2 * listen.c Handle socket stuff
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2005,2006 The FreeRADIUS server project
21 * Copyright 2005 Alan DeKok <aland@ox.org>
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
29 #include <freeradius-devel/rad_assert.h>
30 #include <freeradius-devel/vqp.h>
31 #include <freeradius-devel/dhcp.h>
33 #include <freeradius-devel/vmps.h>
34 #include <freeradius-devel/detail.h>
37 #include <freeradius-devel/udpfromto.h>
40 #ifdef HAVE_SYS_RESOURCE_H
41 #include <sys/resource.h>
54 * We'll use this below.
56 typedef int (*rad_listen_parse_t)(CONF_SECTION *, rad_listen_t *);
57 typedef void (*rad_listen_free_t)(rad_listen_t *);
59 typedef struct rad_listen_master_t {
60 rad_listen_parse_t parse;
61 rad_listen_free_t free;
62 rad_listen_recv_t recv;
63 rad_listen_send_t send;
64 rad_listen_print_t print;
65 rad_listen_encode_t encode;
66 rad_listen_decode_t decode;
67 } rad_listen_master_t;
69 typedef struct listen_socket_t {
75 #ifdef SO_BINDTODEVICE
76 const char *interface;
78 RADCLIENT_LIST *clients;
81 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type);
84 * Find a per-socket client.
86 RADCLIENT *client_listener_find(const rad_listen_t *listener,
87 const fr_ipaddr_t *ipaddr, int src_port)
89 #ifdef WITH_DYNAMIC_CLIENTS
91 listen_socket_t *sock;
97 RADCLIENT_LIST *clients;
99 rad_assert(listener != NULL);
100 rad_assert(ipaddr != NULL);
102 clients = ((listen_socket_t *)listener->data)->clients;
105 * This HAS to have been initialized previously.
107 rad_assert(clients != NULL);
109 client = client_find(clients, ipaddr);
111 static time_t last_printed = 0;
112 char name[256], buffer[128];
114 #ifdef WITH_DYNAMIC_CLIENTS
115 unknown: /* used only for dynamic clients */
119 * DoS attack quenching, but only in debug mode.
120 * If they're running in debug mode, show them
123 if (debug_flag == 0) {
125 if (last_printed == now) return NULL;
130 listener->print(listener, name, sizeof(name));
132 radlog(L_ERR, "Ignoring request to %s from unknown client %s port %d",
133 name, inet_ntop(ipaddr->af, &ipaddr->ipaddr,
134 buffer, sizeof(buffer)),
139 #ifndef WITH_DYNAMIC_CLIENTS
140 return client; /* return the found client. */
144 * No server defined, and it's not dynamic. Return it.
146 if (!client->client_server && !client->dynamic) return client;
151 * It's a dynamically generated client, check it.
153 if (client->dynamic && (src_port != 0)) {
155 * Lives forever. Return it.
157 if (client->lifetime == 0) return client;
160 * Rate-limit the deletion of known clients.
161 * This makes them last a little longer, but
162 * prevents the server from melting down if (say)
163 * 10k clients all expire at once.
165 if (now == client->last_new_client) return client;
168 * It's not dead yet. Return it.
170 if ((client->created + client->lifetime) > now) return client;
173 * This really puts them onto a queue for later
176 client_delete(clients, client);
179 * Go find the enclosing network again.
181 client = client_find(clients, ipaddr);
186 if (!client) goto unknown;
187 if (!client->client_server) goto unknown;
190 * At this point, 'client' is the enclosing
191 * network that configures where dynamic clients
194 rad_assert(client->dynamic == 0);
197 * The IP is unknown, so we've found an enclosing
198 * network. Enable DoS protection. We only
199 * allow one new client per second. Known
200 * clients aren't subject to this restriction.
202 if (now == client->last_new_client) goto unknown;
205 client->last_new_client = now;
207 request = request_alloc();
208 if (!request) goto unknown;
210 request->listener = listener;
211 request->client = client;
212 request->packet = rad_recv(listener->fd, 0x02); /* MSG_PEEK */
213 if (!request->packet) { /* badly formed, etc */
214 request_free(&request);
217 request->reply = rad_alloc_reply(request->packet);
218 if (!request->reply) {
219 request_free(&request);
222 request->packet->timestamp = request->timestamp;
224 request->priority = listener->type;
225 request->server = client->client_server;
226 request->root = &mainconfig;
229 * Run a fake request through the given virtual server.
230 * Look for FreeRADIUS-Client-IP-Address
231 * FreeRADIUS-Client-Secret
234 * and create the RADCLIENT structure from that.
236 DEBUG("server %s {", request->server);
238 rcode = module_authorize(0, request);
240 DEBUG("} # server %s", request->server);
242 if (rcode != RLM_MODULE_OK) {
243 request_free(&request);
248 * If the client was updated by rlm_dynamic_clients,
249 * don't create the client from attribute-value pairs.
251 if (request->client == client) {
252 created = client_create(clients, request);
254 created = request->client;
257 * This frees the client if it isn't valid.
259 if (!client_validate(clients, client, created)) goto unknown;
261 request_free(&request);
263 if (!created) goto unknown;
269 static int listen_bind(rad_listen_t *this);
273 * Process and reply to a server-status request.
274 * Like rad_authenticate and rad_accounting this should
275 * live in it's own file but it's so small we don't bother.
277 static int rad_status_server(REQUEST *request)
279 int rcode = RLM_MODULE_OK;
282 switch (request->listener->type) {
284 case RAD_LISTEN_NONE:
286 case RAD_LISTEN_AUTH:
287 dval = dict_valbyname(PW_AUTZ_TYPE, "Status-Server");
289 rcode = module_authorize(dval->value, request);
291 rcode = RLM_MODULE_OK;
296 case RLM_MODULE_UPDATED:
297 request->reply->code = PW_AUTHENTICATION_ACK;
300 case RLM_MODULE_FAIL:
301 case RLM_MODULE_HANDLED:
302 request->reply->code = 0; /* don't reply */
306 case RLM_MODULE_REJECT:
307 request->reply->code = PW_AUTHENTICATION_REJECT;
312 #ifdef WITH_ACCOUNTING
313 case RAD_LISTEN_ACCT:
314 dval = dict_valbyname(PW_ACCT_TYPE, "Status-Server");
316 rcode = module_accounting(dval->value, request);
318 rcode = RLM_MODULE_OK;
323 case RLM_MODULE_UPDATED:
324 request->reply->code = PW_ACCOUNTING_RESPONSE;
328 request->reply->code = 0; /* don't reply */
336 * This is a vendor extension. Suggested by Glen
337 * Zorn in IETF 72, and rejected by the rest of
338 * the WG. We like it, so it goes in here.
