The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
proto_radius_tcp.c
Go to the documentation of this file.
1 /*
2  * This program is free software; you can redistribute it and/or modify
3  * it under the terms of the GNU General Public License as published by
4  * the Free Software Foundation; either version 2 of the License, or
5  * (at your option) any later version.
6  *
7  * This program is distributed in the hope that it will be useful,
8  * but WITHOUT ANY WARRANTY; without even the implied warranty of
9  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10  * GNU General Public License for more details.
11  *
12  * You should have received a copy of the GNU General Public License
13  * along with this program; if not, write to the Free Software
14  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15  */
16 
17 /**
18  * $Id: dd0438cb9efc010b328c6ee915bfae8eb6609e6a $
19  * @file proto_radius_tcp.c
20  * @brief RADIUS handler for TCP.
21  *
22  * @copyright 2016 The FreeRADIUS server project.
23  * @copyright 2016 Alan DeKok (aland@deployingradius.com)
24  */
25 #include <netdb.h>
26 #include <freeradius-devel/server/protocol.h>
27 #include <freeradius-devel/radius/tcp.h>
28 #include <freeradius-devel/util/trie.h>
29 #include <freeradius-devel/radius/radius.h>
30 #include <freeradius-devel/io/application.h>
31 #include <freeradius-devel/io/listen.h>
32 #include <freeradius-devel/io/schedule.h>
33 #include "proto_radius.h"
34 
36 
37 typedef struct {
38  char const *name; //!< socket name
39  int sockfd;
40 
41  fr_io_address_t *connection; //!< for connected sockets.
42 
43  fr_stats_t stats; //!< statistics for this socket
45 
46 typedef struct {
47  CONF_SECTION *cs; //!< our configuration
48 
49  fr_ipaddr_t ipaddr; //!< IP address to listen on.
50 
51  char const *interface; //!< Interface to bind to.
52  char const *port_name; //!< Name of the port for getservent().
53 
54  uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
55 
56  uint32_t max_packet_size; //!< for message ring buffer.
57  uint32_t max_attributes; //!< Limit maximum decodable attributes.
58 
59  uint16_t port; //!< Port to listen on.
60 
61  bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
62  bool dynamic_clients; //!< whether we have dynamic clients
63  bool dedup_authenticator; //!< dedup using the request authenticator
64 
65  fr_client_list_t *clients; //!< local clients
66 
67  fr_trie_t *trie; //!< for parsed networks
68  fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
69  fr_ipaddr_t *deny; //!< denied networks for dynamic clients
71 
72 
73 static const conf_parser_t networks_config[] = {
76 
78 };
79 
80 
81 static const conf_parser_t tcp_listen_config[] = {
85 
86  { FR_CONF_OFFSET("interface", proto_radius_tcp_t, interface) },
87  { FR_CONF_OFFSET("port_name", proto_radius_tcp_t, port_name) },
88 
89  { FR_CONF_OFFSET("port", proto_radius_tcp_t, port) },
90  { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, 0, proto_radius_tcp_t, recv_buff) },
91 
92  { FR_CONF_OFFSET("dynamic_clients", proto_radius_tcp_t, dynamic_clients) } ,
93  { FR_CONF_OFFSET("accept_conflicting_packets", proto_radius_tcp_t, dedup_authenticator) } ,
94  { FR_CONF_POINTER("networks", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) networks_config },
95 
96  { FR_CONF_OFFSET("max_packet_size", proto_radius_tcp_t, max_packet_size), .dflt = "4096" } ,
97  { FR_CONF_OFFSET("max_attributes", proto_radius_tcp_t, max_attributes), .dflt = STRINGIFY(RADIUS_MAX_ATTRIBUTES) } ,
98 
100 };
101 
102 
103 static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
104 {
106  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
107  ssize_t data_size;
108  size_t packet_len, in_buffer;
109  decode_fail_t reason;
110 
111  /*
112  * We may have read multiple packets in the previous read. In which case the buffer may already
113  * have packets remaining. In that case, we can return packets directly from the buffer, and
114  * skip the read().
