2 * realms.c Realm handling code
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/rad_assert.h>
39 * For POSIX Regular expressions.
40 * (0) Means no extended regular expressions.
41 * REG_EXTENDED means use extended regular expressions.
44 #define REG_EXTENDED (0)
56 static rbtree_t *realms_byname = NULL;
59 typedef struct realm_regex_t {
61 struct realm_regex_t *next;
64 static realm_regex_t *realms_regex = NULL;
66 #endif /* HAVE_REGEX_H */
68 typedef struct realm_config_t {
74 int wake_all_if_all_dead;
77 static realm_config_t *realm_config = NULL;
80 static rbtree_t *home_servers_byaddr = NULL;
81 static rbtree_t *home_servers_byname = NULL;
83 static int home_server_max_number = 0;
84 static rbtree_t *home_servers_bynumber = NULL;
87 static rbtree_t *home_pools_byname = NULL;
90 * Map the proxy server configuration parameters to variables.
92 static const CONF_PARSER proxy_config[] = {
93 { "retry_delay", PW_TYPE_INTEGER,
94 offsetof(realm_config_t, retry_delay),
95 NULL, Stringify(RETRY_DELAY) },
97 { "retry_count", PW_TYPE_INTEGER,
98 offsetof(realm_config_t, retry_count),
99 NULL, Stringify(RETRY_COUNT) },
101 { "default_fallback", PW_TYPE_BOOLEAN,
102 offsetof(realm_config_t, fallback),
105 { "dead_time", PW_TYPE_INTEGER,
106 offsetof(realm_config_t, dead_time),
107 NULL, Stringify(DEAD_TIME) },
109 { "wake_all_if_all_dead", PW_TYPE_BOOLEAN,
110 offsetof(realm_config_t, wake_all_if_all_dead),
113 { NULL, -1, 0, NULL, NULL }
117 static int realm_name_cmp(const void *one, const void *two)
119 const REALM *a = one;
120 const REALM *b = two;
122 return strcasecmp(a->name, b->name);
127 static int home_server_name_cmp(const void *one, const void *two)
129 const home_server *a = one;
130 const home_server *b = two;
132 if (a->type < b->type) return -1;
133 if (a->type > b->type) return +1;
135 return strcasecmp(a->name, b->name);
138 static int home_server_addr_cmp(const void *one, const void *two)
140 const home_server *a = one;
141 const home_server *b = two;
143 if (a->server && !b->server) return -1;
144 if (!a->server && b->server) return +1;
145 if (a->server && b->server) {
146 int rcode = a->type - b->type;
147 if (rcode != 0) return rcode;
148 return strcmp(a->server, b->server);
151 if (a->port < b->port) return -1;
152 if (a->port > b->port) return +1;
154 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
158 static int home_server_number_cmp(const void *one, const void *two)
160 const home_server *a = one;
161 const home_server *b = two;
163 return (a->number - b->number);
167 static int home_pool_name_cmp(const void *one, const void *two)
169 const home_pool_t *a = one;
170 const home_pool_t *b = two;
172 if (a->server_type < b->server_type) return -1;
173 if (a->server_type > b->server_type) return +1;
175 return strcasecmp(a->name, b->name);
180 * Xlat for %{home_server:foo}
182 static size_t xlat_home_server(UNUSED void *instance, REQUEST *request,
183 char *fmt, char *out, size_t outlen,
184 UNUSED RADIUS_ESCAPE_STRING func)
186 const char *value = NULL;
189 if (!fmt || !out || (outlen < 1)) return 0;
191 if (!request || !request->home_server) {
196 cp = cf_pair_find(request->home_server->cs, fmt);
197 if (!cp || !(value = cf_pair_value(cp))) {
202 strlcpy(out, value, outlen);
209 * Xlat for %{home_server_pool:foo}
211 static size_t xlat_server_pool(UNUSED void *instance, REQUEST *request,
212 char *fmt, char *out, size_t outlen,
213 UNUSED RADIUS_ESCAPE_STRING func)
215 const char *value = NULL;
218 if (!fmt || !out || (outlen < 1)) return 0;
220 if (!request || !request->home_pool) {
225 cp = cf_pair_find(request->home_pool->cs, fmt);
226 if (!cp || !(value = cf_pair_value(cp))) {
231 strlcpy(out, value, outlen);
237 void realms_free(void)
241 rbtree_free(home_servers_bynumber);
242 home_servers_bynumber = NULL;
245 rbtree_free(home_servers_byname);
246 home_servers_byname = NULL;
248 rbtree_free(home_servers_byaddr);
249 home_servers_byaddr = NULL;
251 rbtree_free(home_pools_byname);
