The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
Loading...
Searching...
No Matches
proto_radius_tcp.c
Go to the documentation of this file.
1/*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License as published by
4 * the Free Software Foundation; either version 2 of the License, or
5 * (at your option) any later version.
6 *
7 * This program is distributed in the hope that it will be useful,
8 * but WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
10 * GNU General Public License for more details.
11 *
12 * You should have received a copy of the GNU General Public License
13 * along with this program; if not, write to the Free Software
14 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
15 */
16
17/**
18 * $Id: c6abd459589ba6acdccaf4d1c038d07b1e8a972a $
19 * @file proto_radius_tcp.c
20 * @brief RADIUS handler for TCP.
21 *
22 * @copyright 2016 The FreeRADIUS server project.
23 * @copyright 2016 Alan DeKok (aland@deployingradius.com)
24 */
25#include <netdb.h>
26#include <freeradius-devel/server/protocol.h>
27#include <freeradius-devel/radius/tcp.h>
28#include <freeradius-devel/util/trie.h>
29#include <freeradius-devel/radius/radius.h>
30#include <freeradius-devel/io/application.h>
31#include <freeradius-devel/io/listen.h>
32#include <freeradius-devel/io/schedule.h>
33#include "proto_radius.h"
34
35extern fr_app_io_t proto_radius_tcp;
36
37typedef struct proto_radius_io_thread_s proto_radius_tcp_thread_t;
38
39typedef struct {
40 CONF_SECTION *cs; //!< our configuration
41
42 fr_ipaddr_t ipaddr; //!< IP address to listen on.
43
44 char const *interface; //!< Interface to bind to.
45 char const *port_name; //!< Name of the port for getservent().
46
47 uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
48
49 uint32_t max_packet_size; //!< for message ring buffer.
50 uint32_t max_attributes; //!< Limit maximum decodable attributes.
51
52 uint16_t port; //!< Port to listen on.
53
54 bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
55 bool dynamic_clients; //!< whether we have dynamic clients
56
57 fr_client_list_t *clients; //!< local clients
58
59 fr_trie_t *trie; //!< for parsed networks
60 fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
61 fr_ipaddr_t *deny; //!< denied networks for dynamic clients
62
63 bool read_hexdump; //!< Do we debug hexdump read packets.
64 bool write_hexdump; //!< Do we debug hexdump write packets.
65} proto_radius_tcp_t;
66
67
74
75
76static const conf_parser_t tcp_listen_config[] = {
77 { FR_CONF_OFFSET_TYPE_FLAGS("ipaddr", FR_TYPE_COMBO_IP_ADDR, 0, proto_radius_tcp_t, ipaddr) },
78 { FR_CONF_OFFSET_TYPE_FLAGS("ipv4addr", FR_TYPE_IPV4_ADDR, 0, proto_radius_tcp_t, ipaddr) },
79 { FR_CONF_OFFSET_TYPE_FLAGS("ipv6addr", FR_TYPE_IPV6_ADDR, 0, proto_radius_tcp_t, ipaddr) },
80
81 { FR_CONF_OFFSET("interface", proto_radius_tcp_t, interface) },
82 { FR_CONF_OFFSET("port_name", proto_radius_tcp_t, port_name) },
83
84 { FR_CONF_OFFSET("port", proto_radius_tcp_t, port) },
85 { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, 0, proto_radius_tcp_t, recv_buff) },
86
87 { FR_CONF_OFFSET("dynamic_clients", proto_radius_tcp_t, dynamic_clients) } ,
88 { FR_CONF_POINTER("networks", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) networks_config },
89
90 { FR_CONF_OFFSET("max_packet_size", proto_radius_tcp_t, max_packet_size), .dflt = "4096" } ,
91 { FR_CONF_OFFSET("max_attributes", proto_radius_tcp_t, max_attributes), .dflt = STRINGIFY(RADIUS_MAX_ATTRIBUTES) } ,
92
93 { FR_CONF_OFFSET("read_hexdump", proto_radius_tcp_t, read_hexdump) },
94 { FR_CONF_OFFSET("write_hexdump", proto_radius_tcp_t, write_hexdump) },
95
96 CONF_PARSER_TERMINATOR
97};
98
99
100static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
101{
102 proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
103 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
104 ssize_t data_size;
105 size_t packet_len, in_buffer;
106 fr_radius_decode_fail_t reason;
107
108 /*
109 * We may have read multiple packets in the previous read. In which case the buffer may already
110 * have packets remaining. In that case, we can return packets directly from the buffer, and
111 * skip the read().
