2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
21 * @brief Defines the state machines that control how requests are processed.
23 * @copyright 2012 The FreeRADIUS server project
24 * @copyright 2012 Alan DeKok <aland@deployingradius.com>
29 #include <freeradius-devel/radiusd.h>
30 #include <freeradius-devel/process.h>
31 #include <freeradius-devel/modules.h>
33 #include <freeradius-devel/rad_assert.h>
36 #include <freeradius-devel/detail.h>
42 #ifdef HAVE_SYS_WAIT_H
43 # include <sys/wait.h>
46 extern pid_t radius_pid;
47 extern bool check_config;
48 extern fr_cond_t *debug_condition;
50 static bool spawn_flag = false;
51 static bool just_started = true;
52 time_t fr_start_time = (time_t)-1;
53 static fr_packet_list_t *pl = NULL;
54 static fr_event_list_t *el = NULL;
56 fr_event_list_t *radius_event_list_corral(UNUSED event_corral_t hint) {
57 /* Currently we do not run a second event loop for modules. */
61 static char const *action_codes[] = {
73 #ifdef DEBUG_STATE_MACHINE
74 #define TRACE_STATE_MACHINE if (debug_flag) printf("(%u) ********\tSTATE %s action %s live M-%s C-%s\t********\n", request->number, __FUNCTION__, action_codes[action], master_state_names[request->master_state], child_state_names[request->child_state])
76 static char const *master_state_names[REQUEST_MASTER_NUM_STATES] = {
83 static char const *child_state_names[REQUEST_CHILD_NUM_STATES] = {
94 #define TRACE_STATE_MACHINE {}
98 * Declare a state in the state machine.
101 #define STATE_MACHINE_DECL(_x) static void _x(REQUEST *request, int action)
103 #define STATE_MACHINE_TIMER(_x) request->timer_action = _x; \
104 fr_event_insert(el, request_timer, request, \
105 &when, &request->ev);
110 * @section request_timeline
112 * Time sequence of a request
115 * RQ-----------------P=============================Y-J-C
116 * ::::::::::::::::::::::::::::::::::::::::::::::::::::::::M
119 * - R: received. Duplicate detection is done, and request is
122 * - Q: Request is placed onto a queue for child threads to pick up.
123 * If there are no child threads, the request goes immediately
126 * - P: Processing the request through the modules.
128 * - Y: Reply is ready. Rejects MAY be delayed here. All other
129 * replies are sent immediately.
131 * - J: Reject is sent "response_delay" after the reply is ready.
133 * - C: For Access-Requests, After "cleanup_delay", the request is
134 * deleted. Accounting-Request packets go directly from Y to C.
136 * - M: Max request time. If the request hits this timer, it is
139 * Other considerations include duplicate and conflicting
140 * packets. When a dupicate packet is received, it is ignored
141 * until we've reached Y, as no response is ready. If the reply
142 * is a reject, duplicates are ignored until J, when we're ready
143 * to send the reply. In between the reply being sent (Y or J),
144 * and C, the server responds to duplicates by sending the cached
147 * Conflicting packets are sent in 2 situations.
149 * The first is in between R and Y. In that case, we consider
150 * it as a hint that we're taking too long, and the NAS has given
151 * up on the request. We then behave just as if the M timer was
152 * reached, and we discard the current request. This allows us
153 * to process the new one.
155 * The second case is when we're at Y, but we haven't yet
156 * finished processing the request. This is a race condition in
157 * the threading code (avoiding locks is faster). It means that
158 * a thread has actually encoded and sent the reply, and that the
159 * NAS has responded with a new packet. The server can then
160 * safely mark the current request as "OK to delete", and behaves
161 * just as if the M timer was reached. This usually happens only
162 * in high-load situations.
164 * Duplicate packets are sent when the NAS thinks we're taking
165 * too long, and wants a reply. From R-Y, duplicates are
166 * ignored. From Y-J (for Access-Rejects), duplicates are also
167 * ignored. From Y-C, duplicates get a duplicate reply. *And*,
168 * they cause the "cleanup_delay" time to be extended. This
169 * extension means that we're more likely to send a duplicate
170 * reply (if we have one), or to suppress processing the packet
171 * twice if we didn't reply to it.
173 * All functions in this file should be thread-safe, and should
174 * assume thet the REQUEST structure is being accessed
175 * simultaneously by the main thread, and by the child worker
176 * threads. This means that timers, etc. cannot be updated in
179 * Instead, the master thread periodically calls request->process
180 * with action TIMER. It's up to the individual functions to
181 * determine how to handle that. They need to check if they're
182 * being called from a child thread or the master, and then do
183 * different things based on that.
188 static fr_packet_list_t *proxy_list = NULL;
191 #ifdef HAVE_PTHREAD_H
193 static pthread_mutex_t proxy_mutex;
194 static rad_listen_t *proxy_listener_list = NULL;
195 static bool proxy_no_new_sockets = false;
198 #define PTHREAD_MUTEX_LOCK if (spawn_flag) pthread_mutex_lock
199 #define PTHREAD_MUTEX_UNLOCK if (spawn_flag) pthread_mutex_unlock
201 static pthread_t NO_SUCH_CHILD_PID;
202 #define NO_CHILD_THREAD request->child_pid = NO_SUCH_CHILD_PID
206 * This is easier than ifdef's throughout the code.
208 #define PTHREAD_MUTEX_LOCK(_x)
209 #define PTHREAD_MUTEX_UNLOCK(_x)
210 #define NO_CHILD_THREAD
214 * We need mutexes around the event FD list *only* in certain
217 #if defined (HAVE_PTHREAD_H) && (defined(WITH_PROXY) || defined(WITH_TCP))
218 static pthread_mutex_t fd_mutex;
219 #define FD_MUTEX_LOCK if (spawn_flag) pthread_mutex_lock
220 #define FD_MUTEX_UNLOCK if (spawn_flag) pthread_mutex_unlock
223 * This is easier than ifdef's throughout the code.
225 #define FD_MUTEX_LOCK(_x)
226 #define FD_MUTEX_UNLOCK(_x)
229 static int request_num_counter = 0;
231 static int request_will_proxy(REQUEST *request);
232 static int request_proxy(REQUEST *request, int retransmit);
233 STATE_MACHINE_DECL(proxy_wait_for_reply);
234 STATE_MACHINE_DECL(proxy_running);
235 static int process_proxy_reply(REQUEST *request);
236 static void remove_from_proxy_hash(REQUEST *request);
237 static void remove_from_proxy_hash_nl(REQUEST *request, bool yank);
238 static int insert_into_proxy_hash(REQUEST *request);
241 static REQUEST *request_setup(rad_listen_t *listener, RADIUS_PACKET *packet,
242 RADCLIENT *client, RAD_REQUEST_FUNP fun);
244 STATE_MACHINE_DECL(request_common);
246 #if defined(HAVE_PTHREAD_H) && !defined (NDEBUG)
247 static bool we_are_master(void)
250 (pthread_equal(pthread_self(), NO_SUCH_CHILD_PID) == 0)) {
256 #define ASSERT_MASTER if (!we_are_master()) rad_panic("We are not master")
259 #define we_are_master(_x) (1)
260 #define ASSERT_MASTER
263 STATE_MACHINE_DECL(request_response_delay);
264 STATE_MACHINE_DECL(request_cleanup_delay);
265 STATE_MACHINE_DECL(request_running);
267 static void request_coa_originate(REQUEST *request);
268 STATE_MACHINE_DECL(coa_running);
269 STATE_MACHINE_DECL(coa_wait_for_reply);
270 static void request_coa_separate(REQUEST *coa);
274 #define USEC (1000000)
276 #define INSERT_EVENT(_function, _ctx) if (!fr_event_insert(el, _function, _ctx, &((_ctx)->when), &((_ctx)->ev))) { _rad_panic(__FILE__, __LINE__, "Failed to insert event"); }
278 static void _rad_panic(char const *file, unsigned int line, char const *msg)
280 ERROR("[%s:%d] %s", file, line, msg);
287 #define rad_panic(x) _rad_panic(__FILE__, __LINE__, x)
289 static void tv_add(struct timeval *tv, int usec_delay)
291 if (usec_delay >= USEC) {
292 tv->tv_sec += usec_delay / USEC;
295 tv->tv_usec += usec_delay;
297 if (tv->tv_usec >= USEC) {
298 tv->tv_sec += tv->tv_usec / USEC;
304 * In daemon mode, AND this request has debug flags set.
306 #define DEBUG_PACKET if (!debug_flag && request->options && request->radlog) debug_packet
308 static void debug_packet(REQUEST *request, RADIUS_PACKET *packet, int direction)
313 char const *received, *from;
314 fr_ipaddr_t const *ip;
319 rad_assert(request->radlog != NULL);
321 if (direction == 0) {
322 received = "Received";
323 from = "from"; /* what else? */
324 ip = &packet->src_ipaddr;
325 port = packet->src_port;
328 received = "Sending";
329 from = "to"; /* hah! */
330 ip = &packet->dst_ipaddr;
331 port = packet->dst_port;
335 * Client-specific debugging re-prints the input
336 * packet into the client log.
338 * This really belongs in a utility library
340 if (is_radius_code(packet->code)) {
341 RDEBUG("%s %s packet %s host %s port %i, id=%i, length=%zu",
342 received, fr_packet_codes[packet->code], from,
343 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
344 port, packet->id, packet->data_len);
346 RDEBUG("%s packet %s host %s port %d code=%d, id=%d, length=%zu",
348 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
350 packet->code, packet->id, packet->data_len);
353 for (vp = fr_cursor_init(&cursor, &packet->vps);
355 vp = fr_cursor_next(&cursor)) {
356 vp_prints(buffer, sizeof(buffer), vp);
357 RDEBUG("\t%s", buffer);
362 /***********************************************************************
364 * Start of RADIUS server state machine.
366 ***********************************************************************/
369 * Callback for ALL timer events related to the request.
371 static void request_timer(void *ctx)
373 REQUEST *request = ctx;
374 int action = request->timer_action;
378 request->process(request, action);
381 #define USEC (1000000)
384 * Only ever called from the master thread.
386 STATE_MACHINE_DECL(request_done)
388 struct timeval now, when;
397 * CoA requests can be cleaned up in the child thread,
398 * but ONLY if they aren't tied into anything.
400 if (request->parent && (request->parent->coa == request)) {
401 rad_assert(!request->in_request_hash);
402 rad_assert(!request->in_proxy_hash);
403 rad_assert(action == FR_ACTION_DONE);
404 rad_assert(request->ev == NULL);
408 #ifdef HAVE_PTHREAD_H
410 * If called from a child thread, mark ourselves as done,
411 * and wait for the master thread timer to clean us up.
413 if (!we_are_master()) {
414 request->child_state = REQUEST_DONE;
422 * Move the CoA request to its own handler.
425 request_coa_separate(request->coa);
426 } else if (request->parent && (request->parent->coa == request)) {
427 request_coa_separate(request);
433 * It doesn't hurt to send duplicate replies. All other
434 * signals are ignored, as the request will be cleaned up
439 if (request->reply->code != 0) {
440 request->listener->send(request->listener, request);
446 * This is only called from the master thread
447 * when there is a child thread processing the
450 case FR_ACTION_CONFLICTING:
451 if (request->child_state == REQUEST_DONE) break;
454 * If there's a reply packet, then we presume
455 * that the child has sent the reply, and we get
456 * pinged here before the child has a chance to
459 if (request->reply->data) break;
461 RERROR("Received conflicting packet from "
462 "client %s port %d - ID: %u due to "
463 "unfinished request. Giving up on old request.",
464 request->client->shortname,
465 request->packet->src_port, request->packet->id);
469 * Called only when there's an error remembering
470 * the packet, or when the socket gets closed from
474 #ifdef HAVE_PTHREAD_H
476 * Do NOT set child_state to DONE if it's still in the queue.
478 if (we_are_master() && (request->child_state == REQUEST_QUEUED)) {
483 * If we have child threads and we're NOT the
484 * thread handling the request, don't do anything.
487 !pthread_equal(pthread_self(), request->child_pid)) {
491 #ifdef DEBUG_STATE_MACHINE
492 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n",
493 request->number, __FUNCTION__,
494 child_state_names[request->child_state],
495 child_state_names[REQUEST_DONE]);
497 request->child_state = REQUEST_DONE;
501 * Called when the child is taking too long to
502 * finish. We've already marked it "please
503 * stop", so we don't complain any more.
505 case FR_ACTION_TIMER:
510 * Child is still alive, and we're receiving more
511 * packets from the home server.
513 case FR_ACTION_PROXY_REPLY:
514 DEBUG2("Reply from home server %s port %d - ID: %d arrived too late for request %u. Try increasing 'retry_delay' or 'max_request_time'",
515 inet_ntop(request->proxy->src_ipaddr.af,
516 &request->proxy->src_ipaddr.ipaddr,
517 buffer, sizeof(buffer)),
518 request->proxy->dst_port, request->proxy->id,
524 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
529 * Remove it from the request hash.
531 if (request->in_request_hash) {
533 if (!fr_packet_list_yank(pl, request->packet)) {
536 request->in_request_hash = false;
541 * Wait for the proxy ID to expire. This allows us to
542 * avoid re-use of proxy IDs for a while.
544 if (request->in_proxy_hash) {
545 rad_assert(request->proxy != NULL);
547 fr_event_now(el, &now);
548 when = request->proxy->timestamp;
551 if (((request->proxy->code == PW_CODE_COA_REQUEST) ||
552 (request->proxy->code == PW_CODE_DISCONNECT_REQUEST)) &&
553 (request->packet->code != request->proxy->code)) {
554 when.tv_sec += request->home_server->coa_mrd;
557 when.tv_sec += request->home_server->response_window;
560 * We haven't received all responses, AND there's still
561 * time to wait. Do so.
563 if ((request->num_proxied_requests > request->num_proxied_responses) &&
565 (request->home_server->proto != IPPROTO_TCP) &&
567 timercmp(&now, &when, <)) {
568 RDEBUG("Waiting for more responses from the home server");
575 remove_from_proxy_hash(request);
579 #ifdef HAVE_PTHREAD_H
581 * If there's no children, we can mark the request as done.
