summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorKim <kim.sidney@gmail.com>2021-10-07 16:52:56 +0200
committerGitHub <noreply@github.com>2021-10-07 16:52:56 +0200
commit2274dbf9047493a00a6f30346b38dacd8cfcf965 (patch)
treef431f5f6f1b2770c98ed9047e1cec9209e536366 /data
parent2acfffab8b98238e7d869673a858a4ae21651f0b (diff)
parentadc7ef387d40e92bd7163ee6b401e99e554394a3 (diff)
downloadvyos-1x-2274dbf9047493a00a6f30346b38dacd8cfcf965.tar.gz
vyos-1x-2274dbf9047493a00a6f30346b38dacd8cfcf965.zip
Merge branch 'current' into 2fa
Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json2
-rw-r--r--data/templates/accel-ppp/l2tp.config.tmpl1
-rw-r--r--data/templates/accel-ppp/pptp.config.tmpl7
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.tmpl81
-rw-r--r--data/templates/dns-forwarding/recursor.conf.tmpl3
-rw-r--r--data/templates/frr/bfdd.frr.tmpl (renamed from data/templates/frr/bfd.frr.tmpl)0
-rw-r--r--data/templates/frr/bgpd.frr.tmpl78
-rw-r--r--data/templates/frr/igmp.frr.tmpl60
-rw-r--r--data/templates/frr/isisd.frr.tmpl2
-rw-r--r--data/templates/frr/ospf6d.frr.tmpl (renamed from data/templates/frr/ospfv3.frr.tmpl)3
-rw-r--r--data/templates/frr/ospfd.frr.tmpl (renamed from data/templates/frr/ospf.frr.tmpl)35
-rw-r--r--data/templates/frr/policy.frr.tmpl15
-rw-r--r--data/templates/frr/ripd.frr.tmpl (renamed from data/templates/frr/rip.frr.tmpl)0
-rw-r--r--data/templates/frr/ripngd.frr.tmpl (renamed from data/templates/frr/ripng.frr.tmpl)0
-rw-r--r--data/templates/frr/static_routes_macro.j22
-rw-r--r--data/templates/frr/staticd.frr.tmpl (renamed from data/templates/frr/static.frr.tmpl)0
-rw-r--r--data/templates/frr/vrf-vni.frr.tmpl7
-rw-r--r--data/templates/frr/vrf.frr.tmpl9
-rw-r--r--data/templates/https/nginx.default.tmpl3
-rw-r--r--data/templates/ipsec/swanctl/l2tp.tmpl2
-rw-r--r--data/templates/ipsec/swanctl/peer.tmpl32
-rw-r--r--data/templates/ipsec/swanctl/profile.tmpl4
-rw-r--r--data/templates/ipsec/swanctl/remote_access.tmpl5
-rw-r--r--data/templates/ndppd/ndppd.conf.tmpl (renamed from data/templates/proxy-ndp/ndppd.conf.tmpl)8
-rw-r--r--data/templates/openvpn/server.conf.tmpl21
-rw-r--r--data/templates/pppoe/ipv6-up.script.tmpl37
-rw-r--r--data/templates/pppoe/peer.tmpl34
-rw-r--r--data/templates/squid/squid.conf.tmpl8
-rw-r--r--data/templates/squid/squidGuard.conf.tmpl45
-rw-r--r--data/templates/vrrp/daemon.tmpl5
-rw-r--r--data/templates/vrrp/keepalived.conf.tmpl162
31 files changed, 386 insertions, 285 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index 3b4e2925b..6893aaa86 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -6,7 +6,6 @@
"dhcpv6_relay.py",
"dns_forwarding.py",
"dynamic_dns.py",
-"firewall_options.py",
"host_name.py",
"https.py",
"igmp_proxy.py",
@@ -69,5 +68,6 @@
"vpn_pptp.py",
"vpn_sstp.py",
"vrf.py",
+"vrf_vni.py",
"vrrp.py"
]
diff --git a/data/templates/accel-ppp/l2tp.config.tmpl b/data/templates/accel-ppp/l2tp.config.tmpl
index 070a966b7..44c96b935 100644
--- a/data/templates/accel-ppp/l2tp.config.tmpl
+++ b/data/templates/accel-ppp/l2tp.config.tmpl
@@ -150,3 +150,4 @@ vendor={{ radius_shaper_vendor }}
[cli]
tcp=127.0.0.1:2004
sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
+
diff --git a/data/templates/accel-ppp/pptp.config.tmpl b/data/templates/accel-ppp/pptp.config.tmpl
index 5a6cfe749..3cfc4a906 100644
--- a/data/templates/accel-ppp/pptp.config.tmpl
+++ b/data/templates/accel-ppp/pptp.config.tmpl
@@ -2,12 +2,13 @@
[modules]
log_syslog
pptp
-ippool
+shaper
{% if auth_mode == 'local' %}
chap-secrets
{% elif auth_mode == 'radius' %}
radius
{% endif %}
+ippool
{% for proto in auth_proto %}
{{proto}}
{% endfor %}
@@ -87,6 +88,10 @@ nas-ip-address={{ radius_nas_ip }}
bind={{ radius_source_address }}
{% endif %}
{% endif %}
+{# Both chap-secrets and radius block required the gw-ip-address #}
+{% if gw_ip is defined and gw_ip is not none %}
+gw-ip-address={{ gw_ip }}
+{% endif %}
[cli]
tcp=127.0.0.1:2003
diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.tmpl
index f0bfa468c..233e2cc53 100644
--- a/data/templates/dhcp-server/dhcpd.conf.tmpl
+++ b/data/templates/dhcp-server/dhcpd.conf.tmpl
@@ -31,32 +31,24 @@ option wpad-url code 252 = text;
{% endfor %}
{% endif %}
-{% if shared_network_name is defined and shared_network_name is not none %}
-{% for network, network_config in shared_network_name.items() if network_config.disable is not defined %}
-{% if network_config.subnet is defined and network_config.subnet is not none %}
-{% for subnet, subnet_config in network_config.subnet.items() %}
-{% if subnet_config.failover is defined and subnet_config.failover is defined and subnet_config.failover.name is defined and subnet_config.failover.name is not none %}
-# Failover configuration for {{ subnet }}
-failover peer "{{ subnet_config.failover.name }}" {
-{% if subnet_config.failover.status == 'primary' %}
+{% if failover is defined and failover is not none %}
+# DHCP failover configuration
+failover peer "{{ failover.name }}" {
+{% if failover.status == 'primary' %}
primary;
mclt 1800;
split 128;
-{% elif subnet_config.failover.status == 'secondary' %}
+{% elif failover.status == 'secondary' %}
secondary;
-{% endif %}
- address {{ subnet_config.failover.local_address }};
+{% endif %}
+ address {{ failover.source_address }};
port 520;
- peer address {{ subnet_config.failover.peer_address }};
+ peer address {{ failover.remote }};
peer port 520;
max-response-delay 30;
max-unacked-updates 10;
load balance max seconds 3;
}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% endfor %}
{% endif %}
{% if listen_address is defined and listen_address is not none %}
@@ -74,6 +66,21 @@ shared-network {{ network | replace('_','-') }} {
{% if network_config.authoritative is defined %}
authoritative;
{% endif %}
+{% if network_config.name_server is defined and network_config.name_server is not none %}
+ option domain-name-servers {{ network_config.name_server | join(', ') }};
+{% endif %}
+{% if network_config.domain_name is defined and network_config.domain_name is not none %}
+ option domain-name "{{ network_config.domain_name }}";
+{% endif %}
+{% if network_config.domain_search is defined and network_config.domain_search is not none %}
+ option domain-search "{{ network_config.domain_search | join('", "') }}";
+{% endif %}
+{% if network_config.ntp_server is defined and network_config.ntp_server is not none %}
+ option ntp-servers {{ network_config.ntp_server | join(', ') }};
+{% endif %}
+{% if network_config.ping_check is defined %}
+ ping-check true;
+{% endif %}
{% if network_config.shared_network_parameters is defined and network_config.shared_network_parameters is not none %}
# The following {{ network_config.shared_network_parameters | length }} line(s)
# were added as shared-network-parameters in the CLI and have not been validated
@@ -83,9 +90,15 @@ shared-network {{ network | replace('_','-') }} {
