summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-09-29 20:43:08 +0200
committerChristian Poessinger <christian@poessinger.com>2020-10-01 18:59:17 +0200
commit38ae3032180a3d49253237232a0e3de8d2836e7c (patch)
tree100c3bbfbcc79f8f51f8acb9d551a24576cc9438
parent5b640551fdff979275b49965801ad438938fb067 (diff)
downloadvyos-1x-38ae3032180a3d49253237232a0e3de8d2836e7c.tar.gz
vyos-1x-38ae3032180a3d49253237232a0e3de8d2836e7c.zip
pppoe-server: T2936: move to get_config_dict()
For easier configuration read in (CLI) validation and also template rendering it makes sense to drop the old, single implementation and move to the new, generic get_config_dict() approach. Recurring configuration parts like ip-pool, ipv6-pool and nameservers have also been split our into individual templates which will be included through Jinja2 - leading to a single-source of the template sections, too.
-rw-r--r--data/templates/accel-ppp/chap-secrets.pppoe.tmpl12
-rw-r--r--data/templates/accel-ppp/config_ip_pool.j214
-rw-r--r--data/templates/accel-ppp/config_ipv6_pool.j216
-rw-r--r--data/templates/accel-ppp/config_name_server.j213
-rw-r--r--data/templates/accel-ppp/pppoe.config.tmpl243
-rw-r--r--interface-definitions/include/accel-auth-mode.xml.i1
-rw-r--r--interface-definitions/include/accel-radius-additions.xml.i8
-rw-r--r--interface-definitions/include/radius-server.xml.i1
-rw-r--r--interface-definitions/service_pppoe-server.xml.in37
-rwxr-xr-xsmoketest/scripts/cli/test_service_pppoe-server.py182
-rwxr-xr-xsrc/conf_mode/service_pppoe-server.py500
11 files changed, 458 insertions, 569 deletions
diff --git a/data/templates/accel-ppp/chap-secrets.pppoe.tmpl b/data/templates/accel-ppp/chap-secrets.pppoe.tmpl
new file mode 100644
index 000000000..da64b64d5
--- /dev/null
+++ b/data/templates/accel-ppp/chap-secrets.pppoe.tmpl
@@ -0,0 +1,12 @@
+# username server password acceptable local IP addresses shaper
+{% if authentication is defined and authentication.local_users is defined and authentication.local_users.username is defined %}
+{% for user, user_config in authentication.local_users.username.items() %}
+{% if user_config.disabled is not defined %}
+{% if user_config.rate_limit is defined %}
+{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} {{ user_config.rate_limit.download }}/{{ user_config.rate_limit.upload }}
+{% else %}
+{{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
new file mode 100644
index 000000000..51fe67334
--- /dev/null
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -0,0 +1,14 @@
+{% if client_ip_pool is defined and client_ip_pool is not none %}
+[ip-pool]
+{% if local_ip is defined and local_ip is not none %}
+gw-ip-address={{ local_ip }}
+{% endif %}
+{% if client_ip_pool.start is defined and client_ip_pool.stop is defined and client_ip_pool.start is not none and client_ip_pool.stop is not none %}
+{{ client_ip_pool.start }}-{{ client_ip_pool.stop }}
+{% endif -%}
+{% if client_ip_pool.subnet is defined and client_ip_pool.subnet is not none %}
+{% for subnet in client_ip_pool.subnet %}
+{{ subnet }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2
new file mode 100644
index 000000000..b764fc6f0
--- /dev/null
+++ b/data/templates/accel-ppp/config_ipv6_pool.j2
@@ -0,0 +1,16 @@
+{% if client_ipv6_pool is defined and client_ipv6_pool is not none %}
+[ipv6-nd]
+AdvAutonomousFlag=1
+
+{% if client_ipv6_pool.prefix is defined and client_ipv6_pool.prefix is not none %}
+[ipv6-pool]
+{% for prefix, options in client_ipv6_pool.prefix.items() %}
+{{ prefix }},{{ options.mask }}
+{% endfor %}
+{% if client_ipv6_pool.delegate is defined and client_ipv6_pool.delegate is not none %}
+{% for prefix, options in client_ipv6_pool.delegate.items() %}
+delegate={{ prefix }},{{ options.delegation_prefix }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endif %}
diff --git a/data/templates/accel-ppp/config_name_server.j2 b/data/templates/accel-ppp/config_name_server.j2
new file mode 100644
index 000000000..2bf064f92
--- /dev/null
+++ b/data/templates/accel-ppp/config_name_server.j2
@@ -0,0 +1,13 @@
+{% if name_server_ipv4 is defined and name_server_ipv4 is not none %}
+[dns]
+{% for ns in name_server_ipv4 %}
+dns{{ loop.index }}={{ ns }}
+{% endfor %}
+{% endif %}
+
+{% if name_server_ipv6 is defined and name_server_ipv6 is not none %}
+[ipv6-dns]
+{% for ns in name_server_ipv6 %}
+{{ ns }}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl
index bdbd32d33..d0331f4e2 100644
--- a/data/templates/accel-ppp/pppoe.config.tmpl
+++ b/data/templates/accel-ppp/pppoe.config.tmpl
@@ -2,36 +2,34 @@
[modules]
log_syslog
pppoe
-{% if auth_mode == 'radius' %}
-radius
-{% endif %}
+{{ "radius" if authentication.mode is defined and authentication.mode == 'radius' }}
chap-secrets
ippool
-{% if ppp_ipv6 != 'deny' %}
+{% if ppp_options.ipv6 is defined and ppp_options.ipv6 != 'deny' %}
ipv6pool
ipv6_nd
ipv6_dhcp
{% endif %}
-{% for proto in auth_proto: %}
-{{proto}}
+{% for protocol in authentication.protocols %}
+{{ protocol }}
{% endfor%}
shaper
-{% if snmp %}
+{% if snmp is defined %}
net-snmp
{% endif %}
-{% if limits %}
+{% if limits is defined %}
connlimit
{% endif %}
[core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
[log]
syslog=accel-pppoe,daemon
copy=1
level=5
-{% if snmp == 'enable-ma' %}
+{% if snmp is defined and snmp.master_agent is defined %}
[snmp]
master=1
{% endif %}
@@ -39,177 +37,130 @@ master=1
[client-ip-range]
disable
-{% if ppp_gw %}
-[ip-pool]
-gw-ip-address={{ ppp_gw }}
-{% if client_ip_pool %}
-{{ client_ip_pool }}
-{% endif -%}
-{% if client_ip_subnets %}
-{% for subnet in client_ip_subnets %}
-{{ subnet }}
-{% endfor %}
-{% endif %}
-{% endif %}
-
-{% if client_ipv6_pool %}
-[ipv6-nd]
-AdvAutonomousFlag=1
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
-[ipv6-pool]
-{% for p in client_ipv6_pool %}
-{{ p.prefix }},{{ p.mask }}
-{% endfor %}
