This is a copy of the old diary, where you can find information on various patches I made in the past.
For new stuff look at my blog.

Below are some hacks/scripts/software I made. A lot of stuff is without any formal documentation, however below you will find some notes.
Some Quick Links (look at the diary below for comments/documentation):

OR Logic patch for IC-Radius (documentation)
WCCPv2 for Linux 2.4
check_ifoperstatus2 Nagios plugin
Alternative REALM format patch ("REALM/username") for IC-Radius
Exec-Program-Acct patch for IC-Radius
checkrad patch for Cisco - IOS 12.1T only!
check_ifoperstatus2 Netsaint plugin
WCCPv2 for Linux patch

IC-Radius: OR Logic patch for IC-Radius (documentation) |  "REALM/username" patch |  Exec-Program-Acct patch |  checkrad patch for Cisco IOS 12.1T 

Mon May 24 21:44:46 2004
parprouted 0.63: a bugfix release which fixes a memory leak which appeared during high loads.
Tue Apr 20 13:53:31 2004
parprouted 0.62: Update to 0.6 which fixes problem with systems checking for IP address conflicts, such as Windows XP.
Tue Jan 6 21:24:17 2004
It's been over year since last updates, happy new year 2004 :)
parprouted 0.5: New version with much improved performance and robustness.
Wed 18 Sep 2002 11:23:34 AM EEST
parprouted 0.42: Fixed bug which resulted in an installation of a route for unfinished ARP entry. More aggressive use of mutexes in the code.
Sun 07 Jul 2002 10:07:10 PM EEST
parprouted 0.4: It seems like a better solution is to refresh ARP entries by periodicly sending ARP requests for them. That would allow for mobile hosts but would have the same stability as using permanent entires. However, behavior of parprouted 0.31 can be returned by supplying "-p" switch.
Sun 07 Jul 2002 11:43:17 AM EEST
parprouted 0.31: now ARP entries are permanent. This increases stability. However, if you have mobile hosts, this can cause you problems.
Sun 07 Jul 2002 12:57:12 AM EEST
New release of parprouted (0.3). Essentially total rewrite, should fix problems with switched/more or less complex networks.
Thu 27 Jun 2002 01:34:01 AM EEST
First release of parprouted, a daemon for transparent IP (Layer 3) proxy ARP bridging. Unlike standard bridging, proxy ARP bridging allows to bridge Ethernet networks behind wireless nodes. Normal Layer 2 bridging does not work between 802.11 wireless nodes because wireless does not know about MAC addresses used in the wired Ethernet networks.
Thu 30 May 2002 10:18:05 PM EEST
First public release of WISP-Dist, an embedded Linux distribution aimed at wireless routers (but it can be used for other purposes).
Sun 12 May 2002 02:11:14 AM EEST
Updates to the IC-RADIUS OR-Logic patch: now proxied attributes will not be replaced by same-type attributes from groups included in "realmgroup" table.
Mon 04 Mar 2002 05:34:59 PM EET
I have modified WCCP v2 patch to support later Linux 2.4.X kernels (tested on 2.4.17, 2.4.9).
Tue 12 Feb 2002 01:00:28 PM EET
New goodies for IC-RADIUS: a patch to add support "REALM/username" for style realms (which can be used by GRIC, for example); as well as an update to OR logic patch to support OR logic for realm's groups (realmgroups table).
Download: OR logic patch Alternative REALM format patch

Thu 13 Dec 2001 08:51:56 PM EET
I was preparing transparent FTP/HTTP Linux-based proxy for use with WCCPv2 Cisco routers. Out of that several patches below were born:

redir-dyndest.patch for redir 2.2.1:
Subject: dynamic transproxy destination patch for redir

I made a small patch for redir in transparent proxy mode. If
--caddr is not specified, then the destination (target)
will be taken out from the original intercepted packets.

