vendor = htonl(vendor);
memcpy(v, &vendor, 4);
tlv2buf(v + 4, attr);
+ v[5] += 2;
vattr = maketlv(RAD_Attr_Vendor_Specific, l, v);
if (vattr && radmsg_add(msg, vattr))
return 1;
return 1;
}
-int dottl(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
+/* returns -1 if no ttl, 0 if exceeded, 1 if ok */
+int checkttl(struct radmsg *msg, uint32_t *attrtype) {
uint8_t alen, *subattrs;
struct tlv *attr;
struct list_node *node;
subattrs += alen;
}
}
- if (addttl)
- addttlattr(msg, attrtype, addttl);
- return 1;
+ return -1;
}
const char *radmsgtype2string(uint8_t code) {
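Review bot: checkttl() now returns a tri-state int whose meaning lives only in the comment at L11, and the two callers in this diff test it as `if (!ttlres)` and `ttlres == -1`, which reads as "no result" rather than "ttl exceeded" / "no ttl present". A small enum returned by value (names illustrative: `enum { TTL_NONE = -1, TTL_EXCEEDED = 0, TTL_OK = 1 };`) would make those call sites self-describing without changing the ABI. The loop body of checkttl, including where the TTL value is decremented, is outside this hunk, so whether the 0 case also covers a malformed or zero-length TTL attribute cannot be confirmed here.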
struct realm *realm = NULL;
struct server *to = NULL;
struct client *from = rq->from;
+ int ttlres;
msg = buf2radmsg(rq->buf, (uint8_t *)from->conf->secret, NULL);
free(rq->buf);
if (from->conf->rewritein && !dorewrite(msg, from->conf->rewritein))
goto rmclrqexit;
- if (!dottl(msg, options.ttlattrtype, options.addttl)) {
+ ttlres = checkttl(msg, options.ttlattrtype);
+ if (!ttlres) {
debug(DBG_WARN, "radsrv: ignoring request from client %s (%s), ttl exceeded", from->conf->name, addr2string(from->addr));
goto exit;
}
if (to->conf->rewriteout && !dorewrite(msg, to->conf->rewriteout))
goto rmclrqexit;
+ if (ttlres == -1 && (options.addttl || to->conf->addttl))
+ addttlattr(msg, options.ttlattrtype, to->conf->addttl ? to->conf->addttl : options.addttl);
+
free(userascii);
rq->to = to;
sendrq(rq);
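Review bot: The result of addttlattr() at L42 is discarded, and the same pattern appears in replyh at L67-L68; if maketlv() or radmsg_add() fails, the message is forwarded without the TTL the operator configured and nothing is logged. The tail of addttlattr visible at the top of this diff returns 1 on both paths, so callers currently cannot tell either way; have it return 0 when the attribute was not added, and at the call site log it, e.g. `if (!addttlattr(msg, options.ttlattrtype, to->conf->addttl ? to->conf->addttl : options.addttl)) debug(DBG_WARN, "radsrv: failed to add TTL attribute");`. The selection expression `to->conf->addttl ? to->conf->addttl : options.addttl` is duplicated verbatim in both functions and belongs in a small helper. Note also that ttlres is computed at L34 before rewriteout runs at L39; if a rewriteOut rule adds or removes the TTL attribute, the -1 result is stale — worth confirming. radsrv's body starts and ends outside this hunk.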
void replyh(struct server *server, unsigned char *buf) {
struct client *from;
struct rqout *rqout;
- int sublen;
+ int sublen, ttlres;
unsigned char *subattrs;
uint8_t *username, *stationid, *replymsg;
struct radmsg *msg = NULL;
goto errunlock;
}
- if (!dottl(msg, options.ttlattrtype, options.addttl)) {
+ ttlres = checkttl(msg, options.ttlattrtype);
+ if (!ttlres) {
debug(DBG_WARN, "replyh: ignoring reply from server %s, ttl exceeded", server->conf->host);
goto errunlock;
}
debug(DBG_WARN, "replyh: rewriteout failed");
goto errunlock;
}
+
+ if (ttlres == -1 && (options.addttl || from->conf->addttl))
+ addttlattr(msg, options.ttlattrtype, from->conf->addttl ? from->conf->addttl : options.addttl);
debug(DBG_INFO, "replyh: passing reply to client %s (%s)", from->conf->name, addr2string(from->addr));
radmsg_free(rqout->rq->msg);
int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
struct clsrvconf *conf;
char *conftype = NULL, *rewriteinalias = NULL;
- long int dupinterval = LONG_MIN;
+ long int dupinterval = LONG_MIN, addttl = LONG_MIN;
debug(DBG_DBG, "confclient_cb called for %s", block);
conf->certnamecheck = 1;
if (!getgenericconfig(cf, block,
- "type", CONF_STR, &conftype,
- "host", CONF_STR, &conf->host,
- "secret", CONF_STR, &conf->secret,
- "tls", CONF_STR, &conf->tls,
- "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
- "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
- "DuplicateInterval", CONF_LINT, &dupinterval,
- "rewrite", CONF_STR, &rewriteinalias,
- "rewriteIn", CONF_STR, &conf->confrewritein,
- "rewriteOut", CONF_STR, &conf->confrewriteout,
- "rewriteattribute", CONF_STR, &conf->confrewriteusername,
- NULL
+ "type", CONF_STR, &conftype,
+ "host", CONF_STR, &conf->host,
+ "secret", CONF_STR, &conf->secret,
+ "tls", CONF_STR, &conf->tls,
+ "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
+ "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
+ "DuplicateInterval", CONF_LINT, &dupinterval,
+ "addTTL", CONF_LINT, &addttl,
+ "rewrite", CONF_STR, &rewriteinalias,
+ "rewriteIn", CONF_STR, &conf->confrewritein,
+ "rewriteOut", CONF_STR, &conf->confrewriteout,
+ "rewriteattribute", CONF_STR, &conf->confrewriteusername,
+ NULL
))
debugx(1, DBG_ERR, "configuration error");
} else
conf->dupinterval = conf->pdef->duplicateintervaldefault;
+ if (addttl != LONG_MIN) {
+ if (addttl < 1 || addttl > 255)
+ debugx(1, DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl);
+ conf->addttl = (uint8_t)addttl;
+ }
+
if (!conf->confrewritein)
conf->confrewritein = rewriteinalias;
else
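Review bot: The format string at L110 passes `addttl`, declared `long int` at L75, to a `%d` conversion; that is a type/format mismatch (undefined behavior, flagged by -Wformat) and the same appears at L134 in confserver_cb. Change both to `"error in block %s, value of option addTTL is %ld, must be 1-255"`. The range check at L109 precedes the `(uint8_t)` cast at L111, so the narrowing itself is safe. confclient_cb continues outside this hunk.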
int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
struct clsrvconf *conf, *resconf;
char *conftype = NULL, *rewriteinalias = NULL;
- long int retryinterval = LONG_MIN, retrycount = LONG_MIN;
+ long int retryinterval = LONG_MIN, retrycount = LONG_MIN, addttl = LONG_MIN;
debug(DBG_DBG, "confserver_cb called for %s", block);
"secret", CONF_STR, &conf->secret,
"tls", CONF_STR, &conf->tls,
"MatchCertificateAttribute", CONF_STR, &conf->matchcertattr,
+ "addTTL", CONF_LINT, &addttl,
"rewrite", CONF_STR, &rewriteinalias,
"rewriteIn", CONF_STR, &conf->confrewritein,
"rewriteOut", CONF_STR, &conf->confrewriteout,
} else
conf->retrycount = 255;
+ if (addttl != LONG_MIN) {
+ if (addttl < 1 || addttl > 255) {
+ debug(DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl);
+ goto errexit;
+ }
+ conf->addttl = (uint8_t)addttl;
+ }
+
if (resconf) {
if (!mergesrvconf(resconf, conf))
goto errexit;
debug(DBG_DBG, "confrealm_cb called for %s", block);
if (!getgenericconfig(cf, block,
- "server", CONF_MSTR, &servers,
- "accountingServer", CONF_MSTR, &accservers,
- "ReplyMessage", CONF_STR, &msg,
- "AccountingResponse", CONF_BLN, &accresp,
- NULL
+ "server", CONF_MSTR, &servers,
+ "accountingServer", CONF_MSTR, &accservers,
+ "ReplyMessage", CONF_STR, &msg,
+ "AccountingResponse", CONF_BLN, &accresp,
+ NULL
))
debugx(1, DBG_ERR, "configuration error");
memset(conf, 0, sizeof(struct tls));
if (!getgenericconfig(cf, block,
- "CACertificateFile", CONF_STR, &conf->cacertfile,
- "CACertificatePath", CONF_STR, &conf->cacertpath,
- "CertificateFile", CONF_STR, &conf->certfile,
- "CertificateKeyFile", CONF_STR, &conf->certkeyfile,
- "CertificateKeyPassword", CONF_STR, &conf->certkeypwd,
- "CacheExpiry", CONF_LINT, &expiry,
- "CRLCheck", CONF_BLN, &conf->crlcheck,
- "PolicyOID", CONF_MSTR, &conf->policyoids,
- NULL
+ "CACertificateFile", CONF_STR, &conf->cacertfile,
+ "CACertificatePath", CONF_STR, &conf->cacertpath,
+ "CertificateFile", CONF_STR, &conf->certfile,
+ "CertificateKeyFile", CONF_STR, &conf->certkeyfile,
+ "CertificateKeyPassword", CONF_STR, &conf->certkeypwd,
+ "CacheExpiry", CONF_LINT, &expiry,
+ "CRLCheck", CONF_BLN, &conf->crlcheck,
+ "PolicyOID", CONF_MSTR, &conf->policyoids,
+ NULL
)) {
debug(DBG_ERR, "conftls_cb: configuration error in block %s", val);
goto errexit;
debug(DBG_DBG, "confrewrite_cb called for %s", block);
if (!getgenericconfig(cf, block,
- "removeAttribute", CONF_MSTR, &rmattrs,
- "removeVendorAttribute", CONF_MSTR, &rmvattrs,
- "addAttribute", CONF_MSTR, &addattrs,
- "modifyAttribute", CONF_MSTR, &modattrs,
- NULL
+ "removeAttribute", CONF_MSTR, &rmattrs,
+ "removeVendorAttribute", CONF_MSTR, &rmvattrs,
+ "addAttribute", CONF_MSTR, &addattrs,
+ "modifyAttribute", CONF_MSTR, &modattrs,
+ NULL
))
debugx(1, DBG_ERR, "configuration error");
addrewrite(val, rmattrs, rmvattrs, addattrs, modattrs);
*pretend = 1;
break;
case 'v':
- debugx(0, DBG_ERR, "radsecproxy revision $Rev$");
+ debugx(0, DBG_ERR, "radsecproxy devel-20081106");
default:
goto usage;
}
debugx(1, DBG_ERR, "daemon() failed: %s", strerror(errno));
debug_timestamp_on();
- debug(DBG_INFO, "radsecproxy revision $Rev$ starting");
+ debug(DBG_INFO, "radsecproxy devel-20081106 starting");
sigemptyset(&sigset);
/* exit on all but SIGPIPE, ignore more? */
\\$2 \(la\\$1\(ra\\$3
..
.if \n(.g .mso www.tmac
-.TH "radsecproxy.conf " 5 2008-10-16 "radsecproxy devel 2008-10-16" ""
+.TH "radsecproxy.conf " 5 2008-11-06 "radsecproxy devel-20081106" ""
.SH NAME
radsecproxy.conf
\- Radsec proxy configuration file
This can be used to specify source address and/or source port that the proxy
will use for DTLS connections.
.TP
+\*(T<TTLAttribute\*(T>
+This can be used to change the default TTL attribute. Only change this if
+you know what you are doing. The syntax is either a numerical value
+denoting the TTL attribute, or two numerical values separated by column
+specifying a vendor attribute, i.e. \*(T<vendorid:attribute\*(T>.
+.TP
+\*(T<addTTL\*(T>
+If a TTL attribute is present, the proxy will decrement the value and
+discard the message if zero. Normally the proxy does nothing if no TTL
+attribute is present. If you use the addTTL option with a value 1-255,
+the proxy will when forwarding a message with no TTL attribute, add one
+with the specified value. Note that this option can also be specified
+for a client/server. It will then override this setting when forwarding
+a message to that client/server.
+.TP
\*(T<loopPrevention\*(T>
This can be set to \*(T<on\*(T> or \*(T<off\*(T> with
\*(T<off\*(T> being the default. When this is enabled, a request
\*(T<type\*(T>, \*(T<secret\*(T>, \*(T<tls\*(T>,
\*(T<certificateNameCheck\*(T>,
\*(T<matchCertificateAttribute\*(T>,
-\*(T<duplicateInterval\*(T>, \*(T<rewrite\*(T>,
-\*(T<rewriteIn\*(T>, \*(T<rewriteOut\*(T> and
-\*(T<rewriteAttribute\*(T>. We already discussed the
+\*(T<duplicateInterval\*(T>, \*(T<addTTL\*(T>,
+\*(T<rewrite\*(T>, \*(T<rewriteIn\*(T>,
+\*(T<rewriteOut\*(T> and \*(T<rewriteAttribute\*(T>.
+We already discussed the
\*(T<host\*(T> option. The value of \*(T<type\*(T> must be
one of \*(T<udp\*(T>, \*(T<tcp\*(T>, \*(T<tls\*(T>
or \*(T<dtls\*(T>. The value of \*(T<secret\*(T> is the
ignore the new request (if it is still processing the previous one), or
returned a copy of the previous reply.
.PP
+The \*(T<addTTL\*(T> option is similar to the
+\*(T<addTTL\*(T> option used in the basic config. See that for
+details. Any value configured here overrides the basic one when sending
+messages to this client.
+.PP
The \*(T<rewrite\*(T> option is deprecated. Use
\*(T<rewriteIn\*(T> instead.
.PP
The allowed options in a server block are \*(T<host\*(T>,
\*(T<port\*(T>, \*(T<type\*(T>, \*(T<secret\*(T>,
\*(T<tls\*(T>, \*(T<certificateNameCheck\*(T>,
-\*(T<matchCertificateAttribute\*(T>, \*(T<rewrite\*(T>,
+\*(T<matchCertificateAttribute\*(T>, \*(T<addTTL\*(T>,
+\*(T<rewrite\*(T>,
\*(T<rewriteIn\*(T>, \*(T<rewriteOut\*(T>,
\*(T<statusServer\*(T>, \*(T<retryCount\*(T>,
\*(T<retryInterval\*(T> and \*(T<dynamicLookupCommand\*(T>.
\*(T<port\*(T> option allows you to specify which port number the
server uses. The usage of \*(T<type\*(T>, \*(T<secret\*(T>,
\*(T<tls\*(T>, \*(T<certificateNameCheck\*(T>,
-\*(T<matchCertificateAttribute\*(T>, \*(T<rewrite\*(T>,
+\*(T<matchCertificateAttribute\*(T>, \*(T<addTTL\*(T>,
+\*(T<rewrite\*(T>,
\*(T<rewriteIn\*(T> and \*(T<rewriteOut\*(T> are just as
specified for the \*(T<client block\*(T> above, except that
\*(T<defaultServer\*(T> (and not \*(T<defaultClient\*(T>)
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry>
<refentryinfo>
- <date>2008-10-16</date>
+ <date>2008-11-06</date>
</refentryinfo>
<refmeta>
<refentrytitle>
<application>radsecproxy.conf</application>
</refentrytitle>
<manvolnum>5</manvolnum>
- <refmiscinfo>radsecproxy devel 2008-10-16</refmiscinfo>
+ <refmiscinfo>radsecproxy devel-20081106</refmiscinfo>
</refmeta>
<refnamediv>
<refname>
</listitem>
</varlistentry>
<varlistentry>
+ <term><literal>TTLAttribute</literal></term>
+ <listitem>
+ <para>
+This can be used to change the default TTL attribute. Only change this if
+you know what you are doing. The syntax is either a numerical value
+denoting the TTL attribute, or two numerical values separated by column
+specifying a vendor attribute, i.e. <literal>vendorid:attribute</literal>.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><literal>addTTL</literal></term>
+ <listitem>
+ <para>
+If a TTL attribute is present, the proxy will decrement the value and
+discard the message if zero. Normally the proxy does nothing if no TTL
+attribute is present. If you use the addTTL option with a value 1-255,
+the proxy will when forwarding a message with no TTL attribute, add one
+with the specified value. Note that this option can also be specified
+for a client/server. It will then override this setting when forwarding
+a message to that client/server.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><literal>loopPrevention</literal></term>
<listitem>
<para>
<literal>type</literal>, <literal>secret</literal>, <literal>tls</literal>,
<literal>certificateNameCheck</literal>,
<literal>matchCertificateAttribute</literal>,
-<literal>duplicateInterval</literal>, <literal>rewrite</literal>,
-<literal>rewriteIn</literal>, <literal>rewriteOut</literal> and
-<literal>rewriteAttribute</literal>. We already discussed the
+<literal>duplicateInterval</literal>, <literal>addTTL</literal>,
+<literal>rewrite</literal>, <literal>rewriteIn</literal>,
+<literal>rewriteOut</literal> and <literal>rewriteAttribute</literal>.
+We already discussed the
<literal>host</literal> option. The value of <literal>type</literal> must be
one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal>
or <literal>dtls</literal>. The value of <literal>secret</literal> is the
returned a copy of the previous reply.
</para>
<para>
+The <literal>addTTL</literal> option is similar to the
+<literal>addTTL</literal> option used in the basic config. See that for
+details. Any value configured here overrides the basic one when sending
+messages to this client.
+ </para>
+ <para>
The <literal>rewrite</literal> option is deprecated. Use
<literal>rewriteIn</literal> instead.
</para>
The allowed options in a server block are <literal>host</literal>,
<literal>port</literal>, <literal>type</literal>, <literal>secret</literal>,
<literal>tls</literal>, <literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>, <literal>rewrite</literal>,
+<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>,
+<literal>rewrite</literal>,
<literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
<literal>statusServer</literal>, <literal>retryCount</literal>,
<literal>retryInterval</literal> and <literal>dynamicLookupCommand</literal>.
<literal>port</literal> option allows you to specify which port number the
server uses. The usage of <literal>type</literal>, <literal>secret</literal>,
<literal>tls</literal>, <literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>, <literal>rewrite</literal>,
+<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>,
+<literal>rewrite</literal>,
<literal>rewriteIn</literal> and <literal>rewriteOut</literal> are just as
specified for the <literal>client block</literal> above, except that
<literal>defaultServer</literal> (and not <literal>defaultClient</literal>)