diff options
Diffstat (limited to 'data/templates')
-rw-r--r-- | data/templates/accel-ppp/l2tp.config.j2 | 8 | ||||
-rw-r--r-- | data/templates/container/storage.conf.j2 | 2 | ||||
-rw-r--r-- | data/templates/dhcp-server/dhcpd.conf.j2 | 4 | ||||
-rw-r--r-- | data/templates/firewall/nftables-defines.j2 | 13 | ||||
-rw-r--r-- | data/templates/high-availability/keepalived.conf.j2 | 12 | ||||
-rw-r--r-- | data/templates/protocols/systemd_vyos_failover_service.j2 | 11 | ||||
-rw-r--r-- | data/templates/router-advert/radvd.conf.j2 | 7 | ||||
-rw-r--r-- | data/templates/snmp/etc.snmpd.conf.j2 | 1 | ||||
-rw-r--r-- | data/templates/squid/sg_acl.conf.j2 | 1 | ||||
-rw-r--r-- | data/templates/squid/squidGuard.conf.j2 | 122 | ||||
-rw-r--r-- | data/templates/sstp-client/peer.j2 | 9 | ||||
-rw-r--r-- | data/templates/system/ssh_config.j2 | 3 |
12 files changed, 168 insertions, 25 deletions
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index 3d1e835a9..5914fd375 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -126,7 +126,13 @@ ipv6={{ ppp_ipv6 }} {% else %} {{ 'ipv6=allow' if client_ipv6_pool_configured else '' }} {% endif %} - +{% if ppp_ipv6_intf_id is vyos_defined %} +ipv6-intf-id={{ ppp_ipv6_intf_id }} +{% endif %} +{% if ppp_ipv6_peer_intf_id is vyos_defined %} +ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }} +{% endif %} +ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }} {% if client_ipv6_pool %} [ipv6-pool] diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 index 665f9bf95..39a072c70 100644 --- a/data/templates/container/storage.conf.j2 +++ b/data/templates/container/storage.conf.j2 @@ -1,4 +1,4 @@ ### Autogenerated by container.py ### [storage] - driver = "vfs" + driver = "overlay2" graphroot = "/usr/lib/live/mount/persistence/container/storage" diff --git a/data/templates/dhcp-server/dhcpd.conf.j2 b/data/templates/dhcp-server/dhcpd.conf.j2 index 4c2da0aa5..639526532 100644 --- a/data/templates/dhcp-server/dhcpd.conf.j2 +++ b/data/templates/dhcp-server/dhcpd.conf.j2 @@ -22,6 +22,7 @@ ddns-update-style {{ 'interim' if dynamic_dns_update is vyos_defined else 'none' option rfc3442-static-route code 121 = array of integer 8; option windows-static-route code 249 = array of integer 8; option wpad-url code 252 = text; +option rfc8925-ipv6-only-preferred code 108 = unsigned integer 32; # Vendor specific options - Ubiquiti Networks option space ubnt; @@ -127,6 +128,9 @@ shared-network {{ network }} { {% if subnet_config.wins_server is vyos_defined %} option netbios-name-servers {{ subnet_config.wins_server | join(', ') }}; {% endif %} +{% if subnet_config.ipv6_only_preferred is vyos_defined %} + option rfc8925-ipv6-only-preferred {{ subnet_config.ipv6_only_preferred }}; +{% endif %} {% if subnet_config.static_route is vyos_defined %} {% set static_default_route = '' %} {% if subnet_config.default_router is vyos_defined %} diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2 index dd06dee28..0a7e79edd 100644 --- a/data/templates/firewall/nftables-defines.j2 +++ b/data/templates/firewall/nftables-defines.j2 @@ -85,5 +85,18 @@ } {% endfor %} {% endif %} +{% if group.interface_group is vyos_defined %} +{% for group_name, group_conf in group.interface_group.items() %} +{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %} + set I_{{ group_name }} { + type ifname + flags interval + auto-merge +{% if group_conf.interface is vyos_defined or includes %} + elements = { {{ group_conf.interface | nft_nested_group(includes, group.interface_group, 'interface') | join(",") }} } +{% endif %} + } +{% endfor %} +{% endif %} {% endif %} {% endmacro %} diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 index 706e1c5ae..ebff52e1f 100644 --- a/data/templates/high-availability/keepalived.conf.j2 +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -126,7 +126,12 @@ vrrp_sync_group {{ name }} { {% if virtual_server is vyos_defined %} # Virtual-server configuration {% for vserver, vserver_config in virtual_server.items() %} +# Vserver {{ vserver }} +{% if vserver_config.port is vyos_defined %} virtual_server {{ vserver }} {{ vserver_config.port }} { +{% else %} +virtual_server fwmark {{ vserver_config.fwmark }} { +{% endif %} delay_loop {{ vserver_config.delay_loop }} {% if vserver_config.algorithm is vyos_defined('round-robin') %} lb_algo rr @@ -156,9 +161,14 @@ virtual_server {{ vserver }} {{ vserver_config.port }} { {% for rserver, rserver_config in vserver_config.real_server.items() %} real_server {{ rserver }} {{ rserver_config.port }} { weight 1 +{% if rserver_config.health_check.script is vyos_defined %} + MISC_CHECK { + misc_path {{ rserver_config.health_check.script }} +{% else %} {{ vserver_config.protocol | upper }}_CHECK { -{% if rserver_config.connection_timeout is vyos_defined %} +{% if rserver_config.connection_timeout is vyos_defined %} connect_timeout {{ rserver_config.connection_timeout }} +{% endif %} {% endif %} } } diff --git a/data/templates/protocols/systemd_vyos_failover_service.j2 b/data/templates/protocols/systemd_vyos_failover_service.j2 new file mode 100644 index 000000000..e6501e0f5 --- /dev/null +++ b/data/templates/protocols/systemd_vyos_failover_service.j2 @@ -0,0 +1,11 @@ +[Unit] +Description=Failover route service +After=vyos-router.service + +[Service] +Type=simple +Restart=always +ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf + +[Install] +WantedBy=multi-user.target diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2 index a464795ad..4ef4751dd 100644 --- a/data/templates/router-advert/radvd.conf.j2 +++ b/data/templates/router-advert/radvd.conf.j2 @@ -43,6 +43,13 @@ interface {{ iface }} { }; {% endfor %} {% endif %} +{% if iface_config.source_address is vyos_defined %} + AdvRASrcAddress { +{% for source_address in iface_config.source_address %} + {{ source_address }}; +{% endfor %} + }; +{% endif %} {% if iface_config.prefix is vyos_defined %} {% for prefix, prefix_options in iface_config.prefix.items() %} prefix {{ prefix }} { diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2 index 57ad704c0..47bf6878f 100644 --- a/data/templates/snmp/etc.snmpd.conf.j2 +++ b/data/templates/snmp/etc.snmpd.conf.j2 @@ -76,6 +76,7 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy {% endif %} {% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %} {{ comm_config.authorization }}community {{ comm }} +{{ comm_config.authorization }}community6 {{ comm }} {% endif %} {% endfor %} {% endif %} diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2 index ce72b173a..78297a2b8 100644 --- a/data/templates/squid/sg_acl.conf.j2 +++ b/data/templates/squid/sg_acl.conf.j2 @@ -1,6 +1,5 @@ ### generated by service_webproxy.py ### dbhome {{ squidguard_db_dir }} - dest {{ category }}-{{ rule }} { {% if list_type == 'domains' %} domainlist {{ category }}/domains diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2 index 1bc4c984f..a93f878df 100644 --- a/data/templates/squid/squidGuard.conf.j2 +++ b/data/templates/squid/squidGuard.conf.j2 @@ -1,10 +1,16 @@ ### generated by service_webproxy.py ### -{% macro sg_rule(category, log, db_dir) %} +{% macro sg_rule(category, rule, log, db_dir) %} +{% set domains = db_dir + '/' + category + '/domains' %} +{% set urls = db_dir + '/' + category + '/urls' %} {% set expressions = db_dir + '/' + category + '/expressions' %} -dest {{ category }}-default { +dest {{ category }}-{{ rule }}{ +{% if domains | is_file %} domainlist {{ category }}/domains +{% endif %} +{% if urls | is_file %} urllist {{ category }}/urls +{% endif %} {% if expressions | is_file %} expressionlist {{ category }}/expressions {% endif %} @@ -17,8 +23,9 @@ dest {{ category }}-default { {% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %} {% if url_filtering.squidguard is vyos_defined %} {% set sg_config = url_filtering.squidguard %} -{% set acl = namespace(value='local-ok-default') %} +{% set acl = namespace(value='') %} {% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} +{% set ruleacls = {} %} dbhome {{ squidguard_db_dir }} logdir /var/log/squid @@ -38,24 +45,28 @@ dest local-ok-default { domainlist local-ok-default/domains } {% endif %} + {% if sg_config.local_ok_url is vyos_defined %} {% set acl.value = acl.value + ' local-ok-url-default' %} dest local-ok-url-default { urllist local-ok-url-default/urls } {% endif %} + {% if sg_config.local_block is vyos_defined %} {% set acl.value = acl.value + ' !local-block-default' %} dest local-block-default { domainlist local-block-default/domains } {% endif %} + {% if sg_config.local_block_url is vyos_defined %} {% set acl.value = acl.value + ' !local-block-url-default' %} dest local-block-url-default { urllist local-block-url-default/urls } {% endif %} + {% if sg_config.local_block_keyword is vyos_defined %} {% set acl.value = acl.value + ' !local-block-keyword-default' %} dest local-block-keyword-default { @@ -65,16 +76,100 @@ dest local-block-keyword-default { {% if sg_config.block_category is vyos_defined %} {% for category in