Add interim accounting support from Vladislav Bjelic

2005-05-05 10:02:06 +00:00 · 2005-05-05 10:02:06 +00:00 · 1642e0dbaa
commit 1642e0dbaa
parent 81bc9de9de
9 changed files with 119 additions and 74 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 * Thu May 5 2005 Brendan O'Dea <bod@optusnet.com.au> 2.1.0
 - Add IPv6 support from Jonathan McDowell.
 - Add CHAP support from Jordan Hrycaj (work in progress).
+- Add interim accounting support from Vladislav Bjelic.
 - Sanity check that cluster_send_session is not called from a child
  process.
 - Throttle outgoing LASTSEEN packets to at most one per second for a
--- a/1
+++ b/1
@ -15,3 +15,4 @@ Jonathan McDowell          <noodles@earth.li>
 Bjřrn Augestad             <augestad@users.sourceforge.net>
 Roberto Chostakovis        <rchostakovis@users.sourceforge.net>
 Jordan Hrycaj              <jordan@mjh.teddy-net.com>
+Vladislav Bjelic           <vladislav@gmail.com>
--- a/cli.c
+++ b/cli.c
@ -2,7 +2,7 @@
 // vim: sw=8 ts=8

 char const *cvs_name = "$Name:  $";
-char const *cvs_id_cli = "$Id: cli.c,v 1.55 2005/05/02 09:55:04 bodea Exp $";
+char const *cvs_id_cli = "$Id: cli.c,v 1.56 2005/05/05 10:02:07 bodea Exp $";

 #include <stdio.h>
 #include <stdarg.h>
@ -413,7 +413,6 @@ static int cmd_show_session(struct cli_def *cli, char *command, char **argv, int
 			cli_print(cli, "\tBytes In/Out:\t%u/%u", session[s].total_cout, session[s].total_cin);
 			cli_print(cli, "\tPkts In/Out:\t%u/%u", session[s].pout, session[s].pin);
 			cli_print(cli, "\tMRU:\t\t%d", session[s].mru);
-			cli_print(cli, "\tRadius Session:\t%u", session[s].radius);
 			cli_print(cli, "\tRx Speed:\t%u", session[s].rx_connect_speed);
 			cli_print(cli, "\tTx Speed:\t%u", session[s].tx_connect_speed);
 			if (session[s].filter_in && session[s].filter_in <= MAXFILTER)
--- a/cluster.c
+++ b/cluster.c
@ -1,6 +1,6 @@
 // L2TPNS Clustering Stuff

-char const *cvs_id_cluster = "$Id: cluster.c,v 1.34 2005/05/02 09:06:05 bodea Exp $";
+char const *cvs_id_cluster = "$Id: cluster.c,v 1.35 2005/05/05 10:02:07 bodea Exp $";

 #include <stdio.h>
 #include <stdlib.h>
@ -594,7 +594,7 @@ void cluster_check_master(void)

 		sess_local[i].cin = sess_local[i].cout = 0;

-		session[i].radius = 0;	// Reset authentication as the radius blocks aren't up to date.
+		sess_local[i].radius = 0;	// Reset authentication as the radius blocks aren't up to date.

 		if (session[i].unique_id >= high_unique_id)	// This is different to the index into the session table!!!
 			high_unique_id = session[i].unique_id+1;
--- a/constants.c
+++ b/constants.c
@ -1,6 +1,6 @@
 // L2TPNS: constants

-char const *cvs_id_constants = "$Id: constants.c,v 1.4 2005/01/05 13:37:56 bodea Exp $";
+char const *cvs_id_constants = "$Id: constants.c,v 1.5 2005/05/05 10:02:07 bodea Exp $";

 #include <stdio.h>
 #include "constants.h"
@ -156,7 +156,8 @@ CONSTANT(radius_state,
    "RADIUSIPCP",					// 3
    "RADIUSSTART",					// 4
    "RADIUSSTOP",					// 5
-    "RADIUSWAIT"					// 6
+    "RADIUSINTERIM",					// 6
+    "RADIUSWAIT"					// 7
 )

