2 * dhcp.c DHCP processing.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2008 The FreeRADIUS server project
21 * Copyright 2008,2011 Alan DeKok <aland@deployingradius.com>
26 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 DISCOVER
27 * CLIENT_IP : 68 <- DHCP_SERVER_IP : 67 OFFER
28 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 REQUEST
29 * CLIENT_IP : 68 <- DHCP_SERVER_IP : 67 ACK
32 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 DISCOVER
33 * RELAY_IP : 67 -> NEXT_SERVER_IP : 67 DISCOVER
34 * (NEXT_SERVER_IP can be a relay itself)
35 * FIRST_RELAY_IP : 67 <- DHCP_SERVER_IP : 67 OFFER
36 * CLIENT_IP : 68 <- FIRST_RELAY_IP : 67 OFFER
37 * INADDR_ANY : 68 -> INADDR_BROADCAST : 67 REQUEST
38 * RELAY_IP : 67 -> NEXT_SERVER_IP : 67 REQUEST
39 * (NEXT_SERVER_IP can be a relay itself)
40 * FIRST_RELAY_IP : 67 <- DHCP_SERVER_IP : 67 ACK
41 * CLIENT_IP : 68 <- FIRST_RELAY_IP : 67 ACK
43 * Note: NACK are broadcasted, rest is unicast, unless client asked
48 #include <freeradius-devel/radiusd.h>
49 #include <freeradius-devel/modules.h>
50 #include <freeradius-devel/protocol.h>
51 #include <freeradius-devel/process.h>
52 #include <freeradius-devel/dhcp.h>
53 #include <freeradius-devel/rad_assert.h>
56 #include <sys/ioctl.h>
59 extern bool check_config; /* @todo globals are bad, m'kay? */
62 * Same contents as listen_socket_t.
64 typedef struct dhcp_socket_t {
65 listen_socket_t lsock;
68 * DHCP-specific additions.
70 bool suppress_responses;
71 RADCLIENT dhcp_client;
72 char const *src_interface;
73 fr_ipaddr_t src_ipaddr;
77 static int dhcprelay_process_client_request(REQUEST *request)
80 VALUE_PAIR *vp, *giaddr;
83 rad_assert(request->packet->data[0] == 1);
86 * Do the forward by ourselves, do not rely on dhcp_socket_send()
88 request->reply->code = 0;
91 * It's invalid to have giaddr=0 AND a relay option
93 giaddr = pairfind(request->packet->vps, 266, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Gateway-IP-Address */
94 if (giaddr && (giaddr->vp_ipaddr == htonl(INADDR_ANY)) &&
95 pairfind(request->packet->vps, 82, DHCP_MAGIC_VENDOR, TAG_ANY)) { /* DHCP-Relay-Agent-Information */
96 DEBUG("DHCP: Received packet with giaddr = 0 and containing relay option: Discarding packet\n");
101 * RFC 1542 (BOOTP), page 15
103 * Drop requests if hop-count > 16 or admin specified another value
105 if ((vp = pairfind(request->config_items, 271, DHCP_MAGIC_VENDOR, TAG_ANY))) { /* DHCP-Relay-Max-Hop-Count */
106 maxhops = vp->vp_integer;
108 vp = pairfind(request->packet->vps, 259, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Hop-Count */
109 rad_assert(vp != NULL);
110 if (vp->vp_integer > maxhops) {
111 DEBUG("DHCP: Number of hops is greater than %d: not relaying\n", maxhops);
114 /* Increment hop count */
118 sock = request->listener->data;
121 * Forward the request to the next server using the
122 * incoming request as a template.
124 /* set SRC ipaddr/port to the listener ipaddr/port */
125 request->packet->src_ipaddr.af = AF_INET;
126 request->packet->src_ipaddr.ipaddr.ip4addr.s_addr = sock->lsock.my_ipaddr.ipaddr.ip4addr.s_addr;
127 request->packet->src_port = sock->lsock.my_port;
129 vp = pairfind(request->config_items, 270, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Relay-To-IP-Address */
130 rad_assert(vp != NULL);
132 /* set DEST ipaddr/port to the next server ipaddr/port */
133 request->packet->dst_ipaddr.af = AF_INET;
134 request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
136 if (fr_dhcp_encode(request->packet) < 0) {
137 DEBUG("dhcprelay_process_client_request: ERROR in fr_dhcp_encode\n");
141 return fr_dhcp_send(request->packet);
146 * We've seen a reply from a server.
