[EXT] Re: warning? about attr_filter for default Debian configs
Terry Burton
tez at terryburton.co.uk
Thu Dec 10 21:50:25 CET 2020
On Thu, 10 Dec 2020 at 20:42, Brian Julin <BJulin at clarku.edu> wrote:
> Matt Zagrabelny via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> > Thanks again for the dialog - it really does help me (us) understand the
> > software better.
>
> In way of explanation, I'm going to go out on a limb and make an educated guess that
> there's a generic mechanism warning about the use of internally used attributes
> in the filter module, as those attributes have no representation on the wire, and
> that there turned out to be a use case for internally handling Access-Reject packets
> (it would seem these are timing parameters, so something to do with DoS/flood protection
> or a keepalive mechanism.) This ended up passing these attributes through
> the attribute filter module, so they were exempted as a quick fix rather than
> specially handling the internally handled packets.
This hasn't affected the official packages for some time:
$ git log raddb/mods-config/attr_filter/access_reject
commit 76e8c12fb728a3634cebeb56d36cf26f5ebf4951
Author: Matthew Newton <matthew-git at newtoncomputing.co.uk>
Date: Mon Nov 12 18:11:30 2018 +0000
attr_filter: Don't permit FreeRADIUS-Response-Delay in reject
No-op, but they're internal attributes so can't go in a reply
anyway, and cause a warning at every server start.
...
More information about the Freeradius-Users
mailing list