From 1795ae2c8aa67ef5d0efec50d31c1ad1917841b2 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 17 Apr 2020 22:15:21 +0200 Subject: pppoe-server: T2185: migrate from SysVinit to systemd --- src/conf_mode/service-pppoe.py | 66 +++++++++--------------------------------- 1 file changed, 14 insertions(+), 52 deletions(-) (limited to 'src') diff --git a/src/conf_mode/service-pppoe.py b/src/conf_mode/service-pppoe.py index a96249199..aee4ee61b 100755 --- a/src/conf_mode/service-pppoe.py +++ b/src/conf_mode/service-pppoe.py @@ -17,49 +17,15 @@ import os import re -from socket import socket, AF_INET, SOCK_STREAM from sys import exit -from time import sleep from vyos.config import Config from vyos import ConfigError -from vyos.util import run +from vyos.util import call from vyos.template import render - -pidfile = r'/var/run/accel_pppoe.pid' -pppoe_cnf_dir = r'/etc/accel-ppp/pppoe' -chap_secrets = pppoe_cnf_dir + '/chap-secrets' -pppoe_conf = pppoe_cnf_dir + '/pppoe.config' -# accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p -# /var/run/accel_pppoe.pid - -# config path creation -if not os.path.exists(pppoe_cnf_dir): - os.makedirs(pppoe_cnf_dir) - -# -# depending on hw and threads, daemon needs a little to start -# if it takes longer than 100 * 0.5 secs, exception is being raised -# not sure if that's the best way to check it, but it worked so far quite well -# -def _chk_con(): - cnt = 0 - s = socket(AF_INET, SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", 2001)) - break - except ConnectionRefusedError: - sleep(0.5) - cnt += 1 - if cnt == 100: - raise("failed to start pppoe server") - - -def _accel_cmd(command): - return run(f'/usr/bin/accel-cmd {command}') - +chap_secrets = r'/run/accel-pppd/chap-secrets' +pppoe_conf = r'/run/accel-pppd/pppoe.conf' def get_config(): c = Config() @@ -373,9 +339,13 @@ def verify(c): def generate(c): - if c == None: + if not c: return None + dirname = os.path.dirname(pppoe_conf) + if not os.path.exists(dirname): + os.mkdir(dirname) + # accel-cmd reload doesn't work so any change results in a restart of the # daemon try: @@ -400,22 +370,14 @@ def generate(c): def apply(c): - if c == None: - if os.path.exists(pidfile): - _accel_cmd('shutdown hard') - if os.path.exists(pidfile): - os.remove(pidfile) - return None + if not c: + call('systemctl stop accel-ppp@pppoe.service') + if os.path.exists(pppoe_conf): + os.unlink(pppoe_conf) - if not os.path.exists(pidfile): - ret = run(f'/usr/sbin/accel-pppd -c {pppoe_conf} -p {pidfile} -d') - _chk_con() - if ret != 0 and os.path.exists(pidfile): - os.remove(pidfile) - raise ConfigError('accel-pppd failed to start') - else: - _accel_cmd('restart') + return None + call('systemctl restart accel-ppp@pppoe.service') if __name__ == '__main__': try: -- cgit v1.2.3 From deed0ceac983359c3c9d27e584dd3ec8e2e18156 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 11:43:22 +0200 Subject: pppoe-server: T2314: remove boilerplate code and adjust --- data/templates/pppoe-server/chap-secrets.tmpl | 10 +- data/templates/pppoe-server/pppoe.config.tmpl | 175 +++--- interface-definitions/service-pppoe.xml.in | 671 ---------------------- interface-definitions/service_pppoe-server.xml.in | 671 ++++++++++++++++++++++ src/conf_mode/service-pppoe.py | 390 ------------- src/conf_mode/service_pppoe-server.py | 427 ++++++++++++++ 6 files changed, 1178 insertions(+), 1166 deletions(-) delete mode 100644 interface-definitions/service-pppoe.xml.in create mode 100644 interface-definitions/service_pppoe-server.xml.in delete mode 100755 src/conf_mode/service-pppoe.py create mode 100755 src/conf_mode/service_pppoe-server.py (limited to 'src') diff --git a/data/templates/pppoe-server/chap-secrets.tmpl b/data/templates/pppoe-server/chap-secrets.tmpl index 907ac6ed7..dd00d7bd0 100644 --- a/data/templates/pppoe-server/chap-secrets.tmpl +++ b/data/templates/pppoe-server/chap-secrets.tmpl @@ -1,10 +1,10 @@ # username server password acceptable local IP addresses shaper -{% for user in authentication['local-users'] %} -{% if authentication['local-users'][user]['state'] == 'enabled' %} -{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %} -{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }} {{ authentication['local-users'][user]['download'] }} / {{ authentication['local-users'][user]['upload'] }} +{% for user in local_users %} +{% if user.state == 'enabled' %} +{% if user.upload and user.download %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} {% else %} -{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {% endif %} {% endif %} {% endfor %} diff --git a/data/templates/pppoe-server/pppoe.config.tmpl b/data/templates/pppoe-server/pppoe.config.tmpl index d44c0aa93..f7c639f62 100644 --- a/data/templates/pppoe-server/pppoe.config.tmpl +++ b/data/templates/pppoe-server/pppoe.config.tmpl @@ -3,11 +3,11 @@ [modules] log_syslog pppoe -{% if authentication['mode'] == 'radius' %} +{% if auth_mode == 'radius' %} radius {% endif %} ippool -{% if ppp_options['ipv6'] != 'deny' %} +{% if ppp_ipv6 != 'deny' %} ipv6pool ipv6_nd ipv6_dhcp @@ -17,9 +17,8 @@ auth_pap auth_chap_md5 auth_mschap_v1 auth_mschap_v2 -#pppd_compat shaper -{% if snmp == 'enable' or snmp == 'enable-ma' %} +{% if snmp %} net-snmp {% endif %} {% if limits %} @@ -27,7 +26,7 @@ connlimit {% endif %} [core] -thread-count={{thread_cnt}} +thread-count={{ thread_cnt }} [log] syslog=accel-pppoe,daemon @@ -37,32 +36,31 @@ level=5 {% if snmp == 'enable-ma' %} [snmp] master=1 -{% endif -%} +{% endif %} [client-ip-range] disable {% if ppp_gw %} [ip-pool] -gw-ip-address={{ppp_gw}} +gw-ip-address={{ ppp_gw }} {% if client_ip_pool %} -{{client_ip_pool}} +{{ client_ip_pool }} {% endif -%} - {% if client_ip_subnets %} -{% for sn in client_ip_subnets %} -{{sn}} +{% for subnet in client_ip_subnets %} +{{ subnet }} {% endfor %} {% endif %} -{% endif -%} +{% endif %} {% if client_ipv6_pool %} [ipv6-pool] -{% for prfx in client_ipv6_pool['prefix']: %} -{{prfx}} +{% for prefix in client_ipv6_pool['prefix']: %} +{{ prefix }} {% endfor %} -{% for prfx in client_ipv6_pool['delegate-prefix']: %} -delegate={{prfx}} +{% for prefix in client_ipv6_pool['delegate-prefix']: %} +delegate={{ prefix }} {% endfor %} {% endif %} @@ -93,47 +91,39 @@ wins2={{wins[1]}} {% endif -%} {% endif -%} -{% if authentication['mode'] == 'local' %} +{% if auth_mode == 'local' %} [chap-secrets] -chap-secrets=/etc/accel-ppp/pppoe/chap-secrets -{% endif -%} - -{% if authentication['mode'] == 'radius' %} +chap-secrets={{ chap_secrets_file }} +{% elif auth_mode == 'radius' %} [radius] -{% for rsrv in authentication['radiussrv']: %} -server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ -req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ -fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} -{% endfor %} -{% if authentication['radiusopt']['timeout'] %} -timeout={{authentication['radiusopt']['timeout']}} -{% endif %} -{% if authentication['radiusopt']['acct-timeout'] %} -acct-timeout={{authentication['radiusopt']['acct-timeout']}} -{% endif %} -{% if authentication['radiusopt']['max-try'] %} -max-try={{authentication['radiusopt']['max-try']}} -{% endif %} -{% if authentication['radiusopt']['nas-id'] %} -nas-identifier={{authentication['radiusopt']['nas-id']}} -{% endif %} -{% if authentication['radiusopt']['nas-ip'] %} -nas-ip-address={{authentication['radiusopt']['nas-ip']}} +verbose=1 +{% for r in radius_server %} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} +{% endfor -%} + +acct-timeout={{ radius_acct_tmo }} +timeout={{ radius_timeout }} +max-try={{ radius_max_try }} +{% if radius_nas_id %} +nas-identifier={{ radius_nas_id }} {% endif -%} -{% if authentication['radiusopt']['dae-srv'] %} -dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ -{{authentication['radiusopt']['dae-srv']['port']}},\ -{{authentication['radiusopt']['dae-srv']['secret']}} +{% if radius_nas_ip %} +nas-ip-address={{ radius_nas_ip }} +{% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + +{% if radius_dynamic_author %} +dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} {% endif -%} -gw-ip-address={{ppp_gw}} -verbose=1 -{% if authentication['radiusopt']['shaper'] %} +{% if radius_shaper_attr %} [shaper] verbose=1 -attr={{authentication['radiusopt']['shaper']['attr']}} -{% if authentication['radiusopt']['shaper']['vendor'] %} -vendor={{authentication['radiusopt']['shaper']['vendor']}} +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} {% endif -%} {% endif -%} {% endif %} @@ -144,84 +134,69 @@ check-ip=1 {% if not sesscrtl == 'disable' %} single-session={{sesscrtl}} {% endif -%} -{% if ppp_options['ccp'] %} +{% if ppp_ccp %} ccp=1 {% endif %} -{% if ppp_options['min-mtu'] %} -min-mtu={{ppp_options['min-mtu']}} -{% else %} -min-mtu={{mtu}} -{% endif %} -{% if ppp_options['mru'] %} -mru={{ppp_options['mru']}} -{% endif %} -{% if ppp_options['mppe'] %} -mppe={{ppp_options['mppe']}} +{% if ppp_min_mtu %} +min-mtu={{ ppp_min_mtu }} {% else %} -mppe=prefer +min-mtu={{ mtu }} {% endif %} -{% if ppp_options['lcp-echo-interval'] %} -lcp-echo-interval={{ppp_options['lcp-echo-interval']}} -{% else %} -lcp-echo-interval=30 -{% endif %} -{% if ppp_options['lcp-echo-timeout'] %} -lcp-echo-timeout={{ppp_options['lcp-echo-timeout']}} -{% endif %} -{% if ppp_options['lcp-echo-failure'] %} -lcp-echo-failure={{ppp_options['lcp-echo-failure']}} -{% else %} -lcp-echo-failure=3 +{% if ppp_mru %} +mru={{ ppp_mru }} {% endif %} -{% if ppp_options['ipv4'] %} -ipv4={{ppp_options['ipv4']}} +mppe={{ ppp_mppe }} +lcp-echo-interval={{ ppp_echo_interval }} +lcp-echo-timeout={{ ppp_echo_timeout }} +lcp-echo-failure={{ ppp_echo_failure }} +{% if ppp_ipv4 %} +ipv4={{ ppp_ipv4 }} {% endif %} {% if client_ipv6_pool %} ipv6=allow {% endif %} -{% if ppp_options['ipv6'] %} -ipv6={{ppp_options['ipv6']}} -{% if ppp_options['ipv6-intf-id'] %} -ipv6-intf-id={{ppp_options['ipv6-intf-id']}} +{% if ppp_ipv6 %} +ipv6={{ ppp_ipv6 }} +{% if ppp_ipv6_intf_id %} +ipv6-intf-id={{ ppp_ipv6_intf_id }} {% endif %} -{% if ppp_options['ipv6-peer-intf-id'] %} -ipv6-peer-intf-id={{ppp_options['ipv6-peer-intf-id']}} +{% if ppp_ipv6_peer_intf_id %} +ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} {% endif %} -{% if ppp_options['ipv6-accept-peer-intf-id'] %} -ipv6-accept-peer-intf-id={{ppp_options['ipv6-accept-peer-intf-id']}} +{% if ppp_ipv6_accept_peer_intf_id %} +ipv6-accept-peer-intf-id={{ ppp_ipv6_accept_peer_intf_id }} {% endif %} {% endif %} -mtu={{mtu}} +mtu={{ mtu }} [pppoe] verbose=1 -{% if concentrator %} -ac-name={{concentrator}} -{% endif %} -{% if interface %} -{% for int in interface %} -interface={{int}} -{% if interface[int]['vlans'] %} -vlan-mon={{int}},{{interface[int]['vlans']|join(',')}} -interface=re:{{int}}\.\d+ +ac-name={{ concentrator }} + +{% if interfaces %} +{% for interface in interfaces %} +interface={{ interface.name }} +{% if interface.vlans %} +vlan-mon={{ interface.name }},{{ interface.vlans | join(',') }} +interface=re:{{ interface.name }}\.\d+ {% endif %} {% endfor -%} {% endif -%} {% if svc_name %} -service-name={{svc_name|join(',')}} +service-name={{ svc_name|join(',') }} {% endif -%} {% if pado_delay %} -pado-delay={{pado_delay}} +pado-delay={{ pado_delay }} {% endif %} -{% if limits %} +{% if limits_burst or limits_connections or limits_connections %} [connlimit] -limit={{limits['conn-limit']}} -burst={{limits['burst']}} -timeout={{limits['timeout']}} +limit={{ limits_connections }} +burst={{ limits_burst }} +timeout={{ limits_timeout }} {% endif %} [cli] diff --git a/interface-definitions/service-pppoe.xml.in b/interface-definitions/service-pppoe.xml.in deleted file mode 100644 index b4950ede1..000000000 --- a/interface-definitions/service-pppoe.xml.in +++ /dev/null @@ -1,671 +0,0 @@ - - - - - - - Point to Point over Ethernet (PPPoE) Server - 900 - - - - - Enable SNMP - - - - - enable SNMP master agent mode - - - - - - - - Access concentrator name - - [a-zA-Z0-9]{1,100} - - access-concentrator name limited to alphanumerical characters only (max. 100) - - - - - control sessions count - - (deny|disable) - - Invalid value - - disable - Disables session control - - - deny - Deny second session authorization - - - deny disable - - - - - - Authentication for remote access PPPoE Server - - - - - Local user authentication for PPPoE server - - - - - User name for authentication - - - - - Option to disable a PPPoE Server user - - - - - Password for authentication - - - - - Static client IP address - - - - - Upload/Download speed limits - - - - - Upload bandwidth limit in kbits/sec - - - - - - - - Download bandwidth limit in kbits/sec - - - - - - - - - - - - - - Authentication mode for PPPoE Server - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - IP address of RADIUS server - - ipv4 - IP address of RADIUS server - - - - - - Key for accessing the specified server - - - - - Maximum number of simultaneous requests to server (default: unlimited) - - - - - If server does not responds mark it as unavailable for this amount of time in seconds - - - - - - - RADIUS settings - - - - - Timeout to wait response from server (seconds) - - - - - Timeout to wait reply for Interim-Update packets. (default 3 seconds) - - - - - Maximum number of tries to send Access-Request/Accounting-Request queries - - - - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. - - - - - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. - - - - - IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) - - - - - IP address for Dynamic Authorization Extension server (DM/CoA) - - - - - Port for Dynamic Authorization Extension server (DM/CoA) - - - - - Secret for Dynamic Authorization Extension server (DM/CoA) - - - - - - - Upload/Download speed limits - - - - - Specifies which radius attribute contains rate information. (default is Filter-Id) - - - - - Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius) - - - - - Enables Bandwidth shaping via RADIUS - - - - - - - - - - - - Pool of client IP addresses (must be within a /24) - - - - - First IP address in the pool - - - - - - - - Last IP address in the pool - - - - - - - - Client IP subnet (CIDR notation) - - - - Not a valid CIDR formatted prefix - - - - - - - - Pool of client IPv6 addresses - - - - - Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients) - - - - - - Format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633) - - - - - - - - IPv4 Domain Name Service (DNS) server - - - - - Primary DNS server - - ipv4 - IPv4 address - - - - - - - - - Secondary DNS server - - ipv4 - IPv4 address - - - - - - - - - - - IPv6 Domain Name Service (DNS) server - - - - - - ipv6 - IPv6 address - - Primary DNS server - - - - - - - - - ipv6 - IPv6 address - - Secondary DNS server - - - - - - - - - ipv6 - IPv6 address - - Tertiary DNS server - - - - - - - - - - - interface(s) to listen on - - - - - - - - VLAN monitor for the automatic creation of vlans (user per vlan) - - - - VLAN ID needs to be between 1 and 4096 - - - - - - VLAN monitor for the automatic creation of vlans (user per vlan) - - (409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2}) - - - - - - - - - local gateway address - - - - - - - - Maximum Transmission Unit (MTU) - default 1492 - - - - - - - - Limits the connection rate from a single source - - - - - Acceptable rate of connections (e.g. 1/min, 60/sec) - - [0-9]+\/(min|sec)$ - - illegal value - - - - - Burst count - - - - - Timeout in seconds - - - - - - - Service name - - [a-zA-Z0-9\-]{1,100} - - servicename can contain aplhanumerical characters and dashes only (max. 100) - - - - - - Windows Internet Name Service (WINS) server settings - - - - - Primary WINS server - - - - - - - - Secondary WINS server - - - - - - - - - - Advanced protocol options - - - - - Minimum acceptable MTU (68-65535) - - - - - - - - Preferred MRU (68-65535) - - - - - - - - CCP negotiation (default disabled) - - - - - - Specifies MPPE negotiation preference. (default prefer mppe) - - - - - Ask client for MPPE, if it rejects then drop the connection - - - - - - Ask client for MPPE, if it rejects do not fail - - - - - - Deny MPPE - - - - - - - - LCP echo-requests/sec - - - - - - - - Maximum number of Echo-Requests may be sent without valid reply - - - - - - - - Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. - - - - - - - - IPv4 (IPCP) negotiation algorithm - - (deny|allow|prefer|require) - - invalid value - - deny - Do not negotiate IPv4 - - - allow - Negotiate IPv4 only if client requests - - - prefer - Ask client for IPv4 