Bug 599528

Summary: RFE: make radtest script usable for testing over IPv6
Product: Red Hat Enterprise Linux 6
Reporter: Karel Srot <ksrot>
Component: freeradius
Assignee: John Dennis <jdennis>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: medium
Priority: medium
Version: 6.0
CC: atodorov, ddumas, dpal, snagar, syeghiay
Target Milestone: rc
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2011-05-19 13:35:30 UTC
Bug Blocks: 519903

Attachments:
- proposed patch for radtest script (flags: none)
- 2nd version of the proposed patch (flags: none)
- add IP family options to radtest to support IPv6 as well as IPv4 (flags: none)

Description Karel Srot 2010-06-03 12:55:43 UTC
Created attachment 419358
proposed patch for radtest script

Description of problem:

The radtest script is widely used in tutorials for FreeRADIUS testing, but this script works with IPv4 only. It would be good to make this script IPv6 ready (probably in case the RFE is accepted by upstream).

Upstream RFE bug: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80

Proposed patch attached.

Comment 1 RHEL Program Management 2010-06-03 13:08:06 UTC
This feature request did not get resolved in time for Feature Freeze
for the current Red Hat Enterprise Linux release and has now been
denied. You may re-open your request by requesting your support
representative to propose it for the next release.

Comment 9 John Dennis 2011-02-14 20:19:48 UTC
I've been looking at this patch and I think there is a problem with this part of it:

-	nas=`hostname`
+        if [ "$IPv" = "-6" ]; then
+            nas=`host $HOSTNAME | awk '/has IPv6 address/ {print $NF}'`
+        else
+            nas=`host $HOSTNAME | awk '/has address/ {print $NF}'`
+        fi
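
Review bot: both `nas=` assignments on the added lines store whatever `host $HOSTNAME | awk ...` prints without checking that exactly one address came back, so a name with several records produces a multi-line value and a failed lookup produces an empty one. `$HOSTNAME` is also unquoted and is not set by every shell, whereas the removed line called `hostname`. Suggest keeping nas=`hostname` and letting the IPv option choose only the attribute name, or at minimum quoting "$HOSTNAME" and failing when the result is not a single address. The added lines are indented with spaces where the removed line used a tab.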

This is not the correct way to select an address. Address selection should be done by getaddrinfo and specifying the family. This is exactly what the FreeRADIUS utility ip_hton() does. ip_hton() is invoked for you when you pass a NAS-IP-Address or NAS-IPv6-Address. It accepts a hostname as well as numeric addresses (dotted-decimal for IPv4 or hex for IPv6). If you pass a hostname, the easiest thing to pass, it will select the most appropriate address based on the family (IPv4 or IPv6). The mechanisms of which are beyond the scope of this discussion. The need to specify a numeric address is quite rare. If for some reason you do need to pass a numeric address it should be provided as an argument to the radtest script, the radtest script should NEVER try to deduce a numeric address on its own (this is why IPv6 added the getaddrinfo() library call).

The output of the host command does not apply the same logic as getaddrinfo() does. Also, using the host command may not be portable across a variety of operating systems FreeRADIUS is deployed on.

Aside from the fact that the host command does not provide correct address selection, the implementation in the patch has a significant error: it does not account for multiple addresses.

Consider the following example:

$ host ipv6.comcast.net
ipv6.comcast.net has address 69.252.76.96
ipv6.comcast.net has address 68.87.64.59
ipv6.comcast.net has IPv6 address 2001:558:1002:5:68:87:64:59
ipv6.comcast.net has IPv6 address 2001:558:1004:9:69:252:76:96

Using the logic suggested in the patch would result in the IPv6 address attribute being set to a nonsensical multi-value string, e.g.:

$ host ipv6.comcast.net | awk '/has IPv6 address/ {print $NF}'
2001:558:1004:9:69:252:76:96
2001:558:1002:5:68:87:64:59

Summary:

The nas should still default to the hostname.

The only needed modifications are the address family specification and selecting the radius attribute based on the family.

Updated patch will follow.
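
Added example, not part of the original comment and not the FreeRADIUS radtest script: it runs the first patch's awk selection over the `host` output quoted above to show the multi-value result, then shows the approach from the summary, where nas stays a hostname and the family option only picks the attribute name. The helper names, the hostname radius.example.test and the `attribute = value` line format are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed input: the `host` output quoted in the comment, embedded so
# the example runs offline.
sample_host_output() {
    cat <<'EOF'
ipv6.comcast.net has address 69.252.76.96
ipv6.comcast.net has address 68.87.64.59
ipv6.comcast.net has IPv6 address 2001:558:1002:5:68:87:64:59
ipv6.comcast.net has IPv6 address 2001:558:1004:9:69:252:76:96
EOF
}

# Selection logic of the first patch, reading `host` output on stdin.
patch_select() {
    if [ "$1" = "-6" ]; then
        awk '/has IPv6 address/ {print $NF}'
    else
        awk '/has address/ {print $NF}'
    fi
}

# Count the non-empty lines in a string; an attribute needs exactly 1 value.
value_count() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Hypothetical helper: the family option picks only the attribute name.
nas_attribute() {
    case "$1" in
        -6) echo "NAS-IPv6-Address" ;;
        -4|"") echo "NAS-IP-Address" ;;
        *) echo "unknown address family option: $1" >&2; return 1 ;;
    esac
}

# Hypothetical helper: nas stays a hostname (default: `hostname`), so the
# numeric address is left to the resolver inside the RADIUS client.
nas_pair() {
    attr=$(nas_attribute "$1") || return 1
    nas=${2:-$(hostname)}
    printf '%s = %s\n' "$attr" "$nas"
}

picked=$(sample_host_output | patch_select -6)
echo "patch logic: $(value_count "$picked") values for one attribute"
nas_pair -6 radius.example.test   # constructed hostname
```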

Comment 10 Karel Srot 2011-02-15 08:03:54 UTC
Created attachment 478782
2nd version of the proposed patch

Hi John,
I absolutely agree, see #c3. Since bug 599521 is already resolved, there is no need to use an IPv6 address in $nas. I would propose to use only the remaining parts of the patch (or ensure similar functionality another way). I have attached the new version of the patch.

Comment 12 John Dennis 2011-02-23 22:30:26 UTC
Created attachment 480593
add IP family options to radtest to support IPv6 as well as IPv4

Comment 15 errata-xmlrpc 2011-05-19 13:35:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0610.html