2 * realms.c Realm handling code
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2007 The FreeRADIUS server project
21 * Copyright 2007 Alan DeKok <aland@deployingradius.com>
26 #include <freeradius-devel/radiusd.h>
27 #include <freeradius-devel/realms.h>
28 #include <freeradius-devel/rad_assert.h>
35 static rbtree_t *realms_byname = NULL;
37 bool home_servers_udp = false;
41 typedef struct realm_regex realm_regex_t;
43 /** Regular expression associated with a realm
47 REALM *realm; //!< The realm this regex matches.
48 regex_t *preg; //!< The pre-compiled regular expression.
49 realm_regex_t *next; //!< The next realm in the list of regular expressions.
51 static realm_regex_t *realms_regex = NULL;
52 #endif /* HAVE_REGEX */
61 bool wake_all_if_all_dead;
64 static const FR_NAME_NUMBER home_server_types[] = {
65 { "auth", HOME_TYPE_AUTH },
66 { "acct", HOME_TYPE_ACCT },
67 { "auth+acct", HOME_TYPE_AUTH_ACCT },
68 { "coa", HOME_TYPE_COA },
72 static const FR_NAME_NUMBER home_ping_check[] = {
73 { "none", HOME_PING_CHECK_NONE },
74 { "status-server", HOME_PING_CHECK_STATUS_SERVER },
75 { "request", HOME_PING_CHECK_REQUEST },
79 static const FR_NAME_NUMBER home_proto[] = {
80 { "UDP", IPPROTO_UDP },
81 { "TCP", IPPROTO_TCP },
86 static realm_config_t *realm_config = NULL;
89 static rbtree_t *home_servers_byaddr = NULL;
90 static rbtree_t *home_servers_byname = NULL;
92 static int home_server_max_number = 0;
93 static rbtree_t *home_servers_bynumber = NULL;
96 static rbtree_t *home_pools_byname = NULL;
99 * Map the proxy server configuration parameters to variables.
101 static const CONF_PARSER proxy_config[] = {
102 { "retry_delay", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, retry_delay), STRINGIFY(RETRY_DELAY) },
104 { "retry_count", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, retry_count), STRINGIFY(RETRY_COUNT) },
106 { "default_fallback", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, fallback), "no" },
108 { "dynamic", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, dynamic), NULL },
110 { "dead_time", FR_CONF_OFFSET(PW_TYPE_INTEGER, realm_config_t, dead_time), STRINGIFY(DEAD_TIME) },
112 { "wake_all_if_all_dead", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, realm_config_t, wake_all_if_all_dead), "no" },
113 CONF_PARSER_TERMINATOR
117 static int realm_name_cmp(void const *one, void const *two)
119 REALM const *a = one;
120 REALM const *b = two;
122 return strcasecmp(a->name, b->name);
127 static void home_server_free(void *data)
129 home_server_t *home = talloc_get_type_abort(data, home_server_t);
134 static int home_server_name_cmp(void const *one, void const *two)
136 home_server_t const *a = one;
137 home_server_t const *b = two;
139 if (a->type < b->type) return -1;
140 if (a->type > b->type) return +1;
142 return strcasecmp(a->name, b->name);
145 static int home_server_addr_cmp(void const *one, void const *two)
148 home_server_t const *a = one;
149 home_server_t const *b = two;
151 if (a->server && !b->server) return -1;
152 if (!a->server && b->server) return +1;
153 if (a->server && b->server) {
154 rcode = a->type - b->type;
155 if (rcode != 0) return rcode;
156 return strcmp(a->server, b->server);
159 if (a->port < b->port) return -1;
160 if (a->port > b->port) return +1;
163 if (a->proto < b->proto) return -1;
164 if (a->proto > b->proto) return +1;
167 rcode = fr_ipaddr_cmp(&a->src_ipaddr, &b->src_ipaddr);
168 if (rcode != 0) return rcode;
170 return fr_ipaddr_cmp(&a->ipaddr, &b->ipaddr);
174 static int home_server_number_cmp(void const *one, void const *two)
176 home_server_t const *a = one;
177 home_server_t const *b = two;
179 return (a->number - b->number);
183 static int home_pool_name_cmp(void const *one, void const *two)
185 home_pool_t const *a = one;
186 home_pool_t const *b = two;
188 if (a->server_type < b->server_type) return -1;
189 if (a->server_type > b->server_type) return +1;
191 return strcasecmp(a->name, b->name);
195 static size_t xlat_cs(CONF_SECTION *cs, char const *fmt, char *out, size_t outlen)
197 char const *value = NULL;
200 DEBUG("No configuration item requested. Ignoring.");
209 if (strcmp(fmt, "instance") == 0) {
210 value = cf_section_name2(cs);
218 cp = cf_pair_find(cs, fmt);
219 if (!cp || !(value = cf_pair_value(cp))) {
225 strlcpy(out, value, outlen);
232 * Xlat for %{home_server:foo}
234 static ssize_t xlat_home_server(UNUSED void *instance, REQUEST *request,
235 char const *fmt, char *out, size_t outlen)
237 if (!request->home_server) {
238 RWDEBUG("No home_server associated with this request");
245 RWDEBUG("No configuration item requested. Ignoring.");
251 if (strcmp(fmt, "state") == 0) {
254 switch (request->home_server->state) {
255 case HOME_STATE_ALIVE:
259 case HOME_STATE_ZOMBIE:
263 case HOME_STATE_IS_DEAD:
272 strlcpy(out, state, outlen);
276 return xlat_cs(request->home_server->cs, fmt, out, outlen);
281 * Xlat for %{home_server_pool:foo}
283 static ssize_t xlat_server_pool(UNUSED void *instance, REQUEST *request,
284 char const *fmt, char *out, size_t outlen)
286 if (!request->home_pool) {
287 RWDEBUG("No home_pool associated with this request");
294 RWDEBUG("No configuration item requested. Ignoring.");
300 if (strcmp(fmt, "state") == 0) {
303 if (request->home_pool->in_fallback) {
310 strlcpy(out, state, outlen);
314 return xlat_cs(request->home_pool->cs, fmt, out, outlen);
318 void realms_free(void)
322 rbtree_free(home_servers_bynumber);
323 home_servers_bynumber = NULL;
326 rbtree_free(home_servers_byname);
327 home_servers_byname = NULL;
329 rbtree_free(home_servers_byaddr);
330 home_servers_byaddr = NULL;
332 rbtree_free(home_pools_byname);
333 home_pools_byname = NULL;
336 rbtree_free(realms_byname);
337 realms_byname = NULL;
339 realm_pool_free(NULL);
341 talloc_free(realm_config);
347 static CONF_PARSER limit_config[] = {
348 { "max_connections", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.max_connections), "16" },
349 { "max_requests", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.max_requests), "0" },
350 { "lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.lifetime), "0" },
351 { "idle_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, limit.idle_timeout), "0" },
352 CONF_PARSER_TERMINATOR
356 static CONF_PARSER home_server_coa[] = {
357 { "irt", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_irt), STRINGIFY(2) },
358 { "mrt", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrt), STRINGIFY(16) },
359 { "mrc", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrc), STRINGIFY(5) },
360 { "mrd", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, coa_mrd), STRINGIFY(30) },
361 CONF_PARSER_TERMINATOR
365 static CONF_PARSER home_server_config[] = {
366 { "ipaddr", FR_CONF_OFFSET(PW_TYPE_COMBO_IP_ADDR, home_server_t, ipaddr), NULL },
367 { "ipv4addr", FR_CONF_OFFSET(PW_TYPE_IPV4_ADDR, home_server_t, ipaddr), NULL },
368 { "ipv6addr", FR_CONF_OFFSET(PW_TYPE_IPV6_ADDR, home_server_t, ipaddr), NULL },
369 { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, home_server_t, server), NULL },
371 { "port", FR_CONF_OFFSET(PW_TYPE_SHORT, home_server_t, port), "0" },
373 { "type", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, type_str), NULL },
376 { "proto", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, home_server_t, proto_str), NULL },
379 { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, home_server_t, secret), NULL },
381 { "src_ipaddr", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, src_ipaddr_str), NULL },
383 { "response_window", FR_CONF_OFFSET(PW_TYPE_TIMEVAL, home_server_t, response_window), "30" },
384 { "response_timeouts", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, max_response_timeouts), "1" },
385 { "max_outstanding", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, max_outstanding), "65536" },
387 { "zombie_period", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, zombie_period), "40" },
389 { "status_check", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, ping_check_str), "none" },
390 { "ping_check", FR_CONF_OFFSET(PW_TYPE_STRING, home_server_t, ping_check_str), NULL },
392 { "ping_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_interval), "30" },
393 { "check_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_interval), NULL },
395 { "check_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_timeout), "4" },
396 { "status_check_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ping_timeout), NULL },
398 { "num_answers_to_alive", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, num_pings_to_alive), "3" },
399 { "revive_interval", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, revive_interval), "300" },
401 { "username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, home_server_t, ping_user_name), NULL },
402 { "password", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_NOT_EMPTY, home_server_t, ping_user_password), NULL },
405 { "historic_average_window", FR_CONF_OFFSET(PW_TYPE_INTEGER, home_server_t, ema.window), NULL },
408 { "limit", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) limit_config },
411 { "coa", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) home_server_coa },
414 CONF_PARSER_TERMINATOR
418 static void null_free(UNUSED void *data)
423 * Ensure that all of the parameters in the home server are OK.
