46 files changed, 318 insertions, 326 deletions
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.tmpl b/data/templates/bcast-relay/udp-broadcast-relay.tmpl index 7b2b9b1a2..75740e04c 100644 --- a/data/templates/bcast-relay/udp-broadcast-relay.tmpl +++ b/data/templates/bcast-relay/udp-broadcast-relay.tmpl @@ -2,4 +2,4 @@ # UDP broadcast relay configuration for instance {{ id }} {{ '# ' ~ description if description is vyos_defined }} -DAEMON_ARGS="{{ '-s ' ~ address if address is defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" +DAEMON_ARGS="{{ '-s ' ~ address if address is vyos_defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" diff --git a/data/templates/conntrack/nftables-ct.tmpl b/data/templates/conntrack/nftables-ct.tmpl index cebc1a54e..569e73df1 100644 --- a/data/templates/conntrack/nftables-ct.tmpl +++ b/data/templates/conntrack/nftables-ct.tmpl @@ -12,7 +12,7 @@ table raw { chain {{ nft_ct_ignore_name }} { {% if ignore.rule is vyos_defined %} {% for rule, rule_config in ignore.rule.items() %} - # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} {% set nft_command = '' %} {% if rule_config.inbound_interface is vyos_defined %} {% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %} @@ -40,7 +40,7 @@ table raw { chain {{ nft_ct_timeout_name }} { {% if timeout.custom.rule is vyos_defined %} {% for rule, rule_config in timeout.custom.rule.items() %} - # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} {% endfor %} {% endif %} return diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.tmpl index 45b7bff09..80e7254a0 100644 
--- a/data/templates/conntrackd/conntrackd.conf.tmpl +++ b/data/templates/conntrackd/conntrackd.conf.tmpl @@ -3,16 +3,16 @@ # Synchronizer settings Sync { Mode FTFW { - DisableExternalCache {{ 'on' if disable_external_cache is defined else 'off' }} + DisableExternalCache {{ 'on' if disable_external_cache is vyos_defined else 'off' }} } {% for iface, iface_config in interface.items() %} -{% if iface_config.peer is defined and iface_config.peer is not none %} +{% if iface_config.peer is vyos_defined %} UDP { -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is vyos_defined %} IPv4_address {{ listen_address }} {% endif %} IPv4_Destination_Address {{ iface_config.peer }} - Port {{ iface_config.port if iface_config.port is defined else '3780' }} + Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} @@ -22,7 +22,7 @@ Sync { Multicast { {% set ip_address = iface | get_ipv4 %} IPv4_address {{ mcast_group }} - Group {{ iface_config.port if iface_config.port is defined else '3780' }} + Group {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} IPv4_interface {{ ip_address[0] | ip_from_cidr }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} @@ -31,7 +31,7 @@ Sync { } {% endif %} {% endfor %} -{% if expect_sync is defined and expect_sync is not none %} +{% if expect_sync is vyos_defined %} Options { {% if 'all' in expect_sync %} ExpectationSync on 
@@ -83,9 +83,9 @@ General { NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} NetlinkOverrunResync off NetlinkEventsReliable on -{% if ignore_address is defined or accept_protocol is defined %} +{% if ignore_address is vyos_defined or accept_protocol is vyos_defined %} Filter From Userspace { -{% if ignore_address is defined and ignore_address is not none %} +{% if ignore_address is vyos_defined %} Address Ignore { {% for address in ignore_address if address | is_ipv4 %} IPv4_address {{ address }} @@ -95,7 +95,7 @@ General { {% endfor %} } {% endif %} -{% if accept_protocol is defined and accept_protocol is not none %} +{% if accept_protocol is vyos_defined %} Protocol Accept { {% for protocol in accept_protocol %} {% if protocol == 'icmp6' %} diff --git a/data/templates/conntrackd/conntrackd.op-mode.tmpl b/data/templates/conntrackd/conntrackd.op-mode.tmpl index 82a4b09ad..c3f6911ce 100644 --- a/data/templates/conntrackd/conntrackd.op-mode.tmpl +++ b/data/templates/conntrackd/conntrackd.op-mode.tmpl @@ -1,5 +1,5 @@ Source Destination Protocol -{% for parsed in data if parsed.flow is defined and parsed.flow.meta is defined %} +{% for parsed in data if parsed.flow.meta is vyos_defined %} {% for key in parsed.flow.meta %} {% if key['@direction'] == 'original' %} {% set saddr = key.layer3.src | bracketize_ipv6 %} diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.tmpl index 00f6eba8e..efc144a1e 100644 --- a/data/templates/dhcp-server/dhcpd.conf.tmpl +++ b/data/templates/dhcp-server/dhcpd.conf.tmpl 
@@ -158,7 +158,7 @@ shared-network {{ network }} { {% if subnet_config.bootfile_server is vyos_defined %} next-server {{ subnet_config.bootfile_server }}; {% endif %} -{% if subnet_config.bootfile_size is defined and subnet_config.bootfile_size is not none %} +{% if subnet_config.bootfile_size is vyos_defined %} option boot-size {{ subnet_config.bootfile_size }}; {% endif %} {% if subnet_config.time_offset is vyos_defined %} diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl index d9eb7c199..66d31093b 100644 --- a/data/templates/firewall/nftables-defines.tmpl +++ b/data/templates/firewall/nftables-defines.tmpl 
@@ -1,30 +1,30 @@ -{% if group is defined %} -{% if group.address_group is defined %} +{% if group is vyos_defined %} +{% if group.address_group is vyos_defined %} {% for group_name, group_conf in group.address_group.items() %} define A_{{ group_name }} = { {{ group_conf.address | join(",") }} } {% endfor %} {% endif %} -{% if group.ipv6_address_group is defined %} +{% if group.ipv6_address_group is vyos_defined %} {% for group_name, group_conf in group.ipv6_address_group.items() %} define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} } {% endfor %} {% endif %} -{% if group.mac_group is defined %} +{% if group.mac_group is vyos_defined %} {% for group_name, group_conf in group.mac_group.items() %} define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} } {% endfor %} {% endif %} -{% if group.network_group is defined %} +{% if group.network_group is vyos_defined %} {% for group_name, group_conf in group.network_group.items() %} define N_{{ group_name }} = { {{ group_conf.network | join(",") }} } {% endfor %} {% endif %} -{% if group.ipv6_network_group is defined %} +{% if group.ipv6_network_group is vyos_defined %} {% for group_name, group_conf in group.ipv6_network_group.items() %} define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} } {% endfor %} {% endif %} -{% if group.port_group is defined %} +{% if group.port_group is vyos_defined %} {% for group_name, group_conf in group.port_group.items() %} define P_{{ group_name }} = { {{ group_conf.port | join(",") }} } {% endfor %} diff --git a/data/templates/firewall/upnpd.conf.tmpl b/data/templates/firewall/upnpd.conf.tmpl index 39cb21373..6e73995fa 100644 --- a/data/templates/firewall/upnpd.conf.tmpl +++ b/data/templates/firewall/upnpd.conf.tmpl 
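Review bot: The new `group.address_group is vyos_defined` guard only establishes that the group dictionary exists, not that each group has members, so a group created without any address still renders `define A_<name> = {  }`, which nft will most likely reject and thereby refuse the whole ruleset; the same applies to every loop in this hunk (`mac_address`, `network`, `port`). Unless the verify step already refuses empty groups (not visible here), guard each define individually, e.g. `{% if group_conf.address is vyos_defined %}` around the `define A_{{ group_name }} = ...` line, and likewise for the other five member keys. A render test of this template with an empty group would pin the behaviour.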
@@ -2,7 +2,7 @@ # WAN network interface ext_ifname={{ wan_interface }} -{% if wan_ip is defined %} +{% if wan_ip is vyos_defined %} # If the WAN interface has several IP addresses, you # can specify the one to use below {% for addr in wan_ip %} @@ -11,7 +11,7 @@ ext_ip={{ addr }} {% endif %} # LAN network interfaces IPs / networks -{% if listen is defined %} +{% if listen is vyos_defined %} # There can be multiple listening IPs for SSDP traffic, in that case # use multiple 'listening_ip=...' lines, one for each network interface. # It can be IP address or network interface name (ie. "eth0") @@ -45,7 +45,7 @@ listening_ip={{ addr }} # default is /var/run/minissdpd.sock #minissdpdsocket=/var/run/minissdpd.sock -{% if nat_pmp is defined %} +{% if nat_pmp is vyos_defined %} # Enable NAT-PMP support (default is no) enable_natpmp=yes {% endif %} @@ -53,14 +53,14 @@ enable_natpmp=yes # Enable UPNP support (default is yes) enable_upnp=yes -{% if pcp_lifetime is defined %} +{% if pcp_lifetime is vyos_defined %} # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base -{% if pcp_lifetime.max is defined %} +{% if pcp_lifetime.max is vyos_defined %} max_lifetime={{ pcp_lifetime.max }} {% endif %} -{% if pcp_lifetime.min is defined %} +{% if pcp_lifetime.min is vyos_defined %} min_lifetime={{ pcp_lifetime.min }} {% endif %} {% endif %} @@ -69,7 +69,7 @@ min_lifetime={{ pcp_lifetime.min }} # To enable the next few runtime options, see compile time # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h) -{% if friendly_name is defined %} +{% if friendly_name is vyos_defined %} # Name of this service, default is "`uname -s` router" friendly_name= {{ friendly_name }} {% endif %} 
@@ -89,7 +89,7 @@ model_description=Vyos open source enterprise router/firewall operating system # Model URL, default is URL of OS vendor model_url=https://vyos.io/ -{% if secure_mode is defined %} +{% if secure_mode is vyos_defined %} # Secure Mode, UPnP clients can only add mappings to their own IP secure_mode=yes {% else %} @@ -97,7 +97,7 @@ secure_mode=yes secure_mode=no {% endif %} -{% if presentation_url is defined %} +{% if presentation_url is vyos_defined %} # Default presentation URL is HTTP address on port 80 # If set to an empty string, no presentationURL element will appear # in the XML description of the device, which prevents MS Windows @@ -129,7 +129,7 @@ lease_file=/config/upnp.leases #serial=12345678 #model_number=1 -{% if rules is defined %} +{% if rules is vyos_defined %} # UPnP permission rules # (allow|deny) (external port range) IP/mask (internal port range) # A port range is <min port>-<max port> or <port> if there is only @@ -143,13 +143,13 @@ lease_file=/config/upnp.leases # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! {% for rule, config in rules.items() %} -{% if config.disable is defined %} +{% if config.disable is vyos_defined %} {{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} {% endif %} {% endfor %} {% endif %} -{% if stun is defined %} +{% if stun is vyos_defined %} # WAN interface must have public IP address. Otherwise it is behind NAT # and port forwarding is impossible. In some cases WAN interface can be # behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and diff --git a/data/templates/https/override.conf.tmpl b/data/templates/https/override.conf.tmpl index 824b1ba3b..c2c191b06 100644 --- a/data/templates/https/override.conf.tmpl +++ b/data/templates/https/override.conf.tmpl 
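Review bot: The permission-rule loop in the last hunk still emits a rule only when `config.disable` is set — `{% if config.disable is vyos_defined %}` carries over the inverted test that `is defined` had — so every enabled allow/deny rule is dropped from upnpd.conf and only disabled ones reach miniupnpd. Given the CAUTION comment a few lines above that a missing rule set lets insecure mapping requests through, this is the line to fix: `{% if config.disable is not vyos_defined %}`. The same rule line also has a missing space in `{{ config.action}}`.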
@@ -1,15 +1,15 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] StartLimitIntervalSec=0 After=vyos-router.service [Service] ExecStartPre= -ExecStartPre={{vrf_command}}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' +ExecStartPre={{ vrf_command }}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' ExecStart= -ExecStart={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' +ExecStart={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' ExecReload= -ExecReload={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload +ExecReload={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload Restart=always RestartPreventExitStatus= RestartSec=10 diff --git a/data/templates/https/vyos-http-api.service.tmpl b/data/templates/https/vyos-http-api.service.tmpl index 15bd80d65..fb424e06c 100644 --- a/data/templates/https/vyos-http-api.service.tmpl +++ b/data/templates/https/vyos-http-api.service.tmpl @@ -1,11 +1,11 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] Description=VyOS HTTP API service After=vyos-router.service Requires=vyos-router.service [Service] -ExecStart={{vrf_command}}/usr/libexec/vyos/services/vyos-http-api-server +ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server Type=idle SyslogIdentifier=vyos-http-api diff --git a/data/templates/ids/fastnetmon_networks_list.tmpl b/data/templates/ids/fastnetmon_networks_list.tmpl index d58990053..ab9add22c 100644 --- a/data/templates/ids/fastnetmon_networks_list.tmpl +++ b/data/templates/ids/fastnetmon_networks_list.tmpl @@ -1,4 +1,4 @@ -{% if network is string %} +{% if network is vyos_defined(var_type=str) %} {{ network }} {% else %} {% for net in network %} 
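Review bot: `vrf` is concatenated into `vrf_command` and lands unquoted in the three `Exec*=` lines of the nginx override and the `ExecStart=` of the HTTP API unit, so whatever name the CLI accepts becomes part of the systemd command line verbatim; this is presumably safe because the VRF name is validated on the CLI side, but nothing in either template records that assumption. A one-line note such as `{# vrf name is validated by the CLI; it is expanded unquoted into Exec*= below #}` above the `set` would make the dependency explicit. Note also that with a VRF set the executable on these lines becomes a bare `ip` rather than an absolute path; recent systemd resolves that, but an absolute path to `ip` would remove the dependency on that behaviour.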
diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.tmpl index b9b020dcd..2eac24eaa 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.tmpl @@ -21,12 +21,12 @@ charon { # cisco_unity = no # Cisco FlexVPN -{% if options is defined %} - cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }} -{% if options.virtual_ip is defined %} +{% if options is vyos_defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }} +{% if options.virtual_ip is vyos_defined %} install_virtual_ip = yes {% endif %} -{% if options.interface is defined and options.interface is not none %} +{% if options.interface is vyos_defined %} install_virtual_ip_on = {{ options.interface }} {% endif %} {% endif %} diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.tmpl index 92774b275..aaa5613fb 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.tmpl @@ -1,12 +1,10 @@ dhcp { load = yes -{% if remote_access is defined and remote_access.dhcp is defined %} -{% if remote_access.dhcp.interface is defined %} +{% if remote_access.dhcp.interface is vyos_defined %} interface = {{ remote_access.dhcp.interface }} -{% endif %} -{% if remote_access.dhcp.server is defined %} +{% endif %} +{% if remote_access.dhcp.server is vyos_defined %} server = {{ remote_access.dhcp.server }} -{% endif %} {% endif %} # Always use the configured server address. diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.tmpl index 5ec35c988..b58022521 100644 --- a/data/templates/ipsec/charon/eap-radius.conf.tmpl +++ b/data/templates/ipsec/charon/eap-radius.conf.tmpl 
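Review bot: Dropping the outer `remote_access is defined and remote_access.dhcp is defined` guard in dhcp.conf.tmpl means `remote_access.dhcp.interface is vyos_defined` is now evaluated even when `remote_access` is entirely absent from the template data; that only works if the Jinja environment renders with an undefined type that tolerates attribute access on undefined values (e.g. `ChainableUndefined`), which I cannot confirm from this diff. The same collapsed form is used throughout this commit (`nas_identifier`, `remote_access.connection`, `site_to_site.peer`, `peer_conf.vti.bind`), so a single render path using the plain `Undefined` would break every one of them at once. Worth a comment on the `vyos_defined` test or the render helper stating that dependency, plus a render test of this template with `remote_access` omitted.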
@@ -41,7 +41,7 @@ eap-radius { load = yes # NAS-Identifier to include in RADIUS messages. - nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }} + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }} # Port of RADIUS server (authentication). # port = 1812 @@ -94,13 +94,13 @@ eap-radius { # Section to specify multiple RADIUS servers. servers { -{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %} -{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %} +{% if remote_access.radius.server is vyos_defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} {{ server | replace('.', '-') }} { address = {{ server }} secret = {{ server_options.key }} auth_port = {{ server_options.port }} -{% if server_options.disable_accounting is not defined %} +{% if server_options.disable_accounting is not vyos_defined %} acct_port = {{ server_options.port | int +1 }} {% endif %} sockets = 20 diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.tmpl index a77102396..55c3ce4f3 100644 --- a/data/templates/ipsec/interfaces_use.conf.tmpl +++ b/data/templates/ipsec/interfaces_use.conf.tmpl @@ -1,4 +1,4 @@ -{% if interface is defined %} +{% if interface is vyos_defined %} charon { interfaces_use = {{ ', '.join(interface) }} } diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.tmpl index af6c79d6e..c8e17729a 100644 --- a/data/templates/ipsec/ios_profile.tmpl +++ b/data/templates/ipsec/ios_profile.tmpl 
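Review bot: `secret = {{ server_options.key }}` writes the RADIUS shared secret into strongswan.conf unquoted, while every other secret this commit touches in swanctl.conf is emitted as `secret = "..."`; a key containing whitespace, `#` or `}` would be truncated or break the `servers { }` block, and a truncated shared secret fails RADIUS authentication in a way that is hard to diagnose. Quote it for consistency: `secret = "{{ server_options.key }}"` (and confirm against strongswan.conf(5) how `"` and `\` inside a quoted value must be escaped). The enclosing `servers { }` block continues outside the hunk.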
@@ -41,7 +41,7 @@ <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> <key>RemoteIdentifier</key> - <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string> + <string>{{ authentication.id if authentication.id is vyos_defined else 'VyOS' }}</string> <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> <key>LocalIdentifier</key> <string></string> diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl index 1cb531e76..0f7131dff 100644 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ b/data/templates/ipsec/ipsec.conf.tmpl @@ -2,7 +2,7 @@ config setup {% set charondebug = '' %} -{% if log is defined and log.subsystem is defined and log.subsystem is not none %} +{% if log.subsystem is vyos_defined %} {% set subsystem = log.subsystem %} {% if 'any' in log.subsystem %} {% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', @@ -11,8 +11,8 @@ config setup {% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} {% endif %} charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} + uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} -{% if include_ipsec_conf is defined %} +{% if include_ipsec_conf is vyos_defined %} include {{ include_ipsec_conf }} {% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.tmpl index 057e291ed..865c1ab17 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.tmpl 
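Review bot: The `RemoteIdentifier` fallback is now the fixed string `VyOS` when `authentication.id` is unset, but elsewhere in this same commit the responder's IKE identity in that case is its local address (`id = "{{ ra_conf.local_address }}"` in swanctl.conf.tmpl), so an iOS client using this profile will be told to expect an identity the server never presents and IKE_AUTH will fail; `fooo` had the same problem, so this is not a regression, but it is the line to fix. If the connection's local address is available to this template, use it as the fallback, e.g. `{{ authentication.id if authentication.id is vyos_defined else local_address }}` (variable name to confirm); otherwise document next to this line that the profile only works with an explicit `authentication id`.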
@@ -1,5 +1,5 @@ # Created by VyOS - manual changes will be overwritten -{% if include_ipsec_secrets is defined %} +{% if include_ipsec_secrets is vyos_defined %} include {{ include_ipsec_secrets }} {% endif %} diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl index 68b108365..6ba93dd1f 100644 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ b/data/templates/ipsec/swanctl.conf.tmpl @@ -5,18 +5,18 @@ {% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} connections { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} {{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} {% endfor %} {% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} {{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} {% endfor %} {% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %} +{% if remote_access.connection is vyos_defined %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} {{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} {% endfor %} {% endif %} 
@@ -26,16 +26,16 @@ connections { } pools { -{% if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} +{% if remote_access.pool is vyos_defined %} {% for pool, pool_config in remote_access.pool.items() %} {{ pool }} { -{% if pool_config.prefix is defined and pool_config.prefix is not none %} +{% if pool_config.prefix is vyos_defined %} addrs = {{ pool_config.prefix }} {% endif %} -{% if pool_config.name_server is defined and pool_config.name_server is not none %} +{% if pool_config.name_server is vyos_defined %} dns = {{ pool_config.name_server | join(',') }} {% endif %} -{% if pool_config.exclude is defined and pool_config.exclude is not none %} +{% if pool_config.exclude is vyos_defined %} split_exclude = {{ pool_config.exclude | join(',') }} {% endif %} } @@ -44,9 +44,9 @@ pools { } secrets { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{% if profile_conf.authentication.mode == 'pre-shared-secret' %} +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} {% for interface in profile_conf.bind.tunnel %} ike-dmvpn-{{ interface }} { secret = {{ profile_conf.authentication.pre_shared_secret }} 
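Review bot: In the `ike-dmvpn-{{ interface }}` block the PSK is written unquoted, `secret = {{ profile_conf.authentication.pre_shared_secret }}`, whereas the site-to-site, remote-access and L2TP secrets in the same file are emitted as `secret = "..."`; a DMVPN secret containing whitespace or a `#` would be silently truncated and the tunnels would fail to authenticate. Change it to `secret = "{{ profile_conf.authentication.pre_shared_secret }}"` for consistency with the rest of the `secrets { }` section. The `secrets` block continues past the end of this hunk.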
@@ -55,54 +55,54 @@ secrets { {% endif %} {% endfor %} {% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} {% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} -{% if peer_conf.authentication.mode == 'pre-shared-secret' %} +{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} ike_{{ peer_name }} { -{% if peer_conf.local_address is defined %} +{% if peer_conf.local_address is vyos_defined %} id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} {% endif %} id-remote = {{ peer }} -{% if peer_conf.authentication.id is defined %} +{% if peer_conf.authentication.id is vyos_defined %} id-localid = {{ peer_conf.authentication.id }} {% endif %} -{% if peer_conf.authentication.remote_id is defined %} +{% if peer_conf.authentication.remote_id is vyos_defined %} id-remoteid = {{ peer_conf.authentication.remote_id }} {% endif %} secret = "{{ peer_conf.authentication.pre_shared_secret }}" } -{% elif peer_conf.authentication.mode == 'x509' %} +{% elif peer_conf.authentication.mode is vyos_defined('x509') %} private_{{ peer_name }} { file = {{ peer_conf.authentication.x509.certificate }}.pem -{% if peer_conf.authentication.x509.passphrase is defined %} +{% if peer_conf.authentication.x509.passphrase is vyos_defined %} secret = "{{ peer_conf.authentication.x509.passphrase }}" {% endif %} } -{% elif peer_conf.authentication.mode == 'rsa' %} +{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} rsa_{{ peer_name }}_local { file = {{ peer_conf.authentication.rsa.local_key }}.pem -{% if peer_conf.authentication.rsa.passphrase is defined %} +{% if 
peer_conf.authentication.rsa.passphrase is vyos_defined %} secret = "{{ peer_conf.authentication.rsa.passphrase }}" {% endif %} } {% endif %} {% endfor %} {% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %} -{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} +{% if remote_access.connection is vyos_defined %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} +{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} ike_{{ ra }} { -{% if ra_conf.authentication.id is defined %} +{% if ra_conf.authentication.id is vyos_defined %} id = "{{ ra_conf.authentication.id }}" -{% elif ra_conf.local_address is defined %} +{% elif ra_conf.local_address is vyos_defined %} id = "{{ ra_conf.local_address }}" {% endif %} secret = "{{ ra_conf.authentication.pre_shared_secret }}" } {% endif %} -{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} -{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} +{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} eap-{{ ra }}-{{ user }} { secret = "{{ user_conf.password }}" id-{{ ra }}-{{ user }} = "{{ user }}" 
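Review bot: The secrets in this hunk are placed inside double quotes without escaping (`secret = "{{ peer_conf.authentication.pre_shared_secret }}"`, `secret = "{{ peer_conf.authentication.x509.passphrase }}"`, `secret = "{{ user_conf.password }}"`), and as far as I recall swanctl.conf quoted strings interpret `\` escape sequences and end at the next `"`; unless the CLI validator rejects `"` and `\` in pre-shared secrets, passphrases and local-user passwords, such a value is either altered before it reaches charon or terminates the string early and lets the remainder be parsed as configuration. An escaping filter applied to every quoted secret (`| replace('\\', '\\\\') | replace('"', '\\"')`), or a verify-time check that rejects those characters, would close this. The EAP-MSCHAPv2 user passwords are necessarily stored in clear text here, so the resulting file's permissions matter as well — not visible in this diff.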
@@ -112,16 +112,16 @@ secrets { {% endfor %} {% endif %} {% if l2tp %} -{% if l2tp.authentication.mode == 'pre-shared-secret' %} +{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} ike_l2tp_remote_access { id = "{{ l2tp_outside_address }}" secret = "{{ l2tp.authentication.pre_shared_secret }}" } -{% elif l2tp.authentication.mode == 'x509' %} +{% elif l2tp.authentication.mode is vyos_defined('x509') %} private_l2tp_remote_access { id = "{{ l2tp_outside_address }}" file = {{ l2tp.authentication.x509.certificate }}.pem -{% if l2tp.authentication.x509.passphrase is defined %} +{% if l2tp.authentication.x509.passphrase is vyos_defined %} secret = "{{ l2tp.authentication.x509.passphrase }}" {% endif %} } diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.tmpl index 4cd1b4af3..c0e81e0aa 100644 --- a/data/templates/ipsec/swanctl/l2tp.tmpl +++ b/data/templates/ipsec/swanctl/l2tp.tmpl @@ -1,6 +1,6 @@ {% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} -{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %} -{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} l2tp_remote_access { proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} local_addrs = {{ l2tp_outside_address }} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl index a622cbf74..b21dce9f0 100644 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ b/data/templates/ipsec/swanctl/peer.tmpl 
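Review bot: `{% if l2tp %}` is left as a bare truthiness test while every sibling condition in this hunk now uses `is vyos_defined`; it behaves the same for a missing, `None` or empty `l2tp`, but it reads as the one form the commit set out to retire. For uniformity use `{% if l2tp is vyos_defined %}`. The l2tp.tmpl hunk below only changes the `None` fallbacks for the optional IKE/ESP groups and looks fine.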
@@ -4,20 +4,20 @@ {% set ike = ike_group[peer_conf.ike_group] %} peer_{{ name }} { proposals = {{ ike | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} -{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} +{% if peer_conf.virtual_address is vyos_defined %} vips = {{ peer_conf.virtual_address | join(', ') }} {% endif %} local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} -{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} send_cert = always {% endif %} -{% if ike.dead_peer_detection is defined %} +{% if ike.dead_peer_detection is vyos_defined %} dpd_timeout = {{ ike.dead_peer_detection.timeout }} dpd_delay = {{ ike.dead_peer_detection.interval }} {% endif %} -{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %} +{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} aggressive = yes {% endif %} rekey_time = {{ ike.lifetime }}s 
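Review bot: `version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}` deserves a comment, because `0` is not "no version" in swanctl.conf but "accept IKEv1 and IKEv2 as responder, initiate with IKEv2", so an IKE group without `key-exchange` silently accepts IKEv1 peers. Suggest `{# version 0 = accept both IKEv1 and IKEv2 as responder, initiate with IKEv2 #}` above that line; if the CLI always defaults `key-exchange` so the else branch is unreachable, state that instead. The `aggressive = yes` branch further down is only reached when the user explicitly selects IKEv1 aggressive mode, which is the right default given its PSK exposure, and a short comment saying so would help the next reader.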
@@ -25,16 +25,16 @@ {% if peer[0:1] == '@' %} keyingtries = 0 reauth_time = 0 -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} keyingtries = 0 -{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %} +{% elif peer_conf.connection_type is vyos_defined('respond') %} keyingtries = 1 {% endif %} -{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %} +{% if peer_conf.force_encapsulation is vyos_defined('enable') %} encap = yes {% endif %} local { -{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %} +{% if peer_conf.authentication.id is vyos_defined %} id = "{{ peer_conf.authentication.id }}" {% endif %} auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} @@ -45,7 +45,7 @@ {% endif %} } remote { -{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %} +{% if peer_conf.authentication.remote_id is vyos_defined %} id = "{{ peer_conf.authentication.remote_id }}" {% else %} id = "{{ peer }}" 
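Review bot: Immediately after the conditions converted to `is vyos_defined('...')`, the context line `auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }}` keeps the raw `==` comparison, which is the form this commit set out to replace. For consistency: `auth = {{ 'psk' if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') else 'pubkey' }}`. Behaviour is identical for the values the CLI accepts, so this is a style point only; the `local { }` and `remote { }` blocks continue past the visible lines.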
@@ -56,14 +56,14 @@ {% endif %} } children { -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} -{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} +{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} peer_{{ name }}_vti { esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %} +{% if vti_esp.life_bytes is vyos_defined %} life_bytes = {{ vti_esp.life_bytes }} {% endif %} -{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %} +{% if vti_esp.life_packets is vyos_defined %} life_packets = {{ vti_esp.life_packets }} {% endif %} life_time = {{ vti_esp.lifetime }}s 
@@ -75,74 +75,74 @@
 {% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %}
 if_id_in = {{ if_id }}
 if_id_out = {{ if_id }}
- ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }}
+ ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }}
 mode = {{ vti_esp.mode }}
 {% if peer[0:1] == '@' %}
 start_action = none
-{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
+{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
 start_action = start
-{% elif peer_conf.connection_type == 'respond' %}
+{% elif peer_conf.connection_type is vyos_defined('respond') %}
 start_action = trap
-{% elif peer_conf.connection_type == 'none' %}
+{% elif peer_conf.connection_type is vyos_defined('none') %}
 start_action = none
 {% endif %}
-{% if ike.dead_peer_detection is defined %}
+{% if ike.dead_peer_detection is vyos_defined %}
 {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
 dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
 {% endif %}
 close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
 }
-{% elif peer_conf.tunnel is defined %}
+{% elif peer_conf.tunnel is vyos_defined %}
 {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
-{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %}
+{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %}
 {% set tunnel_esp = esp_group[tunnel_esp_name] %}
-{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %}
-{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %}
+{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %}
+{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %}
 {% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %}
-{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %}
+{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %}
 {% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %}
 peer_{{ name }}_tunnel_{{ tunnel_id }} {
 esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }}
-{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %}
+{% if tunnel_esp.life_bytes is vyos_defined %}
 life_bytes = {{ tunnel_esp.life_bytes }}
 {% endif %}
-{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %}
+{% if tunnel_esp.life_packets is vyos_defined %}
 life_packets = {{ tunnel_esp.life_packets }}
 {% endif %}
 life_time = {{ tunnel_esp.lifetime }}s
 {% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}
-{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %}
+{% if tunnel_conf.local.prefix is vyos_defined %}
 {% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %}
 local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
 {% endif %}
-{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %}
+{% if tunnel_conf.remote.prefix is vyos_defined %}
 {% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %}
 remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }}
 {% endif %}
-{% if tunnel_conf.priority is defined and tunnel_conf.priority is not none %}
+{% if tunnel_conf.priority is vyos_defined %}
 priority = {{ tunnel_conf.priority }}
 {% endif %}
 {% elif tunnel_esp.mode == 'transport' %}
 local_ts = {{ peer_conf.local_address }}{{ local_suffix }}
 remote_ts = {{ peer }}{{ remote_suffix }}
 {% endif %}
- ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }}
+ ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }}
 mode = {{ tunnel_esp.mode }}
 {% if peer[0:1] == '@' %}
 start_action = none
-{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %}
+{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %}
 start_action = start
-{% elif peer_conf.connection_type == 'respond' %}
+{% elif peer_conf.connection_type is vyos_defined('respond') %}
 start_action = trap
-{% elif peer_conf.connection_type == 'none' %}
+{% elif peer_conf.connection_type is vyos_defined('none') %}
 start_action = none
 {% endif %}
-{% if ike.dead_peer_detection is defined %}
+{% if ike.dead_peer_detection is vyos_defined %}
 {% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
 dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
 {% endif %}
 close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
-{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %}
+{% if peer_conf.vti.bind is vyos_defined %}
 updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}"
 {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {# Thus we simply shift the key by one to also support a vti0 interface #}
@@ -151,7 +151,7 @@
 if_id_out = {{ if_id }}
 {% endif %}
 }
-{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %}
+{% if tunnel_conf.passthrough is vyos_defined %}
 peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough {
 local_ts = {{ tunnel_conf.passthrough | join(",") }}
 remote_ts = {{ tunnel_conf.passthrough | join(",") }}
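Review bot: The migration to `vyos_defined` is incomplete inside this hunk: `{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}` and `{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %}` keep the plain `defined` test while every surrounding condition was converted. The removed lines show the two tests are not equivalent (`vyos_defined` stands in for `is defined and is not none`), so mixing them in one block makes the rendered swanctl config depend on which spelling each line happens to use when a node is present with a `none` value. Either convert them too, `if tunnel_conf.disable is not vyos_defined` and `if tunnel_esp.mode is not vyos_defined or tunnel_esp.mode is vyos_defined('tunnel')`, or add a comment saying why they must stay different. The `children {` block this hunk belongs to starts before the hunk.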
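Review bot: `{% if tunnel_conf.passthrough is vyos_defined %}` is not equivalent to the removed `is defined and tunnel_conf.passthrough`: the old test also rejected an empty list, the new one accepts it and would render a `peer_…_passthough` child SA whose `local_ts` and `remote_ts` are empty strings. Whether the config system can hand this template an empty list is not visible in the diff; if it can, keep the truthiness check with `{% if tunnel_conf.passthrough is vyos_defined and tunnel_conf.passthrough %}`, since an IPsec child SA with unintended traffic selectors is exactly the kind of thing that should fail loudly rather than render. The misspelled child-SA name `_passthough` on the context line is visible in `swanctl --list-sas` output, so renaming it is a user-visible change and should be done as a separate, deliberate commit.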
diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.tmpl
index a5cae31c0..0f1c2fda2 100644
--- a/data/templates/ipsec/swanctl/profile.tmpl
+++ b/data/templates/ipsec/swanctl/profile.tmpl
@@ -2,14 +2,14 @@
 {# peer needs to reference the global IKE configuration for certain values #}
 {% set ike = ike_group[profile_conf.ike_group] %}
 {% set esp = esp_group[profile_conf.esp_group] %}
-{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %}
+{% if profile_conf.bind.tunnel is vyos_defined %}
 {% for interface in profile_conf.bind.tunnel %}
 dmvpn-{{ name }}-{{ interface }} {
 proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }}
- version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
 rekey_time = {{ ike.lifetime }}s
 keyingtries = 0
-{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %}
+{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %}
 local {
 auth = psk
 }
@@ -25,10 +25,10 @@
 local_ts = dynamic[gre]
 remote_ts = dynamic[gre]
 mode = {{ esp.mode }}
-{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %}
+{% if ike.dead_peer_detection.action is vyos_defined %}
 dpd_action = {{ ike.dead_peer_detection.action }}
 {% endif %}
-{% if esp.compression is defined and esp.compression == 'enable' %}
+{% if esp.compression is vyos_defined('enable') %}
 ipcomp = yes
 {% endif %}
 }
diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.tmpl
index 6354c60b1..059984139 100644
--- a/data/templates/ipsec/swanctl/remote_access.tmpl
+++ b/data/templates/ipsec/swanctl/remote_access.tmpl
@@ -4,21 +4,21 @@
 {% set esp = esp_group[rw_conf.esp_group] %}
 ra-{{ name }} {
 remote_addrs = %any
- local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }}
+ local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }}
 proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }}
- version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }}
+ version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }}
 send_certreq = no
 rekey_time = {{ ike.lifetime }}s
 keyingtries = 0
-{% if rw_conf.unique is defined and rw_conf.unique is not none %}
+{% if rw_conf.unique is vyos_defined %}
 unique = {{ rw_conf.unique }}
 {% endif %}
-{% if rw_conf.pool is defined and rw_conf.pool is not none %}
+{% if rw_conf.pool is vyos_defined %}
 pools = {{ rw_conf.pool | join(',') }}
 {% endif %}
 local {
-{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %}
- id = "{{ rw_conf.authentication.id }}"
+{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
+ id = '{{ rw_conf.authentication.id }}'
 {% endif %}
 {% if rw_conf.authentication.server_mode == 'x509' %}
 auth = pubkey
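Review bot: `id = '{{ rw_conf.authentication.id }}'` switches the local IKE identity from double to single quotes, a behaviour change buried in a test-renaming commit and inconsistent with `peer.tmpl`, where the same commit keeps `id = "{{ peer_conf.authentication.id }}"`. As far as I recall strongSwan's settings syntax only interprets escape sequences inside double-quoted strings, so an identity containing a backslash would now be loaded differently than before. Either keep `id = "{{ rw_conf.authentication.id }}"` or explain the reason in the commit message; in both cases an identity containing the chosen quote character still breaks the generated swanctl.conf, so the verify step should reject that character if the CLI does not already constrain the value.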
@@ -40,8 +40,8 @@
 rand_time = 540s
 dpd_action = clear
 inactivity = {{ rw_conf.timeout }}
-{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %}
-{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %}
+{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
+{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
 {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
 local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }}
 }
diff --git a/data/templates/lcd/LCDd.conf.tmpl b/data/templates/lcd/LCDd.conf.tmpl
index 2c7ad920f..2c8c6602d 100644
--- a/data/templates/lcd/LCDd.conf.tmpl
+++ b/data/templates/lcd/LCDd.conf.tmpl
@@ -48,7 +48,7 @@ DriverPath=/usr/lib/x86_64-linux-gnu/lcdproc/
 # sed1520, serialPOS, serialVFD, shuttleVFD, sli, stv5730, svga, t6963,
 # text, tyan, ula200, vlsys_m428, xosd, yard2LCD
-{% if model is defined %}
+{% if model is vyos_defined %}
 {% if model.startswith('cfa-') %}
 Driver=CFontzPacket
 {% elif model == 'sdec' %}
@@ -115,7 +115,7 @@ Heartbeat=off
 # set title scrolling speed [default: 10; legal: 0-10]
 TitleSpeed=10
-{% if model is defined and model is not none %}
+{% if model is vyos_defined %}
 {% if model.startswith('cfa-') %}
 ## CrystalFontz packet driver (for CFA533, CFA631, CFA633 & CFA635) ##
 [CFontzPacket]
diff --git a/data/templates/lldp/lldpd.tmpl b/data/templates/lldp/lldpd.tmpl
index 819e70c84..9ab1e4367 100644
--- a/data/templates/lldp/lldpd.tmpl
+++ b/data/templates/lldp/lldpd.tmpl
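Review bot: The new `local_port` assignment feeds the context line `{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}`, and that format string references positional argument 1 while only one argument is passed, so as written the template raises IndexError whenever `rw_conf.local.port` is set instead of producing `local_ts`. The sibling code in `peer.tmpl` uses `'[{0}/{1}]'.format(proto, local_port)`, which suggests a copy-and-paste slip; the fix is `{% set local_suffix = '[%any/{0}]'.format(local_port) if local_port else '' %}`. Since the failure only appears on that path, a smoke test rendering a remote-access profile with `local port` set would have caught it. The `ra-{{ name }} {` block this hunk sits in starts before the hunk.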
@@ -1,2 +1,2 @@
 ### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4{% if snmp is defined and snmp.enable is defined %} -x{% endif %}{% if legacy_protocols is defined and legacy_protocols.cdp is defined %} -c{% endif %}{% if legacy_protocols is defined and legacy_protocols.edp is defined %} -e{% endif %}{% if legacy_protocols is defined and legacy_protocols.fdp is defined %} -f{% endif %}{% if legacy_protocols is defined and legacy_protocols.sonmp is defined %} -s{% endif %}"
+DAEMON_ARGS="-M 4{% if snmp.enable is vyos_defined %} -x{% endif %}{% if legacy_protocols.cdp is vyos_defined %} -c{% endif %}{% if legacy_protocols.edp is vyos_defined %} -e{% endif %}{% if legacy_protocols.fdp is vyos_defined %} -f{% endif %}{% if legacy_protocols.sonmp is vyos_defined %} -s{% endif %}"
diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl
index 14395a223..c34a851aa 100644
--- a/data/templates/lldp/vyos.conf.tmpl
+++ b/data/templates/lldp/vyos.conf.tmpl
@@ -2,24 +2,24 @@
 configure system platform VyOS
 configure system description "VyOS {{ version }}"
-{% if interface is defined and interface is not none %}
+{% if interface is vyos_defined %}
 {% set tmp = [] %}
 {% for iface, iface_options in interface.items() if not iface_options.disable %}
 {% if iface == 'all' %}
 {% set iface = '*' %}
 {% endif %}
 {% set _ = tmp.append(iface) %}
-{% if iface_options.location is defined and iface_options.location is not none %}
-{% if iface_options.location.elin is defined and iface_options.location.elin is not none %}
+{% if iface_options.location is vyos_defined %}
+{% if iface_options.location.elin is vyos_defined %}
 configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}"
 {% endif %}
-{% if iface_options.location is defined and iface_options.location.coordinate_based is defined and iface_options.location.coordinate_based is not none %}
+{% if iface_options.location.coordinate_based is vyos_defined %}
 configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}"
 {% endif %}
 {% endif %}
 {% endfor %}
 configure system interface pattern "{{ tmp | join(",") }}"
 {% endif %}
-{% if management_address is defined and management_address is not none %}
+{% if management_address is vyos_defined %}
 configure system ip management pattern {{ management_address | join(",") }}
 {% endif %}
diff --git a/data/templates/login/authorized_keys.tmpl b/data/templates/login/authorized_keys.tmpl
index 639a80e1d..9402c8719 100644
--- a/data/templates/login/authorized_keys.tmpl
+++ b/data/templates/login/authorized_keys.tmpl
@@ -1,9 +1,9 @@
 ### Automatically generated by system-login.py ###
-{% if authentication is defined and authentication.public_keys is defined and authentication.public_keys is not none %}
+{% if authentication.public_keys is vyos_defined %}
 {% for key, key_options in authentication.public_keys.items() %}
 {# The whitespace after options is wisely chosen #}
-{{ key_options.options + ' ' if key_options.options is defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
+{{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
 {% endfor %}
 {% endif %}
diff --git a/data/templates/login/pam_radius_auth.conf.tmpl b/data/templates/login/pam_radius_auth.conf.tmpl
index fad8e7dcb..4e34ade41 100644
--- a/data/templates/login/pam_radius_auth.conf.tmpl
+++ b/data/templates/login/pam_radius_auth.conf.tmpl
@@ -1,10 +1,10 @@
 # Automatically generated by system-login.py
 # RADIUS configuration file
-{% if radius is defined and radius is not none %}
+{% if radius is vyos_defined %}
 {# RADIUS IPv6 source address must be specified in [] notation #}
 {% set source_address = namespace() %}
-{% if radius.source_address is defined and radius.source_address is not none %}
+{% if radius.source_address is vyos_defined %}
 {% for address in radius.source_address %}
 {% if address | is_ipv4 %}
 {% set source_address.ipv4 = address %}
@@ -13,15 +13,15 @@
 {% endif %}
 {% endfor %}
 {% endif %}
-{% if radius.server is defined and radius.server is not none %}
+{% if radius.server is vyos_defined %}
 # server[:port] shared_secret timeout source_ip
 {# .items() returns a tuple of two elements: key and value. 1 relates to the 2nd element i.e. the value and .priority relates to the key from the internal dict #}
 {% for server, options in radius.server.items() | sort(attribute='1.priority') if not options.disabled %}
 {# RADIUS IPv6 servers must be specified in [] notation #}
 {% if server | is_ipv4 %}
-{{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is defined }}
+{{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is vyos_defined }}
 {% else %}
-[{{ server }}]:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv6 if source_address.ipv6 is defined }}
+[{{ server }}]:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv6 if source_address.ipv6 is vyos_defined }}
 {% endif %}
 {% endfor %}
 {% endif %}
@@ -29,7 +29,7 @@
 priv-lvl 15
 mapped_priv_user radius_priv_user
-{% if radius.vrf is defined and radius.vrf is not none %}
+{% if radius.vrf is vyos_defined %}
 vrf-name {{ radius.vrf }}
 {% endif %}
 {% endif %}
diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.tmpl
index 5b353def8..0ac7cb860 100644
--- a/data/templates/macsec/wpa_supplicant.conf.tmpl
+++ b/data/templates/macsec/wpa_supplicant.conf.tmpl
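Review bot: The loop filter on the context line, `{% for server, options in radius.server.items() | sort(attribute='1.priority') if not options.disabled %}`, keys on `disabled`, while every other template in this commit spells the per-node switch `disable` (`config.disable` in ndppd, `user_config.disable` in ocserv, `iface_options.disable` in lldp). If the RADIUS server node is also `disable`, `options.disabled` is never set, so a server the operator disabled is still written to the PAM config together with its shared secret and remains usable for authentication. Please confirm against the interface definition and, if so, change it to `if options.disable is not vyos_defined`, in keeping with the rest of the commit. Separately, `"%-25s" | format(options.key)` only pads: a secret containing whitespace would be split by pam_radius_auth's column-oriented parser, so the verify step should reject such secrets unless the CLI already does.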
@@ -45,10 +45,9 @@ network={
 # - the key server has decided to enable MACsec
 # 0: Encrypt traffic (default)
 # 1: Integrity only
- macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }}
+ macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }}
-{% if security is defined %}
-{% if security.encrypt is defined %}
+{% if security.encrypt is vyos_defined %}
 # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
 # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
@@ -63,9 +62,9 @@ network={
 # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
 # default priority
 mka_priority={{ security.mka.priority }}
-{% endif %}
+{% endif %}
-{% if security.replay_window is defined %}
+{% if security.replay_window is vyos_defined %}
 # macsec_replay_protect: IEEE 802.1X/MACsec replay protection
 # This setting applies only when MACsec is in use, i.e.,
 # - macsec_policy is enabled
@@ -83,7 +82,6 @@ network={
 # 0: No replay window, strict check (default)
 # 1..2^32-1: number of packets that could be misordered
 macsec_replay_window={{ security.replay_window }}
-{% endif %}
 {% endif %}
 }
diff --git a/data/templates/ndppd/ndppd.conf.tmpl b/data/templates/ndppd/ndppd.conf.tmpl
index 502dab5b8..c41392cc7 100644
--- a/data/templates/ndppd/ndppd.conf.tmpl
+++ b/data/templates/ndppd/ndppd.conf.tmpl
@@ -15,13 +15,13 @@
 ########################################################
 {% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
-{% if source is defined and source.rule is defined and source.rule is not none %}
+{% if source.rule is vyos_defined %}
 {% for rule, config in source.rule.items() if config.disable is not defined %}
-{% if config.outbound_interface is defined %}
+{% if config.outbound_interface is vyos_defined %}
 {% if config.outbound_interface not in global.ndppd_interfaces %}
 {% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
 {% endif %}
-{% if config.translation is defined and config.translation.address is defined and config.translation.address | is_ip_network %}
+{% if config.translation.address is vyos_defined and config.translation.address | is_ip_network %}
 {% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
 {% endif %}
 {% endif %}
diff --git a/data/templates/nhrp/opennhrp.conf.tmpl b/data/templates/nhrp/opennhrp.conf.tmpl
index e9e9f692a..721d41e49 100644
--- a/data/templates/nhrp/opennhrp.conf.tmpl
+++ b/data/templates/nhrp/opennhrp.conf.tmpl
@@ -1,29 +1,29 @@
 # Created by VyOS - manual changes will be overwritten
-{% if tunnel is defined and tunnel is not none %}
+{% if tunnel is vyos_defined %}
 {% for name, tunnel_conf in tunnel.items() %}
-{% set type = 'spoke' if tunnel_conf.map is defined or tunnel_conf.dynamic_map is defined else 'hub' %}
-{% set profile_name = profile_map[name] if profile_map is defined and name in profile_map else '' %}
+{% set type = 'spoke' if tunnel_conf.map is vyos_defined or tunnel_conf.dynamic_map is vyos_defined else 'hub' %}
+{% set profile_name = profile_map[name] if profile_map is vyos_defined and name in profile_map else '' %}
 interface {{ name }} #{{ type }} {{ profile_name }}
-{% if tunnel_conf.map is defined and tunnel_conf.map is not none %}
+{% if tunnel_conf.map is vyos_defined %}
 {% for map, map_conf in tunnel_conf.map.items() %}
-{% set cisco = ' cisco' if map_conf.cisco is defined else '' %}
-{% set register = ' register' if map_conf.register is defined else '' %}
+{% set cisco = ' cisco' if map_conf.cisco is vyos_defined else '' %}
+{% set register = ' register' if map_conf.register is vyos_defined else '' %}
 map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }}
 {% endfor %}
 {% endif %}
-{% if tunnel_conf.dynamic_map is defined and tunnel_conf.dynamic_map is not none %}
+{% if tunnel_conf.dynamic_map is vyos_defined %}
 {% for map, map_conf in tunnel_conf.dynamic_map.items() %}
 dynamic-map {{ map }} {{ map_conf.nbma_domain_name }}
 {% endfor %}
 {% endif %}
-{% if tunnel_conf.cisco_authentication is defined and tunnel_conf.cisco_authentication is not none %}
+{% if tunnel_conf.cisco_authentication is vyos_defined %}
 cisco-authentication {{ tunnel_conf.cisco_authentication }}
 {% endif %}
-{% if tunnel_conf.holding_time is defined and tunnel_conf.holding_time is not none %}
+{% if tunnel_conf.holding_time is vyos_defined %}
 holding-time {{ tunnel_conf.holding_time }}
 {% endif %}
-{% if tunnel_conf.multicast is defined and tunnel_conf.multicast is not none %}
+{% if tunnel_conf.multicast is vyos_defined %}
 multicast {{ tunnel_conf.multicast }}
 {% endif %}
 {% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %}
@@ -31,9 +31,9 @@ interface {{ name }} #{{ type }} {{ profile_name }}
 {{ key | replace("_", "-") }}
 {% endif %}
 {% endfor %}
-{% if tunnel_conf.shortcut_target is defined and tunnel_conf.shortcut_target is not none %}
+{% if tunnel_conf.shortcut_target is vyos_defined %}
 {% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %}
- shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is defined }}
+ shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is vyos_defined }}
 {% endfor %}
 {% endif %}
diff --git a/data/templates/ntp/ntpd.conf.tmpl b/data/templates/ntp/ntpd.conf.tmpl
index e7afcc16b..3123fdf19 100644
--- a/data/templates/ntp/ntpd.conf.tmpl
+++ b/data/templates/ntp/ntpd.conf.tmpl
@@ -15,17 +15,17 @@ restrict -6 ::1
 #
 # Configurable section
 #
-{% if server is defined and server is not none %}
+{% if server is vyos_defined %}
 {% for server, config in server.items() %}
 {% set association = 'server' %}
-{% if config.pool is defined %}
+{% if config.pool is vyos_defined %}
 {% set association = 'pool' %}
 {% endif %}
-{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is defined }} {{ 'preempt' if config.preempt is defined }} {{ 'prefer' if config.prefer is defined }}
+{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'preempt' if config.preempt is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }}
 {% endfor %}
 {% endif %}
-{% if allow_clients is defined and allow_clients.address is defined %}
+{% if allow_clients.address is vyos_defined %}
 # Allowed clients configuration
 restrict default ignore
 {% for address in allow_clients.address %}
diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl
index 28eb61b21..dbfdc4545 100644
--- a/data/templates/ntp/override.conf.tmpl
+++ b/data/templates/ntp/override.conf.tmpl
@@ -1,4 +1,4 @@
-{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %}
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
 [Unit]
 StartLimitIntervalSec=0
 ConditionPathExists={{config_file}}
@@ -6,7 +6,7 @@ After=vyos-router.service
 [Service]
 ExecStart=
-ExecStart={{vrf_command}}/usr/sbin/ntpd -g -p {{config_file | replace('.conf', '.pid') }} -c {{config_file}} -u ntp:ntp
+ExecStart={{vrf_command}}/usr/sbin/ntpd -g -p {{ config_file | replace('.conf', '.pid') }} -c {{ config_file }} -u ntp:ntp
 PIDFile=
 PIDFile={{config_file | replace('.conf', '.pid') }}
 Restart=always
diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.tmpl
index 19045c4b4..05b85a610 100644
--- a/data/templates/ocserv/ocserv_config.tmpl
+++ b/data/templates/ocserv/ocserv_config.tmpl
@@ -20,15 +20,15 @@ auth = "plain[/run/ocserv/ocpasswd]"
 auth = "plain[/run/ocserv/ocpasswd]"
 {% endif %}
-{% if ssl.certificate is defined %}
+{% if ssl.certificate is vyos_defined %}
 server-cert = /run/ocserv/cert.pem
 server-key = /run/ocserv/cert.key
-{% if ssl.passphrase is defined %}
+{% if ssl.passphrase is vyos_defined %}
 key-pin = {{ ssl.passphrase }}
 {% endif %}
 {% endif %}
-{% if ssl.ca_certificate is defined %}
+{% if ssl.ca_certificate is vyos_defined %}
 ca-cert = /run/ocserv/ca.pem
 {% endif %}
diff --git a/data/templates/ocserv/ocserv_otp_usr.tmpl b/data/templates/ocserv/ocserv_otp_usr.tmpl
index fea9af5d5..18de5fec6 100644
--- a/data/templates/ocserv/ocserv_otp_usr.tmpl
+++ b/data/templates/ocserv/ocserv_otp_usr.tmpl
@@ -1,7 +1,7 @@
 #<token_type> <username> <pin> <secret_hex_key> <counter> <lastpass> <time>
-{% if username is defined %}
+{% if username is vyos_defined %}
 {% for user, user_config in username.items() %}
-{% if user_config.disable is not defined and user_config.otp is defined and user_config.otp is not none %}
+{% if user_config.disable is not vyos_defined and user_config.otp is vyos_defined %}
 {{ user_config.otp.token_tmpl }} {{ user }} {{ user_config.otp.pin | default("-", true) }} {{ user_config.otp.key }}
 {% endif %}
 {% endfor %}
diff --git a/data/templates/ocserv/ocserv_passwd.tmpl b/data/templates/ocserv/ocserv_passwd.tmpl
index ffadb4860..30c79d66a 100644
--- a/data/templates/ocserv/ocserv_passwd.tmpl
+++ b/data/templates/ocserv/ocserv_passwd.tmpl
@@ -1,6 +1,8 @@
 #<username>:<group>:<hash>
-{% for user in username if username is defined %}
-{% if not "disable" in username[user] %}
-{{ user }}:*:{{ username[user].hash }}
-{% endif %}
-{% endfor %}
\ No newline at end of file
+{% if username is vyos_defined %}
+{% for user, user_config in username.items() %}
+{% if user_config.disable is not vyos_defined %}
+{{ user }}:*:{{ user_config.hash }}
+{% endif %}
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.tmpl
index 9b20c9742..218121062 100644
--- a/data/templates/openvpn/auth.pw.tmpl
+++ b/data/templates/openvpn/auth.pw.tmpl
@@ -1,5 +1,5 @@
 {# Autogenerated by interfaces-openvpn.py #}
-{% if authentication is defined and authentication is not none %}
+{% if authentication is vyos_defined %}
 {{ authentication.username }}
 {{ authentication.password }}
 {% endif %}
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl
index e6e15b6ad..98c8b0273 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.tmpl
@@ -3,12 +3,12 @@
 {% if ip %}
 ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
 {% endif %}
-{% if push_route is defined and push_route is not none %}
+{% if push_route is vyos_defined %}
 {% for route in push_route %}
 push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
 {% endfor %}
 {% endif %}
-{% if subnet is defined and subnet is not none %}
+{% if subnet is vyos_defined %}
 {% for network in subnet %}
 iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
 {% endfor %}
@@ -26,6 +26,6 @@ push "route-ipv6 {{ route6 }}"
 iroute-ipv6 {{ net6 }}
 {% endfor %}
 {% endif %}
-{% if disable is defined %}
+{% if disable is vyos_defined %}
 disable
 {% endif %}
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index fb7ad9e16..f26680fa3 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -3,7 +3,7 @@
 # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 # for individual keyword definition
 #
-# {{ description if description is defined and description is not none }}
+# {{ description if description is vyos_defined }}
 #
 verb 3
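Review bot: The rewritten loop emits `{{ user }}:*:{{ user_config.hash }}` for every user that is not disabled without checking that `user_config.hash` is present, so a user node configured without a password renders as `name:*:` with an empty hash field. The previous version had the same gap, and whether ocserv treats an empty hash as a locked account or as a passwordless one is not something this diff shows, but an authentication database is the wrong place to leave it to chance: guard the line with `{% if user_config.disable is not vyos_defined and user_config.hash is vyos_defined %}` or make the verify step require a password for every enabled user, if it does not already. The header comment `#<username>:<group>:<hash>` also says `<group>` while the template always writes `*`; a short note that `*` means "no group restriction" would save the next reader a lookup.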
@@ -17,35 +17,35 @@ proto tcp-server
 {% else %}
 proto udp
 {% endif %}
-{% if local_host is defined and local_host is not none %}
+{% if local_host is vyos_defined %}
 local {{ local_host }}
 {% endif %}
-{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %}
+{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %}
 multihome
 {% endif %}
-{% if local_port is defined and local_port is not none %}
+{% if local_port is vyos_defined %}
 lport {{ local_port }}
 {% endif %}
-{% if remote_port is defined and remote_port is not none %}
+{% if remote_port is vyos_defined %}
 rport {{ remote_port }}
 {% endif %}
-{% if remote_host is defined and remote_host is not none %}
+{% if remote_host is vyos_defined %}
 {% for remote in remote_host %}
 remote {{ remote }}
 {% endfor %}
 {% endif %}
-{% if shared_secret_key is defined and shared_secret_key is not none %}
+{% if shared_secret_key is vyos_defined %}
 secret /run/openvpn/{{ ifname }}_shared.key
 {% endif %}
-{% if persistent_tunnel is defined %}
+{% if persistent_tunnel is vyos_defined %}
 persist-tun
 {% endif %}
-{% if replace_default_route is defined and replace_default_route.local is defined %}
+{% if replace_default_route.local is vyos_defined %}
 push "redirect-gateway local def1"
-{% elif replace_default_route is defined %}
+{% elif replace_default_route is vyos_defined %}
 push "redirect-gateway def1"
 {% endif %}
-{% if use_lzo_compression is defined %}
+{% if use_lzo_compression is vyos_defined %}
 compress lzo
 {% endif %}
@@ -62,21 +62,21 @@ nobind
 # mode server
 tls-server
-{% if server is defined and server is not none %}
-{% if server.subnet is defined and server.subnet is not none %}
-{% if server.topology is defined and server.topology == 'point-to-point' %}
+{% if server is vyos_defined %}
+{% if server.subnet is vyos_defined %}
+{% if server.topology is vyos_defined('point-to-point') %}
 topology p2p
-{% elif server.topology is defined and server.topology is not none %}
+{% elif server.topology is vyos_defined %}
 topology {{ server.topology }}
 {% endif %}
 {% for subnet in server.subnet %}
 {% if subnet | is_ipv4 %}
 server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
 {# First ip address is used as gateway. It's allows to use metrics #}
-{% if server.push_route is defined and server.push_route is not none %}
+{% if server.push_route is vyos_defined %}
 {% for route, route_config in server.push_route.items() %}
 {% if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
 {% elif route | is_ipv6 %}
 push "route-ipv6 {{ route }}"
 {% endif %}
@@ -84,7 +84,7 @@ push "route-ipv6 {{ route }}"
 {% endif %}
 {# OpenVPN assigns the first IP address to its local interface so the pool used #}
 {# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is defined and server.topology == 'net30' %}
+{% if server.topology is vyos_defined('net30') %}
 ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
 {% else %}
 {# OpenVPN assigns the first IP address to its local interface so the pool must #}
@@ -97,24 +97,24 @@ server-ipv6 {{ subnet }} {% endfor %} {% endif %} -{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} -ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} +{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} {% endif %} -{% if server.max_connections is defined and server.max_connections is not none %} +{% if server.max_connections is vyos_defined %} max-clients {{ server.max_connections }} {% endif %} -{% if server.client is defined and server.client is not none %} +{% if server.client is vyos_defined %} client-config-dir /run/openvpn/ccd/{{ ifname }} {% endif %} {% endif %} keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} management /run/openvpn/openvpn-mgmt-intf unix -{% if server is defined and server is not none %} -{% if server.reject_unconfigured_clients is defined %} +{% if server is vyos_defined %} +{% if server.reject_unconfigured_clients is vyos_defined %} ccd-exclusive {% endif %} -{% if server.name_server is defined and server.name_server is not none %} +{% if server.name_server is vyos_defined %} {% for nameserver in server.name_server %} {% if nameserver | is_ipv4 %} push "dhcp-option DNS {{ nameserver }}" 
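Review bot: Two security-sensitive switches in this hunk now depend on how a valueless node is represented in the template dict: `{% if server.reject_unconfigured_clients is vyos_defined %}` (emits `ccd-exclusive`) and `server.client_ip_pool.disable is not vyos_defined`. If such a node ever arrives as a `None` value rather than an empty mapping, `vyos_defined` presumably reports it as unset and both fail open — `ccd-exclusive` vanishes so clients without a CCD entry are accepted, and `ifconfig-pool` is still emitted for a pool the operator disabled — whereas the old `is defined` test accepted either representation. The same assumption underlies every valueless flag in this commit, but here the failure mode is silent loss of an access control, so pin it with a render test that sets `reject-unconfigured-clients` and asserts `ccd-exclusive` appears in the output. The enclosing `{% if server is vyos_defined %}` block is reopened inside this hunk and closed below it.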
@@ -123,14 +123,12 @@ push "dhcp-option DNS6 {{ nameserver }}" {% endif %} {% endfor %} {% endif %} -{% if server.domain_name is defined and server.domain_name is not none %} +{% if server.domain_name is vyos_defined %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} -{% if server.mfa is defined and server.mfa is not none %} -{% if server.mfa.totp is defined and server.mfa.totp is not none %} -{% set totp_config = server.mfa.totp %} +{% if server.mfa.totp is vyos_defined %} +{% set totp_config = server.mfa.totp %} plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" -{% endif %} {% endif %} {% endif %} {% else %} @@ -141,9 +139,9 @@ ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} {% if device_type == 'tap' %} -{% if local_address is defined and local_address is not none %} +{% if local_address is vyos_defined %} {% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} +{% if laddr_conf.subnet_mask is vyos_defined %} ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} {% endif %} {% endfor %} 
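Review bot: The plugin line in this hunk still tests `totp_config.challenge == 'enable'` while every sibling condition was converted, so `password_is_cr={{ '1' if totp_config.challenge is vyos_defined('enable') else '0' }}` keeps the hunk on one idiom. Collapsing the two guards into `{% if server.mfa.totp is vyos_defined %}` is only safe because attribute access on a missing `server.mfa` must yield a chainable undefined rather than raise; that class is not visible here, though the pre-existing `from_conf.firewall.name` checks elsewhere in this commit suggest it is already in use. The four `otp_*` settings are concatenated unconditionally, so a missing value renders as an empty `otp_slop=` passed to the plugin; if defaults are not guaranteed upstream, guard each with the same `is vyos_defined` test.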
@@ -162,67 +160,65 @@ ifconfig-ipv6 {{ laddr }} {{ raddr }} {% endif %} {% endif %} -{% if tls is defined and tls is not none %} +{% if tls is vyos_defined %} # TLS options -{% if tls.ca_certificate is defined and tls.ca_certificate is not none %} +{% if tls.ca_certificate is vyos_defined %} ca /run/openvpn/{{ ifname }}_ca.pem {% endif %} -{% if tls.certificate is defined and tls.certificate is not none %} +{% if tls.certificate is vyos_defined %} cert /run/openvpn/{{ ifname }}_cert.pem {% endif %} -{% if tls.private_key is defined %} +{% if tls.private_key is vyos_defined %} key /run/openvpn/{{ ifname }}_cert.key {% endif %} -{% if tls.crypt_key is defined and tls.crypt_key is not none %} +{% if tls.crypt_key is vyos_defined %} tls-crypt /run/openvpn/{{ ifname }}_crypt.key {% endif %} -{% if tls.crl is defined %} +{% if tls.crl is vyos_defined %} crl-verify /run/openvpn/{{ ifname }}_crl.pem {% endif %} -{% if tls.tls_version_min is defined and tls.tls_version_min is not none %} +{% if tls.tls_version_min is vyos_defined %} tls-version-min {{ tls.tls_version_min }} {% endif %} -{% if tls.dh_params is defined and tls.dh_params is not none %} +{% if tls.dh_params is vyos_defined %} dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode == 'server' and tls.private_key is defined %} +{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} dh none {% endif %} -{% if tls.auth_key is defined and tls.auth_key is not none %} +{% if tls.auth_key is vyos_defined %} {% if mode == 'client' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 1 {% elif mode == 'server' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 0 {% endif %} {% endif %} -{% if tls.role is defined and tls.role is not none %} -{% if tls.role == 'active' %} +{% if tls.role is vyos_defined('active') %} tls-client -{% elif tls.role == 'passive' %} +{% elif tls.role is vyos_defined('passive') %} tls-server -{% endif %} {% endif %} {% endif %} # Encryption options -{% if encryption is defined and 
encryption is not none %} -{% if encryption.cipher is defined and encryption.cipher is not none %} +{% if encryption is vyos_defined %} +{% if encryption.cipher is vyos_defined %} cipher {{ encryption.cipher | openvpn_cipher }} -{% if encryption.cipher == 'bf128' %} +{% if encryption.cipher is vyos_defined('bf128') %} keysize 128 -{% elif encryption.cipher == 'bf256' %} +{% elif encryption.cipher is vyos_defined('bf256') %} keysize 256 {% endif %} {% endif %} -{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} +{% if encryption.ncp_ciphers is vyos_defined %} data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} {% endif %} {% endif %} -{% if hash is defined and hash is not none %} +{% if hash is vyos_defined %} auth {{ hash }} {% endif %} -{% if authentication is defined and authentication is not none %} +{% if authentication is vyos_defined %} auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract {% endif %} diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl index 069bdbd08..cba652223 100644 --- a/data/templates/openvpn/service-override.conf.tmpl +++ b/data/templates/openvpn/service-override.conf.tmpl @@ -1,7 +1,7 @@ [Service] ExecStart= ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid -{%- if openvpn_option is defined and openvpn_option is not none %} +{%- if openvpn_option is vyos_defined %} {% for option in openvpn_option %} {# Remove the '--' prefix from variable if it is presented #} {% if option.startswith('--') %} diff --git a/data/templates/pmacct/override.conf.tmpl b/data/templates/pmacct/override.conf.tmpl index 216927666..213569ddc 100644 --- a/data/templates/pmacct/override.conf.tmpl +++ b/data/templates/pmacct/override.conf.tmpl 
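Review bot: Inside the `{% if tls.auth_key is vyos_defined %}` block the key direction is still chosen only by `mode == 'client'` / `mode == 'server'`, so in any other mode (the `tls.role` active/passive branch right below it, and the non-server `ifconfig` branch earlier in this file, suggest one exists) a configured `auth_key` yields no `tls-auth` line at all and the HMAC protection is silently dropped. Either derive the direction from the role as well, mirroring the client/server mapping already used here — `{% if mode == 'client' or tls.role is vyos_defined('active') %}` for direction 1 and `{% elif mode == 'server' or tls.role is vyos_defined('passive') %}` for direction 0 — or reject `auth_key` without a resolvable direction in the verify step so a key can never be configured-but-ignored. The same lines also keep bare `mode == '...'` comparisons two lines after `mode is vyos_defined('server')` was introduced for `dh none`; pick one form within the hunk. The `# Encryption options` block this hunk also rewrites ends at the file boundary shown here.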
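Review bot: `openvpn_option` entries are spliced into a systemd `ExecStart=` line, and the only normalisation visible in this hunk is stripping a leading `--`; systemd applies its own quoting, `$` expansion and `;` separator handling to that line, so an option containing whitespace, quotes or `$` alters the unit instead of reaching OpenVPN verbatim. If the config script does not already constrain these values, validate them there (or hand them to OpenVPN through a `--config` fragment rather than the command line) instead of relying on the template. The `{% for option in openvpn_option %}` body continues past the end of this hunk.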
@@ -1,4 +1,4 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After= After=vyos-router.service @@ -8,7 +8,7 @@ ConditionPathExists=/run/pmacct/uacctd.conf [Service] EnvironmentFile= ExecStart= -ExecStart={{vrf_command}}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf +ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf WorkingDirectory= WorkingDirectory=/run/pmacct PIDFile= diff --git a/data/templates/pmacct/uacctd.conf.tmpl b/data/templates/pmacct/uacctd.conf.tmpl index b58f7c796..7e4f80e95 100644 --- a/data/templates/pmacct/uacctd.conf.tmpl +++ b/data/templates/pmacct/uacctd.conf.tmpl @@ -5,12 +5,12 @@ pidfile: /run/pmacct/uacctd.pid uacctd_group: 2 uacctd_nl_size: 2097152 snaplen: {{ packet_length }} -aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +aggregate: in_iface{{ ',out_iface' if enable_egress is vyos_defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows {% set pipe_size = buffer_size | int *1024 *1024 %} plugin_pipe_size: {{ pipe_size }} {# We need an integer division (//) without any remainder or fraction #} plugin_buffer_size: {{ pipe_size // 1000 }} -{% if syslog_facility is defined and syslog_facility is not none %} +{% if syslog_facility is vyos_defined %} syslog: {{ syslog_facility }} {% endif %} {% if disable_imt is not defined %} 
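Review bot: `{% if disable_imt is not defined %}` at the end of the uacctd hunk is the one condition left on the old test while `enable_egress` and `syslog_facility` in the same hunk moved to `vyos_defined`; write it `{% if disable_imt is not vyos_defined %}` so the two idioms do not drift apart. The tests differ only when the key is present with a `None` value, and the rest of this commit treats that case as "not set", so leaving this one behind makes IMT enablement the odd one out. The `{% if %}` body continues past the hunk.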
@@ -19,12 +19,12 @@ imt_mem_pools_number: 169 {% endif %} {% set plugin = [] %} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% if netflow.server is vyos_defined %} {% for server in netflow.server %} {% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %} {% endfor %} {% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% if sflow.server is vyos_defined %} {% for server in sflow.server %} {% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %} {% endfor %} 
@@ -34,39 +34,39 @@ imt_mem_pools_number: 169 {% endif %} plugins: {{ plugin | join(',') }} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% if netflow.server is vyos_defined %} # NetFlow servers {% for server, server_config in netflow.server.items() %} nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} nfprobe_version[nf_{{ server }}]: {{ netflow.version }} -{% if netflow.engine_id is defined and netflow.engine_id is not none %} +{% if netflow.engine_id is vyos_defined %} nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} {% endif %} -{% if netflow.max_flows is defined and netflow.max_flows is not none %} +{% if netflow.max_flows is vyos_defined %} nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} {% endif %} -{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} +{% if netflow.sampling_rate is vyos_defined %} sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} {% endif %} -{% if netflow.source_address is defined and netflow.source_address is not none %} +{% if netflow.source_address is vyos_defined %} nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} {% endif %} -{% if netflow.timeout is defined and netflow.timeout is not none %} +{% if netflow.timeout is vyos_defined %} nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} {% endif %} {% endfor %} {% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% if sflow.server is vyos_defined %} # sFlow servers {% for server, server_config in sflow.server.items() %} sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} sfprobe_agentip[sf_{{ 
server }}]: {{ sflow.agent_address }} -{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} +{% if sflow.sampling_rate is vyos_defined %} sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} {% endif %} -{% if sflow.source_address is defined and sflow.source_address is not none %} +{% if sflow.source_address is vyos_defined %} sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} {% endif %} diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl index bac4155d6..0be7b03c8 100644 --- a/data/templates/pppoe/ip-down.script.tmpl +++ b/data/templates/pppoe/ip-down.script.tmpl @@ -26,13 +26,13 @@ fi {% if default_route != 'none' %} # Always delete default route when interface goes down if we installed it vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" -{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %} +{% if ipv6.address.autoconf is vyos_defined %} vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" {% endif %} {% endif %} {% endif %} -{% if dhcpv6_options is defined and dhcpv6_options.pd is defined %} +{% if dhcpv6_options.pd is vyos_defined %} # Stop wide dhcpv6 client systemctl stop dhcp6c@{{ ifname }}.service {% endif %} diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl index 26aff90bf..e8627b022 100644 --- a/data/templates/squid/squid.conf.tmpl +++ b/data/templates/squid/squid.conf.tmpl 
@@ -15,20 +15,20 @@ acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT -{% if authentication is defined and authentication is not none %} -{% if authentication.children is defined and authentication.children is not none %} +{% if authentication is vyos_defined %} +{% if authentication.children is vyos_defined %} auth_param basic children {{ authentication.children }} {% endif %} -{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %} +{% if authentication.credentials_ttl is vyos_defined %} auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute {% endif %} -{% if authentication.realm is defined and authentication.realm is not none %} +{% if authentication.realm is vyos_defined %} auth_param basic realm "{{ authentication.realm }}" {% endif %} {# LDAP based Authentication #} -{% if authentication.method is defined and authentication.method is not none %} -{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %} -auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}" +{% if authentication.method is vyos_defined %} +{% if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %} +auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version 
}} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}" {% endif %} acl auth proxy_auth REQUIRED http_access allow auth @@ -43,24 +43,24 @@ http_access allow localhost http_access allow net http_access deny all -{% if reply_block_mime is defined and reply_block_mime is not none %} +{% if reply_block_mime is vyos_defined %} {% for mime_type in reply_block_mime %} acl BLOCK_MIME rep_mime_type {{ mime_type }} {% endfor %} http_reply_access deny BLOCK_MIME {% endif %} -{% if cache_size is defined and cache_size is not none %} +{% if cache_size is vyos_defined %} {% if cache_size | int > 0 %} cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 {% else %} # disabling disk cache {% endif %} {% endif %} -{% if mem_cache_size is defined and mem_cache_size is not none %} +{% if mem_cache_size is vyos_defined %} cache_mem {{ mem_cache_size }} MB {% endif %} -{% if disable_access_log is defined %} +{% if disable_access_log is vyos_defined %} access_log none {% else %} access_log /var/log/squid/access.log squid 
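Review bot: The rewritten `auth_param basic program` line passes the LDAP bind password on the helper's command line as `-w "{{ authentication.ldap.password }}"`, which exposes it in `ps` output to every local user and breaks the command outright if the password, `bind_dn` or `filter_expression` contains a double quote. If the installed `basic_ldap_auth` supports it, prefer `-W /path/to/passwordfile` pointing at a root-only file written by the config script; at minimum escape embedded quotes before interpolating. The outer `{% if authentication.method is vyos_defined %}` is redundant with `authentication.method is vyos_defined('ldap')` on the next line and can be folded into it.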
@@ -69,26 +69,26 @@ access_log /var/log/squid/access.log squid {# by default we'll disable the store log #} cache_store_log none -{% if append_domain is defined and append_domain is not none %} +{% if append_domain is vyos_defined %} append_domain {{ append_domain }} {% endif %} -{% if maximum_object_size is defined and maximum_object_size is not none %} +{% if maximum_object_size is vyos_defined %} maximum_object_size {{ maximum_object_size }} KB {% endif %} -{% if minimum_object_size is defined and minimum_object_size is not none %} +{% if minimum_object_size is vyos_defined %} minimum_object_size {{ minimum_object_size }} KB {% endif %} -{% if reply_body_max_size is defined and reply_body_max_size is not none %} +{% if reply_body_max_size is vyos_defined %} reply_body_max_size {{ reply_body_max_size }} KB {% endif %} -{% if outgoing_address is defined and outgoing_address is not none %} +{% if outgoing_address is vyos_defined %} tcp_outgoing_address {{ outgoing_address }} {% endif %} -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is vyos_defined %} {% for address, config in listen_address.items() %} -http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }} +http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }} {% endfor %} {% endif %} http_port 127.0.0.1:{{ default_port }} 
@@ -97,15 +97,13 @@ http_port 127.0.0.1:{{ default_port }} forwarded_for off {# SquidGuard #} -{% if url_filtering is defined and url_filtering.disable is not defined %} -{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} +{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %} url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }} url_rewrite_children 8 url_rewrite_bypass on -{% endif %} {% endif %} -{% if cache_peer is defined and cache_peer is not none %} +{% if cache_peer is vyos_defined %} {% for peer, config in cache_peer.items() %} cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} {% endfor %} diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl index c59dc901e..5e877f01f 100644 --- a/data/templates/squid/squidGuard.conf.tmpl +++ b/data/templates/squid/squidGuard.conf.tmpl @@ -8,14 +8,14 @@ dest {{ category }}-default { {% if expressions | is_file %} expressionlist {{ category }}/expressions {% endif %} -{% if log is defined %} +{% if log is vyos_defined %} log blacklist.log {% endif %} } {% endmacro %} -{% if url_filtering is defined and url_filtering.disable is not defined %} -{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} +{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %} +{% if url_filtering.squidguard is vyos_defined %} {% set sg_config = url_filtering.squidguard %} {% set acl = namespace(value='local-ok-default') %} {% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} 
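Review bot: `url_rewrite_bypass on` in this hunk means that when no squidGuard helper is available Squid serves the request unfiltered, so the URL filter fails open; that is a deliberate availability trade-off but nothing in the template records it. Add `{# url_rewrite_bypass on: requests are served unfiltered (fail-open) when no squidGuard helper is available #}` above the line so it is not mistaken for a safety setting, and consider exposing it for deployments that must fail closed. Merging the two guards into `{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %}` drops the old `url_filtering is defined` check and therefore relies on attribute access on a missing `url_filtering` yielding a chainable undefined, which is not visible here.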
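Review bot: The last line of the squidGuard hunk keeps `sg_config.allow_ipaddr_url is not defined` while the two conditions just above it were moved to `vyos_defined`; use `{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not vyos_defined else acl.value %}`. This line decides whether raw-IP URLs bypass the filter, so the two tests diverging on a `None`-valued node would be a silent policy change rather than a cosmetic one. The `{% if url_filtering.squidguard is vyos_defined %}` block continues past the hunk.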
@@ -32,52 +32,52 @@ rewrite safesearch { log rewrite.log } -{% if sg_config.local_ok is defined and sg_config.local_ok is not none %} +{% if sg_config.local_ok is vyos_defined %} {% set acl.value = acl.value + ' local-ok-default' %} dest local-ok-default { domainlist local-ok-default/domains } {% endif %} -{% if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %} +{% if sg_config.local_ok_url is vyos_defined %} {% set acl.value = acl.value + ' local-ok-url-default' %} dest local-ok-url-default { urllist local-ok-url-default/urls } {% endif %} -{% if sg_config.local_block is defined and sg_config.local_block is not none %} +{% if sg_config.local_block is vyos_defined %} {% set acl.value = acl.value + ' !local-block-default' %} dest local-block-default { domainlist local-block-default/domains } {% endif %} -{% if sg_config.local_block_url is defined and sg_config.local_block_url is not none %} +{% if sg_config.local_block_url is vyos_defined %} {% set acl.value = acl.value + ' !local-block-url-default' %} dest local-block-url-default { urllist local-block-url-default/urls } {% endif %} -{% if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %} +{% if sg_config.local_block_keyword is vyos_defined %} {% set acl.value = acl.value + ' !local-block-keyword-default' %} dest local-block-keyword-default { expressionlist local-block-keyword-default/expressions } {% endif %} -{% if sg_config.block_category is defined and sg_config.block_category is not none %} +{% if sg_config.block_category is vyos_defined %} {% for category in sg_config.block_category %} {{ sg_rule(category, sg_config.log, squidguard_db_dir) }} {% set acl.value = acl.value + ' !' 
+ category + '-default' %} {% endfor %} {% endif %} -{% if sg_config.allow_category is defined and sg_config.allow_category is not none %} +{% if sg_config.allow_category is vyos_defined %} {% for category in sg_config.allow_category %} {{ sg_rule(category, False, squidguard_db_dir) }} {% set acl.value = acl.value + ' ' + category + '-default' %} {% endfor %} {% endif %} -{% if sg_config.source_group is defined and sg_config.source_group is not none %} +{% if sg_config.source_group is vyos_defined %} {% for sgroup, sg_config in sg_config.source_group.items() %} -{% if sg_config.address is defined and sg_config.address is not none %} +{% if sg_config.address is vyos_defined %} src {{ sgroup }} { {% for address in sg_config.address %} ip {{ address }} @@ -87,7 +87,7 @@ src {{ sgroup }} { {% endif %} {% endfor %} {% endif %} -{% if sg_config.rule is defined and sg_config.rule is not none %} +{% if sg_config.rule is vyos_defined %} {% for rule, rule_config in sg_config.rule.items() %} {% for b_category in rule_config.block_category%} dest {{ b_category }} { @@ -99,7 +99,7 @@ dest {{ b_category }} { {% endfor %} {% endif %} acl { -{% if sg_config.rule is defined and sg_config.rule is not none %} +{% if sg_config.rule is vyos_defined %} {% for rule, rule_config in sg_config.rule.items() %} {{ rule_config.source_group }} { {% for b_category in rule_config.block_category%} @@ -110,12 +110,12 @@ acl { {% endif %} default { -{% if sg_config.enable_safe_search is defined %} +{% if sg_config.enable_safe_search is vyos_defined %} rewrite safesearch {% endif %} - pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }} + pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }} redirect 302:http://{{ sg_config.redirect_url }} -{% if sg_config.log is defined and sg_config.log is not none %} +{% if sg_config.log is vyos_defined %} log blacklist.log {% endif %} } 
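Review bot: `{% for sgroup, sg_config in sg_config.source_group.items() %}` rebinds `sg_config` to each source-group entry while iterating a collection taken from the outer `sg_config`; Jinja scopes the loop variable so it works, but anything in that loop that intends the outer squidguard config (`sg_config.log`, `sg_config.rule`) silently reads the group instead. Rename the loop variable — `{% for sgroup, group_config in sg_config.source_group.items() %}` and `{% if group_config.address is vyos_defined %}` — so the two namespaces cannot be confused. The `{% if sg_config.rule is vyos_defined %}` hunks below rely on the outer binding being restored once the loop ends.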
diff --git a/data/templates/vyos-hostsd/hosts.tmpl b/data/templates/vyos-hostsd/hosts.tmpl index 03662d562..bc75d384e 100644 --- a/data/templates/vyos-hostsd/hosts.tmpl +++ b/data/templates/vyos-hostsd/hosts.tmpl @@ -12,13 +12,13 @@ ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters -{% if hosts is defined and hosts is not none %} +{% if hosts is vyos_defined %} # From 'system static-host-mapping' and DHCP server {% for tag, taghosts in hosts.items() %} # {{ tag }} -{% for host, hostprops in taghosts.items() if hostprops.address is defined %} +{% for host, hostprops in taghosts.items() if hostprops.address is vyos_defined %} {% for addr in hostprops.address %} -{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases|join(' ') if hostprops.aliases is defined }} +{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases|join(' ') if hostprops.aliases is vyos_defined }} {% endfor %} {% endfor %} {% endfor %} diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.tmpl index 4a6bd2772..9e532b79e 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.tmpl 
@@ -1,18 +1,18 @@ #!/usr/sbin/nft -f -{% if cleanup_commands is defined %} +{% if cleanup_commands is vyos_defined %} {% for command in cleanup_commands %} {{ command }} {% endfor %} {% endif %} -{% if zone is defined %} +{% if zone is vyos_defined %} table ip filter { {% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %} -{% if zone_conf.local_zone is defined %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} @@ -20,7 +20,7 @@ table ip filter { } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} 
@@ -29,10 +29,10 @@ table ip filter { {% else %} chain VZONE_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return {% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} {% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return @@ -46,10 +46,10 @@ table ip filter { table ip6 filter { {% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %} -{% if zone_conf.local_zone is defined %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE6_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} @@ -57,7 +57,7 @@ table ip6 filter { } chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return {% endfor %} 
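Review bot: `{% if zone[from_zone].local_zone is not defined %}` in this hunk is left on the old test while the `intra_zone_filtering` check above it and the loop filter on the same line moved to `vyos_defined`; change it to `{% if zone[from_zone].local_zone is not vyos_defined %}` (the identical leftover exists in the `VZONE6_` chain below). This condition decides whether a from-zone's interfaces get a `jump NAME_...` rule at all, so if `local_zone` were ever rendered as a `None`-valued node the two idioms would disagree on whether the rule is emitted. The `{% for %}` body and the chain continue past the hunk.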
@@ -66,10 +66,10 @@ table ip6 filter { {% else %} chain VZONE6_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return {% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} {% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return @@ -101,7 +101,7 @@ insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join( {% endfor %} {# Ensure that state-policy rule is first in the chain #} -{% if firewall.state_policy is defined %} +{% if firewall.state_policy is vyos_defined %} {% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %} insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY {% endfor %} |