584 request->child_state = REQUEST_DONE;
588 if (request->child_state != REQUEST_DONE) {
589 gettimeofday(&now, NULL);
594 #ifdef HAVE_PTHREAD_H
596 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0)) {
597 RDEBUG("Waiting for child thread to stop");
602 if (request->delay < (USEC / 3)) request->delay = USEC / 3;
603 tv_add(&when, request->delay);
604 request->delay += request->delay >> 1;
605 if (request->delay > (10 * USEC)) request->delay = 10 * USEC;
607 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
611 #ifdef HAVE_PTHREAD_H
612 rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
616 * @todo: do final states for TCP sockets, too?
618 request_stats_final(request);
620 if (request->listener) request->listener->count--;
623 if (request->packet) {
624 RDEBUG2("Cleaning up request packet ID %u with timestamp +%d",
626 (unsigned int) (request->timestamp - fr_start_time));
627 } /* else don't print anything */
629 if (request->ev) fr_event_delete(el, &request->ev);
631 request_free(&request);
635 static void request_cleanup_delay_init(REQUEST *request, struct timeval const *pnow)
637 struct timeval now, when;
639 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) goto done;
641 if (!request->root->cleanup_delay) goto done;
646 gettimeofday(&now, NULL);
649 rad_assert(request->reply->timestamp.tv_sec != 0);
650 when = request->reply->timestamp;
652 request->delay = request->root->cleanup_delay;
653 when.tv_sec += request->delay;
656 * Set timer for when we need to clean it up.
658 if (timercmp(&when, &now, >)) {
659 #ifdef DEBUG_STATE_MACHINE
660 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_cleanup_delay");
662 request->process = request_cleanup_delay;
663 request->child_state = REQUEST_DONE;
664 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
669 * Otherwise just clean it up.
672 request_done(request, FR_ACTION_DONE);
677 * Function to do all time-related events.
679 static void request_process_timer(REQUEST *request)
681 struct timeval now, when;
682 rad_assert(request->magic == REQUEST_MAGIC);
683 #ifdef DEBUG_STATE_MACHINE
684 int action = FR_ACTION_TIMER;
692 * If we originated a CoA request, divorce it from the
693 * parent. Then, set up the timers so that we can clean
694 * it up as appropriate.
696 if (request->coa) request_coa_separate(request->coa);
699 * If we're the request, OR it isn't originating a CoA
700 * request, check more things.
702 if (!request->proxy || (request->packet->code == request->proxy->code))
705 rad_assert(request->listener != NULL);
708 * The socket was closed. Tell the request that
709 * there is no point in continuing.
711 if (request->listener->status != RAD_LISTEN_STATUS_KNOWN) {
712 if ((request->master_state == REQUEST_ACTIVE) &&
713 (request->child_state < REQUEST_RESPONSE_DELAY)) {
714 WDEBUG("Socket was closed while processing request %u: Stopping it.", request->number);
715 request->master_state = REQUEST_STOP_PROCESSING;
720 gettimeofday(&now, NULL);
723 * The request was forcibly stopped.
725 if (request->master_state == REQUEST_STOP_PROCESSING) {
726 switch (request->child_state) {
728 case REQUEST_RUNNING:
729 #ifdef HAVE_PTHREAD_H
730 rad_assert(spawn_flag == true);
735 * Sleep for some more. We HOPE that the
736 * child will become responsive at some
737 * point in the future.
740 tv_add(&when, request->delay);
741 request->delay += request->delay >> 1;
742 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
746 * These should all be managed by the master thread
749 case REQUEST_PROXIED:
751 case REQUEST_RESPONSE_DELAY:
752 case REQUEST_CLEANUP_DELAY:
755 request_done(request, FR_ACTION_DONE);
760 rad_assert(request->master_state == REQUEST_ACTIVE);
763 * It's still supposed to be running.
765 switch (request->child_state) {
767 case REQUEST_RUNNING:
769 case REQUEST_PROXIED:
771 when = request->packet->timestamp;
772 when.tv_sec += request->root->max_request_time;
775 * Taking too long: tell it to die.
777 if (timercmp(&now, &when, >=)) {
778 #ifdef HAVE_PTHREAD_H
780 * If there's a child thread processing it,
784 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0)) {
785 ERROR("Unresponsive child for request %u, in component %s module %s",
787 request->component ? request->component : "<core>",
788 request->module ? request->module : "<core>");
789 exec_trigger(request, NULL, "server.thread.unresponsive", true);
792 request->master_state = REQUEST_STOP_PROCESSING;
797 * We should wait for the proxy reply.
799 if (request->child_state == REQUEST_PROXIED) {
800 if (request->proxy_reply) {
801 request->process = proxy_running;
803 request->process = proxy_wait_for_reply;
809 * If the request has been told to die, we wait.
810 * Otherwise, we wait for the child thread to
815 case REQUEST_RESPONSE_DELAY:
816 rad_assert(request->response_delay > 0);
818 rad_assert(!request->proxy || (request->packet->code == request->proxy->code));
821 request->process = request_response_delay;
823 when = request->reply->timestamp;
825 tv_add(&when, request->response_delay * USEC);
827 if (timercmp(&when, &now, >)) {
828 #ifdef DEBUG_STATE_MACHINE
829 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_response_delay");
831 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
833 } /* else it's time to send the reject */
835 RDEBUG2("Sending delayed response");
836 DEBUG_PACKET(request, request->reply, 1);
837 request->listener->send(request->listener, request);
838 request->child_state = REQUEST_CLEANUP_DELAY;
841 case REQUEST_CLEANUP_DELAY:
842 rad_assert(request->root->cleanup_delay > 0);
845 rad_assert(!request->proxy || (request->packet->code == request->proxy->code));
848 request->process = request_cleanup_delay;
850 when = request->reply->timestamp;
851 when.tv_sec += request->root->cleanup_delay;
853 if (timercmp(&when, &now, >)) {
854 #ifdef DEBUG_STATE_MACHINE
855 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_cleanup_delay");
857 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
859 } /* else it's time to clean up */
868 static void request_queue_or_run(UNUSED REQUEST *request,
869 fr_request_process_t process)
871 #ifdef DEBUG_STATE_MACHINE
872 int action = FR_ACTION_TIMER;
878 * Do this here so that fewer other functions need to do
881 if (request->master_state == REQUEST_STOP_PROCESSING) {
882 #ifdef DEBUG_STATE_MACHINE
883 if (debug_flag) printf("(%u) ********\tSTATE %s M-%s causes C-%s-> C-%s\t********\n",
884 request->number, __FUNCTION__,
885 master_state_names[request->master_state],
886 child_state_names[request->child_state],
887 child_state_names[REQUEST_DONE]);
889 request_done(request, FR_ACTION_DONE);
893 request->process = process;
895 if (we_are_master()) {
899 * (re) set the initial delay.
901 request->delay = USEC / 3;
902 gettimeofday(&when, NULL);
903 tv_add(&when, request->delay);
904 request->delay += request->delay >> 1;
906 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
908 #ifdef HAVE_PTHREAD_H
911 * A child thread will eventually pick it up.
913 if (request_enqueue(request)) return;
916 * Otherwise we're not going to do anything with
919 request_done(request, FR_ACTION_DONE);
925 request->child_state = REQUEST_RUNNING;
926 request->process(request, FR_ACTION_RUN);
930 * Requests that care about child process exit
931 * codes have already either called
932 * rad_waitpid(), or they've given up.
934 while (waitpid(-1, NULL, WNOHANG) > 0);
938 STATE_MACHINE_DECL(request_common)
948 * Bail out as early as possible.
950 if (request->master_state == REQUEST_STOP_PROCESSING) {
951 request_done(request, FR_ACTION_DONE);
959 * We're still waiting for a proxy reply.
961 if (request->child_state == REQUEST_PROXIED) {
962 proxy_wait_for_reply(request, action);
967 ERROR("(%u) Discarding duplicate request from "
968 "client %s port %d - ID: %u due to unfinished request",
969 request->number, request->client->shortname,
970 request->packet->src_port,request->packet->id);
973 case FR_ACTION_CONFLICTING:
975 * We're in the master thread, ask the child to
976 * stop processing the request.
978 request_done(request, action);
981 case FR_ACTION_TIMER:
982 request_process_timer(request);
986 case FR_ACTION_PROXY_REPLY:
987 DEBUG2("Reply from home server %s port %d - ID: %d arrived too late for request %u. Try increasing 'retry_delay' or 'max_request_time'",
988 inet_ntop(request->proxy->src_ipaddr.af,
989 &request->proxy->src_ipaddr.ipaddr,
990 buffer, sizeof(buffer)),
991 request->proxy->dst_port, request->proxy->id,
997 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1002 STATE_MACHINE_DECL(request_cleanup_delay)
1004 struct timeval when;
1006 TRACE_STATE_MACHINE;
1011 if (request->reply->code != 0) {
1012 request->listener->send(request->listener, request);
1014 RDEBUG("No reply. Ignoring retransmit.");
1018 * Double the cleanup_delay to catch retransmits.
1020 when = request->reply->timestamp;
1021 request->delay += request->delay ;
1022 when.tv_sec += request->delay;
1024 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
1028 case FR_ACTION_PROXY_REPLY:
1030 case FR_ACTION_CONFLICTING:
1031 case FR_ACTION_TIMER:
1032 request_common(request, action);
1036 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1041 STATE_MACHINE_DECL(request_response_delay)
1043 TRACE_STATE_MACHINE;
1048 ERROR("(%u) Discarding duplicate request from "
1049 "client %s port %d - ID: %u due to delayed response",
1050 request->number, request->client->shortname,
1051 request->packet->src_port,request->packet->id);
1055 case FR_ACTION_PROXY_REPLY:
1057 case FR_ACTION_CONFLICTING:
1058 case FR_ACTION_TIMER:
1059 request_common(request, action);
1063 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1069 static int request_pre_handler(REQUEST *request, UNUSED int action)
1071 TRACE_STATE_MACHINE;
1075 if (request->master_state == REQUEST_STOP_PROCESSING) return 0;
1078 * Don't decode the packet if it's an internal "fake"
1079 * request. Instead, just return so that the caller can
1082 if (request->packet->dst_port == 0) {
1083 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1084 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
1090 * Put the decoded packet into it's proper place.
1092 if (request->proxy_reply != NULL) {
1094 * There may be a proxy reply, but it may be too late.
1096 if (!request->proxy_listener) return 0;
1098 rcode = request->proxy_listener->decode(request->proxy_listener, request);
1099 DEBUG_PACKET(request, request->proxy_reply, 0);
1102 * Pro-actively remove it from the proxy hash.
1103 * This is later than in 2.1.x, but it means that
1104 * the replies are authenticated before being
1105 * removed from the hash.
1108 (request->num_proxied_requests <= request->num_proxied_responses)) {
1109 remove_from_proxy_hash(request);
1114 if (request->packet->vps == NULL) {
1115 rcode = request->listener->decode(request->listener, request);
1118 if (debug_condition) {
1120 * Ignore parse errors.
1122 if (radius_evaluate_cond(request, RLM_MODULE_OK, 0, debug_condition)) {
1123 request->options = 2;
1124 request->radlog = vradlog_request;
1129 DEBUG_PACKET(request, request->packet, 0);
1135 RDEBUG("Dropping packet without response because of error: %s", fr_strerror());
1136 request->reply->offset = -2; /* bad authenticator */
1140 if (!request->username) {
1141 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1145 if (action == FR_ACTION_PROXY_REPLY) {
1146 return process_proxy_reply(request);
1153 STATE_MACHINE_DECL(request_finish)
1157 TRACE_STATE_MACHINE;
1159 (void) action; /* -Wunused */
1161 if (request->master_state == REQUEST_STOP_PROCESSING) return;
1164 * Don't send replies if there are none to send.
1166 if (!request->in_request_hash) {
1168 if ((request->listener->type == RAD_LISTEN_AUTH)
1169 #ifdef WITH_ACCOUNTING
1170 || (request->listener->type == RAD_LISTEN_ACCT)
1173 listen_socket_t *sock = request->listener->data;
1175 if (sock->proto == IPPROTO_UDP) return;
1178 * TCP packets aren't in the request
1188 * Override the response code if a control:Response-Packet-Type attribute is present.
1190 vp = pairfind(request->config_items, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY);
1192 if (vp->vp_integer == 256) {
1193 RDEBUG2("Not responding to request");
1194 request->reply->code = 0;
1196 request->reply->code = vp->vp_integer;
1200 * Catch Auth-Type := Reject BEFORE proxying the packet.
1202 else if (request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
1203 if (request->reply->code == 0) {
1204 vp = pairfind(request->config_items, PW_AUTH_TYPE, 0, TAG_ANY);
1206 if (!vp || (vp->vp_integer != PW_CODE_AUTHENTICATION_REJECT)) {
1207 RDEBUG2("There was no response configured: "
1208 "rejecting request");
1211 request->reply->code = PW_CODE_AUTHENTICATION_REJECT;
1216 * Copy Proxy-State from the request to the reply.
1218 vp = paircopy2(request->reply, request->packet->vps,
1219 PW_PROXY_STATE, 0, TAG_ANY);
1220 if (vp) pairadd(&request->reply->vps, vp);
1222 switch (request->reply->code) {
1223 case PW_CODE_AUTHENTICATION_ACK:
1224 rad_postauth(request);
1226 case PW_CODE_ACCESS_CHALLENGE:
1227 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0,
1229 vp = pairmake_config("Post-Auth-Type", "Challenge", T_OP_SET);
1230 if (vp) rad_postauth(request);
1237 * Run rejected packets through
1239 * Post-Auth-Type = Reject
1241 * We do this separately so ACK and challenge can change the code
1242 * to reject if a module returns reject.
