diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/dhcp-client/ipv4.tmpl | 17 | ||||
-rw-r--r-- | data/templates/dhcp-client/ipv6.tmpl | 4 | ||||
-rw-r--r-- | data/templates/dhcp-relay/config.tmpl | 17 | ||||
-rw-r--r-- | data/templates/dhcp-server/daemon.tmpl | 8 | ||||
-rw-r--r-- | data/templates/dhcpv6-relay/config.tmpl | 4 | ||||
-rw-r--r-- | data/templates/dhcpv6-server/daemon.tmpl | 8 | ||||
-rw-r--r-- | data/templates/dynamic-dns/ddclient.conf.tmpl | 3 | ||||
-rw-r--r-- | data/templates/https/nginx.default.tmpl | 1 | ||||
-rw-r--r-- | data/templates/l2tp/chap-secrets.tmpl | 12 | ||||
-rw-r--r-- | data/templates/l2tp/l2tp.config.tmpl | 140 | ||||
-rw-r--r-- | data/templates/openvpn/server.conf.tmpl | 186 | ||||
-rw-r--r-- | data/templates/pppoe/ip-down.script.tmpl | 6 | ||||
-rw-r--r-- | data/templates/pppoe/ip-up.script.tmpl | 12 | ||||
-rw-r--r-- | data/templates/pppoe/peer.tmpl | 9 | ||||
-rw-r--r-- | data/templates/sstp/sstp.config.tmpl | 3 | ||||
-rw-r--r-- | data/templates/wifi/hostapd.conf.tmpl | 7 |
16 files changed, 217 insertions, 220 deletions
diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.tmpl new file mode 100644 index 000000000..43f273077 --- /dev/null +++ b/data/templates/dhcp-client/ipv4.tmpl @@ -0,0 +1,17 @@ +# generated by ifconfig.py +option rfc3442-classless-static-routes code 121 = array of unsigned integer 8; +timeout 60; +retry 300; + +interface "{{ ifname }}" { + send host-name "{{ hostname }}"; + {% if client_id -%} + send dhcp-client-identifier "{{ client_id }}"; + {% endif -%} + {% if vendor_class_id -%} + send vendor-class-identifier "{{ vendor_class_id }}"; + {% endif -%} + request subnet-mask, broadcast-address, routers, domain-name-servers, + rfc3442-classless-static-routes, domain-name, interface-mtu; + require subnet-mask; +} diff --git a/data/templates/dhcp-client/ipv6.tmpl b/data/templates/dhcp-client/ipv6.tmpl new file mode 100644 index 000000000..83db40c5f --- /dev/null +++ b/data/templates/dhcp-client/ipv6.tmpl @@ -0,0 +1,4 @@ +# generated by ifconfig.py +interface "{{ ifname }}" { + request routers, domain-name-servers, domain-name; +} diff --git a/data/templates/dhcp-relay/config.tmpl b/data/templates/dhcp-relay/config.tmpl index 7203ae9fb..b223807cf 100644 --- a/data/templates/dhcp-relay/config.tmpl +++ b/data/templates/dhcp-relay/config.tmpl @@ -1,17 +1,4 @@ ### Autogenerated by dhcp_relay.py ### -# Defaults for isc-dhcp-relay initscript -# sourced by /etc/init.d/isc-dhcp-relay - -# -# This is a POSIX shell fragment -# - -# What servers should the DHCP relay forward requests to? -SERVERS="{{ server | join(' ') }}" - -# On what interfaces should the DHCP relay (dhrelay) serve DHCP requests? -INTERFACES="{{ interface | join(' ') }}" - -# Additional options that are passed to the DHCP relay daemon? -OPTIONS="-4 {{ options | join(' ') }}" +# Defaults for isc-dhcp-relay6.service +OPTIONS="{{ options | join(' ') }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}" diff --git a/data/templates/dhcp-server/daemon.tmpl b/data/templates/dhcp-server/daemon.tmpl deleted file mode 100644 index f88032d38..000000000 --- a/data/templates/dhcp-server/daemon.tmpl +++ /dev/null @@ -1,8 +0,0 @@ -### Autogenerated by dhcp_server.py ### - -# sourced by /etc/init.d/isc-dhcpv4-server - -DHCPD_CONF={{ config_file }} -DHCPD_PID={{ pid_file }} -OPTIONS="-4 -lf {{ lease_file }}" -INTERFACES="" diff --git a/data/templates/dhcpv6-relay/config.tmpl b/data/templates/dhcpv6-relay/config.tmpl index 28f7a1a58..55035ae6c 100644 --- a/data/templates/dhcpv6-relay/config.tmpl +++ b/data/templates/dhcpv6-relay/config.tmpl @@ -1,4 +1,4 @@ ### Autogenerated by dhcpv6_relay.py ### -# Defaults for isc-dhcpv6-relay initscript sourced by /etc/init.d/isc-dhcpv6-relay -OPTIONS="-6 -l {{ listen_addr | join(' -l ') }} -u {{ upstream_addr | join(' -u ') }} {{ options | join(' ') }}" +# Defaults for isc-dhcp-relay6.service +OPTIONS="-l {{ listen_addr | join(' -l ') }} -u {{ upstream_addr | join(' -u ') }} {{ options | join(' ') }}" diff --git a/data/templates/dhcpv6-server/daemon.tmpl b/data/templates/dhcpv6-server/daemon.tmpl deleted file mode 100644 index a4967e7c3..000000000 --- a/data/templates/dhcpv6-server/daemon.tmpl +++ /dev/null @@ -1,8 +0,0 @@ -### Autogenerated by dhcpv6_server.py ### - -# sourced by /etc/init.d/isc-dhcpv6-server - -DHCPD_CONF={{ config_file }} -DHCPD_PID={{ pid_file }} -OPTIONS="-6 -lf {{ lease_file }}" -INTERFACES="" diff --git a/data/templates/dynamic-dns/ddclient.conf.tmpl b/data/templates/dynamic-dns/ddclient.conf.tmpl index 22cb38f4e..9c7219230 100644 --- a/data/templates/dynamic-dns/ddclient.conf.tmpl +++ b/data/templates/dynamic-dns/ddclient.conf.tmpl @@ -1,10 +1,7 @@ - ### Autogenerated by dynamic_dns.py ### daemon=1m syslog=yes ssl=yes -pid={{ pid_file }} -cache={{ cache_file }} {% for interface in interfaces -%} diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl index 33f7b2820..f4f2c1848 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.tmpl @@ -43,6 +43,7 @@ server { location ~ /(retrieve|configure|config-file|image|generate|show) { {% if server.api %} proxy_pass http://localhost:{{ server.api.port }}; + proxy_read_timeout 600; proxy_buffering off; {% else %} return 503; diff --git a/data/templates/l2tp/chap-secrets.tmpl b/data/templates/l2tp/chap-secrets.tmpl index 0db295fdc..dd00d7bd0 100644 --- a/data/templates/l2tp/chap-secrets.tmpl +++ b/data/templates/l2tp/chap-secrets.tmpl @@ -1,10 +1,10 @@ -# username server password acceptable local IP addresses shaper -{% for user in authentication['local-users'] %} -{% if authentication['local-users'][user]['state'] == 'enabled' %} -{% if authentication['local-users'][user]['upload'] and authentication['local-users'][user]['download'] %} -{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }} {{ authentication['local-users'][user]['download'] }} / {{ authentication['local-users'][user]['upload'] }} +# username server password acceptable local IP addresses shaper +{% for user in local_users %} +{% if user.state == 'enabled' %} +{% if user.upload and user.download %} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }} {% else %} -{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }} +{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {% endif %} {% endif %} {% endfor %} diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl index b8637e256..ba78cadcd 100644 --- a/data/templates/l2tp/l2tp.config.tmpl +++ b/data/templates/l2tp/l2tp.config.tmpl @@ -3,12 +3,14 @@ log_syslog l2tp chap-secrets -{% for proto in authentication['auth_proto']: %} +{% for proto in auth_proto: %} {{proto}} {% endfor%} -{% if authentication['mode'] == 'radius' %} + +{% if auth_mode == 'radius' %} radius {% endif -%} + ippool shaper ipv6pool @@ -23,52 +25,46 @@ syslog=accel-l2tp,daemon copy=1 level=5 -{% if dns %} +{% if dnsv4 %} [dns] -{% if dns[0] %} -dns1={{dns[0]}} -{% endif %} -{% if dns[1] %} -dns2={{dns[1]}} +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} {% endif %} -{% endif -%} {% if dnsv6 %} [ipv6-dns] -{% for srv in dnsv6: %} -{{srv}} -{% endfor %} +{% for dns in dnsv6 -%} +{{ dns }} +{% endfor -%} {% endif %} {% if wins %} [wins] -{% if wins[0] %} -wins1={{wins[0]}} -{% endif %} -{% if wins[1] %} -wins2={{wins[1]}} +{% for server in wins -%} +wins{{ loop.index }}={{ server }} +{% endfor -%} {% endif %} -{% endif -%} [l2tp] verbose=1 ifname=l2tp%d -ppp-max-mtu={{mtu}} -mppe={{authentication['mppe']}} +ppp-max-mtu={{ mtu }} +mppe={{ ppp_mppe }} {% if outside_addr %} -bind={{outside_addr}} +bind={{ outside_addr }} {% endif %} {% if lns_shared_secret %} -secret={{lns_shared_secret}} +secret={{ lns_shared_secret }} {% endif %} [client-ip-range] 0.0.0.0/0 -{% if (client_ip_pool) or (client_ip_subnets) %} +{% if client_ip_pool or client_ip_subnets %} [ip-pool] {% if client_ip_pool %} -{{client_ip_pool}} +{{ client_ip_pool }} {% endif -%} {% if client_ip_subnets %} {% for sn in client_ip_subnets %} @@ -77,34 +73,41 @@ secret={{lns_shared_secret}} {% endif %} {% endif %} {% if gateway_address %} -gw-ip-address={{gateway_address}} +gw-ip-address={{ gateway_address }} {% endif %} -{% if authentication['mode'] == 'local' %} +{% if auth_mode == 'local' %} [chap-secrets] -chap-secrets=/etc/accel-ppp/l2tp/chap-secrets -{% if gateway_address %} -gw-ip-address={{gateway_address}} -{% endif %} +chap-secrets={{ chap_secrets_file }} +{% elif auth_mode == 'radius' %} +[radius] +verbose=1 +{% for r in radius_server %} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} +{% endfor -%} {% endif %} +acct-timeout={{ radius_acct_tmo }} +timeout={{ radius_timeout }} +max-try={{ radius_max_try }} + +{% if radius_nas_id %} +nas-identifier={{ radius_nas_id }} +{% endif -%} +{% if radius_nas_ip %} +nas-ip-address={{ radius_nas_ip }} +{% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + [ppp] verbose=1 check-ip=1 single-session=replace -{% if idle_timeout %} -lcp-echo-timeout={{idle_timeout}} -{% endif %} -{% if ppp_options['lcp-echo-interval'] %} -lcp-echo-interval={{ppp_options['lcp-echo-interval']}} -{% else %} -lcp-echo-interval=30 -{% endif %} -{% if ppp_options['lcp-echo-failure'] %} -lcp-echo-failure={{ppp_options['lcp-echo-failure']}} -{% else %} -lcp-echo-failure=3 -{% endif %} +lcp-echo-timeout={{ ppp_echo_timeout }} +lcp-echo-interval={{ ppp_echo_interval }} +lcp-echo-failure={{ ppp_echo_failure }} {% if ccp_disable %} ccp=0 {% endif %} @@ -112,62 +115,33 @@ ccp=0 ipv6=allow {% endif %} -{% if authentication['mode'] == 'radius' %} -[radius] -{% for rsrv in authentication['radiussrv']: %} -server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\ -req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\ -fail-time={{authentication['radiussrv'][rsrv]['fail-time']}} -{% endfor %} -{% if authentication['radiusopt']['timeout'] %} -timeout={{authentication['radiusopt']['timeout']}} -{% endif %} -{% if authentication['radiusopt']['acct-timeout'] %} -acct-timeout={{authentication['radiusopt']['acct-timeout']}} -{% endif %} -{% if authentication['radiusopt']['max-try'] %} -max-try={{authentication['radiusopt']['max-try']}} -{% endif %} -{% if authentication['radiusopt']['nas-id'] %} -nas-identifier={{authentication['radiusopt']['nas-id']}} -{% endif %} -{% if authentication['radius_source_address'] %} -nas-ip-address={{authentication['radius_source_address']}} -{% endif -%} -{% if authentication['radiusopt']['dae-srv'] %} -dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\ -{{authentication['radiusopt']['dae-srv']['port']}},\ -{{authentication['radiusopt']['dae-srv']['secret']}} -{% endif -%} -gw-ip-address={{gateway_address}} -verbose=1 -{% endif -%} {% if client_ipv6_pool %} [ipv6-pool] -{% for prfx in client_ipv6_pool.prefix: %} -{{prfx}} +{% for p in client_ipv6_pool %} +{{ p.prefix }},{{ p.mask }} {% endfor %} -{% for prfx in client_ipv6_pool.delegate_prefix: %} -delegate={{prfx}} +{% for p in client_ipv6_delegate_prefix %} +delegate={{ p.prefix }},{{ p.mask }} {% endfor %} + {% endif %} -{% if