summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/accel-ppp/l2tp.config.j28
-rw-r--r--data/templates/container/storage.conf.j22
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.j24
-rw-r--r--data/templates/firewall/nftables-defines.j213
-rw-r--r--data/templates/high-availability/keepalived.conf.j212
-rw-r--r--data/templates/protocols/systemd_vyos_failover_service.j211
-rw-r--r--data/templates/router-advert/radvd.conf.j27
-rw-r--r--data/templates/snmp/etc.snmpd.conf.j21
-rw-r--r--data/templates/squid/sg_acl.conf.j21
-rw-r--r--data/templates/squid/squidGuard.conf.j2122
-rw-r--r--data/templates/sstp-client/peer.j29
-rw-r--r--data/templates/system/ssh_config.j23
12 files changed, 168 insertions, 25 deletions
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index 3d1e835a9..5914fd375 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -126,7 +126,13 @@ ipv6={{ ppp_ipv6 }}
{% else %}
{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
{% endif %}
-
+{% if ppp_ipv6_intf_id is vyos_defined %}
+ipv6-intf-id={{ ppp_ipv6_intf_id }}
+{% endif %}
+{% if ppp_ipv6_peer_intf_id is vyos_defined %}
+ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
+{% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
{% if client_ipv6_pool %}
[ipv6-pool]
diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2
index 665f9bf95..39a072c70 100644
--- a/data/templates/container/storage.conf.j2
+++ b/data/templates/container/storage.conf.j2
@@ -1,4 +1,4 @@
### Autogenerated by container.py ###
[storage]
- driver = "vfs"
+ driver = "overlay2"
graphroot = "/usr/lib/live/mount/persistence/container/storage"
diff --git a/data/templates/dhcp-server/dhcpd.conf.j2 b/data/templates/dhcp-server/dhcpd.conf.j2
index 4c2da0aa5..639526532 100644
--- a/data/templates/dhcp-server/dhcpd.conf.j2
+++ b/data/templates/dhcp-server/dhcpd.conf.j2
@@ -22,6 +22,7 @@ ddns-update-style {{ 'interim' if dynamic_dns_update is vyos_defined else 'none'
option rfc3442-static-route code 121 = array of integer 8;
option windows-static-route code 249 = array of integer 8;
option wpad-url code 252 = text;
+option rfc8925-ipv6-only-preferred code 108 = unsigned integer 32;
# Vendor specific options - Ubiquiti Networks
option space ubnt;
@@ -127,6 +128,9 @@ shared-network {{ network }} {
{% if subnet_config.wins_server is vyos_defined %}
option netbios-name-servers {{ subnet_config.wins_server | join(', ') }};
{% endif %}
+{% if subnet_config.ipv6_only_preferred is vyos_defined %}
+ option rfc8925-ipv6-only-preferred {{ subnet_config.ipv6_only_preferred }};
+{% endif %}
{% if subnet_config.static_route is vyos_defined %}
{% set static_default_route = '' %}
{% if subnet_config.default_router is vyos_defined %}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index dd06dee28..0a7e79edd 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -85,5 +85,18 @@
}
{% endfor %}
{% endif %}
+{% if group.interface_group is vyos_defined %}
+{% for group_name, group_conf in group.interface_group.items() %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set I_{{ group_name }} {
+ type ifname
+ flags interval
+ auto-merge
+{% if group_conf.interface is vyos_defined or includes %}
+ elements = { {{ group_conf.interface | nft_nested_group(includes, group.interface_group, 'interface') | join(",") }} }
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% endmacro %}
diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index 706e1c5ae..ebff52e1f 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -126,7 +126,12 @@ vrrp_sync_group {{ name }} {
{% if virtual_server is vyos_defined %}
# Virtual-server configuration
{% for vserver, vserver_config in virtual_server.items() %}
+# Vserver {{ vserver }}
+{% if vserver_config.port is vyos_defined %}
virtual_server {{ vserver }} {{ vserver_config.port }} {
+{% else %}
+virtual_server fwmark {{ vserver_config.fwmark }} {
+{% endif %}
delay_loop {{ vserver_config.delay_loop }}
{% if vserver_config.algorithm is vyos_defined('round-robin') %}
lb_algo rr
@@ -156,9 +161,14 @@ virtual_server {{ vserver }} {{ vserver_config.port }} {
