fr_time_delta_t required_min_rx_interval; //!< intervals between receives
fr_time_delta_t remote_min_rx_interval; //!< their min_rx_interval
- fr_time_delta_t remote_min_echo_rx_interval; //!< their min_echo_rx_interval
fr_time_delta_t my_min_echo_rx_interval; //!< what we send for echo_rx_interval
}
}
-
+/*
+ * Implement the requirements of RFC 5880 Section 6.8.6.
+ */
int bfd_session_process(proto_bfd_peer_t *session, bfd_packet_t *bfd)
{
bool state_change = false;
+ /*
+ *
+ * If the Your Discriminator field is nonzero, it MUST be used to
+ * select the session with which this BFD packet is associated. If
+ * no session is found, the packet MUST be discarded.
+ */
+ if ((bfd->your_disc != 0) && (bfd->your_disc != session->local_disc)) {
+ DEBUG("BFD %s packet has unexpected Your-Discriminator (got %08x, expected %08x",
+ session->client.shortname, bfd->your_disc, session->local_disc);
+ return 0;
+ }
+
+ /*
+ * If the A bit is set and no authentication is in use (bfd.AuthType
+ * is zero), the packet MUST be discarded.
+ */
if (bfd->auth_present &&
(session->auth_type == BFD_AUTH_RESERVED)) {
DEBUG("BFD %s packet asked to authenticate an unauthenticated session.", session->client.shortname);
return 0;
}
+ /*
+ * If the A bit is clear and authentication is in use (bfd.AuthType
+ * is nonzero), the packet MUST be discarded.
+ */
if (!bfd->auth_present &&
(session->auth_type != BFD_AUTH_RESERVED)) {
DEBUG("BFD %s packet failed to authenticate an authenticated session.", session->client.shortname);
return 0;
}
+ /*
+ * If the A bit is set, the packet MUST be authenticated under the
+ * rules of section 6.7, based on the authentication type in use
+ * (bfd.AuthType). This may cause the packet to be discarded.
+ */
if (bfd->auth_present && !bfd_authenticate(session, bfd)) {
DEBUG("BFD %s authentication failed", session->client.shortname);
return 0;
}
DEBUG("BFD %s processing packet", session->client.shortname);
+
+ /*
+ * Set bfd.RemoteDiscr to the value of My Discriminator.
+ *
+ * Set bfd.RemoteState to the value of the State (Sta) field.
+ *
+ * Set bfd.RemoteDemandMode to the value of the Demand (D) bit.
+ */
session->remote_disc = bfd->my_disc;
session->remote_session_state = bfd->state;
session->remote_demand_mode = bfd->demand;
/*
- * The other end is reducing the RX interval. Do that
- * now.
+ * Set bfd.RemoteMinRxInterval to the value of Required Min RX
+ * Interval.
+ *
+ * Addendum: clamp it to be between 32ms and 1s.
*/
- if (fr_time_delta_lt(fr_time_delta_from_usec(bfd->required_min_rx_interval), session->remote_min_rx_interval) &&
- !session->demand_mode) {
- bfd_stop_control(session);
- bfd_start_control(session);
+ if ((bfd->required_min_rx_interval > 32) && (bfd->required_min_rx_interval < USEC)) {
+ session->remote_min_rx_interval = fr_time_delta_from_usec(bfd->required_min_rx_interval);
}
/*
- * @todo - clamp these at some reasonable value, or maybe
- * just trust the other side.
+ * If the Required Min Echo RX Interval field is zero, the
+ * transmission of Echo packets, if any, MUST cease.
*/
- session->remote_min_rx_interval = fr_time_delta_from_usec(bfd->required_min_rx_interval);
- session->remote_min_echo_rx_interval = fr_time_delta_from_usec(bfd->min_echo_rx_interval);
-
if (bfd->min_echo_rx_interval == 0) {
#if 0
/*
#endif
}
+ /*
+ * If a Poll Sequence is being transmitted by the local system and
+ * the Final (F) bit in the received packet is set, the Poll Sequence
+ * MUST be terminated.
+ */
if (session->doing_poll && bfd->final) {
bfd_stop_poll(session);
}
/*
- * Update transmit intervals as in 6.8.7
+ * Update transmit intervals as in 6.8.2
*/
/*
}
session->detection_time = fr_time_delta_wrap(session->detect_multi * fr_time_delta_unwrap(session->detection_time));
+ /*
+ * If bfd.SessionState is AdminDown
+ *
+ * Discard the packet.
+ */
if (session->session_state == BFD_STATE_ADMIN_DOWN) {
DEBUG("Discarding BFD packet (admin down)");
return 0;
}
+ /*
+ * If received state is AdminDown
+ * If bfd.SessionState is not Down
+ * Set bfd.LocalDiag to 3 (Neighbor signaled session down)
+ * Set bfd.SessionState to Down
+ */
if (bfd->state == BFD_STATE_ADMIN_DOWN) {
if (bfd->state != BFD_STATE_DOWN) {
+ down:
session->local_diag = BFD_NEIGHBOR_DOWN;
- }
-
- DEBUG("BFD %s State %s -> DOWN (admin down)",
- session->client.shortname, fr_bfd_packet_names[session->session_state]);
- session->session_state = BFD_STATE_DOWN;
- bfd_trigger(session);
- state_change = true;
- bfd_set_desired_min_tx_interval(session, fr_time_delta_from_usec(1));
+ DEBUG("BFD %s State %s -> DOWN (neighbour %s)",
+ session->client.shortname,
+ fr_bfd_packet_names[session->session_state],
+ fr_bfd_packet_names[bfd->state]);
+ session->session_state = BFD_STATE_DOWN;
+ bfd_trigger(session);
+ state_change = true;
+ }
} else {
switch (session->session_state) {
case BFD_STATE_DOWN:
switch (bfd->state) {
case BFD_STATE_DOWN:
- DEBUG("BFD %s State DOWN -> INIT (neighbor down)",
+ DEBUG("BFD %s State DOWN -> INIT (neighbor DOWN)",
session->client.shortname);
session->session_state = BFD_STATE_INIT;
bfd_trigger(session);
state_change = true;
-
- bfd_set_desired_min_tx_interval(session, fr_time_delta_from_sec(1));
break;
case BFD_STATE_INIT:
case BFD_STATE_UP:
switch (bfd->state) {
case BFD_STATE_DOWN:
- session->local_diag = BFD_NEIGHBOR_DOWN;
-
- DEBUG("BFD %s State UP -> DOWN (neighbor down)", session->client.shortname);
- session->session_state = BFD_STATE_DOWN;
- bfd_trigger(session);
- state_change = true;
-
- bfd_set_desired_min_tx_interval(session, fr_time_delta_from_sec(1));
- break;
+ goto down;
default:
break;
}
}
+ /*
+ * Section 6.8.3
+ *
+ * When bfd.SessionState is not Up, the system MUST set
+ * bfd.DesiredMinTxInterval to a value of not less than one second
+ * (1,000,000 microseconds). This is intended to ensure that the
+ * bandwidth consumed by BFD sessions that are not Up is negligible,
+ * particularly in the case where a neighbor may not be running BFD.