112 */
113 if (*leftover >= RADIUS_HEADER_LENGTH) {
114 packet_len = fr_nbo_to_uint16(buffer + 2);
115
116 if (packet_len <= *leftover) {
117 data_size = 0;
118 goto have_packet;
119 }
120
121 /*
122 * Else we don't have a full packet, try to read more data from the network.
123 */
124 }
125
126 /*
127 * Read data into the buffer.
128 */
129 data_size = read(thread->sockfd, buffer + *leftover, buffer_len - *leftover);
130 if (data_size < 0) {
131 switch (errno) {
132#if defined(EWOULDBLOCK) && (EWOULDBLOCK != EAGAIN)
133 case EWOULDBLOCK:
134#endif
135 case EAGAIN:
136 /*
137 * We didn't read any data; leave the buffers alone.
138 *
139 * i.e. if we had a partial packet in the buffer and we didn't read any data,
140 * then the partial packet is still left in the buffer.
141 */
142 return 0;
143
144 default:
145 break;
146 }
147
148 proto_radius_log(li, FR_RADIUS_FAIL_IO_ERROR, NULL,
149 "%s", fr_strerror());
150 return data_size;
151 }
152
153 /*
154 * Note that we return ERROR for all bad packets, as
155 * there's no point in reading RADIUS packets from a TCP
156 * connection which isn't sending us RADIUS packets.
157 */
158
159 /*
160 * TCP read of zero means the socket is dead.
161 */
162 if (!data_size) {
163 proto_radius_log(li, FR_RADIUS_FAIL_IO_ERROR, NULL,
164 "Client closed the connection");
165 return -1;
166 }
167
168have_packet:
169 /*
170 * We MUST always start with a known RADIUS packet.
171 */
172 if ((buffer[0] == 0) || (buffer[0] >= FR_RADIUS_CODE_MAX)) {
173 proto_radius_log(li, FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE, NULL,
174 "Received packet code %u", buffer[0]);
175 thread->stats.total_unknown_types++;
176 return -1;
177 }
178
179 in_buffer = data_size + *leftover;
180
181 /*
182 * Not enough for one packet. Tell the caller that we need to read more.
183 */
184 if (in_buffer < RADIUS_HEADER_LENGTH) {
185 *leftover = in_buffer;
186 return 0;
187 }
188
189 /*
190 * Figure out how large the RADIUS packet is.
191 */
192 packet_len = fr_nbo_to_uint16(buffer + 2);
193
194 /*
195 * We don't have a complete RADIUS packet. Tell the
196 * caller that we need to read more.
197 */
198 if (in_buffer < packet_len) {
199 *leftover = in_buffer;
200 return 0;
201 }
202
203 /*
204 * We've read at least one packet. Tell the caller that
205 * there's more data available, and return only one packet.
206 */
207 *leftover = in_buffer - packet_len;
208
209 /*
210 * If it's not a RADIUS packet, ignore it.
211 */
212 if (!fr_radius_ok(buffer, &packet_len, inst->max_attributes, false, &reason)) {
213 proto_radius_log(li, reason, NULL, "Received invalid packet");
214 thread->stats.total_malformed_requests++;
215 return -1;
216 }
217
218 *recv_time_p = fr_time();
219 thread->stats.total_requests++;
220
221 /*
222 * proto_radius sets the priority
223 */
224
225 /*
226 * Print out what we received.
227 */
228 DEBUG2("proto_radius_tcp - Received %s ID %d length %d %s",
229 fr_radius_packet_name[buffer[0]], buffer[1],
230 (int) packet_len, thread->name);
231
232 return packet_len;
233}
234
235
236static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time,
237 uint8_t *buffer, size_t buffer_len, size_t written)
238{
239 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
240 fr_io_track_t *track = talloc_get_type_abort(packet_ctx, fr_io_track_t);
241 ssize_t data_size;
242
243 /*
244 * @todo - share a stats interface with the parent? or
245 * put the stats in the listener, so that proto_radius
246 * can update them, too.. <sigh>
247 */
248 if (!written) thread->stats.total_responses++;
249
250 /*
251 * This handles the race condition where we get a DUP,
252 * but the original packet replies before we're run.
253 * i.e. this packet isn't marked DUP, so we have to
254 * discover it's a dup later...
255 *
256 * As such, if there's already a reply, then we ignore
257 * the encoded reply (which is probably going to be a
258 * NAK), and instead just ignore the DUP and don't reply.
259 */
260 if (track->reply_len) {
261 return buffer_len;
262 }
263
264 /*
265 * We only write RADIUS packets.
266 */
267 fr_assert(buffer_len >= 20);
268 fr_assert(written < buffer_len);
269
270 /*
271 * Only write replies if they're RADIUS packets.
272 * sometimes we want to NOT send a reply...
