diff options
483 files changed, 51583 insertions, 6273 deletions
diff --git a/.github/workflows/pull-request-management.yml b/.github/workflows/pull-request-management.yml new file mode 100644 index 000000000..3a855c107 --- /dev/null +++ b/.github/workflows/pull-request-management.yml @@ -0,0 +1,25 @@ +--- +name: Build Pull Request Package + +on: + pull_request: + branches: + - current + - crux + - equuleus + +jobs: + j2lint: + name: Validate j2 files + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + timeout-minutes: 2 + - name: Setup J2Lint + timeout-minutes: 2 + run: | + sudo pip install git+https://github.com/aristanetworks/j2lint.git@341b5d5db86e095b622f09770cb6367a1583620e + - name: Run J2lint + timeout-minutes: 2 + run: | + j2lint $GITHUB_WORKSPACE/data @@ -7,6 +7,8 @@ XDP_DIR := src/xdp LIBS := -lzmq CFLAGS := +J2LINT := $(shell command -v j2lint 2> /dev/null) + config_xml_src = $(wildcard interface-definitions/*.xml.in) config_xml_obj = $(config_xml_src:.xml.in=.xml) op_xml_src = $(wildcard op-mode-definitions/*.xml.in) @@ -58,9 +60,10 @@ op_mode_definitions: $(op_xml_obj) rm -f $(OP_TMPL_DIR)/show/node.def rm -f $(OP_TMPL_DIR)/show/system/node.def - # XXX: ping must be able to recursivly call itself as the + # XXX: ping and traceroute must be able to recursivly call itself as the # options are provided from the script itself ln -s ../node.tag $(OP_TMPL_DIR)/ping/node.tag/node.tag/ + ln -s ../node.tag $(OP_TMPL_DIR)/traceroute/node.tag/node.tag/ # XXX: test if there are empty node.def files - this is not allowed as these # could mask help strings or mandatory priority statements @@ -75,7 +78,18 @@ vyxdp: $(MAKE) -C $(XDP_DIR) .PHONY: all -all: clean interface_definitions op_mode_definitions vyshim +all: clean interface_definitions op_mode_definitions check test j2lint vyshim + +.PHONY: check +.ONESHELL: +check: + @echo "Checking which CLI scripts are not enabled to work with vyos-configd..." + @for file in `ls src/conf_mode -I__pycache__` + do + if ! grep -q $$file data/configd-include.json; then + echo "* $$file" + fi + done .PHONY: clean clean: @@ -90,6 +104,13 @@ test: set -e; python3 -m compileall -q -x '/vmware-tools/scripts/, /ppp/' . PYTHONPATH=python/ python3 -m "nose" --with-xunit src --with-coverage --cover-erase --cover-xml --cover-package src/conf_mode,src/op_mode,src/completion,src/helpers,src/validators,src/tests --verbose +.PHONY: j2lint +j2lint: +ifndef J2LINT + $(error "j2lint binary not found, consider installing: pip install git+https://github.com/aristanetworks/j2lint.git@341b5d5db86") +endif + $(J2LINT) data/ + .PHONY: sonar sonar: sonar-scanner -X -Dsonar.login=${SONAR_TOKEN} diff --git a/data/configd-include.json b/data/configd-include.json index b77d48001..5a4912e30 100644 --- a/data/configd-include.json +++ b/data/configd-include.json @@ -1,11 +1,16 @@ [ +"arp.py", "bcast_relay.py", +"container.py", "conntrack.py", "conntrack_sync.py", "dhcp_relay.py", +"dhcp_server.py", "dhcpv6_relay.py", +"dhcpv6_server.py", "dns_forwarding.py", "dynamic_dns.py", +"firewall.py", "flow_accounting_conf.py", "high-availability.py", "host_name.py", @@ -24,6 +29,7 @@ "interfaces-pppoe.py", "interfaces-pseudo-ethernet.py", "interfaces-tunnel.py", +"interfaces-vti.py", "interfaces-vxlan.py", "interfaces-wireguard.py", "interfaces-wireless.py", @@ -31,6 +37,7 @@ "lldp.py", "nat.py", "nat66.py", +"netns.py", "ntp.py", "pki.py", "policy.py", @@ -46,6 +53,7 @@ "protocols_pim.py", "protocols_rip.py", "protocols_ripng.py", +"protocols_rpki.py", "protocols_static.py", "protocols_static_multicast.py", "qos.py", @@ -54,6 +62,7 @@ "service_ids_fastnetmon.py", "service_ipoe-server.py", "service_mdns-repeater.py", +"service_monitoring_telegraf.py", "service_pppoe-server.py", "service_router-advert.py", "service_upnp.py", @@ -61,7 +70,10 @@ "system-ip.py", "system-ipv6.py", "system-login-banner.py", +"system-logs.py", "system-option.py", +"system-proxy.py", +"system_sysctl.py", "system-syslog.py", "system-timezone.py", "system_console.py", diff --git a/data/templates/accel-ppp/chap-secrets.config_dict.tmpl b/data/templates/accel-ppp/chap-secrets.config_dict.j2 index da64b64d5..51e66d57c 100644 --- a/data/templates/accel-ppp/chap-secrets.config_dict.tmpl +++ b/data/templates/accel-ppp/chap-secrets.config_dict.j2 @@ -1,12 +1,10 @@ # username server password acceptable local IP addresses shaper -{% if authentication is defined and authentication.local_users is defined and authentication.local_users.username is defined %} -{% for user, user_config in authentication.local_users.username.items() %} -{% if user_config.disabled is not defined %} -{% if user_config.rate_limit is defined %} +{% if authentication.local_users.username is vyos_defined %} +{% for user, user_config in authentication.local_users.username.items() if user_config.disabled is not vyos_defined %} +{% if user_config.rate_limit is vyos_defined %} {{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} {{ user_config.rate_limit.download }}/{{ user_config.rate_limit.upload }} -{% else %} +{% else %} {{ "%-12s" | format(user) }} * {{ "%-16s" | format(user_config.password) }} {{ "%-16s" | format(user_config.static_ip) }} -{% endif %} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} diff --git a/data/templates/accel-ppp/chap-secrets.ipoe.tmpl b/data/templates/accel-ppp/chap-secrets.ipoe.j2 index 1df878fcf..a1430ec22 100644 --- a/data/templates/accel-ppp/chap-secrets.ipoe.tmpl +++ b/data/templates/accel-ppp/chap-secrets.ipoe.j2 @@ -1,18 +1,18 @@ # username server password acceptable local IP addresses shaper {% for interface in auth_interfaces %} -{% for mac in interface.mac %} -{% if mac.rate_upload and mac.rate_download %} -{% if mac.vlan_id %} +{% for mac in interface.mac %} +{% if mac.rate_upload and mac.rate_download %} +{% if mac.vlan_id %} {{ interface.name }}.{{ mac.vlan_id }} * {{ mac.address | lower }} * {{ mac.rate_download }}/{{ mac.rate_upload }} -{% else %} +{% else %} {{ interface.name }} * {{ mac.address | lower }} * {{ mac.rate_download }}/{{ mac.rate_upload }} -{% endif %} -{% else %} -{% if mac.vlan_id %} +{% endif %} +{% else %} +{% if mac.vlan_id %} {{ interface.name }}.{{ mac.vlan_id }} * {{ mac.address | lower }} * -{% else %} +{% else %} {{ interface.name }} * {{ mac.address | lower }} * -{% endif %} -{% endif %} -{% endfor %} +{% endif %} +{% endif %} +{% endfor %} {% endfor %} diff --git a/data/templates/accel-ppp/chap-secrets.tmpl b/data/templates/accel-ppp/chap-secrets.j2 index 6cace5401..cc3ddc28f 100644 --- a/data/templates/accel-ppp/chap-secrets.tmpl +++ b/data/templates/accel-ppp/chap-secrets.j2 @@ -1,10 +1,10 @@ # username server password acceptable local IP addresses shaper {% for user in local_users %} -{% if user.state == 'enabled' %} -{% if user.upload and user.download %} +{% if user.state == 'enabled' %} +{% if user.upload and user.download %} {{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} {{ user.download }}/{{ user.upload }} -{% else %} +{% else %} {{ "%-12s" | format(user.name) }} * {{ "%-16s" | format(user.password) }} {{ "%-16s" | format(user.ip) }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} {% endfor %} diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2 index 49af3a228..bb820497b 100644 --- a/data/templates/accel-ppp/config_chap_secrets_radius.j2 +++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2 @@ -1,33 +1,33 @@ -{% if authentication.mode is defined and authentication.mode == 'local' %} +{% if authentication.mode is vyos_defined('local') %} [chap-secrets] chap-secrets={{ chap_secrets_file }} -{% elif authentication.mode is defined and authentication.mode == 'radius' %} +{% elif authentication.mode is vyos_defined('radius') %} [radius] verbose=1 -{% for server, options in authentication.radius.server.items() if not options.disable is defined %} +{% for server, options in authentication.radius.server.items() if not options.disable is vyos_defined %} server={{ server }},{{ options.key }},auth-port={{ options.port }},acct-port={{ options.acct_port }},req-limit=0,fail-time={{ options.fail_time }} -{% endfor %} -{% if authentication.radius.acct_interim_jitter is defined and authentication.radius.acct_interim_jitter is not none %} +{% endfor %} +{% if authentication.radius.acct_interim_jitter is vyos_defined %} acct-interim-jitter={{ authentication.radius.acct_interim_jitter }} -{% endif %} +{% endif %} acct-timeout={{ authentication.radius.acct_timeout }} timeout={{ authentication.radius.timeout }} max-try={{ authentication.radius.max_try }} -{% if authentication.radius.nas_identifier is defined and authentication.radius.nas_identifier is not none %} +{% if authentication.radius.nas_identifier is vyos_defined %} nas-identifier={{ authentication.radius.nas_identifier }} -{% endif %} -{% if authentication.radius.nas_ip_address is defined and authentication.radius.nas_ip_address is not none %} +{% endif %} +{% if authentication.radius.nas_ip_address is vyos_defined %} nas-ip-address={{ authentication.radius.nas_ip_address }} -{% endif %} -{% if authentication.radius.source_address is defined and authentication.radius.source_address is not none %} +{% endif %} +{% if authentication.radius.source_address is vyos_defined %} bind={{ authentication.radius.source_address }} -{% endif %} -{% if authentication.radius.dynamic_author.server is defined and authentication.radius.dynamic_author.server is not none %} +{% endif %} +{% if authentication.radius.dynamic_author.server is vyos_defined %} dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.radius.dynamic_author.port }},{{ authentication.radius.dynamic_author.key }} -{% endif %} +{% endif %} {% endif %} {# Both chap-secrets and radius block required the gw-ip-address #} -{% if gateway_address is defined and gateway_address is not none %} +{% if gateway_address is vyos_defined %} gw-ip-address={{ gateway_address }} {% endif %} diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 index 3b0f68084..0bef4ad69 100644 --- a/data/templates/accel-ppp/config_ip_pool.j2 +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -1,14 +1,14 @@ -{% if client_ip_pool is defined and client_ip_pool is not none %} +{% if client_ip_pool is vyos_defined %} [ip-pool] -{% if gateway_address is defined and gateway_address is not none %} +{% if gateway_address is vyos_defined %} gw-ip-address={{ gateway_address }} -{% endif %} -{% if client_ip_pool.start is defined and client_ip_pool.stop is defined and client_ip_pool.start is not none and client_ip_pool.stop is not none %} +{% endif %} +{% if client_ip_pool.start is vyos_defined and client_ip_pool.stop is vyos_defined %} {{ client_ip_pool.start }}-{{ client_ip_pool.stop.split('.')[3] }} -{% endif %} -{% if client_ip_pool.subnet is defined and client_ip_pool.subnet is not none %} -{% for subnet in client_ip_pool.subnet %} +{% endif %} +{% if client_ip_pool.subnet is vyos_defined %} +{% for subnet in client_ip_pool.subnet %} {{ subnet }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {% endif %} diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2 index f45bf9442..953469577 100644 --- a/data/templates/accel-ppp/config_ipv6_pool.j2 +++ b/data/templates/accel-ppp/config_ipv6_pool.j2 @@ -1,20 +1,20 @@ -{% if client_ipv6_pool is defined and client_ipv6_pool is not none %} +{% if client_ipv6_pool is vyos_defined %} [ipv6-nd] AdvAutonomousFlag=1 -{% if client_ipv6_pool.prefix is defined and client_ipv6_pool.prefix is not none %} +{% if client_ipv6_pool.prefix is vyos_defined %} [ipv6-pool] -{% for prefix, options in client_ipv6_pool.prefix.items() %} +{% for prefix, options in client_ipv6_pool.prefix.items() %} {{ prefix }},{{ options.mask }} -{% endfor %} -{% if client_ipv6_pool.delegate is defined and client_ipv6_pool.delegate is not none %} -{% for prefix, options in client_ipv6_pool.delegate.items() %} +{% endfor %} +{% if client_ipv6_pool.delegate is vyos_defined %} +{% for prefix, options in client_ipv6_pool.delegate.items() %} delegate={{ prefix }},{{ options.delegation_prefix }} -{% endfor %} +{% endfor %} +{% endif %} {% endif %} -{% endif %} -{% if client_ipv6_pool.delegate is defined and client_ipv6_pool.delegate is not none %} +{% if client_ipv6_pool.delegate is vyos_defined %} [ipv6-dhcp] verbose=1 -{% endif %} +{% endif %} {% endif %} diff --git a/data/templates/accel-ppp/config_modules_auth_mode.j2 b/data/templates/accel-ppp/config_modules_auth_mode.j2 index e3d578b38..3fb8a011f 100644 --- a/data/templates/accel-ppp/config_modules_auth_mode.j2 +++ b/data/templates/accel-ppp/config_modules_auth_mode.j2 @@ -1,5 +1,5 @@ -{% if authentication is defined and authentication.mode is defined and authentication.mode == 'local' %} +{% if authentication.mode is vyos_defined('local') %} chap-secrets -{% elif authentication is defined and authentication.mode is defined and authentication.mode == 'radius' %} +{% elif authentication.mode is vyos_defined('radius') %} radius {% endif %} diff --git a/data/templates/accel-ppp/config_modules_auth_protocols.j2 b/data/templates/accel-ppp/config_modules_auth_protocols.j2 index 454d37792..285468406 100644 --- a/data/templates/accel-ppp/config_modules_auth_protocols.j2 +++ b/data/templates/accel-ppp/config_modules_auth_protocols.j2 @@ -1,10 +1,10 @@ {% for protocol in authentication.protocols %} {# this should be fixed in the CLI by a migrator #} -{% if protocol == 'chap' %} +{% if protocol == 'chap' %} auth_chap_md5 -{% elif protocol == 'mschap' %} +{% elif protocol == 'mschap' %} auth_mschap_v1 -{% else %} +{% else %} auth_{{ protocol.replace('-', '_') }} -{% endif %} +{% endif %} {% endfor %} diff --git a/data/templates/accel-ppp/config_modules_ipv6.j2 b/data/templates/accel-ppp/config_modules_ipv6.j2 index 02740ce7c..6174779a5 100644 --- a/data/templates/accel-ppp/config_modules_ipv6.j2 +++ b/data/templates/accel-ppp/config_modules_ipv6.j2 @@ -1,4 +1,4 @@ -{% if ppp_options.ipv6 is defined and ppp_options.ipv6 != 'deny' %} +{% if ppp_options.ipv6 is vyos_defined and ppp_options.ipv6 is not vyos_defined('deny') %} ipv6pool ipv6_nd ipv6_dhcp diff --git a/data/templates/accel-ppp/config_name_server.j2 b/data/templates/accel-ppp/config_name_server.j2 index 2bf064f92..9c745fe62 100644 --- a/data/templates/accel-ppp/config_name_server.j2 +++ b/data/templates/accel-ppp/config_name_server.j2 @@ -1,13 +1,13 @@ -{% if name_server_ipv4 is defined and name_server_ipv4 is not none %} +{% if name_server_ipv4 is vyos_defined %} [dns] -{% for ns in name_server_ipv4 %} +{% for ns in name_server_ipv4 %} dns{{ loop.index }}={{ ns }} -{% endfor %} +{% endfor %} {% endif %} -{% if name_server_ipv6 is defined and name_server_ipv6 is not none %} +{% if name_server_ipv6 is vyos_defined %} [ipv6-dns] -{% for ns in name_server_ipv6 %} +{% for ns in name_server_ipv6 %} {{ ns }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2 index 8de5f5df3..c256647e4 100644 --- a/data/templates/accel-ppp/config_shaper_radius.j2 +++ b/data/templates/accel-ppp/config_shaper_radius.j2 @@ -1,10 +1,10 @@ -{% if authentication is defined and authentication.mode is defined and authentication.mode == 'radius' %} -{% if authentication is defined and authentication.radius is defined and authentication.radius.rate_limit is defined and authentication.radius.rate_limit.enable is defined %} +{% if authentication.mode is vyos_defined('radius') %} +{% if authentication.radius.rate_limit.enable is vyos_defined %} [shaper] verbose=1 attr={{ authentication.radius.rate_limit.attribute }} -{% if authentication.radius.rate_limit.vendor is defined and authentication.radius.rate_limit.vendor is not none %} +{% if authentication.radius.rate_limit.vendor is vyos_defined %} vendor={{ authentication.radius.rate_limit.vendor }} +{% endif %} {% endif %} -{% endif %} {% endif %} diff --git a/data/templates/accel-ppp/ipoe.config.tmpl b/data/templates/accel-ppp/ipoe.config.j2 index 92c2d5715..3c0d47b27 100644 --- a/data/templates/accel-ppp/ipoe.config.tmpl +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -1,3 +1,4 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} ### generated by ipoe.py ### [modules] log_syslog @@ -24,45 +25,50 @@ level=5 [ipoe] verbose=1 {% for interface in interfaces %} -{% if interface.vlan_mon %} -interface=re:{{ interface.name }}\.\d+,{% else %}interface={{ interface.name }},{% endif %}shared={{ interface.shared }},mode={{ interface.mode }},ifcfg={{ interface.ifcfg }}{{ ',range=' + interface.range if interface.range is defined and interface.range is not none }},start={{ interface.sess_start }},ipv6=1 +{% set tmp = 'interface=' %} +{% if interface.vlan_mon %} +{% set tmp = tmp ~ 're:' ~ interface.name ~ '\.\d+' %} +{% else %} +{% set tmp = tmp ~ interface.name %} +{% endif %} +{{ tmp }},shared={{ interface.shared }},mode={{ interface.mode }},ifcfg={{ interface.ifcfg }}{{ ',range=' ~ interface.range if interface.range is defined and interface.range is not none }},start={{ interface.sess_start }},ipv6=1 {% endfor %} -{% if auth_mode == 'noauth' %} +{% if auth_mode == 'noauth' %} noauth=1 {% if client_named_ip_pool %} -{% for pool in client_named_ip_pool %} -{% if pool.subnet is defined %} +{% for pool in client_named_ip_pool %} +{% if pool.subnet is defined %} ip-pool={{ pool.name }} -{% endif %} -{% if pool.gateway_address is defined %} +{% endif %} +{% if pool.gateway_address is defined %} gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }} -{% endif %} -{% endfor%} +{% endif %} +{% endfor %} {% endif %} -{% elif auth_mode == 'local' %} +{% elif auth_mode == 'local' %} username=ifname password=csid {% endif %} proxy-arp=1 {% for interface in interfaces %} -{% if (interface.shared == '0') and (interface.vlan_mon) %} +{% if (interface.shared == '0') and (interface.vlan_mon) %} vlan-mon={{ interface.name }},{{ interface.vlan_mon | join(',') }} -{% endif %} +{% endif %} {% endfor %} {% if dnsv4 %} [dns] -{% for dns in dnsv4 %} +{% for dns in dnsv4 %} dns{{ loop.index }}={{ dns }} -{% endfor %} +{% endfor %} {% endif %} {% if dnsv6 %} [ipv6-dns] -{% for dns in dnsv6 %} +{% for dns in dnsv6 %} {{ dns }} -{% endfor %} +{% endfor %} {% endif %} [ipv6-nd] @@ -73,24 +79,24 @@ verbose=1 {% if client_named_ip_pool %} [ip-pool] -{% for pool in client_named_ip_pool %} -{% if pool.subnet is defined %} +{% for pool in client_named_ip_pool %} +{% if pool.subnet is defined %} {{ pool.subnet }},name={{ pool.name }} -{% endif %} -{% if pool.gateway_address is defined %} +{% endif %} +{% if pool.gateway_address is defined %} gw-ip-address={{ pool.gateway_address }}/{{ pool.subnet.split('/')[1] }} -{% endif %} -{% endfor%} +{% endif %} +{% endfor %} {% endif %} {% if client_ipv6_pool %} [ipv6-pool] -{% for p in client_ipv6_pool %} +{% for p in client_ipv6_pool %} {{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} +{% endfor %} +{% for p in client_ipv6_delegate_prefix %} delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} +{% endfor %} {% endif %} {% if auth_mode == 'local' %} @@ -99,39 +105,37 @@ chap-secrets={{ chap_secrets_file }} {% elif auth_mode == 'radius' %} [radius] verbose=1 -{% for r in radius_server %} +{% for r in radius_server %} server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor %} +{% endfor %} -{% if radius_acct_inter_jitter %} +{% if radius_acct_inter_jitter %} acct-interim-jitter={{ radius_acct_inter_jitter }} -{% endif %} +{% endif %} acct-timeout={{ radius_acct_tmo }} timeout={{ radius_timeout }} max-try={{ radius_max_try }} -{% if radius_nas_id %} +{% if radius_nas_id %} nas-identifier={{ radius_nas_id }} -{% endif %} -{% if radius_nas_ip %} +{% endif %} +{% if radius_nas_ip %} nas-ip-address={{ radius_nas_ip }} -{% endif %} -{% if radius_source_address %} +{% endif %} +{% if radius_source_address %} bind={{ radius_source_address }} -{% endif %} - -{% if radius_dynamic_author %} +{% endif %} +{% if radius_dynamic_author %} dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} -{% endif %} - -{% if radius_shaper_attr %} +{% endif %} +{% if radius_shaper_attr %} [shaper] verbose=1 attr={{ radius_shaper_attr }} -{% if radius_shaper_vendor %} +{% if radius_shaper_vendor %} vendor={{ radius_shaper_vendor }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} {% endif %} [cli] diff --git a/data/templates/accel-ppp/l2tp.config.tmpl b/data/templates/accel-ppp/l2tp.config.j2 index 9fcda76d4..9eeaf7622 100644 --- a/data/templates/accel-ppp/l2tp.config.tmpl +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -3,9 +3,9 @@ log_syslog l2tp chap-secrets -{% for proto in auth_proto: %} -{{proto}} -{% endfor%} +{% for proto in auth_proto %} +{{ proto }} +{% endfor %} {% if auth_mode == 'radius' %} radius @@ -18,7 +18,7 @@ ipv6_nd ipv6_dhcp [core] -thread-count={{thread_cnt}} +thread-count={{ thread_cnt }} [log] syslog=accel-l2tp,daemon @@ -27,23 +27,23 @@ level=5 {% if dnsv4 %} [dns] -{% for dns in dnsv4 %} +{% for dns in dnsv4 %} dns{{ loop.index }}={{ dns }} -{% endfor %} +{% endfor %} {% endif %} {% if dnsv6 %} [ipv6-dns] -{% for dns in dnsv6 %} +{% for dns in dnsv6 %} {{ dns }} -{% endfor %} +{% endfor %} {% endif %} {% if wins %} [wins] -{% for server in wins %} +{% for server in wins %} wins{{ loop.index }}={{ server }} -{% endfor %} +{% endfor %} {% endif %} [l2tp] @@ -66,14 +66,14 @@ host-name={{ lns_host_name }} {% if client_ip_pool or client_ip_subnets %} [ip-pool] -{% if client_ip_pool %} +{% if client_ip_pool %} {{ client_ip_pool }} -{% endif %} -{% if client_ip_subnets %} -{% for sn in client_ip_subnets %} -{{sn}} -{% endfor %} -{% endif %} +{% endif %} +{% if client_ip_subnets %} +{% for sn in client_ip_subnets %} +{{ sn }} +{% endfor %} +{% endif %} {% endif %} {% if gateway_address %} gw-ip-address={{ gateway_address }} @@ -85,27 +85,24 @@ chap-secrets={{ chap_secrets_file }} {% elif auth_mode == 'radius' %} [radius] verbose=1 -{% for r in radius_server %} +{% for r in radius_server %} server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor %} - -{% if radius_acct_inter_jitter %} +{% endfor %} +{% if radius_acct_inter_jitter %} acct-interim-jitter={{ radius_acct_inter_jitter }} -{% endif %} - +{% endif %} acct-timeout={{ radius_acct_tmo }} timeout={{ radius_timeout }} max-try={{ radius_max_try }} - -{% if radius_nas_id %} +{% if radius_nas_id %} nas-identifier={{ radius_nas_id }} -{% endif %} -{% if radius_nas_ip %} +{% endif %} +{% if radius_nas_ip %} nas-ip-address={{ radius_nas_ip }} -{% endif %} -{% if radius_source_address %} +{% endif %} +{% if radius_source_address %} bind={{ radius_source_address }} -{% endif %} +{% endif %} {% endif %} {% if gateway_address %} gw-ip-address={{ gateway_address }} @@ -128,12 +125,12 @@ ipv6=allow {% if client_ipv6_pool %} [ipv6-pool] -{% for p in client_ipv6_pool %} +{% for p in client_ipv6_pool %} {{ p.prefix }},{{ p.mask }} -{% endfor %} -{% for p in client_ipv6_delegate_prefix %} +{% endfor %} +{% for p in client_ipv6_delegate_prefix %} delegate={{ p.prefix }},{{ p.mask }} -{% endfor %} +{% endfor %} {% endif %} {% if client_ipv6_delegate_prefix %} @@ -145,9 +142,9 @@ verbose=1 [shaper] verbose=1 attr={{ radius_shaper_attr }} -{% if radius_shaper_vendor %} +{% if radius_shaper_vendor %} vendor={{ radius_shaper_vendor }} -{% endif %} +{% endif %} {% endif %} [cli] diff --git a/data/templates/accel-ppp/pppoe.config.tmpl b/data/templates/accel-ppp/pppoe.config.j2 index 0a8e0079b..0a92e2d54 100644 --- a/data/templates/accel-ppp/pppoe.config.tmpl +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -11,13 +11,13 @@ ippool {# Common authentication protocols (pap, chap ...) #} {% include 'accel-ppp/config_modules_auth_protocols.j2' %} -{% if snmp is defined %} +{% if snmp is vyos_defined %} net-snmp {% endif %} -{% if limits is defined %} +{% if limits is vyos_defined %} connlimit {% endif %} -{% if extended_scripts is defined %} +{% if extended_scripts is vyos_defined %} sigchld pppd_compat {% endif %} @@ -30,7 +30,7 @@ syslog=accel-pppoe,daemon copy=1 level=5 -{% if snmp is defined and snmp.master_agent is defined %} +{% if snmp.master_agent is vyos_defined %} [snmp] master=1 {% endif %} @@ -47,17 +47,17 @@ disable {# Common DNS name-server definition #} {% include 'accel-ppp/config_name_server.j2' %} -{% if wins_server is defined and wins_server is not none %} +{% if wins_server is vyos_defined %} [wins] -{% for server in wins_server %} +{% for server in wins_server %} wins{{ loop.index }}={{ server }} -{% endfor %} +{% endfor %} {% endif %} {# Common chap-secrets and RADIUS server/option definitions #} {% include 'accel-ppp/config_chap_secrets_radius.j2' %} -{% if session_control is defined and session_control != 'disable' %} +{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %} [common] single-session={{ session_control }} {% endif %} @@ -65,37 +65,37 @@ single-session={{ session_control }} [ppp] verbose=1 check-ip=1 -ccp={{ "1" if ppp_options.ccp is defined else "0" }} -unit-preallocate={{ "1" if authentication.radius.preallocate_vif is defined else "0" }} -{% if ppp_options.min_mtu is defined and ppp_options.min_mtu is not none %} +ccp={{ "1" if ppp_options.ccp is vyos_defined else "0" }} +unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }} +{% if ppp_options.min_mtu is vyos_defined %} min-mtu={{ ppp_options.min_mtu }} {% else %} min-mtu={{ mtu }} {% endif %} -{% if ppp_options.mru is defined and ppp_options.mru is not none %} +{% if ppp_options.mru is vyos_defined %} mru={{ ppp_options.mru }} {% endif %} mppe={{ ppp_options.mppe }} lcp-echo-interval={{ ppp_options.lcp_echo_interval }} lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }} lcp-echo-failure={{ ppp_options.lcp_echo_failure }} -{% if ppp_options.ipv4 is defined and ppp_options.ipv4 is not none %} +{% if ppp_options.ipv4 is vyos_defined %} ipv4={{ ppp_options.ipv4 }} {% endif %} {# IPv6 #} -{% if ppp_options.ipv6 is defined and ppp_options.ipv6 is not none %} +{% if ppp_options.ipv6 is vyos_defined %} ipv6={{ ppp_options.ipv6 }} -{% if ppp_options.ipv6_intf_id is defined and ppp_options.ipv6_intf_id is not none %} +{% if ppp_options.ipv6_intf_id is vyos_defined %} ipv6-intf-id={{ ppp_options.ipv6_intf_id }} -{% endif %} -{% if ppp_options.ipv6_peer_intf_id is defined and ppp_options.ipv6_peer_intf_id is not none %} +{% endif %} +{% if ppp_options.ipv6_peer_intf_id is vyos_defined %} ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }} -{% endif %} -ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is defined else "0" }} +{% endif %} +ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }} {% endif %} {# MTU #} mtu={{ mtu }} -{% if ppp_options.interface_cache is defined and ppp_options.interface_cache is not none %} +{% if ppp_options.interface_cache is vyos_defined %} unit-cache={{ ppp_options.interface_cache }} {% endif %} @@ -103,24 +103,24 @@ unit-cache={{ ppp_options.interface_cache }} verbose=1 ac-name={{ access_concentrator }} -{% if interface is defined and interface is not none %} -{% for iface, iface_config in interface.items() %} -{% if iface_config.vlan_id is not defined and iface_config.vlan_range is not defined %} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% if iface_config.vlan_id is not vyos_defined and iface_config.vlan_range is not vyos_defined %} interface={{ iface }} -{% endif %} -{% if iface_config.vlan_range is defined %} -{% for regex in iface_config.regex %} +{% endif %} +{% if iface_config.vlan_range is vyos_defined %} +{% for regex in iface_config.regex %} interface=re:^{{ iface | replace('.', '\\.') }}\.({{ regex }})$ -{% endfor %} +{% endfor %} vlan-mon={{ iface }},{{ iface_config.vlan_range | join(',') }} -{% endif %} -{% if iface_config.vlan_id is defined %} -{% for vlan in iface_config.vlan_id %} +{% endif %} +{% if iface_config.vlan_id is vyos_defined %} +{% for vlan in iface_config.vlan_id %} vlan-mon={{ iface }},{{ vlan }} interface=re:^{{ iface | replace('.', '\\.') }}\.{{ vlan }}$ -{% endfor %} -{% endif %} -{% endfor %} +{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if service_name %} @@ -128,44 +128,44 @@ service-name={{ service_name | join(',') }} {% endif %} {% if pado_delay %} -{% set pado_delay_param = namespace(value='0') %} -{% for delay in pado_delay|sort(attribute='0') %} -{% if not loop.last %} -{% set pado_delay_param.value = pado_delay_param.value + ',' + delay + ':' + pado_delay[delay].sessions %} -{% else %} -{% set pado_delay_param.value = pado_delay_param.value + ',-1:' + pado_delay[delay].sessions %} -{% endif %} -{% endfor %} +{% set pado_delay_param = namespace(value='0') %} +{% for delay in pado_delay | sort(attribute='0') %} +{% if not loop.last %} +{% set pado_delay_param.value = pado_delay_param.value + ',' + delay + ':' + pado_delay[delay].sessions %} +{% else %} +{% set pado_delay_param.value = pado_delay_param.value + ',-1:' + pado_delay[delay].sessions %} +{% endif %} +{% endfor %} pado-delay={{ pado_delay_param.value }} {% endif %} -{% if authentication.radius.called_sid_format is defined and authentication.radius.called_sid_format is not none %} +{% if authentication.radius.called_sid_format is vyos_defined %} called-sid={{ authentication.radius.called_sid_format }} {% endif %} -{% if limits is defined %} +{% if limits is vyos_defined %} [connlimit] -{% if limits.connection_limit is defined and limits.connection_limit is not none %} +{% if limits.connection_limit is vyos_defined %} limit={{ limits.connection_limit }} -{% endif %} -{% if limits.burst is defined and limits.burst %} +{% endif %} +{% if limits.burst is vyos_defined %} burst={{ limits.burst }} -{% endif %} -{% if limits.timeout is defined and limits.timeout is not none %} +{% endif %} +{% if limits.timeout is vyos_defined %} timeout={{ limits.timeout }} -{% endif %} +{% endif %} {% endif %} {# Common RADIUS shaper configuration #} {% include 'accel-ppp/config_shaper_radius.j2' %} -{% if extended_scripts is defined %} +{% if extended_scripts is vyos_defined %} [pppd-compat] verbose=1 radattr-prefix=/run/accel-pppd/radattr -{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} -{% for script in extended_scripts %} +{% set script_name = {'on_up': 'ip-up', 'on_down': 'ip-down', 'on_change':'ip-change', 'on_pre_up':'ip-pre-up'} %} +{% for script in extended_scripts %} {{ script_name[script] }}={{ extended_scripts[script] }} -{% endfor %} +{% endfor %} {% endif %} [cli] diff --git a/data/templates/accel-ppp/pptp.config.tmpl b/data/templates/accel-ppp/pptp.config.j2 index 3cfc4a906..cc1a45d6b 100644 --- a/data/templates/accel-ppp/pptp.config.tmpl +++ b/data/templates/accel-ppp/pptp.config.j2 @@ -10,7 +10,7 @@ radius {% endif %} ippool {% for proto in auth_proto %} -{{proto}} +{{ proto }} {% endfor %} [core] @@ -23,16 +23,16 @@ level=5 {% if dnsv4 %} [dns] -{% for dns in dnsv4 %} +{% for dns in dnsv4 %} dns{{ loop.index }}={{ dns }} -{% endfor %} +{% endfor %} {% endif %} {% if wins %} [wins] -{% for server in wins %} +{% for server in wins %} wins{{ loop.index }}={{ server }} -{% endfor %} +{% endfor %} {% endif %} @@ -42,7 +42,7 @@ ifname=pptp%d bind={{ outside_addr }} {% endif %} verbose=1 -ppp-max-mtu={{mtu}} +ppp-max-mtu={{ mtu }} mppe={{ ppp_mppe }} echo-interval=10 echo-failure=3 @@ -66,27 +66,27 @@ chap-secrets={{ chap_secrets_file }} {% elif auth_mode == 'radius' %} [radius] verbose=1 -{% for r in radius_server %} +{% for r in radius_server %} server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }} -{% endfor %} +{% endfor %} -{% if radius_acct_inter_jitter %} +{% if radius_acct_inter_jitter %} acct-interim-jitter={{ radius_acct_inter_jitter }} -{% endif %} +{% endif %} acct-timeout={{ radius_acct_tmo }} timeout={{ radius_timeout }} max-try={{ radius_max_try }} -{% if radius_nas_id %} +{% if radius_nas_id %} nas-identifier={{ radius_nas_id }} -{% endif %} -{% if radius_nas_ip %} +{% endif %} +{% if radius_nas_ip %} nas-ip-address={{ radius_nas_ip }} -{% endif %} -{% if radius_source_address %} +{% endif %} +{% if radius_source_address %} bind={{ radius_source_address }} -{% endif %} +{% endif %} {% endif %} {# Both chap-secrets and radius block required the gw-ip-address #} {% if gw_ip is defined and gw_ip is not none %} diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.j2 index 8fd7d230d..5c6f19306 100644 --- a/data/templates/accel-ppp/sstp.config.tmpl +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -50,7 +50,7 @@ verbose=1 check-ip=1 {# MTU #} mtu={{ mtu }} -ipv6={{ 'allow' if ppp_options.ipv6 == "deny" and client_ipv6_pool is defined else ppp_options.ipv6 }} +ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }} ipv4={{ ppp_options.ipv4 }} mppe={{ ppp_options.mppe }} diff --git a/data/templates/bcast-relay/udp-broadcast-relay.tmpl b/data/templates/bcast-relay/udp-broadcast-relay.j2 index 7b2b9b1a2..75740e04c 100644 --- a/data/templates/bcast-relay/udp-broadcast-relay.tmpl +++ b/data/templates/bcast-relay/udp-broadcast-relay.j2 @@ -2,4 +2,4 @@ # UDP broadcast relay configuration for instance {{ id }} {{ '# ' ~ description if description is vyos_defined }} -DAEMON_ARGS="{{ '-s ' ~ address if address is defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" +DAEMON_ARGS="{{ '-s ' ~ address if address is vyos_defined }} {{ instance }} {{ port }} {{ interface | join(' ') }}" diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2 new file mode 100644 index 000000000..16a03fc6e --- /dev/null +++ b/data/templates/conntrack/nftables-ct.j2 @@ -0,0 +1,48 @@ +#!/usr/sbin/nft -f + +{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %} +{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %} + +# we first flush all chains and render the content from scratch - this makes +# any delta check obsolete +flush chain raw {{ nft_ct_ignore_name }} +flush chain raw {{ nft_ct_timeout_name }} + +table raw { + chain {{ nft_ct_ignore_name }} { +{% if ignore.rule is vyos_defined %} +{% for rule, rule_config in ignore.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} +{% set nft_command = '' %} +{% if rule_config.inbound_interface is vyos_defined %} +{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %} +{% endif %} +{% if rule_config.protocol is vyos_defined %} +{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %} +{% endif %} +{% if rule_config.destination.address is vyos_defined %} +{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %} +{% endif %} +{% if rule_config.destination.port is vyos_defined %} +{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %} +{% endif %} +{% if rule_config.source.address is vyos_defined %} +{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %} +{% endif %} +{% if rule_config.source.port is vyos_defined %} +{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %} +{% endif %} + {{ nft_command }} counter notrack comment ignore-{{ rule }} +{% endfor %} +{% endif %} + return + } + chain {{ nft_ct_timeout_name }} { +{% if timeout.custom.rule is vyos_defined %} +{% for rule, rule_config in timeout.custom.rule.items() %} + # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }} +{% endfor %} +{% endif %} + return + } +} diff --git a/data/templates/conntrack/nftables-ct.tmpl b/data/templates/conntrack/nftables-ct.tmpl deleted file mode 100644 index cebc1a54e..000000000 --- a/data/templates/conntrack/nftables-ct.tmpl +++ /dev/null @@ -1,48 +0,0 @@ -#!/usr/sbin/nft -f - -{% set nft_ct_ignore_name = 'VYOS_CT_IGNORE' %} -{% set nft_ct_timeout_name = 'VYOS_CT_TIMEOUT' %} - -# we first flush all chains and render the content from scratch - this makes -# any delta check obsolete -flush chain raw {{ nft_ct_ignore_name }} -flush chain raw {{ nft_ct_timeout_name }} - -table raw { - chain {{ nft_ct_ignore_name }} { -{% if ignore.rule is vyos_defined %} -{% for rule, rule_config in ignore.rule.items() %} - # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }} -{% set nft_command = '' %} -{% if rule_config.inbound_interface is vyos_defined %} -{% set nft_command = nft_command ~ ' iifname ' ~ rule_config.inbound_interface %} -{% endif %} -{% if rule_config.protocol is vyos_defined %} -{% set nft_command = nft_command ~ ' ip protocol ' ~ rule_config.protocol %} -{% endif %} -{% if rule_config.destination.address is vyos_defined %} -{% set nft_command = nft_command ~ ' ip daddr ' ~ rule_config.destination.address %} -{% endif %} -{% if rule_config.destination.port is vyos_defined %} -{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' dport { ' ~ rule_config.destination.port ~ ' }' %} -{% endif %} -{% if rule_config.source.address is vyos_defined %} -{% set nft_command = nft_command ~ ' ip saddr ' ~ rule_config.source.address %} -{% endif %} -{% if rule_config.source.port is vyos_defined %} -{% set nft_command = nft_command ~ ' ' ~ rule_config.protocol ~ ' sport { ' ~ rule_config.source.port ~ ' }' %} -{% endif %} - {{ nft_command }} counter notrack comment ignore-{{ rule }} -{% endfor %} -{% endif %} - return - } - chain {{ nft_ct_timeout_name }} { -{% if timeout.custom.rule is vyos_defined %} -{% for rule, rule_config in timeout.custom.rule.items() %} - # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is defined and rule_config.description is not none }} -{% endfor %} -{% endif %} - return - } -} diff --git a/data/templates/conntrack/sysctl.conf.tmpl b/data/templates/conntrack/sysctl.conf.j2 index 075402c04..075402c04 100644 --- a/data/templates/conntrack/sysctl.conf.tmpl +++ b/data/templates/conntrack/sysctl.conf.j2 diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 index 111459485..111459485 100644 --- a/data/templates/conntrack/vyos_nf_conntrack.conf.tmpl +++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2 diff --git a/data/templates/conntrackd/conntrackd.conf.tmpl b/data/templates/conntrackd/conntrackd.conf.j2 index 45b7bff09..66024869d 100644 --- a/data/templates/conntrackd/conntrackd.conf.tmpl +++ b/data/templates/conntrackd/conntrackd.conf.j2 @@ -3,45 +3,45 @@ # Synchronizer settings Sync { Mode FTFW { - DisableExternalCache {{ 'on' if disable_external_cache is defined else 'off' }} + DisableExternalCache {{ 'on' if disable_external_cache is vyos_defined else 'off' }} } {% for iface, iface_config in interface.items() %} -{% if iface_config.peer is defined and iface_config.peer is not none %} +{% if iface_config.peer is vyos_defined %} UDP { -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is vyos_defined %} IPv4_address {{ listen_address }} -{% endif %} +{% endif %} IPv4_Destination_Address {{ iface_config.peer }} - Port {{ iface_config.port if iface_config.port is defined else '3780' }} + Port {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} Checksum on } -{% else %} +{% else %} Multicast { -{% set ip_address = iface | get_ipv4 %} +{% set ip_address = iface | get_ipv4 %} IPv4_address {{ mcast_group }} - Group {{ iface_config.port if iface_config.port is defined else '3780' }} + Group {{ iface_config.port if iface_config.port is vyos_defined else '3780' }} IPv4_interface {{ ip_address[0] | ip_from_cidr }} Interface {{ iface }} SndSocketBuffer {{ sync_queue_size | int *1024 *1024 }} RcvSocketBuffer {{ sync_queue_size | int *1024 *1024 }} Checksum on } -{% endif %} +{% endif %} {% endfor %} -{% if expect_sync is defined and expect_sync is not none %} +{% if expect_sync is vyos_defined %} Options { -{% if 'all' in expect_sync %} +{% if 'all' in expect_sync %} ExpectationSync on -{% else %} +{% else %} ExpectationSync { -{% for protocol in expect_sync %} +{% for protocol in expect_sync %} {{ protocol }} -{% endfor %} +{% endfor %} } -{% endif %} +{% endif %} } {% endif %} } @@ -83,29 +83,29 @@ General { NetlinkBufferSizeMaxGrowth {{ event_listen_queue_size | int *1024 *1024 }} NetlinkOverrunResync off NetlinkEventsReliable on -{% if ignore_address is defined or accept_protocol is defined %} +{% if ignore_address is vyos_defined or accept_protocol is vyos_defined %} Filter From Userspace { -{% if ignore_address is defined and ignore_address is not none %} +{% if ignore_address is vyos_defined %} Address Ignore { -{% for address in ignore_address if address | is_ipv4 %} +{% for address in ignore_address if address | is_ipv4 %} IPv4_address {{ address }} -{% endfor %} -{% for address in ignore_address if address | is_ipv6 %} +{% endfor %} +{% for address in ignore_address if address | is_ipv6 %} IPv6_address {{ address }} -{% endfor %} +{% endfor %} } -{% endif %} -{% if accept_protocol is defined and accept_protocol is not none %} +{% endif %} +{% if accept_protocol is vyos_defined %} Protocol Accept { -{% for protocol in accept_protocol %} -{% if protocol == 'icmp6' %} +{% for protocol in accept_protocol %} +{% if protocol == 'icmp6' %} IPv6-ICMP -{% else %} +{% else %} {{ protocol | upper }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} } -{% endif %} +{% endif %} } {% endif %} } diff --git a/data/templates/conntrackd/conntrackd.op-mode.j2 b/data/templates/conntrackd/conntrackd.op-mode.j2 new file mode 100644 index 000000000..82f7e2859 --- /dev/null +++ b/data/templates/conntrackd/conntrackd.op-mode.j2 @@ -0,0 +1,13 @@ +Source Destination Protocol +{% for parsed in data if parsed.flow.meta is vyos_defined %} +{% for key in parsed.flow.meta %} +{% if key['@direction'] == 'original' %} +{% set saddr = key.layer3.src | bracketize_ipv6 %} +{% set sport = key.layer4.sport %} +{% set daddr = key.layer3.dst | bracketize_ipv6 %} +{% set dport = key.layer4.dport %} +{% set protocol = key.layer4['@protoname'] %} +{{ "%-48s" | format(saddr ~ ':' ~ sport) }} {{ "%-48s" | format(daddr ~ ':' ~ dport) }} {{ protocol }} +{% endif %} +{% endfor %} +{% endfor %} diff --git a/data/templates/conntrackd/conntrackd.op-mode.tmpl b/data/templates/conntrackd/conntrackd.op-mode.tmpl deleted file mode 100644 index 82a4b09ad..000000000 --- a/data/templates/conntrackd/conntrackd.op-mode.tmpl +++ /dev/null @@ -1,13 +0,0 @@ -Source Destination Protocol -{% for parsed in data if parsed.flow is defined and parsed.flow.meta is defined %} -{% for key in parsed.flow.meta %} -{% if key['@direction'] == 'original' %} -{% set saddr = key.layer3.src | bracketize_ipv6 %} -{% set sport = key.layer4.sport %} -{% set daddr = key.layer3.dst | bracketize_ipv6 %} -{% set dport = key.layer4.dport %} -{% set protocol = key.layer4['@protoname'] %} -{{ "%-48s" | format(saddr ~ ':' ~ sport) }} {{ "%-48s" | format(daddr ~ ':' ~ dport) }} {{ protocol }} -{% endif %} -{% endfor %} -{% endfor %} diff --git a/data/templates/conserver/conserver.conf.tmpl b/data/templates/conserver/conserver.conf.j2 index 4e7b5d8d7..1823657d7 100644 --- a/data/templates/conserver/conserver.conf.tmpl +++ b/data/templates/conserver/conserver.conf.j2 @@ -17,7 +17,7 @@ default * { ## {% for key, value in device.items() %} {# Depending on our USB serial console we could require a path adjustment #} -{% set path = '/dev' if key.startswith('ttyS') else '/dev/serial/by-bus' %} +{% set path = '/dev' if key.startswith('ttyS') else '/dev/serial/by-bus' %} console {{ key }} { master localhost; type device; diff --git a/data/templates/conserver/dropbear@.service.tmpl b/data/templates/conserver/dropbear@.service.j2 index e355dab43..e355dab43 100644 --- a/data/templates/conserver/dropbear@.service.tmpl +++ b/data/templates/conserver/dropbear@.service.j2 diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2 new file mode 100644 index 000000000..2e86466a1 --- /dev/null +++ b/data/templates/container/registries.conf.j2 @@ -0,0 +1,27 @@ +### Autogenerated by container.py ### + +# For more information on this configuration file, see containers-registries.conf(5). +# +# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES +# We recommend always using fully qualified image names including the registry +# server (full dns name), namespace, image name, and tag +# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e., +# quay.io/repository/name@digest) further eliminates the ambiguity of tags. +# When using short names, there is always an inherent risk that the image being +# pulled could be spoofed. For example, a user wants to pull an image named +# `foobar` from a registry and expects it to come from myregistry.com. If +# myregistry.com is not first in the search list, an attacker could place a +# different `foobar` image at a registry earlier in the search list. The user +# would accidentally pull and run the attacker's image and code rather than the +# intended content. We recommend only adding registries which are completely +# trusted (i.e., registries which don't allow unknown or anonymous users to +# create accounts with arbitrary names). This will prevent an image from being +# spoofed, squatted or otherwise made insecure. If it is necessary to use one +# of these registries, it should be added at the end of the list. +# +# An array of host[:port] registries to try when pulling an unqualified image, in order. +# unqualified-search-registries = ["example.com"] + +{% if registry is vyos_defined %} +unqualified-search-registries = {{ registry }} +{% endif %} diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2 new file mode 100644 index 000000000..665f9bf95 --- /dev/null +++ b/data/templates/container/storage.conf.j2 @@ -0,0 +1,4 @@ +### Autogenerated by container.py ### +[storage] + driver = "vfs" + graphroot = "/usr/lib/live/mount/persistence/container/storage" diff --git a/data/templates/containers/registry.tmpl b/data/templates/containers/registry.tmpl deleted file mode 100644 index 0cbd9ecc2..000000000 --- a/data/templates/containers/registry.tmpl +++ /dev/null @@ -1,5 +0,0 @@ -### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### - -{% if registry is vyos_defined %} -unqualified-search-registries = {{ registry }} -{% endif %} diff --git a/data/templates/containers/storage.tmpl b/data/templates/containers/storage.tmpl deleted file mode 100644 index 3a69b7252..000000000 --- a/data/templates/containers/storage.tmpl +++ /dev/null @@ -1,5 +0,0 @@ -### Autogenerated by /usr/libexec/vyos/conf_mode/containers.py ### - -[storage] - driver = "vfs" - graphroot = "/config/containers/storage" diff --git a/data/templates/dhcp-client/daemon-options.j2 b/data/templates/dhcp-client/daemon-options.j2 new file mode 100644 index 000000000..b21ad08ab --- /dev/null +++ b/data/templates/dhcp-client/daemon-options.j2 @@ -0,0 +1,4 @@ +### Autogenerated by interface.py ### +{% set if_metric = '-e IF_METRIC=' ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined else '' %} +DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases {{ if_metric }} {{ ifname }}" + diff --git a/data/templates/dhcp-client/daemon-options.tmpl b/data/templates/dhcp-client/daemon-options.tmpl deleted file mode 100644 index 5b3bff73f..000000000 --- a/data/templates/dhcp-client/daemon-options.tmpl +++ /dev/null @@ -1,4 +0,0 @@ -### Autogenerated by interface.py ### - -DHCLIENT_OPTS="-nw -cf /var/lib/dhcp/dhclient_{{ ifname }}.conf -pf /var/lib/dhcp/dhclient_{{ ifname }}.pid -lf /var/lib/dhcp/dhclient_{{ ifname }}.leases{{" -e IF_METRIC=" ~ dhcp_options.default_route_distance if dhcp_options.default_route_distance is vyos_defined }} {{ ifname }}" - diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.j2 index 83fb93dc1..cc5ddf09c 100644 --- a/data/templates/dhcp-client/ipv4.tmpl +++ b/data/templates/dhcp-client/ipv4.j2 @@ -8,12 +8,12 @@ initial-interval 2; interface "{{ ifname }}" { send host-name "{{ dhcp_options.host_name }}"; {% if dhcp_options.client_id is vyos_defined %} -{% set client_id = dhcp_options.client_id %} +{% set client_id = dhcp_options.client_id %} {# Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #} -{% if not dhcp_options.client_id.split(':') | length >= 5 %} -{% set client_id = '"' + dhcp_options.client_id + '"' %} -{% endif %} - send dhcp-client-identifier {{ client_id }}; +{% if not dhcp_options.client_id.split(':') | length >= 5 %} +{% set client_id = '"' + dhcp_options.client_id + '"' %} +{% endif %} + send dhcp-client-identifier {{ client_id }}; {% endif %} {% if dhcp_options.vendor_class_id is vyos_defined %} send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}"; diff --git a/data/templates/dhcp-client/ipv6.tmpl b/data/templates/dhcp-client/ipv6.j2 index 085cfe5a9..e136b1789 100644 --- a/data/templates/dhcp-client/ipv6.tmpl +++ b/data/templates/dhcp-client/ipv6.j2 @@ -8,53 +8,53 @@ interface {{ ifname }} { {% if address is vyos_defined and 'dhcpv6' in address %} request domain-name-servers; request domain-name; -{% if dhcpv6_options.parameters_only is vyos_defined %} +{% if dhcpv6_options.parameters_only is vyos_defined %} information-only; -{% endif %} -{% if dhcpv6_options.temporary is not vyos_defined %} +{% endif %} +{% if dhcpv6_options.temporary is not vyos_defined %} send ia-na 0; # non-temporary address -{% endif %} -{% if dhcpv6_options.rapid_commit is vyos_defined %} +{% endif %} +{% if dhcpv6_options.rapid_commit is vyos_defined %} send rapid-commit; # wait for immediate reply instead of advertisements -{% endif %} +{% endif %} {% endif %} {% if dhcpv6_options.pd is vyos_defined %} -{% for pd in dhcpv6_options.pd %} +{% for pd in dhcpv6_options.pd %} send ia-pd {{ pd }}; # prefix delegation #{{ pd }} -{% endfor %} +{% endfor %} {% endif %} }; {% if address is vyos_defined and 'dhcpv6' in address %} -{% if dhcpv6_options.temporary is not vyos_defined %} +{% if dhcpv6_options.temporary is not vyos_defined %} id-assoc na 0 { # Identity association for non temporary address }; -{% endif %} +{% endif %} {% endif %} {% if dhcpv6_options.pd is vyos_defined %} -{% for pd, pd_config in dhcpv6_options.pd.items() %} +{% for pd, pd_config in dhcpv6_options.pd.items() %} id-assoc pd {{ pd }} { {# length got a default value #} prefix ::/{{ pd_config.length }} infinity; -{% set sla_len = 64 - pd_config.length|int %} -{% set count = namespace(value=0) %} -{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} +{% set sla_len = 64 - pd_config.length | int %} +{% set count = namespace(value=0) %} +{% for interface, interface_config in pd_config.interface.items() if pd_config.interface is vyos_defined %} prefix-interface {{ interface }} { sla-len {{ sla_len }}; -{% if interface_config.sla_id is vyos_defined %} +{% if interface_config.sla_id is vyos_defined %} sla-id {{ interface_config.sla_id }}; -{% else %} +{% else %} sla-id {{ count.value }}; -{% endif %} -{% if interface_config.address is vyos_defined %} +{% endif %} +{% if interface_config.address is vyos_defined %} ifid {{ interface_config.address }}; -{% endif %} +{% endif %} }; -{% set count.value = count.value + 1 %} -{% endfor %} +{% set count.value = count.value + 1 %} +{% endfor %} }; -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/dhcp-relay/dhcrelay.conf.tmpl b/data/templates/dhcp-relay/dhcrelay.conf.j2 index 11710bd8e..11710bd8e 100644 --- a/data/templates/dhcp-relay/dhcrelay.conf.tmpl +++ b/data/templates/dhcp-relay/dhcrelay.conf.j2 diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.tmpl b/data/templates/dhcp-relay/dhcrelay6.conf.j2 index 1fd5de18c..6365346b4 100644 --- a/data/templates/dhcp-relay/dhcrelay6.conf.tmpl +++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2 @@ -3,18 +3,18 @@ {# upstream_interface is mandatory so it's always present #} {% set upstream = namespace(value='') %} {% for interface, config in upstream_interface.items() %} -{% for address in config.address %} -{% set upstream.value = upstream.value ~ '-u ' ~ address ~ '%' ~ interface ~ ' ' %} -{% endfor %} +{% for address in config.address %} +{% set upstream.value = upstream.value ~ '-u ' ~ address ~ '%' ~ interface ~ ' ' %} +{% endfor %} {% endfor %} {# listen_interface is mandatory so it's always present #} {% set listen = namespace(value='') %} {% for interface, config in listen_interface.items() %} -{% if config.address is vyos_defined %} -{% set listen.value = listen.value ~ '-l ' ~ config.address ~ '%' ~ interface ~ ' ' %} -{% else %} -{% set listen.value = listen.value ~ '-l ' ~ interface ~ ' ' %} -{% endif %} +{% if config.address is vyos_defined %} +{% set listen.value = listen.value ~ '-l ' ~ config.address ~ '%' ~ interface ~ ' ' %} +{% else %} +{% set listen.value = listen.value ~ '-l ' ~ interface ~ ' ' %} +{% endif %} {% endfor %} OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}" diff --git a/data/templates/dhcp-server/dhcpd.conf.tmpl b/data/templates/dhcp-server/dhcpd.conf.j2 index b16d82f5c..4c2da0aa5 100644 --- a/data/templates/dhcp-server/dhcpd.conf.tmpl +++ b/data/templates/dhcp-server/dhcpd.conf.j2 @@ -23,24 +23,33 @@ option rfc3442-static-route code 121 = array of integer 8; option windows-static-route code 249 = array of integer 8; option wpad-url code 252 = text; +# Vendor specific options - Ubiquiti Networks +option space ubnt; +option ubnt.unifi-controller code 1 = ip-address; +class "ubnt" { + match if substring (option vendor-class-identifier , 0, 4) = "ubnt"; + option vendor-class-identifier "ubnt"; + vendor-option-space ubnt; +} + {% if global_parameters is vyos_defined %} # The following {{ global_parameters | length }} line(s) have been added as # global-parameters in the CLI and have not been validated !!! -{% for parameter in global_parameters %} +{% for parameter in global_parameters %} {{ parameter }} -{% endfor %} +{% endfor %} {% endif %} {% if failover is vyos_defined %} # DHCP failover configuration failover peer "{{ failover.name }}" { -{% if failover.status == 'primary' %} +{% if failover.status == 'primary' %} primary; mclt 1800; split 128; -{% elif failover.status == 'secondary' %} +{% elif failover.status == 'secondary' %} secondary; -{% endif %} +{% endif %} address {{ failover.source_address }}; port 647; peer address {{ failover.remote }}; @@ -53,167 +62,173 @@ failover peer "{{ failover.name }}" { {% if listen_address is vyos_defined %} # DHCP server serving relay subnet, we need a connector to the real world -{% for address in listen_address %} +{% for address in listen_address %} # Connected subnet statement for listen-address {{ address }} subnet {{ address | network_from_ipv4 }} netmask {{ address | netmask_from_ipv4 }} { } -{% endfor %} +{% endfor %} {% endif %} # Shared network configration(s) {% if shared_network_name is vyos_defined %} -{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %} -shared-network {{ network | replace('_','-') }} { -{% if network_config.authoritative is vyos_defined %} +{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %} +shared-network {{ network }} { +{% if network_config.authoritative is vyos_defined %} authoritative; -{% endif %} -{% if network_config.name_server is vyos_defined %} +{% endif %} +{% if network_config.name_server is vyos_defined %} option domain-name-servers {{ network_config.name_server | join(', ') }}; -{% endif %} -{% if network_config.domain_name is vyos_defined %} +{% endif %} +{% if network_config.domain_name is vyos_defined %} option domain-name "{{ network_config.domain_name }}"; -{% endif %} -{% if network_config.domain_search is vyos_defined %} +{% endif %} +{% if network_config.domain_search is vyos_defined %} option domain-search "{{ network_config.domain_search | join('", "') }}"; -{% endif %} -{% if network_config.ntp_server is vyos_defined %} +{% endif %} +{% if network_config.ntp_server is vyos_defined %} option ntp-servers {{ network_config.ntp_server | join(', ') }}; -{% endif %} -{% if network_config.ping_check is vyos_defined %} +{% endif %} +{% if network_config.ping_check is vyos_defined %} ping-check true; -{% endif %} -{% if network_config.shared_network_parameters is vyos_defined %} +{% endif %} +{% if network_config.shared_network_parameters is vyos_defined %} # The following {{ network_config.shared_network_parameters | length }} line(s) # were added as shared-network-parameters in the CLI and have not been validated -{% for parameter in network_config.shared_network_parameters %} +{% for parameter in network_config.shared_network_parameters %} {{ parameter }} -{% endfor %} -{% endif %} -{% if network_config.subnet is vyos_defined %} -{% for subnet, subnet_config in network_config.subnet.items() %} -{% if subnet_config.description is vyos_defined %} - # {{ subnet_config.description }} +{% endfor %} {% endif %} +{% if network_config.subnet is vyos_defined %} +{% for subnet, subnet_config in network_config.subnet.items() %} +{% if subnet_config.description is vyos_defined %} + # {{ subnet_config.description }} +{% endif %} subnet {{ subnet | address_from_cidr }} netmask {{ subnet | netmask_from_cidr }} { -{% if subnet_config.name_server is vyos_defined %} +{% if subnet_config.name_server is vyos_defined %} option domain-name-servers {{ subnet_config.name_server | join(', ') }}; -{% endif %} -{% if subnet_config.domain_name is vyos_defined %} +{% endif %} +{% if subnet_config.domain_name is vyos_defined %} option domain-name "{{ subnet_config.domain_name }}"; -{% endif %} -{% if subnet_config.domain_search is vyos_defined %} +{% endif %} +{% if subnet_config.domain_search is vyos_defined %} option domain-search "{{ subnet_config.domain_search | join('", "') }}"; -{% endif %} -{% if subnet_config.ntp_server is vyos_defined %} +{% endif %} +{% if subnet_config.ntp_server is vyos_defined %} option ntp-servers {{ subnet_config.ntp_server | join(', ') }}; -{% endif %} -{% if subnet_config.pop_server is vyos_defined %} +{% endif %} +{% if subnet_config.pop_server is vyos_defined %} option pop-server {{ subnet_config.pop_server | join(', ') }}; -{% endif %} -{% if subnet_config.smtp_server is vyos_defined %} +{% endif %} +{% if subnet_config.smtp_server is vyos_defined %} option smtp-server {{ subnet_config.smtp_server | join(', ') }}; -{% endif %} -{% if subnet_config.time_server is vyos_defined %} +{% endif %} +{% if subnet_config.time_server is vyos_defined %} option time-servers {{ subnet_config.time_server | join(', ') }}; -{% endif %} -{% if subnet_config.wins_server is vyos_defined %} +{% endif %} +{% if subnet_config.wins_server is vyos_defined %} option netbios-name-servers {{ subnet_config.wins_server | join(', ') }}; -{% endif %} -{% if subnet_config.static_route is vyos_defined %} -{% set static_default_route = '' %} -{% if subnet_config.default_router is vyos_defined %} -{% set static_default_route = ', ' ~ '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %} -{% endif %} -{% if subnet_config.static_route is vyos_defined %} -{% set rfc3442_routes = [] %} -{% for route, route_options in subnet_config.static_route.items() %} -{% set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %} -{% endfor %} +{% endif %} +{% if subnet_config.static_route is vyos_defined %} +{% set static_default_route = '' %} +{% if subnet_config.default_router is vyos_defined %} +{% set static_default_route = ', ' ~ '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %} +{% endif %} +{% if subnet_config.static_route is vyos_defined %} +{% set rfc3442_routes = [] %} +{% for route, route_options in subnet_config.static_route.items() %} +{% set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %} +{% endfor %} option rfc3442-static-route {{ rfc3442_routes | join(', ') }}{{ static_default_route }}; option windows-static-route {{ rfc3442_routes | join(', ') }}; -{% endif %} -{% endif %} -{% if subnet_config.ip_forwarding is vyos_defined %} +{% endif %} +{% endif %} +{% if subnet_config.ip_forwarding is vyos_defined %} option ip-forwarding true; -{% endif %} -{% if subnet_config.default_router is vyos_defined %} +{% endif %} +{% if subnet_config.default_router is vyos_defined %} option routers {{ subnet_config.default_router }}; -{% endif %} -{% if subnet_config.server_identifier is vyos_defined %} +{% endif %} +{% if subnet_config.server_identifier is vyos_defined %} option dhcp-server-identifier {{ subnet_config.server_identifier }}; -{% endif %} -{% if subnet_config.subnet_parameters is vyos_defined %} +{% endif %} +{% if subnet_config.subnet_parameters is vyos_defined %} # The following {{ subnet_config.subnet_parameters | length }} line(s) were added as # subnet-parameters in the CLI and have not been validated!!! -{% for parameter in subnet_config.subnet_parameters %} +{% for parameter in subnet_config.subnet_parameters %} {{ parameter }} -{% endfor %} -{% endif %} -{% if subnet_config.tftp_server_name is vyos_defined %} +{% endfor %} +{% endif %} +{% if subnet_config.tftp_server_name is vyos_defined %} option tftp-server-name "{{ subnet_config.tftp_server_name }}"; -{% endif %} -{% if subnet_config.bootfile_name is vyos_defined %} +{% endif %} +{% if subnet_config.bootfile_name is vyos_defined %} option bootfile-name "{{ subnet_config.bootfile_name }}"; filename "{{ subnet_config.bootfile_name }}"; -{% endif %} -{% if subnet_config.bootfile_server is vyos_defined %} +{% endif %} +{% if subnet_config.bootfile_server is vyos_defined %} next-server {{ subnet_config.bootfile_server }}; -{% endif %} -{% if subnet_config.time_offset is vyos_defined %} +{% endif %} +{% if subnet_config.bootfile_size is vyos_defined %} + option boot-size {{ subnet_config.bootfile_size }}; +{% endif %} +{% if subnet_config.time_offset is vyos_defined %} option time-offset {{ subnet_config.time_offset }}; -{% endif %} -{% if subnet_config.wpad_url is vyos_defined %} +{% endif %} +{% if subnet_config.wpad_url is vyos_defined %} option wpad-url "{{ subnet_config.wpad_url }}"; -{% endif %} -{% if subnet_config.client_prefix_length is vyos_defined %} +{% endif %} +{% if subnet_config.client_prefix_length is vyos_defined %} option subnet-mask {{ ('0.0.0.0/' ~ subnet_config.client_prefix_length) | netmask_from_cidr }}; -{% endif %} -{% if subnet_config.lease is vyos_defined %} +{% endif %} +{% if subnet_config.lease is vyos_defined %} default-lease-time {{ subnet_config.lease }}; max-lease-time {{ subnet_config.lease }}; -{% endif %} -{% if network_config.ping_check is not vyos_defined and subnet_config.ping_check is vyos_defined %} +{% endif %} +{% if network_config.ping_check is not vyos_defined and subnet_config.ping_check is vyos_defined %} ping-check true; -{% endif %} -{% if subnet_config.static_mapping is vyos_defined %} -{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %} +{% endif %} +{% if subnet_config.static_mapping is vyos_defined %} +{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %} host {{ host | replace('_','-') if host_decl_name is vyos_defined else network | replace('_','-') ~ '_' ~ host | replace('_','-') }} { -{% if host_config.ip_address is vyos_defined %} +{% if host_config.ip_address is vyos_defined %} fixed-address {{ host_config.ip_address }}; -{% endif %} +{% endif %} hardware ethernet {{ host_config.mac_address }}; -{% if host_config.static_mapping_parameters is vyos_defined %} +{% if host_config.static_mapping_parameters is vyos_defined %} # The following {{ host_config.static_mapping_parameters | length }} line(s) were added # as static-mapping-parameters in the CLI and have not been validated -{% for parameter in host_config.static_mapping_parameters %} +{% for parameter in host_config.static_mapping_parameters %} {{ parameter }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} } -{% endfor %} -{% endif %} -{% if subnet_config.range is vyos_defined %} +{% endfor %} +{% endif %} +{% if subnet_config.vendor_option.ubiquiti.unifi_controller is vyos_defined %} + option ubnt.unifi-controller {{ subnet_config.vendor_option.ubiquiti.unifi_controller }}; +{% endif %} +{% if subnet_config.range is vyos_defined %} {# pool configuration can only be used if there follows a range option #} pool { -{% endif %} -{% if subnet_config.enable_failover is vyos_defined %} +{% endif %} +{% if subnet_config.enable_failover is vyos_defined %} failover peer "{{ failover.name }}"; deny dynamic bootp clients; -{% endif %} -{% if subnet_config.range is vyos_defined %} -{% for range, range_options in subnet_config.range.items() %} +{% endif %} +{% if subnet_config.range is vyos_defined %} +{% for range, range_options in subnet_config.range.items() %} range {{ range_options.start }} {{ range_options.stop }}; -{% endfor %} -{% endif %} -{% if subnet_config.range is vyos_defined %} +{% endfor %} +{% endif %} +{% if subnet_config.range is vyos_defined %} {# pool configuration can only be used if there follows a range option #} } -{% endif %} +{% endif %} } -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} on commit { - set shared-networkname = "{{ network | replace('_','-') }}"; -{% if hostfile_update is vyos_defined %} + set shared-networkname = "{{ network }}"; +{% if hostfile_update is vyos_defined %} set ClientIp = binary-to-ascii(10, 8, ".", leased-address); set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6)); set ClientName = pick-first-value(host-decl-name, option fqdn.hostname, option host-name, "empty_hostname"); @@ -223,9 +238,9 @@ shared-network {{ network | replace('_','-') }} { } else { log(concat("Hostname is not defined for client with IP: ", ClientIP, " MAC: ", ClientMac)); } -{% endif %} +{% endif %} } } -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/dhcp-server/dhcpdv6.conf.j2 b/data/templates/dhcp-server/dhcpdv6.conf.j2 new file mode 100644 index 000000000..5c3471316 --- /dev/null +++ b/data/templates/dhcp-server/dhcpdv6.conf.j2 @@ -0,0 +1,132 @@ +### Autogenerated by dhcpv6_server.py ### + +# For options please consult the following website: +# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html + +log-facility local7; +{% if preference is vyos_defined %} +option dhcp6.preference {{ preference }}; +{% endif %} + +{% if global_parameters.name_server is vyos_defined %} +option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }}; +{% endif %} + +# Vendor specific options - Cisco +option space cisco code width 2 length width 2; +option cisco.tftp-servers code 1 = array of ip6-address; +option vsio.cisco code 9 = encapsulate cisco; + +# Shared network configration(s) +{% if shared_network_name is vyos_defined %} +{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %} +shared-network {{ network }} { +{% if network_config.common_options is vyos_defined %} +{% if network_config.common_options.info_refresh_time is vyos_defined %} + option dhcp6.info-refresh-time {{ network_config.common_options.info_refresh_time }}; +{% endif %} +{% if network_config.common_options.domain_search is vyos_defined %} + option dhcp6.domain-search "{{ network_config.common_options.domain_search | join('", "') }}"; +{% endif %} +{% if network_config.common_options.name_server is vyos_defined %} + option dhcp6.name-servers {{ network_config.common_options.name_server | join(', ') }}; +{% endif %} +{% endif %} +{% if network_config.subnet is vyos_defined %} +{% for subnet, subnet_config in network_config.subnet.items() %} + subnet6 {{ subnet }} { +{% if subnet_config.address_range is vyos_defined %} +{% if subnet_config.address_range.prefix is vyos_defined %} +{% for prefix, prefix_config in subnet_config.address_range.prefix.items() %} + range6 {{ prefix }} {{ "temporary" if prefix_config.temporary is vyos_defined }}; +{% endfor %} +{% endif %} +{% if subnet_config.address_range.start is vyos_defined %} +{% for address, address_config in subnet_config.address_range.start.items() %} + range6 {{ address }} {{ address_config.stop }}; +{% endfor %} +{% endif %} +{% endif %} +{% if subnet_config.domain_search is vyos_defined %} + option dhcp6.domain-search "{{ subnet_config.domain_search | join('", "') }}"; +{% endif %} +{% if subnet_config.lease_time is vyos_defined %} +{% if subnet_config.lease_time.default is vyos_defined %} + default-lease-time {{ subnet_config.lease_time.default }}; +{% endif %} +{% if subnet_config.lease_time.maximum is vyos_defined %} + max-lease-time {{ subnet_config.lease_time.maximum }}; +{% endif %} +{% if subnet_config.lease_time.minimum is vyos_defined %} + min-lease-time {{ subnet_config.lease_time.minimum }}; +{% endif %} +{% endif %} +{% if subnet_config.name_server is vyos_defined %} + option dhcp6.name-servers {{ subnet_config.name_server | join(', ') }}; +{% endif %} +{% if subnet_config.nis_domain is vyos_defined %} + option dhcp6.nis-domain-name "{{ subnet_config.nis_domain }}"; +{% endif %} +{% if subnet_config.nis_server is vyos_defined %} + option dhcp6.nis-servers {{ subnet_config.nis_server | join(', ') }}; +{% endif %} +{% if subnet_config.nisplus_domain is vyos_defined %} + option dhcp6.nisp-domain-name "{{ subnet_config.nisplus_domain }}"; +{% endif %} +{% if subnet_config.nisplus_server is vyos_defined %} + option dhcp6.nisp-servers {{ subnet_config.nisplus_server | join(', ') }}; +{% endif %} +{% if subnet_config.sip_server is vyos_defined %} +{% set server_ip = [] %} +{% set server_fqdn = [] %} +{% for address in subnet_config.sip_server %} +{% if address | is_ipv6 %} +{% set server_ip = server_ip.append(address) %} +{% else %} +{% set server_fqdn = server_fqdn.append(address) %} +{% endif %} +{% endfor %} +{% if server_ip is vyos_defined and server_ip | length > 0 %} + option dhcp6.sip-servers-addresses {{ server_ip | join(', ') }}; +{% endif %} +{% if server_fqdn is vyos_defined and server_fqdn | length > 0 %} + option dhcp6.sip-servers-names "{{ server_fqdn | join('", "') }}"; +{% endif %} +{% endif %} +{% if subnet_config.sntp_server is vyos_defined %} + option dhcp6.sntp-servers {{ subnet_config.sntp_server | join(', ') }}; +{% endif %} +{% if subnet_config.prefix_delegation.start is vyos_defined %} +{% for prefix, prefix_config in subnet_config.prefix_delegation.start.items() %} + prefix6 {{ prefix }} {{ prefix_config.stop }} /{{ prefix_config.prefix_length }}; +{% endfor %} +{% endif %} +{% if subnet_config.static_mapping is vyos_defined %} + + # begin configuration of static client mappings +{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %} + host {{ network | replace('_','-') }}_{{ host | replace('_','-') }} { +{% if host_config.identifier is vyos_defined %} + host-identifier option dhcp6.client-id {{ host_config.identifier }}; +{% endif %} +{% if host_config.ipv6_address is vyos_defined %} + fixed-address6 {{ host_config.ipv6_address }}; +{% endif %} +{% if host_config.ipv6_prefix is vyos_defined %} + fixed-prefix6 {{ host_config.ipv6_prefix }}; +{% endif %} + } +{% endfor %} +{% endif %} +{% if subnet_config.vendor_option.cisco.tftp_server is vyos_defined %} + option cisco.tftp-servers {{ subnet_config.vendor_option.cisco.tftp_server | join(', ') }}; +{% endif %} + } +{% endfor %} +{% endif %} + on commit { + set shared-networkname = "{{ network }}"; + } +} +{% endfor %} +{% endif %} diff --git a/data/templates/dhcp-server/dhcpdv6.conf.tmpl b/data/templates/dhcp-server/dhcpdv6.conf.tmpl deleted file mode 100644 index c6a4f4c92..000000000 --- a/data/templates/dhcp-server/dhcpdv6.conf.tmpl +++ /dev/null @@ -1,124 +0,0 @@ -### Autogenerated by dhcpv6_server.py ### - -# For options please consult the following website: -# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html - -log-facility local7; -{% if preference is vyos_defined %} -option dhcp6.preference {{ preference }}; -{% endif %} - -{% if global_parameters.name_server is vyos_defined %} -option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }}; -{% endif %} - -# Shared network configration(s) -{% if shared_network_name is vyos_defined %} -{% for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %} -shared-network {{ network | replace('_','-') }} { -{% if network_config.common_options is vyos_defined %} -{% if network_config.common_options.info_refresh_time is vyos_defined %} - option dhcp6.info-refresh-time {{ network_config.common_options.info_refresh_time }}; -{% endif %} -{% if network_config.common_options.domain_search is vyos_defined %} - option dhcp6.domain-search "{{ network_config.common_options.domain_search | join('", "') }}"; -{% endif %} -{% if network_config.common_options.name_server is vyos_defined %} - option dhcp6.name-servers {{ network_config.common_options.name_server | join(', ') }}; -{% endif %} -{% endif %} -{% if network_config.subnet is vyos_defined %} -{% for subnet, subnet_config in network_config.subnet.items() %} - subnet6 {{ subnet }} { -{% if subnet_config.address_range is vyos_defined %} -{% if subnet_config.address_range.prefix is vyos_defined %} -{% for prefix, prefix_config in subnet_config.address_range.prefix.items() %} - range6 {{ prefix }} {{ "temporary" if prefix_config.temporary is vyos_defined }}; -{% endfor %} -{% endif %} -{% if subnet_config.address_range.start is vyos_defined %} -{% for address, address_config in subnet_config.address_range.start.items() %} - range6 {{ address }} {{ address_config.stop }}; -{% endfor %} -{% endif %} -{% endif %} -{% if subnet_config.domain_search is vyos_defined %} - option dhcp6.domain-search "{{ subnet_config.domain_search | join('", "') }}"; -{% endif %} -{% if subnet_config.lease_time is vyos_defined %} -{% if subnet_config.lease_time.default is vyos_defined %} - default-lease-time {{ subnet_config.lease_time.default }}; -{% endif %} -{% if subnet_config.lease_time.maximum is vyos_defined %} - max-lease-time {{ subnet_config.lease_time.maximum }}; -{% endif %} -{% if subnet_config.lease_time.minimum is vyos_defined %} - min-lease-time {{ subnet_config.lease_time.minimum }}; -{% endif %} -{% endif %} -{% if subnet_config.name_server is vyos_defined %} - option dhcp6.name-servers {{ subnet_config.name_server | join(', ') }}; -{% endif %} -{% if subnet_config.nis_domain is vyos_defined %} - option dhcp6.nis-domain-name "{{ subnet_config.nis_domain }}"; -{% endif %} -{% if subnet_config.nis_server is vyos_defined %} - option dhcp6.nis-servers {{ subnet_config.nis_server | join(', ') }}; -{% endif %} -{% if subnet_config.nisplus_domain is vyos_defined %} - option dhcp6.nisp-domain-name "{{ subnet_config.nisplus_domain }}"; -{% endif %} -{% if subnet_config.nisplus_server is vyos_defined %} - option dhcp6.nisp-servers {{ subnet_config.nisplus_server | join(', ') }}; -{% endif %} -{% if subnet_config.sip_server is vyos_defined %} -{% set server_ip = [] %} -{% set server_fqdn = [] %} -{% for address in subnet_config.sip_server %} -{% if address | is_ipv6 %} -{% set server_ip = server_ip.append(address) %} -{% else %} -{% set server_fqdn = server_fqdn.append(address) %} -{% endif %} -{% endfor %} -{% if server_ip is vyos_defined and server_ip | length > 0 %} - option dhcp6.sip-servers-addresses {{ server_ip | join(', ') }}; -{% endif %} -{% if server_fqdn is vyos_defined and server_fqdn | length > 0 %} - option dhcp6.sip-servers-names "{{ server_fqdn | join('", "') }}"; -{% endif %} -{% endif %} -{% if subnet_config.sntp_server is vyos_defined %} - option dhcp6.sntp-servers {{ subnet_config.sntp_server | join(', ') }}; -{% endif %} -{% if subnet_config.prefix_delegation.start is vyos_defined %} -{% for prefix, prefix_config in subnet_config.prefix_delegation.start.items() %} - prefix6 {{ prefix }} {{ prefix_config.stop }} /{{ prefix_config.prefix_length }}; -{% endfor %} -{% endif %} -{% if subnet_config.static_mapping is vyos_defined %} - - # begin configuration of static client mappings -{% for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %} - host {{ network | replace('_','-') }}_{{ host | replace('_','-') }} { -{% if host_config.identifier is vyos_defined %} - host-identifier option dhcp6.client-id {{ host_config.identifier }}; -{% endif %} -{% if host_config.ipv6_address is vyos_defined %} - fixed-address6 {{ host_config.ipv6_address }}; -{% endif %} -{% if host_config.ipv6_prefix is vyos_defined %} - fixed-prefix6 {{ host_config.ipv6_prefix }}; -{% endif %} - } -{% endfor %} -{% endif %} - } -{% endfor %} -{% endif %} - on commit { - set shared-networkname = "{{ network | replace('_','-') }}"; - } -} -{% endfor %} -{% endif %} diff --git a/data/templates/dns-forwarding/recursor.conf.tmpl b/data/templates/dns-forwarding/recursor.conf.j2 index d4ec80a3a..c1950e1bc 100644 --- a/data/templates/dns-forwarding/recursor.conf.tmpl +++ b/data/templates/dns-forwarding/recursor.conf.j2 @@ -1,3 +1,4 @@ +{# j2lint: disable=single-statement-per-line #} ### Autogenerated by dns_forwarding.py ### # XXX: pdns recursor doesn't like whitespace near entry separators, @@ -23,7 +24,7 @@ max-negative-ttl={{ negative_ttl }} network-timeout={{ timeout }} # ignore-hosts-file -export-etc-hosts={{ 'no' if ignore_hosts_file is defined else 'yes' }} +export-etc-hosts={{ 'no' if ignore_hosts_file is vyos_defined else 'yes' }} # listen-address local-address={{ listen_address | join(',') }} @@ -32,7 +33,7 @@ local-address={{ listen_address | join(',') }} dnssec={{ dnssec }} # serve rfc1918 records -serve-rfc1918={{ 'no' if no_serve_rfc1918 is defined else 'yes' }} +serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }} # zones auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %} diff --git a/data/templates/dns-forwarding/recursor.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.conf.lua.j2 index e2506238d..e2506238d 100644 --- a/data/templates/dns-forwarding/recursor.conf.lua.tmpl +++ b/data/templates/dns-forwarding/recursor.conf.lua.j2 diff --git a/data/templates/dns-forwarding/recursor.forward-zones.conf.tmpl b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 index 3ab0c804d..de3269e47 100644 --- a/data/templates/dns-forwarding/recursor.forward-zones.conf.tmpl +++ b/data/templates/dns-forwarding/recursor.forward-zones.conf.j2 @@ -1,3 +1,4 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} # Autogenerated by VyOS (vyos-hostsd) # Do not edit, your changes will get overwritten @@ -7,11 +8,11 @@ {# the order of tags, then by the order of nameservers within that tag #} {% set n = namespace(dot_zone_ns='') %} {% for tag in name_server_tags_recursor %} -{% set ns = '' %} -{% if tag in name_servers %} -{% set ns = ns + name_servers[tag]|join(', ') %} -{% set n.dot_zone_ns = (n.dot_zone_ns, ns)|join(', ') if n.dot_zone_ns != '' else ns %} -{% endif %} +{% set ns = '' %} +{% if tag in name_servers %} +{% set ns = ns + name_servers[tag] | join(', ') %} +{% set n.dot_zone_ns = (n.dot_zone_ns, ns) | join(', ') if n.dot_zone_ns != '' else ns %} +{% endif %} # {{ tag }}: {{ ns }} {% endfor %} @@ -19,10 +20,10 @@ +.={{ n.dot_zone_ns }} {% endif %} -{% if forward_zones is defined %} +{% if forward_zones is vyos_defined %} # zones added via 'service dns forwarding domain' -{% for zone, zonedata in forward_zones.items() %} -{{ "+" if zonedata['recursion_desired'] is defined }}{{ zone | replace('_', '-') }}={{ zonedata['server']|join(', ') }} -{% endfor %} +{% for zone, zonedata in forward_zones.items() %} +{{ "+" if zonedata.recursion_desired is vyos_defined }}{{ zone | replace('_', '-') }}={{ zonedata.server | join(', ') }} +{% endfor %} {% endif %} diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 new file mode 100644 index 000000000..987c7de1f --- /dev/null +++ b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.j2 @@ -0,0 +1,30 @@ +-- Autogenerated by VyOS (vyos-hostsd) -- +-- Do not edit, your changes will get overwritten -- + +{% if hosts %} +-- from 'system static-host-mapping' and DHCP server +{% for tag, taghosts in hosts.items() %} +{% for host, hostprops in taghosts.items() %} +addNTA("{{ host }}.", "{{ tag }}") +{% for a in hostprops['aliases'] %} +addNTA("{{ a }}.", "{{ tag }} alias") +{% endfor %} +{% endfor %} +{% endfor %} +{% endif %} + +{% if forward_zones is vyos_defined %} +-- from 'service dns forwarding domain' +{% for zone, zonedata in forward_zones.items() %} +{% if zonedata.addnta is vyos_defined %} +addNTA("{{ zone }}", "static") +{% endif %} +{% endfor %} +{% endif %} + +{% if authoritative_zones is vyos_defined %} +-- from 'service dns forwarding authoritative-domain' +{% for zone in authoritative_zones %} +addNTA("{{ zone }}", "static") +{% endfor %} +{% endif %} diff --git a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl b/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl deleted file mode 100644 index 7f29c387e..000000000 --- a/data/templates/dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl +++ /dev/null @@ -1,30 +0,0 @@ --- Autogenerated by VyOS (vyos-hostsd) -- --- Do not edit, your changes will get overwritten -- - -{% if hosts %} --- from 'system static-host-mapping' and DHCP server -{% for tag, taghosts in hosts.items() %} -{% for host, hostprops in taghosts.items() %} -addNTA("{{ host }}.", "{{ tag }}") -{% for a in hostprops['aliases'] %} -addNTA("{{ a }}.", "{{ tag }} alias") -{% endfor %} -{% endfor %} -{% endfor %} -{% endif %} - -{% if forward_zones is defined %} --- from 'service dns forwarding domain' -{% for zone, zonedata in forward_zones.items() %} -{% if zonedata['addnta'] is defined %} -addNTA("{{ zone }}", "static") -{% endif %} -{% endfor %} -{% endif %} - -{% if authoritative_zones is defined %} --- from 'service dns forwarding authoritative-domain' -{% for zone in authoritative_zones %} -addNTA("{{ zone }}", "static") -{% endfor %} -{% endif %} diff --git a/data/templates/dns-forwarding/recursor.zone.conf.tmpl b/data/templates/dns-forwarding/recursor.zone.conf.j2 index 758871bef..25193c2ec 100644 --- a/data/templates/dns-forwarding/recursor.zone.conf.tmpl +++ b/data/templates/dns-forwarding/recursor.zone.conf.j2 @@ -1,7 +1,6 @@ ; ; Autogenerated by dns_forwarding.py ; -; {% for r in records %} -{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }} +{{ r.name }} {{ r.ttl }} {{ r.type }} {{ r.value }} {% endfor %} diff --git a/data/templates/dynamic-dns/ddclient.conf.j2 b/data/templates/dynamic-dns/ddclient.conf.j2 new file mode 100644 index 000000000..3c2d17cbb --- /dev/null +++ b/data/templates/dynamic-dns/ddclient.conf.j2 @@ -0,0 +1,51 @@ +### Autogenerated by dynamic_dns.py ### +daemon=1m +syslog=yes +ssl=yes + +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +# ddclient configuration for interface "{{ iface }}" +{% if iface_config.use_web is vyos_defined %} +{% set web_skip = ", web-skip='" ~ iface_config.use_web.skip ~ "'" if iface_config.use_web.skip is vyos_defined else '' %} +use=web, web='{{ iface_config.use_web.url }}'{{ web_skip }} +{% else %} +{{ 'usev6=if' if iface_config.ipv6_enable is vyos_defined else 'use=if' }}, if={{ iface }} +{% endif %} + +{% if iface_config.rfc2136 is vyos_defined %} +{% for rfc2136, config in iface_config.rfc2136.items() %} +{% for dns_record in config.record if config.record is vyos_defined %} +# RFC2136 dynamic DNS configuration for {{ rfc2136 }}, {{ config.zone }}, {{ dns_record }} +server={{ config.server }} +protocol=nsupdate +password={{ config.key }} +ttl={{ config.ttl }} +zone={{ config.zone }} +{{ dns_record }} + +{% endfor %} +{% endfor %} +{% endif %} + +{% if iface_config.service is vyos_defined %} +{% for service, config in iface_config.service.items() %} +{% for dns_record in config.host_name %} +# DynDNS provider configuration for {{ service }}, {{ dns_record }} +protocol={{ config.protocol }}, +max-interval=28d, +login={{ config.login }}, +password='{{ config.password }}', +{% if config.server is vyos_defined %} +server={{ config.server }}, +{% endif %} +{% if config.zone is vyos_defined %} +zone={{ config.zone }}, +{% endif %} +{{ dns_record }} + +{% endfor %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/dynamic-dns/ddclient.conf.tmpl b/data/templates/dynamic-dns/ddclient.conf.tmpl deleted file mode 100644 index 517e4bad4..000000000 --- a/data/templates/dynamic-dns/ddclient.conf.tmpl +++ /dev/null @@ -1,49 +0,0 @@ -### Autogenerated by dynamic_dns.py ### -daemon=1m -syslog=yes -ssl=yes - -{% for iface in interface %} -# ddclient configuration for interface "{{ iface }}" -{% if interface[iface].use_web is defined and interface[iface].use_web is not none %} -{% set web_skip = ", web-skip='" + interface[iface].use_web.skip + "'" if interface[iface].use_web.skip is defined else '' %} -use=web, web='{{ interface[iface].use_web.url }}'{{ web_skip }} -{% else %} -{{ 'usev6=if' if interface[iface].ipv6_enable is defined else 'use=if' }}, if={{ iface }} -{% endif %} - -{% if interface[iface].rfc2136 is defined and interface[iface].rfc2136 is not none %} -{% for rfc2136, config in interface[iface].rfc2136.items() %} -{% for dns_record in config.record if config.record is defined %} -# RFC2136 dynamic DNS configuration for {{ rfc2136 }}, {{ config.zone }}, {{ dns_record }} -server={{ config.server }} -protocol=nsupdate -password={{ config.key }} -ttl={{ config.ttl }} -zone={{ config.zone }} -{{ dns_record }} - -{% endfor %} -{% endfor %} -{% endif %} - -{% if interface[iface].service is defined and interface[iface].service is not none %} -{% for service, config in interface[iface].service.items() %} -{% for dns_record in config.host_name %} -# DynDNS provider configuration for {{ service }}, {{ dns_record }} -protocol={{ config.protocol }}, -max-interval=28d, -login={{ config.login }}, -password='{{ config.password }}', -{% if config.server %} -server={{ config.server }}, -{% endif %} -{% if config.zone %} -zone={{ config.zone }}, -{% endif %} -{{ dns_record }} - -{% endfor %} -{% endfor %} -{% endif %} -{% endfor %} diff --git a/data/templates/ethernet/wpa_supplicant.conf.tmpl b/data/templates/ethernet/wpa_supplicant.conf.j2 index 308d777f1..8f140f6cb 100644 --- a/data/templates/ethernet/wpa_supplicant.conf.tmpl +++ b/data/templates/ethernet/wpa_supplicant.conf.j2 @@ -31,19 +31,19 @@ ap_scan=0 fast_reauth=1 network={ -{% if eapol is defined and eapol is not none %} -{% if eapol.ca_certificate is defined and eapol.ca_certificate is not none %} +{% if eapol is vyos_defined %} +{% if eapol.ca_certificate is vyos_defined %} ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem" -{% endif %} +{% endif %} client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem" private_key="/run/wpa_supplicant/{{ ifname }}_cert.key" -{% endif %} +{% endif %} # list of accepted authenticated key management protocols key_mgmt=IEEE8021X eap=TLS -{% if mac is defined and mac is not none %} +{% if mac is vyos_defined %} identity="{{ mac }}" {% else %} identity="{{ hw_id }}" diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2 new file mode 100644 index 000000000..4fa92f2e3 --- /dev/null +++ b/data/templates/firewall/nftables-defines.j2 @@ -0,0 +1,32 @@ +{% if group is vyos_defined %} +{% if group.address_group is vyos_defined %} +{% for group_name, group_conf in group.address_group.items() %} +define A_{{ group_name }} = { {{ group_conf.address | join(",") }} } +{% endfor %} +{% endif %} +{% if group.ipv6_address_group is vyos_defined %} +{% for group_name, group_conf in group.ipv6_address_group.items() %} +define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} } +{% endfor %} +{% endif %} +{% if group.mac_group is vyos_defined %} +{% for group_name, group_conf in group.mac_group.items() %} +define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} } +{% endfor %} +{% endif %} +{% if group.network_group is vyos_defined %} +{% for group_name, group_conf in group.network_group.items() %} +define N_{{ group_name }} = { {{ group_conf.network | join(",") }} } +{% endfor %} +{% endif %} +{% if group.ipv6_network_group is vyos_defined %} +{% for group_name, group_conf in group.ipv6_network_group.items() %} +define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} } +{% endfor %} +{% endif %} +{% if group.port_group is vyos_defined %} +{% for group_name, group_conf in group.port_group.items() %} +define P_{{ group_name }} = { {{ group_conf.port | join(",") }} } +{% endfor %} +{% endif %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/firewall/nftables-defines.tmpl b/data/templates/firewall/nftables-defines.tmpl deleted file mode 100644 index d9eb7c199..000000000 --- a/data/templates/firewall/nftables-defines.tmpl +++ /dev/null @@ -1,32 +0,0 @@ -{% if group is defined %} -{% if group.address_group is defined %} -{% for group_name, group_conf in group.address_group.items() %} -define A_{{ group_name }} = { {{ group_conf.address | join(",") }} } -{% endfor %} -{% endif %} -{% if group.ipv6_address_group is defined %} -{% for group_name, group_conf in group.ipv6_address_group.items() %} -define A6_{{ group_name }} = { {{ group_conf.address | join(",") }} } -{% endfor %} -{% endif %} -{% if group.mac_group is defined %} -{% for group_name, group_conf in group.mac_group.items() %} -define M_{{ group_name }} = { {{ group_conf.mac_address | join(",") }} } -{% endfor %} -{% endif %} -{% if group.network_group is defined %} -{% for group_name, group_conf in group.network_group.items() %} -define N_{{ group_name }} = { {{ group_conf.network | join(",") }} } -{% endfor %} -{% endif %} -{% if group.ipv6_network_group is defined %} -{% for group_name, group_conf in group.ipv6_network_group.items() %} -define N6_{{ group_name }} = { {{ group_conf.network | join(",") }} } -{% endfor %} -{% endif %} -{% if group.port_group is defined %} -{% for group_name, group_conf in group.port_group.items() %} -define P_{{ group_name }} = { {{ group_conf.port | join(",") }} } -{% endfor %} -{% endif %} -{% endif %}
\ No newline at end of file diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2 new file mode 100644 index 000000000..1481e9104 --- /dev/null +++ b/data/templates/firewall/nftables-nat.j2 @@ -0,0 +1,182 @@ +#!/usr/sbin/nft -f + +{% macro nat_rule(rule, config, chain) %} +{% set comment = '' %} +{% set base_log = '' %} +{% set src_addr = 'ip saddr ' ~ config.source.address.replace('!','!= ') if config.source.address is vyos_defined %} +{% set dst_addr = 'ip daddr ' ~ config.destination.address.replace('!','!= ') if config.destination.address is vyos_defined %} +{# negated port groups need special treatment, move != in front of { } group #} +{% if config.source.port is vyos_defined and config.source.port.startswith('!') %} +{% set src_port = 'sport != { ' ~ config.source.port.replace('!','') ~ ' }' %} +{% else %} +{% set src_port = 'sport { ' ~ config.source.port ~ ' }' if config.source.port is vyos_defined %} +{% endif %} +{# negated port groups need special treatment, move != in front of { } group #} +{% if config.destination.port is vyos_defined and config.destination.port.startswith('!') %} +{% set dst_port = 'dport != { ' ~ config.destination.port.replace('!','') ~ ' }' %} +{% else %} +{% set dst_port = 'dport { ' ~ config.destination.port ~ ' }' if config.destination.port is vyos_defined %} +{% endif %} +{% if chain is vyos_defined('PREROUTING') %} +{% set comment = 'DST-NAT-' ~ rule %} +{% set base_log = '[NAT-DST-' ~ rule %} +{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} +{% if config.translation.address is vyos_defined %} +{# support 1:1 network translation #} +{% if config.translation.address | is_ip_network %} +{% set trns_addr = 'dnat ip prefix to ip daddr map { ' ~ config.destination.address ~ ' : ' ~ config.translation.address ~ ' }' %} +{# we can now clear out the dst_addr part as it's already covered in aboves map #} +{% set dst_addr = '' %} +{% else %} +{% set trns_addr = 'dnat to ' ~ config.translation.address %} +{% endif %} +{% endif %} +{% elif chain is vyos_defined('POSTROUTING') %} +{% set comment = 'SRC-NAT-' ~ rule %} +{% set base_log = '[NAT-SRC-' ~ rule %} +{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined and config.outbound_interface is not vyos_defined('any') else '' %} +{% if config.translation.address is vyos_defined %} +{% if config.translation.address is vyos_defined('masquerade') %} +{% set trns_addr = config.translation.address %} +{% if config.translation.port is vyos_defined %} +{% set trns_addr = trns_addr ~ ' to ' %} +{% endif %} +{# support 1:1 network translation #} +{% elif config.translation.address | is_ip_network %} +{% set trns_addr = 'snat ip prefix to ip saddr map { ' ~ config.source.address ~ ' : ' ~ config.translation.address ~ ' }' %} +{# we can now clear out the src_addr part as it's already covered in aboves map #} +{% set src_addr = '' %} +{% else %} +{% set trns_addr = 'snat to ' ~ config.translation.address %} +{% endif %} +{% endif %} +{% endif %} +{% set trns_port = ':' ~ config.translation.port if config.translation.port is vyos_defined %} +{# protocol has a default value thus it is always present #} +{% if config.protocol is vyos_defined('tcp_udp') %} +{% set protocol = 'tcp' %} +{% set comment = comment ~ ' tcp_udp' %} +{% else %} +{% set protocol = config.protocol %} +{% endif %} +{% if config.log is vyos_defined %} +{% if config.exclude is vyos_defined %} +{% set log = base_log ~ '-EXCL]' %} +{% elif config.translation.address is vyos_defined('masquerade') %} +{% set log = base_log ~ '-MASQ]' %} +{% else %} +{% set log = base_log ~ ']' %} +{% endif %} +{% endif %} +{% if config.exclude is vyos_defined %} +{# rule has been marked as 'exclude' thus we simply return here #} +{% set trns_addr = 'return' %} +{% set trns_port = '' %} +{% endif %} +{# T1083: NAT address and port translation options #} +{% if config.translation.options is vyos_defined %} +{% if config.translation.options.address_mapping is vyos_defined('persistent') %} +{% set trns_opts_addr = 'persistent' %} +{% endif %} +{% if config.translation.options.port_mapping is vyos_defined('random') %} +{% set trns_opts_port = 'random' %} +{% elif config.translation.options.port_mapping is vyos_defined('fully-random') %} +{% set trns_opts_port = 'fully-random' %} +{% endif %} +{% endif %} +{% if trns_opts_addr is vyos_defined and trns_opts_port is vyos_defined %} +{% set trns_opts = trns_opts_addr ~ ',' ~ trns_opts_port %} +{% elif trns_opts_addr is vyos_defined %} +{% set trns_opts = trns_opts_addr %} +{% elif trns_opts_port is vyos_defined %} +{% set trns_opts = trns_opts_port %} +{% endif %} +{% set output = 'add rule ip nat ' ~ chain ~ interface %} +{% if protocol is not vyos_defined('all') %} +{% set output = output ~ ' ip protocol ' ~ protocol %} +{% endif %} +{% if src_addr is vyos_defined %} +{% set output = output ~ ' ' ~ src_addr %} +{% endif %} +{% if src_port is vyos_defined %} +{% set output = output ~ ' ' ~ protocol ~ ' ' ~ src_port %} +{% endif %} +{% if dst_addr is vyos_defined %} +{% set output = output ~ ' ' ~ dst_addr %} +{% endif %} +{% if dst_port is vyos_defined %} +{% set output = output ~ ' ' ~ protocol ~ ' ' ~ dst_port %} +{% endif %} +{# Count packets #} +{% set output = output ~ ' counter' %} +{# Special handling of log option, we must repeat the entire rule before the #} +{# NAT translation options are added, this is essential #} +{% if log is vyos_defined %} +{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} +{% endif %} +{% if trns_addr is vyos_defined %} +{% set output = output ~ ' ' ~ trns_addr %} +{% endif %} +{% if trns_port is vyos_defined %} +{# Do not add a whitespace here, translation port must be directly added after IP address #} +{# e.g. 192.0.2.10:3389 #} +{% set output = output ~ trns_port %} +{% endif %} +{% if trns_opts is vyos_defined %} +{% set output = output ~ ' ' ~ trns_opts %} +{% endif %} +{% if comment is vyos_defined %} +{% set output = output ~ ' comment "' ~ comment ~ '"' %} +{% endif %} +{{ log_output if log_output is vyos_defined }} +{{ output }} +{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} +{% if config.protocol is vyos_defined('tcp_udp') %} +{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} +{{ log_output | replace('tcp ', 'udp ') if log_output is vyos_defined }} +{{ output | replace('tcp ', 'udp ') }} +{% endif %} +{% endmacro %} + +# Start with clean SNAT and DNAT chains +flush chain ip nat PREROUTING +flush chain ip nat POSTROUTING +{% if helper_functions is vyos_defined('remove') %} +{# NAT if going to be disabled - remove rules and targets from nftables #} +{% set base_command = 'delete rule ip raw' %} +{{ base_command }} PREROUTING handle {{ pre_ct_ignore }} +{{ base_command }} OUTPUT handle {{ out_ct_ignore }} +{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} +{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} + +delete chain ip raw NAT_CONNTRACK + +{% elif helper_functions is vyos_defined('add') %} +{# NAT if enabled - add targets to nftables #} +add chain ip raw NAT_CONNTRACK +add rule ip raw NAT_CONNTRACK counter accept +{% set base_command = 'add rule ip raw' %} +{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER +{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER +{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK +{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK +{% endif %} + +# +# Destination NAT rules build up here +# +add rule ip nat PREROUTING counter jump VYOS_PRE_DNAT_HOOK +{% if destination.rule is vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} +{{ nat_rule(rule, config, 'PREROUTING') }} +{% endfor %} +{% endif %} +# +# Source NAT rules build up here +# +add rule ip nat POSTROUTING counter jump VYOS_PRE_SNAT_HOOK +{% if source.rule is vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} +{{ nat_rule(rule, config, 'POSTROUTING') }} +{% endfor %} +{% endif %} diff --git a/data/templates/firewall/nftables-nat.tmpl b/data/templates/firewall/nftables-nat.tmpl deleted file mode 100644 index 9ea880697..000000000 --- a/data/templates/firewall/nftables-nat.tmpl +++ /dev/null @@ -1,181 +0,0 @@ -#!/usr/sbin/nft -f - -{% macro nat_rule(rule, config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set src_addr = 'ip saddr ' + config.source.address.replace('!','!= ') if config.source is defined and config.source.address is defined and config.source.address is not none %} -{% set dst_addr = 'ip daddr ' + config.destination.address.replace('!','!= ') if config.destination is defined and config.destination.address is defined and config.destination.address is not none %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.source is defined and config.source.port is defined and config.source.port is not none and config.source.port.startswith('!=') %} -{% set src_port = 'sport != { ' + config.source.port.replace('!=','') + ' }' %} -{% else %} -{% set src_port = 'sport { ' + config.source.port + ' }' if config.source is defined and config.source.port is defined and config.source.port is not none %} -{% endif %} -{# negated port groups need special treatment, move != in front of { } group #} -{% if config.destination is defined and config.destination.port is defined and config.destination.port is not none and config.destination.port.startswith('!=') %} -{% set dst_port = 'dport != { ' + config.destination.port.replace('!=','') + ' }' %} -{% else %} -{% set dst_port = 'dport { ' + config.destination.port + ' }' if config.destination is defined and config.destination.port is defined and config.destination.port is not none %} -{% endif %} -{% if chain == 'PREROUTING' %} -{% set comment = 'DST-NAT-' + rule %} -{% set base_log = '[NAT-DST-' + rule %} -{% set interface = ' iifname "' + config.inbound_interface + '"' if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %} -{% if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} -{# support 1:1 network translation #} -{% if config.translation.address | is_ip_network %} -{% set trns_addr = 'dnat ip prefix to ip daddr map { ' + config.destination.address + ' : ' + config.translation.address + ' }' %} -{# we can now clear out the dst_addr part as it's already covered in aboves map #} -{% set dst_addr = '' %} -{% else %} -{% set trns_addr = 'dnat to ' + config.translation.address %} -{% endif %} -{% endif %} -{% elif chain == 'POSTROUTING' %} -{% set comment = 'SRC-NAT-' + rule %} -{% set base_log = '[NAT-SRC-' + rule %} -{% set interface = ' oifname "' + config.outbound_interface + '"' if config.outbound_interface is defined and config.outbound_interface != 'any' else '' %} -{% if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} -{% if config.translation.address == 'masquerade' %} -{% set trns_addr = config.translation.address %} -{% if config.translation.port is defined and config.translation.port is not none %} -{% set trns_addr = trns_addr + ' to ' %} -{% endif %} -{# support 1:1 network translation #} -{% elif config.translation.address | is_ip_network %} -{% set trns_addr = 'snat ip prefix to ip saddr map { ' + config.source.address + ' : ' + config.translation.address + ' }' %} -{# we can now clear out the src_addr part as it's already covered in aboves map #} -{% set src_addr = '' %} -{% else %} -{% set trns_addr = 'snat to ' + config.translation.address %} -{% endif %} -{% endif %} -{% endif %} -{% set trns_port = ':' + config.translation.port if config.translation is defined and config.translation.port is defined and config.translation.port is not none %} -{# protocol has a default value thus it is always present #} -{% if config.protocol == 'tcp_udp' %} -{% set protocol = 'tcp' %} -{% set comment = comment + ' tcp_udp' %} -{% else %} -{% set protocol = config.protocol %} -{% endif %} -{% if config.log is defined %} -{% if config.exclude is defined %} -{% set log = base_log + '-EXCL]' %} -{% elif config.translation is defined and config.translation.address is defined and config.translation.address == 'masquerade' %} -{% set log = base_log +'-MASQ]' %} -{% else %} -{% set log = base_log + ']' %} -{% endif %} -{% endif %} -{% if config.exclude is defined %} -{# rule has been marked as 'exclude' thus we simply return here #} -{% set trns_addr = 'return' %} -{% set trns_port = '' %} -{% endif %} -{# T1083: NAT address and port translation options #} -{% if config.translation is defined and config.translation.options is defined and config.translation.options is not none %} -{% if config.translation.options.address_mapping is defined and config.translation.options.address_mapping == "persistent" %} -{% set trns_opts_addr = 'persistent' %} -{% endif %} -{% if config.translation.options.port_mapping is defined %} -{% if config.translation.options.port_mapping == "random" %} -{% set trns_opts_port = 'random' %} -{% elif config.translation.options.port_mapping == "fully-random" %} -{% set trns_opts_port = 'fully-random' %} -{% endif %} -{% endif %} -{% endif %} -{% if trns_opts_addr and trns_opts_port %} -{% set trns_opts = trns_opts_addr + ',' + trns_opts_port %} -{% elif trns_opts_addr %} -{% set trns_opts = trns_opts_addr %} -{% elif trns_opts_port %} -{% set trns_opts = trns_opts_port %} -{% endif %} -{% set output = 'add rule ip nat ' + chain + interface %} -{% if protocol != 'all' %} -{% set output = output + ' ip protocol ' + protocol %} -{% endif %} -{% if src_addr %} -{% set output = output + ' ' + src_addr %} -{% endif %} -{% if src_port %} -{% set output = output + ' ' + protocol + ' ' + src_port %} -{% endif %} -{% if dst_addr %} -{% set output = output + ' ' + dst_addr %} -{% endif %} -{% if dst_port %} -{% set output = output + ' ' + protocol + ' ' + dst_port %} -{% endif %} -{# Count packets #} -{% set output = output + ' counter' %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log %} -{% set log_output = output + ' log prefix "' + log + '" comment "' + comment + '"' %} -{% endif %} -{% if trns_addr %} -{% set output = output + ' ' + trns_addr %} -{% endif %} -{% if trns_port %} -{# Do not add a whitespace here, translation port must be directly added after IP address #} -{# e.g. 192.0.2.10:3389 #} -{% set output = output + trns_port %} -{% endif %} -{% if trns_opts %} -{% set output = output + ' ' + trns_opts %} -{% endif %} -{% if comment %} -{% set output = output + ' comment "' + comment + '"' %} -{% endif %} -{{ log_output if log_output }} -{{ output }} -{# Special handling if protocol is tcp_udp, we must repeat the entire rule with udp as protocol #} -{% if config.protocol == 'tcp_udp' %} -{# Beware of trailing whitespace, without it the comment tcp_udp will be changed to udp_udp #} -{{ log_output | replace('tcp ', 'udp ') if log_output }} -{{ output | replace('tcp ', 'udp ') }} -{% endif %} -{% endmacro %} - -# Start with clean NAT table -flush table ip nat -{% if helper_functions == 'remove' %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = 'delete rule ip raw' %} -{{ base_command }} PREROUTING handle {{ pre_ct_ignore }} -{{ base_command }} OUTPUT handle {{ out_ct_ignore }} -{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} -{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip raw NAT_CONNTRACK - -{% elif helper_functions == 'add' %} -{# NAT if enabled - add targets to nftables #} -add chain ip raw NAT_CONNTRACK -add rule ip raw NAT_CONNTRACK counter accept -{% set base_command = 'add rule ip raw' %} -{{ base_command }} PREROUTING position {{ pre_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} OUTPUT position {{ out_ct_ignore }} counter jump VYOS_CT_HELPER -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - -# -# Destination NAT rules build up here -# -{% if destination is defined and destination.rule is defined and destination.rule is not none %} -{% for rule, config in destination.rule.items() if config.disable is not defined %} -{{ nat_rule(rule, config, 'PREROUTING') }} -{% endfor %} -{% endif %} -# -# Source NAT rules build up here -# -{% if source is defined and source.rule is defined and source.rule is not none %} -{% for rule, config in source.rule.items() if config.disable is not defined %} -{{ nat_rule(rule, config, 'POSTROUTING') }} -{% endfor %} -{% endif %} diff --git a/data/templates/firewall/nftables-nat66.j2 b/data/templates/firewall/nftables-nat66.j2 new file mode 100644 index 000000000..003b138b2 --- /dev/null +++ b/data/templates/firewall/nftables-nat66.j2 @@ -0,0 +1,102 @@ +#!/usr/sbin/nft -f + +{% macro nptv6_rule(rule,config, chain) %} +{% set comment = '' %} +{% set base_log = '' %} +{% set src_prefix = 'ip6 saddr ' ~ config.source.prefix if config.source.prefix is vyos_defined %} +{% set dest_address = 'ip6 daddr ' ~ config.destination.address if config.destination.address is vyos_defined %} +{% if chain is vyos_defined('PREROUTING') %} +{% set comment = 'DST-NAT66-' ~ rule %} +{% set base_log = '[NAT66-DST-' ~ rule %} +{% set interface = ' iifname "' ~ config.inbound_interface ~ '"' if config.inbound_interface is vyos_defined and config.inbound_interface is not vyos_defined('any') else '' %} +{% if config.translation.address | is_ip_network %} +{# support 1:1 network translation #} +{% set dnat_type = 'dnat prefix to ' %} +{% else %} +{% set dnat_type = 'dnat to ' %} +{% endif %} +{% set trns_address = dnat_type ~ config.translation.address if config.translation.address is vyos_defined %} +{% elif chain is vyos_defined('POSTROUTING') %} +{% set comment = 'SRC-NAT66-' ~ rule %} +{% set base_log = '[NAT66-SRC-' ~ rule %} +{% if config.translation.address is vyos_defined %} +{% if config.translation.address is vyos_defined('masquerade') %} +{% set trns_address = config.translation.address %} +{% else %} +{% if config.translation.address | is_ip_network %} +{# support 1:1 network translation #} +{% set snat_type = 'snat prefix to ' %} +{% else %} +{% set snat_type = 'snat to ' %} +{% endif %} +{% set trns_address = snat_type ~ config.translation.address %} +{% endif %} +{% endif %} +{% set interface = ' oifname "' ~ config.outbound_interface ~ '"' if config.outbound_interface is vyos_defined else '' %} +{% endif %} +{% if config.log is vyos_defined %} +{% if config.translation.address is vyos_defined('masquerade') %} +{% set log = base_log ~ '-MASQ]' %} +{% else %} +{% set log = base_log ~ ']' %} +{% endif %} +{% endif %} +{% set output = 'add rule ip6 nat ' ~ chain ~ interface %} +{# Count packets #} +{% set output = output ~ ' counter' %} +{# Special handling of log option, we must repeat the entire rule before the #} +{# NAT translation options are added, this is essential #} +{% if log is vyos_defined %} +{% set log_output = output ~ ' log prefix "' ~ log ~ '" comment "' ~ comment ~ '"' %} +{% endif %} +{% if src_prefix is vyos_defined %} +{% set output = output ~ ' ' ~ src_prefix %} +{% endif %} +{% if dest_address is vyos_defined %} +{% set output = output ~ ' ' ~ dest_address %} +{% endif %} +{% if trns_address is vyos_defined %} +{% set output = output ~ ' ' ~ trns_address %} +{% endif %} +{% if comment is vyos_defined %} +{% set output = output ~ ' comment "' ~ comment ~ '"' %} +{% endif %} +{{ log_output if log_output is vyos_defined }} +{{ output }} +{% endmacro %} + +# Start with clean NAT table +flush table ip6 nat +{% if helper_functions is vyos_defined('remove') %} +{# NAT if going to be disabled - remove rules and targets from nftables #} +{% set base_command = 'delete rule ip6 raw' %} +{{ base_command }} PREROUTING handle {{ pre_ct_conntrack }} +{{ base_command }} OUTPUT handle {{ out_ct_conntrack }} + +delete chain ip6 raw NAT_CONNTRACK + +{% elif helper_functions is vyos_defined('add') %} +{# NAT if enabled - add targets to nftables #} +add chain ip6 raw NAT_CONNTRACK +add rule ip6 raw NAT_CONNTRACK counter accept +{% set base_command = 'add rule ip6 raw' %} +{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK +{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK +{% endif %} + +# +# Destination NAT66 rules build up here +# +{% if destination.rule is vyos_defined %} +{% for rule, config in destination.rule.items() if config.disable is not vyos_defined %} +{{ nptv6_rule(rule, config, 'PREROUTING') }} +{% endfor %} +{% endif %} +# +# Source NAT66 rules build up here +# +{% if source.rule is vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not vyos_defined %} +{{ nptv6_rule(rule, config, 'POSTROUTING') }} +{% endfor %} +{% endif %} diff --git a/data/templates/firewall/nftables-nat66.tmpl b/data/templates/firewall/nftables-nat66.tmpl deleted file mode 100644 index e5c1b1b8d..000000000 --- a/data/templates/firewall/nftables-nat66.tmpl +++ /dev/null @@ -1,102 +0,0 @@ -#!/usr/sbin/nft -f - -{% macro nptv6_rule(rule,config, chain) %} -{% set comment = '' %} -{% set base_log = '' %} -{% set src_prefix = "ip6 saddr " + config.source.prefix if config.source is defined and config.source.prefix is defined and config.source.prefix is not none %} -{% set dest_address = "ip6 daddr " + config.destination.address if config.destination is defined and config.destination.address is defined and config.destination.address is not none %} -{% if chain == "PREROUTING" %} -{% set comment = "DST-NAT66-" + rule %} -{% set base_log = '[NAT66-DST-' + rule %} -{% set interface = " iifname \"" + config.inbound_interface + "\"" if config.inbound_interface is defined and config.inbound_interface != 'any' else '' %} -{% if config.translation.address | is_ip_network %} -{# support 1:1 network translation #} -{% set dnat_type = "dnat prefix to " %} -{% else %} -{% set dnat_type = "dnat to " %} -{% endif %} -{% set trns_address = dnat_type + config.translation.address if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} -{% elif chain == "POSTROUTING" %} -{% set comment = 'SRC-NAT66-' + rule %} -{% set base_log = '[NAT66-SRC-' + rule %} -{% if config.translation is defined and config.translation.address is defined and config.translation.address is not none %} -{% if config.translation.address == 'masquerade' %} -{% set trns_address = config.translation.address %} -{% else %} -{% if config.translation.address | is_ip_network %} -{# support 1:1 network translation #} -{% set snat_type = "snat prefix to " %} -{% else %} -{% set snat_type = "snat to " %} -{% endif %} -{% set trns_address = snat_type + config.translation.address %} -{% endif %} -{% endif %} -{% set interface = " oifname \"" + config.outbound_interface + "\"" if config.outbound_interface is defined else '' %} -{% endif %} -{% if config.log is defined %} -{% if config.translation is defined and config.translation.address is defined and config.translation.address == 'masquerade' %} -{% set log = base_log +'-MASQ]' %} -{% else %} -{% set log = base_log + "]" %} -{% endif %} -{% endif %} -{% set output = "add rule ip6 nat " + chain + interface %} -{# Count packets #} -{% set output = output + " counter" %} -{# Special handling of log option, we must repeat the entire rule before the #} -{# NAT translation options are added, this is essential #} -{% if log %} -{% set log_output = output + " log prefix \"" + log + "\" comment \"" + comment + "\"" %} -{% endif %} -{% if src_prefix %} -{% set output = output + " " + src_prefix %} -{% endif %} -{% if dest_address %} -{% set output = output + " " + dest_address %} -{% endif %} -{% if trns_address %} -{% set output = output + " " + trns_address %} -{% endif %} -{% if comment %} -{% set output = output + " comment \"" + comment + "\"" %} -{% endif %} -{{ log_output if log_output }} -{{ output }} -{% endmacro %} - -# Start with clean NAT table -flush table ip6 nat -{% if helper_functions == 'remove' %} -{# NAT if going to be disabled - remove rules and targets from nftables #} -{% set base_command = "delete rule ip6 raw" %} -{{base_command}} PREROUTING handle {{ pre_ct_conntrack }} -{{base_command}} OUTPUT handle {{ out_ct_conntrack }} - -delete chain ip6 raw NAT_CONNTRACK - -{% elif helper_functions == 'add' %} -{# NAT if enabled - add targets to nftables #} -add chain ip6 raw NAT_CONNTRACK -add rule ip6 raw NAT_CONNTRACK counter accept -{% set base_command = "add rule ip6 raw" %} -{{ base_command }} PREROUTING position {{ pre_ct_conntrack }} counter jump NAT_CONNTRACK -{{ base_command }} OUTPUT position {{ out_ct_conntrack }} counter jump NAT_CONNTRACK -{% endif %} - -# -# Destination NAT66 rules build up here -# -{% if destination is defined and destination.rule is defined and destination.rule is not none %} -{% for rule, config in destination.rule.items() if config.disable is not defined %} -{{ nptv6_rule(rule, config, 'PREROUTING') }} -{% endfor %} -{% endif %} -# -# Source NAT66 rules build up here -# -{% if source is defined and source.rule is defined and source.rule is not none %} -{% for rule, config in source.rule.items() if config.disable is not defined %} -{{ nptv6_rule(rule, config, 'POSTROUTING') }} -{% endfor %} -{% endif %} diff --git a/data/templates/firewall/nftables-policy.tmpl b/data/templates/firewall/nftables-policy.j2 index 905ffcd09..0154c9f7e 100644 --- a/data/templates/firewall/nftables-policy.tmpl +++ b/data/templates/firewall/nftables-policy.j2 @@ -1,15 +1,15 @@ #!/usr/sbin/nft -f -{% if cleanup_commands is defined %} -{% for command in cleanup_commands %} +{% if cleanup_commands is vyos_defined %} +{% for command in cleanup_commands %} {{ command }} -{% endfor %} +{% endfor %} {% endif %} include "/run/nftables_defines.conf" table ip mangle { -{% if first_install is defined %} +{% if first_install is vyos_defined %} chain VYOS_PBR_PREROUTING { type filter hook prerouting priority -150; policy accept; } @@ -17,22 +17,22 @@ table ip mangle { type filter hook postrouting priority -150; policy accept; } {% endif %} -{% if route is defined and route is not none -%} -{% for route_text, conf in route.items() %} +{% if route is vyos_defined %} +{% for route_text, conf in route.items() %} chain VYOS_PBR_{{ route_text }} { -{% if conf.rule is defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip') }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(route_text) }} } -{% endfor %} -{%- endif %} +{% endfor %} +{% endif %} } table ip6 mangle { -{% if first_install is defined %} +{% if first_install is vyos_defined %} chain VYOS_PBR6_PREROUTING { type filter hook prerouting priority -150; policy accept; } @@ -40,16 +40,16 @@ table ip6 mangle { type filter hook postrouting priority -150; policy accept; } {% endif %} -{% if route6 is defined and route6 is not none %} -{% for route_text, conf in route6.items() %} +{% if route6 is vyos_defined %} +{% for route_text, conf in route6.items() %} chain VYOS_PBR6_{{ route_text }} { -{% if conf.rule is defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(route_text, rule_id, 'ip6') }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {{ conf | nft_default_rule(route_text) }} } -{% endfor %} +{% endfor %} {% endif %} } diff --git a/data/templates/firewall/nftables-vrf-zones.tmpl b/data/templates/firewall/nftables-vrf-zones.j2 index eecf47b78..eecf47b78 100644 --- a/data/templates/firewall/nftables-vrf-zones.tmpl +++ b/data/templates/firewall/nftables-vrf-zones.j2 diff --git a/data/templates/firewall/nftables.tmpl b/data/templates/firewall/nftables.j2 index 0cc977cf9..fac3fad03 100644 --- a/data/templates/firewall/nftables.tmpl +++ b/data/templates/firewall/nftables.j2 @@ -1,15 +1,15 @@ #!/usr/sbin/nft -f -{% if cleanup_commands is defined %} -{% for command in cleanup_commands %} +{% if cleanup_commands is vyos_defined %} +{% for command in cleanup_commands %} {{ command }} -{% endfor %} +{% endfor %} {% endif %} include "/run/nftables_defines.conf" table ip filter { -{% if first_install is defined %} +{% if first_install is vyos_defined %} chain VYOS_FW_FORWARD { type filter hook forward priority 0; policy accept; jump VYOS_POST_FW @@ -30,47 +30,47 @@ table ip filter { ip frag-off & 0x3fff != 0 meta mark set 0xffff1 return } {% endif %} -{% if name is defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in name.items() %} +{% if name is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% for name_text, conf in name.items() %} chain NAME_{{ name_text }} { -{% if conf.rule is defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id) }} -{% if rule_conf.recent is defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ns.sets %} +{% endfor %} +{% for set_name in ns.sets %} set RECENT_{{ set_name }} { type ipv4_addr size 65535 flags dynamic } -{% endfor %} +{% endfor %} {% endif %} -{% if state_policy is defined %} +{% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY { -{% if state_policy.established is defined %} +{% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established') }} -{% endif %} -{% if state_policy.invalid is defined %} +{% endif %} +{% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid') }} -{% endif %} -{% if state_policy.related is defined %} +{% endif %} +{% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related') }} -{% endif %} +{% endif %} return } {% endif %} } table ip6 filter { -{% if first_install is defined %} +{% if first_install is vyos_defined %} chain VYOS_FW6_FORWARD { type filter hook forward priority 0; policy accept; jump VYOS_POST_FW6 @@ -91,46 +91,46 @@ table ip6 filter { exthdr frag exists meta mark set 0xffff1 return } {% endif %} -{% if ipv6_name is defined %} -{% set ns = namespace(sets=[]) %} -{% for name_text, conf in ipv6_name.items() %} +{% if ipv6_name is vyos_defined %} +{% set ns = namespace(sets=[]) %} +{% for name_text, conf in ipv6_name.items() %} chain NAME6_{{ name_text }} { -{% if conf.rule is defined %} -{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not defined %} +{% if conf.rule is vyos_defined %} +{% for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %} {{ rule_conf | nft_rule(name_text, rule_id, 'ip6') }} -{% if rule_conf.recent is defined %} -{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% if rule_conf.recent is vyos_defined %} +{% set ns.sets = ns.sets + [name_text + '_' + rule_id] %} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} {{ conf | nft_default_rule(name_text) }} } -{% endfor %} -{% for set_name in ns.sets %} +{% endfor %} +{% for set_name in ns.sets %} set RECENT6_{{ set_name }} { type ipv6_addr size 65535 flags dynamic } -{% endfor %} +{% endfor %} {% endif %} -{% if state_policy is defined %} +{% if state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { -{% if state_policy.established is defined %} +{% if state_policy.established is vyos_defined %} {{ state_policy.established | nft_state_policy('established', ipv6=True) }} -{% endif %} -{% if state_policy.invalid is defined %} +{% endif %} +{% if state_policy.invalid is vyos_defined %} {{ state_policy.invalid | nft_state_policy('invalid', ipv6=True) }} -{% endif %} -{% if state_policy.related is defined %} +{% endif %} +{% if state_policy.related is vyos_defined %} {{ state_policy.related | nft_state_policy('related', ipv6=True) }} -{% endif %} +{% endif %} return } {% endif %} } -{% if first_install is defined %} +{% if first_install is vyos_defined %} table ip nat { chain PREROUTING { type nat hook prerouting priority -100; policy accept; diff --git a/data/templates/firewall/upnpd.conf.tmpl b/data/templates/firewall/upnpd.conf.j2 index 39cb21373..27573cbf9 100644 --- a/data/templates/firewall/upnpd.conf.tmpl +++ b/data/templates/firewall/upnpd.conf.j2 @@ -2,16 +2,16 @@ # WAN network interface ext_ifname={{ wan_interface }} -{% if wan_ip is defined %} +{% if wan_ip is vyos_defined %} # If the WAN interface has several IP addresses, you # can specify the one to use below -{% for addr in wan_ip %} +{% for addr in wan_ip %} ext_ip={{ addr }} -{% endfor %} +{% endfor %} {% endif %} # LAN network interfaces IPs / networks -{% if listen is defined %} +{% if listen is vyos_defined %} # There can be multiple listening IPs for SSDP traffic, in that case # use multiple 'listening_ip=...' lines, one for each network interface. # It can be IP address or network interface name (ie. "eth0") @@ -20,15 +20,15 @@ ext_ip={{ addr }} # When MULTIPLE_EXTERNAL_IP is enabled, the external IP # address associated with the subnet follows. For example: # listening_ip=192.168.0.1/24 88.22.44.13 -{% for addr in listen %} -{% if addr | is_ipv4 %} +{% for addr in listen %} +{% if addr | is_ipv4 %} listening_ip={{ addr }} -{% elif addr | is_ipv6 %} +{% elif addr | is_ipv6 %} ipv6_listening_ip={{ addr }} -{% else %} +{% else %} listening_ip={{ addr }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} # CAUTION: mixing up WAN and LAN interfaces may introduce security risks! @@ -45,7 +45,7 @@ listening_ip={{ addr }} # default is /var/run/minissdpd.sock #minissdpdsocket=/var/run/minissdpd.sock -{% if nat_pmp is defined %} +{% if nat_pmp is vyos_defined %} # Enable NAT-PMP support (default is no) enable_natpmp=yes {% endif %} @@ -53,23 +53,23 @@ enable_natpmp=yes # Enable UPNP support (default is yes) enable_upnp=yes -{% if pcp_lifetime is defined %} +{% if pcp_lifetime is vyos_defined %} # PCP # Configure the minimum and maximum lifetime of a port mapping in seconds # 120s and 86400s (24h) are suggested values from PCP-base -{% if pcp_lifetime.max is defined %} +{% if pcp_lifetime.max is vyos_defined %} max_lifetime={{ pcp_lifetime.max }} -{% endif %} -{% if pcp_lifetime.min is defined %} +{% endif %} +{% if pcp_lifetime.min is vyos_defined %} min_lifetime={{ pcp_lifetime.min }} -{% endif %} +{% endif %} {% endif %} # To enable the next few runtime options, see compile time # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h) -{% if friendly_name is defined %} +{% if friendly_name is vyos_defined %} # Name of this service, default is "`uname -s` router" friendly_name= {{ friendly_name }} {% endif %} @@ -89,7 +89,7 @@ model_description=Vyos open source enterprise router/firewall operating system # Model URL, default is URL of OS vendor model_url=https://vyos.io/ -{% if secure_mode is defined %} +{% if secure_mode is vyos_defined %} # Secure Mode, UPnP clients can only add mappings to their own IP secure_mode=yes {% else %} @@ -97,7 +97,7 @@ secure_mode=yes secure_mode=no {% endif %} -{% if presentation_url is defined %} +{% if presentation_url is vyos_defined %} # Default presentation URL is HTTP address on port 80 # If set to an empty string, no presentationURL element will appear # in the XML description of the device, which prevents MS Windows @@ -129,7 +129,7 @@ lease_file=/config/upnp.leases #serial=12345678 #model_number=1 -{% if rules is defined %} +{% if rules is vyos_defined %} # UPnP permission rules # (allow|deny) (external port range) IP/mask (internal port range) # A port range is <min port>-<max port> or <port> if there is only @@ -142,14 +142,14 @@ lease_file=/config/upnp.leases # modify the IP ranges to match their own internal networks, and # also consider implementing network-specific restrictions # CAUTION: failure to enforce any rules may permit insecure requests to be made! -{% for rule, config in rules.items() %} -{% if config.disable is defined %} -{{ config.action}} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} -{% endif %} -{% endfor %} +{% for rule, config in rules.items() %} +{% if config.disable is vyos_defined %} +{{ config.action }} {{ config.external_port_range }} {{ config.ip }} {{ config.internal_port_range }} +{% endif %} +{% endfor %} {% endif %} -{% if stun is defined %} +{% if stun is vyos_defined %} # WAN interface must have public IP address. Otherwise it is behind NAT # and port forwarding is impossible. In some cases WAN interface can be # behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and diff --git a/data/templates/frr/bfdd.frr.j2 b/data/templates/frr/bfdd.frr.j2 new file mode 100644 index 000000000..c4adeb402 --- /dev/null +++ b/data/templates/frr/bfdd.frr.j2 @@ -0,0 +1,58 @@ +{% if profile is vyos_defined or peer is vyos_defined %} +bfd +{% if profile is vyos_defined %} +{% for profile_name, profile_config in profile.items() %} + profile {{ profile_name }} + detect-multiplier {{ profile_config.interval.multiplier }} + receive-interval {{ profile_config.interval.receive }} + transmit-interval {{ profile_config.interval.transmit }} +{% if profile_config.interval.echo_interval is vyos_defined %} + echo transmit-interval {{ profile_config.interval.echo_interval }} + echo receive-interval {{ profile_config.interval.echo_interval }} +{% endif %} +{% if profile_config.echo_mode is vyos_defined %} + echo-mode +{% endif %} +{% if profile_config.passive is vyos_defined %} + passive-mode +{% endif %} +{% if profile_config.shutdown is vyos_defined %} + shutdown +{% else %} + no shutdown +{% endif %} + exit + ! +{% endfor %} +{% endif %} +{% if peer is vyos_defined %} +{% for peer_name, peer_config in peer.items() %} + peer {{ peer_name }} {{ 'multihop' if peer_config.multihop is vyos_defined }} {{ 'local-address ' ~ peer_config.source.address if peer_config.source.address is vyos_defined }} {{ 'interface ' ~ peer_config.source.interface if peer_config.source.interface is vyos_defined }} {{ 'vrf ' ~ peer_config.vrf if peer_config.vrf is vyos_defined }} + detect-multiplier {{ peer_config.interval.multiplier }} + receive-interval {{ peer_config.interval.receive }} + transmit-interval {{ peer_config.interval.transmit }} +{% if peer_config.interval.echo_interval is vyos_defined %} + echo transmit-interval {{ peer_config.interval.echo_interval }} + echo receive-interval {{ peer_config.interval.echo_interval }} +{% endif %} +{% if peer_config.echo_mode is vyos_defined %} + echo-mode +{% endif %} +{% if peer_config.passive is vyos_defined %} + passive-mode +{% endif %} +{% if peer_config.profile is vyos_defined %} + profile {{ peer_config.profile }} +{% endif %} +{% if peer_config.shutdown is vyos_defined %} + shutdown +{% else %} + no shutdown +{% endif %} + exit + ! +{% endfor %} +{% endif %} +exit +! +{% endif %} diff --git a/data/templates/frr/bfdd.frr.tmpl b/data/templates/frr/bfdd.frr.tmpl deleted file mode 100644 index ac55d4634..000000000 --- a/data/templates/frr/bfdd.frr.tmpl +++ /dev/null @@ -1,58 +0,0 @@ -{% if profile is vyos_defined or peer is vyos_defined %} -bfd -{% if profile is vyos_defined %} -{% for profile_name, profile_config in profile.items() %} - profile {{ profile_name }} - detect-multiplier {{ profile_config.interval.multiplier }} - receive-interval {{ profile_config.interval.receive }} - transmit-interval {{ profile_config.interval.transmit }} -{% if profile_config.interval.echo_interval is vyos_defined %} - echo transmit-interval {{ profile_config.interval.echo_interval }} - echo receive-interval {{ profile_config.interval.echo_interval }} -{% endif %} -{% if profile_config.echo_mode is vyos_defined %} - echo-mode -{% endif %} -{% if profile_config.passive is vyos_defined %} - passive-mode -{% endif %} -{% if profile_config.shutdown is vyos_defined %} - shutdown -{% else %} - no shutdown -{% endif %} - exit - ! -{% endfor %} -{% endif %} -{% if peer is vyos_defined %} -{% for peer_name, peer_config in peer.items() %} - peer {{ peer_name }}{{ ' multihop' if peer_config.multihop is vyos_defined }}{{ ' local-address ' + peer_config.source.address if peer_config.source.address is vyos_defined }}{{ ' interface ' + peer_config.source.interface if peer_config.source.interface is vyos_defined }} {{ ' vrf ' + peer_config.vrf if peer_config.vrf is vyos_defined }} - detect-multiplier {{ peer_config.interval.multiplier }} - receive-interval {{ peer_config.interval.receive }} - transmit-interval {{ peer_config.interval.transmit }} -{% if peer_config.interval.echo_interval is vyos_defined %} - echo transmit-interval {{ peer_config.interval.echo_interval }} - echo receive-interval {{ peer_config.interval.echo_interval }} -{% endif %} -{% if peer_config.echo_mode is vyos_defined %} - echo-mode -{% endif %} -{% if peer_config.passive is vyos_defined %} - passive-mode -{% endif %} -{% if peer_config.profile is vyos_defined %} - profile {{ peer_config.profile }} -{% endif %} -{% if peer_config.shutdown is vyos_defined %} - shutdown -{% else %} - no shutdown -{% endif %} - exit - ! -{% endfor %} -{% endif %} -exit -! -{% endif %} diff --git a/data/templates/frr/bgpd.frr.tmpl b/data/templates/frr/bgpd.frr.j2 index 8baa128a7..7029f39af 100644 --- a/data/templates/frr/bgpd.frr.tmpl +++ b/data/templates/frr/bgpd.frr.j2 @@ -1,21 +1,21 @@ {### MACRO definition for recurring peer patter, this can be either fed by a ###} {### peer-group or an individual BGP neighbor ###} {% macro bgp_neighbor(neighbor, config, peer_group=false) %} -{% if peer_group == true %} +{% if peer_group == true %} neighbor {{ neighbor }} peer-group -{% elif config.peer_group is vyos_defined %} +{% elif config.peer_group is vyos_defined %} neighbor {{ neighbor }} peer-group {{ config.peer_group }} -{% endif %} -{% if config.remote_as is vyos_defined %} +{% endif %} +{% if config.remote_as is vyos_defined %} neighbor {{ neighbor }} remote-as {{ config.remote_as }} -{% endif %} -{% if config.interface.remote_as is vyos_defined %} +{% endif %} +{% if config.interface.remote_as is vyos_defined %} neighbor {{ neighbor }} interface remote-as {{ config.interface.remote_as }} -{% endif %} -{% if config.advertisement_interval is vyos_defined %} +{% endif %} +{% if config.advertisement_interval is vyos_defined %} neighbor {{ neighbor }} advertisement-interval {{ config.advertisement_interval }} -{% endif %} -{% if config.bfd is vyos_defined %} +{% endif %} +{% if config.bfd is vyos_defined %} neighbor {{ neighbor }} bfd {% if config.bfd.check_control_plane_failure is vyos_defined %} neighbor {{ neighbor }} bfd check-control-plane-failure @@ -23,76 +23,74 @@ {% if config.bfd.profile is vyos_defined %} neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }} {% endif %} -{% endif %} -{% if config.capability is vyos_defined %} +{% endif %} +{% if config.capability is vyos_defined %} {% if config.capability.dynamic is vyos_defined %} neighbor {{ neighbor }} capability dynamic {% endif %} {% if config.capability.extended_nexthop is vyos_defined %} neighbor {{ neighbor }} capability extended-nexthop {% endif %} -{% endif %} -{% if config.description is vyos_defined %} +{% endif %} +{% if config.description is vyos_defined %} neighbor {{ neighbor }} description {{ config.description }} -{% endif %} -{% if config.disable_capability_negotiation is vyos_defined %} +{% endif %} +{% if config.disable_capability_negotiation is vyos_defined %} neighbor {{ neighbor }} dont-capability-negotiate -{% endif %} -{% if config.ebgp_multihop is vyos_defined %} +{% endif %} +{% if config.ebgp_multihop is vyos_defined %} neighbor {{ neighbor }} ebgp-multihop {{ config.ebgp_multihop }} -{% endif %} -{% if config.graceful_restart is vyos_defined %} +{% endif %} +{% if config.graceful_restart is vyos_defined %} {% if config.graceful_restart is vyos_defined('enable') %} -{% set graceful_restart = 'graceful-restart' %} +{% set graceful_restart = 'graceful-restart' %} {% elif config.graceful_restart is vyos_defined('disable') %} -{% set graceful_restart = 'graceful-restart-disable' %} +{% set graceful_restart = 'graceful-restart-disable' %} {% elif config.graceful_restart is vyos_defined('restart-helper') %} -{% set graceful_restart = 'graceful-restart-helper' %} +{% set graceful_restart = 'graceful-restart-helper' %} {% endif %} neighbor {{ neighbor }} {{ graceful_restart }} -{% endif %} -{% if config.local_as is vyos_defined %} +{% endif %} +{% if config.local_as is vyos_defined %} {% for local_as, local_as_config in config.local_as.items() %} {# There can be only one local-as value, this is checked in the Python code #} neighbor {{ neighbor }} local-as {{ local_as }} {{ 'no-prepend' if local_as_config.no_prepend is vyos_defined }} {{ 'replace-as' if local_as_config.no_prepend is vyos_defined and local_as_config.no_prepend.replace_as is vyos_defined }} {% endfor %} -{% endif %} -{% if config.override_capability is vyos_defined %} +{% endif %} +{% if config.override_capability is vyos_defined %} neighbor {{ neighbor }} override-capability -{% endif %} -{% if config.passive is vyos_defined %} +{% endif %} +{% if config.passive is vyos_defined %} neighbor {{ neighbor }} passive -{% endif %} -{% if config.password is vyos_defined %} +{% endif %} +{% if config.password is vyos_defined %} neighbor {{ neighbor }} password {{ config.password }} -{% endif %} -{% if config.port is vyos_defined %} +{% endif %} +{% if config.port is vyos_defined %} neighbor {{ neighbor }} port {{ config.port }} -{% endif %} -{% if config.shutdown is vyos_defined %} +{% endif %} +{% if config.shutdown is vyos_defined %} neighbor {{ neighbor }} shutdown -{% endif %} -{% if config.solo is vyos_defined %} +{% endif %} +{% if config.solo is vyos_defined %} neighbor {{ neighbor }} solo -{% endif %} -{% if config.strict_capability_match is vyos_defined %} +{% endif %} +{% if config.strict_capability_match is vyos_defined %} neighbor {{ neighbor }} strict-capability-match -{% endif %} -{% if config.ttl_security.hops is vyos_defined %} +{% endif %} +{% if config.ttl_security.hops is vyos_defined %} neighbor {{ neighbor }} ttl-security hops {{ config.ttl_security.hops }} -{% endif %} -{% if config.timers is vyos_defined %} -{% if config.timers.connect is vyos_defined %} +{% endif %} +{% if config.timers.connect is vyos_defined %} neighbor {{ neighbor }} timers connect {{ config.timers.connect }} -{% endif %} -{% if config.timers.keepalive is vyos_defined and config.timers.holdtime is vyos_defined %} +{% endif %} +{% if config.timers.keepalive is vyos_defined and config.timers.holdtime is vyos_defined %} neighbor {{ neighbor }} timers {{ config.timers.keepalive }} {{ config.timers.holdtime }} -{% endif %} -{% endif %} -{% if config.update_source is vyos_defined %} +{% endif %} +{% if config.update_source is vyos_defined %} neighbor {{ neighbor }} update-source {{ config.update_source }} -{% endif %} -{% if config.interface is vyos_defined %} +{% endif %} +{% if config.interface is vyos_defined %} {% if config.interface.peer_group is vyos_defined %} neighbor {{ neighbor }} interface peer-group {{ config.interface.peer_group }} {% endif %} @@ -100,137 +98,137 @@ neighbor {{ neighbor }} interface {{ config.interface.source_interface }} {% endif %} {% if config.interface.v6only is vyos_defined %} -{% if config.interface.v6only.peer_group is vyos_defined %} +{% if config.interface.v6only.peer_group is vyos_defined %} neighbor {{ neighbor }} interface v6only peer-group {{ config.interface.v6only.peer_group }} -{% endif %} -{% if config.interface.v6only.remote_as is vyos_defined %} +{% endif %} +{% if config.interface.v6only.remote_as is vyos_defined %} neighbor {{ neighbor }} interface v6only remote-as {{ config.interface.v6only.remote_as }} -{% endif %} +{% endif %} {% endif %} -{% endif %} +{% endif %} ! -{% if config.address_family is vyos_defined %} +{% if config.address_family is vyos_defined %} {% for afi, afi_config in config.address_family.items() %} -{% if afi == 'ipv4_unicast' %} +{% if afi == 'ipv4_unicast' %} address-family ipv4 unicast -{% elif afi == 'ipv4_multicast' %} +{% elif afi == 'ipv4_multicast' %} address-family ipv4 multicast -{% elif afi == 'ipv4_labeled_unicast' %} +{% elif afi == 'ipv4_labeled_unicast' %} address-family ipv4 labeled-unicast -{% elif afi == 'ipv4_vpn' %} +{% elif afi == 'ipv4_vpn' %} address-family ipv4 vpn -{% elif afi == 'ipv4_flowspec' %} +{% elif afi == 'ipv4_flowspec' %} address-family ipv4 flowspec -{% elif afi == 'ipv6_unicast' %} +{% elif afi == 'ipv6_unicast' %} address-family ipv6 unicast -{% elif afi == 'ipv6_multicast' %} +{% elif afi == 'ipv6_multicast' %} address-family ipv6 multicast -{% elif afi == 'ipv6_labeled_unicast' %} +{% elif afi == 'ipv6_labeled_unicast' %} address-family ipv6 labeled-unicast -{% elif afi == 'ipv6_vpn' %} +{% elif afi == 'ipv6_vpn' %} address-family ipv6 vpn -{% elif afi == 'ipv6_flowspec' %} +{% elif afi == 'ipv6_flowspec' %} address-family ipv6 flowspec -{% elif afi == 'l2vpn_evpn' %} +{% elif afi == 'l2vpn_evpn' %} address-family l2vpn evpn -{% endif %} -{% if afi_config.addpath_tx_all is vyos_defined %} +{% endif %} +{% if afi_config.addpath_tx_all is vyos_defined %} neighbor {{ neighbor }} addpath-tx-all-paths -{% endif %} -{% if afi_config.addpath_tx_per_as is vyos_defined %} +{% endif %} +{% if afi_config.addpath_tx_per_as is vyos_defined %} neighbor {{ neighbor }} addpath-tx-bestpath-per-AS -{% endif %} -{% if afi_config.allowas_in is vyos_defined %} +{% endif %} +{% if afi_config.allowas_in is vyos_defined %} neighbor {{ neighbor }} allowas-in {{ afi_config.allowas_in.number if afi_config.allowas_in.number is vyos_defined }} -{% endif %} -{% if afi_config.as_override is vyos_defined %} +{% endif %} +{% if afi_config.as_override is vyos_defined %} neighbor {{ neighbor }} as-override -{% endif %} -{% if afi_config.conditionally_advertise is vyos_defined %} -{% if afi_config.conditionally_advertise.advertise_map is vyos_defined %} -{% set exist_non_exist_map = 'exist-map' %} -{% if afi_config.conditionally_advertise.exist_map is vyos_defined %} -{% set exist_non_exist_map = 'exist-map ' ~ afi_config.conditionally_advertise.exist_map %} -{% elif afi_config.conditionally_advertise.non_exist_map is vyos_defined %} -{% set exist_non_exist_map = 'non-exist-map ' ~ afi_config.conditionally_advertise.non_exist_map %} -{% endif %} +{% endif %} +{% if afi_config.conditionally_advertise is vyos_defined %} +{% if afi_config.conditionally_advertise.advertise_map is vyos_defined %} +{% set exist_non_exist_map = 'exist-map' %} +{% if afi_config.conditionally_advertise.exist_map is vyos_defined %} +{% set exist_non_exist_map = 'exist-map ' ~ afi_config.conditionally_advertise.exist_map %} +{% elif afi_config.conditionally_advertise.non_exist_map is vyos_defined %} +{% set exist_non_exist_map = 'non-exist-map ' ~ afi_config.conditionally_advertise.non_exist_map %} +{% endif %} neighbor {{ neighbor }} advertise-map {{ afi_config.conditionally_advertise.advertise_map }} {{ exist_non_exist_map }} +{% endif %} {% endif %} -{% endif %} -{% if afi_config.remove_private_as is vyos_defined %} +{% if afi_config.remove_private_as is vyos_defined %} neighbor {{ neighbor }} remove-private-AS -{% endif %} -{% if afi_config.route_reflector_client is vyos_defined %} +{% endif %} +{% if afi_config.route_reflector_client is vyos_defined %} neighbor {{ neighbor }} route-reflector-client -{% endif %} -{% if afi_config.weight is vyos_defined %} +{% endif %} +{% if afi_config.weight is vyos_defined %} neighbor {{ neighbor }} weight {{ afi_config.weight }} -{% endif %} -{% if afi_config.attribute_unchanged is vyos_defined %} +{% endif %} +{% if afi_config.attribute_unchanged is vyos_defined %} neighbor {{ neighbor }} attribute-unchanged {{ 'as-path ' if afi_config.attribute_unchanged.as_path is vyos_defined }}{{ 'med ' if afi_config.attribute_unchanged.med is vyos_defined }}{{ 'next-hop ' if afi_config.attribute_unchanged.next_hop is vyos_defined }} -{% endif %} -{% if afi_config.capability.orf.prefix_list.send is vyos_defined %} +{% endif %} +{% if afi_config.capability.orf.prefix_list.send is vyos_defined %} neighbor {{ neighbor }} capability orf prefix-list send -{% endif %} -{% if afi_config.capability.orf.prefix_list.receive is vyos_defined %} +{% endif %} +{% if afi_config.capability.orf.prefix_list.receive is vyos_defined %} neighbor {{ neighbor }} capability orf prefix-list receive -{% endif %} -{% if afi_config.default_originate is vyos_defined %} +{% endif %} +{% if afi_config.default_originate is vyos_defined %} neighbor {{ neighbor }} default-originate {{ 'route-map ' ~ afi_config.default_originate.route_map if afi_config.default_originate.route_map is vyos_defined }} -{% endif %} -{% if afi_config.distribute_list.export is vyos_defined %} +{% endif %} +{% if afi_config.distribute_list.export is vyos_defined %} neighbor {{ neighbor }} distribute-list {{ afi_config.distribute_list.export }} out -{% endif %} -{% if afi_config.distribute_list.import is vyos_defined %} +{% endif %} +{% if afi_config.distribute_list.import is vyos_defined %} neighbor {{ neighbor }} distribute-list {{ afi_config.distribute_list.import }} in -{% endif %} -{% if afi_config.filter_list.export is vyos_defined %} +{% endif %} +{% if afi_config.filter_list.export is vyos_defined %} neighbor {{ neighbor }} filter-list {{ afi_config.filter_list.export }} out -{% endif %} -{% if afi_config.filter_list.import is vyos_defined %} +{% endif %} +{% if afi_config.filter_list.import is vyos_defined %} neighbor {{ neighbor }} filter-list {{ afi_config.filter_list.import }} in -{% endif %} -{% if afi_config.maximum_prefix is vyos_defined %} +{% endif %} +{% if afi_config.maximum_prefix is vyos_defined %} neighbor {{ neighbor }} maximum-prefix {{ afi_config.maximum_prefix }} -{% endif %} -{% if afi_config.maximum_prefix_out is vyos_defined %} +{% endif %} +{% if afi_config.maximum_prefix_out is vyos_defined %} neighbor {{ neighbor }} maximum-prefix-out {{ afi_config.maximum_prefix_out }} -{% endif %} -{% if afi_config.nexthop_self is vyos_defined %} +{% endif %} +{% if afi_config.nexthop_self is vyos_defined %} neighbor {{ neighbor }} next-hop-self {{ 'force' if afi_config.nexthop_self.force is vyos_defined }} -{% endif %} -{% if afi_config.route_server_client is vyos_defined %} +{% endif %} +{% if afi_config.route_server_client is vyos_defined %} neighbor {{ neighbor }} route-server-client -{% endif %} -{% if afi_config.route_map.export is vyos_defined %} +{% endif %} +{% if afi_config.route_map.export is vyos_defined %} neighbor {{ neighbor }} route-map {{ afi_config.route_map.export }} out -{% endif %} -{% if afi_config.route_map.import is vyos_defined %} +{% endif %} +{% if afi_config.route_map.import is vyos_defined %} neighbor {{ neighbor }} route-map {{ afi_config.route_map.import }} in -{% endif %} -{% if afi_config.prefix_list.export is vyos_defined %} +{% endif %} +{% if afi_config.prefix_list.export is vyos_defined %} neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.export }} out -{% endif %} -{% if afi_config.prefix_list.import is vyos_defined %} +{% endif %} +{% if afi_config.prefix_list.import is vyos_defined %} neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.import }} in -{% endif %} -{% if afi_config.soft_reconfiguration.inbound is vyos_defined %} +{% endif %} +{% if afi_config.soft_reconfiguration.inbound is vyos_defined %} neighbor {{ neighbor }} soft-reconfiguration inbound -{% endif %} -{% if afi_config.unsuppress_map is vyos_defined %} +{% endif %} +{% if afi_config.unsuppress_map is vyos_defined %} neighbor {{ neighbor }} unsuppress-map {{ afi_config.unsuppress_map }} -{% endif %} -{% if afi_config.disable_send_community.extended is vyos_defined %} +{% endif %} +{% if afi_config.disable_send_community.extended is vyos_defined %} no neighbor {{ neighbor }} send-community extended -{% endif %} -{% if afi_config.disable_send_community.standard is vyos_defined %} +{% endif %} +{% if afi_config.disable_send_community.standard is vyos_defined %} no neighbor {{ neighbor }} send-community standard -{% endif %} +{% endif %} neighbor {{ neighbor }} activate exit-address-family ! {% endfor %} -{% endif %} +{% endif %} {% endmacro %} ! router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} @@ -244,212 +242,212 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {# Workaround for T2100 until we have decided about a migration script #} no bgp network import-check {% if address_family is vyos_defined %} -{% for afi, afi_config in address_family.items() %} +{% for afi, afi_config in address_family.items() %} ! -{% if afi == 'ipv4_unicast' %} +{% if afi == 'ipv4_unicast' %} address-family ipv4 unicast -{% elif afi == 'ipv4_multicast' %} +{% elif afi == 'ipv4_multicast' %} address-family ipv4 multicast -{% elif afi == 'ipv4_labeled_unicast' %} +{% elif afi == 'ipv4_labeled_unicast' %} address-family ipv4 labeled-unicast -{% elif afi == 'ipv4_vpn' %} +{% elif afi == 'ipv4_vpn' %} address-family ipv4 vpn -{% elif afi == 'ipv4_flowspec' %} +{% elif afi == 'ipv4_flowspec' %} address-family ipv4 flowspec -{% elif afi == 'ipv6_unicast' %} +{% elif afi == 'ipv6_unicast' %} address-family ipv6 unicast -{% elif afi == 'ipv6_multicast' %} +{% elif afi == 'ipv6_multicast' %} address-family ipv6 multicast -{% elif afi == 'ipv6_labeled_unicast' %} +{% elif afi == 'ipv6_labeled_unicast' %} address-family ipv6 labeled-unicast -{% elif afi == 'ipv6_vpn' %} +{% elif afi == 'ipv6_vpn' %} address-family ipv6 vpn -{% elif afi == 'ipv6_flowspec' %} +{% elif afi == 'ipv6_flowspec' %} address-family ipv6 flowspec -{% elif afi == 'l2vpn_evpn' %} +{% elif afi == 'l2vpn_evpn' %} address-family l2vpn evpn -{% if afi_config.rd is vyos_defined %} +{% if afi_config.rd is vyos_defined %} rd {{ afi_config.rd }} -{% endif %} -{% endif %} -{% if afi_config.aggregate_address is vyos_defined %} -{% for aggregate, aggregate_config in afi_config.aggregate_address.items() %} +{% endif %} +{% endif %} +{% if afi_config.aggregate_address is vyos_defined %} +{% for aggregate, aggregate_config in afi_config.aggregate_address.items() %} aggregate-address {{ aggregate }}{{ ' as-set' if aggregate_config.as_set is vyos_defined }}{{ ' summary-only' if aggregate_config.summary_only is vyos_defined }} -{% if aggregate_config.route_map is vyos_defined %} +{% if aggregate_config.route_map is vyos_defined %} aggregate-address {{ aggregate }} route-map {{ aggregate_config.route_map }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if afi_config.maximum_paths.ebgp is vyos_defined %} +{% if afi_config.maximum_paths.ebgp is vyos_defined %} maximum-paths {{ afi_config.maximum_paths.ebgp }} -{% endif %} -{% if afi_config.maximum_paths.ibgp is vyos_defined %} +{% endif %} +{% if afi_config.maximum_paths.ibgp is vyos_defined %} maximum-paths ibgp {{ afi_config.maximum_paths.ibgp }} -{% endif %} -{% if afi_config.redistribute is vyos_defined %} -{% for protocol in afi_config.redistribute %} -{% if protocol == 'table' %} - redistribute table {{ afi_config.redistribute[protocol].table }} -{% else %} -{% set redistribution_protocol = protocol %} -{% if protocol == 'ospfv3' %} -{% set redistribution_protocol = 'ospf6' %} -{% endif %} - redistribute {{ redistribution_protocol }}{% if afi_config.redistribute[protocol].metric is vyos_defined %} metric {{ afi_config.redistribute[protocol].metric }}{% endif %}{% if afi_config.redistribute[protocol].route_map is vyos_defined %} route-map {{ afi_config.redistribute[protocol].route_map }}{% endif %} -{####### we need this blank line!! #######} +{% endif %} +{% if afi_config.redistribute is vyos_defined %} +{% for protocol, protocol_config in afi_config.redistribute.items() %} +{% if protocol == 'table' %} + redistribute table {{ protocol_config.table }} +{% else %} +{% set redistribution_protocol = protocol %} +{% if protocol == 'ospfv3' %} +{% set redistribution_protocol = 'ospf6' %} +{% endif %} + redistribute {{ redistribution_protocol }} {{ 'metric ' ~ protocol_config.metric if protocol_config.metric is vyos_defined }} {{ 'route-map ' ~ protocol_config.route_map if protocol_config.route_map is vyos_defined }} + {####### we need this blank line!! #######} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if afi_config.network is vyos_defined %} -{% for network in afi_config.network %} - network {{ network }}{% if afi_config.network[network].route_map is vyos_defined %} route-map {{ afi_config.network[network].route_map }}{% endif %}{% if afi_config.network[network].backdoor is vyos_defined %} backdoor{% endif %}{% if afi_config.network[network].rd is vyos_defined and afi_config.network[network].label is vyos_defined %} rd {{ afi_config.network[network].rd }} label {{ afi_config.network[network].label }}{% endif %} +{% if afi_config.network is vyos_defined %} +{% for network, network_config in afi_config.network.items() %} + network {{ network }} {{ 'route-map ' ~ network_config.route_map if network_config.route_map is vyos_defined }} {{ 'backdoor' if network_config.backdoor is vyos_defined }} {{ 'rd ' ~ network_config.rd if network_config.rd is vyos_defined }} {{ 'label ' ~ network_config.label if network_config.label is vyos_defined }} {####### we need this blank line!! #######} -{% endfor %} -{% endif %} -{% if afi_config.advertise is vyos_defined %} -{% for adv_afi, adv_afi_config in afi_config.advertise.items() %} -{% if adv_afi_config.unicast is vyos_defined %} +{% endfor %} +{% endif %} +{% if afi_config.advertise is vyos_defined %} +{% for adv_afi, adv_afi_config in afi_config.advertise.items() %} +{% if adv_afi_config.unicast is vyos_defined %} advertise {{ adv_afi }} unicast {{ 'route-map ' ~ adv_afi_config.unicast.route_map if adv_afi_config.unicast.route_map is vyos_defined }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if afi_config.distance.external is vyos_defined and afi_config.distance.internal is vyos_defined and afi_config.distance.local is vyos_defined %} +{% if afi_config.distance.external is vyos_defined and afi_config.distance.internal is vyos_defined and afi_config.distance.local is vyos_defined %} distance bgp {{ afi_config.distance.external }} {{ afi_config.distance.internal }} {{ afi_config.distance.local }} -{% endif %} -{% if afi_config.distance.prefix is vyos_defined %} -{% for prefix in afi_config.distance.prefix %} +{% endif %} +{% if afi_config.distance.prefix is vyos_defined %} +{% for prefix in afi_config.distance.prefix %} distance {{ afi_config.distance.prefix[prefix].distance }} {{ prefix }} -{% endfor %} -{% endif %} -{% if afi_config.export.vpn is vyos_defined %} +{% endfor %} +{% endif %} +{% if afi_config.export.vpn is vyos_defined %} export vpn -{% endif %} -{% if afi_config.import.vpn is vyos_defined %} +{% endif %} +{% if afi_config.import.vpn is vyos_defined %} import vpn -{% endif %} -{% if afi_config.import.vrf is vyos_defined %} -{% for vrf in afi_config.import.vrf %} +{% endif %} +{% if afi_config.import.vrf is vyos_defined %} +{% for vrf in afi_config.import.vrf %} import vrf {{ vrf }} -{% endfor %} -{% endif %} -{% if afi_config.label.vpn.export is vyos_defined %} +{% endfor %} +{% endif %} +{% if afi_config.label.vpn.export is vyos_defined %} label vpn export {{ afi_config.label.vpn.export }} -{% endif %} -{% if afi_config.local_install is vyos_defined %} -{% for interface in afi_config.local_install.interface %} +{% endif %} +{% if afi_config.local_install is vyos_defined %} +{% for interface in afi_config.local_install.interface %} local-install {{ interface }} -{% endfor %} -{% endif %} -{% if afi_config.advertise_all_vni is vyos_defined %} +{% endfor %} +{% endif %} +{% if afi_config.advertise_all_vni is vyos_defined %} advertise-all-vni -{% endif %} -{% if afi_config.advertise_default_gw is vyos_defined %} +{% endif %} +{% if afi_config.advertise_default_gw is vyos_defined %} advertise-default-gw -{% endif %} -{% if afi_config.advertise_pip is vyos_defined %} +{% endif %} +{% if afi_config.advertise_pip is vyos_defined %} advertise-pip ip {{ afi_config.advertise_pip }} -{% endif %} -{% if afi_config.advertise_svi_ip is vyos_defined %} +{% endif %} +{% if afi_config.advertise_svi_ip is vyos_defined %} advertise-svi-ip -{% endif %} -{% if afi_config.rt_auto_derive is vyos_defined %} +{% endif %} +{% if afi_config.rt_auto_derive is vyos_defined %} autort rfc8365-compatible -{% endif %} -{% if afi_config.flooding.disable is vyos_defined %} +{% endif %} +{% if afi_config.flooding.disable is vyos_defined %} flooding disable -{% endif %} -{% if afi_config.flooding.head_end_replication is vyos_defined %} +{% endif %} +{% if afi_config.flooding.head_end_replication is vyos_defined %} flooding head-end-replication -{% endif %} -{% if afi_config.rd.vpn.export is vyos_defined %} +{% endif %} +{% if afi_config.rd.vpn.export is vyos_defined %} rd vpn export {{ afi_config.rd.vpn.export }} -{% endif %} -{% if afi_config.route_target.vpn.both is vyos_defined %} +{% endif %} +{% if afi_config.route_target.vpn.both is vyos_defined %} route-target vpn both {{ afi_config.route_target.vpn.both }} -{% else %} -{% if afi_config.route_target.vpn.export is vyos_defined %} +{% else %} +{% if afi_config.route_target.vpn.export is vyos_defined %} route-target vpn export {{ afi_config.route_target.vpn.export }} -{% endif %} -{% if afi_config.route_target.vpn.import is vyos_defined %} +{% endif %} +{% if afi_config.route_target.vpn.import is vyos_defined %} route-target vpn import {{ afi_config.route_target.vpn.import }} -{% endif %} -{% endif %} -{% if afi_config.route_target.both is vyos_defined %} +{% endif %} +{% endif %} +{% if afi_config.route_target.both is vyos_defined %} route-target both {{ afi_config.route_target.both }} -{% else %} -{% if afi_config.route_target.export is vyos_defined %} +{% else %} +{% if afi_config.route_target.export is vyos_defined %} route-target export {{ afi_config.route_target.export }} -{% endif %} -{% if afi_config.route_target.import is vyos_defined %} +{% endif %} +{% if afi_config.route_target.import is vyos_defined %} route-target import {{ afi_config.route_target.import }} -{% endif %} -{% endif %} -{% if afi_config.route_map.vpn.export is vyos_defined %} +{% endif %} +{% endif %} +{% if afi_config.route_map.vpn.export is vyos_defined %} route-map vpn export {{ afi_config.route_map.vpn.export }} -{% endif %} -{% if afi_config.route_map.vpn.import is vyos_defined %} +{% endif %} +{% if afi_config.route_map.vpn.import is vyos_defined %} route-map vpn import {{ afi_config.route_map.vpn.import }} -{% endif %} -{% if afi_config.vni is vyos_defined %} -{% for vni, vni_config in afi_config.vni.items() %} +{% endif %} +{% if afi_config.vni is vyos_defined %} +{% for vni, vni_config in afi_config.vni.items() %} vni {{ vni }} -{% if vni_config.advertise_default_gw is vyos_defined %} +{% if vni_config.advertise_default_gw is vyos_defined %} advertise-default-gw -{% endif %} -{% if vni_config.advertise_svi_ip is vyos_defined %} +{% endif %} +{% if vni_config.advertise_svi_ip is vyos_defined %} advertise-svi-ip -{% endif %} -{% if vni_config.rd is vyos_defined %} +{% endif %} +{% if vni_config.rd is vyos_defined %} rd {{ vni_config.rd }} -{% endif %} -{% if vni_config.route_target.both is vyos_defined %} +{% endif %} +{% if vni_config.route_target.both is vyos_defined %} route-target both {{ vni_config.route_target.both }} -{% endif %} -{% if vni_config.route_target.export is vyos_defined %} +{% endif %} +{% if vni_config.route_target.export is vyos_defined %} route-target export {{ vni_config.route_target.export }} -{% endif %} -{% if vni_config.route_target.import is vyos_defined %} +{% endif %} +{% if vni_config.route_target.import is vyos_defined %} route-target import {{ vni_config.route_target.import }} -{% endif %} +{% endif %} exit-vni -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} exit-address-family -{% endfor %} +{% endfor %} {% endif %} ! {% if peer_group is vyos_defined %} -{% for peer, config in peer_group.items() %} +{% for peer, config in peer_group.items() %} {{ bgp_neighbor(peer, config, true) }} -{% endfor %} +{% endfor %} {% endif %} ! {% if neighbor is vyos_defined %} -{% for peer, config in neighbor.items() %} +{% for peer, config in neighbor.items() %} {{ bgp_neighbor(peer, config) }} -{% endfor %} +{% endfor %} {% endif %} ! {% if listen.limit is vyos_defined %} bgp listen limit {{ listen.limit }} {% endif %} {% if listen.range is vyos_defined %} -{% for prefix, options in listen.range.items() %} -{% if options.peer_group is vyos_defined %} +{% for prefix, options in listen.range.items() %} +{% if options.peer_group is vyos_defined %} bgp listen range {{ prefix }} peer-group {{ options.peer_group }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if parameters.always_compare_med is vyos_defined %} bgp always-compare-med {% endif %} {% if parameters.bestpath.as_path is vyos_defined %} -{% for option in parameters.bestpath.as_path %} +{% for option in parameters.bestpath.as_path %} {# replace is required for multipath-relax option #} - bgp bestpath as-path {{ option|replace('_', '-') }} -{% endfor %} + bgp bestpath as-path {{ option | replace('_', '-') }} +{% endfor %} {% endif %} {% if parameters.bestpath.bandwidth is vyos_defined %} bgp bestpath bandwidth {{ parameters.bestpath.bandwidth }} @@ -486,9 +484,9 @@ router bgp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} distance bgp {{ parameters.distance.global.external }} {{ parameters.distance.global.internal }} {{ parameters.distance.global.local }} {% endif %} {% if parameters.distance.prefix is vyos_defined %} -{% for prefix in parameters.distance.prefix %} +{% for prefix in parameters.distance.prefix %} distance {{ parameters.distance.prefix[prefix].distance }} {{ prefix }} -{% endfor %} +{% endfor %} {% endif %} {% if parameters.fast_convergence is vyos_defined %} bgp fast-convergence diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2 new file mode 100644 index 000000000..ce1f8fdda --- /dev/null +++ b/data/templates/frr/igmp.frr.j2 @@ -0,0 +1,41 @@ +! +{% for iface in old_ifaces %} +interface {{ iface }} +{% for group in old_ifaces[iface].gr_join %} +{% if old_ifaces[iface].gr_join[group] %} +{% for source in old_ifaces[iface].gr_join[group] %} + no ip igmp join {{ group }} {{ source }} +{% endfor %} +{% else %} + no ip igmp join {{ group }} +{% endif %} +{% endfor %} + no ip igmp +! +{% endfor %} +{% for interface, interface_config in ifaces.items() %} +interface {{ interface }} +{% if interface_config.version %} + ip igmp version {{ interface_config.version }} +{% else %} +{# IGMP default version 3 #} + ip igmp +{% endif %} +{% if interface_config.query_interval %} + ip igmp query-interval {{ interface_config.query_interval }} +{% endif %} +{% if interface_config.query_max_resp_time %} + ip igmp query-max-response-time {{ interface_config.query_max_resp_time }} +{% endif %} +{% for group in interface_config.gr_join %} +{% if ifaces[iface].gr_join[group] %} +{% for source in ifaces[iface].gr_join[group] %} + ip igmp join {{ group }} {{ source }} +{% endfor %} +{% else %} + ip igmp join {{ group }} +{% endif %} +{% endfor %} +! +{% endfor %} +! diff --git a/data/templates/frr/igmp.frr.tmpl b/data/templates/frr/igmp.frr.tmpl deleted file mode 100644 index 49b5aeaa5..000000000 --- a/data/templates/frr/igmp.frr.tmpl +++ /dev/null @@ -1,41 +0,0 @@ -! -{% for iface in old_ifaces %} -interface {{ iface }} -{% for group in old_ifaces[iface].gr_join %} -{% if old_ifaces[iface].gr_join[group] %} -{% for source in old_ifaces[iface].gr_join[group] %} - no ip igmp join {{ group }} {{ source }} -{% endfor %} -{% else %} - no ip igmp join {{ group }} -{% endif %} -{% endfor %} - no ip igmp -! -{% endfor %} -{% for iface in ifaces %} -interface {{ iface }} -{% if ifaces[iface].version %} - ip igmp version {{ ifaces[iface].version }} -{% else %} -{# IGMP default version 3 #} - ip igmp -{% endif %} -{% if ifaces[iface].query_interval %} - ip igmp query-interval {{ ifaces[iface].query_interval }} -{% endif %} -{% if ifaces[iface].query_max_resp_time %} - ip igmp query-max-response-time {{ ifaces[iface].query_max_resp_time }} -{% endif %} -{% for group in ifaces[iface].gr_join %} -{% if ifaces[iface].gr_join[group] %} -{% for source in ifaces[iface].gr_join[group] %} - ip igmp join {{ group }} {{ source }} -{% endfor %} -{% else %} - ip igmp join {{ group }} -{% endif %} -{% endfor %} -! -{% endfor %} -! diff --git a/data/templates/frr/isisd.frr.tmpl b/data/templates/frr/isisd.frr.j2 index 238541903..8e95348bc 100644 --- a/data/templates/frr/isisd.frr.tmpl +++ b/data/templates/frr/isisd.frr.j2 @@ -1,53 +1,53 @@ ! {% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} ip router isis VyOS ipv6 router isis VyOS -{% if iface_config.bfd is vyos_defined %} +{% if iface_config.bfd is vyos_defined %} isis bfd -{% if iface_config.bfd.profile is vyos_defined %} +{% if iface_config.bfd.profile is vyos_defined %} isis bfd profile {{ iface_config.bfd.profile }} -{% endif %} -{% endif %} -{% if iface_config.network.point_to_point is vyos_defined %} +{% endif %} +{% endif %} +{% if iface_config.network.point_to_point is vyos_defined %} isis network point-to-point -{% endif %} -{% if iface_config.circuit_type is vyos_defined %} +{% endif %} +{% if iface_config.circuit_type is vyos_defined %} isis circuit-type {{ iface_config.circuit_type }} -{% endif %} -{% if iface_config.hello_interval is vyos_defined %} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} isis hello-interval {{ iface_config.hello_interval }} -{% endif %} -{% if iface_config.hello_multiplier is vyos_defined %} +{% endif %} +{% if iface_config.hello_multiplier is vyos_defined %} isis hello-multiplier {{ iface_config.hello_multiplier }} -{% endif %} -{% if iface_config.hello_padding is vyos_defined %} +{% endif %} +{% if iface_config.hello_padding is vyos_defined %} isis hello padding -{% endif %} -{% if iface_config.metric is vyos_defined %} +{% endif %} +{% if iface_config.metric is vyos_defined %} isis metric {{ iface_config.metric }} -{% endif %} -{% if iface_config.passive is vyos_defined %} +{% endif %} +{% if iface_config.passive is vyos_defined %} isis passive -{% endif %} -{% if iface_config.password.md5 is vyos_defined %} +{% endif %} +{% if iface_config.password.md5 is vyos_defined %} isis password md5 {{ iface_config.password.md5 }} -{% elif iface_config.password.plaintext_password is vyos_defined %} +{% elif iface_config.password.plaintext_password is vyos_defined %} isis password clear {{ iface_config.password.plaintext_password }} -{% endif %} -{% if iface_config.priority is vyos_defined %} +{% endif %} +{% if iface_config.priority is vyos_defined %} isis priority {{ iface_config.priority }} -{% endif %} -{% if iface_config.psnp_interval is vyos_defined %} +{% endif %} +{% if iface_config.psnp_interval is vyos_defined %} isis psnp-interval {{ iface_config.psnp_interval }} -{% endif %} -{% if iface_config.no_three_way_handshake is vyos_defined %} +{% endif %} +{% if iface_config.no_three_way_handshake is vyos_defined %} no isis three-way-handshake -{% endif %} +{% endif %} exit ! -{% endfor %} +{% endfor %} {% endif %} ! router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} @@ -94,58 +94,58 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} mpls-te router-address {{ traffic_engineering.address }} {% endif %} {% if traffic_engineering.inter_as is vyos_defined %} -{% set level = '' %} -{% if traffic_engineering.inter_as.level_1 is vyos_defined %} -{% set level = ' level-1' %} -{% endif %} -{% if traffic_engineering.inter_as.level_1_2 is vyos_defined %} -{% set level = ' level-1-2' %} -{% endif %} -{% if traffic_engineering.inter_as.level_2 is vyos_defined %} -{% set level = ' level-2-only' %} -{% endif %} +{% set level = '' %} +{% if traffic_engineering.inter_as.level_1 is vyos_defined %} +{% set level = ' level-1' %} +{% endif %} +{% if traffic_engineering.inter_as.level_1_2 is vyos_defined %} +{% set level = ' level-1-2' %} +{% endif %} +{% if traffic_engineering.inter_as.level_2 is vyos_defined %} +{% set level = ' level-2-only' %} +{% endif %} mpls-te inter-as{{ level }} {% endif %} {% if segment_routing is vyos_defined %} -{% if segment_routing.enable is vyos_defined %} +{% if segment_routing.enable is vyos_defined %} segment-routing on -{% endif %} -{% if segment_routing.maximum_label_depth is vyos_defined %} +{% endif %} +{% if segment_routing.maximum_label_depth is vyos_defined %} segment-routing node-msd {{ segment_routing.maximum_label_depth }} -{% endif %} -{% if segment_routing.global_block is vyos_defined %} -{% if segment_routing.local_block is vyos_defined %} +{% endif %} +{% if segment_routing.global_block is vyos_defined %} +{% if segment_routing.local_block is vyos_defined %} segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} local-block {{ segment_routing.local_block.low_label_value }} {{ segment_routing.local_block.high_label_value }} -{% else %} +{% else %} segment-routing global-block {{ segment_routing.global_block.low_label_value }} {{ segment_routing.global_block.high_label_value }} -{% endif %} -{% endif %} -{% if segment_routing.prefix is vyos_defined %} -{% for prefixes in segment_routing.prefix %} -{% if segment_routing.prefix[prefixes].absolute is vyos_defined %} -{% if segment_routing.prefix[prefixes].absolute.value is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ segment_routing.prefix[prefixes].absolute.value }} -{% if segment_routing.prefix[prefixes].absolute.explicit_null is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ segment_routing.prefix[prefixes].absolute.value }} explicit-null -{% endif %} -{% if segment_routing.prefix[prefixes].absolute.no_php_flag is vyos_defined %} - segment-routing prefix {{ prefixes }} absolute {{ segment_routing.prefix[prefixes].absolute.value }} no-php-flag -{% endif %} {% endif %} -{% if segment_routing.prefix[prefixes].index is vyos_defined %} -{% if segment_routing.prefix[prefixes].index.value is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ segment_routing.prefix[prefixes].index.value }} -{% if segment_routing.prefix[prefixes].index.explicit_null is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ segment_routing.prefix[prefixes].index.value }} explicit-null -{% endif %} -{% if segment_routing.prefix[prefixes].index.no_php_flag is vyos_defined %} - segment-routing prefix {{ prefixes }} index {{ segment_routing.prefix[prefixes].index.value }} no-php-flag +{% endif %} +{% if segment_routing.prefix is vyos_defined %} +{% for prefix, prefix_config in segment_routing.prefix.items() %} +{% if prefix_config.absolute is vyos_defined %} +{% if prefix_config.absolute.value is vyos_defined %} + segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} +{% if prefix_config.absolute.explicit_null is vyos_defined %} + segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} explicit-null +{% endif %} +{% if prefix_config.absolute.no_php_flag is vyos_defined %} + segment-routing prefix {{ prefixes }} absolute {{ prefix_config.absolute.value }} no-php-flag +{% endif %} +{% endif %} +{% if prefix_config.index is vyos_defined %} +{% if prefix_config.index.value is vyos_defined %} + segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} +{% if prefix_config.index.explicit_null is vyos_defined %} + segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} explicit-null +{% endif %} +{% if prefix_config.index.no_php_flag is vyos_defined %} + segment-routing prefix {{ prefixes }} index {{ prefix_config.index.value }} no-php-flag +{% endif %} +{% endif %} +{% endif %} {% endif %} -{% endif %} -{% endif %} -{% endif %} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {% endif %} {% if spf_delay_ietf.init_delay is vyos_defined %} spf-delay-ietf init-delay {{ spf_delay_ietf.init_delay }} short-delay {{ spf_delay_ietf.short_delay }} long-delay {{ spf_delay_ietf.long_delay }} holddown {{ spf_delay_ietf.holddown }} time-to-learn {{ spf_delay_ietf.time_to_learn }} @@ -156,37 +156,37 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }} area-password clear {{ area_password.plaintext_password }} {% endif %} {% if default_information.originate is vyos_defined %} -{% for afi, afi_config in default_information.originate.items() %} -{% for level, level_config in afi_config.items() %} +{% for afi, afi_config in default_information.originate.items() %} +{% for level, level_config in afi_config.items() %} default-information originate {{ afi }} {{ level | replace('_', '-') }} {{ 'always' if level_config.always is vyos_defined }} {{ 'route-map ' ~ level_config.route_map if level_config.route_map is vyos_defined }} {{ 'metric ' ~ level_config.metric if level_config.metric is vyos_defined }} +{% endfor %} {% endfor %} -{% endfor %} {% endif %} {% if redistribute.ipv4 is vyos_defined %} -{% for protocol, protocol_options in redistribute.ipv4.items() %} -{% for level, level_config in protocol_options.items() %} -{% if level_config.metric is vyos_defined %} +{% for protocol, protocol_options in redistribute.ipv4.