2 * event.c Server event handling
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
29 #include <freeradius-devel/event.h>
30 #include <freeradius-devel/detail.h>
31 #include <freeradius-devel/radius_snmp.h>
33 #include <freeradius-devel/rad_assert.h>
38 #ifdef HAVE_SYS_WAIT_H
39 # include <sys/wait.h>
42 #define USEC (1000000)
44 extern pid_t radius_pid;
46 extern int check_config;
47 extern void force_log_reopen(void);
50 * Ridiculous amounts of local state.
52 static fr_event_list_t *el = NULL;
53 static fr_packet_list_t *pl = NULL;
54 static int request_num_counter = 0;
55 static struct timeval now;
56 static time_t start_time;
57 static int have_children;
58 static int has_detail_listener = FALSE;
59 static int just_started = FALSE;
62 static int self_pipe[2];
67 static pthread_mutex_t proxy_mutex;
70 #define PTHREAD_MUTEX_LOCK if (have_children) pthread_mutex_lock
71 #define PTHREAD_MUTEX_UNLOCK if (have_children) pthread_mutex_unlock
74 * This is easier than ifdef's throughout the code.
76 #define PTHREAD_MUTEX_LOCK(_x)
77 #define PTHREAD_MUTEX_UNLOCK(_x)
78 #define thread_pool_addrequest radius_handle_request
81 #define INSERT_EVENT(_function, _ctx) if (!fr_event_insert(el, _function, _ctx, &((_ctx)->when), &((_ctx)->ev))) { _rad_panic(__FILE__, __LINE__, "Failed to insert event"); }
84 static fr_packet_list_t *proxy_list = NULL;
87 * We keep the proxy FD's here. The RADIUS Id's are marked
88 * "allocated" per Id, via a bit per proxy FD.
90 static int proxy_fds[32];
91 static rad_listen_t *proxy_listeners[32];
93 #define remove_from_proxy_hash(foo)
96 static void request_post_handler(REQUEST *request);
97 static void wait_a_bit(void *ctx);
98 static void event_socket_handler(fr_event_list_t *xel, UNUSED int fd, void *ctx);
100 static void NEVER_RETURNS _rad_panic(const char *file, unsigned int line,
103 radlog(L_ERR, "[%s:%d] %s", file, line, msg);
107 #define rad_panic(x) _rad_panic(__FILE__, __LINE__, x)
110 static void tv_add(struct timeval *tv, int usec_delay)
112 if (usec_delay > USEC) {
113 tv->tv_sec += usec_delay / USEC;
116 tv->tv_usec += usec_delay;
118 if (tv->tv_usec > USEC) {
125 static void snmp_inc_counters(REQUEST *request)
127 if (!request->root->do_snmp) return;
129 if (request->master_state == REQUEST_COUNTED) return;
131 if ((request->listener->type != RAD_LISTEN_AUTH) &&
132 (request->listener->type != RAD_LISTEN_ACCT)) return;
135 * Update the SNMP statistics.
137 * Note that we do NOT do this in a child thread.
138 * Instead, we update the stats when a request is
139 * deleted, because only the main server thread calls
140 * this function, which makes it thread-safe.
142 switch (request->reply->code) {
143 case PW_AUTHENTICATION_ACK:
144 rad_snmp.auth.total_responses++;
145 rad_snmp.auth.total_access_accepts++;
146 if (request->client && request->client->auth) {
147 request->client->auth->accepts++;
151 case PW_AUTHENTICATION_REJECT:
152 rad_snmp.auth.total_responses++;
153 rad_snmp.auth.total_access_rejects++;
154 if (request->client && request->client->auth) {
155 request->client->auth->rejects++;
159 case PW_ACCESS_CHALLENGE:
160 rad_snmp.auth.total_responses++;
161 rad_snmp.auth.total_access_challenges++;
162 if (request->client && request->client->auth) {
163 request->client->auth->challenges++;
167 #ifdef WITH_ACCOUNTING
168 case PW_ACCOUNTING_RESPONSE:
169 rad_snmp.acct.total_responses++;
170 if (request->client && request->client->acct) {
171 request->client->acct->responses++;
177 * No response, it must have been a bad
181 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
182 rad_snmp.auth.total_bad_authenticators++;
183 if (request->client && request->client->auth) {
184 request->client->auth->bad_authenticators++;
193 request->master_state = REQUEST_COUNTED;
196 #define snmp_inc_counters(_x)
200 static void remove_from_request_hash(REQUEST *request)
202 if (!request->in_request_hash) return;
204 fr_packet_list_yank(pl, request->packet);
205 request->in_request_hash = FALSE;
207 snmp_inc_counters(request);
212 static REQUEST *lookup_in_proxy_hash(RADIUS_PACKET *reply)
214 RADIUS_PACKET **proxy_p;
217 PTHREAD_MUTEX_LOCK(&proxy_mutex);
218 proxy_p = fr_packet_list_find_byreply(proxy_list, reply);
221 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
225 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
228 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
232 request->num_proxied_responses++;
235 * Catch the most common case of everything working
238 if (request->num_proxied_requests == request->num_proxied_responses) {
239 fr_packet_list_yank(proxy_list, request->proxy);
240 fr_packet_list_id_free(proxy_list, request->proxy);
241 request->in_proxy_hash = FALSE;
245 * On the FIRST reply, decrement the count of outstanding
246 * requests. Note that this is NOT the count of sent
247 * packets, but whether or not the home server has
250 if (!request->proxy_reply &&
251 request->home_server->currently_outstanding) {
252 request->home_server->currently_outstanding--;
255 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
261 static void remove_from_proxy_hash(REQUEST *request)
263 if (!request->in_proxy_hash) return;
265 PTHREAD_MUTEX_LOCK(&proxy_mutex);
266 fr_packet_list_yank(proxy_list, request->proxy);
267 fr_packet_list_id_free(proxy_list, request->proxy);
270 * The home server hasn't replied, but we've given up on
271 * this request. Don't count this request against the
274 if (!request->proxy_reply &&
275 request->home_server->currently_outstanding) {
276 request->home_server->currently_outstanding--;
279 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
281 request->in_proxy_hash = FALSE;
285 static int insert_into_proxy_hash(REQUEST *request)
290 rad_assert(request->proxy != NULL);
291 rad_assert(proxy_list != NULL);
293 request->proxy->sockfd = -1;
295 PTHREAD_MUTEX_LOCK(&proxy_mutex);
297 request->home_server->currently_outstanding++;
298 request->home_server->total_requests_sent++;
301 * On overflow, back up to ~0.
303 if (!request->home_server->total_requests_sent) {
304 request->home_server->total_requests_sent--;
307 if (!fr_packet_list_id_alloc(proxy_list, request->proxy)) {
309 rad_listen_t *proxy_listener;
312 * Allocate a new proxy fd. This function adds
313 * it to the tail of the list of listeners. With
314 * some care, this can be thread-safe.
316 proxy_listener = proxy_new_listener();
317 if (!proxy_listener) {
318 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
319 DEBUG2("ERROR: Failed to create a new socket for proxying requests.");
327 proxy = proxy_listener->fd;
328 for (i = 0; i < 32; i++) {
330 * Found a free entry. Save the socket,
331 * and remember where we saved it.
333 if (proxy_fds[(proxy + i) & 0x1f] == -1) {
334 found = (proxy + i) & 0x1f;
335 proxy_fds[found] = proxy;
336 proxy_listeners[found] = proxy_listener;
340 rad_assert(found >= 0);
342 if (!fr_packet_list_socket_add(proxy_list, proxy_listener->fd)) {
343 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
344 DEBUG2("ERROR: Failed to create a new socket for proxying requests.");
349 if (!fr_packet_list_id_alloc(proxy_list, request->proxy)) {
350 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
351 DEBUG2("ERROR: Failed to create a new socket for proxying requests.");
356 * Signal the main thread to add the new FD to the list
359 radius_signal_self(RADIUS_SIGNAL_SELF_NEW_FD);
361 rad_assert(request->proxy->sockfd >= 0);
364 * FIXME: Hack until we get rid of rad_listen_t, and put
365 * the information into the packet_list.
368 for (i = 0; i < 32; i++) {
369 if (proxy_fds[i] == request->proxy->sockfd) {
376 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
377 DEBUG2("ERROR: All sockets are full.");
381 rad_assert(proxy_fds[proxy] != -1);
382 rad_assert(proxy_listeners[proxy] != NULL);
383 request->proxy_listener = proxy_listeners[proxy];
385 if (!fr_packet_list_insert(proxy_list, &request->proxy)) {
386 fr_packet_list_id_free(proxy_list, request->proxy);
387 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
388 DEBUG2("ERROR: Failed to insert entry into proxy list");
392 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
394 DEBUG3(" proxy: allocating destination %s port %d - Id %d",
395 inet_ntop(request->proxy->dst_ipaddr.af,
396 &request->proxy->dst_ipaddr.ipaddr, buf, sizeof(buf)),
397 request->proxy->dst_port,
400 request->in_proxy_hash = TRUE;
407 * Called as BOTH an event, and in-line from other functions.
