summaryrefslogtreecommitdiff
path: root/src/conf_mode/ipoe_server.py
diff options
context:
space:
mode:
authorhagbard <vyosdev@derith.de>2019-06-24 11:03:43 -0700
committerhagbard <vyosdev@derith.de>2019-06-27 10:43:03 -0700
commit1027d1c622f9d0e6a062fa1119c8bffbf12151fb (patch)
tree8a0b859ac776898ccb32d12d98900025a91f84ac /src/conf_mode/ipoe_server.py
parent745355d412ec1cd7de4303e19474d1b7c4f84489 (diff)
downloadvyos-1x-1027d1c622f9d0e6a062fa1119c8bffbf12151fb.tar.gz
vyos-1x-1027d1c622f9d0e6a062fa1119c8bffbf12151fb.zip
[IPoE] T989 - IPoE implementation
* chap-secrets file generation * noauth in accel config as option * local auth with csid implemented * radius implementation * shaper per user implemented * op comands for stats
Diffstat (limited to 'src/conf_mode/ipoe_server.py')
-rwxr-xr-xsrc/conf_mode/ipoe_server.py325
1 files changed, 325 insertions, 0 deletions
diff --git a/src/conf_mode/ipoe_server.py b/src/conf_mode/ipoe_server.py
new file mode 100755
index 000000000..39f0cb279
--- /dev/null
+++ b/src/conf_mode/ipoe_server.py
@@ -0,0 +1,325 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2018 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import re
+import time
+import socket
+import subprocess
+import jinja2
+import syslog as sl
+
+from vyos.config import Config
+from vyos import ConfigError
+
+ipoe_cnf_dir = r'/etc/accel-ppp/ipoe'
+ipoe_cnf = ipoe_cnf_dir + r'/ipoe.config'
+
+pidfile = r'/var/run/accel_ipoe.pid'
+cmd_port = r'2002'
+
+chap_secrets = ipoe_cnf_dir + '/chap-secrets'
+## accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p /var/run/accel_pppoe.pid
+
+ipoe_config = '''
+### generated by ipoe.py ###
+[modules]
+log_syslog
+ippool
+ipoe
+shaper
+{% if auth == 'radius' %}
+radius
+{% endif -%}
+{% if auth == 'local' %}
+chap-secrets
+{% endif %}
+
+[core]
+thread-count={{thread_cnt}}
+
+[log]
+syslog=accel-ipoe,daemon
+copy=1
+level=5
+
+[ipoe]
+verbose=1
+{% for intfc in interfaces %}
+interface={{intfc}},\
+shared={{interfaces[intfc]['shared']}},\
+mode={{interfaces[intfc]['mode']}},\
+ifcfg={{interfaces[intfc]['ifcfg']}},\
+range={{interfaces[intfc]['range']}},\
+start={{interfaces[intfc]['sess_start']}}
+{% endfor %}
+{% if auth == 'noauth' %}
+noauth=1
+{% endif %}
+{% if auth == 'local' %}
+username=ifname
+password=csid
+{% endif %}
+
+{% if (dns['server1']) or (dns['server2']) %}
+[dns]
+{% if dns['server1'] %}
+dns1={{dns['server1']}}
+{% endif -%}
+{% if dns['server2'] %}
+dns2={{dns['server2']}}
+{% endif -%}
+{% endif %}
+
+{% if auth == 'local' %}
+[chap-secrets]
+chap-secrets=/etc/accel-ppp/ipoe/chap-secrets
+{% endif %}
+
+{% if auth == 'radius' %}
+[radius]
+verbose=1
+{% for srv in radius %}
+server={{srv}},{{radius[srv]['secret']}},\
+req-limit={{radius[srv]['req-limit']}},\
+fail-time={{radius[srv]['fail-time']}}
+{% endfor %}
+{% if radsettings['dae-server']['ip-address'] %}
+dae-server={{radsettings['dae-server']['ip-address']}}:{{radsettings['dae-server']['port']}},{{radsettings['dae-server']['secret']}}
+{% endif -%}
+{% if radsettings['acct-timeout'] %}
+acct-timeout={{radsettings['acct-timeout']}}
+{% endif -%}
+{% if radsettings['max-try'] %}
+max-try={{radsettings['max-try']}}
+{% endif -%}
+{% if radsettings['nas-ip-address'] %}
+nas-ip-address={{radsettings['nas-ip-address']}}
+{% endif -%}
+{% if radsettings['nas-identifier'] %}
+nas-identifier={{radsettings['nas-identifier']}}
+{% endif -%}
+{% endif %}
+
+[cli]
+tcp=127.0.0.1:2002
+'''
+
+### pppoe chap secrets
