2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
21 * @brief Defines the state machines that control how requests are processed.
23 * @copyright 2012 The FreeRADIUS server project
24 * @copyright 2012 Alan DeKok <aland@deployingradius.com>
29 #include <freeradius-devel/radiusd.h>
30 #include <freeradius-devel/process.h>
31 #include <freeradius-devel/modules.h>
33 #include <freeradius-devel/rad_assert.h>
36 #include <freeradius-devel/detail.h>
42 #ifdef HAVE_SYS_WAIT_H
43 # include <sys/wait.h>
46 extern pid_t radius_pid;
47 extern bool check_config;
48 extern fr_cond_t *debug_condition;
50 static bool spawn_flag = false;
51 static bool just_started = true;
52 time_t fr_start_time = (time_t)-1;
53 static fr_packet_list_t *pl = NULL;
54 static fr_event_list_t *el = NULL;
56 fr_event_list_t *radius_event_list_corral(UNUSED event_corral_t hint) {
57 /* Currently we do not run a second event loop for modules. */
61 static char const *action_codes[] = {
73 #ifdef DEBUG_STATE_MACHINE
74 #define TRACE_STATE_MACHINE if (debug_flag) do { struct timeval debug_tv; \
75 gettimeofday(&debug_tv, NULL);\
76 debug_tv.tv_sec -= fr_start_time;\
77 printf("(%u) %d.%06d ********\tSTATE %s action %s live M-%s C-%s\t********\n",\
78 request->number, (int) debug_tv.tv_sec, (int) debug_tv.tv_usec, __FUNCTION__, action_codes[action], master_state_names[request->master_state], child_state_names[request->child_state]); } while (0)
80 static char const *master_state_names[REQUEST_MASTER_NUM_STATES] = {
87 static char const *child_state_names[REQUEST_CHILD_NUM_STATES] = {
98 #define TRACE_STATE_MACHINE {}
102 * Declare a state in the state machine.
105 #define STATE_MACHINE_DECL(_x) static void CC_HINT(nonnull) _x(REQUEST *request, int action)
107 #define STATE_MACHINE_TIMER(_x) request->timer_action = _x; \
108 fr_event_insert(el, request_timer, request, \
109 &when, &request->ev);
114 * @section request_timeline
116 * Time sequence of a request
119 * RQ-----------------P=============================Y-J-C
120 * ::::::::::::::::::::::::::::::::::::::::::::::::::::::::M
123 * - R: received. Duplicate detection is done, and request is
126 * - Q: Request is placed onto a queue for child threads to pick up.
127 * If there are no child threads, the request goes immediately
130 * - P: Processing the request through the modules.
132 * - Y: Reply is ready. Rejects MAY be delayed here. All other
133 * replies are sent immediately.
135 * - J: Reject is sent "response_delay" after the reply is ready.
137 * - C: For Access-Requests, After "cleanup_delay", the request is
138 * deleted. Accounting-Request packets go directly from Y to C.
140 * - M: Max request time. If the request hits this timer, it is
143 * Other considerations include duplicate and conflicting
144 * packets. When a dupicate packet is received, it is ignored
145 * until we've reached Y, as no response is ready. If the reply
146 * is a reject, duplicates are ignored until J, when we're ready
147 * to send the reply. In between the reply being sent (Y or J),
148 * and C, the server responds to duplicates by sending the cached
151 * Conflicting packets are sent in 2 situations.
153 * The first is in between R and Y. In that case, we consider
154 * it as a hint that we're taking too long, and the NAS has given
155 * up on the request. We then behave just as if the M timer was
156 * reached, and we discard the current request. This allows us
157 * to process the new one.
159 * The second case is when we're at Y, but we haven't yet
160 * finished processing the request. This is a race condition in
161 * the threading code (avoiding locks is faster). It means that
162 * a thread has actually encoded and sent the reply, and that the
163 * NAS has responded with a new packet. The server can then
164 * safely mark the current request as "OK to delete", and behaves
165 * just as if the M timer was reached. This usually happens only
166 * in high-load situations.
168 * Duplicate packets are sent when the NAS thinks we're taking
169 * too long, and wants a reply. From R-Y, duplicates are
170 * ignored. From Y-J (for Access-Rejects), duplicates are also
171 * ignored. From Y-C, duplicates get a duplicate reply. *And*,
172 * they cause the "cleanup_delay" time to be extended. This
173 * extension means that we're more likely to send a duplicate
174 * reply (if we have one), or to suppress processing the packet
175 * twice if we didn't reply to it.
177 * All functions in this file should be thread-safe, and should
178 * assume thet the REQUEST structure is being accessed
179 * simultaneously by the main thread, and by the child worker
180 * threads. This means that timers, etc. cannot be updated in
183 * Instead, the master thread periodically calls request->process
184 * with action TIMER. It's up to the individual functions to
185 * determine how to handle that. They need to check if they're
186 * being called from a child thread or the master, and then do
187 * different things based on that.
192 static fr_packet_list_t *proxy_list = NULL;
195 #ifdef HAVE_PTHREAD_H
197 static pthread_mutex_t proxy_mutex;
198 static bool proxy_no_new_sockets = false;
201 #define PTHREAD_MUTEX_LOCK if (spawn_flag) pthread_mutex_lock
202 #define PTHREAD_MUTEX_UNLOCK if (spawn_flag) pthread_mutex_unlock
204 static pthread_t NO_SUCH_CHILD_PID;
205 #define NO_CHILD_THREAD request->child_pid = NO_SUCH_CHILD_PID
209 * This is easier than ifdef's throughout the code.
211 #define PTHREAD_MUTEX_LOCK(_x)
212 #define PTHREAD_MUTEX_UNLOCK(_x)
213 #define NO_CHILD_THREAD
216 #if defined(HAVE_PTHREAD_H) && !defined (NDEBUG)
217 static bool we_are_master(void)
220 (pthread_equal(pthread_self(), NO_SUCH_CHILD_PID) == 0)) {
226 #define ASSERT_MASTER if (!we_are_master()) rad_panic("We are not master")
229 #define we_are_master(_x) (1)
230 #define ASSERT_MASTER
233 static int event_new_fd(rad_listen_t *this);
236 * We need mutexes around the event FD list *only* in certain
239 #if defined (HAVE_PTHREAD_H) && (defined(WITH_PROXY) || defined(WITH_TCP))
240 static rad_listen_t *new_listeners = NULL;
242 static pthread_mutex_t fd_mutex;
243 #define FD_MUTEX_LOCK if (spawn_flag) pthread_mutex_lock
244 #define FD_MUTEX_UNLOCK if (spawn_flag) pthread_mutex_unlock
246 void radius_update_listener(rad_listen_t *this)
249 * Just do it ourselves.
251 if (we_are_master()) {
256 FD_MUTEX_LOCK(&fd_mutex);
259 * If it's already in the list, don't add it again.
262 FD_MUTEX_UNLOCK(&fd_mutex);
267 * Otherwise, add it to the list
269 this->next = new_listeners;
270 new_listeners = this;
271 FD_MUTEX_UNLOCK(&fd_mutex);
272 radius_signal_self(RADIUS_SIGNAL_SELF_NEW_FD);
275 void radius_update_listener(rad_listen_t *this)
278 * No threads. Just insert it.
283 * This is easier than ifdef's throughout the code.
285 #define FD_MUTEX_LOCK(_x)
286 #define FD_MUTEX_UNLOCK(_x)
289 static int request_num_counter = 1;
291 static int request_will_proxy(REQUEST *request);
292 static int request_proxy(REQUEST *request, int retransmit);
293 STATE_MACHINE_DECL(proxy_wait_for_reply);
294 STATE_MACHINE_DECL(proxy_no_reply);
295 STATE_MACHINE_DECL(proxy_running);
296 static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply);
297 static void remove_from_proxy_hash(REQUEST *request);
298 static void remove_from_proxy_hash_nl(REQUEST *request, bool yank);
299 static int insert_into_proxy_hash(REQUEST *request);
302 static REQUEST *request_setup(rad_listen_t *listener, RADIUS_PACKET *packet,
303 RADCLIENT *client, RAD_REQUEST_FUNP fun);
305 STATE_MACHINE_DECL(request_common);
306 STATE_MACHINE_DECL(request_response_delay);
307 STATE_MACHINE_DECL(request_cleanup_delay);
308 STATE_MACHINE_DECL(request_running);
310 static void request_coa_originate(REQUEST *request);
311 STATE_MACHINE_DECL(coa_running);
312 STATE_MACHINE_DECL(coa_wait_for_reply);
313 STATE_MACHINE_DECL(coa_no_reply);
314 static void request_coa_separate(REQUEST *coa);
318 #define USEC (1000000)
320 #define INSERT_EVENT(_function, _ctx) if (!fr_event_insert(el, _function, _ctx, &((_ctx)->when), &((_ctx)->ev))) { _rad_panic(__FILE__, __LINE__, "Failed to insert event"); }
322 static void _rad_panic(char const *file, unsigned int line, char const *msg)
324 ERROR("[%s:%d] %s", file, line, msg);
331 #define rad_panic(x) _rad_panic(__FILE__, __LINE__, x)
333 static void tv_add(struct timeval *tv, int usec_delay)
335 if (usec_delay >= USEC) {
336 tv->tv_sec += usec_delay / USEC;
339 tv->tv_usec += usec_delay;
341 if (tv->tv_usec >= USEC) {
342 tv->tv_sec += tv->tv_usec / USEC;
348 * In daemon mode, AND this request has debug flags set.
350 #define DEBUG_PACKET if (!debug_flag && request->log.lvl && request->log.func) debug_packet
352 static void debug_packet(REQUEST *request, RADIUS_PACKET *packet, int direction)
357 char const *received, *from;
358 fr_ipaddr_t const *ip;
363 rad_assert(request->log.func != NULL);
365 if (direction == 0) {
366 received = "Received";
367 from = "from"; /* what else? */
368 ip = &packet->src_ipaddr;
369 port = packet->src_port;
372 received = "Sending";
373 from = "to"; /* hah! */
374 ip = &packet->dst_ipaddr;
375 port = packet->dst_port;
379 * Client-specific debugging re-prints the input
380 * packet into the client log.
382 * This really belongs in a utility library
384 if (is_radius_code(packet->code)) {
385 RDEBUG("%s %s packet %s host %s port %i, id=%i, length=%zu",
386 received, fr_packet_codes[packet->code], from,
387 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
388 port, packet->id, packet->data_len);
390 RDEBUG("%s packet %s host %s port %d code=%d, id=%d, length=%zu",
392 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
394 packet->code, packet->id, packet->data_len);
397 for (vp = fr_cursor_init(&cursor, &packet->vps);
399 vp = fr_cursor_next(&cursor)) {
400 vp_prints(buffer, sizeof(buffer), vp);
401 RDEBUG("\t%s", buffer);
406 /***********************************************************************
408 * Start of RADIUS server state machine.
410 ***********************************************************************/
412 static struct timeval *request_response_window(REQUEST *request)
415 * The client hasn't set the response window. Return
416 * either the home server one, if set, or the global one.
418 if (!timerisset(&request->client->response_window)) {
419 return &request->home_server->response_window;
422 if (timercmp(&request->client->response_window,
423 &request->home_server->response_window, <)) {
424 return &request->client->response_window;
427 return &request->home_server->response_window;
431 * Callback for ALL timer events related to the request.
433 static void request_timer(void *ctx)
435 REQUEST *request = ctx;
436 int action = request->timer_action;
440 request->process(request, action);
444 * Only ever called from the master thread.
446 STATE_MACHINE_DECL(request_done)
448 struct timeval now, when;
457 * CoA requests can be cleaned up in the child thread,
458 * but ONLY if they aren't tied into anything.
460 if (request->parent && (request->parent->coa == request)) {
461 rad_assert(!request->in_request_hash);
462 rad_assert(!request->in_proxy_hash);
463 rad_assert(action == FR_ACTION_DONE);
464 rad_assert(request->ev == NULL);
468 #ifdef HAVE_PTHREAD_H
470 * If called from a child thread, mark ourselves as done,
471 * and wait for the master thread timer to clean us up.
473 if (!we_are_master()) {
474 request->child_state = REQUEST_DONE;
482 * Move the CoA request to its own handler.
485 request_coa_separate(request->coa);
486 } else if (request->parent && (request->parent->coa == request)) {
487 request_coa_separate(request);
493 * It doesn't hurt to send duplicate replies. All other
494 * signals are ignored, as the request will be cleaned up
499 if (request->reply->code != 0) {
500 request->listener->send(request->listener, request);
503 RDEBUG("No reply. Ignoring retransmit");
508 * This is only called from the master thread
509 * when there is a child thread processing the
512 case FR_ACTION_CONFLICTING:
513 if (request->child_state == REQUEST_DONE) break;
516 * If there's a reply packet, then we presume
517 * that the child has sent the reply, and we get
518 * pinged here before the child has a chance to
521 if (request->reply->data) break;
523 RERROR("Received conflicting packet from "
524 "client %s port %d - ID: %u due to "
525 "unfinished request. Giving up on old request.",
526 request->client->shortname,
527 request->packet->src_port, request->packet->id);
531 * Called only when there's an error remembering
532 * the packet, or when the socket gets closed from
536 #ifdef HAVE_PTHREAD_H
538 * Do NOT set child_state to DONE if it's still in the queue.
540 if (we_are_master() && (request->child_state == REQUEST_QUEUED)) {
545 * If we have child threads and we're NOT the
546 * thread handling the request, don't do anything.
549 !pthread_equal(pthread_self(), request->child_pid)) {
553 #ifdef DEBUG_STATE_MACHINE
554 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n",
555 request->number, __FUNCTION__,
556 child_state_names[request->child_state],
557 child_state_names[REQUEST_DONE]);
559 request->child_state = REQUEST_DONE;
563 * Called when the child is taking too long to
564 * finish. We've already marked it "please
565 * stop", so we don't complain any more.
567 case FR_ACTION_TIMER:
572 * Child is still alive, and we're receiving more
573 * packets from the home server.
575 case FR_ACTION_PROXY_REPLY:
576 RDEBUG2("Reply from home server %s port %d - ID: %d arrived too late. Try increasing 'retry_delay' or 'max_request_time'",
577 inet_ntop(request->proxy->src_ipaddr.af,
578 &request->proxy->src_ipaddr.ipaddr,
579 buffer, sizeof(buffer)),
580 request->proxy->dst_port, request->proxy->id);
585 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
590 * Remove it from the request hash.
