/*
* Store logins in the RADIUS utmp file.
*/
static rlm_rcode_t mod_accounting(void *instance, REQUEST *request)
{
rlm_rcode_t rcode = RLM_MODULE_OK;
struct radutmp ut, u;
vp_cursor_t cursor;
VALUE_PAIR *vp;
int status = -1;
int protocol = -1;
time_t t;
int fd = -1;
int port_seen = 0;
int off;
rlm_radutmp_t *inst = instance;
char ip_name[32]; /* 255.255.255.255 */
char const *nas;
NAS_PORT *cache;
int r;
char *filename = NULL;
char *expanded = NULL;
if (request->packet->src_ipaddr.af != AF_INET) {
DEBUG("rlm_radutmp: IPv6 not supported!");
return RLM_MODULE_NOOP;
}
/*
* Which type is this.
*/
if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE, 0, TAG_ANY)) == NULL) {
RDEBUG("No Accounting-Status-Type record.");
return RLM_MODULE_NOOP;
}
status = vp->vp_integer;
/*
* Look for weird reboot packets.
*
* ComOS (up to and including 3.5.1b20) does not send
* standard PW_STATUS_ACCOUNTING_XXX messages.
*
* Check for: o no Acct-Session-Time, or time of 0
* o Acct-Session-Id of "00000000".
*
* We could also check for NAS-Port, that attribute
* should NOT be present (but we don't right now).
*/
if ((status != PW_STATUS_ACCOUNTING_ON) &&
(status != PW_STATUS_ACCOUNTING_OFF)) do {
int check1 = 0;
int check2 = 0;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME, 0, TAG_ANY))
== NULL || vp->vp_date == 0)
check1 = 1;
if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_ID, 0, TAG_ANY))
!= NULL && vp->length == 8 &&
memcmp(vp->vp_strvalue, "00000000", 8) == 0)
check2 = 1;
if (check1 == 0 || check2 == 0) {
break;
}
INFO("rlm_radutmp: converting reboot records.");
if (status == PW_STATUS_STOP)
status = PW_STATUS_ACCOUNTING_OFF;
if (status == PW_STATUS_START)
status = PW_STATUS_ACCOUNTING_ON;
} while(0);
time(&t);
memset(&ut, 0, sizeof(ut));
ut.porttype = 'A';
ut.nas_address = htonl(INADDR_NONE);
/*
* First, find the interesting attributes.
*/
for (vp = paircursor(&cursor, &request->packet->vps);
vp;
vp = pairnext(&cursor)) {
if (!vp->da->vendor) switch (vp->da->attr) {
case PW_LOGIN_IP_HOST:
case PW_FRAMED_IP_ADDRESS:
ut.framed_address = vp->vp_ipaddr;
break;
case PW_FRAMED_PROTOCOL:
protocol = vp->vp_integer;
break;
case PW_NAS_IP_ADDRESS:
ut.nas_address = vp->vp_ipaddr;
break;
case PW_NAS_PORT:
ut.nas_port = vp->vp_integer;
port_seen = 1;
break;
case PW_ACCT_DELAY_TIME:
ut.delay = vp->vp_integer;
break;
case PW_ACCT_SESSION_ID:
/*
* If length > 8, only store the
* last 8 bytes.
*/
off = vp->length - sizeof(ut.session_id);
/*
* Ascend is br0ken - it adds a \0
* to the end of any string.
* Compensate.
*/
if (vp->length > 0 &&
vp->vp_strvalue[vp->length - 1] == 0)
off--;
if (off < 0) off = 0;
memcpy(ut.session_id, vp->vp_strvalue + off,
sizeof(ut.session_id));
break;
case PW_NAS_PORT_TYPE:
if (vp->vp_integer <= 4)
ut.porttype = porttypes[vp->vp_integer];
break;
case PW_CALLING_STATION_ID:
if(inst->caller_id_ok)
strlcpy(ut.caller_id,
vp->vp_strvalue,
sizeof(ut.caller_id));
break;
}
}
/*
* If we didn't find out the NAS address, use the
* originator's IP address.