425 void realm_home_server_sanitize(home_server_t *home, CONF_SECTION *cs)
427 CONF_SECTION *parent = NULL;
429 FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, >=, 8);
430 FR_INTEGER_BOUND_CHECK("max_outstanding", home->max_outstanding, <=, 65536*16);
432 FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, >=, 6);
433 FR_INTEGER_BOUND_CHECK("ping_interval", home->ping_interval, <=, 120);
435 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, >=, 0, 1000);
436 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=, 60, 0);
437 FR_TIMEVAL_BOUND_CHECK("response_window", &home->response_window, <=,
438 main_config.max_request_time, 0);
440 FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, >=, 1);
441 FR_INTEGER_BOUND_CHECK("response_timeouts", home->max_response_timeouts, <=, 1000);
444 * Track the minimum response window, so that we can
445 * correctly set the timers in process.c
447 if (timercmp(&main_config.init_delay, &home->response_window, >)) {
448 main_config.init_delay = home->response_window;
451 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, 1);
452 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, <=, 120);
453 FR_INTEGER_BOUND_CHECK("zombie_period", home->zombie_period, >=, (uint32_t) home->response_window.tv_sec);
455 FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, >=, 3);
456 FR_INTEGER_BOUND_CHECK("num_pings_to_alive", home->num_pings_to_alive, <=, 10);
458 FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, >=, 1);
459 FR_INTEGER_BOUND_CHECK("check_timeout", home->ping_timeout, <=, 10);
461 FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, >=, 60);
462 FR_INTEGER_BOUND_CHECK("revive_interval", home->revive_interval, <=, 3600);
465 FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, >=, 1);
466 FR_INTEGER_BOUND_CHECK("coa_irt", home->coa_irt, <=, 5);
468 FR_INTEGER_BOUND_CHECK("coa_mrc", home->coa_mrc, <=, 20);
470 FR_INTEGER_BOUND_CHECK("coa_mrt", home->coa_mrt, <=, 30);
472 FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, >=, 5);
473 FR_INTEGER_BOUND_CHECK("coa_mrd", home->coa_mrd, <=, 60);
476 FR_INTEGER_BOUND_CHECK("max_connections", home->limit.max_connections, <=, 1024);
480 * UDP sockets can't be connection limited.
482 if (home->proto != IPPROTO_TCP) home->limit.max_connections = 0;
485 if ((home->limit.idle_timeout > 0) && (home->limit.idle_timeout < 5))
486 home->limit.idle_timeout = 5;
487 if ((home->limit.lifetime > 0) && (home->limit.lifetime < 5))
488 home->limit.lifetime = 5;
489 if ((home->limit.lifetime > 0) && (home->limit.idle_timeout > home->limit.lifetime))
490 home->limit.idle_timeout = 0;
493 * Make sure that this is set.
495 if (home->src_ipaddr.af == AF_UNSPEC) {
496 home->src_ipaddr.af = home->ipaddr.af;
499 parent = cf_item_parent(cf_section_to_item(cs));
500 if (parent && strcmp(cf_section_name1(parent), "server") == 0) {
501 home->parent_server = cf_section_name2(parent);
505 /** Insert a new home server into the various internal lookup trees
507 * @param home server to add.
508 * @param cs That defined the home server.
509 * @return true on success else false.
511 static bool home_server_insert(home_server_t *home, CONF_SECTION *cs)
513 if (home->name && !rbtree_insert(home_servers_byname, home)) {
514 cf_log_err_cs(cs, "Internal error %d adding home server %s", __LINE__, home->log_name);
518 if (!home->server && !rbtree_insert(home_servers_byaddr, home)) {
519 rbtree_deletebydata(home_servers_byname, home);
520 cf_log_err_cs(cs, "Internal error %d adding home server %s", __LINE__, home->log_name);
525 home->number = home_server_max_number++;
526 if (!rbtree_insert(home_servers_bynumber, home)) {
527 rbtree_deletebydata(home_servers_byname, home);
528 if (home->ipaddr.af != AF_UNSPEC) {
529 rbtree_deletebydata(home_servers_byname, home);
531 cf_log_err_cs(cs, "Internal error %d adding home server %s", __LINE__, home->log_name);
539 /** Add an already allocate home_server_t to the various trees
541 * @param home server to add.
542 * @return true on success, else false on error.
544 bool realm_home_server_add(home_server_t *home)
547 * The structs aren't mutex protected. Refuse to destroy
550 if (event_loop_started && !realm_config->dynamic) {
551 ERROR("Failed to add dynamic home server, \"dynamic = yes\" must be set in proxy.conf");
555 if (home->name && (rbtree_finddata(home_servers_byname, home) != NULL)) {
556 cf_log_err_cs(home->cs, "Duplicate home server name %s", home->name);
560 if (!home->server && (rbtree_finddata(home_servers_byaddr, home) != NULL)) {
561 char buffer[INET6_ADDRSTRLEN + 3];
563 inet_ntop(home->ipaddr.af, &home->ipaddr.ipaddr, buffer, sizeof(buffer));
565 cf_log_err_cs(home->cs, "Duplicate home server address%s%s%s: %s:%s%s/%i",
566 home->name ? " (already in use by " : "",
567 home->name ? home->name : "",
568 home->name ? ")" : "",
570 fr_int2str(home_proto, home->proto, "<INVALID>"),
572 home->tls ? "+tls" : "",
581 if (!home_server_insert(home, home->cs)) return false;
584 * Dual home servers cause us to auto-create an
585 * accounting server for UDP sockets, and leave
586 * everything alone for TLS sockets.
593 home_server_t *home2 = talloc(talloc_parent(home), home_server_t);
595 memcpy(home2, home, sizeof(*home2));
597 home2->type = HOME_TYPE_ACCT;
601 home2->ping_user_password = NULL;
602 home2->cs = home->cs;
603 home2->parent_server = home->parent_server;
605 if (!home_server_insert(home2, home->cs)) {
612 * Mark it as already processed
614 cf_data_add(home->cs, "home_server", (void *)null_free, null_free);
619 /** Alloc a new home server defined by a CONF_SECTION
621 * @param ctx to allocate home_server_t in.
622 * @param rc Realm config, may be NULL in which case the global realm_config will be used.
623 * @param cs Configuration section containing home server parameters.
624 * @return a new home_server_t alloced in the context of the realm_config, or NULL on error.
626 home_server_t *home_server_afrom_cs(TALLOC_CTX *ctx, realm_config_t *rc, CONF_SECTION *cs)
631 if (!rc) rc = realm_config; /* Use the global config */
633 home = talloc_zero(ctx, home_server_t);
634 home->name = cf_section_name2(cs);
635 home->log_name = talloc_typed_strdup(home, home->name);
637 home->state = HOME_STATE_UNKNOWN;
638 home->proto = IPPROTO_UDP;
641 * Parse the configuration into the home server
644 if (cf_section_parse(cs, home, home_server_config) < 0) goto error;
647 * It has an IP address, it must be a remote server.
