diff options
| author | Christian Poessinger <christian@poessinger.com> | 2020-04-18 14:33:57 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2020-04-18 14:33:57 +0200 |
| commit | 56fb2cf15b765efdad77c111bbd5294f296d7223 (patch) | |
| tree | 244c66d2e4f9b576f784fbad6d0a0c100521cb99 /src/conf_mode | |
| parent | 8d8fea6428cf7687757f14592cc345bf0804b993 (diff) | |
| parent | 267b3213ef0e6ac4501470bef797796276879421 (diff) | |
| download | vyos-1x-56fb2cf15b765efdad77c111bbd5294f296d7223.tar.gz vyos-1x-56fb2cf15b765efdad77c111bbd5294f296d7223.zip | |
Merge branch 'pppoe-server-update' of github.com:c-po/vyos-1x into current
* 'pppoe-server-update' of github.com:c-po/vyos-1x:
accel-ppp: T2314: use common tempplate for chap-secrets
pppoe-server: T2314: migrate IPv6 to common CLI nodes with embeeded validation
pppoe-server: T2313: bugfix Floating Point Exception
pppoe-server: T2314: migrate RADIUS configuration to common CLI syntax
vpn: l2tp: pptp: sstp: rename files to common pattern
pppoe-server: T2314: migrate IPv4/IPv6 name-servers to common node
vpn: l2tp: sstp: ease unlinking of configuration files
pppoe-server: T2314: remove boilerplate code and adjust
pppoe-server: T2185: migrate from SysVinit to systemd
Diffstat (limited to 'src/conf_mode')
| -rwxr-xr-x | src/conf_mode/service-pppoe.py | 428 | ||||
| -rwxr-xr-x | src/conf_mode/service_pppoe-server.py | 456 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_l2tp.py | 15 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_pptp.py (renamed from src/conf_mode/vpn-pptp.py) | 0 | ||||
| -rwxr-xr-x | src/conf_mode/vpn_sstp.py | 38 |
5 files changed, 482 insertions, 455 deletions
diff --git a/src/conf_mode/service-pppoe.py b/src/conf_mode/service-pppoe.py deleted file mode 100755 index a96249199..000000000 --- a/src/conf_mode/service-pppoe.py +++ /dev/null @@ -1,428 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018-2020 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import os -import re - -from socket import socket, AF_INET, SOCK_STREAM -from sys import exit -from time import sleep - -from vyos.config import Config -from vyos import ConfigError -from vyos.util import run -from vyos.template import render - - -pidfile = r'/var/run/accel_pppoe.pid' -pppoe_cnf_dir = r'/etc/accel-ppp/pppoe' -chap_secrets = pppoe_cnf_dir + '/chap-secrets' -pppoe_conf = pppoe_cnf_dir + '/pppoe.config' -# accel-pppd -d -c /etc/accel-ppp/pppoe/pppoe.config -p -# /var/run/accel_pppoe.pid - -# config path creation -if not os.path.exists(pppoe_cnf_dir): - os.makedirs(pppoe_cnf_dir) - -# -# depending on hw and threads, daemon needs a little to start -# if it takes longer than 100 * 0.5 secs, exception is being raised -# not sure if that's the best way to check it, but it worked so far quite well -# -def _chk_con(): - cnt = 0 - s = socket(AF_INET, SOCK_STREAM) - while True: - try: - s.connect(("127.0.0.1", 2001)) - break - except ConnectionRefusedError: - sleep(0.5) - cnt += 1 - if cnt == 100: - raise("failed to start pppoe server") - - -def _accel_cmd(command): - return run(f'/usr/bin/accel-cmd {command}') - - -def get_config(): - c = Config() - if not c.exists('service pppoe-server'): - return None - - config_data = { - 'concentrator': 'vyos-ac', - 'authentication': { - 'local-users': { - }, - 'mode': 'local', - 'radiussrv': {}, - 'radiusopt': {} - }, - 'client_ip_pool': '', - 'client_ip_subnets': [], - 'client_ipv6_pool': {}, - 'interface': {}, - 'ppp_gw': '', - 'svc_name': [], - 'dns': [], - 'dnsv6': [], - 'wins': [], - 'mtu': '1492', - 'ppp_options': {}, - 'limits': {}, - 'snmp': 'disable', - 'sesscrtl': 'replace', - 'pado_delay': '' - } - - c.set_level(['service', 'pppoe-server']) - # general options - if c.exists(['access-concentrator']): - config_data['concentrator'] = c.return_value(['access-concentrator']) - if c.exists(['service-name']): - config_data['svc_name'] = c.return_values(['service-name']) - if c.exists(['interface']): - for intfc in c.list_nodes(['interface']): - config_data['interface'][intfc] = {'vlans': []} - if c.exists(['interface', intfc, 'vlan-id']): - config_data['interface'][intfc]['vlans'] += c.return_values( - ['interface', intfc, 'vlan-id']) - if c.exists(['interface', intfc, 