Three patches versus master attached:

The first puts a saner default config for radsec connections from clients, because in the dominant use-case for radsec clients (outside federation servers pointing to your IDP service) these connections are often nailed up by the client, so if they time out every thirty seconds (which is the new default as of the limit structure changes), the client just proceeds to rebuild them every 30 seconds.

The second patch is a pasto that was preventing dhcp.c from compiling.  Note I don't use this module, so I haven't tested that at all.

The third patch decrements the client's connection limit counter when a socket times out so that a TCP connection falling down and restoring does not eventually run afoul of max_connections.  Note this problem was pre-existing before the new limit structure changes but also occurred with them applied.  This is only slightly tested, and might benefit from an experienced eyeball or two, especially WRT possibly backporting it.
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index b1c531d..2108bbc 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -243,6 +243,18 @@ listen {
 	#    		client = "/path/to/openssl verify -CApath ${..CA_path} %{TLS-Client-Cert-Filename}"
 		}
 	}
+
+	# Unless you are doing P2P radsec meshes, or you are a federation
+	# level server, you likely want a long life on connections from
+	# federation servers that are proxying to you.  These limits are
+	# applied to each connection on this socket.  You should also set
+	# limits for clients as well.  Both limits will apply.
+	limit {
+		max_connections = 16
+		lifetime = 7200
+		idle_timeout = 3600
+	}
+
 }
 
 clients radsec {
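Review bot: the new `limit` block in the `listen` section gives `lifetime = 7200` and `idle_timeout = 3600` with no indication of units; add "(seconds)" to the comment so an administrator copying this stanza does not read them as minutes. It would also help to state in the same comment what happens when `max_connections = 16` is exceeded on this socket (new connection refused versus oldest dropped), since the comment only says the listen and client limits "will apply" without saying how.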
@@ -250,6 +262,19 @@ clients radsec {
 		ipaddr = 127.0.0.1
 		proto = tcp
 		secret = testing123
+
+		# Unless you are doing P2P radsec meshes, or you are a
+		# federation level server, you likely want a long life
+		# on connections from federation servers that are proxying
+		# to you.  These limits are applied to each connection from
+		# this client.  They will be enforced alongside the
+		# limits defined in the listen directive(s) for the socket(s)
+		# where connections arrive.
+		limit {
+			max_connections = 16
+			lifetime = 7200
+			idle_timeout = 3600
+		}
 	}
 }
 
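Review bot: the comment added to the example client repeats the `listen` block's comment nearly word for word; since this client (`127.0.0.1`, `secret = testing123`) is only an example, a one-line pointer such as "# See the limit section in the listen block above; the stricter of the two limits wins" would be easier to keep in sync than two copies of the same text. Either way, both copies should be kept consistent in stating which of the two `max_connections` values takes precedence, because that is the value an operator will tune when federation peers start being refused.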
diff --git a/src/lib/dhcp.c b/src/lib/dhcp.c
index 1b2a73c..012b7f6 100644
--- a/src/lib/dhcp.c
+++ b/src/lib/dhcp.c
@@ -1551,7 +1551,7 @@ int fr_dhcp_add_arp_entry(int fd, const char *interface,
 			  VALUE_PAIR *macaddr, VALUE_PAIR *ip)
 {
 #ifdef SIOCSARP
-	struct sockaddr_in *sin
+	struct sockaddr_in *sin;
 	struct arpreq req;
 
 	if (macaddr->length > sizeof (req.arp_ha.sa_data)) {
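Review bot: the added semicolon after `struct sockaddr_in *sin` is the whole fix and looks correct as far as the hunk shows. Because the author notes this module is untested, it is worth compiling on a platform where `SIOCSARP` is defined (the only path that sees this declaration) to confirm nothing else in the function was masked by the earlier parse error before this goes into a release.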
diff --git a/src/main/process.c b/src/main/process.c
index f641e5f..c16e81d 100644
--- a/src/main/process.c
+++ b/src/main/process.c
@@ -3769,6 +3769,10 @@ finish:
 		}
 #endif
 
+		if (sock->client != NULL) {
+			sock->client->limit.num_connections--;
+		}
+
 		/*
 		 *	Remove any pending cleanups.
 		 */
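Review bot: the new `sock->client->limit.num_connections--` is unguarded; if this cleanup path is reached for a socket whose connection was never counted (or is reached twice for the same socket), the counter goes negative or wraps, which would effectively disable `max_connections` for that client rather than merely miscounting it. Suggest pairing the decrement with the place the counter is incremented on accept, and adding a check such as `if (sock->client->limit.num_connections > 0)` or an assertion before decrementing, so that a bookkeeping error fails closed. Given the backport question raised in the cover note, that guard is what makes this safe to carry to older branches where the accept-side accounting may differ.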
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html