diff options
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 133 |
1 files changed, 63 insertions, 70 deletions
diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index fb7297928..8f493ddaf 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -63,6 +63,7 @@ default_config_data = { 'ip6_column': '', 'ip6_dp_column': '', 'ppp_options': {}, + 'thread_cnt': 1 } def chk_con(): @@ -96,27 +97,31 @@ def get_config(): return None c.set_level(base) - config_data = deepcopy(default_config_data) + l2tp = deepcopy(default_config_data) + + cpu = os.cpu_count() + if cpu > 1: + l2tp['thread_cnt'] = int(cpu/2) ### general options ### if c.exists(['name-server']): for name_server in c.return_values(['name-server']): if is_ipv4(name_server): - config_data['dnsv4'].append(name_server) + l2tp['dnsv4'].append(name_server) else: - config_data['dnsv6'].append(name_server) + l2tp['dnsv6'].append(name_server) if c.exists(['wins-server']): - config_data['wins'] = c.return_values(['wins-server']) + l2tp['wins'] = c.return_values(['wins-server']) if c.exists('outside-address'): - config_data['outside_addr'] = c.return_value('outside-address') + l2tp['outside_addr'] = c.return_value('outside-address') # auth local if c.exists('authentication mode local'): if c.exists('authentication local-users username'): for usr in c.list_nodes('authentication local-users username'): - config_data['authentication']['local-users'].update( + l2tp['authentication']['local-users'].update( { usr: { 'passwd': '', @@ -129,24 +134,24 @@ def get_config(): ) if c.exists('authentication local-users username ' + usr + ' password'): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( + l2tp['authentication']['local-users'][usr]['passwd'] = c.return_value( 'authentication local-users username ' + usr + ' password') if c.exists('authentication local-users username ' + usr + ' disable'): - config_data['authentication']['local-users'][usr]['state'] = 'disable' + l2tp['authentication']['local-users'][usr]['state'] = 'disable' if c.exists('authentication local-users username ' + usr + ' static-ip'): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( + l2tp['authentication']['local-users'][usr]['ip'] = c.return_value( 'authentication local-users username ' + usr + ' static-ip') if c.exists('authentication local-users username ' + usr + ' rate-limit download'): - config_data['authentication']['local-users'][usr]['download'] = c.return_value( + l2tp['authentication']['local-users'][usr]['download'] = c.return_value( 'authentication local-users username ' + usr + ' rate-limit download') if c.exists('authentication local-users username ' + usr + ' rate-limit upload'): - config_data['authentication']['local-users'][usr]['upload'] = c.return_value( + l2tp['authentication']['local-users'][usr]['upload'] = c.return_value( 'authentication local-users username ' + usr + ' rate-limit upload') # authentication mode radius servers and settings if c.exists('authentication mode radius'): - config_data['authentication']['mode'] = 'radius' + l2tp['authentication']['mode'] = 'radius' rsrvs = c.list_nodes('authentication radius server') for rsrv in rsrvs: if c.return_value('authentication radius server ' + rsrv + ' fail-time') == None: @@ -160,7 +165,7 @@ def get_config(): reql = str(c.return_value( 'authentication radius server ' + rsrv + ' req-limit')) - config_data['authentication']['radiussrv'].update( + l2tp['authentication']['radiussrv'].update( { rsrv: { 'secret': c.return_value('authentication radius server ' + rsrv + ' key'), @@ -171,21 +176,21 @@ def get_config(): ) # Source ip address feature if c.exists('authentication radius source-address'): - config_data['authentication']['radius_source_address'] = c.return_value( + l2tp['authentication']['radius_source_address'] = c.return_value( 'authentication radius source-address') # advanced radius-setting if c.exists('authentication radius