2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005,2006 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/autoconf.h>
32 #ifdef HAVE_NETINET_IN_H
33 #include <netinet/in.h>
36 #ifdef HAVE_ARPA_INET_H
37 #include <arpa/inet.h>
40 #include <sys/resource.h>
42 #include <sys/types.h>
43 #include <sys/socket.h>
50 #ifdef HAVE_SYS_STAT_H
55 #include <freeradius-devel/udpfromto.h>
60 #include <freeradius-devel/radiusd.h>
61 #include <freeradius-devel/rad_assert.h>
63 #include <freeradius-devel/radius_snmp.h>
64 #include <freeradius-devel/request_list.h>
66 static time_t start_time = 0;
69 * FIXME: Delete this crap!
71 extern time_t time_now;
74 * We'll use this below.
76 typedef int (*rad_listen_parse_t)(const char *, int, const CONF_SECTION *, rad_listen_t *);
77 typedef void (*rad_listen_free_t)(rad_listen_t *);
79 typedef struct rad_listen_master_t {
80 rad_listen_parse_t parse;
81 rad_listen_free_t free;
82 rad_listen_recv_t recv;
83 rad_listen_send_t send;
84 rad_listen_update_t update;
85 rad_listen_print_t print;
86 } rad_listen_master_t;
88 typedef struct listen_socket_t {
94 RADCLIENT_LIST *clients;
97 typedef struct listen_detail_t {
103 lrad_ipaddr_t client_ip;
110 * Find a per-socket client.
112 static RADCLIENT *client_listener_find(const rad_listen_t *listener,
113 const lrad_ipaddr_t *ipaddr)
115 const RADCLIENT_LIST *clients;
117 rad_assert(listener != NULL);
118 rad_assert(ipaddr != NULL);
120 rad_assert((listener->type == RAD_LISTEN_AUTH) ||
121 (listener->type == RAD_LISTEN_ACCT));
123 clients = ((listen_socket_t *)listener->data)->clients;
124 if (!clients) clients = mainconfig.clients;
126 rad_assert(clients != NULL);
128 return client_find(clients, ipaddr);
131 static int listen_bind(rad_listen_t *this);
134 * FIXME: have the detail reader use another config "exit when done",
135 * so that it can be used as a one-off tool to update stuff.
139 * Process and reply to a server-status request.
140 * Like rad_authenticate and rad_accounting this should
141 * live in it's own file but it's so small we don't bother.
143 static int rad_status_server(REQUEST *request)
145 switch (request->listener->type) {
146 case RAD_LISTEN_AUTH:
147 request->reply->code = PW_AUTHENTICATION_ACK;
150 * Commented out for now.
159 * Reply with an ACK. We might want to add some more
160 * interesting reply attributes, such as server uptime.
162 t = request->timestamp - start_time;
163 sprintf(reply_msg, "FreeRADIUS STUFF %d day%s, %02d:%02d",
164 (int)(t / 86400), (t / 86400) == 1 ? "" : "s",
165 (int)((t / 3600) % 24), (int)(t / 60) % 60);
167 vp = pairmake("Reply-Message", reply_msg, T_OP_SET);
168 pairadd(&request->reply->vps, vp); /* don't need to check if !vp */
173 case RAD_LISTEN_ACCT:
174 request->reply->code = PW_ACCOUNTING_RESPONSE;
185 static int request_num_counter = 0;
188 * Check for dups, etc. Common to Access-Request &&
189 * Accounting-Request packets.
191 static int common_checks(rad_listen_t *listener,
192 RADIUS_PACKET *packet, REQUEST **prequest,
193 const RADCLIENT *client)
198 rad_assert(listener->rl != NULL);
201 * If there is no existing request of id, code, etc.,
202 * then we can return, and let it be processed.
204 if ((curreq = rl_find(listener->rl, packet)) == NULL) {
206 * Count the total number of requests, to see if
207 * there are too many. If so, return with an
210 if (mainconfig.max_requests) {
212 * FIXME: This is now per-socket,
213 * when it should really be global
216 int request_count = rl_num_requests(listener->rl);
219 * This is a new request. Let's see if
220 * it makes us go over our configured
223 if (request_count > mainconfig.max_requests) {
224 radlog(L_ERR, "Dropping request (%d is too many): "
225 "from client %s port %d - ID: %d", request_count,
227 packet->src_port, packet->id);
228 radlog(L_INFO, "WARNING: Please check the %s file.\n"
229 "\tThe value for 'max_requests' is probably set too low.\n", mainconfig.radiusd_conf);
231 } /* else there were a small number of requests */
232 } /* else there was no configured limit for requests */
235 * FIXME: Add checks for system load. If the
236 * system is busy, start dropping requests...
238 * We can probably keep some statistics
239 * ourselves... if there are more requests
240 * coming in than we can handle, start dropping
245 * The current request isn't finished, which
246 * means that the NAS sent us a new packet, while
247 * we are still processing the old request.
249 } else if (!curreq->finished) {
251 * If the authentication vectors are identical,
252 * then the NAS is re-transmitting it, trying to
253 * kick us into responding to the request.
255 if (memcmp(curreq->packet->vector, packet->vector,
256 sizeof(packet->vector)) == 0) {
257 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
260 * It's not finished because the request
261 * was proxied, but there was no reply
262 * from the home server.
264 * This code will never get hit for
265 * accounting packets, as they're always
266 * updated, and never re-transmitted.
268 if (curreq->proxy && !curreq->proxy_reply) {
269 DEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
270 inet_ntop(curreq->proxy->dst_ipaddr.af,
271 &curreq->proxy->dst_ipaddr.ipaddr,
272 buffer, sizeof(buffer)), curreq->proxy->dst_port,
275 curreq->proxy_listener->send(curreq->proxy_listener, curreq);
277 } /* else the packet was not proxied */
280 * Someone's still working on it, so we
281 * ignore the duplicate request.
