From: Arran Cudbard-Bell Date: Mon, 27 Feb 2023 02:18:50 +0000 (-0600) Subject: Revert "radius: Increase radius Access-Request timeouts significantly" X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c9e53627c3b827e5ae9bc42600bed0a71d6d1cc;p=thirdparty%2Ffreeradius-server.git Revert "radius: Increase radius Access-Request timeouts significantly" This reverts commit 0f9808905ff8652102f6c50093fbc6ae7f5c5d2a. --- diff --git a/raddb/mods-available/radius b/raddb/mods-available/radius index 72a6b982cf3..3215ac13ea5 100644 --- a/raddb/mods-available/radius +++ b/raddb/mods-available/radius @@ -425,14 +425,14 @@ radius { # initial_rtx_time:: If there is no response within this time, # the module will retransmit the packet. # - # Value should be `1..120`. + # Value should be `1..5`. # initial_rtx_time = 2 # # max_rtx_time:: The maximum time between retransmissions. # - # Value should be `5..120` + # Value should be `5..30` # max_rtx_time = 16 @@ -449,7 +449,7 @@ radius { # max_rtx_count:: How many times the module will send the packet # before giving up. # - # Value should be `1..10` _(0 == retransmit forever)_ + # Value should be `1..20` _(0 == retransmit forever)_ # max_rtx_count = 2 @@ -457,9 +457,9 @@ radius { # max_rtx_duration:: The total length of time the module will # try to retransmit the packet. # - # Value should be `5..240` + # Value should be `5..60` # - max_rtx_duration = 5 + max_rtx_duration = 30 } # 
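Review bot: The ranges documented in these comments do not match the limits the same commit enforces in mod_bootstrap (rlm_radius.c). The first hunk documents initial_rtx_time as `1..5` while the check is `<=, fr_time_delta_from_sec(3)`, the @@ -449 hunk documents max_rtx_count as `1..20` while the check is `<=, 10`, and the @@ -457 hunk documents max_rtx_duration as `5..60` while the check is `<=, fr_time_delta_from_sec(30)`. This assumes the edited section is Access-Request, which the hunk context (`radius {`) does not show. If the bound checks adjust the value rather than reject it (not visible here), an operator who follows the comment gets a shorter retry window than configured, so I would change the documented ranges to `1..3`, `1..10` and `5..30`. The `_(0 == retransmit forever)_` remark also contradicts the `>=, 1` check on max_rtx_count and should be dropped or reworded.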
@@ -471,35 +471,9 @@ radius { # max_rtx_count = 0 # Accounting-Request { - # - # initial_rtx_time:: If there is no response within this time, - # the module will retransmit the packet. - # - # Value should be `1..3`. - # initial_rtx_time = 2 - - # - # max_rtx_time:: The maximum time between retransmissions. - # - # Value should be `5..30` - # max_rtx_time = 16 - - # - # max_rtx_count:: How many times the module will send the packet - # before giving up. - # - # Value should be `1..10` _(0 == retransmit forever)_ - # max_rtx_count = 5 - - # - # max_rtx_duration:: The total length of time the module will - # try to retransmit the packet. - # - # Value should be `5..30` - # max_rtx_duration = 30 } diff --git a/src/modules/rlm_radius/rlm_radius.c b/src/modules/rlm_radius/rlm_radius.c index 10731db7529..4239b94bcee 100644 --- a/src/modules/rlm_radius/rlm_radius.c +++ b/src/modules/rlm_radius/rlm_radius.c 
@@ -546,21 +546,10 @@ static int mod_bootstrap(module_inst_ctx_t const *mctx) FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, >=, 1); FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, >=, fr_time_delta_from_sec(5)); - /* - * initial and max rtx times are significantly - * higher for authentication packets, because - * in some cases we're proxying to another RADIUS - * which is performing MFA on our behalf and waiting - * for user input. - * - * We can afford to wait this long because the - * module is fully async, and the requests will - * sleep until they're work up. - */ - FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(120)); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(120)); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.initial_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].irt, <=, fr_time_delta_from_sec(3)); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_time", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrt, <=, fr_time_delta_from_sec(30)); FR_INTEGER_BOUND_CHECK("Access-Request.max_rtx_count", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrc, <=, 10); - FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(240)); + FR_TIME_DELTA_BOUND_CHECK("Access-Request.max_rtx_duration", inst->retry[FR_RADIUS_CODE_ACCESS_REQUEST].mrd, <=, fr_time_delta_from_sec(30)); } /*
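Review bot: The three tightened upper bounds in mod_bootstrap (`irt` at 3 s, `mrt` at 30 s, `mrd` at 30 s) are left without a comment. The block they replace explained why Access-Request had been allowed up to 120/240 seconds: a home server performing MFA may hold the request while it waits for user input. With the cap back at 30 seconds that case presumably ends in a retry timeout, and a configuration written against the reverted ranges will now be out of bounds at startup. I would add a short comment above the checks, for example `/* Caps apply to proxied Access-Requests too; a home server waiting on MFA user input for longer than max_rtx_duration will exceed them. */`, extended with the actual reason for the revert. mod_bootstrap starts outside the hunk, so the lower-bound checks for `irt` and `mrt` are not visible here.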