acct-timeout'): - config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value( + l2tp['authentication']['radiusopt']['acct-timeout'] = c.return_value( 'authentication radius acct-timeout') if c.exists('authentication radius max-try'): - config_data['authentication']['radiusopt']['max-try'] = c.return_value( + l2tp['authentication']['radiusopt']['max-try'] = c.return_value( 'authentication radius max-try') if c.exists('authentication radius timeout'): - config_data['authentication']['radiusopt']['timeout'] = c.return_value( + l2tp['authentication']['radiusopt']['timeout'] = c.return_value( 'authentication radius timeout') if c.exists('authentication radius nas-identifier'): - config_data['authentication']['radiusopt']['nas-id'] = c.return_value( + l2tp['authentication']['radiusopt']['nas-id'] = c.return_value( 'authentication radius nas-identifier') if c.exists('authentication radius dae-server'): # Set default dae-server port if not defined @@ -194,7 +199,7 @@ def get_config(): 'authentication radius dae-server port') else: dae_server_port = "3799" - config_data['authentication']['radiusopt'].update( + l2tp['authentication']['radiusopt'].update( { 'dae-srv': { 'ip-addr': c.return_value('authentication radius dae-server ip-address'), @@ -207,75 +212,75 @@ def get_config(): # set here as default for visibility which may change in the future if c.exists('authentication radius rate-limit enable'): if not c.exists('authentication radius rate-limit attribute'): - config_data['authentication']['radiusopt']['shaper'] = { + l2tp['authentication']['radiusopt']['shaper'] = { 'attr': 'Filter-Id' } else: - config_data['authentication']['radiusopt']['shaper'] = { + l2tp['authentication']['radiusopt']['shaper'] = { 'attr': c.return_value('authentication radius rate-limit attribute') } if c.exists('authentication radius rate-limit vendor'): - config_data['authentication']['radiusopt']['shaper']['vendor'] = c.return_value( + l2tp['authentication']['radiusopt']['shaper']['vendor'] = c.return_value( 'authentication radius rate-limit vendor') if c.exists('client-ip-pool'): if c.exists('client-ip-pool start') and c.exists('client-ip-pool stop'): - config_data['client_ip_pool'] = c.return_value( + l2tp['client_ip_pool'] = c.return_value( 'client-ip-pool start') + '-' + re.search('[0-9]+$', c.return_value('client-ip-pool stop')).group(0) if c.exists('client-ip-pool subnet'): - config_data['client_ip_subnets'] = c.return_values( + l2tp['client_ip_subnets'] = c.return_values( 'client-ip-pool subnet') if c.exists('client-ipv6-pool prefix'): - config_data['client_ipv6_pool']['prefix'] = c.return_values( + l2tp['client_ipv6_pool']['prefix'] = c.return_values( 'client-ipv6-pool prefix') - config_data['ip6_column'] = 'ip6,' + l2tp['ip6_column'] = 'ip6,' if c.exists('client-ipv6-pool delegate-prefix'): - config_data['client_ipv6_pool']['delegate_prefix'] = c.return_values( + l2tp['client_ipv6_pool']['delegate_prefix'] = c.return_values( 'client-ipv6-pool delegate-prefix') - config_data['ip6_dp_column'] = 'ip6-dp,' + l2tp['ip6_dp_column'] = 'ip6-dp,' if c.exists('mtu'): - config_data['mtu'] = c.return_value('mtu') + l2tp['mtu'] = c.return_value('mtu') # gateway address if c.exists('gateway-address'): - config_data['gateway_address'] = c.return_value('gateway-address') + l2tp['gateway_address'] = c.return_value('gateway-address') else: # calculate gw-ip-address if c.exists('client-ip-pool start'): # use start ip as gw-ip-address - config_data['gateway_address'] = c.return_value( + l2tp['gateway_address'] = c.return_value( 'client-ip-pool start') elif c.exists('client-ip-pool subnet'): # use first ip address from first defined pool lst_ip = re.findall("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", c.return_values( 'client-ip-pool subnet')[0]) - config_data['gateway_address'] = lst_ip[0] + l2tp['gateway_address'] = lst_ip[0] if c.exists('authentication require'): auth_mods = {'pap': 'pap', 'chap': 'auth_chap_md5', 'mschap': 'auth_mschap_v1', 'mschap-v2': 