Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json1
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.tmpl4
-rw-r--r--data/templates/firewall/nftables.tmpl26
-rw-r--r--data/templates/frr/isisd.frr.tmpl2
-rw-r--r--data/templates/frr/ospf6d.frr.tmpl2
-rw-r--r--data/templates/frr/ospfd.frr.tmpl8
-rw-r--r--data/templates/frr/policy.frr.tmpl5
-rw-r--r--data/templates/frr/static_routes_macro.j25
-rw-r--r--data/templates/frr/staticd.frr.tmpl4
-rw-r--r--data/templates/ipsec/charon.tmpl11
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl25
-rw-r--r--data/templates/lldp/lldpd.tmpl3
-rw-r--r--data/templates/lldp/vyos.conf.tmpl35
-rw-r--r--data/templates/monitoring/override.conf.tmpl2
-rw-r--r--data/templates/monitoring/telegraf.tmpl5
-rw-r--r--data/templates/openvpn/server.conf.tmpl10
-rw-r--r--data/templates/pmacct/override.conf.tmpl17
-rw-r--r--data/templates/pmacct/uacctd.conf.tmpl (renamed from data/templates/netflow/uacctd.conf.tmpl)10
-rw-r--r--data/templates/syslog/logrotate.tmpl9
-rw-r--r--data/templates/zone_policy/nftables.tmpl24
20 files changed, 149 insertions, 59 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index c85ab0725..b77d48001 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -48,6 +48,7 @@
"protocols_ripng.py",
"protocols_static.py",
"protocols_static_multicast.py",
+"qos.py",
"salt-minion.py",
"service_console-server.py",
"service_ids_fastnetmon.py",
diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.tmpl
index da2f28ced..dbd864b5e 100644
--- a/data/templates/dhcp-server/dhcpd.conf.tmpl
+++ b/data/templates/dhcp-server/dhcpd.conf.tmpl
@@ -42,9 +42,9 @@ failover peer "{{ failover.name }}" {
secondary;
{% endif %}
address {{ failover.source_address }};
- port 520;
+ port 647;
peer address {{ failover.remote }};
- peer port 520;
+ peer port 647;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
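Review bot: The switch from 520 to 647 on the `port 647;` / `peer port 647;` lines is silent for anyone whose inter-peer firewall rule still permits the old port; a template comment such as `{# 647/tcp is the IANA-registered DHCP failover port; 520 is RIP #}` would explain the number and tell the operator what the peer link must allow. ISC failover carries no authentication of its own, so the `address`/`peer address` pair is the only thing gating who may speak this protocol — if no local firewall rule for 647 is generated elsewhere, the comment should say the operator must restrict it to the peer. The `failover peer` block begins before the hunk.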
diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.tmpl
index 33c821e84..0cc977cf9 100644
--- a/data/templates/firewall/nftables.tmpl
+++ b/data/templates/firewall/nftables.tmpl
@@ -31,16 +31,27 @@ table ip filter {
}
{% endif %}
{% if name is defined %}
+{% set ns = namespace(sets=[]) %}
{% for name_text, conf in name.items() %}
- chain {{ name_text }} {
+ chain NAME_{{ name_text }} {
{% if conf.rule is defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
{{ rule_conf | nft_rule(name_text, rule_id) }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT_{{ set_name }} {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
{% endif %}
{% if state_policy is defined %}
chain VYOS_STATE_POLICY {
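Review bot: The `set RECENT_… { … size 65535; flags dynamic }` definitions carry no `timeout` flag, so whatever the nft_rule filter adds to the set (not visible here) cannot age out, and once 65535 sources have been recorded further additions fail; if the rule then stops matching, the recent-based rate limit fails open under exactly the flood it exists to handle. If the generated rule attaches a timeout to elements, the nft versions I know require `flags dynamic,timeout` on the set, and the chosen size deserves a comment either way, e.g. `{# bounded dynamic set; entries expire via the rule's timeout #}`. A note that chains are now `NAME_<name>` would also help, since jump targets in other templates must use the same prefix. The surrounding `table ip filter {` opens before the hunk.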
@@ -81,16 +92,27 @@ table ip6 filter {
}
{% endif %}
{% if ipv6_name is defined %}
+{% set ns = namespace(sets=[]) %}
{% for name_text, conf in ipv6_name.items() %}
- chain {{ name_text }} {
+ chain NAME6_{{ name_text }} {
{% if conf.rule is defined %}
{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %}
{{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }}
+{% if rule_conf.recent is defined %}
+{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %}
+{% endif %}
{% endfor %}
{% endif %}
{{ conf | nft_default_rule(name_text) }}
}
{% endfor %}
+{% for set_name in ns.sets %}
+ set RECENT6_{{ set_name }} {
+ type ipv6_addr
+ size 65535
+ flags dynamic
+ }
+{% endfor %}
{% endif %}
{% if state_policy is defined %}
chain VYOS_STATE_POLICY6 {
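Review bot: Same concern as the IPv4 block: `set RECENT6_… { … size 65535; flags dynamic }` has no `timeout` flag and a fixed 64k ceiling, so entries never expire and the set stops accepting new sources when full; whether that fails open depends on the rule nft_rule emits, which is outside this diff. Use `flags dynamic,timeout` if the rule sets element timeouts, and comment the size. The enclosing `table ip6 filter {` opens before the hunk.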
diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl
index b1e3f825b..c68dda443 100644
--- a/data/templates/frr/isisd.frr.tmpl
+++ b/data/templates/frr/isisd.frr.tmpl
@@ -1,7 +1,7 @@
!
{% if interface is defined and interface is not none %}
{% for iface, iface_config in interface.items() %}
-interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
+interface {{ iface }}
ip router isis VyOS
ipv6 router isis VyOS
{% if iface_config.bfd is defined %}
diff --git a/data/templates/frr/ospf6d.frr.tmpl b/data/templates/frr/ospf6d.frr.tmpl
index 8279e5abb..a73c6cac3 100644
--- a/data/templates/frr/ospf6d.frr.tmpl
+++ b/data/templates/frr/ospf6d.frr.tmpl
@@ -1,7 +1,7 @@
!
{% if interface is defined and interface is not none %}
{% for iface, iface_config in interface.items() %}
-interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
+interface {{ iface }}
{% if iface_config.area is defined and iface_config.area is not none %}
ipv6 ospf6 area {{ iface_config.area }}
{% endif %}
diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl
index a6618b6af..59d936b55 100644
--- a/data/templates/frr/ospfd.frr.tmpl
+++ b/data/templates/frr/ospfd.frr.tmpl
@@ -1,7 +1,7 @@
!
{% if interface is defined and interface is not none %}
{% for iface, iface_config in interface.items() %}
-interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
+interface {{ iface }}
{% if iface_config.authentication is defined and iface_config.authentication is not none %}
{% if iface_config.authentication.plaintext_password is defined and iface_config.authentication.plaintext_password is not none %}
ip ospf authentication-key {{ iface_config.authentication.plaintext_password }}
@@ -97,6 +97,12 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% endfor %}
{% endif %}
+{% if area_config.export_list is defined and area_config.export_list is not none %}
+ area {{ area_id }} export-list {{ area_config.export_list }}
+{% endif %}
+{% if area_config.import_list is defined and area_config.import_list is not none %}
+ area {{ area_id }} import-list {{ area_config.import_list }}
+{% endif %}
{% if area_config.shortcut is defined and area_config.shortcut is not none %}
area {{ area_id }} shortcut {{ area_config.shortcut }}
{% endif %}
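Review bot: The new `export-list` / `import-list` lines are easy to confuse and would benefit from a one-line comment: as I understand FRR, an export-list filters the Type-3 summaries the ABR advertises out of this area and an import-list filters the summaries it injects into it, and both only have effect on an ABR — `{# ABR-only: filter inter-area (Type-3) summaries leaving / entering this area #}`. If FRR accepts a reference to an access-list that does not exist (I believe it does), the template is relying on the Python side to verify the list, which is worth stating. The `for area_id, area_config` loop this sits in starts before the hunk.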
diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl
index d3d3957a5..60e15f4fd 100644
--- a/data/templates/frr/policy.frr.tmpl
+++ b/data/templates/frr/policy.frr.tmpl
@@ -204,7 +204,7 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
match ipv6 address prefix-list {{ rule_config.match.ipv6.address.prefix_list }}
{% endif %}
{% if rule_config.match.ipv6 is defined and rule_config.match.ipv6.nexthop is defined and rule_config.match.ipv6.nexthop is not none %}
- match ipv6 next-hop {{ rule_config.match.ipv6.nexthop }}
+ match ipv6 next-hop address {{ rule_config.match.ipv6.nexthop }}
{% endif %}
{% if rule_config.match.large_community is defined and rule_config.match.large_community.large_community_list is defined and rule_config.match.large_community.large_community_list is not none %}
match large-community {{ rule_config.match.large_community.large_community_list }}
@@ -276,6 +276,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.local is defined and rule_config.set.ipv6_next_hop.local is not none %}
set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }}
{% endif %}
+{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.peer_address is defined %}
+ set ipv6 next-hop peer-address
+{% endif %}
{% if rule_config.set.ipv6_next_hop is defined and rule_config.set.ipv6_next_hop.prefer_global is defined %}
set ipv6 next-hop prefer-global
{% endif %}
diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2
index 3b432b49b..8359357b7 100644
--- a/data/templates/frr/static_routes_macro.j2
+++ b/data/templates/frr/static_routes_macro.j2
@@ -2,10 +2,13 @@
{% if prefix_config.blackhole is defined %}
{{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is defined }} {{ 'tag ' + prefix_config.blackhole.tag if prefix_config.blackhole.tag is defined }} {{ 'table ' + table if table is defined and table is not none }}
{% endif %}
+{% if prefix_config.reject is defined %}
+{{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is defined }} {{ 'tag ' + prefix_config.reject.tag if prefix_config.reject.tag is defined }} {{ 'table ' + table if table is defined and table is not none }}
+{% endif %}
{% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %}
{% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %}
{% if next_hop is defined and next_hop is not none %}
-{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }}
+{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }} {{ 'table ' + table if table is defined and table is not none }}
{% endif %}
{% endif %}
{% if prefix_config.interface is defined and prefix_config.interface is not none %}
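Review bot: Nothing in the macro prevents `blackhole` and the new `reject` from both being set on one prefix, in which case two conflicting routes are emitted for the same destination; unless the config script forbids the pair (not visible here), make the second branch `{% elif prefix_config.reject is defined %}` or document the constraint above it. The new line also copies the `'tag ' + prefix_config.reject.tag` concatenation, which raises if `tag` ever arrives as an int — the blackhole line shares that assumption, so this is hedged. The dhcp-interface route now honours `table`, bringing it in line with the other route forms. The macro definition begins before the hunk.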
diff --git a/data/templates/frr/staticd.frr.tmpl b/data/templates/frr/staticd.frr.tmpl
index bfe959c1d..5d833228a 100644
--- a/data/templates/frr/staticd.frr.tmpl
+++ b/data/templates/frr/staticd.frr.tmpl
@@ -17,10 +17,10 @@ vrf {{ vrf }}
{% endif %}
{# IPv4 default routes from DHCP interfaces #}
{% if dhcp is defined and dhcp is not none %}
-{% for interface in dhcp %}
+{% for interface, interface_config in dhcp.items() %}
{% set next_hop = interface | get_dhcp_router %}
{% if next_hop is defined and next_hop is not none %}
-{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 210
+{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }}
{% endif %}
{% endfor %}
{% endif %}
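Review bot: `{{ interface_config.distance }}` has no fallback where the old line hard-coded 210; if an interface has no `distance` set and the renderer uses Jinja's default Undefined, the line becomes `… tag 210 ` and FRR installs the DHCP default route with distance 1, so it would suddenly win over static and most dynamic routes. Unless the config script guarantees a default (not shown in this diff), render it as `{{ interface_config.distance if interface_config.distance is defined else 210 }}` or guard the line explicitly.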
diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl
index 4d710921e..b9b020dcd 100644
--- a/data/templates/ipsec/charon.tmpl
+++ b/data/templates/ipsec/charon.tmpl
@@ -20,6 +20,17 @@ charon {
# Send Cisco Unity vendor ID payload (IKEv1 only).
# cisco_unity = no
+ # Cisco FlexVPN
+{% if options is defined %}
+ cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }}
+{% if options.virtual_ip is defined %}
+ install_virtual_ip = yes
+{% endif %}
+{% if options.interface is defined and options.interface is not none %}
+ install_virtual_ip_on = {{ options.interface }}
+{% endif %}
+{% endif %}
+
# Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
# close_ike_on_child_failure = no
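Review bot: `install_virtual_ip = yes` is only written when `options.virtual_ip` is set, and since strongSwan's documented default for `charon.install_virtual_ip` is already `yes` (as I recall from strongswan.conf), the option can never be turned off from this template — unlike `cisco_flexvpn`, which is rendered both ways on the line above. Render it the same way: `install_virtual_ip = {{ 'yes' if options.virtual_ip is defined else 'no' }}`. The `# Cisco FlexVPN` header is also misleading for the two `install_virtual_ip*` keys, which affect every peer that assigns virtual IPs, not only FlexVPN. The `charon {` block begins before the hunk.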
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index c6b71f2a1..a622cbf74 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -5,6 +5,9 @@
peer_{{ name }} {
proposals = {{ ike | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %}
+ vips = {{ peer_conf.virtual_address | join(', ') }}
+{% endif %}
local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }}
remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }}
{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %}
@@ -57,6 +60,12 @@
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
+{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %}
+ life_bytes = {{ vti_esp.life_bytes }}
+{% endif %}
+{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %}
+ life_packets = {{ vti_esp.life_packets }}
+{% endif %}
life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
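Review bot: `life_bytes` / `life_packets` are hard limits in swanctl — the CHILD_SA is closed when they are reached — while rekeying is driven by `rekey_bytes` / `rekey_packets`, which this hunk does not emit; per swanctl.conf the life_* values default to 110 % of rekey_*, so setting life_* alone hard-closes the SA instead of rekeying ahead of the limit and drops traffic until the start/trap action re-establishes it. Either emit a matching `rekey_bytes = …` / `rekey_packets = …` derived from the configured value, or document that the VyOS option is a hard kill. The `peer_{{ name }}_vti {` block continues past the hunk.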
@@ -74,11 +83,14 @@
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
+{% elif peer_conf.connection_type == 'none' %}
+ start_action = none
{% endif %}
{% if ike.dead_peer_detection is defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
+ close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
}
{% elif peer_conf.tunnel is defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
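Review bot: `close_action = {{ {...}[ike.close_action] }}` is the only lookup in this block without an `is defined` guard; if `close_action` is absent from the IKE group, Jinja's default Undefined renders `close_action = `, which swanctl will reject or misread, whereas `dead_peer_detection` on the line above is guarded. Either guard it or state in a comment that the config script always supplies a default. The dpd `restart → restart` fix and the `none|trap|start` mapping for close_action match the swanctl.conf values I know, so the translation tables themselves look right.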
@@ -91,6 +103,12 @@
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
+{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %}
+ life_bytes = {{ tunnel_esp.life_bytes }}
+{% endif %}
+{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %}
+ life_packets = {{ tunnel_esp.life_packets }}
+{% endif %}
life_time = {{ tunnel_esp.lifetime }}s
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
@@ -116,11 +134,14 @@
start_action = start
{% elif peer_conf.connection_type == 'respond' %}
start_action = trap
+{% elif peer_conf.connection_type == 'none' %}
+ start_action = none
{% endif %}
{% if ike.dead_peer_detection is defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'start'} %}
+{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
+ close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
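Review bot: The stanzas added here (`life_bytes`, `life_packets`, `start_action = none`, `close_action`) are verbatim copies of the ones in the `_vti` block above, which is how the dpd `start`/`restart` mismatch came to exist in two places; a `{% macro child_sa_common(esp, peer_conf, ike) %}` holding the shared lifetime/start/dpd/close lines would stop the two connection shapes drifting again. The same missing guard on `ike.close_action` applies here. The `peer_{{ name }}_tunnel_{{ tunnel_id }} {` block extends past the hunk.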
diff --git a/data/templates/lldp/lldpd.tmpl b/data/templates/lldp/lldpd.tmpl
index 3db955b48..819e70c84 100644
--- a/data/templates/lldp/lldpd.tmpl
+++ b/data/templates/lldp/lldpd.tmpl
@@ -1,3 +1,2 @@
### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4{% if options.snmp %} -x{% endif %}{% if options.cdp %} -c{% endif %}{% if options.edp %} -e{% endif %}{% if options.fdp %} -f{% endif %}{% if options.sonmp %} -s{% endif %}"
-
+DAEMON_ARGS="-M 4{% if snmp is defined and snmp.enable is defined %} -x{% endif %}{% if legacy_protocols is defined and legacy_protocols.cdp is defined %} -c{% endif %}{% if legacy_protocols is defined and legacy_protocols.edp is defined %} -e{% endif %}{% if legacy_protocols is defined and legacy_protocols.fdp is defined %} -f{% endif %}{% if legacy_protocols is defined and legacy_protocols.sonmp is defined %} -s{% endif %}"
diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl
index 07bbaf604..14395a223 100644
--- a/data/templates/lldp/vyos.conf.tmpl
+++ b/data/templates/lldp/vyos.conf.tmpl
@@ -1,20 +1,25 @@
### Autogenerated by lldp.py ###
configure system platform VyOS
-configure system description "VyOS {{ options.description }}"
-{% if options.listen_on %}
-configure system interface pattern "{{ ( options.listen_on | select('equalto','all') | map('replace','all','*') | list + options.listen_on | select('equalto','!all') | map('replace','!all','!*') | list + options.listen_on | reject('equalto','all') | reject('equalto','!all') | list ) | unique | join(",") }}"
+configure system description "VyOS {{ version }}"
+{% if interface is defined and interface is not none %}
+{% set tmp = [] %}
+{% for iface, iface_options in interface.items() if not iface_options.disable %}
+{% if iface == 'all' %}
+{% set iface = '*' %}
+{% endif %}
+{% set _ = tmp.append(iface) %}
+{% if iface_options.location is defined and iface_options.location is not none %}
+{% if iface_options.location.elin is defined and iface_options.location.elin is not none %}
+configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}"
+{% endif %}
+{% if iface_options.location is defined and iface_options.location.coordinate_based is defined and iface_options.location.coordinate_based is not none %}
+configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}"
+{% endif %}
+{% endif %}
+{% endfor %}
+configure system interface pattern "{{ tmp | join(",") }}"
{% endif %}
-{% if options.mgmt_addr %}
-configure system ip management pattern {{ options.mgmt_addr | join(",") }}
+{% if management_address is defined and management_address is not none %}
+configure system ip management pattern {{ management_address | join(",") }}
{% endif %}
-{% for loc in location %}
-{% if loc.elin %}
-configure ports {{ loc.name }} med location elin "{{ loc.elin }}"
-{% endif %}
-{% if loc.coordinate_based %}
-configure ports {{ loc.name }} med location coordinate {% if loc.coordinate_based.latitude %}latitude {{ loc.coordinate_based.latitude }}{% endif %} {% if loc.coordinate_based.longitude %}longitude {{ loc.coordinate_based.longitude }}{% endif %} {% if loc.coordinate_based.altitude %}altitude {{ loc.coordinate_based.altitude }} m{% endif %} {% if loc.coordinate_based.datum %}datum {{ loc.coordinate_based.datum }}{% endif %}
-{% endif %}
-
-
-{% endfor %}
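Review bot: `configure system description "VyOS {{ version }}"` advertises the exact software version to every L2 neighbour over an unauthenticated protocol that is often enabled on untrusted ports; the old `options.description` line likely did the same, but this rewrite is the moment to add a comment noting the disclosure and, ideally, an option for a generic description. The `{% set iface = '*' %}` rebinding inside the loop is valid Jinja but surprising — `{# lldpd uses '*' as the all-interfaces pattern #}` would help. ELIN and coordinate values are emitted inside double quotes with no escaping, so the CLI validators must reject embedded quotes; that is assumed, not visible here.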
diff --git a/data/templates/monitoring/override.conf.tmpl b/data/templates/monitoring/override.conf.tmpl
index 63f6d7391..f8f150791 100644
--- a/data/templates/monitoring/override.conf.tmpl
+++ b/data/templates/monitoring/override.conf.tmpl
@@ -3,5 +3,5 @@ After=vyos-router.service
ConditionPathExists=/run/telegraf/vyos-telegraf.conf
[Service]
Environment=INFLUX_TOKEN={{ authentication.token }}
-CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_ADMIN
AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN
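Review bot: `CAP_SYS_ADMIN` is added to `CapabilityBoundingSet` with no explanation; it is the broadest capability Linux has, and on a daemon that executes external scripts it effectively removes the sandbox the original two-capability set provided. State which new input needs it in a comment on that line (`# CAP_SYS_ADMIN: required by <input>`), confirm that no narrower capability suffices, or drop it. `AmbientCapabilities` is unchanged, so whether the process actually gains it depends on the unit's `User=`, which is outside this file.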
diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl
index f05396d91..d3145a500 100644
--- a/data/templates/monitoring/telegraf.tmpl
+++ b/data/templates/monitoring/telegraf.tmpl
@@ -17,7 +17,7 @@
[[outputs.influxdb_v2]]
urls = ["{{ url }}:{{ port }}"]
insecure_skip_verify = true
- token = "{{ authentication.token }}"
+ token = "$INFLUX_TOKEN"
organization = "{{ authentication.organization }}"
bucket = "{{ bucket }}"
[[inputs.cpu]]
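Review bot: `token = "$INFLUX_TOKEN"` moves the secret out of the telegraf config but only into `Environment=` in the systemd override, which as far as I know is still readable by any local user who can read the unit file or query the unit's `Environment` property with `systemctl show`; if the intent is to keep the token out of world-readable files, use `EnvironmentFile=` pointing at a 0600 file or systemd's `LoadCredential=`. The unconditional `insecure_skip_verify = true` two lines above means the token is sent to whatever answers at `{{ url }}` without certificate validation; that is pre-existing, but a comment next to the token should say so, so nobody mistakes the env-var move for hardening.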
@@ -52,8 +52,9 @@
syslog_standard = "RFC3164"
[[inputs.exec]]
commands = [
+ "{{ custom_scripts_dir }}/show_firewall_input_filter.py",
"{{ custom_scripts_dir }}/show_interfaces_input_filter.py",
- "cat /tmp/vyos_services_input_filter"
+ "{{ custom_scripts_dir }}/vyos_services_input_filter.py"
]
timeout = "10s"
data_format = "influx"
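Review bot: The three `inputs.exec` scripts now run with the unit's capabilities on every collection interval, so `{{ custom_scripts_dir }}` and the scripts must be root-owned and not writable by telegraf's service user, or the exec input becomes a capability-escalation path; a comment above `commands` stating that ownership requirement and where it is enforced would help. Replacing `cat /tmp/vyos_services_input_filter` removes a read from a world-writable directory, which is the more valuable part of this change and deserves a line in the commit message.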
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 7a0470d0e..fb7ad9e16 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -141,11 +141,13 @@ ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}
{% if device_type == 'tap' %}
-{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
-{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
+{% if local_address is defined and local_address is not none %}
+{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
-{% endif %}
-{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
{% else %}
{% for laddr in local_address if laddr | is_ipv4 %}
{% for raddr in remote_address if raddr | is_ipv4 %}
diff --git a/data/templates/pmacct/override.conf.tmpl b/data/templates/pmacct/override.conf.tmpl
new file mode 100644
index 000000000..216927666
--- /dev/null
+++ b/data/templates/pmacct/override.conf.tmpl
@@ -0,0 +1,17 @@
+{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+[Unit]
+After=
+After=vyos-router.service
+ConditionPathExists=
+ConditionPathExists=/run/pmacct/uacctd.conf
+
+[Service]
+EnvironmentFile=
+ExecStart=
+ExecStart={{vrf_command}}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf
+WorkingDirectory=
+WorkingDirectory=/run/pmacct
+PIDFile=
+PIDFile=/run/pmacct/uacctd.pid
+Restart=always
+RestartSec=10
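Review bot: `ExecStart={{vrf_command}}/usr/sbin/uacctd …` starts with the bare token `ip` whenever a VRF is set; systemd only resolves non-absolute executables since v239, so `/usr/sbin/ip vrf exec {{ vrf }} /usr/sbin/uacctd …` is the safe spelling. The `vrf is defined` test also differs from the `is defined and is not none` idiom used in the other templates, and `'ip vrf exec ' + vrf` raises on `None`. Style: `{{ vrf_command }}` with spaces matches the rest of the repository.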
diff --git a/data/templates/netflow/uacctd.conf.tmpl b/data/templates/pmacct/uacctd.conf.tmpl
index f81002dc1..b58f7c796 100644
--- a/data/templates/netflow/uacctd.conf.tmpl
+++ b/data/templates/pmacct/uacctd.conf.tmpl
@@ -19,19 +19,19 @@ imt_mem_pools_number: 169
{% endif %}
{% set plugin = [] %}
-{% if disable_imt is not defined %}
-{% set plugin = ['memory'] %}
-{% endif %}
{% if netflow is defined and netflow.server is defined and netflow.server is not none %}
{% for server in netflow.server %}
-{% set plugin = plugin.append('nfprobe[nf_' ~ server ~ ']') %}
+{% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %}
{% endfor %}
{% endif %}
{% if sflow is defined and sflow.server is defined and sflow.server is not none %}
{% for server in sflow.server %}
-{% set plugin = plugin.append('sfprobe[sf_' ~ server ~ ']') %}
+{% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %}
{% endfor %}
{% endif %}
+{% if disable_imt is not defined %}
+{% set _ = plugin.append('memory') %}
+{% endif %}
plugins: {{ plugin | join(',') }}
{% if netflow is defined and netflow.server is defined and netflow.server is not none %}
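Review bot: The plugin order changed — `memory` is now appended after the nfprobe/sfprobe plugins instead of leading the list — with no comment saying whether that is deliberate; I do not know whether uacctd cares about the order, so a `{# memory (IMT) plugin last so the probe plugins come first #}` style comment or a note in the commit message would settle it. With `disable_imt` set and no netflow/sflow server the line renders as `plugins: `, which uacctd will reject; presumably the config script requires at least one collector, but that is not visible here. The `{% set _ = plugin.append(...) %}` fix is correct — the old `{% set plugin = plugin.append(...) %}` rebound `plugin` to `None`.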
diff --git a/data/templates/syslog/logrotate.tmpl b/data/templates/syslog/logrotate.tmpl
index f758265e4..c1b951e8b 100644
--- a/data/templates/syslog/logrotate.tmpl
+++ b/data/templates/syslog/logrotate.tmpl
@@ -1,12 +1,11 @@
-{% for file in files %}
-{{files[file]['log-file']}} {
+{{ config_render['log-file'] }} {
missingok
notifempty
create
- rotate {{files[file]['max-files']}}
- size={{files[file]['max-size']//1024}}k
+ rotate {{ config_render['max-files'] }}
+ size={{ config_render['max-size'] // 1024 }}k
postrotate
invoke-rc.d rsyslog rotate > /dev/null
endscript
}
-{% endfor %}
+
diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl
index e59208a0d..4a6bd2772 100644
--- a/data/templates/zone_policy/nftables.tmpl
+++ b/data/templates/zone_policy/nftables.tmpl
@@ -13,18 +13,18 @@ table ip filter {
chain VZONE_{{ zone_name }}_IN {
iifname lo counter return
{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
- iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
chain VZONE_{{ zone_name }}_OUT {
oifname lo counter return
{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %}
- oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+ oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
{% else %}
chain VZONE_{{ zone_name }} {
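Review bot: Dropping the `else 'drop'` fallback on the `counter {{ zone_conf.default_action }}` lines means that if `default_action` is ever absent or None the template renders a bare `counter`, which nft accepts as a statement with no verdict; packets then fall out of `VZONE_…_IN` back to the calling chain and the zone default silently becomes whatever the base-chain policy is — potentially fail-open. If the Python side now guarantees a default (not visible in this diff), say so in a comment; otherwise keep a guard such as `counter {{ zone_conf.default_action | default('drop') }}`. The `NAME_` prefix on the jump targets must stay in step with the chain names in the firewall template. `table ip filter {` opens before the hunk.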
@@ -34,11 +34,11 @@ table ip filter {
{% endif %}
{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %}
{% if zone[from_zone].local_zone is not defined %}
- iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.name }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endif %}
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
{% endif %}
{% endfor %}
@@ -50,18 +50,18 @@ table ip6 filter {
chain VZONE6_{{ zone_name }}_IN {
iifname lo counter return
{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
- iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
chain VZONE6_{{ zone_name }}_OUT {
oifname lo counter return
{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %}
- oifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+ oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
oifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
{% else %}
chain VZONE6_{{ zone_name }} {
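Review bot: Same as the IPv4 chains: `counter {{ zone_conf.default_action }}` with no fallback renders a verdict-less `counter` if `default_action` is missing, so the zone default would depend on the base-chain policy instead of dropping; guard it (`| default('drop')`) or document the upstream default. `table ip6 filter {` opens before the hunk.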
@@ -71,11 +71,11 @@ table ip6 filter {
{% endif %}
{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %}
{% if zone[from_zone].local_zone is not defined %}
- iifname { {{ zone[from_zone].interface | join(",") }} } counter jump {{ from_conf.firewall.ipv6_name }}
+ iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }}
iifname { {{ zone[from_zone].interface | join(",") }} } counter return
{% endif %}
{% endfor %}
- counter {{ zone_conf.default_action if zone_conf.default_action is defined else 'drop' }}
+ counter {{ zone_conf.default_action }}
}
{% endif %}
{% endfor %}