 CONSTANT(radius_code,
--- a/l2tpns.c
+++ b/l2tpns.c
@ -4,7 +4,7 @@
 // Copyright (c) 2002 FireBrick (Andrews & Arnold Ltd / Watchfront Ltd) - GPL licenced
 // vim: sw=8 ts=8

-char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.92 2005/05/05 02:39:54 bodea Exp $";
+char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.93 2005/05/05 10:02:07 bodea Exp $";

 #include <arpa/inet.h>
 #include <assert.h>
@ -55,23 +55,23 @@ char const *cvs_id_l2tpns = "$Id: l2tpns.c,v 1.92 2005/05/05 02:39:54 bodea Exp
 #endif /* BGP */

 // Globals
-configt *config = NULL;			// all configuration
-int tunfd = -1;				// tun interface file handle. (network device)
-int udpfd = -1;				// UDP file handle
-int controlfd = -1;			// Control signal handle
-int clifd = -1;				// Socket listening for CLI connections.
-int snoopfd = -1;			// UDP file handle for sending out intercept data
-int *radfds = NULL;			// RADIUS requests file handles
-int ifrfd = -1;				// File descriptor for routing, etc
-int ifr6fd = -1;			// File descriptor for IPv6 routing, etc
-static int rand_fd = -1;		// Random data source
-time_t basetime = 0;			// base clock
-char hostname[1000] = "";		// us.
-static int tunidx;			// ifr_ifindex of tun device
-static int syslog_log = 0;		// are we logging to syslog
-static FILE *log_stream = stderr;	// file handle for direct logging (i.e. direct into file, not via syslog).
-extern int cluster_sockfd;		// Intra-cluster communications socket.
-uint32_t last_id = 0;			// Unique ID for radius accounting
+configt *config = NULL;		// all configuration
+int tunfd = -1;			// tun interface file handle. (network device)
+int udpfd = -1;			// UDP file handle
+int controlfd = -1;		// Control signal handle
+int clifd = -1;			// Socket listening for CLI connections.
+int snoopfd = -1;		// UDP file handle for sending out intercept data
+int *radfds = NULL;		// RADIUS requests file handles
+int ifrfd = -1;			// File descriptor for routing, etc
+int ifr6fd = -1;		// File descriptor for IPv6 routing, etc
+static int rand_fd = -1;	// Random data source
+time_t basetime = 0;		// base clock
+char hostname[1000] = "";	// us.
+static int tunidx;		// ifr_ifindex of tun device
+static int syslog_log = 0;	// are we logging to syslog
+static FILE *log_stream = 0;	// file handle for direct logging (i.e. direct into file, not via syslog).
+extern int cluster_sockfd;	// Intra-cluster communications socket.
+uint32_t last_id = 0;		// Unique ID for radius accounting

 struct cli_session_actions *cli_session_actions = NULL;	// Pending session changes requested by CLI
 struct cli_tunnel_actions *cli_tunnel_actions = NULL;	// Pending tunnel changes required by CLI
@ -110,6 +110,7 @@ config_descriptt config_values[] = {
 	CONFIG("primary_radius_port", radiusport[0], SHORT),
 	CONFIG("secondary_radius_port", radiusport[1], SHORT),
 	CONFIG("radius_accounting", radius_accounting, BOOL),
+	CONFIG("radius_interim", radius_interim, INT),
 	CONFIG("radius_secret", radiussecret, STRING),
 	CONFIG("radius_authtypes", radius_authtypes_s, STRING),
 	CONFIG("bind_address", bind_address, IPv4),
@ -1455,7 +1456,7 @@ void sessionshutdown(sessionidt s, char *reason, int result, int error)
 	if (session[s].ip && !walled_garden && !session[s].die)
 	{
 		// RADIUS Stop message
-		uint16_t r = session[s].radius;
+		uint16_t r = sess_local[s].radius;
 		if (!r)
 		{
 			if (!(r = radiusnew(s)))
@ -1537,7 +1538,7 @@ void sessionshutdown(sessionidt s, char *reason, int result, int error)
 void sendipcp(tunnelidt t, sessionidt s)
 {
 	uint8_t buf[MAXCONTROL];
-	uint16_t r = session[s].radius;
+	uint16_t r = sess_local[s].radius;
 	uint8_t *q;

