......@@ -3,14 +3,17 @@ compiler:
- clang
- gcc
sudo: false
cache:
apt: true
env:
global:
- PANIC_ACTION="gdb -batch -x raddb/panic.gdb %e %p 1>&0 2>&0"
- secure: "H+uQeyOgsIyXtIPPG2VzAG8S/8KYGHlHaWhdiNuz1LM3SMcEKoPqG6o/P+HO8HVvYnA6nelyGuEryV90UfuwGY9YC6A/pqPQvx/gXSso63Zt66XSaiZjulCSm9OV8EB3wyWF7VSQ/ZHcn+L01hIlsQXTqLprMaC33cM0FYPr9fY="
matrix:
- DO_BUILD=yes LIBS_OPTIONAL=no LIBS_SHARED=yes BUILD_CFLAGS="-DWITH_EVAL_DEBUG"
- DO_BUILD=yes LIBS_OPTIONAL=yes LIBS_SHARED=yes BUILD_CFLAGS="-DWITH_EVAL_DEBUG"
- DO_BUILD=yes LIBS_OPTIONAL=yes LIBS_SHARED=yes BUILD_CFLAGS="-DWITH_EVAL_DEBUG -O2 -g3"
- DO_BUILD=yes LIBS_OPTIONAL=no LIBS_SHARED=yes REPRODUCIBLE=no BUILD_CFLAGS="-DWITH_EVAL_DEBUG"
- DO_BUILD=yes LIBS_OPTIONAL=yes LIBS_SHARED=yes REPRODUCIBLE=no BUILD_CFLAGS="-DWITH_EVAL_DEBUG"
- DO_BUILD=yes LIBS_OPTIONAL=yes LIBS_SHARED=yes REPRODUCIBLE=yes BUILD_CFLAGS="-DWITH_EVAL_DEBUG"
- DO_BUILD=yes LIBS_OPTIONAL=yes LIBS_SHARED=yes REPRODUCIBLE=no BUILD_CFLAGS="-DWITH_EVAL_DEBUG -O2 -g3"
- DO_BUILD=no
addons:
coverity_scan:
......@@ -23,6 +26,8 @@ addons:
build_command: make
branch_pattern: coverity_scan
apt:
config:
retries: true
sources:
- couchbase-precise
packages:
......@@ -38,6 +43,7 @@ addons:
- lintian
- pbuilder
- python-dev
- python3-dev
- quilt
- libruby
- ruby-dev
......@@ -76,7 +82,7 @@ before_install:
- $CC --version
before_script:
# Configure the server
- if [ "${DO_BUILD}" = 'yes' ]; then CFLAGS="${BUILD_CFLAGS}" ./configure -C --enable-werror --prefix=$HOME/freeradius --with-shared-libs=$LIBS_SHARED --with-threads=$LIBS_OPTIONAL --with-udpfromto=$LIBS_OPTIONAL --with-openssl=$LIBS_OPTIONAL --with-pcre=$LIBS_OPTIONAL; fi
- if [ "${DO_BUILD}" = 'yes' ]; then CFLAGS="${BUILD_CFLAGS}" ./configure -C --enable-werror --prefix=$HOME/freeradius --with-shared-libs=$LIBS_SHARED --with-threads=$LIBS_OPTIONAL --with-udpfromto=$LIBS_OPTIONAL --with-openssl=$LIBS_OPTIONAL --with-pcre=$LIBS_OPTIONAL --enable-reproducible-builds=${REPRODUCIBLE}; fi
- if [ "${DO_BUILD}" = 'no' ]; then ./configure -C --without-modules; fi
# Build the server
- if [ "${DO_BUILD}" = 'yes' ]; then make -j8; fi
......
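Review bot: The new configure line passes `--enable-reproducible-builds=${REPRODUCIBLE}` unconditionally, yet the first three matrix entries as printed set no REPRODUCIBLE, so if any entry without it survives on the new side that job hands configure an empty value; either give every entry a `REPRODUCIBLE=no`/`yes` or default the expansion with `--enable-reproducible-builds=${REPRODUCIBLE:-no}`. Which matrix lines are old and which are new is not recoverable from this rendering, so this may already be covered. The same line also expands `$HOME` and the `$LIBS_*` variables unquoted, and `--prefix="$HOME/freeradius"` is the safer spelling.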
......@@ -89,14 +89,13 @@ test: ${BUILD_DIR}/bin/radiusd ${BUILD_DIR}/bin/radclient tests.unit tests.xlat
# Tests specifically for Travis. We do a LOT more than just
# the above tests
ifneq "$(findstring travis,${prefix})" ""
travis-test: raddb/test.conf test
@FR_LIBRARY_PATH=./build/lib/local/.libs/ ./build/make/jlibtool --mode=execute ./build/bin/radiusd -xxxv -n test
@rm -f raddb/test.conf
@$(MAKE) install
@perl -p -i -e 's/allow_vulnerable_openssl = no/allow_vulnerable_openssl = yes/' ${raddbdir}/radiusd.conf
@sh ${HOME}/freeradius/etc/raddb/certs
@${sbindir}/radiusd -XC
endif
#
# The $(R) is a magic variable not defined anywhere in this source.
......@@ -125,9 +124,14 @@ $(R)$(dictdir)/%: share/%
@$(INSTALL) -m 644 $< $@
MANFILES := $(wildcard man/man*/*.?)
MANDIR := $(wildcard man/man*)
install.man: $(subst man/,$(R)$(mandir)/,$(MANFILES))
$(R)$(mandir)/%: man/%
$(MANDIR):
@echo INSTALL $(patsubst $(R)$(mandir)/%,man/%,$@)
@$(INSTALL) -d -m 755 $@
$(R)$(mandir)/%: man/% | $(dir $@)
@echo INSTALL $(notdir $<)
@sed -e "s,/etc/raddb,$(raddbdir),g" \
-e "s,/usr/local/share,$(datarootdir),g" \
......
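Review bot: In the new install rule `$(R)$(mandir)/%: man/% | $(dir $@)` the order-only prerequisite expands to nothing, because `$@` and the other automatic variables are empty while GNU make reads a prerequisite list; only the recipe, or a `.SECONDEXPANSION:` prerequisite written as `$$(dir $$@)`, sees the target name. Unless `.SECONDEXPANSION:` is enabled somewhere outside this hunk, the destination directory is never requested and a fresh `make install` fails at `$(INSTALL) -m 644 $< $@`. Either enable secondary expansion and write `| $$(dir $$@)`, or drop the prerequisite and create the directory in the recipe with `@$(INSTALL) -d -m 755 $(@D)`. The `$(R)$(docdir)/%: doc/% | $(dir $@)` rule in the doc Makefile section further down this page has the same defect. The `$(MANDIR):` rule also looks suspect, since `MANDIR := $(wildcard man/man*)` names existing source directories while its recipe is written for `$(R)$(mandir)/...` destinations, but which of those lines is new is not recoverable from this rendering.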
......@@ -169,7 +169,7 @@ Commercial support
Technical support, managed systems support, custom deployments,
sponsored feature development and many other commercial services
are available from `Network RADIUS <http://www.networkradius.com>`_.
are available from `Network RADIUS <https://networkradius.com>`_.
.. |CoverityStatus| image:: https://scan.coverity.com/projects/58/badge.svg?
......
......@@ -11204,6 +11204,9 @@ $as_echo "$ax_cv_cc_wdocumentation_flag" >&6; }
if test "x$ax_cv_cc_wdocumentation_flag" = "xyes"; then
devflags="-Wdocumentation"
$as_echo "#define HAVE_WDOCUMENTATION 1" >>confdefs.h
fi
......@@ -13065,6 +13068,66 @@ $as_echo "#define HAVE_BINSAFE_REGEX 1" >>confdefs.h
fi
fi
#
# Some platforms require an explicit -latomic
#
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing __atomic_load_4" >&5
$as_echo_n "checking for library containing __atomic_load_4... " >&6; }
if ${ac_cv_search___atomic_load_4+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_func_search_save_LIBS=$LIBS
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char __atomic_load_4 ();
int
main ()
{
return __atomic_load_4 ();
;
return 0;
}
_ACEOF
for ac_lib in '' atomic; do
if test -z "$ac_lib"; then
ac_res="none required"
else
ac_res=-l$ac_lib
LIBS="-l$ac_lib $ac_func_search_save_LIBS"
fi
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_search___atomic_load_4=$ac_res
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext
if ${ac_cv_search___atomic_load_4+:} false; then :
break
fi
done
if ${ac_cv_search___atomic_load_4+:} false; then :
else
ac_cv_search___atomic_load_4=no
fi
rm conftest.$ac_ext
LIBS=$ac_func_search_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search___atomic_load_4" >&5
$as_echo "$ac_cv_search___atomic_load_4" >&6; }
ac_res=$ac_cv_search___atomic_load_4
if test "$ac_res" != no; then :
test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
fi
if test "x$REGEX" = "xyes"; then
$as_echo "#define HAVE_REGEX 1" >>confdefs.h
......
......@@ -1729,6 +1729,7 @@ if test "x$developer" = "xyes"; then
AX_CC_WDOCUMENTATION_FLAG
if test "x$ax_cv_cc_wdocumentation_flag" = "xyes"; then
devflags="-Wdocumentation"
AC_DEFINE([HAVE_WDOCUMENTATION],1,[Define if the compiler supports -Wdocumentation])
fi
dnl #
......@@ -2032,6 +2033,11 @@ if test "x$REGEX" = "x"; then
fi
fi
#
# Some platforms require an explicit -latomic
#
AC_SEARCH_LIBS([__atomic_load_4], [atomic])
if test "x$REGEX" = "xyes"; then
AC_DEFINE(HAVE_REGEX, 1, [Define if we have any regular expression library])
fi
......
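Review bot: The new comment `# Some platforms require an explicit -latomic` above `AC_SEARCH_LIBS([__atomic_load_4], [atomic])` names neither the platforms nor the reason, although the ChangeLog on this page does (armel, mips and mipsel, issue #2828), so a maintainer seeing a link failure on another target has nothing to go on. Suggest `# Some platforms (armel, mips, mipsel) need an explicit -latomic for the __atomic_* builtins; see #2828`. The probe only exercises the 4-byte builtin; whether wider atomics are used and need the same flag on those targets is not visible here. The same comment appears in the configure.ac hunk of the debian/patches/atomics.diff section further down the page.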
freeradius (3.0.20+dfsg-1) unstable; urgency=medium
* New upstream version 3.0.20+dfsg
* Fix reload action on sysvinit (Closes: #940608)
-- Bernhard Schmidt <berni@debian.org> Fri, 29 Nov 2019 18:03:07 +0100
freeradius (3.0.19+dfsg-3) unstable; urgency=medium
* Drop collectd integration from freeradius-utils - temporarily?
......
......@@ -79,7 +79,7 @@ case "$1" in
if status_of_proc -p "$PIDFILE" "$PROG" "$DESCR"; then
log_daemon_msg "Reloading $DESCR" "$PROG"
start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE || ret=$?
start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE --exec $PROGRAM || ret=$?
log_end_msg $ret
fi
;;
......
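Review bot: The new reload line leaves `$PIDFILE` and `$PROGRAM` unquoted while the `status_of_proc -p "$PIDFILE" "$PROG" "$DESCR"` line directly above quotes its arguments; for consistency and safety write `start-stop-daemon --stop --signal HUP --quiet --pidfile "$PIDFILE" --exec "$PROGRAM" || ret=$?`. `ret` is only assigned on the failure path here and `log_end_msg $ret` relies on it having been initialised earlier in the case arm, which starts outside the hunk, so that is worth confirming. `--exec` matches against the absolute path of the running executable, which should be checked to be what `$PROGRAM` holds, since a mismatch makes the reload silently find no process.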
From 5a7df325116a3c2e995e5b37d8f77665336f1caf Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Thu, 1 Aug 2019 08:51:18 -0400
Subject: [PATCH] add configure checks for -latomic. Helps with #2828
---
configure | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++
configure.ac | 5 +++++
2 files changed, 65 insertions(+)
diff --git a/configure b/configure
index 680dca8d31..e8295edc88 100755
--- a/configure
+++ b/configure
@@ -13068,6 +13068,66 @@ $as_echo "#define HAVE_BINSAFE_REGEX 1" >>confdefs.h
fi
fi
+#
+# Some platforms require an explicit -latomic
+#
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing __atomic_load_4" >&5
+$as_echo_n "checking for library containing __atomic_load_4... " >&6; }
+if ${ac_cv_search___atomic_load_4+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+/* Override any GCC internal prototype to avoid an error.
+ Use char because int might match the return type of a GCC
+ builtin and then its argument prototype would still apply. */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __atomic_load_4 ();
+int
+main ()
+{
+return __atomic_load_4 ();
+ ;
+ return 0;
+}
+_ACEOF
+for ac_lib in '' atomic; do
+ if test -z "$ac_lib"; then
+ ac_res="none required"
+ else
+ ac_res=-l$ac_lib
+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
+ fi
+ if ac_fn_c_try_link "$LINENO"; then :
+ ac_cv_search___atomic_load_4=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext
+ if ${ac_cv_search___atomic_load_4+:} false; then :
+ break
+fi
+done
+if ${ac_cv_search___atomic_load_4+:} false; then :
+
+else
+ ac_cv_search___atomic_load_4=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search___atomic_load_4" >&5
+$as_echo "$ac_cv_search___atomic_load_4" >&6; }
+ac_res=$ac_cv_search___atomic_load_4
+if test "$ac_res" != no; then :
+ test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+fi
+
+
if test "x$REGEX" = "xyes"; then
$as_echo "#define HAVE_REGEX 1" >>confdefs.h
diff --git a/configure.ac b/configure.ac
index 73dc9f70d1..c68124a226 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2033,6 +2033,11 @@ if test "x$REGEX" = "x"; then
fi
fi
+#
+# Some platforms require an explicit -latomic
+#
+AC_SEARCH_LIBS([__atomic_load_4], [atomic])
+
if test "x$REGEX" = "xyes"; then
AC_DEFINE(HAVE_REGEX, 1, [Define if we have any regular expression library])
fi
......@@ -6,4 +6,3 @@ debian-local/0010-version.c-disable-openssl-version-check.patch
dont-install-tests.diff
mkdirp.diff
snakeoil-certs.diff
atomics.diff
FreeRADIUS 3.0.20 Thu 14 Nov 2019 12:00:00 EDT urgency=medium
Feature improvements
* Add Jenkins continuous integration. Fixes #2620.
Used to build http://packages.networkradius.com/
* Added Force10 dictionary.
* Update dictionary.hp with new attributes. #2690
* Update dictionary.aruba with new attributes. #2696
* Update logrotate settings to rotate as non-root user. #2666
* Fix side-channel leak in EAP-PWD. Patch from Mathy Vanhoef.
* Relax OpenSSL version checks, now that their API is both
public, and stable.
* Note that tls_min_version/tls_max_version also support "1.3"
Since there is no standard yet for EAP with TLS 1.3, it
will not work.
* Added tripplite dictionary from #2760.
* Switch to the async interface for rlm_sql_postgresql so that
we can enforce query_timeout.
* Added new LDAP option 'allow_dangling_group_ref'.
* Updated documentation and functionality for EAP session caching.
See "cache" section of mods-available/eap.
* Tighten systemd unit file security. Fixes #2637.
* Disable TLS 1.0 and TLS 1.1 support in the default configuration.
We STRONGLY recommend doing this for all installations.
* Add expansions for *outgoing* Radsec connections.
"%{proxy_listen:TLS-...}" for TLS-Client-Cert-* and TLS-Cert-*
attributes. Fixes #2839.
* Add %{listen:tls} which returns "yes" or "no" for TLS or non-TLS
connections.
* Update dictionary.lancom with new attributes. #2847
* Added rlm_sql_mongo. See raddb/mods-available/sql. Note that
this module is experimental.
* Added more documentation in sites-available/robust-proxy-accounting
* sqlippool now re-allocates unexpired leases, to prevent IP pool
exhaustion when clients perform multiple reauthentication attempts.
Patch from Terry Burton.
* Add support to radmin keep the history in ~/.radmin_history
* Add support for ENV and LD_PRELOAD in radiusd.conf. See the new
ENV sub-section of radiusd.conf.
* Update dictionary.aptilo. #3002
* Update dictionary.airespace. #3039
* Add sites-available/coa-relay, which makes CoA easier.
Patch from Terry Burton. #3045.
* Add example stored procedure for IP Pools in MySQL.
See mods-config/sql/ippool/mysql/procedure.sql
Patch from Terry Burton. #3048.
* Update dictionary.dhcp dictionary with the recent hardware types.
* Add experimental rlm_python3. This should largely work the same
as rlm_python, which was Python2 only.
* Add Dockerfiles for Debian10 and CentOS8.
* Add RPM spec file compatibility for RHEL/CentOS 8.
* Notes on iOS 13 certificate issues. See
https://support.apple.com/en-us/HT210176.
* Notes on certificate constraints. See raddb/certs/server.cnf.
* Add NAIRealm example to raddb/certs/server.cnf, for RFC 7585.
Bug fixes
* Allow listen.ipaddr to reference an IPv6-only host. Fixes #2627.
* ERX-Acct-Request-Reason is "integer". Closes #2635.
* Fix a slow memory leak in the file management code.
* Try to fix file permissions if they get modified while
the server is running.
* Fix slow memory leak with clients.
* Fix request and connection timeouts in rlm_rest.
* Fix systemd issues. Patches from Daniele Rondina.
* Fixes from clang analyzer.
* Fix missing include for the dictionaries: alcatel.esam,
altiga,alvarion.wimax.v2_2,aptis,asn,audiocodes,avaya,bristol,
columbia_university,freedhcp,garderos,infoblox,motorola.illegal,
starent.vsa1, telkom, wimax.wichorus.
* Fix internal sanity check when running with "-Xx"
* Allow "inner-tunnel" virtual servers to work better with
"accept" and "reject" policies.
* Fix dictionary.huawei data types for Huawei-DNS-Server-IPv6-address
and Huawei-Framed-IPv6-Address. Fixes #2803
* Framed-Interface-ID in postgresql/queries.conf is string, not inet
Fixes #2817.
* Fix rlm_cache to complain on unknown attributes in the
"update" section of its configuration.
* Add configure checks for -latomic. This helps on armel, mips
and mipsel. Fixes #2828.
* Add support to Oracle 19 and 18. Via #2857
* Add support for decoding tags in rlm_rest. Fixes #2848.
* Use correct passwords when updating CRLs in raddb/certs/
* Properly separate "originate-coa" packets when accounting packets
are read from the detail file reader.
* Use the correct virtual server for pre/post-proxy.
* radsqlrelay fixes backported from "master" branch.
Patches from Terry Burton.
* Fix DoS issues due to multithreaded BN_CTX access.
Patch from Mathy Vanhoef. CVE-2019-17185
FreeRADIUS 3.0.19 Wed 10 Apr 2019 09:00:00 EDT urgency=high
Feature improvements
* Update dictionary.cisco
......
......@@ -17,7 +17,7 @@ $(DOCDIRS):
$(DOCINSTALL): | $(DOCDIRS)
# Wildcard installation rule
$(R)$(docdir)/%: doc/%
$(R)$(docdir)/%: doc/% | $(dir $@)
@echo INSTALL $<
@$(INSTALL) -m 644 $< $@
......
......@@ -25,21 +25,10 @@ of modules in each stage.
@section main_branches GIT Branch
@subsection branch_master Experimental Branch
@code
git clone git@github.com:FreeRADIUS/freeradius-server.git
@endcode
- Web: http://github.com/FreeRADIUS/freeradius-server/tree/master
@subsection branch_master Master (v4) feature branch
@note Submit pull requests for new features or modules against this branch.
@code
git clone git@github.com:FreeRADIUS/freeradius-server.git
cd freeradius-server
git checkout master
@endcode
- Web: http://github.com/FreeRADIUS/freeradius-server/tree/master
......
......@@ -41,9 +41,9 @@ radsqlrelay - relay SQL queries to a central database server
to a database server. Used to replicate accounting records to one
(central) database, even if the database has extended downtime.
.PP
The SQL logfile is created by the \fBrlm_sql_log\fP module. The module
must be configured in the \fBradiusd\fP server before you can use
\fBradsqlrelay\fP.
The SQL logfile is created by the \fBrlm_sql\fP module with the
rlm_sql_null driver logging to disk.. The module must be configured in
the \fBradiusd\fP server before you can use \fBradsqlrelay\fP.
.SH OPTIONS
.IP "\-?"
......@@ -86,8 +86,5 @@ db.domain.tld =
)
.DE
.SH SEE ALSO
.BR rlm_sql_log (5)
.SH AUTHOR
Nicolas Baradakis <nicolas.baradakis@cegetel.net>
......@@ -5,6 +5,7 @@
*.p12
*.old
*.attr
*.crl
dh
index.txt
random
......
......@@ -34,7 +34,7 @@ all: index.txt serial dh server ca client
client: client.pem
.PHONY: ca
ca: ca.der
ca: ca.der ca.crl
.PHONY: server
server: server.pem server.vrfy
......@@ -70,12 +70,18 @@ ca.key ca.pem: ca.cnf
@[ -f index.txt ] || $(MAKE) index.txt
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
chmod g+r ca.key
ca.der: ca.pem
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
ca.crl: ca.pem
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
######################################################################
#
# Create a new server certificate, signed by the above CA.
......@@ -176,4 +182,4 @@ clean:
#
destroycerts:
rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \
serial* *\.0 *\.1
serial* *\.0 *\.1 ca-crl.pem ca.crl
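Review bot: The new `ca.crl: ca.pem` rule lists only ca.pem as a prerequisite, but the CRL's content comes from the CA database (index.txt, assuming ca.cnf points `database` there) and it is signed with ca.key, so after a revocation `make ca` regards ca.crl as up to date and never regenerates it; `ca.crl: ca.pem ca.key index.txt` fixes that. The first recipe line passes the passphrase with the legacy `-key $(PASSWORD_CA)` while the `ca.key ca.pem` rule above uses `-passin pass:$(PASSWORD_CA)`; use the same `-passin` form in both, and note that any `pass:` source is visible in the process list, so `-passin env:` or `-passin file:` is preferable wherever the key is more than this example CA's. The trailing `rm ca-crl.pem` should be `$(RM) ca-crl.pem` so a rerun after an interrupted build does not fail on a missing intermediate; the destroycerts change already covers the leftover file.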
......@@ -180,6 +180,9 @@ $ openssl speed rsa2048
The certificates created using this method are known to be compatible
with ALL operating systems. Some common issues are:
- iOS 13 has stringent new requirements on certificates. See:
https://support.apple.com/en-us/HT210176
- Windows requires certain OIDs in the certificates. If it doesn't
see them, it will stop doing EAP. The most visible effect is
that the client starts EAP, gets a few Access-Challenge packets,
......
......@@ -43,6 +43,7 @@ distinguished_name = server
default_bits = 2048
input_password = whatever
output_password = whatever
req_extensions = v3_req
[server]
countryName = FR
......@@ -52,3 +53,17 @@ organizationName = Example Inc.
emailAddress = admin@example.org
commonName = "Example Server Certificate"
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
# This should be a host name of the RADIUS server.
# Note that the host name is exchanged in EAP *before*
# the user machine has network access. So the host name
# here doesn't really have to match anything in DNS.
[alt_names]
DNS.1 = radius.example.com
# NAIRealm from RFC 7585
otherName.0 = 1.3.6.1.5.5.7.8.8;FORMAT:UTF8,UTF8:*.example.com
#
# File containing the OIDs required for Windows.
# File containing the OIDs required for Windows
# and iOS
#
# http://support.microsoft.com/kb/814394/en-us
#
# https://support.apple.com/en-us/HT210176
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
crlDistributionPoints = URI:http://www.example.com/example_ca.crl
......
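Review bot: `req_extensions = v3_req` only places basicConstraints, keyUsage and the subjectAltName into the CSR; when the CA signs it with `openssl ca`, the certificate's extensions come from the `-extensions` section named at signing time and the CSR's own extensions are discarded unless ca.cnf sets `copy_extensions = copy`. If ca.cnf (not in this hunk) lacks that setting, the issued server certificate carries no SAN and the iOS 13 requirement this change targets is silently unmet; either add `copy_extensions = copy` to ca.cnf or put `subjectAltName = @alt_names` in the extension section the signing step uses, and verify with `openssl x509 -text` that the SAN is present in the result. The comment block above `[alt_names]` explains why the name need not resolve in DNS but not that it must be edited; add `# Change this to the real host name before running make` above `DNS.1 = radius.example.com`.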
......@@ -77,3 +77,40 @@ method described above.
Once the module is enabled, it will automatically be used in the
default configuration.
Multiple Instances
------------------
It is sometimes necessary to have the same module do two different
things. The server supports this functionality via "instances" of
modules.
Normally, a module configuration looks like this:
sql {
... sql stuff ...
}
This module is then refereed to as the "sql" module.
But what happens if you want to connect to two different SQL
databases? The solution is simple; copy the "sql" module
configuration, and add an instance name after the "sql" string:
sql mysql1 {
... configuration for connecting to mysql11 ...
}
sql mysql2 {
... configuration for connecting to mysql12 ...
}
This configuration says "load the SQL module, but create two copies of
it, with different configurations". The different configurations can
be referred to by name, as "mysql1" and "mysql2". That is, anywhere
you would normally use "sql", you could use either "mysql1" or
"mysql2".
For further examples of using module instances, see the "attr_filter"
module configuration in this directory.