ipoe_server: T6872: Add the ability to configure LUA scripts and username #4196

Open
wants to merge 1 commit into
base: current

natali-rs1985 (Contributor) commented Nov 18, 2024

Change Summary

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

service ipoe-server

Proposed changes

Added ability to configure username with LUA script:

set service ipoe-server lua-file <path_to_lua_file>
set service ipoe-server interface eth1 lua-username <username_func>

Also changed the systemctl action from reload-or-restart to restart, because accel-ppp doesn't apply changes to the configuration with the reload-or-restart action.

How to test

Example of the lua file:

vyos@vyos# cat /config/ipoe.lua
#!lua
function username_func(pkt)
    local username=pkt:hwaddr()
    return username
end

Config:

set service ipoe-server authentication mode 'radius'
set service ipoe-server authentication radius server 127.0.0.1 key 'vyos-secret'
set service ipoe-server client-ip-pool POOL range '192.168.10.5-192.168.10.100'
set service ipoe-server default-pool 'POOL'
set service ipoe-server gateway-address '192.168.10.1/24'
set service ipoe-server interface eth1 mode 'l2'
set service ipoe-server interface eth1 network 'shared'
set service ipoe-server name-server '1.1.1.1'
set service ipoe-server name-server '198.168.10.1'

set service ipoe-server interface eth1 lua-username 'username_func'
set service ipoe-server lua-file '/config/scripts/ipoe.lua'

Logs

Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:: send [RADIUS(1) Access-Request id=1 <User-Name "0c:dd:ab:38:00:01"> <NAS-Port 352> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "0c:dd:ab:38:00:01"> <Called-Station-Id "eth1"> <User-Password 0xa6b74758d04d3f60be39e9c349fdbc8654fb4a586e8e5859b7c72c9e82937320>]
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:: recv [RADIUS(1) Access-Accept id=1 <Service-Type Framed-User> <Framed-Pool "POOL"> <Stateful-IPv6-Address-Pool "IPv6-POOL"> <Delegated-IPv6-Prefix-Pool "IPv6-POOL"> <Framed-Protocol PPP>]
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:0c:dd:ab:38:00:01: 0c:dd:ab:38:00:01: authentication succeeded
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:0c:dd:ab:38:00:01: ipoe: no free IPv6 address
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:0c:dd:ab:38:00:01: send [RADIUS(1) Accounting-Request id=1 <User-Name "0c:dd:ab:38:00:01"> <NAS-Port 352> <NAS-Port-Id "ipoe0"> <NAS-Port-Type Ethernet> <Calling-Station-Id "0c:dd:ab:38:00:01"> <Called-Station-Id "eth1"> <Acct-Status-Type Start> <Acct-Authentic RADIUS> <Acct-Session-Id "b2e7d371f7638e00"> <Acct-Session-Time 0> <Acct-Input-Octets 0> <Acct-Output-Octets 0> <Acct-Input-Packets 0> <Acct-Output-Packets 0> <Acct-Input-Gigawords 0> <Acct-Output-Gigawords 0> <Framed-IP-Address 192.168.10.5>]
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:0c:dd:ab:38:00:01: recv [RADIUS(1) Accounting-Response id=1]
Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:0c:dd:ab:38:00:01: ipoe: session started

Smoketest result

vyos@vyos# python3 /usr/libexec/vyos/tests/smoke/cli/test_service_ipoe-server.py
test_accel_ipv4_pool (__main__.TestServiceIPoEServer.test_accel_ipv4_pool) ... ok
test_accel_ipv6_pool (__main__.TestServiceIPoEServer.test_accel_ipv6_pool) ... ok
test_accel_limits (__main__.TestServiceIPoEServer.test_accel_limits) ... ok
test_accel_local_authentication (__main__.TestServiceIPoEServer.test_accel_local_authentication) ... ok
test_accel_log_level (__main__.TestServiceIPoEServer.test_accel_log_level) ... ok
test_accel_name_servers (__main__.TestServiceIPoEServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestServiceIPoEServer.test_accel_next_pool) ... ok
test_accel_ppp_options (__main__.TestServiceIPoEServer.test_accel_ppp_options) ... skipped 'PPP is not a part of IPoE'
test_accel_radius_authentication (__main__.TestServiceIPoEServer.test_accel_radius_authentication) ... ok
test_accel_shaper (__main__.TestServiceIPoEServer.test_accel_shaper) ... ok
test_accel_snmp (__main__.TestServiceIPoEServer.test_accel_snmp) ... ok
test_accel_wins_server (__main__.TestServiceIPoEServer.test_accel_wins_server) ... skipped 'WINS server is not used in IPoE'
test_ipoe_server_vlan (__main__.TestServiceIPoEServer.test_ipoe_server_vlan) ... ok

----------------------------------------------------------------------
Ran 13 tests in 123.136s

OK (skipped=2)

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
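
A check for the "How to test" step above, added here as an example (it is not part of the PR or of vyos-1x): it parses accel-ppp RADIUS log lines in the format shown under Logs and confirms that each Access-Request carries the client MAC as User-Name, which is what `username_func` returns. The function names and the sample lines are constructed, and the check assumes Calling-Station-Id holds the client MAC, as it does in the log above.

```python
import re

# One RADIUS message as accel-ppp logs it: direction, packet type, id, attributes.
RADIUS_RE = re.compile(
    r'(?P<dir>send|recv) \[RADIUS\(\d+\) (?P<type>[\w-]+) id=(?P<id>\d+)(?P<attrs>.*)\]')
# One attribute, <Name value>; the value is a quoted string or a bare token.
ATTR_RE = re.compile(r'<(?P<name>[\w-]+) (?:"(?P<quoted>[^"]*)"|(?P<bare>[^>]*))>')
MAC_RE = re.compile(r'^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$', re.I)

# Constructed sample lines in the format of the log above (not captured output).
SAMPLE_LOG = [
    'Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:: send [RADIUS(1) Access-Request id=1 '
    '<User-Name "02:00:00:00:00:01"> <NAS-Port-Id "ipoe0"> '
    '<Calling-Station-Id "02:00:00:00:00:01"> <Called-Station-Id "eth1">]',
    'Nov 15 20:30:18 vyos accel-ipoe[18180]: ipoe0:: recv [RADIUS(1) Access-Accept id=1 '
    '<Service-Type Framed-User> <Framed-Pool "POOL">]',
    'Nov 15 20:30:19 vyos accel-ipoe[18180]: ipoe1:: send [RADIUS(1) Access-Request id=2 '
    '<User-Name "eth1"> <Calling-Station-Id "02:00:00:00:00:02"> <Called-Station-Id "eth1">]',
]

def parse_radius(line):
    """Return direction, type, id and attributes of a logged RADIUS message, or None."""
    m = RADIUS_RE.search(line)
    if not m:
        return None
    attrs = {}
    for a in ATTR_RE.finditer(m['attrs']):
        attrs[a['name']] = a['quoted'] if a['quoted'] is not None else a['bare']
    return {'dir': m['dir'], 'type': m['type'], 'id': int(m['id']), 'attrs': attrs}

def check_usernames(lines):
    """Split Access-Requests into usernames that are the client MAC and ones that are not."""
    ok, problems = [], []
    for line in lines:
        msg = parse_radius(line)
        if not msg or msg['dir'] != 'send' or msg['type'] != 'Access-Request':
            continue
        user = msg['attrs'].get('User-Name')
        station = msg['attrs'].get('Calling-Station-Id')
        if user is None or not MAC_RE.match(user) or user != station:
            problems.append((msg['id'], user))   # the Lua function was not applied as expected
        else:
            ok.append(user)
    return ok, problems

if __name__ == '__main__':
    print(check_usernames(SAMPLE_LOG))
```
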


github-actions bot commented Nov 18, 2024

👍
No issues in PR Title / Commit Title

<help>Username function</help>
<valueHelp>
<format>txt</format>
<description>Name of function in lua file to construct username</description>
Member

Suggested change
<description>Name of function in lua file to construct username</description>
<description>Name of the function in the Lua file to construct usernames with</description>

"Lua" is a proper name and should be capitalized.

#include <include/accel-ppp/vlan.xml.i>
#include <include/accel-ppp/vlan-mon.xml.i>
</children>
</tagNode>
<leafNode name="lua-file">
<properties>
<help>File containing lua function for create username</help>
Member

Suggested change
<help>File containing lua function for create username</help>
<help>Lua script file for constructing user names</help>

<help>File containing lua function for create username</help>
<valueHelp>
<format>filename</format>
<description>File with LUA script</description>
Member

Suggested change
<description>File with LUA script</description>
<description>File with Lua script</description>

"Lua" is not an acronym, it's a Portuguese word that means "the moon".

'use "client-ip-pool" instead!')
if 'vlan_mon' in iface_config and not 'vlan' in iface_config:
raise ConfigError(
'Option "client-subnet" and "vlan" are mutually exclusive, '
Member

Suggested change
'Option "client-subnet" and "vlan" are mutually exclusive, '
'Options "client-subnet" and "vlan" are mutually exclusive, '

Missed plural.

raise ConfigError(f'File {ipoe["lua_file"]} does not exist')
if dict_search('authentication.mode', ipoe) != 'radius':
raise ConfigError(
'Can configure username with LUA script only for RADIUS authentication'
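
Review bot: In the `lua_file` check, the only validation visible before the "does not exist" error is that the path exists. accel-ppp will load and run this file, so verify() should also reject a path that is not a regular file, and it would be worth refusing a script that is writable by unprivileged users or lives outside the configuration directory. The error message could then say which of those conditions failed instead of only reporting absence.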
Member

Suggested change
'Can configure username with LUA script only for RADIUS authentication'
'Can configure username with Lua script only for RADIUS authentication'

call(f'systemctl stop {systemd_service}')
for file in [ipoe_conf, ipoe_chap_secrets]:
if os.path.exists(file):
os.unlink(file)

return None

call(f'systemctl reload-or-restart {systemd_service}')
call(f'systemctl restart {systemd_service}')
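
Review bot: The `systemctl restart` call that replaces `reload-or-restart` has no code comment explaining the change. Add one directly above the call stating that accel-ppp does not apply configuration changes on reload, so the line is not reverted later and can be revisited once a working reload exists. Since every commit to this service now triggers a full restart, that behaviour belongs in the user documentation as well.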
Member

Why force a restart? reload-or-restart tries if daemon soft-reload is implemented and if not it will hard-restart the daemon.

sever-sever (Member), Nov 20, 2024

Accel-ppp does not do it correctly (not implemented in accel-pppd).
Most of the changes required restarting the service.

Member

Its restart doesn't interrupt user sessions, or does it?

sever-sever (Member), Nov 22, 2024

> Its restart doesn't interrupt user sessions, or does it?

It will drop user sessions.
Otherwise, you have to drop the whole IPoE config or restart manually.

dmbaturin (Member) left a comment

Looks good to me now. I think the motivation for hard restart should be documented in the comments, so that no one wonders about it in the future — or, when accel-ppp implements a soft reload, can spot it as untrue and change it.


CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed
