From 8eec0b5b062b5f98a865949ac0f2a49d61b81199 Mon Sep 17 00:00:00 2001 From: aapostoliuk Date: Tue, 13 Feb 2024 18:55:13 +0200 Subject: T6029: Rewritten Accel-PPP services to an identical feature set Removed dhcp-interface option (l2tp) Added wins-server (sstp) Added description (ipoe, pppoe, sstp, pptp) Added exteded-script (l2tp, sstp, pptp) Added shaper (ipoe, pptp, sstp, l2tp) Added limits (ipoe, pptp, sstp, l2tp) Added snmp ( ipoe, pptp,sstp, l2tp) Refactoring and reformated code. (cherry picked from commit ac6a16f6c5ad7700789759e1ec093236c2e182a2) --- .../templates/accel-ppp/config_extended_scripts.j2 | 9 ++ data/templates/accel-ppp/config_limits.j2 | 12 +++ data/templates/accel-ppp/config_snmp.j2 | 4 + data/templates/accel-ppp/config_wins_server.j2 | 6 ++ data/templates/accel-ppp/ipoe.config.j2 | 18 +++- data/templates/accel-ppp/l2tp.config.j2 | 41 +++++--- data/templates/accel-ppp/pppoe.config.j2 | 76 +++++--------- data/templates/accel-ppp/pptp.config.j2 | 39 +++++--- data/templates/accel-ppp/sstp.config.j2 | 20 +++- .../include/accel-ppp/extended-scripts.xml.i | 41 ++++++++ .../include/accel-ppp/limits.xml.i | 28 ++++++ interface-definitions/include/accel-ppp/snmp.xml.i | 15 +++ .../include/version/l2tp-version.xml.i | 2 +- interface-definitions/service_ipoe-server.xml.in | 11 ++- interface-definitions/service_pppoe-server.xml.in | 110 ++++----------------- interface-definitions/vpn_l2tp.xml.in | 83 ++++++++-------- interface-definitions/vpn_pptp.xml.in | 23 +++-- interface-definitions/vpn_sstp.xml.in | 32 +++--- python/vyos/accel_ppp_util.py | 32 +++--- smoketest/scripts/cli/base_accel_ppp_test.py | 51 +++++++++- smoketest/scripts/cli/test_service_ipoe-server.py | 4 + src/conf_mode/service_ipoe-server.py | 8 +- src/conf_mode/service_pppoe-server.py | 10 +- src/conf_mode/vpn_l2tp.py | 12 +-- src/conf_mode/vpn_pptp.py | 12 +-- src/conf_mode/vpn_sstp.py | 88 +++++++++-------- src/migration-scripts/l2tp/8-to-9 | 49 +++++++++ 27 files changed, 527 insertions(+), 309 deletions(-) create mode 100644 data/templates/accel-ppp/config_extended_scripts.j2 create mode 100644 data/templates/accel-ppp/config_limits.j2 create mode 100644 data/templates/accel-ppp/config_snmp.j2 create mode 100644 data/templates/accel-ppp/config_wins_server.j2 create mode 100644 interface-definitions/include/accel-ppp/extended-scripts.xml.i create mode 100644 interface-definitions/include/accel-ppp/limits.xml.i create mode 100644 interface-definitions/include/accel-ppp/snmp.xml.i create mode 100755 src/migration-scripts/l2tp/8-to-9 diff --git a/data/templates/accel-ppp/config_extended_scripts.j2 b/data/templates/accel-ppp/config_extended_scripts.j2 new file mode 100644 index 000000000..ded0a0a39 --- /dev/null +++ b/data/templates/accel-ppp/config_extended_scripts.j2 @@ -0,0 +1,9 @@ +{% if extended_scripts is vyos_defined %} +[pppd-compat] +verbose=1 +radattr-prefix=/run/accel-pppd/radattr +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} +{{ script_name[script] }}={{ extended_scripts[script] }} +{% endfor %} +{% endif %} \ No newline at end of file diff --git a/data/templates/accel-ppp/config_limits.j2 b/data/templates/accel-ppp/config_limits.j2 new file mode 100644 index 000000000..f10dfccd7 --- /dev/null +++ b/data/templates/accel-ppp/config_limits.j2 @@ -0,0 +1,12 @@ +{% if limits is vyos_defined %} +[connlimit] +{% if limits.connection_limit is vyos_defined %} +limit={{ limits.connection_limit }} +{% endif %} +{% if limits.burst is vyos_defined %} +burst={{ limits.burst }} +{% endif %} +{% if limits.timeout is vyos_defined %} +timeout={{ limits.timeout }} +{% endif %} +{% endif %} \ No newline at end of file diff --git a/data/templates/accel-ppp/config_snmp.j2 b/data/templates/accel-ppp/config_snmp.j2 new file mode 100644 index 000000000..11526dd81 --- /dev/null +++ b/data/templates/accel-ppp/config_snmp.j2 @@ -0,0 +1,4 @@ +{% if snmp.master_agent is vyos_defined %} +[snmp] +master=1 +{% endif %} diff --git a/data/templates/accel-ppp/config_wins_server.j2 b/data/templates/accel-ppp/config_wins_server.j2 new file mode 100644 index 000000000..23312f92e --- /dev/null +++ b/data/templates/accel-ppp/config_wins_server.j2 @@ -0,0 +1,6 @@ +{% if wins_server is vyos_defined %} +[wins] +{% for server in wins_server %} +wins{{ loop.index }}={{ server }} +{% endfor %} +{% endif %} diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 8b022eaa5..c89812985 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -6,10 +6,16 @@ ipoe shaper {# Common authentication backend definitions #} {% include 'accel-ppp/config_modules_auth_mode.j2' %} +ippool ipv6pool ipv6_nd ipv6_dhcp -ippool +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -19,6 +25,7 @@ thread-count={{ thread_count }} max-starting={{ max_concurrent_sessions }} {% endif %} + [log] syslog=accel-ipoe,daemon copy=1 @@ -84,5 +91,14 @@ proxy-arp=1 {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2002 diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index 203a9772e..4ce9042c2 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -24,15 +30,8 @@ syslog=accel-l2tp,daemon copy=1 level=5 -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} +[client-ip-range] +0.0.0.0/0 [l2tp] verbose=1 @@ -56,24 +55,36 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -[client-ip-range] -0.0.0.0/0 - {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} {# Common ppp-options definitions #} {% include 'accel-ppp/ppp-options.j2' %} -{# Common IPv6 pool definitions #} -{% include 'accel-ppp/config_ipv6_pool.j2' %} - {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2004 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index bf7b2eb72..6b01958e5 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -10,7 +10,6 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} - {% if snmp is vyos_defined %} net-snmp {% endif %} @@ -35,32 +34,8 @@ level=5 noauth=1 {% endif %} -{% if snmp.master_agent is vyos_defined %} -[snmp] -master=1 -{% endif %} - [client-ip-range] -disable - -{# Common IP pool definitions #} -{% include 'accel-ppp/config_ip_pool.j2' %} - -{# Common IPv6 pool definitions #} -{% include 'accel-ppp/config_ipv6_pool.j2' %} - -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} - -{# Common chap-secrets and RADIUS server/option definitions #} -{% include 'accel-ppp/config_chap_secrets_radius.j2' %} +0.0.0.0/0 [common] {% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} @@ -70,9 +45,6 @@ single-session={{ session_control }} max-starting={{ max_concurrent_sessions }} {% endif %} -{# Common ppp-options definitions #} -{% include 'accel-ppp/ppp-options.j2' %} - [pppoe] verbose=1 ac-name={{ access_concentrator }} @@ -116,31 +88,35 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -{% if limits is vyos_defined %} -[connlimit] -{% if limits.connection_limit is vyos_defined %} -limit={{ limits.connection_limit }} -{% endif %} -{% if limits.burst is vyos_defined %} -burst={{ limits.burst }} -{% endif %} -{% if limits.timeout is vyos_defined %} -timeout={{ limits.timeout }} -{% endif %} -{% endif %} +{# Common IP pool definitions #} +{% include 'accel-ppp/config_ip_pool.j2' %} + +{# Common IPv6 pool definitions #} +{% include 'accel-ppp/config_ipv6_pool.j2' %} + +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + +{# Common chap-secrets and RADIUS server/option definitions #} +{% include 'accel-ppp/config_chap_secrets_radius.j2' %} + +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} -{% if extended_scripts is vyos_defined %} -[pppd-compat] -verbose=1 -radattr-prefix=/run/accel-pppd/radattr -{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} -{% for script in extended_scripts %} -{{ script_name[script] }}={{ extended_scripts[script] }} -{% endfor %} -{% endif %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} [cli] tcp=127.0.0.1:2001 diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2 