2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005,2006 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
32 #ifdef HAVE_NETINET_IN_H
33 #include <netinet/in.h>
36 #ifdef HAVE_ARPA_INET_H
37 #include <arpa/inet.h>
40 #include <sys/resource.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
50 #ifdef HAVE_SYS_STAT_H
55 #include <freeradius-devel/udpfromto.h>
60 #include <freeradius-devel/radiusd.h>
61 #include <freeradius-devel/rad_assert.h>
63 #include <freeradius-devel/radius_snmp.h>
64 #include <freeradius-devel/request_list.h>
66 static time_t start_time = 0;
69 * FIXME: Delete this crap!
71 extern time_t time_now;
74 * We'll use this below.
76 typedef int (*rad_listen_parse_t)(const char *, int, const CONF_SECTION *, rad_listen_t *);
77 typedef void (*rad_listen_free_t)(rad_listen_t *);
79 typedef struct rad_listen_master_t {
80 rad_listen_parse_t parse;
81 rad_listen_free_t free;
82 rad_listen_recv_t recv;
83 rad_listen_send_t send;
84 rad_listen_update_t update;
85 rad_listen_print_t print;
86 } rad_listen_master_t;
88 typedef struct listen_socket_t {
94 RADCLIENT_LIST *clients;
97 typedef struct listen_detail_t {
103 lrad_ipaddr_t client_ip;
110 * Find a per-socket client.
112 static RADCLIENT *client_listener_find(const rad_listen_t *listener,
113 const lrad_ipaddr_t *ipaddr)
115 const RADCLIENT_LIST *clients;
117 rad_assert(listener != NULL);
118 rad_assert(ipaddr != NULL);
120 rad_assert((listener->type == RAD_LISTEN_AUTH) ||
121 (listener->type == RAD_LISTEN_ACCT));
123 clients = ((listen_socket_t *)listener->data)->clients;
124 if (!clients) clients = mainconfig.clients;
126 rad_assert(clients != NULL);
128 return client_find(clients, ipaddr);
131 static int listen_bind(rad_listen_t *this);
134 * FIXME: have the detail reader use another config "exit when done",
135 * so that it can be used as a one-off tool to update stuff.
139 * Process and reply to a server-status request.
140 * Like rad_authenticate and rad_accounting this should
141 * live in it's own file but it's so small we don't bother.
143 static int rad_status_server(REQUEST *request)
145 switch (request->listener->type) {
146 case RAD_LISTEN_AUTH:
147 request->reply->code = PW_AUTHENTICATION_ACK;
150 * Commented out for now.
159 * Reply with an ACK. We might want to add some more
160 * interesting reply attributes, such as server uptime.
162 t = request->timestamp - start_time;
163 sprintf(reply_msg, "FreeRADIUS STUFF %d day%s, %02d:%02d",
164 (int)(t / 86400), (t / 86400) == 1 ? "" : "s",
165 (int)((t / 3600) % 24), (int)(t / 60) % 60);
167 vp = pairmake("Reply-Message", reply_msg, T_OP_SET);
168 pairadd(&request->reply->vps, vp); /* don't need to check if !vp */
173 case RAD_LISTEN_ACCT:
174 request->reply->code = PW_ACCOUNTING_RESPONSE;
185 static int request_num_counter = 0;
188 * Check for dups, etc. Common to Access-Request &&
189 * Accounting-Request packets.
191 static int common_checks(rad_listen_t *listener,
192 RADIUS_PACKET *packet, REQUEST **prequest,
193 const RADCLIENT *client)
198 rad_assert(listener->rl != NULL);
201 * If there is no existing request of id, code, etc.,
202 * then we can return, and let it be processed.
204 if ((curreq = rl_find(listener->rl, packet)) == NULL) {
206 * Count the total number of requests, to see if
207 * there are too many. If so, return with an
210 if (mainconfig.max_requests) {
212 * FIXME: This is now per-socket,
213 * when it should really be global
216 int request_count = rl_num_requests(listener->rl);
219 * This is a new request. Let's see if
220 * it makes us go over our configured
223 if (request_count > mainconfig.max_requests) {
224 radlog(L_ERR, "Dropping request (%d is too many): "
225 "from client %s port %d - ID: %d", request_count,
227 packet->src_port, packet->id);
228 radlog(L_INFO, "WARNING: Please check the %s file.\n"
229 "\tThe value for 'max_requests' is probably set too low.\n", mainconfig.radiusd_conf);
231 } /* else there were a small number of requests */
232 } /* else there was no configured limit for requests */
235 * FIXME: Add checks for system load. If the
236 * system is busy, start dropping requests...
238 * We can probably keep some statistics
239 * ourselves... if there are more requests
240 * coming in than we can handle, start dropping
245 * The current request isn't finished, which
246 * means that the NAS sent us a new packet, while
247 * we are still processing the old request.
249 } else if (!curreq->finished) {
251 * If the authentication vectors are identical,
252 * then the NAS is re-transmitting it, trying to
253 * kick us into responding to the request.
255 if (memcmp(curreq->packet->vector, packet->vector,
256 sizeof(packet->vector)) == 0) {
257 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
260 * It's not finished because the request
261 * was proxied, but there was no reply
262 * from the home server.
264 * This code will never get hit for
265 * accounting packets, as they're always
266 * updated, and never re-transmitted.
268 if (curreq->proxy && !curreq->proxy_reply) {
269 DEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
270 inet_ntop(curreq->proxy->dst_ipaddr.af,
271 &curreq->proxy->dst_ipaddr.ipaddr,
272 buffer, sizeof(buffer)), curreq->proxy->dst_port,
275 curreq->proxy_listener->send(curreq->proxy_listener, curreq);
277 } /* else the packet was not proxied */
280 * Someone's still working on it, so we
281 * ignore the duplicate request.