649 if (cf_pair_find(cs, "ipaddr") || cf_pair_find(cs, "ipv4addr") || cf_pair_find(cs, "ipv6addr")) {
650 if (fr_inaddr_any(&home->ipaddr) == 1) {
651 cf_log_err_cs(cs, "Wildcard '*' addresses are not permitted for home servers");
655 if (!home->log_name) {
656 char buffer[INET6_ADDRSTRLEN + 3];
658 fr_ntop(buffer, sizeof(buffer), &home->ipaddr);
660 home->log_name = talloc_asprintf(home, "%s:%i", buffer, home->port);
663 * If it has a 'virtual_Server' config item, it's
664 * a loopback into a virtual server.
666 } else if (cf_pair_find(cs, "virtual_server") != NULL) {
667 home->ipaddr.af = AF_UNSPEC; /* mark ipaddr as unused */
670 cf_log_err_cs(cs, "Invalid value for virtual_server");
675 * Try and find a 'server' section off the root of
676 * the config with a name that matches the
679 if (!cf_section_sub_find_name2(rc->cs, "server", home->server)) {
680 cf_log_err_cs(cs, "No such server %s", home->server);
685 home->log_name = talloc_typed_strdup(home, home->server);
687 * Otherwise it's an invalid config section and we
691 cf_log_err_cs(cs, "No ipaddr, ipv4addr, ipv6addr, or virtual_server defined "
699 home_type_t type = HOME_TYPE_AUTH_ACCT;
701 if (home->type_str) type = fr_str2int(home_server_types, home->type_str, HOME_TYPE_INVALID);
706 case HOME_TYPE_AUTH_ACCT:
716 if (home->server != NULL) {
717 cf_log_err_cs(cs, "Home servers of type \"coa\" cannot point to a virtual server");
723 case HOME_TYPE_INVALID:
724 cf_log_err_cs(cs, "Invalid type \"%s\" for home server %s", home->type_str, home->log_name);
730 home_ping_check_t type = HOME_PING_CHECK_NONE;
732 if (home->ping_check_str) type = fr_str2int(home_ping_check, home->ping_check_str,
733 HOME_PING_CHECK_INVALID);
736 case HOME_PING_CHECK_STATUS_SERVER:
737 case HOME_PING_CHECK_NONE:
740 case HOME_PING_CHECK_REQUEST:
741 if (!home->ping_user_name) {
742 cf_log_err_cs(cs, "You must supply a 'username' to enable status_check=request");
746 if (((home->type == HOME_TYPE_AUTH) ||
747 (home->type == HOME_TYPE_AUTH_ACCT)) && !home->ping_user_password) {
748 cf_log_err_cs(cs, "You must supply a 'password' to enable status_check=request");
754 case HOME_PING_CHECK_INVALID:
755 cf_log_err_cs(cs, "Invalid status_check \"%s\" for home server %s",
756 home->ping_check_str, home->log_name);
760 home->ping_check = type;
764 int proto = IPPROTO_UDP;
766 if (home->proto_str) proto = fr_str2int(home_proto, home->proto_str, -1);
770 home_servers_udp = true;
775 cf_log_err_cs(cs, "Server not built with support for RADIUS over TCP");
778 if (home->ping_check != HOME_PING_CHECK_NONE) {
779 cf_log_err_cs(cs, "Only 'status_check = none' is allowed for home "
780 "servers with 'proto = tcp'");
786 cf_log_err_cs(cs, "Unknown proto \"%s\"", home->proto_str);
793 if (!home->server && rbtree_finddata(home_servers_byaddr, home)) {
794 cf_log_err_cs(cs, "Duplicate home server");
799 * Check the TLS configuration.
801 tls = cf_section_sub_find(cs, "tls");
804 cf_log_err_cs(cs, "TLS transport is not available in this executable");
810 * If were doing RADSEC (tls+tcp) the secret should default
811 * to radsec, else a secret must be set.
815 if (tls && (home->proto == IPPROTO_TCP)) {
816 home->secret = "radsec";
820 cf_log_err_cs(cs, "No shared secret defined for home server %s", home->log_name);
826 * Virtual servers have some TLS restrictions.
830 cf_log_err_cs(cs, "Virtual home_servers cannot have a \"tls\" subsection");
835 * If the home is not a virtual server, guess the port
836 * and look up the source ip address.
838 rad_assert(home->ipaddr.af != AF_UNSPEC);
841 if (tls && (home->proto != IPPROTO_TCP)) {
842 cf_log_err_cs(cs, "TLS transport is not available for UDP sockets");
848 * Set the default port if necessary.
850 if (home->port == 0) {
851 char buffer[INET6_ADDRSTRLEN + 3];
854 * For RADSEC we use the special RADIUS over TCP/TLS port
855 * for both accounting and authentication, but for some
856 * bizarre reason for RADIUS over plain TCP we use separate
857 * ports 1812 and 1813.
861 home->port = PW_RADIUS_TLS_PORT;
864 switch (home->type) {
870 home->port = PW_AUTH_UDP_PORT;
874 home->port = PW_ACCT_UDP_PORT;
878 home->port = PW_COA_UDP_PORT;
883 * Now that we have a real port, use that.
885 rad_const_free(home->log_name);
887 fr_ntop(buffer, sizeof(buffer), &home->ipaddr);
889 home->log_name = talloc_asprintf(home, "%s:%i", buffer, home->port);
893 * If we have a src_ipaddr_str resolve it to
894 * the same address family as the destination
897 if (home->src_ipaddr_str) {
898 if (ip_hton(&home->src_ipaddr, home->ipaddr.af, home->src_ipaddr_str, false) < 0) {
899 cf_log_err_cs(cs, "Failed parsing src_ipaddr");
903 * Source isn't specified, set it to the
904 * correct address family, but leave it as
908 home->src_ipaddr.af = home->ipaddr.af;
913 * Parse the SSL client configuration.
916 home->tls = tls_client_conf_parse(tls);
922 } /* end of parse home server */
924 realm_home_server_sanitize(home, cs);
929 /** Fixup a client configuration section to specify a home server
931 * This is used to create the equivalent CoA home server entry for a client,
932 * so that the server can originate CoA messages.
934 * The server section automatically inherits the following fields from the client:
935 * - ipaddr/ipv4addr/ipv6addr
939 * @note new CONF_SECTION will be allocated in the context of the client, but the client
940 * CONF_SECTION will not be modified.
942 * @param client CONF_SECTION to inherit values from.
943 * @return a new server CONF_SCTION, or a pointer to the existing CONF_SECTION in the client.
945 CONF_SECTION *home_server_cs_afrom_client(CONF_SECTION *client)
947 CONF_SECTION *server, *cs;
951 * Alloc a plain home server for both cases
953 * There's no way these can be referenced by a pool,
954 * and they may conflict with home servers in proxy.conf
955 * so it's easier to not set a name.
960 * Duplicate the server section, so we don't mangle
961 * the client CONF_SECTION we were passed.
963 cs = cf_section_sub_find(client, "coa_server");
965 server = cf_section_dup(client, cs, "home_server", NULL, true);
967 server = cf_section_alloc(client, "home_server", cf_section_name2(client));
970 if (!cs || (!cf_pair_find(cs, "ipaddr") && !cf_pair_find(cs, "ipv4addr") && !cf_pair_find(cs, "ipv6addr"))) {
971 cp = cf_pair_find(client, "ipaddr");
972 if (!cp) cp = cf_pair_find(client, "ipv4addr");
973 if (!cp) cp = cf_pair_find(client, "ipv6addr");
975 cf_pair_add(server, cf_pair_dup(server, cp));
978 if (!cs || !cf_pair_find(cs, "secret")) {
979 cp = cf_pair_find(client, "secret");
980 if (cp) cf_pair_add(server, cp);
983 if (!cs || !cf_pair_find(cs, "src_ipaddr")) {
984 cp = cf_pair_find(client, "src_ipaddr");
985 if (cp) cf_pair_add(server, cf_pair_dup(server, cp));
988 if (!cs || !(cp = cf_pair_find(cs, "type"))) {
989 cp = cf_pair_alloc(server, "type", "coa", T_OP_EQ, T_BARE_WORD, T_SINGLE_QUOTED_STRING);
990 if (cp) cf_pair_add(server, cf_pair_dup(server, cp));
991 } else if (strcmp(cf_pair_value(cp), "coa") != 0) {
993 cf_log_err_cs(server, "server.type must be \"coa\"");
1000 static home_pool_t *server_pool_alloc(char const *name, home_pool_type_t type,
1001 home_type_t server_type, int num_home_servers)
1005 pool = rad_malloc(sizeof(*pool) + (sizeof(pool->servers[0]) * num_home_servers));
1006 if (!pool) return NULL; /* just for pairanoia */
1008 memset(pool, 0, sizeof(*pool) + (sizeof(pool->servers[0]) * num_home_servers));
1012 pool->server_type = server_type;
1013 pool->num_home_servers = num_home_servers;
1019 * Ensure any home_server clauses in a home_server_pool section reference
1020 * defined home servers, which should already have been created, regardless
1021 * of where they appear in the configuration.