252 home_pools_byname = NULL;
255 rbtree_free(realms_byname);
256 realms_byname = NULL;
260 realm_regex_t *this, *next;
262 for (this = realms_regex; this != NULL; this = next) {
275 static struct in_addr hs_ip4addr;
276 static struct in6_addr hs_ip6addr;
277 static char *hs_type = NULL;
278 static char *hs_check = NULL;
279 static char *hs_virtual_server = NULL;
281 static CONF_PARSER home_server_config[] = {
282 { "ipaddr", PW_TYPE_IPADDR,
283 0, &hs_ip4addr, NULL },
284 { "ipv6addr", PW_TYPE_IPV6ADDR,
285 0, &hs_ip6addr, NULL },
286 { "virtual_server", PW_TYPE_STRING_PTR,
287 0, &hs_virtual_server, NULL },
289 { "port", PW_TYPE_INTEGER,
290 offsetof(home_server,port), NULL, "0" },
292 { "type", PW_TYPE_STRING_PTR,
295 { "secret", PW_TYPE_STRING_PTR,
296 offsetof(home_server,secret), NULL, NULL},
298 { "response_window", PW_TYPE_INTEGER,
299 offsetof(home_server,response_window), NULL, "30" },
300 { "max_outstanding", PW_TYPE_INTEGER,
301 offsetof(home_server,max_outstanding), NULL, "65536" },
303 { "zombie_period", PW_TYPE_INTEGER,
304 offsetof(home_server,zombie_period), NULL, "40" },
305 { "status_check", PW_TYPE_STRING_PTR,
306 0, &hs_check, "none" },
307 { "ping_check", PW_TYPE_STRING_PTR,
308 0, &hs_check, NULL },
310 { "ping_interval", PW_TYPE_INTEGER,
311 offsetof(home_server,ping_interval), NULL, "30" },
312 { "check_interval", PW_TYPE_INTEGER,
313 offsetof(home_server,ping_interval), NULL, "30" },
314 { "num_answers_to_alive", PW_TYPE_INTEGER,
315 offsetof(home_server,num_pings_to_alive), NULL, "3" },
316 { "num_pings_to_alive", PW_TYPE_INTEGER,
317 offsetof(home_server,num_pings_to_alive), NULL, "3" },
318 { "revive_interval", PW_TYPE_INTEGER,
319 offsetof(home_server,revive_interval), NULL, "300" },
320 { "status_check_timeout", PW_TYPE_INTEGER,
321 offsetof(home_server,ping_timeout), NULL, "4" },
323 { "username", PW_TYPE_STRING_PTR,
324 offsetof(home_server,ping_user_name), NULL, NULL},
325 { "password", PW_TYPE_STRING_PTR,
326 offsetof(home_server,ping_user_password), NULL, NULL},
329 { "historic_average_window", PW_TYPE_INTEGER,
330 offsetof(home_server,ema.window), NULL, NULL },
333 { NULL, -1, 0, NULL, NULL } /* end the list */
338 static int home_server_add(realm_config_t *rc, CONF_SECTION *cs, int type)
345 free(hs_virtual_server); /* used only for printing during parsing */
346 hs_virtual_server = NULL;
348 name2 = cf_section_name1(cs);
349 if (!name2 || (strcasecmp(name2, "home_server") != 0)) {
350 cf_log_err(cf_sectiontoitem(cs),
351 "Section is not a home_server.");
355 name2 = cf_section_name2(cs);
357 cf_log_err(cf_sectiontoitem(cs),
358 "Home server section is missing a name.");
362 home = rad_malloc(sizeof(*home));
363 memset(home, 0, sizeof(*home));
368 memset(&hs_ip4addr, 0, sizeof(hs_ip4addr));
369 memset(&hs_ip6addr, 0, sizeof(hs_ip6addr));
370 cf_section_parse(cs, home, home_server_config);
373 * Figure out which one to use.
375 if (cf_pair_find(cs, "ipaddr")) {
376 home->ipaddr.af = AF_INET;
377 home->ipaddr.ipaddr.ip4addr = hs_ip4addr;
379 } else if (cf_pair_find(cs, "ipv6addr")) {
380 home->ipaddr.af = AF_INET6;
381 home->ipaddr.ipaddr.ip6addr = hs_ip6addr;
383 } else if ((cp = cf_pair_find(cs, "virtual_server")) != NULL) {
384 home->ipaddr.af = AF_UNSPEC;
385 home->server = cf_pair_value(cp);
387 cf_log_err(cf_sectiontoitem(cs),
388 "Invalid value for virtual_server");
392 if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
394 cf_log_err(cf_sectiontoitem(cs),
395 "No such server %s", home->server);
401 home->secret = strdup("");
405 cf_log_err(cf_sectiontoitem(cs),
406 "No ipaddr, ipv6addr, or virtual_server defined for home server \"%s\".",
417 if (!home->port || (home->port > 65535)) {
418 cf_log_err(cf_sectiontoitem(cs),
419 "No port, or invalid port defined for home server %s.",
425 cf_log_err(cf_sectiontoitem(cs),
426 "Fatal error! Home server %s is ourselves!",
432 cf_log_err(cf_sectiontoitem(cs),
433 "No shared secret defined for home server %s.",
440 * Use a reasonable default.