{% endif %}
{% if network_config.subnet is defined and network_config.subnet is not none %}
{% for subnet, subnet_config in network_config.subnet.items() %}
+{% if subnet_config.description is defined and subnet_config.description is not none %}
+ # {{ subnet_config.description }}
+{% endif %}
subnet {{ subnet | address_from_cidr }} netmask {{ subnet | netmask_from_cidr }} {
-{% if subnet_config.dns_server is defined and subnet_config.dns_server is not none %}
- option domain-name-servers {{ subnet_config.dns_server | join(', ') }};
+{% if subnet_config.name_server is defined and subnet_config.name_server is not none %}
+ option domain-name-servers {{ subnet_config.name_server | join(', ') }};
+{% endif %}
+{% if subnet_config.domain_name is defined and subnet_config.domain_name is not none %}
+ option domain-name "{{ subnet_config.domain_name }}";
{% endif %}
{% if subnet_config.domain_search is defined and subnet_config.domain_search is not none %}
option domain-search "{{ subnet_config.domain_search | join('", "') }}";
@@ -110,9 +123,13 @@ shared-network {{ network | replace('_','-') }} {
{% if subnet_config.default_router and subnet_config.default_router is not none %}
{% set static_default_route = ', ' + '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %}
{% endif %}
-{% if subnet_config.static_route.router is defined and subnet_config.static_route.router is not none and subnet_config.static_route.destination_subnet is defined and subnet_config.static_route.destination_subnet is not none %}
- option rfc3442-static-route {{ subnet_config.static_route.destination_subnet | isc_static_route(subnet_config.static_route.router) }}{{ static_default_route }};
- option windows-static-route {{ subnet_config.static_route.destination_subnet | isc_static_route(subnet_config.static_route.router) }};
+{% if subnet_config.static_route is defined and subnet_config.static_route is not none %}
+{% set rfc3442_routes = [] %}
+{% for route, route_options in subnet_config.static_route.items() %}
+{% set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %}
+{% endfor %}
+ option rfc3442-static-route {{ rfc3442_routes | join(', ') }}{{ static_default_route }};
+ option windows-static-route {{ rfc3442_routes | join(', ') }};
{% endif %}
{% endif %}
{% if subnet_config.ip_forwarding is defined %}
@@ -124,9 +141,6 @@ shared-network {{ network | replace('_','-') }} {
{% if subnet_config.server_identifier is defined and subnet_config.server_identifier is not none %}
option dhcp-server-identifier {{ subnet_config.server_identifier }};
{% endif %}
-{% if subnet_config.domain_name is defined and subnet_config.domain_name is not none %}
- option domain-name "{{ subnet_config.domain_name }}";
-{% endif %}
{% if subnet_config.subnet_parameters is defined and subnet_config.subnet_parameters is not none %}
# The following {{ subnet_config.subnet_parameters | length }} line(s) were added as
# subnet-parameters in the CLI and have not been validated!!!
@@ -157,6 +171,9 @@ shared-network {{ network | replace('_','-') }} {
default-lease-time {{ subnet_config.lease }};
max-lease-time {{ subnet_config.lease }};
{% endif %}
+{% if network_config.ping_check is not defined and subnet_config.ping_check is defined %}
+ ping-check true;
+{% endif %}
{% if subnet_config.static_mapping is defined and subnet_config.static_mapping is not none %}
{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not defined %}
host {{ host | replace('_','-') if host_decl_name is defined else network | replace('_','-') + '_' + host | replace('_','-') }} {
@@ -174,22 +191,22 @@ shared-network {{ network | replace('_','-') }} {
}
{% endfor %}
{% endif %}
-{% if subnet_config.failover is defined and subnet_config.failover.name is defined and subnet_config.failover.name is not none %}
+{% if subnet_config.range is defined and subnet_config.range is not none %}
+{# pool configuration can only be used if there follows a range option #}
pool {
- failover peer "{{ subnet_config.failover.name }}";
+{% endif %}
+{% if subnet_config.enable_failover is defined %}
+ failover peer "{{ failover.name }}";
deny dynamic bootp clients;
+{% endif %}
{% if subnet_config.range is defined and subnet_config.range is not none %}
{% for range, range_options in subnet_config.range.items() %}
range {{ range_options.start }} {{ range_options.stop }};
{% endfor %}
{% endif %}
+{% if subnet_config.range is defined and subnet_config.range is not none %}
+{# pool configuration can only be used if there follows a range option #}
}
-{% else %}
-{% if subnet_config.range is defined and subnet_config.range is not none %}
-{% for range, range_options in subnet_config.range.items() %}
- range {{ range_options.start }} {{ range_options.stop }};
-{% endfor %}
-{% endif %}
{% endif %}
}
{% endfor %}
diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.tmpl
index 9e0ad5d17..d44f756e8 100644
--- a/data/templates/dns-forwarding/recursor.conf.tmpl
+++ b/data/templates/dns-forwarding/recursor.conf.tmpl
@@ -10,8 +10,7 @@ threads=1
allow-from={{ allow_from | join(',') }}
log-common-errors=yes
non-local-bind=yes
-query-local-address={{ source_address_v4 | join(',') }}
-query-local-address6={{ source_address_v6 | join(',') }}
+query-local-address={{ source_address | join(',') }}
lua-config-file=recursor.conf.lua
# cache-size
diff --git a/data/templates/frr/bfd.frr.tmpl b/data/templates/frr/bfdd.frr.tmpl
index 16f8be92c..16f8be92c 100644
--- a/data/templates/frr/bfd.frr.tmpl
+++ b/data/templates/frr/bfdd.frr.tmpl
diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.tmpl
index aa297876b..a35930c93 100644
--- a/data/templates/frr/bgpd.frr.tmpl
+++ b/data/templates/frr/bgpd.frr.tmpl
@@ -46,8 +46,9 @@
neighbor {{ neighbor }} {{ graceful_restart }}
{% endif %}
{% if config.local_as is defined and config.local_as is not none %}
-{% for local_asn in config.local_as %}
- neighbor {{ neighbor }} local-as {{ local_asn }} {{ 'no-prepend' if config.local_as[local_asn].no_prepend is defined }}
+{% for local_as, local_as_config in config.local_as.items() %}
+{# There can be only one local-as value, this is checked in the Python code #}
+ neighbor {{ neighbor }} local-as {{ local_as }} {{ 'no-prepend' if local_as_config.no_prepend is defined }} {{ 'replace-as' if local_as_config.no_prepend is defined and local_as_config.no_prepend.replace_as is defined }}
{% endfor %}
{% endif %}
{% if config.override_capability is defined %}
@@ -89,6 +90,9 @@
{% if config.interface.peer_group is defined and config.interface.peer_group is not none %}
neighbor {{ neighbor }} interface peer-group {{ config.interface.peer_group }}
{% endif %}
+{% if config.interface.source_interface is defined and config.interface.source_interface is not none %}
+ neighbor {{ neighbor }} interface {{ config.interface.source_interface }}