1244 if (request->reply->code == PW_CODE_AUTHENTICATION_REJECT) {
1245 pairdelete(&request->config_items, PW_POST_AUTH_TYPE, 0, TAG_ANY);
1246 vp = pairmake_config("Post-Auth-Type", "Reject", T_OP_SET);
1247 if (vp) rad_postauth(request);
1251 * Clean up. These are no longer needed.
1253 pairfree(&request->config_items);
1255 pairfree(&request->packet->vps);
1256 request->username = NULL;
1257 request->password = NULL;
1260 if (request->proxy) {
1261 pairfree(&request->proxy->vps);
1263 if (request->proxy_reply) {
1264 pairfree(&request->proxy_reply->vps);
1268 gettimeofday(&request->reply->timestamp, NULL);
1271 * See if we need to delay an Access-Reject packet.
1273 if ((request->reply->code == PW_CODE_AUTHENTICATION_REJECT) &&
1274 (request->root->reject_delay > 0)) {
1275 request->response_delay = request->root->reject_delay;
1281 if (!request->response_delay) {
1282 DEBUG_PACKET(request, request->reply, 1);
1283 request->listener->send(request->listener,
1285 pairfree(&request->reply->vps);
1287 RDEBUG2("Finished request");
1288 #ifdef WITH_ACCOUNTING
1289 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
1291 request->child_state = REQUEST_DONE;
1295 if (request->root->cleanup_delay == 0) {
1297 request->child_state = REQUEST_DONE;
1300 request->child_state = REQUEST_CLEANUP_DELAY;
1303 RDEBUG2("Delaying response for %d seconds",
1304 request->response_delay);
1306 request->child_state = REQUEST_RESPONSE_DELAY;
1310 STATE_MACHINE_DECL(request_running)
1312 TRACE_STATE_MACHINE;
1315 case FR_ACTION_TIMER:
1316 request_process_timer(request);
1319 case FR_ACTION_CONFLICTING:
1321 request_common(request, action);
1326 * This can happen due to a race condition where
1327 * we send a proxied request, and immediately get
1328 * another reply, before the timer has a chance
1329 * to update the various states.
1331 case FR_ACTION_PROXY_REPLY:
1332 request->child_state = REQUEST_RUNNING;
1333 request->process = proxy_running;
1338 if (!request_pre_handler(request, action)) {
1339 #ifdef DEBUG_STATE_MACHINE
1340 if (debug_flag) printf("(%u) ********\tSTATE %s failed in pre-handler C-%s -> C-%s\t********\n",
1341 request->number, __FUNCTION__,
1342 child_state_names[request->child_state],
1343 child_state_names[REQUEST_DONE]);
1347 request->child_state = REQUEST_DONE;
1351 rad_assert(request->handle != NULL);
1352 request->handle(request);
1356 * We may need to send a proxied request.
1358 if ((action == FR_ACTION_RUN) &&
1359 request_will_proxy(request)) {
1360 #ifdef DEBUG_STATE_MACHINE
1361 if (debug_flag) printf("(%u) ********\tWill Proxy\t********\n", request->number);
1365 * takes care of setting
1366 * up the post proxy fail
1369 if (request_proxy(request, 0) < 0) goto finished;
1373 #ifdef DEBUG_STATE_MACHINE
1374 if (debug_flag) printf("(%u) ********\tFinished\t********\n", request->number);
1379 * Maybe originate a CoA request.
1381 if ((action == FR_ACTION_RUN) && request->coa) {
1382 request_coa_originate(request);
1389 request_finish(request, action);
1394 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
1399 int request_receive(rad_listen_t *listener, RADIUS_PACKET *packet,
1400 RADCLIENT *client, RAD_REQUEST_FUNP fun)
1403 RADIUS_PACKET **packet_p;
1404 REQUEST *request = NULL;
1406 listen_socket_t *sock = NULL;
1409 * Set the last packet received.
1411 gettimeofday(&now, NULL);
1413 #ifdef WITH_ACCOUNTING
1414 if (listener->type != RAD_LISTEN_DETAIL)
1417 sock = listener->data;
1418 sock->last_packet = now.tv_sec;
1420 packet->timestamp = now;
1423 * Skip everything if required.
1425 if (listener->nodup) goto skip_dup;
1427 packet_p = fr_packet_list_find(pl, packet);
1429 request = fr_packet2myptr(REQUEST, packet, packet_p);
1430 rad_assert(request->in_request_hash);
1433 * Same src/dst ip/port, length, and
1434 * authentication vector: must be a duplicate.
1436 if ((request->packet->data_len == packet->data_len) &&
1437 (memcmp(request->packet->vector, packet->vector,
1438 sizeof(packet->vector)) == 0)) {
1441 switch (packet->code) {
1442 case PW_CODE_AUTHENTICATION_REQUEST:
1443 FR_STATS_INC(auth, total_dup_requests);
1446 #ifdef WITH_ACCOUNTING
1447 case PW_CODE_ACCOUNTING_REQUEST:
1448 FR_STATS_INC(acct, total_dup_requests);
1452 case PW_CODE_COA_REQUEST:
1453 FR_STATS_INC(coa, total_dup_requests);
1456 case PW_CODE_DISCONNECT_REQUEST:
1457 FR_STATS_INC(dsc, total_dup_requests);
1464 #endif /* WITH_STATS */
1466 request->process(request, FR_ACTION_DUP);
1471 * Say we're ignoring the old one, and continue
1472 * to process the new one.
1474 request->process(request, FR_ACTION_CONFLICTING);
1479 * Quench maximum number of outstanding requests.
1481 if (mainconfig.max_requests &&
1482 ((count = fr_packet_list_num_elements(pl)) > mainconfig.max_requests)) {
1483 static time_t last_complained = 0;
1485 if (last_complained == now.tv_sec) return 0;
1487 last_complained = now.tv_sec;
1489 ERROR("Dropping request (%d is too many): from client %s port %d - ID: %d", count,
1491 packet->src_port, packet->id);
1492 WARN("Please check the configuration file.\n"
1493 "\tThe value for 'max_requests' is probably set too low.\n");
1495 exec_trigger(NULL, NULL, "server.max_requests", true);
1501 * Rate-limit the incoming packets
1503 if (sock && sock->max_rate) {
1506 pps = rad_pps(&sock->rate_pps_old, &sock->rate_pps_now,
1507 &sock->rate_time, &now);
1509 if (pps > sock->max_rate) {
1510 DEBUG("Dropping request due to rate limiting");
1513 sock->rate_pps_now++;
1516 request = request_setup(listener, packet, client, fun);
1517 if (!request) return 1;
1520 * Remember the request in the list.
1522 if (!listener->nodup) {
1523 if (!fr_packet_list_insert(pl, &request->packet)) {
1524 RERROR("Failed to insert request in the list of live requests: discarding it");
1525 request_done(request, FR_ACTION_DONE);
1529 request->in_request_hash = true;
1533 * Process it. Send a response, and free it.
1535 if (listener->synchronous) {
1536 request->listener->decode(request->listener, request);
1537 request->username = pairfind(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
1538 request->password = pairfind(request->packet->vps, PW_USER_PASSWORD, 0, TAG_ANY);
1541 request->listener->send(request->listener, request);
1542 request_free(&request);
1547 * Otherwise, insert it into the state machine.
1548 * The child threads will take care of processing it.
1550 request_queue_or_run(request, request_running);
1556 static REQUEST *request_setup(rad_listen_t *listener, RADIUS_PACKET *packet,
1557 RADCLIENT *client, RAD_REQUEST_FUNP fun)
1562 * Create and initialize the new request.
1564 request = request_alloc(NULL);
1565 request->reply = rad_alloc(request, 0);
1566 if (!request->reply) {
1568 request_free(&request);
1572 request->listener = listener;
1573 request->client = client;
1574 request->packet = talloc_steal(request, packet);
1575 request->number = request_num_counter++;
1576 request->priority = listener->type;
1577 request->master_state = REQUEST_ACTIVE;
1578 #ifdef DEBUG_STATE_MACHINE
1579 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n",
1580 request->number, __FUNCTION__,
1581 child_state_names[request->child_state],
1582 child_state_names[REQUEST_RUNNING]);
1584 request->child_state = REQUEST_RUNNING;
1585 request->handle = fun;
1589 request->listener->stats.last_packet = request->packet->timestamp.tv_sec;
1590 if (packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
1591 request->client->auth.last_packet = request->packet->timestamp.tv_sec;
1592 radius_auth_stats.last_packet = request->packet->timestamp.tv_sec;
1593 #ifdef WITH_ACCOUNTING
1594 } else if (packet->code == PW_CODE_ACCOUNTING_REQUEST) {
1595 request->client->acct.last_packet = request->packet->timestamp.tv_sec;
1596 radius_acct_stats.last_packet = request->packet->timestamp.tv_sec;
1599 #endif /* WITH_STATS */
1602 * Status-Server packets go to the head of the queue.
1604 if (request->packet->code == PW_CODE_STATUS_SERVER) request->priority = 0;
1607 * Set virtual server identity
1609 if (client->server) {
1610 request->server = client->server;
1611 } else if (listener->server) {
1612 request->server = listener->server;
1614 request->server = NULL;
1617 request->root = &mainconfig;
1619 request->listener->count++;
1623 * The request passes many of our sanity checks.
1624 * From here on in, if anything goes wrong, we
1625 * send a reject message, instead of dropping the
1630 * Build the reply template from the request.
1633 request->reply->sockfd = request->packet->sockfd;
1634 request->reply->dst_ipaddr = request->packet->src_ipaddr;
1635 request->reply->src_ipaddr = request->packet->dst_ipaddr;
1636 request->reply->dst_port = request->packet->src_port;
1637 request->reply->src_port = request->packet->dst_port;
1638 request->reply->id = request->packet->id;
1639 request->reply->code = 0; /* UNKNOWN code */
1640 memcpy(request->reply->vector, request->packet->vector,
1641 sizeof(request->reply->vector));
1642 request->reply->vps = NULL;
1643 request->reply->data = NULL;
1644 request->reply->data_len = 0;
1650 /***********************************************************************
1654 ***********************************************************************/
1657 * Timer function for all TCP sockets.
1659 static void tcp_socket_timer(void *ctx)
1661 rad_listen_t *listener = ctx;
1662 listen_socket_t *sock = listener->data;
1663 struct timeval end, now;
1665 fr_socket_limit_t *limit;
1667 fr_event_now(el, &now);
1669 if (listener->status != RAD_LISTEN_STATUS_KNOWN) return;
1671 switch (listener->type) {
1673 case RAD_LISTEN_PROXY:
1674 limit = &sock->home->limit;
1678 case RAD_LISTEN_AUTH:
1679 #ifdef WITH_ACCOUNTING
1680 case RAD_LISTEN_ACCT:
1682 limit = &sock->limit;
1690 * If we enforce a lifetime, do it now.
1692 if (limit->lifetime > 0) {
1693 end.tv_sec = sock->opened + limit->lifetime;
1696 if (timercmp(&end, &now, <=)) {
1697 listener->print(listener, buffer, sizeof(buffer));
1698 DEBUG("Reached maximum lifetime on socket %s", buffer);
1702 listener->status = RAD_LISTEN_STATUS_EOL;
1703 event_new_fd(listener);
1712 * Enforce an idle timeout.
1714 if (limit->idle_timeout > 0) {
1715 struct timeval idle;
1717 rad_assert(sock->last_packet != 0);
1718 idle.tv_sec = sock->last_packet + limit->idle_timeout;
1721 if (timercmp(&idle, &now, <=)) {
1722 listener->print(listener, buffer, sizeof(buffer));
1723 DEBUG("Reached idle timeout on socket %s", buffer);
1728 * Enforce the minimum of idle timeout or lifetime.
1730 if (timercmp(&idle, &end, <)) {
1736 * Wake up at t + 0.5s. The code above checks if the timers
1737 * are <= t. This addition gives us a bit of leeway.
1739 end.tv_usec = USEC / 2;
1741 if (!fr_event_insert(el, tcp_socket_timer, listener, &end, &sock->ev)) {
1742 rad_panic("Failed to insert event");
1749 * Add +/- 2s of jitter, as suggested in RFC 3539
1752 static void add_jitter(struct timeval *when)
1759 jitter ^= (jitter >> 10);
1760 jitter &= ((1 << 22) - 1); /* 22 bits of 1 */
1763 * Add in ~ (4 * USEC) of jitter.
1765 tv_add(when, jitter);
1769 * Called by socket_del to remove requests with this socket
1771 static int eol_proxy_listener(void *ctx, void *data)
1773 rad_listen_t *this = ctx;
1774 RADIUS_PACKET **proxy_p = data;
1777 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
1778 if (request->proxy_listener != this) return 0;
1781 * The normal "remove_from_proxy_hash" tries to grab the
1782 * proxy mutex. We already have it held, so grabbing it
1783 * again will cause a deadlock. Instead, call the "no
1784 * lock" version of the function.
1786 rad_assert(request->in_proxy_hash == true);
1787 remove_from_proxy_hash_nl(request, false);
1790 * Don't mark it as DONE. The client can retransmit, and
1791 * the packet SHOULD be re-proxied somewhere else.
1793 * Return "2" means that the rbtree code will remove it
1794 * from the tree, and we don't need to do it ourselves.
1798 #endif /* WITH_PROXY */
1800 static int eol_listener(void *ctx, void *data)
1802 rad_listen_t *this = ctx;
1803 RADIUS_PACKET **packet_p = data;
1806 request = fr_packet2myptr(REQUEST, packet, packet_p);
1807 if (request->listener != this) return 0;
1809 request->master_state = REQUEST_STOP_PROCESSING;
1813 #endif /* WITH_TCP */
1816 /***********************************************************************
1818 * Proxy handlers for the state machine.
1820 ***********************************************************************/
1823 * Called with the proxy mutex held
1825 static void remove_from_proxy_hash_nl(REQUEST *request, bool yank)
1827 if (!request->in_proxy_hash) return;
1829 fr_packet_list_id_free(proxy_list, request->proxy, yank);
1830 request->in_proxy_hash = false;
1833 * On the FIRST reply, decrement the count of outstanding
1834 * requests. Note that this is NOT the count of sent
1835 * packets, but whether or not the home server has
1838 if (request->home_server &&
1839 request->home_server->currently_outstanding) {
1840 request->home_server->currently_outstanding--;
1843 * If we're NOT sending it packets, then we don't know
1844 * if it's alive or dead.
