diff options
Diffstat (limited to 'data')
| -rw-r--r-- | data/config-mode-dependencies/vyos-1x.json | 4 | ||||
| -rw-r--r-- | data/templates/conntrack/sysctl.conf.j2 | 20 | ||||
| -rw-r--r-- | data/templates/firewall/nftables.j2 | 46 | ||||
| -rw-r--r-- | data/templates/firewall/sysctl-firewall.conf.j2 | 28 | ||||
| -rw-r--r-- | data/templates/ipsec/ios_profile.j2 | 18 | ||||
| -rw-r--r-- | data/templates/load-balancing/haproxy.cfg.j2 | 40 |
6 files changed, 90 insertions, 66 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json index 13de434bd..3f381169b 100644 --- a/data/config-mode-dependencies/vyos-1x.json +++ b/data/config-mode-dependencies/vyos-1x.json @@ -29,8 +29,10 @@ "https": ["service_https"], "ipsec": ["vpn_ipsec"], "openconnect": ["vpn_openconnect"], + "reverse_proxy": ["load-balancing_reverse-proxy"], "rpki": ["protocols_rpki"], - "sstp": ["vpn_sstp"] + "sstp": ["vpn_sstp"], + "sstpc": ["interfaces_sstpc"] }, "vpn_ipsec": { "nhrp": ["protocols_nhrp"] diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2 index 986f75c61..554512f4d 100644 --- a/data/templates/conntrack/sysctl.conf.j2 +++ b/data/templates/conntrack/sysctl.conf.j2 @@ -3,25 +3,7 @@ net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }} net.netfilter.nf_conntrack_max = {{ table_size }} - net.ipv4.tcp_max_syn_backlog = {{ tcp.half_open_connections }} - net.netfilter.nf_conntrack_tcp_loose = {{ '1' if tcp.loose is vyos_defined('enable') else '0' }} net.netfilter.nf_conntrack_tcp_max_retrans = {{ tcp.max_retrans }} - -net.netfilter.nf_conntrack_icmp_timeout = {{ timeout.icmp }} -net.netfilter.nf_conntrack_generic_timeout = {{ timeout.other }} - -net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ timeout.tcp.close_wait }} -net.netfilter.nf_conntrack_tcp_timeout_close = {{ timeout.tcp.close }} -net.netfilter.nf_conntrack_tcp_timeout_established = {{ timeout.tcp.established }} -net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ timeout.tcp.fin_wait }} -net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ timeout.tcp.last_ack }} -net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ timeout.tcp.syn_recv }} -net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ timeout.tcp.syn_sent }} -net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }} - -net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }} -net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }} - -net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }} +net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
\ No newline at end of file diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index 833df3a67..343917fee 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -57,7 +57,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter', 'ipv4') }} + {{ conf | nft_default_rule('FWD-' + prior, 'ipv4') }} } {% endfor %} {% endif %} @@ -77,7 +77,7 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter', 'ipv4') }} + {{ conf | nft_default_rule('INP-' + prior, 'ipv4') }} } {% endfor %} {% endif %} @@ -97,14 +97,11 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter', 'ipv4') }} + {{ conf | nft_default_rule('OUT-' + prior, 'ipv4') }} } {% endfor %} {% endif %} - chain VYOS_FRAG_MARK { - type filter hook prerouting priority -450; policy accept; - ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return - } + {% if ipv4.prerouting is vyos_defined %} {% for prior, conf in ipv4.prerouting.items() %} chain VYOS_PREROUTING_{{ prior }} { @@ -117,11 +114,16 @@ table ip vyos_filter { {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('PRE-filter', 'ipv4') }} + {{ conf | nft_default_rule('PRE-' + prior, 'ipv4') }} } {% endfor %} {% endif %} + chain VYOS_FRAG_MARK { + type filter hook prerouting priority -450; policy accept; + ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return + } + {% if ipv4.name is vyos_defined %} {% for name_text, conf in ipv4.name.items() %} chain NAME_{{ name_text }} { @@ -202,13 +204,13 @@ table ip6 vyos_filter { {% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }} + {{ rule_conf | nft_rule('FWD', prior, rule_id, 'ip6') }} {% if rule_conf.recent is vyos_defined %} {% set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %} {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('FWD-filter', 'ipv6') }} + {{ conf | nft_default_rule('FWD-' + prior, 'ipv6') }} } {% endfor %} {% endif %} @@ -222,13 +224,13 @@ table ip6 