2 * realms.c Realm handling code
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/rad_assert.h>
34 static rbtree_t *realms_byname = NULL;
36 bool home_servers_udp = false;
40 typedef struct realm_regex_t {
42 struct realm_regex_t *next;
45 static realm_regex_t *realms_regex = NULL;
47 #endif /* HAVE_REGEX */
49 typedef struct realm_config_t {
56 bool wake_all_if_all_dead;
59 static realm_config_t *realm_config = NULL;
60 static bool realms_initialized = false;
63 static rbtree_t *home_servers_byaddr = NULL;
64 static rbtree_t *home_servers_byname = NULL;
66 static int home_server_max_number = 0;
67 static rbtree_t *home_servers_bynumber = NULL;
70 static rbtree_t *home_pools_byname = NULL;
73 * Map the proxy server configuration parameters to variables.
75 static const CONF_PARSER proxy_config[] = {
76 { "retry_delay", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, retry_delay), STRINGIFY(RETRY_DELAY) },
78 { "retry_count", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, retry_count), STRINGIFY(RETRY_COUNT) },
80 { "default_fallback", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, fallback), "no" },
82 { "dynamic", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, dynamic), NULL },
84 { "dead_time", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, dead_time), STRINGIFY(DEAD_TIME) },
86 { "wake_all_if_all_dead", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, wake_all_if_all_dead), "no" },
88 { NULL, -1, 0, NULL, NULL }
92 static int realm_name_cmp(void const *one, void const *two)
97 return strcasecmp(a->name, b->name);
102 static void home_server_free(void *data)
104 home_server_t *home = data;
109 static int home_server_name_cmp(void const *one, void const *two)
111 home_server_t const *a = one;
112 home_server_t const *b = two;
114 if (a->type < b->type) return -1;
115 if (a->type > b->type) return +1;
117 return strcasecmp(a->name, b->name);
120 static int home_server_addr_cmp(void const *one, void const *two)
123 home_server_t const *a = one;
124 home_server_t const *b = two;
126 if (a->server && !b->server) return -1;
127 if (!a->server && b->server) return +1;
128 if (a->server && b->server) {
129 rcode = a->type - b->type;
130 if (rcode != 0) return rcode;
131 return strcmp(a->server, b->server);
134 if (a->port < b->port) return -1;
135 if (a->port > b->port) return +1;
138 if (a->proto < b->proto) return -1;
139 if (a->proto > b->proto) return +1;
142 rcode = fr_ipaddr_cmp(&a->src_ipaddr, &b->src_ipaddr);
143 if (rcode != 0) return rcode;
145 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
149 static int home_server_number_cmp(void const *one, void const *two)
151 home_server_t const *a = one;
152 home_server_t const *b = two;
154 return (a->number - b->number);
158 static int home_pool_name_cmp(void const *one, void const *two)
160 home_pool_t const *a = one;
161 home_pool_t const *b = two;
163 if (a->server_type < b->server_type) return -1;
164 if (a->server_type > b->server_type) return +1;
166 return strcasecmp(a->name, b->name);
170 static size_t CC_HINT(nonnull) xlat_cs(CONF_SECTION *cs, char const *fmt, char *out, size_t outlen)
172 char const *value = NULL;
177 if (strcmp(fmt, "instance") == 0) {
178 value = cf_section_name2(cs);
186 cp = cf_pair_find(cs, fmt);
187 if (!cp || !(value = cf_pair_value(cp))) {
193 strlcpy(out, value, outlen);
200 * Xlat for %{home_server:foo}
202 static ssize_t CC_HINT(nonnull) xlat_home_server(UNUSED void *instance, REQUEST *request,
203 char const *fmt, char *out, size_t outlen)
205 if (!request->home_server) {
206 RWDEBUG("No home_server associated with this request");
212 return xlat_cs(request->home_server->cs, fmt, out, outlen);
217 * Xlat for %{home_server_pool:foo}
219 static ssize_t CC_HINT(nonnull) xlat_server_pool(UNUSED void *instance, REQUEST *request,
220 char const *fmt, char *out, size_t outlen)
222 if (!request->home_pool) {
223 RWDEBUG("No home_pool associated with this request");
229 return xlat_cs(request->home_pool->cs, fmt, out, outlen);
233 void realms_free(void)
237 rbtree_free(home_servers_bynumber);
238 home_servers_bynumber = NULL;
241 rbtree_free(home_servers_byname);
242 home_servers_byname = NULL;
244 rbtree_free(home_servers_byaddr);
245 home_servers_byaddr = NULL;
247 rbtree_free(home_pools_byname);
248 home_pools_byname = NULL;
251 rbtree_free(realms_byname);
252 realms_byname = NULL;
256 realm_regex_t *this, *next;
258 for (this = realms_regex; this != NULL; this = next) {
267 realm_pool_free(NULL);
269 talloc_free(realm_config);
275 static CONF_PARSER limit_config[] = {
276 { "max_connections", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.max_connections), "16" },
277 { "max_requests", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.max_requests), "0" },
278 { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.lifetime), "0" },
279 { "idle_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.idle_timeout), "0" },
281 { NULL, -1, 0, NULL, NULL } /* end the list */
284 static fr_ipaddr_t hs_ipaddr;
285 static char const *hs_srcipaddr = NULL;
286 static char const *hs_type = NULL;
287 static char const *hs_check = NULL;
288 static char const *hs_virtual_server = NULL;
290 static char const *hs_proto = NULL;
294 static CONF_PARSER home_server_coa[] = {
295 { "irt", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_irt), STRINGIFY(2) },
296 { "mrt", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrt), STRINGIFY(16) },
297 { "mrc", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrc), STRINGIFY(5) },
298 { "mrd", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrd), STRINGIFY(30) },
300 { NULL, -1, 0, NULL, NULL } /* end the list */
304 static CONF_PARSER home_server_config[] = {
305 { "ipaddr", FR_CONF_POINTER(PW_TYPE_IP_ADDR, &hs_ipaddr), NULL },
306 { "ipv4addr", FR_CONF_POINTER(PW_TYPE_IPV4_ADDR, &hs_ipaddr), NULL },
307 { "ipv6addr", FR_CONF_POINTER(PW_TYPE_IPV6_ADDR, &hs_ipaddr), NULL },
308 { "virtual_server", FR_CONF_POINTER(PW_TYPE_STRING, &hs_virtual_server), NULL },
310 { "port", FR_CONF_OFFSET(PW_TYPE_SHORT, home_server_t, port), "0" },
312 { "type", FR_CONF_POINTER(PW_TYPE_STRING, &hs_type), NULL },
315 { "proto", FR_CONF_POINTER(PW_TYPE_STRING, &hs_proto), NULL },
318 { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, home_server_t, secret), NULL },
320 { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &hs_srcipaddr), NULL },
322 { "response_window", FR_CONF_OFFSET(PW_TYPE_TIMEVAL, home_server_t, response_window), "30" },
323 { "response_timeouts", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, max_response_timeouts), "1" },
324 { "max_outstanding", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, max_outstanding), "65536" },
326 { "zombie_period", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, zombie_period), "40" },
327 { "status_check", FR_CONF_POINTER(PW_TYPE_STRING, &hs_check), "none" },
328 { "ping_check", FR_CONF_POINTER(PW_TYPE_STRING, &hs_check), NULL },
330 { "ping_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_interval), "30" },
331 { "check_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_interval), "30" },
333 { "check_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_timeout), "4" },
334 { "status_check_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_timeout), NULL },
336 { "num_answers_to_alive", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, num_pings_to_alive), "3" },
337 { "revive_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, revive_interval), "300" },
339 { "username", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, ping_user_name), NULL },
340 { "password", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, ping_user_password), NULL },
343 { "historic_average_window", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ema.window), NULL },
347 { "coa", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) home_server_coa },
350 { "limit", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) limit_config },
352 { NULL, -1, 0, NULL, NULL } /* end the list */
356 static void null_free(UNUSED void *data)
361 * Ensure that all of the parameters in the home server are OK.
