summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json5
-rw-r--r--data/templates/aws/override_aws_gwlbtun.conf.j236
-rw-r--r--data/templates/conntrack/nftables-ct.j2159
-rw-r--r--data/templates/dns-dynamic/ddclient.conf.j25
-rw-r--r--data/templates/firewall/nftables-nat.j221
-rw-r--r--data/templates/firewall/nftables-nat66.j217
-rw-r--r--data/templates/firewall/nftables-offload.j216
-rw-r--r--data/templates/firewall/nftables.j249
-rw-r--r--data/templates/high-availability/10-override.conf.j22
-rw-r--r--data/vyos-firewall-init.conf113
10 files changed, 207 insertions, 216 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 08732bd4c..a433c2522 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,6 +1,9 @@
{
- "firewall": {"group_resync": ["conntrack", "nat", "policy-route"]},
+ "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
"http_api": {"https": ["https"]},
+ "load_balancing_wan": {"conntrack": ["conntrack"]},
+ "nat": {"conntrack": ["conntrack"]},
+ "nat66": {"conntrack": ["conntrack"]},
"pki": {
"ethernet": ["interfaces-ethernet"],
"openvpn": ["interfaces-openvpn"],
diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2
new file mode 100644
index 000000000..4c566d852
--- /dev/null
+++ b/data/templates/aws/override_aws_gwlbtun.conf.j2
@@ -0,0 +1,36 @@
+{% set args = [] %}
+{% if script.on_create is vyos_defined %}
+{% set _ = args.append("-c " + script.on_create) %}
+{% endif %}
+{% if script.on_destroy is vyos_defined %}
+{% set _ = args.append("-r " + script.on_destroy) %}
+{% endif %}
+
+{% if status.port is vyos_defined %}
+{% set _ = args.append("-p " + status.port) %}
+{% endif %}
+
+{% if threads.tunnel is vyos_defined %}
+{% set _ = args.append("--tunthreads " + threads.tunnel) %}
+{% endif %}
+{% if threads.tunnel_affinity is vyos_defined %}
+{% set _ = args.append("--tunaffinity " + threads.tunnel_affinity) %}
+{% endif %}
+
+{% if threads.udp is vyos_defined %}
+{% set _ = args.append("--udpthreads " + threads.udp) %}
+{% endif %}
+{% if threads.udp_affinity is vyos_defined %}
+{% set _ = args.append("--udpaffinity " + threads.udp_affinity) %}
+{% endif %}
+
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+
+[Service]
+EnvironmentFile=
+ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }}
+CapabilityBoundingSet=CAP_NET_ADMIN
+Restart=always
+RestartSec=10
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 3a5b5a87c..895f61a55 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -2,16 +2,11 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
-{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}
-
-# we first flush all chains and render the content from scratch - this makes
-# any delta check obsolete
-flush chain raw {{ nft_ct_ignore_name }}
-flush chain raw {{ nft_ct_timeout_name }}
-
-table raw {
- chain {{ nft_ct_ignore_name }} {
+{% if first_install is not vyos_defined %}
+delete table ip vyos_conntrack
+{% endif %}
+table ip vyos_conntrack {
+ chain VYOS_CT_IGNORE {
{% if ignore.ipv4.rule is vyos_defined %}
{% for rule, rule_config in ignore.ipv4.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
@@ -20,7 +15,7 @@ table raw {
{% endif %}
return
}
- chain {{ nft_ct_timeout_name }} {
+ chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
@@ -29,14 +24,81 @@ table raw {
return
}
-{{ group_tmpl.groups(firewall_group, False, True) }}
-}
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ counter jump WLB_CONNTRACK
+ notrack
+ }
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
+{% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+{% if wlb_local_action %}
+ counter jump WLB_CONNTRACK
+{% endif %}
+ notrack
+ }
+
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+
+ chain FW_CONNTRACK {
+ {{ ipv4_firewall_action }}
+ }
+
+ chain NAT_CONNTRACK {
+ {{ ipv4_nat_action }}
+ }
+
+ chain WLB_CONNTRACK {
+ {{ wlb_action }}
+ }
-flush chain ip6 raw {{ nft_ct_ignore_name }}
-flush chain ip6 raw {{ nft_ct_timeout_name }}
+{% if firewall.group is vyos_defined %}
+{{ group_tmpl.groups(firewall.group, False, True) }}
+{% endif %}
+}
-table ip6 raw {
- chain {{ nft_ct_ignore_name }} {
+{% if first_install is not vyos_defined %}
+delete table ip6 vyos_conntrack
+{% endif %}
+table ip6 vyos_conntrack {
+ chain VYOS_CT_IGNORE {
{% if ignore.ipv6.rule is vyos_defined %}
{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
@@ -45,7 +107,7 @@ table ip6 raw {
{% endif %}
return
}
- chain {{ nft_ct_timeout_name }} {
+ chain VYOS_CT_TIMEOUT {
{% if timeout.custom.rule is vyos_defined %}
{% for rule, rule_config in timeout.custom.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
@@ -54,5 +116,64 @@ table ip6 raw {
return
}
-{{ group_tmpl.groups(firewall_group, True, True) }}
+ chain PREROUTING {