592 if (request->in_request_hash) {
594 if (!fr_packet_list_yank(pl, request->packet)) {
597 request->in_request_hash = false;
602 * Wait for the proxy ID to expire. This allows us to
603 * avoid re-use of proxy IDs for a while.
605 if (request->in_proxy_hash) {
606 rad_assert(request->proxy != NULL);
608 fr_event_now(el, &now);
609 when = request->proxy->timestamp;
612 if (((request->proxy->code == PW_CODE_COA_REQUEST) ||
613 (request->proxy->code == PW_CODE_DISCONNECT_REQUEST)) &&
614 (request->packet->code != request->proxy->code)) {
615 when.tv_sec += request->home_server->coa_mrd;
618 timeradd(&when, request_response_window(request), &when);
621 * We haven't received all responses, AND there's still
622 * time to wait. Do so.
624 if ((request->num_proxied_requests > request->num_proxied_responses) &&
626 (request->home_server->proto != IPPROTO_TCP) &&
628 timercmp(&now, &when, <)) {
629 RDEBUG("Waiting for more responses from the home server");
636 remove_from_proxy_hash(request);
640 #ifdef HAVE_PTHREAD_H
642 * If there's no children, we can mark the request as done.
645 request->child_state = REQUEST_DONE;
649 if (request->child_state != REQUEST_DONE) {
650 gettimeofday(&now, NULL);
655 #ifdef HAVE_PTHREAD_H
657 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0)) {
658 RDEBUG("Waiting for child thread to stop");
663 if (request->delay < (USEC / 3)) request->delay = USEC / 3;
664 tv_add(&when, request->delay);
665 request->delay += request->delay >> 1;
666 if (request->delay > (10 * USEC)) request->delay = 10 * USEC;
668 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
672 #ifdef HAVE_PTHREAD_H
673 rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
677 * @todo: do final states for TCP sockets, too?
679 request_stats_final(request);
681 if (request->listener) request->listener->count--;
684 if (request->packet) {
685 RDEBUG2("Cleaning up request packet ID %u with timestamp +%d",
687 (unsigned int) (request->timestamp - fr_start_time));
688 } /* else don't print anything */
690 if (request->ev) fr_event_delete(el, &request->ev);
692 talloc_free(request);
696 static void request_cleanup_delay_init(REQUEST *request, struct timeval const *pnow)
698 struct timeval now, when;
700 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) goto done;
702 if (!request->root->cleanup_delay) goto done;
707 gettimeofday(&now, NULL);
710 rad_assert(request->reply->timestamp.tv_sec != 0);
711 when = request->reply->timestamp;
713 request->delay = request->root->cleanup_delay;
714 when.tv_sec += request->delay;
717 * Set timer for when we need to clean it up.
719 if (timercmp(&when, &now, >)) {
720 #ifdef DEBUG_STATE_MACHINE
721 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_cleanup_delay");
723 request->process = request_cleanup_delay;
724 request->child_state = REQUEST_DONE;
725 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
730 * Otherwise just clean it up.
733 request_done(request, FR_ACTION_DONE);
738 * Function to do all time-related events.
740 static void request_process_timer(REQUEST *request)
742 struct timeval now, when;
743 rad_assert(request->magic == REQUEST_MAGIC);
744 #ifdef DEBUG_STATE_MACHINE
745 int action = FR_ACTION_TIMER;
753 * If we originated a CoA request, divorce it from the
754 * parent. Then, set up the timers so that we can clean
755 * it up as appropriate.
757 if (request->coa) request_coa_separate(request->coa);
760 * If we're the request, OR it isn't originating a CoA
761 * request, check more things.
763 if (!request->proxy || (request->packet->code == request->proxy->code))
766 rad_assert(request->listener != NULL);
769 * The socket was closed. Tell the request that
770 * there is no point in continuing.
772 if (request->listener->status != RAD_LISTEN_STATUS_KNOWN) {
773 if ((request->master_state == REQUEST_ACTIVE) &&
774 (request->child_state < REQUEST_RESPONSE_DELAY)) {
775 WARN("Socket was closed while processing request %u: Stopping it.", request->number);
776 request->master_state = REQUEST_STOP_PROCESSING;
781 gettimeofday(&now, NULL);
784 * The request was forcibly stopped.
786 if (request->master_state == REQUEST_STOP_PROCESSING) {
787 switch (request->child_state) {
789 case REQUEST_RUNNING:
790 #ifdef HAVE_PTHREAD_H
791 rad_assert(spawn_flag == true);
796 * Sleep for some more. We HOPE that the
797 * child will become responsive at some
798 * point in the future.
801 tv_add(&when, request->delay);
802 request->delay += request->delay >> 1;
803 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
807 * These should all be managed by the master thread
810 case REQUEST_PROXIED:
812 case REQUEST_RESPONSE_DELAY:
813 case REQUEST_CLEANUP_DELAY:
816 request_done(request, FR_ACTION_DONE);
821 rad_assert(request->master_state == REQUEST_ACTIVE);
824 * It's still supposed to be running.
826 switch (request->child_state) {
828 case REQUEST_RUNNING:
829 when = request->packet->timestamp;
830 when.tv_sec += request->root->max_request_time;
833 * Taking too long: tell it to die.
835 if (timercmp(&now, &when, >=)) {
836 #ifdef HAVE_PTHREAD_H
838 * If there's a child thread processing it,
842 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0)) {
843 ERROR("Unresponsive child for request %u, in component %s module %s",
845 request->component ? request->component : "<core>",
846 request->module ? request->module : "<core>");
847 exec_trigger(request, NULL, "server.thread.unresponsive", true);
850 request->master_state = REQUEST_STOP_PROCESSING;
852 goto delay; /* sleep some more */
855 case REQUEST_PROXIED:
856 when = request->packet->timestamp;
857 when.tv_sec += request->root->max_request_time;
859 if (timercmp(&now, &when, >=)) {
860 RWDEBUG("No response to proxied request in 'max_request_time'. Stopping it.");
861 request->master_state = REQUEST_STOP_PROCESSING;
862 request_done(request, FR_ACTION_DONE);
866 rad_assert(request->proxy != NULL);
871 if (request->packet->code != request->proxy->code) {
872 if (request->proxy_reply) {
873 request->process = coa_running;
875 request->process = coa_wait_for_reply;
880 if (request->proxy_reply) {
881 request->process = proxy_running;
883 request->process = proxy_wait_for_reply;
886 when = request->proxy->timestamp;
887 tv_add(&when, request->delay);
889 if (timercmp(&now, &when, >=)) {
890 request->process(request, FR_ACTION_TIMER);
895 * Leave the initial delay alone.
897 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
899 #endif /* WITH_PROXY */
901 case REQUEST_RESPONSE_DELAY:
902 rad_assert(request->response_delay > 0);
904 rad_assert(!request->proxy || (request->packet->code == request->proxy->code));
907 request->process = request_response_delay;
909 when = request->reply->timestamp;
911 tv_add(&when, request->response_delay * USEC);
913 if (timercmp(&when, &now, >)) {
914 #ifdef DEBUG_STATE_MACHINE
915 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_response_delay");
917 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
919 } /* else it's time to send the reject */
921 RDEBUG2("Sending delayed response");
922 DEBUG_PACKET(request, request->reply, 1);
923 request->listener->send(request->listener, request);
924 request->child_state = REQUEST_CLEANUP_DELAY;
927 case REQUEST_CLEANUP_DELAY:
928 rad_assert(request->root->cleanup_delay > 0);
931 rad_assert(!request->proxy || (request->packet->code == request->proxy->code));
934 request->process = request_cleanup_delay;
936 when = request->reply->timestamp;
937 when.tv_sec += request->root->cleanup_delay;
939 if (timercmp(&when, &now, >)) {
940 #ifdef DEBUG_STATE_MACHINE
941 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_cleanup_delay");
943 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
945 } /* else it's time to clean up */
954 static void request_queue_or_run(UNUSED REQUEST *request,
955 fr_request_process_t process)
957 #ifdef DEBUG_STATE_MACHINE
958 int action = FR_ACTION_TIMER;
964 * Do this here so that fewer other functions need to do
967 if (request->master_state == REQUEST_STOP_PROCESSING) {
968 #ifdef DEBUG_STATE_MACHINE
969 if (debug_flag) printf("(%u) ********\tSTATE %s M-%s causes C-%s-> C-%s\t********\n",
970 request->number, __FUNCTION__,
971 master_state_names[request->master_state],
972 child_state_names[request->child_state],
973 child_state_names[REQUEST_DONE]);
975 request_done(request, FR_ACTION_DONE);
979 request->process = process;
981 if (we_are_master()) {
985 * (re) set the initial delay.
987 request->delay = (main_config.init_delay.tv_sec * USEC) + main_config.init_delay.tv_usec;
988 if (request->delay > USEC) request->delay = USEC;
989 gettimeofday(&when, NULL);
990 tv_add(&when, request->delay);
991 request->delay += request->delay >> 1;
993 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
995 #ifdef HAVE_PTHREAD_H
998 * A child thread will eventually pick it up.
1000 if (request_enqueue(request)) return;
1003 * Otherwise we're not going to do anything with
1006 request_done(request, FR_ACTION_DONE);
1012 request->child_state = REQUEST_RUNNING;
1013 request->process(request, FR_ACTION_RUN);
1017 * Requests that care about child process exit
1018 * codes have already either called
1019 * rad_waitpid(), or they've given up.
1021 while (waitpid(-1, NULL, WNOHANG) > 0);
1025 STATE_MACHINE_DECL(request_common)
1031 TRACE_STATE_MACHINE;
1035 * Bail out as early as possible.
1037 if (request->master_state == REQUEST_STOP_PROCESSING) {
1038 request_done(request, FR_ACTION_DONE);
1046 * We're still waiting for a proxy reply.
1048 if (request->child_state == REQUEST_PROXIED) {
1049 request->process = proxy_wait_for_reply;
1050 proxy_wait_for_reply(request, action);
1055 ERROR("(%u) Ignoring duplicate packet from "
1056 "client %s port %d - ID: %u due to unfinished request "
1057 "in component %s module %s",
1058 request->number, request->client->shortname,
1059 request->packet->src_port,request->packet->id,
1060 request->component, request->module);
1063 case FR_ACTION_CONFLICTING:
1065 * We're in the master thread, ask the child to
1066 * stop processing the request.
1068 request_done(request, action);
1071 case FR_ACTION_TIMER:
1072 request_process_timer(request);
1076 case FR_ACTION_PROXY_REPLY:
1077 RDEBUG2("Reply from home server %s port %d - ID: %d arrived too late. Try increasing 'retry_delay' or 'max_request_time'",
1078 inet_ntop(request->proxy->dst_ipaddr.af,
1079 &request->proxy->dst_ipaddr.ipaddr,
1080 buffer, sizeof(buffer)),
1081 request->proxy->dst_port, request->proxy->id);
1086 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1091 STATE_MACHINE_DECL(request_cleanup_delay)
1093 struct timeval when;
1095 TRACE_STATE_MACHINE;
1100 if (request->reply->code != 0) {
1101 request->listener->send(request->listener, request);
1103 RDEBUG("No reply. Ignoring retransmit");
1107 * Double the cleanup_delay to catch retransmits.
1109 when = request->reply->timestamp;
1110 request->delay += request->delay ;
1111 when.tv_sec += request->delay;
1113 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
1116 case FR_ACTION_CONFLICTING:
1117 request_done(request, FR_ACTION_DONE);
1121 case FR_ACTION_PROXY_REPLY:
1123 case FR_ACTION_TIMER:
1124 request_common(request, action);
1128 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1133 STATE_MACHINE_DECL(request_response_delay)
1135 TRACE_STATE_MACHINE;
1140 ERROR("(%u) Discarding duplicate request from "
1141 "client %s port %d - ID: %u due to delayed response",
1142 request->number, request->client->shortname,
1143 request->packet->src_port,request->packet->id);
1147 case FR_ACTION_PROXY_REPLY:
1149 case FR_ACTION_CONFLICTING:
1150 case FR_ACTION_TIMER:
1151 request_common(request, action);
1155 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1161 static int CC_HINT(nonnull) request_pre_handler(REQUEST *request, UNUSED int action)
1163 TRACE_STATE_MACHINE;
1167 if (request->master_state == REQUEST_STOP_PROCESSING) return 0;
1170 * Don't decode the packet if it's an internal "fake"
1171 * request. Instead, just return so that the caller can
1174 if (request->packet->dst_port == 0) {
1175 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1176 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
1180 if (!request->packet->vps) { /* FIXME: check for correct state */
1181 rcode = request->listener->decode(request->listener, request);
1184 if (debug_condition) {
1186 * Ignore parse errors.
1188 if (radius_evaluate_cond(request, RLM_MODULE_OK, 0, debug_condition)) {
1189 request->log.lvl = L_DBG_LVL_2;
1190 request->log.func = vradlog_request;
1195 DEBUG_PACKET(request, request->packet, 0);
1201 RDEBUG("Dropping packet without response because of error: %s", fr_strerror());
1202 request->reply->offset = -2; /* bad authenticator */
1206 if (!request->username) {
1207 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1213 STATE_MACHINE_DECL(request_finish)
1217 TRACE_STATE_MACHINE;
1219 (void) action; /* -Wunused */
1221 if (request->master_state == REQUEST_STOP_PROCESSING) {
1227 * Don't send replies if there are none to send.
1229 if (!request->in_request_hash) {
1231 if ((request->listener->type == RAD_LISTEN_AUTH)
1232 #ifdef WITH_ACCOUNTING
1233 || (request->listener->type == RAD_LISTEN_ACCT)
1236 listen_socket_t *sock = request->listener->data;
1238 if (sock->proto == IPPROTO_UDP) return;
1241 * TCP packets aren't in the request
1252 * Override the response code if a control:Response-Packet-Type attribute is present.
1254 vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY);
1256 if (vp->vp_integer == 256) {
1257 RDEBUG2("Not responding to request");
1258 request->reply->code = 0;
1260 request->reply->code = vp->vp_integer;
1264 * Catch Auth-Type := Reject BEFORE proxying the packet.
1266 else if (request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
1267 if (request->reply->code == 0) {
1268 vp = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
1270 if (!vp || (vp->vp_integer != PW_CODE_AUTHENTICATION_REJECT)) {
1271 RDEBUG2("There was no response configured: "
1272 "rejecting request");
1275 request->reply->code = PW_CODE_AUTHENTICATION_REJECT;
1280 * Copy Proxy-State from the request to the reply.
