rlm_attr_filter for proxied accounting packets

Thor Spruyt thor.spruyt at telenet.be
Sat Aug 27 23:31:56 CEST 2005


Hi,

I noticed that rlm_attr_filter.c contains the following in the
attr_filter_preproxy function:
        if (request->packet->code != PW_AUTHENTICATION_REQUEST) {
                return (RLM_MODULE_NOOP);
        }
This means that accounting packets are not handled by this function.
Instead, the accounting packets are handled by the attr_filter_accounting
function.

I have a problem with this, because I'm rewriting attributes with the
preproxy_users file.
That module's function will change attributes in both proxied authentication
requests and proxied accounting requests.

Now, for authentication everything works fine:
- I don't do any attribute changing in the "authenticate" stage, so
everything stays the same here
- then we go to the "pre-proxy" stage, where first I use rlm_files for some
changing and then rlm_attr_filter to filter some attributes out

For accounting however, the following happens:
- in the "accounting" stage, rlm_attr_filter filters some attributes out
because I don't want them to be sent to the home radius
- in the "pre-proxy" stage, rlm_files wants to change some attribute based
on another attribute which was filtered out already by rlm_attr_filter in
the "accounting" stage
- in the "pre-proxy" stage, rlm_attr_filter returns NOOP, since it's coded
not to do anything here for accounting packets.


To be clear: I think that the pre-proxy functions should always act on both
Access-Request and Account-Request packets, the configuration in
radiusd.conf should take care if you want to differentiate between the two.
Obviously, for post-proxy this would apply too, but the need is not there,
since Accounting-Reply packets generally do not contain any attributes, but
even then it would be nice to be able to tell the server to filter them our
or not.

Since rlm_attr_filter should only be used for proxied packets, the
attr_filter_accounting function is obsolete, just like the
attr_filter_authenticate function was!

If you want, I can supply a patch for rlm_attr_filter.c to also accept
accounting packets in the attr_filter_preproxy function, just let me know.


--
Groeten, Regards, Salutations,

Thor Spruyt
M: +32 (0)475 67 22 65
E: thor.spruyt at telenet.be
W: www.thor-spruyt.com

www.salesguide.be
www.telenethotspot.be




More information about the Freeradius-Users mailing list