negotiation, do not fail if it rejects - - - require - Require IPv4 negotiation - - - deny allow prefer require - - - - - - IPv6 (IPCP6) negotiation algorithm - - (deny|allow|prefer|require) - - invalid value - - deny - Do not negotiate IPv6 - - - allow - Negotiate IPv6 only if client requests - - - prefer - Ask client for IPv6 negotiation, do not fail if it rejects - - - require - Require IPv6 negotiation - - - deny allow prefer require - - - - - - Fixed or random interface identifier for IPv6 - - random - Random interface identifier for IPv6 - - - x:x:x:x - specify interface identifier for IPv6 - - - - - - Peer interface identifier for IPv6 - - x:x:x:x - Interface identifier for IPv6 - - - random - Use a random interface identifier for IPv6 - - - ipv4 - Calculate interface identifier from IPv4 address, for example 192:168:0:1 - - - calling-sid - Calculate interface identifier from calling-station-id - - - - - - Accept peer interface identifier - - - - - - - - PADO delays - - 1-999999 - Number in ms - - - - - Invalid PADO delay - - - - - Number of sessions - - 1-999999 - Number of sessions - - - - - Invalid number of delayed sessions - - - - - - - - - diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in new file mode 100644 index 000000000..39f4093a7 --- /dev/null +++ b/interface-definitions/service_pppoe-server.xml.in @@ -0,0 +1,671 @@ + + + + + + + Point to Point over Ethernet (PPPoE) Server + 900 + + + + + Enable SNMP + + + + + enable SNMP master agent mode + + + + + + + + Access concentrator name + + [a-zA-Z0-9]{1,100} + + access-concentrator name limited to alphanumerical characters only (max. 100) + + + + + control sessions count + + (deny|disable) + + Invalid value + + disable + Disables session control + + + deny + Deny second session authorization + + + deny disable + + + + + + Authentication for remote access PPPoE Server + + + + + Local user authentication for PPPoE server + + + + + User name for authentication + + + + + Option to disable a PPPoE Server user + + + + + Password for authentication + + + + + Static client IP address + + + + + Upload/Download speed limits + + + + + Upload bandwidth limit in kbits/sec + + + + + + + + Download bandwidth limit in kbits/sec + + + + + + + + + + + + + + Authentication mode for PPPoE Server + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + IP address of RADIUS server + + ipv4 + IP address of RADIUS server + + + + + + Key for accessing the specified server + + + + + Maximum number of simultaneous requests to server (default: unlimited) + + + + + If server does not responds mark it as unavailable for this amount of time in seconds + + + + + + + RADIUS settings + + + + + Timeout to wait response from server (seconds) + + + + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + + + + + Maximum number of tries to send Access-Request/Accounting-Request queries + + + + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. + + + + + Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. + + + + + IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) + + + + + IP address for Dynamic Authorization Extension server (DM/CoA) + + + + + Port for Dynamic Authorization Extension server (DM/CoA) + + + + + Secret for Dynamic Authorization Extension server (DM/CoA) + + + + + + + Upload/Download speed limits + + + + + Specifies which radius attribute contains rate information. (default is Filter-Id) + + + + + Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius) + + + + + Enables Bandwidth shaping via RADIUS + + + + + + + + + + + + Pool of client IP addresses (must be within a /24) + + + + + First IP address in the pool + + + + + + + + Last IP address in the pool + + + + + + + + Client IP subnet (CIDR notation) + + + + Not a valid CIDR formatted prefix + + + + + + + + Pool of client IPv6 addresses + + + + + Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients) + + + + + + Format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633) + + + + + + + + IPv4 Domain Name Service (DNS) server + + + + + Primary DNS server + + ipv4 + IPv4 address + + + + + + + + + Secondary DNS server + + ipv4 + IPv4 address + + + + + + + + + + + IPv6 Domain Name Service (DNS) server + + + + + + ipv6 + IPv6 address + + Primary DNS server + + + + + + + + + ipv6 + IPv6 address + + Secondary DNS server + + + + + + + + + ipv6 + IPv6 address + + Tertiary DNS server + + + + + + + + + + + interface(s) to listen on + + + + + + + + VLAN monitor for the automatic creation of vlans (user per vlan) + + + + VLAN ID needs to be between 1 and 4096 + + + + + + VLAN monitor for the automatic creation of vlans (user per vlan) + + (409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2}) + + + + + + + + + local gateway address + + + + + + + + Maximum Transmission Unit (MTU) - default 1492 + + + + + + + + Limits the connection rate from a single source + + + + + Acceptable rate of connections (e.g. 1/min, 60/sec) + + [0-9]+\/(min|sec)$ + + illegal value + + + + + Burst count + + + + + Timeout in seconds + + + + + + + Service name + + [a-zA-Z0-9\-]{1,100} + + servicename can contain aplhanumerical characters and dashes only (max. 100) + + + + + + Windows Internet Name Service (WINS) server settings + + + + + Primary WINS server + + + + + + + + Secondary WINS server + + + + + + + + + + Advanced protocol options + + + + + Minimum acceptable MTU (68-65535) + + + + + + + + Preferred MRU (68-65535) + + + + + + + + CCP negotiation (default disabled) + + + + + + Specifies MPPE negotiation preference. (default prefer mppe) + + + + + Ask client for MPPE, if it rejects then drop the connection + + + + + + Ask client for MPPE, if it rejects do not fail + + + + + + Deny MPPE + + + + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + + Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. + + + + + + + + IPv4 (IPCP) negotiation algorithm + + (deny|allow|prefer|require) + + invalid value + + deny + Do not negotiate IPv4 + + + allow + Negotiate IPv4 only if client requests + + + prefer + Ask client for IPv4 negotiation, do not fail if it rejects + + + require + Require IPv4 negotiation + + + deny allow prefer require + + + + + + IPv6 (IPCP6) negotiation algorithm + + (deny|allow|prefer|require) + + invalid value + + deny + Do not negotiate IPv6 + + + allow + Negotiate IPv6 only if client requests + + + prefer + Ask client for IPv6 negotiation, do not fail if it rejects + + + require + Require IPv6 negotiation + + + deny allow prefer require + + + + + + Fixed or random interface identifier for IPv6 + + random + Random interface identifier for IPv6 + + + x:x:x:x + specify interface identifier for IPv6 + + + + + + Peer interface identifier for IPv6 + + x:x:x:x + Interface identifier for IPv6 + + + random + Use a random interface identifier for IPv6 + + + ipv4 + Calculate interface identifier from IPv4 address, for example 192:168:0:1 + + + calling-sid + Calculate interface identifier from calling-station-id + + + + + + Accept peer interface identifier + + + + + + + + PADO delays + + 1-999999 + Number in ms + + + + + Invalid PADO delay + + + + + Number of sessions + + 1-999999 + Number of sessions + + + + + Invalid number of delayed sessions + + + + + + + + + diff --git a/src/conf_mode/service-pppoe.py b/src/conf_mode/service-pppoe.py deleted file mode 100755 index aee4ee61b..000000000 --- a/src/conf_mode/service-pppoe.py +++ /dev/null @@ -1,390 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from sys import exit - -from vyos.config import Config -from vyos import ConfigError -from vyos.util import call -from vyos.template import render - -chap_secrets = r'/run/accel-pppd/chap-secrets' -pppoe_conf = r'/run/accel-pppd/pppoe.conf' - -def get_config(): - c = Config() - if not c.exists('service pppoe-server'): - return None - - config_data = { - 'concentrator': 'vyos-ac', - 'authentication': { - 'local-users': { - }, - 'mode': 'local', - 'radiussrv': {}, - 'radiusopt': {} - }, - 'client_ip_pool': '', - 'client_ip_subnets': [], - 'client_ipv6_pool': {}, - 'interface': {}, - 'ppp_gw': '', - 'svc_name': [], - 'dns': [], - 'dnsv6': [], - 'wins': [], - 'mtu': '1492', - 'ppp_options': {}, - 'limits': {}, - 'snmp': 'disable', - 'sesscrtl': 'replace', - 'pado_delay': '' - } - - c.set_level(['service', 'pppoe-server']) - # general options - if c.exists(['access-concentrator']): - config_data['concentrator'] = c.return_value(['access-concentrator']) - if c.exists(['service-name']): - config_data['svc_name'] = c.return_values(['service-name']) - if c.exists(['interface']): - for intfc in c.list_nodes(['interface']): - config_data['interface'][intfc] = {'vlans': []} - if c.exists(['interface', intfc, 'vlan-id']): - config_data['interface'][intfc]['vlans'] += c.return_values( - ['interface', intfc, 'vlan-id']) - if c.exists(['interface', intfc, 'vlan-range']): - config_data['interface'][intfc]['vlans'] += c.return_values( - ['interface', intfc, 'vlan-range']) - if c.exists(['local-ip']): - config_data['ppp_gw'] = c.return_value(['local-ip']) - if c.exists(['dns-servers']): - if c.return_value(['dns-servers', 'server-1']): - config_data['dns'].append( - c.return_value(['dns-servers', 'server-1'])) - if c.return_value(['dns-servers', 'server-2']): - config_data['dns'].append( - c.return_value(['dns-servers', 'server-2'])) - if c.exists(['dnsv6-servers']): - if c.return_value(['dnsv6-servers', 'server-1']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-1'])) - if c.return_value(['dnsv6-servers', 'server-2']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-2'])) - if c.return_value(['dnsv6-servers', 'server-3']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-3'])) - if c.exists(['wins-servers']): - if c.return_value(['wins-servers', 'server-1']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-1'])) - if c.return_value(['wins-servers', 'server-2']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-2'])) - if c.exists(['client-ip-pool']): - if c.exists(['client-ip-pool', 'start']): - config_data['client_ip_pool'] = c.return_value( - ['client-ip-pool start']) - if c.exists(['client-ip-pool stop']): - config_data['client_ip_pool'] += '-' + re.search( - '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0) - else: - raise ConfigError('client ip pool stop required') - if c.exists(['client-ip-pool', 'subnet']): - config_data['client_ip_subnets'] = c.return_values( - ['client-ip-pool', 'subnet']) - if c.exists(['client-ipv6-pool', 'prefix']): - config_data['client_ipv6_pool'][ - 'prefix'] = c.return_values(['client-ipv6-pool', 'prefix']) - if c.exists(['client-ipv6-pool', 'delegate-prefix']): - config_data['client_ipv6_pool']['delegate-prefix'] = c.return_values( - ['client-ipv6-pool', 'delegate-prefix']) - if c.exists(['limits']): - if c.exists(['limits', 'burst']): - config_data['limits']['burst'] = str( - c.return_value(['limits', 'burst'])) - if c.exists(['limits', 'timeout']): - config_data['limits']['timeout'] = str( - c.return_value(['limits', 'timeout'])) - if c.exists(['limits', 'connection-limit']): - config_data['limits']['conn-limit'] = str( - c.return_value(['limits', 'connection-limit'])) - if c.exists(['snmp']): - config_data['snmp'] = 'enable' - if c.exists(['snmp', 'master-agent']): - config_data['snmp'] = 'enable-ma' - - # authentication mode local - if not c.exists(['authentication', 'mode']): - raise ConfigError('pppoe-server authentication mode required') - - if c.exists(['authentication', 'mode', 'local']): - if c.exists(['authentication', 'local-users', 'username']): - for usr in c.list_nodes(['authentication', 'local-users', 'username']): - config_data['authentication']['local-users'].update( - { - usr: { - 'passwd': None, - 'state': 'enabled', - 'ip': '*', - 'upload': None, - 'download': None - } - } - ) - if c.exists(['authentication', 'local-users', 'username', usr, 'password']): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'password']) - if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): - config_data['authentication'][ - 'local-users'][usr]['state'] = 'disable' - if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'static-ip']) - if c.exists(['authentication', 'local-users', 'username', usr, 'rate-limit', 'download']): - config_data['authentication']['local-users'][usr]['download'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'rate-limit', 'download']) - if c.exists(['authentication', 'local-users', 'username', usr, 'rate-limit', 'upload']): - config_data['authentication']['local-users'][usr]['upload'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'rate-limit', 'upload']) - - # authentication mode radius servers and settings - - if c.exists(['authentication', 'mode', 'radius']): - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes(['authentication', 'radius-server']) - for rsrv in rsrvs: - if c.return_value(['authentication', 'radius-server', rsrv, 'fail-time']) == None: - ftime = '0' - else: - ftime = str( - c.return_value(['authentication', 'radius-server', rsrv, 'fail-time'])) - if c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']) == None: - reql = '0' - else: - reql = str( - c.return_value(['authentication', 'radius-server', rsrv, 'req-limit'])) - config_data['authentication']['radiussrv'].update( - { - rsrv: { - 'secret': c.return_value(['authentication', 'radius-server', rsrv, 'secret']), - 'fail-time': ftime, - 'req-limit': reql - } - } - ) - - # advanced radius-setting - if c.exists(['authentication', 'radius-settings']): - if c.exists(['authentication', 'radius-settings', 'acct-timeout']): - config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value( - ['authentication', 'radius-settings', 'acct-timeout']) - if c.exists(['authentication', 'radius-settings', 'max-try']): - config_data['authentication']['radiusopt'][ - 'max-try'] = c.return_value(['authentication', 'radius-settings', 'max-try']) - if c.exists(['authentication', 'radius-settings', 'timeout']): - config_data['authentication']['radiusopt'][ - 'timeout'] = c.return_value(['authentication', 'radius-settings', 'timeout']) - if c.exists(['authentication', 'radius-settings', 'nas-identifier']): - config_data['authentication']['radiusopt']['nas-id'] = c.return_value( - ['authentication', 'radius-settings', 'nas-identifier']) - if c.exists(['authentication', 'radius-settings', 'nas-ip-address']): - config_data['authentication']['radiusopt']['nas-ip'] = c.return_value( - ['authentication', 'radius-settings', 'nas-ip-address']) - if c.exists(['authentication', 'radius-settings', 'dae-server']): - config_data['authentication']['radiusopt'].update( - { - 'dae-srv': { - 'ip-addr': c.return_value(['authentication', 'radius-settings', 'dae-server', 'ip-address']), - 'port': c.return_value(['authentication', 'radius-settings', 'dae-server', 'port']), - 'secret': str(c.return_value(['authentication', 'radius-settings', 'dae-server', 'secret'])) - } - } - ) - # filter-id is the internal accel default if attribute is empty - # set here as default for visibility which may change in the future - if c.exists(['authentication', 'radius-settings', 'rate-limit', 'enable']): - if not c.exists(['authentication', 'radius-settings', 'rate-limit', 'attribute']): - config_data['authentication']['radiusopt']['shaper'] = { - 'attr': 'Filter-Id' - } - else: - config_data['authentication']['radiusopt']['shaper'] = { - 'attr': c.return_value(['authentication', 'radius-settings', 'rate-limit', 'attribute']) - } - if c.exists(['authentication', 'radius-settings', 'rate-limit', 'vendor']): - config_data['authentication']['radiusopt']['shaper'][ - 'vendor'] = c.return_value(['authentication', 'radius-settings', 'rate-limit', 'vendor']) - - if c.exists(['mtu']): - config_data['mtu'] = c.return_value(['mtu']) - - # ppp_options - ppp_options = {} - if c.exists(['ppp-options']): - if c.exists(['ppp-options', 'ccp']): - ppp_options['ccp'] = c.return_value(['ppp-options', 'ccp']) - if c.exists(['ppp-options', 'min-mtu']): - ppp_options['min-mtu'] = c.return_value(['ppp-options', 'min-mtu']) - if c.exists(['ppp-options', 'mru']): - ppp_options['mru'] = c.return_value(['ppp-options', 'mru']) - if c.exists(['ppp-options', 'mppe deny']): - ppp_options['mppe'] = 'deny' - if c.exists(['ppp-options', 'mppe', 'require']): - ppp_options['mppe'] = 'require' - if c.exists(['ppp-options', 'mppe', 'prefer']): - ppp_options['mppe'] = 'prefer' - if c.exists(['ppp-options', 'lcp-echo-failure']): - ppp_options['lcp-echo-failure'] = c.return_value( - ['ppp-options', 'lcp-echo-failure']) - if c.exists(['ppp-options', 