| Age | Commit message (Collapse) | Author |
|---|
|
|
|
default stateful ipv6 address & prefix radius attrs are per-rfc6911:
171 Delegated-IPv6-Prefix-Pool
172 Stateful-IPv6-Address-Pool
the single pool name from chap-secret file pool is shared for
ipv4/ipv6/ipv6 dp, new config syntax TBD.
per-proto pool names are still for ipv4 only, new config syntax TBD.
|
|
|
|
once radius server has returned User-Name attribute in Access-Accept
packet, it'll be used for any subsequent Accounting-Request packets
instead of internal username per RFC2865 5.1
other way of just replacing session username is possible, but not
desired at the moment due potential issues with single-session modes
in case of different ppp logins / ipoe macs and same contract number
returned by radius for that accounts.
|
|
|
|
|
|
|
|
|
|
Be more specific about which route we want to remove. By not specifying
the gateway we could remove a different route than the one we
originally inserted.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
Rework iproute_del() to have the same parameters as iproute_add().
This will allow callers to specify more precisely the route they want
to delete.
Callers will later be converted to make use of these parameters to
ensure that the removed route precisely matches the one that was
originaly inserted.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
Framed-IPv6-Route is the IPv6 counterpart of Framed-Route. It's only
used for defining routes to be added locally by accel-ppp. Routes that
should be announced to the peer using Router Advertisements should be
defined in the Route-IPv6-Information attribute (but that's currently
not implemented).
Framed-IPv6-Route format is:
<network in CIDR notation> [<gateway IPv6 address> [<route metric>]]
The gateway address and the route metric are optionals, but the metric
can only be set if a gateway address is given. One can use the
unspecified address '::' to define a route with no gateway and a
non-default route metric.
When no gateway address is defined, the session's network interface is
used directly.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
When handling the EV_WINS event, IPCP assumes that the ->wins1 and
->wins2 fields of the event structure are properly set. But that may
not be the case.
If only one of the MS-Primary-NBNS-Server or MS-Secondary-NBNS-Server
RADIUS attributes was received, then only ->wins1 or ->wins2 is set,
while the other keeps a non initialised value. This uninitialised value
is then copied by ev_wins() and proposed to the peer when negociating
the Primary-NBNS-Address or Secondary-NBNS-Address IPCP options.
That leaks four bytes of the stack to the network and prevents using
the values found in the [wins] section of accel-ppp.conf as fallback.
Fix this by initialising the whole event structure in rad_proc_attrs().
Then, in ev_wins(), we can check if ->wins1 or ->wins2 is properly set
before copying them. That allows to propery fallback to accel-ppp.conf
values when one of the values was not provided by RADIUS.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
When handling the EV_DNS event, IPCP assumes that the ->dns1 and ->dns2
fields of the event structure are properly set. But that may not be the
case.
If only one of the MS-Primary-DNS-Server or MS-Secondary-DNS-Server
RADIUS attributes was received, then only ->dns1 or ->dns2 is set,
while the other keeps a non initialised value. This uninitialised value
is then copied by ev_dns() and proposed to the peer when negociating
the Primary-DNS-Address or Secondary-DNS-Address IPCP options.
That leaks four bytes of the stack to the network and prevents using
the values found in the [dns] section of accel-ppp.conf as fallback.
Fix this by initialising the whole event structure in rad_proc_attrs().
Then, in ev_dns(), we can check if ->dns1 or ->dns2 is properly set
before copying them. That allows to propery fallback to accel-ppp.conf
values when one of the values was not provided by RADIUS.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
We need to include "list.h" to define 'struct list_head' and
<netinet/in.h> for 'in_addr_t' and 'struct in6_addr'.
Also, let's include "ap_session.h" so that we don't need a forward
declaration for 'struct ap_session'.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
|
|
|
|
|
|
Let an optional route priority (aka metric) be defined in RADIUS
Framed-Route attributes.
The priority is an integer placed at the end of the route string. This
is backward compatible with the previous format and also conforms with
the recommended format defined by RFC 2865 (although we don't allow
multiple metrics).
Framed-Route format is:
<network> [<gateway> [<priority>]]
For example, 'Framed-Route = "192.0.2.0/24 203.0.113.1 8"' will let
the following route be installed (assuming 203.0.113.1 is routed
through eth0):
$ ip route show
[...]
192.0.2.0/24 via 203.0.113.1 dev eth0 metric 8
It's possible to use the unspecified gateway (0.0.0.0) if one wants to
set a priority without specifying a gateway address.
Finally, route deletion now also takes the priority into account, in
order to avoid removing a different route accidentally.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
|
|
Introduced 4 priorities:
0 - management (cli)
1 - starting sessions (default priority)
2 - active sessions
3 - finishing sessions
|
|
|
|
|
|
|
|
to get radius object use session:module("radius") function
radius object provides flollowing functions:
radius:attrs() - returns array of attributes {"name" = NAME, "vendor" = VENDOR|nil}
radius:attr(name[,vendor]) - returns value of attribute (may return multiple results)
Example:
function ip_up(ses)
rad = ses:module("radius")
attrs = rad:attrs()
if attrs then
print("attrs:")
for _,a in pairs(attrs) do
io.write("\t")
if a.vendor then io.write(a.vendor..":") end
io.write(a.name.."=")
print(rad:attr(a.name, a.vendor))
end
end
end
|
|
1 - is high priority queue for Access-Request and Account-Request(Start)
2 - is low priority queue for Account-Request(Alive) and Account-Request(Stop)
This patch intended to prioritize sessions connecting requests over disconnects and interim updates.
|
|
|
|
later use
Bacause interface may not still exists in authentication phase
|
|
|
|
|
|
|
|
The 'installed' bit of the allocated ipv6db_addr_t structure needs to
be initialised. This is because ap_session_ifdown() reads this bit to
know if the address or route needs to be removed from the kernel.
The 'installed' bit is set by ap_session_accounting_started() and the
ND and DHCPV6 protocol handlers, but disconnection could happen before
these steps.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
|
|
|
|
|
|
|
|
If start=auto is specified then accel-pppd automatically starts session with username = interface name on shared=0 interfaces.
Use it with conjuction vlan_mon. So any packet may start session.
|
|
radius server error packet may be coredump.
|
|
Framed-Route has following syntax: Framed-Route=address[/mask] [gateway]
If gateway is not specified then route would be attached to session interface.
|
|
and Session-Timeout attributes
|
|
Signed-off-by: François Cachereul <f.cachereul@alphalink.fr>
|
|
|
|
|
|
conditions)
|
|
|
|
|
|
The mistake was revealed by gcc 4.9.0
Signed-off-by: François Cachereul <f.cachereul@alphalink.fr>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: Dmitry Kozlov <xeb@mail.ru>
|
|
|
|
|
|
Before this patch any single fail (no responce for max_try requests) caused radius server to enter "fail" state,
which may be unwanted behaviour, because radius may not respond for interim Accounting-Request by some reasons.
This patch introduces "max-fail" option which specifies number of unreplied requests in a row after which server enters into "fail" state.
(Actual only for multi-server configurations)
|
|
|
|
not respond
|
