From cce97b21745987f88228cf0ea8c147243f3aec4f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 5 Apr 2020 16:40:32 +0200 Subject: l2tp: T2230: move inlined templates to dedicated files --- data/templates/l2tp/chap-secrets.tmpl | 11 ++ data/templates/l2tp/l2tp.config.tmpl | 173 +++++++++++++++++++++++++ src/conf_mode/accel_l2tp.py | 234 +++------------------------------- 3 files changed, 204 insertions(+), 214 deletions(-) create mode 100644 data/templates/l2tp/chap-secrets.tmpl create mode 100644 data/templates/l2tp/l2tp.config.tmpl diff --git a/data/templates/l2tp/chap-secrets.tmpl b/data/templates/l2tp/chap-secrets.tmpl new file mode 100644 index 000000000..ee47a583e --- /dev/null +++ b/data/templates/l2tp/chap-secrets.tmpl @@ -0,0 +1,11 @@ +# username server password acceptable local IP addresses shaper +{% for user in authentication['local-users'] %} +{% if authentication['local-users'][user]['state'] == 'enabled' %} +{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\ +{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}} +{% else %} +{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}} +{% endif %} +{% endif %} +{% endfor %} diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl new file mode 100644 index 000000000..901b43d01 --- /dev/null +++ b/data/templates/l2tp/l2tp.config.tmpl @@ -0,0 +1,173 @@ +### generated by accel_l2tp.py ### +[modules] +log_syslog +l2tp +chap-secrets +{% for proto in authentication['auth_proto']: %} +{{proto}} +{% endfor%} +{% if authentication['mode'] == 'radius' %} +radius +{% endif -%} +ippool +shaper +ipv6pool +ipv6_nd +ipv6_dhcp + +[core] +thread-count={{thread_cnt}} + +[log] +syslog=accel-l2tp,daemon +copy=1 +level=5 + +{% if dns %} +[dns] +{% if dns[0] %} +dns1={{dns[0]}} +{% endif %} +{% if dns[1] %} +dns2={{dns[1]}} +{% endif %} +{% endif -%} + +{% if dnsv6 %} +[ipv6-dns] +{% for srv in dnsv6: %} +{{srv}} +{% endfor %} +{% endif %} + +{% if wins %} +[wins] +{% if wins[0] %} +wins1={{wins[0]}} +{% endif %} +{% if wins[1] %} +wins2={{wins[1]}} +{% endif %} +{% endif -%} + +[l2tp] +verbose=1 +ifname=l2tp%d +ppp-max-mtu={{mtu}} +mppe={{authentication['mppe']}} +{% if outside_addr %} +bind={{outside_addr}} +{% endif %} +{% if lns_shared_secret %} +secret={{lns_shared_secret}} +{% endif %} + +[client-ip-range] +0.0.0.0/0 + +{% if (client_ip_pool) or (client_ip_subnets) %} +[ip-pool] +{% if client_ip_pool %} +{{client_ip_pool}} +{% endif -%} +{% if client_ip_subnets %} +{% for sn in client_ip_subnets %} +{{sn}} +{% endfor -%} +{% endif %} +{% endif %} +{% if gateway_address %} +gw-ip-address={{gateway_address}} +{% endif %} + +{% if authentication['mode'] == 'local' %} +[chap-secrets] +chap-secrets=/etc/accel-ppp/l2tp/chap-secrets +{% if gateway_address %} +gw-ip-address={{gateway_address}} +{% endif %} +{% endif %} + +[ppp] +verbose=1 +check-ip=1 +single-session=replace +{% if idle_timeout %} +lcp-echo-timeout={{idle_timeout}} +{% endif %} +{% if ppp_options['lcp-echo-interval'] %} +lcp-echo-interval={{ppp_options['lcp-echo-interval']}} +{% else %} +lcp-echo-interval=30 +{% endif %} +{% if ppp_options['lcp-echo-failure'] %} +lcp-echo-failure={{ppp_options['lcp-echo-failure']}} +{% else %} +lcp-echo-failure=3 +{% endif %} +{% if ccp_disable %} +ccp=0 +{% endif %} +{% if client_ipv6_pool %} +ipv6=allow +{% endif %} + +{% if authentication['mode'] == 'radius' %} +[radius] +{% for rsrv in authentication['radiussrv']: %} +server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ +req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ +fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} +{% endfor %} +{% if authentication['radiusopt']['timeout'] %} +timeout={{authentication['radiusopt']['timeout']}} +{% endif %} +{% if authentication['radiusopt']['acct-timeout'] %} +acct-timeout={{authentication['radiusopt']['acct-timeout']}} +{% endif %} +{% if authentication['radiusopt']['max-try'] %} +max-try={{authentication['radiusopt']['max-try']}} +{% endif %} +{% if authentication['radiusopt']['nas-id'] %} +nas-identifier={{authentication['radiusopt']['nas-id']}} +{% endif %} +{% if authentication['radius_source_address'] %} +nas-ip-address={{authentication['radius_source_address']}} +{% endif -%} +{% if authentication['radiusopt']['dae-srv'] %} +dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ +{{authentication['radiusopt']['dae-srv']['port']}},\ +{{authentication['radiusopt']['dae-srv']['secret']}} +{% endif -%} +gw-ip-address={{gateway_address}} +verbose=1 +{% endif -%} + +{% if client_ipv6_pool %} +[ipv6-pool] +{% for prfx in client_ipv6_pool.prefix: %} +{{prfx}} +{% endfor %} +{% for prfx in client_ipv6_pool.delegate_prefix: %} +delegate={{prfx}} +{% endfor %} +{% endif %} + +{% if client_ipv6_pool['delegate_prefix'] %} +[ipv6-dhcp] +verbose=1 +{% endif %} + +{% if authentication['radiusopt']['shaper'] %} +[shaper] +verbose=1 +attr={{authentication['radiusopt']['shaper']['attr']}} +{% if authentication['radiusopt']['shaper']['vendor'] %} +vendor={{authentication['radiusopt']['shaper']['vendor']}} +{% endif -%} +{% endif %} + +[cli] +tcp=127.0.0.1:2004 +sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime + diff --git a/src/conf_mode/accel_l2tp.py b/src/conf_mode/accel_l2tp.py index a7af9cc68..7c879f596 100755 --- a/src/conf_mode/accel_l2tp.py +++ b/src/conf_mode/accel_l2tp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019 VyOS maintainers and contributors +# Copyright (C) 2019-2020 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,19 +13,18 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -# -# import sys import os import re import subprocess -import jinja2 import socket import time -import syslog as sl + +from jinja2 import FileSystemLoader, Environment from vyos.config import Config +from vyos.defaults import directories as vyos_data_dir from vyos import ConfigError pidfile = r'/var/run/accel_l2tp.pid' @@ -37,205 +36,13 @@ l2tp_conf = l2tp_cnf_dir + '/l2tp.config' ### config path creation if not os.path.exists(l2tp_cnf_dir): os.makedirs(l2tp_cnf_dir) - sl.syslog(sl.LOG_NOTICE, l2tp_cnf_dir + " created") - -l2tp_config = ''' -### generated by accel_l2tp.py ### -[modules] -log_syslog -l2tp -chap-secrets -{% for proto in authentication['auth_proto']: %} -{{proto}} -{% endfor%} -{% if authentication['mode'] == 'radius' %} -radius -{% endif -%} -ippool -shaper -ipv6pool -ipv6_nd -ipv6_dhcp - -[core] -thread-count={{thread_cnt}} - -[log] -syslog=accel-l2tp,daemon -copy=1 -level=5 - -{% if dns %} -[dns] -{% if dns[0] %} -dns1={{dns[0]}} -{% endif %} -{% if dns[1] %} -dns2={{dns[1]}} -{% endif %} -{% endif -%} - -{% if