1846 if ((request->home_server->currently_outstanding == 0) &&
1847 (request->home_server->state == HOME_STATE_ALIVE)) {
1848 request->home_server->state = HOME_STATE_UNKNOWN;
1849 request->home_server->last_packet_sent = 0;
1850 request->home_server->last_packet_recv = 0;
1855 rad_assert(request->proxy_listener != NULL);
1856 request->proxy_listener->count--;
1858 request->proxy_listener = NULL;
1861 * Got from YES in hash, to NO, not in hash while we hold
1862 * the mutex. This guarantees that when another thread
1863 * grabs the mutex, the "not in hash" flag is correct.
1865 RDEBUG3("proxy: request is no longer in proxy hash");
1868 static void remove_from_proxy_hash(REQUEST *request)
1871 * Check this without grabbing the mutex because it's a
1872 * lot faster that way.
1874 if (!request->in_proxy_hash) return;
1877 * The "not in hash" flag is definitive. However, if the
1878 * flag says that it IS in the hash, there might still be
1879 * a race condition where it isn't.
1881 PTHREAD_MUTEX_LOCK(&proxy_mutex);
1883 if (!request->in_proxy_hash) {
1884 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1888 remove_from_proxy_hash_nl(request, true);
1890 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1893 static int insert_into_proxy_hash(REQUEST *request)
1897 void *proxy_listener;
1899 rad_assert(request->proxy != NULL);
1900 rad_assert(request->home_server != NULL);
1901 rad_assert(proxy_list != NULL);
1904 PTHREAD_MUTEX_LOCK(&proxy_mutex);
1905 proxy_listener = NULL;
1906 request->num_proxied_requests = 1;
1907 request->num_proxied_responses = 0;
1909 for (tries = 0; tries < 2; tries++) {
1912 RDEBUG3("proxy: Trying to allocate ID (%d/2)", tries);
1913 rcode = fr_packet_list_id_alloc(proxy_list,
1914 request->home_server->proto,
1915 &request->proxy, &proxy_listener);
1916 if ((debug_flag > 2) && (rcode == 0)) {
1917 RDEBUG("proxy: Failed allocating ID: %s", fr_strerror());
1919 if (rcode > 0) break;
1920 if (tries > 0) continue; /* try opening new socket only once */
1922 #ifdef HAVE_PTHREAD_H
1923 if (proxy_no_new_sockets) break;
1926 RDEBUG3("proxy: Trying to open a new listener to the home server");
1927 this = proxy_new_listener(request->home_server, 0);
1929 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1933 request->proxy->src_port = 0; /* Use any new socket */
1934 proxy_listener = this;
1937 * Add it to the event loop (and to the packet list)
1938 * before we try to grab another Id.
1940 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1941 if (!event_new_fd(this)) {
1942 RDEBUG3("proxy: Failed inserting new socket into event loop");
1946 PTHREAD_MUTEX_LOCK(&proxy_mutex);
1949 if (!proxy_listener || (rcode == 0)) {
1950 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1951 REDEBUG2("proxy: Failed allocating Id for proxied request");
1953 request->proxy_listener = NULL;
1954 request->in_proxy_hash = false;
1958 rad_assert(request->proxy->id >= 0);
1960 request->proxy_listener = proxy_listener;
1961 request->in_proxy_hash = true;
1962 RDEBUG3("proxy: request is now in proxy hash");
1965 * Keep track of maximum outstanding requests to a
1966 * particular home server. 'max_outstanding' is
1967 * enforced in home_server_ldb(), in realms.c.
1969 request->home_server->currently_outstanding++;
1972 request->proxy_listener->count++;
1975 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1977 RDEBUG3(" proxy: allocating destination %s port %d - Id %d",
1978 inet_ntop(request->proxy->dst_ipaddr.af,
1979 &request->proxy->dst_ipaddr.ipaddr, buf, sizeof(buf)),
1980 request->proxy->dst_port,
1981 request->proxy->id);
1986 static int process_proxy_reply(REQUEST *request)
1989 int post_proxy_type = 0;
1993 * Delete any reply we had accumulated until now.
1995 pairfree(&request->reply->vps);
1998 * Run the packet through the post-proxy stage,
1999 * BEFORE playing games with the attributes.
2001 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2004 * If we have a proxy_reply, and it was a reject, setup
2005 * post-proxy-type Reject
2007 if (!vp && request->proxy_reply &&
2008 request->proxy_reply->code == PW_CODE_AUTHENTICATION_REJECT) {
2011 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Reject");
2013 vp = radius_paircreate(request, &request->config_items,
2014 PW_POST_PROXY_TYPE, 0);
2016 vp->vp_integer = dval->value;
2021 post_proxy_type = vp->vp_integer;
2023 RDEBUG2(" Found Post-Proxy-Type %s",
2024 dict_valnamebyattr(PW_POST_PROXY_TYPE, 0,
2028 if (request->home_pool && request->home_pool->virtual_server) {
2029 char const *old_server = request->server;
2031 request->server = request->home_pool->virtual_server;
2032 RDEBUG2(" server %s {", request->server);
2033 rcode = process_post_proxy(post_proxy_type, request);
2035 request->server = old_server;
2037 rcode = process_post_proxy(post_proxy_type, request);
2041 if (request->packet->code == request->proxy->code)
2043 * Don't run the next bit if we originated a CoA
2044 * packet, after receiving an Access-Request or
2045 * Accounting-Request.
2050 * There may NOT be a proxy reply, as we may be
2051 * running Post-Proxy-Type = Fail.
2053 if (request->proxy_reply) {
2055 * Delete the Proxy-State Attributes from
2056 * the reply. These include Proxy-State
2057 * attributes from us and remote server.
2059 pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE, 0, TAG_ANY);
2062 * Add the attributes left in the proxy
2063 * reply to the reply list.
2065 pairfilter(request->reply, &request->reply->vps,
2066 &request->proxy_reply->vps, 0, 0, TAG_ANY);
2069 * Free proxy request pairs.
2071 pairfree(&request->proxy->vps);
2075 default: /* Don't do anything */
2077 case RLM_MODULE_FAIL:
2080 case RLM_MODULE_HANDLED:
2087 int request_proxy_reply(RADIUS_PACKET *packet)
2089 RADIUS_PACKET **proxy_p;
2094 PTHREAD_MUTEX_LOCK(&proxy_mutex);
2095 proxy_p = fr_packet_list_find_byreply(proxy_list, packet);
2098 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2099 PROXY( "No outstanding request was found for reply from host %s port %d - ID %u",
2100 inet_ntop(packet->src_ipaddr.af,
2101 &packet->src_ipaddr.ipaddr,
2102 buffer, sizeof(buffer)),
2103 packet->src_port, packet->id);
2107 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
2108 request->num_proxied_responses++; /* needs to be protected by lock */
2110 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
2113 * No reply, BUT the current packet fails verification:
2114 * ignore it. This does the MD5 calculations in the
2115 * server core, but I guess we can fix that later.
2117 if (!request->proxy_reply &&
2118 (rad_verify(packet, request->proxy,
2119 request->home_server->secret) != 0)) {
2120 DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
2125 * The home server sent us a packet which doesn't match
2126 * something we have: ignore it. This is done only to
2127 * catch the case of broken systems.
2129 if (request->proxy_reply &&
2130 (memcmp(request->proxy_reply->vector,
2132 sizeof(request->proxy_reply->vector)) != 0)) {
2133 RDEBUG2("Ignoring conflicting proxy reply");
2137 gettimeofday(&now, NULL);
2140 * Status-Server packets don't count as real packets.
2142 if (request->proxy->code != PW_CODE_STATUS_SERVER) {
2143 listen_socket_t *sock = request->proxy_listener->data;
2145 request->home_server->last_packet_recv = now.tv_sec;
2146 sock->last_packet = now.tv_sec;
2150 * If we have previously seen a reply, ignore the
2153 if (request->proxy_reply) {
2154 RDEBUG2("Discarding duplicate reply from host %s port %d - ID: %d",
2155 inet_ntop(packet->src_ipaddr.af,
2156 &packet->src_ipaddr.ipaddr,
2157 buffer, sizeof(buffer)),
2158 packet->src_port, packet->id);
2163 * Call the state machine to do something useful with the
2166 request->proxy_reply = packet;
2167 packet->timestamp = now;
2168 request->priority = RAD_LISTEN_PROXY;
2171 * We've received a reply. If we hadn't been sending it
2172 * packets for a while, just mark it alive.
2174 if (request->home_server->state == HOME_STATE_UNKNOWN) {
2175 request->home_server->state = HOME_STATE_ALIVE;
2179 request->home_server->stats.last_packet = packet->timestamp.tv_sec;
2180 request->proxy_listener->stats.last_packet = packet->timestamp.tv_sec;
2182 if (request->proxy->code == PW_CODE_AUTHENTICATION_REQUEST) {
2183 proxy_auth_stats.last_packet = packet->timestamp.tv_sec;
2184 #ifdef WITH_ACCOUNTING
2185 } else if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
2186 proxy_acct_stats.last_packet = packet->timestamp.tv_sec;
2189 #endif /* WITH_STATS */
2193 * When we originate CoA requests, we patch them in here
2194 * so that they don't affect the rest of the state
2197 if (request->parent) {
2198 rad_assert(request->parent->coa == request);
2199 rad_assert((request->proxy->code == PW_CODE_COA_REQUEST) ||
2200 (request->proxy->code == PW_CODE_DISCONNECT_REQUEST));
2201 rad_assert(request->process != NULL);
2202 request_coa_separate(request);
2206 request->process(request, FR_ACTION_PROXY_REPLY);
2212 static int setup_post_proxy_fail(REQUEST *request)
2214 DICT_VALUE const *dval = NULL;
2217 if (request->proxy->code == PW_CODE_AUTHENTICATION_REQUEST) {
2218 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0,
2219 "Fail-Authentication");
2221 } else if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
2222 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0,
2225 } else if (request->proxy->code == PW_CODE_COA_REQUEST) {
2226 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail-CoA");
2228 } else if (request->proxy->code == PW_CODE_DISCONNECT_REQUEST) {
2229 dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail-Disconnect");
2232 WDEBUG("Unknown packet type in Post-Proxy-Type Fail: ignoring");
2236 if (!dval) dval = dict_valbyname(PW_POST_PROXY_TYPE, 0, "Fail");
2239 pairdelete(&request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2243 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE, 0, TAG_ANY);
2244 if (!vp) vp = radius_paircreate(request, &request->config_items,
2245 PW_POST_PROXY_TYPE, 0);
2246 vp->vp_integer = dval->value;
2251 STATE_MACHINE_DECL(proxy_running)
2253 TRACE_STATE_MACHINE;
2256 case FR_ACTION_CONFLICTING:
2258 case FR_ACTION_TIMER:
2259 case FR_ACTION_PROXY_REPLY:
2260 request_common(request, action);
2264 request_running(request, action);
2268 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2273 STATE_MACHINE_DECL(request_virtual_server)
2277 TRACE_STATE_MACHINE;
2280 case FR_ACTION_CONFLICTING:
2282 case FR_ACTION_TIMER:
2283 case FR_ACTION_PROXY_REPLY:
2284 request_common(request, action);
2288 old = request->server;
2289 request->server = request->home_server->server;
2290 request_running(request, action);
2291 request->server = old;
2295 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2301 static int request_will_proxy(REQUEST *request)
2303 int rcode, pre_proxy_type = 0;
2304 char const *realmname = NULL;
2305 VALUE_PAIR *vp, *strippedname;
2306 home_server_t *home;
2307 REALM *realm = NULL;
2308 home_pool_t *pool = NULL;
2310 if (!request->root->proxy_requests) return 0;
2311 if (request->packet->dst_port == 0) return 0;
2312 if (request->packet->code == PW_CODE_STATUS_SERVER) return 0;
2313 if (request->in_proxy_hash) return 0;
2316 * FIXME: for 3.0, allow this only for rejects?
2318 if (request->reply->code != 0) return 0;
2320 vp = pairfind(request->config_items, PW_PROXY_TO_REALM, 0, TAG_ANY);
2322 realm = realm_find2(vp->vp_strvalue);
2324 REDEBUG2("Cannot proxy to unknown realm %s",
2329 realmname = vp->vp_strvalue;
2332 * Figure out which pool to use.
2334 if (request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) {
2335 pool = realm->auth_pool;
2337 #ifdef WITH_ACCOUNTING
2338 } else if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2339 pool = realm->acct_pool;
2343 } else if ((request->packet->code == PW_CODE_COA_REQUEST) ||
2344 (request->packet->code == PW_CODE_DISCONNECT_REQUEST)) {
2345 pool = realm->coa_pool;
2355 vp = pairfind(request->config_items, PW_HOME_SERVER_POOL, 0, TAG_ANY);
2358 switch (request->packet->code) {
2359 case PW_CODE_AUTHENTICATION_REQUEST:
2360 pool_type = HOME_TYPE_AUTH;
2363 #ifdef WITH_ACCOUNTING
2364 case PW_CODE_ACCOUNTING_REQUEST:
2365 pool_type = HOME_TYPE_ACCT;
2370 case PW_CODE_COA_REQUEST:
2371 case PW_CODE_DISCONNECT_REQUEST:
2372 pool_type = HOME_TYPE_COA;
2380 pool = home_pool_byname(vp->vp_strvalue, pool_type);
2384 RWDEBUG2("Cancelling proxy as no home pool exists");
2388 if (request->listener->synchronous) {
2389 WARN("Cannot proxy a request which is from a 'synchronous' socket");
2393 request->home_pool = pool;
2395 home = home_server_ldb(realmname, pool, request);
2397 REDEBUG2("Failed to find live home server: Cancelling proxy");
2400 home_server_update_request(home, request);
2404 * Once we've decided to proxy a request, we cannot send
2405 * a CoA packet. So we free up any CoA packet here.
