2 * event.c Server event handling
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
29 #include <freeradius-devel/event.h>
30 #include <freeradius-devel/detail.h>
32 #include <freeradius-devel/rad_assert.h>
37 #ifdef HAVE_SYS_WAIT_H
38 # include <sys/wait.h>
41 #define USEC (1000000)
43 extern pid_t radius_pid;
45 extern int check_config;
46 extern void force_log_reopen(void);
47 extern char *debug_condition;
50 * Ridiculous amounts of local state.
52 static fr_event_list_t *el = NULL;
53 static fr_packet_list_t *pl = NULL;
54 static int request_num_counter = 0;
55 static struct timeval now;
57 static int have_children;
58 static int just_started = TRUE;
61 static int self_pipe[2];
66 static pthread_mutex_t proxy_mutex;
67 static rad_listen_t *proxy_listener_list = NULL;
68 static int proxy_no_new_sockets = FALSE;
71 #define PTHREAD_MUTEX_LOCK if (have_children) pthread_mutex_lock
72 #define PTHREAD_MUTEX_UNLOCK if (have_children) pthread_mutex_unlock
74 static pthread_t NO_SUCH_CHILD_PID;
77 * This is easier than ifdef's throughout the code.
79 #define PTHREAD_MUTEX_LOCK(_x)
80 #define PTHREAD_MUTEX_UNLOCK(_x)
81 int thread_pool_addrequest(REQUEST *request, RAD_REQUEST_FUNP fun)
83 request->process = fun;
84 radius_handle_request(request, fun);
90 * We need mutexes around the event FD list *only* in certain
93 #if defined (HAVE_PTHREAD_H) && (defined(WITH_PROXY) || defined(WITH_TCP))
94 static pthread_mutex_t fd_mutex;
95 #define FD_MUTEX_LOCK if (have_children) pthread_mutex_lock
96 #define FD_MUTEX_UNLOCK if (have_children) pthread_mutex_unlock
99 * This is easier than ifdef's throughout the code.
101 #define FD_MUTEX_LOCK(_x)
102 #define FD_MUTEX_UNLOCK(_x)
106 #define INSERT_EVENT(_function, _ctx) if (!fr_event_insert(el, _function, _ctx, &((_ctx)->when), &((_ctx)->ev))) { _rad_panic(__FILE__, __LINE__, "Failed to insert event"); }
109 static fr_packet_list_t *proxy_list = NULL;
110 static void remove_from_proxy_hash(REQUEST *request);
112 static void check_for_zombie_home_server(REQUEST *request);
114 #define remove_from_proxy_hash(foo)
117 static void request_post_handler(REQUEST *request);
118 static void wait_a_bit(void *ctx);
119 static void event_socket_handler(fr_event_list_t *xel, UNUSED int fd, void *ctx);
121 static void event_poll_detail(void *ctx);
124 static void NEVER_RETURNS _rad_panic(const char *file, unsigned int line,
127 radlog(L_ERR, "[%s:%d] %s", file, line, msg);
131 #define rad_panic(x) _rad_panic(__FILE__, __LINE__, x)
134 static void tv_add(struct timeval *tv, int usec_delay)
136 if (usec_delay > USEC) {
137 tv->tv_sec += usec_delay / USEC;
140 tv->tv_usec += usec_delay;
142 if (tv->tv_usec > USEC) {
143 tv->tv_sec += tv->tv_usec / USEC;
148 static void remove_from_request_hash(REQUEST *request)
150 if (!request->in_request_hash) return;
152 fr_packet_list_yank(pl, request->packet);
153 request->in_request_hash = FALSE;
155 request_stats_final(request);
158 request->listener->count--;
163 static REQUEST *lookup_in_proxy_hash(RADIUS_PACKET *reply)
166 RADIUS_PACKET **proxy_p;
169 PTHREAD_MUTEX_LOCK(&proxy_mutex);
170 proxy_p = fr_packet_list_find_byreply(proxy_list, reply);
173 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
177 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
178 request->num_proxied_responses++; /* needs to be protected by lock */
180 done = (request->num_proxied_requests == request->num_proxied_responses);
181 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
185 * Catch the most common case of everything working
188 if (done) remove_from_proxy_hash(request);
194 static void remove_from_proxy_hash(REQUEST *request)
197 * Check this without grabbing the mutex because it's a
198 * lot faster that way.
200 if (!request->in_proxy_hash) return;
203 * The "not in hash" flag is definitive. However, if the
204 * flag says that it IS in the hash, there might still be
205 * a race condition where it isn't.
207 PTHREAD_MUTEX_LOCK(&proxy_mutex);
209 if (!request->in_proxy_hash) {
210 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
214 fr_packet_list_yank(proxy_list, request->proxy);
215 fr_packet_list_id_free(proxy_list, request->proxy);
218 * On the FIRST reply, decrement the count of outstanding
219 * requests. Note that this is NOT the count of sent
220 * packets, but whether or not the home server has
223 if (!request->proxy_reply &&
224 request->home_server &&
225 request->home_server->currently_outstanding) {
226 request->home_server->currently_outstanding--;
230 request->proxy_listener->count--;
231 request->proxy_listener = NULL;
235 * Got from YES in hash, to NO, not in hash while we hold
236 * the mutex. This guarantees that when another thread
237 * grabs the mutex, the "not in hash" flag is correct.
239 request->in_proxy_hash = FALSE;
241 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
243 #endif /* WITH_PROXY */
245 static void ev_request_free(REQUEST **prequest)
249 if (!prequest || !*prequest) return;
256 * Divorce the child from the parent first,
257 * then clean up the child.
259 request->coa->parent = NULL;
260 ev_request_free(&request->coa);
264 * Divorce the parent from the child, and leave the
265 * parent still alive.
267 if (request->parent && (request->parent->coa == request)) {
268 request->parent->coa = NULL;
272 if (request->ev) fr_event_delete(el, &request->ev);
274 if (request->in_proxy_hash) remove_from_proxy_hash(request);
276 if (request->in_request_hash) remove_from_request_hash(request);
278 request_free(prequest);
282 static int remove_all_requests(void *ctx, void *data)
284 rad_listen_t *this = ctx;
285 RADIUS_PACKET **packet_p = data;
288 request = fr_packet2myptr(REQUEST, packet, packet_p);
289 if (request->packet->sockfd != this->fd) return 0;
291 switch (request->child_state) {
292 case REQUEST_RUNNING:
293 rad_assert(request->ev != NULL); /* or it's lost forever */
295 request->master_state = REQUEST_STOP_PROCESSING;
299 * Waiting for a reply. There's no point in
300 * doing anything else. We remove it from the
301 * request hash so that we can close the upstream
304 case REQUEST_PROXIED:
305 remove_from_request_hash(request);
306 request->child_state = REQUEST_DONE;
309 case REQUEST_REJECT_DELAY:
310 case REQUEST_CLEANUP_DELAY:
312 ev_request_free(&request);
320 static int remove_all_proxied_requests(void *ctx, void *data)
322 rad_listen_t *this = ctx;
323 RADIUS_PACKET **proxy_p = data;
326 request = fr_packet2myptr(REQUEST, proxy, proxy_p);
327 if (request->proxy->sockfd != this->fd) return 0;
329 switch (request->child_state) {
330 case REQUEST_RUNNING:
331 rad_assert(request->ev != NULL); /* or it's lost forever */
333 request->master_state = REQUEST_STOP_PROCESSING;
337 * Eventually we will discover that there is no
338 * response to the proxied request.
340 case REQUEST_PROXIED:
344 * Keep it in the cache for duplicate detection.
346 case REQUEST_REJECT_DELAY:
347 case REQUEST_CLEANUP_DELAY:
352 remove_from_proxy_hash(request);
355 #endif /* WITH_PROXY */
356 #endif /* WITH_TCP */
360 static int insert_into_proxy_hash(REQUEST *request)
364 void *proxy_listener;
366 rad_assert(request->proxy != NULL);
367 rad_assert(proxy_list != NULL);
371 PTHREAD_MUTEX_LOCK(&proxy_mutex);
372 rcode = fr_packet_list_id_alloc(proxy_list,
373 request->home_server->proto,
374 request->proxy, &proxy_listener);
375 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
378 if (proxy_no_new_sockets) return 0;
381 * Also locks the proxy mutex, so we have to call
382 * it with the mutex unlocked. Some systems
383 * don't support recursive mutexes.
385 if (!proxy_new_listener(request->home_server, 0)) {
386 radlog(L_ERR, "Failed to create a new socket for proxying requests.");
389 request->proxy->src_port = 0; /* Use any new socket */
393 RDEBUG2("ERROR: Failed allocating Id for new socket when proxying requests.");
400 request->proxy_listener = proxy_listener;
402 PTHREAD_MUTEX_LOCK(&proxy_mutex);
403 if (!fr_packet_list_insert(proxy_list, &request->proxy)) {
404 fr_packet_list_id_free(proxy_list, request->proxy);
405 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
406 radlog(L_PROXY, "Failed to insert entry into proxy list");
410 request->in_proxy_hash = TRUE;
413 * Keep track of maximum outstanding requests to a
414 * particular home server. 'max_outstanding' is
415 * enforced in home_server_ldb(), in realms.c.
417 if (request->home_server) {
418 request->home_server->currently_outstanding++;
422 request->proxy_listener->count++;
425 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
427 RDEBUG3(" proxy: allocating destination %s port %d - Id %d",
428 inet_ntop(request->proxy->dst_ipaddr.af,
429 &request->proxy->dst_ipaddr.ipaddr, buf, sizeof(buf)),
430 request->proxy->dst_port,
438 * Called as BOTH an event, and in-line from other functions.
440 static void wait_for_proxy_id_to_expire(void *ctx)
442 REQUEST *request = ctx;
444 rad_assert(request->magic == REQUEST_MAGIC);
445 rad_assert(request->proxy != NULL);
447 fr_event_now(el, &now);
448 request->when = request->proxy_when;
451 if (((request->proxy->code == PW_COA_REQUEST) ||
452 (request->proxy->code == PW_DISCONNECT_REQUEST)) &&
453 (request->packet->code != request->proxy->code)) {
454 request->when.tv_sec += request->home_server->coa_mrd;
457 request->when.tv_sec += request->home_server->response_window;
459 if ((request->num_proxied_requests == request->num_proxied_responses) ||
461 (request->home_server->proto == IPPROTO_TCP) ||
463 timercmp(&now, &request->when, >)) {
464 if (request->packet) {
465 RDEBUG2("Cleaning up request %d ID %d with timestamp +%d",
466 request->number, request->packet->id,
467 (unsigned int) (request->timestamp - fr_start_time));
469 RDEBUG2("Cleaning up request %d with timestamp +%d",
471 (unsigned int) (request->timestamp - fr_start_time));
474 ev_request_free(&request);
478 INSERT_EVENT(wait_for_proxy_id_to_expire, request);
482 #ifdef HAVE_PTHREAD_H
483 static void wait_for_child_to_die(void *ctx)
485 REQUEST *request = ctx;
487 rad_assert(request->magic == REQUEST_MAGIC);
490 * If it's still queued (waiting for a thread to pick it
491 * up) OR, it's running AND there's still a child thread
492 * handling it, THEN delay some more.
494 if ((request->child_state == REQUEST_QUEUED) ||
495 ((request->child_state == REQUEST_RUNNING) &&
496 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0))) {
499 * Cap delay at five minutes.
501 if (request->delay < (USEC * 60 * 5)) {
502 request->delay += (request->delay >> 1);
503 radlog(L_INFO, "WARNING: Child is hung for request %d.",
506 RDEBUG2("Child is still stuck for request %d",
509 tv_add(&request->when, request->delay);
511 INSERT_EVENT(wait_for_child_to_die, request);
515 RDEBUG2("Child is responsive for request %d", request->number);
516 remove_from_request_hash(request);
519 if (request->proxy) {
520 wait_for_proxy_id_to_expire(request);
525 ev_request_free(&request);
529 static void cleanup_delay(void *ctx)
531 REQUEST *request = ctx;
533 rad_assert(request->magic == REQUEST_MAGIC);
534 rad_assert((request->child_state == REQUEST_CLEANUP_DELAY) ||
535 (request->child_state == REQUEST_DONE));
537 remove_from_request_hash(request);
540 if (request->proxy && request->in_proxy_hash) {
541 wait_for_proxy_id_to_expire(request);
546 RDEBUG2("Cleaning up request %d ID %d with timestamp +%d",
547 request->number, request->packet->id,
548 (unsigned int) (request->timestamp - fr_start_time));
550 ev_request_free(&request);
555 * In daemon mode, AND this request has debug flags set.