+chap_secrets_conf = '''
+# username server password acceptable local IP addresses shaper
+{% for aifc in auth_if %}
+{% for mac in auth_if[aifc] %}
+{% if (auth_if[aifc][mac]['up']) and (auth_if[aifc][mac]['down']) %}
+{{aifc}}\t*\t{{mac}}\t*\t{{auth_if[aifc][mac]['down']}}/{{auth_if[aifc][mac]['up']}}
+{% else %}
+{{aifc}}\t*\t{{mac}}\t*
+{% endif %}
+{% endfor %}
+{% endfor %}
+'''
+
+##### Inline functions start ####
+### config path creation
+if not os.path.exists(ipoe_cnf_dir):
+ os.makedirs(ipoe_cnf_dir)
+ sl.syslog(sl.LOG_NOTICE, ipoe_cnf_dir + " created")
+
+def get_cpu():
+ cpu_cnt = 1
+ if os.cpu_count() == 1:
+ cpu_cnt = 1
+ else:
+ cpu_cnt = int(os.cpu_count()/2)
+ return cpu_cnt
+
+def chk_con():
+ cnt = 0
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ while True:
+ try:
+ s.connect(("127.0.0.1", int(cmd_port)))
+ break
+ except ConnectionRefusedError:
+ time.sleep(0.5)
+ cnt +=1
+ if cnt == 100:
+ raise("failed to start pppoe server")
+ break
+
+def accel_cmd(cmd=''):
+ if not cmd:
+ return None
+ try:
+ ret = subprocess.check_output(['/usr/bin/accel-cmd', '-p', cmd_port, cmd]).decode().strip()
+ return ret
+ except:
+ return 1
+
+### chap_secrets file if auth mode local
+def gen_chap_secrets(c):
+ tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True)
+ chap_secrets_txt = tmpl.render(c)
+ old_umask = os.umask(0o077)
+ open(chap_secrets,'w').write(chap_secrets_txt)
+ os.umask(old_umask)
+ sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written')
+
+##### Inline functions end ####
+
+def get_config():
+ c = Config()
+ if not c.exists('service ipoe-server'):
+ return None
+
+ config_data = {}
+
+ c.set_level('service ipoe-server')
+ for intfc in c.list_nodes('interface'):
+ config_data.update(
+ {
+ 'interfaces' : {
+ intfc : {
+ 'mode' : 'L2',
+ 'shared' : '1',
+ 'sess_start' : 'dhcpv4', ### may need a conifg option, can be dhcpv4 or up for unclassified pkts
+ 'range' : '',
+ 'ifcfg' : '1'
+ }
+ },
+ 'dns' : {
+ 'server1' : None,
+ 'server2' : None
+ },
+ 'auth' : 'noauth',
+ 'auth_if' : {},
+ 'radius' : {},
+ 'radsettings' : {
+ 'dae-server' : {}
+ }
+ }
+ )
+
+ if c.exists('interface ' + intfc + ' network-mode'):
+ config_data['interfaces'][intfc]['mode'] = c.return_value('interface ' + intfc + ' network-mode')
+ if c.return_value('interface ' + intfc + ' network') == 'vlan':
+ config_data['interfaces'][intfc]['shared'] = '0'
+ if c.exists('interface ' + intfc + ' client-subnet'):
+ config_data['interfaces'][intfc]['range'] = c.return_value('interface ' + intfc + ' client-subnet')
+ if c.exists('dns-server server-1'):
+ config_data['dns']['server1'] = c.return_value('dns-server server-1')
+ if c.exists('dns-server server-2'):
+ config_data['dns']['server2'] = c.return_value('dns-server server-2')
+ if not c.exists('authentication mode noauth'):
+ config_data['auth'] = c.return_value('authentication mode')
+ if c.exists('authentication mode local'):
+ for auth_int in c.list_nodes('authentication interface'):
+ for mac in c.list_nodes('authentication interface ' + auth_int + ' mac-address'):
+ config_data['auth_if'][auth_int] = {}
+ if c.exists('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit'):
+ config_data['auth_if'][auth_int][mac] = {}
+ config_data['auth_if'][auth_int][mac]['up'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit upload')
+ config_data['auth_if'][auth_int][mac]['down'] = c.return_value('authentication interface ' + auth_int + ' mac-address ' + mac + ' rate-limit download')
