2 * realms.c Realm handling code
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/rad_assert.h>
35 #ifdef HAVE_PCREPOSIX_H
36 #include <pcreposix.h>
42 * For POSIX Regular expressions.
43 * (0) Means no extended regular expressions.
44 * REG_EXTENDED means use extended regular expressions.
47 #define REG_EXTENDED (0)
60 static rbtree_t *realms_byname = NULL;
63 typedef struct realm_regex_t {
65 struct realm_regex_t *next;
68 static realm_regex_t *realms_regex = NULL;
70 #endif /* HAVE_REGEX_H */
72 typedef struct realm_config_t {
78 int wake_all_if_all_dead;
81 static realm_config_t *realm_config = NULL;
84 static rbtree_t *home_servers_byaddr = NULL;
85 static rbtree_t *home_servers_byname = NULL;
87 static int home_server_max_number = 0;
88 static rbtree_t *home_servers_bynumber = NULL;
91 static rbtree_t *home_pools_byname = NULL;
94 * Map the proxy server configuration parameters to variables.
96 static const CONF_PARSER proxy_config[] = {
97 { "retry_delay", PW_TYPE_INTEGER,
98 offsetof(realm_config_t, retry_delay),
99 NULL, Stringify(RETRY_DELAY) },
101 { "retry_count", PW_TYPE_INTEGER,
102 offsetof(realm_config_t, retry_count),
103 NULL, Stringify(RETRY_COUNT) },
105 { "default_fallback", PW_TYPE_BOOLEAN,
106 offsetof(realm_config_t, fallback),
109 { "dead_time", PW_TYPE_INTEGER,
110 offsetof(realm_config_t, dead_time),
111 NULL, Stringify(DEAD_TIME) },
113 { "wake_all_if_all_dead", PW_TYPE_BOOLEAN,
114 offsetof(realm_config_t, wake_all_if_all_dead),
117 { NULL, -1, 0, NULL, NULL }
121 static int realm_name_cmp(const void *one, const void *two)
123 const REALM *a = one;
124 const REALM *b = two;
126 return strcasecmp(a->name, b->name);
131 static void home_server_free(void *data)
133 home_server *home = data;
138 static int home_server_name_cmp(const void *one, const void *two)
140 const home_server *a = one;
141 const home_server *b = two;
143 if (a->type < b->type) return -1;
144 if (a->type > b->type) return +1;
146 return strcasecmp(a->name, b->name);
149 static int home_server_addr_cmp(const void *one, const void *two)
152 const home_server *a = one;
153 const home_server *b = two;
155 if (a->server && !b->server) return -1;
156 if (!a->server && b->server) return +1;
157 if (a->server && b->server) {
158 rcode = a->type - b->type;
159 if (rcode != 0) return rcode;
160 return strcmp(a->server, b->server);
163 if (a->port < b->port) return -1;
164 if (a->port > b->port) return +1;
167 if (a->proto < b->proto) return -1;
168 if (a->proto > b->proto) return +1;
171 rcode = fr_ipaddr_cmp(&a->src_ipaddr, &b->src_ipaddr);
172 if (rcode != 0) return rcode;
174 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
178 static int home_server_number_cmp(const void *one, const void *two)
180 const home_server *a = one;
181 const home_server *b = two;
183 return (a->number - b->number);
187 static int home_pool_name_cmp(const void *one, const void *two)
189 const home_pool_t *a = one;
190 const home_pool_t *b = two;
192 if (a->server_type < b->server_type) return -1;
193 if (a->server_type > b->server_type) return +1;
195 return strcasecmp(a->name, b->name);
199 static size_t xlat_cs(CONF_SECTION *cs, const char *fmt, char *out, size_t outlen)
202 const char *value = NULL;
207 if (strcmp(fmt, "instance") == 0) {
208 value = cf_section_name2(cs);
216 cp = cf_pair_find(cs, fmt);
217 if (!cp || !(value = cf_pair_value(cp))) {
223 strlcpy(out, value, outlen);
230 * Xlat for %{home_server:foo}
232 static size_t xlat_home_server(UNUSED void *instance, REQUEST *request,
233 const char *fmt, char *out, size_t outlen,
234 UNUSED RADIUS_ESCAPE_STRING func)
236 if (!fmt || !out || (outlen < 1)) return 0;
238 if (!request || !request->home_server) {
243 return xlat_cs(request->home_server->cs, fmt, out, outlen);
248 * Xlat for %{home_server_pool:foo}
250 static size_t xlat_server_pool(UNUSED void *instance, REQUEST *request,
251 const char *fmt, char *out, size_t outlen,
252 UNUSED RADIUS_ESCAPE_STRING func)
254 if (!fmt || !out || (outlen < 1)) return 0;
256 if (!request || !request->home_pool) {
261 return xlat_cs(request->home_pool->cs, fmt, out, outlen);
265 void realms_free(void)
269 rbtree_free(home_servers_bynumber);
270 home_servers_bynumber = NULL;
273 rbtree_free(home_servers_byname);
274 home_servers_byname = NULL;
276 rbtree_free(home_servers_byaddr);
277 home_servers_byaddr = NULL;
279 rbtree_free(home_pools_byname);
280 home_pools_byname = NULL;
283 rbtree_free(realms_byname);
284 realms_byname = NULL;
288 realm_regex_t *this, *next;
290 for (this = realms_regex; this != NULL; this = next) {
305 static CONF_PARSER limit_config[] = {
306 { "max_connections", PW_TYPE_INTEGER,
307 offsetof(home_server, limit.max_connections), NULL, "16" },
309 { "max_requests", PW_TYPE_INTEGER,
310 offsetof(home_server, limit.max_requests), NULL, "0" },
312 { "lifetime", PW_TYPE_INTEGER,
313 offsetof(home_server, limit.lifetime), NULL, "0" },
315 { "idle_timeout", PW_TYPE_INTEGER,
316 offsetof(home_server, limit.idle_timeout), NULL, "0" },
318 { NULL, -1, 0, NULL, NULL } /* end the list */
321 static struct in_addr hs_ip4addr;
322 static struct in6_addr hs_ip6addr;
323 static char *hs_srcipaddr = NULL;
324 static char *hs_type = NULL;
325 static char *hs_check = NULL;
326 static char *hs_virtual_server = NULL;
328 static char *hs_proto = NULL;
332 static CONF_PARSER home_server_coa[] = {
333 { "irt", PW_TYPE_INTEGER,
334 offsetof(home_server, coa_irt), 0, Stringify(2) },
335 { "mrt", PW_TYPE_INTEGER,
336 offsetof(home_server, coa_mrt), 0, Stringify(16) },
337 { "mrc", PW_TYPE_INTEGER,
338 offsetof(home_server, coa_mrc), 0, Stringify(5) },
339 { "mrd", PW_TYPE_INTEGER,
340 offsetof(home_server, coa_mrd), 0, Stringify(30) },
342 { NULL, -1, 0, NULL, NULL } /* end the list */
346 static CONF_PARSER home_server_config[] = {
347 { "ipaddr", PW_TYPE_IPADDR,
348 0, &hs_ip4addr, NULL },
349 { "ipv6addr", PW_TYPE_IPV6ADDR,
350 0, &hs_ip6addr, NULL },
351 { "virtual_server", PW_TYPE_STRING_PTR,
352 0, &hs_virtual_server, NULL },
354 { "port", PW_TYPE_INTEGER,
355 offsetof(home_server,port), NULL, "0" },
357 { "type", PW_TYPE_STRING_PTR,
361 { "proto", PW_TYPE_STRING_PTR,
362 0, &hs_proto, NULL },
365 { "secret", PW_TYPE_STRING_PTR,
366 offsetof(home_server,secret), NULL, NULL},
368 { "src_ipaddr", PW_TYPE_STRING_PTR,
369 0, &hs_srcipaddr, NULL },
371 { "response_window", PW_TYPE_INTEGER,
372 offsetof(home_server,response_window), NULL, "30" },