363 void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs)
365 CONF_SECTION *parent = NULL;
367 FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, >=, 8);
368 FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, <=, 65536*16);
370 FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, >=, 6);
371 FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, <=, 120);
373 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, >=, 0, 1000);
374 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=, 60, 0);
375 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=,
376 main_config.max_request_time, 0);
378 FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, >=, 1);
379 FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, <=, 1000);
382 * Track the minimum response window, so that we can
383 * correctly set the timers in process.c
385 if (timercmp(&main_config.init_delay, &home->response_window, >)) {
386 main_config.init_delay = home->response_window;
389 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, 1);
390 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, <=, 120);
391 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, (uint32_t) home->response_window.tv_sec);
393 FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, >=, 3);
394 FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, <=, 10);
396 FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, >=, 1);
397 FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, <=, 10);
399 FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, >=, 60);
400 FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, <=, 3600);
403 FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, >=, 1);
404 FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, <=, 5);
406 FR_INTEGER_BOUND_CHECK("coa_mrc", home->coa_mrc, <=, 20);
408 FR_INTEGER_BOUND_CHECK("coa_mrt", home->coa_mrt, <=, 30);
410 FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, >=, 5);
411 FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, <=, 60);
414 FR_INTEGER_BOUND_CHECK("max_connections", home->limit.max_connections, <=, 1024);
418 * UDP sockets can't be connection limited.
420 if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
423 if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
424 home->limit.idle_timeout = 5;
425 if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
426 home->limit.lifetime = 5;
427 if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
428 home->limit.idle_timeout = 0;
430 parent = cf_item_parent(cf_sectiontoitem(cs));
431 if (parent && strcmp(cf_section_name1(parent), "server") == 0) {
432 home->parent_server = cf_section_name2(parent);
436 static int home_server_add(realm_config_t *rc, CONF_SECTION *cs)
444 hs_virtual_server = NULL;
446 name2 = cf_section_name2(cs);
448 cf_log_err_cs(cs, "Home server section is missing a name");
452 home = talloc_zero(rc, home_server_t);
456 home->state = HOME_STATE_UNKNOWN;
459 * Last packet sent / received are zero.
462 memset(&hs_ipaddr, 0, sizeof(hs_ipaddr));
463 if (cf_section_parse(cs, home, home_server_config) < 0) {
468 * Figure out which one to use.
470 if (cf_pair_find(cs, "ipaddr") || cf_pair_find(cs, "ipv4addr") || cf_pair_find(cs, "ipv6addr")) {
471 if (is_wildcard(&hs_ipaddr)) {
472 cf_log_err_cs(cs, "Wildcard '*' addresses are not permitted for home servers");
475 home->ipaddr = hs_ipaddr;
476 } else if ((cp = cf_pair_find(cs, "virtual_server")) != NULL) {
477 home->ipaddr.af = AF_UNSPEC;
478 home->server = cf_pair_value(cp);
481 "Invalid value for virtual_server");
485 if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
488 "No such server %s", home->server);
493 * When CoA is used, the user has to specify the type
494 * of the home server, even when they point to
497 home->secret = strdup("");
501 cf_log_err_cs(cs, "No ipaddr, ipv4addr, ipv6addr, or virtual_server defined for home server \"%s\"", name2);
512 if (home->port == 0) {
513 cf_log_err_cs(cs, "No port, or invalid port defined for home server %s", name2);
518 * Use a reasonable default.
521 if (!hs_type || (strcasecmp(hs_type, "auth+acct") == 0)) {
522 home->type = HOME_TYPE_AUTH;
524 } else if (strcasecmp(hs_type, "auth") == 0) {
525 home->type = HOME_TYPE_AUTH;
527 } else if (strcasecmp(hs_type, "acct") == 0) {
528 home->type = HOME_TYPE_ACCT;
530 } else if (strcasecmp(hs_type, "coa") == 0) {
531 home->type = HOME_TYPE_COA;
534 if (home->server != NULL) {
535 cf_log_err_cs(cs, "Home servers of type \"coa\" cannot point to a virtual server");
541 cf_log_err_cs(cs, "Invalid type \"%s\" for home server %s.", hs_type, name2);
546 if (!hs_check || (strcasecmp(hs_check, "none") == 0)) {
547 home->ping_check = HOME_PING_CHECK_NONE;
549 } else if (strcasecmp(hs_check, "status-server") == 0) {
550 home->ping_check = HOME_PING_CHECK_STATUS_SERVER;
552 } else if (strcasecmp(hs_check, "request") == 0) {
553 home->ping_check = HOME_PING_CHECK_REQUEST;
555 if (!home->ping_user_name ||
556 !*home->ping_user_name) {
557 cf_log_err_cs(cs, "You must supply a 'username' to enable status_check=request");
561 if ((home->type == HOME_TYPE_AUTH) &&
562 (!home->ping_user_password ||
563 !*home->ping_user_password)) {
564 cf_log_err_cs(cs, "You must supply a password to enable status_check=request");
570 "Invalid status_check \"%s\" for home server %s.",
576 if ((home->ping_check != HOME_PING_CHECK_NONE) &&
577 (home->ping_check != HOME_PING_CHECK_STATUS_SERVER)) {
578 if (!home->ping_user_name) {
579 cf_log_err_cs(cs, "You must supply a user name to enable status_check=request");
583 if ((home->type == HOME_TYPE_AUTH) &&
584 !home->ping_user_password) {
585 cf_log_err_cs(cs, "You must supply a password to enable status_check=request");
590 home->proto = IPPROTO_UDP;
593 home_servers_udp = true;
596 if (strcmp(hs_proto, "udp") == 0) {
598 home_servers_udp = true;
600 } else if (strcmp(hs_proto, "tcp") == 0) {
602 home->proto = IPPROTO_TCP;
604 if (home->ping_check != HOME_PING_CHECK_NONE) {
606 "Only 'status_check = none' is allowed for home servers with 'proto = tcp'");
612 "Unknown proto \"%s\".", hs_proto);
619 rbtree_finddata(home_servers_byaddr, home)) {
620 cf_log_err_cs(cs, "Duplicate home server");
625 * Check the TLS configuration.
627 tls = cf_section_sub_find(cs, "tls");
630 * If were doing RADSEC (tls+tcp) the secret should default
631 * to radsec, else a secret must be set.