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is vyos_defined %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} -{% elif level_config.route_map is vyos_defined %} +{% elif level_config.route_map is vyos_defined %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} -{% else %} +{% else %} redistribute ipv4 {{ protocol }} {{ level | replace('_', '-') }} -{% endif %} +{% endif %} +{% endfor %} {% endfor %} -{% endfor %} {% endif %} {% if redistribute.ipv6 is vyos_defined %} -{% for protocol, protocol_options in redistribute.ipv6.items() %} -{% for level, level_config in protocol_options.items() %} -{% if level_config.metric is vyos_defined %} +{% for protocol, protocol_options in redistribute.ipv6.items() %} +{% for level, level_config in protocol_options.items() %} +{% if level_config.metric is vyos_defined %} redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} metric {{ level_config.metric }} -{% elif level_config.route_map is vyos_defined %} +{% elif level_config.route_map is vyos_defined %} redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} route-map {{ level_config.route_map }} -{% else %} +{% else %} redistribute ipv6 {{ protocol }} {{ level | replace('_', '-') }} -{% endif %} +{% endif %} +{% endfor %} {% endfor %} -{% endfor %} {% endif %} {% if level is vyos_defined('level-2') %} is-type level-2-only diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2 new file mode 100644 index 000000000..11aff331a --- /dev/null +++ b/data/templates/frr/ldpd.frr.j2 @@ -0,0 +1,149 @@ +! +{% if ldp is vyos_defined %} +mpls ldp +{% if ldp.router_id is vyos_defined %} + router-id {{ ldp.router_id }} +{% endif %} +{% if ldp.parameters.cisco_interop_tlv is vyos_defined %} + dual-stack cisco-interop +{% endif %} +{% if ldp.parameters.transport_prefer_ipv4 is vyos_defined %} + dual-stack transport-connection prefer ipv4 +{% endif %} +{% if ldp.parameters.ordered_control is vyos_defined %} + ordered-control +{% endif %} +{% if ldp.neighbor is vyos_defined %} +{% for neighbor, neighbor_config in ldp.neighbor %} +{% if neighbor_config.password is vyos_defined %} + neighbor {{ neighbors }} password {{ neighbor_config.password }} +{% endif %} +{% if neighbor_config.ttl_security is vyos_defined %} +{% if neighbor_config.ttl_security.disable is vyos_defined %} + neighbor {{ neighbors }} ttl-security disable +{% else %} + neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }} +{% endif %} +{% endif %} +{% if neighbor_config.session_holdtime is vyos_defined %} + neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }} +{% endif %} +{% endfor %} +{% endif %} + ! +{% if ldp.discovery.transport_ipv4_address is vyos_defined %} + address-family ipv4 +{% if ldp.allocation.ipv4.access_list is vyos_defined %} + label local allocate for {{ ldp.allocation.ipv4.access_list }} +{% else %} + label local allocate host-routes +{% endif %} +{% if ldp.discovery.transport_ipv4_address is vyos_defined %} + discovery transport-address {{ ldp.discovery.transport_ipv4_address }} +{% endif %} +{% if ldp.discovery.hello_ipv4_holdtime is vyos_defined %} + discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }} +{% endif %} +{% if ldp.discovery.hello_ipv4_interval is vyos_defined %} + discovery hello interval {{ ldp.discovery.hello_ipv4_interval }} +{% endif %} +{% if ldp.discovery.session_ipv4_holdtime is vyos_defined %} + session holdtime {{ ldp.discovery.session_ipv4_holdtime }} +{% endif %} +{% if ldp.import.ipv4.import_filter.filter_access_list is vyos_defined %} +{% if ldp.import.ipv4.import_filter.neighbor_access_list is vyos_defined %} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }} +{% else %} + label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} +{% endif %} +{% endif %} +{% if ldp.export.ipv4.explicit_null is vyos_defined %} + label local advertise explicit-null +{% endif %} +{% if ldp.export.ipv4.export_filter.filter_access_list is vyos_defined %} +{% if ldp.export.ipv4.export_filter.neighbor_access_list is vyos_defined %} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }} +{% else %} + label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} +{% endif %} +{% endif %} +{% if ldp.targeted_neighbor is vyos_defined %} +{% if ldp.targeted_neighbor.ipv4.enable is vyos_defined %} + discovery targeted-hello accept +{% endif %} +{% if ldp.targeted_neighbor.ipv4.hello_holdtime is vyos_defined %} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }} +{% endif %} +{% if ldp.targeted_neighbor.ipv4.hello_interval is vyos_defined %} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }} +{% endif %} +{% for addresses in ldp.targeted_neighbor.ipv4.address %} + neighbor {{ addresses }} targeted +{% endfor %} +{% endif %} +{% if ldp.interface is vyos_defined %} +{% for interface in ldp.interface %} + interface {{ interface }} + exit +{% endfor %} +{% endif %} + exit-address-family +{% else %} + no address-family ipv4 +{% endif %} + ! +{% if ldp.discovery.transport_ipv6_address is vyos_defined %} + address-family ipv6 +{% if ldp.allocation.ipv6.access_list6 is vyos_defined %} + label local allocate for {{ ldp.allocation.ipv6.access_list6 }} +{% else %} + label local allocate host-routes +{% endif %} +{% if ldp.discovery.transport_ipv6_address is vyos_defined %} + discovery transport-address {{ ldp.discovery.transport_ipv6_address }} +{% endif %} +{% if ldp.discovery.hello_ipv6_holdtime is vyos_defined %} + discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }} +{% endif %} +{% if ldp.discovery.hello_ipv6_interval is vyos_defined %} + discovery hello interval {{ ldp.discovery.hello_ipv6_interval }} +{% endif %} +{% if ldp.discovery.session_ipv6_holdtime is vyos_defined %} + session holdtime {{ ldp.discovery.session_ipv6_holdtime }} +{% endif %} +{% if ldp.import.ipv6.import_filter.filter_access_list6 is vyos_defined %} + label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} {{ 'from ' ~ ldp.import.ipv6.import_filter.neighbor_access_list6 if ldp.import.ipv6.import_filter.neighbor_access_list6 is vyos_defined }} +{% endif %} +{% if ldp.export.ipv6.explicit_null is vyos_defined %} + label local advertise explicit-null +{% endif %} +{% if ldp.export.ipv6.export_filter.filter_access_list6 is vyos_defined %} + label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} {{ 'to ' ~ ldp.export.ipv6.export_filter.neighbor_access_list6 if ldp.export.ipv6.export_filter.neighbor_access_list6 is vyos_defined }} +{% endif %} +{% if ldp.targeted_neighbor is vyos_defined %} +{% if ldp.targeted_neighbor.ipv6.enable is vyos_defined %} + discovery targeted-hello accept +{% endif %} +{% if ldp.targeted_neighbor.ipv6.hello_holdtime is vyos_defined %} + discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }} +{% endif %} +{% if ldp.targeted_neighbor.ipv6.hello_interval is vyos_defined %} + discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }} +{% endif %} +{% for addresses in ldp.targeted_neighbor.ipv6.address %} + neighbor {{ addresses }} targeted +{% endfor %} +{% endif %} +{% if ldp.interface is vyos_defined %} +{% for interface in ldp.interface %} + interface {{ interface }} +{% endfor %} +{% endif %} + exit-address-family +{% else %} + no address-family ipv6 +{% endif %} + ! +exit +{% endif %} +! diff --git a/data/templates/frr/ldpd.frr.tmpl b/data/templates/frr/ldpd.frr.tmpl deleted file mode 100644 index 5a67b5cdf..000000000 --- a/data/templates/frr/ldpd.frr.tmpl +++ /dev/null @@ -1,157 +0,0 @@ -! -{% if ldp is vyos_defined %} -mpls ldp -{% if ldp.router_id is vyos_defined %} - router-id {{ ldp.router_id }} -{% endif %} -{% if ldp.parameters.cisco_interop_tlv is vyos_defined %} - dual-stack cisco-interop -{% endif %} -{% if ldp.parameters.transport_prefer_ipv4 is vyos_defined %} - dual-stack transport-connection prefer ipv4 -{% endif %} -{% if ldp.parameters.ordered_control is vyos_defined %} - ordered-control -{% endif %} -{% if ldp.neighbor is vyos_defined %} -{% for neighbor, neighbor_config in ldp.neighbor %} -{% if neighbor_config.password is vyos_defined %} - neighbor {{ neighbors }} password {{ neighbor_config.password }} -{% endif %} -{% if neighbor_config.ttl_security is vyos_defined %} -{% if neighbor_config.ttl_security.disable is vyos_defined%} - neighbor {{ neighbors }} ttl-security disable -{% else %} - neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }} -{% endif %} -{% endif %} -{% if neighbor_config.session_holdtime is vyos_defined %} - neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }} -{% endif %} -{% endfor %} -{% endif %} - ! -{% if ldp.discovery.transport_ipv4_address is vyos_defined %} - address-family ipv4 -{% if ldp.allocation.ipv4.access_list is vyos_defined %} - label local allocate for {{ ldp.allocation.ipv4.access_list }} -{% else %} - label local allocate host-routes -{% endif %} -{% if ldp.discovery.transport_ipv4_address is vyos_defined %} - discovery transport-address {{ ldp.discovery.transport_ipv4_address }} -{% endif %} -{% if ldp.discovery.hello_ipv4_holdtime is vyos_defined %} - discovery hello holdtime {{ ldp.discovery.hello_ipv4_holdtime }} -{% endif %} -{% if ldp.discovery.hello_ipv4_interval is vyos_defined %} - discovery hello interval {{ ldp.discovery.hello_ipv4_interval }} -{% endif %} -{% if ldp.discovery.session_ipv4_holdtime is vyos_defined %} - session holdtime {{ ldp.discovery.session_ipv4_holdtime }} -{% endif %} -{% if ldp.import.ipv4.import_filter.filter_access_list is vyos_defined %} -{% if ldp.import.ipv4.import_filter.neighbor_access_list is vyos_defined %} - label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} from {{ ldp.import.ipv4.import_filter.neighbor_access_list }} -{% else %} - label remote accept for {{ ldp.import.ipv4.import_filter.filter_access_list }} -{% endif %} -{% endif %} -{% if ldp.export.ipv4.explicit_null is vyos_defined %} - label local advertise explicit-null -{% endif %} -{% if ldp.export.ipv4.export_filter.filter_access_list is vyos_defined %} -{% if ldp.export.ipv4.export_filter.neighbor_access_list is vyos_defined %} - label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} to {{ ldp.export.ipv4.export_filter.neighbor_access_list }} -{% else %} - label local advertise for {{ ldp.export.ipv4.export_filter.filter_access_list }} -{% endif %} -{% endif %} -{% if ldp.targeted_neighbor is vyos_defined %} -{% if ldp.targeted_neighbor.ipv4.enable is vyos_defined %} - discovery targeted-hello accept -{% endif %} -{% if ldp.targeted_neighbor.ipv4.hello_holdtime is vyos_defined %} - discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv4.hello_holdtime }} -{% endif %} -{% if ldp.targeted_neighbor.ipv4.hello_interval is vyos_defined %} - discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv4.hello_interval }} -{% endif %} -{% for addresses in ldp.targeted_neighbor.ipv4.address %} - neighbor {{ addresses }} targeted -{% endfor %} -{% endif %} -{% if ldp.interface is vyos_defined %} -{% for interface in ldp.interface %} - interface {{ interface }} - exit -{% endfor %} -{% endif %} - exit-address-family -{% else %} - no address-family ipv4 -{% endif %} - ! -{% if ldp.discovery.transport_ipv6_address is vyos_defined %} - address-family ipv6 -{% if ldp.allocation.ipv6.access_list6 is vyos_defined %} - label local allocate for {{ ldp.allocation.ipv6.access_list6 }} -{% else %} - label local allocate host-routes -{% endif %} -{% if ldp.discovery.transport_ipv6_address is vyos_defined %} - discovery transport-address {{ ldp.discovery.transport_ipv6_address }} -{% endif %} -{% if ldp.discovery.hello_ipv6_holdtime is vyos_defined %} - discovery hello holdtime {{ ldp.discovery.hello_ipv6_holdtime }} -{% endif %} -{% if ldp.discovery.hello_ipv6_interval is vyos_defined %} - discovery hello interval {{ ldp.discovery.hello_ipv6_interval }} -{% endif %} -{% if ldp.discovery.session_ipv6_holdtime is vyos_defined %} - session holdtime {{ ldp.discovery.session_ipv6_holdtime }} -{% endif %} -{% if ldp.import.ipv6.import_filter.filter_access_list6 is vyos_defined %} -{% if ldp.import.ipv6.import_filter.neighbor_access_list6 is vyos_defined %} - label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} from {{ ldp.import.ipv6.import_filter.neighbor_access_list6 }} -{% else %} - label remote accept for {{ ldp.import.ipv6.import_filter.filter_access_list6 }} -{% endif %} -{% endif %} -{% if ldp.export.ipv6.explicit_null is vyos_defined %} - label local advertise explicit-null -{% endif %} -{% if ldp.export.ipv6.export_filter.filter_access_list6 is vyos_defined %} -{% if ldp.export.ipv6.export_filter.neighbor_access_list6 is vyos_defined %} - label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} to {{ ldp.export.ipv6.export_filter.neighbor_access_list6 }} -{% else %} - label local advertise for {{ ldp.export.ipv6.export_filter.filter_access_list6 }} -{% endif %} -{% endif %} -{% if ldp.targeted_neighbor is vyos_defined %} -{% if ldp.targeted_neighbor.ipv6.enable is vyos_defined %} - discovery targeted-hello accept -{% endif %} -{% if ldp.targeted_neighbor.ipv6.hello_holdtime is vyos_defined %} - discovery targeted-hello holdtime {{ ldp.targeted_neighbor.ipv6.hello_holdtime }} -{% endif %} -{% if ldp.targeted_neighbor.ipv6.hello_interval is vyos_defined %} - discovery targeted-hello interval {{ ldp.targeted_neighbor.ipv6.hello_interval }} -{% endif %} -{% for addresses in ldp.targeted_neighbor.ipv6.address %} - neighbor {{ addresses }} targeted -{% endfor %} -{% endif %} -{% if ldp.interface is vyos_defined %} -{% for interface in ldp.interface %} - interface {{ interface }} -{% endfor %} -{% endif %} - exit-address-family -{% else %} - no address-family ipv6 -{% endif %} - ! -exit -{% endif %} -! diff --git a/data/templates/frr/ospf6d.frr.tmpl b/data/templates/frr/ospf6d.frr.j2 index 325f05213..84394ed1a 100644 --- a/data/templates/frr/ospf6d.frr.tmpl +++ b/data/templates/frr/ospf6d.frr.j2 @@ -1,84 +1,84 @@ ! {% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} -{% if iface_config.area is vyos_defined %} +{% if iface_config.area is vyos_defined %} ipv6 ospf6 area {{ iface_config.area }} -{% endif %} -{% if iface_config.cost is vyos_defined %} +{% endif %} +{% if iface_config.cost is vyos_defined %} ipv6 ospf6 cost {{ iface_config.cost }} -{% endif %} -{% if iface_config.priority is vyos_defined %} +{% endif %} +{% if iface_config.priority is vyos_defined %} ipv6 ospf6 priority {{ iface_config.priority }} -{% endif %} -{% if iface_config.hello_interval is vyos_defined %} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} ipv6 ospf6 hello-interval {{ iface_config.hello_interval }} -{% endif %} -{% if iface_config.retransmit_interval is vyos_defined %} +{% endif %} +{% if iface_config.retransmit_interval is vyos_defined %} ipv6 ospf6 retransmit-interval {{ iface_config.retransmit_interval }} -{% endif %} -{% if iface_config.transmit_delay is vyos_defined %} +{% endif %} +{% if iface_config.transmit_delay is vyos_defined %} ipv6 ospf6 transmit-delay {{ iface_config.transmit_delay }} -{% endif %} -{% if iface_config.dead_interval is vyos_defined %} +{% endif %} +{% if iface_config.dead_interval is vyos_defined %} ipv6 ospf6 dead-interval {{ iface_config.dead_interval }} -{% endif %} -{% if iface_config.bfd is vyos_defined %} +{% endif %} +{% if iface_config.bfd is vyos_defined %} ipv6 ospf6 bfd -{% endif %} -{% if iface_config.bfd.profile is vyos_defined %} +{% endif %} +{% if iface_config.bfd.profile is vyos_defined %} ipv6 ospf6 bfd profile {{ iface_config.bfd.profile }} -{% endif %} -{% if iface_config.mtu_ignore is vyos_defined %} +{% endif %} +{% if iface_config.mtu_ignore is vyos_defined %} ipv6 ospf6 mtu-ignore -{% endif %} -{% if iface_config.ifmtu is vyos_defined %} +{% endif %} +{% if iface_config.ifmtu is vyos_defined %} ipv6 ospf6 ifmtu {{ iface_config.ifmtu }} -{% endif %} -{% if iface_config.network is vyos_defined %} +{% endif %} +{% if iface_config.network is vyos_defined %} ipv6 ospf6 network {{ iface_config.network }} -{% endif %} -{% if iface_config.instance_id is vyos_defined %} +{% endif %} +{% if iface_config.instance_id is vyos_defined %} ipv6 ospf6 instance-id {{ iface_config.instance_id }} -{% endif %} -{% if iface_config.passive is vyos_defined %} +{% endif %} +{% if iface_config.passive is vyos_defined %} ipv6 ospf6 passive -{% endif %} +{% endif %} exit ! -{% endfor %} +{% endfor %} {% endif %} ! router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if area is vyos_defined %} -{% for area_id, area_config in area.items() %} -{% if area_config.area_type is vyos_defined %} -{% for type, type_config in area_config.area_type.items() %} +{% for area_id, area_config in area.items() %} +{% if area_config.area_type is vyos_defined %} +{% for type, type_config in area_config.area_type.items() %} area {{ area_id }} {{ type }} {{ 'default-information-originate' if type_config.default_information_originate is vyos_defined }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} -{% endfor %} -{% endif %} -{% if area_config.range is vyos_defined %} -{% for prefix, prefix_config in area_config.range.items() %} +{% endfor %} +{% endif %} +{% if area_config.range is vyos_defined %} +{% for prefix, prefix_config in area_config.range.items() %} area {{ area_id }} range {{ prefix }} {{ 'advertise' if prefix_config.advertise is vyos_defined }} {{ 'not-advertise' if prefix_config.not_advertise is vyos_defined }} -{% endfor %} -{% endif %} -{% if area_config.export_list is vyos_defined %} +{% endfor %} +{% endif %} +{% if area_config.export_list is vyos_defined %} area {{ area_id }} export-list {{ area_config.export_list }} -{% endif %} -{% if area_config.import_list is vyos_defined %} +{% endif %} +{% if area_config.import_list is vyos_defined %} area {{ area_id }} import-list {{ area_config.import_list }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} {% if default_information.originate is vyos_defined %} - default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' + default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' + default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' + default_information.originate.route_map if default_information.originate.route_map is vyos_defined }} + default-information originate {{ 'always' if default_information.originate.always is vyos_defined }} {{ 'metric ' ~ default_information.originate.metric if default_information.originate.metric is vyos_defined }} {{ 'metric-type ' ~ default_information.originate.metric_type if default_information.originate.metric_type is vyos_defined }} {{ 'route-map ' ~ default_information.originate.route_map if default_information.originate.route_map is vyos_defined }} {% endif %} {% if distance.global is vyos_defined %} distance {{ distance.global }} {% endif %} {% if distance.ospfv3 is vyos_defined %} - distance ospf6 {{ 'intra-area ' + distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' + distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' + distance.ospfv3.external if distance.ospfv3.external is vyos_defined }} + distance ospf6 {{ 'intra-area ' ~ distance.ospfv3.intra_area if distance.ospfv3.intra_area is vyos_defined }} {{ 'inter-area ' ~ distance.ospfv3.inter_area if distance.ospfv3.inter_area is vyos_defined }} {{ 'external ' ~ distance.ospfv3.external if distance.ospfv3.external is vyos_defined }} {% endif %} {% if log_adjacency_changes is vyos_defined %} log-adjacency-changes {{ "detail" if log_adjacency_changes.detail is vyos_defined }} @@ -87,9 +87,9 @@ router ospf6 {{ 'vrf ' ~ vrf if vrf is vyos_defined }} ospf6 router-id {{ parameters.router_id }} {% endif %} {% if redistribute is vyos_defined %} -{% for protocol, options in redistribute.items() %} - redistribute {{ protocol }} {{ 'route-map ' + options.route_map if options.route_map is vyos_defined }} -{% endfor %} +{% for protocol, options in redistribute.items() %} + redistribute {{ protocol }} {{ 'route-map ' ~ options.route_map if options.route_map is vyos_defined }} +{% endfor %} {% endif %} exit ! diff --git a/data/templates/frr/ospfd.frr.tmpl b/data/templates/frr/ospfd.frr.j2 index 7c6738181..427fc8be7 100644 --- a/data/templates/frr/ospfd.frr.tmpl +++ b/data/templates/frr/ospfd.frr.j2 @@ -1,123 +1,123 @@ ! {% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} -{% if iface_config.authentication.plaintext_password is vyos_defined %} +{% if iface_config.authentication.plaintext_password is vyos_defined %} ip ospf authentication-key {{ iface_config.authentication.plaintext_password }} -{% elif iface_config.authentication.md5 is vyos_defined %} +{% elif iface_config.authentication.md5 is vyos_defined %} ip ospf authentication message-digest -{% if iface_config.authentication.md5.key_id is vyos_defined %} -{% for key, key_config in iface_config.authentication.md5.key_id.items() %} +{% if iface_config.authentication.md5.key_id is vyos_defined %} +{% for key, key_config in iface_config.authentication.md5.key_id.items() %} ip ospf message-digest-key {{ key }} md5 {{ key_config.md5_key }} -{% endfor %} -{% endif %} -{% endif %} -{% if iface_config.area is vyos_defined %} +{% endfor %} +{% endif %} +{% endif %} +{% if iface_config.area is vyos_defined %} ip ospf area {{ iface_config.area }} -{% endif %} -{% if iface_config.bandwidth is vyos_defined %} +{% endif %} +{% if iface_config.bandwidth is vyos_defined %} bandwidth {{ iface_config.bandwidth }} -{% endif %} -{% if iface_config.cost is vyos_defined %} +{% endif %} +{% if iface_config.cost is vyos_defined %} ip ospf cost {{ iface_config.cost }} -{% endif %} -{% if iface_config.priority is vyos_defined %} +{% endif %} +{% if iface_config.priority is vyos_defined %} ip ospf priority {{ iface_config.priority }} -{% endif %} -{% if iface_config.hello_interval is vyos_defined %} +{% endif %} +{% if iface_config.hello_interval is vyos_defined %} ip ospf hello-interval {{ iface_config.hello_interval }} -{% endif %} -{% if iface_config.retransmit_interval is vyos_defined %} +{% endif %} +{% if iface_config.retransmit_interval is vyos_defined %} ip ospf retransmit-interval {{ iface_config.retransmit_interval }} -{% endif %} -{% if iface_config.transmit_delay is vyos_defined %} +{% endif %} +{% if iface_config.transmit_delay is vyos_defined %} ip ospf transmit-delay {{ iface_config.transmit_delay }} -{% endif %} -{% if iface_config.dead_interval is vyos_defined %} +{% endif %} +{% if iface_config.dead_interval is vyos_defined %} ip ospf dead-interval {{ iface_config.dead_interval }} -{% elif iface_config.hello_multiplier is vyos_defined %} +{% elif iface_config.hello_multiplier is vyos_defined %} ip ospf dead-interval minimal hello-multiplier {{ iface_config.hello_multiplier }} -{% endif %} -{% if iface_config.bfd is vyos_defined %} +{% endif %} +{% if iface_config.bfd is vyos_defined %} ip ospf bfd -{% endif %} -{% if iface_config.bfd.profile is vyos_defined %} +{% endif %} +{% if iface_config.bfd.profile is vyos_defined %} ip ospf bfd profile {{ iface_config.bfd.profile }} -{% endif %} -{% if iface_config.mtu_ignore is vyos_defined %} +{% endif %} +{% if iface_config.mtu_ignore is vyos_defined %} ip ospf mtu-ignore -{% endif %} -{% if iface_config.network is vyos_defined %} +{% endif %} +{% if iface_config.network is vyos_defined %} ip ospf network {{ iface_config.network }} -{% endif %} -{% if iface_config.passive is vyos_defined %} +{% endif %} +{% if iface_config.passive is vyos_defined %} {{ 'no ' if iface_config.passive.disable is vyos_defined }}ip ospf passive -{% endif %} +{% endif %} exit ! -{% endfor %} +{% endfor %} {% endif %} ! router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if access_list is vyos_defined %} -{% for acl, acl_config in access_list.items() %} -{% for protocol in acl_config.export if acl_config.export is vyos_defined %} +{% for acl, acl_config in access_list.items() %} +{% for protocol in acl_config.export if acl_config.export is vyos_defined %} distribute-list {{ acl }} out {{ protocol }} +{% endfor %} {% endfor %} -{% endfor %} {% endif %} {% if area is vyos_defined %} -{% for area_id, area_config in area.items() %} -{% if area_config.area_type is vyos_defined %} -{% for type, type_config in area_config.area_type.items() if type != 'normal' %} +{% for area_id, area_config in area.items() %} +{% if area_config.area_type is vyos_defined %} +{% for type, type_config in area_config.area_type.items() if type != 'normal' %} area {{ area_id }} {{ type }} {{ 'no-summary' if type_config.no_summary is vyos_defined }} -{% if type_config.default_cost is vyos_defined %} +{% if type_config.default_cost is vyos_defined %} area {{ area_id }} default-cost {{ type_config.default_cost }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if area_config.authentication is vyos_defined %} +{% if area_config.authentication is vyos_defined %} area {{ area_id }} authentication {{ 'message-digest' if area_config.authentication is vyos_defined('md5') }} -{% endif %} -{% for network in area_config.network if area_config.network is vyos_defined %} +{% endif %} +{% for network in area_config.network if area_config.network is vyos_defined %} network {{ network }} area {{ area_id }} -{% endfor %} -{% if area_config.range is vyos_defined %} -{% for range, range_config in area_config.range.items() %} -{% if range_config.cost is vyos_defined %} +{% endfor %} +{% if area_config.range is vyos_defined %} +{% for range, range_config in area_config.range.items() %} +{% if range_config.cost is vyos_defined %} area {{ area_id }} range {{ range }} cost {{ range_config.cost }} -{% endif %} -{% if range_config.not_advertise is vyos_defined %} +{% endif %} +{% if range_config.not_advertise is vyos_defined %} area {{ area_id }} range {{ range }} not-advertise -{% endif %} -{% if range_config.substitute is vyos_defined %} +{% endif %} +{% if range_config.substitute is vyos_defined %} area {{ area_id }} range {{ range }} substitute {{ range_config.substitute }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if area_config.export_list is vyos_defined %} +{% if area_config.export_list is vyos_defined %} area {{ area_id }} export-list {{ area_config.export_list }} -{% endif %} -{% if area_config.import_list is vyos_defined %} +{% endif %} +{% if area_config.import_list is vyos_defined %} area {{ area_id }} import-list {{ area_config.import_list }} -{% endif %} -{% if area_config.shortcut is vyos_defined %} +{% endif %} +{% if area_config.shortcut is vyos_defined %} area {{ area_id }} shortcut {{ area_config.shortcut }} -{% endif %} -{% if area_config.virtual_link is vyos_defined %} -{% for link, link_config in area_config.virtual_link.items() %} -{% if link_config.authentication.plaintext_password is vyos_defined %} +{% endif %} +{% if area_config.virtual_link is vyos_defined %} +{% for link, link_config in area_config.virtual_link.items() %} +{% if link_config.authentication.plaintext_password is vyos_defined %} area {{ area_id }} virtual-link {{ link }} authentication-key {{ link_config.authentication.plaintext_password }} -{% elif link_config.authentication.md5.key_id is vyos_defined %} -{% for key, key_config in link_config.authentication.md5.key_id.items() %} +{% elif link_config.authentication.md5.key_id is vyos_defined %} +{% for key, key_config in link_config.authentication.md5.key_id.items() %} area {{ area_id }} virtual-link {{ link }} message-digest-key {{ key }} md5 {{ key_config.md5_key }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {# The following values are default values #} area {{ area_id }} virtual-link {{ link }} hello-interval {{ link_config.hello_interval }} retransmit-interval {{ link_config.retransmit_interval }} transmit-delay {{ link_config.transmit_delay }} dead-interval {{ link_config.dead_interval }} -{% endfor %} -{% endif %} -{% endfor %} +{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if auto_cost.reference_bandwidth is vyos_defined %} auto-cost reference-bandwidth {{ auto_cost.reference_bandwidth }} @@ -154,9 +154,9 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} mpls-te router-address {{ mpls_te.router_address }} {% endif %} {% if neighbor is vyos_defined %} -{% for address, address_config in neighbor.items() %} +{% for address, address_config in neighbor.items() %} neighbor {{ address }} {{ 'priority ' + address_config.priority if address_config.priority is vyos_defined }} {{ 'poll-interval ' + address_config.poll_interval if address_config.poll_interval is vyos_defined }} -{% endfor %} +{% endfor %} {% endif %} {% if parameters.abr_type is vyos_defined %} ospf abr-type {{ parameters.abr_type }} @@ -168,15 +168,15 @@ router ospf {{ 'vrf ' ~ vrf if vrf is vyos_defined }} passive-interface default {% endif %} {% if redistribute is vyos_defined %} -{% for protocol, protocols_options in redistribute.items() %} -{% if protocol == 'table' %} -{% for table, table_options in protocols_options.items() %} +{% for protocol, protocols_options in redistribute.items() %} +{% if protocol == 'table' %} +{% for table, table_options in protocols_options.items() %} redistribute {{ protocol }} {{ table }} {{ 'metric ' + table_options.metric if table_options.metric is vyos_defined }} {{ 'metric-type ' + table_options.metric_type if table_options.metric_type is vyos_defined }} {{ 'route-map ' + table_options.route_map if table_options.route_map is vyos_defined }} -{% endfor %} -{% else %} +{% endfor %} +{% else %} redistribute {{ protocol }} {{ 'metric ' + protocols_options.metric if protocols_options.metric is vyos_defined }} {{ 'metric-type ' + protocols_options.metric_type if protocols_options.metric_type is vyos_defined }} {{ 'route-map ' + protocols_options.route_map if protocols_options.route_map is vyos_defined }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if refresh.timers is vyos_defined %} refresh timer {{ refresh.timers }} diff --git a/data/templates/frr/pimd.frr.tmpl b/data/templates/frr/pimd.frr.j2 index a5b56223a..cb2f2aa98 100644 --- a/data/templates/frr/pimd.frr.tmpl +++ b/data/templates/frr/pimd.frr.j2 @@ -1,8 +1,8 @@ ! {% for rp_addr in old_pim.rp %} -{% for group in old_pim.rp[rp_addr] %} +{% for group in old_pim.rp[rp_addr] %} no ip pim rp {{ rp_addr }} {{ group }} -{% endfor %} +{% endfor %} {% endfor %} {% if old_pim.rp_keep_alive %} no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }} @@ -15,18 +15,18 @@ no ip pim {% for iface in pim.ifaces %} interface {{ iface }} ip pim -{% if pim.ifaces[iface].dr_prio %} +{% if pim.ifaces[iface].dr_prio %} ip pim drpriority {{ pim.ifaces[iface].dr_prio }} -{% endif %} -{% if pim.ifaces[iface].hello %} +{% endif %} +{% if pim.ifaces[iface].hello %} ip pim hello {{ pim.ifaces[iface].hello }} -{% endif %} +{% endif %} ! {% endfor %} {% for rp_addr in pim.rp %} -{% for group in pim.rp[rp_addr] %} +{% for group in pim.rp[rp_addr] %} ip pim rp {{ rp_addr }} {{ group }} -{% endfor %} +{% endfor %} {% endfor %} {% if pim.rp_keep_alive %} ip pim rp keep-alive-timer {{ pim.rp_keep_alive }} diff --git a/data/templates/frr/policy.frr.j2 b/data/templates/frr/policy.frr.j2 new file mode 100644 index 000000000..a42b73e98 --- /dev/null +++ b/data/templates/frr/policy.frr.j2 @@ -0,0 +1,331 @@ +{% if access_list is vyos_defined %} +{% for acl, acl_config in access_list.items() | natural_sort %} +{% if acl_config.description is vyos_defined %} +access-list {{ acl }} remark {{ acl_config.description }} +{% endif %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +{% set ip = '' %} +{% set src = '' %} +{% set src_mask = '' %} +{% if rule_config.source.any is vyos_defined %} +{% set src = 'any' %} +{% elif rule_config.source.host is vyos_defined %} +{% set src = 'host ' ~ rule_config.source.host %} +{% elif rule_config.source.network is vyos_defined %} +{% set src = rule_config.source.network %} +{% set src_mask = rule_config.source.inverse_mask %} +{% endif %} +{% set dst = '' %} +{% set dst_mask = '' %} +{% if (acl | int >= 100 and acl | int <= 199) or (acl | int >= 2000 and acl | int <= 2699) %} +{% set ip = 'ip' %} +{% set dst = 'any' %} +{% if rule_config.destination.any is vyos_defined %} +{% set dst = 'any' %} +{% elif rule_config.destination.host is vyos_defined %} +{% set dst = 'host ' ~ rule_config.destination.host %} +{% elif rule_config.destination.network is vyos_defined %} +{% set dst = rule_config.destination.network %} +{% set dst_mask = rule_config.destination.inverse_mask %} +{% endif %} +{% endif %} +access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ ip }} {{ src }} {{ src_mask }} {{ dst }} {{ dst_mask }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if access_list6 is vyos_defined %} +{% for acl, acl_config in access_list6.items() | natural_sort %} +{% if acl_config.description is vyos_defined %} +ipv6 access-list {{ acl }} remark {{ acl_config.description }} +{% endif %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +{% set src = '' %} +{% if rule_config.source.any is vyos_defined %} +{% set src = 'any' %} +{% elif rule_config.source.network is vyos_defined %} +{% set src = rule_config.source.network %} +{% endif %} +ipv6 access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ src }} {{ 'exact-match' if rule_config.source.exact_match is vyos_defined }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if as_path_list is vyos_defined %} +{% for acl, acl_config in as_path_list.items() | natural_sort %} +{% if acl_config.rule is vyos_defined %} +{% for rule, rule_config in acl_config.rule.items() | natural_sort %} +bgp as-path access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if community_list is vyos_defined %} +{% for list, list_config in community_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if extcommunity_list is vyos_defined %} +{% for list, list_config in extcommunity_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp extcommunity-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp extcommunity-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if large_community_list is vyos_defined %} +{% for list, list_config in large_community_list.items() | natural_sort %} +{% if list_config.rule is vyos_defined %} +{% for rule, rule_config in list_config.rule.items() | natural_sort %} +{# by default, if casting to int fails it returns 0 #} +{% if list | int != 0 %} +bgp large-community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% else %} +bgp large-community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if prefix_list is vyos_defined %} +{% for prefix_list, prefix_list_config in prefix_list.items() | natural_sort %} +{% if prefix_list_config.description is vyos_defined %} +ip prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} +{% endif %} +{% if prefix_list_config.rule is vyos_defined %} +{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} +{% if rule_config.prefix is vyos_defined %} +ip prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if prefix_list6 is vyos_defined %} +{% for prefix_list, prefix_list_config in prefix_list6.items() | natural_sort %} +{% if prefix_list_config.description is vyos_defined %} +ipv6 prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} +{% endif %} +{% if prefix_list_config.rule is vyos_defined %} +{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} +{% if rule_config.prefix is vyos_defined %} +ipv6 prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +! +{% if route_map is vyos_defined %} +{% for route_map, route_map_config in route_map.items() | natural_sort %} +{% if route_map_config.rule is vyos_defined %} +{% for rule, rule_config in route_map_config.rule.items() | natural_sort %} +route-map {{ route_map }} {{ rule_config.action }} {{ rule }} +{% if rule_config.call is vyos_defined %} + call {{ rule_config.call }} +{% endif %} +{% if rule_config.continue is vyos_defined %} + on-match goto {{ rule_config.continue }} +{% endif %} +{% if rule_config.description is vyos_defined %} + description {{ rule_config.description }} +{% endif %} +{% if rule_config.match is vyos_defined %} +{% if rule_config.match.as_path is vyos_defined %} + match as-path {{ rule_config.match.as_path }} +{% endif %} +{% if rule_config.match.community.community_list is vyos_defined %} + match community {{ rule_config.match.community.community_list }} {{ 'exact-match' if rule_config.match.community.exact_match is vyos_defined }} +{% endif %} +{% if rule_config.match.extcommunity is vyos_defined %} + match extcommunity {{ rule_config.match.extcommunity }} +{% endif %} +{% if rule_config.match.evpn.default_route is vyos_defined %} + match evpn default-route +{% endif %} +{% if rule_config.match.evpn.rd is vyos_defined %} + match evpn rd {{ rule_config.match.evpn.rd }} +{% endif %} +{% if rule_config.match.evpn.route_type is vyos_defined %} + match evpn route-type {{ rule_config.match.evpn.route_type }} +{% endif %} +{% if rule_config.match.evpn.vni is vyos_defined %} + match evpn vni {{ rule_config.match.evpn.vni }} +{% endif %} +{% if rule_config.match.interface is vyos_defined %} + match interface {{ rule_config.match.interface }} +{% endif %} +{% if rule_config.match.ip.address.access_list is vyos_defined %} + match ip address {{ rule_config.match.ip.address.access_list }} +{% endif %} +{% if rule_config.match.ip.address.prefix_list is vyos_defined %} + match ip address prefix-list {{ rule_config.match.ip.address.prefix_list }} +{% endif %} +{% if rule_config.match.ip.nexthop.access_list is vyos_defined %} + match ip next-hop {{ rule_config.match.ip.nexthop.access_list }} +{% endif %} +{% if rule_config.match.ip.nexthop.prefix_list is vyos_defined %} + match ip next-hop prefix-list {{ rule_config.match.ip.nexthop.prefix_list }} +{% endif %} +{% if rule_config.match.ip.route_source.access_list is vyos_defined %} + match ip route-source {{ rule_config.match.ip.route_source.access_list }} +{% endif %} +{% if rule_config.match.ip.route_source.prefix_list is vyos_defined %} + match ip route-source prefix-list {{ rule_config.match.ip.route_source.prefix_list }} +{% endif %} +{% if rule_config.match.ipv6.address.access_list is vyos_defined %} + match ipv6 address {{ rule_config.match.ipv6.address.access_list }} +{% endif %} +{% if rule_config.match.ipv6.address.prefix_list is vyos_defined %} + match ipv6 address prefix-list {{ rule_config.match.ipv6.address.prefix_list }} +{% endif %} +{% if rule_config.match.ipv6.nexthop is vyos_defined %} + match ipv6 next-hop address {{ rule_config.match.ipv6.nexthop }} +{% endif %} +{% if rule_config.match.large_community.large_community_list is vyos_defined %} + match large-community {{ rule_config.match.large_community.large_community_list }} +{% endif %} +{% if rule_config.match.local_preference is vyos_defined %} + match local-preference {{ rule_config.match.local_preference }} +{% endif %} +{% if rule_config.match.metric is vyos_defined %} + match metric {{ rule_config.match.metric }} +{% endif %} +{% if rule_config.match.origin is vyos_defined %} + match origin {{ rule_config.match.origin }} +{% endif %} +{% if rule_config.match.peer is vyos_defined %} + match peer {{ rule_config.match.peer }} +{% endif %} +{% if rule_config.match.rpki is vyos_defined %} + match rpki {{ rule_config.match.rpki }} +{% endif %} +{% if rule_config.match.tag is vyos_defined %} + match tag {{ rule_config.match.tag }} +{% endif %} +{% endif %} +{% if rule_config.on_match.next is vyos_defined %} + on-match next +{% endif %} +{% if rule_config.on_match.goto is vyos_defined %} + on-match goto {{ rule_config.on_match.goto }} +{% endif %} +{% if rule_config.set is vyos_defined %} +{% if rule_config.set.aggregator.as is vyos_defined and rule_config.set.aggregator.ip is vyos_defined %} + set aggregator as {{ rule_config.set.aggregator.as }} {{ rule_config.set.aggregator.ip }} +{% endif %} +{% if rule_config.set.as_path.exclude is vyos_defined %} + set as-path exclude {{ rule_config.set.as_path.exclude }} +{% endif %} +{% if rule_config.set.as_path.prepend is vyos_defined %} + set as-path prepend {{ rule_config.set.as_path.prepend }} +{% endif %} +{% if rule_config.set.as_path.prepend_last_as is vyos_defined %} + set as-path prepend last-as {{ rule_config.set.as_path.prepend_last_as }} +{% endif %} +{% if rule_config.set.atomic_aggregate is vyos_defined %} + set atomic-aggregate +{% endif %} +{% if rule_config.set.comm_list.comm_list is vyos_defined %} + set comm-list {{ rule_config.set.comm_list.comm_list }} {{ 'delete' if rule_config.set.comm_list.delete is vyos_defined }} +{% endif %} +{% if rule_config.set.community is vyos_defined %} + set community {{ rule_config.set.community }} +{% endif %} +{% if rule_config.set.distance is vyos_defined %} + set distance {{ rule_config.set.distance }} +{% endif %} +{% if rule_config.set.evpn.gateway.ipv4 is vyos_defined %} + set evpn gateway-ip ipv4 {{ rule_config.set.evpn.gateway.ipv4 }} +{% endif %} +{% if rule_config.set.evpn.gateway.ipv6 is vyos_defined %} + set evpn gateway-ip ipv6 {{ rule_config.set.evpn.gateway.ipv6 }} +{% endif %} +{% if rule_config.set.extcommunity.bandwidth is vyos_defined %} + set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} +{% endif %} +{% if rule_config.set.extcommunity.rt is vyos_defined %} + set extcommunity rt {{ rule_config.set.extcommunity.rt }} +{% endif %} +{% if rule_config.set.extcommunity.soo is vyos_defined %} + set extcommunity soo {{ rule_config.set.extcommunity.soo }} +{% endif %} +{% if rule_config.set.ip_next_hop is vyos_defined %} + set ip next-hop {{ rule_config.set.ip_next_hop }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.global is vyos_defined %} + set ipv6 next-hop global {{ rule_config.set.ipv6_next_hop.global }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.local is vyos_defined %} + set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} +{% endif %} +{% if rule_config.set.ipv6_next_hop.peer_address is vyos_defined %} + set ipv6 next-hop peer-address +{% endif %} +{% if rule_config.set.ipv6_next_hop.prefer_global is vyos_defined %} + set ipv6 next-hop prefer-global +{% endif %} +{% if rule_config.set.large_community is vyos_defined %} + set large-community {{ rule_config.set.large_community }} +{% endif %} +{% if rule_config.set.large_comm_list_delete is vyos_defined %} + set large-comm-list {{ rule_config.set.large_comm_list_delete }} delete +{% endif %} +{% if rule_config.set.local_preference is vyos_defined %} + set local-preference {{ rule_config.set.local_preference }} +{% endif %} +{% if rule_config.set.metric is vyos_defined %} + set metric {{ rule_config.set.metric }} +{% endif %} +{% if rule_config.set.metric_type is vyos_defined %} + set metric-type {{ rule_config.set.metric_type }} +{% endif %} +{% if rule_config.set.origin is vyos_defined %} + set origin {{ rule_config.set.origin }} +{% endif %} +{% if rule_config.set.originator_id is vyos_defined %} + set originator-id {{ rule_config.set.originator_id }} +{% endif %} +{% if rule_config.set.src is vyos_defined %} + set src {{ rule_config.set.src }} +{% endif %} +{% if rule_config.set.table is vyos_defined %} + set table {{ rule_config.set.table }} +{% endif %} +{% if rule_config.set.tag is vyos_defined %} + set tag {{ rule_config.set.tag }} +{% endif %} +{% if rule_config.set.weight is vyos_defined %} + set weight {{ rule_config.set.weight }} +{% endif %} +{% endif %} +exit +! +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/frr/policy.frr.tmpl b/data/templates/frr/policy.frr.tmpl deleted file mode 100644 index 814dbf761..000000000 --- a/data/templates/frr/policy.frr.tmpl +++ /dev/null @@ -1,322 +0,0 @@ -{% if access_list is vyos_defined %} -{% for acl, acl_config in access_list.items() | natural_sort %} -{% if acl_config.description is vyos_defined %} -access-list {{ acl }} remark {{ acl_config.description }} -{% endif %} -{% if acl_config.rule is vyos_defined %} -{% for rule, rule_config in acl_config.rule.items() | natural_sort %} -{% set ip = '' %} -{% set src = '' %} -{% set src_mask = '' %} -{% if rule_config.source.any is vyos_defined %} -{% set src = 'any' %} -{% elif rule_config.source.host is vyos_defined %} -{% set src = 'host ' ~ rule_config.source.host %} -{% elif rule_config.source.network is vyos_defined %} -{% set src = rule_config.source.network %} -{% set src_mask = rule_config.source.inverse_mask %} -{% endif %} -{% set dst = '' %} -{% set dst_mask = '' %} -{% if (acl|int >= 100 and acl|int <= 199) or (acl|int >= 2000 and acl|int <= 2699) %} -{% set ip = 'ip' %} -{% set dst = 'any' %} -{% if rule_config.destination.any is vyos_defined %} -{% set dst = 'any' %} -{% elif rule_config.destination.host is vyos_defined %} -{% set dst = 'host ' ~ rule_config.destination.host %} -{% elif rule_config.destination.network is vyos_defined %} -{% set dst = rule_config.destination.network %} -{% set dst_mask = rule_config.destination.inverse_mask %} -{% endif %} -{% endif %} -access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ ip }} {{ src }} {{ src_mask }} {{ dst }} {{ dst_mask }} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if access_list6 is vyos_defined %} -{% for acl, acl_config in access_list6.items() | natural_sort %} -{% if acl_config.description is vyos_defined %} -ipv6 access-list {{ acl }} remark {{ acl_config.description }} -{% endif %} -{% if acl_config.rule is vyos_defined %} -{% for rule, rule_config in acl_config.rule.items() | natural_sort %} -{% set src = '' %} -{% if rule_config.source.any is vyos_defined %} -{% set src = 'any' %} -{% elif rule_config.source.network is vyos_defined %} -{% set src = rule_config.source.network %} -{% endif %} -ipv6 access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ src }} {{ 'exact-match' if rule_config.source.exact_match is vyos_defined }} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if as_path_list is vyos_defined %} -{% for acl, acl_config in as_path_list.items() | natural_sort %} -{% if acl_config.rule is vyos_defined %} -{% for rule, rule_config in acl_config.rule.items() | natural_sort %} -bgp as-path access-list {{ acl }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if community_list is vyos_defined %} -{% for list, list_config in community_list.items() | natural_sort %} -{% if list_config.rule is vyos_defined %} -{% for rule, rule_config in list_config.rule.items() | natural_sort %} -{# by default, if casting to int fails it returns 0 #} -{% if list|int != 0 %} -bgp community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% else %} -bgp community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if extcommunity_list is vyos_defined %} -{% for list, list_config in extcommunity_list.items() | natural_sort %} -{% if list_config.rule is vyos_defined %} -{% for rule, rule_config in list_config.rule.items() | natural_sort %} -{# by default, if casting to int fails it returns 0 #} -{% if list|int != 0 %} -bgp extcommunity-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% else %} -bgp extcommunity-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if large_community_list is vyos_defined %} -{% for list, list_config in large_community_list.items() | natural_sort %} -{% if list_config.rule is vyos_defined %} -{% for rule, rule_config in list_config.rule.items() | natural_sort %} -{# by default, if casting to int fails it returns 0 #} -{% if list|int != 0 %} -bgp large-community-list {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% else %} -bgp large-community-list expanded {{ list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.regex }} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if prefix_list is vyos_defined %} -{% for prefix_list, prefix_list_config in prefix_list.items() | natural_sort %} -{% if prefix_list_config.description is vyos_defined %} -ip prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} -{% endif %} -{% if prefix_list_config.rule is vyos_defined %} -{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} -{% if rule_config.prefix is vyos_defined %} -ip prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if prefix_list6 is vyos_defined %} -{% for prefix_list, prefix_list_config in prefix_list6.items() | natural_sort %} -{% if prefix_list_config.description is vyos_defined %} -ipv6 prefix-list {{ prefix_list }} description {{ prefix_list_config.description }} -{% endif %} -{% if prefix_list_config.rule is vyos_defined %} -{% for rule, rule_config in prefix_list_config.rule.items() | natural_sort %} -{% if rule_config.prefix is vyos_defined %} -ipv6 prefix-list {{ prefix_list }} seq {{ rule }} {{ rule_config.action }} {{ rule_config.prefix }} {{ 'ge ' ~ rule_config.ge if rule_config.ge is vyos_defined }} {{ 'le ' ~ rule_config.le if rule_config.le is vyos_defined }} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -! -{% if route_map is vyos_defined %} -{% for route_map, route_map_config in route_map.items() | natural_sort %} -{% if route_map_config.rule is vyos_defined %} -{% for rule, rule_config in route_map_config.rule.items() | natural_sort %} -route-map {{ route_map }} {{ rule_config.action }} {{ rule }} -{% if rule_config.call is vyos_defined %} - call {{ rule_config.call }} -{% endif %} -{% if rule_config.continue is vyos_defined %} - on-match goto {{ rule_config.continue }} -{% endif %} -{% if rule_config.description is vyos_defined %} - description {{ rule_config.description }} -{% endif %} -{% if rule_config.match is vyos_defined %} -{% if rule_config.match.as_path is vyos_defined %} - match as-path {{ rule_config.match.as_path }} -{% endif %} -{% if rule_config.match.community.community_list is vyos_defined %} - match community {{ rule_config.match.community.community_list }} {{ 'exact-match' if rule_config.match.community.exact_match is vyos_defined }} -{% endif %} -{% if rule_config.match.extcommunity is vyos_defined %} - match extcommunity {{ rule_config.match.extcommunity }} -{% endif %} -{% if rule_config.match.evpn.default_route is vyos_defined %} - match evpn default-route -{% endif %} -{% if rule_config.match.evpn.rd is vyos_defined %} - match evpn rd {{ rule_config.match.evpn.rd }} -{% endif %} -{% if rule_config.match.evpn.route_type is vyos_defined %} - match evpn route-type {{ rule_config.match.evpn.route_type }} -{% endif %} -{% if rule_config.match.evpn.vni is vyos_defined %} - match evpn vni {{ rule_config.match.evpn.vni }} -{% endif %} -{% if rule_config.match.interface is vyos_defined %} - match interface {{ rule_config.match.interface }} -{% endif %} -{% if rule_config.match.ip.address.access_list is vyos_defined %} - match ip address {{ rule_config.match.ip.address.access_list }} -{% endif %} -{% if rule_config.match.ip.address.prefix_list is vyos_defined %} - match ip address prefix-list {{ rule_config.match.ip.address.prefix_list }} -{% endif %} -{% if rule_config.match.ip.nexthop.access_list is vyos_defined %} - match ip next-hop {{ rule_config.match.ip.nexthop.access_list }} -{% endif %} -{% if rule_config.match.ip.nexthop.prefix_list is vyos_defined %} - match ip next-hop prefix-list {{ rule_config.match.ip.nexthop.prefix_list }} -{% endif %} -{% if rule_config.match.ip.route_source.access_list is vyos_defined %} - match ip route-source {{ rule_config.match.ip.route_source.access_list }} -{% endif %} -{% if rule_config.match.ip.route_source.prefix_list is vyos_defined %} - match ip route-source prefix-list {{ rule_config.match.ip.route_source.prefix_list }} -{% endif %} -{% if rule_config.match.ipv6.address.access_list is vyos_defined %} - match ipv6 address {{ rule_config.match.ipv6.address.access_list }} -{% endif %} -{% if rule_config.match.ipv6.address.prefix_list is vyos_defined %} - match ipv6 address prefix-list {{ rule_config.match.ipv6.address.prefix_list }} -{% endif %} -{% if rule_config.match.ipv6.nexthop is vyos_defined %} - match ipv6 next-hop address {{ rule_config.match.ipv6.nexthop }} -{% endif %} -{% if rule_config.match.large_community.large_community_list is vyos_defined %} - match large-community {{ rule_config.match.large_community.large_community_list }} -{% endif %} -{% if rule_config.match.local_preference is vyos_defined %} - match local-preference {{ rule_config.match.local_preference }} -{% endif %} -{% if rule_config.match.metric is vyos_defined %} - match metric {{ rule_config.match.metric }} -{% endif %} -{% if rule_config.match.origin is vyos_defined %} - match origin {{ rule_config.match.origin }} -{% endif %} -{% if rule_config.match.peer is vyos_defined %} - match peer {{ rule_config.match.peer }} -{% endif %} -{% if rule_config.match.rpki is vyos_defined %} - match rpki {{ rule_config.match.rpki }} -{% endif %} -{% if rule_config.match.tag is vyos_defined %} - match tag {{ rule_config.match.tag }} -{% endif %} -{% endif %} -{% if rule_config.on_match.next is vyos_defined %} - on-match next -{% endif %} -{% if rule_config.on_match.goto is vyos_defined %} - on-match goto {{ rule_config.on_match.goto }} -{% endif %} -{% if rule_config.set is vyos_defined %} -{% if rule_config.set.aggregator.as is vyos_defined and rule_config.set.aggregator.ip is vyos_defined %} - set aggregator as {{ rule_config.set.aggregator.as }} {{ rule_config.set.aggregator.ip }} -{% endif %} -{% if rule_config.set.as_path_exclude is vyos_defined %} - set as-path exclude {{ rule_config.set.as_path_exclude }} -{% endif %} -{% if rule_config.set.as_path_prepend is vyos_defined %} - set as-path prepend {{ rule_config.set.as_path_prepend }} -{% endif %} -{% if rule_config.set.atomic_aggregate is vyos_defined %} - set atomic-aggregate -{% endif %} -{% if rule_config.set.comm_list.comm_list is vyos_defined %} - set comm-list {{ rule_config.set.comm_list.comm_list }} {{ 'delete' if rule_config.set.comm_list.delete is vyos_defined }} -{% endif %} -{% if rule_config.set.community is vyos_defined %} - set community {{ rule_config.set.community }} -{% endif %} -{% if rule_config.set.distance is vyos_defined %} - set distance {{ rule_config.set.distance }} -{% endif %} -{% if rule_config.set.extcommunity.bandwidth is vyos_defined %} - set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }} -{% endif %} -{% if rule_config.set.extcommunity.rt is vyos_defined %} - set extcommunity rt {{ rule_config.set.extcommunity.rt }} -{% endif %} -{% if rule_config.set.extcommunity.soo is vyos_defined %} - set extcommunity soo {{ rule_config.set.extcommunity.soo }} -{% endif %} -{% if rule_config.set.ip_next_hop is vyos_defined %} - set ip next-hop {{ rule_config.set.ip_next_hop }} -{% endif %} -{% if rule_config.set.ipv6_next_hop.global is vyos_defined %} - set ipv6 next-hop global {{ rule_config.set.ipv6_next_hop.global }} -{% endif %} -{% if rule_config.set.ipv6_next_hop.local is vyos_defined %} - set ipv6 next-hop local {{ rule_config.set.ipv6_next_hop.local }} -{% endif %} -{% if rule_config.set.ipv6_next_hop.peer_address is vyos_defined %} - set ipv6 next-hop peer-address -{% endif %} -{% if rule_config.set.ipv6_next_hop.prefer_global is vyos_defined %} - set ipv6 next-hop prefer-global -{% endif %} -{% if rule_config.set.large_community is vyos_defined %} - set large-community {{ rule_config.set.large_community }} -{% endif %} -{% if rule_config.set.large_comm_list_delete is vyos_defined %} - set large-comm-list {{ rule_config.set.large_comm_list_delete }} delete -{% endif %} -{% if rule_config.set.local_preference is vyos_defined %} - set local-preference {{ rule_config.set.local_preference }} -{% endif %} -{% if rule_config.set.metric is vyos_defined %} - set metric {{ rule_config.set.metric }} -{% endif %} -{% if rule_config.set.metric_type is vyos_defined %} - set metric-type {{ rule_config.set.metric_type }} -{% endif %} -{% if rule_config.set.origin is vyos_defined %} - set origin {{ rule_config.set.origin }} -{% endif %} -{% if rule_config.set.originator_id is vyos_defined %} - set originator-id {{ rule_config.set.originator_id }} -{% endif %} -{% if rule_config.set.src is vyos_defined %} - set src {{ rule_config.set.src }} -{% endif %} -{% if rule_config.set.table is vyos_defined %} - set table {{ rule_config.set.table }} -{% endif %} -{% if rule_config.set.tag is vyos_defined %} - set tag {{ rule_config.set.tag }} -{% endif %} -{% if rule_config.set.weight is vyos_defined %} - set weight {{ rule_config.set.weight }} -{% endif %} -{% endif %} -exit -! -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} diff --git a/data/templates/frr/rip_ripng.frr.j2 b/data/templates/frr/rip_ripng.frr.j2 index 3732371b2..dd547bb3e 100644 --- a/data/templates/frr/rip_ripng.frr.j2 +++ b/data/templates/frr/rip_ripng.frr.j2 @@ -5,32 +5,32 @@ default-metric {{ default_metric }} {% endif %} {% if passive_interface is vyos_defined %} -{% for interface in passive_interface %} +{% for interface in passive_interface %} passive-interface {{ interface }} -{% endfor %} +{% endfor %} {% endif %} {% if network is vyos_defined %} -{% for prefix in network %} +{% for prefix in network %} network {{ prefix }} -{% endfor %} +{% endfor %} {% endif %} {% if interface is vyos_defined %} -{% for ifname in interface %} +{% for ifname in interface %} network {{ ifname }} -{% endfor %} +{% endfor %} {% endif %} {% if route is vyos_defined %} -{% for prefix in route %} +{% for prefix in route %} route {{ prefix }} -{% endfor %} +{% endfor %} {% endif %} {# timers have default values #} timers basic {{ timers['update'] }} {{ timers.timeout }} {{ timers.garbage_collection }} {% if redistribute is vyos_defined %} -{% for protocol, protocol_config in redistribute.items() %} -{% if protocol is vyos_defined('ospfv3') %} -{% set protocol = 'ospf6' %} -{% endif %} +{% for protocol, protocol_config in redistribute.items() %} +{% if protocol is vyos_defined('ospfv3') %} +{% set protocol = 'ospf6' %} +{% endif %} redistribute {{ protocol }} {{ 'metric ' ~ protocol_config.metric if protocol_config.metric is vyos_defined }} {{ 'route-map ' ~ protocol_config.route_map if protocol_config.route_map is vyos_defined }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/frr/ripd.frr.j2 b/data/templates/frr/ripd.frr.j2 new file mode 100644 index 000000000..df35150ca --- /dev/null +++ b/data/templates/frr/ripd.frr.j2 @@ -0,0 +1,92 @@ +{# RIP key-chain definition #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +{% if iface_config.authentication.md5 is vyos_defined %} +key chain {{ iface }}-rip +{% for key_id, key_options in iface_config.authentication.md5.items() %} + key {{ key_id }} +{% if key_options.password is vyos_defined %} + key-string {{ key_options.password }} +{% endif %} + exit +{% endfor %} +exit +{% endif %} +{% endfor %} +{% endif %} +! +{# Interface specific configuration #} +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} +{% if iface_config.authentication.plaintext_password is vyos_defined %} + ip rip authentication mode text + ip rip authentication string {{ iface_config.authentication.plaintext_password }} +{% elif iface_config.authentication.md5 is vyos_defined %} + ip rip authentication key-chain {{ iface }}-rip + ip rip authentication mode md5 +{% endif %} +{% if iface_config.split_horizon.disable is vyos_defined %} + no ip rip split-horizon +{% endif %} +{% if iface_config.split_horizon.poison_reverse is vyos_defined %} + ip rip split-horizon poisoned-reverse +{% endif %} +exit +! +{% endfor %} +{% endif %} +! +router rip +{% if default_distance is vyos_defined %} + distance {{ default_distance }} +{% endif %} +{% if network_distance is vyos_defined %} +{% for network, network_config in network_distance.items() %} +{% if network_config.distance is vyos_defined %} + distance {{ network_config.distance }} {{ network }} +{% endif %} +{% endfor %} +{% endif %} +{% if neighbor is vyos_defined %} +{% for address in neighbor %} + neighbor {{ address }} +{% endfor %} +{% endif %} +{% if distribute_list is vyos_defined %} +{% if distribute_list.access_list.in is vyos_defined %} + distribute-list {{ distribute_list.access_list.in }} in +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} + distribute-list {{ distribute_list.access_list.out }} out +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} + distribute-list {{ interface_config.access_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} + distribute-list {{ interface_config.access_list.out }} out {{ interface }} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} + distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.in }} in +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} + distribute-list prefix {{ distribute_list.prefix_list.out }} out +{% endif %} +{% endif %} +{% include 'frr/rip_ripng.frr.j2' %} +exit +! +{% if route_map is vyos_defined %} +ip protocol rip route-map {{ route_map }} +{% endif %} +! diff --git a/data/templates/frr/ripd.frr.tmpl b/data/templates/frr/ripd.frr.tmpl deleted file mode 100644 index 2dbb93052..000000000 --- a/data/templates/frr/ripd.frr.tmpl +++ /dev/null @@ -1,92 +0,0 @@ -{# RIP key-chain definition #} -{% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} -{% if iface_config.authentication.md5 is vyos_defined %} -key chain {{ iface }}-rip -{% for key_id, key_options in iface_config.authentication.md5.items() %} - key {{ key_id }} -{% if key_options.password is vyos_defined %} - key-string {{ key_options.password }} -{% endif %} - exit -{% endfor %} -exit -{% endif %} -{% endfor %} -{% endif %} -! -{# Interface specific configuration #} -{% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} -interface {{ iface }} -{% if iface_config.authentication.plaintext_password is vyos_defined %} - ip rip authentication mode text - ip rip authentication string {{ iface_config.authentication.plaintext_password }} -{% elif iface_config.authentication.md5 is vyos_defined %} - ip rip authentication key-chain {{ iface }}-rip - ip rip authentication mode md5 -{% endif %} -{% if iface_config.split_horizon.disable is vyos_defined %} - no ip rip split-horizon -{% endif %} -{% if iface_config.split_horizon.poison_reverse is vyos_defined %} - ip rip split-horizon poisoned-reverse -{% endif %} -exit -! -{% endfor %} -{% endif %} -! -router rip -{% if default_distance is vyos_defined %} - distance {{ default_distance }} -{% endif %} -{% if network_distance is vyos_defined %} -{% for network, network_config in network_distance.items() %} -{% if network_config.distance is vyos_defined %} - distance {{ network_config.distance }} {{ network }} -{% endif %} -{% endfor %} -{% endif %} -{% if neighbor is vyos_defined %} -{% for address in neighbor %} - neighbor {{ address }} -{% endfor %} -{% endif %} -{% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} - distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} - distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} - distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} - distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} - distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} - distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} -{% endif %} -{% include 'frr/rip_ripng.frr.j2' %} -exit -! -{% if route_map is vyos_defined %} -ip protocol rip route-map {{ route_map }} -{% endif %} -! diff --git a/data/templates/frr/ripngd.frr.tmpl b/data/templates/frr/ripngd.frr.j2 index 06c61dd48..7919b1bad 100644 --- a/data/templates/frr/ripngd.frr.tmpl +++ b/data/templates/frr/ripngd.frr.j2 @@ -1,52 +1,52 @@ {# Interface specific configuration #} {% if interface is vyos_defined %} -{% for iface, iface_config in interface.items() %} +{% for iface, iface_config in interface.items() %} interface {{ iface }} -{% if iface_config.split_horizon.disable is vyos_defined %} +{% if iface_config.split_horizon.disable is vyos_defined %} no ipv6 rip split-horizon -{% endif %} -{% if iface_config.split_horizon.poison_reverse is vyos_defined %} +{% endif %} +{% if iface_config.split_horizon.poison_reverse is vyos_defined %} ipv6 rip split-horizon poisoned-reverse -{% endif %} +{% endif %} exit -{% endfor %} +{% endfor %} {% endif %} ! router ripng {% if aggregate_address is vyos_defined %} -{% for prefix in aggregate_address %} +{% for prefix in aggregate_address %} aggregate-address {{ prefix }} -{% endfor %} +{% endfor %} {% endif %} {% if distribute_list is vyos_defined %} -{% if distribute_list.access_list.in is vyos_defined %} +{% if distribute_list.access_list.in is vyos_defined %} ipv6 distribute-list {{ distribute_list.access_list.in }} in -{% endif %} -{% if distribute_list.access_list.out is vyos_defined %} +{% endif %} +{% if distribute_list.access_list.out is vyos_defined %} ipv6 distribute-list {{ distribute_list.access_list.out }} out -{% endif %} -{% if distribute_list.interface is vyos_defined %} -{% for interface, interface_config in distribute_list.interface.items() %} -{% if interface_config.access_list.in is vyos_defined %} +{% endif %} +{% if distribute_list.interface is vyos_defined %} +{% for interface, interface_config in distribute_list.interface.items() %} +{% if interface_config.access_list.in is vyos_defined %} ipv6 distribute-list {{ interface_config.access_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.access_list.out is vyos_defined %} +{% endif %} +{% if interface_config.access_list.out is vyos_defined %} ipv6 distribute-list {{ interface_config.access_list.out }} out {{ interface }} -{% endif %} -{% if interface_config.prefix_list.in is vyos_defined %} +{% endif %} +{% if interface_config.prefix_list.in is vyos_defined %} ipv6 distribute-list prefix {{ interface_config.prefix_list.in }} in {{ interface }} -{% endif %} -{% if interface_config.prefix_list.out is vyos_defined %} +{% endif %} +{% if interface_config.prefix_list.out is vyos_defined %} ipv6 distribute-list prefix {{ interface_config.prefix_list.out }} out {{ interface }} -{% endif %} -{% endfor %} -{% endif %} -{% if distribute_list.prefix_list.in is vyos_defined %} +{% endif %} +{% endfor %} +{% endif %} +{% if distribute_list.prefix_list.in is vyos_defined %} ipv6 distribute-list prefix {{ distribute_list.prefix_list.in }} in -{% endif %} -{% if distribute_list.prefix_list.out is vyos_defined %} +{% endif %} +{% if distribute_list.prefix_list.out is vyos_defined %} ipv6 distribute-list prefix {{ distribute_list.prefix_list.out }} out -{% endif %} +{% endif %} {% endif %} {% include 'frr/rip_ripng.frr.j2' %} exit diff --git a/data/templates/frr/rpki.frr.tmpl b/data/templates/frr/rpki.frr.j2 index 3f4fd3236..9a549d6de 100644 --- a/data/templates/frr/rpki.frr.tmpl +++ b/data/templates/frr/rpki.frr.j2 @@ -2,14 +2,14 @@ {# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #} rpki {% if cache is vyos_defined %} -{% for peer, peer_config in cache.items() %} -{# port is mandatory and preference uses a default value #} -{% if peer_config.ssh.username is vyos_defined %} +{% for peer, peer_config in cache.items() %} +{# port is mandatory and preference uses a default value #} +{% if peer_config.ssh.username is vyos_defined %} rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} {{ peer_config.ssh.known_hosts_file }} preference {{ peer_config.preference }} -{% else %} +{% else %} rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} preference {{ peer_config.preference }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if polling_period is vyos_defined %} rpki polling_period {{ polling_period }} diff --git a/data/templates/frr/static_mcast.frr.tmpl b/data/templates/frr/static_mcast.frr.j2 index 4f114109a..491d4b54a 100644 --- a/data/templates/frr/static_mcast.frr.tmpl +++ b/data/templates/frr/static_mcast.frr.j2 @@ -1,20 +1,20 @@ ! {% for route_gr in old_mroute %} -{% for nh in old_mroute[route_gr] %} -{% if old_mroute[route_gr][nh] %} +{% for nh in old_mroute[route_gr] %} +{% if old_mroute[route_gr][nh] %} no ip mroute {{ route_gr }} {{ nh }} {{ old_mroute[route_gr][nh] }} -{% else %} +{% else %} no ip mroute {{ route_gr }} {{ nh }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endfor %} {% for route_gr in mroute %} -{% for nh in mroute[route_gr] %} -{% if mroute[route_gr][nh] %} +{% for nh in mroute[route_gr] %} +{% if mroute[route_gr][nh] %} ip mroute {{ route_gr }} {{ nh }} {{ mroute[route_gr][nh] }} -{% else %} +{% else %} ip mroute {{ route_gr }} {{ nh }} -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} {% endfor %} ! diff --git a/data/templates/frr/static_routes_macro.j2 b/data/templates/frr/static_routes_macro.j2 index 0b242a868..1c64ac58b 100644 --- a/data/templates/frr/static_routes_macro.j2 +++ b/data/templates/frr/static_routes_macro.j2 @@ -1,24 +1,24 @@ {% macro static_routes(ip_ipv6, prefix, prefix_config, table=None) %} -{% if prefix_config.blackhole is vyos_defined %} +{% if prefix_config.blackhole is vyos_defined %} {{ ip_ipv6 }} route {{ prefix }} blackhole {{ prefix_config.blackhole.distance if prefix_config.blackhole.distance is vyos_defined }} {{ 'tag ' ~ prefix_config.blackhole.tag if prefix_config.blackhole.tag is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined and table is not none }} -{% endif %} -{% if prefix_config.reject is vyos_defined %} +{% endif %} +{% if prefix_config.reject is vyos_defined %} {{ ip_ipv6 }} route {{ prefix }} reject {{ prefix_config.reject.distance if prefix_config.reject.distance is vyos_defined }} {{ 'tag ' ~ prefix_config.reject.tag if prefix_config.reject.tag is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} -{% endif %} -{% if prefix_config.dhcp_interface is vyos_defined %} +{% endif %} +{% if prefix_config.dhcp_interface is vyos_defined %} {% set next_hop = prefix_config.dhcp_interface | get_dhcp_router %} {% if next_hop is vyos_defined %} {{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ prefix_config.dhcp_interface }} {{ 'table ' ~ table if table is vyos_defined }} {% endif %} -{% endif %} -{% if prefix_config.interface is vyos_defined %} +{% endif %} +{% if prefix_config.interface is vyos_defined %} {% for interface, interface_config in prefix_config.interface.items() if interface_config.disable is not defined %} {{ ip_ipv6 }} route {{ prefix }} {{ interface }} {{ interface_config.distance if interface_config.distance is vyos_defined }} {{ 'nexthop-vrf ' ~ interface_config.vrf if interface_config.vrf is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} {% endfor %} -{% endif %} -{% if prefix_config.next_hop is vyos_defined and prefix_config.next_hop is not none %} +{% endif %} +{% if prefix_config.next_hop is vyos_defined and prefix_config.next_hop is not none %} {% for next_hop, next_hop_config in prefix_config.next_hop.items() if next_hop_config.disable is not defined %} -{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ next_hop_config.interface if next_hop_config.interface is vyos_defined }} {{ next_hop_config.distance if next_hop_config.distance is vyos_defined }} {{ 'nexthop-vrf ' ~ next_hop_config.vrf if next_hop_config.vrf is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined}} +{{ ip_ipv6 }} route {{ prefix }} {{ next_hop }} {{ next_hop_config.interface if next_hop_config.interface is vyos_defined }} {{ next_hop_config.distance if next_hop_config.distance is vyos_defined }} {{ 'nexthop-vrf ' ~ next_hop_config.vrf if next_hop_config.vrf is vyos_defined }} {{ 'table ' ~ table if table is vyos_defined }} {% endfor %} -{% endif %} +{% endif %} {% endmacro %} diff --git a/data/templates/frr/staticd.frr.j2 b/data/templates/frr/staticd.frr.j2 new file mode 100644 index 000000000..589f03c2c --- /dev/null +++ b/data/templates/frr/staticd.frr.j2 @@ -0,0 +1,64 @@ +{% from 'frr/static_routes_macro.j2' import static_routes %} +! +{% set ip_prefix = 'ip' %} +{% set ipv6_prefix = 'ipv6' %} +{% if vrf is vyos_defined %} +{# We need to add an additional whitespace in front of the prefix #} +{# when VRFs are in use, thus we use a variable for prefix handling #} +{% set ip_prefix = ' ip' %} +{% set ipv6_prefix = ' ipv6' %} +vrf {{ vrf }} +{% endif %} +{# IPv4 routing #} +{% if route is vyos_defined %} +{% for prefix, prefix_config in route.items() %} +{{ static_routes(ip_prefix, prefix, prefix_config) }} +{% endfor %} +{% endif %} +{# IPv4 default routes from DHCP interfaces #} +{% if dhcp is vyos_defined %} +{% for interface, interface_config in dhcp.items() %} +{% set next_hop = interface | get_dhcp_router %} +{% if next_hop is vyos_defined %} +{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.dhcp_options.default_route_distance if interface_config.dhcp_options.default_route_distance is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} +{# IPv4 default routes from PPPoE interfaces #} +{% if pppoe is vyos_defined %} +{% for interface, interface_config in pppoe.items() %} +{{ ip_prefix }} route 0.0.0.0/0 {{ interface }} tag 210 {{ interface_config.default_route_distance if interface_config.default_route_distance is vyos_defined }} +{% endfor %} +{% endif %} +{# IPv6 routing #} +{% if route6 is vyos_defined %} +{% for prefix, prefix_config in route6.items() %} +{{ static_routes(ipv6_prefix, prefix, prefix_config) }} +{% endfor %} +{% endif %} +{% if vrf is vyos_defined %} + exit-vrf +{% endif %} +! +{# Policy route tables #} +{% if table is vyos_defined %} +{% for table_id, table_config in table.items() %} +{% if table_config.route is vyos_defined %} +{% for prefix, prefix_config in table_config.route.items() %} +{{ static_routes('ip', prefix, prefix_config, table_id) }} +{% endfor %} +{% endif %} +! +{% if table_config.route6 is vyos_defined %} +{% for prefix, prefix_config in table_config.route6.items() %} +{{ static_routes('ipv6', prefix, prefix_config, table_id) }} +{% endfor %} +{% endif %} +! +{% endfor %} +{% endif %} +! +{% if route_map is vyos_defined %} +ip protocol static route-map {{ route_map }} +! +{% endif %} diff --git a/data/templates/frr/staticd.frr.tmpl b/data/templates/frr/staticd.frr.tmpl deleted file mode 100644 index c7138b12b..000000000 --- a/data/templates/frr/staticd.frr.tmpl +++ /dev/null @@ -1,58 +0,0 @@ -{% from 'frr/static_routes_macro.j2' import static_routes %} -! -{% set ip_prefix = 'ip' %} -{% set ipv6_prefix = 'ipv6' %} -{% if vrf is vyos_defined %} -{# We need to add an additional whitespace in front of the prefix #} -{# when VRFs are in use, thus we use a variable for prefix handling #} -{% set ip_prefix = ' ip' %} -{% set ipv6_prefix = ' ipv6' %} -vrf {{ vrf }} -{% endif %} -{# IPv4 routing #} -{% if route is vyos_defined %} -{% for prefix, prefix_config in route.items() %} -{{ static_routes(ip_prefix, prefix, prefix_config) }} -{%- endfor -%} -{% endif %} -{# IPv4 default routes from DHCP interfaces #} -{% if dhcp is vyos_defined %} -{% for interface, interface_config in dhcp.items() %} -{% set next_hop = interface | get_dhcp_router %} -{% if next_hop is vyos_defined %} -{{ ip_prefix }} route 0.0.0.0/0 {{ next_hop }} {{ interface }} tag 210 {{ interface_config.distance }} -{% endif %} -{% endfor %} -{% endif %} -{# IPv6 routing #} -{% if route6 is vyos_defined %} -{% for prefix, prefix_config in route6.items() %} -{{ static_routes(ipv6_prefix, prefix, prefix_config) }} -{%- endfor -%} -{% endif %} -{% if vrf is vyos_defined %} - exit-vrf -{% endif %} -! -{# Policy route tables #} -{% if table is vyos_defined %} -{% for table_id, table_config in table.items() %} -{% if table_config.route is vyos_defined %} -{% for prefix, prefix_config in table_config.route.items() %} -{{ static_routes('ip', prefix, prefix_config, table_id) }} -{%- endfor -%} -{% endif %} -! -{% if table_config.route6 is vyos_defined %} -{% for prefix, prefix_config in table_config.route6.items() %} -{{ static_routes('ipv6', prefix, prefix_config, table_id) }} -{%- endfor -%} -{% endif %} -! -{% endfor %} -{% endif %} -! -{% if route_map is vyos_defined %} -ip protocol static route-map {{ route_map }} -! -{% endif %} diff --git a/data/templates/frr/vrf-vni.frr.j2 b/data/templates/frr/vrf-vni.frr.j2 new file mode 100644 index 000000000..e5f4810a1 --- /dev/null +++ b/data/templates/frr/vrf-vni.frr.j2 @@ -0,0 +1,9 @@ +{% if name is vyos_defined %} +{% for vrf, vrf_config in name.items() %} +vrf {{ vrf }} +{% if vrf_config.vni is vyos_defined %} + vni {{ vrf_config.vni }} +{% endif %} + exit-vrf +{% endfor %} +{% endif %} diff --git a/data/templates/frr/vrf-vni.frr.tmpl b/data/templates/frr/vrf-vni.frr.tmpl deleted file mode 100644 index 916b5d05d..000000000 --- a/data/templates/frr/vrf-vni.frr.tmpl +++ /dev/null @@ -1,9 +0,0 @@ -{% if name is vyos_defined %} -{% for vrf, vrf_config in name.items() %} -vrf {{ vrf }} -{% if vrf_config.vni is vyos_defined %} - vni {{ vrf_config.vni }} -{% endif %} - exit-vrf -{% endfor %} -{% endif %} diff --git a/data/templates/frr/vrf.route-map.frr.tmpl b/data/templates/frr/vrf.route-map.frr.j2 index 5e0c56a7b..5e0c56a7b 100644 --- a/data/templates/frr/vrf.route-map.frr.tmpl +++ b/data/templates/frr/vrf.route-map.frr.j2 diff --git a/data/templates/getty/serial-getty.service.tmpl b/data/templates/getty/serial-getty.service.j2 index 0183eae7d..0183eae7d 100644 --- a/data/templates/getty/serial-getty.service.tmpl +++ b/data/templates/getty/serial-getty.service.j2 diff --git a/data/templates/high-availability/keepalived.conf.j2 b/data/templates/high-availability/keepalived.conf.j2 new file mode 100644 index 000000000..6684dbc2c --- /dev/null +++ b/data/templates/high-availability/keepalived.conf.j2 @@ -0,0 +1,169 @@ +# Autogenerated by VyOS +# Do not edit this file, all your changes will be lost +# on next commit or reboot + +global_defs { + dynamic_interfaces + script_user root + notify_fifo /run/keepalived/keepalived_notify_fifo + notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py +} + +{% if vrrp.group is vyos_defined %} +{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %} +{% if group_config.health_check.script is vyos_defined %} +vrrp_script healthcheck_{{ name }} { + script "{{ group_config.health_check.script }}" + interval {{ group_config.health_check.interval }} + fall {{ group_config.health_check.failure_count }} + rise 1 +} +{% endif %} +vrrp_instance {{ name }} { +{% if group_config.description is vyos_defined %} + # {{ group_config.description }} +{% endif %} + state BACKUP + interface {{ group_config.interface }} + virtual_router_id {{ group_config.vrid }} + priority {{ group_config.priority }} + advert_int {{ group_config.advertise_interval }} +{% if group_config.track.exclude_vrrp_interface is vyos_defined %} + dont_track_primary +{% endif %} +{% if group_config.no_preempt is not vyos_defined and group_config.preempt_delay is vyos_defined %} + preempt_delay {{ group_config.preempt_delay }} +{% elif group_config.no_preempt is vyos_defined %} + nopreempt +{% endif %} +{% if group_config.peer_address is vyos_defined %} + unicast_peer { {{ group_config.peer_address }} } +{% endif %} +{% if group_config.hello_source_address is vyos_defined %} +{% if group_config.peer_address is vyos_defined %} + unicast_src_ip {{ group_config.hello_source_address }} +{% else %} + mcast_src_ip {{ group_config.hello_source_address }} +{% endif %} +{% endif %} +{% if group_config.rfc3768_compatibility is vyos_defined and group_config.peer_address is vyos_defined %} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }} + vmac_xmit_base +{% elif group_config.rfc3768_compatibility is vyos_defined %} + use_vmac {{ group_config.interface }}v{{ group_config.vrid }} +{% endif %} +{% if group_config.authentication is vyos_defined %} + authentication { + auth_pass "{{ group_config.authentication.password }}" +{% if group_config.authentication.type is vyos_defined('plaintext-password') %} + auth_type PASS +{% else %} + auth_type {{ group_config.authentication.type | upper }} +{% endif %} + } +{% endif %} +{% if group_config.address is vyos_defined %} + virtual_ipaddress { +{% for addr, addr_config in group_config.address.items() %} + {{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is vyos_defined }} +{% endfor %} + } +{% endif %} +{% if group_config.excluded_address is vyos_defined %} + virtual_ipaddress_excluded { +{% for addr in group_config.excluded_address %} + {{ addr }} +{% endfor %} + } +{% endif %} +{% if group_config.track.interface is vyos_defined %} + track_interface { +{% for interface in group_config.track.interface %} + {{ interface }} +{% endfor %} + } +{% endif %} +{% if group_config.health_check.script is vyos_defined %} + track_script { + healthcheck_{{ name }} + } +{% endif %} +} +{% endfor %} +{% endif %} + +{% if vrrp.sync_group is vyos_defined %} +{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not vyos_defined %} +vrrp_sync_group {{ name }} { + group { +{% if sync_group_config.member is vyos_defined %} +{% for member in sync_group_config.member %} + {{ member }} +{% endfor %} +{% endif %} + } + +{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #} +{% if vrrp.group is vyos_defined %} +{% for name, group_config in vrrp.group.items() if group_config.disable is not vyos_defined %} +{% if group_config.health_check.script is vyos_defined and name in sync_group_config.member %} + track_script { + healthcheck_{{ name }} + } +{% endif %} +{% endfor %} +{% endif %} +{% if conntrack_sync_group is vyos_defined(name) %} +{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} + notify_master "{{ vyos_helper }} master {{ name }}" + notify_backup "{{ vyos_helper }} backup {{ name }}" + notify_fault "{{ vyos_helper }} fault {{ name }}" +{% endif %} +} +{% endfor %} +{% endif %} + +{% if virtual_server is vyos_defined %} +# Virtual-server configuration +{% for vserver, vserver_config in virtual_server.items() %} +virtual_server {{ vserver }} {{ vserver_config.port }} { + delay_loop {{ vserver_config.delay_loop }} +{% if vserver_config.algorithm is vyos_defined('round-robin') %} + lb_algo rr +{% elif vserver_config.algorithm is vyos_defined('weighted-round-robin') %} + lb_algo wrr +{% elif vserver_config.algorithm is vyos_defined('least-connection') %} + lb_algo lc +{% elif vserver_config.algorithm is vyos_defined('weighted-least-connection') %} + lb_algo wlc +{% elif vserver_config.algorithm is vyos_defined('source-hashing') %} + lb_algo sh +{% elif vserver_config.algorithm is vyos_defined('destination-hashing') %} + lb_algo dh +{% elif vserver_config.algorithm is vyos_defined('locality-based-least-connection') %} + lb_algo lblc +{% endif %} +{% if vserver_config.forward_method is vyos_defined('nat') %} + lb_kind NAT +{% elif vserver_config.forward_method is vyos_defined('direct') %} + lb_kind DR +{% elif vserver_config.forward_method is vyos_defined('tunnel') %} + lb_kind TUN +{% endif %} + persistence_timeout {{ vserver_config.persistence_timeout }} + protocol {{ vserver_config.protocol | upper }} +{% if vserver_config.real_server is vyos_defined %} +{% for rserver, rserver_config in vserver_config.real_server.items() %} + real_server {{ rserver }} {{ rserver_config.port }} { + weight 1 + {{ vserver_config.protocol | upper }}_CHECK { +{% if rserver_config.connection_timeout is vyos_defined %} + connect_timeout {{ rserver_config.connection_timeout }} +{% endif %} + } + } +{% endfor %} +{% endif %} +} +{% endfor %} +{% endif %} diff --git a/data/templates/high-availability/keepalived.conf.tmpl b/data/templates/high-availability/keepalived.conf.tmpl deleted file mode 100644 index 68c707f17..000000000 --- a/data/templates/high-availability/keepalived.conf.tmpl +++ /dev/null @@ -1,169 +0,0 @@ -# Autogenerated by VyOS -# Do not edit this file, all your changes will be lost -# on next commit or reboot - -global_defs { - dynamic_interfaces - script_user root - notify_fifo /run/keepalived/keepalived_notify_fifo - notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py -} - -{% if vrrp is defined and vrrp.group is defined and vrrp.group is not none %} -{% for name, group_config in vrrp.group.items() if group_config.disable is not defined %} -{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %} -vrrp_script healthcheck_{{ name }} { - script "{{ group_config.health_check.script }}" - interval {{ group_config.health_check.interval }} - fall {{ group_config.health_check.failure_count }} - rise 1 -} -{% endif %} -vrrp_instance {{ name }} { -{% if group_config.description is defined and group_config.description is not none %} - # {{ group_config.description }} -{% endif %} - state BACKUP - interface {{ group_config.interface }} - virtual_router_id {{ group_config.vrid }} - priority {{ group_config.priority }} - advert_int {{ group_config.advertise_interval }} -{% if group_config.track is defined and group_config.track.exclude_vrrp_interface is defined %} - dont_track_primary -{% endif %} -{% if group_config.no_preempt is not defined and group_config.preempt_delay is defined and group_config.preempt_delay is not none %} - preempt_delay {{ group_config.preempt_delay }} -{% elif group_config.no_preempt is defined %} - nopreempt -{% endif %} -{% if group_config.peer_address is defined and group_config.peer_address is not none %} - unicast_peer { {{ group_config.peer_address }} } -{% endif %} -{% if group_config.hello_source_address is defined and group_config.hello_source_address is not none %} -{% if group_config.peer_address is defined and group_config.peer_address is not none %} - unicast_src_ip {{ group_config.hello_source_address }} -{% else %} - mcast_src_ip {{ group_config.hello_source_address }} -{% endif %} -{% endif %} -{% if group_config.rfc3768_compatibility is defined and group_config.peer_address is defined %} - use_vmac {{ group_config.interface }}v{{ group_config.vrid }} - vmac_xmit_base -{% elif group_config.rfc3768_compatibility is defined %} - use_vmac {{ group_config.interface }}v{{ group_config.vrid }} -{% endif %} -{% if group_config.authentication is defined and group_config.authentication is not none %} - authentication { - auth_pass "{{ group_config.authentication.password }}" -{% if group_config.authentication.type == 'plaintext-password' %} - auth_type PASS -{% else %} - auth_type {{ group_config.authentication.type | upper }} -{% endif %} - } -{% endif %} -{% if group_config.address is defined and group_config.address is not none %} - virtual_ipaddress { -{% for addr, addr_config in group_config.address.items() %} - {{ addr }}{{ ' dev ' + addr_config.interface if addr_config.interface is defined }} -{% endfor %} - } -{% endif %} -{% if group_config.excluded_address is defined and group_config.excluded_address is not none %} - virtual_ipaddress_excluded { -{% for addr in group_config.excluded_address %} - {{ addr }} -{% endfor %} - } -{% endif %} -{% if group_config.track is defined and group_config.track.interface is defined and group_config.track.interface is not none %} - track_interface { -{% for interface in group_config.track.interface %} - {{ interface }} -{% endfor %} - } -{% endif %} -{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none %} - track_script { - healthcheck_{{ name }} - } -{% endif %} -} -{% endfor %} -{% endif %} - -{% if vrrp is defined and vrrp.sync_group is defined and vrrp.sync_group is not none %} -{% for name, sync_group_config in vrrp.sync_group.items() if sync_group_config.disable is not defined %} -vrrp_sync_group {{ name }} { - group { -{% if sync_group_config.member is defined and sync_group_config.member is not none %} -{% for member in sync_group_config.member %} - {{ member }} -{% endfor %} -{% endif %} - } - -{# Health-check scripts should be in section sync-group if member is part of the sync-group T4081 #} -{% if vrrp is defined and vrrp.group is defined and vrrp.group is not none %} -{% for name, group_config in vrrp.group.items() if group_config.disable is not defined %} -{% if group_config.health_check is defined and group_config.health_check.script is defined and group_config.health_check.script is not none and name in sync_group_config.member %} - track_script { - healthcheck_{{ name }} - } -{% endif %} -{% endfor %} -{% endif %} -{% if conntrack_sync_group is defined and conntrack_sync_group == name %} -{% set vyos_helper = "/usr/libexec/vyos/vyos-vrrp-conntracksync.sh" %} - notify_master "{{ vyos_helper }} master {{ name }}" - notify_backup "{{ vyos_helper }} backup {{ name }}" - notify_fault "{{ vyos_helper }} fault {{ name }}" -{% endif %} -} -{% endfor %} -{% endif %} - -{% if virtual_server is defined and virtual_server is not none %} -# Virtual-server configuration -{% for vserver, vserver_config in virtual_server.items() %} -virtual_server {{ vserver }} {{ vserver_config.port }} { - delay_loop {{ vserver_config.delay_loop }} -{% if vserver_config.algorithm == 'round-robin' %} - lb_algo rr -{% elif vserver_config.algorithm == 'weighted-round-robin' %} - lb_algo wrr -{% elif vserver_config.algorithm == 'least-connection' %} - lb_algo lc -{% elif vserver_config.algorithm == 'weighted-least-connection' %} - lb_algo wlc -{% elif vserver_config.algorithm == 'source-hashing' %} - lb_algo sh -{% elif vserver_config.algorithm == 'destination-hashing' %} - lb_algo dh -{% elif vserver_config.algorithm == 'locality-based-least-connection' %} - lb_algo lblc -{% endif %} -{% if vserver_config.forward_method == "nat" %} - lb_kind NAT -{% elif vserver_config.forward_method == "direct" %} - lb_kind DR -{% elif vserver_config.forward_method == "tunnel" %} - lb_kind TUN -{% endif %} - persistence_timeout {{ vserver_config.persistence_timeout }} - protocol {{ vserver_config.protocol | upper }} -{% if vserver_config.real_server is defined and vserver_config.real_server is not none %} -{% for rserver, rserver_config in vserver_config.real_server.items() %} - real_server {{ rserver }} {{ rserver_config.port }} { - weight 1 - {{ vserver_config.protocol | upper }}_CHECK { -{% if rserver_config.connection_timeout is defined and rserver_config.connection_timeout is not none %} - connect_timeout {{ rserver_config.connection_timeout }} -{% endif %} - } - } -{% endfor %} -{% endif %} -} -{% endfor %} -{% endif %} diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.j2 index a51505270..70e62ae7a 100644 --- a/data/templates/https/nginx.default.tmpl +++ b/data/templates/https/nginx.default.j2 @@ -1,59 +1,56 @@ ### Autogenerated by https.py ### # Default server configuration -# {% for server in server_block_list %} server { - # SSL configuration # -{% if server.address == '*' %} +{% if server.address == '*' %} listen {{ server.port }} ssl; listen [::]:{{ server.port }} ssl; -{% else %} +{% else %} listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; -{% endif %} +{% endif %} -{% for name in server.name %} +{% for name in server.name %} server_name {{ name }}; -{% endfor %} +{% endfor %} -{% if server.certbot %} +{% if server.certbot %} ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem; include {{ server.certbot_dir }}/options-ssl-nginx.conf; ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem; -{% elif server.vyos_cert %} +{% elif server.vyos_cert %} ssl_certificate {{ server.vyos_cert.crt }}; ssl_certificate_key {{ server.vyos_cert.key }}; -{% else %} +{% else %} # # Self signed certs generated by the ssl-cert package # Don't use them in a production server! # include snippets/snakeoil.conf; -{% endif %} +{% endif %} ssl_protocols TLSv1.2 TLSv1.3; # proxy settings for HTTP API, if enabled; 503, if not location ~ /(retrieve|configure|config-file|image|generate|show|docs|openapi.json|redoc|graphql) { -{% if server.api %} -{% if server.api.socket %} +{% if server.api %} +{% if server.api.socket %} proxy_pass http://unix:/run/api.sock; -{% else %} +{% else %} proxy_pass http://localhost:{{ server.api.port }}; -{% endif %} +{% endif %} proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 600; proxy_buffering off; -{% else %} +{% else %} return 503; -{% endif %} +{% endif %} } error_page 497 =301 https://$host:{{ server.port }}$request_uri; - } {% endfor %} diff --git a/data/templates/https/override.conf.j2 b/data/templates/https/override.conf.j2 new file mode 100644 index 000000000..c2c191b06 --- /dev/null +++ b/data/templates/https/override.conf.j2 @@ -0,0 +1,15 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +ExecStartPre= +ExecStartPre={{ vrf_command }}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' +ExecReload= +ExecReload={{ vrf_command }}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload +Restart=always +RestartPreventExitStatus= +RestartSec=10 diff --git a/data/templates/https/override.conf.tmpl b/data/templates/https/override.conf.tmpl deleted file mode 100644 index 824b1ba3b..000000000 --- a/data/templates/https/override.conf.tmpl +++ /dev/null @@ -1,15 +0,0 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -[Unit] -StartLimitIntervalSec=0 -After=vyos-router.service - -[Service] -ExecStartPre= -ExecStartPre={{vrf_command}}/usr/sbin/nginx -t -q -g 'daemon on; master_process on;' -ExecStart= -ExecStart={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' -ExecReload= -ExecReload={{vrf_command}}/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload -Restart=always -RestartPreventExitStatus= -RestartSec=10 diff --git a/data/templates/https/vyos-http-api.service.tmpl b/data/templates/https/vyos-http-api.service.j2 index 15bd80d65..fb424e06c 100644 --- a/data/templates/https/vyos-http-api.service.tmpl +++ b/data/templates/https/vyos-http-api.service.j2 @@ -1,11 +1,11 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] Description=VyOS HTTP API service After=vyos-router.service Requires=vyos-router.service [Service] -ExecStart={{vrf_command}}/usr/libexec/vyos/services/vyos-http-api-server +ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server Type=idle SyslogIdentifier=vyos-http-api diff --git a/data/templates/ids/fastnetmon.tmpl b/data/templates/ids/fastnetmon.j2 index 1f6a1c808..c482002fa 100644 --- a/data/templates/ids/fastnetmon.tmpl +++ b/data/templates/ids/fastnetmon.j2 @@ -25,36 +25,32 @@ unban_only_if_attack_finished = on # For each subnet, list track speed in bps and pps for both directions enable_subnet_counters = off -{% if "mirror" in mode %} +{% if mode.mirror is vyos_defined %} mirror_afpacket = on {% endif %} -{% if "in" in direction %} -process_incoming_traffic = on -{% endif %} -{% if "out" in direction %} -process_outgoing_traffic = on -{% endif %} -{% for th in threshold %} -{% if th == "fps" %} +process_incoming_traffic = {{ 'on' if direction is vyos_defined and 'in' in direction else 'off' }} +process_outgoing_traffic = {{ 'on' if direction is vyos_defined and 'out' in direction else 'off' }} + +{% if threshold is vyos_defined %} +{% for thr, thr_value in threshold.items() %} +{% if thr is vyos_defined('fps') %} ban_for_flows = on -threshold_flows = {{ threshold[th] }} -{% endif %} -{% if th == "mbps" %} +threshold_flows = {{ thr_value }} +{% elif thr is vyos_defined('mbps') %} ban_for_bandwidth = on -threshold_mbps = {{ threshold[th] }} -{% endif %} -{% if th == "pps" %} +threshold_mbps = {{ thr_value }} +{% elif thr is vyos_defined('pps') %} ban_for_pps = on -threshold_pps = {{ threshold[th] }} +threshold_pps = {{ thr_value }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% if listen_interface %} -{% set value = listen_interface if listen_interface is string else listen_interface | join(',') %} -interfaces = {{ value }} +{% if listen_interface is vyos_defined %} +interfaces = {{ listen_interface | join(',') }} {% endif %} -{% if alert_script %} +{% if alert_script is vyos_defined %} notify_script_path = {{ alert_script }} {% endif %} diff --git a/data/templates/ids/fastnetmon_networks_list.j2 b/data/templates/ids/fastnetmon_networks_list.j2 new file mode 100644 index 000000000..1c81180be --- /dev/null +++ b/data/templates/ids/fastnetmon_networks_list.j2 @@ -0,0 +1,7 @@ +{% if network is vyos_defined(var_type=str) %} +{{ network }} +{% else %} +{% for net in network %} +{{ net }} +{% endfor %} +{% endif %} diff --git a/data/templates/ids/fastnetmon_networks_list.tmpl b/data/templates/ids/fastnetmon_networks_list.tmpl deleted file mode 100644 index d58990053..000000000 --- a/data/templates/ids/fastnetmon_networks_list.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -{% if network is string %} -{{ network }} -{% else %} -{% for net in network %} -{{ net }} -{% endfor %} -{% endif %} diff --git a/data/templates/igmp-proxy/igmpproxy.conf.tmpl b/data/templates/igmp-proxy/igmpproxy.conf.j2 index e3966def3..ab3c9fd31 100644 --- a/data/templates/igmp-proxy/igmpproxy.conf.tmpl +++ b/data/templates/igmp-proxy/igmpproxy.conf.j2 @@ -14,27 +14,27 @@ # ######################################################## -{% if disable_quickleave is not defined %} +{% if disable_quickleave is not vyos_defined %} quickleave {% endif %} -{% if interface is defined and interface is not none %} -{% for iface, config in interface.items() %} +{% if interface is vyos_defined %} +{% for iface, config in interface.items() %} # Configuration for {{ iface }} ({{ config.role }} interface) -{% if config.role == 'disabled' %} +{% if config.role is vyos_defined('disabled') %} phyint {{ iface }} disabled -{% else %} +{% else %} phyint {{ iface }} {{ config.role }} ratelimit 0 threshold {{ config.threshold }} -{% endif %} -{% if config.alt_subnet is defined and config.alt_subnet is not none %} -{% for subnet in config.alt_subnet %} +{% endif %} +{% if config.alt_subnet is vyos_defined %} +{% for subnet in config.alt_subnet %} altnet {{ subnet }} -{% endfor %} -{% endif %} -{% if config.whitelist is defined and config.whitelist is not none %} -{% for subnet in config.whitelist %} +{% endfor %} +{% endif %} +{% if config.whitelist is vyos_defined %} +{% for subnet in config.whitelist %} whitelist {{ subnet }} -{% endfor %} -{% endif %} -{% endfor %} +{% endfor %} +{% endif %} +{% endfor %} {% endif %} diff --git a/data/templates/ipsec/charon.tmpl b/data/templates/ipsec/charon.j2 index b9b020dcd..388559af8 100644 --- a/data/templates/ipsec/charon.tmpl +++ b/data/templates/ipsec/charon.j2 @@ -1,6 +1,5 @@ # Options for the charon IKE daemon. charon { - # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. # accept_unencrypted_mainmode_messages = no @@ -21,15 +20,15 @@ charon { # cisco_unity = no # Cisco FlexVPN -{% if options is defined %} - cisco_flexvpn = {{ 'yes' if options.flexvpn is defined else 'no' }} -{% if options.virtual_ip is defined %} +{% if options is vyos_defined %} + cisco_flexvpn = {{ 'yes' if options.flexvpn is vyos_defined else 'no' }} +{% if options.virtual_ip is vyos_defined %} install_virtual_ip = yes -{% endif %} -{% if options.interface is defined and options.interface is not none %} +{% endif %} +{% if options.interface is vyos_defined %} install_virtual_ip_on = {{ options.interface }} -{% endif %} -{% endif %} +{% endif %} +{% endif %} # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. # close_ike_on_child_failure = no diff --git a/data/templates/ipsec/charon/dhcp.conf.tmpl b/data/templates/ipsec/charon/dhcp.conf.j2 index 92774b275..aaa5613fb 100644 --- a/data/templates/ipsec/charon/dhcp.conf.tmpl +++ b/data/templates/ipsec/charon/dhcp.conf.j2 @@ -1,12 +1,10 @@ dhcp { load = yes -{% if remote_access is defined and remote_access.dhcp is defined %} -{% if remote_access.dhcp.interface is defined %} +{% if remote_access.dhcp.interface is vyos_defined %} interface = {{ remote_access.dhcp.interface }} -{% endif %} -{% if remote_access.dhcp.server is defined %} +{% endif %} +{% if remote_access.dhcp.server is vyos_defined %} server = {{ remote_access.dhcp.server }} -{% endif %} {% endif %} # Always use the configured server address. diff --git a/data/templates/ipsec/charon/eap-radius.conf.tmpl b/data/templates/ipsec/charon/eap-radius.conf.j2 index 5ec35c988..8495011fe 100644 --- a/data/templates/ipsec/charon/eap-radius.conf.tmpl +++ b/data/templates/ipsec/charon/eap-radius.conf.j2 @@ -41,7 +41,7 @@ eap-radius { load = yes # NAS-Identifier to include in RADIUS messages. - nas_identifier = {{ remote_access.radius.nas_identifier if remote_access is defined and remote_access.radius is defined and remote_access.radius.nas_identifier is defined else 'strongSwan' }} + nas_identifier = {{ remote_access.radius.nas_identifier if remote_access.radius.nas_identifier is vyos_defined else 'strongSwan' }} # Port of RADIUS server (authentication). # port = 1812 @@ -94,19 +94,19 @@ eap-radius { # Section to specify multiple RADIUS servers. servers { -{% if remote_access is defined and remote_access.radius is defined and remote_access.radius.server is defined %} -{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not defined %} +{% if remote_access.radius.server is vyos_defined %} +{% for server, server_options in remote_access.radius.server.items() if server_options.disable is not vyos_defined %} {{ server | replace('.', '-') }} { address = {{ server }} secret = {{ server_options.key }} auth_port = {{ server_options.port }} -{% if server_options.disable_accounting is not defined %} - acct_port = {{ server_options.port | int +1 }} -{% endif %} +{% if server_options.disable_accounting is not vyos_defined %} + acct_port = {{ server_options.port | int + 1 }} +{% endif %} sockets = 20 } -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} } # Section to configure multiple XAuth authentication rounds via RADIUS. diff --git a/data/templates/ipsec/interfaces_use.conf.tmpl b/data/templates/ipsec/interfaces_use.conf.j2 index a77102396..c1bf8270d 100644 --- a/data/templates/ipsec/interfaces_use.conf.tmpl +++ b/data/templates/ipsec/interfaces_use.conf.j2 @@ -1,5 +1,5 @@ -{% if interface is defined %} +{% if interface is vyos_defined %} charon { interfaces_use = {{ ', '.join(interface) }} } -{% endif %}
\ No newline at end of file +{% endif %}
\ No newline at end of file diff --git a/data/templates/ipsec/ios_profile.tmpl b/data/templates/ipsec/ios_profile.j2 index af6c79d6e..c8e17729a 100644 --- a/data/templates/ipsec/ios_profile.tmpl +++ b/data/templates/ipsec/ios_profile.j2 @@ -41,7 +41,7 @@ <!-- Remote identity, can be a FQDN, a userFQDN, an IP or (theoretically) a certificate's subject DN. Can't be empty. IMPORTANT: DNs are currently not handled correctly, they are always sent as identities of type FQDN --> <key>RemoteIdentifier</key> - <string>{{ authentication.id if authentication.id is defined else 'fooo' }}</string> + <string>{{ authentication.id if authentication.id is vyos_defined else 'VyOS' }}</string> <!-- Local IKE identity, same restrictions as above. If it is empty the client's IP address will be used --> <key>LocalIdentifier</key> <string></string> diff --git a/data/templates/ipsec/ipsec.conf.j2 b/data/templates/ipsec/ipsec.conf.j2 new file mode 100644 index 000000000..f63995b38 --- /dev/null +++ b/data/templates/ipsec/ipsec.conf.j2 @@ -0,0 +1,19 @@ +# Created by VyOS - manual changes will be overwritten + +config setup +{% set charondebug = '' %} +{% if log.subsystem is vyos_defined %} +{% set subsystem = log.subsystem %} +{% if 'any' in log.subsystem %} +{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', + 'net', 'asn', 'enc', 'lib', 'esp', 'tls', 'tnc', + 'imc', 'imv', 'pts'] %} +{% endif %} +{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} +{% endif %} + charondebug = "{{ charondebug }}" + uniqueids = {{ "no" if disable_uniqreqids is vyos_defined else "yes" }} + +{% if include_ipsec_conf is vyos_defined %} +include {{ include_ipsec_conf }} +{% endif %} diff --git a/data/templates/ipsec/ipsec.conf.tmpl b/data/templates/ipsec/ipsec.conf.tmpl deleted file mode 100644 index 1cb531e76..000000000 --- a/data/templates/ipsec/ipsec.conf.tmpl +++ /dev/null @@ -1,18 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -config setup -{% set charondebug = '' %} -{% if log is defined and log.subsystem is defined and log.subsystem is not none %} -{% set subsystem = log.subsystem %} -{% if 'any' in log.subsystem %} -{% set subsystem = ['dmn', 'mgr', 'ike', 'chd','job', 'cfg', 'knl', 'net', 'asn', - 'enc', 'lib', 'esp', 'tls', 'tnc', 'imc', 'imv', 'pts'] %} -{% endif %} -{% set charondebug = subsystem | join (' ' ~ log.level ~ ', ') ~ ' ' ~ log.level %} -{% endif %} - charondebug = "{{ charondebug }}" - uniqueids = {{ "no" if disable_uniqreqids is defined else "yes" }} - -{% if include_ipsec_conf is defined %} -include {{ include_ipsec_conf }} -{% endif %} diff --git a/data/templates/ipsec/ipsec.secrets.tmpl b/data/templates/ipsec/ipsec.secrets.j2 index 057e291ed..a87ac9bc7 100644 --- a/data/templates/ipsec/ipsec.secrets.tmpl +++ b/data/templates/ipsec/ipsec.secrets.j2 @@ -1,5 +1,5 @@ # Created by VyOS - manual changes will be overwritten -{% if include_ipsec_secrets is defined %} +{% if include_ipsec_secrets is vyos_defined %} include {{ include_ipsec_secrets }} -{% endif %} +{% endif %} diff --git a/data/templates/ipsec/swanctl.conf.j2 b/data/templates/ipsec/swanctl.conf.j2 new file mode 100644 index 000000000..bf6b8259c --- /dev/null +++ b/data/templates/ipsec/swanctl.conf.j2 @@ -0,0 +1,131 @@ +### Autogenerated by vpn_ipsec.py ### +{% import 'ipsec/swanctl/l2tp.j2' as l2tp_tmpl %} +{% import 'ipsec/swanctl/profile.j2' as profile_tmpl %} +{% import 'ipsec/swanctl/peer.j2' as peer_tmpl %} +{% import 'ipsec/swanctl/remote_access.j2' as remote_access_tmpl %} + +connections { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if remote_access.connection is vyos_defined %} +{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not vyos_defined %} +{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} +{% endfor %} +{% endif %} +{% if l2tp %} +{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} +{% endif %} +} + +pools { +{% if remote_access.pool is vyos_defined %} +{% for pool, pool_config in remote_access.pool.items() %} + {{ pool }} { +{% if pool_config.prefix is vyos_defined %} + addrs = {{ pool_config.prefix }} +{% endif %} +{% if pool_config.name_server is vyos_defined %} + dns = {{ pool_config.name_server | join(',') }} +{% endif %} +{% if pool_config.exclude is vyos_defined %} + split_exclude = {{ pool_config.exclude | join(',') }} +{% endif %} + } +{% endfor %} +{% endif %} +} + +secrets { +{% if profile is vyos_defined %} +{% for name, profile_conf in profile.items() if profile_conf.disable is not vyos_defined and profile_conf.bind.tunnel is vyos_defined %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} +{% for interface in profile_conf.bind.tunnel %} + ike-dmvpn-{{ interface }} { + secret = {{ profile_conf.authentication.pre_shared_secret }} + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if site_to_site.peer is vyos_defined %} +{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not vyos_defined %} +{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} +{% if peer_conf.authentication.mode is vyos_defined('pre-shared-secret') %} + ike_{{ peer_name }} { +{% if peer_conf.local_address is vyos_defined %} + id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} +{% endif %} + id-remote = {{ peer }} +{% if peer_conf.authentication.id is vyos_defined %} + id-localid = {{ peer_conf.authentication.id }} +{% endif %} +{% if peer_conf.authentication.remote_id is vyos_defined %} + id-remoteid = {{ peer_conf.authentication.remote_id }} +{% endif %} + secret = "{{ peer_conf.authentication.pre_shared_secret }}" + } +{% elif peer_conf.authentication.mode is vyos_defined('x509') %} + private_{{ peer_name }} { + file = {{ peer_conf.authentication.x509.certificate }}.pem +{% if peer_conf.authentication.x509.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.x509.passphrase }}" +{% endif %} + } +{% elif peer_conf.authentication.mode is vyos_defined('rsa') %} + rsa_{{ peer_name }}_local { + file = {{ peer_conf.authentication.rsa.local_key }}.pem +{% if peer_conf.authentication.rsa.passphrase is vyos_defined %} + secret = "{{ peer_conf.authentication.rsa.passphrase }}" +{% endif %} + } +{% endif %} +{% endfor %} +{% endif %} +{% if remote_access.connection is vyos_defined %} +{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not vyos_defined %} +{% if ra_conf.authentication.server_mode is vyos_defined('pre-shared-secret') %} + ike_{{ ra }} { +{% if ra_conf.authentication.id is vyos_defined %} + id = "{{ ra_conf.authentication.id }}" +{% elif ra_conf.local_address is vyos_defined %} + id = "{{ ra_conf.local_address }}" +{% endif %} + secret = "{{ ra_conf.authentication.pre_shared_secret }}" + } +{% endif %} +{% if ra_conf.authentication.client_mode is vyos_defined('eap-mschapv2') and ra_conf.authentication.local_users.username is vyos_defined %} +{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not vyos_defined %} + eap-{{ ra }}-{{ user }} { + secret = "{{ user_conf.password }}" + id-{{ ra }}-{{ user }} = "{{ user }}" + } +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} +{% if l2tp %} +{% if l2tp.authentication.mode is vyos_defined('pre-shared-secret') %} + ike_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + secret = "{{ l2tp.authentication.pre_shared_secret }}" + } +{% elif l2tp.authentication.mode is vyos_defined('x509') %} + private_l2tp_remote_access { + id = "{{ l2tp_outside_address }}" + file = {{ l2tp.authentication.x509.certificate }}.pem +{% if l2tp.authentication.x509.passphrase is vyos_defined %} + secret = "{{ l2tp.authentication.x509.passphrase }}" +{% endif %} + } +{% endif %} +{% endif %} +} + diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl deleted file mode 100644 index 68b108365..000000000 --- a/data/templates/ipsec/swanctl.conf.tmpl +++ /dev/null @@ -1,131 +0,0 @@ -### Autogenerated by vpn_ipsec.py ### -{% import 'ipsec/swanctl/l2tp.tmpl' as l2tp_tmpl %} -{% import 'ipsec/swanctl/profile.tmpl' as profile_tmpl %} -{% import 'ipsec/swanctl/peer.tmpl' as peer_tmpl %} -{% import 'ipsec/swanctl/remote_access.tmpl' as remote_access_tmpl %} - -connections { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{{ profile_tmpl.conn(name, profile_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{{ peer_tmpl.conn(peer, peer_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for rw, rw_conf in remote_access.connection.items() if rw_conf.disable is not defined %} -{{ remote_access_tmpl.conn(rw, rw_conf, ike_group, esp_group) }} -{% endfor %} -{% endif %} -{% if l2tp %} -{{ l2tp_tmpl.conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) }} -{% endif %} -} - -pools { -{% if remote_access is defined and remote_access.pool is defined and remote_access.pool is not none %} -{% for pool, pool_config in remote_access.pool.items() %} - {{ pool }} { -{% if pool_config.prefix is defined and pool_config.prefix is not none %} - addrs = {{ pool_config.prefix }} -{% endif %} -{% if pool_config.name_server is defined and pool_config.name_server is not none %} - dns = {{ pool_config.name_server | join(',') }} -{% endif %} -{% if pool_config.exclude is defined and pool_config.exclude is not none %} - split_exclude = {{ pool_config.exclude | join(',') }} -{% endif %} - } -{% endfor %} -{% endif %} -} - -secrets { -{% if profile is defined %} -{% for name, profile_conf in profile.items() if profile_conf.disable is not defined and profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} -{% if profile_conf.authentication.mode == 'pre-shared-secret' %} -{% for interface in profile_conf.bind.tunnel %} - ike-dmvpn-{{ interface }} { - secret = {{ profile_conf.authentication.pre_shared_secret }} - } -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -{% if site_to_site is defined and site_to_site.peer is defined %} -{% for peer, peer_conf in site_to_site.peer.items() if peer not in dhcp_no_address and peer_conf.disable is not defined %} -{% set peer_name = peer.replace("@", "") | dot_colon_to_dash %} -{% if peer_conf.authentication.mode == 'pre-shared-secret' %} - ike_{{ peer_name }} { -{% if peer_conf.local_address is defined %} - id-local = {{ peer_conf.local_address }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} -{% endif %} - id-remote = {{ peer }} -{% if peer_conf.authentication.id is defined %} - id-localid = {{ peer_conf.authentication.id }} -{% endif %} -{% if peer_conf.authentication.remote_id is defined %} - id-remoteid = {{ peer_conf.authentication.remote_id }} -{% endif %} - secret = "{{ peer_conf.authentication.pre_shared_secret }}" - } -{% elif peer_conf.authentication.mode == 'x509' %} - private_{{ peer_name }} { - file = {{ peer_conf.authentication.x509.certificate }}.pem -{% if peer_conf.authentication.x509.passphrase is defined %} - secret = "{{ peer_conf.authentication.x509.passphrase }}" -{% endif %} - } -{% elif peer_conf.authentication.mode == 'rsa' %} - rsa_{{ peer_name }}_local { - file = {{ peer_conf.authentication.rsa.local_key }}.pem -{% if peer_conf.authentication.rsa.passphrase is defined %} - secret = "{{ peer_conf.authentication.rsa.passphrase }}" -{% endif %} - } -{% endif %} -{% endfor %} -{% endif %} -{% if remote_access is defined and remote_access.connection is defined and remote_access.connection is not none %} -{% for ra, ra_conf in remote_access.connection.items() if ra_conf.disable is not defined %} -{% if ra_conf.authentication.server_mode == 'pre-shared-secret' %} - ike_{{ ra }} { -{% if ra_conf.authentication.id is defined %} - id = "{{ ra_conf.authentication.id }}" -{% elif ra_conf.local_address is defined %} - id = "{{ ra_conf.local_address }}" -{% endif %} - secret = "{{ ra_conf.authentication.pre_shared_secret }}" - } -{% endif %} -{% if ra_conf.authentication.client_mode == 'eap-mschapv2' and ra_conf.authentication.local_users is defined and ra_conf.authentication.local_users.username is defined %} -{% for user, user_conf in ra_conf.authentication.local_users.username.items() if user_conf.disable is not defined %} - eap-{{ ra }}-{{ user }} { - secret = "{{ user_conf.password }}" - id-{{ ra }}-{{ user }} = "{{ user }}" - } -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} -{% if l2tp %} -{% if l2tp.authentication.mode == 'pre-shared-secret' %} - ike_l2tp_remote_access { - id = "{{ l2tp_outside_address }}" - secret = "{{ l2tp.authentication.pre_shared_secret }}" - } -{% elif l2tp.authentication.mode == 'x509' %} - private_l2tp_remote_access { - id = "{{ l2tp_outside_address }}" - file = {{ l2tp.authentication.x509.certificate }}.pem -{% if l2tp.authentication.x509.passphrase is defined %} - secret = "{{ l2tp.authentication.x509.passphrase }}" -{% endif %} - } -{% endif %} -{% endif %} -} - diff --git a/data/templates/ipsec/swanctl/l2tp.tmpl b/data/templates/ipsec/swanctl/l2tp.j2 index 4cd1b4af3..7e63865cc 100644 --- a/data/templates/ipsec/swanctl/l2tp.tmpl +++ b/data/templates/ipsec/swanctl/l2tp.j2 @@ -1,6 +1,6 @@ {% macro conn(l2tp, l2tp_outside_address, l2tp_ike_default, l2tp_esp_default, ike_group, esp_group) %} -{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is defined else None %} -{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is defined else None %} +{% set l2tp_ike = ike_group[l2tp.ike_group] if l2tp.ike_group is vyos_defined else None %} +{% set l2tp_esp = esp_group[l2tp.esp_group] if l2tp.esp_group is vyos_defined else None %} l2tp_remote_access { proposals = {{ l2tp_ike | get_esp_ike_cipher | join(',') if l2tp_ike else l2tp_ike_default }} local_addrs = {{ l2tp_outside_address }} @@ -10,9 +10,9 @@ reauth_time = 0 local { auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if l2tp.authentication.mode == 'x509' %} +{% if l2tp.authentication.mode == 'x509' %} certs = {{ l2tp.authentication.x509.certificate }}.pem -{% endif %} +{% endif %} } remote { auth = {{ 'psk' if l2tp.authentication.mode == 'pre-shared-secret' else 'pubkey' }} diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 new file mode 100644 index 000000000..90d2c774f --- /dev/null +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -0,0 +1,166 @@ +{% macro conn(peer, peer_conf, ike_group, esp_group) %} +{% set name = peer.replace("@", "") | dot_colon_to_dash %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[peer_conf.ike_group] %} + peer_{{ name }} { + proposals = {{ ike | get_esp_ike_cipher | join(',') }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} +{% if peer_conf.virtual_address is vyos_defined %} + vips = {{ peer_conf.virtual_address | join(', ') }} +{% endif %} + local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} + remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} +{% if peer_conf.authentication.mode is vyos_defined('x509') %} + send_cert = always +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} + dpd_timeout = {{ ike.dead_peer_detection.timeout }} + dpd_delay = {{ ike.dead_peer_detection.interval }} +{% endif %} +{% if ike.key_exchange is vyos_defined('ikev1') and ike.mode is vyos_defined('aggressive') %} + aggressive = yes +{% endif %} + rekey_time = {{ ike.lifetime }}s + mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }} +{% if peer[0:1] == '@' %} + keyingtries = 0 + reauth_time = 0 +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + keyingtries = 0 +{% elif peer_conf.connection_type is vyos_defined('respond') %} + keyingtries = 1 +{% endif %} +{% if peer_conf.force_encapsulation is vyos_defined('enable') %} + encap = yes +{% endif %} + local { +{% if peer_conf.authentication.id is vyos_defined %} + id = "{{ peer_conf.authentication.id }}" +{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'x509' %} + certs = {{ peer_conf.authentication.x509.certificate }}.pem +{% elif peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem +{% endif %} + } + remote { +{% if peer_conf.authentication.remote_id is vyos_defined %} + id = "{{ peer_conf.authentication.remote_id }}" +{% else %} + id = "{{ peer }}" +{% endif %} + auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} +{% if peer_conf.authentication.mode == 'rsa' %} + pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem +{% endif %} + } + children { +{% if peer_conf.vti.bind is vyos_defined and peer_conf.tunnel is not vyos_defined %} +{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is vyos_defined else esp_group[ peer_conf.default_esp_group ] %} + peer_{{ name }}_vti { + esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if vti_esp.life_bytes is vyos_defined %} + life_bytes = {{ vti_esp.life_bytes }} +{% endif %} +{% if vti_esp.life_packets is vyos_defined %} + life_packets = {{ vti_esp.life_packets }} +{% endif %} + life_time = {{ vti_esp.lifetime }}s + local_ts = 0.0.0.0/0,::/0 + remote_ts = 0.0.0.0/0,::/0 + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} + if_id_in = {{ if_id }} + if_id_out = {{ if_id }} + ipcomp = {{ 'yes' if vti_esp.compression is vyos_defined('enable') else 'no' }} + mode = {{ vti_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + start_action = start +{% elif peer_conf.connection_type is vyos_defined('respond') %} + start_action = trap +{% elif peer_conf.connection_type is vyos_defined('none') %} + start_action = none +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} + } +{% elif peer_conf.tunnel is vyos_defined %} +{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} +{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is vyos_defined else peer_conf.default_esp_group %} +{% set tunnel_esp = esp_group[tunnel_esp_name] %} +{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is vyos_defined else '' %} +{% set local_port = tunnel_conf.local.port if tunnel_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} +{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote.port is vyos_defined else '' %} +{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} + peer_{{ name }}_tunnel_{{ tunnel_id }} { + esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} +{% if tunnel_esp.life_bytes is vyos_defined %} + life_bytes = {{ tunnel_esp.life_bytes }} +{% endif %} +{% if tunnel_esp.life_packets is vyos_defined %} + life_packets = {{ tunnel_esp.life_packets }} +{% endif %} + life_time = {{ tunnel_esp.lifetime }}s +{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} +{% if tunnel_conf.local.prefix is vyos_defined %} +{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} + local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} +{% endif %} +{% if tunnel_conf.remote.prefix is vyos_defined %} +{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} + remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} +{% endif %} +{% if tunnel_conf.priority is vyos_defined %} + priority = {{ tunnel_conf.priority }} +{% endif %} +{% elif tunnel_esp.mode == 'transport' %} + local_ts = {{ peer_conf.local_address }}{{ local_suffix }} + remote_ts = {{ peer }}{{ remote_suffix }} +{% endif %} + ipcomp = {{ 'yes' if tunnel_esp.compression is vyos_defined('enable') else 'no' }} + mode = {{ tunnel_esp.mode }} +{% if peer[0:1] == '@' %} + start_action = none +{% elif peer_conf.connection_type is not vyos_defined or peer_conf.connection_type is vyos_defined('initiate') %} + start_action = start +{% elif peer_conf.connection_type is vyos_defined('respond') %} + start_action = trap +{% elif peer_conf.connection_type is vyos_defined('none') %} + start_action = none +{% endif %} +{% if ike.dead_peer_detection is vyos_defined %} +{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} + dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} +{% endif %} + close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} +{% if peer_conf.vti.bind is vyos_defined %} +{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} +{# Thus we simply shift the key by one to also support a vti0 interface #} +{% set if_id = peer_conf.vti.bind | replace('vti', '') | int + 1 %} + updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" + if_id_in = {{ if_id }} + if_id_out = {{ if_id }} +{% endif %} + } +{% if tunnel_conf.passthrough is vyos_defined %} + peer_{{ name }}_tunnel_{{ tunnel_id }}_passthrough { + local_ts = {{ tunnel_conf.passthrough | join(",") }} + remote_ts = {{ tunnel_conf.passthrough | join(",") }} + start_action = trap + mode = pass + } +{% endif %} +{% endfor %} +{% endif %} + } + } +{% endmacro %} diff --git a/data/templates/ipsec/swanctl/peer.tmpl b/data/templates/ipsec/swanctl/peer.tmpl deleted file mode 100644 index a622cbf74..000000000 --- a/data/templates/ipsec/swanctl/peer.tmpl +++ /dev/null @@ -1,166 +0,0 @@ -{% macro conn(peer, peer_conf, ike_group, esp_group) %} -{% set name = peer.replace("@", "") | dot_colon_to_dash %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[peer_conf.ike_group] %} - peer_{{ name }} { - proposals = {{ ike | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} -{% if peer_conf.virtual_address is defined and peer_conf.virtual_address is not none %} - vips = {{ peer_conf.virtual_address | join(', ') }} -{% endif %} - local_addrs = {{ peer_conf.local_address if peer_conf.local_address != 'any' else '0.0.0.0/0' }} # dhcp:{{ peer_conf.dhcp_interface if 'dhcp_interface' in peer_conf else 'no' }} - remote_addrs = {{ peer if peer not in ['any', '0.0.0.0'] and peer[0:1] != '@' else '0.0.0.0/0' }} -{% if peer_conf.authentication is defined and peer_conf.authentication.mode is defined and peer_conf.authentication.mode == 'x509' %} - send_cert = always -{% endif %} -{% if ike.dead_peer_detection is defined %} - dpd_timeout = {{ ike.dead_peer_detection.timeout }} - dpd_delay = {{ ike.dead_peer_detection.interval }} -{% endif %} -{% if ike.key_exchange is defined and ike.key_exchange == "ikev1" and ike.mode is defined and ike.mode == "aggressive" %} - aggressive = yes -{% endif %} - rekey_time = {{ ike.lifetime }}s - mobike = {{ "yes" if ike.mobike is not defined or ike.mobike == "enable" else "no" }} -{% if peer[0:1] == '@' %} - keyingtries = 0 - reauth_time = 0 -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} - keyingtries = 0 -{% elif peer_conf.connection_type is defined and peer_conf.connection_type == 'respond' %} - keyingtries = 1 -{% endif %} -{% if peer_conf.force_encapsulation is defined and peer_conf.force_encapsulation == 'enable' %} - encap = yes -{% endif %} - local { -{% if peer_conf.authentication is defined and peer_conf.authentication.id is defined and peer_conf.authentication.id is not none %} - id = "{{ peer_conf.authentication.id }}" -{% endif %} - auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if peer_conf.authentication.mode == 'x509' %} - certs = {{ peer_conf.authentication.x509.certificate }}.pem -{% elif peer_conf.authentication.mode == 'rsa' %} - pubkeys = {{ peer_conf.authentication.rsa.local_key }}.pem -{% endif %} - } - remote { -{% if peer_conf.authentication is defined and peer_conf.authentication.remote_id is defined and peer_conf.authentication.remote_id is not none %} - id = "{{ peer_conf.authentication.remote_id }}" -{% else %} - id = "{{ peer }}" -{% endif %} - auth = {{ 'psk' if peer_conf.authentication.mode == 'pre-shared-secret' else 'pubkey' }} -{% if peer_conf.authentication.mode == 'rsa' %} - pubkeys = {{ peer_conf.authentication.rsa.remote_key }}.pem -{% endif %} - } - children { -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined and peer_conf.tunnel is not defined %} -{% set vti_esp = esp_group[ peer_conf.vti.esp_group ] if peer_conf.vti.esp_group is defined else esp_group[ peer_conf.default_esp_group ] %} - peer_{{ name }}_vti { - esp_proposals = {{ vti_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if vti_esp.life_bytes is defined and vti_esp.life_bytes is not none %} - life_bytes = {{ vti_esp.life_bytes }} -{% endif %} -{% if vti_esp.life_packets is defined and vti_esp.life_packets is not none %} - life_packets = {{ vti_esp.life_packets }} -{% endif %} - life_time = {{ vti_esp.lifetime }}s - local_ts = 0.0.0.0/0,::/0 - remote_ts = 0.0.0.0/0,::/0 - updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" - {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} - {# Thus we simply shift the key by one to also support a vti0 interface #} -{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %} - if_id_in = {{ if_id }} - if_id_out = {{ if_id }} - ipcomp = {{ 'yes' if vti_esp.compression is defined and vti_esp.compression == 'enable' else 'no' }} - mode = {{ vti_esp.mode }} -{% if peer[0:1] == '@' %} - start_action = none -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} - start_action = start -{% elif peer_conf.connection_type == 'respond' %} - start_action = trap -{% elif peer_conf.connection_type == 'none' %} - start_action = none -{% endif %} -{% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} - dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} -{% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} - } -{% elif peer_conf.tunnel is defined %} -{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} -{% set tunnel_esp_name = tunnel_conf.esp_group if tunnel_conf.esp_group is defined else peer_conf.default_esp_group %} -{% set tunnel_esp = esp_group[tunnel_esp_name] %} -{% set proto = tunnel_conf.protocol if tunnel_conf.protocol is defined else '' %} -{% set local_port = tunnel_conf.local.port if tunnel_conf.local is defined and tunnel_conf.local.port is defined else '' %} -{% set local_suffix = '[{0}/{1}]'.format(proto, local_port) if proto or local_port else '' %} -{% set remote_port = tunnel_conf.remote.port if tunnel_conf.remote is defined and tunnel_conf.remote.port is defined else '' %} -{% set remote_suffix = '[{0}/{1}]'.format(proto, remote_port) if proto or remote_port else '' %} - peer_{{ name }}_tunnel_{{ tunnel_id }} { - esp_proposals = {{ tunnel_esp | get_esp_ike_cipher(ike) | join(',') }} -{% if tunnel_esp.life_bytes is defined and tunnel_esp.life_bytes is not none %} - life_bytes = {{ tunnel_esp.life_bytes }} -{% endif %} -{% if tunnel_esp.life_packets is defined and tunnel_esp.life_packets is not none %} - life_packets = {{ tunnel_esp.life_packets }} -{% endif %} - life_time = {{ tunnel_esp.lifetime }}s -{% if tunnel_esp.mode is not defined or tunnel_esp.mode == 'tunnel' %} -{% if tunnel_conf.local is defined and tunnel_conf.local.prefix is defined %} -{% set local_prefix = tunnel_conf.local.prefix if 'any' not in tunnel_conf.local.prefix else ['0.0.0.0/0', '::/0'] %} - local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} -{% endif %} -{% if tunnel_conf.remote is defined and tunnel_conf.remote.prefix is defined %} -{% set remote_prefix = tunnel_conf.remote.prefix if 'any' not in tunnel_conf.remote.prefix else ['0.0.0.0/0', '::/0'] %} - remote_ts = {{ remote_prefix | join(remote_suffix + ",") }}{{ remote_suffix }} -{% endif %} -{% if tunnel_conf.priority is defined and tunnel_conf.priority is not none %} - priority = {{ tunnel_conf.priority }} -{% endif %} -{% elif tunnel_esp.mode == 'transport' %} - local_ts = {{ peer_conf.local_address }}{{ local_suffix }} - remote_ts = {{ peer }}{{ remote_suffix }} -{% endif %} - ipcomp = {{ 'yes' if tunnel_esp.compression is defined and tunnel_esp.compression == 'enable' else 'no' }} - mode = {{ tunnel_esp.mode }} -{% if peer[0:1] == '@' %} - start_action = none -{% elif peer_conf.connection_type is not defined or peer_conf.connection_type == 'initiate' %} - start_action = start -{% elif peer_conf.connection_type == 'respond' %} - start_action = trap -{% elif peer_conf.connection_type == 'none' %} - start_action = none -{% endif %} -{% if ike.dead_peer_detection is defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} - dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} -{% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} -{% if peer_conf.vti is defined and peer_conf.vti.bind is defined %} - updown = "/etc/ipsec.d/vti-up-down {{ peer_conf.vti.bind }}" - {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} - {# Thus we simply shift the key by one to also support a vti0 interface #} -{% set if_id = peer_conf.vti.bind | replace('vti', '') | int +1 %} - if_id_in = {{ if_id }} - if_id_out = {{ if_id }} -{% endif %} - } -{% if tunnel_conf.passthrough is defined and tunnel_conf.passthrough %} - peer_{{ name }}_tunnel_{{ tunnel_id }}_passthough { - local_ts = {{ tunnel_conf.passthrough | join(",") }} - remote_ts = {{ tunnel_conf.passthrough | join(",") }} - start_action = trap - mode = pass - } -{% endif %} -{% endfor %} -{% endif %} - } - } -{% endmacro %} diff --git a/data/templates/ipsec/swanctl/profile.tmpl b/data/templates/ipsec/swanctl/profile.j2 index a5cae31c0..d4f417378 100644 --- a/data/templates/ipsec/swanctl/profile.tmpl +++ b/data/templates/ipsec/swanctl/profile.j2 @@ -1,39 +1,39 @@ {% macro conn(name, profile_conf, ike_group, esp_group) %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[profile_conf.ike_group] %} -{% set esp = esp_group[profile_conf.esp_group] %} -{% if profile_conf.bind is defined and profile_conf.bind.tunnel is defined %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[profile_conf.ike_group] %} +{% set esp = esp_group[profile_conf.esp_group] %} +{% if profile_conf.bind.tunnel is vyos_defined %} {% for interface in profile_conf.bind.tunnel %} dmvpn-{{ name }}-{{ interface }} { proposals = {{ ike_group[profile_conf.ike_group] | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if profile_conf.authentication is defined and profile_conf.authentication.mode is defined and profile_conf.authentication.mode == 'pre-shared-secret' %} +{% if profile_conf.authentication.mode is vyos_defined('pre-shared-secret') %} local { auth = psk } remote { auth = psk } -{% endif %} +{% endif %} children { dmvpn { - esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} + esp_proposals = {{ esp | get_esp_ike_cipher(ike) | join(',') }} rekey_time = {{ esp.lifetime }}s rand_time = 540s local_ts = dynamic[gre] remote_ts = dynamic[gre] mode = {{ esp.mode }} -{% if ike.dead_peer_detection is defined and ike.dead_peer_detection.action is defined %} +{% if ike.dead_peer_detection.action is vyos_defined %} dpd_action = {{ ike.dead_peer_detection.action }} -{% endif %} -{% if esp.compression is defined and esp.compression == 'enable' %} +{% endif %} +{% if esp.compression is vyos_defined('enable') %} ipcomp = yes -{% endif %} +{% endif %} } } } {% endfor %} -{% endif %} +{% endif %} {% endmacro %} diff --git a/data/templates/ipsec/swanctl/remote_access.tmpl b/data/templates/ipsec/swanctl/remote_access.j2 index 6354c60b1..d2760ec1f 100644 --- a/data/templates/ipsec/swanctl/remote_access.tmpl +++ b/data/templates/ipsec/swanctl/remote_access.j2 @@ -1,37 +1,38 @@ {% macro conn(name, rw_conf, ike_group, esp_group) %} -{# peer needs to reference the global IKE configuration for certain values #} -{% set ike = ike_group[rw_conf.ike_group] %} -{% set esp = esp_group[rw_conf.esp_group] %} +{# peer needs to reference the global IKE configuration for certain values #} +{% set ike = ike_group[rw_conf.ike_group] %} +{% set esp = esp_group[rw_conf.esp_group] %} ra-{{ name }} { remote_addrs = %any - local_addrs = {{ rw_conf.local_address if rw_conf.local_address is defined else '%any' }} + local_addrs = {{ rw_conf.local_address if rw_conf.local_address is vyos_defined else '%any' }} proposals = {{ ike_group[rw_conf.ike_group] | get_esp_ike_cipher | join(',') }} - version = {{ ike.key_exchange[4:] if ike is defined and ike.key_exchange is defined else "0" }} + version = {{ ike.key_exchange[4:] if ike.key_exchange is vyos_defined else "0" }} send_certreq = no rekey_time = {{ ike.lifetime }}s keyingtries = 0 -{% if rw_conf.unique is defined and rw_conf.unique is not none %} +{% if rw_conf.unique is vyos_defined %} unique = {{ rw_conf.unique }} -{% endif %} -{% if rw_conf.pool is defined and rw_conf.pool is not none %} +{% endif %} +{% if rw_conf.pool is vyos_defined %} pools = {{ rw_conf.pool | join(',') }} -{% endif %} +{% endif %} local { -{% if rw_conf.authentication.id is defined and rw_conf.authentication.use_x509_id is not defined %} +{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %} +{# please use " quotes - else Apple iOS goes crazy #} id = "{{ rw_conf.authentication.id }}" -{% endif %} -{% if rw_conf.authentication.server_mode == 'x509' %} +{% endif %} +{% if rw_conf.authentication.server_mode == 'x509' %} auth = pubkey certs = {{ rw_conf.authentication.x509.certificate }}.pem -{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} +{% elif rw_conf.authentication.server_mode == 'pre-shared-secret' %} auth = psk -{% endif %} +{% endif %} } remote { auth = {{ rw_conf.authentication.client_mode }} -{% if rw_conf.authentication.client_mode.startswith("eap") %} +{% if rw_conf.authentication.client_mode.startswith("eap") %} eap_id = %any -{% endif %} +{% endif %} } children { ikev2-vpn { @@ -40,9 +41,9 @@ rand_time = 540s dpd_action = clear inactivity = {{ rw_conf.timeout }} -{% set local_prefix = rw_conf.local.prefix if rw_conf.local is defined and rw_conf.local.prefix is defined else ['0.0.0.0/0', '::/0'] %} -{% set local_port = rw_conf.local.port if rw_conf.local is defined and rw_conf.local.port is defined else '' %} -{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} +{% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %} +{% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %} +{% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %} local_ts = {{ local_prefix | join(local_suffix + ",") }}{{ local_suffix }} } } diff --git a/data/templates/ipsec/windows_profile.tmpl b/data/templates/ipsec/windows_profile.j2 index 8c26944be..8c26944be 100644 --- a/data/templates/ipsec/windows_profile.tmpl +++ b/data/templates/ipsec/windows_profile.j2 diff --git a/data/templates/lcd/LCDd.conf.tmpl b/data/templates/lcd/LCDd.conf.j2 index 2c7ad920f..3631add1d 100644 --- a/data/templates/lcd/LCDd.conf.tmpl +++ b/data/templates/lcd/LCDd.conf.j2 @@ -48,14 +48,14 @@ DriverPath=/usr/lib/x86_64-linux-gnu/lcdproc/ # sed1520, serialPOS, serialVFD, shuttleVFD, sli, stv5730, svga, t6963, # text, tyan, ula200, vlsys_m428, xosd, yard2LCD -{% if model is defined %} -{% if model.startswith('cfa-') %} +{% if model is vyos_defined %} +{% if model.startswith('cfa-') %} Driver=CFontzPacket -{% elif model == 'sdec' %} +{% elif model == 'sdec' %} Driver=sdeclcd -{% elif model == 'hd44780' %} +{% elif model == 'hd44780' %} Driver=hd44780 -{% endif %} +{% endif %} {% endif %} # Tells the driver to bind to the given interface. [default: 127.0.0.1] @@ -115,8 +115,8 @@ Heartbeat=off # set title scrolling speed [default: 10; legal: 0-10] TitleSpeed=10 -{% if model is defined and model is not none %} -{% if model.startswith('cfa-') %} +{% if model is vyos_defined %} +{% if model.startswith('cfa-') %} ## CrystalFontz packet driver (for CFA533, CFA631, CFA633 & CFA635) ## [CFontzPacket] Model={{ model.split('-')[1] }} @@ -126,14 +126,14 @@ Brightness=500 OffBrightness=50 Reboot=yes USB=yes -{% elif model == 'sdec' %} +{% elif model == 'sdec' %} ## SDEC driver for Lanner, Watchguard, Sophos sppliances ## [sdeclcd] # No options -{% elif model == 'hd44780' %} +{% elif model == 'hd44780' %} [hd44780] ConnectionType=ezio Device={{ device }} Size=16x2 -{% endif %} +{% endif %} {% endif %} diff --git a/data/templates/lcd/lcdproc.conf.tmpl b/data/templates/lcd/lcdproc.conf.j2 index c79f3cd0d..c79f3cd0d 100644 --- a/data/templates/lcd/lcdproc.conf.tmpl +++ b/data/templates/lcd/lcdproc.conf.j2 diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2 new file mode 100644 index 000000000..3c499197d --- /dev/null +++ b/data/templates/lldp/lldpd.j2 @@ -0,0 +1,2 @@ +### Autogenerated by lldp.py ### +DAEMON_ARGS="-M 4 {{ '-x' if snmp.enable is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}" diff --git a/data/templates/lldp/lldpd.tmpl b/data/templates/lldp/lldpd.tmpl deleted file mode 100644 index 819e70c84..000000000 --- a/data/templates/lldp/lldpd.tmpl +++ /dev/null @@ -1,2 +0,0 @@ -### Autogenerated by lldp.py ### -DAEMON_ARGS="-M 4{% if snmp is defined and snmp.enable is defined %} -x{% endif %}{% if legacy_protocols is defined and legacy_protocols.cdp is defined %} -c{% endif %}{% if legacy_protocols is defined and legacy_protocols.edp is defined %} -e{% endif %}{% if legacy_protocols is defined and legacy_protocols.fdp is defined %} -f{% endif %}{% if legacy_protocols is defined and legacy_protocols.sonmp is defined %} -s{% endif %}" diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2 new file mode 100644 index 000000000..ec84231d8 --- /dev/null +++ b/data/templates/lldp/vyos.conf.j2 @@ -0,0 +1,25 @@ +### Autogenerated by lldp.py ### + +configure system platform VyOS +configure system description "VyOS {{ version }}" +{% if interface is vyos_defined %} +{% set tmp = [] %} +{% for iface, iface_options in interface.items() if not iface_options.disable %} +{% if iface == 'all' %} +{% set iface = '*' %} +{% endif %} +{% set _ = tmp.append(iface) %} +{% if iface_options.location is vyos_defined %} +{% if iface_options.location.elin is vyos_defined %} +configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" +{% endif %} +{% if iface_options.location.coordinate_based is vyos_defined %} +configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" +{% endif %} +{% endif %} +{% endfor %} +configure system interface pattern "{{ tmp | join(",") }}" +{% endif %} +{% if management_address is vyos_defined %} +configure system ip management pattern {{ management_address | join(",") }} +{% endif %} diff --git a/data/templates/lldp/vyos.conf.tmpl b/data/templates/lldp/vyos.conf.tmpl deleted file mode 100644 index 14395a223..000000000 --- a/data/templates/lldp/vyos.conf.tmpl +++ /dev/null @@ -1,25 +0,0 @@ -### Autogenerated by lldp.py ### - -configure system platform VyOS -configure system description "VyOS {{ version }}" -{% if interface is defined and interface is not none %} -{% set tmp = [] %} -{% for iface, iface_options in interface.items() if not iface_options.disable %} -{% if iface == 'all' %} -{% set iface = '*' %} -{% endif %} -{% set _ = tmp.append(iface) %} -{% if iface_options.location is defined and iface_options.location is not none %} -{% if iface_options.location.elin is defined and iface_options.location.elin is not none %} -configure ports {{ iface }} med location elin "{{ iface_options.location.elin }}" -{% endif %} -{% if iface_options.location is defined and iface_options.location.coordinate_based is defined and iface_options.location.coordinate_based is not none %} -configure ports {{ iface }} med location coordinate latitude "{{ iface_options.location.coordinate_based.latitude }}" longitude "{{ iface_options.location.coordinate_based.longitude }}" altitude "{{ iface_options.location.coordinate_based.altitude }}m" datum "{{ iface_options.location.coordinate_based.datum }}" -{% endif %} -{% endif %} -{% endfor %} -configure system interface pattern "{{ tmp | join(",") }}" -{% endif %} -{% if management_address is defined and management_address is not none %} -configure system ip management pattern {{ management_address | join(",") }} -{% endif %} diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2 new file mode 100644 index 000000000..aabca47cf --- /dev/null +++ b/data/templates/login/authorized_keys.j2 @@ -0,0 +1,9 @@ +### Automatically generated by system-login.py ### + +{% if authentication.public_keys is vyos_defined %} +{% for key, key_options in authentication.public_keys.items() %} +{# The whitespace after options is wisely chosen #} +{{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }} +{% endfor %} +{% endif %} + diff --git a/data/templates/login/authorized_keys.tmpl b/data/templates/login/authorized_keys.tmpl deleted file mode 100644 index 639a80e1d..000000000 --- a/data/templates/login/authorized_keys.tmpl +++ /dev/null @@ -1,9 +0,0 @@ -### Automatically generated by system-login.py ### - -{% if authentication is defined and authentication.public_keys is defined and authentication.public_keys is not none %} -{% for key, key_options in authentication.public_keys.items() %} -{# The whitespace after options is wisely chosen #} -{{ key_options.options + ' ' if key_options.options is defined }}{{ key_options.type }} {{ key_options.key }} {{ key }} -{% endfor %} -{% endif %} - diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2 new file mode 100644 index 000000000..1105b60e5 --- /dev/null +++ b/data/templates/login/pam_radius_auth.conf.j2 @@ -0,0 +1,36 @@ +# Automatically generated by system-login.py +# RADIUS configuration file + +{% if radius is vyos_defined %} +{# RADIUS IPv6 source address must be specified in [] notation #} +{% set source_address = namespace() %} +{% if radius.source_address is vyos_defined %} +{% for address in radius.source_address %} +{% if address | is_ipv4 %} +{% set source_address.ipv4 = address %} +{% elif address | is_ipv6 %} +{% set source_address.ipv6 = "[" + address + "]" %} +{% endif %} +{% endfor %} +{% endif %} +{% if radius.server is vyos_defined %} +# server[:port] shared_secret timeout source_ip +{# .items() returns a tuple of two elements: key and value. 1 relates to the 2nd element i.e. the value and .priority relates to the key from the internal dict #} +{% for server, options in radius.server.items() | sort(attribute='1.priority') if not options.disabled %} +{# RADIUS IPv6 servers must be specified in [] notation #} +{% if server | is_ipv4 %} +{{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is vyos_defined }} +{% else %} +[{{ server }}]:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv6 if source_address.ipv6 is vyos_defined }} +{% endif %} +{% endfor %} +{% endif %} + +priv-lvl 15 +mapped_priv_user radius_priv_user + +{% if radius.vrf is vyos_defined %} +vrf-name {{ radius.vrf }} +{% endif %} +{% endif %} + diff --git a/data/templates/login/pam_radius_auth.conf.tmpl b/data/templates/login/pam_radius_auth.conf.tmpl deleted file mode 100644 index fad8e7dcb..000000000 --- a/data/templates/login/pam_radius_auth.conf.tmpl +++ /dev/null @@ -1,36 +0,0 @@ -# Automatically generated by system-login.py -# RADIUS configuration file - -{% if radius is defined and radius is not none %} -{# RADIUS IPv6 source address must be specified in [] notation #} -{% set source_address = namespace() %} -{% if radius.source_address is defined and radius.source_address is not none %} -{% for address in radius.source_address %} -{% if address | is_ipv4 %} -{% set source_address.ipv4 = address %} -{% elif address | is_ipv6 %} -{% set source_address.ipv6 = "[" + address + "]" %} -{% endif %} -{% endfor %} -{% endif %} -{% if radius.server is defined and radius.server is not none %} -# server[:port] shared_secret timeout source_ip -{# .items() returns a tuple of two elements: key and value. 1 relates to the 2nd element i.e. the value and .priority relates to the key from the internal dict #} -{% for server, options in radius.server.items() | sort(attribute='1.priority') if not options.disabled %} -{# RADIUS IPv6 servers must be specified in [] notation #} -{% if server | is_ipv4 %} -{{ server }}:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv4 if source_address.ipv4 is defined }} -{% else %} -[{{ server }}]:{{ options.port }} {{ "%-25s" | format(options.key) }} {{ "%-10s" | format(options.timeout) }} {{ source_address.ipv6 if source_address.ipv6 is defined }} -{% endif %} -{% endfor %} -{% endif %} - -priv-lvl 15 -mapped_priv_user radius_priv_user - -{% if radius.vrf is defined and radius.vrf is not none %} -vrf-name {{ radius.vrf }} -{% endif %} -{% endif %} - diff --git a/data/templates/logs/logrotate/vyos-atop.tmpl b/data/templates/logs/logrotate/vyos-atop.j2 index 2d078f379..2d078f379 100644 --- a/data/templates/logs/logrotate/vyos-atop.tmpl +++ b/data/templates/logs/logrotate/vyos-atop.j2 diff --git a/data/templates/logs/logrotate/vyos-rsyslog.tmpl b/data/templates/logs/logrotate/vyos-rsyslog.j2 index f2e4d2ab2..f2e4d2ab2 100644 --- a/data/templates/logs/logrotate/vyos-rsyslog.tmpl +++ b/data/templates/logs/logrotate/vyos-rsyslog.j2 diff --git a/data/templates/macsec/wpa_supplicant.conf.tmpl b/data/templates/macsec/wpa_supplicant.conf.j2 index 5b353def8..0ac7cb860 100644 --- a/data/templates/macsec/wpa_supplicant.conf.tmpl +++ b/data/templates/macsec/wpa_supplicant.conf.j2 @@ -45,10 +45,9 @@ network={ # - the key server has decided to enable MACsec # 0: Encrypt traffic (default) # 1: Integrity only - macsec_integ_only={{ '0' if security is defined and security.encrypt is defined else '1' }} + macsec_integ_only={{ '0' if security.encrypt is vyos_defined else '1' }} -{% if security is defined %} -{% if security.encrypt is defined %} +{% if security.encrypt is vyos_defined %} # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer @@ -63,9 +62,9 @@ network={ # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being # default priority mka_priority={{ security.mka.priority }} -{% endif %} +{% endif %} -{% if security.replay_window is defined %} +{% if security.replay_window is vyos_defined %} # macsec_replay_protect: IEEE 802.1X/MACsec replay protection # This setting applies only when MACsec is in use, i.e., # - macsec_policy is enabled @@ -83,7 +82,6 @@ network={ # 0: No replay window, strict check (default) # 1..2^32-1: number of packets that could be misordered macsec_replay_window={{ security.replay_window }} -{% endif %} {% endif %} } diff --git a/data/templates/mdns-repeater/avahi-daemon.tmpl b/data/templates/mdns-repeater/avahi-daemon.j2 index 65bb5a306..65bb5a306 100644 --- a/data/templates/mdns-repeater/avahi-daemon.tmpl +++ b/data/templates/mdns-repeater/avahi-daemon.j2 diff --git a/data/templates/monitoring/override.conf.tmpl b/data/templates/monitoring/override.conf.j2 index f8f150791..f8f150791 100644 --- a/data/templates/monitoring/override.conf.tmpl +++ b/data/templates/monitoring/override.conf.j2 diff --git a/data/templates/monitoring/syslog_telegraf.tmpl b/data/templates/monitoring/syslog_telegraf.j2 index cdcbd92a4..cdcbd92a4 100644 --- a/data/templates/monitoring/syslog_telegraf.tmpl +++ b/data/templates/monitoring/syslog_telegraf.j2 diff --git a/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl b/data/templates/monitoring/systemd_vyos_telegraf_service.j2 index 234ef5586..234ef5586 100644 --- a/data/templates/monitoring/systemd_vyos_telegraf_service.tmpl +++ b/data/templates/monitoring/systemd_vyos_telegraf_service.j2 diff --git a/data/templates/monitoring/telegraf.j2 b/data/templates/monitoring/telegraf.j2 new file mode 100644 index 000000000..d1a94366b --- /dev/null +++ b/data/templates/monitoring/telegraf.j2 @@ -0,0 +1,105 @@ +# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py + +[agent] + interval = "15s" + round_interval = true + metric_batch_size = 1000 + metric_buffer_limit = 10000 + collection_jitter = "5s" + flush_interval = "15s" + flush_jitter = "0s" + precision = "" + debug = false + quiet = false + logfile = "" + hostname = "" + omit_hostname = false +{% if influxdb_configured is vyos_defined %} +### InfluxDB2 ### +[[outputs.influxdb_v2]] + urls = ["{{ url }}:{{ port }}"] + insecure_skip_verify = true + token = "$INFLUX_TOKEN" + organization = "{{ authentication.organization }}" + bucket = "{{ bucket }}" +### End InfluxDB2 ### +{% endif %} +{% if prometheus_client is vyos_defined %} +### Prometheus ### +[[outputs.prometheus_client]] + ## Address to listen on + listen = "{{ prometheus_client.listen_address if prometheus_client.listen_address is vyos_defined else '' }}:{{ prometheus_client.port }}" + metric_version = {{ prometheus_client.metric_version }} +{% if prometheus_client.authentication.username is vyos_defined and prometheus_client.authentication.password is vyos_defined %} + ## Use HTTP Basic Authentication + basic_username = "{{ prometheus_client.authentication.username }}" + basic_password = "{{ prometheus_client.authentication.password }}" +{% endif %} +{% if prometheus_client.allow_from is vyos_defined %} + ip_range = {{ prometheus_client.allow_from }} +{% endif %} +### End Prometheus ### +{% endif %} +{% if splunk is vyos_defined %} +### Splunk ### +[[outputs.http]] + ## URL is the address to send metrics to + url = "{{ splunk.url }}" + ## Timeout for HTTP message + # timeout = "5s" + ## Use TLS but skip chain & host verification +{% if splunk.authentication.insecure is vyos_defined %} + insecure_skip_verify = true +{% endif %} + ## Data format to output + data_format = "splunkmetric" + ## Provides time, index, source overrides for the HEC + splunkmetric_hec_routing = true + ## Additional HTTP headers + [outputs.http.headers] + # Should be set manually to "application/json" for json data_format + Content-Type = "application/json" + Authorization = "Splunk {{ splunk.authentication.token }}" + X-Splunk-Request-Channel = "{{ splunk.authentication.token }}" +### End Splunk ### +{% endif %} +[[inputs.cpu]] + percpu = true + totalcpu = true + collect_cpu_time = false + report_active = false +[[inputs.disk]] + ignore_fs = ["devtmpfs", "devfs"] +[[inputs.diskio]] +[[inputs.mem]] +[[inputs.net]] +[[inputs.system]] +[[inputs.netstat]] +[[inputs.processes]] +[[inputs.kernel]] +[[inputs.interrupts]] +[[inputs.linux_sysctl_fs]] +[[inputs.systemd_units]] +[[inputs.conntrack]] + files = ["ip_conntrack_count","ip_conntrack_max","nf_conntrack_count","nf_conntrack_max"] + dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"] +[[inputs.ethtool]] + interface_include = {{ interfaces_ethernet }} +[[inputs.ntpq]] + dns_lookup = true +[[inputs.internal]] +[[inputs.nstat]] +[[inputs.syslog]] + server = "unixgram:///run/telegraf/telegraf_syslog.sock" + best_effort = true + syslog_standard = "RFC3164" +{% if influxdb_configured is vyos_defined %} +[[inputs.exec]] + commands = [ + "{{ custom_scripts_dir }}/show_firewall_input_filter.py", + "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", + "{{ custom_scripts_dir }}/vyos_services_input_filter.py" + ] + timeout = "10s" + data_format = "influx" +{% endif %} diff --git a/data/templates/monitoring/telegraf.tmpl b/data/templates/monitoring/telegraf.tmpl deleted file mode 100644 index d3145a500..000000000 --- a/data/templates/monitoring/telegraf.tmpl +++ /dev/null @@ -1,60 +0,0 @@ -# Generated by /usr/libexec/vyos/conf_mode/service_monitoring_telegraf.py - -[agent] - interval = "10s" - round_interval = true - metric_batch_size = 1000 - metric_buffer_limit = 10000 - collection_jitter = "0s" - flush_interval = "10s" - flush_jitter = "0s" - precision = "" - debug = false - quiet = false - logfile = "" - hostname = "" - omit_hostname = false -[[outputs.influxdb_v2]] - urls = ["{{ url }}:{{ port }}"] - insecure_skip_verify = true - token = "$INFLUX_TOKEN" - organization = "{{ authentication.organization }}" - bucket = "{{ bucket }}" -[[inputs.cpu]] - percpu = true - totalcpu = true - collect_cpu_time = false - report_active = false -[[inputs.disk]] - ignore_fs = ["devtmpfs", "devfs"] -[[inputs.diskio]] -[[inputs.mem]] -[[inputs.net]] -[[inputs.system]] -[[inputs.netstat]] -[[inputs.processes]] -[[inputs.kernel]] -[[inputs.interrupts]] -[[inputs.linux_sysctl_fs]] -[[inputs.systemd_units]] -[[inputs.conntrack]] - files = ["ip_conntrack_count","ip_conntrack_max","nf_conntrack_count","nf_conntrack_max"] - dirs = ["/proc/sys/net/ipv4/netfilter","/proc/sys/net/netfilter"] -[[inputs.ethtool]] - interface_include = {{ interfaces_ethernet }} -[[inputs.ntpq]] - dns_lookup = true -[[inputs.internal]] -[[inputs.nstat]] -[[inputs.syslog]] - server = "unixgram:///run/telegraf/telegraf_syslog.sock" - best_effort = true - syslog_standard = "RFC3164" -[[inputs.exec]] - commands = [ - "{{ custom_scripts_dir }}/show_firewall_input_filter.py", - "{{ custom_scripts_dir }}/show_interfaces_input_filter.py", - "{{ custom_scripts_dir }}/vyos_services_input_filter.py" - ] - timeout = "10s" - data_format = "influx" diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2 new file mode 100644 index 000000000..120fa0a64 --- /dev/null +++ b/data/templates/ndppd/ndppd.conf.j2 @@ -0,0 +1,44 @@ +######################################################## +# +# autogenerated by nat66.py +# +# The configuration file must define one upstream +# interface. +# +# For some services, such as nat66, because it runs +# stateless, it needs to rely on NDP Proxy to respond +# to NDP requests. +# +# When using nat66 source rules, NDP Proxy needs +# to be enabled +# +######################################################## + +{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %} +{% if source.rule is vyos_defined %} +{% for rule, config in source.rule.items() if config.disable is not defined %} +{% if config.outbound_interface is vyos_defined %} +{% if config.outbound_interface not in global.ndppd_interfaces %} +{% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %} +{% endif %} +{% if config.translation.address is vyos_defined and config.translation.address | is_ip_network %} +{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %} +{% endif %} +{% endif %} +{% endfor %} +{% endif %} + +{% for interface in global.ndppd_interfaces %} +proxy {{ interface }} { + router yes + timeout 500 + ttl 30000 +{% for map in global.ndppd_prefixs %} +{% if map.interface == interface %} + rule {{ map.rule }} { + static + } +{% endif %} +{% endfor %} +} +{% endfor %} diff --git a/data/templates/ndppd/ndppd.conf.tmpl b/data/templates/ndppd/ndppd.conf.tmpl deleted file mode 100644 index 502dab5b8..000000000 --- a/data/templates/ndppd/ndppd.conf.tmpl +++ /dev/null @@ -1,44 +0,0 @@ -######################################################## -# -# autogenerated by nat66.py -# -# The configuration file must define one upstream -# interface. -# -# For some services, such as nat66, because it runs -# stateless, it needs to rely on NDP Proxy to respond -# to NDP requests. -# -# When using nat66 source rules, NDP Proxy needs -# to be enabled -# -######################################################## - -{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %} -{% if source is defined and source.rule is defined and source.rule is not none %} -{% for rule, config in source.rule.items() if config.disable is not defined %} -{% if config.outbound_interface is defined %} -{% if config.outbound_interface not in global.ndppd_interfaces %} -{% set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %} -{% endif %} -{% if config.translation is defined and config.translation.address is defined and config.translation.address | is_ip_network %} -{% set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %} -{% endif %} -{% endif %} -{% endfor %} -{% endif %} - -{% for interface in global.ndppd_interfaces %} -proxy {{ interface }} { - router yes - timeout 500 - ttl 30000 -{% for map in global.ndppd_prefixs %} -{% if map.interface == interface %} - rule {{ map.rule }} { - static - } -{% endif %} -{% endfor %} -} -{% endfor %} diff --git a/data/templates/nhrp/opennhrp.conf.j2 b/data/templates/nhrp/opennhrp.conf.j2 new file mode 100644 index 000000000..c040a8f14 --- /dev/null +++ b/data/templates/nhrp/opennhrp.conf.j2 @@ -0,0 +1,42 @@ +{# j2lint: disable=jinja-variable-format #} +# Created by VyOS - manual changes will be overwritten + +{% if tunnel is vyos_defined %} +{% for name, tunnel_conf in tunnel.items() %} +{% set type = 'spoke' if tunnel_conf.map is vyos_defined or tunnel_conf.dynamic_map is vyos_defined else 'hub' %} +{% set profile_name = profile_map[name] if profile_map is vyos_defined and name in profile_map else '' %} +interface {{ name }} #{{ type }} {{ profile_name }} +{% if tunnel_conf.map is vyos_defined %} +{% for map, map_conf in tunnel_conf.map.items() %} +{% set cisco = ' cisco' if map_conf.cisco is vyos_defined else '' %} +{% set register = ' register' if map_conf.register is vyos_defined else '' %} + map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }} +{% endfor %} +{% endif %} +{% if tunnel_conf.dynamic_map is vyos_defined %} +{% for map, map_conf in tunnel_conf.dynamic_map.items() %} + dynamic-map {{ map }} {{ map_conf.nbma_domain_name }} +{% endfor %} +{% endif %} +{% if tunnel_conf.cisco_authentication is vyos_defined %} + cisco-authentication {{ tunnel_conf.cisco_authentication }} +{% endif %} +{% if tunnel_conf.holding_time is vyos_defined %} + holding-time {{ tunnel_conf.holding_time }} +{% endif %} +{% if tunnel_conf.multicast is vyos_defined %} + multicast {{ tunnel_conf.multicast }} +{% endif %} +{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %} +{% if key in tunnel_conf %} + {{ key | replace("_", "-") }} +{% endif %} +{% endfor %} +{% if tunnel_conf.shortcut_target is vyos_defined %} +{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %} + shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is vyos_defined }} +{% endfor %} +{% endif %} + +{% endfor %} +{% endif %} diff --git a/data/templates/nhrp/opennhrp.conf.tmpl b/data/templates/nhrp/opennhrp.conf.tmpl deleted file mode 100644 index e9e9f692a..000000000 --- a/data/templates/nhrp/opennhrp.conf.tmpl +++ /dev/null @@ -1,41 +0,0 @@ -# Created by VyOS - manual changes will be overwritten - -{% if tunnel is defined and tunnel is not none %} -{% for name, tunnel_conf in tunnel.items() %} -{% set type = 'spoke' if tunnel_conf.map is defined or tunnel_conf.dynamic_map is defined else 'hub' %} -{% set profile_name = profile_map[name] if profile_map is defined and name in profile_map else '' %} -interface {{ name }} #{{ type }} {{ profile_name }} -{% if tunnel_conf.map is defined and tunnel_conf.map is not none %} -{% for map, map_conf in tunnel_conf.map.items() %} -{% set cisco = ' cisco' if map_conf.cisco is defined else '' %} -{% set register = ' register' if map_conf.register is defined else '' %} - map {{ map }} {{ map_conf.nbma_address }}{{ register }}{{ cisco }} -{% endfor %} -{% endif %} -{% if tunnel_conf.dynamic_map is defined and tunnel_conf.dynamic_map is not none %} -{% for map, map_conf in tunnel_conf.dynamic_map.items() %} - dynamic-map {{ map }} {{ map_conf.nbma_domain_name }} -{% endfor %} -{% endif %} -{% if tunnel_conf.cisco_authentication is defined and tunnel_conf.cisco_authentication is not none %} - cisco-authentication {{ tunnel_conf.cisco_authentication }} -{% endif %} -{% if tunnel_conf.holding_time is defined and tunnel_conf.holding_time is not none %} - holding-time {{ tunnel_conf.holding_time }} -{% endif %} -{% if tunnel_conf.multicast is defined and tunnel_conf.multicast is not none %} - multicast {{ tunnel_conf.multicast }} -{% endif %} -{% for key in ['non_caching', 'redirect', 'shortcut', 'shortcut_destination'] %} -{% if key in tunnel_conf %} - {{ key | replace("_", "-") }} -{% endif %} -{% endfor %} -{% if tunnel_conf.shortcut_target is defined and tunnel_conf.shortcut_target is not none %} -{% for target, shortcut_conf in tunnel_conf.shortcut_target.items() %} - shortcut-target {{ target }}{{ ' holding-time ' + shortcut_conf.holding_time if shortcut_conf.holding_time is defined }} -{% endfor %} -{% endif %} - -{% endfor %} -{% endif %} diff --git a/data/templates/ntp/ntpd.conf.tmpl b/data/templates/ntp/ntpd.conf.j2 index e7afcc16b..da610051e 100644 --- a/data/templates/ntp/ntpd.conf.tmpl +++ b/data/templates/ntp/ntpd.conf.j2 @@ -15,28 +15,28 @@ restrict -6 ::1 # # Configurable section # -{% if server is defined and server is not none %} -{% for server, config in server.items() %} -{% set association = 'server' %} -{% if config.pool is defined %} -{% set association = 'pool' %} -{% endif %} -{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is defined }} {{ 'preempt' if config.preempt is defined }} {{ 'prefer' if config.prefer is defined }} -{% endfor %} +{% if server is vyos_defined %} +{% for server, config in server.items() %} +{% set association = 'server' %} +{% if config.pool is vyos_defined %} +{% set association = 'pool' %} +{% endif %} +{{ association }} {{ server | replace('_', '-') }} iburst {{ 'noselect' if config.noselect is vyos_defined }} {{ 'preempt' if config.preempt is vyos_defined }} {{ 'prefer' if config.prefer is vyos_defined }} +{% endfor %} {% endif %} -{% if allow_clients is defined and allow_clients.address is defined %} +{% if allow_clients.address is vyos_defined %} # Allowed clients configuration restrict default ignore -{% for address in allow_clients.address %} -restrict {{ address|address_from_cidr }} mask {{ address|netmask_from_cidr }} nomodify notrap nopeer -{% endfor %} +{% for address in allow_clients.address %} +restrict {{ address | address_from_cidr }} mask {{ address | netmask_from_cidr }} nomodify notrap nopeer +{% endfor %} {% endif %} {% if listen_address %} # NTP should listen on configured addresses only interface ignore wildcard -{% for address in listen_address %} +{% for address in listen_address %} interface listen {{ address }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/ntp/override.conf.j2 b/data/templates/ntp/override.conf.j2 new file mode 100644 index 000000000..6fed9d7d2 --- /dev/null +++ b/data/templates/ntp/override.conf.j2 @@ -0,0 +1,14 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +ConditionPathExists={{ config_file }} +After=vyos-router.service + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/ntpd -g -p {{ config_file | replace('.conf', '.pid') }} -c {{ config_file }} -u ntp:ntp +PIDFile= +PIDFile={{ config_file | replace('.conf', '.pid') }} +Restart=always +RestartSec=10 + diff --git a/data/templates/ntp/override.conf.tmpl b/data/templates/ntp/override.conf.tmpl deleted file mode 100644 index 28eb61b21..000000000 --- a/data/templates/ntp/override.conf.tmpl +++ /dev/null @@ -1,14 +0,0 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -[Unit] -StartLimitIntervalSec=0 -ConditionPathExists={{config_file}} -After=vyos-router.service - -[Service] -ExecStart= -ExecStart={{vrf_command}}/usr/sbin/ntpd -g -p {{config_file | replace('.conf', '.pid') }} -c {{config_file}} -u ntp:ntp -PIDFile= -PIDFile={{config_file | replace('.conf', '.pid') }} -Restart=always -RestartSec=10 - diff --git a/data/templates/ocserv/ocserv_config.tmpl b/data/templates/ocserv/ocserv_config.j2 index 0be805235..8418a2185 100644 --- a/data/templates/ocserv/ocserv_config.tmpl +++ b/data/templates/ocserv/ocserv_config.j2 @@ -8,19 +8,27 @@ run-as-group = daemon {% if "radius" in authentication.mode %} auth = "radius [config=/run/ocserv/radiusclient.conf]" +{% elif "local" in authentication.mode %} +{% if authentication.mode.local == "password-otp" %} +auth = "plain[passwd=/run/ocserv/ocpasswd,otp=/run/ocserv/users.oath]" +{% elif authentication.mode.local == "otp" %} +auth = "plain[otp=/run/ocserv/users.oath]" +{% else %} +auth = "plain[/run/ocserv/ocpasswd]" +{% endif %} {% else %} auth = "plain[/run/ocserv/ocpasswd]" {% endif %} -{% if ssl.certificate is defined %} +{% if ssl.certificate is vyos_defined %} server-cert = /run/ocserv/cert.pem server-key = /run/ocserv/cert.key -{% if ssl.passphrase is defined %} +{% if ssl.passphrase is vyos_defined %} key-pin = {{ ssl.passphrase }} -{% endif %} +{% endif %} {% endif %} -{% if ssl.ca_certificate is defined %} +{% if ssl.ca_certificate is vyos_defined %} ca-cert = /run/ocserv/ca.pem {% endif %} @@ -42,7 +50,8 @@ rekey-method = ssl try-mtu-discovery = true cisco-client-compat = true dtls-legacy = true - +max-ban-score = 80 +ban-reset-time = 300 # The name to use for the tun device device = sslvpn @@ -50,33 +59,33 @@ device = sslvpn # An alternative way of specifying the network: {% if network_settings %} # DNS settings -{% if network_settings.name_server is string %} +{% if network_settings.name_server is string %} dns = {{ network_settings.name_server }} -{% else %} -{% for dns in network_settings.name_server %} +{% else %} +{% for dns in network_settings.name_server %} dns = {{ dns }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} # IPv4 network pool -{% if network_settings.client_ip_settings %} -{% if network_settings.client_ip_settings.subnet %} +{% if network_settings.client_ip_settings %} +{% if network_settings.client_ip_settings.subnet %} ipv4-network = {{ network_settings.client_ip_settings.subnet }} +{% endif %} {% endif %} -{% endif %} # IPv6 network pool -{% if network_settings.client_ipv6_pool %} -{% if network_settings.client_ipv6_pool.prefix %} +{% if network_settings.client_ipv6_pool %} +{% if network_settings.client_ipv6_pool.prefix %} ipv6-network = {{ network_settings.client_ipv6_pool.prefix }} ipv6-subnet-prefix = {{ network_settings.client_ipv6_pool.mask }} +{% endif %} {% endif %} -{% endif %} {% endif %} {% if network_settings.push_route is string %} route = {{ network_settings.push_route }} {% else %} -{% for route in network_settings.push_route %} +{% for route in network_settings.push_route %} route = {{ route }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/ocserv/ocserv_otp_usr.j2 b/data/templates/ocserv/ocserv_otp_usr.j2 new file mode 100644 index 000000000..b2511ed94 --- /dev/null +++ b/data/templates/ocserv/ocserv_otp_usr.j2 @@ -0,0 +1,8 @@ +#<token_type> <username> <pin> <secret_hex_key> <counter> <lastpass> <time> +{% if username is vyos_defined %} +{% for user, user_config in username.items() %} +{% if user_config.disable is not vyos_defined and user_config.otp is vyos_defined %} +{{ user_config.otp.token_tmpl }} {{ user }} {{ user_config.otp.pin | default("-", true) }} {{ user_config.otp.key }} +{% endif %} +{% endfor %} +{% endif %} diff --git a/data/templates/ocserv/ocserv_passwd.j2 b/data/templates/ocserv/ocserv_passwd.j2 new file mode 100644 index 000000000..30c79d66a --- /dev/null +++ b/data/templates/ocserv/ocserv_passwd.j2 @@ -0,0 +1,8 @@ +#<username>:<group>:<hash> +{% if username is vyos_defined %} +{% for user, user_config in username.items() %} +{% if user_config.disable is not vyos_defined %} +{{ user }}:*:{{ user_config.hash }} +{% endif %} +{% endfor %} +{% endif %}
