MarcJHuber/event-driven-servers

host condition missing in script

naciohr opened this issue · 3 comments

Hello Marc,

I was trying to set up this script:

rule two {
  enabled = yes
  script {
    if (member == admin) {
      profile = two
    }
    if (host == "10.1.2.3") {
      deny
    }
    permit
  }
}

But the parser is warning that host is not a recognised filter:

Expected '(', '!', 'acl', 'time', 'arg', 'cmd', 'context', 'nac', 'nas', 'nas-name', 'nac-name', 'port', 'user', 'member', 'memberof', 'password', 'service', 'protocol', 'authen-action', 'authen-type', 'authen-service', 'authen-method', 'priv-lvl', 'vrf', 'dn', 'type', 'identity-source', 'tls-conn-version', 'tls-conn-cipher', 'tls-peer-cert-issuer', 'tls-peer-cert-subject', 'tls-conn-cipher-strength', 'tls-peer-cn' or 'tls-psk-identity', but got 'host'
52: Detected fatal configuration error. Exiting.

However, according to the railroad, it is. Actually, the warning lists all the filters present in the picture except host.
[image]

Has this option been removed?

Thanks and regards.

Hi,

thanks for reporting this issue ... I think I've plainly forgotten to implement the parsing code for that. I hope to find the time to add that later.

"nas == 10.1.2.3" should work, however. "host" refers to a host object only, but not to an IP address.

I'm unsure about these keywords; I just don't feel this is streamlined enough, yet. I'll think about that.

Thanks,

Marc

Hi,

"host" will reference a host object only, not an IP address. "nas" can reference a host object, a net object or an IP address.

As mentioned, I've the feeling that "host" vs. "nas" vs. (possibly, in the future) "nad" (network access device) is too complex and needs to be simplified sometime.

I'll push a commit that handles "host" in a couple of minutes, but, as mentioned previously, you're likely better off just using "nas".

Cheers,

Marc
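To make the suggested fix concrete, here is the rule from the original report side by side with the variant the maintainer recommends, using `nas == 10.1.2.3` in place of `host == "10.1.2.3"`. This is an added example, not configuration taken from the project's documentation or from either participant; it assumes that the `rule`/`script` syntax shown in the report is otherwise valid, that `#` starts a comment, and that `nas` accepts a bare IP address exactly as Marc writes it in his reply.

```text
# Rejected by the parser at the time of the report: 'host' only accepts a
# host object, not an IP address (see the error message in the report).
rule two {
  enabled = yes
  script {
    if (member == admin) {
      profile = two
    }
    if (host == "10.1.2.3") {
      deny
    }
    permit
  }
}

# Working variant per the maintainer's replies: 'nas' matches a host object,
# a net object or a plain IP address, so the literal address can be used
# directly. (Added example; assumes the rest of the syntax is as posted.)
rule two {
  enabled = yes
  script {
    if (member == admin) {
      profile = two
    }
    if (nas == 10.1.2.3) {
      deny
    }
    permit
  }
}
```

Note that in both versions the `deny` branch is reached before the trailing `permit`, so a request from 10.1.2.3 is denied regardless of the earlier `member == admin` match. Defining a host object and matching it with `host ==` would be the other route Marc describes, but the page does not show that object's syntax, so it is not reproduced here.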