-* Wed Apr 5 2006 Brendan O'Dea <bod@optus.net> 2.1.17
+* Thu Apr 13 2006 Brendan O'Dea <bod@optus.net> 2.1.17
- Fix IPCP length test to allow Terminate-Request (4 bytes).
- Send nsctl responses back using the correct source address (thanks ltd).
- Similarly set the source for DAE responses; use bind_address when
handling forwarded packets on the master.
+- Add Acct-Terminate-Cause to RADIUS stop records.
* Thu Feb 23 2006 Brendan O'Dea <bod@optus.net> 2.1.16
- Send configured magic-no in LCP EchoReq when LCP is opened.
// Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
// vim: sw=8 ts=8
-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.159 2006/04/05 02:13:48 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.160 2006/04/13 11:14:35 bodea Exp $";
#include <arpa/inet.h>
#include <assert.h>
}
// start tidy shutdown of session
-void sessionshutdown(sessionidt s, char *reason, int result, int error)
+void sessionshutdown(sessionidt s, char const *reason, int cdn_result, int cdn_error, int term_cause)
{
int walled_garden = session[s].walled_garden;
{
// stop, if not already trying
if (radius[r].state != RADIUSSTOP)
+ {
+ radius[r].term_cause = term_cause;
+ radius[r].term_msg = reason;
radiussend(r, RADIUSSTOP);
+ }
}
else
LOG(1, s, session[s].tunnel, "No free RADIUS sessions for Stop message\n");
if (session[s].throttle_in || session[s].throttle_out) // Unthrottle if throttled.
throttle_session(s, 0, 0);
- if (result)
+ if (cdn_result)
{ // Send CDN
controlt *c = controlnew(14); // sending CDN
- if (error)
+ if (cdn_error)
{
uint8_t buf[4];
- *(uint16_t *) buf = htons(result);
- *(uint16_t *) (buf+2) = htons(error);
+ *(uint16_t *) buf = htons(cdn_result);
+ *(uint16_t *) (buf+2) = htons(cdn_error);
controlb(c, 1, buf, 4, 1);
}
else
- control16(c, 1, result, 1);
+ control16(c, 1, cdn_result, 1);
control16(c, 14, s, 1); // assigned session (our end)
controladd(c, session[s].far, session[s].tunnel); // send the message
}
session[s].die = TIME;
- sessionshutdown(s, reason, 3, 0); // close radius/routes, etc.
+ sessionshutdown(s, reason, CDN_ADMIN_DISC, TERM_ADMIN_RESET); // close radius/routes, etc.
if (sess_local[s].radius)
radiusclear(sess_local[s].radius, s); // cant send clean accounting data, session is killed
// close session
for (s = 1; s <= config->cluster_highest_sessionid ; ++s)
if (session[s].tunnel == t)
- sessionshutdown(s, reason, 0, 0);
+ sessionshutdown(s, reason, CDN_NONE, TERM_ADMIN_RESET);
tunnel[t].state = TUNNELDIE;
tunnel[t].die = TIME + 700; // Clean up in 70 seconds
int error = 0;
char *msg = 0;
+ // default disconnect cause/message on receipt
+ // of CDN (set to more specific value from
+ // attribute 46 if present below).