373 { "no_response_fail", PW_TYPE_BOOLEAN,
374 offsetof(home_server,no_response_fail), NULL, NULL },
375 { "max_outstanding", PW_TYPE_INTEGER,
376 offsetof(home_server,max_outstanding), NULL, "65536" },
377 { "require_message_authenticator", PW_TYPE_BOOLEAN,
378 offsetof(home_server, message_authenticator), 0, NULL },
380 { "zombie_period", PW_TYPE_INTEGER,
381 offsetof(home_server,zombie_period), NULL, "40" },
382 { "status_check", PW_TYPE_STRING_PTR,
383 0, &hs_check, "none" },
384 { "ping_check", PW_TYPE_STRING_PTR,
385 0, &hs_check, NULL },
387 { "ping_interval", PW_TYPE_INTEGER,
388 offsetof(home_server,ping_interval), NULL, "30" },
389 { "check_interval", PW_TYPE_INTEGER,
390 offsetof(home_server,ping_interval), NULL, "30" },
391 { "num_answers_to_alive", PW_TYPE_INTEGER,
392 offsetof(home_server,num_pings_to_alive), NULL, "3" },
393 { "num_pings_to_alive", PW_TYPE_INTEGER,
394 offsetof(home_server,num_pings_to_alive), NULL, "3" },
395 { "revive_interval", PW_TYPE_INTEGER,
396 offsetof(home_server,revive_interval), NULL, "300" },
397 { "status_check_timeout", PW_TYPE_INTEGER,
398 offsetof(home_server,ping_timeout), NULL, "4" },
400 { "username", PW_TYPE_STRING_PTR,
401 offsetof(home_server,ping_user_name), NULL, NULL},
402 { "password", PW_TYPE_STRING_PTR,
403 offsetof(home_server,ping_user_password), NULL, NULL},
406 { "historic_average_window", PW_TYPE_INTEGER,
407 offsetof(home_server,ema.window), NULL, NULL },
411 { "coa", PW_TYPE_SUBSECTION, 0, NULL, (const void *) home_server_coa },
414 { "limit", PW_TYPE_SUBSECTION, 0, NULL, (const void *) limit_config },
416 { NULL, -1, 0, NULL, NULL } /* end the list */
420 static void null_free(UNUSED void *data)
424 static int home_server_add(realm_config_t *rc, CONF_SECTION *cs)
432 free(hs_virtual_server); /* used only for printing during parsing */
433 hs_virtual_server = NULL;
435 name2 = cf_section_name2(cs);
437 cf_log_err(cf_sectiontoitem(cs),
438 "Home server section is missing a name.");
442 home = rad_malloc(sizeof(*home));
443 memset(home, 0, sizeof(*home));
449 * For zombie period calculations. We want to count
450 * zombies from the time when the server starts, instead
453 home->last_packet = time(NULL);
456 * Authentication servers have a default "no_response_fail = 0".
457 * Accounting servers have a default "no_response_fail = 1".
459 * This is because authentication packets are retried, so
460 * they can fail over to another home server. Accounting
461 * packets are not retried, so they cannot fail over, and
462 * instead should be rejected immediately.
464 home->no_response_fail = 2;
466 memset(&hs_ip4addr, 0, sizeof(hs_ip4addr));
467 memset(&hs_ip6addr, 0, sizeof(hs_ip6addr));
468 if (cf_section_parse(cs, home, home_server_config) < 0) {
473 * Figure out which one to use.
475 if (cf_pair_find(cs, "ipaddr")) {
476 home->ipaddr.af = AF_INET;
477 home->ipaddr.ipaddr.ip4addr = hs_ip4addr;
479 } else if (cf_pair_find(cs, "ipv6addr")) {
480 home->ipaddr.af = AF_INET6;
481 home->ipaddr.ipaddr.ip6addr = hs_ip6addr;
483 } else if ((cp = cf_pair_find(cs, "virtual_server")) != NULL) {
484 home->ipaddr.af = AF_UNSPEC;
485 home->server = cf_pair_value(cp);
487 cf_log_err(cf_sectiontoitem(cs),
488 "Invalid value for virtual_server");
492 if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
494 cf_log_err(cf_sectiontoitem(cs),
495 "No such server %s", home->server);
500 * When CoA is used, the user has to specify the type
501 * of the home server, even when they point to
504 home->secret = strdup("");
508 cf_log_err(cf_sectiontoitem(cs),
509 "No ipaddr, ipv6addr, or virtual_server defined for home server \"%s\".",
526 if (!home->port || (home->port > 65535)) {
527 cf_log_err(cf_sectiontoitem(cs),
528 "No port, or invalid port defined for home server %s.",
534 cf_log_err(cf_sectiontoitem(cs),
535 "Fatal error! Home server %s is ourselves!",
541 cf_log_err(cf_sectiontoitem(cs),
542 "No shared secret defined for home server %s.",
548 * Use a reasonable default.
551 if (!hs_type) hs_type = strdup("auth+acct");
553 if (strcasecmp(hs_type, "auth") == 0) {
554 home->type = HOME_TYPE_AUTH;
555 if (home->no_response_fail == 2) home->no_response_fail = 0;
557 } else if (strcasecmp(hs_type, "acct") == 0) {
558 home->type = HOME_TYPE_ACCT;
559 if (home->no_response_fail == 2) home->no_response_fail = 1;
561 } else if (strcasecmp(hs_type, "auth+acct") == 0) {
562 home->type = HOME_TYPE_AUTH;
566 } else if (strcasecmp(hs_type, "coa") == 0) {
567 home->type = HOME_TYPE_COA;
570 if (home->server != NULL) {
571 cf_log_err(cf_sectiontoitem(cs),
572 "Home servers of type \"coa\" cannot point to a virtual server");
578 cf_log_err(cf_sectiontoitem(cs),
579 "Invalid type \"%s\" for home server %s.",
586 if (!hs_check || (strcasecmp(hs_check, "none") == 0)) {
587 home->ping_check = HOME_PING_CHECK_NONE;
589 } else if (strcasecmp(hs_check, "status-server") == 0) {
590 home->ping_check = HOME_PING_CHECK_STATUS_SERVER;
592 } else if (strcasecmp(hs_check, "request") == 0) {
593 home->ping_check = HOME_PING_CHECK_REQUEST;
595 if (!home->ping_user_name ||
596 !*home->ping_user_name) {
597 cf_log_err(cf_sectiontoitem(cs), "You must supply a 'username' to enable status_check=request");
601 if ((home->type == HOME_TYPE_AUTH) &&
602 (!home->ping_user_password ||
603 !*home->ping_user_password)) {
604 cf_log_err(cf_sectiontoitem(cs), "You must supply a password to enable status_check=request");
609 cf_log_err(cf_sectiontoitem(cs),
610 "Invalid status__check \"%s\" for home server %s.",
617 if ((home->ping_check != HOME_PING_CHECK_NONE) &&
618 (home->ping_check != HOME_PING_CHECK_STATUS_SERVER)) {
619 if (!home->ping_user_name) {
620 cf_log_err(cf_sectiontoitem(cs), "You must supply a user name to enable status_check=request");
624 if ((home->type == HOME_TYPE_AUTH) &&
625 !home->ping_user_password) {
626 cf_log_err(cf_sectiontoitem(cs), "You must supply a password to enable status_check=request");
631 home->proto = IPPROTO_UDP;
634 if (strcmp(hs_proto, "udp") == 0) {
638 } else if (strcmp(hs_proto, "tcp") == 0) {
641 home->proto = IPPROTO_TCP;
643 if (home->ping_check != HOME_PING_CHECK_NONE) {
644 cf_log_err(cf_sectiontoitem(cs),
645 "Only 'status_check = none' is allowed for home servers with 'proto = tcp'");
650 cf_log_err(cf_sectiontoitem(cs),
651 "Unknown proto \"%s\".", hs_proto);
658 rbtree_finddata(home_servers_byaddr, home)) {
659 cf_log_err(cf_sectiontoitem(cs), "Duplicate home server");
664 * Check the TLS configuration.
