This is a copy of the old diary, where you can find information on various patches I made in the past.
For new stuff look at my blog.
Hmm... Welcome to my "homepage", stranger.
[ I don't want to scare you, so no photograph here ]
Below are some hacks/scripts/software I made. A lot of stuff is without
any formal documentation, however below you will find some
Some Quick Links (look at the diary below for comments/documentation):
OR Logic patch for IC-Radius (documentation)
Alternative REALM format patch ("REALM/username") for IC-Radius
Exec-Program-Acct patch for IC-Radius
checkrad patch for Cisco - IOS 12.1T only!
check_ifoperstatus2 Netsaint plugin
WCCPv2 for Linux patch
Mon May 24 21:44:46 2004
parprouted 0.63: a bugfix release which fixes
a memory leak which appeared during high loads.
Tue Apr 20 13:53:31 2004
parprouted 0.62: Update to 0.6 which fixes
problem with systems checking for IP address conflicts, such as
Tue Jan 6 21:24:17 2004
It's been over year since last updates, happy new year 2004 :)
parprouted 0.5: New version with much improved
performance and robustness.
Wed 18 Sep 2002 11:23:34 AM EEST
parprouted 0.42: Fixed bug which resulted in an
installation of a route for unfinished ARP entry. More aggressive use of
mutexes in the code.
Sun 07 Jul 2002 10:07:10 PM EEST
parprouted 0.4: It seems like a better solution is
to refresh ARP entries by periodicly sending ARP requests for them. That
would allow for mobile hosts but would have the same stability as using
permanent entires. However, behavior of parprouted 0.31 can be returned
by supplying "-p" switch.
Sun 07 Jul 2002 11:43:17 AM EEST
parprouted 0.31: now ARP entries are permanent.
This increases stability. However, if you have mobile hosts, this
can cause you problems.
Sun 07 Jul 2002 12:57:12 AM EEST
New release of parprouted (0.3). Essentially total rewrite, should fix
problems with switched/more or less complex networks.
Thu 27 Jun 2002 01:34:01 AM EEST
First release of parprouted, a daemon for
transparent IP (Layer 3) proxy ARP bridging. Unlike standard bridging, proxy ARP
bridging allows to bridge Ethernet networks behind wireless nodes. Normal Layer 2
bridging does not work between 802.11 wireless nodes because wireless does
not know about MAC addresses used in the wired Ethernet networks.
Thu 30 May 2002 10:18:05 PM EEST
First public release of WISP-Dist, an embedded Linux
distribution aimed at wireless routers (but it can be used for other purposes).
Sun 12 May 2002 02:11:14 AM EEST
Updates to the IC-RADIUS OR-Logic patch: now proxied attributes will not be
replaced by same-type attributes from groups included in "realmgroup" table.
Mon 04 Mar 2002 05:34:59 PM EET
I have modified WCCP v2 patch to support later Linux 2.4.X kernels (tested on 2.4.17, 2.4.9).
Tue 12 Feb 2002 01:00:28 PM EET
New goodies for IC-RADIUS: a patch to add support "REALM/username" for style realms
(which can be used by GRIC, for example); as well as an update to OR logic
patch to support OR logic for realm's groups (realmgroups table).
Download: OR logic patch Alternative REALM format patch
Thu 13 Dec 2001 08:51:56 PM EET
I was preparing transparent FTP/HTTP Linux-based proxy for use with WCCPv2
Cisco routers. Out of that several patches below were born:
redir-dyndest.patch for redir 2.2.1:
Subject: dynamic transproxy destination patch for redir
I made a small patch for redir in transparent proxy mode. If
--caddr is not specified, then the destination (target)
will be taken out from the original intercepted packets.
This way it permits me to use redir as a generic transparent TCP
frox-transdataports.patch for FROX:
Subject: transparent passive ports patch
I made a small patch to FROX (I guess a bit dirty). It does the
following: passive data ports for transparent PASV connections
are spoofed now. The destination port number given by PASV would
be the same as the one which FROX uses for DNAT redirection, e.g.
in the range defined by PassivePorts. The reason for this is that
I use FROX together with Cisco routers configured for WCCPv2.