1023 static int pool_check_home_server(UNUSED realm_config_t *rc, CONF_PAIR *cp,
1024 char const *name, home_type_t server_type,
1025 home_server_t **phome)
1027 home_server_t myhome, *home;
1031 "No value given for home_server");
1036 myhome.type = server_type;
1037 home = rbtree_finddata(home_servers_byname, &myhome);
1043 switch (server_type) {
1044 case HOME_TYPE_AUTH:
1045 case HOME_TYPE_ACCT:
1046 myhome.type = HOME_TYPE_AUTH_ACCT;
1047 home = rbtree_finddata(home_servers_byname, &myhome);
1058 cf_log_err_cp(cp, "Unknown home_server \"%s\".", name);
1063 #ifndef HAVE_PTHREAD_H
1064 void realm_pool_free(home_pool_t *pool)
1066 if (!event_loop_started) return;
1067 if (!realm_config->dynamic) return;
1071 #else /* HAVE_PTHREAD_H */
1072 typedef struct pool_list_t pool_list_t;
1074 struct pool_list_t {
1080 static bool pool_free_init = false;
1081 static pthread_mutex_t pool_free_mutex;
1082 static pool_list_t *pool_list = NULL;
1084 void realm_pool_free(home_pool_t *pool)
1088 pool_list_t *this, **last;
1090 if (!event_loop_started) return;
1091 if (!realm_config->dynamic) return;
1095 * Double-check that the realm wasn't loaded from the
1096 * configuration files.
1098 for (i = 0; i < pool->num_home_servers; i++) {
1099 if (pool->servers[i]->cs) {
1106 if (!pool_free_init) {
1107 pthread_mutex_init(&pool_free_mutex, NULL);
1108 pool_free_init = true;
1112 * Ensure only one caller at a time is freeing a pool.
1114 pthread_mutex_lock(&pool_free_mutex);
1117 * Free all of the pools.
1120 while ((this = pool_list) != NULL) {
1121 pool_list = this->next;
1122 talloc_free(this->pool);
1125 pthread_mutex_unlock(&pool_free_mutex);
1132 * Free the oldest pool(s)
1134 while ((this = pool_list) != NULL) {
1135 if (this->when > now) break;
1137 pool_list = this->next;
1138 talloc_free(this->pool);
1143 * Add this pool to the end of the list.
1145 for (last = &pool_list;
1147 last = &((*last))->next) {
1151 *last = this = talloc(NULL, pool_list_t);
1153 talloc_free(pool); /* hope for the best */
1154 pthread_mutex_unlock(&pool_free_mutex);
1159 this->when = now + 60;
1161 pthread_mutex_unlock(&pool_free_mutex);
1163 #endif /* HAVE_PTHREAD_H */
1165 int realm_pool_add(home_pool_t *pool, UNUSED CONF_SECTION *cs)
1168 * The structs aren't mutex protected. Refuse to destroy
1171 if (event_loop_started && !realm_config->dynamic) {
1172 DEBUG("Must set \"dynamic = true\" in proxy.conf");
1176 if (!rbtree_insert(home_pools_byname, pool)) {
1177 rad_assert("Internal sanity check failed" == NULL);
1184 static int server_pool_add(realm_config_t *rc,
1185 CONF_SECTION *cs, home_type_t server_type, bool do_print)
1188 home_pool_t *pool = NULL;
1191 int num_home_servers;
1192 home_server_t *home;
1194 name2 = cf_section_name1(cs);
1195 if (!name2 || ((strcasecmp(name2, "server_pool") != 0) &&
1196 (strcasecmp(name2, "home_server_pool") != 0))) {
1198 "Section is not a home_server_pool");
1202 name2 = cf_section_name2(cs);
1205 "Server pool section is missing a name");
1210 * Count the home servers and initalize them.
1212 num_home_servers = 0;
1213 for (cp = cf_pair_find(cs, "home_server");
1215 cp = cf_pair_find_next(cs, cp, "home_server")) {
1218 if (!pool_check_home_server(rc, cp, cf_pair_value(cp),
1219 server_type, &home)) {
1224 if (num_home_servers == 0) {
1226 "No home servers defined in pool %s",
1231 pool = server_pool_alloc(name2, HOME_POOL_FAIL_OVER, server_type,
1234 cf_log_err_cs(cs, "Failed allocating memory for pool");
1241 * Fallback servers must be defined, and must be
1244 cp = cf_pair_find(cs, "fallback");
1247 if (server_type == HOME_TYPE_COA) {
1248 cf_log_err_cs(cs, "Home server pools of type \"coa\" cannot have a fallback virtual server");
1253 if (!pool_check_home_server(rc, cp, cf_pair_value(cp), server_type, &pool->fallback)) {
1257 if (!pool->fallback->server) {
1258 cf_log_err_cs(cs, "Fallback home_server %s does NOT contain a virtual_server directive",
1259 pool->fallback->log_name);
1264 if (do_print) cf_log_info(cs, " home_server_pool %s {", name2);
1266 cp = cf_pair_find(cs, "type");
1268 static FR_NAME_NUMBER pool_types[] = {
1269 { "load-balance", HOME_POOL_LOAD_BALANCE },
1271 { "fail-over", HOME_POOL_FAIL_OVER },
1272 { "fail_over", HOME_POOL_FAIL_OVER },
1274 { "round-robin", HOME_POOL_LOAD_BALANCE },
1275 { "round_robin", HOME_POOL_LOAD_BALANCE },
1277 { "client-balance", HOME_POOL_CLIENT_BALANCE },
1278 { "client-port-balance", HOME_POOL_CLIENT_PORT_BALANCE },
1279 { "keyed-balance", HOME_POOL_KEYED_BALANCE },
1283 value = cf_pair_value(cp);
1286 "No value given for type");
1290 pool->type = fr_str2int(pool_types, value, 0);
1293 "Unknown type \"%s\".",
1298 if (do_print) cf_log_info(cs, "\ttype = %s", value);
1301 cp = cf_pair_find(cs, "virtual_server");
1303 pool->virtual_server = cf_pair_value(cp);
1304 if (!pool->virtual_server) {
1305 cf_log_err_cp(cp, "No value given for virtual_server");
1310 cf_log_info(cs, "\tvirtual_server = %s", pool->virtual_server);
1313 if (!cf_section_sub_find_name2(rc->cs, "server", pool->virtual_server)) {
1314 cf_log_err_cp(cp, "No such server %s", pool->virtual_server);
1320 num_home_servers = 0;
1321 for (cp = cf_pair_find(cs, "home_server");
1323 cp = cf_pair_find_next(cs, cp, "home_server")) {
1324 home_server_t myhome;
1326 value = cf_pair_value(cp);
1328 memset(&myhome, 0, sizeof(myhome));
1329 myhome.name = value;
1330 myhome.type = server_type;
1332 home = rbtree_finddata(home_servers_byname, &myhome);
1334 switch (server_type) {
1335 case HOME_TYPE_AUTH:
1336 case HOME_TYPE_ACCT:
1337 myhome.type = HOME_TYPE_AUTH_ACCT;
1338 home = rbtree_finddata(home_servers_byname, &myhome);
1347 ERROR("Failed to find home server %s", value);
1351 if (do_print) cf_log_info(cs, "\thome_server = %s", home->name);
1352 pool->servers[num_home_servers++] = home;
1353 } /* loop over home_server's */
1355 if (pool->fallback && do_print) {
1356 cf_log_info(cs, "\tfallback = %s", pool->fallback->name);
1359 if (!realm_pool_add(pool, cs)) goto error;
1361 if (do_print) cf_log_info(cs, " }");
1363 cf_data_add(cs, "home_server_pool", pool, free);
1365 rad_assert(pool->server_type != 0);
1370 if (do_print) cf_log_info(cs, " }");
1376 static int old_server_add(realm_config_t *rc, CONF_SECTION *cs,
1378 char const *name, char const *secret,
1379 home_pool_type_t ldflag, home_pool_t **pool_p,
1380 home_type_t type, char const *server)
1383 int i, insert_point, num_home_servers;
1384 home_server_t myhome, *home;
1385 home_pool_t mypool, *pool;
1386 CONF_SECTION *subcs;
1388 (void) rc; /* -Wunused */
1397 * LOCAL realms get sanity checked, and nothing else happens.
