vvfedorenko / lisg Goto Github PK
View Code? Open in Web Editor NEWThis project forked from leoelan/lisg
linux ISG
License: GNU General Public License v3.0
This project forked from leoelan/lisg
linux ISG
License: GNU General Public License v3.0
debian 11 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux5.10.179-1 (2023-05-12) x86_64 GNU/Linux
lsmod | grep ISG
ipt_ISG 28672 0
x_tables 53248 13 xt_conntrack,iptable_filter,xt_LOG,xt_state,ipt_NETFLOW,xt_nat,ipt_ISG,xt_set,ipt_REJECT,ip_tables,xt_limit,xt_connlimit,iptable_mangle
iptables v1.8.7 (legacy)
Модуль собрался - загрузился, но получаю такое
./ISG.pl
Incorrect packet length (196 bytes)
Recv from kernel: Interrupted system call
Unable to get sessions/services list: Interrupted system call
Describe the solution you'd like
Right now module can authorized and rate-limit only per IP-address session. Some clients want to use multiple IP addresses in one commit rate. For the first let's support networks as session identifier. (e.g. 10.10.10.0/28)
root@leo:/opt/lisg/kernel# ./configure
Kernel version: 5.4.0-42-generic
Iptables binary version: 1.8.4 (legacy) (detected from /usr/sbin/iptables)
Searching for iptables-1.8.4 (legacy) sources..
Found iptables sources at /usr
Iptables module path: /usr/lib/debug/.dwz/x86_64-linux-gnu/iptables.debug (from binary)
Creating Makefile.. done.
Now run: 'make' and (if everything is fine) 'make install'
root@leo:/opt/lisg/kernel# make && make install
echo "" > build.h
printf "/* Compilation date.\n * Written by Makefile (userspace) */\n#define _BUILD_DATE "%s %s"\n" date +'%F %T'
> build.h
make -C /lib/modules/5.4.0-42-generic/build M=/opt/lisg/kernel modules
make[1]: Entering directory '/usr/src/linux-headers-5.4.0-42-generic'
CC [M] /opt/lisg/kernel/isg_main.o
LD [M] /opt/lisg/kernel/ipt_ISG.o
Building modules, stage 2.
MODPOST 1 modules
CC [M] /opt/lisg/kernel/ipt_ISG.mod.o
LD [M] /opt/lisg/kernel/ipt_ISG.ko
make[1]: Leaving directory '/usr/src/linux-headers-5.4.0-42-generic'
gcc -O2 -Wall -Wunused -I/include -DIPTABLES_VERSION="1.8.4 (legacy)" -fPIC -o libipt_ISG_sh.o -c libipt_isg.c
/bin/sh: 1: Syntax error: "(" unexpected
make: *** [Makefile:17: all] Error 2
root@leo:/opt/lisg/kernel# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
root@leo:/opt/lisg/kernel#
Hi!
I have a patch to web authorization (captive portal), but this patch not working on new versions, you can adapt this. Look here
--- sysoleg-lisg-1d05e525c870/ISG/bin/ISGd.pl 2014-03-23 18:18:29.000000000 +0600
+++ web_auth/ISG/bin/ISGd.pl 2015-12-29 22:28:35.000000000 +0500
@@ -58,9 +58,18 @@
my $sig = shift;
$dying = 1;
- do_log("info", "Got signal $sig. Terminating all childs and finishing.");
+ do_log("info", "Got signal $sig. Terminating all children and finishing.");
unlink($cfg{pid_file});
+ if ($cfg{web_auth_enable})
+ {
+ do_log("info", "Cleaning the web_auth ipset table");
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null` ;
+ }
+ do_log("info", "Sending all children the KILL signal");
+ kill('KILL' => keys %child); # Let the workers do the cleanup
+ sleep(1);
+ do_log("info", "Sending all children the TERM signal");
my $count = kill('TERM' => keys %child);
exit(0);
}
@@ -123,6 +132,7 @@
&daemonize() if ($cfg{daemonize});
+init_web_auth() if ($cfg{web_auth_enable});
$jobs{"ISG"} = \&job_isg;
$jobs{"CoA"} = \&job_coa;
$jobs{"TC_Refresh"} = \&job_reload_tc;
@@ -192,7 +202,7 @@
if ($ev->{'flags'} & ISG::IS_SERVICE && $ev->{'type'} == ISG::EVENT_SESS_START) {
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' started");
} elsif ($ev->{'type'} == ISG::EVENT_SESS_STOP) {
-
+ web_auth("del", $ipaddr);
if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
make_new_child($cfg{cb_on_session_stop}, { "ipaddr" => $ipaddr, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_stop});
do_log("info", "Session '$ipaddr' on 'Virtual" . $ev->{'port_number'} . "' finished");
@@ -200,6 +210,14 @@
do_log("info", "Service '" . $ev->{'service_name'} . "' for '$ipaddr' finished");
}
}
+ if ($ev->{'type'} == ISG::EVENT_SESS_START)
+ {
+ if ($ev->{'flags'} & ISG::IS_APPROVED_SESSION) {
+ web_auth("del", $ipaddr);
+ } else {
+ web_auth("add", $ipaddr);
+ }
+ }
}
} else {
my $src_host = $rsk->peerhost();
@@ -337,7 +355,7 @@