2407 if (request->coa) request_done(request->coa, FR_ACTION_DONE);
2411 * Remember that we sent the request to a Realm.
2413 if (realmname) pairmake_packet("Realm", realmname, T_OP_EQ);
2416 * Strip the name, if told to.
2418 * Doing it here catches the case of proxied tunneled
2421 if (realm && (realm->striprealm == true) &&
2422 (strippedname = pairfind(request->proxy->vps, PW_STRIPPED_USER_NAME, 0, TAG_ANY)) != NULL) {
2424 * If there's a Stripped-User-Name attribute in
2425 * the request, then use THAT as the User-Name
2426 * for the proxied request, instead of the
2429 * This is done by making a copy of the
2430 * Stripped-User-Name attribute, turning it into
2431 * a User-Name attribute, deleting the
2432 * Stripped-User-Name and User-Name attributes
2433 * from the vps list, and making the new
2434 * User-Name the head of the vps list.
2436 vp = pairfind(request->proxy->vps, PW_USER_NAME, 0, TAG_ANY);
2439 vp = radius_paircreate(request, NULL,
2441 rad_assert(vp != NULL); /* handled by above function */
2442 /* Insert at the START of the list */
2443 /* FIXME: Can't make assumptions about ordering */
2444 fr_cursor_init(&cursor, &vp);
2445 fr_cursor_insert(&cursor, request->proxy->vps);
2446 request->proxy->vps = vp;
2448 pairstrcpy(vp, strippedname->vp_strvalue);
2451 * Do NOT delete Stripped-User-Name.
2456 * If there is no PW_CHAP_CHALLENGE attribute but
2457 * there is a PW_CHAP_PASSWORD we need to add it
2458 * since we can't use the request authenticator
2459 * anymore - we changed it.
2461 if ((request->packet->code == PW_CODE_AUTHENTICATION_REQUEST) &&
2462 pairfind(request->proxy->vps, PW_CHAP_PASSWORD, 0, TAG_ANY) &&
2463 pairfind(request->proxy->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY) == NULL) {
2464 vp = radius_paircreate(request, &request->proxy->vps, PW_CHAP_CHALLENGE, 0);
2465 pairmemcpy(vp, request->packet->vector, sizeof(request->packet->vector));
2469 * The RFC's say we have to do this, but FreeRADIUS
2472 vp = radius_paircreate(request, &request->proxy->vps, PW_PROXY_STATE, 0);
2473 pairsprintf(vp, "%u", request->packet->id);
2476 * Should be done BEFORE inserting into proxy hash, as
2477 * pre-proxy may use this information, or change it.
2479 request->proxy->code = request->packet->code;
2482 * Call the pre-proxy routines.
2484 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE, 0, TAG_ANY);
2486 DICT_VALUE const *dval = dict_valbyattr(vp->da->attr, vp->da->vendor, vp->vp_integer);
2487 /* Must be a validation issue */
2489 RDEBUG2(" Found Pre-Proxy-Type %s", dval->name);
2490 pre_proxy_type = vp->vp_integer;
2493 rad_assert(request->home_pool != NULL);
2495 if (request->home_pool->virtual_server) {
2496 char const *old_server = request->server;
2498 request->server = request->home_pool->virtual_server;
2499 RDEBUG2(" server %s {", request->server);
2500 rcode = process_pre_proxy(pre_proxy_type, request);
2502 request->server = old_server;
2504 rcode = process_pre_proxy(pre_proxy_type, request);
2507 case RLM_MODULE_FAIL:
2508 case RLM_MODULE_INVALID:
2509 case RLM_MODULE_NOTFOUND:
2510 case RLM_MODULE_USERLOCK:
2512 /* FIXME: debug print failed stuff */
2515 case RLM_MODULE_REJECT:
2516 case RLM_MODULE_HANDLED:
2520 * Only proxy the packet if the pre-proxy code succeeded.
2522 case RLM_MODULE_NOOP:
2524 case RLM_MODULE_UPDATED:
2531 static int request_proxy(REQUEST *request, int retransmit)
2535 rad_assert(request->parent == NULL);
2536 rad_assert(request->home_server != NULL);
2538 if (request->master_state == REQUEST_STOP_PROCESSING) return 0;
2542 RWDEBUG("Cannot proxy and originate CoA packets at the same time. Cancelling CoA request");
2543 request_done(request->coa, FR_ACTION_DONE);
2548 * The request may be sent to a virtual server. If we're
2549 * in a child thread, just process it here. If we're the
2550 * master, push it back onto the queue for later
2553 if (request->home_server->server) {
2554 DEBUG("Proxying to virtual server %s",
2555 request->home_server->server);
2557 if (!we_are_master()) {
2558 request_virtual_server(request, FR_ACTION_RUN);
2563 request_queue_or_run(request, request_virtual_server);
2568 * We're actually sending a proxied packet. Do that now.
2570 if (!request->in_proxy_hash && !insert_into_proxy_hash(request)) {
2571 EDEBUG("Failed to insert request into the proxy list.");
2575 rad_assert(request->proxy->id >= 0);
2578 if (request->home_server->tls) {
2579 RDEBUG2("Proxying request to home server %s port %d (TLS)",
2580 inet_ntop(request->proxy->dst_ipaddr.af,
2581 &request->proxy->dst_ipaddr.ipaddr,
2582 buffer, sizeof(buffer)),
2583 request->proxy->dst_port);
2586 RDEBUG2("Proxying request to home server %s port %d",
2587 inet_ntop(request->proxy->dst_ipaddr.af,
2588 &request->proxy->dst_ipaddr.ipaddr,
2589 buffer, sizeof(buffer)),
2590 request->proxy->dst_port);
2592 DEBUG_PACKET(request, request->proxy, 1);
2594 gettimeofday(&request->proxy_retransmit, NULL);
2596 request->proxy->timestamp = request->proxy_retransmit;
2597 request->home_server->last_packet_sent = request->proxy_retransmit.tv_sec;
2600 FR_STATS_TYPE_INC(request->home_server->stats.total_requests);
2602 request->child_state = REQUEST_PROXIED;
2603 request->proxy_listener->send(request->proxy_listener,
2609 * Proxy the packet as if it was new.
2611 static int request_proxy_anew(REQUEST *request)
2613 home_server_t *home;
2616 * Delete the request from the proxy list.
2618 * The packet list code takes care of ensuring that IDs
2619 * aren't reused until all 256 IDs have been used. So
2620 * there's a 1/256 chance of re-using the same ID when
2621 * we're sending to the same home server. Which is
2624 remove_from_proxy_hash(request);
2627 * Find a live home server for the request.
2629 home = home_server_ldb(NULL, request->home_pool, request);
2631 REDEBUG2("Failed to find live home server for request");
2633 if (setup_post_proxy_fail(request)) {
2634 request_queue_or_run(request, proxy_running);
2636 gettimeofday(&request->reply->timestamp, NULL);
2637 request_cleanup_delay_init(request, NULL);
2641 home_server_update_request(home, request);
2643 if (!insert_into_proxy_hash(request)) {
2644 RPROXY("Failed to insert retransmission into the proxy list.");
2645 goto post_proxy_fail;
2649 * Free the old packet, to force re-encoding
2651 talloc_free(request->proxy->data);
2652 request->proxy->data = NULL;
2653 request->proxy->data_len = 0;
2655 #ifdef WITH_ACCOUNTING
2657 * Update the Acct-Delay-Time attribute.
2659 if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2662 vp = pairfind(request->proxy->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY);
2663 if (!vp) vp = radius_paircreate(request,
2664 &request->proxy->vps,
2665 PW_ACCT_DELAY_TIME, 0);
2669 gettimeofday(&now, NULL);
2670 vp->vp_integer += now.tv_sec - request->proxy_retransmit.tv_sec;
2675 if (request_proxy(request, 1) != 1) goto post_proxy_fail;
2680 STATE_MACHINE_DECL(request_ping)
2682 home_server_t *home = request->home_server;
2685 TRACE_STATE_MACHINE;
2689 case FR_ACTION_TIMER:
2690 ERROR("No response to status check %d for home server %s port %d",
2692 inet_ntop(request->proxy->dst_ipaddr.af,
2693 &request->proxy->dst_ipaddr.ipaddr,
2694 buffer, sizeof(buffer)),
2695 request->proxy->dst_port);
2698 case FR_ACTION_PROXY_REPLY:
2699 rad_assert(request->in_proxy_hash);
2701 request->home_server->num_received_pings++;
2702 RPROXY("Received response to status check %d (%d in current sequence)",
2703 request->number, home->num_received_pings);
2706 * Remove the request from any hashes
2708 fr_event_delete(el, &request->ev);
2709 remove_from_proxy_hash(request);
2712 * The control socket may have marked the home server as
2713 * alive. OR, it may have suddenly started responding to
2714 * requests again. If so, don't re-do the "make alive"
2717 if (home->state == HOME_STATE_ALIVE) break;
2720 * It's dead, and we haven't received enough ping
2721 * responses to mark it "alive". Wait a bit.
2723 * If it's zombie, we mark it alive immediately.
2725 if ((home->state == HOME_STATE_IS_DEAD) &&
2726 (home->num_received_pings < home->num_pings_to_alive)) {
2731 * Mark it alive and delete any outstanding
2734 home->state = HOME_STATE_ALIVE;
2735 exec_trigger(request, home->cs, "home_server.alive", false);
2736 home->currently_outstanding = 0;
2737 home->num_sent_pings = 0;
2738 home->num_received_pings = 0;
2739 gettimeofday(&home->revive_time, NULL);
2741 fr_event_delete(el, &home->ev);
2743 RPROXY("Marking home server %s port %d alive",
2744 inet_ntop(request->proxy->dst_ipaddr.af,
2745 &request->proxy->dst_ipaddr.ipaddr,
2746 buffer, sizeof(buffer)),
2747 request->proxy->dst_port);
2751 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
2755 rad_assert(!request->in_request_hash);
2756 rad_assert(request->ev == NULL);
2757 request_done(request, FR_ACTION_DONE);
2761 * Called from start of zombie period, OR after control socket
2762 * marks the home server dead.
2764 static void ping_home_server(void *ctx)
2766 home_server_t *home = ctx;
2769 struct timeval when, now;
2771 if ((home->state == HOME_STATE_ALIVE) ||
2772 (home->ping_check == HOME_PING_CHECK_NONE) ||
2774 (home->proto == IPPROTO_TCP) ||
2776 (home->ev != NULL)) {
2780 gettimeofday(&now, NULL);
2782 if (home->state == HOME_STATE_ZOMBIE) {
2783 when = home->zombie_period_start;
2784 when.tv_sec += home->zombie_period;
2786 if (timercmp(&when, &now, <)) {
2787 DEBUG("PING: Zombie period is over for home server %s",
2789 mark_home_server_dead(home, &now);
2793 request = request_alloc(NULL);
2794 request->number = request_num_counter++;
2797 request->proxy = rad_alloc(request, 1);
2798 rad_assert(request->proxy != NULL);
2800 if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) {
2801 request->proxy->code = PW_CODE_STATUS_SERVER;
2803 pairmake(request->proxy, &request->proxy->vps,
2804 "Message-Authenticator", "0x00", T_OP_SET);
2806 } else if (home->type == HOME_TYPE_AUTH) {
2807 request->proxy->code = PW_CODE_AUTHENTICATION_REQUEST;
2809 pairmake(request->proxy, &request->proxy->vps,
2810 "User-Name", home->ping_user_name, T_OP_SET);
2811 pairmake(request->proxy, &request->proxy->vps,
2812 "User-Password", home->ping_user_password, T_OP_SET);
2813 pairmake(request->proxy, &request->proxy->vps,
2814 "Service-Type", "Authenticate-Only", T_OP_SET);
2815 pairmake(request->proxy, &request->proxy->vps,
2816 "Message-Authenticator", "0x00", T_OP_SET);
2819 #ifdef WITH_ACCOUNTING
2820 request->proxy->code = PW_CODE_ACCOUNTING_REQUEST;
2822 pairmake(request->proxy, &request->proxy->vps,
2823 "User-Name", home->ping_user_name, T_OP_SET);
2824 pairmake(request->proxy, &request->proxy->vps,
2825 "Acct-Status-Type", "Stop", T_OP_SET);
2826 pairmake(request->proxy, &request->proxy->vps,
2827 "Acct-Session-Id", "00000000", T_OP_SET);
2828 vp = pairmake(request->proxy, &request->proxy->vps,
2829 "Event-Timestamp", "0", T_OP_SET);
2830 vp->vp_date = now.tv_sec;
2832 rad_assert("Internal sanity check failed");
2836 vp = pairmake(request->proxy, &request->proxy->vps,
2837 "NAS-Identifier", "", T_OP_SET);
2839 pairsprintf(vp, "Status Check %u. Are you alive?",
2840 home->num_sent_pings);
2843 request->proxy->src_ipaddr = home->src_ipaddr;
2844 request->proxy->dst_ipaddr = home->ipaddr;
2845 request->proxy->dst_port = home->port;
2846 request->home_server = home;
2847 #ifdef DEBUG_STATE_MACHINE
2848 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n", request->number, __FUNCTION__,
2849 child_state_names[request->child_state],
2850 child_state_names[REQUEST_DONE]);
2851 if (debug_flag) printf("(%u) ********\tNEXT-STATE %s -> %s\n", request->number, __FUNCTION__, "request_ping");
2853 #ifdef HAVE_PTHREAD_H
2854 rad_assert(request->child_pid == NO_SUCH_CHILD_PID);
2856 request->child_state = REQUEST_DONE;
2857 request->process = request_ping;
2859 rad_assert(request->proxy_listener == NULL);
2861 if (!insert_into_proxy_hash(request)) {
2862 RPROXY("Failed to insert status check %d into proxy list. Discarding it.",
2865 rad_assert(!request->in_request_hash);
2866 rad_assert(!request->in_proxy_hash);
2867 rad_assert(request->ev == NULL);
2868 request_free(&request);
2873 * Set up the timer callback.