409 static void wait_for_proxy_id_to_expire(void *ctx)
411 REQUEST *request = ctx;
412 home_server *home = request->home_server;
414 rad_assert(request->magic == REQUEST_MAGIC);
415 rad_assert(request->proxy != NULL);
417 if (!fr_event_now(el, &now)) gettimeofday(&now, NULL);
418 request->when = request->proxy_when;
419 request->when.tv_sec += home->response_window;
421 if ((request->num_proxied_requests == request->num_proxied_responses) ||
422 timercmp(&now, &request->when, >)) {
423 if (request->packet) {
424 DEBUG2("Cleaning up request %d ID %d with timestamp +%d",
425 request->number, request->packet->id,
426 (unsigned int) (request->timestamp - start_time));
428 DEBUG2("Cleaning up request %d with timestamp +%d",
430 (unsigned int) (request->timestamp - start_time));
432 fr_event_delete(el, &request->ev);
433 remove_from_proxy_hash(request);
434 remove_from_request_hash(request);
435 request_free(&request);
439 INSERT_EVENT(wait_for_proxy_id_to_expire, request);
444 * If we don't have pthreads, we MAY be proxying.
445 * If we don't have either, then this function isn't necessary.
447 #if defined(HAVE_PTHREAD_H) || defined(WITH_PROXY)
448 static void wait_for_child_to_die(void *ctx)
450 REQUEST *request = ctx;
452 rad_assert(request->magic == REQUEST_MAGIC);
454 if ((request->child_state == REQUEST_QUEUED) |
455 (request->child_state == REQUEST_RUNNING)) {
456 request->delay += (request->delay >> 1);
457 tv_add(&request->when, request->delay);
459 DEBUG2("Child is still stuck for request %d", request->number);
461 INSERT_EVENT(wait_for_child_to_die, request);
465 DEBUG2("Child is finally responsive for request %d", request->number);
466 remove_from_request_hash(request);
469 if (request->proxy) {
470 wait_for_proxy_id_to_expire(request);
475 request_free(&request);
479 static void cleanup_delay(void *ctx)
481 REQUEST *request = ctx;
483 rad_assert(request->magic == REQUEST_MAGIC);
484 rad_assert((request->child_state == REQUEST_CLEANUP_DELAY) ||
485 (request->child_state == REQUEST_DONE));
487 remove_from_request_hash(request);
490 if (request->proxy && request->in_proxy_hash) {
491 wait_for_proxy_id_to_expire(request);
496 DEBUG2("Cleaning up request %d ID %d with timestamp +%d",
497 request->number, request->packet->id,
498 (unsigned int) (request->timestamp - start_time));
500 fr_event_delete(el, &request->ev);
501 request_free(&request);
505 static void reject_delay(void *ctx)
507 REQUEST *request = ctx;
509 rad_assert(request->magic == REQUEST_MAGIC);
510 rad_assert(request->child_state == REQUEST_REJECT_DELAY);
512 DEBUG2("Sending delayed reject for request %d", request->number);
514 request->listener->send(request->listener, request);
516 request->when.tv_sec += request->root->cleanup_delay;
517 request->child_state = REQUEST_CLEANUP_DELAY;
519 INSERT_EVENT(cleanup_delay, request);
524 static void revive_home_server(void *ctx)
526 home_server *home = ctx;
529 home->state = HOME_STATE_ALIVE;
530 radlog(L_INFO, "PROXY: Marking home server %s port %d alive again... we have no idea if it really is alive or not.",
531 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
532 buffer, sizeof(buffer)),
534 home->currently_outstanding = 0;
538 static void no_response_to_ping(void *ctx)
540 REQUEST *request = ctx;
541 home_server *home = request->home_server;
544 home->num_received_pings = 0;
546 DEBUG2("No response to status check %d from home server %s port %d",
548 inet_ntop(request->proxy->dst_ipaddr.af,
549 &request->proxy->dst_ipaddr.ipaddr,
550 buffer, sizeof(buffer)),
551 request->proxy->dst_port);
553 wait_for_proxy_id_to_expire(request);
557 static void received_response_to_ping(REQUEST *request)
559 home_server *home = request->home_server;
562 home->num_received_pings++;
564 DEBUG2("Received response to status check %d (%d in current sequence)",
565 request->number, home->num_received_pings);
567 if (home->num_received_pings < home->num_pings_to_alive) {
568 wait_for_proxy_id_to_expire(request);
572 radlog(L_INFO, "PROXY: Marking home server %s port %d alive",
573 inet_ntop(request->proxy->dst_ipaddr.af,
574 &request->proxy->dst_ipaddr.ipaddr,
575 buffer, sizeof(buffer)),
576 request->proxy->dst_port);
578 if (!fr_event_delete(el, &home->ev)) {
579 DEBUG2("Hmm... no event for home server, WTF?");
582 if (!fr_event_delete(el, &request->ev)) {
583 DEBUG2("Hmm... no event for request, WTF?");
586 wait_for_proxy_id_to_expire(request);
588 home->state = HOME_STATE_ALIVE;
589 home->currently_outstanding = 0;
593 static void ping_home_server(void *ctx)
596 home_server *home = ctx;
600 if (home->state == HOME_STATE_ALIVE) {
601 radlog(L_INFO, "Suspicious proxy state... continuing");
605 request = request_alloc();
606 request->number = request_num_counter++;
608 request->proxy = rad_alloc(1);
609 rad_assert(request->proxy != NULL);
611 fr_event_now(el, &request->when);
612 home->when = request->when;
614 if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) {
615 request->proxy->code = PW_STATUS_SERVER;
617 radius_pairmake(request, &request->proxy->vps,
618 "Message-Authenticator", "0x00", T_OP_SET);
620 } else if (home->type == HOME_TYPE_AUTH) {
621 request->proxy->code = PW_AUTHENTICATION_REQUEST;
623 radius_pairmake(request, &request->proxy->vps,
624 "User-Name", home->ping_user_name, T_OP_SET);
625 radius_pairmake(request, &request->proxy->vps,
626 "User-Password", home->ping_user_password, T_OP_SET);
627 radius_pairmake(request, &request->proxy->vps,
628 "Service-Type", "Authenticate-Only", T_OP_SET);
629 radius_pairmake(request, &request->proxy->vps,
630 "Message-Authenticator", "0x00", T_OP_SET);
633 #ifdef WITH_ACCOUNTING
634 request->proxy->code = PW_ACCOUNTING_REQUEST;
636 radius_pairmake(request, &request->proxy->vps,
637 "User-Name", home->ping_user_name, T_OP_SET);
638 radius_pairmake(request, &request->proxy->vps,
639 "Acct-Status-Type", "Stop", T_OP_SET);
640 radius_pairmake(request, &request->proxy->vps,
641 "Acct-Session-Id", "00000000", T_OP_SET);
642 vp = radius_pairmake(request, &request->proxy->vps,
643 "Event-Timestamp", "0", T_OP_SET);
644 vp->vp_date = now.tv_sec;
646 rad_assert("Internal sanity check failed");
650 radius_pairmake(request, &request->proxy->vps,
651 "NAS-Identifier", "Status Check. Are you alive?",
654 request->proxy->dst_ipaddr = home->ipaddr;
655 request->proxy->dst_port = home->port;
656 request->home_server = home;
658 rad_assert(request->proxy_listener == NULL);
660 if (!insert_into_proxy_hash(request)) {
661 DEBUG2("ERROR: Failed inserting status check %d into proxy hash. Discarding it.",
663 request_free(&request);
666 rad_assert(request->proxy_listener != NULL);
667 request->proxy_listener->send(request->proxy_listener,
670 request->next_callback = NULL;
671 request->child_state = REQUEST_PROXIED;
672 request->when.tv_sec += home->ping_timeout;;
674 INSERT_EVENT(no_response_to_ping, request);
677 * Add +/- 2s of jitter, as suggested in RFC 3539
678 * and in the Issues and Fixes draft.