This way it permits me to use redir as a generic transparent TCP
frox-transdataports.patch for FROX:
Subject: transparent passive ports patch


I made a small patch to FROX (I guess a bit dirty). It does the
following: passive data ports for transparent PASV connections
are spoofed now. The destination port number given by PASV would
be the same as the one which FROX uses for DNAT redirection, e.g.
in the range defined by PassivePorts. The reason for this is that
I use FROX together with Cisco routers configured for WCCPv2.
WCCPv2 is a protocol which redirects packets to cache servers
according to a certain criteria. I needed a way to detect FTP
data connection packets and therefore made this patch, otherwise
ports would be random and I wouldn't be able to make necessary
access list on Cisco.

Oh, and I cannot use FROX in standard, non-transparent mode
because Cisco PIX firewall drops FTP connection when data
connection IP address is different from control connection IP
wccp2-dynamic-svc.patch for OOPS! proxy server:
Please find attached three patches to the OOPS experimental
release (1.5.21):

1) environment-rh72.patch & gnu_regex.c.diff - for compilation
under RedHat Linux 7.2.
2) wccp2-dynamic-svc.patch - to make dynamic WCCPv2 work.
Protocol field was not set to TCP and service-group ID was
translated to network byte order, which is not needed.
Tue 20 Nov 2001 10:52:04 AM EET
I released a plugin for Netsaint which allows to minitor SNMP interface according to its name, not index number. This helps in cases where interface names on routers change after reboot.
Fri 09 Nov 2001 06:31:59 PM EET.
First version of a patch for Exec-Program-Acct is ready (execution of a program on arrival of RADIUS accounting Start/Stop/... records). Seems to be working, however it is very experimental as only minimal testing was done. Please report any problems. Documentation on how to use it is inside the archive.
Fri 09 Nov 2001 11:07:26 AM EET.
I rechecked and it seems that OR Logic works ok on the 0.18.1. Nevertheless there was a small bit of cisco_hack.patch which got in the latest version I published so I released an update of OR Logic patch.

Sun 04 Nov 2001 09:48:15 PM EET.
Another checkrad patch for Cisco. Adds a new a nas type, cisco_compat (don't forget to change type in the RADIUS server's configs). Should be compatible with both Cisctron and ICRADIUS' checkrad.
This should work on almost all versions of IOS as it uses Cisco POP MGMT MIB, which has been available for a long time. Also it is compatible with both analog and ISDN ports.
Fri 09 Nov 2001 08:29:02 PM EET Update: I found out that it will not work for over 1 PRI. :-(

Thu 16 Aug 2001 02:59:29 PM EEST.
Some tips regarding or_logic.patch for ICRADIUS:
To install patch, you must use "patch" command. For example, run "patch -p1 -s < or_logic.patch" from your ICRadius src/ directory.
To debug how patch works, use "radiusd -sxxxxx" command. The best way is to redirect output of radiusd into a file.

Sun 24 Jun 2001 12:45:28 AM EEST.
Wrote a small CGI script to search IMDB (movie database @ using WAP. Useful when you're out to rent some DVDs...

Sat 05 May 2001 09:58:10 AM EEST.
I forgot to inform that OR groups should now have __OR__ inside them in any place (instead of OR_ in the beginning). This way you can play with their check order (all groups are checked in alphabetical order).
And here is an example of using the patch.

check items:

Caller-Station-Id : 1234
Caller-Station-Id : 2345
Auth-Type: Reject
Fall-Through : Yes

WHAT IT DOES: This group rejects all users whose phone number is in the
blacklist. Because it starts with "=", it will be the first group which
will be checked.

check items:

NAS-IP-Address :
Auth-Type : Accept
Fall-Through : Yes

reply items:

Framed-Protocol : PPP
Service-Type : Framed-User

WHAT IT DOES: Checks that a user is coming from NAS and sets
service type to Framed-User, also has Auth-Type accept, which will remove
all Auth-Type rejects in other groups that follow.

check items:

NAS-IP-Address :
Auth-Type : Accept
Fall-Through : Yes

reply items:

Framed-Protocol : PPP
Service-Type : Framed-User

WHAT IT DOES: Same as for NAS2, but for a different access server

Auth-Type: Reject

WHAT IT DOES: Default catch-all deny rule, starts with "_", so will be 
parsed last. Authentification will be rejected if at least one group
didn't succeed before. For example it is necessary if you have users can
dial only to specific NAS (otherwise, all group checks will be done, and
if user's personal check items are satisfied, authentification will
succeed). It is a good idea to have it just in case you didn't think
about some possible way for a user to get in.