666 tls = cf_section_sub_find(cs, "tls");
669 * If the home is a virtual server, don't look up source IP.
672 rad_assert(home->ipaddr.af != AF_UNSPEC);
675 * Otherwise look up the source IP using the same
676 * address family as the destination IP.
679 if (ip_hton(hs_srcipaddr, home->ipaddr.af, &home->src_ipaddr) < 0) {
680 cf_log_err(cf_sectiontoitem(cs), "Failed parsing src_ipaddr");
686 * Source isn't specified: Source is
687 * the correct address family, but all zeros.
689 memset(&home->src_ipaddr, 0, sizeof(home->src_ipaddr));
690 home->src_ipaddr.af = home->ipaddr.af;
693 if (tls && (home->proto != IPPROTO_TCP)) {
694 cf_log_err(cf_sectiontoitem(cs), "TLS transport is not available for UDP sockets.");
701 cf_log_err(cf_sectiontoitem(cs), "TLS transport is not available in this executable.");
706 * Parse the SSL client configuration.
709 home->tls = tls_client_conf_parse(tls);
717 cf_log_err(cf_sectiontoitem(cs), "Virtual home_servers cannot have a \"tls\" subsection");
722 * Make sure that this is set.
724 if (home->src_ipaddr.af == AF_UNSPEC) {
725 home->src_ipaddr.af = home->ipaddr.af;
731 if (rbtree_finddata(home_servers_byname, home) != NULL) {
732 cf_log_err(cf_sectiontoitem(cs),
733 "Duplicate home server name %s.", name2);
738 (rbtree_finddata(home_servers_byaddr, home) != NULL)) {
739 cf_log_err(cf_sectiontoitem(cs),
740 "Duplicate home server IP %s.", name2);
744 if (!rbtree_insert(home_servers_byname, home)) {
745 cf_log_err(cf_sectiontoitem(cs),
746 "Internal error %d adding home server %s.",
752 !rbtree_insert(home_servers_byaddr, home)) {
753 rbtree_deletebydata(home_servers_byname, home);
754 cf_log_err(cf_sectiontoitem(cs),
755 "Internal error %d adding home server %s.",
761 home->number = home_server_max_number++;
762 if (!rbtree_insert(home_servers_bynumber, home)) {
763 rbtree_deletebydata(home_servers_byname, home);
764 if (home->ipaddr.af != AF_UNSPEC) {
765 rbtree_deletebydata(home_servers_byname, home);
767 cf_log_err(cf_sectiontoitem(cs),
768 "Internal error %d adding home server %s.",
774 if (home->max_outstanding < 8) home->max_outstanding = 8;
775 if (home->max_outstanding > 65536*16) home->max_outstanding = 65536*16;
777 if (home->ping_interval < 6) home->ping_interval = 6;
778 if (home->ping_interval > 120) home->ping_interval = 120;
780 if (home->response_window < 1) home->response_window = 1;
781 if (home->response_window > 60) home->response_window = 60;
782 if (home->response_window > mainconfig.max_request_time) home->response_window = mainconfig.max_request_time;
784 if (home->zombie_period < 1) home->zombie_period = 1;
785 if (home->zombie_period > 120) home->zombie_period = 120;
787 if (home->zombie_period < home->response_window) {
788 home->zombie_period = home->response_window;
791 if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
792 if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;
794 if (home->ping_timeout < 3) home->ping_timeout = 3;
795 if (home->ping_timeout > 10) home->ping_timeout = 10;
797 if (home->revive_interval < 60) home->revive_interval = 60;
798 if (home->revive_interval > 3600) home->revive_interval = 3600;
801 if (home->coa_irt < 1) home->coa_irt = 1;
802 if (home->coa_irt > 5) home->coa_irt = 5;
804 if (home->coa_mrc < 0) home->coa_mrc = 0;
805 if (home->coa_mrc > 20 ) home->coa_mrc = 20;
807 if (home->coa_mrt < 0) home->coa_mrt = 0;
808 if (home->coa_mrt > 30 ) home->coa_mrt = 30;
810 if (home->coa_mrd < 5) home->coa_mrd = 5;
811 if (home->coa_mrd > 60 ) home->coa_mrd = 60;
814 if (home->limit.max_connections > 1024) home->limit.max_connections = 1024;
818 * UDP sockets can't be connection limited.
820 if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
823 if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
824 home->limit.idle_timeout = 5;
825 if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
826 home->limit.lifetime = 5;
827 if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
828 home->limit.idle_timeout = 0;
830 tls = cf_item_parent(cf_sectiontoitem(cs));
831 if (strcmp(cf_section_name1(tls), "server") == 0) {
832 home->parent_server = cf_section_name2(tls);
836 home_server *home2 = rad_malloc(sizeof(*home2));
838 memcpy(home2, home, sizeof(*home2));
840 home2->type = HOME_TYPE_ACCT;
842 home2->ping_user_password = NULL;
844 home2->parent_server = home->parent_server;
846 if (home->no_response_fail == 2) home->no_response_fail = 0;
847 if (home2->no_response_fail == 2) home2->no_response_fail = 1;
849 if (!rbtree_insert(home_servers_byname, home2)) {
850 cf_log_err(cf_sectiontoitem(cs),
851 "Internal error %d adding home server %s.",
858 !rbtree_insert(home_servers_byaddr, home2)) {
859 rbtree_deletebydata(home_servers_byname, home2);
860 cf_log_err(cf_sectiontoitem(cs),
861 "Internal error %d adding home server %s.",
868 home2->number = home_server_max_number++;
869 if (!rbtree_insert(home_servers_bynumber, home2)) {
870 rbtree_deletebydata(home_servers_byname, home2);
871 if (!home2->server) {
872 rbtree_deletebydata(home_servers_byname, home2);
874 cf_log_err(cf_sectiontoitem(cs),
875 "Internal error %d adding home server %s.",
884 * Mark it as already processed
886 cf_data_add(cs, "home_server", null_free, null_free);
892 static home_pool_t *server_pool_alloc(const char *name, home_pool_type_t type,
893 int server_type, int num_home_servers)
897 pool = rad_malloc(sizeof(*pool) + (sizeof(pool->servers[0]) *
899 if (!pool) return NULL; /* just for pairanoia */
901 memset(pool, 0, sizeof(*pool) + (sizeof(pool->servers[0]) *
906 pool->server_type = server_type;
907 pool->num_home_servers = num_home_servers;
912 static int pool_check_home_server(realm_config_t *rc, CONF_PAIR *cp,
913 const char *name, int server_type,
916 home_server myhome, *home;
917 CONF_SECTION *server_cs;
920 cf_log_err(cf_pairtoitem(cp),
921 "No value given for home_server.");
926 myhome.type = server_type;
927 home = rbtree_finddata(home_servers_byname, &myhome);
933 server_cs = cf_section_sub_find_name2(rc->cs, "home_server", name);
935 cf_log_err(cf_pairtoitem(cp),
936 "Unknown home_server \"%s\".", name);
940 home = rbtree_finddata(home_servers_byname, &myhome);
942 cf_log_err(cf_pairtoitem(cp),
943 "Internal error %d adding home server \"%s\".",
953 static int server_pool_add(realm_config_t *rc,
954 CONF_SECTION *cs, int server_type, int do_print)
957 home_pool_t *pool = NULL;
960 int num_home_servers;
963 name2 = cf_section_name1(cs);
964 if (!name2 || ((strcasecmp(name2, "server_pool") != 0) &&
965 (strcasecmp(name2, "home_server_pool") != 0))) {
966 cf_log_err(cf_sectiontoitem(cs),
967 "Section is not a home_server_pool.");
971 name2 = cf_section_name2(cs);
973 cf_log_err(cf_sectiontoitem(cs),
974 "Server pool section is missing a name.");
979 * Count the home servers and initalize them.