vyos_filter { {% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }} + {{ rule_conf | nft_rule('INP', prior, rule_id, 'ip6') }} {% if rule_conf.recent is vyos_defined %} {% set ns.sets = ns.sets + ['INP_' + prior + '_' + rule_id] %} {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('INP-filter', 'ipv6') }} + {{ conf | nft_default_rule('INP-' + prior, 'ipv6') }} } {% endfor %} {% endif %} @@ -242,17 +244,33 @@ table ip6 vyos_filter { {% endif %} {% if conf.rule is vyos_defined %} {% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} - {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }} + {{ rule_conf | nft_rule('OUT', prior, rule_id, 'ip6') }} {% if rule_conf.recent is vyos_defined %} {% set ns.sets = ns.sets + ['OUT_ ' + prior + '_' + rule_id] %} {% endif %} {% endfor %} {% endif %} - {{ conf | nft_default_rule('OUT-filter', 'ipv6') }} + {{ conf | nft_default_rule('OUT-' + prior, 'ipv6') }} } {% endfor %} {% endif %} +{% if ipv6.prerouting is vyos_defined %} +{% for prior, conf in ipv6.prerouting.items() %} + chain VYOS_IPV6_PREROUTING_{{ prior }} { + type filter hook prerouting priority {{ prior }}; policy accept; +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} + {{ rule_conf | nft_rule('PRE', prior, rule_id, 'ip6') }} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + ['PRE_' + prior + '_' + rule_id] %} +{% endif %} +{% endfor %} +{% endif %} + {{ conf | nft_default_rule('PRE-' + prior, 'ipv6') }} + } +{% endfor %} +{% endif %} chain VYOS_FRAG6_MARK { type filter hook prerouting priority -450; policy accept; exthdr frag exists meta mark set 0xffff1 return diff --git a/data/templates/firewall/sysctl-firewall.conf.j2 b/data/templates/firewall/sysctl-firewall.conf.j2 new file mode 100644 index 000000000..b9c3311e2 --- /dev/null +++ b/data/templates/firewall/sysctl-firewall.conf.j2 @@ -0,0 +1,28 @@ +# Autogenerated by firewall.py + +# gloabl options +net.ipv4.icmp_echo_ignore_all = {{ 0 if global_options.all_ping == 'enable' else 1 }} +net.ipv4.icmp_echo_ignore_broadcasts = {{ 0 if global_options.broadcast_ping == 'enable' else 1 }} +net.ipv4.conf.all.bc_forwarding = {{ 1 if global_options.directed_broadcast == 'enable' else 0 }} +net.ipv4.conf.*.accept_source_route = {{ 1 if global_options.ip_src_route == 'enable' else 0 }} +net.ipv6.conf.*.accept_redirects = {{ 1 if global_options.ipv6_receive_redirects == 'enable' else 0 }} +net.ipv6.conf.*.accept_source_route = {{ 0 if global_options.ipv6_src_route == 'enable' else -1 }} +net.ipv4.conf.all.log_martians = {{ 1 if global_options.log_martians == 'enable' else 0 }} +net.ipv4.conf.*.accept_redirects = {{ 1 if global_options.receive_redirects == 'enable' else 0 }} +net.ipv4.conf.*.send_redirects = {{ 1 if global_options.send_redirects == 'enable' else 0 }} +net.ipv4.tcp_syncookies = {{ 1 if global_options.syn_cookies == 'enable' else 0 }} +net.ipv4.tcp_rfc1337 = {{ 1 if global_options.twa_hazards_protection == 'enable' else 0 }} + +## Timeout values: +net.netfilter.nf_conntrack_icmp_timeout = {{ global_options.timeout.icmp }} +net.netfilter.nf_conntrack_generic_timeout = {{ global_options.timeout.other }} +net.netfilter.nf_conntrack_tcp_timeout_close_wait = {{ global_options.timeout.tcp.close_wait }} +net.netfilter.nf_conntrack_tcp_timeout_close = {{ global_options.timeout.tcp.close }} +net.netfilter.nf_conntrack_tcp_timeout_established = {{ global_options.timeout.tcp.established }} +net.netfilter.nf_conntrack_tcp_timeout_fin_wait = {{ global_options.timeout.tcp.fin_wait }} +net.netfilter.nf_conntrack_tcp_timeout_last_ack = {{ global_options.timeout.tcp.last_ack }} +net.netfilter.nf_conntrack_tcp_timeout_syn_recv = {{ global_options.timeout.tcp.syn_recv }} +net.netfilter.nf_conntrack_tcp_timeout_syn_sent = {{ global_options.timeout.tcp.syn_sent }} +net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ global_options.timeout.tcp.time_wait }} +net.netfilter.nf_conntrack_udp_timeout = {{ global_options.timeout.udp.other }} +net.netfilter.nf_conntrack_udp_timeout_stream = {{ global_options.timeout.udp.stream }} diff --git a/data/templates/ipsec/ios_profile.j2 b/data/templates/ipsec/ios_profile.j2 index a9ae1c7a9..935acbf8e 100644 --- a/data/templates/ipsec/ios_profile.j2 +++ b/data/templates/ipsec/ios_profile.j2 @@ -48,10 +48,10 @@ <!