147 * i.e. we're a relay.
149 static int dhcprelay_process_server_reply(REQUEST *request)
151 VALUE_PAIR *vp, *giaddr;
154 rad_assert(request->packet->data[0] == 2);
157 * Do the forward by ourselves, do not rely on dhcp_socket_send()
159 request->reply->code = 0;
161 sock = request->listener->data;
164 * Check that packet is for us.
166 giaddr = pairfind(request->packet->vps, 266, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Gateway-IP-Address */
168 /* --with-udpfromto is needed just for the following test */
169 if (!giaddr || giaddr->vp_ipaddr != request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr) {
170 DEBUG("DHCP: Packet received from server was not for us (was for 0x%x). Discarding packet",
171 ntohl(request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr));
175 /* set SRC ipaddr/port to the listener ipaddr/port */
176 request->packet->src_ipaddr.af = AF_INET;
177 request->packet->src_port = sock->lsock.my_port;
179 /* set DEST ipaddr/port to clientip/68 or broadcast in specific cases */
180 request->packet->dst_ipaddr.af = AF_INET;
183 * We're a relay, and send the reply to giaddr.
185 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = giaddr->vp_ipaddr;
186 request->reply->dst_port = request->packet->dst_port; /* server port */
188 if ((request->packet->code == PW_DHCP_NAK) ||
189 !sock->src_interface ||
190 ((vp = pairfind(request->packet->vps, 262, DHCP_MAGIC_VENDOR, TAG_ANY)) /* DHCP-Flags */ &&
191 (vp->vp_integer & 0x8000) &&
192 ((vp = pairfind(request->packet->vps, 263, DHCP_MAGIC_VENDOR, TAG_ANY)) /* DHCP-Client-IP-Address */ &&
193 (vp->vp_ipaddr == htonl(INADDR_ANY))))) {
200 * - Broadcast flag is set up and ciaddr == NULL
202 RDEBUG("DHCP: response will be broadcast");
203 request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_BROADCAST);
209 * - ciaddr if present
210 * otherwise to yiaddr
212 if ((vp = pairfind(request->packet->vps, 263, DHCP_MAGIC_VENDOR, TAG_ANY)) /* DHCP-Client-IP-Address */ &&
213 (vp->vp_ipaddr != htonl(INADDR_ANY))) {
214 request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
216 vp = pairfind(request->packet->vps, 264, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Your-IP-Address */
218 DEBUG("DHCP: Failed to find IP Address for request.");
222 RDEBUG("DHCP: response will be unicast to your-ip-address");
223 request->packet->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
226 * When sending a DHCP_OFFER, make sure our ARP table
227 * contains an entry for the client IP address, or else
228 * packet may not be forwarded if it was the first time
229 * the client was requesting an IP address.
231 if (request->packet->code == PW_DHCP_OFFER) {
232 VALUE_PAIR *hwvp = pairfind(request->packet->vps, 267, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Client-Hardware-Address */
234 DEBUG("DHCP: DHCP_OFFER packet received with "
235 "no Client Hardware Address. Discarding packet");
238 if (fr_dhcp_add_arp_entry(request->packet->sockfd, sock->src_interface, hwvp, vp) < 0) {
239 DEBUG("%s", fr_strerror());
246 if (fr_dhcp_encode(request->packet) < 0) {
247 DEBUG("dhcprelay_process_server_reply: ERROR in fr_dhcp_encode\n");
251 return fr_dhcp_send(request->packet);
253 #else /* WITH_UDPFROMTO */
254 static int dhcprelay_process_server_reply(UNUSED REQUEST *request)
256 WDEBUG("DHCP Relaying requires the server to be configured with UDPFROMTO");
260 static int dhcprelay_process_client_request(UNUSED REQUEST *request)
262 WDEBUG("DHCP Relaying requires the server to be configured with UDPFROMTO");
266 #endif /* WITH_UDPFROMTO */
268 static const uint32_t attrnums[] = {
269 57, /* DHCP-DHCP-Maximum-Msg-Size */
270 256, /* DHCP-Opcode */
271 257, /* DHCP-Hardware-Type */
272 258, /* DHCP-Hardware-Address-Length */
273 259, /* DHCP-Hop-Count */
274 260, /* DHCP-Transaction-Id */
275 262, /* DHCP-Flags */
276 263, /* DHCP-Client-IP-Address */
277 266, /* DHCP-Gateway-IP-Address */
278 267 /* DHCP-Client-Hardware-Address */
