2 * realms.c Realm handling code
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/rad_assert.h>
34 static rbtree_t *realms_byname = NULL;
37 typedef struct realm_regex_t {
39 struct realm_regex_t *next;
42 static realm_regex_t *realms_regex = NULL;
44 #endif /* HAVE_REGEX_H */
46 typedef struct realm_config_t {
52 bool wake_all_if_all_dead;
55 static realm_config_t *realm_config = NULL;
58 static rbtree_t *home_servers_byaddr = NULL;
59 static rbtree_t *home_servers_byname = NULL;
61 static int home_server_max_number = 0;
62 static rbtree_t *home_servers_bynumber = NULL;
65 static rbtree_t *home_pools_byname = NULL;
68 * Map the proxy server configuration parameters to variables.
70 static const CONF_PARSER proxy_config[] = {
71 { "retry_delay", PW_TYPE_INTEGER,
72 offsetof(realm_config_t, retry_delay),
73 NULL, STRINGIFY(RETRY_DELAY) },
75 { "retry_count", PW_TYPE_INTEGER,
76 offsetof(realm_config_t, retry_count),
77 NULL, STRINGIFY(RETRY_COUNT) },
79 { "default_fallback", PW_TYPE_BOOLEAN,
80 offsetof(realm_config_t, fallback),
83 { "dead_time", PW_TYPE_INTEGER,
84 offsetof(realm_config_t, dead_time),
85 NULL, STRINGIFY(DEAD_TIME) },
87 { "wake_all_if_all_dead", PW_TYPE_BOOLEAN,
88 offsetof(realm_config_t, wake_all_if_all_dead),
91 { NULL, -1, 0, NULL, NULL }
95 static int realm_name_cmp(void const *one, void const *two)
100 return strcasecmp(a->name, b->name);
105 static void home_server_free(void *data)
107 home_server_t *home = data;
112 static int home_server_name_cmp(void const *one, void const *two)
114 home_server_t const *a = one;
115 home_server_t const *b = two;
117 if (a->type < b->type) return -1;
118 if (a->type > b->type) return +1;
120 return strcasecmp(a->name, b->name);
123 static int home_server_addr_cmp(void const *one, void const *two)
126 home_server_t const *a = one;
127 home_server_t const *b = two;
129 if (a->server && !b->server) return -1;
130 if (!a->server && b->server) return +1;
131 if (a->server && b->server) {
132 rcode = a->type - b->type;
133 if (rcode != 0) return rcode;
134 return strcmp(a->server, b->server);
137 if (a->port < b->port) return -1;
138 if (a->port > b->port) return +1;
141 if (a->proto < b->proto) return -1;
142 if (a->proto > b->proto) return +1;
145 rcode = fr_ipaddr_cmp(&a->src_ipaddr, &b->src_ipaddr);
146 if (rcode != 0) return rcode;
148 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
152 static int home_server_number_cmp(void const *one, void const *two)
154 home_server_t const *a = one;
155 home_server_t const *b = two;
157 return (a->number - b->number);
161 static int home_pool_name_cmp(void const *one, void const *two)
163 home_pool_t const *a = one;
164 home_pool_t const *b = two;
166 if (a->server_type < b->server_type) return -1;
167 if (a->server_type > b->server_type) return +1;
169 return strcasecmp(a->name, b->name);
173 static size_t xlat_cs(CONF_SECTION *cs, char const *fmt, char *out, size_t outlen)
176 char const *value = NULL;
181 if (strcmp(fmt, "instance") == 0) {
182 value = cf_section_name2(cs);
190 cp = cf_pair_find(cs, fmt);
191 if (!cp || !(value = cf_pair_value(cp))) {
197 strlcpy(out, value, outlen);
204 * Xlat for %{home_server:foo}
206 static ssize_t xlat_home_server(UNUSED void *instance, REQUEST *request,
207 char const *fmt, char *out, size_t outlen)
209 if (!fmt || !out || (outlen < 1)) return 0;
211 if (!request || !request->home_server) {
212 RWDEBUG("No home_server associated with this request");
218 return xlat_cs(request->home_server->cs, fmt, out, outlen);
223 * Xlat for %{home_server_pool:foo}
225 static ssize_t xlat_server_pool(UNUSED void *instance, REQUEST *request,
226 char const *fmt, char *out, size_t outlen)
228 if (!fmt || !out || (outlen < 1)) return 0;
230 if (!request || !request->home_pool) {
231 RWDEBUG("No home_pool associated with this request");
237 return xlat_cs(request->home_pool->cs, fmt, out, outlen);
241 void realms_free(void)
245 rbtree_free(home_servers_bynumber);
246 home_servers_bynumber = NULL;
249 rbtree_free(home_servers_byname);
250 home_servers_byname = NULL;
252 rbtree_free(home_servers_byaddr);
253 home_servers_byaddr = NULL;
255 rbtree_free(home_pools_byname);
256 home_pools_byname = NULL;
259 rbtree_free(realms_byname);
260 realms_byname = NULL;
264 realm_regex_t *this, *next;
266 for (this = realms_regex; this != NULL; this = next) {
275 talloc_free(realm_config);
281 static CONF_PARSER limit_config[] = {
282 { "max_connections", PW_TYPE_INTEGER,
283 offsetof(home_server_t, limit.max_connections), NULL, "16" },
285 { "max_requests", PW_TYPE_INTEGER,
286 offsetof(home_server_t, limit.max_requests), NULL, "0" },
288 { "lifetime", PW_TYPE_INTEGER,
289 offsetof(home_server_t, limit.lifetime), NULL, "0" },
291 { "idle_timeout", PW_TYPE_INTEGER,
292 offsetof(home_server_t, limit.idle_timeout), NULL, "0" },
294 { NULL, -1, 0, NULL, NULL } /* end the list */
297 static struct in_addr hs_ip4addr;
298 static struct in6_addr hs_ip6addr;
299 static char *hs_srcipaddr = NULL;
300 static char *hs_type = NULL;
301 static char *hs_check = NULL;
302 static char *hs_virtual_server = NULL;
304 static char *hs_proto = NULL;
308 static CONF_PARSER home_server_coa[] = {
309 { "irt", PW_TYPE_INTEGER,
310 offsetof(home_server_t, coa_irt), 0, STRINGIFY(2) },
311 { "mrt", PW_TYPE_INTEGER,
312 offsetof(home_server_t, coa_mrt), 0, STRINGIFY(16) },
313 { "mrc", PW_TYPE_INTEGER,
314 offsetof(home_server_t, coa_mrc), 0, STRINGIFY(5) },
315 { "mrd", PW_TYPE_INTEGER,
316 offsetof(home_server_t, coa_mrd), 0, STRINGIFY(30) },
318 { NULL, -1, 0, NULL, NULL } /* end the list */
322 static CONF_PARSER home_server_config[] = {