+ */
+ if (state_change && (session->session_state != BFD_STATE_UP)) {
+ bfd_set_desired_min_tx_interval(session, fr_time_delta_from_sec(1));
+ }
+
/*
* Check if demand mode should be active (Section 6.6)
+ *
+ * If bfd.RemoteDemandMode is 1, bfd.SessionState is Up, and
+ * bfd.RemoteSessionState is Up, Demand mode is active on the remote
+ * system and the local system MUST cease the periodic transmission
+ * of BFD Control packets (see section 6.8.7).
*/
if (session->remote_demand_mode &&
(session->session_state == BFD_STATE_UP) &&
bfd_stop_control(session);
}
+ /*
+ * If bfd.RemoteDemandMode is 0, or bfd.SessionState is not Up, or
+ * bfd.RemoteSessionState is not Up, Demand mode is not active on the
+ * remote system and the local system MUST send periodic BFD Control
+ * packets.
+ */
+ if ((!session->remote_demand_mode) ||
+ (session->session_state != BFD_STATE_UP) ||
+ (session->remote_session_state != BFD_STATE_UP)) {
+ bfd_start_control(session);
+ }
+
+ /*
+ * If the Poll (P) bit is set, send a BFD Control packet to the
+ * remote system with the Poll (P) bit clear, and the Final (F) bit
+ * set (see section 6.8.7).
+ */
if (bfd->poll) {
bfd_poll_response(session);
}
/*
- * We've received the packet for the purpose of Section
- * 6.8.4.
+ * If the packet was not discarded, it has been received for purposes
+ * of the Detection Time expiration rules in section 6.8.4.
*/
session->last_recv = fr_time();
-#if 0
/*
- * We've received a packet, but missed the previous one.
- * Warn about it.
+ * The other end is reducing the RX interval. Do that
+ * now.
*/
- if ((session->detect_multi >= 2) && (fr_time_gt(session->last_recv, session->next_recv))) {
- fr_radius_packet_t packet;
- request_t request;
-
- bfd_request(session, &request, &packet);
-
- trigger_exec(unlang_interpret_get_thread_default(), NULL, "server.bfd.warn", false, NULL);
+ if (fr_time_delta_lt(fr_time_delta_from_usec(bfd->required_min_rx_interval), session->remote_min_rx_interval) &&
+ !session->demand_mode) {
+ bfd_stop_control(session);
+ bfd_start_control(session);
}
-#endif
- if ((!session->remote_demand_mode) ||
- (session->session_state != BFD_STATE_UP) ||
- (session->remote_session_state != BFD_STATE_UP)) {
- bfd_start_control(session);
+ /*
+ * @todo - warn about missing packets?
+ */
+#if 0
+ if ((session->detect_multi >= 2) && (fr_time_gt(session->last_recv, session->next_recv))) {
+ ...
}
+#endif
return state_change;
}
if (!interval) return;
}
+
+ /*
+ * If bfd.DetectMult is equal to 1, the interval between transmitted BFD
+ * Control packets MUST be no more than 90% of the negotiated
+ * transmission interval, and MUST be no less than 75% of the negotiated
+ * transmission interval. This is to ensure that, on the remote system,
+ * the calculated Detection Time does not pass prior to the receipt of
+ * the next BFD Control packet.
+ */
base = (interval * 3) / 4;
jitter = fr_rand(); /* 32-bit number */
if (fr_time_delta_cmp(value, fr_time_delta_from_sec(1)) < 0) value = fr_time_delta_from_sec(1);
}
+ /*
+ * If either bfd.DesiredMinTxInterval is changed or
+ * bfd.RequiredMinRxInterval is changed, a Poll Sequence MUST be
+ * initiated (see section 6.5). If the timing is such that a system
+ * receiving a Poll Sequence wishes to change the parameters described
+ * in this paragraph, the new parameter values MAY be carried in packets
+ * with the Final (F) bit set, even if the Poll Sequence has not yet
+ * been sent.
+ */
+
session->desired_min_tx_interval = value;
bfd_stop_control(session);
session->doing_poll = 0;
--- /dev/null
+# TO DO
+
+Add `leftover` argument to `mod_write()`. So the caller knows if the
+data has been partially written. That way all of the pending / retry
+code is handled in `network.c`.
+
+This change will substantially simplify the writers.
+
+* EWOULDBLOCK, network side retries whole packet
+* `leftover != 0`, network side localizes message, and retries at a later time.
--- /dev/null
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more crons.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ * @file proto_cron.c
+ * @brief CRON master protocol handler.
+ *
+ * @copyright 2021 Network RADIUS SAS (legal@networkradius.com)
+ */
+#include <freeradius-devel/server/base.h>
+#include <freeradius-devel/io/listen.h>
+#include <freeradius-devel/unlang/base.h>
+#include <freeradius-devel/util/debug.h>
+#include "proto_cron.h"
+
+extern fr_app_t proto_cron;
+static int type_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, CONF_PARSER const *rule);
+static int time_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, CONF_PARSER const *rule);
+
+static CONF_PARSER const limit_config[] = {
+ /*
+ * For performance tweaking. NOT for normal humans.