635 if (tls && (home->proto == IPPROTO_TCP)) {
636 home->secret = "radsec";
640 cf_log_err_cs(cs, "No shared secret defined for home server %s", name2);
646 * If the home is a virtual server, don't look up source IP.
649 rad_assert(home->ipaddr.af != AF_UNSPEC);
652 * Otherwise look up the source IP using the same
653 * address family as the destination IP.
656 if (ip_hton(&home->src_ipaddr, home->ipaddr.af, hs_srcipaddr, false) < 0) {
657 cf_log_err_cs(cs, "Failed parsing src_ipaddr");
663 * Source isn't specified: Source is
664 * the correct address family, but all zeros.
666 memset(&home->src_ipaddr, 0, sizeof(home->src_ipaddr));
667 home->src_ipaddr.af = home->ipaddr.af;
670 if (tls && (home->proto != IPPROTO_TCP)) {
671 cf_log_err_cs(cs, "TLS transport is not available for UDP sockets");
678 cf_log_err_cs(cs, "TLS transport is not available in this executable");
683 * Parse the SSL client configuration.
686 home->tls = tls_client_conf_parse(tls);
694 cf_log_err_cs(cs, "Virtual home_servers cannot have a \"tls\" subsection");
700 return realm_home_server_add(home, cs, dual);
703 int realm_home_server_add(home_server_t *home, CONF_SECTION *cs, int dual)
705 const char *name2 = home->name;
708 * The structs aren't mutex protected. Refuse to destroy
711 if (realms_initialized && !realm_config->dynamic) {
712 DEBUG("Must set \"dynamic = true\" in proxy.conf");
717 * Make sure that this is set.
719 if (home->src_ipaddr.af == AF_UNSPEC) {
720 home->src_ipaddr.af = home->ipaddr.af;
723 if (rbtree_finddata(home_servers_byname, home) != NULL) {
725 "Duplicate home server name %s.", name2);
730 (rbtree_finddata(home_servers_byaddr, home) != NULL)) {
732 "Duplicate home server IP %s.", name2);
736 if (!rbtree_insert(home_servers_byname, home)) {
738 "Internal error %d adding home server %s.",
744 !rbtree_insert(home_servers_byaddr, home)) {
745 rbtree_deletebydata(home_servers_byname, home);
747 "Internal error %d adding home server %s.",
753 home->number = home_server_max_number++;
754 if (!rbtree_insert(home_servers_bynumber, home)) {
755 rbtree_deletebydata(home_servers_byname, home);
756 if (home->ipaddr.af != AF_UNSPEC) {
757 rbtree_deletebydata(home_servers_byname, home);
760 "Internal error %d adding home server %s.",
766 realm_home_server_sanitize(home, cs);
769 home_server_t *home2 = talloc(home, home_server_t);
771 memcpy(home2, home, sizeof(*home2));
773 home2->type = HOME_TYPE_ACCT;
775 home2->ping_user_password = NULL;
777 home2->parent_server = home->parent_server;
779 if (!rbtree_insert(home_servers_byname, home2)) {
781 "Internal error %d adding home server %s.",
788 !rbtree_insert(home_servers_byaddr, home2)) {
789 rbtree_deletebydata(home_servers_byname, home2);
791 "Internal error %d adding home server %s.",
799 home2->number = home_server_max_number++;
800 if (!rbtree_insert(home_servers_bynumber, home2)) {
801 rbtree_deletebydata(home_servers_byname, home2);
802 if (!home2->server) {
803 rbtree_deletebydata(home_servers_byname, home2);
806 "Internal error %d adding home server %s.",
815 * Mark it as already processed
817 cf_data_add(cs, "home_server", null_free, null_free);
823 static home_pool_t *server_pool_alloc(char const *name, home_pool_type_t type,
824 int server_type, int num_home_servers)
828 pool = rad_malloc(sizeof(*pool) + (sizeof(pool->servers[0]) *
830 if (!pool) return NULL; /* just for pairanoia */
832 memset(pool, 0, sizeof(*pool) + (sizeof(pool->servers[0]) *
837 pool->server_type = server_type;
838 pool->num_home_servers = num_home_servers;
844 * Ensure any home_server clauses in a home_server_pool section reference
845 * defined home servers, which should already have been created, regardless
846 * of where they appear in the configuration.
848 static int pool_check_home_server(UNUSED realm_config_t *rc, CONF_PAIR *cp,
849 char const *name, int server_type,
850 home_server_t **phome)
852 home_server_t myhome, *home;
856 "No value given for home_server");
861 myhome.type = server_type;
862 home = rbtree_finddata(home_servers_byname, &myhome);
868 cf_log_err_cp(cp, "Unknown home_server \"%s\".", name);
873 #ifndef HAVE_PTHREAD_H
874 void realm_pool_free(home_pool_t *pool)
876 if (!realms_initialized) return;
877 if (!realm_config->dynamic) return;
881 #else /* HAVE_PTHREAD_H */
882 typedef struct pool_list_t pool_list_t;
890 static bool pool_free_init = false;
891 static pthread_mutex_t pool_free_mutex;
892 static pool_list_t *pool_list = NULL;
894 void realm_pool_free(home_pool_t *pool)
898 pool_list_t *this, **last;
900 if (!realms_initialized) return;
901 if (!realm_config->dynamic) return;
905 * Double-check that the realm wasn't loaded from the
906 * configuration files.
908 for (i = 0; i < pool->num_home_servers; i++) {
909 if (pool->servers[i]->cs) {
916 if (!pool_free_init) {
917 pthread_mutex_init(&pool_free_mutex, NULL);
918 pool_free_init = true;
921 pthread_mutex_lock(&pool_free_mutex);
924 * Free all of the pools.
927 while ((this = pool_list) != NULL) {
928 pool_list = this->next;
929 talloc_free(this->pool);
932 pthread_mutex_lock(&pool_free_mutex);
939 * Free the oldest pool(s)
941 while ((this = pool_list) != NULL) {
942 if (this->when > now) break;
944 pool_list = this->next;
945 talloc_free(this->pool);
950 * Add this pool to the end of the list.
952 for (last = &pool_list;
954 last = &((*last))->next) {
958 *last = this = talloc(NULL, pool_list_t);
960 talloc_free(pool); /* hope for the best */
961 pthread_mutex_unlock(&pool_free_mutex);
966 this->when = now + 60;
969 #endif /* HAVE_PTHREAD_H */
971 int realm_pool_add(home_pool_t *pool, UNUSED CONF_SECTION *cs)
974 * The structs aren't mutex protected. Refuse to destroy
977 if (realms_initialized && !realm_config->dynamic) {
978 DEBUG("Must set \"dynamic = true\" in proxy.conf");
982 if (!rbtree_insert(home_pools_byname, pool)) {
983 rad_assert("Internal sanity check failed" == NULL);
990 static int server_pool_add(realm_config_t *rc,
991 CONF_SECTION *cs, int server_type, int do_print)
994 home_pool_t *pool = NULL;
997 int num_home_servers;
1000 name2 = cf_section_name1(cs);
1001 if (!name2 || ((strcasecmp(name2, "server_pool") != 0) &&
1002 (strcasecmp(name2, "home_server_pool") != 0))) {
1004 "Section is not a home_server_pool");
1008 name2 = cf_section_name2(cs);
1011 "Server pool section is missing a name");
1016 * Count the home servers and initalize them.