Please note that if user has Auth-Type: Reject in user's personal check
items authentification will fail immidiately as it did before.

Wed 25 Apr 2001 01:59:35 PM GMT+2
A new bugfix update for ICRadius or_logic patch.

Fri 20 Apr 2001 11:15:54 PM GMT+2
Bugfix update for ICRadius or_logic patch.

Wed 18 Apr 2001 10:17:05 PM EEST
Update regarding checkrad patch: it seems that AS5350 doesn't support all AAA Session MIB, so it doesn't work on AS5350. :-(

Sun 15 Apr 2001 02:46:18 AM EEST
checkrad patch for Cisco (AS5300, should work for other IOS based access servers as well). Previously was able to check Simultaneous-Use for analog connections only. After applying this patch check will be performed for both analog & ISDN connections.

Fri 13 Apr 2001 04:39:08 PM EEST
End of cyrus-imapd-sql
I'm extremely sorry but I have changed my setup to Courier IMAP (to make load-balancing/high availability server setup), and no longer work with Cyrus.

Should anybody to continue maintaining, I'll be happy to help.

Mon 02 Apr 2001 02:09:02 PM EEST
New version of or_logic.patch for ICRadius, this time I believe it is safe to call it beta1.
OR logic for group membership: if a group has "Fall-Through = Yes" check item, then if this group check items are not satisfied group's reply items will be removed and authentication will not fail.
OR logic for group check items: if group's name start with "OR_", then all group's check items will be ORed with each other. That means, if one of the check items succeeds, group membership will suceed as well, and group reply items will be added to request reply list. Useful for phone number blacklists.
AND logic for groups:If a group has Auth-Type: Accept check item and group check items are satisfied, then all Auth-Type: Reject's will be removed from the check item lists. This allows for AND logic, where it is required for at least one group membership to succeed, or authentication will fail. Please note that groups are scanned in ALPHABETICAL order, so a good idea is to add a special deny group, like "_ACCESS_CHECK", which has Auth-Type: Reject and will be scanned last (so Auth-Type: Accept groups have a chance to remove the Auth-Type: Reject).
NOT logic for groups:If a group has Auth-Type: Reject check item and group check items are satisfied, then authentication request will fail immediately.

Please note that various types of logic can be combined (where it makes sense). Like, you can combine OR logic for group membership with OR logic for group check items, OR logic for group check items with AND logic for groups and so on.

Wed 07 Mar 2001 11:57:20 AM EET
I have released new version of patch for radiusd. Make sure that all your users have an Auth-Type option. If they do not, then please for an update which will remove this incompatibility.
This new patch provides reduimentary NOT logic: if the group has an Auth-Type attribute set to Reject, then authentication will FAIL if membership within this group SUCCEEDS.

Tue 06 Mar 2001 11:25:13 AM EET
Apache: I updated Apache to ver 1.24 with mod_perl and PHP4 (4.0.4) compiled as DSO. Please note that it requires Perl 5.6, which is available in the apache/perl/ subdirectory (and is a copy of distribution from Mandrake 7.2, which installs rather cleanly on RH6.2).
Alternatively, you can recompile it yourself with your target Perl using SRPMS.
Thu 15 Feb 2001 05:59:43 PM EET
OR logic for groups & check items patch bugfix for a missing check-item (for description, see below).

Thu 15 Feb 2001 04:27:43 PM EET
Chroot BIND 8.2.3 RPMs.

