Radius Client UDP port selection
Brian Candler
B.Candler at pobox.com
Sun Feb 6 12:17:40 CET 2011
On Sun, Feb 06, 2011 at 11:11:58AM +0000, Brian Candler wrote:
> 1. If pam_radius_client doesn't have the ability to bind to a particular
> port, then you can modify the source code to do so. The call you need is
> bind() after the socket has been created.
Ah, it turns out the code to do this is already there: (pam_radius_auth.c)
    /*
     *  Use our process ID as a local port for RADIUS.
     */
    local_port = (getpid() & 0x7fff) + 1024;
    do {
        local_port++;
        /* s_in is a struct sockaddr_in * aliasing salocal, the address passed to bind() */
        s_in->sin_port = htons(local_port);
    } while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) &&
             (local_port < 64000));

    if (local_port >= 64000) {
        close(conf->sockfd);
        _pam_log(LOG_ERR, "No open port we could bind to.");
        return PAM_AUTHINFO_UNAVAIL;
    }
As you can see, the initial local_port is currently chosen in the range 1024
to 33791 (1024+32767), essentially at random, and if that one is in use then
it keeps incrementing until it finds a free one under 64000.
Adjust to use whatever range you like.
> 2. I think you said before you only wanted to make sure that the port was
> >32768. So you can configure your OS so that *all* outbound connections bind
> to ports >32768.
Sorry, that won't work here, because the code is choosing its local port
explicitly.
Regards,
Brian.
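As an added illustration (not pam_radius code, and not part of the original mail), here is a stand-alone version of the same idea with the range made explicit: the starting port is derived from the PID but clamped into a configured [lo, hi] window, the bind() loop retries upward only on EADDRINUSE rather than on every error, and getsockname() is used to confirm which port the kernel actually assigned. Function names, the 40000-40999 range and the INADDR_ANY bind address are assumptions chosen for the example.

```c
/* Added example: bind a UDP socket to a local port chosen from an explicit
 * range, retrying upward while the port is busy. Not pam_radius's own code. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Map a seed such as the PID onto a starting port inside [lo, hi].
 * Unlike the "(pid & 0x7fff) + 1024" formula, the result can never land
 * outside the configured range. Returns -1 for a nonsensical range. */
int initial_port_in_range(unsigned seed, int lo, int hi)
{
    if (lo < 1 || hi > 65535 || lo > hi)
        return -1;
    return lo + (int)(seed % (unsigned)(hi - lo + 1));
}

/* Try to bind sockfd (an AF_INET UDP socket) to port start, start+1, ..., hi
 * on INADDR_ANY. Returns the port actually bound, or -1 when every port in
 * [start, hi] is in use or bind() fails for a reason other than EADDRINUSE
 * (e.g. EACCES on a privileged port), in which case retrying is pointless. */
int bind_udp_in_range(int sockfd, int start, int hi)
{
    struct sockaddr_in sin;
    int port;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);

    for (port = start; port <= hi; port++) {
        sin.sin_port = htons((uint16_t)port);
        if (bind(sockfd, (struct sockaddr *)&sin, sizeof sin) == 0)
            return port;                 /* success: this is our local port */
        if (errno != EADDRINUSE)
            return -1;                   /* permission or address problem: stop */
    }
    return -1;                           /* whole range busy */
}

/* Read back the port the kernel recorded for the socket; this is the only
 * reliable way to know the local port when the application did not pick it. */
int bound_port(int sockfd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;

    if (getsockname(sockfd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

int main(void)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    int start = initial_port_in_range((unsigned)getpid(), 40000, 40999);
    int port;

    if (s < 0 || start < 0) {
        perror("socket");
        return 1;
    }
    port = bind_udp_in_range(s, start, 40999);
    if (port < 0) {
        perror("bind");
        return 1;
    }
    printf("local UDP port %d (getsockname reports %d)\n", port, bound_port(s));
    close(s);
    return 0;
}
```

Running it twice concurrently (or binding two sockets in one process) shows the retry: the second socket cannot reuse the first one's port, so it moves up to the next free one in the window, and the function returns -1 rather than spinning forever once the window is exhausted.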