Add relax-filter check item to override the relaxed config item on a filter by filter...

Conflicts:

	src/modules/rlm_attr_filter/rlm_attr_filter.c

diff --git a/man/man5/rlm_attr_filter.5 b/man/man5/rlm_attr_filter.5
index ce4116865b93826e2f5f7ea298bb41a7c138d86b..7845c6cce498050b0c059b877215bbfb63ecaaa6 100644 (file)
--- a/man/man5/rlm_attr_filter.5
+++ b/man/man5/rlm_attr_filter.5
@@ -113,7 +113,9 @@ attribute that exists in the request.  Note that the module always
 keys off of attributes in the request, and NOT in any other packet.
 .IP relaxed
 If set to 'yes', then attributes which do not match any filter rules
-explicitly, will also be allowed. The default is 'no'.
+explicitly, will also be allowed. This behaviour may be overridden 
+for an individual filter block using the Relax-Filter check item.
+The default for this configuration item is 'no'.
 .PP
 .SH SECTIONS
 .IP preacct

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index f644e1989ba24abe47bffd4a324ed6269ebe7cc3..a2ce7557e1f8eb52b9bb917b50986f34713d63de 100644 (file)
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -12,6 +12,7 @@
 
 #      These attributes CAN go in the reply item list.
 ATTRIBUTE      Fall-Through                            500     integer
+ATTRIBUTE      Relax-Filter                            501     integer
 ATTRIBUTE      Exec-Program                            502     string
 ATTRIBUTE      Exec-Program-Wait                       503     string
 
@@ -465,6 +466,9 @@ VALUE       Post-Auth-Type                  Local                   0
 VALUE  Fall-Through                    No                      0
 VALUE  Fall-Through                    Yes                     1
 
+VALUE  Relax-Filter                    No                      0
+VALUE  Relax-Filter                    Yes                     1
+
 VALUE  Strip-User-Name                 No                      0
 VALUE  Strip-User-Name                 Yes                     1
 

diff --git a/src/include/radius.h b/src/include/radius.h
index 3cf50282310a0b9ee24185a9c8726d9dda24d9db..e7dcfae21f31e6bf9dbbf97ed066e7b42ffd5559 100644 (file)
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -127,6 +127,7 @@
 #define PW_DIGEST_ATTRIBUTES           207
 
 #define PW_FALL_THROUGH                        500
+#define PW_RELAX_FILTER                        501
 #define PW_EXEC_PROGRAM                        502
 #define PW_EXEC_PROGRAM_WAIT           503
 

diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c
index b4dbd04db09a092e9ef4a3fa191697ab0edd5882..2c5cd3d5d65a9d74a9d89ab959678540caa3f255 100644 (file)
--- a/src/modules/rlm_attr_filter/rlm_attr_filter.c
+++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c
@@ -214,6 +214,7 @@ static int attr_filter_common(void *instance, REQUEST *request,
         */
        for (pl = inst->attrs; pl; pl = pl->next) {
                int fall_through = 0;
+               int relax_filter = inst->relaxed;
 
                /*
                 *  If the current entry is NOT a default,
@@ -225,18 +226,26 @@ static int attr_filter_common(void *instance, REQUEST *request,
                    continue;
                }
 
-               DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
+               DEBUG2("attr_filter: Matched entry %s at line %d", pl->name,
                       pl->lineno);
                found = 1;
 
                for (check_item = pl->check;
-                    check_item != NULL;
-                    check_item = check_item->next) {
+                       check_item != NULL;
+                       check_item = check_item->next) {
                        if ((check_item->attribute == PW_FALL_THROUGH) &&
-                           (check_item->vp_integer == 1)) {
+                               (check_item->vp_integer == 1)) {
                                fall_through = 1;
                                continue;
                        }
+                       else if (check_item->attribute == PW_RELAX_FILTER) {
+                               if ( check_item->vp_integer != inst->relaxed ) {
+                                       DEBUG3("attr_filter: Overriding relaxed config-item with check-item value %d",
+                                               check_item->vp_integer);
+                                       relax_filter = check_item->vp_integer;
+                               }
+                               continue;
+                       }
 
                        /*
                         *    If it is a SET operator, add the attribute to
@@ -295,7 +304,10 @@ static int attr_filter_common(void *instance, REQUEST *request,
                         *  or if the config says we should copy unmatched
                         *  attributes ('relaxed' mode).
                         */
-                       if (fail == 0 && (pass > 0 || inst->relaxed)) {
+                       if (fail == 0 && (pass > 0 || relax_filter)) {
+                               if (!pass) {
+                                       DEBUG3("attr_filter: Attribute (%s) allowed by relaxed mode", vp->name);
+                               }
                                *output_tail = paircopyvp(vp);
                                if (!*output_tail) {
                                        pairfree(&output);