From: "Bjoern A. Zeeb"
Date: Wed, 19 Sep 2007 21:05:38 +0000 (UTC)
To: Scott Lambert
Cc: freebsd-jail@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: Problems with FreeRADIUS in a jail
Message-ID: <20070919202625.Y58095@maildrop.int.zabbadoz.net>
In-Reply-To: <20070918192933.GC71361@sysmon.tcworks.net>

On Tue, 18 Sep 2007, Scott Lambert wrote:

Hi,

> I've been trying to get FreeRADIUS 2.0 working inside a FreeBSD
> 6.2-STABLE jail.
>
> The work I've been doing with Alan DeKok of FreeRADIUS starts with
> this message:
>
> https://lists.freeradius.org/pipermail/freeradius-users/2007-September/065883.html
>
> Here is the thread index:
>
> https://lists.freeradius.org/pipermail/freeradius-users/2007-September/thread.html#65883
>
> I am way out of my depth at this point. I thought I had the problem
> found yesterday in FreeRADIUS but Alan says what I did to "fix" it
> shouldn't work at all.

If you mean the == INADDR_ANY => != change, Alan should be right from
the code you pasted into the mails.

> He seems to think it is a jail problem.

I haven't read their code but from what I got in the thread it sounds
like they seem to be overly clever doing assumptions that are just wrong
(no matter if it's a jail or not).

So it seems:

C: bind(INADDR_ANY)
C: getsockname returns an address inside the jail
C: packet gets out to dstaddr
S: the packet gets processed
S: a reply is sent to the IP address from the dstaddr (as used by the
   client) and it should always be that way (no matter if the C: is in
   jail or not)
C: packet is received
C: IP address is checked, and whatever it would be checked against
   should match - in case they have the IP address it would match, in
   case they bound to inaddr_any all addresses should match.

They might have problems matching up their internal state or
overwriting something somewhere.

I would assume what could happen is that bind to INADDR_ANY,
getsockname returns != INADDR_ANY thus inaddr_any = 0; on recv. they
fill in the match from the Client = * definition which would be
INADDR_ANY but inaddr_any is set to 0 and thus the check on the IP
address does not match because they would need both INADDR_ANY and
inaddr_any = 1 for that (for whatever reason they need to duplicate
that information).

But that's just a wild guess...

-- 
Bjoern A. Zeeb                              bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
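The "wild guess" above, written out as an added example (this is not Bjoern's code and not FreeRADIUS's): `derive_inaddr_any`, `flawed_match` and `robust_match` are hypothetical names, and the jail IP used in the test is a constructed value. It models a listener that derives a duplicated `inaddr_any` flag from what `getsockname()` reports after `bind(INADDR_ANY)`, which is why a `Client = *` definition stops matching inside a jail, and contrasts it with a check that treats a wildcard definition as matching every local address. The `main` does the real `bind()` + `getsockname()` probe so you can compare the reported address jailed and unjailed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* The duplicated "inaddr_any" flag hypothesised in the mail, derived from what
 * getsockname() reports after bind(INADDR_ANY): 0.0.0.0 unjailed (flag 1),
 * the jail IP inside a FreeBSD jail (flag 0). */
int derive_inaddr_any(struct in_addr reported)
{
    return reported.s_addr == htonl(INADDR_ANY);
}

/* Flawed check as hypothesised: a "Client = *" (INADDR_ANY) definition needs
 * both INADDR_ANY and the flag, so inside a jail nothing matches. */
bool flawed_match(int inaddr_any, struct in_addr client_def, struct in_addr pkt_dst)
{
    if (client_def.s_addr == htonl(INADDR_ANY))
        return inaddr_any != 0;
    return client_def.s_addr == pkt_dst.s_addr;
}

/* Robust check: a wildcard definition matches every local address, so what
 * the jail makes getsockname() report no longer matters. */
bool robust_match(struct in_addr client_def, struct in_addr pkt_dst)
{
    return client_def.s_addr == htonl(INADDR_ANY) ||
           client_def.s_addr == pkt_dst.s_addr;
}

/* Real bind(INADDR_ANY) + getsockname() on this host: prints 0.0.0.0 when
 * unjailed, the jail IP inside a FreeBSD jail. */
int main(void)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 1;
    printf("getsockname after bind(INADDR_ANY): %s\n", inet_ntoa(sa.sin_addr));
    return close(fd);
}
```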