981 num_home_servers = 0;
982 for (cp = cf_pair_find(cs, "home_server");
984 cp = cf_pair_find_next(cs, cp, "home_server")) {
987 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
988 server_type, &home)) {
993 if (num_home_servers == 0) {
994 cf_log_err(cf_sectiontoitem(cs),
995 "No home servers defined in pool %s",
1000 pool = server_pool_alloc(name2, HOME_POOL_FAIL_OVER, server_type,
1006 * Fallback servers must be defined, and must be
1009 cp = cf_pair_find(cs, "fallback");
1012 if (server_type == HOME_TYPE_COA) {
1013 cf_log_err(cf_sectiontoitem(cs), "Home server pools of type \"coa\" cannot have a fallback virtual server.");
1018 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
1019 server_type, &pool->fallback)) {
1024 if (!pool->fallback->server) {
1025 cf_log_err(cf_sectiontoitem(cs), "Fallback home_server %s does NOT contain a virtual_server directive.", pool->fallback->name);
1030 if (do_print) cf_log_info(cs, " home_server_pool %s {", name2);
1032 cp = cf_pair_find(cs, "type");
1034 static FR_NAME_NUMBER pool_types[] = {
1035 { "load-balance", HOME_POOL_LOAD_BALANCE },
1036 { "fail-over", HOME_POOL_FAIL_OVER },
1037 { "round_robin", HOME_POOL_LOAD_BALANCE },
1038 { "fail_over", HOME_POOL_FAIL_OVER },
1039 { "client-balance", HOME_POOL_CLIENT_BALANCE },
1040 { "client-port-balance", HOME_POOL_CLIENT_PORT_BALANCE },
1041 { "keyed-balance", HOME_POOL_KEYED_BALANCE },
1045 value = cf_pair_value(cp);
1047 cf_log_err(cf_pairtoitem(cp),
1048 "No value given for type.");
1052 pool->type = fr_str2int(pool_types, value, 0);
1054 cf_log_err(cf_pairtoitem(cp),
1055 "Unknown type \"%s\".",
1060 if (do_print) cf_log_info(cs, "\ttype = %s", value);
1063 cp = cf_pair_find(cs, "virtual_server");
1065 pool->virtual_server = cf_pair_value(cp);
1066 if (!pool->virtual_server) {
1067 cf_log_err(cf_pairtoitem(cp), "No value given for virtual_server");
1072 cf_log_info(cs, "\tvirtual_server = %s", pool->virtual_server);
1075 if (!cf_section_sub_find_name2(rc->cs, "server",
1076 pool->virtual_server)) {
1077 cf_log_err(cf_pairtoitem(cp), "No such server %s",
1078 pool->virtual_server);
1084 num_home_servers = 0;
1085 for (cp = cf_pair_find(cs, "home_server");
1087 cp = cf_pair_find_next(cs, cp, "home_server")) {
1090 value = cf_pair_value(cp);
1092 memset(&myhome, 0, sizeof(myhome));
1093 myhome.name = value;
1094 myhome.type = server_type;
1096 home = rbtree_finddata(home_servers_byname, &myhome);
1098 DEBUG2("Internal sanity check failed");
1103 DEBUG2("Warning: Duplicate home server %s in server pool %s", home->name, pool->name);
1107 if (do_print) cf_log_info(cs, "\thome_server = %s", home->name);
1108 pool->servers[num_home_servers++] = home;
1109 } /* loop over home_server's */
1111 if (pool->fallback && do_print) {
1112 cf_log_info(cs, "\tfallback = %s", pool->fallback->name);
1115 if (!rbtree_insert(home_pools_byname, pool)) {
1116 rad_assert("Internal sanity check failed");
1120 if (do_print) cf_log_info(cs, " }");
1122 cf_data_add(cs, "home_server_pool", pool, free);
1124 rad_assert(pool->server_type != 0);
1129 if (do_print) cf_log_info(cs, " }");
1135 static int old_server_add(realm_config_t *rc, CONF_SECTION *cs,
1137 const char *name, const char *secret,
1138 home_pool_type_t ldflag, home_pool_t **pool_p,
1139 int type, const char *server)
1142 int i, insert_point, num_home_servers;
1143 home_server myhome, *home;
1144 home_pool_t mypool, *pool;
1145 CONF_SECTION *subcs;
1147 rc = rc; /* -Wunused */
1156 * LOCAL realms get sanity checked, and nothing else happens.
1158 if (strcmp(name, "LOCAL") == 0) {
1160 cf_log_err(cf_sectiontoitem(cs), "Realm \"%s\" cannot be both LOCAL and remote", name);
1167 return 0; /* Not proxying. Can't do non-LOCAL realms */
1170 mypool.name = realm;
1171 mypool.server_type = type;
1172 pool = rbtree_finddata(home_pools_byname, &mypool);
1174 if (pool->type != ldflag) {
1175 cf_log_err(cf_sectiontoitem(cs), "Inconsistent ldflag for server pool \"%s\"", name);
1179 if (pool->server_type != type) {
1180 cf_log_err(cf_sectiontoitem(cs), "Inconsistent home server type for server pool \"%s\"", name);
1187 home = rbtree_finddata(home_servers_byname, &myhome);
1189 if (secret && (strcmp(home->secret, secret) != 0)) {
1190 cf_log_err(cf_sectiontoitem(cs), "Inconsistent shared secret for home server \"%s\"", name);
1194 if (home->type != type) {
1195 cf_log_err(cf_sectiontoitem(cs), "Inconsistent type for home server \"%s\"", name);
1200 * See if the home server is already listed
1201 * in the pool. If so, do nothing else.
1203 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
1204 if (pool->servers[i] == home) {
1211 * If we do have a pool, check that there is room to
1212 * insert the home server we've found, or the one that we
1215 * Note that we insert it into the LAST available
1216 * position, in order to maintain the same order as in
1217 * the configuration files.
