diff options
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/interfaces-wireguard.py | 66 | ||||
-rwxr-xr-x | src/conf_mode/ipoe_server.py | 435 | ||||
-rwxr-xr-x | src/conf_mode/lldp.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/service-ipoe.py | 479 |
4 files changed, 512 insertions, 470 deletions
diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index cac911c8c..ff12a5172 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -53,7 +53,7 @@ def _migrate_default_keys(): def get_config(): c = Config() - if not c.exists('interfaces wireguard'): + if not c.exists(['interfaces', 'wireguard']): return None dflt_cnf = { @@ -80,57 +80,57 @@ def get_config(): print("ERROR: VYOS_TAGNODE_VALUE undefined") sys.exit(1) - c.set_level('interfaces wireguard') + c.set_level(['interfaces', 'wireguard']) # interface removal state if not c.exists(ifname) and c.exists_effective(ifname): wg['delete'] = True if not wg['delete']: - c.set_level('interfaces wireguard {}'.format(ifname)) - if c.exists('address'): - wg['addr'] = c.return_values('address') + c.set_level(['interfaces', 'wireguard', ifname]) + if c.exists(['address']): + wg['addr'] = c.return_values(['address']) # determine addresses which need to be removed - eff_addr = c.return_effective_values('address') + eff_addr = c.return_effective_values(['address']) wg['addr_remove'] = list_diff(eff_addr, wg['addr']) # ifalias description - if c.exists('description'): - wg['descr'] = c.return_value('description') + if c.exists(['description']): + wg['descr'] = c.return_value(['description']) # link state - if c.exists('disable'): + if c.exists(['disable']): wg['state'] = 'down' # local port to listen on - if c.exists('port'): - wg['lport'] = c.return_value('port') + if c.exists(['port']): + wg['lport'] = c.return_value(['port']) # fwmark value - if c.exists('fwmark'): - wg['fwmark'] = c.return_value('fwmark') + if c.exists(['fwmark']): + wg['fwmark'] = c.return_value(['fwmark']) # mtu if c.exists('mtu'): wg['mtu'] = c.return_value('mtu') # private key - if c.exists('private-key'): + if c.exists(['private-key']): wg['pk'] = "{0}/{1}/private.key".format( - kdir, c.return_value('private-key')) + kdir, c.return_value(['private-key'])) # peer removal, wg identifies peers by its pubkey - peer_eff = c.list_effective_nodes('peer') - peer_rem = list_diff(peer_eff, c.list_nodes('peer')) + peer_eff = c.list_effective_nodes(['peer']) + peer_rem = list_diff(peer_eff, c.list_nodes(['peer'])) for p in peer_rem: wg['peer_remove'].append( - c.return_effective_value('peer {} pubkey'.format(p))) + c.return_effective_value(['peer', p, 'pubkey'])) # peer settings - if c.exists('peer'): - for p in c.list_nodes('peer'): - if not c.exists('peer ' + p + ' disable'): + if c.exists(['peer']): + for p in c.list_nodes(['peer']): + if not c.exists(['peer', p, 'disable']): wg['peer'].update( { p: { @@ -141,26 +141,24 @@ def get_config(): } ) # peer allowed-ips - if c.exists('peer ' + p + ' allowed-ips'): + if c.exists(['peer', p, 'allowed-ips']): wg['peer'][p]['allowed-ips'] = c.return_values( - 'peer ' + p + ' allowed-ips') + ['peer', p, 'allowed-ips']) # peer endpoint - if c.exists('peer ' + p + ' endpoint'): + if c.exists(['peer', p, 'endpoint']): wg['peer'][p]['endpoint'] = c.return_value( - 'peer ' + p + ' endpoint') + ['peer', p, 'endpoint']) # persistent-keepalive - if c.exists('peer ' + p + ' persistent-keepalive'): + if c.exists(['peer', p, 'persistent-keepalive']): wg['peer'][p]['persistent-keepalive'] = c.return_value( - 'peer ' + p + ' persistent-keepalive') + ['peer', p, 'persistent-keepalive']) # preshared-key - if c.exists('peer ' + p + ' preshared-key'): + if c.exists(['peer', p, 'preshared-key']): wg['peer'][p]['psk'] = c.return_value( - 'peer ' + p + ' preshared-key') + ['peer', p, 'preshared-key']) # peer pubkeys - key_eff = c.return_effective_value( - 'peer {peer} pubkey'.format(peer=p)) - key_cfg = c.return_value( - 'peer {peer} pubkey'.format(peer=p)) + key_eff = c.return_effective_value(['peer', p, 'pubkey']) + key_cfg = c.return_value(['peer', p, 