443 if (!hs_type) hs_type = strdup("auth+acct");
445 if (strcasecmp(hs_type, "auth") == 0) {
446 home->type = HOME_TYPE_AUTH;
447 if (type != home->type) {
448 cf_log_err(cf_sectiontoitem(cs),
449 "Server pool of \"acct\" servers cannot include home server %s of type \"auth\"",
455 } else if (strcasecmp(hs_type, "acct") == 0) {
456 home->type = HOME_TYPE_ACCT;
457 if (type != home->type) {
458 cf_log_err(cf_sectiontoitem(cs),
459 "Server pool of \"auth\" servers cannot include home server %s of type \"acct\"",
465 } else if (strcasecmp(hs_type, "auth+acct") == 0) {
466 home->type = HOME_TYPE_AUTH;
470 cf_log_err(cf_sectiontoitem(cs),
471 "Invalid type \"%s\" for home server %s.",
483 if (!hs_check || (strcasecmp(hs_check, "none") == 0)) {
484 home->ping_check = HOME_PING_CHECK_NONE;
486 } else if (strcasecmp(hs_check, "status-server") == 0) {
487 home->ping_check = HOME_PING_CHECK_STATUS_SERVER;
489 } else if (strcasecmp(hs_check, "request") == 0) {
490 home->ping_check = HOME_PING_CHECK_REQUEST;
493 cf_log_err(cf_sectiontoitem(cs),
494 "Invalid ping_check \"%s\" for home server %s.",
504 if ((home->ping_check != HOME_PING_CHECK_NONE) &&
505 (home->ping_check != HOME_PING_CHECK_STATUS_SERVER)) {
506 if (!home->ping_user_name) {
507 cf_log_err(cf_sectiontoitem(cs), "You must supply a user name to enable ping checks");
512 if ((home->type == HOME_TYPE_AUTH) &&
513 !home->ping_user_password) {
514 cf_log_err(cf_sectiontoitem(cs), "You must supply a password to enable ping checks");
520 if ((home->ipaddr.af != AF_UNSPEC) && /* could be virtual server */
521 rbtree_finddata(home_servers_byaddr, home)) {
522 DEBUG2("Ignoring duplicate home server %s.", name2);
526 if (!rbtree_insert(home_servers_byname, home)) {
527 cf_log_err(cf_sectiontoitem(cs),
528 "Internal error %d adding home server %s.",
534 if ((home->ipaddr.af != AF_UNSPEC) && /* could be virtual server */
535 !rbtree_insert(home_servers_byaddr, home)) {
536 rbtree_deletebydata(home_servers_byname, home);
537 cf_log_err(cf_sectiontoitem(cs),
538 "Internal error %d adding home server %s.",
545 home->number = home_server_max_number++;
546 if (!rbtree_insert(home_servers_bynumber, home)) {
547 rbtree_deletebydata(home_servers_byname, home);
548 if (home->ipaddr.af != AF_UNSPEC) {
549 rbtree_deletebydata(home_servers_byname, home);
551 cf_log_err(cf_sectiontoitem(cs),
552 "Internal error %d adding home server %s.",
559 if (home->response_window < 5) home->response_window = 5;
560 if (home->response_window > 60) home->response_window = 60;
562 if (home->max_outstanding < 8) home->max_outstanding = 8;
563 if (home->max_outstanding > 65536*16) home->max_outstanding = 65536*16;
565 if (home->ping_interval < 6) home->ping_interval = 6;
566 if (home->ping_interval > 120) home->ping_interval = 120;
568 if (home->zombie_period < 20) home->zombie_period = 20;
569 if (home->zombie_period > 120) home->zombie_period = 120;
571 if (home->zombie_period < home->response_window) {
572 home->zombie_period = home->response_window;
575 if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
576 if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;
578 if (home->ping_timeout < 3) home->ping_timeout = 3;
579 if (home->ping_timeout > 10) home->ping_timeout = 10;
581 if (home->revive_interval < 60) home->revive_interval = 60;
582 if (home->revive_interval > 3600) home->revive_interval = 3600;
585 home_server *home2 = rad_malloc(sizeof(*home2));
587 memcpy(home2, home, sizeof(*home2));
589 home2->type = HOME_TYPE_ACCT;
591 home2->ping_user_password = NULL;
594 if (!rbtree_insert(home_servers_byname, home2)) {
595 cf_log_err(cf_sectiontoitem(cs),
596 "Internal error %d adding home server %s.",
602 if ((home->ipaddr.af != AF_UNSPEC) &&
603 !rbtree_insert(home_servers_byaddr, home2)) {
604 rbtree_deletebydata(home_servers_byname, home2);
605 cf_log_err(cf_sectiontoitem(cs),
606 "Internal error %d adding home server %s.",
613 home2->number = home_server_max_number++;
614 if (!rbtree_insert(home_servers_bynumber, home2)) {
615 rbtree_deletebydata(home_servers_byname, home2);
616 if (home2->ipaddr.af != AF_UNSPEC) {
617 rbtree_deletebydata(home_servers_byname, home2);
619 cf_log_err(cf_sectiontoitem(cs),
620 "Internal error %d adding home server %s.",
632 static home_pool_t *server_pool_alloc(const char *name, home_pool_type_t type,
633 int server_type, int num_home_servers)
637 pool = rad_malloc(sizeof(*pool) + (sizeof(pool->servers[0]) *
639 if (!pool) return NULL; /* just for pairanoia */
641 memset(pool, 0, sizeof(*pool) + (sizeof(pool->servers[0]) *
646 pool->server_type = server_type;
647 pool->num_home_servers = num_home_servers;
652 static int pool_check_home_server(realm_config_t *rc, CONF_PAIR *cp,
653 const char *name, int server_type,
656 home_server myhome, *home;
657 CONF_SECTION *server_cs;
660 cf_log_err(cf_pairtoitem(cp),
661 "No value given for home_server.");
666 myhome.type = server_type;
667 home = rbtree_finddata(home_servers_byname, &myhome);
673 server_cs = cf_section_sub_find_name2(rc->cs, "home_server", name);
675 cf_log_err(cf_pairtoitem(cp),
676 "Unknown home_server \"%s\".", name);
680 if (!home_server_add(rc, server_cs, server_type)) {
684 home = rbtree_finddata(home_servers_byname, &myhome);
686 radlog(L_ERR, "Internal sanity check failed %d",
696 static int server_pool_add(realm_config_t *rc,
697 CONF_SECTION *cs, int server_type, int do_print)
700 home_pool_t *pool = NULL;
703 int num_home_servers;
706 name2 = cf_section_name1(cs);
707 if (!name2 || ((strcasecmp(name2, "server_pool") != 0) &&
708 (strcasecmp(name2, "home_server_pool") != 0))) {
709 cf_log_err(cf_sectiontoitem(cs),
710 "Section is not a home_server_pool.");
714 name2 = cf_section_name2(cs);
716 cf_log_err(cf_sectiontoitem(cs),
717 "Server pool section is missing a name.");
722 * Count the home servers and initalize them.