-{% for p in client_ipv6_delegate_prefix %}
-delegate={{ p.prefix }},{{ p.mask }}
-{% endfor %}
-{% endif %}
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
-{% if dnsv4 %}
-[dns]
-{% for dns in dnsv4 -%}
-dns{{ loop.index }}={{ dns }}
-{% endfor -%}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
-{% if dnsv6 %}
-[ipv6-dns]
-{% for dns in dnsv6 -%}
-{{ dns }}
-{% endfor -%}
-{% endif %}
-
-{% if wins %}
+{% if wins_server is defined and wins_server is not none %}
[wins]
-{% for server in wins -%}
+{% for server in wins_server %}
wins{{ loop.index }}={{ server }}
-{% endfor -%}
+{% endfor %}
{% endif %}
-{% if auth_mode == 'local' %}
+{% if authentication.mode is defined and authentication.mode == 'local' %}
[chap-secrets]
chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
+{% elif authentication.mode is defined and authentication.mode == 'radius' %}
[radius]
verbose=1
-{% for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{% endfor -%}
-
-{% if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{% endif %}
-
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
-
-{% if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{% endif -%}
-{% if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{% endif -%}
-{% if radius_source_address %}
-bind={{ radius_source_address }}
-{% endif -%}
-
-
-{% if radius_dynamic_author %}
-dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
-{% endif -%}
-{% endif %}
-{% if ppp_gw %}
-gw-ip-address={{ ppp_gw }}
-{% endif %}
-
-{% if sesscrtl != 'disable' %}
+{% for server, options in authentication.radius.server.items() if not options.disable is defined %}
+server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }}
+{% endfor %}
+{% if authentication.radius.acct_interim_jitter is defined and authentication.radius.acct_interim_jitter is not none %}
+acct-interim-jitter={{ authentication.radius.acct_interim_jitter }}
+{% endif %}
+acct-timeout={{ authentication.radius.acct_timeout }}
+timeout={{ authentication.radius.timeout }}
+max-try={{ authentication.radius.max_try }}
+{% if authentication.radius.nas_identifier is defined and authentication.radius.nas_identifier is not none %}
+nas-identifier={{ authentication.radius.nas_identifier }}
+{% endif %}
+{% if authentication.radius.nas_ip_address is defined and authentication.radius.nas_ip_address is not none %}
+nas-ip-address={{ authentication.radius.nas_ip_address }}
+{% endif %}
+{% if authentication.radius.source_address is defined and authentication.radius.source_address is not none %}
+bind={{ authentication.radius.source_address }}
+{% endif %}
+{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %}
+called-sid={{ authentication.radius.called_sid_format }}
+{% endif %}
+{% if authentication.radius.dynamic_author.server is defined and authentication.radius.dynamic_author.server is not none %}
+dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }}
+{% endif -%}
+{% endif %}
+
+{% if local_ip is defined and local_ip is not none %}
+gw-ip-address={{ local_ip }}
+{% endif %}
+
+{% if session_control is defined and session_control != 'disable' %}
[common]
-single-session={{ sesscrtl }}
+single-session={{ session_control }}
{% endif %}
[ppp]
verbose=1
check-ip=1
-{% if ppp_ccp %}
-ccp=1
-{% else %}
-ccp=0
-{% endif %}
-{% if ppp_preallocate_vif %}
-unit-preallocate=1
-{% else %}
-unit-preallocate=0
-{% endif %}
-{% if ppp_min_mtu %}
-min-mtu={{ ppp_min_mtu }}
+ccp={{ "1" if ppp_options.ccp is defined else "0" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is defined else "0" }}
+{% if ppp_options.min_mtu is defined and ppp_options.min_mtu is not none %}
+min-mtu={{ ppp_options.min_mtu }}
{% else %}
min-mtu={{ mtu }}
{% endif %}
-{% if ppp_mru %}
-mru={{ ppp_mru }}
-{% endif %}
-mppe={{ ppp_mppe }}
-lcp-echo-interval={{ ppp_echo_interval }}
-lcp-echo-timeout={{ ppp_echo_timeout }}
-lcp-echo-failure={{ ppp_echo_failure }}
-{% if ppp_ipv4 %}
-ipv4={{ ppp_ipv4 }}
-{% endif %}
-{% if client_ipv6_pool %}
-ipv6=allow
-{% endif %}
-
-{% if ppp_ipv6 %}
-ipv6={{ ppp_ipv6 }}
-{% if ppp_ipv6_intf_id %}
-ipv6-intf-id={{ ppp_ipv6_intf_id }}
-{% endif %}
-{% if ppp_ipv6_peer_intf_id %}
-ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
-{% endif %}
-{% if ppp_ipv6_accept_peer_intf_id %}
-ipv6-accept-peer-intf-id={{ ppp_ipv6_accept_peer_intf_id }}
-{% endif %}
-{% endif %}
+{% if ppp_options.mru is defined and ppp_options.mru is not none %}
+mru={{ ppp_options.mru }}
+{% endif %}
+mppe={{ ppp_options.mppe }}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{% if ppp_options.ipv4 is defined and ppp_options.ipv4 is not none %}
+ipv4={{ ppp_options.ipv4 }}
+{% endif %}
+{# IPv6 #}
+{% if ppp_options.ipv6 is defined and ppp_options.ipv6 is not none %}
+ipv6={{ ppp_options.ipv6 }}
+{% if ppp_options.ipv6_intf_id is defined and ppp_options.ipv6_intf_id is not none %}
+ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
+{% endif %}
+{% if ppp_options.ipv6_peer_intf_id is defined and ppp_options.ipv6_peer_intf_id is not none %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
+{% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is defined else "0" }}
+{% endif %}
+{# MTU #}
mtu={{ mtu }}
[pppoe]
verbose=1
-ac-name={{ concentrator }}
+ac-name={{ access_concentrator }}
-{% if interfaces %}
-{% for interface in interfaces %}
-interface={{ interface.name }}
-{% if interface.vlans %}
-vlan-mon={{ interface.name }},{{ interface.vlans | join(',') }}
+{% if interface %}
+{% for iface in interface %}
+interface={{ iface }}
+{% if interface[iface].vlan_id is defined or interface[iface].vlan_range is defined %}
+vlan-mon={{ iface }},{{ interface[iface].vlan_id | join(',') }},{{ interface[iface].vlan_range | join(',') }}
interface=re:{{ interface.name }}\.\d+
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor -%}
-{% if radius_called_sid_format %}
