Possible FreeBSD Jail problem, or other bug in/with FreeRADIUS 2.0.0-pre2
Alan DeKok
aland at deployingradius.com
Tue Sep 18 09:54:33 CEST 2007
Scott Lambert wrote:
> lrad_packet_list_socket_add() is called with a pointer to the radius
> request packet list structure and the socket file descriptor of the
> socket which has been created with the call to socket() and bound to an
> IP and port by bind() during the prior call to lrad_socket(). Is that
> correct?
Yes. In the jail, it asks to bind to 0.0.0.0, but the socket
*actually* binds to the jail IP. This is why the "inaddr_any" check
doesn't match.
> So, should we be looking for != in the above if() from
> lrad_packet_list_socket_add()?
... no. The issue is that when udpfromto is used, we have:
  a) socket binds to 0.0.0.0 (really, outside of the jail)
  b) the server doesn't know which IP is used to send a packet
  c) the server DOES know which IP the response is sent to
Since the "received" IP doesn't match the "source" IP, there's a
little bit of tweaking that has to be done to match the response to an
outstanding request. That's what that check is for.
> I flipped that to a != comparison and it seems to work inside or outside
> the jail with or without specifying the "Packet_Src-IP-Address".
I have no idea why that would work...
> Problem solved? Or, is this going to break other things?
It should really break things...
> ===================================
> jail with Packet-Src-IP-Address:
But that tells the server which IP to use for the source IP, so the
whole "inaddr_any" checks don't apply.
Alan DeKok.
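
Added example (not part of the original message and not FreeRADIUS code): a small C model of the behaviour discussed in this thread, showing how to read back the address a socket really bound to and why a wildcard socket needs a relaxed reply match. The names struct pkt, bound_addr, is_wildcard and reply_matches are hypothetical, and judging "wildcard" from the bound address is an assumption about how the inaddr_any check behaves.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Simplified addressing record; illustrative, not a FreeRADIUS type. */
struct pkt { in_addr_t src, dst; uint16_t sport, dport; };

/* Bind a UDP socket to `want` and report the address the kernel really
 * assigned. Per the thread, in a jail INADDR_ANY comes back as the jail IP. */
int bound_addr(in_addr_t want, in_addr_t *got)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    int rc, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = want;          /* port 0: kernel picks one */
    rc = bind(fd, (struct sockaddr *)&sa, sizeof(sa));
    if (rc == 0) rc = getsockname(fd, (struct sockaddr *)&sa, &len);
    if (rc == 0) *got = sa.sin_addr.s_addr;
    close(fd);
    return rc;
}

/* Assumed model of the check: "wildcard" is judged from the bound address. */
int is_wildcard(in_addr_t actual) { return actual == htonl(INADDR_ANY); }

/* Match a reply to an outstanding request. On a wildcard socket the request's
 * source IP is unknown, so the reply's destination IP is not compared with it. */
int reply_matches(const struct pkt *req, const struct pkt *rep, int wildcard)
{
    if (rep->src != req->dst || rep->sport != req->dport) return 0;
    if (rep->dport != req->sport) return 0;
    return wildcard || rep->dst == req->src;
}

int main(void)
{
    struct in_addr a;
    if (bound_addr(htonl(INADDR_ANY), &a.s_addr) != 0) return 1;
    printf("asked 0.0.0.0, bound %s, wildcard=%d\n",
           inet_ntoa(a), is_wildcard(a.s_addr));
    return 0;
}
```

Run inside and outside the jail, the program shows whether the socket reports 0.0.0.0 or a specific address, which is the input the wildcard decision depends on.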