Matching a prefix in huntgroups file
Alan DeKok
aland at deployingradius.com
Mon Nov 7 17:03:49 CET 2016
>
> On Nov 4, 2016, at 5:56 PM, Brian Candler <b.candler at pobox.com> wrote:
>
> On 04/11/2016 16:59, Alan DeKok wrote:
>>> But does that mean you can test for an IP address being within a prefix? If so, which operator would you use? I tried:
>>>
>>> if (&NAS-IP-Address == 10.254.0.0/16) { ...
>>>
>> That should work. There are tests for it.
> Doesn't seem to. Here's a testing entry in policy.d/foo

OK... going back and reading the code helped. That should really be documented somewhere...

NAS-IP-Address is an IP address, not a network. So equality comparisons won't work. You have to do:

    if (&NAS-IP-Address < 10.254.0.0/16) {

Which checks that the IP is "within" the network. ASCII doesn't have a "set contains" character, so "<" is the best we can do.

>> Or, just cast NAS-IP-Address to <ipv4prefix>
>>
>>
> That doesn't seem to work either:
>
>
> (0) policy foo {
> (0) if (<ipv4prefix>10.254.1.1 == 10.254.0.0/16) {
> (0) if (<ipv4prefix>10.254.1.1 == 10.254.0.0/16) -> FALSE

Because the LHS is a /32, and the RHS is a /16.

Alan DeKok.
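
An added illustration, not part of the original message and not FreeRADIUS code: a Python model of the comparisons discussed in this thread, built on the standard `ipaddress` module, that can be used to check a prefix-to-group mapping offline. The huntgroup table, its group names and the first-match rule are assumptions made for the example.

```python
import ipaddress


def as_prefix(value):
    """Model of the <ipv4prefix> cast: a bare address becomes a /32."""
    return ipaddress.ip_network(value, strict=True)


def prefix_equal(lhs, rhs):
    """'==' on two prefixes: address AND prefix length must both match."""
    return as_prefix(lhs) == as_prefix(rhs)


def within(addr, prefix):
    """The '<' test from the thread: is the address inside the network?

    strict=True rejects a prefix with host bits set (e.g. 10.254.1.1/16),
    which would otherwise hide a typo in the table.
    """
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=True)


# Constructed table for illustration; prefixes and group names are hypothetical.
HUNTGROUPS = [
    ("10.254.0.0/16", "lab"),
    ("192.0.2.0/24", "branch"),
]


def huntgroup_for(nas_ip, table=HUNTGROUPS):
    """Return the first group whose prefix contains nas_ip, else None."""
    for prefix, group in table:
        if within(nas_ip, prefix):
            return group
    return None


if __name__ == "__main__":
    # The cast case from the thread: /32 compared with /16 is not equal.
    print("cast == /16:", prefix_equal("10.254.1.1", "10.254.0.0/16"))
    # The containment case: the address is inside the /16.
    print("ip within /16:", within("10.254.1.1", "10.254.0.0/16"))
    for nas in ("10.254.1.1", "10.255.0.1", "192.0.2.77"):
        print(nas, "->", huntgroup_for(nas))
```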