2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/autoconf.h>
29 #ifdef HAVE_NETINET_IN_H
30 #include <netinet/in.h>
33 #ifdef HAVE_ARPA_INET_H
34 #include <arpa/inet.h>
37 #include <sys/resource.h>
39 #include <sys/types.h>
40 #include <sys/socket.h>
47 #ifdef HAVE_SYS_STAT_H
52 #include <freeradius-devel/udpfromto.h>
57 #include <freeradius-devel/radiusd.h>
58 #include <freeradius-devel/rad_assert.h>
59 #include <freeradius-devel/conffile.h>
60 #include <freeradius-devel/token.h>
62 #include <freeradius-devel/radius_snmp.h>
63 #include <freeradius-devel/request_list.h>
65 static time_t start_time = 0;
68 * FIXME: Delete this crap!
70 extern time_t time_now;
73 * We'll use this below.
75 typedef int (*rad_listen_parse_t)(const char *, int, const CONF_SECTION *, rad_listen_t *);
76 typedef void (*rad_listen_free_t)(rad_listen_t *);
78 typedef struct rad_listen_master_t {
79 rad_listen_parse_t parse;
80 rad_listen_free_t free;
81 rad_listen_recv_t recv;
82 rad_listen_send_t send;
83 rad_listen_update_t update;
84 rad_listen_print_t print;
85 } rad_listen_master_t;
87 typedef struct listen_socket_t {
93 RADCLIENT_LIST *clients;
96 typedef struct listen_detail_t {
102 lrad_ipaddr_t client_ip;
109 * Find a per-socket client.
111 static RADCLIENT *client_listener_find(const rad_listen_t *listener,
112 const lrad_ipaddr_t *ipaddr)
114 const RADCLIENT_LIST *clients;
116 rad_assert(listener != NULL);
117 rad_assert(ipaddr != NULL);
119 rad_assert((listener->type == RAD_LISTEN_AUTH) ||
120 (listener->type == RAD_LISTEN_ACCT));
122 clients = ((listen_socket_t *)listener->data)->clients;
123 if (!clients) clients = mainconfig.clients;
125 rad_assert(clients != NULL);
127 return client_find(clients, ipaddr);
130 static int listen_bind(rad_listen_t *this);
133 * FIXME: have the detail reader use another config "exit when done",
134 * so that it can be used as a one-off tool to update stuff.
138 * Process and reply to a server-status request.
139 * Like rad_authenticate and rad_accounting this should
140 * live in it's own file but it's so small we don't bother.
142 static int rad_status_server(REQUEST *request)
149 * Reply with an ACK. We might want to add some more
150 * interesting reply attributes, such as server uptime.
152 t = request->timestamp - start_time;
153 sprintf(reply_msg, "FreeRADIUS up %d day%s, %02d:%02d",
154 (int)(t / 86400), (t / 86400) == 1 ? "" : "s",
155 (int)((t / 3600) % 24), (int)(t / 60) % 60);
156 request->reply->code = PW_AUTHENTICATION_ACK;
158 vp = pairmake("Reply-Message", reply_msg, T_OP_SET);
159 pairadd(&request->reply->vps, vp); /* don't need to check if !vp */
164 static int request_num_counter = 0;
167 * Check for dups, etc. Common to Access-Request &&
168 * Accounting-Request packets.
170 static int common_checks(rad_listen_t *listener,
171 RADIUS_PACKET *packet, REQUEST **prequest,
172 const RADCLIENT *client)
177 rad_assert(listener->rl != NULL);
180 * If there is no existing request of id, code, etc.,
181 * then we can return, and let it be processed.
183 if ((curreq = rl_find(listener->rl, packet)) == NULL) {
185 * Count the total number of requests, to see if
186 * there are too many. If so, return with an
189 if (mainconfig.max_requests) {
191 * FIXME: This is now per-socket,
192 * when it should really be global
195 int request_count = rl_num_requests(listener->rl);
198 * This is a new request. Let's see if
199 * it makes us go over our configured
202 if (request_count > mainconfig.max_requests) {
203 radlog(L_ERR, "Dropping request (%d is too many): "
204 "from client %s port %d - ID: %d", request_count,
206 packet->src_port, packet->id);
207 radlog(L_INFO, "WARNING: Please check the %s file.\n"
208 "\tThe value for 'max_requests' is probably set too low.\n", mainconfig.radiusd_conf);
210 } /* else there were a small number of requests */
211 } /* else there was no configured limit for requests */
214 * FIXME: Add checks for system load. If the
215 * system is busy, start dropping requests...
217 * We can probably keep some statistics
218 * ourselves... if there are more requests
219 * coming in than we can handle, start dropping
224 * The current request isn't finished, which
225 * means that the NAS sent us a new packet, while
226 * we are still processing the old request.
228 } else if (!curreq->finished) {
230 * If the authentication vectors are identical,
231 * then the NAS is re-transmitting it, trying to
232 * kick us into responding to the request.
234 if (memcmp(curreq->packet->vector, packet->vector,
235 sizeof(packet->vector)) == 0) {
236 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
239 * It's not finished because the request
240 * was proxied, but there was no reply
241 * from the home server.
243 * This code will never get hit for
244 * accounting packets, as they're always
245 * updated, and never re-transmitted.
247 if (curreq->proxy && !curreq->proxy_reply) {
248 DEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
249 inet_ntop(curreq->proxy->dst_ipaddr.af,
250 &curreq->proxy->dst_ipaddr.ipaddr,
251 buffer, sizeof(buffer)), curreq->proxy->dst_port,
254 listener->send(curreq->proxy_listener, curreq);
256 } /* else the packet was not proxied */
259 * Someone's still working on it, so we
260 * ignore the duplicate request.