1399 if (strcmp(name, "LOCAL") == 0) {
1401 cf_log_err_cs(cs, "Realm \"%s\" cannot be both LOCAL and remote", name);
1408 return 0; /* Not proxying. Can't do non-LOCAL realms */
1411 mypool.name = realm;
1412 mypool.server_type = type;
1413 pool = rbtree_finddata(home_pools_byname, &mypool);
1415 if (pool->type != ldflag) {
1416 cf_log_err_cs(cs, "Inconsistent ldflag for server pool \"%s\"", name);
1420 if (pool->server_type != type) {
1421 cf_log_err_cs(cs, "Inconsistent home server type for server pool \"%s\"", name);
1428 home = rbtree_finddata(home_servers_byname, &myhome);
1430 WARN("Please use pools instead of authhost and accthost");
1432 if (secret && (strcmp(home->secret, secret) != 0)) {
1433 cf_log_err_cs(cs, "Inconsistent shared secret for home server \"%s\"", name);
1437 if (home->type != type) {
1438 cf_log_err_cs(cs, "Inconsistent type for home server \"%s\"", name);
1443 * See if the home server is already listed
1444 * in the pool. If so, do nothing else.
1446 if (pool) for (i = 0; i < pool->num_home_servers; i++) {
1447 if (pool->servers[i] == home) {
1454 * If we do have a pool, check that there is room to
1455 * insert the home server we've found, or the one that we
1458 * Note that we insert it into the LAST available
1459 * position, in order to maintain the same order as in
1460 * the configuration files.
1464 for (i = pool->num_home_servers - 1; i >= 0; i--) {
1465 if (pool->servers[i]) break;
1467 if (!pool->servers[i]) {
1472 if (insert_point < 0) {
1473 cf_log_err_cs(cs, "No room in pool to add home server \"%s\". Please update the realm configuration to use the new-style home servers and server pools.", name);
1479 * No home server, allocate one.
1485 home = talloc_zero(rc, home_server_t);
1488 home->secret = secret;
1490 home->proto = IPPROTO_UDP;
1492 p = strchr(name, ':');
1494 if (type == HOME_TYPE_AUTH) {
1495 home->port = PW_AUTH_UDP_PORT;
1497 home->port = PW_ACCT_UDP_PORT;
1503 } else if (p == name) {
1504 cf_log_err_cs(cs, "Invalid hostname %s", name);
1508 unsigned long port = strtoul(p + 1, NULL, 0);
1509 if ((port == 0) || (port > 65535)) {
1510 cf_log_err_cs(cs, "Invalid port %s", p + 1);
1515 home->port = (uint16_t)port;
1516 q = talloc_array(home, char, (p - name) + 1);
1517 memcpy(q, name, (p - name));
1523 if (ip_hton(&home->ipaddr, AF_UNSPEC, p, false) < 0) {
1525 "Failed looking up hostname %s.",
1531 home->src_ipaddr.af = home->ipaddr.af;
1533 home->ipaddr.af = AF_UNSPEC;
1534 home->server = server;
1539 * Use the old-style configuration.
1541 home->max_outstanding = 65535*16;
1542 home->zombie_period = rc->retry_delay * rc->retry_count;
1543 if (home->zombie_period < 2) home->zombie_period = 30;
1544 home->response_window.tv_sec = home->zombie_period - 1;
1545 home->response_window.tv_usec = 0;
1547 home->ping_check = HOME_PING_CHECK_NONE;
1549 home->revive_interval = rc->dead_time;
1551 if (rbtree_finddata(home_servers_byaddr, home)) {
1552 cf_log_err_cs(cs, "Home server %s has the same IP address and/or port as another home server.", name);
1557 if (!rbtree_insert(home_servers_byname, home)) {
1558 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1563 if (!rbtree_insert(home_servers_byaddr, home)) {
1564 rbtree_deletebydata(home_servers_byname, home);
1565 cf_log_err_cs(cs, "Internal error %d adding home server %s.", __LINE__, name);
1571 home->number = home_server_max_number++;
1572 if (!rbtree_insert(home_servers_bynumber, home)) {
1573 rbtree_deletebydata(home_servers_byname, home);
1574 if (home->ipaddr.af != AF_UNSPEC) {
1575 rbtree_deletebydata(home_servers_byname, home);
1578 "Internal error %d adding home server %s.",
1587 * We now have a home server, see if we can insert it
1588 * into pre-existing pool.
1590 if (insert_point >= 0) {
1591 rad_assert(pool != NULL);
1592 pool->servers[insert_point] = home;
1596 rad_assert(pool == NULL);
1597 rad_assert(home != NULL);
1600 * Count the old-style realms of this name.
1602 num_home_servers = 0;
1603 for (subcs = cf_section_find_next(cs, NULL, "realm");
1605 subcs = cf_section_find_next(cs, subcs, "realm")) {
1606 char const *this = cf_section_name2(subcs);
1608 if (!this || (strcmp(this, realm) != 0)) continue;
1612 if (num_home_servers == 0) {
1613 cf_log_err_cs(cs, "Internal error counting pools for home server %s.", name);
1618 pool = server_pool_alloc(realm, ldflag, type, num_home_servers);
1620 cf_log_err_cs(cs, "Out of memory");
1626 pool->servers[0] = home;
1628 if (!rbtree_insert(home_pools_byname, pool)) {
1629 rad_assert("Internal sanity check failed" == NULL);
1639 static int old_realm_config(realm_config_t *rc, CONF_SECTION *cs, REALM *r)
1642 char const *secret = NULL;
1643 home_pool_type_t ldflag;
1646 cp = cf_pair_find(cs, "ldflag");
1647 ldflag = HOME_POOL_FAIL_OVER;
1649 host = cf_pair_value(cp);
1651 cf_log_err_cp(cp, "No value specified for ldflag");
1655 if (strcasecmp(host, "fail_over") == 0) {
1656 cf_log_info(cs, "\tldflag = fail_over");
1658 } else if (strcasecmp(host, "round_robin") == 0) {
1659 ldflag = HOME_POOL_LOAD_BALANCE;
1660 cf_log_info(cs, "\tldflag = round_robin");
1663 cf_log_err_cs(cs, "Unknown value \"%s\" for ldflag", host);
1666 } /* else don't print it. */
1669 * Allow old-style if it doesn't exist, or if it exists and
1672 cp = cf_pair_find(cs, "authhost");
1674 host = cf_pair_value(cp);
1676 cf_log_err_cp(cp, "No value specified for authhost");
1680 if (strcmp(host, "LOCAL") != 0) {
1681 cp = cf_pair_find(cs, "secret");
1683 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1687 secret = cf_pair_value(cp);
1689 cf_log_err_cp(cp, "No value specified for secret");
1694 cf_log_info(cs, "\tauthhost = %s", host);
1696 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1697 &r->auth_pool, HOME_TYPE_AUTH, NULL)) {
1702 cp = cf_pair_find(cs, "accthost");
1704 host = cf_pair_value(cp);
1706 cf_log_err_cp(cp, "No value specified for accthost");
1711 * Don't look for a secret again if it was found
1714 if ((strcmp(host, "LOCAL") != 0) && !secret) {
1715 cp = cf_pair_find(cs, "secret");
1717 cf_log_err_cs(cs, "No shared secret supplied for realm: %s", r->name);
1721 secret = cf_pair_value(cp);
1723 cf_log_err_cp(cp, "No value specified for secret");
1728 cf_log_info(cs, "\taccthost = %s", host);
1730 if (!old_server_add(rc, cs, r->name, host, secret, ldflag,
1731 &r->acct_pool, HOME_TYPE_ACCT, NULL)) {
1736 cp = cf_pair_find(cs, "virtual_server");
1738 host = cf_pair_value(cp);
1740 cf_log_err_cp(cp, "No value specified for virtual_server");
1744 cf_log_info(cs, "\tvirtual_server = %s", host);
1746 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1747 &r->auth_pool, HOME_TYPE_AUTH, host)) {
1750 if (!old_server_add(rc, cs, r->name, host, "", ldflag,
1751 &r->acct_pool, HOME_TYPE_ACCT, host)) {
1757 if (rad_debug_lvl <= 2) {
1758 cf_log_info(cs, "\tsecret = <<< secret >>>");
1760 cf_log_info(cs, "\tsecret = %s", secret);
1770 static int add_pool_to_realm(realm_config_t *rc, CONF_SECTION *cs,
1771 char const *name, home_pool_t **dest,
1772 home_type_t server_type, bool do_print)
1774 home_pool_t mypool, *pool;
1777 mypool.server_type = server_type;
1779 pool = rbtree_finddata(home_pools_byname, &mypool);
1781 CONF_SECTION *pool_cs;
1783 pool_cs = cf_section_sub_find_name2(rc->cs,
1787 pool_cs = cf_section_sub_find_name2(rc->cs,
1792 cf_log_err_cs(cs, "Failed to find home_server_pool \"%s\"", name);
1796 if (!server_pool_add(rc, pool_cs, server_type, do_print)) {
1800 pool = rbtree_finddata(home_pools_byname, &mypool);
1802 ERROR("Internal sanity check failed in add_pool_to_realm");
1807 if (pool->server_type != server_type) {
1808 cf_log_err_cs(cs, "Incompatible home_server_pool \"%s\" (mixed auth_pool / acct_pool)", name);
1819 static int realm_add(realm_config_t *rc, CONF_SECTION *cs)
1825 home_pool_t *auth_pool, *acct_pool;
1826 char const *auth_pool_name, *acct_pool_name;
1828 char const *coa_pool_name;
1829 home_pool_t *coa_pool;
1833 name2 = cf_section_name1(cs);
1834 if (!name2 || (strcasecmp(name2, "realm") != 0)) {
1835 cf_log_err_cs(cs, "Section is not a realm");
1839 name2 = cf_section_name2(cs);
1841 cf_log_err_cs(cs, "Realm section is missing the realm name");
1846 auth_pool = acct_pool = NULL;
1847 auth_pool_name = acct_pool_name = NULL;
1850 coa_pool_name = NULL;
1854 * Prefer new configuration to old one.