273 */
274 data_size = write(thread->sockfd, buffer + written, buffer_len - written);
275
276 /*
277 * This socket is dead. That's an error...
278 */
279 if (data_size <= 0) return data_size;
280
281#if 0
282 /*
283 * If we're not tracking duplicates, then track->packet is NULL.
284 *
285 * There's no reason to fix this now, as all of this will
286 * be rewritten when the bio stuff works. Since this
287 * code doesn't do anything anyways, it's best to just
288 * comment it out.
289 */
290
291 /*
292 * Root through the reply to determine any
293 * connection-level negotiation data, but only the first
294 * time the packet is being written.
295 */
296 if ((written == 0) && (track->packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) {
297// status_check_reply(inst, buffer, buffer_len);
298 }
299#endif
300
301 /*
302 * Add in previously written data to the response.
303 */
304 return data_size + written;
305}
306
307
308static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
309{
310 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
311
312 thread->connection = connection;
313 return 0;
314}
315
316
317static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
318{
319 proto_radius_tcp_t *inst = talloc_get_type_abort(instance, proto_radius_tcp_t);
320
321 *ipproto = IPPROTO_TCP;
322 *dynamic_clients = inst->dynamic_clients;
323 *trie = inst->trie;
324}
325
326
327/** Open a TCP listener for RADIUS
328 *
329 */
330static int mod_open(fr_listen_t *li)
331{
332 proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
333 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
334
335 int sockfd;
336 fr_ipaddr_t ipaddr = inst->ipaddr;
337 uint16_t port = inst->port;
338
339 fr_assert(!thread->connection);
340
341 li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
342 if (sockfd < 0) {
343 cf_log_err(li->cs, "Failed opening TCP socket - %s", fr_strerror());
344 error:
345 return -1;
346 }
347
348 (void) fr_nonblock(sockfd);
349
350 if (fr_socket_bind(sockfd, inst->interface, &ipaddr, &port) < 0) {
351 close(sockfd);
352 cf_log_err(li->cs, "Failed binding to socket - %s", fr_strerror());
353 cf_log_err(li->cs, DOC_ROOT_REF(troubleshooting/network/bind));
354 goto error;
355 }
356
357 if (listen(sockfd, 8) < 0) {
358 close(sockfd);
359 cf_log_err(li->cs, "Failed listening on socket - %s", fr_syserror(errno));
360 goto error;
361 }
362
363 thread->sockfd = sockfd;
364
365 fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
366
367 thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
368 NULL, 0,
369 &inst->ipaddr, inst->port,
370 inst->interface);
371
372 return 0;
373}
374
375
376/** Set the file descriptor for this socket.
377 */
378static int mod_fd_set(fr_listen_t *li, int fd)
379{
380 proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
381 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
382
383 thread->sockfd = fd;
384
385 thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
386 &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
387 &inst->ipaddr, inst->port,
388 inst->interface);
389
390 return 0;
391}
392
393static int mod_track_compare(UNUSED void const *instance, UNUSED void *thread_instance, UNUSED fr_client_t *client,
394 void const *one, void const *two)
395{
396 int ret;
397 uint8_t const *a = one;
398 uint8_t const *b = two;
399
400 /*
401 * The tree is ordered by IDs, which are (hopefully)
402 * pseudo-randomly distributed.
403 */
404 ret = (a[1] < b[1]) - (a[1] > b[1]);
405 if (ret != 0) return ret;
406
407 /*
408 * Then ordered by code, which is usually the same.
409 */
410 return (a[0] < b[0]) - (a[0] > b[0]);
411}
412
413
414static char const *mod_name(fr_listen_t *li)
415{
416 proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
417
418 return thread->name;
419}
420
421static void mod_hexdump_set(fr_listen_t *li, void *data)
422{
423 proto_radius_tcp_t *inst = talloc_get_type_abort(data, proto_radius_tcp_t);
424 li->read_hexdump = inst->read_hexdump;
425 li->write_hexdump = inst->write_hexdump;
426}
427
428static int mod_instantiate(module_inst_ctx_t const *mctx)
429{
430 proto_radius_tcp_t *inst = talloc_get_type_abort(mctx->mi->data, proto_radius_tcp_t);
431 CONF_SECTION *conf = mctx->mi->conf;
432 size_t i, num;
433 CONF_ITEM *ci;
434 CONF_SECTION *server_cs;
435
436 inst->cs = conf;
437
438 /*
439 * Complain if no "ipaddr" is set.
