summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/vpn_l2tp.py133
1 files changed, 63 insertions, 70 deletions
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py
index fb7297928..8f493ddaf 100755
--- a/src/conf_mode/vpn_l2tp.py
+++ b/src/conf_mode/vpn_l2tp.py
@@ -63,6 +63,7 @@ default_config_data = {
'ip6_column': '',
'ip6_dp_column': '',
'ppp_options': {},
+ 'thread_cnt': 1
}
def chk_con():
@@ -96,27 +97,31 @@ def get_config():
return None
c.set_level(base)
- config_data = deepcopy(default_config_data)
+ l2tp = deepcopy(default_config_data)
+
+ cpu = os.cpu_count()
+ if cpu > 1:
+ l2tp['thread_cnt'] = int(cpu/2)
### general options ###
if c.exists(['name-server']):
for name_server in c.return_values(['name-server']):
if is_ipv4(name_server):
- config_data['dnsv4'].append(name_server)
+ l2tp['dnsv4'].append(name_server)
else:
- config_data['dnsv6'].append(name_server)
+ l2tp['dnsv6'].append(name_server)
if c.exists(['wins-server']):
- config_data['wins'] = c.return_values(['wins-server'])
+ l2tp['wins'] = c.return_values(['wins-server'])
if c.exists('outside-address'):
- config_data['outside_addr'] = c.return_value('outside-address')
+ l2tp['outside_addr'] = c.return_value('outside-address')
# auth local
if c.exists('authentication mode local'):
if c.exists('authentication local-users username'):
for usr in c.list_nodes('authentication local-users username'):
- config_data['authentication']['local-users'].update(
+ l2tp['authentication']['local-users'].update(
{
usr: {
'passwd': '',
@@ -129,24 +134,24 @@ def get_config():
)
if c.exists('authentication local-users username ' + usr + ' password'):
- config_data['authentication']['local-users'][usr]['passwd'] = c.return_value(
+ l2tp['authentication']['local-users'][usr]['passwd'] = c.return_value(
'authentication local-users username ' + usr + ' password')
if c.exists('authentication local-users username ' + usr + ' disable'):
- config_data['authentication']['local-users'][usr]['state'] = 'disable'
+ l2tp['authentication']['local-users'][usr]['state'] = 'disable'
if c.exists('authentication local-users username ' + usr + ' static-ip'):
- config_data['authentication']['local-users'][usr]['ip'] = c.return_value(
+ l2tp['authentication']['local-users'][usr]['ip'] = c.return_value(
'authentication local-users username ' + usr + ' static-ip')
if c.exists('authentication local-users username ' + usr + ' rate-limit download'):
- config_data['authentication']['local-users'][usr]['download'] = c.return_value(
+ l2tp['authentication']['local-users'][usr]['download'] = c.return_value(
'authentication local-users username ' + usr + ' rate-limit download')
if c.exists('authentication local-users username ' + usr + ' rate-limit upload'):
- config_data['authentication']['local-users'][usr]['upload'] = c.return_value(
+ l2tp['authentication']['local-users'][usr]['upload'] = c.return_value(
'authentication local-users username ' + usr + ' rate-limit upload')
# authentication mode radius servers and settings
if c.exists('authentication mode radius'):
- config_data['authentication']['mode'] = 'radius'
+ l2tp['authentication']['mode'] = 'radius'
rsrvs = c.list_nodes('authentication radius server')
for rsrv in rsrvs:
if c.return_value('authentication radius server ' + rsrv + ' fail-time') == None:
@@ -160,7 +165,7 @@ def get_config():
reql = str(c.return_value(
'authentication radius server ' + rsrv + ' req-limit'))
- config_data['authentication']['radiussrv'].update(
+ l2tp['authentication']['radiussrv'].update(
{
rsrv: {
'secret': c.return_value('authentication radius server ' + rsrv + ' key'),
@@ -171,21 +176,21 @@ def get_config():
)
# Source ip address feature
if c.exists('authentication radius source-address'):
- config_data['authentication']['radius_source_address'] = c.return_value(
+ l2tp['authentication']['radius_source_address'] = c.return_value(
'authentication radius source-address')
# advanced radius-setting
if c.exists('authentication radius acct-timeout'):
- config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value(
+ l2tp['authentication']['radiusopt']['acct-timeout'] = c.return_value(
'authentication radius acct-timeout')
if c.exists('authentication radius max-try'):
- config_data['authentication']['radiusopt']['max-try'] = c.return_value(
+ l2tp['authentication']['radiusopt']['max-try'] = c.return_value(
'authentication radius max-try')
if c.exists('authentication radius timeout'):
- config_data['authentication']['radiusopt']['timeout'] = c.return_value(
+ l2tp['authentication']['radiusopt']['timeout'] = c.return_value(
'authentication radius timeout')
if c.exists('authentication radius nas-identifier'):
- config_data['authentication']['radiusopt']['nas-id'] = c.return_value(
+ l2tp['authentication']['radiusopt']['nas-id'] = c.return_value(
'authentication radius nas-identifier')
if c.exists('authentication radius dae-server'):
# Set default dae-server port if not defined
@@ -194,7 +199,7 @@ def get_config():
'authentication radius dae-server port')
else:
dae_server_port = "3799"
- config_data['authentication']['radiusopt'].update(
+ l2tp['authentication']['radiusopt'].update(
{
'dae-srv': {
'ip-addr': c.return_value('authentication radius dae-server ip-address'),
@@ -207,75 +212,75 @@ def get_config():
# set here as default for visibility which may change in the future
if c.exists('authentication radius rate-limit enable'):
if not c.exists('authentication radius rate-limit attribute'):
- config_data['authentication']['radiusopt']['shaper'] = {
+ l2tp['authentication']['radiusopt']['shaper'] = {
'attr': 'Filter-Id'
}
else:
- config_data['authentication']['radiusopt']['shaper'] = {
+ l2tp['authentication']['radiusopt']['shaper'] = {
'attr': c.return_value('authentication radius rate-limit attribute')
}
if c.exists('authentication radius rate-limit vendor'):
- config_data['authentication']['radiusopt']['shaper']['vendor'] = c.return_value(
+ l2tp['authentication']['radiusopt']['shaper']['vendor'] = c.return_value(
'authentication radius rate-limit vendor')
if c.exists('client-ip-pool'):
if c.exists('client-ip-pool start') and c.exists('client-ip-pool stop'):
- config_data['client_ip_pool'] = c.return_value(
+ l2tp['client_ip_pool'] = c.return_value(
'client-ip-pool start') + '-' + re.search('[0-9]+$', c.return_value('client-ip-pool stop')).group(0)
if c.exists('client-ip-pool subnet'):
- config_data['client_ip_subnets'] = c.return_values(
+ l2tp['client_ip_subnets'] = c.return_values(
'client-ip-pool subnet')
if c.exists('client-ipv6-pool prefix'):
- config_data['client_ipv6_pool']['prefix'] = c.return_values(
+ l2tp['client_ipv6_pool']['prefix'] = c.return_values(
'client-ipv6-pool prefix')
- config_data['ip6_column'] = 'ip6,'
+ l2tp['ip6_column'] = 'ip6,'
if c.exists('client-ipv6-pool delegate-prefix'):
- config_data['client_ipv6_pool']['delegate_prefix'] = c.return_values(
+ l2tp['client_ipv6_pool']['delegate_prefix'] = c.return_values(
'client-ipv6-pool delegate-prefix')
- config_data['ip6_dp_column'] = 'ip6-dp,'
+ l2tp['ip6_dp_column'] = 'ip6-dp,'
if c.exists('mtu'):
- config_data['mtu'] = c.return_value('mtu')
+ l2tp['mtu'] = c.return_value('mtu')
# gateway address
if c.exists('gateway-address'):
- config_data['gateway_address'] = c.return_value('gateway-address')
+ l2tp['gateway_address'] = c.return_value('gateway-address')
else:
# calculate gw-ip-address
if c.exists('client-ip-pool start'):
# use start ip as gw-ip-address
- config_data['gateway_address'] = c.return_value(
+ l2tp['gateway_address'] = c.return_value(
'client-ip-pool start')
elif c.exists('client-ip-pool subnet'):
# use first ip address from first defined pool
lst_ip = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", c.return_values(
'client-ip-pool subnet')[0])
- config_data['gateway_address'] = lst_ip[0]
+ l2tp['gateway_address'] = lst_ip[0]
if c.exists('authentication require'):
auth_mods = {'pap': 'pap', 'chap': 'auth_chap_md5',
'mschap': 'auth_mschap_v1', 'mschap-v2': 'auth_mschap_v2'}
for proto in c.return_values('authentication require'):