557 #define DEBUG_PACKET if (!debug_flag && request->options && request->radlog) debug_packet
559 static void debug_packet(REQUEST *request, RADIUS_PACKET *packet, int direction)
563 const char *received, *from;
564 const fr_ipaddr_t *ip;
567 if (!packet || (packet->code == 0)) return;
569 rad_assert(request->radlog != NULL);
571 if (direction == 0) {
572 received = "Received";
573 from = "from"; /* what else? */
574 ip = &packet->src_ipaddr;
575 port = packet->src_port;
578 received = "Sending";
579 from = "to"; /* hah! */
580 ip = &packet->dst_ipaddr;
581 port = packet->dst_port;
585 * Client-specific debugging re-prints the input
586 * packet into the client log.
588 * This really belongs in a utility library
590 if ((packet->code > 0) && (packet->code < FR_MAX_PACKET_CODE)) {
591 RDEBUG("%s %s packet %s host %s port %d, id=%d, length=%d",
592 received, fr_packet_codes[packet->code], from,
593 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
594 port, packet->id, packet->data_len);
596 RDEBUG("%s packet %s host %s port %d code=%d, id=%d, length=%d",
598 inet_ntop(ip->af, &ip->ipaddr, buffer, sizeof(buffer)),
600 packet->code, packet->id, packet->data_len);
603 for (vp = packet->vps; vp != NULL; vp = vp->next) {
604 vp_prints(buffer, sizeof(buffer), vp);
605 request->radlog(L_DBG, 0, request, "\t%s", buffer);
609 static void reject_delay(void *ctx)
611 REQUEST *request = ctx;
613 rad_assert(request->magic == REQUEST_MAGIC);
614 rad_assert(request->child_state == REQUEST_REJECT_DELAY);
616 RDEBUG2("Sending delayed reject for request %d", request->number);
618 DEBUG_PACKET(request, request->reply, 1);
620 request->listener->send(request->listener, request);
622 request->when.tv_sec += request->root->cleanup_delay;
623 request->child_state = REQUEST_CLEANUP_DELAY;
625 INSERT_EVENT(cleanup_delay, request);
630 void revive_home_server(void *ctx)
632 home_server *home = ctx;
636 rad_assert(home->proto != IPPROTO_TCP);
639 home->state = HOME_STATE_ALIVE;
640 home->currently_outstanding = 0;
641 home->revive_time = now;
644 * Delete any outstanding events.
646 if (home->ev) fr_event_delete(el, &home->ev);
648 radlog(L_PROXY, "Marking home server %s port %d alive again... we have no idea if it really is alive or not.",
649 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
650 buffer, sizeof(buffer)),
656 static void no_response_to_ping(void *ctx)
658 REQUEST *request = ctx;
662 rad_assert(request->home_server != NULL);
664 home = request->home_server;
666 rad_assert(home->proto != IPPROTO_TCP);
669 home->num_received_pings = 0;
671 radlog(L_ERR, "No response to status check %d for home server %s port %d",
673 inet_ntop(request->proxy->dst_ipaddr.af,
674 &request->proxy->dst_ipaddr.ipaddr,
675 buffer, sizeof(buffer)),
676 request->proxy->dst_port);
678 check_for_zombie_home_server(request);
680 wait_for_proxy_id_to_expire(request);
684 static void received_response_to_ping(REQUEST *request)
689 rad_assert(request->home_server != NULL);
691 home = request->home_server;
693 rad_assert(home->proto != IPPROTO_TCP);
696 home->num_received_pings++;
698 radlog(L_PROXY, "Received response to status check %d (%d in current sequence)",
699 request->number, home->num_received_pings);
702 * Remove the request from any hashes
704 fr_event_delete(el, &request->ev);
705 remove_from_proxy_hash(request);
706 rad_assert(request->in_request_hash == FALSE);
709 * The control socket may have marked the home server as
710 * alive. OR, it may have suddenly started responding to
711 * requests again. If so, don't re-do the "make alive"
714 if (home->state == HOME_STATE_ALIVE) return;
717 * We haven't received enough ping responses to mark it
718 * "alive". Wait a bit.
720 if (home->num_received_pings < home->num_pings_to_alive) {
724 home->state = HOME_STATE_ALIVE;
725 home->currently_outstanding = 0;
726 home->revive_time = now;
728 if (!fr_event_delete(el, &home->ev)) {
729 RDEBUG2("Hmm... no event for home server. Oh well.");
732 radlog(L_PROXY, "Marking home server %s port %d alive",
733 inet_ntop(request->proxy->dst_ipaddr.af,
734 &request->proxy->dst_ipaddr.ipaddr,
735 buffer, sizeof(buffer)),
736 request->proxy->dst_port);
741 * Called from start of zombie period, OR after control socket
742 * marks the home server dead.
744 static void ping_home_server(void *ctx)
747 home_server *home = ctx;
752 rad_assert(home->proto != IPPROTO_TCP);
755 if ((home->state == HOME_STATE_ALIVE) ||
756 (home->ping_check == HOME_PING_CHECK_NONE) ||
757 (home->ev != NULL)) {
761 request = request_alloc();
762 request->number = request_num_counter++;
764 request->proxy = rad_alloc(1);
765 rad_assert(request->proxy != NULL);
767 fr_event_now(el, &request->when);
768 home->when = request->when;
770 if (home->ping_check == HOME_PING_CHECK_STATUS_SERVER) {
771 request->proxy->code = PW_STATUS_SERVER;
773 radius_pairmake(request, &request->proxy->vps,
774 "Message-Authenticator", "0x00", T_OP_SET);
776 } else if (home->type == HOME_TYPE_AUTH) {
777 request->proxy->code = PW_AUTHENTICATION_REQUEST;
779 radius_pairmake(request, &request->proxy->vps,
780 "User-Name", home->ping_user_name, T_OP_SET);
781 radius_pairmake(request, &request->proxy->vps,
782 "User-Password", home->ping_user_password, T_OP_SET);
783 radius_pairmake(request, &request->proxy->vps,
784 "Service-Type", "Authenticate-Only", T_OP_SET);
785 radius_pairmake(request, &request->proxy->vps,
786 "Message-Authenticator", "0x00", T_OP_SET);
789 #ifdef WITH_ACCOUNTING
790 request->proxy->code = PW_ACCOUNTING_REQUEST;
792 radius_pairmake(request, &request->proxy->vps,
793 "User-Name", home->ping_user_name, T_OP_SET);
794 radius_pairmake(request, &request->proxy->vps,
795 "Acct-Status-Type", "Stop", T_OP_SET);
796 radius_pairmake(request, &request->proxy->vps,
797 "Acct-Session-Id", "00000000", T_OP_SET);
798 vp = radius_pairmake(request, &request->proxy->vps,
799 "Event-Timestamp", "0", T_OP_SET);
800 vp->vp_date = now.tv_sec;
802 rad_assert("Internal sanity check failed");
806 radius_pairmake(request, &request->proxy->vps,
807 "NAS-Identifier", "Status Check. Are you alive?",
810 request->proxy->dst_ipaddr = home->ipaddr;
811 request->proxy->dst_port = home->port;
812 request->home_server = home;
814 rad_assert(request->proxy_listener == NULL);
816 if (!insert_into_proxy_hash(request)) {
817 radlog(L_PROXY, "Failed inserting status check %d into proxy hash. Discarding it.",
819 ev_request_free(&request);
822 rad_assert(request->proxy_listener != NULL);
823 request->proxy_listener->send(request->proxy_listener,
826 request->next_callback = NULL;
827 request->child_state = REQUEST_PROXIED;
828 request->when.tv_sec += home->ping_timeout;;
830 INSERT_EVENT(no_response_to_ping, request);
833 * Add +/- 2s of jitter, as suggested in RFC 3539
834 * and in the Issues and Fixes draft.
836 home->when.tv_sec += home->ping_interval - 2;
839 jitter ^= (jitter >> 10);
840 jitter &= ((1 << 23) - 1); /* 22 bits of 1 */
842 tv_add(&home->when, jitter);
844 INSERT_EVENT(ping_home_server, home);
848 void mark_home_server_dead(home_server *home, struct timeval *when)
850 int previous_state = home->state;
853 radlog(L_PROXY, "Marking home server %s port %d as dead.",
854 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
855 buffer, sizeof(buffer)),
858 home->state = HOME_STATE_IS_DEAD;
859 home->num_received_pings = 0;
861 if (home->ping_check != HOME_PING_CHECK_NONE) {
863 * If the control socket marks us dead, start
864 * pinging. Otherwise, we already started
865 * pinging when it was marked "zombie".
867 if (previous_state == HOME_STATE_ALIVE) {
868 ping_home_server(home);
873 * Revive it after a fixed period of time. This
874 * is very, very, bad.
877 home->when.tv_sec += home->revive_interval;
879 INSERT_EVENT(revive_home_server, home);
883 static void check_for_zombie_home_server(REQUEST *request)
888 home = request->home_server;
890 if (home->state != HOME_STATE_ZOMBIE) return;
892 when = home->zombie_period_start;
893 when.tv_sec += home->zombie_period;
895 fr_event_now(el, &now);
896 if (timercmp(&now, &when, <)) {
900 mark_home_server_dead(home, &request->when);
903 static int proxy_to_virtual_server(REQUEST *request);
905 static int virtual_server_handler(UNUSED REQUEST *request)
907 proxy_to_virtual_server(request);
911 static void proxy_fallback_handler(REQUEST *request)
914 * A proper time is required for wait_a_bit.
916 request->delay = USEC / 10;
917 gettimeofday(&now, NULL);
918 request->next_when = now;
919 tv_add(&request->next_when, request->delay);
920 request->next_callback = wait_a_bit;
923 * Re-queue the request.
925 request->child_state = REQUEST_QUEUED;
927 rad_assert(request->proxy != NULL);
928 if (!thread_pool_addrequest(request, virtual_server_handler)) {
929 request->child_state = REQUEST_DONE;
932 #ifdef HAVE_PTHREAD_H
934 * MAY free the request if we're over max_request_time,
935 * AND we're not in threaded mode!
937 * Note that we call this ONLY if we're threaded, as
938 * if we're NOT threaded, request_post_handler() calls
939 * wait_a_bit(), which means that "request" may not
942 if (have_children) wait_a_bit(request);
947 static int setup_post_proxy_fail(REQUEST *request)
949 DICT_VALUE *dval = NULL;
952 request->child_state = REQUEST_RUNNING;
954 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
955 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-Authentication");
957 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
958 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-Accounting");
962 * See no_response_to_coa_request
964 } else if (((request->packet->code >> 8) & 0xff) == PW_COA_REQUEST) {
965 request->packet->code &= 0xff; /* restore it */
967 if (request->proxy->code == PW_COA_REQUEST) {
968 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-CoA");
970 } else if (request->proxy->code == PW_DISCONNECT_REQUEST) {
971 dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail-Disconnect");
981 if (!dval) dval = dict_valbyname(PW_POST_PROXY_TYPE, "Fail");
984 pairdelete(&request->config_items, PW_POST_PROXY_TYPE);
988 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE);
989 if (!vp) vp = radius_paircreate(request, &request->config_items,
990 PW_POST_PROXY_TYPE, PW_TYPE_INTEGER);
991 vp->vp_integer = dval->value;
993 rad_assert(request->proxy_reply == NULL);
999 static int null_handler(UNUSED REQUEST *request)
1004 static void post_proxy_fail_handler(REQUEST *request)
1007 * A proper time is required for wait_a_bit.
1009 request->delay = USEC / 10;
1010 gettimeofday(&now, NULL);
1013 * Not set up to run Post-Proxy-Type = Fail.
1015 * Mark the request as still running, and figure out what
1018 if (!setup_post_proxy_fail(request)) {
1019 request_post_handler(request);
1023 * Re-queue the request.
1025 request->child_state = REQUEST_QUEUED;
1028 * There is a post-proxy-type of fail. We run
1029 * the request through the pre/post proxy
1030 * handlers, just like it was a real proxied
1031 * request. However, we set the per-request
1032 * handler to NULL, as we don't want to do
1035 * Note that when we're not threaded, this will
1036 * process the request even if it's greater than
1037 * max_request_time. That's not fatal.
1039 request->priority = 0;
1040 rad_assert(request->proxy != NULL);
1041 thread_pool_addrequest(request, null_handler);
1045 * MAY free the request if we're over max_request_time,
1046 * AND we're not in threaded mode!
