pppoe-server NAS-Filter-Rule attribute
Open, Requires assessment | Public | FEATURE REQUEST

Description

It will be helpful to use the RADIUS attribute NAS-Filter-Rule to make it possible to define firewall rules for the client ppp interface.
I think we can use the pppd_compat module to utilize this feature.
https://accel-ppp.readthedocs.io/en/latest/configuration/pppd_compat.html

The main goal is to take firewall rules defined via the CLI, apply them when the session starts (or on a CoA request), and delete them when it stops.
We can get this attribute, and other attributes received via RADIUS, from specially created files: radattr-prefix=/var/run/radattr.pppoeX

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

Implementation steps:

  1. Add $INCLUDE dictionary.rfc4849 to the /usr/share/accel-ppp/radius/dictionary file
  2. Add the modules required to use the ip-pre-up/ip-up/ip-down scripts

         [modules]
         sigchld
         pppd_compat

     And the pppd_compat params

         [pppd-compat]
         verbose=1
         ip-pre-up=/path/to/ip-pre-up
         radattr-prefix=/var/run/radattr

  3. Create an ip-pre-up/ip-down script which will get the configured firewall names and rules from the CLI or a supported script

Note: When ip-pre-up returns 1, the session will not start, as described in https://tools.ietf.org/html/rfc4849
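
One way the ip-pre-up script from the last step could read and validate NAS-Filter-Rule values before any firewall change, as an added example that is not VyOS or accel-ppp code. It assumes the radattr file holds one `Name value` pair per line, that the interface name is the script's first argument, and that each attribute carries a single rule; it accepts only a subset of the IPFilterRule syntax and exits non-zero on anything else, so the session is not started with a rule that could not be parsed.

```python
# Added example: hypothetical ip-pre-up helper, not VyOS or accel-ppp code.
import ipaddress
import json
import re
import sys

RADATTR_PREFIX = "/var/run/radattr"  # radattr-prefix from [pppd-compat]
# Supported IPFilterRule subset: action dir proto from src [ports] to dst [ports]
RULE_RE = re.compile(
    r"(permit|deny) (in|out) (ip|\d{1,3}) "
    r"from (\S+)(?: (\d[\d,-]*))? to (\S+)(?: (\d[\d,-]*))?")

def parse_addr(token):
    """Return 'any', 'assigned' or a normalised prefix; ValueError otherwise."""
    if token in ("any", "assigned"):
        return token
    return str(ipaddress.ip_network(token, strict=False))

def parse_rule(text):
    """Turn one rule string into validated fields; never pass raw text on."""
    m = RULE_RE.fullmatch(text.strip())
    if not m or (m[3] != "ip" and int(m[3]) > 255):
        raise ValueError(f"unsupported NAS-Filter-Rule: {text!r}")
    action, direction, proto, src, sport, dst, dport = m.groups()
    return {"action": action, "dir": direction, "proto": proto,
            "src": parse_addr(src), "sport": sport,
            "dst": parse_addr(dst), "dport": dport}

def read_filter_rules(lines):
    """Collect NAS-Filter-Rule values from 'Name value' lines (assumed format)."""
    pairs = (line.strip().partition(" ") for line in lines)
    return [parse_rule(v) for name, _, v in pairs if name == "NAS-Filter-Rule"]

def main(argv):
    ifname = argv[1] if len(argv) > 1 else ""  # assumed: interface is argv[1]
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", ifname):
        return 1  # refuse names that could escape the radattr path
    try:
        with open(f"{RADATTR_PREFIX}.{ifname}") as fh:
            rules = read_filter_rules(fh)
    except (OSError, ValueError) as exc:
        print(f"ip-pre-up: {exc}", file=sys.stderr)
        return 1  # non-zero exit: the session is not started
    print(json.dumps(rules))  # validated fields for the firewall backend
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the rule text comes from the RADIUS server, only the parsed fields, never the raw string, should reach the firewall commands.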