Python support

Customize the MAG-c behavior by applying user-defined Python scripts to inspect and modify control protocol packets.

Python scripts

Sending or receiving specific control protocol packets can trigger a user-defined Python script. Using the packet as input, the script applies a set of Nokia API calls to inspect and modify the packet. The script outputs the modified packet.

The direction of the triggering protocol message defines when the Python script runs:

ingress – before the subscriber management processing
egress – after the subscriber management processing

For example, when the MAG-c receives a RADIUS Access-Accept message, a user-defined Python script can update the Alc-SLA-Prof-Str attribute in the message to a new SLA profile name. The system processes the modified packet and creates the session with the new SLA profile.

Python version and libraries

MAG-c Python support is based on MicroPython version 3.4. The software includes Nokia-provided APIs and the following standard libraries:

MicroPython libraries
- sys
- uarray
- ubinascii
- ucollections
- uhashlib
- uio
- ure
- ustruct
- utime
  Note: Nokia has modified the implementation of this module. For more information about the use of this module, see the pySROS API documentation provided with the SR OS (nokia.com) documentation.
standard libraries
- datetime
- ipaddress

For more information about the Nokia-provided APIs, see MAG-c TPSDA Python 3 API.

Supported protocol messages

Python is supported for the following HTTP/2 protocols:

Request (ingress and egress)
Response (ingress and egress)

The following tables list the supported protocol message types and direction.

Table 1. Supported direction for RADIUS messages
Message type	Ingress	Egress
Access-Request		✓
Access-Accept	✓
Access-Reject	✓
Account-Request		✓
Account-Response	✓
Access-Challenge	✓

Table 2. Supported direction for RADIUS CoA messages
Message type	Ingress	Egress
CoA Request	✓
DM Request	✓
CoA/DM Reply		✓

Table 3. Supported direction for PPPoE messages
Message type	Ingress	Egress
PADI	✓
PADO		✓
PADR	✓
PADS		✓
PADT	✓	✓
LCP	✓	✓
PAP	✓	✓
CHAP	✓	✓
IPCP	✓	✓
IPv6CP	✓	✓

Table 4. Supported direction for DHCPv4 messages
Message type	Ingress	Egress
Discover	✓	✓ (relay)
Offer	✓ (relay)	✓
Request	✓	✓ (relay)
Ack	✓ (relay)	✓
Decline	✓	✓ (relay)
Nak	✓ (relay)	✓
Release	✓	✓ (relay)
Inform	✓	✓ (relay)
Lease-Query	✓	✓ (relay)

Note: (relay) means supported only for relayed messages.

Table 5. Supported direction for DHCPv6 messages
Message type	Ingress	Egress
Solicit	✓	✓ (relay)
Advertise	✓ (relay)	✓
Request	✓	✓ (relay)
Confirm	✓	✓ (relay)
Renew	✓	✓ (relay)
Rebind	✓	✓ (relay)
Reply	✓ (relay)	✓
Release	✓	✓ (relay)
Decline	✓	✓ (relay)
Info-Request	✓	✓ (relay)
Relay-Forward	✓ (LDRA)	✓ (relay)
Relay-Reply	✓ (relay)	✓ (LDRA)

Note:

(relay) means supported only for relayed messages.
(LDRA) means supported only for lightweight DHCPv6 relay agent (LDRA).

Operational commands

To check if a Python script is in service, use the following command.

show python python-script

To enable debugging for Python, use the following commands.

debug mobile-gateway call-insight bng
debug python python-script

To bring a modified script in service, reload it using one of the following options:

Use the following command.
```
tools perform python-script reload
```
Use the shutdown and no shutdown commands for the modified Python script.

Note: When you modify a signed script, use the following command to sign it again.

tools perform python-script protect

Configuring a Python script

You can customize the MAG-c behavior with a Python script.

Create a Python script file. Save the file on local storage or an FTP server.
Configure the URL of the script file.
```
configure python python-script
```
Note: Because the MAG-c supports only Python 3, you need to specify version python3 when you configure the Python script.
Specify the trigger packet type, the direction, and the corresponding Python script in a Python policy.
```
configure python python-policy
```
Reference the Python policy in the corresponding protocol configuration; for example, inside the RADIUS group for the RADIUS messages.

The following example configures to run the cf3:/test.py Python script file upon sending the RADIUS Access-Request message.

config>python# info
----------------------------------------------
        python-script "test" create version python3
            primary-url "cf3:/test.py"
            no shutdown
        exit
        python-policy "test" create
            radius access-request direction egress script "test"
        exit
----------------------------------------------
config>mobile>profile>radius-group
----------------------------------------------
                server-type both
                interface "toRADIUS"
                radius-profile "default"
                python-policy "test"
                peer 172.16.20.100
                    secret "KrbVPnF6Dg13PM/biw6ErJsxP6jP" hash2
                    no shutdown
                exit
                supported-features
                exit
----------------------------------------------

Protecting a Python script file

You can use a password to protect a Python script file against unauthorized changes. Only a user with the password can load the Python script file.

This procedure provides integrity protection for a Python script. It does not provide confidentiality, that is, a signed file is not encrypted.

Create a plain Python script file.
Sign the Python script file using the HMAC-SHA-256 algorithm.
```
tools perform python-script protect
```
Note:
- Remember the chosen password for the following step and to update the script later.
- If you later modify the script, you must sign the updated script again using this command, and you need to reload the script to bring it in service.
Use the signed script file.
```
configure python python-script protection
```
Use the output file and password of the preceding step.