115  */
116  if (*leftover >= RADIUS_HEADER_LENGTH) {
117  packet_len = fr_nbo_to_uint16(buffer + 2);
118 
119  if (packet_len <= *leftover) {
120  data_size = 0;
121  goto have_packet;
122  }
123 
124  /*
125  * Else we don't have a full packet, try to read more data from the network.
126  */
127  }
128 
129  /*
130  * Read data into the buffer.
131  */
132  data_size = read(thread->sockfd, buffer + *leftover, buffer_len - *leftover);
133  if (data_size < 0) {
134  switch (errno) {
135 #if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
136  case EWOULDBLOCK:
137 #endif
138  case EAGAIN:
139  /*
140  * We didn't read any data; leave the buffers alone.
141  *
142  * i.e. if we had a partial packet in the buffer and we didn't read any data,
143  * then the partial packet is still left in the buffer.
144  */
145  return 0;
146 
147  default:
148  break;
149  }
150 
151  PDEBUG2("proto_radius_tcp got read error (%zd) - %s", data_size, fr_syserror(errno));
152  return data_size;
153  }
154 
155  /*
156  * Note that we return ERROR for all bad packets, as
157  * there's no point in reading RADIUS packets from a TCP
158  * connection which isn't sending us RADIUS packets.
159  */
160 
161  /*
162  * TCP read of zero means the socket is dead.
163  */
164  if (!data_size) {
165  DEBUG2("proto_radius_tcp - other side closed the socket.");
166  return -1;
167  }
168 
169 have_packet:
170  /*
171  * We MUST always start with a known RADIUS packet.
172  */
173  if ((buffer[0] == 0) || (buffer[0] >= FR_RADIUS_CODE_MAX)) {
174  DEBUG("proto_radius_tcp got invalid packet code %d", buffer[0]);
175  thread->stats.total_unknown_types++;
176  return -1;
177  }
178 
179  in_buffer = data_size + *leftover;
180 
181  /*
182  * Not enough for one packet. Tell the caller that we need to read more.
183  */
184  if (in_buffer < RADIUS_HEADER_LENGTH) {
185  *leftover = in_buffer;
186  return 0;
187  }
188 
189  /*
190  * Figure out how large the RADIUS packet is.
191  */
192  packet_len = fr_nbo_to_uint16(buffer + 2);
193 
194  /*
195  * We don't have a complete RADIUS packet. Tell the
196  * caller that we need to read more.
197  */
198  if (in_buffer < packet_len) {
199  *leftover = in_buffer;
200  return 0;
201  }
202 
203  /*
204  * We've read at least one packet. Tell the caller that
205  * there's more data available, and return only one packet.
206  */
207  *leftover = in_buffer - packet_len;
208 
209  /*
210  * If it's not a RADIUS packet, ignore it.
211  */
212  if (!fr_radius_ok(buffer, &packet_len, inst->max_attributes, false, &reason)) {
213  /*
214  * @todo - check for F5 load balancer packets. <sigh>
215  */
216  DEBUG2("proto_radius_tcp got a packet which isn't RADIUS");
218  return -1;
219  }
220 
221  *recv_time_p = fr_time();
222  thread->stats.total_requests++;
223 
224  /*
225  * proto_radius sets the priority
226  */
227 
228  /*
229  * Print out what we received.
230  */
231  DEBUG2("proto_radius_tcp - Received %s ID %d length %d %s",
233  (int) packet_len, thread->name);
234 
235  return packet_len;
236 }
237 
238 
239 static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time,
240  uint8_t *buffer, size_t buffer_len, size_t written)
241 {
242  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
243  fr_io_track_t *track = talloc_get_type_abort(packet_ctx, fr_io_track_t);
244  ssize_t data_size;
245 
246  /*
247  * @todo - share a stats interface with the parent? or
248  * put the stats in the listener, so that proto_radius
249  * can update them, too.. <sigh>
250  */
251  if (!written) thread->stats.total_responses++;
252 
253  /*
254  * This handles the race condition where we get a DUP,
255  * but the original packet replies before we're run.