283 radlog(L_ERR, "Discarding duplicate request from "
284 "client %s port %d - ID: %d due to unfinished request %d",
286 packet->src_port, packet->id,
289 } /* else the authentication vectors were different */
292 * We're waiting for a proxy reply, but no one is
293 * currently processing the request. We can
294 * discard the old request, and ignore any reply
295 * from the home server, because the NAS will
298 if (curreq->proxy && !curreq->proxy_reply &&
299 (curreq->child_pid == NO_SUCH_CHILD_PID)) {
300 radlog(L_ERR, "Discarding old proxied request %d from "
301 "client %s port %d - ID: %d due to new request from the client",
302 curreq->number, client->shortname,
303 packet->src_port, packet->id);
306 * The authentication vectors are different, so
307 * the NAS has given up on us, as we've taken too
308 * long to process the request. This is a
311 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
313 radlog(L_ERR, "Dropping conflicting packet from "
314 "client %s port %d - ID: %d due to unfinished request %d",
316 packet->src_port, packet->id,
322 * The old request is finished. We now check the
323 * authentication vectors. If the client has sent us a
324 * request with identical code && ID, but different
325 * vector, then they MUST have gotten our response, so we
326 * can delete the original request, and process the new
329 * If the vectors are the same, then it's a duplicate
330 * request, and we can send a duplicate reply.
332 } else if (memcmp(curreq->packet->vector, packet->vector,
333 sizeof(packet->vector)) == 0) {
334 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
337 * If the packet has been delayed, then silently
338 * send a response, and clear the delayed flag.
340 * Note that this means if the NAS kicks us while
341 * we're delaying a reject, then the reject may
342 * be sent sooner than otherwise.
344 * This COULD be construed as a bug. Maybe what
345 * we want to do is to ignore the duplicate
346 * packet, and send the reject later.
348 if (curreq->options & RAD_REQUEST_OPTION_DELAYED_REJECT) {
349 curreq->options &= ~RAD_REQUEST_OPTION_DELAYED_REJECT;
350 rad_assert(curreq->listener == listener);
351 listener->send(listener, curreq);
356 * Maybe we've saved a reply packet. If so,
357 * re-send it. Otherwise, just complain.
359 if (curreq->reply->code != 0) {
360 DEBUG2("Sending duplicate reply "
361 "to client %s port %d - ID: %d",
363 packet->src_port, packet->id);
364 rad_assert(curreq->listener == listener);
365 listener->send(listener, curreq);
370 * Else we never sent a reply to the NAS,
371 * as we decided somehow we didn't like the request.
373 * This shouldn't happen, in general...
375 DEBUG2("Discarding duplicate request from client %s port %d - ID: %d",
376 client->shortname, packet->src_port, packet->id);
378 } /* else the vectors were different, so we discard the old request. */
381 * 'packet' has the same source IP, source port, code,
382 * and Id as 'curreq', but a different authentication
383 * vector. We can therefore delete 'curreq', as we were
384 * only keeping it around to send out duplicate replies,
385 * if the first reply got lost in the network.
388 rl_yank(listener->rl, curreq);
389 request_free(&curreq);
393 * A unique per-request counter.
395 curreq = request_alloc(); /* never fails */
397 if ((curreq->reply = rad_alloc(0)) == NULL) {
398 radlog(L_ERR, "No memory");
401 curreq->listener = listener;
402 curreq->packet = packet;
403 curreq->packet->timestamp = curreq->timestamp;
404 curreq->number = request_num_counter++;
405 strlcpy(curreq->secret, client->secret, sizeof(curreq->secret));
408 * Remember the request in the list.
410 if (!rl_add(listener->rl, curreq)) {
411 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", curreq->number);
412 request_free(&curreq);
417 * The request passes many of our sanity checks.
418 * From here on in, if anything goes wrong, we
419 * send a reject message, instead of dropping the
424 * Build the reply template from the request.
427 curreq->reply->sockfd = curreq->packet->sockfd;
428 curreq->reply->dst_ipaddr = curreq->packet->src_ipaddr;
429 curreq->reply->src_ipaddr = curreq->packet->dst_ipaddr;
430 curreq->reply->dst_port = curreq->packet->src_port;
431 curreq->reply->src_port = curreq->packet->dst_port;
432 curreq->reply->id = curreq->packet->id;
433 curreq->reply->code = 0; /* UNKNOWN code */
434 memcpy(curreq->reply->vector, curreq->packet->vector,
435 sizeof(curreq->reply->vector));
436 curreq->reply->vps = NULL;
437 curreq->reply->data = NULL;
438 curreq->reply->data_len = 0;
445 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
448 listen_socket_t *sock = this->data;
450 if ((sock->ipaddr.af == AF_INET) &&
451 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
454 ip_ntoh(&sock->ipaddr, buffer, bufsize);
457 len = strlen(buffer);
459 return len + snprintf(buffer + len, bufsize - len, " port %d",
465 * Parse an authentication or accounting socket.
467 static int common_socket_parse(const char *filename, int lineno,
468 const CONF_SECTION *cs, rad_listen_t *this)
472 lrad_ipaddr_t ipaddr;
473 listen_socket_t *sock = this->data;
474 const char *section_name = NULL;
475 CONF_SECTION *client_cs;
480 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
481 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
482 &ipaddr.ipaddr.ip4addr, NULL);
483 if (rcode < 0) return -1;
485 if (rcode == 0) { /* successfully parsed IPv4 */
488 } else { /* maybe IPv6? */
489 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
490 &ipaddr.ipaddr.ip6addr, NULL);
491 if (rcode < 0) return -1;
494 radlog(L_ERR, "%s[%d]: No address specified in listen section",
498 ipaddr.af = AF_INET6;
501 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
503 if (rcode < 0) return -1;
505 sock->ipaddr = ipaddr;
506 sock->port = listen_port;
509 * And bind it to the port.
