2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/autoconf.h>
29 #ifdef HAVE_NETINET_IN_H
30 #include <netinet/in.h>
33 #ifdef HAVE_ARPA_INET_H
34 #include <arpa/inet.h>
37 #include <sys/resource.h>
39 #include <sys/types.h>
40 #include <sys/socket.h>
47 #ifdef HAVE_SYS_STAT_H
52 #include <freeradius-devel/udpfromto.h>
57 #include <freeradius-devel/radiusd.h>
58 #include <freeradius-devel/rad_assert.h>
59 #include <freeradius-devel/conffile.h>
60 #include <freeradius-devel/token.h>
62 #include <freeradius-devel/radius_snmp.h>
63 #include <freeradius-devel/request_list.h>
65 static time_t start_time = 0;
68 * FIXME: Delete this crap!
70 extern time_t time_now;
73 * We'll use this below.
75 typedef int (*rad_listen_parse_t)(const char *, int, const CONF_SECTION *, rad_listen_t *);
76 typedef void (*rad_listen_free_t)(rad_listen_t *);
78 typedef struct rad_listen_master_t {
79 rad_listen_parse_t parse;
80 rad_listen_free_t free;
81 rad_listen_recv_t recv;
82 rad_listen_send_t send;
83 rad_listen_update_t update;
84 rad_listen_print_t print;
85 } rad_listen_master_t;
87 typedef struct listen_socket_t {
93 RADCLIENT_LIST *clients;
96 typedef struct listen_detail_t {
102 lrad_ipaddr_t client_ip;
109 * Find a per-socket client.
111 static RADCLIENT *client_listener_find(const rad_listen_t *listener,
112 const lrad_ipaddr_t *ipaddr)
114 const RADCLIENT_LIST *clients;
116 rad_assert(listener != NULL);
117 rad_assert(ipaddr != NULL);
119 rad_assert((listener->type == RAD_LISTEN_AUTH) ||
120 (listener->type == RAD_LISTEN_ACCT));
122 clients = ((listen_socket_t *)listener->data)->clients;
123 if (!clients) clients = mainconfig.clients;
125 rad_assert(clients != NULL);
127 return client_find(clients, ipaddr);
130 static int listen_bind(rad_listen_t *this);
133 * FIXME: have the detail reader use another config "exit when done",
134 * so that it can be used as a one-off tool to update stuff.
138 * Process and reply to a server-status request.
139 * Like rad_authenticate and rad_accounting this should
140 * live in it's own file but it's so small we don't bother.
142 static int rad_status_server(REQUEST *request)
149 * Reply with an ACK. We might want to add some more
150 * interesting reply attributes, such as server uptime.
152 t = request->timestamp - start_time;
153 sprintf(reply_msg, "FreeRADIUS up %d day%s, %02d:%02d",
154 (int)(t / 86400), (t / 86400) == 1 ? "" : "s",
155 (int)((t / 3600) % 24), (int)(t / 60) % 60);
156 request->reply->code = PW_AUTHENTICATION_ACK;
158 vp = pairmake("Reply-Message", reply_msg, T_OP_SET);
159 pairadd(&request->reply->vps, vp); /* don't need to check if !vp */
164 static int request_num_counter = 0;
167 * Check for dups, etc. Common to Access-Request &&
168 * Accounting-Request packets.
170 static int common_checks(rad_listen_t *listener,
171 RADIUS_PACKET *packet, REQUEST **prequest,
172 const RADCLIENT *client)
177 rad_assert(listener->rl != NULL);
180 * If there is no existing request of id, code, etc.,
181 * then we can return, and let it be processed.
183 if ((curreq = rl_find(listener->rl, packet)) == NULL) {
185 * Count the total number of requests, to see if
186 * there are too many. If so, return with an
189 if (mainconfig.max_requests) {
191 * FIXME: This is now per-socket,
192 * when it should really be global
195 int request_count = rl_num_requests(listener->rl);
198 * This is a new request. Let's see if
199 * it makes us go over our configured
202 if (request_count > mainconfig.max_requests) {
203 radlog(L_ERR, "Dropping request (%d is too many): "
204 "from client %s port %d - ID: %d", request_count,
206 packet->src_port, packet->id);
207 radlog(L_INFO, "WARNING: Please check the %s file.\n"
208 "\tThe value for 'max_requests' is probably set too low.\n", mainconfig.radiusd_conf);
210 } /* else there were a small number of requests */
211 } /* else there was no configured limit for requests */
214 * FIXME: Add checks for system load. If the
215 * system is busy, start dropping requests...
217 * We can probably keep some statistics
218 * ourselves... if there are more requests
219 * coming in than we can handle, start dropping
224 * The current request isn't finished, which
225 * means that the NAS sent us a new packet, while
226 * we are still processing the old request.
228 } else if (!curreq->finished) {
230 * If the authentication vectors are identical,
231 * then the NAS is re-transmitting it, trying to
232 * kick us into responding to the request.
234 if (memcmp(curreq->packet->vector, packet->vector,
235 sizeof(packet->vector)) == 0) {
236 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
239 * It's not finished because the request
240 * was proxied, but there was no reply
241 * from the home server.
243 * This code will never get hit for
244 * accounting packets, as they're always
245 * updated, and never re-transmitted.
247 if (curreq->proxy && !curreq->proxy_reply) {
248 DEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
249 inet_ntop(curreq->proxy->dst_ipaddr.af,
250 &curreq->proxy->dst_ipaddr.ipaddr,
251 buffer, sizeof(buffer)), curreq->proxy->dst_port,
254 listener->send(curreq->proxy_listener, curreq);
256 } /* else the packet was not proxied */
259 * Someone's still working on it, so we
260 * ignore the duplicate request.
