summaryrefslogtreecommitdiff
path: root/python/vyos/template.py
AgeCommit message (Collapse)Author
2022-06-14firewall: T4147: Use named sets for firewall groupssarthurdev
* Refactor nftables clean-up code * Adds policy route test for using firewall groups
2022-06-10firewall: T478: Add support for nesting groupssarthurdev
2022-05-27Firewall: T3907: Revert migration script 6-to-7 and add new 7-to-8Nicolas Fort
2022-05-11Firewall: T3907: add log-level options in firewallNicolas Fort
2022-04-01vyos.template: T4333: add Jinja2 plugin to test if a variable is defined and ↵Christian Poessinger
not none We have a lot of boiler plate template code like {% if config.interface is defined and config.interface.remote_as is defined and config.interface.remote_as is not none %} ... {% endif %} This can be stripped down using a custom test to: {% if config.interface.remote_as is vyos_defined %} ... {% endif %} In addition the new vyos_defined test supports comparison {% if foo.bar.baz is vyos_defined('zoo') %} ... {% endif %} So the above will only evaluate to true if the variable foo.bar.baz is defined and its content is zoo This is inspired from https://github.com/aristanetworks/ansible-avd/ which make heavy use of it. All new templates should be written in this new style.
2022-01-31Merge pull request #1199 from sarthurdev/T4218Christian Poessinger
firewall: T4218: T4216: Add prefix to user defined chains, support negated groups, fixes
2022-01-31T4221: add force_to_list Jinja2 filterDaniil Baturin
2022-01-29firewall: T4218: Adds a prefix to all user defined chainssarthurdev
2022-01-20firewall: T2199: Add log prefix to match legacy perl behavioursarthurdev
Example syslog: [FWNAME-default-D] ... * Also clean-up firewall default-action
2022-01-05firewall: zone-policy: T2199: T4130: Fixes for firewall, state-policy and ↵sarthurdev
zone-policy
2022-01-04Merge pull request #1130 from sarthurdev/firewallChristian Poessinger
firewall: T4130: Fix firewall state-policy errors
2022-01-04firewall: T4130: Fix firewall state-policy errorssarthurdev
Also fixes: * Issue with multiple state-policy rules being created on firewall updates * Prevents interface rules being inserted before state-policy
2021-12-31Merge branch 'firewall' of https://github.com/sarthurdev/vyos-1x into currentChristian Poessinger
* 'firewall' of https://github.com/sarthurdev/vyos-1x: zone_policy: T3873: Implement intra-zone-filtering policy: T2199: Migrate policy route op-mode to XML/Python policy: T2199: Migrate policy route to XML/Python zone-policy: T2199: Migrate zone-policy op-mode to XML/Python zone-policy: T2199: Migrate zone-policy to XML/Python firewall: T2199: Migrate firewall op-mode to XML/Python firewall: T2199: Migrate firewall to XML/Python
2021-12-30snmp: T4124: migrate to get_config_dict()Christian Poessinger
2021-12-28ipsec: T4111: Fix for swanctl configuration IPV6 peersViacheslav
Peer name must not contain dots and colons, otherwise swanct can't generate correct configuration for swanctl.conf This is used in connection names and child SA names Add filter 'dot_colon_to_dash' which replace dots and colons
2021-12-06zone_policy: T3873: Implement intra-zone-filteringsarthurdev
2021-12-06firewall: T2199: Migrate firewall to XML/Pythonsarthurdev
2021-11-07dhcp: T3680: fix lease filename for Vlan interfacesChristian Poessinger
2021-09-13ipsec: T3828: Use IKE dh-group when ESP dh-group is set to `enable`sarthurdev
2021-08-25ipsec: T3775: Diffie Hellman Group 21 uses NIST Elliptic Curve "ecp521"Christian Poessinger
... there was a type setting ecp512 instead of ecp521.
2021-08-06vyos.template: T2720: allow setting template directoryJohn Estabrook
2021-07-21pki: openvpn: T3642: Migrate OpenVPN to PKI and refactorsarthurdev
2021-07-20ipsec: T1210: add op-mode command for macOS and iOS profile generationChristian Poessinger
generate ipsec mac-ios-profile <connection> remote <ip|fqdn> will generate a matching IPSec profile which can be loaded on an iOS device.
2021-07-03ipsec: T2816: add Jinja2 converter for ESP/IKE groups to stringChristian Poessinger
2021-06-20T3268: remote: Determine source address from given network interfaceerkin
2021-05-14vyos.template: T3535: add helper for IP address conversionChristian Poessinger
Support getting the IPv4 addresses from a given interface and support to strip CIDR mask from address.
