From: Jorge Pereira Date: Tue, 16 Aug 2022 01:27:10 +0000 (-0300) Subject: More "update {....}" to edit against policy.d/* X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1a4c54a3636a9faf4a267f89e4d3a7035a543cce;p=thirdparty%2Ffreeradius-server.git More "update {....}" to edit against policy.d/* --- diff --git a/raddb/policy.d/abfab-tr b/raddb/policy.d/abfab-tr index 37c001340fa..816ac5f6313 100644 --- a/raddb/policy.d/abfab-tr +++ b/raddb/policy.d/abfab-tr @@ -15,9 +15,8 @@ abfab_psk_authorize { # do things here } else { - update reply { - &Reply-Message = "RP not authorized for this ABFAB request" - } + &reply.Reply-Message = "RP not authorized for this ABFAB request" + reject } } @@ -27,25 +26,20 @@ abfab_client_check { # check that the acceptor host name is correct if ("%(client:gss_acceptor_host_name)" && &GSS-acceptor-host-name) { if ("%(client:gss_acceptor_host_name)" != "%{gss-acceptor-host-name}") { - update reply { - &Reply-Message = "GSS-Acceptor-Host-Name incorrect" - } + &reply.Reply-Message = "GSS-Acceptor-Host-Name incorrect" + reject } } # set trust-router-coi attribute from the client configuration if ("%(client:trust_router_coi)") { - update request { - &Trust-Router-COI := "%(client:trust_router_coi)" - } + &request.Trust-Router-COI := "%(client:trust_router_coi)" } # set gss-acceptor-realm-name attribute from the client configuration if ("%(client:gss_acceptor_realm_name)") { - update request { - &GSS-Acceptor-Realm-Name := "%(client:gss_acceptor_realm_name)" - } + &request.GSS-Acceptor-Realm-Name := "%(client:gss_acceptor_realm_name)" } } @@ -65,9 +59,7 @@ abfab_channel_bindings { } if (&GSS-Acceptor-Service-Name || &GSS-Acceptor-Realm-Name || &GSS-Acceptor-Host-Name) { - update control { - &Chbind-Response-Code := success - } + &control.Chbind-Response-Code := success # # ACK the attributes in the request. @@ -75,11 +67,9 @@ abfab_channel_bindings { # If any one of these attributes don't exist in the request, # then they won't be copied to the reply. # - update reply { - &GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name - &GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name - &GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name - } + &reply.GSS-Acceptor-Service-Name = &GSS-Acceptor-Service-Name + &reply.GSS-Acceptor-Host-Name = &GSS-Acceptor-Host-Name + &reply.GSS-Acceptor-Realm-Name = &GSS-Acceptor-Realm-Name } # diff --git a/raddb/policy.d/accounting b/raddb/policy.d/accounting index 38789616a99..dd721539619 100644 --- a/raddb/policy.d/accounting +++ b/raddb/policy.d/accounting @@ -52,9 +52,7 @@ acct_unique { # wireless environment). # if ("%{string:Class}" =~ /${policy.class_value_prefix}([0-9a-f]{32})/i) { - update request { - &Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{1},%{Acct-Session-ID}}}}" - } + &request.Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{1},%{Acct-Session-ID}}}}" } # @@ -64,23 +62,17 @@ acct_unique { # is not included # else { - update request { - &Acct-Unique-Session-Id := "%{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}}" - } + &request.Acct-Unique-Session-Id := %{hex:%{md5:%{string:%{User-Name},%{Acct-Multi-Session-ID},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}}} } - update request { - &Tmp-String-9 !* ANY - } + &request -= &Tmp-String-9[*] } # # Insert a (hopefully unique) value into class # insert_acct_class { - update reply { - &Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}" - } + &reply.Class = "${policy.class_value_prefix}%{md5:%t,%I,%{Packet-Src-Port},%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}},%{NAS-IP-Address},%{Calling-Station-ID},%{User-Name}}" } # @@ -90,24 +82,16 @@ insert_acct_class { # acct_counters64.preacct { if (!