283 radlog(L_ERR, "Discarding duplicate request from "
284 "client %s port %d - ID: %d due to unfinished request %d",
286 packet->src_port, packet->id,
289 } /* else the authentication vectors were different */
292 * We're waiting for a proxy reply, but no one is
293 * currently processing the request. We can
294 * discard the old request, and ignore any reply
295 * from the home server, because the NAS will
298 if (curreq->proxy && !curreq->proxy_reply &&
299 (curreq->child_pid == NO_SUCH_CHILD_PID)) {
300 radlog(L_ERR, "Discarding old proxied request %d from "
301 "client %s port %d - ID: %d due to new request from the client",
302 curreq->number, client->shortname,
303 packet->src_port, packet->id);
306 * The authentication vectors are different, so
307 * the NAS has given up on us, as we've taken too
308 * long to process the request. This is a
311 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
313 radlog(L_ERR, "Dropping conflicting packet from "
314 "client %s port %d - ID: %d due to unfinished request %d",
316 packet->src_port, packet->id,
322 * The old request is finished. We now check the
323 * authentication vectors. If the client has sent us a
324 * request with identical code && ID, but different
325 * vector, then they MUST have gotten our response, so we
326 * can delete the original request, and process the new
329 * If the vectors are the same, then it's a duplicate
330 * request, and we can send a duplicate reply.
332 } else if (memcmp(curreq->packet->vector, packet->vector,
333 sizeof(packet->vector)) == 0) {
334 RAD_SNMP_INC(rad_snmp.auth.total_dup_requests);
337 * If the packet has been delayed, then silently
338 * send a response, and clear the delayed flag.
340 * Note that this means if the NAS kicks us while
341 * we're delaying a reject, then the reject may
342 * be sent sooner than otherwise.
344 * This COULD be construed as a bug. Maybe what
345 * we want to do is to ignore the duplicate
346 * packet, and send the reject later.
348 if (curreq->options & RAD_REQUEST_OPTION_DELAYED_REJECT) {
349 curreq->options &= ~RAD_REQUEST_OPTION_DELAYED_REJECT;
350 rad_assert(curreq->listener == listener);
351 listener->send(listener, curreq);
356 * Maybe we've saved a reply packet. If so,
357 * re-send it. Otherwise, just complain.
359 if (curreq->reply->code != 0) {
360 DEBUG2("Sending duplicate reply "
361 "to client %s port %d - ID: %d",
363 packet->src_port, packet->id);
364 rad_assert(curreq->listener == listener);
365 listener->send(listener, curreq);
370 * Else we never sent a reply to the NAS,
371 * as we decided somehow we didn't like the request.
373 * This shouldn't happen, in general...
375 DEBUG2("Discarding duplicate request from client %s port %d - ID: %d",
376 client->shortname, packet->src_port, packet->id);
378 } /* else the vectors were different, so we discard the old request. */
381 * 'packet' has the same source IP, source port, code,
382 * and Id as 'curreq', but a different authentication
383 * vector. We can therefore delete 'curreq', as we were
384 * only keeping it around to send out duplicate replies,
385 * if the first reply got lost in the network.
388 rl_yank(listener->rl, curreq);
389 request_free(&curreq);
393 * A unique per-request counter.
395 curreq = request_alloc(); /* never fails */
397 if ((curreq->reply = rad_alloc(0)) == NULL) {
398 radlog(L_ERR, "No memory");
401 curreq->listener = listener;
402 curreq->packet = packet;
403 curreq->packet->timestamp = curreq->timestamp;
404 curreq->number = request_num_counter++;
405 strlcpy(curreq->secret, client->secret, sizeof(curreq->secret));
408 * Remember the request in the list.
410 if (!rl_add(listener->rl, curreq)) {
411 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", curreq->number);
412 request_free(&curreq);
417 * The request passes many of our sanity checks.
418 * From here on in, if anything goes wrong, we
419 * send a reject message, instead of dropping the
424 * Build the reply template from the request.
427 curreq->reply->sockfd = curreq->packet->sockfd;
428 curreq->reply->dst_ipaddr = curreq->packet->src_ipaddr;
429 curreq->reply->src_ipaddr = curreq->packet->dst_ipaddr;
430 curreq->reply->dst_port = curreq->packet->src_port;
431 curreq->reply->src_port = curreq->packet->dst_port;
432 curreq->reply->id = curreq->packet->id;
433 curreq->reply->code = 0; /* UNKNOWN code */
434 memcpy(curreq->reply->vector, curreq->packet->vector,
435 sizeof(curreq->reply->vector));
436 curreq->reply->vps = NULL;
437 curreq->reply->data = NULL;
438 curreq->reply->data_len = 0;
445 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
448 listen_socket_t *sock = this->data;
450 if ((sock->ipaddr.af == AF_INET) &&
451 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
454 ip_ntoh(&sock->ipaddr, buffer, bufsize);
457 len = strlen(buffer);
459 return len + snprintf(buffer + len, bufsize - len, " port %d",
465 * Parse an authentication or accounting socket.
467 static int common_socket_parse(const char *filename, int lineno,
468 const CONF_SECTION *cs, rad_listen_t *this)
472 lrad_ipaddr_t ipaddr;
473 listen_socket_t *sock = this->data;
474 const char *section_name = NULL;
475 CONF_SECTION *client_cs;
480 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
481 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
482 &ipaddr.ipaddr.ip4addr, NULL);
483 if (rcode < 0) return -1;
485 if (rcode == 0) { /* successfully parsed IPv4 */
488 } else { /* maybe IPv6? */
489 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
490 &ipaddr.ipaddr.ip6addr, NULL);
491 if (rcode < 0) return -1;
494 radlog(L_ERR, "%s[%d]: No address specified in listen section",
498 ipaddr.af = AF_INET6;
501 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
503 if (rcode < 0) return -1;
505 sock->ipaddr = ipaddr;
506 sock->port = listen_port;
509 * And bind it to the port.
