generate {
# global substitution variables
$tags{'web_admin_port'} = $Config{'ports'}{'admin'};
-
+ # init ipset tables
+ if ($IPSET_VERSION > 0) {
+ $logger->warn("We are using IPSET");
+ my $cmd = "sudo ipset --destroy";
+ my $out = `$cmd`;
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $inline_obj = new Net::Netmask( $network, $ConfigNetworks{$network}{'netmask'} );
+ foreach my $IPTABLES_MARK ($IPTABLES_MARK_UNREG, $IPTABLES_MARK_REG, $IPTABLES_MARK_ISOLATION) {
+ if ($IPSET_VERSION > 4) {
+ $cmd = "sudo ipset --create pfsession_$IPTABLES_MARK\_$network bitmap:ip,mac range $network/$inline_obj->{BITS}";
+ $out = `$cmd`;
+ }
+ else {
+ $cmd = "sudo ipset --create pfsession_$IPTABLES_MARK\_$network macipmap --network $network/$inline_obj->{BITS}";
+ $out = `$cmd`;
+ }
+ }
+ }
+ }
# FILTER
# per interface-type pointers to pre-defined chains
$tags{'filter_if_src_to_chain'} .= generate_filter_if_src_to_chain();
@@ -259,16 +280,42 @@ sub generate_mangle_rules {
# default catch all: mark unreg
$mangle_rules .= "-A $FW_PREROUTING_INT_INLINE --jump MARK --set-mark 0x$IPTABLES_MARK_UNREG\n";
-
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ foreach my $IPTABLES_MARK ($IPTABLES_MARK_UNREG, $IPTABLES_MARK_REG, $IPTABLES_MARK_ISOLATION) {
+ $mangle_rules .= "-A $FW_PREROUTING_INT_INLINE -m set --match-set pfsession_$IPTABLES_MARK\_$network src,src " .
+ "--jump MARK --set-mark 0x$IPTABLES_MARK\n"
+ ;
+ }
+ }
+ }
# mark registered nodes that should not be isolated
# TODO performance: mark all *inline* registered users only
my @registered = nodes_registered_not_violators();
foreach my $row (@registered) {
- my $mac = $row->{'mac'};
- $mangle_rules .=
- "-A $FW_PREROUTING_INT_INLINE --match mac --mac-source $mac " .
- "--jump MARK --set-mark 0x$IPTABLES_MARK_REG\n"
- ;
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $net_addr = NetAddr::IP->new($network,$ConfigNetworks{$network}{'netmask'});
+ my $mac = $row->{'mac'};
+ my $iplog = mac2ip($mac);
+ if (defined $iplog) {
+ my $ip = new NetAddr::IP::Lite clean_ip($iplog);
+ if ($net_addr->contains($ip)) {
+ my $cmd = "sudo ipset --add pfsession_$IPTABLES_MARK_REG\_$network $iplog,$mac";
+ my $out = `$cmd`;
+ }
+ }
+ }
+ }
+ else {
+ my $mac = $row->{'mac'};
+ $mangle_rules .=
+ "-A $FW_PREROUTING_INT_INLINE --match mac --mac-source $mac " .
+ "--jump MARK --set-mark 0x$IPTABLES_MARK_REG\n"
+ ;
+ }
}
# mark all open violations
@@ -276,11 +323,28 @@ sub generate_mangle_rules {
my @macarray = violation_view_open_uniq();
if ( $macarray[0] ) {
foreach my $row (@macarray) {
- my $mac = $row->{'mac'};
- $mangle_rules .=
- "-A $FW_PREROUTING_INT_INLINE --match mac --mac-source $mac " .