+{% endif %}
{% if config.interface.v6only is defined and config.interface.v6only is not none %}
{% if config.interface.v6only.peer_group is defined and config.interface.v6only.peer_group is not none %}
neighbor {{ neighbor }} interface v6only peer-group {{ config.interface.v6only.peer_group }}
@@ -226,10 +230,8 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% else %}
no bgp ebgp-requires-policy
{% endif %}
-{% if parameters is defined and parameters.default is defined and parameters.default.no_ipv4_unicast is defined %}
{# Option must be set before any neighbor - see https://phabricator.vyos.net/T3463 #}
no bgp default ipv4-unicast
-{% endif %}
{# Workaround for T2100 until we have decided about a migration script #}
no bgp network import-check
{% if address_family is defined and address_family is not none %}
@@ -257,6 +259,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
address-family ipv6 flowspec
{% elif afi == 'l2vpn_evpn' %}
address-family l2vpn evpn
+{% if afi_config.rd is defined and afi_config.rd is not none %}
+ rd {{ afi_config.rd }}
+{% endif %}
{% endif %}
{% if afi_config.aggregate_address is defined and afi_config.aggregate_address is not none %}
{% for ip in afi_config.aggregate_address %}
@@ -294,23 +299,39 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
{% if afi_config.advertise is defined and afi_config.advertise is not none %}
{% for adv_afi, adv_afi_config in afi_config.advertise.items() %}
{% if adv_afi_config.unicast is defined and adv_afi_config.unicast is not none %}
- advertise {{ adv_afi }} unicast {{ 'route-map ' ~ adv_afi_config.unicast.route_map if adv_afi_config.unicast.route_map is defined }}
+ advertise {{ adv_afi }} unicast {{ 'route-map ' ~ adv_afi_config.unicast.route_map if adv_afi_config.unicast.route_map is defined }}
{% endif %}
{% endfor %}
{% endif %}
{% if afi_config.distance is defined and afi_config.distance is not none %}
{% if afi_config.distance is defined and afi_config.distance.external is defined and afi_config.distance.internal is defined and afi_config.distance.local is defined %}
- distance bgp {{ afi_config.distance.external }} {{ afi_config.distance.internal }} {{ afi_config.distance.local }}
+ distance bgp {{ afi_config.distance.external }} {{ afi_config.distance.internal }} {{ afi_config.distance.local }}
{% endif %}
{% if afi_config.distance.prefix is defined and afi_config.distance.prefix is not none %}
{% for prefix in afi_config.distance.prefix %}
- distance {{ afi_config.distance.prefix[prefix].distance }} {{ prefix }}
+ distance {{ afi_config.distance.prefix[prefix].distance }} {{ prefix }}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if afi_config.export is defined and afi_config.export.vpn is defined %}
+ export vpn
+{% endif %}
+{% if afi_config.import is defined and afi_config.import is not none %}
+{% if afi_config.import.vpn is defined %}
+ import vpn
+{% endif %}
+{% if afi_config.import.vrf is defined and afi_config.import.vrf is not none %}
+{% for vrf in afi_config.import.vrf %}
+ import vrf {{ vrf }}
{% endfor %}
{% endif %}
{% endif %}
+{% if afi_config.label is defined and afi_config.label.vpn is defined and afi_config.label.vpn.export is defined and afi_config.label.vpn.export is not none %}
+ label vpn export {{ afi_config.label.vpn.export }}
+{% endif %}
{% if afi_config.local_install is defined and afi_config.local_install is not none %}
{% for interface in afi_config.local_install.interface %}
- local-install {{ interface }}
+ local-install {{ interface }}
{% endfor %}
{% endif %}
{% if afi_config.advertise_all_vni is defined %}
@@ -326,26 +347,47 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is defined and vrf is not none
advertise-svi-ip
{% endif %}
{% if afi_config.rt_auto_derive is defined %}
- autort rfc8365-compatible
+ autort rfc8365-compatible
{% endif %}
{% if afi_config.flooding is defined and afi_config.flooding.disable is defined %}
- flooding disable
+ flooding disable
{% endif %}
{% if afi_config.flooding is defined and afi_config.flooding.head_end_replication is defined %}
- flooding head-end-replication
+ flooding head-end-replication
{% endif %}
-{% if afi_config.rd is defined and afi_config.rd is not none %}
- rd {{ afi_config.rd }}
+{% if afi_config.rd is defined and afi_config.rd.vpn is defined and afi_config.rd.vpn.export is defined %}
+ rd vpn export {{ afi_config.rd.vpn.export }}
{% endif %}
{% if afi_config.route_target is defined and afi_config.route_target is not none %}
+{% if afi_config.route_target.vpn is defined and afi_config.route_target.vpn is not none %}
+{% if afi_config.route_target.vpn.both is defined and afi_config.route_target.vpn.both is not none %}
+ route-target vpn both {{ afi_config.route_target.vpn.both }}
+{% else %}
+{% if afi_config.route_target.vpn.export is defined and afi_config.route_target.vpn.export is not none %}
+ route-target vpn export {{ afi_config.route_target.vpn.export }}
+{% endif %}
+{% if afi_config.route_target.vpn.import is defined and afi_config.route_target.vpn.import is not none %}
+ route-target vpn import {{ afi_config.route_target.vpn.import }}
+{% endif %}
+{% endif %}
+{% endif %}
{% if afi_config.route_target.both is defined and afi_config.route_target.both is not none %}
- route-target both {{ afi_config.route_target.both }}
+ route-target both {{ afi_config.route_target.both }}
+{% else %}
+{% if afi_config.route_target.export is defined and afi_config.route_target.export is not none %}
+ route-target export {{ afi_config.route_target.export }}
+{% endif %}
+{% if afi_config.route_target.import is defined and afi_config.route_target.import is not none %}
+ route-target import {{ afi_config.route_target.import }}
+{% endif %}
{% endif %}
-{% if afi_config.route_target.export is defined and afi_config.route_target.export is not none %}
- route-target export {{ afi_config.route_target.export }}
+{% endif %}
+{% if afi_config.route_map is defined and afi_config.route_map.vpn is defined and afi_config.route_map.vpn is not none %}
+{% if afi_config.route_map.vpn.export is defined and afi_config.route_map.vpn.export is not none %}
+ route-map vpn export {{ afi_config.route_map.vpn.export }}
{% endif %}
-{% if afi_config.route_target.import is defined and afi_config.route_target.import is not none %}
- route-target import {{ afi_config.route_target.import }}
+{% if afi_config.route_map.vpn.import is defined and afi_config.route_map.vpn.import is not none %}
+ route-map vpn import {{ afi_config.route_map.vpn.import }}
{% endif %}
{% endif %}
{% if afi_config.vni is defined and afi_config.vni is not none %}
diff --git a/data/templates/frr/igmp.frr.tmpl b/data/templates/frr/igmp.frr.tmpl
index cdb7ee6cc..49b5aeaa5 100644
--- a/data/templates/frr/igmp.frr.tmpl
+++ b/data/templates/frr/igmp.frr.tmpl
@@ -1,41 +1,41 @@
!
