We want to proxy RADIUS requests based on what phone number the
user called. The CALLED_STATION_REALM_HACK does that. The Cistron server
running as a proxy ONLY proxies, and we want to assign static IPs to some
users, and the allowed proxy attributes were interfering with that. That's
why I did the DANGEROUS_TRANSPARENT_PROXY thing.
If you could look these over and tell me whether I've done this
totally wrong, I'd appreciate it. I made these hacks late at night, and I
can't say I've looked over the whole of the code in any way. I'm afraid I
might be leaking memory or doing some other rude thing, but it's been
running for a while now without trouble. Thanks.
If I'm feeling really ambitious I might make these things user
configurable instead of compiled right into the program. An 'allowall'
option in the realms file could do the DANGEROUS_TRANSPARENT_PROXY thing,
but I don't know the "right" way to support CALLED_STATION_REALM_HACK.
Thanks for your time, and thanks for the server!
*** proxy.c.dist Sun Aug 1 11:28:14 1999
--- proxy.c Sun Aug 1 02:16:00 1999
***************
*** 266,271 ****
--- 266,286 ----
namepair->strvalue[sizeof(namepair->strvalue) - 1] = 0;
}
+ /* If we got a Called-Station-Id, we're going to stick that
+ on the end of the user name as if it's a realm. That way
+ we can do different things with different users based on
+ which number they called. */
+ #ifdef CALLED_STATION_REALM_HACK
+ if ((vp = pairfind(authreq->request, PW_CALLED_STATION_ID))
+ && sizeof(namepair->strvalue) > strlen(namepair->strvalue)
+ + strlen(vp->strvalue) + 1) {
+ strcat(namepair->strvalue, "@");
+ strcat(namepair->strvalue, vp->strvalue);
+ namepair->length = strlen(namepair->strvalue);
+ log(L_PROXY, "Added realm %s: %s", vp->strvalue, namepair->strvalue);
+ }
+ #endif
+
/*
* Now check if we know this realm!
* A NULL realm is OK.
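Review bot: the realm suffix is built from Called-Station-Id, an attribute the NAS supplies, so the realm lookup that follows ("Now check if we know this realm!") is now driven by whatever the NAS puts in that attribute, and a User-Name that already carries an `@realm` ends up with two `@` signs; consider checking for an existing `@` before the `strcat(namepair->strvalue, "@");` and documenting which realm wins. When the length check fails, the request silently continues with the unsuffixed name and falls through to whatever realm that matches, which is hard to spot in the logs; add a `log(L_PROXY, ...)` on that branch as well. The bounds arithmetic itself is right: `strlen(namepair->strvalue) + strlen(vp->strvalue) + 1` leaves exactly enough room for the `@` and the terminating NUL.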
***************
*** 648,653 ****
--- 663,669 ----
vp->length = strlen(vp->strvalue);
#endif
+ #ifndef DANGEROUS_TRANSPARENT_PROXY
/*
* Only allow some attributes to be propagated from
* the remote server back to the NAS, for security.
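Review bot: the `#ifndef DANGEROUS_TRANSPARENT_PROXY` opened here compiles out the whole attribute filter that the comment just below describes as being there "for security", so with the macro defined every attribute the remote server returns reaches the NAS unfiltered. Since the stated goal is only static IP assignment, a narrower change is to add the attribute that was being dropped (e.g. Framed-IP-Address) to the `allowed[]` list that the `for(i = 0; allowed[i]; i++)` loop walks, leaving the filter in place for everything else. If the macro stays, extend this comment to say that the filter is disabled entirely under DANGEROUS_TRANSPARENT_PROXY.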
***************
*** 656,667 ****
for(i = 0; allowed[i]; i++)
pairmove2(&allowed_pairs, &(authreq->request), allowed[i]);
pairfree(authreq->request);
!
/*
* Now rebuild the AUTHREQ struct, so that the
* normal functions can process it.
*/
oldreq->server_reply = allowed_pairs;
oldreq->server_code = authreq->code;
oldreq->validated = 1;
memcpy(authreq->data, oldreq->data, oldreq->data_len);
--- 672,687 ----
for(i = 0; allowed[i]; i++)
pairmove2(&allowed_pairs, &(authreq->request), allowed[i]);
pairfree(authreq->request);
! #endif
/*
* Now rebuild the AUTHREQ struct, so that the
* normal functions can process it.
*/
+ #ifdef DANGEROUS_TRANSPARENT_PROXY
+ oldreq->server_reply = authreq->request;
+ #else
oldreq->server_reply = allowed_pairs;
+ #endif
oldreq->server_code = authreq->code;
oldreq->validated = 1;
memcpy(authreq->data, oldreq->data, oldreq->data_len);
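Review bot: under `#ifdef DANGEROUS_TRANSPARENT_PROXY` the pair list is handed over with `oldreq->server_reply = authreq->request;` but `authreq->request` is left pointing at the same list, whereas in the other branch that list is consumed here by `pairfree(authreq->request)`; if `authreq` is later released together with its request list, the pairs now owned by `oldreq` are freed twice, and if it is not, the transfer works but only by accident. Set `authreq->request = NULL;` immediately after the assignment so the ownership transfer is explicit either way. With the macro defined, `allowed_pairs` (and the loop counter `i`) are also likely left unused in this function and will draw compiler warnings; wrap their declarations in the same `#ifndef`.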
--
Kyle Hasselbacher Dumber than advertised!
kyle@toehold.com