'vlan-range']): - config_data['interface'][intfc]['vlans'] += c.return_values( - ['interface', intfc, 'vlan-range']) - if c.exists(['local-ip']): - config_data['ppp_gw'] = c.return_value(['local-ip']) - if c.exists(['dns-servers']): - if c.return_value(['dns-servers', 'server-1']): - config_data['dns'].append( - c.return_value(['dns-servers', 'server-1'])) - if c.return_value(['dns-servers', 'server-2']): - config_data['dns'].append( - c.return_value(['dns-servers', 'server-2'])) - if c.exists(['dnsv6-servers']): - if c.return_value(['dnsv6-servers', 'server-1']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-1'])) - if c.return_value(['dnsv6-servers', 'server-2']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-2'])) - if c.return_value(['dnsv6-servers', 'server-3']): - config_data['dnsv6'].append( - c.return_value(['dnsv6-servers', 'server-3'])) - if c.exists(['wins-servers']): - if c.return_value(['wins-servers', 'server-1']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-1'])) - if c.return_value(['wins-servers', 'server-2']): - config_data['wins'].append( - c.return_value(['wins-servers', 'server-2'])) - if c.exists(['client-ip-pool']): - if c.exists(['client-ip-pool', 'start']): - config_data['client_ip_pool'] = c.return_value( - ['client-ip-pool start']) - if c.exists(['client-ip-pool stop']): - config_data['client_ip_pool'] += '-' + re.search( - '[0-9]+$', c.return_value(['client-ip-pool', 'stop'])).group(0) - else: - raise ConfigError('client ip pool stop required') - if c.exists(['client-ip-pool', 'subnet']): - config_data['client_ip_subnets'] = c.return_values( - ['client-ip-pool', 'subnet']) - if c.exists(['client-ipv6-pool', 'prefix']): - config_data['client_ipv6_pool'][ - 'prefix'] = c.return_values(['client-ipv6-pool', 'prefix']) - if c.exists(['client-ipv6-pool', 'delegate-prefix']): - config_data['client_ipv6_pool']['delegate-prefix'] = c.return_values( - ['client-ipv6-pool', 'delegate-prefix']) - if c.exists(['limits']): - if c.exists(['limits', 'burst']): - config_data['limits']['burst'] = str( - c.return_value(['limits', 'burst'])) - if c.exists(['limits', 'timeout']): - config_data['limits']['timeout'] = str( - c.return_value(['limits', 'timeout'])) - if c.exists(['limits', 'connection-limit']): - config_data['limits']['conn-limit'] = str( - c.return_value(['limits', 'connection-limit'])) - if c.exists(['snmp']): - config_data['snmp'] = 'enable' - if c.exists(['snmp', 'master-agent']): - config_data['snmp'] = 'enable-ma' - - # authentication mode local - if not c.exists(['authentication', 'mode']): - raise ConfigError('pppoe-server authentication mode required') - - if c.exists(['authentication', 'mode', 'local']): - if c.exists(['authentication', 'local-users', 'username']): - for usr in c.list_nodes(['authentication', 'local-users', 'username']): - config_data['authentication']['local-users'].update( - { - usr: { - 'passwd': None, - 'state': 'enabled', - 'ip': '*', - 'upload': None, - 'download': None - } - } - ) - if c.exists(['authentication', 'local-users', 'username', usr, 'password']): - config_data['authentication']['local-users'][usr]['passwd'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'password']) - if c.exists(['authentication', 'local-users', 'username', usr, 'disable']): - config_data['authentication'][ - 'local-users'][usr]['state'] = 'disable' - if c.exists(['authentication', 'local-users', 'username', usr, 'static-ip']): - config_data['authentication']['local-users'][usr]['ip'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'static-ip']) - if c.exists(['authentication', 'local-users', 'username', usr, 'rate-limit', 'download']): - config_data['authentication']['local-users'][usr]['download'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'rate-limit', 'download']) - if c.exists(['authentication', 'local-users', 'username', usr, 'rate-limit', 'upload']): - config_data['authentication']['local-users'][usr]['upload'] = c.return_value( - ['authentication', 'local-users', 'username', usr, 'rate-limit', 'upload']) - - # authentication mode radius servers and settings - - if c.exists(['authentication', 'mode', 'radius']): - config_data['authentication']['mode'] = 