client_ipv6_pool['delegate_prefix'] %} +{% if client_ipv6_delegate_prefix %} [ipv6-dhcp] verbose=1 {% endif %} -{% if authentication['radiusopt']['shaper'] %} +{% if radius_shaper_attr %} [shaper] verbose=1 -attr={{authentication['radiusopt']['shaper']['attr']}} -{% if authentication['radiusopt']['shaper']['vendor'] %} -vendor={{authentication['radiusopt']['shaper']['vendor']}} +attr={{ radius_shaper_attr }} +{% if radius_shaper_vendor %} +vendor={{ radius_shaper_vendor }} {% endif -%} {% endif %} [cli] tcp=127.0.0.1:2004 -sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime +sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index e7715dfb5..a9dacd36e 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -3,18 +3,18 @@ # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage # for individual keyword definition -{% if description %} +{% if description -%} # {{ description }} -{% endif %} + +{% endif -%} verb 3 -status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30 -writepid /var/run/openvpn/{{ intf }}.pid -dev-type {{ type }} -dev {{ intf }} user {{ uid }} group {{ gid }} + +dev-type {{ type }} +dev {{ intf }} persist-key iproute /usr/libexec/vyos/system/unpriv-ip @@ -22,187 +22,197 @@ proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in proto {%- if local_host %} local {{ local_host }} -{% endif %} +{%- endif %} {%- if mode == 'server' and protocol == 'udp' and not local_host %} multihome -{% endif %} +{%- endif %} {%- if local_port %} lport {{ local_port }} -{% endif %} +{%- endif %} -{%- if remote_port %} +{% if remote_port -%} rport {{ remote_port }} {% endif %} {%- if remote_host %} -{% for remote in remote_host -%} +{%- for remote in remote_host -%} remote {{ remote }} {% endfor -%} -{% endif %} +{% endif -%} -{%- if shared_secret_file %} +{% if shared_secret_file %} secret {{ shared_secret_file }} -{% endif %} +{%- endif %} {%- if persistent_tunnel %} persist-tun -{% endif %} +{%- endif %} + +{%- if redirect_gateway %} +push "redirect-gateway {{ redirect_gateway }}" +{%- endif %} -{%- if mode %} -{%- if 'client' in mode %} +{%- if compress_lzo %} +compress lzo +{%- endif %} + +{% if 'client' in mode -%} # # OpenVPN Client mode # client nobind -{%- elif 'server' in mode %} + +{% elif 'server' in mode -%} # # OpenVPN Server mode # -mode server -tls-server -keepalive {{ ping_interval }} {{ ping_restart }} -management /tmp/openvpn-mgmt-intf unix {%- if server_topology %} -topology {% if 'point-to-point' in server_topology %}p2p{% else %}subnet{% endif %} -{% endif %} - -{% for ns in server_dns_nameserver -%} -push "dhcp-option DNS {{ ns }}" -{% endfor -%} +topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %} +{%- endif %} -{% for route in server_push_route -%} -push "route {{ route }}" -{% endfor -%} +{%- if bridge_member %} +mode server +tls-server +{%- else %} +server {{ server_subnet }}{% if server_pool_start %} nopool{% endif %} +{%- endif %} -{%- if server_domain %} -push "dhcp-option DOMAIN {{ server_domain }}" -{% endif %} +{%- if server_pool_start %} +ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %} +{%- endif %} {%- if server_max_conn %} max-clients {{ server_max_conn }} -{% endif %} +{%- endif %} -{%- if bridge_member %} -server-bridge nogw -{%- else %} -server {{ server_subnet }} -{% endif %} +{%- if client %} +client-config-dir /run/openvpn/ccd/{{ intf }} +{%- endif %} {%- if server_reject_unconfigured %} ccd-exclusive +{%- endif %} + +keepalive {{ ping_interval }} {{ ping_restart }} +management /tmp/openvpn-mgmt-intf unix + +{% for route in server_push_route -%} +push "route {{ route }}" +{% endfor -%} + +{% for ns in server_dns_nameserver -%} +push "dhcp-option