index 290e6235d..a04bd40c0 100644 --- a/data/templates/accel-ppp/pptp.config.j2 +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -24,15 +30,8 @@ syslog=accel-pptp,daemon copy=1 level=5 -{# Common DNS name-server definition #} -{% include 'accel-ppp/config_name_server.j2' %} - -{% if wins_server is vyos_defined %} -[wins] -{% for server in wins_server %} -wins{{ loop.index }}={{ server }} -{% endfor %} -{% endif %} +[client-ip-range] +0.0.0.0/0 [pptp] ifname=pptp%d @@ -52,24 +51,36 @@ ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} -[client-ip-range] -0.0.0.0/0 - {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} {# Common IPv6 pool definitions #} {% include 'accel-ppp/config_ipv6_pool.j2' %} -{# Common ppp-options definitions #} -{% include 'accel-ppp/ppp-options.j2' %} +{# Common DNS name-server definition #} +{% include 'accel-ppp/config_name_server.j2' %} + +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} +{# Common ppp-options definitions #} +{% include 'accel-ppp/ppp-options.j2' %} + {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2003 diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2 index c0bc62d9f..b624f83a3 100644 --- a/data/templates/accel-ppp/sstp.config.j2 +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -10,6 +10,12 @@ ippool {% include 'accel-ppp/config_modules_ipv6.j2' %} {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} +{% if snmp is vyos_defined %} +net-snmp +{% endif %} +{% if limits is vyos_defined %} +connlimit +{% endif %} [core] thread-count={{ thread_count }} @@ -26,7 +32,7 @@ copy=1 level=5 [client-ip-range] -disable +0.0.0.0/0 [sstp] verbose=1 @@ -53,6 +59,9 @@ ipv6-pool-delegate={{ default_ipv6_pool }} {# Common DNS name-server definition #} {% include 'accel-ppp/config_name_server.j2' %} +{# Common wins-server definition #} +{% include 'accel-ppp/config_wins_server.j2' %} + {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} @@ -62,5 +71,14 @@ ipv6-pool-delegate={{ default_ipv6_pool }} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{# Common Extended scripts configuration #} +{% include 'accel-ppp/config_extended_scripts.j2' %} + +{# Common Limits configuration #} +{% include 'accel-ppp/config_limits.j2' %} + +{# Common SNMP definitions #} +{% include 'accel-ppp/config_snmp.j2' %} + [cli] tcp=127.0.0.1:2005 diff --git a/interface-definitions/include/accel-ppp/extended-scripts.xml.i b/interface-definitions/include/accel-ppp/extended-scripts.xml.i new file mode 100644 index 000000000..4bba76e32 --- /dev/null +++ b/interface-definitions/include/accel-ppp/extended-scripts.xml.i @@ -0,0 +1,41 @@ + + + + Extended script execution + + + + + Script to run before PPPoE session interface comes up + + + + + + + + Script to run when PPPoE session interface is completely configured and started + + + + + + + + Script to run when PPPoE session interface going to terminate + + + + + + + + Script to run when PPPoE session interface changed by RADIUS CoA handling + + + + + + + + diff --git a/interface-definitions/include/accel-ppp/limits.xml.i b/interface-definitions/include/accel-ppp/limits.xml.i new file mode 100644 index 000000000..df72b79d4 --- /dev/null +++ b/interface-definitions/include/accel-ppp/limits.xml.i @@ -0,0 +1,28 @@ + + + + Limits the connection rate from a single source + + + + + Acceptable rate of connections (e.g. 1/min, 60/sec) + + [0-9]+\/(min|sec) + + illegal value + + + + + Burst count + + + + + Timeout in seconds + + + + + diff --git a/interface-definitions/include/accel-ppp/snmp.xml.i b/interface-definitions/include/accel-ppp/snmp.xml.i new file mode 100644 index 000000000..373ced16f --- /dev/null +++ b/interface-definitions/include/accel-ppp/snmp.xml.i @@ -0,0 +1,15 @@ + + + + Enable SNMP + + + + + Enable SNMP master agent mode + + + + + + diff --git a/interface-definitions/include/version/l2tp-version.xml.i b/interface-definitions/include/version/l2tp-version.xml.i