680 home->when.tv_sec += home->ping_interval - 2;
683 jitter ^= (jitter >> 10);
684 jitter &= ((1 << 23) - 1); /* 22 bits of 1 */
686 tv_add(&home->when, jitter);
689 INSERT_EVENT(ping_home_server, home);
693 static void check_for_zombie_home_server(REQUEST *request)
699 home = request->home_server;
701 if (home->state != HOME_STATE_ZOMBIE) return;
703 when = home->zombie_period_start;
704 when.tv_sec += home->zombie_period;
706 fr_event_now(el, &now);
707 if (timercmp(&now, &when, <)) {
712 * It's been a zombie for too long, mark it as
715 radlog(L_INFO, "PROXY: Marking home server %s port %d as dead.",
716 inet_ntop(request->proxy->dst_ipaddr.af,
717 &request->proxy->dst_ipaddr.ipaddr,
718 buffer, sizeof(buffer)),
719 request->proxy->dst_port);
720 home->state = HOME_STATE_IS_DEAD;
721 home->num_received_pings = 0;
722 home->when = request->when;
724 if (home->ping_check != HOME_PING_CHECK_NONE) {
725 rad_assert((home->ping_check == HOME_PING_CHECK_STATUS_SERVER) ||
726 (home->ping_user_name != NULL));
727 home->when.tv_sec += home->ping_interval;
729 INSERT_EVENT(ping_home_server, home);
731 home->when.tv_sec += home->revive_interval;
733 INSERT_EVENT(revive_home_server, home);
737 static int proxy_to_virtual_server(REQUEST *request);
739 static int virtual_server_handler(UNUSED REQUEST *request)
741 proxy_to_virtual_server(request);
745 static void proxy_fallback_handler(REQUEST *request)
748 * A proper time is required for wait_a_bit.
750 request->delay = USEC / 10;
751 gettimeofday(&now, NULL);
752 request->next_when = now;
753 tv_add(&request->next_when, request->delay);
754 request->next_callback = wait_a_bit;
757 * Re-queue the request.
759 request->child_state = REQUEST_QUEUED;
761 rad_assert(request->proxy != NULL);
762 if (!thread_pool_addrequest(request, virtual_server_handler)) {
763 request->child_state = REQUEST_DONE;
766 #ifdef HAVE_PTHREAD_H
768 * MAY free the request if we're over max_request_time,
769 * AND we're not in threaded mode!
771 * Note that we call this ONLY if we're threaded, as
772 * if we're NOT threaded, request_post_handler() calls
773 * wait_a_bit(), which means that "request" may not
776 if (have_children) wait_a_bit(request);
781 static int setup_post_proxy_fail(REQUEST *request)
783 DICT_VALUE *dval = NULL;
786 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
787 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-Authentication");
789 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
790 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-Accounting");
796 if (!dval) dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail");
799 pairdelete(&request->config_items, PW_POST_PROXY_TYPE);
803 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE);
804 if (!vp) vp = radius_paircreate(request, &request->config_items,
805 PW_POST_PROXY_TYPE, PW_TYPE_INTEGER);
806 vp->vp_integer = dval->value;
808 rad_assert(request->proxy_reply == NULL);
814 static int null_handler(UNUSED REQUEST *request)
819 static void post_proxy_fail_handler(REQUEST *request)
822 * A proper time is required for wait_a_bit.
824 request->delay = USEC / 10;
825 gettimeofday(&now, NULL);
828 * Not set up to run Post-Proxy-Type = Fail.
830 * Mark the request as still running, and figure out what
833 if (!setup_post_proxy_fail(request)) {
834 request->child_state = REQUEST_RUNNING;
835 request_post_handler(request);
839 * Re-queue the request.
841 request->child_state = REQUEST_QUEUED;
844 * There is a post-proxy-type of fail. We run
845 * the request through the pre/post proxy
846 * handlers, just like it was a real proxied
847 * request. However, we set the per-request
848 * handler to NULL, as we don't want to do
851 * Note that when we're not threaded, this will
852 * process the request even if it's greater than
853 * max_request_time. That's not fatal.
855 request->priority = 0;
856 rad_assert(request->proxy != NULL);
857 thread_pool_addrequest(request, null_handler);
861 * MAY free the request if we're over max_request_time,
862 * AND we're not in threaded mode!
864 * Note that we call this ONLY if we're threaded, as
865 * if we're NOT threaded, request_post_handler() calls
866 * wait_a_bit(), which means that "request" may not
869 if (have_children) wait_a_bit(request);
873 /* maybe check this against wait_for_proxy_id_to_expire? */
874 static void no_response_to_proxied_request(void *ctx)
876 REQUEST *request = ctx;
880 rad_assert(request->magic == REQUEST_MAGIC);
881 rad_assert(request->child_state == REQUEST_PROXIED);
884 * If we've failed over to an internal home server,
885 * replace the callback with the correct one. This
886 * is due to locking issues with child threads...
888 if (request->home_server->server) {
893 radlog(L_ERR, "Rejecting request %d due to lack of any response from home server %s port %d",
895 inet_ntop(request->proxy->dst_ipaddr.af,
896 &request->proxy->dst_ipaddr.ipaddr,
897 buffer, sizeof(buffer)),
898 request->proxy->dst_port);
900 check_for_zombie_home_server(request);
902 home = request->home_server;
904 post_proxy_fail_handler(request);
907 * Don't touch request due to race conditions
909 if (home->state == HOME_STATE_IS_DEAD) {
910 rad_assert(home->ev != NULL); /* or it will never wake up */
915 * Enable the zombie period when we notice that the home
916 * server hasn't responded. We also back-date the start
917 * of the zombie period to when the proxied request was
920 if (home->state == HOME_STATE_ALIVE) {
921 radlog(L_ERR, "PROXY: Marking home server %s port %d as zombie (it looks like it is dead).",
922 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
923 buffer, sizeof(buffer)),
925 home->state = HOME_STATE_ZOMBIE;
926 home->zombie_period_start = now;
927 home->zombie_period_start.tv_sec -= home->response_window;
933 static void wait_a_bit(void *ctx)
936 REQUEST *request = ctx;
937 fr_event_callback_t callback = NULL;
939 rad_assert(request->magic == REQUEST_MAGIC);
941 switch (request->child_state) {
943 case REQUEST_RUNNING:
944 when = request->received;
945 when.tv_sec += request->root->max_request_time;
948 * Normally called from the event loop with the
949 * proper event loop time. Otherwise, called from
950 * post proxy fail handler, which sets "now", and
951 * this call won't re-set it, because we're not
954 fr_event_now(el, &now);
957 * Request still has more time. Continue
960 if (timercmp(&now, &when, <) ||
961 ((request->listener->type == RAD_LISTEN_DETAIL) &&
962 (request->child_state == REQUEST_QUEUED))) {
963 if (request->delay < (USEC / 10)) {
964 request->delay = USEC / 10;
966 request->delay += request->delay >> 1;
970 * Cap wait at some sane value for detail
973 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
974 (request->delay > (request->root->max_request_time * USEC))) {
975 request->delay = request->root->max_request_time * USEC;
980 tv_add(&request->when, request->delay);
981 callback = wait_a_bit;
985 #if defined(HAVE_PTHREAD_H) || defined(WITH_PROXY)
987 * A child thread MAY still be running on the
988 * request. Ask the thread to stop working on
992 /* FIXME: kill unresponsive children? */
995 * Print this error message ONLY if
996 * there's a child currently processing
997 * the request. As we don't have thread
998 * locks here, there may be race
999 * conditions on this check. But it's
1000 * just an error message, so that's OK.
1002 if (request->child_pid != NO_SUCH_CHILD_PID) {
1003 radlog(L_ERR, "WARNING: Unresponsive child (id %lu) for request %d, in module %s component %s",
1004 (unsigned long)request->child_pid, request->number,
1005 request->module ? request->module : "<server core>",
1006 request->component ? request->component : "<server core>");
1009 request->master_state = REQUEST_STOP_PROCESSING;
1011 request->delay = USEC / 4;
1012 tv_add(&request->when, request->delay);
1013 callback = wait_for_child_to_die;
1019 * Else there are no child threads. We probably
1020 * should have just marked the request as 'done'
1021 * elsewhere, like in the post-proxy-fail
1022 * handler. But doing that would involve
1023 * checking for max_request_time in multiple
1024 * places, so this may be simplest.
1026 request->child_state = REQUEST_DONE;
1030 * Mark the request as no longer running,
1034 #ifdef HAVE_PTHREAD_H
1035 request->child_pid = NO_SUCH_CHILD_PID;
1037 snmp_inc_counters(request);
1038 cleanup_delay(request);
1041 case REQUEST_REJECT_DELAY:
1042 case REQUEST_CLEANUP_DELAY:
1043 #ifdef HAVE_PTHREAD_H
1044 request->child_pid = NO_SUCH_CHILD_PID;
1046 snmp_inc_counters(request);
1048 case REQUEST_PROXIED:
1049 rad_assert(request->next_callback != NULL);
1050 rad_assert(request->next_callback != wait_a_bit);
1052 request->when = request->next_when;
1053 callback = request->next_callback;
1054 request->next_callback = NULL;
1058 rad_panic("Internal sanity check failure");
1063 * Something major went wrong. Discard the request, and
1066 * FIXME: No idea why this happens or how to fix it...
1067 * It seems to happen *only* when requests are proxied,
1068 * and where the home server doesn't respond. So it looks
1069 * like a race condition above, but it happens in debug
1070 * mode, with no threads...