256  * i.e. this packet isn't marked DUP, so we have to
257  * discover it's a dup later...
258  *
259  * As such, if there's already a reply, then we ignore
260  * the encoded reply (which is probably going to be a
261  * NAK), and instead just ignore the DUP and don't reply.
262  */
263  if (track->reply_len) {
264  return buffer_len;
265  }
266 
267  /*
268  * We only write RADIUS packets.
269  */
270  fr_assert(buffer_len >= 20);
271  fr_assert(written < buffer_len);
272 
273  /*
274  * Only write replies if they're RADIUS packets.
275  * sometimes we want to NOT send a reply...
276  */
277  data_size = write(thread->sockfd, buffer + written, buffer_len - written);
278 
279  /*
280  * This socket is dead. That's an error...
281  */
282  if (data_size <= 0) return data_size;
283 
284 #if 0
285  /*
286  * If we're not tracking duplicates, then track->packet is NULL.
287  *
288  * There's no reason to fix this now, as all of this will
289  * be rewritten when the bio stuff works. Since this
290  * code doesn't do anything anyways, it's best to just
291  * comment it out.
292  */
293 
294  /*
295  * Root through the reply to determine any
296  * connection-level negotiation data, but only the first
297  * time the packet is being written.
298  */
299  if ((written == 0) && (track->packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) {
300 // status_check_reply(inst, buffer, buffer_len);
301  }
302 #endif
303 
304  /*
305  * Add in previously written data to the response.
306  */
307  return data_size + written;
308 }
309 
310 
311 static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
312 {
313  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
314 
315  thread->connection = connection;
316  return 0;
317 }
318 
319 
320 static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
321 {
322  proto_radius_tcp_t *inst = talloc_get_type_abort(instance, proto_radius_tcp_t);
323 
324  *ipproto = IPPROTO_TCP;
325  *dynamic_clients = inst->dynamic_clients;
326  *trie = inst->trie;
327 }
328 
329 
330 /** Open a TCP listener for RADIUS
331  *
332  */
333 static int mod_open(fr_listen_t *li)
334 {
336  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
337 
338  int sockfd;
339  fr_ipaddr_t ipaddr = inst->ipaddr;
340  uint16_t port = inst->port;
341 
342  fr_assert(!thread->connection);
343 
344  li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
345  if (sockfd < 0) {
346  PERROR("Failed opening TCP socket");
347  error:
348  return -1;
349  }
350 
351  (void) fr_nonblock(sockfd);
352 
353  if (fr_socket_bind(sockfd, inst->interface, &ipaddr, &port) < 0) {
354  close(sockfd);
355  PERROR("Failed binding socket");
356  goto error;
357  }
358 
359  if (listen(sockfd, 8) < 0) {
360  close(sockfd);
361  PERROR("Failed listening on socket");
362  goto error;
363  }
364 
365  thread->sockfd = sockfd;
366 
367  fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
368 
369  thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
370  NULL, 0,
371  &inst->ipaddr, inst->port,
372  inst->interface);
373 
374  return 0;
375 }
376 
377 
378 /** Set the file descriptor for this socket.
379  */
380 static int mod_fd_set(fr_listen_t *li, int fd)
381 {
383  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
384 
385  thread->sockfd = fd;
386 
387  thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
388  &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
389  &inst->ipaddr, inst->port,
390  inst->interface);
391 
392  return 0;
393 }
394 
395 static int mod_track_compare(void const *instance, UNUSED void *thread_instance, UNUSED fr_client_t *client,
396  void const *one, void const *two)
397 {
398  int ret;
400 
401  uint8_t const *a = one;
402  uint8_t const *b = two;
403 
404  /*
405  * Do a better job of deduping input packet.
