7 files changed, 53 insertions, 14 deletions

diff --git a/data/configd-include.json b/data/configd-include.json
index dc00f0698..0c767f987 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -108,6 +108,5 @@
 "vpn_openconnect.py",
 "vpn_pptp.py",
 "vpn_sstp.py",
-"vrf.py",
-"vrf_vni.py"
+"vrf.py"
 ]
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index ddf0da518..42bc8440c 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -67,7 +67,7 @@ service-name={{ service_name | join(',') }}
 {%     set delay_without_sessions = pado_delay.delays_without_sessions[0] | default('0') %}
 {%     set pado_delay_param = namespace(value=delay_without_sessions) %}
 {%     for delay, sessions in pado_delay.delays_with_sessions | sort(attribute='1') %}
-{%         if not loop.last %}
+{%         if not delay == 'disable' %}
 {%             set pado_delay_param.value = pado_delay_param.value + ',' + delay + ':' + sessions | string %}
 {%         else %}
 {%             set pado_delay_param.value = pado_delay_param.value + ',-1:' + sessions | string %}
diff --git a/data/templates/frr/zebra.vrf.route-map.frr.j2 b/data/templates/frr/zebra.vrf.route-map.frr.j2
index f1cc6fe66..8ebb82511 100644
--- a/data/templates/frr/zebra.vrf.route-map.frr.j2
+++ b/data/templates/frr/zebra.vrf.route-map.frr.j2
@@ -1,10 +1,6 @@
 !
 {% if name is vyos_defined %}
 {%     for vrf, vrf_config in name.items() %}
-{#         code path required for vrf_vni.py as we will only render the required VR configuration and not all of them #}
-{%         if only_vrf is vyos_defined and vrf is not vyos_defined(only_vrf) %}
-{%             continue %}
-{%         endif %}
 vrf {{ vrf }}
 {%         if vrf_config.ip.nht.no_resolve_via_default is vyos_defined %}
  no ip nht resolve-via-default
@@ -25,7 +21,7 @@ vrf {{ vrf }}
  ipv6 protocol {{ protocol_name }} route-map {{ protocol_config.route_map }}
 {%             endfor %}
 {%         endif %}
-{%         if vrf_config.vni is vyos_defined and no_vni is not vyos_defined %}
+{%         if vrf_config.vni is vyos_defined %}
  vni {{ vrf_config.vni }}
 {%         endif %}
 exit-vrf
diff --git a/data/templates/iproute2/static.conf.j2 b/data/templates/iproute2/static.conf.j2
index 10c9bdab7..249483ab3 100644
--- a/data/templates/iproute2/static.conf.j2
+++ b/data/templates/iproute2/static.conf.j2
@@ -2,7 +2,7 @@
 {% if table is vyos_defined %}
 {%     for t, t_options in table.items() %}
 {%         if t_options.description is vyos_defined %}
-{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description) }}
+{{ "%-6s" | format(t) }} {{ "%-40s" | format(t_options.description | replace(" ", "_")) }}
 {%         endif %}
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index adfa32bde..6bced88c7 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -33,7 +33,7 @@
             auth = pubkey
 {% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
-            eap_id = %any
+            eap_id = {{ '%any' if rw_conf.authentication.eap_id == 'any' else rw_conf.authentication.eap_id }}
 {% endif %}
 {% if rw_conf.authentication.client_mode is vyos_defined('eap-tls') or rw_conf.authentication.client_mode is vyos_defined('x509') %}
 {#          pass all configured CAs as filenames, separated by commas #}
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 849cef74d..7917c8257 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -69,11 +69,23 @@ frontend {{ front }}
 {%         endif %}
 {%         if front_config.mode is vyos_defined %}
     mode {{ front_config.mode }}
+{%             if front_config.tcp_request.inspect_delay is vyos_defined %}
+    tcp-request inspect-delay {{ front_config.tcp_request.inspect_delay }}
+{%             endif %}
+{# add tcp-request related directive if ssl is configed #}
+{%             if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %}
+{%                 for rule, rule_config in front_config.rule.items() %}
+{%                     if rule_config.ssl is vyos_defined %}
+    tcp-request content accept if { req_ssl_hello_type 1 }
+{%                         break %}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
 {%         endif %}
 {%         if front_config.rule is vyos_defined %}
 {%             for rule, rule_config in front_config.rule.items() %}