\ No newline at end of file diff --git a/data/templates/ocserv/ocserv_passwd.tmpl b/data/templates/ocserv/ocserv_passwd.tmpl deleted file mode 100644 index ffadb4860..000000000 --- a/data/templates/ocserv/ocserv_passwd.tmpl +++ /dev/null @@ -1,6 +0,0 @@ -#<username>:<group>:<hash> -{% for user in username if username is defined %} -{% if not "disable" in username[user] %} -{{ user }}:*:{{ username[user].hash }} -{% endif %} -{% endfor %}
\ No newline at end of file diff --git a/data/templates/ocserv/radius_conf.tmpl b/data/templates/ocserv/radius_conf.j2 index 1712d83ef..b6612fee5 100644 --- a/data/templates/ocserv/radius_conf.tmpl +++ b/data/templates/ocserv/radius_conf.j2 @@ -1,13 +1,13 @@ ### generated by vpn_openconnect.py ### nas-identifier VyOS {% for srv in server %} -{% if not "disable" in server[srv] %} -{% if "port" in server[srv] %} -authserver {{ srv }}:{{server[srv]["port"]}} -{% else %} +{% if not "disable" in server[srv] %} +{% if "port" in server[srv] %} +authserver {{ srv }}:{{ server[srv]["port"] }} +{% else %} authserver {{ srv }} +{% endif %} {% endif %} -{% endif %} {% endfor %} radius_timeout {{ timeout }} {% if source_address %} @@ -15,7 +15,7 @@ bindaddr {{ source_address }} {% else %} bindaddr * {% endif %} -servers /run/ocserv/radius_servers +servers /run/ocserv/radius_servers dictionary /etc/radcli/dictionary default_realm radius_retries 3 diff --git a/data/templates/ocserv/radius_servers.j2 b/data/templates/ocserv/radius_servers.j2 new file mode 100644 index 000000000..302e91600 --- /dev/null +++ b/data/templates/ocserv/radius_servers.j2 @@ -0,0 +1,7 @@ +### generated by vpn_openconnect.py ### +# server key +{% for srv in server %} +{% if not "disable" in server[srv] %} +{{ srv }} {{ server[srv].key }} +{% endif %} +{% endfor %} diff --git a/data/templates/ocserv/radius_servers.tmpl b/data/templates/ocserv/radius_servers.tmpl deleted file mode 100644 index 7bacac992..000000000 --- a/data/templates/ocserv/radius_servers.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -### generated by vpn_openconnect.py ### -# server key -{% for srv in server %} -{% if not "disable" in server[srv] %} -{{ srv }} {{ server[srv].key }} -{% endif %} -{% endfor %} diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.j2 index 9b20c9742..218121062 100644 --- a/data/templates/openvpn/auth.pw.tmpl +++ b/data/templates/openvpn/auth.pw.j2 @@ -1,5 +1,5 @@ {# Autogenerated by interfaces-openvpn.py #} -{% if authentication is defined and authentication is not none %} +{% if authentication is vyos_defined %} {{ authentication.username }} {{ authentication.password }} {% endif %} diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.j2 index e6e15b6ad..2e327e4d3 100644 --- a/data/templates/openvpn/client.conf.tmpl +++ b/data/templates/openvpn/client.conf.j2 @@ -1,31 +1,31 @@ ### Autogenerated by interfaces-openvpn.py ### -{% if ip %} +{% if ip is vyos_defined %} ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }} {% endif %} -{% if push_route is defined and push_route is not none %} -{% for route in push_route %} +{% if push_route is vyos_defined %} +{% for route in push_route %} push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" -{% endfor %} +{% endfor %} {% endif %} -{% if subnet is defined and subnet is not none %} -{% for network in subnet %} +{% if subnet is vyos_defined %} +{% for network in subnet %} iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }} -{% endfor %} +{% endfor %} {% endif %} {# ipv6_remote is only set when IPv6 server is enabled #} -{% if ipv6_remote %} +{% if ipv6_remote is vyos_defined %} # IPv6 -{% if ipv6_ip %} +{% if ipv6_ip is vyos_defined %} ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }} -{% endif %} -{% for route6 in ipv6_push_route %} +{% endif %} +{% for route6 in ipv6_push_route %} push "route-ipv6 {{ route6 }}" -{% endfor %} -{% for net6 in ipv6_subnet %} +{% endfor %} +{% for net6 in ipv6_subnet %} iroute-ipv6 {{ net6 }} -{% endfor %} +{% endfor %} {% endif %} -{% if disable is defined %} +{% if disable is vyos_defined %} disable {% endif %} diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2 new file mode 100644 index 000000000..6dd4ef88d --- /dev/null +++ b/data/templates/openvpn/server.conf.j2 @@ -0,0 +1,224 @@ +### Autogenerated by interfaces-openvpn.py ### +# +# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +# for individual keyword definition +# +# {{ description if description is vyos_defined }} +# + +verb 3 +dev-type {{ device_type }} +dev {{ ifname }} +persist-key +{% if protocol is vyos_defined('tcp-active') %} +proto tcp-client +{% elif protocol is vyos_defined('tcp-passive') %} +proto tcp-server +{% else %} +proto udp +{% endif %} +{% if local_host is vyos_defined %} +local {{ local_host }} +{% endif %} +{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %} +multihome +{% endif %} +{% if local_port is vyos_defined %} +lport {{ local_port }} +{% endif %} +{% if remote_port is vyos_defined %} +rport {{ remote_port }} +{% endif %} +{% if remote_host is vyos_defined %} +{% for remote in remote_host %} +remote {{ remote }} +{% endfor %} +{% endif %} +{% if shared_secret_key is vyos_defined %} +secret /run/openvpn/{{ ifname }}_shared.key +{% endif %} +{% if persistent_tunnel is vyos_defined %} +persist-tun +{% endif %} +{% if replace_default_route.local is vyos_defined %} +push "redirect-gateway local def1" +{% elif replace_default_route is vyos_defined %} +push "redirect-gateway def1" +{% endif %} +{% if use_lzo_compression is vyos_defined %} +compress lzo +{% endif %} + +{% if mode is vyos_defined('client') %} +# +# OpenVPN Client mode +# +client +nobind + +{% elif mode is vyos_defined('server') %} +# +# OpenVPN Server mode +# +mode server +tls-server +{% if server is vyos_defined %} +{% if server.subnet is vyos_defined %} +{% if server.topology is vyos_defined('point-to-point') %} +topology p2p +{% elif server.topology is vyos_defined %} +topology {{ server.topology }} +{% endif %} +{% for subnet in server.subnet %} +{% if subnet | is_ipv4 %} +server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool +{# First ip address is used as gateway. It's allows to use metrics #} +{% if server.push_route is vyos_defined %} +{% for route, route_config in server.push_route.items() %} +{% if route | is_ipv4 %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" +{% elif route | is_ipv6 %} +push "route-ipv6 {{ route }}" +{% endif %} +{% endfor %} +{% endif %} +{# OpenVPN assigns the first IP address to its local interface so the pool used #} +{# in net30 topology - where each client receives a /30 must start from the second subnet #} +{% if server.topology is vyos_defined('net30') %} +ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} +{% else %} +{# OpenVPN assigns the first IP address to its local interface so the pool must #} +{# start from the second address and end on the last address #} +ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }} +{% endif %} +{% elif subnet | is_ipv6 %} +server-ipv6 {{ subnet }} +{% endif %} +{% endfor %} +{% endif %} + +{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} +{% endif %} +{% if server.max_connections is vyos_defined %} +max-clients {{ server.max_connections }} +{% endif %} +{% if server.client is vyos_defined %} +client-config-dir /run/openvpn/ccd/{{ ifname }} +{% endif %} +{% endif %} +keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }} +management /run/openvpn/openvpn-mgmt-intf unix +{% if server is vyos_defined %} +{% if server.reject_unconfigured_clients is vyos_defined %} +ccd-exclusive +{% endif %} + +{% if server.name_server is vyos_defined %} +{% for nameserver in server.name_server %} +{% if nameserver | is_ipv4 %} +push "dhcp-option DNS {{ nameserver }}" +{% elif nameserver | is_ipv6 %} +push "dhcp-option DNS6 {{ nameserver }}" +{% endif %} +{% endfor %} +{% endif %} +{% if server.domain_name is vyos_defined %} +push "dhcp-option DOMAIN {{ server.domain_name }}" +{% endif %} +{% if server.mfa.totp is vyos_defined %} +{% set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" +{% endif %} +{% endif %} +{% else %} +# +# OpenVPN site-2-site mode +# +ping {{ keep_alive.interval }} +ping-restart {{ keep_alive.failure_count }} + +{% if device_type == 'tap' %} +{% if local_address is vyos_defined %} +{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} +{% if laddr_conf.subnet_mask is vyos_defined %} +ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} +{% endif %} +{% endfor %} +{% endif %} +{% else %} +{% for laddr in local_address if laddr | is_ipv4 %} +{% for raddr in remote_address if raddr | is_ipv4 %} +ifconfig {{ laddr }} {{ raddr }} +{% endfor %} +{% endfor %} +{% for laddr in local_address if laddr | is_ipv6 %} +{% for raddr in remote_address if raddr | is_ipv6 %} +ifconfig-ipv6 {{ laddr }} {{ raddr }} +{% endfor %} +{% endfor %} +{% endif %} +{% endif %} + +{% if tls is vyos_defined %} +# TLS options +{% if tls.ca_certificate is vyos_defined %} +ca /run/openvpn/{{ ifname }}_ca.pem +{% endif %} +{% if tls.certificate is vyos_defined %} +cert /run/openvpn/{{ ifname }}_cert.pem +{% endif %} +{% if tls.private_key is vyos_defined %} +key /run/openvpn/{{ ifname }}_cert.key +{% endif %} +{% if tls.crypt_key is vyos_defined %} +tls-crypt /run/openvpn/{{ ifname }}_crypt.key +{% endif %} +{% if tls.crl is vyos_defined %} +crl-verify /run/openvpn/{{ ifname }}_crl.pem +{% endif %} +{% if tls.tls_version_min is vyos_defined %} +tls-version-min {{ tls.tls_version_min }} +{% endif %} +{% if tls.dh_params is vyos_defined %} +dh /run/openvpn/{{ ifname }}_dh.pem +{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} +dh none +{% endif %} +{% if tls.auth_key is vyos_defined %} +{% if mode == 'client' %} +tls-auth /run/openvpn/{{ ifname }}_auth.key 1 +{% elif mode == 'server' %} +tls-auth /run/openvpn/{{ ifname }}_auth.key 0 +{% endif %} +{% endif %} +{% if tls.role is vyos_defined('active') %} +tls-client +{% elif tls.role is vyos_defined('passive') %} +tls-server +{% endif %} +{% endif %} + +# Encryption options +{% if encryption is vyos_defined %} +{% if encryption.cipher is vyos_defined %} +cipher {{ encryption.cipher | openvpn_cipher }} +{% if encryption.cipher is vyos_defined('bf128') %} +keysize 128 +{% elif encryption.cipher is vyos_defined('bf256') %} +keysize 256 +{% endif %} +{% endif %} +{% if encryption.ncp_ciphers is vyos_defined %} +data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} +{% endif %} +{% endif %} + +{% if hash is vyos_defined %} +auth {{ hash }} +{% endif %} + +{% if authentication is vyos_defined %} +auth-user-pass {{ auth_user_pass_file }} +auth-retry nointeract +{% endif %} diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl deleted file mode 100644 index fb7ad9e16..000000000 --- a/data/templates/openvpn/server.conf.tmpl +++ /dev/null @@ -1,228 +0,0 @@ -### Autogenerated by interfaces-openvpn.py ### -# -# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage -# for individual keyword definition -# -# {{ description if description is defined and description is not none }} -# - -verb 3 -dev-type {{ device_type }} -dev {{ ifname }} -persist-key -{% if protocol == 'tcp-active' %} -proto tcp-client -{% elif protocol == 'tcp-passive' %} -proto tcp-server -{% else %} -proto udp -{% endif %} -{% if local_host is defined and local_host is not none %} -local {{ local_host }} -{% endif %} -{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %} -multihome -{% endif %} -{% if local_port is defined and local_port is not none %} -lport {{ local_port }} -{% endif %} -{% if remote_port is defined and remote_port is not none %} -rport {{ remote_port }} -{% endif %} -{% if remote_host is defined and remote_host is not none %} -{% for remote in remote_host %} -remote {{ remote }} -{% endfor %} -{% endif %} -{% if shared_secret_key is defined and shared_secret_key is not none %} -secret /run/openvpn/{{ ifname }}_shared.key -{% endif %} -{% if persistent_tunnel is defined %} -persist-tun -{% endif %} -{% if replace_default_route is defined and replace_default_route.local is defined %} -push "redirect-gateway local def1" -{% elif replace_default_route is defined %} -push "redirect-gateway def1" -{% endif %} -{% if use_lzo_compression is defined %} -compress lzo -{% endif %} - -{% if mode == 'client' %} -# -# OpenVPN Client mode -# -client -nobind - -{% elif mode == 'server' %} -# -# OpenVPN Server mode -# -mode server -tls-server -{% if server is defined and server is not none %} -{% if server.subnet is defined and server.subnet is not none %} -{% if server.topology is defined and server.topology == 'point-to-point' %} -topology p2p -{% elif server.topology is defined and server.topology is not none %} -topology {{ server.topology }} -{% endif %} -{% for subnet in server.subnet %} -{% if subnet | is_ipv4 %} -server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool -{# First ip address is used as gateway. It's allows to use metrics #} -{% if server.push_route is defined and server.push_route is not none %} -{% for route, route_config in server.push_route.items() %} -{% if route | is_ipv4 %} -push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}" -{% elif route | is_ipv6 %} -push "route-ipv6 {{ route }}" -{% endif %} -{% endfor %} -{% endif %} -{# OpenVPN assigns the first IP address to its local interface so the pool used #} -{# in net30 topology - where each client receives a /30 must start from the second subnet #} -{% if server.topology is defined and server.topology == 'net30' %} -ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} -{% else %} -{# OpenVPN assigns the first IP address to its local interface so the pool must #} -{# start from the second address and end on the last address #} -ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }} -{% endif %} -{% elif subnet | is_ipv6 %} -server-ipv6 {{ subnet }} -{% endif %} -{% endfor %} -{% endif %} - -{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} -ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} -{% endif %} -{% if server.max_connections is defined and server.max_connections is not none %} -max-clients {{ server.max_connections }} -{% endif %} -{% if server.client is defined and server.client is not none %} -client-config-dir /run/openvpn/ccd/{{ ifname }} -{% endif %} -{% endif %} -keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} -management /run/openvpn/openvpn-mgmt-intf unix -{% if server is defined and server is not none %} -{% if server.reject_unconfigured_clients is defined %} -ccd-exclusive -{% endif %} - -{% if server.name_server is defined and server.name_server is not none %} -{% for nameserver in server.name_server %} -{% if nameserver | is_ipv4 %} -push "dhcp-option DNS {{ nameserver }}" -{% elif nameserver | is_ipv6 %} -push "dhcp-option DNS6 {{ nameserver }}" -{% endif %} -{% endfor %} -{% endif %} -{% if server.domain_name is defined and server.domain_name is not none %} -push "dhcp-option DOMAIN {{ server.domain_name }}" -{% endif %} -{% if server.mfa is defined and server.mfa is not none %} -{% if server.mfa.totp is defined and server.mfa.totp is not none %} -{% set totp_config = server.mfa.totp %} -plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" -{% endif %} -{% endif %} -{% endif %} -{% else %} -# -# OpenVPN site-2-site mode -# -ping {{ keep_alive.interval }} -ping-restart {{ keep_alive.failure_count }} - -{% if device_type == 'tap' %} -{% if local_address is defined and local_address is not none %} -{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} -ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} -{% endif %} -{% endfor %} -{% endif %} -{% else %} -{% for laddr in local_address if laddr | is_ipv4 %} -{% for raddr in remote_address if raddr | is_ipv4 %} -ifconfig {{ laddr }} {{ raddr }} -{% endfor %} -{% endfor %} -{% for laddr in local_address if laddr | is_ipv6 %} -{% for raddr in remote_address if raddr | is_ipv6 %} -ifconfig-ipv6 {{ laddr }} {{ raddr }} -{% endfor %} -{% endfor %} -{% endif %} -{% endif %} - -{% if tls is defined and tls is not none %} -# TLS options -{% if tls.ca_certificate is defined and tls.ca_certificate is not none %} -ca /run/openvpn/{{ ifname }}_ca.pem -{% endif %} -{% if tls.certificate is defined and tls.certificate is not none %} -cert /run/openvpn/{{ ifname }}_cert.pem -{% endif %} -{% if tls.private_key is defined %} -key /run/openvpn/{{ ifname }}_cert.key -{% endif %} -{% if tls.crypt_key is defined and tls.crypt_key is not none %} -tls-crypt /run/openvpn/{{ ifname }}_crypt.key -{% endif %} -{% if tls.crl is defined %} -crl-verify /run/openvpn/{{ ifname }}_crl.pem -{% endif %} -{% if tls.tls_version_min is defined and tls.tls_version_min is not none %} -tls-version-min {{ tls.tls_version_min }} -{% endif %} -{% if tls.dh_params is defined and tls.dh_params is not none %} -dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode == 'server' and tls.private_key is defined %} -dh none -{% endif %} -{% if tls.auth_key is defined and tls.auth_key is not none %} -{% if mode == 'client' %} -tls-auth /run/openvpn/{{ ifname }}_auth.key 1 -{% elif mode == 'server' %} -tls-auth /run/openvpn/{{ ifname }}_auth.key 0 -{% endif %} -{% endif %} -{% if tls.role is defined and tls.role is not none %} -{% if tls.role == 'active' %} -tls-client -{% elif tls.role == 'passive' %} -tls-server -{% endif %} -{% endif %} -{% endif %} - -# Encryption options -{% if encryption is defined and encryption is not none %} -{% if encryption.cipher is defined and encryption.cipher is not none %} -cipher {{ encryption.cipher | openvpn_cipher }} -{% if encryption.cipher == 'bf128' %} -keysize 128 -{% elif encryption.cipher == 'bf256' %} -keysize 256 -{% endif %} -{% endif %} -{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} -data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} -{% endif %} -{% endif %} - -{% if hash is defined and hash is not none %} -auth {{ hash }} -{% endif %} - -{% if authentication is defined and authentication is not none %} -auth-user-pass {{ auth_user_pass_file }} -auth-retry nointeract -{% endif %} diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2 new file mode 100644 index 000000000..616ba3bfc --- /dev/null +++ b/data/templates/openvpn/service-override.conf.j2 @@ -0,0 +1,21 @@ +{% set options = namespace(value='') %} +{% if openvpn_option is vyos_defined %} +{% for option in openvpn_option %} +{# Remove the '--' prefix from variable if it is presented #} +{% if option.startswith('--') %} +{% set option = option.split('--', maxsplit=1)[1] %} +{% endif %} +{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #} +{# But now it stopped doing this, so we need to add them for compatibility #} +{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #} +{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #} +{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %} +{% set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %} +{% endif %} +{% set options.value = options.value ~ ' --' ~ option %} +{% endfor %} +{% endif %} +[Service] +ExecStart= +ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }} + diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl deleted file mode 100644 index 069bdbd08..000000000 --- a/data/templates/openvpn/service-override.conf.tmpl +++ /dev/null @@ -1,20 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid -{%- if openvpn_option is defined and openvpn_option is not none %} -{% for option in openvpn_option %} -{# Remove the '--' prefix from variable if it is presented #} -{% if option.startswith('--') %} -{% set option = option.split('--', maxsplit=1)[1] %} -{% endif %} -{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #} -{# But now it stopped doing this, so we need to add them for compatibility #} -{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #} -{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #} -{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %} -{% set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %} -{% endif %} - --{{ option }} -{%- endfor %} -{% endif %} - diff --git a/data/templates/pmacct/override.conf.tmpl b/data/templates/pmacct/override.conf.j2 index 216927666..213569ddc 100644 --- a/data/templates/pmacct/override.conf.tmpl +++ b/data/templates/pmacct/override.conf.j2 @@ -1,4 +1,4 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After= After=vyos-router.service @@ -8,7 +8,7 @@ ConditionPathExists=/run/pmacct/uacctd.conf [Service] EnvironmentFile= ExecStart= -ExecStart={{vrf_command}}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf +ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf WorkingDirectory= WorkingDirectory=/run/pmacct PIDFile= diff --git a/data/templates/pmacct/uacctd.conf.tmpl b/data/templates/pmacct/uacctd.conf.j2 index b58f7c796..ea6247005 100644 --- a/data/templates/pmacct/uacctd.conf.tmpl +++ b/data/templates/pmacct/uacctd.conf.j2 @@ -5,12 +5,12 @@ pidfile: /run/pmacct/uacctd.pid uacctd_group: 2 uacctd_nl_size: 2097152 snaplen: {{ packet_length }} -aggregate: in_iface{{ ',out_iface' if enable_egress is defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows +aggregate: in_iface{{ ',out_iface' if enable_egress is vyos_defined }},src_mac,dst_mac,vlan,src_host,dst_host,src_port,dst_port,proto,tos,flows {% set pipe_size = buffer_size | int *1024 *1024 %} plugin_pipe_size: {{ pipe_size }} {# We need an integer division (//) without any remainder or fraction #} plugin_buffer_size: {{ pipe_size // 1000 }} -{% if syslog_facility is defined and syslog_facility is not none %} +{% if syslog_facility is vyos_defined %} syslog: {{ syslog_facility }} {% endif %} {% if disable_imt is not defined %} @@ -19,56 +19,56 @@ imt_mem_pools_number: 169 {% endif %} {% set plugin = [] %} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} -{% for server in netflow.server %} -{% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %} -{% endfor %} +{% if netflow.server is vyos_defined %} +{% for server in netflow.server %} +{% set _ = plugin.append('nfprobe[nf_' ~ server ~ ']') %} +{% endfor %} {% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} -{% for server in sflow.server %} -{% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %} -{% endfor %} +{% if sflow.server is vyos_defined %} +{% for server in sflow.server %} +{% set _ = plugin.append('sfprobe[sf_' ~ server ~ ']') %} +{% endfor %} {% endif %} {% if disable_imt is not defined %} {% set _ = plugin.append('memory') %} {% endif %} plugins: {{ plugin | join(',') }} -{% if netflow is defined and netflow.server is defined and netflow.server is not none %} +{% if netflow.server is vyos_defined %} # NetFlow servers -{% for server, server_config in netflow.server.items() %} +{% for server, server_config in netflow.server.items() %} nfprobe_receiver[nf_{{ server }}]: {{ server }}:{{ server_config.port }} nfprobe_version[nf_{{ server }}]: {{ netflow.version }} -{% if netflow.engine_id is defined and netflow.engine_id is not none %} +{% if netflow.engine_id is vyos_defined %} nfprobe_engine[nf_{{ server }}]: {{ netflow.engine_id }} -{% endif %} -{% if netflow.max_flows is defined and netflow.max_flows is not none %} +{% endif %} +{% if netflow.max_flows is vyos_defined %} nfprobe_maxflows[nf_{{ server }}]: {{ netflow.max_flows }} -{% endif %} -{% if netflow.sampling_rate is defined and netflow.sampling_rate is not none %} +{% endif %} +{% if netflow.sampling_rate is vyos_defined %} sampling_rate[nf_{{ server }}]: {{ netflow.sampling_rate }} -{% endif %} -{% if netflow.source_address is defined and netflow.source_address is not none %} +{% endif %} +{% if netflow.source_address is vyos_defined %} nfprobe_source_ip[nf_{{ server }}]: {{ netflow.source_address }} -{% endif %} -{% if netflow.timeout is defined and netflow.timeout is not none %} +{% endif %} +{% if netflow.timeout is vyos_defined %} nfprobe_timeouts[nf_{{ server }}]: expint={{ netflow.timeout.expiry_interval }}:general={{ netflow.timeout.flow_generic }}:icmp={{ netflow.timeout.icmp }}:maxlife={{ netflow.timeout.max_active_life }}:tcp.fin={{ netflow.timeout.tcp_fin }}:tcp={{ netflow.timeout.tcp_generic }}:tcp.rst={{ netflow.timeout.tcp_rst }}:udp={{ netflow.timeout.udp }} -{% endif %} +{% endif %} -{% endfor %} +{% endfor %} {% endif %} -{% if sflow is defined and sflow.server is defined and sflow.server is not none %} +{% if sflow.server is vyos_defined %} # sFlow servers -{% for server, server_config in sflow.server.items() %} +{% for server, server_config in sflow.server.items() %} sfprobe_receiver[sf_{{ server }}]: {{ server }}:{{ server_config.port }} sfprobe_agentip[sf_{{ server }}]: {{ sflow.agent_address }} -{% if sflow.sampling_rate is defined and sflow.sampling_rate is not none %} +{% if sflow.sampling_rate is vyos_defined %} sampling_rate[sf_{{ server }}]: {{ sflow.sampling_rate }} -{% endif %} -{% if sflow.source_address is defined and sflow.source_address is not none %} +{% endif %} +{% if sflow.source_address is vyos_defined %} sfprobe_source_ip[sf_{{ server }}]: {{ sflow.source_address }} -{% endif %} +{% endif %} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/pppoe/ip-down.script.tmpl b/data/templates/pppoe/ip-down.script.tmpl deleted file mode 100644 index bac4155d6..000000000 --- a/data/templates/pppoe/ip-down.script.tmpl +++ /dev/null @@ -1,38 +0,0 @@ -#!/bin/sh - -# As PPPoE is an "on demand" interface we need to re-configure it when it -# becomes up -if [ "$6" != "{{ ifname }}" ]; then - exit -fi - -# add some info to syslog -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "executing $0" - -{% if connect_on_demand is not defined %} -# See https://phabricator.vyos.net/T2248. Determine if we are enslaved to a -# VRF, this is needed to properly insert the default route. -VRF_NAME="" -if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then - # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) - # Remove upper_ prefix from result string - VRF=${VRF#"upper_"} - # Populate variable to run in VR context - VRF_NAME="vrf ${VRF_NAME}" -fi - -{% if default_route != 'none' %} -# Always delete default route when interface goes down if we installed it -vtysh -c "conf t" ${VRF_NAME} -c "no ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" -{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %} -vtysh -c "conf t" ${VRF_NAME} -c "no ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" -{% endif %} -{% endif %} -{% endif %} - -{% if dhcpv6_options is defined and dhcpv6_options.pd is defined %} -# Stop wide dhcpv6 client -systemctl stop dhcp6c@{{ ifname }}.service -{% endif %} diff --git a/data/templates/pppoe/ip-pre-up.script.tmpl b/data/templates/pppoe/ip-pre-up.script.tmpl deleted file mode 100644 index a54e4e9bd..000000000 --- a/data/templates/pppoe/ip-pre-up.script.tmpl +++ /dev/null @@ -1,18 +0,0 @@ -#!/bin/sh - -# As PPPoE is an "on demand" interface we need to re-configure it when it -# becomes up -if [ "$6" != "{{ ifname }}" ]; then - exit -fi - -# add some info to syslog -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "executing $0" - -echo "{{ description }}" > /sys/class/net/{{ ifname }}/ifalias - -{% if vrf %} -logger -t pppd[$DIALER_PID] "configuring dialer interface $6 for VRF {{ vrf }}" -ip link set dev {{ ifname }} master {{ vrf }} -{% endif %} diff --git a/data/templates/pppoe/ip-up.script.tmpl b/data/templates/pppoe/ip-up.script.tmpl deleted file mode 100644 index 302756960..000000000 --- a/data/templates/pppoe/ip-up.script.tmpl +++ /dev/null @@ -1,49 +0,0 @@ -#!/bin/sh - -# As PPPoE is an "on demand" interface we need to re-configure it when it -# becomes up -if [ "$6" != "{{ ifname }}" ]; then - exit -fi - -{% if connect_on_demand is not defined %} -# add some info to syslog -DIALER_PID=$(cat /var/run/{{ ifname }}.pid) -logger -t pppd[$DIALER_PID] "executing $0" - -{% if default_route != 'none' %} -# See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved -# to a VRF, this is needed to properly insert the default route. - -SED_OPT="^ip route" -VRF_NAME="" -if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then - # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) - # Remove upper_ prefix from result string - VRF=${VRF#"upper_"} - # generate new SED command - SED_OPT="vrf ${VRF}" - # generate vtysh option - VRF_NAME="vrf ${VRF}" -fi - -{% if default_route == 'auto' %} -# Only insert a new default route if there is no default route configured -routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep 0.0.0.0/0 | wc -l) -if [ "$routes" -ne 0 ]; then - exit 1 -fi - -{% elif default_route == 'force' %} -# Retrieve current static default routes and remove it from the routing table -vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep 0.0.0.0/0 | while read route ; do - vtysh -c "conf t" ${VTY_OPT} -c "no ${route} ${VRF_NAME}" -done -{% endif %} - -# Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ip route 0.0.0.0/0 {{ ifname }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" -{% endif %} -{% endif %} diff --git a/data/templates/pppoe/ipv6-up.script.tmpl b/data/templates/pppoe/ipv6-up.script.tmpl deleted file mode 100644 index da73cb4d5..000000000 --- a/data/templates/pppoe/ipv6-up.script.tmpl +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/sh - -# As PPPoE is an "on demand" interface we need to re-configure it when it -# becomes up - -if [ "$6" != "{{ ifname }}" ]; then - exit -fi - - -{% if default_route != 'none' %} -# See https://phabricator.vyos.net/T2248 & T2220. Determine if we are enslaved -# to a VRF, this is needed to properly insert the default route. - -SED_OPT="^ipv6 route" -VRF_NAME="" -if [ -d /sys/class/net/{{ ifname }}/upper_* ]; then - # Determine upper (VRF) interface - VRF=$(basename $(ls -d /sys/class/net/{{ ifname }}/upper_*)) - # Remove upper_ prefix from result string - VRF=${VRF#"upper_"} - # generate new SED command - SED_OPT="vrf ${VRF}" - # generate vtysh option - VRF_NAME="vrf ${VRF}" -fi - -{% if default_route == 'auto' %} -# Only insert a new default route if there is no default route configured -routes=$(vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | wc -l) -if [ "$routes" -ne 0 ]; then - exit 1 -fi - -{% elif default_route == 'force' %} -# Retrieve current static default routes and remove it from the routing table -vtysh -c "show running-config" | sed -n "/${SED_OPT}/,/!/p" | grep ::/0 | while read route ; do - vtysh -c "conf t" ${VTY_OPT} -c "no ${route} ${VRF_NAME}" -done -{% endif %} - -# Add default route to default or VRF routing table -vtysh -c "conf t" ${VTY_OPT} -c "ipv6 route ::/0 {{ ifname }} ${VRF_NAME}" -logger -t pppd[$DIALER_PID] "added default route via {{ ifname }} ${VRF_NAME}" -{% endif %} - diff --git a/data/templates/pppoe/peer.tmpl b/data/templates/pppoe/peer.j2 index 928ed1238..6221abb9b 100644 --- a/data/templates/pppoe/peer.tmpl +++ b/data/templates/pppoe/peer.j2 @@ -1,5 +1,5 @@ ### Autogenerated by interfaces-pppoe.py ### -{{ '# ' ~ description if description is defined else '' }} +{{ '# ' ~ description if description is vyos_defined else '' }} # Require peer to provide the local IP address if it is not # specified explicitly in the config file. @@ -35,10 +35,10 @@ noproxyarp maxfail 0 plugin rp-pppoe.so {{ source_interface }} -{% if access_concentrator is defined and access_concentrator is not none %} +{% if access_concentrator is vyos_defined %} rp_pppoe_ac '{{ access_concentrator }}' {% endif %} -{% if service_name is defined and service_name is not none %} +{% if service_name is vyos_defined %} rp_pppoe_service '{{ service_name }}' {% endif %} @@ -49,34 +49,34 @@ debug mtu {{ mtu }} mru {{ mtu }} -{% if authentication is defined %} -{{ 'user "' + authentication.user + '"' if authentication.user is defined }} -{{ 'password "' + authentication.password + '"' if authentication.password is defined }} +{% if authentication is vyos_defined %} +{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }} +{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }} {% endif %} -{{ "usepeerdns" if no_peer_dns is not defined }} +{{ "usepeerdns" if no_peer_dns is not vyos_defined }} -{% if ipv6 is defined %} -+ipv6 {{ 'ipv6cp-use-ipaddr' if ipv6.address is defined and ipv6.address.autoconf is defined }} +{% if ipv6 is vyos_defined %} ++ipv6 {{ 'ipv6cp-use-ipaddr' if ipv6.address.autoconf is vyos_defined }} {% else %} noipv6 {% endif %} -{% if connect_on_demand is defined %} +{% if connect_on_demand is vyos_defined %} demand # See T2249. PPP default route options should only be set when in on-demand # mode. As soon as we are not in on-demand mode the default-route handling is # passed to the ip-up.d/ip-down.s scripts which is required for VRF support. -{% if 'auto' in default_route %} +{% if 'auto' in default_route %} defaultroute -{{ 'defaultroute6' if ipv6 is defined }} -{% elif 'force' in default_route %} +{{ 'defaultroute6' if ipv6 is vyos_defined }} +{% elif 'force' in default_route %} defaultroute replacedefaultroute -{{ 'defaultroute6' if ipv6 is defined }} -{% endif %} +{{ 'defaultroute6' if ipv6 is vyos_defined }} +{% endif %} {% else %} nodefaultroute noreplacedefaultroute -{{ 'nodefaultroute6' if ipv6 is defined }} +{{ 'nodefaultroute6' if ipv6 is vyos_defined }} {% endif %} diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2 new file mode 100644 index 000000000..6902dc05a --- /dev/null +++ b/data/templates/router-advert/radvd.conf.j2 @@ -0,0 +1,66 @@ +### Autogenerated by service_router-advert.py ### + +{% if interface is vyos_defined %} +{% for iface, iface_config in interface.items() %} +interface {{ iface }} { + IgnoreIfMissing on; +{% if iface_config.default_preference is vyos_defined %} + AdvDefaultPreference {{ iface_config.default_preference }}; +{% endif %} +{% if iface_config.managed_flag is vyos_defined %} + AdvManagedFlag {{ 'on' if iface_config.managed_flag is vyos_defined else 'off' }}; +{% endif %} +{% if iface_config.interval.max is vyos_defined %} + MaxRtrAdvInterval {{ iface_config.interval.max }}; +{% endif %} +{% if iface_config.interval.min is vyos_defined %} + MinRtrAdvInterval {{ iface_config.interval.min }}; +{% endif %} +{% if iface_config.reachable_time is vyos_defined %} + AdvReachableTime {{ iface_config.reachable_time }}; +{% endif %} + AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is vyos_defined else 'on' }}; + AdvSendAdvert {{ 'off' if iface_config.no_send_advert is vyos_defined else 'on' }}; +{% if iface_config.default_lifetime is vyos_defined %} + AdvDefaultLifetime {{ iface_config.default_lifetime }}; +{% endif %} +{% if iface_config.link_mtu is vyos_defined %} + AdvLinkMTU {{ iface_config.link_mtu }}; +{% endif %} + AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is vyos_defined else 'off' }}; + AdvRetransTimer {{ iface_config.retrans_timer }}; + AdvCurHopLimit {{ iface_config.hop_limit }}; +{% if iface_config.route is vyos_defined %} +{% for route, route_options in iface_config.route.items() %} + route {{ route }} { +{% if route_options.valid_lifetime is vyos_defined %} + AdvRouteLifetime {{ route_options.valid_lifetime }}; +{% endif %} +{% if route_options.route_preference is vyos_defined %} + AdvRoutePreference {{ route_options.route_preference }}; +{% endif %} + RemoveRoute {{ 'off' if route_options.no_remove_route is vyos_defined else 'on' }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.prefix is vyos_defined %} +{% for prefix, prefix_options in iface_config.prefix.items() %} + prefix {{ prefix }} { + AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is vyos_defined else 'on' }}; + AdvValidLifetime {{ prefix_options.valid_lifetime }}; + AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is vyos_defined else 'on' }}; + AdvPreferredLifetime {{ prefix_options.preferred_lifetime }}; + }; +{% endfor %} +{% endif %} +{% if iface_config.name_server is vyos_defined %} + RDNSS {{ iface_config.name_server | join(" ") }} { + }; +{% endif %} +{% if iface_config.dnssl is vyos_defined %} + DNSSL {{ iface_config.dnssl | join(" ") }} { + }; +{% endif %} +}; +{% endfor %} +{% endif %} diff --git a/data/templates/router-advert/radvd.conf.tmpl b/data/templates/router-advert/radvd.conf.tmpl deleted file mode 100644 index 88d066491..000000000 --- a/data/templates/router-advert/radvd.conf.tmpl +++ /dev/null @@ -1,66 +0,0 @@ -### Autogenerated by service_router-advert.py ### - -{% if interface is defined and interface is not none %} -{% for iface, iface_config in interface.items() %} -interface {{ iface }} { - IgnoreIfMissing on; -{% if iface_config.default_preference is defined and iface_config.default_preference is not none %} - AdvDefaultPreference {{ iface_config.default_preference }}; -{% endif %} -{% if iface_config.managed_flag is defined and iface_config.managed_flag is not none %} - AdvManagedFlag {{ 'on' if iface_config.managed_flag is defined else 'off' }}; -{% endif %} -{% if iface_config.interval.max is defined and iface_config.interval.max is not none %} - MaxRtrAdvInterval {{ iface_config.interval.max }}; -{% endif %} -{% if iface_config.interval.min is defined and iface_config.interval.min is not none %} - MinRtrAdvInterval {{ iface_config.interval.min }}; -{% endif %} -{% if iface_config.reachable_time is defined and iface_config.reachable_time is not none %} - AdvReachableTime {{ iface_config.reachable_time }}; -{% endif %} - AdvIntervalOpt {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; - AdvSendAdvert {{ 'off' if iface_config.no_send_advert is defined else 'on' }}; -{% if iface_config.default_lifetime is defined %} - AdvDefaultLifetime {{ iface_config.default_lifetime }}; -{% endif %} -{% if iface_config.link_mtu is defined %} - AdvLinkMTU {{ iface_config.link_mtu }}; -{% endif %} - AdvOtherConfigFlag {{ 'on' if iface_config.other_config_flag is defined else 'off' }}; - AdvRetransTimer {{ iface_config.retrans_timer }}; - AdvCurHopLimit {{ iface_config.hop_limit }}; -{% if iface_config.route is defined %} -{% for route, route_options in iface_config.route.items() %} - route {{ route }} { -{% if route_options.valid_lifetime is defined %} - AdvRouteLifetime {{ route_options.valid_lifetime }}; -{% endif %} -{% if route_options.route_preference is defined %} - AdvRoutePreference {{ route_options.route_preference }}; -{% endif %} - RemoveRoute {{ 'off' if route_options.no_remove_route is defined else 'on' }}; - }; -{% endfor %} -{% endif %} -{% if iface_config.prefix is defined and iface_config.prefix is not none %} -{% for prefix, prefix_options in iface_config.prefix.items() %} - prefix {{ prefix }} { - AdvAutonomous {{ 'off' if prefix_options.no_autonomous_flag is defined else 'on' }}; - AdvValidLifetime {{ prefix_options.valid_lifetime }}; - AdvOnLink {{ 'off' if prefix_options.no_on_link_flag is defined else 'on' }}; - AdvPreferredLifetime {{ prefix_options.preferred_lifetime }}; - }; -{% endfor %} -{% endif %} -{% if iface_config.name_server is defined %} - RDNSS {{ iface_config.name_server | join(" ") }} { - }; -{% endif %} -{% if iface_config.dnssl is defined %} - DNSSL {{ iface_config.dnssl | join(" ") }} { - }; -{% endif %} -}; -{% endfor %} -{% endif %} diff --git a/data/templates/salt-minion/minion.tmpl b/data/templates/salt-minion/minion.j2 index 99749b57a..f4001db64 100644 --- a/data/templates/salt-minion/minion.tmpl +++ b/data/templates/salt-minion/minion.j2 @@ -32,17 +32,17 @@ log_file: /var/log/salt/minion # ['garbage', 'trace', 'debug'] # # Default: 'warning' -log_level: {{ log_level }} +log_level: warning # Set the location of the salt master server, if the master server cannot be # resolved, then the minion will fail to start. master: {% for host in master %} -- {{ host }} + - {{ host | bracketize_ipv6 }} {% endfor %} # The user to run salt -user: {{ user }} +user: minion # The directory to store the pki information in pki_dir: /config/salt/pki/minion @@ -52,10 +52,16 @@ pki_dir: /config/salt/pki/minion # Since salt uses detached ids it is possible to run multiple minions on the # same machine but with different ids, this can be useful for salt compute # clusters. -id: {{ salt_id }} - +id: {{ id }} # The number of minutes between mine updates. mine_interval: {{ interval }} -verify_master_pubkey_sign: {{ verify_master_pubkey_sign }} +{% if source_interface is vyos_defined %} +# The name of the interface to use when establishing the connection to the Master. +source_interface_name: {{ source_interface }} +{% endif %} + +# Enables verification of the master-public-signature returned by the master +# in auth-replies. +verify_master_pubkey_sign: {{ 'True' if master_key is vyos_defined else 'False' }} diff --git a/data/templates/snmp/etc.snmp.conf.tmpl b/data/templates/snmp/etc.snmp.conf.j2 index f7d9a3c17..8012cf6bb 100644 --- a/data/templates/snmp/etc.snmp.conf.tmpl +++ b/data/templates/snmp/etc.snmp.conf.j2 @@ -1,4 +1,4 @@ ### Autogenerated by snmp.py ### -{% if trap_source is defined and trap_source is not none %} +{% if trap_source is vyos_defined %} clientaddr {{ trap_source }} {% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2 new file mode 100644 index 000000000..d7dc0ba5d --- /dev/null +++ b/data/templates/snmp/etc.snmpd.conf.j2 @@ -0,0 +1,182 @@ +### Autogenerated by snmp.py ### + +# non configurable defaults +sysObjectID 1.3.6.1.4.1.44641 +sysServices 14 +master agentx +agentXPerms 0777 0777 +pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias +smuxpeer .1.3.6.1.2.1.83 +smuxpeer .1.3.6.1.2.1.157 +smuxsocket localhost + +# linkUp/Down configure the Event MIB tables to monitor +# the ifTable for network interfaces being taken up or down +# for making internal queries to retrieve any necessary information +iquerySecName {{ vyos_user }} + +# Modified from the default linkUpDownNotification +# to include more OIDs and poll more frequently +notificationEvent linkUpTrap linkUp ifIndex ifDescr ifType ifAdminStatus ifOperStatus +notificationEvent linkDownTrap linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus +monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 +monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 + +# Remove all old ifTable entries with the same ifName as newly appeared +# interface (with different ifIndex) - this is the case on e.g. ppp interfaces +interface_replace_old yes + +######################## +# configurable section # +######################## + +# Default system description is VyOS version +sysDescr VyOS {{ version }} + +{% if description is vyos_defined %} +# Description +SysDescr {{ description }} +{% endif %} + +# Listen +{% set options = [] %} +{% if listen_address is vyos_defined %} +{% for address, address_options in listen_address.items() %} +{% if address | is_ipv6 %} +{% set protocol = protocol ~ '6' %} +{% endif %} +{% set _ = options.append(protocol ~ ':' ~ address | bracketize_ipv6 ~ ':' ~ address_options.port) %} +{% endfor %} +{% else %} +{% set _ = options.append(protocol ~ ':161') %} +{% set _ = options.append(protocol ~ '6:161') %} +{% endif %} +agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }} + +# SNMP communities +{% if community is vyos_defined %} +{% for comm, comm_config in community.items() %} +{% if comm_config.client is vyos_defined %} +{% for client in comm_config.client %} +{% if client | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ client }} +{% elif client | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ client }} +{% endif %} +{% endfor %} +{% endif %} +{% if comm_config.network is vyos_defined %} +{% for network in comm_config.network %} +{% if network | is_ipv4 %} +{{ comm_config.authorization }}community {{ comm }} {{ network }} +{% elif client | is_ipv6 %} +{{ comm_config.authorization }}community6 {{ comm }} {{ network }} +{% endif %} +{% endfor %} +{% endif %} +{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %} +{{ comm_config.authorization }}community {{ comm }} +{% endif %} +{% endfor %} +{% endif %} + +{% if contact is vyos_defined %} +# system contact information +SysContact {{ contact }} +{% endif %} + +{% if location is vyos_defined %} +# system location information +SysLocation {{ location }} +{% endif %} + +{% if smux_peer is vyos_defined %} +# additional smux peers +{% for peer in smux_peer %} +smuxpeer {{ peer }} +{% endfor %} +{% endif %} + +{% if trap_target is vyos_defined %} +# if there is a problem - tell someone! +{% for trap, trap_config in trap_target.items() %} +trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }} +{% endfor %} +{% endif %} + +{% if v3 is vyos_defined %} +# +# SNMPv3 stuff goes here +# +{% if v3.view is vyos_defined %} +# views +{% for view, view_config in v3.view.items() %} +{% if view_config.oid is vyos_defined %} +{% for oid in view_config.oid %} +view {{ view }} included .{{ oid }} +{% endfor %} +{% endif %} +{% endfor %} +{% endif %} + +# access +{% if v3.group is vyos_defined %} +# context sec.model sec.level match read write notif +{% for group, group_config in v3.group.items() %} +access {{ group }} "" usm {{ group_config.seclevel }} exact {{ group_config.view }} {{ 'none' if group_config.mode == 'ro' else group_config.view }} none +{% endfor %} +{% endif %} + +# trap-target +{% if v3.trap_target is vyos_defined %} +{% for trap, trap_config in v3.trap_target.items() %} +{% set options = '' %} +{% if trap_config.type == 'inform' %} +{% set options = options ~ ' -Ci' %} +{% endif %} +{% if v3.engineid is vyos_defined %} +{% set options = options ~ ' -e "' ~ v3.engineid ~ '"' %} +{% endif %} +{% if trap_config.user is vyos_defined %} +{% set options = options ~ ' -u ' ~ trap_config.user %} +{% endif %} +{% if trap_config.auth.plaintext_password is vyos_defined or trap_config.auth.encrypted_password is vyos_defined %} +{% set options = options ~ ' -a ' ~ trap_config.auth.type %} +{% if trap_config.auth.plaintext_password is vyos_defined %} +{% set options = options ~ ' -A ' ~ trap_config.auth.plaintext_password %} +{% elif trap_config.auth.encrypted_password is vyos_defined %} +{% set options = options ~ ' -3m ' ~ trap_config.auth.encrypted_password %} +{% endif %} +{% if trap_config.privacy.plaintext_password is vyos_defined or trap_config.privacy.encrypted_password is vyos_defined %} +{% set options = options ~ ' -x ' ~ trap_config.privacy.type %} +{% if trap_config.privacy.plaintext_password is vyos_defined %} +{% set options = options ~ ' -X ' ~ trap_config.privacy.plaintext_password %} +{% elif trap_config.privacy.encrypted_password is vyos_defined %} +{% set options = options ~ ' -3M ' ~ trap_config.privacy.encrypted_password %} +{% endif %} +{% set options = options ~ ' -l authPriv' %} +{% else %} +{% set options = options ~ ' -l authNoPriv' %} +{% endif %} +{% else %} +{% set options = options ~ ' -l noAuthNoPriv' %} +{% endif %} +trapsess -v 3 {{ options }} {{ trap }}:{{ trap_config.protocol }}:{{ trap_config.port }} +{% endfor %} +{% endif %} + +# group +{% if v3.user is vyos_defined %} +{% for user, user_config in v3.user.items() %} +group {{ user_config.group }} usm {{ user }} +{% endfor %} +{% endif %} +{# SNMPv3 end #} +{% endif %} + +{% if script_extensions.extension_name is vyos_defined %} +# extension scripts +{% for script, script_config in script_extensions.extension_name.items() | sort(attribute=script) %} +extend {{ script }} {{ script_config.script }} +{% endfor %} +{% endif %} diff --git a/data/templates/snmp/etc.snmpd.conf.tmpl b/data/templates/snmp/etc.snmpd.conf.tmpl deleted file mode 100644 index befea0122..000000000 --- a/data/templates/snmp/etc.snmpd.conf.tmpl +++ /dev/null @@ -1,184 +0,0 @@ -### Autogenerated by snmp.py ### - -# non configurable defaults -sysObjectID 1.3.6.1.4.1.44641 -sysServices 14 -master agentx -agentXPerms 0777 0777 -pass .1.3.6.1.2.1.31.1.1.1.18 /opt/vyatta/sbin/if-mib-alias -smuxpeer .1.3.6.1.2.1.83 -smuxpeer .1.3.6.1.2.1.157 -smuxsocket localhost - -# linkUp/Down configure the Event MIB tables to monitor -# the ifTable for network interfaces being taken up or down -# for making internal queries to retrieve any necessary information -iquerySecName {{ vyos_user }} - -# Modified from the default linkUpDownNotification -# to include more OIDs and poll more frequently -notificationEvent linkUpTrap linkUp ifIndex ifDescr ifType ifAdminStatus ifOperStatus -notificationEvent linkDownTrap linkDown ifIndex ifDescr ifType ifAdminStatus ifOperStatus -monitor -r 10 -e linkUpTrap "Generate linkUp" ifOperStatus != 2 -monitor -r 10 -e linkDownTrap "Generate linkDown" ifOperStatus == 2 - -# Remove all old ifTable entries with the same ifName as newly appeared -# interface (with different ifIndex) - this is the case on e.g. ppp interfaces -interface_replace_old yes - -######################## -# configurable section # -######################## - -# Default system description is VyOS version -sysDescr VyOS {{ version }} - -{% if description is defined and description is not none %} -# Description -SysDescr {{ description }} -{% endif %} - -# Listen -{% set options = [] %} -{% if listen_address is defined and listen_address is not none %} -{% for address, address_options in listen_address.items() %} -{% if address | is_ipv6 %} -{% set protocol = protocol ~ '6' %} -{% endif %} -{% set _ = options.append(protocol ~ ':' ~ address | bracketize_ipv6 ~ ':' ~ address_options.port) %} -{% endfor %} -{% else %} -{% set _ = options.append(protocol ~ ':161') %} -{% if ipv6_disabled is not defined %} -{% set _ = options.append(protocol ~ '6:161') %} -{% endif %} -{% endif %} -agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is defined and options is not none }} - -# SNMP communities -{% if community is defined and community is not none %} -{% for comm, comm_config in community.items() %} -{% if comm_config.client is defined and comm_config.client is not none %} -{% for client in comm_config.client %} -{% if client | is_ipv4 %} -{{ comm_config.authorization }}community {{ comm }} {{ client }} -{% elif client | is_ipv6 %} -{{ comm_config.authorization }}community6 {{ comm }} {{ client }} -{% endif %} -{% endfor %} -{% endif %} -{% if comm_config.network is defined and comm_config.network is not none %} -{% for network in comm_config.network %} -{% if network | is_ipv4 %} -{{ comm_config.authorization }}community {{ comm }} {{ network }} -{% elif client | is_ipv6 %} -{{ comm_config.authorization }}community6 {{ comm }} {{ network }} -{% endif %} -{% endfor %} -{% endif %} -{% if comm_config.client is not defined and comm_config.network is not defined %} -{{ comm_config.authorization }}community {{ comm }} -{% endif %} -{% endfor %} -{% endif %} - -{% if contact is defined and contact is not none %} -# system contact information -SysContact {{ contact }} -{% endif %} - -{% if location is defined and location is not none %} -# system location information -SysLocation {{ location }} -{% endif %} - -{% if smux_peer is defined and smux_peer is not none %} -# additional smux peers -{% for peer in smux_peer %} -smuxpeer {{ peer }} -{% endfor %} -{% endif %} - -{% if trap_target is defined and trap_target is not none %} -# if there is a problem - tell someone! -{% for trap, trap_config in trap_target.items() %} -trap2sink {{ trap }}:{{ trap_config.port }} {{ trap_config.community }} -{% endfor %} -{% endif %} - -{% if v3 is defined and v3 is not none %} -# -# SNMPv3 stuff goes here -# -{% if v3.view is defined and v3.view is not none %} -# views -{% for view, view_config in v3.view.items() %} -{% if view_config.oid is defined and view_config.oid is not none %} -{% for oid in view_config.oid %} -view {{ view }} included .{{ oid }} -{% endfor %} -{% endif %} -{% endfor %} -{% endif %} - -# access -{% if v3.group is defined and v3.group is not none %} -# context sec.model sec.level match read write notif -{% for group, group_config in v3.group.items() %} -access {{ group }} "" usm {{ group_config.seclevel }} exact {{ group_config.view }} {% if group_config.mode == 'ro' %}none{% else %}{{ group_config.view }}{% endif %} none -{% endfor %} -{% endif %} - -# trap-target -{% if v3.trap_target is defined and v3.trap_target is not none %} -{% for trap, trap_config in v3.trap_target.items() %} -{% set options = '' %} -{% if trap_config.type == 'inform' %} -{% set options = options ~ ' -Ci' %} -{% endif %} -{% if v3.engineid is defined and v3.engineid is not none %} -{% set options = options ~ ' -e "' ~ v3.engineid ~ '"' %} -{% endif %} -{% if trap_config.user is defined and trap_config.user is not none %} -{% set options = options ~ ' -u ' ~ trap_config.user %} -{% endif %} -{% if trap_config.auth is defined and trap_config.auth.plaintext_password is defined or trap_config.auth.encrypted_password is defined %} -{% set options = options ~ ' -a ' ~ trap_config.auth.type %} -{% if trap_config.auth.plaintext_password is defined and trap_config.auth.plaintext_password is not none %} -{% set options = options ~ ' -A ' ~ trap_config.auth.plaintext_password %} -{% elif trap_config.auth.encrypted_password is defined and trap_config.auth.encrypted_password is not none %} -{% set options = options ~ ' -3m ' ~ trap_config.auth.encrypted_password %} -{% endif %} -{% if trap_config.privacy is defined and trap_config.privacy.plaintext_password is defined or trap_config.privacy.encrypted_password is defined %} -{% set options = options ~ ' -x ' ~ trap_config.privacy.type %} -{% if trap_config.privacy.plaintext_password is defined and trap_config.privacy.plaintext_password is not none %} -{% set options = options ~ ' -X ' ~ trap_config.privacy.plaintext_password %} -{% elif trap_config.privacy.encrypted_password is defined and trap_config.privacy.encrypted_password is not none %} -{% set options = options ~ ' -3M ' ~ trap_config.privacy.encrypted_password %} -{% endif %} -{% set options = options ~ ' -l authPriv' %} -{% else %} -{% set options = options ~ ' -l authNoPriv' %} -{% endif %} -{% else %} -{% set options = options ~ ' -l noAuthNoPriv' %} -{% endif %} -trapsess -v 3 {{ options }} {{ trap }}:{{ trap_config.protocol }}:{{ trap_config.port }} -{% endfor %} -{% endif %} - -# group -{% if v3.user is defined and v3.user is not none %} -{% for user, user_config in v3.user.items() %} -group {{ user_config.group }} usm {{ user }} -{% endfor %} -{% endif %} -{# SNMPv3 end #} -{% endif %} - -{% if script_extensions is defined and script_extensions.extension_name is defined and script_extensions.extension_name is not none %} -# extension scripts -{% for script, script_config in script_extensions.extension_name.items() | sort(attribute=script) %} -extend {{ script }} {{ script_config.script }} -{% endfor %} -{% endif %} diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2 new file mode 100644 index 000000000..5d787de86 --- /dev/null +++ b/data/templates/snmp/override.conf.j2 @@ -0,0 +1,14 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +{% set oid_route_table = ' ' if oid_enable is vyos_defined('route-table') else '-I -ipCidrRouteTable,inetCidrRouteTable' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service + +[Service] +Environment= +Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{ oid_route_table }} -f -p /run/snmpd.pid +Restart=always +RestartSec=10 + diff --git a/data/templates/snmp/override.conf.tmpl b/data/templates/snmp/override.conf.tmpl deleted file mode 100644 index 3b00aab83..000000000 --- a/data/templates/snmp/override.conf.tmpl +++ /dev/null @@ -1,14 +0,0 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -{% set oid_route_table = ' ' if oid_enable is defined and oid_enable == 'route-table' else '-I -ipCidrRouteTable,inetCidrRouteTable' %} -[Unit] -StartLimitIntervalSec=0 -After=vyos-router.service - -[Service] -Environment= -Environment="MIBDIRS=/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf:/usr/share/vyos/mibs" -ExecStart= -ExecStart={{vrf_command}}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp {{oid_route_table}} -f -p /run/snmpd.pid -Restart=always -RestartSec=10 - diff --git a/data/templates/snmp/usr.snmpd.conf.tmpl b/data/templates/snmp/usr.snmpd.conf.j2 index 1c688a61e..a713c1cec 100644 --- a/data/templates/snmp/usr.snmpd.conf.tmpl +++ b/data/templates/snmp/usr.snmpd.conf.j2 @@ -1,8 +1,8 @@ ### Autogenerated by snmp.py ### -{% if v3 is defined and v3.user is defined and v3.user is not none %} +{% if v3.user is vyos_defined %} {% for user, user_config in v3.user.items() %} {{ user_config.mode }}user {{ user }} {% endfor %} -{% endif %} +{% endif %} rwuser {{ vyos_user }} diff --git a/data/templates/snmp/var.snmpd.conf.tmpl b/data/templates/snmp/var.snmpd.conf.j2 index 5871a8234..012f33aeb 100644 --- a/data/templates/snmp/var.snmpd.conf.tmpl +++ b/data/templates/snmp/var.snmpd.conf.j2 @@ -1,16 +1,16 @@ ### Autogenerated by snmp.py ### # user -{% if v3 is defined and v3 is not none %} -{% if v3.user is defined and v3.user is not none %} -{% for user, user_config in v3.user.items() %} +{% if v3 is vyos_defined %} +{% if v3.user is vyos_defined %} +{% for user, user_config in v3.user.items() %} usmUser 1 3 0x{{ v3.engineid }} "{{ user }}" "{{ user }}" NULL {{ user_config.auth.type | snmp_auth_oid }} 0x{{ user_config.auth.encrypted_password }} {{ user_config.privacy.type | snmp_auth_oid }} 0x{{ user_config.privacy.encrypted_password }} 0x -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} # VyOS default user createUser {{ vyos_user }} MD5 "{{ vyos_user_pass }}" DES -{% if v3.engineid is defined and v3.engineid is not none %} +{% if v3.engineid is vyos_defined %} oldEngineID 0x{{ v3.engineid }} -{% endif %} +{% endif %} {% endif %} diff --git a/data/templates/squid/sg_acl.conf.tmpl b/data/templates/squid/sg_acl.conf.j2 index ce72b173a..ce72b173a 100644 --- a/data/templates/squid/sg_acl.conf.tmpl +++ b/data/templates/squid/sg_acl.conf.j2 diff --git a/data/templates/squid/squid.conf.j2 b/data/templates/squid/squid.conf.j2 new file mode 100644 index 000000000..a0fdeb20e --- /dev/null +++ b/data/templates/squid/squid.conf.j2 @@ -0,0 +1,111 @@ +### generated by service_webproxy.py ### + +acl net src all +acl SSL_ports port 443 +acl Safe_ports port 80 # http +acl Safe_ports port 21 # ftp +acl Safe_ports port 443 # https +acl Safe_ports port 873 # rsync +acl Safe_ports port 70 # gopher +acl Safe_ports port 210 # wais +acl Safe_ports port 1025-65535 # unregistered ports +acl Safe_ports port 280 # http-mgmt +acl Safe_ports port 488 # gss-http +acl Safe_ports port 591 # filemaker +acl Safe_ports port 777 # multiling http +acl CONNECT method CONNECT + +{% if authentication is vyos_defined %} +{% if authentication.children is vyos_defined %} +auth_param basic children {{ authentication.children }} +{% endif %} +{% if authentication.credentials_ttl is vyos_defined %} +auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute +{% endif %} +{% if authentication.realm is vyos_defined %} +auth_param basic realm "{{ authentication.realm }}" +{% endif %} +{# LDAP based Authentication #} +{% if authentication.method is vyos_defined %} +{% if authentication.ldap is vyos_defined and authentication.method is vyos_defined('ldap') %} +auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' ~ authentication.ldap.bind_dn ~ '"' if authentication.ldap.bind_dn is vyos_defined }} {{ '-w "' ~ authentication.ldap.password ~ '"' if authentication.ldap.password is vyos_defined }} {{ '-f "' ~ authentication.ldap.filter_expression ~ '"' if authentication.ldap.filter_expression is vyos_defined }} {{ '-u "' ~ authentication.ldap.username_attribute ~ '"' if authentication.ldap.username_attribute is vyos_defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is vyos_defined }} -R -h "{{ authentication.ldap.server }}" +{% endif %} +acl auth proxy_auth REQUIRED +http_access allow auth +{% endif %} +{% endif %} + +http_access allow manager localhost +http_access deny manager +http_access deny !Safe_ports +http_access deny CONNECT !SSL_ports +http_access allow localhost +http_access allow net +http_access deny all + +{% if reply_block_mime is vyos_defined %} +{% for mime_type in reply_block_mime %} +acl BLOCK_MIME rep_mime_type {{ mime_type }} +{% endfor %} +http_reply_access deny BLOCK_MIME +{% endif %} + +{% if cache_size is vyos_defined %} +{% if cache_size | int > 0 %} +cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 +{% else %} +# disabling disk cache +{% endif %} +{% endif %} +{% if mem_cache_size is vyos_defined %} +cache_mem {{ mem_cache_size }} MB +{% endif %} +{% if disable_access_log is vyos_defined %} +access_log none +{% else %} +access_log /var/log/squid/access.log squid +{% endif %} + +{# by default we'll disable the store log #} +cache_store_log none + +{% if append_domain is vyos_defined %} +append_domain {{ append_domain }} +{% endif %} +{% if maximum_object_size is vyos_defined %} +maximum_object_size {{ maximum_object_size }} KB +{% endif %} +{% if minimum_object_size is vyos_defined %} +minimum_object_size {{ minimum_object_size }} KB +{% endif %} +{% if reply_body_max_size is vyos_defined %} +reply_body_max_size {{ reply_body_max_size }} KB +{% endif %} +{% if outgoing_address is vyos_defined %} +tcp_outgoing_address {{ outgoing_address }} +{% endif %} + + +{% if listen_address is vyos_defined %} +{% for address, config in listen_address.items() %} +http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is vyos_defined else default_port }} {{ 'intercept' if config.disable_transparent is not vyos_defined }} +{% endfor %} +{% endif %} +http_port 127.0.0.1:{{ default_port }} + +{# NOT insert the client address in X-Forwarded-For header #} +forwarded_for off + +{# SquidGuard #} +{% if url_filtering.disable is not vyos_defined and url_filtering.squidguard is vyos_defined %} +url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }} +url_rewrite_children 8 +url_rewrite_bypass on +{% endif %} + +{% if cache_peer is vyos_defined %} +{% for peer, config in cache_peer.items() %} +cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} +{% endfor %} +never_direct allow all +{% endif %} diff --git a/data/templates/squid/squid.conf.tmpl b/data/templates/squid/squid.conf.tmpl deleted file mode 100644 index 26aff90bf..000000000 --- a/data/templates/squid/squid.conf.tmpl +++ /dev/null @@ -1,113 +0,0 @@ -### generated by service_webproxy.py ### - -acl net src all -acl SSL_ports port 443 -acl Safe_ports port 80 # http -acl Safe_ports port 21 # ftp -acl Safe_ports port 443 # https -acl Safe_ports port 873 # rsync -acl Safe_ports port 70 # gopher -acl Safe_ports port 210 # wais -acl Safe_ports port 1025-65535 # unregistered ports -acl Safe_ports port 280 # http-mgmt -acl Safe_ports port 488 # gss-http -acl Safe_ports port 591 # filemaker -acl Safe_ports port 777 # multiling http -acl CONNECT method CONNECT - -{% if authentication is defined and authentication is not none %} -{% if authentication.children is defined and authentication.children is not none %} -auth_param basic children {{ authentication.children }} -{% endif %} -{% if authentication.credentials_ttl is defined and authentication.credentials_ttl is not none %} -auth_param basic credentialsttl {{ authentication.credentials_ttl }} minute -{% endif %} -{% if authentication.realm is defined and authentication.realm is not none %} -auth_param basic realm "{{ authentication.realm }}" -{% endif %} -{# LDAP based Authentication #} -{% if authentication.method is defined and authentication.method is not none %} -{% if authentication.ldap is defined and authentication.ldap is not none and authentication.method == 'ldap' %} -auth_param basic program /usr/lib/squid/basic_ldap_auth -v {{ authentication.ldap.version }} -b "{{ authentication.ldap.base_dn }}" {{ '-D "' + authentication.ldap.bind_dn + '"' if authentication.ldap.bind_dn is defined }} {{ '-w "' + authentication.ldap.password + '"' if authentication.ldap.password is defined }} {{ '-f "' + authentication.ldap.filter_expression + '"' if authentication.ldap.filter_expression is defined }} {{ '-u "' + authentication.ldap.username_attribute + '"' if authentication.ldap.username_attribute is defined }} -p {{ authentication.ldap.port }} {{ '-ZZ' if authentication.ldap.use_ssl is defined }} -R -h "{{ authentication.ldap.server }}" -{% endif %} -acl auth proxy_auth REQUIRED -http_access allow auth -{% endif %} -{% endif %} - -http_access allow manager localhost -http_access deny manager -http_access deny !Safe_ports -http_access deny CONNECT !SSL_ports -http_access allow localhost -http_access allow net -http_access deny all - -{% if reply_block_mime is defined and reply_block_mime is not none %} -{% for mime_type in reply_block_mime %} -acl BLOCK_MIME rep_mime_type {{ mime_type }} -{% endfor %} -http_reply_access deny BLOCK_MIME -{% endif %} - -{% if cache_size is defined and cache_size is not none %} -{% if cache_size | int > 0 %} -cache_dir ufs /var/spool/squid {{ cache_size }} 16 256 -{% else %} -# disabling disk cache -{% endif %} -{% endif %} -{% if mem_cache_size is defined and mem_cache_size is not none %} -cache_mem {{ mem_cache_size }} MB -{% endif %} -{% if disable_access_log is defined %} -access_log none -{% else %} -access_log /var/log/squid/access.log squid -{% endif %} - -{# by default we'll disable the store log #} -cache_store_log none - -{% if append_domain is defined and append_domain is not none %} -append_domain {{ append_domain }} -{% endif %} -{% if maximum_object_size is defined and maximum_object_size is not none %} -maximum_object_size {{ maximum_object_size }} KB -{% endif %} -{% if minimum_object_size is defined and minimum_object_size is not none %} -minimum_object_size {{ minimum_object_size }} KB -{% endif %} -{% if reply_body_max_size is defined and reply_body_max_size is not none %} -reply_body_max_size {{ reply_body_max_size }} KB -{% endif %} -{% if outgoing_address is defined and outgoing_address is not none %} -tcp_outgoing_address {{ outgoing_address }} -{% endif %} - - -{% if listen_address is defined and listen_address is not none %} -{% for address, config in listen_address.items() %} -http_port {{ address | bracketize_ipv6 }}:{{ config.port if config.port is defined else default_port }} {{ 'intercept' if config.disable_transparent is not defined }} -{% endfor %} -{% endif %} -http_port 127.0.0.1:{{ default_port }} - -{# NOT insert the client address in X-Forwarded-For header #} -forwarded_for off - -{# SquidGuard #} -{% if url_filtering is defined and url_filtering.disable is not defined %} -{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} -url_rewrite_program /usr/bin/squidGuard -c {{ squidguard_conf }} -url_rewrite_children 8 -url_rewrite_bypass on -{% endif %} -{% endif %} - -{% if cache_peer is defined and cache_peer is not none %} -{% for peer, config in cache_peer.items() %} -cache_peer {{ config.address }} {{ config.type }} {{ config.http_port }} {{ config.icp_port }} {{ config.options }} -{% endfor %} -never_direct allow all -{% endif %} diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2 new file mode 100644 index 000000000..1bc4c984f --- /dev/null +++ b/data/templates/squid/squidGuard.conf.j2 @@ -0,0 +1,124 @@ +### generated by service_webproxy.py ### + +{% macro sg_rule(category, log, db_dir) %} +{% set expressions = db_dir + '/' + category + '/expressions' %} +dest {{ category }}-default { + domainlist {{ category }}/domains + urllist {{ category }}/urls +{% if expressions | is_file %} + expressionlist {{ category }}/expressions +{% endif %} +{% if log is vyos_defined %} + log blacklist.log +{% endif %} +} +{% endmacro %} + +{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %} +{% if url_filtering.squidguard is vyos_defined %} +{% set sg_config = url_filtering.squidguard %} +{% set acl = namespace(value='local-ok-default') %} +{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} +dbhome {{ squidguard_db_dir }} +logdir /var/log/squid + +rewrite safesearch { + s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i + s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i + s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i + s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i + s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i + log rewrite.log +} + +{% if sg_config.local_ok is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-default' %} +dest local-ok-default { + domainlist local-ok-default/domains +} +{% endif %} +{% if sg_config.local_ok_url is vyos_defined %} +{% set acl.value = acl.value + ' local-ok-url-default' %} +dest local-ok-url-default { + urllist local-ok-url-default/urls +} +{% endif %} +{% if sg_config.local_block is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-default' %} +dest local-block-default { + domainlist local-block-default/domains +} +{% endif %} +{% if sg_config.local_block_url is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-url-default' %} +dest local-block-url-default { + urllist local-block-url-default/urls +} +{% endif %} +{% if sg_config.local_block_keyword is vyos_defined %} +{% set acl.value = acl.value + ' !local-block-keyword-default' %} +dest local-block-keyword-default { + expressionlist local-block-keyword-default/expressions +} +{% endif %} + +{% if sg_config.block_category is vyos_defined %} +{% for category in sg_config.block_category %} +{{ sg_rule(category, sg_config.log, squidguard_db_dir) }} +{% set acl.value = acl.value + ' !' + category + '-default' %} +{% endfor %} +{% endif %} +{% if sg_config.allow_category is vyos_defined %} +{% for category in sg_config.allow_category %} +{{ sg_rule(category, False, squidguard_db_dir) }} +{% set acl.value = acl.value + ' ' + category + '-default' %} +{% endfor %} +{% endif %} +{% if sg_config.source_group is vyos_defined %} +{% for sgroup, sg_config in sg_config.source_group.items() %} +{% if sg_config.address is vyos_defined %} +src {{ sgroup }} { +{% for address in sg_config.address %} + ip {{ address }} +{% endfor %} +} + +{% endif %} +{% endfor %} +{% endif %} +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} +{% for b_category in rule_config.block_category %} +dest {{ b_category }} { + domainlist {{ b_category }}/domains + urllist {{ b_category }}/urls +} +{% endfor %} + +{% endfor %} +{% endif %} +acl { +{% if sg_config.rule is vyos_defined %} +{% for rule, rule_config in sg_config.rule.items() %} + {{ rule_config.source_group }} { +{% for b_category in rule_config.block_category %} + pass local-ok-1 !in-addr !{{ b_category }} all +{% endfor %} + } +{% endfor %} +{% endif %} + + default { +{% if sg_config.enable_safe_search is vyos_defined %} + rewrite safesearch +{% endif %} + pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }} + redirect 302:http://{{ sg_config.redirect_url }} +{% if sg_config.log is vyos_defined %} + log blacklist.log +{% endif %} + } +} +{% endif %} +{% endif %} diff --git a/data/templates/squid/squidGuard.conf.tmpl b/data/templates/squid/squidGuard.conf.tmpl deleted file mode 100644 index c59dc901e..000000000 --- a/data/templates/squid/squidGuard.conf.tmpl +++ /dev/null @@ -1,124 +0,0 @@ -### generated by service_webproxy.py ### - -{% macro sg_rule(category, log, db_dir) %} -{% set expressions = db_dir + '/' + category + '/expressions' %} -dest {{ category }}-default { - domainlist {{ category }}/domains - urllist {{ category }}/urls -{% if expressions | is_file %} - expressionlist {{ category }}/expressions -{% endif %} -{% if log is defined %} - log blacklist.log -{% endif %} -} -{% endmacro %} - -{% if url_filtering is defined and url_filtering.disable is not defined %} -{% if url_filtering.squidguard is defined and url_filtering.squidguard is not none %} -{% set sg_config = url_filtering.squidguard %} -{% set acl = namespace(value='local-ok-default') %} -{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %} -dbhome {{ squidguard_db_dir }} -logdir /var/log/squid - -rewrite safesearch { - s@(.*\.google\..*/(custom|search|images|groups|news)?.*q=.*)@\1\&safe=active@i - s@(.*\..*/yandsearch?.*text=.*)@\1\&fyandex=1@i - s@(.*\.yahoo\..*/search.*p=.*)@\1\&vm=r@i - s@(.*\.live\..*/.*q=.*)@\1\&adlt=strict@i - s@(.*\.msn\..*/.*q=.*)@\1\&adlt=strict@i - s@(.*\.bing\..*/search.*q=.*)@\1\&adlt=strict@i - log rewrite.log -} - -{% if sg_config.local_ok is defined and sg_config.local_ok is not none %} -{% set acl.value = acl.value + ' local-ok-default' %} -dest local-ok-default { - domainlist local-ok-default/domains -} -{% endif %} -{% if sg_config.local_ok_url is defined and sg_config.local_ok_url is not none %} -{% set acl.value = acl.value + ' local-ok-url-default' %} -dest local-ok-url-default { - urllist local-ok-url-default/urls -} -{% endif %} -{% if sg_config.local_block is defined and sg_config.local_block is not none %} -{% set acl.value = acl.value + ' !local-block-default' %} -dest local-block-default { - domainlist local-block-default/domains -} -{% endif %} -{% if sg_config.local_block_url is defined and sg_config.local_block_url is not none %} -{% set acl.value = acl.value + ' !local-block-url-default' %} -dest local-block-url-default { - urllist local-block-url-default/urls -} -{% endif %} -{% if sg_config.local_block_keyword is defined and sg_config.local_block_keyword is not none %} -{% set acl.value = acl.value + ' !local-block-keyword-default' %} -dest local-block-keyword-default { - expressionlist local-block-keyword-default/expressions -} -{% endif %} - -{% if sg_config.block_category is defined and sg_config.block_category is not none %} -{% for category in sg_config.block_category %} -{{ sg_rule(category, sg_config.log, squidguard_db_dir) }} -{% set acl.value = acl.value + ' !' + category + '-default' %} -{% endfor %} -{% endif %} -{% if sg_config.allow_category is defined and sg_config.allow_category is not none %} -{% for category in sg_config.allow_category %} -{{ sg_rule(category, False, squidguard_db_dir) }} -{% set acl.value = acl.value + ' ' + category + '-default' %} -{% endfor %} -{% endif %} -{% if sg_config.source_group is defined and sg_config.source_group is not none %} -{% for sgroup, sg_config in sg_config.source_group.items() %} -{% if sg_config.address is defined and sg_config.address is not none %} -src {{ sgroup }} { -{% for address in sg_config.address %} - ip {{ address }} -{% endfor %} -} - -{% endif %} -{% endfor %} -{% endif %} -{% if sg_config.rule is defined and sg_config.rule is not none %} -{% for rule, rule_config in sg_config.rule.items() %} -{% for b_category in rule_config.block_category%} -dest {{ b_category }} { - domainlist {{ b_category }}/domains - urllist {{ b_category }}/urls -} -{% endfor %} - -{% endfor %} -{% endif %} -acl { -{% if sg_config.rule is defined and sg_config.rule is not none %} -{% for rule, rule_config in sg_config.rule.items() %} - {{ rule_config.source_group }} { -{% for b_category in rule_config.block_category%} - pass local-ok-1 !in-addr !{{ b_category }} all -{% endfor %} - } -{% endfor %} -{% endif %} - - default { -{% if sg_config.enable_safe_search is defined %} - rewrite safesearch -{% endif %} - pass {{ acl.value }} {{ 'none' if sg_config.default_action is defined and sg_config.default_action == 'block' else 'allow' }} - redirect 302:http://{{ sg_config.redirect_url }} -{% if sg_config.log is defined and sg_config.log is not none %} - log blacklist.log -{% endif %} - } -} -{% endif %} -{% endif %} diff --git a/data/templates/ssh/override.conf.j2 b/data/templates/ssh/override.conf.j2 new file mode 100644 index 000000000..e4d6f51cb --- /dev/null +++ b/data/templates/ssh/override.conf.j2 @@ -0,0 +1,13 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} +[Unit] +StartLimitIntervalSec=0 +After=vyos-router.service +ConditionPathExists={{ config_file }} + +[Service] +ExecStart= +ExecStart={{ vrf_command }}/usr/sbin/sshd -f {{ config_file }} -D $SSHD_OPTS +Restart=always +RestartPreventExitStatus= +RestartSec=10 +RuntimeDirectoryPreserve=yes diff --git a/data/templates/ssh/override.conf.tmpl b/data/templates/ssh/override.conf.tmpl deleted file mode 100644 index 5f8f35e89..000000000 --- a/data/templates/ssh/override.conf.tmpl +++ /dev/null @@ -1,13 +0,0 @@ -{% set vrf_command = 'ip vrf exec ' + vrf + ' ' if vrf is defined else '' %} -[Unit] -StartLimitIntervalSec=0 -After=vyos-router.service -ConditionPathExists={{config_file}} - -[Service] -ExecStart= -ExecStart={{vrf_command}}/usr/sbin/sshd -f {{config_file}} -D $SSHD_OPTS -Restart=always -RestartPreventExitStatus= -RestartSec=10 -RuntimeDirectoryPreserve=yes diff --git a/data/templates/ssh/sshd_config.tmpl b/data/templates/ssh/sshd_config.j2 index 670cf85a1..e7dbca581 100644 --- a/data/templates/ssh/sshd_config.tmpl +++ b/data/templates/ssh/sshd_config.j2 @@ -37,7 +37,7 @@ DebianBanner no # Look up remote host name and check that the resolved host name for the remote IP # address maps back to the very same IP address. -UseDNS {{ "no" if disable_host_validation is defined else "yes" }} +UseDNS {{ "no" if disable_host_validation is vyos_defined else "yes" }} # Specifies the port number that sshd(8) listens on {% for value in port %} @@ -48,61 +48,50 @@ Port {{ value }} LogLevel {{ loglevel | upper }} # Specifies whether password authentication is allowed -PasswordAuthentication {{ "no" if disable_password_authentication is defined else "yes" }} +PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }} -{% if listen_address is defined and listen_address is not none %} +{% if listen_address is vyos_defined %} # Specifies the local addresses sshd should listen on -{% for address in listen_address %} +{% for address in listen_address %} ListenAddress {{ address }} -{% endfor %} +{% endfor %} {% endif %} -{% if ciphers is defined and ciphers is not none %} +{% if ciphers is vyos_defined %} # Specifies the ciphers allowed for protocol version 2 -{% set value = ciphers if ciphers is string else ciphers | join(',') %} -Ciphers {{ value }} +Ciphers {{ ciphers | join(',') }} {% endif %} -{% if mac is defined and mac is not none %} +{% if mac is vyos_defined %} # Specifies the available MAC (message authentication code) algorithms -{% set value = mac if mac is string else mac | join(',') %} -MACs {{ value }} +MACs {{ mac | join(',') }} {% endif %} -{% if key_exchange is defined and key_exchange is not none %} +{% if key_exchange is vyos_defined %} # Specifies the available Key Exchange algorithms -{% set value = key_exchange if key_exchange is string else key_exchange | join(',') %} -KexAlgorithms {{ value }} +KexAlgorithms {{ key_exchange | join(',') }} {% endif %} -{% if access_control is defined and access_control is not none %} -{% if access_control.allow is defined and access_control.allow is not none %} -{% if access_control.allow.user is defined %} +{% if access_control is vyos_defined %} +{% if access_control.allow.user is vyos_defined %} # If specified, login is allowed only for user names that match -{% set value = access_control.allow.user if access_control.allow.user is string else access_control.allow.user | join(' ') %} -AllowUsers {{ value }} +AllowUsers {{ access_control.allow.user | join(' ') }} {% endif %} -{% if access_control.allow.group is defined %} +{% if access_control.allow.group is vyos_defined %} # If specified, login is allowed only for users whose primary group or supplementary group list matches -{% set value = access_control.allow.group if access_control.allow.group is string else access_control.allow.group | join(' ') %} -AllowGroups {{ value }} +AllowGroups {{ access_control.allow.group | join(' ') }} {% endif %} -{% endif %} -{% if access_control.deny is defined and access_control.deny is not none %} -{% if access_control.deny.user is defined %} +{% if access_control.deny.user is vyos_defined %} # Login is disallowed for user names that match -{% set value = access_control.deny.user if access_control.deny.user is string else access_control.deny.user | join(' ') %} -DenyUsers {{ value }} +DenyUsers {{ access_control.deny.user | join(' ') }} {% endif %} -{% if access_control.deny.group is defined %} +{% if access_control.deny.group is vyos_defined %} # Login is disallowed for users whose primary group or supplementary group list matches -{% set value = access_control.deny.group if access_control.deny.group is string else access_control.deny.group | join(' ') %} -DenyGroups {{ value }} +DenyGroups {{ access_control.deny.group | join(' ') }} {% endif %} -{% endif %} {% endif %} -{% if client_keepalive_interval is defined and client_keepalive_interval is not none %} +{% if client_keepalive_interval is vyos_defined %} # Sets a timeout interval in seconds after which if no data has been received from the client, # sshd(8) will send a message through the encrypted channel to request a response from the client ClientAliveInterval {{ client_keepalive_interval }} diff --git a/data/templates/syslog/logrotate.tmpl b/data/templates/syslog/logrotate.j2 index c1b951e8b..c1b951e8b 100644 --- a/data/templates/syslog/logrotate.tmpl +++ b/data/templates/syslog/logrotate.j2 diff --git a/data/templates/syslog/rsyslog.conf.tmpl b/data/templates/syslog/rsyslog.conf.j2 index 2fb621760..4445d568b 100644 --- a/data/templates/syslog/rsyslog.conf.tmpl +++ b/data/templates/syslog/rsyslog.conf.j2 @@ -2,9 +2,9 @@ ## file based logging {% if files['global']['marker'] %} $ModLoad immark -{% if files['global']['marker-interval'] %} -$MarkMessagePeriod {{files['global']['marker-interval']}} -{% endif %} +{% if files['global']['marker-interval'] %} +$MarkMessagePeriod {{ files['global']['marker-interval'] }} +{% endif %} {% endif %} {% if files['global']['preserver_fqdn'] %} $PreserveFQDN on @@ -15,40 +15,40 @@ $outchannel {{ file }},{{ file_options['log-file'] }},{{ file_options['max-size' {% endfor %} {% if console is defined and console is not none %} ## console logging -{% for con, con_options in console.items() %} +{% for con, con_options in console.items() %} {{ con_options['selectors'] }} /dev/console -{% endfor %} +{% endfor %} {% endif %} {% if hosts is defined and hosts is not none %} ## remote logging -{% for host, host_options in hosts.items() %} -{% if host_options.proto == 'tcp' %} -{% if host_options.port is defined %} -{% if host_options.oct_count is defined %} +{% for host, host_options in hosts.items() %} +{% if host_options.proto == 'tcp' %} +{% if host_options.port is defined %} +{% if host_options.oct_count is defined %} {{ host_options.selectors }} @@(o){{ host | bracketize_ipv6 }}:{{ host_options.port }};RSYSLOG_SyslogProtocol23Format -{% else %} +{% else %} {{ host_options.selectors }} @@{{ host | bracketize_ipv6 }}:{{ host_options.port }} -{% endif %} -{% else %} +{% endif %} +{% else %} {{ host_options.selectors }} @@{{ host | bracketize_ipv6 }} -{% endif %} -{% elif host_options.proto == 'udp' %} -{% if host_options.port is defined %} +{% endif %} +{% elif host_options.proto == 'udp' %} +{% if host_options.port is defined %} {{ host_options.selectors }} @{{ host | bracketize_ipv6 }}:{{ host_options.port }}{{ ';RSYSLOG_SyslogProtocol23Format' if host_options.oct_count is sameas true }} -{% else %} +{% else %} {{ host_options.selectors }} @{{ host | bracketize_ipv6 }} -{% endif %} -{% else %} -{% if host_options['port'] %} +{% endif %} +{% else %} +{% if host_options['port'] %} {{ host_options.selectors }} @{{ host | bracketize_ipv6 }}:{{ host_options.port }} -{% else %} +{% else %} {{ host_options.selectors }} @{{ host | bracketize_ipv6 }} -{% endif %} -{% endif %} -{% endfor %} +{% endif %} +{% endif %} +{% endfor %} {% endif %} {% if user is defined and user is not none %} -{% for username, user_options in user.items() %} +{% for username, user_options in user.items() %} {{ user_options.selectors }} :omusrmsg:{{ username }} -{% endfor %} +{% endfor %} {% endif %} diff --git a/data/templates/system/curlrc.j2 b/data/templates/system/curlrc.j2 new file mode 100644 index 000000000..be4efe8ba --- /dev/null +++ b/data/templates/system/curlrc.j2 @@ -0,0 +1,6 @@ +{% if http_client.source_interface is vyos_defined %} +--interface "{{ http_client.source_interface }}" +{% endif %} +{% if http_client.source_address is vyos_defined %} +--interface "{{ http_client.source_address }}" +{% endif %} diff --git a/data/templates/system/curlrc.tmpl b/data/templates/system/curlrc.tmpl deleted file mode 100644 index 3e5ce801c..000000000 --- a/data/templates/system/curlrc.tmpl +++ /dev/null @@ -1,8 +0,0 @@ -{% if http_client is defined %} -{% if http_client.source_interface is defined %} ---interface "{{ http_client.source_interface }}" -{% endif %} -{% if http_client.source_address is defined %} ---interface "{{ http_client.source_address }}" -{% endif %} -{% endif %} diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2 new file mode 100644 index 000000000..215c4c5c2 --- /dev/null +++ b/data/templates/system/proxy.j2 @@ -0,0 +1,7 @@ +# generated by system-proxy.py +{% if url is vyos_defined and port is vyos_defined %} +{# remove http:// prefix so we can inject a username/password if present #} +export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }} +export https_proxy=$http_proxy +export ftp_proxy=$http_proxy +{% endif %} diff --git a/data/templates/system/ssh_config.j2 b/data/templates/system/ssh_config.j2 new file mode 100644 index 000000000..1449f95b1 --- /dev/null +++ b/data/templates/system/ssh_config.j2 @@ -0,0 +1,3 @@ +{% if ssh_client.source_address is vyos_defined %} +BindAddress {{ ssh_client.source_address }} +{% endif %} diff --git a/data/templates/system/ssh_config.tmpl b/data/templates/system/ssh_config.tmpl deleted file mode 100644 index abc03f069..000000000 --- a/data/templates/system/ssh_config.tmpl +++ /dev/null @@ -1,3 +0,0 @@ -{% if ssh_client is defined and ssh_client.source_address is defined and ssh_client.source_address is not none %} -BindAddress {{ ssh_client.source_address }} -{% endif %} diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2 new file mode 100644 index 000000000..59a19e157 --- /dev/null +++ b/data/templates/system/sysctl.conf.j2 @@ -0,0 +1,7 @@ +# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{% for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/system/sysctl.conf.tmpl b/data/templates/system/sysctl.conf.tmpl deleted file mode 100644 index 72af82ee5..000000000 --- a/data/templates/system/sysctl.conf.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -# autogenerated by system_sysctl.py
-
-{% if parameter is defined and parameter is not none %}
-{% for k, v in parameter.items() %}
-{{ k }} = {{ v.value }}
-{% endfor %}
-{% endif %}
diff --git a/data/templates/tftp-server/default.tmpl b/data/templates/tftp-server/default.j2 index a7edf60ad..b2676e0aa 100644 --- a/data/templates/tftp-server/default.tmpl +++ b/data/templates/tftp-server/default.j2 @@ -1,6 +1,7 @@ +{# j2lint: disable=jinja-variable-format #} ### Autogenerated by tftp_server.py ### -DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is defined }} --secure {{ directory }}" -{% if vrf is defined %} +DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}" +{% if vrf is vyos_defined %} VRF_ARGS="ip vrf exec {{ vrf }}" {% else %} VRF_ARGS="" diff --git a/data/templates/vrf/vrf.conf.j2 b/data/templates/vrf/vrf.conf.j2 new file mode 100644 index 000000000..d31d23574 --- /dev/null +++ b/data/templates/vrf/vrf.conf.j2 @@ -0,0 +1,9 @@ +### Autogenerated by vrf.py ### +# +# Routing table ID to name mapping reference +# id vrf name comment +{% if name is vyos_defined %} +{% for vrf, vrf_config in name.items() %} +{{ "%-10s" | format(vrf_config.table) }} {{ "%-16s" | format(vrf) }} {{ '# ' ~ vrf_config.description if vrf_config.description is vyos_defined }} +{% endfor %} +{% endif %} diff --git a/data/templates/vrf/vrf.conf.tmpl b/data/templates/vrf/vrf.conf.tmpl deleted file mode 100644 index 29c0ba08d..000000000 --- a/data/templates/vrf/vrf.conf.tmpl +++ /dev/null @@ -1,9 +0,0 @@ -### Autogenerated by vrf.py ### -# -# Routing table ID to name mapping reference -# id vrf name comment -{% if name is defined and name is not none %} -{% for vrf, vrf_config in name.items() %} -{{ "%-10s" | format(vrf_config.table) }} {{ "%-16s" | format(vrf) }} {{ '# ' + vrf_config.description if vrf_config.description is defined and vrf_config.description is not none }} -{% endfor %} -{% endif %} diff --git a/data/templates/vyos-hostsd/hosts.tmpl b/data/templates/vyos-hostsd/hosts.j2 index 03662d562..5cad983b4 100644 --- a/data/templates/vyos-hostsd/hosts.tmpl +++ b/data/templates/vyos-hostsd/hosts.j2 @@ -1,3 +1,4 @@ +{# j2lint: disable=single-statement-per-line #} ### Autogenerated by VyOS ### ### Do not edit, your changes will get overwritten ### @@ -12,14 +13,14 @@ ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters -{% if hosts is defined and hosts is not none %} +{% if hosts is vyos_defined %} # From 'system static-host-mapping' and DHCP server -{% for tag, taghosts in hosts.items() %} +{% for tag, taghosts in hosts.items() %} # {{ tag }} -{% for host, hostprops in taghosts.items() if hostprops.address is defined %} -{% for addr in hostprops.address %} -{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases|join(' ') if hostprops.aliases is defined }} -{% endfor %} +{% for host, hostprops in taghosts.items() if hostprops.address is vyos_defined %} +{% for addr in hostprops.address %} +{{ "%-15s" | format(addr) }} {{ host }} {{ hostprops.aliases | join(' ') if hostprops.aliases is vyos_defined }} +{% endfor %} +{% endfor %} {% endfor %} -{% endfor %} {% endif %} diff --git a/data/templates/vyos-hostsd/resolv.conf.tmpl b/data/templates/vyos-hostsd/resolv.conf.j2 index 58a5f9312..5f651f1a1 100644 --- a/data/templates/vyos-hostsd/resolv.conf.tmpl +++ b/data/templates/vyos-hostsd/resolv.conf.j2 @@ -5,12 +5,12 @@ {# the order of tags, then by the order of nameservers within that tag #} {% for tag in name_server_tags_system %} -{% if tag in name_servers %} +{% if tag in name_servers %} # {{ tag }} -{% for ns in name_servers[tag] %} +{% for ns in name_servers[tag] %} nameserver {{ ns }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {% endfor %} {% if domain_name %} @@ -18,8 +18,8 @@ domain {{ domain_name }} {% endif %} {% for tag in name_server_tags_system %} -{% if tag in search_domains %} +{% if tag in search_domains %} # {{ tag }} -search {{ search_domains[tag]|join(' ') }} -{% endif %} +search {{ search_domains[tag] | join(' ') }} +{% endif %} {% endfor %} diff --git a/data/templates/wifi/cfg80211.conf.tmpl b/data/templates/wifi/cfg80211.conf.tmpl deleted file mode 100644 index 91df57aab..000000000 --- a/data/templates/wifi/cfg80211.conf.tmpl +++ /dev/null @@ -1 +0,0 @@ -{{ 'options cfg80211 ieee80211_regdom=' + regdom if regdom is defined }} diff --git a/data/templates/wifi/crda.tmpl b/data/templates/wifi/crda.tmpl deleted file mode 100644 index 6cd125e37..000000000 --- a/data/templates/wifi/crda.tmpl +++ /dev/null @@ -1 +0,0 @@ -{{ 'REGDOMAIN=' + regdom if regdom is defined }} diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.j2 index 433e1d36f..f2312d2d4 100644 --- a/data/templates/wifi/hostapd.conf.tmpl +++ b/data/templates/wifi/hostapd.conf.j2 @@ -1,5 +1,6 @@ +{# j2lint: disable=operator-enclosed-by-spaces #} ### Autogenerated by interfaces-wireless.py ### -{% if description %} +{% if description is vyos_defined %} # Description: {{ description }} # User-friendly description of device; up to 32 octets encoded in UTF-8 device_name={{ description | truncate(32, True) }} @@ -11,7 +12,7 @@ device_name={{ description | truncate(32, True) }} # command line parameter. interface={{ ifname }} -{% if is_bridge_member is defined %} +{% if is_bridge_member is vyos_defined %} # In case of atheros and nl80211 driver interfaces, an additional # configuration parameter, bridge, may be used to notify hostapd if the # interface is included in a bridge. This parameter is not used with Host AP @@ -24,9 +25,9 @@ interface={{ ifname }} # has been started to change the interface mode). If needed, the bridge # interface is also created. {# as there can only be one bridge interface it is save to loop #} -{% for bridge in is_bridge_member %} +{% for bridge in is_bridge_member %} bridge={{ bridge }} -{% endfor %} +{% endfor %} {% endif %} # Driver interface type (hostap/wired/none/nl80211/bsd); @@ -72,7 +73,7 @@ ssid={{ ssid }} channel={{ channel }} {% endif %} -{% if mode is defined and mode is not none %} +{% if mode is vyos_defined %} # Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), # g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used # with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this @@ -81,15 +82,15 @@ channel={{ channel }} # special value "any" can be used to indicate that any support band can be used. # This special case is currently supported only with drivers with which # offloaded ACS is used. -{% if mode == 'n' %} +{% if mode is vyos_defined('n') %} hw_mode=g -{% elif mode == 'ac' %} +{% elif mode is vyos_defined('ac') %} hw_mode=a ieee80211h=1 ieee80211ac=1 -{% else %} +{% else %} hw_mode={{ mode }} -{% endif %} +{% endif %} {% endif %} # ieee80211w: Whether management frame protection (MFP) is enabled @@ -104,7 +105,7 @@ ieee80211w=1 ieee80211w=2 {% endif %} -{% if capabilities is defined and capabilities.ht is defined %} +{% if capabilities is vyos_defined %} # ht_capab: HT capabilities (list of flags) # LDPC coding capability: [LDPC] = supported # Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary @@ -138,70 +139,70 @@ ieee80211w=2 # DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) # 40 MHz intolerant [40-INTOLERANT] (not advertised if not set) # L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) -{% set output = namespace(value='') %} - -{% if capabilities.ht.fourtymhz_incapable is defined %} -{% set output.value = output.value + '[40-INTOLERANT]' %} -{% endif %} -{% if capabilities.ht.delayed_block_ack is defined %} -{% set output.value = output.value + '[DELAYED-BA]' %} -{% endif %} -{% if capabilities.ht.dsss_cck_40 is defined %} -{% set output.value = output.value + '[DSSS_CCK-40]' %} -{% endif %} -{% if capabilities.ht.greenfield is defined %} -{% set output.value = output.value + '[GF]' %} -{% endif %} -{% if capabilities.ht.ldpc is defined %} -{% set output.value = output.value + '[LDPC]' %} -{% endif %} -{% if capabilities.ht.lsig_protection is defined %} -{% set output.value = output.value + '[LSIG-TXOP-PROT]' %} -{% endif %} -{% if capabilities.ht.stbc is defined and capabilities.ht.stbc.tx is defined %} -{% set output.value = output.value + '[TX-STBC]' %} -{% endif %} -{% if capabilities.ht.stbc is defined and capabilities.ht.stbc.rx is defined %} -{% set output.value = output.value + '[RX-STBC-' + capabilities.ht.stbc.rx | upper + ']' %} -{% endif %} -{% if capabilities.ht.max_amsdu is defined %} -{% set output.value = output.value + '[MAX-AMSDU-' + capabilities.ht.max_amsdu + ']' %} -{% endif %} -{% if capabilities.ht.smps is defined %} -{% set output.value = output.value + '[SMPS-' + capabilities.ht.smps | upper + ']' %} -{% endif %} - -{% if capabilities.ht.channel_set_width is defined %} -{% for csw in capabilities.ht.channel_set_width %} -{% set output.value = output.value + '[' + csw | upper + ']' %} -{% endfor %} -{% endif %} +{% set output = namespace(value='') %} -{% if capabilities.ht.short_gi is defined %} -{% for short_gi in capabilities.ht.short_gi %} -{% set output.value = output.value + '[SHORT-GI-' + short_gi | upper + ']' %} -{% endfor %} -{% endif %} +{% if capabilities.ht.fourtymhz_incapable is vyos_defined %} +{% set output.value = output.value ~ '[40-INTOLERANT]' %} +{% endif %} +{% if capabilities.ht.delayed_block_ack is vyos_defined %} +{% set output.value = output.value ~ '[DELAYED-BA]' %} +{% endif %} +{% if capabilities.ht.dsss_cck_40 is vyos_defined %} +{% set output.value = output.value ~ '[DSSS_CCK-40]' %} +{% endif %} +{% if capabilities.ht.greenfield is vyos_defined %} +{% set output.value = output.value ~ '[GF]' %} +{% endif %} +{% if capabilities.ht.ldpc is vyos_defined %} +{% set output.value = output.value ~ '[LDPC]' %} +{% endif %} +{% if capabilities.ht.lsig_protection is vyos_defined %} +{% set output.value = output.value ~ '[LSIG-TXOP-PROT]' %} +{% endif %} +{% if capabilities.ht.stbc.tx is vyos_defined %} +{% set output.value = output.value ~ '[TX-STBC]' %} +{% endif %} +{% if capabilities.ht.stbc.rx is vyos_defined %} +{% set output.value = output.value ~ '[RX-STBC-' ~ capabilities.ht.stbc.rx | upper ~ ']' %} +{% endif %} +{% if capabilities.ht.max_amsdu is vyos_defined %} +{% set output.value = output.value ~ '[MAX-AMSDU-' ~ capabilities.ht.max_amsdu ~ ']' %} +{% endif %} +{% if capabilities.ht.smps is vyos_defined %} +{% set output.value = output.value ~ '[SMPS-' ~ capabilities.ht.smps | upper ~ ']' %} +{% endif %} + +{% if capabilities.ht.channel_set_width is vyos_defined %} +{% for csw in capabilities.ht.channel_set_width %} +{% set output.value = output.value ~ '[' ~ csw | upper ~ ']' %} +{% endfor %} +{% endif %} + +{% if capabilities.ht.short_gi is vyos_defined %} +{% for short_gi in capabilities.ht.short_gi %} +{% set output.value = output.value ~ '[SHORT-GI-' ~ short_gi | upper ~ ']' %} +{% endfor %} +{% endif %} ht_capab={{ output.value }} -{% if capabilities.ht.auto_powersave is defined %} +{% if capabilities.ht.auto_powersave is vyos_defined %} # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] # Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) uapsd_advertisement_enabled=1 -{% endif %} +{% endif %} {% endif %} # Required for full HT and VHT functionality wme_enabled=1 -{% if capabilities is defined and capabilities.require_ht is defined %} +{% if capabilities.require_ht is vyos_defined %} # Require stations to support HT PHY (reject association if they do not) require_ht=1 {% endif %} -{% if capabilities is defined and capabilities.vht is defined %} +{% if capabilities.vht is vyos_defined %} # vht_capab: VHT capabilities (list of flags) # # vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] @@ -297,7 +298,7 @@ require_ht=1 # Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv # This field is an integer in the range of 0 to 7. # The length defined by this field is equal to -# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets +# 2 pow(13 ~ Maximum A-MPDU Length Exponent) -1 octets # # VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] # Indicates whether or not the STA supports link adaptation using VHT variant @@ -320,87 +321,86 @@ require_ht=1 # 0 = Tx antenna pattern might change during the lifetime of an association # 1 = Tx antenna pattern does not change during the lifetime of an -{% if capabilities.vht.center_channel_freq is defined and capabilities.vht.center_channel_freq.freq_1 is defined %} -# center freq = 5 GHz + (5 * index) +{% if capabilities.vht.center_channel_freq.freq_1 is vyos_defined %} +# center freq = 5 GHz ~ (5 * index) # So index 42 gives center freq 5.210 GHz # which is channel 42 in 5G band vht_oper_centr_freq_seg0_idx={{ capabilities.vht.center_channel_freq.freq_1 }} -{% endif %} +{% endif %} -{% if capabilities.vht.center_channel_freq is defined and capabilities.vht.center_channel_freq.freq_2 is defined %} -# center freq = 5 GHz + (5 * index) +{% if capabilities.vht.center_channel_freq.freq_2 is vyos_defined %} +# center freq = 5 GHz ~ (5 * index) # So index 159 gives center freq 5.795 GHz # which is channel 159 in 5G band vht_oper_centr_freq_seg1_idx={{ capabilities.vht.center_channel_freq.freq_2 }} -{% endif %} +{% endif %} -{% if capabilities.vht.channel_set_width is defined %} +{% if capabilities.vht.channel_set_width is vyos_defined %} vht_oper_chwidth={{ capabilities.vht.channel_set_width }} -{% endif %} - -{% set output = namespace(value='') %} -{% if capabilities.vht.stbc is defined and capabilities.vht.stbc.tx is defined %} -{% set output.value = output.value + '[TX-STBC-2BY1]' %} -{% endif %} -{% if capabilities.vht.stbc is defined and capabilities.vht.stbc.rx is defined %} -{% set output.value = output.value + '[RX-STBC-' + capabilities.vht.stbc.rx + ']' %} -{% endif %} -{% if capabilities.vht.ldpc is defined %} -{% set output.value = output.value + '[RXLDPC]' %} -{% endif %} -{% if capabilities.vht.tx_powersave is defined %} -{% set output.value = output.value + '[VHT-TXOP-PS]' %} -{% endif %} -{% if capabilities.vht.vht_cf is defined %} -{% set output.value = output.value + '[HTC-VHT]' %} -{% endif %} -{% if capabilities.vht.antenna_pattern_fixed is defined %} -{% set output.value = output.value + '[RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]' %} -{% endif %} -{% if capabilities.vht.max_mpdu is defined %} -{% set output.value = output.value + '[MAX-MPDU-' + capabilities.vht.max_mpdu + ']' %} -{% endif %} -{% if capabilities.vht.max_mpdu_exp is defined %} -{% set output.value = output.value + '[MAX-A-MPDU-LEN-EXP-' + capabilities.vht.max_mpdu_exp + ']' %} -{% endif %} -{% if capabilities.vht.max_mpdu_exp is defined and capabilities.vht.max_mpdu_exp == '2' %} -{% set output.value = output.value + '[VHT160]' %} -{% endif %} -{% if capabilities.vht.max_mpdu_exp is defined and capabilities.vht.max_mpdu_exp == '3' %} -{% set output.value = output.value + '[VHT160-80PLUS80]' %} -{% endif %} -{% if capabilities.vht.link_adaptation is defined and capabilities.vht.link_adaptation == 'unsolicited' %} -{% set output.value = output.value + '[VHT-LINK-ADAPT2]' %} -{% endif %} -{% if capabilities.vht.link_adaptation is defined and capabilities.vht.link_adaptation == 'both' %} -{% set output.value = output.value + '[VHT-LINK-ADAPT3]' %} -{% endif %} - -{% for short_gi in capabilities.vht.short_gi if capabilities.vht.short_gi is defined %} -{% set output.value = output.value + '[SHORT-GI-' + short_gi | upper + ']' %} -{% endfor %} - -{% for beamform in capabilities.vht.beamform if capabilities.vht.beamform is defined %} -{% set output.value = output.value + '[SU-BEAMFORMER]' if beamform == 'single-user-beamformer' else '' %} -{% set output.value = output.value + '[SU-BEAMFORMEE]' if beamform == 'single-user-beamformee' else '' %} -{% set output.value = output.value + '[MU-BEAMFORMER]' if beamform == 'multi-user-beamformer' else '' %} -{% set output.value = output.value + '[MU-BEAMFORMEE]' if beamform == 'multi-user-beamformee' else '' %} -{% endfor %} - -{% if capabilities.vht.antenna_count is defined and capabilities.vht.antenna_count|int > 1 %} -{% if capabilities.vht.beamform %} -{% if beamform == 'single-user-beamformer' %} -{% if capabilities.vht.antenna_count is defined and capabilities.vht.antenna_count|int > 1 and capabilities.vht.antenna_count|int < 6 %} -{% set output.value = output.value + '[BF-ANTENNA-' + capabilities.vht.antenna_count|int -1 + ']' %} -{% set output.value = output.value + '[SOUNDING-DIMENSION-' + capabilities.vht.antenna_count|int -1 + ']' %} +{% endif %} + +{% set output = namespace(value='') %} +{% if capabilities.vht.stbc.tx is vyos_defined %} +{% set output.value = output.value ~ '[TX-STBC-2BY1]' %} +{% endif %} +{% if capabilities.vht.stbc.rx is vyos_defined %} +{% set output.value = output.value ~ '[RX-STBC-' ~ capabilities.vht.stbc.rx ~ ']' %} +{% endif %} +{% if capabilities.vht.ldpc is vyos_defined %} +{% set output.value = output.value ~ '[RXLDPC]' %} +{% endif %} +{% if capabilities.vht.tx_powersave is vyos_defined %} +{% set output.value = output.value ~ '[VHT-TXOP-PS]' %} +{% endif %} +{% if capabilities.vht.vht_cf is vyos_defined %} +{% set output.value = output.value ~ '[HTC-VHT]' %} +{% endif %} +{% if capabilities.vht.antenna_pattern_fixed is vyos_defined %} +{% set output.value = output.value ~ '[RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]' %} +{% endif %} +{% if capabilities.vht.max_mpdu is vyos_defined %} +{% set output.value = output.value ~ '[MAX-MPDU-' ~ capabilities.vht.max_mpdu ~ ']' %} +{% endif %} +{% if capabilities.vht.max_mpdu_exp is vyos_defined %} +{% set output.value = output.value ~ '[MAX-A-MPDU-LEN-EXP-' ~ capabilities.vht.max_mpdu_exp ~ ']' %} +{% if capabilities.vht.max_mpdu_exp is vyos_defined('2') %} +{% set output.value = output.value ~ '[VHT160]' %} +{% endif %} +{% if capabilities.vht.max_mpdu_exp is vyos_defined('3') %} +{% set output.value = output.value ~ '[VHT160-80PLUS80]' %} +{% endif %} +{% endif %} +{% if capabilities.vht.link_adaptation is vyos_defined('unsolicited') %} +{% set output.value = output.value ~ '[VHT-LINK-ADAPT2]' %} +{% elif capabilities.vht.link_adaptation is vyos_defined('both') %} +{% set output.value = output.value ~ '[VHT-LINK-ADAPT3]' %} +{% endif %} + +{% for short_gi in capabilities.vht.short_gi if capabilities.vht.short_gi is vyos_defined %} +{% set output.value = output.value ~ '[SHORT-GI-' ~ short_gi | upper ~ ']' %} +{% endfor %} + +{% for beamform in capabilities.vht.beamform if capabilities.vht.beamform is vyos_defined %} +{% set output.value = output.value ~ '[SU-BEAMFORMER]' if beamform is vyos_defined('single-user-beamformer') else '' %} +{% set output.value = output.value ~ '[SU-BEAMFORMEE]' if beamform is vyos_defined('single-user-beamformee') else '' %} +{% set output.value = output.value ~ '[MU-BEAMFORMER]' if beamform is vyos_defined('multi-user-beamformer') else '' %} +{% set output.value = output.value ~ '[MU-BEAMFORMEE]' if beamform is vyos_defined('multi-user-beamformee') else '' %} +{% endfor %} + +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 %} +{% if capabilities.vht.beamform is vyos_defined %} +{% if capabilities.vht.beamform == 'single-user-beamformer' %} +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 and capabilities.vht.antenna_count | int < 6 %} +{% set output.value = output.value ~ '[BF-ANTENNA-' ~ capabilities.vht.antenna_count | int -1 ~ ']' %} +{% set output.value = output.value ~ '[SOUNDING-DIMENSION-' ~ capabilities.vht.antenna_count | int -1 ~ ']' %} +{% endif %} +{% endif %} +{% if capabilities.vht.antenna_count is vyos_defined and capabilities.vht.antenna_count | int > 1 and capabilities.vht.antenna_count | int < 5 %} +{% set output.value = output.value ~ '[BF-ANTENNA-' ~ capabilities.vht.antenna_count ~ ']' %} +{% set output.value = output.value ~ '[SOUNDING-DIMENSION-' ~ capabilities.vht.antenna_count ~ ']' %} +{% endif %} {% endif %} -{% endif %} -{% if capabilities.vht.antenna_count is defined and capabilities.vht.antenna_count|int > 1 and capabilities.vht.antenna_count|int < 5 %} -{% set output.value = output.value + '[BF-ANTENNA-' + capabilities.vht.antenna_count + ']' %} -{% set output.value = output.value + '[SOUNDING-DIMENSION-' + capabilities.vht.antenna_count+ ']' %} -{% endif %} {% endif %} -{% endif %} vht_capab={{ output.value }} {% endif %} @@ -410,19 +410,15 @@ vht_capab={{ output.value }} # 1 = enabled # Note: You will also need to enable WMM for full HT functionality. # Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band. -{% if capabilities is defined and capabilities.require_vht is defined %} +{% if capabilities.require_vht is vyos_defined %} ieee80211n=0 # Require stations to support VHT PHY (reject association if they do not) require_vht=1 {% else %} -{% if 'n' in mode or 'ac' in mode %} -ieee80211n=1 -{% else %} -ieee80211n=0 -{% endif %} +ieee80211n={{ '1' if 'n' in mode or 'ac' in mode else '0' }} {% endif %} -{% if disable_broadcast_ssid is defined %} +{% if disable_broadcast_ssid is vyos_defined %} # Send empty SSID in beacons and ignore probe request frames that do not # specify full SSID, i.e., require stations to know SSID. # default: disabled (0) @@ -443,7 +439,7 @@ ignore_broadcast_ssid=1 # 2 = use external RADIUS server (accept/deny lists are searched first) macaddr_acl=0 -{% if max_stations is defined %} +{% if max_stations is vyos_defined %} # Maximum number of stations allowed in station table. New stations will be # rejected after the station table is full. IEEE 802.11 has a limit of 2007 # different association IDs, so this number should not be larger than that. @@ -451,13 +447,13 @@ macaddr_acl=0 max_num_sta={{ max_stations }} {% endif %} -{% if isolate_stations is defined %} +{% if isolate_stations is vyos_defined %} # Client isolation can be used to prevent low-level bridging of frames between # associated stations in the BSS. By default, this bridging is allowed. ap_isolate=1 {% endif %} -{% if reduce_transmit_power is defined %} +{% if reduce_transmit_power is vyos_defined %} # Add Power Constraint element to Beacon and Probe Response frames # This config option adds Power Constraint element when applicable and Country # element is added. Power Constraint element is required by Transmit Power @@ -466,7 +462,7 @@ ap_isolate=1 local_pwr_constraint={{ reduce_transmit_power }} {% endif %} -{% if expunge_failing_stations is defined %} +{% if expunge_failing_stations is vyos_defined %} # Disassociate stations based on excessive transmission failures or other # indications of connection loss. This depends on the driver capabilities and # may not be available with all drivers. @@ -474,7 +470,7 @@ disassoc_low_ack=1 {% endif %} -{% if security is defined and security.wep is defined %} +{% if security.wep is vyos_defined %} # IEEE 802.11 specifies two authentication algorithms. hostapd can be # configured to allow both of these or only one. Open system authentication # should be used with IEEE 802.1X. @@ -503,14 +499,14 @@ wep_default_key=0 # digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or # 128-bit (152-bit) WEP is used. # Only the default key must be supplied; the others are optional. -{% if security.wep.key is defined %} -{% for key in sec_wep_key %} +{% if security.wep.key is vyos_defined %} +{% for key in sec_wep_key %} wep_key{{ loop.index -1 }}={{ security.wep.key }} -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} -{% elif security is defined and security.wpa is defined %} +{% elif security.wpa is vyos_defined %} ##### WPA/IEEE 802.11i configuration ########################################## # Enable WPA. Setting this variable configures the AP to require WPA (either @@ -527,17 +523,15 @@ wep_key{{ loop.index -1 }}={{ security.wep.key }} # Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2. # In other words, for WPA3, wpa 2 is used the configuration (and # wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). -{% if security.wpa.mode is defined %} -{% if security.wpa.mode == 'wpa+wpa2' %} +{% if security.wpa.mode is vyos_defined('wpa+wpa2') %} wpa=3 -{% elif security.wpa.mode == 'wpa2' or security.wpa.mode == 'wpa3' %} +{% elif security.wpa.mode is vyos_defined('wpa2') or security.wpa.mode is vyos_defined('wpa3') %} wpa=2 -{% elif security.wpa.mode == 'wpa' %} +{% elif security.wpa.mode is vyos_defined('wpa') %} wpa=1 {% endif %} -{% endif %} -{% if security.wpa.cipher is defined %} +{% if security.wpa.cipher is vyos_defined %} # Set of accepted cipher suites (encryption algorithms) for pairwise keys # (unicast packets). This is a space separated list of algorithms: # CCMP = AES in Counter mode with CBC-MAC (CCMP-128) @@ -551,16 +545,16 @@ wpa=1 # TKIP will be used as the group cipher. The optional group_cipher parameter can # be used to override this automatic selection. -{% if security.wpa.mode is defined and security.wpa.mode == 'wpa2' %} +{% if security.wpa.mode is vyos_defined('wpa2') %} # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) rsn_pairwise={{ security.wpa.cipher | join(" ") }} -{% else %} +{% else %} # Pairwise cipher for WPA (v1) (default: TKIP) wpa_pairwise={{ security.wpa.cipher | join(" ") }} +{% endif %} {% endif %} -{% endif %} -{% if security.wpa.group_cipher is defined %} +{% if security.wpa.group_cipher is vyos_defined %} # Optional override for automatic group cipher selection # This can be used to select a specific group cipher regardless of which # pairwise ciphers were enabled for WPA and RSN. It should be noted that @@ -568,9 +562,9 @@ wpa_pairwise={{ security.wpa.cipher | join(" ") }} # interoperability issues and in general, this parameter is mainly used for # testing purposes. group_cipher={{ security.wpa.group_cipher | join(" ") }} -{% endif %} +{% endif %} -{% if security.wpa.passphrase is defined %} +{% if security.wpa.passphrase is vyos_defined %} # IEEE 802.11 specifies two authentication algorithms. hostapd can be # configured to allow both of these or only one. Open system authentication # should be used with IEEE 802.1X. @@ -594,13 +588,13 @@ wpa_passphrase={{ security.wpa.passphrase }} # WPA-EAP-SHA256 = WPA2-Enterprise using SHA256 # SAE = SAE (WPA3-Personal) # WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite -{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %} +{% if security.wpa.mode is vyos_defined('wpa3') %} wpa_key_mgmt=SAE -{% else %} +{% else %} wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 -{% endif %} +{% endif %} -{% elif security.wpa.radius is defined %} +{% elif security.wpa.radius is vyos_defined %} ##### IEEE 802.1X-2004 related configuration ################################## # Require IEEE 802.1X authorization ieee8021x=1 @@ -614,43 +608,43 @@ ieee8021x=1 # WPA-EAP-SHA256 = WPA2-Enterprise using SHA256 # SAE = SAE (WPA3-Personal) # WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite -{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %} +{% if security.wpa.mode is vyos_defined('wpa3') %} wpa_key_mgmt=WPA-EAP-SUITE-B-192 -{% else %} +{% else %} wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 -{% endif %} +{% endif %} -{% if security.wpa.radius.server is defined %} +{% if security.wpa.radius.server is vyos_defined %} # RADIUS client forced local IP address for the access point # Normally the local IP address is determined automatically based on configured # IP addresses, but this field can be used to force a specific address to be # used, e.g., when the device has multiple IP addresses. # The own IP address of the access point (used as NAS-IP-Address) -{% if security.wpa.radius.source_address is defined %} +{% if security.wpa.radius.source_address is vyos_defined %} radius_client_addr={{ security.wpa.radius.source_address }} own_ip_addr={{ security.wpa.radius.source_address }} -{% else %} +{% else %} own_ip_addr=127.0.0.1 -{% endif %} +{% endif %} -{% for radius in security.wpa.radius.server if not radius.disabled %} +{% for radius in security.wpa.radius.server if not radius.disabled %} # RADIUS authentication server auth_server_addr={{ radius.server }} auth_server_port={{ radius.port }} auth_server_shared_secret={{ radius.key }} -{% if radius.acc_port %} +{% if radius.acc_port %} # RADIUS accounting server acct_server_addr={{ radius.server }} acct_server_port={{ radius.acc_port }} acct_server_shared_secret={{ radius.key }} -{% endif %} -{% endfor %} -{% else %} +{% endif %} +{% endfor %} +{% else %} # Open system auth_algs=1 +{% endif %} {% endif %} -{% endif %} {% endif %} # TX queue parameters (EDCF / bursting) diff --git a/data/templates/wifi/wpa_supplicant.conf.tmpl b/data/templates/wifi/wpa_supplicant.conf.j2 index 20b4f7976..01e0d632f 100644 --- a/data/templates/wifi/wpa_supplicant.conf.tmpl +++ b/data/templates/wifi/wpa_supplicant.conf.j2 @@ -18,7 +18,7 @@ network={ # this will add latency to scanning, so enable this only when needed) scan_ssid=1 -{% if security is defined and security.wpa is defined and security.wpa.passphrase is defined %} +{% if security.wpa.passphrase is vyos_defined %} # ieee80211w: whether management frame protection is enabled # 0 = disabled (default unless changed with the global pmf parameter) # 1 = optional @@ -59,11 +59,11 @@ network={ # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open) # DPP = Device Provisioning Protocol # If not set, this defaults to: WPA-PSK WPA-EAP -{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %} +{% if security.wpa.mode is vyos_defined('wpa3') %} key_mgmt=SAE -{% else %} +{% else %} key_mgmt=WPA-PSK WPA-PSK-SHA256 -{% endif %} +{% endif %} # psk: WPA preshared key; 256-bit pre-shared key # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., diff --git a/data/templates/zone_policy/nftables.tmpl b/data/templates/zone_policy/nftables.j2 index 4a6bd2772..e4c4dd7da 100644 --- a/data/templates/zone_policy/nftables.tmpl +++ b/data/templates/zone_policy/nftables.j2 @@ -1,113 +1,113 @@ #!/usr/sbin/nft -f -{% if cleanup_commands is defined %} -{% for command in cleanup_commands %} +{% if cleanup_commands is vyos_defined %} +{% for command in cleanup_commands %} {{ command }} -{% endfor %} +{% endfor %} {% endif %} -{% if zone is defined %} +{% if zone is vyos_defined %} table ip filter { -{% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %} -{% if zone_conf.local_zone is defined %} +{% for zone_name, zone_conf in zone.items() if zone_conf.ipv4 %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} +{% endfor %} counter {{ zone_conf.default_action }} } chain VZONE_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} +{% endfor %} counter {{ zone_conf.default_action }} } -{% else %} +{% else %} chain VZONE_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=False) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return -{% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is defined %} -{% if zone[from_zone].local_zone is not defined %} +{% endif %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.name is vyos_defined %} +{% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME_{{ from_conf.firewall.name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} counter {{ zone_conf.default_action }} } -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} } table ip6 filter { -{% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %} -{% if zone_conf.local_zone is defined %} +{% for zone_name, zone_conf in zone.items() if zone_conf.ipv6 %} +{% if zone_conf.local_zone is vyos_defined %} chain VZONE6_{{ zone_name }}_IN { iifname lo counter return -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} +{% endfor %} counter {{ zone_conf.default_action }} } chain VZONE6_{{ zone_name }}_OUT { oifname lo counter return -{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is defined %} +{% for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall.ipv6_name is vyos_defined %} oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} oifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endfor %} +{% endfor %} counter {{ zone_conf.default_action }} } -{% else %} +{% else %} chain VZONE6_{{ zone_name }} { iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6=True) }} -{% if zone_conf.intra_zone_filtering is defined %} +{% if zone_conf.intra_zone_filtering is vyos_defined %} iifname { {{ zone_conf.interface | join(",") }} } counter return -{% endif %} -{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is defined %} -{% if zone[from_zone].local_zone is not defined %} +{% endif %} +{% for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall.ipv6_name is vyos_defined %} +{% if zone[from_zone].local_zone is not defined %} iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME6_{{ from_conf.firewall.ipv6_name }} iifname { {{ zone[from_zone].interface | join(",") }} } counter return -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} counter {{ zone_conf.default_action }} } -{% endif %} -{% endfor %} +{% endif %} +{% endfor %} } -{% for zone_name, zone_conf in zone.items() %} -{% if zone_conf.ipv4 %} -{% if 'local_zone' in zone_conf %} +{% for zone_name, zone_conf in zone.items() %} +{% if zone_conf.ipv4 %} +{% if 'local_zone' in zone_conf %} insert rule ip filter VYOS_FW_LOCAL counter jump VZONE_{{ zone_name }}_IN insert rule ip filter VYOS_FW_OUTPUT counter jump VZONE_{{ zone_name }}_OUT -{% else %} +{% else %} insert rule ip filter VYOS_FW_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }} -{% endif %} -{% endif %} -{% if zone_conf.ipv6 %} -{% if 'local_zone' in zone_conf %} +{% endif %} +{% endif %} +{% if zone_conf.ipv6 %} +{% if 'local_zone' in zone_conf %} insert rule ip6 filter VYOS_FW6_LOCAL counter jump VZONE6_{{ zone_name }}_IN insert rule ip6 filter VYOS_FW6_OUTPUT counter jump VZONE6_{{ zone_name }}_OUT -{% else %} +{% else %} insert rule ip6 filter VYOS_FW6_FORWARD oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE6_{{ zone_name }} -{% endif %} -{% endif %} -{% endfor %} +{% endif %} +{% endif %} +{% endfor %} {# Ensure that state-policy rule is first in the chain #} -{% if firewall.state_policy is defined %} -{% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %} +{% if firewall.state_policy is vyos_defined %} +{% for chain in ['VYOS_FW_FORWARD', 'VYOS_FW_OUTPUT', 'VYOS_FW_LOCAL'] %} insert rule ip filter {{ chain }} jump VYOS_STATE_POLICY -{% endfor %} -{% for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] %} +{% endfor %} +{% for chain in ['VYOS_FW6_FORWARD', 'VYOS_FW6_OUTPUT', 'VYOS_FW6_LOCAL'] %} insert rule ip6 filter {{ chain }} jump VYOS_STATE_POLICY6 -{% endfor %} -{% endif %} +{% endfor %} +{% endif %} {% endif %} diff --git a/interface-definitions/containers.xml.in b/interface-definitions/container.xml.in index 9cd2b0902..51171d881 100644 --- a/interface-definitions/containers.xml.in +++ b/interface-definitions/container.xml.in @@ -1,6 +1,6 @@ <?xml version="1.0"?> <interfaceDefinition> - <node name="container" owner="${vyos_conf_scripts_dir}/containers.py"> + <node name="container" owner="${vyos_conf_scripts_dir}/container.py"> <properties> <help>Container applications</help> <priority>1280</priority> @@ -10,7 +10,7 @@ <properties> <help>Container name</help> <constraint> - <regex>^[-a-zA-Z0-9]+$</regex> + <regex>[-a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Container name must be alphanumeric and can contain hyphens</constraintErrorMessage> </properties> @@ -52,7 +52,7 @@ <description>Permission to set system clock</description> </valueHelp> <constraint> - <regex>^(net-admin|net-bind-service|net-raw|setpcap|sys-admin|sys-time)$</regex> + <regex>(net-admin|net-bind-service|net-raw|setpcap|sys-admin|sys-time)</regex> </constraint> <multi/> </properties> @@ -88,7 +88,7 @@ <properties> <help>Add custom environment variables</help> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Environment variable name must be alphanumeric and can contain hyphen and underscores</constraintErrorMessage> </properties> @@ -194,7 +194,7 @@ <list>tcp udp</list> </completionHelp> <constraint> - <regex>^(tcp|udp)$</regex> + <regex>(tcp|udp)</regex> </constraint> </properties> </leafNode> @@ -219,7 +219,7 @@ <description>Restart containers when they exit, regardless of status, retrying indefinitely</description> </valueHelp> <constraint> - <regex>^(no|on-failure|always)$</regex> + <regex>(no|on-failure|always)</regex> </constraint> </properties> <defaultValue>on-failure</defaultValue> @@ -283,10 +283,10 @@ </tagNode> <leafNode name="registry"> <properties> - <help>Add registry</help> + <help>Registry Name</help> <multi/> </properties> - <defaultValue>docker.io</defaultValue> + <defaultValue>docker.io quay.io</defaultValue> </leafNode> </children> </node> diff --git a/interface-definitions/dhcp-relay.xml.in b/interface-definitions/dhcp-relay.xml.in index 339941e65..27d0a3e6c 100644 --- a/interface-definitions/dhcp-relay.xml.in +++ b/interface-definitions/dhcp-relay.xml.in @@ -66,7 +66,7 @@ <description>discard packet (default action if giaddr not set in packet)</description> </valueHelp> <constraint> - <regex>^(append|replace|forward|discard)$</regex> + <regex>(append|replace|forward|discard)</regex> </constraint> </properties> <defaultValue>forward</defaultValue> diff --git a/interface-definitions/dhcp-server.xml.in b/interface-definitions/dhcp-server.xml.in index 312dcd2a0..60e738e01 100644 --- a/interface-definitions/dhcp-server.xml.in +++ b/interface-definitions/dhcp-server.xml.in @@ -58,7 +58,7 @@ <description>Configure this server to be the secondary node</description> </valueHelp> <constraint> - <regex>^(primary|secondary)$</regex> + <regex>(primary|secondary)</regex> </constraint> <constraintErrorMessage>Invalid DHCP failover peer status</constraintErrorMessage> </properties> @@ -142,6 +142,11 @@ boot file is to be loaded</help> </properties> </leafNode> + <leafNode name="bootfile-size"> + <properties> + <help>Bootstrap file size in 512 byte blocks</help> + </properties> + </leafNode> <leafNode name="client-prefix-length"> <properties> <help>Specifies the clients subnet mask as per RFC 950. If unset, subnet declaration is used.</help> @@ -254,7 +259,7 @@ <properties> <help>DHCP lease range</help> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Invalid range name, may only be alphanumeric, dot and hyphen</constraintErrorMessage> </properties> @@ -289,7 +294,7 @@ <properties> <help>Name of static mapping</help> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Invalid static mapping name, may only be alphanumeric, dot and hyphen</constraintErrorMessage> </properties> @@ -369,6 +374,18 @@ <leafNode name="tftp-server-name"> <properties> <help>TFTP server name</help> + <valueHelp> + <format>ipv4</format> + <description>TFTP server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>hostname</format> + <description>TFTP server FQDN</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="fqdn"/> + </constraint> </properties> </leafNode> <leafNode name="time-offset"> @@ -397,6 +414,32 @@ <multi/> </properties> </leafNode> + <node name="vendor-option"> + <properties> + <help>Vendor Specific Options</help> + </properties> + <children> + <node name="ubiquiti"> + <properties> + <help>Ubiquiti specific parameters</help> + </properties> + <children> + <leafNode name="unifi-controller"> + <properties> + <help>Address of UniFi controller</help> + <valueHelp> + <format>ipv4</format> + <description>IP address of UniFi controller</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </node> <leafNode name="wins-server"> <properties> <help>IP address for Windows Internet Name Service (WINS) server</help> diff --git a/interface-definitions/dhcpv6-server.xml.in b/interface-definitions/dhcpv6-server.xml.in index fb96571f5..10335b07e 100644 --- a/interface-definitions/dhcpv6-server.xml.in +++ b/interface-definitions/dhcpv6-server.xml.in @@ -338,6 +338,33 @@ </leafNode> </children> </tagNode> + <node name="vendor-option"> + <properties> + <help>Vendor Specific Options</help> + </properties> + <children> + <node name="cisco"> + <properties> + <help>Cisco specific parameters</help> + </properties> + <children> + <leafNode name="tftp-server"> + <properties> + <help>TFTP server name</help> + <valueHelp> + <format>ipv6</format> + <description>TFTP server IPv6 address</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + <multi/> + </properties> + </leafNode> + </children> + </node> + </children> + </node> </children> </tagNode> </children> diff --git a/interface-definitions/dns-domain-name.xml.in b/interface-definitions/dns-domain-name.xml.in index 7ae537d00..0d6418272 100644 --- a/interface-definitions/dns-domain-name.xml.in +++ b/interface-definitions/dns-domain-name.xml.in @@ -56,7 +56,7 @@ <properties> <help>DNS domain completion order</help> <constraint> - <regex>[-a-zA-Z0-9.]+$</regex> + <regex>[-a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Invalid domain name</constraintErrorMessage> <multi/> @@ -74,7 +74,7 @@ <properties> <help>Host name for static address mapping</help> <constraint> - <regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]$</regex> + <regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]</regex> </constraint> <constraintErrorMessage>invalid hostname</constraintErrorMessage> </properties> @@ -83,7 +83,7 @@ <properties> <help>Alias for this address</help> <constraint> - <regex>.{1,63}$</regex> + <regex>.{1,63}</regex> </constraint> <constraintErrorMessage>invalid alias hostname, needs to be between 1 and 63 charactes</constraintErrorMessage> <multi /> diff --git a/interface-definitions/dns-dynamic.xml.in b/interface-definitions/dns-dynamic.xml.in index 64826516e..6bc467b76 100644 --- a/interface-definitions/dns-dynamic.xml.in +++ b/interface-definitions/dns-dynamic.xml.in @@ -120,7 +120,7 @@ <description>zoneedit.com Services</description> </valueHelp> <constraint> - <regex>^(custom|afraid|changeip|cloudflare|dnspark|dslreports|dyndns|easydns|namecheap|noip|sitelutions|zoneedit|\w+)$</regex> + <regex>(custom|afraid|changeip|cloudflare|dnspark|dslreports|dyndns|easydns|namecheap|noip|sitelutions|zoneedit|\w+)</regex> </constraint> <constraintErrorMessage>You can use only predefined list of services or word characters (_, a-z, A-Z, 0-9) as service name</constraintErrorMessage> </properties> @@ -232,7 +232,7 @@ <description>Zoneedit protocol</description> </valueHelp> <constraint> - <regex>^(changeip|cloudflare|dnsmadeeasy|dnspark|dondominio|dslreports1|dtdns|duckdns|dyndns2|easydns|freedns|freemyip|googledomains|hammernode1|namecheap|nfsn|noip|sitelutions|woima|yandex|zoneedit1)$</regex> + <regex>(changeip|cloudflare|dnsmadeeasy|dnspark|dondominio|dslreports1|dtdns|duckdns|dyndns2|easydns|freedns|freemyip|googledomains|hammernode1|namecheap|nfsn|noip|sitelutions|woima|yandex|zoneedit1)</regex> </constraint> <constraintErrorMessage>Please choose from the list of allowed protocols</constraintErrorMessage> </properties> diff --git a/interface-definitions/dns-forwarding.xml.in b/interface-definitions/dns-forwarding.xml.in index 08501a4b5..6ead3e199 100644 --- a/interface-definitions/dns-forwarding.xml.in +++ b/interface-definitions/dns-forwarding.xml.in @@ -63,7 +63,7 @@ <description>Full blown DNSSEC validation. Send SERVFAIL to clients on bogus responses.</description> </valueHelp> <constraint> - <regex>^(off|process-no-validate|process|log-fail|validate)$</regex> + <regex>(off|process-no-validate|process|log-fail|validate)</regex> </constraint> </properties> <defaultValue>process-no-validate</defaultValue> @@ -113,7 +113,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}</regex> </constraint> </properties> <children> @@ -134,7 +134,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -167,7 +167,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -200,7 +200,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -212,7 +212,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}(?<!\.)$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> @@ -232,7 +232,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -244,7 +244,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}(?<!\.)$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> <children> @@ -279,7 +279,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -291,7 +291,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}(?<!\.)$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> @@ -311,7 +311,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -341,7 +341,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -370,7 +370,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -394,7 +394,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}(?<!\.)$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> @@ -454,7 +454,7 @@ <description>Root record</description> </valueHelp> <constraint> - <regex>^([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)$</regex> + <regex>([-_a-zA-Z0-9.]{1,63}|@)(?<!\.)</regex> </constraint> </properties> <children> @@ -523,7 +523,7 @@ <properties> <help>Service type</help> <constraint> - <regex>^[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?$</regex> + <regex>[a-zA-Z][a-zA-Z0-9]{0,31}(\+[a-zA-Z][a-zA-Z0-9]{0,31})?</regex> </constraint> </properties> </leafNode> @@ -540,7 +540,7 @@ <description>An absolute DNS name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,63}(?<!\.)$</regex> + <regex>[-_a-zA-Z0-9.]{1,63}(?<!\.)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/firewall.xml.in b/interface-definitions/firewall.xml.in index f2aca4b3a..ff8d92a24 100644 --- a/interface-definitions/firewall.xml.in +++ b/interface-definitions/firewall.xml.in @@ -21,7 +21,7 @@ <description>Disable processing of all IPv4 ICMP echo requests</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -41,7 +41,7 @@ <description>Disable processing of broadcast IPv4 ICMP echo/timestamp requests</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -61,7 +61,7 @@ <description>Disable sending SNMP trap on firewall configuration change</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -75,7 +75,7 @@ <properties> <help>Firewall address-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -104,7 +104,7 @@ <properties> <help>Firewall ipv6-address-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -133,7 +133,7 @@ <properties> <help>Firewall ipv6-network-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -157,7 +157,7 @@ <properties> <help>Firewall mac-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -181,7 +181,7 @@ <properties> <help>Firewall network-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -205,7 +205,7 @@ <properties> <help>Firewall port-group</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -250,7 +250,7 @@ <description>Disable processing of IPv4 packets with source route option</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -259,7 +259,7 @@ <properties> <help>IPv6 firewall rule-set name</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -396,7 +396,7 @@ <description>Disable processing of received ICMPv6 redirect messages</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -416,7 +416,7 @@ <description>Disable processing of IPv6 packets with routing header</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -436,7 +436,7 @@ <description>Disable logging of Ipv4 packets with invalid addresses</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -445,7 +445,7 @@ <properties> <help>IPv4 firewall rule-set name</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -539,7 +539,7 @@ <description>Disable processing of received IPv4 ICMP redirect messages</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -559,7 +559,7 @@ <description>Disable sending IPv4 ICMP redirect messages</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -583,7 +583,7 @@ <description>No source validation</description> </valueHelp> <constraint> - <regex>^(strict|loose|disable)$</regex> + <regex>(strict|loose|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -637,7 +637,7 @@ <description>Disable use of TCP SYN cookies with IPv4</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -657,7 +657,7 @@ <description>Disable RFC1337 TIME-WAIT hazards protection</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> diff --git a/interface-definitions/flow-accounting-conf.xml.in b/interface-definitions/flow-accounting-conf.xml.in index 133e45c72..fc59f8ab3 100644 --- a/interface-definitions/flow-accounting-conf.xml.in +++ b/interface-definitions/flow-accounting-conf.xml.in @@ -146,7 +146,7 @@ <description>Authentication and authorization</description> </valueHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> </properties> </leafNode> @@ -168,7 +168,7 @@ <description>NetFlow engine-id for v9 / IPFIX</description> </valueHelp> <constraint> - <regex>(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$|^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])$</regex> + <regex>(\d|[1-9]\d{1,8}|[1-3]\d{9}|4[01]\d{8}|42[0-8]\d{7}|429[0-3]\d{6}|4294[0-8]\d{5}|42949[0-5]\d{4}|429496[0-6]\d{3}|4294967[01]\d{2}|42949672[0-8]\d|429496729[0-5])$|^(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5]):(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/high-availability.xml.in b/interface-definitions/high-availability.xml.in index 662052e12..0631acdda 100644 --- a/interface-definitions/high-availability.xml.in +++ b/interface-definitions/high-availability.xml.in @@ -63,7 +63,7 @@ <description>AH - IPSEC (not recommended)</description> </valueHelp> <constraint> - <regex>^(plaintext-password|ah)$</regex> + <regex>(plaintext-password|ah)</regex> </constraint> <constraintErrorMessage>Authentication type must be plaintext-password or ah</constraintErrorMessage> </properties> @@ -323,7 +323,7 @@ <description>Locality-Based least connection</description> </valueHelp> <constraint> - <regex>^(round-robin|weighted-round-robin|least-connection|weighted-least-connection|source-hashing|destination-hashing|locality-based-least-connection)$</regex> + <regex>(round-robin|weighted-round-robin|least-connection|weighted-least-connection|source-hashing|destination-hashing|locality-based-least-connection)</regex> </constraint> </properties> <defaultValue>least-connection</defaultValue> @@ -360,7 +360,7 @@ <description>Tunneling</description> </valueHelp> <constraint> - <regex>^(direct|nat|tunnel)$</regex> + <regex>(direct|nat|tunnel)</regex> </constraint> </properties> <defaultValue>nat</defaultValue> @@ -394,7 +394,7 @@ <description>UDP</description> </valueHelp> <constraint> - <regex>^(tcp|udp)$</regex> + <regex>(tcp|udp)</regex> </constraint> </properties> <defaultValue>tcp</defaultValue> diff --git a/interface-definitions/https.xml.in b/interface-definitions/https.xml.in index 6fea2f1f6..d2c393036 100644 --- a/interface-definitions/https.xml.in +++ b/interface-definitions/https.xml.in @@ -38,7 +38,7 @@ <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> - <regex>\*$</regex> + <regex>\*</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/igmp-proxy.xml.in b/interface-definitions/igmp-proxy.xml.in index c7ab60929..8e738fa7f 100644 --- a/interface-definitions/igmp-proxy.xml.in +++ b/interface-definitions/igmp-proxy.xml.in @@ -56,7 +56,7 @@ <description>Disabled interface</description> </valueHelp> <constraint> - <regex>^(upstream|downstream|disabled)$</regex> + <regex>(upstream|downstream|disabled)</regex> </constraint> </properties> <defaultValue>downstream</defaultValue> diff --git a/interface-definitions/include/accel-ppp/auth-mode.xml.i b/interface-definitions/include/accel-ppp/auth-mode.xml.i index a7711b675..c1a87cfe3 100644 --- a/interface-definitions/include/accel-ppp/auth-mode.xml.i +++ b/interface-definitions/include/accel-ppp/auth-mode.xml.i @@ -11,7 +11,7 @@ <description>Use RADIUS server for user autentication</description> </valueHelp> <constraint> - <regex>^(local|radius)$</regex> + <regex>(local|radius)</regex> </constraint> <completionHelp> <list>local radius</list> diff --git a/interface-definitions/include/accel-ppp/auth-protocols.xml.i b/interface-definitions/include/accel-ppp/auth-protocols.xml.i index 480747f53..d43266152 100644 --- a/interface-definitions/include/accel-ppp/auth-protocols.xml.i +++ b/interface-definitions/include/accel-ppp/auth-protocols.xml.i @@ -22,7 +22,7 @@ <description>Authentication via MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol, version 2)</description> </valueHelp> <constraint> - <regex>^(pap|chap|mschap|mschap-v2)$</regex> + <regex>(pap|chap|mschap|mschap-v2)</regex> </constraint> <multi/> </properties> diff --git a/interface-definitions/include/accel-ppp/ppp-mppe.xml.i b/interface-definitions/include/accel-ppp/ppp-mppe.xml.i index e8370180b..4c2e84c25 100644 --- a/interface-definitions/include/accel-ppp/ppp-mppe.xml.i +++ b/interface-definitions/include/accel-ppp/ppp-mppe.xml.i @@ -18,7 +18,7 @@ <description>drop all mppe</description> </valueHelp> <constraint> - <regex>^(require|prefer|deny)$</regex> + <regex>(require|prefer|deny)</regex> </constraint> </properties> <defaultValue>prefer</defaultValue> diff --git a/interface-definitions/include/accel-ppp/ppp-options-ipv4.xml.i b/interface-definitions/include/accel-ppp/ppp-options-ipv4.xml.i index 3e065329d..a45390f43 100644 --- a/interface-definitions/include/accel-ppp/ppp-options-ipv4.xml.i +++ b/interface-definitions/include/accel-ppp/ppp-options-ipv4.xml.i @@ -3,7 +3,7 @@ <properties> <help>IPv4 negotiation algorithm</help> <constraint> - <regex>^(deny|allow)$</regex> + <regex>(deny|allow)</regex> </constraint> <constraintErrorMessage>invalid value</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i index b9fbac5c6..98abc1111 100644 --- a/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i +++ b/interface-definitions/include/accel-ppp/ppp-options-ipv6.xml.i @@ -3,7 +3,7 @@ <properties> <help>IPv6 (IPCP6) negotiation algorithm</help> <constraint> - <regex>^(deny|allow|prefer|require)$</regex> + <regex>(deny|allow|prefer|require)</regex> </constraint> <constraintErrorMessage>invalid value</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/include/auth-local-users.xml.i b/interface-definitions/include/auth-local-users.xml.i index 8ef09554e..9fb507474 100644 --- a/interface-definitions/include/auth-local-users.xml.i +++ b/interface-definitions/include/auth-local-users.xml.i @@ -7,6 +7,10 @@ <tagNode name="username"> <properties> <help>Username used for authentication</help> + <valueHelp> + <format>txt</format> + <description>Username used for authentication</description> + </valueHelp> </properties> <children> #include <include/generic-disable-node.xml.i> diff --git a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i index de42eeac9..34b5ec7d7 100644 --- a/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i +++ b/interface-definitions/include/bgp/afi-ipv4-prefix-list.xml.i @@ -15,7 +15,7 @@ <description>Name of IPv4 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -31,7 +31,7 @@ <description>Name of IPv4 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i index 2bf4753be..06c661a90 100644 --- a/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i +++ b/interface-definitions/include/bgp/afi-ipv6-prefix-list.xml.i @@ -15,7 +15,7 @@ <description>Name of IPv6 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -31,7 +31,7 @@ <description>Name of IPv6 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/bgp/afi-label.xml.i b/interface-definitions/include/bgp/afi-label.xml.i index f7a1f609f..9535d19e8 100644 --- a/interface-definitions/include/bgp/afi-label.xml.i +++ b/interface-definitions/include/bgp/afi-label.xml.i @@ -25,7 +25,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 0-1048575"/> - <regex>^(auto)$</regex> + <regex>(auto)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/bgp/afi-rd.xml.i b/interface-definitions/include/bgp/afi-rd.xml.i index c4d29268c..767502094 100644 --- a/interface-definitions/include/bgp/afi-rd.xml.i +++ b/interface-definitions/include/bgp/afi-rd.xml.i @@ -17,7 +17,7 @@ <description>Route Distinguisher, (x.x.x.x:yyy|xxxx:yyyy)</description> </valueHelp> <constraint> - <regex>^((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}$</regex> + <regex>((25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)(\.(25[0-5]|2[0-4][0-9]|[1][0-9][0-9]|[1-9][0-9]|[0-9]?)){3}|[0-9]{1,10}):[0-9]{1,5}</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/bgp/afi-route-map-export-import.xml.i b/interface-definitions/include/bgp/afi-route-map-export-import.xml.i index eae10d312..c218937c8 100644 --- a/interface-definitions/include/bgp/afi-route-map-export-import.xml.i +++ b/interface-definitions/include/bgp/afi-route-map-export-import.xml.i @@ -10,7 +10,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -26,7 +26,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i index f3fc4444c..75221a348 100644 --- a/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i +++ b/interface-definitions/include/bgp/neighbor-afi-ipv4-ipv6-common.xml.i @@ -27,7 +27,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -43,7 +43,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -59,7 +59,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -69,7 +69,7 @@ #include <include/bgp/afi-allowas-in.xml.i> <leafNode name="as-override"> <properties> - <help>AS for routes sent to this peer to be the local AS</help> + <help>Override ASN in outbound updates to configured neighbor local-as</help> <valueless/> </properties> </leafNode> @@ -177,7 +177,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/bgp/neighbor-graceful-restart.xml.i b/interface-definitions/include/bgp/neighbor-graceful-restart.xml.i index 25558cd5c..4399d7988 100644 --- a/interface-definitions/include/bgp/neighbor-graceful-restart.xml.i +++ b/interface-definitions/include/bgp/neighbor-graceful-restart.xml.i @@ -18,7 +18,7 @@ <description>Enable BGP graceful restart helper only functionality</description> </valueHelp> <constraint> - <regex>^(enable|disable|restart-helper)$</regex> + <regex>(enable|disable|restart-helper)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/bgp/protocol-common-config.xml.i b/interface-definitions/include/bgp/protocol-common-config.xml.i index b59ff0287..abaff5232 100644 --- a/interface-definitions/include/bgp/protocol-common-config.xml.i +++ b/interface-definitions/include/bgp/protocol-common-config.xml.i @@ -1106,7 +1106,7 @@ <description>Ignore paths without link bandwidth for ECMP (if other paths have it)</description> </valueHelp> <constraint> - <regex>^(default-weight-for-missing|ignore|skip-missing)$</regex> + <regex>(default-weight-for-missing|ignore|skip-missing)</regex> </constraint> </properties> </leafNode> @@ -1461,7 +1461,7 @@ <properties> <help>Name of peer-group</help> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> </properties> <children> diff --git a/interface-definitions/include/bgp/remote-as.xml.i b/interface-definitions/include/bgp/remote-as.xml.i index 11eb7c256..58595b3b9 100644 --- a/interface-definitions/include/bgp/remote-as.xml.i +++ b/interface-definitions/include/bgp/remote-as.xml.i @@ -19,7 +19,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 1-4294967294"/> - <regex>^(external|internal)$</regex> + <regex>(external|internal)</regex> </constraint> <constraintErrorMessage>Invalid AS number</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i index 9f8baa884..7fd52319a 100644 --- a/interface-definitions/include/firewall/action-accept-drop-reject.xml.i +++ b/interface-definitions/include/firewall/action-accept-drop-reject.xml.i @@ -18,7 +18,7 @@ <description>Action to reject</description> </valueHelp> <constraint> - <regex>^(accept|drop|reject)$</regex> + <regex>(accept|drop|reject)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/action.xml.i b/interface-definitions/include/firewall/action.xml.i index 4ba93e3aa..0f60e3c38 100644 --- a/interface-definitions/include/firewall/action.xml.i +++ b/interface-definitions/include/firewall/action.xml.i @@ -18,7 +18,7 @@ <description>Drop matching entries</description> </valueHelp> <constraint> - <regex>^(accept|reject|drop)$</regex> + <regex>(accept|reject|drop)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/common-rule.xml.i b/interface-definitions/include/firewall/common-rule.xml.i index 85e586e1b..2a5137dbf 100644 --- a/interface-definitions/include/firewall/common-rule.xml.i +++ b/interface-definitions/include/firewall/common-rule.xml.i @@ -70,7 +70,7 @@ <description>integer/unit (Example: 5/minute)</description> </valueHelp> <constraint> - <regex>^\d+/(second|minute|hour|day)$</regex> + <regex>\d+/(second|minute|hour|day)</regex> </constraint> </properties> </leafNode> @@ -91,7 +91,7 @@ <description>Disable log</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -189,7 +189,7 @@ <description>Source addresses seen COUNT times in the last hour</description> </valueHelp> <constraint> - <regex>^(second|minute|hour)$</regex> + <regex>(second|minute|hour)</regex> </constraint> </properties> </leafNode> @@ -241,7 +241,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -260,7 +260,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -279,7 +279,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -298,7 +298,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -318,7 +318,7 @@ <description>Enter date using following notation - YYYY-MM-DD</description> </valueHelp> <constraint> - <regex>^(\d{4}\-\d{2}\-\d{2})$</regex> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> </constraint> </properties> </leafNode> @@ -330,7 +330,7 @@ <description>Enter time using using 24 hour notation - hh:mm:ss</description> </valueHelp> <constraint> - <regex>^([0-2][0-9](\:[0-5][0-9]){1,2})$</regex> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> </constraint> </properties> </leafNode> @@ -342,7 +342,7 @@ <description>Enter date using following notation - YYYY-MM-DD</description> </valueHelp> <constraint> - <regex>^(\d{4}\-\d{2}\-\d{2})$</regex> + <regex>(\d{4}\-\d{2}\-\d{2})</regex> </constraint> </properties> </leafNode> @@ -354,7 +354,7 @@ <description>Enter time using using 24 hour notation - hh:mm:ss</description> </valueHelp> <constraint> - <regex>^([0-2][0-9](\:[0-5][0-9]){1,2})$</regex> + <regex>([0-2][0-9](\:[0-5][0-9]){1,2})</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/icmp-type-name.xml.i b/interface-definitions/include/firewall/icmp-type-name.xml.i index f57def3e1..d4197cf82 100644 --- a/interface-definitions/include/firewall/icmp-type-name.xml.i +++ b/interface-definitions/include/firewall/icmp-type-name.xml.i @@ -66,7 +66,7 @@ <description>ICMP type 18: address-mask-reply</description> </valueHelp> <constraint> - <regex>^(echo-reply|destination-unreachable|source-quench|redirect|echo-request|router-advertisement|router-solicitation|time-exceeded|parameter-problem|timestamp-request|timestamp-reply|info-request|info-reply|address-mask-request|address-mask-reply)$</regex> + <regex>(echo-reply|destination-unreachable|source-quench|redirect|echo-request|router-advertisement|router-solicitation|time-exceeded|parameter-problem|timestamp-request|timestamp-reply|info-request|info-reply|address-mask-request|address-mask-reply)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/icmpv6-type-name.xml.i b/interface-definitions/include/firewall/icmpv6-type-name.xml.i index b13cf02c4..a2e68abfb 100644 --- a/interface-definitions/include/firewall/icmpv6-type-name.xml.i +++ b/interface-definitions/include/firewall/icmpv6-type-name.xml.i @@ -66,7 +66,7 @@ <description>ICMPv6 type 138: router-renumbering</description> </valueHelp> <constraint> - <regex>^(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering)$</regex> + <regex>(destination-unreachable|packet-too-big|time-exceeded|echo-request|echo-reply|mld-listener-query|mld-listener-report|mld-listener-reduction|nd-router-solicit|nd-router-advert|nd-neighbor-solicit|nd-neighbor-advert|nd-redirect|parameter-problem|router-renumbering)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/firewall/name-default-action.xml.i b/interface-definitions/include/firewall/name-default-action.xml.i index 8470a29a9..512b0296f 100644 --- a/interface-definitions/include/firewall/name-default-action.xml.i +++ b/interface-definitions/include/firewall/name-default-action.xml.i @@ -18,7 +18,7 @@ <description>Accept if no prior rules are hit</description> </valueHelp> <constraint> - <regex>^(drop|reject|accept)$</regex> + <regex>(drop|reject|accept)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/interface/address-ipv4-ipv6-dhcp.xml.i b/interface-definitions/include/interface/address-ipv4-ipv6-dhcp.xml.i index 123590c08..b9dd59bea 100644 --- a/interface-definitions/include/interface/address-ipv4-ipv6-dhcp.xml.i +++ b/interface-definitions/include/interface/address-ipv4-ipv6-dhcp.xml.i @@ -23,7 +23,7 @@ </valueHelp> <constraint> <validator name="ip-host"/> - <regex>^(dhcp|dhcpv6)$</regex> + <regex>(dhcp|dhcpv6)</regex> </constraint> <multi/> </properties> diff --git a/interface-definitions/include/interface/adjust-mss.xml.i b/interface-definitions/include/interface/adjust-mss.xml.i index 57019f02c..41140ffe1 100644 --- a/interface-definitions/include/interface/adjust-mss.xml.i +++ b/interface-definitions/include/interface/adjust-mss.xml.i @@ -16,7 +16,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 500-65535"/> - <regex>^(clamp-mss-to-pmtu)$</regex> + <regex>(clamp-mss-to-pmtu)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/interface/default-route-distance.xml.i b/interface-definitions/include/interface/default-route-distance.xml.i new file mode 100644 index 000000000..6eda52c91 --- /dev/null +++ b/interface-definitions/include/interface/default-route-distance.xml.i @@ -0,0 +1,15 @@ +<!-- include start from interface/default-route-distance.xml.i --> +<leafNode name="default-route-distance"> + <properties> + <help>Distance for installed default route</help> + <valueHelp> + <format>u32:1-255</format> + <description>Distance for the default route from DHCP server</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-255"/> + </constraint> + </properties> + <defaultValue>210</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/description.xml.i b/interface-definitions/include/interface/description.xml.i index 8579cf7d1..de01d22ca 100644 --- a/interface-definitions/include/interface/description.xml.i +++ b/interface-definitions/include/interface/description.xml.i @@ -3,7 +3,7 @@ <properties> <help>Interface specific description</help> <constraint> - <regex>.{1,256}$</regex> + <regex>.{1,256}</regex> </constraint> <constraintErrorMessage>Description too long (limit 256 characters)</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/interface/dhcp-options.xml.i b/interface-definitions/include/interface/dhcp-options.xml.i index 098d02919..914b60503 100644 --- a/interface-definitions/include/interface/dhcp-options.xml.i +++ b/interface-definitions/include/interface/dhcp-options.xml.i @@ -19,25 +19,8 @@ <help>Identify the vendor client type to the DHCP server</help> </properties> </leafNode> - <leafNode name="no-default-route"> - <properties> - <help>Do not request routers from DHCP server</help> - <valueless/> - </properties> - </leafNode> - <leafNode name="default-route-distance"> - <properties> - <help>Distance for the default route from DHCP server</help> - <valueHelp> - <format>u32:1-255</format> - <description>Distance for the default route from DHCP server</description> - </valueHelp> - <constraint> - <validator name="numeric" argument="--range 1-255"/> - </constraint> - </properties> - <defaultValue>210</defaultValue> - </leafNode> + #include <include/interface/no-default-route.xml.i> + #include <include/interface/default-route-distance.xml.i> <leafNode name="reject"> <properties> <help>IP addresses or subnets from which to reject DHCP leases</help> diff --git a/interface-definitions/include/interface/no-default-route.xml.i b/interface-definitions/include/interface/no-default-route.xml.i new file mode 100644 index 000000000..307fcff1e --- /dev/null +++ b/interface-definitions/include/interface/no-default-route.xml.i @@ -0,0 +1,8 @@ +<!-- include start from interface/dhcp-options.xml.i --> +<leafNode name="no-default-route"> + <properties> + <help>Do not install default route to system</help> + <valueless/> + </properties> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/parameters-df.xml.i b/interface-definitions/include/interface/parameters-df.xml.i new file mode 100644 index 000000000..82436b5e4 --- /dev/null +++ b/interface-definitions/include/interface/parameters-df.xml.i @@ -0,0 +1,26 @@ +<!-- include start from interface/parameters-df.xml.i --> +<leafNode name="df"> + <properties> + <help>Usage of the DF (don't Fragment) bit in outgoing packets</help> + <completionHelp> + <list>set unset inherit</list> + </completionHelp> + <valueHelp> + <format>set</format> + <description>Always set DF (don't fragment) bit</description> + </valueHelp> + <valueHelp> + <format>unset</format> + <description>Always unset DF (don't fragment) bit</description> + </valueHelp> + <valueHelp> + <format>inherit</format> + <description>Copy from the original IP header</description> + </valueHelp> + <constraint> + <regex>(set|unset|inherit)</regex> + </constraint> + </properties> + <defaultValue>unset</defaultValue> +</leafNode> +<!-- include end --> diff --git a/interface-definitions/include/interface/parameters-dont-fragment.xml.i b/interface-definitions/include/interface/parameters-dont-fragment.xml.i deleted file mode 100644 index d34f0a97b..000000000 --- a/interface-definitions/include/interface/parameters-dont-fragment.xml.i +++ /dev/null @@ -1,8 +0,0 @@ -<!-- include start from interface/parameters-df.xml.i --> -<leafNode name="dont-fragment"> - <properties> - <help>Specifies the usage of the dont fragment (DF) bit</help> - <valueless/> - </properties> -</leafNode> -<!-- include end --> diff --git a/interface-definitions/include/interface/parameters-flowlabel.xml.i b/interface-definitions/include/interface/parameters-flowlabel.xml.i index bd0d1e070..b2e88215b 100644 --- a/interface-definitions/include/interface/parameters-flowlabel.xml.i +++ b/interface-definitions/include/interface/parameters-flowlabel.xml.i @@ -14,7 +14,7 @@ <description>Tunnel key, or hex value</description> </valueHelp> <constraint> - <regex>^((0x){0,1}(0?[0-9A-Fa-f]{1,5})|inherit)$</regex> + <regex>((0x){0,1}(0?[0-9A-Fa-f]{1,5})|inherit)</regex> </constraint> <constraintErrorMessage>Must be 'inherit' or a number</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/interface/source-validation.xml.i b/interface-definitions/include/interface/source-validation.xml.i index f38065f4d..fc9a7d376 100644 --- a/interface-definitions/include/interface/source-validation.xml.i +++ b/interface-definitions/include/interface/source-validation.xml.i @@ -18,7 +18,7 @@ <description>No source validation</description> </valueHelp> <constraint> - <regex>^(strict|loose|disable)$</regex> + <regex>(strict|loose|disable)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/interface/vif-s.xml.i b/interface-definitions/include/interface/vif-s.xml.i index 3b305618e..c1af9f9e3 100644 --- a/interface-definitions/include/interface/vif-s.xml.i +++ b/interface-definitions/include/interface/vif-s.xml.i @@ -35,7 +35,7 @@ <description>VLAN-tagged frame (IEEE 802.1q), ethertype 0x8100</description> </valueHelp> <constraint> - <regex>^(802.1q|802.1ad)$</regex> + <regex>(802.1q|802.1ad)</regex> </constraint> <constraintErrorMessage>Ethertype must be 802.1ad or 802.1q</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/interface/vif.xml.i b/interface-definitions/include/interface/vif.xml.i index 4e7f9b3c2..57ef8d64c 100644 --- a/interface-definitions/include/interface/vif.xml.i +++ b/interface-definitions/include/interface/vif.xml.i @@ -28,7 +28,7 @@ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> </valueHelp> <constraint> - <regex>[:0-7 ]+$</regex> + <regex>[:0-7 ]+</regex> </constraint> <constraintErrorMessage>QoS mapping should be in the format of '0:7 2:3' with numbers 0-9</constraintErrorMessage> </properties> @@ -41,7 +41,7 @@ <description>Format for qos mapping, e.g.: '0:1 1:6 7:6'</description> </valueHelp> <constraint> - <regex>[:0-7 ]+$</regex> + <regex>[:0-7 ]+</regex> </constraint> <constraintErrorMessage>QoS mapping should be in the format of '0:7 2:3' with numbers 0-9</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/ipsec/local-address.xml.i b/interface-definitions/include/ipsec/local-address.xml.i index 2de6ecb1f..dc5653ce7 100644 --- a/interface-definitions/include/ipsec/local-address.xml.i +++ b/interface-definitions/include/ipsec/local-address.xml.i @@ -20,7 +20,7 @@ <constraint> <validator name="ipv4-address"/> <validator name="ipv6-address"/> - <regex>^(any)$</regex> + <regex>(any)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/nat-translation-options.xml.i b/interface-definitions/include/nat-translation-options.xml.i index 925f90106..6b95de045 100644 --- a/interface-definitions/include/nat-translation-options.xml.i +++ b/interface-definitions/include/nat-translation-options.xml.i @@ -19,7 +19,7 @@ <description>Random source or destination address allocation for each connection</description> </valueHelp> <constraint> - <regex>^(persistent|random)$</regex> + <regex>(persistent|random)</regex> </constraint> </properties> <defaultValue>random</defaultValue> @@ -43,7 +43,7 @@ <description>Do not apply port randomization</description> </valueHelp> <constraint> - <regex>^(random|fully-random|none)$</regex> + <regex>(random|fully-random|none)</regex> </constraint> </properties> <defaultValue>none</defaultValue> diff --git a/interface-definitions/include/ospf/authentication.xml.i b/interface-definitions/include/ospf/authentication.xml.i index 1e6050b97..8e8cad067 100644 --- a/interface-definitions/include/ospf/authentication.xml.i +++ b/interface-definitions/include/ospf/authentication.xml.i @@ -29,7 +29,7 @@ <description>MD5 Key (16 characters or less)</description> </valueHelp> <constraint> - <regex>^[^[:space:]]{1,16}$</regex> + <regex>[^[:space:]]{1,16}</regex> </constraint> <constraintErrorMessage>Password must be 16 characters or less</constraintErrorMessage> </properties> @@ -46,7 +46,7 @@ <description>Plain text password (8 characters or less)</description> </valueHelp> <constraint> - <regex>^[^[:space:]]{1,8}$</regex> + <regex>[^[:space:]]{1,8}</regex> </constraint> <constraintErrorMessage>Password must be 8 characters or less</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/ospf/protocol-common-config.xml.i b/interface-definitions/include/ospf/protocol-common-config.xml.i index 3a3372e47..c156d5b1c 100644 --- a/interface-definitions/include/ospf/protocol-common-config.xml.i +++ b/interface-definitions/include/ospf/protocol-common-config.xml.i @@ -45,7 +45,7 @@ <description>Filter static routes</description> </valueHelp> <constraint> - <regex>^(bgp|connected|isis|kernel|rip|static)$</regex> + <regex>(bgp|connected|isis|kernel|rip|static)</regex> </constraint> <constraintErrorMessage>Must be bgp, connected, kernel, rip, or static</constraintErrorMessage> <multi/> @@ -123,7 +123,7 @@ <description>Never translate LSA types</description> </valueHelp> <constraint> - <regex>^(always|candidate|never)$</regex> + <regex>(always|candidate|never)</regex> </constraint> </properties> <defaultValue>candidate</defaultValue> @@ -172,7 +172,7 @@ <description>Use MD5 authentication</description> </valueHelp> <constraint> - <regex>^(plaintext-password|md5)$</regex> + <regex>(plaintext-password|md5)</regex> </constraint> </properties> </leafNode> @@ -252,7 +252,7 @@ <description>Enable shortcutting mode</description> </valueHelp> <constraint> - <regex>^(default|disable|enable)$</regex> + <regex>(default|disable|enable)</regex> </constraint> </properties> </leafNode> @@ -432,7 +432,7 @@ <description>Point-to-point network type</description> </valueHelp> <constraint> - <regex>^(broadcast|non-broadcast|point-to-multipoint|point-to-point)$</regex> + <regex>(broadcast|non-broadcast|point-to-multipoint|point-to-point)</regex> </constraint> <constraintErrorMessage>Must be broadcast, non-broadcast, point-to-multipoint or point-to-point</constraintErrorMessage> </properties> @@ -586,7 +586,7 @@ <description>Standard ABR type</description> </valueHelp> <constraint> - <regex>^(cisco|ibm|shortcut|standard)$</regex> + <regex>(cisco|ibm|shortcut|standard)</regex> </constraint> </properties> <defaultValue>cisco</defaultValue> @@ -617,7 +617,7 @@ <description>Default to suppress routing updates on all interfaces</description> </valueHelp> <constraint> - <regex>^(default)$</regex> + <regex>(default)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/ospfv3/protocol-common-config.xml.i b/interface-definitions/include/ospfv3/protocol-common-config.xml.i index 792c873c8..630534eea 100644 --- a/interface-definitions/include/ospfv3/protocol-common-config.xml.i +++ b/interface-definitions/include/ospfv3/protocol-common-config.xml.i @@ -184,7 +184,7 @@ <description>Point-to-point network type</description> </valueHelp> <constraint> - <regex>^(broadcast|point-to-point)$</regex> + <regex>(broadcast|point-to-point)</regex> </constraint> <constraintErrorMessage>Must be broadcast or point-to-point</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/policy/action.xml.i b/interface-definitions/include/policy/action.xml.i index 3b9b458d4..0a3dc158a 100644 --- a/interface-definitions/include/policy/action.xml.i +++ b/interface-definitions/include/policy/action.xml.i @@ -14,7 +14,7 @@ <description>Deny matching entries</description> </valueHelp> <constraint> - <regex>^(permit|deny)$</regex> + <regex>(permit|deny)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i index 406125e55..cfeba1a6c 100644 --- a/interface-definitions/include/policy/route-common-rule-ipv6.xml.i +++ b/interface-definitions/include/policy/route-common-rule-ipv6.xml.i @@ -91,7 +91,7 @@ <description>Disable log</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -196,7 +196,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 1-200"/> - <regex>^(main)$</regex> + <regex>(main)</regex> </constraint> </properties> </leafNode> @@ -260,7 +260,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -279,7 +279,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -298,7 +298,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -317,7 +317,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -543,7 +543,7 @@ <description>ICMP type/code name</description> </valueHelp> <constraint> - <regex>^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)$</regex> + <regex>(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)</regex> <validator name="numeric" argument="--range 0-255"/> </constraint> </properties> diff --git a/interface-definitions/include/policy/route-common-rule.xml.i b/interface-definitions/include/policy/route-common-rule.xml.i index 33c4ba77c..5a17dbc95 100644 --- a/interface-definitions/include/policy/route-common-rule.xml.i +++ b/interface-definitions/include/policy/route-common-rule.xml.i @@ -91,7 +91,7 @@ <description>Disable log</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -196,7 +196,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 1-200"/> - <regex>^(main)$</regex> + <regex>(main)</regex> </constraint> </properties> </leafNode> @@ -260,7 +260,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -279,7 +279,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -298,7 +298,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -317,7 +317,7 @@ <description>Disable</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/policy/route-rule-action.xml.i b/interface-definitions/include/policy/route-rule-action.xml.i index 9c880579d..1217055f2 100644 --- a/interface-definitions/include/policy/route-rule-action.xml.i +++ b/interface-definitions/include/policy/route-rule-action.xml.i @@ -10,7 +10,7 @@ <description>Drop matching entries</description> </valueHelp> <constraint> - <regex>^(drop)$</regex> + <regex>(drop)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/include/route-map.xml.i b/interface-definitions/include/route-map.xml.i index 88092b7d4..019868373 100644 --- a/interface-definitions/include/route-map.xml.i +++ b/interface-definitions/include/route-map.xml.i @@ -10,7 +10,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/routing-passive-interface.xml.i b/interface-definitions/include/routing-passive-interface.xml.i index 43dfb5e44..095b683de 100644 --- a/interface-definitions/include/routing-passive-interface.xml.i +++ b/interface-definitions/include/routing-passive-interface.xml.i @@ -15,7 +15,7 @@ <description>Default to suppress routing updates on all interfaces</description> </valueHelp> <constraint> - <regex>^(default)$</regex> + <regex>(default)</regex> <validator name="interface-name"/> </constraint> <multi/> diff --git a/interface-definitions/include/snmp/access-mode.xml.i b/interface-definitions/include/snmp/access-mode.xml.i index 71c766774..7469805ac 100644 --- a/interface-definitions/include/snmp/access-mode.xml.i +++ b/interface-definitions/include/snmp/access-mode.xml.i @@ -14,7 +14,7 @@ <description>read write</description> </valueHelp> <constraint> - <regex>^(ro|rw)$</regex> + <regex>(ro|rw)</regex> </constraint> <constraintErrorMessage>Authorization type must be either 'rw' or 'ro'</constraintErrorMessage> </properties> diff --git a/interface-definitions/include/snmp/authentication-type.xml.i b/interface-definitions/include/snmp/authentication-type.xml.i index ca0bb10a6..047d8cff4 100644 --- a/interface-definitions/include/snmp/authentication-type.xml.i +++ b/interface-definitions/include/snmp/authentication-type.xml.i @@ -14,7 +14,7 @@ <description>Secure Hash Algorithm</description> </valueHelp> <constraint> - <regex>^(md5|sha)$</regex> + <regex>(md5|sha)</regex> </constraint> </properties> <defaultValue>md5</defaultValue> diff --git a/interface-definitions/include/snmp/privacy-type.xml.i b/interface-definitions/include/snmp/privacy-type.xml.i index 94029a6c6..d5fd1e811 100644 --- a/interface-definitions/include/snmp/privacy-type.xml.i +++ b/interface-definitions/include/snmp/privacy-type.xml.i @@ -14,7 +14,7 @@ <description>Advanced Encryption Standard</description> </valueHelp> <constraint> - <regex>^(des|aes)$</regex> + <regex>(des|aes)</regex> </constraint> </properties> <defaultValue>des</defaultValue> diff --git a/interface-definitions/include/snmp/protocol.xml.i b/interface-definitions/include/snmp/protocol.xml.i index ebdeef87e..d7e6752ad 100644 --- a/interface-definitions/include/snmp/protocol.xml.i +++ b/interface-definitions/include/snmp/protocol.xml.i @@ -14,7 +14,7 @@ <description>Listen protocol TCP</description>