*/
if (ut.nas_address == htonl(INADDR_NONE)) {
ut.nas_address = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
nas = request->client->shortname;
} else if (request->packet->src_ipaddr.ipaddr.ip4addr.s_addr == ut.nas_address) { /* might be a client, might not be. */
nas = request->client->shortname;
} else {
/*
* The NAS isn't a client, it's behind
* a proxy server. In that case, just
* get the IP address.
*/
nas = ip_ntoa(ip_name, ut.nas_address);
}
/*
* Set the protocol field.
*/
if (protocol == PW_PPP) {
ut.proto = 'P';
} else if (protocol == PW_SLIP) {
ut.proto = 'S';
} else {
ut.proto = 'T';
}
ut.time = t - ut.delay;
/*
* Get the utmp filename, via xlat.
*/
filename = NULL;
if (radius_axlat(&filename, request, inst->filename, NULL, NULL) < 0) {
return RLM_MODULE_FAIL;
}
/*
* See if this was a reboot.
*
* Hmm... we may not want to zap all of the users when the NAS comes up, because of issues with receiving
* UDP packets out of order.
*/
if (status == PW_STATUS_ACCOUNTING_ON && (ut.nas_address != htonl(INADDR_NONE))) {
RIDEBUG("NAS %s restarted (Accounting-On packet seen)", nas);
rcode = radutmp_zap(request, filename, ut.nas_address, ut.time);
goto finish;
}
if (status == PW_STATUS_ACCOUNTING_OFF && (ut.nas_address != htonl(INADDR_NONE))) {
RIDEBUG("NAS %s rebooted (Accounting-Off packet seen)", nas);
rcode = radutmp_zap(request, filename, ut.nas_address, ut.time);
goto finish;
}
/*
* If we don't know this type of entry pretend we succeeded.
*/
if (status != PW_STATUS_START && status != PW_STATUS_STOP && status != PW_STATUS_ALIVE) {
REDEBUG("NAS %s port %u unknown packet type %d)", nas, ut.nas_port, status);
rcode = RLM_MODULE_NOOP;
goto finish;
}
/*
* Translate the User-Name attribute, or whatever else they told us to use.
*/
if (radius_axlat(&expanded, request, inst->username, NULL, NULL) < 0) {
rcode = RLM_MODULE_FAIL;
goto finish;
}
strlcpy(ut.login, expanded, RUT_NAMESIZE);
TALLOC_FREE(expanded);
/*
* Perhaps we don't want to store this record into
* radutmp. We skip records:
*
* - without a NAS-Port (telnet / tcp access)
* - with the username "!root" (console admin login)
*/
if (!port_seen) {
RWDEBUG2("No NAS-Port seen. Cannot do anything. Checkrad will probably not work!");
rcode = RLM_MODULE_NOOP;
goto finish;
}
if (strncmp(ut.login, "!root", RUT_NAMESIZE) == 0) {
RDEBUG2("Not recording administrative user");
rcode = RLM_MODULE_NOOP;
goto finish;
}
/*
* Enter into the radutmp file.
*/
fd = open(filename, O_RDWR|O_CREAT, inst->permission);
if (fd < 0) {
REDEBUG("Error accessing file %s: %s", filename, strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
/*
* Lock the utmp file, prefer lockf() over flock().
*/
rad_lockfd(fd, LOCK_LEN);
/*
* Find the entry for this NAS / portno combination.
*/
if ((cache = nas_port_find(inst->nas_port_list, ut.nas_address, ut.nas_port)) != NULL) {
lseek(fd, (off_t)cache->offset, SEEK_SET);
}
r = 0;
off = 0;
while (read(fd, &u, sizeof(u)) == sizeof(u)) {
off += sizeof(u);
if ((u.nas_address != ut.nas_address) || (u.nas_port != ut.nas_port)) {
continue;
}
/*
* Don't compare stop records to unused entries.
*/
if (status == PW_STATUS_STOP && u.type == P_IDLE) {
continue;
}
if ((status == PW_STATUS_STOP) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) != 0) {
/*
* Don't complain if this is not a
* login record (some clients can
* send _only_ logout records).
