7 files changed, 104 insertions, 22 deletions

diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index 7c5524675..abf562984 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -2,6 +2,7 @@
 "accelppp.py",
 "bgp.py",
 "bridge.py",
+"config_mgmt.py",
 "conntrack.py",
 "container.py",
 "cpu.py",
@@ -21,5 +22,6 @@
 "storage.py",
 "uptime.py",
 "version.py",
-"vrf.py"
+"vrf.py",
+"zone.py"
 ]
diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2
index ebff52e1f..6ea5f91d0 100644
--- a/data/templates/high-availability/keepalived.conf.j2
+++ b/data/templates/high-availability/keepalived.conf.j2
@@ -2,9 +2,30 @@
 # Do not edit this file, all your changes will be lost
 # on next commit or reboot
 
+# Global definitions configuration block
 global_defs {
     dynamic_interfaces
     script_user root
+{% if vrrp.global_parameters.startup_delay is vyos_defined %}
+    vrrp_startup_delay {{ vrrp.global_parameters.startup_delay }}
+{% endif %}
+{% if vrrp.global_parameters.garp is vyos_defined %}
+{%     if vrrp.global_parameters.garp.interval is vyos_defined %}
+    vrrp_garp_interval {{ vrrp.global_parameters.garp.interval }}
+{%     endif %}
+{%     if vrrp.global_parameters.garp.master_delay is vyos_defined %}
+    vrrp_garp_master_delay {{ vrrp.global_parameters.garp.master_delay }}
+{%     endif %}
+{%     if vrrp.global_parameters.garp.master_refresh is vyos_defined %}
+    vrrp_garp_master_refresh {{ vrrp.global_parameters.garp.master_refresh }}
+{%     endif %}
+{%     if vrrp.global_parameters.garp.master_refresh_repeat is vyos_defined %}
+    vrrp_garp_master_refresh_repeat {{ vrrp.global_parameters.garp.master_refresh_repeat }}
+{%     endif %}
+{%     if vrrp.global_parameters.garp.master_repeat is vyos_defined %}
+    vrrp_garp_master_repeat {{ vrrp.global_parameters.garp.master_repeat }}
+{%     endif %}
+{% endif %}
     notify_fifo /run/keepalived/keepalived_notify_fifo
     notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
 }
@@ -28,6 +49,23 @@ vrrp_instance {{ name }} {
     virtual_router_id {{ group_config.vrid }}
     priority {{ group_config.priority }}
     advert_int {{ group_config.advertise_interval }}
+{%         if group_config.garp is vyos_defined %}
+{%             if group_config.garp.interval is vyos_defined %}
+    garp_interval {{ group_config.garp.interval }}
+{%             endif %}
+{%             if group_config.garp.master_delay is vyos_defined %}
+    garp_master_delay {{ group_config.garp.master_delay }}
+{%             endif %}
+{%             if group_config.garp.master_repeat is vyos_defined %}
+    garp_master_repeat {{ group_config.garp.master_repeat }}
+{%             endif %}
+{%             if group_config.garp.master_refresh is vyos_defined %}
+    garp_master_refresh {{ group_config.garp.master_refresh }}
+{%             endif %}
+{%             if group_config.garp.master_refresh_repeat is vyos_defined %}
+    garp_master_refresh_repeat {{ group_config.garp.master_refresh_repeat }}
+{%             endif %}
+{%         endif %}
 {%         if group_config.track.exclude_vrrp_interface is vyos_defined %}
     dont_track_primary
 {%         endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 3194354e6..aa1073bca 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -10,6 +10,10 @@ udp-port = {{ listen_ports.udp }}
 run-as-user = nobody
 run-as-group = daemon
 
+{% if accounting.mode.radius is vyos_defined %}
+acct = "radius [config=/run/ocserv/radiusclient.conf]"
+{% endif %}
+
 {% if "radius" in authentication.mode %}
 auth = "radius [config=/run/ocserv/radiusclient.conf{{ ',groupconfig=true' if authentication.radius.groupconfig is vyos_defined else '' }}]"
 {% elif "local" in authentication.mode %}
diff --git a/data/templates/ocserv/radius_conf.j2 b/data/templates/ocserv/radius_conf.j2
index b6612fee5..1ab322f69 100644
--- a/data/templates/ocserv/radius_conf.j2
+++ b/data/templates/ocserv/radius_conf.j2
@@ -1,20 +1,34 @@
 ### generated by vpn_openconnect.py ###
 nas-identifier VyOS
-{% for srv in server %}
-{%     if not "disable" in server[srv] %}
-{%         if "port" in server[srv] %}
-authserver {{ srv }}:{{ server[srv]["port"] }}
+
+#### Accounting
+{% if accounting.mode.radius is vyos_defined %}
+{%     for acctsrv, srv_conf in accounting.radius.server.items() if 'disable' not in srv_conf %}
+{%         if srv_conf.port is vyos_defined %}
+acctserver {{ acctsrv }}:{{ srv_conf.port }}
 {%         else %}
-authserver {{ srv }}
+acctserver {{ acctsrv }}
 {%         endif %}
-{%     endif %}
-{% endfor %}
-radius_timeout {{ timeout }}
-{% if source_address %}
-bindaddr {{ source_address }}
-{% else %}
+{%     endfor %}
+{% endif %}
+
+#### Authentication
+{% if authentication.mode.radius is vyos_defined %}
+{%     for authsrv, srv_conf in authentication.radius.server.items() if 'disable' not in srv_conf %}
+{%         if srv_conf.port is vyos_defined %}
+authserver {{ authsrv }}:{{ srv_conf.port }}
+{%         else %}
+authserver {{ authsrv }}
+{%         endif %}
+{%     endfor %}
+radius_timeout {{ authentication['radius']['timeout'] }}
+{%     if source_address %}
+bindaddr {{ authentication['radius']['source_address'] }}
+{%     else %}
 bindaddr *
+{%     endif %}
 {% endif %}
+
 servers /run/ocserv/radius_servers
 dictionary /etc/radcli/dictionary
 default_realm
diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2
index 6221abb9b..f433a9b03 100644
--- a/data/templates/pppoe/peer.j2
+++ b/data/templates/pppoe/peer.j2
@@ -36,10 +36,13 @@ maxfail 0
 