+ int disc_cause = TERM_NAS_REQUEST;
+ char const *disc_reason = "Closed (Received CDN).";
+
// process AVPs
while (l && !(fatal & 0x80)) // 0x80 = mandatory AVP
{
uint8_t *b = p;
uint8_t flags = *p;
uint16_t mtype;
+
if (n > l)
{
LOG(1, s, t, "Invalid length in AVP\n");
}
break;
case 3: // framing capabilities
-// LOG(4, s, t, "Framing capabilities\n");
break;
case 4: // bearer capabilities
-// LOG(4, s, t, "Bearer capabilities\n");
break;
case 5: // tie breaker
// We never open tunnels, so we don't care about tie breakers
-// LOG(4, s, t, "Tie breaker\n");
continue;
case 6: // firmware revision
-// LOG(4, s, t, "Firmware revision\n");
break;
case 7: // host name
memset(tunnel[t].hostname, 0, sizeof(tunnel[t].hostname));
memcpy(session[s].random_vector, b, n);
session[s].random_vector_length = n;
break;
+ case 46: // ppp disconnect cause
+ if (n >= 5)
+ {
+ uint16_t code = ntohs(*(uint16_t *) b);
+ uint16_t proto = ntohs(*(uint16_t *) (b + 2));
+ uint8_t dir = *(b + 4);
+
+ LOG(4, s, t, " PPP disconnect cause "
+ "(code=%u, proto=%04X, dir=%u, msg=\"%.*s\")\n",
+ code, proto, dir, n - 5, b + 5);
+
+ switch (code)
+ {
+ case 1: // admin disconnect
+ disc_cause = TERM_ADMIN_RESET;
+ disc_reason = "Administrative disconnect";
+ break;
+ case 3: // lcp terminate
+ if (dir != 1) break; // 1=peer, 2=local
+ disc_cause = TERM_USER_REQUEST;
+ disc_reason = "Normal disconnection";
+ break;
+ case 4: // compulsory encryption unavailable
+ if (dir != 2) break; // 1=refused by peer, 2=local
+ disc_cause = TERM_USER_ERROR;
+ disc_reason = "Compulsory encryption refused";
+ break;
+ case 5: // lcp: fsm timeout
+ disc_cause = TERM_PORT_ERROR;
+ disc_reason = "LCP: FSM timeout";
+ break;
+ case 6: // lcp: no recognisable lcp packets received
+ disc_cause = TERM_PORT_ERROR;
+ disc_reason = "LCP: no recognisable LCP packets";
+ break;
+ case 7: // lcp: magic-no error (possibly looped back)
+ disc_cause = TERM_PORT_ERROR;
+ disc_reason = "LCP: magic-no error (possible loop)";
+ break;
+ case 8: // lcp: echo request timeout
+ disc_cause = TERM_PORT_ERROR;
+ disc_reason = "LCP: echo request timeout";
+ break;
+ case 13: // auth: fsm timeout
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = "Authentication: FSM timeout";
+ break;
+ case 15: // auth: unacceptable auth protocol
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = "Unacceptable authentication protocol";
+ break;
+ case 16: // auth: authentication failed
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = "Authentication failed";
+ break;
+ case 17: // ncp: fsm timeout
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = "NCP: FSM timeout";
+ break;
+ case 18: // ncp: no ncps available
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = "NCP: no NCPs available";
+ break;
+ case 19: // ncp: failure to converge on acceptable address
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = (dir == 1)
+ ? "NCP: too many Configure-Naks received from peer"
+ : "NCP: too many Configure-Naks sent to peer";
+ break;
+ case 20: // ncp: user not permitted to use any address
+ disc_cause = TERM_SERVICE_UNAVAILABLE;
+ disc_reason = (dir == 1)
+ ? "NCP: local link address not acceptable to peer"
+ : "NCP: remote link address not acceptable";
+ break;
+ }
+ }
+ break;
default:
{
static char e[] = "unknown AVP 0xXXXX";
case 14: // CDN
controlnull(t); // ack
- sessionshutdown(s, "Closed (Received CDN).", 0, 0);