1282 vp = paircopy2(request->reply, request->packet->vps,
1283 PW_PROXY_STATE, 0, TAG_ANY);
1284 if (vp) pairadd(&request->reply->vps, vp);
1286 switch (request->reply->code) {
1287 case PW_CODE_AUTHENTICATION_ACK:
1288 rad_postauth(request);
1290 case PW_CODE_ACCESS_CHALLENGE:
1291 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0,
1293 vp = pairmake_config("Post-Auth-Type", "Challenge", T_OP_SET);
1294 if (vp) rad_postauth(request);
1301 * Run rejected packets through
1303 * Post-Auth-Type = Reject
1305 * We do this separately so ACK and challenge can change the code
1306 * to reject if a module returns reject.
1308 if (request->reply->code == PW_CODE_AUTHENTICATION_REJECT) {
1309 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
1310 vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
1311 if (vp) rad_postauth(request);
1315 * Clean up. These are no longer needed.
1317 pairfree(&request->config_items);
1319 pairfree(&request->packet->vps);
1320 request->username = NULL;
1321 request->password = NULL;
1324 if (request->proxy) {
1325 pairfree(&request->proxy->vps);
1327 if (request->proxy_reply) {
1328 pairfree(&request->proxy_reply->vps);
1332 gettimeofday(&request->reply->timestamp, NULL);
1335 * Ignore all "do not respond" packets.
1337 if (!request->reply->code) {
1338 RDEBUG("Not sending reply");
1343 * See if we need to delay an Access-Reject packet.
1345 if ((request->reply->code == PW_CODE_AUTHENTICATION_REJECT) &&
1346 (request->root->reject_delay > 0)) {
1347 request->response_delay = request->root->reject_delay;
1351 * If we timed out a proxy packet, don't delay
1352 * the reject any more.
1354 if (request->proxy && !request->proxy_reply) {
1355 request->response_delay = 0;
1364 if (!request->response_delay) {
1365 DEBUG_PACKET(request, request->reply, 1);
1366 request->listener->send(request->listener,
1370 pairfree(&request->reply->vps);
1372 RDEBUG2("Finished request");
1373 #ifdef WITH_ACCOUNTING
1374 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
1376 request->child_state = REQUEST_DONE;
1380 if (request->root->cleanup_delay == 0) {
1382 request->child_state = REQUEST_DONE;
1385 request->child_state = REQUEST_CLEANUP_DELAY;
1388 RDEBUG2("Delaying response for %d seconds",
1389 request->response_delay);
1391 request->child_state = REQUEST_RESPONSE_DELAY;
1395 STATE_MACHINE_DECL(request_running)
1397 TRACE_STATE_MACHINE;
1400 case FR_ACTION_TIMER:
1401 request_process_timer(request);
1404 case FR_ACTION_CONFLICTING:
1406 request_common(request, action);
1411 * This can happen due to a race condition where
1412 * we send a proxied request, and immediately get
1413 * another reply, before the timer has a chance
1414 * to update the various states.
1416 case FR_ACTION_PROXY_REPLY:
1417 request->child_state = REQUEST_RUNNING;
1418 request->process = proxy_running;
1419 request->process(request, FR_ACTION_RUN);
1424 if (!request_pre_handler(request, action)) {
1425 #ifdef DEBUG_STATE_MACHINE
1426 if (debug_flag) printf("(%u) ********\tSTATE %s failed in pre-handler C-%s -> C-%s\t********\n",
1427 request->number, __FUNCTION__,
1428 child_state_names[request->child_state],
1429 child_state_names[REQUEST_DONE]);
1433 request->child_state = REQUEST_DONE;
1437 rad_assert(request->handle != NULL);
1438 request->handle(request);
1442 * We may need to send a proxied request.
1444 if ((action == FR_ACTION_RUN) &&
1445 request_will_proxy(request)) {
1446 #ifdef DEBUG_STATE_MACHINE
1447 if (debug_flag) printf("(%u) ********\tWill Proxy\t********\n", request->number);
1451 * takes care of setting
1452 * up the post proxy fail
1455 if (request_proxy(request, 0) < 0) goto finished;
1459 #ifdef DEBUG_STATE_MACHINE
1460 if (debug_flag) printf("(%u) ********\tFinished\t********\n", request->number);
1465 * Maybe originate a CoA request.
1467 if ((action == FR_ACTION_RUN) && request->coa) {
1468 request_coa_originate(request);
1475 request_finish(request, action);
1480 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1485 int request_receive(rad_listen_t *listener, RADIUS_PACKET *packet,
1486 RADCLIENT *client, RAD_REQUEST_FUNP fun)
1489 RADIUS_PACKET **packet_p;
1490 REQUEST *request = NULL;
1492 listen_socket_t *sock = NULL;
1495 * Set the last packet received.
1497 gettimeofday(&now, NULL);
1499 #ifdef WITH_ACCOUNTING
1500 if (listener->type != RAD_LISTEN_DETAIL)
1503 sock = listener->data;
1504 sock->last_packet = now.tv_sec;
1506 packet->timestamp = now;
1509 * Skip everything if required.
1511 if (listener->nodup) goto skip_dup;
1513 packet_p = fr_packet_list_find(pl, packet);
1515 request = fr_packet2myptr(REQUEST, packet, packet_p);
1516 rad_assert(request->in_request_hash);
1519 * Same src/dst ip/port, length, and
1520 * authentication vector: must be a duplicate.
1522 if ((request->packet->data_len == packet->data_len) &&
1523 (memcmp(request->packet->vector, packet->vector,
1524 sizeof(packet->vector)) == 0)) {
1527 * If the request is running, it'
1529 if (request->child_state != REQUEST_DONE) {
1530 request->process(request, FR_ACTION_DUP);
1533 switch (packet->code) {
1534 case PW_CODE_AUTHENTICATION_REQUEST:
1535 FR_STATS_INC(auth, total_dup_requests);
1538 #ifdef WITH_ACCOUNTING
1539 case PW_CODE_ACCOUNTING_REQUEST:
1540 FR_STATS_INC(acct, total_dup_requests);
1544 case PW_CODE_COA_REQUEST:
1545 FR_STATS_INC(coa, total_dup_requests);
1548 case PW_CODE_DISCONNECT_REQUEST:
1549 FR_STATS_INC(dsc, total_dup_requests);
1556 #endif /* WITH_STATS */
1557 return 0; /* duplicate of live request */
1559 #ifdef HAVE_PTHREAD_H
1561 * There should no longer be a child
1562 * thread associated with this request.
1564 rad_assert(pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) != 0);
1568 * Clean up the old request, and allow
1569 * the new one to continue.
1571 request_done(request, FR_ACTION_DONE);
1576 * Say we're ignoring the old one, and continue
1577 * to process the new one.
1579 request->process(request, FR_ACTION_CONFLICTING);
1585 * Quench maximum number of outstanding requests.
1587 if (main_config.max_requests &&
1588 ((count = fr_packet_list_num_elements(pl)) > main_config.max_requests)) {
1589 RATE_LIMIT(ERROR("Dropping request (%d is too many): from client %s port %d - ID: %d", count,
1591 packet->src_port, packet->id);
1592 WARN("Please check the configuration file.\n"
1593 "\tThe value for 'max_requests' is probably set too low.\n"));
1595 exec_trigger(NULL, NULL, "server.max_requests", true);
1601 * Rate-limit the incoming packets
1603 if (sock && sock->max_rate) {
1606 pps = rad_pps(&sock->rate_pps_old, &sock->rate_pps_now, &sock->rate_time, &now);
1607 if (pps > sock->max_rate) {
1608 DEBUG("Dropping request due to rate limiting");
1611 sock->rate_pps_now++;
1614 request = request_setup(listener, packet, client, fun);
1615 if (!request) return 1;
1618 * Remember the request in the list.
1620 if (!listener->nodup) {
1621 if (!fr_packet_list_insert(pl, &request->packet)) {
1622 RERROR("Failed to insert request in the list of live requests: discarding it");
1623 request_done(request, FR_ACTION_DONE);
1627 request->in_request_hash = true;
1631 * Process it. Send a response, and free it.
1633 if (listener->synchronous) {
1634 request->listener->decode(request->listener, request);
1635 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1636 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
1640 if (request->reply->code != 0) {
1641 request->listener->send(request->listener, request);
1643 RDEBUG("Not sending reply");
1645 talloc_free(request);
1650 * Otherwise, insert it into the state machine.
1651 * The child threads will take care of processing it.
1653 request_queue_or_run(request, request_running);
1659 static REQUEST *request_setup(rad_listen_t *listener, RADIUS_PACKET *packet,
1660 RADCLIENT *client, RAD_REQUEST_FUNP fun)
1665 * Create and initialize the new request.
1667 request = request_alloc(NULL);
1668 request->reply = rad_alloc(request, 0);
1669 if (!request->reply) {
1671 talloc_free(request);
1675 request->listener = listener;
1676 request->client = client;
1677 request->packet = talloc_steal(request, packet);
1678 request->number = request_num_counter++;
1679 request->priority = listener->type;
1680 request->master_state = REQUEST_ACTIVE;
1681 #ifdef DEBUG_STATE_MACHINE
1682 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n",
1683 request->number, __FUNCTION__,
1684 child_state_names[request->child_state],
1685 child_state_names[REQUEST_RUNNING]);
1687 request->child_state = REQUEST_RUNNING;
1688 request->handle = fun;
1692 request->listener->stats.last_packet = request->packet->timestamp.tv_sec;
1693 if (packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
1694 request->client->auth.last_packet = request->packet->timestamp.tv_sec;
1695 radius_auth_stats.last_packet = request->packet->timestamp.tv_sec;
1696 #ifdef WITH_ACCOUNTING
1697 } else if (packet->code == PW_CODE_ACCOUNTING_REQUEST) {
1698 request->client->acct.last_packet = request->packet->timestamp.tv_sec;
1699 radius_acct_stats.last_packet = request->packet->timestamp.tv_sec;
1702 #endif /* WITH_STATS */
1705 * Status-Server packets go to the head of the queue.
1707 if (request->packet->code == PW_CODE_STATUS_SERVER) request->priority = 0;
1710 * Set virtual server identity
1712 if (client->server) {
1713 request->server = client->server;
1714 } else if (listener->server) {
1715 request->server = listener->server;
1717 request->server = NULL;
1720 request->root = &main_config;
1722 request->listener->count++;
1726 * The request passes many of our sanity checks.
1727 * From here on in, if anything goes wrong, we
1728 * send a reject message, instead of dropping the
1733 * Build the reply template from the request.
1736 request->reply->sockfd = request->packet->sockfd;
1737 request->reply->dst_ipaddr = request->packet->src_ipaddr;
1738 request->reply->src_ipaddr = request->packet->dst_ipaddr;
1739 request->reply->dst_port = request->packet->src_port;
1740 request->reply->src_port = request->packet->dst_port;
1741 request->reply->id = request->packet->id;
1742 request->reply->code = 0; /* UNKNOWN code */
1743 memcpy(request->reply->vector, request->packet->vector,
1744 sizeof(request->reply->vector));
1745 request->reply->vps = NULL;
1746 request->reply->data = NULL;
1747 request->reply->data_len = 0;
1753 /***********************************************************************
1757 ***********************************************************************/
1760 * Timer function for all TCP sockets.
1762 static void tcp_socket_timer(void *ctx)
1764 rad_listen_t *listener = ctx;
1765 listen_socket_t *sock = listener->data;
1766 struct timeval end, now;
1768 fr_socket_limit_t *limit;
1772 fr_event_now(el, &now);
1774 if (listener->status != RAD_LISTEN_STATUS_KNOWN) return;
1776 switch (listener->type) {
1778 case RAD_LISTEN_PROXY:
1779 limit = &sock->home->limit;
1783 case RAD_LISTEN_AUTH:
1784 #ifdef WITH_ACCOUNTING
1785 case RAD_LISTEN_ACCT:
1787 limit = &sock->limit;
1795 * If we enforce a lifetime, do it now.
1797 if (limit->lifetime > 0) {
1798 end.tv_sec = sock->opened + limit->lifetime;
1801 if (timercmp(&end, &now, <=)) {
1802 listener->print(listener, buffer, sizeof(buffer));
1803 DEBUG("Reached maximum lifetime on socket %s", buffer);
1807 listener->status = RAD_LISTEN_STATUS_EOL;
1808 event_new_fd(listener);
1817 * Enforce an idle timeout.
1819 if (limit->idle_timeout > 0) {
1820 struct timeval idle;
1822 rad_assert(sock->last_packet != 0);
1823 idle.tv_sec = sock->last_packet + limit->idle_timeout;
1826 if (timercmp(&idle, &now, <=)) {
1827 listener->print(listener, buffer, sizeof(buffer));
1828 DEBUG("Reached idle timeout on socket %s", buffer);
1833 * Enforce the minimum of idle timeout or lifetime.
1835 if (timercmp(&idle, &end, <)) {
1841 * Wake up at t + 0.5s. The code above checks if the timers
1842 * are <= t. This addition gives us a bit of leeway.
1844 end.tv_usec = USEC / 2;
1846 if (!fr_event_insert(el, tcp_socket_timer, listener, &end, &sock->ev)) {
1847 rad_panic("Failed to insert event");
1854 * Add +/- 2s of jitter, as suggested in RFC 3539
1857 static void add_jitter(struct timeval *when)
1864 jitter ^= (jitter >> 10);
1865 jitter &= ((1 << 22) - 1); /* 22 bits of 1 */
1868 * Add in ~ (4 * USEC) of jitter.
1870 tv_add(when, jitter);
1874 * Called by socket_del to remove requests with this socket
1876 static int eol_proxy_listener(void *ctx, void *data)
1878 rad_listen_t *this = ctx;
1879 RADIUS_PACKET **proxy_p = data;
1882 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
1883 if (request->proxy_listener != this) return 0;
1886 * The normal "remove_from_proxy_hash" tries to grab the
1887 * proxy mutex. We already have it held, so grabbing it
1888 * again will cause a deadlock. Instead, call the "no
1889 * lock" version of the function.
1891 rad_assert(request->in_proxy_hash == true);
1892 remove_from_proxy_hash_nl(request, false);
1895 * Don't mark it as DONE. The client can retransmit, and
1896 * the packet SHOULD be re-proxied somewhere else.
1898 * Return "2" means that the rbtree code will remove it
1899 * from the tree, and we don't need to do it ourselves.
1903 #endif /* WITH_PROXY */
1905 static int eol_listener(void *ctx, void *data)
1907 rad_listen_t *this = ctx;
1908 RADIUS_PACKET **packet_p = data;
1911 request = fr_packet2myptr(REQUEST, packet, packet_p);
1912 if (request->listener != this) return 0;
1914 request->master_state = REQUEST_STOP_PROCESSING;
1918 #endif /* WITH_TCP */
1921 /***********************************************************************
1923 * Proxy handlers for the state machine.
