+ +

Lua examples

Important that accel-ppp was built with lua support cmake -DLUA=TRUE or if system has more modern lua version, need this sets, for example cmake -DLUA=5.3

Example accel-ppp configuration:

[ipoe]
+  lua-file=/etc/accel-ppp.lua
+  username=lua:username_func
+

+

Create /etc/accel-ppp.lua and edit. Example for D-link switches with Option 82:

#!lua
+  function username_func(pkt)
+    v,b1,b2,b3,b4=string.unpack(pkt:agent_remote_id():sub(-4),'bbbb')
+    ip=b1..'.'..b2..'.'..b3..'.'..b4
+    v,port=string.unpack(string.sub(pkt:agent_circuit_id(),'-1'),'b')
+    local username=ip..'-'..port
+--  print(username)
+    return username
+end
+

+

Object pkt has next functions:

hdr(name): Will return value which contained in DHCP packet header. name may receive next params: xid, ciaddr, giaddr, chaddr.
+
ifname(): Will return interface name which received packet.
+
ipaddr(): Will return client ip address exist in packet header.
+
hwaddr(): Will return client MAC address.
+
vlan(): Will return client VLAN.
+

local vlan = pkt:vlan()
+local svid = bit.rshift(vlan,16)
+local cvid = bit.band(vlan,0xffff)
+

+

options(): Will return table which contains number of DHCP option in received packet.
+
option(num): Will return value with option number num.
+
agent_circuit_id(): Will return agent_circuit_id option 82.
+
agent_remote_id(): Will return agent_remote_id option 82.
+

Note:

All function return type string, except for options()

Also to accel-ppp includes packet lpack for disassemble binary data. +It add to object string additional function unpack(binary, fmt), where binary is string which contain binary data, and fmt is data format. To fmt may be sets next data types:

z - zero terminated string

p - string precended by length byte

P - string precended by length word

f - float

d - double

c - int8_t

b - uint8_t

h - int16_t

H - uint16_t

i - int32_t

I - uint32_t

l - int64_t

L - uint64_t

< - little endian

> - big endian

= - native endian

+ + +

+ +

pppd-compat examples

Accel-ppp module [pppd-compat] is useful to execute scripts when ip-up|ip-down|ip-change event for customer’s session occurs.

Examples below show how to put cusomer’s IPv4 & IPv6 to specific ipsets, depending on the value of received RADIUS-attribute named Filter-Id. For example, it can be useful if one needs to grant access from customer ipset only to specific ipset.

Example Accel-ppp configuration:

[modules]
+pppd_compat
+
+[pppd-compat]
+ip-up=/etc/accel-ppp_ip-up.sh
+ip-down=/etc/accel-ppp_ip-down.sh
+ip-change=/etc/accel-ppp_ip-up.sh
+radattr-prefix=/run/radattr
+

+

Note:

ipsets must exist before scripts are executed.

Example ipsets creation:

#!/bin/sh
+
+ipset create soc_res_v4 hash:net family inet
+ipset create soc_res_v6 hash:net family inet6
+ipset create blk_res_v4 hash:net family inet
+ipset create blk_res_v6 hash:net family inet6
+ipset create blk_usr_v4 hash:ip family inet
+ipset create soc_usr_v6 hash:net family inet6
+ipset create soc_usr_v4 hash:ip family inet
+ipset create blk_usr_v6 hash:net family inet6
+

+

Example /etc/accel-ppp_ip-up.sh script:

#!/bin/sh
+
+# Option "Active".
+ACTIVE_FILTER_ID=1
+
+# Option "Paysystems".
+BLOCK_SET_V4='blk_usr_v4'
+BLOCK_SET_V6='blk_usr_v6'
+BLOCK_FILTER_ID=2
+
+# Option "Social".
+SOCIAL_SET_V4='soc_usr_v4'
+SOCIAL_SET_V6='soc_usr_v6'
+SOCIAL_FILTER_ID=3
+
+# argv[5], contains IPv4-address,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+IPV4=$5
+
+# argv[1], contains interface name.
+RADATTR='/run/radattr.'$1
+
+# Add|delete client's IPv4|IPv6 addresses to a specific ipset.
+# $IPV6_PREFIX and $IPV6_DELEGATED_PREFIX are environment variables of Accel-ppp,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+if [ -f $RADATTR ]; then
+  # Get value of "Filter-Id" RADIUS-attribute.
+  FILTER_ID=$(awk '/Filter-Id/ {print $2}' $RADATTR)
+  if [ $FILTER_ID = $ACTIVE_FILTER_ID ]; then
+    ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Allowed: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  elif [ $FILTER_ID = $BLOCK_FILTER_ID ]; then
+    ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset add $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Blocked: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  elif [ $FILTER_ID = $SOCIAL_FILTER_ID ]; then
+    ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+    ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    ipset add $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+    logger -t ip-change "Social: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+  fi
+else
+  logger -t ip-change "radattr file not found, $CALLED_SID $CALLING_SID"
+fi
+

+

Example /etc/accel-ppp_ip-down.sh script:

#!/bin/sh
+
+# Option "Blocked".
+BLOCK_SET_V4='blk_usr_v4'
+BLOCK_SET_V6='blk_usr_v6'
+
+# Option "Social".
+SOCIAL_SET_V4='soc_usr_v4'
+SOCIAL_SET_V6='soc_usr_v6'
+
+# argv[5], contains IPv4-address,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+IPV4=$5
+
+# Delete customer's IPv4|Pv6 addresses from all ipsets,
+# $IPV6_PREFIX and $IPV6_DELEGATED_PREFIX are environment variables from Accel-ppp,
+# (https://github.com/xebd/accel-ppp/blob/master/accel-pppd/extra/pppd_compat.c).
+ipset del $BLOCK_SET_V4  $IPV4 -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V4 $IPV4 -exist -quiet &> /dev/null
+ipset del $BLOCK_SET_V6  $IPV6_PREFIX -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V6 $IPV6_PREFIX -exist -quiet &> /dev/null
+ipset del $BLOCK_SET_V6  $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+ipset del $SOCIAL_SET_V6 $IPV6_DELEGATED_PREFIX -exist -quiet &> /dev/null
+logger -t ip-change "Removing from all ipsets: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"
+

+

Example iptables/ipv6tables rules:

iptables -t filter -A FORWARD -m set --match-set blk_usr_v4 src -m set ! --match-set blk_res_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set --match-set soc_usr_v4 src -m set ! --match-set soc_res_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set ! --match-set blk_res_v4 src -m set --match-set blk_usr_v4 dst -j DROP
+iptables -t filter -A FORWARD -m set ! --match-set soc_res_v4 src -m set --match-set soc_usr_v4 dst -j DROP
+
+ip6tables -t filter -A FORWARD -m set --match-set blk_usr_v6 src -m set ! --match-set blk_res_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set --match-set soc_usr_v6 src -m set ! --match-set soc_res_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set ! --match-set blk_res_v6 src -m set --match-set blk_usr_v6 dst -j DROP
+ip6tables -t filter -A FORWARD -m set ! --match-set soc_res_v6 src -m set --match-set soc_usr_v6 dst -j DROP
+

+

+ + +

+ +

Examples

Lua examples

pppd-compat examples