2 * rlm_protocol_filter.c
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2004 Cladju Consulting, Inc. <aland@cladju.com>
21 * Copyright 2006 The FreeRADIUS server project
24 #include <freeradius-devel/ident.h>
27 #include <freeradius-devel/radiusd.h>
28 #include <freeradius-devel/modules.h>
31 * Define a structure for our module configuration.
34 typedef struct rlm_protocol_filter_t {
38 } rlm_protocol_filter_t;
41 * A mapping of configuration file names to internal variables.
43 * Note that the string is dynamically allocated, so it MUST
44 * be freed. When the configuration file parse re-reads the string,
45 * it free's the old one, and strdup's the new one, placing the pointer
46 * to the strdup'd string into 'config.string'. This gets around
49 static const CONF_PARSER module_config[] = {
50 { "filename", PW_TYPE_FILENAME,
51 offsetof(rlm_protocol_filter_t,filename), NULL,
52 "${raddbdir}/protocol_filter.conf"},
54 { "key", PW_TYPE_STRING_PTR,
55 offsetof(rlm_protocol_filter_t,key), NULL, "%{Realm:-DEFAULT}"},
57 { NULL, -1, 0, NULL, NULL } /* end the list */
60 static int filter_detach(void *instance)
62 rlm_protocol_filter_t *inst = instance;
64 if (inst->cs) cf_section_free(&(inst->cs));
72 * Do any per-module initialization that is separate to each
73 * configured instance of the module. e.g. set up connections
74 * to external databases, read configuration files, set up
75 * dictionary entries, etc.
77 * If configuration information is given in the config section
78 * that must be referenced in later calls, store a handle to it
79 * in *instance otherwise put a null pointer there.
81 static int filter_instantiate(CONF_SECTION *conf, void **instance)
83 rlm_protocol_filter_t *inst;
86 * Set up a storage area for instance data
88 inst = rad_malloc(sizeof(*inst));
92 memset(inst, 0, sizeof(*inst));
95 * If the configuration parameters can't be parsed, then
98 if (cf_section_parse(conf, inst, module_config) < 0) {
103 inst->cs = conf_read("rlm_protocol_filter", 0,
104 inst->filename, NULL);
119 static int str2sense(const char *str)
121 if (strcasecmp(str, "permit") == 0) return 1;
122 if (strcasecmp(str, "deny") == 0) return 0;
128 * Apply a subsection to a request.
129 * Returns permit/deny/error.
131 static int apply_subsection(rlm_protocol_filter_t *inst, REQUEST *request,
132 CONF_SECTION *cs, const char *name)
139 DEBUG2(" rlm_protocol_filter: Found subsection %s", name);
141 cp = cf_pair_find(cs, "key");
143 radlog(L_ERR, "rlm_protocol_filter: %s[%d]: No key defined in subsection %s",
144 inst->filename, cf_section_lineno(cs), name);
145 return RLM_MODULE_FAIL;
148 radius_xlat(keybuf, sizeof(keybuf),
149 cf_pair_value(cp), request, NULL);
151 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, key is empty, doing nothing.",
152 inst->filename, cf_section_lineno(cs), name);
153 return RLM_MODULE_NOOP;
156 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, using key %s",
157 inst->filename, cf_section_lineno(cs), name, keybuf);
160 * And repeat some of the above code.
162 cp = cf_pair_find(cs, keybuf);
167 * Maybe it has a subsection, too.
169 subcs = cf_section_sub_find(cs, keybuf);
171 return apply_subsection(inst, request, subcs, keybuf);
172 } /* it was a subsection */
176 DEBUG2(" rlm_protocol_filter: %s[%d]: subsection %s, rule not found, doing nothing.",
177 inst->filename, cf_section_lineno(cs), name);
178 return RLM_MODULE_NOOP;
181 value = cf_pair_value(cp);
182 sense = str2sense(value);
184 radlog(L_ERR, "rlm_protocol_filter: %s[%d]: Unknwn directive %s",
185 inst->filename, cf_pair_lineno(cp), value);
186 return RLM_MODULE_FAIL;
189 if (!sense) return RLM_MODULE_REJECT;
191 return RLM_MODULE_OK;
196 * Authorize the user.
198 static int filter_authorize(void *instance, REQUEST *request)
205 rlm_protocol_filter_t *inst = instance;
207 radius_xlat(keybuf, sizeof(keybuf), inst->key, request, NULL);
209 DEBUG2(" rlm_protocol_filter: key is empty");
210 return RLM_MODULE_NOOP;
212 DEBUG2(" rlm_protocol_filter: Using key %s", keybuf);
214 cs = cf_section_sub_find(inst->cs, keybuf);
216 DEBUG2(" rlm_protocol_filter: No such key in %s", inst->filename);
217 return RLM_MODULE_NOTFOUND;
221 * Walk through the list of attributes, seeing if they're
224 for (vp = request->packet->vps; vp != NULL; vp = vp->next) {
228 cp = cf_pair_find(cs, vp->name);
230 value = cf_pair_value(cp);
232 sense = str2sense(value);
234 radlog(L_ERR, "rlm_protocol_filter %s[%d]: Unknown directive %s",
238 return RLM_MODULE_FAIL;
241 if (!sense) return RLM_MODULE_REJECT;
242 continue; /* was permitted */
243 } /* else no pair was found */
246 * Maybe it has a subsection
248 subcs = cf_section_sub_find(cs, vp->name);
250 sense = apply_subsection(inst, request, subcs, vp->name);
251 if ((sense == RLM_MODULE_OK) ||
252 (sense == RLM_MODULE_NOOP)) {
257 } /* it was a subsection */
260 * Not found, must be "permit"
264 return RLM_MODULE_OK;
269 * The module name should be the only globally exported symbol.
270 * That is, everything else should be 'static'.
272 * If the module needs to temporarily modify it's instantiation
273 * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE.
274 * The server will then take care of ensuring that the module
275 * is single-threaded.
277 module_t rlm_protocol_filter = {
280 RLM_TYPE_THREAD_SAFE, /* type */
281 filter_instantiate, /* instantiation */
282 filter_detach, /* detach */
284 NULL, /* authentication */
285 filter_authorize, /* authorization */
286 NULL, /* preaccounting */
287 NULL, /* accounting */
288 NULL, /* checksimul */
289 NULL, /* pre-proxy */
290 NULL, /* post-proxy */