It will be helpful to use RADIUS attribute NAS-Filter-Rule to provide a possibility to define firewall rules for the client ppp interface.
I think we can use pppd_compat module to utilize this feature.
https://accel-ppp.readthedocs.io/en/latest/configuration/pppd_compat.html
The main goal to get defined via CLI firewall rules and apply these rules when the session started (or by CoA request) and delete it when stopped.
This attribute and other attributes received via RADIUS we can get from a specially created files radattr-prefix=/var/run/radattr.pppoeX