summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/dhcp-client/ipv4.tmpl17
-rw-r--r--data/templates/dhcp-client/ipv6.tmpl4
-rw-r--r--data/templates/dhcp-relay/config.tmpl17
-rw-r--r--data/templates/dhcp-server/daemon.tmpl8
-rw-r--r--data/templates/dhcpv6-relay/config.tmpl4
-rw-r--r--data/templates/dhcpv6-server/daemon.tmpl8
-rw-r--r--data/templates/dynamic-dns/ddclient.conf.tmpl3
-rw-r--r--data/templates/https/nginx.default.tmpl1
-rw-r--r--data/templates/l2tp/chap-secrets.tmpl12
-rw-r--r--data/templates/l2tp/l2tp.config.tmpl140
-rw-r--r--data/templates/openvpn/server.conf.tmpl186
-rw-r--r--data/templates/pppoe/ip-down.script.tmpl6
-rw-r--r--data/templates/pppoe/ip-up.script.tmpl12
-rw-r--r--data/templates/pppoe/peer.tmpl9
-rw-r--r--data/templates/sstp/sstp.config.tmpl3
-rw-r--r--data/templates/wifi/hostapd.conf.tmpl7
16 files changed, 217 insertions, 220 deletions
diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.tmpl
new file mode 100644
index 000000000..43f273077
--- /dev/null
+++ b/data/templates/dhcp-client/ipv4.tmpl
@@ -0,0 +1,17 @@
+# generated by ifconfig.py
+option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
+timeout 60;
+retry 300;
+
+interface "{{ ifname }}" {
+ send host-name "{{ hostname }}";
+ {% if client_id -%}
+ send dhcp-client-identifier "{{ client_id }}";
+ {% endif -%}
+ {% if vendor_class_id -%}
+ send vendor-class-identifier "{{ vendor_class_id }}";
+ {% endif -%}
+ request subnet-mask, broadcast-address, routers, domain-name-servers,
+ rfc3442-classless-static-routes, domain-name, interface-mtu;
+ require subnet-mask;
+}
diff --git a/data/templates/dhcp-client/ipv6.tmpl b/data/templates/dhcp-client/ipv6.tmpl
new file mode 100644
index 000000000..83db40c5f
--- /dev/null
+++ b/data/templates/dhcp-client/ipv6.tmpl
@@ -0,0 +1,4 @@
+# generated by ifconfig.py
+interface "{{ ifname }}" {
+ request routers, domain-name-servers, domain-name;
+}
diff --git a/data/templates/dhcp-relay/config.tmpl b/data/templates/dhcp-relay/config.tmpl
index 7203ae9fb..b223807cf 100644
--- a/data/templates/dhcp-relay/config.tmpl
+++ b/data/templates/dhcp-relay/config.tmpl
@@ -1,17 +1,4 @@
### Autogenerated by dhcp_relay.py ###
-# Defaults for isc-dhcp-relay initscript
-# sourced by /etc/init.d/isc-dhcp-relay
-
-#
-# This is a POSIX shell fragment
-#
-
-# What servers should the DHCP relay forward requests to?
-SERVERS="{{ server | join(' ') }}"
-
-# On what interfaces should the DHCP relay (dhrelay) serve DHCP requests?
-INTERFACES="{{ interface | join(' ') }}"
-
-# Additional options that are passed to the DHCP relay daemon?