406  */
407  if (inst->dedup_authenticator) {
408  ret = memcmp(a + 4, b + 4, RADIUS_AUTH_VECTOR_LENGTH);
409  if (ret != 0) return ret;
410  }
411 
412  /*
413  * The tree is ordered by IDs, which are (hopefully)
414  * pseudo-randomly distributed.
415  */
416  ret = (a[1] < b[1]) - (a[1] > b[1]);
417  if (ret != 0) return ret;
418 
419  /*
420  * Then ordered by code, which is usually the same.
421  */
422  return (a[0] < b[0]) - (a[0] > b[0]);
423 }
424 
425 
426 static char const *mod_name(fr_listen_t *li)
427 {
428  proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
429 
430  return thread->name;
431 }
432 
433 static int mod_instantiate(module_inst_ctx_t const *mctx)
434 {
435  proto_radius_tcp_t *inst = talloc_get_type_abort(mctx->mi->data, proto_radius_tcp_t);
436  CONF_SECTION *conf = mctx->mi->conf;
437  size_t i, num;
438  CONF_ITEM *ci;
439  CONF_SECTION *server_cs;
440 
441  inst->cs = conf;
442 
443  /*
444  * Complain if no "ipaddr" is set.
445  */
446  if (inst->ipaddr.af == AF_UNSPEC) {
447  cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
448  return -1;
449  }
450 
451  if (inst->recv_buff_is_set) {
452  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
453  FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
454  }
455 
456  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
457  FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
458 
459  if (!inst->port) {
460  struct servent *s;
461 
462  if (!inst->port_name) {
463  cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
464  return -1;
465  }
466 
467  s = getservbyname(inst->port_name, "tcp");
468  if (!s) {
469  cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
470  return -1;
471  }
472 
473  inst->port = ntohl(s->s_port);
474  }
475 
476  /*
477  * Parse and create the trie for dynamic clients, even if
478  * there's no dynamic clients.
479  *
480  * @todo - we could use this for source IP filtering?
481  * e.g. allow clients from a /16, but not from a /24
482  * within that /16.
483  */
484  num = talloc_array_length(inst->allow);
485  if (!num) {
486  if (inst->dynamic_clients) {
487  cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
488  return -1;
489  }
490  } else {
491  MEM(inst->trie = fr_trie_alloc(inst, NULL, NULL));
492 
493  for (i = 0; i < num; i++) {
494  fr_ipaddr_t *network;
495 
496  /*
497  * Can't add v4 networks to a v6 socket, or vice versa.
498  */
499  if (inst->allow[i].af != inst->ipaddr.af) {
500  cf_log_err(conf, "Address family in entry %zd - 'allow = %pV' does not match 'ipaddr'",
501  i + 1, fr_box_ipaddr(inst->allow[i]));
502  return -1;
503  }
504 
505  /*
506  * Duplicates are bad.
507  */
508  network = fr_trie_match_by_key(inst->trie,
509  &inst->allow[i].addr, inst->allow[i].prefix);
510  if (network) {
511  cf_log_err(conf, "Cannot add duplicate entry 'allow = %pV'",
512  fr_box_ipaddr(inst->allow[i]));
513  return -1;
514  }
515 
516  /*
517  * Look for overlapping entries.
518  * i.e. the networks MUST be disjoint.
519  *
520  * Note that this catches 192.168.1/24
521  * followed by 192.168/16, but NOT the
522  * other way around. The best fix is
523  * likely to add a flag to
524  * fr_trie_alloc() saying "we can only
525  * have terminal fr_trie_user_t nodes"
526  */
527  network = fr_trie_lookup_by_key(inst->trie,
528  &inst->allow[i].addr, inst->allow[i].prefix);
529  if (network && (network->prefix <= inst->allow[i].prefix)) {
530  cf_log_err(conf, "Cannot add overlapping entry 'allow = %pV'",
531  fr_box_ipaddr(inst->allow[i]));
532  cf_log_err(conf, "Entry is completely enclosed inside of a previously defined network");
533  return -1;
534  }
535 
536  /*
537  * Insert the network into the trie.