281 static int dhcp_process(REQUEST *request)
289 * If there's a giaddr, save it as the Relay-IP-Address
290 * in the response. That way the later code knows where
293 vp = pairfind(request->packet->vps, 266, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Gateway-IP-Address */
294 if (vp && (vp->vp_ipaddr != htonl(INADDR_ANY))) {
297 /* DHCP-Relay-IP-Address */
298 relay = radius_paircreate(request, &request->reply->vps,
299 272, DHCP_MAGIC_VENDOR);
300 if (relay) relay->vp_ipaddr = vp->vp_ipaddr;
303 vp = pairfind(request->packet->vps, 53, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Message-Type */
305 DICT_VALUE *dv = dict_valbyattr(53, DHCP_MAGIC_VENDOR, vp->vp_integer);
306 DEBUG("Trying sub-section dhcp %s {...}",
307 dv->name ? dv->name : "<unknown>");
308 rcode = process_post_auth(vp->vp_integer, request);
310 DEBUG("DHCP: Failed to find DHCP-Message-Type in packet!");
311 rcode = RLM_MODULE_FAIL;
314 vp = pairfind(request->reply->vps, 53, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Message-Type */
316 request->reply->code = vp->vp_integer;
317 if ((request->reply->code != 0) &&
318 (request->reply->code < PW_DHCP_OFFSET)) {
319 request->reply->code += PW_DHCP_OFFSET;
322 else switch (rcode) {
324 case RLM_MODULE_UPDATED:
325 if (request->packet->code == PW_DHCP_DISCOVER) {
326 request->reply->code = PW_DHCP_OFFER;
329 } else if (request->packet->code == PW_DHCP_REQUEST) {
330 request->reply->code = PW_DHCP_ACK;
333 request->reply->code = PW_DHCP_NAK;
337 case RLM_MODULE_REJECT:
338 case RLM_MODULE_FAIL:
339 case RLM_MODULE_INVALID:
340 case RLM_MODULE_NOOP:
341 case RLM_MODULE_NOTFOUND:
342 if (request->packet->code == PW_DHCP_DISCOVER) {
343 request->reply->code = 0; /* ignore the packet */
345 request->reply->code = PW_DHCP_NAK;
349 case RLM_MODULE_HANDLED:
350 request->reply->code = 0; /* ignore the packet */
355 * TODO: Handle 'output' of RLM_MODULE when acting as a
356 * DHCP relay We may want to not forward packets in
357 * certain circumstances.
361 * Handle requests when acting as a DHCP relay
363 vp = pairfind(request->packet->vps, 256, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Opcode */
365 RDEBUG("FAILURE: Someone deleted the DHCP-Opcode!");
369 /* BOOTREPLY received on port 67 (i.e. from a server) */
370 if (vp->vp_integer == 2) {
371 return dhcprelay_process_server_reply(request);
374 /* Packet from client, and we have DHCP-Relay-To-IP-Address */
375 if (pairfind(request->config_items, 270, DHCP_MAGIC_VENDOR, TAG_ANY)) {
376 return dhcprelay_process_client_request(request);
379 /* else it's a packet from a client, without relaying */
380 rad_assert(vp->vp_integer == 1); /* BOOTREQUEST */
382 sock = request->listener->data;
385 * Handle requests when acting as a DHCP server
389 * Releases don't get replies.
391 if (request->packet->code == PW_DHCP_RELEASE) {
392 request->reply->code = 0;
395 if (request->reply->code == 0) {
399 request->reply->sockfd = request->packet->sockfd;
402 * Copy specific fields from packet to reply, if they
403 * don't already exist
405 for (i = 0; i < sizeof(attrnums) / sizeof(attrnums[0]); i++) {
406 uint32_t attr = attrnums[i];
408 if (pairfind(request->reply->vps, attr, DHCP_MAGIC_VENDOR, TAG_ANY)) continue;
410 vp = pairfind(request->packet->vps, attr, DHCP_MAGIC_VENDOR, TAG_ANY);
412 pairadd(&request->reply->vps, paircopyvp(request->reply, vp));
416 vp = pairfind(request->reply->vps, 256, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Opcode */
417 rad_assert(vp != NULL);
418 vp->vp_integer = 2; /* BOOTREPLY */
421 * Prepare the reply packet for sending through dhcp_socket_send()
423 request->reply->dst_ipaddr.af = AF_INET;
424 request->reply->src_ipaddr.af = AF_INET;
425 request->reply->src_ipaddr.ipaddr.ip4addr.s_addr = sock->src_ipaddr.ipaddr.ip4addr.s_addr;
427 request->reply->dst_port = request->packet->src_port;
428 request->reply->src_port = request->packet->dst_port;
431 * Answer to client's nearest DHCP relay.