WCCPv2 is a protocol which redirects packets to cache servers
according to a certain criteria. I needed a way to detect FTP
data connection packets and therefore made this patch, otherwise
ports would be random and I wouldn't be able to make necessary
access list on Cisco.
Oh, and I cannot use FROX in standard, non-transparent mode
because Cisco PIX firewall drops FTP connection when data
connection IP address is different from control connection IP
wccp2-dynamic-svc.patch for OOPS! proxy server:
Please find attached three patches to the OOPS experimental
1) environment-rh72.patch & gnu_regex.c.diff - for compilation
under RedHat Linux 7.2.
2) wccp2-dynamic-svc.patch - to make dynamic WCCPv2 work.
Protocol field was not set to TCP and service-group ID was
translated to network byte order, which is not needed.
Tue 20 Nov 2001 10:52:04 AM EET
I released a plugin for Netsaint which allows to minitor SNMP interface according
to its name, not index number. This helps in cases where interface names on routers change after
Fri 09 Nov 2001 06:31:59 PM EET.
First version of a patch for Exec-Program-Acct is ready (execution of a
program on arrival of RADIUS accounting Start/Stop/... records).
Seems to be working, however it is very experimental as only minimal
testing was done. Please report any problems. Documentation on how to use it
is inside the archive.
Fri 09 Nov 2001 11:07:26 AM EET.
I rechecked and it seems that OR Logic works ok on the 0.18.1. Nevertheless
there was a small bit of cisco_hack.patch which got in the latest version
I published so I released an update of OR Logic patch.
Sun 04 Nov 2001 09:48:15 PM EET.
Another checkrad patch for Cisco. Adds a new a nas type, cisco_compat (don't
forget to change type in the RADIUS server's configs). Should be compatible
with both Cisctron and ICRADIUS' checkrad.
This should work on almost all versions of IOS as it uses Cisco POP MGMT
MIB, which has been available for a long time. Also it is compatible with
both analog and ISDN ports.
Fri 09 Nov 2001 08:29:02 PM EET Update: I found out that it will not work for over 1 PRI. :-(
Thu 16 Aug 2001 02:59:29 PM EEST.
Some tips regarding or_logic.patch for ICRADIUS:
To install patch, you must use "patch" command. For example, run
"patch -p1 -s < or_logic.patch" from your ICRadius src/ directory.
To debug how patch works, use "radiusd -sxxxxx" command. The best way is to
redirect output of radiusd into a file.
Sun 24 Jun 2001 12:45:28 AM EEST.
Wrote a small CGI script to search IMDB (movie database @ http://www.imdb.com) using WAP. Useful when you're out to
rent some DVDs... http://www.hazard.maks.net/wap/imdb.wml
Sat 05 May 2001 09:58:10 AM EEST.
I forgot to inform that OR groups should now have __OR__ inside them
in any place (instead of OR_ in the beginning). This way you can play
with their check order (all groups are checked in alphabetical order).
And here is an example of using the patch.
Caller-Station-Id : 1234
Caller-Station-Id : 2345
Fall-Through : Yes
WHAT IT DOES: This group rejects all users whose phone number is in the
blacklist. Because it starts with "=", it will be the first group which
will be checked.
NAS-IP-Address : 184.108.40.206
Auth-Type : Accept
Fall-Through : Yes
Framed-Protocol : PPP
Service-Type : Framed-User
WHAT IT DOES: Checks that a user is coming from NAS 220.127.116.11 and sets
service type to Framed-User, also has Auth-Type accept, which will remove
all Auth-Type rejects in other groups that follow.
NAS-IP-Address : 18.104.22.168
Auth-Type : Accept
Fall-Through : Yes
Framed-Protocol : PPP
Service-Type : Framed-User
WHAT IT DOES: Same as for NAS2, but for a different access server
WHAT IT DOES: Default catch-all deny rule, starts with "_", so will be
parsed last. Authentification will be rejected if at least one group
didn't succeed before. For example it is necessary if you have users can
dial only to specific NAS (otherwise, all group checks will be done, and
if user's personal check items are satisfied, authentification will
succeed). It is a good idea to have it just in case you didn't think
about some possible way for a user to get in.