index 01004c5a0..5397407fb 100644 --- a/interface-definitions/include/version/l2tp-version.xml.i +++ b/interface-definitions/include/version/l2tp-version.xml.i @@ -1,3 +1,3 @@ - + diff --git a/interface-definitions/service_ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in index 23d6e54d1..414c9a731 100644 --- a/interface-definitions/service_ipoe-server.xml.in +++ b/interface-definitions/service_ipoe-server.xml.in @@ -177,13 +177,18 @@ #include - #include - #include #include - #include #include #include #include + #include + #include + #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 477ed115f..9b5e4d3fb 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -49,9 +49,6 @@ - #include - #include - #include interface(s) to listen on @@ -63,35 +60,6 @@ #include - #include - #include - #include - - - Limits the connection rate from a single source - - - - - Acceptable rate of connections (e.g. 1/min, 60/sec) - - [0-9]+\/(min|sec) - - illegal value - - - - - Burst count - - - - - Timeout in seconds - - - - Service name @@ -102,15 +70,6 @@ - #include - #include - - - - 1280 - - - PADO delays @@ -164,61 +123,28 @@ replace - #include - - - Enable SNMP - - - - - enable SNMP master agent mode - - - - - - - - Extended script execution - + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + - - - Script to run before PPPoE session interface comes up - - - - - - - - Script to run when PPPoE session interface is completely configured and started - - - - - - - - Script to run when PPPoE session interface going to terminate - - - - - - - - Script to run when PPPoE session interface changed by RADIUS CoA handling - - - - + + 1280 - #include - #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 6148e3269..85a375db4 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in @@ -30,42 +30,6 @@ - #include - #include - - 1436 - - - - External IP address to which VPN clients will connect - - - - - - #include - #include - - - L2TP Network Server (LNS) - - - - - Tunnel password used to authenticate the client (LAC) - - - - - Sent to the client (LAC) in the Host-Name attribute - - #include - - Host-name must be alphanumeric and can contain hyphens - - - - Internet Protocol Security (IPsec) for remote access L2TP VPN @@ -129,14 +93,53 @@ #include - #include + + + L2TP Network Server (LNS) + + + + + Tunnel password used to authenticate the client (LAC) + + + + + Sent to the client (LAC) in the Host-Name attribute + + #include + + Host-name must be alphanumeric and can contain hyphens + + + + + + + External IP address to which VPN clients will connect + + + + + #include #include - #include - #include - #include #include #include + #include + #include + #include + #include + #include + + 1436 + + #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in index 2e2a3bec4..a63633f57 100644 --- a/interface-definitions/vpn_pptp.xml.in +++ b/interface-definitions/vpn_pptp.xml.in @@ -30,11 +30,6 @@ - #include - #include - - 1436 - External IP address to which VPN clients will connect @@ -43,14 +38,24 @@ - #include - #include - #include #include - #include #include + #include #include + #include + #include + #include + #include + #include + + 1436 + #include + #include + #include + #include + #include + #include diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in index 0d5d53301..d23a001d5 100644 --- a/interface-definitions/vpn_sstp.xml.in +++ b/interface-definitions/vpn_sstp.xml.in @@ -25,19 +25,6 @@ - #include - #include - #include - #include - #include - #include - #include - - 443 - - #include - #include - #include SSL Certificate, SSL Key and CA @@ -47,6 +34,25 @@ #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + #include + + 443 + + #include + #include + #include + #include + #include + #include diff --git a/python/vyos/accel_ppp_util.py b/python/vyos/accel_ppp_util.py index bd0c46a19..845b2f5f0 100644 --- a/python/vyos/accel_ppp_util.py +++ b/python/vyos/accel_ppp_util.py @@ -106,7 +106,26 @@ def get_pools_in_order(data: dict) -> list: return pools -def verify_accel_ppp_base_service(config, local_users=True): +def verify_accel_ppp_name_servers(config): + if "name_server_ipv4" in config: + if len(config["name_server_ipv4"]) > 2: + raise ConfigError( + "Not more then two IPv4 DNS name-servers " "can be configured" + ) + if "name_server_ipv6" in config: + if len(config["name_server_ipv6"]) > 3: + raise ConfigError( + "Not more then three IPv6 DNS name-servers " "can be configured" + ) + + +def verify_accel_ppp_wins_servers(config): + if 'wins_server' in config and len(config['wins_server']) > 2: + raise ConfigError( + 'Not more then two WINS name-servers can be configured') + + +def verify_accel_ppp_authentication(config, local_users=True): """ Common helper function which must be used by all Accel-PPP services based on get_config_dict() @@ -148,17 +167,6 @@ def verify_accel_ppp_base_service(config, local_users=True): if not dict_search('authentication.radius.dynamic_author.key', config): raise ConfigError('DAE/CoA server key required!') - if "name_server_ipv4" in config: - if len(config["name_server_ipv4"]) > 2: - raise ConfigError( - "Not more then two IPv4 DNS name-servers " "can be configured" - ) - - if "name_server_ipv6" in config: - if len(config["name_server_ipv6"]) > 3: - raise ConfigError( - "Not more then three IPv6 DNS name-servers " "can be configured" - ) diff --git a/smoketest/scripts/cli/base_accel_ppp_test.py b/smoketest/scripts/cli/base_accel_ppp_test.py index 0e6e522b9..ac4bbcfe5 100644 --- a/smoketest/scripts/cli/base_accel_ppp_test.py +++ b/smoketest/scripts/cli/base_accel_ppp_test.py @@ -558,4 +558,53 @@ delegate={delegate_2_prefix},{delegate_mask},name={pool_name}""" self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id')) self.assertEqual(conf['ppp']['lcp-echo-failure'], lcp_failure) self.assertEqual(conf['ppp']['lcp-echo-interval'], lcp_interval) - self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_timeout) \ No newline at end of file + self.assertEqual(conf['ppp']['lcp-echo-timeout'], lcp_timeout) + + + def test_accel_wins_server(self): + self.basic_config() + winsservers = ["192.0.2.1", "192.0.2.2"] + for wins in winsservers: + self.set(["wins-server", wins]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + for ws in winsservers: + self.assertIn(ws, [conf["wins"]["wins1"], conf["wins"]["wins2"]]) + + def test_accel_snmp(self): + self.basic_config() + self.set(['snmp', 'master-agent']) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['net-snmp'], None) + self.assertEqual(conf['snmp']['master'],'1') + + def test_accel_shaper(self): + self.basic_config() + fwmark = '2' + self.set(['shaper', 'fwmark', fwmark]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['shaper'], None) + self.assertEqual(conf['shaper']['verbose'], '1') + self.assertEqual(conf['shaper']['down-limiter'], 'tbf') + self.assertEqual(conf['shaper']['fwmark'], fwmark) + + def test_accel_limits(self): + self.basic_config() + burst = '100' + timeout = '20' + limits = '1/min' + self.set(['limits', 'connection-limit', limits]) + self.set(['limits', 'timeout', timeout]) + self.set(['limits', 'burst', burst]) + self.cli_commit() + conf = ConfigParser(allow_no_value=True, delimiters="=", strict=False) + conf.read(self._config_file) + self.assertEqual(conf['modules']['connlimit'], None) + self.assertEqual(conf['connlimit']['limit'], limits) + self.assertEqual(conf['connlimit']['burst'], burst) + self.assertEqual(conf['connlimit']['timeout'], timeout) diff --git a/smoketest/scripts/cli/test_service_ipoe-server.py b/smoketest/scripts/cli/test_service_ipoe-server.py index 20a168b58..5f1cf9ad1 100755 --- a/smoketest/scripts/cli/test_service_ipoe-server.py +++ b/smoketest/scripts/cli/test_service_ipoe-server.py @@ -232,5 +232,9 @@ delegate={delegate_2_prefix},{delegate_mask},name={pool_name}""" def