2876 when.tv_sec += home->ping_timeout;
2878 DEBUG("PING: Waiting %u seconds for response to ping",
2879 home->ping_timeout);
2881 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
2882 home->num_sent_pings++;
2884 rad_assert(request->proxy_listener != NULL);
2885 request->proxy_listener->send(request->proxy_listener,
2889 * Add +/- 2s of jitter, as suggested in RFC 3539
2890 * and in the Issues and Fixes draft.
2893 home->when.tv_sec += home->ping_interval;
2895 add_jitter(&home->when);
2897 DEBUG("PING: Next status packet in %u seconds", home->ping_interval);
2898 INSERT_EVENT(ping_home_server, home);
2901 static void home_trigger(home_server_t *home, char const *trigger)
2904 RADIUS_PACKET my_packet;
2906 memset(&my_request, 0, sizeof(my_request));
2907 memset(&my_packet, 0, sizeof(my_packet));
2908 my_request.proxy = &my_packet;
2909 my_packet.dst_ipaddr = home->ipaddr;
2910 my_packet.src_ipaddr = home->src_ipaddr;
2912 exec_trigger(&my_request, home->cs, trigger, false);
2915 static void mark_home_server_zombie(home_server_t *home, struct timeval *now)
2922 rad_assert((home->state == HOME_STATE_ALIVE) ||
2923 (home->state == HOME_STATE_UNKNOWN));
2926 if (home->proto == IPPROTO_TCP) {
2927 WDEBUG("Not marking TCP server %s zombie", home->name);
2933 * We've received a real packet recently. Don't mark the
2934 * server as zombie until we've received NO packets for a
2935 * while. The "1/4" of zombie period was chosen rather
2936 * arbitrarily. It's a balance between too short, which
2937 * gives quick fail-over and fail-back, or too long,
2938 * where the proxy still sends packets to an unresponsive
2941 start = now->tv_sec - ((home->zombie_period + 3) / 4);
2942 if (home->last_packet_recv >= start) {
2943 DEBUG("Recieved reply from home server %d seconds ago. Might not be zombie.",
2944 (int) (now->tv_sec - home->last_packet_recv));
2948 home->state = HOME_STATE_ZOMBIE;
2949 home_trigger(home, "home_server.zombie");
2952 * Set the home server to "zombie", as of the time
2955 home->zombie_period_start.tv_sec = start;
2956 home->zombie_period_start.tv_usec = USEC / 2;
2958 fr_event_delete(el, &home->ev);
2959 home->num_sent_pings = 0;
2960 home->num_received_pings = 0;
2962 PROXY( "Marking home server %s port %d as zombie (it has not responded in %d seconds).",
2963 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
2964 buffer, sizeof(buffer)),
2965 home->port, home->response_window);
2967 ping_home_server(home);
2971 void revive_home_server(void *ctx)
2973 home_server_t *home = ctx;
2977 rad_assert(home->proto != IPPROTO_TCP);
2980 home->state = HOME_STATE_ALIVE;
2981 home_trigger(home, "home_server.alive");
2982 home->currently_outstanding = 0;
2983 gettimeofday(&home->revive_time, NULL);
2986 * Delete any outstanding events.
2988 if (home->ev) fr_event_delete(el, &home->ev);
2990 PROXY( "Marking home server %s port %d alive again... we have no idea if it really is alive or not.",
2991 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
2992 buffer, sizeof(buffer)),
2996 void mark_home_server_dead(home_server_t *home, struct timeval *when)
2998 int previous_state = home->state;
3002 if (home->proto == IPPROTO_TCP) {
3003 WDEBUG("Not marking TCP server dead");
3008 PROXY( "Marking home server %s port %d as dead.",
3009 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
3010 buffer, sizeof(buffer)),
3013 home->state = HOME_STATE_IS_DEAD;
3014 home_trigger(home, "home_server.dead");
3016 if (home->ping_check != HOME_PING_CHECK_NONE) {
3018 * If the control socket marks us dead, start
3019 * pinging. Otherwise, we already started
3020 * pinging when it was marked "zombie".
3022 if (previous_state == HOME_STATE_ALIVE) {
3023 ping_home_server(home);
3025 DEBUG("PING: Already pinging home server %s",
3031 * Revive it after a fixed period of time. This
3032 * is very, very, bad.
3035 home->when.tv_sec += home->revive_interval;
3037 DEBUG("PING: Reviving home server %s in %u seconds",
3038 home->name, home->revive_interval);
3039 INSERT_EVENT(revive_home_server, home);
3043 STATE_MACHINE_DECL(proxy_wait_for_reply)
3045 struct timeval now, when;
3046 home_server_t *home = request->home_server;
3049 TRACE_STATE_MACHINE;
3051 rad_assert(request->packet->code != PW_CODE_STATUS_SERVER);
3052 rad_assert(request->home_server != NULL);
3054 if (request->master_state == REQUEST_STOP_PROCESSING) {
3055 request->child_state = REQUEST_DONE;
3059 gettimeofday(&now, NULL);
3063 if (request->proxy_reply) return;
3065 if ((home->state == HOME_STATE_IS_DEAD) ||
3066 !request->proxy_listener ||
3067 (request->proxy_listener->status != RAD_LISTEN_STATUS_KNOWN)) {
3068 request_proxy_anew(request);
3073 if (home->proto == IPPROTO_TCP) {
3074 DEBUG2("Suppressing duplicate proxied request (tcp) to home server %s port %d proto TCP - ID: %d",
3075 inet_ntop(request->proxy->dst_ipaddr.af,
3076 &request->proxy->dst_ipaddr.ipaddr,
3077 buffer, sizeof(buffer)),
3078 request->proxy->dst_port,
3079 request->proxy->id);
3085 * More than one retransmit a second is stupid,
3086 * and should be suppressed by the proxy.
3088 when = request->proxy_retransmit;
3091 if (timercmp(&now, &when, <)) {
3092 DEBUG2("Suppressing duplicate proxied request (too fast) to home server %s port %d proto TCP - ID: %d",
3093 inet_ntop(request->proxy->dst_ipaddr.af,
3094 &request->proxy->dst_ipaddr.ipaddr,
3095 buffer, sizeof(buffer)),
3096 request->proxy->dst_port,
3097 request->proxy->id);
3101 #ifdef WITH_ACCOUNTING
3103 * If we update the Acct-Delay-Time, we need to
3106 if ((request->packet->code == PW_CODE_ACCOUNTING_REQUEST) &&
3107 pairfind(request->proxy->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY)) {
3108 request_proxy_anew(request);
3113 RDEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
3114 inet_ntop(request->proxy->dst_ipaddr.af,
3115 &request->proxy->dst_ipaddr.ipaddr,
3116 buffer, sizeof(buffer)),
3117 request->proxy->dst_port,
3118 request->proxy->id);
3119 request->num_proxied_requests++;
3121 rad_assert(request->proxy_listener != NULL);;
3122 DEBUG_PACKET(request, request->proxy, 1);
3123 FR_STATS_TYPE_INC(home->stats.total_requests);
3124 home->last_packet_sent = now.tv_sec;
3125 request->proxy_retransmit = now;
3126 request->proxy_listener->send(request->proxy_listener,
3130 case FR_ACTION_TIMER:
3132 if (!request->proxy_listener ||
3133 (request->proxy_listener->status != RAD_LISTEN_STATUS_KNOWN)) {
3134 remove_from_proxy_hash(request);
3136 when = request->packet->timestamp;
3137 when.tv_sec += request->root->max_request_time;
3139 if (timercmp(&when, &now, >)) {
3140 RDEBUG("Waiting for client retransmission in order to do a proxy retransmit");
3141 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3148 * Wake up "response_window" time in the future.
3149 * i.e. when MY packet hasn't received a response.
3151 * Note that we DO NOT mark the home server as
3152 * zombie if it doesn't respond to us. It may be
3153 * responding to other (better looking) packets.
3155 when = request->proxy->timestamp;
3156 when.tv_sec += home->response_window;
3159 * Not at the response window. Set the timer for
3162 if (timercmp(&when, &now, >)) {
3163 RDEBUG("Expecting proxy response no later than %d seconds from now", home->response_window);
3164 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3169 RDEBUG("No proxy response, giving up on request and marking it done");
3172 * If we haven't received any packets for
3173 * "response_window", then mark the home server
3176 * If the connection is TCP, then another
3177 * "watchdog timer" function takes care of pings,
3178 * etc. So we don't need to do it here.
3180 * This check should really be part of a home
3181 * server state machine.
3183 if (((home->state == HOME_STATE_ALIVE) ||
3184 (home->state == HOME_STATE_UNKNOWN))
3186 && (home->proto != IPPROTO_TCP)
3189 mark_home_server_zombie(home, &now);
3192 FR_STATS_TYPE_INC(home->stats.total_timeouts);
3193 if (home->type == HOME_TYPE_AUTH) {
3194 if (request->proxy_listener) FR_STATS_TYPE_INC(request->proxy_listener->stats.total_timeouts);
3195 FR_STATS_TYPE_INC(proxy_auth_stats.total_timeouts);
3198 else if (home->type == HOME_TYPE_ACCT) {
3199 if (request->proxy_listener) FR_STATS_TYPE_INC(request->proxy_listener->stats.total_timeouts);
3200 FR_STATS_TYPE_INC(proxy_acct_stats.total_timeouts);
3205 * There was no response within the window. Stop
3206 * the request. If the client retransmitted, it
3207 * may have failed over to another home server.
3208 * But that one may be dead, too.
3210 RERROR("Failing request - proxy ID %u, due to lack of any response from home server %s port %d",
3212 inet_ntop(request->proxy->dst_ipaddr.af,
3213 &request->proxy->dst_ipaddr.ipaddr,
3214 buffer, sizeof(buffer)),
3215 request->proxy->dst_port);
3217 if (!setup_post_proxy_fail(request)) {
3218 gettimeofday(&request->reply->timestamp, NULL);
3219 request_cleanup_delay_init(request, NULL);
3225 * Duplicate proxy replies have been quenched by
3226 * now. This state is only called ONCE, when we
3227 * receive a new reply from the home server.
3229 case FR_ACTION_PROXY_REPLY:
3230 request_queue_or_run(request, proxy_running);
3233 case FR_ACTION_CONFLICTING:
3234 request_done(request, action);
3238 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3242 #endif /* WITH_PROXY */
3244 /***********************************************************************
3248 ***********************************************************************/
3250 static int null_handler(UNUSED REQUEST *request)
3256 * See if we need to originate a CoA request.
3258 static void request_coa_originate(REQUEST *request)
3260 int rcode, pre_proxy_type = 0;
3266 rad_assert(request != NULL);
3267 rad_assert(request->coa != NULL);
3268 rad_assert(request->proxy == NULL);
3269 rad_assert(!request->in_proxy_hash);
3270 rad_assert(request->proxy_reply == NULL);
3273 * Check whether we want to originate one, or cancel one.
3275 vp = pairfind(request->config_items, PW_SEND_COA_REQUEST, 0, TAG_ANY);
3277 vp = pairfind(request->coa->proxy->vps, PW_SEND_COA_REQUEST, 0, TAG_ANY);
3281 if (vp->vp_integer == 0) {
3283 request_free(&request->coa);
3291 * src_ipaddr will be set up in proxy_encode.
3293 memset(&ipaddr, 0, sizeof(ipaddr));
3294 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_IP_ADDRESS, 0, TAG_ANY);
3296 ipaddr.af = AF_INET;
3297 ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
3299 } else if ((vp = pairfind(coa->proxy->vps, PW_PACKET_DST_IPV6_ADDRESS, 0, TAG_ANY)) != NULL) {
3300 ipaddr.af = AF_INET6;
3301 ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
3303 } else if ((vp = pairfind(coa->proxy->vps, PW_HOME_SERVER_POOL, 0, TAG_ANY)) != NULL) {
3304 coa->home_pool = home_pool_byname(vp->vp_strvalue,
3306 if (!coa->home_pool) {
3307 RWDEBUG2("No such home_server_pool %s",
3313 * Prefer the pool to one server
3315 } else if (request->client->coa_pool) {
3316 coa->home_pool = request->client->coa_pool;
3318 } else if (request->client->coa_server) {
3319 coa->home_server = request->client->coa_server;
3323 * If all else fails, send it to the client that
3324 * originated this request.
3326 memcpy(&ipaddr, &request->packet->src_ipaddr, sizeof(ipaddr));
3330 * Use the pool, if it exists.
3332 if (coa->home_pool) {
3333 coa->home_server = home_server_ldb(NULL, coa->home_pool, coa);
3334 if (!coa->home_server) {
3335 RWDEBUG("No live home server for home_server_pool %s", coa->home_pool->name);
3338 home_server_update_request(coa->home_server, coa);
3340 } else if (!coa->home_server) {
3341 int port = PW_COA_UDP_PORT;
3343 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_PORT, 0, TAG_ANY);
3344 if (vp) port = vp->vp_integer;
3346 coa->home_server = home_server_find(&ipaddr, port, IPPROTO_UDP);
3347 if (!coa->home_server) {
3348 RWDEBUG2("Unknown destination %s:%d for CoA request.",
3349 inet_ntop(ipaddr.af, &ipaddr.ipaddr,
3350 buffer, sizeof(buffer)), port);
3355 vp = pairfind(coa->proxy->vps, PW_PACKET_TYPE, 0, TAG_ANY);
3357 switch (vp->vp_integer) {
3358 case PW_CODE_COA_REQUEST:
3359 case PW_CODE_DISCONNECT_REQUEST:
3360 coa->proxy->code = vp->vp_integer;
3364 DEBUG("Cannot set CoA Packet-Type to code %d",
3370 if (!coa->proxy->code) coa->proxy->code = PW_CODE_COA_REQUEST;
3373 * The rest of the server code assumes that
3374 * request->packet && request->reply exist. Copy them
3375 * from the original request.