262 radlog(L_ERR, "Discarding duplicate request from "
263 "client %s port %d - ID: %d due to unfinished request %d",
265 packet->src_port, packet->id,
268 } /* else the authentication vectors were different */
271 * We're waiting for a proxy reply, but no one is
272 * currently processing the request. We can
273 * discard the old request, and ignore any reply
274 * from the home server, because the NAS will
277 if (curreq->proxy && !curreq->proxy_reply &&
278 (curreq->child_pid == NO_SUCH_CHILD_PID)) {
279 radlog(L_ERR, "Discarding old proxied request %d from "
280 "client %s port %d - ID: %d due to new request from the client",
281 curreq->number, client->shortname,
282 packet->src_port, packet->id);
285 * The authentication vectors are different, so
286 * the NAS has given up on us, as we've taken too
287 * long to process the request. This is a
290 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
292 radlog(L_ERR, "Dropping conflicting packet from "
293 "client %s port %d - ID: %d due to unfinished request %d",
295 packet->src_port, packet->id,
301 * The old request is finished. We now check the
302 * authentication vectors. If the client has sent us a
303 * request with identical code && ID, but different
304 * vector, then they MUST have gotten our response, so we
305 * can delete the original request, and process the new
308 * If the vectors are the same, then it's a duplicate
309 * request, and we can send a duplicate reply.
311 } else if (memcmp(curreq->packet->vector, packet->vector,
312 sizeof(packet->vector)) == 0) {
313 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
316 * If the packet has been delayed, then silently
317 * send a response, and clear the delayed flag.
319 * Note that this means if the NAS kicks us while
320 * we're delaying a reject, then the reject may
321 * be sent sooner than otherwise.
323 * This COULD be construed as a bug. Maybe what
324 * we want to do is to ignore the duplicate
325 * packet, and send the reject later.
327 if (curreq->options & RAD_REQUEST_OPTION_DELAYED_REJECT) {
328 curreq->options &= ~RAD_REQUEST_OPTION_DELAYED_REJECT;
329 rad_assert(curreq->listener == listener);
330 listener->send(listener, curreq);
335 * Maybe we've saved a reply packet. If so,
336 * re-send it. Otherwise, just complain.
338 if (curreq->reply->code != 0) {
339 DEBUG2("Sending duplicate reply "
340 "to client %s port %d - ID: %d",
342 packet->src_port, packet->id);
343 rad_assert(curreq->listener == listener);
344 listener->send(listener, curreq);
349 * Else we never sent a reply to the NAS,
350 * as we decided somehow we didn't like the request.
352 * This shouldn't happen, in general...
354 DEBUG2("Discarding duplicate request from client %s port %d - ID: %d",
355 client->shortname, packet->src_port, packet->id);
357 } /* else the vectors were different, so we discard the old request. */
360 * 'packet' has the same source IP, source port, code,
361 * and Id as 'curreq', but a different authentication
362 * vector. We can therefore delete 'curreq', as we were
363 * only keeping it around to send out duplicate replies,
364 * if the first reply got lost in the network.
367 rl_yank(listener->rl, curreq);
368 request_free(&curreq);
372 * A unique per-request counter.
374 curreq = request_alloc(); /* never fails */
376 if ((curreq->reply = rad_alloc(0)) == NULL) {
377 radlog(L_ERR, "No memory");
380 curreq->listener = listener;
381 curreq->packet = packet;
382 curreq->packet->timestamp = curreq->timestamp;
383 curreq->number = request_num_counter++;
384 strNcpy(curreq->secret, client->secret, sizeof(curreq->secret));
387 * Remember the request in the list.
389 if (!rl_add(listener->rl, curreq)) {
390 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", curreq->number);
391 request_free(&curreq);
396 * The request passes many of our sanity checks.
397 * From here on in, if anything goes wrong, we
398 * send a reject message, instead of dropping the
403 * Build the reply template from the request.
406 curreq->reply->sockfd = curreq->packet->sockfd;
407 curreq->reply->dst_ipaddr = curreq->packet->src_ipaddr;
408 curreq->reply->src_ipaddr = curreq->packet->dst_ipaddr;
409 curreq->reply->dst_port = curreq->packet->src_port;
410 curreq->reply->src_port = curreq->packet->dst_port;
411 curreq->reply->id = curreq->packet->id;
412 curreq->reply->code = 0; /* UNKNOWN code */
413 memcpy(curreq->reply->vector, curreq->packet->vector,
414 sizeof(curreq->reply->vector));
415 curreq->reply->vps = NULL;
416 curreq->reply->data = NULL;
417 curreq->reply->data_len = 0;
424 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
427 listen_socket_t *sock = this->data;
429 if ((sock->ipaddr.af == AF_INET) &&
430 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
433 ip_ntoh(&sock->ipaddr, buffer, bufsize);
436 len = strlen(buffer);
438 return len + snprintf(buffer + len, bufsize - len, " port %d",
444 * Parse an authentication or accounting socket.
446 static int common_socket_parse(const char *filename, int lineno,
447 const CONF_SECTION *cs, rad_listen_t *this)
451 lrad_ipaddr_t ipaddr;
452 listen_socket_t *sock = this->data;
453 const char *section_name = NULL;
454 CONF_SECTION *client_cs;
459 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
460 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
461 &ipaddr.ipaddr.ip4addr, NULL);
462 if (rcode < 0) return -1;
464 if (rcode == 0) { /* successfully parsed IPv4 */
467 } else { /* maybe IPv6? */
468 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
469 &ipaddr.ipaddr.ip6addr, NULL);
470 if (rcode < 0) return -1;
473 radlog(L_ERR, "%s[%d]: No address specified in listen section",
477 ipaddr.af = AF_INET6;
480 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
482 if (rcode < 0) return -1;
484 sock->ipaddr = ipaddr;
485 sock->port = listen_port;
488 * And bind it to the port.