1048 * Note that we call this ONLY if we're threaded, as
1049 * if we're NOT threaded, request_post_handler() calls
1050 * wait_a_bit(), which means that "request" may not
1053 if (have_children) wait_a_bit(request);
1056 /* maybe check this against wait_for_proxy_id_to_expire? */
1057 static void no_response_to_proxied_request(void *ctx)
1059 REQUEST *request = ctx;
1063 rad_assert(request->magic == REQUEST_MAGIC);
1065 if (request->master_state == REQUEST_STOP_PROCESSING) {
1066 ev_request_free(&request);
1070 rad_assert(request->child_state == REQUEST_PROXIED);
1073 * If we've failed over to an internal home server,
1074 * replace the callback with the correct one. This
1075 * is due to locking issues with child threads...
1077 if (request->home_server->server) {
1078 wait_a_bit(request);
1083 if (request->home_server->proto != IPPROTO_TCP)
1085 check_for_zombie_home_server(request);
1087 home = request->home_server;
1090 * The default as of 2.1.7 is to allow requests to
1091 * fail-over to a backup home server when this one does
1092 * not respond. The old behavior can be configured as
1095 if (home->no_response_fail) {
1096 radlog(L_ERR, "Rejecting request %d (proxy Id %d) due to lack of any response from home server %s port %d",
1097 request->number, request->proxy->id,
1098 inet_ntop(request->proxy->dst_ipaddr.af,
1099 &request->proxy->dst_ipaddr.ipaddr,
1100 buffer, sizeof(buffer)),
1101 request->proxy->dst_port);
1103 post_proxy_fail_handler(request);
1106 * Enforce max_request_time.
1108 * We fail over to another backup home server
1109 * when the client re-transmits the request. If
1110 * the client doesn't re-transmit, no fail-over
1113 rad_assert(request->ev == NULL);
1114 request->child_state = REQUEST_RUNNING;
1115 wait_a_bit(request);
1119 * Don't touch request due to race conditions
1124 * Do nothing more. The home server didn't respond,
1125 * but that isn't a catastrophic failure. Some home
1126 * servers don't respond to packets...
1128 if (home->proto == IPPROTO_TCP) {
1130 * FIXME: Set up TCP pinging on this connection.
1132 * Maybe the CONNECTION is dead, but the home
1133 * server is alive. In that case, we need to start
1134 * pinging on the connection.
1136 * This means doing the pinging BEFORE the
1137 * post_proxy_fail_handler above, as it may do
1138 * something with the request, and cause the
1139 * proxy listener to go away!
1145 if (home->state == HOME_STATE_IS_DEAD) {
1146 rad_assert(home->ev != NULL); /* or it will never wake up */
1151 * Enable the zombie period when we notice that the home
1152 * server hasn't responded. We do NOT back-date the start
1153 * of the zombie period.
1155 if (home->state == HOME_STATE_ALIVE) {
1156 home->state = HOME_STATE_ZOMBIE;
1157 home->zombie_period_start = now;
1158 fr_event_delete(el, &home->ev);
1159 home->currently_outstanding = 0;
1160 home->num_received_pings = 0;
1162 radlog(L_PROXY, "Marking home server %s port %d as zombie (it looks like it is dead).",
1163 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr,
1164 buffer, sizeof(buffer)),
1168 * Start pinging the home server.
1170 ping_home_server(home);
1175 static void wait_a_bit(void *ctx)
1177 struct timeval when;
1178 REQUEST *request = ctx;
1179 fr_event_callback_t callback = NULL;
1181 rad_assert(request->magic == REQUEST_MAGIC);
1184 * The socket was closed. Tell the request that
1185 * there is no point in continuing.
1187 if (request->listener->status != RAD_LISTEN_STATUS_KNOWN) {
1188 goto stop_processing;
1193 * The CoA request is a new (internally generated)
1194 * request, created in a child thread. We therefore need
1195 * some way to tie its events back into the main event
1198 if (request->coa && !request->coa->proxy_reply &&
1199 request->coa->next_callback) {
1200 request->coa->when = request->coa->next_when;
1201 INSERT_EVENT(request->coa->next_callback, request->coa);
1202 request->coa->next_callback = NULL;
1203 request->coa->parent = NULL;
1204 request->coa = NULL;
1208 switch (request->child_state) {
1209 case REQUEST_QUEUED:
1210 case REQUEST_RUNNING:
1211 when = request->received;
1212 when.tv_sec += request->root->max_request_time;
1215 * Normally called from the event loop with the
1216 * proper event loop time. Otherwise, called from
1217 * post proxy fail handler, which sets "now", and
1218 * this call won't re-set it, because we're not
1219 * in the event loop.
1221 fr_event_now(el, &now);
1224 * Request still has more time. Continue
1227 if (timercmp(&now, &when, <) ||
1228 ((request->listener->type == RAD_LISTEN_DETAIL) &&
1229 (request->child_state == REQUEST_QUEUED))) {
1230 if (request->delay < (USEC / 10)) {
1231 request->delay = USEC / 10;
1233 request->delay += request->delay >> 1;
1237 * Cap wait at some sane value for detail
1240 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
1241 (request->delay > (request->root->max_request_time * USEC))) {
1242 request->delay = request->root->max_request_time * USEC;
1246 request->when = now;
1247 tv_add(&request->when, request->delay);
1248 callback = wait_a_bit;
1253 #if defined(HAVE_PTHREAD_H) || defined(WITH_PROXY)
1255 * A child thread MAY still be running on the
1256 * request. Ask the thread to stop working on
1259 if (have_children &&
1260 (pthread_equal(request->child_pid, NO_SUCH_CHILD_PID) == 0)) {
1261 request->master_state = REQUEST_STOP_PROCESSING;
1263 radlog(L_ERR, "WARNING: Unresponsive child for request %d, in module %s component %s",
1265 request->module ? request->module : "<server core>",
1266 request->component ? request->component : "<server core>");
1268 request->delay = USEC / 4;
1269 tv_add(&request->when, request->delay);
1270 callback = wait_for_child_to_die;
1276 * Else no child thread is processing the
1277 * request. We probably should have just marked
1278 * the request as 'done' elsewhere, like in the
1279 * post-proxy-fail handler. But doing that would
1280 * involve checking for max_request_time in
1281 * multiple places, so this may be simplest.
1283 request->child_state = REQUEST_DONE;
1287 * Mark the request as no longer running,
1291 #ifdef HAVE_PTHREAD_H
1292 request->child_pid = NO_SUCH_CHILD_PID;
1297 * This is a CoA request. It's been divorced
1298 * from everything else, so we clean it up now.
1300 if (!request->in_request_hash &&
1302 (request->packet->code != request->proxy->code) &&
1303 ((request->proxy->code == PW_COA_REQUEST) ||
1304 (request->proxy->code == PW_DISCONNECT_REQUEST))) {
1306 * FIXME: Do CoA MIBs
1308 ev_request_free(&request);
1312 request_stats_final(request);
1313 cleanup_delay(request);
1316 case REQUEST_REJECT_DELAY:
1317 case REQUEST_CLEANUP_DELAY:
1318 #ifdef HAVE_PTHREAD_H
1319 request->child_pid = NO_SUCH_CHILD_PID;
1321 request_stats_final(request);
1323 case REQUEST_PROXIED:
1324 rad_assert(request->next_callback != NULL);
1325 rad_assert(request->next_callback != wait_a_bit);
1327 request->when = request->next_when;
1328 callback = request->next_callback;
1329 request->next_callback = NULL;
1333 rad_panic("Internal sanity check failure");
1338 * Something major went wrong. Discard the request, and
1341 * FIXME: No idea why this happens or how to fix it...
1342 * It seems to happen *only* when requests are proxied,
1343 * and where the home server doesn't respond. So it looks
1344 * like a race condition above, but it happens in debug
1345 * mode, with no threads...
1348 RDEBUG("WARNING: Internal sanity check failed in event handler for request %d: Discarding the request!", request->number);
1349 ev_request_free(&request);
1353 INSERT_EVENT(callback, request);
1357 static void no_response_to_coa_request(void *ctx)
1359 REQUEST *request = ctx;
1362 rad_assert(request->magic == REQUEST_MAGIC);
1363 rad_assert(request->child_state == REQUEST_PROXIED);
1364 rad_assert(request->home_server != NULL);
1365 rad_assert(!request->in_request_hash);
1367 radlog(L_ERR, "No response to CoA request sent to %s",
1368 inet_ntop(request->proxy->dst_ipaddr.af,
1369 &request->proxy->dst_ipaddr.ipaddr,
1370 buffer, sizeof(buffer)));
1375 request->packet->code |= (PW_COA_REQUEST << 8);
1376 post_proxy_fail_handler(request);
1380 static int update_event_timestamp(RADIUS_PACKET *packet, time_t when)
1384 vp = pairfind(packet->vps, PW_EVENT_TIMESTAMP);
1391 packet->data = NULL;
1392 packet->data_len = 0;
1395 return 1; /* time stamp updated */
1400 * Called when we haven't received a response to a CoA request.
1402 static void retransmit_coa_request(void *ctx)
1406 REQUEST *request = ctx;
1408 rad_assert(request->magic == REQUEST_MAGIC);
1409 rad_assert(request->child_state == REQUEST_PROXIED);
1410 rad_assert(request->home_server != NULL);
1411 rad_assert(!request->in_request_hash);
1412 rad_assert(request->parent == NULL);
1414 fr_event_now(el, &now);
1417 * Cap count at MRC, if it is non-zero.
1419 if (request->home_server->coa_mrc &&
1420 (request->num_coa_requests >= request->home_server->coa_mrc)) {
1421 no_response_to_coa_request(request);
1426 * RFC 5080 Section 2.2.1
1428 * RT = 2*RTprev + RAND*RTprev
1429 * = 1.9 * RTprev + rand(0,.2) * RTprev
1430 * = 1.9 * RTprev + rand(0,1) * (RTprev / 5)
1433 delay ^= (delay >> 16);
1435 frac = request->delay / 5;
1436 delay = ((frac >> 16) * delay) + (((frac & 0xffff) * delay) >> 16);
1438 delay += (2 * request->delay) - (request->delay / 10);
1441 * Cap delay at MRT, if MRT is non-zero.
1443 if (request->home_server->coa_mrt &&
1444 (delay > (request->home_server->coa_mrt * USEC))) {
1445 int mrt_usec = request->home_server->coa_mrt * USEC;
1448 * delay = MRT + RAND * MRT
1449 * = 0.9 MRT + rand(0,.2) * MRT
1452 delay ^= (delay >> 15);
1454 delay = ((mrt_usec >> 16) * delay) + (((mrt_usec & 0xffff) * delay) >> 16);
1455 delay += mrt_usec - (mrt_usec / 10);
1458 request->delay = delay;
1459 request->when = now;
1460 tv_add(&request->when, request->delay);
1461 mrd = request->proxy_when;
1462 mrd.tv_sec += request->home_server->coa_mrd;
1465 * Cap duration at MRD.
1467 if (timercmp(&mrd, &request->when, <)) {
1468 request->when = mrd;
1469 INSERT_EVENT(no_response_to_coa_request, request);
1472 INSERT_EVENT(retransmit_coa_request, request);
1475 if (update_event_timestamp(request->proxy, now.tv_sec)) {
1477 * Keep a copy of the old Id so that the
1478 * re-transmitted request doesn't re-use the old
1481 RADIUS_PACKET old = *request->proxy;
1484 * Don't free the old Id on error.
1486 if (!insert_into_proxy_hash(request)) {
1487 radlog(L_PROXY,"Failed re-inserting CoA request into proxy hash.");
1492 * Now that we have a new Id, free the old one.
1494 PTHREAD_MUTEX_LOCK(&proxy_mutex);
1495 fr_packet_list_yank(proxy_list, &old);
1496 fr_packet_list_id_free(proxy_list, &old);
1497 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
1499 request->num_proxied_requests = 0;
1500 request->num_proxied_responses = 0;
1503 request->num_proxied_requests++;
1504 request->num_coa_requests++; /* is NOT reset by code 3 lines above! */
1506 request->proxy_listener->send(request->proxy_listener,
1512 * The original request is either DONE, or in CLEANUP_DELAY.
1514 static int originated_coa_request(REQUEST *request)
1516 int delay, rcode, pre_proxy_type = 0;
1522 rad_assert(request->proxy == NULL);
1523 rad_assert(!request->in_proxy_hash);
1524 rad_assert(request->proxy_reply == NULL);
1527 * Check whether we want to originate one, or cancel one.
1529 vp = pairfind(request->config_items, PW_SEND_COA_REQUEST);
1530 if (!vp && request->coa) {
1531 vp = pairfind(request->coa->proxy->vps, PW_SEND_COA_REQUEST);
1535 if (vp->vp_integer == 0) {
1536 ev_request_free(&request->coa);
1537 return 1; /* success */
1541 if (!request->coa) request_alloc_coa(request);
1542 if (!request->coa) return 0;
1547 * src_ipaddr will be set up in proxy_encode.
