diff options
Diffstat (limited to 'data')
-rw-r--r-- | data/templates/dhcp-client/daemon-options.j2 | 4 | ||||
-rw-r--r-- | data/templates/dhcp-client/dhcp6c_daemon-options.j2 | 2 | ||||
-rw-r--r-- | data/templates/dhcp-client/ipv6.override.conf.j2 | 12 | ||||
-rw-r--r-- | data/templates/dhcp-client/override.conf.j2 | 15 | ||||
-rw-r--r-- | data/templates/dns-dynamic/ddclient.conf.j2 | 2 | ||||
-rw-r--r-- | data/templates/firewall/nftables-policy.j2 | 4 | ||||
-rw-r--r-- | data/templates/firewall/nftables.j2 | 311 | ||||
-rw-r--r-- | data/templates/frr/bgpd.frr.j2 | 5 | ||||
-rw-r--r-- | data/templates/frr/daemons.frr.tmpl | 1 | ||||
-rw-r--r-- | data/templates/openvpn/server.conf.j2 | 10 | ||||
-rw-r--r-- | data/templates/zabbix-agent/10-override.conf.j2 | 14 | ||||
-rw-r--r-- | data/templates/zabbix-agent/zabbix-agent.conf.j2 | 73 | ||||
-rw-r--r-- | data/vyos-firewall-init.conf | 4 |
13 files changed, 290 insertions, 167 deletions
diff --git a/data/templates/dhcp-client/daemon-options.j2 b/data/templates/dhcp-client/daemon-options.j2 deleted file mode 100644 index b21ad08ab..000000000 --- a/data/templates/dhcp-client/daemon-options.j2 +++ /dev/null @@ -1,4 +0,0 @@ -### Autogenerated by interface.py ### -{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} -DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases {{ if_metric }} {{ ifname }}" - diff --git a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 b/data/templates/dhcp-client/dhcp6c_daemon-options.j2 deleted file mode 100644 index d33d418fc..000000000 --- a/data/templates/dhcp-client/dhcp6c_daemon-options.j2 +++ /dev/null @@ -1,2 +0,0 @@ -{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} -DHCP6C_OPTS="-D -k /run/dhcp6c/dhcp6c.{{ ifname }}.sock -c /run/dhcp6c/dhcp6c.{{ ifname }}.conf -p /run/dhcp6c/dhcp6c.{{ ifname }}.pid {{ no_release }} {{ ifname }}" diff --git a/data/templates/dhcp-client/ipv6.override.conf.j2 b/data/templates/dhcp-client/ipv6.override.conf.j2 new file mode 100644 index 000000000..b0c0e0544 --- /dev/null +++ b/data/templates/dhcp-client/ipv6.override.conf.j2 @@ -0,0 +1,12 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set no_release = '-n' if dhcpv6_options.no_release is vyos_defined else '' %} +{% set dhcp6c_options = '-D -k ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.sock -c ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.conf -p ' ~ dhcp6_client_dir ~ '/dhcp6c.' ~ ifname ~ '.pid ' ~ no_release %} + +[Unit] +ConditionPathExists={{ dhcp6_client_dir }}/dhcp6c.%i.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/dhcp6c {{ dhcp6c_options }} {{ ifname }} +WorkingDirectory={{ dhcp6_client_dir }} +PIDFile={{ dhcp6_client_dir }}/dhcp6c.%i.pid diff --git a/data/templates/dhcp-client/override.conf.j2 b/data/templates/dhcp-client/override.conf.j2 new file mode 100644 index 000000000..d09320270 --- /dev/null +++ b/data/templates/dhcp-client/override.conf.j2 @@ -0,0 +1,15 @@ +### Autogenerated by interface.py ### +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} +{% set dhclient_options = '-d -nw -cf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.conf -pf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.pid -lf ' ~ isc_dhclient_dir ~ '/dhclient_' ~ ifname ~ '.leases ' ~ if_metric %} + +[Unit] +ConditionPathExists={{ isc_dhclient_dir }}/dhclient_%i.conf + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/sbin/dhclient -4 {{ dhclient_options }} {{ ifname }} +ExecStop= +ExecStop={{ vrf_command }}/sbin/dhclient -4 -r {{ dhclient_options }} {{ ifname }} +WorkingDirectory={{ isc_dhclient_dir }} +PIDFile={{ isc_dhclient_dir }}/dhclient_%i.pid diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2 index 4da7153c7..3446a9d1b 100644 --- a/data/templates/dns-dynamic/ddclient.conf.j2 +++ b/data/templates/dns-dynamic/ddclient.conf.j2 @@ -23,7 +23,7 @@ if{{ ipv }}={{ address }}, \ {{ host }} {% endmacro %} ### Autogenerated by dns_dynamic.py ### -daemon=1m +daemon={{ timeout }} syslog=yes ssl=yes pid={{ config_file | replace('.conf', '.pid') }} diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2 index 1c9bda64f..699349e2b 100644 --- a/data/templates/firewall/nftables-policy.j2 +++ b/data/templates/firewall/nftables-policy.j2 @@ -25,7 +25,7 @@ table ip vyos_mangle { chain VYOS_PBR_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} + {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }} {% endfor %} {% endif %} } @@ -54,7 +54,7 @@ table ip6 vyos_mangle { chain VYOS_PBR6_UD_{{ route_text }} { {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} + {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }} {% endfor %} {% endif %} } diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 2c7115134..10cbc68cb 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -1,78 +1,101 @@ #!