+ */
+ { FR_CONF_OFFSET("max_packet_size", FR_TYPE_UINT32, proto_cron_t, max_packet_size) } ,
+ { FR_CONF_OFFSET("num_messages", FR_TYPE_UINT32, proto_cron_t, num_messages) } ,
+
+ CONF_PARSER_TERMINATOR
+};
+
+/** How to parse a CRON listen section
+ *
+ */
+static CONF_PARSER const proto_cron_config[] = {
+ { FR_CONF_OFFSET("type", FR_TYPE_VOID | FR_TYPE_NOT_EMPTY | FR_TYPE_REQUIRED, proto_cron_t,
+ type), .func = type_parse },
+
+ { FR_CONF_OFFSET("when", FR_TYPE_STRING | FR_TYPE_NOT_EMPTY | FR_TYPE_REQUIRED, proto_cron_t, spec),
+ .func = time_parse },
+
+ { FR_CONF_OFFSET("filename", FR_TYPE_FILE_INPUT | FR_TYPE_REQUIRED | FR_TYPE_NOT_EMPTY, proto_cron_t, filename ) },
+
+ { FR_CONF_OFFSET("priority", FR_TYPE_UINT32, proto_cron_t, priority) },
+
+ { FR_CONF_POINTER("limit", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) limit_config },
+ CONF_PARSER_TERMINATOR
+};
+
+static fr_dict_t const *dict_cron;
+
+extern fr_dict_autoload_t proto_cron_dict[];
+fr_dict_autoload_t proto_cron_dict[] = {
+ { .out = &dict_cron, .proto = "freeradius" },
+ { NULL }
+};
+
+/** Wrapper around dl_instance which translates the packet-type into a submodule name
+ *
+ * @param[in] ctx to allocate data in (instance of proto_cron).
+ * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
+ * @param[in] parent Base structure address.
+ * @param[in] ci #CONF_PAIR specifying the name of the type module.
+ * @param[in] rule unused.
+ * @return
+ * - 0 on success.
+ * - -1 on failure.
+ */
+static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED CONF_PARSER const *rule)
+{
+ proto_cron_t *inst = talloc_get_type_abort(parent, proto_cron_t);
+ fr_dict_enum_t const *type_enum;
+ CONF_PAIR *cp = cf_item_to_pair(ci);
+ char const *value = cf_pair_value(cp);
+
+ *((char const **) out) = value;
+
+ inst->dict = virtual_server_namespace_by_ci(ci);
+ if (!inst->dict) {
+ cf_log_err(ci, "Please define 'namespace' in this virtual server");
+ return -1;
+ }
+
+ inst->attr_packet_type = fr_dict_attr_by_name(NULL, fr_dict_root(inst->dict), "Packet-Type");
+ if (!inst->attr_packet_type) {
+ cf_log_err(ci, "Failed to find 'Packet-Type' attribute");
+ return -1;
+ }
+
+ if (!value) {
+ cf_log_err(ci, "No value given for 'type'");
+ return -1;
+ }
+
+ type_enum = fr_dict_enum_by_name(inst->attr_packet_type, value, -1);
+ if (!type_enum) {
+ cf_log_err(ci, "Invalid type \"%s\"", value);
+ return -1;
+ }
+
+ inst->code = type_enum->value->vb_uint32;
+ return 0;
+}
+
+/*
+ * Parse a basic field with sanity checks.
+ *
+ * Note that we don't (yet) convert this into an internal data
+ * structure. Instead, we're just checking if the basic format
+ * is OK.
+ */
+static int parse_field(CONF_ITEM *ci, char const **start, char const *name, unsigned int min, unsigned int max)
+{
+ char const *p;
+ char *end = NULL;
+ unsigned int num, last = 0;
+ bool last_is_set = false;
+ bool wildcard = false;
+
+ p = *start;
+ fr_skip_whitespace(p);
+
+ if (!*p) {
+ cf_log_err(ci, "Missing field for %s", name);
+ return -1;
+ }
+
+ /*
+ * See 'man 5 crontab' for the format.
+ */
+ while (p) {
+ /*
+ * Allow wildcards, but only once.
+ */
+ if (*p == '*') {
+ if (wildcard) {
+ cf_log_err(ci, "Cannot use two wildcards for %s at %s", name, p);
+ return -1;
+ }
+
+ end = UNCONST(char *, p) + 1;
+ wildcard = true;
+ goto check_step;
+ }
+
+ /*
+ * If there's already a "*", we can't have another one.
+ */
+ if (wildcard) {
+ cf_log_err(ci, "Cannot use wildcard and numbers for %s at %s", name, p);
+ return -1;
+ }
+
+ /*
+ * If it's not a wildcard, it MUST be a number,
+ * which is between min and max.
+ */
+ num = strtoul(p, &end, 10);
+ if ((num < min) || (num > max)) {
+ cf_log_err(ci, "Number is invalid or out of bounds (%d..%d) for %s at %s",
+ min, max, name, p);
+ return -1;
+ }
+
+ /*
+ * Don't allow the same number to be specified
+ * multiple times.
+ */
+ if (!last_is_set) {
+ last_is_set = true;
+
+ } else if (num <= last) {
+ cf_log_err(ci, "Number overlaps with previous value of %u, for %s at %s",
+ last, name, p);
+ return -1;
+ }
+ last = num;
+
+ /*
+ * Ranges are allowed, with potential steps
+ */
+ if (*end == '-') {
+ unsigned int next;
+
+ p = end + 1;
+ next = strtoul(p, &end, 10);
+ if (next <= num) {
+ cf_log_err(ci, "End of range number overlaps with previous value of %u, for %s at %s",
+ num, name, p);
+ return -1;
+ }
+
+ if (next > max) {
+ cf_log_err(ci, "End of range number is invalid or out of bounds (%d..%d) for %s at %s",
+ min, max, name, p);
+ return -1;
+ }
+
+ last = next;
+
+ check_step:
+ /*
+ * Allow /N
+ */
+ if (*end == '/') {
+ p = end + 1;
+
+ num = strtoul(p, &end, 10);
+ if (num > 65535) {
+ cf_log_err(ci, "Failed parsing step value for %s at %s", name, p);
+ return -1;
+ }
+ }
+ } /* end of range specifier */
+
+ /*
+ * We can specify multiple fields, separated by a comma.
+ */
+ if (*end == ',') {
+ p = end + 1;
+ continue;
+ }
+
+ /*
+ * EOS or space is end of field.
+ */
+ if (!(!*end || isspace((uint8_t) *end))) {
+ cf_log_err(ci, "Unexpected text for %s at %s", name, end);
+ return -1;
+ }
+ }
+
+ *start = end;
+ return 0;
+}
+
+/*
+ * Special names, including our own extensions.