440 */
441 if (inst->ipaddr.af == AF_UNSPEC) {
442 cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
443 return -1;
444 }
445
446 if (inst->recv_buff_is_set) {
447 FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
448 FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
449 }
450
451 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
452 FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
453
454 if (!inst->port) {
455 struct servent *s;
456
457 if (!inst->port_name) {
458 cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
459 return -1;
460 }
461
462 s = getservbyname(inst->port_name, "tcp");
463 if (!s) {
464 cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
465 return -1;
466 }
467
468 inst->port = ntohl(s->s_port);
469 }
470
471 /*
472 * Parse and create the trie for dynamic clients, even if
473 * there's no dynamic clients.
474 *
475 * @todo - we could use this for source IP filtering?
476 * e.g. allow clients from a /16, but not from a /24
477 * within that /16.
478 */
479 num = talloc_array_length(inst->allow);
480 if (!num) {
481 if (inst->dynamic_clients) {
482 cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
483 return -1;
484 }
485 } else {
486 MEM(inst->trie = fr_trie_alloc(inst, NULL, NULL));
487
488 for (i = 0; i < num; i++) {
489 fr_ipaddr_t *network;
490
491 /*
492 * Can't add v4 networks to a v6 socket, or vice versa.
493 */
494 if (inst->allow[i].af != inst->ipaddr.af) {
495 cf_log_err(conf, "Address family in entry %zd - 'allow = %pV' does not match 'ipaddr'",
496 i + 1, fr_box_ipaddr(inst->allow[i]));
497 return -1;
498 }
499
500 /*
501 * Duplicates are bad.
502 */
503 network = fr_trie_match_by_key(inst->trie,
504 &inst->allow[i].addr, inst->allow[i].prefix);
505 if (network) {
506 cf_log_err(conf, "Cannot add duplicate entry 'allow = %pV'",
507 fr_box_ipaddr(inst->allow[i]));
508 return -1;
509 }
510
511 /*
512 * Look for overlapping entries.
513 * i.e. the networks MUST be disjoint.
514 *
515 * Note that this catches 192.168.1/24
516 * followed by 192.168/16, but NOT the
517 * other way around. The best fix is
518 * likely to add a flag to
519 * fr_trie_alloc() saying "we can only
520 * have terminal fr_trie_user_t nodes"
521 */
522 network = fr_trie_lookup_by_key(inst->trie,
523 &inst->allow[i].addr, inst->allow[i].prefix);
524 if (network && (network->prefix <= inst->allow[i].prefix)) {
525 cf_log_err(conf, "Cannot add overlapping entry 'allow = %pV'",
526 fr_box_ipaddr(inst->allow[i]));
527 cf_log_err(conf, "Entry is completely enclosed inside of a previously defined network");
528 return -1;
529 }
530
531 /*
532 * Insert the network into the trie.
533 * Lookups will return the fr_ipaddr_t of
534 * the network.
535 */
536 if (fr_trie_insert_by_key(inst->trie,
537 &inst->allow[i].addr, inst->allow[i].prefix,
538 &inst->allow[i]) < 0) {
539 cf_log_err(conf, "Failed adding 'allow = %pV' to tracking table",
540 fr_box_ipaddr(inst->allow[i]));
541 return -1;
542 }
543 }
544
545 /*
546 * And now check denied networks.
547 */
548 num = talloc_array_length(inst->deny);
549 if (!num) return 0;
550
551 /*
552 * Since the default is to deny, you can only add
553 * a "deny" inside of a previous "allow".
554 */
555 for (i = 0; i < num; i++) {
556 fr_ipaddr_t *network;
557
558 /*
559 * Can't add v4 networks to a v6 socket, or vice versa.
560 */
561 if (inst->deny[i].af != inst->ipaddr.af) {
562 cf_log_err(conf, "Address family in entry %zd - 'deny = %pV' does not match 'ipaddr'",
563 i + 1, fr_box_ipaddr(inst->deny[i]));
564 return -1;
565 }
566
567 /*
568 * Duplicates are bad.
569 */
570 network = fr_trie_match_by_key(inst->trie,
571 &inst->deny[i].addr, inst->deny[i].prefix);
572 if (network) {
573 cf_log_err(conf, "Cannot add duplicate entry 'deny = %pV'", fr_box_ipaddr(inst->deny[i]));
574 return -1;
575 }
576
577 /*
578 * A "deny" can only be within a previous "allow".
579 */
580 network = fr_trie_lookup_by_key(inst->trie,
581 &inst->deny[i].addr, inst->deny[i].prefix);
582 if (!network) {
583 cf_log_err(conf, "The network in entry %zd - 'deny = %pV' is not contained "
584 "within a previous 'allow'", i + 1, fr_box_ipaddr(inst->deny[i]));
585 return -1;
586 }
587
588 /*
589 * We hack the AF in "deny" rules. If
590 * the lookup gets AF_UNSPEC, then we're
591 * adding a "deny" inside of a "deny".