3377 rad_assert(coa->packet != NULL);
3378 rad_assert(coa->packet->vps == NULL);
3380 coa->packet = rad_copy_packet(coa, request->packet);
3381 coa->reply = rad_copy_packet(coa, request->reply);
3383 coa->config_items = paircopy(coa, request->config_items);
3384 coa->num_coa_requests = 0;
3385 coa->handle = null_handler;
3386 coa->number = request->number; /* it's associated with the same request */
3389 * Call the pre-proxy routines.
3391 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE, 0, TAG_ANY);
3393 DICT_VALUE const *dval = dict_valbyattr(vp->da->attr, vp->da->vendor, vp->vp_integer);
3394 /* Must be a validation issue */
3396 RDEBUG2(" Found Pre-Proxy-Type %s", dval->name);
3397 pre_proxy_type = vp->vp_integer;
3400 if (coa->home_pool && coa->home_pool->virtual_server) {
3401 char const *old_server = coa->server;
3403 coa->server = coa->home_pool->virtual_server;
3404 RDEBUG2(" server %s {", coa->server);
3405 rcode = process_pre_proxy(pre_proxy_type, coa);
3407 coa->server = old_server;
3409 rcode = process_pre_proxy(pre_proxy_type, coa);
3416 * Only send the CoA packet if the pre-proxy code succeeded.
3418 case RLM_MODULE_NOOP:
3420 case RLM_MODULE_UPDATED:
3425 * Source IP / port is set when the proxy socket
3428 coa->proxy->dst_ipaddr = coa->home_server->ipaddr;
3429 coa->proxy->dst_port = coa->home_server->port;
3431 if (!insert_into_proxy_hash(coa)) {
3432 radlog_request(L_PROXY, 0, coa, "Failed to insert CoA request into proxy list.");
3437 * We CANNOT divorce the CoA request from the parent
3438 * request. This function is running in a child thread,
3439 * and we need access to the main event loop in order to
3440 * to add the timers for the CoA packet.
3442 * Instead, we wait for the timer on the parent request
3445 gettimeofday(&coa->proxy->timestamp, NULL);
3446 coa->packet->timestamp = coa->proxy->timestamp; /* for max_request_time */
3447 coa->delay = 0; /* need to calculate a new delay */
3449 DEBUG_PACKET(coa, coa->proxy, 1);
3451 coa->process = coa_wait_for_reply;
3452 #ifdef DEBUG_STATE_MACHINE
3453 if (debug_flag) printf("(%u) ********\tSTATE %s C-%s -> C-%s\t********\n", request->number, __FUNCTION__,
3454 child_state_names[request->child_state],
3455 child_state_names[REQUEST_RUNNING]);
3457 #ifdef HAVE_PTHREAD_H
3458 coa->child_pid = NO_SUCH_CHILD_PID;
3460 coa->child_state = REQUEST_PROXIED;
3461 rad_assert(coa->proxy_reply == NULL);
3462 FR_STATS_TYPE_INC(coa->home_server->stats.total_requests);
3463 coa->home_server->last_packet_sent = coa->proxy->timestamp.tv_sec;
3464 coa->proxy_listener->send(coa->proxy_listener, coa);
3468 static void coa_timer(REQUEST *request)
3471 struct timeval now, when, mrd;
3473 rad_assert(request->parent == NULL);
3475 if (request->proxy_reply) return request_process_timer(request);
3477 gettimeofday(&now, NULL);
3479 if (request->delay == 0) {
3481 * Implement re-transmit algorithm as per RFC 5080
3484 * We want IRT + RAND*IRT
3485 * or 0.9 IRT + rand(0,.2) IRT
3487 * 2^20 ~ USEC, and we want 2.
3488 * rand(0,0.2) USEC ~ (rand(0,2^21) / 10)
3490 delay = (fr_rand() & ((1 << 22) - 1)) / 10;
3491 request->delay = delay * request->home_server->coa_irt;
3492 delay = request->home_server->coa_irt * USEC;
3493 delay -= delay / 10;
3494 delay += request->delay;
3495 request->delay = delay;
3497 when = request->proxy->timestamp;
3498 tv_add(&when, delay);
3500 if (timercmp(&when, &now, >)) {
3501 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3507 * Retransmit CoA request.
3511 * Cap count at MRC, if it is non-zero.
3513 if (request->home_server->coa_mrc &&
3514 (request->num_coa_requests >= request->home_server->coa_mrc)) {
3517 RERROR("Failing request - originate-coa ID %u, due to lack of any response from coa server %s port %d",
3519 inet_ntop(request->proxy->dst_ipaddr.af,
3520 &request->proxy->dst_ipaddr.ipaddr,
3521 buffer, sizeof(buffer)),
3522 request->proxy->dst_port);
3523 if (!setup_post_proxy_fail(request)) {
3524 request_done(request, FR_ACTION_DONE);
3528 request_queue_or_run(request, coa_running);
3533 * RFC 5080 Section 2.2.1
3535 * RT = 2*RTprev + RAND*RTprev
3536 * = 1.9 * RTprev + rand(0,.2) * RTprev
3537 * = 1.9 * RTprev + rand(0,1) * (RTprev / 5)
3540 delay ^= (delay >> 16);
3542 frac = request->delay / 5;
3543 delay = ((frac >> 16) * delay) + (((frac & 0xffff) * delay) >> 16);
3545 delay += (2 * request->delay) - (request->delay / 10);
3548 * Cap delay at MRT, if MRT is non-zero.
3550 if (request->home_server->coa_mrt &&
3551 (delay > (request->home_server->coa_mrt * USEC))) {
3552 int mrt_usec = request->home_server->coa_mrt * USEC;
3555 * delay = MRT + RAND * MRT
3556 * = 0.9 MRT + rand(0,.2) * MRT
3559 delay ^= (delay >> 15);
3561 delay = ((mrt_usec >> 16) * delay) + (((mrt_usec & 0xffff) * delay) >> 16);
3562 delay += mrt_usec - (mrt_usec / 10);
3565 request->delay = delay;
3567 tv_add(&when, request->delay);
3568 mrd = request->proxy->timestamp;
3569 mrd.tv_sec += request->home_server->coa_mrd;
3572 * Cap duration at MRD.
3574 if (timercmp(&mrd, &when, <)) {
3577 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3579 request->num_coa_requests++; /* is NOT reset by code 3 lines above! */
3581 FR_STATS_TYPE_INC(request->home_server->stats.total_requests);
3584 * Status servers don't count as real packets sent.
3586 request->proxy_listener->send(request->proxy_listener,
3590 STATE_MACHINE_DECL(coa_wait_for_reply)
3592 rad_assert(request->parent == NULL);
3594 TRACE_STATE_MACHINE;
3597 case FR_ACTION_TIMER:
3599 * This is big enough to be in it's own function.
3604 case FR_ACTION_PROXY_REPLY:
3605 rad_assert(request->parent == NULL);
3606 #ifdef HAVE_PTHREAD_H
3608 * Catch the case of a proxy reply when called
3609 * from the main worker thread.
3611 if (we_are_master()) {
3612 request_queue_or_run(request, coa_running);
3618 request_running(request, action);
3622 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3627 static void request_coa_separate(REQUEST *request)
3629 #ifdef DEBUG_STATE_MACHINE
3630 int action = FR_ACTION_TIMER;
3632 TRACE_STATE_MACHINE;
3634 rad_assert(request->parent != NULL);
3635 rad_assert(request->parent->coa == request);
3636 rad_assert(request->ev == NULL);
3637 rad_assert(!request->in_request_hash);
3638 rad_assert(request->coa == NULL);
3640 rad_assert(request->proxy_listener != NULL);
3642 (void) talloc_steal(NULL, request);
3643 request->parent->coa = NULL;
3644 request->parent = NULL;
3647 * Should be coa_wait_for_reply()
3649 request->process(request, FR_ACTION_TIMER);
3652 STATE_MACHINE_DECL(coa_running)
3654 TRACE_STATE_MACHINE;
3657 case FR_ACTION_TIMER:
3658 request_process_timer(request);
3661 case FR_ACTION_PROXY_REPLY:
3662 request_common(request, action);
3666 request_running(request, FR_ACTION_PROXY_REPLY);
3670 RDEBUG3("%s: Ignoring action %s", __FUNCTION__, action_codes[action]);
3674 #endif /* WITH_COA */
3676 /***********************************************************************
3678 * End of the State machine. Start of additional helper code.
3680 ***********************************************************************/
3682 /***********************************************************************
3686 ***********************************************************************/
3687 static void event_socket_handler(UNUSED fr_event_list_t *xel, UNUSED int fd, void *ctx)
3689 rad_listen_t *listener = ctx;
3691 rad_assert(xel == el);
3695 (listener->type != RAD_LISTEN_DETAIL) &&
3697 (listener->fd < 0)) {
3700 listener->print(listener, buffer, sizeof(buffer));
3701 ERROR("FATAL: Asked to read from closed socket: %s",
3704 rad_panic("Socket was closed on us!");
3708 listener->recv(listener);
3713 * This function is called periodically to see if this detail
3714 * file is available for reading.
3716 static void event_poll_detail(void *ctx)
3719 rad_listen_t *this = ctx;
3720 struct timeval when, now;
3721 listen_detail_t *detail = this->data;
3723 rad_assert(this->type == RAD_LISTEN_DETAIL);
3726 event_socket_handler(el, this->fd, this);
3728 fr_event_now(el, &now);
3732 * Backdoor API to get the delay until the next poll
3735 delay = this->encode(this, NULL);
3736 if (delay == 0) goto redo;
3738 tv_add(&when, delay);
3740 if (!fr_event_insert(el, event_poll_detail, this,
3741 &when, &detail->ev)) {
3742 ERROR("Failed creating handler");
3748 static void event_status(struct timeval *wake)
3750 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
3754 if (debug_flag == 0) {
3756 INFO("Ready to process requests.");
3757 just_started = false;
3763 INFO("Ready to process requests.");
3765 } else if ((wake->tv_sec != 0) ||
3766 (wake->tv_usec >= 100000)) {
3767 DEBUG("Waking up in %d.%01u seconds.",
3768 (int) wake->tv_sec, (unsigned int) wake->tv_usec / 100000);
3773 * FIXME: Put this somewhere else, where it isn't called
3774 * all of the time...
3777 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
3779 * If there are no child threads, then there may
3780 * be child processes. In that case, wait for
3781 * their exit status, and throw that exit status
3782 * away. This helps get rid of zxombie children.
3784 while (waitpid(-1, &argval, WNOHANG) > 0) {
3792 static void listener_free_cb(void *ctx)
3794 rad_listen_t *this = ctx;
3797 if (this->count > 0) {
3798 struct timeval when;
3799 listen_socket_t *sock = this->data;
3801 fr_event_now(el, &when);
3804 if (!fr_event_insert(el, listener_free_cb, this, &when,
3806 rad_panic("Failed to insert event");
3813 * It's all free, close the socket.
3816 this->print(this, buffer, sizeof(buffer));
3817 DEBUG("... cleaning up socket %s", buffer);
3823 static int proxy_eol_cb(void *ctx, void *data)
3825 struct timeval when;
3826 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
3828 if (request->proxy_listener != ctx) return 0;
3831 * We don't care if it's being processed in a child thread.
3834 #ifdef WITH_ACCOUNTING
3836 * Accounting packets should be deleted immediately.
3837 * They will never be retransmitted by the client.
3839 if (request->proxy->code == PW_CODE_ACCOUNTING_REQUEST) {
3840 RDEBUG("Stopping request due to failed connection to home server");
3841 request->master_state = REQUEST_STOP_PROCESSING;
3846 * Reset the timer to be now, so that the request is
3847 * quickly updated. But spread the requests randomly
3848 * over the next second, so that we don't overload the
3851 fr_event_now(el, &when);
3852 tv_add(&when, fr_rand() % USEC);
3853 STATE_MACHINE_TIMER(FR_ACTION_TIMER);
3856 * Don't delete it from the list.
3862 int event_new_fd(rad_listen_t *this)
3866 if (this->status == RAD_LISTEN_STATUS_KNOWN) return 1;
3868 this->print(this, buffer, sizeof(buffer));
3870 if (this->status == RAD_LISTEN_STATUS_INIT) {
3871 listen_socket_t *sock = this->data;
3874 DEBUG("Listening on %s", buffer);
3876 INFO(" ... adding new socket %s", buffer);
3881 * Add it to the list of sockets we can use.
3882 * Server sockets (i.e. auth/acct) are never
3883 * added to the packet list.
3885 if (this->type == RAD_LISTEN_PROXY) {
3886 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3887 if (!fr_packet_list_socket_add(proxy_list, this->fd,
3889 &sock->other_ipaddr, sock->other_port,
3892 #ifdef HAVE_PTHREAD_H
3893 proxy_no_new_sockets = true;
3895 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3898 * This is bad. However, the
3899 * packet list now supports 256
3900 * open sockets, which should
3901 * minimize this problem.
3903 ERROR("Failed adding proxy socket: %s",
3909 sock->home->limit.num_connections++;
3911 #ifdef HAVE_PTHREAD_H
3913 * If necessary, add it to the list of
3914 * new proxy listeners.
3916 if (sock->home->limit.lifetime || sock->home->limit.idle_timeout) {
3917 this->next = proxy_listener_list;
3918 proxy_listener_list = this;
3922 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3925 * Tell the main thread that we've added
3926 * a proxy listener, but only if we need
3927 * to update the event list. Do this
3928 * with the mutex unlocked, to reduce
3932 if (sock->home->limit.lifetime || sock->home->limit.idle_timeout) {
3933 radius_signal_self(RADIUS_SIGNAL_SELF_NEW_FD);
3941 * Detail files are always known, and aren't
3942 * put into the socket event loop.
3944 if (this->type == RAD_LISTEN_DETAIL) {
3945 this->status = RAD_LISTEN_STATUS_KNOWN;
3948 * Set up the first poll interval.
3950 event_poll_detail(this);
3957 * Add timers to child sockets, if necessary.