sg_config.block_category %} -{{ sg_rule(category, sg_config.log, squidguard_db_dir) }} +{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }} {% set acl.value = acl.value + ' !' + category + '-default' %} {% endfor %} {% endif %} {% if sg_config.allow_category is vyos_defined %} {% for category in sg_config.allow_category %} -{{ sg_rule(category, False, squidguard_db_dir) }} +{{ sg_rule(category, 'default', False, squidguard_db_dir) }} {% set acl.value = acl.value + ' ' + category + '-default' %} {% endfor %} {% endif %} + + +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} +{% if rule_config.local_ok is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %} +{% endif %} +dest local-ok-{{ rule }} { + domainlist local-ok-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_ok_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %} +{% endif %} +dest local-ok-url-{{ rule }} { + urllist local-ok-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %} +{% endif %} +dest local-block-{{ rule }} { + domainlist local-block-{{ rule }}/domains +} +{% endif %} + +{% if rule_config.local_block_url is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %} +{% endif %} +dest local-block-url-{{ rule }} { + urllist local-block-url-{{ rule }}/urls +} +{% endif %} + +{% if rule_config.local_block_keyword is vyos_defined %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %} +{% endif %} +dest local-block-keyword-{{ rule }} { + expressionlist local-block-keyword-{{ rule }}/expressions +} +{% endif %} + +{% if rule_config.block_category is vyos_defined %} +{% for b_category in rule_config.block_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} + +{% if rule_config.allow_category is vyos_defined %} +{% for a_category in rule_config.allow_category %} +{% if rule in ruleacls %} +{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %} +{% else %} +{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %} +{% endif %} +{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + + {% if sg_config.source_group is vyos_defined %} {% for sgroup, sg_config in sg_config.source_group.items() %} {% if sg_config.address is vyos_defined %} @@ -83,28 +178,15 @@ src {{ sgroup }} { ip {{ address }} {% endfor %} } - {% endif %} {% endfor %} {% endif %} -{% if sg_config.rule is vyos_defined %} -{% for rule, rule_config in sg_config.rule.items() %} -{% for b_category in rule_config.block_category %} -dest {{ b_category }} { - domainlist {{ b_category }}/domains - urllist {{ b_category }}/urls -} -{% endfor %} -{% endfor %} -{% endif %} acl { {% if sg_config.rule is vyos_defined %} {% for rule, rule_config in sg_config.rule.items() %} {{ rule_config.source_group }} { -{% for b_category in rule_config.block_category %} - pass local-ok-1 !in-addr !{{ b_category }} all -{% endfor %} + pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }} } {% endfor %} {% endif %} @@ -113,7 +195,7 @@ acl { {% if sg_config.enable_safe_search is vyos_defined %} rewrite safesearch {% endif %} - pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }} + pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }} redirect 302:http://{{ sg_config.redirect_url }} {% if sg_config.log is vyos_defined %} log blacklist.log diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2 index 1127d0564..7a0b0e1f7 100644 --- a/data/templates/sstp-client/peer.j2 +++ b/data/templates/sstp-client/peer.j2 @@ -17,7 +17,7 @@ pty "sstpc --ipparam {{ ifname }} --nolaunchpppd {{ server }}:{{ port }} --ca-ce # Override any connect script that may have been set in /etc/ppp/options. connect /bin/true -# Don't try to authenticate the remote node +# We don't need the server to auth itself noauth # We won't want EAP @@ -37,6 +37,13 @@ sstp-sock /var/run/sstpc/sstpc-{{ ifname }} persist debug +# pppd should create a UUCP-style lock file for the serial device to ensure +# exclusive access to the device. By default, pppd will not create a lock file. +lock + +# Disables Deflate compression +nodeflate + {% if authentication is vyos_defined %} {{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} {{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2 index 1449f95b1..d3ede0971 100644 --- a/data/templates/system/ssh_config.j2 +++ b/data/templates/system/ssh_config.j2 @@ -1,3 +1,6 @@ {% if ssh_client.source_address is vyos_defined %} BindAddress {{ ssh_client.source_address }} {% endif %} +{% if ssh_client.source_interface is vyos_defined %} +BindInterface {{ ssh_client.source_interface }} +{% endif %} |