On Mon, 11 Mar 2002, Chris Parker wrote: > At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote: > >I'm having trouble with rlm_attr_filter and Ascend-Data-Filter. > > > >attrs: > >acsinc.net > > Ascend-Data-Filter := "ip in forward tcp est", > > Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24", > > Ascend-Data-Filter := "ip in drop tcp dstport = 25", > > Ascend-Data-Filter := "ip in forward" > > Hmmm, perhaps try using the += operator there.
I don't get them back at all when I use +=. And looking at the docs & source, += doesn't seem to be supported. > >And here's some output from the debug log: > >Sending Access-Accept of id 173 to 199.45.141.1:1026 > > Ascend-Data-Filter = "ip input forward 0" > > Ascend-Data-Filter = "ip input forward 0" > > Ascend-Data-Filter = "ip output drop 0" > > Ascend-Data-Filter = "ip input forward 0" > > Here they are set as separate attributes, so it's not a problem with > the rlm_attr_filter module. So is it in rlm_attr_filter or the core that the attributes are getting mangled? > >And here's what I get back: Vendor-Specific = > >>"V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:" > > What is this output from? Hrm, that's a non-freeradius "radtest" client. I was assuming that was the non-decoded binary Ascend-Data-Filter, but it might just be garbage. The freeradius "radtest" returns the same thing that the debug log shows. I uncommented your DEBUG2 lines in rlm_attr_filter.c and re-compiled. Here's an example of what I see when using the := syntax: modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok attr_filter: Matched entry realm.test at line 79 attr_filter: creating vp Service-Type - 1 - 2 attr_filter: creating vp Login-Service - 1 - 1 attr_filter: creating vp Ascend-Data-Filter - 4 - 0 attr_filter: creating vp Ascend-Data-Filter - 4 - 0 attr_filter: creating vp Ascend-Data-Filter - 4 - 0 attr_filter: creating vp Ascend-Data-Filter - 4 - 0 modcall[authorize]: module "attr_filter" returns updated modcall[authorize]: module "suffix" returns ok modcall[authorize]: module "files" returns notfound modcall: group authorize returns updated rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [[EMAIL PROTECTED]] (from nas UNKNOWN-NAS port 0) Sending Access-Accept of id 230 to 199.45.200.140:1484 Service-Type = Framed-User Login-Service = Rlogin Ascend-Data-Filter = "ip input forward 0" Ascend-Data-Filter = "ip input forward 0" Ascend-Data-Filter = "ip output drop 0" Ascend-Data-Filter = "ip input forward 0" Finished request 0 It doesn't work even if I just use one Ascend-Data-Filter: realm.test Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24" Still comes out as "ip input forward 0". (I see some comments in the source about Fall-Through being incomplete. I notice that it -always- falls through, despite Fall-Through = No being set.) Appreciate your time. -- Charlie Watts [EMAIL PROTECTED] Frontier Internet, Inc. http://www.frontier.net/ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html