-OPTIONS="-4 {{ options | join(' ') }}"
+# Defaults for isc-dhcp-relay6.service
+OPTIONS="{{ options | join(' ') }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}"
diff --git a/data/templates/dhcp-server/daemon.tmpl b/data/templates/dhcp-server/daemon.tmpl
deleted file mode 100644
index f88032d38..000000000
--- a/data/templates/dhcp-server/daemon.tmpl
+++ /dev/null
@@ -1,8 +0,0 @@
-### Autogenerated by dhcp_server.py ###
-
-# sourced by /etc/init.d/isc-dhcpv4-server
-
-DHCPD_CONF={{ config_file }}
-DHCPD_PID={{ pid_file }}
-OPTIONS="-4 -lf {{ lease_file }}"
-INTERFACES=""
diff --git a/data/templates/dhcpv6-relay/config.tmpl b/data/templates/dhcpv6-relay/config.tmpl
index 28f7a1a58..55035ae6c 100644
--- a/data/templates/dhcpv6-relay/config.tmpl
+++ b/data/templates/dhcpv6-relay/config.tmpl
@@ -1,4 +1,4 @@
### Autogenerated by dhcpv6_relay.py ###
-# Defaults for isc-dhcpv6-relay initscript sourced by /etc/init.d/isc-dhcpv6-relay
-OPTIONS="-6 -l {{ listen_addr | join(' -l ') }} -u {{ upstream_addr | join(' -u ') }} {{ options | join(' ') }}"
+# Defaults for isc-dhcp-relay6.service
+OPTIONS="-l {{ listen_addr | join(' -l ') }} -u {{ upstream_addr | join(' -u ') }} {{ options | join(' ') }}"
diff --git a/data/templates/dhcpv6-server/daemon.tmpl b/data/templates/dhcpv6-server/daemon.tmpl
deleted file mode 100644
index a4967e7c3..000000000
--- a/data/templates/dhcpv6-server/daemon.tmpl
+++ /dev/null
@@ -1,8 +0,0 @@
-### Autogenerated by dhcpv6_server.py ###
-
-# sourced by /etc/init.d/isc-dhcpv6-server
-
-DHCPD_CONF={{ config_file }}
-DHCPD_PID={{ pid_file }}
-OPTIONS="-6 -lf {{ lease_file }}"
-INTERFACES=""
diff --git a/data/templates/dynamic-dns/ddclient.conf.tmpl b/data/templates/dynamic-dns/ddclient.conf.tmpl
index 22cb38f4e..9c7219230 100644
--- a/data/templates/dynamic-dns/ddclient.conf.tmpl
+++ b/data/templates/dynamic-dns/ddclient.conf.tmpl
@@ -1,10 +1,7 @@
-
### Autogenerated by dynamic_dns.py ###
daemon=1m
syslog=yes
ssl=yes
-pid={{ pid_file }}
-cache={{ cache_file }}
{% for interface in interfaces -%}
diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl
index 33f7b2820..f4f2c1848 100644
--- a/data/templates/https/nginx.default.tmpl
+++ b/data/templates/https/nginx.default.tmpl
@@ -43,6 +43,7 @@ server {
location ~ /(retrieve|configure|config-file|image|generate|show) {
{% if server.api %}
proxy_pass http://localhost:{{ server.api.port }};
+ proxy_read_timeout 600;
proxy_buffering off;
{% else %}
return 503;
diff --git a/data/templates/l2tp/chap-secrets.tmpl b/data/templates/l2tp/chap-secrets.tmpl
index 0db295fdc..dd00d7bd0 100644
--- a/data/templates/l2tp/chap-secrets.tmpl
+++ b/data/templates/l2tp/chap-secrets.tmpl
@@ -1,10 +1,10 @@
-# username server password acceptable local IP addresses shaper
-{% for user in authentication['local-users'] %}
-{% if authentication['local-users'][user]['state'] == 'enabled' %}
-{% if authentication['local-users'][user]['upload'] and authentication['local-users'][user]['download'] %}
-{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }} {{ authentication['local-users'][user]['download'] }} / {{ authentication['local-users'][user]['upload'] }}
+# username server password acceptable local IP addresses shaper