+ sessionshutdown(s, disc_reason, CDN_NONE, disc_cause);
break;
case 0xFFFF:
LOG(1, s, t, "Missing message type\n");
}
else
{
- sessionshutdown(s, "No response to LCP ConfigReq.", 3, 0);
+ sessionshutdown(s, "No response to LCP ConfigReq.", CDN_ADMIN_DISC, TERM_LOST_SERVICE);
STAT(session_timeout);
}
}
else
{
- sessionshutdown(s, "No response to IPCP ConfigReq.", 3, 0);
+ sessionshutdown(s, "No response to IPCP ConfigReq.", CDN_ADMIN_DISC, TERM_LOST_SERVICE);
STAT(session_timeout);
}
// Drop sessions who have not responded within IDLE_TIMEOUT seconds
if (session[s].last_packet && (time_now - session[s].last_packet >= IDLE_TIMEOUT))
{
- sessionshutdown(s, "No response to LCP ECHO requests.", 3, 0);
+ sessionshutdown(s, "No response to LCP ECHO requests.", CDN_ADMIN_DISC, TERM_LOST_SERVICE);
STAT(session_timeout);
s_actions++;
continue;
if (a & CLI_SESS_KILL)
{
LOG(2, s, session[s].tunnel, "Dropping session by CLI\n");
- sessionshutdown(s, "Requested by administrator.", 3, 0);
+ sessionshutdown(s, "Requested by administrator.", CDN_ADMIN_DISC, TERM_ADMIN_RESET);
a = 0; // dead, no need to check for other actions
s_actions++;
}
if (!session[s].ip)
{
LOG(0, s, t, " No IP allocated. The IP address pool is FULL!\n");
- sessionshutdown(s, "No IP addresses available.", 2, 7); // try another
+ sessionshutdown(s, "No IP addresses available.", CDN_TRY_ANOTHER, TERM_SERVICE_UNAVAILABLE);
return 0;
}
LOG(3, s, t, " No IP allocated. Assigned %s from pool\n",
// L2TPNS Global Stuff
-// $Id: l2tpns.h,v 1.111 2006/04/05 02:13:48 bodea Exp $
+// $Id: l2tpns.h,v 1.112 2006/04/13 11:14:35 bodea Exp $
#ifndef __L2TPNS_H__
#define __L2TPNS_H__
}
tunnelt;
-// 160 bytes per radius session
+// 164 bytes per radius session
typedef struct // outstanding RADIUS requests
{
sessionidt session; // which session this applies to
uint8_t try; // which try we are on
uint8_t state; // state of radius requests
uint8_t chap; // set if CHAP used (is CHAP identifier)
+ uint8_t term_cause; // Stop record: Acct-Terminate-Cause
+ char const *term_msg; // terminate reason
}
radiust;
int used; // session ref count
} ip_filtert;
+// CDN result/error codes
+#define CDN_NONE 0, 0
+#define CDN_TRY_ANOTHER 2, 7
+#define CDN_ADMIN_DISC 3, 0
+#define CDN_UNAVAILABLE 4, 0
+
+// RADIUS Acct-Terminate-Cause values
+#define TERM_USER_REQUEST 1
+#define TERM_LOST_CARRIER 2
+#define TERM_LOST_SERVICE 3
+#define TERM_IDLE_TIMEOUT 4
+#define TERM_SESSION_TIMEOUT 5
+#define TERM_ADMIN_RESET 6
+#define TERM_ADMIN_REBOOT 7
+#define TERM_PORT_ERROR 8
+#define TERM_NAS_ERROR 9
+#define TERM_NAS_REQUEST 10
+#define TERM_NAS_REBOOT 11
+#define TERM_PORT_UNNEEDED 12
+#define TERM_PORT_PREEMPTED 13
+#define TERM_PORT_SUSPENDED 14
+#define TERM_SERVICE_UNAVAILABLE 15
+#define TERM_CALLBACK 16
+#define TERM_USER_ERROR 17
+#define TERM_HOST_REQUEST 18
+#define TERM_SUPPLICANT_RESTART 19
+#define TERM_REAUTHENTICATION_FAILURE 20
+#define TERM_PORT_REINIT 21
+#define TERM_PORT_DISABLED 22
+
// arp.c
void sendarp(int ifr_idx, const unsigned char* mac, in_addr_t ip);
void increment_counter(uint32_t *counter, uint32_t *wrap, uint32_t delta);
void random_data(uint8_t *buf, int len);
void sessionkill(sessionidt s, char *reason);
-void sessionshutdown(sessionidt s, char *reason, int result, int error);
+void sessionshutdown(sessionidt s, char const *reason, int cdn_result, int cdn_error, int term_cause);
void filter_session(sessionidt s, int filter_in, int filter_out);