1925 ***********************************************************************/
1928 * Called with the proxy mutex held
1930 static void remove_from_proxy_hash_nl(REQUEST *request, bool yank)
1932 if (!request->in_proxy_hash) return;
1934 fr_packet_list_id_free(proxy_list, request->proxy, yank);
1935 request->in_proxy_hash = false;
1938 * On the FIRST reply, decrement the count of outstanding
1939 * requests. Note that this is NOT the count of sent
1940 * packets, but whether or not the home server has
1943 if (request->home_server &&
1944 request->home_server->currently_outstanding) {
1945 request->home_server->currently_outstanding--;
1948 * If we're NOT sending it packets, then we don't know
1949 * if it's alive or dead.
1951 if ((request->home_server->currently_outstanding == 0) &&
1952 (request->home_server->state == HOME_STATE_ALIVE)) {
1953 request->home_server->state = HOME_STATE_UNKNOWN;
1954 request->home_server->last_packet_sent = 0;
1955 request->home_server->last_packet_recv = 0;
1960 rad_assert(request->proxy_listener != NULL);
1961 request->proxy_listener->count--;
1963 request->proxy_listener = NULL;
1966 * Got from YES in hash, to NO, not in hash while we hold
1967 * the mutex. This guarantees that when another thread
1968 * grabs the mutex, the "not in hash" flag is correct.
1970 RDEBUG3("proxy: request is no longer in proxy hash");
1973 static void remove_from_proxy_hash(REQUEST *request)
1976 * Check this without grabbing the mutex because it's a
1977 * lot faster that way.
1979 if (!request->in_proxy_hash) return;
1982 * The "not in hash" flag is definitive. However, if the
1983 * flag says that it IS in the hash, there might still be
1984 * a race condition where it isn't.
1986 PTHREAD_MUTEX_LOCK(&proxy_mutex);
1988 if (!request->in_proxy_hash) {
1989 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1993 remove_from_proxy_hash_nl(request, true);
1995 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1998 static int insert_into_proxy_hash(REQUEST *request)
2002 void *proxy_listener;
2004 rad_assert(request->proxy != NULL);
2005 rad_assert(request->home_server != NULL);
2006 rad_assert(proxy_list != NULL);
2009 PTHREAD_MUTEX_LOCK(&proxy_mutex);
2010 proxy_listener = NULL;
2011 request->num_proxied_requests = 1;
2012 request->num_proxied_responses = 0;
2014 for (tries = 0; tries < 2; tries++) {
2016 listen_socket_t *sock;
2018 RDEBUG3("proxy: Trying to allocate ID (%d/2)", tries);
2019 rcode = fr_packet_list_id_alloc(proxy_list,
2020 request->home_server->proto,
2021 &request->proxy, &proxy_listener);
2022 if ((debug_flag > 2) && (rcode == 0)) {
2023 RDEBUG("proxy: Failed allocating ID: %s", fr_strerror());
2025 if (rcode > 0) break;
2026 if (tries > 0) continue; /* try opening new socket only once */
2028 #ifdef HAVE_PTHREAD_H
2029 if (proxy_no_new_sockets) break;
2032 RDEBUG3("proxy: Trying to open a new listener to the home server");
2033 this = proxy_new_listener(request->home_server, 0);
2035 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2039 request->proxy->src_port = 0; /* Use any new socket */
2040 proxy_listener = this;
2043 if (!fr_packet_list_socket_add(proxy_list, this->fd,
2045 &sock->other_ipaddr, sock->other_port,
2048 #ifdef HAVE_PTHREAD_H
2049 proxy_no_new_sockets = true;
2051 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2054 * This is bad. However, the
2055 * packet list now supports 256
2056 * open sockets, which should
2057 * minimize this problem.
2059 ERROR("Failed adding proxy socket: %s",
2065 * Add it to the event loop. Ensure that we have
2066 * only one mutex locked at a time.
2068 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2069 radius_update_listener(this);
2070 PTHREAD_MUTEX_LOCK(&proxy_mutex);
2073 if (!proxy_listener || (rcode == 0)) {
2074 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2075 REDEBUG2("proxy: Failed allocating Id for proxied request");
2077 request->proxy_listener = NULL;
2078 request->in_proxy_hash = false;
2082 rad_assert(request->proxy->id >= 0);
2084 request->proxy_listener = proxy_listener;
2085 request->in_proxy_hash = true;
2086 RDEBUG3("proxy: request is now in proxy hash");
2089 * Keep track of maximum outstanding requests to a
2090 * particular home server. 'max_outstanding' is
2091 * enforced in home_server_ldb(), in realms.c.
2093 request->home_server->currently_outstanding++;
2096 request->proxy_listener->count++;
2099 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2101 RDEBUG3("proxy: allocating destination %s port %d - Id %d",
2102 inet_ntop(request->proxy->dst_ipaddr.af,
2103 &request->proxy->dst_ipaddr.ipaddr, buf, sizeof(buf)),
2104 request->proxy->dst_port,
2105 request->proxy->id);
2110 static int process_proxy_reply(REQUEST *request, RADIUS_PACKET *reply)
2113 int post_proxy_type = 0;
2117 * There may be a proxy reply, but it may be too late.
2119 if (!request->proxy_listener) return 0;
2122 * Delete any reply we had accumulated until now.
2124 pairfree(&request->reply->vps);
2127 * Run the packet through the post-proxy stage,
2128 * BEFORE playing games with the attributes.
2130 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2133 * If we have a proxy_reply, and it was a reject, setup
2134 * post-proxy-type Reject
2137 reply->code == PW_CODE_AUTHENTICATION_REJECT) {
2140 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Reject");
2142 vp = radius_paircreate(request, &request->config_items,
2143 PW_POST_PROXY_TYPE, 0);
2145 vp->vp_integer = dval->value;
2150 post_proxy_type = vp->vp_integer;
2152 RDEBUG2("Found Post-Proxy-Type %s", dict_valnamebyattr(PW_POST_PROXY_TYPE, 0, post_proxy_type));
2157 * Decode the packet.
2159 rcode = request->proxy_listener->decode(request->proxy_listener, request);
2160 DEBUG_PACKET(request, reply, 0);
2163 * Pro-actively remove it from the proxy hash.
2164 * This is later than in 2.1.x, but it means that
2165 * the replies are authenticated before being
2166 * removed from the hash.
2169 (request->num_proxied_requests <= request->num_proxied_responses)) {
2170 remove_from_proxy_hash(request);
2173 remove_from_proxy_hash(request);
2176 if (request->home_pool && request->home_pool->virtual_server) {
2177 char const *old_server = request->server;
2179 request->server = request->home_pool->virtual_server;
2180 RDEBUG2("server %s {", request->server);
2182 rcode = process_post_proxy(post_proxy_type, request);
2185 request->server = old_server;
2187 rcode = process_post_proxy(post_proxy_type, request);
2191 if (request->packet->code == request->proxy->code)
2193 * Don't run the next bit if we originated a CoA
2194 * packet, after receiving an Access-Request or
2195 * Accounting-Request.
2200 * There may NOT be a proxy reply, as we may be
2201 * running Post-Proxy-Type = Fail.
2204 pairadd(&request->reply->vps, paircopy(request->reply, reply->vps));
2207 * Delete the Proxy-State Attributes from
2208 * the reply. These include Proxy-State
2209 * attributes from us and remote server.
2211 pairdelete(&request->reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
2215 default: /* Don't do anything */
2217 case RLM_MODULE_FAIL:
2220 case RLM_MODULE_HANDLED:
2227 int request_proxy_reply(RADIUS_PACKET *packet)
2229 RADIUS_PACKET **proxy_p;
2234 PTHREAD_MUTEX_LOCK(&proxy_mutex);
2235 proxy_p = fr_packet_list_find_byreply(proxy_list, packet);
2238 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2239 PROXY( "No outstanding request was found for reply from host %s port %d - ID %u",
2240 inet_ntop(packet->src_ipaddr.af,
2241 &packet->src_ipaddr.ipaddr,
2242 buffer, sizeof(buffer)),
2243 packet->src_port, packet->id);
2247 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
2248 request->num_proxied_responses++; /* needs to be protected by lock */
2250 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2253 * No reply, BUT the current packet fails verification:
2254 * ignore it. This does the MD5 calculations in the
2255 * server core, but I guess we can fix that later.
2257 if (!request->proxy_reply &&
2258 (rad_verify(packet, request->proxy,
2259 request->home_server->secret) != 0)) {
2260 DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
2265 * The home server sent us a packet which doesn't match
2266 * something we have: ignore it. This is done only to
2267 * catch the case of broken systems.
2269 if (request->proxy_reply &&
2270 (memcmp(request->proxy_reply->vector,
2272 sizeof(request->proxy_reply->vector)) != 0)) {
2273 RDEBUG2("Ignoring conflicting proxy reply");
2277 gettimeofday(&now, NULL);
2280 * Status-Server packets don't count as real packets.
2282 if (request->proxy->code != PW_CODE_STATUS_SERVER) {
2283 listen_socket_t *sock = request->proxy_listener->data;
2285 request->home_server->last_packet_recv = now.tv_sec;
2286 sock->last_packet = now.tv_sec;
2290 * If we have previously seen a reply, ignore the
2293 if (request->proxy_reply) {
2294 RDEBUG2("Discarding duplicate reply from host %s port %d - ID: %d",
2295 inet_ntop(packet->src_ipaddr.af,
2296 &packet->src_ipaddr.ipaddr,
2297 buffer, sizeof(buffer)),
2298 packet->src_port, packet->id);
2303 * Call the state machine to do something useful with the
2306 request->proxy_reply = talloc_steal(request, packet);
2307 packet->timestamp = now;
2308 request->priority = RAD_LISTEN_PROXY;
2311 * We've received a reply. If we hadn't been sending it
2312 * packets for a while, just mark it alive.
2314 if (request->home_server->state == HOME_STATE_UNKNOWN) {
2315 request->home_server->state = HOME_STATE_ALIVE;
2319 request->home_server->stats.last_packet = packet->timestamp.tv_sec;
2320 request->proxy_listener->stats.last_packet = packet->timestamp.tv_sec;
2322 if (request->proxy->code == PW_CODE_AUTHENTICATION_REQUEST) {
2323 proxy_auth_stats.last_packet = packet->timestamp.tv_sec;
2324 #ifdef WITH_ACCOUNTING
2325 } else if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
2326 proxy_acct_stats.last_packet = packet->timestamp.tv_sec;
2329 #endif /* WITH_STATS */
2333 * When we originate CoA requests, we patch them in here
2334 * so that they don't affect the rest of the state
2337 if (request->parent) {
2338 rad_assert(request->parent->coa == request);
2339 rad_assert((request->proxy->code == PW_CODE_COA_REQUEST) ||
2340 (request->proxy->code == PW_CODE_DISCONNECT_REQUEST));
2341 rad_assert(request->process != NULL);
2342 request_coa_separate(request);
2346 request->process(request, FR_ACTION_PROXY_REPLY);
2352 static int setup_post_proxy_fail(REQUEST *request)
2354 DICT_VALUE const *dval = NULL;
2357 if (request->proxy->code == PW_CODE_AUTHENTICATION_REQUEST) {
2358 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0,
2359 "Fail-Authentication");
2361 } else if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
2362 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0,
2365 } else if (request->proxy->code == PW_CODE_COA_REQUEST) {
2366 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail-CoA");
2368 } else if (request->proxy->code == PW_CODE_DISCONNECT_REQUEST) {
2369 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail-Disconnect");
2372 WARN("Unknown packet type in Post-Proxy-Type Fail: ignoring");
2376 if (!dval) dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail");
2379 pairdelete(&request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2383 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2384 if (!vp) vp = radius_paircreate(request, &request->config_items,
2385 PW_POST_PROXY_TYPE, 0);
2386 vp->vp_integer = dval->value;
2391 STATE_MACHINE_DECL(proxy_no_reply)
2393 TRACE_STATE_MACHINE;
2396 case FR_ACTION_CONFLICTING:
2398 case FR_ACTION_TIMER:
2399 case FR_ACTION_PROXY_REPLY:
2400 request_common(request, action);
2404 if (process_proxy_reply(request, NULL)) {
2405 request_finish(request, action);
2407 request_done(request, FR_ACTION_DONE);
2411 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2416 STATE_MACHINE_DECL(proxy_running)
2418 TRACE_STATE_MACHINE;
2421 case FR_ACTION_CONFLICTING:
2423 case FR_ACTION_TIMER:
2424 case FR_ACTION_PROXY_REPLY:
2425 request_common(request, action);
2429 if (process_proxy_reply(request, request->proxy_reply)) {
2430 request->handle(request);
2431 request_finish(request, action);
2433 request_done(request, FR_ACTION_DONE);
2438 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2443 static int request_will_proxy(REQUEST *request)
2445 int rcode, pre_proxy_type = 0;
2446 char const *realmname = NULL;
2447 VALUE_PAIR *vp, *strippedname;
2448 home_server_t *home;
2449 REALM *realm = NULL;
2450 home_pool_t *pool = NULL;
2452 if (!request->root->proxy_requests) return 0;
2453 if (request->packet->dst_port == 0) return 0;
2454 if (request->packet->code == PW_CODE_STATUS_SERVER) return 0;
2455 if (request->in_proxy_hash) return 0;
2458 * FIXME: for 3.0, allow this only for rejects?
2460 if (request->reply->code != 0) return 0;
2462 vp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY);
2464 realm = realm_find2(vp->vp_strvalue);
2466 REDEBUG2("Cannot proxy to unknown realm %s",
2471 realmname = vp->vp_strvalue;
2474 * Figure out which pool to use.