341 dval = dict_valbyname(PW_RECV_COA_TYPE, "Status-Server");
343 rcode = module_recv_coa(dval->value, request);
345 rcode = RLM_MODULE_OK;
350 case RLM_MODULE_UPDATED:
351 request->reply->code = PW_COA_ACK;
355 request->reply->code = 0; /* don't reply */
367 * Full statistics are available only on a statistics
370 if (request->listener->type == RAD_LISTEN_NONE) {
371 request_stats_reply(request);
379 static int socket_print(rad_listen_t *this, char *buffer, size_t bufsize)
382 listen_socket_t *sock = this->data;
385 switch (this->type) {
387 case RAD_LISTEN_NONE: /* what a hack... */
392 case RAD_LISTEN_AUTH:
393 name = "authentication";
396 #ifdef WITH_ACCOUNTING
397 case RAD_LISTEN_ACCT:
403 case RAD_LISTEN_PROXY:
415 case RAD_LISTEN_DHCP:
431 #define FORWARD len = strlen(buffer); if (len >= (bufsize + 1)) return 0;buffer += len;bufsize -= len
432 #define ADDSTRING(_x) strlcpy(buffer, _x, bufsize);FORWARD
436 #ifdef SO_BINDTODEVICE
437 if (sock->interface) {
438 ADDSTRING(" interface ");
439 ADDSTRING(sock->interface);
443 ADDSTRING(" address ");
445 if ((sock->ipaddr.af == AF_INET) &&
446 (sock->ipaddr.ipaddr.ip4addr.s_addr == htonl(INADDR_ANY))) {
447 strlcpy(buffer, "*", bufsize);
449 ip_ntoh(&sock->ipaddr, buffer, bufsize);
454 snprintf(buffer, bufsize, "%d", sock->port);
458 ADDSTRING(" as server ");
459 ADDSTRING(this->server);
470 * Parse an authentication or accounting socket.
472 static int common_socket_parse(CONF_SECTION *cs, rad_listen_t *this)
477 listen_socket_t *sock = this->data;
478 char *section_name = NULL;
479 CONF_SECTION *client_cs, *parentcs;
484 ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
485 rcode = cf_item_parse(cs, "ipaddr", PW_TYPE_IPADDR,
486 &ipaddr.ipaddr.ip4addr, NULL);
487 if (rcode < 0) return -1;
489 if (rcode == 0) { /* successfully parsed IPv4 */
492 } else { /* maybe IPv6? */
493 rcode = cf_item_parse(cs, "ipv6addr", PW_TYPE_IPV6ADDR,
494 &ipaddr.ipaddr.ip6addr, NULL);
495 if (rcode < 0) return -1;
498 cf_log_err(cf_sectiontoitem(cs),
499 "No address specified in listen section");
502 ipaddr.af = AF_INET6;
505 rcode = cf_item_parse(cs, "port", PW_TYPE_INTEGER,
507 if (rcode < 0) return -1;
509 if ((listen_port < 0) || (listen_port > 65535)) {
510 cf_log_err(cf_sectiontoitem(cs),
511 "Invalid value for \"port\"");
515 sock->ipaddr = ipaddr;
516 sock->port = listen_port;
519 * If we can bind to interfaces, do so,
522 if (cf_pair_find(cs, "interface")) {
523 #ifndef SO_BINDTODEVICE
524 cf_log_err(cf_sectiontoitem(cs),
525 "System does not support binding to interfaces. Delete this line from the configuration file.");
529 CONF_PAIR *cp = cf_pair_find(cs, "interface");
531 rad_assert(cp != NULL);
532 value = cf_pair_value(cp);
534 cf_log_err(cf_sectiontoitem(cs),
535 "No interface name given");
538 sock->interface = value;
543 * And bind it to the port.
545 if (listen_bind(this) < 0) {
547 cf_log_err(cf_sectiontoitem(cs),
548 "Error binding to port for %s port %d",
549 ip_ntoh(&sock->ipaddr, buffer, sizeof(buffer)),
556 * Proxy sockets don't have clients.
558 if (this->type == RAD_LISTEN_PROXY) return 0;
562 * The more specific configurations are preferred to more
566 parentcs = cf_top_section(cs);
567 rcode = cf_item_parse(cs, "clients", PW_TYPE_STRING_PTR,
568 §ion_name, NULL);
569 if (rcode < 0) return -1; /* bad string */
572 * Explicit list given: use it.
574 client_cs = cf_section_sub_find_name2(parentcs,
578 client_cs = cf_section_find(section_name);
581 cf_log_err(cf_sectiontoitem(cs),
582 "Failed to find clients %s {...}",
588 } /* else there was no "clients = " entry. */
591 CONF_SECTION *server_cs;
593 server_cs = cf_section_sub_find_name2(parentcs,
597 * Found a "server foo" section. If there are clients
601 (cf_section_sub_find(server_cs, "client") != NULL)) {
602 client_cs = server_cs;
607 * Still nothing. Look for global clients.
609 if (!client_cs) client_cs = parentcs;
611 sock->clients = clients_parse_section(client_cs);
612 if (!sock->clients) {
613 cf_log_err(cf_sectiontoitem(cs),
614 "Failed to load clients for this listen section");
622 * Send an authentication response packet
624 static int auth_socket_send(rad_listen_t *listener, REQUEST *request)
626 rad_assert(request->listener == listener);
627 rad_assert(listener->send == auth_socket_send);
629 return rad_send(request->reply, request->packet,
630 request->client->secret);
634 #ifdef WITH_ACCOUNTING
636 * Send an accounting response packet (or not)
638 static int acct_socket_send(rad_listen_t *listener, REQUEST *request)
640 rad_assert(request->listener == listener);
641 rad_assert(listener->send == acct_socket_send);
644 * Accounting reject's are silently dropped.