{% for iface in old_ifaces %}
interface {{ iface }}
-{% for group in old_ifaces[iface].gr_join %}
-{% if old_ifaces[iface].gr_join[group] %}
-{% for source in old_ifaces[iface].gr_join[group] %}
-no ip igmp join {{ group }} {{ source }}
-{% endfor %}
-{% else %}
-no ip igmp join {{ group }}
-{% endif %}
-{% endfor %}
-no ip igmp
+{% for group in old_ifaces[iface].gr_join %}
+{% if old_ifaces[iface].gr_join[group] %}
+{% for source in old_ifaces[iface].gr_join[group] %}
+ no ip igmp join {{ group }} {{ source }}
+{% endfor %}
+{% else %}
+ no ip igmp join {{ group }}
+{% endif %}
+{% endfor %}
+ no ip igmp
!
{% endfor %}
{% for iface in ifaces %}
interface {{ iface }}
-{% if ifaces[iface].version %}
-ip igmp version {{ ifaces[iface].version }}
-{% else %}
+{% if ifaces[iface].version %}
+ ip igmp version {{ ifaces[iface].version }}
+{% else %}
{# IGMP default version 3 #}
-ip igmp
-{% endif %}
-{% if ifaces[iface].query_interval %}
-ip igmp query-interval {{ ifaces[iface].query_interval }}
-{% endif %}
-{% if ifaces[iface].query_max_resp_time %}
-ip igmp query-max-response-time {{ ifaces[iface].query_max_resp_time }}
-{% endif %}
-{% for group in ifaces[iface].gr_join %}
-{% if ifaces[iface].gr_join[group] %}
-{% for source in ifaces[iface].gr_join[group] %}
-ip igmp join {{ group }} {{ source }}
-{% endfor %}
-{% else %}
-ip igmp join {{ group }}
-{% endif %}
-{% endfor %}
+ ip igmp
+{% endif %}
+{% if ifaces[iface].query_interval %}
+ ip igmp query-interval {{ ifaces[iface].query_interval }}
+{% endif %}
+{% if ifaces[iface].query_max_resp_time %}
+ ip igmp query-max-response-time {{ ifaces[iface].query_max_resp_time }}
+{% endif %}
+{% for group in ifaces[iface].gr_join %}
+{% if ifaces[iface].gr_join[group] %}
+{% for source in ifaces[iface].gr_join[group] %}
+ ip igmp join {{ group }} {{ source }}
+{% endfor %}
+{% else %}
+ ip igmp join {{ group }}
+{% endif %}
+{% endfor %}
!
{% endfor %}
!
diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.tmpl
index 6cfa076d0..51ac40060 100644
--- a/data/templates/frr/isisd.frr.tmpl
+++ b/data/templates/frr/isisd.frr.tmpl
@@ -100,7 +100,7 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% endif %}
{% if spf_delay_ietf is defined and spf_delay_ietf.init_delay is defined and spf_delay_ietf.init_delay is not none %}
- spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }}
+ spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} short-delay {{ spf_delay_ietf.short_delay }} long-delay {{ spf_delay_ietf.long_delay }} holddown {{ spf_delay_ietf.holddown }} time-to-learn {{ spf_delay_ietf.time_to_learn }}
{% endif %}
{% if area_password is defined and area_password is not none %}
{% if area_password.md5 is defined and area_password.md5 is not none %}
diff --git a/data/templates/frr/ospfv3.frr.tmpl b/data/templates/frr/ospf6d.frr.tmpl
index 0026c0d2c..a8c53738f 100644
--- a/data/templates/frr/ospfv3.frr.tmpl
+++ b/data/templates/frr/ospf6d.frr.tmpl
@@ -76,6 +76,9 @@ router ospf6
distance ospf6 {{ 'intra-area ' + distance.ospfv3.intra_area if distance.ospfv3.intra_area is defined }} {{ 'inter-area ' + distance.ospfv3.inter_area if distance.ospfv3.inter_area is defined }} {{ 'external ' + distance.ospfv3.external if distance.ospfv3.external is defined }}
{% endif %}
{% endif %}
+{% if log_adjacency_changes is defined %}
+ log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is defined }}
+{% endif %}
{% if parameters is defined and parameters is not none %}
{% if parameters.router_id is defined and parameters.router_id is not none %}
ospf6 router-id {{ parameters.router_id }}
diff --git a/data/templates/frr/ospf.frr.tmpl b/data/templates/frr/ospfd.frr.tmpl
index 36aa699a9..90a6bbd56 100644
--- a/data/templates/frr/ospf.frr.tmpl
+++ b/data/templates/frr/ospfd.frr.tmpl
@@ -14,6 +14,12 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% endif %}
{% endif %}
{% endif %}
+{% if iface_config.area is defined and iface_config.area is not none %}
+ ip ospf area {{ iface_config.area }}
+{% endif %}
+{% if iface_config.bandwidth is defined and iface_config.bandwidth is not none %}
+ bandwidth {{ iface_config.bandwidth }}
+{% endif %}
{% if iface_config.cost is defined and iface_config.cost is not none %}
ip ospf cost {{ iface_config.cost }}
{% endif %}
@@ -43,9 +49,6 @@ interface {{ iface }} {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
{% if iface_config.network is defined and iface_config.network is not none %}
ip ospf network {{ iface_config.network }}
{% endif %}
-{% if iface_config.bandwidth is defined and iface_config.bandwidth is not none %}
- bandwidth {{ iface_config.bandwidth }}
-{% endif %}
!