&Acct-Input-Gigawords) { - update request { - &Acct-Input-Octets64 := "%{%{Acct-Input-Octets}:-0}" - } + &request.Acct-Input-Octets64 := "%{%{Acct-Input-Octets}:-0}" } else { - update request { - &Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" - } + &request.Acct-Input-Octets64 = "%{expr:(&Acct-Input-Gigawords << 32) | &Acct-Input-Octets}" } if (!&Acct-Output-Gigawords) { - update request { - &Acct-Output-Octets64 := "%{%{Acct-Output-Octets}:-0}" - } + &request.Acct-Output-Octets64 := "%{%{Acct-Output-Octets}:-0}" } else { - update request { - &Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" - } + &request.Acct-Output-Octets64 = "%{expr:(&Acct-Output-Gigawords << 32) | &Acct-Output-Octets}" } } diff --git a/raddb/policy.d/canonicalisation b/raddb/policy.d/canonicalisation index 96f39497ed1..9d42a006312 100644 --- a/raddb/policy.d/canonicalisation +++ b/raddb/policy.d/canonicalisation @@ -18,17 +18,14 @@ nai_regexp = '^([^@]*)(@([-[:alnum:]]+\.[-[:alnum:].]+))?$' split_username_nai { if (&User-Name && (&User-Name =~ /${policy.nai_regexp}/)) { - update request { - &Stripped-User-Name := "%{1}" - } + &request.Stripped-User-Name := "%{1}" + # Only add the Stripped-User-Domain attribute if # we have a domain. This means presence checks # for Stripped-User-Domain work. if ("%{3}" != '') { - update request { - &Stripped-User-Domain = "%{3}" - } + &request.Stripped-User-Domain = "%{3}" } # If any of the expansions result in a null @@ -55,15 +52,11 @@ mac-addr-regexp = '([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^ # rewrite_called_station_id { if (&Called-Station-Id && (&Called-Station-Id =~ /^${policy.mac-addr-regexp}([^0-9a-f](.+))?$/i)) { - update request { - &Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" - } + &request.Called-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" # SSID component? if ("%{8}") { - update request { - &Called-Station-SSID := "%{8}" - } + &request.Called-Station-SSID := "%{8}" } updated } @@ -81,13 +74,11 @@ rewrite_called_station_id { # rewrite_calling_station_id { if (&Calling-Station-Id && (&Calling-Station-Id =~ /^${policy.mac-addr-regexp}$/i)) { - update request { - &Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" - } + &request.Calling-Station-Id := "%{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}" + updated } else { noop } } - diff --git a/raddb/policy.d/control b/raddb/policy.d/control index b890a8f3092..1393c052a34 100644 --- a/raddb/policy.d/control +++ b/raddb/policy.d/control @@ -3,9 +3,8 @@ # then use the "do_not_respond" policy. # do_not_respond { - update reply { - &Packet-Type := Do-Not-Respond - } + &reply.Packet-Type := Do-Not-Respond + handled } @@ -13,9 +12,8 @@ do_not_respond { # Send Access-Accept immediately # accept { - update reply { - &Packet-Type := Access-Accept - } + &reply.Packet-Type := Access-Accept + handled } @@ -23,9 +21,8 @@ accept { # Send Access-Challenge immediately # challenge { - update reply { - &Packet-Type := Access-Challenge - } + &reply.Packet-Type := Access-Challenge + handled } @@ -33,9 +30,8 @@ challenge { # Send an Accounting-Response immediately # acct_response { - update reply { - &Packet-Type := Accounting-Response - } + &reply.Packet-Type := Accounting-Response + handled } @@ -46,10 +42,9 @@ acct_response { # include the original packet code in the reply. # protocol_error { - update reply { - &Packet-Type := Accounting-Response - &Original-Packet-Code := "%{Packet-Type}" - } + &reply.Packet-Type := Accounting-Response + &reply.Original-Packet-Code := "%{Packet-Type}" + handled } @@ -57,8 +52,7 @@ protocol_error { # Discard the packet without replying # discard { - update reply { - &Packet-Type := Do-Not-Respond - } + &reply.Packet-Type := Do-Not-Respond + handled } diff --git a/raddb/policy.d/cui b/raddb/policy.d/cui index 4cfbc68ea2d..93f20f141e4 100644 --- a/raddb/policy.d/cui +++ b/raddb/policy.d/cui @@ -40,9 +40,7 @@ cui_require_operator_name = "no" # cui.authorize { if ("%(client:add_cui)" == 'yes') { - update request { - &Chargeable-User-Identity := 0x00 - } + &request.Chargeable-User-Identity := 0x00 } } @@ -56,9 +54,7 @@ cui.authorize { cui.post-auth { if (!&control.Proxy-To-Realm && &Chargeable-User-Identity && !&reply.Chargeable-User-Identity && (&Operator-Name || ('${policy.cui_require_operator_name}' != 'yes')) ) { - update reply { - &Chargeable-User-Identity = "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}}" - } + &reply.Chargeable-User-Identity = %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{Operator-Name}:-}}} } # @@ -71,9 +67,8 @@ cui.post-auth { # if (&reply.Chargeable-User-Identity) { # Force User-Name to be the User-Name from the request - update { - &reply.User-Name := &request.User-Name - } + &reply.User-Name := &request.User-Name + cuisql } } @@ -82,9 +77,7 @@ cui.post-auth { cui-inner.post-auth { if (&outer.request.Chargeable-User-Identity && \ (&outer.request.Operator-Name || ('${policy.cui_require_operator_name}' != 'yes'))) { - update reply { - &Chargeable-User-Identity := "%{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request.Operator-Name}:-}}}" - } + &reply.Chargeable-User-Identity := %{sha1:${policy.cui_hash_key}%{tolower:%{User-Name}%{%{outer.request.Operator-Name}:-}}} } } @@ -100,13 +93,11 @@ cui.accounting { # in the DB. # if (!&Chargeable-User-Identity) { - update request { - &Chargeable-User-Identity := "%{cuisql:\ + &request.Chargeable-User-Identity := %{cuisql:\ SELECT cui FROM cui \ WHERE clientipaddress = '%{%{Packet-Src-IPv6-Address}:-%{Packet-Src-IP-Address}}' \ AND callingstationid = '%{Calling-Station-Id}' \ - AND username = '%{User-Name}'}" - } + AND username = '%{User-Name}'} } # diff --git a/raddb/policy.d/dhcp b/raddb/policy.d/dhcp index db0d4536d24..5a5b15222aa 100644 --- a/raddb/policy.d/dhcp +++ b/raddb/policy.d/dhcp @@ -3,13 +3,11 @@ dhcp_common { # The contents here are invented. Change them! # Lease time is referencing the lease time set in the # named module instance configuration - update reply { - &Domain-Name-Server = 127.0.0.1 - &Domain-Name-Server = 127.0.0.2 - &Subnet-Mask = 255.255.255.0 - &Router-Address = 192.0.2.1 - &IP-Address-Lease-Time = 7200 -# &IP-Address-Lease-Time = "${modules.sqlippool[dhcp_sqlippool].lease_duration}" - &Server-Identifier = &control.Server-Identifier - } + &reply.Domain-Name-Server = 127.0.0.1 + &reply.Domain-Name-Server = 127.0.0.2 + &reply.Subnet-Mask = 255.255.255.0 + &reply.Router-Address = 192.0.2.1 + &reply.IP-Address-Lease-Time = 7200 +# &reply.IP-Address-Lease-Time = "${modules.sqlippool[dhcp_sqlippool].lease_duration}" + &reply.Server-Identifier = &control.Server-Identifier } diff --git a/raddb/policy.d/eap b/raddb/policy.d/eap index 0309e83ae69..0800c0f72b7 100644 --- a/raddb/policy.d/eap +++ b/raddb/policy.d/eap @@ -8,14 +8,11 @@ Xeap.authorize { # Expire previous cache entry # if (&control.State) { - update control { - &Cache-TTL := 0 - } + &control.Cache-TTL := 0 + cache_eap - update control { - &State !* ANY - } + &control -= &State[*] } handled @@ -74,9 +71,7 @@ permit_only_eap { # remove_reply_message_if_eap { if (&reply.EAP-Message && &reply.Reply-Message) { - update reply { - &Reply-Message !