-called-sid={{ radius_called_sid_format }}
-{% endif %}
-{% endif -%}
-{% if svc_name %}
-service-name={{ svc_name|join(',') }}
+{% if service_name %}
+service-name={{ service_name | join(',') }}
{% endif -%}
{% if pado_delay %}
pado-delay={{ pado_delay }}
{% endif %}
-{% if limits_burst or limits_connections or limits_connections %}
+{% if limits is defined %}
[connlimit]
-{% if limits_connections %}
-limit={{ limits_connections }}
-{% endif %}
-{% if limits_burst %}
-burst={{ limits_burst }}
-{% endif %}
-{% if limits_timeout %}
-timeout={{ limits_timeout }}
-{% endif %}
+{% if limits.connection_limit is defined and limits.connection_limit is not none %}
+limit={{ limits.connection_limit }}
+{% endif %}
+{% if limits.burst is defined and limits.burst %}
+burst={{ limits.burst }}
+{% endif %}
+{% if limits.timeout is defined and limits.timeout is not none %}
+timeout={{ limits.timeout }}
+{% endif %}
{% endif %}
[cli]
diff --git a/interface-definitions/include/accel-auth-mode.xml.i b/interface-definitions/include/accel-auth-mode.xml.i
index e719112db..750c3117b 100644
--- a/interface-definitions/include/accel-auth-mode.xml.i
+++ b/interface-definitions/include/accel-auth-mode.xml.i
@@ -16,4 +16,5 @@
<list>local radius</list>
</completionHelp>
</properties>
+ <defaultValue>local</defaultValue>
</leafNode>
diff --git a/interface-definitions/include/accel-radius-additions.xml.i b/interface-definitions/include/accel-radius-additions.xml.i
index f4db51b97..43810625a 100644
--- a/interface-definitions/include/accel-radius-additions.xml.i
+++ b/interface-definitions/include/accel-radius-additions.xml.i
@@ -26,6 +26,7 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>1813</defaultValue>
</leafNode>
<leafNode name="fail-time">
<properties>
@@ -39,6 +40,7 @@
</constraint>
<constraintErrorMessage>Fail time must be between 0 and 600 seconds</constraintErrorMessage>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
</children>
</tagNode>
@@ -54,6 +56,7 @@
</constraint>
<constraintErrorMessage>Timeout must be between 1 and 60 seconds</constraintErrorMessage>
</properties>
+ <defaultValue>3</defaultValue>
</leafNode>
<leafNode name="acct-timeout">
<properties>
@@ -67,6 +70,7 @@
</constraint>
<constraintErrorMessage>Timeout must be between 0 and 60 seconds</constraintErrorMessage>
</properties>
+ <defaultValue>3</defaultValue>
</leafNode>
<leafNode name="max-try">
<properties>
@@ -80,6 +84,7 @@
</constraint>
<constraintErrorMessage>Maximum tries must be between 1 and 20</constraintErrorMessage>
</properties>
+ <defaultValue>3</defaultValue>
</leafNode>
<leafNode name="nas-identifier">
<properties>
@@ -123,7 +128,7 @@
</leafNode>
<leafNode name="port">
<properties>
- <help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
+ <help>Port for Dynamic Authorization Extension server (DM/CoA) (default: 1700)</help>
<valueHelp>
<format>number</format>
<description>TCP port</description>
@@ -132,6 +137,7 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>1700</defaultValue>
</leafNode>
<leafNode name="key">
<properties>
diff --git a/interface-definitions/include/radius-server.xml.i b/interface-definitions/include/radius-server.xml.i
index 047728233..7c2ddff80 100644
--- a/interface-definitions/include/radius-server.xml.i
+++ b/interface-definitions/include/radius-server.xml.i
@@ -49,6 +49,7 @@
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
+ <defaultValue>1812</defaultValue>
</leafNode>
</children>
</tagNode>
diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in
index eaaac0d4c..b38f692d8 100644
--- a/interface-definitions/service_pppoe-server.xml.in
+++ b/interface-definitions/service_pppoe-server.xml.in
@@ -29,12 +29,13 @@
</constraint>
<constraintErrorMessage>access-concentrator name limited to alphanumerical characters only (max. 100)</constraintErrorMessage>
</properties>
+ <defaultValue>vyos-ac</defaultValue>
</leafNode>
<leafNode name="session-control">
<properties>
<help>control sessions count</help>
<constraint>
- <regex>(deny|disable)</regex>
+ <regex>^(deny|disable|replace)$</regex>
</constraint>
<constraintErrorMessage>Invalid value</constraintErrorMessage>
<valueHelp>
@@ -45,10 +46,15 @@
<format>deny</format>
<description>Deny second session authorization</description>
</valueHelp>
+ <valueHelp>
+ <format>replace</format>
+ <description>Terminate first session when second is authorized</description>
+ </valueHelp>
<completionHelp>
- <list>deny disable</list>
+ <list>deny disable replace</list>
</completionHelp>
</properties>
+ <defaultValue>replace</defaultValue>
</leafNode>
<node name="authentication">
<properties>
@@ -68,6 +74,7 @@
<leafNode name="disable">
<properties>
<help>Option to disable a PPPoE Server user</help>
+ <valueless/>
</properties>
</leafNode>
<leafNode name="password">
@@ -79,6 +86,7 @@
<properties>
<help>Static client IP address</help>
</properties>
+ <defaultValue>*</defaultValue>
</leafNode>
<node name="rate-limit">
<properties>
@@ -182,7 +190,7 @@
<completionHelp>
<list>pap chap mschap mschap-v2</list>
</completionHelp>
- <multi />
+ <multi/>
</properties>
</leafNode>
</children>
@@ -234,10 +242,10 @@
<properties>
<help>VLAN monitor for the automatic creation of vlans (user per vlan)</help>
<constraint>
- <validator name="numeric" argument="--range 1-4096"/>
- </constraint>
- <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage>
- <multi />
+ <validator name="numeric" argument="--range 1-4096"/>
+ </constraint>
+ <constraintErrorMessage>VLAN ID needs to be between 1 and 4096</constraintErrorMessage>
+ <multi/>
</properties>
</leafNode>
<leafNode name="vlan-range">
@@ -246,7 +254,7 @@
<constraint>
<regex>(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})-(409[0-6]|40[0-8][0-9]|[1-3][0-9]{3}|[1-9][0-9]{0,2})</regex>
</constraint>
- <multi />
+ <multi/>
</properties>
</leafNode>
</children>
@@ -263,9 +271,10 @@
<properties>