'lcp-echo-interval']): - ppp_options['lcp-echo-interval'] = c.return_value( - ['ppp-options', 'lcp-echo-interval']) - if c.exists(['ppp-options', 'ipv4']): - ppp_options['ipv4'] = c.return_value(['ppp-options', 'ipv4']) - if c.exists(['ppp-options', 'ipv6']): - ppp_options['ipv6'] = c.return_value(['ppp-options', 'ipv6']) - if c.exists(['ppp-options', 'ipv6-accept-peer-intf-id']): - ppp_options['ipv6-accept-peer-intf-id'] = 1 - if c.exists(['ppp-options', 'ipv6-intf-id']): - ppp_options['ipv6-intf-id'] = c.return_value( - ['ppp-options', 'ipv6-intf-id']) - if c.exists(['ppp-options', 'ipv6-peer-intf-id']): - ppp_options['ipv6-peer-intf-id'] = c.return_value( - ['ppp-options', 'ipv6-peer-intf-id']) - if c.exists(['ppp-options', 'lcp-echo-timeout']): - ppp_options['lcp-echo-timeout'] = c.return_value( - ['ppp-options', 'lcp-echo-timeout']) - - if len(ppp_options) != 0: - config_data['ppp_options'] = ppp_options - - if c.exists(['session-control']): - config_data['sesscrtl'] = c.return_value(['session-control']) - - if c.exists(['pado-delay']): - config_data['pado_delay'] = '0' - a = {} - for id in c.list_nodes(['pado-delay']): - if not c.return_value(['pado-delay', id, 'sessions']): - a[id] = 0 - else: - a[id] = c.return_value(['pado-delay', id, 'sessions']) - - for k in sorted(a.keys()): - if k != sorted(a.keys())[-1]: - config_data['pado_delay'] += ",{0}:{1}".format(k, a[k]) - else: - config_data['pado_delay'] += ",{0}:{1}".format('-1', a[k]) - - return config_data - - -def verify(c): - if c == None: - return None - # vertify auth settings - if c['authentication']['mode'] == 'local': - if not c['authentication']['local-users']: - raise ConfigError( - 'pppoe-server authentication local-users required') - - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]['passwd']: - raise ConfigError('user ' + usr + ' requires a password') - # if up/download is set, check that both have a value - if c['authentication']['local-users'][usr]['upload']: - if not c['authentication']['local-users'][usr]['download']: - raise ConfigError( - 'user ' + usr + ' requires download speed value') - if c['authentication']['local-users'][usr]['download']: - if not c['authentication']['local-users'][usr]['upload']: - raise ConfigError( - 'user ' + usr + ' requires upload speed value') - - if c['authentication']['mode'] == 'radius': - if len(c['authentication']['radiussrv']) == 0: - raise ConfigError('radius server required') - for rsrv in c['authentication']['radiussrv']: - if c['authentication']['radiussrv'][rsrv]['secret'] == None: - raise ConfigError( - 'radius server ' + rsrv + ' needs a secret configured') - - # local ippool and gateway settings config checks - - if c['client_ip_subnets'] or c['client_ip_pool']: - if not c['ppp_gw']: - raise ConfigError('pppoe-server local-ip required') - - if c['ppp_gw'] and not c['client_ip_subnets'] and not c['client_ip_pool']: - print ("Warning: No pppoe client IPv4 pool defined") - - -def generate(c): - if not c: - return None - - dirname = os.path.dirname(pppoe_conf) - if not os.path.exists(dirname): - os.mkdir(dirname) - - # accel-cmd reload doesn't work so any change results in a restart of the - # daemon - try: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count() / 2) - except KeyError: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count() / 2) - - render(pppoe_conf, 'pppoe-server/pppoe.config.tmpl', c, trim_blocks=True) - - if c['authentication']['local-users']: - old_umask = os.umask(0o077) - render(chap_secrets, 'pppoe-server/chap-secrets.tmpl', c, trim_blocks=True) - os.umask(old_umask) - - return c - - -def apply(c): - if not c: - call('systemctl stop accel-ppp@pppoe.service') - if os.path.exists(pppoe_conf): - os.unlink(pppoe_conf) - - return None - - call('systemctl restart accel-ppp@pppoe.service') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py new file mode 100755 index 000000000..8b7f5a0e9 --- /dev/null +++ b/src/conf_mode/service_pppoe-server.py @@ -0,0 +1,427 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re + +from copy import deepcopy +from stat import S_IRUSR, S_IWUSR, S_IRGRP +from sys import exit + +from vyos.config import Config +from vyos import ConfigError +from vyos.util import call +from vyos.template import render + +pppoe_conf = r'/run/accel-pppd/pppoe.conf' +pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets' + +default_config_data = { + 'auth_mode': 'local', + 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template + 'client_ip_pool': '', + 'client_ip_subnets': [], + 'client_ipv6_pool': {}, + 'concentrator': 'vyos-ac', + 'interfaces': [], + 'local_users' : [], + + 'svc_name': [], + 'dns': [], + 'dnsv6': [], + 'wins': [], + 'mtu': '1492', + + 'limits_burst': '', + 'limits_connections': '', + 'limits_timeout': '', + + 'pado_delay': '', + 'ppp_ccp': False, + 'ppp_gw': '', + 'ppp_ipv4': '', + 'ppp_ipv6': '', + 'ppp_ipv6_accept_peer_intf_id': False, + 'ppp_ipv6_intf_id': '', + 'ppp_ipv6_peer_intf_id': '', + 'ppp_echo_failure': '3', + 'ppp_echo_interval': '30', + 'ppp_echo_timeout': '0', + 'ppp_min_mtu': '', + 'ppp_mppe': 'prefer', + 'ppp_mru': '', + + 'radius_server': [], + 'radius_acct_tmo': '3', + 'radius_max_try': '3', + 'radius_timeout': '3', + 'radius_nas_id': '', + 'radius_nas_ip': '', + 'radius_shaper_attr': '', + 'radius_shaper_vendor': '', + 'radius_dynamic_author': '', + 'sesscrtl': 'replace', + 'snmp': False, +} + +def get_config(): + conf = Config() + base_path = ['service', 'pppoe-server'] + if not conf.exists(base_path): + return None + + conf.set_level(base_path) + pppoe = deepcopy(default_config_data) + + cpu = os.cpu_count() + if cpu > 1: + pppoe['thread_cnt'] = int(cpu/2) + + # general options + if conf.exists(['access-concentrator']): + pppoe['concentrator'] = conf.return_value(['access-concentrator']) + + if conf.exists(['service-name']): + pppoe['svc_name'] = conf.return_values(['service-name']) + + if conf.exists(['interface']): + for interface in conf.list_nodes(['interface']): + conf.set_level(base_path + ['interface', interface]) + tmp = { + 'name': interface, + 'vlans': [] + } + + if conf.exists(['vlan-id']): + tmp['vlans'] += conf.return_values(['vlan-id']) + + if conf.exists(['vlan-range']): + tmp['vlans'] += conf.return_values(['vlan-range']) + + pppoe['interfaces'].append(tmp) + + conf.set_level(base_path) + + if conf.exists(['local-ip']): + pppoe['ppp_gw'] = conf.return_value(['local-ip']) + + if conf.exists(['dns-servers']): + for server in ['server-1', 'server-2']: + if conf.return_value(['dns-servers', server]): + tmp = conf.return_value(['dns-servers', server]) + pppoe['dns'].append(tmp) + + + if conf.exists(['dnsv6-servers']): + for server in ['server-1', 'server-2', 'server-3']: + if conf.return_value(['dnsv6-servers', server]): + tmp = conf.return_value(['dnsv6-servers', server]) + pppoe['dnsv6'].append(tmp) + + if conf.exists(['wins-servers']): + for server in ['server-1', 'server-2']: + if conf.return_value(['wins-servers', server]): + tmp = conf.return_value(['wins-servers', server]) + pppoe['wins'].append(tmp) + + if conf.exists(['client-ip-pool']): + if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): + start = conf.return_value(['client-ip-pool', 'start']) + stop = conf.return_value(['client-ip-pool', 'stop']) + pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0) + + if conf.exists(['client-ip-pool', 'subnet']): + pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) + + if conf.exists(['client-ipv6-pool', 'prefix']): + pppoe['client_ipv6_pool']['prefix'] = conf.return_values(['client-ipv6-pool', 'prefix']) + if conf.exists(['client-ipv6-pool', 'delegate-prefix']): + pppoe['client_ipv6_pool']['delegate-prefix'] = conf.return_values(['client-ipv6-pool', 'delegate-prefix']) + + if conf.exists(['limits']): + if conf.exists(['limits', 'burst']): + pppoe['limits_burst'] = conf.return_value(['limits', 'burst']) + + if conf.exists(['limits', 'connection-limit']): + pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit']) + + if conf.exists(['limits', 'timeout']): + pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout']) + + + if conf.exists(['snmp']): + pppoe['snmp'] = True + + if conf.exists(['snmp', 'master-agent']): + pppoe['snmp'] = 'enable-ma' + + # authentication mode local + if conf.exists(['authentication', 'mode']): + pppoe['auth_mode'] = conf.return_value(['authentication', 'mode']) + + if conf.exists(['authentication', 'local-users']): + for username in conf.list_nodes(['authentication', 'local-users', 'username']): + user = { + 'name' : username, + 'password' : '', + 'state' : 'enabled', + 'ip' : '*', + 'upload' : None, + 'download' : None + } + conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) + + if conf.exists(['password']): + user['password'] = conf.return_value(['password']) + + if conf.exists(['disable']): + user['state'] = 'disable' + + if conf.exists(['static-ip']): + user['ip'] = conf.return_value(['static-ip']) + + if conf.exists(['rate-limit', 'download']): + user['download'] = conf.return_value(['rate-limit', 'download']) + + if conf.exists(['rate-limit', 'upload']): + user['upload'] = conf.return_value(['rate-limit', 'upload']) + + pppoe['local_users'].append(user) + + conf.set_level(base_path) + # + # authentication mode radius servers and settings + if conf.exists(['authentication', 'mode', 'radius']): + + for server in conf.list_nodes(['authentication', 'radius-server']): + radius = { + 'server' : server, + 'key' : '', + 'fail_time' : 0, + 'port' : '1812' + } + + conf.set_level(base_path + ['authentication', 'radius', 'server', server]) + + if conf.exists(['fail-time']): + radius['fail-time'] = conf.return_value(['fail-time']) + + if conf.exists(['port']): + radius['port'] = conf.return_value(['port']) + + if conf.exists(['secret']): + radius['key'] = conf.return_value(['secret']) + + if not conf.exists(['disable']): + pppoe['radius_server'].append(radius) + + # + # advanced radius-setting + conf.set_level(base_path + ['authentication', 'radius-settings']) + + if conf.exists(['acct-timeout']): + pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) + + if conf.exists(['max-try']): + pppoe['radius_max_try'] = conf.return_value(['max-try']) + + if conf.exists(['timeout']): + pppoe['radius_timeout'] = conf.return_value(['timeout']) + + if conf.exists(['nas-identifier']): + pppoe['radius_nas_id'] = conf.return_value(['nas-identifier']) + + if conf.exists(['nas-ip-address']): + pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address']) + + # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) + if conf.exists(['dynamic-author']): + dae = { + 'port' : '', + 'server' : '', + 'key' : '' + } + + if conf.exists(['dynamic-author', 'ip-address']): + dae['server'] = conf.return_value(['dynamic-author', 'ip-address']) + + if conf.exists(['dynamic-author', 'port']): + dae['port'] = conf.return_value(['dynamic-author', 'port']) + + if conf.exists(['dynamic-author', 'secret']): + dae['key'] = conf.return_value(['dynamic-author', 'secret']) + + pppoe['radius_dynamic_author'] = dae + + # RADIUS based rate-limiter + if conf.exists(['rate-limit', 'enable']): + pppoe['radius_shaper_attr'] = 'Filter-Id' + c_attr = ['rate-limit', 'enable', 'attribute'] + if conf.exists(c_attr): + pppoe['radius_shaper_attr'] = conf.return_value(c_attr) + + c_vendor = ['rate-limit', 'enable', 'vendor'] + if conf.exists(c_vendor): + pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor) + + # re-set config level + conf.set_level(base_path) + + if conf.exists(['mtu']): + pppoe['mtu'] = conf.return_value(['mtu']) + + if conf.exists(['session-control']): + pppoe['session_control'] = conf.return_value(['session-control']) + + # ppp_options + if conf.exists(['ppp-options']): + conf.set_level(base_path + ['ppp-options']) + + if conf.exists(['ccp']): + pppoe['ppp_ccp'] = True + + if conf.exists(['ipv4']): + pppoe['ppp_ipv4'] = conf.return_value(['ipv4']) + + if conf.exists(['ipv6']): + pppoe['ppp_ipv6'] = conf.return_value(['ipv6']) + + if conf.exists(['ipv6-accept-peer-intf-id']): + pppoe['ppp_ipv6_peer_intf_id'] = True + + if conf.exists(['ipv6-intf-id']): + pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id']) + + if conf.exists(['ipv6-peer-intf-id']): + pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id']) + + if conf.exists(['lcp-echo-failure']): + pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure']) + + if conf.exists(['lcp-echo-failure']): + pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure']) + + if conf.exists(['lcp-echo-timeout']): + pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout']) + + if conf.exists(['min-mtu']): + pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu']) + + if conf.exists(['mppe']): + pppoe['ppp_mppe'] = conf.return_value(['mppe']) + + if conf.exists(['mru']): + pppoe['ppp_mru'] = conf.return_value(['mru']) + + if conf.exists(['pado-delay']): + pppoe['pado_delay'] = '0' + a = {} + for id in conf.list_nodes(['pado-delay']): + if not conf.return_value(['pado-delay', id, 'sessions']): + a[id] = 0 + else: + a[id] = conf.return_value(['pado-delay', id, 'sessions']) + + for k in sorted(a.keys()): + if k != sorted(a.keys())[-1]: + pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k]) + else: + pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k]) + + return pppoe + + +def verify(pppoe): + if not pppoe: + return None + + # vertify auth settings + if pppoe['auth_mode'] == 'local': + if not pppoe['local_users']: + raise ConfigError('PPPoE local auth mode requires local users to be configured!') + + for user in pppoe['local_users']: + username = user['name'] + if not user['password']: + raise ConfigError(f'Password required for local user "{username}"') + + # if up/download is set, check that both have a value + if user['upload'] and not user['download']: + raise ConfigError(f'Download speed value required for local user "{username}"') + + if user['download'] and not user['upload']: + raise ConfigError(f'Upload speed value required for local user "{username}"') + + elif pppoe['auth_mode'] == 'radius': + if len(pppoe['radius_server']) == 0: + raise ConfigError('RADIUS authentication requires at least one server') + + for radius in pppoe['radius_server']: + if not radius['key']: + server = radius['server'] + raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + + # local ippool and gateway settings config checks + if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: + if not pppoe['ppp_gw']: + raise ConfigError('PPPoE server requires local IP to be configured') + + if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']: + print("Warning: No PPPoE client pool defined") + + return None + + +def generate(pppoe): + if not pppoe: + return None + + dirname = os.path.dirname(pppoe_conf) + if not os.path.exists(dirname): + os.mkdir(dirname) + + render(pppoe_conf, 'pppoe-server/pppoe.config.tmpl', c, trim_blocks=True) + + if pppoe['local_users']: + render(pppoe_chap_secrets, 'pppoe-server/chap-secrets.tmpl', c, trim_blocks=True) + os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) + else: + if os.path.exists(pppoe_chap_secrets): + os.unlink(pppoe_chap_secrets) + + return None + + +def apply(pppoe): + if not pppoe: + call('systemctl stop accel-ppp@pppoe.service') + for file in [pppoe_conf, pppoe_chap_secrets]: + if os.path.exists(file): + os.unlink(file) + + return None + + call('systemctl restart accel-ppp@pppoe.service') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) -- cgit v1.2.3 From 5a1a7f42b99e84fb356de646533f79fc8b4afc20 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 11:48:16 +0200 Subject: vpn: l2tp: sstp: ease unlinking of configuration files --- src/conf_mode/vpn_l2tp.py | 9 +++------ src/conf_mode/vpn_sstp.py | 34 ++++++++++++++++++---------------- 2 files changed, 21 insertions(+), 22 deletions(-) (limited to 'src') diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index a8b183bef..06803e7e0 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -364,12 +364,9 @@ def generate(l2tp): def apply(l2tp): if not l2tp: call('systemctl stop accel-ppp@l2tp.service') - - if os.path.exists(l2tp_conf): - os.unlink(l2tp_conf) - - if os.path.exists(l2tp_chap_secrets): - os.unlink(l2tp_chap_secrets) + for file in [l2tp_chap_secrets, l2tp_conf]: + if os.path.exists(file): + os.unlink(file) return None diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 438731972..7c96241b1 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -259,21 +259,22 @@ def verify(sstp): raise ConfigError('SSTP