 	CSTAT(sendipcp);
@ -1616,8 +1617,8 @@ void sessionkill(sessionidt s, char *reason)

 	session[s].die = TIME;
 	sessionshutdown(s, reason, 3, 0);  // close radius/routes, etc.
-	if (session[s].radius)
-		radiusclear(session[s].radius, s); // cant send clean accounting data, session is killed
+	if (sess_local[s].radius)
+		radiusclear(sess_local[s].radius, s); // cant send clean accounting data, session is killed

 	LOG(2, s, session[s].tunnel, "Kill session %d (%s): %s\n", s, session[s].user, reason);

@ -2189,16 +2190,17 @@ void processudp(uint8_t * buf, int len, struct sockaddr_in *addr)
 					}
 				case 31:    // Proxy Authentication Challenge
 					{
-						memcpy(radius[session[s].radius].auth, b, 16);
 						LOG(4, s, t, "   Proxy Auth Challenge\n");
+						if (sess_local[s].radius)
+							memcpy(radius[sess_local[s].radius].auth, b, 16);
 						break;
 					}
 				case 32:    // Proxy Authentication ID
 					{
 						uint16_t authid = ntohs(*(uint16_t *)(b));
 						LOG(4, s, t, "   Proxy Auth ID (%d)\n", authid);
-						if (session[s].radius)
-							radius[session[s].radius].id = authid;
+						if (sess_local[s].radius)
+							radius[sess_local[s].radius].id = authid;
 						break;
 					}
 				case 33:    // Proxy Authentication Response
@ -2618,21 +2620,24 @@ static int regular_cleanups(void)
 		if (!session[s].opened)	// Session isn't in use
 			continue;

-		if (!session[s].die && session[s].ip && !(session[s].flags & SF_IPCP_ACKED))
+		// check for expired sessions
+		if (session[s].die)
+		{
+			if (session[s].die <= TIME)
+			{
+				sessionkill(s, "Expired");
+				if (++count >= MAX_ACTIONS) break;
+			}
+			continue;
+		}
+
+		if (session[s].ip && !(session[s].flags & SF_IPCP_ACKED))
 		{
 			// IPCP has not completed yet. Resend
 			LOG(3, s, session[s].tunnel, "No ACK for initial IPCP ConfigReq... resending\n");
 			sendipcp(session[s].tunnel, s);
 		}

-		// check for expired sessions
-		if (session[s].die && session[s].die <= TIME)
-		{
-			sessionkill(s, "Expired");
-			if (++count >= MAX_ACTIONS) break;
-			continue;
-		}
-
 		// Drop sessions who have not responded within IDLE_TIMEOUT seconds
 		if (session[s].last_packet && (time_now - session[s].last_packet >= IDLE_TIMEOUT))
 		{
@ -2729,6 +2734,31 @@ static int regular_cleanups(void)

 			if (++count >= MAX_ACTIONS) break;
 		}
+
+		// RADIUS interim accounting
+		if (config->radius_accounting && config->radius_interim > 0
+		    && session[s].ip && !session[s].walled_garden
+		    && !sess_local[s].radius // RADIUS already in progress
+		    && time_now - sess_local[s].last_interim >= config->radius_interim)
+		{
+			if (!radiusnew(s))
+			{
+				LOG(1, s, session[s].tunnel, "No free RADIUS sessions for Interim message\n");
+				STAT(radius_overflow);
+				continue;
+			}
+
+			random_data(radius[r].auth, sizeof(radius[r].auth));
+
+			LOG(3, s, session[s].tunnel, "Sending RADIUS Interim for %s (%u)\n",
+				session[s].user, session[s].unique_id);
+
+			radiussend(r, RADIUSINTERIM);
+			sess_local[s].last_interim = time_now;
+
+			if (++count >= MAX_ACTIONS)
+				break;
+		}
 	}

 	if (*config->accounting_dir)
@ -3155,6 +3185,8 @@ static void initdata(int optdebug, char *optconfig)
 	config->rl_rate = 28; // 28kbps
 	strcpy(config->random_device, RANDOMDEVICE);