262 radlog(L_ERR, "Discarding duplicate request from "
263 "client %s port %d - ID: %d due to unfinished request %d",
265 packet->src_port, packet->id,
268 } /* else the authentication vectors were different */
271 * The authentication vectors are different, so
272 * the NAS has given up on us, as we've taken too
273 * long to process the request. This is a
276 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
278 radlog(L_ERR, "Dropping conflicting packet from "
279 "client %s port %d - ID: %d due to unfinished request %d",
281 packet->src_port, packet->id,
286 * The old request is finished. We now check the
287 * authentication vectors. If the client has sent us a
288 * request with identical code && ID, but different
289 * vector, then they MUST have gotten our response, so we
290 * can delete the original request, and process the new
293 * If the vectors are the same, then it's a duplicate
294 * request, and we can send a duplicate reply.
296 } else if (memcmp(curreq->packet->vector, packet->vector,
297 sizeof(packet->vector)) == 0) {
298 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
301 * If the packet has been delayed, then silently
302 * send a response, and clear the delayed flag.
304 * Note that this means if the NAS kicks us while
305 * we're delaying a reject, then the reject may
306 * be sent sooner than otherwise.
308 * This COULD be construed as a bug. Maybe what
309 * we want to do is to ignore the duplicate
310 * packet, and send the reject later.
312 if (curreq->options & RAD_REQUEST_OPTION_DELAYED_REJECT) {
313 curreq->options &= ~RAD_REQUEST_OPTION_DELAYED_REJECT;
314 rad_assert(curreq->listener == listener);
315 listener->send(listener, curreq);
320 * Maybe we've saved a reply packet. If so,
321 * re-send it. Otherwise, just complain.
323 if (curreq->reply->code != 0) {
324 DEBUG2("Sending duplicate reply "
325 "to client %s port %d - ID: %d",
327 packet->src_port, packet->id);
328 rad_assert(curreq->listener == listener);
329 listener->send(listener, curreq);
334 * Else we never sent a reply to the NAS,
335 * as we decided somehow we didn't like the request.
337 * This shouldn't happen, in general...
339 DEBUG2("Discarding duplicate request from client %s port %d - ID: %d",
340 client->shortname, packet->src_port, packet->id);
342 } /* else the vectors were different, so we discard the old request. */
345 * 'packet' has the same source IP, source port, code,
346 * and Id as 'curreq', but a different authentication
347 * vector. We can therefore delete 'curreq', as we were
348 * only keeping it around to send out duplicate replies,
349 * if the first reply got lost in the network.
352 RADIUS_PACKET *reply = curreq->reply;
354 rl_yank(listener->rl, curreq);
355 rad_free(&curreq->packet);
358 reply = curreq->reply;
359 pairfree(&reply->vps);
361 memset(reply, 0, sizeof(*reply));
363 memset(curreq, 0, sizeof(*curreq));
365 curreq->magic = REQUEST_MAGIC;
367 curreq->timestamp = time(NULL);
368 curreq->child_pid = NO_SUCH_CHILD_PID;
369 curreq->options = RAD_REQUEST_OPTION_NONE;
370 curreq->reply = reply;
373 * A unique per-request counter.
375 curreq = request_alloc(); /* never fails */
377 if ((curreq->reply = rad_alloc(0)) == NULL) {
378 radlog(L_ERR, "No memory");
382 curreq->listener = listener;
383 curreq->packet = packet;
384 curreq->packet->timestamp = curreq->timestamp;
385 curreq->number = request_num_counter++;
386 strNcpy(curreq->secret, client->secret, sizeof(curreq->secret));
389 * Remember the request in the list.
391 if (!rl_add(listener->rl, curreq)) {
392 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", curreq->number);
393 request_free(&curreq);
398 * The request passes many of our sanity checks.
399 * From here on in, if anything goes wrong, we
400 * send a reject message, instead of dropping the
405 * Build the reply template from the request.
408 curreq->reply->sockfd = curreq->packet->sockfd;
409 curreq->reply->dst_ipaddr = curreq->packet->src_ipaddr;
410 curreq->reply->src_ipaddr = curreq->packet->dst_ipaddr;
411 curreq->reply->dst_port = curreq->packet->src_port;
412 curreq->reply->src_port = curreq->packet->dst_port;
413 curreq->reply->id = curreq->packet->id;
414 curreq->reply->code = 0; /* UNKNOWN code */
415 memcpy(curreq->reply->vector, curreq->packet->vector,
416 sizeof(curreq->reply->vector));
417 curreq->reply->vps = NULL;
418 curreq->reply->data = NULL;
419 curreq->reply->data_len = 0;
426 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
429 listen_socket_t *sock = this->data;
431 if ((sock->ipaddr.af == AF_INET) &&
432 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
435 ip_ntoh(&sock->ipaddr, buffer, bufsize);
438 len = strlen(buffer);
440 return len + snprintf(buffer + len, bufsize - len, " port %d",
446 * Parse an authentication or accounting socket.
448 static int common_socket_parse(const char *filename, int lineno,
449 const CONF_SECTION *cs, rad_listen_t *this)
453 lrad_ipaddr_t ipaddr;
454 listen_socket_t *sock = this->data;
455 const char *section_name = NULL;
456 CONF_SECTION *client_cs;
461 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
462 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
463 &ipaddr.ipaddr.ip4addr, NULL);
464 if (rcode < 0) return -1;
466 if (rcode == 0) { /* successfully parsed IPv4 */
469 } else { /* maybe IPv6? */
470 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
471 &ipaddr.ipaddr.ip6addr, NULL);
472 if (rcode < 0) return -1;
475 radlog(L_ERR, "%s[%d]: No address specified in listen section",
479 ipaddr.af = AF_INET6;
482 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
484 if (rcode < 0) return -1;
486 sock->ipaddr = ipaddr;
487 sock->port = listen_port;
490 * And bind it to the port.