* ANY - } + &reply -= &Reply-Message[*] } else { noop @@ -91,10 +86,8 @@ remove_reply_message_if_eap { # to copy now have to be explicitly listed. # copy_request_to_tunnel { - update request { - Calling-Station-Id = &outer.request.Calling-Station-Id - Called-Station-Id = &outer.request.Called-Station-Id - } + &request.Calling-Station-Id = &outer.request.Calling-Station-Id + &request.Called-Station-Id = &outer.request.Called-Station-Id } # @@ -109,16 +102,7 @@ use_tunneled_reply { # These attributes are for the inner-tunnel only, # and MUST NOT be copied to the outer reply. # - update reply { - User-Name !* ANY - Message-Authenticator !* ANY - EAP-Message !* ANY - Proxy-State !* ANY - MS-CHAP-NT-Enc-PW !* ANY - MS-MPPE-Encryption-Types !* ANY - MS-MPPE-Send-Key !* ANY - MS-MPPE-Recv-Key !* ANY - } + &reply -= &User-Name[*] # # Copy the remaining inner reply attributes to the outer @@ -129,8 +113,6 @@ use_tunneled_reply { # 'send Access-Accept' policy in sites-available/default will # copy the outer session-state list to the final reply. # - update { - &outer.session-state. += &reply - } + &outer.session-state += &reply } diff --git a/raddb/policy.d/filter b/raddb/policy.d/filter index f8443a4171c..b5733e06bec 100644 --- a/raddb/policy.d/filter +++ b/raddb/policy.d/filter @@ -19,15 +19,15 @@ filter_username { if (&State) { if (&User-Name) { if (!&session-state.Session-State-User-Name) { - update request { - &Module-Failure-Message += 'No cached session-state.Session-State-User-Name' + &request += { + &Module-Failure-Message = "No cached session-state.Session-State-User-Name" } reject } if (&User-Name != &session-state.Session-State-User-Name) { - update request { - &Module-Failure-Message += 'User-Name does not match cached session-state.Session-State-User-Name' + &request += { + &Module-Failure-Message = "User-Name does not match cached session-state.Session-State-User-Name" } reject } @@ -46,8 +46,8 @@ filter_username { # e.g. "user@ site.com", or "us er", or " user", or "user " # if (&User-Name =~ / /) { - update request { - &Module-Failure-Message += 'User-Name contains whitespace' + &request += { + &Module-Failure-Message = "User-Name contains whitespace" } reject } @@ -57,8 +57,8 @@ filter_username { # e.g. "user@site.com@site.com" # if (&User-Name =~ /@[^@]*@/ ) { - update request { - &Module-Failure-Message += 'Multiple @ in User-Name' + &request += { + &Module-Failure-Message = "Multiple @ in User-Name" } reject } @@ -68,8 +68,8 @@ filter_username { # e.g. "user@site..com" # if (&User-Name =~ /\.\./ ) { - update request { - &Module-Failure-Message += 'User-Name contains multiple dots (e.g. user@site..com)' + &request += { + &Module-Failure-Message = "User-Name contains multiple dots (e.g. user@site..com)" } reject } @@ -79,8 +79,8 @@ filter_username { # e.g. "user@site.com" # if ((&User-Name =~ /@/) && (&User-Name !~ /@[^.]+(\.[^.]+)+$/)) { - update request { - &Module-Failure-Message += 'Realm does not have at least one dot separator' + &request += { + &Module-Failure-Message = "Realm does not have at least one dot separator" } reject } @@ -90,8 +90,8 @@ filter_username { # e.g. "user@site.com." # if (&User-Name =~ /\.