attr_filter rule evaluation

Gerald Vogt vogt at
Wed Apr 22 15:26:34 CEST 2015

On 22.04.15 13:53, Alan DeKok wrote:
> On Apr 22, 2015, at 7:19 AM, Gerald Vogt <vogt at> wrote:
>> The post-proxy file contains this:
>>        Service-Type == Framed-User,
>>        Service-Type == Login-User,
>>        Login-Service == Telnet,
>>        Login-Service == Rlogin,
>>        Login-Service == TCP-Clear,
>>        Login-TCP-Port <= 65536,
>> ...
>> But if it has to pass all the rules doesn't that mean that Service-Type
>> and Login-Service are basically always filtered out because, for
>> instance, for a single valued Service-Type attribute either the first or
>> second rule will always fail. And as there is always one rule failing it
>> will never make it past the filter.
>   Yes.
>   If you want more complex filtering, use unlang.

I don't need more complex filtering. But it would help if the files
installed would contain some useful examples. If that DEFAULT entry just
filters out any Service-Type and Login-Service attribute then that's not
what I would expect from seeing this in an unmodified file distributed
from the source.

So may I suggest that the post-proxy file only contains actually useful
and working examples.

>From the above lines I would assume it means accept Service-Type
Framed-User or Login-User but filter any other value.

There is also a commented out example which doesn't make sense then:

# These rules allow:
#       o Only Login-User Service-Type ( no framed/ppp sessions )
#       o Telnet sessions only ( no rlogin, tcp-clear )
#       o Login hosts of either or
#	Service-Type == Login-User,
#	Login-Service == Telnet,
#	Login-TCP-Port == 23,
#	Login-IP-Host ==,
#	Login-IP-Host ==

Whatever Login-IP-Host may be it will always be filtered out so actually
it does not do what the description before says...



More information about the Freeradius-Users mailing list