433 * Which may be different than the giaddr given in the
434 * packet to the client. i.e. the relay may have a
435 * public IP, but the gateway a private one.
437 vp = pairfind(request->reply->vps, 272, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Relay-IP-Address */
439 RDEBUG("DHCP: Reply will be unicast to giaddr from original packet");
440 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
445 * Answer to client's nearest DHCP gateway. In this
446 * case, the client can reach the gateway, as can the
449 * We also use *our* source port as the destination port.
450 * Gateways are servers, and listen on the server port,
451 * not the client port.
453 vp = pairfind(request->reply->vps, 266, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Gateway-IP-Address */
454 if (vp && (vp->vp_ipaddr != htonl(INADDR_ANY))) {
455 RDEBUG("DHCP: Reply will be unicast to giaddr");
456 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
457 request->reply->dst_port = request->packet->dst_port;
462 * If it's a NAK, or the broadcast flag was set, ond
463 * there's no client-ip-address, send a broadcast.
465 if ((request->reply->code == PW_DHCP_NAK) ||
466 ((vp = pairfind(request->reply->vps, 262, DHCP_MAGIC_VENDOR, TAG_ANY)) && /* DHCP-Flags */
467 (vp->vp_integer & 0x8000) &&
468 ((vp = pairfind(request->reply->vps, 263, DHCP_MAGIC_VENDOR, TAG_ANY)) && /* DHCP-Client-IP-Address */
469 (vp->vp_ipaddr == htonl(INADDR_ANY))))) {
476 * - Broadcast flag is set up and ciaddr == NULL
478 RDEBUG("DHCP: Reply will be broadcast");
479 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_BROADCAST);
486 * Unicast to ciaddr if present, otherwise to yiaddr.
488 if ((vp = pairfind(request->reply->vps, 263, DHCP_MAGIC_VENDOR, TAG_ANY)) && /* DHCP-Client-IP-Address */
489 (vp->vp_ipaddr != htonl(INADDR_ANY))) {
490 RDEBUG("DHCP: Reply will be sent unicast to client-ip-address");
491 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
495 vp = pairfind(request->reply->vps, 264, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Your-IP-Address */
497 DEBUG("DHCP: Failed to find DHCP-Client-IP-Address or DHCP-Your-IP-Address");
498 DEBUG(" for request; not responding.");
500 * There is nowhere to send the response to, so don't bother.
502 request->reply->code = 0;
508 * The system is configured to listen for broadcast
509 * packets, which means we'll need to send unicast
510 * replies, to IPs which haven't yet been assigned.
511 * Therefore, we need to update the ARP table.
513 * However, they haven't specified a interface. So we
514 * can't update the ARP table. And we must send a
515 * broadcast response.
517 if (sock->lsock.broadcast && !sock->src_interface) {
518 WARN("You MUST set \"interface\" if you have \"broadcast = yes\"");
519 RDEBUG("DHCP: Reply will be broadcast as no interface was defined");
520 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_BROADCAST);
524 RDEBUG("DHCP: Reply will be unicast to your-ip-address");
525 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
528 * When sending a DHCP_OFFER, make sure our ARP table
529 * contains an entry for the client IP address.
530 * Otherwise the packet may not be sent to the client, as
531 * the OS has no ARP entry for it.
533 * This is a cute hack to avoid us having to create a raw
534 * socket to send DHCP packets.
