Diffstat (limited to 'data')
-rw-r--r--data/templates/dhcp-client/daemon-options.j24
-rw-r--r--data/templates/dhcp-client/dhcp6c_daemon-options.j22
-rw-r--r--data/templates/dhcp-client/ipv6.override.conf.j212
-rw-r--r--data/templates/dhcp-client/override.conf.j215
-rw-r--r--data/templates/dns-dynamic/ddclient.conf.j22
-rw-r--r--data/templates/firewall/nftables-policy.j24
-rw-r--r--data/templates/firewall/nftables.j2311
-rw-r--r--data/templates/frr/bgpd.frr.j25
-rw-r--r--data/templates/frr/daemons.frr.tmpl1
-rw-r--r--data/templates/openvpn/server.conf.j210
-rw-r--r--data/templates/zabbix-agent/10-override.conf.j214
-rw-r--r--data/templates/zabbix-agent/zabbix-agent.conf.j273
-rw-r--r--data/vyos-firewall-init.conf4
13 files changed, 290 insertions, 167 deletions
diff --git a/data/templates/dhcp-client/daemon-options.j2 b/data/templates/dhcp-client/daemon-options.j2
deleted file mode 100644
index b21ad08ab..000000000
--- a/data/templates/dhcp-client/daemon-options.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-### Autogenerated by interface.py ###
-{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %}
-DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases {{ if_metric }} {{ ifname }}"
-
diff --git a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 b/data/templates/dhcp-client/dhcp6c_daemon-options.j2
deleted file mode 100644
index d33d418fc..000000000
--- a/data/templates/dhcp-client/dhcp6c_daemon-options.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %}
-DHCP6C_OPTS="-D -k /run/dhcp6c/dhcp6c.{{ ifname }}.sock -c /run/dhcp6c/dhcp6c.{{ ifname }}.conf -p /run/dhcp6c/dhcp6c.{{ ifname }}.pid {{ no_release }} {{ ifname }}"
diff --git a/data/templates/dhcp-client/ipv6.override.conf.j2 b/data/templates/dhcp-client/ipv6.override.conf.j2
new file mode 100644
index 000000000..b0c0e0544
--- /dev/null
+++ b/data/templates/dhcp-client/ipv6.override.conf.j2
@@ -0,0 +1,12 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %}
+{% set dhcp6c_options = '-D -k ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.sock -c ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.conf -p ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.pid ' ~ no_release %}
+
+[Unit]
+ConditionPathExists={{ dhcp6_client_dir }}/dhcp6c.%i.conf
+
+[Service]
+ExecStart=
+ExecStart={{ vrf_command }}/usr/sbin/dhcp6c {{ dhcp6c_options }} {{ ifname }}
+WorkingDirectory={{ dhcp6_client_dir }}
+PIDFile={{ dhcp6_client_dir }}/dhcp6c.%i.pid
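Review bot: The drop-in mixes the systemd instance specifier `%i` (ConditionPathExists, PIDFile) with the rendered `{{ ifname }}` (ExecStart and the paths inside `dhcp6c_options`), so the condition and PID file only agree with the command line if the drop-in is always installed under an instance named exactly like `ifname`; using the rendered name throughout, `ConditionPathExists={{ dhcp6_client_dir }}/dhcp6c.{{ ifname }}.conf` and `PIDFile={{ dhcp6_client_dir }}/dhcp6c.{{ ifname }}.pid`, removes that coupling. The same mixed usage appears in override.conf.j2 in the next hunk. This file also lacks the `### Autogenerated by interface.py ###` header that override.conf.j2 carries; adding it keeps the generated drop-ins identifiable.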
diff --git a/data/templates/dhcp-client/override.conf.j2 b/data/templates/dhcp-client/override.conf.j2
new file mode 100644
index 000000000..d09320270
--- /dev/null
+++ b/data/templates/dhcp-client/override.conf.j2
@@ -0,0 +1,15 @@
+### Autogenerated by interface.py ###
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %}
+{% set dhclient_options = '-d -nw -cf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.conf -pf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.pid -lf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.leases ' ~ if_metric %}
+
+[Unit]
+ConditionPathExists={{ isc_dhclient_dir }}/dhclient_%i.conf
+
+[Service]
+ExecStart=
+ExecStart={{ vrf_command }}/sbin/dhclient -4 {{ dhclient_options }} {{ ifname }}
+ExecStop=
+ExecStop={{ vrf_command }}/sbin/dhclient -4 -r {{ dhclient_options }} {{ ifname }}
+WorkingDirectory={{ isc_dhclient_dir }}
+PIDFile={{ isc_dhclient_dir }}/dhclient_%i.pid
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 4da7153c7..3446a9d1b 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -23,7 +23,7 @@ if{{ ipv }}={{ address }}, \
{{ host }}
{% endmacro %}
### Autogenerated by dns_dynamic.py ###
-daemon=1m
+daemon={{ timeout }}
syslog=yes
ssl=yes
pid={{ config_file | replace('.conf', '.pid') }}
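Review bot: `daemon={{ timeout }}` renders as a bare `daemon=` when `timeout` is not set, whereas the old line always produced `1m`; unless dns_dynamic.py injects a default, guard it, e.g. `daemon={{ timeout if timeout is vyos_defined else '1m' }}`, or wrap the line in `{% if timeout is vyos_defined %}` as the zabbix template in this diff does. The ddclient `daemon` key is a polling interval rather than a timeout, so a one-line comment above it such as `# daemon: polling interval between update checks` would stop the variable name from misleading the next reader.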
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 1c9bda64f..699349e2b 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -25,7 +25,7 @@ table ip vyos_mangle {
chain VYOS_PBR_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }}
+ {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
{% endfor %}
{% endif %}
}
@@ -54,7 +54,7 @@ table ip6 vyos_mangle {
chain VYOS_PBR6_UD_{{ route_text }} {
{% if conf.rule is vyos_defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }}
+ {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
{% endfor %}
{% endif %}
}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 2c7115134..10cbc68cb 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,78 +1,101 @@
#!/usr/sbin/nft -f
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
{% if first_install is not vyos_defined %}
delete table ip vyos_filter
{% endif %}
table ip vyos_filter {
- chain VYOS_FW_FORWARD {
- type filter hook forward priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }}
-{% endif %}
-{% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %}
- oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW
- }
- chain VYOS_FW_LOCAL {
- type filter hook input priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW
+{% if ipv4 is vyos_defined %}
+{% set ns = namespace(sets=[]) %}
+{% if ipv4.forward is vyos_defined %}
+{% for prior, conf in ipv4.forward.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_FW_OUTPUT {
- type filter hook output priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY
-{% endif %}
- jump VYOS_POST_FW
+{% endfor %}
+{% endif %}
+
+{% if ipv4.input is vyos_defined %}
+{% for prior, conf in ipv4.input.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_INPUT_{{ prior }} {
+ type filter hook input priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('INP',prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_POST_FW {
- return
+{% endfor %}
+{% endif %}
+
+{% if ipv4.output is vyos_defined %}
+{% for prior, conf in ipv4.output.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_OUTPUT_{{ prior }} {
+ type filter hook output priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
+{% endfor %}
+{% endif %}
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return
}
-{% if name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in name.items() %}
+{% if ipv4.prerouting is vyos_defined %}
+{% for prior, conf in ipv4.prerouting.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_PREROUTING_{{ prior }} {
+ type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
+ {{ conf | nft_default_rule(prior) }}
+ }
+{% endfor %}
+{% endif %}
+
+{% if ipv4.name is vyos_defined %}
+{% for name_text, conf in ipv4.name.items() %}
chain NAME_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id) }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id) }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
-{% endfor %}
-{% for set_name in ip_fqdn %}
- set FQDN_{{ set_name }} {
- type ipv4_addr
- flags interval
- }
-{% endfor %}
+{% endfor %}
+{% endif %}
+
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
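Review bot: `policy {{ def_action }}` on the new base chains (e.g. the `VYOS_FORWARD_{{ prior }}` header) passes the configured default action straight into the nft base-chain `policy`, which accepts only `accept` or `drop`; if `default_action` can take other values (the name chains route theirs through `nft_default_rule` instead), `nft -f` will reject the ruleset on load, and an undefined `default_action` renders `policy ;`. The prerouting chain emits both the `policy` line and `{{ conf | nft_default_rule(prior) }}`, while forward, input and output emit only the `policy` line; the asymmetry looks unintended, so confirm which behaviour is wanted and record it with a comment above the chain blocks, e.g. `{# base-chain policy carries the default action; nft_default_rule adds the default-rule handling for name/prerouting chains only #}` if that is the case.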
@@ -80,6 +103,12 @@ table ip vyos_filter {
flags dynamic
}
{% endfor %}
+{% for set_name in ip_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
{% if geoip_updated.name is vyos_defined %}
{% for setname in geoip_updated.name %}
set {{ setname }} {
@@ -89,99 +118,87 @@ table ip vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
-
{{ group_tmpl.groups(group, False) }}
-
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }}
-{% endif %}
-
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established') }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid') }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related') }}
-{% endif %}
- return
- }
-{% endif %}
}
{% if first_install is not vyos_defined %}
delete table ip6 vyos_filter
{% endif %}
table ip6 vyos_filter {
- chain VYOS_FW6_FORWARD {
- type filter hook forward priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }}
-{% endif %}
-{% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %}
- oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW6
- }
- chain VYOS_FW6_LOCAL {
- type filter hook input priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
-{% if interface is vyos_defined %}
-{% for ifname, ifconf in interface.items() %}
-{% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %}
- iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }}
-{% endif %}
-{% endfor %}
-{% endif %}
- jump VYOS_POST_FW6
+{% if ipv6 is vyos_defined %}
+{% set ns = namespace(sets=[]) %}
+{% if ipv6.forward is vyos_defined %}
+{% for prior, conf in ipv6.forward.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_FORWARD_{{ prior }} {
+ type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_FW6_OUTPUT {
- type filter hook output priority 0; policy accept;
-{% if state_policy is vyos_defined %}
- jump VYOS_STATE_POLICY6
-{% endif %}
- jump VYOS_POST_FW6
+{% endfor %}
+{% endif %}
+
+{% if ipv6.input is vyos_defined %}
+{% for prior, conf in ipv6.input.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_INPUT_{{ prior }} {
+ type filter hook input priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
- chain VYOS_POST_FW6 {
- return
+{% endfor %}
+{% endif %}
+
+{% if ipv6.output is vyos_defined %}
+{% for prior, conf in ipv6.output.items() %}
+{% set def_action = conf.default_action %}
+ chain VYOS_IPV6_OUTPUT_{{ prior }} {
+ type filter hook output priority {{ prior }}; policy {{ def_action }};
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
}
+{% endfor %}
+{% endif %}
+
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0xffff1 return
}
-{% if ipv6_name is vyos_defined %}
-{% set ns = namespace(sets=[]) %}
-{% for name_text, conf in ipv6_name.items() %}
+
+{% if ipv6.name is vyos_defined %}
+{% for name_text, conf in ipv6.name.items() %}
chain NAME6_{{ name_text }} {
-{% if conf.rule is vyos_defined %}
-{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
- {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
-{% if rule_conf.recent is vyos_defined %}
-{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
-{% endif %}
-{% endfor %}
-{% endif %}
+{% if conf.rule is vyos_defined %}
+{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+ {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is vyos_defined %}
+{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{% endif %}
+{% endfor %}
+{% endif %}
{{ conf | nft_default_rule(name_text, ipv6=True) }}
}
-{% endfor %}
-{% for set_name in ip6_fqdn %}
- set FQDN_{{ set_name }} {
- type ipv6_addr
- flags interval
- }
-{% endfor %}
+{% endfor %}
+{% endif %}
+
{% for set_name in ns.sets %}
set RECENT6_{{ set_name }} {
type ipv6_addr
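Review bot: The IPv6 output chain's recent-set name has a stray space, `'OUT_ ' + prior + '_' + rule_id`, so the rendered `set RECENT6_OUT_ <prior>_<rule>` contains whitespace and will not parse under `nft -f`, and presumably will not match the set name the rule filter emits for that rule; it should read `{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %}` like its IPv4 counterpart. Separately, the filter arguments are spaced inconsistently (`rule_id ,'ip6'` in the three IPv6 chains of this hunk and `'INP',prior` in the IPv4 input chain of the first hunk) against `'NAM', name_text, rule_id, 'ip6'`; normalising to `arg, arg` keeps the call sites greppable.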
@@ -189,6 +206,12 @@ table ip6 vyos_filter {
flags dynamic
}
{% endfor %}
+{% for set_name in ip6_fqdn %}
+ set FQDN_{{ set_name }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
{% if geoip_updated.ipv6_name is vyos_defined %}
{% for setname in geoip_updated.ipv6_name %}
set {{ setname }} {
@@ -198,25 +221,5 @@ table ip6 vyos_filter {
{% endfor %}
{% endif %}
{% endif %}
-
{{ group_tmpl.groups(group, True) }}
-
-{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }}
-{% endif %}
-
-{% if state_policy is vyos_defined %}
- chain VYOS_STATE_POLICY6 {
-{% if state_policy.established is vyos_defined %}
- {{ state_policy.established | nft_state_policy('established') }}
-{% endif %}
-{% if state_policy.invalid is vyos_defined %}
- {{ state_policy.invalid | nft_state_policy('invalid') }}
-{% endif %}
-{% if state_policy.related is vyos_defined %}
- {{ state_policy.related | nft_state_policy('related') }}
-{% endif %}
- return
- }
-{% endif %}
-}
+} \ No newline at end of file
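Review bot: The closing `}` of `table ip6 vyos_filter` now ends without a trailing newline (`\ No newline at end of file`), which the previous version had; the ruleset should still load, but tools that concatenate or diff generated rulesets behave better with it, so restore the newline at the end of the template.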
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index ddfba2306..a41f4e280 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -349,6 +349,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% if afi_config.label.vpn.export is vyos_defined %}
label vpn export {{ afi_config.label.vpn.export }}
{% endif %}
+{% if afi_config.label.vpn.allocation_mode.per_nexhop is vyos_defined %}
+ label vpn export allocation-mode per-nexthop
+{% endif %}
{% if afi_config.local_install is vyos_defined %}
{% for interface in afi_config.local_install.interface %}
local-install {{ interface }}
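Review bot: The new condition tests `afi_config.label.vpn.allocation_mode.per_nexhop` while the emitted keyword is `per-nexthop`; the other keys in this file (`missing_as_worst`, `multipath_relax`) show the config key is the dashed CLI name with underscores, so if the interface-definition node is spelled `per-nexthop` the key will be `per_nexthop` and this branch never renders. Verify the node name against the XML definition and, if it is a typo, change the test to `{% if afi_config.label.vpn.allocation_mode.per_nexthop is vyos_defined %}`.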
@@ -481,7 +484,7 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
bgp bestpath compare-routerid
{% endif %}
{% if parameters.bestpath.med is vyos_defined %}
- bgp bestpath med {{ 'confed' if parameters.bestpath.med.confed is vyos_defined }} {{ 'missing-as-worst' if parameters.bestpath.med.missing_as_worst is vyos_defined }}
+ bgp bestpath med {{ parameters.bestpath.med | join(' ') | replace('_', '-') }}
{% endif %}
{% if parameters.bestpath.peer_type is vyos_defined %}
bgp bestpath peer-type {{ 'multipath-relax' if parameters.bestpath.peer_type.multipath_relax is vyos_defined }}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index fdff9772a..3aad8e8dd 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -41,6 +41,7 @@ pimd_options=" --daemon -A 127.0.0.1"
ldpd_options=" --daemon -A 127.0.0.1
{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
"
+mgmtd_options=" --daemon -A 127.0.0.1"
nhrpd_options=" --daemon -A 127.0.0.1"
eigrpd_options=" --daemon -A 127.0.0.1"
babeld_options=" --daemon -A 127.0.0.1"
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index d144529f3..f76fbbe79 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -185,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% else %}
dh none
{% endif %}
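Review bot: `dh none` is now written whenever `tls.dh_params` is unset, including client and non-server modes, where the old guard (`mode is vyos_defined('server') and tls.private_key is vyos_defined`) kept it out; OpenVPN treats `dh` as a server-side option, so confirm the client-mode configurations still pass option validation before relying on the simpler `{% else %}`. If the broadening is deliberate, a short template comment such as `{# dh none: no static DH parameters are loaded; applies to every TLS mode #}` would record that for the next reader.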
{% if tls.auth_key is vyos_defined %}
@@ -200,6 +200,14 @@ tls-client
{% elif tls.role is vyos_defined('passive') %}
tls-server
{% endif %}
+
+{% if tls.peer_fingerprint is vyos_defined %}
+<peer-fingerprint>
+{% for fp in tls.peer_fingerprint %}
+{{ fp }}
+{% endfor %}
+</peer-fingerprint>
+{% endif %}
{% endif %}
# Encryption options
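Review bot: The new `<peer-fingerprint>` block carries no comment saying what it enforces; a line above it such as `# peer-fingerprint: pin the accepted peer certificate(s) by fingerprint` would make the intent visible in the rendered config, where operators will read it. The blank line added before the `{% if tls.peer_fingerprint is vyos_defined %}` guard is the only empty line inside this tls section; dropping it keeps the rendered file uniform. The enclosing `{% if %}` that the final `{% endif %}` closes starts outside the hunk.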
diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2
new file mode 100644
index 000000000..7c296e8fd
--- /dev/null
+++ b/data/templates/zabbix-agent/10-override.conf.j2
@@ -0,0 +1,14 @@
+[Unit]
+After=
+After=vyos-router.service
+ConditionPathExists=
+ConditionPathExists=/run/zabbix/zabbix-agent2.conf
+
+[Service]
+EnvironmentFile=
+ExecStart=
+ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground
+WorkingDirectory=
+WorkingDirectory=/run/zabbix
+Restart=always
+RestartSec=10
diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2
new file mode 100644
index 000000000..77f57f32f
--- /dev/null
+++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2
@@ -0,0 +1,73 @@
+# Generated by ${vyos_conf_scripts_dir}/service_zabbix_agent.py
+
+PidFile=/run/zabbix/zabbix_agent2.pid
+LogFile=/var/log/zabbix/zabbix_agent2.log
+ControlSocket=/run/zabbix/agent.sock
+
+{% if log is vyos_defined %}
+{% if log.size is vyos_defined %}
+### Option: LogFileSize
+# Maximum size of log file in MB.
+# 0 - disable automatic log rotation.
+#
+# Range: 0-1024
+LogFileSize={{ log.size }}
+{% endif %}
+{% if log.remote_commands is vyos_defined %}
+LogRemoteCommands=1
+{% endif %}
+{% if log.debug_level is vyos_defined %}
+{% set mapping = {
+ 'basic': 0,
+ 'critical': 1,
+ 'error': 2,
+ 'warning': 3,
+ 'debug': 4,
+ 'extended-debug': 5
+ } %}
+DebugLevel={{ mapping[log.debug_level] }}
+{% endif %}
+{% endif %}
+
+{% if server is vyos_defined %}
+Server={{ server | bracketize_ipv6 | join(',') }}
+{% endif %}
+{% if server_active is vyos_defined %}
+{% set servers = [] %}
+{% for key, value in server_active.items() %}
+{% if value.port %}
+{% set serv_item = key | bracketize_ipv6 + ':' + value.port %}
+{% set _ = servers.append(serv_item) %}
+{% else %}
+{% set _ = servers.append(key | bracketize_ipv6) %}
+{% endif %}
+{% endfor %}
+ServerActive={{ servers | join(',') }}
+{% endif %}
+
+{% if port is vyos_defined %}
+ListenPort={{ port }}
+{% endif %}
+{% if listen_address is vyos_defined %}
+ListenIP={{ listen_address | join(',') }}
+{% endif %}
+
+{% if limits is vyos_defined %}
+{% if limits.buffer_flush_interval is vyos_defined %}
+BufferSend={{ limits.buffer_flush_interval }}
+{% endif %}
+{% if limits.buffer_size is vyos_defined %}
+BufferSize={{ limits.buffer_size }}
+{% endif %}
+{% endif %}
+
+{% if directory is vyos_defined %}
+### Option: Include
+# You may include individual files or all files in a directory in the configuration file.
+Include={{ directory }}/*.conf
+{% endif %}
+
+{% if timeout is vyos_defined %}
+Timeout={{ timeout }}
+{% endif %}
+
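Review bot: The header `# Generated by ${vyos_conf_scripts_dir}/service_zabbix_agent.py` uses shell-style `${...}`, which Jinja does not expand, so the rendered file carries that placeholder literally; the other templates in this diff use a plain `### Autogenerated by <script>.py ###`, so `### Autogenerated by service_zabbix_agent.py ###` would match them. In the ServerActive loop, `{% if value.port %}` is the only truthiness test in the file where every other check uses `is vyos_defined`; `{% if value.port is vyos_defined %}` keeps the idiom consistent. When `server` is unset no `Server=` line is emitted while `ListenPort`/`ListenIP` may still be, so the passive listener relies on the agent's own default handling; a comment stating the intended behaviour for that case would help whoever reviews the generated config.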
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 11a5bc7bf..36d92fe93 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -20,7 +20,7 @@ table raw {
}
chain PREROUTING {
- type filter hook prerouting priority -200; policy accept;
+ type filter hook prerouting priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_PREROUTING_HOOK
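Review bot: The raw-table hook priority moves from -200 to -300 with nothing recording why; since nftables.j2 in this diff now creates user prerouting chains at configurable priorities, the reason is presumably to keep the conntrack bookkeeping ahead of them, and a comment on the chain such as `# -300: stay ahead of the user-defined VYOS_PREROUTING_* chains` would save the next reader the archaeology. The same change with the same missing rationale applies to the OUTPUT chain in the following hunk.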
@@ -29,7 +29,7 @@ table raw {
}
chain OUTPUT {
- type filter hook output priority -200; policy accept;
+ type filter hook output priority -300; policy accept;
counter jump VYOS_CT_IGNORE
counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_OUTPUT_HOOK