DNS {{ ns }}" +{% endfor -%} + +{%- if server_domain -%} +push "dhcp-option DOMAIN {{ server_domain }}" {% endif %} -{%- else %} +{% else -%} # # OpenVPN site-2-site mode # ping {{ ping_interval }} ping-restart {{ ping_restart }} -{%- if local_address_subnet %} +{% if local_address_subnet -%} ifconfig {{ local_address }} {{ local_address_subnet }} -{% elif remote_address %} +{%- elif remote_address -%} ifconfig {{ local_address }} {{ remote_address }} -{% endif %} +{%- endif %} -{% endif %} -{% endif %} +{% endif -%} +{% if tls -%} +# TLS options {%- if tls_ca_cert %} ca {{ tls_ca_cert }} -{% endif %} +{%- endif %} {%- if tls_cert %} cert {{ tls_cert }} -{% endif %} +{%- endif %} {%- if tls_key %} key {{ tls_key }} -{% endif %} +{%- endif %} {%- if tls_crypt %} tls-crypt {{ tls_crypt }} -{% endif %} +{%- endif %} {%- if tls_crl %} crl-verify {{ tls_crl }} -{% endif %} +{%- endif %} {%- if tls_version_min %} tls-version-min {{tls_version_min}} -{% endif %} +{%- endif %} {%- if tls_dh %} dh {{ tls_dh }} -{% endif %} +{%- endif %} {%- if tls_auth %} tls-auth {{tls_auth}} -{% endif %} +{%- endif %} +{%- if tls_role %} {%- if 'active' in tls_role %} tls-client {%- elif 'passive' in tls_role %} tls-server -{% endif %} +{%- endif %} +{%- endif %} -{%- if redirect_gateway %} -push "redirect-gateway {{ redirect_gateway }}" -{% endif %} - -{%- if compress_lzo %} -compress lzo -{% endif %} - -{%- if hash %} -auth {{ hash }} -{% endif %} +{%- endif %} +# Encryption options {%- if encryption %} -{%- if 'des' in encryption %} +{% if encryption == 'des' -%} cipher des-cbc -{%- elif '3des' in encryption %} +{%- elif encryption == '3des' -%} cipher des-ede3-cbc -{%- elif 'bf128' in encryption %} +{%- elif encryption == 'bf128' -%} cipher bf-cbc keysize 128 -{%- elif 'bf256' in encryption %} +{%- elif encryption == 'bf256' -%} cipher bf-cbc keysize 25 -{%- elif 'aes128gcm' in encryption %} +{%- elif encryption == 'aes128gcm' -%} cipher aes-128-gcm -{%- elif 'aes128' in encryption %} +{%- elif encryption == 'aes128' -%} cipher aes-128-cbc -{%- elif 'aes192gcm' in encryption %} +{%- elif encryption == 'aes192gcm' -%} cipher aes-192-gcm -{%- elif 'aes192' in encryption %} +{%- elif encryption == 'aes192' -%} cipher aes-192-cbc -{%- elif 'aes256gcm' in encryption %} +{%- elif encryption == 'aes256gcm' -%} cipher aes-256-gcm -{%- elif 'aes256' in encryption %} +{%- elif encryption == 'aes256' -%} cipher aes-256-cbc -{% endif %} -{% endif %} +{%- endif -%} +{%- endif %} {%- if ncp_ciphers %} ncp-ciphers {{ncp_ciphers}} -{% endif %} +{%- endif %} {%- if disable_ncp %} ncp-disable -{% endif %} +{%- endif %} + +{% if hash -%} +auth {{ hash }} +{%- endif -%} {%- if auth %} auth-user-pass /tmp/openvpn-{{ intf }}-pw auth-retry nointeract -{% endif %} - -{%- if client %} -client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }} -{% endif %} +{%- endif %} # DEPRECATED This option will be removed in OpenVPN 2.5 # Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: @@ -218,6 +228,12 @@ client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }} # See https://phabricator.vyos.net/T1512 compat-names +{% if options -%} +# +# Custom options added by user (not validated) +# + {% for option in options -%} {{ option }} {% endfor -%} +{%- endif %} diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl index e76875f12..a68fc099c 100644 --- a/data/templates/pppoe/ip-down.script.tmpl +++ b/data/templates/pppoe/ip-down.script.tmpl @@ -10,8 +10,9 @@ fi DIALER_PID=$(cat /var/run/{{ intf }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -# Determine if we are enslaved to a VRF, this is needed to properly insert -# the default route +{% if