646 * We do it here to avoid polluting the rest of the
647 * code with this knowledge
649 if (request->reply->code == 0) return 0;
651 return rad_send(request->reply, request->packet,
652 request->client->secret);
658 * Send a packet to a home server.
660 * FIXME: have different code for proxy auth & acct!
662 static int proxy_socket_send(rad_listen_t *listener, REQUEST *request)
664 listen_socket_t *sock = listener->data;
666 rad_assert(request->proxy_listener == listener);
667 rad_assert(listener->send == proxy_socket_send);
669 request->proxy->src_ipaddr = sock->ipaddr;
670 request->proxy->src_port = sock->port;
672 return rad_send(request->proxy, request->packet,
673 request->home_server->secret);
679 * Check if an incoming request is "ok"
681 * It takes packets, not requests. It sees if the packet looks
682 * OK. If so, it does a number of sanity checks on it.
684 static int stats_socket_recv(rad_listen_t *listener,
685 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
689 RADIUS_PACKET *packet;
691 fr_ipaddr_t src_ipaddr;
693 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
694 if (rcode < 0) return 0;
696 RAD_STATS_TYPE_INC(listener, total_requests);
698 if (rcode < 20) { /* AUTH_HDR_LEN */
699 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
703 if ((client = client_listener_find(listener,
704 &src_ipaddr, src_port)) == NULL) {
705 rad_recv_discard(listener->fd);
706 RAD_STATS_TYPE_INC(listener, total_invalid_requests);
711 * We only understand Status-Server on this socket.
713 if (code != PW_STATUS_SERVER) {
714 DEBUG("Ignoring packet code %d sent to Status-Server port",
716 rad_recv_discard(listener->fd);
717 RAD_STATS_TYPE_INC(listener, total_unknown_types);
718 RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
723 * Now that we've sanity checked everything, receive the
726 packet = rad_recv(listener->fd, 1); /* require message authenticator */
728 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
729 DEBUG("%s", fr_strerror());
733 if (!received_request(listener, packet, prequest, client)) {
734 RAD_STATS_TYPE_INC(listener, total_packets_dropped);
735 RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
740 *pfun = rad_status_server;
747 * Check if an incoming request is "ok"
749 * It takes packets, not requests. It sees if the packet looks
750 * OK. If so, it does a number of sanity checks on it.
752 static int auth_socket_recv(rad_listen_t *listener,
753 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
757 RADIUS_PACKET *packet;
758 RAD_REQUEST_FUNP fun = NULL;
760 fr_ipaddr_t src_ipaddr;
762 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
763 if (rcode < 0) return 0;
765 RAD_STATS_TYPE_INC(listener, total_requests);
767 if (rcode < 20) { /* AUTH_HDR_LEN */
768 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
772 if ((client = client_listener_find(listener,
773 &src_ipaddr, src_port)) == NULL) {
774 rad_recv_discard(listener->fd);
775 RAD_STATS_TYPE_INC(listener, total_invalid_requests);
780 * Some sanity checks, based on the packet code.
783 case PW_AUTHENTICATION_REQUEST:
784 RAD_STATS_CLIENT_INC(listener, client, total_requests);
785 fun = rad_authenticate;
788 case PW_STATUS_SERVER:
789 if (!mainconfig.status_server) {
790 rad_recv_discard(listener->fd);
791 RAD_STATS_TYPE_INC(listener, total_packets_dropped);
792 RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
793 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
796 fun = rad_status_server;
800 rad_recv_discard(listener->fd);
801 RAD_STATS_INC(radius_auth_stats.total_unknown_types);
802 RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
804 DEBUG("Invalid packet code %d sent to authentication port from client %s port %d : IGNORED",
805 code, client->shortname, src_port);
808 } /* switch over packet types */
811 * Now that we've sanity checked everything, receive the
814 packet = rad_recv(listener->fd, client->message_authenticator);
816 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
817 DEBUG("%s", fr_strerror());
821 if (!received_request(listener, packet, prequest, client)) {
822 RAD_STATS_TYPE_INC(listener, total_packets_dropped);
823 RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
833 #ifdef WITH_ACCOUNTING
835 * Receive packets from an accounting socket
837 static int acct_socket_recv(rad_listen_t *listener,
838 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
842 RADIUS_PACKET *packet;
843 RAD_REQUEST_FUNP fun = NULL;
845 fr_ipaddr_t src_ipaddr;
847 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
848 if (rcode < 0) return 0;
850 RAD_STATS_TYPE_INC(listener, total_requests);
852 if (rcode < 20) { /* AUTH_HDR_LEN */
853 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
857 if ((client = client_listener_find(listener,
858 &src_ipaddr, src_port)) == NULL) {
859 rad_recv_discard(listener->fd);
860 RAD_STATS_TYPE_INC(listener, total_invalid_requests);
865 * Some sanity checks, based on the packet code.
868 case PW_ACCOUNTING_REQUEST:
869 RAD_STATS_CLIENT_INC(listener, client, total_requests);
870 fun = rad_accounting;
873 case PW_STATUS_SERVER:
874 if (!mainconfig.status_server) {
875 rad_recv_discard(listener->fd);
876 RAD_STATS_TYPE_INC(listener, total_packets_dropped);
877 RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
879 DEBUG("WARNING: Ignoring Status-Server request due to security configuration");
882 fun = rad_status_server;
886 rad_recv_discard(listener->fd);
887 RAD_STATS_TYPE_INC(listener, total_unknown_types);
888 RAD_STATS_CLIENT_INC(listener, client, total_unknown_types);
890 DEBUG("Invalid packet code %d sent to a accounting port from client %s port %d : IGNORED",
891 code, client->shortname, src_port);
893 } /* switch over packet types */
896 * Now that we've sanity checked everything, receive the
899 packet = rad_recv(listener->fd, 0);
901 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
902 radlog(L_ERR, "%s", fr_strerror());
907 * There can be no duplicate accounting packets.
