attr_filter rule evaluation

Alan DeKok aland at
Wed Apr 22 13:53:26 CEST 2015

On Apr 22, 2015, at 7:19 AM, Gerald Vogt <vogt at> wrote:
> From the documentation I find it a little bit confusing how filter rules
> work exactly.

  It's pretty simple.  Unfortunately simple, in fact.

> The post-proxy file contains this:
>        Service-Type == Framed-User,
>        Service-Type == Login-User,
>        Login-Service == Telnet,
>        Login-Service == Rlogin,
>        Login-Service == TCP-Clear,
>        Login-TCP-Port <= 65536,
> ...
> But if it has to pass all the rules doesn't that mean that Service-Type
> and Login-Service are basically always filtered out because, for
> instance, for a single valued Service-Type attribute either the first or
> second rule will always fail. And as there is always one rule failing it
> will never make it past the filter.


  If you want more complex filtering, use unlang.

  Alan DeKok.

More information about the Freeradius-Users mailing list