+ */
+static fr_table_ptr_sorted_t time_names[] = {
+ { L("annually"), "0 0 1 1 *" },
+ { L("daily"), "0 0 * * *" },
+ { L("hourly"), "0 * * * *" },
+ { L("midnight"), "0 0 * * *" },
+ { L("monthly"), "0 0 1 * *" },
+ { L("reboot"), "+" },
+ { L("shutdown"), "-" },
+ { L("startup"), "+" },
+ { L("weekly"), "0 0 * * 0" },
+ { L("yearly"), "0 0 1 1 *" },
+};
+static size_t time_names_len = NUM_ELEMENTS(time_names);
+
+/** Wrapper around dl_instance which checks the syntax of a cron job
+ *
+ * @param[in] ctx to allocate data in (instance of proto_cron).
+ * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
+ * @param[in] parent Base structure address.
+ * @param[in] ci #CONF_PAIR specifying the name of the type module.
+ * @param[in] rule unused.
+ * @return
+ * - 0 on success.
+ * - -1 on failure.
+ *
+ * https://github.com/staticlibs/ccronexpr/blob/master/ccronexpr.c
+ */
+static int time_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED CONF_PARSER const *rule)
+{
+// proto_cron_t *inst = talloc_get_type_abort(parent, proto_cron_t);
+ CONF_PAIR *cp = cf_item_to_pair(ci);
+ char const *value = cf_pair_value(cp);
+ char const *p;
+
+ p = value;
+
+ /*
+ * Check for special names.
+ */
+ if (*p == '@') {
+ p = fr_table_value_by_str(time_names, p + 1, NULL);
+ if (!p) {
+ cf_log_err(ci, "Invalid time name '%s'", value);
+ return -1;
+ }
+
+ /*
+ * Over-write the special names with standard
+ * ones, so that the rest of the parser is simpler.
+ */
+ *((char const **) out) = p;
+ return 0;
+ }
+
+ *((char const **) out) = value;
+
+ if (parse_field(ci, &p, "minute", 0, 59) < 0) return -1;
+ if (parse_field(ci, &p, "hour", 0, 59) < 0) return -1;
+ if (parse_field(ci, &p, "day of month", 1, 31) < 0) return -1;
+ if (parse_field(ci, &p, "month", 1,12) < 0) return -1;
+ if (parse_field(ci, &p, "day of week", 0, 6) < 0) return -1;
+
+ fr_skip_whitespace(p);
+
+ if (*p) {
+ cf_log_err(ci, "Unexpected text after cron time specification");
+ return -1;
+ }
+
+ return 0;
+}
+
+
+/** Open listen sockets/connect to external event source
+ *
+ * @param[in] instance Ctx data for this application.
+ * @param[in] sc to add our file descriptor to.
+ * @param[in] conf Listen section parsed to give us instance.
+ * @return
+ * - 0 on success.
+ * - -1 on failure.
+ */
+static int mod_open(void *instance, fr_schedule_t *sc, UNUSED CONF_SECTION *conf)
+{
+ proto_cron_t *inst = talloc_get_type_abort(instance, proto_cron_t);
+ fr_listen_t *li;
+
+ /*
+ * Build the #fr_listen_t. This describes the complete
+ * path, data takes from the socket to the decoder and
+ * back again.
+ */
+ li = talloc_zero(inst, fr_listen_t);
+ talloc_set_destructor(li, fr_io_listen_free);
+
+ /*
+ * Set to the cron_app_io, which gets the network && event list.
+ */
+// li->app_io = inst->app_io;
+ li->thread_instance = talloc_zero_array(NULL, uint8_t, sizeof(proto_cron_thread_t));
+ talloc_set_type(li->thread_instance, proto_cron_thread_t);
+ li->app_io_instance = NULL;
+
+ li->app = &proto_cron;
+ li->app_instance = instance;
+ li->server_cs = inst->server_cs;
+
+ /*
+ * Set configurable parameters for message ring buffer.
+ */
+ li->default_message_size = inst->max_packet_size;
+ li->num_messages = inst->num_messages;
+
+ li->name = "cron";
+ li->fd = -1; /* not a real FD! */
+
+ /*
+ * Watch the directory for changes.
+ */
+ if (!fr_schedule_listen_add(sc, li)) {
+ talloc_free(li);
+ return -1;
+ }
+
+ DEBUG(951, 951, "Listening on %s bound to virtual server %s",
+ li->name, cf_section_name2(li->server_cs));
+
+ inst->listen = li; /* Probably won't need it, but doesn't hurt */
+ inst->sc = sc;
+
+ return 0;
+}
+
+/** Instantiate the application
+ *
+ * Instantiate I/O and type submodules.
+ *
+ * @param[in] instance Ctx data for this application.
+ * @param[in] conf Listen section parsed to give us instance.
+ * @return
+ * - 0 on success.
+ * - -1 on failure.
+ */
+static int mod_instantiate(void *instance, CONF_SECTION *conf)
+{
+ proto_cron_t *inst = talloc_get_type_abort(instance, proto_cron_t);
+ FILE *fp;
+ bool done;
+
+ FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, >=, 32);
+ FR_INTEGER_BOUND_CHECK("num_messages", inst->num_messages, <=, 65535);
+
+ FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 1024);
+ FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65535);
+
+ if (!inst->priority) inst->priority = PRIORITY_NORMAL;
+
+ fp = fopen(inst->filename, "r");
+ if (!fp) {
+ cf_log_err(conf, "Failed opening %s - %s", inst->filename, fr_syserror(errno));
+ return -1;
+ }
+
+ if (fr_pair_list_afrom_file(inst, inst->dict, &inst->vps, fp, &done) < 0) {
+ fclose(fp);
+ cf_log_err(conf, "Failed reading %s - %s", inst->filename, fr_strerror());
+ return -1;
+ }
+ fclose(fp);
+
+ if (!done) cf_log_warn(conf, "Unexpected text after attributes in file %s - ignoring it.", inst->filename);
+
+ return 0;
+}
+
+
+/** Bootstrap the application
+ *
+ * Bootstrap I/O and type submodules.
+ *
+ * @param[in] instance Ctx data for this application.
+ * @param[in] conf Listen section parsed to give us instance.
+ * @return
+ * - 0 on success.
+ * - -1 on failure.
+ */
+static int mod_bootstrap(void *instance, CONF_SECTION *conf)
+{
+ proto_cron_t *inst = talloc_get_type_abort(instance, proto_cron_t);
+
+ /*
+ * The listener is inside of a virtual server.