2021-04-17policy: T2425: re-implement "policy" tree from vyatta-cfg-quagga in XML/PythonChristian Poessinger
2021-04-05vyos.template: T3418: add new is_interface helper functionChristian Poessinger
2021-03-10syslog: T3396: Fix remote IPv6 hostsever-sever
2021-02-24route: static: T2450: add missing "dhcp-interface" route optionChristian Poessinger
As thought in the beginning the dhcp-interface route option can not be superseeded by the interface option. When a route is installed for a DHCP interface, that interface is usually a broadcast interface which can not be used for plain interface-based routes. The old Vyatta logic was migrated to Python where the current received next-hop address from the DHCP interface is installed as next-hop address.
2021-01-19nat: T2947: add many-many translationChristian Poessinger
Support a 1:1 or 1:n prefix translation. The following configuration will NAT source addresses from the 10.2.0.0/16 range to an address from 192.0.2.0/29. For this feature to work a Linux Kernel 5.8 or higher is required! vyos@vyos# show nat source { rule 100 { outbound-interface eth1 source { address 10.2.0.0/16 } translation { address 192.0.2.0/29 } } } This results in the nftables configuration: chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; oifname "eth1" counter packets 0 bytes 0 snat ip prefix to ip saddr map { 10.2.0.0/16 : 192.0.2.0/29 } comment "SRC-NAT-100" }
2020-12-28webproxy: T563: squidguard: support default rulesetChristian Poessinger
2020-12-06dhcp: T2562: add "listen-address" CLI node for better DHCP relay supportChristian Poessinger
Running ISC DHCP server as backend server for multiple pools served to relay agents requires DHCPd to explicitly listen on give interfaces or a "transit" subnet declaration facing the network where we receive the DHCPREQ messages on. This implements a new "listen-address" CLI node, the given address is validated if it is assigned to the system and upon success, a proper "subnet { }" statement is added into dhcpd.conf
2020-12-04dhcp: T3100: migrate server configuration to get_config_dict()Christian Poessinger
2020-11-27vyos.template: T2720: always enable Jinja2 trim_blocks featureChristian Poessinger
2020-11-23vyos.template: fix is_ipv6 Jinja2 filterChristian Poessinger
Commit 6962bc53 ("vyos.template: provide general is_ip(v4|v6) helpers") introduced new Jinja2 template filters, but the one for checking an address if it is an IPv6 address was broken as it was yet unused.
2020-11-13vyos.template: provide general is_ip(v4|v6) helpersChristian Poessinger
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places now have been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-11-13openvpn: T3051: fix creation of ifconfig-pool for client communicationChristian Poessinger
2020-11-01vyos.template: consolidate is_ipv(4|6) functionalityChristian Poessinger
2020-11-01openvpn: T2994: re-add ifconfig-pool statement in server configChristian Poessinger
Re-organize the template code and add addtitional Jinja2 filters for processing the ifconfig-pool statement. This reverts the changes from commit 7e546be9 ("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
2020-11-01openvpn: T2994: remove workarounds for individual ipv4 and ipv6 keysChristian Poessinger
Remove workaround which split (local|remote)_address and also subnet keys into individual keys for the assigned IP address family (4/6). During template rendering check IP version by introducing new ipv4 and ipv6 Jinja2 filters {% if foo | ipv4 %} or {% if bar | ipv6 %} options.
2020-10-25test: vyos.template: add testcase for vyos_*_from_cidr() convertersChristian Poessinger
2020-07-21 vyos.template: T2720: Rework vyos.template Python libraryRobert Schindler
Apart from code cleanup, this allows any module that wants to render a template to register custom jinja2 template filters by using the new @register_filter decorator. Examples can be found in vyos.template itself. Using the new render_to_string function, the rendered template can also be returned as a string instead of being written to a file.
2020-07-03ntp: T2676: mive to get_config_dict()Christian Poessinger
2020-07-03vyos.template: T2676: add custom Jinja2 filter for IP handlingChristian Poessinger
NTP configuration file requires the IP address and a netmask for client subnets but the CLI will only provide a prefix based ntoation. Use custom, reusable JInja2 template to transform a CIDR based prefix into its address and netmask portion for IPv4 and IPv6. Jinja2 custom filters are regular python functions - thus they can be re-used directly when e.g. verifying the configuration in vyos-smoketests.
2020-04-27template: T2388: move mkdir/chmod/chown within render()Thomas Mangin
2020-04-12template: T2230: use render to generate templatesThomas Mangin
convert all call to jinja to use template.render
2020-04-11template: T2230: helper to generate templatesThomas Mangin
Currently the pattern is to import jinja2 and re-generate the template in every file. Dimitriy reported a reduction in performance (1s) when commiting. This code provide an helper function which caches the Environment and template renderer, and can generate template from one line (instead of the few currently)