diff options
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-x | src/conf_mode/accel_pppoe.py | 300 | ||||
-rwxr-xr-x | src/conf_mode/ntp.py | 2 | ||||
-rwxr-xr-x | src/conf_mode/syslog.py | 20 |
3 files changed, 255 insertions, 67 deletions
diff --git a/src/conf_mode/accel_pppoe.py b/src/conf_mode/accel_pppoe.py index 4aea84c44..0ef22110f 100755 --- a/src/conf_mode/accel_pppoe.py +++ b/src/conf_mode/accel_pppoe.py @@ -45,15 +45,22 @@ pppoe_config = ''' log_syslog pppoe ippool +{% if client_ipv6_pool %} +ipv6pool +{% endif %} chap-secrets auth_pap auth_chap_md5 auth_mschap_v1 auth_mschap_v2 -pppd_compat -shaper +#pppd_compat +#shaper +{% if snmp == 'enable' or snmp == 'enable-ma' %} net-snmp +{% endif %} +{% if limits %} connlimit +{% endif %} {% if authentication['mode'] == 'radius' %} radius {% endif %} @@ -66,8 +73,10 @@ syslog=accel-pppoe,daemon copy=1 level=5 +{% if snmp == 'enable-ma' %} [snmp] master=1 +{% endif %} [client-ip-range] disable @@ -78,6 +87,16 @@ disable {% endif %} gw-ip-address={{ppp_gw}} +{% if client_ipv6_pool %} +[ipv6-pool] +{% for prfx in client_ipv6_pool['prefix']: %} +{{prfx}} +{% endfor %} +{% for prfx in client_ipv6_pool['delegate-prefix']: %} +delegate={{prfx}} +{% endfor %} +{% endif %} + {% if dns %} [dns] {% if dns[0] %} @@ -88,6 +107,13 @@ dns2={{dns[1]}} {% endif %} {% endif %} +{% if dnsv6 %} +[dnsv6] +{% for srv in dnsv6: %} +dns={{srv}} +{% endfor %} +{% endif %} + {% if wins %} [wins] {% if wins[0] %} @@ -106,27 +132,83 @@ chap-secrets=/etc/accel-ppp/pppoe/chap-secrets {% if authentication['mode'] == 'radius' %} [radius] {% for rsrv in authentication['radiussrv']: %} -server={{rsrv}},{{authentication['radiussrv'][rsrv]}} +server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ +req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ +fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} {% endfor %} -timeout=10 -acct-timeout=3 +{% if authentication['radiusopt']['timeout'] %} +timeout={{authentication['radiusopt']['timeout']}} +{% endif %} +{% if authentication['radiusopt']['acct-timeout'] %} +acct-timeout={{authentication['radiusopt']['acct-timeout']}} +{% endif %} +{% if authentication['radiusopt']['max-try'] %} +max-try={{authentication['radiusopt']['max-try']}} +{% endif %} +{% if authentication['radiusopt']['nas-id'] %} +nas-identifier={{authentication['radiusopt']['nas-id']}} +{% endif %} +{% if authentication['radiusopt']['nas-ip'] %} +nas-ip-address={{authentication['radiusopt']['nas-ip']}} +{% endif %} +{% if authentication['radiusopt']['dae-srv'] %} +dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ +{{authentication['radiusopt']['dae-srv']['port']}},\ +{{authentication['radiusopt']['dae-srv']['secret']}} +{% endif %} gw-ip-address={{ppp_gw}} verbose=1 {% endif %} [ppp] verbose=1 -min-mtu={{mtu}} -mtu={{mtu}} -mru=1400 -check-ip=1 -mppe=prefer -ipv4=require check-ip=1 single-session=replace +{% if ppp_options['ccp'] %} +ccp=1 +{% endif %} +{% if ppp_options['min-mtu'] %} +min-mtu={{ppp_options['min-mtu']}} +{% else %} +min-mtu={{mtu}} +{% endif %} +{% if ppp_options['mru'] %} +mru={{ppp_options['mru']}} +{% endif %} +{% if ppp_options['mppe'] %} +mppe={{ppp_options['mppe']}} +{% else %} mppe=prefer +{% endif %} +{% if ppp_options['lcp-echo-interval'] %} +lcp-echo-interval={{ppp_options['lcp-echo-interval']}} +{% else %} lcp-echo-interval=30 +{% endif %} +{% if ppp_options['lcp-echo-timeout'] %} +lcp-echo-timeout={{ppp_options['lcp-echo-timeout']}} +{% endif %} +{% if ppp_options['lcp-echo-failure'] %} +lcp-echo-failure={{ppp_options['lcp-echo-failure']}} +{% else %} lcp-echo-failure=3 +{% endif %} +{% if ppp_options['ipv4'] %} +ipv4={{ppp_options['ipv4']}} +{% endif %} +{% if ppp_options['ipv6'] %} +ipv6={{ppp_options['ipv6']}} +{% if ppp_options['ipv6-intf-id'] %} +ipv6-intf-id={{ppp_options['ipv6-intf-id']}} +{% endif %} +{% if ppp_options['ipv6-peer-intf-id'] %} +ipv6-peer-intf-id={{ppp_options['ipv6-peer-intf-id']}} +{% endif %} +{% if ppp_options['ipv6-accept-peer-intf-id'] %} +ipv6-accept-peer-intf-id={{ppp_options['ipv6-accept-peer-intf-id']}} +{% endif %} +{% endif %} +mtu={{mtu}} [pppoe] verbose=1 @@ -141,12 +223,15 @@ interface={{int}} {% if svc_name %} service-name={{svc_name}} {% endif %} +pado-delay=0 +# maybe: called-sid, tr101, padi-limit etc. - +{% if limits %} [connlimit] -limit=10/min -burst=3 -timeout=60 +limit={{limits['conn-limit']}} +burst={{limits['burst']}} +timeout={{limits['timeout']}} +{% endif %} [cli] tcp=127.0.0.1:2001 @@ -210,24 +295,30 @@ def get_config(): return None config_data = { - 'concentrator' : 'vyos-ac', - 'authentication' : { - 'local-users' : { + 'concentrator' : 'vyos-ac', + 'authentication' : { + 'local-users' : { }, - 'mode' : 'local', - 'radiussrv' : {} + 'mode' : 'local', + 'radiussrv' : {}, + 'radiusopt' : {} }, - 'client_ip_pool' : '', - 'interface' : [], - 'ppp_gw' : '', - 'svc_name' : '', - 'dns' : [], - 'wins' : [], - 'mtu' : '1492' + 'client_ip_pool' : '', + 'client_ipv6_pool' : {}, + 'interface' : [], + 'ppp_gw' : '', + 'svc_name' : '', + 'dns' : [], + 'dnsv6' : [], + 'wins' : [], + 'mtu' : '1492', + 'ppp_options' : {}, + 'limits' : {}, + 'snmp' : 'disable' } c.set_level('service pppoe-server') - + ### general options if c.exists('access-concentrator'): config_data['concentrator'] = c.return_value('access-concentrator') if c.exists('service-name'): @@ -241,6 +332,13 @@ def get_config(): config_data['dns'].append(c.return_value('dns-servers server-1')) if c.return_value('dns-servers server-2'): config_data['dns'].append(c.return_value('dns-servers server-2')) + if c.exists('dnsv6-servers'): + if c.return_value('dnsv6-servers server-1'): + config_data['dnsv6'].append(c.return_value('dnsv6-servers server-1')) + if c.return_value('dnsv6-servers server-2'): + config_data['dnsv6'].append(c.return_value('dnsv6-servers server-2')) + if c.return_value('dnsv6-servers server-3'): + config_data['dnsv6'].append(c.return_value('dnsv6-servers server-3')) if c.exists('wins-servers'): if c.return_value('wins-servers server-1'): config_data['wins'].append(c.return_value('wins-servers server-1')) @@ -253,42 +351,128 @@ def get_config(): config_data['client_ip_pool'] += '-' + re.search('[0-9]+$', c.return_value('client-ip-pool stop')).group(0) else: raise ConfigError('client ip pool stop required') + if c.exists('client-ipv6-pool prefix'): + config_data['client_ipv6_pool']['prefix'] = c.return_values('client-ipv6-pool prefix') + if c.exists('client-ipv6-pool delegate-prefix'): + config_data['client_ipv6_pool']['delegate-prefix'] = c.return_values('client-ipv6-pool delegate-prefix') + if c.exists('limits'): + if c.exists('limits burst'): + config_data['limits']['burst'] = str(c.return_value('limits burst')) + if c.exists('limits timeout'): + config_data['limits']['timeout'] = str(c.return_value('limits timeout')) + if c.exists('limits connection-limit'): + config_data['limits']['conn-limit'] = str(c.return_value('limits connection-limit')) + if c.exists('snmp'): + config_data['snmp'] = 'enable' + if c.exists('snmp master-agent'): + config_data['snmp'] = 'enable-ma' #### authentication mode local - if c.exists('authentication'): - if c.return_value('authentication mode') == 'local': - if c.exists('authentication local-users username'): - for usr in c.list_nodes('authentication local-users username'): - config_data['authentication']['local-users'].update( + + if c.exists('authentication mode local'): + if c.exists('authentication local-users username'): + for usr in c.list_nodes('authentication local-users username'): + config_data['authentication']['local-users'].update( + { + usr : { + 'passwd' : '', + 'state' : 'enabled', + 'ip' : '*' + } + } + ) + if c.exists('authentication local-users username ' + usr + ' password'): + config_data['authentication']['local-users'][usr]['passwd'] = c.return_value('authentication local-users username ' + usr + ' password') + if c.exists('authentication local-users username ' + usr + ' disable'): + config_data['authentication']['local-users'][usr]['state'] = 'disable' + if c.exists('authentication local-users username ' + usr + ' static-ip'): + config_data['authentication']['local-users'][usr]['ip'] = c.return_value('authentication local-users username ' + usr + ' static-ip') + + ### authentication