diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index bb820497b..a498d8186 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -1,33 +1,36 @@
{% if authentication.mode is vyos_defined('local') %}
[chap-secrets]
chap-secrets={{ chap_secrets_file }}
{% elif authentication.mode is vyos_defined('radius') %}
[radius]
verbose=1
{% for server, options in authentication.radius.server.items() if not options.disable is vyos_defined %}
server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }}
{% endfor %}
+{% if authentication.radius.accounting_interim_interval is vyos_defined %}
+acct-interim-interval={{ authentication.radius.accounting_interim_interval }}
+{% endif %}
{% if authentication.radius.acct_interim_jitter is vyos_defined %}
acct-interim-jitter={{ authentication.radius.acct_interim_jitter }}
{% endif %}
acct-timeout={{ authentication.radius.acct_timeout }}
timeout={{ authentication.radius.timeout }}
max-try={{ authentication.radius.max_try }}
{% if authentication.radius.nas_identifier is vyos_defined %}
nas-identifier={{ authentication.radius.nas_identifier }}
{% endif %}
{% if authentication.radius.nas_ip_address is vyos_defined %}
nas-ip-address={{ authentication.radius.nas_ip_address }}
{% endif %}
{% if authentication.radius.source_address is vyos_defined %}
bind={{ authentication.radius.source_address }}
{% endif %}
{% if authentication.radius.dynamic_author.server is vyos_defined %}
dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }}
{% endif %}
{% endif %}
{# Both chap-secrets and radius block required the gw-ip-address #}
{% if gateway_address is vyos_defined %}
gw-ip-address={{ gateway_address }}
{% endif %}
diff --git a/interface-definitions/include/accel-ppp/radius-additions.xml.i b/interface-definitions/include/accel-ppp/radius-additions.xml.i
index 15ff5165f..cdd0bf300 100644
--- a/interface-definitions/include/accel-ppp/radius-additions.xml.i
+++ b/interface-definitions/include/accel-ppp/radius-additions.xml.i
@@ -1,138 +1,151 @@
<!-- include start from accel-ppp/radius-additions.xml.i -->
<node name="radius">
<children>
+ <leafNode name="accounting-interim-interval">
+ <properties>
+ <help>Interval in seconds to send accounting information</help>
+ <valueHelp>
+ <format>u32:1-3600</format>
+ <description>Interval in seconds to send accounting information</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-3600"/>
+ </constraint>
+ <constraintErrorMessage>Interval value must be between 1 and 3600 seconds</constraintErrorMessage>
+ </properties>
+ </leafNode>
<leafNode name="acct-interim-jitter">
<properties>
<help>Maximum jitter value in seconds to be applied to accounting information interval</help>
<valueHelp>
<format>u32:1-60</format>
<description>Maximum jitter value in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-60"/>
</constraint>
<constraintErrorMessage>Jitter value must be between 1 and 60 seconds</constraintErrorMessage>
</properties>
</leafNode>
<tagNode name="server">
<children>
<leafNode name="acct-port">
<properties>
<help>Accounting port</help>
<valueHelp>
<format>u32:1-65535</format>
<description>Numeric IP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>1813</defaultValue>
</leafNode>
#include <include/accel-ppp/radius-additions-disable-accounting.xml.i>
<leafNode name="fail-time">
<properties>
<help>Mark server unavailable for <n> seconds on failure</help>
<valueHelp>
<format>u32:0-600</format>
<description>Fail time penalty</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-600"/>
</constraint>
<constraintErrorMessage>Fail time must be between 0 and 600 seconds</constraintErrorMessage>
</properties>
<defaultValue>0</defaultValue>
</leafNode>
</children>
</tagNode>
<leafNode name="timeout">
<properties>
<help>Timeout in seconds to wait response from RADIUS server</help>
<valueHelp>
<format>u32:1-60</format>
<description>Timeout in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-60"/>
</constraint>
<constraintErrorMessage>Timeout must be between 1 and 60 seconds</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="acct-timeout">
<properties>
<help>Timeout for Interim-Update packets, terminate session afterwards</help>
<valueHelp>
<format>u32:0-60</format>