724 num_home_servers = 0;
725 for (cp = cf_pair_find(cs, "home_server");
727 cp = cf_pair_find_next(cs, cp, "home_server")) {
730 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
731 server_type, &home)) {
737 if (num_home_servers == 0) {
738 cf_log_err(cf_sectiontoitem(cs),
739 "No home servers defined in pool %s",
744 pool = server_pool_alloc(name2, HOME_POOL_FAIL_OVER, server_type,
750 * Fallback servers must be defined, and must be
753 cp = cf_pair_find(cs, "fallback");
755 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
756 server_type, &pool->fallback)) {
761 if (!pool->fallback->server) {
762 cf_log_err(cf_sectiontoitem(cs), "Fallback home_server %s does NOT contain a virtual_server directive.", pool->fallback->name);
767 if (do_print) cf_log_info(cs, " home_server_pool %s {", name2);
769 cp = cf_pair_find(cs, "type");
771 static FR_NAME_NUMBER pool_types[] = {
772 { "load-balance", HOME_POOL_LOAD_BALANCE },
773 { "fail-over", HOME_POOL_FAIL_OVER },
774 { "round_robin", HOME_POOL_LOAD_BALANCE },
775 { "fail_over", HOME_POOL_FAIL_OVER },
776 { "client-balance", HOME_POOL_CLIENT_BALANCE },
777 { "client-port-balance", HOME_POOL_CLIENT_PORT_BALANCE },
778 { "keyed-balance", HOME_POOL_KEYED_BALANCE },
782 value = cf_pair_value(cp);
784 cf_log_err(cf_pairtoitem(cp),
785 "No value given for type.");
789 pool->type = fr_str2int(pool_types, value, 0);
791 cf_log_err(cf_pairtoitem(cp),
792 "Unknown type \"%s\".",
797 if (do_print) cf_log_info(cs, "\ttype = %s", value);
800 cp = cf_pair_find(cs, "virtual_server");
802 pool->virtual_server = cf_pair_value(cp);
803 if (!pool->virtual_server) {
804 cf_log_err(cf_pairtoitem(cp), "No value given for virtual_server");
809 cf_log_info(cs, "\tvirtual_server = %s", pool->virtual_server);
812 if (!cf_section_sub_find_name2(rc->cs, "server",
813 pool->virtual_server)) {
814 cf_log_err(cf_pairtoitem(cp), "No such server %s",
815 pool->virtual_server);
821 num_home_servers = 0;
822 for (cp = cf_pair_find(cs, "home_server");
824 cp = cf_pair_find_next(cs, cp, "home_server")) {
827 value = cf_pair_value(cp);
829 memset(&myhome, 0, sizeof(&myhome));
831 myhome.type = server_type;
833 home = rbtree_finddata(home_servers_byname, &myhome);
835 DEBUG2("Internal sanity check failed");
840 DEBUG2("Warning: Duplicate home server %s in server pool %s", home->name, pool->name);
844 if (do_print) cf_log_info(cs, "\thome_server = %s", home->name);
845 pool->servers[num_home_servers++] = home;
846 } /* loop over home_server's */
848 if (pool->fallback && do_print) {
849 cf_log_info(cs, "\tfallback = %s", pool->fallback->name);
852 if (!rbtree_insert(home_pools_byname, pool)) {
853 rad_assert("Internal sanity check failed");
857 if (do_print) cf_log_info(cs, " }");
859 rad_assert(pool->server_type != 0);
864 if (do_print) cf_log_info(cs, " }");
870 static int old_server_add(realm_config_t *rc, CONF_SECTION *cs,
872 const char *name, const char *secret,
873 home_pool_type_t ldflag, home_pool_t **pool_p,
874 int type, const char *server)
877 int i, insert_point, num_home_servers;
878 home_server myhome, *home;
879 home_pool_t mypool, *pool;
882 rc = rc; /* -Wunused */
891 * LOCAL realms get sanity checked, and nothing else happens.
893 if (strcmp(name, "LOCAL") == 0) {
895 cf_log_err(cf_sectiontoitem(cs), "Realm \"%s\" cannot be both LOCAL and remote", name);
902 return 0; /* Not proxying. Can't do non-LOCAL realms */
906 mypool.server_type = type;
907 pool = rbtree_finddata(home_pools_byname, &mypool);
909 if (pool->type != ldflag) {
910 cf_log_err(cf_sectiontoitem(cs), "Inconsistent ldflag for server pool \"%s\"", name);
914 if (pool->server_type != type) {
915 cf_log_err(cf_sectiontoitem(cs), "Inconsistent home server type for server pool \"%s\"", name);
922 home = rbtree_finddata(home_servers_byname, &myhome);
924 if (secret && (strcmp(home->secret, secret) != 0)) {
925 cf_log_err(cf_sectiontoitem(cs), "Inconsistent shared secret for home server \"%s\"", name);
929 if (home->type != type) {
930 cf_log_err(cf_sectiontoitem(cs), "Inconsistent type for home server \"%s\"", name);
935 * See if the home server is already listed
936 * in the pool. If so, do nothing else.