1073 DEBUG("WARNING: Internal sanity check failed in event handler for request %d: Discarding the request!", request->number);
1074 fr_event_delete(el, &request->ev);
1075 remove_from_proxy_hash(request);
1076 remove_from_request_hash(request);
1077 request_free(&request);
1081 INSERT_EVENT(callback, request);
1086 static int process_proxy_reply(REQUEST *request)
1089 int post_proxy_type = 0;
1093 * Delete any reply we had accumulated until now.
1095 pairfree(&request->reply->vps);
1098 * Run the packet through the post-proxy stage,
1099 * BEFORE playing games with the attributes.
1101 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE);
1103 DEBUG2(" Found Post-Proxy-Type %s", vp->vp_strvalue);
1104 post_proxy_type = vp->vp_integer;
1107 rad_assert(request->home_pool != NULL);
1109 if (request->home_pool->virtual_server) {
1110 const char *old_server = request->server;
1112 request->server = request->home_pool->virtual_server;
1113 DEBUG2(" server %s {", request->server);
1114 rcode = module_post_proxy(post_proxy_type, request);
1116 request->server = old_server;
1118 rcode = module_post_proxy(post_proxy_type, request);
1122 * There may NOT be a proxy reply, as we may be
1123 * running Post-Proxy-Type = Fail.
1125 if (request->proxy_reply) {
1127 * Delete the Proxy-State Attributes from
1128 * the reply. These include Proxy-State
1129 * attributes from us and remote server.
1131 pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE);
1134 * Add the attributes left in the proxy
1135 * reply to the reply list.
1137 pairadd(&request->reply->vps, request->proxy_reply->vps);
1138 request->proxy_reply->vps = NULL;
1141 * Free proxy request pairs.
1143 pairfree(&request->proxy->vps);
1147 default: /* Don't do anything */
1149 case RLM_MODULE_FAIL:
1150 /* FIXME: debug print stuff */
1151 request->child_state = REQUEST_DONE;
1154 case RLM_MODULE_HANDLED:
1155 /* FIXME: debug print stuff */
1156 request->child_state = REQUEST_DONE;
1164 static int request_pre_handler(REQUEST *request)
1168 rad_assert(request->magic == REQUEST_MAGIC);
1169 rad_assert(request->packet != NULL);
1171 request->child_state = REQUEST_RUNNING;
1174 * Don't decode the packet if it's an internal "fake"
1175 * request. Instead, just return so that the caller can
1178 if (request->packet->dst_port == 0) {
1179 request->username = pairfind(request->packet->vps,
1181 request->password = pairfind(request->packet->vps,
1188 * Put the decoded packet into it's proper place.
1190 if (request->proxy_reply != NULL) {
1191 rcode = request->proxy_listener->decode(request->proxy_listener,
1195 if (request->packet->vps == NULL) {
1196 rcode = request->listener->decode(request->listener, request);
1203 radlog(L_ERR, "%s Dropping packet without response.", librad_errstr);
1204 request->child_state = REQUEST_DONE;
1209 if (!request->proxy)
1212 request->username = pairfind(request->packet->vps,
1217 return process_proxy_reply(request);
1227 * Do state handling when we proxy a request.
1229 static int proxy_request(REQUEST *request)
1231 struct timeval when;
1234 if (request->home_server->server) {
1235 DEBUG("ERROR: Cannot perform real proxying to a virtual server.");
1239 if (!insert_into_proxy_hash(request)) {
1240 DEBUG("ERROR: Failed inserting request into proxy hash.");
1244 request->proxy_listener->encode(request->proxy_listener, request);
1246 when = request->received;
1247 when.tv_sec += request->root->max_request_time;
1249 gettimeofday(&request->proxy_when, NULL);
1251 request->next_when = request->proxy_when;
1252 request->next_when.tv_sec += request->home_server->response_window;
1254 rad_assert(request->home_server->response_window > 0);
1256 if (timercmp(&when, &request->next_when, <)) {
1257 request->next_when = when;
1259 request->next_callback = no_response_to_proxied_request;
1261 DEBUG2("Proxying request %d to home server %s port %d",
1263 inet_ntop(request->proxy->dst_ipaddr.af,
1264 &request->proxy->dst_ipaddr.ipaddr,
1265 buffer, sizeof(buffer)),
1266 request->proxy->dst_port);
1269 * Note that we set proxied BEFORE sending the packet.
1271 * Once we send it, the request is tainted, as
1272 * another thread may have picked it up. Don't
1275 request->num_proxied_requests = 1;
1276 request->num_proxied_responses = 0;
1277 #ifdef HAVE_PTHREAD_H
1278 request->child_pid = NO_SUCH_CHILD_PID;
1280 request->child_state = REQUEST_PROXIED;
1281 request->proxy_listener->send(request->proxy_listener,
1288 * "Proxy" the request by sending it to a new virtual server.
1290 static int proxy_to_virtual_server(REQUEST *request)
1293 RAD_REQUEST_FUNP fun;
1295 if (!request->home_server || !request->home_server->server) return 0;
1297 if (request->parent) {
1298 DEBUG2("WARNING: Cancelling proxy request to virtual server %s as this request was itself proxied.", request->home_server->server);
1302 fake = request_alloc_fake(request);
1304 DEBUG2("WARNING: Out of memory");
1308 fake->packet->vps = paircopy(request->proxy->vps);
1309 fake->server = request->home_server->server;
1311 if (request->proxy->code == PW_AUTHENTICATION_REQUEST) {
1312 fun = rad_authenticate;
1314 #ifdef WITH_ACCOUNTING
1315 } else if (request->proxy->code == PW_ACCOUNTING_REQUEST) {
1316 fun = rad_accounting;
1320 DEBUG2("Unknown packet type %d", request->proxy->code);
1324 DEBUG2(">>> Sending proxied request internally to virtual server.");
1325 radius_handle_request(fake, fun);
1326 DEBUG2("<<< Received proxied response from internal virtual server.");
1328 request->proxy_reply = fake->reply;
1331 request_free(&fake);
1333 process_proxy_reply(request);
1336 return 2; /* success, but NOT '1' !*/
1341 * Return 1 if we did proxy it, or the proxy attempt failed
1342 * completely. Either way, the caller doesn't touch the request
1343 * any more if we return 1.
1345 static int successfully_proxied_request(REQUEST *request)
1348 int pre_proxy_type = 0;
1349 VALUE_PAIR *realmpair;
1350 VALUE_PAIR *strippedname;
1354 REALM *realm = NULL;
1358 * If it was already proxied, do nothing.
1360 * FIXME: This should really be a serious error.
1362 if (request->in_proxy_hash) {
1366 realmpair = pairfind(request->config_items, PW_PROXY_TO_REALM);
1367 if (!realmpair || (realmpair->length == 0)) {
1371 realmname = (char *) realmpair->vp_strvalue;
1373 realm = realm_find2(realmname);
1375 DEBUG2("ERROR: Cannot proxy to unknown realm %s", realmname);
1380 * Figure out which pool to use.
1382 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
1383 pool = realm->auth_pool;
1385 #ifdef WITH_ACCOUNTING
1386 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
1387 pool = realm->acct_pool;
1391 rad_panic("Internal sanity check failed");
1395 DEBUG2(" WARNING: Cancelling proxy to Realm %s, as the realm is local.",
1400 home = home_server_ldb(realmname, pool, request);
1402 DEBUG2("ERROR: Failed to find live home server for realm %s",
1406 request->home_pool = pool;
1409 * Remember that we sent the request to a Realm.
1411 pairadd(&request->packet->vps,
1412 pairmake("Realm", realmname, T_OP_EQ));
1416 * We read the packet from a detail file, AND it came from
1417 * the server we're about to send it to. Don't do that.
1419 if ((request->packet->code == PW_ACCOUNTING_REQUEST) &&
1420 (request->listener->type == RAD_LISTEN_DETAIL) &&
1421 (home->ipaddr.af == AF_INET) &&
1422 (request->packet->src_ipaddr.af == AF_INET) &&
1423 (home->ipaddr.ipaddr.ip4addr.s_addr == request->packet->src_ipaddr.ipaddr.ip4addr.s_addr)) {
1424 DEBUG2(" rlm_realm: Packet came from realm %s, proxy cancelled", realmname);
1430 * Allocate the proxy packet, only if it wasn't already
1431 * allocated by a module. This check is mainly to support
1432 * the proxying of EAP-TTLS and EAP-PEAP tunneled requests.
1434 * In those cases, the EAP module creates a "fake"
1435 * request, and recursively passes it through the
1436 * authentication stage of the server. The module then
1437 * checks if the request was supposed to be proxied, and
1438 * if so, creates a proxy packet from the TUNNELED request,
1439 * and not from the EAP request outside of the tunnel.
1441 * The proxy then works like normal, except that the response
1442 * packet is "eaten" by the EAP module, and encapsulated into
1445 if (!request->proxy) {
1446 if ((request->proxy = rad_alloc(TRUE)) == NULL) {
1447 radlog(L_ERR|L_CONS, "no memory");
1452 * Copy the request, then look up name and
1453 * plain-text password in the copy.