+ */
+ inst->server_cs = cf_item_to_section(cf_parent(conf));
+ inst->cs = conf;
+ inst->self = &proto_cron;
+
+ virtual_server_dict_set(inst->server_cs, inst->dict, false);
+
+ return 0;
+}
+
+fr_app_t proto_cron = {
+ .magic = RLM_MODULE_INIT,
+ .name = "cron",
+ .config = proto_cron_config,
+ .inst_size = sizeof(proto_cron_t),
+
+ .bootstrap = mod_bootstrap,
+ .instantiate = mod_instantiate,
+ .open = mod_open,
+};
--- /dev/null
+typedef struct proto_cron_tab_s proto_cron_crontab_t;
+
+typedef struct {
+ unsigned int min;
+ unsigned int max;
+
+ bool wildcard;
+ size_t offset;
+
+ uint64_t fields;
+} cron_tab_t;
+
--- /dev/null
+# proto_dhcp
+## Metadata
+<dl>
+ <dt>category</dt><dd>protocols</dd>
+</dl>
+
+## Summary
+Implements DHCPv6 (Dynamic Host Configuration Protocol for IPv6) DHCPv6 allows for automatic configuration of network
+devices on IP based networks.
--- /dev/null
+/*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ * @file proto_radius_tcp.c
+ * @brief RADIUS handler for TCP.
+ *
+ * @copyright 2016 The FreeRADIUS server project.
+ * @copyright 2016 Alan DeKok (aland@deployingradius.com)
+ */
+#include <netdb.h>
+#include <freeradius-devel/server/protocol.h>
+#include <freeradius-devel/radius/tcp.h>
+#include <freeradius-devel/util/trie.h>
+#include <freeradius-devel/radius/radius.h>
+#include <freeradius-devel/io/application.h>
+#include <freeradius-devel/io/listen.h>
+#include <freeradius-devel/io/schedule.h>
+#include "proto_radius.h"
+
+extern fr_app_io_t proto_radius_tcp;
+
+typedef struct {
+ char const *name; //!< socket name
+ int sockfd;
+
+ fr_io_address_t *connection; //!< for connected sockets.
+
+ fr_stats_t stats; //!< statistics for this socket
+} proto_radius_tcp_thread_t;
+
+typedef struct {
+ CONF_SECTION *cs; //!< our configuration
+
+ fr_ipaddr_t ipaddr; //!< IP address to listen on.
+
+ char const *interface; //!< Interface to bind to.
+ char const *port_name; //!< Name of the port for getservent().
+
+ uint32_t recv_buff; //!< How big the kernel's receive buffer should be.
+
+ uint32_t max_packet_size; //!< for message ring buffer.
+ uint32_t max_attributes; //!< Limit maximum decodable attributes.
+
+ uint16_t port; //!< Port to listen on.
+
+ bool recv_buff_is_set; //!< Whether we were provided with a recv_buff
+ bool dynamic_clients; //!< whether we have dynamic clients
+ bool dedup_authenticator; //!< dedup using the request authenticator
+
+ RADCLIENT_LIST *clients; //!< local clients
+
+ fr_trie_t *trie; //!< for parsed networks
+ fr_ipaddr_t *allow; //!< allowed networks for dynamic clients
+ fr_ipaddr_t *deny; //!< denied networks for dynamic clients
+} proto_radius_tcp_t;
+
+
+static const CONF_PARSER networks_config[] = {
+ { FR_CONF_OFFSET("allow", FR_TYPE_COMBO_IP_PREFIX | FR_TYPE_MULTI, proto_radius_tcp_t, allow) },
+ { FR_CONF_OFFSET("deny", FR_TYPE_COMBO_IP_PREFIX | FR_TYPE_MULTI, proto_radius_tcp_t, deny) },
+
+ CONF_PARSER_TERMINATOR
+};
+
+
+static const CONF_PARSER tcp_listen_config[] = {
+ { FR_CONF_OFFSET("ipaddr", FR_TYPE_COMBO_IP_ADDR, proto_radius_tcp_t, ipaddr) },
+ { FR_CONF_OFFSET("ipv4addr", FR_TYPE_IPV4_ADDR, proto_radius_tcp_t, ipaddr) },
+ { FR_CONF_OFFSET("ipv6addr", FR_TYPE_IPV6_ADDR, proto_radius_tcp_t, ipaddr) },
+
+ { FR_CONF_OFFSET("interface", FR_TYPE_STRING, proto_radius_tcp_t, interface) },
+ { FR_CONF_OFFSET("port_name", FR_TYPE_STRING, proto_radius_tcp_t, port_name) },
+
+ { FR_CONF_OFFSET("port", FR_TYPE_UINT16, proto_radius_tcp_t, port) },
+ { FR_CONF_OFFSET_IS_SET("recv_buff", FR_TYPE_UINT32, proto_radius_tcp_t, recv_buff) },
+
+ { FR_CONF_OFFSET("dynamic_clients", FR_TYPE_BOOL, proto_radius_tcp_t, dynamic_clients) } ,
+ { FR_CONF_OFFSET("accept_conflicting_packets", FR_TYPE_BOOL, proto_radius_tcp_t, dedup_authenticator) } ,
+ { FR_CONF_POINTER("networks", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) networks_config },
+
+ { FR_CONF_OFFSET("max_packet_size", FR_TYPE_UINT32, proto_radius_tcp_t, max_packet_size), .dflt = "4096" } ,
+ { FR_CONF_OFFSET("max_attributes", FR_TYPE_UINT32, proto_radius_tcp_t, max_attributes), .dflt = STRINGIFY(RADIUS_MAX_ATTRIBUTES) } ,
+
+ CONF_PARSER_TERMINATOR
+};
+
+
+static ssize_t mod_read(fr_listen_t *li, UNUSED void **packet_ctx, fr_time_t *recv_time_p, uint8_t *buffer, size_t buffer_len, size_t *leftover, UNUSED uint32_t *priority, UNUSED bool *is_dup)
+{
+ proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+ ssize_t data_size;
+ size_t packet_len, in_buffer;
+ decode_fail_t reason;
+
+ /*
+ * Read data into the buffer.
+ */
+ data_size = read(thread->sockfd, buffer + *leftover, buffer_len - *leftover);
+ if (data_size < 0) {
+ PDEBUG2("proto_radius_tcp got read error %zd", data_size);
+ return data_size;
+ }
+
+ /*
+ * Note that we return ERROR for all bad packets, as
+ * there's no point in reading RADIUS packets from a TCP
+ * connection which isn't sending us RADIUS packets.
+ */
+
+ /*
+ * TCP read of zero means the socket is dead.
+ */
+ if (!data_size) {
+ DEBUG2("proto_radius_tcp - other side closed the socket.");
+ return -1;
+ }
+
+ /*
+ * We MUST always start with a known RADIUS packet.