</valueHelp>
<constraint>
- <regex>^(udp|tcp)$</regex>
+ <regex>(udp|tcp)</regex>
</constraint>
</properties>
<defaultValue>udp</defaultValue>
diff --git a/interface-definitions/include/ssh-user.xml.i b/interface-definitions/include/ssh-user.xml.i index 17ba05a90..6ac1f35bc 100644 --- a/interface-definitions/include/ssh-user.xml.i +++ b/interface-definitions/include/ssh-user.xml.i @@ -3,7 +3,7 @@ <properties> <help>Allow specific users to login</help> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,100}</regex> + <regex>[-_a-zA-Z0-9.]{1,100}</regex> </constraint> <constraintErrorMessage>Illegal characters or more than 100 characters</constraintErrorMessage> <multi/> diff --git a/interface-definitions/include/static/static-route-vrf.xml.i b/interface-definitions/include/static/static-route-vrf.xml.i index 69aba253c..e1968f04a 100644 --- a/interface-definitions/include/static/static-route-vrf.xml.i +++ b/interface-definitions/include/static/static-route-vrf.xml.i @@ -11,7 +11,7 @@ <description>Name of VRF to leak to</description> </valueHelp> <constraint> - <regex>^(default)$</regex> + <regex>(default)</regex> <validator name="vrf-name"/> </constraint> </properties> diff --git a/interface-definitions/include/version/interfaces-version.xml.i b/interface-definitions/include/version/interfaces-version.xml.i index b97971531..0a209bc3a 100644 --- a/interface-definitions/include/version/interfaces-version.xml.i +++ b/interface-definitions/include/version/interfaces-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/interfaces-version.xml.i --> -<syntaxVersion component='interfaces' version='25'></syntaxVersion> +<syntaxVersion component='interfaces' version='26'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/openconnect-version.xml.i b/interface-definitions/include/version/openconnect-version.xml.i index d7d35b321..654806278 100644 --- a/interface-definitions/include/version/openconnect-version.xml.i +++ b/interface-definitions/include/version/openconnect-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/openconnect-version.xml.i --> -<syntaxVersion component='openconnect' version='1'></syntaxVersion> +<syntaxVersion component='openconnect' version='2'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/quagga-version.xml.i b/interface-definitions/include/version/quagga-version.xml.i index bb8ad7f82..f9944acce 100644 --- a/interface-definitions/include/version/quagga-version.xml.i +++ b/interface-definitions/include/version/quagga-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/quagga-version.xml.i --> -<syntaxVersion component='quagga' version='9'></syntaxVersion> +<syntaxVersion component='quagga' version='10'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/version/system-version.xml.i b/interface-definitions/include/version/system-version.xml.i index 19591256d..3cf92001c 100644 --- a/interface-definitions/include/version/system-version.xml.i +++ b/interface-definitions/include/version/system-version.xml.i @@ -1,3 +1,3 @@ <!-- include start from include/version/system-version.xml.i --> -<syntaxVersion component='system' version='23'></syntaxVersion> +<syntaxVersion component='system' version='24'></syntaxVersion> <!-- include end --> diff --git a/interface-definitions/include/vpn-ipsec-encryption.xml.i b/interface-definitions/include/vpn-ipsec-encryption.xml.i index eb0678aa9..629e6a0b9 100644 --- a/interface-definitions/include/vpn-ipsec-encryption.xml.i +++ b/interface-definitions/include/vpn-ipsec-encryption.xml.i @@ -226,7 +226,7 @@ <description>256 bit ChaCha20/Poly1305 with 128 bit ICV</description> </valueHelp> <constraint> - <regex>^(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)$</regex> + <regex>(null|aes128|aes192|aes256|aes128ctr|aes192ctr|aes256ctr|aes128ccm64|aes192ccm64|aes256ccm64|aes128ccm96|aes192ccm96|aes256ccm96|aes128ccm128|aes192ccm128|aes256ccm128|aes128gcm64|aes192gcm64|aes256gcm64|aes128gcm96|aes192gcm96|aes256gcm96|aes128gcm128|aes192gcm128|aes256gcm128|aes128gmac|aes192gmac|aes256gmac|3des|blowfish128|blowfish192|blowfish256|camellia128|camellia192|camellia256|camellia128ctr|camellia192ctr|camellia256ctr|camellia128ccm64|camellia192ccm64|camellia256ccm64|camellia128ccm96|camellia192ccm96|camellia256ccm96|camellia128ccm128|camellia192ccm128|camellia256ccm128|serpent128|serpent192|serpent256|twofish128|twofish192|twofish256|cast128|chacha20poly1305)</regex> </constraint> </properties> <defaultValue>aes128</defaultValue> diff --git a/interface-definitions/include/vpn-ipsec-hash.xml.i b/interface-definitions/include/vpn-ipsec-hash.xml.i index d6259574a..73d19c24b 100644 --- a/interface-definitions/include/vpn-ipsec-hash.xml.i +++ b/interface-definitions/include/vpn-ipsec-hash.xml.i @@ -58,7 +58,7 @@ <description>256-bit AES-GMAC</description> </valueHelp> <constraint> - <regex>^(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)$</regex> + <regex>(md5|md5_128|sha1|sha1_160|sha256|sha256_96|sha384|sha512|aesxcbc|aescmac|aes128gmac|aes192gmac|aes256gmac)</regex> </constraint> </properties> <defaultValue>sha1</defaultValue> diff --git a/interface-definitions/include/webproxy-url-filtering.xml.i b/interface-definitions/include/webproxy-url-filtering.xml.i index 265bbff94..7763cb393 100644 --- a/interface-definitions/include/webproxy-url-filtering.xml.i +++ b/interface-definitions/include/webproxy-url-filtering.xml.i @@ -38,7 +38,7 @@ <description>Default filter action is block</description> </valueHelp> <constraint> - <regex>^(allow|block)$</regex> + <regex>(allow|block)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/interfaces-bonding.xml.in b/interface-definitions/interfaces-bonding.xml.in index 5ae67a672..96dede723 100644 --- a/interface-definitions/interfaces-bonding.xml.in +++ b/interface-definitions/interfaces-bonding.xml.in @@ -7,7 +7,7 @@ <help>Bonding Interface/Link Aggregation</help> <priority>320</priority> <constraint> - <regex>^bond[0-9]+$</regex> + <regex>bond[0-9]+</regex> </constraint> <constraintErrorMessage>Bonding interface must be named bondN</constraintErrorMessage> <valueHelp> @@ -85,7 +85,7 @@ <description>combine encapsulated IP address and port to make hash</description> </valueHelp> <constraint> - <regex>^(layer2\+3|layer3\+4|layer2|encap2\+3|encap3\+4)$</regex> + <regex>(layer2\+3|layer3\+4|layer2|encap2\+3|encap3\+4)</regex> </constraint> <constraintErrorMessage>hash-policy must be layer2 layer2+3 layer3+4 encap2+3 or encap3+4</constraintErrorMessage> </properties> @@ -122,7 +122,7 @@ <description>Request partner to transmit LACPDUs every 1 second</description> </valueHelp> <constraint> - <regex>^(slow|fast)$</regex> + <regex>(slow|fast)</regex> </constraint> </properties> <defaultValue>slow</defaultValue> @@ -162,7 +162,7 @@ <description>Distribute based on MAC address</description> </valueHelp> <constraint> - <regex>^(802.3ad|active-backup|broadcast|round-robin|transmit-load-balance|adaptive-load-balance|xor-hash)$</regex> + <regex>(802.3ad|active-backup|broadcast|round-robin|transmit-load-balance|adaptive-load-balance|xor-hash)</regex> </constraint> <constraintErrorMessage>mode must be 802.3ad, active-backup, broadcast, round-robin, transmit-load-balance, adaptive-load-balance, or xor</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-bridge.xml.in b/interface-definitions/interfaces-bridge.xml.in index be4c92583..60edf3ce2 100644 --- a/interface-definitions/interfaces-bridge.xml.in +++ b/interface-definitions/interfaces-bridge.xml.in @@ -7,7 +7,7 @@ <help>Bridge Interface</help> <priority>310</priority> <constraint> - <regex>^br[0-9]+$</regex> + <regex>br[0-9]+</regex> </constraint> <constraintErrorMessage>Bridge interface must be named brN</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/interfaces-dummy.xml.in b/interface-definitions/interfaces-dummy.xml.in index 7f9ae90e5..01438de31 100644 --- a/interface-definitions/interfaces-dummy.xml.in +++ b/interface-definitions/interfaces-dummy.xml.in @@ -7,7 +7,7 @@ <help>Dummy Interface</help> <priority>300</priority> <constraint> - <regex>^dum[0-9]+$</regex> + <regex>dum[0-9]+</regex> </constraint> <constraintErrorMessage>Dummy interface must be named dumN</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/interfaces-ethernet.xml.in b/interface-definitions/interfaces-ethernet.xml.in index 7fa07e9ec..c821f04b2 100644 --- a/interface-definitions/interfaces-ethernet.xml.in +++ b/interface-definitions/interfaces-ethernet.xml.in @@ -14,7 +14,7 @@ <description>Ethernet interface name</description> </valueHelp> <constraint> - <regex>^((eth|lan)[0-9]+|(eno|ens|enp|enx).+)$</regex> + <regex>((eth|lan)[0-9]+|(eno|ens|enp|enx).+)</regex> </constraint> <constraintErrorMessage>Invalid Ethernet interface name</constraintErrorMessage> </properties> @@ -52,7 +52,7 @@ <description>Full duplex</description> </valueHelp> <constraint> - <regex>^(auto|half|full)$</regex> + <regex>(auto|half|full)</regex> </constraint> <constraintErrorMessage>duplex must be auto, half or full</constraintErrorMessage> </properties> @@ -159,7 +159,7 @@ <description>100 Gbit/sec</description> </valueHelp> <constraint> - <regex>^(auto|10|100|1000|2500|5000|10000|25000|40000|50000|100000)$</regex> + <regex>(auto|10|100|1000|2500|5000|10000|25000|40000|50000|100000)</regex> </constraint> <constraintErrorMessage>Speed must be auto, 10, 100, 1000, 2500, 5000, 10000, 25000, 40000, 50000 or 100000</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-geneve.xml.in b/interface-definitions/interfaces-geneve.xml.in index fa5a78be5..6e8a8fee2 100644 --- a/interface-definitions/interfaces-geneve.xml.in +++ b/interface-definitions/interfaces-geneve.xml.in @@ -7,7 +7,7 @@ <help>Generic Network Virtualization Encapsulation (GENEVE) Interface</help> <priority>460</priority> <constraint> - <regex>^gnv[0-9]+$</regex> + <regex>gnv[0-9]+</regex> </constraint> <constraintErrorMessage>GENEVE interface must be named gnvN</constraintErrorMessage> <valueHelp> @@ -35,7 +35,7 @@ <help>IPv4 specific tunnel parameters</help> </properties> <children> - #include <include/interface/parameters-dont-fragment.xml.i> + #include <include/interface/parameters-df.xml.i> #include <include/interface/parameters-tos.xml.i> #include <include/interface/parameters-ttl.xml.i> </children> diff --git a/interface-definitions/interfaces-l2tpv3.xml.in b/interface-definitions/interfaces-l2tpv3.xml.in index 1f23a89a5..6a85064cd 100644 --- a/interface-definitions/interfaces-l2tpv3.xml.in +++ b/interface-definitions/interfaces-l2tpv3.xml.in @@ -7,7 +7,7 @@ <help>Layer 2 Tunnel Protocol Version 3 (L2TPv3) Interface</help> <priority>485</priority> <constraint> - <regex>^l2tpeth[0-9]+$</regex> + <regex>l2tpeth[0-9]+</regex> </constraint> <constraintErrorMessage>L2TPv3 interface must be named l2tpethN</constraintErrorMessage> <valueHelp> @@ -49,7 +49,7 @@ <description>IP encapsulation</description> </valueHelp> <constraint> - <regex>^(udp|ip)$</regex> + <regex>(udp|ip)</regex> </constraint> <constraintErrorMessage>Encapsulation must be UDP or IP</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-loopback.xml.in b/interface-definitions/interfaces-loopback.xml.in index 7ac0545c6..7f59db543 100644 --- a/interface-definitions/interfaces-loopback.xml.in +++ b/interface-definitions/interfaces-loopback.xml.in @@ -7,7 +7,7 @@ <help>Loopback Interface</help> <priority>300</priority> <constraint> - <regex>^lo$</regex> + <regex>lo</regex> </constraint> <constraintErrorMessage>Loopback interface must be named lo</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/interfaces-macsec.xml.in b/interface-definitions/interfaces-macsec.xml.in index cb3c489aa..dbb989588 100644 --- a/interface-definitions/interfaces-macsec.xml.in +++ b/interface-definitions/interfaces-macsec.xml.in @@ -7,7 +7,7 @@ <help>MACsec Interface (802.1ae)</help> <priority>461</priority> <constraint> - <regex>^macsec[0-9]+$</regex> + <regex>macsec[0-9]+</regex> </constraint> <constraintErrorMessage>MACsec interface must be named macsecN</constraintErrorMessage> <valueHelp> @@ -44,7 +44,7 @@ <description>Galois/Counter Mode of AES cipher with 256-bit key</description> </valueHelp> <constraint> - <regex>^(gcm-aes-128|gcm-aes-256)$</regex> + <regex>(gcm-aes-128|gcm-aes-256)</regex> </constraint> </properties> </leafNode> @@ -67,7 +67,7 @@ <description>16-byte (128-bit) hex-string (32 hex-digits)</description> </valueHelp> <constraint> - <regex>^[A-Fa-f0-9]{32}$</regex> + <regex>[A-Fa-f0-9]{32}</regex> </constraint> </properties> </leafNode> @@ -79,7 +79,7 @@ <description>32-byte (256-bit) hex-string (64 hex-digits)</description> </valueHelp> <constraint> - <regex>^[A-Fa-f0-9]{64}$</regex> + <regex>[A-Fa-f0-9]{64}</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/interfaces-openvpn.xml.in b/interface-definitions/interfaces-openvpn.xml.in index c917b9312..edcf7b37f 100644 --- a/interface-definitions/interfaces-openvpn.xml.in +++ b/interface-definitions/interfaces-openvpn.xml.in @@ -7,7 +7,7 @@ <help>OpenVPN Tunnel Interface</help> <priority>460</priority> <constraint> - <regex>^vtun[0-9]+$</regex> + <regex>vtun[0-9]+</regex> </constraint> <constraintErrorMessage>OpenVPN tunnel interface must be named vtunN</constraintErrorMessage> <valueHelp> @@ -51,7 +51,7 @@ <description>TAP device, required for OSI layer 2</description> </valueHelp> <constraint> - <regex>^(tun|tap)$</regex> + <regex>(tun|tap)</regex> </constraint> </properties> <defaultValue>tun</defaultValue> @@ -113,7 +113,7 @@ <description>AES algorithm with 256-bit key GCM</description> </valueHelp> <constraint> - <regex>^(none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)$</regex> + <regex>(none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex> </constraint> </properties> </leafNode> @@ -160,7 +160,7 @@ <description>AES algorithm with 256-bit key GCM</description> </valueHelp> <constraint> - <regex>^(none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)$</regex> + <regex>(none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex> </constraint> <multi/> </properties> @@ -196,7 +196,7 @@ <description>SHA-512 algorithm</description> </valueHelp> <constraint> - <regex>^(md5|sha1|sha256|sha384|sha512)$</regex> + <regex>(md5|sha1|sha256|sha384|sha512)</regex> </constraint> </properties> </leafNode> @@ -298,7 +298,7 @@ <description>Server in client-server mode</description> </valueHelp> <constraint> - <regex>^(site-to-site|client|server)$</regex> + <regex>(site-to-site|client|server)</regex> </constraint> </properties> </leafNode> @@ -336,7 +336,7 @@ <description>TCP and initiates connections actively</description> </valueHelp> <constraint> - <regex>^(udp|tcp-passive|tcp-active)$</regex> + <regex>(udp|tcp-passive|tcp-active)</regex> </constraint> </properties> <defaultValue>udp</defaultValue> @@ -631,7 +631,7 @@ <description>Subnet topology</description> </valueHelp> <constraint> - <regex>^(subnet|point-to-point|net30)$</regex> + <regex>(subnet|point-to-point|net30)</regex> </constraint> </properties> <defaultValue>net30</defaultValue> @@ -713,7 +713,7 @@ <description>Enable chalenge-response</description> </valueHelp> <constraint> - <regex>^(disable|enable)$</regex> + <regex>(disable|enable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -786,7 +786,7 @@ <description>TLS v1.3</description> </valueHelp> <constraint> - <regex>^(1.0|1.1|1.2|1.3)$</regex> + <regex>(1.0|1.1|1.2|1.3)</regex> </constraint> </properties> </leafNode> @@ -805,7 +805,7 @@ <description>Wait for incoming TLS connection</description> </valueHelp> <constraint> - <regex>^(active|passive)$</regex> + <regex>(active|passive)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/interfaces-pppoe.xml.in b/interface-definitions/interfaces-pppoe.xml.in index 3a0b7a40c..664914baa 100644 --- a/interface-definitions/interfaces-pppoe.xml.in +++ b/interface-definitions/interfaces-pppoe.xml.in @@ -7,7 +7,7 @@ <help>Point-to-Point Protocol over Ethernet (PPPoE)</help> <priority>322</priority> <constraint> - <regex>^pppoe[0-9]+$</regex> + <regex>pppoe[0-9]+</regex> </constraint> <constraintErrorMessage>PPPoE interface must be named pppoeN</constraintErrorMessage> <valueHelp> @@ -21,31 +21,8 @@ #include <include/interface/dial-on-demand.xml.i> #include <include/interface/interface-firewall.xml.i> #include <include/interface/interface-policy.xml.i> - <leafNode name="default-route"> - <properties> - <help>Default route insertion behaviour</help> - <completionHelp> - <list>auto none force</list> - </completionHelp> - <constraint> - <regex>^(auto|none|force)$</regex> - </constraint> - <constraintErrorMessage>PPPoE default-route option must be 'auto', 'none', or 'force'</constraintErrorMessage> - <valueHelp> - <format>auto</format> - <description>Automatically install a default route</description> - </valueHelp> - <valueHelp> - <format>none</format> - <description>Do not install a default route</description> - </valueHelp> - <valueHelp> - <format>force</format> - <description>Replace existing default route</description> - </valueHelp> - </properties> - <defaultValue>auto</defaultValue> - </leafNode> + #include <include/interface/no-default-route.xml.i> + #include <include/interface/default-route-distance.xml.i> #include <include/interface/dhcpv6-options.xml.i> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> @@ -129,7 +106,7 @@ <properties> <help>Service name, only connect to access concentrators advertising this</help> <constraint> - <regex>[a-zA-Z0-9]+$</regex> + <regex>[a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Service name must be alphanumeric only</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-pseudo-ethernet.xml.in b/interface-definitions/interfaces-pseudo-ethernet.xml.in index 5f5e9fdef..6b62f4c61 100644 --- a/interface-definitions/interfaces-pseudo-ethernet.xml.in +++ b/interface-definitions/interfaces-pseudo-ethernet.xml.in @@ -7,7 +7,7 @@ <help>Pseudo Ethernet</help> <priority>321</priority> <constraint> - <regex>^peth[0-9]+$</regex> + <regex>peth[0-9]+</regex> </constraint> <constraintErrorMessage>Pseudo Ethernet interface must be named pethN</constraintErrorMessage> <valueHelp> @@ -53,7 +53,7 @@ <description>Promicious mode passthrough of underlying device</description> </valueHelp> <constraint> - <regex>^(private|vepa|bridge|passthru)$</regex> + <regex>(private|vepa|bridge|passthru)</regex> </constraint> <constraintErrorMessage>mode must be private, vepa, bridge or passthru</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-tunnel.xml.in b/interface-definitions/interfaces-tunnel.xml.in index 42ec62775..98ff878ba 100644 --- a/interface-definitions/interfaces-tunnel.xml.in +++ b/interface-definitions/interfaces-tunnel.xml.in @@ -7,7 +7,7 @@ <help>Tunnel interface</help> <priority>380</priority> <constraint> - <regex>^tun[0-9]+$</regex> + <regex>tun[0-9]+</regex> </constraint> <constraintErrorMessage>tunnel interface must be named tunN</constraintErrorMessage> <valueHelp> @@ -102,7 +102,7 @@ <description>Simple Internet Transition (IPv6 in IPv4)</description> </valueHelp> <constraint> - <regex>^(erspan|gre|gretap|ip6erspan|ip6gre|ip6gretap|ip6ip6|ipip|ipip6|sit)$</regex> + <regex>(erspan|gre|gretap|ip6erspan|ip6gre|ip6gretap|ip6ip6|ipip|ipip6|sit)</regex> </constraint> <constraintErrorMessage>Invalid encapsulation, must be one of: erspan, gre, gretap, ip6erspan, ip6gre, ip6gretap, ipip, sit, ipip6 or ip6ip6</constraintErrorMessage> </properties> @@ -123,7 +123,7 @@ <description>Disable multicast (default)</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> <constraintErrorMessage>Must be 'disable' or 'enable'</constraintErrorMessage> </properties> @@ -153,7 +153,7 @@ <description>Mirror egress traffic</description> </valueHelp> <constraint> - <regex>^(ingress|egress)$</regex> + <regex>(ingress|egress)</regex> </constraint> </properties> </leafNode> @@ -248,7 +248,7 @@ <description>Disable encapsulation limit</description> </valueHelp> <constraint> - <regex>^(none)$</regex> + <regex>(none)</regex> <validator name="numeric" argument="--range 0-255"/> </constraint> <constraintErrorMessage>Tunnel encaplimit must be 0-255 or none</constraintErrorMessage> diff --git a/interface-definitions/interfaces-vti.xml.in b/interface-definitions/interfaces-vti.xml.in index 5893e4c4c..b471c3b92 100644 --- a/interface-definitions/interfaces-vti.xml.in +++ b/interface-definitions/interfaces-vti.xml.in @@ -7,7 +7,7 @@ <help>Virtual Tunnel interface</help> <priority>381</priority> <constraint> - <regex>^vti[0-9]+$</regex> + <regex>vti[0-9]+</regex> </constraint> <constraintErrorMessage>VTI interface must be named vtiN</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/interfaces-vxlan.xml.in b/interface-definitions/interfaces-vxlan.xml.in index 9747b1816..faa3dd5e0 100644 --- a/interface-definitions/interfaces-vxlan.xml.in +++ b/interface-definitions/interfaces-vxlan.xml.in @@ -7,7 +7,7 @@ <help>Virtual Extensible LAN (VXLAN) Interface</help> <priority>460</priority> <constraint> - <regex>^vxlan[0-9]+$</regex> + <regex>vxlan[0-9]+</regex> </constraint> <constraintErrorMessage>VXLAN interface must be named vxlanN</constraintErrorMessage> <valueHelp> @@ -69,7 +69,7 @@ <help>IPv4 specific tunnel parameters</help> </properties> <children> - #include <include/interface/parameters-dont-fragment.xml.i> + #include <include/interface/parameters-df.xml.i> #include <include/interface/parameters-tos.xml.i> #include <include/interface/parameters-ttl.xml.i> <leafNode name="ttl"> diff --git a/interface-definitions/interfaces-wireguard.xml.in b/interface-definitions/interfaces-wireguard.xml.in index eb0892f07..4a1b4ac68 100644 --- a/interface-definitions/interfaces-wireguard.xml.in +++ b/interface-definitions/interfaces-wireguard.xml.in @@ -7,7 +7,7 @@ <help>WireGuard Interface</help> <priority>459</priority> <constraint> - <regex>^wg[0-9]+$</regex> + <regex>wg[0-9]+</regex> </constraint> <constraintErrorMessage>WireGuard interface must be named wgN</constraintErrorMessage> <valueHelp> @@ -46,7 +46,7 @@ <properties> <help>Base64 encoded private key</help> <constraint> - <regex>[0-9a-zA-Z\+/]{43}=$</regex> + <regex>[0-9a-zA-Z\+/]{43}=</regex> </constraint> <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage> </properties> @@ -55,7 +55,7 @@ <properties> <help>peer alias</help> <constraint> - <regex>[^ ]{1,100}$</regex> + <regex>[^ ]{1,100}</regex> </constraint> <constraintErrorMessage>peer alias too long (limit 100 characters)</constraintErrorMessage> </properties> @@ -65,7 +65,7 @@ <properties> <help>base64 encoded public key</help> <constraint> - <regex>[0-9a-zA-Z\+/]{43}=$</regex> + <regex>[0-9a-zA-Z\+/]{43}=</regex> </constraint> <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage> </properties> @@ -74,7 +74,7 @@ <properties> <help>base64 encoded preshared key</help> <constraint> - <regex>[0-9a-zA-Z\+/]{43}=$</regex> + <regex>[0-9a-zA-Z\+/]{43}=</regex> </constraint> <constraintErrorMessage>Key is not valid 44-character (32-bytes) base64</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-wireless.xml.in b/interface-definitions/interfaces-wireless.xml.in index db01657eb..eb6107303 100644 --- a/interface-definitions/interfaces-wireless.xml.in +++ b/interface-definitions/interfaces-wireless.xml.in @@ -10,7 +10,7 @@ <script>cd /sys/class/net; if compgen -G "wlan*" > /dev/null; then ls -d wlan*; fi</script> </completionHelp> <constraint> - <regex>^wlan[0-9]+$</regex> + <regex>wlan[0-9]+</regex> </constraint> <constraintErrorMessage>Wireless interface must be named wlanN</constraintErrorMessage> <valueHelp> @@ -63,7 +63,7 @@ <description>Supported channel set width both 20 MHz and 40 MHz with secondary channel below primary channel</description> </valueHelp> <constraint> - <regex>^(ht20|ht40\+|ht40-)$</regex> + <regex>(ht20|ht40\+|ht40-)</regex> </constraint> <multi/> </properties> @@ -113,7 +113,7 @@ <description>Set maximum A-MSDU length to 7935 octets</description> </valueHelp> <constraint> - <regex>^(3839|7935)$</regex> + <regex>(3839|7935)</regex> </constraint> </properties> </leafNode> @@ -132,7 +132,7 @@ <description>Short GI for 40 MHz</description> </valueHelp> <constraint> - <regex>^(20|40)$</regex> + <regex>(20|40)</regex> </constraint> <multi/> </properties> @@ -152,7 +152,7 @@ <description>DYNAMIC Spatial Multiplexing (SM) Power Save</description> </valueHelp> <constraint> - <regex>^(static|dynamic)$</regex> + <regex>(static|dynamic)</regex> </constraint> </properties> </leafNode> @@ -169,7 +169,7 @@ <description>Number of spacial streams that can use RX STBC</description> </valueHelp> <constraint> - <regex>^[1-3]+$</regex> + <regex>[1-3]+</regex> </constraint> <constraintErrorMessage>Invalid capability item</constraintErrorMessage> </properties> @@ -248,7 +248,7 @@ <description>Support for operation as multi user beamformee</description> </valueHelp> <constraint> - <regex>^(single-user-beamformer|single-user-beamformee|multi-user-beamformer|multi-user-beamformee)$</regex> + <regex>(single-user-beamformer|single-user-beamformee|multi-user-beamformer|multi-user-beamformee)</regex> </constraint> <multi/> </properties> @@ -334,7 +334,7 @@ <description>Station can provide VHT MFB in response to VHT MRQ and unsolicited VHT MFB</description> </valueHelp> <constraint> - <regex>^(unsolicited|both)$</regex> + <regex>(unsolicited|both)</regex> </constraint> <constraintErrorMessage>Invalid capability item</constraintErrorMessage> </properties> @@ -366,7 +366,7 @@ <description>ncrease Maximum MPDU length to 11454 octets</description> </valueHelp> <constraint> - <regex>^(7991|11454)$</regex> + <regex>(7991|11454)</regex> </constraint> </properties> </leafNode> @@ -385,7 +385,7 @@ <description>Short GI for 160 MHz</description> </valueHelp> <constraint> - <regex>^(80|160)$</regex> + <regex>(80|160)</regex> </constraint> <multi/> </properties> @@ -403,7 +403,7 @@ <description>Number of spacial streams that can use RX STBC</description> </valueHelp> <constraint> - <regex>^[1-4]+$</regex> + <regex>[1-4]+</regex> </constraint> <constraintErrorMessage>Invalid capability item</constraintErrorMessage> </properties> @@ -464,7 +464,7 @@ <description>ISO/IEC 3166-1 Country Code</description> </valueHelp> <constraint> - <regex>^[a-z][a-z]$</regex> + <regex>[a-z][a-z]</regex> </constraint> <constraintErrorMessage>Invalid ISO/IEC 3166-1 Country Code</constraintErrorMessage> </properties> @@ -529,7 +529,7 @@ <description>MFP enforced</description> </valueHelp> <constraint> - <regex>^(disabled|optional|required)$</regex> + <regex>(disabled|optional|required)</regex> </constraint> </properties> <defaultValue>disabled</defaultValue> @@ -561,7 +561,7 @@ <description>802.11ac - 1300 Mbits/sec</description> </valueHelp> <constraint> - <regex>^(a|b|g|n|ac)$</regex> + <regex>(a|b|g|n|ac)</regex> </constraint> </properties> <defaultValue>g</defaultValue> @@ -650,7 +650,7 @@ <description>Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]</description> </valueHelp> <constraint> - <regex>^(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)$</regex> + <regex>(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)</regex> </constraint> <constraintErrorMessage>Invalid cipher selection</constraintErrorMessage> <multi/> @@ -683,7 +683,7 @@ <description>Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]</description> </valueHelp> <constraint> - <regex>^(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)$</regex> + <regex>(GCMP-256|GCMP|CCMP-256|CCMP|TKIP)</regex> </constraint> <constraintErrorMessage>Invalid group cipher selection</constraintErrorMessage> <multi/> @@ -708,7 +708,7 @@ <description>Allow both WPA and WPA2</description> </valueHelp> <constraint> - <regex>^(wpa|wpa2|wpa\+wpa2|wpa3)$</regex> + <regex>(wpa|wpa2|wpa\+wpa2|wpa3)</regex> </constraint> <constraintErrorMessage>Unknown WPA mode</constraintErrorMessage> </properties> @@ -724,7 +724,7 @@ <description>Passphrase of at least 8 but not more than 63 printable characters</description> </valueHelp> <constraint> - <regex>.{8,63}$</regex> + <regex>.{8,63}</regex> </constraint> <constraintErrorMessage>Invalid WPA pass phrase, must be 8 to 63 printable characters!</constraintErrorMessage> </properties> @@ -752,7 +752,7 @@ <properties> <help>Wireless access-point service set identifier (SSID)</help> <constraint> - <regex>.{1,32}$</regex> + <regex>.{1,32}</regex> </constraint> <constraintErrorMessage>Invalid SSID</constraintErrorMessage> </properties> @@ -776,7 +776,7 @@ <description>Passively monitor all packets on the frequency/channel</description> </valueHelp> <constraint> - <regex>^(access-point|station|monitor)$</regex> + <regex>(access-point|station|monitor)</regex> </constraint> <constraintErrorMessage>Type must be access-point, station or monitor</constraintErrorMessage> </properties> diff --git a/interface-definitions/interfaces-wwan.xml.in b/interface-definitions/interfaces-wwan.xml.in index 3cb1645c4..3071e6091 100644 --- a/interface-definitions/interfaces-wwan.xml.in +++ b/interface-definitions/interfaces-wwan.xml.in @@ -10,7 +10,7 @@ <script>cd /sys/class/net; if compgen -G "wwan*" > /dev/null; then ls -d wwan*; fi</script> </completionHelp> <constraint> - <regex>^wwan[0-9]+$</regex> + <regex>wwan[0-9]+</regex> </constraint> <constraintErrorMessage>Wireless Modem interface must be named wwanN</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/nat.xml.in b/interface-definitions/nat.xml.in index f79680947..9295b631f 100644 --- a/interface-definitions/nat.xml.in +++ b/interface-definitions/nat.xml.in @@ -98,7 +98,7 @@ <validator name="ipv4-prefix"/> <validator name="ipv4-address"/> <validator name="ipv4-range"/> - <regex>^(masquerade)$</regex> + <regex>(masquerade)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/nat66.xml.in b/interface-definitions/nat66.xml.in index 11d986c96..b47f653c6 100644 --- a/interface-definitions/nat66.xml.in +++ b/interface-definitions/nat66.xml.in @@ -94,7 +94,7 @@ <constraint> <validator name="ipv6-address"/> <validator name="ipv6-prefix"/> - <regex>^(masquerade)$</regex> + <regex>(masquerade)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/netns.xml.in b/interface-definitions/netns.xml.in index 80de805fb..088985cb6 100644 --- a/interface-definitions/netns.xml.in +++ b/interface-definitions/netns.xml.in @@ -10,7 +10,7 @@ <properties> <help>Network namespace name</help> <constraint> - <regex>^[a-zA-Z0-9-_]{1,100}</regex> + <regex>[a-zA-Z0-9-_]{1,100}</regex> </constraint> <constraintErrorMessage>Netns name must be alphanumeric and can contain hyphens and underscores.</constraintErrorMessage> </properties> diff --git a/interface-definitions/policy-route.xml.in b/interface-definitions/policy-route.xml.in index a1c3b50de..a10c9b08f 100644 --- a/interface-definitions/policy-route.xml.in +++ b/interface-definitions/policy-route.xml.in @@ -6,7 +6,7 @@ <properties> <help>Policy route rule set name for IPv6</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> <priority>201</priority> </properties> @@ -55,7 +55,7 @@ <properties> <help>Policy route rule set name for IPv4</help> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> <priority>201</priority> </properties> diff --git a/interface-definitions/policy.xml.in b/interface-definitions/policy.xml.in index 1a4781397..50b7cbc84 100644 --- a/interface-definitions/policy.xml.in +++ b/interface-definitions/policy.xml.in @@ -242,7 +242,7 @@ <description>BGP extended community-list name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Should be an alphanumeric name</constraintErrorMessage> </properties> @@ -291,7 +291,7 @@ <description>BGP large-community-list name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Should be an alphanumeric name</constraintErrorMessage> </properties> @@ -340,7 +340,7 @@ <description>Name of IPv4 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -408,7 +408,7 @@ <description>Name of IPv6 prefix-list</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]+$</regex> + <regex>[-_a-zA-Z0-9]+</regex> </constraint> <constraintErrorMessage>Name of prefix-list6 can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -476,7 +476,7 @@ <description>Route map name</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9.]+$</regex> + <regex>[-_a-zA-Z0-9.]+</regex> </constraint> <constraintErrorMessage>Name of route-map can only contain alpha-numeric letters, hyphen and underscores</constraintErrorMessage> </properties> @@ -582,7 +582,7 @@ <description>Prefix route</description> </valueHelp> <constraint> - <regex>^(macip|multicast|prefix)$</regex> + <regex>(macip|multicast|prefix)</regex> </constraint> </properties> </leafNode> @@ -834,7 +834,7 @@ <description>Incomplete origin</description> </valueHelp> <constraint> - <regex>^(egp|igp|incomplete)$</regex> + <regex>(egp|igp|incomplete)</regex> </constraint> </properties> </leafNode> @@ -869,7 +869,7 @@ <description>Match valid entries</description> </valueHelp> <constraint> - <regex>^(invalid|notfound|valid)$</regex> + <regex>(invalid|notfound|valid)</regex> </constraint> </properties> </leafNode> @@ -948,24 +948,49 @@ </leafNode> </children> </node> - <leafNode name="as-path-exclude"> + <node name="as-path"> <properties> - <help>Remove ASN(s) from a Border Gateway Protocol (BGP) AS-path attribute</help> - <valueHelp> - <format>txt</format> - <description>BGP AS path exclude string (ex: "456 64500 45001")</description> - </valueHelp> - </properties> - </leafNode> - <leafNode name="as-path-prepend"> - <properties> - <help>Prepend string for a Border Gateway Protocol (BGP) AS-path attribute</help> - <valueHelp> - <format>txt</format> - <description>BGP AS path prepend string (ex: "64501 64501")</description> - </valueHelp> + <help>Transform BGP AS_PATH attribute</help> </properties> - </leafNode> + <children> + <leafNode name="exclude"> + <properties> + <help>Remove/exclude from the as-path attribute</help> + <valueHelp> + <format>u32</format> + <description>AS number</description> + </valueHelp> + <constraint> + <validator name="as-number-list"/> + </constraint> + </properties> + </leafNode> + <leafNode name="prepend"> + <properties> + <help>Prepend to the as-path</help> + <valueHelp> + <format>u32</format> + <description>AS number</description> + </valueHelp> + <constraint> + <validator name="as-number-list"/> + </constraint> + </properties> + </leafNode> + <leafNode name="prepend-last-as"> + <properties> + <help>Use the last AS-number in the as-path</help> + <valueHelp> + <format>u32:1-10</format> + <description>Number of times to insert</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-10"/> + </constraint> + </properties> + </leafNode> + </children> + </node> <leafNode name="atomic-aggregate"> <properties> <help>BGP atomic aggregate attribute</help> @@ -1045,6 +1070,44 @@ </constraint> </properties> </leafNode> + <node name="evpn"> + <properties> + <help>Ethernet Virtual Private Network</help> + </properties> + <children> + <node name="gateway"> + <properties> + <help>Set gateway IP for prefix advertisement route</help> + </properties> + <children> + <leafNode name="ipv4"> + <properties> + <help>Set gateway IPv4 address</help> + <valueHelp> + <format>ipv4</format> + <description>Gateway IPv4 address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + </leafNode> + <leafNode name="ipv6"> + <properties> + <help>Set gateway IPv6 address</help> + <valueHelp> + <format>ipv6</format> + <description>Gateway IPv6 address</description> + </valueHelp> + <constraint> + <validator name="ipv6-address"/> + </constraint> + </properties> + </leafNode> + </children> + </node> + </children> + </node> <node name="extcommunity"> <properties> <help>BGP extended community attribute</help> @@ -1070,7 +1133,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 1-25600"/> - <regex>^(cumulative|num-multipaths)$</regex> + <regex>(cumulative|num-multipaths)</regex> </constraint> </properties> </leafNode> @@ -1086,7 +1149,7 @@ <description>Based on a router-id IP address</description> </valueHelp> <constraint> - <regex>^(((\b(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))\b)|(\d+)):(\d+) ?)+$</regex> + <regex>(((\b(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))\b)|(\d+)):(\d+) ?)+</regex> </constraint> <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> </properties> @@ -1103,7 +1166,7 @@ <description>Based on a router-id IP address</description> </valueHelp> <constraint> - <regex>^((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+$</regex> + <regex>((?:[0-9]{1,3}\.){3}[0-9]{1,3}|\d+):\d+</regex> </constraint> <constraintErrorMessage>Should be in form: ASN:NN or IPADDR:NN where ASN is autonomous system number</constraintErrorMessage> </properties> @@ -1131,7 +1194,7 @@ </valueHelp> <constraint> <validator name="ipv4-address"/> - <regex>^(unchanged|peer-address)$</regex> + <regex>(unchanged|peer-address)</regex> </constraint> </properties> </leafNode> @@ -1251,7 +1314,7 @@ <description>OSPF external type 2 metric</description> </valueHelp> <constraint> - <regex>^(type-1|type-2)$</regex> + <regex>(type-1|type-2)</regex> </constraint> </properties> </leafNode> @@ -1274,7 +1337,7 @@ <description>Incomplete origin</description> </valueHelp> <constraint> - <regex>^(igp|egp|incomplete)$</regex> + <regex>(igp|egp|incomplete)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/protocols-bfd.xml.in b/interface-definitions/protocols-bfd.xml.in index a9957d884..edbac8d0e 100644 --- a/interface-definitions/protocols-bfd.xml.in +++ b/interface-definitions/protocols-bfd.xml.in @@ -73,7 +73,7 @@ <description>Name of BFD profile</description> </valueHelp> <constraint> - <regex>^[-_a-zA-Z0-9]{1,32}$</regex> + <regex>[-_a-zA-Z0-9]{1,32}</regex> </constraint> </properties> <children> diff --git a/interface-definitions/protocols-nhrp.xml.in b/interface-definitions/protocols-nhrp.xml.in index 9dd9d3389..7de3704ce 100644 --- a/interface-definitions/protocols-nhrp.xml.in +++ b/interface-definitions/protocols-nhrp.xml.in @@ -12,7 +12,7 @@ <properties> <help>Tunnel for NHRP [REQUIRED]</help> <constraint> - <regex>^tun[0-9]+$</regex> + <regex>tun[0-9]+</regex> </constraint> <valueHelp> <format>tunN</format> @@ -85,7 +85,7 @@ <list>dynamic nhs</list> </completionHelp> <constraint> - <regex>^(dynamic|nhs)$</regex> + <regex>(dynamic|nhs)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols-rip.xml.in index d3be4e1af..bbb88aef1 100644 --- a/interface-definitions/protocols-rip.xml.in +++ b/interface-definitions/protocols-rip.xml.in @@ -78,7 +78,7 @@ <description>MD5 Key (16 characters or less)</description> </valueHelp> <constraint> - <regex>^[^[:space:]]{1,16}$</regex> + <regex>[^[:space:]]{1,16}</regex> </constraint> <constraintErrorMessage>Password must be 16 characters or less</constraintErrorMessage> </properties> @@ -93,7 +93,7 @@ <description>Plain text password (16 characters or less)</description> </valueHelp> <constraint> - <regex>^[^[:space:]]{1,16}$</regex> + <regex>[^[:space:]]{1,16}</regex> </constraint> <constraintErrorMessage>Password must be 16 characters or less</constraintErrorMessage> </properties> diff --git a/interface-definitions/protocols-static-arp.xml.in b/interface-definitions/protocols-static-arp.xml.in index e5e8a9ad9..8b1b3b5e1 100644 --- a/interface-definitions/protocols-static-arp.xml.in +++ b/interface-definitions/protocols-static-arp.xml.in @@ -4,32 +4,46 @@ <children> <node name="static"> <children> - <tagNode name="arp" owner="${vyos_conf_scripts_dir}/arp.py"> + <node name="arp" owner="${vyos_conf_scripts_dir}/arp.py"> <properties> <help>Static ARP translation</help> - <valueHelp> - <format>ipv4</format> - <description>IPv4 destination address</description> - </valueHelp> - <constraint> - <validator name="ipv4-address"/> - </constraint> </properties> <children> - <leafNode name="hwaddr"> + <tagNode name="interface"> <properties> - <help>Translation MAC address</help> + <help>Interface configuration</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> <valueHelp> - <format>macaddr</format> - <description>Hardware (MAC) address</description> + <format>txt</format> + <description>Interface name</description> </valueHelp> <constraint> - <validator name="mac-address"/> + <validator name="interface-name"/> </constraint> </properties> - </leafNode> + <children> + <tagNode name="address"> + <properties> + <help>IP address for static ARP entry</help> + <valueHelp> + <format>ipv4</format> + <description>IPv4 destination address</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + </constraint> + </properties> + <children> + #include <include/generic-description.xml.i> + #include <include/interface/mac.xml.i> + </children> + </tagNode> + </children> + </tagNode> </children> - </tagNode> + </node> </children> </node> </children> diff --git a/interface-definitions/salt-minion.xml.in b/interface-definitions/salt-minion.xml.in index d3b022d12..c3219cff3 100644 --- a/interface-definitions/salt-minion.xml.in +++ b/interface-definitions/salt-minion.xml.in @@ -15,20 +15,25 @@ <list>md5 sha1 sha224 sha256 sha384 sha512</list> </completionHelp> <constraint> - <regex>^(md5|sha1|sha224|sha256|sha384|sha512)$</regex> + <regex>(md5|sha1|sha224|sha256|sha384|sha512)</regex> </constraint> </properties> + <defaultValue>sha256</defaultValue> </leafNode> <leafNode name="master"> <properties> - <help>The hostname or IP address of the master.</help> + <help>Hostname or IP address of the Salt master server</help> <valueHelp> <format>ipv4</format> - <description>Remote syslog server IPv4 address</description> + <description>Salt server IPv4 address</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>Salt server IPv6 address</description> </valueHelp> <valueHelp> <format>hostname</format> - <description>Remote syslog server FQDN</description> + <description>Salt server FQDN address</description> </valueHelp> <constraint> <validator name="ip-address"/> @@ -54,12 +59,14 @@ <validator name="numeric" argument="--range 1-1440"/> </constraint> </properties> + <defaultValue>60</defaultValue> </leafNode> <leafNode name="master-key"> <properties> <help>URL with signature of master for auth reply verification</help> </properties> </leafNode> + #include <include/source-interface.xml.i> </children> </node> </children> diff --git a/interface-definitions/service-ids-ddos-protection.xml.in b/interface-definitions/service-ids-ddos-protection.xml.in index ff4c1c24e..5e65d3106 100644 --- a/interface-definitions/service-ids-ddos-protection.xml.in +++ b/interface-definitions/service-ids-ddos-protection.xml.in @@ -25,7 +25,7 @@ <list>in out</list> </completionHelp> <constraint> - <regex>^(in|out)$</regex> + <regex>(in|out)</regex> </constraint> <multi/> </properties> diff --git a/interface-definitions/service_conntrack-sync.xml.in b/interface-definitions/service_conntrack-sync.xml.in index 584f687c7..32efa7323 100644 --- a/interface-definitions/service_conntrack-sync.xml.in +++ b/interface-definitions/service_conntrack-sync.xml.in @@ -39,7 +39,7 @@ <description>Sync Datagram Congestion Control Protocol entries</description> </valueHelp> <constraint> - <regex>^(tcp|udp|icmp|icmp6|sctp|dccp)$</regex> + <regex>(tcp|udp|icmp|icmp6|sctp|dccp)</regex> </constraint> <constraintErrorMessage>Allowed protocols: tcp udp icmp or sctp</constraintErrorMessage> <multi/> @@ -68,7 +68,7 @@ <list>all ftp sip h323 nfs sqlnet</list> </completionHelp> <constraint> - <regex>^(all|ftp|sip|h323|nfs|sqlnet)$</regex> + <regex>(all|ftp|sip|h323|nfs|sqlnet)</regex> </constraint> <constraintErrorMessage>Invalid protocol</constraintErrorMessage> <multi/> diff --git a/interface-definitions/service_console-server.xml.in b/interface-definitions/service_console-server.xml.in index 549edb813..e9591ad87 100644 --- a/interface-definitions/service_console-server.xml.in +++ b/interface-definitions/service_console-server.xml.in @@ -23,7 +23,7 @@ <description>USB based serial interface</description> </valueHelp> <constraint> - <regex>^(ttyS\d+|usb\d+b.*p.*)$</regex> + <regex>(ttyS\d+|usb\d+b.*p.*)</regex> </constraint> </properties> <children> @@ -35,7 +35,7 @@ <list>300 1200 2400 4800 9600 19200 38400 57600 115200</list> </completionHelp> <constraint> - <regex>^(300|1200|2400|4800|9600|19200|38400|57600|115200)$</regex> + <regex>(300|1200|2400|4800|9600|19200|38400|57600|115200)</regex> </constraint> </properties> </leafNode> @@ -70,7 +70,7 @@ <list>even odd none</list> </completionHelp> <constraint> - <regex>^(even|odd|none)$</regex> + <regex>(even|odd|none)</regex> </constraint> </properties> <defaultValue>none</defaultValue> diff --git a/interface-definitions/service_ipoe-server.xml.in b/interface-definitions/service_ipoe-server.xml.in index 1325ba10d..e222467b1 100644 --- a/interface-definitions/service_ipoe-server.xml.in +++ b/interface-definitions/service_ipoe-server.xml.in @@ -23,7 +23,7 @@ <list>L2 L3</list> </completionHelp> <constraint> - <regex>^(L2|L3)$</regex> + <regex>(L2|L3)</regex> </constraint> <valueHelp> <format>L2</format> @@ -42,7 +42,7 @@ <list>shared vlan</list> </completionHelp> <constraint> - <regex>^(shared|vlan)$</regex> + <regex>(shared|vlan)</regex> </constraint> <valueHelp> <format>shared</format> @@ -141,7 +141,7 @@ <list>local radius noauth</list> </completionHelp> <constraint> - <regex>^(local|radius|noauth)$</regex> + <regex>(local|radius|noauth)</regex> </constraint> <valueHelp> <format>local</format> diff --git a/interface-definitions/service_monitoring_telegraf.xml.in b/interface-definitions/service_monitoring_telegraf.xml.in index 7db9de9f8..ff4c8c55f 100644 --- a/interface-definitions/service_monitoring_telegraf.xml.in +++ b/interface-definitions/service_monitoring_telegraf.xml.in @@ -22,7 +22,7 @@ <properties> <help>Authentication organization for InfluxDB v2 [REQUIRED]</help> <constraint> - <regex>^[a-zA-Z][1-9a-zA-Z@_\-.]{2,50}$</regex> + <regex>[a-zA-Z][1-9a-zA-Z@_\-.]{2,50}</regex> </constraint> <constraintErrorMessage>Organization name must be alphanumeric and can contain hyphens, underscores and at symbol.</constraintErrorMessage> </properties> @@ -35,7 +35,7 @@ <description>Authentication token</description> </valueHelp> <constraint> - <regex>^[a-zA-Z0-9-_]{86}==$</regex> + <regex>[a-zA-Z0-9-_]{86}==</regex> </constraint> <constraintErrorMessage>Token must be 88 characters long and must contain only [a-zA-Z0-9-_] and '==' characters.</constraintErrorMessage> </properties> @@ -79,12 +79,133 @@ <description>Telegraf internal statistics</description> </valueHelp> <constraint> - <regex>^(all|hardware-utilization|logs|network|system|telegraf)$</regex> + <regex>(all|hardware-utilization|logs|network|system|telegraf)</regex> </constraint> <multi/> </properties> <defaultValue>all</defaultValue> </leafNode> + <node name="prometheus-client"> + <properties> + <help>Output plugin Prometheus client</help> + </properties> + <children> + <node name="authentication"> + <properties> + <help>HTTP basic authentication parameters</help> + </properties> + <children> + <leafNode name="username"> + <properties> + <help>Authentication username</help> + </properties> + </leafNode> + <leafNode name="password"> + <properties> + <help>Authentication password</help> + <valueHelp> + <format>txt</format> + <description>Authentication password</description> + </valueHelp> + </properties> + </leafNode> + </children> + </node> + <leafNode name="allow-from"> + <properties> + <help>Networks allowed to query this server</help> + <valueHelp> + <format>ipv4net</format> + <description>IP address and prefix length</description> + </valueHelp> + <valueHelp> + <format>ipv6net</format> + <description>IPv6 address and prefix length</description> + </valueHelp> + <multi/> + <constraint> + <validator name="ip-prefix"/> + </constraint> + </properties> + </leafNode> + <leafNode name="listen-address"> + <properties> + <help>Local IP addresses to listen on</help> + <completionHelp> + <script>${vyos_completion_dir}/list_local_ips.sh --both</script> + </completionHelp> + <valueHelp> + <format>ipv4</format> + <description>IPv4 address to listen for incoming connections</description> + </valueHelp> + <valueHelp> + <format>ipv6</format> + <description>IPv6 address to listen for incoming connections</description> + </valueHelp> + <constraint> + <validator name="ipv4-address"/> + <validator name="ipv6-address"/> + <validator name="ipv6-link-local"/> + </constraint> + </properties> + </leafNode> + <leafNode name="metric-version"> + <properties> + <help>Metric version control mapping from Telegraf to Prometheus format</help> + <valueHelp> + <format>u32:1-2</format> + <description>Metric version (default: 2)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-2"/> + </constraint> + </properties> + <defaultValue>2</defaultValue> + </leafNode> + #include <include/port-number.xml.i> + <leafNode name="port"> + <defaultValue>9273</defaultValue> + </leafNode> + </children> + </node> + <node name="splunk"> + <properties> + <help>Output plugin Splunk</help> + </properties> + <children> + <node name="authentication"> + <properties> + <help>HTTP basic authentication parameters</help> + </properties> + <children> + <leafNode name="token"> + <properties> + <help>Authorization token</help> + </properties> + </leafNode> + <leafNode name="insecure"> + <properties> + <help>Use TLS but skip host validation</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> + <leafNode name="url"> + <properties> + <help>Remote URL [REQUIRED]</help> + <valueHelp> + <format>url</format> + <description>Remote URL to Splunk collector</description> + </valueHelp> + <constraint> + <regex>^(http(s?):\/\/.*):(\d*)\/?(.*)</regex> + </constraint> + <constraintErrorMessage>Incorrect URL format</constraintErrorMessage> + </properties> + </leafNode> + </children> + </node> <leafNode name="url"> <properties> <help>Remote URL [REQUIRED]</help> @@ -93,7 +214,7 @@ <description>Remote URL to InfluxDB v2</description> </valueHelp> <constraint> - <regex>^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}?(\/.*)?$</regex> + <regex>(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}?(\/.*)?</regex> </constraint> <constraintErrorMessage>Incorrect URL format.</constraintErrorMessage> </properties> diff --git a/interface-definitions/service_pppoe-server.xml.in b/interface-definitions/service_pppoe-server.xml.in index 97952d882..50f42849b 100644 --- a/interface-definitions/service_pppoe-server.xml.in +++ b/interface-definitions/service_pppoe-server.xml.in @@ -32,7 +32,7 @@ <list>ifname ifname:mac</list> </completionHelp> <constraint> - <regex>^(ifname|ifname:mac)$</regex> + <regex>(ifname|ifname:mac)</regex> </constraint> <constraintErrorMessage>Invalid Called-Station-Id format</constraintErrorMessage> <valueHelp> @@ -108,7 +108,7 @@ <properties> <help>Acceptable rate of connections (e.g. 1/min, 60/sec)</help> <constraint> - <regex>[0-9]+\/(min|sec)$</regex> + <regex>[0-9]+\/(min|sec)</regex> </constraint> <constraintErrorMessage>illegal value</constraintErrorMessage> </properties> @@ -171,7 +171,7 @@ <properties> <help>IPv4 (IPCP) negotiation algorithm</help> <constraint> - <regex>^(deny|allow|prefer|require)$</regex> + <regex>(deny|allow|prefer|require)</regex> </constraint> <constraintErrorMessage>invalid value</constraintErrorMessage> <valueHelp> @@ -276,7 +276,7 @@ <properties> <help>control sessions count</help> <constraint> - <regex>^(deny|disable|replace)$</regex> + <regex>(deny|disable|replace)</regex> </constraint> <constraintErrorMessage>Invalid value</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/service_router-advert.xml.in b/interface-definitions/service_router-advert.xml.in index ce1da85aa..bb11e9cd0 100644 --- a/interface-definitions/service_router-advert.xml.in +++ b/interface-definitions/service_router-advert.xml.in @@ -70,7 +70,7 @@ <description>Default router has high preference</description> </valueHelp> <constraint> - <regex>^(low|medium|high)$</regex> + <regex>(low|medium|high)</regex> </constraint> <constraintErrorMessage>Default preference must be low, medium or high</constraintErrorMessage> </properties> @@ -170,7 +170,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 0-4294967295"/> - <regex>^(infinity)$</regex> + <regex>(infinity)</regex> </constraint> </properties> <defaultValue>1800</defaultValue> @@ -194,7 +194,7 @@ <description>Route has high preference</description> </valueHelp> <constraint> - <regex>^(low|medium|high)$</regex> + <regex>(low|medium|high)</regex> </constraint> <constraintErrorMessage>Route preference must be low, medium or high</constraintErrorMessage> </properties> @@ -248,7 +248,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 0-4294967295"/> - <regex>^(infinity)$</regex> + <regex>(infinity)</regex> </constraint> </properties> <defaultValue>14400</defaultValue> @@ -269,7 +269,7 @@ </valueHelp> <constraint> <validator name="numeric" argument="--range 0-4294967295"/> - <regex>^(infinity)$</regex> + <regex>(infinity)</regex> </constraint> </properties> <defaultValue>2592000</defaultValue> diff --git a/interface-definitions/service_upnp.xml.in b/interface-definitions/service_upnp.xml.in index 7cfe1f02e..a129b7260 100644 --- a/interface-definitions/service_upnp.xml.in +++ b/interface-definitions/service_upnp.xml.in @@ -211,7 +211,7 @@ <list>allow deny</list> </completionHelp> <constraint> - <regex>^(allow|deny)$</regex> + <regex>(allow|deny)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/service_webproxy.xml.in b/interface-definitions/service_webproxy.xml.in index 89c4c3910..9a75bc27d 100644 --- a/interface-definitions/service_webproxy.xml.in +++ b/interface-definitions/service_webproxy.xml.in @@ -136,7 +136,7 @@ <description>Lightweight Directory Access Protocol</description> </valueHelp> <constraint> - <regex>^(ldap)$</regex> + <regex>(ldap)</regex> </constraint> <constraintErrorMessage>The only supported method currently is LDAP</constraintErrorMessage> </properties> @@ -234,7 +234,7 @@ <description>Peer is a member of a multicast group</description> </valueHelp> <constraint> - <regex>^(parent|sibling|multicast)$</regex> + <regex>(parent|sibling|multicast)</regex> </constraint> </properties> <defaultValue>parent</defaultValue> @@ -368,7 +368,7 @@ <list>image/gif www/mime application/macbinary application/oda application/octet-stream application/pdf application/postscript application/postscript application/postscript text/rtf application/octet-stream application/octet-stream application/x-tar application/x-csh application/x-dvi application/x-hdf application/x-latex text/plain application/x-netcdf application/x-netcdf application/x-sh application/x-tcl application/x-tex application/x-texinfo application/x-texinfo application/x-troff application/x-troff application/x-troff application/x-troff-man application/x-troff-me application/x-troff-ms application/x-wais-source application/zip application/x-bcpio application/x-cpio application/x-gtar application/x-rpm application/x-shar application/x-sv4cpio application/x-sv4crc application/x-tar application/x-ustar audio/basic audio/basic audio/mpeg audio/mpeg audio/mpeg audio/x-aiff audio/x-aiff audio/x-aiff audio/x-wav image/bmp image/ief image/jpeg image/jpeg image/jpeg image/tiff image/tiff image/x-cmu-raster image/x-portable-anymap image/x-portable-bitmap image/x-portable-graymap image/x-portable-pixmap image/x-rgb image/x-xbitmap image/x-xpixmap image/x-xwindowdump text/html text/html text/css application/x-javascript text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/plain text/richtext text/tab-separated-values text/x-setext video/mpeg video/mpeg video/mpeg video/quicktime video/quicktime video/x-msvideo video/x-sgi-movie application/mac-compactpro application/mac-binhex40 application/macwriteii application/msword application/msword application/vnd.ms-excel application/vnd.ms-powerpoint application/vnd.lotus-1-2-3 application/vnd.mif application/x-stuffit application/pict application/pict application/x-arj-compressed application/x-lha-compressed application/x-lha-compressed application/x-deflate text/plain application/octet-stream application/octet-stream image/png application/octet-stream application/x-xpinstall application/octet-stream text/plain application/x-director application/x-director application/x-director image/vnd.djvu image/vnd.djvu application/octet-stream application/octet-stream application/andrew-inset x-conference/x-cooltalk model/iges model/iges audio/midi audio/midi audio/midi model/mesh model/mesh video/vnd.mpegurl chemical/x-pdb application/x-chess-pgn audio/x-realaudio audio/x-pn-realaudio audio/x-pn-realaudio text/sgml text/sgml application/x-koan application/x-koan application/x-koan application/x-koan application/smil application/smil application/octet-stream application/x-futuresplash application/x-shockwave-flash application/x-cdlink model/vrml image/vnd.wap.wbmp application/vnd.wap.wbxml application/vnd.wap.wmlc application/vnd.wap.wmlscriptc application/vnd.wap.wmlscript application/xhtml application/xhtml text/xml text/xml chemical/x-xyz text/plain</list> </completionHelp> <constraint> - <regex>^(image/gif|www/mime|application/macbinary|application/oda|application/octet-stream|application/pdf|application/postscript|application/postscript|application/postscript|text/rtf|application/octet-stream|application/octet-stream|application/x-tar|application/x-csh|application/x-dvi|application/x-hdf|application/x-latex|text/plain|application/x-netcdf|application/x-netcdf|application/x-sh|application/x-tcl|application/x-tex|application/x-texinfo|application/x-texinfo|application/x-troff|application/x-troff|application/x-troff|application/x-troff-man|application/x-troff-me|application/x-troff-ms|application/x-wais-source|application/zip|application/x-bcpio|application/x-cpio|application/x-gtar|application/x-rpm|application/x-shar|application/x-sv4cpio|application/x-sv4crc|application/x-tar|application/x-ustar|audio/basic|audio/basic|audio/mpeg|audio/mpeg|audio/mpeg|audio/x-aiff|audio/x-aiff|audio/x-aiff|audio/x-wav|image/bmp|image/ief|image/jpeg|image/jpeg|image/jpeg|image/tiff|image/tiff|image/x-cmu-raster|image/x-portable-anymap|image/x-portable-bitmap|image/x-portable-graymap|image/x-portable-pixmap|image/x-rgb|image/x-xbitmap|image/x-xpixmap|image/x-xwindowdump|text/html|text/html|text/css|application/x-javascript|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/richtext|text/tab-separated-values|text/x-setext|video/mpeg|video/mpeg|video/mpeg|video/quicktime|video/quicktime|video/x-msvideo|video/x-sgi-movie|application/mac-compactpro|application/mac-binhex40|application/macwriteii|application/msword|application/msword|application/vnd.ms-excel|application/vnd.ms-powerpoint|application/vnd.lotus-1-2-3|application/vnd.mif|application/x-stuffit|application/pict|application/pict|application/x-arj-compressed|application/x-lha-compressed|application/x-lha-compressed|application/x-deflate|text/plain|application/octet-stream|application/octet-stream|image/png|application/octet-stream|application/x-xpinstall|application/octet-stream|text/plain|application/x-director|application/x-director|application/x-director|image/vnd.djvu|image/vnd.djvu|application/octet-stream|application/octet-stream|application/andrew-inset|x-conference/x-cooltalk|model/iges|model/iges|audio/midi|audio/midi|audio/midi|model/mesh|model/mesh|video/vnd.mpegurl|chemical/x-pdb|application/x-chess-pgn|audio/x-realaudio|audio/x-pn-realaudio|audio/x-pn-realaudio|text/sgml|text/sgml|application/x-koan|application/x-koan|application/x-koan|application/x-koan|application/smil|application/smil|application/octet-stream|application/x-futuresplash|application/x-shockwave-flash|application/x-cdlink|model/vrml|image/vnd.wap.wbmp|application/vnd.wap.wbxml|application/vnd.wap.wmlc|application/vnd.wap.wmlscriptc|application/vnd.wap.wmlscript|application/xhtml|application/xhtml|text/xml|text/xml|chemical/x-xyz|text/plain)$</regex> + <regex>(image/gif|www/mime|application/macbinary|application/oda|application/octet-stream|application/pdf|application/postscript|application/postscript|application/postscript|text/rtf|application/octet-stream|application/octet-stream|application/x-tar|application/x-csh|application/x-dvi|application/x-hdf|application/x-latex|text/plain|application/x-netcdf|application/x-netcdf|application/x-sh|application/x-tcl|application/x-tex|application/x-texinfo|application/x-texinfo|application/x-troff|application/x-troff|application/x-troff|application/x-troff-man|application/x-troff-me|application/x-troff-ms|application/x-wais-source|application/zip|application/x-bcpio|application/x-cpio|application/x-gtar|application/x-rpm|application/x-shar|application/x-sv4cpio|application/x-sv4crc|application/x-tar|application/x-ustar|audio/basic|audio/basic|audio/mpeg|audio/mpeg|audio/mpeg|audio/x-aiff|audio/x-aiff|audio/x-aiff|audio/x-wav|image/bmp|image/ief|image/jpeg|image/jpeg|image/jpeg|image/tiff|image/tiff|image/x-cmu-raster|image/x-portable-anymap|image/x-portable-bitmap|image/x-portable-graymap|image/x-portable-pixmap|image/x-rgb|image/x-xbitmap|image/x-xpixmap|image/x-xwindowdump|text/html|text/html|text/css|application/x-javascript|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/plain|text/richtext|text/tab-separated-values|text/x-setext|video/mpeg|video/mpeg|video/mpeg|video/quicktime|video/quicktime|video/x-msvideo|video/x-sgi-movie|application/mac-compactpro|application/mac-binhex40|application/macwriteii|application/msword|application/msword|application/vnd.ms-excel|application/vnd.ms-powerpoint|application/vnd.lotus-1-2-3|application/vnd.mif|application/x-stuffit|application/pict|application/pict|application/x-arj-compressed|application/x-lha-compressed|application/x-lha-compressed|application/x-deflate|text/plain|application/octet-stream|application/octet-stream|image/png|application/octet-stream|application/x-xpinstall|application/octet-stream|text/plain|application/x-director|application/x-director|application/x-director|image/vnd.djvu|image/vnd.djvu|application/octet-stream|application/octet-stream|application/andrew-inset|x-conference/x-cooltalk|model/iges|model/iges|audio/midi|audio/midi|audio/midi|model/mesh|model/mesh|video/vnd.mpegurl|chemical/x-pdb|application/x-chess-pgn|audio/x-realaudio|audio/x-pn-realaudio|audio/x-pn-realaudio|text/sgml|text/sgml|application/x-koan|application/x-koan|application/x-koan|application/x-koan|application/smil|application/smil|application/octet-stream|application/x-futuresplash|application/x-shockwave-flash|application/x-cdlink|model/vrml|image/vnd.wap.wbmp|application/vnd.wap.wbxml|application/vnd.wap.wmlc|application/vnd.wap.wmlscriptc|application/vnd.wap.wmlscript|application/xhtml|application/xhtml|text/xml|text/xml|chemical/x-xyz|text/plain)</regex> </constraint> <multi/> </properties> @@ -484,7 +484,7 @@ <description>Name of source group</description> </valueHelp> <constraint> - <regex>^[^0-9]</regex> + <regex>[^0-9]</regex> </constraint> <constraintErrorMessage>URL-filter source-group cannot start with a number!</constraintErrorMessage> </properties> @@ -598,7 +598,7 @@ <description>All days of the week</description> </valueHelp> <constraint> - <regex>^(Sun|Mon|Tue|Wed|Thu|Fri|Sat|weekdays|weekend|all)$</regex> + <regex>(Sun|Mon|Tue|Wed|Thu|Fri|Sat|weekdays|weekend|all)</regex> </constraint> </properties> <children> @@ -611,7 +611,7 @@ </valueHelp> <constraint> <!-- time range example: 12:00-13:00 --> - <regex>^(\d\d:\d\d)-(\d\d:\d\d)$</regex> + <regex>(\d\d:\d\d)-(\d\d:\d\d)</regex> </constraint> <constraintErrorMessage>Expected time format hh:mm - hh:mm in 24hr time</constraintErrorMessage> </properties> diff --git a/interface-definitions/snmp.xml.in b/interface-definitions/snmp.xml.in index b9e0f4cc5..b4f72589e 100644 --- a/interface-definitions/snmp.xml.in +++ b/interface-definitions/snmp.xml.in @@ -13,7 +13,7 @@ <properties> <help>Community name</help> <constraint> - <regex>^[a-zA-Z0-9\-_]{1,100}$</regex> + <regex>[a-zA-Z0-9\-_]{1,100}</regex> </constraint> <constraintErrorMessage>Community string is limited to alphanumerical characters only with a total lenght of 100</constraintErrorMessage> </properties> @@ -33,7 +33,7 @@ <description>Read-Write</description> </valueHelp> <constraint> - <regex>^(ro|rw)$</regex> + <regex>(ro|rw)</regex> </constraint> <constraintErrorMessage>Authorization type must be either 'rw' or 'ro'</constraintErrorMessage> </properties> @@ -72,7 +72,7 @@ <properties> <help>Contact information</help> <constraint> - <regex>^.{1,255}$</regex> + <regex>.{1,255}</regex> </constraint> <constraintErrorMessage>Contact information is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -81,7 +81,7 @@ <properties> <help>Description information</help> <constraint> - <regex>^.{1,255}$</regex> + <regex>.{1,255}</regex> </constraint> <constraintErrorMessage>Description is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -116,7 +116,7 @@ <properties> <help>Location information</help> <constraint> - <regex>^.{1,255}$</regex> + <regex>.{1,255}</regex> </constraint> <constraintErrorMessage>Location is limited to 255 characters or less</constraintErrorMessage> </properties> @@ -132,7 +132,7 @@ <description>Enable routing table OIDs (ipCidrRouteTable inetCidrRouteTable)</description> </valueHelp> <constraint> - <regex>^(route-table)$</regex> + <regex>(route-table)</regex> </constraint> <constraintErrorMessage>OID must be 'route-table'</constraintErrorMessage> </properties> @@ -202,7 +202,7 @@ <properties> <help>Specifies the EngineID that uniquely identify an agent (e.g. 000000000000000000000002)</help> <constraint> - <regex>^([0-9a-f][0-9a-f]){1,18}$</regex> + <regex>([0-9a-f][0-9a-f]){1,18}</regex> </constraint> <constraintErrorMessage>ID must contain an even number (from 2 to 36) of hex digits</constraintErrorMessage> </properties> @@ -233,7 +233,7 @@ <description>Messages are authenticated and encrypted (authPriv)</description> </valueHelp> <constraint> - <regex>^(noauth|auth|priv)$</regex> + <regex>(noauth|auth|priv)</regex> </constraint> </properties> <defaultValue>auth</defaultValue> @@ -274,7 +274,7 @@ <properties> <help>Defines the encrypted key for authentication</help> <constraint> - <regex>^[0-9a-f]*$</regex> + <regex>[0-9a-f]*</regex> </constraint> <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> @@ -283,7 +283,7 @@ <properties> <help>Defines the clear text key for authentication</help> <constraint> - <regex>^.{8,}$</regex> + <regex>.{8,}</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -304,7 +304,7 @@ <properties> <help>Defines the encrypted key for privacy protocol</help> <constraint> - <regex>^[0-9a-f]*$</regex> + <regex>[0-9a-f]*</regex> </constraint> <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> @@ -313,7 +313,7 @@ <properties> <help>Defines the clear text key for privacy protocol</help> <constraint> - <regex>^.{8,}$</regex> + <regex>.{8,}</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -337,7 +337,7 @@ <description>Use TRAP</description> </valueHelp> <constraint> - <regex>^(inform|trap)$</regex> + <regex>(inform|trap)</regex> </constraint> </properties> <defaultValue>inform</defaultValue> @@ -356,7 +356,7 @@ <properties> <help>Specifies the user with name username</help> <constraint> - <regex>[^\(\)\|\-]+$</regex> + <regex>[^\(\)\|\-]+</regex> </constraint> <constraintErrorMessage>Illegal characters in name</constraintErrorMessage> </properties> @@ -370,7 +370,7 @@ <properties> <help>Defines the encrypted key for authentication</help> <constraint> - <regex>^[0-9a-f]*$</regex> + <regex>[0-9a-f]*</regex> </constraint> <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> @@ -379,7 +379,7 @@ <properties> <help>Defines the clear text key for authentication</help> <constraint> - <regex>^.{8,}$</regex> + <regex>.{8,}</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -405,7 +405,7 @@ <properties> <help>Defines the encrypted key for privacy protocol</help> <constraint> - <regex>^[0-9a-f]*$</regex> + <regex>[0-9a-f]*</regex> </constraint> <constraintErrorMessage>Encrypted key must only contain hex digits</constraintErrorMessage> </properties> @@ -414,7 +414,7 @@ <properties> <help>Defines the clear text key for privacy protocol</help> <constraint> - <regex>^.{8,}$</regex> + <regex>.{8,}</regex> </constraint> <constraintErrorMessage>Key must contain 8 or more characters</constraintErrorMessage> </properties> @@ -428,7 +428,7 @@ <properties> <help>Specifies the view with name viewname</help> <constraint> - <regex>[^\(\)\|\-]+$</regex> + <regex>[^\(\)\|\-]+</regex> </constraint> <constraintErrorMessage>Illegal characters in name</constraintErrorMessage> </properties> @@ -437,7 +437,7 @@ <properties> <help>Specifies the oid</help> <constraint> - <regex>^[0-9]+(\.[0-9]+)*$</regex> + <regex>[0-9]+(\.[0-9]+)*</regex> </constraint> <constraintErrorMessage>OID must start from a number</constraintErrorMessage> </properties> @@ -451,7 +451,7 @@ <properties> <help>Defines a bit-mask that is indicating which subidentifiers of the associated subtree OID should be regarded as significant</help> <constraint> - <regex>^[0-9a-f]{2}([\.:][0-9a-f]{2})*$</regex> + <regex>[0-9a-f]{2}([\.:][0-9a-f]{2})*</regex> </constraint> <constraintErrorMessage>MASK is a list of hex octets, separated by '.' or ':'</constraintErrorMessage> </properties> @@ -471,7 +471,7 @@ <properties> <help>Extension name</help> <constraint> - <regex>^[a-z0-9\.\-\_]+</regex> + <regex>[a-z0-9\.\-\_]+</regex> </constraint> <constraintErrorMessage>Script extension contains invalid characters</constraintErrorMessage> </properties> @@ -483,7 +483,7 @@ <script>ls /config/user-data</script> </completionHelp> <constraint> - <regex>^[a-z0-9\.\-\_\/]+</regex> + <regex>[a-z0-9\.\-\_\/]+</regex> </constraint> <constraintErrorMessage>Script extension contains invalid characters</constraintErrorMessage> </properties> diff --git a/interface-definitions/system-conntrack.xml.in b/interface-definitions/system-conntrack.xml.in index 65edab839..14f12b569 100644 --- a/interface-definitions/system-conntrack.xml.in +++ b/interface-definitions/system-conntrack.xml.in @@ -252,7 +252,7 @@ <description>Do not allow tracking of previously established connections</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> diff --git a/interface-definitions/system-console.xml.in b/interface-definitions/system-console.xml.in index 2897e5e97..5acd3e90b 100644 --- a/interface-definitions/system-console.xml.in +++ b/interface-definitions/system-console.xml.in @@ -28,7 +28,7 @@ <description>Xen console</description> </valueHelp> <constraint> - <regex>^(ttyS[0-9]+|hvc[0-9]+|usb[0-9]+b.*)$</regex> + <regex>(ttyS[0-9]+|hvc[0-9]+|usb[0-9]+b.*)</regex> </constraint> </properties> <children> @@ -71,7 +71,7 @@ <description>115200 bps</description> </valueHelp> <constraint> - <regex>^(1200|2400|4800|9600|19200|38400|57600|115200)$</regex> + <regex>(1200|2400|4800|9600|19200|38400|57600|115200)</regex> </constraint> </properties> <defaultValue>115200</defaultValue> diff --git a/interface-definitions/system-lcd.xml.in b/interface-definitions/system-lcd.xml.in index 4c9d5c92e..9b1a15317 100644 --- a/interface-definitions/system-lcd.xml.in +++ b/interface-definitions/system-lcd.xml.in @@ -39,7 +39,7 @@ <description>Lanner, Watchguard, Nexcom NSA, Sophos UTM appliances</description> </valueHelp> <constraint> - <regex>^(cfa-533|cfa-631|cfa-633|cfa-635|hd44780|sdec)$</regex> + <regex>(cfa-533|cfa-631|cfa-633|cfa-635|hd44780|sdec)</regex> </constraint> </properties> </leafNode> @@ -59,7 +59,7 @@ <description>TTY device name, USB based</description> </valueHelp> <constraint> - <regex>^(ttyS[0-9]+|usb[0-9]+b.*)$</regex> + <regex>(ttyS[0-9]+|usb[0-9]+b.*)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/system-login.xml.in b/interface-definitions/system-login.xml.in index a5519ee88..24eeee355 100644 --- a/interface-definitions/system-login.xml.in +++ b/interface-definitions/system-login.xml.in @@ -12,7 +12,7 @@ <properties> <help>Local user account information</help> <constraint> - <regex>^[-_a-zA-Z0-9.]{1,100}</regex> + <regex>[-_a-zA-Z0-9.]{1,100}</regex> </constraint> <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage> </properties> @@ -27,7 +27,7 @@ <help>Encrypted password</help> <constraint> <regex>(\*|\!)</regex> - <regex>[a-zA-Z0-9\.\/]{13}$</regex> + <regex>[a-zA-Z0-9\.\/]{13}</regex> <regex>\$1\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{22}</regex> <regex>\$5\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{43}</regex> <regex>\$6\$[a-zA-Z0-9\./]*\$[a-zA-Z0-9\./]{86}</regex> @@ -90,7 +90,7 @@ <description/> </valueHelp> <constraint> - <regex>^(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519)$</regex> + <regex>(ssh-dss|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519)</regex> </constraint> </properties> </leafNode> @@ -102,7 +102,7 @@ <properties> <help>Full name of the user (use quotes for names with spaces)</help> <constraint> - <regex>[^:]*$</regex> + <regex>[^:]*</regex> </constraint> <constraintErrorMessage>Cannot use ':' in full name</constraintErrorMessage> </properties> diff --git a/interface-definitions/system-option.xml.in b/interface-definitions/system-option.xml.in index 75fa67271..8cd25799b 100644 --- a/interface-definitions/system-option.xml.in +++ b/interface-definitions/system-option.xml.in @@ -27,7 +27,7 @@ <description>Poweroff system</description> </valueHelp> <constraint> - <regex>^(ignore|reboot|poweroff)$</regex> + <regex>(ignore|reboot|poweroff)</regex> </constraint> <constraintErrorMessage>Must be ignore, reboot, or poweroff</constraintErrorMessage> </properties> @@ -84,7 +84,7 @@ <description>Tune for low network latency</description> </valueHelp> <constraint> - <regex>^(throughput|latency)$</regex> + <regex>(throughput|latency)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/system-proxy.xml.in b/interface-definitions/system-proxy.xml.in index ade168522..1c06b347f 100644 --- a/interface-definitions/system-proxy.xml.in +++ b/interface-definitions/system-proxy.xml.in @@ -11,7 +11,7 @@ <properties> <help>Proxy URL</help> <constraint> - <regex>http:\/\/[a-z0-9\.]+$</regex> + <regex>http:\/\/[a-z0-9\.]+</regex> </constraint> </properties> </leafNode> @@ -20,7 +20,7 @@ <properties> <help>Proxy username</help> <constraint> - <regex>[a-z0-9-_\.]{1,100}$</regex> + <regex>[a-z0-9-_\.]{1,100}</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/system-syslog.xml.in b/interface-definitions/system-syslog.xml.in index 9280a43c8..480cb1ca6 100644 --- a/interface-definitions/system-syslog.xml.in +++ b/interface-definitions/system-syslog.xml.in @@ -28,7 +28,7 @@ <list>auth authpriv cron daemon kern lpr mail mark news protocols security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 all</list> </completionHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> <constraintErrorMessage>Invalid facility type</constraintErrorMessage> <valueHelp> @@ -132,7 +132,7 @@ <list>emerg alert crit err warning notice info debug all</list> </completionHelp> <constraint> - <regex>^(emerg|alert|crit|err|warning|notice|info|debug|all)$</regex> + <regex>(emerg|alert|crit|err|warning|notice|info|debug|all)</regex> </constraint> <constraintErrorMessage>Invalid loglevel</constraintErrorMessage> <valueHelp> @@ -203,7 +203,7 @@ <list>auth authpriv cron daemon kern lpr mail mark news protocols security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 all</list> </completionHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> <constraintErrorMessage>Invalid facility type</constraintErrorMessage> <valueHelp> @@ -315,7 +315,7 @@ <list>udp tcp</list> </completionHelp> <constraint> - <regex>^(udp|tcp)$</regex> + <regex>(udp|tcp)</regex> </constraint> <constraintErrorMessage>invalid protocol name</constraintErrorMessage> </properties> @@ -327,7 +327,7 @@ <list>emerg alert crit err warning notice info debug all</list> </completionHelp> <constraint> - <regex>^(emerg|alert|crit|err|warning|notice|info|debug|all)$</regex> + <regex>(emerg|alert|crit|err|warning|notice|info|debug|all)</regex> </constraint> <constraintErrorMessage>Invalid loglevel</constraintErrorMessage> <valueHelp> @@ -422,7 +422,7 @@ <list>auth authpriv cron daemon kern lpr mail mark news protocols security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 all</list> </completionHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> <constraintErrorMessage>Invalid facility type</constraintErrorMessage> <valueHelp> @@ -526,7 +526,7 @@ <list>emerg alert crit err warning notice info debug all</list> </completionHelp> <constraint> - <regex>^(emerg|alert|crit|err|warning|notice|info|debug|all)$</regex> + <regex>(emerg|alert|crit|err|warning|notice|info|debug|all)</regex> </constraint> <constraintErrorMessage>Invalid loglevel</constraintErrorMessage> <valueHelp> @@ -633,7 +633,7 @@ <list>auth authpriv cron daemon kern lpr mail mark news protocols security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 all</list> </completionHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> <constraintErrorMessage>Invalid facility type</constraintErrorMessage> <valueHelp> @@ -737,7 +737,7 @@ <list>emerg alert crit err warning notice info debug all</list> </completionHelp> <constraint> - <regex>^(emerg|alert|crit|err|warning|notice|info|debug|all)$</regex> + <regex>(emerg|alert|crit|err|warning|notice|info|debug|all)</regex> </constraint> <constraintErrorMessage>Invalid loglevel</constraintErrorMessage> <valueHelp> @@ -794,7 +794,7 @@ <list>auth authpriv cron daemon kern lpr mail mark news protocols security syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 all</list> </completionHelp> <constraint> - <regex>^(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)$</regex> + <regex>(auth|authpriv|cron|daemon|kern|lpr|mail|mark|news|protocols|security|syslog|user|uucp|local0|local1|local2|local3|local4|local5|local6|local7|all)</regex> </constraint> <constraintErrorMessage>Invalid facility type</constraintErrorMessage> <valueHelp> @@ -898,7 +898,7 @@ <list>emerg alert crit err warning notice info debug all</list> </completionHelp> <constraint> - <regex>^(emerg|alert|crit|err|warning|notice|info|debug|all)$</regex> + <regex>(emerg|alert|crit|err|warning|notice|info|debug|all)</regex> </constraint> <constraintErrorMessage>Invalid loglevel</constraintErrorMessage> <valueHelp> diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in index a86951ce8..555ba689f 100644 --- a/interface-definitions/vpn_ipsec.xml.in +++ b/interface-definitions/vpn_ipsec.xml.in @@ -37,7 +37,7 @@ <description>Enable ESP compression</description> </valueHelp> <constraint> - <regex>^(disable|enable)$</regex> + <regex>(disable|enable)</regex> </constraint> </properties> <defaultValue>disable</defaultValue> @@ -94,7 +94,7 @@ <description>Transport mode</description> </valueHelp> <constraint> - <regex>^(tunnel|transport)$</regex> + <regex>(tunnel|transport)</regex> </constraint> </properties> <defaultValue>tunnel</defaultValue> @@ -202,7 +202,7 @@ <description>Disable PFS</description> </valueHelp> <constraint> - <regex>^(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)$</regex> + <regex>(enable|dh-group1|dh-group2|dh-group5|dh-group14|dh-group15|dh-group16|dh-group17|dh-group18|dh-group19|dh-group20|dh-group21|dh-group22|dh-group23|dh-group24|dh-group25|dh-group26|dh-group27|dh-group28|dh-group29|dh-group30|dh-group31|dh-group32|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -246,7 +246,7 @@ <description>Attempt to re-negotiate the connection immediately</description> </valueHelp> <constraint> - <regex>^(none|hold|restart)$</regex> + <regex>(none|hold|restart)</regex> </constraint> </properties> </leafNode> @@ -274,7 +274,7 @@ <description>Attempt to re-negotiate the connection immediately</description> </valueHelp> <constraint> - <regex>^(hold|clear|restart)$</regex> + <regex>(hold|clear|restart)</regex> </constraint> </properties> </leafNode> @@ -321,7 +321,7 @@ <description>Disable remote host re-authenticaton during an IKE rekey</description> </valueHelp> <constraint> - <regex>^(yes|no)$</regex> + <regex>(yes|no)</regex> </constraint> </properties> </leafNode> @@ -340,7 +340,7 @@ <description>Use IKEv2 for key exchange</description> </valueHelp> <constraint> - <regex>^(ikev1|ikev2)$</regex> + <regex>(ikev1|ikev2)</regex> </constraint> </properties> </leafNode> @@ -372,7 +372,7 @@ <description>Disable MOBIKE</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> <defaultValue>enable</defaultValue> @@ -392,7 +392,7 @@ <description>Use the aggressive mode (insecure, not recommended)</description> </valueHelp> <constraint> - <regex>^(main|aggressive)$</regex> + <regex>(main|aggressive)</regex> </constraint> </properties> <defaultValue>main</defaultValue> @@ -501,7 +501,7 @@ <description>Diffie-Hellman group 32 (curve448)</description> </valueHelp> <constraint> - <regex>^(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)$</regex> + <regex>(1|2|5|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31|32)</regex> </constraint> </properties> <defaultValue>2</defaultValue> @@ -628,7 +628,7 @@ <description>Any subsystem</description> </valueHelp> <constraint> - <regex>^(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)$</regex> + <regex>(dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|lib|esp|tls|tnc|imc|imv|pts|any)</regex> </constraint> <multi/> </properties> @@ -747,7 +747,7 @@ <description>Use EAP-RADIUS authentication</description> </valueHelp> <constraint> - <regex>^(eap-tls|eap-mschapv2|eap-radius)$</regex> + <regex>(eap-tls|eap-mschapv2|eap-radius)</regex> </constraint> </properties> <defaultValue>eap-mschapv2</defaultValue> @@ -768,7 +768,7 @@ <description>Use x.509 certificate</description> </valueHelp> <constraint> - <regex>^(pre-shared-secret|x509)$</regex> + <regex>(pre-shared-secret|x509)</regex> </constraint> </properties> <defaultValue>x509</defaultValue> @@ -840,7 +840,7 @@ <description>Delete any existing connection if a new one for the same user gets established</description> </valueHelp> <constraint> - <regex>^(never|keep|replace)$</regex> + <regex>(never|keep|replace)</regex> </constraint> </properties> </leafNode> @@ -976,7 +976,7 @@ <description>Use x.509 certificate</description> </valueHelp> <constraint> - <regex>^(pre-shared-secret|rsa|x509)$</regex> + <regex>(pre-shared-secret|rsa|x509)</regex> </constraint> </properties> </leafNode> @@ -1017,7 +1017,7 @@ <description>Load the connection only</description> </valueHelp> <constraint> - <regex>^(initiate|respond|none)$</regex> + <regex>(initiate|respond|none)</regex> </constraint> </properties> </leafNode> @@ -1046,7 +1046,7 @@ <description>Do not force UDP encapsulation</description> </valueHelp> <constraint> - <regex>^(enable|disable)$</regex> + <regex>(enable|disable)</regex> </constraint> </properties> </leafNode> @@ -1070,7 +1070,7 @@ <description>Inherit the reauth configuration form your IKE-group</description> </valueHelp> <constraint> - <regex>^(yes|no|inherit)$</regex> + <regex>(yes|no|inherit)</regex> </constraint> </properties> </leafNode> diff --git a/interface-definitions/vpn_l2tp.xml.in b/interface-definitions/vpn_l2tp.xml.in index 9ca7b1fad..f734283e7 100644 --- a/interface-definitions/vpn_l2tp.xml.in +++ b/interface-definitions/vpn_l2tp.xml.in @@ -72,7 +72,7 @@ <description>Use X.509 certificate for IPsec authentication</description> </valueHelp> <constraint> - <regex>^(pre-shared-secret|x509)$</regex> + <regex>(pre-shared-secret|x509)</regex> </constraint> <completionHelp> <list>pre-shared-secret x509</list> @@ -167,7 +167,7 @@ <description>Require the peer to authenticate itself using MS-CHAPv2 [Microsoft Challenge Handshake Authentication Protocol, Version 2].</description> </valueHelp> <constraint> - <regex>^(pap|chap|mschap|mschap-v2)$</regex> + <regex>(pap|chap|mschap|mschap-v2)</regex> </constraint> <completionHelp> <list>pap chap mschap mschap-v2</list> diff --git a/interface-definitions/vpn_openconnect.xml.in b/interface-definitions/vpn_openconnect.xml.in index f418f5d75..21b47125d 100644 --- a/interface-definitions/vpn_openconnect.xml.in +++ b/interface-definitions/vpn_openconnect.xml.in @@ -13,26 +13,120 @@ <help>Authentication for remote access SSL VPN Server</help> </properties> <children> - <leafNode name="mode"> + <node name="mode"> <properties> <help>Authentication mode used by this server</help> - <valueHelp> - <format>local</format> - <description>Use local username/password configuration</description> - </valueHelp> - <valueHelp> - <format>radius</format> - <description>Use RADIUS server for user autentication</description> - </valueHelp> - <constraint> - <regex>^(local|radius)$</regex> - </constraint> - <completionHelp> - <list>local radius</list> - </completionHelp> </properties> - </leafNode> + <children> + <leafNode name="local"> + <properties> + <help>Use local username/password configuration (OTP supported)</help> + <valueHelp> + <format>password</format> + <description>Password-only local authentication</description> + </valueHelp> + <valueHelp> + <format>otp</format> + <description>OTP-only local authentication</description> + </valueHelp> + <valueHelp> + <format>password-otp</format> + <description>Password (first) + OTP local authentication</description> + </valueHelp> + <constraint> + <regex>(password|otp|password-otp)</regex> + </constraint> + <constraintErrorMessage>Invalid authentication mode. Must be one of: password, otp or password-otp </constraintErrorMessage> + <completionHelp> + <list>otp password password-otp</list> + </completionHelp> + </properties> + </leafNode> + <leafNode name="radius"> + <properties> + <help>Use RADIUS server for user autentication</help> + <valueless/> + </properties> + </leafNode> + </children> + </node> #include <include/auth-local-users.xml.i> + <node name="local-users"> + <children> + <tagNode name="username"> + <children> + <node name="otp"> + <properties> + <help>2FA OTP authentication parameters</help> + </properties> + <children> + <leafNode name="key"> + <properties> + <help>Token Key Secret key for the token algorithm (see RFC 4226)</help> + <valueHelp> + <format>txt</format> + <description>OTP key in hex-encoded format</description> + </valueHelp> + <constraint> + <regex>[a-fA-F0-9]{20,10000}</regex> + </constraint> + <constraintErrorMessage>Key name must only include hex characters and be at least 20 characters long</constraintErrorMessage> + </properties> + </leafNode> + <leafNode name="otp-length"> + <properties> + <help>Number of digits in OTP code</help> + <valueHelp> + <format>u32:6-8</format> + <description>Number of digits in OTP code</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 6-8"/> + </constraint> + <constraintErrorMessage>Number of digits in OTP code must be between 6 and 8</constraintErrorMessage> + </properties> + <defaultValue>6</defaultValue> + </leafNode> + <leafNode name="interval"> + <properties> + <help>Time tokens interval in seconds</help> + <valueHelp> + <format>u32:5-86400</format> + <description>Time tokens interval in seconds.</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 5-86400"/> + </constraint> + <constraintErrorMessage>Time token interval must be between 5 and 86400 seconds</constraintErrorMessage> + </properties> + <defaultValue>30</defaultValue> + </leafNode> + <leafNode name="token-type"> + <properties> + <help>Token type</help> + <valueHelp> + <format>hotp-time</format> + <description>Time-based OTP algorithm</description> + </valueHelp> + <valueHelp> + <format>hotp-event</format> + <description>Event-based OTP algorithm</description> + </valueHelp> + <constraint> + <regex>(hotp-time|hotp-event)</regex> + </constraint> + <completionHelp> + <list>hotp-time hotp-event</list> + </completionHelp> + </properties> + <defaultValue>hotp-time</defaultValue> + </leafNode> + </children> + </node> + </children> + </tagNode> + </children> + </node> #include <include/radius-server-ipv4.xml.i> <node name="radius"> <children> diff --git a/interface-definitions/vpn_pptp.xml.in b/interface-definitions/vpn_pptp.xml.in index 0d1690013..28a53acb9 100644 --- a/interface-definitions/vpn_pptp.xml.in +++ b/interface-definitions/vpn_pptp.xml.in @@ -75,7 +75,7 @@ <description>ask client for mppe, if it rejects drop connection</description> </valueHelp> <constraint> - <regex>^(deny|prefer|require)$</regex> + <regex>(deny|prefer|require)</regex> </constraint> <completionHelp> <list>deny prefer require</list> diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index 14c31fa8a..25a573887 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -28,6 +28,22 @@ <children> #include <include/interface/description.xml.i> #include <include/interface/disable.xml.i> + <node name="ip"> + <properties> + <help>IPv4 routing parameters</help> + </properties> + <children> + #include <include/interface/disable-forwarding.xml.i> + </children> + </node> + <node name="ipv6"> + <properties> + <help>IPv6 routing parameters</help> + </properties> + <children> + #include <include/interface/disable-forwarding.xml.i> + </children> + </node> <node name="protocols"> <properties> <help>Routing protocol parameters</help> diff --git a/interface-definitions/zone-policy.xml.in b/interface-definitions/zone-policy.xml.in index eac63fa6b..8af0dcfb6 100644 --- a/interface-definitions/zone-policy.xml.in +++ b/interface-definitions/zone-policy.xml.in @@ -14,7 +14,7 @@ <description>Zone name</description> </valueHelp> <constraint> - <regex>^[a-zA-Z0-9][\w\-\.]*$</regex> + <regex>[a-zA-Z0-9][\w\-\.]*</regex> </constraint> </properties> <children> @@ -34,7 +34,7 @@ <description>Drop and notify source</description> </valueHelp> <constraint> - <regex>^(drop|reject)$</regex> + <regex>(drop|reject)</regex> </constraint> </properties> <defaultValue>drop</defaultValue> @@ -105,7 +105,7 @@ <description>Drop silently</description> </valueHelp> <constraint> - <regex>^(accept|drop)$</regex> + <regex>(accept|drop)</regex> </constraint> </properties> </leafNode> diff --git a/op-mode-definitions/containers.xml.in b/op-mode-definitions/container.xml.in index b2b318786..fa66402dc 100644 --- a/op-mode-definitions/containers.xml.in +++ b/op-mode-definitions/container.xml.in @@ -11,7 +11,7 @@ <properties> <help>Pull a new image for container</help> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --pull "${4}"</command> + <command>sudo podman image pull "${4}"</command> </tagNode> </children> </node> @@ -44,7 +44,51 @@ <script>sudo podman image ls -q</script> </completionHelp> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --remove "${4}"</command> + <command>sudo podman image rm --force "${4}"</command> + </tagNode> + </children> + </node> + </children> + </node> + <node name="generate"> + <children> + <node name="container"> + <properties> + <help>Generate Container Image</help> + </properties> + <children> + <tagNode name="image"> + <properties> + <help>Name of container image (tag)</help> + </properties> + <children> + <tagNode name="path"> + <properties> + <help>Path to Dockerfile</help> + <completionHelp> + <list><filename></list> + </completionHelp> + </properties> + <command>sudo podman build --layers --force-rm --tag "$4" $6</command> + </tagNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> + <node name="monitor"> + <children> + <node name="log"> + <children> + <tagNode name="container"> + <properties> + <help>Monitor last lines of container logs</help> + <completionHelp> + <path>container name</path> + </completionHelp> + </properties> + <command>sudo podman logs --follow --names "$4"</command> </tagNode> </children> </node> @@ -56,13 +100,13 @@ <properties> <help>Show containers</help> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --all</command> + <command>sudo podman ps --all</command> <children> <leafNode name="image"> <properties> - <help>Delete container image</help> + <help>Show container image</help> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --image</command> + <command>sudo podman image ls</command> </leafNode> <tagNode name="log"> <properties> @@ -77,7 +121,7 @@ <properties> <help>Show available container networks</help> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --networks</command> + <command>sudo podman network ls</command> </leafNode> </children> </node> @@ -118,12 +162,12 @@ <children> <tagNode name="image"> <properties> - <help>Delete container image</help> + <help>Update container image</help> <completionHelp> <path>container name</path> </completionHelp> </properties> - <command>sudo ${vyos_op_scripts_dir}/containers_op.py --update "${4}"</command> + <command>if cli-shell-api existsActive container name "$4"; then sudo podman pull $(cli-shell-api returnActiveValue container name "$4" image); else echo "Container $4 does not exist"; fi</command> </tagNode> </children> </node> diff --git a/op-mode-definitions/generate-openconnect-user-key.xml.in b/op-mode-definitions/generate-openconnect-user-key.xml.in new file mode 100644 index 000000000..80cdfb3d7 --- /dev/null +++ b/op-mode-definitions/generate-openconnect-user-key.xml.in @@ -0,0 +1,67 @@ +<?xml version="1.0"?> +<interfaceDefinition> + <node name="generate"> + <children> + <node name="openconnect"> + <properties> + <help>Generate OpenConnect client parameters</help> + </properties> + <children> + <tagNode name="username"> + <properties> + <help>Username used for authentication</help> + <completionHelp> + <list><username></list> + </completionHelp> + </properties> + <children> + <node name="otp-key"> + <properties> + <help>Generate OpenConnect OTP token</help> + </properties> + <children> + <node name="hotp-time"> + <properties> + <help>HOTP time-based token</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits 6</command> + <children> + <tagNode name="interval"> + <properties> + <help>Duration of single time interval</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits 6</command> + <children> + <tagNode name="digits"> + <properties> + <help>The number of digits in the one-time password</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "$8" --digits "${10}"</command> + </tagNode> + </children> + </tagNode> + <tagNode name="digits"> + <properties> + <help>The number of digits in the one-time password</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval 30 --digits "$8"</command> + <children> + <tagNode name="interval"> + <properties> + <help>Duration of single time interval</help> + </properties> + <command>sudo ${vyos_op_scripts_dir}/generate_openconnect_otp_key.py --username "$4" --interval "${10}" --digits $8</command> + </tagNode> + </children> + </tagNode> + </children> + </node> + </children> + </node> + </children> + </tagNode> + </children> + </node> + </children> + </node> +</interfaceDefinition> diff --git a/op-mode-definitions/monitor-log.xml.in b/op-mode-definitions/monitor-log.xml.in index cbdf76fc3..6f82ce611 100644 --- a/op-mode-definitions/monitor-log.xml.in +++ b/op-mode-definitions/monitor-log.xml.in @@ -6,13 +6,96 @@ <properties> <help>Monitor last lines of messages file</help> </properties> - <command>tail --follow=name /var/log/messages</command> + <command>journalctl --no-hostname --follow --boot</command> <children> <node name="colored"> <properties> <help>Output log in a colored fashion</help> </properties> - <command>grc tail --follow=name /var/log/messages</command> + <command>grc journalctl --no-hostname --follow --boot</command> + </node> + <node name="dhcp"> + <properties> + <help>Show log for Dynamic Host Control Protocol (DHCP)</help> + </properties> + <children> + <node name="server"> + <properties> + <help>Show log for DHCP server</help> + </properties> + <command>journalctl --no-hostname --follow --boot --unit isc-dhcp-server.service</command> + </node> + <node name="client"> + <properties> + <help>Show DHCP client logs</help> + </properties> + <command>journalctl --no-hostname --follow --boot --unit "dhclient@*.service"</command> + <children> + <tagNode name="interface"> + <properties> + <help>Show DHCP client log on specific interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py --broadcast</script> + </completionHelp> + </properties> + <command>journalctl --no-hostname --follow --boot --unit "dhclient@$6.service"</command> + </tagNode> + </children> + </node> + </children> + </node> + <node name="dhcpv6"> + <properties> + <help>Show log for Dynamic Host Control Protocol IPv6 (DHCPv6)</help> + </properties> + <children> + <node name="server"> + <properties> + <help>Show log for DHCPv6 server</help> + </properties> + <command>journalctl --no-hostname --follow --boot --unit isc-dhcp-server6.service</command> + </node> + <node name="client"> + <properties> + <help>Show DHCPv6 client logs</help> + </properties> + <command>journalctl --no-hostname --follow --boot --unit "dhcp6c@*.service"</command> + <children> + <tagNode name="interface"> + <properties> + <help>Show DHCPv6 client log on specific interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py</script> + </completionHelp> + </properties> + <command>journalctl --no-hostname --follow --boot --unit "dhcp6c@$6.service"</command> + </tagNode> + </children> + </node> + </children> + </node> + <leafNode name="kernel"> + <properties> + <help>Monitor last lines of Linux Kernel log</help> + </properties> + <command>journalctl --no-hostname --boot --follow --dmesg</command> + </leafNode> + <node name="pppoe"> + <properties> + <help>Monitor last lines of PPPoE log</help> + </properties> + <command>journalctl --no-hostname --boot --follow --unit "ppp@pppoe*.service"</command> + <children> + <tagNode name="interface"> + <properties> + <help>Monitor last lines of PPPoE log for specific interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py -t pppoe</script> + </completionHelp> + </properties> + <command>journalctl --no-hostname --boot --follow --unit "ppp@$6.service"</command> + </tagNode> + </children> </node> <node name="protocol"> <properties> @@ -23,67 +106,67 @@ <properties> <help>Monitor log for OSPF</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/ospfd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/ospfd</command> </leafNode> <leafNode name="ospfv3"> <properties> <help>Monitor log for OSPF for IPv6</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/ospf6d</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/ospf6d</command> </leafNode> <leafNode name="bgp"> <properties> <help>Monitor log for BGP</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/bgpd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/bgpd</command> </leafNode> <leafNode name="rip"> <properties> <help>Monitor log for RIP</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/ripd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/ripd</command> </leafNode> <leafNode name="ripng"> <properties> <help>Monitor log for RIPng</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/ripngd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/ripngd</command> </leafNode> <leafNode name="static"> <properties> <help>Monitor log for static route</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/staticd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/staticd</command> </leafNode> <leafNode name="multicast"> <properties> <help>Monitor log for Multicast protocol</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/pimd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/pimd</command> </leafNode> <leafNode name="isis"> <properties> <help>Monitor log for ISIS</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/isisd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/isisd</command> </leafNode> <leafNode name="nhrp"> <properties> <help>Monitor log for NHRP</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/nhrpd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/nhrpd</command> </leafNode> <leafNode name="bfd"> <properties> <help>Monitor log for BFD</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/bfdd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/bfdd</command> </leafNode> <leafNode name="mpls"> <properties> <help>Monitor log for MPLS</help> </properties> - <command>journalctl --follow --boot /usr/lib/frr/ldpd</command> + <command>journalctl --follow --no-hostname --boot /usr/lib/frr/ldpd</command> </leafNode> </children> </node> diff --git a/op-mode-definitions/show-log.xml.in b/op-mode-definitions/show-log.xml.in index 15bbc7f42..954369712 100644 --- a/op-mode-definitions/show-log.xml.in +++ b/op-mode-definitions/show-log.xml.in @@ -179,9 +179,9 @@ </tagNode> <leafNode name="kernel"> <properties> - <help>Show messages in kernel ring buffer</help> + <help>Show log for Linux Kernel</help> </properties> - <command>sudo dmesg</command> + <command>journalctl --no-hostname --boot --dmesg</command> </leafNode> <leafNode name="lldp"> <properties> @@ -212,6 +212,23 @@ </tagNode> </children> </node> + <node name="pppoe"> + <properties> + <help>Show log for PPPoE</help> + </properties> + <command>journalctl --no-hostname --boot --unit "ppp@pppoe*.service"</command> + <children> + <tagNode name="interface"> + <properties> + <help>Show PPPoE log on specific interface</help> + <completionHelp> + <script>${vyos_completion_dir}/list_interfaces.py -t pppoe</script> + </completionHelp> + </properties> + <command>journalctl --no-hostname --boot --unit "ppp@$6.service"</command> + </tagNode> + </children> + </node> <node name="protocol"> <properties> <help>Show log for Routing Protocols</help> diff --git a/op-mode-definitions/traceroute.xml.in b/op-mode-definitions/traceroute.xml.in index e3217235c..aba0f45e3 100644 --- a/op-mode-definitions/traceroute.xml.in +++ b/op-mode-definitions/traceroute.xml.in @@ -2,226 +2,22 @@ <interfaceDefinition> <tagNode name="traceroute"> <properties> - <help>Track network path to node</help> - <completionHelp> - <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>/usr/bin/traceroute "$2"</command> - </tagNode> - <node name="traceroute"> - <properties> - <help>Track network path to node</help> + <help>Trace network path to node</help> <completionHelp> <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> </completionHelp> </properties> + <command>${vyos_op_scripts_dir}/traceroute.py ${@:2}</command> <children> - <tagNode name="ipv4"> + <leafNode name="node.tag"> <properties> - <help>Explicitly use IPv4 when tracing the path</help> + <help>Traceroute options</help> <completionHelp> - <list><hostname> <x.x.x.x></list> + <script>${vyos_op_scripts_dir}/traceroute.py --get-options "${COMP_WORDS[@]}"</script> </completionHelp> </properties> - <command>/usr/bin/traceroute -4 "$3"</command> - <children> - <node name="tcp"> - <properties> - <help>Route tracing and port detection using TCP</help> - </properties> - <command>sudo /usr/bin/tcptraceroute "$3" </command> - <children> - <tagNode name="port"> - <properties> - <help>TCP port to connect to for path tracing</help> - <completionHelp> - <list>0-65535</list> - </completionHelp> - </properties> - <command>sudo /usr/bin/tcptraceroute "$3" $6</command> - </tagNode> - </children> - </node> - </children> - </tagNode> - <tagNode name="ipv6"> - <properties> - <help>Explicitly use IPv6 when tracing the path</help> - <completionHelp> - <list><hostname> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>/usr/bin/traceroute -6 "$3"</command> - <children> - <node name="tcp"> - <properties> - <help>Use TCP/IPv6 packets to perform a traceroute</help> - </properties> - <command>sudo /usr/bin/tcptraceroute6 "$3" </command> - <children> - <tagNode name="port"> - <properties> - <help>TCP port to connect to for path tracing</help> - <completionHelp> - <list>0-65535</list> - </completionHelp> - </properties> - <command>sudo /usr/bin/tcptraceroute6 "$3" $6</command> - </tagNode> - </children> - </node> - </children> - </tagNode> - <tagNode name="vrf"> - <properties> - <help>Track network path to specified node via given VRF</help> - <completionHelp> - <path>vrf name</path> - </completionHelp> - </properties> - <children> - <!-- we need an empty tagNode to pass in a plain fqdn/ip address and - let traceroute decide how to handle this parameter --> - <tagNode name=""> - <properties> - <help>Track network path to specified node via given VRF</help> - <completionHelp> - <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/traceroute "$4"</command> - </tagNode> - <tagNode name="ipv4"> - <properties> - <help>Explicitly use IPv4 when tracing the path via given VRF</help> - <completionHelp> - <list><hostname> <x.x.x.x></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/traceroute -4 "$5"</command> - <children> - <node name="tcp"> - <properties> - <help>Route tracing and port detection using TCP</help> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute "$5" </command> - <children> - <tagNode name="port"> - <properties> - <help>TCP port to connect to for path tracing</help> - <completionHelp> - <list>0-65535</list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute "$5" $8</command> - </tagNode> - </children> - </node> - </children> - </tagNode> - <tagNode name="ipv6"> - <properties> - <help>Explicitly use IPv6 when tracing the path via given VRF</help> - <completionHelp> - <list><hostname> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/traceroute -6 "$5"</command> - <children> - <node name="tcp"> - <properties> - <help>Use TCP/IPv6 packets to perform a traceroute</help> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" </command> - <children> - <tagNode name="port"> - <properties> - <help>TCP port to connect to for path tracing</help> - <completionHelp> - <list>0-65535</list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$3" /usr/bin/tcptraceroute6 "$5" $8</command> - </tagNode> - </children> - </node> - </children> - </tagNode> - </children> - </tagNode> - </children> - </node> - <node name="monitor"> - <children> - <tagNode name="traceroute"> - <properties> - <help>Monitor path to destination in realtime</help> - <completionHelp> - <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>/usr/bin/mtr "$3"</command> - </tagNode> - <node name="traceroute"> - <children> - <tagNode name="ipv4"> - <properties> - <help>IPv4 fully qualified domain name (FQDN)</help> - <completionHelp> - <list><fqdn></list> - </completionHelp> - </properties> - <command>/usr/bin/mtr -4 "$4"</command> - </tagNode> - <tagNode name="ipv6"> - <properties> - <help>IPv6 fully qualified domain name (FQDN)</help> - <completionHelp> - <list><fqdn></list> - </completionHelp> - </properties> - <command>/usr/bin/mtr -6 "$4"</command> - </tagNode> - <tagNode name="vrf"> - <properties> - <help>Monitor path to destination in realtime via given VRF</help> - <completionHelp> - <path>vrf name</path> - </completionHelp> - </properties> - <children> - <tagNode name="ipv4"> - <properties> - <help>IPv4 fully qualified domain name (FQDN)</help> - <completionHelp> - <list><fqdn></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$4" /usr/bin/mtr -4 "$6"</command> - </tagNode> - <tagNode name="ipv6"> - <properties> - <help>IPv6 fully qualified domain name (FQDN)</help> - <completionHelp> - <list><fqdn></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$4" /usr/bin/mtr -6 "$6"</command> - </tagNode> - <tagNode name=""> - <properties> - <help>Track network path to specified node via given VRF</help> - <completionHelp> - <list><hostname> <x.x.x.x> <h:h:h:h:h:h:h:h></list> - </completionHelp> - </properties> - <command>sudo ip vrf exec "$4" /usr/bin/mtr "$5"</command> - </tagNode> - </children> - </tagNode> - </children> - </node> + <command>${vyos_op_scripts_dir}/traceroute.py ${@:2}</command> + </leafNode> </children> - </node> + </tagNode> </interfaceDefinition> diff --git a/python/vyos/base.py b/python/vyos/base.py index fd22eaccd..78067d5b2 100644 --- a/python/vyos/base.py +++ b/python/vyos/base.py @@ -1,4 +1,4 @@ -# Copyright 2018-2021 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2018-2022 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -15,6 +15,12 @@ from textwrap import fill +class Warning(): + def __init__(self, message): + # Reformat the message and trim it to 72 characters in length + message = fill(message, width=72) + print(f'\nWARNING: {message}') + class DeprecationWarning(): def __init__(self, message): # Reformat the message and trim it to 72 characters in length diff --git a/python/vyos/config.py b/python/vyos/config.py index a5c1ad122..287fd2ed1 100644 --- a/python/vyos/config.py +++ b/python/vyos/config.py @@ -142,31 +142,41 @@ class Config(object): def exists(self, path): """ - Checks if a node with given path exists in the running or proposed config + Checks if a node or value with given path exists in the proposed config. + + Args: + path (str): Configuration tree path Returns: - True if node exists, False otherwise + True if node or value exists in the proposed config, False otherwise Note: - This function cannot be used outside a configuration sessions. + This function should not be used outside of configuration sessions. In operational mode scripts, use ``exists_effective``. """ - if not self._session_config: + if self._session_config is None: return False + + # Assume the path is a node path first if self._session_config.exists(self._make_path(path)): return True else: + # If that check fails, it may mean the path has a value at the end. # libvyosconfig exists() works only for _nodes_, not _values_ - # libvyattacfg one also worked for values, so we emulate that case here + # libvyattacfg also worked for values, so we emulate that case here if isinstance(path, str): path = re.split(r'\s+', path) path_without_value = path[:-1] - path_str = " ".join(path_without_value) try: - value = self._session_config.return_value(self._make_path(path_str)) - return (value == path[-1]) + # return_values() is safe to use with single-value nodes, + # it simply returns a single-item list in that case. + values = self._session_config.return_values(self._make_path(path_without_value)) + + # If we got this far, the node does exist and has values, + # so we need to check if it has the value in question among its values. + return (path[-1] in values) except vyos.configtree.ConfigTreeError: - # node doesn't exist at all + # Even the parent node doesn't exist at all return False def session_changed(self): @@ -380,7 +390,7 @@ class Config(object): def exists_effective(self, path): """ - Check if a node exists in the running (effective) config + Checks if a node or value exists in the running (effective) config. Args: path (str): Configuration tree path @@ -392,10 +402,31 @@ class Config(object): This function is safe to use in operational mode. In configuration mode, it ignores uncommited changes. """ - if self._running_config: - return(self._running_config.exists(self._make_path(path))) + if self._running_config is None: + return False + + # Assume the path is a node path first + if self._running_config.exists(self._make_path(path)): + return True + else: + # If that check fails, it may mean the path has a value at the end. + # libvyosconfig exists() works only for _nodes_, not _values_ + # libvyattacfg also worked for values, so we emulate that case here + if isinstance(path, str): + path = re.split(r'\s+', path) + path_without_value = path[:-1] + try: + # return_values() is safe to use with single-value nodes, + # it simply returns a single-item list in that case. + values = self._running_config.return_values(self._make_path(path_without_value)) + + # If we got this far, the node does exist and has values, + # so we need to check if it has the value in question among its values. + return (path[-1] in values) + except vyos.configtree.ConfigTreeError: + # Even the parent node doesn't exist at all + return False - return False def return_effective_value(self, path, default=None): """ diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py index 551c27b67..04ddc10e9 100644 --- a/python/vyos/configdict.py +++ b/python/vyos/configdict.py @@ -1,4 +1,4 @@ -# Copyright 2019 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2019-2022 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -104,6 +104,11 @@ def list_diff(first, second): second = set(second) return [item for item in first if item not in second] +def is_node_changed(conf, path): + from vyos.configdiff import get_config_diff + D = get_config_diff(conf, key_mangling=('-', '_')) + return D.is_node_changed(path) + def leaf_node_changed(conf, path): """ Check if a leaf node was altered. If it has been altered - values has been @@ -114,7 +119,6 @@ def leaf_node_changed(conf, path): """ from vyos.configdiff import get_config_diff D = get_config_diff(conf, key_mangling=('-', '_')) - D.set_level(conf.get_level()) (new, old) = D.get_value_diff(path) if new != old: if isinstance(old, dict): @@ -144,12 +148,11 @@ def node_changed(conf, path, key_mangling=None, recursive=False): """ from vyos.configdiff import get_config_diff, Diff D = get_config_diff(conf, key_mangling) - D.set_level(conf.get_level()) # get_child_nodes() will return dict_keys(), mangle this into a list with PEP448 keys = D.get_child_nodes_diff(path, expand_nodes=Diff.DELETE, recursive=recursive)['delete'].keys() return list(keys) -def get_removed_vlans(conf, dict): +def get_removed_vlans(conf, path, dict): """ Common function to parse a dictionary retrieved via get_config_dict() and determine any added/removed VLAN interfaces - be it 802.1q or Q-in-Q. @@ -159,16 +162,17 @@ def get_removed_vlans(conf, dict): # Check vif, vif-s/vif-c VLAN interfaces for removal D = get_config_diff(conf, key_mangling=('-', '_')) D.set_level(conf.get_level()) + # get_child_nodes() will return dict_keys(), mangle this into a list with PEP448 - keys = D.get_child_nodes_diff(['vif'], expand_nodes=Diff.DELETE)['delete'].keys() + keys = D.get_child_nodes_diff(path + ['vif'], expand_nodes=Diff.DELETE)['delete'].keys() if keys: dict['vif_remove'] = [*keys] # get_child_nodes() will return dict_keys(), mangle this into a list with PEP448 - keys = D.get_child_nodes_diff(['vif-s'], expand_nodes=Diff.DELETE)['delete'].keys() + keys = D.get_child_nodes_diff(path + ['vif-s'], expand_nodes=Diff.DELETE)['delete'].keys() if keys: dict['vif_s_remove'] = [*keys] for vif in dict.get('vif_s', {}).keys(): - keys = D.get_child_nodes_diff(['vif-s', vif, 'vif-c'], expand_nodes=Diff.DELETE)['delete'].keys() + keys = D.get_child_nodes_diff(path + ['vif-s', vif, 'vif-c'], expand_nodes=Diff.DELETE)['delete'].keys() if keys: dict['vif_s'][vif]['vif_c_remove'] = [*keys] return dict @@ -212,10 +216,6 @@ def is_member(conf, interface, intftype=None): intftype = intftypes if intftype == None else [intftype] - # set config level to root - old_level = conf.get_level() - conf.set_level([]) - for iftype in intftype: base = ['interfaces', iftype] for intf in conf.list_nodes(base): @@ -225,7 +225,6 @@ def is_member(conf, interface, intftype=None): get_first_key=True, no_tag_node_value_mangle=True) ret_val.update({intf : tmp}) - old_level = conf.set_level(old_level) return ret_val def is_mirror_intf(conf, interface, direction=None): @@ -247,8 +246,6 @@ def is_mirror_intf(conf, interface, direction=None): direction = directions if direction == None else [direction] ret_val = None - old_level = conf.get_level() - conf.set_level([]) base = ['interfaces'] for dir in direction: @@ -262,7 +259,6 @@ def is_mirror_intf(conf, interface, direction=None): get_first_key=True) ret_val = {intf : tmp} - old_level = conf.set_level(old_level) return ret_val def has_vlan_subinterface_configured(conf, intf): @@ -276,15 +272,11 @@ def has_vlan_subinterface_configured(conf, intf): from vyos.ifconfig import Section ret = False - old_level = conf.get_level() - conf.set_level([]) - intfpath = ['interfaces', Section.section(intf), intf] if ( conf.exists(intfpath + ['vif']) or conf.exists(intfpath + ['vif-s'])): ret = True - conf.set_level(old_level) return ret def is_source_interface(conf, interface, intftype=None): @@ -306,11 +298,6 @@ def is_source_interface(conf, interface, intftype=None): 'have a source-interface') intftype = intftypes if intftype == None else [intftype] - - # set config level to root - old_level = conf.get_level() - conf.set_level([]) - for it in intftype: base = ['interfaces', it] for intf in conf.list_nodes(base): @@ -319,7 +306,6 @@ def is_source_interface(conf, interface, intftype=None): ret_val = intf break - old_level = conf.set_level(old_level) return ret_val def get_dhcp_interfaces(conf, vrf=None): @@ -330,40 +316,67 @@ def get_dhcp_interfaces(conf, vrf=None): if not dict: return dhcp_interfaces - def check_dhcp(config, ifname): + def check_dhcp(config): + ifname = config['ifname'] tmp = {} if 'address' in config and 'dhcp' in config['address']: options = {} - if 'dhcp_options' in config and 'default_route_distance' in config['dhcp_options']: - options.update({'distance' : config['dhcp_options']['default_route_distance']}) + if dict_search('dhcp_options.default_route_distance', config) != None: + options.update({'dhcp_options' : config['dhcp_options']}) if 'vrf' in config: if vrf is config['vrf']: tmp.update({ifname : options}) else: tmp.update({ifname : options}) + return tmp for section, interface in dict.items(): for ifname in interface: + # always reset config level, as get_interface_dict() will alter it + conf.set_level([]) # we already have a dict representation of the config from get_config_dict(), # but with the extended information from get_interface_dict() we also # get the DHCP client default-route-distance default option if not specified. - ifconfig = get_interface_dict(conf, ['interfaces', section], ifname) + _, ifconfig = get_interface_dict(conf, ['interfaces', section], ifname) - tmp = check_dhcp(ifconfig, ifname) + tmp = check_dhcp(ifconfig) dhcp_interfaces.update(tmp) # check per VLAN interfaces for vif, vif_config in ifconfig.get('vif', {}).items(): - tmp = check_dhcp(vif_config, f'{ifname}.{vif}') + tmp = check_dhcp(vif_config) dhcp_interfaces.update(tmp) # check QinQ VLAN interfaces - for vif_s, vif_s_config in ifconfig.get('vif-s', {}).items(): - tmp = check_dhcp(vif_s_config, f'{ifname}.{vif_s}') + for vif_s, vif_s_config in ifconfig.get('vif_s', {}).items(): + tmp = check_dhcp(vif_s_config) dhcp_interfaces.update(tmp) - for vif_c, vif_c_config in vif_s_config.get('vif-c', {}).items(): - tmp = check_dhcp(vif_c_config, f'{ifname}.{vif_s}.{vif_c}') + for vif_c, vif_c_config in vif_s_config.get('vif_c', {}).items(): + tmp = check_dhcp(vif_c_config) dhcp_interfaces.update(tmp) return dhcp_interfaces +def get_pppoe_interfaces(conf, vrf=None): + """ Common helper functions to retrieve all interfaces from current CLI + sessions that have DHCP configured. """ + pppoe_interfaces = {} + for ifname in conf.list_nodes(['interfaces', 'pppoe']): + # always reset config level, as get_interface_dict() will alter it + conf.set_level([]) + # we already have a dict representation of the config from get_config_dict(), + # but with the extended information from get_interface_dict() we also + # get the DHCP client default-route-distance default option if not specified. + ifconfig = get_interface_dict(conf, ['interfaces', 'pppoe'], ifname) + + options = {} + if 'default_route_distance' in ifconfig: + options.update({'default_route_distance' : ifconfig['default_route_distance']}) + if 'no_default_route' in ifconfig: + options.update({'no_default_route' : {}}) + if 'vrf' in ifconfig: + if vrf is ifconfig['vrf']: pppoe_interfaces.update({ifname : options}) + else: pppoe_interfaces.update({ifname : options}) + + return pppoe_interfaces + def get_interface_dict(config, base, ifname=''): """ Common utility function to retrieve and mangle the interfaces configuration @@ -373,7 +386,6 @@ def get_interface_dict(config, base, ifname=''): Return a dictionary with the necessary interface config keys. """ - if not ifname: from vyos import ConfigError # determine tagNode instance @@ -390,9 +402,8 @@ def get_interface_dict(config, base, ifname=''): for vif in ['vif', 'vif_s']: if vif in default_values: del default_values[vif] - # setup config level which is extracted in get_removed_vlans() - config.set_level(base + [ifname]) - dict = config.get_config_dict([], key_mangling=('-', '_'), get_first_key=True, + dict = config.get_config_dict(base + [ifname], key_mangling=('-', '_'), + get_first_key=True, no_tag_node_value_mangle=True) # Check if interface has been removed. We must use exists() as @@ -400,8 +411,8 @@ def get_interface_dict(config, base, ifname=''): # node like the following exists. # +macsec macsec1 { # +} - if not config.exists([]): - dict.update({'deleted' : ''}) + if not config.exists(base + [ifname]): + dict.update({'deleted' : {}}) # Add interface instance name into dictionary dict.update({'ifname': ifname}) @@ -428,7 +439,7 @@ def get_interface_dict(config, base, ifname=''): # XXX: T2665: blend in proper DHCPv6-PD default values dict = T2665_set_dhcpv6pd_defaults(dict) - address = leaf_node_changed(config, ['address']) + address = leaf_node_changed(config, base + [ifname, 'address']) if address: dict.update({'address_old' : address}) # Check if we are a member of a bridge device @@ -459,10 +470,10 @@ def get_interface_dict(config, base, ifname=''): tmp = is_member(config, dict['source_interface'], 'bonding') if tmp: dict.update({'source_interface_is_bond_member' : tmp}) - mac = leaf_node_changed(config, ['mac']) + mac = leaf_node_changed(config, base + [ifname, 'mac']) if mac: dict.update({'mac_old' : mac}) - eui64 = leaf_node_changed(config, ['ipv6', 'address', 'eui64']) + eui64 = leaf_node_changed(config, base + [ifname, 'ipv6', 'address', 'eui64']) if eui64: tmp = dict_search('ipv6.address', dict) if not tmp: @@ -474,6 +485,9 @@ def get_interface_dict(config, base, ifname=''): # identical for all types of VLAN interfaces as they all include the same # XML definitions which hold the defaults. for vif, vif_config in dict.get('vif', {}).items(): + # Add subinterface name to dictionary + dict['vif'][vif].update({'ifname' : f'{ifname}.{vif}'}) + default_vif_values = defaults(base + ['vif']) # XXX: T2665: When there is no DHCPv6-PD configuration given, we can safely # remove the default values from the dict. @@ -483,7 +497,7 @@ def get_interface_dict(config, base, ifname=''): # Only add defaults if interface is not about to be deleted - this is # to keep a cleaner config dict. if 'deleted' not in dict: - address = leaf_node_changed(config, ['vif', vif, 'address']) + address = leaf_node_changed(config, base + [ifname, 'vif', vif, 'address']) if address: dict['vif'][vif].update({'address_old' : address}) dict['vif'][vif] = dict_merge(default_vif_values, dict['vif'][vif]) @@ -505,6 +519,9 @@ def get_interface_dict(config, base, ifname=''): if dhcp: dict['vif'][vif].update({'dhcp_options_changed' : ''}) for vif_s, vif_s_config in dict.get('vif_s', {}).items(): + # Add subinterface name to dictionary + dict['vif_s'][vif_s].update({'ifname' : f'{ifname}.{vif_s}'}) + default_vif_s_values = defaults(base + ['vif-s']) # XXX: T2665: we only wan't the vif-s defaults - do not care about vif-c if 'vif_c' in default_vif_s_values: del default_vif_s_values['vif_c'] @@ -517,7 +534,7 @@ def get_interface_dict(config, base, ifname=''): # Only add defaults if interface is not about to be deleted - this is # to keep a cleaner config dict. if 'deleted' not in dict: - address = leaf_node_changed(config, ['vif-s', vif_s, 'address']) + address = leaf_node_changed(config, base + [ifname, 'vif-s', vif_s, 'address']) if address: dict['vif_s'][vif_s].update({'address_old' : address}) dict['vif_s'][vif_s] = dict_merge(default_vif_s_values, @@ -541,6 +558,9 @@ def get_interface_dict(config, base, ifname=''): if dhcp: dict['vif_s'][vif_s].update({'dhcp_options_changed' : ''}) for vif_c, vif_c_config in vif_s_config.get('vif_c', {}).items(): + # Add subinterface name to dictionary + dict['vif_s'][vif_s]['vif_c'][vif_c].update({'ifname' : f'{ifname}.{vif_s}.{vif_c}'}) + default_vif_c_values = defaults(base + ['vif-s', 'vif-c']) # XXX: T2665: When there is no DHCPv6-PD configuration given, we can safely @@ -551,7 +571,7 @@ def get_interface_dict(config, base, ifname=''): # Only add defaults if interface is not about to be deleted - this is # to keep a cleaner config dict. if 'deleted' not in dict: - address = leaf_node_changed(config, ['vif-s', vif_s, 'vif-c', vif_c, 'address']) + address = leaf_node_changed(config, base + [ifname, 'vif-s', vif_s, 'vif-c', vif_c, 'address']) if address: dict['vif_s'][vif_s]['vif_c'][vif_c].update( {'address_old' : address}) @@ -578,8 +598,8 @@ def get_interface_dict(config, base, ifname=''): if dhcp: dict['vif_s'][vif_s]['vif_c'][vif_c].update({'dhcp_options_changed' : ''}) # Check vif, vif-s/vif-c VLAN interfaces for removal - dict = get_removed_vlans(config, dict) - return dict + dict = get_removed_vlans(config, base + [ifname], dict) + return ifname, dict def get_vlan_ids(interface): """ diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py index 1062d51ee..438485d98 100644 --- a/python/vyos/configverify.py +++ b/python/vyos/configverify.py @@ -1,4 +1,4 @@ -# Copyright 2020-2021 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2020-2022 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -205,10 +205,10 @@ def verify_mirror_redirect(config): raise ConfigError(f'Requested redirect interface "{redirect_ifname}" '\ 'does not exist!') - if dict_search('traffic_policy.in', config) != None: + if ('mirror' in config or 'redirect' in config) and dict_search('traffic_policy.in', config) is not None: # XXX: support combination of limiting and redirect/mirror - this is an # artificial limitation - raise ConfigError('Can not use ingress policy tigether with mirror or redirect!') + raise ConfigError('Can not use ingress policy together with mirror or redirect!') def verify_authentication(config): """ diff --git a/python/vyos/ethtool.py b/python/vyos/ethtool.py index 672ee2cc9..2b6012a73 100644 --- a/python/vyos/ethtool.py +++ b/python/vyos/ethtool.py @@ -1,4 +1,4 @@ -# Copyright 2021 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2021-2022 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public @@ -18,8 +18,10 @@ import re from vyos.util import popen -# These drivers do not support using ethtool to change the speed, duplex, or flow control settings -_drivers_without_speed_duplex_flow = ['vmxnet3', 'virtio_net', 'xen_netfront', 'iavf', 'ice', 'i40e'] +# These drivers do not support using ethtool to change the speed, duplex, or +# flow control settings +_drivers_without_speed_duplex_flow = ['vmxnet3', 'virtio_net', 'xen_netfront', + 'iavf', 'ice', 'i40e', 'hv_netvsc'] class Ethtool: """ diff --git a/python/vyos/ifconfig/ethernet.py b/python/vyos/ifconfig/ethernet.py index 9d54dc78e..1280fc238 100644 --- a/python/vyos/ifconfig/ethernet.py +++ b/python/vyos/ifconfig/ethernet.py @@ -170,11 +170,18 @@ class EthernetIf(Interface): return cmd = f'ethtool --change {ifname}' - if speed == 'auto' or duplex == 'auto': - cmd += ' autoneg on' - else: - cmd += f' speed {speed} duplex {duplex} autoneg off' - return self._cmd(cmd) + try: + if speed == 'auto' or duplex == 'auto': + cmd += ' autoneg on' + else: + cmd += f' speed {speed} duplex {duplex} autoneg off' + return self._cmd(cmd) + except PermissionError: + # Some NICs do not tell that they don't suppport settings speed/duplex, + # but they do not actually support it either. + # In that case it's probably better to ignore the error + # than end up with a broken config. + print('Warning: could not set speed/duplex settings: operation not permitted!') def set_gro(self, state): """ diff --git a/python/vyos/ifconfig/geneve.py b/python/vyos/ifconfig/geneve.py index 7cb3968df..276c34cd7 100644 --- a/python/vyos/ifconfig/geneve.py +++ b/python/vyos/ifconfig/geneve.py @@ -42,7 +42,7 @@ class GeneveIf(Interface): # arguments used by iproute2. For more information please refer to: # - https://man7.org/linux/man-pages/man8/ip-link.8.html mapping = { - 'parameters.ip.dont_fragment': 'df set', + 'parameters.ip.df' : 'df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', 'parameters.ipv6.flowlabel' : 'flowlabel', diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py index 6b0f08fd4..22441d1d2 100755 --- a/python/vyos/ifconfig/interface.py +++ b/python/vyos/ifconfig/interface.py @@ -736,8 +736,9 @@ class Interface(Control): if all_rp_filter == 1: global_setting = 'strict' elif all_rp_filter == 2: global_setting = 'loose' - print(f'WARNING: Global source-validation is set to "{global_setting}\n"' \ - 'this overrides per interface setting!') + from vyos.base import Warning + Warning(f'Global source-validation is set to "{global_setting} '\ + f'this overrides per interface setting!') tmp = self.get_interface('rp_filter') if int(tmp) == value: @@ -1243,8 +1244,8 @@ class Interface(Control): tmp = {'dhcp_options' : { 'host_name' : hostname}} self._config = dict_merge(tmp, self._config) - render(options_file, 'dhcp-client/daemon-options.tmpl', self._config) - render(config_file, 'dhcp-client/ipv4.tmpl', self._config) + render(options_file, 'dhcp-client/daemon-options.j2', self._config) + render(config_file, 'dhcp-client/ipv4.j2', self._config) # When the DHCP client is restarted a brief outage will occur, as # the old lease is released a new one is acquired (T4203). We will @@ -1274,8 +1275,7 @@ class Interface(Control): systemd_service = f'dhcp6c@{ifname}.service' if enable and 'disable' not in self._config: - render(config_file, 'dhcp-client/ipv6.tmpl', - self._config) + render(config_file, 'dhcp-client/ipv6.j2', self._config) # We must ignore any return codes. This is required to enable # DHCPv6-PD for interfaces which are yet not up and running. @@ -1587,12 +1587,10 @@ class Interface(Control): tmp['source_interface'] = ifname tmp['vlan_id'] = vif_s_id - vif_s_ifname = f'{ifname}.{vif_s_id}' - vif_s_config['ifname'] = vif_s_ifname - # It is not possible to change the VLAN encapsulation protocol # "on-the-fly". For this "quirk" we need to actively delete and # re-create the VIF-S interface. + vif_s_ifname = f'{ifname}.{vif_s_id}' if self.exists(vif_s_ifname): cur_cfg = get_interface_config(vif_s_ifname) protocol = dict_search('linkinfo.info_data.protocol', cur_cfg).lower() @@ -1614,7 +1612,6 @@ class Interface(Control): tmp['vlan_id'] = vif_c_id vif_c_ifname = f'{vif_s_ifname}.{vif_c_id}' - vif_c_config['ifname'] = vif_c_ifname c_vlan = VLANIf(vif_c_ifname, **tmp) c_vlan.update(vif_c_config) @@ -1625,10 +1622,7 @@ class Interface(Control): # create/update 802.1q VLAN interfaces for vif_id, vif_config in config.get('vif', {}).items(): - vif_ifname = f'{ifname}.{vif_id}' - vif_config['ifname'] = vif_ifname - tmp = deepcopy(VLANIf.get_config()) tmp['source_interface'] = ifname tmp['vlan_id'] = vif_id diff --git a/python/vyos/ifconfig/pppoe.py b/python/vyos/ifconfig/pppoe.py index 1d13264bf..63ffc8069 100644 --- a/python/vyos/ifconfig/pppoe.py +++ b/python/vyos/ifconfig/pppoe.py @@ -27,12 +27,13 @@ class PPPoEIf(Interface): }, } - def _remove_routes(self, vrf=''): + def _remove_routes(self, vrf=None): # Always delete default routes when interface is removed + vrf_cmd = '' if vrf: - vrf = f'-c "vrf {vrf}"' - self._cmd(f'vtysh -c "conf t" {vrf} -c "no ip route 0.0.0.0/0 {self.ifname} tag 210"') - self._cmd(f'vtysh -c "conf t" {vrf} -c "no ipv6 route ::/0 {self.ifname} tag 210"') + vrf_cmd = f'-c "vrf {vrf}"' + self._cmd(f'vtysh -c "conf t" {vrf_cmd} -c "no ip route 0.0.0.0/0 {self.ifname} tag 210"') + self._cmd(f'vtysh -c "conf t" {vrf_cmd} -c "no ipv6 route ::/0 {self.ifname} tag 210"') def remove(self): """ @@ -44,11 +45,11 @@ class PPPoEIf(Interface): >>> i = Interface('pppoe0') >>> i.remove() """ - + vrf = None tmp = get_interface_config(self.ifname) - vrf = '' if 'master' in tmp: - self._remove_routes(tmp['master']) + vrf = tmp['master'] + self._remove_routes(vrf) # remove bond master which places members in disabled state super().remove() @@ -84,10 +85,12 @@ class PPPoEIf(Interface): self._config = config # remove old routes from an e.g. old VRF assignment - vrf = '' - if 'vrf_old' in config: - vrf = config['vrf_old'] - self._remove_routes(vrf) + if 'shutdown_required': + vrf = None + tmp = get_interface_config(self.ifname) + if 'master' in tmp: + vrf = tmp['master'] + self._remove_routes(vrf) # DHCPv6 PD handling is a bit different on PPPoE interfaces, as we do # not require an 'address dhcpv6' CLI option as with other interfaces @@ -98,54 +101,15 @@ class PPPoEIf(Interface): super().update(config) - if 'default_route' not in config or config['default_route'] == 'none': - return - - # - # Set default routes pointing to pppoe interface - # - vrf = '' - sed_opt = '^ip route' - - install_v4 = True - install_v6 = True - # generate proper configuration string when VRFs are in use + vrf = '' if 'vrf' in config: tmp = config['vrf'] vrf = f'-c "vrf {tmp}"' - sed_opt = f'vrf {tmp}' - - if config['default_route'] == 'auto': - # only add route if there is no default route present - tmp = self._cmd(f'vtysh -c "show running-config staticd no-header" | sed -n "/{sed_opt}/,/!/p"') - for line in tmp.splitlines(): - line = line.lstrip() - if line.startswith('ip route 0.0.0.0/0'): - install_v4 = False - continue - - if 'ipv6' in config and line.startswith('ipv6 route ::/0'): - install_v6 = False - continue - - elif config['default_route'] == 'force': - # Force means that all static routes are replaced with the ones from this interface - tmp = self._cmd(f'vtysh -c "show running-config staticd no-header" | sed -n "/{sed_opt}/,/!