490 if (listen_bind(this) < 0) {
492 radlog(L_CONS|L_ERR, "%s[%d]: Error binding to port for %s port %d",
493 filename, cf_section_lineno(cs),
494 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
500 * If we can bind to interfaces, do so,
503 if (cf_pair_find(cs, "interface")) {
504 #ifndef SO_BINDTODEVICE
505 radlog(L_CONS|L_ERR, "%s[%d]: System does not support binding to interfaces, delete this line from the configuration file.",
506 filename, cf_section_lineno(cs));
510 const CONF_PAIR *cp = cf_pair_find(cs, "interface");
513 rad_assert(cp != NULL);
514 value = cf_pair_value(cp);
515 rad_assert(value != NULL);
517 strcpy(ifreq.ifr_name, value);
519 if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
520 (char *)&ifreq, sizeof(ifreq)) < 0) {
521 radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
522 filename, cf_section_lineno(cs),
523 value, strerror(errno));
525 } /* else it worked. */
530 * Look for the name of a section that holds a list
533 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
534 §ion_name, NULL);
535 if (rcode < 0) return -1; /* bad string */
536 if (rcode > 0) return 0; /* non-existent is OK. */
538 client_cs = cf_section_find(section_name);
540 radlog(L_CONS|L_ERR, "%s[%d]: Failed to find client section %s",
541 filename, cf_section_lineno(cs), section_name);
545 sock->clients = clients_parse_section(filename, client_cs);
546 if (!sock->clients) {
554 * Send an authentication response packet
556 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
558 rad_assert(request->listener == listener);
559 rad_assert(listener->send == auth_socket_send);
562 * Ensure that the reply is sane
564 if (request->reply->code == 0) {
565 DEBUG2("There was no response configured: rejecting request %d", request->number);
566 request->reply->code = PW_AUTHENTICATION_REJECT;
570 * If we're delaying authentication rejects, then
571 * mark the request as delayed, and do NOT send a
572 * response right now.
574 * However, if it's already marked as delayed, then
577 if ((request->reply->code == PW_AUTHENTICATION_REJECT) &&
578 ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) == 0) &&
579 (mainconfig.reject_delay > 0) &&
580 ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0)) {
581 DEBUG2("Delaying request %d for %d seconds",
582 request->number, mainconfig.reject_delay);
583 request->options |= RAD_REQUEST_OPTION_DELAYED_REJECT;
587 return rad_send(request->reply, request->packet, request->secret);
592 * Send an accounting response packet (or not)
594 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
596 rad_assert(request->listener == listener);
597 rad_assert(listener->send == acct_socket_send);
600 * Accounting reject's are silently dropped.
602 * We do it here to avoid polluting the rest of the
603 * code with this knowledge
605 if (request->reply->code == 0) return 0;
607 return rad_send(request->reply, request->packet, request->secret);
612 * Send a packet to a home server.
614 * FIXME: have different code for proxy auth & acct!
616 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
618 listen_socket_t *sock = listener->data;
620 rad_assert(request->proxy_listener == listener);
621 rad_assert(listener->send == proxy_socket_send);
623 request->proxy->src_ipaddr = sock->ipaddr;
624 request->proxy->src_port = sock->port;
626 return rad_send(request->proxy, request->packet, request->proxysecret);
631 * Check if an incoming request is "ok"
633 * It takes packets, not requests. It sees if the packet looks
634 * OK. If so, it does a number of sanity checks on it.
636 static int auth_socket_recv(rad_listen_t *listener,
637 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
639 RADIUS_PACKET *packet;
640 RAD_REQUEST_FUNP fun = NULL;
644 packet = rad_recv(listener->fd);
646 radlog(L_ERR, "%s", librad_errstr);
650 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: auth specific */
652 if ((client = client_listener_find(listener,
653 &packet->src_ipaddr)) == NULL) {
654 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
656 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
657 inet_ntop(packet->src_ipaddr.af,
658 &packet->src_ipaddr.ipaddr,
659 buffer, sizeof(buffer)),
666 * Some sanity checks, based on the packet code.
668 switch(packet->code) {
669 case PW_AUTHENTICATION_REQUEST:
670 fun = rad_authenticate;
673 case PW_STATUS_SERVER:
674 if (!mainconfig.status_server) {
675 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
676 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
680 fun = rad_status_server;
684 RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
686 radlog(L_ERR, "Invalid packet code %d sent to authentication port from client %s port %d "
688 packet->code, client->shortname,
689 packet->src_port, packet->id);
693 } /* switch over packet types */
695 if (!common_checks(listener, packet, prequest, client)) {
706 * Receive packets from an accounting socket
708 static int acct_socket_recv(rad_listen_t *listener,
709 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
711 RADIUS_PACKET *packet;
712 RAD_REQUEST_FUNP fun = NULL;
716 packet = rad_recv(listener->fd);
718 radlog(L_ERR, "%s", librad_errstr);
722 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: acct-specific */
724 if ((client = client_listener_find(listener,
725 &packet->src_ipaddr)) == NULL) {
726 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
728 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
729 inet_ntop(packet->src_ipaddr.af,
730 &packet->src_ipaddr.ipaddr,
731 buffer, sizeof(buffer)),
737 switch(packet->code) {
738 case PW_ACCOUNTING_REQUEST:
739 fun = rad_accounting;
744 * FIXME: Update MIB for packet types?
746 radlog(L_ERR, "Invalid packet code %d sent to a accounting port "
747 "from client %s port %d - ID %d : IGNORED",
748 packet->code, client->shortname,
749 packet->src_port, packet->id);
755 * FIXME: Accounting duplicates should be handled
756 * differently than authentication duplicates.
758 if (!common_checks(listener, packet, prequest, client)) {
769 * Recieve packets from a proxy socket.