<description>Timeout in seconds, 0 to keep active</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 0-60"/>
</constraint>
<constraintErrorMessage>Timeout must be between 0 and 60 seconds</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
<leafNode name="max-try">
<properties>
<help>Number of tries to send Access-Request/Accounting-Request queries</help>
<valueHelp>
<format>u32:1-20</format>
<description>Maximum tries</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-20"/>
</constraint>
<constraintErrorMessage>Maximum tries must be between 1 and 20</constraintErrorMessage>
</properties>
<defaultValue>3</defaultValue>
</leafNode>
#include <include/radius-nas-identifier.xml.i>
#include <include/radius-nas-ip-address.xml.i>
<leafNode name="preallocate-vif">
<properties>
<help>Enable attribute NAS-Port-Id in Access-Request</help>
<valueless/>
</properties>
</leafNode>
<node name="dynamic-author">
<properties>
<help>Dynamic Authorization Extension/Change of Authorization server</help>
</properties>
<children>
<leafNode name="server">
<properties>
<help>IP address for Dynamic Authorization Extension server (DM/CoA)</help>
<constraint>
<validator name="ipv4-address"/>
</constraint>
<valueHelp>
<format>ipv4</format>
<description>IPv4 address for aynamic authorization server</description>
</valueHelp>
</properties>
</leafNode>
<leafNode name="port">
<properties>
<help>Port for Dynamic Authorization Extension server (DM/CoA)</help>
<valueHelp>
<format>u32:1-65535</format>
<description>TCP port</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-65535"/>
</constraint>
</properties>
<defaultValue>1700</defaultValue>
</leafNode>
<leafNode name="key">
<properties>
<help>Shared secret for Dynamic Authorization Extension server</help>
</properties>
</leafNode>
</children>
</node>
</children>
</node>
<!-- include end -->
diff --git a/smoketest/scripts/cli/test_service_pppoe-server.py b/smoketest/scripts/cli/test_service_pppoe-server.py
index 4f9181704..bb6a1c1cd 100755
--- a/smoketest/scripts/cli/test_service_pppoe-server.py
+++ b/smoketest/scripts/cli/test_service_pppoe-server.py
@@ -1,285 +1,288 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2022 VyOS maintainers and contributors
+# Copyright (C) 2022-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import unittest
from base_accel_ppp_test import BasicAccelPPPTest
from configparser import ConfigParser
from vyos.util import read_file
from vyos.template import range_to_regex
local_if = ['interfaces', 'dummy', 'dum667']
ac_name = 'ACN'
interface = 'eth0'
class TestServicePPPoEServer(BasicAccelPPPTest.TestCase):
@classmethod
def setUpClass(cls):
cls._base_path = ['service', 'pppoe-server']
cls._config_file = '/run/accel-pppd/pppoe.conf'
cls._chap_secrets = '/run/accel-pppd/pppoe.chap-secrets'
# call base-classes classmethod
super(TestServicePPPoEServer, cls).setUpClass()
def tearDown(self):
self.cli_delete(local_if)
super().tearDown()
def verify(self, conf):
mtu = '1492'
# validate some common values in the configuration
for tmp in ['log_syslog', 'pppoe', 'ippool',
'auth_mschap_v2', 'auth_mschap_v1', 'auth_chap_md5',
'auth_pap', 'shaper']:
# Settings without values provide None
self.assertEqual(conf['modules'][tmp], None)
# check Access Concentrator setting
self.assertTrue(conf['pppoe']['ac-name'] == ac_name)
self.assertTrue(conf['pppoe'].getboolean('verbose'))
self.assertTrue(conf['pppoe']['interface'], interface)
# check ppp
self.assertTrue(conf['ppp'].getboolean('verbose'))
self.assertTrue(conf['ppp'].getboolean('check-ip'))
self.assertEqual(conf['ppp']['mtu'], mtu)
self.assertEqual(conf['ppp']['lcp-echo-interval'], '30')
self.assertEqual(conf['ppp']['lcp-echo-timeout'], '0')
self.assertEqual(conf['ppp']['lcp-echo-failure'], '3')
super().verify(conf)
def basic_config(self):
self.cli_set(local_if + ['address', '192.0.2.1/32'])
self.set(['access-concentrator', ac_name])
self.set(['interface', interface])
super().basic_config()
def test_pppoe_server_ppp_options(self):
# Test configuration of local authentication for PPPoE server
self.basic_config()
# other settings
mppe = 'require'
self.set(['ppp-options', 'ccp'])
self.set(['ppp-options', 'mppe', mppe])
self.set(['limits', 'connection-limit', '20/min'])
# min-mtu
min_mtu = '1400'
self.set(['ppp-options', 'min-mtu', min_mtu])