1018 num_home_servers = 0;
1019 for (cp = cf_pair_find(cs, "home_server");
1021 cp = cf_pair_find_next(cs, cp, "home_server")) {
1024 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
1025 server_type, &home)) {
1030 if (num_home_servers == 0) {
1032 "No home servers defined in pool %s",
1037 pool = server_pool_alloc(name2, HOME_POOL_FAIL_OVER, server_type,
1040 cf_log_err_cs(cs, "Failed allocating memory for pool");
1047 * Fallback servers must be defined, and must be
1050 cp = cf_pair_find(cs, "fallback");
1053 if (server_type == HOME_TYPE_COA) {
1054 cf_log_err_cs(cs, "Home server pools of type \"coa\" cannot have a fallback virtual server");
1059 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
1060 server_type, &pool->fallback)) {
1065 if (!pool->fallback->server) {
1066 cf_log_err_cs(cs, "Fallback home_server %s does NOT contain a virtual_server directive.", pool->fallback->name);
1071 if (do_print) cf_log_info(cs, " home_server_pool %s {", name2);
1073 cp = cf_pair_find(cs, "type");
1075 static FR_NAME_NUMBER pool_types[] = {
1076 { "load-balance", HOME_POOL_LOAD_BALANCE },
1078 { "fail-over", HOME_POOL_FAIL_OVER },
1079 { "fail_over", HOME_POOL_FAIL_OVER },
1081 { "round-robin", HOME_POOL_LOAD_BALANCE },
1082 { "round_robin", HOME_POOL_LOAD_BALANCE },
1084 { "client-balance", HOME_POOL_CLIENT_BALANCE },
1085 { "client-port-balance", HOME_POOL_CLIENT_PORT_BALANCE },
1086 { "keyed-balance", HOME_POOL_KEYED_BALANCE },
1090 value = cf_pair_value(cp);
1093 "No value given for type");
1097 pool->type = fr_str2int(pool_types, value, 0);
1100 "Unknown type \"%s\".",
1105 if (do_print) cf_log_info(cs, "\ttype = %s", value);
1108 cp = cf_pair_find(cs, "virtual_server");
1110 pool->virtual_server = cf_pair_value(cp);
1111 if (!pool->virtual_server) {
1112 cf_log_err_cp(cp, "No value given for virtual_server");
1117 cf_log_info(cs, "\tvirtual_server = %s", pool->virtual_server);
1120 if (!cf_section_sub_find_name2(rc->cs, "server",
1121 pool->virtual_server)) {
1122 cf_log_err_cp(cp, "No such server %s",
1123 pool->virtual_server);
1129 num_home_servers = 0;
1130 for (cp = cf_pair_find(cs, "home_server");
1132 cp = cf_pair_find_next(cs, cp, "home_server")) {
1133 home_server_t myhome;
1135 value = cf_pair_value(cp);
1137 memset(&myhome, 0, sizeof(myhome));
1138 myhome.name = value;
1139 myhome.type = server_type;
1141 home = rbtree_finddata(home_servers_byname, &myhome);
1143 DEBUG2("Internal sanity check failed");
1148 WARN("Duplicate home server %s in server pool %s", home->name, pool->name);
1152 if (do_print) cf_log_info(cs, "\thome_server = %s", home->name);
1153 pool->servers[num_home_servers++] = home;
1154 } /* loop over home_server's */
1156 if (pool->fallback && do_print) {
1157 cf_log_info(cs, "\tfallback = %s", pool->fallback->name);
1160 if (!realm_pool_add(pool, cs)) goto error;
1162 if (do_print) cf_log_info(cs, " }");
1164 cf_data_add(cs, "home_server_pool", pool, free);
1166 rad_assert(pool->server_type != 0);
1171 if (do_print) cf_log_info(cs, " }");
1177 static int old_server_add(realm_config_t *rc, CONF_SECTION *cs,
1179 char const *name, char const *secret,
1180 home_pool_type_t ldflag, home_pool_t **pool_p,
1181 int type, char const *server)
1184 int i, insert_point, num_home_servers;
1185 home_server_t myhome, *home;
1186 home_pool_t mypool, *pool;
1187 CONF_SECTION *subcs;
1189 (void) rc; /* -Wunused */
1198 * LOCAL realms get sanity checked, and nothing else happens.
1200 if (strcmp(name, "LOCAL") == 0) {
1202 cf_log_err_cs(cs, "Realm \"%s\" cannot be both LOCAL and remote", name);
1209 return 0; /* Not proxying. Can't do non-LOCAL realms */
1212 mypool.name = realm;
1213 mypool.server_type = type;
1214 pool = rbtree_finddata(home_pools_byname, &mypool);
1216 if (pool->type != ldflag) {
1217 cf_log_err_cs(cs, "Inconsistent ldflag for server pool \"%s\"", name);
1221 if (pool->server_type != type) {
1222 cf_log_err_cs(cs, "Inconsistent home server type for server pool \"%s\"", name);
1229 home = rbtree_finddata(home_servers_byname, &myhome);
1231 if (secret && (strcmp(home->secret, secret) != 0)) {
1232 cf_log_err_cs(cs, "Inconsistent shared secret for home server \"%s\"", name);
1236 if (home->type != type) {
1237 cf_log_err_cs(cs, "Inconsistent type for home server \"%s\"", name);
1242 * See if the home server is already listed
1243 * in the pool. If so, do nothing else.
1245 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
1246 if (pool->servers[i] == home) {
1253 * If we do have a pool, check that there is room to
1254 * insert the home server we've found, or the one that we
1257 * Note that we insert it into the LAST available
1258 * position, in order to maintain the same order as in
1259 * the configuration files.
1263 for (i = pool->num_home_servers - 1; i >= 0; i--) {
1264 if (pool->servers[i]) break;
1266 if (!pool->servers[i]) {
1271 if (insert_point < 0) {
1272 cf_log_err_cs(cs, "No room in pool to add home server \"%s\". Please update the realm configuration to use the new-style home servers and server pools.", name);
1278 * No home server, allocate one.
1284 home = talloc_zero(rc, home_server_t);
1286 home->hostname = name;
1288 home->secret = secret;
1290 home->proto = IPPROTO_UDP;
1292 p = strchr(name, ':');
1294 if (type == HOME_TYPE_AUTH) {
1295 home->port = PW_AUTH_UDP_PORT;
1297 home->port = PW_ACCT_UDP_PORT;
1303 } else if (p == name) {
1304 cf_log_err_cs(cs, "Invalid hostname %s", name);
1308 unsigned long port = strtoul(p + 1, NULL, 0);
1309 if ((port == 0) || (port > 65535)) {
1310 cf_log_err_cs(cs, "Invalid port %s", p + 1);
1315 home->port = (uint16_t)port;
1316 q = talloc_array(home, char, (p - name) + 1);
1317 memcpy(q, name, (p - name));
1323 if (ip_hton(&home->ipaddr, AF_UNSPEC, p, false) < 0) {
1325 "Failed looking up hostname %s.",
1331 home->src_ipaddr.af = home->ipaddr.af;
1333 home->ipaddr.af = AF_UNSPEC;
1334 home->server = server;
1339 * Use the old-style configuration.