local auth mode requires local users to be configured!') for user in sstp['local_users']: + username = user['name'] if not user['password']: - raise ConfigError(f"Password required for user {user['name']}") + raise ConfigError(f'Password required for local user "{username}"') # if up/download is set, check that both have a value if user['upload'] and not user['download']: - raise ConfigError(f"Download speed value required for user {user['name']}") + raise ConfigError(f'Download speed value required for local user "{username}"') if user['download'] and not user['upload']: - raise ConfigError(f"Upload speed value required for user {user['name']}") + raise ConfigError(f'Upload speed value required for local user "{username}"') if not sstp['client_ip_pool']: - raise ConfigError("Client IP subnet required") + raise ConfigError('Client IP subnet required') if not sstp['client_gateway']: - raise ConfigError("Client gateway IP address required") + raise ConfigError('Client gateway IP address required') if len(sstp['dnsv4']) > 2: raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') @@ -282,21 +283,25 @@ def verify(sstp): raise ConfigError('One or more SSL certificates missing') if not os.path.exists(sstp['ssl_ca']): - raise ConfigError(f"CA cert file {sstp['ssl_ca']} does not exist") + file = sstp['ssl_ca'] + raise ConfigError(f'SSL CA certificate file "{file}" does not exist') if not os.path.exists(sstp['ssl_cert']): - raise ConfigError(f"SSL cert file {sstp['ssl_cert']} does not exist") + file = sstp['ssl_cert'] + raise ConfigError(f'SSL public key file "{file}" does not exist') if not os.path.exists(sstp['ssl_key']): - raise ConfigError(f"SSL key file {sstp['ssl_key']} does not exist") + file = sstp['ssl_key'] + raise ConfigError(f'SSL private key file "{file}" does not exist') if sstp['auth_mode'] == 'radius': if len(sstp['radius_server']) == 0: - raise ConfigError("RADIUS authentication requires at least one server") + raise ConfigError('RADIUS authentication requires at least one server') for radius in sstp['radius_server']: if not radius['key']: - raise ConfigError(f"Missing RADIUS secret for server {{ radius['key'] }}") + server = radius['server'] + raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') def generate(sstp): if not sstp: @@ -321,12 +326,9 @@ def generate(sstp): def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') - - if os.path.exists(sstp_conf): - os.unlink(sstp_conf) - - if os.path.exists(sstp_chap_secrets): - os.unlink(sstp_chap_secrets) + for file in [sstp_chap_secrets, sstp_conf]: + if os.path.exists(file): + os.unlink(file) return None -- cgit v1.2.3 From ee63d76964e3129e372e5c3fd8bc5bf028fc3874 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 11:57:49 +0200 Subject: pppoe-server: T2314: migrate IPv4/IPv6 name-servers to common node Instead of having "dns-server server-1|server-2" nodes and the same for IPv6 all DNS nameservers are migrated to a common name-servers node. --- data/templates/pppoe-server/pppoe.config.tmpl | 26 ++--- interface-definitions/service_pppoe-server.xml.in | 121 +++++----------------- src/conf_mode/service_pppoe-server.py | 41 ++++---- src/migration-scripts/pppoe-server/2-to-3 | 76 ++++++++++++++ 4 files changed, 134 insertions(+), 130 deletions(-) create mode 100755 src/migration-scripts/pppoe-server/2-to-3 (limited to 'src') diff --git a/data/templates/pppoe-server/pppoe.config.tmpl b/data/templates/pppoe-server/pppoe.config.tmpl index f7c639f62..66c8c37ac 100644 --- a/data/templates/pppoe-server/pppoe.config.tmpl +++ b/data/templates/pppoe-server/pppoe.config.tmpl @@ -64,32 +64,26 @@ delegate={{ prefix }} {% endfor %} {% endif %} -{% if dns %} +{% if dnsv4 %} [dns] -{% if dns[0] %} -dns1={{dns[0]}} -{% endif -%} -{% if dns[1] %} -dns2={{dns[1]}} -{% endif -%} +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} {% endif %} {% if dnsv6 %} [ipv6-dns] -{% for srv in dnsv6: %} -{{srv}} -{% endfor %} +{% for dns in dnsv6 -%} +{{ dns }} +{% endfor -%} {% endif %} {% if wins %} [wins] -{% if wins[0] %} -wins1={{wins[0]}} +{% for server in wins -%} +wins{{ loop.index }}={{ server }} +{% endfor -%} {% endif %} -{% if wins[1] %} -wins2={{wins[1]}} -{% endif -%} -{% endif -%} {% if auth_mode == 'local' %} [chap-secrets] diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 39f4093a7..dced54b64 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -283,81 +283,24 @@ - + - IPv4 Domain Name Service (DNS) server - - - - - Primary DNS server - - ipv4 - IPv4 address - - - - - - - - - Secondary DNS server - - ipv4 - IPv4 address - - - - - - - - - - - IPv6 Domain Name Service (DNS) server + Domain Name Server (DNS) propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + - - - - - ipv6 - IPv6 address - - Primary DNS server - - - - - - - - - ipv6 - IPv6 address - - Secondary DNS server - - - - - - - - - ipv6 - IPv6 address - - Tertiary DNS server - - - - - - - - + interface(s) to listen on @@ -439,29 +382,19 @@ - + - Windows Internet Name Service (WINS) server settings + Windows Internet Name Service (WINS) servers propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + + + - - - - Primary WINS server - - - - - - - - Secondary WINS server - - - - - - - + Advanced protocol options diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 8b7f5a0e9..238208eff 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -22,9 +22,10 @@ from stat import S_IRUSR, S_IWUSR, S_IRGRP from sys import exit from vyos.config import Config -from vyos import ConfigError -from vyos.util import call from vyos.template import render +from vyos.util import call +from vyos.validate import is_ipv4 +from vyos import ConfigError pppoe_conf = r'/run/accel-pppd/pppoe.conf' pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets' @@ -40,7 +41,7 @@ default_config_data = { 'local_users' : [], 'svc_name': [], - 'dns': [], + 'dnsv4': [], 'dnsv6': [], 'wins': [], 'mtu': '1492', @@ -118,24 +119,15 @@ def get_config(): if conf.exists(['local-ip']): pppoe['ppp_gw'] = conf.return_value(['local-ip']) - if conf.exists(['dns-servers']): - for server in ['server-1', 'server-2']: - if conf.return_value(['dns-servers', server]): - tmp = conf.return_value(['dns-servers', server]) - pppoe['dns'].append(tmp) - - - if conf.exists(['dnsv6-servers']): - for server in ['server-1', 'server-2', 'server-3']: - if conf.return_value(['dnsv6-servers', server]): - tmp = conf.return_value(['dnsv6-servers', server]) - pppoe['dnsv6'].append(tmp) + if conf.exists(['name-server']): + for name_server in conf.return_values(['name-server']): + if is_ipv4(name_server): + pppoe['dnsv4'].append(name_server) + else: + pppoe['dnsv6'].append(name_server) - if conf.exists(['wins-servers']): - for server in ['server-1', 'server-2']: - if conf.return_value(['wins-servers', server]): - tmp = conf.return_value(['wins-servers', server]) - pppoe['wins'].append(tmp) + if conf.exists(['wins-server']): + pppoe['wins'] = conf.return_values(['wins-server']) if conf.exists(['client-ip-pool']): if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): @@ -374,6 +366,15 @@ def verify(pppoe): server = radius['server'] raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + if len(pppoe['wins']) > 2: + raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') + + if len(pppoe['dnsv4']) > 2: + raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + + if len(pppoe['dnsv6']) > 3: + raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') + # local ippool and gateway settings config checks if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: if not pppoe['ppp_gw']: diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3 new file mode 100755 index 000000000..c85ada904 --- /dev/null +++ b/src/migration-scripts/pppoe-server/2-to-3 @@ -0,0 +1,76 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# - remove primary/secondary identifier from nameserver + +import os +import sys + +from sys import argv, exit +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['service', 'pppoe-server'] +if not config.exists(base): + # Nothing to do + exit(0) +else: + + # Migrate IPv4 DNS servers + dns_base = base + ['dns-servers'] + if config.exists(dns_base): + for server in ['server-1', 'server-2']: + if config.exists(dns_base + [server]): + dns = config.return_value(dns_base + [server]) + config.set(base + ['name-server'], value=dns, replace=False) + + config.delete(dns_base) + + # Migrate IPv6 DNS servers + dns_base = base + ['dnsv6-servers'] + if config.exists(dns_base): + for server in ['server-1', 'server-2', 'server-3']: + if config.exists(dns_base + [server]): + dns = config.return_value(dns_base + [server]) + config.set(base + ['name-server'], value=dns, replace=False) + + config.delete(dns_base) + + # Migrate IPv4 WINS servers + wins_base = base + ['wins-servers'] + if config.exists(wins_base): + for server in ['server-1', 'server-2']: + if config.exists(wins_base + [server]): + wins = config.return_value(wins_base + [server]) + config.set(base + ['wins-server'], value=wins, replace=False) + + config.delete(wins_base) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) -- cgit v1.2.3 From abcd7026efd8cbeb1c4db828788eda9a6dd2be41 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 12:01:44 +0200 Subject: vpn: l2tp: pptp: sstp: rename files to common pattern --- interface-definitions/vpn-l2tp.xml.in | 562 ---------------------------------- interface-definitions/vpn-pptp.xml.in | 254 --------------- interface-definitions/vpn-sstp.xml.in | 410 ------------------------- interface-definitions/vpn_l2tp.xml.in | 562 ++++++++++++++++++++++++++++++++++ interface-definitions/vpn_pptp.xml.in | 254 +++++++++++++++ interface-definitions/vpn_sstp.xml.in | 410 +++++++++++++++++++++++++ src/conf_mode/vpn-pptp.py | 257 ---------------- src/conf_mode/vpn_pptp.py | 257 ++++++++++++++++ 8 files changed, 1483 insertions(+), 1483 deletions(-) delete mode 100644 interface-definitions/vpn-l2tp.xml.in delete mode 100644 interface-definitions/vpn-pptp.xml.in delete mode 100644 interface-definitions/vpn-sstp.xml.in create mode 100644 interface-definitions/vpn_l2tp.xml.in create mode 100644 interface-definitions/vpn_pptp.xml.in create mode 100644 interface-definitions/vpn_sstp.xml.in delete mode 100755 src/conf_mode/vpn-pptp.py create mode 100755 src/conf_mode/vpn_pptp.py (limited to 'src') diff --git a/interface-definitions/vpn-l2tp.xml.in b/interface-definitions/vpn-l2tp.xml.in deleted file mode 100644 index d4286a810..000000000 --- a/interface-definitions/vpn-l2tp.xml.in +++ /dev/null @@ -1,562 +0,0 @@ - - - - - - - L2TP Virtual Private Network (VPN) - - - - - Remote access L2TP VPN - - - - - Maximum Transmission Unit (MTU) - - - - - - - - External IP address to which VPN clients will connect - - - - - - - - Gatway address uses as client tunnel termination point - - - - - - - - Domain Name Server (DNS) propagated to client - - ipv4 - Domain Name Server (DNS) IPv4 address - - - ipv6 - Domain Name Server (DNS) IPv6 address - - - - - - - - - - - L2TP Network Server (LNS) - - - - - Tunnel password used to authenticate the client (LAC) - - - - - - - Disable Compression Control Protocol (CCP) - - - - - - Internet Protocol Security (IPsec) for remote access L2TP VPN - - - - - IPsec authentication settings - - - - - Authentication mode for IPsec - - pre-shared-secret - Use pre-shared secret for IPsec authentication - - - x509 - Use X.509 certificate for IPsec authentication - - - (pre-shared-secret|x509) - - - pre-shared-secret x509 - - - - - - Pre-shared secret for IPsec - - - - - X.509 certificate - - - - - File containing the X.509 certificate for the Certificate Authority (CA) - - <text> - File in /config/auth - - - - - - File containing the X.509 Certificate Revocation List (CRL) - - <text> - File in /config/auth - - - - - - File containing the X.509 certificate for the remote access VPN server (this host) - - <text> - File in /config/auth - - - - - - File containing the private key for the X.509 certificate for the remote access VPN server (this host) - - <text> - File in /config/auth - - - - - - Password that protects the private key - - - - - - - - - IKE lifetime - - <30-86400> - IKE lifetime in seconds (default 3600) - - - - - - - - - ESP lifetime - - <30-86400> - IKE lifetime in seconds (default 3600) - - - - - - - - - - - Windows Internet Name Service (WINS) servers propagated to client - - ipv4 - Domain Name Server (DNS) IPv4 address - - - - - - - - - - Pool of client IP addresses (must be within a /24) - - - - - First IP address in the pool (will be used as gateway address) - - - - - - - - Last IP address in the pool - - - - - - - - Client IP subnet (CIDR notation) - - - - Not a valid CIDR formatted prefix - - ipv4net - IPv4 subnet address - - - - - - - - - Pool of client IPv6 addresses - - - - - Pool of addresses used to assign to clients - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length used for individual client - - <48-128> - Client prefix length (default: 64) - - - - - - - - - - - Subnet used to delegate prefix through DHCPv6-PD (RFC3633) - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length delegated to client - - <32-64> - Delegated prefix length - - - - - - - - - - - - - Description for L2TP remote-access settings - - - - - DHCP interface to listen on - - - - - PPP idle timeout - - <30-86400> - PPP idle timeout in seconds (default 1800) - - - - - - - - - Authentication for remote access L2TP VPN - - - - - Authentication protocol for remote access peer L2TP VPN - - pap - Require the peer to authenticate itself using PAP [Password Authentication Protocol]. - - - chap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap-v2 - Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. - - - (pap|chap|mschap|mschap-v2) - - - pap chap mschap mschap-v2 - - - - - - - Specifies mppe negotioation preference. (default require mppe 128-bit stateless - - deny - deny mppe - - - prefer - Ask client for mppe, if it rejects do not fail - - - require - ask client for mppe, if it rejects drop connection - - - (deny|prefer|require) - - - deny prefer require - - - - - - Authentication mode for remote access L2TP VPN - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Local user authentication for remote access L2TP VPN - - - - - User name for authentication - - - - - Option to disable a L2TP Server user - - - - - - Password for authentication - - - - - Static client IP address - - - - - Upload/Download speed limits - - - - - Upload bandwidth limit in kbits/sec - - - - - - - - Download bandwidth limit in kbits/sec - - - - - - - - - - - - #include - - - - - - - Mark server unavailable for <n> seconds on failure - - 0-600 - Fail time penalty - - - - - Fail time must be between 0 and 600 seconds - - - - - - - Timeout to wait response from server (seconds) - - - - - Timeout to wait reply for Interim-Update packets. (default 3 seconds) - - - - - Maximum number of tries to send Access-Request/Accounting-Request queries - - - - - Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. - - - - - IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) - - - - - IP address for Dynamic Authorization Extension server (DM/CoA) - - - - - Port for Dynamic Authorization Extension server (DM/CoA) - - - - - Secret for Dynamic Authorization Extension server (DM/CoA) - - - - - - - Upload/Download speed limits - - - - - Specifies which radius attribute contains rate information. (default is Filter-Id) - - - - - Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius) - - - - - Enables Bandwidth shaping via RADIUS - - - - - - - - - - - - Advanced protocol options - - - - - LCP echo-requests/sec - - - - - - - - Maximum number of Echo-Requests may be sent without valid reply - - - - - - - - - - - - - - diff --git a/interface-definitions/vpn-pptp.xml.in b/interface-definitions/vpn-pptp.xml.in deleted file mode 100644 index 9636c3b39..000000000 --- a/interface-definitions/vpn-pptp.xml.in +++ /dev/null @@ -1,254 +0,0 @@ - - - - - - - Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) - - - - - Remote access PPTP VPN - - - - - Maximum Transmission Unit (MTU) - - - - - - - - External IP address to which VPN clients will connect - - - - - - - - IPv4 Domain Name Service (DNS) server - - - - - Primary DNS server - - ipv4 - IPv4 address - - - - - - - - - Secondary DNS server - - ipv4 - IPv4 address - - - - - - - - - - - Windows Internet Name Service (WINS) server settings - - - - - Primary WINS server - - - - - - - - Secondary WINS server - - - - - - - - - - Pool of client IP