accel-ppp: T5688: Standardized pool configuration in accel-ppp #2501

Merged
merged 1 commit into from Dec 4, 2023

aapostoliuk
Contributor

Change Summary

Standardized pool configuration for all accel-ppp services.

  1. Only named pools are used now.
  2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format
  3. next-pool can be used in all services
  4. Allows to use in ipoe gw-ip-address without pool configuration which allows to use Framed-IP-Address attribute by radius.
  5. Default pool name should be explicitly configured with default-pool.
  6. In ipoe netmask and range subnet can be different.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

l2tp, sstp, pptp, pppoe, ipoe

Proposed changes

Standardized pool configuration for all accel-ppp services.

  1. Only named pools are used now.
  2. Allows all services to use range in x.x.x.x/mask and x.x.x.x-x.x.x.y format
  3. next-pool can be used in all services
  4. Allows to use in ipoe gw-ip-address without pool configuration which allows to use Framed-IP-Address attribute by radius.
  5. Default pool name should be explicitly configured with default-pool.
  6. In ipoe netmask and range subnet can be different.

New cli to configure client-ip-pool
For l2tp, sstp, pptp, pppoe:
For example:

set vpn sstp client-ip-pool TEST next-pool 'TEST2'
set vpn sstp client-ip-pool TEST range '10.0.0.1/24'
set vpn sstp client-ip-pool TEST2 range '10.0.1.2-10.0.1.10'
set vpn sstp default-pool 'TEST'
set vpn sstp gateway-address '10.0.10.1'

For ipoe:
Allows multiple gateway-address
For example:

set service ipoe-server client-ip-pool TEST next-pool 'TEST2'
set service ipoe-server client-ip-pool TEST range '10.0.0.3-10.0.0.7'
set service ipoe-server client-ip-pool TEST2 range '10.0.1.2/25'
set service ipoe-server default-pool 'TEST'
set service ipoe-server gateway-address '10.0.0.100/24'
set service ipoe-server gateway-address '10.0.1.1/24'

Smoketests were added
Migration scripts were added

How to test

Smoketest result

vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_service_ipoe-server.py
test_accel_ipv4_pool (__main__.TestServiceIPoEServer.test_accel_ipv4_pool) ... ok
test_accel_local_authentication (__main__.TestServiceIPoEServer.test_accel_local_authentication) ...
No IPoE interface configured

ok
test_accel_name_servers (__main__.TestServiceIPoEServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestServiceIPoEServer.test_accel_next_pool) ... ok
test_accel_radius_authentication (__main__.TestServiceIPoEServer.test_accel_radius_authentication) ... ok

----------------------------------------------------------------------
Ran 5 tests in 17.198s

OK
vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_service_pppoe-server.py
test_accel_ipv4_pool (__main__.TestServicePPPoEServer.test_accel_ipv4_pool) ... ok
test_accel_local_authentication (__main__.TestServicePPPoEServer.test_accel_local_authentication) ...
User "test" has rate-limit configured for only one direction but both
upload and download must be given!

ok
test_accel_name_servers (__main__.TestServicePPPoEServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestServicePPPoEServer.test_accel_next_pool) ... ok
test_accel_radius_authentication (__main__.TestServicePPPoEServer.test_accel_radius_authentication) ... ok
test_pppoe_server_authentication_protocols (__main__.TestServicePPPoEServer.test_pppoe_server_authentication_protocols) ... ok
test_pppoe_server_client_ipv6_pool (__main__.TestServicePPPoEServer.test_pppoe_server_client_ipv6_pool) ... ok
test_pppoe_server_ppp_options (__main__.TestServicePPPoEServer.test_pppoe_server_ppp_options) ... ok
test_pppoe_server_shaper (__main__.TestServicePPPoEServer.test_pppoe_server_shaper) ... ok
test_pppoe_server_vlan (__main__.TestServicePPPoEServer.test_pppoe_server_vlan) ... ok

----------------------------------------------------------------------
Ran 10 tests in 35.494s

OK
vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_l2tp.py
test_accel_ipv4_pool (__main__.TestVPNL2TPServer.test_accel_ipv4_pool) ... ok
test_accel_local_authentication (__main__.TestVPNL2TPServer.test_accel_local_authentication) ... ok
test_accel_name_servers (__main__.TestVPNL2TPServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestVPNL2TPServer.test_accel_next_pool) ... ok
test_accel_radius_authentication (__main__.TestVPNL2TPServer.test_accel_radius_authentication) ... ok

----------------------------------------------------------------------
Ran 5 tests in 15.934s

OK
vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_pptp.py
test_accel_ipv4_pool (__main__.TestVPNPPTPServer.test_accel_ipv4_pool) ... ok
test_accel_local_authentication (__main__.TestVPNPPTPServer.test_accel_local_authentication) ... ok
test_accel_name_servers (__main__.TestVPNPPTPServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestVPNPPTPServer.test_accel_next_pool) ... ok
test_accel_radius_authentication (__main__.TestVPNPPTPServer.test_accel_radius_authentication) ... ok

----------------------------------------------------------------------
Ran 5 tests in 15.801s

OK
vyos@vyos:~$ /usr/libexec/vyos/tests/smoke/cli/test_vpn_sstp.py
test_accel_ipv4_pool (__main__.TestVPNSSTPServer.test_accel_ipv4_pool) ... ok
test_accel_local_authentication (__main__.TestVPNSSTPServer.test_accel_local_authentication) ...
User "test" has rate-limit configured for only one direction but both
upload and download must be given!

ok
test_accel_name_servers (__main__.TestVPNSSTPServer.test_accel_name_servers) ... ok
test_accel_next_pool (__main__.TestVPNSSTPServer.test_accel_next_pool) ... ok
test_accel_radius_authentication (__main__.TestVPNSSTPServer.test_accel_radius_authentication) ... ok

----------------------------------------------------------------------
Ran 5 tests in 21.661s

OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
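
The pool rules in the description above (both range formats, next-pool, default-pool), checked in one place, as an added example that is not part of this PR or of VyOS. `parse_range`, `check_pools`, the stricter name pattern and the rule that a looping next-pool chain is an error are assumptions of this example.

```python
import ipaddress
import re

# Assumption: a stricter name rule than the PR's [-_a-zA-Z0-9.]+ (first character alphanumeric).
POOL_NAME = re.compile(r'[A-Za-z0-9][-_A-Za-z0-9.]*')

def parse_range(text):
    """Return (first, last) for 'x.x.x.x/mask' or 'x.x.x.x-x.x.x.y'; raise ValueError otherwise."""
    if '/' in text:
        # strict=False because the description's own example, 10.0.0.1/24, has host bits set
        net = ipaddress.IPv4Network(text, strict=False)
        return net.network_address, net.broadcast_address
    first, sep, last = text.partition('-')
    if not sep:
        raise ValueError(f'not a range: {text!r}')
    first, last = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if first > last:
        raise ValueError(f'range runs backwards: {text!r}')
    return first, last

def check_pools(pools, default_pool=None):
    """pools maps name -> {'range': str, 'next-pool': str or absent}; returns a list of problems."""
    problems = []
    if default_pool is not None and default_pool not in pools:
        problems.append(f'default-pool {default_pool!r} is not defined')
    for name, cfg in pools.items():
        if not POOL_NAME.fullmatch(name):
            problems.append(f'{name!r}: invalid pool name')
        try:
            parse_range(cfg.get('range', ''))
        except ValueError as exc:
            problems.append(f'{name!r}: {exc}')
        nxt = cfg.get('next-pool')
        if nxt is not None and nxt not in pools:
            problems.append(f'{name!r}: next-pool {nxt!r} is not defined')
        # Assumption: a next-pool chain that arrives back at this pool is a mistake.
        seen, cur = set(), name
        while cur in pools and cur not in seen:
            seen.add(cur)
            cur = pools[cur].get('next-pool')
        if cur == name:
            problems.append(f'{name!r}: next-pool chain loops')
    return problems

# The sstp example from the description above.
SSTP = {'TEST': {'range': '10.0.0.1/24', 'next-pool': 'TEST2'},
        'TEST2': {'range': '10.0.1.2-10.0.1.10'}}
# Constructed bad input: punctuation-only name, reversed range, dangling next-pool.
BAD = {'...': {'range': '10.0.0.9-10.0.0.1', 'next-pool': 'MISSING'}}

if __name__ == '__main__':
    print(check_pools(SSTP, 'TEST'), check_pools(BAD, 'TEST'))
```
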

@vyosbot requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team, November 17, 2023 16:56
@aapostoliuk changed the title from "accel-ppp:T5688:Standardized pool configuration in accel-ppp" to "accel-ppp: T5688: Standardized pool configuration in accel-ppp", Nov 17, 2023
Member

@dmbaturin left a comment

I like the idea but I pointed out a few things that can be improved.

data/templates/accel-ppp/config_chap_secrets_radius.j2 (outdated, resolved)
data/templates/accel-ppp/config_ip_pool.j2 (outdated, resolved)
</valueHelp>
<valueHelp>
<format>ipv4range</format>
<description>IPv4 address range inside /24 network</description>
Member

accel-ppp disallows larger ranges?

Contributor Author

Yes. I took it from their manual.

x.x.x.x/mask[,name=pool_name][,next=next_pool_name]     or     x.x.x.x-y[,name=pool_name][,next=next_pool_name]
              Also specifies range of remote address of ppp interfaces.

Member

Could you link me to the relevant section? The part you quote doesn't say anything about /24 specifically.

Contributor Author

https://docs.accel-ppp.org/configuration/ip-pool.html
But these docs are with old info. The latest docs are in manuals from sources of accel-ppp

<description>Name of IP pool</description>
</valueHelp>
<constraint>
<regex>[-_a-zA-Z0-9.]+</regex>
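
Review bot: The character class in `<regex>[-_a-zA-Z0-9.]+</regex>` accepts a name made only of punctuation, so a pool called `...` or `-._.-` passes this constraint. Require an alphanumeric first character, for example `[a-zA-Z0-9][-_a-zA-Z0-9.]*`, and state the allowed characters in the help text next to "Name of IP pool".
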
Member

I can't remember if accel-ppp has constraints on pool names, but this regex feels too lax, e.g., it allows ... or -._.- as valid pool names.

interface-definitions/include/accel-ppp/default-pool.xml.i (outdated, resolved)
<description>Default Gateway, mask send to the client</description>
</valueHelp>
<constraint>
<validator name="ipv4-prefix"/>
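
Review bot: The help string on the first line, "Default Gateway, mask send to the client", should read "mask sent to the client". The `ipv4-prefix` validator is the only constraint visible in these lines, so nothing here restricts the address part; if the gateway is meant to be a host address inside the prefix, say so in the description or add a second check.
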
Member

Do we really allow network addresses like 192.0.2.0/25 as gateway addresses? Technically, in peer-to-peer networks, it may work, but I'd like to clarify that.

Contributor Author

Accel-PPP allows it. I have checked it on ipoe and it works.

set service ipoe-server authentication mode 'noauth'
set service ipoe-server client-ip-pool TEST range '10.0.0.3-10.0.0.7'
set service ipoe-server gateway-address '10.0.0.0/25'

On client side:

PC2> ip dhcp
DORA IP 10.0.0.3/25 GW 10.0.0.0

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 10.0.0.3/25
GATEWAY     : 10.0.0.0
DNS         :
DHCP SERVER : 10.0.0.0
DHCP LEASE  : 595, 600/300/525
MAC         : 00:50:79:66:68:01
LPORT       : 20025
RHOST:PORT  : 127.0.0.1:20026
MTU         : 1500

PC2> ping 1.1.1.1

84 bytes from 1.1.1.1 icmp_seq=1 ttl=64 time=0.833 ms
84 bytes from 1.1.1.1 icmp_seq=2 ttl=64 time=1.421 ms

I think it is a network engineer's responsibility to set a proper IP address.

python/vyos/accel_ppp_util.py (outdated, resolved)
@@ -0,0 +1,59 @@
#!/bin/bash
Member

I believe I should add a range option to ipaddrcheck. I'll look into it; if it takes a while, we can merge this first, then replace the validator part.

src/migration-scripts/ipoe-server/1-to-2 (outdated, resolved)
src/migration-scripts/pppoe-server/6-to-7 (outdated, resolved)
src/migration-scripts/pptp/2-to-3 (outdated, resolved)
src/migration-scripts/sstp/4-to-5 (outdated, resolved)
def test_accel_name_servers(self):
self.basic_config()
self.cli_commit()
self.assertTrue(True)
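
Review bot: `self.assertTrue(True)` on the last line can never fail, so test_accel_name_servers only shows that `self.basic_config()` and `self.cli_commit()` do not raise. Assert on the result of the commit instead, or skip the test with a stated reason until there is something to check.
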
Member

What's the use case of a smoketest asserting True all the time?

Contributor Author

I have changed to skip this test.

Contributor Author

I have created a test.

def test_accel_local_authentication(self):
self.basic_config()
self.cli_commit()
self.assertTrue(True)
Member

What's the use case of a smoketest asserting True all the time?

Contributor Author

I have changed to skip this test.

Contributor Author

I have created a test.

def test_accel_name_servers(self):
self.basic_config()
self.cli_commit()
self.assertTrue(True)
Member

What's the use case of a smoketest asserting True all the time?

Contributor Author

I have changed to skip this test.

Contributor Author

I have created a test.

Standardized pool configuration for all accel-ppp services.
1. Only named pools are used now.
2. Allows all services to use range in x.x.x.x/mask
   and x.x.x.x-x.x.x.y format
3. next-pool can be used in all services
2. Allows to use in ipoe gw-ip-address without pool configuration
   which allows to use Framed-IP-Address attribute by radius.
3. Default pool name should be explicitly configured
   with default-pool.
4. In ipoe netmask and range subnet can be different.
@c-po merged commit 8d3e287 into vyos:current on Dec 4, 2023
7 checks passed
Member

c-po commented Dec 28, 2023

@Mergifyio backport sagitta

mergify bot commented Dec 28, 2023

backport sagitta

✅ Backports have been created

dmbaturin added a commit that referenced this pull request Dec 28, 2023
accel-ppp: T5688: Standardized pool configuration in accel-ppp (backport #2501)