511 if (listen_bind(this) < 0) {
513 radlog(L_CONS|L_ERR, "%s[%d]: Error binding to port for %s port %d",
514 filename, cf_section_lineno(cs),
515 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
521 * If we can bind to interfaces, do so,
524 if (cf_pair_find(cs, "interface")) {
525 #ifndef SO_BINDTODEVICE
526 radlog(L_CONS|L_ERR, "%s[%d]: System does not support binding to interfaces, delete this line from the configuration file.",
527 filename, cf_section_lineno(cs));
531 const CONF_PAIR *cp = cf_pair_find(cs, "interface");
534 rad_assert(cp != NULL);
535 value = cf_pair_value(cp);
536 rad_assert(value != NULL);
538 strcpy(ifreq.ifr_name, value);
540 if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
541 (char *)&ifreq, sizeof(ifreq)) < 0) {
542 radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
543 filename, cf_section_lineno(cs),
544 value, strerror(errno));
546 } /* else it worked. */
551 * Look for the name of a section that holds a list
554 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
555 §ion_name, NULL);
556 if (rcode < 0) return -1; /* bad string */
557 if (rcode > 0) return 0; /* non-existent is OK. */
559 client_cs = cf_section_find(section_name);
561 radlog(L_CONS|L_ERR, "%s[%d]: Failed to find client section %s",
562 filename, cf_section_lineno(cs), section_name);
566 sock->clients = clients_parse_section(filename, client_cs);
567 if (!sock->clients) {
575 * Send an authentication response packet
577 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
579 rad_assert(request->listener == listener);
580 rad_assert(listener->send == auth_socket_send);
583 * Ensure that the reply is sane
585 if (request->reply->code == 0) {
586 DEBUG2("There was no response configured: rejecting request %d", request->number);
587 request->reply->code = PW_AUTHENTICATION_REJECT;
591 * If we're delaying authentication rejects, then
592 * mark the request as delayed, and do NOT send a
593 * response right now.
595 * However, if it's already marked as delayed, then
598 if ((request->reply->code == PW_AUTHENTICATION_REJECT) &&
599 ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) == 0) &&
600 (mainconfig.reject_delay > 0) &&
601 ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0)) {
602 DEBUG2("Delaying request %d for %d seconds",
603 request->number, mainconfig.reject_delay);
604 request->options |= RAD_REQUEST_OPTION_DELAYED_REJECT;
608 return rad_send(request->reply, request->packet, request->secret);
613 * Send an accounting response packet (or not)
615 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
617 rad_assert(request->listener == listener);
618 rad_assert(listener->send == acct_socket_send);
621 * Accounting reject's are silently dropped.
623 * We do it here to avoid polluting the rest of the
624 * code with this knowledge
626 if (request->reply->code == 0) return 0;
628 return rad_send(request->reply, request->packet, request->secret);
633 * Send a packet to a home server.
635 * FIXME: have different code for proxy auth & acct!
637 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
639 listen_socket_t *sock = listener->data;
641 rad_assert(request->proxy_listener == listener);
642 rad_assert(listener->send == proxy_socket_send);
644 request->proxy->src_ipaddr = sock->ipaddr;
645 request->proxy->src_port = sock->port;
647 return rad_send(request->proxy, request->packet, request->proxysecret);
652 * Check if an incoming request is "ok"
654 * It takes packets, not requests. It sees if the packet looks
655 * OK. If so, it does a number of sanity checks on it.
657 static int auth_socket_recv(rad_listen_t *listener,
658 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
660 RADIUS_PACKET *packet;
661 RAD_REQUEST_FUNP fun = NULL;
665 packet = rad_recv(listener->fd);
667 radlog(L_ERR, "%s", librad_errstr);
671 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: auth specific */
673 if ((client = client_listener_find(listener,
674 &packet->src_ipaddr)) == NULL) {
675 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
677 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
678 inet_ntop(packet->src_ipaddr.af,
679 &packet->src_ipaddr.ipaddr,
680 buffer, sizeof(buffer)),
687 * Some sanity checks, based on the packet code.
689 switch(packet->code) {
690 case PW_AUTHENTICATION_REQUEST:
691 fun = rad_authenticate;
694 case PW_STATUS_SERVER:
695 if (!mainconfig.status_server) {
696 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
697 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
701 fun = rad_status_server;
705 RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
707 radlog(L_ERR, "Invalid packet code %d sent to authentication port from client %s port %d "
709 packet->code, client->shortname,
710 packet->src_port, packet->id);
714 } /* switch over packet types */
716 if (!common_checks(listener, packet, prequest, client)) {
727 * Receive packets from an accounting socket
729 static int acct_socket_recv(rad_listen_t *listener,
730 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
732 RADIUS_PACKET *packet;
733 RAD_REQUEST_FUNP fun = NULL;
737 packet = rad_recv(listener->fd);
739 radlog(L_ERR, "%s", librad_errstr);
743 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: acct-specific */
745 if ((client = client_listener_find(listener,
746 &packet->src_ipaddr)) == NULL) {
747 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
749 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
750 inet_ntop(packet->src_ipaddr.af,
751 &packet->src_ipaddr.ipaddr,
752 buffer, sizeof(buffer)),
758 switch(packet->code) {
759 case PW_ACCOUNTING_REQUEST:
760 fun = rad_accounting;
763 case PW_STATUS_SERVER:
764 if (!mainconfig.status_server) {
765 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
766 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
770 fun = rad_status_server;
775 * FIXME: Update MIB for packet types?
777 radlog(L_ERR, "Invalid packet code %d sent to a accounting port "
778 "from client %s port %d - ID %d : IGNORED",
779 packet->code, client->shortname,
780 packet->src_port, packet->id);
786 * FIXME: Accounting duplicates should be handled
787 * differently than authentication duplicates.
789 if (!common_checks(listener, packet, prequest, client)) {
800 * Recieve packets from a proxy socket.