938 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
939 if (pool->servers[i] == home) {
946 * If we do have a pool, check that there is room to
947 * insert the home server we've found, or the one that we
950 * Note that we insert it into the LAST available
951 * position, in order to maintain the same order as in
952 * the configuration files.
956 for (i = pool->num_home_servers - 1; i >= 0; i--) {
957 if (pool->servers[i]) break;
959 if (!pool->servers[i]) {
964 if (insert_point < 0) {
965 cf_log_err(cf_sectiontoitem(cs), "No room in pool to add home server \"%s\". Please update the realm configuration to use the new-style home servers and server pools.", name);
971 * No home server, allocate one.
977 home = rad_malloc(sizeof(*home));
978 memset(home, 0, sizeof(*home));
981 home->hostname = name;
983 home->secret = secret;
986 p = strchr(name, ':');
988 if (type == HOME_TYPE_AUTH) {
989 home->port = PW_AUTH_UDP_PORT;
991 home->port = PW_ACCT_UDP_PORT;
997 } else if (p == name) {
998 cf_log_err(cf_sectiontoitem(cs),
999 "Invalid hostname %s.",
1005 home->port = atoi(p + 1);
1006 if ((home->port == 0) || (home->port > 65535)) {
1007 cf_log_err(cf_sectiontoitem(cs),
1014 q = rad_malloc((p - name) + 1);
1015 memcpy(q, name, (p - name));
1021 if (ip_hton(p, AF_UNSPEC, &home->ipaddr) < 0) {
1022 cf_log_err(cf_sectiontoitem(cs),
1023 "Failed looking up hostname %s.",
1030 home->ipaddr.af = AF_UNSPEC;
1031 home->server = server;
1036 * Use the old-style configuration.
1038 home->max_outstanding = 65535*16;
1039 home->zombie_period = rc->retry_delay * rc->retry_count;
1040 if (home->zombie_period == 0) home->zombie_period =30;
1041 home->response_window = home->zombie_period - 1;
1043 home->ping_check = HOME_PING_CHECK_NONE;
1045 home->revive_interval = rc->dead_time;
1047 if (rbtree_finddata(home_servers_byaddr, home)) {
1048 cf_log_err(cf_sectiontoitem(cs), "Home server %s has the same IP address and/or port as another home server.", name);
1053 if (!rbtree_insert(home_servers_byname, home)) {
1054 cf_log_err(cf_sectiontoitem(cs), "Internal error %d adding home server %s.", __LINE__, name);
1059 if (!rbtree_insert(home_servers_byaddr, home)) {
1060 rbtree_deletebydata(home_servers_byname, home);
1061 cf_log_err(cf_sectiontoitem(cs), "Internal error %d adding home server %s.", __LINE__, name);
1067 home->number = home_server_max_number++;
1068 if (!rbtree_insert(home_servers_bynumber, home)) {
1069 rbtree_deletebydata(home_servers_byname, home);
1070 if (home->ipaddr.af != AF_UNSPEC) {
1071 rbtree_deletebydata(home_servers_byname, home);
1073 cf_log_err(cf_sectiontoitem(cs),
1074 "Internal error %d adding home server %s.",
1083 * We now have a home server, see if we can insert it
1084 * into pre-existing pool.
1086 if (insert_point >= 0) {
1087 rad_assert(pool != NULL);
1088 pool->servers[insert_point] = home;
1092 rad_assert(pool == NULL);
1093 rad_assert(home != NULL);
1096 * Count the old-style realms of this name.
1098 num_home_servers = 0;
1099 for (subcs = cf_section_find_next(cs, NULL, "realm");
1101 subcs = cf_section_find_next(cs, subcs, "realm")) {
1102 const char *this = cf_section_name2(subcs);
1104 if (!this || (strcmp(this, realm) != 0)) continue;
1108 if (num_home_servers == 0) {
1109 cf_log_err(cf_sectiontoitem(cs), "Internal error counting pools for home server %s.", name);
1114 pool = server_pool_alloc(realm, ldflag, type, num_home_servers);
1117 pool->servers[0] = home;
1119 if (!rbtree_insert(home_pools_byname, pool)) {
1120 rad_assert("Internal sanity check failed");
1130 static int old_realm_config(realm_config_t *rc, CONF_SECTION *cs, REALM *r)
1133 const char *secret = NULL;
1134 home_pool_type_t ldflag;
1137 cp = cf_pair_find(cs, "ldflag");
1138 ldflag = HOME_POOL_FAIL_OVER;
1140 host = cf_pair_value(cp);
1142 cf_log_err(cf_pairtoitem(cp), "No value specified for ldflag");
1146 if (strcasecmp(host, "fail_over") == 0) {
1147 cf_log_info(cs, "\tldflag = fail_over");
1149 } else if (strcasecmp(host, "round_robin") == 0) {
1150 ldflag = HOME_POOL_LOAD_BALANCE;
1151 cf_log_info(cs, "\tldflag = round_robin");
1154 cf_log_err(cf_sectiontoitem(cs), "Unknown value \"%s\" for ldflag", host);
1157 } /* else don't print it. */
1160 * Allow old-style if it doesn't exist, or if it exists and
1163 cp = cf_pair_find(cs, "authhost");