{% endfor %}
{% endif %}
@@ -155,18 +158,28 @@ router ospf {{ 'vrf ' + vrf if vrf is defined and vrf is not none }}
ospf router-id {{ parameters.router_id }}
{% endif %}
{% endif %}
-{% for interface in passive_interface if passive_interface is defined %}
+{% if passive_interface is defined and passive_interface is not none %}
+{% for interface in passive_interface %}
passive-interface {{ interface }}
-{% endfor %}
-{% for interface in passive_interface_exclude if passive_interface_exclude is defined %}
-{% if interface.startswith('vlink') %}
+{% endfor %}
+{% endif %}
+{% if passive_interface_exclude is defined and passive_interface_exclude is not none %}
+{% for interface in passive_interface_exclude if passive_interface_exclude is defined %}
+{% if interface.startswith('vlink') %}
{% set interface = interface.upper() %}
-{% endif %}
+{% endif %}
no passive-interface {{ interface }}
-{% endfor %}
+{% endfor %}
+{% endif %}
{% if redistribute is defined and redistribute is not none %}
-{% for protocol, options in redistribute.items() %}
- redistribute {{ protocol }} {{ 'metric ' + options.metric if options.metric is defined }} {{ 'metric-type ' + options.metric_type if options.metric_type is defined }} {{ 'route-map ' + options.route_map if options.route_map is defined }}
+{% for protocol, protocols_options in redistribute.items() %}
+{% if protocol == 'table' %}
+{% for table, table_options in protocols_options.items() %}
+ redistribute {{ protocol }} {{ table }} {{ 'metric ' + table_options.metric if table_options.metric is defined }} {{ 'metric-type ' + table_options.metric_type if table_options.metric_type is defined }} {{ 'route-map ' + table_options.route_map if table_options.route_map is defined }}
+{% endfor %}
+{% else %}
+ redistribute {{ protocol }} {{ 'metric ' + protocols_options.metric if protocols_options.metric is defined }} {{ 'metric-type ' + protocols_options.metric_type if protocols_options.metric_type is defined }} {{ 'route-map ' + protocols_options.route_map if protocols_options.route_map is defined }}
+{% endif %}
{% endfor %}
{% endif %}
{% if refresh is defined and refresh.timers is defined and refresh.timers is not none %}
diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl
index b5649b44e..51adc1902 100644
--- a/data/templates/frr/policy.frr.tmpl
+++ b/data/templates/frr/policy.frr.tmpl
@@ -165,6 +165,18 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
{% if rule_config.match.extcommunity is defined and rule_config.match.extcommunity is not none %}
match extcommunity {{ rule_config.match.extcommunity }}
{% endif %}
+{% if rule_config.match.evpn is defined and rule_config.match.evpn.default_route is defined %}
+ match evpn default-route
+{% endif %}
+{% if rule_config.match.evpn is defined and rule_config.match.evpn.rd is defined and rule_config.match.evpn.rd is not none %}
+ match evpn rd {{ rule_config.match.evpn.rd }}
+{% endif %}
+{% if rule_config.match.evpn is defined and rule_config.match.evpn.route_type is defined and rule_config.match.evpn.route_type is not none %}
+ match evpn route-type {{ rule_config.match.evpn.route_type }}
+{% endif %}
+{% if rule_config.match.evpn is defined and rule_config.match.evpn.vni is defined and rule_config.match.evpn.vni is not none %}
+ match evpn vni {{ rule_config.match.evpn.vni }}
+{% endif %}
{% if rule_config.match.interface is defined and rule_config.match.interface is not none %}
match interface {{ rule_config.match.interface }}
{% endif %}
@@ -271,6 +283,9 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
{% if rule_config.set.large_community is defined and rule_config.set.large_community is not none %}
set large-community {{ rule_config.set.large_community }}
{% endif %}
+{% if rule_config.set.large_comm_list_delete is defined and rule_config.set.large_comm_list_delete is not none %}
+ set large-comm-list {{ rule_config.set.large_comm_list_delete }} delete
+{% endif %}
{% if rule_config.set.local_preference is defined and rule_config.set.local_preference is not none %}
set local-preference {{ rule_config.set.local_preference }}
{% endif %}
diff --git a/data/templates/frr/rip.frr.tmpl b/data/templates/frr/ripd.frr.tmpl
index cabc236f0..cabc236f0 100644
--- a/data/templates/frr/rip.frr.tmpl
+++ b/data/templates/frr/ripd.frr.tmpl
diff --git a/data/templates/frr/ripng.frr.tmpl b/data/templates/frr/ripngd.frr.tmpl
index 25df15121..25df15121 100644
--- a/data/templates/frr/ripng.frr.tmpl
+++ b/data/templates/frr/ripngd.frr.tmpl
diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2
index f10b58047..3b432b49b 100644
--- a/data/templates/frr/static_routes_macro.j2
+++ b/data/templates/frr/static_routes_macro.j2
@@ -5,7 +5,7 @@
{% if prefix_config.dhcp_interface is defined and prefix_config.dhcp_interface is not none %}
{% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %}
{% if next_hop is defined and next_hop is not none %}
-{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }}
+{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }}
{% endif %}
{% endif %}
{% if prefix_config.interface is defined and prefix_config.interface is not none %}
diff --git a/data/templates/frr/static.frr.tmpl b/data/templates/frr/staticd.frr.tmpl
index db59a44c2..db59a44c2 100644
--- a/data/templates/frr/static.frr.tmpl
+++ b/data/templates/frr/staticd.frr.tmpl
diff --git a/data/templates/frr/vrf-vni.frr.tmpl b/data/templates/frr/vrf-vni.frr.tmpl
new file mode 100644
index 000000000..51d4ede1b
--- /dev/null
+++ b/data/templates/frr/vrf-vni.frr.tmpl
@@ -0,0 +1,7 @@
+{% if vrf is defined and vrf is not none %}
+vrf {{ vrf }}
+{% if vni is defined and vni is not none %}
+ vni {{ vni }}
+{% endif %}
+ exit-vrf
+{% endif %}
diff --git a/data/templates/frr/vrf.frr.tmpl b/data/templates/frr/vrf.frr.tmpl
deleted file mode 100644
index 299c9719e..000000000
--- a/data/templates/frr/vrf.frr.tmpl
+++ /dev/null
@@ -1,9 +0,0 @@
-{% if name is defined and name is not none %}
-{% for vrf, vrf_config in name.items() %}
-vrf {{ vrf }}
-{% if vrf_config.vni is defined and vrf_config.vni is not none %}
- vni {{ vrf_config.vni }}
-{% endif %}
- exit-vrf
-{% endfor %}
-{% endif %}
diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl
index b40ddcc74..9d73baeee 100644
--- a/data/templates/https/nginx.default.tmpl
+++ b/data/templates/https/nginx.default.tmpl
@@ -17,7 +17,7 @@ server {
listen {{ server.port }} ssl;
listen [::]:{{ server.port }} ssl;
{% else %}
- listen {{ server.address }}:{{ server.port }} ssl;
+ listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
{% endif %}
{% for name in server.name %}
@@ -39,6 +39,7 @@ server {
#
include snippets/snakeoil.conf;
{% endif %}
+ ssl_protocols TLSv1.2 TLSv1.3;
# proxy settings for HTTP API, if enabled; 503, if not
location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) {
diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl
index 2df5c2a4d..4cd1b4af3 100644
--- a/data/templates/ipsec/swanctl/l2tp.tmpl
+++ b/data/templates/ipsec/swanctl/l2tp.tmpl
@@ -20,7 +20,7 @@
children {
l2tp_remote_access_esp {
mode = transport
- esp_proposals = {{ l2tp_esp | get_esp_ike_cipher | join(',') if l2tp_esp else l2tp_esp_default }}
+ esp_proposals = {{ l2tp_esp | get_esp_ike_cipher(l2tp_ike) | join(',') if l2tp_esp else l2tp_esp_default }}
life_time = {{ l2tp_esp.lifetime if l2tp_esp else l2tp.lifetime }}s