323 { "ipaddr", PW_TYPE_IPADDR,
324 0, &hs_ip4addr, NULL },
325 { "ipv6addr", PW_TYPE_IPV6ADDR,
326 0, &hs_ip6addr, NULL },
327 { "virtual_server", PW_TYPE_STRING_PTR,
328 0, &hs_virtual_server, NULL },
330 { "port", PW_TYPE_INTEGER,
331 offsetof(home_server_t,port), NULL, "0" },
333 { "type", PW_TYPE_STRING_PTR,
337 { "proto", PW_TYPE_STRING_PTR,
338 0, &hs_proto, NULL },
341 { "secret", PW_TYPE_STRING_PTR,
342 offsetof(home_server_t,secret), NULL, NULL},
344 { "src_ipaddr", PW_TYPE_STRING_PTR,
345 0, &hs_srcipaddr, NULL },
347 { "response_window", PW_TYPE_INTEGER,
348 offsetof(home_server_t,response_window), NULL, "30" },
349 { "max_outstanding", PW_TYPE_INTEGER,
350 offsetof(home_server_t,max_outstanding), NULL, "65536" },
352 { "zombie_period", PW_TYPE_INTEGER,
353 offsetof(home_server_t,zombie_period), NULL, "40" },
354 { "status_check", PW_TYPE_STRING_PTR,
355 0, &hs_check, "none" },
356 { "ping_check", PW_TYPE_STRING_PTR,
357 0, &hs_check, NULL },
359 { "ping_interval", PW_TYPE_INTEGER,
360 offsetof(home_server_t,ping_interval), NULL, "30" },
361 { "check_interval", PW_TYPE_INTEGER,
362 offsetof(home_server_t,ping_interval), NULL, "30" },
363 { "num_answers_to_alive", PW_TYPE_INTEGER,
364 offsetof(home_server_t,num_pings_to_alive), NULL, "3" },
365 { "revive_interval", PW_TYPE_INTEGER,
366 offsetof(home_server_t,revive_interval), NULL, "300" },
367 { "status_check_timeout", PW_TYPE_INTEGER,
368 offsetof(home_server_t,ping_timeout), NULL, "4" },
370 { "username", PW_TYPE_STRING_PTR,
371 offsetof(home_server_t,ping_user_name), NULL, NULL},
372 { "password", PW_TYPE_STRING_PTR,
373 offsetof(home_server_t,ping_user_password), NULL, NULL},
376 { "historic_average_window", PW_TYPE_INTEGER,
377 offsetof(home_server_t,ema.window), NULL, NULL },
381 { "coa", PW_TYPE_SUBSECTION, 0, NULL, (void const *) home_server_coa },
384 { "limit", PW_TYPE_SUBSECTION, 0, NULL, (void const *) limit_config },
386 { NULL, -1, 0, NULL, NULL } /* end the list */
390 static void null_free(UNUSED void *data)
394 static int home_server_add(realm_config_t *rc, CONF_SECTION *cs)
402 hs_virtual_server = NULL;
404 name2 = cf_section_name2(cs);
407 "Home server section is missing a name.");
411 home = talloc_zero(rc, home_server_t);
415 home->state = HOME_STATE_UNKNOWN;
418 * Last packet sent / received are zero.
421 memset(&hs_ip4addr, 0, sizeof(hs_ip4addr));
422 memset(&hs_ip6addr, 0, sizeof(hs_ip6addr));
423 if (cf_section_parse(cs, home, home_server_config) < 0) {
428 * Figure out which one to use.
430 if (cf_pair_find(cs, "ipaddr")) {
431 home->ipaddr.af = AF_INET;
432 home->ipaddr.ipaddr.ip4addr = hs_ip4addr;
434 } else if (cf_pair_find(cs, "ipv6addr")) {
435 home->ipaddr.af = AF_INET6;
436 home->ipaddr.ipaddr.ip6addr = hs_ip6addr;
438 } else if ((cp = cf_pair_find(cs, "virtual_server")) != NULL) {
439 home->ipaddr.af = AF_UNSPEC;
440 home->server = cf_pair_value(cp);
443 "Invalid value for virtual_server");
447 if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
450 "No such server %s", home->server);
455 * When CoA is used, the user has to specify the type
456 * of the home server, even when they point to
459 home->secret = strdup("");
464 "No ipaddr, ipv6addr, or virtual_server defined for home server \"%s\".",
467 TALLOC_FREE(hs_type);
476 if (!home->port || (home->port > 65535)) {
478 "No port, or invalid port defined for home server %s.",
485 "Fatal error! Home server %s is ourselves!",
491 * Use a reasonable default.
494 if (!hs_type) hs_type = talloc_strdup(cs, "auth+acct");
496 if (strcasecmp(hs_type, "auth") == 0) {
497 home->type = HOME_TYPE_AUTH;
499 } else if (strcasecmp(hs_type, "acct") == 0) {
500 home->type = HOME_TYPE_ACCT;
502 } else if (strcasecmp(hs_type, "auth+acct") == 0) {
503 home->type = HOME_TYPE_AUTH;
507 } else if (strcasecmp(hs_type, "coa") == 0) {
508 home->type = HOME_TYPE_COA;
511 if (home->server != NULL) {
513 "Home servers of type \"coa\" cannot point to a virtual server");
520 "Invalid type \"%s\" for home server %s.",
524 if (hs_type) talloc_free(hs_type);
527 if (!hs_check || (strcasecmp(hs_check, "none") == 0)) {
528 home->ping_check = HOME_PING_CHECK_NONE;
530 } else if (strcasecmp(hs_check, "status-server") == 0) {
531 home->ping_check = HOME_PING_CHECK_STATUS_SERVER;
533 } else if (strcasecmp(hs_check, "request") == 0) {
534 home->ping_check = HOME_PING_CHECK_REQUEST;
536 if (!home->ping_user_name ||
537 !*home->ping_user_name) {
538 cf_log_err_cs(cs, "You must supply a 'username' to enable status_check=request");
542 if ((home->type == HOME_TYPE_AUTH) &&
543 (!home->ping_user_password ||
544 !*home->ping_user_password)) {
545 cf_log_err_cs(cs, "You must supply a password to enable status_check=request");
551 "Invalid status_check \"%s\" for home server %s.",
557 if ((home->ping_check != HOME_PING_CHECK_NONE) &&
558 (home->ping_check != HOME_PING_CHECK_STATUS_SERVER)) {
559 if (!home->ping_user_name) {
560 cf_log_err_cs(cs, "You must supply a user name to enable status_check=request");
564 if ((home->type == HOME_TYPE_AUTH) &&
565 !home->ping_user_password) {
566 cf_log_err_cs(cs, "You must supply a password to enable status_check=request");
571 home->proto = IPPROTO_UDP;
574 if (strcmp(hs_proto, "udp") == 0) {
577 } else if (strcmp(hs_proto, "tcp") == 0) {
579 home->proto = IPPROTO_TCP;
581 if (home->ping_check != HOME_PING_CHECK_NONE) {
583 "Only 'status_check = none' is allowed for home servers with 'proto = tcp'");
589 "Unknown proto \"%s\".", hs_proto);
596 rbtree_finddata(home_servers_byaddr, home)) {
597 cf_log_err_cs(cs, "Duplicate home server");
602 * Check the TLS configuration.
