Initial commit

Author: BSpendlove

.dockerignore

@@ -0,0 +1,10 @@
+README.md
+CHANGELOG.md
+docker-compose.yml
+Dockerfile
+.git
+.gitattributes
+.gitignore
+logs
+*.log
+tests/

.github/workflows/ci.yml

@@ -0,0 +1,48 @@
+name: Create and publish RADIUS Producer Docker image
+
+on:
+  release:
+    types: [created]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+      - name: Build and push Docker image
+        id: push
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.tags }}
+            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
+          subject-digest: ${{ steps.push.outputs.digest }}
+          push-to-registry: true

Dockerfile

@@ -0,0 +1,30 @@
+FROM freeradius/freeradius-server:3.2.7
+
+ARG KAFKA_BOOTSTRAP_SERVER
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    python3 python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Create the required directory for your custom Python scripts
+RUN mkdir -p /cgn_ec_freeradius
+
+ENV PYTHONPATH="/cgn_ec_freeradius:$PYTHONPATH"
+
+RUN /usr/bin/python3 -m pip install confluent-kafka==2.8.2
+
+# Set the virtual environment as default
+ENV PATH="/venv/bin:$PATH"
+
+# Copy your custom Python scripts to /cgn_ec_freeradius/mods-config/python3
+COPY ./python3 /cgn_ec_freeradius
+
+# Ensure permissions for the custom Python script
+RUN chown -R freerad:freerad /cgn_ec_freeradius && \
+    chmod -R 755 /cgn_ec_freeradius
+
+COPY ./dictionaries/* /usr/share/freeradius
+
+RUN echo '$INCLUDE dictionary.nfware' >> /usr/share/freeradius/dictionary
+RUN echo '$INCLUDE dictionary.veesixnetworks' >> /usr/share/freeradius/dictionary

clients.conf

@@ -0,0 +1,4 @@
+client cgn_servers {
+    ipaddr  =   172.16.0.0/12
+    secret  =   cgnat
+}

dictionaries/dictionary.nfware

@@ -0,0 +1,38 @@
+# NFWare dictionary.
+#
+# Version:      1.0  26-Sep-2016
+#               $Id$
+#
+VENDOR          NFWare                          46576
+BEGIN-VENDOR    NFWare
+#
+#   vCGNAT accounting
+#
+ATTRIBUTE       NFWare-vCGNAT-Protocol                  1       integer
+ATTRIBUTE       NFWare-vCGNAT-Inside-Addr               2       ipaddr
+ATTRIBUTE       NFWare-vCGNAT-Inside-Port               3       short
+ATTRIBUTE       NFWare-vCGNAT-NAT-Addr                  4       ipaddr
+ATTRIBUTE       NFWare-vCGNAT-NAT-Port                  5       short
+ATTRIBUTE       NFWare-vCGNAT-Dest-Addr                 6       ipaddr
+ATTRIBUTE       NFWare-vCGNAT-Dest-Port                 7       short
+ATTRIBUTE       NFWare-vCGNAT-NAT-Port-Start            8       short
+ATTRIBUTE       NFWare-vCGNAT-NAT-Port-End              9       short
+VALUE   NFWare-vCGNAT-Protocol          ICMP                    1
+VALUE   NFWare-vCGNAT-Protocol          TCP                     6
+VALUE   NFWare-vCGNAT-Protocol          UDP                     17
+VALUE   NFWare-vCGNAT-Protocol          GRE                     47
+VALUE   NFWare-vCGNAT-Protocol          OTHER                   0
+ATTRIBUTE       NFWare-vCGNAT-Action                    10      integer
+VALUE   NFWare-vCGNAT-Action            Port-Allocated          1
+VALUE   NFWare-vCGNAT-Action            Port-Freed              2
+VALUE   NFWare-vCGNAT-Action            Session-Created         3
+VALUE   NFWare-vCGNAT-Action            Session-Deleted         4
+VALUE   NFWare-vCGNAT-Action            Port-Block-Allocated    5
+VALUE   NFWare-vCGNAT-Action            Port-Block-Freed        6
+ATTRIBUTE       NFWare-vCGNAT-Direction                 11      integer
+VALUE   NFWare-vCGNAT-Direction         Outbound                0
+VALUE   NFWare-vCGNAT-Direction         Inbound                 1
+VALUE   NFWare-vCGNAT-Direction         None                    2
+ATTRIBUTE       NFWare-vCGNAT-64-Inside-Addr            12      ipv6addr
+ATTRIBUTE       NFWare-vCGNAT-VRF                       13      integer
+END-VENDOR NFWare

dictionaries/dictionary.veesixnetworks

@@ -0,0 +1,5 @@
+VENDOR          VeesixNetworks                          214457
+BEGIN-VENDOR    VeesixNetworks
+
+ATTRIBUTE       VeesixNetworks-CGN-EC-Kafka-Topic                  1       string
+END-VENDOR VeesixNetworks