492 if (listen_bind(this) < 0) {
494 radlog(L_CONS|L_ERR, "%s[%d]: Error binding to port for %s port %d",
495 filename, cf_section_lineno(cs),
496 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
502 * If we can bind to interfaces, do so,
505 if (cf_pair_find(cs, "interface")) {
506 #ifndef SO_BINDTODEVICE
507 radlog(L_CONS|L_ERR, "%s[%d]: System does not support binding to interfaces, delete this line from the configuration file.",
508 filename, cf_section_lineno(cs));
512 const CONF_PAIR *cp = cf_pair_find(cs, "interface");
515 rad_assert(cp != NULL);
516 value = cf_pair_value(cp);
517 rad_assert(value != NULL);
519 strcpy(ifreq.ifr_name, value);
521 if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
522 (char *)&ifreq, sizeof(ifreq)) < 0) {
523 radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
524 filename, cf_section_lineno(cs),
525 value, strerror(errno));
527 } /* else it worked. */
532 * Look for the name of a section that holds a list
535 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
536 §ion_name, NULL);
537 if (rcode < 0) return -1; /* bad string */
538 if (rcode > 0) return 0; /* non-existent is OK. */
540 client_cs = cf_section_find(section_name);
542 radlog(L_CONS|L_ERR, "%s[%d]: Failed to find client section %s",
543 filename, cf_section_lineno(cs), section_name);
547 sock->clients = clients_parse_section(filename, client_cs);
548 if (!sock->clients) {
556 * Send an authentication response packet
558 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
560 rad_assert(request->listener == listener);
561 rad_assert(listener->send == auth_socket_send);
564 * Ensure that the reply is sane
566 if (request->reply->code == 0) {
567 DEBUG2("There was no response configured: rejecting request %d", request->number);
568 request->reply->code = PW_AUTHENTICATION_REJECT;
572 * If we're delaying authentication rejects, then
573 * mark the request as delayed, and do NOT send a
574 * response right now.
576 * However, if it's already marked as delayed, then
579 if ((request->reply->code == PW_AUTHENTICATION_REJECT) &&
580 ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) == 0) &&
581 (mainconfig.reject_delay > 0) &&
582 ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0)) {
583 DEBUG2("Delaying request %d for %d seconds",
584 request->number, mainconfig.reject_delay);
585 request->options |= RAD_REQUEST_OPTION_DELAYED_REJECT;
589 return rad_send(request->reply, request->packet, request->secret);
594 * Send an accounting response packet (or not)
596 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
598 rad_assert(request->listener == listener);
599 rad_assert(listener->send == acct_socket_send);
602 * Accounting reject's are silently dropped.
604 * We do it here to avoid polluting the rest of the
605 * code with this knowledge
607 if (request->reply->code == 0) return 0;
609 return rad_send(request->reply, request->packet, request->secret);
614 * Send a packet to a home server.
616 * FIXME: have different code for proxy auth & acct!
618 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
620 listen_socket_t *sock = listener->data;
622 rad_assert(request->proxy_listener == listener);
623 rad_assert(listener->send == proxy_socket_send);
625 request->proxy->src_ipaddr = sock->ipaddr;
626 request->proxy->src_port = sock->port;
628 return rad_send(request->proxy, request->packet, request->proxysecret);
633 * Check if an incoming request is "ok"
635 * It takes packets, not requests. It sees if the packet looks
636 * OK. If so, it does a number of sanity checks on it.
638 static int auth_socket_recv(rad_listen_t *listener,
639 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
641 RADIUS_PACKET *packet;
642 RAD_REQUEST_FUNP fun = NULL;
646 packet = rad_recv(listener->fd);
648 radlog(L_ERR, "%s", librad_errstr);
652 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: auth specific */
654 if ((client = client_listener_find(listener,
655 &packet->src_ipaddr)) == NULL) {
656 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
658 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
659 inet_ntop(packet->src_ipaddr.af,
660 &packet->src_ipaddr.ipaddr,
661 buffer, sizeof(buffer)),
668 * Some sanity checks, based on the packet code.
670 switch(packet->code) {
671 case PW_AUTHENTICATION_REQUEST:
672 fun = rad_authenticate;
675 case PW_STATUS_SERVER:
676 if (!mainconfig.status_server) {
677 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
678 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
682 fun = rad_status_server;
686 RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
688 radlog(L_ERR, "Invalid packet code %d sent to authentication port from client %s port %d "
690 packet->code, client->shortname,
691 packet->src_port, packet->id);
695 } /* switch over packet types */
697 if (!common_checks(listener, packet, prequest, client)) {
708 * Receive packets from an accounting socket
710 static int acct_socket_recv(rad_listen_t *listener,
711 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
713 RADIUS_PACKET *packet;
714 RAD_REQUEST_FUNP fun = NULL;
718 packet = rad_recv(listener->fd);
720 radlog(L_ERR, "%s", librad_errstr);
724 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: acct-specific */
726 if ((client = client_listener_find(listener,
727 &packet->src_ipaddr)) == NULL) {
728 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
730 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
731 inet_ntop(packet->src_ipaddr.af,
732 &packet->src_ipaddr.ipaddr,
733 buffer, sizeof(buffer)),
739 switch(packet->code) {
740 case PW_ACCOUNTING_REQUEST:
741 fun = rad_accounting;
746 * FIXME: Update MIB for packet types?
748 radlog(L_ERR, "Invalid packet code %d sent to a accounting port "
749 "from client %s port %d - ID %d : IGNORED",
750 packet->code, client->shortname,
751 packet->src_port, packet->id);
757 * FIXME: Accounting duplicates should be handled
758 * differently than authentication duplicates.