536 if (request->reply->code == PW_DHCP_OFFER) {
537 VALUE_PAIR *hwvp = pairfind(request->reply->vps, 267, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Client-Hardware-Address */
539 if (!hwvp) return -1;
541 if (fr_dhcp_add_arp_entry(request->reply->sockfd, sock->src_interface, hwvp, vp) < 0) {
542 RDEBUG("Failed adding arp entry: %s", fr_strerror());
547 RDEBUG("DHCP: Reply will be broadcast as this system does not support ARP updates");
548 request->reply->dst_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_BROADCAST);
554 static int dhcp_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
556 int rcode, broadcast = 1;
562 rcode = common_socket_parse(cs, this);
563 if (rcode != 0) return rcode;
565 if (check_config) return 0;
569 if (!sock->lsock.interface) {
570 WDEBUG("No \"interface\" setting is defined. Only unicast DHCP will work.");
574 * See whether or not we enable broadcast packets.
576 cp = cf_pair_find(cs, "broadcast");
578 char const *value = cf_pair_value(cp);
579 if (value && (strcmp(value, "no") == 0)) {
585 if (setsockopt(this->fd, SOL_SOCKET, SO_BROADCAST, &on, sizeof(on)) < 0) {
586 ERROR("Can't set broadcast option: %s\n",
592 if (setsockopt(this->fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0) {
593 ERROR("Can't set re-use addres option: %s\n",
599 * Undocumented extension for testing without
600 * destroying your network!
602 sock->suppress_responses = false;
603 cp = cf_pair_find(cs, "suppress_responses");
605 cf_item_parse(cs, "suppress_responses", PW_TYPE_BOOLEAN,
606 &sock->suppress_responses, NULL);
609 cp = cf_pair_find(cs, "src_interface");
611 cf_item_parse(cs, "src_interface", PW_TYPE_STRING_PTR,
612 &sock->src_interface, NULL);
614 sock->src_interface = sock->lsock.interface;
617 if (!sock->src_interface && sock->lsock.interface) {
618 sock->src_interface = talloc_strdup(sock, sock->lsock.interface);
621 cp = cf_pair_find(cs, "src_ipaddr");
623 memset(&sock->src_ipaddr, 0, sizeof(sock->src_ipaddr));
624 sock->src_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
625 rcode = cf_item_parse(cs, "src_ipaddr", PW_TYPE_IPADDR,
626 &sock->src_ipaddr.ipaddr.ip4addr, NULL);
627 if (rcode < 0) return -1;
629 sock->src_ipaddr.af = AF_INET;
631 memcpy(&sock->src_ipaddr, &sock->lsock.my_ipaddr, sizeof(sock->src_ipaddr));
635 * Initialize the fake client.
637 client = &sock->dhcp_client;
638 memset(client, 0, sizeof(*client));
639 client->ipaddr.af = AF_INET;
640 client->ipaddr.ipaddr.ip4addr.s_addr = INADDR_NONE;
642 client->longname = client->shortname = "dhcp";
643 client->secret = client->shortname;
644 client->nas_type = talloc_strdup(sock, "none");
651 * Check if an incoming request is "ok"
653 * It takes packets, not requests. It sees if the packet looks
654 * OK. If so, it does a number of sanity checks on it.
656 static int dhcp_socket_recv(rad_listen_t *listener)
658 RADIUS_PACKET *packet;
661 packet = fr_dhcp_recv(listener->fd);
663 ERROR("%s", fr_strerror());
667 sock = listener->data;
668 if (!request_receive(listener, packet, &sock->dhcp_client, dhcp_process)) {
678 * Send an authentication response packet
680 static int dhcp_socket_send(rad_listen_t *listener, REQUEST *request)
684 rad_assert(request->listener == listener);
685 rad_assert(listener->send == dhcp_socket_send);
687 if (request->reply->code == 0) return 0; /* don't reply */
689 if (fr_dhcp_encode(request->reply) < 0) {
690 DEBUG("dhcp_socket_send: ERROR\n");
694 sock = listener->data;
695 if (sock->suppress_responses) return 0;
697 return fr_dhcp_send(request->reply);
701 static int dhcp_socket_encode(UNUSED rad_listen_t *listener, UNUSED REQUEST *request)
703 DEBUG2("NO ENCODE!");
708 static int dhcp_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
710 return fr_dhcp_decode(request->packet);
713 fr_protocol_t proto_dhcp = {
716 sizeof(dhcp_socket_t),
718 dhcp_socket_parse, NULL,
719 dhcp_socket_recv, dhcp_socket_send,
720 common_socket_print, dhcp_socket_encode, dhcp_socket_decode
projects / freeradius.git / blob