802 static int proxy_socket_recv(rad_listen_t *listener,
803 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
807 RADIUS_PACKET *packet;
808 RAD_REQUEST_FUNP fun = NULL;
811 packet = rad_recv(listener->fd);
813 radlog(L_ERR, "%s", librad_errstr);
820 if (packet->src_ipaddr.af != AF_INET) {
821 rad_assert("PROXY IPV6 NOT SUPPORTED" == NULL);
825 * FIXME: Add support for home servers!
827 if ((cl = realm_findbyaddr(packet->src_ipaddr.ipaddr.ip4addr.s_addr,
828 packet->src_port)) == NULL) {
829 radlog(L_ERR, "Ignoring request from unknown home server %s port %d",
830 inet_ntop(packet->src_ipaddr.af,
831 &packet->src_ipaddr.ipaddr,
832 buffer, sizeof(buffer)),
839 * FIXME: Client MIB updates?
841 switch(packet->code) {
842 case PW_AUTHENTICATION_ACK:
843 case PW_ACCESS_CHALLENGE:
844 case PW_AUTHENTICATION_REJECT:
845 fun = rad_authenticate;
848 case PW_ACCOUNTING_RESPONSE:
849 fun = rad_accounting;
854 * FIXME: Update MIB for packet types?
856 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
857 "from home server %s port %d - ID %d : IGNORED",
859 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
860 packet->src_port, packet->id);
866 * Find the original request in the request list
868 oldreq = rl_find_proxy(packet);
871 * If we haven't found the original request which was
872 * sent, to get this reply. Complain, and discard this
873 * request, as there's no way for us to send it to a NAS.
876 radlog(L_PROXY, "No outstanding request was found for proxy reply from home server %s port %d - ID %d",
877 inet_ntop(packet->src_ipaddr.af,
878 &packet->src_ipaddr.ipaddr,
879 buffer, sizeof(buffer)),
880 packet->src_port, packet->id);
886 * The proxy reply has arrived too late, as the original
887 * (old) request has timed out, been rejected, and marked
888 * as finished. The client has already received a
889 * response, so there is nothing that can be done. Delete
890 * the tardy reply from the home server, and return nothing.
892 if ((oldreq->reply->code != 0) ||
893 (oldreq->finished)) {
894 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
895 inet_ntop(packet->src_ipaddr.af,
896 &packet->src_ipaddr.ipaddr,
897 buffer, sizeof(buffer)),
898 packet->src_port, packet->id,
905 * If there is already a reply, maybe this one is a
908 if (oldreq->proxy_reply) {
909 if (memcmp(oldreq->proxy_reply->vector,
911 sizeof(oldreq->proxy_reply->vector)) == 0) {
912 radlog(L_ERR, "Discarding duplicate reply from home server %s port %d - ID: %d for request %d",
913 inet_ntop(packet->src_ipaddr.af,
914 &packet->src_ipaddr.ipaddr,
915 buffer, sizeof(buffer)),
916 packet->src_port, packet->id,
920 * ? The home server gave us a new proxy
921 * reply, which doesn't match the old
924 DEBUG2("Ignoring conflicting proxy reply");
928 * We've already received a reply, so
929 * we discard this one, as we don't want
930 * to do duplicate work.
934 } /* else there wasn't a proxy reply yet, so we can process it */
937 * Refresh the old request, and update it with the proxy
940 * ? Can we delete the proxy request here? * Is there
941 * any more need for it?
943 * FIXME: we probably shouldn't be updating the time
946 oldreq->timestamp = time_now;
947 oldreq->proxy_reply = packet;
950 * FIXME: we should really verify the digest here,
951 * before marking this packet as a valid response.
953 * This is a security problem, I think...
957 * Now that we've verified the packet IS actually from
958 * that home server, and not forged, we can go mark the
959 * entries for this home server as active.
961 * If we had done this check in the 'find realm by IP address'
962 * function, then an attacker could force us to use a home
963 * server which was inactive, by forging reply packets
964 * which didn't match any request. We would think that
965 * the reply meant the home server was active, would
966 * re-activate the realms, and THEN bounce the packet
969 for (cl = mainconfig.realms; cl != NULL; cl = cl->next) {
970 if (oldreq->proxy_reply->src_ipaddr.af != cl->ipaddr.af) continue;
971 if (cl->ipaddr.af != AF_INET) continue; /* FIXME */
973 if (oldreq->proxy_reply->src_ipaddr.ipaddr.ip4addr.s_addr == cl->ipaddr.ipaddr.ip4addr.s_addr) {
974 if (oldreq->proxy_reply->src_port == cl->auth_port) {
976 cl->last_reply = oldreq->timestamp;
977 } else if (oldreq->proxy_reply->src_port == cl->acct_port) {
978 cl->acct_active = TRUE;
979 cl->last_reply = oldreq->timestamp;
984 rad_assert(fun != NULL);
991 #define STATE_UNOPENED (0)
992 #define STATE_UNLOCKED (1)
993 #define STATE_HEADER (2)
994 #define STATE_READING (3)
995 #define STATE_DONE (4)
996 #define STATE_WAITING (5)
999 * If we're limiting outstanding packets, then mark the response
1002 static int detail_send(rad_listen_t *listener, REQUEST *request)
1004 listen_detail_t *data = listener->data;
1006 rad_assert(request->listener == listener);
1007 rad_assert(listener->send == detail_send);
1009 if (request->simul_max >= 0) {
1010 rad_assert(data->outstanding != NULL);
1011 rad_assert(request->simul_max < data->max_outstanding);
1013 data->outstanding[request->simul_max] = 0;
1021 * Open the detail file..
1023 * FIXME: create it, if it's not already there, so that the main
1024 * server select() will wake us up if there's anything to read.
1026 static int detail_open(rad_listen_t *this)
1030 listen_detail_t *data = this->data;
1032 rad_assert(data->state == STATE_UNOPENED);
1033 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1036 * FIXME: Have "one-shot" configuration, where it
1037 * will read the detail file, and exit once it's
1040 * FIXME: Try harder to open the detail file.