+{% for user in local_users %}
+{% if user.state == 'enabled' %}
+{% if user.upload and user.download %}
+{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }} / {{ user.upload }}
{% else %}
-{{ "%-12s" | format(user) }} * {{ "%-16s" | format(authentication['local-users'][user]['passwd']) }} {{ "%-16s" | format(authentication['local-users'][user]['ip']) }}
+{{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }}
{% endif %}
{% endif %}
{% endfor %}
diff --git a/data/templates/l2tp/l2tp.config.tmpl b/data/templates/l2tp/l2tp.config.tmpl
index b8637e256..ba78cadcd 100644
--- a/data/templates/l2tp/l2tp.config.tmpl
+++ b/data/templates/l2tp/l2tp.config.tmpl
@@ -3,12 +3,14 @@
log_syslog
l2tp
chap-secrets
-{% for proto in authentication['auth_proto']: %}
+{% for proto in auth_proto: %}
{{proto}}
{% endfor%}
-{% if authentication['mode'] == 'radius' %}
+
+{% if auth_mode == 'radius' %}
radius
{% endif -%}
+
ippool
shaper
ipv6pool
@@ -23,52 +25,46 @@ syslog=accel-l2tp,daemon
copy=1
level=5
-{% if dns %}
+{% if dnsv4 %}
[dns]
-{% if dns[0] %}
-dns1={{dns[0]}}
-{% endif %}
-{% if dns[1] %}
-dns2={{dns[1]}}
+{% for dns in dnsv4 -%}
+dns{{ loop.index }}={{ dns }}
+{% endfor -%}
{% endif %}
-{% endif -%}
{% if dnsv6 %}
[ipv6-dns]
-{% for srv in dnsv6: %}
-{{srv}}
-{% endfor %}
+{% for dns in dnsv6 -%}
+{{ dns }}
+{% endfor -%}
{% endif %}
{% if wins %}
[wins]
-{% if wins[0] %}
-wins1={{wins[0]}}
-{% endif %}
-{% if wins[1] %}
-wins2={{wins[1]}}
+{% for server in wins -%}
+wins{{ loop.index }}={{ server }}
+{% endfor -%}
{% endif %}
-{% endif -%}
[l2tp]
verbose=1
ifname=l2tp%d
-ppp-max-mtu={{mtu}}
-mppe={{authentication['mppe']}}
+ppp-max-mtu={{ mtu }}
+mppe={{ ppp_mppe }}
{% if outside_addr %}
-bind={{outside_addr}}
+bind={{ outside_addr }}
{% endif %}
{% if lns_shared_secret %}
-secret={{lns_shared_secret}}
+secret={{ lns_shared_secret }}
{% endif %}
[client-ip-range]
0.0.0.0/0
-{% if (client_ip_pool) or (client_ip_subnets) %}
+{% if client_ip_pool or client_ip_subnets %}
[ip-pool]
{% if client_ip_pool %}
-{{client_ip_pool}}
+{{ client_ip_pool }}
{% endif -%}
{% if client_ip_subnets %}
{% for sn in client_ip_subnets %}
@@ -77,34 +73,41 @@ secret={{lns_shared_secret}}
{% endif %}
{% endif %}
{% if gateway_address %}
-gw-ip-address={{gateway_address}}
+gw-ip-address={{ gateway_address }}
{% endif %}
-{% if authentication['mode'] == 'local' %}
+{% if auth_mode == 'local' %}
[chap-secrets]
-chap-secrets=/etc/accel-ppp/l2tp/chap-secrets
-{% if gateway_address %}
-gw-ip-address={{gateway_address}}
-{% endif %}
+chap-secrets={{ chap_secrets_file }}
+{% elif auth_mode == 'radius' %}
+[radius]
+verbose=1
+{% for r in radius_server %}
+server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }}
+{% endfor -%}
{% endif %}
+acct-timeout={{ radius_acct_tmo }}
+timeout={{ radius_timeout }}
+max-try={{ radius_max_try }}
+
+{% if radius_nas_id %}
+nas-identifier={{ radius_nas_id }}
+{% endif -%}
+{% if radius_nas_ip %}
+nas-ip-address={{ radius_nas_ip }}
+{% endif -%}
+{% if radius_source_address %}
+bind={{ radius_source_address }}
+{% endif -%}
+
[ppp]
verbose=1
check-ip=1
single-session=replace
-{% if idle_timeout %}