<help>Maximum Transmission Unit (MTU) - default 1492</help>
<constraint>
- <validator name="numeric" argument="--range 128-16384"/>
+ <validator name="numeric" argument="--range 128-16384"/>
</constraint>
</properties>
+ <defaultValue>1492</defaultValue>
</leafNode>
<node name="limits">
<properties>
@@ -353,6 +362,7 @@
<regex>^(deny|prefer|require)$</regex>
</constraint>
</properties>
+ <defaultValue>prefer</defaultValue>
</leafNode>
<leafNode name="lcp-echo-interval">
<properties>
@@ -361,6 +371,7 @@
<validator name="numeric" argument="--positive"/>
</constraint>
</properties>
+ <defaultValue>30</defaultValue>
</leafNode>
<leafNode name="lcp-echo-failure">
<properties>
@@ -369,6 +380,7 @@
<validator name="numeric" argument="--positive"/>
</constraint>
</properties>
+ <defaultValue>3</defaultValue>
</leafNode>
<leafNode name="lcp-echo-timeout">
<properties>
@@ -377,6 +389,7 @@
<validator name="numeric" argument="--positive"/>
</constraint>
</properties>
+ <defaultValue>0</defaultValue>
</leafNode>
<leafNode name="ipv4">
<properties>
@@ -437,6 +450,9 @@
<leafNode name="ipv6-intf-id">
<properties>
<help>Fixed or random interface identifier for IPv6</help>
+ <completionHelp>
+ <list>random</list>
+ </completionHelp>
<valueHelp>
<format>random</format>
<description>Random interface identifier for IPv6</description>
@@ -450,6 +466,9 @@
<leafNode name="ipv6-peer-intf-id">
<properties>
<help>Peer interface identifier for IPv6</help>
+ <completionHelp>
+ <list>random calling-sid ipv4</list>
+ </completionHelp>
<valueHelp>
<format>x:x:x:x</format>
<description>Interface identifier for IPv6</description>
diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py
index 3a6b12ef4..14f8316f5 100755
--- a/smoketest/scripts/cli/test_service_pppoe-server.py
+++ b/smoketest/scripts/cli/test_service_pppoe-server.py
@@ -15,12 +15,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
+import re
import unittest
from configparser import ConfigParser
from vyos.configsession import ConfigSession
from vyos.configsession import ConfigSessionError
from vyos.util import process_named_running
+from vyos.util import cmd
process_name = 'accel-pppd'
base_path = ['service', 'pppoe-server']
@@ -28,10 +30,8 @@ local_if = ['interfaces', 'dummy', 'dum667']
pppoe_conf = '/run/accel-pppd/pppoe.conf'
ac_name = 'ACN'
-subnet = '172.18.0.0/24'
gateway = '192.0.2.1'
nameserver = '9.9.9.9'
-mtu = '1492'
interface = 'eth0'
class TestServicePPPoEServer(unittest.TestCase):
@@ -48,10 +48,12 @@ class TestServicePPPoEServer(unittest.TestCase):
del self.session
def verify(self, conf):
+ mtu = '1492'
+
# validate some common values in the configuration
- for tmp in ['log_syslog', 'pppoe', 'chap-secrets', 'ippool', 'ipv6pool',
- 'ipv6_nd', 'ipv6_dhcp', 'auth_mschap_v2', 'auth_mschap_v1',
- 'auth_chap_md5', 'auth_pap', 'shaper']:
+ for tmp in ['log_syslog', 'pppoe', 'chap-secrets', 'ippool',
+ 'auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5',
+ 'auth_pap', 'shaper']:
# Settings without values provide None
self.assertEqual(conf['modules'][tmp], None)
@@ -60,14 +62,9 @@ class TestServicePPPoEServer(unittest.TestCase):
self.assertTrue(conf['pppoe'].getboolean('verbose'))
self.assertTrue(conf['pppoe']['interface'], interface)
- # check configured subnet
- self.assertEqual(conf['ip-pool'][subnet], None)
- self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway)
-
# check ppp
self.assertTrue(conf['ppp'].getboolean('verbose'))
self.assertTrue(conf['ppp'].getboolean('check-ip'))
- self.assertEqual(conf['ppp']['min-mtu'], mtu)
self.assertEqual(conf['ppp']['mtu'], mtu)
self.assertEqual(conf['ppp']['lcp-echo-interval'], '30')
self.assertEqual(conf['ppp']['lcp-echo-timeout'], '0')
@@ -76,24 +73,46 @@ class TestServicePPPoEServer(unittest.TestCase):
def basic_config(self):
self.session.set(local_if + ['address', '192.0.2.1/32'])
+ # PPPoE local auth mode requires local users to be configured!
+ self.session.set(base_path + ['authentication', 'local-users', 'username', 'vyos', 'password', 'vyos'])
+ self.session.set(base_path + ['authentication', 'mode', 'local'])
+
self.session.set(base_path + ['access-concentrator', ac_name])
self.session.set(base_path + ['authentication', 'mode', 'local'])
- self.session.set(base_path + ['client-ip-pool', 'subnet', subnet])
self.session.set(base_path + ['name-server', nameserver])
self.session.set(base_path + ['interface', interface])
self.session.set(base_path + ['local-ip', gateway])
- def test_local_auth(self):
+ def test_local_user(self):
""" Test configuration of local authentication for PPPoE server """
self.basic_config()
- # authentication
- self.session.set(base_path + ['authentication', 'local-users', 'username', 'vyos', 'password', 'vyos'])
- self.session.set(base_path + ['authentication', 'mode', 'local'])
+
# other settings
self.session.set(base_path + ['ppp-options', 'ccp'])
self.session.set(base_path + ['ppp-options', 'mppe', 'require'])
self.session.set(base_path + ['limits', 'connection-limit', '20/min'])
+ # upload / download limit
+ user = 'test'
+ password = 'test2'
+ static_ip = '100.100.100.101'
+ self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'password', password])
+ self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'static-ip', static_ip])
+ self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'rate-limit', 'upload', '5000'])
+
+ # upload rate-limit requires also download rate-limit
+ with self.assertRaises(ConfigSessionError):
+ self.session.commit()
+ self.session.set(base_path + ['authentication', 'local-users', 'username', user, 'rate-limit', 'download', '10000'])
+
+ # min-mtu
+ min_mtu = '1400'
+ self.session.set(base_path + ['ppp-options', 'min-mtu', min_mtu])
+
+ # mru
+ mru = '9000'
+ self.session.set(base_path + ['ppp-options', 'mru', mru])
+
# commit changes
self.session.commit()
@@ -108,13 +127,22 @@ class TestServicePPPoEServer(unittest.TestCase):