604 tls = cf_section_sub_find(cs, "tls");
607 * If were doing RADSEC (tls+tcp) the secret should default
608 * to radsec, else a secret must be set.
612 if (tls && (home->proto == IPPROTO_TCP)) {
613 home->secret = "radsec";
617 cf_log_err_cs(cs, "No shared secret defined for home server %s", name2);
623 * If the home is a virtual server, don't look up source IP.
626 rad_assert(home->ipaddr.af != AF_UNSPEC);
629 * Otherwise look up the source IP using the same
630 * address family as the destination IP.
633 if (ip_hton(hs_srcipaddr, home->ipaddr.af, &home->src_ipaddr) < 0) {
634 cf_log_err_cs(cs, "Failed parsing src_ipaddr");
640 * Source isn't specified: Source is
641 * the correct address family, but all zeros.
643 memset(&home->src_ipaddr, 0, sizeof(home->src_ipaddr));
644 home->src_ipaddr.af = home->ipaddr.af;
647 if (tls && (home->proto != IPPROTO_TCP)) {
648 cf_log_err_cs(cs, "TLS transport is not available for UDP sockets.");
655 cf_log_err_cs(cs, "TLS transport is not available in this executable.");
660 * Parse the SSL client configuration.
663 home->tls = tls_client_conf_parse(tls);
671 cf_log_err_cs(cs, "Virtual home_servers cannot have a \"tls\" subsection");
676 * Make sure that this is set.
678 if (home->src_ipaddr.af == AF_UNSPEC) {
679 home->src_ipaddr.af = home->ipaddr.af;
684 if (rbtree_finddata(home_servers_byname, home) != NULL) {
686 "Duplicate home server name %s.", name2);
691 (rbtree_finddata(home_servers_byaddr, home) != NULL)) {
693 "Duplicate home server IP %s.", name2);
697 if (!rbtree_insert(home_servers_byname, home)) {
699 "Internal error %d adding home server %s.",
705 !rbtree_insert(home_servers_byaddr, home)) {
706 rbtree_deletebydata(home_servers_byname, home);
708 "Internal error %d adding home server %s.",
714 home->number = home_server_max_number++;
715 if (!rbtree_insert(home_servers_bynumber, home)) {
716 rbtree_deletebydata(home_servers_byname, home);
717 if (home->ipaddr.af != AF_UNSPEC) {
718 rbtree_deletebydata(home_servers_byname, home);
721 "Internal error %d adding home server %s.",
727 if (home->max_outstanding < 8) home->max_outstanding = 8;
728 if (home->max_outstanding > 65536*16) home->max_outstanding = 65536*16;
730 if (home->ping_interval < 6) home->ping_interval = 6;
731 if (home->ping_interval > 120) home->ping_interval = 120;
733 if (home->response_window < 1) home->response_window = 1;
734 if (home->response_window > 60) home->response_window = 60;
735 if (home->response_window > mainconfig.max_request_time) home->response_window = mainconfig.max_request_time;
737 if (home->zombie_period < 1) home->zombie_period = 1;
738 if (home->zombie_period > 120) home->zombie_period = 120;
740 if (home->zombie_period < home->response_window) {
741 home->zombie_period = home->response_window;
744 if (home->num_pings_to_alive < 3) home->num_pings_to_alive = 3;
745 if (home->num_pings_to_alive > 10) home->num_pings_to_alive = 10;
747 if (home->ping_timeout < 3) home->ping_timeout = 3;
748 if (home->ping_timeout > 10) home->ping_timeout = 10;
750 if (home->revive_interval < 60) home->revive_interval = 60;
751 if (home->revive_interval > 3600) home->revive_interval = 3600;
754 if (home->coa_irt < 1) home->coa_irt = 1;
755 if (home->coa_irt > 5) home->coa_irt = 5;
757 if (home->coa_mrc < 0) home->coa_mrc = 0;
758 if (home->coa_mrc > 20 ) home->coa_mrc = 20;
760 if (home->coa_mrt < 0) home->coa_mrt = 0;
761 if (home->coa_mrt > 30 ) home->coa_mrt = 30;
763 if (home->coa_mrd < 5) home->coa_mrd = 5;
764 if (home->coa_mrd > 60 ) home->coa_mrd = 60;
767 if (home->limit.max_connections > 1024) home->limit.max_connections = 1024;
771 * UDP sockets can't be connection limited.
773 if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
776 if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
777 home->limit.idle_timeout = 5;
778 if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
779 home->limit.lifetime = 5;
780 if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
781 home->limit.idle_timeout = 0;
783 tls = cf_item_parent(cf_sectiontoitem(cs));
784 if (strcmp(cf_section_name1(tls), "server") == 0) {
785 home->parent_server = cf_section_name2(tls);
789 home_server_t *home2 = talloc(rc, home_server_t);
791 memcpy(home2, home, sizeof(*home2));
793 home2->type = HOME_TYPE_ACCT;
795 home2->ping_user_password = NULL;
797 home2->parent_server = home->parent_server;
799 if (!rbtree_insert(home_servers_byname, home2)) {
801 "Internal error %d adding home server %s.",
808 !rbtree_insert(home_servers_byaddr, home2)) {
809 rbtree_deletebydata(home_servers_byname, home2);
811 "Internal error %d adding home server %s.",
818 home2->number = home_server_max_number++;
819 if (!rbtree_insert(home_servers_bynumber, home2)) {
820 rbtree_deletebydata(home_servers_byname, home2);
821 if (!home2->server) {
822 rbtree_deletebydata(home_servers_byname, home2);
825 "Internal error %d adding home server %s.",
834 * Mark it as already processed
836 cf_data_add(cs, "home_server", null_free, null_free);
842 static home_pool_t *server_pool_alloc(char const *name, home_pool_type_t type,
843 int server_type, int num_home_servers)
847 pool = rad_malloc(sizeof(*pool) + (sizeof(pool->servers[0]) *
849 if (!pool) return NULL; /* just for pairanoia */
851 memset(pool, 0, sizeof(*pool) + (sizeof(pool->servers[0]) *
856 pool->server_type = server_type;
857 pool->num_home_servers = num_home_servers;
863 * Ensure any home_server clauses in a home_server_pool section reference
864 * defined home servers, which should already have been created, regardless
865 * of where they appear in the configuration.
867 static int pool_check_home_server(UNUSED realm_config_t *rc, CONF_PAIR *cp,
868 char const *name, int server_type,
869 home_server_t **phome)
871 home_server_t myhome, *home;
875 "No value given for home_server.");
880 myhome.type = server_type;
881 home = rbtree_finddata(home_servers_byname, &myhome);
887 cf_log_err_cp(cp, "Unknown home_server \"%s\".", name);
892 static int server_pool_add(realm_config_t *rc,
893 CONF_SECTION *cs, int server_type, int do_print)
896 home_pool_t *pool = NULL;
899 int num_home_servers;
902 name2 = cf_section_name1(cs);
903 if (!name2 || ((strcasecmp(name2, "server_pool") != 0) &&
904 (strcasecmp(name2, "home_server_pool") != 0))) {
906 "Section is not a home_server_pool.");
910 name2 = cf_section_name2(cs);
913 "Server pool section is missing a name.");
918 * Count the home servers and initalize them.