# mru
mru = '9000'
self.set(['ppp-options', 'mru', mru])
# interface-cache
interface_cache = '128000'
self.set(['ppp-options', 'interface-cache', interface_cache])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=')
conf.read(self._config_file)
# basic verification
self.verify(conf)
self.assertEqual(conf['chap-secrets']['gw-ip-address'], self._gateway)
# check ppp
self.assertEqual(conf['ppp']['mppe'], mppe)
self.assertEqual(conf['ppp']['min-mtu'], min_mtu)
self.assertEqual(conf['ppp']['mru'], mru)
self.assertTrue(conf['ppp'].getboolean('ccp'))
# check other settings
self.assertEqual(conf['connlimit']['limit'], '20/min')
# check interface-cache
self.assertEqual(conf['ppp']['unit-cache'], interface_cache)
def test_pppoe_server_authentication_protocols(self):
# Test configuration of local authentication for PPPoE server
self.basic_config()
# explicitly test mschap-v2 - no special reason
self.set( ['authentication', 'protocols', 'mschap-v2'])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True)
conf.read(self._config_file)
self.assertEqual(conf['modules']['auth_mschap_v2'], None)
def test_pppoe_server_client_ip_pool(self):
# Test configuration of IPv6 client pools
self.basic_config()
subnet = '172.18.0.0/24'
fwmark = '223'
limiter = 'htb'
self.set(['client-ip-pool', 'subnet', subnet])
start = '192.0.2.10'
stop = '192.0.2.20'
stop_octet = stop.split('.')[3]
start_stop = f'{start}-{stop_octet}'
self.set(['client-ip-pool', 'start', start])
self.set(['client-ip-pool', 'stop', stop])
self.set(['shaper', 'fwmark', fwmark])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True)
conf.read(self._config_file)
# check configured subnet
self.assertEqual(conf['ip-pool'][subnet], None)
self.assertEqual(conf['ip-pool'][start_stop], None)
self.assertEqual(conf['ip-pool']['gw-ip-address'], self._gateway)
self.assertEqual(conf['shaper']['fwmark'], fwmark)
self.assertEqual(conf['shaper']['down-limiter'], limiter)
def test_pppoe_server_client_ip_pool_name(self):
# Test configuration of named client pools
self.basic_config()
subnet = '192.0.2.0/24'
gateway = '192.0.2.1'
pool = 'VYOS'
subnet_name = f'{subnet},name'
gw_ip_prefix = f'{gateway}/24'
self.set(['client-ip-pool', 'name', pool, 'subnet', subnet])
self.set(['client-ip-pool', 'name', pool, 'gateway-address', gateway])
self.cli_delete(self._base_path + ['gateway-address'])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=')
conf.read(self._config_file)
# Validate configuration
self.assertEqual(conf['ip-pool'][subnet_name], pool)
self.assertEqual(conf['ip-pool']['gw-ip-address'], gateway)
self.assertEqual(conf['pppoe']['ip-pool'], pool)
self.assertEqual(conf['pppoe']['gw-ip-address'], gw_ip_prefix)
def test_pppoe_server_client_ipv6_pool(self):
# Test configuration of IPv6 client pools
self.basic_config()
# Enable IPv6
allow_ipv6 = 'allow'
random = 'random'
self.set(['ppp-options', 'ipv6', allow_ipv6])
self.set(['ppp-options', 'ipv6-intf-id', random])
self.set(['ppp-options', 'ipv6-accept-peer-intf-id'])
self.set(['ppp-options', 'ipv6-peer-intf-id', random])
prefix = '2001:db8:ffff::/64'
prefix_mask = '128'
client_prefix = f'{prefix},{prefix_mask}'
self.set(['client-ipv6-pool', 'prefix', prefix, 'mask', prefix_mask])
delegate_prefix = '2001:db8::/40'
delegate_mask = '56'
self.set(['client-ipv6-pool', 'delegate', delegate_prefix, 'delegation-prefix', delegate_mask])
# commit changes
self.cli_commit()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=')
conf.read(self._config_file)
for tmp in ['ipv6pool', 'ipv6_nd', 'ipv6_dhcp']:
self.assertEqual(conf['modules'][tmp], None)
self.assertEqual(conf['ppp']['ipv6'], allow_ipv6)
self.assertEqual(conf['ppp']['ipv6-intf-id'], random)
self.assertEqual(conf['ppp']['ipv6-peer-intf-id'], random)
self.assertTrue(conf['ppp'].getboolean('ipv6-accept-peer-intf-id'))
self.assertEqual(conf['ipv6-pool'][client_prefix], None)
self.assertEqual(conf['ipv6-pool']['delegate'], f'{delegate_prefix},{delegate_mask}')
def test_accel_radius_authentication(self):
radius_called_sid = 'ifname:mac'
radius_acct_interim_jitter = '9'
+ radius_acct_interim_interval = '60'
self.set(['authentication', 'radius', 'called-sid-format', radius_called_sid])
self.set(['authentication', 'radius', 'acct-interim-jitter', radius_acct_interim_jitter])