1221 for (i = pool->num_home_servers - 1; i >= 0; i--) {
1222 if (pool->servers[i]) break;
1224 if (!pool->servers[i]) {
1229 if (insert_point < 0) {
1230 cf_log_err(cf_sectiontoitem(cs), "No room in pool to add home server \"%s\". Please update the realm configuration to use the new-style home servers and server pools.", name);
1236 * No home server, allocate one.
1242 home = rad_malloc(sizeof(*home));
1243 memset(home, 0, sizeof(*home));
1246 home->hostname = name;
1248 home->secret = secret;
1250 home->proto = IPPROTO_UDP;
1252 p = strchr(name, ':');
1254 if (type == HOME_TYPE_AUTH) {
1255 home->port = PW_AUTH_UDP_PORT;
1257 home->port = PW_ACCT_UDP_PORT;
1263 } else if (p == name) {
1264 cf_log_err(cf_sectiontoitem(cs),
1265 "Invalid hostname %s.",
1271 home->port = atoi(p + 1);
1272 if ((home->port == 0) || (home->port > 65535)) {
1273 cf_log_err(cf_sectiontoitem(cs),
1280 q = rad_malloc((p - name) + 1);
1281 memcpy(q, name, (p - name));
1287 if (ip_hton(p, AF_UNSPEC, &home->ipaddr) < 0) {
1288 cf_log_err(cf_sectiontoitem(cs),
1289 "Failed looking up hostname %s.",
1295 home->src_ipaddr.af = home->ipaddr.af;
1297 home->ipaddr.af = AF_UNSPEC;
1298 home->server = server;
1303 * Use the old-style configuration.
1305 home->max_outstanding = 65535*16;
1306 home->zombie_period = rc->retry_delay * rc->retry_count;
1307 if (home->zombie_period == 0) home->zombie_period =30;
1308 home->response_window = home->zombie_period - 1;
1310 home->ping_check = HOME_PING_CHECK_NONE;
1312 home->revive_interval = rc->dead_time;
1314 if (rbtree_finddata(home_servers_byaddr, home)) {
1315 cf_log_err(cf_sectiontoitem(cs), "Home server %s has the same IP address and/or port as another home server.", name);
1320 if (!rbtree_insert(home_servers_byname, home)) {
1321 cf_log_err(cf_sectiontoitem(cs), "Internal error %d adding home server %s.", __LINE__, name);
1326 if (!rbtree_insert(home_servers_byaddr, home)) {
1327 rbtree_deletebydata(home_servers_byname, home);
1328 cf_log_err(cf_sectiontoitem(cs), "Internal error %d adding home server %s.", __LINE__, name);
1334 home->number = home_server_max_number++;
1335 if (!rbtree_insert(home_servers_bynumber, home)) {
1336 rbtree_deletebydata(home_servers_byname, home);
1337 if (home->ipaddr.af != AF_UNSPEC) {
1338 rbtree_deletebydata(home_servers_byname, home);
1340 cf_log_err(cf_sectiontoitem(cs),
1341 "Internal error %d adding home server %s.",
1350 * We now have a home server, see if we can insert it
1351 * into pre-existing pool.
1353 if (insert_point >= 0) {
1354 rad_assert(pool != NULL);
1355 pool->servers[insert_point] = home;
1359 rad_assert(pool == NULL);
1360 rad_assert(home != NULL);
1363 * Count the old-style realms of this name.
1365 num_home_servers = 0;
1366 for (subcs = cf_section_find_next(cs, NULL, "realm");
1368 subcs = cf_section_find_next(cs, subcs, "realm")) {
1369 const char *this = cf_section_name2(subcs);
1371 if (!this || (strcmp(this, realm) != 0)) continue;
1375 if (num_home_servers == 0) {
1376 cf_log_err(cf_sectiontoitem(cs), "Internal error counting pools for home server %s.", name);
1381 pool = server_pool_alloc(realm, ldflag, type, num_home_servers);
1384 pool->servers[0] = home;
1386 if (!rbtree_insert(home_pools_byname, pool)) {
1387 rad_assert("Internal sanity check failed");
1397 static int old_realm_config(realm_config_t *rc, CONF_SECTION *cs, REALM *r)
1400 const char *secret = NULL;
1401 home_pool_type_t ldflag;
1404 cp = cf_pair_find(cs, "ldflag");
1405 ldflag = HOME_POOL_FAIL_OVER;
1407 host = cf_pair_value(cp);
1409 cf_log_err(cf_pairtoitem(cp), "No value specified for ldflag");
1413 if (strcasecmp(host, "fail_over") == 0) {
1414 cf_log_info(cs, "\tldflag = fail_over");
1416 } else if (strcasecmp(host, "round_robin") == 0) {
1417 ldflag = HOME_POOL_LOAD_BALANCE;
1418 cf_log_info(cs, "\tldflag = round_robin");
1421 cf_log_err(cf_sectiontoitem(cs), "Unknown value \"%s\" for ldflag", host);
1424 } /* else don't print it. */
1427 * Allow old-style if it doesn't exist, or if it exists and
1430 cp = cf_pair_find(cs, "authhost");
1432 host = cf_pair_value(cp);
1434 cf_log_err(cf_pairtoitem(cp), "No value specified for authhost");
1438 if (strcmp(host, "LOCAL") != 0) {
1439 cp = cf_pair_find(cs, "secret");
1441 cf_log_err(cf_sectiontoitem(cs), "No shared secret supplied for realm: %s", r->name);
1445 secret = cf_pair_value(cp);
1447 cf_log_err(cf_pairtoitem(cp), "No value specified for secret");
1452 cf_log_info(cs, "\tauthhost = %s", host);
1454 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1455 &r->auth_pool, HOME_TYPE_AUTH, NULL)) {
1460 cp = cf_pair_find(cs, "accthost");
1462 host = cf_pair_value(cp);
1464 cf_log_err(cf_pairtoitem(cp), "No value specified for accthost");
1469 * Don't look for a secret again if it was found
1472 if ((strcmp(host, "LOCAL") != 0) && !secret) {
1473 cp = cf_pair_find(cs, "secret");
1475 cf_log_err(cf_sectiontoitem(cs), "No shared secret supplied for realm: %s", r->name);
1479 secret = cf_pair_value(cp);
1481 cf_log_err(cf_pairtoitem(cp), "No value specified for secret");
1486 cf_log_info(cs, "\taccthost = %s", host);
1488 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1489 &r->acct_pool, HOME_TYPE_ACCT, NULL)) {
1494 cp = cf_pair_find(cs, "virtual_server");
1496 host = cf_pair_value(cp);
1498 cf_log_err(cf_pairtoitem(cp), "No value specified for virtual_server");
1502 cf_log_info(cs, "\tvirtual_server = %s", host);
1504 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1505 &r->auth_pool, HOME_TYPE_AUTH, host)) {
1508 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1509 &r->acct_pool, HOME_TYPE_ACCT, host)) {
1514 if (secret) cf_log_info(cs, "\tsecret = %s", secret);
1522 static int add_pool_to_realm(realm_config_t *rc, CONF_SECTION *cs,
1523 const char *name, home_pool_t **dest,
1524 int server_type, int do_print)
1526 home_pool_t mypool, *pool;
1529 mypool.server_type = server_type;
1531 pool = rbtree_finddata(home_pools_byname, &mypool);
1533 CONF_SECTION *pool_cs;
1535 pool_cs = cf_section_sub_find_name2(rc->cs,
1539 pool_cs = cf_section_sub_find_name2(rc->cs,
1544 cf_log_err(cf_sectiontoitem(cs), "Failed to find home_server_pool \"%s\"", name);
1548 if (!server_pool_add(rc, pool_cs, server_type, do_print)) {
1552 pool = rbtree_finddata(home_pools_byname, &mypool);
1554 radlog(L_ERR, "Internal sanity check failed in add_pool_to_realm");
1559 if (pool->server_type != server_type) {
1560 cf_log_err(cf_sectiontoitem(cs), "Incompatible home_server_pool \"%s\" (mixed auth_pool / acct_pool)", name);
1571 static int realm_add(realm_config_t *rc, CONF_SECTION *cs)
1577 home_pool_t *auth_pool, *acct_pool;
1578 const char *auth_pool_name, *acct_pool_name;
1580 const char *coa_pool_name;
1581 home_pool_t *coa_pool;
1585 name2 = cf_section_name1(cs);
1586 if (!name2 || (strcasecmp(name2, "realm") != 0)) {
1587 cf_log_err(cf_sectiontoitem(cs), "Section is not a realm.");
1591 name2 = cf_section_name2(cs);
1593 cf_log_err(cf_sectiontoitem(cs), "Realm section is missing the realm name.");
1598 auth_pool = acct_pool = NULL;
1599 auth_pool_name = acct_pool_name = NULL;
1602 coa_pool_name = NULL;
1606 * Prefer new configuration to old one.
1608 cp = cf_pair_find(cs, "pool");
1609 if (!cp) cp = cf_pair_find(cs, "home_server_pool");
1610 if (cp) auth_pool_name = cf_pair_value(cp);
1611 if (cp && auth_pool_name) {
1612 acct_pool_name = auth_pool_name;
1613 if (!add_pool_to_realm(rc, cs,
1614 auth_pool_name, &auth_pool,
1615 HOME_TYPE_AUTH, 1)) {
1618 if (!add_pool_to_realm(rc, cs,
1619 auth_pool_name, &acct_pool,
1620 HOME_TYPE_ACCT, 0)) {
1625 cp = cf_pair_find(cs, "auth_pool");
1626 if (cp) auth_pool_name = cf_pair_value(cp);
1627 if (cp && auth_pool_name) {
1629 cf_log_err(cf_sectiontoitem(cs), "Cannot use \"pool\" and \"auth_pool\" at the same time.");
1632 if (!add_pool_to_realm(rc, cs,
1633 auth_pool_name, &auth_pool,
1634 HOME_TYPE_AUTH, 1)) {
1639 cp = cf_pair_find(cs, "acct_pool");
1640 if (cp) acct_pool_name = cf_pair_value(cp);
1641 if (cp && acct_pool_name) {
1642 int do_print = TRUE;
1645 cf_log_err(cf_sectiontoitem(cs), "Cannot use \"pool\" and \"acct_pool\" at the same time.");
1651 (strcmp(auth_pool_name, acct_pool_name) != 0))) {
1655 if (!add_pool_to_realm(rc, cs,
1656 acct_pool_name, &acct_pool,
1657 HOME_TYPE_ACCT, do_print)) {
1663 cp = cf_pair_find(cs, "coa_pool");
1664 if (cp) coa_pool_name = cf_pair_value(cp);
1665 if (cp && coa_pool_name) {
1666 int do_print = TRUE;
1668 if (!add_pool_to_realm(rc, cs,
1669 coa_pool_name, &coa_pool,
1670 HOME_TYPE_COA, do_print)) {
1677 cf_log_info(cs, " realm %s {", name2);
1681 * The realm MAY already exist if it's an old-style realm.
1682 * In that case, merge the old-style realm with this one.
1684 r = realm_find2(name2);
1685 if (r && (strcmp(r->name, name2) == 0)) {
1686 if (cf_pair_find(cs, "auth_pool") ||
1687 cf_pair_find(cs, "acct_pool")) {
1688 cf_log_err(cf_sectiontoitem(cs), "Duplicate realm \"%s\"", name2);
1692 if (!old_realm_config(rc, cs, r)) {
1696 cf_log_info(cs, " } # realm %s", name2);
1702 if (name2[0] == '~') {
1707 * Include substring matches.
1709 rcode = regcomp(®, name2 + 1,
1710 REG_EXTENDED | REG_NOSUB | REG_ICASE);
1714 regerror(rcode, ®, buffer, sizeof(buffer));
1716 cf_log_err(cf_sectiontoitem(cs),
1717 "Invalid regex \"%s\": %s",
1725 r = rad_malloc(sizeof(*r));
1726 memset(r, 0, sizeof(*r));
1731 r->auth_pool = auth_pool;
1732 r->acct_pool = acct_pool;
1734 r->coa_pool = coa_pool;
1737 if (auth_pool_name &&
1738 (auth_pool_name == acct_pool_name)) { /* yes, ptr comparison */
1739 cf_log_info(cs, "\tpool = %s", auth_pool_name);
1741 if (auth_pool_name) cf_log_info(cs, "\tauth_pool = %s", auth_pool_name);
1742 if (acct_pool_name) cf_log_info(cs, "\tacct_pool = %s", acct_pool_name);
1744 if (coa_pool_name) cf_log_info(cs, "\tcoa_pool = %s", coa_pool_name);
1749 cp = cf_pair_find(cs, "nostrip");
1750 if (cp && (cf_pair_value(cp) == NULL)) {
1752 cf_log_info(cs, "\tnostrip");
1756 * We're a new-style realm. Complain if we see the old
1759 if (r->auth_pool || r->acct_pool) {
1760 if (((cp = cf_pair_find(cs, "authhost")) != NULL) ||
1761 ((cp = cf_pair_find(cs, "accthost")) != NULL) ||
1762 ((cp = cf_pair_find(cs, "secret")) != NULL) ||
1763 ((cp = cf_pair_find(cs, "ldflag")) != NULL)) {
1764 DEBUG2("WARNING: Ignoring old-style configuration entry \"%s\" in realm \"%s\"", cf_pair_attr(cp), r->name);
1769 * The realm MAY be an old-style realm, as there
1770 * was no auth_pool or acct_pool. Double-check
1771 * it, just to be safe.
1773 } else if (!old_realm_config(rc, cs, r)) {
1779 * It's a regex. Add it to a separate list.