760 if (!common_checks(listener, packet, prequest, client)) {
771 * Recieve packets from a proxy socket.
773 static int proxy_socket_recv(rad_listen_t *listener,
774 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
778 RADIUS_PACKET *packet;
779 RAD_REQUEST_FUNP fun = NULL;
782 packet = rad_recv(listener->fd);
784 radlog(L_ERR, "%s", librad_errstr);
791 if (packet->src_ipaddr.af != AF_INET) {
792 rad_assert("PROXY IPV6 NOT SUPPORTED" == NULL);
796 * FIXME: Add support for home servers!
798 if ((cl = realm_findbyaddr(packet->src_ipaddr.ipaddr.ip4addr.s_addr,
799 packet->src_port)) == NULL) {
800 radlog(L_ERR, "Ignoring request from unknown home server %s port %d",
801 inet_ntop(packet->src_ipaddr.af,
802 &packet->src_ipaddr.ipaddr,
803 buffer, sizeof(buffer)),
810 * FIXME: Client MIB updates?
812 switch(packet->code) {
813 case PW_AUTHENTICATION_ACK:
814 case PW_ACCESS_CHALLENGE:
815 case PW_AUTHENTICATION_REJECT:
816 fun = rad_authenticate;
819 case PW_ACCOUNTING_RESPONSE:
820 fun = rad_accounting;
825 * FIXME: Update MIB for packet types?
827 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
828 "from home server %s port %d - ID %d : IGNORED",
830 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
831 packet->src_port, packet->id);
837 * Find the original request in the request list
839 oldreq = rl_find_proxy(packet);
842 * If we haven't found the original request which was
843 * sent, to get this reply. Complain, and discard this
844 * request, as there's no way for us to send it to a NAS.
847 radlog(L_PROXY, "No outstanding request was found for proxy reply from home server %s port %d - ID %d",
848 inet_ntop(packet->src_ipaddr.af,
849 &packet->src_ipaddr.ipaddr,
850 buffer, sizeof(buffer)),
851 packet->src_port, packet->id);
857 * The proxy reply has arrived too late, as the original
858 * (old) request has timed out, been rejected, and marked
859 * as finished. The client has already received a
860 * response, so there is nothing that can be done. Delete
861 * the tardy reply from the home server, and return nothing.
863 if ((oldreq->reply->code != 0) ||
864 (oldreq->finished)) {
865 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
866 inet_ntop(packet->src_ipaddr.af,
867 &packet->src_ipaddr.ipaddr,
868 buffer, sizeof(buffer)),
869 packet->src_port, packet->id,
876 * If there is already a reply, maybe this one is a
879 if (oldreq->proxy_reply) {
880 if (memcmp(oldreq->proxy_reply->vector,
882 sizeof(oldreq->proxy_reply->vector)) == 0) {
883 radlog(L_ERR, "Discarding duplicate reply from home server %s port %d - ID: %d for request %d",
884 inet_ntop(packet->src_ipaddr.af,
885 &packet->src_ipaddr.ipaddr,
886 buffer, sizeof(buffer)),
887 packet->src_port, packet->id,
891 * ? The home server gave us a new proxy
892 * reply, which doesn't match the old
895 DEBUG2("Ignoring conflicting proxy reply");
899 * We've already received a reply, so
900 * we discard this one, as we don't want
901 * to do duplicate work.
905 } /* else there wasn't a proxy reply yet, so we can process it */
908 * Refresh the old request, and update it with the proxy
911 * ? Can we delete the proxy request here? * Is there
912 * any more need for it?
914 * FIXME: we probably shouldn't be updating the time
917 oldreq->timestamp = time_now;
918 oldreq->proxy_reply = packet;
921 * FIXME: we should really verify the digest here,
922 * before marking this packet as a valid response.
924 * This is a security problem, I think...
928 * Now that we've verified the packet IS actually from
929 * that home server, and not forged, we can go mark the
930 * entries for this home server as active.
932 * If we had done this check in the 'find realm by IP address'
933 * function, then an attacker could force us to use a home
934 * server which was inactive, by forging reply packets
935 * which didn't match any request. We would think that
936 * the reply meant the home server was active, would
937 * re-activate the realms, and THEN bounce the packet
940 for (cl = mainconfig.realms; cl != NULL; cl = cl->next) {
941 if (oldreq->proxy_reply->src_ipaddr.af != cl->ipaddr.af) continue;
942 if (cl->ipaddr.af != AF_INET) continue; /* FIXME */
944 if (oldreq->proxy_reply->src_ipaddr.ipaddr.ip4addr.s_addr == cl->ipaddr.ipaddr.ip4addr.s_addr) {
945 if (oldreq->proxy_reply->src_port == cl->auth_port) {
947 cl->last_reply = oldreq->timestamp;
948 } else if (oldreq->proxy_reply->src_port == cl->acct_port) {
949 cl->acct_active = TRUE;
950 cl->last_reply = oldreq->timestamp;
955 rad_assert(fun != NULL);
962 #define STATE_UNOPENED (0)
963 #define STATE_UNLOCKED (1)
964 #define STATE_HEADER (2)
965 #define STATE_READING (3)
966 #define STATE_DONE (4)
967 #define STATE_WAITING (5)
970 * If we're limiting outstanding packets, then mark the response
973 static int detail_send(rad_listen_t *listener, REQUEST *request)
975 listen_detail_t *data = listener->data;
977 rad_assert(request->listener == listener);
978 rad_assert(listener->send == detail_send);
980 if (request->simul_max >= 0) {
981 rad_assert(data->outstanding != NULL);
982 rad_assert(request->simul_max < data->max_outstanding);
984 data->outstanding[request->simul_max] = 0;
992 * Open the detail file..
