Project

General

Profile

Bug #11569

ACLs generated from RADIUS reply attributes have incorrect syntax

Added by Dmitry Bashkarev about 2 months ago. Updated 25 days ago.

Status:
Resolved
Priority:
Very Low
Category:
OpenVPN
Target version:
Start date:
02/27/2021
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.5.0
Affected Architecture:
Release Notes:
Default

Description

FreeRADIUS ACLs:

Cisco-AVPair = "ip:inacl#1=permit tcp 192.168.1.2 0.0.0.0 any",
Cisco-AVPair += "ip:inacl#2=permit tcp 192.168.1.1 0.0.0.0 10.10.128.151 0.0.0.0 eq 80",

Created OpenVPN rules:

pass in quick on ovpns1 inet proto tcp from 192.168.1.2/32to any  
pass in quick on ovpns1 inet proto tcp from 192.168.1.1/32to 10.10.128.151/32port = 80  

Expected OpenVPN rules:

pass in quick on ovpns1 inet proto tcp from 192.168.1.2/32 to any
pass in quick on ovpns1 inet proto tcp from 192.168.1.1/32 to 10.10.128.151/32 port = 80

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review
  • Target version changed from 2.5.1 to CE-Next

I thought this got fixed with #10803 but apparently not.

#3 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho

PR has been merged. Thanks!

#4 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1

#5 Updated by Renato Botelho about 1 month ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

#6 Updated by Jim Pingle about 1 month ago

  • Subject changed from Parsing cisco acl to ACLs generated from RADIUS reply attributes have incorrect syntax

Updating subject for release notes.

#7 Updated by Viktor Gurov 25 days ago

  • Status changed from Feedback to Resolved

works as expected on 2.5.1.r.20210324.0300

RADIUS attributes:

Cisco-AVPair = "ip:inacl#1=permit ip host 10.3.0.99 10.1.10.0 0.0.0.255",
Cisco-AVPair += "ip:inacl#2=permit ip host 10.3.0.99 host 10.10.0.55",
Cisco-AVPair += "ip:inacl#3=permit ip host 10.3.0.99 172.20.0.0 0.0.255.255",
Cisco-AVPair += "ip:inacl#4=permit ip host 10.3.0.99 host 10.10.4.5" 

result:

# pfctl -a openvpn/ovpns1_testuser_29199 -sr
pass in quick on ovpns1 inet from 10.3.0.99 to 10.1.10.0/24 flags S/SA keep state
pass in quick on ovpns1 inet from 10.3.0.99 to 10.10.0.55 flags S/SA keep state
pass in quick on ovpns1 inet from 10.3.0.99 to 172.20.0.0/16 flags S/SA keep state
pass in quick on ovpns1 inet from 10.3.0.99 to 10.10.4.5 flags S/SA keep state

Also available in: Atom PDF