1165 host = cf_pair_value(cp);
1167 cf_log_err(cf_pairtoitem(cp), "No value specified for authhost");
1171 if (strcmp(host, "LOCAL") != 0) {
1172 cp = cf_pair_find(cs, "secret");
1174 cf_log_err(cf_sectiontoitem(cs), "No shared secret supplied for realm: %s", r->name);
1178 secret = cf_pair_value(cp);
1180 cf_log_err(cf_pairtoitem(cp), "No value specified for secret");
1185 cf_log_info(cs, "\tauthhost = %s", host);
1187 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1188 &r->auth_pool, HOME_TYPE_AUTH, NULL)) {
1193 cp = cf_pair_find(cs, "accthost");
1195 host = cf_pair_value(cp);
1197 cf_log_err(cf_pairtoitem(cp), "No value specified for accthost");
1202 * Don't look for a secret again if it was found
1205 if ((strcmp(host, "LOCAL") != 0) && !secret) {
1206 cp = cf_pair_find(cs, "secret");
1208 cf_log_err(cf_sectiontoitem(cs), "No shared secret supplied for realm: %s", r->name);
1212 secret = cf_pair_value(cp);
1214 cf_log_err(cf_pairtoitem(cp), "No value specified for secret");
1219 cf_log_info(cs, "\taccthost = %s", host);
1221 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1222 &r->acct_pool, HOME_TYPE_ACCT, NULL)) {
1227 cp = cf_pair_find(cs, "virtual_server");
1229 host = cf_pair_value(cp);
1231 cf_log_err(cf_pairtoitem(cp), "No value specified for virtual_server");
1235 cf_log_info(cs, "\tvirtual_server = %s", host);
1237 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1238 &r->auth_pool, HOME_TYPE_AUTH, host)) {
1241 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1242 &r->acct_pool, HOME_TYPE_ACCT, host)) {
1247 if (secret) cf_log_info(cs, "\tsecret = %s", secret);
1255 static int add_pool_to_realm(realm_config_t *rc, CONF_SECTION *cs,
1256 const char *name, home_pool_t **dest,
1257 int server_type, int do_print)
1259 home_pool_t mypool, *pool;
1262 mypool.server_type = server_type;
1264 pool = rbtree_finddata(home_pools_byname, &mypool);
1266 CONF_SECTION *pool_cs;
1268 pool_cs = cf_section_sub_find_name2(rc->cs,
1272 pool_cs = cf_section_sub_find_name2(rc->cs,
1277 cf_log_err(cf_sectiontoitem(cs), "Failed to find home_server_pool \"%s\"", name);
1281 if (!server_pool_add(rc, pool_cs, server_type, do_print)) {
1285 pool = rbtree_finddata(home_pools_byname, &mypool);
1287 radlog(L_ERR, "Internal sanity check failed in add_pool_to_realm");
1292 if (pool->server_type != server_type) {
1293 cf_log_err(cf_sectiontoitem(cs), "Incompatible home_server_pool \"%s\" (mixed auth_pool / acct_pool)", name);
1304 static int realm_add(realm_config_t *rc, CONF_SECTION *cs)
1310 home_pool_t *auth_pool, *acct_pool;
1311 const char *auth_pool_name, *acct_pool_name;
1314 name2 = cf_section_name1(cs);
1315 if (!name2 || (strcasecmp(name2, "realm") != 0)) {
1316 cf_log_err(cf_sectiontoitem(cs), "Section is not a realm.");
1320 name2 = cf_section_name2(cs);
1322 cf_log_err(cf_sectiontoitem(cs), "Realm section is missing the realm name.");
1327 auth_pool = acct_pool = NULL;
1328 auth_pool_name = acct_pool_name = NULL;
1331 * Prefer new configuration to old one.
1333 cp = cf_pair_find(cs, "pool");
1334 if (!cp) cp = cf_pair_find(cs, "home_server_pool");
1335 if (cp) auth_pool_name = cf_pair_value(cp);
1336 if (cp && auth_pool_name) {
1337 acct_pool_name = auth_pool_name;
1338 if (!add_pool_to_realm(rc, cs,
1339 auth_pool_name, &auth_pool,
1340 HOME_TYPE_AUTH, 1)) {
1343 if (!add_pool_to_realm(rc, cs,
1344 auth_pool_name, &acct_pool,
1345 HOME_TYPE_ACCT, 0)) {
1350 cp = cf_pair_find(cs, "auth_pool");
1351 if (cp) auth_pool_name = cf_pair_value(cp);
1352 if (cp && auth_pool_name) {
1354 cf_log_err(cf_sectiontoitem(cs), "Cannot use \"pool\" and \"auth_pool\" at the same time.");
1357 if (!add_pool_to_realm(rc, cs,
1358 auth_pool_name, &auth_pool,
1359 HOME_TYPE_AUTH, 1)) {
1364 cp = cf_pair_find(cs, "acct_pool");
1365 if (cp) acct_pool_name = cf_pair_value(cp);
1366 if (cp && acct_pool_name) {
1367 int do_print = TRUE;
1370 cf_log_err(cf_sectiontoitem(cs), "Cannot use \"pool\" and \"acct_pool\" at the same time.");
1375 (strcmp(auth_pool_name, acct_pool_name) != 0)) {
1379 if (!add_pool_to_realm(rc, cs,
1380 acct_pool_name, &acct_pool,
1381 HOME_TYPE_ACCT, do_print)) {
1387 cf_log_info(cs, " realm %s {", name2);
1391 * The realm MAY already exist if it's an old-style realm.
1392 * In that case, merge the old-style realm with this one.