771 static int proxy_socket_recv(rad_listen_t *listener,
772 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
776 RADIUS_PACKET *packet;
777 RAD_REQUEST_FUNP fun = NULL;
780 packet = rad_recv(listener->fd);
782 radlog(L_ERR, "%s", librad_errstr);
789 if (packet->src_ipaddr.af != AF_INET) {
790 rad_assert("PROXY IPV6 NOT SUPPORTED" == NULL);
794 * FIXME: Add support for home servers!
796 if ((cl = realm_findbyaddr(packet->src_ipaddr.ipaddr.ip4addr.s_addr,
797 packet->src_port)) == NULL) {
798 radlog(L_ERR, "Ignoring request from unknown home server %s port %d",
799 inet_ntop(packet->src_ipaddr.af,
800 &packet->src_ipaddr.ipaddr,
801 buffer, sizeof(buffer)),
808 * FIXME: Client MIB updates?
810 switch(packet->code) {
811 case PW_AUTHENTICATION_ACK:
812 case PW_ACCESS_CHALLENGE:
813 case PW_AUTHENTICATION_REJECT:
814 fun = rad_authenticate;
817 case PW_ACCOUNTING_RESPONSE:
818 fun = rad_accounting;
823 * FIXME: Update MIB for packet types?
825 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
826 "from home server %s port %d - ID %d : IGNORED",
828 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
829 packet->src_port, packet->id);
835 * Find the original request in the request list
837 oldreq = rl_find_proxy(packet);
840 * If we haven't found the original request which was
841 * sent, to get this reply. Complain, and discard this
842 * request, as there's no way for us to send it to a NAS.
845 radlog(L_PROXY, "No outstanding request was found for proxy reply from home server %s port %d - ID %d",
846 inet_ntop(packet->src_ipaddr.af,
847 &packet->src_ipaddr.ipaddr,
848 buffer, sizeof(buffer)),
849 packet->src_port, packet->id);
855 * The proxy reply has arrived too late, as the original
856 * (old) request has timed out, been rejected, and marked
857 * as finished. The client has already received a
858 * response, so there is nothing that can be done. Delete
859 * the tardy reply from the home server, and return nothing.
861 if ((oldreq->reply->code != 0) ||
862 (oldreq->finished)) {
863 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
864 inet_ntop(packet->src_ipaddr.af,
865 &packet->src_ipaddr.ipaddr,
866 buffer, sizeof(buffer)),
867 packet->src_port, packet->id,
874 * If there is already a reply, maybe this one is a
877 if (oldreq->proxy_reply) {
878 if (memcmp(oldreq->proxy_reply->vector,
880 sizeof(oldreq->proxy_reply->vector)) == 0) {
881 radlog(L_ERR, "Discarding duplicate reply from home server %s port %d - ID: %d for request %d",
882 inet_ntop(packet->src_ipaddr.af,
883 &packet->src_ipaddr.ipaddr,
884 buffer, sizeof(buffer)),
885 packet->src_port, packet->id,
889 * ? The home server gave us a new proxy
890 * reply, which doesn't match the old
893 DEBUG2("Ignoring conflicting proxy reply");
897 * We've already received a reply, so
898 * we discard this one, as we don't want
899 * to do duplicate work.
903 } /* else there wasn't a proxy reply yet, so we can process it */
906 * Refresh the old request, and update it with the proxy
909 * ? Can we delete the proxy request here? * Is there
910 * any more need for it?
912 * FIXME: we probably shouldn't be updating the time
915 oldreq->timestamp = time_now;
916 oldreq->proxy_reply = packet;
919 * FIXME: we should really verify the digest here,
920 * before marking this packet as a valid response.
922 * This is a security problem, I think...
926 * Now that we've verified the packet IS actually from
927 * that home server, and not forged, we can go mark the
928 * entries for this home server as active.
930 * If we had done this check in the 'find realm by IP address'
931 * function, then an attacker could force us to use a home
932 * server which was inactive, by forging reply packets
933 * which didn't match any request. We would think that
934 * the reply meant the home server was active, would
935 * re-activate the realms, and THEN bounce the packet
938 for (cl = mainconfig.realms; cl != NULL; cl = cl->next) {
939 if (oldreq->proxy_reply->src_ipaddr.af != cl->ipaddr.af) continue;
940 if (cl->ipaddr.af != AF_INET) continue; /* FIXME */
942 if (oldreq->proxy_reply->src_ipaddr.ipaddr.ip4addr.s_addr == cl->ipaddr.ipaddr.ip4addr.s_addr) {
943 if (oldreq->proxy_reply->src_port == cl->auth_port) {
945 cl->last_reply = oldreq->timestamp;
946 } else if (oldreq->proxy_reply->src_port == cl->acct_port) {
947 cl->acct_active = TRUE;
948 cl->last_reply = oldreq->timestamp;
953 rad_assert(fun != NULL);
960 #define STATE_UNOPENED (0)
961 #define STATE_UNLOCKED (1)
962 #define STATE_HEADER (2)
963 #define STATE_READING (3)
964 #define STATE_DONE (4)
965 #define STATE_WAITING (5)
968 * If we're limiting outstanding packets, then mark the response
971 static int detail_send(rad_listen_t *listener, REQUEST *request)
973 listen_detail_t *data = listener->data;
975 rad_assert(request->listener == listener);
976 rad_assert(listener->send == detail_send);
978 if (request->simul_max >= 0) {
979 rad_assert(data->outstanding != NULL);
980 rad_assert(request->simul_max < data->max_outstanding);
982 data->outstanding[request->simul_max] = 0;
990 * Open the detail file..
992 * FIXME: create it, if it's not already there, so that the main
993 * server select() will wake us up if there's anything to read.
995 static int detail_open(rad_listen_t *this)
999 listen_detail_t *data = this->data;
1001 rad_assert(data->state == STATE_UNOPENED);
1002 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1005 * FIXME: Have "one-shot" configuration, where it
1006 * will read the detail file, and exit once it's
1009 * FIXME: Try harder to open the detail file.
