[NoCat] patch to accounting patch (stats.fw)
Alain Fauconnet
alain at ait.ac.th
Tue, 10 Feb 2004 16:10:33 +0700
Yeaaah! I've reached the Grail.
After days fighting with NoCat and the accounting patch, I've
eventually made it. It works and sends proper traffic accounting to my
Radius server.
Most of the errors were mine, especially:
- patching the nightly snapshot instead of pure 0.82
- patching the auth gateway as well (from the docs, it seems like a
bad thing to do -- see below for a question about this)
- various Radius misconfigurations
- many more...
However I've spotted a problem in the stats.fw script: when running
with IgnoreMAC = 1 (routing, not bridging gateway), stats.fw is
invoked by the accounting code with a single argument: the IP address
of the client. This caused it to fail.
I've come up with the following quick-and-dirty patch (attached),
which also changes the header comments according to _my_ understanding
of things (which may be close to reality or not!).
It made the trick for me, so I thought it might be useful to others...
I have some more questions here. Feel free to point me to the right
places if this has been asked before:
1) why does the accounting patch come with its own Authen::Radius?
can't it work with the CPAN module installed the usual way in Perl
dirs?
2) how stable are the changes to the auth gateway code? right now I'm
running pure 0.82 on the gateway, but some of the changes seem
interesting enough
3) could be related: RADIUS_TimeOut seems to be a mandatory parameter
in nocat.conf. If not set, a "Use of uninitialized value... blah"
error comes up. Just wondering, since the comments in nocat.conf say
that it's optional.
4) could as well: the format to specify Radius server(s) isn't
consistent between the gateway and the auth server with the patch
applied. The auth server doesn't seem to support the
'host:port*secret' format, whereas the gateway does. Auth server
seems to require a separate RADIUS_Secret setting (it uses the CPAN
Authen::Radius module)
Thanks for that wonderful piece of code and great patch ... I was
about to start an accounting system from scratch when I found it!
Greets,
_Alain_
--
Alain Fauconnet
IT Security Specialist & CISO -- ITServ
Asian Institute of Technology
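The single-argument case described above (IgnoreMAC = 1, so the accounting code passes only the client IP) is easy to get wrong when positional parameters are used directly. The following is an added example, not NoCat's stats.fw or part of the attached patch: a POSIX sh argument parser that accepts both forms, `<IP>` and `<MAC> <IP>`, validates each value before it reaches anything like an iptables/awk pipeline, and prints a normalized `MAC IP` line. The function names (`is_ipv4`, `is_mac`, `stats_args`) are hypothetical.

```shell
#!/bin/sh
# Added example (not NoCat code). Parse the two invocation forms of a
# stats helper, "<IP>" and "<MAC> <IP>", and reject malformed values so a
# bad string from the caller fails fast instead of being spliced,
# unquoted, into an awk -v assignment.

is_ipv4() {
    # Dotted quad, four octets, each 1-3 digits and <= 255.
    case "$1" in *[!0-9.]*|"") return 1 ;; esac
    n=0
    rest=$1.                       # trailing dot terminates the last octet
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}
        [ -n "$o" ] && [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

is_mac() {
    # Six colon-separated groups of exactly two hex digits.
    case "$1" in *[!0-9A-Fa-f:]*|"") return 1 ;; esac
    n=0
    rest=$1:
    while [ -n "$rest" ]; do
        g=${rest%%:*}; rest=${rest#*:}
        [ "${#g}" -eq 2 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 6 ]
}

stats_args() {
    # Usage: stats_args [<IP>|<MAC> <IP>]
    # Prints "MAC IP" (MAC empty when only an IP was given); returns 2 on error.
    if [ "$#" -eq 2 ]; then
        mac=$1; ip=$2
        is_mac "$mac" || { echo "stats_args: bad MAC address: $mac" >&2; return 2; }
    elif [ "$#" -eq 1 ]; then
        mac=; ip=$1
    else
        echo "usage: stats_args [<IP>|<MAC> <IP>]" >&2
        return 2
    fi
    is_ipv4 "$ip" || { echo "stats_args: bad IP address: $ip" >&2; return 2; }
    printf '%s %s\n' "$mac" "$ip"
    # A validated $ip can now be handed to awk with quoting intact, e.g.
    #   ... | awk -v IP="$ip" -- '$0 ~ IP { ... }'
}

# Stand-alone demo when run directly (hypothetical sample values).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    stats_args 10.0.0.5
    stats_args 00:11:22:aa:bb:cc 10.0.0.5
fi
```

The validation is deliberately done in plain sh without external tools, since stats.fw runs on the gateway for every accounting tick; the parser only decides whether a value is well-formed, and the caller still has to quote `"$ip"` when it builds the awk command.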
Attachment: stats.fw.patch
*** stats.fw.org Tue Feb 10 11:32:55 2004
--- stats.fw Tue Feb 10 16:09:38 2004
***************
*** 1,13 ****
#!/bin/sh
! # Specific
! # Must output in the following form:
! # <in octets> <out octets> ???<last packet time>
#
if [ "$1" != "" ]; then
{
! { iptables -L NoCat_Inbound -t filter -vnx --line-numbers;iptables -L NoCat -t mangle -vnx --line-numbers;} | awk -v IP=$2 -- '
{
if( /ACCEPT/)
{
--- 1,32 ----
#!/bin/sh
!
! #####################################################
! # stats.fw [<IP address>|<MAC address> <IP address>]
! #####################################################
! # If no argument, will return data for all active
! # sessions, one session per line.
! # If MAC address is omitted, first (and only) argument
! # is taken as IP address
!
! # This version is specific to iptables (Linux Netfilter)
!
! # Output is:
! # - if no argument specified:
! # <IP address> <in octets> <out octets> (for each address)
! # - if argument specified:
! # <in octets> <out octets>
#
if [ "$1" != "" ]; then
+ if [ "$2" != "" ]; then
+ MAC=$1
+ IP=$2
+ else
+ IP=$1
+ fi
{
! { iptables -L NoCat_Inbound -t filter -vnx --line-numbers;iptables -L NoCat -t mangle -vnx --line-numbers;} | awk -v IP=$IP -- '
{
if( /ACCEPT/)
{
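Review bot: the new argument handling (`if [ "$2" != "" ]; then MAC=$1; IP=$2 ... else IP=$1`) fixes the single-argument IgnoreMAC=1 case, but `IP=$IP` in `awk -v IP=$IP` is still unquoted and nothing checks that the value looks like an address before it is used as an awk match pattern; suggest `awk -v IP="$IP"` plus an explicit format check such as `case "$IP" in *[!0-9.]*|"") echo "bad IP: $IP" >&2; exit 1;; esac` so a malformed value from the accounting caller fails loudly instead of matching nothing or splitting into extra awk arguments. `MAC=$1` is assigned but not referenced anywhere in the visible lines, so either it is used further down the script or it can be dropped. The rewritten header comment also states the output is `<in octets> <out octets>` where the original had `???<last packet time>`; worth confirming the accounting code does not expect a third field before documenting the two-field form.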