'radius' - rsrvs = c.list_nodes(['authentication', 'radius-server']) - for rsrv in rsrvs: - if c.return_value(['authentication', 'radius-server', rsrv, 'fail-time']) == None: - ftime = '0' - else: - ftime = str( - c.return_value(['authentication', 'radius-server', rsrv, 'fail-time'])) - if c.return_value(['authentication', 'radius-server', rsrv, 'req-limit']) == None: - reql = '0' - else: - reql = str( - c.return_value(['authentication', 'radius-server', rsrv, 'req-limit'])) - config_data['authentication']['radiussrv'].update( - { - rsrv: { - 'secret': c.return_value(['authentication', 'radius-server', rsrv, 'secret']), - 'fail-time': ftime, - 'req-limit': reql - } - } - ) - - # advanced radius-setting - if c.exists(['authentication', 'radius-settings']): - if c.exists(['authentication', 'radius-settings', 'acct-timeout']): - config_data['authentication']['radiusopt']['acct-timeout'] = c.return_value( - ['authentication', 'radius-settings', 'acct-timeout']) - if c.exists(['authentication', 'radius-settings', 'max-try']): - config_data['authentication']['radiusopt'][ - 'max-try'] = c.return_value(['authentication', 'radius-settings', 'max-try']) - if c.exists(['authentication', 'radius-settings', 'timeout']): - config_data['authentication']['radiusopt'][ - 'timeout'] = c.return_value(['authentication', 'radius-settings', 'timeout']) - if c.exists(['authentication', 'radius-settings', 'nas-identifier']): - config_data['authentication']['radiusopt']['nas-id'] = c.return_value( - ['authentication', 'radius-settings', 'nas-identifier']) - if c.exists(['authentication', 'radius-settings', 'nas-ip-address']): - config_data['authentication']['radiusopt']['nas-ip'] = c.return_value( - ['authentication', 'radius-settings', 'nas-ip-address']) - if c.exists(['authentication', 'radius-settings', 'dae-server']): - config_data['authentication']['radiusopt'].update( - { - 'dae-srv': { - 'ip-addr': c.return_value(['authentication', 'radius-settings', 'dae-server', 'ip-address']), - 'port': c.return_value(['authentication', 'radius-settings', 'dae-server', 'port']), - 'secret': str(c.return_value(['authentication', 'radius-settings', 'dae-server', 'secret'])) - } - } - ) - # filter-id is the internal accel default if attribute is empty - # set here as default for visibility which may change in the future - if c.exists(['authentication', 'radius-settings', 'rate-limit', 'enable']): - if not c.exists(['authentication', 'radius-settings', 'rate-limit', 'attribute']): - config_data['authentication']['radiusopt']['shaper'] = { - 'attr': 'Filter-Id' - } - else: - config_data['authentication']['radiusopt']['shaper'] = { - 'attr': c.return_value(['authentication', 'radius-settings', 'rate-limit', 'attribute']) - } - if c.exists(['authentication', 'radius-settings', 'rate-limit', 'vendor']): - config_data['authentication']['radiusopt']['shaper'][ - 'vendor'] = c.return_value(['authentication', 'radius-settings', 'rate-limit', 'vendor']) - - if c.exists(['mtu']): - config_data['mtu'] = c.return_value(['mtu']) - - # ppp_options - ppp_options = {} - if c.exists(['ppp-options']): - if c.exists(['ppp-options', 'ccp']): - ppp_options['ccp'] = c.return_value(['ppp-options', 'ccp']) - if c.exists(['ppp-options', 'min-mtu']): - ppp_options['min-mtu'] = c.return_value(['ppp-options', 'min-mtu']) - if c.exists(['ppp-options', 'mru']): - ppp_options['mru'] = c.return_value(['ppp-options', 'mru']) - if c.exists(['ppp-options', 'mppe deny']): - ppp_options['mppe'] = 'deny' - if c.exists(['ppp-options', 'mppe', 'require']): - ppp_options['mppe'] = 'require' - if c.exists(['ppp-options', 'mppe', 'prefer']): - ppp_options['mppe'] = 'prefer' - if c.exists(['ppp-options', 'lcp-echo-failure']): - ppp_options['lcp-echo-failure'] = c.return_value( - ['ppp-options', 'lcp-echo-failure']) - if c.exists(['ppp-options', 'lcp-echo-interval']): - ppp_options['lcp-echo-interval'] = c.return_value( - ['ppp-options', 'lcp-echo-interval']) - if c.exists(['ppp-options', 'ipv4']): - ppp_options['ipv4'] = c.return_value(['ppp-options', 'ipv4']) - if c.exists(['ppp-options', 'ipv6']): - ppp_options['ipv6'] = c.return_value(['ppp-options', 'ipv6']) - if c.exists(['ppp-options', 