sstp: T2392: add initial IPv6 support

New commands added: * set vpn sstp network-settings client-ipv6-pool prefix 2001:db8::/64 mask 112 * set vpn sstp network-settings client-ipv6-pool delegate 2001:db8:100::/48 delegation-prefix 64
author: Christian Poessinger <christian@poessinger.com> 2020-05-06 21:41:15 +0200
committer: Christian Poessinger <christian@poessinger.com> 2020-05-06 21:43:51 +0200
commit: d55050dcb8806a982b0394dcde00c1814499d9f3 (patch)
tree: 7c2bdd02fe973d8a450be7fbaf6c518eee2efc64
parent: 142a6b99f0da5cf474f03572e1e6c2f8772c77c9 (diff)
download: vyos-1x-d55050dcb8806a982b0394dcde00c1814499d9f3.tar.gz
vyos-1x-d55050dcb8806a982b0394dcde00c1814499d9f3.zip
3 files changed, 62 insertions, 3 deletions
diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl
index c3dc83429..e0a48a44e 100644
--- a/data/templates/accel-ppp/sstp.config.tmpl
+++ b/data/templates/accel-ppp/sstp.config.tmpl
@@ -9,6 +9,9 @@ chap-secrets
 radius
 {% endif -%}
 ippool
+ipv6pool
+ipv6_nd
+ipv6_dhcp
 
 {% for proto in auth_proto %}
 {{proto}}
@@ -87,6 +90,9 @@ check-ip=1
 {% if mtu %}
 mtu={{ mtu }}
 {% endif -%}
+{% if client_ipv6_pool %}
+ipv6=allow
+{% endif %}
 
 {% if ppp_mppe %}
 mppe={{ ppp_mppe }}
@@ -101,6 +107,21 @@ lcp-echo-failure={{ ppp_echo_failure }}
 lcp-echo-timeout={{ ppp_echo_timeout }}
 {% endif %}
 
+{% if client_ipv6_pool %}
+[ipv6-pool]
+{% for p in client_ipv6_pool %}
+{{ p.prefix }},{{ p.mask }}
+{% endfor %}
+{% for p in client_ipv6_delegate_prefix %}
+delegate={{ p.prefix }},{{ p.mask }}
+{% endfor %}
+{% endif %}
+
+{% if client_ipv6_delegate_prefix %}
+[ipv6-dhcp]
+verbose=1
+{% endif %}
+
 {% if radius_shaper_attr %}
 [shaper]
 verbose=1
diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in
index 7e4471015..4ce231e0f 100644
--- a/interface-definitions/vpn_sstp.xml.in
+++ b/interface-definitions/vpn_sstp.xml.in
@@ -220,6 +220,7 @@
                       <multi/>
                 </properties>
               </leafNode>
+              #include <include/accel-client-ipv6-pool.xml.in>
               #include <include/interface-mtu-68-1500.xml.i>
             </children>
           </node>
diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py
index d250cd3b0..6d9496012 100755
--- a/src/conf_mode/vpn_sstp.py
+++ b/src/conf_mode/vpn_sstp.py
@@ -35,7 +35,11 @@ default_config_data = {
     'auth_mode' : 'local',
     'auth_proto' : ['auth_mschap_v2'],
     'chap_secrets_file': sstp_chap_secrets, # used in Jinja2 template
+    'client_ip_pool' : [],
+    'client_ipv6_pool': [],
+    'client_ipv6_delegate_prefix': [],
     'client_gateway': '',
+    'dnsv4' : [],
     'radius_server' : [],
     'radius_acct_tmo' : '3',
     'radius_max_try' : '3',
@@ -49,8 +53,6 @@ default_config_data = {
     'ssl_ca' : '',
     'ssl_cert' : '',
     'ssl_key' : '',
-    'client_ip_pool' : [],
-    'dnsv4' : [],
     'mtu' : '',
     'ppp_mppe' : 'prefer',
     'ppp_echo_failure' : '',
@@ -210,7 +212,7 @@ def get_config():
 
 
     #
-    # read in client ip pool settings
+    # read in client IPv4 pool
     conf.set_level(base_path + ['network-settings', 'client-ip-settings'])
     if conf.exists(['subnet']):
         sstp['client_ip_pool'] = conf.return_values(['subnet'])
@@ -219,6 +221,33 @@ def get_config():
         sstp['client_gateway'] = conf.return_value(['gateway-address'])
 
     #
+    # read in client IPv6 pool
+    conf.set_level(base_path + ['network-settings', 'client-ipv6-pool'])
+    if conf.exists(['prefix']):
+        for prefix in conf.list_nodes(['prefix']):
+            tmp = {
+                'prefix': prefix,
+                'mask': '64'
+            }
+
+            if conf.exists(['prefix', prefix, 'mask']):
+                tmp['mask'] = conf.return_value(['prefix', prefix, 'mask'])
+
+            sstp['client_ipv6_pool'].append(tmp)
+
+    if conf.exists(['delegate']):
+        for prefix in conf.list_nodes(['delegate']):
+            tmp = {
+                'prefix': prefix,
+                'mask': ''
+            }
+
+            if conf.exists(['delegate', prefix, 'delegation-prefix']):
+                tmp['mask'] = conf.return_value(['delegate', prefix, 'delegation-prefix'])
+
+            sstp['client_ipv6_delegate_prefix'].append(tmp)
+
+    #
     # read in network settings
     conf.set_level(base_path + ['network-settings'])
     if conf.exists(['name-server']):
@@ -275,6 +304,14 @@ def verify(sstp):
     if len(sstp['dnsv4']) > 2:
         raise ConfigError('Not more then two IPv4 DNS name-servers can be configured')
 
+    # check ipv6
+    if sstp['client_ipv6_delegate_prefix'] and not sstp['client_ipv6_pool']:
+        raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix')
+
+    for prefix in sstp['client_ipv6_delegate_prefix']:
+        if not prefix['mask']:
+            raise ConfigError('Delegation-prefix required for individual delegated networks')
+
     if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']:
         raise ConfigError('One or more SSL certificates missing')
author	Christian Poessinger <christian@poessinger.com>	2020-05-06 21:41:15 +0200
committer	Christian Poessinger <christian@poessinger.com>	2020-05-06 21:43:51 +0200
commit	d55050dcb8806a982b0394dcde00c1814499d9f3 (patch)
tree	7c2bdd02fe973d8a450be7fbaf6c518eee2efc64
parent	142a6b99f0da5cf474f03572e1e6c2f8772c77c9 (diff)
download	vyos-1x-d55050dcb8806a982b0394dcde00c1814499d9f3.tar.gz vyos-1x-d55050dcb8806a982b0394dcde00c1814499d9f3.zip