'auth_mschap_v2'} for proto in c.return_values('authentication require'): - config_data['authentication']['auth_proto'].append( + l2tp['authentication']['auth_proto'].append( auth_mods[proto]) else: - config_data['authentication']['auth_proto'] = ['auth_mschap_v2'] + l2tp['authentication']['auth_proto'] = ['auth_mschap_v2'] if c.exists('authentication mppe'): - config_data['authentication']['mppe'] = c.return_value( + l2tp['authentication']['mppe'] = c.return_value( 'authentication mppe') if c.exists('idle'): - config_data['idle_timeout'] = c.return_value('idle') + l2tp['idle_timeout'] = c.return_value('idle') # LNS secret if c.exists('lns shared-secret'): - config_data['lns_shared_secret'] = c.return_value('lns shared-secret') + l2tp['lns_shared_secret'] = c.return_value('lns shared-secret') if c.exists('ccp-disable'): - config_data['ccp_disable'] = True + l2tp['ccp_disable'] = True # ppp_options ppp_options = {} @@ -288,53 +293,53 @@ def get_config(): 'ppp-options lcp-echo-interval') if len(ppp_options) != 0: - config_data['ppp_options'] = ppp_options + l2tp['ppp_options'] = ppp_options - return config_data + return l2tp -def verify(c): - if c == None: +def verify(l2tp): + if l2tp == None: return None - if c['authentication']['mode'] == 'local': - if not c['authentication']['local-users']: + if l2tp['authentication']['mode'] == 'local': + if not l2tp['authentication']['local-users']: raise ConfigError( 'l2tp-server authentication local-users required') - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]['passwd']: + for usr in l2tp['authentication']['local-users']: + if not l2tp['authentication']['local-users'][usr]['passwd']: raise ConfigError('user ' + usr + ' requires a password') - if c['authentication']['mode'] == 'radius': - if len(c['authentication']['radiussrv']) == 0: + if l2tp['authentication']['mode'] == 'radius': + if len(l2tp['authentication']['radiussrv']) == 0: raise ConfigError('radius server required') - for rsrv in c['authentication']['radiussrv']: - if c['authentication']['radiussrv'][rsrv]['secret'] == None: + for rsrv in l2tp['authentication']['radiussrv']: + if l2tp['authentication']['radiussrv'][rsrv]['secret'] == None: raise ConfigError('radius server ' + rsrv + ' needs a secret configured') # check for the existence of a client ip pool - if not c['client_ip_pool'] and not c['client_ip_subnets']: + if not l2tp['client_ip_pool'] and not l2tp['client_ip_subnets']: raise ConfigError( "set vpn l2tp remote-access client-ip-pool requires subnet or start/stop IP pool") # check ipv6 - if 'delegate_prefix' in c['client_ipv6_pool'] and not 'prefix' in c['client_ipv6_pool']: + if 'delegate_prefix' in l2tp['client_ipv6_pool'] and not 'prefix' in l2tp['client_ipv6_pool']: raise ConfigError( "\"set vpn l2tp remote-access client-ipv6-pool prefix\" required for delegate-prefix ") - if len(c['wins']) > 2: + if len(l2tp['wins']) > 2: raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') - if len(c['dnsv4']) > 2: + if len(l2tp['dnsv4']) > 2: raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') - if len(c['dnsv6']) > 3: + if len(l2tp['dnsv6']) > 3: raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') -def generate(c): - if c == None: +def generate(l2tp): + if l2tp == None: return None # Prepare Jinja2 template loader from files @@ -342,23 +347,11 @@ def generate(c): fs_loader = FileSystemLoader(tmpl_path) env = Environment(loader=fs_loader, trim_blocks=True) - # accel-cmd reload doesn't work so any change results in a restart of the daemon - try: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - except KeyError: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - tmpl = env.get_template('l2tp.config.tmpl') config_text = tmpl.render(c) open(l2tp_conf, 'w').write(config_text) - if c['authentication']['local-users']: + if l2tp['authentication']['local-users']: tmpl = env.get_template('chap-secrets.tmpl') chap_secrets_txt = tmpl.render(c) old_umask = os.umask(0o077) |