-lcp-echo-timeout={{idle_timeout}}
-{% endif %}
-{% if ppp_options['lcp-echo-interval'] %}
-lcp-echo-interval={{ppp_options['lcp-echo-interval']}}
-{% else %}
-lcp-echo-interval=30
-{% endif %}
-{% if ppp_options['lcp-echo-failure'] %}
-lcp-echo-failure={{ppp_options['lcp-echo-failure']}}
-{% else %}
-lcp-echo-failure=3
-{% endif %}
+lcp-echo-timeout={{ ppp_echo_timeout }}
+lcp-echo-interval={{ ppp_echo_interval }}
+lcp-echo-failure={{ ppp_echo_failure }}
{% if ccp_disable %}
ccp=0
{% endif %}
@@ -112,62 +115,33 @@ ccp=0
ipv6=allow
{% endif %}
-{% if authentication['mode'] == 'radius' %}
-[radius]
-{% for rsrv in authentication['radiussrv']: %}
-server={{rsrv}},{{authentication['radiussrv'][rsrv]['secret']}},\
-req-limit={{authentication['radiussrv'][rsrv]['req-limit']}},\
-fail-time={{authentication['radiussrv'][rsrv]['fail-time']}}
-{% endfor %}
-{% if authentication['radiusopt']['timeout'] %}
-timeout={{authentication['radiusopt']['timeout']}}
-{% endif %}
-{% if authentication['radiusopt']['acct-timeout'] %}
-acct-timeout={{authentication['radiusopt']['acct-timeout']}}
-{% endif %}
-{% if authentication['radiusopt']['max-try'] %}
-max-try={{authentication['radiusopt']['max-try']}}
-{% endif %}
-{% if authentication['radiusopt']['nas-id'] %}
-nas-identifier={{authentication['radiusopt']['nas-id']}}
-{% endif %}
-{% if authentication['radius_source_address'] %}
-nas-ip-address={{authentication['radius_source_address']}}
-{% endif -%}
-{% if authentication['radiusopt']['dae-srv'] %}
-dae-server={{authentication['radiusopt']['dae-srv']['ip-addr']}}:\
-{{authentication['radiusopt']['dae-srv']['port']}},\
-{{authentication['radiusopt']['dae-srv']['secret']}}
-{% endif -%}
-gw-ip-address={{gateway_address}}
-verbose=1
-{% endif -%}
{% if client_ipv6_pool %}
[ipv6-pool]
-{% for prfx in client_ipv6_pool.prefix: %}
-{{prfx}}
+{% for p in client_ipv6_pool %}
+{{ p.prefix }},{{ p.mask }}
{% endfor %}
-{% for prfx in client_ipv6_pool.delegate_prefix: %}
-delegate={{prfx}}
+{% for p in client_ipv6_delegate_prefix %}
+delegate={{ p.prefix }},{{ p.mask }}
{% endfor %}
+
{% endif %}
-{% if client_ipv6_pool['delegate_prefix'] %}
+{% if client_ipv6_delegate_prefix %}
[ipv6-dhcp]
verbose=1
{% endif %}
-{% if authentication['radiusopt']['shaper'] %}
+{% if radius_shaper_attr %}
[shaper]
verbose=1
-attr={{authentication['radiusopt']['shaper']['attr']}}
-{% if authentication['radiusopt']['shaper']['vendor'] %}
-vendor={{authentication['radiusopt']['shaper']['vendor']}}
+attr={{ radius_shaper_attr }}
+{% if radius_shaper_vendor %}
+vendor={{ radius_shaper_vendor }}
{% endif -%}
{% endif %}
[cli]
tcp=127.0.0.1:2004
-sessions-columns=ifname,username,calling-sid,ip,{{ip6_column}}{{ip6_dp_column}}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
+sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index e7715dfb5..a9dacd36e 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -3,18 +3,18 @@
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
-{% if description %}
+{% if description -%}
# {{ description }}
-{% endif %}
+
+{% endif -%}
verb 3
-status /opt/vyatta/etc/openvpn/status/{{ intf }}.status 30
-writepid /var/run/openvpn/{{ intf }}.pid
-dev-type {{ type }}
