@@ -587,7 +587,7 @@ radius {
587587 #
588588
589589 #
590- # ### Access requests packets
590+ # ### Access Request packets
591591 #
592592 Access-Request {
593593 #
@@ -767,14 +767,42 @@ radius replicate {
767767}
768768
769769#
770- # A dynamic proxy module
770+ # ## Dynamic Proxying
771+ #
772+ # This module supports dynamic proxying via a run-time function:
773+ #
774+ # %proxy.sendto.ipaddr(127.0.0.1, 1812, "testing123")
775+ #
776+ # The first part of the function name (e.g. `proxy`) is taken from
777+ # the module name. The rest is fixed as `sendto.ipaddr()`
778+ #
779+ # The arguments to the function are:
780+ #
781+ # * destination IP address.
782+ # * destination port
783+ # * shared secret
784+ #
785+ # The function will return the type of response packet if it receives
786+ # as a response, or else the function all will fail.
787+ #
788+ # if (%proxy.sendto.ipaddr(127.0.0.1, 1812, "testing123") == 'Access-Accept') {
789+ # ...
790+ # }
791+ #
792+ # The packet name must be a quoted string.
793+ #
794+ # The proxying is done asynchronously. i.e. the packet is sent, and
795+ # the server goes on to do other work. At some point in the future,
796+ # a response is received, the module processes it, and the server
797+ # continues.
798+ #
799+ # The timeouts are controlled as described above.
771800#
772801radius proxy {
773802 type = Access-Request
774803
775804 #
776- # We are not opening a socket from our server to their
777- # server. We are replicating packets.
805+ # The mode.
778806 #
779807 mode = dynamic-proxy
780808
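Review bot: The new documentation passes the shared secret as a literal argument to `%proxy.sendto.ipaddr()`, and the example value `testing123` is the well-known default secret, so a copied example puts a plaintext default secret into policy; the comment should say where the secret should come from and warn against the example value, e.g. `# The secret is a plaintext argument: never use the example value, and never take the address, port or secret from unvalidated request attributes.`. If the destination arguments can be expanded from request attributes (inferred from the function shape; the hunk does not say), a note that they must be validated first would prevent the server being turned into a proxy to arbitrary hosts. Also `the function all will fail` should read `the function call will fail`, and the replacement comment `# The mode.` on the `mode` item says nothing; `# dynamic-proxy: home servers are created at run time by %proxy.sendto.ipaddr(), not from a static list.` would document it.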
@@ -813,12 +841,12 @@ radius proxy {
813841 # These two configuratiuon items can only be used for
814842 # UDP sockets.
815843 #
816- # src_port_start = 10000
844+ src_port_start = 10000
817845
818846 #
819847 # src_port_end:: End of source port range.
820848 #
821- # src_port_end = 11000
849+ src_port_end = 11000
822850
823851 #
824852 # `src_port` cannot be used. If it is used here, the
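Review bot: `src_port_start` and `src_port_end` are now live settings rather than commented-out examples, so every deployment that copies this file binds source ports 10000–11000 for dynamic proxying; a comment stating the operational requirement, e.g. `# This range must be free on the host and allowed outbound by any firewall between this server and the home servers.`, would avoid silent collisions. A fixed, narrow range also makes the proxy's source ports predictable, which slightly lowers the effort for an off-path attacker trying to inject replies (the Response Authenticator still has to be forged), so a caveat is worth adding if the range was chosen for firewall convenience. The enclosing UDP socket sub-section starts before this hunk.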
@@ -830,6 +858,55 @@ radius proxy {
830858 #
831859 }
832860
861+ #
862+ # Dynamic proxying does *not* support the `status_check`
863+ # section.
864+ #
865+
866+ #
867+ # home_server_lifetime:: The lifetime of the home server.
868+ #
869+ # When a new dynamic home server is used, the module caches
870+ # information about it. So long as the home server is still
871+ # being used, it will not expire. But if it has received all
872+ # expected responses (or timeouts), _and_ it has reached its
873+ # expected lifetime, then the home server will be deleted.
874+ #
875+ # This process allows for the secret to change over time.
876+ # However, the secret can only be changed if there are no
877+ # outstanding packets. Otherwise, changing the secret would
878+ # involve having multiple packets outstanding which have
879+ # different secrets. That doesn't work, and can't be fixed
880+ # through any code changes on the server.
881+ #
882+ # The solution to that is to switch to using TLS.
883+ #
884+ home_server_lifetime = 3600
885+
886+ #
887+ # These are allowed, but are less useful. If the home server
888+ # doesn't respond, it will often just hit the home server
889+ # lifetime, and be deleted.
890+ #
891+ response_window = 15
892+ zombie_period = 10
893+ revive_interval = 3600
894+
895+
896+ #
897+ # ## Timeouts
898+ #
899+ # Timeouts for proxying are controlled in sections named for
900+ # the packet type. See the examples above for full
901+ # documentation.
902+ #
903+ Access-Request {
904+ initial_rtx_time = 2
905+ max_rtx_time = 16
906+ max_rtx_count = 5
907+ max_rtx_duration = 30
908+ }
909+
833910 #
834911 # ## Connection trunking
835912 #
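Review bot: The `home_server_lifetime` comment explains why a secret cannot change while packets are outstanding, but not what the module does when `%proxy.sendto.ipaddr()` is called for an already-cached home server with a different secret — whether the call fails, the cached secret is silently used, or the new one takes effect only once the cached entry expires; an operator rotating secrets needs that stated, e.g. `# A call for a cached home server with a different secret is <rejected / served with the cached secret> until the entry expires — confirm.`. With the default of 3600 seconds a rotation can be delayed by up to an hour, which is worth saying next to the value. Since `status_check` is unsupported, `revive_interval = 3600` appears to be the only recovery path for a home server marked dead (inferred from the names; the hunk does not define them), so a sentence on how `revive_interval` and `home_server_lifetime` interact for a non-responding dynamic home server would clarify the three "less useful" settings.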