Segfault in module accessing custom attributes fields

2009-02-16 Thread D'AVELLA STEFANO
Hi all,

I am having some problems in trying to write a little module to handle
some custom attributes. Because I have a project regarding very specific
requirements I preferred to write a module instead of trying to use the
existing ones, so I can know in a better way where to go to change
things when I want a different behaviour.

What I am doing right now is trying to have a testbed with a client, a
proxy and a server, exchanging some custom attributes saved in the users
file of the server and transmitted with auth-accept messages.

The proxy should intercept these new attributes and save them in a
specific syntax in a local file.

I managed to create and transfer successfully the custom attributes and
to have them saved in a local file by the proxy.

The problem is that if these attributes have a string as a value, there
is no problem in reading it using the field vp_strvalue.
If these attributes have the attribute ipv6address, when I try to access
them using vp_ipv6address I get a segfault. The values are correctly
stored in the packets because I can see them with wireshark and the
client receives them successfully.

In the documentation (the wiki) it is written to access the
attributes through request->packet->vps but I managed to do it only with
request->reply->vps. (Initially I wanted to save this local file using
the post-proxy section because I was thinking that it was the best place
to do it (it's an action to do when the proxy receives the reply from
the server) but I couldn't access the right packet through the API and
so I found out that I could do it in the post-auth phase.)

I would not want to disturb you too much but the problem is that it
seems to me that there is a bit of lack in the documentation regarding
how to write modules in the newer versions of freeradius and so I didn't
know other places to look (I have been looking at the source code for
all the day but maybe I can do it faster if pointed into the right
direction)

Thank you in advance for any answer,

Best regards,


D'Avella Stefano
Bell Labs
Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Proxy with two interfaces configuration

2009-02-12 Thread D'AVELLA STEFANO
Hello all,

I am using freeradius 2.1.0 on two ubuntu machines, one of which is
configured as server and one as proxy.
The network is configured in ipv6 but that's not the problem here
(everything regarding ipv6 works well now)
I am trying to create a testbed where there are three machines:

-one server, which listens to an interface
-one client (for testing I am just using radclient) that sends auth
requests to a proxy
-one proxy, in the middle of the two other machines, that proxies auth
requests to the server. This proxy has two interfaces, one connected to
the client and one to the server.

All following ipv6 addresses are to be read with global scope (but as I
said, if they were ipv4 it would be the same I think)

Server address : 2001::400 
Proxy (interface to the server) 2001::300
Proxy (interface to the client) 2000::300
Client 2000:200 

Now when I try to run the test what happens is that the client sends
the auth request, the proxy correctly forwards it to the server, and the
server correctly authenticates the client. The problem is that the proxy
sends the proxied message with the address 2000::300, not 2001::300.
When the server tries to reply to the proxy, it tries to send the packet
to 2000::300 but since it is a different network there is no route for
it.

I have been searching for a while in the users / radiusd.conf /
clients.conf / proxy.conf for an option to set the proxy ip address when
proxying messages. It seemed to me that I saw something like that, but
if I did I just can't find it again.

If it exists it would be sufficient to tell me where to find it and I
will hopefully solve this issue on my own.

I attach some config files:

Server:
Clients.conf

# IPv6 Client
client 2000::300 {
nastype = other
secret  = testing123
shortname   = relay
}
(if I set 2001::300 it tells me that it receives a packet from the
unknown host 2000::300 and discards it)

Radiusd.conf

listen {
#   ipaddr = *
ipv6addr = 2001::400
port = 0
type = auth
}

Proxy
Clients.conf

# IPv6 Client
client 2000::200 {
secret  = testing123
shortname   = mobile
}

Proxy.conf

home_server rad_server {
type = auth
ipv6addr = 2001::400
port = 1812
secret =testing123
}
home_server_pool my_auth {
type = fail-over
 home_server = rad_server
}
realm example.com {
auth_pool = my_auth
}
(example.com is the realm I use in the test)


P.S: another quick question. Is it possible with some logging option (or
in other ways) to save the attributes that the server adds to the auth
accept message locally in a file in the proxy machine? I saw that there
are some options to add/modify the attributes in the reply, but is it
possible to save them in a file?

Thanks in advance for the help and sorry if I am missing out something
obvious.

Best Regards,

--
D'Avella Stefano
Bell Labs
Alcatel-Lucent
Centre de Villarceaux
Route de Villejust
91625 NOZAY


RE: Proxy with two interfaces configuration

2009-02-12 Thread D'AVELLA STEFANO
P.S: another quick question. Is it possible with some logging option (or
in other ways) to save the attributes that the server adds to the auth
accept message locally in a file in the proxy machine? I saw that there
are some options to add/modify the attributes in the reply, but is it
possible to save them in a file?

 

I answered the second question reading with more accuracy the modules
documentation.

Thank you anyway. 

(The proxy problem is still there anyway)

-- 
D'Avella Stefano 
Bell Labs 
Alcatel-Lucent 
Centre de Villarceaux 
Route de Villejust 
91625 NOZAY 


RE: Error binding port to ipv6 address

2009-02-11 Thread D'AVELLA STEFANO
I didn't enable it but maybe the debian-build made it for me without
noticing it.
Anyway it's definitely the udpfromto problem. For debugging I just
forced the define of HAVE_AF_INET6 (that it was not defined and so made
udpfromto_init return -1) and now the code works.

Or better, there is a problem but it is different.

Now I can listen on ipv6, but only on localhost. On localhost it works
(just tested with radclient).
If I tried to assign any other address (any ::, or a specific one) it
tells me that the address is already assigned and it exits. Can it be
related to udpfromto or is it another problem?


D'AVELLA STEFANO wrote:
 Exactly the problem is in the udpfromto_init() call inside the
 listen_bind() function.

  Then disable udpfromto.  It is NOT enabled in the default build of the
server, so the only way you can run into this problem is if you enable a
non-standard feature.

  Alan DeKok.



RE: Error binding port to ipv6 address

2009-02-11 Thread D'AVELLA STEFANO
Setting the flag --without-udpfromto inside debian/rules solved the
issue.

Probably debian/ubuntu testers added it in the default config because
they didn't test it with ipv6, I don't know.

Anyway now it works, thanks all for the help  




RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Thanks for the suggestion but of course I tried different ways to try to
grep the process :) 
I just mentioned one of the commands I used to make people understand
that I checked the process list :)
 
Still no clue about the problem anyway...
 
 
 Try just 'ps -e|grep radius' that will catch freeradius as well as
radiusd which it is called on some.

--
Leigh


On Mon, Feb 9, 2009 at 12:02 PM, D'AVELLA STEFANO
stefano.dave...@alcatel-lucent.com wrote:


Be sure that no other freeradius is running and also that you
have enough rights to open such a port.


Look in your inet.d or similar to avoid that another service is
run instead of the planned freeradius.
 
Thanks for the quick answer. I have thought the same because
also some old mailing list post seemed to be related to this problem.
I checked this possible problem before posting, but as far as I
can see there is no other instance of freeradius running (ps -e | grep
freeradius returns empty), and nothing is listening on that port
(according to netstat). I also tried to change port several times but
it's not working
In /etc/services the port 1812 both tcp and udp are correctly
assigned to radius (in fact in the error message it correctly uses the
port 1812).
 
Regards, 
 
-- 
Stefano D'Avella


RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
I don't have selinux installed on the machine, the only installed
package about selinux is the shared library libselinux1, so 
I  don't think that is the problem. I am thinking that it is something
about the ipv6 config in ubuntu but I am not sure. What I am doing right
now is trying to backtrace the exact function that creates the problem. 
I just started right now and I see that it is somewhere inside
listen_init() in listen.c. When I will get the exact function that it is
not working as it should be maybe there will be some more ideas about
what's going on...  

No problem :)

Maybe a shot in the dark but is selinux enabled? Check your logs to see
if any policies are blocking it or type 'echo 0 > /selinux/enforce' then
try to start it again.

--
Leigh


On Tue, Feb 10, 2009 at 3:19 AM, D'AVELLA STEFANO
stefano.dave...@alcatel-lucent.com wrote:


Thanks for the suggestion but of course I tried different ways
to try to grep the process :) 
I just mentioned one of the commands I used to make people
understand that I checked the process list :)
 
Still no clue about the problem anyway...
 
 
 Try just 'ps -e|grep radius' that will catch freeradius as well
as radiusd which it is called on some.

--
Leigh


On Mon, Feb 9, 2009 at 12:02 PM, D'AVELLA STEFANO
stefano.dave...@alcatel-lucent.com wrote:


Be sure that no other freeradius is running and also
that you have enough rights to open such a port.


Look in your inet.d or similar to avoid that another
service is run instead of the planned freeradius.
 
Thanks for the quick answer. I have thought the same
because also some old mailing list post seemed to be related to this
problem.
I checked this possible problem before posting, but as
far as I can see there is no other instance of freeradius running (ps -e
| grep freeradius returns empty), and nothing is listening on that port
(according to netstat). I also tried to change port several times but
it's not working
In /etc/services the port 1812 both tcp and udp are
correctly assigned to radius (in fact in the error message it correctly
uses the port 1812).
 
Regards, 
 
-- 
Stefano D'Avella


RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Ok I have traced where the problem is (of course it was in the actual
binding of the port).
Listen_init() calls listen_parse() that calls common_socket_parse().
 
Inside this function around line 510 of listen.c there is this line:
 
/*
  * And bind it to the port.
  */
 if (listen_bind(this) < 0) {
 
the call to listen_bind() actually returns -1 and that's the problem.
Because I am new at ipv6 too I will take some time to examine what
listen_bind() exactly does (and why it returns -1), anyway meanwhile I
printed the variable this passed to it and the variable this->data
that inside the function is assigned to sock. Here are the results:
 
print *this
$30 = {next = 0x0, type = RAD_LISTEN_AUTH, fd = -1, server = 0x0, status = 0,
  recv = 0x8059ba0 <auth_socket_recv>, send = 0x8057640 <auth_socket_send>,
  encode = 0x8057960 <client_socket_encode>,
  decode = 0x8057880 <client_socket_decode>, print = 0x8057b40 <socket_print>,
  data = 0x8cd40a0, stats = {total_requests = 0, total_invalid_requests = 0,
    total_dup_requests = 0, total_responses = 0, total_access_accepts = 0,
    total_access_rejects = 0, total_access_challenges = 0,
    total_malformed_requests = 0, total_bad_authenticators = 0,
    total_packets_dropped = 0, total_no_records = 0, total_unknown_types = 0}

print *(listen_socket_t *) this->data
$33 = {ipaddr = {af = 10, ipaddr = {ip4addr = {s_addr = 288}, ip6addr = {
        __in6_u = {__u6_addr8 = " \001", '\0' <repeats 12 times>, "\003P",
          __u6_addr16 = {288, 0, 0, 0, 0, 0, 0, 20483}, __u6_addr32 = {288, 0,
            0, 1342373888}, port = 0, interface = 0x8bdea7e "eth3",
  clients = 0x0}

(I couldn't print directly sock because gdb didn't allow me to access
that memory address).
 
If somebody sees something wrong please tell me (I have still to check
how the two structs are organized so for the moment I still don't know)
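
The address in the dump above can be decoded by hand. The following is an added example, not part of the original message: it rebuilds the 16 address bytes from the __u6_addr16 and __u6_addr32 views, checks that they agree, and formats the result with inet_ntop(). It assumes the dump was taken on a little-endian host; the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: values copied from the gdb dump in the message above. */
static const uint16_t DUMP16[8] = {288, 0, 0, 0, 0, 0, 0, 20483};
static const uint32_t DUMP32[4] = {288, 0, 0, 1342373888u};

/* Rebuild the address bytes from the __u6_addr16 view: on a little-endian
 * host the low byte of each word is first in memory. */
void bytes_from_le16(const uint16_t w[8], uint8_t out[16])
{
    for (int i = 0; i < 8; i++) {
        out[2 * i] = (uint8_t)(w[i] & 0xff);
        out[2 * i + 1] = (uint8_t)(w[i] >> 8);
    }
}

/* Same for the __u6_addr32 view. */
void bytes_from_le32(const uint32_t d[4], uint8_t out[16])
{
    for (int i = 0; i < 4; i++)
        for (int b = 0; b < 4; b++)
            out[4 * i + b] = (uint8_t)(d[i] >> (8 * b));
}

/* Writes the textual address and returns 0 if both views agree, else -1. */
int decode_dump(char *text, size_t len)
{
    uint8_t a[16], b[16];
    struct in6_addr addr;

    bytes_from_le16(DUMP16, a);
    bytes_from_le32(DUMP32, b);
    if (memcmp(a, b, sizeof(a)) != 0)
        return -1;
    memcpy(addr.s6_addr, a, sizeof(a));
    return inet_ntop(AF_INET6, &addr, text, (socklen_t)len) ? 0 : -1;
}

int main(void)
{
    char text[INET6_ADDRSTRLEN];
    if (decode_dump(text, sizeof(text)) == 0)
        printf("ipaddr = %s\n", text);
    return 0;
}
```

The decoded address is 2001::350, and af = 10 is AF_INET6 on Linux, so the structure passed to listen_bind() holds a well-formed IPv6 address.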
 
 

RE: Error binding port to ipv6 address

2009-02-10 Thread D'AVELLA STEFANO
Exactly the problem is in the udpfromto_init() call inside the
listen_bind() function. 
Inside this function the return value is set to be:
 
return setsockopt(s, proto, flag, &opt, sizeof(opt));
 
with the ipv6 address, it returns -1 (and after a couple of calls and
error logs, the program exits)
with the ipv4 address it returns the correct 0 value.
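
The failure described above depends on which level and option setsockopt() is given for the socket's address family. The following is an added example, not FreeRADIUS code: pktinfo_enable() and try_family() are hypothetical names, and the helper picks the packet-info option from the socket's own family and fails explicitly when that family is not compiled in.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (added example, not FreeRADIUS code).
 * Returns 0 on success, -1 with errno set. */
int pktinfo_enable(int s)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    int level, flag, opt = 1;

    /* An unbound socket still reports its address family. */
    if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) return -1;

    switch (ss.ss_family) {
#ifdef IP_PKTINFO
    case AF_INET:
        level = IPPROTO_IP;
        flag = IP_PKTINFO;
        break;
#endif
#ifdef IPV6_RECVPKTINFO
    case AF_INET6:
        level = IPPROTO_IPV6;
        flag = IPV6_RECVPKTINFO;
        break;
#endif
    default:
        /* Family not compiled in or not handled: report it, do not guess. */
        errno = EAFNOSUPPORT;
        return -1;
    }
    /* setsockopt() takes the option's address and size. */
    return setsockopt(s, level, flag, &opt, sizeof(opt));
}

/* pktinfo_enable() on a fresh datagram socket; 1 if the host lacks the family. */
int try_family(int family)
{
    int s = socket(family, SOCK_DGRAM, 0), rc;
    if (s < 0) return 1;
    rc = pktinfo_enable(s);
    close(s);
    return rc;
}

int main(void)
{
    printf("inet=%d inet6=%d unix=%d\n", try_family(AF_INET), try_family(AF_INET6), try_family(AF_UNIX));
    return 0;
}
```

A build where the AF_INET6 case is compiled out takes the default branch for an IPv6 listener and returns -1, which matches the symptom reported in this thread.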
 
 

Error binding port to ipv6 address

2009-02-09 Thread D'AVELLA STEFANO

Hello,

I am new to Freeradius. I am running Freeradius 2.1.0 on Ubuntu 8.10,
built from source.
I have already read all the documentation I could find in the config
files and in the wiki.
 
The machine has two network interfaces, eth0 and eth1, the first
configured with ipv4 and the second with ipv6.
I am interested in using freeradius with ipv6 support so I would like to
test it using it only on eth1 interface.

The point of my testbed will be to define a new attribute and transfer
it to the client when it is authorized. 
But before doing it I am finding some problems in opening the ip6
socket in the server. 
In fact I configured users and clients.conf to allow my ip6 client to
connect to the server, and then in the radiusd.conf file I commented the
ip4 listening option and uncommented the ip6 one. (I also commented the
accounting listening part because I am not interested in it).

The problem is that when I run the server it exits saying (last lines):

 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 }
radiusd:  Opening IP addresses and Ports 
listen {
type = auth
ipv6addr = :: IPv6 address [::]
port = 0
/etc/freeradius/radiusd.conf[236]: Error binding to port for :: port
1812


I checked if the ip6 interface is properly configured, and it seems so
(I can ping other ip6 nodes, and also writing another little C program
to bind an ip6 socket works fine)
Changing port doesn't solve the issue.
Commenting or uncommenting the interface line in radiusd.conf doesn't
change anything.
Trying different types of ip6 addresses (::1, or manually assigned ones)
doesn't work either.

Obviously with ip4 I don't have any kind of problem.

I can't understand if it is a freeradius configuration problem or a system
configuration one.

Thank you for your help!

Regards,

-- 
Stefano D'Avella
 



RE: Error binding port to ipv6 address

2009-02-09 Thread D'AVELLA STEFANO
Be sure that no other freeradius is running and also that you have
enough rights to open such a port.


Look in your inet.d or similar to avoid that another service is run
instead of the planned freeradius.
 
Thanks for the quick answer. I have thought the same because also some
old mailing list post seemed to be related to this problem.
I checked this possible problem before posting, but as far as I can see
there is no other instance of freeradius running (ps -e | grep
freeradius returns empty), and nothing is listening on that port
(according to netstat). I also tried to change port several times but
it's not working
In /etc/services the port 1812 both tcp and udp are correctly assigned
to radius (in fact in the error message it correctly uses the port 1812).
 
Regards, 
 
-- 
Stefano D'Avella