994 * FIXME: create it, if it's not already there, so that the main
995 * server select() will wake us up if there's anything to read.
997 static int detail_open(rad_listen_t *this)
1001 listen_detail_t *data = this->data;
1003 rad_assert(data->state == STATE_UNOPENED);
1004 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1007 * FIXME: Have "one-shot" configuration, where it
1008 * will read the detail file, and exit once it's
1011 * FIXME: Try harder to open the detail file.
1012 * Maybe sleep for X usecs if it doesn't exist?
1016 * Open detail.work first, so we don't lose
1017 * accounting packets. It's probably better to
1018 * duplicate them than to lose them.
1020 * Note that we're not writing to the file, but
1021 * we've got to open it for writing in order to
1022 * establish the lock, to prevent rlm_detail from
1025 this->fd = open(buffer, O_RDWR);
1028 * Try reading the detail file. If it
1029 * doesn't exist, we can't do anything.
1031 * Doing the stat will tell us if the file
1032 * exists, even if we don't have permissions
1035 if (stat(data->detail, &st) < 0) {
1040 * Open it BEFORE we rename it, just to
1043 this->fd = open(data->detail, O_RDWR);
1045 radlog(L_ERR, "Failed to open %s: %s",
1046 data->detail, strerror(errno));
1051 * Rename detail to detail.work
1053 if (rename(data->detail, buffer) < 0) {
1058 } /* else detail.work existed, and we opened it */
1060 rad_assert(data->vps == NULL);
1062 rad_assert(data->fp == NULL);
1063 data->fp = fdopen(this->fd, "r");
1065 radlog(L_ERR, "Failed to re-open %s: %s",
1066 data->detail, strerror(errno));
1070 data->state = STATE_UNLOCKED;
1072 data->client_ip.af = AF_UNSPEC;
1073 data->timestamp = 0;
1079 * This is a bad hack, just so complaints have meaningful text.
1081 static const RADCLIENT detail_client = {
1096 static int detail_recv(rad_listen_t *listener,
1097 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1100 char key[256], value[1024];
1101 VALUE_PAIR *vp, **tail;
1102 RADIUS_PACKET *packet;
1104 listen_detail_t *data = listener->data;
1106 if (data->state == STATE_UNOPENED) {
1107 rad_assert(listener->fd < 0);
1108 if (!detail_open(listener)) return 0;
1110 rad_assert(listener->fd >= 0);
1113 * Try to lock fd. If we can't, return. If we can,
1114 * continue. This means that the server doesn't block
1115 * while waiting for the lock to open...
1117 if (data->state == STATE_UNLOCKED) {
1119 * Note that we do NOT block waiting for the
1120 * lock. We've re-named the file above, so we've
1121 * already guaranteed that any *new* detail
1122 * writer will not be opening this file. The
1123 * only purpose of the lock is to catch a race
1124 * condition where the execution "ping-pongs"
1125 * between radiusd & radrelay.
1127 if (rad_lockfd_nonblock(listener->fd, 0) < 0) {
1131 * Look for the header
1133 data->state = STATE_HEADER;
1137 * If we keep track of the outstanding requests, do so
1138 * here. Note that to minimize potential work, we do
1139 * so only once the file is opened & locked.
1141 if (data->max_outstanding) {
1144 for (i = 0; i < data->max_outstanding; i++) {
1145 if (!data->outstanding[i]) {
1152 * All of the slots are full, don't read data.
1154 if (free_slot < 0) return 0;
1158 * Catch an out of memory condition which will most likely
1161 if (data->state == STATE_DONE) goto alloc_packet;
1164 * If we're in another state, then it means that we read
1165 * a partial packet, which is bad.
1167 rad_assert(data->state == STATE_HEADER);
1168 rad_assert(data->vps == NULL);
1171 * We read the last packet, and returned it for
1172 * processing. We later come back here to shut
1173 * everything down, and unlink the file.
1175 if (feof(data->fp)) {
1176 rad_assert(data->state == STATE_HEADER);
1179 * Don't unlink the file until we've received
1180 * all of the responses.
1182 if (data->max_outstanding > 0) {
1185 for (i = 0; i < data->max_outstanding; i++) {
1187 * FIXME: close the file?
1189 if (data->outstanding[i]) {
1190 data->state = STATE_WAITING;
1197 rad_assert(data->vps == NULL);
1199 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1201 fclose(data->fp); /* closes listener->fd */
1204 data->state = STATE_UNOPENED;
1207 * Try to open "detail" again. If we're on a
1208 * busy RADIUS server, odds are that it will
1211 detail_open(listener);
1218 * Fill the buffer...
1220 while (fgets(buffer, sizeof(buffer), data->fp)) {
1224 if (!strchr(buffer, '\n')) {
1225 pairfree(&data->vps);
1230 * We've read a header, possibly packet contents,
1231 * and are now at the end of the packet.
1233 if ((data->state == STATE_READING) &&
1234 (buffer[0] == '\n')) {
1235 data->state = STATE_DONE;
1240 * Look for date/time header, and read VP's if
1241 * found. If not, keep reading lines until we
1244 if (data->state == STATE_HEADER) {
1247 if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
1248 data->state = STATE_READING;
1254 * We have a full "attribute = value" line.
1255 * If it doesn't look reasonable, skip it.
1257 if (sscanf(buffer, "%255s = %1023s", key, value) != 2) {
1262 * Skip non-protocol attributes.
1264 if (!strcasecmp(key, "Request-Authenticator")) continue;
1267 * Set the original client IP address, based on
1268 * what's in the detail file.
1270 * Hmm... we don't set the server IP address.