addresses (must be within a /24) - - - - - First IP address in the pool (will be used as gateway address) - - - - - - - - Last IP address in the pool - - - - - - - - - - Gatway address uses as client tunnel termination point - - - - - - - - Authentication for remote access PPTP VPN - - - - - Authentication protocol for remote access peer PPTP VPN - - pap - Require the peer to authenticate itself using PAP [Password Authentication Protocol]. - - - chap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap - Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. - - - mschap-v2 - Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. - - - - - - Specifies mppe negotioation preference. (default require mppe 128-bit stateless - - deny - deny mppe - - - prefer - ask client for mppe, if it rejects do not fail - - - require - ask client for mppe, if it rejects drop connection - - - (deny|prefer|require) - - - deny prefer require - - - - - - Authentication mode for remote access PPTP VPN - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Local user authentication for remote access PPTP VPN - - - - - User name for authentication - - - - - Option to disable a PPTP Server user - - - - - Password for authentication - - - - - Static client IP address - - - - - - - - - RADIUS specific configuration - - - - - IP address of radius server - - ipv4 - IP address of RADIUS server - - - - - - Key for accessing the specified server - - - - - Maximum number of simultaneous requests to server (default: unlimited) - - - - - If server does not responds mark it as unavailable for this time (seconds) - - - - - - - - - - - - - - - diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in deleted file mode 100644 index b026417b3..000000000 --- a/interface-definitions/vpn-sstp.xml.in +++ /dev/null @@ -1,410 +0,0 @@ - - - - - - - Secure Socket Tunneling Protocol (SSTP) server - 901 - - - - - Authentication for remote access SSTP Server - - - - - Local user authentication for SSTP server - - - - - User name for authentication - - - - - Option to disable a SSTP Server user - - - - - - Password for authentication - - - - - Static client IP address - - - - - Upload/Download speed limits - - - - - Upload bandwidth limit in kbits/sec - - - - - - - - Download bandwidth limit in kbits/sec - - - - - - - - - - - - - - Authentication mode for SSTP Server - - local - Use local username/password configuration - - - radius - Use a RADIUS server to autenticate users - - - (local|radius) - - - local radius - - - - - - Authentication protocol for remote access peer SSTP VPN - - pap chap mschap mschap-v2 - - - pap - Authentication via PAP (Password Authentication Protocol) - - - chap - Authentication via CHAP (Challenge Handshake Authentication Protocol) - - - mschap - Authentication via MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) - - - mschap-v2 - Authentication via MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) - - - (pap|chap|mschap|mschap-v2) - - - - - #include - - - - - - - Mark server unavailable for <n> seconds on failure - - 0-600 - Fail time penalty - - - - - Fail time must be between 0 and 600 seconds - - - - - - - Timeout in seconds to wait response from RADIUS server - - 1-60 - Timeout in seconds - - - - - Timeout must be between 1 and 60 seconds - - - - - Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds) - - 0-60 - Timeout in seconds, 0 to keep active - - - - - Timeout must be between 0 and 60 seconds - - - - - Number of tries to send Access-Request/Accounting-Request queries - - 1-20 - Maximum tries - - - - - Maximum tries must be between 1 and 20 - - - - - NAS-Identifier attribute sent to RADIUS - - - - - NAS-IP-Address attribute sent to RADIUS - - - - - ipv4 - NAS-IP-Address attribute - - - - - - Dynamic Authorization Extension/Change of Authorization server - - - - - IP address for Dynamic Authorization Extension server (DM/CoA) - - - - - ipv4 - IPv4 address for aynamic authorization server - - - - - - Port for Dynamic Authorization Extension server (DM/CoA) - - number - TCP port - - - - - - - - - Shared secret for Dynamic Authorization Extension server - - - - - - - Upload/Download speed limits - - - - - Specifies RADIUS attribute containing rate information (default 'Filter-Id') - - - - - Specifies vendor dictionary (needs to be in /usr/share/accel-ppp/radius) - - - - - Enable RADIUS bandwidth shaping - - - - - - - - - - - - SSL Certificate, SSL Key and CA (/config/user-data/sstp) - - - - - Certificate Authority certificate - - file - File in /config/auth directory - - - - - - - - - Server Certificate - - - - - - - - - - - Privat Key of the Server Certificate - - file - File in /config/auth directory - - - - - - - - - - - Network settings - - - - - Client IP pools and gateway setting - - - - - Client IP subnet (CIDR notation) - - ipv4net - IPv4 address and prefix length - - - - - Not a valid CIDR formatted prefix - - - - - - Gateway IP address - - - - invalid IPv4 address - - ipv4 - Default Gateway send to the client - - - - - - - - DNS servers propagated to clients - - ipv4 - IPv4 address - - - - - - - - #include - - - - - PPP (Point-to-Point Protocol) settings - - - - - Specifies mppe negotiation preferences - - require prefer deny - - - (^require|prefer|deny) - - - require - send mppe request, if client rejects, drop the connection - - - prefer - send mppe request, if client rejects continue - - - deny - drop all mppe - - - - - - LCP echo-requests/sec - - - - - - - - Maximum number of Echo-Requests may be sent without valid reply - - - - - - - - Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. - - - - - - - - - - - - diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in new file mode 100644 index 000000000..d4286a810 --- /dev/null +++ b/interface-definitions/vpn_l2tp.xml.in @@ -0,0 +1,562 @@ + + + + + + + L2TP Virtual Private Network (VPN) + + + + + Remote access L2TP VPN + + + + + Maximum Transmission Unit (MTU) + + + + + + + + External IP address to which VPN clients will connect + + + + + + + + Gatway address uses as client tunnel termination point + + + + + + + + Domain Name Server (DNS) propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + ipv6 + Domain Name Server (DNS) IPv6 address + + + + + + + + + + + L2TP Network Server (LNS) + + + + + Tunnel password used to authenticate the client (LAC) + + + + + + + Disable Compression Control Protocol (CCP) + + + + + + Internet Protocol Security (IPsec) for remote access L2TP VPN + + + + + IPsec authentication settings + + + + + Authentication mode for IPsec + + pre-shared-secret + Use pre-shared secret for IPsec authentication + + + x509 + Use X.509 certificate for IPsec authentication + + + (pre-shared-secret|x509) + + + pre-shared-secret x509 + + + + + + Pre-shared secret for IPsec + + + + + X.509 certificate + + + + + File containing the X.509 certificate for the Certificate Authority (CA) + + <text> + File in /config/auth + + + + + + File containing the X.509 Certificate Revocation List (CRL) + + <text> + File in /config/auth + + + + + + File containing the X.509 certificate for the remote access VPN server (this host) + + <text> + File in /config/auth + + + + + + File containing the private key for the X.509 certificate for the remote access VPN server (this host) + + <text> + File in /config/auth + + + + + + Password that protects the private key + + + + + + + + + IKE lifetime + + <30-86400> + IKE lifetime in seconds (default 3600) + + + + + + + + + ESP lifetime + + <30-86400> + IKE lifetime in seconds (default 3600) + + + + + + + + + + + Windows Internet Name Service (WINS) servers propagated to client + + ipv4 + Domain Name Server (DNS) IPv4 address + + + + + + + + + + Pool of client IP addresses (must be within a /24) + + + + + First IP address in the pool (will be used as gateway address) + + + + + + + + Last IP address in the pool + + + + + + + + Client IP subnet (CIDR notation) + + + + Not a valid CIDR formatted prefix + + ipv4net + IPv4 subnet address + + + + + + + + + Pool of client IPv6 addresses + + + + + Pool of addresses used to assign to clients + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length used for individual client + + <48-128> + Client prefix length (default: 64) + + + + + + + + + + + Subnet used to delegate prefix through DHCPv6-PD (RFC3633) + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length delegated to client + + <32-64> + Delegated prefix length + + + + + + + + + + + + + Description for L2TP remote-access settings + + + + + DHCP interface to listen on + + + + + PPP idle timeout + + <30-86400> + PPP idle timeout in seconds (default 1800) + + + + + + + + + Authentication for remote access L2TP VPN + + + + + Authentication protocol for remote access peer L2TP VPN + + pap + Require the peer to authenticate itself using PAP [Password Authentication Protocol]. + + + chap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap-v2 + Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. + + + (pap|chap|mschap|mschap-v2) + + + pap chap mschap mschap-v2 + + + + + + + Specifies mppe negotioation preference. (default require mppe 128-bit stateless + + deny + deny mppe + + + prefer + Ask client for mppe, if it rejects do not fail + + + require + ask client for mppe, if it rejects drop connection + + + (deny|prefer|require) + + + deny prefer require + + + + + + Authentication mode for remote access L2TP VPN + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Local user authentication for remote access L2TP VPN + + + + + User name for authentication + + + + + Option to disable a L2TP Server user + + + + + + Password for authentication + + + + + Static client IP address + + + + + Upload/Download speed limits + + + + + Upload bandwidth limit in kbits/sec + + + + + + + + Download bandwidth limit in kbits/sec + + + + + + + + + + + + #include + + + + + + + Mark server unavailable for <n> seconds on failure + + 0-600 + Fail time penalty + + + + + Fail time must be between 0 and 600 seconds + + + + + + + Timeout to wait response from server (seconds) + + + + + Timeout to wait reply for Interim-Update packets. (default 3 seconds) + + + + + Maximum number of tries to send Access-Request/Accounting-Request queries + + + + + Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. + + + + + IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) + + + + + IP address for Dynamic Authorization Extension server (DM/CoA) + + + + + Port for Dynamic Authorization Extension server (DM/CoA) + + + + + Secret for Dynamic Authorization Extension server (DM/CoA) + + + + + + + Upload/Download speed limits + + + + + Specifies which radius attribute contains rate information. (default is Filter-Id) + + + + + Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius) + + + + + Enables Bandwidth shaping via RADIUS + + + + + + + + + + + + Advanced protocol options + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + + + + + + + + diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in new file mode 100644 index 000000000..5d8ead2aa --- /dev/null +++ b/interface-definitions/vpn_pptp.xml.in @@ -0,0 +1,254 @@ + + + + + + + Point to Point Tunneling Protocol (PPTP) Virtual Private Network (VPN) + + + + + Remote access PPTP VPN + + + + + Maximum Transmission Unit (MTU) + + + + + + + + External IP address to which VPN clients will connect + + + + + + + + IPv4 Domain Name Service (DNS) server + + + + + Primary DNS server + + ipv4 + IPv4 address + + + + + + + + + Secondary DNS server + + ipv4 + IPv4 address + + + + + + + + + + + Windows Internet Name Service (WINS) server settings + + + + + Primary WINS server + + + + + + + + Secondary WINS server + + + + + + + + + + Pool of client IP addresses (must be within a /24) + + + + + First IP address in the pool (will be used as gateway address) + + + + + + + + Last IP address in the pool + + + + + + + + + + Gatway address uses as client tunnel termination point + + + + + + + + Authentication for remote access PPTP VPN + + + + + Authentication protocol for remote access peer PPTP VPN + + pap + Require the peer to authenticate itself using PAP [Password Authentication Protocol]. + + + chap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap + Require the peer to authenticate itself using CHAP [Challenge Handshake Authentication Protocol]. + + + mschap-v2 + Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2]. + + + + + + Specifies mppe negotioation preference. (default require mppe 128-bit stateless + + deny + deny mppe + + + prefer + ask client for mppe, if it rejects do not fail + + + require + ask client for mppe, if it rejects drop connection + + + (deny|prefer|require) + + + deny prefer require + + + + + + Authentication mode for remote access PPTP VPN + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Local user authentication for remote access PPTP VPN + + + + + User name for authentication + + + + + Option to disable a PPTP Server user + + + + + Password for authentication + + + + + Static client IP address + + + + + + + + + RADIUS specific configuration + + + + + IP address of radius server + + ipv4 + IP address of RADIUS server + + + + + + Key for accessing the specified server + + + + + Maximum number of simultaneous requests to server (default: unlimited) + + + + + If server does not responds mark it as unavailable for this time (seconds) + + + + + + + + + + + + + + + diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in new file mode 100644 index 000000000..b026417b3 --- /dev/null +++ b/interface-definitions/vpn_sstp.xml.in @@ -0,0 +1,410 @@ + + + + + + + Secure Socket Tunneling Protocol (SSTP) server + 901 + + + + + Authentication for remote access SSTP Server + + + + + Local user authentication for SSTP server + + + + + User name for authentication + + + + + Option to disable a SSTP Server user + + + + + + Password for authentication + + + + + Static client IP address + + + + + Upload/Download speed limits + + + + + Upload bandwidth limit in kbits/sec + + + + + + + + Download bandwidth limit in kbits/sec + + + + + + + + + + + + + + Authentication mode for SSTP Server + + local + Use local username/password configuration + + + radius + Use a RADIUS server to autenticate users + + + (local|radius) + + + local radius + + + + + + Authentication protocol for remote access peer SSTP VPN + + pap chap mschap mschap-v2 + + + pap + Authentication via PAP (Password Authentication Protocol) + + + chap + Authentication via CHAP (Challenge Handshake Authentication Protocol) + + + mschap + Authentication via MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) + + + mschap-v2 + Authentication via MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2) + + + (pap|chap|mschap|mschap-v2) + + + + + #include + + + + + + + Mark server unavailable for <n> seconds on failure + + 0-600 + Fail time penalty + + + + + Fail time must be between 0 and 600 seconds + + + + + + + Timeout in seconds to wait response from RADIUS server + + 1-60 + Timeout in seconds + + + + + Timeout must be between 1 and 60 seconds + + + + + Timeout for Interim-Update packets, terminate session afterwards (default 3 seconds) + + 0-60 + Timeout in seconds, 0 to keep active + + + + + Timeout must be between 0 and 60 seconds + + + + + Number of tries to send Access-Request/Accounting-Request queries + + 1-20 + Maximum tries + + + + + Maximum tries must be between 1 and 20 + + + + + NAS-Identifier attribute sent to RADIUS + + + + + NAS-IP-Address attribute sent to RADIUS + + + + + ipv4 + NAS-IP-Address attribute + + + + + + Dynamic Authorization Extension/Change of Authorization server + + + + + IP address for Dynamic Authorization Extension server (DM/CoA) + + + + + ipv4 + IPv4 address for aynamic authorization server + + + + + + Port for Dynamic Authorization Extension server (DM/CoA) + + number + TCP port + + + + + + + + + Shared secret for Dynamic Authorization Extension server + + + + + + + Upload/Download speed limits + + + + + Specifies RADIUS attribute containing rate information (default 'Filter-Id') + + + + + Specifies vendor dictionary (needs to be in /usr/share/accel-ppp/radius) + + + + + Enable RADIUS bandwidth shaping + + + + + + + + + + + + SSL Certificate, SSL Key and CA (/config/user-data/sstp) + + + + + Certificate Authority certificate + + file + File in /config/auth directory + + + + + + + + + Server Certificate + + + + + + + + + + + Privat Key of the Server Certificate + + file + File in /config/auth directory + + + + + + + + + + + Network settings + + + + + Client IP pools and gateway setting + + + + + Client IP subnet (CIDR notation) + + ipv4net + IPv4 address and prefix length + + + + + Not a valid CIDR formatted prefix + + + + + + Gateway IP address + + + + invalid IPv4 address + + ipv4 + Default Gateway send to the client + + + + + + + + DNS servers propagated to clients + + ipv4 + IPv4 address + + + + + + + + #include + + + + + PPP (Point-to-Point Protocol) settings + + + + + Specifies mppe negotiation preferences + + require prefer deny + + + (^require|prefer|deny) + + + require + send mppe request, if client rejects, drop the connection + + + prefer + send mppe request, if client rejects continue + + + deny + drop all mppe + + + + + + LCP echo-requests/sec + + + + + + + + Maximum number of Echo-Requests may be sent without valid reply + + + + + + + + Timeout in seconds to wait for any peer activity. If this option specified it turns on adaptive lcp echo functionality and "lcp-echo-failure" is not used. + + + + + + + + + + + + diff --git a/src/conf_mode/vpn-pptp.py b/src/conf_mode/vpn-pptp.py deleted file mode 100755 index 15b80f984..000000000 --- a/src/conf_mode/vpn-pptp.py +++ /dev/null @@ -1,257 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -import os -import re - -from socket import socket, AF_INET, SOCK_STREAM -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos import ConfigError -from vyos.util import run -from vyos.template import render - - -pidfile = r'/var/run/accel_pptp.pid' -pptp_cnf_dir = r'/etc/accel-ppp/pptp' -chap_secrets = pptp_cnf_dir + '/chap-secrets' -pptp_conf = pptp_cnf_dir + '/pptp.config' - -# config path creation -if not os.path.exists(pptp_cnf_dir): - os.makedirs(pptp_cnf_dir) - -def _chk_con(): - cnt = 0 - s = socket(AF_INET, SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", 2003)) - break - except ConnectionRefusedError: - sleep(0.5) - cnt += 1 - if cnt == 100: - raise("failed to start pptp server") - break - - -def _accel_cmd(command): - return run('/usr/bin/accel-cmd -p 2003 {command}') - -### -# inline helper functions end -### - - -def get_config(): - c = Config() - if not c.exists(['vpn', 'pptp', 'remote-access']): - return None - - c.set_level(['vpn', 'pptp', 'remote-access']) - config_data = { - 'authentication': { - 'mode': 'local', - 'local-users': { - }, - 'radiussrv': {}, - 'auth_proto': 'auth_mschap_v2', - 'mppe': 'require' - }, - 'outside_addr': '', - 'dns': [], - 'wins': [], - 'client_ip_pool': '', - 'mtu': '1436', - } - - ### general options ### - - if c.exists(['dns-servers', 'server-1']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-1'])) - if c.exists(['dns-servers', 'server-2']): - config_data['dns'].append(c.return_value(['dns-servers', 'server-2'])) - if c.exists(['wins-servers', 'server-1']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-1'])) - if c.exists(['wins-servers', 'server-2']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-2'])) - if c.exists(['outside-address']): - config_data['outside_addr'] = c.return_value(['outside-address']) - - # auth local - if c.exists(['authentication', 'mode', 'local']): - if c.exists(['authentication', 'local-users', 'username']): - for usr in c.list_nodes(['authentication', 'local-users', 'username']): - config_data['authentication']['local-users'].update( - { - usr: { - 'passwd': '', - 'state': 'enabled', - 'ip': '' - } - } - ) - - if c.exists(['authentication', 'local-users', 'username', usr, 'password']): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'password']) - if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): - config_data['authentication']['local-users'][usr]['state'] = 'disable' - if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'static-ip']) - - # authentication mode radius servers and settings - - if c.exists(['authentication', 'mode', 'radius']): - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes(['authentication', 'radius', 'server']) - for rsrv in rsrvs: - if not c.return_value(['authentication', 'radius', 'server', rsrv, 'fail-time']): - ftime = '0' - else: - ftime = c.return_value( - ['authentication', 'radius', 'server', rsrv, 'fail-time']) - if not c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']): - reql = '0' - else: - reql = c.return_value( - ['authentication', 'radius', 'server', rsrv, 'req-limit']) - - config_data['authentication']['radiussrv'].update( - { - rsrv: { - 'secret': c.return_value(['authentication', 'radius', 'server', rsrv, 'key']), - 'fail-time': ftime, - 'req-limit': reql - } - } - ) - - if c.exists(['client-ip-pool']): - if c.exists(['client-ip-pool', 'start']): - config_data['client_ip_pool'] = c.return_value( - ['client-ip-pool', 'start']) - if c.exists(['client-ip-pool', 'stop']): - config_data['client_ip_pool'] += '-' + \ - re.search( - '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0) - if c.exists(['mtu']): - config_data['mtu'] = c.return_value(['mtu']) - - # gateway address - if c.exists(['gateway-address']): - config_data['gw_ip'] = c.return_value(['gateway-address']) - else: - config_data['gw_ip'] = re.sub( - '[0-9]+$', '1', config_data['client_ip_pool']) - - if c.exists(['authentication', 'require']): - if c.return_value(['authentication', 'require']) == 'pap': - config_data['authentication']['auth_proto'] = 'auth_pap' - if c.return_value(['authentication', 'require']) == 'chap': - config_data['authentication']['auth_proto'] = 'auth_chap_md5' - if c.return_value(['authentication', 'require']) == 'mschap': - config_data['authentication']['auth_proto'] = 'auth_mschap_v1' - if c.return_value(['authentication', 'require']) == 'mschap-v2': - config_data['authentication']['auth_proto'] = 'auth_mschap_v2' - - if c.exists(['authentication', 'mppe']): - config_data['authentication']['mppe'] = c.return_value( - ['authentication', 'mppe']) - - return config_data - - -def verify(c): - if c == None: - return None - - if c['authentication']['mode'] == 'local': - if not c['authentication']['local-users']: - raise ConfigError( - 'pptp-server authentication local-users required') - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]['passwd']: - raise ConfigError('user ' + usr + ' requires a password') - - if c['authentication']['mode'] == 'radius': - if len(c['authentication']['radiussrv']) == 0: - raise ConfigError('radius server required') - for rsrv in c['authentication']['radiussrv']: - if c['authentication']['radiussrv'][rsrv]['secret'] == None: - raise ConfigError('radius server ' + rsrv + - ' needs a secret configured') - - -def generate(c): - if c == None: - return None - - # accel-cmd reload doesn't work so any change results in a restart of the daemon - try: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - except KeyError: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count()/2) - - render(pptp_conf, 'pptp/pptp.config.tmpl', c, trim_blocks=True) - - if c['authentication']['local-users']: - old_umask = os.umask(0o077) - render(chap_secrets, 'pptp/chap-secrets.tmpl', c, trim_blocks=True) - os.umask(old_umask) - # return c ?? - return c - - -def apply(c): - if c == None: - if os.path.exists(pidfile): - _accel_cmd('shutdown hard') - if os.path.exists(pidfile): - os.remove(pidfile) - return None - - if not os.path.exists(pidfile): - ret = run(f'/usr/sbin/accel-pppd -c {pptp_conf} -p {pidfile} -d') - _chk_con() - if ret != 0 and os.path.exists(pidfile): - os.remove(pidfile) - raise ConfigError('accel-pppd failed to start') - else: - # if gw ip changes, only restart doesn't work - _accel_cmd('restart') - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py new file mode 100755 index 000000000..15b80f984 --- /dev/null +++ b/src/conf_mode/vpn_pptp.py @@ -0,0 +1,257 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os +import re + +from socket import socket, AF_INET, SOCK_STREAM +from sys import exit +from time import sleep + +from vyos.config import Config +from vyos import ConfigError +from vyos.util import run +from vyos.template import render + + +pidfile = r'/var/run/accel_pptp.pid' +pptp_cnf_dir = r'/etc/accel-ppp/pptp' +chap_secrets = pptp_cnf_dir + '/chap-secrets' +pptp_conf = pptp_cnf_dir + '/pptp.config' + +# config path creation +if not os.path.exists(pptp_cnf_dir): + os.makedirs(pptp_cnf_dir) + +def _chk_con(): + cnt = 0 + s = socket(AF_INET, SOCK_STREAM) + while True: + try: + s.connect(("127.0.0.1", 2003)) + break + except ConnectionRefusedError: + sleep(0.5) + cnt += 1 + if cnt == 100: + raise("failed to start pptp server") + break + + +def _accel_cmd(command): + return run('/usr/bin/accel-cmd -p 2003 {command}') + +### +# inline helper functions end +### + + +def get_config(): + c = Config() + if not c.exists(['vpn', 'pptp', 'remote-access']): + return None + + c.set_level(['vpn', 'pptp', 'remote-access']) + config_data = { + 'authentication': { + 'mode': 'local', + 'local-users': { + }, + 'radiussrv': {}, + 'auth_proto': 'auth_mschap_v2', + 'mppe': 'require' + }, + 'outside_addr': '', + 'dns': [], + 'wins': [], + 'client_ip_pool': '', + 'mtu': '1436', + } + + ### general options ### + + if c.exists(['dns-servers', 'server-1']): + config_data['dns'].append(c.return_value(['dns-servers', 'server-1'])) + if c.exists(['dns-servers', 'server-2']): + config_data['dns'].append(c.return_value(['dns-servers', 'server-2'])) + if c.exists(['wins-servers', 'server-1']): + config_data['wins'].append( + c.return_value(['wins-servers', 'server-1'])) + if c.exists(['wins-servers', 'server-2']): + config_data['wins'].append( + c.return_value(['wins-servers', 'server-2'])) + if c.exists(['outside-address']): + config_data['outside_addr'] = c.return_value(['outside-address']) + + # auth local + if c.exists(['authentication', 'mode', 'local']): + if c.exists(['authentication', 'local-users', 'username']): + for usr in c.list_nodes(['authentication', 'local-users', 'username']): + config_data['authentication']['local-users'].update( + { + usr: { + 'passwd': '', + 'state': 'enabled', + 'ip': '' + } + } + ) + + if c.exists(['authentication', 'local-users', 'username', usr, 'password']): + config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( + ['authentication', 'local-users', 'username', usr, 'password']) + if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): + config_data['authentication']['local-users'][usr]['state'] = 'disable' + if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): + config_data['authentication']['local-users'][usr]['ip'] = c.return_value( + ['authentication', 'local-users', 'username', usr, 'static-ip']) + + # authentication mode radius servers and settings + + if c.exists(['authentication', 'mode', 'radius']): + config_data['authentication']['mode'] = 'radius' + rsrvs = c.list_nodes(['authentication', 'radius', 'server']) + for rsrv in rsrvs: + if not c.return_value(['authentication', 'radius', 'server', rsrv, 'fail-time']): + ftime = '0' + else: + ftime = c.return_value( + ['authentication', 'radius', 'server', rsrv, 'fail-time']) + if not c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']): + reql = '0' + else: + reql = c.return_value( + ['authentication', 'radius', 'server', rsrv, 'req-limit']) + + config_data['authentication']['radiussrv'].update( + { + rsrv: { + 'secret': c.return_value(['authentication', 'radius', 'server', rsrv, 'key']), + 'fail-time': ftime, + 'req-limit': reql + } + } + ) + + if c.exists(['client-ip-pool']): + if c.exists(['client-ip-pool', 'start']): + config_data['client_ip_pool'] = c.return_value( + ['client-ip-pool', 'start']) + if c.exists(['client-ip-pool', 'stop']): + config_data['client_ip_pool'] += '-' + \ + re.search( + '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0) + if c.exists(['mtu']): + config_data['mtu'] = c.return_value(['mtu']) + + # gateway address + if c.exists(['gateway-address']): + config_data['gw_ip'] = c.return_value(['gateway-address']) + else: + config_data['gw_ip'] = re.sub( + '[0-9]+$', '1', config_data['client_ip_pool']) + + if c.exists(['authentication', 'require']): + if c.return_value(['authentication', 'require']) == 'pap': + config_data['authentication']['auth_proto'] = 'auth_pap' + if c.return_value(['authentication', 'require']) == 'chap': + config_data['authentication']['auth_proto'] = 'auth_chap_md5' + if c.return_value(['authentication', 'require']) == 'mschap': + config_data['authentication']['auth_proto'] = 'auth_mschap_v1' + if c.return_value(['authentication', 'require']) == 'mschap-v2': + config_data['authentication']['auth_proto'] = 'auth_mschap_v2' + + if c.exists(['authentication', 'mppe']): + config_data['authentication']['mppe'] = c.return_value( + ['authentication', 'mppe']) + + return config_data + + +def verify(c): + if c == None: + return None + + if c['authentication']['mode'] == 'local': + if not c['authentication']['local-users']: + raise ConfigError( + 'pptp-server authentication local-users required') + for usr in c['authentication']['local-users']: + if not c['authentication']['local-users'][usr]['passwd']: + raise ConfigError('user ' + usr + ' requires a password') + + if c['authentication']['mode'] == 'radius': + if len(c['authentication']['radiussrv']) == 0: + raise ConfigError('radius server required') + for rsrv in c['authentication']['radiussrv']: + if c['authentication']['radiussrv'][rsrv]['secret'] == None: + raise ConfigError('radius server ' + rsrv + + ' needs a secret configured') + + +def generate(c): + if c == None: + return None + + # accel-cmd reload doesn't work so any change results in a restart of the daemon + try: + if os.cpu_count() == 1: + c['thread_cnt'] = 1 + else: + c['thread_cnt'] = int(os.cpu_count()/2) + except KeyError: + if os.cpu_count() == 1: + c['thread_cnt'] = 1 + else: + c['thread_cnt'] = int(os.cpu_count()/2) + + render(pptp_conf, 'pptp/pptp.config.tmpl', c, trim_blocks=True) + + if c['authentication']['local-users']: + old_umask = os.umask(0o077) + render(chap_secrets, 'pptp/chap-secrets.tmpl', c, trim_blocks=True) + os.umask(old_umask) + # return c ?? + return c + + +def apply(c): + if c == None: + if os.path.exists(pidfile): + _accel_cmd('shutdown hard') + if os.path.exists(pidfile): + os.remove(pidfile) + return None + + if not os.path.exists(pidfile): + ret = run(f'/usr/sbin/accel-pppd -c {pptp_conf} -p {pidfile} -d') + _chk_con() + if ret != 0 and os.path.exists(pidfile): + os.remove(pidfile) + raise ConfigError('accel-pppd failed to start') + else: + # if gw ip changes, only restart doesn't work + _accel_cmd('restart') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) -- cgit v1.2.3 From cda566dfde944f705244f0b9a9293d1a47c55a50 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 12:20:11 +0200 Subject: pppoe-server: T2314: migrate RADIUS configuration to common CLI syntax --- interface-definitions/service_pppoe-server.xml.in | 54 ++++++++--------------- src/conf_mode/service_pppoe-server.py | 12 +++-- src/migration-scripts/pppoe-server/2-to-3 | 7 +++ 3 files changed, 34 insertions(+), 39 deletions(-) (limited to 'src') diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index dced54b64..0d7c3568c 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -126,37 +126,26 @@ - - - IP address of RADIUS server - - ipv4 - IP address of RADIUS server - - - - - - Key for accessing the specified server - - - - - Maximum number of simultaneous requests to server (default: unlimited) - - - - - If server does not responds mark it as unavailable for this amount of time in seconds - - - - - - - RADIUS settings - + #include + + + + + + Mark server unavailable for <n> seconds on failure + + 0-600 + Fail time penalty + + + + + Fail time must be between 0 and 600 seconds + + + + Timeout to wait response from server (seconds) @@ -177,11 +166,6 @@ Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. - - - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. - - IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 238208eff..52be86b14 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -71,6 +71,7 @@ default_config_data = { 'radius_timeout': '3', 'radius_nas_id': '', 'radius_nas_ip': '', + 'radius_source_address': '', 'radius_shaper_attr': '', 'radius_shaper_vendor': '', 'radius_dynamic_author': '', @@ -198,7 +199,7 @@ def get_config(): # authentication mode radius servers and settings if conf.exists(['authentication', 'mode', 'radius']): - for server in conf.list_nodes(['authentication', 'radius-server']): + for server in conf.list_nodes(['authentication', 'radius', 'server']): radius = { 'server' : server, 'key' : '', @@ -214,15 +215,15 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) - if