summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/accel-ppp/ipoe.config.j28
-rw-r--r--data/templates/accel-ppp/sstp.config.j21
-rw-r--r--data/templates/dns-forwarding/recursor.conf.j25
-rw-r--r--data/templates/firewall/nftables-defines.j266
-rw-r--r--data/templates/firewall/nftables-geoip-update.j233
-rw-r--r--data/templates/firewall/nftables-policy.j27
-rw-r--r--data/templates/firewall/nftables.j234
-rw-r--r--data/templates/frr/staticd.frr.j24
-rw-r--r--data/templates/monitoring/override.conf.j22
-rw-r--r--data/templates/monitoring/telegraf.j28
-rw-r--r--data/templates/ntp/ntpd.conf.j213
-rw-r--r--data/templates/pmacct/uacctd.conf.j28
-rw-r--r--data/templates/router-advert/radvd.conf.j23
-rw-r--r--data/templates/syslog/rsyslog.conf.j24
-rw-r--r--data/templates/zone_policy/nftables.j212
15 files changed, 172 insertions, 36 deletions
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index 3c0d47b27..6df12db2c 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -128,10 +128,16 @@ bind={{ radius_source_address }}
{% if radius_dynamic_author %}
dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
{% endif %}
-{% if radius_shaper_attr %}
+
+{% if radius_shaper_enable %}
[shaper]
verbose=1
+{% if radius_shaper_attr %}
attr={{ radius_shaper_attr }}
+{% endif %}
+{% if radius_shaper_multiplier %}
+rate-multiplier={{ radius_shaper_multiplier }}
+{% endif %}
{% if radius_shaper_vendor %}
vendor={{ radius_shaper_vendor }}
{% endif %}
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 5c6f19306..7ee28dd21 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -28,6 +28,7 @@ disable
[sstp]
verbose=1
ifname=sstp%d
+port={{ port }}
accept=ssl
ssl-ca-file=/run/accel-pppd/sstp-ca.pem
ssl-pemfile=/run/accel-pppd/sstp-cert.pem
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index c1950e1bc..ce1b676d1 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -32,6 +32,11 @@ local-address={{ listen_address | join(',') }}
# dnssec
dnssec={{ dnssec }}
+{% if dns64_prefix is vyos_defined %}
+# dns64-prefix
+dns64-prefix={{ dns64_prefix }}
+{% endif %}
+
# serve rfc1918 records
serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 4fa92f2e3..97fc123d5 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -1,32 +1,76 @@
+{% macro groups(group, is_ipv6) %}
{% if group is vyos_defined %}
-{% if group.address_group is vyos_defined %}
+{% set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %}
+{% if group.address_group is vyos_defined and not is_ipv6 %}
{% for group_name, group_conf in group.address_group.items() %}
-define A_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set A_{{ group_name }} {
+ type {{ ip_type }}
+ flags interval
+{% if group_conf.address is vyos_defined or includes %}
+ elements = { {{ group_conf.address | nft_nested_group(includes, group.address_group, 'address') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
-{% if group.ipv6_address_group is vyos_defined %}
+{% if group.ipv6_address_group is vyos_defined and is_ipv6 %}
{% for group_name, group_conf in group.ipv6_address_group.items() %}
-define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set A6_{{ group_name }} {
+ type {{ ip_type }}
+ flags interval
+{% if group_conf.address is vyos_defined or includes %}
+ elements = { {{ group_conf.address | nft_nested_group(includes, group.ipv6_address_group, 'address') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
{% if group.mac_group is vyos_defined %}
{% for group_name, group_conf in group.mac_group.items() %}
-define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set M_{{ group_name }} {
+ type ether_addr
+{% if group_conf.mac_address is vyos_defined or includes %}
+ elements = { {{ group_conf.mac_address | nft_nested_group(includes, group.mac_group, 'mac_address') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
-{% if group.network_group is vyos_defined %}
+{% if group.network_group is vyos_defined and not is_ipv6 %}
{% for group_name, group_conf in group.network_group.items() %}