1273 if (!strcasecmp(key, "Client-IP-Address")) {
1274 data->client_ip.af = AF_INET;
1275 ip_hton(value, AF_INET, &data->client_ip);
1280 * The original time at which we received the
1281 * packet. We need this to properly calculate
1284 if (!strcasecmp(key, "Timestamp")) {
1285 data->timestamp = atoi(value);
1292 * FIXME: do we want to check for non-protocol
1293 * attributes like radsqlrelay does?
1296 if ((userparse(buffer, &vp) > 0) &&
1304 * We got to EOF, If we're in STATE_HEADER, it's OK.
1305 * Otherwise it's a problem. In any case, nuke the file
1306 * and start over from scratch,
1308 if (feof(data->fp)) {
1313 * FIXME: Do load management.
1317 * If we're not done, then there's a problem. The checks
1320 rad_assert(data->state == STATE_DONE);
1323 * The packet we read was empty, re-set the state to look
1324 * for a header, and don't return anything.
1327 data->state = STATE_HEADER;
1332 * Allocate the packet. If we fail, it's a serious
1336 packet = rad_alloc(1);
1338 return 0; /* maybe memory will magically free up... */
1341 memset(packet, 0, sizeof(*packet));
1342 packet->sockfd = -1;
1343 packet->src_ipaddr.af = AF_INET;
1344 packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1345 packet->code = PW_ACCOUNTING_REQUEST;
1346 packet->timestamp = time(NULL);
1349 * Look for Acct-Delay-Time, and update
1350 * based on Acct-Delay-Time += (time(NULL) - timestamp)
1352 vp = pairfind(packet->vps, PW_ACCT_DELAY_TIME);
1354 vp = paircreate(PW_ACCT_DELAY_TIME, PW_TYPE_INTEGER);
1355 rad_assert(vp != NULL);
1357 if (data->timestamp != 0) {
1358 vp->lvalue += time(NULL) - data->timestamp;
1362 * Remember where it came from, so that we don't
1363 * proxy it to the place it came from...
1365 if (data->client_ip.af != AF_UNSPEC) {
1366 packet->src_ipaddr = data->client_ip;
1370 * We've got to give SOME value for Id & ports, so that
1371 * the packets can be added to the request queue.
1372 * However, we don't want to keep track of used/unused
1373 * id's and ports, as that's a lot of work. This hack
1374 * ensures that (if we have real random numbers), that
1375 * there will be a collision on every (2^(16+16+2+24))/2
1376 * packets, on average. That means we can read 2^32 (4G)
1377 * packets before having a collision, which means it's
1378 * effectively impossible. Having 4G packets currently
1379 * being process is ridiculous.
1381 packet->id = lrad_rand() & 0xff;
1382 packet->src_port = lrad_rand() & 0xffff;
1383 packet->dst_port = lrad_rand() & 0xffff;
1385 packet->dst_ipaddr.af = AF_INET;
1386 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl((INADDR_LOOPBACK & ~0xffffff) | (lrad_rand() & 0xffffff));
1388 packet->vps = data->vps;
1394 data->state = STATE_HEADER;
1397 * FIXME: many of these checks may not be necessary...
1399 if (!common_checks(listener, packet, prequest, &detail_client)) {
1405 * Keep track of free slots, as a hack, in an otherwise
1408 (*prequest)->simul_max = free_slot;
1409 if (free_slot) data->outstanding[free_slot] = 1;
1411 *pfun = rad_accounting;
1414 printf("detail_recv: Read packet from %s\n", data->detail);
1415 for (vp = packet->vps; vp; vp = vp->next) {
1417 vp_print(stdout, vp);
1427 * Free detail-specific stuff.
1429 static void detail_free(rad_listen_t *this)
1431 listen_detail_t *data = this->data;
1434 pairfree(&data->vps);
1435 free(data->outstanding);
1437 if (data->fp != NULL) fclose(data->fp);
1441 static int detail_print(rad_listen_t *this, char *buffer, size_t bufsize)
1443 return snprintf(buffer, bufsize, "%s",
1444 ((listen_detail_t *)(this->data))->detail);
1448 static const CONF_PARSER detail_config[] = {
1449 { "detail", PW_TYPE_STRING_PTR,
1450 offsetof(listen_detail_t, detail), NULL, NULL },
1451 { "max_outstanding", PW_TYPE_INTEGER,
1452 offsetof(listen_detail_t, max_outstanding), NULL, "100" },
1454 { NULL, -1, 0, NULL, NULL } /* end the list */
1459 * Parse a detail section.
1461 static int detail_parse(const char *filename, int lineno,
1462 const CONF_SECTION *cs, rad_listen_t *this)
1465 listen_detail_t *data;
1469 rcode = cf_section_parse(cs, data, detail_config);
1471 radlog(L_ERR, "%s[%d]: Failed parsing listen section",
1476 if (!data->detail) {
1477 radlog(L_ERR, "%s[%d]: No detail file specified in listen section",
1484 data->state = STATE_UNOPENED;
1486 if (data->max_outstanding > 32768) data->max_outstanding = 32768;
1488 if (data->max_outstanding > 0) {
1489 data->outstanding = rad_malloc(sizeof(int) * data->max_outstanding);
1499 * See radiusd.c & request_list.c
1501 #define SLEEP_FOREVER (65536)
1503 * A generic "update the request list once a second" function.
1505 static int generic_update(rad_listen_t *this, time_t now)
1507 if (!this->rl) return SLEEP_FOREVER;
1509 return rl_clean_list(this->rl, now);
1514 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1515 { NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1517 /* authentication */
1518 { common_socket_parse, NULL,
1519 auth_socket_recv, auth_socket_send,
1520 generic_update, socket_print },
1523 { common_socket_parse, NULL,
1524 acct_socket_recv, acct_socket_send,
1525 generic_update, socket_print},
1529 proxy_socket_recv, proxy_socket_send,
1530 generic_update, socket_print }, /* FIXME: update func is wrong! */
1533 { detail_parse, detail_free,
1534 detail_recv, detail_send,
1535 generic_update, detail_print }
1540 * Binds a listener to a socket.