1549 memset(&ipaddr, 0, sizeof(ipaddr));
1550 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_IP_ADDRESS);
1552 ipaddr.af = AF_INET;
1553 ipaddr.ipaddr.ip4addr.s_addr = vp->vp_ipaddr;
1555 } else if ((vp = pairfind(coa->proxy->vps,
1556 PW_PACKET_DST_IPV6_ADDRESS)) != NULL) {
1557 ipaddr.af = AF_INET6;
1558 ipaddr.ipaddr.ip6addr = vp->vp_ipv6addr;
1560 } else if ((vp = pairfind(coa->proxy->vps,
1561 PW_HOME_SERVER_POOL)) != NULL) {
1562 coa->home_pool = home_pool_byname(vp->vp_strvalue,
1564 if (!coa->home_pool) {
1565 RDEBUG2("WARNING: No such home_server_pool %s",
1568 ev_request_free(&request->coa);
1575 } else if (request->client->coa_pool) {
1576 coa->home_pool = request->client->coa_pool;
1578 } else if (request->client->coa_server) {
1579 coa->home_server = request->client->coa_server;
1583 * If all else fails, send it to the client that
1584 * originated this request.
1586 memcpy(&ipaddr, &request->packet->src_ipaddr, sizeof(ipaddr));
1590 * Use the pool, if it exists.
1592 if (coa->home_pool) {
1593 coa->home_server = home_server_ldb(NULL, coa->home_pool, coa);
1594 if (!coa->home_server) {
1595 RDEBUG("WARNING: No live home server for home_server_pool %s", vp->vp_strvalue);
1599 } else if (!coa->home_server) {
1600 int port = PW_COA_UDP_PORT;
1602 vp = pairfind(coa->proxy->vps, PW_PACKET_DST_PORT);
1603 if (vp) port = vp->vp_integer;
1605 coa->home_server = home_server_find(&ipaddr, port, IPPROTO_UDP);
1606 if (!coa->home_server) {
1607 RDEBUG2("WARNING: Unknown destination %s:%d for CoA request.",
1608 inet_ntop(ipaddr.af, &ipaddr.ipaddr,
1609 buffer, sizeof(buffer)), port);
1614 vp = pairfind(coa->proxy->vps, PW_PACKET_TYPE);
1616 switch (vp->vp_integer) {
1617 case PW_COA_REQUEST:
1618 case PW_DISCONNECT_REQUEST:
1619 coa->proxy->code = vp->vp_integer;
1623 DEBUG("Cannot set CoA Packet-Type to code %d",
1629 if (!coa->proxy->code) coa->proxy->code = PW_COA_REQUEST;
1632 * The rest of the server code assumes that
1633 * request->packet && request->reply exist. Copy them
1634 * from the original request.
1636 rad_assert(coa->packet != NULL);
1637 rad_assert(coa->packet->vps == NULL);
1638 memcpy(coa->packet, request->packet, sizeof(*request->packet));
1639 coa->packet->vps = paircopy(request->packet->vps);
1640 coa->packet->data = NULL;
1641 rad_assert(coa->reply != NULL);
1642 rad_assert(coa->reply->vps == NULL);
1643 memcpy(coa->reply, request->reply, sizeof(*request->reply));
1644 coa->reply->vps = paircopy(request->reply->vps);
1645 coa->reply->data = NULL;
1646 coa->config_items = paircopy(request->config_items);
1649 * Call the pre-proxy routines.
1651 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE);
1653 RDEBUG2(" Found Pre-Proxy-Type %s", vp->vp_strvalue);
1654 pre_proxy_type = vp->vp_integer;
1657 if (coa->home_pool && coa->home_pool->virtual_server) {
1658 const char *old_server = coa->server;
1660 coa->server = coa->home_pool->virtual_server;
1661 RDEBUG2(" server %s {", coa->server);
1662 rcode = module_pre_proxy(pre_proxy_type, coa);
1664 coa->server = old_server;
1666 rcode = module_pre_proxy(pre_proxy_type, coa);
1673 * Only send the CoA packet if the pre-proxy code succeeded.
1675 case RLM_MODULE_NOOP:
1677 case RLM_MODULE_UPDATED:
1682 * Source IP / port is set when the proxy socket
1685 coa->proxy->dst_ipaddr = coa->home_server->ipaddr;
1686 coa->proxy->dst_port = coa->home_server->port;
1688 if (!insert_into_proxy_hash(coa)) {
1689 radlog(L_PROXY, "Failed inserting CoA request into proxy hash.");
1694 * We CANNOT divorce the CoA request from the parent
1695 * request. This function is running in a child thread,
1696 * and we need access to the main event loop in order to
1697 * to add the timers for the CoA packet. See
1702 * Forget about the original request completely at this
1707 gettimeofday(&request->proxy_when, NULL);
1708 request->received = request->next_when = request->proxy_when;
1709 rad_assert(request->proxy_reply == NULL);
1712 * Implement re-transmit algorithm as per RFC 5080
1715 * We want IRT + RAND*IRT
1716 * or 0.9 IRT + rand(0,.2) IRT
1718 * 2^20 ~ USEC, and we want 2.
1719 * rand(0,0.2) USEC ~ (rand(0,2^21) / 10)
1721 delay = (fr_rand() & ((1 << 22) - 1)) / 10;
1722 request->delay = delay * request->home_server->coa_irt;
1723 delay = request->home_server->coa_irt * USEC;
1724 delay -= delay / 10;
1725 delay += request->delay;
1727 request->delay = delay;
1728 tv_add(&request->next_when, delay);
1729 request->next_callback = retransmit_coa_request;
1732 * Note that we set proxied BEFORE sending the packet.
1734 * Once we send it, the request is tainted, as
1735 * another thread may have picked it up. Don't
1738 request->num_proxied_requests = 1;
1739 request->num_proxied_responses = 0;
1740 request->child_pid = NO_SUCH_CHILD_PID;
1742 update_event_timestamp(request->proxy, request->proxy_when.tv_sec);
1744 request->child_state = REQUEST_PROXIED;
1746 DEBUG_PACKET(request, request->proxy, 1);
1748 request->proxy_listener->send(request->proxy_listener,
1752 #endif /* WITH_COA */
1755 static int process_proxy_reply(REQUEST *request)
1758 int post_proxy_type = 0;
1762 * Delete any reply we had accumulated until now.
1764 pairfree(&request->reply->vps);
1767 * Run the packet through the post-proxy stage,
1768 * BEFORE playing games with the attributes.
1770 vp = pairfind(request->config_items, PW_POST_PROXY_TYPE);
1772 RDEBUG2(" Found Post-Proxy-Type %s", vp->vp_strvalue);
1773 post_proxy_type = vp->vp_integer;
1776 if (request->home_pool && request->home_pool->virtual_server) {
1777 const char *old_server = request->server;
1779 request->server = request->home_pool->virtual_server;
1780 RDEBUG2(" server %s {", request->server);
1781 rcode = module_post_proxy(post_proxy_type, request);
1783 request->server = old_server;
1785 rcode = module_post_proxy(post_proxy_type, request);
1789 if (request->packet->code == request->proxy->code)
1791 * Don't run the next bit if we originated a CoA
1792 * packet, after receiving an Access-Request or
1793 * Accounting-Request.
1798 * There may NOT be a proxy reply, as we may be
1799 * running Post-Proxy-Type = Fail.
1801 if (request->proxy_reply) {
1803 * Delete the Proxy-State Attributes from
1804 * the reply. These include Proxy-State
1805 * attributes from us and remote server.
1807 pairdelete(&request->proxy_reply->vps, PW_PROXY_STATE);
1810 * Add the attributes left in the proxy
1811 * reply to the reply list.
1813 pairadd(&request->reply->vps, request->proxy_reply->vps);
1814 request->proxy_reply->vps = NULL;
1817 * Free proxy request pairs.
1819 pairfree(&request->proxy->vps);
1823 default: /* Don't do anything */
1825 case RLM_MODULE_FAIL:
1826 /* FIXME: debug print stuff */
1827 request->child_state = REQUEST_DONE;
1830 case RLM_MODULE_HANDLED:
1831 /* FIXME: debug print stuff */
1832 request->child_state = REQUEST_DONE;
1840 static int request_pre_handler(REQUEST *request)
1844 rad_assert(request->magic == REQUEST_MAGIC);
1845 rad_assert(request->packet != NULL);
1847 request->child_state = REQUEST_RUNNING;
1850 * Don't decode the packet if it's an internal "fake"
1851 * request. Instead, just return so that the caller can
1854 if (request->packet->dst_port == 0) {
1855 request->username = pairfind(request->packet->vps,
1857 request->password = pairfind(request->packet->vps,
1864 * Put the decoded packet into it's proper place.
1866 if (request->proxy_reply != NULL) {
1868 * FIXME: For now, we can only proxy RADIUS packets.
1870 * In order to proxy other packets, we need to
1871 * somehow cache the "decode" function.
1873 rcode = rad_decode(request->proxy_reply, request->proxy,
1874 request->home_server->secret);
1875 DEBUG_PACKET(request, request->proxy_reply, 0);
1878 if (request->packet->vps == NULL) {
1879 rcode = request->listener->decode(request->listener, request);
1881 if (debug_condition) {
1883 const char *my_debug = debug_condition;
1886 * Ignore parse errors.
1888 radius_evaluate_condition(request, RLM_MODULE_OK, 0,
1892 request->options = 2;
1893 request->radlog = radlog_request;
1897 DEBUG_PACKET(request, request->packet, 0);
1903 RDEBUG("%s Dropping packet without response.", fr_strerror());
1904 request->reply->offset = -2; /* bad authenticator */
1905 request->child_state = REQUEST_DONE;
1909 if (!request->username) {
1910 request->username = pairfind(request->packet->vps,
1915 if (request->proxy) {
1916 return process_proxy_reply(request);
1926 * Do state handling when we proxy a request.
1928 static int proxy_request(REQUEST *request)
1930 struct timeval when;
1933 if (request->home_server->server) {
1934 RDEBUG("ERROR: Cannot perform real proxying to a virtual server.");
1938 if (!insert_into_proxy_hash(request)) {
1939 radlog(L_PROXY, "Failed inserting request into proxy hash.");
1943 request->proxy_listener->encode(request->proxy_listener, request);
1945 when = request->received;
1946 when.tv_sec += request->root->max_request_time;
1948 gettimeofday(&request->proxy_when, NULL);
1950 request->next_when = request->proxy_when;
1951 request->next_when.tv_sec += request->home_server->response_window;
1953 rad_assert(request->home_server->response_window > 0);
1955 if (timercmp(&when, &request->next_when, <)) {
1956 request->next_when = when;
1958 request->next_callback = no_response_to_proxied_request;
1960 RDEBUG2("Proxying request %d to home server %s port %d",
1962 inet_ntop(request->proxy->dst_ipaddr.af,
1963 &request->proxy->dst_ipaddr.ipaddr,
1964 buffer, sizeof(buffer)),
1965 request->proxy->dst_port);
1968 * Note that we set proxied BEFORE sending the packet.
1970 * Once we send it, the request is tainted, as
1971 * another thread may have picked it up. Don't
1974 request->num_proxied_requests = 1;
1975 request->num_proxied_responses = 0;
1976 #ifdef HAVE_PTHREAD_H
1977 request->child_pid = NO_SUCH_CHILD_PID;
1979 request->child_state = REQUEST_PROXIED;
1981 DEBUG_PACKET(request, request->proxy, 1);
1983 request->proxy_listener->send(request->proxy_listener,
1990 * "Proxy" the request by sending it to a new virtual server.
1992 static int proxy_to_virtual_server(REQUEST *request)
1996 if (!request->home_server || !request->home_server->server) return 0;
1998 if (request->parent) {
1999 RDEBUG2("WARNING: Cancelling proxy request to virtual server %s as this request was itself proxied.", request->home_server->server);
2003 fake = request_alloc_fake(request);
2005 RDEBUG2("WARNING: Out of memory");
2009 fake->packet->vps = paircopy(request->proxy->vps);
2010 fake->server = request->home_server->server;
2012 if ((request->proxy->code != PW_AUTHENTICATION_REQUEST)
2013 #ifdef WITH_ACCOUNTING
2014 && (request->proxy->code == PW_ACCOUNTING_REQUEST)
2017 RDEBUG2("Unknown packet type %d", request->proxy->code);
2018 ev_request_free(&fake);
2022 rad_assert(request->process != NULL);
2024 RDEBUG2(">>> Sending proxied request internally to virtual server.");
2025 radius_handle_request(fake, fake->process);
2026 RDEBUG2("<<< Received proxied response code %d from internal virtual server.", fake->reply->code);
2028 if (fake->reply->code != 0) {
2029 request->proxy_reply = fake->reply;
2033 * There was no response
2035 setup_post_proxy_fail(request);
2038 ev_request_free(&fake);
2040 process_proxy_reply(request);
2043 * Process it through the normal section again, but ONLY
2044 * if we received a proxy reply..
