Hi,
> That's not how the attr_filter module works.
well, you COULD call a new filter instance...from a policy.
> The filter works on a realm-basis only, i.e. if it is from this realm (and if the realm does not exist in the filter, the DEFAULT section matches), let the attribute pass, if not, strip it from the request/reply. If you want to do more advanced processing, you let the attribute pass, and then write unlang statements to either remove it or leave it in the reply (or request), or don't use attr_filter at all.
being FR you should be able to call the filter whenever/wherever you like. so you could/should
be able to change policy - especially if we are using a separate VirtualServer (which really for
ease of use and sanity) we should be doing.
> So yeah, for apc.moonshot.ja.net I would say the least we should do is provide this as standard, since Adam has pointed out that *any* RADIUS request/reply to/from the APC must be left alone.
'as standard' means in the main release... I'm not sure about that. I'd go with the 'enable it if you want it' approach.
as for 'must be left alone' - what do you mean? surely the packets are as playable as any other system - I guess what you
mean is that there are key things that must be present or it breaks. that's fair enough - in this case there's a load of attributes
in the DEFAULT list that I don't think are applicable at all - so if you define a list it's probably better off as not being fall-through
I'd propose something like
attr_filter_moonshot:

    attr_filter attr_filter.moonshot.post-proxy {
        filename = ${confdir}/attrs.moonshot
    }
    attr_filter attr_filter.moonshot.pre-proxy {
        filename = ${confdir}/attrs.moonshot
    }
    attr_filter attr_filter.moonshot.access_reject {
        key = %{User-Name}
        filename = ${confdir}/attrs.moonshot
    }
    attr_filter attr_filter.moonshot.access_challenge {
        key = %{User-Name}
        filename = ${confdir}/attrs.moonshot
    }

or some such (the access_challenge one is interesting...it really should be a very small
subset..so we could/should(?) keep the default and not call it here.....)
then in the moonshot VS we simply call
attr_filter.moonshot.post-proxy et al
then we can do what we want
alan
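
A simplified model of the matching behaviour described in the quoted text (entry selected by key, DEFAULT as fallback, optional fall-through), as an added example that is not part of the original message and is not FreeRADIUS code. The attribute lists, the sample packet and the function names are constructed for illustration, and only the `=* ANY` and `==` operators are modelled.

```python
# Simplified model of key-based attribute filtering; not FreeRADIUS source.
# Constructed sample rules: the realm name is from the thread, the
# attribute lists are illustrative assumptions.
RULES = """\
apc.moonshot.ja.net
    EAP-Message =* ANY,
    Message-Authenticator =* ANY,
    State =* ANY
DEFAULT
    EAP-Message =* ANY,
    Message-Authenticator =* ANY,
    Reply-Message =* ANY
"""
# Same rules, but the realm entry falls through into DEFAULT.
RULES_FALL_THROUGH = RULES.replace(
    "State =* ANY", "State =* ANY,\n    Fall-Through = Yes")
# Constructed sample packet (attribute name -> value).
PACKET = {"EAP-Message": "0x0201", "Message-Authenticator": "0x00",
          "State": "0xab", "Reply-Message": "hello", "Class": "0x01"}

def parse_rules(text):
    """Return [[name, [(attr, op, value)], fall_through]] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # unindented line starts an entry
            entries.append([line.strip(), [], False])
            continue
        attr, op, value = line.strip().rstrip(",").split(None, 2)
        if attr == "Fall-Through":
            entries[-1][2] = value.lower() == "yes"
        else:
            entries[-1][1].append((attr, op, value))
    return entries

def apply_filter(entries, key, packet):
    """Keep only attributes allowed by the entries selected for `key`."""
    kept = {}
    for name, checks, fall_through in entries:
        if name not in ("DEFAULT", key):   # DEFAULT matches every key
            continue
        for attr, value in packet.items():
            for c_attr, op, c_value in checks:
                if c_attr == attr and (op == "=*" or (op == "==" and value == c_value)):
                    kept[attr] = value
        if not fall_through:               # stop at first non-fall-through match
            break
    return kept
```

With the realm entry not falling through, `Reply-Message` from the DEFAULT list never reaches a packet keyed on `apc.moonshot.ja.net`; with `RULES_FALL_THROUGH` it does.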