{% for rserver, rserver_config in vserver_config.real_server.items() %}
real_server {{ rserver }} {{ rserver_config.port }} {
weight 1
+{% if rserver_config.health_check.script is vyos_defined %}
+ MISC_CHECK {
+ misc_path {{ rserver_config.health_check.script }}
+{% else %}
{{ vserver_config.protocol | upper }}_CHECK {
-{% if rserver_config.connection_timeout is vyos_defined %}
+{% if rserver_config.connection_timeout is vyos_defined %}
connect_timeout {{ rserver_config.connection_timeout }}
+{% endif %}
{% endif %}
}
}
diff --git a/data/templates/protocols/systemd_vyos_failover_service.j2 b/data/templates/protocols/systemd_vyos_failover_service.j2
new file mode 100644
index 000000000..e6501e0f5
--- /dev/null
+++ b/data/templates/protocols/systemd_vyos_failover_service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Failover route service
+After=vyos-router.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index a464795ad..4ef4751dd 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -43,6 +43,13 @@ interface {{ iface }} {
};
{% endfor %}
{% endif %}
+{% if iface_config.source_address is vyos_defined %}
+ AdvRASrcAddress {
+{% for source_address in iface_config.source_address %}
+ {{ source_address }};
+{% endfor %}
+ };
+{% endif %}
{% if iface_config.prefix is vyos_defined %}
{% for prefix, prefix_options in iface_config.prefix.items() %}
prefix {{ prefix }} {
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 57ad704c0..47bf6878f 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -76,6 +76,7 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy
{% endif %}
{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}
{{ comm_config.authorization }}community {{ comm }}
+{{ comm_config.authorization }}community6 {{ comm }}
{% endif %}
{% endfor %}
{% endif %}
diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2
index ce72b173a..78297a2b8 100644
--- a/data/templates/squid/sg_acl.conf.j2
+++ b/data/templates/squid/sg_acl.conf.j2
@@ -1,6 +1,5 @@
### generated by service_webproxy.py ###
dbhome {{ squidguard_db_dir }}
-
dest {{ category }}-{{ rule }} {
{% if list_type == 'domains' %}
domainlist {{ category }}/domains
diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2
index 1bc4c984f..a93f878df 100644
--- a/data/templates/squid/squidGuard.conf.j2
+++ b/data/templates/squid/squidGuard.conf.j2
@@ -1,10 +1,16 @@
### generated by service_webproxy.py ###
-{% macro sg_rule(category, log, db_dir) %}
+{% macro sg_rule(category, rule, log, db_dir) %}
+{% set domains = db_dir + '/' + category + '/domains' %}
+{% set urls = db_dir + '/' + category + '/urls' %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
-dest {{ category }}-default {
+dest {{ category }}-{{ rule }}{
+{% if domains | is_file %}
domainlist {{ category }}/domains
+{% endif %}
+{% if urls | is_file %}
urllist {{ category }}/urls
+{% endif %}
{% if expressions | is_file %}
expressionlist {{ category }}/expressions
{% endif %}
@@ -17,8 +23,9 @@ dest {{ category }}-default {
{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{% if url_filtering.squidguard is vyos_defined %}
{% set sg_config = url_filtering.squidguard %}
-{% set acl = namespace(value='local-ok-default') %}
+{% set acl = namespace(value='') %}
{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+{% set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid
@@ -38,24 +45,28 @@ dest local-ok-default {
domainlist local-ok-default/domains
}
{% endif %}
+
{% if sg_config.local_ok_url is vyos_defined %}
{% set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
urllist local-ok-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
domainlist local-block-default/domains
}
{% endif %}
+
{% if sg_config.local_block_url is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
urllist local-block-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block_keyword is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
@@ -65,16 +76,100 @@ dest local-block-keyword-default {
{% if sg_config.block_category is vyos_defined %}
{% for category in sg_config.block_category %}