2046 if (request->proxy_reply) {
2047 if (request->server) RDEBUG("server %s {",
2048 request->server != NULL ?
2049 request->server : "");
2050 request->process(request);
2052 if (request->server) RDEBUG("} # server %s",
2053 request->server != NULL ?
2054 request->server : "");
2057 return 2; /* success, but NOT '1' !*/
2061 * Return 1 if we did proxy it, or the proxy attempt failed
2062 * completely. Either way, the caller doesn't touch the request
2063 * any more if we return 1.
2065 static int successfully_proxied_request(REQUEST *request)
2068 int pre_proxy_type = 0;
2069 VALUE_PAIR *realmpair;
2070 VALUE_PAIR *strippedname;
2072 char *realmname = NULL;
2074 REALM *realm = NULL;
2078 * If it was already proxied, do nothing.
2080 * FIXME: This should really be a serious error.
2082 if (request->in_proxy_hash ||
2083 (request->proxy_reply && (request->proxy_reply->code != 0))) {
2087 realmpair = pairfind(request->config_items, PW_PROXY_TO_REALM);
2088 if (!realmpair || (realmpair->length == 0)) {
2091 vp = pairfind(request->config_items, PW_HOME_SERVER_POOL);
2094 switch (request->packet->code) {
2095 case PW_AUTHENTICATION_REQUEST:
2096 pool_type = HOME_TYPE_AUTH;
2099 #ifdef WITH_ACCOUNTING
2100 case PW_ACCOUNTING_REQUEST:
2101 pool_type = HOME_TYPE_ACCT;
2106 case PW_COA_REQUEST:
2107 case PW_DISCONNECT_REQUEST:
2108 pool_type = HOME_TYPE_COA;
2116 pool = home_pool_byname(vp->vp_strvalue, pool_type);
2118 RDEBUG2("ERROR: Cannot proxy to unknown pool %s",
2123 realmname = NULL; /* no realms */
2128 realmname = (char *) realmpair->vp_strvalue;
2130 realm = realm_find2(realmname);
2132 RDEBUG2("ERROR: Cannot proxy to unknown realm %s", realmname);
2137 * Figure out which pool to use.
2139 if (request->packet->code == PW_AUTHENTICATION_REQUEST) {
2140 pool = realm->auth_pool;
2142 #ifdef WITH_ACCOUNTING
2143 } else if (request->packet->code == PW_ACCOUNTING_REQUEST) {
2144 pool = realm->acct_pool;
2148 } else if ((request->packet->code == PW_COA_REQUEST) ||
2149 (request->packet->code == PW_DISCONNECT_REQUEST)) {
2150 pool = realm->acct_pool;
2154 rad_panic("Internal sanity check failed");
2158 RDEBUG2(" WARNING: Cancelling proxy to Realm %s, as the realm is local.",
2164 home = home_server_ldb(realmname, pool, request);
2166 RDEBUG2("ERROR: Failed to find live home server for realm %s",
2170 request->home_pool = pool;
2174 * Once we've decided to proxy a request, we cannot send
2175 * a CoA packet. So we free up any CoA packet here.
2177 ev_request_free(&request->coa);
2180 * Remember that we sent the request to a Realm.
2182 if (realmname) pairadd(&request->packet->vps,
2183 pairmake("Realm", realmname, T_OP_EQ));
2186 * Strip the name, if told to.
2188 * Doing it here catches the case of proxied tunneled
2191 if (realm && (realm->striprealm == TRUE) &&
2192 (strippedname = pairfind(request->proxy->vps, PW_STRIPPED_USER_NAME)) != NULL) {
2194 * If there's a Stripped-User-Name attribute in
2195 * the request, then use THAT as the User-Name
2196 * for the proxied request, instead of the
2199 * This is done by making a copy of the
2200 * Stripped-User-Name attribute, turning it into
2201 * a User-Name attribute, deleting the
2202 * Stripped-User-Name and User-Name attributes
2203 * from the vps list, and making the new
2204 * User-Name the head of the vps list.
2206 vp = pairfind(request->proxy->vps, PW_USER_NAME);
2208 vp = radius_paircreate(request, NULL,
2209 PW_USER_NAME, PW_TYPE_STRING);
2210 rad_assert(vp != NULL); /* handled by above function */
2211 /* Insert at the START of the list */
2212 vp->next = request->proxy->vps;
2213 request->proxy->vps = vp;
2215 memcpy(vp->vp_strvalue, strippedname->vp_strvalue,
2216 sizeof(vp->vp_strvalue));
2217 vp->length = strippedname->length;
2220 * Do NOT delete Stripped-User-Name.
2225 * If there is no PW_CHAP_CHALLENGE attribute but
2226 * there is a PW_CHAP_PASSWORD we need to add it
2227 * since we can't use the request authenticator
2228 * anymore - we changed it.
2230 if ((request->packet->code == PW_AUTHENTICATION_REQUEST) &&
2231 pairfind(request->proxy->vps, PW_CHAP_PASSWORD) &&
2232 pairfind(request->proxy->vps, PW_CHAP_CHALLENGE) == NULL) {
2233 vp = radius_paircreate(request, &request->proxy->vps,
2234 PW_CHAP_CHALLENGE, PW_TYPE_OCTETS);
2235 vp->length = AUTH_VECTOR_LEN;
2236 memcpy(vp->vp_strvalue, request->packet->vector, AUTH_VECTOR_LEN);
2240 * The RFC's say we have to do this, but FreeRADIUS
2243 vp = radius_paircreate(request, &request->proxy->vps,
2244 PW_PROXY_STATE, PW_TYPE_OCTETS);
2245 snprintf(vp->vp_strvalue, sizeof(vp->vp_strvalue), "%d",
2246 request->packet->id);
2247 vp->length = strlen(vp->vp_strvalue);
2250 * Should be done BEFORE inserting into proxy hash, as
2251 * pre-proxy may use this information, or change it.
2253 request->proxy->code = request->packet->code;
2256 * Call the pre-proxy routines.
2258 vp = pairfind(request->config_items, PW_PRE_PROXY_TYPE);
2260 RDEBUG2(" Found Pre-Proxy-Type %s", vp->vp_strvalue);
2261 pre_proxy_type = vp->vp_integer;
2264 rad_assert(request->home_pool != NULL);
2266 if (request->home_pool->virtual_server) {
2267 const char *old_server = request->server;
2269 request->server = request->home_pool->virtual_server;
2270 RDEBUG2(" server %s {", request->server);
2271 rcode = module_pre_proxy(pre_proxy_type, request);
2273 request->server = old_server;
2275 rcode = module_pre_proxy(pre_proxy_type, request);
2278 case RLM_MODULE_FAIL:
2279 case RLM_MODULE_INVALID:
2280 case RLM_MODULE_NOTFOUND:
2281 case RLM_MODULE_USERLOCK:
2283 /* FIXME: debug print failed stuff */
2286 case RLM_MODULE_REJECT:
2287 case RLM_MODULE_HANDLED:
2291 * Only proxy the packet if the pre-proxy code succeeded.
2293 case RLM_MODULE_NOOP:
2295 case RLM_MODULE_UPDATED:
2300 * If it's a fake request, don't send the proxy
2301 * packet. The outer tunnel session will take
2302 * care of doing that.
2304 if (request->packet->dst_port == 0) {
2305 request->home_server = NULL;
2309 if (request->home_server->server) {
2310 return proxy_to_virtual_server(request);
2313 if (!proxy_request(request)) {
2314 RDEBUG("ERROR: Failed to proxy request %d", request->number);
2322 static void request_post_handler(REQUEST *request)
2324 int child_state = -1;
2325 struct timeval when;
2328 if ((request->master_state == REQUEST_STOP_PROCESSING) ||
2330 (request->parent->master_state == REQUEST_STOP_PROCESSING))) {
2331 RDEBUG2("Request %d was cancelled.", request->number);
2332 #ifdef HAVE_PTHREAD_H
2333 request->child_pid = NO_SUCH_CHILD_PID;
2335 child_state = REQUEST_DONE;
2339 if (request->child_state != REQUEST_RUNNING) {
2340 rad_panic("Internal sanity check failed");
2345 * If it's not in the request hash, it's a CoA request.
2348 if (!request->in_request_hash &&
2350 ((request->proxy->code == PW_COA_REQUEST) ||
2351 (request->proxy->code == PW_DISCONNECT_REQUEST))) {
2352 request->next_callback = NULL;
2353 child_state = REQUEST_DONE;
2359 * Catch Auth-Type := Reject BEFORE proxying the packet.
2361 if ((request->packet->code == PW_AUTHENTICATION_REQUEST) &&
2362 (request->reply->code == 0) &&
2363 ((vp = pairfind(request->config_items, PW_AUTH_TYPE)) != NULL) &&
2364 (vp->vp_integer == PW_AUTHTYPE_REJECT)) {
2365 request->reply->code = PW_AUTHENTICATION_REJECT;
2369 if (request->root->proxy_requests &&
2370 !request->in_proxy_hash &&
2371 (request->reply->code == 0) &&
2372 (request->packet->dst_port != 0) &&
2373 (request->packet->code != PW_STATUS_SERVER)) {
2374 int rcode = successfully_proxied_request(request);
2376 if (rcode == 1) return; /* request is invalid */
2379 * Failed proxying it (dead home servers, etc.)
2380 * Run it through Post-Proxy-Type = Fail, and
2381 * respond to the request.
2383 * Note that we're in a child thread here, so we
2384 * do NOT re-schedule the request. Instead, we
2385 * do what we would have done, which is run the
2386 * pre-handler, a NULL request handler, and then
2389 if ((rcode < 0) && setup_post_proxy_fail(request)) {
2390 request_pre_handler(request);
2394 * Else we weren't supposed to proxy it,
2395 * OR we proxied it internally to a virutal server.
2401 * Fake requests don't get encoded or signed. The caller
2402 * also requires the reply VP's, so we don't free them
2405 if (request->packet->dst_port == 0) {
2406 /* FIXME: RDEBUG going to the next request */
2407 #ifdef HAVE_PTHREAD_H
2408 request->child_pid = NO_SUCH_CHILD_PID;
2410 request->child_state = REQUEST_DONE;
2416 * Copy Proxy-State from the request to the reply.
2418 vp = paircopy2(request->packet->vps, PW_PROXY_STATE);
2419 if (vp) pairadd(&request->reply->vps, vp);
2423 * Access-Requests get delayed or cached.
2425 switch (request->packet->code) {
2426 case PW_AUTHENTICATION_REQUEST:
2427 gettimeofday(&request->next_when, NULL);
2429 if (request->reply->code == 0) {
2431 * Check if the lack of response is intentional.
2433 vp = pairfind(request->config_items,
2434 PW_RESPONSE_PACKET_TYPE);
2436 RDEBUG2("There was no response configured: rejecting request %d",
2438 request->reply->code = PW_AUTHENTICATION_REJECT;
2440 } else if (vp->vp_integer == 256) {
2441 RDEBUG2("Not responding to request %d",
2445 * Force cleanup after a long
2446 * time, so that we don't
2447 * re-process the packet.
2449 request->next_when.tv_sec += request->root->max_request_time;
2450 request->next_callback = cleanup_delay;
2451 child_state = REQUEST_CLEANUP_DELAY;
2454 request->reply->code = vp->vp_integer;
2460 * Run rejected packets through
2462 * Post-Auth-Type = Reject
2464 if (request->reply->code == PW_AUTHENTICATION_REJECT) {
2465 pairdelete(&request->config_items, PW_POST_AUTH_TYPE);
2466 vp = radius_pairmake(request, &request->config_items,
2467 "Post-Auth-Type", "Reject",
2469 if (vp) rad_postauth(request);
2472 * If configured, delay Access-Reject packets.
2474 * If request->root->reject_delay = 0, we discover
2475 * that we have to send the packet now.