1341 home->max_outstanding = 65535*16;
1342 home->zombie_period = rc->retry_delay * rc->retry_count;
1343 if (home->zombie_period < 2) home->zombie_period = 30;
1344 home->response_window.tv_sec = home->zombie_period - 1;
1345 home->response_window.tv_usec = 0;
1347 home->ping_check = HOME_PING_CHECK_NONE;
1349 home->revive_interval = rc->dead_time;
1351 if (rbtree_finddata(home_servers_byaddr, home)) {
1352 cf_log_err_cs(cs, "Home server %s has the same IP address and/or port as another home server.", name);
1357 if (!rbtree_insert(home_servers_byname, home)) {
1358 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1363 if (!rbtree_insert(home_servers_byaddr, home)) {
1364 rbtree_deletebydata(home_servers_byname, home);
1365 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1371 home->number = home_server_max_number++;
1372 if (!rbtree_insert(home_servers_bynumber, home)) {
1373 rbtree_deletebydata(home_servers_byname, home);
1374 if (home->ipaddr.af != AF_UNSPEC) {
1375 rbtree_deletebydata(home_servers_byname, home);
1378 "Internal error %d adding home server %s.",
1387 * We now have a home server, see if we can insert it
1388 * into pre-existing pool.
1390 if (insert_point >= 0) {
1391 rad_assert(pool != NULL);
1392 pool->servers[insert_point] = home;
1396 rad_assert(pool == NULL);
1397 rad_assert(home != NULL);
1400 * Count the old-style realms of this name.
1402 num_home_servers = 0;
1403 for (subcs = cf_section_find_next(cs, NULL, "realm");
1405 subcs = cf_section_find_next(cs, subcs, "realm")) {
1406 char const *this = cf_section_name2(subcs);
1408 if (!this || (strcmp(this, realm) != 0)) continue;
1412 if (num_home_servers == 0) {
1413 cf_log_err_cs(cs, "Internal error counting pools for home server %s.", name);
1418 pool = server_pool_alloc(realm, ldflag, type, num_home_servers);
1420 cf_log_err_cs(cs, "Out of memory");
1426 pool->servers[0] = home;
1428 if (!rbtree_insert(home_pools_byname, pool)) {
1429 rad_assert("Internal sanity check failed" == NULL);
1439 static int old_realm_config(realm_config_t *rc, CONF_SECTION *cs, REALM *r)
1442 char const *secret = NULL;
1443 home_pool_type_t ldflag;
1446 cp = cf_pair_find(cs, "ldflag");
1447 ldflag = HOME_POOL_FAIL_OVER;
1449 host = cf_pair_value(cp);
1451 cf_log_err_cp(cp, "No value specified for ldflag");
1455 if (strcasecmp(host, "fail_over") == 0) {
1456 cf_log_info(cs, "\tldflag = fail_over");
1458 } else if (strcasecmp(host, "round_robin") == 0) {
1459 ldflag = HOME_POOL_LOAD_BALANCE;
1460 cf_log_info(cs, "\tldflag = round_robin");
1463 cf_log_err_cs(cs, "Unknown value \"%s\" for ldflag", host);
1466 } /* else don't print it. */
1469 * Allow old-style if it doesn't exist, or if it exists and
1472 cp = cf_pair_find(cs, "authhost");
1474 host = cf_pair_value(cp);
1476 cf_log_err_cp(cp, "No value specified for authhost");
1480 if (strcmp(host, "LOCAL") != 0) {
1481 cp = cf_pair_find(cs, "secret");
1483 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1487 secret = cf_pair_value(cp);
1489 cf_log_err_cp(cp, "No value specified for secret");
1494 cf_log_info(cs, "\tauthhost = %s", host);
1496 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1497 &r->auth_pool, HOME_TYPE_AUTH, NULL)) {
1502 cp = cf_pair_find(cs, "accthost");
1504 host = cf_pair_value(cp);
1506 cf_log_err_cp(cp, "No value specified for accthost");
1511 * Don't look for a secret again if it was found
1514 if ((strcmp(host, "LOCAL") != 0) && !secret) {
1515 cp = cf_pair_find(cs, "secret");
1517 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1521 secret = cf_pair_value(cp);
1523 cf_log_err_cp(cp, "No value specified for secret");
1528 cf_log_info(cs, "\taccthost = %s", host);
1530 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1531 &r->acct_pool, HOME_TYPE_ACCT, NULL)) {
1536 cp = cf_pair_find(cs, "virtual_server");
1538 host = cf_pair_value(cp);
1540 cf_log_err_cp(cp, "No value specified for virtual_server");
1544 cf_log_info(cs, "\tvirtual_server = %s", host);
1546 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1547 &r->auth_pool, HOME_TYPE_AUTH, host)) {
1550 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1551 &r->acct_pool, HOME_TYPE_ACCT, host)) {
1556 if (secret) cf_log_info(cs, "\tsecret = %s", secret);
1564 static int add_pool_to_realm(realm_config_t *rc, CONF_SECTION *cs,
1565 char const *name, home_pool_t **dest,
1566 int server_type, int do_print)
1568 home_pool_t mypool, *pool;
1571 mypool.server_type = server_type;
1573 pool = rbtree_finddata(home_pools_byname, &mypool);
1575 CONF_SECTION *pool_cs;
1577 pool_cs = cf_section_sub_find_name2(rc->cs,
1581 pool_cs = cf_section_sub_find_name2(rc->cs,
1586 cf_log_err_cs(cs, "Failed to find home_server_pool \"%s\"", name);
1590 if (!server_pool_add(rc, pool_cs, server_type, do_print)) {
1594 pool = rbtree_finddata(home_pools_byname, &mypool);
1596 ERROR("Internal sanity check failed in add_pool_to_realm");
1601 if (pool->server_type != server_type) {
1602 cf_log_err_cs(cs, "Incompatible home_server_pool \"%s\" (mixed auth_pool / acct_pool)", name);
1613 static int realm_add(realm_config_t *rc, CONF_SECTION *cs)
1619 home_pool_t *auth_pool, *acct_pool;
1620 char const *auth_pool_name, *acct_pool_name;
1622 char const *coa_pool_name;
1623 home_pool_t *coa_pool;
1627 name2 = cf_section_name1(cs);
1628 if (!name2 || (strcasecmp(name2, "realm") != 0)) {
1629 cf_log_err_cs(cs, "Section is not a realm");
1633 name2 = cf_section_name2(cs);
1635 cf_log_err_cs(cs, "Realm section is missing the realm name");
1640 auth_pool = acct_pool = NULL;
1641 auth_pool_name = acct_pool_name = NULL;
1644 coa_pool_name = NULL;
1648 * Prefer new configuration to old one.