'ipv6-accept-peer-intf-id']): - ppp_options['ipv6-accept-peer-intf-id'] = 1 - if c.exists(['ppp-options', 'ipv6-intf-id']): - ppp_options['ipv6-intf-id'] = c.return_value( - ['ppp-options', 'ipv6-intf-id']) - if c.exists(['ppp-options', 'ipv6-peer-intf-id']): - ppp_options['ipv6-peer-intf-id'] = c.return_value( - ['ppp-options', 'ipv6-peer-intf-id']) - if c.exists(['ppp-options', 'lcp-echo-timeout']): - ppp_options['lcp-echo-timeout'] = c.return_value( - ['ppp-options', 'lcp-echo-timeout']) - - if len(ppp_options) != 0: - config_data['ppp_options'] = ppp_options - - if c.exists(['session-control']): - config_data['sesscrtl'] = c.return_value(['session-control']) - - if c.exists(['pado-delay']): - config_data['pado_delay'] = '0' - a = {} - for id in c.list_nodes(['pado-delay']): - if not c.return_value(['pado-delay', id, 'sessions']): - a[id] = 0 - else: - a[id] = c.return_value(['pado-delay', id, 'sessions']) - - for k in sorted(a.keys()): - if k != sorted(a.keys())[-1]: - config_data['pado_delay'] += ",{0}:{1}".format(k, a[k]) - else: - config_data['pado_delay'] += ",{0}:{1}".format('-1', a[k]) - - return config_data - - -def verify(c): - if c == None: - return None - # vertify auth settings - if c['authentication']['mode'] == 'local': - if not c['authentication']['local-users']: - raise ConfigError( - 'pppoe-server authentication local-users required') - - for usr in c['authentication']['local-users']: - if not c['authentication']['local-users'][usr]['passwd']: - raise ConfigError('user ' + usr + ' requires a password') - # if up/download is set, check that both have a value - if c['authentication']['local-users'][usr]['upload']: - if not c['authentication']['local-users'][usr]['download']: - raise ConfigError( - 'user ' + usr + ' requires download speed value') - if c['authentication']['local-users'][usr]['download']: - if not c['authentication']['local-users'][usr]['upload']: - raise ConfigError( - 'user ' + usr + ' requires upload speed value') - - if c['authentication']['mode'] == 'radius': - if len(c['authentication']['radiussrv']) == 0: - raise ConfigError('radius server required') - for rsrv in c['authentication']['radiussrv']: - if c['authentication']['radiussrv'][rsrv]['secret'] == None: - raise ConfigError( - 'radius server ' + rsrv + ' needs a secret configured') - - # local ippool and gateway settings config checks - - if c['client_ip_subnets'] or c['client_ip_pool']: - if not c['ppp_gw']: - raise ConfigError('pppoe-server local-ip required') - - if c['ppp_gw'] and not c['client_ip_subnets'] and not c['client_ip_pool']: - print ("Warning: No pppoe client IPv4 pool defined") - - -def generate(c): - if c == None: - return None - - # accel-cmd reload doesn't work so any change results in a restart of the - # daemon - try: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count() / 2) - except KeyError: - if os.cpu_count() == 1: - c['thread_cnt'] = 1 - else: - c['thread_cnt'] = int(os.cpu_count() / 2) - - render(pppoe_conf, 'pppoe-server/pppoe.config.tmpl', c, trim_blocks=True) - - if c['authentication']['local-users']: - old_umask = os.umask(0o077) - render(chap_secrets, 'pppoe-server/chap-secrets.tmpl', c, trim_blocks=True) - os.umask(old_umask) - - return c - - -def apply(c): - if c == None: - if os.path.exists(pidfile): - _accel_cmd('shutdown hard') - if os.path.exists(pidfile): - os.remove(pidfile) - return None - - if not os.path.exists(pidfile): - ret = run(f'/usr/sbin/accel-pppd -c {pppoe_conf} -p {pidfile} -d') - _chk_con() - if ret != 0 and os.path.exists(pidfile): - os.remove(pidfile) - raise ConfigError('accel-pppd failed to start') - else: - _accel_cmd('restart') - - -if __name__ == '__main__': - try: - c = get_config() - verify(c) - generate(c) - apply(c) - except ConfigError as e: - print(e) - exit(1) diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py new file mode 100755 index 000000000..13d0b1920 --- /dev/null +++ b/src/conf_mode/service_pppoe-server.py @@ -0,0 +1,456 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018-2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import re + +from copy import deepcopy +from stat import S_IRUSR, S_IWUSR, S_IRGRP +from sys import exit + +from vyos.config import Config +from vyos.template