1010 * Maybe sleep for X usecs if it doesn't exist?
1014 * Open detail.work first, so we don't lose
1015 * accounting packets. It's probably better to
1016 * duplicate them than to lose them.
1018 * Note that we're not writing to the file, but
1019 * we've got to open it for writing in order to
1020 * establish the lock, to prevent rlm_detail from
1023 this->fd = open(buffer, O_RDWR);
1026 * Try reading the detail file. If it
1027 * doesn't exist, we can't do anything.
1029 * Doing the stat will tell us if the file
1030 * exists, even if we don't have permissions
1033 if (stat(data->detail, &st) < 0) {
1038 * Open it BEFORE we rename it, just to
1041 this->fd = open(data->detail, O_RDWR);
1043 radlog(L_ERR, "Failed to open %s: %s",
1044 data->detail, strerror(errno));
1049 * Rename detail to detail.work
1051 if (rename(data->detail, buffer) < 0) {
1056 } /* else detail.work existed, and we opened it */
1058 rad_assert(data->vps == NULL);
1060 rad_assert(data->fp == NULL);
1061 data->fp = fdopen(this->fd, "r");
1063 radlog(L_ERR, "Failed to re-open %s: %s",
1064 data->detail, strerror(errno));
1068 data->state = STATE_UNLOCKED;
1070 data->client_ip.af = AF_UNSPEC;
1071 data->timestamp = 0;
1077 * This is a bad hack, just so complaints have meaningful text.
1079 static const RADCLIENT detail_client = {
1094 static int detail_recv(rad_listen_t *listener,
1095 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1098 char key[256], value[1024];
1099 VALUE_PAIR *vp, **tail;
1100 RADIUS_PACKET *packet;
1102 listen_detail_t *data = listener->data;
1104 if (data->state == STATE_UNOPENED) {
1105 rad_assert(listener->fd < 0);
1106 if (!detail_open(listener)) return 0;
1108 rad_assert(listener->fd >= 0);
1111 * Try to lock fd. If we can't, return. If we can,
1112 * continue. This means that the server doesn't block
1113 * while waiting for the lock to open...
1115 if (data->state == STATE_UNLOCKED) {
1117 * Note that we do NOT block waiting for the
1118 * lock. We've re-named the file above, so we've
1119 * already guaranteed that any *new* detail
1120 * writer will not be opening this file. The
1121 * only purpose of the lock is to catch a race
1122 * condition where the execution "ping-pongs"
1123 * between radiusd & radrelay.
1125 if (rad_lockfd_nonblock(listener->fd, 0) < 0) {
1129 * Look for the header
1131 data->state = STATE_HEADER;
1135 * If we keep track of the outstanding requests, do so
1136 * here. Note that to minimize potential work, we do
1137 * so only once the file is opened & locked.
1139 if (data->max_outstanding) {
1142 for (i = 0; i < data->max_outstanding; i++) {
1143 if (!data->outstanding[i]) {
1150 * All of the slots are full, don't read data.
1152 if (free_slot < 0) return 0;
1156 * Catch an out of memory condition which will most likely
1159 if (data->state == STATE_DONE) goto alloc_packet;
1162 * If we're in another state, then it means that we read
1163 * a partial packet, which is bad.
1165 rad_assert(data->state == STATE_HEADER);
1166 rad_assert(data->vps == NULL);
1169 * We read the last packet, and returned it for
1170 * processing. We later come back here to shut
1171 * everything down, and unlink the file.
1173 if (feof(data->fp)) {
1174 rad_assert(data->state == STATE_HEADER);
1177 * Don't unlink the file until we've received
1178 * all of the responses.
1180 if (data->max_outstanding > 0) {
1183 for (i = 0; i < data->max_outstanding; i++) {
1185 * FIXME: close the file?
1187 if (data->outstanding[i]) {
1188 data->state = STATE_WAITING;
1195 rad_assert(data->vps == NULL);
1197 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1199 fclose(data->fp); /* closes listener->fd */
1202 data->state = STATE_UNOPENED;
1205 * Try to open "detail" again. If we're on a
1206 * busy RADIUS server, odds are that it will
1209 detail_open(listener);
1216 * Fill the buffer...
1218 while (fgets(buffer, sizeof(buffer), data->fp)) {
1222 if (!strchr(buffer, '\n')) {
1223 pairfree(&data->vps);
1228 * We've read a header, possibly packet contents,
1229 * and are now at the end of the packet.
1231 if ((data->state == STATE_READING) &&
1232 (buffer[0] == '\n')) {
1233 data->state = STATE_DONE;
1238 * Look for date/time header, and read VP's if
1239 * found. If not, keep reading lines until we
1242 if (data->state == STATE_HEADER) {
1245 if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
1246 data->state = STATE_READING;
1252 * We have a full "attribute = value" line.
1253 * If it doesn't look reasonable, skip it.
1255 if (sscanf(buffer, "%255s = %1023s", key, value) != 2) {
1260 * Skip non-protocol attributes.
1262 if (!strcasecmp(key, "Request-Authenticator")) continue;
1265 * Set the original client IP address, based on
1266 * what's in the detail file.
1268 * Hmm... we don't set the server IP address.
1271 if (!strcasecmp(key, "Client-IP-Address")) {
1272 data->client_ip.af = AF_INET;
1273 ip_hton(value, AF_INET, &data->client_ip);
1278 * The original time at which we received the
1279 * packet. We need this to properly calculate
1282 if (!strcasecmp(key, "Timestamp")) {
1283 data->timestamp = atoi(value);
1290 * FIXME: do we want to check for non-protocol
1291 * attributes like radsqlrelay does?
1294 if ((userparse(buffer, &vp) > 0) &&
1302 * We got to EOF, If we're in STATE_HEADER, it's OK.
1303 * Otherwise it's a problem. In any case, nuke the file
1304 * and start over from scratch,
1306 if (feof(data->fp)) {
1311 * FIXME: Do load management.