+ else:
+ config_data['auth_if'][auth_int][mac] = {}
+ config_data['auth_if'][auth_int][mac]['up'] = None
+ config_data['auth_if'][auth_int][mac]['down'] = None
+ if c.exists('authentication mode radius'):
+ for rsrv in c.list_nodes('authentication radius-server'):
+ config_data['radius'][rsrv] = {}
+ if c.exists('authentication radius-server ' + rsrv + ' secret'):
+ config_data['radius'][rsrv]['secret'] = c.return_value('authentication radius-server ' + rsrv + ' secret')
+ if c.exists('authentication radius-server ' + rsrv + ' fail-time'):
+ config_data['radius'][rsrv]['fail-time'] = c.return_value('authentication radius-server ' + rsrv + ' fail-time')
+ else:
+ config_data['radius'][rsrv]['fail-time'] = '0'
+ if c.exists('authentication radius-server ' + rsrv + ' req-limit'):
+ config_data['radius'][rsrv]['req-limit'] = c.return_value('authentication radius-server ' + rsrv + ' req-limit')
+ else:
+ config_data['radius'][rsrv]['req-limit'] = '0'
+ if c.exists('authentication radius-settings'):
+ if c.exists('authentication radius-settings timeout'):
+ config_data['radsettings']['timeout'] = c.return_value('authentication radius-settings timeout')
+ if c.exists('authentication radius-settings nas-ip-address'):
+ config_data['radsettings']['nas-ip-address'] = c.return_value('authentication radius-settings nas-ip-address')
+ if c.exists('authentication radius-settings nas-identifier'):
+ config_data['radsettings']['nas-identifier'] = c.return_value('authentication radius-settings nas-identifier')
+ if c.exists('authentication radius-settings max-try'):
+ config_data['radsettings']['max-try'] = c.return_value('authentication radius-settings max-try')
+ if c.exists('authentication radius-settings acct-timeout'):
+ config_data['radsettings']['acct-timeout'] = c.return_value('authentication radius-settings acct-timeout')
+ if c.exists('authentication radius-settings dae-server ip-address'):
+ config_data['radsettings']['dae-server']['ip-address'] = c.return_value('authentication radius-settings dae-server ip-address')
+ if c.exists('authentication radius-settings dae-server port'):
+ config_data['radsettings']['dae-server']['port'] = c.return_value('authentication radius-settings dae-server port')
+ if c.exists('authentication radius-settings dae-server secret'):
+ config_data['radsettings']['dae-server']['secret'] = c.return_value('authentication radius-settings dae-server secret')
+
+ return config_data
+
+def generate(c):
+ if c == None or not c:
+ return None
+
+ c['thread_cnt'] = get_cpu()
+
+ if c['auth'] == 'local':
+ gen_chap_secrets(c)
+
+ tmpl = jinja2.Template(ipoe_config, trim_blocks=True)
+ config_text = tmpl.render(c)
+
+ open(ipoe_cnf,'w').write(config_text)
+ return c
+
+def verify(c):
+ if c == None or not c:
+ return None
+
+ for intfc in c['interfaces']:
+ if not c['interfaces'][intfc]['range']:
+ raise ConfigError("service ipoe-server interface eth2 client-subnet needs a value")
+
+def apply(c):
+ if c == None:
+ if os.path.exists(pidfile):
+ accel_cmd('shutdown hard')
+ if os.path.exists(pidfile):
+ os.remove(pidfile)
+ return None
+
+ if not os.path.exists(pidfile):
+ ret = subprocess.call(['/usr/sbin/accel-pppd', '-c', ipoe_cnf, '-p', pidfile, '-d'])
+ chk_con()
+ if ret !=0 and os.path.exists(pidfile):
+ os.remove(pidfile)
+ raise ConfigError('accel-pppd failed to start')
+ else:
+ accel_cmd('restart')
+ sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart")
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)