Diffstat (limited to 'data/templates')
19 files changed, 505 insertions, 28 deletions
diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.tmpl index f444af85c..05ac31d18 100644 --- a/data/templates/accel-ppp/pppoe.config.tmpl +++ b/data/templates/accel-ppp/pppoe.config.tmpl @@ -17,6 +17,10 @@ net-snmp {% if limits is defined %} connlimit {% endif %} +{% if extended_scripts is defined %} +sigchld +pppd_compat +{% endif %} [core] thread-count={{ thread_count }} @@ -133,6 +137,9 @@ service-name={{ service_name | join(',') }} {% endfor %} pado-delay={{ pado_delay_param.value }} {% endif %} +{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} +called-sid={{ authentication.radius.called_sid_format }} +{% endif %} {% if limits is defined %} [connlimit] @@ -146,12 +153,19 @@ burst={{ limits.burst }} timeout={{ limits.timeout }} {% endif %} {% endif %} -{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} -called-sid={{ authentication.radius.called_sid_format }} -{% endif %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} +{% if extended_scripts is defined %} +[pppd-compat] +verbose=1 +radattr-prefix=/run/accel-pppd/radattr +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} +{{ script_name[script] }}={{ extended_scripts[script] }} +{% endfor %} +{% endif %} + [cli] tcp=127.0.0.1:2001 diff --git a/data/templates/conntrack/sysctl.conf.tmpl b/data/templates/conntrack/sysctl.conf.tmpl new file mode 100644 index 000000000..9e97c3286 --- /dev/null +++ b/data/templates/conntrack/sysctl.conf.tmpl 
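Review bot: The new `[pppd-compat]` section hands accel-pppd four executable paths taken verbatim from `extended_scripts` (`ip-up`, `ip-down`, `ip-change`, `ip-pre-up`), and accel-pppd runs them on session events with its own privileges; nothing in the template can validate them. Unless the conf-mode script that renders this template already does so, it should verify that each configured path exists, is a regular file with the execute bit set and is not writable by unprivileged users before rendering. The same `extended_scripts` dict also drives the `sigchld`/`pppd_compat` module lines in the first hunk of this file, so one check in the Python side covers both. A short `{# paths are validated (exists, executable, root-owned) by the conf-mode script #}` comment above the `[pppd-compat]` block would record where that check lives.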
@@ -0,0 +1,26 @@
+# Autogenerated by conntrack.py
+{# all values have defaults - thus no checking required #}
+
+net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
+net.netfilter.nf_conntrack_max = {{ table_size }}
+
+net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }}
+
+net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose == 'enable' else '0' }}
+net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }}
+
+net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }}
+net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }}
+
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }}
+net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }}
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }}
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }}
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }}
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }}
+
+net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }}
+net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }}
+
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl b/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl
new file mode 100644
index 000000000..111459485
--- /dev/null
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl
@@ -0,0 +1,3 @@
+# Autogenerated by conntrack.py
+options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
+
diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl
new file mode 100644
index 000000000..17ee529bf
--- /dev/null
+++ b/data/templates/conntrackd/conntrackd.conf.tmpl
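Review bot: `options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1` in vyos_nf_conntrack.conf.tmpl unconditionally turns on automatic conntrack helper assignment for every flow; the kernel has defaulted this to 0 since 4.7 and logs that automatic assignment is deprecated, because helpers like FTP/SIP parse untrusted payload and open dynamic expectations, and the intended mechanism is to attach a helper explicitly with the `CT` target only on the rules that need it. If the firewall/NAT scripts already attach helpers per rule, this parameter should be dropped or made conditional on a configuration knob rather than forced on for the whole system. At minimum the template should say why it is set, e.g. `{# nf_conntrack_helper=1: automatic helper assignment, kept for legacy NAT helper behaviour — revisit once helpers are attached via the CT target #}`.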
@@ -0,0 +1,109 @@ +# autogenerated by conntrack_sync.py + +# Synchronizer settings +Sync { + Mode FTFW { + DisableExternalCache {{ 'on' if disable_external_cache is defined else 'off' }} + } +{% for iface, iface_config in interface.items() %} +{% if loop.first %} +{% if iface_config.peer is defined and iface_config.peer is not none %} + UDP { +{% if listen_address is defined and listen_address is not none %} + IPv4_address {{ listen_address }} +{% endif %} + IPv4_Destination_Address {{ iface_config.peer }} + Port 3780 +{% else %} +{% set ip_address = iface | get_ipv4 %} + Multicast { + IPv4_address {{ mcast_group }} + Group 3780 + IPv4_interface {{ ip_address[0] | ip_from_cidr }} +{% endif %} + Interface {{ iface }} +{% endif %} +{% endfor %} + SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} + Checksum on + } +{% if expect_sync is defined and expect_sync is not none %} + Options { +{% if 'all' in expect_sync %} + ExpectationSync on +{% else %} + ExpectationSync { +{% for protocol in expect_sync %} + {{ protocol }} +{% endfor %} + } +{% endif %} + } +{% endif %} +} +Helper { + Type rpc inet tcp { + QueueNum 3 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } + Type rpc inet udp { + QueueNum 4 + Policy rpc { + ExpectMax 1 + ExpectTimeout 300 + } + } + Type tns inet tcp { + QueueNum 5 + Policy tns { + ExpectMax 1 + ExpectTimeout 300 + } + } +} + +# General settings +General { + HashSize {{ hash_size }} + HashLimit {{ table_size | int *2 }} + LogFile off + Syslog on + LockFile /var/lock/conntrack.lock + UNIX { + Path /var/run/conntrackd.ctl + } + NetlinkBufferSize {{ 2 *1024 *1024 }} + NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} + NetlinkOverrunResync off + NetlinkEventsReliable on +{% if ignore_address is defined or accept_protocol is defined %} + Filter From Userspace { +{% if ignore_address is defined and ignore_address is not none %} + Address Ignore { +{% for 
address in ignore_address if address | is_ipv4 %} + IPv4_address {{ address }} +{% endfor %} +{% for address in ignore_address if address | is_ipv6 %} + IPv6_address {{ address }} +{% endfor %} + } +{% endif %} +{% if accept_protocol is defined and accept_protocol is not none %} + Protocol Accept { +{% for protocol in accept_protocol %} +{% if protocol == 'icmp6' %} + IPv6-ICMP +{% else %} + {{ protocol | upper }} +{% endif %} +{% endfor %} + } +{% endif %} + } +{% endif %} +} + diff --git a/data/templates/conntrackd/conntrackd.op-mode.tmpl b/data/templates/conntrackd/conntrackd.op-mode.tmpl new file mode 100644 index 000000000..82a4b09ad --- /dev/null +++ b/data/templates/conntrackd/conntrackd.op-mode.tmpl @@ -0,0 +1,13 @@ +Source Destination Protocol +{% for parsed in data if parsed.flow is defined and parsed.flow.meta is defined %} +{% for key in parsed.flow.meta %} +{% if key['@direction'] == 'original' %} +{% set saddr = key.layer3.src | bracketize_ipv6 %} +{% set sport = key.layer4.sport %} +{% set daddr = key.layer3.dst | bracketize_ipv6 %} +{% set dport = key.layer4.dport %} +{% set protocol = key.layer4['@protoname'] %} +{{ "%-48s" | format(saddr ~ ':' ~ sport) }} {{ "%-48s" | format(daddr ~ ':' ~ dport) }} {{ protocol }} +{% endif %} +{% endfor %} +{% endfor %} diff --git a/data/templates/dhcp-server/dhcpdv6.conf.tmpl b/data/templates/dhcp-server/dhcpdv6.conf.tmpl index 25e5fa592..8d653ff72 100644 --- a/data/templates/dhcp-server/dhcpdv6.conf.tmpl +++ b/data/templates/dhcp-server/dhcpdv6.conf.tmpl @@ -9,9 +9,7 @@ option dhcp6.preference {{ preference }}; {% endif %} {% if global_parameters is defined and global_parameters.name_server is defined and global_parameters.name_server is not none %} -{% for nameserver in global_parameters.name_server %} -option dhcp6.name-servers {{ nameserver }}; -{% endfor %} +option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }}; {% endif %} # Shared network configration(s) 
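Review bot: In the conntrackd.conf.tmpl hunk, `{% set ip_address = iface | get_ipv4 %}` followed by `IPv4_interface {{ ip_address[0] | ip_from_cidr }}` fails at render time when the sync interface has no IPv4 address, so the conf-mode verify step must check for one before the template is rendered — the template itself cannot recover. Only the `loop.first` entry of `interface` is rendered, so any further interface is silently ignored; either reject more than one in verify or state the limitation in a `{# only the first interface is used for the sync channel #}` comment at the loop. Worth a note for operators as well: the UDP/Multicast channel on port 3780 carries the connection table in cleartext and without authentication (`Checksum on` is only the UDP checksum), so the sync interface has to be a dedicated, trusted link.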
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl index 5edd3f97d..158da3605 100644 --- a/data/templates/frr/bgpd.frr.tmpl +++ b/data/templates/frr/bgpd.frr.tmpl @@ -173,6 +173,9 @@ {% if afi_config.maximum_prefix is defined and afi_config.maximum_prefix is not none %} neighbor {{ neighbor }} maximum-prefix {{ afi_config.maximum_prefix }} {% endif %} +{% if afi_config.maximum_prefix_out is defined and afi_config.maximum_prefix_out is not none %} + neighbor {{ neighbor }} maximum-prefix-out {{ afi_config.maximum_prefix_out }} +{% endif %} {% if afi_config.nexthop_self is defined %} neighbor {{ neighbor }} next-hop-self {{ 'force' if afi_config.nexthop_self.force is defined }} {% endif %} @@ -420,7 +423,7 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none bgp confederation identifier {{ parameters.confederation.identifier }} {% endif %} {% if parameters.confederation.peers is defined and parameters.confederation.peers is not none %} - bgp confederation peers {{ parameters.confederation.peers }} + bgp confederation peers {{ parameters.confederation.peers | join(' ') }} {% endif %} {% endif %} {% if parameters.dampening is defined and parameters.dampening is defined and parameters.dampening.half_life is defined and parameters.dampening.half_life is not none %} diff --git a/data/templates/frr/isis.frr.tmpl b/data/templates/frr/isis.frr.tmpl index 433f10892..1e651898b 100644 --- a/data/templates/frr/isis.frr.tmpl +++ b/data/templates/frr/isis.frr.tmpl 
@@ -13,8 +13,15 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% if set_overload_bit is defined %} set-overload-bit {% endif %} -{% if domain_password is defined and domain_password.plaintext_password is defined and domain_password.plaintext_password is not none %} +{% if domain_password is defined and domain_password is not none %} +{% if domain_password.md5 is defined and domain_password.md5 is not none %} + domain-password md5 {{ domain_password.plaintext_password }} +{% elif domain_password.plaintext_password is defined and domain_password.plaintext_password is not none %} domain-password clear {{ domain_password.plaintext_password }} +{% endif %} +{% endif %} +{% if log_adjacency_changes is defined %} + log-adjacency-changes {% endif %} {% if lsp_gen_interval is defined and lsp_gen_interval is not none %} lsp-gen-interval {{ lsp_gen_interval }} 
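Review bot: The new `md5` branch renders `domain-password md5 {{ domain_password.plaintext_password }}`, i.e. the wrong leaf: with only `md5` configured the value is undefined and FRR receives an empty key, and if both leaves are set the plaintext one is used as the MD5 key. It should read `domain-password md5 {{ domain_password.md5 }}`, mirroring the `area-password md5 {{ area_password.md5 }}` branch in the next hunk of this file.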
@@ -95,17 +102,18 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% if spf_delay_ietf is defined and spf_delay_ietf.init_delay is defined and spf_delay_ietf.init_delay is not none %} spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} {% endif %} -{% if area_password is defined and area_password.md5 is defined and area_password.md5 is not none %} +{% if area_password is defined and area_password is not none %} +{% if area_password.md5 is defined and area_password.md5 is not none %} area-password md5 {{ area_password.md5 }} -{% elif area_password is defined and area_password.plaintext_password is defined and area_password.plaintext_password is not none %} +{% elif area_password.plaintext_password is defined and area_password.plaintext_password is not none %} area-password clear {{ area_password.plaintext_password }} +{% endif %} {% endif %} {% if default_information is defined and default_information.originate is defined and default_information.originate is not none %} -{% for level in default_information.originate.ipv4 if default_information.originate.ipv4 is defined %} - default-information originate ipv4 {{ level | replace('_', '-') }} -{% endfor %} -{% for level in default_information.originate.ipv6 if default_information.originate.ipv6 is defined %} - default-information originate ipv6 {{ level | replace('_', '-') }} always +{% for afi, afi_config in default_information.originate.items() %} +{% for level, level_config in afi_config.items() %} + default-information originate {{ afi }} {{ level | replace('_', '-') }} {{ 'always' if level_config.always is defined }} {{ 'route-map ' ~ level_config.route_map if level_config.route_map is defined }} {{ 'metric ' ~ level_config.metric if level_config.metric is defined }} +{% endfor %} {% endfor %} {% endif %} {% if redistribute is defined and redistribute.ipv4 is defined and redistribute.ipv4 is not none %} 
@@ -122,12 +130,10 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% endfor %} {% endif %} {% if level is defined and level is not none %} -{% if level == 'level-1' %} - is-type level-1 -{% elif level == 'level-2' %} +{% if level == 'level-2' %} is-type level-2-only -{% elif level == 'level-1-2' %} - is-type level-1-2 +{% else %} + is-type {{ level }} {% endif %} {% endif %} ! @@ -135,6 +141,7 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} {% for iface, iface_config in interface.items() %} interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }} ip router isis VyOS + ipv6 router isis VyOS {% if iface_config.bfd is defined %} isis bfd {% endif %} diff --git a/data/templates/frr/ospfv3.frr.tmpl b/data/templates/frr/ospfv3.frr.tmpl index d08972a80..0026c0d2c 100644 --- a/data/templates/frr/ospfv3.frr.tmpl +++ b/data/templates/frr/ospfv3.frr.tmpl @@ -50,6 +50,11 @@ router ospf6 interface {{ interface }} area {{ area_id }} {% endfor %} {% endif %} +{% if area_config.area_type is defined and area_config.area_type is not none %} +{% for type, type_config in area_config.area_type.items() %} + area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is defined }} +{% endfor %} +{% endif %} {% if area_config.range is defined and area_config.range is not none %} {% for prefix, prefix_config in area_config.range.items() %} area {{ area_id }} range {{ prefix }} {{ 'advertise' if prefix_config.advertise is defined }} {{ 'not-advertise' if prefix_config.not_advertise is defined }} diff --git a/data/templates/ipsec/ike-esp.tmpl b/data/templates/ipsec/ike-esp.tmpl new file mode 100644 index 000000000..deeb8c80d --- /dev/null +++ b/data/templates/ipsec/ike-esp.tmpl 
@@ -0,0 +1,32 @@
+{% macro conn(ike, ike_ciphers, esp, esp_ciphers) -%}
+{% if ike %}
+{% if "key_exchange" in ike %}
+ keyexchange = {{ ike.key_exchange }}
+{% endif %}
+ ike = {{ ike_ciphers }}
+{% if "lifetime" in ike %}
+ ikelifetime = {{ ike.lifetime }}s
+{% endif %}
+ reauth = {{ ike.ikev2_reauth if "ikev2_reauth" in ike else "no" }}
+ closeaction = {{ ike.close_action if "close_action" in ike else "none" }}
+{% if "dead_peer_detection" in ike %}
+ dpdaction = {{ ike.dead_peer_detection.action }}
+ dpdtimeout = {{ ike.dead_peer_detection.timeout }}
+ dpddelay = {{ ike.dead_peer_detection.interval }}
+{% endif %}
+{% if "key_exchange" in ike and ike.key_exchange == "ikev1" and "mode" in ike and ike.mode == "aggressive" %}
+ aggressive = yes
+{% endif %}
+{% if "key_exchange" in ike and ike.key_exchange == "ikev2" %}
+ mobike = {{ "yes" if "mobike" not in ike or ike.mobike == "enable" else "no" }}
+{% endif %}
+{% endif %}
+{% if esp %}
+ esp = {{ esp_ciphers }}
+{% if "lifetime" in esp %}
+ keylife = {{ esp.lifetime }}s
+{% endif %}
+ compress = {{ 'yes' if "compression" in esp and esp.compression == 'enable' else 'no' }}
+ type = {{ esp.mode if "mode" in esp else "tunnel" }}
+{% endif %}
+{%- endmacro %}
diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl
new file mode 100644
index 000000000..3d285b9be
--- /dev/null
+++ b/data/templates/ipsec/interfaces_use.conf.tmpl
@@ -0,0 +1,6 @@
+{% if ipsec_interfaces is defined and 'interface' in ipsec_interfaces %}
+{% set interfaces = ipsec_interfaces['interface'] %}
+charon {
+ interfaces_use = {{ ', '.join(interfaces) if interfaces is not string else interfaces }}
+}
+{% endif %}
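Review bot: `aggressive = yes` is emitted whenever IKEv1 `mode == aggressive`, and nothing in the macro records that aggressive mode sends the identity and the PSK-derived hash unprotected in the first exchange, which leaves a pre-shared secret open to offline guessing. The template cannot refuse the setting, but a `{# IKEv1 aggressive mode: weak with pre-shared-secret, only for legacy peers that cannot do main mode #}` comment here, plus a warning in the conf-mode verify when it is combined with PSK authentication, would make the trade-off visible. Also note the asymmetry of the defaults: `mobike` falls back to "yes" when the key is absent while `reauth`/`closeaction` fall back to "no"/"none"; a one-line comment that this presumably mirrors strongSwan's own defaults would help the next reader.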
\ No newline at end of file
diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl
index d0b60765b..67447366c 100644
--- a/data/templates/ipsec/ipsec.conf.tmpl
+++ b/data/templates/ipsec/ipsec.conf.tmpl
@@ -1,3 +1,121 @@ +# Created by VyOS - manual changes will be overwritten + +{% import 'ipsec/ike-esp.tmpl' as ike_esp %} + +config setup + charondebug = "{{ charondebug }}" + uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} + +{% if site_to_site is defined and "peer" in site_to_site -%} +{% for peer, peer_conf in site_to_site.peer.items() %} +{% set peer_index = loop.index %} +{% set peer_ike = ike_group[peer_conf.ike_group] %} +{% set peer_esp = esp_group[peer_conf.default_esp_group] if 'default_esp_group' in peer_conf else None %} +conn peer-{{ peer }} +{% if peer_conf.authentication.mode in authby %} + authby = {{ authby[peer_conf.authentication.mode] }} +{% endif %} +{% if peer_conf.authentication.mode == 'x509' %} +{% set cert_file = peer_conf.authentication.x509.cert_file %} + leftcert = {{ cert_file if cert_file.startswith(x509_path) else (x509_path + cert_file) }} + leftsendcert = always + rightca = %same +{% elif peer_conf.authentication.mode == 'rsa' %} + leftsigkey = localhost.pub + rightsigkey = {{ peer_conf.authentication.rsa_key_name }}.pub +{% endif %} + left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} +{% if "id" in peer_conf.authentication and "use_x509_id" not in peer_conf.authentication %} + leftid = "{{ peer_conf.authentication.id }}" +{% endif %} + right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }} +{% if "remote_id" in peer_conf.authentication %} + rightid = "{{ peer_conf.authentication.remote_id }}" +{% elif peer[0:1] == '@' %} + rightid = "{{ peer }}" +{% endif %} + keylife = 3600s + rekeymargin = 540s +{{ ike_esp.conn(peer_ike, ciphers.ike[peer_conf.ike_group], peer_esp, ciphers.esp[peer_conf.default_esp_group] if peer_esp else None) }} +{% if "vti" in peer_conf and "bind" in peer_conf.vti %} +{% set vti_esp = esp_group[peer_conf.vti.esp_group] if "esp_group" in 
peer_conf.vti else None %} +conn peer-{{ peer }}-vti + also = peer-{{ peer }} + leftsubnet = 0.0.0.0/0 + leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}" + rightsubnet = 0.0.0.0/0 + mark = {{ marks[peer_conf.vti.bind] }} +{{ ike_esp.conn(None, None, vti_esp, ciphers.esp[peer_conf.vti.esp_group] if vti_esp else None) }} +{% if peer[0:1] == '@' %} + rekey = no + auto = add + keyingtries = %forever +{% else %} +{% if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %} + auto = start + keyingtries = %forever +{% endif %} +{% if peer_conf.connection_type == 'respond' %} + auto = route + keyingtries = 1 +{% endif %} +{% endif %} +{% elif "tunnel" in peer_conf %} +{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() %} +{% set tunnel_esp_name = tunnel_conf.esp_group if "esp_group" in tunnel_conf else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if "protocol" in tunnel_conf else '%any' %} +conn peer-{{ peer }}-tunnel-{{tunnel_id}} + also = peer-{{ peer }} +{% if 'mode' not in tunnel_esp or tunnel_esp.mode == 'tunnel' %} +{% if 'local' in tunnel_conf and 'prefix' in tunnel_conf.local %} + leftsubnet = {{ tunnel_conf.local.prefix if tunnel_conf.local.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.local.port if "port" in tunnel_conf.local else '%any' }}] +{% endif %} +{% if 'remote' in tunnel_conf and 'prefix' in tunnel_conf.remote %} + rightsubnet = {{ tunnel_conf.remote.prefix if tunnel_conf.remote.prefix != 'any' else '0.0.0.0/0' }}[{{ proto }}/{{ tunnel_conf.remote.port if "port" in tunnel_conf.remote else '%any' }}] +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} + leftsubnet = {{ peer_conf.local_address }}[{{ proto }}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}] + rightsubnet = {{ peer }}[{{ proto 
}}/{{ tunnel_conf.local.port if "local" in tunnel_conf and "port" in tunnel_conf.local else '%any' }}] +{% endif %} +{% if 'esp_group' in tunnel_conf %} +{{ ike_esp.conn(None, None, tunnel_esp, ciphers.esp[tunnel_esp_name]) }} +{% endif %} +{% if peer[0:1] == '@' %} + rekey = no + auto = add + keyingtries = %forever +{% else %} +{% if 'connection_type' not in peer_conf or peer_conf.connection_type == 'initiate' %} + auto = start + keyingtries = %forever +{% endif %} +{% if peer_conf.connection_type == 'respond' %} + auto = route + keyingtries = 1 +{% endif %} +{% endif %} +{% if 'passthrough' in tunnel_conf and tunnel_conf.passthrough %} +conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough + left = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '%defaultroute' }} + right = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '%any' }} + leftsubnet = {{ tunnel_conf.local.prefix }} + rightsubnet = {{ tunnel_conf.local.prefix }} + type = passthrough + authby = never + auto = route +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{%- endif %} + +{% if include_ipsec_conf is defined %} +include {{ include_ipsec_conf }} +{% endif %} + +{% if delim_ipsec_l2tp_begin is defined -%} {{delim_ipsec_l2tp_begin}} include {{ipsec_ra_conn_file}} {{delim_ipsec_l2tp_end}} +{%- endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl index 55c010a3b..a1432de57 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.tmpl 
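Review bot: `leftupdown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ ... dhcp_interface ... }}"` splices two configuration values into a command line that charon executes as root; that is only safe if both are guaranteed to be plain interface names by the conf-mode validators, so a `{# bind/dhcp_interface are validated interface names — must not contain whitespace or quotes #}` comment (or an explicit verify check) should pin that assumption. The `leftcert` expression `cert_file if cert_file.startswith(x509_path) else (x509_path + cert_file)` does not normalise the path, so a `cert_file` with `..` segments still resolves outside `x509_path`; if that matters, resolve it on the Python side before rendering. Separately, the passthrough connection name is misspelled — `conn peer-{{ peer }}-tunnel-{{ tunnel_id }}-passthough` should be `-passthrough` — and anything that later matches connection names by pattern will need to agree with whichever spelling ships.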
@@ -1,7 +1,34 @@ +# Created by VyOS - manual changes will be overwritten + +{% if site_to_site is defined and "peer" in site_to_site %} +{% set ns = namespace(local_key_set=False) %} +{% for peer, peer_conf in site_to_site.peer.items() %} +{% if peer_conf.authentication.mode == 'pre-shared-secret' %} +{{ (peer_conf.local_address if "local_address" in peer_conf else "%any") ~ + (" " ~ peer) ~ + ((" " ~ peer_conf.authentication.id) if "id" in peer_conf.authentication else "") ~ + ((" " ~ peer_conf.authentication.remote_id) if "remote_id" in peer_conf.authentication else "") +}} : PSK "{{ peer_conf.authentication.pre_shared_secret }}" # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} +{% elif peer_conf.authentication.mode == 'x509' %} +{% set key_file = peer_conf.authentication.x509.key.file %} +: RSA {{ key_file if key_file.startswith(x509_path) else (x509_path + key_file) }}{% if "password" in peer_conf.authentication.x509.key and peer_conf.authentication.x509.key.password %} "{{ peer_conf.authentication.x509.key.password}}"{% endif %} +{% elif peer_conf.authentication.mode == 'rsa' and not ns.local_key_set %} +{% set ns.local_key_set = True %} +: RSA {{ rsa_local_key }} +{% endif %} +{% endfor %} +{% endif %} + +{% if include_ipsec_secrets is defined %} +include {{ include_ipsec_secrets }} +{% endif %} + +{% if delim_ipsec_l2tp_begin is defined %} {{delim_ipsec_l2tp_begin}} -{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} +{% if ipsec_l2tp_auth_mode == 'pre-shared-secret' %} {{outside_addr}} %any : PSK "{{ipsec_l2tp_secret}}" -{% elif ipsec_l2tp_auth_mode == 'x509' %} +{% elif ipsec_l2tp_auth_mode == 'x509' %} : RSA {{server_key_file_copied}} -{% endif%} +{% endif %} {{delim_ipsec_l2tp_end}} +{% endif %} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl new file mode 100644 index 000000000..0ce703f20 --- /dev/null +++ b/data/templates/ipsec/swanctl.conf.tmpl 
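Review bot: The PSK line embeds `peer_conf.authentication.pre_shared_secret` inside double quotes with no escaping, and the x509 branch does the same with `peer_conf.authentication.x509.key.password`; a secret containing `"` or a newline corrupts the file, and since the header says `manual changes will be overwritten` the operator cannot repair it by hand. Either reject such characters in verify or render the PSK in strongSwan's hex form (`PSK 0x...`), which needs no quoting. This file now holds every site-to-site PSK and key password in cleartext, so the Python side must create it mode 0600 owned by root rather than relying on the default umask; a `{# contains cleartext secrets — written with mode 0600 #}` note under the header would record that requirement.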
@@ -0,0 +1,54 @@ +# Created by VyOS - manual changes will be overwritten + +{% if profile is defined %} +connections { +{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %} +{% set dmvpn_ike = ike_group[profile_conf.ike_group] %} +{% set dmvpn_esp = esp_group[profile_conf.esp_group] %} +{% for interface in profile_conf.bind.tunnel %} + dmvpn-{{ name }}-{{ interface }} { + proposals = {{ ciphers.ike[profile_conf.ike_group][:-1] }} + version = {{ dmvpn_ike.key_exchange[4:] if "key_exchange" in dmvpn_ike else "0" }} + rekey_time = {{ dmvpn_ike.lifetime if 'lifetime' in dmvpn_ike else '28800' }}s + keyingtries = 0 +{% if profile_conf.authentication.mode == 'pre-shared-secret' %} + local { + auth = psk + } + remote { + auth = psk + } +{% endif %} + children { + dmvpn { + esp_proposals = {{ ciphers.esp[profile_conf.esp_group][:-1] }} + rekey_time = {{ dmvpn_esp.lifetime if 'lifetime' in dmvpn_esp else '3600' }}s + rand_time = 540s + local_ts = dynamic[gre] + remote_ts = dynamic[gre] + mode = {{ dmvpn_esp.mode if "mode" in dmvpn_esp else "transport" }} +{% if 'dead_peer_detection' in dmvpn_ike and 'action' in dmvpn_ike.dead_peer_detection %} + dpd_action = {{ dmvpn_ike.dead_peer_detection.action }} +{% endif %} +{% if 'compression' in dmvpn_esp and dmvpn_esp['compression'] == 'enable' %} + ipcomp = yes +{% endif %} + } + } + } +{% endfor %} +{% endfor %} +} + +secrets { +{% for name, profile_conf in profile.items() if "bind" in profile_conf and "tunnel" in profile_conf.bind %} +{% if profile_conf.authentication.mode == 'pre-shared-secret' %} +{% for interface in profile_conf.bind.tunnel %} + ike-dmvpn-{{ interface }} { + secret = {{ profile_conf.authentication.pre_shared_secret }} + } +{% endfor %} +{% endif %} +{% endfor %} +} +{% endif %} diff --git a/data/templates/nhrp/opennhrp.conf.tmpl b/data/templates/nhrp/opennhrp.conf.tmpl new file mode 100644 index 000000000..308459407 --- /dev/null 
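Review bot: `secret = {{ profile_conf.authentication.pre_shared_secret }}` is rendered unquoted; in strongswan.conf syntax a `#` starts a comment and surrounding whitespace is stripped, so, if I read the grammar right, a PSK containing `#` or leading/trailing spaces is silently shortened and the DMVPN IKE_SA either fails to authenticate or authenticates with a shorter key than the operator configured. Quote it — `secret = "{{ profile_conf.authentication.pre_shared_secret }}"` — and reject `"` in verify, or emit the hex form. The `secrets` section also defines `ike-dmvpn-{{ interface }}` without any `id` selector, so the same PSK applies to every peer reaching that interface; a `# PSK applies to all spokes on this interface` comment would save the next reader a trip to the docs.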
+++ b/data/templates/nhrp/opennhrp.conf.tmpl
@@ -0,0 +1,41 @@
+# Created by VyOS - manual changes will be overwritten
+
+{% if tunnel is defined %}
+{% for name, tunnel_conf in tunnel.items() %}
+{% set type = 'spoke' if 'map' in tunnel_conf or 'dynamic_map' in tunnel_conf else 'hub' %}
+{% set profile_name = profile_map[name] if profile_map is defined and name in profile_map else '' %}
+interface {{ name }} #{{ type }} {{ profile_name }}
+{% if 'map' in tunnel_conf %}
+{% for map, map_conf in tunnel_conf.map.items() %}
+{% set cisco = ' cisco' if 'cisco' in map_conf else '' %}
+{% set register = ' register' if 'register' in map_conf else '' %}
+ map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }}
+{% endfor %}
+{% endif %}
+{% if 'dynamic_map' in tunnel_conf %}
+{% for map, map_conf in tunnel_conf.dynamic_map.items() %}
+ dynamic-map {{ map }} {{ map_conf.nbma_domain_name }}
+{% endfor %}
+{% endif %}
+{% if 'cisco_authentication' in tunnel_conf %}
+ cisco-authentication {{ tunnel_conf.cisco_authentication }}
+{% endif %}
+{% if 'holding_time' in tunnel_conf %}
+ holding-time {{ tunnel_conf.holding_time }}
+{% endif %}
+{% if 'multicast' in tunnel_conf %}
+ multicast {{ tunnel_conf.multicast }}
+{% endif %}
+{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %}
+{% if key in tunnel_conf %}
+ {{ key | replace("_", "-") }}
+{% endif %}
+{% endfor %}
+{% if 'shortcut_target' in tunnel_conf %}
+{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %}
+ shortcut-target {{ target }} {{ shortcut_conf.holding_time if 'holding_time' in shortcut_conf else '' }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+{% endif %}
diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/proxy-ndp/ndppd.conf.tmpl
index 0137d8135..ccd1d37ad 100644
--- a/data/templates/proxy-ndp/ndppd.conf.tmpl
+++ b/data/templates/proxy-ndp/ndppd.conf.tmpl
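Review bot: `cisco-authentication {{ tunnel_conf.cisco_authentication }}` writes the NHRP shared secret in cleartext into a file the header says is regenerated on every commit, so the Python writer must create it with root-only read permissions; a `{# contains cisco-authentication secrets — written with mode 0600 #}` note next to the header would record that requirement where the next maintainer will see it. The `shortcut-target` line also emits a trailing space whenever `holding_time` is absent, which opennhrp tolerates but is untidy; `shortcut-target {{ target }}{{ ' ' ~ shortcut_conf.holding_time if 'holding_time' in shortcut_conf }}` renders cleanly in both cases.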
@@ -21,8 +21,8 @@ {% if config.outbound_interface not in global.ndppd_interfaces %} {% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %} {% endif %} -{% if config.translation.prefix is defined %} -{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.prefix}] %} +{% if config.translation.address is defined and config.translation.address | is_ip_network %} +{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %} {% endif %} {% endif %} {% endfor %} diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl index 2fde78fec..9cc237512 100644 --- a/data/templates/router-advert/radvd.conf.tmpl +++ b/data/templates/router-advert/radvd.conf.tmpl @@ -30,6 +30,19 @@ interface {{ iface }} { AdvOtherConfigFlag {{ 'on' if interface[iface].other_config_flag is defined else 'off' }}; AdvRetransTimer {{ interface[iface].retrans_timer }}; AdvCurHopLimit {{ interface[iface].hop_limit }}; +{% if interface[iface].route is defined %} +{% for route in interface[iface].route %} + route {{ route }} { +{% if interface[iface].route[route].valid_lifetime is defined %} + AdvRouteLifetime {{ interface[iface].route[route].valid_lifetime }}; +{% endif %} +{% if interface[iface].route[route].route_preference is defined %} + AdvRoutePreference {{ interface[iface].route[route].route_preference }}; +{% endif %} + RemoveRoute {{ 'off' if interface[iface].route[route].no_remove_route is defined else 'on' }}; + }; +{% endfor %} +{% endif %} {% for prefix in interface[iface].prefix %} prefix {{ prefix }} { AdvAutonomous {{ 'off' if interface[iface].prefix[prefix].no_autonomous_flag is defined else 'on' }}; diff --git a/data/templates/system/sysctl.conf.tmpl b/data/templates/system/sysctl.conf.tmpl new file mode 100644 index 000000000..72af82ee5 --- /dev/null 
+++ b/data/templates/system/sysctl.conf.tmpl
@@ -0,0 +1,7 @@
+# autogenerated by system_sysctl.py
+
+{% if parameter is defined and parameter is not none %}
+{% for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{% endfor %}
+{% endif %}
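Review bot: `{{ k }} = {{ v.value }}` writes the configured key and value verbatim, so a value containing a newline, or a key containing `=`, would inject an additional sysctl entry into the generated file; the template has nothing to validate with, so the conf-mode script named in the header (`system_sysctl.py`) must restrict keys to dotted identifier tokens and values to a single line before rendering. A `{# keys and values are validated by system_sysctl.py — no escaping is done here #}` comment after the header would state where that check is expected to live.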
diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl index d51522e45..c01101d85 100644 --- a/data/templates/vrrp/keepalived.conf.tmpl +++ b/data/templates/vrrp/keepalived.conf.tmpl @@ -96,9 +96,10 @@ vrrp_sync_group {{ sync_group.name }} { } {% if sync_group.conntrack_sync %} - notify_master "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh master {{ sync_group.name }}" - notify_backup "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh backup {{ sync_group.name }}" - notify_fault "/opt/vyatta/sbin/vyatta-vrrp-conntracksync.sh fault {{ sync_group.name }}" + {% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} + notify_master "{{ vyos_helper }} master {{ sync_group.name }}" + notify_backup "{{ vyos_helper }} backup {{ sync_group.name }}" + notify_fault "{{ vyos_helper }} fault {{ sync_group.name }}" {% endif %} } |