511 if (listen_bind(this) < 0) {
513 radlog(L_CONS|L_ERR, "%s[%d]: Error binding to port for %s port %d",
514 filename, cf_section_lineno(cs),
515 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
521 * If we can bind to interfaces, do so,
524 if (cf_pair_find(cs, "interface")) {
525 #ifndef SO_BINDTODEVICE
526 radlog(L_CONS|L_ERR, "%s[%d]: System does not support binding to interfaces, delete this line from the configuration file.",
527 filename, cf_section_lineno(cs));
531 const CONF_PAIR *cp = cf_pair_find(cs, "interface");
534 rad_assert(cp != NULL);
535 value = cf_pair_value(cp);
536 rad_assert(value != NULL);
538 strcpy(ifreq.ifr_name, value);
540 if (setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
541 (char *)&ifreq, sizeof(ifreq)) < 0) {
542 radlog(L_CONS|L_ERR, "%s[%d]: Failed binding to interface %s: %s",
543 filename, cf_section_lineno(cs),
544 value, strerror(errno));
546 } /* else it worked. */
551 * Look for the name of a section that holds a list
554 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
555 §ion_name, NULL);
556 if (rcode < 0) return -1; /* bad string */
557 if (rcode > 0) return 0; /* non-existent is OK. */
559 client_cs = cf_section_find(section_name);
562 radlog(L_CONS|L_ERR, "%s[%d]: Failed to find client section %s",
563 filename, cf_section_lineno(cs), section_name);
567 sock->clients = clients_parse_section(filename, client_cs);
568 if (!sock->clients) {
576 * Send an authentication response packet
578 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
580 rad_assert(request->listener == listener);
581 rad_assert(listener->send == auth_socket_send);
584 * Ensure that the reply is sane
586 if (request->reply->code == 0) {
587 DEBUG2("There was no response configured: rejecting request %d", request->number);
588 request->reply->code = PW_AUTHENTICATION_REJECT;
592 * If we're delaying authentication rejects, then
593 * mark the request as delayed, and do NOT send a
594 * response right now.
596 * However, if it's already marked as delayed, then
599 if ((request->reply->code == PW_AUTHENTICATION_REJECT) &&
600 ((request->options & RAD_REQUEST_OPTION_DELAYED_REJECT) == 0) &&
601 (mainconfig.reject_delay > 0) &&
602 ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0)) {
603 DEBUG2("Delaying request %d for %d seconds",
604 request->number, mainconfig.reject_delay);
605 request->options |= RAD_REQUEST_OPTION_DELAYED_REJECT;
609 return rad_send(request->reply, request->packet, request->secret);
614 * Send an accounting response packet (or not)
616 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
618 rad_assert(request->listener == listener);
619 rad_assert(listener->send == acct_socket_send);
622 * Accounting reject's are silently dropped.
624 * We do it here to avoid polluting the rest of the
625 * code with this knowledge
627 if (request->reply->code == 0) return 0;
629 return rad_send(request->reply, request->packet, request->secret);
634 * Send a packet to a home server.
636 * FIXME: have different code for proxy auth & acct!
638 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
640 listen_socket_t *sock = listener->data;
642 rad_assert(request->proxy_listener == listener);
643 rad_assert(listener->send == proxy_socket_send);
645 request->proxy->src_ipaddr = sock->ipaddr;
646 request->proxy->src_port = sock->port;
648 return rad_send(request->proxy, request->packet, request->proxysecret);
653 * Check if an incoming request is "ok"
655 * It takes packets, not requests. It sees if the packet looks
656 * OK. If so, it does a number of sanity checks on it.
658 static int auth_socket_recv(rad_listen_t *listener,
659 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
661 RADIUS_PACKET *packet;
662 RAD_REQUEST_FUNP fun = NULL;
666 packet = rad_recv(listener->fd);
668 radlog(L_ERR, "%s", librad_errstr);
672 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: auth specific */
674 if ((client = client_listener_find(listener,
675 &packet->src_ipaddr)) == NULL) {
676 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
678 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
679 inet_ntop(packet->src_ipaddr.af,
680 &packet->src_ipaddr.ipaddr,
681 buffer, sizeof(buffer)),
688 * Some sanity checks, based on the packet code.
690 switch(packet->code) {
691 case PW_AUTHENTICATION_REQUEST:
692 fun = rad_authenticate;
695 case PW_STATUS_SERVER:
696 if (!mainconfig.status_server) {
697 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
698 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
702 fun = rad_status_server;
706 RAD_SNMP_INC(rad_snmp.auth.total_unknown_types);
708 radlog(L_ERR, "Invalid packet code %d sent to authentication port from client %s port %d "
710 packet->code, client->shortname,
711 packet->src_port, packet->id);
715 } /* switch over packet types */
717 if (!common_checks(listener, packet, prequest, client)) {
728 * Receive packets from an accounting socket
730 static int acct_socket_recv(rad_listen_t *listener,
731 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
733 RADIUS_PACKET *packet;
734 RAD_REQUEST_FUNP fun = NULL;
738 packet = rad_recv(listener->fd);
740 radlog(L_ERR, "%s", librad_errstr);
744 RAD_SNMP_TYPE_INC(listener, total_requests); /* FIXME: acct-specific */
746 if ((client = client_listener_find(listener,
747 &packet->src_ipaddr)) == NULL) {
748 RAD_SNMP_TYPE_INC(listener, total_invalid_requests);
750 radlog(L_ERR, "Ignoring request from unknown client %s port %d",
751 inet_ntop(packet->src_ipaddr.af,
752 &packet->src_ipaddr.ipaddr,
753 buffer, sizeof(buffer)),
759 switch(packet->code) {
760 case PW_ACCOUNTING_REQUEST:
761 fun = rad_accounting;
764 case PW_STATUS_SERVER:
765 if (!mainconfig.status_server) {
766 RAD_SNMP_TYPE_INC(listener, total_packets_dropped);
767 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
771 fun = rad_status_server;
776 * FIXME: Update MIB for packet types?
778 radlog(L_ERR, "Invalid packet code %d sent to a accounting port "
779 "from client %s port %d - ID %d : IGNORED",
780 packet->code, client->shortname,
781 packet->src_port, packet->id);
787 * FIXME: Accounting duplicates should be handled
788 * differently than authentication duplicates.