self.assertEqual(conf['chap-secrets']['chap-secrets'], '/run/accel-pppd/pppoe.chap-secrets')
self.assertEqual(conf['chap-secrets']['gw-ip-address'], gateway)
- # check pado
+ # check ppp
self.assertEqual(conf['ppp']['mppe'], 'require')
+ self.assertEqual(conf['ppp']['min-mtu'], min_mtu)
+ self.assertEqual(conf['ppp']['mru'], mru)
+
self.assertTrue(conf['ppp'].getboolean('ccp'))
# check other settings
self.assertEqual(conf['connlimit']['limit'], '20/min')
+ # check local users
+ tmp = cmd('sudo cat /run/accel-pppd/pppoe.chap-secrets')
+ regex = f'{user}\s+\*\s+{password}\s+{static_ip}\s+10000/5000'
+ tmp = re.findall(regex, tmp)
+ self.assertTrue(tmp)
+
# Check for running process
self.assertTrue(process_named_running(process_name))
@@ -124,12 +152,30 @@ class TestServicePPPoEServer(unittest.TestCase):
radius_key = 'secretVyOS'
radius_port = '2000'
radius_port_acc = '3000'
+ radius_acct_interim_jitter = '9'
+ radius_called_sid = 'ifname:mac'
self.basic_config()
+
+ self.session.set(base_path + ['authentication', 'mode', 'radius'])
self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'key', radius_key])
self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'port', radius_port])
self.session.set(base_path + ['authentication', 'radius', 'server', radius_server, 'acct-port', radius_port_acc])
- self.session.set(base_path + ['authentication', 'mode', 'radius'])
+ self.session.set(base_path + ['authentication', 'radius', 'acct-interim-jitter', radius_acct_interim_jitter])
+ self.session.set(base_path + ['authentication', 'radius', 'called-sid-format', radius_called_sid])
+
+ coa_server = '4.4.4.4'
+ coa_key = 'testCoA'
+ self.session.set(base_path + ['authentication', 'radius', 'dynamic-author', 'server', coa_server])
+ self.session.set(base_path + ['authentication', 'radius', 'dynamic-author', 'key', coa_key])
+
+ nas_id = 'VyOS-PPPoE'
+ nas_ip = '7.7.7.7'
+ self.session.set(base_path + ['authentication', 'radius', 'nas-identifier', nas_id])
+ self.session.set(base_path + ['authentication', 'radius', 'nas-ip-address', nas_ip])
+
+ source_address = '1.2.3.4'
+ self.session.set(base_path + ['authentication', 'radius', 'source-address', source_address])
# commit changes
self.session.commit()
@@ -143,10 +189,16 @@ class TestServicePPPoEServer(unittest.TestCase):
# check auth
self.assertTrue(conf['radius'].getboolean('verbose'))
- self.assertTrue(conf['radius']['acct-timeout'], '3')
- self.assertTrue(conf['radius']['timeout'], '3')
- self.assertTrue(conf['radius']['max-try'], '3')
- self.assertTrue(conf['radius']['gw-ip-address'], gateway)
+ self.assertEqual(conf['radius']['acct-timeout'], '3')
+ self.assertEqual(conf['radius']['timeout'], '3')
+ self.assertEqual(conf['radius']['max-try'], '3')
+ self.assertEqual(conf['radius']['gw-ip-address'], gateway)
+ self.assertEqual(conf['radius']['acct-interim-jitter'], radius_acct_interim_jitter)
+ self.assertEqual(conf['radius']['called-sid'], radius_called_sid)
+ self.assertEqual(conf['radius']['dae-server'], f'{coa_server}:1700,{coa_key}')
+ self.assertEqual(conf['radius']['nas-identifier'], nas_id)
+ self.assertEqual(conf['radius']['nas-ip-address'], nas_ip)
+ self.assertEqual(conf['radius']['bind'], source_address)
server = conf['radius']['server'].split(',')
self.assertEqual(radius_server, server[0])
@@ -163,5 +215,93 @@ class TestServicePPPoEServer(unittest.TestCase):
# Check for running process
self.assertTrue(process_named_running(process_name))
+ def test_auth_protocols(self):
+ """ Test configuration of local authentication for PPPoE server """
+ self.basic_config()
+ self.session.set(base_path + ['authentication', 'protocols', 'auth_mschap_v2'])
+
+ # commit changes
+ self.session.commit()
+
+ # Validate configuration values
+ conf = ConfigParser(allow_no_value=True)
+ conf.read(pppoe_conf)
+
+ self.assertEqual(conf['modules']['auth_mschap_v2'], None)
+
+ # Check for running process
+ self.assertTrue(process_named_running(process_name))
+
+
+ def test_ip_pool(self):
+ """ Test configuration of IPv6 client pools """
+ self.basic_config()
+
+ subnet = '172.18.0.0/24'
+ self.session.set(base_path + ['client-ip-pool', 'subnet', subnet])
+
+ start = '192.0.2.10'
+ stop = '192.0.2.20'
+ start_stop = f'{start}-{stop}'
+ self.session.set(base_path + ['client-ip-pool', 'start', start])
+ self.session.set(base_path + ['client-ip-pool', 'stop', stop])
+
+ # commit changes
+ self.session.commit()
+
+ # Validate configuration values
+ conf = ConfigParser(allow_no_value=True)
+ conf.read(pppoe_conf)
+
+ # check configured subnet
+ self.assertEqual(conf['ip-pool'][subnet], None)
+ self.assertEqual(conf['ip-pool'][start_stop], None)
+ self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway)
+
+
+ def test_ipv6_pool(self):
+ """ Test configuration of IPv6 client pools """
+ self.basic_config()
+
+ # Enable IPv6
+ allow_ipv6 = 'allow'
+ random = 'random'
+ self.session.set(base_path + ['ppp-options', 'ipv6', allow_ipv6])
+ self.session.set(base_path + ['ppp-options', 'ipv6-intf-id', random])
+ self.session.set(base_path + ['ppp-options', 'ipv6-accept-peer-intf-id'])
+ self.session.set(base_path + ['ppp-options', 'ipv6-peer-intf-id', random])
+
+ prefix = '2001:db8:ffff::/64'
+ prefix_mask = '128'
+ client_prefix = f'{prefix},{prefix_mask}'
+ self.session.set(base_path + ['client-ipv6-pool', 'prefix', prefix, 'mask', prefix_mask])
+
+ delegate_prefix = '2001:db8::/40'
+ delegate_mask = '56'
+ self.session.set(base_path + ['client-ipv6-pool', 'delegate', delegate_prefix, 'delegation-prefix', delegate_mask])
+
+ # commit changes
+ self.session.commit()
+
+ # Validate configuration values
+ conf = ConfigParser(allow_no_value=True, delimiters='=')
+ conf.read(pppoe_conf)
+ from vyos.util import read_file
+ print(read_file(pppoe_conf))
+
+ for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']:
+ self.assertEqual(conf['modules'][tmp], None)
+
+ self.assertEqual(conf['ppp']['ipv6'], allow_ipv6)
+ self.assertEqual(conf['ppp']['ipv6-intf-id'], random)
+ self.assertEqual(conf['ppp']['ipv6-peer-intf-id'], random)
+ self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id'))
+
+ self.assertEqual(conf['ipv6-pool'][client_prefix], None)
+ self.assertEqual(conf['ipv6-pool']['delegate'], f'{delegate_prefix},{delegate_mask}')
+
+ # Check for running process
+ self.assertTrue(process_named_running(process_name))
+
if __name__ == '__main__':
unittest.main()
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 9935b166f..fb2cd5a26 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -15,385 +15,93 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
-import re
-from copy import deepcopy
-from stat import S_IRUSR, S_IWUSR, S_IRGRP
from sys import exit
from vyos.config import Config
-from vyos.template import render
-from vyos.util import call, get_half_cpus
+from vyos.configdict import dict_merge
from vyos.validate import is_ipv4
+from vyos.template import render
+from vyos.util import call
+from vyos.util import get_half_cpus
+from vyos.util import vyos_dict_search
+from vyos.xml import defaults
from vyos import ConfigError
-
from vyos import airbag
airbag.enable()
pppoe_conf = r'/run/accel-pppd/pppoe.conf'
pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets'
-default_config_data = {
- 'auth_mode': 'local',
- 'auth_proto': ['auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5', 'auth_pap'],
- 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template
- 'client_ip_pool': '',
- 'client_ip_subnets': [],
- 'client_ipv6_pool': [],
- 'client_ipv6_delegate_prefix': [],
- 'concentrator': 'vyos-ac',
- 'interfaces': [],
- 'local_users' : [],
-
- 'svc_name': [],
- 'dnsv4': [],
- 'dnsv6': [],
- 'wins': [],
- 'mtu': '1492',
-
- 'limits_burst': '',
- 'limits_connections': '',
- 'limits_timeout': '',
-
- 'pado_delay': '',
- 'ppp_ccp': False,
- 'ppp_gw': '',
- 'ppp_ipv4': '',
- 'ppp_ipv6': '',
- 'ppp_ipv6_accept_peer_intf_id': False,
- 'ppp_ipv6_intf_id': '',
- 'ppp_ipv6_peer_intf_id': '',
- 'ppp_echo_failure': '3',
- 'ppp_echo_interval': '30',
- 'ppp_echo_timeout': '0',
- 'ppp_min_mtu': '',
- 'ppp_mppe': 'prefer',
- 'ppp_mru': '',
- 'ppp_preallocate_vif': False,
-
- 'radius_server': [],
- 'radius_acct_inter_jitter': '',
- 'radius_acct_tmo': '3',
- 'radius_max_try': '3',
- 'radius_timeout': '3',
- 'radius_nas_id': '',
- 'radius_nas_ip': '',
- 'radius_source_address': '',
- 'radius_shaper_attr': '',
- 'radius_shaper_vendor': '',
- 'radius_dynamic_author': '',
- 'radius_called_sid_format': '',
- 'sesscrtl': 'replace',
- 'snmp': False,
- 'thread_cnt': get_half_cpus()
-}
-
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
- base_path = ['service', 'pppoe-server']
- if not conf.exists(base_path):
+ base = ['service', 'pppoe-server']
+ if not conf.exists(base):
return None
- conf.set_level(base_path)
- pppoe = deepcopy(default_config_data)
-
- # general options
- if conf.exists(['access-concentrator']):
- pppoe['concentrator'] = conf.return_value(['access-concentrator'])
-
- if conf.exists(['service-name']):
- pppoe['svc_name'] = conf.return_values(['service-name'])
-
- if conf.exists(['interface']):
- for interface in conf.list_nodes(['interface']):
- conf.set_level(base_path + ['interface', interface])
- tmp = {
- 'name': interface,
- 'vlans': []
- }
-
- if conf.exists(['vlan-id']):
- tmp['vlans'] += conf.return_values(['vlan-id'])
-
- if conf.exists(['vlan-range']):
- tmp['vlans'] += conf.return_values(['vlan-range'])
-
- pppoe['interfaces'].append(tmp)
-
- conf.set_level(base_path)
-
- if conf.exists(['local-ip']):
- pppoe['ppp_gw'] = conf.return_value(['local-ip'])
-
- if conf.exists(['name-server']):
- for name_server in conf.return_values(['name-server']):
- if is_ipv4(name_server):
- pppoe['dnsv4'].append(name_server)
- else:
- pppoe['dnsv6'].append(name_server)
-
- if conf.exists(['wins-server']):
- pppoe['wins'] = conf.return_values(['wins-server'])
-
-
- if conf.exists(['client-ip-pool']):
- if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']):
- start = conf.return_value(['client-ip-pool', 'start'])
- stop = conf.return_value(['client-ip-pool', 'stop'])
- pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0)
-
- if conf.exists(['client-ip-pool', 'subnet']):
- pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet'])
-
-
- if conf.exists(['client-ipv6-pool', 'prefix']):
- for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']):
- tmp = {
- 'prefix': prefix,
- 'mask': '64'
- }
-
- if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']):
- tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask'])
-
- pppoe['client_ipv6_pool'].append(tmp)
-
-
- if conf.exists(['client-ipv6-pool', 'delegate']):
- for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']):
- tmp = {
- 'prefix': prefix,
- 'mask': ''
- }
-
- if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']):
- tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix'])
-
- pppoe['client_ipv6_delegate_prefix'].append(tmp)
-
-
- if conf.exists(['limits']):
- if conf.exists(['limits', 'burst']):
- pppoe['limits_burst'] = conf.return_value(['limits', 'burst'])
-
- if conf.exists(['limits', 'connection-limit']):
- pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit'])
-
- if conf.exists(['limits', 'timeout']):
- pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout'])
-
-
- if conf.exists(['snmp']):
- pppoe['snmp'] = True
-
- if conf.exists(['snmp', 'master-agent']):
- pppoe['snmp'] = 'enable-ma'
-
- # authentication mode local
- if conf.exists(['authentication', 'mode']):
- pppoe['auth_mode'] = conf.return_value(['authentication', 'mode'])
-
- if conf.exists(['authentication', 'local-users']):
- for username in conf.list_nodes(['authentication', 'local-users', 'username']):
- user = {