dnsv6 %} -[ipv6-dns] -{% for srv in dnsv6: %} -{{srv}} -{% endfor %} -{% endif %} - -{% if wins %} -[wins] -{% if wins[0] %} -wins1={{wins[0]}} -{% endif %} -{% if wins[1] %} -wins2={{wins[1]}} -{% endif %} -{% endif -%} - -[l2tp] -verbose=1 -ifname=l2tp%d -ppp-max-mtu={{mtu}} -mppe={{authentication['mppe']}} -{% if outside_addr %} -bind={{outside_addr}} -{% endif %} -{% if lns_shared_secret %} -secret={{lns_shared_secret}} -{% endif %} - -[client-ip-range] -0.0.0.0/0 - -{% if (client_ip_pool) or (client_ip_subnets) %} -[ip-pool] -{% if client_ip_pool %} -{{client_ip_pool}} -{% endif -%} -{% if client_ip_subnets %} -{% for sn in client_ip_subnets %} -{{sn}} -{% endfor -%} -{% endif %} -{% endif %} -{% if gateway_address %} -gw-ip-address={{gateway_address}} -{% endif %} - -{% if authentication['mode'] == 'local' %} -[chap-secrets] -chap-secrets=/etc/accel-ppp/l2tp/chap-secrets -{% if gateway_address %} -gw-ip-address={{gateway_address}} -{% endif %} -{% endif %} - -[ppp] -verbose=1 -check-ip=1 -single-session=replace -{% if idle_timeout %} -lcp-echo-timeout={{idle_timeout}} -{% endif %} -{% if ppp_options['lcp-echo-interval'] %} -lcp-echo-interval={{ppp_options['lcp-echo-interval']}} -{% else %} -lcp-echo-interval=30 -{% endif %} -{% if ppp_options['lcp-echo-failure'] %} -lcp-echo-failure={{ppp_options['lcp-echo-failure']}} -{% else %} -lcp-echo-failure=3 -{% endif %} -{% if ccp_disable %} -ccp=0 -{% endif %} -{% if client_ipv6_pool %} -ipv6=allow -{% endif %} - -{% if authentication['mode'] == 'radius' %} -[radius] -{% for rsrv in authentication['radiussrv']: %} -server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ -req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ -fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} -{% endfor %} -{% if authentication['radiusopt']['timeout'] %} -timeout={{authentication['radiusopt']['timeout']}} -{% endif %} -{% if authentication['radiusopt']['acct-timeout'] %} -acct-timeout={{authentication['radiusopt']['acct-timeout']}} -{% endif %} -{% if authentication['radiusopt']['max-try'] %} -max-try={{authentication['radiusopt']['max-try']}} -{% endif %} -{% if authentication['radiusopt']['nas-id'] %} -nas-identifier={{authentication['radiusopt']['nas-id']}} -{% endif %} -{% if authentication['radius_source_address'] %} -nas-ip-address={{authentication['radius_source_address']}} -{% endif -%} -{% if authentication['radiusopt']['dae-srv'] %} -dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ -{{authentication['radiusopt']['dae-srv']['port']}},\ -{{authentication['radiusopt']['dae-srv']['secret']}} -{% endif -%} -gw-ip-address={{gateway_address}} -verbose=1 -{% endif -%} - -{% if client_ipv6_pool %} -[ipv6-pool] -{% for prfx in client_ipv6_pool.prefix: %} -{{prfx}} -{% endfor %} -{% for prfx in client_ipv6_pool.delegate_prefix: %} -delegate={{prfx}} -{% endfor %} -{% endif %} - -{% if client_ipv6_pool['delegate_prefix'] %} -[ipv6-dhcp] -verbose=1 -{% endif %} - -{% if authentication['radiusopt']['shaper'] %} -[shaper] -verbose=1 -attr={{authentication['radiusopt']['shaper']['attr']}} -{% if authentication['radiusopt']['shaper']['vendor'] %} -vendor={{authentication['radiusopt']['shaper']['vendor']}} -{% endif -%} -{% endif %} - -[cli] -tcp=127.0.0.1:2004 -sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime - -''' - -### l2tp chap secrets -chap_secrets_conf = ''' -# username server password acceptable local IP addresses shaper -{% for user in authentication['local-users'] %} -{% if authentication['local-users'][user]['state'] == 'enabled' %} -{% if (authentication['local-users'][user]['upload']) and (authentication['local-users'][user]['download']) %} -{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}}\t\ -{{authentication['local-users'][user]['download']}}/{{authentication['local-users'][user]['upload']}} -{% else %} -{{user}}\t*\t{{authentication['local-users'][user]['passwd']}}\t{{authentication['local-users'][user]['ip']}} -{% endif %} -{% endif %} -{% endfor %} -''' ### # inline helper functions ### # depending on hw and threads, daemon needs a little to start # if it takes longer than 100 * 0.5 secs, exception is being raised -# not sure if that's the best way to check it, but it worked so far quite well +# not sure if that's the best way to check it, but it worked so far quite well ### def chk_con(): cnt = 0 @@ -251,15 +58,6 @@ def chk_con(): raise("failed to start l2tp server") break -### chap_secrets file if auth mode local -def write_chap_secrets(c): - tmpl = jinja2.Template(chap_secrets_conf, trim_blocks=True) - chap_secrets_txt = tmpl.render(c) - old_umask = os.umask(0o077) - open(chap_secrets,'w').write(chap_secrets_txt) - os.umask(old_umask) - sl.syslog(sl.LOG_NOTICE, chap_secrets + ' written') - def accel_cmd(cmd=''): if not cmd: return None @@ -269,7 +67,7 @@ def accel_cmd(cmd=''): except: return 1 -### +### # inline helper functions end ### @@ -319,7 +117,7 @@ def get_config(): if c.exists('outside-address'): config_data['outside_addr'] = c.return_value('outside-address') - ### auth local + ### auth local if c.exists('authentication mode local'): if c.exists('authentication local-users username'): for usr in c.list_nodes('authentication local-users username'): @@ -429,7 +227,7 @@ def get_config(): if c.exists('mtu'): config_data['mtu'] = c.return_value('mtu') - ### gateway address + ### gateway address if c.exists('gateway-address'): config_data['gateway_address'] = c.return_value('gateway-address') else: @@ -507,7 +305,12 @@ def verify(c): def generate(c): if c == None: return None - + + # Prepare Jinja2 template loader from files + tmpl_path = os.path.join(vyos_data_dir['data'], 'templates', 'l2tp') + fs_loader = FileSystemLoader(tmpl_path) + env = Environment(loader=fs_loader) + ### accel-cmd reload doesn't work so any change results in a restart of the daemon try: if os.cpu_count() == 1: @@ -520,12 +323,16 @@ def generate(c): else: c['thread_cnt'] = int(os.cpu_count()/2) - tmpl = jinja2.Template(l2tp_config, trim_blocks=True) + tmpl = env.get_template('l2tp.config.tmpl') config_text = tmpl.render(c) open(l2tp_conf,'w').write(config_text) if c['authentication']['local-users']: - write_chap_secrets(c) + tmpl = env.get_template('chap-secrets.tmpl') + chap_secrets_txt = tmpl.render(c) + old_umask = os.umask(0o077) + open(chap_secrets,'w').write(chap_secrets_txt) + os.umask(old_umask) return c @@ -546,7 +353,6 @@ def apply(c): else: ### if gw ip changes, only restart doesn't work accel_cmd('restart') - sl.syslog(sl.LOG_NOTICE, "reloading config via daemon restart") if __name__ == '__main__': try: -- cgit v1.2.3