790 if (!common_checks(listener, packet, prequest, client)) {
801 * Recieve packets from a proxy socket.
803 static int proxy_socket_recv(rad_listen_t *listener,
804 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
808 RADIUS_PACKET *packet;
809 RAD_REQUEST_FUNP fun = NULL;
812 packet = rad_recv(listener->fd);
814 radlog(L_ERR, "%s", librad_errstr);
821 if (packet->src_ipaddr.af != AF_INET) {
822 rad_assert("PROXY IPV6 NOT SUPPORTED" == NULL);
826 * FIXME: Add support for home servers!
828 if ((cl = realm_findbyaddr(packet->src_ipaddr.ipaddr.ip4addr.s_addr,
829 packet->src_port)) == NULL) {
830 radlog(L_ERR, "Ignoring request from unknown home server %s port %d",
831 inet_ntop(packet->src_ipaddr.af,
832 &packet->src_ipaddr.ipaddr,
833 buffer, sizeof(buffer)),
840 * FIXME: Client MIB updates?
842 switch(packet->code) {
843 case PW_AUTHENTICATION_ACK:
844 case PW_ACCESS_CHALLENGE:
845 case PW_AUTHENTICATION_REJECT:
846 fun = rad_authenticate;
849 case PW_ACCOUNTING_RESPONSE:
850 fun = rad_accounting;
855 * FIXME: Update MIB for packet types?
857 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
858 "from home server %s port %d - ID %d : IGNORED",
860 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
861 packet->src_port, packet->id);
867 * Find the original request in the request list
869 oldreq = rl_find_proxy(packet);
872 * If we haven't found the original request which was
873 * sent, to get this reply. Complain, and discard this
874 * request, as there's no way for us to send it to a NAS.
877 radlog(L_PROXY, "No outstanding request was found for proxy reply from home server %s port %d - ID %d",
878 inet_ntop(packet->src_ipaddr.af,
879 &packet->src_ipaddr.ipaddr,
880 buffer, sizeof(buffer)),
881 packet->src_port, packet->id);
887 * The proxy reply has arrived too late, as the original
888 * (old) request has timed out, been rejected, and marked
889 * as finished. The client has already received a
890 * response, so there is nothing that can be done. Delete
891 * the tardy reply from the home server, and return nothing.
893 if ((oldreq->reply->code != 0) ||
894 (oldreq->finished)) {
895 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
896 inet_ntop(packet->src_ipaddr.af,
897 &packet->src_ipaddr.ipaddr,
898 buffer, sizeof(buffer)),
899 packet->src_port, packet->id,
906 * If there is already a reply, maybe this one is a
909 if (oldreq->proxy_reply) {
910 if (memcmp(oldreq->proxy_reply->vector,
912 sizeof(oldreq->proxy_reply->vector)) == 0) {
913 radlog(L_ERR, "Discarding duplicate reply from home server %s port %d - ID: %d for request %d",
914 inet_ntop(packet->src_ipaddr.af,
915 &packet->src_ipaddr.ipaddr,
916 buffer, sizeof(buffer)),
917 packet->src_port, packet->id,
921 * ? The home server gave us a new proxy
922 * reply, which doesn't match the old
925 DEBUG2("Ignoring conflicting proxy reply");
929 * We've already received a reply, so
930 * we discard this one, as we don't want
931 * to do duplicate work.
935 } /* else there wasn't a proxy reply yet, so we can process it */
938 * Refresh the old request, and update it with the proxy
941 * ? Can we delete the proxy request here? * Is there
942 * any more need for it?
944 * FIXME: we probably shouldn't be updating the time
947 oldreq->timestamp = time_now;
948 oldreq->proxy_reply = packet;
951 * FIXME: we should really verify the digest here,
952 * before marking this packet as a valid response.
954 * This is a security problem, I think...
958 * Now that we've verified the packet IS actually from
959 * that home server, and not forged, we can go mark the
960 * entries for this home server as active.
962 * If we had done this check in the 'find realm by IP address'
963 * function, then an attacker could force us to use a home
964 * server which was inactive, by forging reply packets
965 * which didn't match any request. We would think that
966 * the reply meant the home server was active, would
967 * re-activate the realms, and THEN bounce the packet
970 for (cl = mainconfig.realms; cl != NULL; cl = cl->next) {
971 if (oldreq->proxy_reply->src_ipaddr.af != cl->ipaddr.af) continue;
972 if (cl->ipaddr.af != AF_INET) continue; /* FIXME */
974 if (oldreq->proxy_reply->src_ipaddr.ipaddr.ip4addr.s_addr == cl->ipaddr.ipaddr.ip4addr.s_addr) {
975 if (oldreq->proxy_reply->src_port == cl->auth_port) {
977 cl->last_reply = oldreq->timestamp;
978 } else if (oldreq->proxy_reply->src_port == cl->acct_port) {
979 cl->acct_active = TRUE;
980 cl->last_reply = oldreq->timestamp;
985 rad_assert(fun != NULL);
992 #define STATE_UNOPENED (0)
993 #define STATE_UNLOCKED (1)
994 #define STATE_HEADER (2)
995 #define STATE_READING (3)
996 #define STATE_DONE (4)
997 #define STATE_WAITING (5)
1000 * If we're limiting outstanding packets, then mark the response
1003 static int detail_send(rad_listen_t *listener, REQUEST *request)
1005 listen_detail_t *data = listener->data;
1007 rad_assert(request->listener == listener);
1008 rad_assert(listener->send == detail_send);
1010 if (request->simul_max >= 0) {
1011 rad_assert(data->outstanding != NULL);
1012 rad_assert(request->simul_max < data->max_outstanding);
1014 data->outstanding[request->simul_max] = 0;
1022 * Open the detail file..
1024 * FIXME: create it, if it's not already there, so that the main
1025 * server select() will wake us up if there's anything to read.