local_ts = dynamic[/1701]
remote_ts = dynamic
diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl
index dd29ea7d4..8c3776bf1 100644
--- a/data/templates/ipsec/swanctl/peer.tmpl
+++ b/data/templates/ipsec/swanctl/peer.tmpl
@@ -17,10 +17,10 @@
{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %}
aggressive = yes
{% endif %}
+ rekey_time = {{ ike.lifetime }}s
mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }}
{% if peer[0:1] == '@' %}
keyingtries = 0
- rekey_time = 0
reauth_time = 0
{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
keyingtries = 0
@@ -31,7 +31,7 @@
encap = yes
{% endif %}
local {
-{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.use_x509_id is not defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %}
id = "{{ peer_conf.authentication.id }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
@@ -42,9 +42,9 @@
{% endif %}
}
remote {
-{% if peer_conf.authentication.remote_id is defined %}
+{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %}
id = "{{ peer_conf.authentication.remote_id }}"
-{% elif peer[0:1] == '@' %}
+{% else %}
id = "{{ peer }}"
{% endif %}
auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}
@@ -56,12 +56,16 @@
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %}
{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %}
peer_{{ name }}_vti {
- esp_proposals = {{ vti_esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }}
+ life_time = {{ vti_esp.lifetime }}s
local_ts = 0.0.0.0/0,::/0
remote_ts = 0.0.0.0/0,::/0
- updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
mode = {{ vti_esp.mode }}
{% if peer[0:1] == '@' %}
@@ -86,7 +90,8 @@
{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
peer_{{ name }}_tunnel_{{ tunnel_id }} {
- esp_proposals = {{ tunnel_esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
+ life_time = {{ tunnel_esp.lifetime }}s
{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
@@ -114,9 +119,12 @@
dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
{% endif %}
{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
- updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }} {{ peer_conf.dhcp_interface if peer_conf.dhcp_interface is defined else 'no' }}"
- if_id_in = {{ peer_conf.vti.bind | replace('vti', '') }}
- if_id_out = {{ peer_conf.vti.bind | replace('vti', '') }}
+ updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
+ {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
+ {# Thus we simply shift the key by one to also support a vti0 interface #}
+{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
+ if_id_in = {{ if_id }}
+ if_id_out = {{ if_id }}
{% endif %}
}
{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index 0a7268405..948dd8f87 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -7,7 +7,7 @@
dmvpn-{{ name }}-{{ interface }} {
proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
- rekey_time = {{ ike.lifetime }}s
+ life_time = {{ ike.lifetime }}s
keyingtries = 0
{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
local {
@@ -19,7 +19,7 @@
{% endif %}
children {
dmvpn {
- esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
local_ts = dynamic[gre]
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 456842488..6354c60b1 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -10,7 +10,9 @@
send_certreq = no
rekey_time = {{ ike.lifetime }}s
keyingtries = 0
+{% if rw_conf.unique is defined and rw_conf.unique is not none %}
unique = {{ rw_conf.unique }}
+{% endif %}
{% if rw_conf.pool is defined and rw_conf.pool is not none %}
pools = {{ rw_conf.pool | join(',') }}
{% endif %}
@@ -33,10 +35,11 @@
}
children {
ikev2-vpn {
- esp_proposals = {{ esp | get_esp_ike_cipher | join(',') }}
+ esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }}
rekey_time = {{ esp.lifetime }}s
rand_time = 540s
dpd_action = clear
+ inactivity = {{ rw_conf.timeout }}
{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
diff --git a/data/templates/proxy-ndp/ndppd.conf.tmpl b/data/templates/ndppd/ndppd.conf.tmpl
index ccd1d37ad..502dab5b8 100644
--- a/data/templates/proxy-ndp/ndppd.conf.tmpl
+++ b/data/templates/ndppd/ndppd.conf.tmpl
@@ -6,10 +6,10 @@
# interface.
#
# For some services, such as nat66, because it runs
-# stateless, it needs to rely on NDP Proxy to respond
+# stateless, it needs to rely on NDP Proxy to respond
# to NDP requests.
#
-# When using nat66 source rules, NDP Proxy needs
+# When using nat66 source rules, NDP Proxy needs
# to be enabled
#
########################################################
@@ -21,7 +21,7 @@
{% if config.outbound_interface not in global.ndppd_interfaces %}
{% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
{% endif %}
-{% if config.translation.address is defined and config.translation.address | is_ip_network %}
+{% if config.translation is defined and config.translation.address is defined and config.translation.address | is_ip_network %}
{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
{% endif %}
{% endif %}
@@ -41,4 +41,4 @@ proxy {{ interface }} {
{% endif %}
{% endfor %}
}
-{% endfor %}
+{% endfor %}
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index 5c78d998e..bc2790965 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -72,6 +72,16 @@ topology {{ server.topology }}
{% for subnet in server.subnet %}
{% if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+{# First ip address is used as gateway. It's allows to use metrics #}
+{% if server.push_route is defined and server.push_route is not none %}
+{% for route, route_config in server.push_route.items() %}
+{% if route | is_ipv4 %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
+{% elif route | is_ipv6 %}
+push "route-ipv6 {{ route }}"
+{% endif %}
+{% endfor %}
+{% endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{% if server.topology is defined and server.topology == 'net30' %}
@@ -104,15 +114,6 @@ management /run/openvpn/openvpn-mgmt-intf unix
ccd-exclusive
{% endif %}
-{% if server.push_route is defined and server.push_route is not none %}
-{% for route in server.push_route %}
-{% if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
-{% elif route | is_ipv6 %}
-push "route-ipv6 {{ route }}"
-{% endif %}
-{% endfor %}
-{% endif %}
{% if server.name_server is defined and server.name_server is not none %}
{% for nameserver in server.name_server %}
{% if nameserver | is_ipv4 %}
@@ -181,6 +182,8 @@ tls-version-min {{ tls.tls_version_min }}
{% endif %}
{% if tls.dh_params is defined and tls.dh_params is not none %}
dh /run/openvpn/{{ ifname }}_dh.pem
+{% elif mode == 'server' and tls.private_key is defined %}
+dh none
{% endif %}
{% if tls.auth_key is defined and tls.auth_key is not none %}
{% if mode == 'client' %}
diff --git a/data/templates/pppoe/ipv6-up.script.tmpl b/data/templates/pppoe/ipv6-up.script.tmpl
index 7e1bc33b4..da73cb4d5 100644
--- a/data/templates/pppoe/ipv6-up.script.tmpl
+++ b/data/templates/pppoe/ipv6-up.script.tmpl
@@ -7,43 +7,6 @@ if [ "$6" != "{{ ifname }}" ]; then
exit
fi
-{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %}
-# add some info to syslog
-DIALER_PID=$(cat /var/run/{{ ifname }}.pid)
-logger -t pppd[$DIALER_PID] "executing $0"
-logger -t pppd[$DIALER_PID] "configuring interface {{ ifname }} via {{ source_interface }}"
-
-# Configure interface-specific Host/Router behaviour.