conf.exists(['secret']): - radius['key'] = conf.return_value(['secret']) + if conf.exists(['key']): + radius['key'] = conf.return_value(['key']) if not conf.exists(['disable']): pppoe['radius_server'].append(radius) # # advanced radius-setting - conf.set_level(base_path + ['authentication', 'radius-settings']) + conf.set_level(base_path + ['authentication', 'radius']) if conf.exists(['acct-timeout']): pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) @@ -239,6 +240,9 @@ def get_config(): if conf.exists(['nas-ip-address']): pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address']) + if conf.exists(['source-address']): + pppoe['radius_source_address'] = conf.return_value(['source-address']) + # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) if conf.exists(['dynamic-author']): dae = { diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3 index c85ada904..977f1ef43 100755 --- a/src/migration-scripts/pppoe-server/2-to-3 +++ b/src/migration-scripts/pppoe-server/2-to-3 @@ -68,6 +68,13 @@ else: config.delete(wins_base) + # Remove RADIUS server req-limit node + radius_base = base + ['authentication', 'radius'] + if config.exists(radius_base): + for server in config.list_nodes(radius_base + ['server']): + if config.exists(radius_base + ['server', server, 'req-limit']): + config.delete(radius_base + ['server', server, 'req-limit']) + try: with open(file_name, 'w') as f: f.write(config.to_string()) -- cgit v1.2.3 From 901d5e89ec6e3fb0f3d13f90f0495a4dda592454 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 12:35:10 +0200 Subject: pppoe-server: T2314: migrate IPv6 to common CLI nodes with embeeded validation --- data/templates/l2tp/l2tp.config.tmpl | 1 - data/templates/pppoe-server/pppoe.config.tmpl | 8 +-- .../include/accel-client-ipv6-pool.xml.in | 59 +++++++++++++++++++++ interface-definitions/service_pppoe-server.xml.in | 20 +------- interface-definitions/vpn_l2tp.xml.in | 60 +--------------------- src/conf_mode/service_pppoe-server.py | 32 ++++++++++-- src/conf_mode/vpn_l2tp.py | 2 +- src/migration-scripts/l2tp/2-to-3 | 6 +-- src/migration-scripts/pppoe-server/2-to-3 | 31 +++++++++++ 9 files changed, 128 insertions(+), 91 deletions(-) create mode 100644 interface-definitions/include/accel-client-ipv6-pool.xml.in (limited to 'src') diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl index ba78cadcd..84f544203 100644 --- a/data/templates/l2tp/l2tp.config.tmpl +++ b/data/templates/l2tp/l2tp.config.tmpl @@ -124,7 +124,6 @@ ipv6=allow {% for p in client_ipv6_delegate_prefix %} delegate={{ p.prefix }},{{ p.mask }} {% endfor %} - {% endif %} {% if client_ipv6_delegate_prefix %} diff --git a/data/templates/pppoe-server/pppoe.config.tmpl b/data/templates/pppoe-server/pppoe.config.tmpl index 8bc6b5f4b..325b75adc 100644 --- a/data/templates/pppoe-server/pppoe.config.tmpl +++ b/data/templates/pppoe-server/pppoe.config.tmpl @@ -56,11 +56,11 @@ gw-ip-address={{ ppp_gw }} {% if client_ipv6_pool %} [ipv6-pool] -{% for prefix in client_ipv6_pool['prefix']: %} -{{ prefix }} +{% for p in client_ipv6_pool %} +{{ p.prefix }},{{ p.mask }} {% endfor %} -{% for prefix in client_ipv6_pool['delegate-prefix']: %} -delegate={{ prefix }} +{% for p in client_ipv6_delegate_prefix %} +delegate={{ p.prefix }},{{ p.mask }} {% endfor %} {% endif %} diff --git a/interface-definitions/include/accel-client-ipv6-pool.xml.in b/interface-definitions/include/accel-client-ipv6-pool.xml.in new file mode 100644 index 000000000..455ada6ef --- /dev/null +++ b/interface-definitions/include/accel-client-ipv6-pool.xml.in @@ -0,0 +1,59 @@ + + + Pool of client IPv6 addresses + + + + + Pool of addresses used to assign to clients + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length used for individual client + + <48-128> + Client prefix length (default: 64) + + + + + + + + + + + Subnet used to delegate prefix through DHCPv6-PD (RFC3633) + + ipv6net + IPv6 address and prefix length + + + + + + + + + Prefix length delegated to client + + <32-64> + Delegated prefix length + + + + + + + + + + diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 0d7c3568c..e42de4f90 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -248,25 +248,7 @@ - - - Pool of client IPv6 addresses - - - - - Format: ipv6prefix/mask,prefix_len (e.g.: fc00:0:1::/48,64 - divides prefix into /64 subnets for clients) - - - - - - Format: ipv6prefix/mask,prefix_len (delegate to clients through DHCPv6 prefix delegation - rfc3633) - - - - - + #include Domain Name Server (DNS) propagated to client diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index d4286a810..d92817ca0 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in @@ -232,65 +232,7 @@ - - - Pool of client IPv6 addresses - - - - - Pool of addresses used to assign to clients - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length used for individual client - - <48-128> - Client prefix length (default: 64) - - - - - - - - - - - Subnet used to delegate prefix through DHCPv6-PD (RFC3633) - - ipv6net - IPv6 address and prefix length - - - - - - - - - Prefix length delegated to client - - <32-64> - Delegated prefix length - - - - - - - - - - + #include Description for L2TP remote-access settings diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 52be86b14..aa8b9d141 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -35,7 +35,8 @@ default_config_data = { 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template 'client_ip_pool': '', 'client_ip_subnets': [], - 'client_ipv6_pool': {}, + 'client_ipv6_pool': [], + 'client_ipv6_delegate_prefix': [], 'concentrator': 'vyos-ac', 'interfaces': [], 'local_users' : [], @@ -130,6 +131,7 @@ def get_config(): if conf.exists(['wins-server']): pppoe['wins'] = conf.return_values(['wins-server']) + if conf.exists(['client-ip-pool']): if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): start = conf.return_value(['client-ip-pool', 'start']) @@ -139,10 +141,32 @@ def get_config(): if conf.exists(['client-ip-pool', 'subnet']): pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) + if conf.exists(['client-ipv6-pool', 'prefix']): - pppoe['client_ipv6_pool']['prefix'] = conf.return_values(['client-ipv6-pool', 'prefix']) - if conf.exists(['client-ipv6-pool', 'delegate-prefix']): - pppoe['client_ipv6_pool']['delegate-prefix'] = conf.return_values(['client-ipv6-pool', 'delegate-prefix']) + for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']): + tmp = { + 'prefix': prefix, + 'mask': '64' + } + + if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask']) + + pppoe['client_ipv6_pool'].append(tmp) + + + if conf.exists(['client-ipv6-pool', 'delegate']): + for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']): + tmp = { + 'prefix': prefix, + 'mask': '' + } + + if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) + + pppoe['client_ipv6_delegate_prefix'].append(tmp) + if conf.exists(['limits']): if conf.exists(['limits', 'burst']): diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 06803e7e0..331f22465 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -252,7 +252,7 @@ def get_config(): 'mask': '' } - if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'mask']): + if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) l2tp['client_ipv6_delegate_prefix'].append(tmp) diff --git a/src/migration-scripts/l2tp/2-to-3 b/src/migration-scripts/l2tp/2-to-3 index bd0839e03..3472ee3ed 100755 --- a/src/migration-scripts/l2tp/2-to-3 +++ b/src/migration-scripts/l2tp/2-to-3 @@ -95,13 +95,13 @@ else: # delete old delegate prefix CLI nodes config.delete(ipv6_base + ['delegate-prefix']) # create ned delegation tag node - config.set(ipv6_base + ['delegate ']) - config.set_tag(ipv6_base + ['delegate ']) + config.set(ipv6_base + ['delegate']) + config.set_tag(ipv6_base + ['delegate']) for p in prefix_old: prefix = p.split(',')[0] mask = p.split(',')[1] - config.set(ipv6_base + ['delegate', prefix, 'mask'], value=mask) + config.set(ipv6_base + ['delegate', prefix, 'delegate-prefix'], value=mask) try: with open(file_name, 'w') as f: diff --git a/src/migration-scripts/pppoe-server/2-to-3 b/src/migration-scripts/pppoe-server/2-to-3 index 977f1ef43..eb3e00b8b 100755 --- a/src/migration-scripts/pppoe-server/2-to-3 +++ b/src/migration-scripts/pppoe-server/2-to-3 @@ -75,6 +75,37 @@ else: if config.exists(radius_base + ['server', server, 'req-limit']): config.delete(radius_base + ['server', server, 'req-limit']) + # Migrate IPv6 prefixes + ipv6_base = base + ['client-ipv6-pool'] + if config.exists(ipv6_base + ['prefix']): + prefix_old = config.return_values(ipv6_base + ['prefix']) + # delete old prefix CLI nodes + config.delete(ipv6_base + ['prefix']) + # create ned prefix tag node + config.set(ipv6_base + ['prefix']) + config.set_tag(ipv6_base + ['prefix']) + + for p in prefix_old: + prefix = p.split(',')[0] + mask = p.split(',')[1] + config.set(ipv6_base + ['prefix', prefix, 'mask'], value=mask) + + if config.exists(ipv6_base + ['delegate-prefix']): + prefix_old = config.return_values(ipv6_base + ['delegate-prefix']) + # delete old delegate prefix CLI nodes + config.delete(ipv6_base + ['delegate-prefix']) + # create ned delegation tag node + config.set(ipv6_base + ['delegate']) + config.set_tag(ipv6_base + ['delegate']) + + for p in prefix_old: + prefix = p.split(',')[0] + mask = p.split(',')[1] + config.set(ipv6_base + ['delegate', prefix, 'delegation-prefix'], value=mask) + + print(config.to_string()) + exit(1) + try: with open(file_name, 'w') as f: f.write(config.to_string()) -- cgit v1.2.3 From 267b3213ef0e6ac4501470bef797796276879421 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sat, 18 Apr 2020 12:38:47 +0200 Subject: accel-ppp: T2314: use common tempplate for chap-secrets --- data/templates/accel-ppp/chap-secrets.tmpl | 10 ++ data/templates/accel-ppp/l2tp.config.tmpl | 145 ++++++++++++++++++ data/templates/accel-ppp/pppoe.config.tmpl | 203 ++++++++++++++++++++++++++ data/templates/accel-ppp/sstp.config.tmpl | 114 +++++++++++++++ data/templates/l2tp/chap-secrets.tmpl | 10 -- data/templates/l2tp/l2tp.config.tmpl | 146 ------------------ data/templates/pppoe-server/chap-secrets.tmpl | 10 -- data/templates/pppoe-server/pppoe.config.tmpl | 203 -------------------------- data/templates/sstp/chap-secrets.tmpl | 10 -- data/templates/sstp/sstp.config.tmpl | 115 --------------- src/conf_mode/service_pppoe-server.py | 4 +- src/conf_mode/vpn_l2tp.py | 4 +- src/conf_mode/vpn_sstp.py | 4 +- 13 files changed, 478 insertions(+), 500 deletions(-) create mode 100644 data/templates/accel-ppp/chap-secrets.tmpl create mode 100644 data/templates/accel-ppp/l2tp.config.tmpl create mode 100644 data/templates/accel-ppp/pppoe.config.tmpl create mode 100644 data/templates/accel-ppp/sstp.config.tmpl delete mode 100644 data/templates/l2tp/chap-secrets.tmpl delete mode 100644 data/templates/l2tp/l2tp.config.tmpl delete mode 100644 data/templates/pppoe-server/chap-secrets.tmpl delete mode 100644 data/templates/pppoe-server/pppoe.config.tmpl delete mode 100644 data/templates/sstp/chap-secrets.tmpl delete mode 100644 data/templates/sstp/sstp.config.tmpl (limited to 'src') diff --git a/data/templates/accel-ppp/chap-secrets.tmpl b/data/templates/accel-ppp/chap-secrets.tmpl new file mode 100644 index 000000000..dd00d7bd0 --- /dev/null +++ b/data/templates/accel-ppp/chap-secrets.tmpl @@ -0,0 +1,10 @@ +# username server password acceptable local IP addresses shaper +{% for user in local_users %} +{% if user.state == 'enabled' %} +{% if user.upload and user.download %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} +{% else %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} +{% endif %} +{% endif %} +{% endfor %} diff --git a/data/templates/accel-ppp/l2tp.config.tmpl b/data/templates/accel-ppp/l2tp.config.tmpl new file mode 100644 index 000000000..ebe3aca29 --- /dev/null +++ b/data/templates/accel-ppp/l2tp.config.tmpl @@ -0,0 +1,145 @@ +### generated by accel_l2tp.py ### +[modules] +log_syslog +l2tp +chap-secrets +{% for proto in auth_proto: %} +{{proto}} +{% endfor%} + +{% if auth_mode == 'radius' %} +radius +{% endif -%} + +ippool +shaper +ipv6pool +ipv6_nd +ipv6_dhcp + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-l2tp,daemon +copy=1 +level=5 + +{% if dnsv4 %} +[dns] +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} +{% endif %} + +{% if dnsv6 %} +[ipv6-dns] +{% for dns in dnsv6 -%} +{{ dns }} +{% endfor -%} +{% endif %} + +{% if wins %} +[wins] +{% for server in wins -%} +wins{{ loop.index }}={{ server }} +{% endfor -%} +{% endif %} + +[l2tp] +verbose=1 +ifname=l2tp%d +ppp-max-mtu={{ mtu }} +mppe={{ ppp_mppe }} +{% if outside_addr %} +bind={{ outside_addr }} +{% endif %} +{% if lns_shared_secret %} +secret={{ lns_shared_secret }} +{% endif %} + +[client-ip-range] +0.0.0.0/0 + +{% if client_ip_pool or client_ip_subnets %} +[ip-pool] +{% if client_ip_pool %} +{{ client_ip_pool }} +{% endif -%} +{% if client_ip_subnets %} +{% for sn in client_ip_subnets %} +{{sn}} +{% endfor -%} +{% endif %} +{% endif %} +{% if gateway_address %} +gw-ip-address={{ gateway_address }} +{% endif %} + +{% if auth_mode == 'local' %} +[chap-secrets] +chap-secrets={{ chap_secrets_file }} +{% elif auth_mode == 'radius' %} +[radius] +verbose=1 +{% for r in radius_server %} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} +{% endfor -%} +{% endif %} + +acct-timeout={{ radius_acct_tmo }} +timeout={{ radius_timeout }} +max-try={{ radius_max_try }} + +{% if radius_nas_id %} +nas-identifier={{ radius_nas_id }} +{% endif -%} +{% if radius_nas_ip %} +nas-ip-address={{ radius_nas_ip }} +{% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + +[ppp] +verbose=1 +check-ip=1 +single-session=replace +lcp-echo-timeout={{ ppp_echo_timeout }} +lcp-echo-interval={{ ppp_echo_interval }} +lcp-echo-failure={{ ppp_echo_failure }} +{% if ccp_disable %} +ccp=0 +{% endif %} +{% if client_ipv6_pool %} +ipv6=allow +{% endif %} + + +{% if client_ipv6_pool %} +[ipv6-pool] +{% for p in client_ipv6_pool %} +{{ p.prefix }},{{ p.mask }} +{% endfor %} +{% for p in client_ipv6_delegate_prefix %} +delegate={{ p.prefix }},{{ p.mask }} +{% endfor %} +{% endif %} + +{% if client_ipv6_delegate_prefix %} +[ipv6-dhcp] +verbose=1 +{% endif %} + +{% if radius_shaper_attr %} +[shaper] +verbose=1 +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2004 +sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl new file mode 100644 index 000000000..325b75adc --- /dev/null +++ b/data/templates/accel-ppp/pppoe.config.tmpl @@ -0,0 +1,203 @@ + +### generated by accel_pppoe.py ### +[modules] +log_syslog +pppoe +{% if auth_mode == 'radius' %} +radius +{% endif %} +ippool +{% if ppp_ipv6 != 'deny' %} +ipv6pool +ipv6_nd +ipv6_dhcp +{% endif %} +chap-secrets +auth_pap +auth_chap_md5 +auth_mschap_v1 +auth_mschap_v2 +shaper +{% if snmp %} +net-snmp +{% endif %} +{% if limits %} +connlimit +{% endif %} + +[core] +thread-count={{ thread_cnt }} + +[log] +syslog=accel-pppoe,daemon +copy=1 +level=5 + +{% if snmp == 'enable-ma' %} +[snmp] +master=1 +{% endif %} + +[client-ip-range] +disable + +{% if ppp_gw %} +[ip-pool] +gw-ip-address={{ ppp_gw }} +{% if client_ip_pool %} +{{ client_ip_pool }} +{% endif -%} +{% if client_ip_subnets %} +{% for subnet in client_ip_subnets %} +{{ subnet }} +{% endfor %} +{% endif %} +{% endif %} + +{% if client_ipv6_pool %} +[ipv6-pool] +{% for p in client_ipv6_pool %} +{{ p.prefix }},{{ p.mask }} +{% endfor %} +{% for p in client_ipv6_delegate_prefix %} +delegate={{ p.prefix }},{{ p.mask }} +{% endfor %} +{% endif %} + +{% if dnsv4 %} +[dns] +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} +{% endif %} + +{% if dnsv6 %} +[ipv6-dns] +{% for dns in dnsv6 -%} +{{ dns }} +{% endfor -%} +{% endif %} + +{% if wins %} +[wins] +{% for server in wins -%} +wins{{ loop.index }}={{ server }} +{% endfor -%} +{% endif %} + +{% if auth_mode == 'local' %} +[chap-secrets] +chap-secrets={{ chap_secrets_file }} +{% elif auth_mode == 'radius' %} +[radius] +verbose=1 +{% for r in radius_server %} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} +{% endfor -%} + +acct-timeout={{ radius_acct_tmo }} +timeout={{ radius_timeout }} +max-try={{ radius_max_try }} +{% if radius_nas_id %} +nas-identifier={{ radius_nas_id }} +{% endif -%} +{% if radius_nas_ip %} +nas-ip-address={{ radius_nas_ip }} +{% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + +{% if radius_dynamic_author %} +dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} +{% endif -%} + +{% if radius_shaper_attr %} +[shaper] +verbose=1 +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} +{% endif -%} +{% endif -%} +{% endif %} + +[ppp] +verbose=1 +check-ip=1 +{% if not sesscrtl == 'disable' %} +single-session={{sesscrtl}} +{% endif -%} +{% if ppp_ccp %} +ccp=1 +{% endif %} +{% if ppp_min_mtu %} +min-mtu={{ ppp_min_mtu }} +{% else %} +min-mtu={{ mtu }} +{% endif %} +{% if ppp_mru %} +mru={{ ppp_mru }} +{% endif %} +mppe={{ ppp_mppe }} +lcp-echo-interval={{ ppp_echo_interval }} +lcp-echo-timeout={{ ppp_echo_timeout }} +lcp-echo-failure={{ ppp_echo_failure }} +{% if ppp_ipv4 %} +ipv4={{ ppp_ipv4 }} +{% endif %} +{% if client_ipv6_pool %} +ipv6=allow +{% endif %} + +{% if ppp_ipv6 %} +ipv6={{ ppp_ipv6 }} +{% if ppp_ipv6_intf_id %} +ipv6-intf-id={{ ppp_ipv6_intf_id }} +{% endif %} +{% if ppp_ipv6_peer_intf_id %} +ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} +{% endif %} +{% if ppp_ipv6_accept_peer_intf_id %} +ipv6-accept-peer-intf-id={{ ppp_ipv6_accept_peer_intf_id }} +{% endif %} +{% endif %} +mtu={{ mtu }} + +[pppoe] +verbose=1 +ac-name={{ concentrator }} + +{% if interfaces %} +{% for interface in interfaces %} +interface={{ interface.name }} +{% if interface.vlans %} +vlan-mon={{ interface.name }},{{ interface.vlans | join(',') }} +interface=re:{{ interface.name }}\.