1027 static int detail_open(rad_listen_t *this)
1031 listen_detail_t *data = this->data;
1033 rad_assert(data->state == STATE_UNOPENED);
1034 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1037 * FIXME: Have "one-shot" configuration, where it
1038 * will read the detail file, and exit once it's
1041 * FIXME: Try harder to open the detail file.
1042 * Maybe sleep for X usecs if it doesn't exist?
1046 * Open detail.work first, so we don't lose
1047 * accounting packets. It's probably better to
1048 * duplicate them than to lose them.
1050 * Note that we're not writing to the file, but
1051 * we've got to open it for writing in order to
1052 * establish the lock, to prevent rlm_detail from
1055 this->fd = open(buffer, O_RDWR);
1058 * Try reading the detail file. If it
1059 * doesn't exist, we can't do anything.
1061 * Doing the stat will tell us if the file
1062 * exists, even if we don't have permissions
1065 if (stat(data->detail, &st) < 0) {
1070 * Open it BEFORE we rename it, just to
1073 this->fd = open(data->detail, O_RDWR);
1075 radlog(L_ERR, "Failed to open %s: %s",
1076 data->detail, strerror(errno));
1081 * Rename detail to detail.work
1083 if (rename(data->detail, buffer) < 0) {
1088 } /* else detail.work existed, and we opened it */
1090 rad_assert(data->vps == NULL);
1092 rad_assert(data->fp == NULL);
1093 data->fp = fdopen(this->fd, "r");
1095 radlog(L_ERR, "Failed to re-open %s: %s",
1096 data->detail, strerror(errno));
1100 data->state = STATE_UNLOCKED;
1102 data->client_ip.af = AF_UNSPEC;
1103 data->timestamp = 0;
1109 * This is a bad hack, just so complaints have meaningful text.
1111 static const RADCLIENT detail_client = {
1126 static int detail_recv(rad_listen_t *listener,
1127 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1130 char key[256], value[1024];
1131 VALUE_PAIR *vp, **tail;
1132 RADIUS_PACKET *packet;
1134 listen_detail_t *data = listener->data;
1136 if (data->state == STATE_UNOPENED) {
1137 rad_assert(listener->fd < 0);
1138 if (!detail_open(listener)) return 0;
1140 rad_assert(listener->fd >= 0);
1143 * Try to lock fd. If we can't, return. If we can,
1144 * continue. This means that the server doesn't block
1145 * while waiting for the lock to open...
1147 if (data->state == STATE_UNLOCKED) {
1149 * Note that we do NOT block waiting for the
1150 * lock. We've re-named the file above, so we've
1151 * already guaranteed that any *new* detail
1152 * writer will not be opening this file. The
1153 * only purpose of the lock is to catch a race
1154 * condition where the execution "ping-pongs"
1155 * between radiusd & radrelay.
1157 if (rad_lockfd_nonblock(listener->fd, 0) < 0) {
1161 * Look for the header
1163 data->state = STATE_HEADER;
1167 * If we keep track of the outstanding requests, do so
1168 * here. Note that to minimize potential work, we do
1169 * so only once the file is opened & locked.
1171 if (data->max_outstanding) {
1174 for (i = 0; i < data->max_outstanding; i++) {
1175 if (!data->outstanding[i]) {
1182 * All of the slots are full, don't read data.
1184 if (free_slot < 0) return 0;
1188 * Catch an out of memory condition which will most likely
1191 if (data->state == STATE_DONE) goto alloc_packet;
1194 * If we're in another state, then it means that we read
1195 * a partial packet, which is bad.
1197 rad_assert(data->state == STATE_HEADER);
1198 rad_assert(data->vps == NULL);
1201 * We read the last packet, and returned it for
1202 * processing. We later come back here to shut
1203 * everything down, and unlink the file.
1205 if (feof(data->fp)) {
1206 rad_assert(data->state == STATE_HEADER);
1209 * Don't unlink the file until we've received
1210 * all of the responses.
1212 if (data->max_outstanding > 0) {
1215 for (i = 0; i < data->max_outstanding; i++) {
1217 * FIXME: close the file?
1219 if (data->outstanding[i]) {
1220 data->state = STATE_WAITING;
1227 rad_assert(data->vps == NULL);
1229 snprintf(buffer, sizeof(buffer), "%s.work", data->detail);
1231 fclose(data->fp); /* closes listener->fd */
1234 data->state = STATE_UNOPENED;
1237 * Try to open "detail" again. If we're on a
1238 * busy RADIUS server, odds are that it will
1241 detail_open(listener);
1248 * Fill the buffer...
1250 while (fgets(buffer, sizeof(buffer), data->fp)) {
1254 if (!strchr(buffer, '\n')) {
1255 pairfree(&data->vps);
1260 * We've read a header, possibly packet contents,
1261 * and are now at the end of the packet.
1263 if ((data->state == STATE_READING) &&
1264 (buffer[0] == '\n')) {
1265 data->state = STATE_DONE;
1270 * Look for date/time header, and read VP's if
1271 * found. If not, keep reading lines until we
1274 if (data->state == STATE_HEADER) {
1277 if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) {
1278 data->state = STATE_READING;
1284 * We have a full "attribute = value" line.
1285 * If it doesn't look reasonable, skip it.
1287 if (sscanf(buffer, "%255s = %1023s", key, value) != 2) {
1292 * Skip non-protocol attributes.
1294 if (!strcasecmp(key, "Request-Authenticator")) continue;
1297 * Set the original client IP address, based on
1298 * what's in the detail file.
1300 * Hmm... we don't set the server IP address.
1303 if (!strcasecmp(key, "Client-IP-Address")) {
1304 data->client_ip.af = AF_INET;
1305 ip_hton(value, AF_INET, &data->client_ip);
1310 * The original time at which we received the
1311 * packet. We need this to properly calculate
1314 if (!strcasecmp(key, "Timestamp")) {
1315 data->timestamp = atoi(value);
1322 * FIXME: do we want to check for non-protocol
1323 * attributes like radsqlrelay does?
1326 if ((userparse(buffer, &vp) > 0) &&
1334 * We got to EOF, If we're in STATE_HEADER, it's OK.
