At 06:20 PM 3/11/2002 -0700, Charlie Watts wrote:
>On Mon, 11 Mar 2002, Chris Parker wrote:
> > At 10:18 AM 3/11/2002 -0700, Charlie Watts wrote:
> >
> > Hmmm, perhaps try using the += operator there.
>
>I don't get them back at all when I use +=. And looking at the docs &
>source, += doesn't seem to be supported.
Right, just a thought. := *is* the correct operator for you there.
>So is it in rlm_attr_filter or the core that the attributes are getting
>mangled?
Neither.
> > >And here's what I get back: Vendor-Specific =
> > >"V529:T242:L34::T1:L1::T1:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:
> :T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0::T0:L0:"
> >
> > What is this output from?
>
>Hrm, that's a non-freeradius "radtest" client. I was assuming that was the
>non-decoded binary Ascend-Data-Filter, but it might just be garbage. The
>freeradius "radtest" returns the same thing that the debug log shows.
I would hazzard that your radtest is interpreting the filters incorrectly.
>I uncommented your DEBUG2 lines in rlm_attr_filter.c and re-compiled.
>Here's an example of what I see when using the := syntax:
>
>modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> attr_filter: Matched entry realm.test at line 79
> attr_filter: creating vp Service-Type - 1 - 2
> attr_filter: creating vp Login-Service - 1 - 1
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> attr_filter: creating vp Ascend-Data-Filter - 4 - 0
> modcall[authorize]: module "attr_filter" returns updated
That tells you that 'attr_filter' created 6 a/v pairs and added them
to the reply. They are all separate vp's at this point.
> Ascend-Data-Filter = "ip input forward 0"
> Ascend-Data-Filter = "ip input forward 0"
> Ascend-Data-Filter = "ip output drop 0"
> Ascend-Data-Filter = "ip input forward 0"
>Finished request 0
Hmm, now that is a problem, as it shouldn't be setting 0.
The problem is *possibly* in src/lib/filters.c, as that is where Data-Filters
are parsed from text into binary data.
>It doesn't work even if I just use one Ascend-Data-Filter:
>
>realm.test
> Ascend-Data-Filter := "ip in forward dstip 199.45.141.0/24"
>
>Still comes out as "ip input forward 0".
Right, it's either not building the binary data properly, or not decoding
it properly.
If you aren't already, I'd upgrade to the latest CVS version, as there
has been some work done at some point in the handling of Data-Filters,
but I don't recall if that was before or after the 0.4 release.
>(I see some comments in the source about Fall-Through being incomplete. I
>notice that it -always- falls through, despite Fall-Through = No being
>set.)
Hmmm, I'll take a look at that today, and get Fall-Through = No to be
respected.
-Chris
--
\\\|||/// \ StarNet Inc. \ Chris Parker
\ ~ ~ / \ WX *is* Wireless! \ Director, Engineering
| @ @ | \ http://www.starnetwx.net \ (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
\ Wholesale Internet Services - http://www.megapop.net
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