-# Note: It is recommended to have the same setting on all interfaces; mixed
-# router/host scenarios are rather uncommon. Possible values are:
-#
-# 0 Forwarding disabled
-# 1 Forwarding enabled
-#
-echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/forwarding
-
-# Accept Router Advertisements; autoconfigure using them.
-#
-# It also determines whether or not to transmit Router
-# Solicitations. If and only if the functional setting is to
-# accept Router Advertisements, Router Solicitations will be
-# transmitted. Possible values are:
-#
-# 0 Do not accept Router Advertisements.
-# 1 Accept Router Advertisements if forwarding is disabled.
-# 2 Overrule forwarding behaviour. Accept Router Advertisements
-# even if forwarding is enabled.
-#
-echo 2 > /proc/sys/net/ipv6/conf/{{ ifname }}/accept_ra
-
-# Autoconfigure addresses using Prefix Information in Router Advertisements.
-echo 1 > /proc/sys/net/ipv6/conf/{{ ifname }}/autoconf
-{% endif %}
-
-{% if dhcpv6_options is defined and dhcpv6_options.pd is defined %}
-# Start wide dhcpv6 client
-systemctl restart dhcp6c@{{ ifname }}.service
-{% endif %}
{% if default_route != 'none' %}
# See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved
diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.tmpl
index 0f78f9384..928ed1238 100644
--- a/data/templates/pppoe/peer.tmpl
+++ b/data/templates/pppoe/peer.tmpl
@@ -1,8 +1,5 @@
### Autogenerated by interfaces-pppoe.py ###
-
-{% if description %}
-# {{ description }}
-{% endif %}
+{{ '# ' ~ description if description is defined else '' }}
# Require peer to provide the local IP address if it is not
# specified explicitly in the config file.
@@ -30,15 +27,21 @@ connect /bin/true
noauth
# Don't try to proxy ARP for the remote endpoint. User can set proxy
-# arp entries up manually if they wish. More importantly, having
+# arp entries up manually if they wish. More importantly, having
# the "proxyarp" parameter set disables the "defaultroute" option.
noproxyarp
# Unlimited connection attempts
maxfail 0
-plugin rp-pppoe.so
-{{ source_interface }}
+plugin rp-pppoe.so {{ source_interface }}
+{% if access_concentrator is defined and access_concentrator is not none %}
+rp_pppoe_ac '{{ access_concentrator }}'
+{% endif %}
+{% if service_name is defined and service_name is not none %}
+rp_pppoe_service '{{ service_name }}'
+{% endif %}
+
persist
ifname {{ ifname }}
ipparam {{ ifname }}
@@ -54,14 +57,9 @@ mru {{ mtu }}
{{ "usepeerdns" if no_peer_dns is not defined }}
{% if ipv6 is defined %}
-+ipv6
-{% if ipv6.address is defined and ipv6.address.autoconf is defined %}
-ipv6cp-use-ipaddr
-{% endif %}
-{% endif %}
-
-{% if service_name is defined %}
-rp_pppoe_service "{{ service_name }}"
++ipv6 {{ 'ipv6cp-use-ipaddr' if ipv6.address is defined and ipv6.address.autoconf is defined }}
+{% else %}
+noipv6
{% endif %}
{% if connect_on_demand is defined %}
@@ -71,8 +69,14 @@ demand
# passed to the ip-up.d/ip-down.s scripts which is required for VRF support.
{% if 'auto' in default_route %}
defaultroute
+{{ 'defaultroute6' if ipv6 is defined }}
{% elif 'force' in default_route %}
defaultroute
replacedefaultroute
+{{ 'defaultroute6' if ipv6 is defined }}
{% endif %}
+{% else %}
+nodefaultroute
+noreplacedefaultroute
+{{ 'nodefaultroute6' if ipv6 is defined }}
{% endif %}
diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl
index 8754e762d..80826fc75 100644
--- a/data/templates/squid/squid.conf.tmpl
+++ b/data/templates/squid/squid.conf.tmpl
@@ -1,7 +1,5 @@
### generated by service_webproxy.py ###
-acl localhost src 127.0.0.1/32
-acl to_localhost dst 127.0.0.0/8
acl net src all
acl SSL_ports port 443
acl Safe_ports port 80 # http
@@ -101,9 +99,9 @@ forwarded_for off
{# SquidGuard #}
{% if url_filtering is defined and url_filtering.disable is not defined %}
{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %}
-redirect_program /usr/bin/squidGuard -c {{ squidguard_conf }}
-redirect_children 8
-redirector_bypass on
+url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }}
+url_rewrite_children 8
+url_rewrite_bypass on
{% endif %}
{% endif %}
diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl
index f530d1072..c59dc901e 100644
--- a/data/templates/squid/squidGuard.conf.tmpl
+++ b/data/templates/squid/squidGuard.conf.tmpl
@@ -75,17 +75,50 @@ dest local-block-keyword-default {
{% set acl.value = acl.value + ' ' + category + '-default' %}
{% endfor %}
{% endif %}
+{% if sg_config.source_group is defined and sg_config.source_group is not none %}
+{% for sgroup, sg_config in sg_config.source_group.items() %}
+{% if sg_config.address is defined and sg_config.address is not none %}
+src {{ sgroup }} {
+{% for address in sg_config.address %}
+ ip {{ address }}
+{% endfor %}
+}
+
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if sg_config.rule is defined and sg_config.rule is not none %}
+{% for rule, rule_config in sg_config.rule.items() %}
+{% for b_category in rule_config.block_category%}
+dest {{ b_category }} {
+ domainlist {{ b_category }}/domains
+ urllist {{ b_category }}/urls
+}
+{% endfor %}
+
+{% endfor %}
+{% endif %}
acl {
- default {
+{% if sg_config.rule is defined and sg_config.rule is not none %}
+{% for rule, rule_config in sg_config.rule.items() %}
+ {{ rule_config.source_group }} {
+{% for b_category in rule_config.block_category%}
+ pass local-ok-1 !in-addr !{{ b_category }} all
+{% endfor %}
+ }
+{% endfor %}
+{% endif %}
+
+ default {
{% if sg_config.enable_safe_search is defined %}
- rewrite safesearch
+ rewrite safesearch
{% endif %}
- pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
- redirect 302:http://{{ sg_config.redirect_url }}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }}
+ redirect 302:http://{{ sg_config.redirect_url }}
{% if sg_config.log is defined and sg_config.log is not none %}
- log blacklist.log
+ log blacklist.log
{% endif %}
- }
+ }
}
{% endif %}
{% endif %}
diff --git a/data/templates/vrrp/daemon.tmpl b/data/templates/vrrp/daemon.tmpl
deleted file mode 100644
index c9dbea72d..000000000
--- a/data/templates/vrrp/daemon.tmpl
+++ /dev/null
@@ -1,5 +0,0 @@
-# Autogenerated by VyOS
-# Options to pass to keepalived
-
-# DAEMON_ARGS are appended to the keepalived command-line
-DAEMON_ARGS="--snmp"
diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl
index c01101d85..b4824a994 100644
--- a/data/templates/vrrp/keepalived.conf.tmpl
+++ b/data/templates/vrrp/keepalived.conf.tmpl
@@ -5,102 +5,102 @@
global_defs {
dynamic_interfaces
script_user root
- notify_fifo /run/keepalived_notify_fifo
+ # Don't run scripts configured to be run as root if any part of the path
+ # is writable by a non-root user.