1455 * Note that the User-Name attribute is the
1456 * *original* as sent over by the client. The
1457 * Stripped-User-Name attribute is the one hacked
1458 * through the 'hints' file.
1460 request->proxy->vps = paircopy(request->packet->vps);
1464 * Strip the name, if told to.
1466 * Doing it here catches the case of proxied tunneled
1469 if (realm->striprealm == TRUE &&
1470 (strippedname = pairfind(request->proxy->vps, PW_STRIPPED_USER_NAME)) != NULL) {
1472 * If there's a Stripped-User-Name attribute in
1473 * the request, then use THAT as the User-Name
1474 * for the proxied request, instead of the
1477 * This is done by making a copy of the
1478 * Stripped-User-Name attribute, turning it into
1479 * a User-Name attribute, deleting the
1480 * Stripped-User-Name and User-Name attributes
1481 * from the vps list, and making the new
1482 * User-Name the head of the vps list.
1484 vp = pairfind(request->proxy->vps, PW_USER_NAME);
1486 vp = radius_paircreate(request, NULL,
1487 PW_USER_NAME, PW_TYPE_STRING);
1488 rad_assert(vp != NULL); /* handled by above function */
1489 /* Insert at the START of the list */
1490 vp->next = request->proxy->vps;
1491 request->proxy->vps = vp;
1493 memcpy(vp->vp_strvalue, strippedname->vp_strvalue,
1494 sizeof(vp->vp_strvalue));
1495 vp->length = strippedname->length;
1498 * Do NOT delete Stripped-User-Name.
1503 * If there is no PW_CHAP_CHALLENGE attribute but
1504 * there is a PW_CHAP_PASSWORD we need to add it
1505 * since we can't use the request authenticator
1506 * anymore - we changed it.
1508 if (pairfind(request->proxy->vps, PW_CHAP_PASSWORD) &&
1509 pairfind(request->proxy->vps, PW_CHAP_CHALLENGE) == NULL) {
1510 vp = radius_paircreate(request, &request->proxy->vps,
1511 PW_CHAP_CHALLENGE, PW_TYPE_OCTETS);
1512 vp->length = AUTH_VECTOR_LEN;
1513 memcpy(vp->vp_strvalue, request->packet->vector, AUTH_VECTOR_LEN);
1517 * The RFC's say we have to do this, but FreeRADIUS
1520 vp = radius_paircreate(request, &request->proxy->vps,
1521 PW_PROXY_STATE, PW_TYPE_OCTETS);
1522 snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%d",
1523 request->packet->id);
1524 vp->length = strlen(vp->vp_strvalue);
1527 * Should be done BEFORE inserting into proxy hash, as
1528 * pre-proxy may use this information, or change it.
1530 request->proxy->code = request->packet->code;
1531 request->proxy->dst_ipaddr = home->ipaddr;
1532 request->proxy->dst_port = home->port;
1533 request->home_server = home;
1536 * Call the pre-proxy routines.
1538 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE);
1540 DEBUG2(" Found Pre-Proxy-Type %s", vp->vp_strvalue);
1541 pre_proxy_type = vp->vp_integer;
1544 rad_assert(request->home_pool != NULL);
1546 if (request->home_pool->virtual_server) {
1547 const char *old_server = request->server;
1549 request->server = request->home_pool->virtual_server;
1550 DEBUG2(" server %s {", request->server);
1551 rcode = module_pre_proxy(pre_proxy_type, request);
1553 request->server = old_server;
1555 rcode = module_pre_proxy(pre_proxy_type, request);
1558 case RLM_MODULE_FAIL:
1559 case RLM_MODULE_INVALID:
1560 case RLM_MODULE_NOTFOUND:
1561 case RLM_MODULE_USERLOCK:
1563 /* FIXME: debug print failed stuff */
1566 case RLM_MODULE_REJECT:
1567 case RLM_MODULE_HANDLED:
1571 * Only proxy the packet if the pre-proxy code succeeded.
1573 case RLM_MODULE_NOOP:
1575 case RLM_MODULE_UPDATED:
1580 * If it's a fake request, don't send the proxy
1581 * packet. The outer tunnel session will take
1582 * care of doing that.
1584 if (request->packet->dst_port == 0) {
1585 request->home_server = NULL;
1589 if (request->home_server->server) {
1590 return proxy_to_virtual_server(request);
1593 if (!proxy_request(request)) {
1594 DEBUG("ERROR: Failed to proxy request %d", request->number);
1603 static void request_post_handler(REQUEST *request)
1605 int child_state = -1;
1606 struct timeval when;
1609 if ((request->master_state == REQUEST_STOP_PROCESSING) ||
1611 (request->parent->master_state == REQUEST_STOP_PROCESSING))) {
1612 DEBUG2("Request %d was cancelled.", request->number);
1613 #ifdef HAVE_PTHREAD_H
1614 request->child_pid = NO_SUCH_CHILD_PID;
1616 request->child_state = REQUEST_DONE;
1620 if (request->child_state != REQUEST_RUNNING) {
1621 rad_panic("Internal sanity check failed");
1624 if ((request->reply->code == 0) &&
1625 ((vp = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL) &&
1626 (vp->vp_integer == PW_AUTHTYPE_REJECT)) {
1627 request->reply->code = PW_AUTHENTICATION_REJECT;
1631 if (request->root->proxy_requests &&
1632 !request->in_proxy_hash &&
1633 (request->reply->code == 0) &&
1634 (request->packet->dst_port != 0) &&
1635 (request->packet->code != PW_STATUS_SERVER)) {
1636 int rcode = successfully_proxied_request(request);
1638 if (rcode == 1) return;
1641 * Failed proxying it (dead home servers, etc.)
1642 * Run it through Post-Proxy-Type = Fail, and
1643 * respond to the request.
1645 * Note that we're in a child thread here, so we
1646 * do NOT re-schedule the request. Instead, we
1647 * do what we would have done, which is run the
1648 * pre-handler, a NULL request handler, and then
1651 if ((rcode < 0) && setup_post_proxy_fail(request)) {
1652 request_pre_handler(request);
1656 * Else we weren't supposed to proxy it,
1657 * OR we proxied it internally to a virutal server.
1663 * Fake requests don't get encoded or signed. The caller
1664 * also requires the reply VP's, so we don't free them
1667 if (request->packet->dst_port == 0) {
1668 /* FIXME: DEBUG going to the next request */
1669 #ifdef HAVE_PTHREAD_H
1670 request->child_pid = NO_SUCH_CHILD_PID;
1672 request->child_state = REQUEST_DONE;
1678 * Copy Proxy-State from the request to the reply.
1680 vp = paircopy2(request->packet->vps, PW_PROXY_STATE);
1681 if (vp) pairadd(&request->reply->vps, vp);
1685 * Access-Requests get delayed or cached.
1687 switch (request->packet->code) {
1688 case PW_AUTHENTICATION_REQUEST:
1689 gettimeofday(&request->next_when, NULL);
1691 if (request->reply->code == 0) {
1693 * Check if the lack of response is intentional.
1695 vp = pairfind(request->config_items,
1696 PW_RESPONSE_PACKET_TYPE);
1698 DEBUG2("There was no response configured: rejecting request %d",
1700 request->reply->code = PW_AUTHENTICATION_REJECT;
1701 } else if (vp->vp_integer == 256) {
1702 DEBUG2("Not responding to request %d",
1706 request->reply->code = vp->vp_integer;
1712 * Run rejected packets through
1714 * Post-Auth-Type = Reject
1716 if (request->reply->code == PW_AUTHENTICATION_REJECT) {
1717 pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
1718 vp = radius_pairmake(request, &request->config_items,
1719 "Post-Auth-Type", "Reject",
1721 if (vp) rad_postauth(request);
1724 * If configured, delay Access-Reject packets.
1726 * If request->root->reject_delay = 0, we discover
1727 * that we have to send the packet now.
1729 when = request->received;
1730 when.tv_sec += request->root->reject_delay;
1732 if (timercmp(&when, &request->next_when, >)) {
1733 DEBUG2("Delaying reject of request %d for %d seconds",
1735 request->root->reject_delay);
1736 request->next_when = when;
1737 request->next_callback = reject_delay;
1738 #ifdef HAVE_PTHREAD_H
1739 request->child_pid = NO_SUCH_CHILD_PID;
1741 request->child_state = REQUEST_REJECT_DELAY;
1746 request->next_when.tv_sec += request->root->cleanup_delay;
1747 request->next_callback = cleanup_delay;
1748 child_state = REQUEST_CLEANUP_DELAY;
1751 case PW_ACCOUNTING_REQUEST:
1752 request->next_callback = NULL; /* just to be safe */
1753 child_state = REQUEST_DONE;
1757 * FIXME: Status-Server should probably not be
1760 case PW_STATUS_SERVER:
1761 request->next_callback = NULL;
1762 child_state = REQUEST_DONE;
1766 if ((request->packet->code > 1024) &&
1767 (request->packet->code < (1024 + 254 + 1))) {
1768 request->next_callback = NULL;
1769 child_state = REQUEST_DONE;
1773 radlog(L_ERR, "Unknown packet type %d", request->packet->code);
1774 rad_panic("Unknown packet type");
1779 * Suppress "no reply" packets here, unless we're reading
1780 * from the "detail" file. In that case, we've got to
1781 * tell the detail file handler that the request is dead,
1782 * and it should re-send it.