2476 if (request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
2477 pool = realm->auth_pool;
2479 #ifdef WITH_ACCOUNTING
2480 } else if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2481 pool = realm->acct_pool;
2485 } else if ((request->packet->code == PW_CODE_COA_REQUEST) ||
2486 (request->packet->code == PW_CODE_DISCONNECT_REQUEST)) {
2487 pool = realm->coa_pool;
2497 vp = pairfind(request->config_items, PW_HOME_SERVER_POOL, 0, TAG_ANY);
2500 switch (request->packet->code) {
2501 case PW_CODE_AUTHENTICATION_REQUEST:
2502 pool_type = HOME_TYPE_AUTH;
2505 #ifdef WITH_ACCOUNTING
2506 case PW_CODE_ACCOUNTING_REQUEST:
2507 pool_type = HOME_TYPE_ACCT;
2512 case PW_CODE_COA_REQUEST:
2513 case PW_CODE_DISCONNECT_REQUEST:
2514 pool_type = HOME_TYPE_COA;
2522 pool = home_pool_byname(vp->vp_strvalue, pool_type);
2526 RWDEBUG2("Cancelling proxy as no home pool exists");
2530 if (request->listener->synchronous) {
2531 WARN("Cannot proxy a request which is from a 'synchronous' socket");
2535 request->home_pool = pool;
2537 home = home_server_ldb(realmname, pool, request);
2539 REDEBUG2("Failed to find live home server: Cancelling proxy");
2542 home_server_update_request(home, request);
2546 * Once we've decided to proxy a request, we cannot send
2547 * a CoA packet. So we free up any CoA packet here.
2549 if (request->coa) request_done(request->coa, FR_ACTION_DONE);
2553 * Remember that we sent the request to a Realm.
2555 if (realmname) pairmake_packet("Realm", realmname, T_OP_EQ);
2558 * Strip the name, if told to.
2560 * Doing it here catches the case of proxied tunneled
2563 if (realm && (realm->striprealm == true) &&
2564 (strippedname = pairfind(request->proxy->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY)) != NULL) {
2566 * If there's a Stripped-User-Name attribute in
2567 * the request, then use THAT as the User-Name
2568 * for the proxied request, instead of the
2571 * This is done by making a copy of the
2572 * Stripped-User-Name attribute, turning it into
2573 * a User-Name attribute, deleting the
2574 * Stripped-User-Name and User-Name attributes
2575 * from the vps list, and making the new
2576 * User-Name the head of the vps list.
2578 vp = pairfind(request->proxy->vps, PW_USER_NAME, 0, TAG_ANY);
2581 vp = radius_paircreate(NULL, NULL,
2583 rad_assert(vp != NULL); /* handled by above function */
2584 /* Insert at the START of the list */
2585 /* FIXME: Can't make assumptions about ordering */
2586 fr_cursor_init(&cursor, &vp);
2587 fr_cursor_insert(&cursor, request->proxy->vps);
2588 request->proxy->vps = vp;
2590 pairstrcpy(vp, strippedname->vp_strvalue);
2593 * Do NOT delete Stripped-User-Name.
2598 * If there is no PW_CHAP_CHALLENGE attribute but
2599 * there is a PW_CHAP_PASSWORD we need to add it
2600 * since we can't use the request authenticator
2601 * anymore - we changed it.
2603 if ((request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) &&
2604 pairfind(request->proxy->vps, PW_CHAP_PASSWORD, 0, TAG_ANY) &&
2605 pairfind(request->proxy->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY) == NULL) {
2606 vp = radius_paircreate(request->proxy, &request->proxy->vps, PW_CHAP_CHALLENGE, 0);
2607 pairmemcpy(vp, request->packet->vector, sizeof(request->packet->vector));
2611 * The RFC's say we have to do this, but FreeRADIUS
2614 vp = radius_paircreate(request->proxy, &request->proxy->vps, PW_PROXY_STATE, 0);
2615 pairsprintf(vp, "%u", request->packet->id);
2618 * Should be done BEFORE inserting into proxy hash, as
2619 * pre-proxy may use this information, or change it.
2621 request->proxy->code = request->packet->code;
2624 * Call the pre-proxy routines.
2626 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE, 0, TAG_ANY);
2628 DICT_VALUE const *dval = dict_valbyattr(vp->da->attr, vp->da->vendor, vp->vp_integer);
2629 /* Must be a validation issue */
2631 RDEBUG2("Found Pre-Proxy-Type %s", dval->name);
2632 pre_proxy_type = vp->vp_integer;
2635 rad_assert(request->home_pool != NULL);
2637 if (request->home_pool->virtual_server) {
2638 char const *old_server = request->server;
2640 request->server = request->home_pool->virtual_server;
2642 RDEBUG2("server %s {", request->server);
2644 rcode = process_pre_proxy(pre_proxy_type, request);
2648 request->server = old_server;
2650 rcode = process_pre_proxy(pre_proxy_type, request);
2653 case RLM_MODULE_FAIL:
2654 case RLM_MODULE_INVALID:
2655 case RLM_MODULE_NOTFOUND:
2656 case RLM_MODULE_USERLOCK:
2658 /* FIXME: debug print failed stuff */
2661 case RLM_MODULE_REJECT:
2662 case RLM_MODULE_HANDLED:
2666 * Only proxy the packet if the pre-proxy code succeeded.
2668 case RLM_MODULE_NOOP:
2670 case RLM_MODULE_UPDATED:
2677 static int request_proxy(REQUEST *request, int retransmit)
2681 rad_assert(request->parent == NULL);
2682 rad_assert(request->home_server != NULL);
2684 if (request->master_state == REQUEST_STOP_PROCESSING) return 0;
2688 RWDEBUG("Cannot proxy and originate CoA packets at the same time. Cancelling CoA request");
2689 request_done(request->coa, FR_ACTION_DONE);
2694 * The request may need sending to a virtual server.
2695 * This code is more than a little screwed up. The rest
2696 * of the state machine doesn't handle parent / child
2697 * relationships well. i.e. if the child request takes
2698 * too long, the core will mark the *parent* as "stop
2699 * processing". And the child will continue without
2700 * knowing anything...
2702 * So, we have some horrible hacks to get around that.
2704 if (request->home_server->server) {
2707 if (request->packet->dst_port == 0) {
2708 WARN("Cannot proxy an internal request");
2712 DEBUG("Proxying to virtual server %s",
2713 request->home_server->server);
2716 * Packets to virtual serrers don't get
2717 * retransmissions sent to them. And the virtual
2718 * server is run ONLY if we have no child
2719 * threads, or we're running in a child thread.
2721 rad_assert(retransmit == 0);
2722 rad_assert(!spawn_flag || !we_are_master());
2724 fake = request_alloc_fake(request);
2726 fake->packet->vps = paircopy(fake->packet, request->packet->vps);
2727 talloc_free(request->proxy);
2729 fake->server = request->home_server->server;
2730 fake->handle = request->handle;
2731 fake->process = NULL; /* should never be run for anything */
2734 * Run the virtual server.
2736 request_running(fake, FR_ACTION_RUN);
2738 request->proxy = talloc_steal(request, fake->packet);
2739 fake->packet = NULL;
2740 request->proxy_reply = talloc_steal(request, fake->reply);
2746 * Just do the work here, rather than trying to
2747 * run the "decode proxy reply" stuff...
2749 process_proxy_reply(request, request->proxy_reply);
2751 request->handle(request); /* to do more post-proxy stuff */
2753 return -1; /* so we call request_finish */
2757 * We're actually sending a proxied packet. Do that now.
2759 if (!request->in_proxy_hash && !insert_into_proxy_hash(request)) {
2760 ERROR("Failed to insert request into the proxy list");
2764 rad_assert(request->proxy->id >= 0);
2767 struct timeval *response_window;
2769 response_window = request_response_window(request);
2772 if (request->home_server->tls) {
2773 RDEBUG2("Proxying request to home server %s port %d (TLS) timeout %d.%06d",
2774 inet_ntop(request->proxy->dst_ipaddr.af,
2775 &request->proxy->dst_ipaddr.ipaddr,
2776 buffer, sizeof(buffer)),
2777 request->proxy->dst_port,
2778 (int) response_window->tv_sec, (int) response_window->tv_usec);
2781 RDEBUG2("Proxying request to home server %s port %d timeout %d.%06d",
2782 inet_ntop(request->proxy->dst_ipaddr.af,
2783 &request->proxy->dst_ipaddr.ipaddr,
2784 buffer, sizeof(buffer)),
2785 request->proxy->dst_port,
2786 (int) response_window->tv_sec, (int) response_window->tv_usec);
2788 DEBUG_PACKET(request, request->proxy, 1);
2791 gettimeofday(&request->proxy_retransmit, NULL);
2793 request->proxy->timestamp = request->proxy_retransmit;
2794 request->home_server->last_packet_sent = request->proxy_retransmit.tv_sec;
2797 FR_STATS_TYPE_INC(request->home_server->stats.total_requests);
2799 request->child_state = REQUEST_PROXIED;
2800 request->proxy_listener->send(request->proxy_listener,
2806 * Proxy the packet as if it was new.
2808 static int request_proxy_anew(REQUEST *request)
2810 home_server_t *home;
2813 * Delete the request from the proxy list.
2815 * The packet list code takes care of ensuring that IDs
2816 * aren't reused until all 256 IDs have been used. So
2817 * there's a 1/256 chance of re-using the same ID when
2818 * we're sending to the same home server. Which is
2821 remove_from_proxy_hash(request);
2824 * Find a live home server for the request.
2826 home = home_server_ldb(NULL, request->home_pool, request);
2828 REDEBUG2("Failed to find live home server for request");
2830 if (setup_post_proxy_fail(request)) {
2831 request_queue_or_run(request, proxy_running);
2833 gettimeofday(&request->reply->timestamp, NULL);
2834 request_cleanup_delay_init(request, NULL);
2838 home_server_update_request(home, request);
2840 if (!insert_into_proxy_hash(request)) {
2841 RPROXY("Failed to insert retransmission into the proxy list");
2842 goto post_proxy_fail;
2846 * Free the old packet, to force re-encoding
2848 talloc_free(request->proxy->data);
2849 request->proxy->data = NULL;
2850 request->proxy->data_len = 0;
2852 #ifdef WITH_ACCOUNTING
2854 * Update the Acct-Delay-Time attribute.
2856 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2859 vp = pairfind(request->proxy->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY);
2860 if (!vp) vp = radius_paircreate(request->proxy,
2861 &request->proxy->vps,
2862 PW_ACCT_DELAY_TIME, 0);
2866 gettimeofday(&now, NULL);
2867 vp->vp_integer += now.tv_sec - request->proxy_retransmit.tv_sec;
2872 if (request_proxy(request, 1) != 1) goto post_proxy_fail;
2877 STATE_MACHINE_DECL(request_ping)
2879 home_server_t *home = request->home_server;
2882 TRACE_STATE_MACHINE;
2886 case FR_ACTION_TIMER:
2887 ERROR("No response to status check %d for home server %s port %d",
2889 inet_ntop(request->proxy->dst_ipaddr.af,
2890 &request->proxy->dst_ipaddr.ipaddr,
2891 buffer, sizeof(buffer)),
2892 request->proxy->dst_port);
2895 case FR_ACTION_PROXY_REPLY:
2896 rad_assert(request->in_proxy_hash);
2898 request->home_server->num_received_pings++;
2899 RPROXY("Received response to status check %d (%d in current sequence)",
2900 request->number, home->num_received_pings);
2903 * Remove the request from any hashes
2905 fr_event_delete(el, &request->ev);
2906 remove_from_proxy_hash(request);
2909 * The control socket may have marked the home server as
2910 * alive. OR, it may have suddenly started responding to
2911 * requests again. If so, don't re-do the "make alive"
2914 if (home->state == HOME_STATE_ALIVE) break;
2917 * It's dead, and we haven't received enough ping
2918 * responses to mark it "alive". Wait a bit.
2920 * If it's zombie, we mark it alive immediately.
2922 if ((home->state == HOME_STATE_IS_DEAD) &&
2923 (home->num_received_pings < home->num_pings_to_alive)) {
2928 * Mark it alive and delete any outstanding
2931 home->state = HOME_STATE_ALIVE;
2932 exec_trigger(request, home->cs, "home_server.alive", false);
2933 home->currently_outstanding = 0;
2934 home->num_sent_pings = 0;
2935 home->num_received_pings = 0;
2936 gettimeofday(&home->revive_time, NULL);
2938 fr_event_delete(el, &home->ev);
2940 RPROXY("Marking home server %s port %d alive",
2941 inet_ntop(request->proxy->dst_ipaddr.af,
2942 &request->proxy->dst_ipaddr.ipaddr,
2943 buffer, sizeof(buffer)),
2944 request->proxy->dst_port);
2948 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2952 rad_assert(!request->in_request_hash);
2953 rad_assert(request->ev == NULL);
2954 request_done(request, FR_ACTION_DONE);
2958 * Called from start of zombie period, OR after control socket
2959 * marks the home server dead.
2961 static void ping_home_server(void *ctx)
2963 home_server_t *home = ctx;
2966 struct timeval when, now;
2968 if ((home->state == HOME_STATE_ALIVE) ||
2969 (home->ping_check == HOME_PING_CHECK_NONE) ||
2971 (home->proto == IPPROTO_TCP) ||
2973 (home->ev != NULL)) {
2977 gettimeofday(&now, NULL);
2979 if (home->state == HOME_STATE_ZOMBIE) {
2980 when = home->zombie_period_start;
2981 when.tv_sec += home->zombie_period;
2983 if (timercmp(&when, &now, <)) {
2984 DEBUG("PING: Zombie period is over for home server %s",
2986 mark_home_server_dead(home, &now);
2990 request = request_alloc(NULL);
2991 request->number = request_num_counter++;
2994 request->proxy = rad_alloc(request, 1);
2995 rad_assert(request->proxy != NULL);
2997 if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) {
2998 request->proxy->code = PW_CODE_STATUS_SERVER;
3000 pairmake(request->proxy, &request->proxy->vps,
3001 "Message-Authenticator", "0x00", T_OP_SET);
3003 } else if (home->type == HOME_TYPE_AUTH) {
3004 request->proxy->code = PW_CODE_AUTHENTICATION_REQUEST;
3006 pairmake(request->proxy, &request->proxy->vps,
3007 "User-Name", home->ping_user_name, T_OP_SET);
3008 pairmake(request->proxy, &request->proxy->vps,
3009 "User-Password", home->ping_user_password, T_OP_SET);
3010 pairmake(request->proxy, &request->proxy->vps,
3011 "Service-Type", "Authenticate-Only", T_OP_SET);
3012 pairmake(request->proxy, &request->proxy->vps,
3013 "Message-Authenticator", "0x00", T_OP_SET);
3016 #ifdef WITH_ACCOUNTING
3017 request->proxy->code = PW_CODE_ACCOUNTING_REQUEST;
3019 pairmake(request->proxy, &request->proxy->vps,
3020 "User-Name", home->ping_user_name, T_OP_SET);
3021 pairmake(request->proxy, &request->proxy->vps,
3022 "Acct-Status-Type", "Stop", T_OP_SET);
3023 pairmake(request->proxy, &request->proxy->vps,
3024 "Acct-Session-Id", "00000000", T_OP_SET);
3025 vp = pairmake(request->proxy, &request->proxy->vps,
3026 "Event-Timestamp", "0", T_OP_SET);
3027 vp->vp_date = now.tv_sec;
3029 rad_assert("Internal sanity check failed");
3033 vp = pairmake(request->proxy, &request->proxy->vps,
3034 "NAS-Identifier", "", T_OP_SET);
3036 pairsprintf(vp, "Status Check %u. Are you alive?",
3037 home->num_sent_pings);
3040 request->proxy->src_ipaddr = home->src_ipaddr;
3041 request->proxy->dst_ipaddr = home->ipaddr;
3042 request->proxy->dst_port = home->port;
3043 request->home_server = home;
3044 #ifdef DEBUG_STATE_MACHINE
3045 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n", request->number, __FUNCTION__,
3046 child_state_names[request->child_state],
3047 child_state_names[REQUEST_DONE]);
3048 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_ping");
3050 #ifdef HAVE_PTHREAD_H
3051 rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
3053 request->child_state = REQUEST_DONE;
3054 request->process = request_ping;
3056 rad_assert(request->proxy_listener == NULL);
3058 if (!insert_into_proxy_hash(request)) {
3059 RPROXY("Failed to insert status check %d into proxy list. Discarding it.",
3062 rad_assert(!request->in_request_hash);
3063 rad_assert(!request->in_proxy_hash);
3064 rad_assert(request->ev == NULL);
3065 talloc_free(request);
3070 * Set up the timer callback.