+	log_stream = stderr;
+
 #ifdef RINGBUFFER
 	if (!(ringbuffer = shared_malloc(sizeof(struct Tringbuffer))))
 	{
--- a/l2tpns.h
+++ b/l2tpns.h
@ -1,5 +1,5 @@
 // L2TPNS Global Stuff
-// $Id: l2tpns.h,v 1.64 2005/04/18 05:32:16 bodea Exp $
+// $Id: l2tpns.h,v 1.65 2005/05/05 10:02:08 bodea Exp $

 #ifndef __L2TPNS_H__
 #define __L2TPNS_H__
@ -181,7 +181,6 @@ typedef struct
 	time_t last_packet;		// Last packet from the user (used for idle timeouts)
 	in_addr_t dns1, dns2;		// DNS servers
 	routet route[MAXROUTE];		// static routes
-	uint16_t radius;		// which radius session is being used (0 for not waiting on authentication)
 	uint16_t mru;			// maximum receive unit
 	uint16_t tbf_in;		// filter bucket for throttling in from the user.
 	uint16_t tbf_out;		// filter bucket for throttling out to the user.
@ -225,6 +224,12 @@ typedef struct
 	clockt last_packet_out;
 	uint32_t packets_out;
 	uint32_t packets_dropped;
+
+	// RADIUS session in use
+	uint16_t radius;
+
+	// interim RADIUS
+	time_t last_interim;
 } sessionlocalt;

 #define	SESSIONPFC	1	// PFC negotiated flags
@ -313,8 +318,8 @@ enum
 	RADIUSIPCP,             // sending IPCP to end user
 	RADIUSSTART,            // sending start accounting to RADIUS server
 	RADIUSSTOP,             // sending stop accounting to RADIUS server
+	RADIUSINTERIM,		// sending interim accounting to RADIUS server
 	RADIUSWAIT,		// waiting timeout before available, in case delayed replies
-	RADIUSDEAD,		// errored while talking to radius server.
 };

 struct Tstats
@ -442,6 +447,7 @@ typedef struct

 	char		radiussecret[64];
 	int		radius_accounting;
+	int		radius_interim;
 	in_addr_t	radiusserver[MAXRADSERVER];	// radius servers
 	uint16_t	radiusport[MAXRADSERVER];	// radius base ports
 	uint8_t		numradiusservers;		// radius server count
--- a/ppp.c
+++ b/ppp.c
@ -1,6 +1,6 @@
 // L2TPNS PPP Stuff

-char const *cvs_id_ppp = "$Id: ppp.c,v 1.47 2005/04/27 13:53:17 bodea Exp $";
+char const *cvs_id_ppp = "$Id: ppp.c,v 1.48 2005/05/05 10:02:08 bodea Exp $";

 #include <stdio.h>
 #include <string.h>
@ -77,7 +77,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 		}
 		LOG(3, s, t, "PAP login %s/%s\n", user, pass);
 	}
-	if (session[s].ip || !session[s].radius)
+	if (session[s].ip || !sess_local[s].radius)
 	{
 		// respond now, either no RADIUS available or already authenticated
 		uint8_t b[MAXCONTROL];
@ -110,7 +110,7 @@ void processpap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	else
 	{
 		// set up RADIUS request
-		uint16_t r = session[s].radius;
+		uint16_t r = sess_local[s].radius;