1783 * If configured, encode, sign, and send.
1785 if ((request->reply->code != 0) ||
1786 (request->listener->type == RAD_LISTEN_DETAIL)) {
1787 request->listener->send(request->listener, request);
1791 * Clean up. These are no longer needed.
1793 pairfree(&request->config_items);
1795 pairfree(&request->packet->vps);
1796 request->username = NULL;
1797 request->password = NULL;
1799 pairfree(&request->reply->vps);
1802 if (request->proxy) {
1803 pairfree(&request->proxy->vps);
1805 if (request->proxy_reply) {
1806 pairfree(&request->proxy_reply->vps);
1810 * We're not tracking responses from the home
1811 * server, we can therefore free this memory in
1814 if (!request->in_proxy_hash) {
1815 rad_free(&request->proxy);
1816 rad_free(&request->proxy_reply);
1817 request->home_server = NULL;
1822 DEBUG2("Finished request %d.", request->number);
1824 request->child_state = child_state;
1827 * Single threaded mode: update timers now.
1829 if (!have_children) wait_a_bit(request);
1833 static void received_retransmit(REQUEST *request, const RADCLIENT *client)
1839 RAD_SNMP_TYPE_INC(request->listener, total_dup_requests);
1840 RAD_SNMP_CLIENT_INC(request->listener, client, dup_requests);
1842 switch (request->child_state) {
1843 case REQUEST_QUEUED:
1844 case REQUEST_RUNNING:
1848 radlog(L_ERR, "Discarding duplicate request from "
1849 "client %s port %d - ID: %d due to unfinished request %d",
1851 request->packet->src_port,request->packet->id,
1856 case REQUEST_PROXIED:
1858 * We're not supposed to have duplicate
1859 * accounting packets. The other states handle
1860 * duplicates fine (discard, or send duplicate
1861 * reply). But we do NOT want to retransmit an
1862 * accounting request here, because that would
1863 * involve updating the Acct-Delay-Time, and
1864 * therefore changing the packet Id, etc.
1866 * Instead, we just discard the packet. We may
1867 * eventually respond, or the client will send a
1868 * new accounting packet.
1870 if (request->packet->code == PW_ACCOUNTING_REQUEST) {
1874 check_for_zombie_home_server(request);
1877 * If we've just discovered that the home server is
1878 * dead, send the packet to another one.
1880 if ((request->packet->dst_port != 0) &&
1881 (request->home_server->state == HOME_STATE_IS_DEAD)) {
1884 remove_from_proxy_hash(request);
1886 home = home_server_ldb(NULL, request->home_pool, request);
1888 DEBUG2("Failed to find live home server for request %d", request->number);
1891 * Do post-request processing,
1892 * and any insertion of necessary
1895 post_proxy_fail_handler(request);
1899 request->proxy->code = request->packet->code;
1900 request->proxy->dst_ipaddr = home->ipaddr;
1901 request->proxy->dst_port = home->port;
1902 request->home_server = home;
1905 * Free the old packet, to force re-encoding
1907 free(request->proxy->data);
1908 request->proxy->data = NULL;
1909 request->proxy->data_len = 0;
1912 * This request failed over to a virtual
1913 * server. Push it back onto the queue
1916 if (request->home_server->server) {
1917 proxy_fallback_handler(request);
1922 * Try to proxy the request.
1924 if (!proxy_request(request)) {
1925 DEBUG("ERROR: Failed to re-proxy request %d", request->number);
1926 goto no_home_servers;
1930 * This code executes in the main server
1931 * thread, so there's no need for locking.
1933 rad_assert(request->next_callback != NULL);
1934 INSERT_EVENT(request->next_callback, request);
1935 request->next_callback = NULL;
1937 } /* else the home server is still alive */
1939 DEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
1940 inet_ntop(request->proxy->dst_ipaddr.af,
1941 &request->proxy->dst_ipaddr.ipaddr,
1942 buffer, sizeof(buffer)),
1943 request->proxy->dst_port,
1944 request->proxy->id);
1945 request->num_proxied_requests++;
1946 request->proxy_listener->send(request->proxy_listener,
1951 case REQUEST_REJECT_DELAY:
1952 DEBUG2("Waiting to send Access-Reject "
1953 "to client %s port %d - ID: %d",
1955 request->packet->src_port, request->packet->id);
1958 case REQUEST_CLEANUP_DELAY:
1960 DEBUG2("Sending duplicate reply "
1961 "to client %s port %d - ID: %d",
1963 request->packet->src_port, request->packet->id);
1964 request->listener->send(request->listener, request);
1970 static void received_conflicting_request(REQUEST *request,
1971 const RADCLIENT *client)
1973 radlog(L_ERR, "Received conflicting packet from "
1974 "client %s port %d - ID: %d due to unfinished request %d. Giving up on old request.",
1976 request->packet->src_port, request->packet->id,
1980 * Nuke it from the request hash, so we can receive new
1983 remove_from_request_hash(request);
1985 switch (request->child_state) {
1987 * It's queued or running. Tell it to stop, and
1988 * wait for it to do so.
1990 case REQUEST_QUEUED:
1991 case REQUEST_RUNNING:
1992 request->master_state = REQUEST_STOP_PROCESSING;
1993 request->delay += request->delay >> 1;
1995 tv_add(&request->when, request->delay);
1997 INSERT_EVENT(wait_for_child_to_die, request);
2001 * It's in some other state, and therefore also
2002 * in the event queue. At some point, the
2003 * child will notice, and we can then delete it.
2006 rad_assert(request->ev != NULL);
2012 static int can_handle_new_request(RADIUS_PACKET *packet,
2014 struct main_config_t *root)
2017 * Count the total number of requests, to see if
2018 * there are too many. If so, return with an
2021 if (root->max_requests) {
2022 int request_count = fr_packet_list_num_elements(pl);
2025 * This is a new request. Let's see if
2026 * it makes us go over our configured
2029 if (request_count > root->max_requests) {
2030 radlog(L_ERR, "Dropping request (%d is too many): "
2031 "from client %s port %d - ID: %d", request_count,
2033 packet->src_port, packet->id);
2034 radlog(L_INFO, "WARNING: Please check the configuration file.\n"
2035 "\tThe value for 'max_requests' is probably set too low.\n");
2037 } /* else there were a small number of requests */
2038 } /* else there was no configured limit for requests */
2041 * FIXME: Add per-client checks. If one client is sending
2042 * too many packets, start discarding them.
2044 * We increment the counters here, and decrement them
2045 * when the response is sent... somewhere in this file.
2049 * FUTURE: Add checks for system load. If the system is
2050 * busy, start dropping requests...
2052 * We can probably keep some statistics ourselves... if
2053 * there are more requests coming in than we can handle,
2054 * start dropping some.
2061 int received_request(rad_listen_t *listener,
2062 RADIUS_PACKET *packet, REQUEST **prequest,
2065 RADIUS_PACKET **packet_p;
2066 REQUEST *request = NULL;
2067 struct main_config_t *root = &mainconfig;
2069 packet_p = fr_packet_list_find(pl, packet);
2071 request = fr_packet2myptr(REQUEST, packet, packet_p);
2072 rad_assert(request->in_request_hash);
2074 if ((request->packet->data_len == packet->data_len) &&
2075 (memcmp(request->packet->vector, packet->vector,
2076 sizeof(packet->vector)) == 0)) {
2077 received_retransmit(request, client);
2082 * The new request is different from the old one,
2083 * but maybe the old is finished. If so, delete
2086 switch (request->child_state) {
2087 struct timeval when;
2090 gettimeofday(&when, NULL);
2094 * If the cached request was received
2095 * within the last second, then we
2096 * discard the NEW request instead of the
2097 * old one. This will happen ONLY when
2098 * the client is severely broken, and is
2099 * sending conflicting packets very
2102 if (timercmp(&when, &request->received, <)) {
2103 radlog(L_ERR, "Discarding conflicting packet from "
2104 "client %s port %d - ID: %d due to recent request %d.",
2106 packet->src_port, packet->id,
2111 received_conflicting_request(request, client);
2115 case REQUEST_REJECT_DELAY:
2116 case REQUEST_CLEANUP_DELAY:
2117 request->child_state = REQUEST_DONE;
2119 cleanup_delay(request);
2126 * We may want to quench the new request.
2128 if ((listener->type != RAD_LISTEN_DETAIL) &&
2129 !can_handle_new_request(packet, client, root)) {
2134 * Create and initialize the new request.