3073 when.tv_sec += home->ping_timeout;
3075 DEBUG("PING: Waiting %u seconds for response to ping",
3076 home->ping_timeout);
3078 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3079 home->num_sent_pings++;
3081 rad_assert(request->proxy_listener != NULL);
3082 request->proxy_listener->send(request->proxy_listener,
3086 * Add +/- 2s of jitter, as suggested in RFC 3539
3087 * and in the Issues and Fixes draft.
3090 home->when.tv_sec += home->ping_interval;
3092 add_jitter(&home->when);
3094 DEBUG("PING: Next status packet in %u seconds", home->ping_interval);
3095 INSERT_EVENT(ping_home_server, home);
3098 static void home_trigger(home_server_t *home, char const *trigger)
3101 RADIUS_PACKET my_packet;
3103 memset(&my_request, 0, sizeof(my_request));
3104 memset(&my_packet, 0, sizeof(my_packet));
3105 my_request.proxy = &my_packet;
3106 my_packet.dst_ipaddr = home->ipaddr;
3107 my_packet.src_ipaddr = home->src_ipaddr;
3109 exec_trigger(&my_request, home->cs, trigger, false);
3112 static void mark_home_server_zombie(home_server_t *home, struct timeval *now, struct timeval *response_window)
3119 rad_assert((home->state == HOME_STATE_ALIVE) ||
3120 (home->state == HOME_STATE_UNKNOWN));
3123 if (home->proto == IPPROTO_TCP) {
3124 WARN("Not marking TCP server %s zombie", home->name);
3130 * We've received a real packet recently. Don't mark the
3131 * server as zombie until we've received NO packets for a
3132 * while. The "1/4" of zombie period was chosen rather
3133 * arbitrarily. It's a balance between too short, which
3134 * gives quick fail-over and fail-back, or too long,
3135 * where the proxy still sends packets to an unresponsive
3138 start = now->tv_sec - ((home->zombie_period + 3) / 4);
3139 if (home->last_packet_recv >= start) {
3140 DEBUG("Recieved reply from home server %d seconds ago. Might not be zombie.",
3141 (int) (now->tv_sec - home->last_packet_recv));
3145 home->state = HOME_STATE_ZOMBIE;
3146 home_trigger(home, "home_server.zombie");
3149 * Set the home server to "zombie", as of the time
3152 home->zombie_period_start.tv_sec = start;
3153 home->zombie_period_start.tv_usec = USEC / 2;
3155 fr_event_delete(el, &home->ev);
3156 home->num_sent_pings = 0;
3157 home->num_received_pings = 0;
3159 PROXY( "Marking home server %s port %d as zombie (it has not responded in %d.%06d seconds).",
3160 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
3161 buffer, sizeof(buffer)),
3162 home->port, (int) response_window->tv_sec, (int) response_window->tv_usec);
3164 ping_home_server(home);
3168 void revive_home_server(void *ctx)
3170 home_server_t *home = ctx;
3174 rad_assert(home->proto != IPPROTO_TCP);
3177 home->state = HOME_STATE_ALIVE;
3178 home_trigger(home, "home_server.alive");
3179 home->currently_outstanding = 0;
3180 gettimeofday(&home->revive_time, NULL);
3183 * Delete any outstanding events.
3185 if (home->ev) fr_event_delete(el, &home->ev);
3187 PROXY( "Marking home server %s port %d alive again... we have no idea if it really is alive or not.",
3188 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
3189 buffer, sizeof(buffer)),
3193 void mark_home_server_dead(home_server_t *home, struct timeval *when)
3195 int previous_state = home->state;
3199 if (home->proto == IPPROTO_TCP) {
3200 WARN("Not marking TCP server dead");
3205 PROXY( "Marking home server %s port %d as dead.",
3206 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
3207 buffer, sizeof(buffer)),
3210 home->state = HOME_STATE_IS_DEAD;
3211 home_trigger(home, "home_server.dead");
3213 if (home->ping_check != HOME_PING_CHECK_NONE) {
3215 * If the control socket marks us dead, start
3216 * pinging. Otherwise, we already started
3217 * pinging when it was marked "zombie".
3219 if (previous_state == HOME_STATE_ALIVE) {
3220 ping_home_server(home);
3222 DEBUG("PING: Already pinging home server %s",
3228 * Revive it after a fixed period of time. This
3229 * is very, very, bad.
3232 home->when.tv_sec += home->revive_interval;
3234 DEBUG("PING: Reviving home server %s in %u seconds",
3235 home->name, home->revive_interval);
3236 INSERT_EVENT(revive_home_server, home);
3240 STATE_MACHINE_DECL(proxy_wait_for_reply)
3242 struct timeval now, when;
3243 struct timeval *response_window = NULL;
3244 home_server_t *home = request->home_server;
3247 TRACE_STATE_MACHINE;
3249 rad_assert(request->packet->code != PW_CODE_STATUS_SERVER);
3250 rad_assert(request->home_server != NULL);
3252 if (request->master_state == REQUEST_STOP_PROCESSING) {
3253 request->child_state = REQUEST_DONE;
3257 gettimeofday(&now, NULL);
3262 * We have a reply, ignore the retransmit.
3264 if (request->proxy_reply) return;
3267 * The request was proxied to a virtual server.
3268 * Ignore the retransmit.
3270 if (request->home_server->server) return;
3272 if ((home->state == HOME_STATE_IS_DEAD) ||
3273 !request->proxy_listener ||
3274 (request->proxy_listener->status != RAD_LISTEN_STATUS_KNOWN)) {
3275 request_proxy_anew(request);
3280 if (home->proto == IPPROTO_TCP) {
3281 DEBUG2("Suppressing duplicate proxied request (tcp) to home server %s port %d proto TCP - ID: %d",
3282 inet_ntop(request->proxy->dst_ipaddr.af,
3283 &request->proxy->dst_ipaddr.ipaddr,
3284 buffer, sizeof(buffer)),
3285 request->proxy->dst_port,
3286 request->proxy->id);
3292 * More than one retransmit a second is stupid,
3293 * and should be suppressed by the proxy.
3295 when = request->proxy_retransmit;
3298 if (timercmp(&now, &when, <)) {
3299 DEBUG2("Suppressing duplicate proxied request (too fast) to home server %s port %d proto TCP - ID: %d",
3300 inet_ntop(request->proxy->dst_ipaddr.af,
3301 &request->proxy->dst_ipaddr.ipaddr,
3302 buffer, sizeof(buffer)),
3303 request->proxy->dst_port,
3304 request->proxy->id);
3308 #ifdef WITH_ACCOUNTING
3310 * If we update the Acct-Delay-Time, we need to
3313 if ((request->packet->code == PW_CODE_ACCOUNTING_REQUEST) &&
3314 pairfind(request->proxy->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY)) {
3315 request_proxy_anew(request);
3320 RDEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
3321 inet_ntop(request->proxy->dst_ipaddr.af,
3322 &request->proxy->dst_ipaddr.ipaddr,
3323 buffer, sizeof(buffer)),
3324 request->proxy->dst_port,
3325 request->proxy->id);
3326 request->num_proxied_requests++;
3328 rad_assert(request->proxy_listener != NULL);;
3329 DEBUG_PACKET(request, request->proxy, 1);
3330 FR_STATS_TYPE_INC(home->stats.total_requests);
3331 home->last_packet_sent = now.tv_sec;
3332 request->proxy_retransmit = now;
3333 request->proxy_listener->send(request->proxy_listener,
3337 case FR_ACTION_TIMER:
3338 response_window = request_response_window(request);
3341 if (!request->proxy_listener ||
3342 (request->proxy_listener->status != RAD_LISTEN_STATUS_KNOWN)) {
3343 remove_from_proxy_hash(request);
3345 when = request->packet->timestamp;
3346 when.tv_sec += request->root->max_request_time;
3348 if (timercmp(&when, &now, >)) {
3349 RDEBUG("Waiting for client retransmission in order to do a proxy retransmit");
3350 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3357 * Wake up "response_window" time in the future.
3358 * i.e. when MY packet hasn't received a response.
3360 * Note that we DO NOT mark the home server as
3361 * zombie if it doesn't respond to us. It may be
3362 * responding to other (better looking) packets.
3364 when = request->proxy->timestamp;
3365 timeradd(&when, response_window, &when);
3368 * Not at the response window. Set the timer for
3371 if (timercmp(&when, &now, >)) {
3372 struct timeval diff;
3373 timersub(&when, &now, &diff);
3375 RDEBUG("Expecting proxy response no later than %d.%06d seconds from now",
3376 (int) diff.tv_sec, (int) diff.tv_usec);
3377 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3382 RDEBUG("No proxy response, giving up on request and marking it done");
3385 * If we haven't received any packets for
3386 * "response_window", then mark the home server
3389 * If the connection is TCP, then another
3390 * "watchdog timer" function takes care of pings,
3391 * etc. So we don't need to do it here.
3393 * This check should really be part of a home
3394 * server state machine.
3396 if (((home->state == HOME_STATE_ALIVE) ||
3397 (home->state == HOME_STATE_UNKNOWN))
3399 && (home->proto != IPPROTO_TCP)
3402 mark_home_server_zombie(home, &now, response_window);
3405 FR_STATS_TYPE_INC(home->stats.total_timeouts);
3406 if (home->type == HOME_TYPE_AUTH) {
3407 if (request->proxy_listener) FR_STATS_TYPE_INC(request->proxy_listener->stats.total_timeouts);
3408 FR_STATS_TYPE_INC(proxy_auth_stats.total_timeouts);
3411 else if (home->type == HOME_TYPE_ACCT) {
3412 if (request->proxy_listener) FR_STATS_TYPE_INC(request->proxy_listener->stats.total_timeouts);
3413 FR_STATS_TYPE_INC(proxy_acct_stats.total_timeouts);
3418 * There was no response within the window. Stop
3419 * the request. If the client retransmitted, it
3420 * may have failed over to another home server.
3421 * But that one may be dead, too.
3423 RERROR("Failing proxied request, due to lack of any response from home server %s port %d",
3424 inet_ntop(request->proxy->dst_ipaddr.af,
3425 &request->proxy->dst_ipaddr.ipaddr,
3426 buffer, sizeof(buffer)),
3427 request->proxy->dst_port);
3429 if (setup_post_proxy_fail(request)) {
3430 request_queue_or_run(request, proxy_no_reply);
3432 gettimeofday(&request->reply->timestamp, NULL);
3433 request_cleanup_delay_init(request, NULL);
3438 * Duplicate proxy replies have been quenched by
3439 * now. This state is only called ONCE, when we
3440 * receive a new reply from the home server.
3442 case FR_ACTION_PROXY_REPLY:
3443 request_queue_or_run(request, proxy_running);
3446 case FR_ACTION_CONFLICTING:
3447 request_done(request, action);
3451 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3455 #endif /* WITH_PROXY */
3457 /***********************************************************************
3461 ***********************************************************************/
3463 static int null_handler(UNUSED REQUEST *request)
3469 * See if we need to originate a CoA request.
3471 static void request_coa_originate(REQUEST *request)
3473 int rcode, pre_proxy_type = 0;
3479 rad_assert(request != NULL);
3480 rad_assert(request->coa != NULL);
3481 rad_assert(request->proxy == NULL);
3482 rad_assert(!request->in_proxy_hash);
3483 rad_assert(request->proxy_reply == NULL);
3486 * Check whether we want to originate one, or cancel one.
3488 vp = pairfind(request->config_items, PW_SEND_COA_REQUEST, 0, TAG_ANY);
3490 vp = pairfind(request->coa->proxy->vps, PW_SEND_COA_REQUEST, 0, TAG_ANY);
3494 if (vp->vp_integer == 0) {
3496 TALLOC_FREE(request->coa);
3504 * src_ipaddr will be set up in proxy_encode.
3506 memset(&ipaddr, 0, sizeof(ipaddr));
3507 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_IP_ADDRESS, 0, TAG_ANY);
3509 ipaddr.af = AF_INET;
3510 ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
3512 } else if ((vp = pairfind(coa->proxy->vps, PW_PACKET_DST_IPV6_ADDRESS, 0, TAG_ANY)) != NULL) {
3513 ipaddr.af = AF_INET6;
3514 ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
3516 } else if ((vp = pairfind(coa->proxy->vps, PW_HOME_SERVER_POOL, 0, TAG_ANY)) != NULL) {
3517 coa->home_pool = home_pool_byname(vp->vp_strvalue,
3519 if (!coa->home_pool) {
3520 RWDEBUG2("No such home_server_pool %s",
3526 * Prefer the pool to one server
3528 } else if (request->client->coa_pool) {
3529 coa->home_pool = request->client->coa_pool;
3531 } else if (request->client->coa_server) {
3532 coa->home_server = request->client->coa_server;
3536 * If all else fails, send it to the client that
3537 * originated this request.
3539 memcpy(&ipaddr, &request->packet->src_ipaddr, sizeof(ipaddr));
3543 * Use the pool, if it exists.