920 num_home_servers = 0;
921 for (cp = cf_pair_find(cs, "home_server");
923 cp = cf_pair_find_next(cs, cp, "home_server")) {
926 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
927 server_type, &home)) {
932 if (num_home_servers == 0) {
934 "No home servers defined in pool %s",
939 pool = server_pool_alloc(name2, HOME_POOL_FAIL_OVER, server_type,
942 cf_log_err_cs(cs, "Failed allocating memory for pool");
949 * Fallback servers must be defined, and must be
952 cp = cf_pair_find(cs, "fallback");
955 if (server_type == HOME_TYPE_COA) {
956 cf_log_err_cs(cs, "Home server pools of type \"coa\" cannot have a fallback virtual server.");
961 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
962 server_type, &pool->fallback)) {
967 if (!pool->fallback->server) {
968 cf_log_err_cs(cs, "Fallback home_server %s does NOT contain a virtual_server directive.", pool->fallback->name);
973 if (do_print) cf_log_info(cs, " home_server_pool %s {", name2);
975 cp = cf_pair_find(cs, "type");
977 static FR_NAME_NUMBER pool_types[] = {
978 { "load-balance", HOME_POOL_LOAD_BALANCE },
980 { "fail-over", HOME_POOL_FAIL_OVER },
981 { "fail_over", HOME_POOL_FAIL_OVER },
983 { "round-robin", HOME_POOL_LOAD_BALANCE },
984 { "round_robin", HOME_POOL_LOAD_BALANCE },
986 { "client-balance", HOME_POOL_CLIENT_BALANCE },
987 { "client-port-balance", HOME_POOL_CLIENT_PORT_BALANCE },
988 { "keyed-balance", HOME_POOL_KEYED_BALANCE },
992 value = cf_pair_value(cp);
995 "No value given for type.");
999 pool->type = fr_str2int(pool_types, value, 0);
1002 "Unknown type \"%s\".",
1007 if (do_print) cf_log_info(cs, "\ttype = %s", value);
1010 cp = cf_pair_find(cs, "virtual_server");
1012 pool->virtual_server = cf_pair_value(cp);
1013 if (!pool->virtual_server) {
1014 cf_log_err_cp(cp, "No value given for virtual_server");
1019 cf_log_info(cs, "\tvirtual_server = %s", pool->virtual_server);
1022 if (!cf_section_sub_find_name2(rc->cs, "server",
1023 pool->virtual_server)) {
1024 cf_log_err_cp(cp, "No such server %s",
1025 pool->virtual_server);
1031 num_home_servers = 0;
1032 for (cp = cf_pair_find(cs, "home_server");
1034 cp = cf_pair_find_next(cs, cp, "home_server")) {
1035 home_server_t myhome;
1037 value = cf_pair_value(cp);
1039 memset(&myhome, 0, sizeof(myhome));
1040 myhome.name = value;
1041 myhome.type = server_type;
1043 home = rbtree_finddata(home_servers_byname, &myhome);
1045 DEBUG2("Internal sanity check failed");
1050 WDEBUG2("Duplicate home server %s in server pool %s", home->name, pool->name);
1054 if (do_print) cf_log_info(cs, "\thome_server = %s", home->name);
1055 pool->servers[num_home_servers++] = home;
1056 } /* loop over home_server's */
1058 if (pool->fallback && do_print) {
1059 cf_log_info(cs, "\tfallback = %s", pool->fallback->name);
1062 if (!rbtree_insert(home_pools_byname, pool)) {
1063 rad_assert("Internal sanity check failed");
1067 if (do_print) cf_log_info(cs, " }");
1069 cf_data_add(cs, "home_server_pool", pool, free);
1071 rad_assert(pool->server_type != 0);
1076 if (do_print) cf_log_info(cs, " }");
1082 static int old_server_add(realm_config_t *rc, CONF_SECTION *cs,
1084 char const *name, char const *secret,
1085 home_pool_type_t ldflag, home_pool_t **pool_p,
1086 int type, char const *server)
1089 int i, insert_point, num_home_servers;
1090 home_server_t myhome, *home;
1091 home_pool_t mypool, *pool;
1092 CONF_SECTION *subcs;
1094 (void) rc; /* -Wunused */
1103 * LOCAL realms get sanity checked, and nothing else happens.
1105 if (strcmp(name, "LOCAL") == 0) {
1107 cf_log_err_cs(cs, "Realm \"%s\" cannot be both LOCAL and remote", name);
1114 return 0; /* Not proxying. Can't do non-LOCAL realms */
1117 mypool.name = realm;
1118 mypool.server_type = type;
1119 pool = rbtree_finddata(home_pools_byname, &mypool);
1121 if (pool->type != ldflag) {
1122 cf_log_err_cs(cs, "Inconsistent ldflag for server pool \"%s\"", name);
1126 if (pool->server_type != type) {
1127 cf_log_err_cs(cs, "Inconsistent home server type for server pool \"%s\"", name);
1134 home = rbtree_finddata(home_servers_byname, &myhome);
1136 if (secret && (strcmp(home->secret, secret) != 0)) {
1137 cf_log_err_cs(cs, "Inconsistent shared secret for home server \"%s\"", name);
1141 if (home->type != type) {
1142 cf_log_err_cs(cs, "Inconsistent type for home server \"%s\"", name);
1147 * See if the home server is already listed
1148 * in the pool. If so, do nothing else.
1150 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
1151 if (pool->servers[i] == home) {
1158 * If we do have a pool, check that there is room to
1159 * insert the home server we've found, or the one that we
1162 * Note that we insert it into the LAST available
1163 * position, in order to maintain the same order as in
1164 * the configuration files.
1168 for (i = pool->num_home_servers - 1; i >= 0; i--) {
1169 if (pool->servers[i]) break;
1171 if (!pool->servers[i]) {
1176 if (insert_point < 0) {
1177 cf_log_err_cs(cs, "No room in pool to add home server \"%s\". Please update the realm configuration to use the new-style home servers and server pools.", name);
1183 * No home server, allocate one.
1189 home = talloc_zero(rc, home_server_t);
1191 home->hostname = name;
1193 home->secret = secret;
1195 home->proto = IPPROTO_UDP;
1197 p = strchr(name, ':');
1199 if (type == HOME_TYPE_AUTH) {
1200 home->port = PW_AUTH_UDP_PORT;
1202 home->port = PW_ACCT_UDP_PORT;
1208 } else if (p == name) {
1210 "Invalid hostname %s.",
1216 home->port = atoi(p + 1);
1217 if ((home->port == 0) || (home->port > 65535)) {
1225 q = rad_malloc((p - name) + 1);
1226 memcpy(q, name, (p - name));
1232 if (ip_hton(p, AF_UNSPEC, &home->ipaddr) < 0) {
1234 "Failed looking up hostname %s.",
1240 home->src_ipaddr.af = home->ipaddr.af;
1242 home->ipaddr.af = AF_UNSPEC;
1243 home->server = server;
1248 * Use the old-style configuration.
