diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 81f63c53b..a10dcf2c1 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -1,109 +1,113 @@ {# j2lint: disable=operator-enclosed-by-spaces #} ### generated by ipoe.py ### [modules] log_syslog ipoe shaper {# Common authentication backend definitions #} {% include 'accel-ppp/config_modules_auth_mode.j2' %} ippool ipv6pool ipv6_nd ipv6_dhcp {% if snmp is vyos_defined %} net-snmp {% endif %} {% if limits is vyos_defined %} connlimit {% endif %} {% if extended_scripts is vyos_defined %} pppd_compat {% endif %} [core] thread-count={{ thread_count }} [common] {% if max_concurrent_sessions is vyos_defined %} max-starting={{ max_concurrent_sessions }} {% endif %} [log] syslog=accel-ipoe,daemon copy=1 {% if log.level is vyos_defined %} level={{ log.level }} {% endif %} [ipoe] verbose=1 +{% if lua_file is vyos_defined %} +lua-file={{ lua_file }} +{% endif %} {% if interface is vyos_defined %} {% for iface, iface_config in interface.items() %} {% set tmp = 'interface=' %} {% if iface_config.vlan is vyos_defined %} {% set tmp = tmp ~ 're:^' ~ iface ~ '\.' ~ iface_config.vlan | range_to_regex ~ '$' %} {% else %} {% set tmp = tmp ~ iface %} {% endif %} {% set shared = '' %} {% if iface_config.network is vyos_defined('shared') %} {% set shared = 'shared=1,' %} {% elif iface_config.network is vyos_defined('vlan') %} {% set shared = 'shared=0,' %} {% endif %} {% set range = 'range=' ~ iface_config.client_subnet ~ ',' if iface_config.client_subnet is vyos_defined else '' %} {% set relay = ',' ~ 'relay=' ~ iface_config.external_dhcp.dhcp_relay if iface_config.external_dhcp.dhcp_relay is vyos_defined else '' %} {% set giaddr = ',' ~ 'giaddr=' ~ iface_config.external_dhcp.giaddr if iface_config.external_dhcp.giaddr is vyos_defined else '' %} -{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1{{ relay }}{{ giaddr }} +{% set username = ',' ~ 'username=lua:' ~ iface_config.lua_username if iface_config.lua_username is vyos_defined else '' %} +{{ tmp }},{{ shared }}mode={{ iface_config.mode | upper }},ifcfg=1,{{ range }}start=dhcpv4,ipv6=1{{ relay }}{{ giaddr }}{{ username }} {% if iface_config.vlan_mon is vyos_defined %} vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }} {% endif %} {% endfor %} {% endif %} {% if authentication.mode is vyos_defined('noauth') %} noauth=1 {% elif authentication.mode is vyos_defined('local') %} username=ifname password=csid {% endif %} {% if default_pool is vyos_defined %} ip-pool={{ default_pool }} {% endif %} {% if default_ipv6_pool is vyos_defined %} ipv6-pool={{ default_ipv6_pool }} ipv6-pool-delegate={{ default_ipv6_pool }} {% endif %} {% if gateway_address is vyos_defined %} {% for gw_addr in gateway_address %} gw-ip-address={{ gw_addr }} {% endfor %} {% endif %} proxy-arp=1 {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} {# Common IPv6 pool definitions #} {% include 'accel-ppp/config_ipv6_pool.j2' %} {# Common DNS name-server definition #} {% include 'accel-ppp/config_name_server.j2' %} {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} {# Common Extended scripts configuration #} {% include 'accel-ppp/config_extended_scripts.j2' %} {# Common Limits configuration #} {% include 'accel-ppp/config_limits.j2' %} {# Common SNMP definitions #} {% include 'accel-ppp/config_snmp.j2' %} [cli] tcp=127.0.0.1:2002 diff --git a/interface-definitions/service_ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in index 25bc43cc6..27a654f92 100644 --- a/interface-definitions/service_ipoe-server.xml.in +++ b/interface-definitions/service_ipoe-server.xml.in @@ -1,198 +1,222 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="service"> <children> <node name="ipoe-server" owner="${vyos_conf_scripts_dir}/service_ipoe-server.py"> <properties> <help>Internet Protocol over Ethernet (IPoE) Server</help> <priority>900</priority> </properties> <children> <node name="authentication"> <properties> <help>Client authentication methods</help> </properties> <children> #include <include/accel-ppp/auth-mode.xml.i> <tagNode name="interface"> <properties> <help>Network interface for client MAC addresses</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> <children> <tagNode name="mac"> <properties> <help>Media Access Control (MAC) address</help> <valueHelp> <format>macaddr</format> <description>Hardware (MAC) address</description> </valueHelp> <constraint> <validator name="mac-address"/> </constraint> </properties> <children> <node name="rate-limit"> <properties> <help>Upload/Download speed limits</help> </properties> <children> <leafNode name="upload"> <properties> <help>Upload bandwidth limit in kbits/sec</help> <constraint> <validator name="numeric" argument="--range 1-4294967295"/> </constraint> </properties> </leafNode> <leafNode name="download"> <properties> <help>Download bandwidth limit in kbits/sec</help> <constraint> <validator name="numeric" argument="--range 1-4294967295"/> </constraint> </properties> </leafNode> </children> </node> <leafNode name="vlan"> <properties> <help>VLAN monitor for automatic creation of VLAN interfaces</help> <valueHelp> <format>u32:1-4094</format> <description>Client VLAN id</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-4094"/> </constraint> <constraintErrorMessage>VLAN IDs need to be in range 1-4094</constraintErrorMessage> </properties> </leafNode> </children> </tagNode> </children> </tagNode> #include <include/radius-auth-server-ipv4.xml.i> #include <include/accel-ppp/radius-additions.xml.i> <node name="radius"> <children> #include <include/accel-ppp/radius-additions-rate-limit.xml.i> </children> </node> </children> </node> <tagNode name="interface"> <properties> <help>Interface to listen dhcp or unclassified packets</help> <completionHelp> <script>${vyos_completion_dir}/list_interfaces</script> </completionHelp> </properties> <children> <leafNode name="mode"> <properties> <help>Client connectivity mode</help> <completionHelp> <list>l2 l3</list> </completionHelp> <valueHelp> <format>l2</format> <description>Client located on same interface as server</description> </valueHelp> <valueHelp> <format>l3</format> <description>Client located behind a router</description> </valueHelp> <constraint> <regex>(l2|l3)</regex> </constraint> </properties> <defaultValue>l2</defaultValue> </leafNode> <leafNode name="network"> <properties> <help>Enables clients to share the same network or each client has its own vlan</help> <completionHelp> <list>shared vlan</list> </completionHelp> <constraint> <regex>(shared|vlan)</regex> </constraint> <valueHelp> <format>shared</format> <description>Multiple clients share the same network</description> </valueHelp> <valueHelp> <format>vlan</format> <description>One VLAN per client</description> </valueHelp> </properties> <defaultValue>shared</defaultValue> </leafNode> <leafNode name="client-subnet"> <properties> <help>Client address pool</help> <valueHelp> <format>ipv4net</format> <description>IPv4 address and prefix length</description> </valueHelp> <constraint> <validator name="ipv4-prefix"/> </constraint> </properties> </leafNode> <node name="external-dhcp"> <properties> <help>DHCP requests will be forwarded</help> </properties> <children> <leafNode name="dhcp-relay"> <properties> <help>DHCP Server the request will be redirected to.</help> <valueHelp> <format>ipv4</format> <description>IPv4 address of the DHCP Server</description> </valueHelp> <constraint> <validator name="ipv4-address"/> </constraint> </properties> </leafNode> <leafNode name="giaddr"> <properties> <help>Relay Agent IPv4 Address</help> <valueHelp> <format>ipv4</format> <description>Gateway IP address</description> </valueHelp> <constraint> <validator name="ipv4-address"/> </constraint> </properties> </leafNode> </children> </node> + <leafNode name="lua-username"> + <properties> + <help>Username function</help> + <valueHelp> + <format>txt</format> + <description>Name of the function in the Lua file to construct usernames with</description> + </valueHelp> + <constraint> + #include <include/constraint/alpha-numeric-hyphen-underscore.xml.i> + </constraint> + </properties> + </leafNode> #include <include/accel-ppp/vlan.xml.i> #include <include/accel-ppp/vlan-mon.xml.i> </children> </tagNode> + <leafNode name="lua-file"> + <properties> + <help>Lua script file for constructing user names</help> + <valueHelp> + <format>filename</format> + <description>File with Lua script in /config/scripts directory</description> + </valueHelp> + <constraint> + <validator name="file-path" argument="--strict --parent-dir /config/scripts"/> + </constraint> + </properties> + </leafNode> #include <include/accel-ppp/client-ip-pool.xml.i> #include <include/accel-ppp/client-ipv6-pool.xml.i> #include <include/accel-ppp/default-pool.xml.i> #include <include/accel-ppp/default-ipv6-pool.xml.i> #include <include/accel-ppp/extended-scripts.xml.i> #include <include/accel-ppp/gateway-address-multi.xml.i> #include <include/accel-ppp/limits.xml.i> #include <include/accel-ppp/max-concurrent-sessions.xml.i> #include <include/accel-ppp/shaper.xml.i> #include <include/accel-ppp/snmp.xml.i> #include <include/generic-description.xml.i> #include <include/name-server-ipv4-ipv6.xml.i> #include <include/accel-ppp/log.xml.i> </children> </node> </children> </node> </interfaceDefinition> diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index c7e3ef033..a14d4b5b6 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -1,116 +1,135 @@ #!/usr/bin/env python3 # # Copyright (C) 2018-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os from sys import exit from vyos.config import Config from vyos.configdict import get_accel_dict from vyos.configverify import verify_interface_exists from vyos.template import render from vyos.utils.process import call from vyos.utils.dict import dict_search from vyos.accel_ppp_util import get_pools_in_order from vyos.accel_ppp_util import verify_accel_ppp_name_servers from vyos.accel_ppp_util import verify_accel_ppp_wins_servers from vyos.accel_ppp_util import verify_accel_ppp_ip_pool from vyos.accel_ppp_util import verify_accel_ppp_authentication from vyos import ConfigError from vyos import airbag + airbag.enable() ipoe_conf = '/run/accel-pppd/ipoe.conf' ipoe_chap_secrets = '/run/accel-pppd/ipoe.chap-secrets' def get_config(config=None): if config: conf = config else: conf = Config() base = ['service', 'ipoe-server'] if not conf.exists(base): return None # retrieve common dictionary keys ipoe = get_accel_dict(conf, base, ipoe_chap_secrets) if dict_search('client_ip_pool', ipoe): # Multiple named pools require ordered values T5099 - ipoe['ordered_named_pools'] = get_pools_in_order(dict_search('client_ip_pool', ipoe)) + ipoe['ordered_named_pools'] = get_pools_in_order( + dict_search('client_ip_pool', ipoe) + ) ipoe['server_type'] = 'ipoe' return ipoe def verify(ipoe): if not ipoe: return None if 'interface' not in ipoe: raise ConfigError('No IPoE interface configured') for interface, iface_config in ipoe['interface'].items(): verify_interface_exists(ipoe, interface, warning_only=True) if 'client_subnet' in iface_config and 'vlan' in iface_config: - raise ConfigError('Option "client-subnet" and "vlan" are mutually exclusive, ' - 'use "client-ip-pool" instead!') - if 'vlan_mon' in iface_config and not 'vlan' in iface_config: + raise ConfigError( + 'Options "client-subnet" and "vlan" are mutually exclusive, ' + 'use "client-ip-pool" instead!' + ) + if 'vlan_mon' in iface_config and 'vlan' not in iface_config: raise ConfigError('Option "vlan-mon" requires "vlan" to be set!') + if 'lua_username' in iface_config: + if 'lua_file' not in ipoe: + raise ConfigError( + 'Option "lua-username" requires "lua-file" to be set!' + ) + if dict_search('authentication.mode', ipoe) != 'radius': + raise ConfigError( + 'Can configure username with Lua script only for RADIUS authentication' + ) + verify_accel_ppp_authentication(ipoe, local_users=False) verify_accel_ppp_ip_pool(ipoe) verify_accel_ppp_name_servers(ipoe) verify_accel_ppp_wins_servers(ipoe) return None def generate(ipoe): if not ipoe: return None render(ipoe_conf, 'accel-ppp/ipoe.config.j2', ipoe) if dict_search('authentication.mode', ipoe) == 'local': - render(ipoe_chap_secrets, 'accel-ppp/chap-secrets.ipoe.j2', - ipoe, permission=0o640) + render( + ipoe_chap_secrets, 'accel-ppp/chap-secrets.ipoe.j2', ipoe, permission=0o640 + ) return None def apply(ipoe): systemd_service = 'accel-ppp@ipoe.service' - if ipoe == None: + if ipoe is None: call(f'systemctl stop {systemd_service}') for file in [ipoe_conf, ipoe_chap_secrets]: if os.path.exists(file): os.unlink(file) return None - call(f'systemctl reload-or-restart {systemd_service}') + # Accel-pppd does not do soft-reload correctly. + # Most of the changes require restarting the service + call(f'systemctl restart {systemd_service}') + if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)