'pubkey']) wg['peer'][p]['pubkey'] = key_cfg # on a pubkey change we need to remove the pubkey first @@ -171,7 +169,7 @@ def get_config(): # if a peer is disabled, we have to exec a remove for it's pubkey else: - peer_key = c.return_value('peer {peer} pubkey'.format(peer=p)) + peer_key = c.return_value(['peer', p, 'pubkey']) wg['peer_remove'].append(peer_key) return wg diff --git a/src/conf_mode/ipoe_server.py b/src/conf_mode/ipoe_server.py deleted file mode 100755 index 1662e45e6..000000000 --- a/src/conf_mode/ipoe_server.py +++ /dev/null @@ -1,435 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -# -# - -import sys -import os -import re -import time -import socket -import subprocess -import jinja2 -import syslog as sl - -from vyos.config import Config -from vyos import ConfigError - -ipoe_cnf_dir = r'/etc/accel-ppp/ipoe' -ipoe_cnf = ipoe_cnf_dir + r'/ipoe.config' - -pidfile = r'/var/run/accel_ipoe.pid' -cmd_port = r'2002' - -chap_secrets = ipoe_cnf_dir + '/chap-secrets' -## accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p /var/run/accel_pppoe.pid - -ipoe_config = ''' -### generated by ipoe.py ### -[modules] -log_syslog -ipoe -shaper -ipv6pool -ipv6_nd -ipv6_dhcp -{% if auth['mech'] == 'radius' %} -radius -{% endif -%} -ippool -{% if auth['mech'] == 'local' %} -chap-secrets -{% endif %} - -[core] -thread-count={{thread_cnt}} - -[log] -syslog=accel-ipoe,daemon -copy=1 -level=5 - -[ipoe] -verbose=1 -{% for intfc in interfaces %} -{% if interfaces[intfc]['vlan_mon'] %} -interface=re:{{intfc}}\.\d+,\ -{% else %} -interface={{intfc}},\ -{% endif %} -shared={{interfaces[intfc]['shared']}},\ -mode={{interfaces[intfc]['mode']}},\ -ifcfg={{interfaces[intfc]['ifcfg']}},\ -range={{interfaces[intfc]['range']}},\ -start={{interfaces[intfc]['sess_start']}},\ -ipv6=1 -{% endfor %} -{% if auth['mech'] == 'noauth' %} -noauth=1 -{% endif %} -{% if auth['mech'] == 'local' %} -username=ifname -password=csid -{% endif %} - -{%- for intfc in interfaces %} -{% if (interfaces[intfc]['shared'] == '0') and (interfaces[intfc]['vlan_mon']) %} -vlan-mon={{intfc}},{{interfaces[intfc]['vlan_mon']|join(',')}} -{% endif %} -{% endfor %} - -{% if (dns['server1']) or (dns['server2']) %} -[dns] -{% if dns['server1'] %} -dns1={{dns['server1']}} -{% endif -%} -{% if dns['server2'] %} -dns2={{dns['server2']}} -{% endif -%} -{% endif -%} - -{% if (dnsv6['server1']) or (dnsv6['server2']) or (dnsv6['server3']) %} -[dnsv6] -dns={{dnsv6['server1']}} -dns={{dnsv6['server2']}} -dns={{dnsv6['server3']}} -{% endif %} - -[ipv6-nd] -verbose=1 - -[ipv6-dhcp] -verbose=1 - -{% if ipv6['prfx'] %} -[ipv6-pool] -{% for prfx in ipv6['prfx'] %} -{{prfx}} -{% endfor %} -{% for pd in ipv6['pd'] %} -delegate={{pd}} -{% endfor %} -{% endif %} - -{% if auth['mech'] == 'local' %} -[chap-secrets] -chap-secrets=/etc/accel-ppp/ipoe/chap-secrets -{% endif %} - -{% if auth['mech'] == 'radius' %} -[radius] -verbose=1 -{% for srv in auth['radius'] %} -server={{srv}},{{auth['radius'][srv]['secret']}},\ -req-limit={{auth['radius'][srv]['req-limit']}},\ -fail-time={{auth['radius'][srv]['fail-time']}} -{% endfor %} -{% if auth['radsettings']['dae-server']['ip-address'] %} -dae-server={{auth['radsettings']['dae-server']['ip-address']}}:\ -{{auth['radsettings']['dae-server']['port']}},\ -{{auth['radsettings']['dae-server']['secret']}} -{% endif -%} -{% if auth['radsettings']['acct-timeout'] %} -acct-timeout={{auth['radsettings']['acct-timeout']}} -{% endif -%} -{% if auth['radsettings']['max-try'] %} -max-try={{auth['radsettings']['max-try']}} -{% endif -%} -{% if auth['radsettings']['timeout'] %} -timeout={{auth['radsettings']['timeout']}} -{% endif -%} -{% if auth['radsettings']['nas-ip-address'] %} -nas-ip-address={{auth['radsettings']['nas-ip-address']}} -{% endif -%} -{% if auth['radsettings']['nas-identifier'] %} -nas-identifier={{auth['radsettings']['nas-identifier']}} -{% endif -%} -{% endif %} - -[cli] -tcp=127.0.0.1:2002 -''' - -### chap secrets -chap_secrets_conf = ''' -# username server password acceptable local IP addresses shaper -{% for aifc in auth['auth_if'] %} -{% for