1250 home->max_outstanding = 65535*16;
1251 home->zombie_period = rc->retry_delay * rc->retry_count;
1252 if (home->zombie_period == 0) home->zombie_period =30;
1253 home->response_window = home->zombie_period - 1;
1255 home->ping_check = HOME_PING_CHECK_NONE;
1257 home->revive_interval = rc->dead_time;
1259 if (rbtree_finddata(home_servers_byaddr, home)) {
1260 cf_log_err_cs(cs, "Home server %s has the same IP address and/or port as another home server.", name);
1265 if (!rbtree_insert(home_servers_byname, home)) {
1266 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1271 if (!rbtree_insert(home_servers_byaddr, home)) {
1272 rbtree_deletebydata(home_servers_byname, home);
1273 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1279 home->number = home_server_max_number++;
1280 if (!rbtree_insert(home_servers_bynumber, home)) {
1281 rbtree_deletebydata(home_servers_byname, home);
1282 if (home->ipaddr.af != AF_UNSPEC) {
1283 rbtree_deletebydata(home_servers_byname, home);
1286 "Internal error %d adding home server %s.",
1295 * We now have a home server, see if we can insert it
1296 * into pre-existing pool.
1298 if (insert_point >= 0) {
1299 rad_assert(pool != NULL);
1300 pool->servers[insert_point] = home;
1304 rad_assert(pool == NULL);
1305 rad_assert(home != NULL);
1308 * Count the old-style realms of this name.
1310 num_home_servers = 0;
1311 for (subcs = cf_section_find_next(cs, NULL, "realm");
1313 subcs = cf_section_find_next(cs, subcs, "realm")) {
1314 char const *this = cf_section_name2(subcs);
1316 if (!this || (strcmp(this, realm) != 0)) continue;
1320 if (num_home_servers == 0) {
1321 cf_log_err_cs(cs, "Internal error counting pools for home server %s.", name);
1326 pool = server_pool_alloc(realm, ldflag, type, num_home_servers);
1329 pool->servers[0] = home;
1331 if (!rbtree_insert(home_pools_byname, pool)) {
1332 rad_assert("Internal sanity check failed");
1342 static int old_realm_config(realm_config_t *rc, CONF_SECTION *cs, REALM *r)
1345 char const *secret = NULL;
1346 home_pool_type_t ldflag;
1349 cp = cf_pair_find(cs, "ldflag");
1350 ldflag = HOME_POOL_FAIL_OVER;
1352 host = cf_pair_value(cp);
1354 cf_log_err_cp(cp, "No value specified for ldflag");
1358 if (strcasecmp(host, "fail_over") == 0) {
1359 cf_log_info(cs, "\tldflag = fail_over");
1361 } else if (strcasecmp(host, "round_robin") == 0) {
1362 ldflag = HOME_POOL_LOAD_BALANCE;
1363 cf_log_info(cs, "\tldflag = round_robin");
1366 cf_log_err_cs(cs, "Unknown value \"%s\" for ldflag", host);
1369 } /* else don't print it. */
1372 * Allow old-style if it doesn't exist, or if it exists and
1375 cp = cf_pair_find(cs, "authhost");
1377 host = cf_pair_value(cp);
1379 cf_log_err_cp(cp, "No value specified for authhost");
1383 if (strcmp(host, "LOCAL") != 0) {
1384 cp = cf_pair_find(cs, "secret");
1386 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1390 secret = cf_pair_value(cp);
1392 cf_log_err_cp(cp, "No value specified for secret");
1397 cf_log_info(cs, "\tauthhost = %s", host);
1399 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1400 &r->auth_pool, HOME_TYPE_AUTH, NULL)) {
1405 cp = cf_pair_find(cs, "accthost");
1407 host = cf_pair_value(cp);
1409 cf_log_err_cp(cp, "No value specified for accthost");
1414 * Don't look for a secret again if it was found
1417 if ((strcmp(host, "LOCAL") != 0) && !secret) {
1418 cp = cf_pair_find(cs, "secret");
1420 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1424 secret = cf_pair_value(cp);
1426 cf_log_err_cp(cp, "No value specified for secret");
1431 cf_log_info(cs, "\taccthost = %s", host);
1433 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1434 &r->acct_pool, HOME_TYPE_ACCT, NULL)) {
1439 cp = cf_pair_find(cs, "virtual_server");
1441 host = cf_pair_value(cp);
1443 cf_log_err_cp(cp, "No value specified for virtual_server");
1447 cf_log_info(cs, "\tvirtual_server = %s", host);
1449 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1450 &r->auth_pool, HOME_TYPE_AUTH, host)) {
1453 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1454 &r->acct_pool, HOME_TYPE_ACCT, host)) {
1459 if (secret) cf_log_info(cs, "\tsecret = %s", secret);
1467 static int add_pool_to_realm(realm_config_t *rc, CONF_SECTION *cs,
1468 char const *name, home_pool_t **dest,
1469 int server_type, int do_print)
1471 home_pool_t mypool, *pool;
1474 mypool.server_type = server_type;
1476 pool = rbtree_finddata(home_pools_byname, &mypool);
1478 CONF_SECTION *pool_cs;
1480 pool_cs = cf_section_sub_find_name2(rc->cs,
1484 pool_cs = cf_section_sub_find_name2(rc->cs,
1489 cf_log_err_cs(cs, "Failed to find home_server_pool \"%s\"", name);
1493 if (!server_pool_add(rc, pool_cs, server_type, do_print)) {
1497 pool = rbtree_finddata(home_pools_byname, &mypool);
1499 ERROR("Internal sanity check failed in add_pool_to_realm");
1504 if (pool->server_type != server_type) {
1505 cf_log_err_cs(cs, "Incompatible home_server_pool \"%s\" (mixed auth_pool / acct_pool)", name);
1516 static int realm_add(realm_config_t *rc, CONF_SECTION *cs)
1522 home_pool_t *auth_pool, *acct_pool;
1523 char const *auth_pool_name, *acct_pool_name;
1525 char const *coa_pool_name;
1526 home_pool_t *coa_pool;
1530 name2 = cf_section_name1(cs);
1531 if (!name2 || (strcasecmp(name2, "realm") != 0)) {
1532 cf_log_err_cs(cs, "Section is not a realm.");
1536 name2 = cf_section_name2(cs);
1538 cf_log_err_cs(cs, "Realm section is missing the realm name.");
1543 auth_pool = acct_pool = NULL;
1544 auth_pool_name = acct_pool_name = NULL;
1547 coa_pool_name = NULL;
1551 * Prefer new configuration to old one.