not on_demand %} +# See https://phabricator.vyos.net/T2248. Determine if we are enslaved to a +# VRF, this is needed to properly insert the default route. VRF_NAME="" if [ -d /sys/class/net/{{ intf }}/upper_* ]; then # Determine upper (VRF) interface @@ -24,3 +25,4 @@ fi # Always delete default route when interface goes down vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" +{% endif %} diff --git a/data/templates/pppoe/ip-up.script.tmpl b/data/templates/pppoe/ip-up.script.tmpl index 4cc779914..697ebcc20 100644 --- a/data/templates/pppoe/ip-up.script.tmpl +++ b/data/templates/pppoe/ip-up.script.tmpl @@ -6,13 +6,15 @@ if [ "$6" != "{{ intf }}" ]; then exit fi -set -x +{% if not on_demand %} +# See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved +# to a VRF, this is needed to properly insert the default route. # add some info to syslog DIALER_PID=$(cat /var/run/{{ intf }}.pid) logger -t pppd[$DIALER_PID] "executing $0" -SED_OPT="ip route" +SED_OPT="^ip route" VRF_NAME="" if [ -d /sys/class/net/{{ intf }}/upper_* ]; then # Determine upper (VRF) interface @@ -25,10 +27,8 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then VRF_NAME="vrf ${VRF}" fi -# Debian PPP version has no support for replacing an existing default route -# thus we emulate this ba an ip-up script https://phabricator.vyos.net/T2220. {% if 'auto' in default_route -%} -# only insert a new default route if there is no default route configured +# Only insert a new default route if there is no default route configured routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep 0.0.0.0/0 | wc -l) if [ "$routes" -ne 0 ]; then exit 1 @@ -44,4 +44,4 @@ done # Add default route to default or VRF routing table vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}" logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}" - +{% endif %} diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.tmpl index 8651f12a5..36d108cee 100644 --- a/data/templates/pppoe/peer.tmpl +++ b/data/templates/pppoe/peer.tmpl @@ -60,4 +60,13 @@ rp_pppoe_service "{{ service_name }}" {% endif %} {% if on_demand %} demand +# See T2249. PPP default route options should only be set when in on-demand +# mode. As soon as we are not in on-demand mode the default-route handling is +# passed to the ip-up.d/ip-down.s scripts which is required for VRF support. +{% if 'auto' in default_route -%} +defaultroute +{% elif 'force' in default_route -%} +defaultroute +replacedefaultroute +{% endif %} {% endif %} diff --git a/data/templates/sstp/sstp.config.tmpl b/data/templates/sstp/sstp.config.tmpl index 19805358e..acdb6c76b 100644 --- a/data/templates/sstp/sstp.config.tmpl +++ b/data/templates/sstp/sstp.config.tmpl @@ -30,6 +30,7 @@ disable [sstp] verbose=1 +ifname=sstp%d accept=ssl ssl-ca-file={{ ssl_ca }} ssl-pemfile={{ ssl_cert }} @@ -52,7 +53,7 @@ dns{{ loop.index }}={{ dns }} {% if auth_mode == 'local' %} [chap-secrets] -chap-secrets=/etc/accel-ppp/sstp/chap-secrets +chap-secrets={{ chap_secrets_file }} {% elif auth_mode == 'radius' %} [radius] verbose=1 diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl index 031fb6c90..e2fb9ca8f 100644 --- a/data/templates/wifi/hostapd.conf.tmpl +++ b/data/templates/wifi/hostapd.conf.tmpl @@ -73,7 +73,6 @@ channel={{ channel }} # offloaded ACS is used. {% if 'n' in mode -%} hw_mode=g -ieee80211n=1 {% elif 'ac' in mode -%} hw_mode=a ieee80211h=1 @@ -421,6 +420,12 @@ vht_capab= ieee80211n=0 # Require stations to support VHT PHY (reject association if they do not) require_vht=1 +{% else -%} +{% if 'n' in mode or 'ac' in mode -%} +ieee80211n=1 +{% else -%} +ieee80211n=0 +{%- endif %} {% endif %} {% if cap_vht_center_freq_1 -%} |