1335 * Otherwise it's a problem. In any case, nuke the file
1336 * and start over from scratch,
1338 if (feof(data->fp)) {
1343 * FIXME: Do load management.
1347 * If we're not done, then there's a problem. The checks
1350 rad_assert(data->state == STATE_DONE);
1353 * The packet we read was empty, re-set the state to look
1354 * for a header, and don't return anything.
1357 data->state = STATE_HEADER;
1362 * Allocate the packet. If we fail, it's a serious
1366 packet = rad_alloc(1);
1368 return 0; /* maybe memory will magically free up... */
1371 memset(packet, 0, sizeof(*packet));
1372 packet->sockfd = -1;
1373 packet->src_ipaddr.af = AF_INET;
1374 packet->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1375 packet->code = PW_ACCOUNTING_REQUEST;
1376 packet->timestamp = time(NULL);
1379 * Look for Acct-Delay-Time, and update
1380 * based on Acct-Delay-Time += (time(NULL) - timestamp)
1382 vp = pairfind(packet->vps, PW_ACCT_DELAY_TIME);
1384 vp = paircreate(PW_ACCT_DELAY_TIME, PW_TYPE_INTEGER);
1385 rad_assert(vp != NULL);
1387 if (data->timestamp != 0) {
1388 vp->lvalue += time(NULL) - data->timestamp;
1392 * Remember where it came from, so that we don't
1393 * proxy it to the place it came from...
1395 if (data->client_ip.af != AF_UNSPEC) {
1396 packet->src_ipaddr = data->client_ip;
1399 vp = pairfind(packet->vps, PW_PACKET_SRC_IP_ADDRESS);
1401 packet->src_ipaddr.af = AF_INET;
1402 packet->src_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1404 vp = pairfind(packet->vps, PW_PACKET_SRC_IPV6_ADDRESS);
1406 packet->src_ipaddr.af = AF_INET6;
1407 memcpy(&packet->src_ipaddr.ipaddr.ip6addr,
1408 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1412 vp = pairfind(packet->vps, PW_PACKET_DST_IP_ADDRESS);
1414 packet->dst_ipaddr.af = AF_INET;
1415 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->lvalue;
1417 vp = pairfind(packet->vps, PW_PACKET_DST_IPV6_ADDRESS);
1419 packet->dst_ipaddr.af = AF_INET6;
1420 memcpy(&packet->dst_ipaddr.ipaddr.ip6addr,
1421 &vp->vp_ipv6addr, sizeof(vp->vp_ipv6addr));
1426 * We've got to give SOME value for Id & ports, so that
1427 * the packets can be added to the request queue.
1428 * However, we don't want to keep track of used/unused
1429 * id's and ports, as that's a lot of work. This hack
1430 * ensures that (if we have real random numbers), that
1431 * there will be a collision on every (2^(16+16+2+24))/2
1432 * packets, on average. That means we can read 2^32 (4G)
1433 * packets before having a collision, which means it's
1434 * effectively impossible. Having 4G packets currently
1435 * being process is ridiculous.
1437 packet->id = lrad_rand() & 0xff;
1438 packet->src_port = lrad_rand() & 0xffff;
1439 packet->dst_port = lrad_rand() & 0xffff;
1441 packet->dst_ipaddr.af = AF_INET;
1442 packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl((INADDR_LOOPBACK & ~0xffffff) | (lrad_rand() & 0xffffff));
1444 packet->vps = data->vps;
1450 data->state = STATE_HEADER;
1453 * FIXME: many of these checks may not be necessary...
1455 if (!common_checks(listener, packet, prequest, &detail_client)) {
1461 * Keep track of free slots, as a hack, in an otherwise
1464 (*prequest)->simul_max = free_slot;
1465 if (free_slot) data->outstanding[free_slot] = 1;
1467 *pfun = rad_accounting;
1470 printf("detail_recv: Read packet from %s\n", data->detail);
1471 for (vp = packet->vps; vp; vp = vp->next) {
1473 vp_print(stdout, vp);
1483 * Free detail-specific stuff.
1485 static void detail_free(rad_listen_t *this)
1487 listen_detail_t *data = this->data;
1490 pairfree(&data->vps);
1491 free(data->outstanding);
1493 if (data->fp != NULL) fclose(data->fp);
1497 static int detail_print(rad_listen_t *this, char *buffer, size_t bufsize)
1499 return snprintf(buffer, bufsize, "%s",
1500 ((listen_detail_t *)(this->data))->detail);
1504 static const CONF_PARSER detail_config[] = {
1505 { "detail", PW_TYPE_STRING_PTR,
1506 offsetof(listen_detail_t, detail), NULL, NULL },
1507 { "max_outstanding", PW_TYPE_INTEGER,
1508 offsetof(listen_detail_t, max_outstanding), NULL, "100" },
1510 { NULL, -1, 0, NULL, NULL } /* end the list */
1515 * Parse a detail section.
1517 static int detail_parse(const char *filename, int lineno,
1518 const CONF_SECTION *cs, rad_listen_t *this)
1521 listen_detail_t *data;
1525 rcode = cf_section_parse(cs, data, detail_config);
1527 radlog(L_ERR, "%s[%d]: Failed parsing listen section",
1532 if (!data->detail) {
1533 radlog(L_ERR, "%s[%d]: No detail file specified in listen section",
1540 data->state = STATE_UNOPENED;
1542 if (data->max_outstanding > 32768) data->max_outstanding = 32768;
1544 if (data->max_outstanding > 0) {
1545 data->outstanding = rad_malloc(sizeof(int) * data->max_outstanding);
1555 * See radiusd.c & request_list.c
1557 #define SLEEP_FOREVER (65536)
1559 * A generic "update the request list once a second" function.