*/
if (u.type == P_LOGIN) {
RWDEBUG("Logout entry for NAS %s port %u has wrong ID", nas, u.nas_port);
}
r = -1;
break;
}
if ((status == PW_STATUS_START) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 &&
u.time >= ut.time) {
if (u.type == P_LOGIN) {
INFO("rlm_radutmp: Login entry for NAS %s port %u duplicate",
nas, u.nas_port);
r = -1;
break;
}
RWDEBUG("Login entry for NAS %s port %u wrong order", nas, u.nas_port);
r = -1;
break;
}
/*
* FIXME: the ALIVE record could need some more checking, but anyway I'd
* rather rewrite this mess -- miquels.
*/
if ((status == PW_STATUS_ALIVE) && strncmp(ut.session_id, u.session_id, sizeof(u.session_id)) == 0 &&
u.type == P_LOGIN) {
/*
* Keep the original login time.
*/
ut.time = u.time;
}
if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) {
RWDEBUG("negative lseek!");
lseek(fd, (off_t)0, SEEK_SET);
off = 0;
} else {
off -= sizeof(u);
}
r = 1;
break;
} /* read the file until we find a match */
/*
* Found the entry, do start/update it with
* the information from the packet.
*/
if ((r >= 0) && (status == PW_STATUS_START || status == PW_STATUS_ALIVE)) {
/*
* Remember where the entry was, because it's
* easier than searching through the entire file.
*/
if (!cache) {
cache = talloc_zero(inst, NAS_PORT);
if (cache) {
cache->nasaddr = ut.nas_address;
cache->port = ut.nas_port;
cache->offset = off;
cache->next = inst->nas_port_list;
inst->nas_port_list = cache;
}
}
ut.type = P_LOGIN;
if (write(fd, &ut, sizeof(u)) < 0) {
REDEBUG("Failed writing: %s", strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
}
/*
* The user has logged off, delete the entry by
* re-writing it in place.
*/
if (status == PW_STATUS_STOP) {
if (r > 0) {
u.type = P_IDLE;
u.time = ut.time;
u.delay = ut.delay;
if (write(fd, &u, sizeof(u)) < 0) {
REDEBUG("Failed writing: %s", strerror(errno));
rcode = RLM_MODULE_FAIL;
goto finish;
}
} else if (r == 0) {
RWDEBUG("Logout for NAS %s port %u, but no Login record", nas, ut.nas_port);
}
}
finish:
talloc_free(filename);
if (fd > -1) {
close(fd); /* and implicitely release the locks */
}
return rcode;
}
/** Print out attribute info
*
* Prints out all instances of a current attribute, or all attributes in a list.
*
* At higher debugging levels, also prints out alternative decodings of the same
* value. This is helpful to determine types for unknown attributes of long
* passed vendors, or just crazy/broken NAS.
*
* It's also useful for exposing issues in the packet decoding functions, as in
* some cases they get fed random garbage data.
*
* This expands to a zero length string.
*/
static ssize_t xlat_debug_attr(UNUSED void *instance, REQUEST *request, char const *fmt,
char *out, UNUSED size_t outlen)
{
VALUE_PAIR *vp, **vps;
REQUEST *current;
value_pair_tmpl_t vpt;
vp_cursor_t cursor;
char buffer[1024];
if (!RDEBUG_ENABLED2) {
*out = '\0';
return -1;
}
while (isspace((int) *fmt)) fmt++;
if (*fmt == '&') fmt++;
if (radius_parse_attr(fmt, &vpt, REQUEST_CURRENT, PAIR_LIST_REQUEST) < 0) {
return -1;
}
current = request;
if (radius_request(¤t, vpt.request) < 0) return -2;
vps = radius_list(current, vpt.list);
if (!vps) {
return -2;
}
RIDEBUG("Attributes matching \"%s\"", fmt);
vp = fr_cursor_init(&cursor, vps);
if (vpt.da) {