2477 when = request->received;
2478 when.tv_sec += request->root->reject_delay;
2480 if (timercmp(&when, &request->next_when, >)) {
2481 RDEBUG2("Delaying reject of request %d for %d seconds",
2483 request->root->reject_delay);
2484 request->next_when = when;
2485 request->next_callback = reject_delay;
2486 #ifdef HAVE_PTHREAD_H
2487 request->child_pid = NO_SUCH_CHILD_PID;
2489 request->child_state = REQUEST_REJECT_DELAY;
2495 case PW_COA_REQUEST:
2496 case PW_DISCONNECT_REQUEST:
2498 request->next_when.tv_sec += request->root->cleanup_delay;
2499 request->next_callback = cleanup_delay;
2500 child_state = REQUEST_CLEANUP_DELAY;
2503 case PW_ACCOUNTING_REQUEST:
2504 request->next_callback = NULL; /* just to be safe */
2505 child_state = REQUEST_DONE;
2509 * FIXME: Status-Server should probably not be
2512 case PW_STATUS_SERVER:
2513 request->next_callback = NULL;
2514 child_state = REQUEST_DONE;
2521 request->next_callback = NULL;
2522 child_state = REQUEST_DONE;
2526 DEBUG_PACKET(request, request->reply, 1);
2527 request->listener->send(request->listener, request);
2531 * Now that we've completely processed the request,
2532 * see if we need to originate a CoA request.
2535 (pairfind(request->config_items, PW_SEND_COA_REQUEST) != NULL)) {
2536 if (!originated_coa_request(request)) {
2537 RDEBUG2("Do CoA Fail handler here");
2539 /* request->coa is stil set, so we can update events */
2545 * Clean up. These are no longer needed.
2547 pairfree(&request->config_items);
2549 pairfree(&request->packet->vps);
2550 request->username = NULL;
2551 request->password = NULL;
2553 pairfree(&request->reply->vps);
2556 if (request->proxy) {
2557 pairfree(&request->proxy->vps);
2559 if (request->proxy_reply) {
2560 pairfree(&request->proxy_reply->vps);
2565 * We're not tracking responses from the home
2566 * server, we can therefore free this memory in
2569 if (!request->in_proxy_hash) {
2570 rad_free(&request->proxy);
2571 rad_free(&request->proxy_reply);
2572 request->home_server = NULL;
2578 RDEBUG2("Finished request %d.", request->number);
2579 rad_assert(child_state >= 0);
2580 request->child_state = child_state;
2583 * Single threaded mode: update timers now.
2585 if (!have_children) wait_a_bit(request);
2589 static void received_retransmit(REQUEST *request, const RADCLIENT *client)
2595 RAD_STATS_TYPE_INC(request->listener, total_dup_requests);
2596 RAD_STATS_CLIENT_INC(request->listener, client, total_dup_requests);
2598 switch (request->child_state) {
2599 case REQUEST_QUEUED:
2600 case REQUEST_RUNNING:
2604 radlog(L_ERR, "Discarding duplicate request from "
2605 "client %s port %d - ID: %d due to unfinished request %d",
2607 request->packet->src_port,request->packet->id,
2612 case REQUEST_PROXIED:
2614 * We're not supposed to have duplicate
2615 * accounting packets. The other states handle
2616 * duplicates fine (discard, or send duplicate
2617 * reply). But we do NOT want to retransmit an
2618 * accounting request here, because that would
2619 * involve updating the Acct-Delay-Time, and
2620 * therefore changing the packet Id, etc.
2622 * Instead, we just discard the packet. We may
2623 * eventually respond, or the client will send a
2624 * new accounting packet.
2626 * The same comments go for Status-Server, and
2627 * other packet types.
2629 * FIXME: coa: when we proxy CoA && Disconnect
2630 * packets, this logic has to be fixed.
2632 if (request->packet->code != PW_AUTHENTICATION_REQUEST) {
2636 check_for_zombie_home_server(request);
2639 * If we've just discovered that the home server
2640 * is dead, OR the socket has been closed, look for
2641 * another connection to a home server.
2643 if (((request->packet->dst_port != 0) &&
2644 (request->home_server->state == HOME_STATE_IS_DEAD)) ||
2645 (request->proxy_listener->status != RAD_LISTEN_STATUS_KNOWN)) {
2648 remove_from_proxy_hash(request);
2650 home = home_server_ldb(NULL, request->home_pool, request);
2652 RDEBUG2("Failed to find live home server for request %d", request->number);
2655 * Do post-request processing,
2656 * and any insertion of necessary
2659 post_proxy_fail_handler(request);
2663 request->proxy->code = request->packet->code;
2666 * Free the old packet, to force re-encoding
2668 free(request->proxy->data);
2669 request->proxy->data = NULL;
2670 request->proxy->data_len = 0;
2673 * This request failed over to a virtual
2674 * server. Push it back onto the queue
2677 if (request->home_server->server) {
2678 proxy_fallback_handler(request);
2683 * Try to proxy the request.
2685 if (!proxy_request(request)) {
2686 RDEBUG("ERROR: Failed to re-proxy request %d", request->number);
2687 goto no_home_servers;
2691 * This code executes in the main server
2692 * thread, so there's no need for locking.
2694 rad_assert(request->next_callback != NULL);
2695 INSERT_EVENT(request->next_callback, request);
2696 request->next_callback = NULL;
2698 } /* else the home server is still alive */
2701 if (request->home_server->proto == IPPROTO_TCP) {
2702 DEBUG2("Suppressing duplicate proxied request to home server %s port %d proto TCP - ID: %d",
2703 inet_ntop(request->proxy->dst_ipaddr.af,
2704 &request->proxy->dst_ipaddr.ipaddr,
2705 buffer, sizeof(buffer)),
2706 request->proxy->dst_port,
2707 request->proxy->id);
2712 RDEBUG2("Sending duplicate proxied request to home server %s port %d - ID: %d",
2713 inet_ntop(request->proxy->dst_ipaddr.af,
2714 &request->proxy->dst_ipaddr.ipaddr,
2715 buffer, sizeof(buffer)),
2716 request->proxy->dst_port,
2717 request->proxy->id);
2718 request->num_proxied_requests++;
2720 DEBUG_PACKET(request, request->proxy, 1);
2721 request->proxy_listener->send(request->proxy_listener,
2726 case REQUEST_REJECT_DELAY:
2727 RDEBUG2("Waiting to send Access-Reject "
2728 "to client %s port %d - ID: %d",
2730 request->packet->src_port, request->packet->id);
2733 case REQUEST_CLEANUP_DELAY:
2735 if (request->reply->code == 0) {
2736 RDEBUG2("Ignoring retransmit from client %s port %d "
2737 "- ID: %d, no reply was configured",
2739 request->packet->src_port, request->packet->id);
2744 * FIXME: This sends duplicate replies to
2745 * accounting requests, even if Acct-Delay-Time
2746 * or Event-Timestamp is in the packet. In those
2747 * cases, the Id should be changed, and the packet
2750 RDEBUG2("Sending duplicate reply "
2751 "to client %s port %d - ID: %d",
2753 request->packet->src_port, request->packet->id);
2754 DEBUG_PACKET(request, request->reply, 1);
2755 request->listener->send(request->listener, request);
2761 static void received_conflicting_request(REQUEST *request,
2762 const RADCLIENT *client)
2764 radlog(L_ERR, "Received conflicting packet from "
2765 "client %s port %d - ID: %d due to unfinished request %d. Giving up on old request.",
2767 request->packet->src_port, request->packet->id,
2771 * Nuke it from the request hash, so we can receive new
2774 remove_from_request_hash(request);
2776 switch (request->child_state) {
2778 * Tell it to stop, and wait for it to do so.
2781 request->master_state = REQUEST_STOP_PROCESSING;
2782 request->delay += request->delay >> 1;
2784 tv_add(&request->when, request->delay);
2786 INSERT_EVENT(wait_for_child_to_die, request);
2790 * Catch race conditions. It may have switched
2791 * from running to done while this code is being
2794 case REQUEST_REJECT_DELAY:
2795 case REQUEST_CLEANUP_DELAY:
2802 static int can_handle_new_request(RADIUS_PACKET *packet,
2804 struct main_config_t *root)
2807 * Count the total number of requests, to see if
2808 * there are too many. If so, return with an
2811 if (root->max_requests) {
2812 int request_count = fr_packet_list_num_elements(pl);
2815 * This is a new request. Let's see if
2816 * it makes us go over our configured
2819 if (request_count > root->max_requests) {
2820 radlog(L_ERR, "Dropping request (%d is too many): "
2821 "from client %s port %d - ID: %d", request_count,
2823 packet->src_port, packet->id);
2824 radlog(L_INFO, "WARNING: Please check the configuration file.\n"
2825 "\tThe value for 'max_requests' is probably set too low.\n");
2827 } /* else there were a small number of requests */
2828 } /* else there was no configured limit for requests */
2831 * FIXME: Add per-client checks. If one client is sending
2832 * too many packets, start discarding them.
2834 * We increment the counters here, and decrement them
2835 * when the response is sent... somewhere in this file.
2839 * FUTURE: Add checks for system load. If the system is
2840 * busy, start dropping requests...
2842 * We can probably keep some statistics ourselves... if
2843 * there are more requests coming in than we can handle,
2844 * start dropping some.
2851 int received_request(rad_listen_t *listener,
2852 RADIUS_PACKET *packet, REQUEST **prequest,
2855 RADIUS_PACKET **packet_p;
2856 REQUEST *request = NULL;
2857 struct main_config_t *root = &mainconfig;
2859 packet_p = fr_packet_list_find(pl, packet);
2861 request = fr_packet2myptr(REQUEST, packet, packet_p);
2862 rad_assert(request->in_request_hash);
2864 if ((request->packet->data_len == packet->data_len) &&
2865 (memcmp(request->packet->vector, packet->vector,
2866 sizeof(packet->vector)) == 0)) {
2867 received_retransmit(request, client);
2872 * The new request is different from the old one,
2873 * but maybe the old is finished. If so, delete
2876 switch (request->child_state) {
2877 struct timeval when;
2881 * Special hacks for race conditions.
2882 * The reply is encoded, and therefore
2883 * likely sent. We received a *new*
2884 * packet from the client, likely before
2885 * the next line or two of code which
2886 * updated the child state. In this
2887 * case, just accept the new request.
2889 if ((request->reply->code != 0) &&
2890 request->reply->data) {
2891 radlog(L_INFO, "WARNING: Allowing fast client %s port %d - ID: %d for recent request %d.",
2893 packet->src_port, packet->id,
2895 remove_from_request_hash(request);
2900 gettimeofday(&when, NULL);
2904 * If the cached request was received
2905 * within the last second, then we
2906 * discard the NEW request instead of the
2907 * old one. This will happen ONLY when
2908 * the client is severely broken, and is
2909 * sending conflicting packets very
2912 if (timercmp(&when, &request->received, <)) {
2913 radlog(L_ERR, "Discarding conflicting packet from "
2914 "client %s port %d - ID: %d due to recent request %d.",
2916 packet->src_port, packet->id,
2921 received_conflicting_request(request, client);
2925 case REQUEST_REJECT_DELAY:
2926 case REQUEST_CLEANUP_DELAY:
2927 request->child_state = REQUEST_DONE;
2929 cleanup_delay(request);
2936 * We may want to quench the new request.
2938 if ((listener->type != RAD_LISTEN_DETAIL) &&
2939 !can_handle_new_request(packet, client, root)) {
2944 * Create and initialize the new request.
2946 request = request_alloc(); /* never fails */
2948 if ((request->reply = rad_alloc(0)) == NULL) {
2949 radlog(L_ERR, "No memory");
2953 request->listener = listener;
2954 request->client = client;
2955 request->packet = packet;
2956 request->packet->timestamp = request->timestamp;
2957 request->number = request_num_counter++;
2958 request->priority = listener->type;
2959 #ifdef HAVE_PTHREAD_H
2960 request->child_pid = NO_SUCH_CHILD_PID;
2964 * Status-Server packets go to the head of the queue.
2966 if (request->packet->code == PW_STATUS_SERVER) request->priority = 0;
2969 * Set virtual server identity
2971 if (client->server) {
2972 request->server = client->server;
2973 } else if (listener->server) {
2974 request->server = listener->server;
2976 request->server = NULL;
2980 * Remember the request in the list.
2982 if (!fr_packet_list_insert(pl, &request->packet)) {
2983 radlog(L_ERR, "Failed to insert request %d in the list of live requests: discarding", request->number);
2984 ev_request_free(&request);
2988 request->in_request_hash = TRUE;
2989 request->root = root;
2992 request->listener->count++;
2996 * The request passes many of our sanity checks.
2997 * From here on in, if anything goes wrong, we
2998 * send a reject message, instead of dropping the
3003 * Build the reply template from the request.