/p"') - for line in tmp.splitlines(): - if self.ifname in line: - # It makes no sense to remove a route with our interface and the later re-add it. - # This will only make traffic disappear - which is a no-no! - continue - - line = line.lstrip() - if line.startswith('ip route 0.0.0.0/0'): - self._cmd(f'vtysh -c "conf t" {vrf} -c "no {line}"') - - if 'ipv6' in config and line.startswith('ipv6 route ::/0'): - self._cmd(f'vtysh -c "conf t" {vrf} -c "no {line}"') - - if install_v4: - self._cmd(f'vtysh -c "conf t" {vrf} -c "ip route 0.0.0.0/0 {self.ifname} tag 210"') - if install_v6 and 'ipv6' in config: - self._cmd(f'vtysh -c "conf t" {vrf} -c "ipv6 route ::/0 {self.ifname} tag 210"') + + if 'no_default_route' not in config: + # Set default route(s) pointing to PPPoE interface + distance = config['default_route_distance'] + self._cmd(f'vtysh -c "conf t" {vrf} -c "ip route 0.0.0.0/0 {self.ifname} tag 210 {distance}"') + if 'ipv6' in config: + self._cmd(f'vtysh -c "conf t" {vrf} -c "ipv6 route ::/0 {self.ifname} tag 210 {distance}"') diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py index 516a19f24..5baff10a9 100644 --- a/python/vyos/ifconfig/vxlan.py +++ b/python/vyos/ifconfig/vxlan.py @@ -57,7 +57,7 @@ class VXLANIf(Interface): 'group' : 'group', 'external' : 'external', 'gpe' : 'gpe', - 'parameters.ip.dont_fragment': 'df set', + 'parameters.ip.df' : 'df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', 'parameters.ipv6.flowlabel' : 'flowlabel', diff --git a/smoketest/configs.no-load/firewall-big b/smoketest/configs.no-load/firewall-big new file mode 100644 index 000000000..94b0c6dd5 --- /dev/null +++ b/smoketest/configs.no-load/firewall-big @@ -0,0 +1,43440 @@ +firewall { + all-ping enable + broadcast-ping disable + config-trap disable + group { + address-group CENTREON_SERVERS { + address 109.228.63.82 + } + address-group CLUSTER_ADDRESSES { + address 10.255.255.4 + address 10.255.255.5 + address 77.68.76.16 + address 77.68.77.16 + address 172.16.255.254 + address 77.68.76.14 + address 77.68.77.14 + address 77.68.76.13 + address 77.68.77.13 + address 77.68.76.12 + address 77.68.77.12 + address 77.68.77.67 + address 77.68.77.103 + address 77.68.77.130 + address 77.68.76.245 + address 77.68.77.85 + address 77.68.76.45 + address 77.68.77.144 + address 77.68.77.105 + address 77.68.76.122 + address 77.68.76.104 + address 77.68.77.115 + address 77.68.77.178 + address 77.68.76.239 + address 77.68.76.30 + address 77.68.77.249 + address 77.68.76.59 + address 77.68.77.44 + address 77.68.77.200 + address 77.68.77.228 + address 77.68.76.191 + address 77.68.76.102 + address 77.68.77.26 + address 77.68.76.152 + address 77.68.77.212 + address 77.68.76.142 + address 77.68.76.60 + address 77.68.77.253 + address 77.68.76.54 + address 77.68.76.33 + address 77.68.77.114 + address 77.68.77.176 + address 77.68.77.219 + address 77.68.77.19 + address 77.68.77.22 + address 77.68.77.248 + address 77.68.76.161 + address 77.68.77.56 + address 77.68.77.129 + address 77.68.77.140 + address 77.68.76.177 + address 77.68.77.117 + address 77.68.77.108 + address 77.68.76.50 + address 77.68.76.217 + address 77.68.77.160 + address 77.68.77.30 + address 77.68.77.21 + address 77.68.76.29 + address 77.68.76.158 + address 77.68.76.203 + address 77.68.77.243 + address 77.68.77.54 + address 77.68.76.22 + address 77.68.76.25 + address 77.68.76.21 + address 77.68.77.221 + address 77.68.77.76 + address 77.68.76.127 + address 77.68.77.139 + address 77.68.77.240 + address 77.68.76.39 + address 77.68.76.149 + address 77.68.77.57 + address 77.68.77.185 + address 77.68.76.116 + address 77.68.76.160 + address 77.68.77.70 + address 77.68.77.149 + address 77.68.76.57 + address 77.68.76.115 + address 77.68.76.200 + address 77.68.76.23 + address 77.68.77.46 + address 77.68.76.198 + address 77.68.77.141 + address 77.68.77.50 + address 77.68.77.128 + address 77.68.77.88 + address 77.68.76.80 + address 77.68.76.35 + address 77.68.77.204 + address 77.68.77.201 + address 77.68.77.97 + address 77.68.76.195 + address 77.68.76.202 + address 77.68.76.157 + address 77.68.77.159 + address 77.68.76.118 + address 77.68.76.38 + address 77.68.77.203 + address 77.68.77.233 + address 77.68.77.163 + address 77.68.77.49 + address 77.68.76.58 + address 77.68.77.171 + address 77.68.77.150 + address 77.68.77.199 + address 77.68.76.220 + address 77.68.77.156 + address 77.68.76.248 + address 77.68.76.171 + address 77.68.76.212 + address 77.68.77.132 + address 77.68.77.81 + address 77.68.76.37 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.99 + address 77.68.77.211 + address 77.68.77.236 + address 77.68.76.252 + address 77.68.77.32 + address 77.68.77.247 + address 77.68.76.209 + address 77.68.77.202 + address 77.68.76.247 + address 77.68.77.99 + address 77.68.76.169 + address 77.68.76.95 + address 77.68.76.187 + address 77.68.77.222 + address 77.68.77.53 + address 77.68.77.124 + address 77.68.76.61 + address 77.68.77.43 + address 77.68.76.94 + address 77.68.77.165 + address 77.68.77.152 + address 77.68.76.44 + address 77.68.76.47 + address 77.68.76.74 + address 77.68.76.55 + address 77.68.77.75 + address 77.68.77.239 + address 77.68.76.75 + address 77.68.77.71 + address 77.68.76.145 + address 77.68.77.145 + address 77.68.77.68 + address 77.68.76.126 + address 77.68.76.88 + address 77.68.77.181 + address 77.68.76.112 + address 77.68.77.33 + address 77.68.77.137 + address 77.68.77.92 + address 77.68.76.111 + address 77.68.76.185 + address 77.68.76.208 + address 77.68.76.150 + address 77.68.77.208 + address 77.68.76.42 + address 77.68.76.164 + address 77.68.77.207 + address 77.68.76.49 + address 77.68.77.227 + address 77.68.76.136 + address 77.68.76.77 + address 77.68.76.123 + address 77.68.76.31 + address 77.68.76.148 + address 77.68.77.120 + address 77.68.76.183 + address 77.68.77.107 + address 77.68.76.141 + address 77.68.76.105 + address 77.68.76.251 + address 77.68.76.249 + address 77.68.77.59 + address 77.68.77.37 + address 77.68.77.65 + address 77.68.76.231 + address 77.68.77.24 + address 77.68.77.63 + address 77.68.76.234 + address 77.68.76.93 + address 77.68.77.77 + address 77.68.77.151 + address 77.68.76.235 + address 77.68.77.95 + address 77.68.77.190 + address 77.68.76.91 + address 77.68.77.79 + address 77.68.77.100 + address 77.68.76.241 + address 77.68.77.209 + address 77.68.76.110 + address 77.68.76.40 + address 77.68.76.76 + address 77.68.76.124 + address 77.68.77.234 + address 77.68.76.219 + address 77.68.77.90 + address 77.68.76.107 + address 77.68.76.26 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.77.231 + address 77.68.76.254 + address 77.68.77.251 + address 77.68.77.74 + address 77.68.77.192 + address 77.68.76.253 + address 77.68.77.214 + address 77.68.76.92 + address 77.68.76.250 + address 77.68.77.215 + address 77.68.76.165 + address 77.68.77.254 + address 77.68.76.120 + address 77.68.76.228 + address 77.68.77.157 + address 77.68.77.205 + address 77.68.76.138 + address 77.68.77.102 + address 77.68.76.181 + address 77.68.76.139 + address 77.68.76.243 + address 77.68.76.244 + address 77.68.76.114 + address 77.68.77.72 + address 77.68.77.161 + address 77.68.77.38 + address 77.68.77.62 + address 77.68.92.186 + address 77.68.91.195 + address 77.68.23.35 + address 77.68.84.155 + address 77.68.17.26 + address 77.68.76.96 + address 77.68.28.145 + address 77.68.76.48 + address 109.228.56.185 + address 77.68.84.147 + address 77.68.23.64 + address 77.68.26.166 + address 77.68.29.178 + address 77.68.12.195 + address 77.68.21.78 + address 77.68.5.166 + address 77.68.5.187 + address 77.68.4.111 + address 77.68.4.22 + address 77.68.7.227 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.7.222 + address 77.68.4.39 + address 77.68.4.25 + address 77.68.7.160 + address 77.68.27.211 + address 77.68.89.183 + address 77.68.24.59 + address 77.68.7.114 + address 77.68.75.113 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.94.181 + address 77.68.30.164 + address 77.68.30.133 + address 77.68.7.67 + address 77.68.77.174 + address 77.68.27.54 + address 77.68.4.136 + address 77.68.72.202 + address 77.68.112.83 + address 77.68.85.172 + address 77.68.23.158 + address 77.68.112.75 + address 77.68.24.112 + address 77.68.112.213 + address 77.68.72.254 + address 77.68.20.161 + address 77.68.26.216 + address 77.68.112.184 + address 77.68.79.82 + address 77.68.27.57 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.118.120 + address 77.68.117.51 + address 77.68.118.102 + address 77.68.116.119 + address 77.68.117.45 + address 77.68.116.220 + address 77.68.116.232 + address 77.68.117.222 + address 77.68.118.15 + address 77.68.116.221 + address 77.68.116.183 + address 77.68.119.14 + address 77.68.112.91 + address 77.68.117.202 + address 77.68.118.104 + address 77.68.7.172 + address 77.68.83.41 + address 77.68.15.95 + address 77.68.4.57 + address 77.68.85.27 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.112.248 + address 109.228.60.215 + address 109.228.55.82 + address 77.68.7.186 + address 77.68.6.210 + address 77.68.77.238 + address 77.68.10.142 + address 77.68.31.144 + address 77.68.93.246 + address 77.68.121.127 + address 77.68.121.94 + address 77.68.120.241 + address 77.68.121.106 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.120.146 + address 77.68.120.249 + address 77.68.122.241 + address 77.68.119.92 + address 77.68.120.26 + address 77.68.81.141 + address 77.68.79.206 + address 77.68.116.52 + address 77.68.88.100 + address 77.68.6.105 + address 77.68.78.229 + address 77.68.6.32 + address 77.68.10.170 + address 77.68.76.229 + address 77.68.95.42 + address 77.68.28.207 + address 77.68.17.186 + address 77.68.4.252 + address 77.68.24.220 + address 77.68.2.215 + address 77.68.91.128 + address 77.68.22.146 + address 77.68.23.112 + address 77.68.75.245 + address 77.68.125.218 + address 77.68.125.32 + address 77.68.12.250 + address 109.228.37.174 + address 77.68.127.151 + address 109.228.37.114 + address 109.228.36.229 + address 109.228.37.240 + address 109.228.61.31 + address 109.228.35.110 + address 109.228.39.157 + address 109.228.39.249 + address 109.228.38.171 + address 109.228.40.226 + address 109.228.40.207 + address 109.228.40.247 + address 77.68.126.51 + address 77.68.117.214 + address 77.68.113.117 + address 77.68.117.142 + address 77.68.17.200 + address 77.68.4.242 + address 77.68.86.148 + address 109.228.39.151 + address 109.228.40.194 + address 77.68.114.183 + address 77.68.90.132 + address 77.68.16.247 + address 77.68.6.110 + address 109.228.36.37 + address 77.68.127.172 + address 77.68.14.88 + address 77.68.120.229 + address 213.171.212.203 + address 213.171.213.41 + address 213.171.213.175 + address 213.171.213.97 + address 213.171.212.171 + address 213.171.212.89 + address 213.171.214.96 + address 213.171.212.172 + address 213.171.215.252 + address 213.171.213.242 + address 213.171.213.31 + address 213.171.212.71 + address 213.171.208.58 + address 77.68.25.130 + address 213.171.215.184 + address 77.68.13.76 + address 109.228.56.242 + address 77.68.25.146 + address 109.228.46.81 + address 77.68.77.69 + address 213.171.210.19 + address 77.68.120.45 + address 77.68.116.36 + address 213.171.211.128 + address 77.68.25.124 + address 109.228.48.249 + address 213.171.210.59 + address 213.171.215.43 + address 109.228.40.195 + address 109.228.52.186 + address 77.68.113.164 + address 77.68.114.93 + address 77.68.75.253 + address 109.228.53.243 + address 109.228.36.194 + address 77.68.28.147 + address 77.68.123.250 + address 185.132.36.24 + address 185.132.39.129 + address 185.132.36.142 + address 185.132.39.68 + address 185.132.36.17 + address 185.132.36.148 + address 185.132.37.101 + address 185.132.39.44 + address 185.132.39.37 + address 185.132.37.102 + address 185.132.38.142 + address 185.132.38.114 + address 185.132.38.95 + address 185.132.37.83 + address 185.132.36.7 + address 109.228.40.222 + address 77.68.119.188 + address 77.68.74.85 + address 77.68.91.22 + address 213.171.212.136 + address 185.132.38.216 + address 77.68.120.31 + address 77.68.95.212 + address 109.228.42.232 + address 77.68.13.137 + address 77.68.85.73 + address 77.68.85.115 + address 109.228.36.174 + address 77.68.9.186 + address 77.68.27.18 + address 77.68.27.27 + address 77.68.27.28 + address 77.68.3.80 + address 77.68.3.121 + address 77.68.3.144 + address 77.68.3.161 + address 77.68.3.194 + address 77.68.3.247 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.93.125 + address 77.68.74.39 + address 77.68.78.73 + address 77.68.5.95 + address 77.68.74.152 + address 77.68.87.212 + address 77.68.3.52 + address 77.68.114.136 + address 77.68.125.60 + address 213.171.214.167 + address 77.68.114.234 + address 213.171.213.42 + address 109.228.59.247 + address 185.132.39.99 + address 185.132.39.145 + address 109.228.35.84 + address 185.132.36.60 + address 185.132.40.11 + address 185.132.39.219 + address 77.68.26.221 + address 185.132.40.56 + address 77.68.117.29 + address 185.132.40.90 + address 109.228.38.201 + address 185.132.40.244 + address 77.68.11.140 + address 213.171.210.155 + address 185.132.37.23 + address 213.171.214.234 + address 77.68.77.29 + address 77.68.20.217 + address 185.132.40.152 + address 77.68.9.75 + address 213.171.210.177 + address 185.132.41.72 + address 185.132.41.73 + address 77.68.5.155 + address 185.132.43.6 + address 77.68.75.45 + address 109.228.46.196 + address 185.132.43.28 + address 77.68.89.72 + address 185.132.43.98 + address 77.68.76.176 + address 185.132.43.164 + address 185.132.43.157 + address 77.68.6.119 + address 77.68.92.92 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.32.43 + address 185.132.38.248 + address 77.68.120.218 + address 77.68.32.31 + address 77.68.32.254 + address 77.68.32.118 + address 77.68.82.157 + address 77.68.121.119 + address 77.68.74.209 + address 77.68.33.68 + address 77.68.24.172 + address 77.68.33.197 + address 77.68.33.48 + address 77.68.34.26 + address 77.68.34.28 + address 77.68.79.89 + address 77.68.76.137 + address 77.68.33.216 + address 77.68.32.83 + address 77.68.32.86 + address 77.68.32.89 + address 77.68.34.138 + address 77.68.34.139 + address 77.68.123.177 + address 77.68.35.116 + address 77.68.33.171 + address 213.171.208.40 + address 77.68.118.86 + address 77.68.48.81 + address 77.68.48.89 + address 77.68.48.105 + address 77.68.85.18 + address 77.68.26.228 + address 77.68.49.4 + address 77.68.80.26 + address 77.68.80.97 + address 77.68.126.101 + address 77.68.126.14 + address 77.68.49.12 + address 77.68.117.173 + address 77.68.8.144 + address 77.68.82.147 + address 77.68.24.134 + address 77.68.112.167 + address 77.68.49.126 + address 77.68.49.178 + address 77.68.50.91 + address 77.68.50.90 + address 77.68.24.63 + address 109.228.37.187 + address 77.68.50.193 + address 77.68.50.198 + address 77.68.50.142 + address 77.68.114.237 + address 77.68.115.17 + address 77.68.49.159 + address 77.68.49.160 + address 213.171.208.176 + address 77.68.116.84 + address 77.68.126.160 + address 185.132.36.56 + address 77.68.49.161 + address 77.68.34.50 + address 185.132.41.240 + address 77.68.51.214 + address 77.68.51.202 + address 185.132.37.133 + address 77.68.77.42 + address 77.68.100.132 + address 77.68.100.134 + address 77.68.100.150 + address 185.132.41.148 + address 77.68.101.64 + address 213.171.210.25 + address 77.68.101.124 + address 77.68.101.125 + address 77.68.89.247 + address 185.132.39.109 + address 77.68.100.167 + address 77.68.5.125 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.12.45 + address 77.68.4.180 + address 213.171.214.102 + address 77.68.126.22 + address 77.68.114.205 + address 109.228.36.119 + address 213.171.212.90 + address 77.68.33.37 + address 185.132.43.71 + address 185.132.43.113 + address 77.68.48.202 + address 185.132.40.166 + address 77.68.112.90 + address 77.68.112.175 + address 77.68.103.19 + address 77.68.103.120 + address 77.68.33.24 + address 77.68.103.147 + address 109.228.47.223 + address 109.228.58.134 + address 109.228.56.97 + address 77.68.31.96 + address 77.68.103.227 + address 88.208.196.91 + address 88.208.196.92 + address 88.208.196.154 + address 88.208.197.10 + address 77.68.87.164 + address 77.68.93.164 + address 185.132.37.47 + address 77.68.75.64 + address 88.208.197.118 + address 88.208.197.135 + address 88.208.197.150 + address 88.208.197.155 + address 88.208.197.160 + address 88.208.197.60 + address 109.228.37.10 + address 88.208.215.61 + address 77.68.102.129 + address 88.208.196.123 + address 109.228.36.79 + address 185.132.38.182 + address 88.208.215.62 + address 88.208.215.157 + address 88.208.198.251 + address 88.208.215.19 + address 88.208.198.39 + address 109.228.38.117 + address 77.68.29.65 + address 88.208.215.121 + address 77.68.115.142 + address 77.68.76.108 + address 88.208.198.64 + address 88.208.198.66 + address 77.68.3.61 + address 88.208.198.92 + address 77.68.74.232 + address 77.68.118.88 + address 77.68.100.77 + address 77.68.48.14 + address 88.208.198.69 + address 88.208.197.23 + address 88.208.199.249 + address 213.171.212.114 + address 109.228.39.41 + address 88.208.199.141 + address 77.68.21.171 + address 88.208.199.233 + address 88.208.212.31 + address 77.68.102.5 + address 88.208.212.94 + address 109.228.61.37 + address 88.208.199.46 + address 77.68.78.113 + address 88.208.212.182 + address 88.208.212.188 + address 185.132.40.124 + address 213.171.209.217 + address 77.68.103.56 + address 88.208.197.208 + address 88.208.197.129 + } + address-group CMK_SATELLITES { + address 82.223.144.252 + address 109.228.63.67 + address 109.228.63.66 + address 82.223.200.61 + address 195.20.253.14 + address 217.72.206.27 + } + address-group DHCP_SERVERS { + address 10.255.241.13 + address 10.255.241.14 + address 10.255.242.13 + address 10.255.242.14 + address 10.255.243.13 + address 10.255.243.14 + address 10.255.244.13 + address 10.255.244.14 + address 10.255.245.13 + address 10.255.245.14 + address 10.255.246.13 + address 10.255.246.14 + address 10.255.247.13 + address 10.255.247.14 + address 10.255.248.13 + address 10.255.248.14 + address 10.255.249.13 + address 10.255.249.14 + address 77.68.76.14 + address 77.68.77.14 + address 77.68.76.13 + address 77.68.77.13 + } + address-group DNSCACHE_SERVERS { + address 10.255.255.4 + address 10.255.255.5 + address 77.68.76.12 + address 77.68.77.12 + } + address-group DT_BLOCKED { + address 172.16.255.254 + } + address-group DT_FW0A5C4_1 { + address 185.132.40.56 + } + address-group DT_FW0B352_1 { + address 77.68.77.238 + } + address-group DT_FW0BB22_1 { + address 77.68.16.247 + } + address-group DT_FW0BD92_3 { + address 109.228.36.79 + } + address-group DT_FW0C2E6_4 { + address 77.68.76.110 + } + address-group DT_FW0C8E1_1 { + address 77.68.77.103 + } + address-group DT_FW0C25B_1 { + address 77.68.86.148 + } + address-group DT_FW00D98_1 { + address 77.68.76.88 + } + address-group DT_FW0E2EE_1 { + address 213.171.211.128 + } + address-group DT_FW0E383_9 { + address 77.68.77.114 + } + address-group DT_FW0EA3F_1 { + address 77.68.49.159 + } + address-group DT_FW1ACD9_2 { + address 77.68.76.108 + } + address-group DT_FW1C8F2_1 { + address 185.132.37.83 + } + address-group DT_FW1CB16_1 { + address 77.68.29.178 + } + address-group DT_FW1CC15_2 { + address 77.68.77.248 + } + address-group DT_FW1D511_2 { + address 213.171.213.175 + } + address-group DT_FW1F3D0_6 { + address 77.68.76.250 + } + address-group DT_FW1F126_1 { + address 77.68.76.137 + } + address-group DT_FW1FA8E_1 { + address 185.132.37.101 + } + address-group DT_FW1FA9E_1 { + address 77.68.118.104 + } + address-group DT_FW2ACFF_1 { + address 77.68.24.220 + } + address-group DT_FW2B4BA_1 { + address 77.68.33.68 + } + address-group DT_FW2B279_4 { + address 77.68.77.204 + } + address-group DT_FW2BB8D_1 { + address 77.68.77.181 + } + address-group DT_FW2BF20_3 { + address 77.68.76.187 + } + address-group DT_FW2C5AE_1 { + address 77.68.76.228 + } + address-group DT_FW2E8D4_1 { + address 77.68.77.249 + } + address-group DT_FW2E060_1 { + address 77.68.77.215 + } + address-group DT_FW2ED4D_2 { + address 109.228.39.151 + } + address-group DT_FW2EF2C_1 { + address 77.68.11.140 + } + address-group DT_FW2F868_6 { + address 77.68.76.254 + } + address-group DT_FW2FB61_1 { + address 109.228.38.117 + } + address-group DT_FW3A12F_1 { + address 77.68.5.95 + } + address-group DT_FW3AD6F_1 { + address 77.68.120.241 + } + address-group DT_FW03B35_1 { + address 77.68.125.60 + } + address-group DT_FW3B068_2 { + address 77.68.77.63 + } + address-group DT_FW3CAAB_1 { + address 77.68.76.234 + } + address-group DT_FW3DBF8_9 { + address 77.68.76.198 + } + address-group DT_FW3EBC8_1 { + address 77.68.13.76 + } + address-group DT_FW03F2E_1 { + address 77.68.102.5 + } + address-group DT_FW3F465_1 { + address 109.228.36.119 + } + address-group DT_FW4AE7D_1 { + address 77.68.76.60 + } + address-group DT_FW4C136_1 { + address 77.68.76.50 + } + address-group DT_FW4D3E6_1 { + address 77.68.100.77 + } + address-group DT_FW4DB0A_1 { + address 77.68.49.161 + } + address-group DT_FW4E314_1 { + address 109.228.40.222 + } + address-group DT_FW4E399_1 { + address 213.171.214.96 + } + address-group DT_FW4F5EE_10 { + address 77.68.116.220 + } + address-group DT_FW4F81F_4 { + address 77.68.77.43 + } + address-group DT_FW5A5D7_3 { + address 77.68.77.205 + } + address-group DT_FW5A77C_16 { + address 77.68.76.202 + } + address-group DT_FW5A521_3 { + address 77.68.79.89 + } + address-group DT_FW05AD0_2 { + address 77.68.77.72 + } + address-group DT_FW5AE10_1 { + address 109.228.37.114 + } + address-group DT_FW5CBB2_1 { + address 77.68.77.150 + } + address-group DT_FW5D0FA_1 { + address 185.132.43.157 + } + address-group DT_FW6A684_1 { + address 77.68.116.119 + } + address-group DT_FW6B9B9_1 { + address 185.132.41.72 + } + address-group DT_FW6B39D_1 { + address 77.68.4.111 + address 77.68.77.174 + } + address-group DT_FW6C992_1 { + address 77.68.85.27 + } + address-group DT_FW6CD7E_2 { + address 77.68.76.148 + } + address-group DT_FW6D0CD_1 { + address 77.68.76.241 + } + address-group DT_FW6ECA4_1 { + address 77.68.117.51 + } + address-group DT_FW6EFD7_1 { + address 77.68.84.147 + } + address-group DT_FW6F539_1 { + address 77.68.76.217 + } + address-group DT_FW7A9B0_9 { + address 77.68.76.47 + } + address-group DT_FW7C4D9_14 { + address 109.228.36.37 + } + address-group DT_FW7DAE2_3 { + address 185.132.38.216 + } + address-group DT_FW7F28A_1 { + address 77.68.76.31 + } + address-group DT_FW8A3FC_3 { + address 77.68.77.132 + address 77.68.76.185 + address 77.68.77.90 + } + address-group DT_FW8A49A_1 { + address 77.68.77.85 + } + address-group DT_FW8A57A_1 { + address 77.68.77.222 + address 77.68.112.83 + } + address-group DT_FW8AFF1_7 { + address 77.68.76.118 + } + address-group DT_FW8B21D_1 { + address 77.68.23.64 + } + address-group DT_FW8C72E_1 { + address 77.68.27.54 + } + address-group DT_FW8C927_1 { + address 77.68.7.160 + } + address-group DT_FW8EA04_1 { + address 77.68.20.161 + } + address-group DT_FW8ECF4_1 { + address 77.68.2.215 + } + address-group DT_FW9B6FB_1 { + address 77.68.4.242 + } + address-group DT_FW9C682_3 { + address 213.171.212.203 + } + address-group DT_FW9D5C7_1 { + address 77.68.115.17 + } + address-group DT_FW9E550_1 { + address 213.171.212.71 + } + address-group DT_FW9EEDD_1 { + address 77.68.4.80 + address 77.68.49.152 + } + address-group DT_FW10C3D_19 { + address 77.68.25.124 + } + address-group DT_FW10FEE_1 { + address 77.68.122.89 + } + address-group DT_FW12C32_1 { + address 77.68.4.25 + address 77.68.7.114 + } + address-group DT_FW013EF_2 { + address 77.68.77.26 + } + address-group DT_FW15C99_6 { + address 77.68.114.237 + } + address-group DT_FW18E6E_3 { + address 77.68.76.112 + } + address-group DT_FW21A75_2 { + address 88.208.198.66 + } + address-group DT_FW24AB7_1 { + address 213.171.213.242 + } + address-group DT_FW26F0A_1 { + address 77.68.78.73 + } + address-group DT_FW27A8F_1 { + address 77.68.76.219 + } + address-group DT_FW028C0_2 { + address 77.68.26.221 + } + address-group DT_FW28EC8_1 { + address 77.68.76.93 + } + address-group DT_FW30D21_1 { + address 77.68.95.42 + } + address-group DT_FW32EFF_16 { + address 77.68.118.120 + } + address-group DT_FW32EFF_25 { + address 77.68.27.211 + } + address-group DT_FW32EFF_49 { + address 109.228.37.187 + } + address-group DT_FW34C91_3 { + address 77.68.76.142 + } + address-group DT_FW35F7B_1 { + address 77.68.30.164 + } + address-group DT_FW37E59_5 { + address 77.68.76.37 + } + address-group DT_FW40AE4_1 { + address 77.68.79.206 + } + address-group DT_FW42BC7_1 { + address 77.68.76.95 + } + address-group DT_FW44BF9_1 { + address 77.68.77.200 + } + address-group DT_FW45BEB_1 { + address 77.68.75.245 + } + address-group DT_FW45F3D_1 { + address 109.228.40.247 + } + address-group DT_FW45F87_1 { + address 77.68.77.207 + } + address-group DT_FW46F4A_1 { + address 88.208.197.135 + } + address-group DT_FW48A55_2 { + address 109.228.39.157 + } + address-group DT_FW49C3D_4 { + address 77.68.76.149 + } + address-group DT_FW49C3D_6 { + address 77.68.76.160 + } + address-group DT_FW050AC_1 { + address 77.68.77.214 + } + address-group DT_FW52F6F_1 { + address 77.68.82.147 + } + address-group DT_FW53C72_1 { + address 88.208.197.118 + } + address-group DT_FW58C69_4 { + address 77.68.76.141 + } + address-group DT_FW59F39_1 { + address 77.68.87.212 + } + address-group DT_FW60FD6_5 { + address 77.68.92.92 + } + address-group DT_FW69D6D_2 { + address 77.68.77.221 + } + address-group DT_FW72F37_1 { + address 77.68.77.100 + } + address-group DT_FW73A64_1 { + address 77.68.118.15 + } + address-group DT_FW75CA4_6 { + address 77.68.4.22 + } + address-group DT_FW85A7C_1 { + address 77.68.6.210 + } + address-group DT_FW85E02_11 { + address 77.68.77.233 + } + address-group DT_FW90AE3_1 { + address 77.68.88.100 + } + address-group DT_FW91B7A_1 { + address 77.68.76.40 + } + address-group DT_FW138F8_1 { + address 77.68.50.193 + } + address-group DT_FW0192C_1 { + address 185.132.39.68 + } + address-group DT_FW197DB_1 { + address 77.68.77.240 + } + address-group DT_FW210E2_8 { + address 77.68.94.181 + } + address-group DT_FW274FD_1 { + address 185.132.36.24 + } + address-group DT_FW310C6_3 { + address 88.208.198.39 + } + address-group DT_FW364CF_1 { + address 77.68.76.203 + address 77.68.77.97 + } + address-group DT_FW406AB_1 { + address 109.228.47.223 + } + address-group DT_FW444AF_1 { + address 185.132.37.102 + } + address-group DT_FW481D7_1 { + address 77.68.76.243 + } + address-group DT_FW539FB_1 { + address 77.68.21.171 + } + address-group DT_FW578BE_1 { + address 109.228.56.185 + } + address-group DT_FW597A6_1 { + address 77.68.5.125 + address 88.208.196.123 + address 88.208.212.31 + } + address-group DT_FW608FA_1 { + address 77.68.74.232 + } + address-group DT_FW633DD_1 { + address 77.68.121.119 + } + address-group DT_FW672AB_1 { + address 213.171.213.41 + } + address-group DT_FW0745F_5 { + address 77.68.117.222 + } + address-group DT_FW748B7_1 { + address 77.68.120.249 + } + address-group DT_FW825C8_19 { + address 77.68.76.111 + address 77.68.76.42 + } + address-group DT_FW825C8_24 { + address 77.68.77.120 + address 77.68.76.183 + } + address-group DT_FW826BA_3 { + address 77.68.77.152 + } + address-group DT_FW856FA_1 { + address 77.68.77.151 + } + address-group DT_FW883EB_1 { + address 77.68.76.152 + } + address-group DT_FW930F3_1 { + address 77.68.85.73 + } + address-group DT_FW930F3_3 { + address 77.68.114.234 + } + address-group DT_FW934AE_1 { + address 77.68.5.166 + } + address-group DT_FW0937A_1 { + address 77.68.6.119 + } + address-group DT_FW0952B_1 { + address 77.68.93.125 + } + address-group DT_FW996B4_2 { + address 77.68.76.157 + } + address-group DT_FW1208C_1 { + address 77.68.77.33 + } + address-group DT_FW1226C_3 { + address 77.68.117.45 + } + address-group DT_FW1271A_2 { + address 77.68.76.102 + } + address-group DT_FW2379F_14 { + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 213.171.212.114 + address 77.68.103.56 + } + address-group DT_FW4293B_1 { + address 77.68.76.57 + } + address-group DT_FW4513E_1 { + address 77.68.77.75 + } + address-group DT_FW4735F_1 { + address 77.68.77.74 + } + address-group DT_FW05064_1 { + address 213.171.210.19 + } + address-group DT_FW05339_1 { + address 185.132.40.152 + } + address-group DT_FW5658C_1 { + address 77.68.77.185 + } + address-group DT_FW5858F_1 { + address 77.68.121.127 + } + address-group DT_FW06176_1 { + address 77.68.77.38 + } + address-group DT_FW6187E_1 { + address 77.68.103.147 + } + address-group DT_FW6863A_4 { + address 77.68.7.222 + } + address-group DT_FW6906B_1 { + address 185.132.43.28 + } + address-group DT_FW06940_3 { + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + } + address-group DT_FW7648D_1 { + address 77.68.76.77 + } + address-group DT_FW08061_1 { + address 77.68.76.45 + } + address-group DT_FW8428B_1 { + address 77.68.33.24 + } + address-group DT_FW8871B_1 { + address 77.68.78.113 + } + address-group DT_FW11082_1 { + address 77.68.113.117 + } + address-group DT_FW16375_5 { + address 77.68.77.171 + } + address-group DT_FW19987_4 { + address 77.68.77.54 + } + address-group DT_FW20449_2 { + address 77.68.126.101 + } + address-group DT_FW25843_1 { + address 77.68.24.59 + } + address-group DT_FW26846_1 { + address 88.208.197.10 + } + address-group DT_FW27947_1 { + address 77.68.77.102 + } + address-group DT_FW27949_2 { + address 77.68.117.214 + } + address-group DT_FW28892_1 { + address 77.68.77.144 + } + address-group DT_FW31525_6 { + address 77.68.77.46 + } + address-group DT_FW36425_1 { + address 77.68.119.14 + } + address-group DT_FW40416_1 { + address 77.68.121.94 + } + address-group DT_FW42661_3 { + address 77.68.77.202 + } + address-group DT_FW44217_2 { + address 77.68.89.247 + } + address-group DT_FW45000_1 { + address 77.68.24.172 + } + address-group DT_FW48814_3 { + address 77.68.77.219 + } + address-group DT_FW49897_1 { + address 185.132.36.7 + } + address-group DT_FW56335_2 { + address 88.208.198.92 + } + address-group DT_FW56496_1 { + address 77.68.51.202 + address 77.68.101.64 + } + address-group DT_FW62858_12 { + address 77.68.77.145 + } + address-group DT_FW63230_1 { + address 77.68.76.220 + } + address-group DT_FW66347_1 { + address 77.68.92.186 + } + address-group DT_FW73215_1 { + address 213.171.209.217 + } + address-group DT_FW73573_1 { + address 77.68.76.249 + } + address-group DT_FW73573_2 { + address 77.68.77.62 + } + address-group DT_FW78137_1 { + address 77.68.34.50 + } + address-group DT_FW81138_1 { + address 77.68.77.59 + } + address-group DT_FW81286_1 { + address 77.68.77.243 + } + address-group DT_FW85040_1 { + address 77.68.5.187 + } + address-group DT_FW85619_1 { + address 77.68.127.172 + } + address-group DT_FW89619_1 { + address 77.68.76.253 + } + address-group DT_FW98818_1 { + address 88.208.197.129 + } + address-group DT_FWA0AA0_1 { + address 77.68.113.164 + } + address-group DT_FWA0B7F_1 { + address 185.132.39.44 + } + address-group DT_FWA2FF8_4 { + address 77.68.76.231 + } + address-group DT_FWA3EA3_1 { + address 77.68.77.42 + } + address-group DT_FWA4BC8_1 { + address 77.68.112.75 + } + address-group DT_FWA5D67_1 { + address 185.132.37.133 + } + address-group DT_FWA7A50_1 { + address 77.68.27.57 + address 77.68.118.102 + } + address-group DT_FWA69A0_1 { + address 213.171.212.90 + } + address-group DT_FWA076E_1 { + address 77.68.76.19 + } + address-group DT_FWA83DF_1 { + address 77.68.7.123 + } + address-group DT_FWA86A4_1 { + address 109.228.56.97 + } + address-group DT_FWA86ED_101 { + address 77.68.85.172 + address 109.228.38.171 + address 88.208.199.233 + } + address-group DT_FWA373F_1 { + address 77.68.76.171 + } + address-group DT_FWA0531_1 { + address 213.171.215.252 + } + address-group DT_FWA884B_5 { + address 88.208.199.249 + } + address-group DT_FWA7625_1 { + address 213.171.215.43 + } + address-group DT_FWAA38E_1 { + address 77.68.93.164 + } + address-group DT_FWAB44B_1 { + address 185.132.37.47 + } + address-group DT_FWAE88B_1 { + address 77.68.125.218 + } + address-group DT_FWAF6E8_1 { + address 77.68.76.115 + } + address-group DT_FWAFF0A_1 { + address 77.68.91.195 + } + address-group DT_FWB2CD2_1 { + address 77.68.72.254 + } + address-group DT_FWB28B6_5 { + address 77.68.77.209 + } + address-group DT_FWB36A0_1 { + address 77.68.77.108 + } + address-group DT_FWB118A_1 { + address 77.68.48.14 + } + address-group DT_FWB4438_2 { + address 88.208.215.61 + } + address-group DT_FWB6101_1 { + address 88.208.215.62 + } + address-group DT_FWB9699_7 { + address 77.68.76.123 + } + address-group DT_FWB9699_11 { + address 77.68.77.165 + } + address-group DT_FWBB718_1 { + address 77.68.77.71 + } + address-group DT_FWBC8A6_1 { + address 77.68.112.175 + } + address-group DT_FWBC280_1 { + address 77.68.100.167 + } + address-group DT_FWBD9D0_1 { + address 77.68.120.31 + } + address-group DT_FWBE878_1 { + address 213.171.212.172 + } + address-group DT_FWBED52_1 { + address 77.68.112.213 + } + address-group DT_FWBF494_1 { + address 77.68.76.209 + } + address-group DT_FWBFC02_1 { + address 77.68.112.90 + } + address-group DT_FWBFDED_1 { + address 77.68.76.30 + } + address-group DT_FWC0CE0_1 { + address 77.68.112.184 + } + address-group DT_FWC1ACD_1 { + address 77.68.85.18 + } + address-group DT_FWC2D30_1 { + address 77.68.76.48 + } + address-group DT_FWC2EF2_1 { + address 77.68.17.200 + } + address-group DT_FWC2EF2_2 { + address 77.68.17.200 + } + address-group DT_FWC7D36_1 { + address 77.68.76.126 + } + address-group DT_FWC8E8E_1 { + address 77.68.28.207 + } + address-group DT_FWC32BE_1 { + address 77.68.117.173 + } + address-group DT_FWC37B9_1 { + address 77.68.28.139 + } + address-group DT_FWC055A_1 { + address 77.68.77.30 + } + address-group DT_FWC72E5_1 { + address 77.68.103.227 + } + address-group DT_FWC96A1_1 { + address 77.68.75.253 + } + address-group DT_FWC1315_1 { + address 77.68.4.57 + } + address-group DT_FWC3921_1 { + address 77.68.76.164 + } + address-group DT_FWC6301_1 { + address 77.68.34.26 + } + address-group DT_FWCA628_1 { + address 185.132.39.99 + } + address-group DT_FWCB0CF_7 { + address 77.68.77.163 + } + address-group DT_FWCB29D_1 { + address 88.208.197.23 + } + address-group DT_FWCC18F_2 { + address 77.68.76.59 + } + address-group DT_FWCD7CE_1 { + address 77.68.77.56 + } + address-group DT_FWCDBC7_1 { + address 77.68.77.141 + } + address-group DT_FWCDD8B_1 { + address 185.132.37.23 + } + address-group DT_FWCE020_1 { + address 77.68.48.202 + } + address-group DT_FWD0E22_4 { + address 77.68.77.99 + } + address-group DT_FWD4A27_1 { + address 77.68.76.244 + } + address-group DT_FWD7EAB_1 { + address 77.68.7.67 + } + address-group DT_FWD8DD1_2 { + address 213.171.210.155 + } + address-group DT_FWD42CF_1 { + address 185.132.38.114 + } + address-group DT_FWD56A2_1 { + address 213.171.213.31 + } + address-group DT_FWD61BF_1 { + address 88.208.199.46 + } + address-group DT_FWD338A_1 { + address 77.68.77.69 + } + address-group DT_FWD498E_1 { + address 109.228.39.41 + } + address-group DT_FWD2082_1 { + address 77.68.76.94 + } + address-group DT_FWD2440_1 { + address 77.68.114.136 + } + address-group DT_FWD3431_2 { + address 77.68.77.105 + } + address-group DT_FWD7382_1 { + address 185.132.40.11 + } + address-group DT_FWDA443_6 { + address 77.68.34.28 + } + address-group DT_FWDAA4F_1 { + address 77.68.76.124 + } + address-group DT_FWDAF47_1 { + address 77.68.23.35 + } + address-group DT_FWDCA36_3 { + address 77.68.77.81 + } + address-group DT_FWDD089_5 { + address 77.68.77.21 + } + address-group DT_FWDEDB9_1 { + address 77.68.22.146 + } + address-group DT_FWE2AB5_8 { + address 77.68.26.166 + } + address-group DT_FWE3E77_1 { + address 77.68.76.49 + } + address-group DT_FWE6AB2_1 { + address 185.132.40.166 + } + address-group DT_FWE9F7D_1 { + address 77.68.32.118 + } + address-group DT_FWE012D_1 { + address 77.68.77.190 + } + address-group DT_FWE30A1_4 { + address 77.68.33.48 + } + address-group DT_FWE32F2_8 { + address 77.68.82.157 + } + address-group DT_FWE47DA_1 { + address 77.68.91.128 + } + address-group DT_FWE57AD_1 { + address 109.228.56.26 + } + address-group DT_FWE928F_1 { + address 77.68.77.129 + } + address-group DT_FWE7180_1 { + address 77.68.123.177 + } + address-group DT_FWEAE53_1 { + address 77.68.26.216 + } + address-group DT_FWEB321_1 { + address 77.68.4.74 + } + address-group DT_FWECBFB_14 { + address 77.68.77.44 + } + address-group DT_FWEE03C_1 { + address 77.68.116.232 + } + address-group DT_FWEEC75_1 { + address 77.68.76.29 + } + address-group DT_FWEF92E_5 { + address 77.68.77.57 + } + address-group DT_FWEF92E_6 { + address 77.68.77.70 + } + address-group DT_FWEF92E_7 { + address 77.68.77.149 + } + address-group DT_FWF3A1B_1 { + address 109.228.52.186 + } + address-group DT_FWF7B68_1 { + address 77.68.77.231 + } + address-group DT_FWF7BFA_1 { + address 77.68.120.45 + } + address-group DT_FWF8E67_1 { + address 77.68.85.115 + } + address-group DT_FWF8F85_1 { + address 109.228.36.229 + } + address-group DT_FWF9C28_2 { + address 77.68.84.155 + } + address-group DT_FWF9C28_4 { + address 77.68.28.145 + } + address-group DT_FWF19FB_2 { + address 77.68.76.212 + } + address-group DT_FWF30BD_1 { + address 77.68.14.88 + } + address-group DT_FWF48EB_1 { + address 77.68.76.21 + } + address-group DT_FWF0221_1 { + address 185.132.36.60 + address 185.132.40.244 + } + address-group DT_FWF323F_1 { + address 185.132.39.109 + } + address-group DT_FWF699D_4 { + address 185.132.40.90 + } + address-group DT_FWF791C_1 { + address 77.68.90.132 + } + address-group DT_FWF879C_1 { + address 77.68.76.169 + } + address-group DT_FWF3574_1 { + address 77.68.76.191 + } + address-group DT_FWF4063_1 { + address 77.68.32.254 + } + address-group DT_FWFD9AF_9 { + address 77.68.77.24 + } + address-group DT_FWFDCC7_1 { + address 109.228.59.247 + } + address-group DT_FWFDD94_15 { + address 77.68.76.161 + } + address-group DT_FWFDE34_1 { + address 185.132.38.182 + } + address-group DT_FWFEF05_1 { + address 88.208.197.150 + } + address-group DT_H71F96 { + address 77.68.23.112 + } + address-group DT_SMTP_BLOCKED { + address 172.16.255.254 + address 77.68.77.209 + address 77.68.76.148 + address 77.68.77.211 + address 77.68.21.78 + address 77.68.77.247 + address 77.68.77.203 + address 77.68.77.68 + address 77.68.77.43 + address 77.68.77.165 + address 77.68.76.145 + address 77.68.76.239 + address 77.68.77.67 + address 77.68.76.177 + address 77.68.77.117 + address 77.68.76.50 + address 77.68.76.158 + address 77.68.76.22 + address 77.68.76.123 + address 77.68.76.251 + address 77.68.77.63 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.4.252 + address 77.68.76.30 + address 77.68.76.77 + address 77.68.76.31 + address 77.68.77.248 + address 77.68.3.52 + address 77.68.76.88 + address 213.171.214.234 + address 185.132.39.219 + address 77.68.5.155 + address 77.68.80.97 + address 77.68.101.124 + address 77.68.76.111 + address 77.68.76.42 + address 77.68.77.120 + address 77.68.76.183 + address 88.208.197.160 + address 88.208.197.10 + address 77.68.76.250 + address 77.68.77.219 + address 77.68.77.152 + address 77.68.76.60 + } + address-group DT_VPN-2661 { + address 185.132.40.90 + } + address-group DT_VPN-3575 { + address 77.68.77.202 + } + address-group DT_VPN-6103 { + address 77.68.77.21 + } + address-group DT_VPN-7030 { + address 77.68.77.44 + } + address-group DT_VPN-7902 { + address 77.68.77.43 + } + address-group DT_VPN-8159 { + address 77.68.77.163 + } + address-group DT_VPN-8203 { + address 77.68.77.202 + } + address-group DT_VPN-8625 { + address 77.68.94.181 + } + address-group DT_VPN-9415 { + address 77.68.76.114 + } + address-group DT_VPN-9484 { + address 77.68.77.76 + address 77.68.76.120 + } + address-group DT_VPN-9727 { + address 185.132.40.90 + } + address-group DT_VPN-9749 { + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 213.171.212.114 + address 77.68.103.56 + } + address-group DT_VPN-9765 { + address 77.68.76.50 + } + address-group DT_VPN-10131 { + address 77.68.76.110 + } + address-group DT_VPN-11083 { + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 213.171.212.114 + address 77.68.103.56 + } + address-group DT_VPN-11913 { + address 77.68.76.60 + } + address-group DT_VPN-12870 { + address 77.68.77.163 + } + address-group DT_VPN-12899 { + address 77.68.77.95 + } + address-group DT_VPN-13261 { + address 77.68.77.76 + address 77.68.76.120 + } + address-group DT_VPN-13983 { + address 77.68.3.52 + } + address-group DT_VPN-14649 { + address 77.68.76.161 + } + address-group DT_VPN-14657 { + address 77.68.76.161 + } + address-group DT_VPN-14658 { + address 77.68.76.161 + } + address-group DT_VPN-14673 { + address 77.68.76.161 + } + address-group DT_VPN-15625 { + address 77.68.77.44 + } + address-group DT_VPN-15950 { + address 77.68.101.124 + } + address-group DT_VPN-15951 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-15960 { + address 77.68.101.124 + } + address-group DT_VPN-16402 { + address 109.228.39.151 + } + address-group DT_VPN-16450 { + address 77.68.77.163 + } + address-group DT_VPN-17207 { + address 77.68.77.163 + } + address-group DT_VPN-17558 { + address 77.68.77.163 + } + address-group DT_VPN-18646 { + address 77.68.77.163 + } + address-group DT_VPN-18647 { + address 77.68.77.163 + } + address-group DT_VPN-18830 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-19135 { + address 109.228.39.151 + } + address-group DT_VPN-19474 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-19807 { + address 77.68.76.198 + } + address-group DT_VPN-19992 { + address 77.68.25.124 + } + address-group DT_VPN-20306 { + address 77.68.77.248 + } + address-group DT_VPN-21673 { + address 77.68.15.95 + address 77.68.75.64 + } + address-group DT_VPN-21821 { + address 77.68.15.95 + address 77.68.75.64 + } + address-group DT_VPN-21822 { + address 77.68.15.95 + address 77.68.75.64 + } + address-group DT_VPN-21876 { + address 77.68.77.163 + } + address-group DT_VPN-21982 { + address 77.68.15.95 + address 77.68.75.64 + } + address-group DT_VPN-23209 { + address 77.68.77.24 + } + address-group DT_VPN-23729 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-23733 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-23734 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-23738 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-23946 { + address 77.68.77.44 + } + address-group DT_VPN-24398 { + address 77.68.76.118 + } + address-group DT_VPN-24589 { + address 77.68.76.118 + } + address-group DT_VPN-24591 { + address 77.68.76.118 + } + address-group DT_VPN-24592 { + address 77.68.76.118 + } + address-group DT_VPN-24593 { + address 77.68.76.118 + } + address-group DT_VPN-24594 { + address 77.68.76.118 + } + address-group DT_VPN-24595 { + address 77.68.76.118 + } + address-group DT_VPN-25822 { + address 77.68.15.95 + address 77.68.75.64 + } + address-group DT_VPN-26124 { + address 77.68.77.163 + } + address-group DT_VPN-26157 { + address 77.68.77.205 + } + address-group DT_VPN-26772 { + address 185.132.40.90 + } + address-group DT_VPN-28031 { + address 77.68.77.44 + } + address-group DT_VPN-28484 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-28515 { + address 77.68.82.157 + } + address-group DT_VPN-29631 { + address 77.68.77.44 + } + address-group DT_VPN-30261 { + address 77.68.77.163 + } + address-group DT_VPN-30262 { + address 77.68.77.163 + } + address-group DT_VPN-30679 { + address 77.68.77.163 + } + address-group DT_VPN-30791 { + address 77.68.118.120 + address 77.68.27.211 + address 109.228.37.187 + } + address-group DT_VPN-31002 { + address 109.228.36.119 + } + address-group DT_VPN-31301 { + address 88.208.197.10 + } + address-group DT_VPN-32528 { + address 77.68.76.118 + } + address-group DT_VPN-33204 { + address 77.68.77.163 + } + address-group DT_VPN-34006 { + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + } + address-group DT_VPN-34122 { + address 77.68.114.237 + } + address-group DT_VPN-34309 { + address 77.68.77.44 + } + address-group DT_VPN-34501 { + address 77.68.50.142 + } + address-group DT_VPN-34583 { + address 77.68.77.145 + } + address-group G-ALL_OPEN { + address 172.16.255.254 + address 77.68.76.208 + address 77.68.77.251 + address 109.228.36.174 + address 77.68.89.72 + address 77.68.77.29 + address 185.132.43.6 + address 109.228.46.196 + address 185.132.43.98 + address 185.132.41.148 + address 77.68.49.126 + address 77.68.49.178 + address 77.68.116.84 + address 185.132.36.56 + address 77.68.126.160 + address 213.171.208.176 + address 88.208.197.155 + address 88.208.198.69 + address 77.68.29.65 + } + address-group G-ICMP { + address 172.16.255.254 + address 77.68.76.141 + address 77.68.76.16 + address 77.68.76.22 + address 77.68.76.241 + address 77.68.77.128 + address 77.68.77.130 + address 77.68.77.16 + address 77.68.77.201 + address 77.68.77.22 + address 77.68.77.71 + address 77.68.76.254 + address 77.68.5.187 + address 77.68.94.181 + address 77.68.76.243 + address 77.68.92.186 + address 77.68.76.23 + address 77.68.26.216 + address 77.68.76.157 + address 77.68.76.102 + address 77.68.76.169 + address 77.68.76.30 + address 109.228.39.157 + address 77.68.76.77 + address 77.68.7.67 + address 109.228.55.82 + address 77.68.95.212 + address 77.68.85.73 + address 77.68.117.222 + address 77.68.125.60 + address 185.132.43.157 + address 77.68.114.136 + address 77.68.77.105 + address 77.68.33.197 + address 77.68.23.64 + address 77.68.112.184 + address 77.68.49.161 + address 77.68.76.191 + address 109.228.56.97 + address 185.132.37.101 + address 77.68.76.112 + address 77.68.117.173 + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + address 77.68.16.247 + address 77.68.76.212 + address 77.68.77.185 + address 77.68.77.238 + } + address-group G-20-TCP { + address 172.16.255.254 + address 77.68.76.80 + address 77.68.77.253 + address 77.68.86.148 + address 77.68.77.248 + address 77.68.79.206 + address 109.228.40.222 + address 77.68.24.172 + address 77.68.77.144 + address 77.68.76.112 + } + address-group G-21-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.203 + address 77.68.76.209 + address 77.68.76.217 + address 77.68.76.22 + address 77.68.76.220 + address 77.68.76.235 + address 77.68.76.245 + address 77.68.76.38 + address 77.68.76.54 + address 77.68.76.75 + address 77.68.76.80 + address 77.68.76.91 + address 77.68.76.94 + address 77.68.77.107 + address 77.68.77.128 + address 77.68.77.137 + address 77.68.77.150 + address 77.68.77.151 + address 77.68.77.171 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.236 + address 77.68.77.240 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.56 + address 77.68.77.63 + address 77.68.77.71 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.92 + address 77.68.77.97 + address 77.68.77.99 + address 77.68.77.190 + address 77.68.77.103 + address 77.68.76.26 + address 77.68.76.107 + address 77.68.76.148 + address 77.68.76.19 + address 77.68.77.192 + address 77.68.77.157 + address 77.68.91.195 + address 77.68.77.211 + address 109.228.56.185 + address 77.68.84.147 + address 77.68.77.74 + address 77.68.4.74 + address 77.68.30.133 + address 77.68.28.145 + address 77.68.26.216 + address 77.68.77.130 + address 77.68.116.119 + address 77.68.116.220 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.84.155 + address 77.68.86.40 + address 77.68.120.241 + address 77.68.122.89 + address 77.68.10.142 + address 77.68.122.241 + address 77.68.6.105 + address 77.68.17.186 + address 77.68.95.42 + address 77.68.22.146 + address 77.68.4.252 + address 109.228.36.229 + address 109.228.40.207 + address 77.68.31.144 + address 109.228.37.174 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.77.160 + address 77.68.76.152 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.86.148 + address 77.68.23.35 + address 109.228.40.194 + address 77.68.90.132 + address 77.68.77.26 + address 77.68.76.95 + address 77.68.120.26 + address 109.228.61.31 + address 77.68.120.249 + address 77.68.6.210 + address 213.171.213.41 + address 77.68.77.248 + address 213.171.215.184 + address 77.68.25.146 + address 213.171.210.19 + address 213.171.213.242 + address 109.228.48.249 + address 109.228.40.195 + address 77.68.127.172 + address 77.68.79.206 + address 77.68.28.147 + address 185.132.36.148 + address 185.132.37.83 + address 77.68.117.51 + address 77.68.25.124 + address 77.68.13.137 + address 109.228.52.186 + address 185.132.36.24 + address 77.68.77.69 + address 109.228.40.222 + address 77.68.87.212 + address 185.132.39.99 + address 109.228.38.201 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 185.132.41.73 + address 77.68.76.45 + address 77.68.77.215 + address 77.68.77.214 + address 77.68.79.89 + address 77.68.76.21 + address 77.68.33.68 + address 77.68.80.97 + address 77.68.77.65 + address 185.132.41.148 + address 77.68.24.172 + address 77.68.5.95 + address 77.68.5.125 + address 213.171.208.40 + address 77.68.76.40 + address 77.68.113.164 + address 77.68.114.93 + address 185.132.36.60 + address 185.132.40.244 + address 213.171.214.102 + address 88.208.197.160 + address 88.208.196.123 + address 77.68.77.144 + address 77.68.126.14 + address 77.68.76.171 + address 88.208.198.69 + address 77.68.34.139 + address 88.208.212.31 + address 77.68.76.112 + address 77.68.76.228 + address 77.68.77.75 + address 88.208.198.66 + address 77.68.77.219 + address 77.68.77.204 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 77.68.114.237 + address 77.68.77.222 + address 77.68.112.83 + address 185.132.37.47 + address 77.68.77.238 + } + address-group G-22-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.105 + address 77.68.76.115 + address 77.68.76.122 + address 77.68.76.126 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.145 + address 77.68.76.148 + address 77.68.76.158 + address 77.68.76.164 + address 77.68.76.177 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.200 + address 77.68.76.209 + address 77.68.76.217 + address 77.68.76.22 + address 77.68.76.235 + address 77.68.76.239 + address 77.68.76.245 + address 77.68.76.247 + address 77.68.76.25 + address 77.68.76.251 + address 77.68.76.252 + address 77.68.76.33 + address 77.68.76.37 + address 77.68.76.38 + address 77.68.76.49 + address 77.68.76.54 + address 77.68.76.55 + address 77.68.76.57 + address 77.68.76.61 + address 77.68.76.74 + address 77.68.76.80 + address 77.68.76.99 + address 77.68.77.100 + address 77.68.77.103 + address 77.68.77.107 + address 77.68.77.108 + address 77.68.77.117 + address 77.68.77.124 + address 77.68.77.128 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.137 + address 77.68.77.139 + address 77.68.77.140 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.151 + address 77.68.77.159 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.19 + address 77.68.77.190 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.203 + address 77.68.77.207 + address 77.68.77.211 + address 77.68.77.212 + address 77.68.77.22 + address 77.68.77.221 + address 77.68.77.227 + address 77.68.77.240 + address 77.68.77.243 + address 77.68.77.247 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.37 + address 77.68.77.43 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.53 + address 77.68.77.56 + address 77.68.77.67 + address 77.68.77.68 + address 77.68.77.77 + address 77.68.77.79 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.88 + address 77.68.77.92 + address 77.68.77.99 + address 77.68.76.110 + address 77.68.76.76 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.77.74 + address 77.68.76.165 + address 77.68.77.254 + address 77.68.77.157 + address 77.68.76.138 + address 77.68.76.139 + address 77.68.76.124 + address 77.68.76.243 + address 77.68.76.114 + address 77.68.76.244 + address 77.68.77.192 + address 77.68.77.161 + address 77.68.91.195 + address 77.68.17.26 + address 77.68.28.145 + address 77.68.84.147 + address 109.228.56.185 + address 77.68.26.166 + address 77.68.12.195 + address 77.68.29.178 + address 77.68.5.187 + address 77.68.7.227 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.4.39 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.27.54 + address 77.68.30.133 + address 77.68.4.136 + address 77.68.24.112 + address 77.68.92.186 + address 77.68.20.161 + address 77.68.26.216 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.116.119 + address 77.68.116.232 + address 77.68.7.172 + address 77.68.116.221 + address 77.68.89.183 + address 77.68.83.41 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.112.248 + address 109.228.60.215 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.120.241 + address 77.68.121.106 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.122.241 + address 77.68.81.141 + address 77.68.116.52 + address 77.68.6.32 + address 77.68.76.229 + address 77.68.28.207 + address 77.68.4.252 + address 77.68.17.186 + address 77.68.24.220 + address 77.68.22.146 + address 77.68.23.112 + address 77.68.125.32 + address 77.68.72.202 + address 109.228.36.229 + address 77.68.31.144 + address 77.68.2.215 + address 77.68.117.142 + address 77.68.5.166 + address 77.68.76.102 + address 109.228.37.174 + address 109.228.37.114 + address 77.68.76.169 + address 109.228.37.240 + address 77.68.112.75 + address 77.68.77.160 + address 109.228.39.249 + address 77.68.76.77 + address 109.228.40.226 + address 77.68.7.67 + address 77.68.126.51 + address 77.68.75.113 + address 77.68.86.148 + address 77.68.23.35 + address 77.68.114.183 + address 109.228.40.194 + address 77.68.76.31 + address 77.68.90.132 + address 77.68.77.26 + address 77.68.76.96 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 77.68.120.26 + address 109.228.61.31 + address 77.68.76.59 + address 213.171.213.41 + address 77.68.77.248 + address 213.171.212.171 + address 77.68.4.22 + address 77.68.119.14 + address 213.171.215.184 + address 77.68.77.202 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.78.229 + address 77.68.77.102 + address 213.171.210.19 + address 77.68.24.59 + address 213.171.213.97 + address 213.171.213.242 + address 109.228.48.249 + address 109.228.40.195 + address 77.68.120.229 + address 77.68.79.206 + address 77.68.123.250 + address 77.68.28.147 + address 185.132.36.142 + address 213.171.212.172 + address 185.132.36.148 + address 213.171.208.58 + address 77.68.25.130 + address 185.132.38.142 + address 109.228.56.242 + address 109.228.46.81 + address 185.132.38.95 + address 185.132.37.83 + address 77.68.117.51 + address 77.68.116.36 + address 77.68.120.45 + address 213.171.210.59 + address 213.171.215.43 + address 185.132.37.102 + address 109.228.42.232 + address 109.228.52.186 + address 77.68.9.186 + address 77.68.13.76 + address 109.228.36.194 + address 185.132.36.24 + address 77.68.77.69 + address 185.132.39.129 + address 185.132.36.17 + address 109.228.40.222 + address 77.68.74.39 + address 77.68.118.104 + address 213.171.212.136 + address 77.68.120.31 + address 77.68.74.152 + address 185.132.39.37 + address 77.68.87.212 + address 77.68.119.188 + address 77.68.74.85 + address 77.68.91.22 + address 77.68.76.88 + address 77.68.4.242 + address 77.68.76.181 + address 77.68.76.161 + address 109.228.35.84 + address 185.132.39.99 + address 77.68.95.212 + address 77.68.85.73 + address 77.68.76.219 + address 77.68.27.27 + address 77.68.3.194 + address 77.68.3.144 + address 77.68.3.80 + address 77.68.27.28 + address 77.68.3.247 + address 77.68.3.161 + address 77.68.27.18 + address 77.68.3.121 + address 213.171.214.234 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 213.171.211.128 + address 77.68.5.155 + address 185.132.41.73 + address 213.171.214.167 + address 185.132.43.28 + address 213.171.213.42 + address 77.68.76.45 + address 185.132.41.72 + address 185.132.43.157 + address 185.132.40.56 + address 185.132.37.23 + address 77.68.117.29 + address 77.68.75.253 + address 77.68.11.140 + address 77.68.77.215 + address 77.68.20.217 + address 77.68.76.198 + address 77.68.77.214 + address 213.171.210.177 + address 185.132.38.114 + address 77.68.33.48 + address 77.68.32.89 + address 77.68.32.86 + address 77.68.34.138 + address 77.68.32.83 + address 77.68.75.45 + address 77.68.76.176 + address 185.132.43.164 + address 77.68.76.137 + address 185.132.40.152 + address 77.68.33.68 + address 77.68.93.125 + address 77.68.24.134 + address 185.132.38.248 + address 77.68.32.43 + address 77.68.120.218 + address 77.68.112.167 + address 77.68.32.31 + address 77.68.32.254 + address 77.68.80.26 + address 77.68.80.97 + address 77.68.121.119 + address 77.68.74.209 + address 77.68.77.65 + address 185.132.43.6 + address 109.228.46.196 + address 185.132.43.98 + address 185.132.41.148 + address 77.68.24.172 + address 77.68.33.197 + address 213.171.210.25 + address 77.68.5.95 + address 77.68.23.64 + address 77.68.101.125 + address 77.68.5.125 + address 77.68.100.167 + address 109.228.59.247 + address 77.68.35.116 + address 77.68.33.171 + address 77.68.48.105 + address 77.68.48.81 + address 77.68.49.4 + address 109.228.36.119 + address 77.68.121.127 + address 77.68.82.147 + address 77.68.49.12 + address 77.68.8.144 + address 77.68.116.183 + address 77.68.103.19 + address 77.68.50.91 + address 77.68.24.63 + address 77.68.118.15 + address 77.68.50.198 + address 77.68.49.160 + address 77.68.49.161 + address 77.68.76.191 + address 77.68.76.40 + address 77.68.113.164 + address 77.68.77.42 + address 77.68.100.134 + address 77.68.100.132 + address 77.68.114.93 + address 185.132.36.60 + address 185.132.40.244 + address 77.68.85.18 + address 77.68.50.193 + address 77.68.89.247 + address 88.208.197.10 + address 77.68.102.129 + address 109.228.36.79 + address 185.132.38.182 + address 185.132.41.240 + address 77.68.51.214 + address 88.208.196.123 + address 77.68.126.22 + address 213.171.212.90 + address 77.68.114.205 + address 77.68.48.202 + address 77.68.112.175 + address 77.68.112.90 + address 185.132.40.166 + address 77.68.103.120 + address 77.68.103.147 + address 77.68.33.24 + address 109.228.58.134 + address 109.228.47.223 + address 109.228.56.97 + address 77.68.103.227 + address 88.208.196.92 + address 88.208.196.154 + address 185.132.39.44 + address 77.68.76.248 + address 88.208.198.92 + address 77.68.77.144 + address 77.68.126.14 + address 88.208.196.91 + address 77.68.100.77 + address 185.132.37.101 + address 77.68.87.164 + address 77.68.76.120 + address 77.68.93.164 + address 77.68.76.171 + address 88.208.197.135 + address 88.208.197.118 + address 88.208.197.150 + address 77.68.34.139 + address 213.171.213.175 + address 77.68.21.171 + address 88.208.197.60 + address 109.228.37.10 + address 88.208.215.61 + address 88.208.212.31 + address 109.228.53.243 + address 77.68.48.89 + address 88.208.212.188 + address 88.208.198.251 + address 88.208.215.19 + address 77.68.76.228 + address 109.228.39.41 + address 77.68.115.142 + address 77.68.78.73 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.3.61 + address 77.68.77.219 + address 77.68.26.228 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.117.214 + address 88.208.199.141 + address 185.132.39.109 + address 185.132.37.47 + address 77.68.102.5 + address 77.68.16.247 + address 88.208.212.94 + address 77.68.72.254 + address 109.228.61.37 + address 77.68.50.142 + address 77.68.78.113 + address 88.208.212.182 + address 185.132.40.124 + address 88.208.197.208 + address 88.208.197.129 + address 77.68.77.238 + address 77.68.79.82 + address 185.132.38.216 + } + address-group G-25-TCP { + address 172.16.255.254 + address 77.68.76.115 + address 77.68.76.141 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.203 + address 77.68.76.209 + address 77.68.76.55 + address 77.68.76.57 + address 77.68.76.75 + address 77.68.76.91 + address 77.68.76.99 + address 77.68.77.107 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.159 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.236 + address 77.68.77.240 + address 77.68.77.243 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.56 + address 77.68.77.63 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.92 + address 77.68.77.97 + address 77.68.77.99 + address 77.68.77.77 + address 77.68.76.19 + address 77.68.77.192 + address 77.68.77.254 + address 77.68.76.139 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.81.44 + address 77.68.30.133 + address 77.68.77.74 + address 77.68.77.100 + address 77.68.92.186 + address 77.68.76.114 + address 77.68.116.119 + address 77.68.116.221 + address 77.68.116.220 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.120.241 + address 109.228.60.215 + address 77.68.7.172 + address 77.68.116.52 + address 77.68.91.128 + address 77.68.24.112 + address 77.68.76.94 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.77.160 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.86.148 + address 77.68.23.35 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 213.171.213.41 + address 213.171.215.184 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.78.229 + address 213.171.210.19 + address 77.68.79.206 + address 213.171.215.252 + address 109.228.52.186 + address 77.68.77.69 + address 109.228.40.222 + address 77.68.87.212 + address 185.132.39.99 + address 77.68.85.73 + address 77.68.28.139 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 185.132.43.28 + address 185.132.37.23 + address 77.68.77.215 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.33.48 + address 77.68.79.89 + address 77.68.76.21 + address 77.68.76.137 + address 77.68.80.26 + address 77.68.5.95 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 213.171.208.40 + address 77.68.112.184 + address 77.68.115.17 + address 77.68.82.147 + address 77.68.118.15 + address 77.68.76.191 + address 77.68.50.193 + address 77.68.102.129 + address 77.68.76.118 + address 88.208.198.69 + address 77.68.34.139 + address 88.208.197.60 + address 88.208.212.188 + address 77.68.76.112 + address 77.68.77.75 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.77.219 + address 77.68.77.204 + address 77.68.76.202 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + address 185.132.37.47 + address 77.68.77.152 + address 77.68.77.181 + address 77.68.77.185 + address 77.68.77.238 + address 77.68.79.82 + } + address-group G-53-TCP { + address 172.16.255.254 + address 77.68.94.181 + address 77.68.28.145 + address 77.68.84.155 + address 77.68.78.229 + address 185.132.39.99 + address 185.132.43.28 + address 77.68.77.215 + address 185.132.40.152 + address 77.68.49.161 + address 77.68.76.118 + } + address-group G-53-UDP { + address 172.16.255.254 + address 77.68.76.235 + address 77.68.76.93 + address 77.68.77.107 + address 77.68.77.151 + address 77.68.77.37 + address 77.68.76.139 + address 77.68.81.44 + address 77.68.94.181 + address 77.68.28.145 + address 77.68.81.141 + address 77.68.4.252 + address 77.68.125.32 + address 77.68.86.148 + address 77.68.78.229 + address 185.132.43.28 + address 77.68.75.45 + address 185.132.40.152 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.49.161 + address 77.68.34.50 + } + address-group G-80-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.105 + address 77.68.76.115 + address 77.68.76.116 + address 77.68.76.122 + address 77.68.76.126 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.145 + address 77.68.76.148 + address 77.68.76.150 + address 77.68.76.158 + address 77.68.76.164 + address 77.68.76.177 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.200 + address 77.68.76.203 + address 77.68.76.209 + address 77.68.76.217 + address 77.68.76.22 + address 77.68.76.220 + address 77.68.76.23 + address 77.68.76.231 + address 77.68.76.235 + address 77.68.76.239 + address 77.68.76.241 + address 77.68.76.245 + address 77.68.76.247 + address 77.68.76.25 + address 77.68.76.251 + address 77.68.76.252 + address 77.68.76.33 + address 77.68.76.35 + address 77.68.76.37 + address 77.68.76.38 + address 77.68.76.39 + address 77.68.76.49 + address 77.68.76.50 + address 77.68.76.54 + address 77.68.76.55 + address 77.68.76.57 + address 77.68.76.58 + address 77.68.76.61 + address 77.68.76.74 + address 77.68.76.75 + address 77.68.76.80 + address 77.68.76.91 + address 77.68.76.93 + address 77.68.76.94 + address 77.68.76.99 + address 77.68.77.100 + address 77.68.77.103 + address 77.68.77.107 + address 77.68.77.108 + address 77.68.77.115 + address 77.68.77.117 + address 77.68.77.124 + address 77.68.77.128 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.137 + address 77.68.77.139 + address 77.68.77.140 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.151 + address 77.68.77.156 + address 77.68.77.159 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.178 + address 77.68.77.19 + address 77.68.77.190 + address 77.68.77.199 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.203 + address 77.68.77.207 + address 77.68.77.211 + address 77.68.77.212 + address 77.68.77.22 + address 77.68.77.227 + address 77.68.77.228 + address 77.68.77.236 + address 77.68.77.240 + address 77.68.77.243 + address 77.68.77.247 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.37 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.53 + address 77.68.77.56 + address 77.68.77.63 + address 77.68.77.67 + address 77.68.77.68 + address 77.68.77.71 + address 77.68.77.77 + address 77.68.77.79 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.88 + address 77.68.77.92 + address 77.68.77.97 + address 77.68.77.99 + address 77.68.76.76 + address 77.68.76.124 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.77.74 + address 77.68.77.192 + address 77.68.76.92 + address 77.68.76.165 + address 77.68.77.254 + address 77.68.77.157 + address 77.68.76.138 + address 77.68.76.139 + address 77.68.76.114 + address 77.68.76.244 + address 77.68.77.161 + address 77.68.77.62 + address 77.68.77.38 + address 77.68.91.195 + address 77.68.17.26 + address 77.68.28.145 + address 109.228.56.185 + address 77.68.84.147 + address 77.68.12.195 + address 77.68.21.78 + address 77.68.5.187 + address 77.68.7.227 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.4.39 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.94.181 + address 77.68.30.164 + address 77.68.30.133 + address 77.68.4.136 + address 77.68.23.158 + address 77.68.92.186 + address 77.68.24.112 + address 77.68.112.213 + address 77.68.20.161 + address 77.68.26.216 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.116.119 + address 77.68.116.220 + address 77.68.116.232 + address 77.68.76.142 + address 77.68.117.202 + address 77.68.7.172 + address 77.68.116.221 + address 77.68.89.183 + address 77.68.83.41 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.112.248 + address 109.228.60.215 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.84.155 + address 77.68.120.241 + address 77.68.121.106 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.120.146 + address 77.68.122.241 + address 77.68.119.92 + address 77.68.81.141 + address 77.68.10.142 + address 77.68.116.52 + address 77.68.6.105 + address 77.68.76.229 + address 77.68.95.42 + address 77.68.28.207 + address 77.68.4.252 + address 77.68.17.186 + address 77.68.91.128 + address 77.68.22.146 + address 77.68.23.112 + address 77.68.24.220 + address 77.68.125.32 + address 77.68.76.243 + address 77.68.12.250 + address 77.68.72.202 + address 109.228.36.229 + address 109.228.40.207 + address 77.68.31.144 + address 77.68.2.215 + address 77.68.117.142 + address 77.68.5.166 + address 109.228.37.174 + address 109.228.37.114 + address 77.68.76.169 + address 109.228.37.240 + address 77.68.112.75 + address 77.68.76.30 + address 109.228.35.110 + address 77.68.77.160 + address 77.68.77.208 + address 77.68.76.152 + address 109.228.39.249 + address 77.68.76.77 + address 109.228.40.226 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.75.113 + address 77.68.86.148 + address 77.68.23.35 + address 77.68.114.183 + address 109.228.40.194 + address 77.68.76.31 + address 77.68.77.72 + address 77.68.90.132 + address 77.68.6.110 + address 77.68.76.96 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 77.68.120.26 + address 109.228.61.31 + address 77.68.76.59 + address 77.68.120.249 + address 77.68.6.210 + address 213.171.213.41 + address 77.68.77.248 + address 213.171.212.171 + address 77.68.4.22 + address 77.68.119.14 + address 213.171.215.184 + address 77.68.77.202 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.78.229 + address 77.68.77.102 + address 213.171.210.19 + address 77.68.24.59 + address 213.171.213.97 + address 213.171.213.242 + address 77.68.77.205 + address 109.228.48.249 + address 109.228.40.195 + address 77.68.120.229 + address 77.68.127.172 + address 77.68.79.206 + address 77.68.123.250 + address 77.68.28.147 + address 213.171.212.172 + address 185.132.36.148 + address 213.171.208.58 + address 77.68.25.130 + address 109.228.56.242 + address 109.228.46.81 + address 185.132.38.95 + address 185.132.37.83 + address 77.68.117.51 + address 77.68.116.36 + address 77.68.120.45 + address 77.68.25.124 + address 213.171.210.59 + address 213.171.215.43 + address 213.171.215.252 + address 185.132.37.102 + address 109.228.42.232 + address 109.228.52.186 + address 77.68.9.186 + address 77.68.13.76 + address 109.228.36.194 + address 185.132.36.7 + address 185.132.36.24 + address 77.68.77.69 + address 185.132.39.129 + address 185.132.36.17 + address 109.228.40.222 + address 77.68.118.104 + address 77.68.120.31 + address 77.68.74.152 + address 185.132.39.37 + address 77.68.3.52 + address 77.68.87.212 + address 77.68.76.29 + address 77.68.119.188 + address 77.68.74.85 + address 77.68.91.22 + address 77.68.76.88 + address 77.68.4.242 + address 77.68.76.181 + address 77.68.76.161 + address 185.132.39.99 + address 77.68.95.212 + address 77.68.85.73 + address 77.68.76.219 + address 77.68.27.27 + address 77.68.3.194 + address 77.68.3.144 + address 77.68.3.80 + address 77.68.27.28 + address 77.68.3.247 + address 77.68.3.161 + address 77.68.27.18 + address 77.68.3.121 + address 213.171.214.234 + address 109.228.38.201 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 213.171.211.128 + address 77.68.5.155 + address 185.132.41.73 + address 77.68.77.231 + address 213.171.214.167 + address 185.132.43.28 + address 213.171.213.42 + address 77.68.76.45 + address 185.132.41.72 + address 77.68.92.92 + address 185.132.40.56 + address 185.132.37.23 + address 77.68.117.29 + address 77.68.75.253 + address 77.68.11.140 + address 77.68.77.215 + address 77.68.20.217 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.76.198 + address 77.68.77.214 + address 77.68.9.75 + address 213.171.210.177 + address 77.68.76.160 + address 185.132.38.114 + address 77.68.33.48 + address 185.132.40.90 + address 77.68.79.89 + address 77.68.34.28 + address 77.68.76.21 + address 77.68.75.45 + address 77.68.76.176 + address 77.68.77.95 + address 185.132.39.68 + address 185.132.43.164 + address 77.68.76.137 + address 185.132.40.152 + address 77.68.77.249 + address 77.68.33.68 + address 77.68.24.134 + address 185.132.38.248 + address 77.68.32.43 + address 77.68.120.218 + address 77.68.112.167 + address 77.68.32.31 + address 77.68.32.118 + address 77.68.32.254 + address 77.68.80.26 + address 77.68.17.200 + address 77.68.80.97 + address 77.68.121.119 + address 77.68.74.209 + address 77.68.77.65 + address 185.132.43.6 + address 109.228.46.196 + address 185.132.43.98 + address 77.68.100.150 + address 185.132.41.148 + address 77.68.24.172 + address 77.68.33.197 + address 77.68.5.95 + address 77.68.23.64 + address 77.68.101.124 + address 77.68.5.125 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 109.228.59.247 + address 213.171.208.40 + address 77.68.112.184 + address 77.68.35.116 + address 77.68.33.171 + address 77.68.76.111 + address 77.68.76.42 + address 77.68.77.120 + address 77.68.76.183 + address 77.68.118.86 + address 77.68.48.105 + address 77.68.48.81 + address 77.68.49.4 + address 109.228.36.119 + address 77.68.34.26 + address 77.68.115.17 + address 77.68.121.127 + address 77.68.82.147 + address 77.68.49.12 + address 77.68.8.144 + address 77.68.116.183 + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 77.68.51.202 + address 77.68.101.64 + address 77.68.103.19 + address 77.68.50.91 + address 77.68.24.63 + address 77.68.118.15 + address 77.68.50.198 + address 77.68.77.59 + address 77.68.49.160 + address 77.68.76.191 + address 77.68.126.101 + address 77.68.113.164 + address 77.68.77.42 + address 77.68.100.134 + address 77.68.100.132 + address 77.68.114.93 + address 185.132.36.60 + address 185.132.40.244 + address 77.68.85.18 + address 213.171.214.102 + address 77.68.50.193 + address 88.208.197.160 + address 88.208.197.10 + address 77.68.102.129 + address 109.228.36.79 + address 185.132.38.182 + address 185.132.41.240 + address 77.68.51.214 + address 88.208.196.123 + address 88.208.215.157 + address 77.68.126.22 + address 77.68.4.180 + address 213.171.212.90 + address 77.68.114.205 + address 185.132.43.71 + address 77.68.77.114 + address 77.68.48.202 + address 77.68.112.175 + address 77.68.112.90 + address 185.132.40.166 + address 77.68.76.118 + address 77.68.103.120 + address 77.68.33.24 + address 109.228.58.134 + address 109.228.47.223 + address 77.68.31.96 + address 77.68.103.227 + address 77.68.76.250 + address 213.171.212.203 + address 88.208.196.92 + address 88.208.196.154 + address 185.132.39.44 + address 77.68.76.248 + address 88.208.198.92 + address 109.228.36.37 + address 77.68.77.144 + address 77.68.126.14 + address 88.208.196.91 + address 77.68.100.77 + address 185.132.37.101 + address 77.68.87.164 + address 77.68.77.76 + address 77.68.76.120 + address 77.68.82.157 + address 77.68.93.164 + address 77.68.76.171 + address 88.208.197.135 + address 88.208.197.118 + address 88.208.197.150 + address 213.171.212.114 + address 88.208.198.69 + address 77.68.34.139 + address 77.68.21.171 + address 88.208.197.60 + address 77.68.85.27 + address 109.228.37.10 + address 88.208.215.61 + address 88.208.199.249 + address 88.208.212.31 + address 109.228.53.243 + address 77.68.48.89 + address 88.208.212.188 + address 88.208.198.251 + address 77.68.76.112 + address 77.68.48.14 + address 88.208.215.19 + address 77.68.103.56 + address 77.68.76.228 + address 77.68.77.75 + address 77.68.117.173 + address 88.208.215.121 + address 109.228.39.41 + address 77.68.88.100 + address 77.68.76.108 + address 77.68.115.142 + address 213.171.214.96 + address 88.208.198.66 + address 88.208.198.64 + address 77.68.3.61 + address 77.68.77.219 + address 77.68.77.204 + address 77.68.26.228 + address 77.68.74.232 + address 77.68.118.88 + address 77.68.76.48 + address 77.68.76.202 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 88.208.197.23 + address 77.68.114.237 + address 77.68.77.222 + address 77.68.112.83 + address 88.208.199.141 + address 77.68.77.163 + address 185.132.39.109 + address 77.68.77.44 + address 185.132.37.47 + address 77.68.102.5 + address 77.68.16.247 + address 88.208.212.94 + address 77.68.72.254 + address 77.68.77.152 + address 77.68.50.142 + address 88.208.199.46 + address 77.68.78.113 + address 88.208.212.182 + address 77.68.77.181 + address 77.68.15.95 + address 77.68.75.64 + address 213.171.212.71 + address 185.132.40.124 + address 88.208.197.208 + address 88.208.197.129 + address 77.68.76.60 + address 77.68.6.119 + address 77.68.77.185 + address 77.68.77.238 + address 77.68.79.82 + address 109.228.39.151 + } + address-group G-110-TCP { + address 172.16.255.254 + address 77.68.76.187 + address 77.68.77.107 + address 77.68.77.128 + address 77.68.77.129 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.33 + address 77.68.77.49 + address 77.68.77.92 + address 77.68.77.77 + address 77.68.76.19 + address 77.68.77.192 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.116.119 + address 77.68.116.221 + address 77.68.120.241 + address 109.228.60.215 + address 77.68.116.52 + address 77.68.126.51 + address 77.68.23.35 + address 77.68.76.95 + address 213.171.215.184 + address 77.68.25.146 + address 77.68.79.206 + address 213.171.215.252 + address 109.228.52.186 + address 109.228.40.222 + address 185.132.39.99 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.79.89 + address 77.68.5.95 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 213.171.208.40 + address 77.68.50.193 + address 77.68.102.129 + address 88.208.198.69 + address 88.208.212.188 + address 88.208.198.66 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 77.68.77.185 + address 77.68.77.238 + } + address-group G-143-TCP { + address 172.16.255.254 + address 77.68.76.115 + address 77.68.76.123 + address 77.68.76.187 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.141 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.33 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.92 + address 77.68.77.77 + address 77.68.77.192 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.81.44 + address 77.68.92.186 + address 77.68.116.119 + address 77.68.116.221 + address 109.228.60.215 + address 77.68.7.172 + address 77.68.116.52 + address 77.68.24.112 + address 77.68.77.107 + address 77.68.112.75 + address 77.68.7.67 + address 77.68.126.51 + address 77.68.23.35 + address 77.68.76.95 + address 213.171.215.184 + address 77.68.25.146 + address 213.171.213.31 + address 213.171.210.19 + address 77.68.79.206 + address 77.68.77.69 + address 109.228.40.222 + address 185.132.39.99 + address 77.68.117.222 + address 77.68.33.48 + address 77.68.79.89 + address 77.68.5.95 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 213.171.208.40 + address 77.68.115.17 + address 77.68.102.129 + address 88.208.198.69 + address 77.68.34.139 + address 88.208.212.188 + address 88.208.198.66 + address 77.68.77.204 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + } + address-group G-443-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.105 + address 77.68.76.115 + address 77.68.76.116 + address 77.68.76.122 + address 77.68.76.126 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.145 + address 77.68.76.148 + address 77.68.76.150 + address 77.68.76.158 + address 77.68.76.164 + address 77.68.76.177 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.200 + address 77.68.76.203 + address 77.68.76.209 + address 77.68.76.217 + address 77.68.76.22 + address 77.68.76.220 + address 77.68.76.23 + address 77.68.76.231 + address 77.68.76.235 + address 77.68.76.239 + address 77.68.76.241 + address 77.68.76.245 + address 77.68.76.25 + address 77.68.76.252 + address 77.68.76.33 + address 77.68.76.35 + address 77.68.76.37 + address 77.68.76.38 + address 77.68.76.39 + address 77.68.76.49 + address 77.68.76.50 + address 77.68.76.54 + address 77.68.76.55 + address 77.68.76.57 + address 77.68.76.58 + address 77.68.76.61 + address 77.68.76.74 + address 77.68.76.75 + address 77.68.76.80 + address 77.68.76.91 + address 77.68.76.93 + address 77.68.76.94 + address 77.68.76.99 + address 77.68.77.100 + address 77.68.77.103 + address 77.68.77.107 + address 77.68.77.108 + address 77.68.77.117 + address 77.68.77.124 + address 77.68.77.128 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.137 + address 77.68.77.139 + address 77.68.77.140 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.151 + address 77.68.77.156 + address 77.68.77.159 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.178 + address 77.68.77.19 + address 77.68.77.190 + address 77.68.77.199 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.203 + address 77.68.77.207 + address 77.68.77.211 + address 77.68.77.212 + address 77.68.77.22 + address 77.68.77.221 + address 77.68.77.227 + address 77.68.77.228 + address 77.68.77.236 + address 77.68.77.240 + address 77.68.77.243 + address 77.68.77.247 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.37 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.53 + address 77.68.77.56 + address 77.68.77.63 + address 77.68.77.67 + address 77.68.77.68 + address 77.68.77.71 + address 77.68.77.77 + address 77.68.77.79 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.88 + address 77.68.77.92 + address 77.68.77.97 + address 77.68.77.99 + address 77.68.76.76 + address 77.68.76.124 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.76.110 + address 77.68.77.74 + address 77.68.77.192 + address 77.68.76.92 + address 77.68.76.165 + address 77.68.77.254 + address 77.68.77.157 + address 77.68.76.138 + address 77.68.76.139 + address 77.68.76.114 + address 77.68.76.244 + address 77.68.77.161 + address 77.68.77.38 + address 77.68.91.195 + address 77.68.17.26 + address 77.68.28.145 + address 109.228.56.185 + address 77.68.84.147 + address 77.68.12.195 + address 77.68.21.78 + address 77.68.5.187 + address 77.68.7.227 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.4.39 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.94.181 + address 77.68.30.164 + address 77.68.30.133 + address 77.68.4.136 + address 77.68.23.158 + address 77.68.24.112 + address 77.68.92.186 + address 77.68.20.161 + address 77.68.112.213 + address 77.68.26.216 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.116.119 + address 77.68.116.220 + address 77.68.116.232 + address 77.68.76.142 + address 77.68.117.202 + address 77.68.7.172 + address 77.68.116.221 + address 77.68.89.183 + address 77.68.83.41 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.112.248 + address 109.228.60.215 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.84.155 + address 77.68.120.241 + address 77.68.121.106 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.120.146 + address 77.68.122.241 + address 77.68.81.141 + address 77.68.116.52 + address 77.68.6.105 + address 77.68.76.229 + address 77.68.95.42 + address 77.68.28.207 + address 77.68.4.252 + address 77.68.17.186 + address 77.68.91.128 + address 77.68.22.146 + address 77.68.23.112 + address 77.68.24.220 + address 77.68.125.32 + address 77.68.12.250 + address 77.68.76.243 + address 77.68.72.202 + address 109.228.36.229 + address 109.228.40.207 + address 77.68.31.144 + address 77.68.2.215 + address 77.68.117.142 + address 77.68.5.166 + address 77.68.76.102 + address 109.228.37.174 + address 109.228.37.114 + address 109.228.37.240 + address 77.68.112.75 + address 77.68.76.30 + address 109.228.35.110 + address 77.68.77.160 + address 77.68.77.208 + address 77.68.76.152 + address 109.228.39.249 + address 77.68.76.77 + address 77.68.7.160 + address 109.228.40.226 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.75.113 + address 77.68.86.148 + address 77.68.114.183 + address 109.228.40.194 + address 77.68.76.31 + address 77.68.77.72 + address 77.68.90.132 + address 77.68.6.110 + address 77.68.77.26 + address 77.68.76.96 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 77.68.76.234 + address 77.68.120.26 + address 109.228.61.31 + address 77.68.76.59 + address 77.68.120.249 + address 77.68.6.210 + address 213.171.213.41 + address 77.68.77.248 + address 213.171.212.171 + address 77.68.4.22 + address 77.68.119.14 + address 213.171.215.184 + address 77.68.77.202 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.78.229 + address 77.68.77.102 + address 213.171.210.19 + address 77.68.24.59 + address 213.171.213.97 + address 213.171.213.242 + address 77.68.77.205 + address 109.228.48.249 + address 109.228.40.195 + address 77.68.120.229 + address 77.68.127.172 + address 77.68.79.206 + address 77.68.123.250 + address 77.68.28.147 + address 213.171.212.172 + address 185.132.36.148 + address 213.171.208.58 + address 77.68.25.130 + address 109.228.56.242 + address 109.228.46.81 + address 185.132.38.95 + address 185.132.37.83 + address 77.68.117.51 + address 77.68.116.36 + address 77.68.120.45 + address 77.68.25.124 + address 213.171.210.59 + address 213.171.215.43 + address 213.171.215.252 + address 185.132.37.102 + address 109.228.42.232 + address 109.228.52.186 + address 77.68.9.186 + address 77.68.13.76 + address 109.228.36.194 + address 185.132.36.7 + address 185.132.36.24 + address 77.68.77.69 + address 185.132.39.129 + address 185.132.36.17 + address 109.228.40.222 + address 77.68.118.104 + address 77.68.120.31 + address 77.68.74.152 + address 185.132.39.37 + address 77.68.3.52 + address 77.68.87.212 + address 77.68.76.29 + address 77.68.119.188 + address 77.68.74.85 + address 77.68.91.22 + address 77.68.76.88 + address 77.68.4.242 + address 77.68.76.181 + address 77.68.76.161 + address 185.132.39.99 + address 77.68.95.212 + address 77.68.76.219 + address 77.68.27.27 + address 77.68.3.194 + address 77.68.3.144 + address 77.68.3.80 + address 77.68.27.28 + address 77.68.3.247 + address 77.68.3.161 + address 77.68.27.18 + address 77.68.3.121 + address 213.171.214.234 + address 109.228.38.201 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 213.171.211.128 + address 77.68.5.155 + address 77.68.77.231 + address 213.171.214.167 + address 185.132.43.28 + address 213.171.213.42 + address 77.68.76.45 + address 77.68.92.92 + address 77.68.77.233 + address 185.132.40.56 + address 185.132.37.23 + address 77.68.117.29 + address 77.68.75.253 + address 77.68.11.140 + address 77.68.77.215 + address 77.68.20.217 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.76.198 + address 77.68.77.214 + address 77.68.9.75 + address 213.171.210.177 + address 77.68.77.70 + address 77.68.77.149 + address 77.68.76.160 + address 185.132.38.114 + address 77.68.33.48 + address 185.132.40.90 + address 77.68.79.89 + address 77.68.34.28 + address 77.68.76.21 + address 77.68.75.45 + address 77.68.76.176 + address 77.68.77.95 + address 185.132.39.68 + address 185.132.43.164 + address 77.68.76.137 + address 185.132.40.152 + address 77.68.77.249 + address 77.68.24.134 + address 185.132.38.248 + address 77.68.32.43 + address 77.68.120.218 + address 77.68.112.167 + address 77.68.32.31 + address 77.68.32.118 + address 77.68.32.254 + address 77.68.80.26 + address 77.68.17.200 + address 77.68.80.97 + address 77.68.121.119 + address 77.68.74.209 + address 77.68.77.65 + address 185.132.43.6 + address 109.228.46.196 + address 185.132.43.98 + address 77.68.100.150 + address 185.132.41.148 + address 77.68.24.172 + address 77.68.33.197 + address 77.68.5.95 + address 77.68.23.64 + address 77.68.101.124 + address 77.68.5.125 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 109.228.59.247 + address 213.171.208.40 + address 77.68.112.184 + address 77.68.35.116 + address 185.132.40.11 + address 77.68.33.171 + address 77.68.76.111 + address 77.68.76.42 + address 77.68.77.120 + address 77.68.76.183 + address 77.68.118.86 + address 77.68.48.105 + address 77.68.48.81 + address 77.68.49.4 + address 109.228.36.119 + address 77.68.34.26 + address 77.68.115.17 + address 77.68.82.147 + address 77.68.49.12 + address 77.68.8.144 + address 77.68.51.202 + address 77.68.101.64 + address 77.68.103.19 + address 77.68.50.91 + address 77.68.24.63 + address 77.68.118.15 + address 77.68.50.198 + address 77.68.77.59 + address 77.68.49.160 + address 77.68.76.191 + address 77.68.126.101 + address 77.68.76.40 + address 77.68.77.42 + address 77.68.100.134 + address 77.68.100.132 + address 77.68.114.93 + address 185.132.36.60 + address 185.132.40.244 + address 77.68.85.18 + address 213.171.214.102 + address 77.68.50.193 + address 88.208.197.160 + address 88.208.197.10 + address 77.68.102.129 + address 109.228.36.79 + address 185.132.38.182 + address 185.132.41.240 + address 77.68.51.214 + address 88.208.196.123 + address 88.208.215.157 + address 77.68.126.22 + address 77.68.4.180 + address 213.171.212.90 + address 77.68.114.205 + address 185.132.43.71 + address 88.208.215.62 + address 77.68.77.114 + address 77.68.48.202 + address 77.68.112.175 + address 77.68.112.90 + address 185.132.40.166 + address 77.68.76.118 + address 77.68.103.120 + address 77.68.33.24 + address 109.228.58.134 + address 109.228.47.223 + address 77.68.31.96 + address 77.68.103.227 + address 213.171.212.203 + address 88.208.196.92 + address 88.208.196.154 + address 185.132.39.44 + address 77.68.76.248 + address 88.208.198.92 + address 109.228.36.37 + address 77.68.77.144 + address 77.68.126.14 + address 88.208.196.91 + address 77.68.100.77 + address 185.132.37.101 + address 77.68.87.164 + address 77.68.77.76 + address 77.68.76.120 + address 77.68.82.157 + address 77.68.93.164 + address 77.68.76.171 + address 88.208.197.135 + address 88.208.197.118 + address 88.208.197.150 + address 88.208.198.69 + address 77.68.34.139 + address 77.68.21.171 + address 88.208.197.60 + address 77.68.85.27 + address 109.228.37.10 + address 88.208.215.61 + address 88.208.199.249 + address 88.208.212.31 + address 109.228.53.243 + address 77.68.48.89 + address 88.208.212.188 + address 88.208.198.251 + address 77.68.76.112 + address 77.68.48.14 + address 88.208.215.19 + address 77.68.77.75 + address 77.68.117.173 + address 88.208.215.121 + address 109.228.39.41 + address 77.68.88.100 + address 77.68.76.108 + address 77.68.115.142 + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + address 213.171.214.96 + address 88.208.198.66 + address 88.208.198.64 + address 77.68.3.61 + address 77.68.77.219 + address 77.68.77.204 + address 77.68.26.228 + address 77.68.74.232 + address 77.68.118.88 + address 77.68.77.46 + address 77.68.76.48 + address 77.68.76.202 + address 77.68.4.25 + address 77.68.7.114 + address 88.208.197.23 + address 77.68.114.237 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.117.214 + address 88.208.199.141 + address 77.68.77.163 + address 185.132.39.109 + address 77.68.77.44 + address 185.132.37.47 + address 77.68.102.5 + address 77.68.16.247 + address 88.208.212.94 + address 77.68.72.254 + address 77.68.76.212 + address 77.68.77.152 + address 77.68.50.142 + address 88.208.199.46 + address 77.68.78.113 + address 88.208.212.182 + address 77.68.77.181 + address 77.68.15.95 + address 77.68.75.64 + address 213.171.212.71 + address 185.132.40.124 + address 88.208.197.208 + address 88.208.197.129 + address 77.68.76.60 + address 77.68.6.119 + address 77.68.77.185 + address 77.68.77.238 + address 77.68.27.57 + address 77.68.118.102 + address 77.68.79.82 + address 109.228.39.151 + } + address-group G-465-TCP { + address 172.16.255.254 + address 77.68.76.115 + address 77.68.76.141 + address 77.68.76.187 + address 77.68.76.197 + address 77.68.76.209 + address 77.68.76.99 + address 77.68.77.107 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.63 + address 77.68.77.92 + address 77.68.77.99 + address 77.68.77.77 + address 77.68.77.192 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.77.74 + address 77.68.77.100 + address 77.68.116.221 + address 109.228.60.215 + address 77.68.116.52 + address 77.68.7.172 + address 77.68.95.42 + address 77.68.91.128 + address 77.68.24.112 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.23.35 + address 77.68.10.170 + address 77.68.76.234 + address 213.171.213.31 + address 77.68.78.229 + address 213.171.210.19 + address 109.228.52.186 + address 77.68.77.69 + address 109.228.40.222 + address 77.68.87.212 + address 77.68.28.139 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 185.132.43.28 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.33.48 + address 77.68.79.89 + address 77.68.76.21 + address 77.68.80.26 + address 77.68.5.95 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.112.184 + address 77.68.115.17 + address 77.68.82.147 + address 77.68.50.193 + address 88.208.215.61 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.77.204 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.77.185 + address 77.68.79.82 + } + address-group G-587-TCP { + address 172.16.255.254 + address 77.68.76.141 + address 77.68.76.187 + address 77.68.76.197 + address 77.68.76.209 + address 77.68.77.128 + address 77.68.77.129 + address 77.68.77.141 + address 77.68.77.171 + address 77.68.77.190 + address 77.68.77.207 + address 77.68.77.32 + address 77.68.77.33 + address 77.68.77.63 + address 77.68.77.85 + address 77.68.77.92 + address 77.68.77.99 + address 77.68.77.77 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.81.44 + address 77.68.77.100 + address 77.68.92.186 + address 77.68.116.119 + address 77.68.116.221 + address 77.68.120.241 + address 109.228.60.215 + address 77.68.122.241 + address 77.68.116.52 + address 77.68.91.128 + address 77.68.24.112 + address 77.68.77.107 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.77.160 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.23.35 + address 77.68.76.95 + address 77.68.10.170 + address 77.68.76.234 + address 213.171.213.41 + address 213.171.213.31 + address 77.68.78.229 + address 213.171.210.19 + address 109.228.52.186 + address 109.228.40.222 + address 77.68.87.212 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 185.132.43.28 + address 77.68.77.215 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.33.48 + address 77.68.76.21 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.112.184 + address 77.68.115.17 + address 77.68.82.147 + address 77.68.76.191 + address 77.68.50.193 + address 77.68.77.114 + address 88.208.215.61 + address 77.68.76.112 + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + address 88.208.198.66 + address 77.68.77.219 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.77.152 + address 77.68.79.82 + } + address-group G-993-TCP { + address 172.16.255.254 + address 77.68.76.115 + address 77.68.77.129 + address 77.68.77.130 + address 77.68.77.141 + address 77.68.77.150 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.207 + address 77.68.77.22 + address 77.68.77.33 + address 77.68.77.49 + address 77.68.77.56 + address 77.68.77.77 + address 77.68.77.192 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.81.44 + address 77.68.77.74 + address 77.68.77.100 + address 77.68.92.186 + address 77.68.116.119 + address 77.68.116.221 + address 77.68.120.241 + address 77.68.7.172 + address 77.68.91.128 + address 77.68.23.112 + address 77.68.24.112 + address 77.68.77.107 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.86.148 + address 77.68.23.35 + address 77.68.76.95 + address 213.171.215.184 + address 77.68.25.146 + address 213.171.213.31 + address 213.171.210.19 + address 77.68.79.206 + address 77.68.123.250 + address 77.68.77.69 + address 109.228.40.222 + address 77.68.87.212 + address 77.68.91.22 + address 185.132.39.99 + address 77.68.28.139 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 77.68.5.155 + address 185.132.43.28 + address 77.68.77.215 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.33.48 + address 77.68.79.89 + address 77.68.5.95 + address 77.68.4.80 + address 77.68.49.152 + address 213.171.208.40 + address 77.68.115.17 + address 77.68.103.19 + address 185.132.36.60 + address 185.132.40.244 + address 88.208.197.10 + address 77.68.102.129 + address 88.208.215.157 + address 88.208.198.69 + address 88.208.212.188 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.77.204 + address 77.68.74.232 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.123.177 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.79.82 + } + address-group G-995-TCP { + address 172.16.255.254 + address 77.68.76.115 + address 77.68.77.129 + address 77.68.77.171 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.22 + address 77.68.77.33 + address 77.68.77.92 + address 77.68.77.77 + address 77.68.84.147 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.77.74 + address 77.68.77.100 + address 77.68.116.221 + address 77.68.120.241 + address 77.68.7.172 + address 77.68.95.42 + address 77.68.91.128 + address 77.68.23.112 + address 77.68.24.112 + address 77.68.77.107 + address 109.228.37.114 + address 77.68.7.67 + address 77.68.126.51 + address 77.68.79.206 + address 77.68.123.250 + address 109.228.52.186 + address 109.228.40.222 + address 77.68.91.22 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.5.155 + address 185.132.43.28 + address 77.68.77.214 + address 185.132.38.114 + address 77.68.79.89 + address 77.68.80.26 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.103.19 + address 77.68.50.193 + address 88.208.197.10 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.74.232 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.77.185 + } + address-group G-1433-TCP { + address 172.16.255.254 + address 77.68.76.94 + address 77.68.30.164 + address 77.68.10.142 + address 77.68.77.95 + address 77.68.126.101 + address 77.68.76.118 + address 77.68.77.75 + } + address-group G-3306-TCP { + address 172.16.255.254 + address 77.68.76.127 + address 77.68.76.187 + address 77.68.76.252 + address 77.68.76.55 + address 77.68.76.80 + address 77.68.77.21 + address 77.68.77.63 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.92 + address 77.68.76.241 + address 109.228.56.185 + address 77.68.28.145 + address 77.68.76.114 + address 77.68.17.26 + address 77.68.120.241 + address 77.68.6.32 + address 77.68.91.128 + address 109.228.37.114 + address 77.68.76.169 + address 77.68.76.77 + address 77.68.113.117 + address 77.68.86.148 + address 77.68.76.234 + address 77.68.76.59 + address 77.68.77.202 + address 77.68.28.147 + address 109.228.52.186 + address 77.68.117.222 + address 213.171.213.42 + address 77.68.75.253 + address 77.68.77.215 + address 77.68.79.89 + address 77.68.118.15 + address 109.228.36.79 + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + address 77.68.76.48 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.77.44 + address 88.208.212.94 + } + address-group G-3389-TCP { + address 172.16.255.254 + address 77.68.76.116 + address 77.68.76.150 + address 77.68.76.203 + address 77.68.76.220 + address 77.68.76.23 + address 77.68.76.241 + address 77.68.76.35 + address 77.68.76.39 + address 77.68.76.47 + address 77.68.76.49 + address 77.68.76.50 + address 77.68.76.58 + address 77.68.76.75 + address 77.68.76.91 + address 77.68.76.93 + address 77.68.76.94 + address 77.68.76.99 + address 77.68.77.115 + address 77.68.77.156 + address 77.68.77.178 + address 77.68.77.199 + address 77.68.77.236 + address 77.68.77.63 + address 77.68.77.71 + address 77.68.77.97 + address 77.68.77.99 + address 77.68.76.107 + address 77.68.76.26 + address 77.68.76.92 + address 77.68.77.38 + address 77.68.21.78 + address 77.68.94.181 + address 77.68.30.164 + address 77.68.23.158 + address 77.68.27.54 + address 77.68.76.142 + address 77.68.117.202 + address 77.68.116.220 + address 77.68.84.155 + address 77.68.120.146 + address 77.68.119.92 + address 77.68.10.142 + address 77.68.6.105 + address 77.68.4.252 + address 77.68.127.151 + address 77.68.77.228 + address 109.228.40.207 + address 77.68.77.24 + address 109.228.35.110 + address 77.68.76.152 + address 77.68.76.77 + address 77.68.113.117 + address 77.68.6.110 + address 77.68.76.96 + address 77.68.127.172 + address 185.132.37.83 + address 77.68.25.124 + address 77.68.3.52 + address 77.68.114.234 + address 77.68.85.73 + address 109.228.38.201 + address 77.68.26.221 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.76.198 + address 77.68.9.75 + address 77.68.79.89 + address 77.68.77.95 + address 77.68.77.65 + address 77.68.100.150 + address 77.68.101.125 + address 77.68.101.124 + address 213.171.208.40 + address 77.68.12.45 + address 77.68.118.86 + address 77.68.77.59 + address 77.68.126.101 + address 213.171.214.102 + address 88.208.197.160 + address 88.208.215.157 + address 77.68.4.180 + address 185.132.43.71 + address 77.68.31.96 + address 109.228.36.37 + address 77.68.77.76 + address 77.68.82.157 + address 109.228.37.10 + address 77.68.77.75 + address 77.68.117.173 + address 88.208.215.121 + address 77.68.115.142 + address 77.68.33.216 + address 77.68.33.37 + address 77.68.50.90 + address 88.208.198.64 + address 77.68.118.88 + address 77.68.114.237 + address 77.68.50.142 + address 77.68.15.95 + address 77.68.75.64 + address 77.68.77.238 + } + address-group G-8080-TCP { + address 172.16.255.254 + address 77.68.76.57 + address 77.68.76.243 + address 77.68.28.145 + address 77.68.76.114 + address 77.68.76.157 + address 77.68.77.248 + address 77.68.77.202 + address 77.68.24.59 + address 77.68.81.218 + address 77.68.77.105 + address 185.132.40.152 + address 109.228.36.119 + address 77.68.121.127 + address 77.68.116.183 + address 77.68.34.139 + address 77.68.88.100 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.77.163 + address 88.208.212.94 + address 77.68.78.113 + address 77.68.15.95 + address 213.171.212.71 + } + address-group G-8443-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.105 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.148 + address 77.68.76.150 + address 77.68.76.158 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.200 + address 77.68.76.209 + address 77.68.76.217 + address 77.68.76.22 + address 77.68.76.231 + address 77.68.76.235 + address 77.68.76.239 + address 77.68.76.245 + address 77.68.76.247 + address 77.68.76.249 + address 77.68.76.25 + address 77.68.76.251 + address 77.68.76.252 + address 77.68.76.33 + address 77.68.76.37 + address 77.68.76.57 + address 77.68.76.61 + address 77.68.76.74 + address 77.68.76.80 + address 77.68.76.93 + address 77.68.77.100 + address 77.68.77.103 + address 77.68.77.107 + address 77.68.77.108 + address 77.68.77.115 + address 77.68.77.117 + address 77.68.77.128 + address 77.68.77.130 + address 77.68.77.137 + address 77.68.77.139 + address 77.68.77.140 + address 77.68.77.141 + address 77.68.77.151 + address 77.68.77.159 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.207 + address 77.68.77.211 + address 77.68.77.22 + address 77.68.77.227 + address 77.68.77.240 + address 77.68.77.247 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.37 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.56 + address 77.68.77.68 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.88 + address 77.68.77.92 + address 77.68.77.99 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.77.192 + address 77.68.77.254 + address 77.68.77.157 + address 77.68.76.138 + address 77.68.76.139 + address 77.68.76.243 + address 77.68.77.38 + address 77.68.77.62 + address 77.68.91.195 + address 77.68.17.26 + address 77.68.84.147 + address 109.228.56.185 + address 77.68.5.187 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.77.74 + address 77.68.76.115 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.94.181 + address 77.68.30.133 + address 77.68.4.136 + address 77.68.28.145 + address 77.68.24.112 + address 77.68.92.186 + address 77.68.26.216 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.116.119 + address 77.68.76.142 + address 77.68.7.172 + address 77.68.116.221 + address 77.68.89.183 + address 77.68.83.41 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.116.220 + address 109.228.60.215 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.120.241 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.81.141 + address 77.68.116.52 + address 77.68.6.105 + address 77.68.76.229 + address 77.68.4.252 + address 77.68.17.186 + address 77.68.91.128 + address 77.68.22.146 + address 77.68.125.32 + address 109.228.36.229 + address 77.68.31.144 + address 77.68.117.142 + address 109.228.37.174 + address 109.228.37.114 + address 77.68.76.169 + address 77.68.112.75 + address 77.68.77.160 + address 109.228.39.249 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.86.148 + address 77.68.114.183 + address 109.228.40.194 + address 77.68.90.132 + address 77.68.77.26 + address 77.68.76.96 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 77.68.120.26 + address 109.228.61.31 + address 77.68.76.59 + address 77.68.120.249 + address 213.171.213.41 + address 77.68.119.14 + address 213.171.215.184 + address 77.68.77.202 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.77.102 + address 213.171.210.19 + address 213.171.213.97 + address 109.228.48.249 + address 109.228.40.195 + address 77.68.127.172 + address 77.68.79.206 + address 109.228.56.242 + address 109.228.46.81 + address 185.132.38.95 + address 77.68.116.36 + address 77.68.120.45 + address 185.132.37.102 + address 77.68.13.137 + address 109.228.36.194 + address 185.132.36.7 + address 185.132.36.24 + address 77.68.77.69 + address 185.132.39.129 + address 77.68.87.212 + address 77.68.76.29 + address 77.68.76.88 + address 77.68.76.181 + address 77.68.76.161 + address 77.68.85.73 + address 77.68.76.219 + address 109.228.38.201 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.81.218 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 77.68.76.45 + address 185.132.40.56 + address 77.68.75.253 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.77.214 + address 185.132.38.114 + address 185.132.40.90 + address 77.68.79.89 + address 77.68.76.21 + address 77.68.75.45 + address 77.68.24.134 + address 77.68.32.43 + address 77.68.80.26 + address 77.68.17.200 + address 77.68.80.97 + address 77.68.74.209 + address 77.68.77.65 + address 77.68.33.197 + address 77.68.5.95 + address 77.68.23.64 + address 77.68.5.125 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.48.105 + address 77.68.48.81 + address 77.68.49.12 + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 77.68.77.59 + address 77.68.126.101 + address 77.68.76.40 + address 77.68.114.93 + address 77.68.50.193 + address 88.208.197.160 + address 109.228.36.79 + address 185.132.38.182 + address 88.208.196.123 + address 88.208.215.157 + address 77.68.76.118 + address 77.68.103.227 + address 88.208.196.92 + address 185.132.39.44 + address 88.208.198.92 + address 77.68.126.14 + address 88.208.196.91 + address 77.68.100.77 + address 185.132.37.101 + address 77.68.76.120 + address 213.171.212.114 + address 77.68.34.139 + address 88.208.215.61 + address 88.208.212.31 + address 109.228.53.243 + address 77.68.103.56 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.77.219 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.77.44 + address 77.68.72.254 + address 77.68.78.113 + address 213.171.212.71 + address 185.132.40.124 + address 88.208.197.208 + address 77.68.77.238 + address 77.68.79.82 + } + address-group G-8447-TCP { + address 172.16.255.254 + address 77.68.76.104 + address 77.68.76.105 + address 77.68.76.127 + address 77.68.76.136 + address 77.68.76.141 + address 77.68.76.148 + address 77.68.76.150 + address 77.68.76.158 + address 77.68.76.187 + address 77.68.76.195 + address 77.68.76.197 + address 77.68.76.20 + address 77.68.76.209 + address 77.68.76.22 + address 77.68.76.231 + address 77.68.76.235 + address 77.68.76.239 + address 77.68.76.245 + address 77.68.76.25 + address 77.68.76.252 + address 77.68.76.33 + address 77.68.76.37 + address 77.68.76.57 + address 77.68.76.61 + address 77.68.76.74 + address 77.68.76.93 + address 77.68.77.100 + address 77.68.77.103 + address 77.68.77.107 + address 77.68.77.108 + address 77.68.77.117 + address 77.68.77.128 + address 77.68.77.130 + address 77.68.77.137 + address 77.68.77.139 + address 77.68.77.141 + address 77.68.77.151 + address 77.68.77.159 + address 77.68.77.176 + address 77.68.77.190 + address 77.68.77.200 + address 77.68.77.201 + address 77.68.77.207 + address 77.68.77.211 + address 77.68.77.22 + address 77.68.77.227 + address 77.68.77.240 + address 77.68.77.247 + address 77.68.77.253 + address 77.68.77.32 + address 77.68.77.37 + address 77.68.77.49 + address 77.68.77.50 + address 77.68.77.56 + address 77.68.77.68 + address 77.68.77.81 + address 77.68.77.85 + address 77.68.77.88 + address 77.68.77.92 + address 77.68.77.99 + address 77.68.76.211 + address 77.68.76.19 + address 77.68.77.192 + address 77.68.77.254 + address 77.68.77.157 + address 77.68.76.138 + address 77.68.76.139 + address 77.68.91.195 + address 77.68.17.26 + address 109.228.56.185 + address 77.68.84.147 + address 77.68.5.187 + address 77.68.4.24 + address 77.68.4.74 + address 77.68.6.202 + address 77.68.5.241 + address 77.68.77.74 + address 77.68.81.44 + address 77.68.90.106 + address 77.68.94.181 + address 77.68.4.136 + address 77.68.28.145 + address 77.68.24.112 + address 77.68.92.186 + address 77.68.26.216 + address 77.68.20.231 + address 77.68.118.17 + address 77.68.116.119 + address 77.68.76.142 + address 77.68.7.172 + address 77.68.83.41 + address 77.68.116.221 + address 77.68.86.40 + address 77.68.88.164 + address 109.228.56.26 + address 77.68.7.123 + address 77.68.116.220 + address 109.228.60.215 + address 77.68.7.186 + address 77.68.93.246 + address 77.68.120.241 + address 77.68.122.195 + address 77.68.122.89 + address 77.68.81.141 + address 77.68.116.52 + address 77.68.6.105 + address 77.68.76.229 + address 77.68.4.252 + address 77.68.17.186 + address 77.68.91.128 + address 77.68.22.146 + address 77.68.125.32 + address 109.228.36.229 + address 77.68.31.144 + address 77.68.117.142 + address 109.228.37.174 + address 109.228.37.114 + address 77.68.112.75 + address 77.68.77.160 + address 109.228.39.249 + address 77.68.7.67 + address 77.68.113.117 + address 77.68.126.51 + address 77.68.86.148 + address 77.68.114.183 + address 109.228.40.194 + address 77.68.90.132 + address 77.68.76.96 + address 77.68.77.30 + address 77.68.76.95 + address 77.68.10.170 + address 109.228.61.31 + address 77.68.76.59 + address 77.68.120.249 + address 213.171.213.41 + address 213.171.215.184 + address 77.68.25.146 + address 213.171.213.31 + address 77.68.77.102 + address 213.171.210.19 + address 213.171.213.97 + address 109.228.48.249 + address 77.68.127.172 + address 77.68.79.206 + address 109.228.56.242 + address 109.228.46.81 + address 185.132.38.95 + address 77.68.116.36 + address 109.228.36.194 + address 185.132.36.7 + address 185.132.36.24 + address 77.68.77.69 + address 185.132.39.129 + address 77.68.87.212 + address 77.68.76.88 + address 77.68.76.181 + address 77.68.76.219 + address 185.132.39.219 + address 77.68.28.139 + address 77.68.4.111 + address 77.68.77.174 + address 77.68.117.222 + address 77.68.77.231 + address 77.68.76.45 + address 185.132.40.56 + address 77.68.10.152 + address 77.68.73.73 + address 77.68.77.214 + address 185.132.38.114 + address 185.132.40.90 + address 77.68.79.89 + address 77.68.76.21 + address 77.68.75.45 + address 77.68.24.134 + address 77.68.32.43 + address 77.68.80.26 + address 77.68.17.200 + address 77.68.80.97 + address 77.68.74.209 + address 77.68.33.197 + address 77.68.5.95 + address 77.68.5.125 + address 77.68.100.167 + address 77.68.4.80 + address 77.68.49.152 + address 77.68.48.105 + address 77.68.48.81 + address 77.68.49.12 + address 213.171.212.89 + address 77.68.76.44 + address 77.68.77.239 + address 77.68.77.59 + address 77.68.126.101 + address 77.68.114.93 + address 77.68.50.193 + address 88.208.197.160 + address 109.228.36.79 + address 185.132.38.182 + address 88.208.196.123 + address 88.208.215.157 + address 77.68.76.118 + address 77.68.103.227 + address 88.208.196.92 + address 185.132.39.44 + address 88.208.198.92 + address 77.68.126.14 + address 88.208.196.91 + address 77.68.100.77 + address 185.132.37.101 + address 77.68.76.120 + address 213.171.212.114 + address 77.68.34.139 + address 88.208.215.61 + address 88.208.212.31 + address 109.228.53.243 + address 77.68.103.56 + address 213.171.214.96 + address 88.208.198.66 + address 77.68.77.219 + address 77.68.77.204 + address 77.68.76.48 + address 77.68.4.25 + address 77.68.7.114 + address 77.68.77.222 + address 77.68.112.83 + address 77.68.72.254 + address 77.68.78.113 + address 213.171.212.71 + address 185.132.40.124 + address 88.208.197.208 + address 77.68.79.82 + } + address-group G-10000-TCP { + address 172.16.255.254 + address 77.68.76.177 + address 77.68.76.54 + address 77.68.30.133 + address 77.68.76.114 + address 77.68.11.140 + address 77.68.76.112 + address 77.68.78.113 + } + address-group LAN_ADDRESSES { + address 10.255.255.2 + address 10.255.255.3 + } + address-group MANAGEMENT_ADDRESSES { + address 82.223.200.175 + address 82.223.200.177 + } + address-group NAGIOS_PROBES { + address 77.68.76.16 + address 77.68.77.16 + } + address-group NAS_ARRAYS { + address 10.7.197.251 + address 10.7.197.252 + address 10.7.197.253 + address 10.7.197.254 + } + address-group NAS_DOMAIN_CONTROLLERS { + address 10.7.197.16 + address 10.7.197.17 + } + address-group NLB_ADDRESSES { + address 109.228.63.15 + address 109.228.63.16 + address 109.228.63.132 + address 109.228.63.133 + } + network-group NAS_NETWORKS { + network 10.7.197.0/24 + } + network-group RFC1918 { + network 10.0.0.0/8 + network 172.16.0.0/12 + network 192.168.0.0/16 + } + network-group TRANSFER_NETS { + network 109.228.63.128/25 + } + } + ipv6-receive-redirects disable + ipv6-src-route disable + ip-src-route disable + log-martians enable + name LAN-INBOUND { + default-action drop + rule 10 { + action drop + description "Anti-spoofing non-cluster addresses" + source { + group { + address-group !CLUSTER_ADDRESSES + } + } + } + rule 20 { + action drop + description "Drop traffic to datacenter transfer net" + destination { + group { + network-group TRANSFER_NETS + } + } + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 400 { + action drop + description Anti-spoofing_10.255.255.2 + source { + address 10.255.255.2 + mac-address !00:50:56:af:61:20 + } + } + rule 401 { + action drop + description Anti-spoofing_77.68.126.51 + source { + address 77.68.126.51 + mac-address !00:50:56:03:df:06 + } + } + rule 402 { + action drop + description Anti-spoofing_109.228.36.37 + source { + address 109.228.36.37 + mac-address !00:50:56:38:c4:2c + } + } + rule 403 { + action drop + description Anti-spoofing_77.68.117.214 + source { + address 77.68.117.214 + mac-address !00:50:56:00:28:c3 + } + } + rule 404 { + action drop + description Anti-spoofing_77.68.127.172 + source { + address 77.68.127.172 + mac-address !00:50:56:08:ce:ec + } + } + rule 405 { + action drop + description Anti-spoofing_77.68.117.142 + source { + address 77.68.117.142 + mac-address !00:50:56:1a:02:40 + } + } + rule 406 { + action drop + description Anti-spoofing_77.68.14.88 + source { + address 77.68.14.88 + mac-address !00:50:56:3c:79:85 + } + } + rule 407 { + action drop + description Anti-spoofing_77.68.17.200 + source { + address 77.68.17.200 + mac-address !00:50:56:0c:1b:57 + } + } + rule 408 { + action drop + description Anti-spoofing_77.68.120.229 + source { + address 77.68.120.229 + mac-address !00:50:56:18:af:65 + } + } + rule 410 { + action drop + description Anti-spoofing_10.255.255.3 + source { + address 10.255.255.3 + mac-address !00:50:56:af:cd:42 + } + } + rule 411 { + action drop + description Anti-spoofing_77.68.4.242 + source { + address 77.68.4.242 + mac-address !00:50:56:25:d9:34 + } + } + rule 412 { + action drop + description Anti-spoofing_77.68.113.117 + source { + address 77.68.113.117 + mac-address !00:50:56:36:ea:1d + } + } + rule 413 { + action drop + description Anti-spoofing_213.171.213.242 + source { + address 213.171.213.242 + mac-address !00:50:56:29:dd:5c + } + } + rule 414 { + action drop + description Anti-spoofing_77.68.86.148 + source { + address 77.68.86.148 + mac-address !00:50:56:01:91:19 + } + } + rule 418 { + action drop + description Anti-spoofing_213.171.212.203 + source { + address 213.171.212.203 + mac-address !00:50:56:01:c3:39 + } + } + rule 419 { + action drop + description Anti-spoofing_77.68.114.234 + source { + address 77.68.114.234 + mac-address !00:50:56:1b:72:cd + } + } + rule 420 { + action drop + description Anti-spoofing_10.255.255.4 + source { + address 10.255.255.4 + mac-address !00:50:56:af:09:7d + } + } + rule 421 { + action drop + description Anti-spoofing_213.171.212.171 + source { + address 213.171.212.171 + mac-address !00:50:56:12:54:58 + } + } + rule 422 { + action drop + description Anti-spoofing_77.68.114.183 + source { + address 77.68.114.183 + mac-address !00:50:56:3d:9b:eb + } + } + rule 423 { + action drop + description Anti-spoofing_213.171.213.41 + source { + address 213.171.213.41 + mac-address !00:50:56:2a:ef:a2 + } + } + rule 424 { + action drop + description Anti-spoofing_77.68.90.132 + source { + address 77.68.90.132 + mac-address !00:50:56:28:04:1e + } + } + rule 425 { + action drop + description Anti-spoofing_10.255.255.5 + source { + address 10.255.255.5 + mac-address !00:50:56:af:3b:bb + } + } + rule 426 { + action drop + description Anti-spoofing_213.171.213.175 + source { + address 213.171.213.175 + mac-address !00:50:56:0d:d4:b1 + } + } + rule 427 { + action drop + description Anti-spoofing_109.228.39.151 + source { + address 109.228.39.151 + mac-address !00:50:56:39:67:8d + } + } + rule 428 { + action drop + description Anti-spoofing_77.68.112.167 + source { + address 77.68.112.167 + mac-address !00:50:56:32:24:c9 + } + } + rule 429 { + action drop + description Anti-spoofing_109.228.40.194 + source { + address 109.228.40.194 + mac-address !00:50:56:19:49:71 + } + } + rule 430 { + action drop + description Anti-spoofing_77.68.76.12 + source { + address 77.68.76.12 + mac-address !00:50:56:af:09:7d + } + } + rule 431 { + action drop + description Anti-spoofing_213.171.213.97 + source { + address 213.171.213.97 + mac-address !00:50:56:15:d9:89 + } + } + rule 432 { + action drop + description Anti-spoofing_77.68.16.247 + source { + address 77.68.16.247 + mac-address !00:50:56:01:49:07 + } + } + rule 433 { + action drop + description Anti-spoofing_77.68.33.48 + source { + address 77.68.33.48 + mac-address !00:50:56:11:0e:07 + } + } + rule 434 { + action drop + description Anti-spoofing_77.68.6.110 + source { + address 77.68.6.110 + mac-address !00:50:56:31:76:8a + } + } + rule 435 { + action drop + description Anti-spoofing_77.68.77.12 + source { + address 77.68.77.12 + mac-address !00:50:56:af:3b:bb + } + } + rule 436 { + action drop + description Anti-spoofing_213.171.215.252 + source { + address 213.171.215.252 + mac-address !00:50:56:11:88:0a + } + } + rule 437 { + action drop + description Anti-spoofing_88.208.197.208 + source { + address 88.208.197.208 + mac-address !00:50:56:1d:97:93 + } + } + rule 438 { + action drop + description Anti-spoofing_213.171.212.89 + source { + address 213.171.212.89 + mac-address !00:50:56:36:8d:bf + } + } + rule 439 { + action drop + description Anti-spoofing_77.68.93.125 + source { + address 77.68.93.125 + mac-address !00:50:56:19:f1:6f + } + } + rule 440 { + action drop + description Anti-spoofing_probe_77.68.76.16 + source { + address 77.68.76.16 + mac-address !00:50:56:aa:48:d4 + } + } + rule 441 { + action drop + description Anti-spoofing_213.171.214.96 + source { + address 213.171.214.96 + mac-address !00:50:56:0c:45:b5 + } + } + rule 442 { + action drop + description Anti-spoofing_77.68.76.176 + source { + address 77.68.76.176 + mac-address !00:50:56:2b:e6:f7 + } + } + rule 444 { + action drop + description Anti-spoofing_213.171.212.172 + source { + address 213.171.212.172 + mac-address !00:50:56:35:ab:43 + } + } + rule 446 { + action drop + description Anti-spoofing_185.132.38.95 + source { + address 185.132.38.95 + mac-address !00:50:56:07:a6:f7 + } + } + rule 447 { + action drop + description Anti-spoofing_185.132.38.248 + source { + address 185.132.38.248 + mac-address !00:50:56:19:e5:16 + } + } + rule 448 { + action drop + description Anti-spoofing_109.228.52.186 + source { + address 109.228.52.186 + mac-address !00:50:56:20:80:4f + } + } + rule 449 { + action drop + description Anti-spoofing_213.171.213.31 + source { + address 213.171.213.31 + mac-address !00:50:56:34:e3:61 + } + } + rule 450 { + action drop + description Anti-spoofing_probe_77.68.77.16 + source { + address 77.68.77.16 + mac-address !00:50:56:aa:4a:32 + } + } + rule 451 { + action drop + description Anti-spoofing_213.171.210.59 + source { + address 213.171.210.59 + mac-address !00:50:56:10:74:b6 + } + } + rule 452 { + action drop + description Anti-spoofing_185.132.36.7 + source { + address 185.132.36.7 + mac-address !00:50:56:17:24:16 + } + } + rule 453 { + action drop + description Anti-spoofing_213.171.212.71 + source { + address 213.171.212.71 + mac-address !00:50:56:1d:50:e0 + } + } + rule 454 { + action drop + description Anti-spoofing_213.171.208.58 + source { + address 213.171.208.58 + mac-address !00:50:56:05:1c:70 + } + } + rule 455 { + action drop + description Anti-spoofing_77.68.77.69 + source { + address 77.68.77.69 + mac-address !00:50:56:17:f9:d1 + } + } + rule 456 { + action drop + description Anti-spoofing_77.68.25.130 + source { + address 77.68.25.130 + mac-address !00:50:56:3c:92:ff + } + } + rule 457 { + action drop + description Anti-spoofing_213.171.215.184 + source { + address 213.171.215.184 + mac-address !00:50:56:18:84:ff + } + } + rule 458 { + action drop + description Anti-spoofing_77.68.74.39 + source { + address 77.68.74.39 + mac-address !00:50:56:0a:41:ee + } + } + rule 459 { + action drop + description Anti-spoofing_109.228.56.242 + source { + address 109.228.56.242 + mac-address !00:50:56:28:8c:ff + } + } + rule 460 { + action drop + description Anti-spoofing_77.68.76.13 + source { + address 77.68.76.13 + mac-address !00:50:56:8f:62:1e + } + } + rule 461 { + action drop + description Anti-spoofing_77.68.13.76 + source { + address 77.68.13.76 + mac-address !00:50:56:2c:c7:38 + } + } + rule 462 { + action drop + description Anti-spoofing_77.68.119.188 + source { + address 77.68.119.188 + mac-address !00:50:56:02:1c:16 + } + } + rule 463 { + action drop + description Anti-spoofing_109.228.46.81 + source { + address 109.228.46.81 + mac-address !00:50:56:31:1f:8a + } + } + rule 464 { + action drop + description Anti-spoofing_77.68.25.146 + source { + address 77.68.25.146 + mac-address !00:50:56:07:cc:76 + } + } + rule 465 { + action drop + description Anti-spoofing_77.68.76.14 + source { + address 77.68.76.14 + mac-address !00:50:56:8f:6a:24 + } + } + rule 466 { + action drop + description Anti-spoofing_77.68.116.36 + source { + address 77.68.116.36 + mac-address !00:50:56:1c:c9:83 + } + } + rule 467 { + action drop + description Anti-spoofing_185.132.43.113 + source { + address 185.132.43.113 + mac-address !00:50:56:22:79:ac + } + } + rule 468 { + action drop + description Anti-spoofing_213.171.210.19 + source { + address 213.171.210.19 + mac-address !00:50:56:32:6c:19 + } + } + rule 469 { + action drop + description Anti-spoofing_77.68.113.164 + source { + address 77.68.113.164 + mac-address !00:50:56:07:28:41 + } + } + rule 470 { + action drop + description Anti-spoofing_77.68.77.13 + source { + address 77.68.77.13 + mac-address !00:50:56:8f:62:1e + } + } + rule 471 { + action drop + description Anti-spoofing_213.171.211.128 + source { + address 213.171.211.128 + mac-address !00:50:56:37:b2:85 + } + } + rule 472 { + action drop + description Anti-spoofing_77.68.120.45 + source { + address 77.68.120.45 + mac-address !00:50:56:13:5e:ca + } + } + rule 473 { + action drop + description Anti-spoofing_77.68.25.124 + source { + address 77.68.25.124 + mac-address !00:50:56:2f:27:08 + } + } + rule 474 { + action drop + description Anti-spoofing_77.68.33.68 + source { + address 77.68.33.68 + mac-address !00:50:56:1c:96:48 + } + } + rule 475 { + action drop + description Anti-spoofing_77.68.77.14 + source { + address 77.68.77.14 + mac-address !00:50:56:8f:6a:24 + } + } + rule 476 { + action drop + description Anti-spoofing_109.228.48.249 + source { + address 109.228.48.249 + mac-address !00:50:56:06:32:ac + } + } + rule 477 { + action drop + description Anti-spoofing_109.228.40.195 + source { + address 109.228.40.195 + mac-address !00:50:56:21:46:3e + } + } + rule 478 { + action drop + description Anti-spoofing_213.171.215.43 + source { + address 213.171.215.43 + mac-address !00:50:56:24:c0:53 + } + } + rule 479 { + action drop + description Anti-spoofing_185.132.37.101 + source { + address 185.132.37.101 + mac-address !00:50:56:2c:08:73 + } + } + rule 480 { + action drop + description Anti-spoofing_109.228.53.243 + source { + address 109.228.53.243 + mac-address !00:50:56:31:d1:1a + } + } + rule 481 { + action drop + description Anti-spoofing_77.68.81.218 + source { + address 77.68.81.218 + mac-address !00:50:56:03:e1:62 + } + } + rule 482 { + action drop + description Anti-spoofing_77.68.102.5 + source { + address 77.68.102.5 + mac-address !00:50:56:12:a3:05 + } + } + rule 483 { + action drop + description Anti-spoofing_77.68.114.93 + source { + address 77.68.114.93 + mac-address !00:50:56:3c:d8:18 + } + } + rule 485 { + action drop + description Anti-spoofing_77.68.76.137 + source { + address 77.68.76.137 + mac-address !00:50:56:25:38:78 + } + } + rule 486 { + action drop + description Anti-spoofing_77.68.75.253 + source { + address 77.68.75.253 + mac-address !00:50:56:32:f9:d7 + } + } + rule 487 { + action drop + description Anti-spoofing_77.68.6.119 + source { + address 77.68.6.119 + mac-address !00:50:56:2a:06:e0 + } + } + rule 488 { + action drop + description Anti-spoofing_185.132.39.68 + source { + address 185.132.39.68 + mac-address !00:50:56:22:2e:b5 + } + } + rule 489 { + action drop + description Anti-spoofing_77.68.5.95 + source { + address 77.68.5.95 + mac-address !00:50:56:34:d6:94 + } + } + rule 490 { + action drop + description Anti-spoofing_109.228.36.194 + source { + address 109.228.36.194 + mac-address !00:50:56:02:d4:bb + } + } + rule 491 { + action drop + description Anti-spoofing_77.68.34.50 + source { + address 77.68.34.50 + mac-address !00:50:56:07:df:24 + } + } + rule 492 { + action drop + description Anti-spoofing_77.68.27.18 + source { + address 77.68.27.18 + mac-address !00:50:56:1c:9d:9e + } + } + rule 493 { + action drop + description Anti-spoofing_77.68.28.147 + source { + address 77.68.28.147 + mac-address !00:50:56:29:e0:70 + } + } + rule 494 { + action drop + description Anti-spoofing_77.68.123.250 + source { + address 77.68.123.250 + mac-address !00:50:56:0d:49:c0 + } + } + rule 495 { + action drop + description Anti-spoofing_185.132.39.129 + source { + address 185.132.39.129 + mac-address !00:50:56:29:5a:4c + } + } + rule 496 { + action drop + description Anti-spoofing_185.132.36.24 + source { + address 185.132.36.24 + mac-address !00:50:56:12:df:2d + } + } + rule 497 { + action drop + description Anti-spoofing_185.132.38.114 + source { + address 185.132.38.114 + mac-address !00:50:56:1d:ce:df + } + } + rule 498 { + action drop + description Anti-spoofing_185.132.36.148 + source { + address 185.132.36.148 + mac-address !00:50:56:04:d1:7e + } + } + rule 499 { + action drop + description Anti-spoofing_185.132.36.142 + source { + address 185.132.36.142 + mac-address !00:50:56:13:22:d1 + } + } + rule 500 { + action drop + description Anti-spoofing_77.68.77.67 + source { + address 77.68.77.67 + mac-address !00:50:56:26:3e:0a + } + } + rule 501 { + action drop + description Anti-spoofing_185.132.39.44 + source { + address 185.132.39.44 + mac-address !00:50:56:32:a0:22 + } + } + rule 502 { + action drop + description Anti-spoofing_77.68.76.114 + source { + address 77.68.76.114 + mac-address !00:50:56:32:42:42 + } + } + rule 503 { + action drop + description Anti-spoofing_77.68.77.103 + source { + address 77.68.77.103 + mac-address !00:50:56:1e:6d:9b + } + } + rule 504 { + action drop + description Anti-spoofing_77.68.77.130 + source { + address 77.68.77.130 + mac-address !00:50:56:24:79:76 + } + } + rule 505 { + action drop + description Anti-spoofing_77.68.76.245 + source { + address 77.68.76.245 + mac-address !00:50:56:1d:0f:83 + } + } + rule 506 { + action drop + description Anti-spoofing_77.68.118.17 + source { + address 77.68.118.17 + mac-address !00:50:56:18:d3:d1 + } + } + rule 507 { + action drop + description Anti-spoofing_77.68.79.82 + source { + address 77.68.79.82 + mac-address !00:50:56:22:e9:9e + } + } + rule 509 { + action drop + description Anti-spoofing_77.68.77.85 + source { + address 77.68.77.85 + mac-address !00:50:56:1d:40:33 + } + } + rule 510 { + action drop + description Anti-spoofing_77.68.76.45 + source { + address 77.68.76.45 + mac-address !00:50:56:18:dc:fe + } + } + rule 511 { + action drop + description Anti-spoofing_77.68.77.144 + source { + address 77.68.77.144 + mac-address !00:50:56:3c:9a:1a + } + } + rule 512 { + action drop + description Anti-spoofing_77.68.77.105 + source { + address 77.68.77.105 + mac-address !00:50:56:1f:f9:c9 + } + } + rule 513 { + action drop + description Anti-spoofing_77.68.12.250 + source { + address 77.68.12.250 + mac-address !00:50:56:3e:06:ca + } + } + rule 514 { + action drop + description Anti-spoofing_77.68.76.76 + source { + address 77.68.76.76 + mac-address !00:50:56:03:1f:db + } + } + rule 515 { + action drop + description Anti-spoofing_185.132.36.17 + source { + address 185.132.36.17 + mac-address !00:50:56:36:7a:94 + } + } + rule 516 { + action drop + description Anti-spoofing_77.68.76.122 + source { + address 77.68.76.122 + mac-address !00:50:56:20:3d:43 + } + } + rule 517 { + action drop + description Anti-spoofing_77.68.76.104 + source { + address 77.68.76.104 + mac-address !00:50:56:3c:80:ff + } + } + rule 518 { + action drop + description Anti-spoofing_77.68.114.136 + source { + address 77.68.114.136 + mac-address !00:50:56:38:34:6e + } + } + rule 519 { + action drop + description Anti-spoofing_77.68.77.115 + source { + address 77.68.77.115 + mac-address !00:50:56:2c:ad:ee + } + } + rule 520 { + action drop + description Anti-spoofing_77.68.77.178 + source { + address 77.68.77.178 + mac-address !00:50:56:14:c1:42 + } + } + rule 521 { + action drop + description Anti-spoofing_77.68.76.239 + source { + address 77.68.76.239 + mac-address !00:50:56:0d:5a:47 + } + } + rule 522 { + action drop + description Anti-spoofing_77.68.87.164 + source { + address 77.68.87.164 + mac-address !00:50:56:11:19:46 + } + } + rule 523 { + action drop + description Anti-spoofing_77.68.15.95 + source { + address 77.68.15.95 + mac-address !00:50:56:16:04:4e + } + } + rule 524 { + action drop + description Anti-spoofing_77.68.4.39 + source { + address 77.68.4.39 + mac-address !00:50:56:06:57:b6 + } + } + rule 525 { + action drop + description Anti-spoofing_77.68.76.30 + source { + address 77.68.76.30 + mac-address !00:50:56:25:b8:e3 + } + } + rule 526 { + action drop + description Anti-spoofing_77.68.77.249 + source { + address 77.68.77.249 + mac-address !00:50:56:36:5f:b3 + } + } + rule 527 { + action drop + description Anti-spoofing_77.68.76.59 + source { + address 77.68.76.59 + mac-address !00:50:56:06:e8:bb + } + } + rule 528 { + action drop + description Anti-spoofing_77.68.8.144 + source { + address 77.68.8.144 + mac-address !00:50:56:28:58:e5 + } + } + rule 529 { + action drop + description Anti-spoofing_77.68.77.44 + source { + address 77.68.77.44 + mac-address !00:50:56:31:c0:9d + } + } + rule 530 { + action drop + description Anti-spoofing_77.68.77.200 + source { + address 77.68.77.200 + mac-address !00:50:56:15:2e:a4 + } + } + rule 531 { + action drop + description Anti-spoofing_77.68.77.228 + source { + address 77.68.77.228 + mac-address !00:50:56:23:e4:44 + } + } + rule 532 { + action drop + description Anti-spoofing_77.68.4.25 + source { + address 77.68.4.25 + mac-address !00:50:56:33:0d:5e + } + } + rule 534 { + action drop + description Anti-spoofing_77.68.76.191 + source { + address 77.68.76.191 + mac-address !00:50:56:10:72:7c + } + } + rule 535 { + action drop + description Anti-spoofing_77.68.117.29 + source { + address 77.68.117.29 + mac-address !00:50:56:0c:e4:e3 + } + } + rule 536 { + action drop + description Anti-spoofing_213.171.212.90 + source { + address 213.171.212.90 + mac-address !00:50:56:35:fc:da + } + } + rule 537 { + action drop + description Anti-spoofing_77.68.76.102 + source { + address 77.68.76.102 + mac-address !00:50:56:35:87:43 + } + } + rule 538 { + action drop + description Anti-spoofing_185.132.39.37 + source { + address 185.132.39.37 + mac-address !00:50:56:21:72:64 + } + } + rule 539 { + action drop + description Anti-spoofing_185.132.38.142 + source { + address 185.132.38.142 + mac-address !00:50:56:09:e8:30 + } + } + rule 540 { + action drop + description Anti-spoofing_77.68.77.26 + source { + address 77.68.77.26 + mac-address !00:50:56:10:ec:c2 + } + } + rule 541 { + action drop + description Anti-spoofing_77.68.76.152 + source { + address 77.68.76.152 + mac-address !00:50:56:2b:79:48 + } + } + rule 542 { + action drop + description Anti-spoofing_185.132.37.83 + source { + address 185.132.37.83 + mac-address !00:50:56:09:b3:41 + } + } + rule 543 { + action drop + description Anti-spoofing_77.68.77.212 + source { + address 77.68.77.212 + mac-address !00:50:56:07:ab:f2 + } + } + rule 544 { + action drop + description Anti-spoofing_77.68.75.64 + source { + address 77.68.75.64 + mac-address !00:50:56:07:e2:85 + } + } + rule 546 { + action drop + description Anti-spoofing_77.68.85.73 + source { + address 77.68.85.73 + mac-address !00:50:56:14:68:9c + } + } + rule 547 { + action drop + description Anti-spoofing_77.68.116.119 + source { + address 77.68.116.119 + mac-address !00:50:56:0f:68:91 + } + } + rule 548 { + action drop + description Anti-spoofing_77.68.76.142 + source { + address 77.68.76.142 + mac-address !50:9a:4c:74:07:ea + } + } + rule 549 { + action drop + description Anti-spoofing_77.68.76.211 + source { + address 77.68.76.211 + mac-address !00:50:56:18:9d:15 + } + } + rule 550 { + action drop + description Anti-spoofing_77.68.76.60 + source { + address 77.68.76.60 + mac-address !00:50:56:2b:07:02 + } + } + rule 551 { + action drop + description Anti-spoofing_77.68.77.253 + source { + address 77.68.77.253 + mac-address !00:50:56:30:a5:77 + } + } + rule 552 { + action drop + description Anti-spoofing_77.68.75.245 + source { + address 77.68.75.245 + mac-address !00:50:56:12:00:e9 + } + } + rule 553 { + action drop + description Anti-spoofing_185.132.37.102 + source { + address 185.132.37.102 + mac-address !00:50:56:3d:ae:26 + } + } + rule 554 { + action drop + description Anti-spoofing_77.68.120.31 + source { + address 77.68.120.31 + mac-address !00:50:56:1f:29:84 + } + } + rule 555 { + action drop + description Anti-spoofing_77.68.76.54 + source { + address 77.68.76.54 + mac-address !00:50:56:30:b4:74 + } + } + rule 556 { + action drop + description Anti-spoofing_88.208.196.154 + source { + address 88.208.196.154 + mac-address !00:50:56:14:6f:a8 + } + } + rule 557 { + action drop + description Anti-spoofing_185.132.40.152 + source { + address 185.132.40.152 + mac-address !00:50:56:24:25:3c + } + } + rule 558 { + action drop + description Anti-spoofing_77.68.76.33 + source { + address 77.68.76.33 + mac-address !00:50:56:3c:9b:bc + } + } + rule 559 { + action drop + description Anti-spoofing_77.68.12.195 + source { + address 77.68.12.195 + mac-address !00:50:56:3d:52:1a + } + } + rule 560 { + action drop + description Anti-spoofing_77.68.77.114 + source { + address 77.68.77.114 + mac-address !00:50:56:06:80:89 + } + } + rule 561 { + action drop + description Anti-spoofing_77.68.77.176 + source { + address 77.68.77.176 + mac-address !00:50:56:3e:2b:da + } + } + rule 562 { + action drop + description Anti-spoofing_109.228.40.222 + source { + address 109.228.40.222 + mac-address !00:50:56:0a:dc:63 + } + } + rule 563 { + action drop + description Anti-spoofing_77.68.77.219 + source { + address 77.68.77.219 + mac-address !00:50:56:13:82:67 + } + } + rule 564 { + action drop + description Anti-spoofing_77.68.77.19 + source { + address 77.68.77.19 + mac-address !00:50:56:36:e3:b1 + } + } + rule 565 { + action drop + description Anti-spoofing_77.68.74.85 + source { + address 77.68.74.85 + mac-address !00:50:56:13:b7:2d + } + } + rule 566 { + action drop + description Anti-spoofing_77.68.116.221 + source { + address 77.68.116.221 + mac-address !00:50:56:24:67:bd + } + } + rule 567 { + action drop + description Anti-spoofing_77.68.77.22 + source { + address 77.68.77.22 + mac-address !00:50:56:07:09:ae + } + } + rule 568 { + action drop + description Anti-spoofing_77.68.112.184 + source { + address 77.68.112.184 + mac-address !00:50:56:2a:db:d3 + } + } + rule 569 { + action drop + description Anti-spoofing_77.68.77.248 + source { + address 77.68.77.248 + mac-address !00:50:56:18:03:92 + } + } + rule 570 { + action drop + description Anti-spoofing_77.68.76.161 + source { + address 77.68.76.161 + mac-address !00:50:56:34:57:75 + } + } + rule 571 { + action drop + description Anti-spoofing_77.68.77.56 + source { + address 77.68.77.56 + mac-address !00:50:56:38:22:ae + } + } + rule 572 { + action drop + description Anti-spoofing_77.68.77.129 + source { + address 77.68.77.129 + mac-address !00:50:56:08:d9:20 + } + } + rule 573 { + action drop + description Anti-spoofing_77.68.77.205 + source { + address 77.68.77.205 + mac-address !00:50:56:35:f1:c3 + } + } + rule 574 { + action drop + description Anti-spoofing_77.68.77.140 + source { + address 77.68.77.140 + mac-address !00:50:56:1b:2d:c7 + } + } + rule 575 { + action drop + description Anti-spoofing_77.68.120.146 + source { + address 77.68.120.146 + mac-address !00:50:56:0d:fb:7b + } + } + rule 576 { + action drop + description Anti-spoofing_77.68.78.73 + source { + address 77.68.78.73 + mac-address !00:50:56:14:4b:f4 + } + } + rule 577 { + action drop + description Anti-spoofing_77.68.76.177 + source { + address 77.68.76.177 + mac-address !00:50:56:26:ac:11 + } + } + rule 578 { + action drop + description Anti-spoofing_77.68.77.117 + source { + address 77.68.77.117 + mac-address !00:50:56:09:4d:ce + } + } + rule 579 { + action drop + description Anti-spoofing_77.68.77.108 + source { + address 77.68.77.108 + mac-address !00:50:56:3a:b7:59 + } + } + rule 580 { + action drop + description Anti-spoofing_77.68.7.222 + source { + address 77.68.7.222 + mac-address !00:50:56:36:cc:37 + } + } + rule 581 { + action drop + description Anti-spoofing_77.68.76.50 + source { + address 77.68.76.50 + mac-address !00:50:56:34:78:88 + } + } + rule 582 { + action drop + description Anti-spoofing_77.68.77.192 + source { + address 77.68.77.192 + mac-address !00:50:56:0f:eb:a4 + } + } + rule 583 { + action drop + description Anti-spoofing_77.68.76.217 + source { + address 77.68.76.217 + mac-address !00:50:56:29:6d:a9 + } + } + rule 584 { + action drop + description Anti-spoofing_77.68.92.186 + source { + address 77.68.92.186 + mac-address !00:50:56:08:8b:d0 + } + } + rule 585 { + action drop + description Anti-spoofing_77.68.76.165 + source { + address 77.68.76.165 + mac-address !00:50:56:19:74:17 + } + } + rule 586 { + action drop + description Anti-spoofing_77.68.91.22 + source { + address 77.68.91.22 + mac-address !00:50:56:2e:2c:cb + } + } + rule 587 { + action drop + description Anti-spoofing_77.68.77.160 + source { + address 77.68.77.160 + mac-address !00:50:56:27:75:65 + } + } + rule 588 { + action drop + description Anti-spoofing_77.68.77.30 + source { + address 77.68.77.30 + mac-address !00:50:56:3b:95:8f + } + } + rule 589 { + action drop + description Anti-spoofing_77.68.77.21 + source { + address 77.68.77.21 + mac-address !00:50:56:34:cd:82 + } + } + rule 590 { + action drop + description Anti-spoofing_77.68.76.29 + source { + address 77.68.76.29 + mac-address !00:50:56:2f:a3:ef + } + } + rule 591 { + action drop + description Anti-spoofing_213.171.212.136 + source { + address 213.171.212.136 + mac-address !00:50:56:19:fb:be + } + } + rule 592 { + action drop + description Anti-spoofing_77.68.76.158 + source { + address 77.68.76.158 + mac-address !00:50:56:36:97:69 + } + } + rule 593 { + action drop + description Anti-spoofing_77.68.76.203 + source { + address 77.68.76.203 + mac-address !00:50:56:2f:48:47 + } + } + rule 594 { + action drop + description Anti-spoofing_77.68.77.243 + source { + address 77.68.77.243 + mac-address !00:50:56:20:1f:c4 + } + } + rule 595 { + action drop + description Anti-spoofing_77.68.77.54 + source { + address 77.68.77.54 + mac-address !00:50:56:0e:da:e1 + } + } + rule 596 { + action drop + description Anti-spoofing_77.68.76.22 + source { + address 77.68.76.22 + mac-address !00:50:56:1b:a3:e6 + } + } + rule 597 { + action drop + description Anti-spoofing_77.68.103.120 + source { + address 77.68.103.120 + mac-address !00:50:56:1f:cb:8e + } + } + rule 598 { + action drop + description Anti-spoofing_109.228.37.174 + source { + address 109.228.37.174 + mac-address !00:50:56:1d:0f:a0 + } + } + rule 599 { + action drop + description Anti-spoofing_77.68.17.26 + source { + address 77.68.17.26 + mac-address !00:50:56:13:4a:e1 + } + } + rule 600 { + action drop + description Anti-spoofing_77.68.76.25 + source { + address 77.68.76.25 + mac-address !00:50:56:1f:54:d9 + } + } + rule 601 { + action drop + description Anti-spoofing_77.68.76.21 + source { + address 77.68.76.21 + mac-address !00:50:56:15:a8:33 + } + } + rule 602 { + action drop + description Anti-spoofing_77.68.77.221 + source { + address 77.68.77.221 + mac-address !00:50:56:06:2a:ae + } + } + rule 603 { + action drop + description Anti-spoofing_77.68.77.76 + source { + address 77.68.77.76 + mac-address !00:50:56:18:01:78 + } + } + rule 604 { + action drop + description Anti-spoofing_77.68.76.127 + source { + address 77.68.76.127 + mac-address !00:50:56:24:a4:85 + } + } + rule 605 { + action drop + description Anti-spoofing_77.68.77.139 + source { + address 77.68.77.139 + mac-address !00:50:56:3b:1e:be + } + } + rule 606 { + action drop + description Anti-spoofing_77.68.77.240 + source { + address 77.68.77.240 + mac-address !00:50:56:2b:d5:dd + } + } + rule 607 { + action drop + description Anti-spoofing_185.132.38.216 + source { + address 185.132.38.216 + mac-address !00:50:56:26:a7:47 + } + } + rule 608 { + action drop + description Anti-spoofing_77.68.76.39 + source { + address 77.68.76.39 + mac-address !00:50:56:1e:0d:c1 + } + } + rule 609 { + action drop + description Anti-spoofing_77.68.76.149 + source { + address 77.68.76.149 + mac-address !00:50:56:32:30:e7 + } + } + rule 610 { + action drop + description Anti-spoofing_77.68.77.57 + source { + address 77.68.77.57 + mac-address !00:50:56:26:33:75 + } + } + rule 611 { + action drop + description Anti-spoofing_77.68.77.185 + source { + address 77.68.77.185 + mac-address !00:50:56:22:72:c9 + } + } + rule 612 { + action drop + description Anti-spoofing_77.68.76.116 + source { + address 77.68.76.116 + mac-address !00:50:56:09:f2:df + } + } + rule 613 { + action drop + description Anti-spoofing_77.68.95.212 + source { + address 77.68.95.212 + mac-address !00:50:56:21:4b:e6 + } + } + rule 614 { + action drop + description Anti-spoofing_77.68.76.160 + source { + address 77.68.76.160 + mac-address !00:50:56:3a:fa:b3 + } + } + rule 615 { + action drop + description Anti-spoofing_77.68.77.70 + source { + address 77.68.77.70 + mac-address !00:50:56:37:9d:47 + } + } + rule 616 { + action drop + description Anti-spoofing_77.68.77.149 + source { + address 77.68.77.149 + mac-address !00:50:56:2c:f8:51 + } + } + rule 617 { + action drop + description Anti-spoofing_77.68.76.57 + source { + address 77.68.76.57 + mac-address !00:50:56:32:d9:0f + } + } + rule 618 { + action drop + description Anti-spoofing_77.68.76.115 + source { + address 77.68.76.115 + mac-address !00:50:56:09:67:90 + } + } + rule 619 { + action drop + description Anti-spoofing_185.132.41.72 + source { + address 185.132.41.72 + mac-address !00:50:56:2b:aa:79 + } + } + rule 620 { + action drop + description Anti-spoofing_77.68.84.155 + source { + address 77.68.84.155 + mac-address !00:50:56:05:52:76 + } + } + rule 621 { + action drop + description Anti-spoofing_77.68.76.200 + source { + address 77.68.76.200 + mac-address !00:50:56:00:5f:48 + } + } + rule 622 { + action drop + description Anti-spoofing_77.68.76.23 + source { + address 77.68.76.23 + mac-address !00:50:56:27:eb:9b + } + } + rule 623 { + action drop + description Anti-spoofing_77.68.77.46 + source { + address 77.68.77.46 + mac-address !00:50:56:22:73:37 + } + } + rule 624 { + action drop + description Anti-spoofing_77.68.91.195 + source { + address 77.68.91.195 + mac-address !00:50:56:09:f1:74 + } + } + rule 625 { + action drop + description Anti-spoofing_77.68.76.198 + source { + address 77.68.76.198 + mac-address !00:50:56:05:4b:16 + } + } + rule 626 { + action drop + description Anti-spoofing_77.68.77.141 + source { + address 77.68.77.141 + mac-address !00:50:56:0c:04:05 + } + } + rule 627 { + action drop + description Anti-spoofing_77.68.77.50 + source { + address 77.68.77.50 + mac-address !00:50:56:2d:5b:c6 + } + } + rule 628 { + action drop + description Anti-spoofing_77.68.77.128 + source { + address 77.68.77.128 + mac-address !00:50:56:27:0f:74 + } + } + rule 629 { + action drop + description Anti-spoofing_77.68.115.142 + source { + address 77.68.115.142 + mac-address !00:50:56:1b:e1:25 + } + } + rule 630 { + action drop + description Anti-spoofing_77.68.77.88 + source { + address 77.68.77.88 + mac-address !00:50:56:2b:db:7e + } + } + rule 631 { + action drop + description Anti-spoofing_77.68.4.74 + source { + address 77.68.4.74 + mac-address !00:50:56:0f:22:a5 + } + } + rule 632 { + action drop + description Anti-spoofing_77.68.76.80 + source { + address 77.68.76.80 + mac-address !00:50:56:1f:17:01 + } + } + rule 633 { + action drop + description Anti-spoofing_77.68.76.35 + source { + address 77.68.76.35 + mac-address !00:50:56:30:e3:a1 + } + } + rule 634 { + action drop + description Anti-spoofing_77.68.77.204 + source { + address 77.68.77.204 + mac-address !00:50:56:23:70:3a + } + } + rule 635 { + action drop + description Anti-spoofing_77.68.77.201 + source { + address 77.68.77.201 + mac-address !50:9a:4c:74:06:06 + } + } + rule 636 { + action drop + description Anti-spoofing_77.68.77.97 + source { + address 77.68.77.97 + mac-address !00:50:56:2f:48:47 + } + } + rule 637 { + action drop + description Anti-spoofing_77.68.76.195 + source { + address 77.68.76.195 + mac-address !00:50:56:14:c5:49 + } + } + rule 638 { + action drop + description Anti-spoofing_77.68.76.202 + source { + address 77.68.76.202 + mac-address !00:50:56:07:3c:3c + } + } + rule 640 { + action drop + description Anti-spoofing_77.68.76.157 + source { + address 77.68.76.157 + mac-address !00:50:56:35:c8:20 + } + } + rule 641 { + action drop + description Anti-spoofing_213.171.212.114 + source { + address 213.171.212.114 + mac-address !00:50:56:11:7f:32 + } + } + rule 642 { + action drop + description Anti-spoofing_77.68.77.159 + source { + address 77.68.77.159 + mac-address !00:50:56:14:d8:f0 + } + } + rule 643 { + action drop + description Anti-spoofing_213.171.214.234 + source { + address 213.171.214.234 + mac-address !00:50:56:29:94:38 + } + } + rule 644 { + action drop + description Anti-spoofing_77.68.76.48 + source { + address 77.68.76.48 + mac-address !00:50:56:33:38:d6 + } + } + rule 645 { + action drop + description Anti-spoofing_77.68.76.118 + source { + address 77.68.76.118 + mac-address !00:50:56:1c:cd:d3 + } + } + rule 646 { + action drop + description Anti-spoofing_77.68.76.38 + source { + address 77.68.76.38 + mac-address !00:50:56:01:59:2a + } + } + rule 647 { + action drop + description Anti-spoofing_77.68.31.144 + source { + address 77.68.31.144 + mac-address !00:50:56:01:89:fb + } + } + rule 648 { + action drop + description Anti-spoofing_77.68.23.35 + source { + address 77.68.23.35 + mac-address !00:50:56:3b:1f:ee + } + } + rule 649 { + action drop + description Anti-spoofing_77.68.4.80 + source { + address 77.68.4.80 + mac-address !00:50:56:1a:06:95 + } + } + rule 650 { + action drop + description Anti-spoofing_77.68.127.151 + source { + address 77.68.127.151 + mac-address !00:50:56:32:48:a6 + } + } + rule 651 { + action drop + description Anti-spoofing_77.68.77.203 + source { + address 77.68.77.203 + mac-address !00:50:56:11:05:40 + } + } + rule 652 { + action drop + description Anti-spoofing_77.68.77.233 + source { + address 77.68.77.233 + mac-address !00:50:56:37:0e:b3 + } + } + rule 653 { + action drop + description Anti-spoofing_77.68.77.163 + source { + address 77.68.77.163 + mac-address !00:50:56:08:a3:b4 + } + } + rule 654 { + action drop + description Anti-spoofing_77.68.77.49 + source { + address 77.68.77.49 + mac-address !00:50:56:03:ba:26 + } + } + rule 655 { + action drop + description Anti-spoofing_77.68.76.58 + source { + address 77.68.76.58 + mac-address !00:50:56:03:bd:d2 + } + } + rule 656 { + action drop + description Anti-spoofing_77.68.77.171 + source { + address 77.68.77.171 + mac-address !00:50:56:22:3d:21 + } + } + rule 657 { + action drop + description Anti-spoofing_77.68.116.220 + source { + address 77.68.116.220 + mac-address !00:50:56:2e:06:02 + } + } + rule 658 { + action drop + description Anti-spoofing_77.68.77.150 + source { + address 77.68.77.150 + mac-address !00:50:56:23:ac:01 + } + } + rule 659 { + action drop + description Anti-spoofing_77.68.121.106 + source { + address 77.68.121.106 + mac-address !00:50:56:38:2f:3f + } + } + rule 660 { + action drop + description Anti-spoofing_77.68.77.199 + source { + address 77.68.77.199 + mac-address !00:50:56:37:e8:23 + } + } + rule 661 { + action drop + description Anti-spoofing_77.68.76.220 + source { + address 77.68.76.220 + mac-address !00:50:56:26:27:93 + } + } + rule 662 { + action drop + description Anti-spoofing_77.68.85.172 + source { + address 77.68.85.172 + mac-address !00:50:56:24:a5:72 + } + } + rule 663 { + action drop + description Anti-spoofing_109.228.42.232 + source { + address 109.228.42.232 + mac-address !00:50:56:2c:34:e5 + } + } + rule 664 { + action drop + description Anti-spoofing_77.68.33.216 + source { + address 77.68.33.216 + mac-address !00:50:56:08:a3:d8 + } + } + rule 665 { + action drop + description Anti-spoofing_109.228.35.110 + source { + address 109.228.35.110 + mac-address !00:50:56:20:bc:f6 + } + } + rule 666 { + action drop + description Anti-spoofing_77.68.87.212 + source { + address 77.68.87.212 + mac-address !00:50:56:20:7a:5b + } + } + rule 667 { + action drop + description Anti-spoofing_109.228.36.174 + source { + address 109.228.36.174 + mac-address !00:50:56:05:73:0a + } + } + rule 668 { + action drop + description Anti-spoofing_77.68.122.241 + source { + address 77.68.122.241 + mac-address !00:50:56:3d:34:86 + } + } + rule 669 { + action drop + description Anti-spoofing_77.68.10.170 + source { + address 77.68.10.170 + mac-address !00:50:56:2e:a7:d6 + } + } + rule 670 { + action drop + description Anti-spoofing_109.228.59.247 + source { + address 109.228.59.247 + mac-address !00:50:56:11:77:61 + } + } + rule 671 { + action drop + description Anti-spoofing_77.68.77.156 + source { + address 77.68.77.156 + mac-address !00:50:56:37:e8:23 + } + } + rule 672 { + action drop + description Anti-spoofing_77.68.76.248 + source { + address 77.68.76.248 + mac-address !00:50:56:22:40:ae + } + } + rule 673 { + action drop + description Anti-spoofing_77.68.76.19 + source { + address 77.68.76.19 + mac-address !00:50:56:26:ce:06 + } + } + rule 674 { + action drop + description Anti-spoofing_77.68.77.29 + source { + address 77.68.77.29 + mac-address !00:50:56:11:83:b8 + } + } + rule 675 { + action drop + description Anti-spoofing_77.68.76.250 + source { + address 77.68.76.250 + mac-address !00:50:56:2d:ca:5b + } + } + rule 676 { + action drop + description Anti-spoofing_77.68.76.110 + source { + address 77.68.76.110 + mac-address !00:50:56:1e:db:08 + } + } + rule 677 { + action drop + description Anti-spoofing_77.68.76.171 + source { + address 77.68.76.171 + mac-address !00:50:56:01:8b:92 + } + } + rule 678 { + action drop + description Anti-spoofing_77.68.76.212 + source { + address 77.68.76.212 + mac-address !00:50:56:2b:28:99 + } + } + rule 679 { + action drop + description Anti-spoofing_77.68.112.248 + source { + address 77.68.112.248 + mac-address !00:50:56:35:e3:48 + } + } + rule 680 { + action drop + description Anti-spoofing_77.68.77.132 + source { + address 77.68.77.132 + mac-address !00:50:56:21:ab:ff + } + } + rule 681 { + action drop + description Anti-spoofing_77.68.120.218 + source { + address 77.68.120.218 + mac-address !00:50:56:10:a8:be + } + } + rule 682 { + action drop + description Anti-spoofing_77.68.120.249 + source { + address 77.68.120.249 + mac-address !00:50:56:2f:70:ed + } + } + rule 683 { + action drop + description Anti-spoofing_77.68.77.81 + source { + address 77.68.77.81 + mac-address !00:50:56:1e:9f:f8 + } + } + rule 684 { + action drop + description Anti-spoofing_77.68.76.37 + source { + address 77.68.76.37 + mac-address !00:50:56:07:f8:48 + } + } + rule 685 { + action drop + description Anti-spoofing_77.68.76.197 + source { + address 77.68.76.197 + mac-address !00:50:56:31:a0:ee + } + } + rule 686 { + action drop + description Anti-spoofing_77.68.76.20 + source { + address 77.68.76.20 + mac-address !00:50:56:18:a2:03 + } + } + rule 687 { + action drop + description Anti-spoofing_77.68.76.108 + source { + address 77.68.76.108 + mac-address !00:50:56:0d:4d:25 + } + } + rule 688 { + action drop + description Anti-spoofing_77.68.76.139 + source { + address 77.68.76.139 + mac-address !00:50:56:1c:52:a8 + } + } + rule 689 { + action drop + description Anti-spoofing_77.68.76.99 + source { + address 77.68.76.99 + mac-address !00:50:56:2e:8d:48 + } + } + rule 690 { + action drop + description Anti-spoofing_77.68.77.211 + source { + address 77.68.77.211 + mac-address !00:50:56:30:37:77 + } + } + rule 691 { + action drop + description Anti-spoofing_77.68.77.236 + source { + address 77.68.77.236 + mac-address !00:50:56:18:13:8b + } + } + rule 692 { + action drop + description Anti-spoofing_77.68.76.252 + source { + address 77.68.76.252 + mac-address !00:50:56:16:03:6e + } + } + rule 693 { + action drop + description Anti-spoofing_77.68.122.89 + source { + address 77.68.122.89 + mac-address !00:50:56:25:66:5d + } + } + rule 694 { + action drop + description Anti-spoofing_77.68.76.120 + source { + address 77.68.76.120 + mac-address !00:50:56:39:de:31 + } + } + rule 695 { + action drop + description Anti-spoofing_77.68.77.234 + source { + address 77.68.77.234 + mac-address !00:50:56:26:a1:9a + } + } + rule 696 { + action drop + description Anti-spoofing_77.68.77.32 + source { + address 77.68.77.32 + mac-address !00:50:56:38:e8:59 + } + } + rule 697 { + action drop + description Anti-spoofing_77.68.77.247 + source { + address 77.68.77.247 + mac-address !00:50:56:27:8a:8b + } + } + rule 698 { + action drop + description Anti-spoofing_77.68.76.229 + source { + address 77.68.76.229 + mac-address !00:50:56:16:56:30 + } + } + rule 699 { + action drop + description Anti-spoofing_77.68.76.209 + source { + address 77.68.76.209 + mac-address !00:50:56:19:24:73 + } + } + rule 700 { + action drop + description Anti-spoofing_77.68.125.32 + source { + address 77.68.125.32 + mac-address !00:50:56:00:07:47 + } + } + rule 701 { + action drop + description Anti-spoofing_77.68.76.219 + source { + address 77.68.76.219 + mac-address !00:50:56:2d:04:90 + } + } + rule 702 { + action drop + description Anti-spoofing_77.68.76.253 + source { + address 77.68.76.253 + mac-address !00:50:56:12:7b:d8 + } + } + rule 703 { + action drop + description Anti-spoofing_77.68.13.137 + source { + address 77.68.13.137 + mac-address !00:50:56:16:c6:86 + } + } + rule 704 { + action drop + description Anti-spoofing_77.68.85.115 + source { + address 77.68.85.115 + mac-address !00:50:56:3c:51:df + } + } + rule 705 { + action drop + description Anti-spoofing_77.68.77.202 + source { + address 77.68.77.202 + mac-address !00:50:56:0c:94:82 + } + } + rule 706 { + action drop + description Anti-spoofing_77.68.76.247 + source { + address 77.68.76.247 + mac-address !00:50:56:1b:f1:83 + } + } + rule 707 { + action drop + description Anti-spoofing_77.68.9.75 + source { + address 77.68.9.75 + mac-address !00:50:56:21:9b:fe + } + } + rule 708 { + action drop + description Anti-spoofing_109.228.39.157 + source { + address 109.228.39.157 + mac-address !00:50:56:2b:55:32 + } + } + rule 709 { + action drop + description Anti-spoofing_77.68.77.99 + source { + address 77.68.77.99 + mac-address !00:50:56:09:d5:e8 + } + } + rule 710 { + action drop + description Anti-spoofing_77.68.23.158 + source { + address 77.68.23.158 + mac-address !00:50:56:15:8f:75 + } + } + rule 711 { + action drop + description Anti-spoofing_77.68.76.169 + source { + address 77.68.76.169 + mac-address !00:50:56:0b:6d:e4 + } + } + rule 712 { + action drop + description Anti-spoofing_77.68.76.95 + source { + address 77.68.76.95 + mac-address !00:50:56:17:08:c9 + } + } + rule 713 { + action drop + description Anti-spoofing_77.68.76.187 + source { + address 77.68.76.187 + mac-address !00:50:56:14:79:08 + } + } + rule 714 { + action drop + description Anti-spoofing_109.228.37.114 + source { + address 109.228.37.114 + mac-address !00:50:56:15:3d:4b + } + } + rule 715 { + action drop + description Anti-spoofing_77.68.5.187 + source { + address 77.68.5.187 + mac-address !00:50:56:07:60:de + } + } + rule 716 { + action drop + description Anti-spoofing_77.68.77.222 + source { + address 77.68.77.222 + mac-address !00:50:56:38:03:ce + } + } + rule 717 { + action drop + description Anti-spoofing_77.68.77.53 + source { + address 77.68.77.53 + mac-address !00:50:56:18:cc:5a + } + } + rule 718 { + action drop + description Anti-spoofing_77.68.77.124 + source { + address 77.68.77.124 + mac-address !00:50:56:21:67:74 + } + } + rule 719 { + action drop + description Anti-spoofing_77.68.76.61 + source { + address 77.68.76.61 + mac-address !00:50:56:10:fa:46 + } + } + rule 720 { + action drop + description Anti-spoofing_109.228.37.240 + source { + address 109.228.37.240 + mac-address !00:50:56:0a:d3:2d + } + } + rule 721 { + action drop + description Anti-spoofing_77.68.27.27 + source { + address 77.68.27.27 + mac-address !00:50:56:14:b0:2a + } + } + rule 722 { + action drop + description Anti-spoofing_77.68.77.43 + source { + address 77.68.77.43 + mac-address !00:50:56:30:92:94 + } + } + rule 723 { + action drop + description Anti-spoofing_77.68.76.94 + source { + address 77.68.76.94 + mac-address !00:50:56:00:10:ce + } + } + rule 724 { + action drop + description Anti-spoofing_77.68.77.165 + source { + address 77.68.77.165 + mac-address !00:50:56:26:5f:42 + } + } + rule 725 { + action drop + description Anti-spoofing_77.68.77.251 + source { + address 77.68.77.251 + mac-address !00:50:56:39:db:9e + } + } + rule 726 { + action drop + description Anti-spoofing_77.68.77.152 + source { + address 77.68.77.152 + mac-address !00:50:56:12:68:ca + } + } + rule 727 { + action drop + description Anti-spoofing_185.132.43.164 + source { + address 185.132.43.164 + mac-address !00:50:56:2f:98:9b + } + } + rule 728 { + action drop + description Anti-spoofing_77.68.9.186 + source { + address 77.68.9.186 + mac-address !00:50:56:06:07:22 + } + } + rule 729 { + action drop + description Anti-spoofing_77.68.27.28 + source { + address 77.68.27.28 + mac-address !00:50:56:27:c6:2d + } + } + rule 730 { + action drop + description Anti-spoofing_77.68.84.147 + source { + address 77.68.84.147 + mac-address !00:50:56:28:d5:4d + } + } + rule 731 { + action drop + description Anti-spoofing_77.68.3.80 + source { + address 77.68.3.80 + mac-address !00:50:56:35:66:85 + } + } + rule 732 { + action drop + description Anti-spoofing_77.68.76.44 + source { + address 77.68.76.44 + mac-address !00:50:56:2b:8f:62 + } + } + rule 733 { + action drop + description Anti-spoofing_77.68.76.47 + source { + address 77.68.76.47 + mac-address !50:9a:4c:74:52:56 + } + } + rule 734 { + action drop + description Anti-spoofing_77.68.76.74 + source { + address 77.68.76.74 + mac-address !00:50:56:30:a0:57 + } + } + rule 735 { + action drop + description Anti-spoofing_77.68.5.166 + source { + address 77.68.5.166 + mac-address !00:50:56:17:e2:18 + } + } + rule 736 { + action drop + description Anti-spoofing_77.68.76.55 + source { + address 77.68.76.55 + mac-address !00:50:56:0f:46:86 + } + } + rule 737 { + action drop + description Anti-spoofing_77.68.10.142 + source { + address 77.68.10.142 + mac-address !00:50:56:19:04:d3 + } + } + rule 738 { + action drop + description Anti-spoofing_77.68.77.75 + source { + address 77.68.77.75 + mac-address !00:50:56:0e:a6:a8 + } + } + rule 739 { + action drop + description Anti-spoofing_77.68.77.239 + source { + address 77.68.77.239 + mac-address !00:50:56:26:f4:c8 + } + } + rule 740 { + action drop + description Anti-spoofing_213.171.208.176 + source { + address 213.171.208.176 + mac-address !00:50:56:34:50:f7 + } + } + rule 741 { + action drop + description Anti-spoofing_77.68.4.111 + source { + address 77.68.4.111 + mac-address !00:50:56:2a:61:0b + } + } + rule 742 { + action drop + description Anti-spoofing_77.68.118.120 + source { + address 77.68.118.120 + mac-address !00:50:56:3c:35:39 + } + } + rule 743 { + action drop + description Anti-spoofing_77.68.76.75 + source { + address 77.68.76.75 + mac-address !00:50:56:2a:42:ca + } + } + rule 744 { + action drop + description Anti-spoofing_77.68.77.71 + source { + address 77.68.77.71 + mac-address !00:50:56:38:ae:bf + } + } + rule 745 { + action drop + description Anti-spoofing_77.68.76.138 + source { + address 77.68.76.138 + mac-address !00:50:56:14:c0:d8 + } + } + rule 746 { + action drop + description Anti-spoofing_77.68.76.145 + source { + address 77.68.76.145 + mac-address !00:50:56:3b:e8:48 + } + } + rule 747 { + action drop + description Anti-spoofing_77.68.77.145 + source { + address 77.68.77.145 + mac-address !00:50:56:12:b0:43 + } + } + rule 748 { + action drop + description Anti-spoofing_77.68.3.121 + source { + address 77.68.3.121 + mac-address !00:50:56:03:7b:9d + } + } + rule 749 { + action drop + description Anti-spoofing_77.68.3.144 + source { + address 77.68.3.144 + mac-address !00:50:56:18:a0:ed + } + } + rule 750 { + action drop + description Anti-spoofing_77.68.77.68 + source { + address 77.68.77.68 + mac-address !00:50:56:3c:dc:4f + } + } + rule 751 { + action drop + description Anti-spoofing_77.68.76.126 + source { + address 77.68.76.126 + mac-address !00:50:56:0f:d0:ae + } + } + rule 752 { + action drop + description Anti-spoofing_77.68.76.88 + source { + address 77.68.76.88 + mac-address !00:50:56:15:d6:12 + } + } + rule 753 { + action drop + description Anti-spoofing_77.68.77.254 + source { + address 77.68.77.254 + mac-address !00:50:56:0e:5e:74 + } + } + rule 754 { + action drop + description Anti-spoofing_185.132.40.124 + source { + address 185.132.40.124 + mac-address !00:50:56:08:f8:6a + } + } + rule 755 { + action drop + description Anti-spoofing_77.68.20.231 + source { + address 77.68.20.231 + mac-address !00:50:56:05:35:ce + } + } + rule 756 { + action drop + description Anti-spoofing_77.68.77.181 + source { + address 77.68.77.181 + mac-address !00:50:56:20:03:6f + } + } + rule 757 { + action drop + description Anti-spoofing_77.68.22.146 + source { + address 77.68.22.146 + mac-address !00:50:56:0e:85:95 + } + } + rule 758 { + action drop + description Anti-spoofing_77.68.112.75 + source { + address 77.68.112.75 + mac-address !00:50:56:09:33:e6 + } + } + rule 759 { + action drop + description Anti-spoofing_77.68.4.22 + source { + address 77.68.4.22 + mac-address !00:50:56:14:be:3f + } + } + rule 760 { + action drop + description Anti-spoofing_77.68.76.96 + source { + address 77.68.76.96 + mac-address !00:50:56:32:91:fb + } + } + rule 761 { + action drop + description Anti-spoofing_77.68.3.161 + source { + address 77.68.3.161 + mac-address !00:50:56:12:82:40 + } + } + rule 762 { + action drop + description Anti-spoofing_109.228.37.10 + source { + address 109.228.37.10 + mac-address !00:50:56:0a:ef:ab + } + } + rule 763 { + action drop + description Anti-spoofing_77.68.76.228 + source { + address 77.68.76.228 + mac-address !00:50:56:2b:39:b1 + } + } + rule 764 { + action drop + description Anti-spoofing_77.68.121.94 + source { + address 77.68.121.94 + mac-address !00:50:56:0a:d7:68 + } + } + rule 765 { + action drop + description Anti-spoofing_77.68.3.194 + source { + address 77.68.3.194 + mac-address !00:50:56:10:90:6a + } + } + rule 766 { + action drop + description Anti-spoofing_77.68.76.112 + source { + address 77.68.76.112 + mac-address !00:50:56:24:e2:52 + } + } + rule 767 { + action drop + description Anti-spoofing_77.68.100.77 + source { + address 77.68.100.77 + mac-address !00:50:56:0e:f3:7a + } + } + rule 768 { + action drop + description Anti-spoofing_77.68.3.247 + source { + address 77.68.3.247 + mac-address !00:50:56:29:30:8a + } + } + rule 769 { + action drop + description Anti-spoofing_77.68.77.157 + source { + address 77.68.77.157 + mac-address !00:50:56:36:39:a5 + } + } + rule 770 { + action drop + description Anti-spoofing_77.68.29.65 + source { + address 77.68.29.65 + mac-address !00:50:56:2e:1b:f9 + } + } + rule 771 { + action drop + description Anti-spoofing_77.68.74.152 + source { + address 77.68.74.152 + mac-address !00:50:56:16:1d:31 + } + } + rule 772 { + action drop + description Anti-spoofing_185.132.39.145 + source { + address 185.132.39.145 + mac-address !00:50:56:03:77:75 + } + } + rule 773 { + action drop + description Anti-spoofing_77.68.28.139 + source { + address 77.68.28.139 + mac-address !00:50:56:25:a9:de + } + } + rule 774 { + action drop + description Anti-spoofing_77.68.77.33 + source { + address 77.68.77.33 + mac-address !00:50:56:09:16:76 + } + } + rule 775 { + action drop + description Anti-spoofing_77.68.77.137 + source { + address 77.68.77.137 + mac-address !00:50:56:15:b6:84 + } + } + rule 776 { + action drop + description Anti-spoofing_77.68.76.244 + source { + address 77.68.76.244 + mac-address !00:50:56:21:11:27 + } + } + rule 777 { + action drop + description Anti-spoofing_77.68.77.92 + source { + address 77.68.77.92 + mac-address !00:50:56:11:58:f5 + } + } + rule 778 { + action drop + description Anti-spoofing_77.68.7.227 + source { + address 77.68.7.227 + mac-address !00:50:56:34:a8:22 + } + } + rule 779 { + action drop + description Anti-spoofing_77.68.76.111 + source { + address 77.68.76.111 + mac-address !00:50:56:3e:44:ea + } + } + rule 780 { + action drop + description Anti-spoofing_77.68.76.185 + source { + address 77.68.76.185 + mac-address !00:50:56:1b:75:e8 + } + } + rule 781 { + action drop + description Anti-spoofing_77.68.76.208 + source { + address 77.68.76.208 + mac-address !50:9a:4c:98:c2:68 + } + } + rule 782 { + action drop + description Anti-spoofing_77.68.76.150 + source { + address 77.68.76.150 + mac-address !50:9a:4c:98:5c:c0 + } + } + rule 783 { + action drop + description Anti-spoofing_77.68.77.208 + source { + address 77.68.77.208 + mac-address !50:9a:4c:98:5c:c0 + } + } + rule 784 { + action drop + description Anti-spoofing_77.68.103.56 + source { + address 77.68.103.56 + mac-address !00:50:56:05:2f:9e + } + } + rule 785 { + action drop + description Anti-spoofing_77.68.125.60 + source { + address 77.68.125.60 + mac-address !00:50:56:2a:4a:20 + } + } + rule 786 { + action drop + description Anti-spoofing_77.68.76.42 + source { + address 77.68.76.42 + mac-address !00:50:56:3e:44:ea + } + } + rule 787 { + action drop + description Anti-spoofing_77.68.26.216 + source { + address 77.68.26.216 + mac-address !00:50:56:07:56:c4 + } + } + rule 788 { + action drop + description Anti-spoofing_77.68.76.164 + source { + address 77.68.76.164 + mac-address !00:50:56:1c:df:57 + } + } + rule 789 { + action drop + description Anti-spoofing_77.68.89.72 + source { + address 77.68.89.72 + mac-address !00:50:56:1b:84:5c + } + } + rule 790 { + action drop + description Anti-spoofing_77.68.76.181 + source { + address 77.68.76.181 + mac-address !00:50:56:36:5d:1e + } + } + rule 791 { + action drop + description Anti-spoofing_77.68.3.52 + source { + address 77.68.3.52 + mac-address !00:50:56:12:e2:00 + } + } + rule 792 { + action drop + description Anti-spoofing_77.68.77.207 + source { + address 77.68.77.207 + mac-address !00:50:56:16:24:34 + } + } + rule 793 { + action drop + description Anti-spoofing_77.68.81.44 + source { + address 77.68.81.44 + mac-address !00:50:56:1a:2f:81 + } + } + rule 794 { + action drop + description Anti-spoofing_77.68.28.145 + source { + address 77.68.28.145 + mac-address !00:50:56:39:78:a6 + } + } + rule 795 { + action drop + description Anti-spoofing_77.68.76.49 + source { + address 77.68.76.49 + mac-address !00:50:56:08:ae:5e + } + } + rule 796 { + action drop + description Anti-spoofing_77.68.77.227 + source { + address 77.68.77.227 + mac-address !ac:1f:6b:93:59:d4 + } + } + rule 797 { + action drop + description Anti-spoofing_77.68.76.136 + source { + address 77.68.76.136 + mac-address !00:50:56:0b:b2:b0 + } + } + rule 798 { + action drop + description Anti-spoofing_77.68.77.102 + source { + address 77.68.77.102 + mac-address !00:50:56:3d:91:75 + } + } + rule 799 { + action drop + description Anti-spoofing_77.68.5.155 + source { + address 77.68.5.155 + mac-address !00:50:56:13:33:02 + } + } + rule 801 { + action drop + description Anti-spoofing_77.68.88.100 + source { + address 77.68.88.100 + mac-address !00:50:56:08:dc:d0 + } + } + rule 802 { + action drop + description Anti-spoofing_77.68.72.254 + source { + address 77.68.72.254 + mac-address !00:50:56:0c:c2:8d + } + } + rule 803 { + action drop + description Anti-spoofing_77.68.77.74 + source { + address 77.68.77.74 + mac-address !00:50:56:18:d8:12 + } + } + rule 804 { + action drop + description Anti-spoofing_77.68.76.77 + source { + address 77.68.76.77 + mac-address !ac:1f:6b:4d:bd:60 + } + } + rule 805 { + action drop + description Anti-spoofing_77.68.76.123 + source { + address 77.68.76.123 + mac-address !00:50:56:38:5b:9d + } + } + rule 806 { + action drop + description Anti-spoofing_77.68.4.24 + source { + address 77.68.4.24 + mac-address !00:50:56:16:54:a8 + } + } + rule 807 { + action drop + description Anti-spoofing_213.171.214.167 + source { + address 213.171.214.167 + mac-address !00:50:56:13:7d:80 + } + } + rule 808 { + action drop + description Anti-spoofing_77.68.112.213 + source { + address 77.68.112.213 + mac-address !00:50:56:0b:ec:f2 + } + } + rule 809 { + action drop + description Anti-spoofing_185.132.40.166 + source { + address 185.132.40.166 + mac-address !00:50:56:22:c7:e0 + } + } + rule 810 { + action drop + description Anti-spoofing_77.68.76.31 + source { + address 77.68.76.31 + mac-address !00:50:56:38:22:33 + } + } + rule 811 { + action drop + description Anti-spoofing_77.68.76.148 + source { + address 77.68.76.148 + mac-address !00:50:56:16:6c:9c + } + } + rule 812 { + action drop + description Anti-spoofing_77.68.93.246 + source { + address 77.68.93.246 + mac-address !00:50:56:29:2c:65 + } + } + rule 813 { + action drop + description Anti-spoofing_77.68.77.120 + source { + address 77.68.77.120 + mac-address !00:50:56:39:92:1c + } + } + rule 814 { + action drop + description Anti-spoofing_77.68.7.123 + source { + address 77.68.7.123 + mac-address !00:50:56:33:46:a6 + } + } + rule 815 { + action drop + description Anti-spoofing_77.68.76.183 + source { + address 77.68.76.183 + mac-address !00:50:56:39:92:1c + } + } + rule 816 { + action drop + description Anti-spoofing_77.68.112.90 + source { + address 77.68.112.90 + mac-address !00:50:56:29:f8:91 + } + } + rule 817 { + action drop + description Anti-spoofing_77.68.50.90 + source { + address 77.68.50.90 + mac-address !00:50:56:11:d5:cb + } + } + rule 818 { + action drop + description Anti-spoofing_77.68.3.61 + source { + address 77.68.3.61 + mac-address !00:50:56:03:0b:87 + } + } + rule 819 { + action drop + description Anti-spoofing_213.171.213.42 + source { + address 213.171.213.42 + mac-address !00:50:56:37:90:bd + } + } + rule 820 { + action drop + description Anti-spoofing_77.68.77.107 + source { + address 77.68.77.107 + mac-address !00:50:56:1e:74:40 + } + } + rule 821 { + action drop + description Anti-spoofing_77.68.89.183 + source { + address 77.68.89.183 + mac-address !00:50:56:04:b9:ce + } + } + rule 822 { + action drop + description Anti-spoofing_77.68.112.83 + source { + address 77.68.112.83 + mac-address !00:50:56:38:03:ce + } + } + rule 823 { + action drop + description Anti-spoofing_77.68.76.141 + source { + address 77.68.76.141 + mac-address !00:50:56:12:2e:7c + } + } + rule 825 { + action drop + description Anti-spoofing_77.68.76.105 + source { + address 77.68.76.105 + mac-address !00:50:56:00:0b:f6 + } + } + rule 826 { + action drop + description Anti-spoofing_77.68.76.251 + source { + address 77.68.76.251 + mac-address !00:50:56:34:1e:f4 + } + } + rule 827 { + action drop + description Anti-spoofing_77.68.6.202 + source { + address 77.68.6.202 + mac-address !00:50:56:17:65:5f + } + } + rule 828 { + action drop + description Anti-spoofing_88.208.198.92 + source { + address 88.208.198.92 + mac-address !00:50:56:0c:5d:98 + } + } + rule 829 { + action drop + description Anti-spoofing_77.68.76.249 + source { + address 77.68.76.249 + mac-address !00:50:56:01:18:09 + } + } + rule 830 { + action drop + description Anti-spoofing_77.68.30.164 + source { + address 77.68.30.164 + mac-address !00:50:56:3c:2a:3a + } + } + rule 831 { + action drop + description Anti-spoofing_77.68.77.59 + source { + address 77.68.77.59 + mac-address !00:50:56:18:09:81 + } + } + rule 832 { + action drop + description Anti-spoofing_77.68.76.40 + source { + address 77.68.76.40 + mac-address !00:50:56:13:e6:96 + } + } + rule 833 { + action drop + description Anti-spoofing_77.68.88.164 + source { + address 77.68.88.164 + mac-address !00:50:56:07:f9:c8 + } + } + rule 834 { + action drop + description Anti-spoofing_77.68.77.37 + source { + address 77.68.77.37 + mac-address !00:50:56:2f:1e:7b + } + } + rule 835 { + action drop + description Anti-spoofing_185.132.39.99 + source { + address 185.132.39.99 + mac-address !00:50:56:1d:4e:dd + } + } + rule 836 { + action drop + description Anti-spoofing_77.68.121.127 + source { + address 77.68.121.127 + mac-address !00:50:56:29:fd:29 + } + } + rule 837 { + action drop + description Anti-spoofing_77.68.77.65 + source { + address 77.68.77.65 + mac-address !00:50:56:30:1f:8b + } + } + rule 838 { + action drop + description Anti-spoofing_77.68.27.211 + source { + address 77.68.27.211 + mac-address !00:50:56:25:b4:d1 + } + } + rule 839 { + action drop + description Anti-spoofing_77.68.24.112 + source { + address 77.68.24.112 + mac-address !00:50:56:06:50:e8 + } + } + rule 840 { + action drop + description Anti-spoofing_109.228.38.201 + source { + address 109.228.38.201 + mac-address !00:50:56:36:33:0c + } + } + rule 841 { + action drop + description Anti-spoofing_77.68.115.17 + source { + address 77.68.115.17 + mac-address !00:50:56:16:da:60 + } + } + rule 842 { + action drop + description Anti-spoofing_185.132.36.60 + source { + address 185.132.36.60 + mac-address !00:50:56:14:a7:b2 + } + } + rule 843 { + action drop + description Anti-spoofing_77.68.76.231 + source { + address 77.68.76.231 + mac-address !00:50:56:03:c5:bc + } + } + rule 844 { + action drop + description Anti-spoofing_185.132.37.23 + source { + address 185.132.37.23 + mac-address !00:50:56:27:46:b8 + } + } + rule 845 { + action drop + description Anti-spoofing_109.228.35.84 + source { + address 109.228.35.84 + mac-address !00:50:56:17:74:b7 + } + } + rule 846 { + action drop + description Anti-spoofing_77.68.11.140 + source { + address 77.68.11.140 + mac-address !00:50:56:08:ce:61 + } + } + rule 848 { + action drop + description Anti-spoofing_77.68.77.24 + source { + address 77.68.77.24 + mac-address !00:50:56:28:65:cb + } + } + rule 849 { + action drop + description Anti-spoofing_77.68.78.113 + source { + address 77.68.78.113 + mac-address !00:50:56:2c:5a:e3 + } + } + rule 850 { + action drop + description Anti-spoofing_185.132.39.219 + source { + address 185.132.39.219 + mac-address !00:50:56:11:0d:fd + } + } + rule 851 { + action drop + description Anti-spoofing_185.132.40.11 + source { + address 185.132.40.11 + mac-address !00:50:56:27:50:a3 + } + } + rule 852 { + action drop + description Anti-spoofing_77.68.23.64 + source { + address 77.68.23.64 + mac-address !00:50:56:0a:b2:3c + } + } + rule 853 { + action drop + description Anti-spoofing_185.132.37.133 + source { + address 185.132.37.133 + mac-address !00:50:56:0b:0a:21 + } + } + rule 854 { + action drop + description Anti-spoofing_77.68.85.27 + source { + address 77.68.85.27 + mac-address !00:50:56:34:82:24 + } + } + rule 855 { + action drop + description Anti-spoofing_77.68.26.221 + source { + address 77.68.26.221 + mac-address !00:50:56:30:56:a2 + } + } + rule 856 { + action drop + description Anti-spoofing_77.68.76.243 + source { + address 77.68.76.243 + mac-address !00:50:56:1c:a0:2d + } + } + rule 857 { + action drop + description Anti-spoofing_77.68.116.52 + source { + address 77.68.116.52 + mac-address !00:50:56:2b:59:35 + } + } + rule 858 { + action drop + description Anti-spoofing_77.68.120.26 + source { + address 77.68.120.26 + mac-address !00:50:56:07:3b:2b + } + } + rule 859 { + action drop + description Anti-spoofing_185.132.40.56 + source { + address 185.132.40.56 + mac-address !00:50:56:21:cb:e3 + } + } + rule 860 { + action drop + description Anti-spoofing_213.171.210.155 + source { + address 213.171.210.155 + mac-address !00:50:56:2a:53:9f + } + } + rule 861 { + action drop + description Anti-spoofing_185.132.43.157 + source { + address 185.132.43.157 + mac-address !00:50:56:27:e6:d5 + } + } + rule 862 { + action drop + description Anti-spoofing_77.68.4.252 + source { + address 77.68.4.252 + mac-address !00:50:56:08:ff:66 + } + } + rule 863 { + action drop + description Anti-spoofing_77.68.77.63 + source { + address 77.68.77.63 + mac-address !00:50:56:10:9c:ca + } + } + rule 864 { + action drop + description Anti-spoofing_77.68.20.161 + source { + address 77.68.20.161 + mac-address !00:50:56:0d:06:6f + } + } + rule 865 { + action drop + description Anti-spoofing_77.68.117.45 + source { + address 77.68.117.45 + mac-address !00:50:56:05:e0:11 + } + } + rule 866 { + action drop + description Anti-spoofing_77.68.76.234 + source { + address 77.68.76.234 + mac-address !00:50:56:3a:d3:9e + } + } + rule 867 { + action drop + description Anti-spoofing_185.132.40.90 + source { + address 185.132.40.90 + mac-address !00:50:56:2c:90:4f + } + } + rule 868 { + action drop + description Anti-spoofing_77.68.77.90 + source { + address 77.68.77.90 + mac-address !00:50:56:1d:ec:a2 + } + } + rule 869 { + action drop + description Anti-spoofing_77.68.76.93 + source { + address 77.68.76.93 + mac-address !00:50:56:19:cb:e8 + } + } + rule 870 { + action drop + description Anti-spoofing_77.68.26.166 + source { + address 77.68.26.166 + mac-address !00:50:56:1e:34:14 + } + } + rule 871 { + action drop + description Anti-spoofing_185.132.40.244 + source { + address 185.132.40.244 + mac-address !00:50:56:14:a7:b2 + } + } + rule 872 { + action drop + description Anti-spoofing_77.68.77.77 + source { + address 77.68.77.77 + mac-address !00:50:56:0c:9b:e1 + } + } + rule 873 { + action drop + description Anti-spoofing_77.68.27.57 + source { + address 77.68.27.57 + mac-address !00:50:56:3e:06:ca + } + } + rule 874 { + action drop + description Anti-spoofing_77.68.7.114 + source { + address 77.68.7.114 + mac-address !00:50:56:33:0d:5e + } + } + rule 875 { + action drop + description Anti-spoofing_109.228.36.229 + source { + address 109.228.36.229 + mac-address !00:50:56:32:a6:83 + } + } + rule 876 { + action drop + description Anti-spoofing_77.68.77.151 + source { + address 77.68.77.151 + mac-address !00:50:56:0a:e4:20 + } + } + rule 877 { + action drop + description Anti-spoofing_77.68.76.92 + source { + address 77.68.76.92 + mac-address !00:50:56:2b:a5:38 + } + } + rule 878 { + action drop + description Anti-spoofing_77.68.49.159 + source { + address 77.68.49.159 + mac-address !00:50:56:16:4f:24 + } + } + rule 879 { + action drop + description Anti-spoofing_77.68.77.38 + source { + address 77.68.77.38 + mac-address !00:50:56:2c:fe:a1 + } + } + rule 880 { + action drop + description Anti-spoofing_77.68.20.217 + source { + address 77.68.20.217 + mac-address !00:50:56:3a:61:47 + } + } + rule 881 { + action drop + description Anti-spoofing_77.68.92.92 + source { + address 77.68.92.92 + mac-address !00:50:56:1b:64:85 + } + } + rule 882 { + action drop + description Anti-spoofing_77.68.76.124 + source { + address 77.68.76.124 + mac-address !00:50:56:0e:c1:e4 + } + } + rule 884 { + action drop + description Anti-spoofing_77.68.126.101 + source { + address 77.68.126.101 + mac-address !00:50:56:31:d1:a3 + } + } + rule 885 { + action drop + description Anti-spoofing_77.68.76.235 + source { + address 77.68.76.235 + mac-address !00:50:56:15:d1:66 + } + } + rule 886 { + action drop + description Anti-spoofing_77.68.77.95 + source { + address 77.68.77.95 + mac-address !00:50:56:39:c6:52 + } + } + rule 887 { + action drop + description Anti-spoofing_77.68.26.228 + source { + address 77.68.26.228 + mac-address !00:50:56:03:ab:9e + } + } + rule 888 { + action drop + description Anti-spoofing_77.68.32.118 + source { + address 77.68.32.118 + mac-address !00:50:56:0e:db:9d + } + } + rule 889 { + action drop + description Anti-spoofing_77.68.24.172 + source { + address 77.68.24.172 + mac-address !00:50:56:0e:2a:9c + } + } + rule 891 { + action drop + description Anti-spoofing_77.68.77.190 + source { + address 77.68.77.190 + mac-address !00:50:56:31:e8:fb + } + } + rule 892 { + action drop + description Anti-spoofing_77.68.33.197 + source { + address 77.68.33.197 + mac-address !00:50:56:2b:27:c4 + } + } + rule 893 { + action drop + description Anti-spoofing_213.171.210.177 + source { + address 213.171.210.177 + mac-address !00:50:56:04:96:31 + } + } + rule 894 { + action drop + description Anti-spoofing_185.132.41.73 + source { + address 185.132.41.73 + mac-address !00:50:56:35:b4:a5 + } + } + rule 895 { + action drop + description Anti-spoofing_77.68.21.78 + source { + address 77.68.21.78 + mac-address !00:50:56:23:87:f2 + } + } + rule 896 { + action drop + description Anti-spoofing_77.68.77.209 + source { + address 77.68.77.209 + mac-address !00:50:56:3b:95:06 + } + } + rule 897 { + action drop + description Anti-spoofing_88.208.215.19 + source { + address 88.208.215.19 + mac-address !00:50:56:1f:e1:4b + } + } + rule 898 { + action drop + description Anti-spoofing_77.68.77.214 + source { + address 77.68.77.214 + mac-address !00:50:56:2b:03:2b + } + } + rule 899 { + action drop + description Anti-spoofing_77.68.76.91 + source { + address 77.68.76.91 + mac-address !00:50:56:3b:3c:fb + } + } + rule 900 { + action drop + description Anti-spoofing_77.68.119.92 + source { + address 77.68.119.92 + mac-address !00:50:56:25:ba:8c + } + } + rule 901 { + action drop + description Anti-spoofing_77.68.77.79 + source { + address 77.68.77.79 + mac-address !00:50:56:28:f5:72 + } + } + rule 902 { + action drop + description Anti-spoofing_77.68.75.45 + source { + address 77.68.75.45 + mac-address !00:50:56:04:51:74 + } + } + rule 903 { + action drop + description Anti-spoofing_109.228.56.185 + source { + address 109.228.56.185 + mac-address !00:50:56:13:e5:07 + } + } + rule 904 { + action drop + description Anti-spoofing_185.132.43.6 + source { + address 185.132.43.6 + mac-address !00:50:56:38:d1:d5 + } + } + rule 905 { + action drop + description Anti-spoofing_77.68.117.202 + source { + address 77.68.117.202 + mac-address !00:50:56:01:b2:9f + } + } + rule 906 { + action drop + description Anti-spoofing_77.68.86.40 + source { + address 77.68.86.40 + mac-address !00:50:56:03:e2:49 + } + } + rule 907 { + action drop + description Anti-spoofing_77.68.49.126 + source { + address 77.68.49.126 + mac-address !00:50:56:3b:47:f3 + } + } + rule 909 { + action drop + description Anti-spoofing_77.68.77.100 + source { + address 77.68.77.100 + mac-address !00:50:56:34:d7:5b + } + } + rule 910 { + action drop + description Anti-spoofing_109.228.46.196 + source { + address 109.228.46.196 + mac-address !00:50:56:1a:a0:0e + } + } + rule 911 { + action drop + description Anti-spoofing_77.68.77.72 + source { + address 77.68.77.72 + mac-address !00:50:56:1e:67:f7 + } + } + rule 912 { + action drop + description Anti-spoofing_185.132.43.28 + source { + address 185.132.43.28 + mac-address !00:50:56:35:a5:36 + } + } + rule 913 { + action drop + description Anti-spoofing_77.68.103.19 + source { + address 77.68.103.19 + mac-address !00:50:56:27:34:a3 + } + } + rule 914 { + action drop + description Anti-spoofing_77.68.118.104 + source { + address 77.68.118.104 + mac-address !00:50:56:2d:f8:d7 + } + } + rule 915 { + action drop + description Anti-spoofing_77.68.116.183 + source { + address 77.68.116.183 + mac-address !00:50:56:17:23:d4 + } + } + rule 916 { + action drop + description Anti-spoofing_77.68.76.107 + source { + address 77.68.76.107 + mac-address !00:50:56:36:c0:da + } + } + rule 917 { + action drop + description Anti-spoofing_77.68.93.164 + source { + address 77.68.93.164 + mac-address !00:50:56:36:cd:1a + } + } + rule 918 { + action drop + description Anti-spoofing_77.68.5.241 + source { + address 77.68.5.241 + mac-address !00:50:56:11:2d:22 + } + } + rule 919 { + action drop + description Anti-spoofing_185.132.43.98 + source { + address 185.132.43.98 + mac-address !00:50:56:20:7b:87 + } + } + rule 920 { + action drop + description Anti-spoofing_77.68.76.241 + source { + address 77.68.76.241 + mac-address !00:50:56:00:50:f6 + } + } + rule 921 { + action drop + description Anti-spoofing_77.68.74.232 + source { + address 77.68.74.232 + mac-address !00:50:56:19:df:41 + } + } + rule 922 { + action drop + description Anti-spoofing_77.68.76.26 + source { + address 77.68.76.26 + mac-address !00:50:56:36:c0:da + } + } + rule 923 { + action drop + description Anti-spoofing_77.68.28.207 + source { + address 77.68.28.207 + mac-address !00:50:56:36:41:da + } + } + rule 924 { + action drop + description Anti-spoofing_77.68.29.178 + source { + address 77.68.29.178 + mac-address !00:50:56:21:81:be + } + } + rule 925 { + action drop + description Anti-spoofing_77.68.121.119 + source { + address 77.68.121.119 + mac-address !00:50:56:0b:d8:e1 + } + } + rule 926 { + action drop + description Anti-spoofing_77.68.126.22 + source { + address 77.68.126.22 + mac-address !00:50:56:32:62:56 + } + } + rule 927 { + action drop + description Anti-spoofing_109.228.61.31 + source { + address 109.228.61.31 + mac-address !00:50:56:21:a0:04 + } + } + rule 928 { + action drop + description Anti-spoofing_77.68.114.205 + source { + address 77.68.114.205 + mac-address !00:50:56:2a:f1:3f + } + } + rule 929 { + action drop + description Anti-spoofing_77.68.75.113 + source { + address 77.68.75.113 + mac-address !00:50:56:33:6c:b9 + } + } + rule 930 { + action drop + description Anti-spoofing_77.68.79.206 + source { + address 77.68.79.206 + mac-address !00:50:56:36:86:66 + } + } + rule 931 { + action drop + description Anti-spoofing_88.208.198.64 + source { + address 88.208.198.64 + mac-address !00:50:56:39:2c:fe + } + } + rule 932 { + action drop + description Anti-spoofing_77.68.77.161 + source { + address 77.68.77.161 + mac-address !00:50:56:0a:7e:6c + } + } + rule 933 { + action drop + description Anti-spoofing_77.68.114.237 + source { + address 77.68.114.237 + mac-address !00:50:56:16:f4:39 + } + } + rule 934 { + action drop + description Anti-spoofing_109.228.36.119 + source { + address 109.228.36.119 + mac-address !00:50:56:28:63:37 + } + } + rule 935 { + action drop + description Anti-spoofing_77.68.76.254 + source { + address 77.68.76.254 + mac-address !00:50:56:3b:49:08 + } + } + rule 936 { + action drop + description Anti-spoofing_77.68.77.231 + source { + address 77.68.77.231 + mac-address !00:50:56:36:78:72 + } + } + rule 937 { + action drop + description Anti-spoofing_77.68.7.172 + source { + address 77.68.7.172 + mac-address !00:50:56:19:39:45 + } + } + rule 938 { + action drop + description Anti-spoofing_77.68.77.62 + source { + address 77.68.77.62 + mac-address !00:50:56:04:8c:b4 + } + } + rule 939 { + action drop + description Anti-spoofing_77.68.77.215 + source { + address 77.68.77.215 + mac-address !00:50:56:35:f3:5a + } + } + rule 940 { + action drop + description Anti-spoofing_77.68.6.105 + source { + address 77.68.6.105 + mac-address !00:50:56:03:0e:07 + } + } + rule 941 { + action drop + description Anti-spoofing_77.68.33.37 + source { + address 77.68.33.37 + mac-address !00:50:56:00:6b:a3 + } + } + rule 942 { + action drop + description Anti-spoofing_77.68.4.180 + source { + address 77.68.4.180 + mac-address !00:50:56:11:6c:dc + } + } + rule 943 { + action drop + description Anti-spoofing_77.68.78.229 + source { + address 77.68.78.229 + mac-address !00:50:56:1e:58:2f + } + } + rule 944 { + action drop + description Anti-spoofing_77.68.73.73 + source { + address 77.68.73.73 + mac-address !00:50:56:38:d7:1a + } + } + rule 945 { + action drop + description Anti-spoofing_77.68.2.215 + source { + address 77.68.2.215 + mac-address !00:50:56:31:3c:87 + } + } + rule 946 { + action drop + description Anti-spoofing_77.68.48.81 + source { + address 77.68.48.81 + mac-address !00:50:56:3a:13:df + } + } + rule 947 { + action drop + description Anti-spoofing_213.171.214.102 + source { + address 213.171.214.102 + mac-address !00:50:56:00:60:5a + } + } + rule 948 { + action drop + description Anti-spoofing_77.68.123.177 + source { + address 77.68.123.177 + mac-address !00:50:56:3c:07:ef + } + } + rule 949 { + action drop + description Anti-spoofing_77.68.7.160 + source { + address 77.68.7.160 + mac-address !00:50:56:09:6e:79 + } + } + rule 950 { + action drop + description Anti-spoofing_77.68.24.59 + source { + address 77.68.24.59 + mac-address !00:50:56:3c:b7:c1 + } + } + rule 951 { + action drop + description Anti-spoofing_77.68.80.97 + source { + address 77.68.80.97 + mac-address !00:50:56:15:cc:c6 + } + } + rule 952 { + action drop + description Anti-spoofing_77.68.7.67 + source { + address 77.68.7.67 + mac-address !00:50:56:13:92:b7 + } + } + rule 953 { + action drop + description Anti-spoofing_109.228.36.79 + source { + address 109.228.36.79 + mac-address !00:50:56:17:c9:65 + } + } + rule 954 { + action drop + description Anti-spoofing_77.68.32.43 + source { + address 77.68.32.43 + mac-address !00:50:56:13:6d:02 + } + } + rule 955 { + action drop + description Anti-spoofing_77.68.90.106 + source { + address 77.68.90.106 + mac-address !00:50:56:1b:6d:fb + } + } + rule 956 { + action drop + description Anti-spoofing_77.68.77.174 + source { + address 77.68.77.174 + mac-address !00:50:56:2a:61:0b + } + } + rule 957 { + action drop + description Anti-spoofing_77.68.94.181 + source { + address 77.68.94.181 + mac-address !00:50:56:0b:7c:cc + } + } + rule 958 { + action drop + description Anti-spoofing_77.68.4.136 + source { + address 77.68.4.136 + mac-address !00:50:56:10:4d:5c + } + } + rule 959 { + action drop + description Anti-spoofing_77.68.32.31 + source { + address 77.68.32.31 + mac-address !00:50:56:0a:f5:03 + } + } + rule 960 { + action drop + description Anti-spoofing_77.68.30.133 + source { + address 77.68.30.133 + mac-address !00:50:56:3a:96:4e + } + } + rule 961 { + action drop + description Anti-spoofing_77.68.72.202 + source { + address 77.68.72.202 + mac-address !00:50:56:2e:ca:a2 + } + } + rule 962 { + action drop + description Anti-spoofing_77.68.81.141 + source { + address 77.68.81.141 + mac-address !00:50:56:00:07:47 + } + } + rule 963 { + action drop + description Anti-spoofing_77.68.27.54 + source { + address 77.68.27.54 + mac-address !00:50:56:37:ad:51 + } + } + rule 964 { + action drop + description Anti-spoofing_77.68.32.254 + source { + address 77.68.32.254 + mac-address !00:50:56:2d:d0:36 + } + } + rule 965 { + action drop + description Anti-spoofing_77.68.10.152 + source { + address 77.68.10.152 + mac-address !00:50:56:38:d7:1a + } + } + rule 967 { + action drop + description Anti-spoofing_109.228.47.223 + source { + address 109.228.47.223 + mac-address !00:50:56:02:f7:24 + } + } + rule 968 { + action drop + description Anti-spoofing_77.68.5.125 + source { + address 77.68.5.125 + mac-address !00:50:56:16:21:98 + } + } + rule 969 { + action drop + description Anti-spoofing_77.68.119.14 + source { + address 77.68.119.14 + mac-address !00:50:56:2e:87:33 + } + } + rule 970 { + action drop + description Anti-spoofing_77.68.117.51 + source { + address 77.68.117.51 + mac-address !00:50:56:17:c0:6c + } + } + rule 971 { + action drop + description Anti-spoofing_77.68.118.102 + source { + address 77.68.118.102 + mac-address !00:50:56:3e:06:ca + } + } + rule 972 { + action drop + description Anti-spoofing_185.132.43.71 + source { + address 185.132.43.71 + mac-address !00:50:56:2d:6a:8d + } + } + rule 973 { + action drop + description Anti-spoofing_77.68.112.91 + source { + address 77.68.112.91 + mac-address !00:50:56:2b:c3:9f + } + } + rule 974 { + action drop + description Anti-spoofing_77.68.116.232 + source { + address 77.68.116.232 + mac-address !00:50:56:2a:f9:fd + } + } + rule 976 { + action drop + description Anti-spoofing_77.68.82.157 + source { + address 77.68.82.157 + mac-address !00:50:56:3d:81:41 + } + } + rule 977 { + action drop + description Anti-spoofing_77.68.117.222 + source { + address 77.68.117.222 + mac-address !00:50:56:16:92:58 + } + } + rule 978 { + action drop + description Anti-spoofing_77.68.118.15 + source { + address 77.68.118.15 + mac-address !00:50:56:28:28:de + } + } + rule 979 { + action drop + description Anti-spoofing_77.68.117.173 + source { + address 77.68.117.173 + mac-address !00:50:56:12:7a:57 + } + } + rule 980 { + action drop + description Anti-spoofing_77.68.83.41 + source { + address 77.68.83.41 + mac-address !00:50:56:13:ef:0e + } + } + rule 981 { + action drop + description Anti-spoofing_77.68.4.57 + source { + address 77.68.4.57 + mac-address !00:50:56:23:f0:c3 + } + } + rule 983 { + action drop + description Anti-spoofing_77.68.118.86 + source { + address 77.68.118.86 + mac-address !00:50:56:03:73:3d + } + } + rule 984 { + action drop + description Anti-spoofing_109.228.56.26 + source { + address 109.228.56.26 + mac-address !00:50:56:36:47:8c + } + } + rule 985 { + action drop + description Anti-spoofing_109.228.38.171 + source { + address 109.228.38.171 + mac-address !00:50:56:18:da:1c + } + } + rule 986 { + action drop + description Anti-spoofing_77.68.91.128 + source { + address 77.68.91.128 + mac-address !00:50:56:34:d0:41 + } + } + rule 987 { + action drop + description Anti-spoofing_77.68.79.89 + source { + address 77.68.79.89 + mac-address !00:50:56:14:67:52 + } + } + rule 988 { + action drop + description Anti-spoofing_88.208.198.66 + source { + address 88.208.198.66 + mac-address !00:50:56:3c:e0:8d + } + } + rule 989 { + action drop + description Anti-spoofing_77.68.118.88 + source { + address 77.68.118.88 + mac-address !00:50:56:2f:ac:5f + } + } + rule 990 { + action drop + description Anti-spoofing_109.228.60.215 + source { + address 109.228.60.215 + mac-address !00:50:56:2b:59:35 + } + } + rule 991 { + action drop + description Anti-spoofing_109.228.55.82 + source { + address 109.228.55.82 + mac-address !00:50:56:32:15:bc + } + } + rule 992 { + action drop + description Anti-spoofing_77.68.48.14 + source { + address 77.68.48.14 + mac-address !00:50:56:2e:2e:5a + } + } + rule 993 { + action drop + description Anti-spoofing_77.68.7.186 + source { + address 77.68.7.186 + mac-address !00:50:56:06:63:ae + } + } + rule 994 { + action drop + description Anti-spoofing_77.68.74.209 + source { + address 77.68.74.209 + mac-address !00:50:56:01:c5:88 + } + } + rule 995 { + action drop + description Anti-spoofing_77.68.6.32 + source { + address 77.68.6.32 + mac-address !00:50:56:19:b2:9e + } + } + rule 996 { + action drop + description Anti-spoofing_77.68.6.210 + source { + address 77.68.6.210 + mac-address !00:50:56:03:16:58 + } + } + rule 997 { + action drop + description Anti-spoofing_77.68.34.26 + source { + address 77.68.34.26 + mac-address !00:50:56:16:f0:f3 + } + } + rule 998 { + action drop + description Anti-spoofing_77.68.77.238 + source { + address 77.68.77.238 + mac-address !00:50:56:25:b8:e7 + } + } + rule 999 { + action drop + description Anti-spoofing_77.68.35.116 + source { + address 77.68.35.116 + mac-address !00:50:56:22:c6:b9 + } + } + rule 1000 { + action drop + description Anti-spoofing_77.68.23.112 + source { + address 77.68.23.112 + mac-address !00:50:56:1f:06:9f + } + } + rule 1001 { + action drop + description Anti-spoofing_77.68.120.241 + source { + address 77.68.120.241 + mac-address !00:50:56:18:1e:aa + } + } + rule 1002 { + action drop + description Anti-spoofing_77.68.34.28 + source { + address 77.68.34.28 + mac-address !00:50:56:24:5e:9a + } + } + rule 1003 { + action drop + description Anti-spoofing_77.68.122.195 + source { + address 77.68.122.195 + mac-address !00:50:56:0d:fd:66 + } + } + rule 1004 { + action drop + description Anti-spoofing_77.68.126.14 + source { + address 77.68.126.14 + mac-address !00:50:56:02:46:82 + } + } + rule 1005 { + action drop + description Anti-spoofing_109.228.38.117 + source { + address 109.228.38.117 + mac-address !00:50:56:05:55:f0 + } + } + rule 1006 { + action drop + description Anti-spoofing_77.68.33.171 + source { + address 77.68.33.171 + mac-address !00:50:56:07:69:46 + } + } + rule 1007 { + action drop + description Anti-spoofing_77.68.24.220 + source { + address 77.68.24.220 + mac-address !00:50:56:1f:53:df + } + } + rule 1008 { + action drop + description Anti-spoofing_88.208.197.23 + source { + address 88.208.197.23 + mac-address !00:50:56:23:fa:2f + } + } + rule 1009 { + action drop + description Anti-spoofing_77.68.80.26 + source { + address 77.68.80.26 + mac-address !00:50:56:21:23:8e + } + } + rule 1010 { + action drop + description Anti-spoofing_77.68.32.83 + source { + address 77.68.32.83 + mac-address !00:50:56:26:5d:1a + } + } + rule 1011 { + action drop + description Anti-spoofing_77.68.95.42 + source { + address 77.68.95.42 + mac-address !00:50:56:00:77:9a + } + } + rule 1012 { + action drop + description Anti-spoofing_213.171.209.217 + source { + address 213.171.209.217 + mac-address !00:50:56:18:7b:c2 + } + } + rule 1014 { + action drop + description Anti-spoofing_109.228.39.249 + source { + address 109.228.39.249 + mac-address !00:50:56:0e:4b:f9 + } + } + rule 1015 { + action drop + description Anti-spoofing_77.68.32.86 + source { + address 77.68.32.86 + mac-address !00:50:56:29:ff:6f + } + } + rule 1016 { + action drop + description Anti-spoofing_77.68.125.218 + source { + address 77.68.125.218 + mac-address !00:50:56:2f:4d:38 + } + } + rule 1017 { + action drop + description Anti-spoofing_77.68.17.186 + source { + address 77.68.17.186 + mac-address !00:50:56:2e:6b:f3 + } + } + rule 1018 { + action drop + description Anti-spoofing_77.68.12.45 + source { + address 77.68.12.45 + mac-address !00:50:56:15:e4:38 + } + } + rule 1019 { + action drop + description Anti-spoofing_109.228.40.247 + source { + address 109.228.40.247 + mac-address !00:50:56:20:62:b7 + } + } + rule 1020 { + action drop + description Anti-spoofing_77.68.32.89 + source { + address 77.68.32.89 + mac-address !00:50:56:2e:21:46 + } + } + rule 1022 { + action drop + description Anti-spoofing_77.68.34.138 + source { + address 77.68.34.138 + mac-address !00:50:56:10:0a:08 + } + } + rule 1023 { + action drop + description Anti-spoofing_77.68.34.139 + source { + address 77.68.34.139 + mac-address !00:50:56:0d:24:2f + } + } + rule 1024 { + action drop + description Anti-spoofing_213.171.208.40 + source { + address 213.171.208.40 + mac-address !00:50:56:07:df:6e + } + } + rule 1026 { + action drop + description Anti-spoofing_109.228.40.226 + source { + address 109.228.40.226 + mac-address !00:50:56:2d:c8:2a + } + } + rule 1028 { + action drop + description Anti-spoofing_185.132.39.109 + source { + address 185.132.39.109 + mac-address !00:50:56:2c:3e:98 + } + } + rule 1029 { + action drop + description Anti-spoofing_109.228.40.207 + source { + address 109.228.40.207 + mac-address !00:50:56:04:ba:9c + } + } + rule 1030 { + action drop + description Anti-spoofing_77.68.48.89 + source { + address 77.68.48.89 + mac-address !00:50:56:33:b3:05 + } + } + rule 1031 { + action drop + description Anti-spoofing_77.68.48.105 + source { + address 77.68.48.105 + mac-address !00:50:56:13:8d:55 + } + } + rule 1032 { + action drop + description Anti-spoofing_77.68.50.142 + source { + address 77.68.50.142 + mac-address !00:50:56:2e:58:85 + } + } + rule 1033 { + action drop + description Anti-spoofing_77.68.49.12 + source { + address 77.68.49.12 + mac-address !00:50:56:0f:ed:da + } + } + rule 1034 { + action drop + description Anti-spoofing_77.68.85.18 + source { + address 77.68.85.18 + mac-address !00:50:56:3b:0a:8b + } + } + rule 1035 { + action drop + description Anti-spoofing_77.68.49.4 + source { + address 77.68.49.4 + mac-address !00:50:56:05:e5:05 + } + } + rule 1036 { + action drop + description Anti-spoofing_109.228.37.187 + source { + address 109.228.37.187 + mac-address !00:50:56:37:21:f0 + } + } + rule 1037 { + action drop + description Anti-spoofing_77.68.49.178 + source { + address 77.68.49.178 + mac-address !00:50:56:26:00:f7 + } + } + rule 1038 { + action drop + description Anti-spoofing_77.68.82.147 + source { + address 77.68.82.147 + mac-address !00:50:56:13:75:25 + } + } + rule 1040 { + action drop + description Anti-spoofing_77.68.24.134 + source { + address 77.68.24.134 + mac-address !00:50:56:29:0b:02 + } + } + rule 1041 { + action drop + description Anti-spoofing_77.68.24.63 + source { + address 77.68.24.63 + mac-address !00:50:56:08:7e:4a + } + } + rule 1042 { + action drop + description Anti-spoofing_77.68.50.91 + source { + address 77.68.50.91 + mac-address !00:50:56:35:b6:4f + } + } + rule 1043 { + action drop + description Anti-spoofing_77.68.49.160 + source { + address 77.68.49.160 + mac-address !00:50:56:0e:29:ce + } + } + rule 1044 { + action drop + description Anti-spoofing_77.68.116.84 + source { + address 77.68.116.84 + mac-address !00:50:56:2d:e7:75 + } + } + rule 1045 { + action drop + description Anti-spoofing_77.68.126.160 + source { + address 77.68.126.160 + mac-address !00:50:56:19:a1:cf + } + } + rule 1046 { + action drop + description Anti-spoofing_185.132.41.240 + source { + address 185.132.41.240 + mac-address !00:50:56:08:f6:7c + } + } + rule 1047 { + action drop + description Anti-spoofing_77.68.50.193 + source { + address 77.68.50.193 + mac-address !00:50:56:0f:44:05 + } + } + rule 1048 { + action drop + description Anti-spoofing_77.68.49.161 + source { + address 77.68.49.161 + mac-address !00:50:56:09:4a:87 + } + } + rule 1049 { + action drop + description Anti-spoofing_109.228.58.134 + source { + address 109.228.58.134 + mac-address !00:50:56:06:82:eb + } + } + rule 1050 { + action drop + description Anti-spoofing_185.132.36.56 + source { + address 185.132.36.56 + mac-address !00:50:56:11:89:a1 + } + } + rule 1051 { + action drop + description Anti-spoofing_77.68.50.198 + source { + address 77.68.50.198 + mac-address !00:50:56:21:8f:66 + } + } + rule 1052 { + action drop + description Anti-spoofing_77.68.100.150 + source { + address 77.68.100.150 + mac-address !00:50:56:3a:15:0a + } + } + rule 1053 { + action drop + description Anti-spoofing_88.208.196.91 + source { + address 88.208.196.91 + mac-address !00:50:56:0a:06:31 + } + } + rule 1054 { + action drop + description Anti-spoofing_185.132.41.148 + source { + address 185.132.41.148 + mac-address !00:50:56:3b:d9:ec + } + } + rule 1055 { + action drop + description Anti-spoofing_213.171.210.25 + source { + address 213.171.210.25 + mac-address !00:50:56:0a:b8:6c + } + } + rule 1056 { + action drop + description Anti-spoofing_77.68.51.214 + source { + address 77.68.51.214 + mac-address !00:50:56:16:29:41 + } + } + rule 1057 { + action drop + description Anti-spoofing_77.68.51.202 + source { + address 77.68.51.202 + mac-address !00:50:56:24:5a:0f + } + } + rule 1058 { + action drop + description Anti-spoofing_77.68.100.132 + source { + address 77.68.100.132 + mac-address !00:50:56:27:18:b7 + } + } + rule 1059 { + action drop + description Anti-spoofing_77.68.77.42 + source { + address 77.68.77.42 + mac-address !00:50:56:34:d1:d5 + } + } + rule 1060 { + action drop + description Anti-spoofing_109.228.39.41 + source { + address 109.228.39.41 + mac-address !00:50:56:2e:6a:41 + } + } + rule 1061 { + action drop + description Anti-spoofing_77.68.100.134 + source { + address 77.68.100.134 + mac-address !00:50:56:19:a0:13 + } + } + rule 1062 { + action drop + description Anti-spoofing_77.68.89.247 + source { + address 77.68.89.247 + mac-address !00:50:56:2b:ed:68 + } + } + rule 1063 { + action drop + description Anti-spoofing_77.68.101.64 + source { + address 77.68.101.64 + mac-address !00:50:56:24:5a:0f + } + } + rule 1064 { + action drop + description Anti-spoofing_88.208.199.249 + source { + address 88.208.199.249 + mac-address !00:50:56:16:3e:ed + } + } + rule 1065 { + action drop + description Anti-spoofing_77.68.101.124 + source { + address 77.68.101.124 + mac-address !00:50:56:15:0e:e0 + } + } + rule 1066 { + action drop + description Anti-spoofing_77.68.101.125 + source { + address 77.68.101.125 + mac-address !00:50:56:33:ce:ff + } + } + rule 1068 { + action drop + description Anti-spoofing_77.68.100.167 + source { + address 77.68.100.167 + mac-address !00:50:56:34:b3:5d + } + } + rule 1069 { + action drop + description Anti-spoofing_77.68.49.152 + source { + address 77.68.49.152 + mac-address !00:50:56:1a:06:95 + } + } + rule 1070 { + action drop + description Anti-spoofing_77.68.103.147 + source { + address 77.68.103.147 + mac-address !00:50:56:2e:52:7f + } + } + rule 1071 { + action drop + description Anti-spoofing_77.68.48.202 + source { + address 77.68.48.202 + mac-address !00:50:56:0b:da:01 + } + } + rule 1072 { + action drop + description Anti-spoofing_77.68.112.175 + source { + address 77.68.112.175 + mac-address !00:50:56:05:9e:e5 + } + } + rule 1073 { + action drop + description Anti-spoofing_109.228.56.97 + source { + address 109.228.56.97 + mac-address !00:50:56:36:cd:04 + } + } + rule 1074 { + action drop + description Anti-spoofing_185.132.37.47 + source { + address 185.132.37.47 + mac-address !00:50:56:3a:de:38 + } + } + rule 1075 { + action drop + description Anti-spoofing_77.68.31.96 + source { + address 77.68.31.96 + mac-address !00:50:56:07:d0:cf + } + } + rule 1076 { + action drop + description Anti-spoofing_109.228.61.37 + source { + address 109.228.61.37 + mac-address !00:50:56:1a:93:80 + } + } + rule 1077 { + action drop + description Anti-spoofing_77.68.33.24 + source { + address 77.68.33.24 + mac-address !00:50:56:0d:ae:e8 + } + } + rule 1078 { + action drop + description Anti-spoofing_88.208.197.135 + source { + address 88.208.197.135 + mac-address !00:50:56:3b:39:6b + } + } + rule 1079 { + action drop + description Anti-spoofing_77.68.103.227 + source { + address 77.68.103.227 + mac-address !00:50:56:28:cd:95 + } + } + rule 1080 { + action drop + description Anti-spoofing_185.132.38.182 + source { + address 185.132.38.182 + mac-address !00:50:56:39:4b:e3 + } + } + rule 1081 { + action drop + description Anti-spoofing_88.208.197.118 + source { + address 88.208.197.118 + mac-address !00:50:56:2c:cd:e3 + } + } + rule 1082 { + action drop + description Anti-spoofing_88.208.196.92 + source { + address 88.208.196.92 + mac-address !00:50:56:05:77:19 + } + } + rule 1083 { + action drop + description Anti-spoofing_88.208.197.150 + source { + address 88.208.197.150 + mac-address !00:50:56:0c:ae:6c + } + } + rule 1084 { + action drop + description Anti-spoofing_88.208.215.121 + source { + address 88.208.215.121 + mac-address !00:50:56:16:0b:60 + } + } + rule 1085 { + action drop + description Anti-spoofing_88.208.197.10 + source { + address 88.208.197.10 + mac-address !00:50:56:1c:8b:fb + } + } + rule 1086 { + action drop + description Anti-spoofing_88.208.198.69 + source { + address 88.208.198.69 + mac-address !00:50:56:06:e7:eb + } + } + rule 1087 { + action drop + description Anti-spoofing_88.208.197.155 + source { + address 88.208.197.155 + mac-address !00:50:56:39:39:8e + } + } + rule 1088 { + action drop + description Anti-spoofing_88.208.198.39 + source { + address 88.208.198.39 + mac-address !00:50:56:22:2d:07 + } + } + rule 1089 { + action drop + description Anti-spoofing_88.208.197.160 + source { + address 88.208.197.160 + mac-address !00:50:56:2e:03:9a + } + } + rule 1090 { + action drop + description Anti-spoofing_88.208.197.60 + source { + address 88.208.197.60 + mac-address !00:50:56:3e:59:7c + } + } + rule 1091 { + action drop + description Anti-spoofing_77.68.102.129 + source { + address 77.68.102.129 + mac-address !00:50:56:2c:9d:a5 + } + } + rule 1092 { + action drop + description Anti-spoofing_88.208.196.123 + source { + address 88.208.196.123 + mac-address !00:50:56:21:ac:31 + } + } + rule 1093 { + action drop + description Anti-spoofing_88.208.215.61 + source { + address 88.208.215.61 + mac-address !00:50:56:05:91:dd + } + } + rule 1094 { + action drop + description Anti-spoofing_88.208.215.62 + source { + address 88.208.215.62 + mac-address !00:50:56:2d:ff:f4 + } + } + rule 1095 { + action drop + description Anti-spoofing_88.208.199.141 + source { + address 88.208.199.141 + mac-address !00:50:56:10:8f:10 + } + } + rule 1096 { + action drop + description Anti-spoofing_88.208.215.157 + source { + address 88.208.215.157 + mac-address !00:50:56:38:d7:1a + } + } + rule 1097 { + action drop + description Anti-spoofing_77.68.21.171 + source { + address 77.68.21.171 + mac-address !00:50:56:29:e0:5f + } + } + rule 1098 { + action drop + description Anti-spoofing_88.208.198.251 + source { + address 88.208.198.251 + mac-address !00:50:56:2b:2a:6a + } + } + rule 1099 { + action drop + description Anti-spoofing_88.208.199.233 + source { + address 88.208.199.233 + mac-address !00:50:56:1e:bf:95 + } + } + rule 1100 { + action drop + description Anti-spoofing_88.208.212.31 + source { + address 88.208.212.31 + mac-address !00:50:56:28:f4:aa + } + } + rule 1101 { + action drop + description Anti-spoofing_88.208.197.129 + source { + address 88.208.197.129 + mac-address !00:50:56:1f:71:bf + } + } + rule 1102 { + action drop + description Anti-spoofing_88.208.199.46 + source { + address 88.208.199.46 + mac-address !00:50:56:34:dc:e5 + } + } + rule 1103 { + action drop + description Anti-spoofing_88.208.212.94 + source { + address 88.208.212.94 + mac-address !00:50:56:3d:f5:16 + } + } + rule 1105 { + action drop + description Anti-spoofing_88.208.212.182 + source { + address 88.208.212.182 + mac-address !00:50:56:12:e4:1b + } + } + rule 1108 { + action drop + description Anti-spoofing_88.208.212.188 + source { + address 88.208.212.188 + mac-address !00:50:56:36:a8:9e + } + } + rule 1500 { + action drop + description "Block port 11211-udp" + protocol udp + source { + group { + address-group CLUSTER_ADDRESSES + } + port 11211 + } + } + rule 1510 { + action drop + description "Test Drive - Outgoing traffic blocked" + destination { + group { + network-group !NAS_NETWORKS + } + } + source { + group { + address-group DT_BLOCKED + } + } + } + rule 1520 { + action drop + description "Deny outgoing SMTP to new contracts" + destination { + port smtp + } + protocol tcp + source { + group { + address-group DT_SMTP_BLOCKED + } + } + } + rule 1600 { + action accept + description "Allow unicast requests to DHCP servers" + destination { + group { + address-group DHCP_SERVERS + } + port bootps + } + protocol tcp_udp + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 1610 { + action accept + description "Allow DNS queries to dnscache servers" + destination { + group { + address-group DNSCACHE_SERVERS + } + port 53 + } + protocol tcp_udp + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 1620 { + action accept + destination { + group { + address-group NAS_ARRAYS + } + } + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 1630 { + action accept + description "Kerberos authentication to Domain Controllers" + destination { + group { + address-group NAS_DOMAIN_CONTROLLERS + } + port 88 + } + protocol tcp_udp + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 1640 { + action drop + description "Deny rest of the traffic to NAS" + destination { + group { + network-group NAS_NETWORKS + } + } + } + rule 2000 { + action accept + description "TOP port - SSH" + destination { + group { + address-group G-22-TCP + } + port ssh + } + protocol tcp + } + rule 2001 { + action accept + description "TOP port - RDESKTOP" + destination { + group { + address-group G-3389-TCP + } + port 3389 + } + protocol tcp + } + rule 2002 { + action accept + description "TOP port - HTTP" + destination { + group { + address-group G-80-TCP + } + port http + } + protocol tcp + } + rule 2003 { + action accept + description "TOP port - HTTPS" + destination { + group { + address-group G-443-TCP + } + port https + } + protocol tcp + } + rule 2004 { + action accept + description "TOP port - DOMAIN TCP" + destination { + group { + address-group G-53-TCP + } + port domain + } + protocol tcp + } + rule 2005 { + action accept + description "TOP port - DOMAIN UDP" + destination { + group { + address-group G-53-UDP + } + port domain + } + protocol udp + } + rule 2006 { + action accept + description "TOP port - SMTP" + destination { + group { + address-group G-25-TCP + } + port smtp + } + protocol tcp + } + rule 2007 { + action accept + description "TOP port - IMAP" + destination { + group { + address-group G-143-TCP + } + port imap2 + } + protocol tcp + } + rule 2008 { + action accept + description "TOP port - POP3" + destination { + group { + address-group G-110-TCP + } + port pop3 + } + protocol tcp + } + rule 2009 { + action accept + description "TOP port - MSSQL TCP" + destination { + group { + address-group G-1433-TCP + } + port ms-sql-s + } + protocol tcp + } + rule 2010 { + action accept + description "TOP port - MYSQL TCP" + destination { + group { + address-group G-3306-TCP + } + port mysql + } + protocol tcp + } + rule 2011 { + action accept + description "TOP port - FTPDATA" + destination { + group { + address-group G-20-TCP + } + port ftp-data + } + protocol tcp + } + rule 2012 { + action accept + description "TOP port - FTP" + destination { + group { + address-group G-21-TCP + } + port ftp + } + protocol tcp + } + rule 2013 { + action accept + description "TOP port - SSMTP" + destination { + group { + address-group G-465-TCP + } + port ssmtp + } + protocol tcp + } + rule 2014 { + action accept + description "TOP port - SMTPS" + destination { + group { + address-group G-587-TCP + } + port 587 + } + protocol tcp + } + rule 2015 { + action accept + description "TOP port - IMAPS" + destination { + group { + address-group G-993-TCP + } + port imaps + } + protocol tcp + } + rule 2016 { + action accept + description "TOP port - POP3S" + destination { + group { + address-group G-995-TCP + } + port pop3s + } + protocol tcp + } + rule 2017 { + action accept + description "TOP port - TOMCAT" + destination { + group { + address-group G-8080-TCP + } + port 8080 + } + protocol tcp + } + rule 2018 { + action accept + description "TOP port - Alternative HTTPS" + destination { + group { + address-group G-8443-TCP + } + port 8443 + } + protocol tcp + } + rule 2019 { + action accept + description "TOP port - 10000/TCP" + destination { + group { + address-group G-10000-TCP + } + port 10000 + } + protocol tcp + } + rule 2020 { + action accept + description "TOP port - 8447/TCP" + destination { + group { + address-group G-8447-TCP + } + port 8447 + } + protocol tcp + } + rule 2040 { + action accept + description "TOP port - All ports open" + destination { + group { + address-group G-ALL_OPEN + } + } + } + rule 2050 { + action accept + description "ICMP group" + destination { + group { + address-group G-ICMP + } + } + protocol icmp + } + rule 2100 { + action accept + description FW2BB8D_1-TCP-ALLOW-104.192.143.2 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 7999,22 + } + protocol tcp + source { + address 104.192.143.2 + } + } + rule 2101 { + action accept + description FW19987_4-TCP-ALLOW-77.68.74.54 + destination { + group { + address-group DT_FW19987_4 + } + port 443 + } + protocol tcp + source { + address 77.68.74.54 + } + } + rule 2102 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-109.72.210.46 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 109.72.210.46 + } + } + rule 2103 { + action accept + description FW5A77C_16-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2104 { + action accept + description FW826BA_3-TCP-ALLOW-164.177.156.192 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 164.177.156.192 + } + } + rule 2105 { + action accept + description FWDAA4F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDAA4F_1 + } + port 22335 + } + protocol tcp + } + rule 2106 { + action accept + description FW6D0CD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6D0CD_1 + } + port 6900,7000 + } + protocol tcp + } + rule 2107 { + action accept + description FW6D0CD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6D0CD_1 + } + port 9001 + } + protocol tcp_udp + } + rule 2108 { + action accept + description FW06176_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW06176_1 + } + port 5900 + } + protocol tcp + } + rule 2109 { + action accept + description FW19987_4-TCP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FW19987_4 + } + port 443 + } + protocol tcp + source { + address 77.68.77.70 + } + } + rule 2110 { + action accept + description FWF7B68_1-TCP-ALLOW-54.221.251.224 + destination { + group { + address-group DT_FWF7B68_1 + } + port 8443,3306,22,21,20 + } + protocol tcp + source { + address 54.221.251.224 + } + } + rule 2111 { + action accept + description FW05AD0_2-TCP-ALLOW-178.251.181.41 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.41 + } + } + rule 2112 { + action accept + description FW05AD0_2-TCP-ALLOW-178.251.181.6 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.6 + } + } + rule 2113 { + action accept + description VPN-7030-ANY-ALLOW-10.4.58.119 + destination { + group { + address-group DT_VPN-7030 + } + } + source { + address 10.4.58.119 + } + } + rule 2114 { + action accept + description FW58C69_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW58C69_4 + } + port 5666 + } + protocol tcp + } + rule 2115 { + action accept + description FW2BB8D_1-TCP-ALLOW-185.201.180.35 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000,22 + } + protocol tcp + source { + address 185.201.180.35 + } + } + rule 2116 { + action accept + description FW19987_4-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2117 { + action accept + description FW19987_4-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2118 { + action accept + description FW5658C_1-TCP-ALLOW-212.159.160.65 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443,3389,3306,22,21 + } + protocol tcp + source { + address 212.159.160.65 + } + } + rule 2119 { + action accept + description FW5658C_1-TCP-ALLOW-79.78.20.149 + destination { + group { + address-group DT_FW5658C_1 + } + port 8447,8443,3389,3306,993,143,22,21 + } + protocol tcp + source { + address 79.78.20.149 + } + } + rule 2120 { + action accept + description FW5658C_1-TCP-ALLOW-77.68.77.185 + destination { + group { + address-group DT_FW5658C_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.77.185 + } + } + rule 2121 { + action accept + description FW5658C_1-TCP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443,3389 + } + protocol tcp + source { + address 82.165.232.19 + } + } + rule 2122 { + action accept + description FW2C5AE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2C5AE_1 + } + port 30303,5717 + } + protocol tcp_udp + } + rule 2123 { + action accept + description VPN-12899-ANY-ALLOW-10.4.58.207 + destination { + group { + address-group DT_VPN-12899 + } + } + source { + address 10.4.58.207 + } + } + rule 2124 { + action accept + description FW7648D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7648D_1 + } + port 8501,8050,7801,4444,1443 + } + protocol tcp + } + rule 2125 { + action accept + description FW0C2E6_4-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0C2E6_4 + } + port 1194 + } + protocol udp + } + rule 2126 { + action accept + description FW5658C_1-TCP-ALLOW-39.37.175.132 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.37.175.132 + } + } + rule 2127 { + action accept + description FW826BA_3-TCP-ALLOW-165.255.242.223 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 165.255.242.223 + } + } + rule 2128 { + action accept + description VPN-10131-ANY-ALLOW-10.4.56.51 + destination { + group { + address-group DT_VPN-10131 + } + } + source { + address 10.4.56.51 + } + } + rule 2129 { + action accept + description FW2BB8D_1-TCP-ALLOW-212.227.84.142 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 22 + } + protocol tcp + source { + address 212.227.84.142 + } + } + rule 2130 { + action accept + description FW2BB8D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2BB8D_1 + } + port 53 + } + protocol tcp_udp + } + rule 2131 { + action accept + description FWFDD94_15-TCP-ALLOW-90.29.180.234 + destination { + group { + address-group DT_FWFDD94_15 + } + port 5683,1883 + } + protocol tcp + source { + address 90.29.180.234 + } + } + rule 2132 { + action accept + description VPN-10131-ANY-ALLOW-10.4.57.51 + destination { + group { + address-group DT_VPN-10131 + } + } + source { + address 10.4.57.51 + } + } + rule 2133 { + action accept + description FW2BB8D_1-TCP-ALLOW-109.228.49.193 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 109.228.49.193 + } + } + rule 2134 { + action accept + description FW81138_1-ICMP-ALLOW-3.10.221.168 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 3.10.221.168 + } + } + rule 2135 { + action accept + description FWB28B6_5-AH-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 77.68.36.46 + } + } + rule 2136 { + action accept + description FWB28B6_5-ESP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 77.68.36.46 + } + } + rule 2137 { + action accept + description FW825C8_24-TCP-ALLOW-77.68.87.201 + destination { + group { + address-group DT_FW825C8_24 + } + port 1433 + } + protocol tcp + source { + address 77.68.87.201 + } + } + rule 2138 { + action accept + description FWB28B6_5-AH-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 213.171.196.146 + } + } + rule 2139 { + action accept + description FWB28B6_5-ESP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 213.171.196.146 + } + } + rule 2140 { + action accept + description FWB28B6_5-UDP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + port 500,4500 + } + protocol udp + source { + address 213.171.196.146 + } + } + rule 2141 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 213.171.196.146 + } + } + rule 2142 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 77.68.36.46 + } + } + rule 2143 { + action accept + description FWB28B6_5-UDP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + port 500,4500 + } + protocol udp + source { + address 77.68.36.46 + } + } + rule 2144 { + action accept + description VPN-12899-ANY-ALLOW-10.4.59.207 + destination { + group { + address-group DT_VPN-12899 + } + } + source { + address 10.4.59.207 + } + } + rule 2145 { + action accept + description FWB28B6_5-TCP-ALLOW-81.130.141.175 + destination { + group { + address-group DT_FWB28B6_5 + } + port 3389 + } + protocol tcp + source { + address 81.130.141.175 + } + } + rule 2146 { + action accept + description FWB28B6_5-UDP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + port 4500,500 + } + protocol udp + source { + address 77.68.38.195 + } + } + rule 2147 { + action accept + description FWB28B6_5-AH-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 77.68.38.195 + } + } + rule 2148 { + action accept + description FWB28B6_5-ESP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 77.68.38.195 + } + } + rule 2149 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 77.68.38.195 + } + } + rule 2150 { + action accept + description FW5658C_1-TCP-ALLOW-39.37.178.77 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.37.178.77 + } + } + rule 2151 { + action accept + description FW5A77C_16-TCP-ALLOW-51.241.139.56 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 51.241.139.56 + } + } + rule 2152 { + action accept + description FWA86ED_101-TCP-ALLOW-150.143.57.138 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389 + } + protocol tcp + source { + address 150.143.57.138 + } + } + rule 2153 { + action accept + description FW6ECA4_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6ECA4_1 + } + port 3939,3335,3334,3333,3000,999,444 + } + protocol tcp_udp + } + rule 2154 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.13.20 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.13.20 + } + } + rule 2155 { + action accept + description FW481D7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW481D7_1 + } + port 3478 + } + protocol tcp_udp + } + rule 2156 { + action accept + description FW5A5D7_3-GRE-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + } + protocol gre + source { + address 51.219.222.28 + } + } + rule 2157 { + action accept + description FWA86ED_101-TCP-ALLOW-94.195.127.217 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 94.195.127.217 + } + } + rule 2158 { + action accept + description FW2E060_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2E060_1 + } + port 49152-65535,8443-8447 + } + protocol tcp + } + rule 2159 { + action accept + description FWFDD94_15-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWFDD94_15 + } + port 9090,5080,1935 + } + protocol tcp + } + rule 2160 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.190.224 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.190.224 + } + } + rule 2161 { + action accept + description FW9E550_1-TCP-ALLOW-109.249.187.56 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 109.249.187.56 + } + } + rule 2162 { + action accept + description FW89619_1-TCP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FW89619_1 + } + port 22 + } + protocol tcp + source { + address 81.133.80.114 + } + } + rule 2163 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.227.72.218 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.227.72.218 + } + } + rule 2164 { + action accept + description FW0E383_9-TCP-ALLOW-151.229.59.51 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 151.229.59.51 + } + } + rule 2165 { + action accept + description FW8AFF1_7-TCP-ALLOW-178.251.181.41 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433,21 + } + protocol tcp + source { + address 178.251.181.41 + } + } + rule 2166 { + action accept + description FW3CAAB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3CAAB_1 + } + port 49152-65535,30000-30400,8443-8447,5432,80-110,21-25 + } + protocol tcp + } + rule 2167 { + action accept + description FW91B7A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW91B7A_1 + } + port 3389,80 + } + protocol tcp_udp + } + rule 2168 { + action accept + description FW40416_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW40416_1 + } + port 1-65535 + } + protocol tcp + } + rule 2169 { + action accept + description FW5A77C_16-TCP-ALLOW-81.151.24.216 + destination { + group { + address-group DT_FW5A77C_16 + } + port 10000,22 + } + protocol tcp + source { + address 81.151.24.216 + } + } + rule 2170 { + action accept + description VPN-7030-ANY-ALLOW-10.4.59.119 + destination { + group { + address-group DT_VPN-7030 + } + } + source { + address 10.4.59.119 + } + } + rule 2171 { + action accept + description FW0E383_9-TCP-ALLOW-62.252.94.138 + destination { + group { + address-group DT_FW0E383_9 + } + port 3389,1433 + } + protocol tcp + source { + address 62.252.94.138 + } + } + rule 2172 { + action accept + description FW89619_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 5015,5001,5000 + } + protocol tcp + } + rule 2173 { + action accept + description FW89619_1-TCP_UDP-ALLOW-167.98.162.142 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 167.98.162.142 + } + } + rule 2174 { + action accept + description FW013EF_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW013EF_2 + } + port 44445,7770-7800,5090,5060-5070,5015,5001,2000-2500 + } + protocol tcp + } + rule 2175 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.12 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.12 + } + } + rule 2176 { + action accept + description VPN-15625-ANY-ALLOW-10.4.88.79 + destination { + group { + address-group DT_VPN-15625 + } + } + source { + address 10.4.88.79 + } + } + rule 2177 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.228.53.128 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 109.228.53.128 + } + } + rule 2178 { + action accept + description FW8AFF1_7-TCP-ALLOW-178.251.181.6 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.6 + } + } + rule 2179 { + action accept + description FW578BE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW578BE_1 + } + port 23,1521,1522 + } + protocol tcp + } + rule 2180 { + action accept + description FWE012D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE012D_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2181 { + action accept + description FW8AFF1_7-TCP-ALLOW-213.171.209.161 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 3389,1433,21 + } + protocol tcp + source { + address 213.171.209.161 + } + } + rule 2182 { + action accept + description VPN-8203-ANY-ALLOW-10.4.58.109 + destination { + group { + address-group DT_VPN-8203 + } + } + source { + address 10.4.58.109 + } + } + rule 2183 { + action accept + description VPN-9415-ANY-ALLOW-10.4.58.168 + destination { + group { + address-group DT_VPN-9415 + } + } + source { + address 10.4.58.168 + } + } + rule 2184 { + action accept + description VPN-9415-ANY-ALLOW-10.4.59.168 + destination { + group { + address-group DT_VPN-9415 + } + } + source { + address 10.4.59.168 + } + } + rule 2185 { + action accept + description FW27A8F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW27A8F_1 + } + port 9990,8458,8090,6543,5432 + } + protocol tcp + } + rule 2186 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.11.224 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 77.68.11.224 + } + } + rule 2187 { + action accept + description VPN-15625-ANY-ALLOW-10.4.89.79 + destination { + group { + address-group DT_VPN-15625 + } + } + source { + address 10.4.89.79 + } + } + rule 2188 { + action accept + description VPN-14649-ANY-ALLOW-10.4.86.35 + destination { + group { + address-group DT_VPN-14649 + } + } + source { + address 10.4.86.35 + } + } + rule 2189 { + action accept + description VPN-14649-ANY-ALLOW-10.4.87.35 + destination { + group { + address-group DT_VPN-14649 + } + } + source { + address 10.4.87.35 + } + } + rule 2190 { + action accept + description VPN-14657-ANY-ALLOW-10.4.86.38 + destination { + group { + address-group DT_VPN-14657 + } + } + source { + address 10.4.86.38 + } + } + rule 2191 { + action accept + description VPN-14657-ANY-ALLOW-10.4.87.38 + destination { + group { + address-group DT_VPN-14657 + } + } + source { + address 10.4.87.38 + } + } + rule 2192 { + action accept + description VPN-14658-ANY-ALLOW-10.4.88.38 + destination { + group { + address-group DT_VPN-14658 + } + } + source { + address 10.4.88.38 + } + } + rule 2193 { + action accept + description VPN-14658-ANY-ALLOW-10.4.89.38 + destination { + group { + address-group DT_VPN-14658 + } + } + source { + address 10.4.89.38 + } + } + rule 2194 { + action accept + description FW0BB22_1-GRE-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol gre + } + rule 2195 { + action accept + description FW0BB22_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol esp + } + rule 2196 { + action accept + description FW1CC15_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1CC15_2 + } + port 8089,8085,990,81 + } + protocol tcp + } + rule 2197 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.124 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.124 + } + } + rule 2198 { + action accept + description FW5A5D7_3-TCP-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389,1723,1701,47 + } + protocol tcp + source { + address 51.219.222.28 + } + } + rule 2199 { + action accept + description FW1CB16_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1CB16_1 + } + port 3306,27017,53 + } + protocol tcp_udp + } + rule 2200 { + action accept + description FWE47DA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE47DA_1 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2201 { + action accept + description FW37E59_5-TCP-ALLOW-77.68.20.244 + destination { + group { + address-group DT_FW37E59_5 + } + port 30303 + } + protocol tcp + source { + address 77.68.20.244 + } + } + rule 2202 { + action accept + description FW274FD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW274FD_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2203 { + action accept + description FW6CD7E_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6CD7E_2 + } + port 49152-65535 + } + protocol tcp + } + rule 2204 { + action accept + description FW826BA_3-TCP-ALLOW-178.17.252.59 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 178.17.252.59 + } + } + rule 2205 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.64.108 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.64.108 + } + } + rule 2206 { + action accept + description FW0937A_1-TCP-ALLOW-83.135.134.13 + destination { + group { + address-group DT_FW0937A_1 + } + port 22 + } + protocol tcp + source { + address 83.135.134.13 + } + } + rule 2207 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.112.64 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.112.64 + } + } + rule 2208 { + action accept + description FW6CD7E_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6CD7E_2 + } + port 53 + } + protocol tcp_udp + } + rule 2209 { + action accept + description FW1F3D0_6-TCP-ALLOW-194.73.17.47 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 194.73.17.47 + } + } + rule 2210 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.115.33 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.115.33 + } + } + rule 2211 { + action accept + description FWA3EA3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA3EA3_1 + } + port 943 + } + protocol tcp + } + rule 2212 { + action accept + description FW6863A_4-TCP-ALLOW-82.165.100.25 + destination { + group { + address-group DT_FW6863A_4 + } + port 21-10000 + } + protocol tcp + source { + address 82.165.100.25 + } + } + rule 2213 { + action accept + description FWECBFB_14-TCP-ALLOW-109.228.59.50 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 109.228.59.50 + } + } + rule 2214 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.100 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.100 + } + } + rule 2215 { + action accept + description FWD7EAB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD7EAB_1 + } + port 60000-60100 + } + protocol tcp + } + rule 2216 { + action accept + description FWEB321_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEB321_1 + } + port 113,4190 + } + protocol tcp + } + rule 2217 { + action accept + description FW9C682_3-TCP-ALLOW-195.206.180.132 + destination { + group { + address-group DT_FW9C682_3 + } + port 8443,22 + } + protocol tcp + source { + address 195.206.180.132 + } + } + rule 2218 { + action accept + description VPN-8159-ANY-ALLOW-10.4.58.91 + destination { + group { + address-group DT_VPN-8159 + } + } + source { + address 10.4.58.91 + } + } + rule 2219 { + action accept + description VPN-21673-ANY-ALLOW-10.4.88.187 + destination { + group { + address-group DT_VPN-21673 + } + } + source { + address 10.4.88.187 + } + } + rule 2220 { + action accept + description VPN-21673-ANY-ALLOW-10.4.89.187 + destination { + group { + address-group DT_VPN-21673 + } + } + source { + address 10.4.89.187 + } + } + rule 2221 { + action accept + description VPN-21821-ANY-ALLOW-10.4.88.49 + destination { + group { + address-group DT_VPN-21821 + } + } + source { + address 10.4.88.49 + } + } + rule 2222 { + action accept + description VPN-21821-ANY-ALLOW-10.4.89.49 + destination { + group { + address-group DT_VPN-21821 + } + } + source { + address 10.4.89.49 + } + } + rule 2223 { + action accept + description FWECBFB_14-TCP-ALLOW-81.133.80.58 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 81.133.80.58 + } + } + rule 2224 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.238 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.238 + } + } + rule 2225 { + action accept + description FW826BA_3-TCP-ALLOW-185.212.168.51 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 185.212.168.51 + } + } + rule 2226 { + action accept + description FW8B21D_1-ANY-ALLOW-212.187.250.2 + destination { + group { + address-group DT_FW8B21D_1 + } + } + source { + address 212.187.250.2 + } + } + rule 2227 { + action accept + description FW35F7B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW35F7B_1 + } + port 1434 + } + protocol tcp_udp + } + rule 2228 { + action accept + description FWD338A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD338A_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2229 { + action accept + description FW35F7B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW35F7B_1 + } + port 56791 + } + protocol tcp + } + rule 2230 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.77.114 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.77.114 + } + } + rule 2231 { + action accept + description FW90AE3_1-TCP-ALLOW-194.74.137.17 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 194.74.137.17 + } + } + rule 2232 { + action accept + description FW52F6F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW52F6F_1 + } + port 53 + } + protocol tcp_udp + } + rule 2233 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.23.109 + } + } + rule 2234 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.247 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.247 + } + } + rule 2235 { + action accept + description FW4E314_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4E314_1 + } + port 53 + } + protocol tcp_udp + } + rule 2236 { + action accept + description FW73573_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73573_2 + } + port 25 + } + protocol tcp_udp + } + rule 2237 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.93.89 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.93.89 + } + } + rule 2238 { + action accept + description FW856FA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW856FA_1 + } + port 6003 + } + protocol tcp + } + rule 2239 { + action accept + description FWECBFB_14-TCP-ALLOW-81.19.214.155 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 81.19.214.155 + } + } + rule 2240 { + action accept + description FW826BA_3-TCP-ALLOW-51.219.168.170 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 51.219.168.170 + } + } + rule 2241 { + action accept + description FW30D21_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW30D21_1 + } + port 2083-2087,53,2812,2096,25,993,587 + } + protocol tcp_udp + } + rule 2242 { + action accept + description FWA076E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA076E_1 + } + port 2199,2197 + } + protocol tcp + } + rule 2243 { + action accept + description FWA076E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA076E_1 + } + port 8000-8010 + } + protocol tcp_udp + } + rule 2244 { + action accept + description FW8A3FC_3-TCP-ALLOW-82.165.166.41 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 8447,8443,443,80,22 + } + protocol tcp + source { + address 82.165.166.41 + } + } + rule 2245 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.180 + destination { + group { + address-group DT_FW2F868_6 + } + port 22,80 + } + protocol tcp + source { + address 213.171.217.180 + } + } + rule 2246 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2247 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.185 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.185 + } + } + rule 2248 { + action accept + description FW2F868_6-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2F868_6 + } + port 161 + } + protocol udp + } + rule 2249 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FW2F868_6 + } + port 22,24 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2250 { + action accept + description FW9C682_3-TCP-ALLOW-80.194.78.162 + destination { + group { + address-group DT_FW9C682_3 + } + port 8443,22 + } + protocol tcp + source { + address 80.194.78.162 + } + } + rule 2251 { + action accept + description VPN-21822-ANY-ALLOW-10.4.54.47 + destination { + group { + address-group DT_VPN-21822 + } + } + source { + address 10.4.54.47 + } + } + rule 2252 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.75.244 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 77.68.75.244 + } + } + rule 2253 { + action accept + description FW2B279_4-TCP-ALLOW-195.147.173.92 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 195.147.173.92 + } + } + rule 2254 { + action accept + description FW1D511_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1D511_2 + } + port 8090 + } + protocol tcp + } + rule 2255 { + action accept + description FW8A3FC_3-TCP-ALLOW-85.17.25.47 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 85.17.25.47 + } + } + rule 2256 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.89.209 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.89.209 + } + } + rule 2257 { + action accept + description FWE2AB5_8-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWE2AB5_8 + } + port 7000 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2258 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.94.177 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.94.177 + } + } + rule 2259 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.95.129 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.95.129 + } + } + rule 2260 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.136 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.136 + } + } + rule 2261 { + action accept + description FW1FA9E_1-TCP-ALLOW-78.88.254.99 + destination { + group { + address-group DT_FW1FA9E_1 + } + port 9000,8200,5601,4444 + } + protocol tcp + source { + address 78.88.254.99 + } + } + rule 2262 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.27 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.46.27 + } + } + rule 2263 { + action accept + description FWA7A50_1-TCP-ALLOW-81.110.192.198 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp + source { + address 81.110.192.198 + } + } + rule 2264 { + action accept + description VPN-21822-ANY-ALLOW-10.4.55.47 + destination { + group { + address-group DT_VPN-21822 + } + } + source { + address 10.4.55.47 + } + } + rule 2265 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.31.195 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.31.195 + } + } + rule 2266 { + action accept + description FW45BEB_1-TCP-ALLOW-62.3.71.238 + destination { + group { + address-group DT_FW45BEB_1 + } + port 3389 + } + protocol tcp + source { + address 62.3.71.238 + } + } + rule 2267 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.113 + } + } + rule 2268 { + action accept + description VPN-23946-ANY-ALLOW-10.4.58.13 + destination { + group { + address-group DT_VPN-23946 + } + } + source { + address 10.4.58.13 + } + } + rule 2269 { + action accept + description FW98818_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW98818_1 + } + port 27015 + } + protocol tcp + } + rule 2270 { + action accept + description VPN-23946-ANY-ALLOW-10.4.59.13 + destination { + group { + address-group DT_VPN-23946 + } + } + source { + address 10.4.59.13 + } + } + rule 2271 { + action accept + description VPN-28031-ANY-ALLOW-10.4.88.197 + destination { + group { + address-group DT_VPN-28031 + } + } + source { + address 10.4.88.197 + } + } + rule 2272 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.231 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.231 + } + } + rule 2273 { + action accept + description FW5A5D7_3-TCP_UDP-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 500 + } + protocol tcp_udp + source { + address 51.219.222.28 + } + } + rule 2274 { + action accept + description FW32EFF_25-TCP-ALLOW-185.106.220.231 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 185.106.220.231 + } + } + rule 2275 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.66 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.66 + } + } + rule 2276 { + action accept + description FW934AE_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 1194 + } + protocol udp + } + rule 2277 { + action accept + description VPN-28031-ANY-ALLOW-10.4.89.197 + destination { + group { + address-group DT_VPN-28031 + } + } + source { + address 10.4.89.197 + } + } + rule 2278 { + action accept + description FW6863A_4-TCP_UDP-ALLOW-82.165.166.41 + destination { + group { + address-group DT_FW6863A_4 + } + port 21-10000 + } + protocol tcp_udp + source { + address 82.165.166.41 + } + } + rule 2279 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.119.162 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.119.162 + } + } + rule 2280 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.74.199.143 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.74.199.143 + } + } + rule 2281 { + action accept + description FW1F3D0_6-TCP-ALLOW-185.92.25.48 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 185.92.25.48 + } + } + rule 2282 { + action accept + description FW1F3D0_6-TCP-ALLOW-207.148.2.40 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 207.148.2.40 + } + } + rule 2283 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.235.62 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.235.62 + } + } + rule 2284 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.236.93 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.236.93 + } + } + rule 2285 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.59.5 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.59.5 + } + } + rule 2286 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.15.134 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.15.134 + } + } + rule 2287 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.22.208 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.22.208 + } + } + rule 2288 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.108 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.23.108 + } + } + rule 2289 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.54 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.23.54 + } + } + rule 2290 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.30.45 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.30.45 + } + } + rule 2291 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.7.198 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.7.198 + } + } + rule 2292 { + action accept + description VPN-29631-ANY-ALLOW-10.4.54.76 + destination { + group { + address-group DT_VPN-29631 + } + } + source { + address 10.4.54.76 + } + } + rule 2293 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.89.200 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.89.200 + } + } + rule 2294 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.91.50 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.91.50 + } + } + rule 2295 { + action accept + description FW1F3D0_6-TCP-ALLOW-82.165.206.230 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 82.165.206.230 + } + } + rule 2296 { + action accept + description FW1F3D0_6-TCP-ALLOW-82.165.207.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 82.165.207.109 + } + } + rule 2297 { + action accept + description FW1F3D0_6-TCP-ALLOW-94.196.156.5 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 94.196.156.5 + } + } + rule 2298 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.15.134 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.15.134 + } + } + rule 2299 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.22.208 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.22.208 + } + } + rule 2300 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.23.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.23.109 + } + } + rule 2301 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.89.200 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.89.200 + } + } + rule 2302 { + action accept + description FW05339_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW05339_1 + } + port 8085,5055,5013,5005,444 + } + protocol tcp + } + rule 2303 { + action accept + description FW32EFF_25-TCP-ALLOW-217.169.61.164 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 217.169.61.164 + } + } + rule 2304 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.65.45 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.65.45 + } + } + rule 2305 { + action accept + description VPN-13983-ANY-ALLOW-10.4.58.176 + destination { + group { + address-group DT_VPN-13983 + } + } + source { + address 10.4.58.176 + } + } + rule 2306 { + action accept + description FWDAF47_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWDAF47_1 + } + port 8090,7080,443,53 + } + protocol tcp_udp + } + rule 2307 { + action accept + description VPN-29631-ANY-ALLOW-10.4.55.77 + destination { + group { + address-group DT_VPN-29631 + } + } + source { + address 10.4.55.77 + } + } + rule 2308 { + action accept + description VPN-34309-ANY-ALLOW-10.4.58.142 + destination { + group { + address-group DT_VPN-34309 + } + } + source { + address 10.4.58.142 + } + } + rule 2309 { + action accept + description FW27949_2-TCP-ALLOW-138.124.142.180 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 138.124.142.180 + } + } + rule 2310 { + action accept + description FWF8F85_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF8F85_1 + } + port 3306 + } + protocol tcp_udp + } + rule 2311 { + action accept + description FWDAF47_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDAF47_1 + } + port 40110-40210 + } + protocol tcp + } + rule 2312 { + action accept + description VPN-34309-ANY-ALLOW-10.4.59.142 + destination { + group { + address-group DT_VPN-34309 + } + } + source { + address 10.4.59.142 + } + } + rule 2313 { + action accept + description FWA0531_1-TCP-ALLOW-87.224.39.220 + destination { + group { + address-group DT_FWA0531_1 + } + port 22 + } + protocol tcp + source { + address 87.224.39.220 + } + } + rule 2314 { + action accept + description FW5A5D7_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5A5D7_3 + } + port 1334 + } + protocol tcp + } + rule 2315 { + action accept + description FW8C927_1-TCP_UDP-ALLOW-84.92.125.78 + destination { + group { + address-group DT_FW8C927_1 + } + port 3306,22 + } + protocol tcp_udp + source { + address 84.92.125.78 + } + } + rule 2316 { + action accept + description FW8C927_1-TCP_UDP-ALLOW-88.208.238.152 + destination { + group { + address-group DT_FW8C927_1 + } + port 3306,22 + } + protocol tcp_udp + source { + address 88.208.238.152 + } + } + rule 2317 { + action accept + description FW81138_1-ICMP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 82.165.232.19 + } + } + rule 2318 { + action accept + description FW28892_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW28892_1 + } + port 7000 + } + protocol tcp + } + rule 2319 { + action accept + description FWC96A1_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC96A1_1 + } + port 222 + } + protocol tcp + } + rule 2320 { + action accept + description VPN-13983-ANY-ALLOW-10.4.59.176 + destination { + group { + address-group DT_VPN-13983 + } + } + source { + address 10.4.59.176 + } + } + rule 2321 { + action accept + description FW2FB61_1-TCP-ALLOW-5.183.104.15 + destination { + group { + address-group DT_FW2FB61_1 + } + port 22 + } + protocol tcp + source { + address 5.183.104.15 + } + } + rule 2322 { + action accept + description FW81138_1-ICMP-ALLOW-82.20.69.137 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 82.20.69.137 + } + } + rule 2323 { + action accept + description FW72F37_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW72F37_1 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2324 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-81.111.155.34 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 81.111.155.34 + } + } + rule 2325 { + action accept + description VPN-20306-ANY-ALLOW-10.4.88.173 + destination { + group { + address-group DT_VPN-20306 + } + } + source { + address 10.4.88.173 + } + } + rule 2326 { + action accept + description FW6C992_1-TCP-ALLOW-89.33.185.0_24 + destination { + group { + address-group DT_FW6C992_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 89.33.185.0/24 + } + } + rule 2327 { + action accept + description FW2FB61_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2FB61_1 + } + port 45000 + } + protocol tcp + } + rule 2328 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.202 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.46.202 + } + } + rule 2329 { + action accept + description FWF9C28_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF9C28_2 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2330 { + action accept + description FW3DBF8_9-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 8088,8080,5090,5060,3478,1935 + } + protocol tcp_udp + } + rule 2331 { + action accept + description FW3DBF8_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 5062,5061,5015,5001 + } + protocol tcp + } + rule 2332 { + action accept + description VPN-16402-ANY-ALLOW-10.4.88.60 + destination { + group { + address-group DT_VPN-16402 + } + } + source { + address 10.4.88.60 + } + } + rule 2333 { + action accept + description FWC1315_1-TCP-ALLOW-62.3.71.238 + destination { + group { + address-group DT_FWC1315_1 + } + port 3389 + } + protocol tcp + source { + address 62.3.71.238 + } + } + rule 2334 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7A50_1 + } + port 8001,80 + } + protocol tcp_udp + } + rule 2335 { + action accept + description FWAFF0A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAFF0A_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2336 { + action accept + description FW2B279_4-TCP-ALLOW-195.20.253.19 + destination { + group { + address-group DT_FW2B279_4 + } + port 22 + } + protocol tcp + source { + address 195.20.253.19 + } + } + rule 2337 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.73 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.73 + } + } + rule 2338 { + action accept + description VPN-16402-ANY-ALLOW-10.4.89.60 + destination { + group { + address-group DT_VPN-16402 + } + } + source { + address 10.4.89.60 + } + } + rule 2339 { + action accept + description VPN-15951-ANY-ALLOW-10.4.86.90 + destination { + group { + address-group DT_VPN-15951 + } + } + source { + address 10.4.86.90 + } + } + rule 2340 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.77.181 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.77.181 + } + } + rule 2341 { + action accept + description FWE9F7D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE9F7D_1 + } + port 4035 + } + protocol tcp + } + rule 2342 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.131 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.131 + } + } + rule 2343 { + action accept + description VPN-15951-ANY-ALLOW-10.4.87.90 + destination { + group { + address-group DT_VPN-15951 + } + } + source { + address 10.4.87.90 + } + } + rule 2344 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.93.190 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.93.190 + } + } + rule 2345 { + action accept + description VPN-8159-ANY-ALLOW-10.4.59.91 + destination { + group { + address-group DT_VPN-8159 + } + } + source { + address 10.4.59.91 + } + } + rule 2346 { + action accept + description VPN-12870-ANY-ALLOW-10.4.54.67 + destination { + group { + address-group DT_VPN-12870 + } + } + source { + address 10.4.54.67 + } + } + rule 2347 { + action accept + description FW930F3_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW930F3_1 + } + port 53 + } + protocol tcp_udp + } + rule 2348 { + action accept + description FW12C32_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW12C32_1 + } + port 465,53,25 + } + protocol tcp_udp + } + rule 2349 { + action accept + description FW28EC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW28EC8_1 + } + port 20443 + } + protocol tcp + } + rule 2350 { + action accept + description VPN-12870-ANY-ALLOW-10.4.55.68 + destination { + group { + address-group DT_VPN-12870 + } + } + source { + address 10.4.55.68 + } + } + rule 2351 { + action accept + description FW934AE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 32401,32400,8081 + } + protocol tcp_udp + } + rule 2352 { + action accept + description FW6863A_4-TCP-ALLOW-185.173.161.154 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 185.173.161.154 + } + } + rule 2353 { + action accept + description FW013EF_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW013EF_2 + } + port 10600-10998,9000-9398,5090,5060-5070 + } + protocol udp + } + rule 2354 { + action accept + description FW85040_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85040_1 + } + port 3210 + } + protocol tcp_udp + } + rule 2355 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-131.153.100.98 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 131.153.100.98 + } + } + rule 2356 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-213.133.99.176 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 213.133.99.176 + } + } + rule 2357 { + action accept + description FW6EFD7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6EFD7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2358 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-62.253.153.163 + destination { + group { + address-group DT_FW8B21D_1 + } + port 8443,22 + } + protocol tcp_udp + source { + address 62.253.153.163 + } + } + rule 2359 { + action accept + description FWCB0CF_7-TCP-ALLOW-212.159.153.201 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 6443,5432-5434,5000-5100,3306-3308,990,989,22,21 + } + protocol tcp + source { + address 212.159.153.201 + } + } + rule 2360 { + action accept + description FW75CA4_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW75CA4_6 + } + port 51472,3747,3420 + } + protocol tcp + } + rule 2361 { + action accept + description FWF9C28_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF9C28_4 + } + port 23,7770-7800,44445,6109 + } + protocol tcp + } + rule 2362 { + action accept + description FW6B39D_1-TCP-ALLOW-120.72.95.88_29 + destination { + group { + address-group DT_FW6B39D_1 + } + port 3306 + } + protocol tcp + source { + address 120.72.95.88/29 + } + } + rule 2363 { + action accept + description FW934AE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 20000 + } + protocol tcp + } + rule 2364 { + action accept + description FW12C32_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW12C32_1 + } + port 2323,953 + } + protocol tcp + } + rule 2365 { + action accept + description FW49897_1-TCP-ALLOW-2.121.90.207 + destination { + group { + address-group DT_FW49897_1 + } + port 22 + } + protocol tcp + source { + address 2.121.90.207 + } + } + rule 2366 { + action accept + description FW6B39D_1-TCP-ALLOW-120.72.91.104_29 + destination { + group { + address-group DT_FW6B39D_1 + } + port 3306 + } + protocol tcp + source { + address 120.72.91.104/29 + } + } + rule 2367 { + action accept + description FW4F5EE_10-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4F5EE_10 + } + port 83,86,82 + } + protocol tcp + } + rule 2368 { + action accept + description FWF791C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF791C_1 + } + port 6001 + } + protocol tcp + } + rule 2369 { + action accept + description FWEF92E_5-ESP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 109.228.37.19 + } + } + rule 2370 { + action accept + description FWE57AD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE57AD_1 + } + port 57000-58000 + } + protocol tcp + } + rule 2371 { + action accept + description FWC0CE0_1-TCP-ALLOW-62.232.209.221 + destination { + group { + address-group DT_FWC0CE0_1 + } + port 49152-65535,8447,8443,22,21 + } + protocol tcp + source { + address 62.232.209.221 + } + } + rule 2372 { + action accept + description FW0192C_1-TCP-ALLOW-41.140.242.86 + destination { + group { + address-group DT_FW0192C_1 + } + port 3306,22 + } + protocol tcp + source { + address 41.140.242.86 + } + } + rule 2373 { + action accept + description FWEEC75_1-TCP-ALLOW-54.171.71.110 + destination { + group { + address-group DT_FWEEC75_1 + } + port 21 + } + protocol tcp + source { + address 54.171.71.110 + } + } + rule 2374 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-95.149.182.69 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 95.149.182.69 + } + } + rule 2375 { + action accept + description FW8B21D_1-TCP-ALLOW-185.201.16.0_22 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 185.201.16.0/22 + } + } + rule 2376 { + action accept + description FW8B21D_1-TCP-ALLOW-213.133.99.176 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 213.133.99.176 + } + } + rule 2377 { + action accept + description FW8B21D_1-TCP-ALLOW-95.211.160.147 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 95.211.160.147 + } + } + rule 2378 { + action accept + description FW6863A_4-TCP-ALLOW-212.227.9.72 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 212.227.9.72 + } + } + rule 2379 { + action accept + description FW8B21D_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + } + protocol esp + } + rule 2380 { + action accept + description FW8B21D_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + } + protocol ah + } + rule 2381 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + port 8181,4500,1194,993,941,500,53 + } + protocol tcp_udp + } + rule 2382 { + action accept + description FW6863A_4-TCP-ALLOW-85.17.25.47 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 85.17.25.47 + } + } + rule 2383 { + action accept + description FW6863A_4-TCP-ALLOW-91.232.105.39 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 91.232.105.39 + } + } + rule 2384 { + action accept + description FW6863A_4-TCP-ALLOW-93.190.142.120 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 93.190.142.120 + } + } + rule 2385 { + action accept + description FW6863A_4-TCP-ALLOW-95.168.171.130 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.168.171.130 + } + } + rule 2386 { + action accept + description FW6863A_4-TCP-ALLOW-95.168.171.157 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.168.171.157 + } + } + rule 2387 { + action accept + description FWD4A27_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD4A27_1 + } + port 32400 + } + protocol tcp + } + rule 2388 { + action accept + description FW2ACFF_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2ACFF_1 + } + port 10299,60050-60055 + } + protocol tcp_udp + } + rule 2389 { + action accept + description FWCB0CF_7-TCP-ALLOW-193.248.62.45 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 193.248.62.45 + } + } + rule 2390 { + action accept + description FWCB0CF_7-TCP-ALLOW-78.249.208.17 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 78.249.208.17 + } + } + rule 2391 { + action accept + description FWC8E8E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC8E8E_1 + } + port 6000 + } + protocol tcp_udp + } + rule 2392 { + action accept + description FW30D21_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW30D21_1 + } + port 2476 + } + protocol tcp + } + rule 2393 { + action accept + description FW0192C_1-TCP-ALLOW-41.140.242.94 + destination { + group { + address-group DT_FW0192C_1 + } + port 3306,22 + } + protocol tcp + source { + address 41.140.242.94 + } + } + rule 2394 { + action accept + description FW59F39_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW59F39_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2395 { + action accept + description FWEF92E_7-ESP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + } + protocol esp + source { + address 77.68.77.57 + } + } + rule 2396 { + action accept + description FW826BA_3-TCP-ALLOW-51.219.47.177 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,21 + } + protocol tcp + source { + address 51.219.47.177 + } + } + rule 2397 { + action accept + description FW826BA_3-TCP-ALLOW-86.172.128.50 + destination { + group { + address-group DT_FW826BA_3 + } + port 1433,21 + } + protocol tcp + source { + address 86.172.128.50 + } + } + rule 2398 { + action accept + description FW826BA_3-TCP-ALLOW-88.105.1.20 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 88.105.1.20 + } + } + rule 2399 { + action accept + description FW6863A_4-TCP-ALLOW-95.211.243.198 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.211.243.198 + } + } + rule 2400 { + action accept + description FW25843_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW25843_1 + } + port 9001,7070,5500,5488,5000,4500,4000,3500,3000,1883,1880 + } + protocol tcp + } + rule 2401 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.65.46 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.65.46 + } + } + rule 2402 { + action accept + description FW5858F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5858F_1 + } + port 1883 + } + protocol tcp + } + rule 2403 { + action accept + description FW826BA_3-TCP-ALLOW-95.147.108.173 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 95.147.108.173 + } + } + rule 2404 { + action accept + description FW9C682_3-TCP-ALLOW-52.56.193.88 + destination { + group { + address-group DT_FW9C682_3 + } + port 3306 + } + protocol tcp + source { + address 52.56.193.88 + } + } + rule 2405 { + action accept + description FW0745F_5-TCP-ALLOW-109.228.63.82 + destination { + group { + address-group DT_FW0745F_5 + } + port 5666 + } + protocol tcp + source { + address 109.228.63.82 + } + } + rule 2406 { + action accept + description FWC0CE0_1-TCP-ALLOW-90.255.228.213 + destination { + group { + address-group DT_FWC0CE0_1 + } + port 49152-65535,8443,21 + } + protocol tcp + source { + address 90.255.228.213 + } + } + rule 2407 { + action accept + description FW210E2_8-AH-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + } + protocol ah + } + rule 2408 { + action accept + description FW210E2_8-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + } + protocol esp + } + rule 2409 { + action accept + description FW210E2_8-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + port 41,62000,23,4500,50,9876,3391,88,135 + } + protocol tcp + } + rule 2410 { + action accept + description FW210E2_8-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + port 500 + } + protocol udp + } + rule 2411 { + action accept + description VPN-8625-ANY-ALLOW-10.4.54.103 + destination { + group { + address-group DT_VPN-8625 + } + } + source { + address 10.4.54.103 + } + } + rule 2412 { + action accept + description VPN-8625-ANY-ALLOW-10.4.55.104 + destination { + group { + address-group DT_VPN-8625 + } + } + source { + address 10.4.55.104 + } + } + rule 2413 { + action accept + description FW73A64_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW73A64_1 + } + port 61616,8181,8161,8082,4244,4243,4242,4241 + } + protocol tcp + } + rule 2414 { + action accept + description VPN-19135-ANY-ALLOW-10.4.86.165 + destination { + group { + address-group DT_VPN-19135 + } + } + source { + address 10.4.86.165 + } + } + rule 2415 { + action accept + description FWCB0CF_7-TCP-ALLOW-82.65.107.3 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 82.65.107.3 + } + } + rule 2416 { + action accept + description FWCB0CF_7-TCP-ALLOW-195.2.139.221 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 5432-5434,3306-3308 + } + protocol tcp + source { + address 195.2.139.221 + } + } + rule 2417 { + action accept + description VPN-19135-ANY-ALLOW-10.4.87.165 + destination { + group { + address-group DT_VPN-19135 + } + } + source { + address 10.4.87.165 + } + } + rule 2418 { + action accept + description FW2BB8D_1-TCP-ALLOW-87.75.109.83 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 87.75.109.83 + } + } + rule 2419 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.83 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.83 + } + } + rule 2420 { + action accept + description FW2ED4D_2-TCP-ALLOW-84.92.65.192 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 22 + } + protocol tcp + source { + address 84.92.65.192 + } + } + rule 2421 { + action accept + description FW73A64_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73A64_1 + } + port 9200,5601,4247,4246,4245 + } + protocol tcp_udp + } + rule 2422 { + action accept + description FW4735F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4735F_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2423 { + action accept + description FW2ED4D_2-TCP-ALLOW-109.176.154.238 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 109.176.154.238 + } + } + rule 2424 { + action accept + description FW6863A_4-TCP-ALLOW-95.211.243.206 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.211.243.206 + } + } + rule 2425 { + action accept + description FW89619_1-TCP_UDP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 81.133.80.114 + } + } + rule 2426 { + action accept + description FW89619_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 5090 + } + protocol tcp_udp + } + rule 2427 { + action accept + description FW8A57A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8A57A_1 + } + port 49155,49154,7700,53,43 + } + protocol tcp_udp + } + rule 2428 { + action accept + description FW8C72E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8C72E_1 + } + port 500,4500 + } + protocol udp + } + rule 2429 { + action accept + description FW2ED4D_2-TCP-ALLOW-18.135.66.162 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 18.135.66.162 + } + } + rule 2430 { + action accept + description FW2C5AE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2C5AE_1 + } + port 58080,58008,8545,7175 + } + protocol tcp + } + rule 2431 { + action accept + description FW2ED4D_2-TCP-ALLOW-80.209.144.52 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 80.209.144.52 + } + } + rule 2432 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.153.21.103 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 82.153.21.103 + } + } + rule 2433 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.41 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.41 + } + } + rule 2434 { + action accept + description FW0745F_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0745F_5 + } + port 32770,8001,7801 + } + protocol tcp + } + rule 2435 { + action accept + description FW85E02_11-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 5090,5060 + } + protocol tcp_udp + } + rule 2436 { + action accept + description VPN-21982-ANY-ALLOW-10.4.58.43 + destination { + group { + address-group DT_VPN-21982 + } + } + source { + address 10.4.58.43 + } + } + rule 2437 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.17.52.191 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.17.52.191 + } + } + rule 2438 { + action accept + description FW66347_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW66347_1 + } + port 53 + } + protocol tcp_udp + } + rule 2439 { + action accept + description FW11082_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW11082_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2440 { + action accept + description VPN-21982-ANY-ALLOW-10.4.59.43 + destination { + group { + address-group DT_VPN-21982 + } + } + source { + address 10.4.59.43 + } + } + rule 2441 { + action accept + description FW2BB8D_1-TCP-ALLOW-92.207.193.203 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 92.207.193.203 + } + } + rule 2442 { + action accept + description FWC2D30_1-TCP-ALLOW-77.99.253.161 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22,21 + } + protocol tcp + source { + address 77.99.253.161 + } + } + rule 2443 { + action accept + description FW0E383_9-TCP-ALLOW-77.99.245.103 + destination { + group { + address-group DT_FW0E383_9 + } + port 3389 + } + protocol tcp + source { + address 77.99.245.103 + } + } + rule 2444 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.19.19.52 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 82.19.19.52 + } + } + rule 2445 { + action accept + description FWEF92E_7-AH-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + } + protocol ah + source { + address 77.68.77.57 + } + } + rule 2446 { + action accept + description VPN-16450-ANY-ALLOW-10.4.88.99 + destination { + group { + address-group DT_VPN-16450 + } + } + source { + address 10.4.88.99 + } + } + rule 2447 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.2.186.129 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.2.186.129 + } + } + rule 2448 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.157 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.215.157 + } + } + rule 2449 { + action accept + description FW8EA04_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8EA04_1 + } + port 1194 + } + protocol udp + } + rule 2450 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.21.59.207 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.21.59.207 + } + } + rule 2451 { + action accept + description FWC2D30_1-TCP-ALLOW-82.9.22.158 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 82.9.22.158 + } + } + rule 2452 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF3A1B_1 + } + port 1981,53 + } + protocol tcp_udp + } + rule 2453 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.11.54 + } + } + rule 2454 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.40.177.186 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.40.177.186 + } + } + rule 2455 { + action accept + description FW0C25B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0C25B_1 + } + port 49152-65535,5224 + } + protocol tcp + } + rule 2456 { + action accept + description FW85A7C_1-TCP-ALLOW-82.24.242.137 + destination { + group { + address-group DT_FW85A7C_1 + } + port 22 + } + protocol tcp + source { + address 82.24.242.137 + } + } + rule 2457 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.68.25.66 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.68.25.66 + } + } + rule 2458 { + action accept + description FW826BA_3-TCP-ALLOW-51.89.148.173 + destination { + group { + address-group DT_FW826BA_3 + } + port 1433 + } + protocol tcp + source { + address 51.89.148.173 + } + } + rule 2459 { + action accept + description FWA69A0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA69A0_1 + } + port 48402 + } + protocol udp + } + rule 2460 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.69.79.85 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.69.79.85 + } + } + rule 2461 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.77.149 + } + } + rule 2462 { + action accept + description FWEF92E_6-ESP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + } + protocol esp + source { + address 77.68.77.57 + } + } + rule 2463 { + action accept + description FWEF92E_7-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2464 { + action accept + description FW49C3D_4-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445,443,80 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2465 { + action accept + description FW49C3D_6-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2466 { + action accept + description FW34C91_3-TCP-ALLOW-77.68.121.4 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 77.68.121.4 + } + } + rule 2467 { + action accept + description VPN-16450-ANY-ALLOW-10.4.89.99 + destination { + group { + address-group DT_VPN-16450 + } + } + source { + address 10.4.89.99 + } + } + rule 2468 { + action accept + description FW0BB22_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol ah + } + rule 2469 { + action accept + description FW2ED4D_2-TCP-ALLOW-86.139.57.116 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 86.139.57.116 + } + } + rule 2470 { + action accept + description FW9E550_1-TCP-ALLOW-86.142.67.13 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 86.142.67.13 + } + } + rule 2471 { + action accept + description FW8B21D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + port 2096,2095,2087,2086,2083,2082 + } + protocol tcp + } + rule 2472 { + action accept + description FW050AC_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW050AC_1 + } + port 2087 + } + protocol tcp + } + rule 2473 { + action accept + description FW1FA9E_1-TCP-ALLOW-109.228.50.206 + destination { + group { + address-group DT_FW1FA9E_1 + } + port 5432 + } + protocol tcp + source { + address 109.228.50.206 + } + } + rule 2474 { + action accept + description FW8A3FC_3-TCP-ALLOW-217.23.11.155 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 217.23.11.155 + } + } + rule 2475 { + action accept + description FW2ED4D_2-TCP-ALLOW-88.96.110.198 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 88.96.110.198 + } + } + rule 2476 { + action accept + description FWEAE53_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEAE53_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2477 { + action accept + description VPN-19474-ANY-ALLOW-10.4.88.161 + destination { + group { + address-group DT_VPN-19474 + } + } + source { + address 10.4.88.161 + } + } + rule 2478 { + action accept + description VPN-19474-ANY-ALLOW-10.4.89.161 + destination { + group { + address-group DT_VPN-19474 + } + } + source { + address 10.4.89.161 + } + } + rule 2479 { + action accept + description FW90AE3_1-TCP-ALLOW-68.33.220.233 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 68.33.220.233 + } + } + rule 2480 { + action accept + description FWC2D30_1-TCP-ALLOW-86.10.163.127 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 86.10.163.127 + } + } + rule 2481 { + action accept + description FW2FB61_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2FB61_1 + } + port 60182 + } + protocol udp + } + rule 2482 { + action accept + description FW85A7C_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85A7C_1 + } + port 2457,2456 + } + protocol tcp_udp + } + rule 2483 { + action accept + description FWBED52_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBED52_1 + } + port 1221,9000 + } + protocol tcp + } + rule 2484 { + action accept + description FWA86ED_101-TCP-ALLOW-90.250.2.109 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 90.250.2.109 + } + } + rule 2485 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.49 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.213.49 + } + } + rule 2486 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.77.70 + } + } + rule 2487 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.250 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.250 + } + } + rule 2488 { + action accept + description FW8A3FC_3-TCP-ALLOW-95.168.171.131 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 95.168.171.131 + } + } + rule 2489 { + action accept + description FW2379F_14-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + port 48030,10997,10993,10992,10991,10902,1723,1701 + } + protocol tcp + } + rule 2490 { + action accept + description FW8C927_1-TCP-ALLOW-84.92.125.78 + destination { + group { + address-group DT_FW8C927_1 + } + port 80 + } + protocol tcp + source { + address 84.92.125.78 + } + } + rule 2491 { + action accept + description FWC2D30_1-TCP-ALLOW-86.146.220.229 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 86.146.220.229 + } + } + rule 2492 { + action accept + description FW2B279_4-TCP-ALLOW-2.218.5.59 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 2.218.5.59 + } + } + rule 2493 { + action accept + description VPN-18830-ANY-ALLOW-10.4.86.156 + destination { + group { + address-group DT_VPN-18830 + } + } + source { + address 10.4.86.156 + } + } + rule 2494 { + action accept + description VPN-18830-ANY-ALLOW-10.4.87.156 + destination { + group { + address-group DT_VPN-18830 + } + } + source { + address 10.4.87.156 + } + } + rule 2495 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.92.33 + } + } + rule 2496 { + action accept + description FWA86ED_101-TCP-ALLOW-146.198.100.105 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 146.198.100.105 + } + } + rule 2497 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.55 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.211.55 + } + } + rule 2498 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.84.113 + } + } + rule 2499 { + action accept + description FW8C72E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8C72E_1 + } + port 60134,60135 + } + protocol tcp + } + rule 2500 { + action accept + description FWAB44B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAB44B_1 + } + port 3306 + } + protocol tcp_udp + } + rule 2501 { + action accept + description FW2379F_14-TCP-ALLOW-51.148.87.29 + destination { + group { + address-group DT_FW2379F_14 + } + port 3389,21 + } + protocol tcp + source { + address 51.148.87.29 + } + } + rule 2502 { + action accept + description VPN-23738-ANY-ALLOW-10.4.56.13 + destination { + group { + address-group DT_VPN-23738 + } + } + source { + address 10.4.56.13 + } + } + rule 2503 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.100 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.100 + } + } + rule 2504 { + action accept + description FW996B4_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW996B4_2 + } + port 43595,30160 + } + protocol tcp + } + rule 2505 { + action accept + description FW8871B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8871B_1 + } + port 15672,8083,8082,8081,5672 + } + protocol tcp + } + rule 2506 { + action accept + description FWAB44B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAB44B_1 + } + port 9090,8069,5432 + } + protocol tcp + } + rule 2507 { + action accept + description FW6187E_1-ICMP-ALLOW-85.214.201.250 + destination { + group { + address-group DT_FW6187E_1 + } + } + protocol icmp + source { + address 85.214.201.250 + } + } + rule 2508 { + action accept + description FW8A3FC_3-TCP-ALLOW-217.23.11.126 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 217.23.11.126 + } + } + rule 2509 { + action accept + description FW78137_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW78137_1 + } + port 1-65535 + } + protocol tcp + } + rule 2510 { + action accept + description FW32EFF_25-TCP-ALLOW-46.252.65.10 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 46.252.65.10 + } + } + rule 2511 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.50 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.50 + } + } + rule 2512 { + action accept + description FW6A684_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6A684_1 + } + port 53 + } + protocol tcp_udp + } + rule 2513 { + action accept + description FWF48EB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF48EB_1 + } + port 9204,9202,3395 + } + protocol tcp + } + rule 2514 { + action accept + description FW44217_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 443,80 + } + protocol tcp_udp + } + rule 2515 { + action accept + description FW6187E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6187E_1 + } + port 2282 + } + protocol tcp + } + rule 2516 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.58 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.58 + } + } + rule 2517 { + action accept + description VPN-34501-ANY-ALLOW-10.4.86.235 + destination { + group { + address-group DT_VPN-34501 + } + } + source { + address 10.4.86.235 + } + } + rule 2518 { + action accept + description FW1271A_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1271A_2 + } + port 5090,5061,5060,5015,5001 + } + protocol tcp + } + rule 2519 { + action accept + description FW1271A_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1271A_2 + } + port 9000-10999,5090,5060 + } + protocol udp + } + rule 2520 { + action accept + description FW1226C_3-TCP-ALLOW-216.113.160.71 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 216.113.160.71 + } + } + rule 2521 { + action accept + description FW32EFF_16-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_16 + } + port 33888 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 2522 { + action accept + description FW03F2E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW03F2E_1 + } + port 1194 + } + protocol udp + } + rule 2523 { + action accept + description FW03F2E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW03F2E_1 + } + port 4432,4431,4430 + } + protocol tcp + } + rule 2524 { + action accept + description FW1226C_3-TCP-ALLOW-216.113.162.65 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 216.113.162.65 + } + } + rule 2525 { + action accept + description VPN-20306-ANY-ALLOW-10.4.89.173 + destination { + group { + address-group DT_VPN-20306 + } + } + source { + address 10.4.89.173 + } + } + rule 2526 { + action accept + description FW8A49A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8A49A_1 + } + port 2525,8448-65535 + } + protocol tcp + } + rule 2527 { + action accept + description FWD3431_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD3431_2 + } + port 43595,30377,30289 + } + protocol tcp + } + rule 2528 { + action accept + description FW1226C_3-TCP-ALLOW-66.135.200.200 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 66.135.200.200 + } + } + rule 2529 { + action accept + description FW1226C_3-TCP-ALLOW-193.28.178.38 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 193.28.178.38 + } + } + rule 2530 { + action accept + description FWAE88B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAE88B_1 + } + port 65432,8080,7300,1195,1194,993,587,465,443,442,143,110,80,53,22 + } + protocol tcp_udp + } + rule 2531 { + action accept + description FW1226C_3-TCP-ALLOW-195.234.136.80 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 195.234.136.80 + } + } + rule 2532 { + action accept + description FW1226C_3-TCP-ALLOW-93.94.41.83 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 93.94.41.83 + } + } + rule 2533 { + action accept + description VPN-6103-ANY-ALLOW-10.4.56.102 + destination { + group { + address-group DT_VPN-6103 + } + } + source { + address 10.4.56.102 + } + } + rule 2534 { + action accept + description VPN-6103-ANY-ALLOW-10.4.57.102 + destination { + group { + address-group DT_VPN-6103 + } + } + source { + address 10.4.57.102 + } + } + rule 2535 { + action accept + description FW9E550_1-TCP-ALLOW-86.198.190.104 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 86.198.190.104 + } + } + rule 2536 { + action accept + description FW34C91_3-TCP-ALLOW-81.149.71.244 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 81.149.71.244 + } + } + rule 2537 { + action accept + description FW0BB22_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + port 27917,27017,9592,9092,1080,587 + } + protocol tcp_udp + } + rule 2538 { + action accept + description FWC2D30_1-TCP-ALLOW-89.213.26.156 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 89.213.26.156 + } + } + rule 2539 { + action accept + description FW34C91_3-UDP-ALLOW-81.149.71.244 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 81.149.71.244 + } + } + rule 2540 { + action accept + description VPN-17207-ANY-ALLOW-10.4.86.121 + destination { + group { + address-group DT_VPN-17207 + } + } + source { + address 10.4.86.121 + } + } + rule 2541 { + action accept + description FW0B352_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0B352_1 + } + port 4500,500 + } + protocol udp + } + rule 2542 { + action accept + description FW85E02_11-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 5854,5853,5061 + } + protocol tcp + } + rule 2543 { + action accept + description FW0BB22_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + port 9200,8082 + } + protocol tcp + } + rule 2544 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.140 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.140 + } + } + rule 2545 { + action accept + description FWC2D30_1-TCP-ALLOW-91.125.244.28 + destination { + group { + address-group DT_FWC2D30_1 + } + port 21 + } + protocol tcp + source { + address 91.125.244.28 + } + } + rule 2546 { + action accept + description FWA86ED_101-TCP-ALLOW-86.172.252.221 + destination { + group { + address-group DT_FWA86ED_101 + } + port 80-3389 + } + protocol tcp + source { + address 86.172.252.221 + } + } + rule 2547 { + action accept + description FWC2D30_1-TCP-ALLOW-92.207.184.106 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 92.207.184.106 + } + } + rule 2548 { + action accept + description FW45F3D_1-ANY-ALLOW-146.255.0.198 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 146.255.0.198 + } + } + rule 2549 { + action accept + description FWBFDED_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBFDED_1 + } + port 1723,445 + } + protocol tcp + } + rule 2550 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.227.9.72 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.227.9.72 + } + } + rule 2551 { + action accept + description FWE928F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE928F_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2552 { + action accept + description FW5CBB2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5CBB2_1 + } + port 2082,2083,2086,2087 + } + protocol tcp + } + rule 2553 { + action accept + description FW63230_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW63230_1 + } + port 445,139 + } + protocol tcp_udp + } + rule 2554 { + action accept + description FW90AE3_1-TCP-ALLOW-71.244.176.5 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 71.244.176.5 + } + } + rule 2555 { + action accept + description FWA4BC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA4BC8_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2556 { + action accept + description VPN-17207-ANY-ALLOW-10.4.87.121 + destination { + group { + address-group DT_VPN-17207 + } + } + source { + address 10.4.87.121 + } + } + rule 2557 { + action accept + description VPN-17558-ANY-ALLOW-10.4.86.143 + destination { + group { + address-group DT_VPN-17558 + } + } + source { + address 10.4.86.143 + } + } + rule 2558 { + action accept + description FWB2CD2_1-TCP-ALLOW-86.167.68.241 + destination { + group { + address-group DT_FWB2CD2_1 + } + port 21 + } + protocol tcp + source { + address 86.167.68.241 + } + } + rule 2559 { + action accept + description FW32EFF_25-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_25 + } + port 33888,443 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 2560 { + action accept + description FW44217_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 9001,7946,2376 + } + protocol tcp + } + rule 2561 { + action accept + description FW7DAE2_3-TCP-ALLOW-212.227.253.11 + destination { + group { + address-group DT_FW7DAE2_3 + } + port 25,22 + } + protocol tcp + source { + address 212.227.253.11 + } + } + rule 2562 { + action accept + description FW7DAE2_3-TCP-ALLOW-217.160.126.118 + destination { + group { + address-group DT_FW7DAE2_3 + } + port 25,22 + } + protocol tcp + source { + address 217.160.126.118 + } + } + rule 2563 { + action accept + description FWAF6E8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAF6E8_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2564 { + action accept + description FWCD7CE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCD7CE_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2565 { + action accept + description FW32EFF_16-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW32EFF_16 + } + port 47779,47778,47777,47776 + } + protocol tcp + } + rule 2566 { + action accept + description FW0745F_5-TCP-ALLOW-77.68.117.222 + destination { + group { + address-group DT_FW0745F_5 + } + port 49170 + } + protocol tcp + source { + address 77.68.117.222 + } + } + rule 2567 { + action accept + description FWC2D30_1-TCP-ALLOW-92.207.199.107 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22,21 + } + protocol tcp + source { + address 92.207.199.107 + } + } + rule 2568 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.89 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.89 + } + } + rule 2569 { + action accept + description FW8A3FC_3-TCP-ALLOW-190.2.130.41 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 190.2.130.41 + } + } + rule 2570 { + action accept + description FWFDCC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFDCC7_1 + } + port 10000 + } + protocol tcp_udp + } + rule 2571 { + action accept + description FWF19FB_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF19FB_2 + } + port 43595,40001,30616-30631,30531,30204-30435 + } + protocol tcp + } + rule 2572 { + action accept + description FW2B279_4-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2573 { + action accept + description FW4E314_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4E314_1 + } + port 21543,888 + } + protocol tcp + } + rule 2574 { + action accept + description FW73215_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73215_1 + } + port 4380 + } + protocol udp + } + rule 2575 { + action accept + description VPN-31301-ANY-ALLOW-10.4.86.223 + destination { + group { + address-group DT_VPN-31301 + } + } + source { + address 10.4.86.223 + } + } + rule 2576 { + action accept + description FW8428B_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8428B_1 + } + port 48402 + } + protocol udp + } + rule 2577 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-185.195.124.169 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 185.195.124.169 + } + } + rule 2578 { + action accept + description FW34C91_3-UDP-ALLOW-77.68.121.4 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 77.68.121.4 + } + } + rule 2579 { + action accept + description FW73215_1-TCP-ALLOW-82.38.58.135 + destination { + group { + address-group DT_FW73215_1 + } + port 10685 + } + protocol tcp + source { + address 82.38.58.135 + } + } + rule 2580 { + action accept + description FW52F6F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW52F6F_1 + } + port 8888 + } + protocol tcp + } + rule 2581 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.86 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.86 + } + } + rule 2582 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.125.13 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.125.13 + } + } + rule 2583 { + action accept + description FWEE03C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEE03C_1 + } + port 2087,2083 + } + protocol tcp + } + rule 2584 { + action accept + description FW748B7_1-TCP-ALLOW-157.231.123.154 + destination { + group { + address-group DT_FW748B7_1 + } + port 22 + } + protocol tcp + source { + address 157.231.123.154 + } + } + rule 2585 { + action accept + description VPN-34501-ANY-ALLOW-10.4.87.235 + destination { + group { + address-group DT_VPN-34501 + } + } + source { + address 10.4.87.235 + } + } + rule 2586 { + action accept + description FWE47DA_1-TCP-ALLOW-81.134.85.245 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 81.134.85.245 + } + } + rule 2587 { + action accept + description FWD61BF_1-ANY-ALLOW-193.237.81.213_32 + destination { + group { + address-group DT_FWD61BF_1 + } + } + source { + address 193.237.81.213/32 + } + } + rule 2588 { + action accept + description FW2B279_4-TCP-ALLOW-23.106.238.241 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 23.106.238.241 + } + } + rule 2589 { + action accept + description FW2B279_4-TCP-ALLOW-35.204.202.196 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 35.204.202.196 + } + } + rule 2590 { + action accept + description FW2B279_4-TCP-ALLOW-35.242.141.128 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 35.242.141.128 + } + } + rule 2591 { + action accept + description FWC2EF2_2-TCP-ALLOW-90.251.221.19 + destination { + group { + address-group DT_FWC2EF2_2 + } + port 995,993,587,465,143,110,25,22 + } + protocol tcp + source { + address 90.251.221.19 + } + } + rule 2592 { + action accept + description VPN-14673-ANY-ALLOW-10.4.88.44 + destination { + group { + address-group DT_VPN-14673 + } + } + source { + address 10.4.88.44 + } + } + rule 2593 { + action accept + description FWA83DF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA83DF_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2594 { + action accept + description FW31525_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW31525_6 + } + port 35467 + } + protocol tcp + } + rule 2595 { + action accept + description FW4293B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4293B_1 + } + port 9080,8888,8881,7815,8419 + } + protocol tcp + } + rule 2596 { + action accept + description FW4AE7D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4AE7D_1 + } + port 8083,81 + } + protocol tcp + } + rule 2597 { + action accept + description FWC2D30_1-TCP-ALLOW-143.52.53.22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 22 + } + protocol tcp + source { + address 143.52.53.22 + } + } + rule 2598 { + action accept + description FW44217_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 7946,4789 + } + protocol udp + } + rule 2599 { + action accept + description FW2B279_4-TCP-ALLOW-46.249.82.162 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 46.249.82.162 + } + } + rule 2600 { + action accept + description FW27949_2-TCP-ALLOW-80.95.202.106 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 80.95.202.106 + } + } + rule 2601 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.93.82 + } + } + rule 2602 { + action accept + description FW2ACFF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2ACFF_1 + } + port 8082,5093 + } + protocol tcp + } + rule 2603 { + action accept + description FWC2EF2_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC2EF2_2 + } + port 10000,953,53 + } + protocol tcp_udp + } + rule 2604 { + action accept + description FW0C8E1_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0C8E1_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2605 { + action accept + description FWA86ED_101-TCP_UDP-ALLOW-82.5.189.5 + destination { + group { + address-group DT_FWA86ED_101 + } + port 1-65535 + } + protocol tcp_udp + source { + address 82.5.189.5 + } + } + rule 2606 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.179 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.179 + } + } + rule 2607 { + action accept + description FWEF92E_5-ESP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 88.208.198.93 + } + } + rule 2608 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.43.109 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.43.109 + } + } + rule 2609 { + action accept + description FW5658C_1-TCP-ALLOW-5.67.3.195 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 5.67.3.195 + } + } + rule 2610 { + action accept + description FWDCA36_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDCA36_3 + } + port 49152-65534,5901 + } + protocol tcp + } + rule 2611 { + action accept + description FWE928F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE928F_1 + } + port 53 + } + protocol tcp_udp + } + rule 2612 { + action accept + description FW69D6D_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW69D6D_2 + } + port 5001,5090,5060,5015 + } + protocol tcp + } + rule 2613 { + action accept + description FW69D6D_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW69D6D_2 + } + port 5090,5060,9000-9500 + } + protocol udp + } + rule 2614 { + action accept + description VPN-9765-ANY-ALLOW-10.4.56.45 + destination { + group { + address-group DT_VPN-9765 + } + } + source { + address 10.4.56.45 + } + } + rule 2615 { + action accept + description VPN-9765-ANY-ALLOW-10.4.57.45 + destination { + group { + address-group DT_VPN-9765 + } + } + source { + address 10.4.57.45 + } + } + rule 2616 { + action accept + description FW4C136_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4C136_1 + } + port 1194 + } + protocol tcp_udp + } + rule 2617 { + action accept + description FW6F539_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6F539_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2618 { + action accept + description FWDD089_5-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWDD089_5 + } + port 5666-5667,12489 + } + protocol tcp_udp + } + rule 2619 { + action accept + description FWDD089_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDD089_5 + } + port 161-162 + } + protocol tcp + } + rule 2620 { + action accept + description FWEF92E_5-AH-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 109.228.37.19 + } + } + rule 2621 { + action accept + description FW0A5C4_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0A5C4_1 + } + port 9000,6697,6667,5000 + } + protocol tcp + } + rule 2622 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.11.54 + } + } + rule 2623 { + action accept + description FW2BB8D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2BB8D_1 + } + port 7990 + } + protocol tcp + } + rule 2624 { + action accept + description FWAF6E8_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAF6E8_1 + } + port 7770-7800,44445,53 + } + protocol tcp_udp + } + rule 2625 { + action accept + description FW81286_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW81286_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2626 { + action accept + description FW05064_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW05064_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2627 { + action accept + description FWD7382_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWD7382_1 + } + port 4500,1701,500 + } + protocol udp + } + rule 2628 { + action accept + description FWD7382_1-TCP-ALLOW-174.91.7.198 + destination { + group { + address-group DT_FWD7382_1 + } + port 3389 + } + protocol tcp + source { + address 174.91.7.198 + } + } + rule 2629 { + action accept + description VPN-9484-ANY-ALLOW-10.4.56.164 + destination { + group { + address-group DT_VPN-9484 + } + } + source { + address 10.4.56.164 + } + } + rule 2630 { + action accept + description VPN-9484-ANY-ALLOW-10.4.57.164 + destination { + group { + address-group DT_VPN-9484 + } + } + source { + address 10.4.57.164 + } + } + rule 2631 { + action accept + description VPN-9749-ANY-ALLOW-10.4.58.144 + destination { + group { + address-group DT_VPN-9749 + } + } + source { + address 10.4.58.144 + } + } + rule 2632 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.77.149 + } + } + rule 2633 { + action accept + description FW10FEE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW10FEE_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2634 { + action accept + description FW5658C_1-TCP-ALLOW-5.71.30.141 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 5.71.30.141 + } + } + rule 2635 { + action accept + description VPN-9749-ANY-ALLOW-10.4.59.144 + destination { + group { + address-group DT_VPN-9749 + } + } + source { + address 10.4.59.144 + } + } + rule 2636 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.77.70 + } + } + rule 2637 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.92.33 + } + } + rule 2638 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.93.82 + } + } + rule 2639 { + action accept + description FWEF92E_6-AH-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + } + protocol ah + source { + address 77.68.77.57 + } + } + rule 2640 { + action accept + description FWEF92E_6-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2641 { + action accept + description FWEF92E_5-AH-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 88.208.198.93 + } + } + rule 2642 { + action accept + description FWEF92E_7-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2643 { + action accept + description FWEF92E_7-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2644 { + action accept + description FWEF92E_5-TCP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 109.228.37.19 + } + } + rule 2645 { + action accept + description FW49C3D_4-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445,80 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2646 { + action accept + description FW49C3D_4-TCP-ALLOW-82.0.198.226 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445 + } + protocol tcp + source { + address 82.0.198.226 + } + } + rule 2647 { + action accept + description FW49C3D_6-TCP-ALLOW-82.0.198.226 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 82.0.198.226 + } + } + rule 2648 { + action accept + description FW49C3D_6-TCP-ALLOW-83.100.136.74 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 83.100.136.74 + } + } + rule 2649 { + action accept + description FWEF92E_6-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2650 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.189.162 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.189.162 + } + } + rule 2651 { + action accept + description FW3DBF8_9-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 9000-10999 + } + protocol udp + } + rule 2652 { + action accept + description VPN-19807-ANY-ALLOW-10.4.86.172 + destination { + group { + address-group DT_VPN-19807 + } + } + source { + address 10.4.86.172 + } + } + rule 2653 { + action accept + description FWEEC75_1-TCP-ALLOW-82.8.245.40 + destination { + group { + address-group DT_FWEEC75_1 + } + port 21 + } + protocol tcp + source { + address 82.8.245.40 + } + } + rule 2654 { + action accept + description FW3AD6F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3AD6F_1 + } + port 53,465 + } + protocol tcp_udp + } + rule 2655 { + action accept + description FWCDBC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWCDBC7_1 + } + port 53 + } + protocol tcp_udp + } + rule 2656 { + action accept + description FWA373F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA373F_1 + } + port 2087,2086,2083,2082 + } + protocol tcp + } + rule 2657 { + action accept + description FW2B279_4-TCP-ALLOW-94.155.221.50 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 94.155.221.50 + } + } + rule 2658 { + action accept + description FWC2D30_1-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2659 { + action accept + description VPN-30791-ANY-ALLOW-10.4.88.215 + destination { + group { + address-group DT_VPN-30791 + } + } + source { + address 10.4.88.215 + } + } + rule 2660 { + action accept + description VPN-30791-ANY-ALLOW-10.4.89.215 + destination { + group { + address-group DT_VPN-30791 + } + } + source { + address 10.4.89.215 + } + } + rule 2661 { + action accept + description FW2EF2C_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 10000,3478 + } + protocol udp + } + rule 2662 { + action accept + description FW32EFF_49-TCP-ALLOW-195.217.232.0_26 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 195.217.232.0/26 + } + } + rule 2663 { + action accept + description FW4AE7D_1-TCP-ALLOW-81.136.8.24 + destination { + group { + address-group DT_FW4AE7D_1 + } + port 3389 + } + protocol tcp + source { + address 81.136.8.24 + } + } + rule 2664 { + action accept + description FW2EF2C_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 5222 + } + protocol tcp_udp + } + rule 2665 { + action accept + description FW48A55_2-TCP-ALLOW-86.29.225.60 + destination { + group { + address-group DT_FW48A55_2 + } + port 443,80,22 + } + protocol tcp + source { + address 86.29.225.60 + } + } + rule 2666 { + action accept + description FW48A55_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW48A55_2 + } + port 1337 + } + protocol udp + } + rule 2667 { + action accept + description VPN-11913-ANY-ALLOW-10.4.56.191 + destination { + group { + address-group DT_VPN-11913 + } + } + source { + address 10.4.56.191 + } + } + rule 2668 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.189.163 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.189.163 + } + } + rule 2669 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.90 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.90 + } + } + rule 2670 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.24.66 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.24.66 + } + } + rule 2671 { + action accept + description VPN-11913-ANY-ALLOW-10.4.57.191 + destination { + group { + address-group DT_VPN-11913 + } + } + source { + address 10.4.57.191 + } + } + rule 2672 { + action accept + description FW73573_2-TCP-ALLOW-86.9.185.195 + destination { + group { + address-group DT_FW73573_2 + } + port 22 + } + protocol tcp + source { + address 86.9.185.195 + } + } + rule 2673 { + action accept + description VPN-17558-ANY-ALLOW-10.4.87.143 + destination { + group { + address-group DT_VPN-17558 + } + } + source { + address 10.4.87.143 + } + } + rule 2674 { + action accept + description FW748B7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW748B7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2675 { + action accept + description FW16375_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW16375_5 + } + port 2082,2083,2086,2087 + } + protocol tcp + } + rule 2676 { + action accept + description FW5A77C_16-TCP-ALLOW-88.98.204.68 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 88.98.204.68 + } + } + rule 2677 { + action accept + description FW73573_1-TCP-ALLOW-86.9.185.195 + destination { + group { + address-group DT_FW73573_1 + } + port 22 + } + protocol tcp + source { + address 86.9.185.195 + } + } + rule 2678 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.190.4 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.190.4 + } + } + rule 2679 { + action accept + description FWC2D30_1-TCP-ALLOW-140.82.112.0_20 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 140.82.112.0/20 + } + } + rule 2680 { + action accept + description FW62858_12-ICMP-ALLOW-77.68.122.41 + destination { + group { + address-group DT_FW62858_12 + } + } + protocol icmp + source { + address 77.68.122.41 + } + } + rule 2681 { + action accept + description FWB118A_1-TCP-ALLOW-147.148.96.136 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 147.148.96.136 + } + } + rule 2682 { + action accept + description FW5A77C_16-TCP-ALLOW-92.207.237.42 + destination { + group { + address-group DT_FW5A77C_16 + } + port 10000,22 + } + protocol tcp + source { + address 92.207.237.42 + } + } + rule 2683 { + action accept + description FW364CF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW364CF_1 + } + port 4022,8099 + } + protocol tcp + } + rule 2684 { + action accept + description VPN-25822-ANY-ALLOW-10.4.54.42 + destination { + group { + address-group DT_VPN-25822 + } + } + source { + address 10.4.54.42 + } + } + rule 2685 { + action accept + description FW7F28A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7F28A_1 + } + port 10051,10050 + } + protocol tcp + } + rule 2686 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.53.159 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.53.159 + } + } + rule 2687 { + action accept + description FWE47DA_1-TCP-ALLOW-185.22.211.0_24 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 185.22.211.0/24 + } + } + rule 2688 { + action accept + description FWC6301_1-TCP-ALLOW-95.34.208.4 + destination { + group { + address-group DT_FWC6301_1 + } + port 22 + } + protocol tcp + source { + address 95.34.208.4 + } + } + rule 2689 { + action accept + description FW45000_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW45000_1 + } + port 990 + } + protocol tcp + } + rule 2690 { + action accept + description FW481D7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW481D7_1 + } + port 6789 + } + protocol tcp + } + rule 2691 { + action accept + description VPN-8203-ANY-ALLOW-10.4.59.109 + destination { + group { + address-group DT_VPN-8203 + } + } + source { + address 10.4.59.109 + } + } + rule 2692 { + action accept + description VPN-3575-ANY-ALLOW-10.4.54.124 + destination { + group { + address-group DT_VPN-3575 + } + } + source { + address 10.4.54.124 + } + } + rule 2693 { + action accept + description VPN-3575-ANY-ALLOW-10.4.55.125 + destination { + group { + address-group DT_VPN-3575 + } + } + source { + address 10.4.55.125 + } + } + rule 2694 { + action accept + description FW42661_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW42661_3 + } + port 44445,25672,15672,9876,7770-7800 + } + protocol tcp + } + rule 2695 { + action accept + description FWBF494_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBF494_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2696 { + action accept + description FWD0E22_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD0E22_4 + } + port 8000,19005 + } + protocol tcp + } + rule 2697 { + action accept + description FW98818_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW98818_1 + } + port 27015 + } + protocol udp + } + rule 2698 { + action accept + description FW62858_12-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 5001,5000 + } + protocol tcp + } + rule 2699 { + action accept + description VPN-34006-ANY-ALLOW-10.4.86.242 + destination { + group { + address-group DT_VPN-34006 + } + } + source { + address 10.4.86.242 + } + } + rule 2700 { + action accept + description VPN-34006-ANY-ALLOW-10.4.87.242 + destination { + group { + address-group DT_VPN-34006 + } + } + source { + address 10.4.87.242 + } + } + rule 2701 { + action accept + description FWF879C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF879C_1 + } + port 8888 + } + protocol tcp + } + rule 2702 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.11.54 + } + } + rule 2703 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.74.89 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.74.89 + } + } + rule 2704 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.77.149 + } + } + rule 2705 { + action accept + description FW8A57A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8A57A_1 + } + port 49153,5666 + } + protocol tcp + } + rule 2706 { + action accept + description FW62858_12-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 5090,5061,5060 + } + protocol tcp_udp + } + rule 2707 { + action accept + description FW62858_12-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 9000-10999 + } + protocol udp + } + rule 2708 { + action accept + description FW0E2EE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0E2EE_1 + } + port 1024-65535 + } + protocol tcp_udp + } + rule 2709 { + action accept + description FWEEC75_1-TCP-ALLOW-82.5.80.210 + destination { + group { + address-group DT_FWEEC75_1 + } + port 22 + } + protocol tcp + source { + address 82.5.80.210 + } + } + rule 2710 { + action accept + description FW4F81F_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4F81F_4 + } + port 26900,27005,27015,51000,51005,51030 + } + protocol tcp_udp + } + rule 2711 { + action accept + description VPN-7902-ANY-ALLOW-10.4.56.78 + destination { + group { + address-group DT_VPN-7902 + } + } + source { + address 10.4.56.78 + } + } + rule 2712 { + action accept + description VPN-7902-ANY-ALLOW-10.4.57.78 + destination { + group { + address-group DT_VPN-7902 + } + } + source { + address 10.4.57.78 + } + } + rule 2713 { + action accept + description FWB36A0_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB36A0_1 + } + port 20-21,990 + } + protocol tcp_udp + } + rule 2714 { + action accept + description FWD2082_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD2082_1 + } + port 8001,8002 + } + protocol tcp + } + rule 2715 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.8.242.171 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.8.242.171 + } + } + rule 2716 { + action accept + description FWB9699_11-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWB9699_11 + } + port 443,80,8800,22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2717 { + action accept + description VPN-11083-ANY-ALLOW-10.4.54.186 + destination { + group { + address-group DT_VPN-11083 + } + } + source { + address 10.4.54.186 + } + } + rule 2718 { + action accept + description VPN-11083-ANY-ALLOW-10.4.55.187 + destination { + group { + address-group DT_VPN-11083 + } + } + source { + address 10.4.55.187 + } + } + rule 2719 { + action accept + description VPN-34583-ANY-ALLOW-10.4.86.243 + destination { + group { + address-group DT_VPN-34583 + } + } + source { + address 10.4.86.243 + } + } + rule 2720 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.155 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.84.155 + } + } + rule 2721 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.117 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.117 + } + } + rule 2722 { + action accept + description FW7A9B0_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7A9B0_9 + } + port 11112 + } + protocol tcp + } + rule 2723 { + action accept + description FW3F465_1-TCP-ALLOW-77.68.127.177 + destination { + group { + address-group DT_FW3F465_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.127.177 + } + } + rule 2724 { + action accept + description VPN-34583-ANY-ALLOW-10.4.87.243 + destination { + group { + address-group DT_VPN-34583 + } + } + source { + address 10.4.87.243 + } + } + rule 2725 { + action accept + description FW930F3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW930F3_1 + } + port 9089,5900,5666,5272 + } + protocol tcp + } + rule 2726 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.165 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.165 + } + } + rule 2727 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.140 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.140 + } + } + rule 2728 { + action accept + description FW90AE3_1-TCP-ALLOW-82.11.114.136 + destination { + group { + address-group DT_FW90AE3_1 + } + port 3306,22 + } + protocol tcp + source { + address 82.11.114.136 + } + } + rule 2729 { + action accept + description FW73215_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73215_1 + } + port 27015 + } + protocol tcp_udp + } + rule 2730 { + action accept + description FWC2EF2_1-TCP-ALLOW-18.130.156.250 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 22 + } + protocol tcp + source { + address 18.130.156.250 + } + } + rule 2731 { + action accept + description FWC2EF2_1-TCP-ALLOW-90.251.221.19 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 22 + } + protocol tcp + source { + address 90.251.221.19 + } + } + rule 2732 { + action accept + description FW90AE3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW90AE3_1 + } + port 8765,8001,8000 + } + protocol tcp + } + rule 2733 { + action accept + description FWC2EF2_1-TCP-ALLOW-87.74.110.191 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 8443 + } + protocol tcp + source { + address 87.74.110.191 + } + } + rule 2734 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.77.70 + } + } + rule 2735 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.93 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.93 + } + } + rule 2736 { + action accept + description FW81138_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW81138_1 + } + port 123 + } + protocol udp + } + rule 2737 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.64 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.64 + } + } + rule 2738 { + action accept + description FW03B35_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + port 1-65535 + } + protocol tcp_udp + } + rule 2739 { + action accept + description VPN-19807-ANY-ALLOW-10.4.87.172 + destination { + group { + address-group DT_VPN-19807 + } + } + source { + address 10.4.87.172 + } + } + rule 2740 { + action accept + description FW5658C_1-TCP-ALLOW-94.12.73.154 + destination { + group { + address-group DT_FW5658C_1 + } + port 8447 + } + protocol tcp + source { + address 94.12.73.154 + } + } + rule 2741 { + action accept + description FW5658C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5658C_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2742 { + action accept + description FW0B352_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0B352_1 + } + port 3443 + } + protocol tcp_udp + } + rule 2743 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2744 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.92.33 + } + } + rule 2745 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.93.82 + } + } + rule 2746 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.44 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.44 + } + } + rule 2747 { + action accept + description FW34C91_3-TCP-ALLOW-188.220.176.104 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 188.220.176.104 + } + } + rule 2748 { + action accept + description FW3F465_1-TCP-ALLOW-77.68.16.101 + destination { + group { + address-group DT_FW3F465_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.16.101 + } + } + rule 2749 { + action accept + description FWEF92E_5-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2750 { + action accept + description FW34C91_3-UDP-ALLOW-188.220.176.104 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 188.220.176.104 + } + } + rule 2751 { + action accept + description FWE47DA_1-TCP-ALLOW-185.22.208.0_25 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 185.22.208.0/25 + } + } + rule 2752 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.187 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.187 + } + } + rule 2753 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.84 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.84 + } + } + rule 2754 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.52 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 116.206.246.52 + } + } + rule 2755 { + action accept + description FW8AFF1_7-TCP-ALLOW-77.68.92.154 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 77.68.92.154 + } + } + rule 2756 { + action accept + description FW8AFF1_7-TCP-ALLOW-77.68.93.156 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 77.68.93.156 + } + } + rule 2757 { + action accept + description VPN-24398-ANY-ALLOW-10.4.88.151 + destination { + group { + address-group DT_VPN-24398 + } + } + source { + address 10.4.88.151 + } + } + rule 2758 { + action accept + description VPN-24398-ANY-ALLOW-10.4.89.151 + destination { + group { + address-group DT_VPN-24398 + } + } + source { + address 10.4.89.151 + } + } + rule 2759 { + action accept + description VPN-24589-ANY-ALLOW-10.4.56.9 + destination { + group { + address-group DT_VPN-24589 + } + } + source { + address 10.4.56.9 + } + } + rule 2760 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.29 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.29 + } + } + rule 2761 { + action accept + description FWC7D36_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC7D36_1 + } + port 27017,11080 + } + protocol tcp + } + rule 2762 { + action accept + description FWBB718_1-TCP_UDP-ALLOW-77.68.73.116 + destination { + group { + address-group DT_FWBB718_1 + } + port 1433 + } + protocol tcp_udp + source { + address 77.68.73.116 + } + } + rule 2763 { + action accept + description FWBB718_1-UDP-ALLOW-77.68.73.116 + destination { + group { + address-group DT_FWBB718_1 + } + port 1434 + } + protocol udp + source { + address 77.68.73.116 + } + } + rule 2764 { + action accept + description FWB9699_11-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FWB9699_11 + } + port 22,80,443,8800 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2765 { + action accept + description FW18E6E_3-TCP-ALLOW-103.8.164.5 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 103.8.164.5 + } + } + rule 2766 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.193 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.193 + } + } + rule 2768 { + action accept + description FW26F0A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW26F0A_1 + } + port 53 + } + protocol tcp_udp + } + rule 2769 { + action accept + description FWCC18F_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCC18F_2 + } + port 8883,1883 + } + protocol tcp + } + rule 2771 { + action accept + description FW633DD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW633DD_1 + } + port 28967,14002,9984,9983,9982,9981,8888,8884 + } + protocol tcp + } + rule 2772 { + action accept + description FWDEDB9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDEDB9_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2773 { + action accept + description VPN-18646-ANY-ALLOW-10.4.88.109 + destination { + group { + address-group DT_VPN-18646 + } + } + source { + address 10.4.88.109 + } + } + rule 2774 { + action accept + description VPN-18646-ANY-ALLOW-10.4.89.109 + destination { + group { + address-group DT_VPN-18646 + } + } + source { + address 10.4.89.109 + } + } + rule 2775 { + action accept + description FWA0531_1-TCP-ALLOW-87.224.39.221 + destination { + group { + address-group DT_FWA0531_1 + } + port 8082,3003,22 + } + protocol tcp + source { + address 87.224.39.221 + } + } + rule 2776 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.94 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.94 + } + } + rule 2777 { + action accept + description FWA0531_1-TCP-ALLOW-92.237.97.92 + destination { + group { + address-group DT_FWA0531_1 + } + port 8082,3003,22 + } + protocol tcp + source { + address 92.237.97.92 + } + } + rule 2778 { + action accept + description VPN-25822-ANY-ALLOW-10.4.55.42 + destination { + group { + address-group DT_VPN-25822 + } + } + source { + address 10.4.55.42 + } + } + rule 2779 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.88 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.88 + } + } + rule 2780 { + action accept + description FWC2D30_1-TCP-ALLOW-143.55.64.0_20 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 143.55.64.0/20 + } + } + rule 2781 { + action accept + description FW18E6E_3-TCP-ALLOW-194.176.78.206 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 194.176.78.206 + } + } + rule 2782 { + action accept + description FW18E6E_3-TCP-ALLOW-195.243.221.50 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 195.243.221.50 + } + } + rule 2783 { + action accept + description FW18E6E_3-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2784 { + action accept + description FW18E6E_3-TCP-ALLOW-81.150.168.54 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306,22 + } + protocol tcp + source { + address 81.150.168.54 + } + } + rule 2785 { + action accept + description FW18E6E_3-TCP-ALLOW-89.197.133.235 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 89.197.133.235 + } + } + rule 2786 { + action accept + description FW18E6E_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW18E6E_3 + } + port 60000-60100,873 + } + protocol tcp + } + rule 2787 { + action accept + description FW2BF20_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2BF20_3 + } + port 49152-65534,990 + } + protocol tcp + } + rule 2788 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.98 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.98 + } + } + rule 2789 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.65 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.65 + } + } + rule 2791 { + action accept + description FW197DB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW197DB_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2792 { + action accept + description FW1208C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1208C_1 + } + port 2087,2083,2096 + } + protocol tcp + } + rule 2793 { + action accept + description FW00D98_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW00D98_1 + } + port 4430 + } + protocol tcp + } + rule 2794 { + action accept + description FW03B35_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + } + protocol esp + } + rule 2795 { + action accept + description FW03B35_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + } + protocol ah + } + rule 2796 { + action accept + description FWEF92E_5-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2797 { + action accept + description FW825C8_19-TCP-ALLOW-159.253.51.74 + destination { + group { + address-group DT_FW825C8_19 + } + port 3389,1433,995 + } + protocol tcp + source { + address 159.253.51.74 + } + } + rule 2798 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.76.111 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 77.68.76.111 + } + } + rule 2799 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.28.63 + destination { + group { + address-group DT_FW825C8_19 + } + port 