1856 cp = cf_pair_find(cs, "pool");
1857 if (!cp) cp = cf_pair_find(cs, "home_server_pool");
1858 if (cp) auth_pool_name = cf_pair_value(cp);
1859 if (cp && auth_pool_name) {
1860 acct_pool_name = auth_pool_name;
1861 if (!add_pool_to_realm(rc, cs,
1862 auth_pool_name, &auth_pool,
1863 HOME_TYPE_AUTH, 1)) {
1866 if (!add_pool_to_realm(rc, cs,
1867 auth_pool_name, &acct_pool,
1868 HOME_TYPE_ACCT, 0)) {
1873 cp = cf_pair_find(cs, "auth_pool");
1874 if (cp) auth_pool_name = cf_pair_value(cp);
1875 if (cp && auth_pool_name) {
1877 cf_log_err_cs(cs, "Cannot use \"pool\" and \"auth_pool\" at the same time");
1880 if (!add_pool_to_realm(rc, cs,
1881 auth_pool_name, &auth_pool,
1882 HOME_TYPE_AUTH, 1)) {
1887 cp = cf_pair_find(cs, "acct_pool");
1888 if (cp) acct_pool_name = cf_pair_value(cp);
1889 if (cp && acct_pool_name) {
1890 bool do_print = true;
1893 cf_log_err_cs(cs, "Cannot use \"pool\" and \"acct_pool\" at the same time");
1899 (strcmp(auth_pool_name, acct_pool_name) != 0))) {
1903 if (!add_pool_to_realm(rc, cs,
1904 acct_pool_name, &acct_pool,
1905 HOME_TYPE_ACCT, do_print)) {
1911 cp = cf_pair_find(cs, "coa_pool");
1912 if (cp) coa_pool_name = cf_pair_value(cp);
1913 if (cp && coa_pool_name) {
1914 bool do_print = true;
1916 if (!add_pool_to_realm(rc, cs,
1917 coa_pool_name, &coa_pool,
1918 HOME_TYPE_COA, do_print)) {
1925 cf_log_info(cs, " realm %s {", name2);
1929 * The realm MAY already exist if it's an old-style realm.
1930 * In that case, merge the old-style realm with this one.
1932 r = realm_find2(name2);
1933 if (r && (strcmp(r->name, name2) == 0)) {
1934 if (cf_pair_find(cs, "auth_pool") ||
1935 cf_pair_find(cs, "acct_pool")) {
1936 cf_log_err_cs(cs, "Duplicate realm \"%s\"", name2);
1940 if (!old_realm_config(rc, cs, r)) {
1944 cf_log_info(cs, " } # realm %s", name2);
1949 r = talloc_zero(rc, REALM);
1951 r->strip_realm = true;
1953 r->auth_pool = auth_pool;
1954 r->acct_pool = acct_pool;
1956 r->coa_pool = coa_pool;
1959 if (auth_pool_name &&
1960 (auth_pool_name == acct_pool_name)) { /* yes, ptr comparison */
1961 cf_log_info(cs, "\tpool = %s", auth_pool_name);
1963 if (auth_pool_name) cf_log_info(cs, "\tauth_pool = %s", auth_pool_name);
1964 if (acct_pool_name) cf_log_info(cs, "\tacct_pool = %s", acct_pool_name);
1966 if (coa_pool_name) cf_log_info(cs, "\tcoa_pool = %s", coa_pool_name);
1971 cp = cf_pair_find(cs, "nostrip");
1972 if (cp && (cf_pair_value(cp) == NULL)) {
1973 r->strip_realm = false;
1974 cf_log_info(cs, "\tnostrip");
1978 * We're a new-style realm. Complain if we see the old
1981 if (r->auth_pool || r->acct_pool) {
1982 if (((cp = cf_pair_find(cs, "authhost")) != NULL) ||
1983 ((cp = cf_pair_find(cs, "accthost")) != NULL) ||
1984 ((cp = cf_pair_find(cs, "secret")) != NULL) ||
1985 ((cp = cf_pair_find(cs, "ldflag")) != NULL)) {
1986 WARN("Ignoring old-style configuration entry \"%s\" in realm \"%s\"", cf_pair_attr(cp), r->name);
1991 * The realm MAY be an old-style realm, as there
1992 * was no auth_pool or acct_pool. Double-check
1993 * it, just to be safe.
1995 } else if (!old_realm_config(rc, cs, r)) {
1999 if (!realm_realm_add(r, cs)) {
2003 cf_log_info(cs, " }");
2008 cf_log_info(cs, " } # realm %s", name2);
2013 int realm_realm_add(REALM *r, CONF_SECTION *cs)
2015 int realm_realm_add(REALM *r, UNUSED CONF_SECTION *cs)
2019 * The structs aren't mutex protected. Refuse to destroy
2022 if (event_loop_started && !realm_config->dynamic) {
2023 DEBUG("Must set \"dynamic = true\" in proxy.conf");
2029 * It's a regex. Sanity check it, and add it to a
2032 if (r->name[0] == '~') {
2034 realm_regex_t *rr, **last;
2036 rr = talloc(r, realm_regex_t);
2039 * Include substring matches.