1041 * Maybe sleep for X usecs if it doesn't exist?
1045 * Open detail.work first, so we don't lose
1046 * accounting packets. It's probably better to
1047 * duplicate them than to lose them.
1049 * Note that we're not writing to the file, but
1050 * we've got to open it for writing in order to
1051 * establish the lock, to prevent rlm_detail from
1054 this->fd = open(buffer, O_RDWR);
1057 * Try reading the detail file. If it
1058 * doesn't exist, we can't do anything.
1060 * Doing the stat will tell us if the file
1061 * exists, even if we don't have permissions
1064 if (stat(data->detail, &st) < 0) {
1069 * Open it BEFORE we rename it, just to
1072 this->fd = open(data->detail, O_RDWR);
1074 radlog(L_ERR, "Failed to open %s: %s",
1075 data->detail, strerror(errno));
1080 * Rename detail to detail.work
1082 if (rename(data->detail, buffer) < 0) {
1087 } /* else detail.work existed, and we opened it */
1089 rad_assert(data->vps == NULL);
1091 rad_assert(data->fp == NULL);
1092 data->fp = fdopen(this->fd, "r");
1094 radlog(L_ERR, "Failed to re-open %s: %s",
1095 data->detail, strerror(errno));
1099 data->state = STATE_UNLOCKED;
1101 data->client_ip.af = AF_UNSPEC;
1102 data->timestamp = 0;
1108 * This is a bad hack, just so complaints have meaningful text.
1110 static const RADCLIENT detail_client = {
1125 static int detail_recv(rad_listen_t *listener,
1126 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1129 char key[256], value[1024];
1130 VALUE_PAIR *vp, **tail;
1131 RADIUS_PACKET *packet;
1133 listen_detail_t *data = listener->data;
1135 if (data->state == STATE_UNOPENED) {
1136 rad_assert(listener->fd < 0);
1137 if (!detail_open(listener)) return 0;
1139 rad_assert(listener->fd >= 0);
1142 * Try to lock fd. If we can't, return. If we can,
1143 * continue. This means that the server doesn't block
1144 * while waiting for the lock to open...
1146 if (data->state == STATE_UNLOCKED) {
1148 * Note that we do NOT block waiting for the
1149 * lock. We've re-named the file above, so we've
1150 * already guaranteed that any *new* detail
1151 * writer will not be opening this file. The
1152 * only purpose of the lock is to catch a race
1153 * condition where the execution "ping-pongs"
1154 * between radiusd & radrelay.
1156 if (rad_lockfd_nonblock(listener->fd, 0) < 0) {
1160 * Look for the header
1162 data->state = STATE_HEADER;
1166 * If we keep track of the outstanding requests, do so
1167 * here. Note that to minimize potential work, we do
1168 * so only once the file is opened & locked.
1170 if (data->max_outstanding) {
1173 for (i = 0; i < data->max_outstanding; i++) {
1174 if (!data->outstanding[i]) {
1181 * All of the slots are full, don't read data.
1183 if (free_slot < 0) return 0;
1187 * Catch an out of memory condition which will most likely
1190 if (data->state == STATE_DONE) goto alloc_packet;
1193 * If we're in another state, then it means that we read
1194 * a partial packet, which is bad.
1196 rad_assert(data->state == STATE_HEADER);
1197 rad_assert(data->vps == NULL);
1200 * We read the last packet, and returned it for
1201 * processing. We later come back here to shut
1202 * everything down, and unlink the file.
1204 if (feof(data->fp)) {
1205 rad_assert(data->state == STATE_HEADER);
1208 * Don't unlink the file until we've received
1209 * all of the responses.
1211 if (data->max_outstanding > 0) {
1214 for (i = 0; i < data->max_outstanding; i++) {
1216 * FIXME: close the file?
1218 if (data->outstanding[i]) {
1219 data->state = STATE_WAITING;
1226 rad_assert(data->vps == NULL);
1228 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1230 fclose(data->fp); /* closes listener->fd */
1233 data->state = STATE_UNOPENED;
1236 * Try to open "detail" again. If we're on a
1237 * busy RADIUS server, odds are that it will
1240 detail_open(listener);
1247 * Fill the buffer...
1249 while (fgets(buffer, sizeof(buffer), data->fp)) {
1253 if (!strchr(buffer, '\n')) {
1254 pairfree(&data->vps);
1259 * We've read a header, possibly packet contents,
1260 * and are now at the end of the packet.
1262 if ((data->state == STATE_READING) &&
1263 (buffer[0] == '\n')) {
1264 data->state = STATE_DONE;
1269 * Look for date/time header, and read VP's if
1270 * found. If not, keep reading lines until we
1273 if (data->state == STATE_HEADER) {
1276 if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
1277 data->state = STATE_READING;
1283 * We have a full "attribute = value" line.
1284 * If it doesn't look reasonable, skip it.
1286 if (sscanf(buffer, "%255s = %1023s", key, value) != 2) {
1291 * Skip non-protocol attributes.
1293 if (!strcasecmp(key, "Request-Authenticator")) continue;
1296 * Set the original client IP address, based on
1297 * what's in the detail file.
1299 * Hmm... we don't set the server IP address.
1302 if (!strcasecmp(key, "Client-IP-Address")) {
1303 data->client_ip.af = AF_INET;
1304 ip_hton(value, AF_INET, &data->client_ip);
1309 * The original time at which we received the
1310 * packet. We need this to properly calculate
1313 if (!strcasecmp(key, "Timestamp")) {
1314 data->timestamp = atoi(value);
1321 * FIXME: do we want to check for non-protocol
1322 * attributes like radsqlrelay does?
1325 if ((userparse(buffer, &vp) > 0) &&
1333 * We got to EOF, If we're in STATE_HEADER, it's OK.