 		// Run PRE_AUTH plugins
 		struct param_pre_auth packet = { &tunnel[t], &session[s], strdup(user), strdup(pass), PPPPAP, 1 };
@ -144,7 +144,7 @@ void processchap(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	CSTAT(processchap);

 	LOG_HEX(5, "CHAP", p, l);
-	r = session[s].radius;
+	r = sess_local[s].radius;
 	if (!r)
 	{
 		LOG(1, s, t, "Unexpected CHAP message\n");
@ -592,7 +592,7 @@ void processipcp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 	if (*p == ConfigAck)
 	{
 		// happy with our IPCP
-		uint16_t r = session[s].radius;
+		uint16_t r = sess_local[s].radius;
 		if ((!r || radius[r].state == RADIUSIPCP) && !session[s].walled_garden)
 		{
 			if (!r)
@ -1084,9 +1084,8 @@ void processccp(tunnelidt t, sessionidt s, uint8_t *p, uint16_t l)
 void sendchap(tunnelidt t, sessionidt s)
 {
 	uint8_t b[MAXCONTROL];
-	uint16_t r = session[s].radius;
+	uint16_t r = sess_local[s].radius;
 	uint8_t *q;
-	uint8_t *l;

 	CSTAT(sendchap);

--- a/radius.c
+++ b/radius.c
@ -1,6 +1,6 @@
 // L2TPNS Radius Stuff

-char const *cvs_id_radius = "$Id: radius.c,v 1.28 2005/05/03 05:11:34 bodea Exp $";
+char const *cvs_id_radius = "$Id: radius.c,v 1.29 2005/05/05 10:02:08 bodea Exp $";

 #include <time.h>
 #include <stdio.h>
@ -42,7 +42,7 @@ void initrad(void)

 void radiusclear(uint16_t r, sessionidt s)
 {
-	if (s) session[s].radius = 0;
+	if (s) sess_local[s].radius = 0;
 	memset(&radius[r], 0, sizeof(radius[r])); // radius[r].state = RADIUSNULL;
 }

@ -69,7 +69,7 @@ static uint16_t get_free_radius()

 uint16_t radiusnew(sessionidt s)
 {
-	uint16_t r = session[s].radius;
+	uint16_t r = sess_local[s].radius;

 	/* re-use */
 	if (r)
@ -86,7 +86,7 @@ uint16_t radiusnew(sessionidt s)
 	};

 	memset(&radius[r], 0, sizeof(radius[r]));
-	session[s].radius = r;
+	sess_local[s].radius = r;
 	radius[r].session = s;
 	radius[r].state = RADIUSWAIT;
 	radius[r].retry = TIME + 1200; // Wait at least 120 seconds to re-claim this.
@ -165,6 +165,7 @@ void radiussend(uint16_t r, uint8_t state)
 			break;
 		case RADIUSSTART:
 		case RADIUSSTOP:
+		case RADIUSINTERIM:
 			b[0] = 4;               // accounting request
 			break;
 		default:
@ -229,11 +230,11 @@ void radiussend(uint16_t r, uint8_t state)
 			p += p[1];
 		}
 	}
-	else if (state == RADIUSSTART || state == RADIUSSTOP)
+	else if (state == RADIUSSTART || state == RADIUSSTOP || state == RADIUSINTERIM)
 	{                          // accounting
 		*p = 40;                // accounting type
 		p[1] = 6;
-		*(uint32_t *) (p + 2) = htonl((state == RADIUSSTART) ? 1 : 2);
+		*(uint32_t *) (p + 2) = htonl(state - RADIUSSTART + 1); // start=1, stop=2, interim=3
 		p += p[1];
 		if (s)
 		{
@ -241,8 +242,16 @@ void radiussend(uint16_t r, uint8_t state)
 			p[1] = 18;
 			sprintf(p + 2, "%08X%08X", session[s].unique_id, session[s].opened);
 			p += p[1];
-			if (state == RADIUSSTOP)
-			{                // stop
+			if (state == RADIUSSTART)
+			{                // start
+				*p = 41;      // delay
+				p[1] = 6;
+				*(uint32_t *) (p + 2) = htonl(time(NULL) - session[s].opened);
+				p += p[1];
+				sess_local[s].last_interim = time_now; // Setup "first" Interim
+			}
+			else
+			{                // stop, interim
 				*p = 42;      // input octets
 				p[1] = 6;
 				*(uint32_t *) (p + 2) = htonl(session[s].cin);
@ -264,13 +273,6 @@ void radiussend(uint16_t r, uint8_t state)
 				*(uint32_t *) (p + 2) = htonl(session[s].pout);
 				p += p[1];
 			}
-			else
-			{                // start
-				*p = 41;      // delay
-				p[1] = 6;
-				*(uint32_t *) (p + 2) = htonl(time(NULL) - session[s].opened);
-				p += p[1];
-			}