Fri 09 Feb 2001 06:50:33 AM EET
Unfortunately due to a stupid mistake I have deleted all updates until Feb 9 2001. Of you have a recent copy of this page lying somewhere (for example, in your browsers/proxy cache) - please send it to me.
Anyway, patches for Radius:
cisco_hack.patch: a patch for Cistron/ICRadius to correctly handle users with Port no. > 20000 (ISDN users). This patch fixes Framed-IP-Address = a.b.c.d+ behavior. Adds CISCO_HACK define to conf.h.
or_logic.patch: a patch for ICRadius for OR logic for groups & check items.
OR groups: if you put a "Fall-Through" check item in group's check attributes, membership in this group will not be mandatory. That is, if a user fails to satisfy group's requirements, group's reply items will not be added, and authentication will succeed (instead of failing).
OR check items: if a group name starts with an OR_, than all check items in this group have "OR" logic, and only one of them has to be satisfied in order to acquire group membership.

Mon 27 Nov 2000 11:35:46 AM EET
I plan to issue an update to cyrus-imapd-sql, which allows usernames like by default. Stay tuned.

Some recommendations regarding Cyrus-imapd-sql on RedHat 7.0. I don't have RedHat 7.0 installed, and most probably will wait till RedHat 7.1 and stay with 6.2 for now. If you didn't upgrade yet - better not to do it, as there are known problems with the compilers shipped with RH7.
If you will try to compile SRPM, you can have a few problems. If it will start complaining about gdbm.h, move it to /usr/include. Same concerns about bison.simple - move it to /usr/lib.
Also RH7 uses xinetd instead of inetd, so standard post-install RPM script will fail when it will try to install to /etc/inetd.conf.

Wed 12 Jul 2000 10:36:57 AM EEST
Finally updated cyrus-imapd-sql packages to new version of Cyrus IMAP and authcheck (thanks go to Jeremy Howard for essentially doing a complete reprogramming of authcheck).
Download. Also should be available on soon.

Mon 27 Mar 2000 08:12:30 PM EEST
Updated apache+php3+mod_perl package to Apache 1.3.12 (see description somewhere below).

Mon 21 Feb 2000 02:40:03 PM EET
Updates to cyrus-imapd-sql package - new version of authcheck which is more tolerant to database connection errors.

Wed 09 Feb 2000 10:13:51 PM EET
Apache::Session modified to use with Sybase. Courtesy of Mark Landry. Download here.

Fri 14 Jan 2000 11:44:32 PM EET
Ghostscript with HP DeskJet 670/850/880/890/1600 support available in RPM format here (should also be available through

Fri 07 Jan 2000 11:40:29 AM EET: bugfix

Thu 06 Jan 2000 09:37:29 PM EET
MIME::Parser speedup patch
I have made a small patch which speeds Mime::Parser up at least 15-20 times for me. It changes the way MIME part is read from IO::Handle - please note that it wouldn't work for handles which do not support seek() or tell().
Download it here.

Tue 28 Dec 1999 07:54:25 PM EET

Finished rebuilding Apache with builtin mod_perl and php3 with Sybase/IMAP/GD/FreeType support.
apache-1.3.9-13.i386.rpm (and SRPM) should be available locally as well as from
Wed 29 Dec 1999 11:34:29 AM EET: Non-Sybase RPMs are available as well.
Thu 30 Dec 1999 09:19:01 AM EET: changed package names to apache-php3perl, to avoid confusion during upgrades.
cyrus-imapd-1.6.20-3.i386.rpm, cyrus-sasl-1.5.13-6.i386.rpm Wed Dec 22 22:06:02 1999: uploaded to, as well as available locally. Update: The packages are now tuned so that you can easily hook up SQL authentication (see below).
Mon 03 Jan 2000 02:57:54 PM EET: You can find information on how to setup SQL authentication, virtual mail domains and administration CGIs here. The RPMs are repackaged as well.

afio-2.4.6.i386.rpm Tue 21 Dec 1999 11:21:04 AM EET: uploaded to

LogScanner plugin for SNORT and fixes, Thu Dec 16 09:43:13 1999
Update:Sat Dec 18 18:29:36 1999: Some fixes

LogScanner is a nice perl script for real-time log monitoring, which allows you to setup alerts based on several log lines (i.e. several attempts within 5 minutes) and other nice stuff. I made a mod for it to check for snort alerts, and along the way also fixed its sample_functions.mod (wrong log lines could be checked in failed_multiple_* and alert conditions could go unnoticed) and logscanner itself (it didn't use to go idle when no more logs were available, constantly eating 99% of server CPU).

