Ah, progress! I added the $response variable to the logging output in
pf_run to see the output of ipset. It was: sudo: sorry, you must have a tty
to run sudo

So, in my sudoers file I have this: Defaults        requiretty
Then I override it at the end for the user pf.

If I comment out that Defaults requiretty, packetfence works fine. I assume
the Defaults:pf !requiretty override is working, as I can run the command
when su'd as pf. Would this command be being run as another user or
something?



On Thu, May 30, 2013 at 8:46 AM, Fletcher Haynes <[email protected]> wrote:

> It appears to work fine with sudo. My test VM got internet access after I
> ran the command. Here is the log...
> [root@packetfence fhaynes]# su pf
> sh-4.1$ ipset --add pfsession_Reg_10.84.0.0 10.84.109.110,00:50:56:b4:7d:1b 2>&1
> ipset v6.11: Kernel error received: Operation not permitted
> sh-4.1$ sudo ipset --add pfsession_Reg_10.84.0.0 10.84.109.110,00:50:56:b4:7d:1b 2>&1
> sh-4.1$
>
> Interestingly, restarting the packetfence process also seems to resolve
> the issue for the test VM.
>
>
> On Thu, May 30, 2013 at 8:21 AM, Fabrice DURAND <[email protected]> wrote:
>
>>  Try to run ipset command under the pf user.
>>
>>
>> On 2013-05-30 11:08, Fletcher Haynes wrote:
>>
>> Hi Fabrice,
>>
>>  Here is the entry I have in sudoers for pf user:
>>  pf ALL=NOPASSWD: /sbin/iptables, /usr/sbin/ipset
>> Defaults:pf !requiretty
>>
>>
>> On Thu, May 30, 2013 at 8:05 AM, Fabrice DURAND <[email protected]> wrote:
>>
>>>  Hi Fletcher,
>>> can you check in the sudoers file if there is an entry for ipset ?
>>>
>>> Thanks
>>> Fabrice
>>>
>>> On 2013-05-29 19:41, Fletcher Haynes wrote:
>>>
>>>  Hello everyone,
>>>
>>>  I have deployed packetfence in an OOB mode and it works great. I am
>>> now experimenting with the inline mode to handle a different use case. I
>>> can get through the captive portal on my test machine, but right after
>>> registration, ipset seems to have issues. I see the following log messages
>>> quite a bit:
>>>
>>> May 29 16:35:53 pfdhcplistener(12707) WARN: Problem trying to run command: LANG=C sudo ipset --list pfsession_Unreg_10.84.0.0 2>&1 called from get_ip_from_ipset_by_mac. Child exited with non-zero value 1 (pf::util::pf_run)
>>>
>>> May 29 16:35:54 pfdhcplistener(12707) WARN: Problem trying to run command: LANG=C sudo ipset --list pfsession_Reg_10.84.0.0 2>&1 called from ipset_remove_ip. Child exited with non-zero value 1 (pf::util::pf_run)
>>>
>>> May 29 16:35:54 pfdhcplistener(12707) WARN: Problem trying to run command: LANG=C sudo ipset --add pfsession_Reg_10.84.0.0 10.84.109.110,00:50:56:b4:7d:1b 2>&1 called from iptables_mark_node. Child exited with non-zero value 1 (pf::util::pf_run)
>>>
>>> May 29 16:34:38 pfsetvlan(9) WARN: Problem trying to run command: LANG=C sudo ipset --list pfsession_Unreg_10.84.0.0 2>&1 called from get_ip_from_ipset_by_mac. Child exited with non-zero value 1 (pf::util::pf_run)
>>>
>>> Use of uninitialized value $out in split at /usr/local/pf/lib/pf/ipset.pm line 304.
>>> May 29 16:34:38 pfsetvlan(9) WARN: Problem trying to run command: LANG=C sudo ipset --list pfsession_Reg_10.84.0.0 2>&1 called from ipset_remove_ip. Child exited with non-zero value 1 (pf::util::pf_run)
>>> Use of uninitialized value $out in split at /usr/local/pf/lib/pf/ipset.pm line 266.
>>>
>>>  My test machine does not have any network access. However, if I run
>>> the ipset --add command manually (I copy and paste it right out of the log
>>> message) then it works fine.
>>>
>>>  This is my pf.conf for the interface on the inline network:
>>>  [interface eth4]
>>> ip=10.84.0.1
>>> mask=255.255.0.0
>>> type=internal
>>> enforcement=inline
>>> gateway=10.84.0.1
>>>
>>> And this is my networks.conf for that network:
>>> [10.84.0.0]
>>> type=inline
>>> named=enabled
>>> dhcpd=enabled
>>> netmask=255.255.0.0
>>> gateway=10.84.0.1
>>> next_hop=
>>> domain-name=kiosk.willamette.edu
>>> dns=158.104.100.1
>>> dhcp_start=10.84.0.2
>>> dhcp_end=10.84.254.254
>>> dhcp_default_lease_time=300
>>> dhcp_max_lease_time=30
>>>
>>> I also enabled ipv4 forwarding in sysctl. Did I miss something? Any help
>>> would be greatly appreciated!
>>>
>>>  Thanks,
>>>  --
>>>  Fletcher Haynes <[email protected]>
>>>
>>>
>>>  
>>> ------------------------------------------------------------------------------
>>> Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET
>>> Get 100% visibility into your production application - at no cost.
>>> Code-level diagnostics for performance bottlenecks with <2% overhead
>>> Download for free and get started troubleshooting in minutes.
>>> http://p.sf.net/sfu/appdyn_d2d_ap1
>>>
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>> --
>>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  
>>> www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
>>>
>>>
>>>
>>>
>>>
>>
>>
>>  --
>> Fletcher Haynes <[email protected]>
>>  Systems Administrator/Network Services Consultant
>> Willamette Integrated Technology Services
>> Willamette University, Salem, OR
>>  Phone: 503.370.6016
>>
>>
>>
>>
>>
>> --
>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>
>
> --
> Fletcher Haynes <[email protected]>
> Systems Administrator/Network Services Consultant
> Willamette Integrated Technology Services
> Willamette University, Salem, OR
> Phone: 503.370.6016
>



-- 
Fletcher Haynes <[email protected]>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016
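
The sudoers interaction discussed in this thread, as an added example that is not part of any message in it: a small check that reports whether `requiretty` ends up on or off for a given invoking user. The function name `effective_requiretty` is hypothetical, the sample file is constructed from the three sudoers lines quoted above, and the parse is deliberately simplified (no aliases, groups, host/runas/command scopes or include files).

```shell
#!/bin/sh
# effective_requiretty USER SUDOERS_FILE  -> prints "on" or "off"
# Simplified: handles only "Defaults" and "Defaults:user[,user]" lines, applied
# in file order (last match wins). Aliases, %groups, host/runas/command scopes
# and #include files are NOT evaluated.
effective_requiretty() {
    awk -v user="$1" '
        BEGIN { state = "off" }                 # the flag itself defaults to off
        /^[ \t]*#/ { next }                     # comments and #include lines
        $1 !~ /^Defaults/ { next }              # user specs, aliases, blanks
        {
            scope = $1; sub(/^Defaults/, "", scope)
            if (scope != "") {
                if (substr(scope, 1, 1) != ":") next   # @host, >runas, !cmd
                hit = 0
                n = split(substr(scope, 2), names, ",")
                for (i = 1; i <= n; i++) if (names[i] == user) hit = 1
                if (!hit) next                          # override is for someone else
            }
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", line)      # drop the Defaults word
            n = split(line, params, ",")
            for (i = 1; i <= n; i++) {
                p = params[i]; gsub(/[ \t]/, "", p)
                if (p == "requiretty")  state = "on"
                if (p == "!requiretty") state = "off"
            }
        }
        END { print state }
    ' "$2"
}

# Constructed sample built from the three sudoers lines quoted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Defaults        requiretty
pf ALL=NOPASSWD: /sbin/iptables, /usr/sbin/ipset
Defaults:pf !requiretty
EOF

# The per-user override only helps when sudo is invoked by that user.
for u in pf root; do
    printf '%s: requiretty %s\n' "$u" "$(effective_requiretty "$u" "$SAMPLE")"
done
```

On a live host, `sudo -l -U <user>` run as root prints the matching Defaults entries that sudo itself computed, which is the authoritative answer.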