2136 request = request_alloc(); /* never fails */
2138 if ((request->reply = rad_alloc(0)) == NULL) {
2139 radlog(L_ERR, "No memory");
2143 request->listener = listener;
2144 request->client = client;
2145 request->packet = packet;
2146 request->packet->timestamp = request->timestamp;
2147 request->number = request_num_counter++;
2148 request->priority = listener->type;
2151 * Set virtual server identity
2153 if (client->server) {
2154 request->server = client->server;
2155 } else if (listener->server) {
2156 request->server = listener->server;
2158 request->server = NULL;
2162 * Remember the request in the list.
2164 if (!fr_packet_list_insert(pl, &request->packet)) {
2165 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", request->number);
2166 request_free(&request);
2170 request->in_request_hash = TRUE;
2171 request->root = root;
2175 * The request passes many of our sanity checks.
2176 * From here on in, if anything goes wrong, we
2177 * send a reject message, instead of dropping the
2182 * Build the reply template from the request.
2185 request->reply->sockfd = request->packet->sockfd;
2186 request->reply->dst_ipaddr = request->packet->src_ipaddr;
2187 request->reply->src_ipaddr = request->packet->dst_ipaddr;
2188 request->reply->dst_port = request->packet->src_port;
2189 request->reply->src_port = request->packet->dst_port;
2190 request->reply->id = request->packet->id;
2191 request->reply->code = 0; /* UNKNOWN code */
2192 memcpy(request->reply->vector, request->packet->vector,
2193 sizeof(request->reply->vector));
2194 request->reply->vps = NULL;
2195 request->reply->data = NULL;
2196 request->reply->data_len = 0;
2198 request->master_state = REQUEST_ACTIVE;
2199 request->child_state = REQUEST_QUEUED;
2200 request->next_callback = NULL;
2202 gettimeofday(&request->received, NULL);
2203 request->timestamp = request->received.tv_sec;
2204 request->when = request->received;
2206 request->delay = USEC;
2208 tv_add(&request->when, request->delay);
2210 INSERT_EVENT(wait_a_bit, request);
2212 *prequest = request;
2218 REQUEST *received_proxy_response(RADIUS_PACKET *packet)
2224 if (!home_server_find(&packet->src_ipaddr, packet->src_port)) {
2225 radlog(L_ERR, "Ignoring request from unknown home server %s port %d",
2226 inet_ntop(packet->src_ipaddr.af,
2227 &packet->src_ipaddr.ipaddr,
2228 buffer, sizeof(buffer)),
2235 * Also removes from the proxy hash if responses == requests
2237 request = lookup_in_proxy_hash(packet);
2240 radlog(L_PROXY, "No outstanding request was found for proxy reply from home server %s port %d - ID %d",
2241 inet_ntop(packet->src_ipaddr.af,
2242 &packet->src_ipaddr.ipaddr,
2243 buffer, sizeof(buffer)),
2244 packet->src_port, packet->id);
2249 home = request->home_server;
2251 gettimeofday(&now, NULL);
2252 home->state = HOME_STATE_ALIVE;
2254 if (request->reply && request->reply->code != 0) {
2255 DEBUG2("We already replied to this request. Discarding response from home server.");
2261 * We had previously received a reply, so we don't need
2262 * to do anything here.
2264 if (request->proxy_reply) {
2265 if (memcmp(request->proxy_reply->vector,
2267 sizeof(request->proxy_reply->vector)) == 0) {
2268 DEBUG2("Discarding duplicate reply from home server %s port %d - ID: %d for request %d",
2269 inet_ntop(packet->src_ipaddr.af,
2270 &packet->src_ipaddr.ipaddr,
2271 buffer, sizeof(buffer)),
2272 packet->src_port, packet->id,
2276 * ? The home server gave us a new proxy
2277 * reply, which doesn't match the old
2280 DEBUG2("Ignoring conflicting proxy reply");
2283 /* assert that there's an event queued for request? */
2288 switch (request->child_state) {
2289 case REQUEST_QUEUED:
2290 case REQUEST_RUNNING:
2291 rad_panic("Internal sanity check failed for child state");
2294 case REQUEST_REJECT_DELAY:
2295 case REQUEST_CLEANUP_DELAY:
2297 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
2298 inet_ntop(packet->src_ipaddr.af,
2299 &packet->src_ipaddr.ipaddr,
2300 buffer, sizeof(buffer)),
2301 packet->src_port, packet->id,
2303 /* assert that there's an event queued for request? */
2307 case REQUEST_PROXIED:
2311 request->proxy_reply = packet;
2315 * Perform RTT calculations, as per RFC 2988 (for TCP).
2316 * Note that we do so only if we sent one request, and
2317 * received one response. If we sent two requests, we
2318 * have no idea if the response is for the first, or for
2319 * the second request/
2321 if (request->num_proxied_requests == 1) {
2323 home_server *home = request->home_server;
2325 rtt = now.tv_sec - request->proxy_when.tv_sec;
2328 rtt -= request->proxy_when.tv_usec;
2330 if (!home->has_rtt) {
2331 home->has_rtt = TRUE;
2334 home->rttvar = rtt / 2;
2337 home->rttvar -= home->rttvar >> 2;
2338 home->rttvar += (home->srtt - rtt);
2339 home->srtt -= home->srtt >> 3;
2340 home->srtt += rtt >> 3;
2343 home->rto = home->srtt;
2344 if (home->rttvar > (USEC / 4)) {
2345 home->rto += home->rttvar * 4;
2353 * There's no incoming request, so it's a proxied packet
2356 if (!request->packet) {
2357 received_response_to_ping(request);
2361 request->child_state = REQUEST_QUEUED;
2362 request->when = now;
2363 request->delay = USEC;
2364 request->priority = RAD_LISTEN_PROXY;
2365 tv_add(&request->when, request->delay);
2368 * Wait a bit will take care of max_request_time
2370 INSERT_EVENT(wait_a_bit, request);
2377 static void event_detail_timer(void *ctx)
2379 rad_listen_t *listener = ctx;
2380 RAD_REQUEST_FUNP fun;
2383 if (listener->recv(listener, &fun, &request)) {
2384 if (!thread_pool_addrequest(request, fun)) {
2385 request->child_state = REQUEST_DONE;
2391 static void handle_signal_self(int flag)
2393 if ((flag & (RADIUS_SIGNAL_SELF_EXIT | RADIUS_SIGNAL_SELF_TERM)) != 0) {
2394 if ((flag & RADIUS_SIGNAL_SELF_EXIT) != 0) {
2395 fr_event_loop_exit(el, 1);
2397 fr_event_loop_exit(el, 2);
2401 } /* else exit/term flags weren't set */
2404 * Tell the even loop to stop processing.
2406 if ((flag & RADIUS_SIGNAL_SELF_HUP) != 0) {
2408 static time_t last_hup = 0;
2410 DEBUG("Received HUP signal.");
2413 if ((int) (when - last_hup) < 5) {
2414 radlog(L_INFO, "Ignoring HUP (less than 5s since last one)");
2419 fr_event_loop_exit(el, 0x80);
2423 if ((flag & RADIUS_SIGNAL_SELF_DETAIL) != 0) {
2426 for (this = mainconfig.listen;
2428 this = this->next) {
2430 struct timeval when;
2432 if (this->type != RAD_LISTEN_DETAIL) continue;
2434 delay = detail_delay(this);
2435 if (!delay) continue;
2437 fr_event_now(el, &now);
2439 tv_add(&when, delay);
2441 if (delay > 100000) {
2442 DEBUG2("Delaying next detail event for %d.%01u seconds.",
2443 delay / USEC, (delay % USEC) / 100000);
2446 if (!fr_event_insert(el, event_detail_timer, this,
2448 radlog(L_ERR, "Failed remembering timer");
2455 if ((flag & RADIUS_SIGNAL_SELF_NEW_FD) != 0) {
2458 for (this = mainconfig.listen;
2460 this = this->next) {
2461 if (this->type != RAD_LISTEN_PROXY) continue;
2463 if (!fr_event_fd_insert(el, 0, this->fd,
2464 event_socket_handler, this)) {
2465 radlog(L_ERR, "Failed remembering handle for proxy socket!");
2473 void radius_signal_self(int flag)
2475 handle_signal_self(flag);
2479 * Inform ourselves that we received a signal.
2481 void radius_signal_self(int flag)
2487 * The read MUST be non-blocking for this to work.
2489 rcode = read(self_pipe[0], buffer, sizeof(buffer));
2493 for (i = 0; i < rcode; i++) {
2494 buffer[0] |= buffer[i];
2502 write(self_pipe[1], buffer, 1);
2506 static void event_signal_handler(UNUSED fr_event_list_t *xel,
2507 UNUSED int fd, UNUSED void *ctx)
2512 rcode = read(self_pipe[0], buffer, sizeof(buffer));
2513 if (rcode <= 0) return;
2516 * Merge pending signals.