Please note that if user has Auth-Type: Reject in user's personal check
items authentification will fail immidiately as it did before.
Wed 25 Apr 2001 01:59:35 PM GMT+2
A new bugfix update for ICRadius or_logic patch.
Fri 20 Apr 2001 11:15:54 PM GMT+2
Bugfix update for ICRadius or_logic patch.
Wed 18 Apr 2001 10:17:05 PM EEST
Update regarding checkrad patch: it seems that AS5350
doesn't support all AAA Session MIB, so it doesn't work on AS5350. :-(
Sun 15 Apr 2001 02:46:18 AM EEST
checkrad patch for Cisco (AS5300, should work for other IOS based
access servers as well). Previously checkrad.pl was able to check Simultaneous-Use
for analog connections only. After applying this patch check will be performed
for both analog & ISDN connections.
Fri 13 Apr 2001 04:39:08 PM EEST
End of cyrus-imapd-sql
I'm extremely sorry but I have changed my setup to Courier IMAP (to make
load-balancing/high availability server setup), and no longer work with
Should anybody to continue maintaining, I'll be happy to help.
Mon 02 Apr 2001 02:09:02 PM EEST
New version of or_logic.patch for ICRadius, this time I believe
it is safe to call it beta1.
OR logic for group membership: if a group has "Fall-Through = Yes"
check item, then if this group check items are not satisfied
group's reply items will be removed and authentication will not fail.
OR logic for group check items: if group's name start with
"OR_", then all group's check items will be ORed with each other. That means,
if one of the check items succeeds, group membership will suceed as well,
and group reply items will be added to request reply list. Useful
for phone number blacklists.
AND logic for groups:If a group has Auth-Type: Accept check item and
group check items are satisfied, then all Auth-Type: Reject's will be removed
from the check item lists. This allows for AND logic, where it is required
for at least one group membership to succeed, or authentication will fail.
Please note that groups are scanned in ALPHABETICAL order, so a good
idea is to add a special deny group, like "_ACCESS_CHECK", which has
Auth-Type: Reject and will be scanned last (so Auth-Type: Accept groups
have a chance to remove the Auth-Type: Reject).
NOT logic for groups:If a group has Auth-Type: Reject check item and
group check items are satisfied, then authentication request will
Please note that various types of logic can be combined (where it makes
sense). Like, you can combine OR logic for group membership with OR logic
for group check items, OR logic for group check items with AND logic for
groups and so on.
Wed 07 Mar 2001 11:57:20 AM EET
I have released new version of patch for radiusd. Make sure
that all your users have an Auth-Type option. If they do not, then
please for an update which will remove this incompatibility.
This new patch provides reduimentary NOT logic: if the group has an
Auth-Type attribute set to Reject, then authentication will FAIL
if membership within this group SUCCEEDS.
Tue 06 Mar 2001 11:25:13 AM EET
Apache: I updated Apache to ver 1.24 with mod_perl and PHP4 (4.0.4) compiled
as DSO. Please note that it requires Perl 5.6, which is available in the
apache/perl/ subdirectory (and is a copy of distribution from Mandrake 7.2,
which installs rather cleanly on RH6.2).
Alternatively, you can recompile it yourself with your target Perl using SRPMS.
Thu 15 Feb 2001 05:59:43 PM EET
OR logic for groups & check items patch bugfix for a missing check-item (for description, see below).
Thu 15 Feb 2001 04:27:43 PM EET
Chroot BIND 8.2.3 RPMs.
Fri 09 Feb 2001 06:50:33 AM EET
Unfortunately due to a stupid mistake I have deleted all updates until
Feb 9 2001. Of you have a recent copy of this page lying somewhere (for example,
in your browsers/proxy cache) - please send it to me.
