From: Arran Cudbard-Bell Date: Mon, 4 Jul 2011 08:47:04 +0000 (+0200) Subject: Add relax-filter check item to override the relaxed config item on a filter by filter... X-Git-Tag: release_2_1_12~78 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0910124d64118680e72254e28f3b070f36bb3e22;p=thirdparty%2Ffreeradius-server.git Add relax-filter check item to override the relaxed config item on a filter by filter basis Conflicts: src/modules/rlm_attr_filter/rlm_attr_filter.c --- diff --git a/man/man5/rlm_attr_filter.5 b/man/man5/rlm_attr_filter.5 index ce4116865b9..7845c6cce49 100644 --- a/man/man5/rlm_attr_filter.5 +++ b/man/man5/rlm_attr_filter.5 @@ -113,7 +113,9 @@ attribute that exists in the request. Note that the module always keys off of attributes in the request, and NOT in any other packet. .IP relaxed If set to 'yes', then attributes which do not match any filter rules -explicitly, will also be allowed. The default is 'no'. +explicitly, will also be allowed. This behaviour may be overridden +for an individual filter block using the Relax-Filter check item. +The default for this configuration item is 'no'. .PP .SH SECTIONS .IP preacct diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal index f644e1989ba..a2ce7557e1f 100644 --- a/share/dictionary.freeradius.internal +++ b/share/dictionary.freeradius.internal @@ -12,6 +12,7 @@ # These attributes CAN go in the reply item list. ATTRIBUTE Fall-Through 500 integer +ATTRIBUTE Relax-Filter 501 integer ATTRIBUTE Exec-Program 502 string ATTRIBUTE Exec-Program-Wait 503 string @@ -465,6 +466,9 @@ VALUE Post-Auth-Type Local 0 VALUE Fall-Through No 0 VALUE Fall-Through Yes 1 +VALUE Relax-Filter No 0 +VALUE Relax-Filter Yes 1 + VALUE Strip-User-Name No 0 VALUE Strip-User-Name Yes 1 diff --git a/src/include/radius.h b/src/include/radius.h index 3cf50282310..e7dcfae21f3 100644 --- a/src/include/radius.h +++ b/src/include/radius.h 
@@ -127,6 +127,7 @@ #define PW_DIGEST_ATTRIBUTES 207 #define PW_FALL_THROUGH 500 +#define PW_RELAX_FILTER 501 #define PW_EXEC_PROGRAM 502 #define PW_EXEC_PROGRAM_WAIT 503 diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c index b4dbd04db09..2c5cd3d5d65 100644 --- a/src/modules/rlm_attr_filter/rlm_attr_filter.c +++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c @@ -214,6 +214,7 @@ static int attr_filter_common(void *instance, REQUEST *request, */ for (pl = inst->attrs; pl; pl = pl->next) { int fall_through = 0; + int relax_filter = inst->relaxed; /* * If the current entry is NOT a default, @@ -225,18 +226,26 @@ static int attr_filter_common(void *instance, REQUEST *request, continue; } - DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name, + DEBUG2("attr_filter: Matched entry %s at line %d", pl->name, pl->lineno); found = 1; for (check_item = pl->check; - check_item != NULL; - check_item = check_item->next) { + check_item != NULL; + check_item = check_item->next) { if ((check_item->attribute == PW_FALL_THROUGH) && - (check_item->vp_integer == 1)) { + (check_item->vp_integer == 1)) { fall_through = 1; continue; } + else if (check_item->attribute == PW_RELAX_FILTER) { + if ( check_item->vp_integer != inst->relaxed ) { + DEBUG3("attr_filter: Overriding relaxed config-item with check-item value %d", + check_item->vp_integer); + relax_filter = check_item->vp_integer; + } + continue; + } /* * If it is a SET operator, add the attribute to @@ -295,7 +304,10 @@ static int attr_filter_common(void *instance, REQUEST *request, * or if the config says we should copy unmatched * attributes ('relaxed' mode). */ - if (fail == 0 && (pass > 0 || inst->relaxed)) { + if (fail == 0 && (pass > 0 || relax_filter)) { + if (!pass) { + DEBUG3("attr_filter: Attribute (%s) allowed by relaxed mode", vp->name); + } *output_tail = paircopyvp(vp); if (!*output_tail) { pairfree(&output);
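Review bot: In the new `PW_RELAX_FILTER` branch, `relax_filter = check_item->vp_integer;` copies the raw attribute value, so any non-zero integer puts the entry into relaxed mode, whereas the `PW_FALL_THROUGH` test just above accepts only `== 1`. The dictionary in this commit defines only No (0) and Yes (1), and for a filter it is safer to fail closed on anything else, e.g. `relax_filter = (check_item->vp_integer == 1);`. The `!= inst->relaxed` comparison that gates the DEBUG3 message has the same weakness if `inst->relaxed` is a 0/1 config boolean (its declaration is outside the hunk). The `%d` in that DEBUG3 call presumably receives an unsigned value, so `%u` may be the matching specifier. The enclosing loop in `attr_filter_common` starts and ends outside this hunk.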
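Review bot: The comment above the changed condition in the last hunk still says unmatched attributes are copied only when "the config says" so, but `relax_filter` can now come from a per-entry Relax-Filter check item instead of `inst->relaxed`. I would reword the comment to something like `* or if relaxed mode is in effect for this entry (module config, or a Relax-Filter check item overriding it).`. This is the branch where an attribute passes without matching any rule, so it may also be worth logging at the level of the "Matched entry" message (`DEBUG2`), which would make a permissive override visible in ordinary debug output. The surrounding loop body continues outside the hunk.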