909 if (!received_request(listener, packet, prequest, client)) {
910 RAD_STATS_TYPE_INC(listener, total_packets_dropped);
911 RAD_STATS_CLIENT_INC(listener, client, total_packets_dropped);
924 * For now, all CoA requests are *only* originated, and not
925 * proxied. So all of the necessary work is done in the
926 * post-proxy section, which is automatically handled by event.c.
927 * As a result, we don't have to do anything here.
929 static int rad_coa_reply(REQUEST *request)
934 * Inform the user about RFC requirements.
936 s1 = pairfind(request->proxy->vps, PW_STATE);
938 s2 = pairfind(request->proxy_reply->vps, PW_STATE);
941 DEBUG("WARNING: Client was sent State in CoA, and did not respond with State.");
943 } else if ((s1->length != s2->length) ||
944 (memcmp(s1->vp_octets, s2->vp_octets,
946 DEBUG("WARNING: Client was sent State in CoA, and did not respond with the same State.");
950 return RLM_MODULE_OK;
954 * Receive a CoA packet.
956 static int rad_coa_recv(REQUEST *request)
958 int rcode = RLM_MODULE_OK;
963 * Get the correct response
965 switch (request->packet->code) {
971 case PW_DISCONNECT_REQUEST:
972 ack = PW_DISCONNECT_ACK;
973 nak = PW_DISCONNECT_NAK;
976 default: /* shouldn't happen */
977 return RLM_MODULE_FAIL;
981 #define WAS_PROXIED (request->proxy)
983 #define WAS_PROXIED (0)
988 * RFC 5176 Section 3.3. If we have a CoA-Request
989 * with Service-Type = Authorize-Only, it MUST
990 * have a State attribute in it.
992 vp = pairfind(request->packet->vps, PW_SERVICE_TYPE);
993 if (request->packet->code == PW_COA_REQUEST) {
994 if (vp && (vp->vp_integer == 17)) {
995 vp = pairfind(request->packet->vps, PW_STATE);
996 if (!vp || (vp->length == 0)) {
997 RDEBUG("ERROR: CoA-Request with Service-Type = Authorize-Only MUST contain a State attribute");
998 request->reply->code = PW_COA_NAK;
999 return RLM_MODULE_FAIL;
1004 * RFC 5176, Section 3.2.
1006 RDEBUG("ERROR: Disconnect-Request MUST NOT contain a Service-Type attribute");
1007 request->reply->code = PW_DISCONNECT_NAK;
1008 return RLM_MODULE_FAIL;
1011 rcode = module_recv_coa(0, request);
1013 case RLM_MODULE_FAIL:
1014 case RLM_MODULE_INVALID:
1015 case RLM_MODULE_REJECT:
1016 case RLM_MODULE_USERLOCK:
1018 request->reply->code = nak;
1021 case RLM_MODULE_HANDLED:
1024 case RLM_MODULE_NOOP:
1025 case RLM_MODULE_NOTFOUND:
1027 case RLM_MODULE_UPDATED:
1028 request->reply->code = ack;
1033 * Start the reply code with the proxy reply
1036 request->reply->code = request->proxy_reply->code;
1040 * Copy State from the request to the reply.
1041 * See RFC 5176 Section 3.3.
1043 vp = paircopy2(request->packet->vps, PW_STATE);
1044 if (vp) pairadd(&request->reply->vps, vp);
1047 * We may want to over-ride the reply.
1049 rcode = module_send_coa(0, request);
1052 * We need to send CoA-NAK back if Service-Type
1053 * is Authorize-Only. Rely on the user's policy
1054 * to do that. We're not a real NAS, so this
1055 * restriction doesn't (ahem) apply to us.
1057 case RLM_MODULE_FAIL:
1058 case RLM_MODULE_INVALID:
1059 case RLM_MODULE_REJECT:
1060 case RLM_MODULE_USERLOCK:
1063 * Over-ride an ACK with a NAK
1065 request->reply->code = nak;
1068 case RLM_MODULE_HANDLED:
1071 case RLM_MODULE_NOOP:
1072 case RLM_MODULE_NOTFOUND:
1074 case RLM_MODULE_UPDATED:
1076 * Do NOT over-ride a previously set value.
1077 * Otherwise an "ok" here will re-write a
1080 if (request->reply->code == 0) {
1081 request->reply->code = ack;
1087 return RLM_MODULE_OK;
1092 * Check if an incoming request is "ok"
1094 * It takes packets, not requests. It sees if the packet looks
1095 * OK. If so, it does a number of sanity checks on it.
1097 static int coa_socket_recv(rad_listen_t *listener,
1098 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1102 RADIUS_PACKET *packet;
1103 RAD_REQUEST_FUNP fun = NULL;
1106 fr_ipaddr_t src_ipaddr;
1108 rcode = rad_recv_header(listener->fd, &src_ipaddr, &src_port, &code);
1109 if (rcode < 0) return 0;
1111 RAD_STATS_TYPE_INC(listener, total_requests);
1113 if (rcode < 20) { /* AUTH_HDR_LEN */
1114 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
1118 if ((client = client_listener_find(listener,
1119 &src_ipaddr, src_port)) == NULL) {
1120 rad_recv_discard(listener->fd);
1121 RAD_STATS_TYPE_INC(listener, total_invalid_requests);
1123 if (debug_flag > 0) {
1126 listener->print(listener, name, sizeof(name));
1129 * This is debugging rather than logging, so that
1130 * DoS attacks don't affect us.
1132 DEBUG("Ignoring request to %s from unknown client %s port %d",
1134 inet_ntop(src_ipaddr.af, &src_ipaddr.ipaddr,
1135 buffer, sizeof(buffer)), src_port);
1142 * Some sanity checks, based on the packet code.