3959 if (sock->proto == IPPROTO_TCP && sock->opened &&
3960 (sock->limit.lifetime || sock->limit.idle_timeout)) {
3961 struct timeval when;
3965 when.tv_sec = sock->opened + 1;
3968 if (!fr_event_insert(el, tcp_socket_timer, this, &when,
3970 rad_panic("Failed to insert event");
3975 FD_MUTEX_LOCK(&fd_mutex);
3976 if (!fr_event_fd_insert(el, 0, this->fd,
3977 event_socket_handler, this)) {
3978 ERROR("Failed adding event handler for socket!");
3981 FD_MUTEX_UNLOCK(&fd_mutex);
3983 this->status = RAD_LISTEN_STATUS_KNOWN;
3989 * Stop using this socket, if at all possible.
3991 if (this->status == RAD_LISTEN_STATUS_EOL) {
3993 * Remove it from the list of live FD's.
3995 FD_MUTEX_LOCK(&fd_mutex);
3996 fr_event_fd_delete(el, 0, this->fd);
3997 FD_MUTEX_UNLOCK(&fd_mutex);
4001 * Proxy sockets get frozen, so that we don't use
4002 * them for new requests. But we do keep them
4003 * open to listen for replies to requests we had
4006 if (this->type == RAD_LISTEN_PROXY) {
4007 PTHREAD_MUTEX_LOCK(&proxy_mutex);
4008 if (!fr_packet_list_socket_freeze(proxy_list,
4010 ERROR("Fatal error freezing socket: %s", fr_strerror());
4014 fr_packet_list_walk(proxy_list, this, proxy_eol_cb);
4015 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
4020 * Requests are still using the socket. Wait for
4023 if (this->count > 0) {
4024 struct timeval when;
4025 listen_socket_t *sock = this->data;
4028 * Try again to clean up the socket in 30
4031 gettimeofday(&when, NULL);
4034 if (!fr_event_insert(el,
4035 (fr_event_callback_t) event_new_fd,
4036 this, &when, &sock->ev)) {
4037 rad_panic("Failed to insert event");
4044 * No one is using the socket. We can remove it now.
4046 this->status = RAD_LISTEN_STATUS_REMOVE_NOW;
4047 } /* socket is at EOL */
4053 if (this->status == RAD_LISTEN_STATUS_REMOVE_NOW) {
4056 listen_socket_t *sock = this->data;
4058 struct timeval when;
4061 * Re-open the socket, pointing it to /dev/null.
4062 * This means that all writes proceed without
4063 * blocking, and all reads return "no data".
4065 * This leaves the socket active, so any child
4066 * threads won't go insane. But it means that
4067 * they cannot send or receive any packets.
4069 * This is EXTRA work in the normal case, when
4070 * sockets are closed without error. But it lets
4071 * us have one simple processing method for all
4074 devnull = open("/dev/null", O_RDWR);
4076 ERROR("FATAL failure opening /dev/null: %s",
4077 fr_syserror(errno));
4080 if (dup2(devnull, this->fd) < 0) {
4081 ERROR("FATAL failure closing socket: %s",
4082 fr_syserror(errno));
4088 rad_assert(this->type != RAD_LISTEN_DETAIL);
4092 INFO(" ... shutting down socket %s", buffer);
4096 * The socket is dead. Force all proxied packets
4097 * to stop using it. And then remove it from the
4098 * list of outgoing sockets.
4100 if (this->type == RAD_LISTEN_PROXY) {
4101 PTHREAD_MUTEX_LOCK(&proxy_mutex);
4102 fr_packet_list_walk(proxy_list, this, eol_proxy_listener);
4104 if (!fr_packet_list_socket_del(proxy_list, this->fd)) {
4105 ERROR("Fatal error removing socket %s: %s",
4106 buffer, fr_strerror());
4109 if (sock->home && sock->home->limit.num_connections) {
4110 sock->home->limit.num_connections--;
4112 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
4117 * EOL all requests using this socket.
4119 fr_packet_list_walk(pl, this, eol_listener);
4123 * No child threads, clean it up now.
4126 if (sock->ev) fr_event_delete(el, &sock->ev);
4132 * Wait until all requests using this socket are done.
4134 gettimeofday(&when, NULL);
4137 if (!fr_event_insert(el, listener_free_cb, this, &when,
4139 rad_panic("Failed to insert event");
4142 #endif /* WITH_TCP */
4147 /***********************************************************************
4151 ***********************************************************************/
4153 static void handle_signal_self(int flag)
4155 if ((flag & (RADIUS_SIGNAL_SELF_EXIT | RADIUS_SIGNAL_SELF_TERM)) != 0) {
4156 if ((flag & RADIUS_SIGNAL_SELF_EXIT) != 0) {
4157 INFO("Signalled to exit");
4158 fr_event_loop_exit(el, 1);
4160 INFO("Signalled to terminate");
4161 exec_trigger(NULL, NULL, "server.signal.term", true);
4162 fr_event_loop_exit(el, 2);
4166 } /* else exit/term flags weren't set */
4169 * Tell the even loop to stop processing.
4171 if ((flag & RADIUS_SIGNAL_SELF_HUP) != 0) {
4173 static time_t last_hup = 0;
4176 if ((int) (when - last_hup) < 5) {
4177 INFO("Ignoring HUP (less than 5s since last one)");
4181 INFO("Received HUP signal.");
4185 exec_trigger(NULL, NULL, "server.signal.hup", true);
4186 fr_event_loop_exit(el, 0x80);
4190 if ((flag & RADIUS_SIGNAL_SELF_DETAIL) != 0) {
4194 * FIXME: O(N) loops suck.
4196 for (this = mainconfig.listen;
4198 this = this->next) {
4199 if (this->type != RAD_LISTEN_DETAIL) continue;
4202 * This one didn't send the signal, skip
4205 if (!this->decode(this, NULL)) continue;
4208 * Go service the interrupt.
4210 event_poll_detail(this);
4217 #ifdef HAVE_PTHREAD_H
4219 * Add event handlers for idle timeouts && maximum lifetime.
4221 if ((flag & RADIUS_SIGNAL_SELF_NEW_FD) != 0) {
4222 struct timeval when, now;
4224 fr_event_now(el, &now);
4226 PTHREAD_MUTEX_LOCK(&proxy_mutex);
4228 while (proxy_listener_list) {
4229 rad_listen_t *this = proxy_listener_list;
4230 listen_socket_t *sock = this->data;
4232 rad_assert(sock->proto == IPPROTO_TCP);
4233 proxy_listener_list = this->next;
4236 if (!sock->home) continue; /* skip UDP sockets */
4241 * Sockets should only be added to the
4242 * proxy_listener_list if they have limits.
4245 rad_assert(sock->home->limit.lifetime || sock->home->limit.idle_timeout);
4247 if (!fr_event_insert(el, tcp_socket_timer, this, &when,
4249 rad_panic("Failed to insert event");
4253 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
4255 #endif /* HAVE_PTHREAD_H */
4256 #endif /* WITH_PROXY */
4257 #endif /* WITH_TCP */
4260 #ifndef WITH_SELF_PIPE
4261 void radius_signal_self(int flag)
4263 handle_signal_self(flag);
4267 * Inform ourselves that we received a signal.
4269 void radius_signal_self(int flag)
4275 * The read MUST be non-blocking for this to work.
4277 rcode = read(self_pipe[0], buffer, sizeof(buffer));
4281 for (i = 0; i < rcode; i++) {
4282 buffer[0] |= buffer[i];
4290 write(self_pipe[1], buffer, 1);
4294 static void event_signal_handler(UNUSED fr_event_list_t *xel,
4295 UNUSED int fd, UNUSED void *ctx)
4300 rcode = read(self_pipe[0], buffer, sizeof(buffer));
4301 if (rcode <= 0) return;
4304 * Merge pending signals.
4306 for (i = 0; i < rcode; i++) {
4307 buffer[0] |= buffer[i];
4310 handle_signal_self(buffer[0]);
4314 /***********************************************************************
4316 * Bootstrapping code.
4318 ***********************************************************************/
4321 * Externally-visibly functions.
4323 int radius_event_init(TALLOC_CTX *ctx) {
4324 el = fr_event_list_create(ctx, event_status);
4330 int radius_event_start(CONF_SECTION *cs, bool have_children)
4332 rad_listen_t *head = NULL;
4334 if (fr_start_time != (time_t)-1) return 0;
4336 time(&fr_start_time);
4339 * radius_event_init() must be called first
4342 if (fr_start_time == (time_t)-1) return 0;
4344 pl = fr_packet_list_create(0);
4345 if (!pl) return 0; /* leak el */
4347 request_num_counter = 0;
4350 if (mainconfig.proxy_requests) {
4352 * Create the tree for managing proxied requests and
4355 proxy_list = fr_packet_list_create(1);
4356 if (!proxy_list) return 0;
4358 #ifdef HAVE_PTHREAD_H
4359 if (pthread_mutex_init(&proxy_mutex, NULL) != 0) {
4360 ERROR("FATAL: Failed to initialize proxy mutex: %s",
4361 fr_syserror(errno));
4369 * Move all of the thread calls to this file?
4371 * It may be best for the mutexes to be in this file...
4373 spawn_flag = have_children;
4375 #ifdef HAVE_PTHREAD_H
4376 NO_SUCH_CHILD_PID = pthread_self(); /* not a child thread */
4379 * Initialize the threads ONLY if we're spawning, AND
4380 * we're running normally.
4382 if (have_children && !check_config &&
4383 (thread_pool_init(cs, &spawn_flag) < 0)) {
4389 DEBUG("%s: #### Skipping IP addresses and Ports ####",
4391 if (listen_init(cs, &head, spawn_flag) < 0) {
4398 #ifdef WITH_SELF_PIPE
4400 * Child threads need a pipe to signal us, as do the
4403 if (pipe(self_pipe) < 0) {
4404 ERROR("radiusd: Error opening internal pipe: %s",
4405 fr_syserror(errno));
4408 if ((fcntl(self_pipe[0], F_SETFL, O_NONBLOCK) < 0) ||
4409 (fcntl(self_pipe[0], F_SETFD, FD_CLOEXEC) < 0)) {
4410 ERROR("radiusd: Error setting internal flags: %s",
4411 fr_syserror(errno));
4414 if ((fcntl(self_pipe[1], F_SETFL, O_NONBLOCK) < 0) ||
4415 (fcntl(self_pipe[1], F_SETFD, FD_CLOEXEC) < 0)) {
4416 ERROR("radiusd: Error setting internal flags: %s",
4417 fr_syserror(errno));
4421 if (!fr_event_fd_insert(el, 0, self_pipe[0],
4422 event_signal_handler, el)) {
4423 ERROR("Failed creating handler for signals");
4426 #endif /* WITH_SELF_PIPE */
4428 DEBUG("%s: #### Opening IP addresses and Ports ####",
4432 * The server temporarily switches to an unprivileged
4433 * user very early in the bootstrapping process.
4434 * However, some sockets MAY require privileged access
4435 * (bind to device, or to port < 1024, or to raw
4436 * sockets). Those sockets need to call suid up/down
4437 * themselves around the functions that need a privileged
4440 if (listen_init(cs, &head, spawn_flag) < 0) {
4444 mainconfig.listen = head;
4447 * At this point, no one has any business *ever* going
4450 fr_suid_down_permanent();
4457 static int proxy_delete_cb(UNUSED void *ctx, void *data)
4459 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
4461 request->master_state = REQUEST_STOP_PROCESSING;
4463 #ifdef HAVE_PTHREAD_H
4464 if (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0) return 0;
4468 * If it's queued we can't delete it from the queue.
4470 * Otherwise, it's OK to delete it. Even RUNNING, because
4471 * that will get caught by the check above.
4473 if (request->child_state == REQUEST_QUEUED) return 0;
4475 request->in_proxy_hash = false;
4477 if (!request->in_request_hash) {
4478 request_done(request, FR_ACTION_DONE);
4482 * Delete it from the list.
4489 static int request_delete_cb(UNUSED void *ctx, void *data)
4491 REQUEST *request = fr_packet2myptr(REQUEST, packet, data);
4493 request->master_state = REQUEST_STOP_PROCESSING;
4496 * Not done, or the child thread is still processing it.
4498 if (request->child_state < REQUEST_RESPONSE_DELAY) return 0; /* continue */
4500 #ifdef HAVE_PTHREAD_H
4501 if (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0) return 0;
4505 rad_assert(request->in_proxy_hash == false);
4508 request->in_request_hash = false;
4509 if (request->ev) fr_event_delete(el, &request->ev);
4511 if (mainconfig.memory_report) {
4512 RDEBUG2("Cleaning up request packet ID %u with timestamp +%d",
4513 request->packet->id,
4514 (unsigned int) (request->timestamp - fr_start_time));
4519 rad_assert(!request->coa->in_proxy_hash);
4523 request_free(&request);
4526 * Delete it from the list, and continue;
4532 void radius_event_free(void)
4538 * There are requests in the proxy hash that aren't
4539 * referenced from anywhere else. Remove them first.
4542 fr_packet_list_walk(proxy_list, NULL, proxy_delete_cb);
4546 fr_packet_list_walk(pl, NULL, request_delete_cb);
4550 * Now that all requests have been marked "please stop",
4551 * ensure that all of the threads have exited.
4553 #ifdef HAVE_PTHREAD_H
4558 * Walk the lists again, ensuring that all
4559 * requests are done.
4561 if (mainconfig.memory_report) {
4566 fr_packet_list_walk(proxy_list, NULL, proxy_delete_cb);
4567 num = fr_packet_list_num_elements(proxy_list);
4569 ERROR("Proxy list has %d requests still in it.", num);
4574 fr_packet_list_walk(pl, NULL, request_delete_cb);
4575 num = fr_packet_list_num_elements(pl);
4577 ERROR("Request list has %d requests still in it.", num);
4582 fr_packet_list_free(pl);
4586 fr_packet_list_free(proxy_list);
4592 if (debug_condition) talloc_free(debug_condition);
4595 int radius_event_process(void)
4599 return fr_event_loop(el);