void send_garp(in_addr_t ip);
void tunnelsend(uint8_t *buf, uint16_t l, tunnelidt t);
%attr(644,root,root) /usr/share/man/man[58]/*
%changelog
-* Wed Apr 5 2006 Brendan O'Dea <bod@optus.net> 2.1.17-1
+* Thu Apr 13 2006 Brendan O'Dea <bod@optus.net> 2.1.17-1
- 2.1.17 release, see /usr/share/doc/l2tpns-2.1.17/Changes
#ifndef __PLUGIN_H__
#define __PLUGIN_H__
-#define PLUGIN_API_VERSION 6
+#define PLUGIN_API_VERSION 7
#define MAX_PLUGIN_TYPES 30
enum
uint16_t (*radiusnew)(sessionidt s);
void (*radiussend)(uint16_t r, uint8_t state);
void *(*getconfig)(char *key, enum config_typet type);
- void (*sessionshutdown)(sessionidt s, char *reason, int result, int error);
+ void (*sessionshutdown)(sessionidt s, char const *reason, int result, int error, int term_cause);
void (*sessionkill)(sessionidt s, char *reason);
void (*throttle)(sessionidt s, int rate_in, int rate_out);
int (*session_changed)(int sid);
// L2TPNS PPP Stuff
-char const *cvs_id_ppp = "$Id: ppp.c,v 1.97 2006/03/27 03:01:08 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.98 2006/04/13 11:14:35 bodea Exp $";
#include <stdio.h>
#include <string.h>
{
LOG(1, s, t, "Short PAP %u bytes\n", l);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "Short PAP packet.", 3, 0);
+ sessionshutdown(s, "Short PAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
{
LOG(1, s, t, "Length mismatch PAP %u/%u\n", hl, l);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "PAP length mismatch.", 3, 0);
+ sessionshutdown(s, "PAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
l = hl;
{
LOG(1, s, t, "Unexpected PAP code %d\n", *p);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "Unexpected PAP code.", 3, 0);
+ sessionshutdown(s, "Unexpected PAP code.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
else
{
LOG(1, s, t, "No RADIUS session available to authenticate session...\n");
- sessionshutdown(s, "No free RADIUS sessions.", 4, 0);
+ sessionshutdown(s, "No free RADIUS sessions.", CDN_UNAVAILABLE, TERM_SERVICE_UNAVAILABLE);
}
}
else
{
LOG(1, s, t, "Short CHAP %u bytes\n", l);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "Short CHAP packet.", 3, 0);
+ sessionshutdown(s, "Short CHAP packet.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
{
LOG(1, s, t, "Length mismatch CHAP %u/%u\n", hl, l);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "CHAP length mismatch.", 3, 0);
+ sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
l = hl;
{
LOG(1, s, t, "Unexpected CHAP response code %d\n", *p);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "CHAP length mismatch.", 3, 0);
+ sessionshutdown(s, "CHAP length mismatch.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
{
LOG(1, s, t, "Wrong CHAP response ID %d (should be %d) (%d)\n", p[1], radius[r].id, r);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "Unexpected CHAP response ID.", 3, 0);
+ sessionshutdown(s, "Unexpected CHAP response ID.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
{
LOG(1, s, t, "Bad CHAP response length %d\n", l < 5 ? -1 : p[4]);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "Bad CHAP response length.", 3, 0);
+ sessionshutdown(s, "Bad CHAP response length.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
{
LOG(1, s, t, "CHAP user too long %d\n", l - 16);
STAT(tunnel_rx_errors);
- sessionshutdown(s, "CHAP username too long.", 3, 0);
+ sessionshutdown(s, "CHAP username too long.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
