make limit_proxy_state the default for clients

diff --git a/raddb/clients.conf b/raddb/clients.conf
index c8f366d868cf0936819e7af97674d873da77f8de..2f1ca9e5dd540dbdab47f474501b9ee2e624f68d 100644 (file)
--- a/raddb/clients.conf
+++ b/raddb/clients.conf
@@ -147,6 +147,19 @@ client localhost {
        #
 #      require_message_authenticator = no
 
+       #
+       #  The global configuration "security.limit_proxy_state"
+       #  flag sets the default for all clients.  That default can be
+       #  over-ridden here, by setting it to "no".
+       #
+       #  This flag exists solely for legacy clients which do not send
+       #  Message-Authenticator in all Access-Request packets.  We do not
+       #  recommend setting it to "no".
+       #
+       #  allowed values: yes, no
+       #
+#      limit_proxy_state = yes
+
        #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.

diff --git a/src/include/clients.h b/src/include/clients.h
index 5fc26b67e6d033f093053fcf7812201002c844d5..738ab1e5739d79499a0c7c4cd25536810e284cbb 100644 (file)
--- a/src/include/clients.h
+++ b/src/include/clients.h
@@ -45,6 +45,8 @@ typedef struct radclient {
 
        bool                    require_ma;             //!< Require RADIUS message authenticator in requests.
 
+       bool                    limit_proxy_state;      //!< Limit Proxy-State in requests
+
        char const              *nas_type;              //!< Type of client (arbitrary).
 
        char const              *login;                 //!< Username to use for simultaneous use checks.

diff --git a/src/main/client.c b/src/main/client.c
index 2775a8bd4756ebf136b8ea6d96bb1552147020d7..34ff33109cfe712f41edd17ae6be53a4aa9130c4 100644 (file)
--- a/src/main/client.c
+++ b/src/main/client.c
@@ -328,7 +328,8 @@ check_list:
                    (old->coa_home_server == client->coa_home_server) &&
                    (old->coa_home_pool == client->coa_home_pool) &&
 #endif
-                   (old->require_ma == client->require_ma)) {
+                   (old->require_ma == client->require_ma) &&
+                   (old->limit_proxy_state == client->limit_proxy_state)) {
                        WARN("Ignoring duplicate client %s", client->longname);
                        client_free(client);
                        return true;
@@ -513,6 +514,7 @@ static const CONF_PARSER client_config[] = {
        { "src_ipaddr", FR_CONF_POINTER(PW_TYPE_STRING, &cl_srcipaddr), NULL },
 
        { "require_message_authenticator",  FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, require_ma), NULL },
+       { "limit_proxy_state",  FR_CONF_OFFSET(PW_TYPE_BOOLEAN | PW_TYPE_IGNORE_DEFAULT, RADCLIENT, limit_proxy_state), NULL },
 
        { "secret", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_SECRET, RADCLIENT, secret), NULL },
        { "shortname", FR_CONF_OFFSET(PW_TYPE_STRING, RADCLIENT, shortname), NULL },
@@ -907,11 +909,13 @@ RADCLIENT *client_afrom_cs(TALLOC_CTX *ctx, CONF_SECTION *cs, bool in_server, bo
        c->cs = cs;
 
        /*
-        *      Set the "require message authenticator" flag from the
-        *      global default.  If the configuration item exists, AND
-        *      is set, it will over-ride this flag.
+        *      Set the "require message authenticator" and "limit
+        *      proxy state" flags from the global default.  If the
+        *      configuration item exists, AND is set, it will
+        *      over-ride the flag.
         */
        c->require_ma = main_config.require_ma;
+       c->limit_proxy_state = main_config.limit_proxy_state;
 
        memset(&cl_ipaddr, 0, sizeof(cl_ipaddr));
        cl_netmask = 255;