1781 if (name2[0] == '~') {
1782 realm_regex_t *rr, **last;
1784 rr = rad_malloc(sizeof(*rr));
1786 last = &realms_regex;
1787 while (*last) last = &((*last)->next); /* O(N^2)... sue me. */
1795 cf_log_info(cs, " }");
1800 if (!rbtree_insert(realms_byname, r)) {
1801 rad_assert("Internal sanity check failed");
1805 cf_log_info(cs, " }");
1810 cf_log_info(cs, " } # realm %s", name2);
1816 static const FR_NAME_NUMBER home_server_types[] = {
1817 { "auth", HOME_TYPE_AUTH },
1818 { "auth+acct", HOME_TYPE_AUTH },
1819 { "acct", HOME_TYPE_ACCT },
1820 { "coa", HOME_TYPE_COA },
1824 static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs)
1827 const char *name, *type;
1829 CONF_SECTION *server_cs;
1831 cp = cf_pair_find(cs, "home_server");
1833 cf_log_err(cf_sectiontoitem(cs), "Pool does not contain a \"home_server\" entry");
1834 return HOME_TYPE_INVALID;
1837 name = cf_pair_value(cp);
1839 cf_log_err(cf_pairtoitem(cp), "home_server entry does not reference a home server");
1840 return HOME_TYPE_INVALID;
1843 server_cs = cf_section_sub_find_name2(config, "home_server", name);
1845 cf_log_err(cf_pairtoitem(cp), "home_server \"%s\" does not exist", name);
1846 return HOME_TYPE_INVALID;
1849 cp = cf_pair_find(server_cs, "type");
1851 cf_log_err(cf_sectiontoitem(server_cs), "home_server %s does not contain a \"type\" entry", name);
1852 return HOME_TYPE_INVALID;
1855 type = cf_pair_value(cp);
1857 cf_log_err(cf_sectiontoitem(server_cs), "home_server %s contains an empty \"type\" entry", name);
1858 return HOME_TYPE_INVALID;
1861 home = fr_str2int(home_server_types, type, HOME_TYPE_INVALID);
1862 if (home == HOME_TYPE_INVALID) {
1863 cf_log_err(cf_sectiontoitem(server_cs), "home_server %s contains an invalid \"type\" entry of value \"%s\"", name, type);
1864 return HOME_TYPE_INVALID;
1867 return home; /* 'cause we miss it so much */
1871 int realms_init(CONF_SECTION *config)
1875 CONF_SECTION *server_cs;
1877 realm_config_t *rc, *old_rc;
1879 if (realms_byname) return 1;
1881 realms_byname = rbtree_create(realm_name_cmp, free, 0);
1882 if (!realms_byname) {
1888 home_servers_byaddr = rbtree_create(home_server_addr_cmp, home_server_free, 0);
1889 if (!home_servers_byaddr) {
1894 home_servers_byname = rbtree_create(home_server_name_cmp, NULL, 0);
1895 if (!home_servers_byname) {
1901 home_servers_bynumber = rbtree_create(home_server_number_cmp, NULL, 0);
1902 if (!home_servers_bynumber) {
1908 home_pools_byname = rbtree_create(home_pool_name_cmp, NULL, 0);
1909 if (!home_pools_byname) {
1915 rc = rad_malloc(sizeof(*rc));
1916 memset(rc, 0, sizeof(*rc));
1920 cs = cf_subsection_find_next(config, NULL, "proxy");
1922 cf_section_parse(cs, rc, proxy_config);
1924 rc->dead_time = DEAD_TIME;
1925 rc->retry_count = RETRY_COUNT;
1926 rc->retry_delay = RETRY_DELAY;
1928 rc->wake_all_if_all_dead= 0;
1931 for (cs = cf_subsection_find_next(config, NULL, "home_server");
1933 cs = cf_subsection_find_next(config, cs, "home_server")) {
1934 if (!home_server_add(rc, cs)) {
1942 * Loop over virtual servers to find homes which are
1945 for (server_cs = cf_subsection_find_next(config, NULL, "server");
1947 server_cs = cf_subsection_find_next(config, server_cs, "server")) {
1948 for (cs = cf_subsection_find_next(server_cs, NULL, "home_server");
1950 cs = cf_subsection_find_next(server_cs, cs, "home_server")) {
1951 if (!home_server_add(rc, cs)) {
1960 for (cs = cf_subsection_find_next(config, NULL, "realm");
1962 cs = cf_subsection_find_next(config, cs, "realm")) {
1963 if (!realm_add(rc, cs)) {
1972 * CoA pools aren't necessarily tied to realms.
1974 for (cs = cf_subsection_find_next(config, NULL, "home_server_pool");
1976 cs = cf_subsection_find_next(config, cs, "home_server_pool")) {
1980 * Pool was already loaded.
1982 if (cf_data_find(cs, "home_server_pool")) continue;
1984 type = pool_peek_type(config, cs);
1985 if (type == HOME_TYPE_INVALID) {
1991 if (!server_pool_add(rc, cs, type, TRUE)) {
2001 xlat_register("home_server", xlat_home_server, NULL);
2002 xlat_register("home_server_pool", xlat_server_pool, NULL);
2006 * Swap pointers atomically.
2008 old_rc = realm_config;
2016 * Find a realm where "name" might be the regex.
2018 REALM *realm_find2(const char *name)
2023 if (!name) name = "NULL";
2025 myrealm.name = name;
2026 realm = rbtree_finddata(realms_byname, &myrealm);
2027 if (realm) return realm;
2031 realm_regex_t *this;
2033 for (this = realms_regex; this != NULL; this = this->next) {
2034 if (strcmp(this->realm->name, name) == 0) {
2042 * Couldn't find a realm. Look for DEFAULT.
2044 myrealm.name = "DEFAULT";
2045 return rbtree_finddata(realms_byname, &myrealm);
2050 * Find a realm in the REALM list.
2052 REALM *realm_find(const char *name)
2057 if (!name) name = "NULL";
2059 myrealm.name = name;
2060 realm = rbtree_finddata(realms_byname, &myrealm);
2061 if (realm) return realm;
2065 realm_regex_t *this;
2067 for (this = realms_regex; this != NULL; this = this->next) {
2072 * Include substring matches.
2074 if (regcomp(®, this->realm->name + 1,
2075 REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
2079 compare = regexec(®, name, 0, NULL, 0);
2082 if (compare == 0) return this->realm;
2088 * Couldn't find a realm. Look for DEFAULT.
2090 myrealm.name = "DEFAULT";
2091 return rbtree_finddata(realms_byname, &myrealm);
2096 home_server *home_server_ldb(const char *realmname,
2097 home_pool_t *pool, REQUEST *request)
2101 home_server *found = NULL;
2102 home_server *zombie = NULL;
2106 * Determine how to pick choose the home server.
2108 switch (pool->type) {
2112 * For load-balancing by client IP address, we
2113 * pick a home server by hashing the client IP.
2115 * This isn't as even a load distribution as
2116 * tracking the State attribute, but it's better
2119 case HOME_POOL_CLIENT_BALANCE:
2120 switch (request->packet->src_ipaddr.af) {
2122 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2123 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2126 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2127 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2133 start = hash % pool->num_home_servers;
2136 case HOME_POOL_CLIENT_PORT_BALANCE:
2137 switch (request->packet->src_ipaddr.af) {
2139 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2140 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2143 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2144 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2150 fr_hash_update(&request->packet->src_port,
2151 sizeof(request->packet->src_port), hash);
2152 start = hash % pool->num_home_servers;
2155 case HOME_POOL_KEYED_BALANCE:
2156 if ((vp = pairfind(request->config_items, PW_LOAD_BALANCE_KEY, 0)) != NULL) {
2157 hash = fr_hash(vp->vp_strvalue, vp->length);
2158 start = hash % pool->num_home_servers;
2163 case HOME_POOL_LOAD_BALANCE:
2164 case HOME_POOL_FAIL_OVER:
2168 default: /* this shouldn't happen... */
2175 * Starting with the home server we chose, loop through
2176 * all home servers. If the current one is dead, skip
2177 * it. If it is too busy, skip it.
2179 * Otherwise, use it.
2181 for (count = 0; count < pool->num_home_servers; count++) {
2182 home_server *home = pool->servers[(start + count) % pool->num_home_servers];
2184 if (!home) continue;
2187 * Skip dead home servers.
2189 if (home->state == HOME_STATE_IS_DEAD) {
2194 * This home server is too busy. Choose another one.