592 */
593 if (network->af != inst->ipaddr.af) {
594 cf_log_err(conf, "The network in entry %zd - 'deny = %pV' overlaps with "
595 "another 'deny' rule", i + 1, fr_box_ipaddr(inst->deny[i]));
596 return -1;
597 }
598
599 /*
600 * Insert the network into the trie.
601 * Lookups will return the fr_ipaddr_t of
602 * the network.
603 */
604 if (fr_trie_insert_by_key(inst->trie,
605 &inst->deny[i].addr, inst->deny[i].prefix,
606 &inst->deny[i]) < 0) {
607 cf_log_err(conf, "Failed adding 'deny = %pV' to tracking table",
608 fr_box_ipaddr(inst->deny[i]));
609 return -1;
610 }
611
612 /*
613 * Hack it to make it a deny rule.
614 */
615 inst->deny[i].af = AF_UNSPEC;
616 }
617 }
618
619 ci = cf_section_to_item(mctx->mi->parent->conf); /* listen { ... } */
620 fr_assert(ci != NULL);
621 ci = cf_parent(ci);
622 fr_assert(ci != NULL);
623
624 server_cs = cf_item_to_section(ci);
625
626 /*
627 * Look up local clients, if they exist.
628 */
629 if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
630 inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
631 if (!inst->clients) {
632 cf_log_err(conf, "Failed creating local clients");
633 return -1;
634 }
635 }
636
637 return 0;
638}
639
640static fr_client_t *mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
641{
642 proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
643
644 /*
645 * Prefer local clients.
646 */
647 if (inst->clients) {
648 fr_client_t *client;
649
650 client = client_find(inst->clients, ipaddr, ipproto);
651 if (client) return client;
652 }
653
654 return client_find(NULL, ipaddr, ipproto);
655}
656
657fr_app_io_t proto_radius_tcp = {
658 .common = {
659 .magic = MODULE_MAGIC_INIT,
660 .name = "radius_tcp",
661 .config = tcp_listen_config,
662 .inst_size = sizeof(proto_radius_tcp_t),
663 .thread_inst_size = sizeof(proto_radius_tcp_thread_t),
664 .instantiate = mod_instantiate,
665 },
666 .default_message_size = 4096,
667
668 .open = mod_open,
669 .read = mod_read,
670 .write = mod_write,
671 .fd_set = mod_fd_set,
672 .track_compare = mod_track_compare,
673 .connection_set = mod_connection_set,
674 .network_get = mod_network_get,
675 .client_find = mod_client_find,
676 .get_name = mod_name,
677 .hexdump_set = mod_hexdump_set,
678};
buffer
static int const char char buffer[256]
Definition acutest.h:578
fr_app_io_socket_name
char const * fr_app_io_socket_name(TALLOC_CTX *ctx, fr_app_io_t const *app_io, fr_ipaddr_t const *src_ipaddr, int src_port, fr_ipaddr_t const *dst_ipaddr, int dst_port, char const *interface)
Definition app_io.c:32
fr_app_io_t::common
module_t common
Common fields to all loadable modules.
Definition app_io.h:34
fr_app_io_t
Public structure describing an I/O path for a protocol.
Definition app_io.h:33
STRINGIFY
#define STRINGIFY(x)
Definition build.h:197
UNUSED
#define UNUSED
Definition build.h:317
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:660
FR_INTEGER_BOUND_CHECK
#define FR_INTEGER_BOUND_CHECK(_name, _var, _op, _bound)
Definition cf_parse.h:520
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:283
FR_CONF_POINTER
#define FR_CONF_POINTER(_name, _type, _flags, _res_p)
conf_parser_t which parses a single CONF_PAIR producing a single global result
Definition cf_parse.h:337
FR_CONF_OFFSET_IS_SET
#define FR_CONF_OFFSET_IS_SET(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct,...
Definition cf_parse.h:297
CONF_FLAG_MULTI
@ CONF_FLAG_MULTI
CONF_PAIR can have multiple copies.
Definition cf_parse.h:449
CONF_FLAG_SUBSECTION
@ CONF_FLAG_SUBSECTION
Instead of putting the information into a configuration structure, the configuration file routines MA...
Definition cf_parse.h:426
FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:597
cf_item
Common header for all CONF_* types.
Definition cf_priv.h:49
cf_section
A section grouping multiple CONF_PAIR.
Definition cf_priv.h:101
cf_section_to_item
CONF_ITEM * cf_section_to_item(CONF_SECTION const *cs)
Cast a CONF_SECTION to a CONF_ITEM.