1553 cp = cf_pair_find(cs, "pool");
1554 if (!cp) cp = cf_pair_find(cs, "home_server_pool");
1555 if (cp) auth_pool_name = cf_pair_value(cp);
1556 if (cp && auth_pool_name) {
1557 acct_pool_name = auth_pool_name;
1558 if (!add_pool_to_realm(rc, cs,
1559 auth_pool_name, &auth_pool,
1560 HOME_TYPE_AUTH, 1)) {
1563 if (!add_pool_to_realm(rc, cs,
1564 auth_pool_name, &acct_pool,
1565 HOME_TYPE_ACCT, 0)) {
1570 cp = cf_pair_find(cs, "auth_pool");
1571 if (cp) auth_pool_name = cf_pair_value(cp);
1572 if (cp && auth_pool_name) {
1574 cf_log_err_cs(cs, "Cannot use \"pool\" and \"auth_pool\" at the same time.");
1577 if (!add_pool_to_realm(rc, cs,
1578 auth_pool_name, &auth_pool,
1579 HOME_TYPE_AUTH, 1)) {
1584 cp = cf_pair_find(cs, "acct_pool");
1585 if (cp) acct_pool_name = cf_pair_value(cp);
1586 if (cp && acct_pool_name) {
1587 int do_print = true;
1590 cf_log_err_cs(cs, "Cannot use \"pool\" and \"acct_pool\" at the same time.");
1596 (strcmp(auth_pool_name, acct_pool_name) != 0))) {
1600 if (!add_pool_to_realm(rc, cs,
1601 acct_pool_name, &acct_pool,
1602 HOME_TYPE_ACCT, do_print)) {
1608 cp = cf_pair_find(cs, "coa_pool");
1609 if (cp) coa_pool_name = cf_pair_value(cp);
1610 if (cp && coa_pool_name) {
1611 int do_print = true;
1613 if (!add_pool_to_realm(rc, cs,
1614 coa_pool_name, &coa_pool,
1615 HOME_TYPE_COA, do_print)) {
1622 cf_log_info(cs, " realm %s {", name2);
1626 * The realm MAY already exist if it's an old-style realm.
1627 * In that case, merge the old-style realm with this one.
1629 r = realm_find2(name2);
1630 if (r && (strcmp(r->name, name2) == 0)) {
1631 if (cf_pair_find(cs, "auth_pool") ||
1632 cf_pair_find(cs, "acct_pool")) {
1633 cf_log_err_cs(cs, "Duplicate realm \"%s\"", name2);
1637 if (!old_realm_config(rc, cs, r)) {
1641 cf_log_info(cs, " } # realm %s", name2);
1647 if (name2[0] == '~') {
1652 * Include substring matches.
1654 rcode = regcomp(®, name2 + 1, REG_EXTENDED | REG_NOSUB | REG_ICASE);
1658 regerror(rcode, ®, buffer, sizeof(buffer));
1661 "Invalid regex \"%s\": %s",
1669 r = rad_malloc(sizeof(*r));
1670 memset(r, 0, sizeof(*r));
1675 r->auth_pool = auth_pool;
1676 r->acct_pool = acct_pool;
1678 r->coa_pool = coa_pool;
1681 if (auth_pool_name &&
1682 (auth_pool_name == acct_pool_name)) { /* yes, ptr comparison */
1683 cf_log_info(cs, "\tpool = %s", auth_pool_name);
1685 if (auth_pool_name) cf_log_info(cs, "\tauth_pool = %s", auth_pool_name);
1686 if (acct_pool_name) cf_log_info(cs, "\tacct_pool = %s", acct_pool_name);
1688 if (coa_pool_name) cf_log_info(cs, "\tcoa_pool = %s", coa_pool_name);
1693 cp = cf_pair_find(cs, "nostrip");
1694 if (cp && (cf_pair_value(cp) == NULL)) {
1696 cf_log_info(cs, "\tnostrip");
1700 * We're a new-style realm. Complain if we see the old
1703 if (r->auth_pool || r->acct_pool) {
1704 if (((cp = cf_pair_find(cs, "authhost")) != NULL) ||
1705 ((cp = cf_pair_find(cs, "accthost")) != NULL) ||
1706 ((cp = cf_pair_find(cs, "secret")) != NULL) ||
1707 ((cp = cf_pair_find(cs, "ldflag")) != NULL)) {
1708 WDEBUG2("Ignoring old-style configuration entry \"%s\" in realm \"%s\"", cf_pair_attr(cp), r->name);
1713 * The realm MAY be an old-style realm, as there
1714 * was no auth_pool or acct_pool. Double-check
1715 * it, just to be safe.
1717 } else if (!old_realm_config(rc, cs, r)) {
1723 * It's a regex. Add it to a separate list.
1725 if (name2[0] == '~') {
1726 realm_regex_t *rr, **last;
1728 rr = rad_malloc(sizeof(*rr));
1730 last = &realms_regex;
1731 while (*last) last = &((*last)->next); /* O(N^2)... sue me. */
1739 cf_log_info(cs, " }");
1744 if (!rbtree_insert(realms_byname, r)) {
1745 rad_assert("Internal sanity check failed");
1749 cf_log_info(cs, " }");
1754 cf_log_info(cs, " } # realm %s", name2);
1760 static const FR_NAME_NUMBER home_server_types[] = {
1761 { "auth", HOME_TYPE_AUTH },
1762 { "auth+acct", HOME_TYPE_AUTH },
1763 { "acct", HOME_TYPE_ACCT },
1764 { "coa", HOME_TYPE_COA },
1768 static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs)
1771 char const *name, *type;
1773 CONF_SECTION *server_cs;
1775 cp = cf_pair_find(cs, "home_server");
1777 cf_log_err_cs(cs, "Pool does not contain a \"home_server\" entry");
1778 return HOME_TYPE_INVALID;
1781 name = cf_pair_value(cp);
1783 cf_log_err_cp(cp, "home_server entry does not reference a home server");
1784 return HOME_TYPE_INVALID;
1787 server_cs = cf_section_sub_find_name2(config, "home_server", name);
1789 cf_log_err_cp(cp, "home_server \"%s\" does not exist", name);
1790 return HOME_TYPE_INVALID;
1793 cp = cf_pair_find(server_cs, "type");
1795 cf_log_err_cs(server_cs, "home_server %s does not contain a \"type\" entry", name);
1796 return HOME_TYPE_INVALID;
1799 type = cf_pair_value(cp);
1801 cf_log_err_cs(server_cs, "home_server %s contains an empty \"type\" entry", name);
1802 return HOME_TYPE_INVALID;
1805 home = fr_str2int(home_server_types, type, HOME_TYPE_INVALID);
1806 if (home == HOME_TYPE_INVALID) {
1807 cf_log_err_cs(server_cs, "home_server %s contains an invalid \"type\" entry of value \"%s\"", name, type);
1808 return HOME_TYPE_INVALID;
1811 return home; /* 'cause we miss it so much */
1815 int realms_init(CONF_SECTION *config)
1819 CONF_SECTION *server_cs;
1821 realm_config_t *rc, *old_rc;
1823 if (realms_byname) return 1;
1825 realms_byname = rbtree_create(realm_name_cmp, free, 0);
1826 if (!realms_byname) {
1832 home_servers_byaddr = rbtree_create(home_server_addr_cmp, home_server_free, 0);
1833 if (!home_servers_byaddr) {
1838 home_servers_byname = rbtree_create(home_server_name_cmp, NULL, 0);
1839 if (!home_servers_byname) {
1845 home_servers_bynumber = rbtree_create(home_server_number_cmp, NULL, 0);
1846 if (!home_servers_bynumber) {
1852 home_pools_byname = rbtree_create(home_pool_name_cmp, NULL, 0);
1853 if (!home_pools_byname) {
1859 rc = talloc_zero(NULL, realm_config_t);
1863 cs = cf_subsection_find_next(config, NULL, "proxy");
1865 if (cf_section_parse(cs, rc, proxy_config) < 0) {
1866 ERROR("Failed parsing proxy section");
1870 * Must be called after realms_free as home_servers
1871 * parented by rc are in trees freed by realms_free()
1877 rc->dead_time = DEAD_TIME;
1878 rc->retry_count = RETRY_COUNT;
1879 rc->retry_delay = RETRY_DELAY;
1881 rc->wake_all_if_all_dead= 0;
1884 for (cs = cf_subsection_find_next(config, NULL, "home_server");
1886 cs = cf_subsection_find_next(config, cs, "home_server")) {
1887 if (!home_server_add(rc, cs)) goto error;
1891 * Loop over virtual servers to find homes which are
1894 for (server_cs = cf_subsection_find_next(config, NULL, "server");
1896 server_cs = cf_subsection_find_next(config, server_cs, "server")) {
1897 for (cs = cf_subsection_find_next(server_cs, NULL, "home_server");
1899 cs = cf_subsection_find_next(server_cs, cs, "home_server")) {
1900 if (!home_server_add(rc, cs)) goto error;
1905 for (cs = cf_subsection_find_next(config, NULL, "realm");
1907 cs = cf_subsection_find_next(config, cs, "realm")) {
1908 if (!realm_add(rc, cs)) goto error;
1913 * CoA pools aren't necessarily tied to realms.