/usr/sbin/nft -f {% import 'firewall/nftables-defines.j2' as group_tmpl %} -{% import 'firewall/nftables-zone.j2' as zone_tmpl %} {% if first_install is not vyos_defined %} delete table ip vyos_filter {% endif %} table ip vyos_filter { - chain VYOS_FW_FORWARD { - type filter hook forward priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.in is vyos_defined and ifconf.in.name is vyos_defined %} - iifname {{ ifname }} counter jump NAME_{{ ifconf.in.name }} -{% endif %} -{% if ifconf.out is vyos_defined and ifconf.out.name is vyos_defined %} - oifname {{ ifname }} counter jump NAME_{{ ifconf.out.name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW - } - chain VYOS_FW_LOCAL { - type filter hook input priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.local is vyos_defined and ifconf.local.name is vyos_defined %} - iifname {{ ifname }} counter jump NAME_{{ ifconf.local.name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW +{% if ipv4 is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% if ipv4.forward is vyos_defined %} +{% for prior, conf in ipv4.forward.items() %} +{% set def_action = conf.default_action %} + chain VYOS_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_FW_OUTPUT { - type filter hook output priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY -{% endif %} - jump VYOS_POST_FW +{% endfor %} +{% endif %} + +{% if ipv4.input is vyos_defined %} +{% for prior, conf in ipv4.input.items() %} +{% set def_action = conf.default_action %} + chain VYOS_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP',prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_POST_FW { - return +{% endfor %} +{% endif %} + +{% if ipv4.output is vyos_defined %} +{% for prior, conf in ipv4.output.items() %} +{% set def_action = conf.default_action %} + chain VYOS_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } +{% endfor %} +{% endif %} chain VYOS_FRAG_MARK { type filter hook prerouting priority -450; policy accept; ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } -{% if name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in name.items() %} +{% if ipv4.prerouting is vyos_defined %} +{% for prior, conf in ipv4.prerouting.items() %} +{% set def_action = conf.default_action %} + chain VYOS_PREROUTING_{{ prior }} { + type filter hook prerouting priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('PRE', prior, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule(prior) }} + } +{% endfor %} +{% endif %} + +{% if ipv4.name is vyos_defined %} +{% for name_text, conf in ipv4.name.items() %} chain NAME_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(name_text, rule_id) }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} -{% endif %} -{% endfor %} -{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id) }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ip_fqdn %} - set FQDN_{{ set_name }} { - type ipv4_addr - flags interval - } -{% endfor %} +{% endfor %} +{% endif %} + {% for set_name in ns.sets %} set RECENT_{{ set_name }} { type ipv4_addr @@ -80,6 +103,12 @@ table ip vyos_filter { flags dynamic } {% endfor %} +{% for set_name in ip_fqdn %} + set FQDN_{{ set_name }} { + type ipv4_addr + flags interval + } +{% endfor %} {% if geoip_updated.name is vyos_defined %} {% for setname in geoip_updated.name %} set {{ setname }} { @@ -89,99 +118,87 @@ table ip vyos_filter { {% endfor %} {% endif %} {% endif %} - {{ group_tmpl.groups(group, False) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, False) }} -{% endif %} - -{% if state_policy is vyos_defined %} - chain VYOS_STATE_POLICY { -{% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related') }} -{% endif %} - return - } -{% endif %} } {% if first_install is not vyos_defined %} delete table ip6 vyos_filter {% endif %} table ip6 vyos_filter { - chain VYOS_FW6_FORWARD { - type filter hook forward priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.in is vyos_defined and ifconf.in.ipv6_name is vyos_defined %} - iifname {{ ifname }} counter jump NAME6_{{ ifconf.in.ipv6_name }} -{% endif %} -{% if ifconf.out is vyos_defined and ifconf.out.ipv6_name is vyos_defined %} - oifname {{ ifname }} counter jump NAME6_{{ ifconf.out.ipv6_name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW6 - } - chain VYOS_FW6_LOCAL { - type filter hook input priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} -{% if interface is vyos_defined %} -{% for ifname, ifconf in interface.items() %} -{% if ifconf.local is vyos_defined and ifconf.local.ipv6_name is vyos_defined %} - iifname {{ ifname }} counter jump NAME6_{{ ifconf.local.ipv6_name }} -{% endif %} -{% endfor %} -{% endif %} - jump VYOS_POST_FW6 +{% if ipv6 is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% if ipv6.forward is vyos_defined %} +{% for prior, conf in ipv6.forward.