mode radius servers and settings + + if c.exists('authentication mode radius'): + config_data['authentication']['mode'] = 'radius' + rsrvs = c.list_nodes('authentication radius-server') + for rsrv in rsrvs: + if c.return_value('authentication radius-server ' + rsrv + ' fail-time') == None: + ftime = '0' + else: + ftime = str(c.return_value('authentication radius-server ' + rsrv + ' fail-time')) + if c.return_value('authentication radius-server ' + rsrv + ' req-limit') == None: + reql = '0' + else: + reql = str(c.return_value('authentication radius-server ' + rsrv + ' req-limit')) + config_data['authentication']['radiussrv'].update( + { + rsrv : { + 'secret' : c.return_value('authentication radius-server ' + rsrv + ' secret'), + 'fail-time' : ftime, + 'req-limit' : reql + } + } + ) + + #### advanced radius-setting + if c.exists('authentication radius-settings'): + if c.exists('authentication radius-settings acct-timeout'): + config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value('authentication radius-settings acct-timeout') + if c.exists('authentication radius-settings max-try'): + config_data['authentication']['radiusopt']['max-try'] = c.return_value('authentication radius-settings max-try') + if c.exists('authentication radius-settings timeout'): + config_data['authentication']['radiusopt']['timeout'] = c.return_value('authentication radius-settings timeout') + if c.exists('authentication radius-settings nas-identifier'): + config_data['authentication']['radiusopt']['nas-id'] = c.return_value('authentication radius-settings nas-identifier') + if c.exists('authentication radius-settings nas-ip-address'): + config_data['authentication']['radiusopt']['nas-ip'] = c.return_value('authentication radius-settings nas-ip-address') + if c.exists('authentication radius-settings dae-server'): + config_data['authentication']['radiusopt'].update( { - usr : { - 'passwd' : '', - 'state' : 'enabled', - 'ip' : '*' + 'dae-srv' : { + 'ip-addr' : c.return_value('authentication radius-settings dae-server ip-address'), + 'port' : c.return_value('authentication radius-settings dae-server port'), + 'secret' : str(c.return_value('authentication radius-settings dae-server secret')) } } ) - if c.exists('authentication local-users username ' + usr + ' password'): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value('authentication local-users username ' + usr + ' password') - if c.exists('authentication local-users username ' + usr + ' disable'): - config_data['authentication']['local-users'][usr]['state'] = 'disable' - if c.exists('authentication local-users username ' + usr + ' static-ip'): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value('authentication local-users username ' + usr + ' static-ip') - - ### authentication mode radius - if c.return_value('authentication mode') == 'radius': - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes('authentication radius-server') - for rsrv in rsrvs: - config_data['authentication']['radiussrv'].update( - { - rsrv : str(c.return_value('authentication radius-server ' + rsrv + ' key')) - } - ) if c.exists('mtu'): config_data['mtu'] = c.return_value('mtu') + ### ppp_options + ppp_options = {} + if c.exists('ppp-options'): + if c.exists('ppp-options ccp'): + ppp_options['ccp'] = c.return_value('ppp-options ccp') + if c.exists('ppp-options min-mtu'): + ppp_options['min-mtu'] = c.return_value('ppp-options min-mtu') + if c.exists('ppp-options mru'): + ppp_options['mru'] = c.return_value('ppp-options mru') + if c.exists('ppp-options mppe deny'): + ppp_options['mppe'] = 'deny' + if c.exists('ppp-options mppe require'): + ppp_options['mppe'] = 'requre' + if c.exists('ppp-options mppe prefer'): + ppp_options['mppe'] = 'prefer' + if c.exists('ppp-options lcp-echo-failure'): + ppp_options['lcp-echo-failure'] = c.return_value('ppp-options lcp-echo-failure') + if c.exists('ppp-options lcp-echo-interval'): + ppp_options['lcp-echo-interval'] = c.return_value('ppp-options lcp-echo-interval') + if c.exists('ppp-options ipv4'): + ppp_options['ipv4'] = c.return_value('ppp-options ipv4') + if c.exists('ppp-options ipv6'): + ppp_options['ipv6'] = c.return_value('ppp-options ipv6') + if c.exists('ppp-options ipv6-accept-peer-intf-id'): + ppp_options['ipv6-accept-peer-intf-id']= 1 + if c.exists('ppp-options ipv6-intf-id'): + ppp_options['ipv6-intf-id'] = c.return_value('ppp-options ipv6-intf-id') + if c.exists('ppp-options ipv6-peer-intf-id'): + ppp_options['ipv6-peer-intf-id'] = c.return_value('ppp-options ipv6-peer-intf-id') + if c.exists('ppp-options lcp-echo-timeout'): + ppp_options['lcp-echo-timeout'] = c.return_value('ppp-options lcp-echo-timeout') + + if len(ppp_options) !