Definition cf_util.c:737
cf_item_to_section
CONF_SECTION * cf_item_to_section(CONF_ITEM const *ci)
Cast a CONF_ITEM to a CONF_SECTION.
Definition cf_util.c:683
cf_section_find_next
CONF_SECTION * cf_section_find_next(CONF_SECTION const *cs, CONF_SECTION const *prev, char const *name1, char const *name2)
Return the next matching section.
Definition cf_util.c:1048
cf_log_err
#define cf_log_err(_cf, _fmt,...)
Definition cf_util.h:288
cf_parent
#define cf_parent(_cf)
Definition cf_util.h:101
CF_IDENT_ANY
#define CF_IDENT_ANY
Definition cf_util.h:78
MEM
#define MEM(x)
Definition debug.h:36
FR_RADIUS_CODE_MAX
@ FR_RADIUS_CODE_MAX
Maximum possible protocol code.
Definition defs.h:53
FR_RADIUS_CODE_STATUS_SERVER
@ FR_RADIUS_CODE_STATUS_SERVER
RFC2865/RFC5997 - Status Server (request)
Definition defs.h:44
sockfd
static int sockfd
Definition dhcpclient.c:56
MODULE_MAGIC_INIT
#define MODULE_MAGIC_INIT
Stop people using different module/library/server versions together.
Definition dl_module.h:63
fr_ipaddr_t::prefix
uint8_t prefix
Prefix length - Between 0-32 for IPv4 and 0-128 for IPv6.
Definition inet.h:69
fr_ipaddr_t::af
int af
Address family.
Definition inet.h:64
fr_ipaddr_t
IPv4/6 prefix.
Definition merged_model.c:266
fr_io_address_t::socket
fr_socket_t socket
src/dst ip and port.
Definition base.h:336
fr_io_address_t
Definition base.h:335
fr_listen::read_hexdump
bool read_hexdump
Do we debug hexdump packets as they're read.
Definition listen.h:53
fr_listen::cs
CONF_SECTION * cs
of this listener
Definition listen.h:41
fr_listen::write_hexdump
bool write_hexdump
Do we debug hexdump packets as they're written.
Definition listen.h:54
fr_listen::app_io_instance
void const * app_io_instance
I/O path configuration context.
Definition listen.h:33
fr_listen::thread_instance
void * thread_instance
thread / socket context
Definition listen.h:34
fr_listen::fd
int fd
file descriptor for this socket - set by open
Definition listen.h:28
fr_listen
Definition listen.h:25
fr_client_s
Describes a host allowed to send packets to the server.
Definition client.h:80
fr_stats_t::total_responses
uint64_t total_responses
Definition stats.h:38
fr_stats_t::total_unknown_types
uint64_t total_unknown_types
Definition stats.h:46
fr_stats_t::total_requests
uint64_t total_requests
Definition stats.h:35
fr_stats_t::total_malformed_requests
uint64_t total_malformed_requests
Definition stats.h:42
fr_io_track_s::packet
uint8_t * packet
really a tracking structure, not a packet
Definition master.h:57
fr_io_track_s::reply_len
size_t reply_len
length of reply, or 1 for "do not reply"
Definition master.h:48
fr_io_track_s
Definition master.h:40
fr_radius_ok
bool fr_radius_ok(uint8_t const *packet, size_t *packet_len_p, uint32_t max_attributes, bool require_message_authenticator, decode_fail_t *reason)
Definition merged_model.c:253
uint16_t
unsigned short uint16_t
Definition merged_model.c:31
FR_TYPE_IPV4_ADDR
@ FR_TYPE_IPV4_ADDR
32 Bit IPv4 Address.
Definition merged_model.c:86
FR_TYPE_COMBO_IP_PREFIX
@ FR_TYPE_COMBO_IP_PREFIX
IPv4 or IPv6 address prefix depending on length.
Definition merged_model.c:92
FR_TYPE_UINT32
@ FR_TYPE_UINT32
32 Bit unsigned integer.
Definition merged_model.c:99
FR_TYPE_IPV6_ADDR
@ FR_TYPE_IPV6_ADDR
128 Bit IPv6 Address.
Definition merged_model.c:88
FR_TYPE_COMBO_IP_ADDR
@ FR_TYPE_COMBO_IP_ADDR
IPv4 or IPv6 address depending on length.
Definition merged_model.c:91
uint32_t
unsigned int uint32_t
Definition merged_model.c:33
ssize_t
long int ssize_t
Definition merged_model.c:24
uint8_t
unsigned char uint8_t
Definition merged_model.c:30
fr_nonblock
int fr_nonblock(UNUSED int fd)
Definition misc.c:294
module_inst_ctx_t::mi
module_instance_t * mi
Instance of the module being instantiated.
