[Chilli] [Layer3] Like uamallowed, but for source address - like macallowed but for IPs - ip source whitelist - server whitelist

David Bird david at coova.com
Thu Nov 28 18:00:52 UTC 2013


Thanks! 

Could you resubmit your patches as attachments and "sign off" on them
based on acknowledging:
http://dev.coova.org/svn/coova-chilli/Contributing ?

That would be appreciated. 

Doing an "ipauth" similar to macauth shouldn't be too hard, but you'd
want to maintain a session for the device so that accounting would
follow the auth. 

Thanks!
David



On Wed, 2013-11-27 at 19:07 +0100, Michele Bergonzoni wrote:
> In a Layer3 environment where there are servers and "special" devices in 
> the same network as the guests, you might need to whitelist some source IPs.
> 
> I found no usable solution for this (an old thread in this list ends 
> with a cron job that uses chilli_query, something that is not quite 
> perfect), so I wrote the following. It defines a new configuration 
> parameter and command-line switch ipsrcallowed, that you can control in 
> chilli/config with HS_IPSRCALLOWED, with the same syntax as uamallowed: 
> comma-separated list of single IP addresses or IP prefixes (also domain 
> names, but that is not intended to work, is untested, and will probably break).
> 
> Clients with IPs in that list will not be redirected. Sessions will not 
> be created, so you will not see them in "chilli_query list".
> 
> This patch is relative to current SVN, with EDNS and previous patch applied.
> 
> My first try was with a layer3 version of macauth, to query a RADIUS 
> server with the IP address before redirecting, but it was too hard 
> (Coovachilli in my opinion would benefit from some refactoring). If 
> someone knows how to do that, please tell.
> 
> Regards,
> 				Bergonz
> 
> Index: conf/functions.in
> ===================================================================
> --- conf/functions.in   (revision 485)
> +++ conf/functions.in   (working copy)
> @@ -179,6 +179,9 @@
>       HS_UAMALLOW=$(echo $HS_UAMALLOW|sed 's/ /,/g')
>       uamallow=${HS_UAMALLOW:+",$HS_UAMALLOW"}
> 
> +    HS_IPSRCALLOWED=$(echo $HS_IPSRCALLOWED|sed 's/ /,/g')
> +    addconfig1 ${HS_IPSRCALLOWED:+"ipsrcallowed $HS_IPSRCALLOWED"}
> +
>       addconfig1 ${HS_MAXCLIENTS:+"maxclients $HS_MAXCLIENTS"}
>       addconfig1 ${HS_RADIUSQSIZE:+"radiusqsize $HS_RADIUSQSIZE"}
>       addconfig1 ${HS_DHCPHASHSIZE:+"dhcphashsize $HS_DHCPHASHSIZE"}
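Review bot: nothing in this patch documents HS_IPSRCALLOWED where HS_UAMALLOW is documented (no hunk touches the defaults file or any doc), so operators will not find the knob; add an entry next to HS_UAMALLOW that gives the comma-separated IP/prefix syntax and says that matched hosts are passed through without a session. On the added lines themselves, `echo $HS_IPSRCALLOWED` is unquoted, so a value containing shell glob characters is expanded before `sed` sees it (the HS_UAMALLOW line above has the same flaw, but new code should use `echo "$HS_IPSRCALLOWED"`), and the `sed 's/ /,/g'` collapses a space-separated value into one `ipsrcallowed a,b,c` config line, which only works because the cmdline.ggo option is `multiple` and the value is split on commas downstream; a one-line comment saying so would help the next person.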
> Index: src/options.h
> ===================================================================
> --- src/options.h       (revision 485)
> +++ src/options.h       (working copy)
> @@ -302,6 +302,11 @@
>     uint32_t regex_num_pass_throughs;
>   #endif
> 
> +#ifdef ENABLE_LAYER3
> +  pass_through ipsrc_pass_throughs[MAX_IPSRC_PASS_THROUGHS];
> +  uint32_t ipsrc_num_pass_throughs;
> +#endif
> +
>     char* uamdomains[MAX_UAM_DOMAINS];
>     int uamdomain_ttl;
> 
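Review bot: the two new fields reuse the `pass_through` type of the destination-matched walled-garden lists above them but are matched against the opposite address (the dhcp.c hunk passes `!dst`), so a comment on `ipsrc_pass_throughs` saying it is matched on the client side of the packet, not the destination, would stop the next reader from treating it as just another garden list. Guarding the block with `ENABLE_LAYER3` is consistent with the other hunks; as with any addition to `struct options`, anything compiled against the old layout must be rebuilt.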
> Index: src/cmdline.ggo
> ===================================================================
> --- src/cmdline.ggo     (revision 485)
> +++ src/cmdline.ggo     (working copy)
> @@ -266,6 +266,7 @@
>   option "uamdomainfile" - "Load uamdomains (regex) from file" string no
> 
>   option "layer3" - "Layer3 only" flag off
> +option "ipsrcallowed"  - "List of allowed source IP addresses, for 
> Layer3" string no multiple
>   option "patricia" - "Use patricia tries for walled garden lookup" flag off
>   option "redirdnsreq" - "Send DNS query on redirect to pick of DNS 
> based walled garden" flag off
> 
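Review bot: the added `option` line is wrapped by the mail client after "for", so gengetopt will choke on the orphaned second fragment if the patch is applied as pasted; resending as an attachment fixes that. The help string should also say what a match does and on which address, for instance "Comma-separated source IPs/prefixes that bypass the portal without a session (Layer3)", because "allowed" on its own reads like the destination-oriented uamallowed and this string is what `--help` prints. Note too that the option is declared unconditionally here while everything that consumes it sits under `#ifdef ENABLE_LAYER3`, so a build without layer3 accepts `--ipsrcallowed` and silently ignores it; either guard the declaration the same way or say so in the help text.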
> Index: src/dhcp.c
> ===================================================================
> --- src/dhcp.c  (revision 485)
> +++ src/dhcp.c  (working copy)
> @@ -2503,6 +2503,23 @@
>       found = 1;
>   #endif
> 
> +#ifdef ENABLE_LAYER3
> +  if (!found && _options.ipsrc_pass_throughs){
> +    if (garden_check(_options.ipsrc_pass_throughs,
> +                       &_options.ipsrc_num_pass_throughs, &pt,
> +                       ipph, !dst
> +#ifdef HAVE_PATRICIA
> +                       , 0
> +#endif
> +                       )) {
> +      found = 1;
> +#if(_debug_ > 1)
> +      log_dbg("Packet matches ipsrcallowed");
> +#endif
> +    }
> +  }
> +#endif
> +
>   #ifdef ENABLE_GARDENACCOUNTING
>     if (_options.uamgardendata) {
> 
> 
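Review bot: `if (!found && _options.ipsrc_pass_throughs)` tests the address of an embedded array (see the options.h hunk), which is never null, so the guard is a no-op and `garden_check()` walks the list for every packet even when nothing is configured; the intended condition is `_options.ipsrc_num_pass_throughs`. Passing `!dst` is the right way to match the client's own address in both directions (source on the way out, destination on the way back), but the commit message should spell out the consequence: this is a bare address match with no session and no MAC binding, so any host on the segment that sends from a whitelisted address gets the same bypass, and because `found` is set before the `ENABLE_GARDENACCOUNTING` block, whitelisted traffic falls into the `uamgardendata` handling below like any other pass-through match, which is worth confirming is what you want.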
> Index: src/main-opt.c
> ===================================================================
> --- src/main-opt.c      (revision 485)
> +++ src/main-opt.c      (working copy)
> @@ -724,6 +724,18 @@
>   #endif
>         );
>     }
> +#ifdef ENABLE_LAYER3
> +  for (numargs = 0; numargs < args_info.ipsrcallowed_given; ++numargs) {
> +    pass_throughs_from_string(_options.ipsrc_pass_throughs,
> +                             MAX_IPSRC_PASS_THROUGHS,
> +                             &_options.ipsrc_num_pass_throughs,
> +                             args_info.ipsrcallowed_arg[numargs], 0, 0
> +#ifdef HAVE_PATRICIA
> +                             , 0
> +#endif
> +      );
> +  }
> +#endif
> 
>     _options.uamauthedallowed = args_info.uamauthedallowed_flag;
>   #ifdef ENABLE_AUTHEDALLOWED
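Review bot: this calls `pass_throughs_from_string()` exactly as uamallowed does, so a hostname in the list is handled however that function handles uamallowed hostnames rather than being rejected, which is at odds with the cover letter's "not intended to work"; either reject anything that is not an IP or prefix before the call, or document the behaviour in the help text. Both here and in the dhcp.c hunk a literal `0` is passed for the patricia tree under `HAVE_PATRICIA`, so `--patricia` has no effect on this list while it does on uamallowed; acceptable for a first cut, but say so in a comment. Finally, the loop appends through `&_options.ipsrc_num_pass_throughs` without resetting it, so confirm the count is zero before this point.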
> Index: src/chilli_limits.h
> ===================================================================
> --- src/chilli_limits.h (revision 485)
> +++ src/chilli_limits.h (working copy)
> @@ -134,4 +134,12 @@
>   #define RADIUS_QUEUE_PACKET_PTR 1
>   #endif
> 
> +#ifdef ENABLE_LAYER3
> +#ifdef ENABLE_LARGELIMITS
> +#define MAX_IPSRC_PASS_THROUGHS               512 /* Max number of 
> allowed IP source addresses, for Layer3 */
> +#else
> +#define MAX_IPSRC_PASS_THROUGHS               8 /* Max number of 
> allowed IP source addresses, for Layer3 */
>   #endif
> +#endif
> +
> +#endif
> 
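Review bot: both `#define` lines are wrapped mid-comment by the mail client, so this hunk will not apply as pasted. The nesting is correct but hard to read: the file's existing final `#endif` is reused as the close of the new `#ifdef ENABLE_LARGELIMITS`, and what that line used to close is now closed by the second added `#endif`; inserting the whole block, with both of its own `#endif`s, above the existing final `#endif` leaves that line untouched and makes the diff self-evident. Also, 8 entries is a small default for "servers and special devices" on a shared segment; check what `pass_throughs_from_string()` does when the list exceeds `MAX_IPSRC_PASS_THROUGHS` (truncate, error, or overrun) and state the limit in the option's help text.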
> _______________________________________________
> Chilli mailing list
> Chilli at coova.org
> http://lists.coova.org/cgi-bin/mailman/listinfo/chilli
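The whitelist described in the quoted message (a comma-separated list of single IPs or prefixes, matched against the client's own address so that matching hosts are never redirected and get no session) as a stand-alone C model. This is an added example, not CoovaChilli code and not the patch above: `ipsrc_parse`, `ipsrc_allowed`, `ipsrc_check`, the table size of 8 and the sample addresses are assumptions of the example. It departs from the patch in two deliberate ways: a hostname is a parse error rather than something to resolve, and a list that does not fit the table is refused rather than truncated.

```c
/* Added example, not CoovaChilli code and not the quoted patch: a stand-alone
 * model of a source-IP whitelist with uamallowed-style syntax ("a.b.c.d" or
 * "a.b.c.d/len", comma-separated). Matching is by address only, no session. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 8   /* assumed table size, like the patch's non-LARGELIMITS default */

struct ipsrc_entry { uint32_t host, mask; };   /* host byte order, host already masked */
struct ipsrc_list  { struct ipsrc_entry e[MAX_ENTRIES]; unsigned n; };

/* Dotted quad -> host-order integer. Hostnames and shorthand like "10.1" are
 * rejected, not resolved: a bypass rule that depends on DNS is a config error. */
static int parse_ipv4(const char *s, uint32_t *out) {
    uint32_t v = 0;
    int i;
    for (i = 0; i < 4; i++) {
        char *end; long octet;
        if (*s < '0' || *s > '9') return -1;
        octet = strtol(s, &end, 10);
        if (octet > 255) return -1;
        v = (v << 8) | (uint32_t)octet;
        s = end;
        if (i < 3 && *s++ != '.') return -1;
    }
    if (*s != '\0') return -1;
    *out = v;
    return 0;
}

/* One "a.b.c.d" or "a.b.c.d/len" token. 0 on success, -1 on bad input. */
static int parse_entry(const char *tok, struct ipsrc_entry *out) {
    char buf[64], *slash, *end;
    uint32_t addr; long len = 32;
    if (strlen(tok) >= sizeof buf) return -1;
    strcpy(buf, tok);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash++ = '\0';
        len = strtol(slash, &end, 10);
        if (end == slash || *end != '\0' || len < 0 || len > 32) return -1;
    }
    if (parse_ipv4(buf, &addr) < 0) return -1;
    out->mask = (len == 0) ? 0 : 0xffffffffu << (32 - len);  /* a shift by 32 would be UB */
    out->host = addr & out->mask;
    return 0;
}

/* Load a comma-separated list (blanks around entries tolerated). Returns the entry
 * count, or -1 on the first bad token or a full table: refused, never truncated. */
int ipsrc_parse(struct ipsrc_list *l, const char *list) {
    const char *p = list;
    l->n = 0;
    while (*p) {
        const char *comma = strchr(p, ',');
        const char *end = comma ? comma : p + strlen(p);
        const char *next = comma ? comma + 1 : end;
        char tok[64]; size_t len;
        while (p < end && (*p == ' ' || *p == '\t')) p++;
        while (end > p && (end[-1] == ' ' || end[-1] == '\t')) end--;
        len = (size_t)(end - p);
        if (len >= sizeof tok) return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (len > 0) {
            if (l->n >= MAX_ENTRIES || parse_entry(tok, &l->e[l->n]) < 0) return -1;
            l->n++;
        }
        p = next;
    }
    return (int)l->n;
}

/* Direction-aware check, the role of `!dst` in the dhcp.c hunk: on a packet the
 * client sends (to_network = 1) the client is the source, on a reply it is the
 * destination. Returns 1 to bypass the portal, 0 for normal handling. */
int ipsrc_allowed(const struct ipsrc_list *l, const char *src, const char *dst,
                  int to_network) {
    uint32_t s, d, a; unsigned i;
    if (parse_ipv4(src, &s) < 0 || parse_ipv4(dst, &d) < 0) return 0;
    a = to_network ? s : d;
    for (i = 0; i < l->n; i++)
        if ((a & l->e[i].mask) == l->e[i].host) return 1;
    return 0;
}

/* Load `list` and check one packet in one call; -1 if the list is bad. */
int ipsrc_check(const char *list, const char *src, const char *dst, int to_network) {
    struct ipsrc_list l;
    if (ipsrc_parse(&l, list) < 0) return -1;
    return ipsrc_allowed(&l, src, dst, to_network);
}

int main(void) {
    const char *list = "192.0.2.10, 10.0.0.0/8, 198.51.100.0/24";  /* constructed sample */
    printf("printer -> anywhere: %d\n", ipsrc_check(list, "192.0.2.10", "203.0.113.5", 1));
    printf("guest -> printer:    %d\n", ipsrc_check(list, "203.0.113.5", "192.0.2.10", 1));
    printf("hostname in list:    %d\n", ipsrc_check("printer.example", "192.0.2.10", "203.0.113.5", 1));
    return 0;
}
```

`to_network` stands in for the `!dst` argument the patch passes to `garden_check()`: the client is the source of packets it sends and the destination of replies, so the same table serves both directions. The "guest -> printer" line in `main` is the point to keep in mind when documenting such a list: the decision is taken on an address, not on a session, so whatever sends from a whitelisted address is passed through, while a guest merely talking to a whitelisted host is not.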