-{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{% set acl.value = acl.value + ' !' + category + '-default' %}
{% endfor %}
{% endif %}
{% if sg_config.allow_category is vyos_defined %}
{% for category in sg_config.allow_category %}
-{{ sg_rule(category, False, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{% set acl.value = acl.value + ' ' + category + '-default' %}
{% endfor %}
{% endif %}
+
+
+{% if sg_config.rule is vyos_defined %}
+{% for rule, rule_config in sg_config.rule.items() %}
+{% if rule_config.local_ok is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
+{% endif %}
+dest local-ok-{{ rule }} {
+ domainlist local-ok-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_ok_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
+{% endif %}
+dest local-ok-url-{{ rule }} {
+ urllist local-ok-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
+{% endif %}
+dest local-block-{{ rule }} {
+ domainlist local-block-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_block_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %}
+{% endif %}
+dest local-block-url-{{ rule }} {
+ urllist local-block-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block_keyword is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
+{% endif %}
+dest local-block-keyword-{{ rule }} {
+ expressionlist local-block-keyword-{{ rule }}/expressions
+}
+{% endif %}
+
+{% if rule_config.block_category is vyos_defined %}
+{% for b_category in rule_config.block_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+
+{% if rule_config.allow_category is vyos_defined %}
+{% for a_category in rule_config.allow_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+
{% if sg_config.source_group is vyos_defined %}
{% for sgroup, sg_config in sg_config.source_group.items() %}
{% if sg_config.address is vyos_defined %}
@@ -83,28 +178,15 @@ src {{ sgroup }} {
ip {{ address }}
{% endfor %}
}
-
{% endif %}
{% endfor %}
{% endif %}
-{% if sg_config.rule is vyos_defined %}
-{% for rule, rule_config in sg_config.rule.items() %}
-{% for b_category in rule_config.block_category %}
-dest {{ b_category }} {
- domainlist {{ b_category }}/domains
- urllist {{ b_category }}/urls
-}
-{% endfor %}
-{% endfor %}
-{% endif %}
acl {
{% if sg_config.rule is vyos_defined %}
{% for rule, rule_config in sg_config.rule.items() %}
{{ rule_config.source_group }} {
-{% for b_category in rule_config.block_category %}
- pass local-ok-1 !in-addr !{{ b_category }} all
-{% endfor %}
+ pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }}
}
{% endfor %}
{% endif %}
@@ -113,7 +195,7 @@ acl {
{% if sg_config.enable_safe_search is vyos_defined %}
rewrite safesearch
{% endif %}
- pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }}
redirect 302:http://{{ sg_config.redirect_url }}
{% if sg_config.log is vyos_defined %}
log blacklist.log
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 1127d0564..7a0b0e1f7 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -17,7 +17,7 @@ pty "sstpc --ipparam {{ ifname }} --nolaunchpppd {{ server }}:{{ port }} --ca-ce
# Override any connect script that may have been set in /etc/ppp/options.
connect /bin/true
-# Don't try to authenticate the remote node
+# We don't need the server to auth itself
noauth
# We won't want EAP
@@ -37,6 +37,13 @@ sstp-sock /var/run/sstpc/sstpc-{{ ifname }}
persist
debug
+# pppd should create a UUCP-style lock file for the serial device to ensure
+# exclusive access to the device. By default, pppd will not create a lock file.
+lock
+
+# Disables Deflate compression
+nodeflate
+
{% if authentication is vyos_defined %}
{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }}
{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }}
diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2
index 1449f95b1..d3ede0971 100644
--- a/data/templates/system/ssh_config.j2
+++ b/data/templates/system/ssh_config.j2
@@ -1,3 +1,6 @@
{% if ssh_client.source_address is vyos_defined %}
BindAddress {{ ssh_client.source_address }}
{% endif %}
+{% if ssh_client.source_interface is vyos_defined %}
+BindInterface {{ ssh_client.source_interface }}
+{% endif %}