Definition module_ctx.h:51
module_inst_ctx_t
Temporary structure to hold arguments for instantiation calls.
Definition module_ctx.h:50
fr_nbo_to_uint16
static uint16_t fr_nbo_to_uint16(uint8_t const data[static sizeof(uint16_t)])
Read an unsigned 16bit integer from wire format (big endian)
Definition nbo.h:146
RADIUS_HEADER_LENGTH
#define RADIUS_HEADER_LENGTH
Definition net.h:80
proto_radius_log
void proto_radius_log(fr_listen_t const *li, fr_radius_decode_fail_t reason, fr_socket_t const *sock, char const *fmt,...)
Log a message in a canonical format.
Definition proto_radius.c:228
proto_radius.h
proto_radius_io_thread_s::sockfd
int sockfd
Definition proto_radius.h:51
proto_radius_io_thread_s::stats
fr_stats_t stats
statistics for this socket
Definition proto_radius.h:55
proto_radius_io_thread_s::name
char const * name
socket name
Definition proto_radius.h:50
proto_radius_io_thread_s::connection
fr_io_address_t * connection
for connected sockets.
Definition proto_radius.h:53
proto_radius_io_thread_s
Definition proto_radius.h:49
proto_radius_tcp
fr_app_io_t proto_radius_tcp
Definition proto_radius_tcp.c:657
proto_radius_tcp_t::clients
fr_client_list_t * clients
local clients
Definition proto_radius_tcp.c:57
mod_hexdump_set
static void mod_hexdump_set(fr_listen_t *li, void *data)
Definition proto_radius_tcp.c:421
proto_radius_tcp_t::interface
char const * interface
Interface to bind to.
Definition proto_radius_tcp.c:44
proto_radius_tcp_t::allow
fr_ipaddr_t * allow
allowed networks for dynamic clients
Definition proto_radius_tcp.c:60
proto_radius_tcp_t::port
uint16_t port
Port to listen on.
Definition proto_radius_tcp.c:52
proto_radius_tcp_t::trie
fr_trie_t * trie
for parsed networks
Definition proto_radius_tcp.c:59
proto_radius_tcp_t::write_hexdump
bool write_hexdump
Do we debug hexdump write packets.
Definition proto_radius_tcp.c:64
mod_client_find
static fr_client_t * mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
Definition proto_radius_tcp.c:640
mod_open
static int mod_open(fr_listen_t *li)
Open a TCP listener for RADIUS.
Definition proto_radius_tcp.c:330
proto_radius_tcp_t::dynamic_clients
bool dynamic_clients
whether we have dynamic clients
Definition proto_radius_tcp.c:55
mod_network_get
static void mod_network_get(int *ipproto, bool *dynamic_clients, fr_trie_t const **trie, void *instance)
Definition proto_radius_tcp.c:317
proto_radius_tcp_t::max_packet_size
uint32_t max_packet_size
for message ring buffer.
Definition proto_radius_tcp.c:49
proto_radius_tcp_t::deny
fr_ipaddr_t * deny
denied networks for dynamic clients
Definition proto_radius_tcp.c:61
networks_config
static const conf_parser_t networks_config[]
Definition proto_radius_tcp.c:68
mod_read
static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover)
Definition proto_radius_tcp.c:100
proto_radius_tcp_t::port_name
char const * port_name
Name of the port for getservent().
Definition proto_radius_tcp.c:45
mod_write
static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time, uint8_t *buffer, size_t buffer_len, size_t written)
Definition proto_radius_tcp.c:236
proto_radius_tcp_t::ipaddr
fr_ipaddr_t ipaddr
IP address to listen on.
Definition proto_radius_tcp.c:42
mod_track_compare
static int mod_track_compare(UNUSED void const *instance, UNUSED void *thread_instance, UNUSED fr_client_t *client, void const *one, void const *two)
Definition proto_radius_tcp.c:393
mod_connection_set
static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
Definition proto_radius_tcp.c:308
mod_fd_set
static int mod_fd_set(fr_listen_t *li, int fd)
Set the file descriptor for this socket.
Definition proto_radius_tcp.c:378
proto_radius_tcp_t::max_attributes
uint32_t max_attributes
Limit maximum decodable attributes.
Definition proto_radius_tcp.c:50
mod_name
static char const * mod_name(fr_listen_t *li)
Definition proto_radius_tcp.c:414
proto_radius_tcp_t::recv_buff
uint32_t recv_buff
How big the kernel's receive buffer should be.