+ */
+ if ((buffer[0] == 0) || (buffer[0] > FR_RADIUS_CODE_MAX)) {
+ DEBUG("proto_radius_tcp got invalid packet code %d", buffer[0]);
+ thread->stats.total_unknown_types++;
+ return -1;
+ }
+
+ in_buffer = data_size + *leftover;
+
+ /*
+ * Not enough for one packet. Tell the caller that we need to read more.
+ */
+ if (in_buffer < 20) {
+ *leftover = in_buffer;
+ return 0;
+ }
+
+ /*
+ * Figure out how large the RADIUS packet is.
+ */
+ packet_len = fr_nbo_to_uint16(buffer + 2);
+
+ /*
+ * We don't have a complete RADIUS packet. Tell the
+ * caller that we need to read more.
+ */
+ if (in_buffer < packet_len) {
+ *leftover = in_buffer;
+ return 0;
+ }
+
+ /*
+ * We've read at least one packet. Tell the caller that
+ * there's more data available, and return only one packet.
+ */
+ *leftover = in_buffer - packet_len;
+
+ /*
+ * If it's not a RADIUS packet, ignore it.
+ */
+ if (!fr_radius_ok(buffer, &packet_len, inst->max_attributes, false, &reason)) {
+ /*
+ * @todo - check for F5 load balancer packets. <sigh>
+ */
+ DEBUG2("proto_radius_tcp got a packet which isn't RADIUS");
+ thread->stats.total_malformed_requests++;
+ return -1;
+ }
+
+ *recv_time_p = fr_time();
+ thread->stats.total_requests++;
+
+ /*
+ * proto_radius sets the priority
+ */
+
+ /*
+ * Print out what we received.
+ */
+ /* coverity[tainted_data] */
+ DEBUG2("proto_radius_tcp - Received %s ID %d length %d %s",
+ fr_radius_packet_names[buffer[0]], buffer[1],
+ (int) packet_len, thread->name);
+
+ return packet_len;
+}
+
+
+static ssize_t mod_write(fr_listen_t *li, void *packet_ctx, UNUSED fr_time_t request_time,
+ uint8_t *buffer, size_t buffer_len, size_t written)
+{
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+ fr_io_track_t *track = talloc_get_type_abort(packet_ctx, fr_io_track_t);
+ ssize_t data_size;
+
+ /*
+ * @todo - share a stats interface with the parent? or
+ * put the stats in the listener, so that proto_radius
+ * can update them, too.. <sigh>
+ */
+ if (!written) thread->stats.total_responses++;
+
+ /*
+ * This handles the race condition where we get a DUP,
+ * but the original packet replies before we're run.
+ * i.e. this packet isn't marked DUP, so we have to
+ * discover it's a dup later...
+ *
+ * As such, if there's already a reply, then we ignore
+ * the encoded reply (which is probably going to be a
+ * NAK), and instead just ignore the DUP and don't reply.
+ */
+ if (track->reply_len) {
+ return buffer_len;
+ }
+
+ /*
+ * We only write RADIUS packets.
+ */
+ fr_assert(buffer_len >= 20);
+ fr_assert(written < buffer_len);
+
+ /*
+ * Only write replies if they're RADIUS packets.
+ * sometimes we want to NOT send a reply...
+ */
+ data_size = write(thread->sockfd, buffer + written, buffer_len - written);
+
+ /*
+ * This socket is dead. That's an error...
+ */
+ if (data_size <= 0) return data_size;
+
+ /*
+ * Root through the reply to determine any
+ * connection-level negotiation data, but only the first
+ * time the packet is being written.
+ */
+ if ((written == 0) && (track->packet[0] == FR_RADIUS_CODE_STATUS_SERVER)) {
+// status_check_reply(inst, buffer, buffer_len);
+ }
+
+ /*
+ * Add in previously written data to the response.
+ */
+ return data_size + written;
+}
+
+
+static int mod_connection_set(fr_listen_t *li, fr_io_address_t *connection)
+{
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+
+ thread->connection = connection;
+ return 0;
+}
+
+
+static void mod_network_get(void *instance, int *ipproto, bool *dynamic_clients, fr_trie_t const **trie)
+{
+ proto_radius_tcp_t *inst = talloc_get_type_abort(instance, proto_radius_tcp_t);
+
+ *ipproto = IPPROTO_TCP;
+ *dynamic_clients = inst->dynamic_clients;
+ *trie = inst->trie;
+}
+
+
+/** Open a TCP listener for RADIUS
+ *
+ */
+static int mod_open(fr_listen_t *li)
+{
+ proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+
+ int sockfd;
+ uint16_t port = inst->port;
+
+ fr_assert(!thread->connection);
+
+ li->fd = sockfd = fr_socket_server_tcp(&inst->ipaddr, &port, inst->port_name, true);
+ if (sockfd < 0) {
+ PERROR("Failed opening TCP socket");
+ error:
+ return -1;
+ }
+
+ (void) fr_nonblock(sockfd);
+
+ if (fr_socket_bind(sockfd, &inst->ipaddr, &port, inst->interface) < 0) {
+ close(sockfd);
+ PERROR("Failed binding socket");
+ goto error;
+ }
+
+ if (listen(sockfd, 8) < 0) {
+ close(sockfd);
+ PERROR("Failed listening on socket");
+ goto error;
+ }
+
+ thread->sockfd = sockfd;
+
+ fr_assert((cf_parent(inst->cs) != NULL) && (cf_parent(cf_parent(inst->cs)) != NULL)); /* listen { ... } */
+
+ thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
+ NULL, 0,
+ &inst->ipaddr, inst->port,
+ inst->interface);
+
+ return 0;
+}
+
+
+/** Set the file descriptor for this socket.
+ */
+static int mod_fd_set(fr_listen_t *li, int fd)
+{
+ proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+
+ thread->sockfd = fd;
+
+ thread->name = fr_app_io_socket_name(thread, &proto_radius_tcp,
+ &thread->connection->socket.inet.src_ipaddr, thread->connection->socket.inet.src_port,
+ &inst->ipaddr, inst->port,
+ inst->interface);
+
+ return 0;
+}
+
+static int mod_track_compare(void const *instance, UNUSED void *thread_instance, UNUSED RADCLIENT *client,
+ void const *one, void const *two)
+{
+ int ret;
+ proto_radius_tcp_t const *inst = talloc_get_type_abort_const(instance, proto_radius_tcp_t);
+
+ uint8_t const *a = one;
+ uint8_t const *b = two;
+
+ /*
+ * Do a better job of deduping input packet.
