Add relax-filter check item to override the relaxed config item on a filter by filter...

diff --git a/man/man5/rlm_attr_filter.5 b/man/man5/rlm_attr_filter.5
index ce4116865b93826e2f5f7ea298bb41a7c138d86b..7845c6cce498050b0c059b877215bbfb63ecaaa6 100644 (file)
--- a/man/man5/rlm_attr_filter.5
+++ b/man/man5/rlm_attr_filter.5
@@ -113,7 +113,9 @@ attribute that exists in the request.  Note that the module always
 keys off of attributes in the request, and NOT in any other packet.
 .IP relaxed
 If set to 'yes', then attributes which do not match any filter rules
-explicitly, will also be allowed. The default is 'no'.
+explicitly, will also be allowed. This behaviour may be overridden 
+for an individual filter block using the Relax-Filter check item.
+The default for this configuration item is 'no'.
 .PP
 .SH SECTIONS
 .IP preacct

diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index e0b5dd291cce2fdd0bc05578654b7053c1baaf38..15ac53ecfbe06c25f517a559c268541a6d65de5f 100644 (file)
--- a/share/dictionary.freeradius.internal
+++ b/share/dictionary.freeradius.internal
@@ -12,6 +12,7 @@
 
 #      These attributes CAN go in the reply item list.
 ATTRIBUTE      Fall-Through                            500     integer
+ATTRIBUTE      Relax-Filter                            501     integer
 ATTRIBUTE      Exec-Program                            502     string
 ATTRIBUTE      Exec-Program-Wait                       503     string
 
@@ -470,6 +471,9 @@ VALUE       Post-Auth-Type                  Local                   0
 VALUE  Fall-Through                    No                      0
 VALUE  Fall-Through                    Yes                     1
 
+VALUE  Relax-Filter                    No                      0
+VALUE  Relax-Filter                    Yes                     1
+
 VALUE  Strip-User-Name                 No                      0
 VALUE  Strip-User-Name                 Yes                     1
 

diff --git a/src/include/radius.h b/src/include/radius.h
index 34bcb6d88ee002c478158860b4c8567cef407e71..8020fd5a883cf4a28f848199cec0509f709df16f 100644 (file)
--- a/src/include/radius.h
+++ b/src/include/radius.h
@@ -132,6 +132,7 @@
 #define PW_DIGEST_ATTRIBUTES           207
 
 #define PW_FALL_THROUGH                        500
+#define PW_RELAX_FILTER                        501
 #define PW_EXEC_PROGRAM                        502
 #define PW_EXEC_PROGRAM_WAIT           503
 

diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c
index b32cbb67ed0d3230ecd1171634cf9286e3688e6b..5439ccdb3a97eec289d0e2cbc05aee3a522d12f4 100644 (file)
--- a/src/modules/rlm_attr_filter/rlm_attr_filter.c
+++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c
@@ -214,6 +214,7 @@ static int attr_filter_common(void *instance, REQUEST *request,
         */
        for (pl = inst->attrs; pl; pl = pl->next) {
                int fall_through = 0;
+               int relax_filter = inst->relaxed;
 
                /*
                 *  If the current entry is NOT a default,
@@ -225,18 +226,26 @@ static int attr_filter_common(void *instance, REQUEST *request,
                    continue;
                }
 
-               DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name,
+               DEBUG2("attr_filter: Matched entry %s at line %d", pl->name,
                       pl->lineno);
                found = 1;
 
                for (check_item = pl->check;
-                    check_item != NULL;
-                    check_item = check_item->next) {
+                       check_item != NULL;
+                       check_item = check_item->next) {
                        if ((check_item->attribute == PW_FALL_THROUGH) &&
-                           (check_item->vp_integer == 1)) {
+                               (check_item->vp_integer == 1)) {
                                fall_through = 1;
                                continue;
                        }
+                       else if (check_item->attribute == PW_RELAX_FILTER) {
+                               if ( check_item->vp_integer != inst->relaxed ) {
+                                       DEBUG3("attr_filter: Overriding relaxed config-item with check-item value %d",
+                                               check_item->vp_integer);
+                                       relax_filter = check_item->vp_integer;
+                               }
+                               continue;
+                       }
 
                        /*
                         *    If it is a SET operator, add the attribute to
@@ -278,8 +287,8 @@ static int attr_filter_common(void *instance, REQUEST *request,
                                 *      is always true.
                                 */
                                if ((check_item->attribute == PW_VENDOR_SPECIFIC) &&
-                                   (vp->vendor != 0) &&
-                                   (check_item->operator == T_OP_CMP_TRUE)) {
+                                       (vp->vendor != 0) &&
+                                       (check_item->operator == T_OP_CMP_TRUE)) {
                                        pass++;
                                        continue;
                                }
@@ -295,7 +304,10 @@ static int attr_filter_common(void *instance, REQUEST *request,
                         *  or if the config says we should copy unmatched
                         *  attributes ('relaxed' mode).
                         */
-                       if (fail == 0 && (pass > 0 || inst->relaxed)) {
+                       if (fail == 0 && (pass > 0 || relax_filter)) {
+                               if (!pass) {
+                                       DEBUG3("attr_filter: Attribute (%s) allowed by relaxed mode", vp->name);
+                               }
                                *output_tail = paircopyvp(vp);
                                if (!*output_tail) {
                                        pairfree(&output);