From: Alan T. DeKok
Date: Tue, 7 Feb 2023 23:20:25 +0000 (-0500)
Subject: add "limit" configuration parsing and document it
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be0e8345d69e8dc6562237cec8d2a985496b7ffe;p=thirdparty%2Ffreeradius-server.git
add "limit" configuration parsing and document it
---
diff --git a/raddb/sites-available/tacacs b/raddb/sites-available/tacacs
index 965d9d2b9bb..b4aa3230285 100644
--- a/raddb/sites-available/tacacs
+++ b/raddb/sites-available/tacacs
@@ -199,6 +199,40 @@ server tacacs {
 #
 # src_ipaddr = ""
 }
+
+ #
+ # limit:: limits for this socket.
+ #
+ # The `limit` section contains configuration items
+ # which enforce various limits on the socket. These
+ # limits are usually transport-specific.
+ #
+ # Limits are used to prevent "run-away" problems.
+ #
+ limit {
+ #
+ # max_connections:: The maximum number of
+ # connected sockets which will be accepted
+ # for this listener.
+ #
+ # Each connection opens a new socket, so be
+ # aware of system file descriptor
+ # limitations.
+ #
+ # If the listeners do not use connected
+ # sockets (e.g. TCP), then this configuration
+ # item is ignored.
+ #
+ max_connections = 256
+
+ #
+ # idle_timeout:: Time after which idle
+ # connections are deleted.
+ #
+ # Useful range of values: 5 to 600
+ #
+ idle_timeout = 60.0
+ }
 }
 #
diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c
index 51c0306c94d..80ce2451f98 100644
--- a/src/listen/tacacs/proto_tacacs.c
+++ b/src/listen/tacacs/proto_tacacs.c
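Review bot: In the raddb/sites-available/tacacs hunk, the `max_connections` comment says the item is ignored when listeners "do not use connected sockets (e.g. TCP)", which names TCP as the unconnected case; TCP is connected, and TACACS+ runs over TCP, so this limit always applies to this listener. I would replace those three lines with `# TACACS+ listeners use connected (TCP) sockets, so this limit always applies.` The sample values also differ from the parser defaults added in proto_tacacs.c (`256` and `60.0` here, `"1024"` and `"30.0"` there), so an operator who removes the section gets a higher connection ceiling and a shorter idle timeout than this file suggests; a line such as `# Default when omitted: 1024` under each item would make that visible. The `idle_timeout` range "5 to 600" has no unit and should say which one is meant (presumably seconds).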
@@ -36,6 +36,20 @@ extern fr_app_t proto_tacacs;
 static int type_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, UNUSED CONF_PARSER const *rule);
 static int transport_parse(TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, CONF_PARSER const *rule);
+static CONF_PARSER const limit_config[] = {
+ { FR_CONF_OFFSET("idle_timeout", FR_TYPE_TIME_DELTA, proto_tacacs_t, io.idle_timeout), .dflt = "30.0" } ,
+
+ { FR_CONF_OFFSET("max_connections", FR_TYPE_UINT32, proto_tacacs_t, io.max_connections), .dflt = "1024" } ,
+
+ /*
+ * For performance tweaking. NOT for normal humans.
+ */
+ { FR_CONF_OFFSET("max_packet_size", FR_TYPE_UINT32, proto_tacacs_t, max_packet_size) } ,
+ { FR_CONF_OFFSET("num_messages", FR_TYPE_UINT32, proto_tacacs_t, num_messages) } ,
+
+ CONF_PARSER_TERMINATOR
+};
+
 static const CONF_PARSER priority_config[] = {
 { FR_CONF_OFFSET("Authentication-Start", FR_TYPE_VOID, proto_tacacs_t, priorities[FR_TAC_PLUS_AUTHEN]),
 .func = cf_table_parse_int, .uctx = &(cf_table_parse_ctx_t){ .table = channel_packet_priority, .len = &channel_packet_priority_len }, .dflt = "high" },
@@ -54,8 +68,9 @@ static const CONF_PARSER proto_tacacs_config[] = {
 .func = type_parse },
 { FR_CONF_OFFSET("transport", FR_TYPE_VOID, proto_tacacs_t, io.submodule),
 .func = transport_parse },
- { FR_CONF_POINTER("priority", FR_TYPE_SUBSECTION, NULL),
- .subcs = (void const *) priority_config },
+
+ { FR_CONF_POINTER("limit", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) limit_config },
+ { FR_CONF_POINTER("priority", FR_TYPE_SUBSECTION, NULL), .subcs = (void const *) priority_config },
 CONF_PARSER_TERMINATOR
 };
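Review bot: None of the four items in `limit_config` has a range check visible in this diff, and `max_packet_size` and `num_messages` also have no `.dflt`, so what an unset or zero value means cannot be read from the table. These settings cap sockets and buffer sizes on a network-facing listener, so `max_connections = 0`, `idle_timeout = 0` or an oversized `max_packet_size` should be rejected or clamped at startup rather than passed through; if the instantiate code outside this diff does not already do that, it is the place to add it. The `/* For performance tweaking. NOT for normal humans. */` comment should also state the value used when the two items are omitted and the range that is accepted.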
@@ -117,7 +132,7 @@ static int type_parse(UNUSED TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM
 /** Wrapper around dl_instance
 *
- * @param[in] ctx to allocate data in (instance of proto_radius).
+ * @param[in] ctx to allocate data in (instance of proto_tacacs).
 * @param[out] out Where to write a dl_module_inst_t containing the module handle and instance.
 * @param[in] parent Base structure address.
 * @param[in] ci #CONF_PAIR specifying the name of the type module.