995 + } + protocol tcp + source { + address 77.68.28.63 + } + } + rule 2801 { + action accept + description FW2EF2C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 5349 + } + protocol tcp + } + rule 2802 { + action accept + description FWEF92E_5-TCP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 88.208.198.93 + } + } + rule 2803 { + action accept + description FWC3921_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC3921_1 + } + port 25000,25001-25005,26000-26006 + } + protocol tcp + } + rule 2804 { + action accept + description FWEF92E_5-UDP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 109.228.37.19 + } + } + rule 2805 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.11.54 + } + } + rule 2806 { + action accept + description FW5AE10_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5AE10_1 + } + port 53 + } + protocol tcp_udp + } + rule 2810 { + action accept + description FW45F87_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW45F87_1 + } + port 60000-60100 + } + protocol tcp + } + rule 2811 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.108.158 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.108.158 + } + } + rule 2813 { + action accept + description FW825C8_19-TCP-ALLOW-109.228.1.233 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 109.228.1.233 + } + } + rule 2814 { + action accept + description FW20449_2-ICMP-ALLOW-3.10.221.168 + destination { + group { + address-group DT_FW20449_2 + } + } + protocol icmp + source { + address 3.10.221.168 + } + } + rule 2815 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.100 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.100 + } + } + rule 2816 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.180 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.180 + } + } + rule 2817 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2818 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.185 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.185 + } + } + rule 2819 { + action accept + description FWB9699_7-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB9699_7 + } + port 161 + } + protocol udp + } + rule 2820 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FWB9699_7 + } + port 22,8443 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2821 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.103 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.103 + } + } + rule 2824 { + action accept + description FWE3E77_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE3E77_1 + } + port 10010,10009 + } + protocol tcp + } + rule 2825 { + action accept + description FW8A3FC_3-TCP-ALLOW-93.190.142.120 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 93.190.142.120 + } + } + rule 2826 { + action accept + description FW20449_2-ICMP-ALLOW-82.20.69.137 + destination { + group { + address-group DT_FW20449_2 + } + } + protocol icmp + source { + address 82.20.69.137 + } + } + rule 2827 { + action accept + description FW8A3FC_3-TCP-ALLOW-46.101.232.93 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 21-10000 + } + protocol tcp + source { + address 46.101.232.93 + } + } + rule 2828 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.5 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.5 + } + } + rule 2829 { + action accept + description FWD2440_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + port 1-65535 + } + protocol tcp + } + rule 2831 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.105 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.105 + } + } + rule 2833 { + action accept + description FW825C8_24-TCP-ALLOW-159.253.51.74 + destination { + group { + address-group DT_FW825C8_24 + } + port 3389,1433,995 + } + protocol tcp + source { + address 159.253.51.74 + } + } + rule 2834 { + action accept + description FW825C8_24-TCP-ALLOW-77.68.77.120 + destination { + group { + address-group DT_FW825C8_24 + } + port 1433 + } + protocol tcp + source { + address 77.68.77.120 + } + } + rule 2839 { + action accept + description FWD2440_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + port 1-65535 + } + protocol udp + } + rule 2840 { + action accept + description FW1C8F2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1C8F2_1 + } + port 7000-10000,5554,5443,5080,1935,1111 + } + protocol tcp + } + rule 2843 { + action accept + description FWE7180_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE7180_1 + } + port 443,53 + } + protocol tcp_udp + } + rule 2844 { + action accept + description FWC6301_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC6301_1 + } + port 2456 + } + protocol tcp_udp + } + rule 2845 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.113 + } + } + rule 2846 { + action accept + description VPN-24589-ANY-ALLOW-10.4.57.9 + destination { + group { + address-group DT_VPN-24589 + } + } + source { + address 10.4.57.9 + } + } + rule 2847 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.237 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.237 + } + } + rule 2849 { + action accept + description FWFD9AF_9-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFD9AF_9 + } + port 445 + } + protocol tcp_udp + } + rule 2850 { + action accept + description VPN-23209-ANY-ALLOW-10.4.58.8 + destination { + group { + address-group DT_VPN-23209 + } + } + source { + address 10.4.58.8 + } + } + rule 2851 { + action accept + description VPN-23209-ANY-ALLOW-10.4.59.8 + destination { + group { + address-group DT_VPN-23209 + } + } + source { + address 10.4.59.8 + } + } + rule 2853 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.29 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.29 + } + } + rule 2854 { + action accept + description FW16375_5-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW16375_5 + } + port 2096 + } + protocol tcp_udp + } + rule 2856 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.173 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.173 + } + } + rule 2858 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.35 + } + } + rule 2859 { + action accept + description FW73573_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73573_1 + } + port 25 + } + protocol tcp_udp + } + rule 2860 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.242 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.242 + } + } + rule 2861 { + action accept + description FW8ECF4_1-TCP-ALLOW-77.68.2.215 + destination { + group { + address-group DT_FW8ECF4_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.2.215 + } + } + rule 2862 { + action accept + description FW8A3FC_3-TCP_UDP-ALLOW-82.165.100.25 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 21-10000 + } + protocol tcp_udp + source { + address 82.165.100.25 + } + } + rule 2863 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.235 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.235 + } + } + rule 2864 { + action accept + description VPN-18647-ANY-ALLOW-10.4.86.114 + destination { + group { + address-group DT_VPN-18647 + } + } + source { + address 10.4.86.114 + } + } + rule 2865 { + action accept + description VPN-18647-ANY-ALLOW-10.4.87.114 + destination { + group { + address-group DT_VPN-18647 + } + } + source { + address 10.4.87.114 + } + } + rule 2867 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.107 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.107 + } + } + rule 2868 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.239 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.239 + } + } + rule 2869 { + action accept + description FWF699D_4-TCP-ALLOW-164.39.151.3 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 164.39.151.3 + } + } + rule 2870 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.245 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.245 + } + } + rule 2873 { + action accept + description FWEF92E_6-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2874 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.130 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.130 + } + } + rule 2875 { + action accept + description FW44BF9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW44BF9_1 + } + port 49160-49200 + } + protocol tcp + } + rule 2876 { + action accept + description VPN-24591-ANY-ALLOW-10.4.86.4 + destination { + group { + address-group DT_VPN-24591 + } + } + source { + address 10.4.86.4 + } + } + rule 2877 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.60 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.60 + } + } + rule 2879 { + action accept + description FWEF92E_6-UDP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + port 500 + } + protocol udp + source { + address 77.68.77.57 + } + } + rule 2880 { + action accept + description FWF699D_4-TCP-ALLOW-185.132.38.110 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 185.132.38.110 + } + } + rule 2881 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.216 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.216 + } + } + rule 2882 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.77.149 + } + } + rule 2883 { + action accept + description FWA2FF8_4-TCP-ALLOW-80.229.18.102 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21,22 + } + protocol tcp + source { + address 80.229.18.102 + } + } + rule 2884 { + action accept + description FWA2FF8_4-TCP-ALLOW-109.169.33.69 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21,22 + } + protocol tcp + source { + address 109.169.33.69 + } + } + rule 2885 { + action accept + description FWA2FF8_4-TCP-ALLOW-46.102.209.35 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21 + } + protocol tcp + source { + address 46.102.209.35 + } + } + rule 2886 { + action accept + description FWA2FF8_4-TCP-ALLOW-90.213.48.16 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21 + } + protocol tcp + source { + address 90.213.48.16 + } + } + rule 2887 { + action accept + description FWA2FF8_4-TCP-ALLOW-77.68.76.129 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 77.68.76.129 + } + } + rule 2888 { + action accept + description FWA2FF8_4-TCP-ALLOW-109.228.50.145 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 109.228.50.145 + } + } + rule 2889 { + action accept + description FWA2FF8_4-TCP-ALLOW-77.68.76.231 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 77.68.76.231 + } + } + rule 2890 { + action accept + description FW4513E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4513E_1 + } + port 50000-50020,990 + } + protocol tcp + } + rule 2893 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.40.7 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.40.7 + } + } + rule 2894 { + action accept + description VPN-21876-ANY-ALLOW-10.4.88.96 + destination { + group { + address-group DT_VPN-21876 + } + } + source { + address 10.4.88.96 + } + } + rule 2895 { + action accept + description VPN-21876-ANY-ALLOW-10.4.89.96 + destination { + group { + address-group DT_VPN-21876 + } + } + source { + address 10.4.89.96 + } + } + rule 2896 { + action accept + description VPN-26124-ANY-ALLOW-10.4.54.75 + destination { + group { + address-group DT_VPN-26124 + } + } + source { + address 10.4.54.75 + } + } + rule 2897 { + action accept + description VPN-26124-ANY-ALLOW-10.4.55.76 + destination { + group { + address-group DT_VPN-26124 + } + } + source { + address 10.4.55.76 + } + } + rule 2898 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.21 + } + } + rule 2899 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.213 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.213 + } + } + rule 2901 { + action accept + description FWC6301_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC6301_1 + } + port 5555 + } + protocol udp + } + rule 2902 { + action accept + description VPN-13261-ANY-ALLOW-10.4.56.173 + destination { + group { + address-group DT_VPN-13261 + } + } + source { + address 10.4.56.173 + } + } + rule 2903 { + action accept + description VPN-13261-ANY-ALLOW-10.4.57.173 + destination { + group { + address-group DT_VPN-13261 + } + } + source { + address 10.4.57.173 + } + } + rule 2909 { + action accept + description VPN-24591-ANY-ALLOW-10.4.87.4 + destination { + group { + address-group DT_VPN-24591 + } + } + source { + address 10.4.87.4 + } + } + rule 2911 { + action accept + description FWE7180_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE7180_1 + } + port 40110-40210,8090 + } + protocol tcp + } + rule 2914 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.247 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.247 + } + } + rule 2915 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.129 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.129 + } + } + rule 2916 { + action accept + description FWCB29D_1-TCP-ALLOW-51.146.16.162 + destination { + group { + address-group DT_FWCB29D_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 51.146.16.162 + } + } + rule 2917 { + action accept + description FW4E399_1-TCP-ALLOW-51.155.19.77 + destination { + group { + address-group DT_FW4E399_1 + } + port 3306 + } + protocol tcp + source { + address 51.155.19.77 + } + } + rule 2919 { + action accept + description FWC72E5_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC72E5_1 + } + port 9000-9100,6667 + } + protocol tcp + } + rule 2922 { + action accept + description FW21A75_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW21A75_2 + } + port 3000 + } + protocol tcp + } + rule 2923 { + action accept + description FW3B068_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3B068_2 + } + port 990,60000-65000 + } + protocol tcp + } + rule 2924 { + action accept + description FW48814_3-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW48814_3 + } + port 3306 + } + protocol tcp_udp + } + rule 2925 { + action accept + description FW48814_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW48814_3 + } + port 49152-65534 + } + protocol tcp + } + rule 2926 { + action accept + description FW2B279_4-TCP-ALLOW-178.128.39.210 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 178.128.39.210 + } + } + rule 2927 { + action accept + description FW2B279_4-TCP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 82.165.232.19 + } + } + rule 2928 { + action accept + description FW2B279_4-TCP-ALLOW-84.64.186.31 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 84.64.186.31 + } + } + rule 2929 { + action accept + description FW1C8F2_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1C8F2_1 + } + port 5000-65000 + } + protocol udp + } + rule 2930 { + action accept + description FW2B279_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2B279_4 + } + port 49152-65535 + } + protocol tcp + } + rule 2931 { + action accept + description FW608FA_1-TCP-ALLOW-195.10.106.114 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 195.10.106.114 + } + } + rule 2932 { + action accept + description FW608FA_1-TCP-ALLOW-213.137.25.134 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 213.137.25.134 + } + } + rule 2933 { + action accept + description FW608FA_1-TCP-ALLOW-92.39.202.189 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 92.39.202.189 + } + } + rule 2935 { + action accept + description FWC37B9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC37B9_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2936 { + action accept + description FW15C99_6-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW15C99_6 + } + port 32410-32414,1900 + } + protocol udp + } + rule 2937 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.244.146 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 116.206.244.146 + } + } + rule 2938 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.158 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.211.158 + } + } + rule 2939 { + action accept + description FW15C99_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW15C99_6 + } + port 32469,32400 + } + protocol tcp + } + rule 2940 { + action accept + description FW0192C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0192C_1 + } + port 2053 + } + protocol tcp + } + rule 2941 { + action accept + description FW27949_2-TCP-ALLOW-86.179.23.119 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 86.179.23.119 + } + } + rule 2942 { + action accept + description FW27949_2-TCP-ALLOW-92.15.208.193 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 92.15.208.193 + } + } + rule 2943 { + action accept + description VPN-34122-ANY-ALLOW-10.4.56.122 + destination { + group { + address-group DT_VPN-34122 + } + } + source { + address 10.4.56.122 + } + } + rule 2944 { + action accept + description VPN-34122-ANY-ALLOW-10.4.57.122 + destination { + group { + address-group DT_VPN-34122 + } + } + source { + address 10.4.57.122 + } + } + rule 2945 { + action accept + description FWF323F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF323F_1 + } + port 25565,9999,8080,5001,3306 + } + protocol tcp_udp + } + rule 2946 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.132 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.132 + } + } + rule 2948 { + action accept + description VPN-30261-ANY-ALLOW-10.4.86.110 + destination { + group { + address-group DT_VPN-30261 + } + } + source { + address 10.4.86.110 + } + } + rule 2949 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.246 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.246 + } + } + rule 2951 { + action accept + description FWC2D30_1-TCP-ALLOW-157.231.100.222 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 157.231.100.222 + } + } + rule 2952 { + action accept + description FWC2D30_1-TCP-ALLOW-164.39.131.31 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 164.39.131.31 + } + } + rule 2953 { + action accept + description FWC2D30_1-TCP-ALLOW-185.199.108.0_22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 185.199.108.0/22 + } + } + rule 2954 { + action accept + description FWC2D30_1-TCP-ALLOW-192.30.252.0_22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 192.30.252.0/22 + } + } + rule 2955 { + action accept + description FWC2D30_1-TCP-ALLOW-80.252.78.202 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 80.252.78.202 + } + } + rule 2956 { + action accept + description FWC2D30_1-TCP-ALLOW-86.15.158.234 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 86.15.158.234 + } + } + rule 2957 { + action accept + description VPN-30261-ANY-ALLOW-10.4.87.110 + destination { + group { + address-group DT_VPN-30261 + } + } + source { + address 10.4.87.110 + } + } + rule 2958 { + action accept + description VPN-30262-ANY-ALLOW-10.4.88.36 + destination { + group { + address-group DT_VPN-30262 + } + } + source { + address 10.4.88.36 + } + } + rule 2961 { + action accept + description VPN-15950-ANY-ALLOW-10.4.88.89 + destination { + group { + address-group DT_VPN-15950 + } + } + source { + address 10.4.88.89 + } + } + rule 2962 { + action accept + description FWBFDED_1-TCP-ALLOW-78.141.24.164 + destination { + group { + address-group DT_FWBFDED_1 + } + port 3389 + } + protocol tcp + source { + address 78.141.24.164 + } + } + rule 2963 { + action accept + description VPN-30262-ANY-ALLOW-10.4.89.36 + destination { + group { + address-group DT_VPN-30262 + } + } + source { + address 10.4.89.36 + } + } + rule 2964 { + action accept + description FW1F126_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1F126_1 + } + port 2087,2083 + } + protocol tcp + } + rule 2965 { + action accept + description FWA7A50_1-ANY-ALLOW-40.120.53.80 + destination { + group { + address-group DT_FWA7A50_1 + } + } + source { + address 40.120.53.80 + } + } + rule 2967 { + action accept + description VPN-23729-ANY-ALLOW-10.4.54.10 + destination { + group { + address-group DT_VPN-23729 + } + } + source { + address 10.4.54.10 + } + } + rule 2968 { + action accept + description VPN-23729-ANY-ALLOW-10.4.55.10 + destination { + group { + address-group DT_VPN-23729 + } + } + source { + address 10.4.55.10 + } + } + rule 2969 { + action accept + description VPN-23733-ANY-ALLOW-10.4.58.12 + destination { + group { + address-group DT_VPN-23733 + } + } + source { + address 10.4.58.12 + } + } + rule 2970 { + action accept + description VPN-23733-ANY-ALLOW-10.4.59.12 + destination { + group { + address-group DT_VPN-23733 + } + } + source { + address 10.4.59.12 + } + } + rule 2971 { + action accept + description VPN-23734-ANY-ALLOW-10.4.56.29 + destination { + group { + address-group DT_VPN-23734 + } + } + source { + address 10.4.56.29 + } + } + rule 2972 { + action accept + description VPN-23734-ANY-ALLOW-10.4.57.29 + destination { + group { + address-group DT_VPN-23734 + } + } + source { + address 10.4.57.29 + } + } + rule 2975 { + action accept + description VPN-23738-ANY-ALLOW-10.4.57.13 + destination { + group { + address-group DT_VPN-23738 + } + } + source { + address 10.4.57.13 + } + } + rule 2976 { + action accept + description FWD8DD1_2-TCP-ALLOW-77.153.164.226 + destination { + group { + address-group DT_FWD8DD1_2 + } + port 3306,22 + } + protocol tcp + source { + address 77.153.164.226 + } + } + rule 2977 { + action accept + description FWE012D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE012D_1 + } + port 143,25 + } + protocol tcp_udp + } + rule 2978 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.120.196 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.120.196 + } + } + rule 2981 { + action accept + description FW24AB7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW24AB7_1 + } + port 40110-40210 + } + protocol tcp_udp + } + rule 2985 { + action accept + description FW2379F_14-TCP-ALLOW-194.72.140.178 + destination { + group { + address-group DT_FW2379F_14 + } + port 3389,21 + } + protocol tcp + source { + address 194.72.140.178 + } + } + rule 2986 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.97 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.97 + } + } + rule 2988 { + action accept + description FW883EB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW883EB_1 + } + port 5005,5004,5003,5002,5001 + } + protocol tcp + } + rule 2992 { + action accept + description FW310C6_3-ANY-ALLOW-62.30.207.232 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 62.30.207.232 + } + } + rule 2993 { + action accept + description VPN-15950-ANY-ALLOW-10.4.89.89 + destination { + group { + address-group DT_VPN-15950 + } + } + source { + address 10.4.89.89 + } + } + rule 2994 { + action accept + description VPN-15960-ANY-ALLOW-10.4.88.90 + destination { + group { + address-group DT_VPN-15960 + } + } + source { + address 10.4.88.90 + } + } + rule 2995 { + action accept + description FWEF92E_7-UDP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + port 500 + } + protocol udp + source { + address 77.68.77.57 + } + } + rule 2996 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.135 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.135 + } + } + rule 2998 { + action accept + description VPN-31002-ANY-ALLOW-10.4.88.126 + destination { + group { + address-group DT_VPN-31002 + } + } + source { + address 10.4.88.126 + } + } + rule 2999 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.110 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 116.206.246.110 + } + } + rule 3000 { + action accept + description FW08061_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW08061_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3001 { + action accept + description VPN-15960-ANY-ALLOW-10.4.89.90 + destination { + group { + address-group DT_VPN-15960 + } + } + source { + address 10.4.89.90 + } + } + rule 3003 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.56 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.56 + } + } + rule 3004 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.47.47 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.47.47 + } + } + rule 3005 { + action accept + description FW10C3D_19-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW10C3D_19 + } + port 49152-65535,14147 + } + protocol tcp + } + rule 3006 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.136 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.136 + } + } + rule 3009 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.44.109 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.44.109 + } + } + rule 3010 { + action accept + description VPN-24592-ANY-ALLOW-10.4.88.9 + destination { + group { + address-group DT_VPN-24592 + } + } + source { + address 10.4.88.9 + } + } + rule 3011 { + action accept + description FW05AD0_2-TCP-ALLOW-213.171.209.161 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 213.171.209.161 + } + } + rule 3012 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.86.254 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.86.254 + } + } + rule 3014 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.16 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.16 + } + } + rule 3018 { + action accept + description VPN-24592-ANY-ALLOW-10.4.89.9 + destination { + group { + address-group DT_VPN-24592 + } + } + source { + address 10.4.89.9 + } + } + rule 3019 { + action accept + description VPN-24593-ANY-ALLOW-10.4.54.6 + destination { + group { + address-group DT_VPN-24593 + } + } + source { + address 10.4.54.6 + } + } + rule 3020 { + action accept + description VPN-24593-ANY-ALLOW-10.4.55.6 + destination { + group { + address-group DT_VPN-24593 + } + } + source { + address 10.4.55.6 + } + } + rule 3021 { + action accept + description VPN-24594-ANY-ALLOW-10.4.58.6 + destination { + group { + address-group DT_VPN-24594 + } + } + source { + address 10.4.58.6 + } + } + rule 3022 { + action accept + description VPN-24594-ANY-ALLOW-10.4.59.6 + destination { + group { + address-group DT_VPN-24594 + } + } + source { + address 10.4.59.6 + } + } + rule 3023 { + action accept + description VPN-24595-ANY-ALLOW-10.4.56.14 + destination { + group { + address-group DT_VPN-24595 + } + } + source { + address 10.4.56.14 + } + } + rule 3024 { + action accept + description VPN-24595-ANY-ALLOW-10.4.57.14 + destination { + group { + address-group DT_VPN-24595 + } + } + source { + address 10.4.57.14 + } + } + rule 3025 { + action accept + description VPN-32528-ANY-ALLOW-10.4.58.67 + destination { + group { + address-group DT_VPN-32528 + } + } + source { + address 10.4.58.67 + } + } + rule 3026 { + action accept + description VPN-32528-ANY-ALLOW-10.4.59.67 + destination { + group { + address-group DT_VPN-32528 + } + } + source { + address 10.4.59.67 + } + } + rule 3027 { + action accept + description FW6187E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6187E_1 + } + port 51195 + } + protocol udp + } + rule 3028 { + action accept + description FW406AB_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW406AB_1 + } + port 37013,25461,8881,8080,2095,2082,1992 + } + protocol tcp_udp + } + rule 3029 { + action accept + description FWA86A4_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA86A4_1 + } + port 30333,5666 + } + protocol tcp + } + rule 3032 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.52 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.52 + } + } + rule 3033 { + action accept + description FWC055A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC055A_1 + } + port 2195 + } + protocol tcp + } + rule 3035 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.81 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.81 + } + } + rule 3039 { + action accept + description FW42BC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW42BC7_1 + } + port 53 + } + protocol tcp_udp + } + rule 3040 { + action accept + description FW42BC7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW42BC7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3041 { + action accept + description FW310C6_3-ANY-ALLOW-88.208.198.39 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 88.208.198.39 + } + } + rule 3042 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.235 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.235 + } + } + rule 3043 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.205 + } + } + rule 3044 { + action accept + description FWBE878_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBE878_1 + } + port 8989,5003,3000 + } + protocol tcp_udp + } + rule 3045 { + action accept + description VPN-30679-ANY-ALLOW-10.4.58.195 + destination { + group { + address-group DT_VPN-30679 + } + } + source { + address 10.4.58.195 + } + } + rule 3046 { + action accept + description FW6B9B9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6B9B9_1 + } + port 30006-65000,27017,7101,4200,2990-3009 + } + protocol tcp + } + rule 3047 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.212 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.212 + } + } + rule 3049 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.125.4 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.125.4 + } + } + rule 3050 { + action accept + description FW49C3D_4-TCP-ALLOW-83.100.136.74 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445 + } + protocol tcp + source { + address 83.100.136.74 + } + } + rule 3051 { + action accept + description FW49C3D_6-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 3053 { + action accept + description FW89619_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 9000-10999 + } + protocol udp + } + rule 3054 { + action accept + description FWBD9D0_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBD9D0_1 + } + port 9090 + } + protocol tcp + } + rule 3055 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.47.236 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.47.236 + } + } + rule 3056 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.226 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.46.226 + } + } + rule 3058 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.205 + } + } + rule 3060 { + action accept + description FWF7B68_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF7B68_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3061 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.253 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.253 + } + } + rule 3063 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.0 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.210.0 + } + } + rule 3065 { + action accept + description FW85619_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW85619_1 + } + port 6433 + } + protocol tcp + } + rule 3066 { + action accept + description FW5A5D7_3-TCP-ALLOW-188.66.79.94 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389 + } + protocol tcp + source { + address 188.66.79.94 + } + } + rule 3067 { + action accept + description FWF30BD_1-TCP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FWF30BD_1 + } + port 22 + } + protocol tcp + source { + address 81.133.80.114 + } + } + rule 3068 { + action accept + description FWF30BD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 5061,5015,5001 + } + protocol tcp + } + rule 3069 { + action accept + description FWBD9D0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBD9D0_1 + } + port 51820 + } + protocol udp + } + rule 3070 { + action accept + description FW7C4D9_14-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW7C4D9_14 + } + port 25565,2456-2458 + } + protocol tcp_udp + } + rule 3071 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.23 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.23 + } + } + rule 3072 { + action accept + description FWEEC75_1-TCP-ALLOW-81.96.100.32 + destination { + group { + address-group DT_FWEEC75_1 + } + port 8447 + } + protocol tcp + source { + address 81.96.100.32 + } + } + rule 3073 { + action accept + description FW8A3FC_3-TCP-ALLOW-95.168.164.208 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 95.168.164.208 + } + } + rule 3074 { + action accept + description VPN-19992-ANY-ALLOW-10.4.86.158 + destination { + group { + address-group DT_VPN-19992 + } + } + source { + address 10.4.86.158 + } + } + rule 3075 { + action accept + description FWF30BD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 5090,5060 + } + protocol tcp_udp + } + rule 3076 { + action accept + description VPN-30679-ANY-ALLOW-10.4.59.195 + destination { + group { + address-group DT_VPN-30679 + } + } + source { + address 10.4.59.195 + } + } + rule 3077 { + action accept + description FW930F3_3-ANY-ALLOW-77.68.112.254 + destination { + group { + address-group DT_FW930F3_3 + } + } + source { + address 77.68.112.254 + } + } + rule 3078 { + action accept + description FW672AB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW672AB_1 + } + port 5432 + } + protocol tcp + } + rule 3079 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.252 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.252 + } + } + rule 3080 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.86.192 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.86.192 + } + } + rule 3081 { + action accept + description VPN-33204-ANY-ALLOW-10.4.56.176 + destination { + group { + address-group DT_VPN-33204 + } + } + source { + address 10.4.56.176 + } + } + rule 3083 { + action accept + description FW1FA8E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1FA8E_1 + } + port 33434 + } + protocol udp + } + rule 3084 { + action accept + description FWD2440_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + } + protocol esp + } + rule 3085 { + action accept + description FWA0531_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0531_1 + } + port 53 + } + protocol tcp_udp + } + rule 3090 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.70 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.70 + } + } + rule 3091 { + action accept + description FWF7BFA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF7BFA_1 + } + port 8000,5901,5479,5478 + } + protocol tcp + } + rule 3092 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.212 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.212 + } + } + rule 3094 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.125 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.125 + } + } + rule 3096 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.89 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.89 + } + } + rule 3097 { + action accept + description FWD56A2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD56A2_1 + } + port 8001,8000 + } + protocol tcp + } + rule 3098 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.109 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.109 + } + } + rule 3099 { + action accept + description FW36425_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW36425_1 + } + port 44445,7770-7800 + } + protocol tcp + } + rule 3100 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.238 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.238 + } + } + rule 3102 { + action accept + description FW6B39D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6B39D_1 + } + port 49216,49215 + } + protocol tcp_udp + } + rule 3103 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.121 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.121 + } + } + rule 3105 { + action accept + description FW2379F_14-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + port 443 + } + protocol tcp_udp + } + rule 3107 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.38 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.38 + } + } + rule 3109 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.191 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.191 + } + } + rule 3111 { + action accept + description FW27947_1-TCP-ALLOW-213.229.100.148 + destination { + group { + address-group DT_FW27947_1 + } + port 3306 + } + protocol tcp + source { + address 213.229.100.148 + } + } + rule 3112 { + action accept + description FWD42CF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD42CF_1 + } + port 5432,5001,5000 + } + protocol tcp + } + rule 3114 { + action accept + description FW3A12F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3A12F_1 + } + port 53 + } + protocol tcp_udp + } + rule 3116 { + action accept + description FW5A5D7_3-TCP-ALLOW-194.62.184.87 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 3389 + } + protocol tcp + source { + address 194.62.184.87 + } + } + rule 3117 { + action accept + description FW5A5D7_3-TCP-ALLOW-51.219.31.78 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389 + } + protocol tcp + source { + address 51.219.31.78 + } + } + rule 3118 { + action accept + description VPN-26157-ANY-ALLOW-10.4.86.57 + destination { + group { + address-group DT_VPN-26157 + } + } + source { + address 10.4.86.57 + } + } + rule 3119 { + action accept + description VPN-26157-ANY-ALLOW-10.4.87.57 + destination { + group { + address-group DT_VPN-26157 + } + } + source { + address 10.4.87.57 + } + } + rule 3120 { + action accept + description FWA7625_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 943 + } + protocol tcp + } + rule 3121 { + action accept + description FWC96A1_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC96A1_1 + } + port 1194 + } + protocol udp + } + rule 3122 { + action accept + description FWA7625_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 1194 + } + protocol udp + } + rule 3123 { + action accept + description FWA7625_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 32400,10108 + } + protocol tcp_udp + } + rule 3125 { + action accept + description FW8A3FC_3-TCP-ALLOW-185.173.161.154 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 185.173.161.154 + } + } + rule 3127 { + action accept + description FW05339_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW05339_1 + } + port 46961 + } + protocol udp + } + rule 3130 { + action accept + description FWA0AA0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 1194 + } + protocol udp + } + rule 3132 { + action accept + description FWD8DD1_2-TCP_UDP-ALLOW-77.153.164.226 + destination { + group { + address-group DT_FWD8DD1_2 + } + port 443,80 + } + protocol tcp_udp + source { + address 77.153.164.226 + } + } + rule 3134 { + action accept + description FW19987_4-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 3135 { + action accept + description FW40AE4_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW40AE4_1 + } + port 53 + } + protocol tcp_udp + } + rule 3136 { + action accept + description VPN-33204-ANY-ALLOW-10.4.57.176 + destination { + group { + address-group DT_VPN-33204 + } + } + source { + address 10.4.57.176 + } + } + rule 3137 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-86.132.125.4 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 86.132.125.4 + } + } + rule 3138 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-91.205.173.51 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 91.205.173.51 + } + } + rule 3143 { + action accept + description FWA86ED_101-TCP-ALLOW-109.149.121.73 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 109.149.121.73 + } + } + rule 3144 { + action accept + description FWA0AA0_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 28083,28015-28016,1935 + } + protocol tcp_udp + } + rule 3146 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-92.233.27.144 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 92.233.27.144 + } + } + rule 3148 { + action accept + description FWA86ED_101-TCP-ALLOW-151.228.194.190 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 151.228.194.190 + } + } + rule 3149 { + action accept + description FW9B6FB_1-ICMP-ALLOW-77.68.89.115_32 + destination { + group { + address-group DT_FW9B6FB_1 + } + } + protocol icmp + source { + address 77.68.89.115/32 + } + } + rule 3153 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.199 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.199 + } + } + rule 3155 { + action accept + description FW45F3D_1-ANY-ALLOW-195.224.110.168 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 195.224.110.168 + } + } + rule 3156 { + action accept + description FWF8E67_1-TCP-ALLOW-82.14.188.35 + destination { + group { + address-group DT_FWF8E67_1 + } + port 22 + } + protocol tcp + source { + address 82.14.188.35 + } + } + rule 3157 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.58 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.58 + } + } + rule 3158 { + action accept + description VPN-19992-ANY-ALLOW-10.4.87.158 + destination { + group { + address-group DT_VPN-19992 + } + } + source { + address 10.4.87.158 + } + } + rule 3159 { + action accept + description FWA86ED_101-TCP-ALLOW-5.66.24.185 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 5.66.24.185 + } + } + rule 3160 { + action accept + description FWF8E67_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF8E67_1 + } + port 3001 + } + protocol tcp + } + rule 3161 { + action accept + description FWD2440_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + } + protocol ah + } + rule 3166 { + action accept + description FW3EBC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3EBC8_1 + } + port 9001-9900,9000 + } + protocol tcp + } + rule 3167 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.244 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.244 + } + } + rule 3168 { + action accept + description FWA0531_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA0531_1 + } + port 3000 + } + protocol tcp + } + rule 3170 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.137 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.137 + } + } + rule 3173 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.104 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.104 + } + } + rule 3176 { + action accept + description FW6906B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6906B_1 + } + port 4190 + } + protocol tcp + } + rule 3177 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.230 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 116.206.246.230 + } + } + rule 3178 { + action accept + description FW444AF_1-TCP-ALLOW-91.135.10.140 + destination { + group { + address-group DT_FW444AF_1 + } + port 27017 + } + protocol tcp + source { + address 91.135.10.140 + } + } + rule 3180 { + action accept + description FWA86ED_101-TCP-ALLOW-81.150.13.34 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 81.150.13.34 + } + } + rule 3181 { + action accept + description FWA86ED_101-TCP-ALLOW-82.10.14.73 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 82.10.14.73 + } + } + rule 3183 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.25 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.25 + } + } + rule 3184 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.224 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.224 + } + } + rule 3185 { + action accept + description FW9B6FB_1-TCP-ALLOW-77.68.89.115_32 + destination { + group { + address-group DT_FW9B6FB_1 + } + port 10050 + } + protocol tcp + source { + address 77.68.89.115/32 + } + } + rule 3186 { + action accept + description VPN-14673-ANY-ALLOW-10.4.89.44 + destination { + group { + address-group DT_VPN-14673 + } + } + source { + address 10.4.89.44 + } + } + rule 3187 { + action accept + description FWCA628_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCA628_1 + } + port 2096,2095,2087,2086,2083,2082 + } + protocol tcp + } + rule 3189 { + action accept + description VPN-28484-ANY-ALLOW-10.4.58.159 + destination { + group { + address-group DT_VPN-28484 + } + } + source { + address 10.4.58.159 + } + } + rule 3190 { + action accept + description FW028C0_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW028C0_2 + } + port 44491-44498,44474 + } + protocol tcp + } + rule 3191 { + action accept + description VPN-28484-ANY-ALLOW-10.4.59.159 + destination { + group { + address-group DT_VPN-28484 + } + } + source { + address 10.4.59.159 + } + } + rule 3192 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.119 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.119 + } + } + rule 3194 { + action accept + description FWF699D_4-TCP-ALLOW-195.74.108.130 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 195.74.108.130 + } + } + rule 3195 { + action accept + description FWF699D_4-TCP-ALLOW-31.54.149.143 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 31.54.149.143 + } + } + rule 3196 { + action accept + description FWF699D_4-TCP-ALLOW-35.204.243.120 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 35.204.243.120 + } + } + rule 3197 { + action accept + description FWF699D_4-TCP-ALLOW-81.150.55.65 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 81.150.55.65 + } + } + rule 3198 { + action accept + description FWF699D_4-TCP-ALLOW-81.150.55.70 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 81.150.55.70 + } + } + rule 3199 { + action accept + description FWF699D_4-TCP-ALLOW-86.142.112.4 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 86.142.112.4 + } + } + rule 3200 { + action accept + description FWF699D_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF699D_4 + } + port 8983 + } + protocol tcp_udp + } + rule 3201 { + action accept + description FWF699D_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF699D_4 + } + port 11009,10009 + } + protocol tcp + } + rule 3202 { + action accept + description VPN-2661-ANY-ALLOW-10.4.54.24 + destination { + group { + address-group DT_VPN-2661 + } + } + source { + address 10.4.54.24 + } + } + rule 3203 { + action accept + description VPN-2661-ANY-ALLOW-10.4.55.24 + destination { + group { + address-group DT_VPN-2661 + } + } + source { + address 10.4.55.24 + } + } + rule 3204 { + action accept + description VPN-9727-ANY-ALLOW-10.4.54.118 + destination { + group { + address-group DT_VPN-9727 + } + } + source { + address 10.4.54.118 + } + } + rule 3205 { + action accept + description VPN-9727-ANY-ALLOW-10.4.55.119 + destination { + group { + address-group DT_VPN-9727 + } + } + source { + address 10.4.55.119 + } + } + rule 3207 { + action accept + description FWF0221_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF0221_1 + } + port 65000,8099,8080 + } + protocol tcp_udp + } + rule 3208 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.180 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.180 + } + } + rule 3209 { + action accept + description FWA86ED_101-TCP-ALLOW-82.5.189.5 + destination { + group { + address-group DT_FWA86ED_101 + } + port 443 + } + protocol tcp + source { + address 82.5.189.5 + } + } + rule 3210 { + action accept + description FW60FD6_5-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW60FD6_5 + } + port 1194 + } + protocol udp + } + rule 3211 { + action accept + description FW60FD6_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW60FD6_5 + } + port 9500,9191,9090,8090,2222 + } + protocol tcp + } + rule 3212 { + action accept + description FWA86ED_101-TCP-ALLOW-84.65.217.114 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 84.65.217.114 + } + } + rule 3213 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.43.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.43.21 + } + } + rule 3214 { + action accept + description FW45F3D_1-ANY-ALLOW-77.68.126.251 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 77.68.126.251 + } + } + rule 3215 { + action accept + description FWA86ED_101-TCP-ALLOW-86.14.23.23 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 86.14.23.23 + } + } + rule 3217 { + action accept + description FW85E02_11-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 9000-10999 + } + protocol udp + } + rule 3218 { + action accept + description FW5D0FA_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5D0FA_1 + } + port 53 + } + protocol tcp_udp + } + rule 3222 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.141 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.141 + } + } + rule 3223 { + action accept + description FWCDD8B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCDD8B_1 + } + port 2222 + } + protocol tcp + } + rule 3224 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.185 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.185 + } + } + rule 3225 { + action accept + description FW06940_3-TCP_UDP-ALLOW-213.171.210.153 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 213.171.210.153 + } + } + rule 3226 { + action accept + description FW06940_3-TCP_UDP-ALLOW-70.29.113.102 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 70.29.113.102 + } + } + rule 3227 { + action accept + description FWC32BE_1-ANY-ALLOW-3.127.0.177 + destination { + group { + address-group DT_FWC32BE_1 + } + } + source { + address 3.127.0.177 + } + } + rule 3228 { + action accept + description FWA86ED_101-TCP-ALLOW-93.115.195.58 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 93.115.195.58 + } + } + rule 3229 { + action accept + description FWE32F2_8-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE32F2_8 + } + port 40120,30120,30110 + } + protocol tcp + } + rule 3230 { + action accept + description VPN-28515-ANY-ALLOW-10.4.56.162 + destination { + group { + address-group DT_VPN-28515 + } + } + source { + address 10.4.56.162 + } + } + rule 3231 { + action accept + description FW06940_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW06940_3 + } + port 30000-30400,8443-8447,445,80-110,21-25 + } + protocol tcp + } + rule 3232 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.134 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.134 + } + } + rule 3236 { + action accept + description VPN-28515-ANY-ALLOW-10.4.57.162 + destination { + group { + address-group DT_VPN-28515 + } + } + source { + address 10.4.57.162 + } + } + rule 3237 { + action accept + description FWF4063_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF4063_1 + } + port 3000 + } + protocol tcp + } + rule 3240 { + action accept + description FW06940_3-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW06940_3 + } + port 49152-65535,6379,5666,5432-5454 + } + protocol tcp_udp + } + rule 3242 { + action accept + description FW2E8D4_1-TCP-ALLOW-63.35.92.185 + destination { + group { + address-group DT_FW2E8D4_1 + } + port 3389 + } + protocol tcp + source { + address 63.35.92.185 + } + } + rule 3244 { + action accept + description FWF30BD_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 9000-10999 + } + protocol udp + } + rule 3245 { + action accept + description FWE30A1_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE30A1_4 + } + port 65057 + } + protocol tcp_udp + } + rule 3246 { + action accept + description VPN-26772-ANY-ALLOW-10.4.54.123 + destination { + group { + address-group DT_VPN-26772 + } + } + source { + address 10.4.54.123 + } + } + rule 3249 { + action accept + description FW56496_1-ANY-ALLOW-77.68.82.49 + destination { + group { + address-group DT_FW56496_1 + } + } + source { + address 77.68.82.49 + } + } + rule 3251 { + action accept + description FWDA443_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDA443_6 + } + port 30175,12050 + } + protocol tcp + } + rule 3253 { + action accept + description FW5A521_3-TCP-ALLOW-88.98.75.17 + destination { + group { + address-group DT_FW5A521_3 + } + port 22 + } + protocol tcp + source { + address 88.98.75.17 + } + } + rule 3254 { + action accept + description FW5A521_3-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5A521_3 + } + port 161-162 + } + protocol udp + } + rule 3255 { + action accept + description FW5A521_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5A521_3 + } + port 5900 + } + protocol tcp + } + rule 3259 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.178 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.178 + } + } + rule 3260 { + action accept + description VPN-26772-ANY-ALLOW-10.4.55.124 + destination { + group { + address-group DT_VPN-26772 + } + } + source { + address 10.4.55.124 + } + } + rule 3262 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.114 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.114 + } + } + rule 3272 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.30 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 116.206.246.30 + } + } + rule 3273 { + action accept + description FW2B4BA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2B4BA_1 + } + port 30000-31000 + } + protocol tcp + } + rule 3284 { + action accept + description FW06940_3-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW06940_3 + } + port 8443 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 3285 { + action accept + description FW0952B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0952B_1 + } + port 9030,9001 + } + protocol tcp + } + rule 3286 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.85.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.85.35 + } + } + rule 3290 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.232 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.232 + } + } + rule 3294 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.21 + } + } + rule 3295 { + action accept + description FW0EA3F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0EA3F_1 + } + port 1-65535 + } + protocol tcp_udp + } + rule 3296 { + action accept + description FW9D5C7_1-TCP-ALLOW-209.97.176.108 + destination { + group { + address-group DT_FW9D5C7_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 209.97.176.108 + } + } + rule 3297 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.188 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.188 + } + } + rule 3298 { + action accept + description FW9D5C7_1-TCP-ALLOW-165.227.231.227 + destination { + group { + address-group DT_FW9D5C7_1 + } + port 9117,9113,9104,9100 + } + protocol tcp + source { + address 165.227.231.227 + } + } + rule 3299 { + action accept + description FW4DB0A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4DB0A_1 + } + port 953 + } + protocol tcp + } + rule 3300 { + action accept + description FW4DB0A_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4DB0A_1 + } + port 953 + } + protocol udp + } + rule 3301 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.91 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.91 + } + } + rule 3303 { + action accept + description FW56496_1-TCP-ALLOW-176.255.93.149 + destination { + group { + address-group DT_FW56496_1 + } + port 3389 + } + protocol tcp + source { + address 176.255.93.149 + } + } + rule 3304 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.79 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.79 + } + } + rule 3305 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.43 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.43 + } + } + rule 3306 { + action accept + description FW310C6_3-ANY-ALLOW-88.208.198.40 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 88.208.198.40 + } + } + rule 3307 { + action accept + description FW597A6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW597A6_1 + } + port 49152-65535,990 + } + protocol tcp + } + rule 3308 { + action accept + description FW597A6_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW597A6_1 + } + port 3306 + } + protocol tcp_udp + } + rule 3309 { + action accept + description FWBC280_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBC280_1 + } + port 49152-65535,20-21 + } + protocol tcp + } + rule 3310 { + action accept + description VPN-31301-ANY-ALLOW-10.4.87.223 + destination { + group { + address-group DT_VPN-31301 + } + } + source { + address 10.4.87.223 + } + } + rule 3311 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.243 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.243 + } + } + rule 3312 { + action accept + description FW9EEDD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW9EEDD_1 + } + port 990,197,20-23 + } + protocol tcp + } + rule 3313 { + action accept + description FW9EEDD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW9EEDD_1 + } + port 49152-65535 + } + protocol tcp_udp + } + rule 3314 { + action accept + description VPN-31002-ANY-ALLOW-10.4.89.126 + destination { + group { + address-group DT_VPN-31002 + } + } + source { + address 10.4.89.126 + } + } + rule 3316 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.11 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.11 + } + } + rule 3317 { + action accept + description FW32EFF_49-TCP-ALLOW-195.59.191.128_25 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 195.59.191.128/25 + } + } + rule 3318 { + action accept + description FW32EFF_49-TCP-ALLOW-213.71.130.0_26 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 213.71.130.0/26 + } + } + rule 3319 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.88 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.88 + } + } + rule 3320 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.173 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.173 + } + } + rule 3321 { + action accept + description FW32EFF_49-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 3322 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.43.122 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.43.122 + } + } + rule 3323 { + action accept + description FWC1ACD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC1ACD_1 + } + port 28061,28060,8080 + } + protocol tcp_udp + } + rule 3324 { + action accept + description FWA5D67_1-TCP_UDP-ALLOW-84.74.32.74 + destination { + group { + address-group DT_FWA5D67_1 + } + port 3389 + } + protocol tcp_udp + source { + address 84.74.32.74 + } + } + rule 3325 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.169 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.169 + } + } + rule 3326 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.89 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.89 + } + } + rule 3329 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.35 + } + } + rule 3330 { + action accept + description FWCE020_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWCE020_1 + } + port 48402 + } + protocol udp + } + rule 3333 { + action accept + description FWF3574_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF3574_1 + } + port 8060,445,139 + } + protocol tcp + } + rule 3334 { + action accept + description FWE6AB2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE6AB2_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3335 { + action accept + description FWBFC02_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBFC02_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3336 { + action accept + description FWBFC02_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBFC02_1 + } + port 1194 + } + protocol udp + } + rule 3337 { + action accept + description FWE6AB2_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE6AB2_1 + } + port 1194 + } + protocol udp + } + rule 3338 { + action accept + description FWBC8A6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBC8A6_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3339 { + action accept + description FWBC8A6_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBC8A6_1 + } + port 1194 + } + protocol udp + } + rule 3340 { + action accept + description FWA0AA0_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 2302 + } + protocol tcp + } + rule 3342 { + action accept + description FW56496_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW56496_1 + } + port 22 + } + protocol tcp_udp + } + rule 3343 { + action accept + description FW56496_1-TCP-ALLOW-157.231.178.162 + destination { + group { + address-group DT_FW56496_1 + } + port 21 + } + protocol tcp + source { + address 157.231.178.162 + } + } + rule 3344 { + action accept + description FW56496_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW56496_1 + } + port 2443,1022 + } + protocol tcp + } + rule 3345 { + action accept + description FW56496_1-TCP_UDP-ALLOW-46.16.211.142 + destination { + group { + address-group DT_FW56496_1 + } + port 3389,21 + } + protocol tcp_udp + source { + address 46.16.211.142 + } + } + rule 3347 { + action accept + description FW2379F_14-GRE-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + } + protocol gre + } + rule 3348 { + action accept + description FW0E383_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0E383_9 + } + port 52000 + } + protocol tcp + } + rule 3350 { + action accept + description FWB4438_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWB4438_2 + } + port 993-995,7 + } + protocol tcp + } + rule 3351 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-82.165.207.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 82.165.207.109 + } + } + rule 3352 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.77 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.77 + } + } + rule 3358 { + action accept + description FW46F4A_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW46F4A_1 + } + port 51820 + } + protocol udp + } + rule 3359 { + action accept + description FW53C72_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW53C72_1 + } + port 48402 + } + protocol udp + } + rule 3360 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.251 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.251 + } + } + rule 3362 { + action accept + description FWAA38E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAA38E_1 + } + port 1001-65535 + } + protocol tcp_udp + } + rule 3363 { + action accept + description FW138F8_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW138F8_1 + } + port 21,20 + } + protocol tcp_udp + } + rule 3364 { + action accept + description FW0BD92_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0BD92_3 + } + port 18081,18080 + } + protocol tcp + } + rule 3365 { + action accept + description FWFEF05_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFEF05_1 + } + port 1935 + } + protocol tcp_udp + } + rule 3367 { + action accept + description FW26846_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW26846_1 + } + port 8000 + } + protocol tcp + } + rule 3368 { + action accept + description FWB4438_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB4438_2 + } + port 53 + } + protocol tcp_udp + } + rule 3369 { + action accept + description FWA884B_5-TCP-ALLOW-51.146.16.162 + destination { + group { + address-group DT_FWA884B_5 + } + port 8447,8443,22 + } + protocol tcp + source { + address 51.146.16.162 + } + } + rule 3370 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.22 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.22 + } + } + rule 3371 { + action accept + description FWFDE34_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWFDE34_1 + } + port 18081,18080 + } + protocol tcp + } + rule 3373 { + action accept + description FWB6101_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWB6101_1 + } + port 2280 + } + protocol tcp + } + rule 3377 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.203 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.84.203 + } + } + rule 3378 { + action accept + description FW1D511_2-TCP-ALLOW-92.29.46.47 + destination { + group { + address-group DT_FW1D511_2 + } + port 9090 + } + protocol tcp + source { + address 92.29.46.47 + } + } + rule 3386 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.175 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.208.175 + } + } + rule 3387 { + action accept + description FW1ACD9_2-TCP-ALLOW-89.197.148.38 + destination { + group { + address-group DT_FW1ACD9_2 + } + port 5015,22 + } + protocol tcp + source { + address 89.197.148.38 + } + } + rule 3388 { + action accept + description FW1ACD9_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1ACD9_2 + } + port 9000-10999,5090,5060 + } + protocol udp + } + rule 3389 { + action accept + description FW1ACD9_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1ACD9_2 + } + port 5090,5060-5062 + } + protocol tcp + } + rule 3391 { + action accept + description FWA0B7F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0B7F_1 + } + port 53 + } + protocol tcp_udp + } + rule 3392 { + action accept + description FW56335_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW56335_2 + } + port 18081,18080 + } + protocol tcp + } + rule 3395 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.90 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.212.90 + } + } + rule 3396 { + action accept + description FW4D3E6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4D3E6_1 + } + port 18081,18080 + } + protocol tcp + } + rule 3397 { + action accept + description FWB118A_1-TCP-ALLOW-188.65.177.58 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 188.65.177.58 + } + } + rule 3398 { + action accept + description FWB118A_1-TCP-ALLOW-77.68.103.13 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 77.68.103.13 + } + } + rule 3399 { + action accept + description FWB118A_1-TCP-ALLOW-80.5.71.130 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 80.5.71.130 + } + } + rule 3402 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.205 + } + } + rule 3408 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.31 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.31 + } + } + rule 3409 { + action accept + description FW539FB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW539FB_1 + } + port 389 + } + protocol tcp + } + rule 3411 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.185 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.185 + } + } + rule 3415 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.245.124 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 116.206.245.124 + } + } + rule 3416 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.75 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.75 + } + } + rule 3417 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.34 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.34 + } + } + rule 3418 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.77.70 + } + } + rule 3419 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.92.33 + } + } + rule 3420 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.93.82 + } + } + rule 3421 { + action accept + description FWEF92E_5-UDP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 88.208.198.93 + } + } + rule 3422 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.94 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.94 + } + } + rule 3424 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.244 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.244 + } + } + rule 3425 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.246 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.246 + } + } + rule 3426 { + action accept + description FW18E6E_3-TCP-ALLOW-195.97.222.122 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 195.97.222.122 + } + } + rule 3431 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.111 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.111 + } + } + rule 3432 { + action accept + description FW06940_3-TCP_UDP-ALLOW-74.208.41.119 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 74.208.41.119 + } + } + rule 3438 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.252 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.252 + } + } + rule 3440 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.118 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.118 + } + } + rule 3442 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.15 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.15 + } + } + rule 3446 { + action accept + description FWC32BE_1-ANY-ALLOW-3.65.3.75 + destination { + group { + address-group DT_FWC32BE_1 + } + } + source { + address 3.65.3.75 + } + } + rule 3447 { + action accept + description FWC32BE_1-TCP-ALLOW-217.155.2.52 + destination { + group { + address-group DT_FWC32BE_1 + } + port 22 + } + protocol tcp + source { + address 217.155.2.52 + } + } + rule 3448 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.243 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.243 + } + } + rule 3449 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.117 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.117 + } + } + rule 3450 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.4 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.4 + } + } + rule 3452 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.177 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.177 + } + } + rule 3454 { + action accept + description FWD498E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD498E_1 + } + port 44158 + } + protocol tcp + } + rule 3455 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.147 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.147 + } + } + rule 8500 { + action drop + description "Deny traffic to any private address" + destination { + group { + network-group RFC1918 + } + } + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 8510 { + action accept + description "Default allow rule" + destination { + group { + address-group !CLUSTER_ADDRESSES + } + } + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + } + name LOCAL-LAN { + default-action drop + rule 2 { + action accept + destination { + address 10.255.255.1 + } + protocol icmp + source { + group { + address-group CLUSTER_ADDRESSES + } + } + } + rule 4 { + action accept + destination { + group { + address-group LAN_ADDRESSES + } + } + source { + group { + address-group LAN_ADDRESSES + } + } + } + rule 10 { + action accept + description "Multicast para VRRP" + destination { + address 224.0.0.18 + } + source { + group { + address-group LAN_ADDRESSES + } + } + } + } + name LOCAL-SYNC { + default-action drop + rule 5 { + action accept + description "Permitir trafico sync entre nodos" + destination { + address 10.4.51.132/30 + } + source { + address 10.4.51.132/30 + } + } + } + name LOCAL-WAN { + default-action drop + description "External connections from VLAN2701 to this system" + rule 10 { + action accept + description "Allow intra-vlan connections" + destination { + address 109.228.63.128/25 + } + source { + address 109.228.63.128/25 + } + } + rule 20 { + action accept + description "Allow Arsys desktops to contact this system" + source { + group { + address-group MANAGEMENT_ADDRESSES + } + } + } + } + name WAN-INBOUND { + default-action drop + rule 10 { + action accept + description "Management from HN-ES" + source { + group { + address-group MANAGEMENT_ADDRESSES + } + } + } + rule 20 { + action accept + description "Connections from Load Balancer to Frontends - TCP Proxy" + destination { + group { + address-group CLUSTER_ADDRESSES + } + } + source { + group { + address-group NLB_ADDRESSES + } + } + } + rule 30 { + action accept + description "Allow external probes" + destination { + group { + address-group NAGIOS_PROBES + } + } + protocol icmp + } + rule 40 { + action accept + description "Allow Centreon servers traffic to VMs" + destination { + group { + address-group CLUSTER_ADDRESSES + } + } + source { + group { + address-group CENTREON_SERVERS + } + } + } + rule 50 { + action accept + description "Allow CMK to check dnscache servers - TCP" + destination { + group { + address-group DNSCACHE_SERVERS + } + port 22,53,6556 + } + protocol tcp + source { + group { + address-group CMK_SATELLITES + } + } + } + rule 65 { + action accept + description "Allow CMK to check dnscache servers - UDP" + destination { + group { + address-group DNSCACHE_SERVERS + } + port 53 + } + protocol udp + source { + group { + address-group CMK_SATELLITES + } + } + } + rule 70 { + action accept + description "Allow CMK to check dnscache servers - ICMP" + destination { + group { + address-group DNSCACHE_SERVERS + } + } + protocol icmp + source { + group { + address-group CMK_SATELLITES + } + } + } + rule 80 { + action accept + description "Allow CMK to check monitoring sensors - TCP" + destination { + group { + address-group NAGIOS_PROBES + } + port 6556 + } + protocol tcp + source { + group { + address-group CMK_SATELLITES + } + } + } + rule 90 { + action accept + description "Allow CMK to check monitoring sensors - ICMP" + destination { + group { + address-group NAGIOS_PROBES + } + } + protocol icmp + source { + group { + address-group CMK_SATELLITES + } + } + } + rule 2000 { + action accept + description "TOP port - SSH" + destination { + group { + address-group G-22-TCP + } + port ssh + } + protocol tcp + } + rule 2001 { + action accept + description "TOP port - RDESKTOP" + destination { + group { + address-group G-3389-TCP + } + port 3389 + } + protocol tcp + } + rule 2002 { + action accept + description "TOP port - HTTP" + destination { + group { + address-group G-80-TCP + } + port http + } + protocol tcp + } + rule 2003 { + action accept + description "TOP port - HTTPS" + destination { + group { + address-group G-443-TCP + } + port https + } + protocol tcp + } + rule 2004 { + action accept + description "TOP port - DOMAIN TCP" + destination { + group { + address-group G-53-TCP + } + port domain + } + protocol tcp + } + rule 2005 { + action accept + description "TOP port - DOMAIN UDP" + destination { + group { + address-group G-53-UDP + } + port domain + } + protocol udp + } + rule 2006 { + action accept + description "TOP port - SMTP" + destination { + group { + address-group G-25-TCP + } + port smtp + } + protocol tcp + } + rule 2007 { + action accept + description "TOP port - IMAP" + destination { + group { + address-group G-143-TCP + } + port imap2 + } + protocol tcp + } + rule 2008 { + action accept + description "TOP port - POP3" + destination { + group { + address-group G-110-TCP + } + port pop3 + } + protocol tcp + } + rule 2009 { + action accept + description "TOP port - MSSQL TCP" + destination { + group { + address-group G-1433-TCP + } + port ms-sql-s + } + protocol tcp + } + rule 2010 { + action accept + description "TOP port - MYSQL TCP" + destination { + group { + address-group G-3306-TCP + } + port mysql + } + protocol tcp + } + rule 2011 { + action accept + description "TOP port - FTPDATA" + destination { + group { + address-group G-20-TCP + } + port ftp-data + } + protocol tcp + } + rule 2012 { + action accept + description "TOP port - FTP" + destination { + group { + address-group G-21-TCP + } + port ftp + } + protocol tcp + } + rule 2013 { + action accept + description "TOP port - SSMTP" + destination { + group { + address-group G-465-TCP + } + port ssmtp + } + protocol tcp + } + rule 2014 { + action accept + description "TOP port - SMTPS" + destination { + group { + address-group G-587-TCP + } + port 587 + } + protocol tcp + } + rule 2015 { + action accept + description "TOP port - IMAPS" + destination { + group { + address-group G-993-TCP + } + port imaps + } + protocol tcp + } + rule 2016 { + action accept + description "TOP port - POP3S" + destination { + group { + address-group G-995-TCP + } + port pop3s + } + protocol tcp + } + rule 2017 { + action accept + description "TOP port - TOMCAT" + destination { + group { + address-group G-8080-TCP + } + port 8080 + } + protocol tcp + } + rule 2018 { + action accept + description "TOP port - Alternative HTTPS" + destination { + group { + address-group G-8443-TCP + } + port 8443 + } + protocol tcp + } + rule 2019 { + action accept + description "TOP port - 10000/TCP" + destination { + group { + address-group G-10000-TCP + } + port 10000 + } + protocol tcp + } + rule 2020 { + action accept + description "TOP port - 8447/TCP" + destination { + group { + address-group G-8447-TCP + } + port 8447 + } + protocol tcp + } + rule 2040 { + action accept + description "TOP port - All ports open" + destination { + group { + address-group G-ALL_OPEN + } + } + } + rule 2050 { + action accept + description "ICMP group" + destination { + group { + address-group G-ICMP + } + } + protocol icmp + } + rule 2100 { + action accept + description FW2BB8D_1-TCP-ALLOW-104.192.143.2 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 7999,22 + } + protocol tcp + source { + address 104.192.143.2 + } + } + rule 2101 { + action accept + description FW19987_4-TCP-ALLOW-77.68.74.54 + destination { + group { + address-group DT_FW19987_4 + } + port 443 + } + protocol tcp + source { + address 77.68.74.54 + } + } + rule 2102 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-109.72.210.46 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 109.72.210.46 + } + } + rule 2103 { + action accept + description FW5A77C_16-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2104 { + action accept + description FW826BA_3-TCP-ALLOW-164.177.156.192 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 164.177.156.192 + } + } + rule 2105 { + action accept + description FWDAA4F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDAA4F_1 + } + port 22335 + } + protocol tcp + } + rule 2106 { + action accept + description FW6D0CD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6D0CD_1 + } + port 6900,7000 + } + protocol tcp + } + rule 2107 { + action accept + description FW6D0CD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6D0CD_1 + } + port 9001 + } + protocol tcp_udp + } + rule 2108 { + action accept + description FW06176_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW06176_1 + } + port 5900 + } + protocol tcp + } + rule 2109 { + action accept + description FW19987_4-TCP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FW19987_4 + } + port 443 + } + protocol tcp + source { + address 77.68.77.70 + } + } + rule 2110 { + action accept + description FWF7B68_1-TCP-ALLOW-54.221.251.224 + destination { + group { + address-group DT_FWF7B68_1 + } + port 8443,3306,22,21,20 + } + protocol tcp + source { + address 54.221.251.224 + } + } + rule 2111 { + action accept + description FW05AD0_2-TCP-ALLOW-178.251.181.41 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.41 + } + } + rule 2112 { + action accept + description FW05AD0_2-TCP-ALLOW-178.251.181.6 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.6 + } + } + rule 2113 { + action accept + description VPN-7030-ANY-ALLOW-10.4.58.119 + destination { + group { + address-group DT_VPN-7030 + } + } + source { + address 10.4.58.119 + } + } + rule 2114 { + action accept + description FW58C69_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW58C69_4 + } + port 5666 + } + protocol tcp + } + rule 2115 { + action accept + description FW2BB8D_1-TCP-ALLOW-185.201.180.35 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000,22 + } + protocol tcp + source { + address 185.201.180.35 + } + } + rule 2116 { + action accept + description FW19987_4-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2117 { + action accept + description FW19987_4-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2118 { + action accept + description FW5658C_1-TCP-ALLOW-212.159.160.65 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443,3389,3306,22,21 + } + protocol tcp + source { + address 212.159.160.65 + } + } + rule 2119 { + action accept + description FW5658C_1-TCP-ALLOW-79.78.20.149 + destination { + group { + address-group DT_FW5658C_1 + } + port 8447,8443,3389,3306,993,143,22,21 + } + protocol tcp + source { + address 79.78.20.149 + } + } + rule 2120 { + action accept + description FW5658C_1-TCP-ALLOW-77.68.77.185 + destination { + group { + address-group DT_FW5658C_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.77.185 + } + } + rule 2121 { + action accept + description FW5658C_1-TCP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443,3389 + } + protocol tcp + source { + address 82.165.232.19 + } + } + rule 2122 { + action accept + description FW2C5AE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2C5AE_1 + } + port 30303,5717 + } + protocol tcp_udp + } + rule 2123 { + action accept + description VPN-12899-ANY-ALLOW-10.4.58.207 + destination { + group { + address-group DT_VPN-12899 + } + } + source { + address 10.4.58.207 + } + } + rule 2124 { + action accept + description FW7648D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7648D_1 + } + port 8501,8050,7801,4444,1443 + } + protocol tcp + } + rule 2125 { + action accept + description FW0C2E6_4-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0C2E6_4 + } + port 1194 + } + protocol udp + } + rule 2126 { + action accept + description FW5658C_1-TCP-ALLOW-39.37.175.132 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.37.175.132 + } + } + rule 2127 { + action accept + description FW826BA_3-TCP-ALLOW-165.255.242.223 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 165.255.242.223 + } + } + rule 2128 { + action accept + description VPN-10131-ANY-ALLOW-10.4.56.51 + destination { + group { + address-group DT_VPN-10131 + } + } + source { + address 10.4.56.51 + } + } + rule 2129 { + action accept + description FW2BB8D_1-TCP-ALLOW-212.227.84.142 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 22 + } + protocol tcp + source { + address 212.227.84.142 + } + } + rule 2130 { + action accept + description FW2BB8D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2BB8D_1 + } + port 53 + } + protocol tcp_udp + } + rule 2131 { + action accept + description FWFDD94_15-TCP-ALLOW-90.29.180.234 + destination { + group { + address-group DT_FWFDD94_15 + } + port 5683,1883 + } + protocol tcp + source { + address 90.29.180.234 + } + } + rule 2132 { + action accept + description VPN-10131-ANY-ALLOW-10.4.57.51 + destination { + group { + address-group DT_VPN-10131 + } + } + source { + address 10.4.57.51 + } + } + rule 2133 { + action accept + description FW2BB8D_1-TCP-ALLOW-109.228.49.193 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 109.228.49.193 + } + } + rule 2134 { + action accept + description FW81138_1-ICMP-ALLOW-3.10.221.168 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 3.10.221.168 + } + } + rule 2135 { + action accept + description FWB28B6_5-AH-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 77.68.36.46 + } + } + rule 2136 { + action accept + description FWB28B6_5-ESP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 77.68.36.46 + } + } + rule 2137 { + action accept + description FW825C8_24-TCP-ALLOW-77.68.87.201 + destination { + group { + address-group DT_FW825C8_24 + } + port 1433 + } + protocol tcp + source { + address 77.68.87.201 + } + } + rule 2138 { + action accept + description FWB28B6_5-AH-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 213.171.196.146 + } + } + rule 2139 { + action accept + description FWB28B6_5-ESP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 213.171.196.146 + } + } + rule 2140 { + action accept + description FWB28B6_5-UDP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + port 500,4500 + } + protocol udp + source { + address 213.171.196.146 + } + } + rule 2141 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-213.171.196.146 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 213.171.196.146 + } + } + rule 2142 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 77.68.36.46 + } + } + rule 2143 { + action accept + description FWB28B6_5-UDP-ALLOW-77.68.36.46 + destination { + group { + address-group DT_FWB28B6_5 + } + port 500,4500 + } + protocol udp + source { + address 77.68.36.46 + } + } + rule 2144 { + action accept + description VPN-12899-ANY-ALLOW-10.4.59.207 + destination { + group { + address-group DT_VPN-12899 + } + } + source { + address 10.4.59.207 + } + } + rule 2145 { + action accept + description FWB28B6_5-TCP-ALLOW-81.130.141.175 + destination { + group { + address-group DT_FWB28B6_5 + } + port 3389 + } + protocol tcp + source { + address 81.130.141.175 + } + } + rule 2146 { + action accept + description FWB28B6_5-UDP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + port 4500,500 + } + protocol udp + source { + address 77.68.38.195 + } + } + rule 2147 { + action accept + description FWB28B6_5-AH-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol ah + source { + address 77.68.38.195 + } + } + rule 2148 { + action accept + description FWB28B6_5-ESP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + } + protocol esp + source { + address 77.68.38.195 + } + } + rule 2149 { + action accept + description FWB28B6_5-TCP_UDP-ALLOW-77.68.38.195 + destination { + group { + address-group DT_FWB28B6_5 + } + port 1701 + } + protocol tcp_udp + source { + address 77.68.38.195 + } + } + rule 2150 { + action accept + description FW5658C_1-TCP-ALLOW-39.37.178.77 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.37.178.77 + } + } + rule 2151 { + action accept + description FW5A77C_16-TCP-ALLOW-51.241.139.56 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 51.241.139.56 + } + } + rule 2152 { + action accept + description FWA86ED_101-TCP-ALLOW-150.143.57.138 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389 + } + protocol tcp + source { + address 150.143.57.138 + } + } + rule 2153 { + action accept + description FW6ECA4_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6ECA4_1 + } + port 3939,3335,3334,3333,3000,999,444 + } + protocol tcp_udp + } + rule 2154 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.13.20 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.13.20 + } + } + rule 2155 { + action accept + description FW481D7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW481D7_1 + } + port 3478 + } + protocol tcp_udp + } + rule 2156 { + action accept + description FW5A5D7_3-GRE-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + } + protocol gre + source { + address 51.219.222.28 + } + } + rule 2157 { + action accept + description FWA86ED_101-TCP-ALLOW-94.195.127.217 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 94.195.127.217 + } + } + rule 2158 { + action accept + description FW2E060_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2E060_1 + } + port 49152-65535,8443-8447 + } + protocol tcp + } + rule 2159 { + action accept + description FWFDD94_15-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWFDD94_15 + } + port 9090,5080,1935 + } + protocol tcp + } + rule 2160 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.190.224 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.190.224 + } + } + rule 2161 { + action accept + description FW9E550_1-TCP-ALLOW-109.249.187.56 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 109.249.187.56 + } + } + rule 2162 { + action accept + description FW89619_1-TCP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FW89619_1 + } + port 22 + } + protocol tcp + source { + address 81.133.80.114 + } + } + rule 2163 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.227.72.218 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.227.72.218 + } + } + rule 2164 { + action accept + description FW0E383_9-TCP-ALLOW-151.229.59.51 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 151.229.59.51 + } + } + rule 2165 { + action accept + description FW8AFF1_7-TCP-ALLOW-178.251.181.41 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433,21 + } + protocol tcp + source { + address 178.251.181.41 + } + } + rule 2166 { + action accept + description FW3CAAB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3CAAB_1 + } + port 49152-65535,30000-30400,8443-8447,5432,80-110,21-25 + } + protocol tcp + } + rule 2167 { + action accept + description FW91B7A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW91B7A_1 + } + port 3389,80 + } + protocol tcp_udp + } + rule 2168 { + action accept + description FW40416_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW40416_1 + } + port 1-65535 + } + protocol tcp + } + rule 2169 { + action accept + description FW5A77C_16-TCP-ALLOW-81.151.24.216 + destination { + group { + address-group DT_FW5A77C_16 + } + port 10000,22 + } + protocol tcp + source { + address 81.151.24.216 + } + } + rule 2170 { + action accept + description VPN-7030-ANY-ALLOW-10.4.59.119 + destination { + group { + address-group DT_VPN-7030 + } + } + source { + address 10.4.59.119 + } + } + rule 2171 { + action accept + description FW0E383_9-TCP-ALLOW-62.252.94.138 + destination { + group { + address-group DT_FW0E383_9 + } + port 3389,1433 + } + protocol tcp + source { + address 62.252.94.138 + } + } + rule 2172 { + action accept + description FW89619_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 5015,5001,5000 + } + protocol tcp + } + rule 2173 { + action accept + description FW89619_1-TCP_UDP-ALLOW-167.98.162.142 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 167.98.162.142 + } + } + rule 2174 { + action accept + description FW013EF_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW013EF_2 + } + port 44445,7770-7800,5090,5060-5070,5015,5001,2000-2500 + } + protocol tcp + } + rule 2175 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.12 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.12 + } + } + rule 2176 { + action accept + description VPN-15625-ANY-ALLOW-10.4.88.79 + destination { + group { + address-group DT_VPN-15625 + } + } + source { + address 10.4.88.79 + } + } + rule 2177 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.228.53.128 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 109.228.53.128 + } + } + rule 2178 { + action accept + description FW8AFF1_7-TCP-ALLOW-178.251.181.6 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 3389,1433,21 + } + protocol tcp + source { + address 178.251.181.6 + } + } + rule 2179 { + action accept + description FW578BE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW578BE_1 + } + port 23,1521,1522 + } + protocol tcp + } + rule 2180 { + action accept + description FWE012D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE012D_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2181 { + action accept + description FW8AFF1_7-TCP-ALLOW-213.171.209.161 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 3389,1433,21 + } + protocol tcp + source { + address 213.171.209.161 + } + } + rule 2182 { + action accept + description VPN-8203-ANY-ALLOW-10.4.58.109 + destination { + group { + address-group DT_VPN-8203 + } + } + source { + address 10.4.58.109 + } + } + rule 2183 { + action accept + description VPN-9415-ANY-ALLOW-10.4.58.168 + destination { + group { + address-group DT_VPN-9415 + } + } + source { + address 10.4.58.168 + } + } + rule 2184 { + action accept + description VPN-9415-ANY-ALLOW-10.4.59.168 + destination { + group { + address-group DT_VPN-9415 + } + } + source { + address 10.4.59.168 + } + } + rule 2185 { + action accept + description FW27A8F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW27A8F_1 + } + port 9990,8458,8090,6543,5432 + } + protocol tcp + } + rule 2186 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.11.224 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 77.68.11.224 + } + } + rule 2187 { + action accept + description VPN-15625-ANY-ALLOW-10.4.89.79 + destination { + group { + address-group DT_VPN-15625 + } + } + source { + address 10.4.89.79 + } + } + rule 2188 { + action accept + description VPN-14649-ANY-ALLOW-10.4.86.35 + destination { + group { + address-group DT_VPN-14649 + } + } + source { + address 10.4.86.35 + } + } + rule 2189 { + action accept + description VPN-14649-ANY-ALLOW-10.4.87.35 + destination { + group { + address-group DT_VPN-14649 + } + } + source { + address 10.4.87.35 + } + } + rule 2190 { + action accept + description VPN-14657-ANY-ALLOW-10.4.86.38 + destination { + group { + address-group DT_VPN-14657 + } + } + source { + address 10.4.86.38 + } + } + rule 2191 { + action accept + description VPN-14657-ANY-ALLOW-10.4.87.38 + destination { + group { + address-group DT_VPN-14657 + } + } + source { + address 10.4.87.38 + } + } + rule 2192 { + action accept + description VPN-14658-ANY-ALLOW-10.4.88.38 + destination { + group { + address-group DT_VPN-14658 + } + } + source { + address 10.4.88.38 + } + } + rule 2193 { + action accept + description VPN-14658-ANY-ALLOW-10.4.89.38 + destination { + group { + address-group DT_VPN-14658 + } + } + source { + address 10.4.89.38 + } + } + rule 2194 { + action accept + description FW0BB22_1-GRE-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol gre + } + rule 2195 { + action accept + description FW0BB22_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol esp + } + rule 2196 { + action accept + description FW1CC15_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1CC15_2 + } + port 8089,8085,990,81 + } + protocol tcp + } + rule 2197 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.124 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.124 + } + } + rule 2198 { + action accept + description FW5A5D7_3-TCP-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389,1723,1701,47 + } + protocol tcp + source { + address 51.219.222.28 + } + } + rule 2199 { + action accept + description FW1CB16_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1CB16_1 + } + port 3306,27017,53 + } + protocol tcp_udp + } + rule 2200 { + action accept + description FWE47DA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE47DA_1 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2201 { + action accept + description FW37E59_5-TCP-ALLOW-77.68.20.244 + destination { + group { + address-group DT_FW37E59_5 + } + port 30303 + } + protocol tcp + source { + address 77.68.20.244 + } + } + rule 2202 { + action accept + description FW274FD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW274FD_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2203 { + action accept + description FW6CD7E_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6CD7E_2 + } + port 49152-65535 + } + protocol tcp + } + rule 2204 { + action accept + description FW826BA_3-TCP-ALLOW-178.17.252.59 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 178.17.252.59 + } + } + rule 2205 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.64.108 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.64.108 + } + } + rule 2206 { + action accept + description FW0937A_1-TCP-ALLOW-83.135.134.13 + destination { + group { + address-group DT_FW0937A_1 + } + port 22 + } + protocol tcp + source { + address 83.135.134.13 + } + } + rule 2207 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.112.64 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.112.64 + } + } + rule 2208 { + action accept + description FW6CD7E_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6CD7E_2 + } + port 53 + } + protocol tcp_udp + } + rule 2209 { + action accept + description FW1F3D0_6-TCP-ALLOW-194.73.17.47 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 194.73.17.47 + } + } + rule 2210 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.115.33 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.115.33 + } + } + rule 2211 { + action accept + description FWA3EA3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA3EA3_1 + } + port 943 + } + protocol tcp + } + rule 2212 { + action accept + description FW6863A_4-TCP-ALLOW-82.165.100.25 + destination { + group { + address-group DT_FW6863A_4 + } + port 21-10000 + } + protocol tcp + source { + address 82.165.100.25 + } + } + rule 2213 { + action accept + description FWECBFB_14-TCP-ALLOW-109.228.59.50 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 109.228.59.50 + } + } + rule 2214 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.100 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.100 + } + } + rule 2215 { + action accept + description FWD7EAB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD7EAB_1 + } + port 60000-60100 + } + protocol tcp + } + rule 2216 { + action accept + description FWEB321_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEB321_1 + } + port 113,4190 + } + protocol tcp + } + rule 2217 { + action accept + description FW9C682_3-TCP-ALLOW-195.206.180.132 + destination { + group { + address-group DT_FW9C682_3 + } + port 8443,22 + } + protocol tcp + source { + address 195.206.180.132 + } + } + rule 2218 { + action accept + description VPN-8159-ANY-ALLOW-10.4.58.91 + destination { + group { + address-group DT_VPN-8159 + } + } + source { + address 10.4.58.91 + } + } + rule 2219 { + action accept + description VPN-21673-ANY-ALLOW-10.4.88.187 + destination { + group { + address-group DT_VPN-21673 + } + } + source { + address 10.4.88.187 + } + } + rule 2220 { + action accept + description VPN-21673-ANY-ALLOW-10.4.89.187 + destination { + group { + address-group DT_VPN-21673 + } + } + source { + address 10.4.89.187 + } + } + rule 2221 { + action accept + description VPN-21821-ANY-ALLOW-10.4.88.49 + destination { + group { + address-group DT_VPN-21821 + } + } + source { + address 10.4.88.49 + } + } + rule 2222 { + action accept + description VPN-21821-ANY-ALLOW-10.4.89.49 + destination { + group { + address-group DT_VPN-21821 + } + } + source { + address 10.4.89.49 + } + } + rule 2223 { + action accept + description FWECBFB_14-TCP-ALLOW-81.133.80.58 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 81.133.80.58 + } + } + rule 2224 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.238 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.238 + } + } + rule 2225 { + action accept + description FW826BA_3-TCP-ALLOW-185.212.168.51 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 185.212.168.51 + } + } + rule 2226 { + action accept + description FW8B21D_1-ANY-ALLOW-212.187.250.2 + destination { + group { + address-group DT_FW8B21D_1 + } + } + source { + address 212.187.250.2 + } + } + rule 2227 { + action accept + description FW35F7B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW35F7B_1 + } + port 1434 + } + protocol tcp_udp + } + rule 2228 { + action accept + description FWD338A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD338A_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2229 { + action accept + description FW35F7B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW35F7B_1 + } + port 56791 + } + protocol tcp + } + rule 2230 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.77.114 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.77.114 + } + } + rule 2231 { + action accept + description FW90AE3_1-TCP-ALLOW-194.74.137.17 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 194.74.137.17 + } + } + rule 2232 { + action accept + description FW52F6F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW52F6F_1 + } + port 53 + } + protocol tcp_udp + } + rule 2233 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.23.109 + } + } + rule 2234 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.247 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.247 + } + } + rule 2235 { + action accept + description FW4E314_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4E314_1 + } + port 53 + } + protocol tcp_udp + } + rule 2236 { + action accept + description FW73573_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73573_2 + } + port 25 + } + protocol tcp_udp + } + rule 2237 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.93.89 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.93.89 + } + } + rule 2238 { + action accept + description FW856FA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW856FA_1 + } + port 6003 + } + protocol tcp + } + rule 2239 { + action accept + description FWECBFB_14-TCP-ALLOW-81.19.214.155 + destination { + group { + address-group DT_FWECBFB_14 + } + port 22 + } + protocol tcp + source { + address 81.19.214.155 + } + } + rule 2240 { + action accept + description FW826BA_3-TCP-ALLOW-51.219.168.170 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,1433,21 + } + protocol tcp + source { + address 51.219.168.170 + } + } + rule 2241 { + action accept + description FW30D21_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW30D21_1 + } + port 2083-2087,53,2812,2096,25,993,587 + } + protocol tcp_udp + } + rule 2242 { + action accept + description FWA076E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA076E_1 + } + port 2199,2197 + } + protocol tcp + } + rule 2243 { + action accept + description FWA076E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA076E_1 + } + port 8000-8010 + } + protocol tcp_udp + } + rule 2244 { + action accept + description FW8A3FC_3-TCP-ALLOW-82.165.166.41 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 8447,8443,443,80,22 + } + protocol tcp + source { + address 82.165.166.41 + } + } + rule 2245 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.180 + destination { + group { + address-group DT_FW2F868_6 + } + port 22,80 + } + protocol tcp + source { + address 213.171.217.180 + } + } + rule 2246 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2247 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.185 + destination { + group { + address-group DT_FW2F868_6 + } + port 22 + } + protocol tcp + source { + address 213.171.217.185 + } + } + rule 2248 { + action accept + description FW2F868_6-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2F868_6 + } + port 161 + } + protocol udp + } + rule 2249 { + action accept + description FW2F868_6-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FW2F868_6 + } + port 22,24 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2250 { + action accept + description FW9C682_3-TCP-ALLOW-80.194.78.162 + destination { + group { + address-group DT_FW9C682_3 + } + port 8443,22 + } + protocol tcp + source { + address 80.194.78.162 + } + } + rule 2251 { + action accept + description VPN-21822-ANY-ALLOW-10.4.54.47 + destination { + group { + address-group DT_VPN-21822 + } + } + source { + address 10.4.54.47 + } + } + rule 2252 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.75.244 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 77.68.75.244 + } + } + rule 2253 { + action accept + description FW2B279_4-TCP-ALLOW-195.147.173.92 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 195.147.173.92 + } + } + rule 2254 { + action accept + description FW1D511_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1D511_2 + } + port 8090 + } + protocol tcp + } + rule 2255 { + action accept + description FW8A3FC_3-TCP-ALLOW-85.17.25.47 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 85.17.25.47 + } + } + rule 2256 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.89.209 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.89.209 + } + } + rule 2257 { + action accept + description FWE2AB5_8-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWE2AB5_8 + } + port 7000 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2258 { + action accept + description FW0E383_9-TCP-ALLOW-77.68.94.177 + destination { + group { + address-group DT_FW0E383_9 + } + port 1433 + } + protocol tcp + source { + address 77.68.94.177 + } + } + rule 2259 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.95.129 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306,22 + } + protocol tcp + source { + address 77.68.95.129 + } + } + rule 2260 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.136 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.136 + } + } + rule 2261 { + action accept + description FW1FA9E_1-TCP-ALLOW-78.88.254.99 + destination { + group { + address-group DT_FW1FA9E_1 + } + port 9000,8200,5601,4444 + } + protocol tcp + source { + address 78.88.254.99 + } + } + rule 2262 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.27 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.46.27 + } + } + rule 2263 { + action accept + description FWA7A50_1-TCP-ALLOW-81.110.192.198 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp + source { + address 81.110.192.198 + } + } + rule 2264 { + action accept + description VPN-21822-ANY-ALLOW-10.4.55.47 + destination { + group { + address-group DT_VPN-21822 + } + } + source { + address 10.4.55.47 + } + } + rule 2265 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.31.195 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.31.195 + } + } + rule 2266 { + action accept + description FW45BEB_1-TCP-ALLOW-62.3.71.238 + destination { + group { + address-group DT_FW45BEB_1 + } + port 3389 + } + protocol tcp + source { + address 62.3.71.238 + } + } + rule 2267 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.113 + } + } + rule 2268 { + action accept + description VPN-23946-ANY-ALLOW-10.4.58.13 + destination { + group { + address-group DT_VPN-23946 + } + } + source { + address 10.4.58.13 + } + } + rule 2269 { + action accept + description FW98818_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW98818_1 + } + port 27015 + } + protocol tcp + } + rule 2270 { + action accept + description VPN-23946-ANY-ALLOW-10.4.59.13 + destination { + group { + address-group DT_VPN-23946 + } + } + source { + address 10.4.59.13 + } + } + rule 2271 { + action accept + description VPN-28031-ANY-ALLOW-10.4.88.197 + destination { + group { + address-group DT_VPN-28031 + } + } + source { + address 10.4.88.197 + } + } + rule 2272 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.231 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.231 + } + } + rule 2273 { + action accept + description FW5A5D7_3-TCP_UDP-ALLOW-51.219.222.28 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 500 + } + protocol tcp_udp + source { + address 51.219.222.28 + } + } + rule 2274 { + action accept + description FW32EFF_25-TCP-ALLOW-185.106.220.231 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 185.106.220.231 + } + } + rule 2275 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.118.66 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.118.66 + } + } + rule 2276 { + action accept + description FW934AE_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 1194 + } + protocol udp + } + rule 2277 { + action accept + description VPN-28031-ANY-ALLOW-10.4.89.197 + destination { + group { + address-group DT_VPN-28031 + } + } + source { + address 10.4.89.197 + } + } + rule 2278 { + action accept + description FW6863A_4-TCP_UDP-ALLOW-82.165.166.41 + destination { + group { + address-group DT_FW6863A_4 + } + port 21-10000 + } + protocol tcp_udp + source { + address 82.165.166.41 + } + } + rule 2279 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.104.119.162 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.104.119.162 + } + } + rule 2280 { + action accept + description FW1F3D0_6-TCP-ALLOW-109.74.199.143 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 109.74.199.143 + } + } + rule 2281 { + action accept + description FW1F3D0_6-TCP-ALLOW-185.92.25.48 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 185.92.25.48 + } + } + rule 2282 { + action accept + description FW1F3D0_6-TCP-ALLOW-207.148.2.40 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 207.148.2.40 + } + } + rule 2283 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.235.62 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.235.62 + } + } + rule 2284 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.236.93 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.236.93 + } + } + rule 2285 { + action accept + description FW1F3D0_6-TCP-ALLOW-45.76.59.5 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 45.76.59.5 + } + } + rule 2286 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.15.134 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.15.134 + } + } + rule 2287 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.22.208 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.22.208 + } + } + rule 2288 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.108 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.23.108 + } + } + rule 2289 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.23.54 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.23.54 + } + } + rule 2290 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.30.45 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.30.45 + } + } + rule 2291 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.7.198 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.7.198 + } + } + rule 2292 { + action accept + description VPN-29631-ANY-ALLOW-10.4.54.76 + destination { + group { + address-group DT_VPN-29631 + } + } + source { + address 10.4.54.76 + } + } + rule 2293 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.89.200 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 77.68.89.200 + } + } + rule 2294 { + action accept + description FW1F3D0_6-TCP-ALLOW-77.68.91.50 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 77.68.91.50 + } + } + rule 2295 { + action accept + description FW1F3D0_6-TCP-ALLOW-82.165.206.230 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 82.165.206.230 + } + } + rule 2296 { + action accept + description FW1F3D0_6-TCP-ALLOW-82.165.207.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4444,3306 + } + protocol tcp + source { + address 82.165.207.109 + } + } + rule 2297 { + action accept + description FW1F3D0_6-TCP-ALLOW-94.196.156.5 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 3306 + } + protocol tcp + source { + address 94.196.156.5 + } + } + rule 2298 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.15.134 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.15.134 + } + } + rule 2299 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.22.208 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.22.208 + } + } + rule 2300 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.23.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.23.109 + } + } + rule 2301 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-77.68.89.200 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 77.68.89.200 + } + } + rule 2302 { + action accept + description FW05339_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW05339_1 + } + port 8085,5055,5013,5005,444 + } + protocol tcp + } + rule 2303 { + action accept + description FW32EFF_25-TCP-ALLOW-217.169.61.164 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 217.169.61.164 + } + } + rule 2304 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.65.45 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.65.45 + } + } + rule 2305 { + action accept + description VPN-13983-ANY-ALLOW-10.4.58.176 + destination { + group { + address-group DT_VPN-13983 + } + } + source { + address 10.4.58.176 + } + } + rule 2306 { + action accept + description FWDAF47_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWDAF47_1 + } + port 8090,7080,443,53 + } + protocol tcp_udp + } + rule 2307 { + action accept + description VPN-29631-ANY-ALLOW-10.4.55.77 + destination { + group { + address-group DT_VPN-29631 + } + } + source { + address 10.4.55.77 + } + } + rule 2308 { + action accept + description VPN-34309-ANY-ALLOW-10.4.58.142 + destination { + group { + address-group DT_VPN-34309 + } + } + source { + address 10.4.58.142 + } + } + rule 2309 { + action accept + description FW27949_2-TCP-ALLOW-138.124.142.180 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 138.124.142.180 + } + } + rule 2310 { + action accept + description FWF8F85_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF8F85_1 + } + port 3306 + } + protocol tcp_udp + } + rule 2311 { + action accept + description FWDAF47_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDAF47_1 + } + port 40110-40210 + } + protocol tcp + } + rule 2312 { + action accept + description VPN-34309-ANY-ALLOW-10.4.59.142 + destination { + group { + address-group DT_VPN-34309 + } + } + source { + address 10.4.59.142 + } + } + rule 2313 { + action accept + description FWA0531_1-TCP-ALLOW-87.224.39.220 + destination { + group { + address-group DT_FWA0531_1 + } + port 22 + } + protocol tcp + source { + address 87.224.39.220 + } + } + rule 2314 { + action accept + description FW5A5D7_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5A5D7_3 + } + port 1334 + } + protocol tcp + } + rule 2315 { + action accept + description FW8C927_1-TCP_UDP-ALLOW-84.92.125.78 + destination { + group { + address-group DT_FW8C927_1 + } + port 3306,22 + } + protocol tcp_udp + source { + address 84.92.125.78 + } + } + rule 2316 { + action accept + description FW8C927_1-TCP_UDP-ALLOW-88.208.238.152 + destination { + group { + address-group DT_FW8C927_1 + } + port 3306,22 + } + protocol tcp_udp + source { + address 88.208.238.152 + } + } + rule 2317 { + action accept + description FW81138_1-ICMP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 82.165.232.19 + } + } + rule 2318 { + action accept + description FW28892_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW28892_1 + } + port 7000 + } + protocol tcp + } + rule 2319 { + action accept + description FWC96A1_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC96A1_1 + } + port 222 + } + protocol tcp + } + rule 2320 { + action accept + description VPN-13983-ANY-ALLOW-10.4.59.176 + destination { + group { + address-group DT_VPN-13983 + } + } + source { + address 10.4.59.176 + } + } + rule 2321 { + action accept + description FW2FB61_1-TCP-ALLOW-5.183.104.15 + destination { + group { + address-group DT_FW2FB61_1 + } + port 22 + } + protocol tcp + source { + address 5.183.104.15 + } + } + rule 2322 { + action accept + description FW81138_1-ICMP-ALLOW-82.20.69.137 + destination { + group { + address-group DT_FW81138_1 + } + } + protocol icmp + source { + address 82.20.69.137 + } + } + rule 2323 { + action accept + description FW72F37_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW72F37_1 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2324 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-81.111.155.34 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 81.111.155.34 + } + } + rule 2325 { + action accept + description VPN-20306-ANY-ALLOW-10.4.88.173 + destination { + group { + address-group DT_VPN-20306 + } + } + source { + address 10.4.88.173 + } + } + rule 2326 { + action accept + description FW6C992_1-TCP-ALLOW-89.33.185.0_24 + destination { + group { + address-group DT_FW6C992_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 89.33.185.0/24 + } + } + rule 2327 { + action accept + description FW2FB61_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2FB61_1 + } + port 45000 + } + protocol tcp + } + rule 2328 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.202 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.46.202 + } + } + rule 2329 { + action accept + description FWF9C28_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF9C28_2 + } + port 7770-7800,44445 + } + protocol tcp + } + rule 2330 { + action accept + description FW3DBF8_9-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 8088,8080,5090,5060,3478,1935 + } + protocol tcp_udp + } + rule 2331 { + action accept + description FW3DBF8_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 5062,5061,5015,5001 + } + protocol tcp + } + rule 2332 { + action accept + description VPN-16402-ANY-ALLOW-10.4.88.60 + destination { + group { + address-group DT_VPN-16402 + } + } + source { + address 10.4.88.60 + } + } + rule 2333 { + action accept + description FWC1315_1-TCP-ALLOW-62.3.71.238 + destination { + group { + address-group DT_FWC1315_1 + } + port 3389 + } + protocol tcp + source { + address 62.3.71.238 + } + } + rule 2334 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7A50_1 + } + port 8001,80 + } + protocol tcp_udp + } + rule 2335 { + action accept + description FWAFF0A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAFF0A_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2336 { + action accept + description FW2B279_4-TCP-ALLOW-195.20.253.19 + destination { + group { + address-group DT_FW2B279_4 + } + port 22 + } + protocol tcp + source { + address 195.20.253.19 + } + } + rule 2337 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.73 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.73 + } + } + rule 2338 { + action accept + description VPN-16402-ANY-ALLOW-10.4.89.60 + destination { + group { + address-group DT_VPN-16402 + } + } + source { + address 10.4.89.60 + } + } + rule 2339 { + action accept + description VPN-15951-ANY-ALLOW-10.4.86.90 + destination { + group { + address-group DT_VPN-15951 + } + } + source { + address 10.4.86.90 + } + } + rule 2340 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.77.181 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.77.181 + } + } + rule 2341 { + action accept + description FWE9F7D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE9F7D_1 + } + port 4035 + } + protocol tcp + } + rule 2342 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.131 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.131 + } + } + rule 2343 { + action accept + description VPN-15951-ANY-ALLOW-10.4.87.90 + destination { + group { + address-group DT_VPN-15951 + } + } + source { + address 10.4.87.90 + } + } + rule 2344 { + action accept + description FW2BB8D_1-TCP-ALLOW-77.68.93.190 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 77.68.93.190 + } + } + rule 2345 { + action accept + description VPN-8159-ANY-ALLOW-10.4.59.91 + destination { + group { + address-group DT_VPN-8159 + } + } + source { + address 10.4.59.91 + } + } + rule 2346 { + action accept + description VPN-12870-ANY-ALLOW-10.4.54.67 + destination { + group { + address-group DT_VPN-12870 + } + } + source { + address 10.4.54.67 + } + } + rule 2347 { + action accept + description FW930F3_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW930F3_1 + } + port 53 + } + protocol tcp_udp + } + rule 2348 { + action accept + description FW12C32_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW12C32_1 + } + port 465,53,25 + } + protocol tcp_udp + } + rule 2349 { + action accept + description FW28EC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW28EC8_1 + } + port 20443 + } + protocol tcp + } + rule 2350 { + action accept + description VPN-12870-ANY-ALLOW-10.4.55.68 + destination { + group { + address-group DT_VPN-12870 + } + } + source { + address 10.4.55.68 + } + } + rule 2351 { + action accept + description FW934AE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 32401,32400,8081 + } + protocol tcp_udp + } + rule 2352 { + action accept + description FW6863A_4-TCP-ALLOW-185.173.161.154 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 185.173.161.154 + } + } + rule 2353 { + action accept + description FW013EF_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW013EF_2 + } + port 10600-10998,9000-9398,5090,5060-5070 + } + protocol udp + } + rule 2354 { + action accept + description FW85040_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85040_1 + } + port 3210 + } + protocol tcp_udp + } + rule 2355 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-131.153.100.98 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 131.153.100.98 + } + } + rule 2356 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-213.133.99.176 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 213.133.99.176 + } + } + rule 2357 { + action accept + description FW6EFD7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6EFD7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2358 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-62.253.153.163 + destination { + group { + address-group DT_FW8B21D_1 + } + port 8443,22 + } + protocol tcp_udp + source { + address 62.253.153.163 + } + } + rule 2359 { + action accept + description FWCB0CF_7-TCP-ALLOW-212.159.153.201 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 6443,5432-5434,5000-5100,3306-3308,990,989,22,21 + } + protocol tcp + source { + address 212.159.153.201 + } + } + rule 2360 { + action accept + description FW75CA4_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW75CA4_6 + } + port 51472,3747,3420 + } + protocol tcp + } + rule 2361 { + action accept + description FWF9C28_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF9C28_4 + } + port 23,7770-7800,44445,6109 + } + protocol tcp + } + rule 2362 { + action accept + description FW6B39D_1-TCP-ALLOW-120.72.95.88_29 + destination { + group { + address-group DT_FW6B39D_1 + } + port 3306 + } + protocol tcp + source { + address 120.72.95.88/29 + } + } + rule 2363 { + action accept + description FW934AE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW934AE_1 + } + port 20000 + } + protocol tcp + } + rule 2364 { + action accept + description FW12C32_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW12C32_1 + } + port 2323,953 + } + protocol tcp + } + rule 2365 { + action accept + description FW49897_1-TCP-ALLOW-2.121.90.207 + destination { + group { + address-group DT_FW49897_1 + } + port 22 + } + protocol tcp + source { + address 2.121.90.207 + } + } + rule 2366 { + action accept + description FW6B39D_1-TCP-ALLOW-120.72.91.104_29 + destination { + group { + address-group DT_FW6B39D_1 + } + port 3306 + } + protocol tcp + source { + address 120.72.91.104/29 + } + } + rule 2367 { + action accept + description FW4F5EE_10-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4F5EE_10 + } + port 83,86,82 + } + protocol tcp + } + rule 2368 { + action accept + description FWF791C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF791C_1 + } + port 6001 + } + protocol tcp + } + rule 2369 { + action accept + description FWEF92E_5-ESP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 109.228.37.19 + } + } + rule 2370 { + action accept + description FWE57AD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE57AD_1 + } + port 57000-58000 + } + protocol tcp + } + rule 2371 { + action accept + description FWC0CE0_1-TCP-ALLOW-62.232.209.221 + destination { + group { + address-group DT_FWC0CE0_1 + } + port 49152-65535,8447,8443,22,21 + } + protocol tcp + source { + address 62.232.209.221 + } + } + rule 2372 { + action accept + description FW0192C_1-TCP-ALLOW-41.140.242.86 + destination { + group { + address-group DT_FW0192C_1 + } + port 3306,22 + } + protocol tcp + source { + address 41.140.242.86 + } + } + rule 2373 { + action accept + description FWEEC75_1-TCP-ALLOW-54.171.71.110 + destination { + group { + address-group DT_FWEEC75_1 + } + port 21 + } + protocol tcp + source { + address 54.171.71.110 + } + } + rule 2374 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-95.149.182.69 + destination { + group { + address-group DT_FW8B21D_1 + } + port 22 + } + protocol tcp_udp + source { + address 95.149.182.69 + } + } + rule 2375 { + action accept + description FW8B21D_1-TCP-ALLOW-185.201.16.0_22 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 185.201.16.0/22 + } + } + rule 2376 { + action accept + description FW8B21D_1-TCP-ALLOW-213.133.99.176 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 213.133.99.176 + } + } + rule 2377 { + action accept + description FW8B21D_1-TCP-ALLOW-95.211.160.147 + destination { + group { + address-group DT_FW8B21D_1 + } + port 25 + } + protocol tcp + source { + address 95.211.160.147 + } + } + rule 2378 { + action accept + description FW6863A_4-TCP-ALLOW-212.227.9.72 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 212.227.9.72 + } + } + rule 2379 { + action accept + description FW8B21D_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + } + protocol esp + } + rule 2380 { + action accept + description FW8B21D_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + } + protocol ah + } + rule 2381 { + action accept + description FW8B21D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + port 8181,4500,1194,993,941,500,53 + } + protocol tcp_udp + } + rule 2382 { + action accept + description FW6863A_4-TCP-ALLOW-85.17.25.47 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 85.17.25.47 + } + } + rule 2383 { + action accept + description FW6863A_4-TCP-ALLOW-91.232.105.39 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 91.232.105.39 + } + } + rule 2384 { + action accept + description FW6863A_4-TCP-ALLOW-93.190.142.120 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 93.190.142.120 + } + } + rule 2385 { + action accept + description FW6863A_4-TCP-ALLOW-95.168.171.130 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.168.171.130 + } + } + rule 2386 { + action accept + description FW6863A_4-TCP-ALLOW-95.168.171.157 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.168.171.157 + } + } + rule 2387 { + action accept + description FWD4A27_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD4A27_1 + } + port 32400 + } + protocol tcp + } + rule 2388 { + action accept + description FW2ACFF_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2ACFF_1 + } + port 10299,60050-60055 + } + protocol tcp_udp + } + rule 2389 { + action accept + description FWCB0CF_7-TCP-ALLOW-193.248.62.45 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 193.248.62.45 + } + } + rule 2390 { + action accept + description FWCB0CF_7-TCP-ALLOW-78.249.208.17 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 78.249.208.17 + } + } + rule 2391 { + action accept + description FWC8E8E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC8E8E_1 + } + port 6000 + } + protocol tcp_udp + } + rule 2392 { + action accept + description FW30D21_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW30D21_1 + } + port 2476 + } + protocol tcp + } + rule 2393 { + action accept + description FW0192C_1-TCP-ALLOW-41.140.242.94 + destination { + group { + address-group DT_FW0192C_1 + } + port 3306,22 + } + protocol tcp + source { + address 41.140.242.94 + } + } + rule 2394 { + action accept + description FW59F39_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW59F39_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2395 { + action accept + description FWEF92E_7-ESP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + } + protocol esp + source { + address 77.68.77.57 + } + } + rule 2396 { + action accept + description FW826BA_3-TCP-ALLOW-51.219.47.177 + destination { + group { + address-group DT_FW826BA_3 + } + port 3389,21 + } + protocol tcp + source { + address 51.219.47.177 + } + } + rule 2397 { + action accept + description FW826BA_3-TCP-ALLOW-86.172.128.50 + destination { + group { + address-group DT_FW826BA_3 + } + port 1433,21 + } + protocol tcp + source { + address 86.172.128.50 + } + } + rule 2398 { + action accept + description FW826BA_3-TCP-ALLOW-88.105.1.20 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 88.105.1.20 + } + } + rule 2399 { + action accept + description FW6863A_4-TCP-ALLOW-95.211.243.198 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.211.243.198 + } + } + rule 2400 { + action accept + description FW25843_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW25843_1 + } + port 9001,7070,5500,5488,5000,4500,4000,3500,3000,1883,1880 + } + protocol tcp + } + rule 2401 { + action accept + description FW89619_1-TCP_UDP-ALLOW-185.83.65.46 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 185.83.65.46 + } + } + rule 2402 { + action accept + description FW5858F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5858F_1 + } + port 1883 + } + protocol tcp + } + rule 2403 { + action accept + description FW826BA_3-TCP-ALLOW-95.147.108.173 + destination { + group { + address-group DT_FW826BA_3 + } + port 21 + } + protocol tcp + source { + address 95.147.108.173 + } + } + rule 2404 { + action accept + description FW9C682_3-TCP-ALLOW-52.56.193.88 + destination { + group { + address-group DT_FW9C682_3 + } + port 3306 + } + protocol tcp + source { + address 52.56.193.88 + } + } + rule 2405 { + action accept + description FW0745F_5-TCP-ALLOW-109.228.63.82 + destination { + group { + address-group DT_FW0745F_5 + } + port 5666 + } + protocol tcp + source { + address 109.228.63.82 + } + } + rule 2406 { + action accept + description FWC0CE0_1-TCP-ALLOW-90.255.228.213 + destination { + group { + address-group DT_FWC0CE0_1 + } + port 49152-65535,8443,21 + } + protocol tcp + source { + address 90.255.228.213 + } + } + rule 2407 { + action accept + description FW210E2_8-AH-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + } + protocol ah + } + rule 2408 { + action accept + description FW210E2_8-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + } + protocol esp + } + rule 2409 { + action accept + description FW210E2_8-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + port 41,62000,23,4500,50,9876,3391,88,135 + } + protocol tcp + } + rule 2410 { + action accept + description FW210E2_8-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW210E2_8 + } + port 500 + } + protocol udp + } + rule 2411 { + action accept + description VPN-8625-ANY-ALLOW-10.4.54.103 + destination { + group { + address-group DT_VPN-8625 + } + } + source { + address 10.4.54.103 + } + } + rule 2412 { + action accept + description VPN-8625-ANY-ALLOW-10.4.55.104 + destination { + group { + address-group DT_VPN-8625 + } + } + source { + address 10.4.55.104 + } + } + rule 2413 { + action accept + description FW73A64_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW73A64_1 + } + port 61616,8181,8161,8082,4244,4243,4242,4241 + } + protocol tcp + } + rule 2414 { + action accept + description VPN-19135-ANY-ALLOW-10.4.86.165 + destination { + group { + address-group DT_VPN-19135 + } + } + source { + address 10.4.86.165 + } + } + rule 2415 { + action accept + description FWCB0CF_7-TCP-ALLOW-82.65.107.3 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 22 + } + protocol tcp + source { + address 82.65.107.3 + } + } + rule 2416 { + action accept + description FWCB0CF_7-TCP-ALLOW-195.2.139.221 + destination { + group { + address-group DT_FWCB0CF_7 + } + port 5432-5434,3306-3308 + } + protocol tcp + source { + address 195.2.139.221 + } + } + rule 2417 { + action accept + description VPN-19135-ANY-ALLOW-10.4.87.165 + destination { + group { + address-group DT_VPN-19135 + } + } + source { + address 10.4.87.165 + } + } + rule 2418 { + action accept + description FW2BB8D_1-TCP-ALLOW-87.75.109.83 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 27017,5000 + } + protocol tcp + source { + address 87.75.109.83 + } + } + rule 2419 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.83 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.83 + } + } + rule 2420 { + action accept + description FW2ED4D_2-TCP-ALLOW-84.92.65.192 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 22 + } + protocol tcp + source { + address 84.92.65.192 + } + } + rule 2421 { + action accept + description FW73A64_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73A64_1 + } + port 9200,5601,4247,4246,4245 + } + protocol tcp_udp + } + rule 2422 { + action accept + description FW4735F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4735F_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2423 { + action accept + description FW2ED4D_2-TCP-ALLOW-109.176.154.238 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 109.176.154.238 + } + } + rule 2424 { + action accept + description FW6863A_4-TCP-ALLOW-95.211.243.206 + destination { + group { + address-group DT_FW6863A_4 + } + port 465 + } + protocol tcp + source { + address 95.211.243.206 + } + } + rule 2425 { + action accept + description FW89619_1-TCP_UDP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FW89619_1 + } + port 5060 + } + protocol tcp_udp + source { + address 81.133.80.114 + } + } + rule 2426 { + action accept + description FW89619_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 5090 + } + protocol tcp_udp + } + rule 2427 { + action accept + description FW8A57A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8A57A_1 + } + port 49155,49154,7700,53,43 + } + protocol tcp_udp + } + rule 2428 { + action accept + description FW8C72E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8C72E_1 + } + port 500,4500 + } + protocol udp + } + rule 2429 { + action accept + description FW2ED4D_2-TCP-ALLOW-18.135.66.162 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 18.135.66.162 + } + } + rule 2430 { + action accept + description FW2C5AE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2C5AE_1 + } + port 58080,58008,8545,7175 + } + protocol tcp + } + rule 2431 { + action accept + description FW2ED4D_2-TCP-ALLOW-80.209.144.52 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 80.209.144.52 + } + } + rule 2432 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.153.21.103 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 82.153.21.103 + } + } + rule 2433 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.41 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.41 + } + } + rule 2434 { + action accept + description FW0745F_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0745F_5 + } + port 32770,8001,7801 + } + protocol tcp + } + rule 2435 { + action accept + description FW85E02_11-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 5090,5060 + } + protocol tcp_udp + } + rule 2436 { + action accept + description VPN-21982-ANY-ALLOW-10.4.58.43 + destination { + group { + address-group DT_VPN-21982 + } + } + source { + address 10.4.58.43 + } + } + rule 2437 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.17.52.191 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.17.52.191 + } + } + rule 2438 { + action accept + description FW66347_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW66347_1 + } + port 53 + } + protocol tcp_udp + } + rule 2439 { + action accept + description FW11082_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW11082_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2440 { + action accept + description VPN-21982-ANY-ALLOW-10.4.59.43 + destination { + group { + address-group DT_VPN-21982 + } + } + source { + address 10.4.59.43 + } + } + rule 2441 { + action accept + description FW2BB8D_1-TCP-ALLOW-92.207.193.203 + destination { + group { + address-group DT_FW2BB8D_1 + } + port 5000 + } + protocol tcp + source { + address 92.207.193.203 + } + } + rule 2442 { + action accept + description FWC2D30_1-TCP-ALLOW-77.99.253.161 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22,21 + } + protocol tcp + source { + address 77.99.253.161 + } + } + rule 2443 { + action accept + description FW0E383_9-TCP-ALLOW-77.99.245.103 + destination { + group { + address-group DT_FW0E383_9 + } + port 3389 + } + protocol tcp + source { + address 77.99.245.103 + } + } + rule 2444 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.19.19.52 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 7990,3389 + } + protocol tcp + source { + address 82.19.19.52 + } + } + rule 2445 { + action accept + description FWEF92E_7-AH-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + } + protocol ah + source { + address 77.68.77.57 + } + } + rule 2446 { + action accept + description VPN-16450-ANY-ALLOW-10.4.88.99 + destination { + group { + address-group DT_VPN-16450 + } + } + source { + address 10.4.88.99 + } + } + rule 2447 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.2.186.129 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.2.186.129 + } + } + rule 2448 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.157 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.215.157 + } + } + rule 2449 { + action accept + description FW8EA04_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8EA04_1 + } + port 1194 + } + protocol udp + } + rule 2450 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.21.59.207 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.21.59.207 + } + } + rule 2451 { + action accept + description FWC2D30_1-TCP-ALLOW-82.9.22.158 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 82.9.22.158 + } + } + rule 2452 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF3A1B_1 + } + port 1981,53 + } + protocol tcp_udp + } + rule 2453 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.11.54 + } + } + rule 2454 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.40.177.186 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.40.177.186 + } + } + rule 2455 { + action accept + description FW0C25B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0C25B_1 + } + port 49152-65535,5224 + } + protocol tcp + } + rule 2456 { + action accept + description FW85A7C_1-TCP-ALLOW-82.24.242.137 + destination { + group { + address-group DT_FW85A7C_1 + } + port 22 + } + protocol tcp + source { + address 82.24.242.137 + } + } + rule 2457 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.68.25.66 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.68.25.66 + } + } + rule 2458 { + action accept + description FW826BA_3-TCP-ALLOW-51.89.148.173 + destination { + group { + address-group DT_FW826BA_3 + } + port 1433 + } + protocol tcp + source { + address 51.89.148.173 + } + } + rule 2459 { + action accept + description FWA69A0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA69A0_1 + } + port 48402 + } + protocol udp + } + rule 2460 { + action accept + description FW2ED4D_2-TCP-ALLOW-82.69.79.85 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 82.69.79.85 + } + } + rule 2461 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.77.149 + } + } + rule 2462 { + action accept + description FWEF92E_6-ESP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + } + protocol esp + source { + address 77.68.77.57 + } + } + rule 2463 { + action accept + description FWEF92E_7-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2464 { + action accept + description FW49C3D_4-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445,443,80 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2465 { + action accept + description FW49C3D_6-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2466 { + action accept + description FW34C91_3-TCP-ALLOW-77.68.121.4 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 77.68.121.4 + } + } + rule 2467 { + action accept + description VPN-16450-ANY-ALLOW-10.4.89.99 + destination { + group { + address-group DT_VPN-16450 + } + } + source { + address 10.4.89.99 + } + } + rule 2468 { + action accept + description FW0BB22_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + } + protocol ah + } + rule 2469 { + action accept + description FW2ED4D_2-TCP-ALLOW-86.139.57.116 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 86.139.57.116 + } + } + rule 2470 { + action accept + description FW9E550_1-TCP-ALLOW-86.142.67.13 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 86.142.67.13 + } + } + rule 2471 { + action accept + description FW8B21D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8B21D_1 + } + port 2096,2095,2087,2086,2083,2082 + } + protocol tcp + } + rule 2472 { + action accept + description FW050AC_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW050AC_1 + } + port 2087 + } + protocol tcp + } + rule 2473 { + action accept + description FW1FA9E_1-TCP-ALLOW-109.228.50.206 + destination { + group { + address-group DT_FW1FA9E_1 + } + port 5432 + } + protocol tcp + source { + address 109.228.50.206 + } + } + rule 2474 { + action accept + description FW8A3FC_3-TCP-ALLOW-217.23.11.155 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 217.23.11.155 + } + } + rule 2475 { + action accept + description FW2ED4D_2-TCP-ALLOW-88.96.110.198 + destination { + group { + address-group DT_FW2ED4D_2 + } + port 3389 + } + protocol tcp + source { + address 88.96.110.198 + } + } + rule 2476 { + action accept + description FWEAE53_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEAE53_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2477 { + action accept + description VPN-19474-ANY-ALLOW-10.4.88.161 + destination { + group { + address-group DT_VPN-19474 + } + } + source { + address 10.4.88.161 + } + } + rule 2478 { + action accept + description VPN-19474-ANY-ALLOW-10.4.89.161 + destination { + group { + address-group DT_VPN-19474 + } + } + source { + address 10.4.89.161 + } + } + rule 2479 { + action accept + description FW90AE3_1-TCP-ALLOW-68.33.220.233 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 68.33.220.233 + } + } + rule 2480 { + action accept + description FWC2D30_1-TCP-ALLOW-86.10.163.127 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 86.10.163.127 + } + } + rule 2481 { + action accept + description FW2FB61_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2FB61_1 + } + port 60182 + } + protocol udp + } + rule 2482 { + action accept + description FW85A7C_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85A7C_1 + } + port 2457,2456 + } + protocol tcp_udp + } + rule 2483 { + action accept + description FWBED52_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBED52_1 + } + port 1221,9000 + } + protocol tcp + } + rule 2484 { + action accept + description FWA86ED_101-TCP-ALLOW-90.250.2.109 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 90.250.2.109 + } + } + rule 2485 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.49 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.213.49 + } + } + rule 2486 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.77.70 + } + } + rule 2487 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.250 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.250 + } + } + rule 2488 { + action accept + description FW8A3FC_3-TCP-ALLOW-95.168.171.131 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 95.168.171.131 + } + } + rule 2489 { + action accept + description FW2379F_14-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + port 48030,10997,10993,10992,10991,10902,1723,1701 + } + protocol tcp + } + rule 2490 { + action accept + description FW8C927_1-TCP-ALLOW-84.92.125.78 + destination { + group { + address-group DT_FW8C927_1 + } + port 80 + } + protocol tcp + source { + address 84.92.125.78 + } + } + rule 2491 { + action accept + description FWC2D30_1-TCP-ALLOW-86.146.220.229 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 86.146.220.229 + } + } + rule 2492 { + action accept + description FW2B279_4-TCP-ALLOW-2.218.5.59 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 2.218.5.59 + } + } + rule 2493 { + action accept + description VPN-18830-ANY-ALLOW-10.4.86.156 + destination { + group { + address-group DT_VPN-18830 + } + } + source { + address 10.4.86.156 + } + } + rule 2494 { + action accept + description VPN-18830-ANY-ALLOW-10.4.87.156 + destination { + group { + address-group DT_VPN-18830 + } + } + source { + address 10.4.87.156 + } + } + rule 2495 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.92.33 + } + } + rule 2496 { + action accept + description FWA86ED_101-TCP-ALLOW-146.198.100.105 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 146.198.100.105 + } + } + rule 2497 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.55 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.211.55 + } + } + rule 2498 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.84.113 + } + } + rule 2499 { + action accept + description FW8C72E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8C72E_1 + } + port 60134,60135 + } + protocol tcp + } + rule 2500 { + action accept + description FWAB44B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAB44B_1 + } + port 3306 + } + protocol tcp_udp + } + rule 2501 { + action accept + description FW2379F_14-TCP-ALLOW-51.148.87.29 + destination { + group { + address-group DT_FW2379F_14 + } + port 3389,21 + } + protocol tcp + source { + address 51.148.87.29 + } + } + rule 2502 { + action accept + description VPN-23738-ANY-ALLOW-10.4.56.13 + destination { + group { + address-group DT_VPN-23738 + } + } + source { + address 10.4.56.13 + } + } + rule 2503 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.100 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.100 + } + } + rule 2504 { + action accept + description FW996B4_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW996B4_2 + } + port 43595,30160 + } + protocol tcp + } + rule 2505 { + action accept + description FW8871B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8871B_1 + } + port 15672,8083,8082,8081,5672 + } + protocol tcp + } + rule 2506 { + action accept + description FWAB44B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAB44B_1 + } + port 9090,8069,5432 + } + protocol tcp + } + rule 2507 { + action accept + description FW6187E_1-ICMP-ALLOW-85.214.201.250 + destination { + group { + address-group DT_FW6187E_1 + } + } + protocol icmp + source { + address 85.214.201.250 + } + } + rule 2508 { + action accept + description FW8A3FC_3-TCP-ALLOW-217.23.11.126 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 217.23.11.126 + } + } + rule 2509 { + action accept + description FW78137_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW78137_1 + } + port 1-65535 + } + protocol tcp + } + rule 2510 { + action accept + description FW32EFF_25-TCP-ALLOW-46.252.65.10 + destination { + group { + address-group DT_FW32EFF_25 + } + port 443 + } + protocol tcp + source { + address 46.252.65.10 + } + } + rule 2511 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.50 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.50 + } + } + rule 2512 { + action accept + description FW6A684_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6A684_1 + } + port 53 + } + protocol tcp_udp + } + rule 2513 { + action accept + description FWF48EB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF48EB_1 + } + port 9204,9202,3395 + } + protocol tcp + } + rule 2514 { + action accept + description FW44217_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 443,80 + } + protocol tcp_udp + } + rule 2515 { + action accept + description FW6187E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6187E_1 + } + port 2282 + } + protocol tcp + } + rule 2516 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.58 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.58 + } + } + rule 2517 { + action accept + description VPN-34501-ANY-ALLOW-10.4.86.235 + destination { + group { + address-group DT_VPN-34501 + } + } + source { + address 10.4.86.235 + } + } + rule 2518 { + action accept + description FW1271A_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1271A_2 + } + port 5090,5061,5060,5015,5001 + } + protocol tcp + } + rule 2519 { + action accept + description FW1271A_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1271A_2 + } + port 9000-10999,5090,5060 + } + protocol udp + } + rule 2520 { + action accept + description FW1226C_3-TCP-ALLOW-216.113.160.71 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 216.113.160.71 + } + } + rule 2521 { + action accept + description FW32EFF_16-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_16 + } + port 33888 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 2522 { + action accept + description FW03F2E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW03F2E_1 + } + port 1194 + } + protocol udp + } + rule 2523 { + action accept + description FW03F2E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW03F2E_1 + } + port 4432,4431,4430 + } + protocol tcp + } + rule 2524 { + action accept + description FW1226C_3-TCP-ALLOW-216.113.162.65 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 216.113.162.65 + } + } + rule 2525 { + action accept + description VPN-20306-ANY-ALLOW-10.4.89.173 + destination { + group { + address-group DT_VPN-20306 + } + } + source { + address 10.4.89.173 + } + } + rule 2526 { + action accept + description FW8A49A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8A49A_1 + } + port 2525,8448-65535 + } + protocol tcp + } + rule 2527 { + action accept + description FWD3431_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD3431_2 + } + port 43595,30377,30289 + } + protocol tcp + } + rule 2528 { + action accept + description FW1226C_3-TCP-ALLOW-66.135.200.200 + destination { + group { + address-group DT_FW1226C_3 + } + port 80,22 + } + protocol tcp + source { + address 66.135.200.200 + } + } + rule 2529 { + action accept + description FW1226C_3-TCP-ALLOW-193.28.178.38 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 193.28.178.38 + } + } + rule 2530 { + action accept + description FWAE88B_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAE88B_1 + } + port 65432,8080,7300,1195,1194,993,587,465,443,442,143,110,80,53,22 + } + protocol tcp_udp + } + rule 2531 { + action accept + description FW1226C_3-TCP-ALLOW-195.234.136.80 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 195.234.136.80 + } + } + rule 2532 { + action accept + description FW1226C_3-TCP-ALLOW-93.94.41.83 + destination { + group { + address-group DT_FW1226C_3 + } + port 80 + } + protocol tcp + source { + address 93.94.41.83 + } + } + rule 2533 { + action accept + description VPN-6103-ANY-ALLOW-10.4.56.102 + destination { + group { + address-group DT_VPN-6103 + } + } + source { + address 10.4.56.102 + } + } + rule 2534 { + action accept + description VPN-6103-ANY-ALLOW-10.4.57.102 + destination { + group { + address-group DT_VPN-6103 + } + } + source { + address 10.4.57.102 + } + } + rule 2535 { + action accept + description FW9E550_1-TCP-ALLOW-86.198.190.104 + destination { + group { + address-group DT_FW9E550_1 + } + port 3389 + } + protocol tcp + source { + address 86.198.190.104 + } + } + rule 2536 { + action accept + description FW34C91_3-TCP-ALLOW-81.149.71.244 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 81.149.71.244 + } + } + rule 2537 { + action accept + description FW0BB22_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + port 27917,27017,9592,9092,1080,587 + } + protocol tcp_udp + } + rule 2538 { + action accept + description FWC2D30_1-TCP-ALLOW-89.213.26.156 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 89.213.26.156 + } + } + rule 2539 { + action accept + description FW34C91_3-UDP-ALLOW-81.149.71.244 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 81.149.71.244 + } + } + rule 2540 { + action accept + description VPN-17207-ANY-ALLOW-10.4.86.121 + destination { + group { + address-group DT_VPN-17207 + } + } + source { + address 10.4.86.121 + } + } + rule 2541 { + action accept + description FW0B352_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0B352_1 + } + port 4500,500 + } + protocol udp + } + rule 2542 { + action accept + description FW85E02_11-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 5854,5853,5061 + } + protocol tcp + } + rule 2543 { + action accept + description FW0BB22_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0BB22_1 + } + port 9200,8082 + } + protocol tcp + } + rule 2544 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.140 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.140 + } + } + rule 2545 { + action accept + description FWC2D30_1-TCP-ALLOW-91.125.244.28 + destination { + group { + address-group DT_FWC2D30_1 + } + port 21 + } + protocol tcp + source { + address 91.125.244.28 + } + } + rule 2546 { + action accept + description FWA86ED_101-TCP-ALLOW-86.172.252.221 + destination { + group { + address-group DT_FWA86ED_101 + } + port 80-3389 + } + protocol tcp + source { + address 86.172.252.221 + } + } + rule 2547 { + action accept + description FWC2D30_1-TCP-ALLOW-92.207.184.106 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,21 + } + protocol tcp + source { + address 92.207.184.106 + } + } + rule 2548 { + action accept + description FW45F3D_1-ANY-ALLOW-146.255.0.198 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 146.255.0.198 + } + } + rule 2549 { + action accept + description FWBFDED_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBFDED_1 + } + port 1723,445 + } + protocol tcp + } + rule 2550 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.227.9.72 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.227.9.72 + } + } + rule 2551 { + action accept + description FWE928F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE928F_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2552 { + action accept + description FW5CBB2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5CBB2_1 + } + port 2082,2083,2086,2087 + } + protocol tcp + } + rule 2553 { + action accept + description FW63230_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW63230_1 + } + port 445,139 + } + protocol tcp_udp + } + rule 2554 { + action accept + description FW90AE3_1-TCP-ALLOW-71.244.176.5 + destination { + group { + address-group DT_FW90AE3_1 + } + port 22 + } + protocol tcp + source { + address 71.244.176.5 + } + } + rule 2555 { + action accept + description FWA4BC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA4BC8_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2556 { + action accept + description VPN-17207-ANY-ALLOW-10.4.87.121 + destination { + group { + address-group DT_VPN-17207 + } + } + source { + address 10.4.87.121 + } + } + rule 2557 { + action accept + description VPN-17558-ANY-ALLOW-10.4.86.143 + destination { + group { + address-group DT_VPN-17558 + } + } + source { + address 10.4.86.143 + } + } + rule 2558 { + action accept + description FWB2CD2_1-TCP-ALLOW-86.167.68.241 + destination { + group { + address-group DT_FWB2CD2_1 + } + port 21 + } + protocol tcp + source { + address 86.167.68.241 + } + } + rule 2559 { + action accept + description FW32EFF_25-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_25 + } + port 33888,443 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 2560 { + action accept + description FW44217_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 9001,7946,2376 + } + protocol tcp + } + rule 2561 { + action accept + description FW7DAE2_3-TCP-ALLOW-212.227.253.11 + destination { + group { + address-group DT_FW7DAE2_3 + } + port 25,22 + } + protocol tcp + source { + address 212.227.253.11 + } + } + rule 2562 { + action accept + description FW7DAE2_3-TCP-ALLOW-217.160.126.118 + destination { + group { + address-group DT_FW7DAE2_3 + } + port 25,22 + } + protocol tcp + source { + address 217.160.126.118 + } + } + rule 2563 { + action accept + description FWAF6E8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWAF6E8_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2564 { + action accept + description FWCD7CE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCD7CE_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2565 { + action accept + description FW32EFF_16-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW32EFF_16 + } + port 47779,47778,47777,47776 + } + protocol tcp + } + rule 2566 { + action accept + description FW0745F_5-TCP-ALLOW-77.68.117.222 + destination { + group { + address-group DT_FW0745F_5 + } + port 49170 + } + protocol tcp + source { + address 77.68.117.222 + } + } + rule 2567 { + action accept + description FWC2D30_1-TCP-ALLOW-92.207.199.107 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22,21 + } + protocol tcp + source { + address 92.207.199.107 + } + } + rule 2568 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.89 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.89 + } + } + rule 2569 { + action accept + description FW8A3FC_3-TCP-ALLOW-190.2.130.41 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 190.2.130.41 + } + } + rule 2570 { + action accept + description FWFDCC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFDCC7_1 + } + port 10000 + } + protocol tcp_udp + } + rule 2571 { + action accept + description FWF19FB_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF19FB_2 + } + port 43595,40001,30616-30631,30531,30204-30435 + } + protocol tcp + } + rule 2572 { + action accept + description FW2B279_4-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2573 { + action accept + description FW4E314_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4E314_1 + } + port 21543,888 + } + protocol tcp + } + rule 2574 { + action accept + description FW73215_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73215_1 + } + port 4380 + } + protocol udp + } + rule 2575 { + action accept + description VPN-31301-ANY-ALLOW-10.4.86.223 + destination { + group { + address-group DT_VPN-31301 + } + } + source { + address 10.4.86.223 + } + } + rule 2576 { + action accept + description FW8428B_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW8428B_1 + } + port 48402 + } + protocol udp + } + rule 2577 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-185.195.124.169 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 185.195.124.169 + } + } + rule 2578 { + action accept + description FW34C91_3-UDP-ALLOW-77.68.121.4 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 77.68.121.4 + } + } + rule 2579 { + action accept + description FW73215_1-TCP-ALLOW-82.38.58.135 + destination { + group { + address-group DT_FW73215_1 + } + port 10685 + } + protocol tcp + source { + address 82.38.58.135 + } + } + rule 2580 { + action accept + description FW52F6F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW52F6F_1 + } + port 8888 + } + protocol tcp + } + rule 2581 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.86 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.86 + } + } + rule 2582 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.125.13 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.125.13 + } + } + rule 2583 { + action accept + description FWEE03C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWEE03C_1 + } + port 2087,2083 + } + protocol tcp + } + rule 2584 { + action accept + description FW748B7_1-TCP-ALLOW-157.231.123.154 + destination { + group { + address-group DT_FW748B7_1 + } + port 22 + } + protocol tcp + source { + address 157.231.123.154 + } + } + rule 2585 { + action accept + description VPN-34501-ANY-ALLOW-10.4.87.235 + destination { + group { + address-group DT_VPN-34501 + } + } + source { + address 10.4.87.235 + } + } + rule 2586 { + action accept + description FWE47DA_1-TCP-ALLOW-81.134.85.245 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 81.134.85.245 + } + } + rule 2587 { + action accept + description FWD61BF_1-ANY-ALLOW-193.237.81.213_32 + destination { + group { + address-group DT_FWD61BF_1 + } + } + source { + address 193.237.81.213/32 + } + } + rule 2588 { + action accept + description FW2B279_4-TCP-ALLOW-23.106.238.241 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 23.106.238.241 + } + } + rule 2589 { + action accept + description FW2B279_4-TCP-ALLOW-35.204.202.196 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 35.204.202.196 + } + } + rule 2590 { + action accept + description FW2B279_4-TCP-ALLOW-35.242.141.128 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,3306,22 + } + protocol tcp + source { + address 35.242.141.128 + } + } + rule 2591 { + action accept + description FWC2EF2_2-TCP-ALLOW-90.251.221.19 + destination { + group { + address-group DT_FWC2EF2_2 + } + port 995,993,587,465,143,110,25,22 + } + protocol tcp + source { + address 90.251.221.19 + } + } + rule 2592 { + action accept + description VPN-14673-ANY-ALLOW-10.4.88.44 + destination { + group { + address-group DT_VPN-14673 + } + } + source { + address 10.4.88.44 + } + } + rule 2593 { + action accept + description FWA83DF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA83DF_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2594 { + action accept + description FW31525_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW31525_6 + } + port 35467 + } + protocol tcp + } + rule 2595 { + action accept + description FW4293B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4293B_1 + } + port 9080,8888,8881,7815,8419 + } + protocol tcp + } + rule 2596 { + action accept + description FW4AE7D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4AE7D_1 + } + port 8083,81 + } + protocol tcp + } + rule 2597 { + action accept + description FWC2D30_1-TCP-ALLOW-143.52.53.22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 22 + } + protocol tcp + source { + address 143.52.53.22 + } + } + rule 2598 { + action accept + description FW44217_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW44217_2 + } + port 7946,4789 + } + protocol udp + } + rule 2599 { + action accept + description FW2B279_4-TCP-ALLOW-46.249.82.162 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 46.249.82.162 + } + } + rule 2600 { + action accept + description FW27949_2-TCP-ALLOW-80.95.202.106 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 80.95.202.106 + } + } + rule 2601 { + action accept + description FWEF92E_5-ESP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 77.68.93.82 + } + } + rule 2602 { + action accept + description FW2ACFF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2ACFF_1 + } + port 8082,5093 + } + protocol tcp + } + rule 2603 { + action accept + description FWC2EF2_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC2EF2_2 + } + port 10000,953,53 + } + protocol tcp_udp + } + rule 2604 { + action accept + description FW0C8E1_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0C8E1_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2605 { + action accept + description FWA86ED_101-TCP_UDP-ALLOW-82.5.189.5 + destination { + group { + address-group DT_FWA86ED_101 + } + port 1-65535 + } + protocol tcp_udp + source { + address 82.5.189.5 + } + } + rule 2606 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.179 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.179 + } + } + rule 2607 { + action accept + description FWEF92E_5-ESP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol esp + source { + address 88.208.198.93 + } + } + rule 2608 { + action accept + description FW5658C_1-TCP-ALLOW-39.45.43.109 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 39.45.43.109 + } + } + rule 2609 { + action accept + description FW5658C_1-TCP-ALLOW-5.67.3.195 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 5.67.3.195 + } + } + rule 2610 { + action accept + description FWDCA36_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDCA36_3 + } + port 49152-65534,5901 + } + protocol tcp + } + rule 2611 { + action accept + description FWE928F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE928F_1 + } + port 53 + } + protocol tcp_udp + } + rule 2612 { + action accept + description FW69D6D_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW69D6D_2 + } + port 5001,5090,5060,5015 + } + protocol tcp + } + rule 2613 { + action accept + description