- config_data['authentication']['auth_proto'].append(
+ l2tp['authentication']['auth_proto'].append(
auth_mods[proto])
else:
- config_data['authentication']['auth_proto'] = ['auth_mschap_v2']
+ l2tp['authentication']['auth_proto'] = ['auth_mschap_v2']
if c.exists('authentication mppe'):
- config_data['authentication']['mppe'] = c.return_value(
+ l2tp['authentication']['mppe'] = c.return_value(
'authentication mppe')
if c.exists('idle'):
- config_data['idle_timeout'] = c.return_value('idle')
+ l2tp['idle_timeout'] = c.return_value('idle')
# LNS secret
if c.exists('lns shared-secret'):
- config_data['lns_shared_secret'] = c.return_value('lns shared-secret')
+ l2tp['lns_shared_secret'] = c.return_value('lns shared-secret')
if c.exists('ccp-disable'):
- config_data['ccp_disable'] = True
+ l2tp['ccp_disable'] = True
# ppp_options
ppp_options = {}
@@ -288,53 +293,53 @@ def get_config():
'ppp-options lcp-echo-interval')
if len(ppp_options) != 0:
- config_data['ppp_options'] = ppp_options
+ l2tp['ppp_options'] = ppp_options
- return config_data
+ return l2tp
-def verify(c):
- if c == None:
+def verify(l2tp):
+ if l2tp == None:
return None
- if c['authentication']['mode'] == 'local':
- if not c['authentication']['local-users']:
+ if l2tp['authentication']['mode'] == 'local':
+ if not l2tp['authentication']['local-users']:
raise ConfigError(
'l2tp-server authentication local-users required')
- for usr in c['authentication']['local-users']:
- if not c['authentication']['local-users'][usr]['passwd']:
+ for usr in l2tp['authentication']['local-users']:
+ if not l2tp['authentication']['local-users'][usr]['passwd']:
raise ConfigError('user ' + usr + ' requires a password')
- if c['authentication']['mode'] == 'radius':
- if len(c['authentication']['radiussrv']) == 0:
+ if l2tp['authentication']['mode'] == 'radius':
+ if len(l2tp['authentication']['radiussrv']) == 0:
raise ConfigError('radius server required')
- for rsrv in c['authentication']['radiussrv']:
- if c['authentication']['radiussrv'][rsrv]['secret'] == None:
+ for rsrv in l2tp['authentication']['radiussrv']:
+ if l2tp['authentication']['radiussrv'][rsrv]['secret'] == None:
raise ConfigError('radius server ' + rsrv +
' needs a secret configured')
# check for the existence of a client ip pool
- if not c['client_ip_pool'] and not c['client_ip_subnets']:
+ if not l2tp['client_ip_pool'] and not l2tp['client_ip_subnets']:
raise ConfigError(
"set vpn l2tp remote-access client-ip-pool requires subnet or start/stop IP pool")
# check ipv6
- if 'delegate_prefix' in c['client_ipv6_pool'] and not 'prefix' in c['client_ipv6_pool']:
+ if 'delegate_prefix' in l2tp['client_ipv6_pool'] and not 'prefix' in l2tp['client_ipv6_pool']:
raise ConfigError(
"\"set vpn l2tp remote-access client-ipv6-pool prefix\" required for delegate-prefix ")
- if len(c['wins']) > 2:
+ if len(l2tp['wins']) > 2:
raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
- if len(c['dnsv4']) > 2:
+ if len(l2tp['dnsv4']) > 2:
raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
- if len(c['dnsv6']) > 3:
+ if len(l2tp['dnsv6']) > 3:
raise ConfigError('Not more then three IPv6 DNS name-servers can be configured')
-def generate(c):
- if c == None:
+def generate(l2tp):
+ if l2tp == None:
return None
# Prepare Jinja2 template loader from files
@@ -342,23 +347,11 @@ def generate(c):
fs_loader = FileSystemLoader(tmpl_path)
env = Environment(loader=fs_loader, trim_blocks=True)
- # accel-cmd reload doesn't work so any change results in a restart of the daemon
- try:
- if os.cpu_count() == 1:
- c['thread_cnt'] = 1
- else:
- c['thread_cnt'] = int(os.cpu_count()/2)
- except KeyError:
- if os.cpu_count() == 1:
- c['thread_cnt'] = 1
- else:
- c['thread_cnt'] = int(os.cpu_count()/2)
-
tmpl = env.get_template('l2tp.config.tmpl')
config_text = tmpl.render(c)
open(l2tp_conf, 'w').write(config_text)
- if c['authentication']['local-users']:
+ if l2tp['authentication']['local-users']:
tmpl = env.get_template('chap-secrets.tmpl')
chap_secrets_txt = tmpl.render(c)
old_umask = os.umask(0o077)