1650 cp = cf_pair_find(cs, "pool");
1651 if (!cp) cp = cf_pair_find(cs, "home_server_pool");
1652 if (cp) auth_pool_name = cf_pair_value(cp);
1653 if (cp && auth_pool_name) {
1654 acct_pool_name = auth_pool_name;
1655 if (!add_pool_to_realm(rc, cs,
1656 auth_pool_name, &auth_pool,
1657 HOME_TYPE_AUTH, 1)) {
1660 if (!add_pool_to_realm(rc, cs,
1661 auth_pool_name, &acct_pool,
1662 HOME_TYPE_ACCT, 0)) {
1667 cp = cf_pair_find(cs, "auth_pool");
1668 if (cp) auth_pool_name = cf_pair_value(cp);
1669 if (cp && auth_pool_name) {
1671 cf_log_err_cs(cs, "Cannot use \"pool\" and \"auth_pool\" at the same time");
1674 if (!add_pool_to_realm(rc, cs,
1675 auth_pool_name, &auth_pool,
1676 HOME_TYPE_AUTH, 1)) {
1681 cp = cf_pair_find(cs, "acct_pool");
1682 if (cp) acct_pool_name = cf_pair_value(cp);
1683 if (cp && acct_pool_name) {
1684 bool do_print = true;
1687 cf_log_err_cs(cs, "Cannot use \"pool\" and \"acct_pool\" at the same time");
1693 (strcmp(auth_pool_name, acct_pool_name) != 0))) {
1697 if (!add_pool_to_realm(rc, cs,
1698 acct_pool_name, &acct_pool,
1699 HOME_TYPE_ACCT, do_print)) {
1705 cp = cf_pair_find(cs, "coa_pool");
1706 if (cp) coa_pool_name = cf_pair_value(cp);
1707 if (cp && coa_pool_name) {
1708 bool do_print = true;
1710 if (!add_pool_to_realm(rc, cs,
1711 coa_pool_name, &coa_pool,
1712 HOME_TYPE_COA, do_print)) {
1719 cf_log_info(cs, " realm %s {", name2);
1723 * The realm MAY already exist if it's an old-style realm.
1724 * In that case, merge the old-style realm with this one.
1726 r = realm_find2(name2);
1727 if (r && (strcmp(r->name, name2) == 0)) {
1728 if (cf_pair_find(cs, "auth_pool") ||
1729 cf_pair_find(cs, "acct_pool")) {
1730 cf_log_err_cs(cs, "Duplicate realm \"%s\"", name2);
1734 if (!old_realm_config(rc, cs, r)) {
1738 cf_log_info(cs, " } # realm %s", name2);
1743 r = rad_malloc(sizeof(*r));
1744 memset(r, 0, sizeof(*r));
1749 r->auth_pool = auth_pool;
1750 r->acct_pool = acct_pool;
1752 r->coa_pool = coa_pool;
1755 if (auth_pool_name &&
1756 (auth_pool_name == acct_pool_name)) { /* yes, ptr comparison */
1757 cf_log_info(cs, "\tpool = %s", auth_pool_name);
1759 if (auth_pool_name) cf_log_info(cs, "\tauth_pool = %s", auth_pool_name);
1760 if (acct_pool_name) cf_log_info(cs, "\tacct_pool = %s", acct_pool_name);
1762 if (coa_pool_name) cf_log_info(cs, "\tcoa_pool = %s", coa_pool_name);
1767 cp = cf_pair_find(cs, "nostrip");
1768 if (cp && (cf_pair_value(cp) == NULL)) {
1770 cf_log_info(cs, "\tnostrip");
1774 * We're a new-style realm. Complain if we see the old
1777 if (r->auth_pool || r->acct_pool) {
1778 if (((cp = cf_pair_find(cs, "authhost")) != NULL) ||
1779 ((cp = cf_pair_find(cs, "accthost")) != NULL) ||
1780 ((cp = cf_pair_find(cs, "secret")) != NULL) ||
1781 ((cp = cf_pair_find(cs, "ldflag")) != NULL)) {
1782 WARN("Ignoring old-style configuration entry \"%s\" in realm \"%s\"", cf_pair_attr(cp), r->name);
1787 * The realm MAY be an old-style realm, as there
1788 * was no auth_pool or acct_pool. Double-check
1789 * it, just to be safe.
1791 } else if (!old_realm_config(rc, cs, r)) {
1795 if (!realm_realm_add(r, cs)) {
1799 cf_log_info(cs, " }");
1804 cf_log_info(cs, " } # realm %s", name2);
1810 int realm_realm_add(REALM *r, CONF_SECTION *cs)
1812 int realm_realm_add(REALM *r, UNUSED CONF_SECTION *cs)
1816 * The structs aren't mutex protected. Refuse to destroy
1819 if (realms_initialized && !realm_config->dynamic) {
1820 DEBUG("Must set \"dynamic = true\" in proxy.conf");
1826 * It's a regex. Sanity check it, and add it to a
1829 if (r->name[0] == '~') {
1831 realm_regex_t *rr, **last;
1835 * Include substring matches.
1837 rcode = regcomp(®, r->name + 1, REG_EXTENDED | REG_NOSUB | REG_ICASE);
1841 regerror(rcode, ®, buffer, sizeof(buffer));
1844 "Invalid regex \"%s\": %s",
1845 r->name + 1, buffer);
1850 rr = rad_malloc(sizeof(*rr));
1852 last = &realms_regex;
1853 while (*last) last = &((*last)->next); /* O(N^2)... sue me. */
1863 if (!rbtree_insert(realms_byname, r)) {
1864 rad_assert("Internal sanity check failed" == NULL);
1872 static const FR_NAME_NUMBER home_server_types[] = {
1873 { "auth", HOME_TYPE_AUTH },
1874 { "auth+acct", HOME_TYPE_AUTH },
1875 { "acct", HOME_TYPE_ACCT },
1876 { "coa", HOME_TYPE_COA },
1880 static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs)
1883 char const *name, *type;
1885 CONF_SECTION *server_cs;
1887 cp = cf_pair_find(cs, "home_server");
1889 cf_log_err_cs(cs, "Pool does not contain a \"home_server\" entry");
1890 return HOME_TYPE_INVALID;
1893 name = cf_pair_value(cp);
1895 cf_log_err_cp(cp, "home_server entry does not reference a home server");
1896 return HOME_TYPE_INVALID;
1899 server_cs = cf_section_sub_find_name2(config, "home_server", name);
1901 cf_log_err_cp(cp, "home_server \"%s\" does not exist", name);
1902 return HOME_TYPE_INVALID;
1905 cp = cf_pair_find(server_cs, "type");
1907 cf_log_err_cs(server_cs, "home_server %s does not contain a \"type\" entry", name);
1908 return HOME_TYPE_INVALID;
1911 type = cf_pair_value(cp);
1913 cf_log_err_cs(server_cs, "home_server %s contains an empty \"type\" entry", name);
1914 return HOME_TYPE_INVALID;
1917 home = fr_str2int(home_server_types, type, HOME_TYPE_INVALID);
1918 if (home == HOME_TYPE_INVALID) {
1919 cf_log_err_cs(server_cs, "home_server %s contains an invalid \"type\" entry of value \"%s\"", name, type);
1920 return HOME_TYPE_INVALID;
1923 return home; /* 'cause we miss it so much */
1927 int realms_init(CONF_SECTION *config)
1932 CONF_SECTION *server_cs;
1936 if (realms_initialized) return 1;
1938 rc = talloc_zero(NULL, realm_config_t);
1942 cs = cf_subsection_find_next(config, NULL, "proxy");
1944 if (cf_section_parse(cs, rc, proxy_config) < 0) {
1945 ERROR("Failed parsing proxy section");
1949 rc->dead_time = DEAD_TIME;
1950 rc->retry_count = RETRY_COUNT;
1951 rc->retry_delay = RETRY_DELAY;
1952 rc->fallback = false;
1953 rc->dynamic = false;
1954 rc->wake_all_if_all_dead= 0;
1958 flags = RBTREE_FLAG_LOCK;
1961 home_servers_byaddr = rbtree_create(NULL, home_server_addr_cmp, home_server_free, flags);
1962 if (!home_servers_byaddr) goto error;
1964 home_servers_byname = rbtree_create(NULL, home_server_name_cmp, NULL, flags);
1965 if (!home_servers_byname) goto error;
1968 home_servers_bynumber = rbtree_create(NULL, home_server_number_cmp, NULL, flags);
1969 if (!home_servers_bynumber) goto error;
1972 home_pools_byname = rbtree_create(NULL, home_pool_name_cmp, NULL, flags);
1973 if (!home_pools_byname) goto error;
1975 for (cs = cf_subsection_find_next(config, NULL, "home_server");
1977 cs = cf_subsection_find_next(config, cs, "home_server")) {
1978 if (!home_server_add(rc, cs)) goto error;
1982 * Loop over virtual servers to find home servers which
1983 * are defined in them.