1145 case PW_COA_REQUEST:
1146 case PW_DISCONNECT_REQUEST:
1151 rad_recv_discard(listener->fd);
1152 DEBUG("Invalid packet code %d sent to coa port from client %s port %d : IGNORED",
1153 code, client->shortname, src_port);
1156 } /* switch over packet types */
1159 * Now that we've sanity checked everything, receive the
1162 packet = rad_recv(listener->fd, client->message_authenticator);
1164 RAD_STATS_TYPE_INC(listener, total_malformed_requests);
1165 DEBUG("%s", fr_strerror());
1169 if (!received_request(listener, packet, prequest, client)) {
1181 * Recieve packets from a proxy socket.
1183 static int proxy_socket_recv(rad_listen_t *listener,
1184 RAD_REQUEST_FUNP *pfun, REQUEST **prequest)
1187 RADIUS_PACKET *packet;
1188 RAD_REQUEST_FUNP fun = NULL;
1191 packet = rad_recv(listener->fd, 0);
1193 radlog(L_ERR, "%s", fr_strerror());
1198 * FIXME: Client MIB updates?
1200 switch(packet->code) {
1201 case PW_AUTHENTICATION_ACK:
1202 case PW_ACCESS_CHALLENGE:
1203 case PW_AUTHENTICATION_REJECT:
1204 fun = rad_authenticate;
1207 #ifdef WITH_ACCOUNTING
1208 case PW_ACCOUNTING_RESPONSE:
1209 fun = rad_accounting;
1214 case PW_DISCONNECT_ACK:
1215 case PW_DISCONNECT_NAK:
1218 fun = rad_coa_reply;
1224 * FIXME: Update MIB for packet types?
1226 radlog(L_ERR, "Invalid packet code %d sent to a proxy port "
1227 "from home server %s port %d - ID %d : IGNORED",
1229 ip_ntoh(&packet->src_ipaddr, buffer, sizeof(buffer)),
1230 packet->src_port, packet->id);
1235 request = received_proxy_response(packet);
1243 * Distinguish proxied CoA requests from ones we
1246 if ((fun == rad_coa_reply) &&
1247 (request->packet->code == request->proxy->code)) {
1252 rad_assert(fun != NULL);
1254 *prequest = request;
1261 static int client_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
1263 if (!request->reply->code) return 0;
1265 rad_encode(request->reply, request->packet,
1266 request->client->secret);
1267 rad_sign(request->reply, request->packet,
1268 request->client->secret);
1274 static int client_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
1276 if (rad_verify(request->packet, NULL,
1277 request->client->secret) < 0) {
1281 return rad_decode(request->packet, NULL,
1282 request->client->secret);
1286 static int proxy_socket_encode(UNUSED rad_listen_t *listener, REQUEST *request)
1288 rad_encode(request->proxy, NULL, request->home_server->secret);
1289 rad_sign(request->proxy, NULL, request->home_server->secret);
1295 static int proxy_socket_decode(UNUSED rad_listen_t *listener, REQUEST *request)
1298 * rad_verify is run in event.c, received_proxy_response()
1301 return rad_decode(request->proxy_reply, request->proxy,
1302 request->home_server->secret);
1308 #include "command.c"
1310 static const rad_listen_master_t master_listen[RAD_LISTEN_MAX] = {
1312 { common_socket_parse, NULL,
1313 stats_socket_recv, auth_socket_send,
1314 socket_print, client_socket_encode, client_socket_decode },
1317 * This always gets defined.
1319 { NULL, NULL, NULL, NULL, NULL, NULL, NULL}, /* RAD_LISTEN_NONE */
1324 { common_socket_parse, NULL,
1325 proxy_socket_recv, proxy_socket_send,
1326 socket_print, proxy_socket_encode, proxy_socket_decode },
1329 /* authentication */
1330 { common_socket_parse, NULL,
1331 auth_socket_recv, auth_socket_send,
1332 socket_print, client_socket_encode, client_socket_decode },
1334 #ifdef WITH_ACCOUNTING
1336 { common_socket_parse, NULL,
1337 acct_socket_recv, acct_socket_send,
1338 socket_print, client_socket_encode, client_socket_decode},
1343 { detail_parse, detail_free,
1344 detail_recv, detail_send,
1345 detail_print, detail_encode, detail_decode },
1349 /* vlan query protocol */
1350 { common_socket_parse, NULL,
1351 vqp_socket_recv, vqp_socket_send,
1352 socket_print, vqp_socket_encode, vqp_socket_decode },
1356 /* dhcp query protocol */
1357 { dhcp_socket_parse, NULL,
1358 dhcp_socket_recv, dhcp_socket_send,
1359 socket_print, dhcp_socket_encode, dhcp_socket_decode },
1362 #ifdef WITH_COMMAND_SOCKET
1363 /* TCP command socket */
1364 { command_socket_parse, NULL,
1365 command_domain_accept, command_domain_send,
1366 command_socket_print, command_socket_encode, command_socket_decode },
1370 /* Change of Authorization */
1371 { common_socket_parse, NULL,
1372 coa_socket_recv, auth_socket_send, /* CoA packets are same as auth */
1373 socket_print, client_socket_encode, client_socket_decode },
1381 * Binds a listener to a socket.
1383 static int listen_bind(rad_listen_t *this)
1386 struct sockaddr_storage salocal;
1388 listen_socket_t *sock = this->data;
1391 * If the port is zero, then it means the appropriate
1392 * thing from /etc/services.
1394 if (sock->port == 0) {
1395 struct servent *svp;
1397 switch (this->type) {
1398 case RAD_LISTEN_AUTH:
1399 svp = getservbyname ("radius", "udp");
1401 sock->port = ntohs(svp->s_port);
1403 sock->port = PW_AUTH_UDP_PORT;
1407 #ifdef WITH_ACCOUNTING
1408 case RAD_LISTEN_ACCT:
1409 svp = getservbyname ("radacct", "udp");
1411 sock->port = ntohs(svp->s_port);
1413 sock->port = PW_ACCT_UDP_PORT;
1419 case RAD_LISTEN_PROXY:
1425 case RAD_LISTEN_VQP:
1431 case RAD_LISTEN_COA:
1432 sock->port = PW_COA_UDP_PORT;
1437 radlog(L_ERR, "ERROR: Non-fatal internal sanity check failed in bind.");
1443 * Copy fr_socket() here, as we may need to bind to a device.