1334 * Otherwise it's a problem. In any case, nuke the file
1335 * and start over from scratch,
1337 if (feof(data->fp)) {
1342 * FIXME: Do load management.
1346 * If we're not done, then there's a problem. The checks
1349 rad_assert(data->state == STATE_DONE);
1352 * The packet we read was empty, re-set the state to look
1353 * for a header, and don't return anything.
1356 data->state = STATE_HEADER;
1361 * Allocate the packet. If we fail, it's a serious
1365 packet = rad_alloc(1);
1367 return 0; /* maybe memory will magically free up... */
1370 memset(packet, 0, sizeof(*packet));
1371 packet->sockfd = -1;
1372 packet->src_ipaddr.af = AF_INET;
1373 packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1374 packet->code = PW_ACCOUNTING_REQUEST;
1375 packet->timestamp = time(NULL);
1378 * Look for Acct-Delay-Time, and update
1379 * based on Acct-Delay-Time += (time(NULL) - timestamp)
1381 vp = pairfind(packet->vps, PW_ACCT_DELAY_TIME);
1383 vp = paircreate(PW_ACCT_DELAY_TIME, PW_TYPE_INTEGER);
1384 rad_assert(vp != NULL);
1386 if (data->timestamp != 0) {
1387 vp->lvalue += time(NULL) - data->timestamp;
1391 * Remember where it came from, so that we don't
1392 * proxy it to the place it came from...
1394 if (data->client_ip.af != AF_UNSPEC) {
1395 packet->src_ipaddr = data->client_ip;
1398 vp = pairfind(packet->vps, PW_PACKET_SRC_IP_ADDRESS);
1400 packet->src_ipaddr.af = AF_INET;
1401 packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1403 vp = pairfind(packet->vps, PW_PACKET_SRC_IPV6_ADDRESS);
1405 packet->src_ipaddr.af = AF_INET6;
1406 memcpy(&packet->src_ipaddr.ipaddr.ip6addr,
1407 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1411 vp = pairfind(packet->vps, PW_PACKET_DST_IP_ADDRESS);
1413 packet->dst_ipaddr.af = AF_INET;
1414 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1416 vp = pairfind(packet->vps, PW_PACKET_DST_IPV6_ADDRESS);
1418 packet->dst_ipaddr.af = AF_INET6;
1419 memcpy(&packet->dst_ipaddr.ipaddr.ip6addr,
1420 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1425 * We've got to give SOME value for Id & ports, so that
1426 * the packets can be added to the request queue.
1427 * However, we don't want to keep track of used/unused
1428 * id's and ports, as that's a lot of work. This hack
1429 * ensures that (if we have real random numbers), that
1430 * there will be a collision on every (2^(16+16+2+24))/2
1431 * packets, on average. That means we can read 2^32 (4G)
1432 * packets before having a collision, which means it's
1433 * effectively impossible. Having 4G packets currently
1434 * being process is ridiculous.
1436 packet->id = lrad_rand() & 0xff;
1437 packet->src_port = lrad_rand() & 0xffff;
1438 packet->dst_port = lrad_rand() & 0xffff;
1440 packet->dst_ipaddr.af = AF_INET;
1441 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl((INADDR_LOOPBACK & ~0xffffff) | (lrad_rand() & 0xffffff));
1443 packet->vps = data->vps;
1449 data->state = STATE_HEADER;
1452 * FIXME: many of these checks may not be necessary...
1454 if (!common_checks(listener, packet, prequest, &detail_client)) {
1460 * Keep track of free slots, as a hack, in an otherwise
1463 (*prequest)->simul_max = free_slot;
1464 if (free_slot) data->outstanding[free_slot] = 1;
1466 *pfun = rad_accounting;
1469 printf("detail_recv: Read packet from %s\n", data->detail);
1470 for (vp = packet->vps; vp; vp = vp->next) {
1472 vp_print(stdout, vp);
1482 * Free detail-specific stuff.
1484 static void detail_free(rad_listen_t *this)
1486 listen_detail_t *data = this->data;
1489 pairfree(&data->vps);
1490 free(data->outstanding);
1492 if (data->fp != NULL) fclose(data->fp);
1496 static int detail_print(rad_listen_t *this, char *buffer, size_t bufsize)
1498 return snprintf(buffer, bufsize, "%s",
1499 ((listen_detail_t *)(this->data))->detail);
1503 static const CONF_PARSER detail_config[] = {
1504 { "detail", PW_TYPE_STRING_PTR,
1505 offsetof(listen_detail_t, detail), NULL, NULL },
1506 { "max_outstanding", PW_TYPE_INTEGER,
1507 offsetof(listen_detail_t, max_outstanding), NULL, "100" },
1509 { NULL, -1, 0, NULL, NULL } /* end the list */
1514 * Parse a detail section.
1516 static int detail_parse(const char *filename, int lineno,
1517 const CONF_SECTION *cs, rad_listen_t *this)
1520 listen_detail_t *data;
1524 rcode = cf_section_parse(cs, data, detail_config);
1526 radlog(L_ERR, "%s[%d]: Failed parsing listen section",
1531 if (!data->detail) {
1532 radlog(L_ERR, "%s[%d]: No detail file specified in listen section",
1539 data->state = STATE_UNOPENED;
1541 if (data->max_outstanding > 32768) data->max_outstanding = 32768;
1543 if (data->max_outstanding > 0) {
1544 data->outstanding = rad_malloc(sizeof(int) * data->max_outstanding);
1554 * See radiusd.c & request_list.c
1556 #define SLEEP_FOREVER (65536)
1558 * A generic "update the request list once a second" function.
