Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2

Scott Lambert lambert at lambertfam.org
Thu Sep 13 00:42:51 CEST 2007


On Mon, Sep 03, 2007 at 10:52:27AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > I decided to simplify and try just using radclient from the new server
> > and leaving the FreeRADIUS daemon out of it.  That also gets replies but
> > radclient throws them out because it doesn't think it sent the request.
> 
>   Ok.  Both the server and radclient now use the same code to match
> replies to requests, so it's expected that they will have the same issues.
> 
> > I suspect that the jail has a lot to do with the problem.
> 
>   Try running a test system outside of the jail.  If that works, then
> the problem will at least be narrowed down to the jail.
> 
> > tcpdump of the request:
> ...
> 
>   That looks OK.
> 
>   Another option is to instrument src/lib/packet.c, function
> lrad_packet_cmp().  Have it print out WHAT it's comparing, and WHEN it's
> returning.  You'll get a lot of spurious output, but you'll also find
> out why the reply isn't being matched to a request.

I've been instrumenting the heck out of anything I thought might be
useful.  My coding skills are very rusty, but here's what I've come up
with.  

src/lib/packet.c:lrad_packet_cmp() likes the response packet.  
src/lib/packet.c:lrad_packet_find_by_reply() seems to be failing.

radclient appears to be using 0.0.0.0 as the source IP address.  
lrad_packet_cmp appears to be seeing the source IP address as 69.153.112.27.  

I haven't figured out how to instrument lrad_hash_table_finddata and the
stuff chained from there in a meaningful way.  I'm getting lost in the
execution path.

Based on the above, I changed the listen stanza in radius.conf 
-       ipaddr = *
+       ipaddr = 69.153.112.27
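
Review bot: the `+ ipaddr = 69.153.112.27` line hard-codes the same address that the lrad_packet_cmp output further down reports as the request source inside the jail, so it works around the wildcard mismatch for the server's listen socket only. radclient, which the post says still uses 0.0.0.0, is unaffected. A comment beside the setting noting that it is a jail workaround would help keep it from being reverted to `*` later.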

This permits the server to successfully proxy requests to other servers.

I don't see a way to get radclient to use a specific source IP address.

$ ( echo "User-Name = \"testuser1\""; echo "User-Password = \"shhhhh!\""; echo "NAS-IP-Address = 69.153.112.27"; echo "NAS-Port = 1645"; echo "Framed-Protocol = PPP") | ./radclient -r 2 -x 216.61.218.2:1645 auth radius_secret
Sending Access-Request of id 233 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=233, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134591488
lrad_packet_list_find_byreply: ps->inaddr_any false, reply->dst_ipaddr.ipaddr.ip4addr = 0 

# the above is the false path of the if statement based on ps->inaddr_any.

lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112      reply->src_port = 1645
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 0
radclient: received response to request we did not send. (id=233 socket 3)
Sending Access-Request of id 233 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=233, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134591488
lrad_packet_list_find_byreply: ps->inaddr_any false, reply->dst_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112      reply->src_port = 1645
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 0
radclient: received response to request we did not send. (id=233 socket 3)
lrad_packet_cmp: a->sockfd=3    b->sockfd=3
lrad_packet_cmp: a->id=233      b->id=233
lrad_packet_cmp: a->src_port=62844      b->src_port=62844
lrad_packet_cmp: a->dst_port=1645       b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2        b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2     b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112  b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2      b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2        b->src_ipaddr=460364101
lrad_packet_cmp: a->src_ipaddr.af=2     b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=460364101 b->src_ipaddr.ipaddr.ip4addr=460364101
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=69.153.112.27     b->src_ipaddr.ipaddr.ip4addr=69.153.112.27
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_cmp: a->sockfd=3    b->sockfd=3
lrad_packet_cmp: a->id=233      b->id=233
lrad_packet_cmp: a->src_port=62844      b->src_port=62844
lrad_packet_cmp: a->dst_port=1645       b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2        b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2     b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112  b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2      b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2        b->src_ipaddr=460364101
lrad_packet_cmp: a->src_ipaddr.af=2     b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=460364101 b->src_ipaddr.ipaddr.ip4addr=460364101
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=69.153.112.27     b->src_ipaddr.ipaddr.ip4addr=69.153.112.27
lrad_packet_cmp: lrad_ipaddr_cmp = 0
radclient: no response from server for ID 233 socket 3

=================================================================
Outside the jail on the same hardware/freeradius binaries, this is what
the radclient output looks like:

$  ( echo "User-Name = \"testuser1\""; echo "User-Password = \"shhhhh!\""; echo "NAS-IP-Address = 69.153.112.27"; echo "NAS-Port = 16"; echo "Framed-Protocol = PPP") | ./radclient -r 2 -x 216.61.218.2:1645 auth radius_secret 
Sending Access-Request of id 39 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 16
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=39, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134593536
lrad_packet_list_find_byreply: ps->inaddr_any true, ps->ipaddr = 2

# the above is the true path of the if statement based on ps->inaddr_any.

lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112      reply->src_port = 1645
lrad_packet_cmp: a->sockfd=3    b->sockfd=3
lrad_packet_cmp: a->id=39       b->id=39
lrad_packet_cmp: a->src_port=63507      b->src_port=63507
lrad_packet_cmp: a->dst_port=1645       b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2        b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2     b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112  b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2      b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2        b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2     b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0   b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 134571284
lrad_packet_cmp: a->sockfd=3    b->sockfd=3
lrad_packet_cmp: a->id=39       b->id=39
lrad_packet_cmp: a->src_port=63507      b->src_port=63507
lrad_packet_cmp: a->dst_port=1645       b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2        b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2     b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112  b->dst_ipaddr.ipaddr.ip4addr=47857112 
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2      b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2        b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2     b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0   b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_cmp: a->sockfd=3    b->sockfd=3
lrad_packet_cmp: a->id=39       b->id=39
lrad_packet_cmp: a->src_port=63507      b->src_port=63507
lrad_packet_cmp: a->dst_port=1645       b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2        b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2     b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112  b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2      b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2        b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2     b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0   b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
        Service-Type = Framed-User
	...

Do I need to take this to the FreeBSD folks, or is this fixable in
FreeRADIUS?

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
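
The mismatch the log above shows, as an added example that is not part of the original post and is not FreeRADIUS source: a simplified model of matching a reply to its outstanding request. The types, `find_by_reply`, `match_case` and the `use_local_ip` fallback are hypothetical; the addresses, ports and id come from the log, and the model assumes the socket's local address is recorded as 69.153.112.27 inside the jail and 0.0.0.0 outside.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model; not FreeRADIUS source. IPv4 only. */
typedef struct { int sockfd, id; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; } pkt_t;
typedef struct { int sockfd; uint32_t local_ip; int inaddr_any; } sock_t;

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

static int pkt_same(const pkt_t *a, const pkt_t *b) {
    return a->sockfd == b->sockfd && a->id == b->id &&
           a->src_ip == b->src_ip && a->src_port == b->src_port &&
           a->dst_ip == b->dst_ip && a->dst_port == b->dst_port;
}

/* Rebuild the key the request was stored under, then search the list.
 * use_local_ip = 0 follows the logged path: a socket not flagged as
 * wildcard takes the source from reply->dst_ip, which the log shows as 0.
 * use_local_ip = 1 (assumed remedy) falls back to the socket's own address. */
const pkt_t *find_by_reply(const pkt_t *reqs, size_t n, const sock_t *ps,
                           const pkt_t *reply, int use_local_ip) {
    /* Swap directions: the reply's source is the request's destination. */
    pkt_t key = { reply->sockfd, reply->id, 0, reply->src_ip,
                  reply->dst_port, reply->src_port };
    if (ps->inaddr_any) key.src_ip = 0;
    else if (reply->dst_ip == 0 && use_local_ip) key.src_ip = ps->local_ip;
    else key.src_ip = reply->dst_ip;
    for (size_t i = 0; i < n; i++)
        if (pkt_same(&reqs[i], &key)) return &reqs[i];
    return NULL;
}

/* Sample packets constructed from the log values; returns 1 on a match. */
int match_case(int in_jail, int use_local_ip) {
    uint32_t local = in_jail ? IP(69,153,112,27) : 0;
    sock_t ps = { 3, local, local == 0 };
    pkt_t req = { 3, 233, local, IP(216,61,218,2), 62844, 1645 };
    pkt_t reply = { 3, 233, IP(216,61,218,2), 0, 1645, 62844 };
    return find_by_reply(&req, 1, &ps, &reply, use_local_ip) != NULL;
}

int main(void) {
    printf("outside jail:                  %d\n", match_case(0, 0));
    printf("inside jail, as logged:        %d\n", match_case(1, 0));
    printf("inside jail, local-ip fallback: %d\n", match_case(1, 1));
    return 0;
}
```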