1445 this->fd = socket(sock->ipaddr.af, SOCK_DGRAM, 0);
1447 radlog(L_ERR, "Failed opening socket: %s", strerror(errno));
1451 #ifdef SO_BINDTODEVICE
1453 * Bind to a device BEFORE touching IP addresses.
1455 if (sock->interface) {
1457 strcpy(ifreq.ifr_name, sock->interface);
1460 rcode = setsockopt(this->fd, SOL_SOCKET, SO_BINDTODEVICE,
1461 (char *)&ifreq, sizeof(ifreq));
1465 radlog(L_ERR, "Failed binding to interface %s: %s",
1466 sock->interface, strerror(errno));
1468 } /* else it worked. */
1472 #ifdef WITH_UDPFROMTO
1474 * Initialize udpfromto for all sockets.
1476 if (udpfromto_init(this->fd) != 0) {
1483 * Set up sockaddr stuff.
1485 if (!fr_ipaddr2sockaddr(&sock->ipaddr, sock->port, &salocal, &salen)) {
1490 #ifdef HAVE_STRUCT_SOCKADDR_IN6
1491 if (sock->ipaddr.af == AF_INET6) {
1493 * Listening on '::' does NOT get you IPv4 to
1494 * IPv6 mapping. You've got to listen on an IPv4
1495 * address, too. This makes the rest of the server
1496 * design a little simpler.
1500 if (IN6_IS_ADDR_UNSPECIFIED(&sock->ipaddr.ipaddr.ip6addr)) {
1503 setsockopt(this->fd, IPPROTO_IPV6, IPV6_V6ONLY,
1504 (char *)&on, sizeof(on));
1506 #endif /* IPV6_V6ONLY */
1508 #endif /* HAVE_STRUCT_SOCKADDR_IN6 */
1511 * May be binding to priviledged ports.
1514 rcode = bind(this->fd, (struct sockaddr *) &salocal, salen);
1520 this->print(this, buffer, sizeof(buffer));
1521 radlog(L_ERR, "Failed binding to %s: %s\n",
1522 buffer, strerror(errno));
1527 * FreeBSD jail issues. We bind to 0.0.0.0, but the
1528 * kernel instead binds us to a 1.2.3.4. If this
1529 * happens, notice, and remember our real IP.
1532 struct sockaddr_storage src;
1533 socklen_t sizeof_src = sizeof(src);
1535 memset(&src, 0, sizeof_src);
1536 if (getsockname(this->fd, (struct sockaddr *) &src,
1538 radlog(L_ERR, "Failed getting socket name: %s",
1543 if (!fr_sockaddr2ipaddr(&src, sizeof_src,
1544 &sock->ipaddr, &sock->port)) {
1545 radlog(L_ERR, "Socket has unsupported address family");
1554 if ((flags = fcntl(this->fd, F_GETFL, NULL)) < 0) {
1555 radlog(L_ERR, "Failure getting socket flags: %s)\n",
1560 flags |= O_NONBLOCK;
1561 if( fcntl(this->fd, F_SETFL, flags) < 0) {
1562 radlog(L_ERR, "Failure setting socket flags: %s)\n",
1574 * Allocate & initialize a new listener.
1576 static rad_listen_t *listen_alloc(RAD_LISTEN_TYPE type)
1580 this = rad_malloc(sizeof(*this));
1581 memset(this, 0, sizeof(*this));
1584 this->recv = master_listen[this->type].recv;
1585 this->send = master_listen[this->type].send;
1586 this->print = master_listen[this->type].print;
1587 this->encode = master_listen[this->type].encode;
1588 this->decode = master_listen[this->type].decode;
1592 case RAD_LISTEN_NONE:
1594 case RAD_LISTEN_AUTH:
1595 #ifdef WITH_ACCOUNTING
1596 case RAD_LISTEN_ACCT:
1599 case RAD_LISTEN_PROXY:
1602 case RAD_LISTEN_VQP:
1605 case RAD_LISTEN_DHCP:
1608 case RAD_LISTEN_COA:
1610 this->data = rad_malloc(sizeof(listen_socket_t));
1611 memset(this->data, 0, sizeof(listen_socket_t));
1615 case RAD_LISTEN_DETAIL:
1620 #ifdef WITH_COMMAND_SOCKET
1621 case RAD_LISTEN_COMMAND:
1622 this->data = rad_malloc(sizeof(fr_command_socket_t));
1623 memset(this->data, 0, sizeof(fr_command_socket_t));
1628 rad_assert("Unsupported option!" == NULL);
1638 * Externally visible function for creating a new proxy LISTENER.
1640 * Not thread-safe, but all calls to it are protected by the
1641 * proxy mutex in event.c
1643 rad_listen_t *proxy_new_listener(fr_ipaddr_t *ipaddr, int exists)
1645 int last_proxy_port, port;
1646 rad_listen_t *this, *tmp, **last;
1647 listen_socket_t *sock, *old;
1650 * Find an existing proxy socket to copy.
1652 last_proxy_port = 0;
1654 last = &mainconfig.listen;
1655 for (tmp = mainconfig.listen; tmp != NULL; tmp = tmp->next) {
1657 * Not proxy, ignore it.
1659 if (tmp->type != RAD_LISTEN_PROXY) continue;
1664 * If we were asked to copy a specific one, do
1665 * so. If we're just finding one that already
1666 * exists, return a pointer to it. Otherwise,
1667 * create ANOTHER one with the same IP address.
1669 if ((ipaddr->af != AF_UNSPEC) &&
1670 (fr_ipaddr_cmp(&sock->ipaddr, ipaddr) != 0)) {
1671 if (exists) return tmp;
1675 if (sock->port > last_proxy_port) {
1676 last_proxy_port = sock->port + 1;
1678 if (!old) old = sock;
1680 last = &(tmp->next);
1685 * The socket MUST already exist if we're binding
1686 * to an address while proxying.