1394 r = realm_find2(name2);
1395 if (r && (strcmp(r->name, name2) == 0)) {
1396 if (cf_pair_find(cs, "auth_pool") ||
1397 cf_pair_find(cs, "acct_pool")) {
1398 cf_log_err(cf_sectiontoitem(cs), "Duplicate realm \"%s\"", name2);
1402 if (!old_realm_config(rc, cs, r)) {
1406 cf_log_info(cs, " } # realm %s", name2);
1412 if (name2[0] == '~') {
1416 * Include substring matches.
1418 if (regcomp(®, name2 + 1,
1419 REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
1420 cf_log_err(cf_sectiontoitem(cs),
1421 "Invalid regex in realm \"%s\"", name2);
1428 r = rad_malloc(sizeof(*r));
1429 memset(r, 0, sizeof(*r));
1434 r->auth_pool = auth_pool;
1435 r->acct_pool = acct_pool;
1437 if (auth_pool_name &&
1438 (auth_pool_name == acct_pool_name)) { /* yes, ptr comparison */
1439 cf_log_info(cs, "\tpool = %s", auth_pool_name);
1441 if (auth_pool_name) cf_log_info(cs, "\tauth_pool = %s", auth_pool_name);
1442 if (acct_pool_name) cf_log_info(cs, "\tacct_pool = %s", acct_pool_name);
1446 cp = cf_pair_find(cs, "nostrip");
1447 if (cp && (cf_pair_value(cp) == NULL)) {
1449 cf_log_info(cs, "\tnostrip");
1453 * We're a new-style realm. Complain if we see the old
1456 if (r->auth_pool || r->acct_pool) {
1457 if (((cp = cf_pair_find(cs, "authhost")) != NULL) ||
1458 ((cp = cf_pair_find(cs, "accthost")) != NULL) ||
1459 ((cp = cf_pair_find(cs, "secret")) != NULL) ||
1460 ((cp = cf_pair_find(cs, "ldflag")) != NULL)) {
1461 DEBUG2("WARNING: Ignoring old-style configuration entry \"%s\" in realm \"%s\"", cf_pair_attr(cp), r->name);
1466 * The realm MAY be an old-style realm, as there
1467 * was no auth_pool or acct_pool. Double-check
1468 * it, just to be safe.
1470 } else if (!old_realm_config(rc, cs, r)) {
1476 * It's a regex. Add it to a separate list.
1478 if (name2[0] == '~') {
1479 realm_regex_t *rr, **last;
1481 rr = rad_malloc(sizeof(*rr));
1483 last = &realms_regex;
1484 while (*last) last = &((*last)->next); /* O(N^2)... sue me. */
1492 cf_log_info(cs, " }");
1497 if (!rbtree_insert(realms_byname, r)) {
1498 rad_assert("Internal sanity check failed");
1502 cf_log_info(cs, " }");
1507 cf_log_info(cs, " } # realm %s", name2);
1513 int realms_init(CONF_SECTION *config)
1516 realm_config_t *rc, *old_rc;
1518 if (realms_byname) return 1;
1520 realms_byname = rbtree_create(realm_name_cmp, free, 0);
1521 if (!realms_byname) {
1527 home_servers_byaddr = rbtree_create(home_server_addr_cmp, free, 0);
1528 if (!home_servers_byaddr) {
1533 home_servers_byname = rbtree_create(home_server_name_cmp, NULL, 0);
1534 if (!home_servers_byname) {
1540 home_servers_bynumber = rbtree_create(home_server_number_cmp, NULL, 0);
1541 if (!home_servers_bynumber) {
1547 home_pools_byname = rbtree_create(home_pool_name_cmp, free, 0);
1548 if (!home_pools_byname) {
1554 rc = rad_malloc(sizeof(*rc));
1555 memset(rc, 0, sizeof(*rc));
1559 cs = cf_subsection_find_next(config, NULL, "proxy");
1561 cf_section_parse(cs, rc, proxy_config);
1563 rc->dead_time = DEAD_TIME;
1564 rc->retry_count = RETRY_COUNT;
1565 rc->retry_delay = RETRY_DELAY;
1567 rc->wake_all_if_all_dead= 0;
1571 for (cs = cf_subsection_find_next(config, NULL, "realm");
1573 cs = cf_subsection_find_next(config, cs, "realm")) {
1574 if (!realm_add(rc, cs)) {
1582 xlat_register("home_server", xlat_home_server, NULL);
1583 xlat_register("home_server_pool", xlat_server_pool, NULL);
1587 * Swap pointers atomically.
1589 old_rc = realm_config;
1597 * Find a realm where "name" might be the regex.
1599 REALM *realm_find2(const char *name)
1604 if (!name) name = "NULL";
1606 myrealm.name = name;
1607 realm = rbtree_finddata(realms_byname, &myrealm);
1608 if (realm) return realm;
1612 realm_regex_t *this;
1614 for (this = realms_regex; this != NULL; this = this->next) {
1615 if (strcmp(this->realm->name, name) == 0) {
1623 * Couldn't find a realm. Look for DEFAULT.
1625 myrealm.name = "DEFAULT";
1626 return rbtree_finddata(realms_byname, &myrealm);
1631 * Find a realm in the REALM list.
1633 REALM *realm_find(const char *name)
1638 if (!name) name = "NULL";
1640 myrealm.name = name;
1641 realm = rbtree_finddata(realms_byname, &myrealm);
1642 if (realm) return realm;
1646 realm_regex_t *this;
1648 for (this = realms_regex; this != NULL; this = this->next) {
1653 * Include substring matches.