1315 * If we're not done, then there's a problem. The checks
1318 rad_assert(data->state == STATE_DONE);
1321 * The packet we read was empty, re-set the state to look
1322 * for a header, and don't return anything.
1325 data->state = STATE_HEADER;
1330 * Allocate the packet. If we fail, it's a serious
1334 packet = rad_alloc(1);
1336 return 0; /* maybe memory will magically free up... */
1339 memset(packet, 0, sizeof(*packet));
1340 packet->sockfd = -1;
1341 packet->src_ipaddr.af = AF_INET;
1342 packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1343 packet->code = PW_ACCOUNTING_REQUEST;
1344 packet->timestamp = time(NULL);
1347 * Look for Acct-Delay-Time, and update
1348 * based on Acct-Delay-Time += (time(NULL) - timestamp)
1350 vp = pairfind(packet->vps, PW_ACCT_DELAY_TIME);
1352 vp = paircreate(PW_ACCT_DELAY_TIME, PW_TYPE_INTEGER);
1353 rad_assert(vp != NULL);
1355 if (data->timestamp != 0) {
1356 vp->lvalue += time(NULL) - data->timestamp;
1360 * Remember where it came from, so that we don't
1361 * proxy it to the place it came from...
1363 if (data->client_ip.af != AF_UNSPEC) {
1364 packet->src_ipaddr = data->client_ip;
1367 vp = pairfind(packet->vps, PW_PACKET_SRC_IP_ADDRESS);
1369 packet->src_ipaddr.af = AF_INET;
1370 packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1372 vp = pairfind(packet->vps, PW_PACKET_SRC_IPV6_ADDRESS);
1374 packet->src_ipaddr.af = AF_INET6;
1375 memcpy(&packet->src_ipaddr.ipaddr.ip6addr,
1376 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1380 vp = pairfind(packet->vps, PW_PACKET_DST_IP_ADDRESS);
1382 packet->dst_ipaddr.af = AF_INET;
1383 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1385 vp = pairfind(packet->vps, PW_PACKET_DST_IPV6_ADDRESS);
1387 packet->dst_ipaddr.af = AF_INET6;
1388 memcpy(&packet->dst_ipaddr.ipaddr.ip6addr,
1389 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1394 * We've got to give SOME value for Id & ports, so that
1395 * the packets can be added to the request queue.
1396 * However, we don't want to keep track of used/unused
1397 * id's and ports, as that's a lot of work. This hack
1398 * ensures that (if we have real random numbers), that
1399 * there will be a collision on every (2^(16+16+2+24))/2
1400 * packets, on average. That means we can read 2^32 (4G)
1401 * packets before having a collision, which means it's
1402 * effectively impossible. Having 4G packets currently
1403 * being process is ridiculous.
1405 packet->id = lrad_rand() & 0xff;
1406 packet->src_port = lrad_rand() & 0xffff;
1407 packet->dst_port = lrad_rand() & 0xffff;
1409 packet->dst_ipaddr.af = AF_INET;
1410 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl((INADDR_LOOPBACK & ~0xffffff) | (lrad_rand() & 0xffffff));
1412 packet->vps = data->vps;
1418 data->state = STATE_HEADER;
1421 * FIXME: many of these checks may not be necessary...
1423 if (!common_checks(listener, packet, prequest, &detail_client)) {
1429 * Keep track of free slots, as a hack, in an otherwise
1432 (*prequest)->simul_max = free_slot;
1433 if (free_slot) data->outstanding[free_slot] = 1;
1435 *pfun = rad_accounting;
1438 printf("detail_recv: Read packet from %s\n", data->detail);
1439 for (vp = packet->vps; vp; vp = vp->next) {
1441 vp_print(stdout, vp);
1451 * Free detail-specific stuff.
1453 static void detail_free(rad_listen_t *this)
1455 listen_detail_t *data = this->data;
1458 pairfree(&data->vps);
1459 free(data->outstanding);
1461 if (data->fp != NULL) fclose(data->fp);
1465 static int detail_print(rad_listen_t *this, char *buffer, size_t bufsize)
1467 return snprintf(buffer, bufsize, "%s",
1468 ((listen_detail_t *)(this->data))->detail);
1472 static const CONF_PARSER detail_config[] = {
1473 { "detail", PW_TYPE_STRING_PTR,
1474 offsetof(listen_detail_t, detail), NULL, NULL },
1475 { "max_outstanding", PW_TYPE_INTEGER,
1476 offsetof(listen_detail_t, max_outstanding), NULL, "100" },
1478 { NULL, -1, 0, NULL, NULL } /* end the list */
1483 * Parse a detail section.
1485 static int detail_parse(const char *filename, int lineno,
1486 const CONF_SECTION *cs, rad_listen_t *this)
1489 listen_detail_t *data;
1493 rcode = cf_section_parse(cs, data, detail_config);
1495 radlog(L_ERR, "%s[%d]: Failed parsing listen section",
1500 if (!data->detail) {
1501 radlog(L_ERR, "%s[%d]: No detail file specified in listen section",
1508 data->state = STATE_UNOPENED;
1510 if (data->max_outstanding > 32768) data->max_outstanding = 32768;
1512 if (data->max_outstanding > 0) {
1513 data->outstanding = rad_malloc(sizeof(int) * data->max_outstanding);
1523 * See radiusd.c & request_list.c
1525 #define SLEEP_FOREVER (65536)
1527 * A generic "update the request list once a second" function.