538  * Lookups will return the fr_ipaddr_t of
539  * the network.
540  */
541  if (fr_trie_insert_by_key(inst->trie,
542  &inst->allow[i].addr, inst->allow[i].prefix,
543  &inst->allow[i]) < 0) {
544  cf_log_err(conf, "Failed adding 'allow = %pV' to tracking table",
545  fr_box_ipaddr(inst->allow[i]));
546  return -1;
547  }
548  }
549 
550  /*
551  * And now check denied networks.
552  */
553  num = talloc_array_length(inst->deny);
554  if (!num) return 0;
555 
556  /*
557  * Since the default is to deny, you can only add
558  * a "deny" inside of a previous "allow".
559  */
560  for (i = 0; i < num; i++) {
561  fr_ipaddr_t *network;
562 
563  /*
564  * Can't add v4 networks to a v6 socket, or vice versa.
565  */
566  if (inst->deny[i].af != inst->ipaddr.af) {
567  cf_log_err(conf, "Address family in entry %zd - 'deny = %pV' does not match 'ipaddr'",
568  i + 1, fr_box_ipaddr(inst->deny[i]));
569  return -1;
570  }
571 
572  /*
573  * Duplicates are bad.
574  */
575  network = fr_trie_match_by_key(inst->trie,
576  &inst->deny[i].addr, inst->deny[i].prefix);
577  if (network) {
578  cf_log_err(conf, "Cannot add duplicate entry 'deny = %pV'", fr_box_ipaddr(inst->deny[i]));
579  return -1;
580  }
581 
582  /*
583  * A "deny" can only be within a previous "allow".
584  */
585  network = fr_trie_lookup_by_key(inst->trie,
586  &inst->deny[i].addr, inst->deny[i].prefix);
587  if (!network) {
588  cf_log_err(conf, "The network in entry %zd - 'deny = %pV' is not contained "
589  "within a previous 'allow'", i + 1, fr_box_ipaddr(inst->deny[i]));
590  return -1;
591  }
592 
593  /*
594  * We hack the AF in "deny" rules. If
595  * the lookup gets AF_UNSPEC, then we're
596  * adding a "deny" inside of a "deny".
597  */
598  if (network->af != inst->ipaddr.af) {
599  cf_log_err(conf, "The network in entry %zd - 'deny = %pV' overlaps with "
600  "another 'deny' rule", i + 1, fr_box_ipaddr(inst->deny[i]));
601  return -1;
602  }
603 
604  /*
605  * Insert the network into the trie.
606  * Lookups will return the fr_ipaddr_t of
607  * the network.
608  */
609  if (fr_trie_insert_by_key(inst->trie,
610  &inst->deny[i].addr, inst->deny[i].prefix,
611  &inst->deny[i]) < 0) {
612  cf_log_err(conf, "Failed adding 'deny = %pV' to tracking table",
613  fr_box_ipaddr(inst->deny[i]));
614  return -1;
615  }
616 
617  /*
618  * Hack it to make it a deny rule.
619  */
620  inst->deny[i].af = AF_UNSPEC;
621  }
622  }
623 
624  ci = cf_section_to_item(mctx->mi->parent->conf); /* listen { ... } */
625  fr_assert(ci != NULL);
626  ci = cf_parent(ci);
627  fr_assert(ci != NULL);
628 
629  server_cs = cf_item_to_section(ci);
630 
631  /*
632  * Look up local clients, if they exist.