Definition proto_radius_tcp.c:47
proto_radius_tcp_t::recv_buff_is_set
bool recv_buff_is_set
Whether we were provided with a recv_buff.
Definition proto_radius_tcp.c:54
proto_radius_tcp_t::cs
CONF_SECTION * cs
our configuration
Definition proto_radius_tcp.c:40
mod_instantiate
static int mod_instantiate(module_inst_ctx_t const *mctx)
Definition proto_radius_tcp.c:428
tcp_listen_config
static const conf_parser_t tcp_listen_config[]
Definition proto_radius_tcp.c:76
proto_radius_tcp_t::read_hexdump
bool read_hexdump
Do we debug hexdump read packets.
Definition proto_radius_tcp.c:63
proto_radius_tcp_t
Definition proto_radius_tcp.c:39
fr_radius_packet_name
char const * fr_radius_packet_name[FR_RADIUS_CODE_MAX]
Definition base.c:116
fr_assert
#define fr_assert(_expr)
Definition rad_assert.h:38
ipproto
static int ipproto
Definition radclient-ng.c:94
DEBUG2
#define DEBUG2(fmt,...)
Definition radclient.h:43
fr_radius_decode_fail_t
fr_radius_decode_fail_t
Failure reasons.
Definition radius.h:90
FR_RADIUS_FAIL_IO_ERROR
@ FR_RADIUS_FAIL_IO_ERROR
Definition radius.h:115
FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE
@ FR_RADIUS_FAIL_UNKNOWN_PACKET_CODE
Definition radius.h:96
RADIUS_MAX_ATTRIBUTES
#define RADIUS_MAX_ATTRIBUTES
Definition radius.h:40
conf
static rs_t * conf
Definition radsniff.c:53
module_instance_s::conf
CONF_SECTION * conf
Module's instance configuration.
Definition module.h:349
module_instance_s::data
void * data
Module's instance data.
Definition module.h:291
module_instance_s::parent
module_instance_t const * parent
Parent module's instance (if any).
Definition module.h:357
module_s::config
conf_parser_t const * config
How to convert a CONF_SECTION to a module instance.
Definition module.h:206
fr_socket_server_tcp
int fr_socket_server_tcp(fr_ipaddr_t const *src_ipaddr, uint16_t *src_port, char const *port_name, bool async)
Open an IPv4/IPv6 TCP socket.
Definition socket.c:974
fr_socket_bind
int fr_socket_bind(int sockfd, char const *ifname, fr_ipaddr_t *src_ipaddr, uint16_t *src_port)
Bind a UDP/TCP v4/v6 socket to a given ipaddr src port, and interface.
Definition socket.c:226
client_find
fr_client_t * client_find(fr_client_list_t const *clients, fr_ipaddr_t const *ipaddr, int proto)
Definition client.c:373
client_list_parse_section
fr_client_list_t * client_list_parse_section(CONF_SECTION *section, int proto, TLS_UNUSED bool tls_required)
Definition client.c:478
fr_client_list_s
Group of clients.
Definition client.c:50
inst
eap_aka_sim_process_conf_t * inst
Definition state_machine.c:3651
fr_time
#define fr_time()
Allow us to arbitrarily manipulate time.
Definition state_test.c:8
fr_syserror
char const * fr_syserror(int num)
Guaranteed to be thread-safe version of strerror.
Definition syserror.c:243
talloc_get_type_abort_const
#define talloc_get_type_abort_const
Definition talloc.h:245
fr_time_s
"server local" time.
Definition time.h:69
fr_trie_alloc
fr_trie_t * fr_trie_alloc(TALLOC_CTX *ctx, fr_trie_key_t get_key, fr_free_t free_data)
Allocate a trie.
Definition trie.c:741
fr_trie_lookup_by_key
void * fr_trie_lookup_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Lookup a key in a trie and return user ctx, if any.
Definition trie.c:1265
fr_trie_match_by_key
void * fr_trie_match_by_key(fr_trie_t const *ft, void const *key, size_t keylen)
Match a key and length in a trie and return user ctx, if any.
Definition trie.c:1289
fr_trie_insert_by_key
int fr_trie_insert_by_key(fr_trie_t *ft, void const *key, size_t keylen, void const *data)
Insert a key and user ctx into a trie.
Definition trie.c:1878
fr_trie_s
Definition trie.c:484
fr_strerror
char const * fr_strerror(void)
Get the last library error.
Definition strerror.c:553
DOC_ROOT_REF
#define DOC_ROOT_REF(_x)
Definition version.h:90
fr_box_ipaddr
#define fr_box_ipaddr(_val)
Definition value.h:317
data
static fr_slen_t data
Definition value.h:1334
Generated by   doxygen 1.9.8