vp = fr_cursor_next_by_num(&cursor, vpt.da->attr, vpt.da->vendor, TAG_ANY);
}
while (vp) {
DICT_ATTR *dac = NULL;
DICT_VENDOR *dv;
VALUE_PAIR *vpc = NULL;
FR_NAME_NUMBER const *type;
vp_prints_value(buffer, sizeof(buffer), vp, '\'');
if (vp->da->flags.has_tag) {
RIDEBUG2("\t%s:%s:%i %s %s",
fr_int2str(pair_lists, vpt.list, "<INVALID>"),
vp->da->name,
vp->tag,
fr_int2str(fr_tokens, vp->op, "<INVALID>"),
buffer);
} else {
RIDEBUG2("\t%s:%s %s %s",
fr_int2str(pair_lists, vpt.list, "<INVALID>"),
vp->da->name,
fr_int2str(fr_tokens, vp->op, "<INVALID>"),
buffer);
}
if (!RDEBUG_ENABLED3) {
goto next_vp;
}
if (vp->da->vendor) {
dv = dict_vendorbyvalue(vp->da->vendor);
RDEBUG3("\t\tvendor : %i (%s)", vp->da->vendor, dv ? dv->name : "unknown");
}
RDEBUG3("\t\ttype : %s", fr_int2str(dict_attr_types, vp->da->type, "<INVALID>"));
RDEBUG3("\t\tlength : %zu", vp->length);
dac = talloc_memdup(request, vp->da, sizeof(DICT_ATTR));
if (!dac) {
return -1;
}
dac->flags.vp_free = 0;
if (!RDEBUG_ENABLED4) {
goto next_vp;
}
type = dict_attr_types;
while (type->name) {
int pad;
ssize_t len;
uint8_t const *data = NULL;
vpc = NULL;
if ((PW_TYPE) type->number == vp->da->type) {
goto next_type;
}
switch (type->number) {
case PW_TYPE_INVALID: /* Not real type */
case PW_TYPE_MAX: /* Not real type */
case PW_TYPE_EXTENDED: /* Not safe/appropriate */
case PW_TYPE_LONG_EXTENDED: /* Not safe/appropriate */
case PW_TYPE_TLV: /* Not safe/appropriate */
case PW_TYPE_VSA: /* @fixme We need special behaviour for these */
goto next_type;
default:
break;
}
dac->type = type->number;
len = rad_vp2data(&data, vp);
if (len < 0) {
goto next_type;
}
if (data2vp(NULL, NULL, NULL, dac, data, len, len, &vpc) < 0) {
goto next_type;
}
/*
* data2vp has knowledge of expected format lengths, if the length
* from rad_vp2data doesn't match, it encodes the attribute
* as raw octets. This results in many useless debug lines with
* the same hex string.
*/
if ((type->number != PW_TYPE_OCTETS) && (vpc->da->type == PW_TYPE_OCTETS)) {
goto next_type;
}
if (!vp_prints_value(buffer, sizeof(buffer), vpc, '\'')) {
goto next_type;
}
if ((pad = (11 - strlen(type->name))) < 0) {
pad = 0;
}
/*
* @fixme: if the value happens to decode as a VSA
* (someone put a VSA into a VSA?), we probably to print
* extended info for that/reparse
*/
RDEBUG4("\t\tas %s%*s: %s", type->name, pad, " ", buffer);
next_type:
talloc_free(vpc);
type++;
}
next_vp:
talloc_free(dac);
if (vpt.da) {
vp = fr_cursor_next_by_num(&cursor, vpt.da->attr, vpt.da->vendor, TAG_ANY);
} else {
vp = fr_cursor_next(&cursor);
}
}
*out = '\0';
return 0;
}
/*
* Preprocess a request before accounting
*/
static rlm_rcode_t CC_HINT(nonnull) mod_preaccounting(void *instance, REQUEST *request)
{
int r;
VALUE_PAIR *vp;
rlm_preprocess_t *inst = instance;
/*
* Ensure that we have the SAME user name for both
* authentication && accounting.
*/
rad_mangle(inst, request);
if (inst->with_cisco_vsa_hack) {
/*
* We need to run this hack because the h323-conf-id
* attribute should be used.
*/
cisco_vsa_hack(request);
}
if (inst->with_alvarion_vsa_hack) {
/*
* We need to run this hack because the Alvarion
* people are crazy.
*/
alvarion_vsa_hack(request->packet->vps);
}
if (inst->with_cablelabs_vsa_hack) {
/*
* We need to run this hack because the Cablelabs
* people are crazy.