- 'name' : username,
- 'password' : '',
- 'state' : 'enabled',
- 'ip' : '*',
- 'upload' : None,
- 'download' : None
- }
- conf.set_level(base_path + ['authentication', 'local-users', 'username', username])
-
- if conf.exists(['password']):
- user['password'] = conf.return_value(['password'])
-
- if conf.exists(['disable']):
- user['state'] = 'disable'
-
- if conf.exists(['static-ip']):
- user['ip'] = conf.return_value(['static-ip'])
-
- if conf.exists(['rate-limit', 'download']):
- user['download'] = conf.return_value(['rate-limit', 'download'])
-
- if conf.exists(['rate-limit', 'upload']):
- user['upload'] = conf.return_value(['rate-limit', 'upload'])
-
- pppoe['local_users'].append(user)
-
- conf.set_level(base_path)
-
- if conf.exists(['authentication', 'protocols']):
- auth_mods = {
- 'mschap-v2': 'auth_mschap_v2',
- 'mschap': 'auth_mschap_v1',
- 'chap': 'auth_chap_md5',
- 'pap': 'auth_pap'
- }
-
- pppoe['auth_proto'] = []
- for proto in conf.return_values(['authentication', 'protocols']):
- pppoe['auth_proto'].append(auth_mods[proto])
-
- #
- # authentication mode radius servers and settings
- if conf.exists(['authentication', 'mode', 'radius']):
-
- for server in conf.list_nodes(['authentication', 'radius', 'server']):
- radius = {
- 'server' : server,
- 'key' : '',
- 'fail_time' : 0,
- 'port' : '1812',
- 'acct_port' : '1813'
- }
-
- conf.set_level(base_path + ['authentication', 'radius', 'server', server])
-
- if conf.exists(['fail-time']):
- radius['fail_time'] = conf.return_value(['fail-time'])
-
- if conf.exists(['port']):
- radius['port'] = conf.return_value(['port'])
-
- if conf.exists(['acct-port']):
- radius['acct_port'] = conf.return_value(['acct-port'])
-
- if conf.exists(['key']):
- radius['key'] = conf.return_value(['key'])
-
- if not conf.exists(['disable']):
- pppoe['radius_server'].append(radius)
-
- #
- # advanced radius-setting
- conf.set_level(base_path + ['authentication', 'radius'])
-
- if conf.exists(['acct-interim-jitter']):
- pppoe['radius_acct_inter_jitter'] = conf.return_value(['acct-interim-jitter'])
-
- if conf.exists(['acct-timeout']):
- pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout'])
-
- if conf.exists(['max-try']):
- pppoe['radius_max_try'] = conf.return_value(['max-try'])
-
- if conf.exists(['timeout']):
- pppoe['radius_timeout'] = conf.return_value(['timeout'])
-
- if conf.exists(['nas-identifier']):
- pppoe['radius_nas_id'] = conf.return_value(['nas-identifier'])
-
- if conf.exists(['nas-ip-address']):
- pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address'])
-
- if conf.exists(['preallocate-vif']):
- pppoe['ppp_preallocate_vif'] = True
-
- if conf.exists(['source-address']):
- pppoe['radius_source_address'] = conf.return_value(['source-address'])
-
- # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA)
- if conf.exists(['dynamic-author']):
- dae = {
- 'port' : '',
- 'server' : '',
- 'key' : ''
- }
-
- if conf.exists(['dynamic-author', 'server']):
- dae['server'] = conf.return_value(['dynamic-author', 'server'])
-
- if conf.exists(['dynamic-author', 'port']):
- dae['port'] = conf.return_value(['dynamic-author', 'port'])
-
- if conf.exists(['dynamic-author', 'key']):
- dae['key'] = conf.return_value(['dynamic-author', 'key'])
-
- pppoe['radius_dynamic_author'] = dae
-
- if conf.exists(['called-sid-format']):
- pppoe['radius_called_sid_format'] = conf.return_value(['called-sid-format'])
-
- # RADIUS based rate-limiter
- if conf.exists(['rate-limit', 'enable']):
- pppoe['radius_shaper_attr'] = 'Filter-Id'
- c_attr = ['rate-limit', 'enable', 'attribute']
- if conf.exists(c_attr):
- pppoe['radius_shaper_attr'] = conf.return_value(c_attr)
-
- c_vendor = ['rate-limit', 'enable', 'vendor']
- if conf.exists(c_vendor):
- pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor)
-
- # re-set config level
- conf.set_level(base_path)
-
- if conf.exists(['mtu']):
- pppoe['mtu'] = conf.return_value(['mtu'])
-
- if conf.exists(['session-control']):
- pppoe['sesscrtl'] = conf.return_value(['session-control'])
-
- # ppp_options
- if conf.exists(['ppp-options']):
- conf.set_level(base_path + ['ppp-options'])
-
- if conf.exists(['ccp']):
- pppoe['ppp_ccp'] = True
-
- if conf.exists(['ipv4']):
- pppoe['ppp_ipv4'] = conf.return_value(['ipv4'])
-
- if conf.exists(['ipv6']):
- pppoe['ppp_ipv6'] = conf.return_value(['ipv6'])
-
- if conf.exists(['ipv6-accept-peer-intf-id']):
- pppoe['ppp_ipv6_peer_intf_id'] = True
-
- if conf.exists(['ipv6-intf-id']):
- pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id'])
-
- if conf.exists(['ipv6-peer-intf-id']):
- pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id'])
-
- if conf.exists(['lcp-echo-failure']):
- pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure'])
-
- if conf.exists(['lcp-echo-failure']):
- pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure'])
-
- if conf.exists(['lcp-echo-timeout']):
- pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout'])
-
- if conf.exists(['min-mtu']):
- pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu'])
-
- if conf.exists(['mppe']):
- pppoe['ppp_mppe'] = conf.return_value(['mppe'])
-
- if conf.exists(['mru']):
- pppoe['ppp_mru'] = conf.return_value(['mru'])
-
- if conf.exists(['pado-delay']):
- pppoe['pado_delay'] = '0'
- a = {}
- for id in conf.list_nodes(['pado-delay']):
- if not conf.return_value(['pado-delay', id, 'sessions']):
- a[id] = 0
- else:
- a[id] = conf.return_value(['pado-delay', id, 'sessions'])
-
- for k in sorted(a.keys()):
- if k != sorted(a.keys())[-1]:
- pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k])
- else:
- pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k])
-
+ pppoe = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True)
+ # We have gathered the dict representation of the CLI, but there are default
+ # options which we need to update into the dictionary retrived.