1529 static int generic_update(rad_listen_t *this, time_t now)
1531 if (!this->rl) return SLEEP_FOREVER;
1533 return rl_clean_list(this->rl, now);
1538 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1539 { NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1541 /* authentication */
1542 { common_socket_parse, NULL,
1543 auth_socket_recv, auth_socket_send,
1544 generic_update, socket_print },
1547 { common_socket_parse, NULL,
1548 acct_socket_recv, acct_socket_send,
1549 generic_update, socket_print},
1553 proxy_socket_recv, proxy_socket_send,
1554 generic_update, socket_print }, /* FIXME: update func is wrong! */
1557 { detail_parse, detail_free,
1558 detail_recv, detail_send,
1559 generic_update, detail_print }
1564 * Binds a listener to a socket.
1566 static int listen_bind(rad_listen_t *this)
1568 rad_listen_t **last;
1569 listen_socket_t *sock = this->data;
1572 * If the port is zero, then it means the appropriate
1573 * thing from /etc/services.
1575 if (sock->port == 0) {
1576 struct servent *svp;
1578 switch (this->type) {
1579 case RAD_LISTEN_AUTH:
1580 svp = getservbyname ("radius", "udp");
1582 sock->port = ntohs(svp->s_port);
1584 sock->port = PW_AUTH_UDP_PORT;
1588 case RAD_LISTEN_ACCT:
1589 svp = getservbyname ("radacct", "udp");
1591 sock->port = ntohs(svp->s_port);
1593 sock->port = PW_ACCT_UDP_PORT;
1598 radlog(L_ERR|L_CONS, "ERROR: Non-fatal internal sanity check failed in bind.");
1604 * Find it in the old list, AFTER updating the port. If
1605 * it's there, use that, rather than creating a new
1606 * socket. This allows HUP's to re-use the old sockets,
1607 * which means that packets waiting in the socket queue
1610 for (last = &mainconfig.listen;
1612 last = &((*last)->next)) {
1613 if ((this->type == (*last)->type) &&
1614 (sock->port == ((listen_socket_t *)((*last)->data))->port) &&
1615 (sock->ipaddr.af == ((listen_socket_t *)((*last)->data))->ipaddr.af)) {
1618 if (sock->ipaddr.af == AF_INET) {
1619 equal = (sock->ipaddr.ipaddr.ip4addr.s_addr == ((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip4addr.s_addr);
1620 } else if (sock->ipaddr.af == AF_INET6) {
1621 equal = IN6_ARE_ADDR_EQUAL(&(sock->ipaddr.ipaddr.ip6addr), &(((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip6addr));
1627 this->rl = (*last)->rl;
1628 this->fd = (*last)->fd;
1636 this->fd = lrad_socket(&sock->ipaddr, sock->port);
1638 radlog(L_ERR|L_CONS, "ERROR: Failed to open socket: %s",
1648 * Allocate & initialize a new listener.
1650 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1654 this = rad_malloc(sizeof(*this));
1655 memset(this, 0, sizeof(*this));
1658 this->recv = master_listen[this->type].recv;
1659 this->send = master_listen[this->type].send;
1660 this->update = master_listen[this->type].update;
1661 this->print = master_listen[this->type].print;
1664 case RAD_LISTEN_AUTH:
1665 case RAD_LISTEN_ACCT:
1666 case RAD_LISTEN_PROXY:
1667 this->data = rad_malloc(sizeof(listen_socket_t));
1668 memset(this->data, 0, sizeof(listen_socket_t));
1671 case RAD_LISTEN_DETAIL:
1672 this->data = rad_malloc(sizeof(listen_detail_t));
1673 memset(this->data, 0, sizeof(listen_detail_t));
1684 * Externally visible function for creating a new proxy LISTENER.
1686 * For now, don't take ipaddr or port.
1688 * Not thread-safe, but all calls to it are protected by the
1689 * proxy mutex in request_list.c
1691 rad_listen_t *proxy_new_listener()
1693 int last_proxy_port, port;
1694 rad_listen_t *this, *tmp, **last;
1695 listen_socket_t *sock, *old;
1697 this = listen_alloc(RAD_LISTEN_PROXY);
1700 * Find an existing proxy socket to copy.
1702 * FIXME: Make it per-realm, or per-home server!
1704 last_proxy_port = 0;
1706 last = &mainconfig.listen;
1707 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1708 if (tmp->type == RAD_LISTEN_PROXY) {
1710 if (sock->port > last_proxy_port) {
1711 last_proxy_port = sock->port + 1;
1713 if (!old) old = sock;
1716 last = &(tmp->next);
1719 if (!old) return NULL; /* This is a serious error. */
1722 * FIXME: find a new IP address to listen on?
1725 memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr));
1728 * Keep going until we find an unused port.
1730 for (port = last_proxy_port; port < 64000; port++) {
1732 if (listen_bind(this) == 0) {
1734 * Add the new listener to the list of
1746 static const LRAD_NAME_NUMBER listen_compare[] = {
1747 { "auth", RAD_LISTEN_AUTH },
1748 { "acct", RAD_LISTEN_ACCT },
1749 { "detail", RAD_LISTEN_DETAIL },
1755 * Generate a list of listeners. Takes an input list of
1756 * listeners, too, so we don't close sockets with waiting packets.
1758 int listen_init(const char *filename, rad_listen_t **head)
1762 rad_listen_t **last;
1764 lrad_ipaddr_t server_ipaddr;
1768 * We shouldn't be called with a pre-existing list.
1770 rad_assert(head && (*head == NULL));
1772 if (start_time != 0) start_time = time(NULL);
1775 server_ipaddr.af = AF_UNSPEC;
1778 * If the port is specified on the command-line,
1779 * it over-rides the configuration file.
1781 if (mainconfig.port >= 0) {
1782 auth_port = mainconfig.port;
1784 rcode = cf_item_parse(mainconfig.config, "port",
1785 PW_TYPE_INTEGER, &auth_port,
1786 Stringify(PW_AUTH_UDP_PORT));
1787 if (rcode < 0) return -1; /* error parsing it */
1790 radlog(L_INFO, "WARNING: The directive 'port' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1794 * If the IP address was configured on the command-line,
1795 * use that as the "bind_address"
1797 if (mainconfig.myip.af != AF_UNSPEC) {
1798 memcpy(&server_ipaddr, &mainconfig.myip,
1799 sizeof(server_ipaddr));
1804 * Else look for bind_address and/or listen sections.
