attr_filter rule evaluation

Gerald Vogt vogt at
Wed Apr 22 13:19:48 CEST 2015


>From the documentation I find it a little bit confusing how filter rules
work exactly.

The manual page rlm_attr_filter says:

"The rules for each entry are parsed to top to bottom, and an attribute
must pass *all* the rules which affect it in order to make it past the

The post-proxy file contains this:

        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,

But if it has to pass all the rules doesn't that mean that Service-Type
and Login-Service are basically always filtered out because, for
instance, for a single valued Service-Type attribute either the first or
second rule will always fail. And as there is always one rule failing it
will never make it past the filter.



More information about the Freeradius-Users mailing list