vvfedorenko / lisg Goto Github PK
View Code? Open in Web Editor NEWThis project forked from leoelan/lisg
linux ISG
License: GNU General Public License v3.0
lisg's People
Contributors
Stargazers
Watchers
Forkers
pasha49lisg's Issues
Debian 11 не подключается к модулю
debian 11 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux5.10.179-1 (2023-05-12) x86_64 GNU/Linux
lsmod | grep ISG
ipt_ISG 28672 0
x_tables 53248 13 xt_conntrack,iptable_filter,xt_LOG,xt_state,ipt_NETFLOW,xt_nat,ipt_ISG,xt_set,ipt_REJECT,ip_tables,xt_limit,xt_connlimit,iptable_mangle
iptables v1.8.7 (legacy)
Модуль собрался - загрузился, но получаю такое
./ISG.pl
Incorrect packet length (196 bytes)
Recv from kernel: Interrupted system call
Unable to get sessions/services list: Interrupted system call
Add support for IPv4 network session
Describe the solution you'd like
Right now module can authorized and rate-limit only per IP-address session. Some clients want to use multiple IP addresses in one commit rate. For the first let's support networks as session identifier. (e.g. 10.10.10.0/28)
Ubuntu 20.04 LTS don not compiles
root@leo:/opt/lisg/kernel# ./configure
Kernel version: 5.4.0-42-generic
Iptables binary version: 1.8.4 (legacy) (detected from /usr/sbin/iptables)
Searching for iptables-1.8.4 (legacy) sources..
Found iptables sources at /usr
Iptables module path: /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug (from binary)
Creating Makefile.. done.
Now run: 'make' and (if everything is fine) 'make install'
root@leo:/opt/lisg/kernel# make && make install
echo "" > build.h
printf "/* Compilation date.\n * Written by Makefile (userspace) */\n#define _BUILD_DATE "%s %s"\n" date +'%F %T' > build.h
make -C /lib/modules/5.4.0-42-generic/build M=/opt/lisg/kernel modules
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-42-generic'
CC [M] /opt/lisg/kernel/isg_main.o
LD [M] /opt/lisg/kernel/ipt_ISG.o
Building modules, stage 2.
MODPOST 1 modules
CC [M] /opt/lisg/kernel/ipt_ISG.mod.o
LD [M] /opt/lisg/kernel/ipt_ISG.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-42-generic'
gcc -O2 -Wall -Wunused -I/include -DIPTABLES_VERSION="1.8.4 (legacy)" -fPIC -o libipt_ISG_sh.o -c libipt_isg.c
/bin/sh: 1: Syntax error: "(" unexpected
make: *** [Makefile:17: all] Error 2
root@leo:/opt/lisg/kernel# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
root@leo:/opt/lisg/kernel#
[Feature Request] Captive Portal
Hi!
I have a patch to web authorization (captive portal), but this patch not working on new versions, you can adapt this. Look here
--- sysoleg-lisg-1d05e525c870/ISG/bin/ISGd.pl 2014-03-23 18:18:29.000000000 +0600
+++ web_auth/ISG/bin/ISGd.pl 2015-12-29 22:28:35.000000000 +0500
@@ -58,9 +58,18 @@
my $sig = shift;
$dying = 1;
- do_log("info", "Got signal $sig. Terminating all childs and finishing.");
+ do_log("info", "Got signal $sig. Terminating all children and finishing.");
unlink($cfg{pid_file});
+ if ($cfg{web_auth_enable})
+ {
+ do_log("info", "Cleaning the web_auth ipset table");
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null` ;
+ }
+ do_log("info", "Sending all children the KILL signal");
+ kill('KILL' => keys %child); # Let the workers do the cleanup
+ sleep(1);
+ do_log("info", "Sending all children the TERM signal");
my $count = kill('TERM' => keys %child);
exit(0);
}
@@ -123,6 +132,7 @@
&daemonize() if ($cfg{daemonize});
+init_web_auth() if ($cfg{web_auth_enable});
$jobs{"ISG"} = \&job_isg;
$jobs{"CoA"} = \&job_coa;
$jobs{"TC_Refresh"} = \&job_reload_tc;
@@ -192,7 +202,7 @@
if ($ev->{'flags'} & ISG::IS_SERVICE && $ev->{'type'} == ISG::EVENT_SESS_START) {
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' started");
} elsif ($ev->{'type'} == ISG::EVENT_SESS_STOP) {
-
+ web_auth("del", $ipaddr);
if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
make_new_child($cfg{cb_on_session_stop}, { "ipaddr" => $ipaddr, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_stop});
do_log("info", "Session '$ipaddr' on 'Virtual" . $ev->{'port_number'} . "' finished");
@@ -200,6 +210,14 @@
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' finished");
}
}
+ if ($ev->{'type'} == ISG::EVENT_SESS_START)
+ {
+ if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
+ web_auth("del", $ipaddr);
+ } else {
+ web_auth("add", $ipaddr);
+ }
+ }
}
} else {
my $src_host = $rsk->peerhost();
@@ -337,7 +355,7 @@