1915 for (cs = cf_subsection_find_next(config, NULL, "home_server_pool");
1917 cs = cf_subsection_find_next(config, cs, "home_server_pool")) {
1921 * Pool was already loaded.
1923 if (cf_data_find(cs, "home_server_pool")) continue;
1925 type = pool_peek_type(config, cs);
1926 if (type == HOME_TYPE_INVALID) goto error;
1927 if (!server_pool_add(rc, cs, type, true)) goto error;
1933 xlat_register("home_server", xlat_home_server, NULL, NULL);
1934 xlat_register("home_server_pool", xlat_server_pool, NULL, NULL);
1938 * Swap pointers atomically.
1940 old_rc = realm_config;
1942 talloc_free(old_rc);
1948 * Find a realm where "name" might be the regex.
1950 REALM *realm_find2(char const *name)
1955 if (!name) name = "NULL";
1957 myrealm.name = name;
1958 realm = rbtree_finddata(realms_byname, &myrealm);
1959 if (realm) return realm;
1963 realm_regex_t *this;
1965 for (this = realms_regex; this != NULL; this = this->next) {
1966 if (strcmp(this->realm->name, name) == 0) {
1974 * Couldn't find a realm. Look for DEFAULT.
1976 myrealm.name = "DEFAULT";
1977 return rbtree_finddata(realms_byname, &myrealm);
1982 * Find a realm in the REALM list.
1984 REALM *realm_find(char const *name)
1989 if (!name) name = "NULL";
1991 myrealm.name = name;
1992 realm = rbtree_finddata(realms_byname, &myrealm);
1993 if (realm) return realm;
1997 realm_regex_t *this;
1999 for (this = realms_regex; this != NULL; this = this->next) {
2004 * Include substring matches.
2006 if (regcomp(®, this->realm->name + 1, REG_EXTENDED | REG_NOSUB | REG_ICASE) != 0) {
2010 compare = regexec(®, name, 0, NULL, 0);
2013 if (compare == 0) return this->realm;
2019 * Couldn't find a realm. Look for DEFAULT.
2021 myrealm.name = "DEFAULT";
2022 return rbtree_finddata(realms_byname, &myrealm);
2029 * Allocate the proxy list if it doesn't already exist, and copy request
2030 * VPs into it. Setup src/dst IP addresses based on home server, and
2031 * calculate and add the message-authenticator.
2033 * This is a distinct function from home_server_ldb, as not all home_server_t
2034 * lookups result in the *CURRENT* request being proxied,
2035 * as in rlm_replicate, and this may trigger asserts elsewhere in the
2038 void home_server_update_request(home_server_t *home, REQUEST *request)
2042 * Allocate the proxy packet, only if it wasn't
2043 * already allocated by a module. This check is
2044 * mainly to support the proxying of EAP-TTLS and
2045 * EAP-PEAP tunneled requests.
2047 * In those cases, the EAP module creates a
2048 * "fake" request, and recursively passes it
2049 * through the authentication stage of the
2050 * server. The module then checks if the request
2051 * was supposed to be proxied, and if so, creates
2052 * a proxy packet from the TUNNELED request, and
2053 * not from the EAP request outside of the
2056 * The proxy then works like normal, except that
2057 * the response packet is "eaten" by the EAP
2058 * module, and encapsulated into an EAP packet.
2060 if (!request->proxy) {
2061 request->proxy = rad_alloc(request, true);
2062 if (!request->proxy) {
2069 * Copy the request, then look up name
2070 * and plain-text password in the copy.
2072 * Note that the User-Name attribute is
2073 * the *original* as sent over by the
2074 * client. The Stripped-User-Name
2075 * attribute is the one hacked through
2078 request->proxy->vps = paircopy(request->proxy,
2079 request->packet->vps);
2083 * Update the various fields as appropriate.
2085 request->proxy->src_ipaddr = home->src_ipaddr;
2086 request->proxy->src_port = 0;
2087 request->proxy->dst_ipaddr = home->ipaddr;
2088 request->proxy->dst_port = home->port;
2089 request->home_server = home;
2092 * Access-Requests have a Message-Authenticator added,
2093 * unless one already exists.
2095 if ((request->packet->code == PW_AUTHENTICATION_REQUEST) &&
2096 !pairfind(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY)) {
2097 pairmake(request->proxy, &request->proxy->vps,
2098 "Message-Authenticator", "0x00",
2103 home_server_t *home_server_ldb(char const *realmname,
2104 home_pool_t *pool, REQUEST *request)
2108 home_server_t *found = NULL;
2109 home_server_t *zombie = NULL;
2113 * Determine how to pick choose the home server.
2115 switch (pool->type) {
2119 * For load-balancing by client IP address, we
2120 * pick a home server by hashing the client IP.