*/
cablelabs_vsa_hack(&request->packet->vps);
}
/*
* Ensure that we log the NAS IP Address in the packet.
*/
if (add_nas_attr(request) < 0) {
return RLM_MODULE_FAIL;
}
hints_setup(inst->hints, request);
/*
* Add an event timestamp. This means that the rest of
* the server can use it, rather than various error-prone
* manual calculations.
*/
vp = pairfind(request->packet->vps, PW_EVENT_TIMESTAMP, 0, TAG_ANY);
if (!vp) {
VALUE_PAIR *delay;
vp = radius_paircreate(request->packet, &request->packet->vps, PW_EVENT_TIMESTAMP, 0);
vp->vp_date = request->packet->timestamp.tv_sec;
delay = pairfind(request->packet->vps, PW_ACCT_DELAY_TIME, 0, TAG_ANY);
if (delay) {
vp->vp_date -= delay->vp_integer;
}
}
if ((r = huntgroup_access(request, inst->huntgroups)) != RLM_MODULE_OK) {
char buf[1024];
RIDEBUG("No huntgroup access: [%s] (%s)",
request->username ? request->username->vp_strvalue : "<NO User-Name>",
auth_name(buf, sizeof(buf), request, 1));
return r;
}
return r;
}
/*
* Preprocess a request.
*/
static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void *instance, REQUEST *request)
{
int r;
rlm_preprocess_t *inst = instance;
/*
* Mangle the username, to get rid of stupid implementation
* bugs.
*/
rad_mangle(inst, request);
if (inst->with_ascend_hack) {
/*
* If we're using Ascend systems, hack the NAS-Port-Id
* in place, to go from Ascend's weird values to something
* approaching rationality.
*/
ascend_nasport_hack(pairfind(request->packet->vps, PW_NAS_PORT, 0, TAG_ANY),
inst->ascend_channels_per_line);
}
if (inst->with_cisco_vsa_hack) {
/*
* We need to run this hack because the h323-conf-id
* attribute should be used.
*/
cisco_vsa_hack(request);
}
if (inst->with_alvarion_vsa_hack) {
/*
* We need to run this hack because the Alvarion
* people are crazy.
*/
alvarion_vsa_hack(request->packet->vps);
}
if (inst->with_cablelabs_vsa_hack) {
/*
* We need to run this hack because the Cablelabs
* people are crazy.
*/
cablelabs_vsa_hack(&request->packet->vps);
}
/*
* Note that we add the Request-Src-IP-Address to the request
* structure BEFORE checking huntgroup access. This allows
* the Request-Src-IP-Address to be used for huntgroup
* comparisons.
*/
if (add_nas_attr(request) < 0) {
return RLM_MODULE_FAIL;
}
hints_setup(inst->hints, request);
/*
* If there is a PW_CHAP_PASSWORD attribute but there
* is PW_CHAP_CHALLENGE we need to add it so that other
* modules can use it as a normal attribute.
