bairdo / gasket
Gasket is a system that provides authentication and authorisation to the https://github.com/faucetsdn/faucet network controller.
If a client authenticates with hostapd on the link022 AP, gasket will not know where the host is until it has been seen by the switch. But seeing as it knows which hostapd it came from, we do actually know which switch port it is on.
It looks like the main loop is signalling faucet every time; however, most of these are Prometheus learning.
Could also do something about Prometheus learning (if it's already learnt, it's not really being learnt).
(unix socket is tested).
If the hostapd sockets have not closed they will still be sent. This is messy if using the socket bind port option, as gasket will receive duplicate messages.
related to #18
Possibly when faucet has not started up yet.
hub: uncaught exception: Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ryu/lib/hub.py", line 60, in _launch
return func(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/gasket/auth_app.py", line 158, in run
self._init_unsolicited_socket()
File "/usr/lib/python3.6/site-packages/gasket/auth_app.py", line 90, in _init_unsolicited_socket
self.logger)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 286, in unsolicited_socket_udp
s = request_socket_udp(host, port, bind_address, bind_port, hsoc_type, timeout, logger)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 273, in request_socket_udp
return HostapdCtrlUDP(addrinfo[0], addrinfo[4], bind_address, bind_port, hsoc_type, timeout, logger)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 232, in __init__
self.connect(sockaddr)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 243, in connect
c = self.get_cookie()
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 258, in get_cookie
return str(self.request('GET_COOKIE'))
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 38, in request
return self.receive(size=4096)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 156, in receive
return str(self.soc.recv(size))
File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 354, in recv
return self._recv_loop(self.fd.recv, b'', bufsize, flags)
File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 348, in _recv_loop
self._read_trampoline()
File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 319, in _read_trampoline
timeout_exc=socket.timeout("timed out"))
File "/usr/lib/python3.6/site-packages/eventlet/greenio/base.py", line 203, in _trampoline
mark_as_closed=self._mark_as_closed)
File "/usr/lib/python3.6/site-packages/eventlet/hubs/__init__.py", line 162, in trampoline
return hub.switch()
File "/usr/lib/python3.6/site-packages/eventlet/hubs/hub.py", line 294, in switch
return self.greenlet.switch()
socket.timeout: timed out
Configure port's VLAN on user (de)auth.
Allow user's traffic to be put in a VLAN.
What will happen to already authed users?
a) auth stays exactly the same.
b) auth removed
c) auth reapplied with new details. (e.g. if rules.yaml changed user is still authed but the acls may change)
a or c seem preferable.
When a port goes down, clients on that port should have to re-authenticate.
Logging is a mess, with things that don't need to be logged that were used when debugging.
Use correct log levels for messages that are still useful.
Capitalise the b in bairdo.
as well as MAC & port.
But how to get the IP associated with the user?
e.g. with WiFi, we do not want someone to have to authenticate every time they move AP.
Maybe useful where the NFV hostapd is providing the authentication instead of the AP (as with link022).
docker/runauth.sh This seems kind of messy.
Perhaps have gasket catch the signals, and add another flag for the base config stuff (starting fresh or not).
In fact, whether we start fresh or not should be decided by the user, so add an option for that (passing env variables in docker??).
How would docker restart mode work then, if we wanted to keep the current rules after a crash?
Each hostapd socket only receives messages for one interface on the hostapd machine.
With the link022 stuff there can be multiple SSIDs (NICs), but we can only listen to one.
Also implies allowing multiple hostapd NFV servers.
See ryu_app.close().
And where hostapd is only managing one port, or many ports, or many hostapds managing the same ports.
Remove the hardcoded "AccessAccept:Vendor-Specific:%d:%d"
auth_app.py:117
Allow a user-specified attribute to be used, e.g. filter-id, VLAN vid, anything.
port_<dp_name>_<port_number>
Maybe also use faucet's new acl_in syntax (list)
#89
acls_in: [1x_to_hostapd, some_user_defined_port_rules, authentications_for_dp_1_port_3, all_to_hostapd]
And then create a script to generate these acls/faucet conf. #90
e.g. auth.yaml
hostapd-mac: 44:44:44:44:44:44
base-acls.yaml contains the 'some_user_defined_port_rules' and nothing else.
So auth.yaml + base-acls.yaml = faucet.yaml (+ faucet-acl.yaml).
e.g. if rejected, put the MAC into a quarantine VLAN (only access to a very limited number of services) or similar.
or
direct to a captive portal
e.g.
users in p1 (admins) might want to override security acls.
security acls = no telnet, etc
There is no intention to fix this anytime soon.
Currently only external radius servers can be used if radius attributes need to be saved.
From memory, the issue might be that hostapd receives a packet (off the network) for external servers.
So perhaps we are processing it too early or something.
Maybe (idk) the internal radius server is handled internally by hostapd (and not on the network - localhost)
ovs-docker del-port s1 eth3 gasket_hostapd_1
Readme.docker.md
docker/runtests.sh
before ping6 ...
sysctl -w net.ipv6.conf.lo.disable_ipv6=0
Can signal the faucet container via the docker unix socket.
mount /var/run/docker.sock
Who's logged on,
where?
Everything possible.
Start with a framework.
Caused when hostapd is reloaded.
Perhaps:
have the switch connect to multiple controllers (faucet and gasket) on different ports.
Exceptions are not really printed in the logs.
the Prometheus output changed and broke a regex
etc/ryu/faucet -> etc/faucet
hostapd has its own container now.
VUW policy language has rules timeout.
Use the faucet config parser like hostapd_conf.py for everything (provides defaults and errors out as needed).
User logs on (via link022) and is assigned to a VLAN by hostapd (based on what SSID was used).
The current acl does not specify the vlan, so it might be possible for the same mac to appear on a different vlan on the same port and be allowed through when it should be dropped. (we've gained access to a vlan we shouldn't be in).
This relates to issue #38
I'm thinking add an auth-vlan value.
3 ways to 'learn' the vlan a host is/should be on:
In the case of WiFi in particular using a Captive Portal. A client may be authenticated for a long time - months/years. However they may not be on campus or even near certain access points, so there is no point having rules associated with that user installed on the switch.
In theory there is no reason it should be limited to Captive Portal.
May also be desirable to implement where nearby access points have the rules added to improve re-connection delays (Alex Deng's work).
After some time hostapd control interface messages no longer get received by gasket.
The problem is likely with the port forwarding/ping to keep the firewall open.
MAC rewrite becomes dodgy when multiple switches are managed by a single gasket. The switch must know how to forward the rewritten address, or else a broadcast occurs.
Another option could be use of the action output port, but this means the controller will not learn the client MAC, which is useful for forwarding the reply to only the client's port, and for knowing where to put the new rules.
X) 1 port - 1 1X host
Y) 1 port - 1 1X host, N non 1X hosts
Z) 1 port - N 1X hosts.
Useful for devices behind IP phones, etc.
(Z) wifi
The auth_port is implicitly tested.
How to start with new docker containers (rabbit)?
Add a config item to the hostapd_conf for log level.
debug - print request,
info - ping, etc
...
Use Faucet's new event interface https://github.com/faucetsdn/faucet/tree/master/adapters for receiving new MAC learning info.
Maybe/probably also port status.
Host authenticates fine, but after a while loses connection.
Might be when disconnecting (via moving away), then reconnecting.
This might be just a symptom of another issue.
Apr 03 21:53:50-617 link023-1ssid DEBUG waiting for receive
Apr 03 21:53:54-384 link023-2ssid DEBUG request is "COOKIE=c61f340e380446d0 PING"
Apr 03 21:53:54-622 link023-1ssid DEBUG request is "COOKIE=7d1a941757f2b2fe PING"
Apr 03 21:53:58-388 link023-2ssid DEBUG ping timed out.
Apr 03 21:53:58-388 link023-2ssid INFO Connection to hostapd lost. Retrying to connect
Apr 03 21:53:58-389 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:53:58-627 link023-1ssid DEBUG ping timed out.
Apr 03 21:53:58-629 link023-1ssid INFO Connection to hostapd lost. Retrying to connect
Apr 03 21:53:58-630 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:02-395 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:02-395 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:02-636 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:02-637 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:06-401 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:06-402 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:06-642 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:06-643 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:10-408 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:10-649 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:12-411 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:12-652 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:16-417 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:16-418 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:16-658 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:16-658 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:20-424 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:20-424 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:20-664 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:20-665 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:24-428 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:24-671 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:26-431 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:26-674 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:30-436 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:30-437 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:30-679 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:30-680 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:34-443 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:34-463 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:34-686 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:34-687 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:38-469 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:54:38-693 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:54:40-472 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:40-696 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:54:44-478 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
...
Apr 03 21:55:34-579 link023-2ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.6', 8888)
Apr 03 21:55:34-771 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:55:36-582 link023-2ssid DEBUG request is "GET_COOKIE"
Apr 03 21:55:36-774 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:55:37-85 link023-2ssid ERROR OSError exception in run. self.stop has not been set.
Apr 03 21:55:37-86 link023-2ssid ERROR [Errno 111] Connection refused
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 56, in run
data = str(self.unsolicited_sock.receive())
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
return self.soc.recv(size).decode()
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 58, in run
self.request_sock.ping()
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 147, in ping
if not self.soc and self.reconnect(self.ifname):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 326, in reconnect
if not self.open_connection(ifname):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 362, in open_connection
cookie = self.get_cookie()
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 381, in get_cookie
return self.request('GET_COOKIE')
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 39, in request
return self.receive(size=4096)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
return self.soc.recv(size).decode()
ConnectionRefusedError: [Errno 111] Connection refused
Apr 03 21:55:40-779 link023-1ssid DEBUG Couldn't connect (get cookie) to UDP socket ('192.168.11.7', 8888)
Apr 03 21:55:40-780 link023-1ssid DEBUG request is "GET_COOKIE"
Apr 03 21:55:40-784 link023-1ssid ERROR OSError exception in run. self.stop has not been set.
Apr 03 21:55:40-786 link023-1ssid ERROR [Errno 111] Connection refused
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 56, in run
data = str(self.unsolicited_sock.receive())
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
return self.soc.recv(size).decode()
socket.timeout: timed out
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_socket_thread.py", line 58, in run
self.request_sock.ping()
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 147, in ping
if not self.soc and self.reconnect(self.ifname):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 326, in reconnect
if not self.open_connection(ifname):
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 362, in open_connection
cookie = self.get_cookie()
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 381, in get_cookie
return self.request('GET_COOKIE')
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 39, in request
return self.receive(size=4096)
File "/usr/lib/python3.6/site-packages/gasket/hostapd_ctrl.py", line 177, in receive
return self.soc.recv(size).decode()
ConnectionRefusedError: [Errno 111] Connection refused
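The GET_COOKIE / PING exchange and the reconnect loop visible in the log above, as an added example that is not gasket's code: a constructed loopback stand-in for hostapd's UDP control interface (FakeHostapdCtrl, which drops any request carrying a stale cookie, the situation after a hostapd reload) and a hypothetical client (CtrlClient) that redoes the cookie handshake on a timeout but gives up after a bounded number of reconnects instead of retrying GET_COOKIE every few seconds forever.

```python
import secrets
import socket
import threading

class FakeHostapdCtrl:
    # Constructed stand-in for hostapd's UDP control interface, not hostapd itself. A
    # request carrying a stale or missing cookie gets no reply, as after a hostapd reload.
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))  # loopback, ephemeral port
        self.addr, self.cookie, self.dropped = self.sock.getsockname(), secrets.token_hex(8), 0
        threading.Thread(target=self._serve, daemon=True).start()

    def reload(self):
        self.cookie = secrets.token_hex(8)  # new cookie; the old one stops being accepted

    def _serve(self):
        while True:
            data, peer = self.sock.recvfrom(4096)
            if data == b"GET_COOKIE":
                self.sock.sendto(f"COOKIE={self.cookie}".encode(), peer)
            elif data == f"COOKIE={self.cookie} PING".encode():
                self.sock.sendto(b"PONG\n", peer)
            else:
                self.dropped += 1  # silently dropped: the client will hit its recv timeout

class CtrlClient:
    # Hypothetical client, not gasket's: the same handshake, but reconnects are bounded.
    def __init__(self, addr, timeout=0.5):
        self.addr, self.timeout, self.cookie, self.reconnects = addr, timeout, None, 0

    def connect(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.addr)
        self.sock.send(b"GET_COOKIE")
        reply = self.sock.recv(4096).decode()  # expected: "COOKIE=<16 hex chars>"
        self.cookie = reply.partition("=")[2]

    def ping(self, max_reconnects=1):
        # True on PONG; on timeout/refusal redo the handshake at most max_reconnects times.
        for attempt in range(max_reconnects + 1):
            try:
                self.sock.send(f"COOKIE={self.cookie} PING".encode())
                return self.sock.recv(4096).decode().strip() == "PONG"
            except (socket.timeout, ConnectionRefusedError):
                if attempt == max_reconnects:
                    return False
                self.reconnects += 1
                self.connect()
```

With the real hostapd the same stale-cookie symptom shows up as the "ping timed out" lines above; the bounded policy turns an endless DEBUG storm into a single failed ping that the caller can log once and act on.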