-dev {{ intf }}
user {{ uid }}
group {{ gid }}
+
+dev-type {{ type }}
+dev {{ intf }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
@@ -22,187 +22,197 @@ proto {% if 'tcp-active' in protocol -%}tcp-client{% elif 'tcp-passive' in proto
{%- if local_host %}
local {{ local_host }}
-{% endif %}
+{%- endif %}
{%- if mode == 'server' and protocol == 'udp' and not local_host %}
multihome
-{% endif %}
+{%- endif %}
{%- if local_port %}
lport {{ local_port }}
-{% endif %}
+{%- endif %}
-{%- if remote_port %}
+{% if remote_port -%}
rport {{ remote_port }}
{% endif %}
{%- if remote_host %}
-{% for remote in remote_host -%}
+{%- for remote in remote_host -%}
remote {{ remote }}
{% endfor -%}
-{% endif %}
+{% endif -%}
-{%- if shared_secret_file %}
+{% if shared_secret_file %}
secret {{ shared_secret_file }}
-{% endif %}
+{%- endif %}
{%- if persistent_tunnel %}
persist-tun
-{% endif %}
+{%- endif %}
+
+{%- if redirect_gateway %}
+push "redirect-gateway {{ redirect_gateway }}"
+{%- endif %}
-{%- if mode %}
-{%- if 'client' in mode %}
+{%- if compress_lzo %}
+compress lzo
+{%- endif %}
+
+{% if 'client' in mode -%}
#
# OpenVPN Client mode
#
client
nobind
-{%- elif 'server' in mode %}
+
+{% elif 'server' in mode -%}
#
# OpenVPN Server mode
#
-mode server
-tls-server
-keepalive {{ ping_interval }} {{ ping_restart }}
-management /tmp/openvpn-mgmt-intf unix
{%- if server_topology %}
-topology {% if 'point-to-point' in server_topology %}p2p{% else %}subnet{% endif %}
-{% endif %}
-
-{% for ns in server_dns_nameserver -%}
-push "dhcp-option DNS {{ ns }}"
-{% endfor -%}
+topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
+{%- endif %}
-{% for route in server_push_route -%}
-push "route {{ route }}"
-{% endfor -%}
+{%- if bridge_member %}
+mode server
+tls-server
+{%- else %}
+server {{ server_subnet }}{% if server_pool_start %} nopool{% endif %}
+{%- endif %}
-{%- if server_domain %}
-push "dhcp-option DOMAIN {{ server_domain }}"
-{% endif %}
+{%- if server_pool_start %}
+ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
+{%- endif %}
{%- if server_max_conn %}
max-clients {{ server_max_conn }}
-{% endif %}
+{%- endif %}
-{%- if bridge_member %}
-server-bridge nogw
-{%- else %}
-server {{ server_subnet }}
-{% endif %}
+{%- if client %}
+client-config-dir /run/openvpn/ccd/{{ intf }}
+{%- endif %}
{%- if server_reject_unconfigured %}
ccd-exclusive
+{%- endif %}
+
+keepalive {{ ping_interval }} {{ ping_restart }}
+management /tmp/openvpn-mgmt-intf unix
+
+{% for route in server_push_route -%}
+push "route {{ route }}"
+{% endfor -%}
+
+{% for ns in server_dns_nameserver -%}
+push "dhcp-option DNS {{ ns }}"
+{% endfor -%}
+
+{%- if server_domain -%}
+push "dhcp-option DOMAIN {{ server_domain }}"
{% endif %}
-{%- else %}
+{% else -%}
#
# OpenVPN site-2-site mode
#
ping {{ ping_interval }}
ping-restart {{ ping_restart }}
-{%- if local_address_subnet %}
+{% if local_address_subnet -%}
ifconfig {{ local_address }} {{ local_address_subnet }}
-{% elif remote_address %}
+{%- elif remote_address -%}
ifconfig {{ local_address }} {{ remote_address }}
-{% endif %}
+{%- endif %}
-{% endif %}
-{% endif %}
+{% endif -%}
+{% if tls -%}
+# TLS options