1560 static int generic_update(rad_listen_t *this, time_t now)
1562 if (!this->rl) return SLEEP_FOREVER;
1564 return rl_clean_list(this->rl, now);
1569 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1570 { NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1572 /* authentication */
1573 { common_socket_parse, NULL,
1574 auth_socket_recv, auth_socket_send,
1575 generic_update, socket_print },
1578 { common_socket_parse, NULL,
1579 acct_socket_recv, acct_socket_send,
1580 generic_update, socket_print},
1584 proxy_socket_recv, proxy_socket_send,
1585 generic_update, socket_print }, /* FIXME: update func is wrong! */
1588 { detail_parse, detail_free,
1589 detail_recv, detail_send,
1590 generic_update, detail_print }
1595 * Binds a listener to a socket.
1597 static int listen_bind(rad_listen_t *this)
1599 rad_listen_t **last;
1600 listen_socket_t *sock = this->data;
1603 * If the port is zero, then it means the appropriate
1604 * thing from /etc/services.
1606 if (sock->port == 0) {
1607 struct servent *svp;
1609 switch (this->type) {
1610 case RAD_LISTEN_AUTH:
1611 svp = getservbyname ("radius", "udp");
1613 sock->port = ntohs(svp->s_port);
1615 sock->port = PW_AUTH_UDP_PORT;
1619 case RAD_LISTEN_ACCT:
1620 svp = getservbyname ("radacct", "udp");
1622 sock->port = ntohs(svp->s_port);
1624 sock->port = PW_ACCT_UDP_PORT;
1629 radlog(L_ERR|L_CONS, "ERROR: Non-fatal internal sanity check failed in bind.");
1635 * Find it in the old list, AFTER updating the port. If
1636 * it's there, use that, rather than creating a new
1637 * socket. This allows HUP's to re-use the old sockets,
1638 * which means that packets waiting in the socket queue
1641 for (last = &mainconfig.listen;
1643 last = &((*last)->next)) {
1644 if ((this->type == (*last)->type) &&
1645 (sock->port == ((listen_socket_t *)((*last)->data))->port) &&
1646 (sock->ipaddr.af == ((listen_socket_t *)((*last)->data))->ipaddr.af)) {
1649 if (sock->ipaddr.af == AF_INET) {
1650 equal = (sock->ipaddr.ipaddr.ip4addr.s_addr == ((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip4addr.s_addr);
1651 } else if (sock->ipaddr.af == AF_INET6) {
1652 equal = IN6_ARE_ADDR_EQUAL(&(sock->ipaddr.ipaddr.ip6addr), &(((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip6addr));
1658 this->rl = (*last)->rl;
1659 this->fd = (*last)->fd;
1667 this->fd = lrad_socket(&sock->ipaddr, sock->port);
1669 radlog(L_ERR|L_CONS, "ERROR: Failed to open socket: %s",
1679 * Allocate & initialize a new listener.
1681 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1685 this = rad_malloc(sizeof(*this));
1686 memset(this, 0, sizeof(*this));
1689 this->recv = master_listen[this->type].recv;
1690 this->send = master_listen[this->type].send;
1691 this->update = master_listen[this->type].update;
1692 this->print = master_listen[this->type].print;
1695 case RAD_LISTEN_AUTH:
1696 case RAD_LISTEN_ACCT:
1697 case RAD_LISTEN_PROXY:
1698 this->data = rad_malloc(sizeof(listen_socket_t));
1699 memset(this->data, 0, sizeof(listen_socket_t));
1702 case RAD_LISTEN_DETAIL:
1703 this->data = rad_malloc(sizeof(listen_detail_t));
1704 memset(this->data, 0, sizeof(listen_detail_t));
1715 * Externally visible function for creating a new proxy LISTENER.
1717 * For now, don't take ipaddr or port.
1719 * Not thread-safe, but all calls to it are protected by the
1720 * proxy mutex in request_list.c
1722 rad_listen_t *proxy_new_listener()
1724 int last_proxy_port, port;
1725 rad_listen_t *this, *tmp, **last;
1726 listen_socket_t *sock, *old;
1728 this = listen_alloc(RAD_LISTEN_PROXY);
1731 * Find an existing proxy socket to copy.
1733 * FIXME: Make it per-realm, or per-home server!
1735 last_proxy_port = 0;
1737 last = &mainconfig.listen;
1738 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1739 if (tmp->type == RAD_LISTEN_PROXY) {
1741 if (sock->port > last_proxy_port) {
1742 last_proxy_port = sock->port + 1;
1744 if (!old) old = sock;
1747 last = &(tmp->next);
1750 if (!old) return NULL; /* This is a serious error. */
1753 * FIXME: find a new IP address to listen on?
1756 memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr));
1759 * Keep going until we find an unused port.
1761 for (port = last_proxy_port; port < 64000; port++) {
1763 if (listen_bind(this) == 0) {
1765 * Add the new listener to the list of
1777 static const LRAD_NAME_NUMBER listen_compare[] = {
1778 { "auth", RAD_LISTEN_AUTH },
1779 { "acct", RAD_LISTEN_ACCT },
1780 { "detail", RAD_LISTEN_DETAIL },
1786 * Generate a list of listeners. Takes an input list of
1787 * listeners, too, so we don't close sockets with waiting packets.
1789 int listen_init(const char *filename, rad_listen_t **head)
1793 rad_listen_t **last;
1795 lrad_ipaddr_t server_ipaddr;
1799 * We shouldn't be called with a pre-existing list.
1801 rad_assert(head && (*head == NULL));
1803 if (start_time != 0) start_time = time(NULL);
1806 server_ipaddr.af = AF_UNSPEC;
1809 * If the port is specified on the command-line,
1810 * it over-rides the configuration file.
1812 if (mainconfig.port >= 0) {
1813 auth_port = mainconfig.port;
1815 rcode = cf_item_parse(mainconfig.config, "port",
1816 PW_TYPE_INTEGER, &auth_port,
1817 Stringify(PW_AUTH_UDP_PORT));
1818 if (rcode < 0) return -1; /* error parsing it */
1821 radlog(L_INFO, "WARNING: The directive 'port' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1825 * If the IP address was configured on the command-line,
1826 * use that as the "bind_address"
1828 if (mainconfig.myip.af != AF_UNSPEC) {
1829 memcpy(&server_ipaddr, &mainconfig.myip,
1830 sizeof(server_ipaddr));
1835 * Else look for bind_address and/or listen sections.
