Diffstat (limited to 'src/main/mainconfig.c')
-rw-r--r--src/main/mainconfig.c104
1 files changed, 104 insertions, 0 deletions
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 227ae4a..2b2dda8 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -73,6 +73,8 @@ static char const *gid_name = NULL;
static char const *chroot_dir = NULL;
static bool allow_core_dumps = false;
static char const *radlog_dest = NULL;
+static char const *require_message_authenticator = NULL;
+static char const *limit_proxy_state = NULL;
/*
* These are not used anywhere else..
@@ -87,6 +89,56 @@ static bool do_colourise = false;
static char const *radius_dir = NULL; //!< Path to raddb directory
+#ifndef HAVE_KQUEUE
+static uint32_t max_fds = 0;
+#endif
+
+static const FR_NAME_NUMBER fr_bool_auto_names[] = {
+ { "false", FR_BOOL_FALSE },
+ { "no", FR_BOOL_FALSE },
+ { "0", FR_BOOL_FALSE },
+
+ { "true", FR_BOOL_TRUE },
+ { "yes", FR_BOOL_TRUE },
+ { "1", FR_BOOL_TRUE },
+
+ { "auto", FR_BOOL_AUTO },
+
+ { NULL, 0 }
+};
+
+/*
+ * Get decent values for false / true / auto
+ */
+int fr_bool_auto_parse(CONF_PAIR *cp, fr_bool_auto_t *out, char const *str)
+{
+ int value;
+
+ /*
+ * Don't change anything.
+ */
+ if (!str) return 0;
+
+ value = fr_str2int(fr_bool_auto_names, str, -1);
+ if (value >= 0) {
+ *out = value;
+ return 0;
+ }
+
+ /*
+ * This should never happen, as the defaults are in the
+ * source code. If there's no CONF_PAIR, and there's a
+ * parse error, then the source code is wrong.
+ */
+ if (!cp) {
+ fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name);
+ return -1;
+ }
+
+ cf_log_err(cf_pair_to_item(cp), "Invalid value for \"%s\"", cf_pair_attr(cp));
+ return -1;
+}
+
/**********************************************************************
*
* We need to figure out where the logs go, before doing anything
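Review bot: The fallback error in fr_bool_auto_parse, `fprintf(stderr, "%s: Error - Invalid value in configuration", main_config.name);`, has no trailing newline and does not say which value was rejected, so a bad built-in default for one of the security options is hard to trace from the output. `str` is known to be non-NULL at that point, so the line could read `fprintf(stderr, "%s: Error - Invalid value \"%s\" in configuration\n", main_config.name, str);`. The header comment should also state the contract visible in the body: it returns 0 and leaves `*out` untouched when `str` is NULL, returns 0 with `*out` set for a recognised name, and returns -1 after logging otherwise.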
@@ -160,6 +212,8 @@ static const CONF_PARSER security_config[] = {
{ "max_attributes", FR_CONF_POINTER(PW_TYPE_INTEGER, &fr_max_attributes), STRINGIFY(0) },
{ "reject_delay", FR_CONF_POINTER(PW_TYPE_TIMEVAL, &main_config.reject_delay), STRINGIFY(0) },
{ "status_server", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.status_server), "no"},
+ { "require_message_authenticator", FR_CONF_POINTER(PW_TYPE_STRING, &require_message_authenticator), "auto"},
+ { "limit_proxy_state", FR_CONF_POINTER(PW_TYPE_STRING, &limit_proxy_state), "auto"},
#ifdef ENABLE_OPENSSL_VERSION_CHECK
{ "allow_vulnerable_openssl", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.allow_vulnerable_openssl), "no"},
#endif
@@ -195,8 +249,12 @@ static const CONF_PARSER server_config[] = {
{ "panic_action", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.panic_action), NULL},
{ "hostname_lookups", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &fr_dns_lookups), "no" },
{ "max_request_time", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_request_time), STRINGIFY(MAX_REQUEST_TIME) },
+ { "proxy_dedup_window", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.proxy_dedup_window), "1" },
{ "cleanup_delay", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.cleanup_delay), STRINGIFY(CLEANUP_DELAY) },
{ "max_requests", FR_CONF_POINTER(PW_TYPE_INTEGER, &main_config.max_requests), STRINGIFY(MAX_REQUESTS) },
+#ifndef HAVE_KQUEUE
+ { "max_fds", FR_CONF_POINTER(PW_TYPE_INTEGER, &max_fds), "512" },
+#endif
{ "postauth_client_lost", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.postauth_client_lost), "no" },
{ "pidfile", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.pid_file), "${run_dir}/radiusd.pid"},
{ "checkrad", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.checkrad), "${sbindir}/checkrad" },
@@ -864,6 +922,8 @@ int main_config_init(void)
if (!main_config.dictionary_dir) {
main_config.dictionary_dir = DICTDIR;
}
+ main_config.require_ma = FR_BOOL_AUTO;
+ main_config.limit_proxy_state = FR_BOOL_AUTO;
/*
* About sizeof(REQUEST) + sizeof(RADIUS_PACKET) * 2 + sizeof(VALUE_PAIR) * 400
@@ -1144,6 +1204,10 @@ do {\
if ((main_config.reject_delay.tv_sec != 0) || (main_config.reject_delay.tv_usec != 0)) {
FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, >=, 1, 0);
}
+
+ FR_INTEGER_BOUND_CHECK("proxy_dedup_window", main_config.proxy_dedup_window, <=, 10);
+ FR_INTEGER_BOUND_CHECK("proxy_dedup_window", main_config.proxy_dedup_window, >=, 1);
+
FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, <=, 10, 0);
FR_INTEGER_BOUND_CHECK("cleanup_delay", main_config.cleanup_delay, <=, 30);
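Review bot: The two `proxy_dedup_window` checks are inserted between the `>=` and `<=` bound checks for `reject_delay`, which splits one setting's validation around another's. Moving the pair below `FR_TIMEVAL_BOUND_CHECK("reject_delay", &main_config.reject_delay, <=, 10, 0);` keeps each setting's limits together. A one-line comment such as `/* proxy_dedup_window is limited to 1..10 */` would record the accepted range; the unit is not visible in this hunk. The enclosing function begins and ends outside the hunk.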
@@ -1159,6 +1223,46 @@ do {\
main_config.init_delay.tv_sec = 0;
main_config.init_delay.tv_usec = 2* (1000000 / 3);
+ {
+ CONF_PAIR *cp = NULL;
+
+ subcs = cf_section_sub_find(cs, "security");
+ if (subcs) cp = cf_pair_find(subcs, "require_message_authenticator");
+ if (fr_bool_auto_parse(cp, &main_config.require_ma, require_message_authenticator) < 0) {
+ cf_file_free(cs);
+ return -1;
+ }
+
+ if (subcs) cp = cf_pair_find(subcs, "limit_proxy_state");
+ if (fr_bool_auto_parse(cp, &main_config.limit_proxy_state, limit_proxy_state) < 0) {
+ cf_file_free(cs);
+ return -1;
+ }
+ }
+
+#ifndef HAVE_KQUEUE
+ /*
+ * select() is limited to 1024 file descriptors. :(
+ */
+ if (max_fds) {
+ if (max_fds > FD_SETSIZE) {
+ fr_ev_max_fds = FD_SETSIZE;
+ } else {
+ /*
+ * Round up to the next highest power of 2.
+ */
+ max_fds--;
+ max_fds |= max_fds >> 1;
+ max_fds |= max_fds >> 2;
+ max_fds |= max_fds >> 4;
+ max_fds |= max_fds >> 8;
+ max_fds |= max_fds >> 16;
+ max_fds++;
+ fr_ev_max_fds = max_fds;
+ }
+ }
+#endif
+
/*
* Free the old configuration items, and replace them
* with the new ones.
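Review bot: In the `#ifndef HAVE_KQUEUE` block the only clamp to `FD_SETSIZE` happens before the power-of-two rounding, so the rounded result stays within `FD_SETSIZE` only if that constant is itself a power of two. If `fr_ev_max_fds` is later used to size or index anything tied to an `fd_set` (not visible here), an out-of-range value would be a memory-safety problem, so the clamp should be repeated after `max_fds++;` as `if (max_fds > FD_SETSIZE) max_fds = FD_SETSIZE;`. There is also no lower bound: a value of 1 is accepted unchanged, and a minimum check like the `FR_INTEGER_BOUND_CHECK` calls used for the other settings would stop a typo from starving the server of descriptors. The comment says 1024 while the code tests `FD_SETSIZE`, so the comment should name the constant. The enclosing function starts and ends outside the hunk.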