*/
if (pairfind(request->packet->vps, PW_CHAP_PASSWORD, 0, TAG_ANY) &&
pairfind(request->packet->vps, PW_CHAP_CHALLENGE, 0, TAG_ANY) == NULL) {
VALUE_PAIR *vp;
vp = radius_paircreate(request->packet, &request->packet->vps, PW_CHAP_CHALLENGE, 0);
pairmemcpy(vp, request->packet->vector, AUTH_VECTOR_LEN);
}
if ((r = huntgroup_access(request, inst->huntgroups)) != RLM_MODULE_OK) {
char buf[1024];
RIDEBUG("No huntgroup access: [%s] (%s)",
request->username ? request->username->vp_strvalue : "<NO User-Name>",
auth_name(buf, sizeof(buf), request, 1));
return r;
}
return RLM_MODULE_OK; /* Meaning: try next authorization module */
}
static void rs_packet_process(uint64_t count, rs_event_t *event, struct pcap_pkthdr const *header, uint8_t const *data)
{
rs_stats_t *stats = event->stats;
struct timeval elapsed;
struct timeval latency;
/*
* Pointers into the packet data we just received
*/
size_t len;
uint8_t const *p = data;
struct ip_header const *ip = NULL; /* The IP header */
struct ip_header6 const *ip6 = NULL; /* The IPv6 header */
struct udp_header const *udp; /* The UDP header */
uint8_t version; /* IP header version */
bool response; /* Was it a response code */
decode_fail_t reason; /* Why we failed decoding the packet */
static uint64_t captured = 0;
RADIUS_PACKET *current; /* Current packet were processing */
rs_request_t *original;
if (!start_pcap.tv_sec) {
start_pcap = header->ts;
}
if (header->caplen <= 5) {
INFO("Packet too small, captured %i bytes", header->caplen);
return;
}
/*
* Loopback header
*/
if ((p[0] == 2) && (p[1] == 0) && (p[2] == 0) && (p[3] == 0)) {
p += 4;
/*
* Ethernet header
*/
} else {
p += sizeof(struct ethernet_header);
}
version = (p[0] & 0xf0) >> 4;
switch (version) {
case 4:
ip = (struct ip_header const *)p;
len = (0x0f & ip->ip_vhl) * 4; /* ip_hl specifies length in 32bit words */
p += len;
break;
case 6:
ip6 = (struct ip_header6 const *)p;
p += sizeof(struct ip_header6);
break;
default:
DEBUG("IP version invalid %i", version);
return;
}
/*
* End of variable length bits, do basic check now to see if packet looks long enough
*/
len = (p - data) + sizeof(struct udp_header) + (sizeof(radius_packet_t) - 1); /* length value */
if (len > header->caplen) {
DEBUG("Packet too small, we require at least %zu bytes, captured %i bytes",
(size_t) len, header->caplen);
return;
}
udp = (struct udp_header const *)p;
p += sizeof(struct udp_header);
/*
* With artificial talloc memory limits there's a good chance we can
* recover once some requests timeout, so make an effort to deal
* with allocation failures gracefully.
*/
current = rad_alloc(conf, 0);
if (!current) {
ERROR("Failed allocating memory to hold decoded packet");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
return;
}
current->timestamp = header->ts;
current->data_len = header->caplen - (p - data);
memcpy(¤t->data, &p, sizeof(current->data));
/*
* Populate IP/UDP fields from PCAP data
*/
if (ip) {
current->src_ipaddr.af = AF_INET;
current->src_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_src.s_addr;
current->dst_ipaddr.af = AF_INET;
current->dst_ipaddr.ipaddr.ip4addr.s_addr = ip->ip_dst.s_addr;
} else {
current->src_ipaddr.af = AF_INET6;
memcpy(¤t->src_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_src.s6_addr,
sizeof(current->src_ipaddr.ipaddr.ip6addr.s6_addr));
current->dst_ipaddr.af = AF_INET6;
memcpy(¤t->dst_ipaddr.ipaddr.ip6addr.s6_addr, &ip6->ip_dst.s6_addr,
sizeof(current->dst_ipaddr.ipaddr.ip6addr.s6_addr));
}
current->src_port = ntohs(udp->udp_sport);
current->dst_port = ntohs(udp->udp_dport);
if (!rad_packet_ok(current, 0, &reason)) {
RIDEBUG("(%" PRIu64 ") ** %s **", count, fr_strerror());
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d -> %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
rad_free(¤t);
return;
}
switch (current->code) {
case PW_CODE_ACCOUNTING_RESPONSE:
case PW_CODE_AUTHENTICATION_REJECT:
case PW_CODE_AUTHENTICATION_ACK:
case PW_CODE_COA_NAK:
case PW_CODE_COA_ACK:
case PW_CODE_DISCONNECT_NAK:
case PW_CODE_DISCONNECT_ACK:
case PW_CODE_STATUS_CLIENT:
{
rs_request_t search;
struct timeval when;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
/* look for a matching request and use it for decoding */
search.packet = current;
original = rbtree_finddata(request_tree, &search);
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, original ? original->packet : NULL,
conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Check if we've managed to link it to a request
*/
if (original) {
/*
* Is this a retransmit?