mac in auth['auth_if'][aifc] %} -{% if (auth['auth_if'][aifc][mac]['up']) and (auth['auth_if'][aifc][mac]['down']) %} -{% if auth['auth_if'][aifc][mac]['vlan'] %} -{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} -{% else %} -{{aifc}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} -{% endif %} -{% else %} -{% if auth['auth_if'][aifc][mac]['vlan'] %} -{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t* -{% else %} -{{aifc}}\t*\t{{mac.lower()}}\t* -{% endif %} -{% endif %} -{% endfor %} -{% endfor %} -''' - -##### Inline functions start #### -### config path creation -if not os.path.exists(ipoe_cnf_dir): - os.makedirs(ipoe_cnf_dir) - sl.syslog(sl.LOG_NOTICE, ipoe_cnf_dir + " created") - -def get_cpu(): - cpu_cnt = 1 - if os.cpu_count() == 1: - cpu_cnt = 1 - else: - cpu_cnt = int(os.cpu_count()/2) - return cpu_cnt - -def chk_con(): - cnt = 0 - s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", int(cmd_port))) - break - except ConnectionRefusedError: - time.sleep(0.5) - cnt +=1 - if cnt == 100: - raise("failed to start pppoe server") - break - -def accel_cmd(cmd=''): - if not cmd: - return None - try: - ret = subprocess.check_output(['/usr/bin/accel-cmd', '-p', cmd_port, cmd]).decode().strip() - return ret - except: - return 1 - -### chap_secrets file if auth mode local -def gen_chap_secrets(c): - - tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True) - chap_secrets_txt = tmpl.render(c) - old_umask = os.umask(0o077) - open(chap_secrets,'w').write(chap_secrets_txt) - os.umask(old_umask) - sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written') - -##### Inline functions end #### - -def get_config(): - c = Config() - if not c.exists('service ipoe-server'): - return None - - config_data = {} - - c.set_level('service ipoe-server') - config_data['interfaces'] = {} - for intfc in c.list_nodes('interface'): - config_data['interfaces'][intfc] = { - 'mode' : 'L2', - 'shared' : '1', - 'sess_start' : 'dhcpv4', ### may need a conifg option, can be dhcpv4 or up for unclassified pkts - 'range' : None, - 'ifcfg' : '1', - 'vlan_mon' : [] - } - config_data['dns'] = { - 'server1' : None, - 'server2' : None - } - config_data['dnsv6'] = { - 'server1' : None, - 'server2' : None, - 'server3' : None - } - config_data['ipv6'] = { - 'prfx' : [], - 'pd' : [], - } - config_data['auth'] = { - 'auth_if' : {}, - 'mech' : 'noauth', - 'radius' : {}, - 'radsettings' : { - 'dae-server' : {} - } - } - - if c.exists('interface ' + intfc + ' network-mode'): - config_data['interfaces'][intfc]['mode'] = c.return_value('interface ' + intfc + ' network-mode') - if c.return_value('interface ' + intfc + ' network') == 'vlan': - config_data['interfaces'][intfc]['shared'] = '0' - if c.exists('interface ' + intfc + ' vlan-id'): - config_data['interfaces'][intfc]['vlan_mon'] += c.return_values('interface ' + intfc + ' vlan-id') - if c.exists('interface ' + intfc + ' vlan-range'): - config_data['interfaces'][intfc]['vlan_mon'] += c.return_values('interface ' + intfc + ' vlan-range') - if c.exists('interface ' + intfc + ' client-subnet'): - config_data['interfaces'][intfc]['range'] = c.return_value('interface ' + intfc + ' client-subnet') - if c.exists('dns-server server-1'): - config_data['dns']['server1'] = c.return_value('dns-server server-1') - if c.exists('dns-server server-2'): - config_data['dns']['server2'] = c.return_value('dns-server server-2') - if c.exists('dnsv6-server server-1'): - config_data['dnsv6']['server1'] = c.return_value('dnsv6-server server-1') - if c.exists('dnsv6-server server-2'): - config_data['dnsv6']['server2'] = c.return_value('dnsv6-server server-2') - if c.exists('dnsv6-server server-3'): - config_data['dnsv6']['server3'] = c.return_value('dnsv6-server server-3') - if not c.exists('authentication mode noauth'): - config_data['auth']['mech'] = c.return_value('authentication mode') - if c.exists('authentication mode local'): - for auth_int in c.list_nodes('authentication interface'): - for mac in c.list_nodes('authentication interface ' + auth_int + ' mac-address'): - config_data['auth']['auth_if'][auth_int] = {} - if