2196 if (home->currently_outstanding >= home->max_outstanding) {
2202 * We read the packet from a detail file, AND it
2203 * came from this server. Don't re-proxy it
2206 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
2207 (request->packet->code == PW_ACCOUNTING_REQUEST) &&
2208 (fr_ipaddr_cmp(&home->ipaddr, &request->packet->src_ipaddr) == 0)) {
2214 * Default virtual: ignore homes tied to a
2217 if (!request->server && home->parent_server) {
2222 * A virtual AND home is tied to virtual,
2223 * ignore ones which don't match.
2225 if (request->server && home->parent_server &&
2226 strcmp(request->server, home->parent_server) != 0) {
2231 * Allow request->server && !home->parent_server
2233 * i.e. virtuals can proxy to globally defined
2238 * It's zombie, so we remember the first zombie
2239 * we find, but we don't mark it as a "live"
2242 if (home->state == HOME_STATE_ZOMBIE) {
2243 if (!zombie) zombie = home;
2248 * We've found the first "live" one. Use that.
2250 if (pool->type != HOME_POOL_LOAD_BALANCE) {
2256 * Otherwise we're doing some kind of load balancing.
2257 * If we haven't found one yet, pick this one.
2264 RDEBUG3("PROXY %s %d\t%s %d",
2265 found->name, found->currently_outstanding,
2266 home->name, home->currently_outstanding);
2269 * Prefer this server if it's less busy than the
2270 * one we had previously found.
2272 if (home->currently_outstanding < found->currently_outstanding) {
2273 RDEBUG3("PROXY Choosing %s: It's less busy than %s",
2274 home->name, found->name);
2280 * Ignore servers which are busier than the one
2283 if (home->currently_outstanding > found->currently_outstanding) {
2284 RDEBUG3("PROXY Skipping %s: It's busier than %s",
2285 home->name, found->name);
2290 * From the list of servers which have the same
2291 * load, choose one at random.
2293 if (((count + 1) * (fr_rand() & 0xffff)) < (uint32_t) 0x10000) {
2296 } /* loop over the home servers */
2299 * We have no live servers, BUT we have a zombie. Use
2300 * the zombie as a last resort.
2302 if (!found && zombie) {
2308 * There's a fallback if they're all dead.
2310 if (!found && pool->fallback) {
2311 found = pool->fallback;
2313 DEBUG("WARNING: Home server pool %s failing over to fallback %s",
2314 pool->name, found->server);
2315 if (pool->in_fallback) goto update_and_return;
2317 pool->in_fallback = TRUE;
2320 * Run the trigger once an hour saying that
2323 if ((pool->time_all_dead + 3600) < request->timestamp) {
2324 pool->time_all_dead = request->timestamp;
2325 exec_trigger(request, pool->cs, "home_server_pool.fallback", FALSE);
2331 if ((found != pool->fallback) && pool->in_fallback) {
2332 pool->in_fallback = FALSE;
2333 exec_trigger(request, pool->cs, "home_server_pool.normal", FALSE);
2337 * Allocate the proxy packet, only if it wasn't
2338 * already allocated by a module. This check is
2339 * mainly to support the proxying of EAP-TTLS and
2340 * EAP-PEAP tunneled requests.
2342 * In those cases, the EAP module creates a
2343 * "fake" request, and recursively passes it
2344 * through the authentication stage of the
2345 * server. The module then checks if the request
2346 * was supposed to be proxied, and if so, creates
2347 * a proxy packet from the TUNNELED request, and
2348 * not from the EAP request outside of the
2351 * The proxy then works like normal, except that
2352 * the response packet is "eaten" by the EAP
2353 * module, and encapsulated into an EAP packet.
2355 if (!request->proxy) {
2356 if ((request->proxy = rad_alloc(TRUE)) == NULL) {
2357 radlog(L_ERR|L_CONS, "no memory");
2362 * Copy the request, then look up name
2363 * and plain-text password in the copy.
2365 * Note that the User-Name attribute is
2366 * the *original* as sent over by the
2367 * client. The Stripped-User-Name
2368 * attribute is the one hacked through
2371 request->proxy->vps = paircopy(request->packet->vps);
2375 * Update the various fields as appropriate.
2377 request->proxy->src_ipaddr = found->src_ipaddr;
2378 request->proxy->src_port = 0;
2379 request->proxy->dst_ipaddr = found->ipaddr;
2380 request->proxy->dst_port = found->port;
2381 request->home_server = found;
2384 * We're supposed to add a Message-Authenticator
2385 * if it doesn't exist, and it doesn't exist.
2387 if (found->message_authenticator &&
2388 (request->packet->code == PW_AUTHENTICATION_REQUEST) &&
2389 !pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0)) {
2390 radius_pairmake(request, &request->proxy->vps,
2391 "Message-Authenticator", "0x00",
2399 * No live match found, and no fallback to the "DEFAULT"
2400 * realm. We fix this by blindly marking all servers as
2401 * "live". But only do it for ones that don't support
2402 * "pings", as they will be marked live when they
2403 * actually are live.
2405 if (!realm_config->fallback &&
2406 realm_config->wake_all_if_all_dead) {
2407 for (count = 0; count < pool->num_home_servers; count++) {
2408 home_server *home = pool->servers[count];
2410 if (!home) continue;
2412 if ((home->state == HOME_STATE_IS_DEAD) &&
2413 (home->ping_check == HOME_PING_CHECK_NONE)) {
2414 home->state = HOME_STATE_ALIVE;
2415 if (!found) found = home;
2419 if (found) goto update_and_return;
2423 * Still nothing. Look up the DEFAULT realm, but only
2424 * if we weren't looking up the NULL or DEFAULT realms.
2426 if (realm_config->fallback &&
2428 (strcmp(realmname, "NULL") != 0) &&
2429 (strcmp(realmname, "DEFAULT") != 0)) {
2430 REALM *rd = realm_find("DEFAULT");
2432 if (!rd) return NULL;
2435 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
2436 pool = rd->auth_pool;
2438 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
2439 pool = rd->acct_pool;
2441 if (!pool) return NULL;
2443 RDEBUG2("PROXY - realm %s has no live home servers. Falling back to the DEFAULT realm.", realmname);
2444 return home_server_ldb(rd->name, pool, request);
2448 * Still haven't found anything. Oh well.
2454 home_server *home_server_find(fr_ipaddr_t *ipaddr, int port, int proto)
2458 memset(&myhome, 0, sizeof(myhome));
2459 myhome.ipaddr = *ipaddr;
2460 myhome.src_ipaddr.af = ipaddr->af;
2463 myhome.proto = proto;
2465 myhome.proto = IPPROTO_UDP;
2467 myhome.server = NULL; /* we're not called for internal proxying */
2469 return rbtree_finddata(home_servers_byaddr, &myhome);
2473 home_server *home_server_byname(const char *name, int type)
2477 memset(&myhome, 0, sizeof(myhome));
2481 return rbtree_finddata(home_servers_byname, &myhome);
2486 home_server *home_server_bynumber(int number)
2490 memset(&myhome, 0, sizeof(myhome));
2491 myhome.number = number;
2492 myhome.server = NULL; /* we're not called for internal proxying */
2494 return rbtree_finddata(home_servers_bynumber, &myhome);
2498 home_pool_t *home_pool_byname(const char *name, int type)
2502 memset(&mypool, 0, sizeof(mypool));
2504 mypool.server_type = type;
2505 return rbtree_finddata(home_pools_byname, &mypool);