3545 if (coa->home_pool) {
3546 coa->home_server = home_server_ldb(NULL, coa->home_pool, coa);
3547 if (!coa->home_server) {
3548 RWDEBUG("No live home server for home_server_pool %s", coa->home_pool->name);
3551 home_server_update_request(coa->home_server, coa);
3553 } else if (!coa->home_server) {
3554 uint16_t port = PW_COA_UDP_PORT;
3556 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_PORT, 0, TAG_ANY);
3557 if (vp) port = vp->vp_integer;
3559 coa->home_server = home_server_find(&ipaddr, port, IPPROTO_UDP);
3560 if (!coa->home_server) {
3561 RWDEBUG2("Unknown destination %s:%d for CoA request.",
3562 inet_ntop(ipaddr.af, &ipaddr.ipaddr,
3563 buffer, sizeof(buffer)), port);
3568 vp = pairfind(coa->proxy->vps, PW_PACKET_TYPE, 0, TAG_ANY);
3570 switch (vp->vp_integer) {
3571 case PW_CODE_COA_REQUEST:
3572 case PW_CODE_DISCONNECT_REQUEST:
3573 coa->proxy->code = vp->vp_integer;
3577 DEBUG("Cannot set CoA Packet-Type to code %d",
3583 if (!coa->proxy->code) coa->proxy->code = PW_CODE_COA_REQUEST;
3586 * The rest of the server code assumes that
3587 * request->packet && request->reply exist. Copy them
3588 * from the original request.
3590 rad_assert(coa->packet != NULL);
3591 rad_assert(coa->packet->vps == NULL);
3593 coa->packet = rad_copy_packet(coa, request->packet);
3594 coa->reply = rad_copy_packet(coa, request->reply);
3596 coa->config_items = paircopy(coa, request->config_items);
3597 coa->num_coa_requests = 0;
3598 coa->handle = null_handler;
3599 coa->number = request->number; /* it's associated with the same request */
3602 * Call the pre-proxy routines.
3604 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE, 0, TAG_ANY);
3606 DICT_VALUE const *dval = dict_valbyattr(vp->da->attr, vp->da->vendor, vp->vp_integer);
3607 /* Must be a validation issue */
3609 RDEBUG2("Found Pre-Proxy-Type %s", dval->name);
3610 pre_proxy_type = vp->vp_integer;
3613 if (coa->home_pool && coa->home_pool->virtual_server) {
3614 char const *old_server = coa->server;
3616 coa->server = coa->home_pool->virtual_server;
3617 RDEBUG2("server %s {", coa->server);
3619 rcode = process_pre_proxy(pre_proxy_type, coa);
3622 coa->server = old_server;
3624 rcode = process_pre_proxy(pre_proxy_type, coa);
3631 * Only send the CoA packet if the pre-proxy code succeeded.
3633 case RLM_MODULE_NOOP:
3635 case RLM_MODULE_UPDATED:
3640 * Source IP / port is set when the proxy socket
3643 coa->proxy->dst_ipaddr = coa->home_server->ipaddr;
3644 coa->proxy->dst_port = coa->home_server->port;
3646 if (!insert_into_proxy_hash(coa)) {
3647 radlog_request(L_PROXY, 0, coa, "Failed to insert CoA request into proxy list");
3652 * We CANNOT divorce the CoA request from the parent
3653 * request. This function is running in a child thread,
3654 * and we need access to the main event loop in order to
3655 * to add the timers for the CoA packet.
3657 * Instead, we wait for the timer on the parent request
3660 gettimeofday(&coa->proxy->timestamp, NULL);
3661 coa->packet->timestamp = coa->proxy->timestamp; /* for max_request_time */
3662 coa->delay = 0; /* need to calculate a new delay */
3664 DEBUG_PACKET(coa, coa->proxy, 1);
3666 coa->process = coa_wait_for_reply;
3667 #ifdef DEBUG_STATE_MACHINE
3668 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n", request->number, __FUNCTION__,
3669 child_state_names[request->child_state],
3670 child_state_names[REQUEST_RUNNING]);
3672 #ifdef HAVE_PTHREAD_H
3673 coa->child_pid = NO_SUCH_CHILD_PID;
3675 coa->child_state = REQUEST_PROXIED;
3676 rad_assert(coa->proxy_reply == NULL);
3677 FR_STATS_TYPE_INC(coa->home_server->stats.total_requests);
3678 coa->home_server->last_packet_sent = coa->proxy->timestamp.tv_sec;
3679 coa->proxy_listener->send(coa->proxy_listener, coa);
3683 static void coa_timer(REQUEST *request)
3685 uint32_t delay, frac;
3686 struct timeval now, when, mrd;
3688 rad_assert(request->parent == NULL);
3690 if (request->proxy_reply) return request_process_timer(request);
3692 gettimeofday(&now, NULL);
3694 if (request->delay == 0) {
3696 * Implement re-transmit algorithm as per RFC 5080
3699 * We want IRT + RAND*IRT
3700 * or 0.9 IRT + rand(0,.2) IRT
3702 * 2^20 ~ USEC, and we want 2.
3703 * rand(0,0.2) USEC ~ (rand(0,2^21) / 10)
3705 delay = (fr_rand() & ((1 << 22) - 1)) / 10;
3706 request->delay = delay * request->home_server->coa_irt;
3707 delay = request->home_server->coa_irt * USEC;
3708 delay -= delay / 10;
3709 delay += request->delay;
3710 request->delay = delay;
3712 when = request->proxy->timestamp;
3713 tv_add(&when, delay);
3715 if (timercmp(&when, &now, >)) {
3716 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3722 * Retransmit CoA request.
3726 * Cap count at MRC, if it is non-zero.
3728 if (request->home_server->coa_mrc &&
3729 (request->num_coa_requests >= request->home_server->coa_mrc)) {
3732 RERROR("Failing request - originate-coa ID %u, due to lack of any response from coa server %s port %d",
3734 inet_ntop(request->proxy->dst_ipaddr.af,
3735 &request->proxy->dst_ipaddr.ipaddr,
3736 buffer, sizeof(buffer)),
3737 request->proxy->dst_port);
3739 if (setup_post_proxy_fail(request)) {
3740 request_queue_or_run(request, coa_no_reply);
3742 request_done(request, FR_ACTION_DONE);
3748 * RFC 5080 Section 2.2.1
3750 * RT = 2*RTprev + RAND*RTprev
3751 * = 1.9 * RTprev + rand(0,.2) * RTprev
3752 * = 1.9 * RTprev + rand(0,1) * (RTprev / 5)
3755 delay ^= (delay >> 16);
3757 frac = request->delay / 5;
3758 delay = ((frac >> 16) * delay) + (((frac & 0xffff) * delay) >> 16);
3760 delay += (2 * request->delay) - (request->delay / 10);
3763 * Cap delay at MRT, if MRT is non-zero.
3765 if (request->home_server->coa_mrt &&
3766 (delay > (request->home_server->coa_mrt * USEC))) {
3767 int mrt_usec = request->home_server->coa_mrt * USEC;
3770 * delay = MRT + RAND * MRT
3771 * = 0.9 MRT + rand(0,.2) * MRT
3774 delay ^= (delay >> 15);
3776 delay = ((mrt_usec >> 16) * delay) + (((mrt_usec & 0xffff) * delay) >> 16);
3777 delay += mrt_usec - (mrt_usec / 10);
3780 request->delay = delay;
3782 tv_add(&when, request->delay);
3783 mrd = request->proxy->timestamp;
3784 mrd.tv_sec += request->home_server->coa_mrd;
3787 * Cap duration at MRD.
3789 if (timercmp(&mrd, &when, <)) {
3792 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3794 request->num_coa_requests++; /* is NOT reset by code 3 lines above! */
3796 FR_STATS_TYPE_INC(request->home_server->stats.total_requests);
3799 * Status servers don't count as real packets sent.
3801 request->proxy_listener->send(request->proxy_listener,
3805 STATE_MACHINE_DECL(coa_wait_for_reply)
3807 rad_assert(request->parent == NULL);
3809 TRACE_STATE_MACHINE;
3812 case FR_ACTION_TIMER:
3814 * This is big enough to be in it's own function.
3819 case FR_ACTION_PROXY_REPLY:
3820 rad_assert(request->parent == NULL);
3821 request_queue_or_run(request, coa_running);
3825 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3830 static void request_coa_separate(REQUEST *request)
3832 #ifdef DEBUG_STATE_MACHINE
3833 int action = FR_ACTION_TIMER;
3835 TRACE_STATE_MACHINE;
3837 rad_assert(request->parent != NULL);
3838 rad_assert(request->parent->coa == request);
3839 rad_assert(request->ev == NULL);
3840 rad_assert(!request->in_request_hash);
3841 rad_assert(request->coa == NULL);
3843 rad_assert(request->proxy_listener != NULL);
3845 (void) talloc_steal(NULL, request);
3846 request->parent->coa = NULL;
3847 request->parent = NULL;
3850 * Should be coa_wait_for_reply()
3852 request->process(request, FR_ACTION_TIMER);
3855 STATE_MACHINE_DECL(coa_no_reply)
3859 TRACE_STATE_MACHINE;
3862 case FR_ACTION_TIMER:
3863 request_common(request, action);
3866 case FR_ACTION_PROXY_REPLY: /* too late! */
3867 RDEBUG2("Reply from CoA server %s port %d - ID: %d arrived too late.",
3868 inet_ntop(request->proxy->src_ipaddr.af,
3869 &request->proxy->src_ipaddr.ipaddr,
3870 buffer, sizeof(buffer)),
3871 request->proxy->dst_port, request->proxy->id);
3876 * FIXME: do recv_coa Fail
3878 (void) process_proxy_reply(request, NULL);
3879 request_done(request, FR_ACTION_DONE);
3883 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3888 STATE_MACHINE_DECL(coa_running)
3890 TRACE_STATE_MACHINE;
3893 case FR_ACTION_TIMER:
3894 request_process_timer(request);
3897 case FR_ACTION_PROXY_REPLY:
3898 request_common(request, action);
3902 if (process_proxy_reply(request, request->proxy_reply)) {
3903 request->handle(request);
3904 request_finish(request, action);
3906 request_done(request, FR_ACTION_DONE);
3911 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3915 #endif /* WITH_COA */
3917 /***********************************************************************
3919 * End of the State machine. Start of additional helper code.
3921 ***********************************************************************/
3923 /***********************************************************************
3927 ***********************************************************************/
3928 static void event_socket_handler(UNUSED fr_event_list_t *xel, UNUSED int fd, void *ctx)
3930 rad_listen_t *listener = ctx;
3932 rad_assert(xel == el);
3936 (listener->type != RAD_LISTEN_DETAIL) &&
3938 (listener->fd < 0)) {
3941 listener->print(listener, buffer, sizeof(buffer));
3942 ERROR("FATAL: Asked to read from closed socket: %s",
3945 rad_panic("Socket was closed on us!");
3949 listener->recv(listener);
3953 #ifdef WITH_DETAIL_THREAD
3956 * This function is called periodically to see if this detail
3957 * file is available for reading.
3959 static void event_poll_detail(void *ctx)
3962 rad_listen_t *this = ctx;
3963 struct timeval when, now;
3964 listen_detail_t *detail = this->data;
3966 rad_assert(this->type == RAD_LISTEN_DETAIL);
3969 event_socket_handler(el, this->fd, this);
3971 fr_event_now(el, &now);
3975 * Backdoor API to get the delay until the next poll
3978 delay = this->encode(this, NULL);
3979 if (delay == 0) goto redo;
3981 tv_add(&when, delay);
3983 if (!fr_event_insert(el, event_poll_detail, this,
3984 &when, &detail->ev)) {
3985 ERROR("Failed creating handler");
3989 #endif /* WITH_DETAIL_THREAD */
3990 #endif /* WITH_DETAIL */
3992 static void event_status(struct timeval *wake)
3994 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
3998 if (debug_flag == 0) {
4000 INFO("Ready to process requests");
4001 just_started = false;
4007 INFO("Ready to process requests");
4009 } else if ((wake->tv_sec != 0) ||
4010 (wake->tv_usec >= 100000)) {
4011 DEBUG("Waking up in %d.%01u seconds.",
4012 (int) wake->tv_sec, (unsigned int) wake->tv_usec / 100000);
4017 * FIXME: Put this somewhere else, where it isn't called
4018 * all of the time...
4021 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
4023 * If there are no child threads, then there may
4024 * be child processes. In that case, wait for
4025 * their exit status, and throw that exit status
4026 * away. This helps get rid of zxombie children.
4028 while (waitpid(-1, &argval, WNOHANG) > 0) {
4036 static void listener_free_cb(void *ctx)
4038 rad_listen_t *this = ctx;
4041 if (this->count > 0) {
4042 struct timeval when;
4043 listen_socket_t *sock = this->data;
4045 fr_event_now(el, &when);
4048 if (!fr_event_insert(el, listener_free_cb, this, &when,
4050 rad_panic("Failed to insert event");
4057 * It's all free, close the socket.
4060 this->print(this, buffer, sizeof(buffer));
4061 DEBUG("... cleaning up socket %s", buffer);
4067 static int proxy_eol_cb(void *ctx, void *data)
4069 struct timeval when;
4070 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
4072 if (request->proxy_listener != ctx) return 0;
4075 * We don't care if it's being processed in a child thread.
4078 #ifdef WITH_ACCOUNTING
4080 * Accounting packets should be deleted immediately.
4081 * They will never be retransmitted by the client.
4083 if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
4084 RDEBUG("Stopping request due to failed connection to home server");
4085 request->master_state = REQUEST_STOP_PROCESSING;
4090 * Reset the timer to be now, so that the request is
4091 * quickly updated. But spread the requests randomly
4092 * over the next second, so that we don't overload the
4095 fr_event_now(el, &when);
4096 tv_add(&when, fr_rand() % USEC);
4097 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
4100 * Don't delete it from the list.
4106 static int event_new_fd(rad_listen_t *this)
4112 if (this->status == RAD_LISTEN_STATUS_KNOWN) return 1;
4114 this->print(this, buffer, sizeof(buffer));
4116 if (this->status == RAD_LISTEN_STATUS_INIT) {
4117 listen_socket_t *sock = this->data;
4120 DEBUG("Listening on %s", buffer);
4122 INFO(" ... adding new socket %s", buffer);
4125 switch (this->type) {
4128 * Detail files are always known, and aren't
4129 * put into the socket event loop.
4131 case RAD_LISTEN_DETAIL:
4132 this->status = RAD_LISTEN_STATUS_KNOWN;
4134 #ifndef WITH_DETAIL_THREAD
4136 * Set up the first poll interval.
4138 event_poll_detail(this);
4141 break; /* add the FD to the list */
4143 #endif /* WITH_DETAIL */
4147 * Add it to the list of sockets we can use.