{%- if tls_ca_cert %}
ca {{ tls_ca_cert }}
-{% endif %}
+{%- endif %}
{%- if tls_cert %}
cert {{ tls_cert }}
-{% endif %}
+{%- endif %}
{%- if tls_key %}
key {{ tls_key }}
-{% endif %}
+{%- endif %}
{%- if tls_crypt %}
tls-crypt {{ tls_crypt }}
-{% endif %}
+{%- endif %}
{%- if tls_crl %}
crl-verify {{ tls_crl }}
-{% endif %}
+{%- endif %}
{%- if tls_version_min %}
tls-version-min {{tls_version_min}}
-{% endif %}
+{%- endif %}
{%- if tls_dh %}
dh {{ tls_dh }}
-{% endif %}
+{%- endif %}
{%- if tls_auth %}
tls-auth {{tls_auth}}
-{% endif %}
+{%- endif %}
+{%- if tls_role %}
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
tls-server
-{% endif %}
+{%- endif %}
+{%- endif %}
-{%- if redirect_gateway %}
-push "redirect-gateway {{ redirect_gateway }}"
-{% endif %}
-
-{%- if compress_lzo %}
-compress lzo
-{% endif %}
-
-{%- if hash %}
-auth {{ hash }}
-{% endif %}
+{%- endif %}
+# Encryption options
{%- if encryption %}
-{%- if 'des' in encryption %}
+{% if encryption == 'des' -%}
cipher des-cbc
-{%- elif '3des' in encryption %}
+{%- elif encryption == '3des' -%}
cipher des-ede3-cbc
-{%- elif 'bf128' in encryption %}
+{%- elif encryption == 'bf128' -%}
cipher bf-cbc
keysize 128
-{%- elif 'bf256' in encryption %}
+{%- elif encryption == 'bf256' -%}
cipher bf-cbc
keysize 25
-{%- elif 'aes128gcm' in encryption %}
+{%- elif encryption == 'aes128gcm' -%}
cipher aes-128-gcm
-{%- elif 'aes128' in encryption %}
+{%- elif encryption == 'aes128' -%}
cipher aes-128-cbc
-{%- elif 'aes192gcm' in encryption %}
+{%- elif encryption == 'aes192gcm' -%}
cipher aes-192-gcm
-{%- elif 'aes192' in encryption %}
+{%- elif encryption == 'aes192' -%}
cipher aes-192-cbc
-{%- elif 'aes256gcm' in encryption %}
+{%- elif encryption == 'aes256gcm' -%}
cipher aes-256-gcm
-{%- elif 'aes256' in encryption %}
+{%- elif encryption == 'aes256' -%}
cipher aes-256-cbc
-{% endif %}
-{% endif %}
+{%- endif -%}
+{%- endif %}
{%- if ncp_ciphers %}
ncp-ciphers {{ncp_ciphers}}
-{% endif %}
+{%- endif %}
{%- if disable_ncp %}
ncp-disable
-{% endif %}
+{%- endif %}
+
+{% if hash -%}
+auth {{ hash }}
+{%- endif -%}
{%- if auth %}
auth-user-pass /tmp/openvpn-{{ intf }}-pw
auth-retry nointeract
-{% endif %}
-
-{%- if client %}
-client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }}
-{% endif %}
+{%- endif %}
# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
@@ -218,6 +228,12 @@ client-config-dir /opt/vyatta/etc/openvpn/ccd/{{ intf }}
# See https://phabricator.vyos.net/T1512
compat-names
+{% if options -%}
+#
+# Custom options added by user (not validated)
+#
+
{% for option in options -%}
{{ option }}
{% endfor -%}
+{%- endif %}
diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl
index e76875f12..a68fc099c 100644
--- a/data/templates/pppoe/ip-down.script.tmpl
+++ b/data/templates/pppoe/ip-down.script.tmpl
@@ -10,8 +10,9 @@ fi
DIALER_PID=$(cat /var/run/{{ intf }}.pid)
logger -t pppd[$DIALER_PID] "executing $0"
-# Determine if we are enslaved to a VRF, this is needed to properly insert
-# the default route
+{% if not on_demand %}
+# See https://phabricator.vyos.net/T2248. Determine if we are enslaved to a
+# VRF, this is needed to properly insert the default route.
