I was going to knock out a quick concept patch but I see it's not a trivial patch; before I make the effort to code it I thought I'd check: It seems useful for the sql module to set the return code to RLM_MODULE_REJECT if the Auth-Type gets set to reject - the specific use case I have is an unlang policy like so: authorize { preprocess sql if ("%{reply:MyStatus}" !~ /Active|Guest/) { reject } # ...some more stuff } ...however inside the SQL I have groups with id | groupname | attribute | op | value ----+-----------+-----------+----+-------- 2 | staff | MyStatus | = | Active 3 | banned | Auth-Type | := | Reject ...and it would be nice if members of the "banned" group stopped processing early. At the moment the SQL module only returns FAIL, NOTFOUND or OK. Thoughts?