Anyway, patches for Radius:
cisco_hack.patch: a patch for Cistron/ICRadius
to correctly handle users with Port no. > 20000 (ISDN users). This patch
fixes Framed-IP-Address = a.b.c.d+ behavior. Adds CISCO_HACK define
or_logic.patch: a patch for ICRadius for
OR logic for groups & check items.
OR groups: if you put a "Fall-Through" check item in group's check attributes,
membership in this group will not be mandatory. That is, if a user fails
to satisfy group's requirements, group's reply items will not be added,
and authentication will succeed (instead of failing).
OR check items: if a group name starts with an OR_, than all check items
in this group have "OR" logic, and only one of them has to be satisfied
in order to acquire group membership.
Mon 27 Nov 2000 11:35:46 AM EET
I plan to issue an update to cyrus-imapd-sql, which allows
usernames like email@example.com by default. Stay tuned.
Some recommendations regarding Cyrus-imapd-sql on RedHat 7.0. I don't
have RedHat 7.0 installed, and most probably will wait till RedHat 7.1 and
stay with 6.2 for now. If you didn't upgrade yet - better not to do it,
as there are known problems with the compilers shipped with RH7.
If you will try to compile SRPM, you can have a few problems. If it will
start complaining about gdbm.h, move it to /usr/include. Same concerns
about bison.simple - move it to /usr/lib.
Also RH7 uses xinetd instead of inetd, so standard post-install RPM script
will fail when it will try to install to /etc/inetd.conf.
Wed 12 Jul 2000 10:36:57 AM EEST
Finally updated cyrus-imapd-sql packages to new version of Cyrus IMAP
and authcheck (thanks go to Jeremy Howard for essentially doing a complete
reprogramming of authcheck).
Download. Also should be available on contrib.redhat.com soon.
Mon 27 Mar 2000 08:12:30 PM EEST
Updated apache+php3+mod_perl package to Apache 1.3.12 (see description somewhere below).
Mon 21 Feb 2000 02:40:03 PM EET
Updates to cyrus-imapd-sql package - new version of authcheck
which is more tolerant to database connection errors.
Wed 09 Feb 2000 10:13:51 PM EET
Apache::Session modified to use with Sybase. Courtesy of Mark Landry.
Fri 14 Jan 2000 11:44:32 PM EET
Ghostscript with HP DeskJet 670/850/880/890/1600 support available
in RPM format here (should also be
available through contrib.redhat.com).
Fri 07 Jan 2000 11:40:29 AM EET: bugfix
Thu 06 Jan 2000 09:37:29 PM EET
MIME::Parser speedup patch
I have made a small patch which speeds Mime::Parser up at least 15-20 times
for me. It changes the way MIME part is read from IO::Handle - please
note that it wouldn't work for handles which do not support seek() or
Download it here.
Tue 28 Dec 1999 07:54:25 PM EET
Finished rebuilding Apache with builtin mod_perl and php3 with
apache-1.3.9-13.i386.rpm (and SRPM) should be available
locally as well as from contrib.redhat.com.
Wed 29 Dec 1999 11:34:29 AM EET: Non-Sybase RPMs are
available as well.
Thu 30 Dec 1999 09:19:01 AM EET: changed package names to apache-php3perl,
to avoid confusion during upgrades.
Wed Dec 22 22:06:02 1999: uploaded to incoming.redhat.com, as well
as available locally. Update: The packages are
now tuned so that you can easily hook up SQL authentication (see below).
Mon 03 Jan 2000 02:57:54 PM EET: You can find information
on how to setup SQL authentication, virtual mail domains and administration
CGIs here. The RPMs are repackaged as well.
afio-2.4.6.i386.rpm Tue 21 Dec 1999 11:21:04 AM EET: uploaded to incoming.redhat.com.