if (isg_send_event($sk, $oev) < 0) {
do_log("err", "Error sending EVENT_SESS_APPROVE: $!");
}
-
+ web_auth("del",$exp_login);
make_new_child($cfg{cb_on_session_start}, { "ipaddr" => $exp_login, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_start});
do_log("info", "Session '$exp_login' on 'Virtual" . $exp_ev->{'port_number'} ."' accepted by '$src_host:$src_port'");
@@ -345,6 +363,7 @@
my $oev;
do_log("info", "Session '$exp_login' rejected by '$src_host:$src_port'");
+ web_auth("add",$exp_login);
$oev->{'type'} = ISG::EVENT_SESS_CHANGE;
$oev->{'port_number'} = $exp_ev->{'port_number'};
@@ -600,6 +619,10 @@
$out_err = "Session-Context-Not-Found";
} else {
$out_code = $ack_code;
+ if ($rp->code eq "Disconnect-Request")
+ {
+ web_auth("del","$ev->{'ipaddr'}");
+ }
}
send_rp:
@@ -1093,3 +1116,90 @@
$job->(defined($par) ? $par : 0);
exit;
}
+
+sub web_auth {
+ my ($act, $local_ip) = @_;
+
+ return if ($act ne "add" && $act ne "del");
+
+ if ($cfg{web_auth_enable})
+ {
+ `ipset $act $cfg{web_auth_ipset_name} $local_ip 2>/dev/null`;
+ if ($act eq "add")
+ {
+ do_log("info", "Adding $local_ip to web auth list");
+ }
+ else
+ {
+ do_log("info", "Removing $local_ip from web auth list");
+ }
+ }
+}
+
+sub init_web_auth {
+ `ipset create $cfg{web_auth_ipset_name} hash:ip`;
+ reload_web_auth();
+}
+
+sub reload_web_auth {
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null`;
+ my $sk = prepare_netlink_socket();
+ if ($sk < 0) {
+ do_log("err", "Unable to open netlink socket: $!");
+ exit(1);
+ }
+ my $data;
+ my %ev;
+ $ev->{'type'} = ISG::EVENT_SESS_GETLIST;
+
+ if (isg_send_event($sk, $ev) < 0) {
+ do_log("err", "Unable to get sessions list: $!");
+ return;
+ }
+
+ my $tot_msg_sz = ISG::NL_HDR_LEN + ISG::IN_EVENT_MSG_LEN;
+ my $stop = 0;
+ while (!$stop) {
+ if (!(my $read_b = netlink_read($sk, \$data, 16384, 10))) {
+ do_log("err", "Recv from kernel: $!");
+ last;
+ } else {
+ if ($read_b < $tot_msg_sz) {
+ do_log("err", "Packet too small ($read_b bytes)");
+ next;
+ }
+ if ($read_b % $tot_msg_sz) {
+ do_log("err", "Incorrect packet length ($read_b bytes)");
+ next;
+ }
+ my $pkts_cnt = $read_b / $tot_msg_sz;
+
+ for (my $i = 0; $i < $pkts_cnt; $i++) {
+ my $offset = $i * $tot_msg_sz;
+
+ $ev = isg_parse_event(substr($data, $offset, $tot_msg_sz));
+
+ if ($ev->{'type'} == ISG::EVENT_SESS_INFO) {
+ if ($ev->{'flags'})
+ {
+ if (!($ev->{'flags'} & ISG::IS_SERVICE) &&
+ !($ev->{'flags'} & ISG::IS_APPROVED_SESSION))
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}));
+ }
+ }
+ else
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}))
+ if (ISG::long2ip($ev->{'ipaddr'}) ne '0.0.0.0')
+ }
+ }
+
+ if ($ev->{'nlhdr_type'} == ISG::NLMSG_DONE) {
+ $stop = 1;
+ last;
+ }
+ }
+ }
+ }
+}
[Feature Request] Authorize by Framed-IP-Address
Hi!
We are using Linux ISG from sysoleg.
We are using NETMAP rules for Full Cone NAT (NAT 1:1) - based on authorization packets in ISG and if RADIUS Attribute has != 0.0.0.0
$cfg{cb_on_session_start} = sub {
my $pars = shift;
my $ipaddr = $pars->{"ipaddr"};
my $nat_ipaddr = $pars->{"nat_ipaddr"};
if ($nat_ipaddr != '0.0.0.0'){
iptables -t nat -A binat_dst -d $nat_ipaddr/32 -j NETMAP --to $ipaddr;
iptables -t nat -A binat_src -s $ipaddr/32 -j NETMAP --to $nat_ipaddr;
ipset add smtp_pass $ipaddr -exist;
}
do_log("info", "Adding $ipaddr to ipset table fwd_allow\n");
ipset add fwd_allow $ipaddr -exist;
};
So, subscriber address has 192.168.0.1 address and NAT IP-address 167.80.45.50
In this case local subscriber can initiate session from LAN (by User-Name = 192.168.0.1), but session not will be authorized if other public service send a request to NAT IP-address 167.80.45.50 (because its not authorize packet by NAT IP-address(Framed-IP-Address)).
How can we add to Linux ISG authorization by Framed-IP-Address?
[Feature Request] nftables module
Hi!
Is there any plans to adopt this to nftables new linux firewall stack?
Add support for IPv6 sessions
Is your feature request related to a problem? Please describe.
The module does not support IPv6, but this is good point of grow.
Describe the solution you'd like
The best solution would be to have dual-stack shaper to limit user speed in both address family at the same time.
Describe alternatives you've considered
There is no alternatives except specialized hardware BRAS.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.