From: Arran Cudbard-Bell Date: Mon, 4 Jul 2011 08:47:04 +0000 (+0200) Subject: Add relax-filter check item to override the relaxed config item on a filter by filter... X-Git-Tag: release_3_0_0_beta0~730 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7200582123957e4e933343e3967f1e1be9d48753;p=thirdparty%2Ffreeradius-server.git Add relax-filter check item to override the relaxed config item on a filter by filter basis --- diff --git a/man/man5/rlm_attr_filter.5 b/man/man5/rlm_attr_filter.5 index ce4116865b9..7845c6cce49 100644 --- a/man/man5/rlm_attr_filter.5 +++ b/man/man5/rlm_attr_filter.5 @@ -113,7 +113,9 @@ attribute that exists in the request. Note that the module always keys off of attributes in the request, and NOT in any other packet. .IP relaxed If set to 'yes', then attributes which do not match any filter rules -explicitly, will also be allowed. The default is 'no'. +explicitly, will also be allowed. This behaviour may be overridden +for an individual filter block using the Relax-Filter check item. +The default for this configuration item is 'no'. .PP .SH SECTIONS .IP preacct diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal index e0b5dd291cc..15ac53ecfbe 100644 --- a/share/dictionary.freeradius.internal +++ b/share/dictionary.freeradius.internal @@ -12,6 +12,7 @@ # These attributes CAN go in the reply item list. ATTRIBUTE Fall-Through 500 integer +ATTRIBUTE Relax-Filter 501 integer ATTRIBUTE Exec-Program 502 string ATTRIBUTE Exec-Program-Wait 503 string @@ -470,6 +471,9 @@ VALUE Post-Auth-Type Local 0 VALUE Fall-Through No 0 VALUE Fall-Through Yes 1 +VALUE Relax-Filter No 0 +VALUE Relax-Filter Yes 1 + VALUE Strip-User-Name No 0 VALUE Strip-User-Name Yes 1 diff --git a/src/include/radius.h b/src/include/radius.h index 34bcb6d88ee..8020fd5a883 100644 --- a/src/include/radius.h +++ b/src/include/radius.h 
@@ -132,6 +132,7 @@ #define PW_DIGEST_ATTRIBUTES 207 #define PW_FALL_THROUGH 500 +#define PW_RELAX_FILTER 501 #define PW_EXEC_PROGRAM 502 #define PW_EXEC_PROGRAM_WAIT 503 diff --git a/src/modules/rlm_attr_filter/rlm_attr_filter.c b/src/modules/rlm_attr_filter/rlm_attr_filter.c index b32cbb67ed0..5439ccdb3a9 100644 --- a/src/modules/rlm_attr_filter/rlm_attr_filter.c +++ b/src/modules/rlm_attr_filter/rlm_attr_filter.c @@ -214,6 +214,7 @@ static int attr_filter_common(void *instance, REQUEST *request, */ for (pl = inst->attrs; pl; pl = pl->next) { int fall_through = 0; + int relax_filter = inst->relaxed; /* * If the current entry is NOT a default, @@ -225,18 +226,26 @@ static int attr_filter_common(void *instance, REQUEST *request, continue; } - DEBUG2(" attr_filter: Matched entry %s at line %d", pl->name, + DEBUG2("attr_filter: Matched entry %s at line %d", pl->name, pl->lineno); found = 1; for (check_item = pl->check; - check_item != NULL; - check_item = check_item->next) { + check_item != NULL; + check_item = check_item->next) { if ((check_item->attribute == PW_FALL_THROUGH) && - (check_item->vp_integer == 1)) { + (check_item->vp_integer == 1)) { fall_through = 1; continue; } + else if (check_item->attribute == PW_RELAX_FILTER) { + if ( check_item->vp_integer != inst->relaxed ) { + DEBUG3("attr_filter: Overriding relaxed config-item with check-item value %d", + check_item->vp_integer); + relax_filter = check_item->vp_integer; + } + continue; + } /* * If it is a SET operator, add the attribute to @@ -278,8 +287,8 @@ static int attr_filter_common(void *instance, REQUEST *request, * is always true. */ if ((check_item->attribute == PW_VENDOR_SPECIFIC) && - (vp->vendor != 0) && - (check_item->operator == T_OP_CMP_TRUE)) { + (vp->vendor != 0) && + (check_item->operator == T_OP_CMP_TRUE)) { pass++; continue; } 
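Review bot: In the `@@ -225,18 +226,26 @@` hunk of rlm_attr_filter.c, `relax_filter = check_item->vp_integer;` treats any non-zero Relax-Filter value as relaxed, whereas the Fall-Through test just above it only honours `vp_integer == 1`. Relaxed mode lets through attributes that no rule matched, so I would accept only the dictionary's Yes value, `relax_filter = (check_item->vp_integer == 1);`, and have a mistyped numeric value fail closed. The override is reported only at DEBUG3, and with `%d` for a field that looks unsigned (its declaration is not visible here, so worth confirming). Logging it at the same level as the DEBUG2 "Matched entry" message would make a per-entry loosening easier to spot when auditing a filter file. attr_filter_common starts and ends outside this hunk.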
@@ -295,7 +304,10 @@ static int attr_filter_common(void *instance, REQUEST *request,
 * or if the config says we should copy unmatched
 * attributes ('relaxed' mode).
 */
- if (fail == 0 && (pass > 0 || inst->relaxed)) {
+ if (fail == 0 && (pass > 0 || relax_filter)) {
+ if (!pass) {
+ DEBUG3("attr_filter: Attribute (%s) allowed by relaxed mode", vp->name);
+ }
 *output_tail = paircopyvp(vp);
 if (!*output_tail) {
 pairfree(&output);
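Review bot: The comment kept as context above the changed condition is now stale: it still says unmatched attributes are copied when the config says so, but the test uses `relax_filter`, which a Relax-Filter check item can set per entry. I would reword its last clause to something like `or if relaxed mode is in effect for this entry (the 'relaxed' config item, unless a Relax-Filter check item overrides it)`. This is the branch where an attribute that no rule examined is let through, so the comment should name both switches that can open it. The comment and the enclosing function begin outside the hunk.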