[Chilli] [Layer3] Like uamallowed, but for source address - like macallowed but for IPs - ip source whitelist - server whitelist
Michele Bergonzoni
bergonz at labs.it
Wed Nov 27 18:07:35 UTC 2013
In a Layer3 environment where there are servers and "special" devices in
the same network as the guests, you might need to whitelist some source IPs.
I found no usable solution for this (an old thread in this list ends
with a cron job that uses chilli_query, something that is not quite
perfect), so I wrote the following. It defines a new configuration
parameter and command-line switch, ipsrcallowed, which you can control in
chilli/config with HS_IPSRCALLOWED, with the same syntax as uamallowed: a
comma-separated list of single IP addresses or IP prefixes (also domain
names, but that is neither intended to work nor tested and will probably break).
Clients with IPs in that list will not be redirected. Sessions will not
be created, so you will not see them in "chilli_query list".
This patch is relative to current SVN, with EDNS and previous patch applied.
My first try was with a layer3 version of macauth, to query a RADIUS
server with the IP address before redirecting, but it was too hard
(Coovachilli in my opinion would benefit from some refactoring). If
someone knows how to do that, please tell.
Regards,
Bergonz
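As an added illustration (not part of the post and not CoovaChilli code), the following stand-alone C program parses the ipsrcallowed syntax the post describes, a comma-separated list of IPv4 addresses or prefixes, and checks a packet's source address against it. The function and type names (ipsrc_list_load, ipsrc_match, ipsrc_match_str, struct ipsrc_list) are invented here; the patch's own garden_check and pass_throughs_from_string are not used. It also shows two behaviours the patch leaves implicit: hostnames are refused at load time instead of being resolved, and an empty list is detected through its entry count rather than through the address of the array.

```c
/* Added example: parser and matcher for an ipsrcallowed-style list.
 * NOT CoovaChilli code; all names below are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_IPSRC_ENTRIES 8  /* same small default as the non-LARGELIMITS case in the patch */

struct ipsrc_entry {
    uint32_t net;   /* network address, host byte order, already masked */
    uint32_t mask;  /* netmask, host byte order */
};

struct ipsrc_list {
    struct ipsrc_entry entries[MAX_IPSRC_ENTRIES];
    int count;      /* "is the list empty" must be decided on this, not on the array */
};

/* Parse "a.b.c.d" or "a.b.c.d/n". Returns 0 on success, -1 for anything that is
 * not a literal IPv4 address or prefix. Hostnames are refused: no DNS lookup. */
static int ipsrc_parse_entry(const char *s, struct ipsrc_entry *out) {
    char buf[32];
    char *slash;
    struct in_addr in;
    long plen = 32;

    if (strlen(s) >= sizeof(buf)) return -1;
    strcpy(buf, s);
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        if (slash[1] == '\0') return -1;
        plen = strtol(slash + 1, &end, 10);
        if (*end != '\0' || plen < 0 || plen > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &in) != 1) return -1;
    out->mask = (plen == 0) ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - plen));
    out->net = ntohl(in.s_addr) & out->mask;
    return 0;
}

/* Load a comma-separated list (what HS_IPSRCALLOWED becomes after the sed in
 * functions.in). Invalid or surplus entries are skipped and counted in *rejected.
 * Returns the number of entries loaded. */
int ipsrc_list_load(const char *csv, struct ipsrc_list *list, int *rejected) {
    char *copy = strdup(csv);
    char *tok, *save = NULL;

    list->count = 0;
    *rejected = 0;
    if (!copy) return 0;
    for (tok = strtok_r(copy, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        if (*tok == '\0') continue;  /* tolerate ",," */
        if (list->count >= MAX_IPSRC_ENTRIES ||
            ipsrc_parse_entry(tok, &list->entries[list->count]) != 0) {
            (*rejected)++;
            continue;
        }
        list->count++;
    }
    free(copy);
    return list->count;
}

/* 1 if src (host byte order) lies inside any loaded prefix, else 0.
 * An empty list matches nothing. */
int ipsrc_match(const struct ipsrc_list *list, uint32_t src) {
    int i;
    if (list->count <= 0) return 0;
    for (i = 0; i < list->count; i++)
        if ((src & list->entries[i].mask) == list->entries[i].net) return 1;
    return 0;
}

/* Same check on a dotted-quad string; -1 if the string is not an address. */
int ipsrc_match_str(const struct ipsrc_list *list, const char *dotted) {
    struct in_addr in;
    if (inet_pton(AF_INET, dotted, &in) != 1) return -1;
    return ipsrc_match(list, ntohl(in.s_addr));
}

int main(void) {
    /* constructed sample: two valid entries plus a hostname that must be refused */
    struct ipsrc_list list;
    int rejected;
    int n = ipsrc_list_load("10.0.0.5,10.0.1.0/24,printer.example.org", &list, &rejected);
    printf("loaded %d, rejected %d\n", n, rejected);
    printf("10.0.1.77 -> %d, 10.0.2.1 -> %d\n",
           ipsrc_match_str(&list, "10.0.1.77"), ipsrc_match_str(&list, "10.0.2.1"));
    return 0;
}
```

Whitelisting by source address is only as strong as the network's resistance to address spoofing; on a shared Layer3 segment any guest can claim a whitelisted IP, so entries should be limited to addresses the switch or upstream router already pins (static DHCP leases, port security, or uRPF) and the list kept short, which is why the example keeps the patch's small default limit.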
Index: conf/functions.in
===================================================================
--- conf/functions.in (revision 485)
+++ conf/functions.in (working copy)
@@ -179,6 +179,9 @@
HS_UAMALLOW=$(echo $HS_UAMALLOW|sed 's/ /,/g')
uamallow=${HS_UAMALLOW:+",$HS_UAMALLOW"}
+ HS_IPSRCALLOWED=$(echo $HS_IPSRCALLOWED|sed 's/ /,/g')
+ addconfig1 ${HS_IPSRCALLOWED:+"ipsrcallowed $HS_IPSRCALLOWED"}
+
addconfig1 ${HS_MAXCLIENTS:+"maxclients $HS_MAXCLIENTS"}
addconfig1 ${HS_RADIUSQSIZE:+"radiusqsize $HS_RADIUSQSIZE"}
addconfig1 ${HS_DHCPHASHSIZE:+"dhcphashsize $HS_DHCPHASHSIZE"}
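Review bot: HS_IPSRCALLOWED is wired into the generated config here but nothing in the patch documents the variable where the other HS_* settings are described; add an entry stating the accepted form (comma- or space-separated IPv4 addresses or prefixes, as for HS_UAMALLOW) and that hostnames are not supported, since the cover note says they will probably break. The `sed 's/ /,/g'` normalisation matches the HS_UAMALLOW line above, so the two variables stay consistent.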
Index: src/options.h
===================================================================
--- src/options.h (revision 485)
+++ src/options.h (working copy)
@@ -302,6 +302,11 @@
uint32_t regex_num_pass_throughs;
#endif
+#ifdef ENABLE_LAYER3
+ pass_through ipsrc_pass_throughs[MAX_IPSRC_PASS_THROUGHS];
+ uint32_t ipsrc_num_pass_throughs;
+#endif
+
char* uamdomains[MAX_UAM_DOMAINS];
int uamdomain_ttl;
Index: src/cmdline.ggo
===================================================================
--- src/cmdline.ggo (revision 485)
+++ src/cmdline.ggo (working copy)
@@ -266,6 +266,7 @@
option "uamdomainfile" - "Load uamdomains (regex) from file" string no
option "layer3" - "Layer3 only" flag off
+option "ipsrcallowed" - "List of allowed source IP addresses, for
Layer3" string no multiple
option "patricia" - "Use patricia tries for walled garden lookup" flag off
option "redirdnsreq" - "Send DNS query on redirect to pick of DNS
based walled garden" flag off
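Review bot: the help text "List of allowed source IP addresses, for Layer3" should spell out the syntax the option actually takes, a comma-separated list of IPv4 addresses or prefixes in the same form as uamallowed, and state that hostnames are not accepted, so users do not assume the DNS behaviour of uamallowed carries over. Since the option is declared `multiple`, the text could also say it may be repeated.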
Index: src/dhcp.c
===================================================================
--- src/dhcp.c (revision 485)
+++ src/dhcp.c (working copy)
@@ -2503,6 +2503,23 @@
found = 1;
#endif
+#ifdef ENABLE_LAYER3
+ if (!found && _options.ipsrc_pass_throughs){
+ if (garden_check(_options.ipsrc_pass_throughs,
+ &_options.ipsrc_num_pass_throughs, &pt,
+ ipph, !dst
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ )) {
+ found = 1;
+#if(_debug_ > 1)
+ log_dbg("Packet matches ipsrcallowed");
+#endif
+ }
+ }
+#endif
+
#ifdef ENABLE_GARDENACCOUNTING
if (_options.uamgardendata) {
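Review bot: `_options.ipsrc_pass_throughs` is declared as an array in options.h, so `if (!found && _options.ipsrc_pass_throughs)` is always true and never short-circuits the lookup when no addresses are configured (gcc also warns that the address of an array always evaluates as true); test `_options.ipsrc_num_pass_throughs > 0` instead. The `!dst` argument is the one thing that turns the destination-oriented garden check into a source whitelist and deserves a one-line comment saying so.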
Index: src/main-opt.c
===================================================================
--- src/main-opt.c (revision 485)
+++ src/main-opt.c (working copy)
@@ -724,6 +724,18 @@
#endif
);
}
+#ifdef ENABLE_LAYER3
+ for (numargs = 0; numargs < args_info.ipsrcallowed_given; ++numargs) {
+ pass_throughs_from_string(_options.ipsrc_pass_throughs,
+ MAX_IPSRC_PASS_THROUGHS,
+ &_options.ipsrc_num_pass_throughs,
+ args_info.ipsrcallowed_arg[numargs], 0, 0
+#ifdef HAVE_PATRICIA
+ , 0
+#endif
+ );
+ }
+#endif
_options.uamauthedallowed = args_info.uamauthedallowed_flag;
#ifdef ENABLE_AUTHEDALLOWED
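Review bot: this reuses pass_throughs_from_string, the uamallowed parser, while the cover note says hostnames "will probably break"; either reject entries that are not literal addresses or prefixes with a log message at load time, or document the limitation, so a mistyped entry does not silently become an unexpected whitelist. The trailing `0, 0` arguments are unexplained; a short comment naming what they select would help the next reader.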
Index: src/chilli_limits.h
===================================================================
--- src/chilli_limits.h (revision 485)
+++ src/chilli_limits.h (working copy)
@@ -134,4 +134,12 @@
#define RADIUS_QUEUE_PACKET_PTR 1
#endif
+#ifdef ENABLE_LAYER3
+#ifdef ENABLE_LARGELIMITS
+#define MAX_IPSRC_PASS_THROUGHS 512 /* Max number of
allowed IP source addresses, for Layer3 */
+#else
+#define MAX_IPSRC_PASS_THROUGHS 8 /* Max number of
allowed IP source addresses, for Layer3 */
#endif
+#endif
+
+#endif
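Review bot: the added `#ifdef ENABLE_LAYER3` / `#ifdef ENABLE_LARGELIMITS` pair is closed by the file's pre-existing `#endif` (the unchanged context line) followed by two new `#endif`s, so the original closing directive now terminates the new inner block and the file's own close moves to the last added line. The nesting balances, but the diff is hard to follow and fragile under later merges; put the whole new block, with its own two `#endif`s, before the existing `#endif` so that line stays untouched. The 512/8 split mirrors the other MAX_* limits, though 8 entries is small for a server whitelist on a Layer3 segment; a comment pointing at ENABLE_LARGELIMITS would save users a surprise.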