$/) { - update request { - &Module-Failure-Message += 'Realm ends with a dot' + &request += { + &Module-Failure-Message = "Realm ends with a dot" } reject } @@ -101,15 +101,13 @@ filter_username { # e.g. "user@.site.com" # if (&User-Name =~ /@\./) { - update request { - &Module-Failure-Message += 'Realm begins with a dot' + &request += { + &Module-Failure-Message = "Realm begins with a dot" } reject } - update session-state { - &Session-State-User-Name := &User-Name - } + &session-state.Session-State-User-Name := &User-Name } } @@ -122,10 +120,8 @@ filter_username { filter_password { if (&User-Password && \ (&User-Password != "%{string:User-Password}")) { - update request { - &Tmp-String-0 := "%{string:User-Password}" - &User-Password := "%{string:Tmp-String-0}" - } + &request.Tmp-String-0 := %{string:User-Password} + &request.User-Password := %{string:Tmp-String-0} } } @@ -134,8 +130,8 @@ filter_inner_identity { # No names, reject. # if (!&outer.request.User-Name || !&User-Name) { - update request { - &Module-Failure-Message += "User-Name is required for tunneled authentication" + &request += { + &Module-Failure-Message = "User-Name is required for tunneled authentication" } reject } @@ -152,9 +148,7 @@ filter_inner_identity { # Get the outer realm. # if (&outer.request.User-Name =~ /@([^@]+)$/) { - update request { - &Outer-Realm-Name = "%{1}" - } + &request.Outer-Realm-Name = "%{1}" # # When we have an outer realm name, the user portion @@ -164,8 +158,8 @@ filter_inner_identity { # some vendors don't follow the standards. # if (&outer.request.User-Name !~ /^(anon|@)/) { - update request { - &Module-Failure-Message += "User-Name is not anonymized" + &request += { + &Module-Failure-Message = "User-Name is not anonymized" } reject } @@ -179,8 +173,8 @@ filter_inner_identity { # and we'd have no idea which one was correct. # elsif (&outer.request.User-Name !~ /^anon/) { - update request { - &Module-Failure-Message += "User-Name is not anonymized" + &request += { + &Module-Failure-Message = "User-Name is not anonymized" } reject } @@ -189,9 +183,7 @@ filter_inner_identity { # Get the inner realm. # if (&User-Name =~ /@([^@]+)$/) { - update request { - &Inner-Realm-Name = "%{1}" - } + &request.Inner-Realm-Name = "%{1}" # # Note that we do EQUALITY checks for realm names. @@ -207,8 +199,8 @@ filter_inner_identity { if (&Outer-Realm-Name && \ (&Inner-Realm-Name != &Outer-Realm-Name) && \ (&Inner-Realm-Name !~ /\.%{Outer-Realm-Name}$/)) { - update request { - &Module-Failure-Message += "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." + &request += { + &Module-Failure-Message = "Inner realm '%{Inner-Realm-Name}' and outer realm '%{Outer-Realm-Name}' are not from the same domain." } reject } diff --git a/raddb/policy.d/operator-name b/raddb/policy.d/operator-name index 279e2932dc2..d3abae9b3ad 100644 --- a/raddb/policy.d/operator-name +++ b/raddb/policy.d/operator-name @@ -27,8 +27,6 @@ # operator-name.authorize { if ("%(client:Operator-Name)") { - update request { - &Operator-Name = "%(client:Operator-Name)" - } + &request.Operator-Name = "%(client:Operator-Name)" } } diff --git a/raddb/policy.d/tacacs b/raddb/policy.d/tacacs index 09c097ba206..d79d4b785ac 100644 --- a/raddb/policy.d/tacacs +++ b/raddb/policy.d/tacacs @@ -4,23 +4,18 @@ tacacs_set_authentication_status { if (ok) { - update reply { - &Authentication-Status = Pass - } + &reply.Authentication-Status = Pass } else { - update reply { - &Authentication-Status = Fail - } + &reply.Authentication-Status = Fail } } tacacs_pap { subrequest RADIUS.Access-Request { - update { - &request.User-Name := &parent.request.User-Name - &request.User-Password := &parent.request.Data - &control.Password.Cleartext := &parent.control.Password.Cleartext - } + &request.User-Name := &parent.request.User-Name + &request.User-Password := &parent.request.Data + &control.Password.Cleartext := &parent.control.Password.Cleartext + pap.authorize pap.authenticate } @@ -30,21 +25,20 @@ tacacs_pap { tacacs_chap { subrequest RADIUS.Access-Request { - update { - &request.User-Name := &parent.request.User-Name + &request.User-Name := &parent.request.User-Name + + # + # Data length N is 1 octet of ID, followed by + # N-17 octets of challenge, followed by 16 octets of + # CHAP-Password. + # + # @todo - update code to create these, so that the + # poor user doesn't need to. + # +# &request.CHAP-Password := ... +# &request.CHAP-Challenge := ... + &control.Password.Cleartext := &parent.control.Password.Cleartext - # - # Data length N is 1 octet of ID, followed by - # N-17 octets of challenge, followed by 16 octets of - # CHAP-Password. - # - # @todo - update code to create these, so that the - # poor user doesn't need to. - # -# &request.CHAP-Password := ... -# &request.CHAP-Challenge := ... - &control.Password.Cleartext := &parent.control.Password.Cleartext - } chap.authenticate } @@ -53,21 +47,20 @@ tacacs_chap { tacacs_mschap { subrequest RADIUS.Access-Request { - update { - &request.User-Name := &parent.request.User-Name + &request.User-Name := &parent.request.User-Name + + # + # Data length N is 1 octet of ID, followed by + # N-49 octets of challenge, followed by 49 octets of + # MS-CHAP stuff. + # + # @todo - update code to create these, so that the + # poor user doesn't need to. + # +# &request.MS-CHAP-Challenge := ... +# &request.MS-CHAP-Response := ... + &control.Password.Cleartext := &parent.control.Password.Cleartext - # - # Data length N is 1 octet of ID, followed by - # N-49 octets of challenge, followed by 49 octets of - # MS-CHAP stuff. - # - # @todo - update code to create these, so that the - # poor user doesn't need to. - # -# &request.MS-CHAP-Challenge := ... -# &request.MS-CHAP-Response := ... - &control.Password.Cleartext := &parent.control.Password.Cleartext - } chap.authenticate } diff --git a/raddb/policy.d/time b/raddb/policy.d/time index 709f267cda8..f9dd0e50781 100644 --- a/raddb/policy.d/time +++ b/raddb/policy.d/time @@ -2,18 +2,14 @@ # # Sets Tmp-uint64-0 with the current epoch time in ms time_current_ms { - update request { - Tmp-uint64-0 := "%{expr:(%c*1000) + (%C/1000)}" - } + &request.Tmp-uint64-0 := %{expr:(%c*1000) + (%C/1000)} } # Returns elapsed time in ms since time_current_ms # # Sets Tmp-uint64-1 with number of milliseconds time_elapsed_ms { - update request { - Tmp-uint64-1 := "%{expr:(%c*1000) + (%C/1000) - %{Tmp-uint64-0}}" - } + &request.Tmp-uint64-1 := %{expr:(%c*1000) + (%C/1000) - %{Tmp-uint64-0}} } # Handles the Expiration attribute @@ -25,9 +21,7 @@ expiration { } elsif (!&reply.Session-Timeout || (&Session-Timeout > "%{expr:%{Expiration} - %l}")) { - update reply { - &Session-Timeout := "%{expr:%{Expiration} - %l}" - } + &reply.Session-Timeout := %{expr:%{Expiration} - %l} } } } diff --git a/raddb/policy.d/vendor b/raddb/policy.d/vendor index 5358c121f6c..eb7c68ba79d 100644 --- a/raddb/policy.d/vendor +++ b/raddb/policy.d/vendor @@ -7,9 +7,8 @@ broadsoft-decode { foreach &BroadSoft-Attr-255 { if ("%{Foreach-Variable-0}" =~ /^([0-9]+)=(.*)$/) { - update request { -# Broadsoft-Attr-255 -= "%{Foreach-Variable-0}" - "BroadSoft-Attr-%{1}" += "%{2}" +# &request.Broadsoft-Attr-255 -= "%{Foreach-Variable-0}" + "&request.BroadSoft-Attr-%{1}" += "%{2}" } } } diff --git a/raddb/radclient.conf b/raddb/radclient.conf index 79dc7922266..024cbde2372 100644 --- a/raddb/radclient.conf +++ b/raddb/radclient.conf @@ -54,9 +54,7 @@ server default { recv Access-Request { radius if (ok) { - update reply { - &Packet-Type := Access-Accept - } + &reply.Packet-Type := Access-Accept } } send Access-Accept {