     # rule {{ rule }}
-{%                 if rule_config.domain_name is vyos_defined and rule_config.set.backend is vyos_defined %}
+{%                 if rule_config.domain_name is vyos_defined %}
 {%                     set rule_options = 'hdr(host)' %}
 {%                     if rule_config.ssl is vyos_defined %}
 {%                         set ssl_rule_translate = {'req-ssl-sni': 'req_ssl_sni', 'ssl-fc-sni': 'ssl_fc_sni', 'ssl-fc-sni-end': 'ssl_fc_sni_end'} %}
@@ -82,16 +94,20 @@ frontend {{ front }}
 {%                     for domain in rule_config.domain_name %}
     acl {{ rule }} {{ rule_options }} -i {{ domain }}
 {%                     endfor %}
-    use_backend {{ rule_config.set.backend }} if {{ rule }}
 {%                 endif %}
 {# path url #}
-{%                 if rule_config.url_path is vyos_defined and rule_config.set.redirect_location is vyos_defined %}
+{%                 if rule_config.url_path is vyos_defined %}
 {%                     set path_mod_translate = {'begin': '-i -m beg', 'end': '-i -m end', 'exact': ''} %}
 {%                     for path, path_config in rule_config.url_path.items() %}
 {%                         for url in path_config %}
     acl {{ rule }} path {{ path_mod_translate[path] }} {{ url }}
 {%                         endfor %}
 {%                     endfor %}
+{%                 endif %}
+{%                 if rule_config.set.backend is vyos_defined %}
+    use_backend {{ rule_config.set.backend }} if {{ rule }}
+{%                 endif %}
+{%                 if rule_config.set.redirect_location is vyos_defined %}
     http-request redirect location {{ rule_config.set.redirect_location }} code 301 if {{ rule }}
 {%                 endif %}
 {# endpath #}
@@ -110,6 +126,26 @@ frontend {{ front }}
 {% if backend is vyos_defined %}
 {%     for back, back_config in backend.items() %}
 backend {{ back }}
+{%         if back_config.http_check is vyos_defined %}
+    option httpchk
+{%         endif %}
+{%         set send = '' %}
+{%         if back_config.http_check.method is vyos_defined %}
+{%             set send = send + ' meth ' + back_config.http_check.method | upper %}
+{%         endif %}
+{%         if back_config.http_check.uri is vyos_defined %}
+{%             set send = send + ' uri ' + back_config.http_check.uri %}
+{%         endif %}
+{%         if send != '' %}
+    http-check send{{ send }}
+{%         endif %}
+{%         if back_config.http_check.expect is vyos_defined %}
+{%             if back_config.http_check.expect.status is vyos_defined %}
+    http-check expect status {{ back_config.http_check.expect.status }}
+{%             elif back_config.http_check.expect.string is vyos_defined %}
+    http-check expect string {{ back_config.http_check.expect.string }}
+{%             endif %}
+{%         endif %}
 {%         if back_config.balance is vyos_defined %}
 {%             set balance_translate = {'least-connection': 'leastconn', 'round-robin': 'roundrobin', 'source-address': 'source'} %}
     balance {{ balance_translate[back_config.balance] }}
@@ -150,7 +186,7 @@ backend {{ back }}
 {%             endfor %}
 {%         endif %}
 {%         if back_config.server is vyos_defined %}
-{%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
+{%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else ('ssl verify none' if back_config.ssl.no_verify is vyos_defined else '') %}
 {%             for server, server_config in back_config.server.items() %}
     server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
 {%             endfor %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index b5e890c32..81f777031 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -61,7 +61,15 @@ keepalive = 300
 dpd = 60
 mobile-dpd = 300
 switch-to-tcp-timeout = 30
+{% if tls_version_min == '1.0' %}
 tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
+{% elif tls_version_min == '1.1' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0"
+{% elif tls_version_min == '1.2' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1"
+{% elif tls_version_min == '1.3' %}
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
+{% endif %}
 auth-timeout = 240
 idle-timeout = 1200
 mobile-idle-timeout = 1800