633  */
634  if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
635  inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
636  if (!inst->clients) {
637  cf_log_err(conf, "Failed creating local clients");
638  return -1;
639  }
640  }
641 
642  return 0;
643 }
644 
646 {
648 
649  /*
650  * Prefer local clients.
651  */
652  if (inst->clients) {
653  fr_client_t *client;
654 
655  client = client_find(inst->clients, ipaddr, ipproto);
656  if (client) return client;
657  }
658 
659  return client_find(NULL, ipaddr, ipproto);
660 }
661 
663  .common = {
664  .magic = MODULE_MAGIC_INIT,
665  .name = "radius_tcp",
666  .config = tcp_listen_config,
667  .inst_size = sizeof(proto_radius_tcp_t),
668  .thread_inst_size = sizeof(proto_radius_tcp_thread_t),
669  .instantiate = mod_instantiate,
670  },
671  .default_message_size = 4096,
672 
673  .open = mod_open,
674  .read = mod_read,
675  .write = mod_write,
676  .fd_set = mod_fd_set,
677  .track_compare = mod_track_compare,
678  .connection_set = mod_connection_set,
679  .network_get = mod_network_get,
680  .client_find = mod_client_find,
681  .get_name = mod_name,
682 };
static int const char char buffer[256]
Definition: acutest.h:574
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
Definition: app_io.c:32
module_t common
Common fields to all loadable modules.
Definition: app_io.h:34
Public structure describing an I/O path for a protocol.
Definition: app_io.h:33
#define STRINGIFY(x)
Definition: build.h:195
#define UNUSED
Definition: build.h:313
#define CONF_PARSER_TERMINATOR
Definition: cf_parse.h:627
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition: cf_parse.h:487
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:268
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition: cf_parse.h:310
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition: cf_parse.h:282
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition: cf_parse.h:419
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition: cf_parse.h:399
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition: cf_parse.h:241
Defines a CONF_PAIR to C data type mapping.
Definition: cf_parse.h:564
Common header for all CONF_* types.
Definition: cf_priv.h:49
A section grouping multiple CONF_PAIR.
Definition: cf_priv.h:101
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition: cf_util.c:738
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition: cf_util.c:684
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition: cf_util.c:1049
#define cf_log_err(_cf, _fmt,...)
Definition: cf_util.h:289
#define cf_parent(_cf)
Definition: cf_util.h:101
#define CF_IDENT_ANY
Definition: cf_util.h:78
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition: defs.h:53
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition: defs.h:44
static int sockfd
Definition: dhcpclient.c:56
#define DEBUG(fmt,...)
Definition: dhcpclient.c:39
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition: dl_module.h:63
uint8_t prefix
Prefix length - Between 0-32 for IPv4 and 0-128 for IPv6.
Definition: inet.h:69
int af
Address family.
Definition: inet.h:64
IPv4/6 prefix.
Definition: merged_model.c:272
fr_socket_t socket
src/dst ip and port.
Definition: base.h:336
void const * app_io_instance
I/O path configuration context.
Definition: listen.h:32
void * thread_instance
thread / socket context
Definition: listen.h:33
int fd
file descriptor for this socket - set by open
Definition: listen.h:28
Describes a host allowed to send packets to the server.
Definition: client.h:80
#define PERROR(_fmt,...)
Definition: log.h:228
#define PDEBUG2(_fmt,...)
Definition: log.h:272
uint8_t * packet
really a tracking structure, not a packet
Definition: master.h:56
size_t reply_len
length of reply, or 1 for "do not reply"
Definition: master.h:47
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
Definition: merged_model.c:259
unsigned short uint16_t
Definition: merged_model.c:31
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition: merged_model.c:86
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
Definition: merged_model.c:92
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition: merged_model.c:99
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
Definition: merged_model.c:88
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
Definition: merged_model.c:91
unsigned int uint32_t
Definition: merged_model.c:33
long int ssize_t
Definition: merged_model.c:24
unsigned char uint8_t
Definition: merged_model.c:30
int fr_nonblock(UNUSED int fd)
Definition: misc.c:293
module_instance_t * mi
Instance of the module being instantiated.
