Semantics of !~ operator

Gerald Vogt vogt at spamcop.net
Wed Apr 29 19:57:19 CEST 2015


On 29.04.15 15:59, Alan DeKok wrote:
> On Apr 29, 2015, at 2:01 AM, Gerald Vogt <vogt at spamcop.net> wrote:
>>>   This configuration is the same as:
>>>
>>> 	update request {
>>> 		Called-Station-SSID := "outer.request:Called-Station-SSID"
>>> 	}
>>
>> No. It's not. It's definitively not the same. The former does basically nothing. Called-Station-SSID gets no value assigned. The latter assigns the string contained in quotes.
> 
>   OK... I've spent a fair bit of time looking into this.  I am interested in making FreeRADIUS better, after all.
> 
>> + 	update request {
>> + 		Called-Station-SSID !* ANY
>> + 		Called-Station-SSID := outer.Called-Station-SSID
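Review bot: the right-hand side of the `:=` line, `outer.Called-Station-SSID`, is a bare word with neither the `&` prefix nor a list qualifier, and this thread reports different results for it on 3.0.4 and 3.0.8. Writing it as `&outer.request:Called-Station-SSID`, one of the forms tested further down, states the intent without depending on how a given version parses the bare word.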
> 
>   That's wrong.  It's not a valid attribute reference.
> 
>   Most of the rest of the changes are needlessly complicated.  You don't need to delete the Called-Station-SSID and then re-add it.  You can just use ":=", as that's its documented behaviour.

I did that for the tests to reset the attribute. Otherwise those not
working assignments wouldn't change the attribute, i.e. the value which
was set in an assignment before would show up in the reply message...

>  You don't need to check for the existence of the Called-Station-Id, you can just use it in the Reply-Message

Which will give me an error message (at least in 3.0.4) if the attribute
does not exist.

>   And it works in my tests, with the exception of the wrong attribute reference above.

Interesting. I have just compiled freeradius 3.0.8 from the tarball on a
CentOS 7. Now all assignments assign something.
outer.request:Called-Station-SSID and &outer.request:Called-Station-SSID
as well as outer.Called-Station-SSID and &outer.Called-Station-SSID all
assign the current value of the outer Called-Station-SSID attribute.

i.e.,

Called-Station-SSID := outer.Called-Station-SSID

is working in my tests with freeradius 3.0.8, unlike yours. Still the
identical configuration from my previous tests (except for the
allow_vulnerable_openssl flag to get it started). Just downloaded
freeradius-server-3.0.8, configured, compiled, installed, and ran... So
it puzzles me why it worked in my tests...

Either way, the problem of accessing the outer attributes seems to have been
fixed between 3.0.4 and 3.0.8. As I can still access the attributes
using "%{outer.request:Called-Station-SSID}" it doesn't bother me that
much, thus I would stick with the RHEL/CentOS 7.1 3.0.4 RPM. But I guess
I could submit a bug report to RHEL and hope that they'll include an
updated version with 7.2...

-Gerald

Here is the debug output of the assignments in the inner tunnel on my
3.0.8 tests:

(9)   # Executing section authorize from file /etc/raddb.TEST//sites-enabled/inner-tunnel
(9)     authorize {
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := &Called-Station-SSID -> MYSSID
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 1: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 1: Called-Station-SSID = MYSSID
(9)           Reply-Message += 1: Called-Station-SSID = MYSSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := "outer.request:Called-Station-SSID"
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 1a: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 1a: Called-Station-SSID = outer.request:Called-Station-SSID
(9)           Reply-Message += 1a: Called-Station-SSID = outer.request:Called-Station-SSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := &Called-Station-SSID -> MYSSID
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 1b: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 1b: Called-Station-SSID = MYSSID
(9)           Reply-Message += 1b: Called-Station-SSID = MYSSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := &Called-Station-SSID -> MYSSID
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 2: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 2: Called-Station-SSID = MYSSID
(9)           Reply-Message += 2: Called-Station-SSID = MYSSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := "outer.Called-Station-SSID"
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 2a: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 2a: Called-Station-SSID = outer.Called-Station-SSID
(9)           Reply-Message += 2a: Called-Station-SSID = outer.Called-Station-SSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         Called-Station-SSID := &Called-Station-SSID -> MYSSID
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 2b: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 2b: Called-Station-SSID = MYSSID
(9)           Reply-Message += 2b: Called-Station-SSID = MYSSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
(9)       update request {
(9)         Called-Station-SSID !* ANY
(9)         EXPAND %{outer.request:Called-Station-SSID}
(9)            --> MYSSID
(9)         Called-Station-SSID := MYSSID
(9)       } # update request = noop
(9)       if ( Called-Station-SSID ) {
(9)       if ( Called-Station-SSID )  -> TRUE
(9)       if ( Called-Station-SSID )  {
(9)         update reply {
(9)           EXPAND 3: Called-Station-SSID = %{Called-Station-SSID}
(9)              --> 3: Called-Station-SSID = MYSSID
(9)           Reply-Message += 3: Called-Station-SSID = MYSSID
(9)         } # update reply = noop
(9)       } # if ( Called-Station-SSID )  = noop
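
In cases 1a and 2a of the debug output above, the double-quoted right-hand side is stored as literal text, so Called-Station-SSID ends up holding the string "outer.request:Called-Station-SSID" instead of the SSID. The following check is an added example, not part of the original post and not FreeRADIUS code: it flags such assignments in debug output or in unlang files. The regexes and the function name are assumptions made for illustration, and the sample lines are constructed from the output above.

```python
import re

# Optional "(9)" debug prefix, then:  Attribute OP "double-quoted value"
ASSIGN = re.compile(
    r'^\s*(?:\(\d+\)\s+)?(?P<attr>[A-Za-z][\w-]*)\s*'
    r'(?P<op>:=|\+=|=)\s*"(?P<val>[^"]*)"\s*$'
)

# A quoted value spelled like a qualified attribute name, e.g.
# outer.request:Called-Station-SSID or outer.Called-Station-SSID.
# A "%{...}" expansion does not match, because it is expanded at run time.
REF_LIKE = re.compile(
    r'^&?(?:outer\.(?:(?:request|reply|control):)?|(?:request|reply|control):)'
    r'[A-Za-z][\w-]*$'
)


def find_literal_refs(lines):
    """Return (line_no, attribute, value) for each quoted literal that
    looks like an attribute reference the author meant to dereference."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = ASSIGN.match(line)
        if m and REF_LIKE.match(m.group("val")):
            hits.append((no, m.group("attr"), m.group("val")))
    return hits


# Constructed sample: five lines in the style of the debug output above,
# plus one config-style line using the %{...} expansion form.
SAMPLE = '''\
(9)         Called-Station-SSID := &Called-Station-SSID -> MYSSID
(9)         Called-Station-SSID := "outer.request:Called-Station-SSID"
(9)         Called-Station-SSID := "outer.Called-Station-SSID"
(9)         EXPAND %{outer.request:Called-Station-SSID}
(9)         Called-Station-SSID := MYSSID
		Called-Station-SSID := "%{outer.request:Called-Station-SSID}"
'''.splitlines()

if __name__ == "__main__":
    for no, attr, val in find_literal_refs(SAMPLE):
        print(f"line {no}: {attr} is set to the literal string {val!r}")
```

Any inner-tunnel policy that compares Called-Station-SSID against an expected SSID would be comparing against that literal, so a hit from this check is worth fixing before the policy is relied on.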



