Where are these "Client-IP-Address = 127.0.0.1" messages coming from?

Thu Jan 12 20:44:45 CET 2006

Matthew Schumacher wrote:
> Lewis Bergman wrote:
> 
>>Matthew Schumacher wrote:
>>
>>
>>>I'm getting accounting messages like these that seem to be coming from
>>>the loopback interface, but `tcpdump -i lo` doesn't see them so they are
>>>not coming from a local client.  If they are not coming from a local
>>>client then how can I figure out where they are coming from?
>>>
>>>Thu Jan 12 07:19:58 2006
>>>        Acct-Status-Type = Stop
>>>        NAS-IP-Address = x.x.x.x      (legit nas IP)
>>>        Acct-Delay-Time = 0
>>>        User-Name = "user"
>>>        NAS-Port = 536936515
>>>        Acct-Session-Id = "0A000067"
>>>        Service-Type = Framed-User
>>>        Framed-Protocol = PPP
>>>        Framed-IP-Address = x.x.x.x    (legit Framed-IP-Address)
>>>        Acct-Session-Time = 0
>>>        Acct-Input-Octets = 0
>>>        Acct-Output-Octets = 0
>>>        Acct-Input-Packets = 0
>>>        Acct-Output-Packets = 0
>>>        Client-IP-Address = 127.0.0.1
>>>        Acct-Unique-Session-Id = "1cc41474b27ed376"
>>>        Timestamp = 1137082798
>>
>>These appear to be from the loopback of the NAS, not the radius server.
>>
> 
> 
> Thanks for your reply, however it doesn't make sense to me.  How can the
> Client-IP-Address be 127.0.0.1 if the radius server records the source
> address of the packet in the Client-IP-Address attribute?  If the packet
> came from the loopback of the nas then I would expect the NAS-IP-Address
> to be 127.0.0.1 but the Client-IP-Address to be where the packet was
> sourced from.
> 
> schu

Okay, I'm looking at the rlm_preprocess.c code and see where the
Client-IP-Address is set:

        /*
         *      Add in a Client-IP-Address, to tell the user
         *      the source IP of the request.  That is, the client,
         *
         *      Note that this MAY BE different from the NAS-IP-Address,
         *      especially if the request is being proxied.
         *
         *      Note also that this is a server configuration item,
         *      and will NOT make it to any packets being sent from
         *      the server.
         */
        nas = paircreate(PW_CLIENT_IP_ADDRESS, PW_TYPE_IPADDR);
        if (!nas) {
          radlog(L_ERR, "No memory");
          return -1;
        }
        nas->lvalue = request->packet->src_ipaddr;
        ip_hostname(nas->strvalue, sizeof(nas->strvalue), nas->lvalue);
        pairadd(&request->packet->vps, nas);
        return 0;

But it looks like it always comes from request->packet->src_ipaddr which
leads me to believe that I'm getting a packet sourced from 127.0.0.1
even though tcpdump doesn't see it.

I also noticed that the udpfromto source could generate packets from
127.0.0.1 but it was not compiled in, and even if it was I should see it
in tcpdump.

Any thoughts on this?  I need to get rid of these spurious accounting
messages.

Thanks,
schu