Attribute Filtering Module

This module exists to filter certain attributes and values in RADIUS
packets received from remote proxy servers. It gives the proxier (us) a
very flexible framework for filtering the attributes that proxy servers
send us in their replies. This makes sense in an out-sourced dialup
situation, for example, where the remote proxy is permitted to set only
certain values.

Filter rules are defined and applied on a per-realm basis, where the realm
can be anything you have defined via the rlm_realm module.
1. MODULE CONFIGURATION

The module configuration section is very simple. There is only one attribute
that needs to be set: the file to read the filter rules from.

As an example, here is the default configuration from radiusd.conf:

	attrsfile = ${confdir}/attrs

If attrsfile is not specified, it defaults to the value shown above.

This module supports multiple named instances per the normal method.

Once defined in the modules section of the config file, you must add the
module instance name ( the name of the module itself by default ) into the
'authorize{}' section. It should be placed *before* the realm modules.

If the incoming packet is not a proxy reply, the module returns NOOP,
so that the rest of the 'authorize{}' section is called normally.
The file that defines the attribute filter rules is laid out and parsed
very similarly to the users file. There are a couple of main differences:

  o There are no "check items" on the first line of the profile other
    than the realm name.

  o There is only one DEFAULT entry. This is due to the fact that there
    are no "check items" beyond the realm name. Fall-Through does work
    though, allowing you to put the commonly allowed attribute rules into
    the DEFAULT entry and only put realm specific rules in the specific
    realm entries.

  o The operators used for specifying the attributes are as follows:

	=	- NOT ALLOWED. If used, it becomes "=="
	==	- Equal
	:=	- Set ( used to ensure a specific a/v is present )
	=*	- Always Equal ( will allow all values for attribute )
	!*	- Always Not Equal ( will block all values for attribute )
	>=	- Greater than or equal to
	<=	- Less than or equal to

    If you have regular expressions enabled you also have:

	=~	- Regular expression equal
	!~	- Regular expression not equal

See the comments in the default 'attrs' file for examples and additional
notes.
The way the module works is as follows:

  o Build a list of a/v pair rules from the 'attrs' file at module
    initialization.

  o When a proxy reply packet is received and passed to the module, it
    checks for a Realm attribute in the original request a/v pairs.
    ( The Realm attribute is added there by the proxy code. )

  o The module walks the list of a/v pair rules until it finds a
    match for the Realm value or it reaches the DEFAULT entry.

  o If there are any rules with SET operators, those attributes are
    added to the top of a temporary reply list.

  o Each a/v pair in the proxy reply is compared to the list of rules
    for that attribute.

  o If an a/v pair in the proxy reply passes *ALL* of the rules that
    relate to the attribute, the a/v is added to the temporary list.
    ( Note: if it fails 1 or more rules, or is not matched by any rule,
    then the a/v pair will *NOT* be transferred to the temporary list. )

  o When all the reply vps have been checked, the original proxy reply
    vps are freed and the temporary list ( containing only those a/v
    that passed the rules ) becomes the new proxy reply vps.

  o The module then returns UPDATED and the rest of the authorize block
    is processed.
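The following is an added example, not code from FreeRADIUS or from this
module: a small Python model of the rules-file format and of the filtering
walk described above, so that the realm/DEFAULT selection, Fall-Through, the
pass/fail rule and the SET behaviour can be tried against a constructed
'attrs' text and a constructed proxy reply. The function names (parse_attrs,
rules_for_realm, filter_reply, rule_passes) and the sample data are
inventions for the demonstration. Two points are assumptions rather than
statements of the page: a reply value whose only rule is ':=' is treated as
unmatched and therefore dropped in favour of the forced value (following the
"not matched" wording above), and '!=', '>' and '<' are accepted although
the operator list above does not mention them; regular expressions are
applied as an unanchored search.

```python
import re

# Rule-line grammar: "Attribute op value," with an optional trailing comma.
# Two-character operators come first so the alternation prefers them.
RULE_RE = re.compile(
    r'^\s*([\w-]+)\s*(=~|!~|==|!=|:=|=\*|!\*|>=|<=|>|<|=)\s*'
    r'(?:"([^"]*)"|([^,\s]+))\s*,?\s*$')


def parse_attrs(text):
    """Parse users-file style text into [(name, rules, fall_through)]; an entry
    starts at a non-indented realm name (or DEFAULT), a rule is (attr, op, value)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # new entry: realm name line
            entries.append([line.strip(), [], False])
            continue
        m = RULE_RE.match(line)
        if not m or not entries:
            raise ValueError("bad rule line: %r" % raw)
        attr, op, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if attr == "Fall-Through":
            entries[-1][2] = value.lower() in ("yes", "1")
        else:
            # bare '=' is not a filter operator; the text says it becomes '=='
            entries[-1][1].append((attr, "==" if op == "=" else op, value))
    return [tuple(e) for e in entries]


def _as_int(s):
    try:
        return int(s)
    except ValueError:
        return None


def rule_passes(op, want, have):
    """True/False for a comparison rule; None for ':=', which forces a value and
    is not a comparison. Integers compare numerically, anything else as strings."""
    if op == ":=":
        return None
    if op in ("=*", "!*"):
        return op == "=*"
    if op in ("=~", "!~"):                       # assumption: unanchored search
        return (re.search(want, have) is not None) == (op == "=~")
    a, b = _as_int(have), _as_int(want)
    if a is None or b is None:
        a, b = have, want
    # '!=', '>' and '<' are assumed here; the operator list above omits them
    return {"==": a == b, "!=": a != b, ">=": a >= b, "<=": a <= b,
            ">": a > b, "<": a < b}[op]


def rules_for_realm(entries, realm):
    """Collect rules from each entry named for the realm or DEFAULT, in file
    order, stopping after the first such entry without Fall-Through."""
    rules = []
    for name, entry_rules, fall_through in entries:
        if name in (realm, "DEFAULT"):
            rules.extend(entry_rules)
            if not fall_through:
                break
    return rules


def filter_reply(entries, realm, reply):
    """Filter a proxy reply given as [(attribute, value)]: SET values go first,
    then every pair that matched at least one rule for its attribute and failed
    none. Pairs with no rule, or whose only rule is ':=', are dropped."""
    rules = rules_for_realm(entries, realm)
    output = [(attr, value) for attr, op, value in rules if op == ":="]
    for attr, value in reply:
        verdicts = [rule_passes(op, want, value)
                    for rule_attr, op, want in rules if rule_attr == attr]
        verdicts = [v for v in verdicts if v is not None]
        if verdicts and all(verdicts):
            output.append((attr, value))
    return output


# Constructed sample rules (not the shipped 'attrs' file) and a constructed reply.
SAMPLE_ATTRS = """\
DEFAULT
    Framed-Protocol == PPP,
    Framed-MTU <= 1500,
    Service-Type =* ANY,
    Fall-Through = Yes

outsourced.example
    Framed-IP-Address =~ "^10[.]",
    Idle-Timeout := 600
"""
SAMPLE_REPLY = [
    ("Framed-Protocol", "PPP"),
    ("Framed-MTU", "1400"),
    ("Framed-IP-Address", "10.1.2.3"),
    ("Idle-Timeout", "86400"),      # proxy asked for a day; the rule forces 600
    ("Reply-Message", "welcome"),   # no rule names this attribute: dropped
    ("Service-Type", "Framed-User"),
]

if __name__ == "__main__":
    print(filter_reply(parse_attrs(SAMPLE_ATTRS), "outsourced.example", SAMPLE_REPLY))
```

Running it for realm outsourced.example keeps the PPP, MTU, address and
Service-Type pairs, replaces the proxy's Idle-Timeout with the forced 600,
and drops Reply-Message because no rule mentions it; for a realm with no
entry of its own only the DEFAULT rules apply, so Framed-IP-Address is
dropped as well. The point to take from the model is the default-deny
shape of the walk: an attribute the rules file never names does not get
through, whatever the proxy sent.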
Please send corrections/input/comments/flames to <cparker@starnetusa.net>