test_accel_ppp_options(self): pass + @unittest.skip("WINS server is not used in IPoE") + def test_accel_wins_server(self): + pass + if __name__ == "__main__": unittest.main(verbosity=2) diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 5f72b983c..852b714eb 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -25,8 +25,10 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.accel_ppp_util import get_pools_in_order +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers from vyos.accel_ppp_util import verify_accel_ppp_ip_pool -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos import ConfigError from vyos import airbag airbag.enable() @@ -69,8 +71,10 @@ def verify(ipoe): raise ConfigError('Option "client-subnet" incompatible with "vlan"!' 'Use "ipoe client-ip-pool" instead.') - verify_accel_ppp_base_service(ipoe, local_users=False) + verify_accel_ppp_authentication(ipoe, local_users=False) verify_accel_ppp_ip_pool(ipoe) + verify_accel_ppp_name_servers(ipoe) + verify_accel_ppp_wins_servers(ipoe) return None diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index c2dfbdb44..c9d1e805f 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -25,7 +25,9 @@ from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -67,11 +69,11 @@ def verify(pppoe): if not pppoe: return None - verify_accel_ppp_base_service(pppoe) + verify_accel_ppp_authentication(pppoe) verify_accel_ppp_ip_pool(pppoe) + verify_accel_ppp_name_servers(pppoe) + verify_accel_ppp_wins_servers(pppoe) - if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2: - raise ConfigError('Not more then two WINS name-servers can be configured') if 'interface' not in pppoe: raise ConfigError('At least one listen interface must be defined!') diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 266381754..04ccbcec3 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -24,7 +24,9 @@ from vyos.configdict import get_accel_dict from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -62,12 +64,10 @@ def verify(l2tp): if not l2tp: return None - verify_accel_ppp_base_service(l2tp) + verify_accel_ppp_authentication(l2tp) verify_accel_ppp_ip_pool(l2tp) - - if 'wins_server' in l2tp and len(l2tp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(l2tp) + verify_accel_ppp_wins_servers(l2tp) return None diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index b1d5067d5..c0d8330bd 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -22,7 +22,9 @@ from vyos.config import Config from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos import ConfigError @@ -60,12 +62,10 @@ def verify(pptp): if not pptp: return None - verify_accel_ppp_base_service(pptp) + verify_accel_ppp_authentication(pptp) verify_accel_ppp_ip_pool(pptp) - - if 'wins_server' in pptp and len(pptp['wins_server']) > 2: - raise ConfigError( - 'Not more then two WINS name-servers can be configured') + verify_accel_ppp_name_servers(pptp) + verify_accel_ppp_wins_servers(pptp) def generate(pptp): diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 5c229fe62..8661a8aff 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -26,7 +26,9 @@ from vyos.template import render from vyos.utils.process import call from vyos.utils.network import check_port_availability from vyos.utils.dict import dict_search -from vyos.accel_ppp_util import verify_accel_ppp_base_service +from vyos.accel_ppp_util import verify_accel_ppp_name_servers +from vyos.accel_ppp_util import verify_accel_ppp_wins_servers +from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import get_pools_in_order from vyos.utils.network import is_listen_port_bind_service @@ -43,48 +45,18 @@ cert_file_path = os.path.join(cfg_dir, 'sstp-cert.pem') cert_key_path = os.path.join(cfg_dir, 'sstp-cert.key') ca_cert_file_path = os.path.join(cfg_dir, 'sstp-ca.pem') -def get_config(config=None): - if config: - conf = config - else: - conf = Config() - base = ['vpn', 'sstp'] - if not conf.exists(base): - return