2518 for (i = 0; i < rcode; i++) {
2519 buffer[0] |= buffer[i];
2522 handle_signal_self(buffer[0]);
2527 static void event_socket_handler(fr_event_list_t *xel, UNUSED int fd,
2530 rad_listen_t *listener = ctx;
2531 RAD_REQUEST_FUNP fun;
2534 rad_assert(xel == el);
2538 if (listener->fd < 0) rad_panic("Socket was closed on us!");
2540 if (!listener->recv(listener, &fun, &request)) return;
2542 if (!thread_pool_addrequest(request, fun)) {
2543 request->child_state = REQUEST_DONE;
2549 * This function is called periodically to see if any FD's are
2550 * available for reading.
2552 static void event_poll_fds(UNUSED void *ctx)
2555 RAD_REQUEST_FUNP fun;
2558 struct timeval when;
2560 fr_event_now(el, &now);
2564 for (this = mainconfig.listen; this != NULL; this = this->next) {
2565 if (this->fd >= 0) continue;
2568 * Try to read something.
2570 * FIXME: This does poll AND receive.
2572 rcode = this->recv(this, &fun, &request);
2573 if (!rcode) continue;
2575 rad_assert(fun != NULL);
2576 rad_assert(request != NULL);
2578 if (!thread_pool_addrequest(request, fun)) {
2579 request->child_state = REQUEST_DONE;
2583 * We have an FD. Start watching it.
2585 if (this->fd >= 0) {
2588 * ... unless it's a detail file. In
2589 * that case, we rely on the signal to
2590 * self to know when to continue
2591 * processing the detail file.
2593 if (this->type == RAD_LISTEN_DETAIL) continue;
2597 * FIXME: this should be SNMP handler,
2598 * and we should do SOMETHING when the
2601 if (!fr_event_fd_insert(el, 0, this->fd,
2602 event_socket_handler, this)) {
2605 this->print(this, buffer, sizeof(buffer));
2606 rad_panic("Failed creating handler for snmp");
2614 if (!fr_event_insert(el, event_poll_fds, NULL,
2616 radlog(L_ERR, "Failed creating handler");
2622 static void event_status(struct timeval *wake)
2624 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
2628 if (debug_flag == 0) {
2630 radlog(L_INFO, "Ready to process requests.");
2631 just_started = FALSE;
2637 DEBUG("Ready to process requests.");
2639 } else if ((wake->tv_sec != 0) ||
2640 (wake->tv_usec >= 100000)) {
2641 DEBUG("Waking up in %d.%01u seconds.",
2642 (int) wake->tv_sec, (unsigned int) wake->tv_usec / 100000);
2647 * FIXME: Put this somewhere else, where it isn't called
2648 * all of the time...
2651 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
2653 * If there are no child threads, then there may
2654 * be child processes. In that case, wait for
2655 * their exit status, and throw that exit status
2656 * away. This helps get rid of zxombie children.
2658 while (waitpid(-1, &argval, WNOHANG) > 0) {
2667 * Externally-visibly functions.
2669 int radius_event_init(CONF_SECTION *cs, int spawn_flag)
2671 int has_snmp_listener = FALSE;
2672 rad_listen_t *this, *head = NULL;
2678 el = fr_event_list_create(event_status);
2681 pl = fr_packet_list_create(0);
2684 request_num_counter = 0;
2687 * Move all of the thread calls to this file?
2689 * It may be best for the mutexes to be in this file...
2691 have_children = spawn_flag;
2694 if (mainconfig.proxy_requests) {
2696 * Create the tree for managing proxied requests and
2699 proxy_list = fr_packet_list_create(1);
2700 if (!proxy_list) return 0;
2702 #ifdef HAVE_PTHREAD_H
2703 if (pthread_mutex_init(&proxy_mutex, NULL) != 0) {
2704 radlog(L_ERR, "FATAL: Failed to initialize proxy mutex: %s",
2713 * Just before we spawn the child threads, force the log
2714 * subsystem to re-open the log file for every write.
2716 if (spawn_flag) force_log_reopen();
2718 #ifdef HAVE_PTHREAD_H
2719 if (thread_pool_init(cs, spawn_flag) < 0) {
2725 DEBUG2("%s: #### Skipping IP addresses and Ports ####",
2732 * Child threads need a pipe to signal us, as do the
2735 if (pipe(self_pipe) < 0) {
2736 radlog(L_ERR, "radiusd: Error opening internal pipe: %s",
2740 if (fcntl(self_pipe[0], F_SETFL, O_NONBLOCK | FD_CLOEXEC) < 0) {
2741 radlog(L_ERR, "radiusd: Error setting internal flags: %s",
2745 if (fcntl(self_pipe[1], F_SETFL, O_NONBLOCK | FD_CLOEXEC) < 0) {
2746 radlog(L_ERR, "radiusd: Error setting internal flags: %s",
2751 if (!fr_event_fd_insert(el, 0, self_pipe[0],
2752 event_signal_handler, el)) {
2753 radlog(L_ERR, "Failed creating handler for signals");
2760 * Mark the proxy Fd's as unused.
2765 for (i = 0; i < 32; i++) proxy_fds[i] = -1;
2769 DEBUG2("%s: #### Opening IP addresses and Ports ####",
2772 if (listen_init(cs, &head) < 0) {
2777 * Add all of the sockets to the event loop.
2781 this = this->next) {
2784 this->print(this, buffer, sizeof(buffer));
2786 switch (this->type) {
2788 case RAD_LISTEN_DETAIL:
2789 DEBUG("Listening on %s", buffer);
2790 has_detail_listener = TRUE;
2795 case RAD_LISTEN_SNMP:
2796 DEBUG("Listening on SNMP %s", buffer);
2797 has_snmp_listener = TRUE;
2802 case RAD_LISTEN_PROXY:
2803 rad_assert(proxy_fds[this->fd & 0x1f] == -1);
2804 rad_assert(proxy_listeners[this->fd & 0x1f] == NULL);
2806 proxy_fds[this->fd & 0x1f] = this->fd;
2807 proxy_listeners[this->fd & 0x1f] = this;
2808 if (!fr_packet_list_socket_add(proxy_list,
2816 DEBUG("Listening on %s", buffer);
2821 * The file descriptor isn't ready. Poll for
2822 * when it will become ready. This is for SNMP
2823 * and detail file fd's.
2830 * The socket is open. It MUST be a socket,
2831 * as we don't pre-open the detail files (yet).
2833 * FIXME: if we DO open the detail files automatically,
2834 * then much of this code becomes simpler.
2836 if (!fr_event_fd_insert(el, 0, this->fd,
2837 event_socket_handler, this)) {
2838 this->print(this, buffer, sizeof(buffer));
2839 radlog(L_ERR, "Failed creating handler for socket %s",
2845 if (has_detail_listener || has_snmp_listener) {
2846 struct timeval when;
2848 gettimeofday(&when, NULL);
2851 if (!fr_event_insert(el, event_poll_fds, NULL,
2853 radlog(L_ERR, "Failed creating handler");
2858 mainconfig.listen = head;
2864 static int request_hash_cb(UNUSED void *ctx, void *data)
2866 REQUEST *request = fr_packet2myptr(REQUEST, packet, data);
2869 rad_assert(request->in_proxy_hash == FALSE);
2872 fr_event_delete(el, &request->ev);
2873 remove_from_request_hash(request);
2874 request_free(&request);
2881 static int proxy_hash_cb(UNUSED void *ctx, void *data)
2883 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
2885 fr_packet_list_yank(proxy_list, request->proxy);
2886 request->in_proxy_hash = FALSE;
2888 if (!request->in_request_hash) {
2889 fr_event_delete(el, &request->ev);
2890 request_free(&request);
2897 void radius_event_free(void)
2900 * FIXME: Stop all threads, or at least check that
2901 * they're all waiting on the semaphore, and the queues
2907 * There are requests in the proxy hash that aren't
2908 * referenced from anywhere else. Remove them first.
2911 PTHREAD_MUTEX_LOCK(&proxy_mutex);
2912 fr_packet_list_walk(proxy_list, NULL, proxy_hash_cb);
2913 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2914 fr_packet_list_free(proxy_list);
2919 fr_packet_list_walk(pl, NULL, request_hash_cb);
2921 fr_packet_list_free(pl);
2924 fr_event_list_free(el);
2927 int radius_event_process(void)
2931 just_started = TRUE;
2933 return fr_event_loop(el);
2936 void radius_handle_request(REQUEST *request, RAD_REQUEST_FUNP fun)
2938 if (request_pre_handler(request)) {
2939 rad_assert(fun != NULL);
2940 rad_assert(request != NULL);
2942 if (request->server) DEBUG("server %s {",
2946 if (request->server) DEBUG("} # server %s",
2949 request_post_handler(request);
2952 DEBUG2("Going to the next request");