 plugin rp-pppoe.so {{ source_interface }}
 {% if access_concentrator is vyos_defined %}
-rp_pppoe_ac '{{ access_concentrator }}'
+pppoe-ac "{{ access_concentrator }}"
 {% endif %}
 {% if service_name is vyos_defined %}
-rp_pppoe_service '{{ service_name }}'
+pppoe-service "{{ service_name }}"
+{% endif %}
+{% if host_uniq is vyos_defined %}
+pppoe-host-uniq "{{ host_uniq }}"
 {% endif %}
 
 persist
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 47bf6878f..793facc3f 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -26,6 +26,9 @@ monitor  -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2
 # interface (with different ifIndex) - this is the case on e.g. ppp interfaces
 interface_replace_old yes
 
+# T4902: exclude container storage from monitoring
+ignoreDisk /usr/lib/live/mount/persistence/container
+
 ########################
 # configurable section #
 ########################
@@ -59,28 +62,47 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy
 {%         if comm_config.client is vyos_defined %}
 {%             for client in comm_config.client %}
 {%                 if client | is_ipv4 %}
-{{ comm_config.authorization }}community {{ comm }} {{ client }}
+{{ comm_config.authorization }}community {{ comm }} {{ client }} -V RESTRICTED
 {%                 elif client | is_ipv6 %}
-{{ comm_config.authorization }}community6 {{ comm }} {{ client }}
+{{ comm_config.authorization }}community6 {{ comm }} {{ client }} -V RESTRICTED
 {%                 endif %}
 {%             endfor %}
 {%         endif %}
 {%         if comm_config.network is vyos_defined %}
 {%             for network in comm_config.network %}
 {%                 if network | is_ipv4 %}
-{{ comm_config.authorization }}community {{ comm }} {{ network }}
+{{ comm_config.authorization }}community {{ comm }} {{ network }} -V RESTRICTED
 {%                 elif network | is_ipv6 %}
-{{ comm_config.authorization }}community6 {{ comm }} {{ network }}
+{{ comm_config.authorization }}community6 {{ comm }} {{ network }} -V RESTRICTED
 {%                 endif %}
 {%             endfor %}
 {%         endif %}
 {%         if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}
-{{ comm_config.authorization }}community {{ comm }}
-{{ comm_config.authorization }}community6 {{ comm }}
+{{ comm_config.authorization }}community {{ comm }} -V RESTRICTED
+{{ comm_config.authorization }}community6 {{ comm }} -V RESTRICTED
 {%         endif %}
 {%     endfor %}
 {% endif %}
 
+# Default RESTRICTED view
+view RESTRICTED    included .1 80
+{% if 'ip-route-table' not in oid_enable %}
+# ipRouteTable oid: excluded
+view RESTRICTED    excluded  .1.3.6.1.2.1.4.21
+{% endif %}
+{% if 'ip-net-to-media-table' not in oid_enable %}
+# ipNetToMediaTable oid: excluded
+view RESTRICTED    excluded  .1.3.6.1.2.1.4.22
+{% endif %}
+{% if 'ip-net-to-physical-phys-address' not in oid_enable %}
+# ipNetToPhysicalPhysAddress oid: excluded
+view RESTRICTED    excluded  .1.3.6.1.2.1.4.35
+{% endif %}
+{% if 'ip-forward' not in oid_enable %}
+# ipForward oid: excluded
+view RESTRICTED    excluded  .1.3.6.1.2.1.4.24
+{% endif %}
+
 {% if contact is vyos_defined %}
 # system contact information
 SysContact {{ contact }}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 5d787de86..443ee64db 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -1,5 +1,4 @@
 {% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
-{% set oid_route_table = ' ' if oid_enable is vyos_defined('route-table') else '-I -ipCidrRouteTable,inetCidrRouteTable' %}
 [Unit]
 StartLimitIntervalSec=0
 After=vyos-router.service
@@ -8,7 +7,7 @@ After=vyos-router.service
 Environment=
 Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs"
 ExecStart=
-ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{ oid_route_table }} -f -p /run/snmpd.pid
+ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
 Restart=always
 RestartSec=10