.. _pppd_compat_examples:

pppd-compat examples
====================

The Accel-ppp module ``pppd_compat`` (configured in the ``[pppd-compat]`` section) executes scripts when an **ip-up**, **ip-down** or **ip-change** event occurs for a customer's session.

The examples below show how to put a customer's IPv4 and IPv6 addresses into specific ipsets, depending on the value of the received RADIUS attribute ``Filter-Id``. This is useful, for example, when a **customer ipset** must be granted access only to a **specific ipset** of destinations. Because the whole policy is driven by ``Filter-Id``, these scripts should only ever see attributes coming from a trusted RADIUS server.

Example Accel-ppp configuration:

.. code-block:: ini

  [modules]
    pppd_compat

  [pppd-compat]
    # Session hooks. ip-change reuses the ip-up script, so the script must be
    # safe to run repeatedly for the same session (it passes -exist to ipset).
    ip-up=/etc/accel-ppp_ip-up.sh
    ip-down=/etc/accel-ppp_ip-down.sh
    ip-change=/etc/accel-ppp_ip-up.sh
    # Per-session RADIUS attributes are written to "<radattr-prefix>.<ifname>";
    # the ip-up script reads them back as /run/radattr.$1.
    radattr-prefix=/run/radattr

.. admonition:: Note:

    **ipsets** must exist before the scripts are executed, and before the iptables rules below are loaded (``-m set`` refuses to reference a set that does not exist). The hook scripts run with the privileges of the accel-pppd process, so keep them owned by root and not writable by other users.

Example ipsets creation:

.. code-block:: sh

  #!/bin/sh

  # Destination ("res") sets: the networks a restricted customer is allowed to
  # reach. They are filled by the operator; the session scripts never touch them.
  for GROUP in soc_res blk_res; do
    ipset create "${GROUP}_v4" hash:net family inet
    ipset create "${GROUP}_v6" hash:net family inet6
  done

  # Customer ("usr") sets, maintained by the ip-up / ip-down scripts.
  # IPv4 members are single session addresses (hash:ip); IPv6 members are the
  # session's prefixes (hash:net).
  ipset create blk_usr_v4 hash:ip family inet
  ipset create soc_usr_v6 hash:net family inet6
  ipset create soc_usr_v4 hash:ip family inet
  ipset create blk_usr_v6 hash:net family inet6

Example ``/etc/accel-ppp_ip-up.sh`` script (also used for **ip-change**):

.. code-block:: sh

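  #!/bin/sh

  # ip-up / ip-change hook for accel-ppp ([pppd-compat] ip-up= and ip-change=).
  # Puts the session's IPv4 address and IPv6 prefixes into the customer ipset
  # selected by the RADIUS "Filter-Id" attribute and removes them from the other.
  #
  # Inputs (see accel-pppd/extra/pppd_compat.c):
  #   $1                      interface name; the session's attribute file is
  #                           "<radattr-prefix>.$1", here /run/radattr.<ifname>
  #   $5                      IPv4 address assigned to the customer
  #   IPV6_PREFIX             environment variable set by accel-ppp (may be empty)
  #   IPV6_DELEGATED_PREFIX   environment variable set by accel-ppp (may be empty)
  #   CALLED_SID, CALLING_SID environment variables set by accel-ppp, logged only
  #
  # This is POSIX sh: bash's "&> file" must not be used here. /bin/sh parses
  # "cmd &> file" as "cmd &" (run in background) followed by a redirect, so the
  # del/add calls would race each other instead of running in order.

  # Option "Active".
  ACTIVE_FILTER_ID=1

  # Option "Paysystems".
  BLOCK_SET_V4='blk_usr_v4'
  BLOCK_SET_V6='blk_usr_v6'
  BLOCK_FILTER_ID=2

  # Option "Social".
  SOCIAL_SET_V4='soc_usr_v4'
  SOCIAL_SET_V6='soc_usr_v6'
  SOCIAL_FILTER_ID=3

  # argv[5], contains IPv4-address.
  IPV4=$5

  # argv[1], contains interface name.
  RADATTR="/run/radattr.$1"

  # ipset_op ACTION SET ADDRESS
  # Runs "ipset add|del SET ADDRESS". Skipped when ADDRESS is empty (session
  # without an IPv6 prefix), which would otherwise be an invalid ipset call.
  # -exist makes the call idempotent, so ip-change may re-run this script.
  ipset_op() {
    [ -n "$3" ] || return 0
    ipset "$1" "$2" "$3" -exist -quiet >/dev/null 2>&1
  }

  # apply ACTION SET_V4 SET_V6
  # Applies ACTION to every address of the session in the given set pair.
  apply() {
    ipset_op "$1" "$2" "$IPV4"
    ipset_op "$1" "$3" "$IPV6_PREFIX"
    ipset_op "$1" "$3" "$IPV6_DELEGATED_PREFIX"
  }

  ADDRS="IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"

  if [ ! -f "$RADATTR" ]; then
    logger -t ip-change "radattr file not found, $CALLED_SID $CALLING_SID"
    exit 0
  fi

  # Value of the "Filter-Id" RADIUS attribute. The file is read as one
  # "Name value" line per attribute (the same layout the original "print $2"
  # assumed). Match the attribute name exactly rather than with a bare
  # /Filter-Id/ regex, which would also hit any other line containing that
  # text, and stop at the first hit so a duplicated attribute cannot yield
  # a multi-word value such as "2 3".
  FILTER_ID=$(awk '$1 == "Filter-Id" { print $2; exit }' "$RADATTR")

  # All comparisons are quoted: with an absent attribute, an unquoted
  # [ $FILTER_ID = 1 ] is a syntax error and the script silently does nothing.
  case "$FILTER_ID" in
    "$ACTIVE_FILTER_ID")
      apply del "$BLOCK_SET_V4"  "$BLOCK_SET_V6"
      apply del "$SOCIAL_SET_V4" "$SOCIAL_SET_V6"
      logger -t ip-change "Allowed: $ADDRS"
      ;;
    "$BLOCK_FILTER_ID")
      apply del "$SOCIAL_SET_V4" "$SOCIAL_SET_V6"
      apply add "$BLOCK_SET_V4"  "$BLOCK_SET_V6"
      logger -t ip-change "Blocked: $ADDRS"
      ;;
    "$SOCIAL_FILTER_ID")
      apply del "$BLOCK_SET_V4"  "$BLOCK_SET_V6"
      apply add "$SOCIAL_SET_V4" "$SOCIAL_SET_V6"
      logger -t ip-change "Social: $ADDRS"
      ;;
    *)
      # Unknown or missing Filter-Id: set membership is left untouched, as
      # before, but the event is logged instead of being dropped silently.
      logger -t ip-change "Unknown Filter-Id '$FILTER_ID', ipsets unchanged: $ADDRS"
      ;;
  esac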

Example /etc/accel-ppp_ip-down.sh script:

.. code-block:: sh

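  #!/bin/sh

  # ip-down hook for accel-ppp ([pppd-compat] ip-down=). Removes the session's
  # addresses from every customer ipset, so that a later session handed the
  # same address does not inherit this session's restrictions (or lack of them).
  #
  # Inputs (see accel-pppd/extra/pppd_compat.c):
  #   $5                     IPv4 address assigned to the customer
  #   IPV6_PREFIX            environment variable set by accel-ppp (may be empty)
  #   IPV6_DELEGATED_PREFIX  environment variable set by accel-ppp (may be empty)
  #
  # This is POSIX sh: bash's "&> file" must not be used here, because /bin/sh
  # parses "cmd &> file" as "cmd &" (background) followed by a redirect.

  # Option "Blocked".
  BLOCK_SET_V4='blk_usr_v4'
  BLOCK_SET_V6='blk_usr_v6'

  # Option "Social".
  SOCIAL_SET_V4='soc_usr_v4'
  SOCIAL_SET_V6='soc_usr_v6'

  # argv[5], contains IPv4-address.
  IPV4=$5

  # ipset_del SET ADDRESS
  # Deletes ADDRESS from SET; skipped when ADDRESS is empty (no IPv6 prefix
  # for this session). -exist keeps a missing entry from being an error.
  ipset_del() {
    [ -n "$2" ] || return 0
    ipset del "$1" "$2" -exist -quiet >/dev/null 2>&1
  }

  # Delete the customer's IPv4 address and both IPv6 prefixes from all ipsets.
  for SET in "$BLOCK_SET_V4" "$SOCIAL_SET_V4"; do
    ipset_del "$SET" "$IPV4"
  done
  for PREFIX in "$IPV6_PREFIX" "$IPV6_DELEGATED_PREFIX"; do
    for SET in "$BLOCK_SET_V6" "$SOCIAL_SET_V6"; do
      ipset_del "$SET" "$PREFIX"
    done
  done
  logger -t ip-change "Removing from all ipsets: IPv4 $IPV4, IPv6 $IPV6_PREFIX, IPv6-DP $IPV6_DELEGATED_PREFIX"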

Example iptables/ip6tables rules. They are all DROP rules in the ``FORWARD`` chain, so they must be placed before any rule that ACCEPTs forwarded customer traffic; appended after such a rule they never match. Customers whose addresses are in neither ``blk_usr_*`` nor ``soc_usr_*`` are not affected by these rules at all:

.. code-block:: sh

  # restrict IPTABLES_BINARY FAMILY_SUFFIX
  # For each customer group (blk, soc): drop traffic from a customer in
  # <group>_usr_<suffix> unless its destination is in <group>_res_<suffix>,
  # then drop traffic towards such a customer unless its source is in the
  # group's "res" set. Rules are appended in the same order as the original
  # listing: both outbound rules first, then both inbound rules.
  restrict() {
    for GROUP in blk soc; do
      "$1" -t filter -A FORWARD -m set --match-set "${GROUP}_usr_$2" src -m set ! --match-set "${GROUP}_res_$2" dst -j DROP
    done
    for GROUP in blk soc; do
      "$1" -t filter -A FORWARD -m set ! --match-set "${GROUP}_res_$2" src -m set --match-set "${GROUP}_usr_$2" dst -j DROP
    done
  }

  restrict iptables v4
  restrict ip6tables v6