add @policy example with pre/post proxy

Hmm... the "conf2adoc" functionality doesn't put the configuration
in-line for @policy statements.  We'll have to edit that, and then
regenerate the examples

diff --git a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc
index 8c3ffaeea20db1079543a6e15ec0e1152f533ddb..44ae95ff9c63332f6084bd109d7585a4cedc8b31 100644 (file)
--- a/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc
+++ b/doc/antora/modules/reference/pages/raddb/mods-available/radius.adoc
@@ -902,6 +902,52 @@ the connection.
 
 
 
+
+## Policy Over-rides
+
+The proxy policy overrides enables functionality similar to the
+version 3 pre/post-proxy sections.
+
+
+
+Create a subrequest which we can edit.  When the subrequest
+section is done,
+
+
+Initialize the proxied packet from the request.
+
+This is the "pre-proxy" section.
+
+
+
+Run the "radius proxy" module noted above.
+
+
+
+Edit the reply from the home server here.
+
+This is the "post-proxy" section.
+
+Note that the Proxy-State attributes have already
+been deleted from the reply, so you don't need to
+do that here.  Those attributes are not needed by
+anyone for anything, and confuse things if they're
+copied to the original request.  The `radius`
+module therefore deletes them, to make your life
+easier.
+
+
+
+Like v3, remove all pre-existing attributes in the
+original reply, and replace them with the reply
+from the home server.
+
+It is also possible to copy over some, or none of
+the attributes in the reply from the home server.
+The configuration here is just an example, and can
+be edited.
+
+
 == Default Configuration
 
 ```
@@ -1047,6 +1093,13 @@ radius proxy {
                }
        }
 }
+@policy proxy {
+       subrequest {
+               request := parent.request
+               proxy
+               parent.reply := reply
+       }
+}
 ```
 
 // Copyright (C) 2025 Network RADIUS SAS.  Licenced under CC-by-NC 4.0.

diff --git a/raddb/mods-available/radius b/raddb/mods-available/radius
index dfd64ebcd59f47c90d2839caac997d9b74395db4..ad9cf6bbe14886734adcc1b04200b5afd5341002 100644 (file)
--- a/raddb/mods-available/radius
+++ b/raddb/mods-available/radius
@@ -1047,3 +1047,57 @@ radius proxy {
 
        }
 }
+
+
+#
+#  ## Policy Over-rides
+#
+#  The proxy policy overrides enables functionality similar to the
+#  version 3 pre/post-proxy sections.
+#
+
+@policy proxy {
+       #
+       #  Create a subrequest which we can edit.  When the subrequest
+       #  section is done,
+       #
+       subrequest {
+               #
+               #  Initialize the proxied packet from the request.
+               #
+               #  This is the "pre-proxy" section.
+               #
+               request := parent.request
+
+               #
+               #  Run the "radius proxy" module noted above.
+               #
+               proxy
+
+               #
+               #  Edit the reply from the home server here.
+               #
+               #  This is the "post-proxy" section.
+               #
+               #  Note that the Proxy-State attributes have already
+               #  been deleted from the reply, so you don't need to
+               #  do that here.  Those attributes are not needed by
+               #  anyone for anything, and confuse things if they're
+               #  copied to the original request.  The `radius`
+               #  module therefore deletes them, to make your life
+               #  easier.
+               #
+
+               #
+               #  Like v3, remove all pre-existing attributes in the
+               #  original reply, and replace them with the reply
+               #  from the home server.
+               #
+               #  It is also possible to copy over some, or none of
+               #  the attributes in the reply from the home server.
+               #  The configuration here is just an example, and can
+               #  be edited.
+               #
+               parent.reply := reply
+       }
+}