* Proposed new target SESSION allow for session/accounting management [RADIUS/802.1x]
@ 2012-04-09 12:14 Gregory Nietsky
2012-04-11 23:39 ` Pablo Neira Ayuso
From: Gregory Nietsky @ 2012-04-09 12:14 UTC (permalink / raw)
To: netfilter Dev List
I've got a requirement for disabling / enabling IP based on the following
criteria:
- Only allow pre-authenticated traffic [hostapd / wired 802.1x for example]
- Limit this to a predetermined session limit by duration or throughput
- Disable traffic once idle for a predetermined duration
- Ability to read the information / reset sessions from user space
The application in mind is to deliver small micro servers running our
Linux distro for remote office / SOHO VPN connectivity, without the need
for mid to high end switches, to control and monitor the usage on the VPN
and/or other points after authenticating to the remote site.
I have an embryonic framework for this that is coming together nicely and
consists of the following:

A table structure consisting of 2 list head pointers [arrays], one for
MAC and one for IP addr. The list data is linked to each based on a jhash
of the MAC address [the only information available from userland pre-DHCP]
and the IP[4/6] addr, set later by the target [ideally based on DHCP; I
may add a DHCP protocol based match target]. This allows for quick lookups
and access based on the IP/MAC pair.

The block of memory used for this is (2 + 2 * num_buckets) *
sizeof(struct list_head); struct list_head consists of 2 pointers
[next/prev].

This is similar to the method borrowed from the xt_recent match.
The userland interface is done via a char dev with sysfs/udev support:
- /proc/net/ interface using seq operations for listing all sessions
- /dev/ char dev for reading / writing session information; memory is
allocated for each access and a buffer used for reading / writing.
Userland will write an action [add/delete/view/....] and the output will
be placed in a buffer to be read.
- netfilter target and iptables extension that will restrict traffic
I'm currently busy with this. At the moment it passes traffic, has no
check, and allows 2 flags: --use-dest [should not be needed] and --save-ip
[to associate the IP with the MAC; this should ideally be done based on
the IP assigned via DHCP]. This will only be done if there is no IP set.
As the MAC is only available on INPUT traffic, we need to have the IP for
accounting of traffic from dest.
Using the incoming packet, look up the session by MAC addr and store the
source IP to match returning traffic later. If there is no session, traffic
is DROPPED; if the IP is set and the IP/MAC is mismatched, drop the packet.
iptables -A [INPUT/FORWARD/PREROUTING] -j SESSION --save-ip
Once the IP has been set, returning packets will be allowed, as the IP will
be looked up and, if associated to a valid session, it will be allowed to
continue.
iptables -A [ANY] -j SESSION [--use-dest]
For every packet that is allowed, the len / time will be updated in the
session.

A session is only valid when a MAC [if avail]/IP match, or the session
timer has not expired, or the last packet seen and current packet do not
differ by more than the optional idle time.
The current code is available here:
http://pbx.distrotech.co.za/svn/netfilter_session/
Please note work is being done on the actual target and what is written
here is a proposal; the current target passes all traffic.
Once the module is loaded the following works:
echo "[6 char]" > /dev/8021x
cat /proc/net/8021x
i.e.
echo "abcdef" > /dev/8021x
cat /proc/net/8021x
61:62:63:64:65:66 1333973169
This creates the session for MAC 61:62:63:64:65:66 @ timestamp. There is
no session limit or time out, so all traffic will pass once the IP is
registered.
Hope this is found to be potentially useful, something that is suitable
for inclusion once complete.
All comments are welcomed.
Regards Greg
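The proposal above describes a MAC/IP-bucketed session table, a char-dev "add" path that takes six raw bytes, a /proc line per session, and a per-packet verdict (drop with no session, drop on IP/MAC mismatch, learn the IP once under --save-ip, then account len/time and enforce duration, byte and idle limits). The following userspace C model is an added illustration of that design, not the code in the svn repository. Assumptions: FNV-1a stands in for the kernel's jhash(), buckets are plain singly linked lists rather than struct list_head, the limits live in the table instead of iptables options, and echo's trailing newline is simply ignored by the write path. The reading that a session with no IP learned yet is matched on MAC alone, and that returning traffic is looked up by IP only, is the editor's interpretation of the post.

```c
/* Added userspace model of the proposed SESSION target (not the svn code):
 * FNV-1a stands in for jhash(), singly linked buckets for struct list_head. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUM_BUCKETS 64
#define MAC_LEN 6
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct session {
    uint8_t  mac[MAC_LEN];
    uint32_t ip;               /* 0 until learned via --save-ip */
    uint64_t created;          /* seconds; the timestamp shown in /proc */
    uint64_t last_seen, bytes; /* accounting: last packet time, octets */
    struct session *next_mac;  /* chain in the MAC bucket */
    struct session *next_ip;   /* chain in the IP bucket once ip != 0 */
};

struct session_table {
    struct session *by_mac[NUM_BUCKETS];
    struct session *by_ip[NUM_BUCKETS];
    uint64_t max_duration, max_bytes, idle_timeout; /* 0 = unlimited */
};

static unsigned int bucket_of(const void *key, size_t len) /* jhash stand-in */
{
    const uint8_t *p = key;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h % NUM_BUCKETS;
}

static struct session *find_by_mac(struct session_table *t, const uint8_t *mac)
{
    for (struct session *s = t->by_mac[bucket_of(mac, MAC_LEN)]; s; s = s->next_mac)
        if (memcmp(s->mac, mac, MAC_LEN) == 0) return s;
    return NULL;
}

static struct session *find_by_ip(struct session_table *t, uint32_t ip)
{
    for (struct session *s = t->by_ip[bucket_of(&ip, sizeof ip)]; s; s = s->next_ip)
        if (s->ip == ip) return s;
    return NULL;
}

/* write(2) to the char dev: the first 6 bytes are the raw MAC; echo's trailing
 * newline is ignored (assumed). NULL for short writes or an existing MAC. */
struct session *session_add(struct session_table *t, const void *buf, size_t len, uint64_t now)
{
    if (len < MAC_LEN || find_by_mac(t, buf)) return NULL;
    struct session *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    memcpy(s->mac, buf, MAC_LEN);
    s->created = s->last_seen = now;
    unsigned int b = bucket_of(s->mac, MAC_LEN);
    s->next_mac = t->by_mac[b];
    t->by_mac[b] = s;
    return s;
}

/* One /proc/net/8021x line, e.g. "61:62:63:64:65:66 1333973169". */
int session_format(const struct session *s, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%02x:%02x:%02x:%02x:%02x:%02x %llu",
                    s->mac[0], s->mac[1], s->mac[2], s->mac[3], s->mac[4],
                    s->mac[5], (unsigned long long)s->created);
}

/* Limits: total duration, total bytes, idle gap since the last accepted packet. */
static int session_valid(const struct session_table *t, const struct session *s, uint64_t now)
{
    if (t->max_duration && now - s->created > t->max_duration) return 0;
    if (t->max_bytes && s->bytes >= t->max_bytes) return 0;
    if (t->idle_timeout && now - s->last_seen > t->idle_timeout) return 0;
    return 1;
}

/* One packet hitting -j SESSION. mac is NULL when no link-layer header is
 * available (returning traffic, looked up by IP as --use-dest would); ip is
 * the client's address: source on INPUT, destination on the way back. */
enum verdict session_target(struct session_table *t, const uint8_t *mac,
                            uint32_t ip, size_t len, uint64_t now, int save_ip)
{
    struct session *s = mac ? find_by_mac(t, mac) : find_by_ip(t, ip);
    if (!s) return VERDICT_DROP;                          /* no session */
    if (mac && s->ip && s->ip != ip) return VERDICT_DROP; /* IP/MAC mismatch */
    if (!session_valid(t, s, now)) return VERDICT_DROP;
    if (mac && !s->ip && save_ip) {                       /* learn the IP once */
        unsigned int b = bucket_of(&ip, sizeof ip);
        s->ip = ip;
        s->next_ip = t->by_ip[b];
        t->by_ip[b] = s;
    }
    s->last_seen = now;
    s->bytes += len;
    return VERDICT_ACCEPT;
}
```

Feeding `"abcdef"` through `session_add` reproduces the `61:62:63:64:65:66 1333973169` line from the post; the verdict function then shows the ordering that matters for the security claim: returning traffic is dropped until the INPUT side has bound an IP to the MAC, and a packet that arrives with the right MAC but a different source address is dropped rather than re-learned, so a client cannot move its session to a new address by simply sending from it.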
* Re: Proposed new target SESSION allow for session/accounting management [RADIUS/802.1x]
From: Pablo Neira Ayuso @ 2012-04-11 23:39 UTC (permalink / raw)
To: Gregory Nietsky; +Cc: netfilter Dev List
On Mon, Apr 09, 2012 at 02:14:49PM +0200, Gregory Nietsky wrote:
>
> I've got a requirement for disabling / enabling IP based on the
> following criteria:
>
> - Only allow pre-authenticated traffic [hostapd / wired 802.1x for example]
> - Limit this to a predetermined session limit by duration or throughput
> - Disable traffic once idle for a predetermined duration
> - Ability to read the information / reset sessions from user space
>
> The application in mind is to deliver small micro servers running our
> Linux distro for remote office / SOHO VPN connectivity, without the need
> for mid to high end switches, to control and monitor the usage on the
> VPN and/or other points after authenticating to the remote site.
>
> I have an embryonic framework for this that is coming together nicely
> and consists of the following:
>
> A table structure consisting of 2 list head pointers [arrays], one for
> MAC and one for IP addr. The list data is linked to each based on a
> jhash of the MAC address [the only information available from userland
> pre-DHCP] and the IP[4/6] addr, set later by the target [ideally based
> on DHCP; I may add a DHCP protocol based match target]. This allows for
> quick lookups and access based on the IP/MAC pair.
>
> The block of memory used for this is (2 + 2 * num_buckets) *
> sizeof(struct list_head); struct list_head consists of 2 pointers
> [next/prev].
>
> This is similar to the method borrowed from the xt_recent match.
>
> The userland interface is done via a char dev with sysfs/udev support:
>
> - /proc/net/ interface using seq operations for listing all sessions
>
> - /dev/ char dev for reading / writing session information; memory is
> allocated for each access and a buffer used for reading / writing.
> Userland will write an action [add/delete/view/....] and the output
> will be placed in a buffer to be read.
>
> - netfilter target and iptables extension that will restrict traffic
> I'm currently busy with this. At the moment it passes traffic, has no
> check, and allows 2 flags: --use-dest [should not be needed] and
> --save-ip [to associate the IP with the MAC; this should ideally be
> done based on the IP assigned via DHCP]. This will only be done if there
> is no IP set. As the MAC is only available on INPUT traffic, we need to
> have the IP for accounting of traffic from dest.
>
> Using the incoming packet, look up the session by MAC addr and store
> the source IP to match returning traffic later. If there is no session,
> traffic is DROPPED; if the IP is set and the IP/MAC is mismatched, drop
> the packet.
>
> iptables -A [INPUT/FORWARD/PREROUTING] -j SESSION --save-ip
>
> Once the IP has been set, returning packets will be allowed, as the IP
> will be looked up and, if associated to a valid session, it will be
> allowed to continue.
>
> iptables -A [ANY] -j SESSION [--use-dest]
>
> For every packet that is allowed, the len / time will be updated in
> the session.
>
> A session is only valid when a MAC [if avail]/IP match, or the session
> timer has not expired, or the last packet seen and current packet do
> not differ by more than the optional idle time.
>
> The current code is available here:
> http://pbx.distrotech.co.za/svn/netfilter_session/
>
> Please note work is being done on the actual target and what is
> written here is a proposal; the current target passes all traffic.
>
> Once the module is loaded the following works:
> echo "[6 char]" > /dev/8021x
> cat /proc/net/8021x
>
> i.e.
> echo "abcdef" > /dev/8021x
> cat /proc/net/8021x
> 61:62:63:64:65:66 1333973169
>
> This creates the session for MAC 61:62:63:64:65:66 @ timestamp. There
> is no session limit or time out, so all traffic will pass once the IP
> is registered.
>
> Hope this is found to be potentially useful, something that is
> suitable for inclusion once complete.
This looks to me like an ad-hoc all-in-one target. I'm not saying
that this is not useful for you, but there's no room for this in
mainline, sorry.