1561 static int generic_update(rad_listen_t *this, time_t now)
1563 if (!this->rl) return SLEEP_FOREVER;
1565 return rl_clean_list(this->rl, now);
1570 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1571 { NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1573 /* authentication */
1574 { common_socket_parse, NULL,
1575 auth_socket_recv, auth_socket_send,
1576 generic_update, socket_print },
1579 { common_socket_parse, NULL,
1580 acct_socket_recv, acct_socket_send,
1581 generic_update, socket_print},
1585 proxy_socket_recv, proxy_socket_send,
1586 generic_update, socket_print }, /* FIXME: update func is wrong! */
1589 { detail_parse, detail_free,
1590 detail_recv, detail_send,
1591 generic_update, detail_print }
1596 * Binds a listener to a socket.
1598 static int listen_bind(rad_listen_t *this)
1600 rad_listen_t **last;
1601 listen_socket_t *sock = this->data;
1604 * If the port is zero, then it means the appropriate
1605 * thing from /etc/services.
1607 if (sock->port == 0) {
1608 struct servent *svp;
1610 switch (this->type) {
1611 case RAD_LISTEN_AUTH:
1612 svp = getservbyname ("radius", "udp");
1614 sock->port = ntohs(svp->s_port);
1616 sock->port = PW_AUTH_UDP_PORT;
1620 case RAD_LISTEN_ACCT:
1621 svp = getservbyname ("radacct", "udp");
1623 sock->port = ntohs(svp->s_port);
1625 sock->port = PW_ACCT_UDP_PORT;
1630 radlog(L_ERR|L_CONS, "ERROR: Non-fatal internal sanity check failed in bind.");
1636 * Find it in the old list, AFTER updating the port. If
1637 * it's there, use that, rather than creating a new
1638 * socket. This allows HUP's to re-use the old sockets,
1639 * which means that packets waiting in the socket queue
1642 for (last = &mainconfig.listen;
1644 last = &((*last)->next)) {
1645 if ((this->type == (*last)->type) &&
1646 (sock->port == ((listen_socket_t *)((*last)->data))->port) &&
1647 (sock->ipaddr.af == ((listen_socket_t *)((*last)->data))->ipaddr.af)) {
1650 if (sock->ipaddr.af == AF_INET) {
1651 equal = (sock->ipaddr.ipaddr.ip4addr.s_addr == ((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip4addr.s_addr);
1652 } else if (sock->ipaddr.af == AF_INET6) {
1653 equal = IN6_ARE_ADDR_EQUAL(&(sock->ipaddr.ipaddr.ip6addr), &(((listen_socket_t *)((*last)->data))->ipaddr.ipaddr.ip6addr));
1659 this->rl = (*last)->rl;
1660 this->fd = (*last)->fd;
1668 this->fd = lrad_socket(&sock->ipaddr, sock->port);
1670 radlog(L_ERR|L_CONS, "ERROR: Failed to open socket: %s",
1680 * Allocate & initialize a new listener.
1682 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1686 this = rad_malloc(sizeof(*this));
1687 memset(this, 0, sizeof(*this));
1690 this->recv = master_listen[this->type].recv;
1691 this->send = master_listen[this->type].send;
1692 this->update = master_listen[this->type].update;
1693 this->print = master_listen[this->type].print;
1696 case RAD_LISTEN_AUTH:
1697 case RAD_LISTEN_ACCT:
1698 case RAD_LISTEN_PROXY:
1699 this->data = rad_malloc(sizeof(listen_socket_t));
1700 memset(this->data, 0, sizeof(listen_socket_t));
1703 case RAD_LISTEN_DETAIL:
1704 this->data = rad_malloc(sizeof(listen_detail_t));
1705 memset(this->data, 0, sizeof(listen_detail_t));
1716 * Externally visible function for creating a new proxy LISTENER.
1718 * For now, don't take ipaddr or port.
1720 * Not thread-safe, but all calls to it are protected by the
1721 * proxy mutex in request_list.c
1723 rad_listen_t *proxy_new_listener()
1725 int last_proxy_port, port;
1726 rad_listen_t *this, *tmp, **last;
1727 listen_socket_t *sock, *old;
1729 this = listen_alloc(RAD_LISTEN_PROXY);
1732 * Find an existing proxy socket to copy.
1734 * FIXME: Make it per-realm, or per-home server!
1736 last_proxy_port = 0;
1738 last = &mainconfig.listen;
1739 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1740 if (tmp->type == RAD_LISTEN_PROXY) {
1742 if (sock->port > last_proxy_port) {
1743 last_proxy_port = sock->port + 1;
1745 if (!old) old = sock;
1748 last = &(tmp->next);
1751 if (!old) return NULL; /* This is a serious error. */
1754 * FIXME: find a new IP address to listen on?
1757 memcpy(&sock->ipaddr, &old->ipaddr, sizeof(sock->ipaddr));
1760 * Keep going until we find an unused port.
1762 for (port = last_proxy_port; port < 64000; port++) {
1764 if (listen_bind(this) == 0) {
1766 * Add the new listener to the list of
1778 static const LRAD_NAME_NUMBER listen_compare[] = {
1779 { "auth", RAD_LISTEN_AUTH },
1780 { "acct", RAD_LISTEN_ACCT },
1781 { "detail", RAD_LISTEN_DETAIL },
1787 * Generate a list of listeners. Takes an input list of
1788 * listeners, too, so we don't close sockets with waiting packets.
1790 int listen_init(const char *filename, rad_listen_t **head)
1794 rad_listen_t **last;
1796 lrad_ipaddr_t server_ipaddr;
1800 * We shouldn't be called with a pre-existing list.
1802 rad_assert(head && (*head == NULL));
1804 if (start_time != 0) start_time = time(NULL);
1807 server_ipaddr.af = AF_UNSPEC;
1810 * If the port is specified on the command-line,
1811 * it over-rides the configuration file.
1813 if (mainconfig.port >= 0) {
1814 auth_port = mainconfig.port;
1816 rcode = cf_item_parse(mainconfig.config, "port",
1817 PW_TYPE_INTEGER, &auth_port,
1818 Stringify(PW_AUTH_UDP_PORT));
1819 if (rcode < 0) return -1; /* error parsing it */
1822 radlog(L_INFO, "WARNING: The directive 'port' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1826 * If the IP address was configured on the command-line,
1827 * use that as the "bind_address"
1829 if (mainconfig.myip.af != AF_UNSPEC) {
1830 memcpy(&server_ipaddr, &mainconfig.myip,
1831 sizeof(server_ipaddr));
1836 * Else look for bind_address and/or listen sections.