1985 for (server_cs = cf_subsection_find_next(config, NULL, "server");
1987 server_cs = cf_subsection_find_next(config, server_cs, "server")) {
1988 for (cs = cf_subsection_find_next(server_cs, NULL, "home_server");
1990 cs = cf_subsection_find_next(server_cs, cs, "home_server")) {
1991 if (!home_server_add(rc, cs)) goto error;
1997 * Now create the realms, which point to the home servers
1998 * and home server pools.
2000 realms_byname = rbtree_create(NULL, realm_name_cmp, NULL, flags);
2001 if (!realms_byname) goto error;
2003 for (cs = cf_subsection_find_next(config, NULL, "realm");
2005 cs = cf_subsection_find_next(config, cs, "realm")) {
2006 if (!realm_add(rc, cs)) {
2010 * Must be called after realms_free as home_servers
2011 * parented by rc are in trees freed by realms_free()
2020 * CoA pools aren't necessarily tied to realms.
2022 for (cs = cf_subsection_find_next(config, NULL, "home_server_pool");
2024 cs = cf_subsection_find_next(config, cs, "home_server_pool")) {
2028 * Pool was already loaded.
2030 if (cf_data_find(cs, "home_server_pool")) continue;
2032 type = pool_peek_type(config, cs);
2033 if (type == HOME_TYPE_INVALID) goto error;
2034 if (!server_pool_add(rc, cs, type, true)) goto error;
2039 xlat_register("home_server", xlat_home_server, NULL, NULL);
2040 xlat_register("home_server_pool", xlat_server_pool, NULL, NULL);
2044 realms_initialized = true;
2049 * Find a realm where "name" might be the regex.
2051 REALM *realm_find2(char const *name)
2056 if (!name) name = "NULL";
2058 myrealm.name = name;
2059 realm = rbtree_finddata(realms_byname, &myrealm);
2060 if (realm) return realm;
2064 realm_regex_t *this;
2066 for (this = realms_regex; this != NULL; this = this->next) {
2067 if (strcmp(this->realm->name, name) == 0) {
2075 * Couldn't find a realm. Look for DEFAULT.
2077 myrealm.name = "DEFAULT";
2078 return rbtree_finddata(realms_byname, &myrealm);
2083 * Find a realm in the REALM list.
2085 REALM *realm_find(char const *name)
2090 if (!name) name = "NULL";
2092 myrealm.name = name;
2093 realm = rbtree_finddata(realms_byname, &myrealm);
2094 if (realm) return realm;
2098 realm_regex_t *this;
2100 for (this = realms_regex; this != NULL; this = this->next) {
2105 * Include substring matches.
2107 if (regcomp(®, this->realm->name + 1, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
2111 compare = regexec(®, name, 0, NULL, 0);
2114 if (compare == 0) return this->realm;
2120 * Couldn't find a realm. Look for DEFAULT.
2122 myrealm.name = "DEFAULT";
2123 return rbtree_finddata(realms_byname, &myrealm);
2130 * Allocate the proxy list if it doesn't already exist, and copy request
2131 * VPs into it. Setup src/dst IP addresses based on home server, and
2132 * calculate and add the message-authenticator.
2134 * This is a distinct function from home_server_ldb, as not all home_server_t
2135 * lookups result in the *CURRENT* request being proxied,
2136 * as in rlm_replicate, and this may trigger asserts elsewhere in the
2139 void home_server_update_request(home_server_t *home, REQUEST *request)
2143 * Allocate the proxy packet, only if it wasn't
2144 * already allocated by a module. This check is
2145 * mainly to support the proxying of EAP-TTLS and
2146 * EAP-PEAP tunneled requests.
2148 * In those cases, the EAP module creates a
2149 * "fake" request, and recursively passes it
2150 * through the authentication stage of the
2151 * server. The module then checks if the request
2152 * was supposed to be proxied, and if so, creates
2153 * a proxy packet from the TUNNELED request, and
2154 * not from the EAP request outside of the
2157 * The proxy then works like normal, except that
2158 * the response packet is "eaten" by the EAP
2159 * module, and encapsulated into an EAP packet.
2161 if (!request->proxy) {
2162 request->proxy = rad_alloc(request, true);
2163 if (!request->proxy) {
2170 * Copy the request, then look up name
2171 * and plain-text password in the copy.
2173 * Note that the User-Name attribute is
2174 * the *original* as sent over by the
2175 * client. The Stripped-User-Name
2176 * attribute is the one hacked through
2179 request->proxy->vps = paircopy(request->proxy,
2180 request->packet->vps);
2184 * Update the various fields as appropriate.
2186 request->proxy->src_ipaddr = home->src_ipaddr;
2187 request->proxy->src_port = 0;
2188 request->proxy->dst_ipaddr = home->ipaddr;
2189 request->proxy->dst_port = home->port;
2191 request->proxy->proto = home->proto;
2193 request->home_server = home;
2194 talloc_reference(request, request->home_server);
2197 * Access-Requests have a Message-Authenticator added,
2198 * unless one already exists.
2200 if ((request->packet->code == PW_CODE_ACCESS_REQUEST) &&
2201 !pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY)) {
2202 pairmake(request->proxy, &request->proxy->vps,
2203 "Message-Authenticator", "0x00",
2208 home_server_t *home_server_ldb(char const *realmname,
2209 home_pool_t *pool, REQUEST *request)
2213 home_server_t *found = NULL;
2214 home_server_t *zombie = NULL;
2218 * Determine how to pick choose the home server.
2220 switch (pool->type) {
2224 * For load-balancing by client IP address, we
2225 * pick a home server by hashing the client IP.