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_FORWARD_{{ prior }} { + type filter hook forward priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_FW6_OUTPUT { - type filter hook output priority 0; policy accept; -{% if state_policy is vyos_defined %} - jump VYOS_STATE_POLICY6 -{% endif %} - jump VYOS_POST_FW6 +{% endfor %} +{% endif %} + +{% if ipv6.input is vyos_defined %} +{% for prior, conf in ipv6.input.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_INPUT_{{ prior }} { + type filter hook input priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } - chain VYOS_POST_FW6 { - return +{% endfor %} +{% endif %} + +{% if ipv6.output is vyos_defined %} +{% for prior, conf in ipv6.output.items() %} +{% set def_action = conf.default_action %} + chain VYOS_IPV6_OUTPUT_{{ prior }} { + type filter hook output priority {{ prior }}; policy {{ def_action }}; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} } +{% endfor %} +{% endif %} + chain VYOS_FRAG6_MARK { type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0xffff1 return } -{% if ipv6_name is vyos_defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in ipv6_name.items() %} + +{% if ipv6.name is vyos_defined %} +{% for name_text, conf in ipv6.name.items() %} chain NAME6_{{ name_text }} { -{% if conf.rule is vyos_defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} -{% if rule_conf.recent is vyos_defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} -{% endif %} -{% endfor %} -{% endif %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(name_text, ipv6=True) }} } -{% endfor %} -{% for set_name in ip6_fqdn %} - set FQDN_{{ set_name }} { - type ipv6_addr - flags interval - } -{% endfor %} +{% endfor %} +{% endif %} + {% for set_name in ns.sets %} set RECENT6_{{ set_name }} { type ipv6_addr @@ -189,6 +206,12 @@ table ip6 vyos_filter { flags dynamic } {% endfor %} +{% for set_name in ip6_fqdn %} + set FQDN_{{ set_name }} { + type ipv6_addr + flags interval + } +{% endfor %} {% if geoip_updated.ipv6_name is vyos_defined %} {% for setname in geoip_updated.ipv6_name %} set {{ setname }} { @@ -198,25 +221,5 @@ table ip6 vyos_filter { {% endfor %} {% endif %} {% endif %} - {{ group_tmpl.groups(group, True) }} - -{% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, state_policy is vyos_defined, True) }} -{% endif %} - -{% if state_policy is vyos_defined %} - chain VYOS_STATE_POLICY6 { -{% if state_policy.established is vyos_defined %} - {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is vyos_defined %} - {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is vyos_defined %} - {{ state_policy.related | nft_state_policy('related') }} -{% endif %} - return - } -{% endif %} -} +}
\ No newline at end of file diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index ddfba2306..a41f4e280 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -349,6 +349,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if afi_config.label.vpn.export is vyos_defined %} label vpn export {{ afi_config.label.vpn.export }} {% endif %} +{% if afi_config.label.vpn.allocation_mode.per_nexhop is vyos_defined %} + label vpn export allocation-mode per-nexthop +{% endif %} {% if afi_config.local_install is vyos_defined %} {% for interface in afi_config.local_install.interface %} local-install {{ interface }} @@ -481,7 +484,7 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} bgp bestpath compare-routerid {% endif %} {% if parameters.bestpath.med is vyos_defined %} - bgp bestpath med {{ 'confed' if parameters.bestpath.med.confed is vyos_defined }} {{ 'missing-as-worst' if parameters.bestpath.med.missing_as_worst is vyos_defined }} + bgp bestpath med {{ parameters.bestpath.med | join(' ') | replace('_', '-') }} {% endif %} {% if parameters.bestpath.peer_type is vyos_defined %} bgp bestpath peer-type {{ 'multipath-relax' if parameters.bestpath.peer_type.multipath_relax is vyos_defined }} diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl index fdff9772a..3aad8e8dd 100644 --- a/data/templates/frr/daemons.frr.tmpl +++ b/data/templates/frr/daemons.frr.tmpl @@ -41,6 +41,7 @@ pimd_options=" --daemon -A 127.0.0.1" ldpd_options=" --daemon -A 127.0.0.1 {%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%} " +mgmtd_options=" --daemon -A 127.0.0.1" nhrpd_options=" --daemon -A 127.0.0.1" eigrpd_options=" --daemon -A 127.0.0.1" babeld_options=" --daemon -A 127.0.0.1" diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 index d144529f3..f76fbbe79 100644 --- a/data/templates/openvpn/server.conf.j2 +++ b/data/templates/openvpn/server.conf.j2 @@ -185,7 +185,7 @@ tls-version-min {{ tls.tls_version_min }} {% endif %} {% if tls.dh_params is vyos_defined %} dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} +{% else %} dh none {% endif %} {% if tls.auth_key is vyos_defined %} @@ -200,6 +200,14 @@ tls-client {% elif tls.role is vyos_defined('passive') %} tls-server {% endif %} + +{% if tls.peer_fingerprint is vyos_defined %} +<peer-fingerprint> +{% for fp in tls.peer_fingerprint %} +{{ fp }} +{% endfor %} +</peer-fingerprint> +{% endif %} {% endif %} # Encryption options diff --git a/data/templates/zabbix-agent/10-override.conf.j2 b/data/templates/zabbix-agent/10-override.conf.j2 new file mode 100644 index 000000000..7c296e8fd --- /dev/null +++ b/data/templates/zabbix-agent/10-override.conf.j2 @@ -0,0 +1,14 @@ +[Unit] +After= +After=vyos-router.service +ConditionPathExists= +ConditionPathExists=/run/zabbix/zabbix-agent2.conf + +[Service] +EnvironmentFile= +ExecStart= +ExecStart=/usr/sbin/zabbix_agent2 --config /run/zabbix/zabbix-agent2.conf --foreground +WorkingDirectory= +WorkingDirectory=/run/zabbix +Restart=always +RestartSec=10 diff --git a/data/templates/zabbix-agent/zabbix-agent.conf.j2 b/data/templates/zabbix-agent/zabbix-agent.conf.j2 new file mode 100644 index 000000000..77f57f32f --- /dev/null +++ b/data/templates/zabbix-agent/zabbix-agent.conf.j2 @@ -0,0 +1,73 @@ +# Generated by ${vyos_conf_scripts_dir}/service_zabbix_agent.py + +PidFile=/run/zabbix/zabbix_agent2.pid +LogFile=/var/log/zabbix/zabbix_agent2.log +ControlSocket=/run/zabbix/agent.sock + +{% if log is vyos_defined %} +{% if log.size is vyos_defined %} +### Option: LogFileSize +# Maximum size of log file in MB. +# 0 - disable automatic log rotation. +# +# Range: 0-1024 +LogFileSize={{ log.size }} +{% endif %} +{% if log.remote_commands is vyos_defined %} +LogRemoteCommands=1 +{% endif %} +{% if log.debug_level is vyos_defined %} +{% set mapping = { + 'basic': 0, + 'critical': 1, + 'error': 2, + 'warning': 3, + 'debug': 4, + 'extended-debug': 5 + } %} +DebugLevel={{ mapping[log.debug_level] }} +{% endif %} +{% endif %} + +{% if server is vyos_defined %} +Server={{ server | bracketize_ipv6 | join(',') }} +{% endif %} +{% if server_active is vyos_defined %} +{% set servers = [] %} +{% for key, value in server_active.items() %} +{% if value.port %} +{% set serv_item = key | bracketize_ipv6 + ':' + value.port %} +{% set _ = servers.append(serv_item) %} +{% else %} +{% set _ = servers.append(key | bracketize_ipv6) %} +{% endif %} +{% endfor %} +ServerActive={{ servers | join(',') }} +{% endif %} + +{% if port is vyos_defined %} +ListenPort={{ port }} +{% endif %} +{% if listen_address is vyos_defined %} +ListenIP={{ listen_address | join(',') }} +{% endif %} + +{% if limits is vyos_defined %} +{% if limits.buffer_flush_interval is vyos_defined %} +BufferSend={{ limits.buffer_flush_interval }} +{% endif %} +{% if limits.buffer_size is vyos_defined %} +BufferSize={{ limits.buffer_size }} +{% endif %} +{% endif %} + +{% if directory is vyos_defined %} +### Option: Include +# You may include individual files or all files in a directory in the configuration file. +Include={{ directory }}/*.conf +{% endif %} + +{% if timeout is vyos_defined %} +Timeout={{ timeout }} +{% endif %} + diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index 11a5bc7bf..36d92fe93 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -20,7 +20,7 @@ table raw { } chain PREROUTING { - type filter hook prerouting priority -200; policy accept; + type filter hook prerouting priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_PREROUTING_HOOK @@ -29,7 +29,7 @@ table raw { } chain OUTPUT { - type filter hook output priority -200; policy accept; + type filter hook output priority -300; policy accept; counter jump VYOS_CT_IGNORE counter jump VYOS_CT_TIMEOUT counter jump VYOS_CT_OUTPUT_HOOK |