+
+ +
+

pppd-compat examples

+

Accel-ppp module [pppd-compat] is useful to execute scripts when ip-up|ip-down|ip-change event for customer’s session occurs.

+

Examples below show how to put cusomer’s IPv4 & IPv6 to specific ipsets, depending on the value of received RADIUS-attribute named Filter-Id. For example, it can be useful if one needs to grant access from customer ipset only to specific ipset.

+

Example Accel-ppp configuration:

+
[modules]
+pppd_compat
+
+[pppd-compat]
+ip-up=/etc/accel-ppp_ip-up.sh
+ip-down=/etc/accel-ppp_ip-down.sh
+ip-change=/etc/accel-ppp_ip-up.sh
+radattr-prefix=/run/radattr
+
+
+
+

Note:

+

ipsets must exist before scripts are executed.

+
+

Example ipsets creation:

+
#!/bin/sh
+
+ipset create soc_res_v4 hash:net family inet
+ipset create soc_res_v6 hash:net family inet6
+ipset create blk_res_v4 hash:net family inet
+ipset create blk_res_v6 hash:net family inet6
+ipset create blk_usr_v4 hash:ip family inet
+ipset create soc_usr_v6 hash:net family inet6
+ipset create soc_usr_v4 hash:ip family inet
+ipset create blk_usr_v6 hash:net family inet6
+
+
+

Example /etc/accel-ppp_ip-up.sh script:

+
#!/bin/sh
+
+# Option "Active".
+ACTIVE_FILTER_ID=1
+
+# Option "Paysystems".
+BLOCK_SET_V4='blk_usr_v4'
+BLOCK_SET_V6='blk_usr_v6'
+BLOCK_FILTER_ID=2
+
+# Option "Social".
+SOCIAL_SET_V4='soc_usr_v4'
+SOCIAL_SET_V6='soc_usr_v6'
+SOCIAL_FILTER_ID=3
+
+# argv[5], contains IPv4-address,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+IPV4=$5
+
+# argv[1], contains interface name.
+RADATTR='/run/radattr.'$1
+
+# Add|delete client's IPv4|IPv6 addresses to a specific ipset.
+# $IPV6_PREFIX and $IPV6_DELEGATED_PREFIX are environment variables of Accel-ppp,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+if [ -f $RADATTR ]; then
+  # Get value of "Filter-Id" RADIUS-attribute.
+  FILTER_ID=$(awk '/Filter-Id/ {print $2}' $RADATTR)
+  if [ $FILTER_ID = $ACTIVE_FILTER_ID ]; then
+    ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Allowed: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  elif [ $FILTER_ID = $BLOCK_FILTER_ID ]; then
+    ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Blocked: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  elif [ $FILTER_ID = $SOCIAL_FILTER_ID ]; then
+    ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Social: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  fi
+else
+  logger -t ip-change "radattr file not found, $CALLED_SID $CALLING_SID"
+fi
+
+
+

Example /etc/accel-ppp_ip-down.sh script:

+
#!/bin/sh
+
+# Option "Blocked".
+BLOCK_SET_V4='blk_usr_v4'
+BLOCK_SET_V6='blk_usr_v6'
+
+# Option "Social".
+SOCIAL_SET_V4='soc_usr_v4'
+SOCIAL_SET_V6='soc_usr_v6'
+
+# argv[5], contains IPv4-address,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+IPV4=$5
+
+# Delete customer's IPv4|Pv6 addresses from all ipsets,
+# $IPV6_PREFIX and $IPV6_DELEGATED_PREFIX are environment variables from Accel-ppp,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+logger -t ip-change "Removing from all ipsets: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+
+
+

Example iptables/ipv6tables rules:

+
iptables -t filter -A FORWARD -m set --match-set blk_usr_v4 src -m set ! --match-set blk_res_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set --match-set soc_usr_v4 src -m set ! --match-set soc_res_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set ! --match-set blk_res_v4 src -m set --match-set blk_usr_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set ! --match-set soc_res_v4 src -m set --match-set soc_usr_v4 dst -j DROP
+
+ip6tables -t filter -A FORWARD -m set --match-set blk_usr_v6 src -m set ! --match-set blk_res_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set --match-set soc_usr_v6 src -m set ! --match-set soc_res_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set ! --match-set blk_res_v6 src -m set --match-set blk_usr_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set ! --match-set soc_res_v6 src -m set --match-set soc_usr_v6 dst -j DROP
+
+
+
+ + +
+