*/
if (!original->linked) {
original->stats_rsp = &stats->exchange[current->code];
} else {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_rsp++;
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
}
original->linked = talloc_steal(original, current);
/*
* Some RADIUS servers and proxy servers may not cache
* Accounting-Responses (and possibly other code),
* and may immediately re-use a RADIUS packet src
* port/id combination on receipt of a response.
*/
if (conf->dequeue[current->code]) {
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
} else {
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when,
&original->event)) {
ERROR("Failed inserting new event");
/*
* Delete the original request/event, it's no longer valid
* for statistics.
*/
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
return;
}
}
/*
* No request seen, or request was dropped by attribute filter
*/
} else {
/*
* If filter_vps are set assume the original request was dropped,
* the alternative is maintaining another 'filter', but that adds
* complexity, reduces max capture rate, and is generally a PITA.
*/
if (filter_vps) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
RDEBUG("(%" PRIu64 ") ** UNLINKED **", count);
stats->exchange[current->code].interval.unlinked_total++;
}
response = true;
}
break;
case PW_CODE_ACCOUNTING_REQUEST:
case PW_CODE_AUTHENTICATION_REQUEST:
case PW_CODE_COA_REQUEST:
case PW_CODE_DISCONNECT_REQUEST:
case PW_CODE_STATUS_SERVER:
{
rs_request_t search;
struct timeval when;
/*
* Only decode attributes if we want to print them or filter on them
* rad_packet_ok does checks to verify the packet is actually valid.
*/
if (filter_vps || conf->print_packet) {
if (rad_decode(current, NULL, conf->radius_secret) != 0) {
rad_free(¤t);
fr_perror("decode");
return;
}
}
/*
* Now verify the packet passes the attribute filter
*/
if (filter_vps && !pairvalidate_relaxed(filter_vps, current->vps)) {
rad_free(¤t);
RDEBUG2("(%" PRIu64 ") Dropped by attribute filter", count);
return;
}
/*
* save the request for later matching
*/
search.packet = rad_alloc_reply(conf, current);
if (!search.packet) {
ERROR("Failed allocating memory to hold expected reply");
rs_tv_add_ms(&header->ts, conf->stats.timeout, &stats->quiet);
rad_free(¤t);
return;
}
search.packet->code = current->code;
rs_tv_add_ms(&header->ts, conf->stats.timeout, &when);
original = rbtree_finddata(request_tree, &search);
/*
* Upstream device re-used src/dst ip/port id without waiting
* for the timeout period to expire, or a response.
*/
if (original && memcmp(original->packet->vector, current->vector,
sizeof(original->packet->vector) != 0)) {
RDEBUG2("(%" PRIu64 ") ** PREMATURE ID RE-USE **", count);
stats->exchange[current->code].interval.reused_total++;
original->forced_cleanup = true;
fr_event_delete(event->list, &original->event);
rbtree_deletebydata(request_tree, original);
original = NULL;
}
if (original) {
RDEBUG("(%" PRIu64 ") ** RETRANSMISSION **", count);
original->rt_req++;
rad_free(&original->packet);
original->packet = talloc_steal(original, search.packet);
/* We may of seen the response, but it may of been lost upstream */
rad_free(&original->linked);
fr_event_delete(event->list, &original->event);
} else {
original = talloc_zero(conf, rs_request_t);
talloc_set_destructor(original, _request_free);
original->id = count;
original->in = event->in;
original->stats_req = &stats->exchange[current->code];
original->packet = talloc_steal(original, search.packet);
rbtree_insert(request_tree, original);
}
/* update the timestamp in either case */
original->packet->timestamp = header->ts;
if (!fr_event_insert(event->list, rs_packet_cleanup, original, &when, &original->event)) {
ERROR("Failed inserting new event");
rbtree_deletebydata(request_tree, original);
return;
}
response = false;
}
break;
default:
RDEBUG("** Unsupported code %i **", current->code);
rad_free(¤t);
return;
}
if (event->out) {
pcap_dump((void *) (event->out->dumper), header, data);
}
rs_tv_sub(&header->ts, &start_pcap, &elapsed);
/*
* Increase received count
*/
stats->exchange[current->code].interval.received_total++;
/*
* It's a linked response
*/
if (original && original->linked) {
rs_tv_sub(¤t->timestamp, &original->packet->timestamp, &latency);
/*
* Update stats for both the request and response types.