\d+ +{% endif %} +{% endfor -%} +{% endif -%} + +{% if svc_name %} +service-name={{ svc_name|join(',') }} +{% endif -%} + +{% if pado_delay %} +pado-delay={{ pado_delay }} +{% endif %} + +{% if limits_burst or limits_connections or limits_connections %} +[connlimit] +{% if limits_connections %} +limit={{ limits_connections }} +{% endif %} +{% if limits_burst %} +burst={{ limits_burst }} +{% endif %} +{% if limits_timeout %} +timeout={{ limits_timeout }} +{% endif %} +{% endif %} + +[cli] +tcp=127.0.0.1:2001 diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl new file mode 100644 index 000000000..c3dc83429 --- /dev/null +++ b/data/templates/accel-ppp/sstp.config.tmpl @@ -0,0 +1,114 @@ +### generated by vpn_sstp.py ### +[modules] +log_syslog +sstp +shaper +{% if auth_mode == 'local' %} +chap-secrets +{% elif auth_mode == 'radius' %} +radius +{% endif -%} +ippool + +{% for proto in auth_proto %} +{{proto}} +{% endfor %} + +[core] +thread-count={{thread_cnt}} + +[common] +single-session=replace + +[log] +syslog=accel-sstp,daemon +copy=1 +level=5 + +[client-ip-range] +disable + +[sstp] +verbose=1 +ifname=sstp%d +accept=ssl +ssl-ca-file={{ ssl_ca }} +ssl-pemfile={{ ssl_cert }} +ssl-keyfile={{ ssl_key }} + +{% if client_ip_pool %} +[ip-pool] +gw-ip-address={{ client_gateway }} +{% for subnet in client_ip_pool %} +{{ subnet }} +{% endfor %} +{% endif %} + +{% if dnsv4 %} +[dns] +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} +{% endif %} + +{% if auth_mode == 'local' %} +[chap-secrets] +chap-secrets={{ chap_secrets_file }} +{% elif auth_mode == 'radius' %} +[radius] +verbose=1 +{% for r in radius_server %} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} +{% endfor -%} + +acct-timeout={{ radius_acct_tmo }} +timeout={{ radius_timeout }} +max-try={{ radius_max_try }} + +{% if radius_nas_id %} +nas-identifier={{ radius_nas_id }} +{% endif -%} +{% if radius_nas_ip %} +nas-ip-address={{ radius_nas_ip }} +{% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + + +{% if radius_dynamic_author %} +dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} +{% endif -%} +{% endif %} + +[ppp] +verbose=1 +check-ip=1 +{% if mtu %} +mtu={{ mtu }} +{% endif -%} + +{% if ppp_mppe %} +mppe={{ ppp_mppe }} +{% endif -%} +{% if ppp_echo_interval %} +lcp-echo-interval={{ ppp_echo_interval }} +{% endif -%} +{% if ppp_echo_failure %} +lcp-echo-failure={{ ppp_echo_failure }} +{% endif -%} +{% if ppp_echo_timeout %} +lcp-echo-timeout={{ ppp_echo_timeout }} +{% endif %} + +{% if radius_shaper_attr %} +[shaper] +verbose=1 +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2005 diff --git a/data/templates/l2tp/chap-secrets.tmpl b/data/templates/l2tp/chap-secrets.tmpl deleted file mode 100644 index dd00d7bd0..000000000 --- a/data/templates/l2tp/chap-secrets.tmpl +++ /dev/null @@ -1,10 +0,0 @@ -# username server password acceptable local IP addresses shaper -{% for user in local_users %} -{% if user.state == 'enabled' %} -{% if user.upload and user.download %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} -{% else %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} -{% endif %} -{% endif %} -{% endfor %} diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl deleted file mode 100644 index 84f544203..000000000 --- a/data/templates/l2tp/l2tp.config.tmpl +++ /dev/null @@ -1,146 +0,0 @@ -### generated by accel_l2tp.py ### -[modules] -log_syslog -l2tp -chap-secrets -{% for proto in auth_proto: %} -{{proto}} -{% endfor%} - -{% if auth_mode == 'radius' %} -radius -{% endif -%} - -ippool -shaper -ipv6pool -ipv6_nd -ipv6_dhcp - -[core] -thread-count={{thread_cnt}} - -[log] -syslog=accel-l2tp,daemon -copy=1 -level=5 - -{% if dnsv4 %} -[dns] -{% for dns in dnsv4 -%} -dns{{ loop.index }}={{ dns }} -{% endfor -%} -{% endif %} - -{% if dnsv6 %} -[ipv6-dns] -{% for dns in dnsv6 -%} -{{ dns }} -{% endfor -%} -{% endif %} - -{% if wins %} -[wins] -{% for server in wins -%} -wins{{ loop.index }}={{ server }} -{% endfor -%} -{% endif %} - -[l2tp] -verbose=1 -ifname=l2tp%d -ppp-max-mtu={{ mtu }} -mppe={{ ppp_mppe }} -{% if outside_addr %} -bind={{ outside_addr }} -{% endif %} -{% if lns_shared_secret %} -secret={{ lns_shared_secret }} -{% endif %} - -[client-ip-range] -0.0.0.0/0 - -{% if client_ip_pool or client_ip_subnets %} -[ip-pool] -{% if client_ip_pool %} -{{ client_ip_pool }} -{% endif -%} -{% if client_ip_subnets %} -{% for sn in client_ip_subnets %} -{{sn}} -{% endfor -%} -{% endif %} -{% endif %} -{% if gateway_address %} -gw-ip-address={{ gateway_address }} -{% endif %} - -{% if auth_mode == 'local' %} -[chap-secrets] -chap-secrets={{ chap_secrets_file }} -{% elif auth_mode == 'radius' %} -[radius] -verbose=1 -{% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor -%} -{% endif %} - -acct-timeout={{ radius_acct_tmo }} -timeout={{ radius_timeout }} -max-try={{ radius_max_try }} - -{% if radius_nas_id %} -nas-identifier={{ radius_nas_id }} -{% endif -%} -{% if radius_nas_ip %} -nas-ip-address={{ radius_nas_ip }} -{% endif -%} -{% if radius_source_address %} -bind={{ radius_source_address }} -{% endif -%} - -[ppp] -verbose=1 -check-ip=1 -single-session=replace -lcp-echo-timeout={{ ppp_echo_timeout }} -lcp-echo-interval={{ ppp_echo_interval }} -lcp-echo-failure={{ ppp_echo_failure }} -{% if ccp_disable %} -ccp=0 -{% endif %} -{% if client_ipv6_pool %} -ipv6=allow -{% endif %} - - -{% if client_ipv6_pool %} -[ipv6-pool] -{% for p in client_ipv6_pool %} -{{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} -delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} -{% endif %} - -{% if client_ipv6_delegate_prefix %} -[ipv6-dhcp] -verbose=1 -{% endif %} - -{% if radius_shaper_attr %} -[shaper] -verbose=1 -attr={{ radius_shaper_attr }} -{% if radius_shaper_vendor %} -vendor={{ radius_shaper_vendor }} -{% endif -%} -{% endif %} - -[cli] -tcp=127.0.0.1:2004 -sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime - diff --git a/data/templates/pppoe-server/chap-secrets.tmpl b/data/templates/pppoe-server/chap-secrets.tmpl deleted file mode 100644 index dd00d7bd0..000000000 --- a/data/templates/pppoe-server/chap-secrets.tmpl +++ /dev/null @@ -1,10 +0,0 @@ -# username server password acceptable local IP addresses shaper -{% for user in local_users %} -{% if user.state == 'enabled' %} -{% if user.upload and user.download %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} -{% else %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} -{% endif %} -{% endif %} -{% endfor %} diff --git a/data/templates/pppoe-server/pppoe.config.tmpl b/data/templates/pppoe-server/pppoe.config.tmpl deleted file mode 100644 index 325b75adc..000000000 --- a/data/templates/pppoe-server/pppoe.config.tmpl +++ /dev/null @@ -1,203 +0,0 @@ - -### generated by accel_pppoe.py ### -[modules] -log_syslog -pppoe -{% if auth_mode == 'radius' %} -radius -{% endif %} -ippool -{% if ppp_ipv6 != 'deny' %} -ipv6pool -ipv6_nd -ipv6_dhcp -{% endif %} -chap-secrets -auth_pap -auth_chap_md5 -auth_mschap_v1 -auth_mschap_v2 -shaper -{% if snmp %} -net-snmp -{% endif %} -{% if limits %} -connlimit -{% endif %} - -[core] -thread-count={{ thread_cnt }} - -[log] -syslog=accel-pppoe,daemon -copy=1 -level=5 - -{% if snmp == 'enable-ma' %} -[snmp] -master=1 -{% endif %} - -[client-ip-range] -disable - -{% if ppp_gw %} -[ip-pool] -gw-ip-address={{ ppp_gw }} -{% if client_ip_pool %} -{{ client_ip_pool }} -{% endif -%} -{% if client_ip_subnets %} -{% for subnet in client_ip_subnets %} -{{ subnet }} -{% endfor %} -{% endif %} -{% endif %} - -{% if client_ipv6_pool %} -[ipv6-pool] -{% for p in client_ipv6_pool %} -{{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} -delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} -{% endif %} - -{% if dnsv4 %} -[dns] -{% for dns in dnsv4 -%} -dns{{ loop.index }}={{ dns }} -{% endfor -%} -{% endif %} - -{% if dnsv6 %} -[ipv6-dns] -{% for dns in dnsv6 -%} -{{ dns }} -{% endfor -%} -{% endif %} - -{% if wins %} -[wins] -{% for server in wins -%} -wins{{ loop.index }}={{ server }} -{% endfor -%} -{% endif %} - -{% if auth_mode == 'local' %} -[chap-secrets] -chap-secrets={{ chap_secrets_file }} -{% elif auth_mode == 'radius' %} -[radius] -verbose=1 -{% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor -%} - -acct-timeout={{ radius_acct_tmo }} -timeout={{ radius_timeout }} -max-try={{ radius_max_try }} -{% if radius_nas_id %} -nas-identifier={{ radius_nas_id }} -{% endif -%} -{% if radius_nas_ip %} -nas-ip-address={{ radius_nas_ip }} -{% endif -%} -{% if radius_source_address %} -bind={{ radius_source_address }} -{% endif -%} - -{% if radius_dynamic_author %} -dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} -{% endif -%} - -{% if radius_shaper_attr %} -[shaper] -verbose=1 -attr={{ radius_shaper_attr }} -{% if radius_shaper_vendor %} -vendor={{ radius_shaper_vendor }} -{% endif -%} -{% endif -%} -{% endif %} - -[ppp] -verbose=1 -check-ip=1 -{% if not sesscrtl == 'disable' %} -single-session={{sesscrtl}} -{% endif -%} -{% if ppp_ccp %} -ccp=1 -{% endif %} -{% if ppp_min_mtu %} -min-mtu={{ ppp_min_mtu }} -{% else %} -min-mtu={{ mtu }} -{% endif %} -{% if ppp_mru %} -mru={{ ppp_mru }} -{% endif %} -mppe={{ ppp_mppe }} -lcp-echo-interval={{ ppp_echo_interval }} -lcp-echo-timeout={{ ppp_echo_timeout }} -lcp-echo-failure={{ ppp_echo_failure }} -{% if ppp_ipv4 %} -ipv4={{ ppp_ipv4 }} -{% endif %} -{% if client_ipv6_pool %} -ipv6=allow -{% endif %} - -{% if ppp_ipv6 %} -ipv6={{ ppp_ipv6 }} -{% if ppp_ipv6_intf_id %} -ipv6-intf-id={{ ppp_ipv6_intf_id }} -{% endif %} -{% if ppp_ipv6_peer_intf_id %} -ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} -{% endif %} -{% if ppp_ipv6_accept_peer_intf_id %} -ipv6-accept-peer-intf-id={{ ppp_ipv6_accept_peer_intf_id }} -{% endif %} -{% endif %} -mtu={{ mtu }} - -[pppoe] -verbose=1 -ac-name={{ concentrator }} - -{% if interfaces %} -{% for interface in interfaces %} -interface={{ interface.name }} -{% if interface.vlans %} -vlan-mon={{ interface.name }},{{ interface.vlans | join(',') }} -interface=re:{{ interface.name }}\.\d+ -{% endif %} -{% endfor -%} -{% endif -%} - -{% if svc_name %} -service-name={{ svc_name|join(',') }} -{% endif -%} - -{% if pado_delay %} -pado-delay={{ pado_delay }} -{% endif %} - -{% if limits_burst or limits_connections or limits_connections %} -[connlimit] -{% if limits_connections %} -limit={{ limits_connections }} -{% endif %} -{% if limits_burst %} -burst={{ limits_burst }} -{% endif %} -{% if limits_timeout %} -timeout={{ limits_timeout }} -{% endif %} -{% endif %} - -[cli] -tcp=127.0.0.1:2001 diff --git a/data/templates/sstp/chap-secrets.tmpl b/data/templates/sstp/chap-secrets.tmpl deleted file mode 100644 index dd00d7bd0..000000000 --- a/data/templates/sstp/chap-secrets.tmpl +++ /dev/null @@ -1,10 +0,0 @@ -# username server password acceptable local IP addresses shaper -{% for user in local_users %} -{% if user.state == 'enabled' %} -{% if user.upload and user.download %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} -{% else %} -{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} -{% endif %} -{% endif %} -{% endfor %} diff --git a/data/templates/sstp/sstp.config.tmpl b/data/templates/sstp/sstp.config.tmpl deleted file mode 100644 index acdb6c76b..000000000 --- a/data/templates/sstp/sstp.config.tmpl +++ /dev/null @@ -1,115 +0,0 @@ -### generated by vpn_sstp.py ### -[modules] -log_syslog -sstp -shaper -{% if auth_mode == 'local' %} -chap-secrets -{% elif auth_mode == 'radius' %} -radius -{% endif -%} -ippool - -{% for proto in auth_proto %} -{{proto}} -{% endfor %} - -[core] -thread-count={{thread_cnt}} - -[common] -single-session=replace - -[log] -syslog=accel-sstp,daemon -copy=1 -level=5 - -[client-ip-range] -disable - -[sstp] -verbose=1 -ifname=sstp%d -accept=ssl -ssl-ca-file={{ ssl_ca }} -ssl-pemfile={{ ssl_cert }} -ssl-keyfile={{ ssl_key }} - -{% if client_ip_pool %} -[ip-pool] -gw-ip-address={{ client_gateway }} -{% for subnet in client_ip_pool %} -{{ subnet }} -{% endfor %} -{% endif %} - -{% if dnsv4 %} -[dns] -{% for dns in dnsv4 -%} -dns{{ loop.index }}={{ dns }} -{% endfor -%} -{% endif %} - -{% if auth_mode == 'local' %} -[chap-secrets] -chap-secrets={{ chap_secrets_file }} -{% elif auth_mode == 'radius' %} -[radius] -verbose=1 -{% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor -%} - -acct-timeout={{ radius_acct_tmo }} -timeout={{ radius_timeout }} -max-try={{ radius_max_try }} - -{% if radius_nas_id %} -nas-identifier={{ radius_nas_id }} -{% endif -%} -{% if radius_nas_ip %} -nas-ip-address={{ radius_nas_ip }} -{% endif -%} -{% if radius_source_address %} -bind={{ radius_source_address }} -{% endif -%} - - -{% if radius_dynamic_author %} -dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} -{% endif -%} -{% endif %} - -[ppp] -verbose=1 -check-ip=1 -{% if mtu %} -mtu={{ mtu }} -{% endif -%} - -{% if ppp_mppe %} -mppe={{ ppp_mppe }} -{% endif -%} -{% if ppp_echo_interval %} -lcp-echo-interval={{ ppp_echo_interval }} -{% endif -%} -{% if ppp_echo_failure %} -lcp-echo-failure={{ ppp_echo_failure }} -{% endif -%} -{% if ppp_echo_timeout %} -lcp-echo-timeout={{ ppp_echo_timeout }} -{% endif %} - -{% if radius_shaper_attr %} -[shaper] -verbose=1 -attr={{ radius_shaper_attr }} -{% if radius_shaper_vendor %} -vendor={{ radius_shaper_vendor }} -{% endif -%} -{% endif %} - -[cli] -tcp=127.0.0.1:2005 - diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index aa8b9d141..13d0b1920 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -422,10 +422,10 @@ def generate(pppoe): if not os.path.exists(dirname): os.mkdir(dirname) - render(pppoe_conf, 'pppoe-server/pppoe.config.tmpl', c, trim_blocks=True) + render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', c, trim_blocks=True) if pppoe['local_users']: - render(pppoe_chap_secrets, 'pppoe-server/chap-secrets.tmpl', c, trim_blocks=True) + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', c, trim_blocks=True) os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: if os.path.exists(pppoe_chap_secrets): diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 331f22465..417520e09 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -348,10 +348,10 @@ def generate(l2tp): if not os.path.exists(dirname): os.mkdir(dirname) - render(l2tp_conf, 'l2tp/l2tp.config.tmpl', c, trim_blocks=True) + render(l2tp_conf, 'accel-ppp/l2tp.config.tmpl', c, trim_blocks=True) if l2tp['auth_mode'] == 'local': - render(l2tp_chap_secrets, 'l2tp/chap-secrets.tmpl', l2tp) + render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', l2tp) os.chmod(l2tp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 7c96241b1..9ec352290 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -312,10 +312,10 @@ def generate(sstp): os.mkdir(dirname) # accel-cmd reload doesn't work so any change results in a restart of the daemon - render(sstp_conf, 'sstp/sstp.config.tmpl', sstp, trim_blocks=True) + render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp, trim_blocks=True) if sstp['local_users']: - render(sstp_chap_secrets, 'sstp/chap-secrets.tmpl', sstp, trim_blocks=True) + render(sstp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', sstp, trim_blocks=True) os.chmod(sstp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: if os.path.exists(sstp_chap_secrets): -- cgit v1.2.3