if (isg_send_event($sk, $oev) < 0) {
do_log("err", "Error sending EVENT_SESS_APPROVE: $!");
}
-
+ web_auth("del",$exp_login);
make_new_child($cfg{cb_on_session_start}, { "ipaddr" => $exp_login, "nat_ipaddr" => $nat_ipaddr }) if defined($cfg{cb_on_session_start});
do_log("info", "Session '$exp_login' on 'Virtual" . $exp_ev->{'port_number'} ."' accepted by '$src_host:$src_port'");
@@ -345,6 +363,7 @@
my $oev;
do_log("info", "Session '$exp_login' rejected by '$src_host:$src_port'");
+ web_auth("add",$exp_login);
$oev->{'type'} = ISG::EVENT_SESS_CHANGE;
$oev->{'port_number'} = $exp_ev->{'port_number'};
@@ -600,6 +619,10 @@
$out_err = "Session-Context-Not-Found";
} else {
$out_code = $ack_code;
+ if ($rp->code eq "Disconnect-Request")
+ {
+ web_auth("del","$ev->{'ipaddr'}");
+ }
}
send_rp:
@@ -1093,3 +1116,90 @@
$job->(defined($par) ? $par : 0);
exit;
}
+
+sub web_auth {
+ my ($act, $local_ip) = @_;
+
+ return if ($act ne "add" && $act ne "del");
+
+ if ($cfg{web_auth_enable})
+ {
+ `ipset $act $cfg{web_auth_ipset_name} $local_ip 2>/dev/null`;
+ if ($act eq "add")
+ {
+ do_log("info", "Adding $local_ip to web auth list");
+ }
+ else
+ {
+ do_log("info", "Removing $local_ip from web auth list");
+ }
+ }
+}
+
+sub init_web_auth {
+ `ipset create $cfg{web_auth_ipset_name} hash:ip`;
+ reload_web_auth();
+}
+
+sub reload_web_auth {
+ `ipset flush $cfg{web_auth_ipset_name} 2>/dev/null`;
+ my $sk = prepare_netlink_socket();
+ if ($sk < 0) {
+ do_log("err", "Unable to open netlink socket: $!");
+ exit(1);
+ }
+ my $data;
+ my %ev;
+ $ev->{'type'} = ISG::EVENT_SESS_GETLIST;
+
+ if (isg_send_event($sk, $ev) < 0) {
+ do_log("err", "Unable to get sessions list: $!");
+ return;
+ }
+
+ my $tot_msg_sz = ISG::NL_HDR_LEN + ISG::IN_EVENT_MSG_LEN;
+ my $stop = 0;
+ while (!$stop) {
+ if (!(my $read_b = netlink_read($sk, \$data, 16384, 10))) {
+ do_log("err", "Recv from kernel: $!");
+ last;
+ } else {
+ if ($read_b < $tot_msg_sz) {
+ do_log("err", "Packet too small ($read_b bytes)");
+ next;
+ }
+ if ($read_b % $tot_msg_sz) {
+ do_log("err", "Incorrect packet length ($read_b bytes)");
+ next;
+ }
+ my $pkts_cnt = $read_b / $tot_msg_sz;
+
+ for (my $i = 0; $i < $pkts_cnt; $i++) {
+ my $offset = $i * $tot_msg_sz;
+
+ $ev = isg_parse_event(substr($data, $offset, $tot_msg_sz));
+
+ if ($ev->{'type'} == ISG::EVENT_SESS_INFO) {
+ if ($ev->{'flags'})
+ {
+ if (!($ev->{'flags'} & ISG::IS_SERVICE) &&
+ !($ev->{'flags'} & ISG::IS_APPROVED_SESSION))
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}));
+ }
+ }
+ else
+ {
+ web_auth("add",ISG::long2ip($ev->{'ipaddr'}))
+ if (ISG::long2ip($ev->{'ipaddr'}) ne '0.0.0.0')
+ }
+ }
+
+ if ($ev->{'nlhdr_type'} == ISG::NLMSG_DONE) {
+ $stop = 1;
+ last;
+ }
+ }
+ }
+ }
+}
Hi!
We are using Linux ISG from sysoleg.
We are using NETMAP rules for Full Cone NAT (NAT 1:1) - based on authorization packets in ISG and if RADIUS Attribute has != 0.0.0.0
$cfg{cb_on_session_start} = sub {
my $pars = shift;
my $ipaddr = $pars->{"ipaddr"};
my $nat_ipaddr = $pars->{"nat_ipaddr"};
if ($nat_ipaddr != '0.0.0.0'){
iptables -t nat -A binat_dst -d $nat_ipaddr/32 -j NETMAP --to $ipaddr
;
iptables -t nat -A binat_src -s $ipaddr/32 -j NETMAP --to $nat_ipaddr
;
ipset add smtp_pass $ipaddr -exist
;
}
do_log("info", "Adding $ipaddr to ipset table fwd_allow\n");
ipset add fwd_allow $ipaddr -exist
;
};
So, subscriber address has 192.168.0.1 address and NAT IP-address 167.80.45.50
In this case local subscriber can initiate session from LAN (by User-Name = 192.168.0.1), but session not will be authorized if other public service send a request to NAT IP-address 167.80.45.50 (because its not authorize packet by NAT IP-address(Framed-IP-Address)).
How can we add to Linux ISG authorization by Framed-IP-Address?
Hi!
Is there any plans to adopt this to nftables new linux firewall stack?
Is your feature request related to a problem? Please describe.
The module does not support IPv6, but this is good point of grow.
Describe the solution you'd like
The best solution would be to have dual-stack shaper to limit user speed in both address family at the same time.
Describe alternatives you've considered
There is no alternatives except specialized hardware BRAS.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.