- "--jump MARK --set-mark 0x$IPTABLES_MARK_ISOLATION\n"
- ;
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $net_addr = NetAddr::IP->new($network,$ConfigNetworks{$network}{'netmask'});
+ my $mac = $row->{'mac'};
+ my $iplog = mac2ip($mac);
+ if (defined $iplog) {
+ my $ip = new NetAddr::IP::Lite clean_ip($iplog);
+ if ($net_addr->contains($ip)) {
+ my $cmd = "sudo ipset --add pfsession_$IPTABLES_MARK_ISOLATION\_$network $iplog,$mac";
+ my $out = `$cmd`;
+ }
+ }
+ }
+ }
+ else {
+ my $mac = $row->{'mac'};
+ $mangle_rules .=
+ "-A $FW_PREROUTING_INT_INLINE --match mac --mac-source $mac " .
+ "--jump MARK --set-mark 0x$IPTABLES_MARK_ISOLATION\n"
+ ;
+ }
}
}
@@ -334,39 +398,80 @@ sub generate_nat_redirect_rules {
sub iptables_mark_node {
my ( $mac, $mark ) = @_;
my $logger = Log::Log4perl::get_logger('pf::iptables');
- my $iptables = IPTables::Interface::new('mangle')
- || logger->logcroak("unable to create IPTables::Interface object");
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $net_addr = NetAddr::IP->new($network,$ConfigNetworks{$network}{'netmask'});
+ my $iplog = mac2ip($mac);
+ if (defined $iplog) {
+ my $ip = new NetAddr::IP::Lite clean_ip($iplog);
+ if ($net_addr->contains($ip)) {
+ my $cmd = "sudo ipset --add pfsession_$mark\_$network $iplog,$mac";
+ my $out = `$cmd`;
+ }
+ }
+ else {
+ $logger->error("Unable to mark mac $mac");
+ return;
+ }
+ }
+ return (1);
+ }
+ else {
+ my $iptables = IPTables::Interface::new('mangle')
+ || logger->logcroak("unable to create IPTables::Interface object");
- $logger->debug("marking node $mac with mark 0x$mark");
- my $success = $iptables->iptables_do_command(
- "-A $FW_PREROUTING_INT_INLINE", "--match mac --mac-source $mac", "--jump MARK --set-mark 0x$mark"
- );
+ $logger->debug("marking node $mac with mark 0x$mark");
+ my $success = $iptables->iptables_do_command(
+ "-A $FW_PREROUTING_INT_INLINE", "--match mac --mac-source $mac", "--jump MARK --set-mark 0x$mark"
+ );
- if (!$success) {
- $logger->error("Unable to mark mac $mac: $!");
- return;
+ if (!$success) {
+ $logger->error("Unable to mark mac $mac: $!");
+ return;
+ }
+ $iptables->commit();
+ return (1);
}
- $iptables->commit();
- return (1);
}
-
sub iptables_unmark_node {
my ( $mac, $mark ) = @_;
my $logger = Log::Log4perl::get_logger('pf::iptables');
- my $iptables = IPTables::Interface::new('mangle')
- || logger->logcroak("unable to create IPTables::Interface object");
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $net_addr = NetAddr::IP->new($network,$ConfigNetworks{$network}{'netmask'});
+ my $iplog = mac2ip($mac);
+ if (defined $iplog) {
+ my $ip = new NetAddr::IP::Lite clean_ip($iplog);
+ if ($net_addr->contains($ip)) {
+ my $cmd = "sudo ipset --del pfsession_$mark\_$network $iplog,$mac";
+ my $out = `$cmd`;
+ }
+ }
+ else {
+ $logger->error("Unable to unmark mac $mac");
+ return;
+ }
+ }
+ return (1);
+ }
+ else {
+ my $iptables = IPTables::Interface::new('mangle')
+ || logger->logcroak("unable to create IPTables::Interface object");
- $logger->debug("removing mark 0x$mark on node $mac");
- my $success = $iptables->iptables_do_command(
- "-D $FW_PREROUTING_INT_INLINE", "--match mac --mac-source $mac", "--jump MARK --set-mark 0x$mark"
- );
+ $logger->debug("removing mark 0x$mark on node $mac");
+ my $success = $iptables->iptables_do_command(
+ "-D $FW_PREROUTING_INT_INLINE", "--match mac --mac-source $mac", "--jump MARK --set-mark 0x$mark"
+ );
- if (!$success) {
- $logger->error("Unable to unmark mac $mac: $!");
- return;
+ if (!$success) {
+ $logger->error("Unable to unmark mac $mac: $!");
+ return;
+ }
+ $iptables->commit();
+ return (1);
}
- $iptables->commit();
- return (1);
}
=item get_mangle_mark_for_mac
@@ -381,31 +486,56 @@ Returns IPTABLES MARK constant ($IPTABLES_MARK_...) or undef on failure.