1688 * If we're initializing the server, it's OK for the
1689 * socket to NOT exist.
1691 if (!exists) return NULL;
1693 this = listen_alloc(RAD_LISTEN_PROXY);
1696 sock->ipaddr = *ipaddr;
1699 this = listen_alloc(RAD_LISTEN_PROXY);
1702 sock->ipaddr = old->ipaddr;
1706 * Keep going until we find an unused port.
1708 for (port = last_proxy_port; port < 64000; port++) {
1713 rcode = listen_bind(this);
1720 * Add the new listener to the list of
1732 static const FR_NAME_NUMBER listen_compare[] = {
1734 { "status", RAD_LISTEN_NONE },
1736 { "auth", RAD_LISTEN_AUTH },
1737 #ifdef WITH_ACCOUNTING
1738 { "acct", RAD_LISTEN_ACCT },
1741 { "detail", RAD_LISTEN_DETAIL },
1744 { "proxy", RAD_LISTEN_PROXY },
1747 { "vmps", RAD_LISTEN_VQP },
1750 { "dhcp", RAD_LISTEN_DHCP },
1752 #ifdef WITH_COMMAND_SOCKET
1753 { "control", RAD_LISTEN_COMMAND },
1756 { "coa", RAD_LISTEN_COA },
1762 static rad_listen_t *listen_parse(CONF_SECTION *cs, const char *server)
1770 cf_log_info(cs, "listen {");
1772 rcode = cf_item_parse(cs, "type", PW_TYPE_STRING_PTR,
1774 if (rcode < 0) return NULL;
1777 cf_log_err(cf_sectiontoitem(cs),
1778 "No type specified in listen section");
1782 type = fr_str2int(listen_compare, listen_type, -1);
1784 cf_log_err(cf_sectiontoitem(cs),
1785 "Invalid type \"%s\" in listen section.",
1793 * Allow listen sections in the default config to
1794 * refer to a server.
1797 rcode = cf_item_parse(cs, "virtual_server", PW_TYPE_STRING_PTR,
1799 if (rcode == 1) { /* compatiblity with 2.0-pre */
1800 rcode = cf_item_parse(cs, "server", PW_TYPE_STRING_PTR,
1803 if (rcode < 0) return NULL;
1807 * Set up cross-type data.
1809 this = listen_alloc(type);
1810 this->server = server;
1814 * Call per-type parser.
1816 if (master_listen[type].parse(cs, this) < 0) {
1821 cf_log_info(cs, "}");
1827 * Generate a list of listeners. Takes an input list of
1828 * listeners, too, so we don't close sockets with waiting packets.
1830 int listen_init(CONF_SECTION *config, rad_listen_t **head)
1832 int override = FALSE;
1834 CONF_SECTION *cs = NULL;
1835 rad_listen_t **last;
1837 fr_ipaddr_t server_ipaddr;
1840 int defined_proxy = 0;
1844 * We shouldn't be called with a pre-existing list.
1846 rad_assert(head && (*head == NULL));
1849 server_ipaddr.af = AF_UNSPEC;
1852 * If the port is specified on the command-line,
1853 * it over-rides the configuration file.
1855 * FIXME: If argv[0] == "vmpsd", then don't listen on auth/acct!
1857 if (mainconfig.port >= 0) auth_port = mainconfig.port;
1860 * If the IP address was configured on the command-line,
1861 * use that as the "bind_address"
1863 if (mainconfig.myip.af != AF_UNSPEC) {
1864 memcpy(&server_ipaddr, &mainconfig.myip,
1865 sizeof(server_ipaddr));
1871 * Else look for bind_address and/or listen sections.
1873 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_NONE);
1874 rcode = cf_item_parse(config, "bind_address",
1876 &server_ipaddr.ipaddr.ip4addr, NULL);
1877 if (rcode < 0) return -1; /* error parsing it */
1879 if (rcode == 0) { /* successfully parsed IPv4 */
1880 listen_socket_t *sock;
1881 server_ipaddr.af = AF_INET;
1883 radlog(L_INFO, "WARNING: The directive 'bind_adress' is deprecated, and will be removed in future versions of FreeRADIUS. Please edit the configuration files to use the directive 'listen'.");
1887 if (strcmp(progname, "vmpsd") == 0) {
1888 this = listen_alloc(RAD_LISTEN_VQP);
1889 if (!auth_port) auth_port = 1589;
1892 this = listen_alloc(RAD_LISTEN_AUTH);
1896 sock->ipaddr = server_ipaddr;
1897 sock->port = auth_port;
1899 sock->clients = clients_parse_section(config);
1900 if (!sock->clients) {
1901 cf_log_err(cf_sectiontoitem(config),
1902 "Failed to find any clients for this listen section");
1907 if (listen_bind(this) < 0) {
1909 radlog(L_ERR, "There appears to be another RADIUS server running on the authentication port %d", sock->port);
1913 auth_port = sock->port; /* may have been updated in listen_bind */
1915 cs = cf_section_sub_find_name2(config, "server",
1917 if (cs) this->server = mainconfig.name;
1921 last = &(this->next);
1927 if (strcmp(progname, "vmpsd") == 0) goto do_proxy;
1930 #ifdef WITH_ACCOUNTING
1932 * Open Accounting Socket.
1934 * If we haven't already gotten acct_port from
1935 * /etc/services, then make it auth_port + 1.
1937 this = listen_alloc(RAD_LISTEN_ACCT);
1941 * Create the accounting socket.
1943 * The accounting port is always the
1944 * authentication port + 1
1946 sock->ipaddr = server_ipaddr;
1947 sock->port = auth_port + 1;
1949 sock->clients = clients_parse_section(config);
1950 if (!sock->clients) {
1951 cf_log_err(cf_sectiontoitem(config),
1952 "Failed to find any clients for this listen section");
1956 if (listen_bind(this) < 0) {
1959 radlog(L_ERR, "There appears to be another RADIUS server running on the accounting port %d", sock->port);
1964 cs = cf_section_sub_find_name2(config, "server",
1966 if (cs) this->server = mainconfig.name;
1970 last = &(this->next);
1972 } else if (mainconfig.port > 0) { /* no bind address, but a port */
1973 radlog(L_ERR, "The command-line says \"-p %d\", but there is no associated IP address to use",
1979 * They specified an IP on the command-line, ignore
1980 * all listen sections except the one in '-n'.