2041 slen = regex_compile(rr, &rr->preg, r->name + 1, strlen(r->name) - 1, true, false, false, false);
2043 char *spaces, *text;
2045 fr_canonicalize_error(r, &spaces, &text, slen, r->name + 1);
2047 cf_log_err_cs(cs, "Invalid regular expression:");
2048 cf_log_err_cs(cs, "%s", text);
2049 cf_log_err_cs(cs, "%s^ %s", spaces, fr_strerror());
2051 talloc_free(spaces);
2058 last = &realms_regex;
2059 while (*last) last = &((*last)->next); /* O(N^2)... sue me. */
2069 if (!rbtree_insert(realms_byname, r)) {
2070 rad_assert("Internal sanity check failed" == NULL);
2079 static int pool_peek_type(CONF_SECTION *config, CONF_SECTION *cs)
2082 char const *name, *type;
2084 CONF_SECTION *server_cs;
2086 cp = cf_pair_find(cs, "home_server");
2088 cf_log_err_cs(cs, "Pool does not contain a \"home_server\" entry");
2089 return HOME_TYPE_INVALID;
2092 name = cf_pair_value(cp);
2094 cf_log_err_cp(cp, "home_server entry does not reference a home server");
2095 return HOME_TYPE_INVALID;
2098 server_cs = cf_section_sub_find_name2(config, "home_server", name);
2100 cf_log_err_cp(cp, "home_server \"%s\" does not exist", name);
2101 return HOME_TYPE_INVALID;
2104 cp = cf_pair_find(server_cs, "type");
2106 cf_log_err_cs(server_cs, "home_server %s does not contain a \"type\" entry", name);
2107 return HOME_TYPE_INVALID;
2110 type = cf_pair_value(cp);
2112 cf_log_err_cs(server_cs, "home_server %s contains an empty \"type\" entry", name);
2113 return HOME_TYPE_INVALID;
2116 home = fr_str2int(home_server_types, type, HOME_TYPE_INVALID);
2117 if (home == HOME_TYPE_INVALID) {
2118 cf_log_err_cs(server_cs, "home_server %s contains an invalid \"type\" entry of value \"%s\"", name, type);
2119 return HOME_TYPE_INVALID;
2122 return home; /* 'cause we miss it so much */
2126 int realms_init(CONF_SECTION *config)
2131 CONF_SECTION *server_cs;
2135 if (event_loop_started) return 1;
2137 rc = talloc_zero(NULL, realm_config_t);
2141 cs = cf_subsection_find_next(config, NULL, "proxy");
2143 if (cf_section_parse(cs, rc, proxy_config) < 0) {
2144 ERROR("Failed parsing proxy section");
2148 rc->dead_time = DEAD_TIME;
2149 rc->retry_count = RETRY_COUNT;
2150 rc->retry_delay = RETRY_DELAY;
2151 rc->fallback = false;
2152 rc->dynamic = false;
2153 rc->wake_all_if_all_dead= 0;
2157 flags = RBTREE_FLAG_LOCK;
2160 home_servers_byaddr = rbtree_create(NULL, home_server_addr_cmp, home_server_free, flags);
2161 if (!home_servers_byaddr) goto error;
2163 home_servers_byname = rbtree_create(NULL, home_server_name_cmp, NULL, flags);
2164 if (!home_servers_byname) goto error;
2167 home_servers_bynumber = rbtree_create(NULL, home_server_number_cmp, NULL, flags);
2168 if (!home_servers_bynumber) goto error;
2171 home_pools_byname = rbtree_create(NULL, home_pool_name_cmp, NULL, flags);
2172 if (!home_pools_byname) goto error;
2174 for (cs = cf_subsection_find_next(config, NULL, "home_server");
2176 cs = cf_subsection_find_next(config, cs, "home_server")) {
2177 home_server_t *home;
2179 home = home_server_afrom_cs(rc, rc, cs);
2180 if (!home) goto error;
2181 if (!realm_home_server_add(home)) goto error;
2185 * Loop over virtual servers to find home servers which
2186 * are defined in them.
2188 for (server_cs = cf_subsection_find_next(config, NULL, "server");
2190 server_cs = cf_subsection_find_next(config, server_cs, "server")) {
2191 for (cs = cf_subsection_find_next(server_cs, NULL, "home_server");
2193 cs = cf_subsection_find_next(server_cs, cs, "home_server")) {
2194 home_server_t *home;
2196 home = home_server_afrom_cs(rc, rc, cs);
2197 if (!home) goto error;
2198 if (!realm_home_server_add(home)) goto error;
2204 * Now create the realms, which point to the home servers
2205 * and home server pools.
2207 realms_byname = rbtree_create(NULL, realm_name_cmp, NULL, flags);
2208 if (!realms_byname) goto error;
2210 for (cs = cf_subsection_find_next(config, NULL, "realm");
2212 cs = cf_subsection_find_next(config, cs, "realm")) {
2213 if (!realm_add(rc, cs)) {
2217 * Must be called after realms_free as home_servers
2218 * parented by rc are in trees freed by realms_free()
2227 * CoA pools aren't necessarily tied to realms.
2229 for (cs = cf_subsection_find_next(config, NULL, "home_server_pool");
2231 cs = cf_subsection_find_next(config, cs, "home_server_pool")) {
2235 * Pool was already loaded.
2237 if (cf_data_find(cs, "home_server_pool")) continue;
2239 type = pool_peek_type(config, cs);
2240 if (type == HOME_TYPE_INVALID) goto error;
2241 if (!server_pool_add(rc, cs, type, true)) goto error;
2246 xlat_register("home_server", xlat_home_server, NULL, NULL);
2247 xlat_register("home_server_pool", xlat_server_pool, NULL, NULL);
2255 * Find a realm where "name" might be the regex.
2257 REALM *realm_find2(char const *name)
2262 if (!name) name = "NULL";
2264 myrealm.name = name;
2265 realm = rbtree_finddata(realms_byname, &myrealm);
2266 if (realm) return realm;
2270 realm_regex_t *this;
2272 for (this = realms_regex; this != NULL; this = this->next) {
2273 if (strcmp(this->realm->name, name) == 0) {
2281 * Couldn't find a realm. Look for DEFAULT.
2283 myrealm.name = "DEFAULT";
2284 return rbtree_finddata(realms_byname, &myrealm);
2289 * Find a realm in the REALM list.
2291 REALM *realm_find(char const *name)
2296 if (!name) name = "NULL";
2298 myrealm.name = name;
2299 realm = rbtree_finddata(realms_byname, &myrealm);
2300 if (realm) return realm;
2304 realm_regex_t *this;
2306 for (this = realms_regex;
2308 this = this->next) {
2311 compare = regex_exec(this->preg, name, strlen(name), NULL, NULL);
2313 ERROR("Failed performing realm comparison: %s", fr_strerror());
2316 if (compare == 1) return this->realm;
2322 * Couldn't find a realm. Look for DEFAULT.
2324 myrealm.name = "DEFAULT";
2325 return rbtree_finddata(realms_byname, &myrealm);
2332 * Allocate the proxy list if it doesn't already exist, and copy request
2333 * VPs into it. Setup src/dst IP addresses based on home server, and
2334 * calculate and add the message-authenticator.
2336 * This is a distinct function from home_server_ldb, as not all home_server_t
2337 * lookups result in the *CURRENT* request being proxied,
2338 * as in rlm_replicate, and this may trigger asserts elsewhere in the
2341 void home_server_update_request(home_server_t *home, REQUEST *request)
2345 * Allocate the proxy packet, only if it wasn't
2346 * already allocated by a module. This check is
2347 * mainly to support the proxying of EAP-TTLS and
2348 * EAP-PEAP tunneled requests.
2350 * In those cases, the EAP module creates a
2351 * "fake" request, and recursively passes it
2352 * through the authentication stage of the
2353 * server. The module then checks if the request
2354 * was supposed to be proxied, and if so, creates
2355 * a proxy packet from the TUNNELED request, and
2356 * not from the EAP request outside of the
2359 * The proxy then works like normal, except that
2360 * the response packet is "eaten" by the EAP
2361 * module, and encapsulated into an EAP packet.
2363 if (!request->proxy) {
2364 request->proxy = rad_alloc(request, true);
2365 if (!request->proxy) {
2371 * Copy the request, then look up name
2372 * and plain-text password in the copy.
2374 * Note that the User-Name attribute is
2375 * the *original* as sent over by the
2376 * client. The Stripped-User-Name
2377 * attribute is the one hacked through
2380 request->proxy->vps = fr_pair_list_copy(request->proxy,
2381 request->packet->vps);
2385 * Update the various fields as appropriate.
2387 request->proxy->src_ipaddr = home->src_ipaddr;
2388 request->proxy->src_port = 0;
2389 request->proxy->dst_ipaddr = home->ipaddr;
2390 request->proxy->dst_port = home->port;
2392 request->proxy->proto = home->proto;
2394 request->home_server = home;
2397 * Access-Requests have a Message-Authenticator added,
2398 * unless one already exists.
