Rewrite Rule

Alan DeKok aland at
Thu Nov 1 02:14:29 CET 2018

> On Oct 31, 2018, at 9:03 PM, Maile Halatuituia <maile.halatuituia at> wrote:
> Hi Alan
> Here is the packet
> ...
> (4)   Cisco-AVPair = "connect-progress=LAN Ses Up"
> (4)   Cisco-AVPair = "nas-tx-speed=1000000000"
> (4)   Cisco-AVPair = "nas-rx-speed=1000000000"
> ...
> (4)   Cisco-AVPair = "acct-input-octets-ipv6=2586"
> (4)   Cisco-AVPair = "acct-output-octets-ipv6=4914"
> ...
> (4)   Cisco-AVPair = "acct-input-packets-ipv6=41"
> (4)   Cisco-AVPair = "acct-output-packets-ipv6=50"
> ...
> (4)   Cisco-AVPair = "client-mac-address=ae6e.0e71.2d61"

  So lots of Cisco-AVPairs.

  To be honest, "unlang" isn't well suited for picking specific attributes based on specific contents.  You can use "foreach", which should work.  But it's a bit awkward.

> I have three takeaways from your reply below.
> 1. I need to look at what value should I use for this particular Cisco AVP attribute for my filter.

  You should test the regular expression in isolation.  i.e. with packets containing ONE Cisco-AVPair.  And use "radclient" to send test packets.

  It also would be good to fix the regular expression.  You have the brackets escaped, which doesn't seem right.

> We use the same for the MAC address and seems to rewrite the MAC address received on the packet and it is working but not for the ipv6 counter.

  Well, if the MAC regex works, and this one doesn't, then they're not the same, are they?

> 2. any suggestion how to do this or particular documentation is very much appreciated

  Use the correct regex.  Do *small* tests, with *small* packets.  There is no simple way in unlang to do this kind of thing.  Cisco has made it very hard, by burying names inside of values.

  You should be able to do something like this:

	foreach &Cisco-AVPair {
		if ("%{Foreach-Variable-0}" =~ /^acct-input-octets-ipv6=(.*)$/) {
			update request {
				... something ...
			}
		}
	}

   You will need to use a *real* attribute name instead of "something".  As I said before, you can't just invent an "acct-input-octets-ipv6" attribute, and expect it to do what you want.  If you do that, the server will fail to start.  So you have to create the attribute.  See raddb/dictionary for documentation.

  Alan DeKok.
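
An added example, not part of the message above: an offline check of the regular expression from the reply against the Cisco-AVPair values in the quoted packet, mirroring the foreach loop one value at a time. The escaped-parentheses variant and the helper names are constructed for illustration, and the patterns use only syntax common to PCRE and POSIX extended regular expressions.

```python
import re

# Cisco-AVPair values copied from the quoted packet above.
AVPAIRS = [
    "connect-progress=LAN Ses Up",
    "nas-tx-speed=1000000000",
    "nas-rx-speed=1000000000",
    "acct-input-octets-ipv6=2586",
    "acct-output-octets-ipv6=4914",
    "acct-input-packets-ipv6=41",
    "acct-output-packets-ipv6=50",
    "client-mac-address=ae6e.0e71.2d61",
]

# Pattern from the unlang snippet in the reply: anchored, one capture group.
GOOD = r"^acct-input-octets-ipv6=(.*)$"
# Constructed variant with the parentheses escaped: \( and \) now match
# literal characters, so the pattern has no capture group at all.
ESCAPED = r"^acct-input-octets-ipv6=\(.*\)$"


def first_capture(pattern, values):
    """Mimic the foreach loop: return group 1 of the first value that matches."""
    rx = re.compile(pattern)
    for value in values:
        m = rx.search(value)
        if m:
            # Guard against patterns that match but define no group.
            return m.group(1) if rx.groups else m.group(0)
    return None


def ipv6_counters(values):
    """Collect every acct-*-ipv6 counter as {name: int}; digits only."""
    rx = re.compile(r"^(acct-(?:input|output)-(?:octets|packets)-ipv6)=([0-9]+)$")
    out = {}
    for value in values:
        m = rx.match(value)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


if __name__ == "__main__":
    print("anchored pattern :", first_capture(GOOD, AVPAIRS))
    print("escaped parens   :", first_capture(ESCAPED, AVPAIRS))
    print("all ipv6 counters:", ipv6_counters(AVPAIRS))
```

Restricting the captured value to digits, as `ipv6_counters` does, keeps a malformed AVPair from being copied into an integer attribute.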