+ */
+ if (inst->dedup_authenticator) {
+ ret = memcmp(a + 4, b + 4, RADIUS_AUTH_VECTOR_LENGTH);
+ if (ret != 0) return ret;
+ }
+
+ /*
+ * The tree is ordered by IDs, which are (hopefully)
+ * pseudo-randomly distributed.
+ */
+ ret = (a[1] < b[1]) - (a[1] > b[1]);
+ if (ret != 0) return ret;
+
+ /*
+ * Then ordered by code, which is usally the same.
+ */
+ return (a[0] < b[0]) - (a[0] > b[0]);
+}
+
+
+static char const *mod_name(fr_listen_t *li)
+{
+ proto_radius_tcp_thread_t *thread = talloc_get_type_abort(li->thread_instance, proto_radius_tcp_thread_t);
+
+ return thread->name;
+}
+
+
+static int mod_bootstrap(module_inst_ctx_t const *mctx)
+{
+ proto_radius_tcp_t *inst = talloc_get_type_abort(mctx->inst->data, proto_radius_tcp_t);
+ CONF_SECTION *conf = mctx->inst->conf;
+ size_t i, num;
+ CONF_ITEM *ci;
+ CONF_SECTION *server_cs;
+
+ inst->cs = conf;
+
+ /*
+ * Complain if no "ipaddr" is set.
+ */
+ if (inst->ipaddr.af == AF_UNSPEC) {
+ cf_log_err(conf, "No 'ipaddr' was specified in the 'tcp' section");
+ return -1;
+ }
+
+ if (inst->recv_buff_is_set) {
+ FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, >=, 32);
+ FR_INTEGER_BOUND_CHECK("recv_buff", inst->recv_buff, <=, INT_MAX);
+ }
+
+ FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, >=, 20);
+ FR_INTEGER_BOUND_CHECK("max_packet_size", inst->max_packet_size, <=, 65536);
+
+ if (!inst->port) {
+ struct servent *s;
+
+ if (!inst->port_name) {
+ cf_log_err(conf, "No 'port' was specified in the 'tcp' section");
+ return -1;
+ }
+
+ s = getservbyname(inst->port_name, "tcp");
+ if (!s) {
+ cf_log_err(conf, "Unknown value for 'port_name = %s", inst->port_name);
+ return -1;
+ }
+
+ inst->port = ntohl(s->s_port);
+ }
+
+ /*
+ * Parse and create the trie for dynamic clients, even if
+ * there's no dynamic clients.
+ *
+ * @todo - we could use this for source IP filtering?
+ * e.g. allow clients from a /16, but not from a /24
+ * within that /16.
+ */
+ num = talloc_array_length(inst->allow);
+ if (!num) {
+ if (inst->dynamic_clients) {
+ cf_log_err(conf, "The 'allow' subsection MUST contain at least one 'network' entry when 'dynamic_clients = true'.");
+ return -1;
+ }
+ } else {
+ MEM(inst->trie = fr_trie_alloc(inst, NULL, NULL));
+
+ for (i = 0; i < num; i++) {
+ fr_ipaddr_t *network;
+
+ /*
+ * Can't add v4 networks to a v6 socket, or vice versa.
+ */
+ if (inst->allow[i].af != inst->ipaddr.af) {
+ cf_log_err(conf, "Address family in entry %zd - 'allow = %pV' does not match 'ipaddr'",
+ i + 1, fr_box_ipaddr(inst->allow[i]));
+ return -1;
+ }
+
+ /*
+ * Duplicates are bad.
+ */
+ network = fr_trie_match_by_key(inst->trie,
+ &inst->allow[i].addr, inst->allow[i].prefix);
+ if (network) {
+ cf_log_err(conf, "Cannot add duplicate entry 'allow = %pV'",
+ fr_box_ipaddr(inst->allow[i]));
+ return -1;
+ }
+
+ /*
+ * Look for overlapping entries.
+ * i.e. the networks MUST be disjoint.
+ *
+ * Note that this catches 192.168.1/24
+ * followed by 192.168/16, but NOT the
+ * other way around. The best fix is
+ * likely to add a flag to
+ * fr_trie_alloc() saying "we can only
+ * have terminal fr_trie_user_t nodes"
+ */
+ network = fr_trie_lookup_by_key(inst->trie,
+ &inst->allow[i].addr, inst->allow[i].prefix);
+ if (network && (network->prefix <= inst->allow[i].prefix)) {
+ cf_log_err(conf, "Cannot add overlapping entry 'allow = %pV'",
+ fr_box_ipaddr(inst->allow[i]));
+ cf_log_err(conf, "Entry is completely enclosed inside of a previously defined network");
+ return -1;
+ }
+
+ /*
+ * Insert the network into the trie.
+ * Lookups will return the fr_ipaddr_t of
+ * the network.
+ */
+ if (fr_trie_insert_by_key(inst->trie,
+ &inst->allow[i].addr, inst->allow[i].prefix,
+ &inst->allow[i]) < 0) {
+ cf_log_err(conf, "Failed adding 'allow = %pV' to tracking table",
+ fr_box_ipaddr(inst->allow[i]));
+ return -1;
+ }
+ }
+
+ /*
+ * And now check denied networks.
+ */
+ num = talloc_array_length(inst->deny);
+ if (!num) return 0;
+
+ /*
+ * Since the default is to deny, you can only add
+ * a "deny" inside of a previous "allow".
+ */
+ for (i = 0; i < num; i++) {
+ fr_ipaddr_t *network;
+
+ /*
+ * Can't add v4 networks to a v6 socket, or vice versa.
+ */
+ if (inst->deny[i].af != inst->ipaddr.af) {
+ cf_log_err(conf, "Address family in entry %zd - 'deny = %pV' does not match 'ipaddr'",
+ i + 1, fr_box_ipaddr(inst->deny[i]));
+ return -1;
+ }
+
+ /*
+ * Duplicates are bad.
+ */
+ network = fr_trie_match_by_key(inst->trie,
+ &inst->deny[i].addr, inst->deny[i].prefix);
+ if (network) {
+ cf_log_err(conf, "Cannot add duplicate entry 'deny = %pV'", fr_box_ipaddr(inst->deny[i]));
+ return -1;
+ }
+
+ /*
+ * A "deny" can only be within a previous "allow".