sub get_mangle_mark_for_mac {
my ( $mac ) = @_;
my $logger = Log::Log4perl::get_logger('pf::iptables');
- my $iptables = new IPTables::ChainMgr('ipt_exec_style' => 'system')
- || logger->logcroak("unable to create IPTables::ChainMgr object");
- my $iptables_cmd = $iptables->{'_iptables'};
-
- # list mangle rules
- my ($rv, $out_ar, $errs_ar) = $iptables->run_ipt_cmd("$iptables_cmd -t mangle -L -v -n");
- if ($rv) {
- # MAC in iptables -L -nv are uppercase
- $mac = uc($mac);
- foreach my $ipt_line (@$out_ar) {
- chomp($ipt_line);
- # matching with end of line ($) for performance
- # saw some instances were a space was present at the end of the line
- if ($ipt_line =~ /MAC $mac MARK set 0x(\d+)\s*$/) {
- return $1;
+ if ($IPSET_VERSION > 0) {
+ foreach my $network ( keys %ConfigNetworks ) {
+ next if ( !pf::config::is_network_type_inline($network) );
+ my $net_addr = NetAddr::IP->new($network,$ConfigNetworks{$network}{'netmask'});
+ my $iplog = mac2ip($mac);
+ if (defined $iplog) {
+ my $ip = new NetAddr::IP::Lite clean_ip($iplog);
+ if ($net_addr->contains($ip)) {
+ foreach my $IPTABLES_MARK ($IPTABLES_MARK_UNREG, $IPTABLES_MARK_REG, $IPTABLES_MARK_ISOLATION) {
+ my $cmd = "sudo ipset --test pfsession_$IPTABLES_MARK\_$network $iplog,$mac";
+ my @out = `$cmd 2>&1`;
+ if (!($out[0] =~ m/NOT/i)) {
+ return $IPTABLES_MARK;
+ }
+ }
+ }
+ }
+ else {
+ $logger->error("Unable to list iptables mangle table: $!");
+ return;
}
- }
- } else {
- if (@$errs_ar) {
- $logger->error("Unable to list iptables mangle table: $!");
- return;
}
}
- # if we didn't find him it means it's the catch all which is
- return $IPTABLES_MARK_UNREG;
+ else {
+ my $iptables = new IPTables::ChainMgr('ipt_exec_style' => 'system')
+ || logger->logcroak("unable to create IPTables::ChainMgr object");
+ my $iptables_cmd = $iptables->{'_iptables'};
+
+ # list mangle rules
+ my ($rv, $out_ar, $errs_ar) = $iptables->run_ipt_cmd("$iptables_cmd -t mangle -L -v -n");
+ if ($rv) {
+ # MAC in iptables -L -nv are uppercase
+ $mac = uc($mac);
+ foreach my $ipt_line (@$out_ar) {
+ chomp($ipt_line);
+ # matching with end of line ($) for performance
+ # saw some instances were a space was present at the end of the line
+ if ($ipt_line =~ /MAC $mac MARK set 0x(\d+)\s*$/) {
+ return $1;
+ }
+ }
+ } else {
+ if (@$errs_ar) {
+ $logger->error("Unable to list iptables mangle table: $!");
+ return;
+ }
+ }
+ # if we didn't find him it means it's the catch all which is
+ }
+ return $IPTABLES_MARK_UNREG;
}
=item update_mark
@@ -632,6 +762,8 @@ David LaPorte <[email protected]>
Kevin Amorin <[email protected]>
+Fabrice Durand <[email protected]>
+
=head1 COPYRIGHT
Copyright (C) 2005 David LaPorte
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
