Attribute Filtering Module -1. CAVEAT RLM_ATTR_FILTER 0. INTRODUCTION This module exists for filtering certain attributes and values in received radius packets from remote proxy servers. It gives the proxier (us) a very flexible framework to filter the attributes that proxy servers send us in their replies. This makes sense in an out-sourced dialup situation for example, where the client proxy is permitted only certain values for setting the Idle-Timeout. Filter rules are defined and applied on a per-realm basis, where the realm can be anything you have defined via the rlm_realm module. 1. MODULE CONFIGURATION The module configuration section is very simple. There is only one attribute that needs to be set, the file to read the filter rules from. As an example, here is the default configuration from radiusd.conf: modules { ... attr_filter { attrsfile = ${confdir}/attrs } ... } If attrsfile is not specified, it defaults to the above configuration. This module supports multiple named instances per the normal method. Once defined in the modules section of the config file, you must add the module instance name ( the name of the module itself by default ) into the 'authorize{}' section. It should be placed *before* the realm modules. As an example: authorize { preprocess attr_filter realm files } If the incoming packet is not a proxy reply, the module returns a NOOP, so that the rest of the 'authorize{}' is called normally. 3. MODULE OPTIONS The file that defines the attribute filter rules is layed out and parsed very similar to the users file. There are a couple main differences: o There are no "check items" on the first line of the profile other than the "realm". o There is only one DEFAULT entry. This is due to the fact that there are no "check items" beyond the realm name. Fall-Through does work though, allowing you to put the commonly allowed attribute rules into the DEFAULT entry and only put realm specific rules in the specific realm entry. o The operators used for specifying the attributes are as follows: = - NOT ALLOWED. If used, it becomes "==" := - Set ( used to ensure a specific a/v is present ) == - Equal ( exact ) =* - Always Equal ( will allow all values for attribute ) !* - Always Not Equal ( will block all values for attribute ) != - Not equal >= - Greater than or equal to <= - Less than or equal to > - Greater than < - Less than If you have regular expressions enabled you also have: =~ - Regular expression equal !~ - Regular expression not equal See the comments in the default 'attrs' file for examples and additional explanation. 4. MODULE FUNCTION The way the module works is as follows: o Build a list of a/v pair rules from the 'attrs' file at module instantiation. o When a proxy reply packet is received and passed to the module, it checks for a Realm attribute in the original request a/v pairs. ( The Realm attribute is added there by the proxy code ). o The module walks the list of a/v pair rules until it finds a match for the Realm value or it reaches the DEFAULT entry. o If there are any rules with SET operators, those attributes are added to the top of a temporary reply list. o Each a/v pair in the proxy reply is compared to the list of rules. o If an a/v pair in the proxy reply passes *ALL* of the rules that relate to the attribute, the a/v is added to a temporary list. ( Note, if it fails 1 or more rules, or is not matched, then the a/v pair will *NOT* be transferred to the temporary list. ) o When all the reply vps have been checked, the original proxy reply vps are freed and the temporary list ( containing only those a/v that passed the rules ) becomes the new proxy reply vps. o The module then returns UPDATED and the rest of the authorize block is called as usual. --- Please send corrections/input/comments/flames to