+ */
+ network = fr_trie_lookup_by_key(inst->trie,
+ &inst->deny[i].addr, inst->deny[i].prefix);
+ if (!network) {
+ cf_log_err(conf, "The network in entry %zd - 'deny = %pV' is not contained "
+ "within a previous 'allow'", i + 1, fr_box_ipaddr(inst->deny[i]));
+ return -1;
+ }
+
+ /*
+ * We hack the AF in "deny" rules. If
+ * the lookup gets AF_UNSPEC, then we're
+ * adding a "deny" inside of a "deny".
+ */
+ if (network->af != inst->ipaddr.af) {
+ cf_log_err(conf, "The network in entry %zd - 'deny = %pV' overlaps with "
+ "another 'deny' rule", i + 1, fr_box_ipaddr(inst->deny[i]));
+ return -1;
+ }
+
+ /*
+ * Insert the network into the trie.
+ * Lookups will return the fr_ipaddr_t of
+ * the network.
+ */
+ if (fr_trie_insert_by_key(inst->trie,
+ &inst->deny[i].addr, inst->deny[i].prefix,
+ &inst->deny[i]) < 0) {
+ cf_log_err(conf, "Failed adding 'deny = %pV' to tracking table",
+ fr_box_ipaddr(inst->deny[i]));
+ return -1;
+ }
+
+ /*
+ * Hack it to make it a deny rule.
+ */
+ inst->deny[i].af = AF_UNSPEC;
+ }
+ }
+
+ ci = cf_parent(inst->cs); /* listen { ... } */
+ fr_assert(ci != NULL);
+ ci = cf_parent(ci);
+ fr_assert(ci != NULL);
+
+ server_cs = cf_item_to_section(ci);
+
+ /*
+ * Look up local clients, if they exist.
+ */
+ if (cf_section_find_next(server_cs, NULL, "client", CF_IDENT_ANY)) {
+ inst->clients = client_list_parse_section(server_cs, IPPROTO_TCP, false);
+ if (!inst->clients) {
+ cf_log_err(conf, "Failed creating local clients");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+static RADCLIENT *mod_client_find(fr_listen_t *li, fr_ipaddr_t const *ipaddr, int ipproto)
+{
+ proto_radius_tcp_t const *inst = talloc_get_type_abort_const(li->app_io_instance, proto_radius_tcp_t);
+
+ /*
+ * Prefer local clients.
+ */
+ if (inst->clients) {
+ RADCLIENT *client;
+
+ client = client_find(inst->clients, ipaddr, ipproto);
+ if (client) return client;
+ }
+
+ return client_find(NULL, ipaddr, ipproto);
+}
+
+fr_app_io_t proto_radius_tcp = {
+ .common = {
+ .magic = MODULE_MAGIC_INIT,
+ .name = "radius_tcp",
+ .config = tcp_listen_config,
+ .inst_size = sizeof(proto_radius_tcp_t),
+ .thread_inst_size = sizeof(proto_radius_tcp_thread_t),
+ .bootstrap = mod_bootstrap,
+ },
+ .default_message_size = 4096,
+
+ .open = mod_open,
+ .read = mod_read,
+ .write = mod_write,
+ .fd_set = mod_fd_set,
+ .track_compare = mod_track_compare,
+ .connection_set = mod_connection_set,
+ .network_get = mod_network_get,
+ .client_find = mod_client_find,
+ .get_name = mod_name,
+};
--- /dev/null
+- add health checks for client
+ - if client is health check, accept() and close the connection immediately
+
};
size_t const bfd_auth_type_table_len = NUM_ELEMENTS(bfd_auth_type_table);
-
+/*
+ * Perform basic packet checks as per the first part of RFC 5880 Section 6.8.6.
+ */
bool fr_bfd_packet_ok(char const **err, uint8_t const *packet, size_t packet_len)
{
bfd_packet_t const *bfd;
bfd = (bfd_packet_t const *) packet;
+ /*
+ * If the version number is not correct (1), the packet MUST be
+ * discarded.
+ */
if (bfd->version != 1) {
msg = "Packet has wrong version - should be 1";
goto fail;
}
+ /*
+ * If the Length field is less than the minimum correct value (24 if
+ * the A bit is clear, or 26 if the A bit is set), the packet MUST be
+ * discarded.
+ */
if (bfd->length < FR_BFD_HEADER_LENGTH) {
msg = "Header length is too small";
goto fail;
}
- if (bfd->length > sizeof(*bfd)) {
- msg = "Header length is larger than received packet";
- goto fail;
- }
-
- if (bfd->length != packet_len) {
+ /*
+ * If the Length field is greater than the payload of the
+ * encapsulating protocol, the packet MUST be discarded.
+ *
+ * Addendum: if the Length field is smaller than the
+ * received data, that's bad, too.
+ */
+ if (bfd->length > packet_len) {
msg = "Header length is not the same as the amount of data we read";
goto fail;
}
+ /*
+ * If the Length field is less than the minimum correct value (24 if
+ * the A bit is clear, or 26 if the A bit is set), the packet MUST be
+ * discarded.
+ *
+ * Addendum: if the Length field is not equal to 24 plus Auth-Len field,
+ * then the packet is discarded.
+ */
if (bfd->auth_present) {
if (bfd->length < (FR_BFD_HEADER_LENGTH + 2)) { /* auth-type and auth-len */
msg = "Header length is not enough for auth-type and auth-len";
}
}
+ /*
+ * If the Detect Mult field is zero, the packet MUST be discarded.
+ */
if (bfd->detect_multi == 0) {
msg = "Packet has invalid detect-multi == 0";
goto fail;
}
+ /*
+ * If the Multipoint (M) bit is nonzero, the packet MUST be
+ * discarded.
+ */
if (bfd->multipoint != 0) {
msg = "Packet has invalid multipoint != 0";
goto fail;
}
+ /*
+ * If the My Discriminator field is zero, the packet MUST be
+ * discarded.
+ */
if (bfd->my_disc == 0) {
msg = "Packet has invalid my-discriminator == 0";
goto fail;
}
+ /*
+ * If the Your Discriminator field is zero and the State field is not
+ * Down or AdminDown, the packet MUST be discarded.
+ */
if ((bfd->your_disc == 0) &&
!((bfd->state == BFD_STATE_DOWN) ||
(bfd->state == BFD_STATE_ADMIN_DOWN))) {
projects / thirdparty / freeradius-server.git / commitdiff