1542 static int listen_bind(rad_listen_t *this)
1544 rad_listen_t **last;
1545 listen_socket_t *sock = this->data;
1548 * If the port is zero, then it means the appropriate
1549 * thing from /etc/services.
1551 if (sock->port == 0) {
1552 struct servent *svp;
1554 switch (this->type) {
1555 case RAD_LISTEN_AUTH:
1556 svp = getservbyname ("radius", "udp");
1558 sock->port = ntohs(svp->s_port);
1560 sock->port = PW_AUTH_UDP_PORT;
1564 case RAD_LISTEN_ACCT:
1565 svp = getservbyname ("radacct", "udp");
1567 sock->port = ntohs(svp->s_port);
1569 sock->port = PW_ACCT_UDP_PORT;
1574 radlog(L_ERR|L_CONS, "ERROR: Non-fatal internal sanity check failed in bind.");
1580 * Find it in the old list, AFTER updating the port. If
1581 * it's there, use that, rather than creating a new
1582 * socket. This allows HUP's to re-use the old sockets,
1583 * which means that packets waiting in the socket queue
1586 for (last = &mainconfig.listen;
1588 last = &((*last)->next)) {
1589 if ((this->type == (*last)->type) &&
1590 (sock->port == ((listen_socket_t *)((*last)->data))->port) &&
1591 (sock->ipaddr.af == ((listen_socket_t *)((*last)->data))->ipaddr.af)) {
1594 if (sock->ipaddr.af == AF_INET) {
1595 equal = (sock->ipaddr.ipaddr.ip4addr.s_addr == ((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip4addr.s_addr);
1596 } else if (sock->ipaddr.af == AF_INET6) {
1597 equal = IN6_ARE_ADDR_EQUAL(&(sock->ipaddr.ipaddr.ip6addr), &(((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip6addr));
1603 this->rl = (*last)->rl;
1604 this->fd = (*last)->fd;
1612 this->fd = lrad_socket(&sock->ipaddr, sock->port);
1614 radlog(L_ERR|L_CONS, "ERROR: Failed to open socket: %s",
1624 * Allocate & initialize a new listener.
1626 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1630 this = rad_malloc(sizeof(*this));
1631 memset(this, 0, sizeof(*this));
1634 this->recv = master_listen[this->type].recv;
1635 this->send = master_listen[this->type].send;
1636 this->update = master_listen[this->type].update;
1637 this->print = master_listen[this->type].print;
1640 case RAD_LISTEN_AUTH:
1641 case RAD_LISTEN_ACCT:
1642 case RAD_LISTEN_PROXY:
1643 this->data = rad_malloc(sizeof(listen_socket_t));
1644 memset(this->data, 0, sizeof(listen_socket_t));
1647 case RAD_LISTEN_DETAIL:
1648 this->data = rad_malloc(sizeof(listen_detail_t));
1649 memset(this->data, 0, sizeof(listen_detail_t));
1660 * Externally visible function for creating a new proxy LISTENER.
1662 * For now, don't take ipaddr or port.
1664 * Not thread-safe, but all calls to it are protected by the
1665 * proxy mutex in request_list.c
1667 rad_listen_t *proxy_new_listener()
1669 int last_proxy_port, port;
1670 rad_listen_t *this, *tmp, **last;
1671 listen_socket_t *sock, *old;
1673 this = listen_alloc(RAD_LISTEN_PROXY);
1676 * Find an existing proxy socket to copy.
1678 * FIXME: Make it per-realm, or per-home server!
1680 last_proxy_port = 0;
1682 last = &mainconfig.listen;
1683 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1684 if (tmp->type == RAD_LISTEN_PROXY) {
1686 if (sock->port > last_proxy_port) {
1687 last_proxy_port = sock->port + 1;
1689 if (!old) old = sock;
1692 last = &(tmp->next);
1695 if (!old) return NULL; /* This is a serious error. */
1698 * FIXME: find a new IP address to listen on?
1701 memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr));
1704 * Keep going until we find an unused port.
1706 for (port = last_proxy_port; port < 64000; port++) {
1708 if (listen_bind(this) == 0) {
1710 * Add the new listener to the list of
1722 static const LRAD_NAME_NUMBER listen_compare[] = {
1723 { "auth", RAD_LISTEN_AUTH },
1724 { "acct", RAD_LISTEN_ACCT },
1725 { "detail", RAD_LISTEN_DETAIL },
1731 * Generate a list of listeners. Takes an input list of
1732 * listeners, too, so we don't close sockets with waiting packets.
1734 int listen_init(const char *filename, rad_listen_t **head)
1738 rad_listen_t **last;
1740 lrad_ipaddr_t server_ipaddr;
1744 * We shouldn't be called with a pre-existing list.
1746 rad_assert(head && (*head == NULL));
1748 if (start_time != 0) start_time = time(NULL);
1751 server_ipaddr.af = AF_UNSPEC;
1754 * If the port is specified on the command-line,
1755 * it over-rides the configuration file.
1757 if (mainconfig.port >= 0) {
1758 auth_port = mainconfig.port;
1760 rcode = cf_item_parse(mainconfig.config, "port",
1761 PW_TYPE_INTEGER, &auth_port,
1762 Stringify(PW_AUTH_UDP_PORT));
1763 if (rcode < 0) return -1; /* error parsing it */
1766 radlog(L_INFO, "WARNING: The directive 'port' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1770 * If the IP address was configured on the command-line,
1771 * use that as the "bind_address"
1773 if (mainconfig.myip.af != AF_UNSPEC) {
1774 memcpy(&server_ipaddr, &mainconfig.myip,
1775 sizeof(server_ipaddr));
1780 * Else look for bind_address and/or listen sections.