Definition: module_ctx.h:51
Temporary structure to hold arguments for instantiation calls.
Definition: module_ctx.h:50
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition: nbo.h:144
#define RADIUS_HEADER_LENGTH
Definition: net.h:80
#define RADIUS_AUTH_VECTOR_LENGTH
Definition: net.h:89
fr_app_io_t proto_radius_tcp
fr_client_list_t * clients
local clients
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
char const * interface
Interface to bind to.
fr_io_address_t * connection
for connected sockets.
fr_ipaddr_t * allow
allowed networks for dynamic clients
uint16_t port
Port to listen on.
fr_trie_t * trie
for parsed networks
static int mod_open(fr_listen_t *li)
Open a TCP listener for RADIUS.
bool dynamic_clients
whether we have dynamic clients
static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
uint32_t max_packet_size
for message ring buffer.
fr_ipaddr_t * deny
denied networks for dynamic clients
static char const * mod_name(fr_listen_t *li)
static const conf_parser_t networks_config[]
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
char const * port_name
Name of the port for getservent().
static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
fr_ipaddr_t ipaddr
IP address to listen on.
char const * name
socket name
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
uint32_t max_attributes
Limit maximum decodable attributes.
bool dedup_authenticator
dedup using the request authenticator
fr_stats_t stats
statistics for this socket
uint32_t recv_buff
How big the kernel's receive buffer should be.
bool recv_buff_is_set
Whether we were provided with a recv_buff.
CONF_SECTION * cs
our configuration
static int mod_instantiate(module_inst_ctx_t const *mctx)
static const conf_parser_t tcp_listen_config[]
static int mod_track_compare(void const *instance, UNUSED void *thread_instance, UNUSED fr_client_t *client, void const *one, void const *two)
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition: base.c:112
static int ipproto
Definition: radclient-ng.c:92
#define DEBUG2(fmt,...)
Definition: radclient.h:43
#define RADIUS_MAX_ATTRIBUTES
Definition: radius.h:40
static rs_t * conf
Definition: radsniff.c:53
CONF_SECTION * conf
Module's instance configuration.
Definition: module.h:329
void * data
Module's instance data.
Definition: module.h:271
module_instance_t const * parent
Parent module's instance (if any).
Definition: module.h:337
fr_uint_t total_responses
Definition: stats.h:45
fr_uint_t total_unknown_types
Definition: stats.h:53
fr_uint_t total_malformed_requests
Definition: stats.h:49
fr_uint_t total_requests
Definition: stats.h:42
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
Definition: socket.c:969
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition: socket.c:229
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
Definition: client.c:378
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition: client.c:478
Group of clients.
Definition: client.c:55
fr_assert(0)
MEM(pair_append_request(&vp, attr_eap_aka_sim_identity) >=0)
eap_aka_sim_process_conf_t * inst
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition: state_test.c:8
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition: syserror.c:243
#define talloc_get_type_abort_const
Definition: talloc.h:282
"server local" time.
Definition: time.h:69
fr_trie_t * fr_trie_alloc(TALLOC_CTX *ctx, fr_trie_key_t get_key, fr_free_t free_data)
Allocate a trie.
Definition: trie.c:741
void * fr_trie_match_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Match a key and length in a trie and return user ctx, if any.
Definition: trie.c:1286
int fr_trie_insert_by_key(fr_trie_t *ft, void const *key, size_t keylen, void const *data)
Insert a key and user ctx into a trie.
Definition: trie.c:1875
void * fr_trie_lookup_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Lookup a key in a trie and return user ctx, if any.
Definition: trie.c:1262
close(uq->fd)
#define fr_box_ipaddr(_val)
Definition: value.h:294