None - - # retrieve common dictionary keys - sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) - if dict_search('client_ip_pool', sstp): - # Multiple named pools require ordered values T5099 - sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) - - sstp['server_type'] = 'sstp' - return sstp - - -def verify(sstp): - if not sstp: - return None - - port = sstp.get('port') - proto = 'tcp' - if check_port_availability('0.0.0.0', int(port), proto) is not True and \ - not is_listen_port_bind_service(int(port), 'accel-pppd'): - raise ConfigError(f'"{proto}" port "{port}" is used by another service') - - verify_accel_ppp_base_service(sstp) - verify_accel_ppp_ip_pool(sstp) +def verify_certificate(config): # # SSL certificate checks # - if not sstp['pki']: + if not config['pki']: raise ConfigError('PKI is not configured') - if 'ssl' not in sstp: + if 'ssl' not in config: raise ConfigError('SSL missing on SSTP config') - ssl = sstp['ssl'] + ssl = config['ssl'] # CA if 'ca_certificate' not in ssl: @@ -92,10 +64,10 @@ def verify(sstp): ca_name = ssl['ca_certificate'] - if ca_name not in sstp['pki']['ca']: + if ca_name not in config['pki']['ca']: raise ConfigError('Invalid CA certificate on SSTP config') - if 'certificate' not in sstp['pki']['ca'][ca_name]: + if 'certificate' not in config['pki']['ca'][ca_name]: raise ConfigError('Missing certificate data for CA certificate on SSTP config') # Certificate @@ -104,10 +76,10 @@ def verify(sstp): cert_name = ssl['certificate'] - if cert_name not in sstp['pki']['certificate']: + if cert_name not in config['pki']['certificate']: raise ConfigError('Invalid certificate on SSTP config') - pki_cert = sstp['pki']['certificate'][cert_name] + pki_cert = config['pki']['certificate'][cert_name] if 'certificate' not in pki_cert: raise ConfigError('Missing certificate data for certificate on SSTP config') @@ -118,6 +90,43 @@ def verify(sstp): if 'password_protected' in pki_cert['private']: raise ConfigError('Encrypted private key is not supported on SSTP config') + +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['vpn', 'sstp'] + if not conf.exists(base): + return None + + # retrieve common dictionary keys + sstp = get_accel_dict(conf, base, sstp_chap_secrets, with_pki=True) + if dict_search('client_ip_pool', sstp): + # Multiple named pools require ordered values T5099 + sstp['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', sstp)) + + sstp['server_type'] = 'sstp' + return sstp + + +def verify(sstp): + if not sstp: + return None + + port = sstp.get('port') + proto = 'tcp' + if check_port_availability('0.0.0.0', int(port), proto) is not True and \ + not is_listen_port_bind_service(int(port), 'accel-pppd'): + raise ConfigError(f'"{proto}" port "{port}" is used by another service') + + verify_accel_ppp_authentication(sstp) + verify_accel_ppp_ip_pool(sstp) + verify_accel_ppp_name_servers(sstp) + verify_accel_ppp_wins_servers(sstp) + verify_certificate(sstp) + + def generate(sstp): if not sstp: return None @@ -143,6 +152,7 @@ def generate(sstp): return sstp + def apply(sstp): if not sstp: call('systemctl stop accel-ppp@sstp.service') diff --git a/src/migration-scripts/l2tp/8-to-9 b/src/migration-scripts/l2tp/8-to-9 new file mode 100755 index 000000000..e85a3892b --- /dev/null +++ b/src/migration-scripts/l2tp/8-to-9 @@ -0,0 +1,49 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2024 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# Deleted 'dhcp-interface' from l2tp + +import os + +from sys import argv +from sys import exit +from vyos.configtree import ConfigTree + + +if len(argv) < 2: + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +base = ['vpn', 'l2tp', 'remote-access'] +if not config.exists(base): + exit(0) + +#deleting unused dhcp-interface +if config.exists(base + ['dhcp-interface']): + config.delete(base + ['dhcp-interface']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) -- cgit v1.2.3