import render +from vyos.util import call +from vyos.validate import is_ipv4 +from vyos import ConfigError + +pppoe_conf = r'/run/accel-pppd/pppoe.conf' +pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets' + +default_config_data = { + 'auth_mode': 'local', + 'chap_secrets_file': pppoe_chap_secrets, # used in Jinja2 template + 'client_ip_pool': '', + 'client_ip_subnets': [], + 'client_ipv6_pool': [], + 'client_ipv6_delegate_prefix': [], + 'concentrator': 'vyos-ac', + 'interfaces': [], + 'local_users' : [], + + 'svc_name': [], + 'dnsv4': [], + 'dnsv6': [], + 'wins': [], + 'mtu': '1492', + + 'limits_burst': '', + 'limits_connections': '', + 'limits_timeout': '', + + 'pado_delay': '', + 'ppp_ccp': False, + 'ppp_gw': '', + 'ppp_ipv4': '', + 'ppp_ipv6': '', + 'ppp_ipv6_accept_peer_intf_id': False, + 'ppp_ipv6_intf_id': '', + 'ppp_ipv6_peer_intf_id': '', + 'ppp_echo_failure': '3', + 'ppp_echo_interval': '30', + 'ppp_echo_timeout': '0', + 'ppp_min_mtu': '', + 'ppp_mppe': 'prefer', + 'ppp_mru': '', + + 'radius_server': [], + 'radius_acct_tmo': '3', + 'radius_max_try': '3', + 'radius_timeout': '3', + 'radius_nas_id': '', + 'radius_nas_ip': '', + 'radius_source_address': '', + 'radius_shaper_attr': '', + 'radius_shaper_vendor': '', + 'radius_dynamic_author': '', + 'sesscrtl': 'replace', + 'snmp': False, +} + +def get_config(): + conf = Config() + base_path = ['service', 'pppoe-server'] + if not conf.exists(base_path): + return None + + conf.set_level(base_path) + pppoe = deepcopy(default_config_data) + + cpu = os.cpu_count() + if cpu > 1: + pppoe['thread_cnt'] = int(cpu/2) + + # general options + if conf.exists(['access-concentrator']): + pppoe['concentrator'] = conf.return_value(['access-concentrator']) + + if conf.exists(['service-name']): + pppoe['svc_name'] = conf.return_values(['service-name']) + + if conf.exists(['interface']): + for interface in conf.list_nodes(['interface']): + conf.set_level(base_path + ['interface', interface]) + tmp = { + 'name': interface, + 'vlans': [] + } + + if conf.exists(['vlan-id']): + tmp['vlans'] += conf.return_values(['vlan-id']) + + if conf.exists(['vlan-range']): + tmp['vlans'] += conf.return_values(['vlan-range']) + + pppoe['interfaces'].append(tmp) + + conf.set_level(base_path) + + if conf.exists(['local-ip']): + pppoe['ppp_gw'] = conf.return_value(['local-ip']) + + if conf.exists(['name-server']): + for name_server in conf.return_values(['name-server']): + if is_ipv4(name_server): + pppoe['dnsv4'].append(name_server) + else: + pppoe['dnsv6'].append(name_server) + + if conf.exists(['wins-server']): + pppoe['wins'] = conf.return_values(['wins-server']) + + + if conf.exists(['client-ip-pool']): + if conf.exists(['client-ip-pool', 'start']) and conf.exists(['client-ip-pool', 'stop']): + start = conf.return_value(['client-ip-pool', 'start']) + stop = conf.return_value(['client-ip-pool', 'stop']) + pppoe['client_ip_pool'] = start + '-' + re.search('[0-9]+$', stop).group(0) + + if conf.exists(['client-ip-pool', 'subnet']): + pppoe['client_ip_subnets'] = conf.return_values(['client-ip-pool', 'subnet']) + + + if conf.exists(['client-ipv6-pool', 'prefix']): + for prefix in conf.list_nodes(['client-ipv6-pool', 'prefix']): + tmp = { + 'prefix': prefix, + 'mask': '64' + } + + if conf.exists(['client-ipv6-pool', 'prefix', prefix, 'mask']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'prefix', prefix, 'mask']) + + pppoe['client_ipv6_pool'].append(tmp) + + + if conf.exists(['client-ipv6-pool', 'delegate']): + for prefix in conf.list_nodes(['client-ipv6-pool', 'delegate']): + tmp = { + 'prefix': prefix, + 'mask': '' + } + + if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): + tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) + + pppoe['client_ipv6_delegate_prefix'].append(tmp) + + + if conf.exists(['limits']): + if conf.exists(['limits', 'burst']): + pppoe['limits_burst'] = conf.return_value(['limits', 'burst']) + + if conf.exists(['limits', 'connection-limit']): + pppoe['limits_connections'] = conf.return_value(['limits', 'connection-limit']) + + if conf.exists(['limits', 'timeout']): + pppoe['limits_timeout'] = conf.return_value(['limits', 'timeout']) + + + if conf.exists(['snmp']): + pppoe['snmp'] = True + + if conf.exists(['snmp', 'master-agent']): + pppoe['snmp'] = 'enable-ma' + + # authentication mode local + if conf.exists(['authentication', 'mode']): + pppoe['auth_mode'] = conf.return_value(['authentication', 'mode']) + + if conf.exists(['authentication', 'local-users']): + for username in conf.list_nodes(['authentication', 'local-users', 'username']): + user = { + 'name' : username, + 'password' : '', + 'state' : 'enabled', + 'ip' : '*', + 'upload' : None, + 'download' : None + } + conf.set_level(base_path + ['authentication', 'local-users', 'username', username]) + + if conf.exists(['password']): + user['password'] = conf.return_value(['password']) + + if conf.exists(['disable']): + user['state'] = 'disable' + + if conf.exists(['static-ip']): + user['ip'] = conf.return_value(['static-ip']) + + if conf.exists(['rate-limit', 'download']): + user['download'] = conf.return_value(['rate-limit', 'download']) + + if conf.exists(['rate-limit', 'upload']): + user['upload'] = conf.return_value(['rate-limit', 'upload']) + + pppoe['local_users'].append(user) + + conf.set_level(base_path) + # + # authentication mode radius servers and settings + if conf.exists(['authentication', 'mode', 'radius']): + + for server in conf.list_nodes(['authentication', 'radius', 'server']): + radius = { + 'server' : server, + 'key' : '', + 'fail_time' : 0, + 'port' : '1812' + } + + conf.set_level(base_path + ['authentication', 'radius', 'server', server]) + + if conf.exists(['fail-time']): + radius['fail-time'] = conf.return_value(['fail-time']) + + if conf.exists(['port']): + radius['port'] = conf.return_value(['port']) + + if conf.exists(['key']): + radius['key'] = conf.return_value(['key']) + + if not conf.exists(['disable']): + pppoe['radius_server'].append(radius) + + # + # advanced radius-setting + conf.set_level(base_path + ['authentication', 'radius']) + + if conf.exists(['acct-timeout']): + pppoe['radius_acct_tmo'] = conf.return_value(['acct-timeout']) + + if conf.exists(['max-try']): + pppoe['radius_max_try'] = conf.return_value(['max-try']) + + if conf.exists(['timeout']): + pppoe['radius_timeout'] = conf.return_value(['timeout']) + + if conf.exists(['nas-identifier']): + pppoe['radius_nas_id'] = conf.return_value(['nas-identifier']) + + if conf.exists(['nas-ip-address']): + pppoe['radius_nas_ip'] = conf.return_value(['nas-ip-address']) + + if conf.exists(['source-address']): + pppoe['radius_source_address'] = conf.return_value(['source-address']) + + # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) + if conf.exists(['dynamic-author']): + dae = { + 'port' : '', + 'server' : '', + 'key' : '' + } + + if conf.exists(['dynamic-author', 'ip-address']): + dae['server'] = conf.return_value(['dynamic-author', 'ip-address']) + + if conf.exists(['dynamic-author', 'port']): + dae['port'] = conf.return_value(['dynamic-author', 'port']) + + if conf.exists(['dynamic-author', 'secret']): + dae['key'] = conf.return_value(['dynamic-author', 'secret']) + + pppoe['radius_dynamic_author'] = dae + + # RADIUS based rate-limiter + if conf.exists(['rate-limit', 'enable']): + pppoe['radius_shaper_attr'] = 'Filter-Id' + c_attr = ['rate-limit', 'enable', 'attribute'] + if conf.exists(c_attr): + pppoe['radius_shaper_attr'] = conf.return_value(c_attr) + + c_vendor = ['rate-limit', 'enable', 'vendor'] + if conf.exists(c_vendor): + pppoe['radius_shaper_vendor'] = conf.return_value(c_vendor) + + # re-set config level + conf.set_level(base_path) + + if conf.exists(['mtu']): + pppoe['mtu'] = conf.return_value(['mtu']) + + if conf.exists(['session-control']): + pppoe['session_control'] = conf.return_value(['session-control']) + + # ppp_options + if conf.exists(['ppp-options']): + conf.set_level(base_path + ['ppp-options']) + + if conf.exists(['ccp']): + pppoe['ppp_ccp'] = True + + if conf.exists(['ipv4']): + pppoe['ppp_ipv4'] = conf.return_value(['ipv4']) + + if conf.exists(['ipv6']): + pppoe['ppp_ipv6'] = conf.return_value(['ipv6']) + + if conf.exists(['ipv6-accept-peer-intf-id']): + pppoe['ppp_ipv6_peer_intf_id'] = True + + if conf.exists(['ipv6-intf-id']): + pppoe['ppp_ipv6_intf_id'] = conf.return_value(['ipv6-intf-id']) + + if