1806 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1807 rcode = cf_item_parse(mainconfig.config, "bind_address",
1809 &server_ipaddr.ipaddr.ip4addr, NULL);
1810 if (rcode < 0) return -1; /* error parsing it */
1812 if (rcode == 0) { /* successfully parsed IPv4 */
1813 listen_socket_t *sock;
1814 server_ipaddr.af = AF_INET;
1816 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1819 this = listen_alloc(RAD_LISTEN_AUTH);
1822 sock->ipaddr = server_ipaddr;
1823 sock->port = auth_port;
1825 if (listen_bind(this) < 0) {
1828 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1831 auth_port = sock->port; /* may have been updated in listen_bind */
1833 last = &(this->next);
1836 * Open Accounting Socket.
1838 * If we haven't already gotten acct_port from
1839 * /etc/services, then make it auth_port + 1.
1841 this = listen_alloc(RAD_LISTEN_ACCT);
1845 * Create the accounting socket.
1847 * The accounting port is always the
1848 * authentication port + 1
1850 sock->ipaddr = server_ipaddr;
1851 sock->port = auth_port + 1;
1853 if (listen_bind(this) < 0) {
1856 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1861 last = &(this->next);
1863 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1864 radlog(L_CONS|L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1870 * They specified an IP on the command-line, ignore
1871 * all listen sections.
1873 if (mainconfig.myip.af != AF_UNSPEC) goto do_proxy;
1876 * Walk through the "listen" sections, if they exist.
1878 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "listen");
1880 cs = cf_subsection_find_next(mainconfig.config, cs, "listen")) {
1882 char *listen_type, *identity;
1883 int lineno = cf_section_lineno(cs);
1885 listen_type = identity = NULL;
1887 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1889 if (rcode < 0) return -1;
1893 radlog(L_ERR, "%s[%d]: No type specified in listen section",
1899 * See if there's an identity.
1901 rcode = cf_item_parse(cs, "identity", PW_TYPE_STRING_PTR,
1909 type = lrad_str2int(listen_compare, listen_type,
1912 if (type == RAD_LISTEN_NONE) {
1914 radlog(L_CONS|L_ERR, "%s[%d]: Invalid type in listen section.",
1920 * Set up cross-type data.
1922 this = listen_alloc(type);
1923 this->identity = identity;
1927 * Call per-type parser.
1929 if (master_listen[type].parse(filename, lineno,
1937 last = &(this->next);
1941 * If we're proxying requests, open the proxy FD.
1942 * Otherwise, don't do anything.
1945 if (mainconfig.proxy_requests == TRUE) {
1947 listen_socket_t *sock = NULL;
1950 * No sockets to receive packets, therefore
1951 * proxying is pointless.
1953 if (!*head) return -1;
1956 * If we previously had proxy sockets, copy them
1957 * to the new config.
1959 if (mainconfig.listen != NULL) {
1960 rad_listen_t *old, *next, **tail;
1962 tail = &mainconfig.listen;
1963 for (old = mainconfig.listen;
1968 if (old->type != RAD_LISTEN_PROXY) {
1969 tail = &((*tail)->next);
1976 last = &(old->next);
1983 * Find the first authentication port,
1986 for (this = *head; this != NULL; this = this->next) {
1987 if (this->type == RAD_LISTEN_AUTH) {
1989 if (server_ipaddr.af == AF_UNSPEC) {
1990 server_ipaddr = sock->ipaddr;
1992 port = sock->port + 2; /* skip acct port */
1996 rad_assert(port > 0); /* must have found at least one entry! */
1999 * Address is still unspecified, use IPv4.
2001 if (server_ipaddr.af == AF_UNSPEC) {
2002 server_ipaddr.af = AF_INET;
2003 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
2006 this = listen_alloc(RAD_LISTEN_PROXY);
2010 * Create the first proxy socket.
2012 sock->ipaddr = server_ipaddr;
2015 * Try to find a proxy port (value doesn't matter)
2017 for (sock->port = port;
2020 if (listen_bind(this) == 0) {
2022 last = &(this->next); /* just in case */
2027 if (sock->port >= 64000) {
2030 radlog(L_ERR|L_CONS, "Failed to open socket for proxying");
2036 * Sanity check the configuration.
2039 for (this = *head; this != NULL; this = this->next) {
2040 if ((this->type != RAD_LISTEN_PROXY) &&
2043 * FIXME: Pass type to rl_init, so that
2044 * it knows how to deal with accounting
2045 * packets. i.e. it caches them, but
2046 * doesn't bother trying to re-transmit.
2048 this->rl = rl_init();
2050 rad_assert(0 == 1); /* FIXME: */
2054 if (((this->type == RAD_LISTEN_ACCT) &&
2055 (rcode == RAD_LISTEN_DETAIL)) ||
2056 ((this->type == RAD_LISTEN_DETAIL) &&
2057 (rcode == RAD_LISTEN_ACCT))) {
2058 rad_assert(0 == 1); /* FIXME: configuration error */
2061 if (rcode != 0) continue;
2063 if ((this->type == RAD_LISTEN_ACCT) ||
2064 (this->type == RAD_LISTEN_DETAIL)) {
2074 * Free a linked list of listeners;
2076 void listen_free(rad_listen_t **head)
2080 if (!head || !*head) return;
2084 rad_listen_t *next = this->next;
2086 free(this->identity);
2088 rl_deinit(this->rl);
2091 * Other code may have eaten the FD.
2093 if (this->fd >= 0) close(this->fd);
2095 if (master_listen[this->type].free) {
2096 master_listen[this->type].free(this);