 			if (session[s].snoop_ip && session[s].snoop_port)
 			{
@ -393,7 +395,8 @@ void processrad(uint8_t *buf, int len, char socket_index)
 		LOG(1, s, session[s].tunnel, "   Unexpected RADIUS response\n");
 		return;
 	}
-	if (radius[r].state != RADIUSAUTH && radius[r].state != RADIUSSTART && radius[r].state != RADIUSSTOP)
+	if (radius[r].state != RADIUSAUTH && radius[r].state != RADIUSSTART
+	    && radius[r].state != RADIUSSTOP && radius[r].state != RADIUSINTERIM)
 	{
 		LOG(1, s, session[s].tunnel, "   Unexpected RADIUS response\n");
 		return;
@ -413,7 +416,7 @@ void processrad(uint8_t *buf, int len, char socket_index)
 		}

 		if ((radius[r].state == RADIUSAUTH && r_code != AccessAccept && r_code != AccessReject) ||
-			((radius[r].state == RADIUSSTART || radius[r].state == RADIUSSTOP) && r_code != AccountingResponse))
+			((radius[r].state == RADIUSSTART || radius[r].state == RADIUSSTOP || radius[r].state == RADIUSINTERIM) && r_code != AccountingResponse))
 		{
 			LOG(1, s, session[s].tunnel, "   Unexpected RADIUS response %s\n", radius_code(r_code));
 			return; // We got something we didn't expect. Let the timeouts take
@ -709,24 +712,27 @@ void radiusretry(uint16_t r)
 	radius[r].retry = backoff(radius[r].try + 1);
 	switch (radius[r].state)
 	{
-		case RADIUSCHAP:           // sending CHAP down PPP
+		case RADIUSCHAP:	// sending CHAP down PPP
 			sendchap(t, s);
 			break;
 		case RADIUSIPCP:
-			sendipcp(t, s);         // send IPCP
+			sendipcp(t, s);	// send IPCP
 			break;
-		case RADIUSAUTH:           // sending auth to RADIUS server
+		case RADIUSAUTH:	// sending auth to RADIUS server
 			radiussend(r, RADIUSAUTH);
 			break;
-		case RADIUSSTART:          // sending start accounting to RADIUS server
+		case RADIUSSTART:	// sending start accounting to RADIUS server
 			radiussend(r, RADIUSSTART);
 			break;
-		case RADIUSSTOP:           // sending stop accounting to RADIUS server
+		case RADIUSSTOP:	// sending stop accounting to RADIUS server
 			radiussend(r, RADIUSSTOP);
 			break;
+		case RADIUSINTERIM:	// sending interim accounting to RADIUS server
+			radiussend(r, RADIUSINTERIM);
+			break;
 		default:
-		case RADIUSNULL:           // Not in use
-		case RADIUSWAIT:           // waiting timeout before available, in case delayed reply from RADIUS server
+		case RADIUSNULL:	// Not in use
+		case RADIUSWAIT:	// waiting timeout before available, in case delayed reply from RADIUS server
 			// free up RADIUS task
 			radiusclear(r, s);
 			LOG(3, s, session[s].tunnel, "Freeing up radius session %d\n", r);