-rw-r--r--data/templates/l2tp/chap-secrets.tmpl11
-rw-r--r--data/templates/l2tp/l2tp.config.tmpl173
-rwxr-xr-xsrc/conf_mode/accel_l2tp.py234
3 files changed, 204 insertions, 214 deletions
diff --git a/data/templates/l2tp/chap-secrets.tmpl b/data/templates/l2tp/chap-secrets.tmpl
new file mode 100644
index 000000000..ee47a583e
--- /dev/null
+++ b/data/templates/l2tp/chap-secrets.tmpl
@@ -0,0 +1,11 @@
+# username server password acceptable local IP addresses shaper
+{% for user in authentication['local-users'] %}
+{% if authentication['local-users'][user]['state'] == 'enabled' %}
+{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %}
+{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\
+{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}}
+{% else %}
+{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}
+{% endif %}
+{% endif %}
+{% endfor %}
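Review bot: The `\t` separators and the trailing `\` continuation on the first `{{user}}` line were escape sequences of the Python `'''` literal this template was lifted from; Jinja2 does not interpret backslash escapes in template text, so the rendered chap-secrets now contains a literal backslash-t between fields and a literal backslash followed by a newline before the shaper value. Unless accel-ppp's chap-secrets parser tolerates that (I cannot confirm it from here), users with a rate-limit will no longer be split into `username server password ip shaper` fields and will fail to authenticate. Put real whitespace in the template and keep each entry on one physical line, e.g. `{{user}} * {{authentication['local-users'][user]['passwd']}} {{authentication['local-users'][user]['ip']}} {{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}}` and the same for the no-shaper branch. Since passwords and IPs are interpolated verbatim, it is also worth a one-line template comment noting that a value containing whitespace would shift the fields.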
diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl
new file mode 100644
index 000000000..901b43d01
--- /dev/null
+++ b/data/templates/l2tp/l2tp.config.tmpl
@@ -0,0 +1,173 @@
+### generated by accel_l2tp.py ###
+[modules]
+log_syslog
+l2tp
+chap-secrets
+{% for proto in authentication['auth_proto']: %}
+{{proto}}
+{% endfor%}
+{% if authentication['mode'] == 'radius' %}
+radius
+{% endif -%}
+ippool
+shaper
+ipv6pool
+ipv6_nd
+ipv6_dhcp
+
+[core]
+thread-count={{thread_cnt}}
+
+[log]
+syslog=accel-l2tp,daemon
+copy=1
+level=5
+
+{% if dns %}
+[dns]
+{% if dns[0] %}
+dns1={{dns[0]}}
+{% endif %}
+{% if dns[1] %}
+dns2={{dns[1]}}
+{% endif %}
+{% endif -%}
+
+{% if dnsv6 %}
+[ipv6-dns]
+{% for srv in dnsv6: %}
+{{srv}}
+{% endfor %}
+{% endif %}
+
+{% if wins %}
+[wins]
+{% if wins[0] %}
+wins1={{wins[0]}}
+{% endif %}
+{% if wins[1] %}
+wins2={{wins[1]}}
+{% endif %}
+{% endif -%}
+
+[l2tp]
+verbose=1
+ifname=l2tp%d
+ppp-max-mtu={{mtu}}
+mppe={{authentication['mppe']}}
+{% if outside_addr %}
+bind={{outside_addr}}
+{% endif %}
+{% if lns_shared_secret %}
+secret={{lns_shared_secret}}
+{% endif %}
+
+[client-ip-range]
+0.0.0.0/0
+
+{% if (client_ip_pool) or (client_ip_subnets) %}
+[ip-pool]
+{% if client_ip_pool %}
+{{client_ip_pool}}
+{% endif -%}
+{% if client_ip_subnets %}
+{% for sn in client_ip_subnets %}
+{{sn}}
+{% endfor -%}
+{% endif %}
+{% endif %}
+{% if gateway_address %}
+gw-ip-address={{gateway_address}}
+{% endif %}
+
+{% if authentication['mode'] == 'local' %}
+[chap-secrets]
+chap-secrets=/etc/accel-ppp/l2tp/chap-secrets
+{% if gateway_address %}
+gw-ip-address={{gateway_address}}
+{% endif %}
+{% endif %}
+
+[ppp]
+verbose=1
+check-ip=1
+single-session=replace
+{% if idle_timeout %}
+lcp-echo-timeout={{idle_timeout}}
+{% endif %}
+{% if ppp_options['lcp-echo-interval'] %}
+lcp-echo-interval={{ppp_options['lcp-echo-interval']}}
+{% else %}
+lcp-echo-interval=30
+{% endif %}
+{% if ppp_options['lcp-echo-failure'] %}
+lcp-echo-failure={{ppp_options['lcp-echo-failure']}}
+{% else %}
+lcp-echo-failure=3
+{% endif %}
+{% if ccp_disable %}
+ccp=0
+{% endif %}
+{% if client_ipv6_pool %}
+ipv6=allow
+{% endif %}
+
+{% if authentication['mode'] == 'radius' %}
+[radius]
+{% for rsrv in authentication['radiussrv']: %}
+server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\
+req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\
+fail-time={{authentication['radiussrv'][rsrv]['fail-time']}}
+{% endfor %}
+{% if authentication['radiusopt']['timeout'] %}
+timeout={{authentication['radiusopt']['timeout']}}
+{% endif %}
+{% if authentication['radiusopt']['acct-timeout'] %}
+acct-timeout={{authentication['radiusopt']['acct-timeout']}}
+{% endif %}
+{% if authentication['radiusopt']['max-try'] %}
+max-try={{authentication['radiusopt']['max-try']}}
+{% endif %}
+{% if authentication['radiusopt']['nas-id'] %}
+nas-identifier={{authentication['radiusopt']['nas-id']}}
+{% endif %}
+{% if authentication['radius_source_address'] %}
+nas-ip-address={{authentication['radius_source_address']}}
+{% endif -%}
+{% if authentication['radiusopt']['dae-srv'] %}
+dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\
+{{authentication['radiusopt']['dae-srv']['port']}},\
+{{authentication['radiusopt']['dae-srv']['secret']}}
+{% endif -%}
+gw-ip-address={{gateway_address}}
+verbose=1
+{% endif -%}
+
+{% if client_ipv6_pool %}
+[ipv6-pool]
+{% for prfx in client_ipv6_pool.prefix: %}
+{{prfx}}
+{% endfor %}
+{% for prfx in client_ipv6_pool.delegate_prefix: %}
+delegate={{prfx}}
+{% endfor %}
+{% endif %}
+
+{% if client_ipv6_pool['delegate_prefix'] %}
+[ipv6-dhcp]
+verbose=1
+{% endif %}
+
+{% if authentication['radiusopt']['shaper'] %}
+[shaper]
+verbose=1
+attr={{authentication['radiusopt']['shaper']['attr']}}
+{% if authentication['radiusopt']['shaper']['vendor'] %}
+vendor={{authentication['radiusopt']['shaper']['vendor']}}
+{% endif -%}
+{% endif %}
+
+[cli]
+tcp=127.0.0.1:2004
+sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
+
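Review bot: The `server=` and `dae-server=` directives in the `[radius]` section still end their physical lines with `\` (the `,\` after the shared secret, and again after `req-limit=`/the port), which Python used to fold into one line when this text was a `'''` string; inside a `.tmpl` file Jinja2 leaves the backslash and the line break in place. The generated config would then carry a `server=<host>,<secret>,\` line followed by separate `req-limit=`/`fail-time=` keys, which accel-ppp is unlikely to accept as one server definition, so RADIUS authentication (and DAE) may silently stop working after this migration; please confirm against a rendered file. Collapse each directive onto a single template line, e.g. `server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},fail-time={{authentication['radiussrv'][rsrv]['fail-time']}}` and `dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:{{authentication['radiusopt']['dae-srv']['port']}},{{authentication['radiusopt']['dae-srv']['secret']}}`. Note also that this file embeds the LNS `secret=` and the RADIUS/DAE secrets, so whatever writes it should create it with owner-only permissions.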
diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py
index a7af9cc68..7c879f596 100755
--- a/src/conf_mode/accel_l2tp.py
+++ b/src/conf_mode/accel_l2tp.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2019 VyOS maintainers and contributors
+# Copyright (C) 2019-2020 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -13,19 +13,18 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-#
import sys
import os
import re
import subprocess
-import jinja2
import socket
import time
-import syslog as sl
+
+from jinja2 import FileSystemLoader, Environment
from vyos.config import Config
+from vyos.defaults import directories as vyos_data_dir
from vyos import ConfigError
pidfile = r'/var/run/accel_l2tp.pid'
@@ -37,205 +36,13 @@ l2tp_conf = l2tp_cnf_dir + '/l2tp.config'
### config path creation
if not os.path.exists(l2tp_cnf_dir):
os.makedirs(l2tp_cnf_dir)
- sl.syslog(sl.LOG_NOTICE, l2tp_cnf_dir + " created")
-
-l2tp_config = '''
-### generated by accel_l2tp.py ###
-[modules]
-log_syslog
-l2tp
-chap-secrets
-{% for proto in authentication['auth_proto']: %}
-{{proto}}
-{% endfor%}
-{% if authentication['mode'] == 'radius' %}
-radius
-{% endif -%}
-ippool
-shaper
-ipv6pool
-ipv6_nd
-ipv6_dhcp
-
-[core]
-thread-count={{thread_cnt}}
-
-[log]
-syslog=accel-l2tp,daemon
-copy=1
-level=5
-
-{% if dns %}
-[dns]
-{% if dns[0] %}
-dns1={{dns[0]}}
-{% endif %}
-{% if dns[1] %}
-dns2={{dns[1]}}
-{% endif %}
-{% endif -%}
-
-{% if dnsv6 %}
-[ipv6-dns]
-{% for srv in dnsv6: %}
-{{srv}}
-{% endfor %}
-{% endif %}
-
-{% if wins %}
-[wins]
-{% if wins[0] %}
-wins1={{wins[0]}}
-{% endif %}
-{% if wins[1] %}
-wins2={{wins[1]}}
-{% endif %}
-{% endif -%}
-
-[l2tp]
-verbose=1
-ifname=l2tp%d
-ppp-max-mtu={{mtu}}
-mppe={{authentication['mppe']}}
-{% if outside_addr %}
-bind={{outside_addr}}
-{% endif %}
-{% if lns_shared_secret %}
-secret={{lns_shared_secret}}
-{% endif %}
-
-[client-ip-range]
-0.0.0.0/0
-
-{% if (client_ip_pool) or (client_ip_subnets) %}
-[ip-pool]
-{% if client_ip_pool %}
-{{client_ip_pool}}
-{% endif -%}
-{% if client_ip_subnets %}
-{% for sn in client_ip_subnets %}
-{{sn}}
-{% endfor -%}
-{% endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{gateway_address}}
-{% endif %}
-
-{% if authentication['mode'] == 'local' %}
-[chap-secrets]
-chap-secrets=/etc/accel-ppp/l2tp/chap-secrets
-{% if gateway_address %}
-gw-ip-address={{gateway_address}}
-{% endif %}
-{% endif %}
-
-[ppp]
-verbose=1
-check-ip=1
-single-session=replace
-{% if idle_timeout %}
-lcp-echo-timeout={{idle_timeout}}
-{% endif %}
-{% if ppp_options['lcp-echo-interval'] %}
-lcp-echo-interval={{ppp_options['lcp-echo-interval']}}
-{% else %}
-lcp-echo-interval=30
-{% endif %}
-{% if ppp_options['lcp-echo-failure'] %}
-lcp-echo-failure={{ppp_options['lcp-echo-failure']}}
-{% else %}
-lcp-echo-failure=3
-{% endif %}
-{% if ccp_disable %}
-ccp=0
-{% endif %}
-{% if client_ipv6_pool %}
-ipv6=allow
-{% endif %}
-
-{% if authentication['mode'] == 'radius' %}
-[radius]
-{% for rsrv in authentication['radiussrv']: %}
-server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\
-req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\
-fail-time={{authentication['radiussrv'][rsrv]['fail-time']}}
-{% endfor %}
-{% if authentication['radiusopt']['timeout'] %}
-timeout={{authentication['radiusopt']['timeout']}}
-{% endif %}
-{% if authentication['radiusopt']['acct-timeout'] %}
-acct-timeout={{authentication['radiusopt']['acct-timeout']}}
-{% endif %}
-{% if authentication['radiusopt']['max-try'] %}
-max-try={{authentication['radiusopt']['max-try']}}
-{% endif %}
-{% if authentication['radiusopt']['nas-id'] %}
-nas-identifier={{authentication['radiusopt']['nas-id']}}
-{% endif %}
-{% if authentication['radius_source_address'] %}
-nas-ip-address={{authentication['radius_source_address']}}
-{% endif -%}
-{% if authentication['radiusopt']['dae-srv'] %}
-dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\
-{{authentication['radiusopt']['dae-srv']['port']}},\
-{{authentication['radiusopt']['dae-srv']['secret']}}
-{% endif -%}
-gw-ip-address={{gateway_address}}
-verbose=1
-{% endif -%}
-
-{% if client_ipv6_pool %}
-[ipv6-pool]
-{% for prfx in client_ipv6_pool.prefix: %}
-{{prfx}}
-{% endfor %}
-{% for prfx in client_ipv6_pool.delegate_prefix: %}
-delegate={{prfx}}
-{% endfor %}
-{% endif %}
-
-{% if client_ipv6_pool['delegate_prefix'] %}
-[ipv6-dhcp]
-verbose=1
-{% endif %}
-
-{% if authentication['radiusopt']['shaper'] %}
-[shaper]
-verbose=1
-attr={{authentication['radiusopt']['shaper']['attr']}}
-{% if authentication['radiusopt']['shaper']['vendor'] %}
-vendor={{authentication['radiusopt']['shaper']['vendor']}}
-{% endif -%}
-{% endif %}
-
-[cli]
-tcp=127.0.0.1:2004
-sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
-
-'''
-
-### l2tp chap secrets
-chap_secrets_conf = '''
-# username server password acceptable local IP addresses shaper
-{% for user in authentication['local-users'] %}
-{% if authentication['local-users'][user]['state'] == 'enabled' %}
-{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %}
-{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\
-{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}}
-{% else %}
-{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}
-{% endif %}
-{% endif %}
-{% endfor %}
-'''
###
# inline helper functions
###
# depending on hw and threads, daemon needs a little to start
# if it takes longer than 100 * 0.5 secs, exception is being raised
-# not sure if that's the best way to check it, but it worked so far quite well
+# not sure if that's the best way to check it, but it worked so far quite well
###
def chk_con():
cnt = 0
@@ -251,15 +58,6 @@ def chk_con():
raise("failed to start l2tp server")
break
-### chap_secrets file if auth mode local
-def write_chap_secrets(c):
- tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True)
- chap_secrets_txt = tmpl.render(c)
- old_umask = os.umask(0o077)
- open(chap_secrets,'w').write(chap_secrets_txt)
- os.umask(old_umask)
- sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written')
-
def accel_cmd(cmd=''):
if not cmd:
return None
@@ -269,7 +67,7 @@ def accel_cmd(cmd=''):
except:
return 1
-###
+###
# inline helper functions end
###
@@ -319,7 +117,7 @@ def get_config():
if c.exists('outside-address'):
config_data['outside_addr'] = c.return_value('outside-address')
- ### auth local
+ ### auth local
if c.exists('authentication mode local'):
if c.exists('authentication local-users username'):
for usr in c.list_nodes('authentication local-users username'):
@@ -429,7 +227,7 @@ def get_config():
if c.exists('mtu'):
config_data['mtu'] = c.return_value('mtu')
- ### gateway address
+ ### gateway address
if c.exists('gateway-address'):
config_data['gateway_address'] = c.return_value('gateway-address')
else:
@@ -507,7 +305,12 @@ def verify(c):
def generate(c):
if c == None:
return None
-
+
+ # Prepare Jinja2 template loader from files
+ tmpl_path = os.path.join(vyos_data_dir['data'], 'templates', 'l2tp')
+ fs_loader = FileSystemLoader(tmpl_path)
+ env = Environment(loader=fs_loader)
+
### accel-cmd reload doesn't work so any change results in a restart of the daemon
try:
if os.cpu_count() == 1:
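Review bot: The new `Environment(loader=fs_loader)` drops the `trim_blocks=True` that both removed `jinja2.Template(...)` calls used, so every `{% if %}`/`{% for %}` line in the templates now leaves an empty line in the rendered accel-ppp config and chap-secrets file instead of being removed. That is a behaviour change this commit does not mention; whether accel-ppp tolerates blank lines in every section is not something the diff shows, so keep the output identical by passing the option through: `env = Environment(loader=fs_loader, trim_blocks=True)`. generate() continues past this hunk.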
@@ -520,12 +323,16 @@ def generate(c):
else:
c['thread_cnt'] = int(os.cpu_count()/2)
- tmpl = jinja2.Template(l2tp_config, trim_blocks=True)
+ tmpl = env.get_template('l2tp.config.tmpl')
config_text = tmpl.render(c)
open(l2tp_conf,'w').write(config_text)
if c['authentication']['local-users']:
- write_chap_secrets(c)
+ tmpl = env.get_template('chap-secrets.tmpl')
+ chap_secrets_txt = tmpl.render(c)
+ old_umask = os.umask(0o077)
+ open(chap_secrets,'w').write(chap_secrets_txt)
+ os.umask(old_umask)
return c
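Review bot: `open(l2tp_conf,'w').write(config_text)` creates the main config under the process's default umask, yet that file carries the LNS `secret=` and the RADIUS/DAE shared secrets (see the `[l2tp]` and `[radius]` sections of the template), while only the chap-secrets file gets the `0o077` umask; on a system with a permissive umask the RADIUS secrets end up world-readable. The umask dance is also not exception-safe (a failed write leaves umask at 0o077 for the rest of the run), `umask` does nothing for an already-existing file with wider permissions, and neither file handle is closed explicitly. A small helper that opens with an explicit 0600 mode, enforces it with `fchmod`, and writes through a context manager covers both files; this hunk sits inside generate(), whose definition starts outside it.

```python
def _write_private(path, text):
    # both files carry shared secrets: create 0600 and tighten a pre-existing file too
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(text)

    # … unchanged: thread_cnt selection and env.get_template('l2tp.config.tmpl') …
    _write_private(l2tp_conf, config_text)

    if c['authentication']['local-users']:
        tmpl = env.get_template('chap-secrets.tmpl')
        _write_private(chap_secrets, tmpl.render(c))
```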
@@ -546,7 +353,6 @@ def apply(c):
else:
### if gw ip changes, only restart doesn't work
accel_cmd('restart')
- sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart")
if __name__ == '__main__':
try: