Unlang Policy Language Overview

The server supports a simple processing language called "Unlang", which is short for "unlanguage". The original intention of using an "unlanguage" was to avoid creating yet another programming language.

Unlang allows simple conditional checks and editing of attributes and attribute lists. Where more complicated functionality is required, Perl or Python modules rlm_perl or rlm_python are recommended.

The goal of Unlang is to allow simple policies to be written with minimal effort. Conditional checks can be performed by the policies, which can then update the request or response attributes based on the results of those checks. Unlang can only be used in a processing section (e.g., authorize, authenticate, post-auth, preacct, accounting, pre-proxy, post-proxy, and session); it cannot be used anywhere else, including in configuration sections for a client or a module. The reason for this limitation is that the language is intended to perform specific actions on requests and responses. The client and module sections contain definitions for a client or module; they do not define how a request is processed.

The Unlang syntax is based on reserved words, which dictate how the text that follows should be interpreted. The syntax for each word is line oriented. Subsections are sometimes allowed, just like with other portions of radiusd.conf. Where the lines are too long, the backslash character can be used to link multiple lines together.

Note that unlike most programming languages, whitespace is important in Unlang. For example, the following two statements are not identical. Although the only difference between the two statements is the placement of the first hard return, the first will parse correctly, and the second will return a parse error:

if (foo) {
    ...
}

versus:

if (foo)
{
    ...
}