summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/op-mode-standardized.json1
-rw-r--r--data/templates/firewall/nftables-nat66.j241
-rw-r--r--data/templates/frr/bgpd.frr.j23
-rw-r--r--data/templates/monitoring/override.conf.j27
-rw-r--r--data/templates/monitoring/systemd_vyos_telegraf_service.j216
-rw-r--r--data/templates/telegraf/override.conf.j215
-rw-r--r--data/templates/telegraf/syslog_telegraf.j2 (renamed from data/templates/monitoring/syslog_telegraf.j2)0
-rw-r--r--data/templates/telegraf/telegraf.j2 (renamed from data/templates/monitoring/telegraf.j2)0
8 files changed, 60 insertions, 23 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index 5f49be781..db13eeb5a 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -8,6 +8,7 @@
"neighbor.py",
"openconnect.py",
"route.py",
+"ipsec.py",
"version.py",
"vrf.py"
]
diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2
index 2fe04b4ff..28714c7a7 100644
--- a/data/templates/firewall/nftables-nat66.j2
+++ b/data/templates/firewall/nftables-nat66.j2
@@ -7,6 +7,17 @@
{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix.replace('!','!= ') if config.source.prefix is vyos_defined %}
{% set source_address = 'ip6 saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %}
{% set dest_address = 'ip6 daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %}
+{# Port #}
+{% if config.source.port is vyos_defined and config.source.port.startswith('!') %}
+{% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %}
+{% else %}
+{% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %}
+{% endif %}
+{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %}
+{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %}
+{% else %}
+{% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %}
+{% endif %}
{% if chain is vyos_defined('PREROUTING') %}
{% set comment = 'DST-NAT66-' ~ rule %}
{% set base_log = '[NAT66-DST-' ~ rule %}
@@ -36,6 +47,14 @@
{% endif %}
{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %}
{% endif %}
+{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %}
+{# protocol has a default value thus it is always present #}
+{% if config.protocol is vyos_defined('tcp_udp') %}
+{% set protocol = 'tcp' %}
+{% set comment = comment ~ ' tcp_udp' %}
+{% else %}
+{% set protocol = config.protocol %}
+{% endif %}
{% if config.log is vyos_defined %}
{% if config.translation.address is vyos_defined('masquerade') %}
{% set log = base_log ~ '-MASQ]' %}
@@ -43,6 +62,11 @@
{% set log = base_log ~ ']' %}
{% endif %}
{% endif %}
+{% if config.exclude is vyos_defined %}
+{# rule has been marked as 'exclude' thus we simply return here #}
+{% set trns_addr = 'return' %}
+{% set trns_port = '' %}
+{% endif %}
{% set output = 'add rule ip6 nat ' ~ chain ~ interface %}
{# Count packets #}
{% set output = output ~ ' counter' %}
@@ -54,12 +78,18 @@
{% if src_prefix is vyos_defined %}
{% set output = output ~ ' ' ~ src_prefix %}
{% endif %}
+{% if dst_port is vyos_defined %}
+{% set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %}
+{% endif %}
{% if dst_prefix is vyos_defined %}
{% set output = output ~ ' ' ~ dst_prefix %}
{% endif %}
{% if source_address is vyos_defined %}
{% set output = output ~ ' ' ~ source_address %}
{% endif %}
+{% if src_port is vyos_defined %}
+{% set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %}
+{% endif %}
{% if dest_address is vyos_defined %}
{% set output = output ~ ' ' ~ dest_address %}
{% endif %}
@@ -70,11 +100,22 @@
{% if trns_address is vyos_defined %}
{% set output = output ~ ' ' ~ trns_address %}
{% endif %}
+{% if trns_port is vyos_defined %}
+{# Do not add a whitespace here, translation port must be directly added after IP address #}
+{# e.g. 2001:db8::1:3389 #}
+{% set output = output ~ trns_port %}
+{% endif %}
{% if comment is vyos_defined %}
{% set output = output ~ ' comment "' ~ comment ~ '"' %}
{% endif %}
{{ log_output if log_output is vyos_defined }}
{{ output }}
+{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #}
+{% if config.protocol is vyos_defined('tcp_udp') %}
+{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #}
+{{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }}
+{{ output | replace('tcp ', 'udp ') }}
+{% endif %}
{% endmacro %}
# Start with clean NAT table
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 2ab7c8596..808e9dbe7 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -38,6 +38,9 @@
{% if config.disable_capability_negotiation is vyos_defined %}
neighbor {{ neighbor }} dont-capability-negotiate
{% endif %}
+{% if config.disable_connected_check is vyos_defined %}
+ neighbor {{ neighbor }} disable-connected-check
+{% endif %}
{% if config.ebgp_multihop is vyos_defined %}
neighbor {{ neighbor }} ebgp-multihop {{ config.ebgp_multihop }}
{% endif %}
diff --git a/data/templates/monitoring/override.conf.j2 b/data/templates/monitoring/override.conf.j2
deleted file mode 100644
index 9f1b4ebec..000000000
--- a/data/templates/monitoring/override.conf.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-After=vyos-router.service
-ConditionPathExists=/run/telegraf/vyos-telegraf.conf
-[Service]
-Environment=INFLUX_TOKEN={{ influxdb.authentication.token }}
-CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN
-AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
diff --git a/data/templates/monitoring/systemd_vyos_telegraf_service.j2 b/data/templates/monitoring/systemd_vyos_telegraf_service.j2
deleted file mode 100644
index 234ef5586..000000000
--- a/data/templates/monitoring/systemd_vyos_telegraf_service.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=The plugin-driven server agent for reporting metrics into InfluxDB
-Documentation=https://github.com/influxdata/telegraf
-After=network.target
-
-[Service]
-EnvironmentFile=-/etc/default/telegraf
-User=telegraf
-ExecStart=/usr/bin/telegraf -config /run/telegraf/vyos-telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
-RestartForceExitStatus=SIGPIPE
-KillMode=control-group
-
-[Install]
-WantedBy=multi-user.target
diff --git a/data/templates/telegraf/override.conf.j2 b/data/templates/telegraf/override.conf.j2
new file mode 100644
index 000000000..d30bb19de
--- /dev/null
+++ b/data/templates/telegraf/override.conf.j2
@@ -0,0 +1,15 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
+[Unit]
+After=
+After=vyos-router.service
+ConditionPathExists=/run/telegraf/telegraf.conf
+
+[Service]
+ExecStart=
+ExecStart={{ vrf_command }}/usr/bin/telegraf --config /run/telegraf/telegraf.conf --config-directory /etc/telegraf/telegraf.d --pidfile /run/telegraf/telegraf.pid
+PIDFile=/run/telegraf/telegraf.pid
+EnvironmentFile=
+Environment=INFLUX_TOKEN={{ influxdb.authentication.token }}
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN CAP_BPF CAP_DAC_OVERRIDE
+AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
+
diff --git a/data/templates/monitoring/syslog_telegraf.j2 b/data/templates/telegraf/syslog_telegraf.j2
index cdcbd92a4..cdcbd92a4 100644
--- a/data/templates/monitoring/syslog_telegraf.j2
+++ b/data/templates/telegraf/syslog_telegraf.j2
diff --git a/data/templates/monitoring/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 6b395692b..6b395692b 100644
--- a/data/templates/monitoring/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2