3006 request->reply->sockfd = request->packet->sockfd;
3007 request->reply->dst_ipaddr = request->packet->src_ipaddr;
3008 request->reply->src_ipaddr = request->packet->dst_ipaddr;
3009 request->reply->dst_port = request->packet->src_port;
3010 request->reply->src_port = request->packet->dst_port;
3011 request->reply->id = request->packet->id;
3012 request->reply->code = 0; /* UNKNOWN code */
3013 memcpy(request->reply->vector, request->packet->vector,
3014 sizeof(request->reply->vector));
3015 request->reply->vps = NULL;
3016 request->reply->data = NULL;
3017 request->reply->data_len = 0;
3019 request->master_state = REQUEST_ACTIVE;
3020 request->child_state = REQUEST_QUEUED;
3021 request->next_callback = NULL;
3023 gettimeofday(&request->received, NULL);
3024 request->timestamp = request->received.tv_sec;
3025 request->when = request->received;
3027 request->delay = USEC;
3029 tv_add(&request->when, request->delay);
3031 INSERT_EVENT(wait_a_bit, request);
3033 *prequest = request;
3039 REQUEST *received_proxy_response(RADIUS_PACKET *packet)
3045 * Also removes from the proxy hash if responses == requests
3047 request = lookup_in_proxy_hash(packet);
3050 radlog(L_PROXY, "No outstanding request was found for reply from host %s port %d - ID %d",
3051 inet_ntop(packet->src_ipaddr.af,
3052 &packet->src_ipaddr.ipaddr,
3053 buffer, sizeof(buffer)),
3054 packet->src_port, packet->id);
3059 * We haven't replied to the NAS, but we have seen an
3060 * earlier reply from the home server. Ignore this packet,
3061 * as we're likely still processing the previous reply.
3063 if (request->proxy_reply) {
3064 if (memcmp(request->proxy_reply->vector,
3066 sizeof(request->proxy_reply->vector)) == 0) {
3067 RDEBUG2("Discarding duplicate reply from host %s port %d - ID: %d for request %d",
3068 inet_ntop(packet->src_ipaddr.af,
3069 &packet->src_ipaddr.ipaddr,
3070 buffer, sizeof(buffer)),
3071 packet->src_port, packet->id,
3075 * ? The home server gave us a new proxy
3076 * reply which doesn't match the old
3079 RDEBUG2("Ignoring conflicting proxy reply");
3082 /* assert that there's an event queued for request? */
3087 * Verify the packet before doing ANYTHING with it. This
3088 * means we're doing more MD5 checks in the server core.
3089 * However, we can fix that by moving to multiple threads
3090 * listening on sockets.
3092 * We do this AFTER looking the request up in the hash,
3093 * and AFTER vhecking if we saw a previous request. This
3094 * helps minimize the DoS effect of people attacking us
3095 * with spoofed packets.
3097 if (rad_verify(packet, request->proxy,
3098 request->home_server->secret) != 0) {
3099 DEBUG("Ignoring spoofed proxy reply. Signature is invalid");
3103 gettimeofday(&now, NULL);
3106 * Maybe move this earlier in the decision process?
3107 * Having it here means that late or duplicate proxy
3108 * replies no longer get the home server marked as
3109 * "alive". This might be good for stability, though.
3111 * FIXME: Do we really want to do this whenever we
3112 * receive a packet? Setting this here means that we
3113 * mark it alive on *any* packet, even if it's lost all
3114 * of the *other* packets in the last 10s.
3116 if (request->proxy->code != PW_STATUS_SERVER) {
3117 request->home_server->state = HOME_STATE_ALIVE;
3122 * When originating CoA, the "proxy" reply is the reply
3123 * to the CoA request that we originated. At this point,
3124 * the original request is finished, and it has a reply.
3126 * However, if we haven't separated the two requests, do
3127 * so now. This is done so that cleaning up the original
3128 * request won't cause the CoA request to be free'd. See
3129 * util.c, request_free()
3131 if (request->parent && (request->parent->coa == request)) {
3132 request->parent->coa = NULL;
3133 request->parent = NULL;
3137 * Skip the next set of checks, as the original
3138 * reply is cached. We want to be able to still
3139 * process the CoA reply, AND to reference the
3140 * original request/reply.
3142 * This is getting to be really quite a bit of a
3148 * If there's a reply to the NAS, ignore everything
3149 * related to proxy responses
3151 if (request->reply && request->reply->code != 0) {
3152 RDEBUG2("Ignoring proxy reply that arrived after we sent a reply to the NAS");
3158 * The average includes our time to receive packets and
3159 * look them up in the hashes, which should be the same
3162 * We update the response time only for the FIRST packet
3165 if (request->home_server->ema.window > 0) {
3166 radius_stats_ema(&request->home_server->ema,
3167 &now, &request->proxy_when);
3171 switch (request->child_state) {
3172 case REQUEST_QUEUED:
3173 case REQUEST_RUNNING:
3174 radlog(L_ERR, "Internal sanity check failed for child state");
3177 case REQUEST_REJECT_DELAY:
3178 case REQUEST_CLEANUP_DELAY:
3180 radlog(L_ERR, "Reply from home server %s port %d - ID: %d arrived too late for request %d. Try increasing 'retry_delay' or 'max_request_time'",
3181 inet_ntop(packet->src_ipaddr.af,
3182 &packet->src_ipaddr.ipaddr,
3183 buffer, sizeof(buffer)),
3184 packet->src_port, packet->id,
3186 /* assert that there's an event queued for request? */
3189 case REQUEST_PROXIED:
3193 request->proxy_reply = packet;
3197 * Perform RTT calculations, as per RFC 2988 (for TCP).
3198 * Note that we only do so on the first response.
3200 if ((request->num_proxied_responses == 1)
3202 home_server *home = request->home_server;
3204 rtt = now.tv_sec - request->proxy_when.tv_sec;
3207 rtt -= request->proxy_when.tv_usec;
3209 if (!home->has_rtt) {
3210 home->has_rtt = TRUE;
3213 home->rttvar = rtt / 2;
3216 home->rttvar -= home->rttvar >> 2;
3217 home->rttvar += (home->srtt - rtt);
3218 home->srtt -= home->srtt >> 3;
3219 home->srtt += rtt >> 3;
3222 home->rto = home->srtt;
3223 if (home->rttvar > (USEC / 4)) {
3224 home->rto += home->rttvar * 4;
3232 * There's no incoming request, so it's a proxied packet
3235 if (!request->packet) {
3236 received_response_to_ping(request);
3237 request->proxy_reply = NULL; /* caller will free it */
3238 ev_request_free(&request);
3242 request->child_state = REQUEST_QUEUED;
3243 request->when = now;
3244 request->delay = USEC;
3245 request->priority = RAD_LISTEN_PROXY;
3246 tv_add(&request->when, request->delay);
3249 * Wait a bit will take care of max_request_time
3251 INSERT_EVENT(wait_a_bit, request);
3256 #endif /* WITH_PROXY */
3259 static void tcp_socket_lifetime(void *ctx)
3261 rad_listen_t *listener = ctx;
3264 listener->print(listener, buffer, sizeof(buffer));
3266 DEBUG("Reached maximum lifetime on socket %s", buffer);
3268 listener->status = RAD_LISTEN_STATUS_CLOSED;
3269 event_new_fd(listener);
3272 static void tcp_socket_idle_timeout(void *ctx)
3274 rad_listen_t *listener = ctx;
3275 listen_socket_t *sock = listener->data;
3278 fr_event_now(el, &now); /* should always succeed... */
3280 rad_assert(sock->home != NULL);
3283 * We implement idle timeout by polling, because it's
3284 * cheaper than resetting the idle timeout every time
3285 * we send / receive a packet.
3287 if ((sock->last_packet + sock->home->idle_timeout) > now.tv_sec) {
3288 struct timeval when;
3289 void *fun = tcp_socket_idle_timeout;
3291 when.tv_sec = sock->last_packet;
3292 when.tv_sec += sock->home->idle_timeout;
3295 if (sock->home->lifetime &&
3296 (sock->opened + sock->home->lifetime < when.tv_sec)) {
3297 when.tv_sec = sock->opened + sock->home->lifetime;
3298 fun = tcp_socket_lifetime;
3301 if (!fr_event_insert(el, fun, listener, &when, &sock->ev)) {
3302 rad_panic("Failed to insert event");
3308 listener->print(listener, buffer, sizeof(buffer));
3310 DEBUG("Reached idle timeout on socket %s", buffer);
3312 listener->status = RAD_LISTEN_STATUS_CLOSED;
3313 event_new_fd(listener);
3317 void event_new_fd(rad_listen_t *this)
3321 if (this->status == RAD_LISTEN_STATUS_KNOWN) return;
3323 this->print(this, buffer, sizeof(buffer));
3325 if (this->status == RAD_LISTEN_STATUS_INIT) {
3327 DEBUG("Listening on %s", buffer);
3329 radlog(L_INFO, " ... adding new socket %s", buffer);
3334 * Add it to the list of sockets we can use.
3335 * Server sockets (i.e. auth/acct) are never
3336 * added to the packet list.
3338 if (this->type == RAD_LISTEN_PROXY) {
3339 listen_socket_t *sock = this->data;
3341 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3342 if (!fr_packet_list_socket_add(proxy_list, this->fd,
3344 &sock->other_ipaddr, sock->other_port,
3347 proxy_no_new_sockets = TRUE;
3349 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3352 * This is bad. However, the
3353 * packet list now supports 256
3354 * open sockets, which should
3355 * minimize this problem.
3357 radlog(L_ERR, "Failed adding proxy socket: %s",
3363 sock->home->num_connections++;
3366 * If necessary, add it to the list of
3367 * new proxy listeners.
3369 if (sock->home->lifetime || sock->home->idle_timeout) {
3370 this->next = proxy_listener_list;
3371 proxy_listener_list = this;
3374 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3377 * Tell the main thread that we've added
3378 * a proxy listener, but only if we need
3379 * to update the event list. Do this
3380 * with the mutex unlocked, to reduce
3384 if (sock->home->lifetime || sock->home->idle_timeout) {
3385 radius_signal_self(RADIUS_SIGNAL_SELF_NEW_FD);
3393 * Detail files are always known, and aren't
3394 * put into the socket event loop.
3396 if (this->type == RAD_LISTEN_DETAIL) {
3397 this->status = RAD_LISTEN_STATUS_KNOWN;
3400 * Set up the first poll interval.
3402 event_poll_detail(this);
3407 FD_MUTEX_LOCK(&fd_mutex);
3408 if (!fr_event_fd_insert(el, 0, this->fd,
3409 event_socket_handler, this)) {
3410 radlog(L_ERR, "Failed adding event handler for proxy socket!");
3413 FD_MUTEX_UNLOCK(&fd_mutex);
3415 this->status = RAD_LISTEN_STATUS_KNOWN;
3420 * Something went wrong with the socket: make it harmless.
3422 if (this->status == RAD_LISTEN_STATUS_REMOVE_FD) {
3426 * Remove it from the list of live FD's.
3428 FD_MUTEX_LOCK(&fd_mutex);
3429 fr_event_fd_delete(el, 0, this->fd);
3430 FD_MUTEX_UNLOCK(&fd_mutex);
3434 * We track requests using this socket only for
3435 * TCP. For UDP, we don't currently close
3439 if (this->type != RAD_LISTEN_PROXY)
3442 if (this->count != 0) {
3443 fr_packet_list_walk(pl, this,
3444 remove_all_requests);
3447 if (this->count == 0) {
3448 this->status = RAD_LISTEN_STATUS_FINISH;
3454 int count = this->count;
3459 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3460 if (!fr_packet_list_socket_freeze(proxy_list,
3462 radlog(L_ERR, "Fatal error freezing socket: %s",
3468 * Doing this with the proxy mutex held
3469 * is a Bad Thing. We should move to
3470 * finer-grained mutexes.
3472 count = this->count;
3474 fr_packet_list_walk(proxy_list, this,
3475 remove_all_proxied_requests);
3477 count = this->count; /* protected by mutex */
3478 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3481 this->status = RAD_LISTEN_STATUS_FINISH;
3485 #endif /* WITH_PROXY */
3486 #endif /* WITH_TCP */
3489 * Re-open the socket, pointing it to /dev/null.
3490 * This means that all writes proceed without
3491 * blocking, and all reads return "no data".
3493 * This leaves the socket active, so any child
3494 * threads won't go insane. But it means that
3495 * they cannot send or receive any packets.
3497 * This is EXTRA work in the normal case, when
3498 * sockets are closed without error. But it lets
3499 * us have one simple processing method for all
3502 devnull = open("/dev/null", O_RDWR);
3504 radlog(L_ERR, "FATAL failure opening /dev/null: %s",
3508 if (dup2(devnull, this->fd) < 0) {
3509 radlog(L_ERR, "FATAL failure closing socket: %s",
3515 this->status = RAD_LISTEN_STATUS_CLOSED;
3518 * Fall through to the next section.
3524 * Called ONLY from the main thread. On the following
3530 * (and falling through from "forcibly close FD" above)
3531 * client closed connection on us
3532 * client sent us a bad packet.