1655 if (regcomp(®, this->realm->name + 1,
1656 REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
1660 compare = regexec(®, name, 0, NULL, 0);
1663 if (compare == 0) return this->realm;
1669 * Couldn't find a realm. Look for DEFAULT.
1671 myrealm.name = "DEFAULT";
1672 return rbtree_finddata(realms_byname, &myrealm);
1677 home_server *home_server_ldb(const char *realmname,
1678 home_pool_t *pool, REQUEST *request)
1682 home_server *found = NULL;
1688 * Determine how to pick choose the home server.
1690 switch (pool->type) {
1694 * For load-balancing by client IP address, we
1695 * pick a home server by hashing the client IP.
1697 * This isn't as even a load distribution as
1698 * tracking the State attribute, but it's better
1701 case HOME_POOL_CLIENT_BALANCE:
1702 switch (request->packet->src_ipaddr.af) {
1704 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
1705 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
1708 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
1709 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
1715 start = hash % pool->num_home_servers;
1718 case HOME_POOL_CLIENT_PORT_BALANCE:
1719 switch (request->packet->src_ipaddr.af) {
1721 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
1722 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
1725 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
1726 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
1732 fr_hash_update(&request->packet->src_port,
1733 sizeof(request->packet->src_port), hash);
1734 start = hash % pool->num_home_servers;
1737 case HOME_POOL_KEYED_BALANCE:
1738 if ((vp = pairfind(request->config_items, PW_LOAD_BALANCE_KEY)) != NULL) {
1739 hash = fr_hash(vp->vp_strvalue, vp->length);
1740 start = hash % pool->num_home_servers;
1745 case HOME_POOL_LOAD_BALANCE:
1746 found = pool->servers[0];
1754 * Starting with the home server we chose, loop through
1755 * all home servers. If the current one is dead, skip
1756 * it. If it is too busy, skip it.
1758 * Otherwise, use it.
1760 for (count = 0; count < pool->num_home_servers; count++) {
1761 home_server *home = pool->servers[(start + count) % pool->num_home_servers];
1763 if (home->state == HOME_STATE_IS_DEAD) {
1768 * This home server is too busy. Choose another one.
1770 if (home->currently_outstanding >= home->max_outstanding) {
1774 if (pool->type != HOME_POOL_LOAD_BALANCE) {
1778 RDEBUG3("PROXY %s %d\t%s %d",
1779 found->name, found->currently_outstanding,
1780 home->name, home->currently_outstanding);
1783 * Prefer this server if it's less busy than the
1784 * one we previously found.
1786 if (home->currently_outstanding < found->currently_outstanding) {
1787 RDEBUG3("PROXY Choosing %s: It's less busy than %s",
1788 home->name, found->name);
1794 * Ignore servers which are busier than the one
1797 if (home->currently_outstanding > found->currently_outstanding) {
1798 RDEBUG3("PROXY Skipping %s: It's busier than %s",
1799 home->name, found->name);
1804 * From the list of servers which have the same
1805 * load, choose one at random.
1807 if (((count + 1) * (fr_rand() & 0xffff)) < (uint32_t) 0x10000) {
1811 } /* loop over the home servers */
1813 if (found) return found;
1816 * There's a fallback if they're all dead.
1818 if (pool->fallback) {
1819 return pool->fallback;
1823 * No live match found, and no fallback to the "DEFAULT"
1824 * realm. We fix this by blindly marking all servers as
1825 * "live". But only do it for ones that don't support
1826 * "pings", as they will be marked live when they
1827 * actually are live.
1829 if (!realm_config->fallback &&
1830 realm_config->wake_all_if_all_dead) {
1831 home_server *lb = NULL;
1833 for (count = 0; count < pool->num_home_servers; count++) {
1834 home_server *home = pool->servers[count];
1836 if ((home->state == HOME_STATE_IS_DEAD) &&
1837 (home->ping_check == HOME_PING_CHECK_NONE)) {
1838 home->state = HOME_STATE_ALIVE;
1847 * Still nothing. Look up the DEFAULT realm, but only
1848 * if we weren't looking up the NULL or DEFAULT realms.
1850 if (realm_config->fallback &&
1852 (strcmp(realmname, "NULL") != 0) &&
1853 (strcmp(realmname, "DEFAULT") != 0)) {
1854 REALM *rd = realm_find("DEFAULT");
1856 if (!rd) return NULL;
1859 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
1860 pool = rd->auth_pool;
1862 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
1863 pool = rd->acct_pool;
1865 if (!pool) return NULL;
1867 RDEBUG2("PROXY - realm %s has no live home servers. Falling back to the DEFAULT realm.", realmname);
1868 return home_server_ldb(rd->name, pool, request);
1872 * Still haven't found anything. Oh well.
1878 home_server *home_server_find(fr_ipaddr_t *ipaddr, int port)
1882 memset(&myhome, 0, sizeof(myhome));
1883 myhome.ipaddr = *ipaddr;
1885 myhome.server = NULL; /* we're not called for internal proxying */
1887 return rbtree_finddata(home_servers_byaddr, &myhome);
1891 home_server *home_server_bynumber(int number)
1895 memset(&myhome, 0, sizeof(myhome));
1896 myhome.number = number;
1897 myhome.server = NULL; /* we're not called for internal proxying */
1899 return rbtree_finddata(home_servers_bynumber, &myhome);