c.exists('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit'): - config_data['auth']['auth_if'][auth_int][mac] = {} - config_data['auth']['auth_if'][auth_int][mac]['up'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit upload') - config_data['auth']['auth_if'][auth_int][mac]['down'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit download') - else: - config_data['auth']['auth_if'][auth_int][mac] = {} - config_data['auth']['auth_if'][auth_int][mac]['up'] = None - config_data['auth']['auth_if'][auth_int][mac]['down'] = None - ## client vlan-id - if c.exists('authentication interface ' + auth_int + ' mac-address ' + mac + ' vlan-id'): - config_data['auth']['auth_if'][auth_int][mac]['vlan'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' vlan-id') - if c.exists('authentication mode radius'): - for rsrv in c.list_nodes('authentication radius-server'): - config_data['auth']['radius'][rsrv] = {} - if c.exists('authentication radius-server ' + rsrv + ' secret'): - config_data['auth']['radius'][rsrv]['secret'] = c.return_value('authentication radius-server ' + rsrv + ' secret') - else: - config_data['auth']['radius'][rsrv]['secret'] = None - if c.exists('authentication radius-server ' + rsrv + ' fail-time'): - config_data['auth']['radius'][rsrv]['fail-time'] = c.return_value('authentication radius-server ' + rsrv + ' fail-time') - else: - config_data['auth']['radius'][rsrv]['fail-time'] = '0' - if c.exists('authentication radius-server ' + rsrv + ' req-limit'): - config_data['auth']['radius'][rsrv]['req-limit'] = c.return_value('authentication radius-server ' + rsrv + ' req-limit') - else: - config_data['auth']['radius'][rsrv]['req-limit'] = '0' - if c.exists('authentication radius-settings'): - if c.exists('authentication radius-settings timeout'): - config_data['auth']['radsettings']['timeout'] = c.return_value('authentication radius-settings timeout') - if c.exists('authentication radius-settings nas-ip-address'): - config_data['auth']['radsettings']['nas-ip-address'] = c.return_value('authentication radius-settings nas-ip-address') - if c.exists('authentication radius-settings nas-identifier'): - config_data['auth']['radsettings']['nas-identifier'] = c.return_value('authentication radius-settings nas-identifier') - if c.exists('authentication radius-settings max-try'): - config_data['auth']['radsettings']['max-try'] = c.return_value('authentication radius-settings max-try') - if c.exists('authentication radius-settings acct-timeout'): - config_data['auth']['radsettings']['acct-timeout'] = c.return_value('authentication radius-settings acct-timeout') - if c.exists('authentication radius-settings dae-server ip-address'): - config_data['auth']['radsettings']['dae-server']['ip-address'] = c.return_value('authentication radius-settings dae-server ip-address') - if c.exists('authentication radius-settings dae-server port'): - config_data['auth']['radsettings']['dae-server']['port'] = c.return_value('authentication radius-settings dae-server port') - if c.exists('authentication radius-settings dae-server secret'): - config_data['auth']['radsettings']['dae-server']['secret'] = c.return_value('authentication radius-settings dae-server secret') - - if c.exists('client-ipv6-pool prefix'): - config_data['ipv6']['prfx'] = c.return_values('client-ipv6-pool prefix') - if c.exists('client-ipv6-pool delegate-prefix'): - config_data['ipv6']['pd'] = c.return_values('client-ipv6-pool delegate-prefix') - - return config_data - -def generate(c): - if c == None or not c: - return None - - c['thread_cnt'] = get_cpu() - - if c['auth']['mech'] == 'local': - gen_chap_secrets(c) - - tmpl = jinja2.Template(ipoe_config, trim_blocks=True) - config_text = tmpl.render(c) - open(ipoe_cnf,'w').write(config_text) - return c - -def verify(c): - if c == None or not c: - return None - - if not c['interfaces']: - raise ConfigError("service ipoe-server interface requires a value") - - for intfc in c['interfaces']: - if not c['interfaces'][intfc]['range']: - raise ConfigError("service ipoe-server interface " + intfc + " client-subnet needs a value") - - if c['auth']['mech'] == 'radius': - if not c['auth']['radius']: - raise ConfigError("service ipoe-server authentication radius-server requires a value for authentication mode radius") - else: - for radsrv in c['auth']['radius']: - if not c['auth']['radius'][radsrv]['secret']: - raise ConfigError("service ipoe-server authentication radius-server " + radsrv + " secret requires a value") - - if c['auth']['radsettings']['dae-server']: - try: - if c['auth']['radsettings']['dae-server']['ip-address']: - pass - except: - raise ConfigError("service ipoe-server authentication radius-settings dae-server ip-address value required") - try: - if c['auth']['radsettings']['dae-server']['secret']: - pass - except: - raise ConfigError("service ipoe-server authentication radius-settings dae-server secret value required") - try: - if c['auth']['radsettings']['dae-server']['port']: - pass - except: - raise ConfigError("service ipoe-server authentication radius-settings dae-server port value required") - - if len(c['ipv6']['pd']) != 0 and len(c['ipv6']['prfx']) == 0: - raise ConfigError("service ipoe-server client-ipv6-pool prefix needs a value") - - return c - -def apply(c): - if c == None: - if os.path.exists(pidfile): - accel_cmd('shutdown hard') - if os.path.exists(pidfile): - os.remove(pidfile) - return None - - if not os.path.exists(pidfile): - ret = subprocess.call(['/usr/sbin/accel-pppd', '-c', ipoe_cnf, '-p', pidfile, '-d']) - chk_con() - if ret !=0 and os.path.exists(pidfile): - os.remove(pidfile) - raise ConfigError('accel-pppd failed to start') - else: - accel_cmd('restart') - sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - sys.exit(1) diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index 978297b56..26a653ec0 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -38,7 +38,7 @@ vyos_tmpl = """ configure system platform VyOS configure system description "VyOS {{ options.description }}" -{%- if listen_on -%} +{% if options.listen_on -%} configure system interface pattern "{{ options.listen_on | join(",") }}" {%- endif %} {% if options.mgmt_addr -%} diff --git a/src/conf_mode/service-ipoe.py b/src/conf_mode/service-ipoe.py new file mode 100755 index 000000000..bd7a898d0 --- /dev/null +++ b/src/conf_mode/service-ipoe.py @@ -0,0 +1,479 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# +# + +import sys +import os +import re +import time +import socket +import subprocess +import jinja2 +import syslog as sl + +from vyos.config import Config +from vyos import ConfigError + +ipoe_cnf_dir = r'/etc/accel-ppp/ipoe' +ipoe_cnf = ipoe_cnf_dir + r'/ipoe.config' + +pidfile = r'/var/run/accel_ipoe.pid' +cmd_port = r'2002' + +chap_secrets = ipoe_cnf_dir + '/chap-secrets' +## accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p /var/run/accel_pppoe.pid + +ipoe_config = ''' +### generated by ipoe.py ### +[modules] +log_syslog +ipoe +shaper +ipv6pool +ipv6_nd +ipv6_dhcp +{% if auth['mech'] == 'radius' %} +radius +{% endif -%} +ippool +{% if auth['mech'] == 'local' %} +chap-secrets +{% endif %} + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-ipoe,daemon +copy=1 +level=5 + +[ipoe] +verbose=1 +{% for intfc in interfaces %} +{% if interfaces[intfc]['vlan_mon'] %} +interface=re:{{intfc}}\.\d+,\ +{% else %} +interface={{intfc}},\ +{% endif %} +shared={{interfaces[intfc]['shared']}},\ +mode={{interfaces[intfc]['mode']}},\ +ifcfg={{interfaces[intfc]['ifcfg']}},\ +range={{interfaces[intfc]['range']}},\ +start={{interfaces[intfc]['sess_start']}},\ +ipv6=1 +{% endfor %} +{% if auth['mech'] == 'noauth' %} +noauth=1 +{% endif %} +{% if auth['mech'] == 'local' %} +username=ifname +password=csid +{% endif %} + +{%- for intfc in interfaces %} +{% if (interfaces[intfc]['shared'] == '0') and (interfaces[intfc]['vlan_mon']) %} +vlan-mon={{intfc}},{{interfaces[intfc]['vlan_mon']|join(',')}} +{% endif %} +{% endfor %} + +{% if (dns['server1']) or (dns['server2']) %} +[dns] +{% if dns['server1'] %} +dns1={{dns['server1']}} +{% endif -%} +{% if dns['server2'] %} +dns2={{dns['server2']}} +{% endif -%} +{% endif -%} + +{% if (dnsv6['server1']) or (dnsv6['server2']) or (dnsv6['server3']) %} +[dnsv6] +dns={{dnsv6['server1']}} +dns={{dnsv6['server2']}} +dns={{dnsv6['server3']}} +{% endif %} + +[ipv6-nd] +verbose=1 + +[ipv6-dhcp] +verbose=1 + +{% if ipv6['prfx'] %} +[ipv6-pool] +{% for prfx in ipv6['prfx'] %} +{{prfx}} +{% endfor %} +{% for pd in ipv6['pd'] %} +delegate={{pd}} +{% endfor %} +{% endif %} + +{% if auth['mech'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/ipoe/chap-secrets +{% endif %} + +{% if auth['mech'] == 'radius' %} +[radius] +verbose=1 +{% for srv in auth['radius'] %} +server={{srv}},{{auth['radius'][srv]['secret']}},\ +req-limit={{auth['radius'][srv]['req-limit']}},\ +fail-time={{auth['radius'][srv]['fail-time']}} +{% endfor %} +{% if auth['radsettings']['dae-server']['ip-address'] %} +dae-server={{auth['radsettings']['dae-server']['ip-address']}}:\ +{{auth['radsettings']['dae-server']['port']}},\ +{{auth['radsettings']['dae-server']['secret']}} +{% endif -%} +{% if auth['radsettings']['acct-timeout'] %} +acct-timeout={{auth['radsettings']['acct-timeout']}} +{% endif -%} +{% if auth['radsettings']['max-try'] %} +max-try={{auth['radsettings']['max-try']}} +{% endif -%} +{% if auth['radsettings']['timeout'] %} +timeout={{auth['radsettings']['timeout']}} +{% endif -%} +{% if auth['radsettings']['nas-ip-address'] %} +nas-ip-address={{auth['radsettings']['nas-ip-address']}} +{% endif -%} +{% if auth['radsettings']['nas-identifier'] %} +nas-identifier={{auth['radsettings']['nas-identifier']}} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2002 +''' + +# chap secrets +chap_secrets_conf = ''' +# username server password acceptable local IP addresses shaper +{% for aifc in auth['auth_if'] %} +{% for mac in auth['auth_if'][aifc] %} +{% if (auth['auth_if'][aifc][mac]['up']) and (auth['auth_if'][aifc][mac]['down']) %} +{% if auth['auth_if'][aifc][mac]['vlan'] %} +{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} +{% else %} +{{aifc}}\t*\t{{mac.lower()}}\t*\t{{auth['auth_if'][aifc][mac]['down']}}/{{auth['auth_if'][aifc][mac]['up']}} +{% endif %} +{% else %} +{% if auth['auth_if'][aifc][mac]['vlan'] %} +{{aifc}}.{{auth['auth_if'][aifc][mac]['vlan']}}\t*\t{{mac.lower()}}\t* +{% else %} +{{aifc}}\t*\t{{mac.lower()}}\t* +{% endif %} +{% endif %} +{% endfor %} +{% endfor %} +''' + +if not os.path.exists(ipoe_cnf_dir): + os.makedirs(ipoe_cnf_dir) + sl.syslog(sl.LOG_NOTICE, ipoe_cnf_dir + " created") + + +def _get_cpu(): + cpu_cnt = 1 + if os.cpu_count() == 1: + cpu_cnt = 1 + else: + cpu_cnt = int(os.cpu_count()/2) + return cpu_cnt + + +def _chk_con(): + cnt = 0 + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + while True: + try: + s.connect(("127.0.0.1", int(cmd_port))) + break + except ConnectionRefusedError: + time.sleep(0.5) + cnt += 1 + if cnt == 100: + raise("failed to start pppoe server") + break + + +def _accel_cmd(cmd=''): + if not cmd: + return None + try: + ret = subprocess.check_output( + ['/usr/bin/accel-cmd', '-p', cmd_port, cmd]).decode().strip() + return ret + except: + return 1 + +# chap_secrets file if auth mode local + + +def _gen_chap_secrets(c): + + tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True) + chap_secrets_txt = tmpl.render(c) + old_umask = os.umask(0o077) + open(chap_secrets, 'w').write(chap_secrets_txt) + os.umask(old_umask) + sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written') + +##### Inline functions end #### + + +def get_config(): + c = Config() + if not c.exists(['service', 'ipoe-server']): + return None + + config_data = {} + + c.set_level(['service', 'ipoe-server']) + config_data['interfaces'] = {} + for intfc in c.list_nodes(['interface']): + config_data['interfaces'][intfc] = { + 'mode': 'L2', + 'shared': '1', + # may need a conifg option, can be dhcpv4 or up for unclassified pkts + 'sess_start': 'dhcpv4', + 'range': None, + 'ifcfg': '1', + 'vlan_mon': [] + } + config_data['dns'] = { + 'server1': None, + 'server2': None + } + config_data['dnsv6'] = { + 'server1': None, + 'server2': None, + 'server3': None + } + config_data['ipv6'] = { + 'prfx': [], + 'pd': [], + } + config_data['auth'] = { + 'auth_if': {}, + 'mech': 'noauth', + 'radius': {}, + 'radsettings': { + 'dae-server': {} + } + } + + if c.exists(['interface', intfc, 'network-mode']): + config_data['interfaces'][intfc]['mode'] = c.return_value( + ['interface', intfc, 'network-mode']) + if c.return_value(['interface', intfc, 'network']) == 'vlan': + config_data['interfaces'][intfc]['shared'] = '0' + if c.exists(['interface', intfc, 'vlan-id']): + config_data['interfaces'][intfc]['vlan_mon'] += c.return_values( + ['interface', intfc, 'vlan-id']) + if c.exists(['interface', intfc, 'vlan-range']): + config_data['interfaces'][intfc]['vlan_mon'] += c.return_values( + ['interface', intfc, 'vlan-range']) + if c.exists(['interface', intfc, 'client-subnet']): + config_data['interfaces'][intfc]['range'] = c.return_value( + ['interface', intfc, 'client-subnet']) + if c.exists(['dns-server', 'server-1']): + config_data['dns']['server1'] = c.return_value( + ['dns-server', 'server-1']) + if c.exists(['dns-server', 'server-2']): + config_data['dns']['server2'] = c.return_value( + ['dns-server', 'server-2']) + if c.exists(['dnsv6-server', 'server-1']): + config_data['dnsv6']['server1'] = c.return_value( + ['dnsv6-server', 'server-1']) + if c.exists(['dnsv6-server', 'server-2']): + config_data['dnsv6']['server2'] = c.return_value( + ['dnsv6-server', 'server-2']) + if c.exists(['dnsv6-server', 'server-3']): + config_data['dnsv6']['server3'] = c.return_value( + ['dnsv6-server', 'server-3']) + if not c.exists(['authentication', 'mode', 'noauth']): + config_data['auth']['mech'] = c.return_value( + ['authentication', 'mode']) + if c.exists(['authentication', 'mode', 'local']): + for auth_int in c.list_nodes(['authentication', 'interface']): + for mac in c.list_nodes(['authentication', 'interface', auth_int, 'mac-address']): + config_data['auth']['auth_if'][auth_int] = {} + if c.exists(['authentication', 'interface', auth_int, 'mac-address', mac, 'rate-limit']): + config_data['auth']['auth_if'][auth_int][mac] = {} + config_data['auth']['auth_if'][auth_int][mac]['up'] = c.return_value( + ['authentication', 'interface', auth_int, 'mac-address', mac, 'rate-limit upload']) + config_data['auth']['auth_if'][auth_int][mac]['down'] = c.return_value( + ['authentication', 'interface', auth_int, 'mac-address', 'mac', 'rate-limit download']) + else: + config_data['auth']['auth_if'][auth_int][mac] = {} + config_data['auth']['auth_if'][auth_int][mac]['up'] = None + config_data['auth']['auth_if'][auth_int][mac]['down'] = None + # client vlan-id + if c.exists(['authentication', 'interface', auth_int, 'mac-address', mac, 'vlan-id']): + config_data['auth']['auth_if'][auth_int][mac]['vlan'] = c.return_value( + ['authentication', 'interface', auth_int, 'mac-address', mac, 'vlan-id']) + if c.exists(['authentication', 'mode', 'radius']): + for rsrv in c.list_nodes(['authentication', 'radius-server']): + config_data['auth']['radius'][rsrv] = {} + if c.exists(['authentication', 'radius-server', rsrv, 'secret']): + config_data['auth']['radius'][rsrv]['secret'] = c.return_value( + ['authentication', 'radius-server', rsrv, 'secret']) + else: + config_data['auth']['radius'][rsrv]['secret'] = None + if c.exists(['authentication', 'radius-server', rsrv, 'fail-time']): + config_data['auth']['radius'][rsrv]['fail-time'] = c.return_value( + ['authentication', 'radius-server', rsrv, 'fail-time']) + else: + config_data['auth']['radius'][rsrv]['fail-time'] = '0' + if c.exists(['authentication', 'radius-server', rsrv, 'req-limit']): + config_data['auth']['radius'][rsrv]['req-limit'] = c.return_value( + ['authentication', 'radius-server', rsrv, 'req-limit']) + else: + config_data['auth']['radius'][rsrv]['req-limit'] = '0' + if c.exists(['authentication', 'radius-settings']): + if c.exists(['authentication', 'radius-settings', 'timeout']): + config_data['auth']['radsettings']['timeout'] = c.return_value( + ['authentication', 'radius-settings', 'timeout']) + if c.exists(['authentication', 'radius-settings', 