2122 * This isn't as even a load distribution as
2123 * tracking the State attribute, but it's better
2126 case HOME_POOL_CLIENT_BALANCE:
2127 switch (request->packet->src_ipaddr.af) {
2129 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2130 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2133 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2134 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2140 start = hash % pool->num_home_servers;
2143 case HOME_POOL_CLIENT_PORT_BALANCE:
2144 switch (request->packet->src_ipaddr.af) {
2146 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2147 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2150 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2151 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2157 fr_hash_update(&request->packet->src_port,
2158 sizeof(request->packet->src_port), hash);
2159 start = hash % pool->num_home_servers;
2162 case HOME_POOL_KEYED_BALANCE:
2163 if ((vp = pairfind(request->config_items, PW_LOAD_BALANCE_KEY, 0, TAG_ANY)) != NULL) {
2164 hash = fr_hash(vp->vp_strvalue, vp->length);
2165 start = hash % pool->num_home_servers;
2170 case HOME_POOL_LOAD_BALANCE:
2171 case HOME_POOL_FAIL_OVER:
2175 default: /* this shouldn't happen... */
2182 * Starting with the home server we chose, loop through
2183 * all home servers. If the current one is dead, skip
2184 * it. If it is too busy, skip it.
2186 * Otherwise, use it.
2188 for (count = 0; count < pool->num_home_servers; count++) {
2189 home_server_t *home = pool->servers[(start + count) % pool->num_home_servers];
2191 if (!home) continue;
2194 * Skip dead home servers.
2196 * Home servers that are unknown, alive, or zombie
2197 * are used for proxying.
2199 if (home->state == HOME_STATE_IS_DEAD) {
2204 * This home server is too busy. Choose another one.
2206 if (home->currently_outstanding >= home->max_outstanding) {
2212 * We read the packet from a detail file, AND it
2213 * came from this server. Don't re-proxy it
2216 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
2217 (request->packet->code == PW_ACCOUNTING_REQUEST) &&
2218 (fr_ipaddr_cmp(&home->ipaddr, &request->packet->src_ipaddr) == 0)) {
2224 * Default virtual: ignore homes tied to a
2227 if (!request->server && home->parent_server) {
2232 * A virtual AND home is tied to virtual,
2233 * ignore ones which don't match.
2235 if (request->server && home->parent_server &&
2236 strcmp(request->server, home->parent_server) != 0) {
2241 * Allow request->server && !home->parent_server
2243 * i.e. virtuals can proxy to globally defined
2248 * It's zombie, so we remember the first zombie
2249 * we find, but we don't mark it as a "live"
2252 if (home->state == HOME_STATE_ZOMBIE) {
2253 if (!zombie) zombie = home;
2258 * We've found the first "live" one. Use that.
2260 if (pool->type != HOME_POOL_LOAD_BALANCE) {
2266 * Otherwise we're doing some kind of load balancing.
2267 * If we haven't found one yet, pick this one.
2274 RDEBUG3("PROXY %s %d\t%s %d",
2275 found->name, found->currently_outstanding,
2276 home->name, home->currently_outstanding);
2279 * Prefer this server if it's less busy than the
2280 * one we had previously found.
2282 if (home->currently_outstanding < found->currently_outstanding) {
2283 RDEBUG3("PROXY Choosing %s: It's less busy than %s",
2284 home->name, found->name);
2290 * Ignore servers which are busier than the one
2293 if (home->currently_outstanding > found->currently_outstanding) {
2294 RDEBUG3("PROXY Skipping %s: It's busier than %s",
2295 home->name, found->name);
2300 * From the list of servers which have the same
2301 * load, choose one at random.
2303 if (((count + 1) * (fr_rand() & 0xffff)) < (uint32_t) 0x10000) {
2306 } /* loop over the home servers */
2309 * We have no live servers, BUT we have a zombie. Use
2310 * the zombie as a last resort.
2312 if (!found && zombie) {
2318 * There's a fallback if they're all dead.
2320 if (!found && pool->fallback) {
2321 found = pool->fallback;
2323 WDEBUG("Home server pool %s failing over to fallback %s",
2324 pool->name, found->server);
2325 if (pool->in_fallback) goto update_and_return;
2327 pool->in_fallback = true;
2330 * Run the trigger once an hour saying that
2333 if ((pool->time_all_dead + 3600) < request->timestamp) {
2334 pool->time_all_dead = request->timestamp;
2335 exec_trigger(request, pool->cs, "home_server_pool.fallback", false);
2341 if ((found != pool->fallback) && pool->in_fallback) {
2342 pool->in_fallback = false;
2343 exec_trigger(request, pool->cs, "home_server_pool.normal", false);
2350 * No live match found, and no fallback to the "DEFAULT"
2351 * realm. We fix this by blindly marking all servers as
2352 * "live". But only do it for ones that don't support
2353 * "pings", as they will be marked live when they
2354 * actually are live.
2356 if (!realm_config->fallback &&
2357 realm_config->wake_all_if_all_dead) {
2358 for (count = 0; count < pool->num_home_servers; count++) {
2359 home_server_t *home = pool->servers[count];
2361 if (!home) continue;
2363 if ((home->state == HOME_STATE_IS_DEAD) &&
2364 (home->ping_check == HOME_PING_CHECK_NONE)) {
2365 home->state = HOME_STATE_ALIVE;
2366 if (!found) found = home;
2370 if (found) goto update_and_return;
2374 * Still nothing. Look up the DEFAULT realm, but only
2375 * if we weren't looking up the NULL or DEFAULT realms.
2377 if (realm_config->fallback &&
2379 (strcmp(realmname, "NULL") != 0) &&
2380 (strcmp(realmname, "DEFAULT") != 0)) {
2381 REALM *rd = realm_find("DEFAULT");
2383 if (!rd) return NULL;
2386 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
2387 pool = rd->auth_pool;
2389 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
2390 pool = rd->acct_pool;
2392 if (!pool) return NULL;
2394 RDEBUG2("PROXY - realm %s has no live home servers. Falling back to the DEFAULT realm.", realmname);
2395 return home_server_ldb(rd->name, pool, request);
2399 * Still haven't found anything. Oh well.
2405 home_server_t *home_server_find(fr_ipaddr_t *ipaddr, int port, int proto)
2407 home_server_t myhome;
2409 memset(&myhome, 0, sizeof(myhome));
2410 myhome.ipaddr = *ipaddr;
2411 myhome.src_ipaddr.af = ipaddr->af;
2414 myhome.proto = proto;
2416 myhome.proto = IPPROTO_UDP;
2418 myhome.server = NULL; /* we're not called for internal proxying */
2420 return rbtree_finddata(home_servers_byaddr, &myhome);
2424 home_server_t *home_server_byname(char const *name, int type)
2426 home_server_t myhome;
2428 memset(&myhome, 0, sizeof(myhome));
2432 return rbtree_finddata(home_servers_byname, &myhome);
2437 home_server_t *home_server_bynumber(int number)
2439 home_server_t myhome;
2441 memset(&myhome, 0, sizeof(myhome));
2442 myhome.number = number;
2443 myhome.server = NULL; /* we're not called for internal proxying */
2445 return rbtree_finddata(home_servers_bynumber, &myhome);
2449 home_pool_t *home_pool_byname(char const *name, int type)
2453 memset(&mypool, 0, sizeof(mypool));
2455 mypool.server_type = type;
2456 return rbtree_finddata(home_pools_byname, &mypool);