+ self.set(['authentication', 'radius', 'accounting-interim-interval', radius_acct_interim_interval])
# run common tests
super().test_accel_radius_authentication()
# Validate configuration values
conf = ConfigParser(allow_no_value=True, delimiters='=')
conf.read(self._config_file)
# Validate configuration
self.assertEqual(conf['pppoe']['called-sid'], radius_called_sid)
self.assertEqual(conf['radius']['acct-interim-jitter'], radius_acct_interim_jitter)
+ self.assertEqual(conf['radius']['acct-interim-interval'], radius_acct_interim_interval)
def test_pppoe_server_vlan(self):
vlans = ['100', '200', '300-310']
# Test configuration of local authentication for PPPoE server
self.basic_config()
for vlan in vlans:
self.set(['interface', interface, 'vlan', vlan])
# commit changes
self.cli_commit()
# Validate configuration values
config = read_file(self._config_file)
for vlan in vlans:
tmp = range_to_regex(vlan)
self.assertIn(f'interface=re:^{interface}\.{tmp}$', config)
tmp = ','.join(vlans)
self.assertIn(f'vlan-mon={interface},{tmp}', config)
if __name__ == '__main__':
unittest.main(verbosity=2)
diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py
index 600ba4e92..adeefaa37 100755
--- a/src/conf_mode/service_pppoe-server.py
+++ b/src/conf_mode/service_pppoe-server.py
@@ -1,119 +1,120 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2018-2022 VyOS maintainers and contributors
+# Copyright (C) 2018-2023 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
from sys import exit
from vyos.config import Config
from vyos.configdict import get_accel_dict
from vyos.configdict import is_node_changed
from vyos.configverify import verify_accel_ppp_base_service
from vyos.configverify import verify_interface_exists
from vyos.template import render
from vyos.util import call
from vyos.util import dict_search
from vyos import ConfigError
from vyos import airbag
airbag.enable()
pppoe_conf = r'/run/accel-pppd/pppoe.conf'
pppoe_chap_secrets = r'/run/accel-pppd/pppoe.chap-secrets'
def get_config(config=None):
if config:
conf = config
else:
conf = Config()
base = ['service', 'pppoe-server']
if not conf.exists(base):
return None
# retrieve common dictionary keys
pppoe = get_accel_dict(conf, base, pppoe_chap_secrets)
# reload-or-restart does not implemented in accel-ppp
# use this workaround until it will be implemented
# https://phabricator.accel-ppp.org/T3
if is_node_changed(conf, base + ['client-ip-pool']) or is_node_changed(
conf, base + ['client-ipv6-pool']):
pppoe.update({'restart_required': {}})
return pppoe
def verify(pppoe):
if not pppoe:
return None
verify_accel_ppp_base_service(pppoe)
if 'wins_server' in pppoe and len(pppoe['wins_server']) > 2:
raise ConfigError('Not more then two WINS name-servers can be configured')
if 'interface' not in pppoe:
raise ConfigError('At least one listen interface must be defined!')
# Check is interface exists in the system
for interface in pppoe['interface']:
verify_interface_exists(interface)
# local ippool and gateway settings config checks
if not (dict_search('client_ip_pool.subnet', pppoe) or
+ (dict_search('client_ip_pool.name', pppoe) or
(dict_search('client_ip_pool.start', pppoe) and
- dict_search('client_ip_pool.stop', pppoe))):
+ dict_search('client_ip_pool.stop', pppoe)))):
print('Warning: No PPPoE client pool defined')
if dict_search('authentication.radius.dynamic_author.server', pppoe):
if not dict_search('authentication.radius.dynamic_author.key', pppoe):
raise ConfigError('DA/CoE server key required!')
return None
def generate(pppoe):
if not pppoe:
return None
render(pppoe_conf, 'accel-ppp/pppoe.config.j2', pppoe)
if dict_search('authentication.mode', pppoe) == 'local':
render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2',
pppoe, permission=0o640)
return None
def apply(pppoe):
systemd_service = 'accel-ppp@pppoe.service'
if not pppoe:
call(f'systemctl stop {systemd_service}')
for file in [pppoe_conf, pppoe_chap_secrets]:
if os.path.exists(file):
os.unlink(file)
return None
if 'restart_required' in pppoe:
call(f'systemctl restart {systemd_service}')
else:
call(f'systemctl reload-or-restart {systemd_service}')
if __name__ == '__main__':
try:
c = get_config()
verify(c)
generate(c)
apply(c)
except ConfigError as e:
print(e)
exit(1)