'nas-ip-address']): + config_data['auth']['radsettings']['nas-ip-address'] = c.return_value( + ['authentication', 'radius-settings', 'nas-ip-address']) + if c.exists(['authentication', 'radius-settings', 'nas-identifier']): + config_data['auth']['radsettings']['nas-identifier'] = c.return_value( + ['authentication', 'radius-settings', 'nas-identifier']) + if c.exists(['authentication', 'radius-settings', 'max-try']): + config_data['auth']['radsettings']['max-try'] = c.return_value( + ['authentication', 'radius-settings', 'max-try']) + if c.exists(['authentication', 'radius-settings', 'acct-timeout']): + config_data['auth']['radsettings']['acct-timeout'] = c.return_value( + ['authentication', 'radius-settings', 'acct-timeout']) + if c.exists(['authentication', 'radius-settings', 'dae-server', 'ip-address']): + config_data['auth']['radsettings']['dae-server']['ip-address'] = c.return_value( + ['authentication', 'radius-settings', 'dae-server', 'ip-address']) + if c.exists(['authentication', 'radius-settings', 'dae-server', 'port']): + config_data['auth']['radsettings']['dae-server']['port'] = c.return_value( + ['authentication', 'radius-settings', 'dae-server', 'port']) + if c.exists(['authentication', 'radius-settings', 'dae-server', 'secret']): + config_data['auth']['radsettings']['dae-server']['secret'] = c.return_value( + ['authentication', 'radius-settings', 'dae-server', 'secret']) + + if c.exists(['client-ipv6-pool', 'prefix']): + config_data['ipv6']['prfx'] = c.return_values( + ['client-ipv6-pool', 'prefix']) + if c.exists(['client-ipv6-pool', 'delegate-prefix']): + config_data['ipv6']['pd'] = c.return_values( + ['client-ipv6-pool', 'delegate-prefix']) + + return config_data + + +def generate(c): + if c == None or not c: + return None + + c['thread_cnt'] = _get_cpu() + + if c['auth']['mech'] == 'local': + _gen_chap_secrets(c) + + tmpl = jinja2.Template(ipoe_config, trim_blocks=True) + config_text = tmpl.render(c) + open(ipoe_cnf, 'w').write(config_text) + return c + + +def verify(c): + if c == None or not c: + return None + + if not c['interfaces']: + raise ConfigError("service ipoe-server interface requires a value") + + for intfc in c['interfaces']: + if not c['interfaces'][intfc]['range']: + raise ConfigError("service ipoe-server interface " + + intfc + " client-subnet needs a value") + + if c['auth']['mech'] == 'radius': + if not c['auth']['radius']: + raise ConfigError( + "service ipoe-server authentication radius-server requires a value for authentication mode radius") + else: + for radsrv in c['auth']['radius']: + if not c['auth']['radius'][radsrv]['secret']: + raise ConfigError( + "service ipoe-server authentication radius-server " + radsrv + " secret requires a value") + + if c['auth']['radsettings']['dae-server']: + try: + if c['auth']['radsettings']['dae-server']['ip-address']: + pass + except: + raise ConfigError( + "service ipoe-server authentication radius-settings dae-server ip-address value required") + try: + if c['auth']['radsettings']['dae-server']['secret']: + pass + except: + raise ConfigError( + "service ipoe-server authentication radius-settings dae-server secret value required") + try: + if c['auth']['radsettings']['dae-server']['port']: + pass + except: + raise ConfigError( + "service ipoe-server authentication radius-settings dae-server port value required") + + if len(c['ipv6']['pd']) != 0 and len(c['ipv6']['prfx']) == 0: + raise ConfigError( + "service ipoe-server client-ipv6-pool prefix needs a value") + + return c + + +def apply(c): + if c == None: + if os.path.exists(pidfile): + _accel_cmd('shutdown hard') + if os.path.exists(pidfile): + os.remove(pidfile) + return None + + if not os.path.exists(pidfile): + ret = subprocess.call( + ['/usr/sbin/accel-pppd', '-c', ipoe_cnf, '-p', pidfile, '-d']) + _chk_con() + if ret != 0 and os.path.exists(pidfile): + os.remove(pidfile) + raise ConfigError('accel-pppd failed to start') + else: + _accel_cmd('restart') + sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") + + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + sys.exit(1) |