mods-enabled/always

@@ -0,0 +1,81 @@
+# -*- text -*-
+#
+#  $Id$
+
+#
+#  The "always" module is here for debugging purposes, or
+#  for use in complex policies.
+#  Instance simply returns the same result, always, without
+#  doing anything.
+#
+#  rcode may be one of the following values:
+#  - reject   - Reject the user.
+#  - fail     - Simulate or indicate a failure.
+#  - ok       - Simulate or indicate a success.
+#  - handled  - Indicate that the request has been handled,
+#               stop processing, and send response if set.
+#  - invalid  - Indicate that the request is invalid.
+#  - userlock - Indicate that the user account has been
+#               locked out.
+#  - notfound - Indicate that a user account can't be found.
+#  - noop     - Simulate a no-op.
+#  - updated  - Indicate that the request has been updated.
+#
+#  If an instance is listed in a session {}  section, 
+#  this simulates a user having <integer> sessions.
+#  
+#  simulcount = <integer>
+#
+#  If an instance is listed in a session {}  section, 
+#  this simulates the user having multilink
+#  sessions.
+#
+#  mpp = <integer>
+#
+#  An xlat based on the instance name can be called to change the status
+#  returned by the instance, in this example "always db_status { ... }"
+#
+#  Force the module status to be alive or dead:
+#
+#  %{db_status:alive}
+#  %{db_status:dead}
+#
+#  Update the rcode returned by an alive module (a dead module returns fail):
+#
+#  %{db_status:ok}
+#  %{db_status:fail}
+#  %{db_status:notfound}
+#  ...
+#
+#  The above xlats expand to the current status of the module. To fetch the
+#  current status without affecting it call the xlat with an empty argument:
+#
+#  %{db_status:}
+#
+always reject {
+	rcode = reject
+}
+always fail {
+	rcode = fail
+}
+always ok {
+	rcode = ok
+}
+always handled {
+	rcode = handled
+}
+always invalid {
+	rcode = invalid
+}
+always userlock {
+	rcode = userlock
+}
+always notfound {
+	rcode = notfound
+}
+always noop {
+	rcode = noop
+}
+always updated {
+	rcode = updated
+}

mods-enabled/python3

@@ -0,0 +1,76 @@
+#
+# Make sure the PYTHONPATH environmental variable contains the
+# directory(s) for the modules listed below.
+#
+# Uncomment any func_* which are included in your module. If
+# rlm_python is called for a section which does not have
+# a function defined, it will return NOOP.
+#
+python3 {
+	#  Path to the python modules
+	#
+	#  Note that due to limitations on Python, this configuration
+	#  item is GLOBAL TO THE SERVER.  That is, you cannot have two
+	#  instances of the python module, each with a different path.
+	#
+    python_path="${modconfdir}/${.:name}:/cgn_ec_freeradius:/usr/local/lib/python3.10/dist-packages"
+
+	# How to use "python_path"
+	#
+	#  - "append" - append to system path
+	#  - "prepend" - prepend to the system path
+	#  - "overwrite" - overwrite the system path
+	#
+	#  Note: Take care when using "prepend" - the paths searched
+	#  should not be writeable by any un-trusted users or services
+	#  to avoid overriding standard functionality with malicious code.
+#	python_path_mode = append
+
+	module = kafka_producer
+
+	# Pass all VPS lists as a 6-tuple to the callbacks
+	# (request, reply, config, state, proxy_req, proxy_reply)
+#	pass_all_vps = no
+
+	# Pass all VPS lists as a dictionary to the callbacks
+	# Keys: "request", "reply", "config", "session-state", "proxy-request",
+	#       "proxy-reply"
+	# This option prevales over "pass_all_vps"
+	pass_all_vps_dict = yes
+
+	mod_instantiate = ${.module}
+	func_instantiate = instantiate
+
+#	mod_detach = ${.module}
+#	func_detach = detach
+
+#	mod_authorize = ${.module}
+#	func_authorize = authorize
+
+#	mod_authenticate = ${.module}
+#	func_authenticate = authenticate
+
+#	mod_preacct = ${.module}
+#	func_preacct = preacct
+
+	mod_accounting = ${.module}
+	func_accounting = accounting
+
+#	mod_checksimul = ${.module}
+#	func_checksimul = checksimul
+
+#	mod_pre_proxy = ${.module}
+#	func_pre_proxy = pre_proxy
+
+#	mod_post_proxy = ${.module}
+#	func_post_proxy = post_proxy
+
+#	mod_post_auth = ${.module}
+#	func_post_auth = post_auth
+
+#	mod_recv_coa = ${.module}
+#	func_recv_coa = recv_coa
+
+#	mod_send_coa = ${.module}
+#	func_send_coa = send_coa
+}

policy.d/veesixnetworks

@@ -0,0 +1,13 @@
+populate_cgn_vendor {
+    if (&NFWare-vCGNAT-Action) {
+        update config {
+            VeesixNetworks-CGN-EC-Kafka-Topic = "cgnat.accounting.nfware"
+        }
+
+        # https://docs.nfware.com/en/6.3/nat/logging.html#id6
+        # NFWare CGN does not expect Accounting-Response
+        update control {
+            Response-Packet-Type := "Do-Not-Respond"
+        }
+    }
+}

python3/kafka_producer.py

@@ -0,0 +1,49 @@
+from confluent_kafka import Producer
+import json
+import socket
+import radiusd
+import os
+
+conf = {
+    "bootstrap.servers": os.environ["KAFKA_BOOTSTRAP_SERVER"],
+    "client.id": socket.gethostname(),
+}
+
+producer = Producer(conf)
+
+
+def transform_tuple(data):
+    transformed_dict = {}
+
+    for t in data:
+        k, v = t
+        transformed_dict[k] = v
+
+    return transformed_dict
+
+
+def instantiate(p):
+    print("*** instantiate ***")
+    print(p)
+
+
+"""
+def preacct(p):
+    print("*** preacct ***")
+    print(p)
+    return freeradius.RLM_MODULE_OK
+"""
+
+
+def accounting(p: dict):
+    print("*** accounting ***")
+
+    request = p["request"]
+    config = transform_tuple(p["config"])
+    accounting_attributes = transform_tuple(request)
+    producer.produce(
+        config.get("VeesixNetworks-CGN-EC-Kafka-Topic", "cgnat.accounting.generic"),
+        value=json.dumps(accounting_attributes).encode("UTF-8"),
+    )
+    radiusd.radlog(radiusd.L_DBG, str(accounting_attributes))
+    return radiusd.RLM_MODULE_OK