/*
* Add the request to the list of outstanding requests.
- * Note that request->proxy->id is a 16 bits value,
- * while rad_send sends only the 8 least significant
- * bits of that same value.
+ * Note that request->proxy->id is a 16 bits value, while
+ * the RADIUS id has only the 8 least significant bits of
+ * that same value.
*/
request->proxy->id = (proxy_id++) & 0xff;
proxy_id &= 0xffff;
(rcode == RLM_MODULE_NOOP) ||
(rcode == RLM_MODULE_UPDATED)) {
request->options |= RAD_REQUEST_OPTION_PROXIED;
- rad_send(request->proxy, NULL, (char *)request->proxysecret);
+
+ /*
+ * IF it's a fake request, don't send the proxy
+ * packet. The outer tunnel session will take
+ * care of doing that.
+ */
+ if ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0) {
+ rad_send(request->proxy, NULL,
+ (char *)request->proxysecret);
+ }
rcode = RLM_MODULE_HANDLED; /* caller doesn't reply */
} else {
rcode = RLM_MODULE_FAIL; /* caller doesn't reply */
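Review bot: For a fake request this branch still sets `RAD_REQUEST_OPTION_PROXIED` and returns `RLM_MODULE_HANDLED` even though nothing is sent here. If the earlier hunk belongs to the same function, a `proxy_id` has also been consumed by then. Correctness then rests entirely on the outer tunnel session sending the packet, which the new comment asserts but does not locate. I would extend the comment to name the code that performs that send and to say what happens to the outstanding entry if it never does, e.g. `/* Fake request: <outer-tunnel function> sends request->proxy; this entry is bookkeeping only. */`. The enclosing function starts and ends outside the hunk.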
rad_listen_t *listener)
{
REQUEST *curreq;
- RAD_REQUEST_FUNP fun;
+ RAD_REQUEST_FUNP fun = NULL;
/*
* Some sanity checks, based on the packet code.
}
/*
+ * "fake" requests MUST NEVER be in the request list.
+ *
+ * They're used internally in the server. Any reply
+ * is a reply to the local server, and any proxied packet
+ * gets sent outside of the tunnel.
+ */
+ rad_assert((curreq->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0);
+
+ /*
* The current request isn't finished, which
* means that the NAS sent us a new packet, while
* we are still processing the old request.
*/
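Review bot: `rad_assert()` is the only thing enforcing that a fake request never sits in the request list, and its effect depends on how assertions are built. If they compile out, the invariant is unchecked in production; if they are active, a violation aborts the whole server while it is handling a packet. I would back it with an explicit runtime check that logs and refuses to process the entry, e.g. `if ((curreq->options & RAD_REQUEST_OPTION_FAKE_REQUEST) != 0) { /* log and drop the new packet */ }`, and keep the assert for debug builds. The enclosing block starts outside the hunk, so I am assuming `curreq` is already known to be non-NULL at this point.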
if ((request->reply->code != PW_AUTHENTICATION_REJECT) ||
(mainconfig.reject_delay == 0)) {
- rad_send(request->reply, request->packet,
- request->secret);
+ /*
+ * Send the response. IF it's a real request.
+ */
+ if ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0) {
+ rad_send(request->reply, request->packet,
+ request->secret);
+ }
+ /*
+ * Otherwise, it's a tunneled request.
+ * Don't do anything.
+ */
} else {
DEBUG2("Delaying request %d for %d seconds",
request->number, mainconfig.reject_delay);
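Review bot: The fake-request guard covers only the immediate-send branch. A fake request whose reply is `PW_AUTHENTICATION_REJECT` with a non-zero `mainconfig.reject_delay` still falls into the `else` branch and is logged as delayed. The code that later sends delayed rejects is not visible here, so unless it also tests `RAD_REQUEST_OPTION_FAKE_REQUEST`, a tunneled reject may still reach `rad_send()`. I would test the flag once, ahead of the `if`/`else`, so that both branches are skipped for fake requests; that also removes the "Otherwise" comment that currently dangles after the inner block. The same flag expression is repeated in the other hunks of this patch and would read better as one small macro.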
sig = sig; /* -Wunused */
reset_signal(SIGHUP, sig_hup);
+ exit(0);
+
/*
* Only do the reload if we're the main server, both
* for processes, and for threads.
/*
* If the request is currently being processed, then that
- * MAY be OK, if it's a proxy reply. In that case, the
- * rad_send() of the packet may result in a reply being
+ * MAY be OK, if it's a proxy reply. In that case,
+ * sending the packet may result in a reply being
* received before that thread clears the child_pid.
*
* In that case, we busy-wait for the request to be free.
}
/*
- * If a reply exists, send it.
+ * If a reply exists, send it.
+ *
+ * But DON'T send a RADIUS packet for a fake request.
*/
- if (request->reply->code != 0) {
+ if ((request->reply->code != 0) &&
+ ((request->options & RAD_REQUEST_OPTION_FAKE_REQUEST) == 0)) {
/*
* If we're not delaying authentication rejects,
* then send the response immediately. Otherwise,
*/
if (mainconfig.reject_delay == 0) {
rad_send(request->reply, request->packet,
- request->secret);
+ request->secret);
} else {
request->options |= RAD_REQUEST_OPTION_DELAYED_REJECT;
}