On Mon, 11 Mar 2002, Chris Parker wrote:
> At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote:
> >I'm having trouble with rlm_attr_filter and Ascend-Data-Filter.
> >
> >attrs:
> >acsinc.net
> > Ascend-Data-Filter := "ip in forward tcp est",
> > Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
> > Ascend-Data-Filter := "ip in drop tcp dstport = 25",
> > Ascend-Data-Filter := "ip in forward"
>
> Hmmm, perhaps try using the += operator there.

I don't get them back at all when I use +=. And looking at the docs &
source, += doesn't seem to be supported.

> >And here's some output from the debug log:
> >Sending Access-Accept of id 173 to 199.45.141.1:1026
> > Ascend-Data-Filter = "ip input forward 0"
> > Ascend-Data-Filter = "ip input forward 0"
> > Ascend-Data-Filter = "ip output drop 0"
> > Ascend-Data-Filter = "ip input forward 0"
>
> Here they are set as separate attributes, so it's not a problem with
> the rlm_attr_filter module.

So is it in rlm_attr_filter or the core that the attributes are getting
mangled?

> >And here's what I get back: Vendor-Specific =
> >"V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
>
> What is this output from?

Hrm, that's a non-freeradius "radtest" client. I was assuming that was the
non-decoded binary Ascend-Data-Filter, but it might just be garbage. The
freeradius "radtest" returns the same thing that the debug log shows.

I uncommented your DEBUG2 lines in rlm_attr_filter.c and re-compiled.
Here's an example of what I see when using the := syntax:

modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
attr_filter: Matched entry realm.test at line 79
attr_filter: creating vp Service-Type - 1 - 2
attr_filter: creating vp Login-Service - 1 - 1
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
attr_filter: creating vp Ascend-Data-Filter - 4 - 0
modcall[authorize]: module "attr_filter" returns updated
modcall[authorize]: module "suffix" returns ok
modcall[authorize]: module "files" returns notfound
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [[EMAIL PROTECTED]] (from nas UNKNOWN-NAS port 0)
Sending Access-Accept of id 230 to 199.45.200.140:1484
Service-Type = Framed-User
Login-Service = Rlogin
Ascend-Data-Filter = "ip input forward 0"
Ascend-Data-Filter = "ip input forward 0"
Ascend-Data-Filter = "ip output drop 0"
Ascend-Data-Filter = "ip input forward 0"
Finished request 0

It doesn't work even if I just use one Ascend-Data-Filter:

realm.test
        Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24"

Still comes out as "ip input forward 0".

(I see some comments in the source about Fall-Through being incomplete. I
notice that it -always- falls through, despite Fall-Through = No being
set.)

Appreciate your time.

--
Charlie Watts
[EMAIL PROTECTED]
Frontier Internet, Inc.
http://www.frontier.net/
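
The mismatch reported in this message can be checked mechanically. The following is an added example, not part of the original message and not FreeRADIUS code: it pairs the filters configured in the attrs entry with the ones printed in the Access-Accept debug output and lists the terms each rule lost. It assumes a single Access-Accept in the log text and that "in"/"input" (and "out"/"output") name the same direction; the function names are hypothetical.

```python
import re

# Copied from the message above: the attrs entry and the Access-Accept debug lines.
ATTRS = '''acsinc.net
    Ascend-Data-Filter := "ip in forward tcp est",
    Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24",
    Ascend-Data-Filter := "ip in drop tcp dstport = 25",
    Ascend-Data-Filter := "ip in forward"
'''
DEBUG = '''Sending Access-Accept of id 173 to 199.45.141.1:1026
    Ascend-Data-Filter = "ip input forward 0"
    Ascend-Data-Filter = "ip input forward 0"
    Ascend-Data-Filter = "ip output drop 0"
    Ascend-Data-Filter = "ip input forward 0"
'''

# Assumption (not stated in the thread): short and long direction keywords
# are equivalent, so they are normalised before comparing.
ALIASES = {"in": "input", "out": "output"}
# Matches both the attrs form (:=) and the debug-output form (=).
FILTER_RE = re.compile(r'^\s*Ascend-Data-Filter\s*:?=\s*"([^"]*)"', re.M)

def tokens(rule):
    """Split a filter string into terms, normalising direction keywords."""
    return [ALIASES.get(t, t) for t in rule.split()]

def lost_terms(attrs_text, debug_text):
    """Pair configured and sent filters by position; list terms each rule lost."""
    configured = FILTER_RE.findall(attrs_text)
    sent = FILTER_RE.findall(debug_text)
    report = []
    for i, rule in enumerate(configured):
        sent_rule = sent[i] if i < len(sent) else None
        got = tokens(sent_rule) if sent_rule is not None else []
        missing = [t for t in tokens(rule) if t not in got]
        report.append((rule, sent_rule, missing))
    return report

def degraded(attrs_text, debug_text):
    """Configured rules whose sent form dropped at least one term."""
    return [r for r in lost_terms(attrs_text, debug_text) if r[2]]

if __name__ == "__main__":
    for rule, sent_rule, missing in lost_terms(ATTRS, DEBUG):
        status = "LOST: " + " ".join(missing) if missing else "ok"
        print(f"{rule!r} -> {sent_rule!r}  {status}")
```

On the data from this message, three of the four rules lose their match terms, and the port 25 rule also changes direction, so the reply no longer expresses the configured policy.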