Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json (renamed from data/config-mode-dependencies.json)2
-rw-r--r--data/op-mode-standardized.json1
-rw-r--r--data/templates/conntrack/nftables-ct.j254
-rw-r--r--data/templates/dhcp-server/10-override.conf.j22
-rw-r--r--data/templates/firewall/nftables.j225
-rw-r--r--data/templates/high-availability/10-override.conf.j216
-rw-r--r--data/templates/load-balancing/haproxy.cfg.j26
-rw-r--r--data/vyos-firewall-init.conf45
8 files changed, 115 insertions, 36 deletions
diff --git a/data/config-mode-dependencies.json b/data/config-mode-dependencies/vyos-1x.json
index 91a757c16..08732bd4c 100644
--- a/data/config-mode-dependencies.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,5 +1,5 @@
{
- "firewall": {"group_resync": ["nat", "policy-route"]},
+ "firewall": {"group_resync": ["conntrack", "nat", "policy-route"]},
"http_api": {"https": ["https"]},
"pki": {
"ethernet": ["interfaces-ethernet"],
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index 042c466ab..ded934bff 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -16,6 +16,7 @@
"neighbor.py",
"nhrp.py",
"openconnect.py",
+"otp.py",
"openvpn.py",
"reset_vpn.py",
"reverseproxy.py",
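Review bot: The added `"otp.py",` breaks the alphabetical order the surrounding entries follow (neighbor, nhrp, openconnect, openvpn, reset_vpn, reverseproxy); it belongs after `"openvpn.py",` and before `"reset_vpn.py",`. Keeping the list sorted keeps later insertions merge-friendly and makes an accidental duplicate entry obvious. Only part of the array is visible in this hunk.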
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 16a03fc6e..970869043 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,7 @@
#!/usr/sbin/nft -f
+{% import 'firewall/nftables-defines.j2' as group_tmpl %}
+
{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %}
{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %}
@@ -10,29 +12,35 @@ flush chain raw {{ nft_ct_timeout_name }}
table raw {
chain {{ nft_ct_ignore_name }} {
-{% if ignore.rule is vyos_defined %}
-{% for rule, rule_config in ignore.rule.items() %}
+{% if ignore.ipv4.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv4.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+ {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
+{% endfor %}
+{% endif %}
+ return
+ }
+ chain {{ nft_ct_timeout_name }} {
+{% if timeout.custom.rule is vyos_defined %}
+{% for rule, rule_config in timeout.custom.rule.items() %}
+ # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+{% endfor %}
+{% endif %}
+ return
+ }
+
+{{ group_tmpl.groups(firewall_group, False) }}
+}
+
+flush chain ip6 raw {{ nft_ct_ignore_name }}
+flush chain ip6 raw {{ nft_ct_timeout_name }}
+
+table ip6 raw {
+ chain {{ nft_ct_ignore_name }} {
+{% if ignore.ipv6.rule is vyos_defined %}
+{% for rule, rule_config in ignore.ipv6.rule.items() %}
# rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-{% set nft_command = '' %}
-{% if rule_config.inbound_interface is vyos_defined %}
-{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %}
-{% endif %}
-{% if rule_config.protocol is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %}
-{% endif %}
-{% if rule_config.destination.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %}
-{% endif %}
-{% if rule_config.destination.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %}
-{% endif %}
-{% if rule_config.source.address is vyos_defined %}
-{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %}
-{% endif %}
-{% if rule_config.source.port is vyos_defined %}
-{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %}
-{% endif %}
- {{ nft_command }} counter notrack comment ignore-{{ rule }}
+ {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
{% endfor %}
{% endif %}
return
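Review bot: The new `{{ nft_ct_timeout_name }}` chain loops over `timeout.custom.rule` but its body emits only the `# rule-N` comment line, so no nft rule is rendered and the chain is effectively `return` with comments. If the timeout rules are meant to come from a filter like the ignore rules do (`conntrack_ignore_rule`), the rule line is missing; if the chain is intentionally populated elsewhere, a template comment such as `{# timeout rules are rendered by conntrack.py, not here #}` would stop it reading as dead code. The template also now depends on a `firewall_group` variable for `group_tmpl.groups(...)`, which this diff cannot confirm is supplied by the rendering script. The enclosing `table raw` block begins before this hunk.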
@@ -45,4 +53,6 @@ table raw {
{% endif %}
return
}
+
+{{ group_tmpl.groups(firewall_group, True) }}
}
diff --git a/data/templates/dhcp-server/10-override.conf.j2 b/data/templates/dhcp-server/10-override.conf.j2
index dd5730b90..1504b6808 100644
--- a/data/templates/dhcp-server/10-override.conf.j2
+++ b/data/templates/dhcp-server/10-override.conf.j2
@@ -1,5 +1,5 @@
### Autogenerated by dhcp_server.py ###
-{% set lease_file = '/run/dhcp-server/dhcpd.leases' %}
+{% set lease_file = '/config/dhcpd.leases' %}
[Unit]
Description=ISC DHCP IPv4 server
Documentation=man:dhcpd(8)
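Review bot: The lease database moves from the runtime location `/run/dhcp-server/dhcpd.leases` to `/config/dhcpd.leases`, but the hunk shows nothing creating or migrating the file; ISC dhcpd will not start if the lease file is absent, so confirm that `dhcp_server.py` (named in the header) creates the new path and that any op-mode reader of the old path is updated in the same change. Since `/config` is the persistent partition, lease data (client MACs and hostnames) now survives reboots and is carried along with configuration backups — presumably the intent, and worth stating in the commit message together with the expected file ownership and mode.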
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index bb14609b0..87630940b 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -6,29 +6,36 @@
flush chain raw FW_CONNTRACK
flush chain ip6 raw FW_CONNTRACK
+flush chain raw vyos_global_rpfilter
+flush chain ip6 raw vyos_global_rpfilter
+
table raw {
chain FW_CONNTRACK {
{{ ipv4_conntrack_action }}
}
+
+ chain vyos_global_rpfilter {
+{% if global_options.source_validation is vyos_defined('loose') %}
+ fib saddr oif 0 counter drop
+{% elif global_options.source_validation is vyos_defined('strict') %}
+ fib saddr . iif oif 0 counter drop
+{% endif %}
+ return
+ }
}
table ip6 raw {
chain FW_CONNTRACK {
{{ ipv6_conntrack_action }}
}
-}
-{% if first_install is not vyos_defined %}
-delete table inet vyos_global_rpfilter
-{% endif %}
-table inet vyos_global_rpfilter {
- chain PREROUTING {
- type filter hook prerouting priority -300; policy accept;
-{% if global_options.source_validation is vyos_defined('loose') %}
+ chain vyos_global_rpfilter {
+{% if global_options.ipv6_source_validation is vyos_defined('loose') %}
fib saddr oif 0 counter drop
-{% elif global_options.source_validation is vyos_defined('strict') %}
+{% elif global_options.ipv6_source_validation is vyos_defined('strict') %}
fib saddr . iif oif 0 counter drop
{% endif %}
+ return
}
}
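Review bot: The IPv6 chain now keys off `global_options.ipv6_source_validation`, whereas the removed `table inet vyos_global_rpfilter` applied `global_options.source_validation` to both families; an existing configuration that only sets `source_validation` silently loses IPv6 reverse-path filtering unless a migration script populates the new node, and none is part of this diff. The removed `delete table inet vyos_global_rpfilter` is also not replaced: the new lines only flush the per-family chains, so on a system upgraded without reboot the old `inet` table with its prerouting base chain stays loaded and its drop rules keep applying in parallel. If the init path does not handle that, keep a conditional cleanup of the old table that tolerates its absence (the old `first_install` guard existed because an unconditional `delete table` fails when the table is missing).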
diff --git a/data/templates/high-availability/10-override.conf.j2 b/data/templates/high-availability/10-override.conf.j2
new file mode 100644
index 000000000..d1cb25581
--- /dev/null
+++ b/data/templates/high-availability/10-override.conf.j2
@@ -0,0 +1,16 @@
+### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###
+{% set snmp = '' if vrrp.disable_snmp is vyos_defined else '--snmp' %}
+[Unit]
+After=vyos-router.service
+# Only start if there is our configuration file - remove Debian default
+# config file from the condition list
+ConditionFileNotEmpty=
+ConditionFileNotEmpty=/run/keepalived/keepalived.conf
+
+[Service]
+KillMode=process
+Type=simple
+# Read configuration variable file if it is present
+ExecStart=
+ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork {{ snmp }}
+PIDFile=/run/keepalived/keepalived.pid
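Review bot: `PIDFile=` combined with `Type=simple` and `--dont-fork` is redundant: systemd already tracks the main PID of a non-forking service, and `PIDFile=` is intended for `Type=forking`, so the `--pid` argument and the `PIDFile=` line can likely be dropped (or `Type=` changed if keepalived is in fact expected to daemonise). The header comment `### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###` also differs in form from the sibling override in this diff, which names the script literally (`### Autogenerated by dhcp_server.py ###`); one convention should be used. Note that `--snmp` is enabled unless `vrrp.disable_snmp` is set, which exposes keepalived state over AgentX by default — a one-line comment above the `{% set snmp ... %}` stating that default would help operators.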
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index f8e1587f8..0a40e1ecf 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -150,13 +150,13 @@ backend {{ back }}
{% endfor %}
{% endif %}
{% if back_config.timeout.check is vyos_defined %}
- timeout check {{ back_config.timeout.check }}
+ timeout check {{ back_config.timeout.check }}s
{% endif %}
{% if back_config.timeout.connect is vyos_defined %}
- timeout connect {{ back_config.timeout.connect }}
+ timeout connect {{ back_config.timeout.connect }}s
{% endif %}
{% if back_config.timeout.server is vyos_defined %}
- timeout server {{ back_config.timeout.server }}
+ timeout server {{ back_config.timeout.server }}s
{% endif %}
{% endfor %}
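Review bot: Appending `s` to the three timeout values changes their unit for every existing configuration: HAProxy reads a bare `timeout` number as milliseconds, so a value that previously rendered as `timeout connect 5000` (5 s) now renders as `5000s`. If the CLI node is defined in seconds this is the right fix, but configurations authored under the old rendering need a migration script, and none is included in this diff. The enclosing `backend` loop starts before this hunk.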
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index 41e7627f5..7e258e6f1 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -19,6 +19,15 @@ table raw {
type filter hook forward priority -300; policy accept;
}
+ chain vyos_global_rpfilter {
+ return
+ }
+
+ chain vyos_rpfilter {
+ type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
+ }
+
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
counter jump VYOS_CT_IGNORE
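Review bot: The new `vyos_rpfilter` base chain hooks prerouting at `priority -300`, the same priority as the `PREROUTING` chain directly below it (and as the pre-existing ip6 pair in the next hunk); the nftables documentation does not define evaluation order between base chains of equal priority on the same hook, so whether the rp-filter drop runs before or after the conntrack chain depends on load order. If the drop is meant to happen first, give the chain an explicit distinct priority, e.g. `type filter hook prerouting priority -301; policy accept;`, and a short comment stating the intended order. The enclosing `table raw` block starts before this hunk.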
@@ -82,12 +91,19 @@ table ip6 raw {
type filter hook forward priority -300; policy accept;
}
+ chain vyos_global_rpfilter {
+ return
+ }
+
chain vyos_rpfilter {
type filter hook prerouting priority -300; policy accept;
+ counter jump vyos_global_rpfilter
}
chain PREROUTING {
type filter hook prerouting priority -300; policy accept;
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_PREROUTING_HOOK
counter jump FW_CONNTRACK
notrack
@@ -95,11 +111,40 @@ table ip6 raw {
chain OUTPUT {
type filter hook output priority -300; policy accept;
+ counter jump VYOS_CT_IGNORE
+ counter jump VYOS_CT_TIMEOUT
counter jump VYOS_CT_OUTPUT_HOOK
counter jump FW_CONNTRACK
notrack
}
+ ct helper rpc_tcp {
+ type "rpc" protocol tcp;
+ }
+
+ ct helper rpc_udp {
+ type "rpc" protocol udp;
+ }
+
+ ct helper tns_tcp {
+ type "tns" protocol tcp;
+ }
+
+ chain VYOS_CT_HELPER {
+ ct helper set "rpc_tcp" tcp dport {111} return
+ ct helper set "rpc_udp" udp dport {111} return
+ ct helper set "tns_tcp" tcp dport {1521,1525,1536} return
+ return
+ }
+
+ chain VYOS_CT_IGNORE {
+ return
+ }
+
+ chain VYOS_CT_TIMEOUT {
+ return
+ }
+
chain VYOS_CT_PREROUTING_HOOK {
return
}
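Review bot: `VYOS_CT_HELPER` is added to `table ip6 raw` with its helper-assignment rules, but nothing visible in this file's ip6 table jumps to it — the jumps added to `PREROUTING` and `OUTPUT` in the earlier hunks cover only `VYOS_CT_IGNORE`, `VYOS_CT_TIMEOUT`, the hook chains and `FW_CONNTRACK`. If the config script inserts the jump at runtime when a helper module is enabled, a comment above the chain such as `# jump into this chain is inserted by the conntrack config script when a helper is enabled` would keep it from reading as dead; otherwise the jump is missing for IPv6 while the IPv4 side is outside the visible hunks.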