From c801c643d40908765bab059fc6bc32fa0b5b0d6b Mon Sep 17 00:00:00 2001 From: Dmitry Kozlov Date: Tue, 28 Oct 2014 22:28:04 +0300 Subject: ipoe: implemented "L4 redirect on reject" for DHCP sessions If authentication rejects session, but l4-redirect-on-reject is specified in config then temporary session will be created and l4 redirect rule will be applied to IP of that session. Session will be terminated after specified number of seconds. Also if l4-redirect-ip-pool option is specified then IP will be allocated from that special pool. --- accel-pppd/accel-ppp.conf | 1 + accel-pppd/accel-ppp.conf.5 | 3 +++ accel-pppd/ctrl/ipoe/ipoe.c | 36 ++++++++++++++++++++++++++++++++++++ accel-pppd/ctrl/ipoe/ipoe.h | 1 + 4 files changed, 41 insertions(+) diff --git a/accel-pppd/accel-ppp.conf b/accel-pppd/accel-ppp.conf index 25d7aa11..b7187f3e 100644 --- a/accel-pppd/accel-ppp.conf +++ b/accel-pppd/accel-ppp.conf @@ -106,6 +106,7 @@ max-lease-time=3600 #l4-redirect-table=4 #l4-redirect-ipset=l4 #l4-redirect-on-reject=300 +#l4-redirect-ip-pool=pool1 shared=0 ifcfg=1 mode=L2 diff --git a/accel-pppd/accel-ppp.conf.5 b/accel-pppd/accel-ppp.conf.5 index f350b7b2..27e8f3d0 100644 --- a/accel-pppd/accel-ppp.conf.5 +++ b/accel-pppd/accel-ppp.conf.5 @@ -249,6 +249,9 @@ If specified then if radius rejects access 'ip rule add from ip_addr table l4-re .B n seconds. .TP +.BI "l4-redirect-ip-pool=" name +If specified then if radius rejects access and session is DHCP then ip will be allocated from specified pool name. +.TP .BI "gw-ip-address="x.x.x.x/mask Specifies address to be used as server ip address if radius can assign only client address. In such case if client address is matched network and mask then specified address and mask will be used. You can specify multiple such options. .TP diff --git a/accel-pppd/ctrl/ipoe/ipoe.c b/accel-pppd/ctrl/ipoe/ipoe.c index 87aa897f..0dca96eb 100644 --- a/accel-pppd/ctrl/ipoe/ipoe.c +++ b/accel-pppd/ctrl/ipoe/ipoe.c @@ -105,6 +105,7 @@ static int conf_arp; static int conf_ipv6; static uint32_t conf_src; static const char *conf_ip_pool; +static const char *conf_l4_redirect_pool; //static int conf_dhcpv6; static int conf_username; static const char *conf_password; @@ -307,6 +308,17 @@ static void ipoe_session_timeout(struct triton_timer_t *t) ap_session_terminate(&ses->ses, TERM_LOST_CARRIER, 0); } +static void ipoe_session_l4_redirect_timeout(struct triton_timer_t *t) +{ + struct ipoe_session *ses = container_of(t, typeof(*ses), l4_redirect_timer); + + triton_timer_del(t); + + log_ppp_info2("ipoe: session timed out\n"); + + ap_session_terminate(&ses->ses, TERM_NAS_REQUEST, 0); +} + static void ipoe_relay_timeout(struct triton_timer_t *t) { struct ipoe_session *ses = container_of(t, typeof(*ses), timer); @@ -505,6 +517,24 @@ static void auth_result(struct ipoe_session *ses, int r) ses->username = NULL; if (r == PWDB_DENIED) { + if (conf_l4_redirect_on_reject && ses->dhcpv4_request) { + ses->l4_redirect = 1; + if (conf_l4_redirect_pool) { + if (ses->ses.ipv4_pool_name) + _free(ses->ses.ipv4_pool_name); + ses->ses.ipv4_pool_name = _strdup(conf_l4_redirect_pool); + } + + ses->l4_redirect_timer.expire = ipoe_session_l4_redirect_timeout; + ses->l4_redirect_timer.expire_tv.tv_sec = conf_l4_redirect_on_reject; + triton_timer_add(&ses->ctx, &ses->l4_redirect_timer, 0); + + ap_session_set_username(&ses->ses, username); + log_ppp_info1("%s: authentication failed\n", ses->ses.username); + log_ppp_info1("%s: start temporary session (l4-redirect)\n", ses->ses.username); + goto cont; + } + pthread_rwlock_wrlock(&ses_lock); ses->ses.username = username; ses->ses.terminate_cause = TERM_AUTH_ERROR; @@ -519,6 +549,8 @@ static void auth_result(struct ipoe_session *ses, int r) ap_session_set_username(&ses->ses, username); log_ppp_info1("%s: authentication succeeded\n", ses->ses.username); + +cont: triton_event_fire(EV_SES_AUTHORIZED, &ses->ses); if (ses->serv->opt_nat) @@ -999,6 +1031,9 @@ static void ipoe_session_free(struct ipoe_session *ses) if (ses->timer.tpd) triton_timer_del(&ses->timer); + + if (ses->l4_redirect_timer.tpd) + triton_timer_del(&ses->timer); if (ses->dhcpv4_request) dhcpv4_packet_free(ses->dhcpv4_request); @@ -3103,6 +3138,7 @@ static void load_config(void) conf_offer_timeout = 10; conf_ip_pool = conf_get_opt("ipoe", "ip-pool"); + conf_l4_redirect_pool = conf_get_opt("ipoe", "l4-redirect-ip-pool"); conf_vlan_name = conf_get_opt("ipoe", "vlan-name"); if (!conf_vlan_name) diff --git a/accel-pppd/ctrl/ipoe/ipoe.h b/accel-pppd/ctrl/ipoe/ipoe.h index b06aa8b5..555d314b 100644 --- a/accel-pppd/ctrl/ipoe/ipoe.h +++ b/accel-pppd/ctrl/ipoe/ipoe.h @@ -58,6 +58,7 @@ struct ipoe_session { struct list_head entry; struct triton_context_t ctx; struct triton_timer_t timer; + struct triton_timer_t l4_redirect_timer; struct ipoe_serv *serv; struct dhcpv4_serv *dhcpv4; struct ap_ctrl ctrl; -- cgit v1.2.3