pppoe-server NAS-Filter-Rule attribute
Open, Normal, Public, FEATURE REQUEST

Description

It will be helpful to use the RADIUS attribute NAS-Filter-Rule to provide a possibility to define firewall rules for the client ppp interface.
I think we can use the pppd_compat module to utilize this feature.
https://accel-ppp.readthedocs.io/en/latest/configuration/pppd_compat.html

The main goal is to get the firewall rules defined via CLI, apply these rules when the session starts (or by CoA request), and delete them when it stops.
We can get this attribute and other attributes received via RADIUS from specially created files: radattr-prefix=/var/run/radattr.pppoeX

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)

Event Timeline

Unknown Object (User) created this task. Jun 11 2020, 11:07 AM
Unknown Object (User) added a comment. Jun 16 2020, 7:45 PM

Implementation steps:

  1. Add $INCLUDE dictionary.rfc4849 to the /usr/share/accel-ppp/radius/dictionary file
  2. Add the modules required to use the ip-pre-up/ip-up/ip-down scripts

     [modules]
     sigchld
     pppd_compat

     And the pppd_compat params

     [pppd-compat]
     verbose=1
     ip-pre-up=/path/to/ip-pre-up
     radattr-prefix=/var/run/radattr

  3. Create an ip-pre-up/ip-down script which will get the configured firewall names and rules from the CLI or a supported script

Note: When ip-pre-up returns 1, the session will not start, as described in https://tools.ietf.org/html/rfc4849
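
The ip-pre-up check from the implementation steps above, as an added example that is not part of the task and is not VyOS or accel-ppp code: it reads the NAS-Filter-Rule lines from the radattr file, rejects any value that does not look like a filter rule, and exits 1 so that the session does not start. The interface name in $1, the one-pair-per-line file layout, one complete rule per line and the RULE_RE pattern are assumptions.

```shell
#!/bin/sh
# Added example, not VyOS or accel-ppp code. Assumptions: $1 is the interface
# name, the radattr file has one "Attribute-Name value" pair per line, and each
# NAS-Filter-Rule line holds one complete rule, e.g. (constructed sample):
#   User-Name alice
#   NAS-Filter-Rule permit in ip from any to 10.0.0.0/8
RADATTR_PREFIX="${RADATTR_PREFIX:-/var/run/radattr}"

# Conservative shape: action dir proto from src [ports] to dst [ports] [options]
RULE_RE='^(permit|deny) (in|out) [a-z0-9]+ from [A-Za-z0-9.:/!]+( [0-9,-]+)? to [A-Za-z0-9.:/!]+( [0-9,-]+)?( [a-z0-9 ,!]+)?$'

# Print the value of every NAS-Filter-Rule line in the radattr file "$1".
extract_filter_rules() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "NAS-Filter-Rule "*) printf '%s\n' "${line#NAS-Filter-Rule }" ;;
        esac
    done < "$1"
}

# Succeed only for strings matching RULE_RE, so shell metacharacters in a
# RADIUS-supplied value are rejected before anything acts on it.
validate_rule() {
    printf '%s\n' "$1" | grep -Eq "$RULE_RE"
}

# Return 0 if every rule for interface "$1" validates (or none is present);
# return 1 on a bad interface name, an unreadable file or any invalid rule.
check_session() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    file="$RADATTR_PREFIX.$1"
    [ -r "$file" ] || return 1
    extract_filter_rules "$file" | while IFS= read -r rule; do
        validate_rule "$rule" || exit 1
    done
}

# When run as the hook (arguments present), refuse the session on failure;
# applying the validated rules to the interface would follow here.
if [ "$#" -gt 0 ]; then
    check_session "$1" || exit 1
fi
```

Treating a missing radattr file as a failure is a policy choice of this example; a deployment that also serves sessions without RADIUS attributes would relax that check.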

erkin set Issue type to Feature (new functionality). Aug 30 2021, 5:33 AM
erkin removed a subscriber: Active contributors.
dmbaturin triaged this task as Normal priority. Jan 9 2024, 7:55 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin removed a subscriber: Unknown Object (User).