3534 if (this->status == RAD_LISTEN_STATUS_CLOSED) {
3535 int count = this->count;
3536 rad_assert(this->type != RAD_LISTEN_DETAIL);
3540 * Remove it from the list of active sockets, so
3541 * that it isn't used when proxying new packets.
3543 if (this->type == RAD_LISTEN_PROXY) {
3544 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3545 if (!fr_packet_list_socket_freeze(proxy_list,
3547 radlog(L_ERR, "Fatal error freezing socket: %s",
3551 count = this->count; /* protected by mutex */
3552 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3557 * Requests are still using the socket. Wait for
3561 struct timeval when;
3562 listen_socket_t *sock = this->data;
3565 * Try again to clean up the socket in 30
3568 gettimeofday(&when, NULL);
3571 if (!fr_event_insert(el,
3572 (fr_event_callback_t) event_new_fd,
3573 this, &when, &sock->ev)) {
3574 rad_panic("Failed to insert event");
3581 * No one is using this socket: we can delete it
3584 this->status = RAD_LISTEN_STATUS_FINISH;
3588 if (this->status == RAD_LISTEN_STATUS_FINISH) {
3589 listen_socket_t *sock = this->data;
3591 rad_assert(this->count == 0);
3592 radlog(L_INFO, " ... closing socket %s", buffer);
3595 * Remove it from the list of live FD's. Note
3596 * that it MAY also have been removed above. We
3597 * do it again here, to catch the case of sockets
3598 * closing on idle timeout, or max
3599 * lifetime... AFTER all requests have finished
3602 FD_MUTEX_LOCK(&fd_mutex);
3603 fr_event_fd_delete(el, 0, this->fd);
3604 FD_MUTEX_UNLOCK(&fd_mutex);
3608 * Remove it from the list of sockets to be used
3611 if (this->type == RAD_LISTEN_PROXY) {
3612 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3613 if (!fr_packet_list_socket_remove(proxy_list,
3615 radlog(L_ERR, "Fatal error removing socket: %s",
3619 if (sock->home) sock->home->num_connections--;
3620 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3625 * Remove any pending cleanups.
3627 if (sock->ev) fr_event_delete(el, &sock->ev);
3630 * And finally, close the socket.
3634 #endif /* WITH_TCP */
3639 static void handle_signal_self(int flag)
3641 if ((flag & (RADIUS_SIGNAL_SELF_EXIT | RADIUS_SIGNAL_SELF_TERM)) != 0) {
3642 if ((flag & RADIUS_SIGNAL_SELF_EXIT) != 0) {
3643 radlog(L_INFO, "Received TERM signal");
3644 fr_event_loop_exit(el, 1);
3646 fr_event_loop_exit(el, 2);
3650 } /* else exit/term flags weren't set */
3653 * Tell the even loop to stop processing.
3655 if ((flag & RADIUS_SIGNAL_SELF_HUP) != 0) {
3657 static time_t last_hup = 0;
3659 radlog(L_INFO, "Received HUP signal.");
3662 if ((int) (when - last_hup) < 5) {
3663 radlog(L_INFO, "Ignoring HUP (less than 5s since last one)");
3668 fr_event_loop_exit(el, 0x80);
3672 if ((flag & RADIUS_SIGNAL_SELF_DETAIL) != 0) {
3676 * FIXME: O(N) loops suck.
3678 for (this = mainconfig.listen;
3680 this = this->next) {
3681 if (this->type != RAD_LISTEN_DETAIL) continue;
3684 * This one didn't send the signal, skip
3687 if (!this->decode(this, NULL)) continue;
3690 * Go service the interrupt.
3692 event_poll_detail(this);
3700 * Add event handlers for idle timeouts && maximum lifetime.
3702 if ((flag & RADIUS_SIGNAL_SELF_NEW_FD) != 0) {
3703 struct timeval when;
3706 fr_event_now(el, &now);
3708 PTHREAD_MUTEX_LOCK(&proxy_mutex);
3710 while (proxy_listener_list) {
3711 rad_listen_t *this = proxy_listener_list;
3712 listen_socket_t *sock = this->data;
3714 proxy_listener_list = this->next;
3717 if (!sock->home) continue; /* skip UDP sockets */
3721 if (!sock->home->idle_timeout) {
3722 rad_assert(sock->home->lifetime != 0);
3724 when.tv_sec += sock->home->lifetime;
3725 fun = tcp_socket_lifetime;
3727 rad_assert(sock->home->idle_timeout != 0);
3729 when.tv_sec += sock->home->idle_timeout;
3730 fun = tcp_socket_idle_timeout;
3733 if (!fr_event_insert(el, fun, this, &when,
3735 rad_panic("Failed to insert event");
3739 PTHREAD_MUTEX_UNLOCK(&proxy_mutex);
3741 #endif /* WITH_PROXY */
3742 #endif /* WITH_TCP */
3746 void radius_signal_self(int flag)
3748 handle_signal_self(flag);
3752 * Inform ourselves that we received a signal.
3754 void radius_signal_self(int flag)
3760 * The read MUST be non-blocking for this to work.
3762 rcode = read(self_pipe[0], buffer, sizeof(buffer));
3766 for (i = 0; i < rcode; i++) {
3767 buffer[0] |= buffer[i];
3775 write(self_pipe[1], buffer, 1);
3779 static void event_signal_handler(UNUSED fr_event_list_t *xel,
3780 UNUSED int fd, UNUSED void *ctx)
3785 rcode = read(self_pipe[0], buffer, sizeof(buffer));
3786 if (rcode <= 0) return;
3789 * Merge pending signals.
3791 for (i = 0; i < rcode; i++) {
3792 buffer[0] |= buffer[i];
3795 handle_signal_self(buffer[0]);
3800 static void event_socket_handler(fr_event_list_t *xel, UNUSED int fd,
3803 rad_listen_t *listener = ctx;
3804 RAD_REQUEST_FUNP fun;
3807 rad_assert(xel == el);
3811 if (listener->fd < 0) rad_panic("Socket was closed on us!");
3813 if (!listener->recv(listener, &fun, &request)) return;
3815 if (!thread_pool_addrequest(request, fun)) {
3816 request->child_state = REQUEST_DONE;
3822 * This function is called periodically to see if this detail
3823 * file is available for reading.
3825 static void event_poll_detail(void *ctx)
3828 RAD_REQUEST_FUNP fun;
3830 rad_listen_t *this = ctx;
3831 struct timeval when;
3832 listen_detail_t *detail = this->data;
3834 rad_assert(this->type == RAD_LISTEN_DETAIL);
3837 * Try to read something.
3839 * FIXME: This does poll AND receive.
3841 rcode = this->recv(this, &fun, &request);
3843 rad_assert(fun != NULL);
3844 rad_assert(request != NULL);
3846 if (!thread_pool_addrequest(request, fun)) {
3847 request->child_state = REQUEST_DONE;
3851 fr_event_now(el, &now);
3855 * Backdoor API to get the delay until the next poll
3858 delay = this->encode(this, NULL);
3859 tv_add(&when, delay);
3861 if (!fr_event_insert(el, event_poll_detail, this,
3862 &when, &detail->ev)) {
3863 radlog(L_ERR, "Failed creating handler");
3869 static void event_status(struct timeval *wake)
3871 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
3875 if (debug_flag == 0) {
3877 radlog(L_INFO, "Ready to process requests.");
3878 just_started = FALSE;
3884 radlog(L_INFO, "Ready to process requests.");
3886 } else if ((wake->tv_sec != 0) ||
3887 (wake->tv_usec >= 100000)) {
3888 DEBUG("Waking up in %d.%01u seconds.",
3889 (int) wake->tv_sec, (unsigned int) wake->tv_usec / 100000);
3894 * FIXME: Put this somewhere else, where it isn't called
3895 * all of the time...
3898 #if !defined(HAVE_PTHREAD_H) && defined(WNOHANG)
3900 * If there are no child threads, then there may
3901 * be child processes. In that case, wait for
3902 * their exit status, and throw that exit status
3903 * away. This helps get rid of zxombie children.
3905 while (waitpid(-1, &argval, WNOHANG) > 0) {
3913 * Externally-visibly functions.
3915 int radius_event_init(CONF_SECTION *cs, int spawn_flag)
3917 rad_listen_t *head = NULL;
3921 time(&fr_start_time);
3923 el = fr_event_list_create(event_status);
3926 pl = fr_packet_list_create(0);
3927 if (!pl) return 0; /* leak el */
3929 request_num_counter = 0;
3932 if (mainconfig.proxy_requests) {
3934 * Create the tree for managing proxied requests and
3937 proxy_list = fr_packet_list_create(1);
3938 if (!proxy_list) return 0;
3940 #ifdef HAVE_PTHREAD_H
3941 if (pthread_mutex_init(&proxy_mutex, NULL) != 0) {
3942 radlog(L_ERR, "FATAL: Failed to initialize proxy mutex: %s",
3951 * Just before we spawn the child threads, force the log
3952 * subsystem to re-open the log file for every write.
3954 if (spawn_flag) force_log_reopen();
3956 #ifdef HAVE_PTHREAD_H
3958 NO_SUCH_CHILD_PID = (pthread_t ) (0);
3960 NO_SUCH_CHILD_PID = pthread_self(); /* not a child thread */
3963 * Initialize the threads ONLY if we're spawning, AND
3964 * we're running normally.
3966 if (spawn_flag && !check_config &&
3967 (thread_pool_init(cs, &spawn_flag) < 0)) {
3973 * Move all of the thread calls to this file?
3975 * It may be best for the mutexes to be in this file...
3977 have_children = spawn_flag;
3980 DEBUG("%s: #### Skipping IP addresses and Ports ####",
3987 * Child threads need a pipe to signal us, as do the
3990 if (pipe(self_pipe) < 0) {
3991 radlog(L_ERR, "radiusd: Error opening internal pipe: %s",
3995 if (fcntl(self_pipe[0], F_SETFL, O_NONBLOCK | FD_CLOEXEC) < 0) {
3996 radlog(L_ERR, "radiusd: Error setting internal flags: %s",
4000 if (fcntl(self_pipe[1], F_SETFL, O_NONBLOCK | FD_CLOEXEC) < 0) {
4001 radlog(L_ERR, "radiusd: Error setting internal flags: %s",
4006 if (!fr_event_fd_insert(el, 0, self_pipe[0],
4007 event_signal_handler, el)) {
4008 radlog(L_ERR, "Failed creating handler for signals");
4013 DEBUG("%s: #### Opening IP addresses and Ports ####",
4017 * The server temporarily switches to an unprivileged
4018 * user very early in the bootstrapping process.
4019 * However, some sockets MAY require privileged access
4020 * (bind to device, or to port < 1024, or to raw
4021 * sockets). Those sockets need to call suid up/down
4022 * themselves around the functions that need a privileged
4025 if (listen_init(cs, &head) < 0) {
4029 mainconfig.listen = head;
4032 * At this point, no one has any business *ever* going
4035 fr_suid_down_permanent();
4041 static int request_hash_cb(UNUSED void *ctx, void *data)
4043 REQUEST *request = fr_packet2myptr(REQUEST, packet, data);
4046 rad_assert(request->in_proxy_hash == FALSE);
4049 ev_request_free(&request);
4056 static int proxy_hash_cb(UNUSED void *ctx, void *data)
4058 REQUEST *request = fr_packet2myptr(REQUEST, proxy, data);
4060 ev_request_free(&request);
4066 void radius_event_free(void)
4069 * FIXME: Stop all threads, or at least check that
4070 * they're all waiting on the semaphore, and the queues
4076 * There are requests in the proxy hash that aren't
4077 * referenced from anywhere else. Remove them first.
4080 fr_packet_list_walk(proxy_list, NULL, proxy_hash_cb);
4081 fr_packet_list_free(proxy_list);
4086 fr_packet_list_walk(pl, NULL, request_hash_cb);
4088 fr_packet_list_free(pl);
4091 fr_event_list_free(el);
4094 int radius_event_process(void)
4098 return fr_event_loop(el);
4101 void radius_handle_request(REQUEST *request, RAD_REQUEST_FUNP fun)
4103 request->options = RAD_REQUEST_OPTION_DEBUG2;
4105 if (request_pre_handler(request)) {
4106 rad_assert(fun != NULL);
4107 rad_assert(request != NULL);
4109 if (request->server) RDEBUG("server %s {",
4110 request->server != NULL ?
4111 request->server : "");
4114 if (request->server) RDEBUG("} # server %s",
4115 request->server != NULL ?
4116 request->server : "");
4118 request_post_handler(request);
4121 DEBUG2("Going to the next request");