-define N_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set N_{{ group_name }} {
+ type {{ ip_type }}
+ flags interval
+{% if group_conf.network is vyos_defined or includes %}
+ elements = { {{ group_conf.network | nft_nested_group(includes, group.network_group, 'network') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
-{% if group.ipv6_network_group is vyos_defined %}
+{% if group.ipv6_network_group is vyos_defined and is_ipv6 %}
{% for group_name, group_conf in group.ipv6_network_group.items() %}
-define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set N6_{{ group_name }} {
+ type {{ ip_type }}
+ flags interval
+{% if group_conf.network is vyos_defined or includes %}
+ elements = { {{ group_conf.network | nft_nested_group(includes, group.ipv6_network_group, 'network') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
{% if group.port_group is vyos_defined %}
{% for group_name, group_conf in group.port_group.items() %}
-define P_{{ group_name }} = { {{ group_conf.port | join(",") }} }
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set P_{{ group_name }} {
+ type inet_service
+ flags interval
+{% if group_conf.port is vyos_defined or includes %}
+ elements = { {{ group_conf.port | nft_nested_group(includes, group.port_group, 'port') | join(",") }} }
+{% endif %}
+ }
{% endfor %}
{% endif %}
-{% endif %} \ No newline at end of file
+{% endif %}
+{% endmacro %}
diff --git a/data/templates/firewall/nftables-geoip-update.j2 b/data/templates/firewall/nftables-geoip-update.j2
new file mode 100644
index 000000000..f9e61a274
--- /dev/null
+++ b/data/templates/firewall/nftables-geoip-update.j2
@@ -0,0 +1,33 @@
+#!/usr/sbin/nft -f
+
+{% if ipv4_sets is vyos_defined %}
+{% for setname, ip_list in ipv4_sets.items() %}
+flush set ip filter {{ setname }}
+{% endfor %}
+
+table ip filter {
+{% for setname, ip_list in ipv4_sets.items() %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
+
+{% if ipv6_sets is vyos_defined %}
+{% for setname, ip_list in ipv6_sets.items() %}
+flush set ip6 filter {{ setname }}
+{% endfor %}
+
+table ip6 filter {
+{% for setname, ip_list in ipv6_sets.items() %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ elements = { {{ ','.join(ip_list) }} }
+ }
+{% endfor %}
+}
+{% endif %}
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 0154c9f7e..281525407 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -1,13 +1,13 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% if cleanup_commands is vyos_defined %}
{% for command in cleanup_commands %}
{{ command }}
{% endfor %}
{% endif %}
-include "/run/nftables_defines.conf"
-
table ip mangle {
{% if first_install is vyos_defined %}
chain VYOS_PBR_PREROUTING {
@@ -29,6 +29,8 @@ table ip mangle {
}
{% endfor %}
{% endif %}
+
+{{ group_tmpl.groups(firewall_group, False) }}
}
table ip6 mangle {
@@ -52,4 +54,5 @@ table ip6 mangle {
}
{% endfor %}
{% endif %}
+{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index fac3fad03..b91fed615 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,13 +1,13 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% if cleanup_commands is vyos_defined %}
{% for command in cleanup_commands %}
{{ command }}
{% endfor %}
{% endif %}
-include "/run/nftables_defines.conf"
-
table ip filter {
{% if first_install is vyos_defined %}
chain VYOS_FW_FORWARD {
@@ -45,6 +45,14 @@ table ip filter {
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
+{% if group is vyos_defined and group.domain_group is vyos_defined %}
+{% for name, name_config in group.domain_group.items() %}
+ set D_{{ name }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% for set_name in ns.sets %}
set RECENT_{{ set_name }} {
type ipv4_addr
@@ -52,7 +60,18 @@ table ip filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.name is vyos_defined %}
+{% for setname in geoip_updated.name %}
+ set {{ setname }} {
+ type ipv4_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
+
+{{ group_tmpl.groups(group, False) }}
+
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
