Feature #9206
closed
OpenVPN+RADIUS+Cisco AVPair ACL Enhancements/BugFixes
Added by Shawn Bruce about 6 years ago.
Updated over 4 years ago.
Description
Hello,
I've fixed a race condition where disconnecting and reconnecting a session when using AVPair ACLs would result in no rules being inserted.
Additionally I have added the following:
- Updated the ACL parser to support IP and ICMP protocol options.
- Updated the ACL parser to support port operators.
- Added a template variable "{clientip}" that is replaced with the connecting client's VPN IP.
- Target version changed from 48 to 2.5.0
- Status changed from New to Pull Request Review
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
- Status changed from Feedback to Resolved
works as expected on 2.5.0.a.20200414.0021
test radius attributes:
Cisco-AVPair = "ip:outacl#1=permit udp host 4.4.4.4 host 7.7.7.7 range 3110 5000",
Cisco-AVPair += "ip:outacl#2=permit tcp any host 7.7.7.7 gt 333",
Cisco-AVPair += "ip:inacl#1=permit udp host 3.3.3.3 host 7.7.7.7 lt 566",
Cisco-AVPair += "ip:inacl#2=permit udp host 3.3.3.3 host 7.7.7.7 neq 899",
Cisco-AVPair += "ip:inacl#3=permit tcp host 2.2.2.2 host 5.5.5.5 eq 999"
# pfctl -a openvpn/ovpns1_testuser1_1194 -s rules
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port < 566 no state
pass in quick on ovpns1 inet proto udp from 3.3.3.3 to 7.7.7.7 port != 899 no state
pass out quick on ovpns1 inet proto udp from 4.4.4.4 to 7.7.7.7 port 3109 >< 5001 no state
pass out quick on ovpns1 inet proto tcp from any to 7.7.7.7 port > 333 no state
pass in quick on ovpns1 inet proto tcp from 2.2.2.2 to 5.5.5.5 port = garcon no state
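The mapping exercised by the test above (inacl/outacl direction, the eq/gt/lt/neq/range port operators, and the "{clientip}" substitution) as an added stand-alone translator; this is illustration code written for this page, not pfSense's own parser, and the interface name, client IP and AVPair strings it is fed are constructed test values.

```python
import re

# Cisco-AVPair ACL -> pf rule translator (illustration only, not pfSense code).
# Rule shape follows the pfctl output shown in the test comment above.
PORT_OPS = {"eq": "=", "gt": ">", "lt": "<", "neq": "!="}

def _addr(tokens, clientip):
    """Consume one address spec: 'any' or 'host <ip>'; {clientip} is substituted."""
    kind = tokens.pop(0)
    if kind == "any":
        return "any"
    if kind == "host":
        return tokens.pop(0).replace("{clientip}", clientip)
    raise ValueError("unsupported address spec: " + kind)

def _port(tokens):
    """Consume an optional port operator. pf's '><' is exclusive on both ends,
    so the inclusive Cisco 'range lo hi' becomes 'port lo-1 >< hi+1'."""
    if not tokens:
        return ""
    op = tokens.pop(0)
    if op == "range":
        lo, hi = int(tokens.pop(0)), int(tokens.pop(0))
        return " port %d >< %d" % (lo - 1, hi + 1)
    if op in PORT_OPS:
        return " port %s %s" % (PORT_OPS[op], tokens.pop(0))
    raise ValueError("unsupported port operator: " + op)

def avpair_to_pf(avpair, iface, clientip):
    """Translate one 'ip:inacl#N=...' / 'ip:outacl#N=...' AVPair into a pf rule."""
    m = re.match(r"ip:(in|out)acl#\d+=(permit|deny)\s+(\S+)\s+(.*)$", avpair.strip())
    if not m:
        raise ValueError("not a Cisco AVPair ACL: " + avpair)
    direction, action, proto, rest = m.groups()
    tokens = rest.split()
    src = _addr(tokens, clientip)
    dst = _addr(tokens, clientip)
    # Port operators only make sense for tcp/udp; 'ip' means any protocol,
    # which pf expresses by omitting the proto clause entirely.
    port = _port(tokens) if proto in ("tcp", "udp") else ""
    proto_clause = "" if proto == "ip" else " proto " + proto
    if action == "permit":
        return "pass %s quick on %s inet%s from %s to %s%s no state" % (
            direction, iface, proto_clause, src, dst, port)
    return "block %s quick on %s inet%s from %s to %s%s" % (
        direction, iface, proto_clause, src, dst, port)
```

The translator emits numeric ports ("port = 999"); pfctl -s rules resolves 999 to the service name "garcon" from /etc/services, which is why the last rule above prints differently.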