summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/conntrack/sysctl.conf.j21
-rw-r--r--data/templates/firewall/nftables-offload.j211
-rw-r--r--data/templates/firewall/nftables.j224
-rw-r--r--data/templates/frr/bgpd.frr.j22
-rw-r--r--data/templates/frr/daemons.frr.tmpl31
-rw-r--r--data/templates/openvpn/server.conf.j211
6 files changed, 54 insertions, 26 deletions
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 075402c04..3d6fc43f2 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -24,3 +24,4 @@ net.netfilter.nf_conntrack_tcp_timeout_time_wait = {{ timeout.tcp.time_wait }}
net.netfilter.nf_conntrack_udp_timeout = {{ timeout.udp.other }}
net.netfilter.nf_conntrack_udp_timeout_stream = {{ timeout.udp.stream }}
+net.netfilter.nf_conntrack_acct = {{ '1' if flow_accounting is vyos_defined else '0' }}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..6afcd79f7
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,11 @@
+{% macro render_flowtable(name, devices, priority='filter', hardware_offload=false, with_counter=true) %}
+flowtable {{ name }} {
+ hook ingress priority {{ priority }}; devices = { {{ devices | join(', ') }} };
+{% if hardware_offload %}
+ flags offload;
+{% endif %}
+{% if with_counter %}
+ counter
+{% endif %}
+}
+{% endmacro %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 87630940b..1b764c9da 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,6 +2,7 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload %}
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
@@ -271,3 +272,26 @@ table bridge vyos_filter {
{{ group_tmpl.groups(group, False, False) }}
}
{% endif %}
+{{ group_tmpl.groups(group, True) }}
+}
+
+table inet vyos_offload
+delete table inet vyos_offload
+table inet vyos_offload {
+{% if flowtable_enabled %}
+{% if global_options.flow_offload.hardware.interface is vyos_defined %}
+ {{- offload.render_flowtable('VYOS_FLOWTABLE_hardware', global_options.flow_offload.hardware.interface | list, priority='filter - 2', hardware_offload=true) }}
+ chain VYOS_OFFLOAD_hardware {
+ type filter hook forward priority filter - 2; policy accept;
+ ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_hardware
+ }
+{% endif %}
+{% if global_options.flow_offload.software.interface is vyos_defined %}
+ {{- offload.render_flowtable('VYOS_FLOWTABLE_software', global_options.flow_offload.software.interface | list, priority='filter - 1') }}
+ chain VYOS_OFFLOAD_software {
+ type filter hook forward priority filter - 1; policy accept;
+ ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
+ }
+{% endif %}
+{% endif %}
+}
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7fa974254..e1c102e16 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -170,7 +170,7 @@
{% endif %}
{% endif %}
{% if afi_config.remove_private_as is vyos_defined %}
- neighbor {{ neighbor }} remove-private-AS
+ neighbor {{ neighbor }} remove-private-AS {{ 'all' if afi_config.remove_private_as.all is vyos_defined }}
{% endif %}
{% if afi_config.route_reflector_client is vyos_defined %}
neighbor {{ neighbor }} route-reflector-client
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index e09c7d1d2..fe2610724 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -17,40 +17,41 @@ bfdd=yes
staticd=yes
vtysh_enable=yes
-zebra_options=" -s 90000000 --daemon -A 127.0.0.1
+zebra_options=" --daemon -A 127.0.0.1 -s 90000000
{%- if irdp is defined %} -M irdp{% endif -%}
{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
"
-bgpd_options=" --daemon -A 127.0.0.1
+bgpd_options=" --daemon -A 127.0.0.1 -M rpki
{%- if bmp is defined %} -M bmp{% endif -%}
{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
"
-ospfd_options=" --daemon -A 127.0.0.1
+ospfd_options=" --daemon -A 127.0.0.1
{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
"
-ospf6d_options=" --daemon -A ::1
+ospf6d_options=" --daemon -A ::1
{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
"
-ripd_options=" --daemon -A 127.0.0.1
+ripd_options=" --daemon -A 127.0.0.1
{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
"
-ripngd_options=" --daemon -A ::1"
-isisd_options=" --daemon -A 127.0.0.1
+ripngd_options=" --daemon -A ::1"
+isisd_options=" --daemon -A 127.0.0.1
{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
"
-pimd_options=" --daemon -A 127.0.0.1"
-pim6d_options=" --daemon -A ::1"
-ldpd_options=" --daemon -A 127.0.0.1
+pimd_options=" --daemon -A 127.0.0.1"
+pim6d_options=" --daemon -A ::1"
+ldpd_options=" --daemon -A 127.0.0.1
{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
"
-mgmtd_options=" --daemon -A 127.0.0.1"
-nhrpd_options=" --daemon -A 127.0.0.1"
+mgmtd_options=" --daemon -A 127.0.0.1"
+nhrpd_options=" --daemon -A 127.0.0.1"
eigrpd_options=" --daemon -A 127.0.0.1"
babeld_options=" --daemon -A 127.0.0.1"
sharpd_options=" --daemon -A 127.0.0.1"
-pbrd_options=" --daemon -A 127.0.0.1"
-staticd_options=" --daemon -A 127.0.0.1"
-bfdd_options=" --daemon -A 127.0.0.1"
+pbrd_options=" --daemon -A 127.0.0.1"
+staticd_options=" --daemon -A 127.0.0.1"
+bfdd_options=" --daemon -A 127.0.0.1"
watchfrr_enable=no
valgrind_enable=no
+
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index f76fbbe79..2eb9416fe 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -74,7 +74,7 @@ topology {{ server.topology }}
{% endif %}
{% for subnet in server.subnet %}
{% if subnet | is_ipv4 %}
-server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
{# First ip address is used as gateway. It's allows to use metrics #}
{% if server.push_route is vyos_defined %}
{% for route, route_config in server.push_route.items() %}
@@ -85,15 +85,6 @@ push "route-ipv6 {{ route }}"
{% endif %}
{% endfor %}
{% endif %}
-{# OpenVPN assigns the first IP address to its local interface so the pool used #}
-{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is vyos_defined('net30') %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{% else %}
-{# OpenVPN assigns the first IP address to its local interface so the pool must #}
-{# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{% endif %}
{% elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{% endif %}