1837 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1838 rcode = cf_item_parse(mainconfig.config, "bind_address",
1840 &server_ipaddr.ipaddr.ip4addr, NULL);
1841 if (rcode < 0) return -1; /* error parsing it */
1843 if (rcode == 0) { /* successfully parsed IPv4 */
1844 listen_socket_t *sock;
1845 server_ipaddr.af = AF_INET;
1847 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1850 this = listen_alloc(RAD_LISTEN_AUTH);
1853 sock->ipaddr = server_ipaddr;
1854 sock->port = auth_port;
1856 if (listen_bind(this) < 0) {
1859 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1862 auth_port = sock->port; /* may have been updated in listen_bind */
1864 last = &(this->next);
1867 * Open Accounting Socket.
1869 * If we haven't already gotten acct_port from
1870 * /etc/services, then make it auth_port + 1.
1872 this = listen_alloc(RAD_LISTEN_ACCT);
1876 * Create the accounting socket.
1878 * The accounting port is always the
1879 * authentication port + 1
1881 sock->ipaddr = server_ipaddr;
1882 sock->port = auth_port + 1;
1884 if (listen_bind(this) < 0) {
1887 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1892 last = &(this->next);
1894 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1895 radlog(L_CONS|L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1901 * They specified an IP on the command-line, ignore
1902 * all listen sections.
1904 if (mainconfig.myip.af != AF_UNSPEC) goto do_proxy;
1907 * Walk through the "listen" sections, if they exist.
1909 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "listen");
1911 cs = cf_subsection_find_next(mainconfig.config, cs, "listen")) {
1913 char *listen_type, *identity;
1914 int lineno = cf_section_lineno(cs);
1916 listen_type = identity = NULL;
1918 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1920 if (rcode < 0) return -1;
1924 radlog(L_ERR, "%s[%d]: No type specified in listen section",
1930 * See if there's an identity.
1932 rcode = cf_item_parse(cs, "identity", PW_TYPE_STRING_PTR,
1940 type = lrad_str2int(listen_compare, listen_type,
1943 if (type == RAD_LISTEN_NONE) {
1945 radlog(L_CONS|L_ERR, "%s[%d]: Invalid type in listen section.",
1951 * Set up cross-type data.
1953 this = listen_alloc(type);
1954 this->identity = identity;
1958 * Call per-type parser.
1960 if (master_listen[type].parse(filename, lineno,
1968 last = &(this->next);
1972 * If we're proxying requests, open the proxy FD.
1973 * Otherwise, don't do anything.
1976 if (mainconfig.proxy_requests == TRUE) {
1978 listen_socket_t *sock = NULL;
1981 * No sockets to receive packets, therefore
1982 * proxying is pointless.
1984 if (!*head) return -1;
1987 * If we previously had proxy sockets, copy them
1988 * to the new config.
1990 if (mainconfig.listen != NULL) {
1991 rad_listen_t *old, *next, **tail;
1993 tail = &mainconfig.listen;
1994 for (old = mainconfig.listen;
1999 if (old->type != RAD_LISTEN_PROXY) {
2000 tail = &((*tail)->next);
2007 last = &(old->next);
2014 * Find the first authentication port,
2017 for (this = *head; this != NULL; this = this->next) {
2018 if (this->type == RAD_LISTEN_AUTH) {
2020 if (server_ipaddr.af == AF_UNSPEC) {
2021 server_ipaddr = sock->ipaddr;
2023 port = sock->port + 2; /* skip acct port */
2028 if (port < 0) port = 1024 + (lrad_rand() & 0x1ff);
2031 * Address is still unspecified, use IPv4.
2033 if (server_ipaddr.af == AF_UNSPEC) {
2034 server_ipaddr.af = AF_INET;
2035 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
2038 this = listen_alloc(RAD_LISTEN_PROXY);
2042 * Create the first proxy socket.
2044 sock->ipaddr = server_ipaddr;
2047 * Try to find a proxy port (value doesn't matter)
2049 for (sock->port = port;
2052 if (listen_bind(this) == 0) {
2054 last = &(this->next); /* just in case */
2059 if (sock->port >= 64000) {
2062 radlog(L_ERR|L_CONS, "Failed to open socket for proxying");
2068 * Sanity check the configuration.
2071 for (this = *head; this != NULL; this = this->next) {
2072 if ((this->type != RAD_LISTEN_PROXY) &&
2075 * FIXME: Pass type to rl_init, so that
2076 * it knows how to deal with accounting
2077 * packets. i.e. it caches them, but
2078 * doesn't bother trying to re-transmit.
2080 this->rl = rl_init();
2082 rad_assert(0 == 1); /* FIXME: */
2086 if (((this->type == RAD_LISTEN_ACCT) &&
2087 (rcode == RAD_LISTEN_DETAIL)) ||
2088 ((this->type == RAD_LISTEN_DETAIL) &&
2089 (rcode == RAD_LISTEN_ACCT))) {
2090 rad_assert(0 == 1); /* FIXME: configuration error */
2093 if (rcode != 0) continue;
2095 if ((this->type == RAD_LISTEN_ACCT) ||
2096 (this->type == RAD_LISTEN_DETAIL)) {
2106 * Free a linked list of listeners;
2108 void listen_free(rad_listen_t **head)
2112 if (!head || !*head) return;
2116 rad_listen_t *next = this->next;
2118 free(this->identity);
2120 rl_deinit(this->rl);
2123 * Other code may have eaten the FD.
2125 if (this->fd >= 0) close(this->fd);
2127 if (master_listen[this->type].free) {
2128 master_listen[this->type].free(this);