default:
LOG(2, s, t, "LCP: remote sent %s for type %u?\n", ppp_code(*p), type);
- sessionshutdown(s, "Unable to negotiate LCP.", 3, 0);
+ sessionshutdown(s, "Unable to negotiate LCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
x -= length;
if (!authtype)
{
- sessionshutdown(s, "Unsupported authentication.", 3, 0);
+ sessionshutdown(s, "Unsupported authentication.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
if (config->debug > 3) dumplcp(q, l);
tunnelsend(b, l + (q - b), t); // send it
- sessionshutdown(s, "Remote end closed connection.", 3, 0);
+ sessionshutdown(s, "Remote end closed connection.", CDN_ADMIN_DISC, TERM_USER_REQUEST);
}
else if (*p == TerminateAck)
{
- sessionshutdown(s, "Connection closed.", 3, 0);
+ sessionshutdown(s, "Connection closed.", CDN_ADMIN_DISC, TERM_NAS_REQUEST);
}
else if (*p == ProtocolRej)
{
q = ppp_conf_nak(s, b, sizeof(b), PPPIPCP, &response, q, p, o, (uint8_t *) &addr, sizeof(addr));
if (!q || (q != oq && *response == ConfigRej))
{
- sessionshutdown(s, "Can't negotiate IPCP.", 3, 0);
+ sessionshutdown(s, "Can't negotiate IPCP.", CDN_ADMIN_DISC, TERM_USER_ERROR);
return;
}
}
radius[r].retry = backoff(radius[r].try++);
if (radius[r].try > 5)
{
- sessionshutdown(s, "CHAP timeout.", 3, 0);
+ sessionshutdown(s, "CHAP timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE);
STAT(tunnel_tx_errors);
return ;
}
// L2TPNS Radius Stuff
-char const *cvs_id_radius = "$Id: radius.c,v 1.48 2006/04/05 02:13:48 bodea Exp $";
+char const *cvs_id_radius = "$Id: radius.c,v 1.49 2006/04/13 11:14:35 bodea Exp $";
#include <time.h>
#include <stdio.h>
if (s)
{
if (state == RADIUSAUTH)
- sessionshutdown(s, "RADIUS timeout.", 3, 0);
+ sessionshutdown(s, "RADIUS timeout.", CDN_ADMIN_DISC, TERM_REAUTHENTICATION_FAILURE);
else
{
LOG(1, s, session[s].tunnel, "RADIUS timeout, but in state %s so don't timeout session\n",
p += p[1];
}
}
- else if (state == RADIUSSTART || state == RADIUSSTOP || state == RADIUSINTERIM)
- { // accounting
+ else // accounting
+ {
*p = 40; // accounting type
p[1] = 6;
*(uint32_t *) (p + 2) = htonl(state - RADIUSSTART + 1); // start=1, stop=2, interim=3
p[1] = 6;
*(uint32_t *) (p + 2) = htonl(session[s].cout_wrap);
p += p[1];
+
+ if (state == RADIUSSTOP && radius[r].term_cause)
+ {
+ *p = 49; // acct-terminate-cause
+ p[1] = 6;
+ *(uint32_t *) (p + 2) = htonl(radius[r].term_cause);
+ p += p[1];
+
+ if (radius[r].term_msg)
+ {
+ *p = 26; // vendor-specific
+ *(uint32_t *) (p + 2) = htonl(9); // Cisco
+ p[6] = 1; // Cisco-AVPair
+ p[7] = 2 + sprintf((char *) p + 8, "disc-cause-ext=%s", radius[r].term_msg);
+ p[1] = p[7] + 6;
+ p += p[1];
+ }
+ }
}
{
LOG(3, s, t, " DAE Disconnect %d (%s)\n", s, session[s].user);
r_code = DisconnectACK;
- sessionshutdown(s, "Requested by PoD", 3, 0); // disconnect session
+ sessionshutdown(s, "Requested by PoD", CDN_ADMIN_DISC, TERM_ADMIN_RESET); // disconnect session
break;
case CoARequest: // Change of Authorization
/* session control */
-char const *cvs_id = "$Id: sessionctl.c,v 1.4 2005/10/11 09:04:53 bodea Exp $";
+char const *cvs_id = "$Id: sessionctl.c,v 1.5 2006/04/13 11:14:35 bodea Exp $";
int plugin_api_version = PLUGIN_API_VERSION;
static struct pluginfuncs *f = 0;
reason = "Requested by administrator.";
if (data->argv[0][0] == 'd')
- f->sessionshutdown(session, reason, 3, 0);
+ f->sessionshutdown(session, reason, CDN_ADMIN_DISC, TERM_ADMIN_RESET);
else
f->sessionkill(session, reason);