Add pppoe-server CLI custom script feature
Backport candidate, Requires assessment | Public | FEATURE REQUEST

Description

This should provide the possibility to get and parse RADIUS attributes via a shell script and then execute commands. As an example, add a user with a negative deposit to ipset and redirect to the captive portal.
The second scenario where it will be helpful is creating a custom shaper with some smart logic.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Dmitry renamed this task from Add pppoe CLI custom script feature to Add pppoe-server CLI custom script feature. May 14 2021, 6:40 PM
Dmitry created this task.

As I understand it, this is the needed section:

[pppd-compat]
verbose=1
#ip-pre-up=/etc/ppp/ip-pre-up
ip-up=/etc/ppp/ip-up
ip-down=/etc/ppp/ip-down
#ip-change=/etc/ppp/ip-change
radattr-prefix=/var/run/radattr
#fork-limit=16

@Dmitry Do you have any idea for the CLI?

I propose something like

set service pppoe-server extended-scripts on-pre-up <path>
set service pppoe-server extended-scripts on-up <path>
set service pppoe-server extended-scripts on-down <path>
set service pppoe-server extended-scripts on-change <path>

Dmitry changed the task status from Open to In progress. Jun 1 2021, 9:02 AM
Dmitry claimed this task.

PR https://github.com/vyos/vyos-1x/pull/860
To make it possible for a script to read RADIUS attributes, the radattr=/run/radattr param also needs to be defined.

Extended scripts receive the following variables from the PPPoE daemon:

$1 - Interface name
$4 - Tunnel GW IP address
$5 - Delegated IP address to the client
$6 - Calling Station ID (MAC)

For example, how to get the received RADIUS attributes.
Note: in this case, the Filter-Id attribute is used as an indicator for adding a blocked user to ipset.

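configure
set firewall group address-group blocked
commit

#!/bin/sh

# $1 = interface name, $5 = IP address delegated to the client
if [ -f "/run/accel-pppd/radattr.$1" ]; then
     # The Filter-Id value names the ipset the client address is added to
     FILTER=$(/bin/awk '/Filter-Id/ {print $2}' "/run/accel-pppd/radattr.$1")
     if [ -n "$FILTER" ]; then
         ipset add "$FILTER" "$5"
     fi
fi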

In the log we will see

Jun 02 08:41:53 vyos accel-pppoe[1594]: eth1:: recv [RADIUS(1) Access-Accept id=1 <Filter-Id "blocked">]
...
Jun 02 08:41:53 vyos accel-pppoe[1594]: ppp0:20: recv [IPCP ConfReq id=3 <addr 100.64.0.11> <dns1 1.1.1.1>]
...
Jun 02 08:41:53 vyos accel-pppoe[1594]: ppp0:20: pppd_compat: ip-up started (pid 4198)
Jun 02 08:41:54 vyos accel-pppoe[1594]: ppp0:20: pppd_compat: ip-up finished (0)

Check ipset

[email protected]# run show firewall group blocked 
Name       : blocked
Type       : address
References : none
Members    :
             100.64.0.11
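
A stricter variant of the ip-up script in the comment above, added here as an example and not part of the task or the VyOS code base: it checks the interface name and client address and only accepts a Filter-Id value that is on a local allowlist before calling ipset. `RADATTR_DIR`, `IPSET` and `ALLOWED_SETS` are hypothetical overrides, and the radattr file is assumed to hold one `Name value` pair per line, as the awk call above implies.

```shell
#!/bin/sh
# Added example, not the task author's script. RADATTR_DIR, IPSET and
# ALLOWED_SETS are hypothetical overrides for configuration and dry runs.
RADATTR_DIR="${RADATTR_DIR:-/run/accel-pppd}"
IPSET="${IPSET:-ipset}"
ALLOWED_SETS="${ALLOWED_SETS:-blocked}"   # set names RADIUS may select

# Reject empty names and anything that could alter the radattr path.
valid_ifname() {
    case "$1" in
        ""|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# Accept only dotted-quad IPv4 with four octets in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the Filter-Id value; exact match on the attribute name (field 1).
get_filter_id() {
    [ -f "$RADATTR_DIR/radattr.$1" ] || return 1
    awk '$1 == "Filter-Id" { print $2; exit }' "$RADATTR_DIR/radattr.$1"
}

# $1 = interface name, $5 = client IP, as listed in the task.
main() {
    valid_ifname "$1" || { echo "ip-up: bad interface name" >&2; return 2; }
    valid_ipv4 "$5"   || { echo "ip-up: bad client address" >&2; return 2; }
    set_name=$(get_filter_id "$1") || return 0   # no radattr file
    [ -n "$set_name" ] || return 0               # no Filter-Id received
    for allowed in $ALLOWED_SETS; do
        if [ "$set_name" = "$allowed" ]; then
            "$IPSET" -exist add "$set_name" "$5"   # re-add is not an error
            return
        fi
    done
    echo "ip-up: Filter-Id '$set_name' is not an allowed set" >&2
    return 3
}

if [ "$#" -ge 5 ]; then main "$@"; fi
```

Setting `IPSET=echo` in the environment prints the command the script would run instead of changing a set.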

Dmitry changed the task status from In progress to Needs testing. Dec 2 2021, 6:07 PM
Dmitry changed the task status from Needs testing to Backport candidate. Dec 9 2021, 10:31 AM
Dmitry added a project: VyOS 1.3 Equuleus.