2227 * This isn't as even a load distribution as
2228 * tracking the State attribute, but it's better
2231 case HOME_POOL_CLIENT_BALANCE:
2232 switch (request->packet->src_ipaddr.af) {
2234 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2235 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2239 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2240 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2247 start = hash % pool->num_home_servers;
2250 case HOME_POOL_CLIENT_PORT_BALANCE:
2251 switch (request->packet->src_ipaddr.af) {
2253 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2254 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2258 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2259 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2266 fr_hash_update(&request->packet->src_port,
2267 sizeof(request->packet->src_port), hash);
2268 start = hash % pool->num_home_servers;
2271 case HOME_POOL_KEYED_BALANCE:
2272 if ((vp = pairfind(request->config_items, PW_LOAD_BALANCE_KEY, 0, TAG_ANY)) != NULL) {
2273 hash = fr_hash(vp->vp_strvalue, vp->length);
2274 start = hash % pool->num_home_servers;
2279 case HOME_POOL_LOAD_BALANCE:
2280 case HOME_POOL_FAIL_OVER:
2284 default: /* this shouldn't happen... */
2291 * Starting with the home server we chose, loop through
2292 * all home servers. If the current one is dead, skip
2293 * it. If it is too busy, skip it.
2295 * Otherwise, use it.
2297 for (count = 0; count < pool->num_home_servers; count++) {
2298 home_server_t *home = pool->servers[(start + count) % pool->num_home_servers];
2300 if (!home) continue;
2303 * Skip dead home servers.
2305 * Home servers that are unknown, alive, or zombie
2306 * are used for proxying.
2308 if (home->state == HOME_STATE_IS_DEAD) {
2313 * This home server is too busy. Choose another one.
2315 if (home->currently_outstanding >= home->max_outstanding) {
2321 * We read the packet from a detail file, AND it
2322 * came from this server. Don't re-proxy it
2325 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
2326 (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) &&
2327 (fr_ipaddr_cmp(&home->ipaddr, &request->packet->src_ipaddr) == 0)) {
2333 * Default virtual: ignore homes tied to a
2336 if (!request->server && home->parent_server) {
2341 * A virtual AND home is tied to virtual,
2342 * ignore ones which don't match.
2344 if (request->server && home->parent_server &&
2345 strcmp(request->server, home->parent_server) != 0) {
2350 * Allow request->server && !home->parent_server
2352 * i.e. virtuals can proxy to globally defined
2357 * It's zombie, so we remember the first zombie
2358 * we find, but we don't mark it as a "live"
2361 if (home->state == HOME_STATE_ZOMBIE) {
2362 if (!zombie) zombie = home;
2367 * We've found the first "live" one. Use that.
2369 if (pool->type != HOME_POOL_LOAD_BALANCE) {
2375 * Otherwise we're doing some kind of load balancing.
2376 * If we haven't found one yet, pick this one.
2383 RDEBUG3("PROXY %s %d\t%s %d",
2384 found->name, found->currently_outstanding,
2385 home->name, home->currently_outstanding);
2388 * Prefer this server if it's less busy than the
2389 * one we had previously found.
2391 if (home->currently_outstanding < found->currently_outstanding) {
2392 RDEBUG3("PROXY Choosing %s: It's less busy than %s",
2393 home->name, found->name);
2399 * Ignore servers which are busier than the one
2402 if (home->currently_outstanding > found->currently_outstanding) {
2403 RDEBUG3("PROXY Skipping %s: It's busier than %s",
2404 home->name, found->name);
2409 * From the list of servers which have the same
2410 * load, choose one at random.
2412 if (((count + 1) * (fr_rand() & 0xffff)) < (uint32_t) 0x10000) {
2415 } /* loop over the home servers */
2418 * We have no live servers, BUT we have a zombie. Use
2419 * the zombie as a last resort.
2421 if (!found && zombie) {
2427 * There's a fallback if they're all dead.
2429 if (!found && pool->fallback) {
2430 found = pool->fallback;
2432 WARN("Home server pool %s failing over to fallback %s",
2433 pool->name, found->server);
2434 if (pool->in_fallback) goto update_and_return;
2436 pool->in_fallback = true;
2439 * Run the trigger once an hour saying that
2442 if ((pool->time_all_dead + 3600) < request->timestamp) {
2443 pool->time_all_dead = request->timestamp;
2444 exec_trigger(request, pool->cs, "home_server_pool.fallback", false);
2450 if ((found != pool->fallback) && pool->in_fallback) {
2451 pool->in_fallback = false;
2452 exec_trigger(request, pool->cs, "home_server_pool.normal", false);
2459 * No live match found, and no fallback to the "DEFAULT"
2460 * realm. We fix this by blindly marking all servers as
2461 * "live". But only do it for ones that don't support
2462 * "pings", as they will be marked live when they
2463 * actually are live.
2465 if (!realm_config->fallback &&
2466 realm_config->wake_all_if_all_dead) {
2467 for (count = 0; count < pool->num_home_servers; count++) {
2468 home_server_t *home = pool->servers[count];
2470 if (!home) continue;
2472 if ((home->state == HOME_STATE_IS_DEAD) &&
2473 (home->ping_check == HOME_PING_CHECK_NONE)) {
2474 home->state = HOME_STATE_ALIVE;
2475 home->response_timeouts = 0;
2476 if (!found) found = home;
2480 if (found) goto update_and_return;
2484 * Still nothing. Look up the DEFAULT realm, but only
2485 * if we weren't looking up the NULL or DEFAULT realms.
2487 if (realm_config->fallback &&
2489 (strcmp(realmname, "NULL") != 0) &&
2490 (strcmp(realmname, "DEFAULT") != 0)) {
2491 REALM *rd = realm_find("DEFAULT");
2493 if (!rd) return NULL;
2496 if (request->packet->code == PW_CODE_ACCESS_REQUEST) {
2497 pool = rd->auth_pool;
2499 } else if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2500 pool = rd->acct_pool;
2502 if (!pool) return NULL;
2504 RDEBUG2("PROXY - realm %s has no live home servers. Falling back to the DEFAULT realm.", realmname);
2505 return home_server_ldb(rd->name, pool, request);
2509 * Still haven't found anything. Oh well.
2515 home_server_t *home_server_find(fr_ipaddr_t *ipaddr, uint16_t port, int proto)
2517 home_server_t myhome;
2519 memset(&myhome, 0, sizeof(myhome));
2520 myhome.ipaddr = *ipaddr;
2521 myhome.src_ipaddr.af = ipaddr->af;
2524 myhome.proto = proto;
2526 myhome.proto = IPPROTO_UDP;
2528 myhome.server = NULL; /* we're not called for internal proxying */
2530 return rbtree_finddata(home_servers_byaddr, &myhome);
2534 home_server_t *home_server_byname(char const *name, int type)
2536 home_server_t myhome;
2538 memset(&myhome, 0, sizeof(myhome));
2542 return rbtree_finddata(home_servers_byname, &myhome);
2547 home_server_t *home_server_bynumber(int number)
2549 home_server_t myhome;
2551 memset(&myhome, 0, sizeof(myhome));
2552 myhome.number = number;
2553 myhome.server = NULL; /* we're not called for internal proxying */
2555 return rbtree_finddata(home_servers_bynumber, &myhome);
2559 home_pool_t *home_pool_byname(char const *name, int type)
2563 memset(&mypool, 0, sizeof(mypool));
2565 mypool.server_type = type;
2566 return rbtree_finddata(home_pools_byname, &mypool);