Matthew Schumacher wrote:
Lewis Bergman wrote:
Matthew Schumacher wrote:
I'm getting accounting messages like these that seem to be coming from the loopback interface, but `tcpdump -i lo` doesn't see them so they are not coming from a local client. If they are not coming from a local client then how can I figure out where they are coming from?
Thu Jan 12 07:19:58 2006 Acct-Status-Type = Stop NAS-IP-Address = x.x.x.x (legit nas IP) Acct-Delay-Time = 0 User-Name = "user" NAS-Port = 536936515 Acct-Session-Id = "0A000067" Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = x.x.x.x (legit Framed-IP-Address) Acct-Session-Time = 0 Acct-Input-Octets = 0 Acct-Output-Octets = 0 Acct-Input-Packets = 0 Acct-Output-Packets = 0 Client-IP-Address = 127.0.0.1 Acct-Unique-Session-Id = "1cc41474b27ed376" Timestamp = 1137082798
These appear to be from the loopback of the NAS, not the radius server.
Thanks for your reply, however it doesn't make sense to me. How can the Client-IP-Address be 127.0.0.1 if the radius server records the source address of the packet in the Client-IP-Address attribute? If the packet came from the loopback of the nas then I would expect the NAS-IP-Address to be 127.0.0.1 but the Client-IP-Address to be where the packet was sourced from.
schu
Okay, I'm looking at the rlm_preprocess.c code and see where the Client-IP-Address is set: /* * Add in a Client-IP-Address, to tell the user * the source IP of the request. That is, the client, * * Note that this MAY BE different from the NAS-IP-Address, * especially if the request is being proxied. * * Note also that this is a server configuration item, * and will NOT make it to any packets being sent from * the server. */ nas = paircreate(PW_CLIENT_IP_ADDRESS, PW_TYPE_IPADDR); if (!nas) { radlog(L_ERR, "No memory"); return -1; } nas->lvalue = request->packet->src_ipaddr; ip_hostname(nas->strvalue, sizeof(nas->strvalue), nas->lvalue); pairadd(&request->packet->vps, nas); return 0; But it looks like it always comes from request->packet->src_ipaddr which leads me to believe that I'm getting a packet sourced from 127.0.0.1 even though tcpdump doesn't see it. I also noticed that the udpfromto source could generate packets from 127.0.0.1 but it was not compiled in, and even if it was I should see it in tcpdump. Any thoughts on this? I need to get rid of these spurious accounting messages. Thanks, schu