=0: + config_data['ppp_options'] = ppp_options + return config_data def verify(c): @@ -305,6 +489,9 @@ def verify(c): if c['authentication']['mode'] == 'radius': if len(c['authentication']['radiussrv']) == 0: raise ConfigError('radius server required') + for rsrv in c['authentication']['radiussrv']: + if c['authentication']['radiussrv'][rsrv]['secret'] == None: + raise ConfigError('radius server ' + rsrv + ' needs a secret configured') def generate(c): if c == None: @@ -347,11 +534,6 @@ def apply(c): accel_cmd('restart') sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") - #if c['state'] == 'update': - # accel_cmd('restart') - # sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") - # ## check that config reload actually works - if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 0abb2746a..68a046939 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -108,8 +108,6 @@ def get_config(): "name": node, "options": [] } - if conf.exists('server {0} dynamic'.format(node)): - options.append('dynamic') if conf.exists('server {0} noselect'.format(node)): options.append('noselect') if conf.exists('server {0} preempt'.format(node)): diff --git a/src/conf_mode/syslog.py b/src/conf_mode/syslog.py index f652cf3d0..f8f8d9457 100755 --- a/src/conf_mode/syslog.py +++ b/src/conf_mode/syslog.py @@ -30,6 +30,12 @@ from vyos import ConfigError configs = ''' ## generated by syslog.py ## ## file based logging +{% if files['global']['marker'] %} +$ModLoad immark +{% if files['global']['marker-interval'] %} +$MarkMessagePeriod {{files['global']['marker-interval']}} +{% endif %} +{% endif %} {% for file in files %} $outchannel {{file}},{{files[file]['log-file']}},{{files[file]['max-size']}},{{files[file]['action-on-max-size']}} {{files[file]['selectors']}} :omfile:${{file}} @@ -80,10 +86,10 @@ def get_config(): c.set_level('system syslog') config_data = { - 'files' : {}, + 'files' : {}, 'console' : {}, - 'hosts' : {}, - 'user' : {} + 'hosts' : {}, + 'user' : {} } ##### @@ -102,13 +108,16 @@ def get_config(): } ) + if c.exists('global marker'): + config_data['files']['global']['marker'] = True + if c.exists('global marker interval'): + config_data['files']['global']['marker-interval'] = c.return_value('global marker interval') if c.exists('global facility'): config_data['files']['global']['selectors'] = generate_selectors(c, 'global facility') if c.exists('global archive size'): config_data['files']['global']['max-size'] = int(c.return_value('global archive size'))* 1024 if c.exists('global archive files'): config_data['files']['global']['max-files'] = c.return_value('global archive files') - ### # set system syslog file ### @@ -217,14 +226,12 @@ def generate_selectors(c, config_node): def generate(c): tmpl = jinja2.Template(configs, trim_blocks=True) config_text = tmpl.render(c) - #print (config_text) with open('/etc/rsyslog.d/vyos-rsyslog.conf', 'w') as f: f.write(config_text) ## eventually write for each file its own logrotate file, since size is defined it shouldn't matter tmpl = jinja2.Template(logrotate_configs, trim_blocks=True) config_text = tmpl.render(c) - #print (config_text) with open('/etc/logrotate.d/vyos-rsyslog', 'w') as f: f.write(config_text) @@ -247,6 +254,7 @@ def verify(c): fac = ['*','auth','authpriv','cron','daemon','kern','lpr','mail','mark','news','protocols','security',\ 'syslog','user','uucp','local0','local1','local2','local3','local4','local5','local6','local7'] lvl = ['emerg','alert','crit','err','warning','notice','info','debug','*'] + for conf in c: if c[conf]: for item in c[conf]: |