Provided by: freeradius-common_2.1.10+dfsg-3_all bug

NAME

       rlm_attr_filter - FreeRADIUS Module

DESCRIPTION

       The  rlm_attr_filter module exists for filtering certain attributes and
       values in received ( or transmitted ) radius  packets.   It  gives  the
       server  a  flexible  framework  to  filter the attributes we send to or
       receive from home servers or NASes.  This makes sense, for example,  in
       an  out-sourced  dialup  situation to various policy decisions, such as
       restricting a client to certain  ranges  of  Idle-Timeout  or  Session-
       Timeout.

       Filter  rules  are  normally  defined and applied on a per-realm basis,
       where the realm is anything that is defined and matched  based  on  the
       configuration  of the rlm_realm module.  Filter rules can optionally be
       applied using another attribute, by editing the key  configuration  for
       this module.

       In  2.0.1  and  earlier versions, the "accounting" section filtered the
       Accounting-Request, even though it  was  documented  as  filtering  the
       response.   This  issue  has  been  fixed  in  version  2.0.2 and later
       versions.  The "preacct" section may now be used to filter  Accounting-
       Request  packets.   The  "accounting"  section  now filters Accounting-
       Response  packets.    Administrators   using   "attr_filter"   in   the
       "accounting"  section  SHOULD  move the reference to "attr_filter" from
       "accounting" to "preacct".

       The file that defines the attribute filtering rules follows  a  similar
       syntax to the users file.  There are a few differences however:

           There are no check-items allowed other than the name of the key.

           There can only be a single DEFAULT entry.

       The  rules for each entry are parsed to top to bottom, and an attribute
       must pass *all* the rules which affect it in order to make it past  the
       filter.   Order  of  the  rules  is important.  The operators and their
       purpose in defining the rules are as follows:

       =      THIS OPERATOR IS NOT ALLOWED.  If used, and warning  message  is
              printed and it is treated as ==

       :=     Set,  this  attribute  and  value  will  always be placed in the
              output A/V Pairs.  If the attribute exists, it is overwritten.

       ==     Equal, value must match exactly.

       =*     Always Equal, allow all values for the specified attribute.

       !*     Never Equal, disallow all values for the specified attribute.  (
              This is redundant, as any A/V Pair not explicitly permitted will
              be dropped ).

       !=     Not Equal, value must not match.

       >=     Greater Than or Equal

       <=     Less Than or Equal

       >      Greater Than

       <      Less Than

       If regular expressions are enabled the  following  operators  are  also
       possible.   (  Regular  Expressions are included by default unless your
       system doesn't support them, which should be rare ).  The  value  field
       uses standard regular expression syntax.

       =~     Regular Expression Equal

       !~     Regular Expression Not Equal

       See  the  default  /etc/raddb/attrs for working examples of sample rule
       ordering and how to use the different operators.

       The configuration items are:

       attrsfile
              This specifies the location of the file used to load the  filter
              rules.   This  file  is  used to filter the accounting response,
              packet before it  is  proxied,  proxy  response  from  the  home
              server, or our response to the NAS.

       key    Usually  %{Realm}  (the  default).  Can also be %{User-Name}, or
              other attribute that exists  in  the  request.   Note  that  the
              module  always keys off of attributes in the request, and NOT in
              any other packet.

SECTIONS

       preacct
              Filters Accounting-Request packets.

       accounting
              Filters Accounting-Response packets.

       pre-proxy
              Filters Accounting-Request or Access-Request  packets  prior  to
              proxying them.

       post-proxy
              Filters  Accounting-Response,  Access-Accept,  Access-Reject, or
              Access-Challenge responses from a home server.

       authorize
              Filters Access-Request packets.

       post-auth
              Filters Access-Accept or Access-Reject packets.

FILES

       /etc/raddb/radiusd.conf /etc/raddb/attrs

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                               12 February 2008             rlm_attr_filter(5)