VRF_NAME=""
if [ -d /sys/class/net/{{ intf }}/upper_* ]; then
# Determine upper (VRF) interface
@@ -24,3 +25,4 @@ fi
# Always delete default route when interface goes down
vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}"
+{% endif %}
diff --git a/data/templates/pppoe/ip-up.script.tmpl b/data/templates/pppoe/ip-up.script.tmpl
index 4cc779914..697ebcc20 100644
--- a/data/templates/pppoe/ip-up.script.tmpl
+++ b/data/templates/pppoe/ip-up.script.tmpl
@@ -6,13 +6,15 @@ if [ "$6" != "{{ intf }}" ]; then
exit
fi
-set -x
+{% if not on_demand %}
+# See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved
+# to a VRF, this is needed to properly insert the default route.
# add some info to syslog
DIALER_PID=$(cat /var/run/{{ intf }}.pid)
logger -t pppd[$DIALER_PID] "executing $0"
-SED_OPT="ip route"
+SED_OPT="^ip route"
VRF_NAME=""
if [ -d /sys/class/net/{{ intf }}/upper_* ]; then
# Determine upper (VRF) interface
@@ -25,10 +27,8 @@ if [ -d /sys/class/net/{{ intf }}/upper_* ]; then
VRF_NAME="vrf ${VRF}"
fi
-# Debian PPP version has no support for replacing an existing default route
-# thus we emulate this ba an ip-up script https://phabricator.vyos.net/T2220.
{% if 'auto' in default_route -%}
-# only insert a new default route if there is no default route configured
+# Only insert a new default route if there is no default route configured
routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep 0.0.0.0/0 | wc -l)
if [ "$routes" -ne 0 ]; then
exit 1
@@ -44,4 +44,4 @@ done
# Add default route to default or VRF routing table
vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ intf }} ${VRF_NAME}"
logger -t pppd[$DIALER_PID] "added default route via {{ intf }} ${VRF_NAME}"
-
+{% endif %}
diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.tmpl
index 8651f12a5..36d108cee 100644
--- a/data/templates/pppoe/peer.tmpl
+++ b/data/templates/pppoe/peer.tmpl
@@ -60,4 +60,13 @@ rp_pppoe_service "{{ service_name }}"
{% endif %}
{% if on_demand %}
demand
+# See T2249. PPP default route options should only be set when in on-demand
+# mode. As soon as we are not in on-demand mode the default-route handling is
+# passed to the ip-up.d/ip-down.s scripts which is required for VRF support.
+{% if 'auto' in default_route -%}
+defaultroute
+{% elif 'force' in default_route -%}
+defaultroute
+replacedefaultroute
+{% endif %}
{% endif %}
diff --git a/data/templates/sstp/sstp.config.tmpl b/data/templates/sstp/sstp.config.tmpl
index 19805358e..acdb6c76b 100644
--- a/data/templates/sstp/sstp.config.tmpl
+++ b/data/templates/sstp/sstp.config.tmpl
@@ -30,6 +30,7 @@ disable
[sstp]
verbose=1
+ifname=sstp%d
accept=ssl
ssl-ca-file={{ ssl_ca }}
ssl-pemfile={{ ssl_cert }}
@@ -52,7 +53,7 @@ dns{{ loop.index }}={{ dns }}
{% if auth_mode == 'local' %}
[chap-secrets]
-chap-secrets=/etc/accel-ppp/sstp/chap-secrets
+chap-secrets={{ chap_secrets_file }}
{% elif auth_mode == 'radius' %}
[radius]
verbose=1
diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index 031fb6c90..e2fb9ca8f 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -73,7 +73,6 @@ channel={{ channel }}
# offloaded ACS is used.
{% if 'n' in mode -%}
hw_mode=g
-ieee80211n=1
{% elif 'ac' in mode -%}
hw_mode=a
ieee80211h=1
@@ -421,6 +420,12 @@ vht_capab=
ieee80211n=0
# Require stations to support VHT PHY (reject association if they do not)
require_vht=1
+{% else -%}
+{% if 'n' in mode or 'ac' in mode -%}
+ieee80211n=1
+{% else -%}
+ieee80211n=0
+{%- endif %}
{% endif %}
{% if cap_vht_center_freq_1 -%}