FreeRADIUS InkBridge

Forcing Return Codes

In some cases, it is useful to force a particular return code for a section. Due to the way that the server is designed, these return codes are not special keywords, but are instead just instances of the always module.

Forcing a return code allows a policy to reject a request immediately, or to perform another action on it.

The return codes which can be forced are:

  • disallow
  • fail
  • handled
  • invalid
  • noop
  • notfound
  • ok
  • reject
  • updated

See the next section for the meaning of each return code.

Note that it is not possible to force a timeout return code, as there is already a timeout keyword, which enforces a timeout on a section. In order to force a timeout rcode, you should specify a timeout section with 0 as the timeout value.

Example of forcing reject:

    if (!User-Name) {
        reply += {
            Reply-Message = "We don't know who you are"
        }
        reject
    }

Example of forcing timeout:

    timeout 0 {}

Module Return Codes

The following table defines the meaning of each module return code.

| Return code | Description |
|-------------|-------------|
| disallow | Access to a particular resource is denied. This is similar to reject but is the result of an authorization check failing, as opposed to credentials being incorrect. |
| fail | The operation failed. Usually as a result of an external dependency like a database being unavailable or an internal error. |
| handled | The request has been "handled", no further policies in the current section should be called, and the section should immediately exit. |
| invalid | The request, or operation, was invalid. In the case of requests this usually indicates absent or malformed attribute values. |
| noop | The operation did nothing. |
| notfound | A 'lookup' operation returned no results. |
| ok | Operation completed successfully. |
| reject | The operation indicates the current request should be 'rejected'. What this actually means is different from protocol to protocol. It usually means that access to the requested resource should be denied, or that the current request should be NAKd. Usually returned when provided credentials were invalid. |
| timeout | The operation failed due to a timeout. |
| updated | The operation completed successfully and updated one or more attributes in the request. |

There is an additional internal rcode which has a "not set" value. It is used by the interpreter and generally not visible. You cannot check for this value, or use it in any situation where an rcode is allowed. If this rcode is returned by a module, it indicates an internal problem in the server.

In versions before 4.0, the disallow rcode was called userlock. The terms disallow and userlock have an identical meaning. disallow will be returned in any instance where userlock was returned in v3.0.x or v3.2.x.
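The following is an added example, not part of the FreeRADIUS documentation or source: a small Python audit helper that lists every forced return code in a policy along with the section it sits in, and flags the two cases this page calls out, a bare timeout and the pre-4.0 name userlock. The function name, the one-statement-per-line assumption, and the sample policy are constructed for illustration.

```python
import re

# Return codes this page lists as forceable; "timeout" is deliberately absent.
FORCEABLE = {"disallow", "fail", "handled", "invalid", "noop",
             "notfound", "ok", "reject", "updated"}

def audit_forced_rcodes(policy):
    """Return (forced, problems) for unlang text with one statement per line."""
    # forced   = [(line_no, rcode, enclosing_section_or_None)]
    # problems = [(line_no, message)]
    forced, problems, stack = [], [], []
    for no, raw in enumerate(policy.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # naive comment stripping
        if not line:
            continue
        where = stack[-1] if stack else None
        if line in FORCEABLE:
            forced.append((no, line, where))
        elif re.fullmatch(r"timeout\s+0\s*\{\s*\}", line):
            forced.append((no, "timeout", where))   # the page's "timeout 0 {}" form
        elif line == "timeout":
            problems.append((no, "timeout cannot be forced by name; use: timeout 0 {}"))
        elif line == "userlock":
            problems.append((no, "userlock is the pre-4.0 name; use disallow"))
        # Track nesting so each finding names the section it sits in.
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
    return forced, problems

# Constructed sample: the page's reject example plus three extra statements.
SAMPLE = """\
if (!User-Name) {
    reply += {
        Reply-Message = "We don't know who you are"
    }
    reject
}
userlock    # name used before 4.0
timeout
timeout 0 {}
"""

if __name__ == "__main__":
    for kind, items in zip(("forced", "problem"), audit_forced_rcodes(SAMPLE)):
        for item in items:
            print(kind, item)
```

Module calls and other statements are ignored, so the output is a short list of the places where a policy overrides the return code and can be reviewed by hand.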