-- Optional, if it matches the CN of the root CA certificate (not the full subject DN) a certificate request will be sent NOTE: If this is not configured make sure to configure leftsendcert=always on the server, otherwise it won't send its certificate --> <key>ServerCertificateIssuerCommonName</key> - <string>{{ ca_cn }}</string> + <string>{{ ca_common_name }}</string> <!-- Optional, the CN or one of the subjectAltNames of the server certificate to verify it, if not set RemoteIdentifier will be used --> <key>ServerCertificateCommonName</key> - <string>{{ cert_cn }}</string> + <string>{{ cert_common_name }}</string> <!-- The server is authenticated using a certificate --> <key>AuthenticationMethod</key> <string>Certificate</string> @@ -83,24 +83,22 @@ </dict> </dict> </dict> -{% if certs is vyos_defined %} +{% if ca_certificates is vyos_defined %} <!-- This payload is optional but it provides an easy way to install the CA certificate together with the configuration --> -{% for cert in certs %} - <!-- Payload for: {{ cert.ca_cn }} --> +{% for ca in ca_certificates %} + <!-- Payload for: {{ ca.ca_name }} --> <dict> <key>PayloadIdentifier</key> - <string>org.{{ cert.ca_cn | lower | replace(' ', '.') | replace('_', '.') }}</string> + <string>org.{{ ca.ca_name | lower | replace(' ', '.') | replace('_', '.') }}</string> <key>PayloadUUID</key> - <string>{{ cert.ca_cn | generate_uuid4 }}</string> + <string>{{ ca.ca_name | get_uuid }}</string> <key>PayloadType</key> <string>com.apple.security.root</string> <key>PayloadVersion</key> <integer>1</integer> <!-- This is the Base64 (PEM) encoded CA certificate --> <key>PayloadContent</key> - <data> - {{ cert.ca_cert }} - </data> + <data>{{ ca.ca_chain }}</data> </dict> {% endfor %} {% endif %} diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2 index c6027e09b..c18a998b8 100644 --- a/data/templates/load-balancing/haproxy.cfg.j2 +++ b/data/templates/load-balancing/haproxy.cfg.j2 @@ -67,25 +67,23 @@ frontend {{ front }} {% if front_config.redirect_http_to_https is vyos_defined %} http-request redirect scheme https unless { ssl_fc } {% endif %} -{% if front_config.mode is vyos_defined %} mode {{ front_config.mode }} -{% if front_config.tcp_request.inspect_delay is vyos_defined %} +{% if front_config.tcp_request.inspect_delay is vyos_defined %} tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }} -{% endif %} -{# add tcp-request related directive if ssl is configed #} -{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %} -{% for rule, rule_config in front_config.rule.items() %} -{% if rule_config.ssl is vyos_defined %} +{% endif %} +{# add tcp-request related directive if ssl is configured #} +{% if front_config.mode == 'tcp' and front_config.rule is vyos_defined %} +{% for rule, rule_config in front_config.rule.items() %} +{% if rule_config.ssl is vyos_defined %} tcp-request content accept if { req_ssl_hello_type 1 } -{% break %} -{% endif %} -{% endfor %} -{% endif %} -{% if front_config.http_response_headers is vyos_defined %} -{% for header, header_config in front_config.http_response_headers.items() %} +{% break %} +{% endif %} +{% endfor %} +{% endif %} +{% if front_config.http_response_headers is vyos_defined %} +{% for header, header_config in front_config.http_response_headers.items() %} http-response set-header {{ header }} '{{ header_config['value'] }}' -{% endfor %} -{% endif %} +{% endfor %} {% endif %} {% if front_config.rule is vyos_defined %} {% for rule, rule_config in front_config.rule.items() %} @@ -162,19 +160,17 @@ backend {{ back }} {% set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %} balance {{ balance_translate[back_config.balance] }} {% endif %} -{# If mode is not TCP skip Forwarded #} -{% if back_config.mode is not vyos_defined('tcp') %} +{# If mode is HTTP add X-Forwarded headers #} +{% if back_config.mode == 'http' %} option forwardfor http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } {% endif %} -{% if back_config.mode is vyos_defined %} mode {{ back_config.mode }} -{% if back_config.http_response_headers is vyos_defined %} -{% for header, header_config in back_config.http_response_headers.items() %} +{% if back_config.http_response_headers is vyos_defined %} +{% for header, header_config in back_config.http_response_headers.items() %} http-response set-header {{ header }} '{{ header_config['value'] }}' -{% endfor %} -{% endif %} +{% endfor %} {% endif %} {% if back_config.rule is vyos_defined %} {% for rule, rule_config in back_config.rule.items() %} |