+ enable_script_security
+ notify_fifo /run/keepalived/keepalived_notify_fifo
notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
}
-{% for group in groups %}
-
-{% if group.health_check_script %}
-vrrp_script healthcheck_{{ group.name }} {
- script "{{ group.health_check_script }}"
- interval {{ group.health_check_interval }}
- fall {{ group.health_check_count }}
+{% if group is defined and group is not none %}
+{% for name, group_config in group.items() if group_config.disable is not defined %}
+{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %}
+vrrp_script healthcheck_{{ name }} {
+ script "{{ group_config.health_check.script }}"
+ interval {{ group_config.health_check.interval }}
+ fall {{ group_config.health_check.failure_count }}
rise 1
-
}
-{% endif %}
-
-vrrp_instance {{ group.name }} {
- {% if group.description %}
- # {{ group.description }}
- {% endif %}
-
+{% endif %}
+vrrp_instance {{ name }} {
+{% if group_config.description is defined and group_config.description is not none %}
+ # {{ group_config.description }}
+{% endif %}
state BACKUP
- interface {{ group.interface }}
- virtual_router_id {{ group.vrid }}
- priority {{ group.priority }}
- advert_int {{ group.advertise_interval }}
-
- {% if group.preempt %}
- preempt_delay {{ group.preempt_delay }}
- {% else %}
+ interface {{ group_config.interface }}
+ virtual_router_id {{ group_config.vrid }}
+ priority {{ group_config.priority }}
+ advert_int {{ group_config.advertise_interval }}
+{% if group_config.no_preempt is not defined and group_config.preempt_delay is defined and group_config.preempt_delay is not none %}
+ preempt_delay {{ group_config.preempt_delay }}
+{% elif group_config.no_preempt is defined %}
nopreempt
- {% endif %}
-
- {% if group.peer_address %}
- unicast_peer { {{ group.peer_address }} }
- {% endif %}
-
- {% if group.hello_source %}
- {% if group.peer_address %}
- unicast_src_ip {{ group.hello_source }}
- {% else %}
- mcast_src_ip {{ group.hello_source }}
- {% endif %}
- {% endif %}
-
- {% if group.use_vmac and group.peer_address %}
- use_vmac {{group.interface}}v{{group.vrid}}
- vmac_xmit_base
- {% elif group.use_vmac %}
- use_vmac {{group.interface}}v{{group.vrid}}
- {% endif %}
-
- {% if group.auth_password %}
- authentication {
- auth_pass "{{ group.auth_password }}"
- auth_type {{ group.auth_type }}
- }
- {% endif %}
-
+{% endif %}
+{% if group_config.peer_address is defined and group_config.peer_address is not none %}
+ unicast_peer { {{ group_config.peer_address }} }
+{% endif %}
+{% if group_config.hello_source_address is defined and group_config.hello_source_address is not none %}
+{% if group_config.peer_address is defined and group_config.peer_address is not none %}
+ unicast_src_ip {{ group_config.hello_source_address }}
+{% else %}
+ mcast_src_ip {{ group_config.hello_source_address }}
+{% endif %}
+{% endif %}
+{% if group_config.rfc3768_compatibility is defined and group_config.peer_address is defined %}
+ use_vmac {{ group_config.interface }}v{{ group_config.vrid }}
+ vmac_xmit_base
+{% elif group_config.rfc3768_compatibility is defined %}
+ use_vmac {{ group_config.interface }}v{{ group_config.vrid }}
+{% endif %}
+{% if group_config.authentication is defined and group_config.authentication is not none %}
+ authentication {
+ auth_pass "{{ group_config.authentication.password }}"
+{% if group_config.authentication.type == 'plaintext-password' %}
+ auth_type PASS
+{% else %}
+ auth_type {{ group_config.authentication.type | upper }}
+{% endif %}
+ }
+{% endif %}
+{% if group_config.address is defined and group_config.address is not none %}
virtual_ipaddress {
- {% for addr in group.virtual_addresses %}
+{% for addr in group_config.address %}
{{ addr }}
- {% endfor %}
+{% endfor %}
}
-
- {% if group.virtual_addresses_excluded %}
+{% endif %}
+{% if group_config.excluded_address is defined and group_config.excluded_address is not none %}
virtual_ipaddress_excluded {
- {% for addr in group.virtual_addresses_excluded %}
+{% for addr in group_config.excluded_address %}
{{ addr }}
- {% endfor %}
+{% endfor %}
}
- {% endif %}
-
- {% if group.health_check_script %}
+{% endif %}
+{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %}
track_script {
- healthcheck_{{ group.name }}
+ healthcheck_{{ name }}
}
- {% endif %}
+{% endif %}
}
+{% endfor %}
+{% endif %}
-{% endfor %}
-
-{% for sync_group in sync_groups %}
-vrrp_sync_group {{ sync_group.name }} {
- group {
- {% for member in sync_group.members %}
- {{ member }}
- {% endfor %}
- }
-
- {% if sync_group.conntrack_sync %}
- {% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
- notify_master "{{ vyos_helper }} master {{ sync_group.name }}"
- notify_backup "{{ vyos_helper }} backup {{ sync_group.name }}"
- notify_fault "{{ vyos_helper }} fault {{ sync_group.name }}"
- {% endif %}
+{% if sync_group is defined and sync_group is not none %}
+{% for name, group_config in sync_group.items() if group_config.disable is not defined %}
+vrrp_sync_group {{ name }} {
+ group {
+{% if group_config.member is defined and group_config.member is not none %}
+{% for member in group_config.member %}
+ {{ member }}
+{% endfor %}
+{% endif %}
+ }
+{% if conntrack_sync_group is defined and conntrack_sync_group == name %}
+{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %}
+ notify_master "{{ vyos_helper }} master {{ name }}"
+ notify_backup "{{ vyos_helper }} backup {{ name }}"
+ notify_fault "{{ vyos_helper }} fault {{ name }}"
+{% endif %}
}
-
-{% endfor %}
+{% endfor %}
+{% endif %}