+ default_values = defaults(base)
+
+ # defaults include RADIUS server specifics per TAG node which need to be
+ # added to individual RADIUS servers instead - so we can simply delete them
+ if vyos_dict_search('authentication.radius.server', default_values):
+ del default_values['authentication']['radius']['server']
+ # defaults include static-ip address per TAG node which need to be added to
+ # individual local users instead - so we can simply delete them
+ if vyos_dict_search('authentication.local_users.username', default_values):
+ del default_values['authentication']['local_users']['username']
+
+ pppoe = dict_merge(default_values, pppoe)
+
+ # set CPUs cores to process requests
+ pppoe.update({'thread_count' : get_half_cpus()})
+ # we need to store the path to the secrets file
+ pppoe.update({'chap_secrets_file' : pppoe_chap_secrets})
+
+ if not vyos_dict_search('authentication.protocols', pppoe):
+ if not 'authentication' in pppoe:
+ pppoe.update({'authentication' : ''})
+
+ pppoe['authentication'].update(
+ {'protocols' : ['auth_mschap_v2', 'auth_mschap_v1',
+ 'auth_chap_md5', 'auth_pap']})
+
+ # We can only have two IPv4 and three IPv6 nameservers - also they are
+ # configured in a different way in the configuration, this is why we split
+ # the configuration
+ if 'name_server' in pppoe:
+ for ns in pppoe['name_server']:
+ ns_v4 = []
+ ns_v6 = []
+ if is_ipv4(ns): ns_v4.append(ns)
+ else: ns_v6.append(ns)
+
+ pppoe.update({'name_server_ipv4' : ns_v4, 'name_server_ipv6' : ns_v6})
+ del pppoe['name_server']
+
+ # Add individual RADIUS server default values
+ if vyos_dict_search('authentication.radius.server', pppoe):
+ default_values = defaults(base + ['authentication', 'radius', 'server'])
+
+ for server in vyos_dict_search('authentication.radius.server', pppoe):
+ pppoe['authentication']['radius']['server'][server] = dict_merge(
+ default_values, pppoe['authentication']['radius']['server'][server])
+
+ # Add individual local-user default values
+ if vyos_dict_search('authentication.local_users.username', pppoe):
+ default_values = defaults(base + ['authentication', 'local_users', 'username'])
+
+ for username in vyos_dict_search('authentication.local_users.username', pppoe):
+ pppoe['authentication']['local_users']['username'][username] = dict_merge(
+ default_values, pppoe['authentication']['local_users']['username'][username])
+
+ import pprint
+ pprint.pprint(pppoe)
return pppoe
@@ -402,50 +110,59 @@ def verify(pppoe):
return None
# vertify auth settings
- if pppoe['auth_mode'] == 'local':
- if not pppoe['local_users']:
+ if vyos_dict_search('authentication.mode', pppoe) == 'local':
+ if not vyos_dict_search('authentication.local_users', pppoe):
raise ConfigError('PPPoE local auth mode requires local users to be configured!')
- for user in pppoe['local_users']:
- username = user['name']
- if not user['password']:
- raise ConfigError(f'Password required for local user "{username}"')
+ for user in vyos_dict_search('authentication.local_users.username', pppoe):
+ user_config = pppoe['authentication']['local_users']['username'][user]
- # if up/download is set, check that both have a value
- if user['upload'] and not user['download']:
- raise ConfigError(f'Download speed value required for local user "{username}"')
+ if 'password' not in user_config:
+ raise ConfigError(f'Password required for local user "{user}"')
- if user['download'] and not user['upload']:
- raise ConfigError(f'Upload speed value required for local user "{username}"')
+ if 'rate_limit' in user_config:
+ # if up/download is set, check that both have a value
+ if not {'upload', 'download'} <= set(user_config['rate_limit']):
+ raise ConfigError(f'User "{user}" has rate-limit configured for only one ' \
+ 'direction but both upload and download must be given!')
- elif pppoe['auth_mode'] == 'radius':
- if len(pppoe['radius_server']) == 0:
+ elif vyos_dict_search('authentication.mode', pppoe) == 'radius':
+ if not vyos_dict_search('authentication.radius.server', pppoe):
raise ConfigError('RADIUS authentication requires at least one server')
- for radius in pppoe['radius_server']:
- if not radius['key']:
- server = radius['server']
- raise ConfigError(f'Missing RADIUS secret key for server "{ server }"')
+ for server in vyos_dict_search('authentication.radius.server', pppoe):
+ radius_config = pppoe['authentication']['radius']['server'][server]
+ if 'key' not in radius_config:
+ raise ConfigError(f'Missing RADIUS secret key for server "{server}"')
- if len(pppoe['wins']) > 2:
+ if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
raise ConfigError('Not more then two IPv4 WINS name-servers can be configured')
- if len(pppoe['dnsv4']) > 2:
- raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
+ if 'name_server_ipv4' in pppoe:
+ if len(pppoe['name_server_ipv4']) > 2:
+ raise ConfigError('Not more then two IPv4 DNS name-servers ' \
+ 'can be configured')
- if len(pppoe['dnsv6']) > 3:
- raise ConfigError('Not more then three IPv6 DNS name-servers can be configured')
+ if 'name_server_ipv6' in pppoe:
+ if len(pppoe['name_server_ipv6']) > 2:
+ raise ConfigError('Not more then three IPv6 DNS name-servers ' \
+ 'can be configured')
- if not pppoe['interfaces']:
+ if 'interface' not in pppoe:
raise ConfigError('At least one listen interface must be defined!')
+ if 'local_ip' not in pppoe:
+ raise ConfigError('PPPoE server requires local-ip to be configured!')
+
# local ippool and gateway settings config checks
- if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']:
- if not pppoe['ppp_gw']:
- raise ConfigError('PPPoE server requires local IP to be configured')
+ if not (vyos_dict_search('client_ip_pool.subnet', pppoe) or
+ (vyos_dict_search('client_ip_pool.start', pppoe) and
+ vyos_dict_search('client_ip_pool.stop', pppoe))):
+ print('Warning: No PPPoE client pool defined')
- if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']:
- print("Warning: No PPPoE client pool defined")
+ if vyos_dict_search('authentication.radius.dynamic_author.server', pppoe):
+ if not vyos_dict_search('authentication.radius.dynamic_author.key', pppoe):
+ raise ConfigError('DA/CoE server key required!')
return None
@@ -456,12 +173,11 @@ def generate(pppoe):
render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe, trim_blocks=True)
- if pppoe['local_users']:
- render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pppoe, trim_blocks=True)
- os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP)
+ if vyos_dict_search('authentication.mode', pppoe) == 'local':
+ render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.pppoe.tmpl', pppoe, trim_blocks=True, permission=0o640)
else:
if os.path.exists(pppoe_chap_secrets):
- os.unlink(pppoe_chap_secrets)
+ os.unlink(pppoe_chap_secrets)
return None