{% if state_policy.established is vyos_defined %}
@@ -113,7 +132,18 @@ table ip6 filter {
flags dynamic
}
{% endfor %}
+{% if geoip_updated.ipv6_name is vyos_defined %}
+{% for setname in geoip_updated.ipv6_name %}
+ set {{ setname }} {
+ type ipv6_addr
+ flags interval
+ }
+{% endfor %}
+{% endif %}
{% endif %}
+
+{{ group_tmpl.groups(group, True) }}
+
{% if state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {
{% if state_policy.established is vyos_defined %}
diff --git a/data/templates/frr/staticd.frr.j2 b/data/templates/frr/staticd.frr.j2
index 589f03c2c..55c05ceb7 100644
--- a/data/templates/frr/staticd.frr.j2
+++ b/data/templates/frr/staticd.frr.j2
@@ -17,7 +17,7 @@ vrf {{ vrf }}
{% endif %}
{# IPv4 default routes from DHCP interfaces #}
{% if dhcp is vyos_defined %}
-{% for interface, interface_config in dhcp.items() %}
+{% for interface, interface_config in dhcp.items() if interface_config.dhcp_options.no_default_route is not vyos_defined %}
{% set next_hop = interface | get_dhcp_router %}
{% if next_hop is vyos_defined %}
{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.dhcp_options.default_route_distance if interface_config.dhcp_options.default_route_distance is vyos_defined }}
@@ -26,7 +26,7 @@ vrf {{ vrf }}
{% endif %}
{# IPv4 default routes from PPPoE interfaces #}
{% if pppoe is vyos_defined %}
-{% for interface, interface_config in pppoe.items() %}
+{% for interface, interface_config in pppoe.items() if interface_config.no_default_route is not vyos_defined %}
{{ ip_prefix }} route 0.0.0.0/0 {{ interface }} tag 210 {{ interface_config.default_route_distance if interface_config.default_route_distance is vyos_defined }}
{% endfor %}
{% endif %}
diff --git a/data/templates/monitoring/override.conf.j2 b/data/templates/monitoring/override.conf.j2
index f8f150791..9f1b4ebec 100644
--- a/data/templates/monitoring/override.conf.j2
+++ b/data/templates/monitoring/override.conf.j2
@@ -2,6 +2,6 @@
After=vyos-router.service
ConditionPathExists=/run/telegraf/vyos-telegraf.conf
[Service]
-Environment=INFLUX_TOKEN={{ authentication.token }}
+Environment=INFLUX_TOKEN={{ influxdb.authentication.token }}
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
diff --git a/data/templates/monitoring/telegraf.j2 b/data/templates/monitoring/telegraf.j2
index a732fb5de..6b395692b 100644
--- a/data/templates/monitoring/telegraf.j2
+++ b/data/templates/monitoring/telegraf.j2
@@ -31,14 +31,14 @@
{% endif %}
### End Azure Data Explorer ###
{% endif %}
-{% if influxdb_configured is vyos_defined %}
+{% if influxdb is vyos_defined %}
### InfluxDB2 ###
[[outputs.influxdb_v2]]
- urls = ["{{ url }}:{{ port }}"]
+ urls = ["{{ influxdb.url }}:{{ influxdb.port }}"]
insecure_skip_verify = true
token = "$INFLUX_TOKEN"
- organization = "{{ authentication.organization }}"
- bucket = "{{ bucket }}"
+ organization = "{{ influxdb.authentication.organization }}"
+ bucket = "{{ influxdb.bucket }}"
### End InfluxDB2 ###
{% endif %}
{% if prometheus_client is vyos_defined %}
diff --git a/data/templates/ntp/ntpd.conf.j2 b/data/templates/ntp/ntpd.conf.j2
index da610051e..8921826fa 100644
--- a/data/templates/ntp/ntpd.conf.j2
+++ b/data/templates/ntp/ntpd.conf.j2
@@ -33,10 +33,17 @@ restrict {{ address | address_from_cidr }} mask {{ address | netmask_from_cidr }
{% endfor %}
{% endif %}
-{% if listen_address %}
+{% if listen_address is vyos_defined or interface is vyos_defined %}
# NTP should listen on configured addresses only
interface ignore wildcard
-{% for address in listen_address %}
+{% if listen_address is vyos_defined %}
+{% for address in listen_address %}
interface listen {{ address }}
-{% endfor %}
+{% endfor %}
+{% endif %}
+{% if interface is vyos_defined %}
+{% for ifname in interface %}
+interface listen {{ ifname }}
+{% endfor %}
+{% endif %}
{% endif %}
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index a5016691f..8fbc09e83 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -21,13 +21,13 @@ imt_mem_pools_number: 169
{% set plugin = [] %}
{% if netflow.server is vyos_defined %}