conf.exists(['ipv6-peer-intf-id']): + pppoe['ppp_ipv6_peer_intf_id'] = conf.return_value(['ipv6-peer-intf-id']) + + if conf.exists(['lcp-echo-failure']): + pppoe['ppp_echo_failure'] = conf.return_value(['lcp-echo-failure']) + + if conf.exists(['lcp-echo-failure']): + pppoe['ppp_echo_interval'] = conf.return_value(['lcp-echo-failure']) + + if conf.exists(['lcp-echo-timeout']): + pppoe['ppp_echo_timeout'] = conf.return_value(['lcp-echo-timeout']) + + if conf.exists(['min-mtu']): + pppoe['ppp_min_mtu'] = conf.return_value(['min-mtu']) + + if conf.exists(['mppe']): + pppoe['ppp_mppe'] = conf.return_value(['mppe']) + + if conf.exists(['mru']): + pppoe['ppp_mru'] = conf.return_value(['mru']) + + if conf.exists(['pado-delay']): + pppoe['pado_delay'] = '0' + a = {} + for id in conf.list_nodes(['pado-delay']): + if not conf.return_value(['pado-delay', id, 'sessions']): + a[id] = 0 + else: + a[id] = conf.return_value(['pado-delay', id, 'sessions']) + + for k in sorted(a.keys()): + if k != sorted(a.keys())[-1]: + pppoe['pado_delay'] += ",{0}:{1}".format(k, a[k]) + else: + pppoe['pado_delay'] += ",{0}:{1}".format('-1', a[k]) + + return pppoe + + +def verify(pppoe): + if not pppoe: + return None + + # vertify auth settings + if pppoe['auth_mode'] == 'local': + if not pppoe['local_users']: + raise ConfigError('PPPoE local auth mode requires local users to be configured!') + + for user in pppoe['local_users']: + username = user['name'] + if not user['password']: + raise ConfigError(f'Password required for local user "{username}"') + + # if up/download is set, check that both have a value + if user['upload'] and not user['download']: + raise ConfigError(f'Download speed value required for local user "{username}"') + + if user['download'] and not user['upload']: + raise ConfigError(f'Upload speed value required for local user "{username}"') + + elif pppoe['auth_mode'] == 'radius': + if len(pppoe['radius_server']) == 0: + raise ConfigError('RADIUS authentication requires at least one server') + + for radius in pppoe['radius_server']: + if not radius['key']: + server = radius['server'] + raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') + + if len(pppoe['wins']) > 2: + raise ConfigError('Not more then two IPv4 WINS name-servers can be configured') + + if len(pppoe['dnsv4']) > 2: + raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + + if len(pppoe['dnsv6']) > 3: + raise ConfigError('Not more then three IPv6 DNS name-servers can be configured') + + # local ippool and gateway settings config checks + if pppoe['client_ip_subnets'] or pppoe['client_ip_pool']: + if not pppoe['ppp_gw']: + raise ConfigError('PPPoE server requires local IP to be configured') + + if pppoe['ppp_gw'] and not pppoe['client_ip_subnets'] and not pppoe['client_ip_pool']: + print("Warning: No PPPoE client pool defined") + + return None + + +def generate(pppoe): + if not pppoe: + return None + + dirname = os.path.dirname(pppoe_conf) + if not os.path.exists(dirname): + os.mkdir(dirname) + + render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', c, trim_blocks=True) + + if pppoe['local_users']: + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.tmpl', c, trim_blocks=True) + os.chmod(pppoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) + else: + if os.path.exists(pppoe_chap_secrets): + os.unlink(pppoe_chap_secrets) + + return None + + +def apply(pppoe): + if not pppoe: + call('systemctl stop accel-ppp@pppoe.service') + for file in [pppoe_conf, pppoe_chap_secrets]: + if os.path.exists(file): + os.unlink(file) + + return None + + call('systemctl restart accel-ppp@pppoe.service') + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index a8b183bef..417520e09 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -252,7 +252,7 @@ def get_config(): 'mask': '' } - if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'mask']): + if conf.exists(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']): tmp['mask'] = conf.return_value(['client-ipv6-pool', 'delegate', prefix, 'delegation-prefix']) l2tp['client_ipv6_delegate_prefix'].append(tmp) @@ -348,10 +348,10 @@ def generate(l2tp): if not os.path.exists(dirname): os.mkdir(dirname) - render(l2tp_conf, 'l2tp/l2tp.config.tmpl', c, trim_blocks=True) + render(l2tp_conf, 