+ type filter hook prerouting priority -300; policy accept;
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ notrack
+ }
+
+ chain OUTPUT {
+ type filter hook output priority -300; policy accept;
+{% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
+ counter jump VYOS_CT_HELPER
+{% endif %}
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
+ counter jump FW_CONNTRACK
+ counter jump NAT_CONNTRACK
+ notrack
+ }
+
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+
+ chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{% if modules[module] is vyos_defined %}
+{% if 'nftables' in module_conf %}
+{% for rule in module_conf.nftables %}
+ {{ rule }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% endfor %}
+ return
+ }
+
+ chain FW_CONNTRACK {
+ {{ ipv6_firewall_action }}
+ }
+
+ chain NAT_CONNTRACK {
+ {{ ipv6_nat_action }}
+ }
+
+{% if firewall.group is vyos_defined %}
+{{ group_tmpl.groups(firewall.group, True, True) }}
+{% endif %}
}
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 3446a9d1b..421daf1df 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -59,11 +59,8 @@ use=no {# ddclient default ('ip') results in confusing warning messag
{% endif %}
{% for host in config.host_name if config.host_name is vyos_defined %}
{% set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
- else (['v6'] if config.ip_version == 'ipv6' else ['']) %}
+ else [config.ip_version[2:]] %} {# 'ipvX' -> 'vX' #}
# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
-{# For ipv4 only setup or legacy ipv6 setup, don't append 'new-style' compliant suffix
- ('usev4', 'ifv4', 'webv4' etc.) to the properties and instead live through the
- deprecation warnings for better compatibility with most ddclient protocols. #}
{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
protocol=config.protocol, server=config.server, zone=config.zone,
login=config.username, password=config.password) }}
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index dcf28da88..4254f6a0e 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -2,27 +2,6 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
-{% if helper_functions is vyos_defined('remove') %}
-{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = 'delete rule ip raw' %}
-{{ base_command }} PREROUTING handle {{ pre_ct_ignore }}
-{{ base_command }} OUTPUT handle {{ out_ct_ignore }}
-{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
-{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
-
-delete chain ip raw NAT_CONNTRACK
-
-{% elif helper_functions is vyos_defined('add') %}
-{# NAT if enabled - add targets to nftables #}
-add chain ip raw NAT_CONNTRACK
-add rule ip raw NAT_CONNTRACK counter accept
-{% set base_command = 'add rule ip raw' %}
-{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER
-{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER
-{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
-
{% if first_install is not vyos_defined %}
delete table ip vyos_nat
{% endif %}
diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2
index 27b3eec88..67eb2c109 100644
--- a/data/templates/firewall/nftables-nat66.j2
+++ b/data/templates/firewall/nftables-nat66.j2
@@ -1,22 +1,5 @@
#!/usr/sbin/nft -f
-{% if helper_functions is vyos_defined('remove') %}
-{# NAT if going to be disabled - remove rules and targets from nftables #}
-{% set base_command = 'delete rule ip6 raw' %}
-{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }}
-{{ base_command }} OUTPUT handle {{ out_ct_conntrack }}
-
-delete chain ip6 raw NAT_CONNTRACK
-
-{% elif helper_functions is vyos_defined('add') %}
-{# NAT if enabled - add targets to nftables #}
-add chain ip6 raw NAT_CONNTRACK
-add rule ip6 raw NAT_CONNTRACK counter accept
-{% set base_command = 'add rule ip6 raw' %}
-{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK
-{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK
-{% endif %}
-
{% if first_install is not vyos_defined %}
delete table ip6 vyos_nat
{% endif %}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
index 6afcd79f7..a893e05b2 100644
--- a/data/templates/firewall/nftables-offload.j2
+++ b/data/templates/firewall/nftables-offload.j2
@@ -1,11 +1,9 @@
-{% macro render_flowtable(name, devices, priority='filter', hardware_offload=false, with_counter=true) %}
-flowtable {{ name }} {
- hook ingress priority {{ priority }}; devices = { {{ devices | join(', ') }} };
-{% if hardware_offload %}
- flags offload;
+{% macro flowtable(name, config) %}
+ flowtable VYOS_FLOWTABLE_{{ name }} {
+ hook ingress priority 0; devices = { {{ config.interface | join(', ') }} };
+{% if config.offload is vyos_defined('hardware') %}
+ flags offload;
{% endif %}
-{% if with_counter %}
- counter
-{% endif %}
-}
+ counter
+ }