{% for server in netflow.server %}
-{% set nf_server_key = 'nf_' ~ server | replace(':', '.') %}
+{% set nf_server_key = 'nf_' ~ server | dot_colon_to_dash %}
{% set _ = plugin.append('nfprobe['~ nf_server_key ~ ']') %}
{% endfor %}
{% endif %}
{% if sflow.server is vyos_defined %}
{% for server in sflow.server %}
-{% set sf_server_key = 'sf_' ~ server | replace(':', '.') %}
+{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %}
{% set _ = plugin.append('sfprobe[' ~ sf_server_key ~ ']') %}
{% endfor %}
{% endif %}
@@ -40,7 +40,7 @@ plugins: {{ plugin | join(',') }}
# NetFlow servers
{% for server, server_config in netflow.server.items() %}
{# # prevent pmacct syntax error when using IPv6 flow collectors #}
-{% set nf_server_key = 'nf_' ~ server | replace(':', '.') %}
+{% set nf_server_key = 'nf_' ~ server | dot_colon_to_dash %}
nfprobe_receiver[{{ nf_server_key }}]: {{ server | bracketize_ipv6 }}:{{ server_config.port }}
nfprobe_version[{{ nf_server_key }}]: {{ netflow.version }}
{% if netflow.engine_id is vyos_defined %}
@@ -66,7 +66,7 @@ nfprobe_timeouts[{{ nf_server_key }}]: expint={{ netflow.timeout.expiry_interval
# sFlow servers
{% for server, server_config in sflow.server.items() %}
{# # prevent pmacct syntax error when using IPv6 flow collectors #}
-{% set sf_server_key = 'sf_' ~ server | replace(':', '.') %}
+{% set sf_server_key = 'sf_' ~ server | dot_colon_to_dash %}
sfprobe_receiver[{{ sf_server_key }}]: {{ server | bracketize_ipv6 }}:{{ server_config.port }}
sfprobe_agentip[{{ sf_server_key }}]: {{ sflow.agent_address }}
{% if sflow.sampling_rate is vyos_defined %}
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index 6902dc05a..ed15b32f0 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -55,6 +55,9 @@ interface {{ iface }} {
{% endif %}
{% if iface_config.name_server is vyos_defined %}
RDNSS {{ iface_config.name_server | join(" ") }} {
+{% if iface_config.name_server_lifetime is vyos_defined %}
+ AdvRDNSSLifetime {{ iface_config.name_server_lifetime }};
+{% endif %}
};
{% endif %}
{% if iface_config.dnssl is vyos_defined %}
diff --git a/data/templates/syslog/rsyslog.conf.j2 b/data/templates/syslog/rsyslog.conf.j2
index 4445d568b..abe880283 100644
--- a/data/templates/syslog/rsyslog.conf.j2
+++ b/data/templates/syslog/rsyslog.conf.j2
@@ -10,7 +10,11 @@ $MarkMessagePeriod {{ files['global']['marker-interval'] }}
$PreserveFQDN on
{% endif %}
{% for file, file_options in files.items() %}
+{% if file_options['max-size'] is vyos_defined %}
$outchannel {{ file }},{{ file_options['log-file'] }},{{ file_options['max-size'] }},{{ file_options['action-on-max-size'] }}
+{% else %}
+$outchannel {{ file }},{{ file_options['log-file'] }}
+{% endif %}
{{ file_options['selectors'] }} :omfile:${{ file }}
{% endfor %}
{% if console is defined and console is not none %}
diff --git a/data/templates/zone_policy/nftables.j2 b/data/templates/zone_policy/nftables.j2
index e4c4dd7da..fe941f9f8 100644
--- a/data/templates/zone_policy/nftables.j2
+++ b/data/templates/zone_policy/nftables.j2
@@ -16,7 +16,7 @@ table ip filter {
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
chain VZONE_{{ zone_name }}_OUT {
oifname lo counter return
@@ -24,7 +24,7 @@ table ip filter {
oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
{% else %}
chain VZONE_{{ zone_name }} {
@@ -38,7 +38,7 @@ table ip filter {
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endif %}
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
}
{% endif %}
{% endfor %}
@@ -53,7 +53,7 @@ table ip6 filter {
iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
}
chain VZONE6_{{ zone_name }}_OUT {
oifname lo counter return
@@ -61,7 +61,7 @@ table ip6 filter {
oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
}
{% else %}
chain VZONE6_{{ zone_name }} {
@@ -75,7 +75,7 @@ table ip6 filter {
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endif %}
{% endfor %}
- counter {{ zone_conf.default_action }}
+ {{ zone_conf | nft_default_rule('zone6_' + zone_name) }}
}
{% endif %}
{% endfor %}