2400 if ((request->packet->code == PW_CODE_ACCESS_REQUEST) &&
2401 !fr_pair_find_by_num(request->proxy->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY)) {
2402 fr_pair_make(request->proxy, &request->proxy->vps,
2403 "Message-Authenticator", "0x00",
2408 home_server_t *home_server_ldb(char const *realmname,
2409 home_pool_t *pool, REQUEST *request)
2413 home_server_t *found = NULL;
2414 home_server_t *zombie = NULL;
2419 * Determine how to pick choose the home server.
2421 switch (pool->type) {
2425 * For load-balancing by client IP address, we
2426 * pick a home server by hashing the client IP.
2428 * This isn't as even a load distribution as
2429 * tracking the State attribute, but it's better
2432 case HOME_POOL_CLIENT_BALANCE:
2433 switch (request->packet->src_ipaddr.af) {
2435 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2436 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2440 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2441 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2448 start = hash % pool->num_home_servers;
2451 case HOME_POOL_CLIENT_PORT_BALANCE:
2452 switch (request->packet->src_ipaddr.af) {
2454 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip4addr,
2455 sizeof(request->packet->src_ipaddr.ipaddr.ip4addr));
2459 hash = fr_hash(&request->packet->src_ipaddr.ipaddr.ip6addr,
2460 sizeof(request->packet->src_ipaddr.ipaddr.ip6addr));
2467 hash = fr_hash_update(&request->packet->src_port,
2468 sizeof(request->packet->src_port), hash);
2469 start = hash % pool->num_home_servers;
2472 case HOME_POOL_KEYED_BALANCE:
2473 if ((vp = fr_pair_find_by_num(request->config, PW_LOAD_BALANCE_KEY, 0, TAG_ANY)) != NULL) {
2474 hash = fr_hash(vp->vp_strvalue, vp->vp_length);
2475 start = hash % pool->num_home_servers;
2480 case HOME_POOL_LOAD_BALANCE:
2481 case HOME_POOL_FAIL_OVER:
2485 default: /* this shouldn't happen... */
2492 * Starting with the home server we chose, loop through
2493 * all home servers. If the current one is dead, skip
2494 * it. If it is too busy, skip it.
2496 * Otherwise, use it.
2498 for (count = 0; count < pool->num_home_servers; count++) {
2499 home_server_t *home = pool->servers[(start + count) % pool->num_home_servers];
2501 if (!home) continue;
2504 * Skip dead home servers.
2506 * Home servers that are unknown, alive, or zombie
2507 * are used for proxying.
2509 if (home->state == HOME_STATE_IS_DEAD) {
2514 * This home server is too busy. Choose another one.
2516 if (home->currently_outstanding >= home->max_outstanding) {
2522 * We read the packet from a detail file, AND it
2523 * came from this server. Don't re-proxy it
2526 if ((request->listener->type == RAD_LISTEN_DETAIL) &&
2527 (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) &&
2528 (fr_ipaddr_cmp(&home->ipaddr, &request->packet->src_ipaddr) == 0)) {
2534 * Default virtual: ignore homes tied to a
2537 if (!request->server && home->parent_server) {
2542 * A virtual AND home is tied to virtual,
2543 * ignore ones which don't match.
2545 if (request->server && home->parent_server &&
2546 strcmp(request->server, home->parent_server) != 0) {
2551 * Allow request->server && !home->parent_server
2553 * i.e. virtuals can proxy to globally defined
2558 * It's zombie, so we remember the first zombie
2559 * we find, but we don't mark it as a "live"
2562 if (home->state == HOME_STATE_ZOMBIE) {
2563 if (!zombie) zombie = home;
2568 * We've found the first "live" one. Use that.
2570 if (pool->type != HOME_POOL_LOAD_BALANCE) {
2576 * Otherwise we're doing some kind of load balancing.
2577 * If we haven't found one yet, pick this one.
2584 RDEBUG3("PROXY %s %d\t%s %d",
2585 found->log_name, found->currently_outstanding,
2586 home->log_name, home->currently_outstanding);
2589 * Prefer this server if it's less busy than the
2590 * one we had previously found.
2592 if (home->currently_outstanding < found->currently_outstanding) {
2593 RDEBUG3("PROXY Choosing %s: It's less busy than %s",
2594 home->log_name, found->log_name);
2600 * Ignore servers which are busier than the one
2603 if (home->currently_outstanding > found->currently_outstanding) {
2604 RDEBUG3("PROXY Skipping %s: It's busier than %s",
2605 home->log_name, found->log_name);
2610 * From the list of servers which have the same
2611 * load, choose one at random.
2613 if (((count + 1) * (fr_rand() & 0xffff)) < (uint32_t) 0x10000) {
2616 } /* loop over the home servers */
2619 * We have no live servers, BUT we have a zombie. Use
2620 * the zombie as a last resort.
2622 if (!found && zombie) {
2628 * There's a fallback if they're all dead.
2630 if (!found && pool->fallback) {
2631 found = pool->fallback;
2633 WARN("Home server pool %s failing over to fallback %s",
2634 pool->name, found->server);
2635 if (pool->in_fallback) goto update_and_return;
2637 pool->in_fallback = true;
2640 * Run the trigger once an hour saying that
2643 if ((pool->time_all_dead + 3600) < request->timestamp) {
2644 pool->time_all_dead = request->timestamp;
2645 exec_trigger(request, pool->cs, "home_server_pool.fallback", false);
2651 if ((found != pool->fallback) && pool->in_fallback) {
2652 pool->in_fallback = false;
2653 exec_trigger(request, pool->cs, "home_server_pool.normal", false);
2660 * No live match found, and no fallback to the "DEFAULT"
2661 * realm. We fix this by blindly marking all servers as
2662 * "live". But only do it for ones that don't support
2663 * "pings", as they will be marked live when they
2664 * actually are live.
2666 if (!realm_config->fallback &&
2667 realm_config->wake_all_if_all_dead) {
2668 for (count = 0; count < pool->num_home_servers; count++) {
2669 home_server_t *home = pool->servers[count];
2671 if (!home) continue;
2673 if ((home->state == HOME_STATE_IS_DEAD) &&
2674 (home->ping_check == HOME_PING_CHECK_NONE)) {
2675 home->state = HOME_STATE_ALIVE;
2676 home->response_timeouts = 0;
2677 if (!found) found = home;
2681 if (found) goto update_and_return;
2685 * Still nothing. Look up the DEFAULT realm, but only
2686 * if we weren't looking up the NULL or DEFAULT realms.
2688 if (realm_config->fallback &&
2690 (strcmp(realmname, "NULL") != 0) &&
2691 (strcmp(realmname, "DEFAULT") != 0)) {
2692 REALM *rd = realm_find("DEFAULT");
2694 if (!rd) return NULL;
2697 if (request->packet->code == PW_CODE_ACCESS_REQUEST) {
2698 pool = rd->auth_pool;
2700 } else if (request->packet->code == PW_CODE_ACCOUNTING_REQUEST) {
2701 pool = rd->acct_pool;
2703 if (!pool) return NULL;
2705 RDEBUG2("PROXY - realm %s has no live home servers. Falling back to the DEFAULT realm.", realmname);
2706 return home_server_ldb(rd->name, pool, request);
2710 * Still haven't found anything. Oh well.
2716 home_server_t *home_server_find(fr_ipaddr_t *ipaddr, uint16_t port,
2722 home_server_t myhome;
2724 memset(&myhome, 0, sizeof(myhome));
2725 myhome.ipaddr = *ipaddr;
2726 myhome.src_ipaddr.af = ipaddr->af;
2729 myhome.proto = proto;
2731 myhome.proto = IPPROTO_UDP;
2733 myhome.server = NULL; /* we're not called for internal proxying */
2735 return rbtree_finddata(home_servers_byaddr, &myhome);
2739 home_server_t *home_server_byname(char const *name, int type)
2741 home_server_t myhome;
2743 memset(&myhome, 0, sizeof(myhome));
2747 return rbtree_finddata(home_servers_byname, &myhome);
2752 home_server_t *home_server_bynumber(int number)
2754 home_server_t myhome;
2756 memset(&myhome, 0, sizeof(myhome));
2757 myhome.number = number;
2758 myhome.server = NULL; /* we're not called for internal proxying */
2760 return rbtree_finddata(home_servers_bynumber, &myhome);
2764 home_pool_t *home_pool_byname(char const *name, int type)
2768 memset(&mypool, 0, sizeof(mypool));
2770 mypool.server_type = type;
2771 return rbtree_finddata(home_pools_byname, &mypool);