'accel-ppp/l2tp.config.tmpl', c, trim_blocks=True) if l2tp['auth_mode'] == 'local': - render(l2tp_chap_secrets, 'l2tp/chap-secrets.tmpl', l2tp) + render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', l2tp) os.chmod(l2tp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: @@ -364,12 +364,9 @@ def generate(l2tp): def apply(l2tp): if not l2tp: call('systemctl stop accel-ppp@l2tp.service') - - if os.path.exists(l2tp_conf): - os.unlink(l2tp_conf) - - if os.path.exists(l2tp_chap_secrets): - os.unlink(l2tp_chap_secrets) + for file in [l2tp_chap_secrets, l2tp_conf]: + if os.path.exists(file): + os.unlink(file) return None diff --git a/src/conf_mode/vpn-pptp.py b/src/conf_mode/vpn_pptp.py index 15b80f984..15b80f984 100755 --- a/src/conf_mode/vpn-pptp.py +++ b/src/conf_mode/vpn_pptp.py diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 438731972..9ec352290 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -259,21 +259,22 @@ def verify(sstp): raise ConfigError('SSTP local auth mode requires local users to be configured!') for user in sstp['local_users']: + username = user['name'] if not user['password']: - raise ConfigError(f"Password required for user {user['name']}") + raise ConfigError(f'Password required for local user "{username}"') # if up/download is set, check that both have a value if user['upload'] and not user['download']: - raise ConfigError(f"Download speed value required for user {user['name']}") + raise ConfigError(f'Download speed value required for local user "{username}"') if user['download'] and not user['upload']: - raise ConfigError(f"Upload speed value required for user {user['name']}") + raise ConfigError(f'Upload speed value required for local user "{username}"') if not sstp['client_ip_pool']: - raise ConfigError("Client IP subnet required") + raise ConfigError('Client IP subnet required') if not sstp['client_gateway']: - raise ConfigError("Client gateway IP address required") + raise ConfigError('Client gateway IP address required') if len(sstp['dnsv4']) > 2: raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') @@ -282,21 +283,25 @@ def verify(sstp): raise ConfigError('One or more SSL certificates missing') if not os.path.exists(sstp['ssl_ca']): - raise ConfigError(f"CA cert file {sstp['ssl_ca']} does not exist") + file = sstp['ssl_ca'] + raise ConfigError(f'SSL CA certificate file "{file}" does not exist') if not os.path.exists(sstp['ssl_cert']): - raise ConfigError(f"SSL cert file {sstp['ssl_cert']} does not exist") + file = sstp['ssl_cert'] + raise ConfigError(f'SSL public key file "{file}" does not exist') if not os.path.exists(sstp['ssl_key']): - raise ConfigError(f"SSL key file {sstp['ssl_key']} does not exist") + file = sstp['ssl_key'] + raise ConfigError(f'SSL private key file "{file}" does not exist') if sstp['auth_mode'] == 'radius': if len(sstp['radius_server']) == 0: - raise ConfigError("RADIUS authentication requires at least one server") + raise ConfigError('RADIUS authentication requires at least one server') for radius in sstp['radius_server']: if not radius['key']: - raise ConfigError(f"Missing RADIUS secret for server {{ radius['key'] }}") + server = radius['server'] + raise ConfigError(f'Missing RADIUS secret key for server "{{ server }}"') def generate(sstp): if not sstp: @@ -307,10 +312,10 @@ def generate(sstp): os.mkdir(dirname) # accel-cmd reload doesn't work so any change results in a restart of the daemon - render(sstp_conf, 'sstp/sstp.config.tmpl', sstp, trim_blocks=True) + render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp, trim_blocks=True) if sstp['local_users']: - render(sstp_chap_secrets, 'sstp/chap-secrets.tmpl', sstp, trim_blocks=True) + render(sstp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', sstp, trim_blocks=True) os.chmod(sstp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: if os.path.exists(sstp_chap_secrets): @@ -321,12 +326,9 @@ def generate(sstp): def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') - - if os.path.exists(sstp_conf): - os.unlink(sstp_conf) - - if os.path.exists(sstp_chap_secrets): - os.unlink(sstp_chap_secrets) + for file in [sstp_chap_secrets, sstp_conf]: + if os.path.exists(file): + os.unlink(file) return None |