LogScanner plugin for SNORT and fixes, Thu Dec 16 09:43:13 1999
Update:Sat Dec 18 18:29:36 1999: Some fixes
LogScanner is a nice perl script for real-time log monitoring,
which allows you to setup alerts based on several log lines (i.e. several
attempts within 5 minutes) and other nice stuff. I made a mod for it
to check for snort alerts, and along the way also fixed its sample_functions.mod
(wrong log lines could be checked in failed_multiple_* and alert conditions could go
logscanner itself (it didn't use to go idle when no more logs were available, constantly eating 99% of server CPU).
Support for snort - hazard_functions.mod
The same + bugfixes - logscanner_hzdpatch.tar.gz
Apcupsd 3.7.0-beta1 fixes
I made some fixes (actually, hacks) to apcupsd-3.7.0 to make it work over network.
Also I hardcoded that apcupsd's network processes drop their priviliges to nobody.
apcupsd-37b1-diffs.tar.gz (readme inside)
isinglass-hzd firewalling script:
WARNING: Outdated. Almost everything is integrated into stock
Original version is done by tummy.com, and it is hoped that they will integrate
the new features of isinglass-hzd-1.14 into next release of original isinglass.
From original tummy.com's README:
IsinGlass is a script which is meant to make the average user's machine
more secure when connected to the Internet, for example, when dialing
up via a local ISP. The problem is that the average computer is running
background processes (daemons) that the average user doesn't even know are
running. Many of these have exploits which can allow another user on the
Internet to gain access.
This script has been developed for Linux, and does require kernel support
for firewalling. Additionally, the "ipfwadm" (or "ipchains" for 2.2
kernels) program must be installed. For RedHat Linux, the standard kernels
have firewall support, and the "ipfwadm"/"ipchains" are available
in RPM format.
The script is intended to be easy to use for a novice user and can be
installed with minimal configuring of the system, especially when using
Please report any bugs you find in isinglass-hzd to ME, not to tummy.com.
Я потерял оригинальный SRPM, так что следующая версия пакета наврядли
когда-либо увидит свет. Если хотите - пользуйтесь этой, и после инсталяции
добавьте пути к /usr/X11R6/lib/X11/fonts/100dpi, Type1 и Speedo в конец
списка шрифтов в /etc/X11/XF86Config (иначе например не будет работать
java в нетскейпе - баг текущей версии пакета).
Новая версия с исправленными ошибками!
После установки не забудьте запустить Xconfigurator и Xnetscapesetup !
RPM для тотальной кириллизации X-Window и Netscape Communicator 4.0x насильственными методами (подробности читайте в README).
Radius-related stuff I use:
WARNING: Outdated. Almost everything is integrated into stock cistron-Radiusd now.
Version of Cistron radiusd I use for authentication/accounting uses of
dialup and leased line users.
Has the following patches applied:
MySQL_auth_logging.patch - allows authentication & logging via MySQL, by firstname.lastname@example.org.
hazard.radiusd-cistron-TimeOut.patch - allows setting Session-Timeout attribute
via external script. I use this to limit session time of pre-paid dialup users.
Original patch made by email@example.com, I updated it for new radiusd version.
** UPDATED version of the TimeOut patch for cistron-beta18 by Dmitriy Niqiforoff (untested by me):
Sample scripts to use with Session-Timeout patch.
I'm also working on a Cistron Radius Server FAQ, you can find it somewhere in the
cistron-radius mailing list archives.
Portslave-1.16 with the following patches:
filterid (allows execution of external scripts, with some additions by me)
ppp-setresource (prevent pppd locking up and eating CPU time)
hazard.ivan-realm+ssh-diffs.diff (original by firstname.lastname@example.org, allows
command line parsing for execution from mgetty, passthrough accounts, realms,
ssh support, session-timeout support, periodic modem checking)
hazard.ivan-realm+ssh-diffs.dif (updated for portslave-1.16-release)
hazard.radiusd-cistron-TimeOut.patch (updated for cistron-radiusd-22.214.171.124-beta8)
As usual, I don't guarantee that this stuff works as desired and there is no support. Especially this concerns portslave, as I didn't test all its features.
However feel free to contact me :-)
Vladimir Ivaschenko <vi -at- maks.net>
** DO NOT email here: email@example.com - this is a S P A M trap **