1838 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1839 rcode = cf_item_parse(mainconfig.config, "bind_address",
1841 &server_ipaddr.ipaddr.ip4addr, NULL);
1842 if (rcode < 0) return -1; /* error parsing it */
1844 if (rcode == 0) { /* successfully parsed IPv4 */
1845 listen_socket_t *sock;
1846 server_ipaddr.af = AF_INET;
1848 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1851 this = listen_alloc(RAD_LISTEN_AUTH);
1854 sock->ipaddr = server_ipaddr;
1855 sock->port = auth_port;
1857 if (listen_bind(this) < 0) {
1860 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1863 auth_port = sock->port; /* may have been updated in listen_bind */
1865 last = &(this->next);
1868 * Open Accounting Socket.
1870 * If we haven't already gotten acct_port from
1871 * /etc/services, then make it auth_port + 1.
1873 this = listen_alloc(RAD_LISTEN_ACCT);
1877 * Create the accounting socket.
1879 * The accounting port is always the
1880 * authentication port + 1
1882 sock->ipaddr = server_ipaddr;
1883 sock->port = auth_port + 1;
1885 if (listen_bind(this) < 0) {
1888 radlog(L_CONS|L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1893 last = &(this->next);
1895 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1896 radlog(L_CONS|L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1902 * They specified an IP on the command-line, ignore
1903 * all listen sections.
1905 if (mainconfig.myip.af != AF_UNSPEC) goto do_proxy;
1908 * Walk through the "listen" sections, if they exist.
1910 for (cs = cf_subsection_find_next(mainconfig.config, NULL, "listen");
1912 cs = cf_subsection_find_next(mainconfig.config, cs, "listen")) {
1914 char *listen_type, *identity;
1915 int lineno = cf_section_lineno(cs);
1917 listen_type = identity = NULL;
1919 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1921 if (rcode < 0) return -1;
1925 radlog(L_ERR, "%s[%d]: No type specified in listen section",
1931 * See if there's an identity.
1933 rcode = cf_item_parse(cs, "identity", PW_TYPE_STRING_PTR,
1941 type = lrad_str2int(listen_compare, listen_type,
1944 if (type == RAD_LISTEN_NONE) {
1946 radlog(L_CONS|L_ERR, "%s[%d]: Invalid type in listen section.",
1952 * Set up cross-type data.
1954 this = listen_alloc(type);
1955 this->identity = identity;
1959 * Call per-type parser.
1961 if (master_listen[type].parse(filename, lineno,
1969 last = &(this->next);
1973 * If we're proxying requests, open the proxy FD.
1974 * Otherwise, don't do anything.
1977 if (mainconfig.proxy_requests == TRUE) {
1979 listen_socket_t *sock = NULL;
1982 * No sockets to receive packets, therefore
1983 * proxying is pointless.
1985 if (!*head) return -1;
1988 * If we previously had proxy sockets, copy them
1989 * to the new config.
1991 if (mainconfig.listen != NULL) {
1992 rad_listen_t *old, *next, **tail;
1994 tail = &mainconfig.listen;
1995 for (old = mainconfig.listen;
2000 if (old->type != RAD_LISTEN_PROXY) {
2001 tail = &((*tail)->next);
2008 last = &(old->next);
2015 * Find the first authentication port,
2018 for (this = *head; this != NULL; this = this->next) {
2019 if (this->type == RAD_LISTEN_AUTH) {
2021 if (server_ipaddr.af == AF_UNSPEC) {
2022 server_ipaddr = sock->ipaddr;
2024 port = sock->port + 2; /* skip acct port */
2029 if (port < 0) port = 1024 + (lrad_rand() & 0x1ff);
2032 * Address is still unspecified, use IPv4.
2034 if (server_ipaddr.af == AF_UNSPEC) {
2035 server_ipaddr.af = AF_INET;
2036 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
2039 this = listen_alloc(RAD_LISTEN_PROXY);
2043 * Create the first proxy socket.
2045 sock->ipaddr = server_ipaddr;
2048 * Try to find a proxy port (value doesn't matter)
2050 for (sock->port = port;
2053 if (listen_bind(this) == 0) {
2055 last = &(this->next); /* just in case */
2060 if (sock->port >= 64000) {
2063 radlog(L_ERR|L_CONS, "Failed to open socket for proxying");
2069 * Sanity check the configuration.
2072 for (this = *head; this != NULL; this = this->next) {
2073 if ((this->type != RAD_LISTEN_PROXY) &&
2076 * FIXME: Pass type to rl_init, so that
2077 * it knows how to deal with accounting
2078 * packets. i.e. it caches them, but
2079 * doesn't bother trying to re-transmit.
2081 this->rl = rl_init();
2083 rad_assert(0 == 1); /* FIXME: */
2087 if (((this->type == RAD_LISTEN_ACCT) &&
2088 (rcode == RAD_LISTEN_DETAIL)) ||
2089 ((this->type == RAD_LISTEN_DETAIL) &&
2090 (rcode == RAD_LISTEN_ACCT))) {
2091 rad_assert(0 == 1); /* FIXME: configuration error */
2094 if (rcode != 0) continue;
2096 if ((this->type == RAD_LISTEN_ACCT) ||
2097 (this->type == RAD_LISTEN_DETAIL)) {
2107 * Free a linked list of listeners;
2109 void listen_free(rad_listen_t **head)
2113 if (!head || !*head) return;
2117 rad_listen_t *next = this->next;
2119 free(this->identity);
2121 rl_deinit(this->rl);
2124 * Other code may have eaten the FD.
2126 if (this->fd >= 0) close(this->fd);
2128 if (master_listen[this->type].free) {
2129 master_listen[this->type].free(this);