1982 if (mainconfig.myip.af != AF_UNSPEC) {
1983 CONF_SECTION *subcs;
1984 const char *name2 = cf_section_name2(cs);
1986 cs = cf_section_sub_find_name2(config, "server",
1988 if (!cs) goto do_proxy;
1991 * Should really abstract this code...
1993 for (subcs = cf_subsection_find_next(cs, NULL, "listen");
1995 subcs = cf_subsection_find_next(cs, subcs, "listen")) {
1996 this = listen_parse(subcs, name2);
2003 if (this->type == RAD_LISTEN_PROXY) defined_proxy = 1;
2007 last = &(this->next);
2008 } /* loop over "listen" directives in server <foo> */
2014 * Walk through the "listen" sections, if they exist.
2016 for (cs = cf_subsection_find_next(config, NULL, "listen");
2018 cs = cf_subsection_find_next(config, cs, "listen")) {
2019 this = listen_parse(cs, NULL);
2026 if (this->type == RAD_LISTEN_PROXY) defined_proxy = 1;
2030 last = &(this->next);
2034 * Check virtual servers for "listen" sections, too.
2036 * FIXME: Move to virtual server init?
2038 for (cs = cf_subsection_find_next(config, NULL, "server");
2040 cs = cf_subsection_find_next(config, cs, "server")) {
2041 CONF_SECTION *subcs;
2042 const char *name2 = cf_section_name2(cs);
2044 for (subcs = cf_subsection_find_next(cs, NULL, "listen");
2046 subcs = cf_subsection_find_next(cs, subcs, "listen")) {
2047 this = listen_parse(subcs, name2);
2054 if (this->type == RAD_LISTEN_PROXY) {
2055 radlog(L_ERR, "Error: listen type \"proxy\" Cannot appear in a virtual server section");
2062 last = &(this->next);
2063 } /* loop over "listen" directives in virtual servers */
2064 } /* loop over virtual servers */
2067 * If we're proxying requests, open the proxy FD.
2068 * Otherwise, don't do anything.
2072 if (mainconfig.proxy_requests == TRUE) {
2074 listen_socket_t *sock = NULL;
2077 * No sockets to receive packets, therefore
2078 * proxying is pointless.
2080 if (!*head) return -1;
2082 if (defined_proxy) goto check_home_servers;
2085 * Find the first authentication port,
2088 for (this = *head; this != NULL; this = this->next) {
2089 if (this->type == RAD_LISTEN_AUTH) {
2091 if (server_ipaddr.af == AF_UNSPEC) {
2092 server_ipaddr = sock->ipaddr;
2094 port = sock->port + 2; /* skip acct port */
2098 if (this->type == RAD_LISTEN_VQP) {
2100 if (server_ipaddr.af == AF_UNSPEC) {
2101 server_ipaddr = sock->ipaddr;
2103 port = sock->port + 1;
2109 if (port < 0) port = 1024 + (fr_rand() & 0x1ff);
2112 * Address is still unspecified, use IPv4.
2114 if (server_ipaddr.af == AF_UNSPEC) {
2115 server_ipaddr.af = AF_INET;
2116 server_ipaddr.ipaddr.ip4addr.s_addr = htonl(INADDR_ANY);
2119 this = listen_alloc(RAD_LISTEN_PROXY);
2123 * Create the first proxy socket.
2125 sock->ipaddr = server_ipaddr;
2128 * Try to find a proxy port (value doesn't matter)
2130 for (sock->port = port;
2133 if (listen_bind(this) == 0) {
2135 last = &(this->next); /* just in case */
2140 if (sock->port >= 64000) {
2143 radlog(L_ERR, "Failed to open socket for proxying");
2148 * Create *additional* proxy listeners, based
2149 * on their src_ipaddr.
2152 if (home_server_create_listeners(*head) != 0) return -1;
2160 * Free a linked list of listeners;
2162 void listen_free(rad_listen_t **head)
2166 if (!head || !*head) return;
2170 rad_listen_t *next = this->next;
2173 * Other code may have eaten the FD.
2175 if (this->fd >= 0) close(this->fd);
2177 if (master_listen[this->type].free) {
2178 master_listen[this->type].free(this);
2190 RADCLIENT_LIST *listener_find_client_list(const fr_ipaddr_t *ipaddr,
2195 for (this = mainconfig.listen; this != NULL; this = this->next) {
2196 listen_socket_t *sock;
2198 if ((this->type != RAD_LISTEN_AUTH) &&
2199 (this->type != RAD_LISTEN_ACCT)) continue;
2203 if ((sock->port == port) &&
2204 (fr_ipaddr_cmp(ipaddr, &sock->ipaddr) == 0)) {
2205 return sock->clients;
2213 rad_listen_t *listener_find_byipaddr(const fr_ipaddr_t *ipaddr, int port)
2217 for (this = mainconfig.listen; this != NULL; this = this->next) {
2218 listen_socket_t *sock;
2221 * FIXME: For TCP, ignore the *secondary*
2222 * listeners associated with the main socket.
2224 if ((this->type != RAD_LISTEN_AUTH) &&
2225 (this->type != RAD_LISTEN_ACCT)) continue;
2229 if ((sock->port == port) &&
2230 (fr_ipaddr_cmp(ipaddr, &sock->ipaddr) == 0)) {
2234 if ((sock->port == port) &&
2235 ((sock->ipaddr.af == AF_INET) &&
2236 (sock->ipaddr.ipaddr.ip4addr.s_addr == INADDR_ANY))) {
2240 #ifdef HAVE_STRUCT_SOCKADDR_IN6
2241 if ((sock->port == port) &&
2242 (sock->ipaddr.af == AF_INET6) &&
2243 (IN6_IS_ADDR_UNSPECIFIED(&sock->ipaddr.ipaddr.ip6addr))) {