*
* This isn't useful for things like Access-Requests, but will be useful for
* CoA and Disconnect Messages, as we get the average latency across both
* response types.
*
* It also justifies allocating 255 instances rs_latency_t.
*/
rs_stats_update_latency(&stats->exchange[current->code], &latency);
rs_stats_update_latency(&stats->exchange[original->packet->code], &latency);
/*
* Print info about the request/response.
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000),
(unsigned int) latency.tv_sec, ((unsigned int) latency.tv_usec / 1000));
/*
* It's the original request
*/
} else {
/*
* Print info about the request
*/
RIDEBUG("(%" PRIu64 ") %s Id %i %s:%s:%d %s %s:%d\t+%u.%03u", count,
fr_packet_codes[current->code], current->id,
event->in->name,
fr_inet_ntop(current->src_ipaddr.af, ¤t->src_ipaddr.ipaddr), current->src_port,
response ? "<-" : "->",
fr_inet_ntop(current->dst_ipaddr.af, ¤t->dst_ipaddr.ipaddr), current->dst_port,
(unsigned int) elapsed.tv_sec, ((unsigned int) elapsed.tv_usec / 1000));
}
if (conf->print_packet && (fr_debug_flag > 1) && current->vps) {
pairsort(¤t->vps, true);
vp_printlist(log_dst, current->vps);
pairfree(¤t->vps);
}
if (!conf->to_stdout && (fr_debug_flag > 4)) {
rad_print_hex(current);
}
fflush(log_dst);
/*
* If it's a request, a duplicate of the packet will of already been stored.
* If it's a unlinked response, we need to free it explicitly, as it will
* not be done by the event queue.
*/
if (!response || !original) {
rad_free(¤t);
}
captured++;
/*
* We've hit our capture limit, break out of the event loop
*/
if ((conf->limit > 0) && (captured >= conf->limit)) {
INFO("Captured %" PRIu64 " packets, exiting...", captured);
fr_event_loop_exit(events, 1);
}
}
static void rs_packet_cleanup(void *ctx)
{
rs_request_t *request = talloc_get_type_abort(ctx, rs_request_t);
RADIUS_PACKET *packet = request->packet;
assert(request->stats_req);
assert(!request->rt_rsp || request->stats_rsp);
assert(packet);
/*
* Don't pollute stats or print spurious messages as radsniff closes.
*/
if (cleanup) {
goto skip;
}
/*
* Were at packet cleanup time which is when the packet was received + timeout
* and it's not been linked with a forwarded packet or a response.
*
* We now count it as lost.
*/
if (!request->linked && !request->forced_cleanup) {
request->stats_req->interval.lost_total++;
RDEBUG("(%i) ** LOST **", request->id);
RIDEBUG("(%i) %s Id %i %s:%s:%d -> %s:%d", request->id,
fr_packet_codes[packet->code], packet->id,
request->in->name,
fr_inet_ntop(packet->dst_ipaddr.af, &packet->dst_ipaddr.ipaddr), packet->dst_port,
fr_inet_ntop(packet->src_ipaddr.af, &packet->src_ipaddr.ipaddr), packet->src_port);
}
/*
* Now the request is done, we can update the retransmission stats
*/
if (request->rt_req > RS_RETRANSMIT_MAX) {
request->stats_req->interval.rt_total[RS_RETRANSMIT_MAX]++;
} else {
request->stats_req->interval.rt_total[request->rt_req]++;
}
if (request->rt_rsp) {
if (request->rt_rsp > RS_RETRANSMIT_MAX) {
request->stats_rsp->interval.rt_total[RS_RETRANSMIT_MAX]++;
} else {
request->stats_rsp->interval.rt_total[request->rt_rsp]++;
}
}
skip:
/*
* If were attempting to cleanup the request, and it's no longer in the request_tree
* something has gone very badly wrong.
*/
assert(rbtree_deletebydata(request_tree, request));
if (fr_event_list_num_elements(events) == 0) {
fr_event_loop_exit(events, 1);
}
}