4148 * Server sockets (i.e. auth/acct) are never
4149 * added to the packet list.
4151 case RAD_LISTEN_PROXY:
4154 * Add timers to outgoing child sockets, if necessary.
4156 if (sock->proto == IPPROTO_TCP && sock->opened &&
4157 (sock->home->limit.lifetime || sock->home->limit.idle_timeout)) {
4158 struct timeval when;
4160 when.tv_sec = sock->opened + 1;
4163 if (!fr_event_insert(el, tcp_socket_timer, this, &when,
4165 rad_panic("Failed to insert event");
4170 #endif /* WITH_PROXY */
4173 * FIXME: put idle timers on command sockets.
4179 * Add timers to incoming child sockets, if necessary.
4181 if (sock->proto == IPPROTO_TCP && sock->opened &&
4182 (sock->limit.lifetime || sock->limit.idle_timeout)) {
4183 struct timeval when;
4185 when.tv_sec = sock->opened + 1;
4188 if (!fr_event_insert(el, tcp_socket_timer, this, &when,
4190 rad_panic("Failed to insert event");
4195 } /* switch over listener types */
4198 * All sockets: add the FD to the event handler.
4200 if (!fr_event_fd_insert(el, 0, this->fd,
4201 event_socket_handler, this)) {
4202 ERROR("Failed adding event handler for socket!");
4206 this->status = RAD_LISTEN_STATUS_KNOWN;
4212 * Stop using this socket, if at all possible.
4214 if (this->status == RAD_LISTEN_STATUS_EOL) {
4216 * Remove it from the list of live FD's.
4218 fr_event_fd_delete(el, 0, this->fd);
4222 * Proxy sockets get frozen, so that we don't use
4223 * them for new requests. But we do keep them
4224 * open to listen for replies to requests we had
4227 if (this->type == RAD_LISTEN_PROXY) {
4228 PTHREAD_MUTEX_LOCK(&proxy_mutex);
4229 if (!fr_packet_list_socket_freeze(proxy_list,
4231 ERROR("Fatal error freezing socket: %s", fr_strerror());
4235 fr_packet_list_walk(proxy_list, this, proxy_eol_cb);
4236 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
4241 * Requests are still using the socket. Wait for
4244 if (this->count > 0) {
4245 struct timeval when;
4246 listen_socket_t *sock = this->data;
4249 * Try again to clean up the socket in 30
4252 gettimeofday(&when, NULL);
4255 if (!fr_event_insert(el,
4256 (fr_event_callback_t) event_new_fd,
4257 this, &when, &sock->ev)) {
4258 rad_panic("Failed to insert event");
4265 * No one is using the socket. We can remove it now.
4267 this->status = RAD_LISTEN_STATUS_REMOVE_NOW;
4268 } /* socket is at EOL */
4274 if (this->status == RAD_LISTEN_STATUS_REMOVE_NOW) {
4277 listen_socket_t *sock = this->data;
4279 struct timeval when;
4282 * Re-open the socket, pointing it to /dev/null.
4283 * This means that all writes proceed without
4284 * blocking, and all reads return "no data".
4286 * This leaves the socket active, so any child
4287 * threads won't go insane. But it means that
4288 * they cannot send or receive any packets.
4290 * This is EXTRA work in the normal case, when
4291 * sockets are closed without error. But it lets
4292 * us have one simple processing method for all
4295 devnull = open("/dev/null", O_RDWR);
4297 ERROR("FATAL failure opening /dev/null: %s",
4298 fr_syserror(errno));
4301 if (dup2(devnull, this->fd) < 0) {
4302 ERROR("FATAL failure closing socket: %s",
4303 fr_syserror(errno));
4309 rad_assert(this->type != RAD_LISTEN_DETAIL);
4313 INFO(" ... shutting down socket %s", buffer);
4317 * The socket is dead. Force all proxied packets
4318 * to stop using it. And then remove it from the
4319 * list of outgoing sockets.
4321 if (this->type == RAD_LISTEN_PROXY) {
4322 PTHREAD_MUTEX_LOCK(&proxy_mutex);
4323 fr_packet_list_walk(proxy_list, this, eol_proxy_listener);
4325 if (!fr_packet_list_socket_del(proxy_list, this->fd)) {
4326 ERROR("Fatal error removing socket %s: %s",
4327 buffer, fr_strerror());
4330 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
4335 * EOL all requests using this socket.
4337 fr_packet_list_walk(pl, this, eol_listener);
4341 * No child threads, clean it up now.
4344 if (sock->ev) fr_event_delete(el, &sock->ev);
4350 * Wait until all requests using this socket are done.
4352 gettimeofday(&when, NULL);
4355 if (!fr_event_insert(el, listener_free_cb, this, &when,
4357 rad_panic("Failed to insert event");
4360 #endif /* WITH_TCP */
4365 /***********************************************************************
4369 ***********************************************************************/
4371 static void handle_signal_self(int flag)
4375 if ((flag & (RADIUS_SIGNAL_SELF_EXIT | RADIUS_SIGNAL_SELF_TERM)) != 0) {
4376 if ((flag & RADIUS_SIGNAL_SELF_EXIT) != 0) {
4377 INFO("Signalled to exit");
4378 fr_event_loop_exit(el, 1);
4380 INFO("Signalled to terminate");
4381 exec_trigger(NULL, NULL, "server.signal.term", true);
4382 fr_event_loop_exit(el, 2);
4386 } /* else exit/term flags weren't set */
4389 * Tell the even loop to stop processing.
4391 if ((flag & RADIUS_SIGNAL_SELF_HUP) != 0) {
4393 static time_t last_hup = 0;
4396 if ((int) (when - last_hup) < 5) {
4397 INFO("Ignoring HUP (less than 5s since last one)");
4401 INFO("Received HUP signal");
4405 exec_trigger(NULL, NULL, "server.signal.hup", true);
4406 fr_event_loop_exit(el, 0x80);
4410 #ifndef WITH_DETAIL_THREAD
4411 if ((flag & RADIUS_SIGNAL_SELF_DETAIL) != 0) {
4415 * FIXME: O(N) loops suck.
4417 for (this = main_config.listen;
4419 this = this->next) {
4420 if (this->type != RAD_LISTEN_DETAIL) continue;
4423 * This one didn't send the signal, skip
4426 if (!this->decode(this, NULL)) continue;
4429 * Go service the interrupt.
4431 event_poll_detail(this);
4439 #ifdef HAVE_PTHREAD_H
4441 * There are new listeners in the list. Run
4442 * event_new_fd() on them.
4444 if ((flag & RADIUS_SIGNAL_SELF_NEW_FD) != 0) {
4445 rad_listen_t *this, *next;
4447 FD_MUTEX_LOCK(&fd_mutex);
4450 * FIXME: unlock the mutex before calling
4453 for (this = new_listeners; this != NULL; this = next) {
4460 new_listeners = NULL;
4461 FD_MUTEX_UNLOCK(&fd_mutex);
4463 #endif /* HAVE_PTHREAD_H */
4464 #endif /* WITH_PROXY */
4465 #endif /* WITH_TCP */
4468 #ifndef HAVE_PTHREAD_H
4469 void radius_signal_self(int flag)
4471 return handle_signal_self(flag);
4475 static int self_pipe[2] = { -1, -1 };
4478 * Inform ourselves that we received a signal.
4480 void radius_signal_self(int flag)
4486 * The read MUST be non-blocking for this to work.
4488 rcode = read(self_pipe[0], buffer, sizeof(buffer));
4492 for (i = 0; i < rcode; i++) {
4493 buffer[0] |= buffer[i];
4501 if (write(self_pipe[1], buffer, 1) < 0) fr_exit(0);
4505 static void event_signal_handler(UNUSED fr_event_list_t *xel,
4506 UNUSED int fd, UNUSED void *ctx)
4511 rcode = read(self_pipe[0], buffer, sizeof(buffer));
4512 if (rcode <= 0) return;
4515 * Merge pending signals.
4517 for (i = 0; i < rcode; i++) {
4518 buffer[0] |= buffer[i];
4521 handle_signal_self(buffer[0]);
4523 #endif /* HAVE_PTHREAD_H */
4525 /***********************************************************************
4527 * Bootstrapping code.
4529 ***********************************************************************/
4532 * Externally-visibly functions.
4534 int radius_event_init(TALLOC_CTX *ctx) {
4535 el = fr_event_list_create(ctx, event_status);
4541 int radius_event_start(CONF_SECTION *cs, bool have_children)
4543 rad_listen_t *head = NULL;
4545 if (fr_start_time != (time_t)-1) return 0;
4547 time(&fr_start_time);
4549 if (!check_config) {
4551 * radius_event_init() must be called first
4555 pl = fr_packet_list_create(0);
4556 if (!pl) return 0; /* leak el */
4559 request_num_counter = 0;
4562 if (main_config.proxy_requests) {
4564 * Create the tree for managing proxied requests and
4567 proxy_list = fr_packet_list_create(1);
4568 if (!proxy_list) return 0;
4570 #ifdef HAVE_PTHREAD_H
4571 if (pthread_mutex_init(&proxy_mutex, NULL) != 0) {
4572 ERROR("FATAL: Failed to initialize proxy mutex: %s",
4573 fr_syserror(errno));
4579 * The "init_delay" is set to "response_window".
4580 * Reset it to half of "response_window" in order
4581 * to give the event loop enough time to service
4582 * the event before hitting "response_window".
4584 main_config.init_delay.tv_usec += (main_config.init_delay.tv_sec & 0x01) * USEC;
4585 main_config.init_delay.tv_usec >>= 1;
4586 main_config.init_delay.tv_sec >>= 1;
4592 * Move all of the thread calls to this file?
4594 * It may be best for the mutexes to be in this file...
4596 spawn_flag = have_children;
4598 #ifdef HAVE_PTHREAD_H
4599 NO_SUCH_CHILD_PID = pthread_self(); /* not a child thread */
4602 * Initialize the threads ONLY if we're spawning, AND
4603 * we're running normally.
4605 if (have_children && !check_config &&
4606 (thread_pool_init(cs, &spawn_flag) < 0)) {
4612 DEBUG("%s: #### Skipping IP addresses and Ports ####",
4614 if (listen_init(cs, &head, spawn_flag) < 0) {
4621 #ifdef HAVE_PTHREAD_H
4623 * Child threads need a pipe to signal us, as do the
4626 if (pipe(self_pipe) < 0) {
4627 ERROR("radiusd: Error opening internal pipe: %s",
4628 fr_syserror(errno));
4631 if ((fcntl(self_pipe[0], F_SETFL, O_NONBLOCK) < 0) ||
4632 (fcntl(self_pipe[0], F_SETFD, FD_CLOEXEC) < 0)) {
4633 ERROR("radiusd: Error setting internal flags: %s",
4634 fr_syserror(errno));
4637 if ((fcntl(self_pipe[1], F_SETFL, O_NONBLOCK) < 0) ||
4638 (fcntl(self_pipe[1], F_SETFD, FD_CLOEXEC) < 0)) {
4639 ERROR("radiusd: Error setting internal flags: %s",
4640 fr_syserror(errno));
4644 if (!fr_event_fd_insert(el, 0, self_pipe[0],
4645 event_signal_handler, el)) {
4646 ERROR("Failed creating handler for signals");
4651 DEBUG("%s: #### Opening IP addresses and Ports ####",
4655 * The server temporarily switches to an unprivileged
4656 * user very early in the bootstrapping process.
4657 * However, some sockets MAY require privileged access
4658 * (bind to device, or to port < 1024, or to raw
4659 * sockets). Those sockets need to call suid up/down
4660 * themselves around the functions that need a privileged
4663 if (listen_init(cs, &head, spawn_flag) < 0) {
4667 main_config.listen = head;
4670 * At this point, no one has any business *ever* going
4673 fr_suid_down_permanent();
4680 static int proxy_delete_cb(UNUSED void *ctx, void *data)
4682 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
4684 request->master_state = REQUEST_STOP_PROCESSING;
4686 #ifdef HAVE_PTHREAD_H
4687 if (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0) return 0;
4691 * If it's queued we can't delete it from the queue.
4693 * Otherwise, it's OK to delete it. Even RUNNING, because
4694 * that will get caught by the check above.
4696 if (request->child_state == REQUEST_QUEUED) return 0;
4698 request->in_proxy_hash = false;
4700 if (!request->in_request_hash) {
4701 request_done(request, FR_ACTION_DONE);
4705 * Delete it from the list.
4712 static int request_delete_cb(UNUSED void *ctx, void *data)
4714 REQUEST *request = fr_packet2myptr(REQUEST, packet, data);
4716 request->master_state = REQUEST_STOP_PROCESSING;
4719 * Not done, or the child thread is still processing it.
4721 if (request->child_state < REQUEST_RESPONSE_DELAY) return 0; /* continue */
4723 #ifdef HAVE_PTHREAD_H
4724 if (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0) return 0;
4728 rad_assert(request->in_proxy_hash == false);
4731 request->in_request_hash = false;
4732 if (request->ev) fr_event_delete(el, &request->ev);
4734 if (main_config.memory_report) {
4735 RDEBUG2("Cleaning up request packet ID %u with timestamp +%d",
4736 request->packet->id,
4737 (unsigned int) (request->timestamp - fr_start_time));
4742 rad_assert(!request->coa->in_proxy_hash);
4746 talloc_free(request);
4749 * Delete it from the list, and continue;
4755 void radius_event_free(void)
4761 * There are requests in the proxy hash that aren't
4762 * referenced from anywhere else. Remove them first.
4765 fr_packet_list_walk(proxy_list, NULL, proxy_delete_cb);
4769 fr_packet_list_walk(pl, NULL, request_delete_cb);
4773 * Now that all requests have been marked "please stop",
4774 * ensure that all of the threads have exited.
4776 #ifdef HAVE_PTHREAD_H
4781 * Walk the lists again, ensuring that all
4782 * requests are done.
4784 if (main_config.memory_report) {
4789 fr_packet_list_walk(proxy_list, NULL, proxy_delete_cb);
4790 num = fr_packet_list_num_elements(proxy_list);
4792 ERROR("Proxy list has %d requests still in it.", num);
4797 fr_packet_list_walk(pl, NULL, request_delete_cb);
4798 num = fr_packet_list_num_elements(pl);
4800 ERROR("Request list has %d requests still in it.", num);
4805 fr_packet_list_free(pl);
4809 fr_packet_list_free(proxy_list);
4815 if (debug_condition) talloc_free(debug_condition);
4818 int radius_event_process(void)
4822 return fr_event_loop(el);