Support for snort - hazard_functions.mod
The same + bugfixes - logscanner_hzdpatch.tar.gz
Apcupsd 3.7.0-beta1 fixes
I made some fixes (actually, hacks) to apcupsd-3.7.0 to make it work over network. Also I hardcoded that apcupsd's network processes drop their priviliges to nobody.

apcupsd-37b1-diffs.tar.gz (readme inside)
isinglass-hzd firewalling script:

WARNING: Outdated. Almost everything is integrated into stock isinglass now.
Download isinglass-hzd
Original version is done by, and it is hoped that they will integrate the new features of isinglass-hzd-1.14 into next release of original isinglass.

From original's README:

IsinGlass is a script which is meant to make the average user's machine more secure when connected to the Internet, for example, when dialing up via a local ISP. The problem is that the average computer is running background processes (daemons) that the average user doesn't even know are running. Many of these have exploits which can allow another user on the Internet to gain access.
This script has been developed for Linux, and does require kernel support for firewalling. Additionally, the "ipfwadm" (or "ipchains" for 2.2 kernels) program must be installed. For RedHat Linux, the standard kernels have firewall support, and the "ipfwadm"/"ipchains" are available in RPM format.

The script is intended to be easy to use for a novice user and can be installed with minimal configuring of the system, especially when using RPM package.
Please report any bugs you find in isinglass-hzd to ME, not to

XWindow Cyrillisation:

update: 14/03/99
Я потерял оригинальный SRPM, так что следующая версия пакета наврядли когда-либо увидит свет. Если хотите - пользуйтесь этой, и после инсталяции добавьте пути к /usr/X11R6/lib/X11/fonts/100dpi, Type1 и Speedo в конец списка шрифтов в /etc/X11/XF86Config (иначе например не будет работать java в нетскейпе - баг текущей версии пакета).

update: 27/12/98
Новая версия с исправленными ошибками!

После установки не забудьте запустить Xconfigurator и Xnetscapesetup !
RPM для тотальной кириллизации X-Window и Netscape Communicator 4.0x насильственными методами (подробности читайте в README).
Bad_XCyrillisation-1.1-4.i386.rpm (
Bad_XCyrillisation-1.1-4.i386.rpm (
Radius-related stuff I use:

WARNING: Outdated. Almost everything is integrated into stock cistron-Radiusd now.
radiusd-cistron- (RH5.0, beta8)

Version of Cistron radiusd I use for authentication/accounting uses of dialup and leased line users.
Has the following patches applied:
MySQL_auth_logging.patch - allows authentication & logging via MySQL, by
hazard.radiusd-cistron-TimeOut.patch - allows setting Session-Timeout attribute via external script. I use this to limit session time of pre-paid dialup users. Original patch made by offset@eunet.yu, I updated it for new radiusd version.
** UPDATED version of the TimeOut patch for cistron-beta18 by Dmitriy Niqiforoff (untested by me): hazard.radiusd-cistron-TimeOut.patch.dniq

radiusd-mysql-accounting.tgz Sample scripts to use with Session-Timeout patch.

I'm also working on a Cistron Radius Server FAQ, you can find it somewhere in the cistron-radius mailing list archives.

Portslave-1.16 with the following patches:
filterid (allows execution of external scripts, with some additions by me)
ppp-setresource (prevent pppd locking up and eating CPU time)
hazard.ivan-realm+ssh-diffs.diff (original by, allows command line parsing for execution from mgetty, passthrough accounts, realms, ssh support, session-timeout support, periodic modem checking)

Standalone patches:
hazard.ivan-realm+ssh-diffs.dif (updated for portslave-1.16-release)
hazard.radiusd-cistron-TimeOut.patch (updated for cistron-radiusd-

As usual, I don't guarantee that this stuff works as desired and there is no support. Especially this concerns portslave, as I didn't test all its features.
However feel free to contact me :-)

Vladimir Ivaschenko <vi -at->
** DO NOT email here: - this is a S P A M trap **