1782 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1783 rcode = cf_item_parse(mainconfig.config, "bind_address",
1785 &server_ipaddr.ipaddr.ip4addr, NULL);
1786 if (rcode < 0) return -1; /* error parsing it */
1788 if (rcode == 0) { /* successfully parsed IPv4 */
1789 listen_socket_t *sock;
1790 server_ipaddr.af = AF_INET;
1792 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1795 this = listen_alloc(RAD_LISTEN_AUTH);
1798 sock->ipaddr = server_ipaddr;
1799 sock->port = auth_port;
1801 if (listen_bind(this) < 0) {
1804 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1807 auth_port = sock->port; /* may have been updated in listen_bind */
1809 last = &(this->next);
1812 * Open Accounting Socket.
1814 * If we haven't already gotten acct_port from
1815 * /etc/services, then make it auth_port + 1.
1817 this = listen_alloc(RAD_LISTEN_ACCT);
1821 * Create the accounting socket.
1823 * The accounting port is always the
1824 * authentication port + 1
1826 sock->ipaddr = server_ipaddr;
1827 sock->port = auth_port + 1;
1829 if (listen_bind(this) < 0) {
1832 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1837 last = &(this->next);
1839 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1840 radlog(L_CONS|L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1846 * They specified an IP on the command-line, ignore
1847 * all listen sections.
1849 if (mainconfig.myip.af != AF_UNSPEC) goto do_proxy;
1852 * Walk through the "listen" sections, if they exist.
1854 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "listen");
1856 cs = cf_subsection_find_next(mainconfig.config, cs, "listen")) {
1858 char *listen_type, *identity;
1859 int lineno = cf_section_lineno(cs);
1861 listen_type = identity = NULL;
1863 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1865 if (rcode < 0) return -1;
1869 radlog(L_ERR, "%s[%d]: No type specified in listen section",
1875 * See if there's an identity.
1877 rcode = cf_item_parse(cs, "identity", PW_TYPE_STRING_PTR,
1885 type = lrad_str2int(listen_compare, listen_type,
1888 if (type == RAD_LISTEN_NONE) {
1890 radlog(L_CONS|L_ERR, "%s[%d]: Invalid type in listen section.",
1896 * Set up cross-type data.
1898 this = listen_alloc(type);
1899 this->identity = identity;
1903 * Call per-type parser.
1905 if (master_listen[type].parse(filename, lineno,
1913 last = &(this->next);
1917 * If we're proxying requests, open the proxy FD.
1918 * Otherwise, don't do anything.
1921 if (mainconfig.proxy_requests == TRUE) {
1923 listen_socket_t *sock = NULL;
1926 * No sockets to receive packets, therefore
1927 * proxying is pointless.
1929 if (!*head) return -1;
1932 * If we previously had proxy sockets, copy them
1933 * to the new config.
1935 if (mainconfig.listen != NULL) {
1936 rad_listen_t *old, *next, **tail;
1938 tail = &mainconfig.listen;
1939 for (old = mainconfig.listen;
1944 if (old->type != RAD_LISTEN_PROXY) {
1945 tail = &((*tail)->next);
1952 last = &(old->next);
1959 * Find the first authentication port,
1962 for (this = *head; this != NULL; this = this->next) {
1963 if (this->type == RAD_LISTEN_AUTH) {
1965 if (server_ipaddr.af == AF_UNSPEC) {
1966 server_ipaddr = sock->ipaddr;
1968 port = sock->port + 2; /* skip acct port */
1972 rad_assert(port > 0); /* must have found at least one entry! */
1975 * Address is still unspecified, use IPv4.
1977 if (server_ipaddr.af == AF_UNSPEC) {
1978 server_ipaddr.af = AF_INET;
1979 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
1982 this = listen_alloc(RAD_LISTEN_PROXY);
1986 * Create the first proxy socket.
1988 sock->ipaddr = server_ipaddr;
1991 * Try to find a proxy port (value doesn't matter)
1993 for (sock->port = port;
1996 if (listen_bind(this) == 0) {
1998 last = &(this->next); /* just in case */
2003 if (sock->port >= 64000) {
2006 radlog(L_ERR|L_CONS, "Failed to open socket for proxying");
2012 * Sanity check the configuration.
2015 for (this = *head; this != NULL; this = this->next) {
2016 if ((this->type != RAD_LISTEN_PROXY) &&
2019 * FIXME: Pass type to rl_init, so that
2020 * it knows how to deal with accounting
2021 * packets. i.e. it caches them, but
2022 * doesn't bother trying to re-transmit.
2024 this->rl = rl_init();
2026 rad_assert(0 == 1); /* FIXME: */
2030 if (((this->type == RAD_LISTEN_ACCT) &&
2031 (rcode == RAD_LISTEN_DETAIL)) ||
2032 ((this->type == RAD_LISTEN_DETAIL) &&
2033 (rcode == RAD_LISTEN_ACCT))) {
2034 rad_assert(0 == 1); /* FIXME: configuration error */
2037 if (rcode != 0) continue;
2039 if ((this->type == RAD_LISTEN_ACCT) ||
2040 (this->type == RAD_LISTEN_DETAIL)) {
2050 * Free a linked list of listeners;
2052 void listen_free(rad_listen_t **head)
2056 if (!head || !*head) return;
2060 rad_listen_t *next = this->next;
2062 free(this->identity);
2064 rl_deinit(this->rl);
2067 * Other code may have eaten the FD.
2069 if (this->fd >= 0) close(this->fd);
2071 if (master_listen[this->type].free) {
2072 master_listen[this->type].free(this);