{% endmacro %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 723c9c3a2..75800ee3d 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -2,19 +2,12 @@
{% import 'firewall/nftables-defines.j2' as group_tmpl %}
{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
-{% import 'firewall/nftables-offload.j2' as offload %}
-
-flush chain raw FW_CONNTRACK
-flush chain ip6 raw FW_CONNTRACK
+{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
flush chain raw vyos_global_rpfilter
flush chain ip6 raw vyos_global_rpfilter
table raw {
- chain FW_CONNTRACK {
- {{ ipv4_conntrack_action }}
- }
-
chain vyos_global_rpfilter {
{% if global_options.source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
@@ -26,10 +19,6 @@ table raw {
}
table ip6 raw {
- chain FW_CONNTRACK {
- {{ ipv6_conntrack_action }}
- }
-
chain vyos_global_rpfilter {
{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
@@ -45,6 +34,12 @@ delete table ip vyos_filter
{% endif %}
table ip vyos_filter {
{% if ipv4 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
{% set ns = namespace(sets=[]) %}
{% if ipv4.forward is vyos_defined %}
{% for prior, conf in ipv4.forward.items() %}
@@ -164,6 +159,12 @@ delete table ip6 vyos_filter
{% endif %}
table ip6 vyos_filter {
{% if ipv6 is vyos_defined %}
+{% if flowtable is vyos_defined %}
+{% for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{% endfor %}
+{% endif %}
+
{% set ns = namespace(sets=[]) %}
{% if ipv6.forward is vyos_defined %}
{% for prior, conf in ipv6.forward.items() %}
@@ -266,31 +267,7 @@ table ip6 vyos_filter {
{% if first_install is not vyos_defined %}
delete table bridge vyos_filter
{% endif %}
-{% if bridge is vyos_defined %}
table bridge vyos_filter {
{{ bridge_tmpl.bridge(bridge) }}
{{ group_tmpl.groups(group, False, False) }}
}
-{% endif %}
-{{ group_tmpl.groups(group, True) }}
-
-table inet vyos_offload
-delete table inet vyos_offload
-table inet vyos_offload {
-{% if flowtable_enabled %}
-{% if global_options.flow_offload.hardware.interface is vyos_defined %}
- {{- offload.render_flowtable('VYOS_FLOWTABLE_hardware', global_options.flow_offload.hardware.interface | list, priority='filter - 2', hardware_offload=true) }}
- chain VYOS_OFFLOAD_hardware {
- type filter hook forward priority filter - 2; policy accept;
- ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_hardware
- }
-{% endif %}
-{% if global_options.flow_offload.software.interface is vyos_defined %}
- {{- offload.render_flowtable('VYOS_FLOWTABLE_software', global_options.flow_offload.software.interface | list, priority='filter - 1') }}
- chain VYOS_OFFLOAD_software {
- type filter hook forward priority filter - 1; policy accept;
- ct state { established, related } meta l4proto { tcp, udp } flow add @VYOS_FLOWTABLE_software
- }
-{% endif %}
-{% endif %}
-}
diff --git a/data/templates/high-availability/10-override.conf.j2 b/data/templates/high-availability/10-override.conf.j2
index d1cb25581..c153f09b4 100644
--- a/data/templates/high-availability/10-override.conf.j2
+++ b/data/templates/high-availability/10-override.conf.j2
@@ -1,5 +1,5 @@
### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###
-{% set snmp = '' if vrrp.disable_snmp is vyos_defined else '--snmp' %}
+{% set snmp = '--snmp' if vrrp.snmp is vyos_defined else '' %}
[Unit]
After=vyos-router.service
# Only start if there is our configuration file - remove Debian default
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 7e258e6f1..cd7d5011f 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -9,6 +9,7 @@ table ip nat {
}
table inet mangle {
+ # Used by system flow-accounting
chain FORWARD {
type filter hook forward priority -150; policy accept;
}
@@ -28,61 +29,9 @@ table raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}
@@ -100,60 +49,8 @@ table ip6 raw {
counter jump vyos_global_rpfilter
}
- chain PREROUTING {
+ # Used by system flow-accounting
+ chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_PREROUTING_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- chain OUTPUT {
- type filter hook output priority -300; policy accept;
- counter jump VYOS_CT_IGNORE
- counter jump VYOS_CT_TIMEOUT
- counter jump VYOS_CT_OUTPUT_HOOK
- counter jump FW_CONNTRACK
- notrack
- }
-
- ct helper rpc_tcp {
- type "rpc" protocol tcp;
- }
-
- ct helper rpc_udp {
- type "rpc" protocol udp;
- }
-
- ct helper tns_tcp {
- type "tns" protocol tcp;
- }
-
- chain VYOS_CT_HELPER {
- ct helper set "rpc_tcp" tcp dport {111} return
- ct helper set "rpc_udp" udp dport {111} return
- ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
- return
- }
-
- chain VYOS_CT_IGNORE {
- return
- }
-
- chain VYOS_CT_TIMEOUT {
- return
- }
-
- chain VYOS_CT_PREROUTING_HOOK {
- return
- }
-
- chain VYOS_CT_OUTPUT_HOOK {
- return
- }
-
- chain FW_CONNTRACK {
- return
}
}