FW69D6D_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW69D6D_2 + } + port 5090,5060,9000-9500 + } + protocol udp + } + rule 2614 { + action accept + description VPN-9765-ANY-ALLOW-10.4.56.45 + destination { + group { + address-group DT_VPN-9765 + } + } + source { + address 10.4.56.45 + } + } + rule 2615 { + action accept + description VPN-9765-ANY-ALLOW-10.4.57.45 + destination { + group { + address-group DT_VPN-9765 + } + } + source { + address 10.4.57.45 + } + } + rule 2616 { + action accept + description FW4C136_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4C136_1 + } + port 1194 + } + protocol tcp_udp + } + rule 2617 { + action accept + description FW6F539_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6F539_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2618 { + action accept + description FWDD089_5-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWDD089_5 + } + port 5666-5667,12489 + } + protocol tcp_udp + } + rule 2619 { + action accept + description FWDD089_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDD089_5 + } + port 161-162 + } + protocol tcp + } + rule 2620 { + action accept + description FWEF92E_5-AH-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 109.228.37.19 + } + } + rule 2621 { + action accept + description FW0A5C4_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0A5C4_1 + } + port 9000,6697,6667,5000 + } + protocol tcp + } + rule 2622 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.11.54 + } + } + rule 2623 { + action accept + description FW2BB8D_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2BB8D_1 + } + port 7990 + } + protocol tcp + } + rule 2624 { + action accept + description FWAF6E8_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAF6E8_1 + } + port 7770-7800,44445,53 + } + protocol tcp_udp + } + rule 2625 { + action accept + description FW81286_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW81286_1 + } + port 2082,2083,2086,2087,2096 + } + protocol tcp + } + rule 2626 { + action accept + description FW05064_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW05064_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2627 { + action accept + description FWD7382_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWD7382_1 + } + port 4500,1701,500 + } + protocol udp + } + rule 2628 { + action accept + description FWD7382_1-TCP-ALLOW-174.91.7.198 + destination { + group { + address-group DT_FWD7382_1 + } + port 3389 + } + protocol tcp + source { + address 174.91.7.198 + } + } + rule 2629 { + action accept + description VPN-9484-ANY-ALLOW-10.4.56.164 + destination { + group { + address-group DT_VPN-9484 + } + } + source { + address 10.4.56.164 + } + } + rule 2630 { + action accept + description VPN-9484-ANY-ALLOW-10.4.57.164 + destination { + group { + address-group DT_VPN-9484 + } + } + source { + address 10.4.57.164 + } + } + rule 2631 { + action accept + description VPN-9749-ANY-ALLOW-10.4.58.144 + destination { + group { + address-group DT_VPN-9749 + } + } + source { + address 10.4.58.144 + } + } + rule 2632 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.77.149 + } + } + rule 2633 { + action accept + description FW10FEE_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW10FEE_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2634 { + action accept + description FW5658C_1-TCP-ALLOW-5.71.30.141 + destination { + group { + address-group DT_FW5658C_1 + } + port 8443 + } + protocol tcp + source { + address 5.71.30.141 + } + } + rule 2635 { + action accept + description VPN-9749-ANY-ALLOW-10.4.59.144 + destination { + group { + address-group DT_VPN-9749 + } + } + source { + address 10.4.59.144 + } + } + rule 2636 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.77.70 + } + } + rule 2637 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.92.33 + } + } + rule 2638 { + action accept + description FWEF92E_5-AH-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 77.68.93.82 + } + } + rule 2639 { + action accept + description FWEF92E_6-AH-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + } + protocol ah + source { + address 77.68.77.57 + } + } + rule 2640 { + action accept + description FWEF92E_6-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2641 { + action accept + description FWEF92E_5-AH-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + } + protocol ah + source { + address 88.208.198.93 + } + } + rule 2642 { + action accept + description FWEF92E_7-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2643 { + action accept + description FWEF92E_7-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_7 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2644 { + action accept + description FWEF92E_5-TCP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 109.228.37.19 + } + } + rule 2645 { + action accept + description FW49C3D_4-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445,80 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2646 { + action accept + description FW49C3D_4-TCP-ALLOW-82.0.198.226 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445 + } + protocol tcp + source { + address 82.0.198.226 + } + } + rule 2647 { + action accept + description FW49C3D_6-TCP-ALLOW-82.0.198.226 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 82.0.198.226 + } + } + rule 2648 { + action accept + description FW49C3D_6-TCP-ALLOW-83.100.136.74 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 83.100.136.74 + } + } + rule 2649 { + action accept + description FWEF92E_6-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2650 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.189.162 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.189.162 + } + } + rule 2651 { + action accept + description FW3DBF8_9-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3DBF8_9 + } + port 9000-10999 + } + protocol udp + } + rule 2652 { + action accept + description VPN-19807-ANY-ALLOW-10.4.86.172 + destination { + group { + address-group DT_VPN-19807 + } + } + source { + address 10.4.86.172 + } + } + rule 2653 { + action accept + description FWEEC75_1-TCP-ALLOW-82.8.245.40 + destination { + group { + address-group DT_FWEEC75_1 + } + port 21 + } + protocol tcp + source { + address 82.8.245.40 + } + } + rule 2654 { + action accept + description FW3AD6F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3AD6F_1 + } + port 53,465 + } + protocol tcp_udp + } + rule 2655 { + action accept + description FWCDBC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWCDBC7_1 + } + port 53 + } + protocol tcp_udp + } + rule 2656 { + action accept + description FWA373F_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA373F_1 + } + port 2087,2086,2083,2082 + } + protocol tcp + } + rule 2657 { + action accept + description FW2B279_4-TCP-ALLOW-94.155.221.50 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443,22 + } + protocol tcp + source { + address 94.155.221.50 + } + } + rule 2658 { + action accept + description FWC2D30_1-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443,22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2659 { + action accept + description VPN-30791-ANY-ALLOW-10.4.88.215 + destination { + group { + address-group DT_VPN-30791 + } + } + source { + address 10.4.88.215 + } + } + rule 2660 { + action accept + description VPN-30791-ANY-ALLOW-10.4.89.215 + destination { + group { + address-group DT_VPN-30791 + } + } + source { + address 10.4.89.215 + } + } + rule 2661 { + action accept + description FW2EF2C_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 10000,3478 + } + protocol udp + } + rule 2662 { + action accept + description FW32EFF_49-TCP-ALLOW-195.217.232.0_26 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 195.217.232.0/26 + } + } + rule 2663 { + action accept + description FW4AE7D_1-TCP-ALLOW-81.136.8.24 + destination { + group { + address-group DT_FW4AE7D_1 + } + port 3389 + } + protocol tcp + source { + address 81.136.8.24 + } + } + rule 2664 { + action accept + description FW2EF2C_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 5222 + } + protocol tcp_udp + } + rule 2665 { + action accept + description FW48A55_2-TCP-ALLOW-86.29.225.60 + destination { + group { + address-group DT_FW48A55_2 + } + port 443,80,22 + } + protocol tcp + source { + address 86.29.225.60 + } + } + rule 2666 { + action accept + description FW48A55_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW48A55_2 + } + port 1337 + } + protocol udp + } + rule 2667 { + action accept + description VPN-11913-ANY-ALLOW-10.4.56.191 + destination { + group { + address-group DT_VPN-11913 + } + } + source { + address 10.4.56.191 + } + } + rule 2668 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.189.163 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.189.163 + } + } + rule 2669 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.0.90 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.0.90 + } + } + rule 2670 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.24.66 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.24.66 + } + } + rule 2671 { + action accept + description VPN-11913-ANY-ALLOW-10.4.57.191 + destination { + group { + address-group DT_VPN-11913 + } + } + source { + address 10.4.57.191 + } + } + rule 2672 { + action accept + description FW73573_2-TCP-ALLOW-86.9.185.195 + destination { + group { + address-group DT_FW73573_2 + } + port 22 + } + protocol tcp + source { + address 86.9.185.195 + } + } + rule 2673 { + action accept + description VPN-17558-ANY-ALLOW-10.4.87.143 + destination { + group { + address-group DT_VPN-17558 + } + } + source { + address 10.4.87.143 + } + } + rule 2674 { + action accept + description FW748B7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW748B7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2675 { + action accept + description FW16375_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW16375_5 + } + port 2082,2083,2086,2087 + } + protocol tcp + } + rule 2676 { + action accept + description FW5A77C_16-TCP-ALLOW-88.98.204.68 + destination { + group { + address-group DT_FW5A77C_16 + } + port 22 + } + protocol tcp + source { + address 88.98.204.68 + } + } + rule 2677 { + action accept + description FW73573_1-TCP-ALLOW-86.9.185.195 + destination { + group { + address-group DT_FW73573_1 + } + port 22 + } + protocol tcp + source { + address 86.9.185.195 + } + } + rule 2678 { + action accept + description FWEF92E_5-TCP-ALLOW-194.145.190.4 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 194.145.190.4 + } + } + rule 2679 { + action accept + description FWC2D30_1-TCP-ALLOW-140.82.112.0_20 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 140.82.112.0/20 + } + } + rule 2680 { + action accept + description FW62858_12-ICMP-ALLOW-77.68.122.41 + destination { + group { + address-group DT_FW62858_12 + } + } + protocol icmp + source { + address 77.68.122.41 + } + } + rule 2681 { + action accept + description FWB118A_1-TCP-ALLOW-147.148.96.136 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 147.148.96.136 + } + } + rule 2682 { + action accept + description FW5A77C_16-TCP-ALLOW-92.207.237.42 + destination { + group { + address-group DT_FW5A77C_16 + } + port 10000,22 + } + protocol tcp + source { + address 92.207.237.42 + } + } + rule 2683 { + action accept + description FW364CF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW364CF_1 + } + port 4022,8099 + } + protocol tcp + } + rule 2684 { + action accept + description VPN-25822-ANY-ALLOW-10.4.54.42 + destination { + group { + address-group DT_VPN-25822 + } + } + source { + address 10.4.54.42 + } + } + rule 2685 { + action accept + description FW7F28A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7F28A_1 + } + port 10051,10050 + } + protocol tcp + } + rule 2686 { + action accept + description FW8AFF1_7-TCP-ALLOW-109.228.53.159 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 109.228.53.159 + } + } + rule 2687 { + action accept + description FWE47DA_1-TCP-ALLOW-185.22.211.0_24 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 185.22.211.0/24 + } + } + rule 2688 { + action accept + description FWC6301_1-TCP-ALLOW-95.34.208.4 + destination { + group { + address-group DT_FWC6301_1 + } + port 22 + } + protocol tcp + source { + address 95.34.208.4 + } + } + rule 2689 { + action accept + description FW45000_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW45000_1 + } + port 990 + } + protocol tcp + } + rule 2690 { + action accept + description FW481D7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW481D7_1 + } + port 6789 + } + protocol tcp + } + rule 2691 { + action accept + description VPN-8203-ANY-ALLOW-10.4.59.109 + destination { + group { + address-group DT_VPN-8203 + } + } + source { + address 10.4.59.109 + } + } + rule 2692 { + action accept + description VPN-3575-ANY-ALLOW-10.4.54.124 + destination { + group { + address-group DT_VPN-3575 + } + } + source { + address 10.4.54.124 + } + } + rule 2693 { + action accept + description VPN-3575-ANY-ALLOW-10.4.55.125 + destination { + group { + address-group DT_VPN-3575 + } + } + source { + address 10.4.55.125 + } + } + rule 2694 { + action accept + description FW42661_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW42661_3 + } + port 44445,25672,15672,9876,7770-7800 + } + protocol tcp + } + rule 2695 { + action accept + description FWBF494_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBF494_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2696 { + action accept + description FWD0E22_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD0E22_4 + } + port 8000,19005 + } + protocol tcp + } + rule 2697 { + action accept + description FW98818_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW98818_1 + } + port 27015 + } + protocol udp + } + rule 2698 { + action accept + description FW62858_12-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 5001,5000 + } + protocol tcp + } + rule 2699 { + action accept + description VPN-34006-ANY-ALLOW-10.4.86.242 + destination { + group { + address-group DT_VPN-34006 + } + } + source { + address 10.4.86.242 + } + } + rule 2700 { + action accept + description VPN-34006-ANY-ALLOW-10.4.87.242 + destination { + group { + address-group DT_VPN-34006 + } + } + source { + address 10.4.87.242 + } + } + rule 2701 { + action accept + description FWF879C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF879C_1 + } + port 8888 + } + protocol tcp + } + rule 2702 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.11.54 + } + } + rule 2703 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.74.89 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.74.89 + } + } + rule 2704 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.77.149 + } + } + rule 2705 { + action accept + description FW8A57A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW8A57A_1 + } + port 49153,5666 + } + protocol tcp + } + rule 2706 { + action accept + description FW62858_12-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 5090,5061,5060 + } + protocol tcp_udp + } + rule 2707 { + action accept + description FW62858_12-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW62858_12 + } + port 9000-10999 + } + protocol udp + } + rule 2708 { + action accept + description FW0E2EE_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0E2EE_1 + } + port 1024-65535 + } + protocol tcp_udp + } + rule 2709 { + action accept + description FWEEC75_1-TCP-ALLOW-82.5.80.210 + destination { + group { + address-group DT_FWEEC75_1 + } + port 22 + } + protocol tcp + source { + address 82.5.80.210 + } + } + rule 2710 { + action accept + description FW4F81F_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4F81F_4 + } + port 26900,27005,27015,51000,51005,51030 + } + protocol tcp_udp + } + rule 2711 { + action accept + description VPN-7902-ANY-ALLOW-10.4.56.78 + destination { + group { + address-group DT_VPN-7902 + } + } + source { + address 10.4.56.78 + } + } + rule 2712 { + action accept + description VPN-7902-ANY-ALLOW-10.4.57.78 + destination { + group { + address-group DT_VPN-7902 + } + } + source { + address 10.4.57.78 + } + } + rule 2713 { + action accept + description FWB36A0_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB36A0_1 + } + port 20-21,990 + } + protocol tcp_udp + } + rule 2714 { + action accept + description FWD2082_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD2082_1 + } + port 8001,8002 + } + protocol tcp + } + rule 2715 { + action accept + description FW8A3FC_3-TCP-ALLOW-212.8.242.171 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 212.8.242.171 + } + } + rule 2716 { + action accept + description FWB9699_11-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWB9699_11 + } + port 443,80,8800,22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2717 { + action accept + description VPN-11083-ANY-ALLOW-10.4.54.186 + destination { + group { + address-group DT_VPN-11083 + } + } + source { + address 10.4.54.186 + } + } + rule 2718 { + action accept + description VPN-11083-ANY-ALLOW-10.4.55.187 + destination { + group { + address-group DT_VPN-11083 + } + } + source { + address 10.4.55.187 + } + } + rule 2719 { + action accept + description VPN-34583-ANY-ALLOW-10.4.86.243 + destination { + group { + address-group DT_VPN-34583 + } + } + source { + address 10.4.86.243 + } + } + rule 2720 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.155 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.84.155 + } + } + rule 2721 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.117 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.117 + } + } + rule 2722 { + action accept + description FW7A9B0_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW7A9B0_9 + } + port 11112 + } + protocol tcp + } + rule 2723 { + action accept + description FW3F465_1-TCP-ALLOW-77.68.127.177 + destination { + group { + address-group DT_FW3F465_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.127.177 + } + } + rule 2724 { + action accept + description VPN-34583-ANY-ALLOW-10.4.87.243 + destination { + group { + address-group DT_VPN-34583 + } + } + source { + address 10.4.87.243 + } + } + rule 2725 { + action accept + description FW930F3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW930F3_1 + } + port 9089,5900,5666,5272 + } + protocol tcp + } + rule 2726 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.165 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.165 + } + } + rule 2727 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.140 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.140 + } + } + rule 2728 { + action accept + description FW90AE3_1-TCP-ALLOW-82.11.114.136 + destination { + group { + address-group DT_FW90AE3_1 + } + port 3306,22 + } + protocol tcp + source { + address 82.11.114.136 + } + } + rule 2729 { + action accept + description FW73215_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73215_1 + } + port 27015 + } + protocol tcp_udp + } + rule 2730 { + action accept + description FWC2EF2_1-TCP-ALLOW-18.130.156.250 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 22 + } + protocol tcp + source { + address 18.130.156.250 + } + } + rule 2731 { + action accept + description FWC2EF2_1-TCP-ALLOW-90.251.221.19 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 22 + } + protocol tcp + source { + address 90.251.221.19 + } + } + rule 2732 { + action accept + description FW90AE3_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW90AE3_1 + } + port 8765,8001,8000 + } + protocol tcp + } + rule 2733 { + action accept + description FWC2EF2_1-TCP-ALLOW-87.74.110.191 + destination { + group { + address-group DT_FWC2EF2_1 + } + port 8443 + } + protocol tcp + source { + address 87.74.110.191 + } + } + rule 2734 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.77.70 + } + } + rule 2735 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.93 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.93 + } + } + rule 2736 { + action accept + description FW81138_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW81138_1 + } + port 123 + } + protocol udp + } + rule 2737 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.64 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.64 + } + } + rule 2738 { + action accept + description FW03B35_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + port 1-65535 + } + protocol tcp_udp + } + rule 2739 { + action accept + description VPN-19807-ANY-ALLOW-10.4.87.172 + destination { + group { + address-group DT_VPN-19807 + } + } + source { + address 10.4.87.172 + } + } + rule 2740 { + action accept + description FW5658C_1-TCP-ALLOW-94.12.73.154 + destination { + group { + address-group DT_FW5658C_1 + } + port 8447 + } + protocol tcp + source { + address 94.12.73.154 + } + } + rule 2741 { + action accept + description FW5658C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5658C_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2742 { + action accept + description FW0B352_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0B352_1 + } + port 3443 + } + protocol tcp_udp + } + rule 2743 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.8.74 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 77.68.8.74 + } + } + rule 2744 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.92.33 + } + } + rule 2745 { + action accept + description FWEF92E_5-TCP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 77.68.93.82 + } + } + rule 2746 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.44 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.44 + } + } + rule 2747 { + action accept + description FW34C91_3-TCP-ALLOW-188.220.176.104 + destination { + group { + address-group DT_FW34C91_3 + } + port 1433 + } + protocol tcp + source { + address 188.220.176.104 + } + } + rule 2748 { + action accept + description FW3F465_1-TCP-ALLOW-77.68.16.101 + destination { + group { + address-group DT_FW3F465_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.16.101 + } + } + rule 2749 { + action accept + description FWEF92E_5-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 2750 { + action accept + description FW34C91_3-UDP-ALLOW-188.220.176.104 + destination { + group { + address-group DT_FW34C91_3 + } + port 1434 + } + protocol udp + source { + address 188.220.176.104 + } + } + rule 2751 { + action accept + description FWE47DA_1-TCP-ALLOW-185.22.208.0_25 + destination { + group { + address-group DT_FWE47DA_1 + } + port 22 + } + protocol tcp + source { + address 185.22.208.0/25 + } + } + rule 2752 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.187 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.187 + } + } + rule 2753 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.84 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.84 + } + } + rule 2754 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.52 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 116.206.246.52 + } + } + rule 2755 { + action accept + description FW8AFF1_7-TCP-ALLOW-77.68.92.154 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 77.68.92.154 + } + } + rule 2756 { + action accept + description FW8AFF1_7-TCP-ALLOW-77.68.93.156 + destination { + group { + address-group DT_FW8AFF1_7 + } + port 1433 + } + protocol tcp + source { + address 77.68.93.156 + } + } + rule 2757 { + action accept + description VPN-24398-ANY-ALLOW-10.4.88.151 + destination { + group { + address-group DT_VPN-24398 + } + } + source { + address 10.4.88.151 + } + } + rule 2758 { + action accept + description VPN-24398-ANY-ALLOW-10.4.89.151 + destination { + group { + address-group DT_VPN-24398 + } + } + source { + address 10.4.89.151 + } + } + rule 2759 { + action accept + description VPN-24589-ANY-ALLOW-10.4.56.9 + destination { + group { + address-group DT_VPN-24589 + } + } + source { + address 10.4.56.9 + } + } + rule 2760 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.29 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.29 + } + } + rule 2761 { + action accept + description FWC7D36_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC7D36_1 + } + port 27017,11080 + } + protocol tcp + } + rule 2762 { + action accept + description FWBB718_1-TCP_UDP-ALLOW-77.68.73.116 + destination { + group { + address-group DT_FWBB718_1 + } + port 1433 + } + protocol tcp_udp + source { + address 77.68.73.116 + } + } + rule 2763 { + action accept + description FWBB718_1-UDP-ALLOW-77.68.73.116 + destination { + group { + address-group DT_FWBB718_1 + } + port 1434 + } + protocol udp + source { + address 77.68.73.116 + } + } + rule 2764 { + action accept + description FWB9699_11-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FWB9699_11 + } + port 22,80,443,8800 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2765 { + action accept + description FW18E6E_3-TCP-ALLOW-103.8.164.5 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 103.8.164.5 + } + } + rule 2766 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.193 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.193 + } + } + rule 2768 { + action accept + description FW26F0A_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW26F0A_1 + } + port 53 + } + protocol tcp_udp + } + rule 2769 { + action accept + description FWCC18F_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCC18F_2 + } + port 8883,1883 + } + protocol tcp + } + rule 2771 { + action accept + description FW633DD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW633DD_1 + } + port 28967,14002,9984,9983,9982,9981,8888,8884 + } + protocol tcp + } + rule 2772 { + action accept + description FWDEDB9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDEDB9_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2773 { + action accept + description VPN-18646-ANY-ALLOW-10.4.88.109 + destination { + group { + address-group DT_VPN-18646 + } + } + source { + address 10.4.88.109 + } + } + rule 2774 { + action accept + description VPN-18646-ANY-ALLOW-10.4.89.109 + destination { + group { + address-group DT_VPN-18646 + } + } + source { + address 10.4.89.109 + } + } + rule 2775 { + action accept + description FWA0531_1-TCP-ALLOW-87.224.39.221 + destination { + group { + address-group DT_FWA0531_1 + } + port 8082,3003,22 + } + protocol tcp + source { + address 87.224.39.221 + } + } + rule 2776 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.94 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.94 + } + } + rule 2777 { + action accept + description FWA0531_1-TCP-ALLOW-92.237.97.92 + destination { + group { + address-group DT_FWA0531_1 + } + port 8082,3003,22 + } + protocol tcp + source { + address 92.237.97.92 + } + } + rule 2778 { + action accept + description VPN-25822-ANY-ALLOW-10.4.55.42 + destination { + group { + address-group DT_VPN-25822 + } + } + source { + address 10.4.55.42 + } + } + rule 2779 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.88 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.88 + } + } + rule 2780 { + action accept + description FWC2D30_1-TCP-ALLOW-143.55.64.0_20 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 143.55.64.0/20 + } + } + rule 2781 { + action accept + description FW18E6E_3-TCP-ALLOW-194.176.78.206 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 194.176.78.206 + } + } + rule 2782 { + action accept + description FW18E6E_3-TCP-ALLOW-195.243.221.50 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 195.243.221.50 + } + } + rule 2783 { + action accept + description FW18E6E_3-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 2784 { + action accept + description FW18E6E_3-TCP-ALLOW-81.150.168.54 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306,22 + } + protocol tcp + source { + address 81.150.168.54 + } + } + rule 2785 { + action accept + description FW18E6E_3-TCP-ALLOW-89.197.133.235 + destination { + group { + address-group DT_FW18E6E_3 + } + port 22 + } + protocol tcp + source { + address 89.197.133.235 + } + } + rule 2786 { + action accept + description FW18E6E_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW18E6E_3 + } + port 60000-60100,873 + } + protocol tcp + } + rule 2787 { + action accept + description FW2BF20_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2BF20_3 + } + port 49152-65534,990 + } + protocol tcp + } + rule 2788 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.98 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.98 + } + } + rule 2789 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.65 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.65 + } + } + rule 2791 { + action accept + description FW197DB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW197DB_1 + } + port 49152-65534 + } + protocol tcp + } + rule 2792 { + action accept + description FW1208C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1208C_1 + } + port 2087,2083,2096 + } + protocol tcp + } + rule 2793 { + action accept + description FW00D98_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW00D98_1 + } + port 4430 + } + protocol tcp + } + rule 2794 { + action accept + description FW03B35_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + } + protocol esp + } + rule 2795 { + action accept + description FW03B35_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FW03B35_1 + } + } + protocol ah + } + rule 2796 { + action accept + description FWEF92E_5-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_5 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2797 { + action accept + description FW825C8_19-TCP-ALLOW-159.253.51.74 + destination { + group { + address-group DT_FW825C8_19 + } + port 3389,1433,995 + } + protocol tcp + source { + address 159.253.51.74 + } + } + rule 2798 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.76.111 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 77.68.76.111 + } + } + rule 2799 { + action accept + description FW825C8_19-TCP-ALLOW-77.68.28.63 + destination { + group { + address-group DT_FW825C8_19 + } + port 995 + } + protocol tcp + source { + address 77.68.28.63 + } + } + rule 2801 { + action accept + description FW2EF2C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2EF2C_1 + } + port 5349 + } + protocol tcp + } + rule 2802 { + action accept + description FWEF92E_5-TCP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + port 443 + } + protocol tcp + source { + address 88.208.198.93 + } + } + rule 2803 { + action accept + description FWC3921_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC3921_1 + } + port 25000,25001-25005,26000-26006 + } + protocol tcp + } + rule 2804 { + action accept + description FWEF92E_5-UDP-ALLOW-109.228.37.19 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 109.228.37.19 + } + } + rule 2805 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.11.54 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.11.54 + } + } + rule 2806 { + action accept + description FW5AE10_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5AE10_1 + } + port 53 + } + protocol tcp_udp + } + rule 2810 { + action accept + description FW45F87_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW45F87_1 + } + port 60000-60100 + } + protocol tcp + } + rule 2811 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.108.158 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.108.158 + } + } + rule 2813 { + action accept + description FW825C8_19-TCP-ALLOW-109.228.1.233 + destination { + group { + address-group DT_FW825C8_19 + } + port 1433 + } + protocol tcp + source { + address 109.228.1.233 + } + } + rule 2814 { + action accept + description FW20449_2-ICMP-ALLOW-3.10.221.168 + destination { + group { + address-group DT_FW20449_2 + } + } + protocol icmp + source { + address 3.10.221.168 + } + } + rule 2815 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.100 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.100 + } + } + rule 2816 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.180 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.180 + } + } + rule 2817 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.184 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.184 + } + } + rule 2818 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.185 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.185 + } + } + rule 2819 { + action accept + description FWB9699_7-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB9699_7 + } + port 161 + } + protocol udp + } + rule 2820 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.102 + destination { + group { + address-group DT_FWB9699_7 + } + port 22,8443 + } + protocol tcp + source { + address 213.171.217.102 + } + } + rule 2821 { + action accept + description FWB9699_7-TCP-ALLOW-213.171.217.103 + destination { + group { + address-group DT_FWB9699_7 + } + port 22 + } + protocol tcp + source { + address 213.171.217.103 + } + } + rule 2824 { + action accept + description FWE3E77_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE3E77_1 + } + port 10010,10009 + } + protocol tcp + } + rule 2825 { + action accept + description FW8A3FC_3-TCP-ALLOW-93.190.142.120 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 93.190.142.120 + } + } + rule 2826 { + action accept + description FW20449_2-ICMP-ALLOW-82.20.69.137 + destination { + group { + address-group DT_FW20449_2 + } + } + protocol icmp + source { + address 82.20.69.137 + } + } + rule 2827 { + action accept + description FW8A3FC_3-TCP-ALLOW-46.101.232.93 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 21-10000 + } + protocol tcp + source { + address 46.101.232.93 + } + } + rule 2828 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.5 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.5 + } + } + rule 2829 { + action accept + description FWD2440_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + port 1-65535 + } + protocol tcp + } + rule 2831 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.105 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.105 + } + } + rule 2833 { + action accept + description FW825C8_24-TCP-ALLOW-159.253.51.74 + destination { + group { + address-group DT_FW825C8_24 + } + port 3389,1433,995 + } + protocol tcp + source { + address 159.253.51.74 + } + } + rule 2834 { + action accept + description FW825C8_24-TCP-ALLOW-77.68.77.120 + destination { + group { + address-group DT_FW825C8_24 + } + port 1433 + } + protocol tcp + source { + address 77.68.77.120 + } + } + rule 2839 { + action accept + description FWD2440_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + port 1-65535 + } + protocol udp + } + rule 2840 { + action accept + description FW1C8F2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1C8F2_1 + } + port 7000-10000,5554,5443,5080,1935,1111 + } + protocol tcp + } + rule 2843 { + action accept + description FWE7180_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE7180_1 + } + port 443,53 + } + protocol tcp_udp + } + rule 2844 { + action accept + description FWC6301_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC6301_1 + } + port 2456 + } + protocol tcp_udp + } + rule 2845 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.113 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.113 + } + } + rule 2846 { + action accept + description VPN-24589-ANY-ALLOW-10.4.57.9 + destination { + group { + address-group DT_VPN-24589 + } + } + source { + address 10.4.57.9 + } + } + rule 2847 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.237 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.237 + } + } + rule 2849 { + action accept + description FWFD9AF_9-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFD9AF_9 + } + port 445 + } + protocol tcp_udp + } + rule 2850 { + action accept + description VPN-23209-ANY-ALLOW-10.4.58.8 + destination { + group { + address-group DT_VPN-23209 + } + } + source { + address 10.4.58.8 + } + } + rule 2851 { + action accept + description VPN-23209-ANY-ALLOW-10.4.59.8 + destination { + group { + address-group DT_VPN-23209 + } + } + source { + address 10.4.59.8 + } + } + rule 2853 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.29 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.29 + } + } + rule 2854 { + action accept + description FW16375_5-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW16375_5 + } + port 2096 + } + protocol tcp_udp + } + rule 2856 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.173 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.173 + } + } + rule 2858 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.35 + } + } + rule 2859 { + action accept + description FW73573_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW73573_1 + } + port 25 + } + protocol tcp_udp + } + rule 2860 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.242 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.242 + } + } + rule 2861 { + action accept + description FW8ECF4_1-TCP-ALLOW-77.68.2.215 + destination { + group { + address-group DT_FW8ECF4_1 + } + port 3306 + } + protocol tcp + source { + address 77.68.2.215 + } + } + rule 2862 { + action accept + description FW8A3FC_3-TCP_UDP-ALLOW-82.165.100.25 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 21-10000 + } + protocol tcp_udp + source { + address 82.165.100.25 + } + } + rule 2863 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.235 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.235 + } + } + rule 2864 { + action accept + description VPN-18647-ANY-ALLOW-10.4.86.114 + destination { + group { + address-group DT_VPN-18647 + } + } + source { + address 10.4.86.114 + } + } + rule 2865 { + action accept + description VPN-18647-ANY-ALLOW-10.4.87.114 + destination { + group { + address-group DT_VPN-18647 + } + } + source { + address 10.4.87.114 + } + } + rule 2867 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.107 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.107 + } + } + rule 2868 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.239 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.239 + } + } + rule 2869 { + action accept + description FWF699D_4-TCP-ALLOW-164.39.151.3 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 164.39.151.3 + } + } + rule 2870 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.245 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.245 + } + } + rule 2873 { + action accept + description FWEF92E_6-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FWEF92E_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 2874 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.130 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.130 + } + } + rule 2875 { + action accept + description FW44BF9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW44BF9_1 + } + port 49160-49200 + } + protocol tcp + } + rule 2876 { + action accept + description VPN-24591-ANY-ALLOW-10.4.86.4 + destination { + group { + address-group DT_VPN-24591 + } + } + source { + address 10.4.86.4 + } + } + rule 2877 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.60 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.60 + } + } + rule 2879 { + action accept + description FWEF92E_6-UDP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_6 + } + port 500 + } + protocol udp + source { + address 77.68.77.57 + } + } + rule 2880 { + action accept + description FWF699D_4-TCP-ALLOW-185.132.38.110 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 185.132.38.110 + } + } + rule 2881 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.216 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.216 + } + } + rule 2882 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.77.149 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.77.149 + } + } + rule 2883 { + action accept + description FWA2FF8_4-TCP-ALLOW-80.229.18.102 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21,22 + } + protocol tcp + source { + address 80.229.18.102 + } + } + rule 2884 { + action accept + description FWA2FF8_4-TCP-ALLOW-109.169.33.69 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21,22 + } + protocol tcp + source { + address 109.169.33.69 + } + } + rule 2885 { + action accept + description FWA2FF8_4-TCP-ALLOW-46.102.209.35 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21 + } + protocol tcp + source { + address 46.102.209.35 + } + } + rule 2886 { + action accept + description FWA2FF8_4-TCP-ALLOW-90.213.48.16 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 3306,21 + } + protocol tcp + source { + address 90.213.48.16 + } + } + rule 2887 { + action accept + description FWA2FF8_4-TCP-ALLOW-77.68.76.129 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 77.68.76.129 + } + } + rule 2888 { + action accept + description FWA2FF8_4-TCP-ALLOW-109.228.50.145 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 109.228.50.145 + } + } + rule 2889 { + action accept + description FWA2FF8_4-TCP-ALLOW-77.68.76.231 + destination { + group { + address-group DT_FWA2FF8_4 + } + port 22 + } + protocol tcp + source { + address 77.68.76.231 + } + } + rule 2890 { + action accept + description FW4513E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4513E_1 + } + port 50000-50020,990 + } + protocol tcp + } + rule 2893 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.40.7 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.40.7 + } + } + rule 2894 { + action accept + description VPN-21876-ANY-ALLOW-10.4.88.96 + destination { + group { + address-group DT_VPN-21876 + } + } + source { + address 10.4.88.96 + } + } + rule 2895 { + action accept + description VPN-21876-ANY-ALLOW-10.4.89.96 + destination { + group { + address-group DT_VPN-21876 + } + } + source { + address 10.4.89.96 + } + } + rule 2896 { + action accept + description VPN-26124-ANY-ALLOW-10.4.54.75 + destination { + group { + address-group DT_VPN-26124 + } + } + source { + address 10.4.54.75 + } + } + rule 2897 { + action accept + description VPN-26124-ANY-ALLOW-10.4.55.76 + destination { + group { + address-group DT_VPN-26124 + } + } + source { + address 10.4.55.76 + } + } + rule 2898 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.21 + } + } + rule 2899 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.213 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.213 + } + } + rule 2901 { + action accept + description FWC6301_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC6301_1 + } + port 5555 + } + protocol udp + } + rule 2902 { + action accept + description VPN-13261-ANY-ALLOW-10.4.56.173 + destination { + group { + address-group DT_VPN-13261 + } + } + source { + address 10.4.56.173 + } + } + rule 2903 { + action accept + description VPN-13261-ANY-ALLOW-10.4.57.173 + destination { + group { + address-group DT_VPN-13261 + } + } + source { + address 10.4.57.173 + } + } + rule 2909 { + action accept + description VPN-24591-ANY-ALLOW-10.4.87.4 + destination { + group { + address-group DT_VPN-24591 + } + } + source { + address 10.4.87.4 + } + } + rule 2911 { + action accept + description FWE7180_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE7180_1 + } + port 40110-40210,8090 + } + protocol tcp + } + rule 2914 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.247 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.247 + } + } + rule 2915 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.129 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.129 + } + } + rule 2916 { + action accept + description FWCB29D_1-TCP-ALLOW-51.146.16.162 + destination { + group { + address-group DT_FWCB29D_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 51.146.16.162 + } + } + rule 2917 { + action accept + description FW4E399_1-TCP-ALLOW-51.155.19.77 + destination { + group { + address-group DT_FW4E399_1 + } + port 3306 + } + protocol tcp + source { + address 51.155.19.77 + } + } + rule 2919 { + action accept + description FWC72E5_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC72E5_1 + } + port 9000-9100,6667 + } + protocol tcp + } + rule 2922 { + action accept + description FW21A75_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW21A75_2 + } + port 3000 + } + protocol tcp + } + rule 2923 { + action accept + description FW3B068_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3B068_2 + } + port 990,60000-65000 + } + protocol tcp + } + rule 2924 { + action accept + description FW48814_3-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW48814_3 + } + port 3306 + } + protocol tcp_udp + } + rule 2925 { + action accept + description FW48814_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW48814_3 + } + port 49152-65534 + } + protocol tcp + } + rule 2926 { + action accept + description FW2B279_4-TCP-ALLOW-178.128.39.210 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 178.128.39.210 + } + } + rule 2927 { + action accept + description FW2B279_4-TCP-ALLOW-82.165.232.19 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 82.165.232.19 + } + } + rule 2928 { + action accept + description FW2B279_4-TCP-ALLOW-84.64.186.31 + destination { + group { + address-group DT_FW2B279_4 + } + port 8443 + } + protocol tcp + source { + address 84.64.186.31 + } + } + rule 2929 { + action accept + description FW1C8F2_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1C8F2_1 + } + port 5000-65000 + } + protocol udp + } + rule 2930 { + action accept + description FW2B279_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2B279_4 + } + port 49152-65535 + } + protocol tcp + } + rule 2931 { + action accept + description FW608FA_1-TCP-ALLOW-195.10.106.114 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 195.10.106.114 + } + } + rule 2932 { + action accept + description FW608FA_1-TCP-ALLOW-213.137.25.134 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 213.137.25.134 + } + } + rule 2933 { + action accept + description FW608FA_1-TCP-ALLOW-92.39.202.189 + destination { + group { + address-group DT_FW608FA_1 + } + port 22 + } + protocol tcp + source { + address 92.39.202.189 + } + } + rule 2935 { + action accept + description FWC37B9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC37B9_1 + } + port 49152-65535 + } + protocol tcp + } + rule 2936 { + action accept + description FW15C99_6-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW15C99_6 + } + port 32410-32414,1900 + } + protocol udp + } + rule 2937 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.244.146 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 116.206.244.146 + } + } + rule 2938 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.158 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.211.158 + } + } + rule 2939 { + action accept + description FW15C99_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW15C99_6 + } + port 32469,32400 + } + protocol tcp + } + rule 2940 { + action accept + description FW0192C_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0192C_1 + } + port 2053 + } + protocol tcp + } + rule 2941 { + action accept + description FW27949_2-TCP-ALLOW-86.179.23.119 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 86.179.23.119 + } + } + rule 2942 { + action accept + description FW27949_2-TCP-ALLOW-92.15.208.193 + destination { + group { + address-group DT_FW27949_2 + } + port 443,80 + } + protocol tcp + source { + address 92.15.208.193 + } + } + rule 2943 { + action accept + description VPN-34122-ANY-ALLOW-10.4.56.122 + destination { + group { + address-group DT_VPN-34122 + } + } + source { + address 10.4.56.122 + } + } + rule 2944 { + action accept + description VPN-34122-ANY-ALLOW-10.4.57.122 + destination { + group { + address-group DT_VPN-34122 + } + } + source { + address 10.4.57.122 + } + } + rule 2945 { + action accept + description FWF323F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF323F_1 + } + port 25565,9999,8080,5001,3306 + } + protocol tcp_udp + } + rule 2946 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.132 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.132 + } + } + rule 2948 { + action accept + description VPN-30261-ANY-ALLOW-10.4.86.110 + destination { + group { + address-group DT_VPN-30261 + } + } + source { + address 10.4.86.110 + } + } + rule 2949 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.246 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.246 + } + } + rule 2951 { + action accept + description FWC2D30_1-TCP-ALLOW-157.231.100.222 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 157.231.100.222 + } + } + rule 2952 { + action accept + description FWC2D30_1-TCP-ALLOW-164.39.131.31 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 164.39.131.31 + } + } + rule 2953 { + action accept + description FWC2D30_1-TCP-ALLOW-185.199.108.0_22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 185.199.108.0/22 + } + } + rule 2954 { + action accept + description FWC2D30_1-TCP-ALLOW-192.30.252.0_22 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 192.30.252.0/22 + } + } + rule 2955 { + action accept + description FWC2D30_1-TCP-ALLOW-80.252.78.202 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 80.252.78.202 + } + } + rule 2956 { + action accept + description FWC2D30_1-TCP-ALLOW-86.15.158.234 + destination { + group { + address-group DT_FWC2D30_1 + } + port 8443 + } + protocol tcp + source { + address 86.15.158.234 + } + } + rule 2957 { + action accept + description VPN-30261-ANY-ALLOW-10.4.87.110 + destination { + group { + address-group DT_VPN-30261 + } + } + source { + address 10.4.87.110 + } + } + rule 2958 { + action accept + description VPN-30262-ANY-ALLOW-10.4.88.36 + destination { + group { + address-group DT_VPN-30262 + } + } + source { + address 10.4.88.36 + } + } + rule 2961 { + action accept + description VPN-15950-ANY-ALLOW-10.4.88.89 + destination { + group { + address-group DT_VPN-15950 + } + } + source { + address 10.4.88.89 + } + } + rule 2962 { + action accept + description FWBFDED_1-TCP-ALLOW-78.141.24.164 + destination { + group { + address-group DT_FWBFDED_1 + } + port 3389 + } + protocol tcp + source { + address 78.141.24.164 + } + } + rule 2963 { + action accept + description VPN-30262-ANY-ALLOW-10.4.89.36 + destination { + group { + address-group DT_VPN-30262 + } + } + source { + address 10.4.89.36 + } + } + rule 2964 { + action accept + description FW1F126_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1F126_1 + } + port 2087,2083 + } + protocol tcp + } + rule 2965 { + action accept + description FWA7A50_1-ANY-ALLOW-40.120.53.80 + destination { + group { + address-group DT_FWA7A50_1 + } + } + source { + address 40.120.53.80 + } + } + rule 2967 { + action accept + description VPN-23729-ANY-ALLOW-10.4.54.10 + destination { + group { + address-group DT_VPN-23729 + } + } + source { + address 10.4.54.10 + } + } + rule 2968 { + action accept + description VPN-23729-ANY-ALLOW-10.4.55.10 + destination { + group { + address-group DT_VPN-23729 + } + } + source { + address 10.4.55.10 + } + } + rule 2969 { + action accept + description VPN-23733-ANY-ALLOW-10.4.58.12 + destination { + group { + address-group DT_VPN-23733 + } + } + source { + address 10.4.58.12 + } + } + rule 2970 { + action accept + description VPN-23733-ANY-ALLOW-10.4.59.12 + destination { + group { + address-group DT_VPN-23733 + } + } + source { + address 10.4.59.12 + } + } + rule 2971 { + action accept + description VPN-23734-ANY-ALLOW-10.4.56.29 + destination { + group { + address-group DT_VPN-23734 + } + } + source { + address 10.4.56.29 + } + } + rule 2972 { + action accept + description VPN-23734-ANY-ALLOW-10.4.57.29 + destination { + group { + address-group DT_VPN-23734 + } + } + source { + address 10.4.57.29 + } + } + rule 2975 { + action accept + description VPN-23738-ANY-ALLOW-10.4.57.13 + destination { + group { + address-group DT_VPN-23738 + } + } + source { + address 10.4.57.13 + } + } + rule 2976 { + action accept + description FWD8DD1_2-TCP-ALLOW-77.153.164.226 + destination { + group { + address-group DT_FWD8DD1_2 + } + port 3306,22 + } + protocol tcp + source { + address 77.153.164.226 + } + } + rule 2977 { + action accept + description FWE012D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE012D_1 + } + port 143,25 + } + protocol tcp_udp + } + rule 2978 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.120.196 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.120.196 + } + } + rule 2981 { + action accept + description FW24AB7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW24AB7_1 + } + port 40110-40210 + } + protocol tcp_udp + } + rule 2985 { + action accept + description FW2379F_14-TCP-ALLOW-194.72.140.178 + destination { + group { + address-group DT_FW2379F_14 + } + port 3389,21 + } + protocol tcp + source { + address 194.72.140.178 + } + } + rule 2986 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.97 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.97 + } + } + rule 2988 { + action accept + description FW883EB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW883EB_1 + } + port 5005,5004,5003,5002,5001 + } + protocol tcp + } + rule 2992 { + action accept + description FW310C6_3-ANY-ALLOW-62.30.207.232 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 62.30.207.232 + } + } + rule 2993 { + action accept + description VPN-15950-ANY-ALLOW-10.4.89.89 + destination { + group { + address-group DT_VPN-15950 + } + } + source { + address 10.4.89.89 + } + } + rule 2994 { + action accept + description VPN-15960-ANY-ALLOW-10.4.88.90 + destination { + group { + address-group DT_VPN-15960 + } + } + source { + address 10.4.88.90 + } + } + rule 2995 { + action accept + description FWEF92E_7-UDP-ALLOW-77.68.77.57 + destination { + group { + address-group DT_FWEF92E_7 + } + port 500 + } + protocol udp + source { + address 77.68.77.57 + } + } + rule 2996 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.135 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.135 + } + } + rule 2998 { + action accept + description VPN-31002-ANY-ALLOW-10.4.88.126 + destination { + group { + address-group DT_VPN-31002 + } + } + source { + address 10.4.88.126 + } + } + rule 2999 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.110 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 116.206.246.110 + } + } + rule 3000 { + action accept + description FW08061_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW08061_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3001 { + action accept + description VPN-15960-ANY-ALLOW-10.4.89.90 + destination { + group { + address-group DT_VPN-15960 + } + } + source { + address 10.4.89.90 + } + } + rule 3003 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.56 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.56 + } + } + rule 3004 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.47.47 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.47.47 + } + } + rule 3005 { + action accept + description FW10C3D_19-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW10C3D_19 + } + port 49152-65535,14147 + } + protocol tcp + } + rule 3006 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.136 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.136 + } + } + rule 3009 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.44.109 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.44.109 + } + } + rule 3010 { + action accept + description VPN-24592-ANY-ALLOW-10.4.88.9 + destination { + group { + address-group DT_VPN-24592 + } + } + source { + address 10.4.88.9 + } + } + rule 3011 { + action accept + description FW05AD0_2-TCP-ALLOW-213.171.209.161 + destination { + group { + address-group DT_FW05AD0_2 + } + port 3389,1433,21 + } + protocol tcp + source { + address 213.171.209.161 + } + } + rule 3012 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.86.254 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.86.254 + } + } + rule 3014 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.16 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.16 + } + } + rule 3018 { + action accept + description VPN-24592-ANY-ALLOW-10.4.89.9 + destination { + group { + address-group DT_VPN-24592 + } + } + source { + address 10.4.89.9 + } + } + rule 3019 { + action accept + description VPN-24593-ANY-ALLOW-10.4.54.6 + destination { + group { + address-group DT_VPN-24593 + } + } + source { + address 10.4.54.6 + } + } + rule 3020 { + action accept + description VPN-24593-ANY-ALLOW-10.4.55.6 + destination { + group { + address-group DT_VPN-24593 + } + } + source { + address 10.4.55.6 + } + } + rule 3021 { + action accept + description VPN-24594-ANY-ALLOW-10.4.58.6 + destination { + group { + address-group DT_VPN-24594 + } + } + source { + address 10.4.58.6 + } + } + rule 3022 { + action accept + description VPN-24594-ANY-ALLOW-10.4.59.6 + destination { + group { + address-group DT_VPN-24594 + } + } + source { + address 10.4.59.6 + } + } + rule 3023 { + action accept + description VPN-24595-ANY-ALLOW-10.4.56.14 + destination { + group { + address-group DT_VPN-24595 + } + } + source { + address 10.4.56.14 + } + } + rule 3024 { + action accept + description VPN-24595-ANY-ALLOW-10.4.57.14 + destination { + group { + address-group DT_VPN-24595 + } + } + source { + address 10.4.57.14 + } + } + rule 3025 { + action accept + description VPN-32528-ANY-ALLOW-10.4.58.67 + destination { + group { + address-group DT_VPN-32528 + } + } + source { + address 10.4.58.67 + } + } + rule 3026 { + action accept + description VPN-32528-ANY-ALLOW-10.4.59.67 + destination { + group { + address-group DT_VPN-32528 + } + } + source { + address 10.4.59.67 + } + } + rule 3027 { + action accept + description FW6187E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6187E_1 + } + port 51195 + } + protocol udp + } + rule 3028 { + action accept + description FW406AB_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW406AB_1 + } + port 37013,25461,8881,8080,2095,2082,1992 + } + protocol tcp_udp + } + rule 3029 { + action accept + description FWA86A4_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA86A4_1 + } + port 30333,5666 + } + protocol tcp + } + rule 3032 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.52 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.52 + } + } + rule 3033 { + action accept + description FWC055A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWC055A_1 + } + port 2195 + } + protocol tcp + } + rule 3035 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.81 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.81 + } + } + rule 3039 { + action accept + description FW42BC7_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW42BC7_1 + } + port 53 + } + protocol tcp_udp + } + rule 3040 { + action accept + description FW42BC7_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW42BC7_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3041 { + action accept + description FW310C6_3-ANY-ALLOW-88.208.198.39 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 88.208.198.39 + } + } + rule 3042 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.235 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.235 + } + } + rule 3043 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.205 + } + } + rule 3044 { + action accept + description FWBE878_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBE878_1 + } + port 8989,5003,3000 + } + protocol tcp_udp + } + rule 3045 { + action accept + description VPN-30679-ANY-ALLOW-10.4.58.195 + destination { + group { + address-group DT_VPN-30679 + } + } + source { + address 10.4.58.195 + } + } + rule 3046 { + action accept + description FW6B9B9_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6B9B9_1 + } + port 30006-65000,27017,7101,4200,2990-3009 + } + protocol tcp + } + rule 3047 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.212 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.212 + } + } + rule 3049 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.125.4 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 123.231.125.4 + } + } + rule 3050 { + action accept + description FW49C3D_4-TCP-ALLOW-83.100.136.74 + destination { + group { + address-group DT_FW49C3D_4 + } + port 3389,445 + } + protocol tcp + source { + address 83.100.136.74 + } + } + rule 3051 { + action accept + description FW49C3D_6-TCP-ALLOW-87.224.33.215 + destination { + group { + address-group DT_FW49C3D_6 + } + port 3389,445 + } + protocol tcp + source { + address 87.224.33.215 + } + } + rule 3053 { + action accept + description FW89619_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW89619_1 + } + port 9000-10999 + } + protocol udp + } + rule 3054 { + action accept + description FWBD9D0_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBD9D0_1 + } + port 9090 + } + protocol tcp + } + rule 3055 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.47.236 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 175.157.47.236 + } + } + rule 3056 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.46.226 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.46.226 + } + } + rule 3058 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.205 + } + } + rule 3060 { + action accept + description FWF7B68_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF7B68_1 + } + port 49152-65535 + } + protocol tcp + } + rule 3061 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.253 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.253 + } + } + rule 3063 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.0 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.210.0 + } + } + rule 3065 { + action accept + description FW85619_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW85619_1 + } + port 6433 + } + protocol tcp + } + rule 3066 { + action accept + description FW5A5D7_3-TCP-ALLOW-188.66.79.94 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389 + } + protocol tcp + source { + address 188.66.79.94 + } + } + rule 3067 { + action accept + description FWF30BD_1-TCP-ALLOW-81.133.80.114 + destination { + group { + address-group DT_FWF30BD_1 + } + port 22 + } + protocol tcp + source { + address 81.133.80.114 + } + } + rule 3068 { + action accept + description FWF30BD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 5061,5015,5001 + } + protocol tcp + } + rule 3069 { + action accept + description FWBD9D0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBD9D0_1 + } + port 51820 + } + protocol udp + } + rule 3070 { + action accept + description FW7C4D9_14-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW7C4D9_14 + } + port 25565,2456-2458 + } + protocol tcp_udp + } + rule 3071 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.23 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.23 + } + } + rule 3072 { + action accept + description FWEEC75_1-TCP-ALLOW-81.96.100.32 + destination { + group { + address-group DT_FWEEC75_1 + } + port 8447 + } + protocol tcp + source { + address 81.96.100.32 + } + } + rule 3073 { + action accept + description FW8A3FC_3-TCP-ALLOW-95.168.164.208 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 95.168.164.208 + } + } + rule 3074 { + action accept + description VPN-19992-ANY-ALLOW-10.4.86.158 + destination { + group { + address-group DT_VPN-19992 + } + } + source { + address 10.4.86.158 + } + } + rule 3075 { + action accept + description FWF30BD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 5090,5060 + } + protocol tcp_udp + } + rule 3076 { + action accept + description VPN-30679-ANY-ALLOW-10.4.59.195 + destination { + group { + address-group DT_VPN-30679 + } + } + source { + address 10.4.59.195 + } + } + rule 3077 { + action accept + description FW930F3_3-ANY-ALLOW-77.68.112.254 + destination { + group { + address-group DT_FW930F3_3 + } + } + source { + address 77.68.112.254 + } + } + rule 3078 { + action accept + description FW672AB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW672AB_1 + } + port 5432 + } + protocol tcp + } + rule 3079 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.252 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.252 + } + } + rule 3080 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.86.192 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.86.192 + } + } + rule 3081 { + action accept + description VPN-33204-ANY-ALLOW-10.4.56.176 + destination { + group { + address-group DT_VPN-33204 + } + } + source { + address 10.4.56.176 + } + } + rule 3083 { + action accept + description FW1FA8E_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1FA8E_1 + } + port 33434 + } + protocol udp + } + rule 3084 { + action accept + description FWD2440_1-ESP-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + } + protocol esp + } + rule 3085 { + action accept + description FWA0531_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0531_1 + } + port 53 + } + protocol tcp_udp + } + rule 3090 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.70 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.70 + } + } + rule 3091 { + action accept + description FWF7BFA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF7BFA_1 + } + port 8000,5901,5479,5478 + } + protocol tcp + } + rule 3092 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.212 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.212 + } + } + rule 3094 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.125 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.212.125 + } + } + rule 3096 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.89 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.89 + } + } + rule 3097 { + action accept + description FWD56A2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD56A2_1 + } + port 8001,8000 + } + protocol tcp + } + rule 3098 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.109 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.109 + } + } + rule 3099 { + action accept + description FW36425_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW36425_1 + } + port 44445,7770-7800 + } + protocol tcp + } + rule 3100 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.238 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.238 + } + } + rule 3102 { + action accept + description FW6B39D_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW6B39D_1 + } + port 49216,49215 + } + protocol tcp_udp + } + rule 3103 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.121 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.121 + } + } + rule 3105 { + action accept + description FW2379F_14-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + port 443 + } + protocol tcp_udp + } + rule 3107 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.38 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.38 + } + } + rule 3109 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.191 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.191 + } + } + rule 3111 { + action accept + description FW27947_1-TCP-ALLOW-213.229.100.148 + destination { + group { + address-group DT_FW27947_1 + } + port 3306 + } + protocol tcp + source { + address 213.229.100.148 + } + } + rule 3112 { + action accept + description FWD42CF_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD42CF_1 + } + port 5432,5001,5000 + } + protocol tcp + } + rule 3114 { + action accept + description FW3A12F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW3A12F_1 + } + port 53 + } + protocol tcp_udp + } + rule 3116 { + action accept + description FW5A5D7_3-TCP-ALLOW-194.62.184.87 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 3389 + } + protocol tcp + source { + address 194.62.184.87 + } + } + rule 3117 { + action accept + description FW5A5D7_3-TCP-ALLOW-51.219.31.78 + destination { + group { + address-group DT_FW5A5D7_3 + } + port 8172,3389 + } + protocol tcp + source { + address 51.219.31.78 + } + } + rule 3118 { + action accept + description VPN-26157-ANY-ALLOW-10.4.86.57 + destination { + group { + address-group DT_VPN-26157 + } + } + source { + address 10.4.86.57 + } + } + rule 3119 { + action accept + description VPN-26157-ANY-ALLOW-10.4.87.57 + destination { + group { + address-group DT_VPN-26157 + } + } + source { + address 10.4.87.57 + } + } + rule 3120 { + action accept + description FWA7625_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 943 + } + protocol tcp + } + rule 3121 { + action accept + description FWC96A1_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC96A1_1 + } + port 1194 + } + protocol udp + } + rule 3122 { + action accept + description FWA7625_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 1194 + } + protocol udp + } + rule 3123 { + action accept + description FWA7625_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA7625_1 + } + port 32400,10108 + } + protocol tcp_udp + } + rule 3125 { + action accept + description FW8A3FC_3-TCP-ALLOW-185.173.161.154 + destination { + group { + address-group DT_FW8A3FC_3 + } + port 465 + } + protocol tcp + source { + address 185.173.161.154 + } + } + rule 3127 { + action accept + description FW05339_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW05339_1 + } + port 46961 + } + protocol udp + } + rule 3130 { + action accept + description FWA0AA0_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 1194 + } + protocol udp + } + rule 3132 { + action accept + description FWD8DD1_2-TCP_UDP-ALLOW-77.153.164.226 + destination { + group { + address-group DT_FWD8DD1_2 + } + port 443,80 + } + protocol tcp_udp + source { + address 77.153.164.226 + } + } + rule 3134 { + action accept + description FW19987_4-TCP-ALLOW-87.224.6.174 + destination { + group { + address-group DT_FW19987_4 + } + port 3389,445,443 + } + protocol tcp + source { + address 87.224.6.174 + } + } + rule 3135 { + action accept + description FW40AE4_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW40AE4_1 + } + port 53 + } + protocol tcp_udp + } + rule 3136 { + action accept + description VPN-33204-ANY-ALLOW-10.4.57.176 + destination { + group { + address-group DT_VPN-33204 + } + } + source { + address 10.4.57.176 + } + } + rule 3137 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-86.132.125.4 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 86.132.125.4 + } + } + rule 3138 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-91.205.173.51 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 91.205.173.51 + } + } + rule 3143 { + action accept + description FWA86ED_101-TCP-ALLOW-109.149.121.73 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 109.149.121.73 + } + } + rule 3144 { + action accept + description FWA0AA0_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 28083,28015-28016,1935 + } + protocol tcp_udp + } + rule 3146 { + action accept + description FWF3A1B_1-TCP_UDP-ALLOW-92.233.27.144 + destination { + group { + address-group DT_FWF3A1B_1 + } + port 2222 + } + protocol tcp_udp + source { + address 92.233.27.144 + } + } + rule 3148 { + action accept + description FWA86ED_101-TCP-ALLOW-151.228.194.190 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 151.228.194.190 + } + } + rule 3149 { + action accept + description FW9B6FB_1-ICMP-ALLOW-77.68.89.115_32 + destination { + group { + address-group DT_FW9B6FB_1 + } + } + protocol icmp + source { + address 77.68.89.115/32 + } + } + rule 3153 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.199 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.199 + } + } + rule 3155 { + action accept + description FW45F3D_1-ANY-ALLOW-195.224.110.168 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 195.224.110.168 + } + } + rule 3156 { + action accept + description FWF8E67_1-TCP-ALLOW-82.14.188.35 + destination { + group { + address-group DT_FWF8E67_1 + } + port 22 + } + protocol tcp + source { + address 82.14.188.35 + } + } + rule 3157 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.58 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.58 + } + } + rule 3158 { + action accept + description VPN-19992-ANY-ALLOW-10.4.87.158 + destination { + group { + address-group DT_VPN-19992 + } + } + source { + address 10.4.87.158 + } + } + rule 3159 { + action accept + description FWA86ED_101-TCP-ALLOW-5.66.24.185 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 5.66.24.185 + } + } + rule 3160 { + action accept + description FWF8E67_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF8E67_1 + } + port 3001 + } + protocol tcp + } + rule 3161 { + action accept + description FWD2440_1-AH-ALLOW-ANY + destination { + group { + address-group DT_FWD2440_1 + } + } + protocol ah + } + rule 3166 { + action accept + description FW3EBC8_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW3EBC8_1 + } + port 9001-9900,9000 + } + protocol tcp + } + rule 3167 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.244 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.244 + } + } + rule 3168 { + action accept + description FWA0531_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA0531_1 + } + port 3000 + } + protocol tcp + } + rule 3170 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.137 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.137 + } + } + rule 3173 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.104 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.104 + } + } + rule 3176 { + action accept + description FW6906B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW6906B_1 + } + port 4190 + } + protocol tcp + } + rule 3177 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.230 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 116.206.246.230 + } + } + rule 3178 { + action accept + description FW444AF_1-TCP-ALLOW-91.135.10.140 + destination { + group { + address-group DT_FW444AF_1 + } + port 27017 + } + protocol tcp + source { + address 91.135.10.140 + } + } + rule 3180 { + action accept + description FWA86ED_101-TCP-ALLOW-81.150.13.34 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 81.150.13.34 + } + } + rule 3181 { + action accept + description FWA86ED_101-TCP-ALLOW-82.10.14.73 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 82.10.14.73 + } + } + rule 3183 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.25 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.25 + } + } + rule 3184 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.224 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.224 + } + } + rule 3185 { + action accept + description FW9B6FB_1-TCP-ALLOW-77.68.89.115_32 + destination { + group { + address-group DT_FW9B6FB_1 + } + port 10050 + } + protocol tcp + source { + address 77.68.89.115/32 + } + } + rule 3186 { + action accept + description VPN-14673-ANY-ALLOW-10.4.89.44 + destination { + group { + address-group DT_VPN-14673 + } + } + source { + address 10.4.89.44 + } + } + rule 3187 { + action accept + description FWCA628_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCA628_1 + } + port 2096,2095,2087,2086,2083,2082 + } + protocol tcp + } + rule 3189 { + action accept + description VPN-28484-ANY-ALLOW-10.4.58.159 + destination { + group { + address-group DT_VPN-28484 + } + } + source { + address 10.4.58.159 + } + } + rule 3190 { + action accept + description FW028C0_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW028C0_2 + } + port 44491-44498,44474 + } + protocol tcp + } + rule 3191 { + action accept + description VPN-28484-ANY-ALLOW-10.4.59.159 + destination { + group { + address-group DT_VPN-28484 + } + } + source { + address 10.4.59.159 + } + } + rule 3192 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.119 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.119 + } + } + rule 3194 { + action accept + description FWF699D_4-TCP-ALLOW-195.74.108.130 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 195.74.108.130 + } + } + rule 3195 { + action accept + description FWF699D_4-TCP-ALLOW-31.54.149.143 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 31.54.149.143 + } + } + rule 3196 { + action accept + description FWF699D_4-TCP-ALLOW-35.204.243.120 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 35.204.243.120 + } + } + rule 3197 { + action accept + description FWF699D_4-TCP-ALLOW-81.150.55.65 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 81.150.55.65 + } + } + rule 3198 { + action accept + description FWF699D_4-TCP-ALLOW-81.150.55.70 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 81.150.55.70 + } + } + rule 3199 { + action accept + description FWF699D_4-TCP-ALLOW-86.142.112.4 + destination { + group { + address-group DT_FWF699D_4 + } + port 3389 + } + protocol tcp + source { + address 86.142.112.4 + } + } + rule 3200 { + action accept + description FWF699D_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF699D_4 + } + port 8983 + } + protocol tcp_udp + } + rule 3201 { + action accept + description FWF699D_4-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF699D_4 + } + port 11009,10009 + } + protocol tcp + } + rule 3202 { + action accept + description VPN-2661-ANY-ALLOW-10.4.54.24 + destination { + group { + address-group DT_VPN-2661 + } + } + source { + address 10.4.54.24 + } + } + rule 3203 { + action accept + description VPN-2661-ANY-ALLOW-10.4.55.24 + destination { + group { + address-group DT_VPN-2661 + } + } + source { + address 10.4.55.24 + } + } + rule 3204 { + action accept + description VPN-9727-ANY-ALLOW-10.4.54.118 + destination { + group { + address-group DT_VPN-9727 + } + } + source { + address 10.4.54.118 + } + } + rule 3205 { + action accept + description VPN-9727-ANY-ALLOW-10.4.55.119 + destination { + group { + address-group DT_VPN-9727 + } + } + source { + address 10.4.55.119 + } + } + rule 3207 { + action accept + description FWF0221_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF0221_1 + } + port 65000,8099,8080 + } + protocol tcp_udp + } + rule 3208 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.180 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.180 + } + } + rule 3209 { + action accept + description FWA86ED_101-TCP-ALLOW-82.5.189.5 + destination { + group { + address-group DT_FWA86ED_101 + } + port 443 + } + protocol tcp + source { + address 82.5.189.5 + } + } + rule 3210 { + action accept + description FW60FD6_5-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW60FD6_5 + } + port 1194 + } + protocol udp + } + rule 3211 { + action accept + description FW60FD6_5-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW60FD6_5 + } + port 9500,9191,9090,8090,2222 + } + protocol tcp + } + rule 3212 { + action accept + description FWA86ED_101-TCP-ALLOW-84.65.217.114 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 84.65.217.114 + } + } + rule 3213 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.43.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.43.21 + } + } + rule 3214 { + action accept + description FW45F3D_1-ANY-ALLOW-77.68.126.251 + destination { + group { + address-group DT_FW45F3D_1 + } + } + source { + address 77.68.126.251 + } + } + rule 3215 { + action accept + description FWA86ED_101-TCP-ALLOW-86.14.23.23 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 86.14.23.23 + } + } + rule 3217 { + action accept + description FW85E02_11-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW85E02_11 + } + port 9000-10999 + } + protocol udp + } + rule 3218 { + action accept + description FW5D0FA_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5D0FA_1 + } + port 53 + } + protocol tcp_udp + } + rule 3222 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.141 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.141 + } + } + rule 3223 { + action accept + description FWCDD8B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWCDD8B_1 + } + port 2222 + } + protocol tcp + } + rule 3224 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.185 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.185 + } + } + rule 3225 { + action accept + description FW06940_3-TCP_UDP-ALLOW-213.171.210.153 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 213.171.210.153 + } + } + rule 3226 { + action accept + description FW06940_3-TCP_UDP-ALLOW-70.29.113.102 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 70.29.113.102 + } + } + rule 3227 { + action accept + description FWC32BE_1-ANY-ALLOW-3.127.0.177 + destination { + group { + address-group DT_FWC32BE_1 + } + } + source { + address 3.127.0.177 + } + } + rule 3228 { + action accept + description FWA86ED_101-TCP-ALLOW-93.115.195.58 + destination { + group { + address-group DT_FWA86ED_101 + } + port 3389,443 + } + protocol tcp + source { + address 93.115.195.58 + } + } + rule 3229 { + action accept + description FWE32F2_8-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE32F2_8 + } + port 40120,30120,30110 + } + protocol tcp + } + rule 3230 { + action accept + description VPN-28515-ANY-ALLOW-10.4.56.162 + destination { + group { + address-group DT_VPN-28515 + } + } + source { + address 10.4.56.162 + } + } + rule 3231 { + action accept + description FW06940_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW06940_3 + } + port 30000-30400,8443-8447,445,80-110,21-25 + } + protocol tcp + } + rule 3232 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.134 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.211.134 + } + } + rule 3236 { + action accept + description VPN-28515-ANY-ALLOW-10.4.57.162 + destination { + group { + address-group DT_VPN-28515 + } + } + source { + address 10.4.57.162 + } + } + rule 3237 { + action accept + description FWF4063_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF4063_1 + } + port 3000 + } + protocol tcp + } + rule 3240 { + action accept + description FW06940_3-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW06940_3 + } + port 49152-65535,6379,5666,5432-5454 + } + protocol tcp_udp + } + rule 3242 { + action accept + description FW2E8D4_1-TCP-ALLOW-63.35.92.185 + destination { + group { + address-group DT_FW2E8D4_1 + } + port 3389 + } + protocol tcp + source { + address 63.35.92.185 + } + } + rule 3244 { + action accept + description FWF30BD_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWF30BD_1 + } + port 9000-10999 + } + protocol udp + } + rule 3245 { + action accept + description FWE30A1_4-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE30A1_4 + } + port 65057 + } + protocol tcp_udp + } + rule 3246 { + action accept + description VPN-26772-ANY-ALLOW-10.4.54.123 + destination { + group { + address-group DT_VPN-26772 + } + } + source { + address 10.4.54.123 + } + } + rule 3249 { + action accept + description FW56496_1-ANY-ALLOW-77.68.82.49 + destination { + group { + address-group DT_FW56496_1 + } + } + source { + address 77.68.82.49 + } + } + rule 3251 { + action accept + description FWDA443_6-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWDA443_6 + } + port 30175,12050 + } + protocol tcp + } + rule 3253 { + action accept + description FW5A521_3-TCP-ALLOW-88.98.75.17 + destination { + group { + address-group DT_FW5A521_3 + } + port 22 + } + protocol tcp + source { + address 88.98.75.17 + } + } + rule 3254 { + action accept + description FW5A521_3-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW5A521_3 + } + port 161-162 + } + protocol udp + } + rule 3255 { + action accept + description FW5A521_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW5A521_3 + } + port 5900 + } + protocol tcp + } + rule 3259 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.178 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.178 + } + } + rule 3260 { + action accept + description VPN-26772-ANY-ALLOW-10.4.55.124 + destination { + group { + address-group DT_VPN-26772 + } + } + source { + address 10.4.55.124 + } + } + rule 3262 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.114 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.114 + } + } + rule 3272 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.246.30 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 116.206.246.30 + } + } + rule 3273 { + action accept + description FW2B4BA_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW2B4BA_1 + } + port 30000-31000 + } + protocol tcp + } + rule 3284 { + action accept + description FW06940_3-TCP-ALLOW-213.171.217.107 + destination { + group { + address-group DT_FW06940_3 + } + port 8443 + } + protocol tcp + source { + address 213.171.217.107 + } + } + rule 3285 { + action accept + description FW0952B_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0952B_1 + } + port 9030,9001 + } + protocol tcp + } + rule 3286 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.85.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.85.35 + } + } + rule 3290 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.232 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.208.232 + } + } + rule 3294 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.21 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.21 + } + } + rule 3295 { + action accept + description FW0EA3F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW0EA3F_1 + } + port 1-65535 + } + protocol tcp_udp + } + rule 3296 { + action accept + description FW9D5C7_1-TCP-ALLOW-209.97.176.108 + destination { + group { + address-group DT_FW9D5C7_1 + } + port 8447,8443,22 + } + protocol tcp + source { + address 209.97.176.108 + } + } + rule 3297 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.188 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.188 + } + } + rule 3298 { + action accept + description FW9D5C7_1-TCP-ALLOW-165.227.231.227 + destination { + group { + address-group DT_FW9D5C7_1 + } + port 9117,9113,9104,9100 + } + protocol tcp + source { + address 165.227.231.227 + } + } + rule 3299 { + action accept + description FW4DB0A_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4DB0A_1 + } + port 953 + } + protocol tcp + } + rule 3300 { + action accept + description FW4DB0A_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW4DB0A_1 + } + port 953 + } + protocol udp + } + rule 3301 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.91 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.91 + } + } + rule 3303 { + action accept + description FW56496_1-TCP-ALLOW-176.255.93.149 + destination { + group { + address-group DT_FW56496_1 + } + port 3389 + } + protocol tcp + source { + address 176.255.93.149 + } + } + rule 3304 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.79 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.79 + } + } + rule 3305 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.43 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.43 + } + } + rule 3306 { + action accept + description FW310C6_3-ANY-ALLOW-88.208.198.40 + destination { + group { + address-group DT_FW310C6_3 + } + } + source { + address 88.208.198.40 + } + } + rule 3307 { + action accept + description FW597A6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW597A6_1 + } + port 49152-65535,990 + } + protocol tcp + } + rule 3308 { + action accept + description FW597A6_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW597A6_1 + } + port 3306 + } + protocol tcp_udp + } + rule 3309 { + action accept + description FWBC280_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBC280_1 + } + port 49152-65535,20-21 + } + protocol tcp + } + rule 3310 { + action accept + description VPN-31301-ANY-ALLOW-10.4.87.223 + destination { + group { + address-group DT_VPN-31301 + } + } + source { + address 10.4.87.223 + } + } + rule 3311 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.243 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.243 + } + } + rule 3312 { + action accept + description FW9EEDD_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW9EEDD_1 + } + port 990,197,20-23 + } + protocol tcp + } + rule 3313 { + action accept + description FW9EEDD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW9EEDD_1 + } + port 49152-65535 + } + protocol tcp_udp + } + rule 3314 { + action accept + description VPN-31002-ANY-ALLOW-10.4.89.126 + destination { + group { + address-group DT_VPN-31002 + } + } + source { + address 10.4.89.126 + } + } + rule 3316 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.11 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.11 + } + } + rule 3317 { + action accept + description FW32EFF_49-TCP-ALLOW-195.59.191.128_25 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 195.59.191.128/25 + } + } + rule 3318 { + action accept + description FW32EFF_49-TCP-ALLOW-213.71.130.0_26 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 213.71.130.0/26 + } + } + rule 3319 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.88 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.215.88 + } + } + rule 3320 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.215.173 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.215.173 + } + } + rule 3321 { + action accept + description FW32EFF_49-TCP-ALLOW-84.19.45.82 + destination { + group { + address-group DT_FW32EFF_49 + } + port 5589 + } + protocol tcp + source { + address 84.19.45.82 + } + } + rule 3322 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-175.157.43.122 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 175.157.43.122 + } + } + rule 3323 { + action accept + description FWC1ACD_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWC1ACD_1 + } + port 28061,28060,8080 + } + protocol tcp_udp + } + rule 3324 { + action accept + description FWA5D67_1-TCP_UDP-ALLOW-84.74.32.74 + destination { + group { + address-group DT_FWA5D67_1 + } + port 3389 + } + protocol tcp_udp + source { + address 84.74.32.74 + } + } + rule 3325 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.169 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.169 + } + } + rule 3326 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.89 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.89 + } + } + rule 3329 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.35 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.35 + } + } + rule 3330 { + action accept + description FWCE020_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWCE020_1 + } + port 48402 + } + protocol udp + } + rule 3333 { + action accept + description FWF3574_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWF3574_1 + } + port 8060,445,139 + } + protocol tcp + } + rule 3334 { + action accept + description FWE6AB2_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWE6AB2_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3335 { + action accept + description FWBFC02_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBFC02_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3336 { + action accept + description FWBFC02_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBFC02_1 + } + port 1194 + } + protocol udp + } + rule 3337 { + action accept + description FWE6AB2_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWE6AB2_1 + } + port 1194 + } + protocol udp + } + rule 3338 { + action accept + description FWBC8A6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWBC8A6_1 + } + port 44158,945,943 + } + protocol tcp + } + rule 3339 { + action accept + description FWBC8A6_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FWBC8A6_1 + } + port 1194 + } + protocol udp + } + rule 3340 { + action accept + description FWA0AA0_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWA0AA0_1 + } + port 2302 + } + protocol tcp + } + rule 3342 { + action accept + description FW56496_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW56496_1 + } + port 22 + } + protocol tcp_udp + } + rule 3343 { + action accept + description FW56496_1-TCP-ALLOW-157.231.178.162 + destination { + group { + address-group DT_FW56496_1 + } + port 21 + } + protocol tcp + source { + address 157.231.178.162 + } + } + rule 3344 { + action accept + description FW56496_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW56496_1 + } + port 2443,1022 + } + protocol tcp + } + rule 3345 { + action accept + description FW56496_1-TCP_UDP-ALLOW-46.16.211.142 + destination { + group { + address-group DT_FW56496_1 + } + port 3389,21 + } + protocol tcp_udp + source { + address 46.16.211.142 + } + } + rule 3347 { + action accept + description FW2379F_14-GRE-ALLOW-ANY + destination { + group { + address-group DT_FW2379F_14 + } + } + protocol gre + } + rule 3348 { + action accept + description FW0E383_9-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0E383_9 + } + port 52000 + } + protocol tcp + } + rule 3350 { + action accept + description FWB4438_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWB4438_2 + } + port 993-995,7 + } + protocol tcp + } + rule 3351 { + action accept + description FW1F3D0_6-TCP_UDP-ALLOW-82.165.207.109 + destination { + group { + address-group DT_FW1F3D0_6 + } + port 4567-4568 + } + protocol tcp_udp + source { + address 82.165.207.109 + } + } + rule 3352 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.77 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.77 + } + } + rule 3358 { + action accept + description FW46F4A_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW46F4A_1 + } + port 51820 + } + protocol udp + } + rule 3359 { + action accept + description FW53C72_1-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW53C72_1 + } + port 48402 + } + protocol udp + } + rule 3360 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.251 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.210.251 + } + } + rule 3362 { + action accept + description FWAA38E_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWAA38E_1 + } + port 1001-65535 + } + protocol tcp_udp + } + rule 3363 { + action accept + description FW138F8_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FW138F8_1 + } + port 21,20 + } + protocol tcp_udp + } + rule 3364 { + action accept + description FW0BD92_3-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW0BD92_3 + } + port 18081,18080 + } + protocol tcp + } + rule 3365 { + action accept + description FWFEF05_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWFEF05_1 + } + port 1935 + } + protocol tcp_udp + } + rule 3367 { + action accept + description FW26846_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW26846_1 + } + port 8000 + } + protocol tcp + } + rule 3368 { + action accept + description FWB4438_2-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWB4438_2 + } + port 53 + } + protocol tcp_udp + } + rule 3369 { + action accept + description FWA884B_5-TCP-ALLOW-51.146.16.162 + destination { + group { + address-group DT_FWA884B_5 + } + port 8447,8443,22 + } + protocol tcp + source { + address 51.146.16.162 + } + } + rule 3370 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.22 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.22 + } + } + rule 3371 { + action accept + description FWFDE34_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWFDE34_1 + } + port 18081,18080 + } + protocol tcp + } + rule 3373 { + action accept + description FWB6101_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWB6101_1 + } + port 2280 + } + protocol tcp + } + rule 3377 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-123.231.84.203 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 123.231.84.203 + } + } + rule 3378 { + action accept + description FW1D511_2-TCP-ALLOW-92.29.46.47 + destination { + group { + address-group DT_FW1D511_2 + } + port 9090 + } + protocol tcp + source { + address 92.29.46.47 + } + } + rule 3386 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.208.175 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.208.175 + } + } + rule 3387 { + action accept + description FW1ACD9_2-TCP-ALLOW-89.197.148.38 + destination { + group { + address-group DT_FW1ACD9_2 + } + port 5015,22 + } + protocol tcp + source { + address 89.197.148.38 + } + } + rule 3388 { + action accept + description FW1ACD9_2-UDP-ALLOW-ANY + destination { + group { + address-group DT_FW1ACD9_2 + } + port 9000-10999,5090,5060 + } + protocol udp + } + rule 3389 { + action accept + description FW1ACD9_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW1ACD9_2 + } + port 5090,5060-5062 + } + protocol tcp + } + rule 3391 { + action accept + description FWA0B7F_1-TCP_UDP-ALLOW-ANY + destination { + group { + address-group DT_FWA0B7F_1 + } + port 53 + } + protocol tcp_udp + } + rule 3392 { + action accept + description FW56335_2-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW56335_2 + } + port 18081,18080 + } + protocol tcp + } + rule 3395 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.90 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.212.90 + } + } + rule 3396 { + action accept + description FW4D3E6_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW4D3E6_1 + } + port 18081,18080 + } + protocol tcp + } + rule 3397 { + action accept + description FWB118A_1-TCP-ALLOW-188.65.177.58 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 188.65.177.58 + } + } + rule 3398 { + action accept + description FWB118A_1-TCP-ALLOW-77.68.103.13 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 77.68.103.13 + } + } + rule 3399 { + action accept + description FWB118A_1-TCP-ALLOW-80.5.71.130 + destination { + group { + address-group DT_FWB118A_1 + } + port 49152-65534,8447,8443,22,21,20 + } + protocol tcp + source { + address 80.5.71.130 + } + } + rule 3402 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.205 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.205 + } + } + rule 3408 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.211.31 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.211.31 + } + } + rule 3409 { + action accept + description FW539FB_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FW539FB_1 + } + port 389 + } + protocol tcp + } + rule 3411 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.185 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.213.185 + } + } + rule 3415 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-116.206.245.124 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 116.206.245.124 + } + } + rule 3416 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.213.75 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.213.75 + } + } + rule 3417 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.34 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.34 + } + } + rule 3418 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.77.70 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.77.70 + } + } + rule 3419 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.92.33 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.92.33 + } + } + rule 3420 { + action accept + description FWEF92E_5-UDP-ALLOW-77.68.93.82 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 77.68.93.82 + } + } + rule 3421 { + action accept + description FWEF92E_5-UDP-ALLOW-88.208.198.93 + destination { + group { + address-group DT_FWEF92E_5 + } + port 500 + } + protocol udp + source { + address 88.208.198.93 + } + } + rule 3422 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.94 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.94 + } + } + rule 3424 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.244 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.244 + } + } + rule 3425 { + action accept + description FW18E6E_3-TCP-ALLOW-148.253.173.246 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 148.253.173.246 + } + } + rule 3426 { + action accept + description FW18E6E_3-TCP-ALLOW-195.97.222.122 + destination { + group { + address-group DT_FW18E6E_3 + } + port 3306 + } + protocol tcp + source { + address 195.97.222.122 + } + } + rule 3431 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.111 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.209.111 + } + } + rule 3432 { + action accept + description FW06940_3-TCP_UDP-ALLOW-74.208.41.119 + destination { + group { + address-group DT_FW06940_3 + } + port 1-65535 + } + protocol tcp_udp + source { + address 74.208.41.119 + } + } + rule 3438 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.252 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.252 + } + } + rule 3440 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.118 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.214.118 + } + } + rule 3442 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.209.15 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.209.15 + } + } + rule 3446 { + action accept + description FWC32BE_1-ANY-ALLOW-3.65.3.75 + destination { + group { + address-group DT_FWC32BE_1 + } + } + source { + address 3.65.3.75 + } + } + rule 3447 { + action accept + description FWC32BE_1-TCP-ALLOW-217.155.2.52 + destination { + group { + address-group DT_FWC32BE_1 + } + port 22 + } + protocol tcp + source { + address 217.155.2.52 + } + } + rule 3448 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.243 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.214.243 + } + } + rule 3449 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.214.117 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000,3389 + } + protocol tcp_udp + source { + address 112.134.214.117 + } + } + rule 3450 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.4 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.4 + } + } + rule 3452 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.210.177 + destination { + group { + address-group DT_FWA7A50_1 + } + port 9000 + } + protocol tcp_udp + source { + address 112.134.210.177 + } + } + rule 3454 { + action accept + description FWD498E_1-TCP-ALLOW-ANY + destination { + group { + address-group DT_FWD498E_1 + } + port 44158 + } + protocol tcp + } + rule 3455 { + action accept + description FWA7A50_1-TCP_UDP-ALLOW-112.134.212.147 + destination { + group { + address-group DT_FWA7A50_1 + } + port 3389 + } + protocol tcp_udp + source { + address 112.134.212.147 + } + } + } + receive-redirects disable + send-redirects disable + source-validation disable + state-policy { + established { + action accept + } + invalid { + action drop + } + related { + action accept + } + } + syn-cookies enable + twa-hazards-protection disable +} +high-availability { + vrrp { + group eth3-90 { + advertise-interval 3 + authentication { + password Ng-1p90 + type plaintext-password + } + interface eth3 + preempt-delay 30 + priority 10 + virtual-address 10.255.255.1/32 + virtual-address 169.254.169.254/32 + vrid 90 + } + sync-group VRRP-GROUP { + member eth3-90 + } + } +} +interfaces { + ethernet eth0 { + address 10.4.35.105/24 + description Management + duplex auto + smp-affinity auto + speed auto + } + ethernet eth1 { + description MicroVLANs + duplex auto + smp-affinity auto + speed auto + vif 3201 { + address 109.228.63.251/25 + description "MicroVLAN publica" + firewall { + in { + name WAN-INBOUND + } + local { + name LOCAL-WAN + } + } + } + } + ethernet eth2 { + address 10.4.51.133/30 + description Sync + duplex auto + firewall { + local { + name LOCAL-SYNC + } + } + smp-affinity auto + speed auto + } + ethernet eth3 { + address 10.255.255.2/20 + description "Customers LAN" + duplex auto + firewall { + in { + name LAN-INBOUND + } + local { + name LOCAL-LAN + } + } + smp-affinity auto + speed auto + } + loopback lo { + address 10.4.35.105/32 + } +} +nat { + destination { + rule 5 { + description cloud-init + destination { + address 169.254.169.254 + port http + } + inbound-interface eth3 + protocol tcp + translation { + address 82.223.45.35 + } + } + rule 20 { + description "TEMPORARY NAT for dnscache removal in favor of anycns" + destination { + address 77.68.76.12 + port domain + } + inbound-interface eth3 + protocol tcp_udp + translation { + address 212.227.123.16 + } + } + rule 25 { + description "TEMPORARY NAT for dnscache removal in favor of anycns" + destination { + address 77.68.77.12 + port domain + } + inbound-interface eth3 + protocol tcp_udp + translation { + address 212.227.123.17 + } + } + } +} +policy { + community-list 100 { + rule 10 { + action permit + regex 65500:1001 + } + } + community-list 200 { + rule 10 { + action permit + regex "65500:10**" + } + } + prefix-list Service-NETs { + rule 1 { + action permit + ge 32 + prefix 0.0.0.0/0 + } + } + route-map Any-Site-1 { + rule 10 { + action permit + match { + community { + community-list 200 + } + } + } + rule 20 { + action deny + } + } + route-map CLOUD-Service-NETs { + rule 10 { + action permit + match { + ip { + address { + prefix-list Service-NETs + } + } + } + set { + community 65500:1027 + } + } + rule 20 { + action deny + } + } + route-map None { + rule 10 { + action deny + } + } +} +protocols { + bgp 8560 { + address-family { + ipv4-unicast { + redistribute { + static { + } + } + } + } + neighbor 109.228.63.134 { + address-family { + ipv4-unicast { + route-map { + export CLOUD-Service-NETs + import Any-Site-1 + } + weight 150 + } + } + description RouteServer1-vyos + password VyOS123 + remote-as 8560 + timers { + holdtime 5 + keepalive 1 + } + } + neighbor 109.228.63.135 { + address-family { + ipv4-unicast { + route-map { + export CLOUD-Service-NETs + import Any-Site-1 + } + weight 125 + } + } + description RouteServer2-quagga + password VyOS123 + remote-as 8560 + } + neighbor 109.228.63.136 { + address-family { + ipv4-unicast { + route-map { + export CLOUD-Service-NETs + import Any-Site-1 + } + weight 100 + } + } + description RouteServer3-bird + password VyOS123 + remote-as 8560 + } + parameters { + log-neighbor-changes + router-id 10.4.35.105 + } + } + static { + interface-route 77.68.2.215/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.52/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.61/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.80/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.121/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.144/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.161/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.194/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.3.247/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.22/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.24/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.25/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.39/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.57/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.74/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.80/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.111/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.136/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.180/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.242/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.4.252/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.95/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.125/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.155/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.166/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.187/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.5.241/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.32/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.105/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.110/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.119/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.6.210/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.67/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.114/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.123/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.160/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.172/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.186/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.222/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.7.227/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.8.144/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.9.75/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.9.186/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.10.142/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.10.152/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.10.170/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.11.140/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.12.45/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.12.195/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.12.250/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.13.76/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.13.137/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.14.88/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.15.95/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.16.247/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.17.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.17.186/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.17.200/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.20.161/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.20.217/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.20.231/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.21.78/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.21.171/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.22.146/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.23.35/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.23.64/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.23.112/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.23.158/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.59/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.63/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.112/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.134/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.172/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.24.220/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.25.124/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.25.130/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.25.146/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.26.166/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.26.216/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.26.221/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.26.228/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.18/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.27/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.28/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.54/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.57/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.27.211/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.28.139/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.28.145/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.28.147/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.28.207/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.29.65/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.29.178/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.30.133/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.30.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.31.96/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.31.144/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.31/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.43/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.83/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.86/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.89/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.118/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.32.254/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.24/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.37/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.48/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.68/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.171/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.197/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.33.216/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.34.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.34.28/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.34.50/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.34.138/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.34.139/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.35.116/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.48.14/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.48.81/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.48.89/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.48.105/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.48.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.4/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.12/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.126/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.152/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.159/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.160/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.161/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.49.178/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.50.90/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.50.91/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.50.142/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.50.193/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.50.198/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.51.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.51.214/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.72.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.72.254/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.73.73/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.74.39/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.74.85/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.74.152/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.74.209/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.74.232/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.75.45/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.75.64/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.75.113/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.75.245/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.75.253/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.12/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.13/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.14/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.16/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.19/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.20/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.21/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.22/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.23/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.25/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.29/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.30/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.31/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.33/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.35/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.37/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.38/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.39/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.40/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.42/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.44/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.45/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.47/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.48/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.49/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.50/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.54/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.55/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.57/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.58/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.59/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.60/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.61/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.74/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.75/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.76/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.77/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.80/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.88/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.91/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.92/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.93/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.94/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.95/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.96/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.99/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.102/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.104/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.105/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.107/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.108/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.110/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.111/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.112/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.114/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.115/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.116/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.118/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.120/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.122/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.123/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.124/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.126/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.127/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.136/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.137/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.138/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.139/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.141/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.142/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.145/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.148/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.149/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.150/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.152/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.157/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.158/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.160/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.161/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.165/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.169/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.171/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.176/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.177/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.181/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.183/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.185/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.187/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.191/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.195/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.197/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.198/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.200/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.203/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.208/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.209/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.211/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.212/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.217/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.219/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.220/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.228/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.229/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.231/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.234/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.235/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.239/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.241/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.243/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.244/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.245/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.247/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.248/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.249/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.250/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.251/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.252/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.253/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.76.254/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.12/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.13/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.14/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.16/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.19/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.21/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.22/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.24/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.29/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.30/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.32/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.33/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.37/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.38/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.42/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.43/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.44/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.46/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.49/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.50/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.53/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.54/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.56/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.57/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.59/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.62/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.63/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.65/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.67/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.68/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.69/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.70/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.71/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.72/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.74/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.75/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.76/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.77/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.79/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.81/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.85/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.88/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.90/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.92/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.95/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.97/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.99/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.100/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.102/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.103/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.105/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.107/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.108/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.114/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.115/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.117/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.120/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.124/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.128/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.129/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.130/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.132/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.137/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.139/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.140/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.141/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.144/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.145/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.149/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.150/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.151/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.152/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.156/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.157/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.159/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.160/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.161/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.163/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.165/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.171/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.174/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.176/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.178/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.181/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.185/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.190/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.192/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.199/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.200/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.201/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.203/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.204/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.205/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.207/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.208/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.209/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.211/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.212/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.214/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.215/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.219/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.221/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.222/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.227/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.228/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.231/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.233/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.234/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.236/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.238/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.239/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.240/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.243/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.247/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.248/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.249/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.251/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.253/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.77.254/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.78.73/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.78.113/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.78.229/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.79.82/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.79.89/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.79.206/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.80.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.80.97/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.81.44/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.81.141/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.81.218/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.82.147/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.82.157/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.83.41/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.84.147/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.84.155/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.85.18/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.85.27/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.85.73/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.85.115/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.85.172/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.86.40/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.86.148/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.87.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.87.212/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.88.100/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.88.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.89.72/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.89.183/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.89.247/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.90.106/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.90.132/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.91.22/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.91.128/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.91.195/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.92.92/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.92.186/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.93.125/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.93.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.93.246/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.94.181/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.95.42/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.95.212/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.100.77/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.100.132/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.100.134/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.100.150/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.100.167/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.101.64/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.101.124/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.101.125/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.102.5/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.102.129/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.103.19/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.103.56/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.103.120/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.103.147/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.103.227/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.75/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.83/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.90/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.91/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.167/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.175/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.184/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.213/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.112.248/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.113.117/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.113.164/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.93/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.136/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.183/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.205/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.234/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.114.237/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.115.17/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.115.142/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.36/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.52/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.84/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.119/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.183/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.220/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.221/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.116.232/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.29/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.45/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.51/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.142/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.173/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.202/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.214/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.117.222/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.15/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.17/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.86/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.88/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.102/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.104/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.118.120/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.119.14/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.119.92/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.119.188/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.26/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.31/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.45/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.146/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.218/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.229/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.241/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.120.249/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.121.94/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.121.106/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.121.119/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.121.127/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.122.89/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.122.195/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.122.241/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.123.177/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.123.250/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.125.32/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.125.60/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.125.218/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.126.14/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.126.22/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.126.51/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.126.101/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.126.160/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.127.151/32 { + next-hop-interface eth3 { + } + } + interface-route 77.68.127.172/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.196.91/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.196.92/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.196.123/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.196.154/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.10/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.23/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.60/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.118/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.129/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.135/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.150/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.155/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.160/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.197.208/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.39/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.64/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.66/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.69/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.92/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.198.251/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.199.46/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.199.141/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.199.233/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.199.249/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.212.31/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.212.94/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.212.182/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.212.188/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.215.19/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.215.61/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.215.62/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.215.121/32 { + next-hop-interface eth3 { + } + } + interface-route 88.208.215.157/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.35.84/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.35.110/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.37/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.79/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.119/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.174/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.194/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.36.229/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.37.10/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.37.114/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.37.174/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.37.187/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.37.240/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.38.117/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.38.171/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.38.201/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.39.41/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.39.151/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.39.157/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.39.249/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.194/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.195/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.207/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.222/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.226/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.40.247/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.42.232/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.46.81/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.46.196/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.47.223/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.48.249/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.52.186/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.53.243/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.55.82/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.56.26/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.56.97/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.56.185/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.56.242/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.58.134/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.59.247/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.60.215/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.61.31/32 { + next-hop-interface eth3 { + } + } + interface-route 109.228.61.37/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.7/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.17/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.24/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.56/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.60/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.142/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.36.148/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.23/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.47/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.83/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.101/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.102/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.37.133/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.95/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.114/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.142/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.182/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.216/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.38.248/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.37/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.44/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.68/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.99/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.109/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.129/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.145/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.39.219/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.11/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.56/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.90/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.124/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.152/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.166/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.40.244/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.41.72/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.41.73/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.41.148/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.41.240/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.6/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.28/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.71/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.98/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.113/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.157/32 { + next-hop-interface eth3 { + } + } + interface-route 185.132.43.164/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.208.40/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.208.58/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.208.176/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.209.217/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.210.19/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.210.25/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.210.59/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.210.155/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.210.177/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.211.128/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.71/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.89/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.90/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.114/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.136/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.171/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.172/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.212.203/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.31/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.41/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.42/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.97/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.175/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.213.242/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.214.96/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.214.102/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.214.167/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.214.234/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.215.43/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.215.184/32 { + next-hop-interface eth3 { + } + } + interface-route 213.171.215.252/32 { + next-hop-interface eth3 { + } + } + route 0.0.0.0/0 { + next-hop 109.228.63.129 { + } + } + route 10.0.0.0/8 { + next-hop 10.4.35.1 { + } + } + route 10.7.197.0/24 { + next-hop 109.228.63.240 { + } + } + route 172.16.0.0/12 { + next-hop 10.4.35.1 { + } + } + route 192.168.0.0/16 { + next-hop 10.4.35.1 { + } + } + } +} +service { + lldp { + legacy-protocols { + cdp + } + snmp { + enable + } + } + snmp { + community 1Trpq25 { + authorization ro + } + contact network@arsys.es + description gb-glo-sg4ng1fw27-01 + listen-address 10.4.35.105 { + port 161 + } + location NGCS + trap-target 10.4.36.64 { + community 1Trpq25 + port 162 + } + trap-target 172.21.15.200 { + community 1Trpq25 + port 162 + } + } + ssh { + listen-address 10.4.35.105 + listen-address 10.4.51.133 + port 22 + } +} +system { + config-management { + commit-revisions 20 + } + conntrack { + expect-table-size 8192 + hash-size 262144 + modules { + sip { + disable + } + } + table-size 2097152 + timeout { + icmp 30 + other 120 + tcp { + close 10 + close-wait 60 + established 3600 + fin-wait 30 + last-ack 30 + syn-recv 5 + syn-sent 5 + time-wait 5 + } + udp { + other 10 + stream 10 + } + } + } + console { + device ttyS0 { + speed 115200 + } + } + host-name gb-glo-sg4ng1fw27-01 + ip { + arp { + table-size 2048 + } + } + ipv6 { + disable + } + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + } + } + name-server 10.4.36.16 + name-server 10.4.37.16 + ntp { + server glo-ntp1.por-ngcs.lan { + } + server glo-ntp2.por-ngcs.lan { + } + } + syslog { + global { + facility all { + level notice + } + facility protocols { + level info + } + } + host 10.4.36.23 { + facility all { + level all + } + facility protocols { + level info + } + facility user { + level err + } + } + user all { + facility all { + level emerg + } + } + } + time-zone Europe/Madrid +} + + +/* Warning: Do not remove the following line. */ +/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@10:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */ +/* Release version: 1.2.6-S1 */ + diff --git a/smoketest/configs/basic-vyos b/smoketest/configs/basic-vyos index 493feed5b..e6f89954f 100644 --- a/smoketest/configs/basic-vyos +++ b/smoketest/configs/basic-vyos @@ -6,16 +6,68 @@ interfaces { speed auto } ethernet eth1 { - address 100.64.0.0/31 duplex auto smp-affinity auto speed auto } + ethernet eth2 { + duplex auto + smp-affinity auto + speed auto + vif 100 { + address 100.100.0.1/24 + } + vif-s 200 { + address 100.64.200.254/24 + vif-c 201 { + address 100.64.201.254/24 + } + vif-c 202 { + address 100.64.202.254/24 + } + } + } loopback lo { } } protocols { static { + arp 192.168.0.20 { + hwaddr 00:50:00:00:00:20 + } + arp 192.168.0.30 { + hwaddr 00:50:00:00:00:30 + } + arp 192.168.0.40 { + hwaddr 00:50:00:00:00:40 + } + arp 100.100.0.2 { + hwaddr 00:50:00:00:02:02 + } + arp 100.100.0.3 { + hwaddr 00:50:00:00:02:03 + } + arp 100.100.0.4 { + hwaddr 00:50:00:00:02:04 + } + arp 100.64.200.1 { + hwaddr 00:50:00:00:00:01 + } + arp 100.64.200.2 { + hwaddr 00:50:00:00:00:02 + } + arp 100.64.201.10 { + hwaddr 00:50:00:00:00:10 + } + arp 100.64.201.20 { + hwaddr 00:50:00:00:00:20 + } + arp 100.64.202.30 { + hwaddr 00:50:00:00:00:30 + } + arp 100.64.202.40 { + hwaddr 00:50:00:00:00:40 + } route 0.0.0.0/0 { next-hop 100.64.0.1 { } diff --git a/smoketest/configs/bgp-big-as-cloud b/smoketest/configs/bgp-big-as-cloud index 10660ec87..65819256e 100644 --- a/smoketest/configs/bgp-big-as-cloud +++ b/smoketest/configs/bgp-big-as-cloud @@ -982,6 +982,10 @@ policy { } } } + set { + as-path-exclude "100 200 300" + as-path-prepend "64512 64512 64512" + } } rule 100 { action deny diff --git a/smoketest/configs/qos-basic b/smoketest/configs/qos-basic new file mode 100644 index 000000000..f94a5650d --- /dev/null +++ b/smoketest/configs/qos-basic @@ -0,0 +1,205 @@ +interfaces { + ethernet eth0 { + address 10.1.1.100/24 + traffic-policy { + out FS + } + } + ethernet eth1 { + address 10.2.1.1/24 + traffic-policy { + out M2 + } + } + ethernet eth2 { + address 10.9.9.1/24 + traffic-policy { + out MY-HTB + } + } + loopback lo { + } +} +protocols { + static { + route 0.0.0.0/0 { + next-hop 10.9.9.2 { + } + next-hop 10.1.1.1 { + } + } + } +} +system { + config-management { + commit-revisions 10 + } + conntrack { + modules { + ftp + h323 + nfs + pptp + sip + sqlnet + tftp + } + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$r/Yw/07NXNY$/ZB.Rjf9jxEV.BYoDyLdH.kH14rU52pOBtrX.4S34qlPt77chflCHvpTCq9a6huLzwaMR50rEICzA5GoIRZlM0 + plaintext-password "" + } + } + } + ntp { + server time1.vyos.net { + } + server time2.vyos.net { + } + server time3.vyos.net { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } +} +traffic-policy { + shaper M2 { + bandwidth auto + class 10 { + bandwidth 100% + burst 15k + match ADDRESS10 { + ip { + dscp CS4 + } + } + queue-type fair-queue + set-dscp CS5 + } + default { + bandwidth 10mbit + burst 15k + queue-type fair-queue + } + } + shaper MY-HTB { + bandwidth 10mbit + class 30 { + bandwidth 10% + burst 15k + ceiling 50% + match ADDRESS30 { + ip { + source { + address 10.1.1.0/24 + } + } + } + priority 5 + queue-type fair-queue + } + class 40 { + bandwidth 90% + burst 15k + ceiling 100% + match ADDRESS40 { + ip { + dscp CS4 + source { + address 10.2.1.0/24 + } + } + } + priority 5 + queue-type fair-queue + } + class 50 { + bandwidth 100% + burst 15k + match ADDRESS50 { + ip { + dscp CS5 + } + } + queue-type fair-queue + set-dscp CS7 + } + default { + bandwidth 10% + burst 15k + ceiling 100% + priority 7 + queue-type fair-queue + set-dscp CS1 + } + } + shaper FS { + bandwidth auto + class 10 { + bandwidth 100% + burst 15k + match ADDRESS10 { + ip { + source { + address 172.17.1.2/32 + } + } + } + queue-type fair-queue + set-dscp CS4 + } + class 20 { + bandwidth 100% + burst 15k + match ADDRESS20 { + ip { + source { + address 172.17.1.3/32 + } + } + } + queue-type fair-queue + set-dscp CS5 + } + class 30 { + bandwidth 100% + burst 15k + match ADDRESS30 { + ip { + source { + address 172.17.1.4/32 + } + } + } + queue-type fair-queue + set-dscp CS6 + } + default { + bandwidth 10% + burst 15k + ceiling 100% + priority 7 + queue-type fair-queue + } + } +} +// Warning: Do not remove the following line. +// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1" +// Release version: 1.3.1 + diff --git a/smoketest/scripts/cli/base_interfaces_test.py b/smoketest/scripts/cli/base_interfaces_test.py index ba5acf5d6..816ba6dcd 100644 --- a/smoketest/scripts/cli/base_interfaces_test.py +++ b/smoketest/scripts/cli/base_interfaces_test.py @@ -78,18 +78,25 @@ class BasicInterfaceTest: # choose IPv6 minimum MTU value for tests - this must always work _mtu = '1280' - def setUp(self): + @classmethod + def setUpClass(cls): + super(BasicInterfaceTest.TestCase, cls).setUpClass() + # Setup mirror interfaces for SPAN (Switch Port Analyzer) - for span in self._mirror_interfaces: + for span in cls._mirror_interfaces: section = Section.section(span) - self.cli_set(['interfaces', section, span]) + cls.cli_set(cls, ['interfaces', section, span]) - def tearDown(self): + @classmethod + def tearDownClass(cls): # Tear down mirror interfaces for SPAN (Switch Port Analyzer) - for span in self._mirror_interfaces: + for span in cls._mirror_interfaces: section = Section.section(span) - self.cli_delete(['interfaces', section, span]) + cls.cli_delete(cls, ['interfaces', section, span]) + super(BasicInterfaceTest.TestCase, cls).tearDownClass() + + def tearDown(self): self.cli_delete(self._base_path) self.cli_commit() @@ -232,6 +239,7 @@ class BasicInterfaceTest: self.cli_commit() for interface in self._interfaces: + self.assertIn(AF_INET6, ifaddresses(interface)) for addr in ifaddresses(interface)[AF_INET6]: self.assertTrue(is_ipv6_link_local(addr['addr'])) diff --git a/smoketest/scripts/cli/base_vyostest_shim.py b/smoketest/scripts/cli/base_vyostest_shim.py index 1652aa0d6..7cfb53045 100644 --- a/smoketest/scripts/cli/base_vyostest_shim.py +++ b/smoketest/scripts/cli/base_vyostest_shim.py @@ -16,6 +16,7 @@ import os import unittest from time import sleep +from typing import Type from vyos.configsession import ConfigSession from vyos.configsession import ConfigSessionError @@ -85,3 +86,17 @@ class VyOSUnitTestSHIM: print(f'\n\ncommand "{command}" returned:\n') pprint.pprint(out) return out + +# standard construction; typing suggestion: https://stackoverflow.com/a/70292317 +def ignore_warning(warning: Type[Warning]): + import warnings + from functools import wraps + + def inner(f): + @wraps(f) + def wrapped(*args, **kwargs): + with warnings.catch_warnings(): + warnings.simplefilter("ignore", category=warning) + return f(*args, **kwargs) + return wrapped + return inner diff --git a/smoketest/scripts/cli/test_firewall.py b/smoketest/scripts/cli/test_firewall.py index f72dfb1f4..b8f944575 100755 --- a/smoketest/scripts/cli/test_firewall.py +++ b/smoketest/scripts/cli/test_firewall.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -36,12 +36,23 @@ sysfs_config = { } class TestFirewall(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self.cli_set(['interfaces', 'ethernet', 'eth0', 'address', '172.16.10.1/24']) + @classmethod + def setUpClass(cls): + super(TestFirewall, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, ['firewall']) + + cls.cli_set(cls, ['interfaces', 'ethernet', 'eth0', 'address', '172.16.10.1/24']) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['interfaces', 'ethernet', 'eth0', 'address', '172.16.10.1/24']) + super(TestFirewall, cls).tearDownClass() def tearDown(self): - self.cli_delete(['interfaces', 'ethernet', 'eth0']) - self.cli_commit() + self.cli_delete(['interfaces', 'ethernet', 'eth0', 'firewall']) self.cli_delete(['firewall']) self.cli_commit() diff --git a/smoketest/scripts/cli/test_interfaces_bonding.py b/smoketest/scripts/cli/test_interfaces_bonding.py index 4f2fe979a..237abb487 100755 --- a/smoketest/scripts/cli/test_interfaces_bonding.py +++ b/smoketest/scripts/cli/test_interfaces_bonding.py @@ -55,7 +55,7 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase): cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(BondingInterfaceTest, cls).setUpClass() def test_add_single_ip_address(self): super().test_add_single_ip_address() @@ -165,5 +165,27 @@ class BondingInterfaceTest(BasicInterfaceTest.TestCase): self.cli_commit() + def test_bonding_uniq_member_description(self): + ethernet_path = ['interfaces', 'ethernet'] + for interface in self._interfaces: + for option in self._options.get(interface, []): + self.cli_set(self._base_path + [interface] + option.split()) + + self.cli_commit() + + # Add any changes on bonding members + # For example add description on separate ethX interfaces + for interface in self._interfaces: + for member in self._members: + self.cli_set(ethernet_path + [member, 'description', member + '_interface']) + + self.cli_commit() + + # verify config + for interface in self._interfaces: + slaves = read_file(f'/sys/class/net/{interface}/bonding/slaves').split() + for member in self._members: + self.assertIn(member, slaves) + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_bridge.py b/smoketest/scripts/cli/test_interfaces_bridge.py index f2e111425..ca0ead9e8 100755 --- a/smoketest/scripts/cli/test_interfaces_bridge.py +++ b/smoketest/scripts/cli/test_interfaces_bridge.py @@ -56,7 +56,7 @@ class BridgeInterfaceTest(BasicInterfaceTest.TestCase): cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(BridgeInterfaceTest, cls).setUpClass() def tearDown(self): for intf in self._interfaces: diff --git a/smoketest/scripts/cli/test_interfaces_dummy.py b/smoketest/scripts/cli/test_interfaces_dummy.py index dedc6fe05..d96ec2c5d 100755 --- a/smoketest/scripts/cli/test_interfaces_dummy.py +++ b/smoketest/scripts/cli/test_interfaces_dummy.py @@ -24,7 +24,7 @@ class DummyInterfaceTest(BasicInterfaceTest.TestCase): cls._base_path = ['interfaces', 'dummy'] cls._interfaces = ['dum435', 'dum8677', 'dum0931', 'dum089'] # call base-classes classmethod - super(cls, cls).setUpClass() + super(DummyInterfaceTest, cls).setUpClass() if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_ethernet.py b/smoketest/scripts/cli/test_interfaces_ethernet.py index ee7649af8..05d2ae5f5 100755 --- a/smoketest/scripts/cli/test_interfaces_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_ethernet.py @@ -18,13 +18,19 @@ import os import re import unittest +from netifaces import AF_INET +from netifaces import AF_INET6 +from netifaces import ifaddresses + from base_interfaces_test import BasicInterfaceTest from vyos.configsession import ConfigSessionError from vyos.ifconfig import Section from vyos.pki import CERT_BEGIN +from vyos.template import is_ipv6 from vyos.util import cmd from vyos.util import process_named_running from vyos.util import read_file +from vyos.validate import is_ipv6_link_local server_ca_root_cert_data = """ MIIBcTCCARagAwIBAgIUDcAf1oIQV+6WRaW7NPcSnECQ/lUwCgYIKoZIzj0EAwIw @@ -128,7 +134,7 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): cls._macs[interface] = read_file(f'/sys/class/net/{interface}/address') # call base-classes classmethod - super(cls, cls).setUpClass() + super(EthernetInterfaceTest, cls).setUpClass() def tearDown(self): for interface in self._interfaces: @@ -140,13 +146,20 @@ class EthernetInterfaceTest(BasicInterfaceTest.TestCase): self.cli_set(self._base_path + [interface, 'speed', 'auto']) self.cli_set(self._base_path + [interface, 'hw-id', self._macs[interface]]) - # Tear down mirror interfaces for SPAN (Switch Port Analyzer) - for span in self._mirror_interfaces: - section = Section.section(span) - self.cli_delete(['interfaces', section, span]) - self.cli_commit() + # Verify that no address remains on the system as this is an eternal + # interface. + for intf in self._interfaces: + self.assertNotIn(AF_INET, ifaddresses(intf)) + # required for IPv6 link-local address + self.assertIn(AF_INET6, ifaddresses(intf)) + for addr in ifaddresses(intf)[AF_INET6]: + # checking link local addresses makes no sense + if is_ipv6_link_local(addr['addr']): + continue + self.assertFalse(is_intf_addr_assigned(intf, addr['addr'])) + def test_offloading_rps(self): # enable RPS on all available CPUs, RPS works woth a CPU bitmask, # where each bit represents a CPU (core/thread). The formula below diff --git a/smoketest/scripts/cli/test_interfaces_geneve.py b/smoketest/scripts/cli/test_interfaces_geneve.py index 6233ade6e..0e5098aa7 100755 --- a/smoketest/scripts/cli/test_interfaces_geneve.py +++ b/smoketest/scripts/cli/test_interfaces_geneve.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020-2021 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -34,7 +34,7 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase): } cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(GeneveInterfaceTest, cls).setUpClass() def test_geneve_parameters(self): tos = '40' @@ -43,7 +43,7 @@ class GeneveInterfaceTest(BasicInterfaceTest.TestCase): for option in self._options.get(intf, []): self.cli_set(self._base_path + [intf] + option.split()) - self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'dont-fragment']) + self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set']) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos]) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)]) ttl += 10 diff --git a/smoketest/scripts/cli/test_interfaces_l2tpv3.py b/smoketest/scripts/cli/test_interfaces_l2tpv3.py index 06ced5c40..aed8e6f15 100755 --- a/smoketest/scripts/cli/test_interfaces_l2tpv3.py +++ b/smoketest/scripts/cli/test_interfaces_l2tpv3.py @@ -39,7 +39,7 @@ class L2TPv3InterfaceTest(BasicInterfaceTest.TestCase): } cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(L2TPv3InterfaceTest, cls).setUpClass() def test_add_single_ip_address(self): super().test_add_single_ip_address() diff --git a/smoketest/scripts/cli/test_interfaces_loopback.py b/smoketest/scripts/cli/test_interfaces_loopback.py index 85b5ca6d6..5ff9c250e 100755 --- a/smoketest/scripts/cli/test_interfaces_loopback.py +++ b/smoketest/scripts/cli/test_interfaces_loopback.py @@ -29,7 +29,7 @@ class LoopbackInterfaceTest(BasicInterfaceTest.TestCase): cls._base_path = ['interfaces', 'loopback'] cls._interfaces = ['lo'] # call base-classes classmethod - super(cls, cls).setUpClass() + super(LoopbackInterfaceTest, cls).setUpClass() def tearDown(self): self.cli_delete(self._base_path) diff --git a/smoketest/scripts/cli/test_interfaces_macsec.py b/smoketest/scripts/cli/test_interfaces_macsec.py index 5b10bfa44..e5e5a558e 100755 --- a/smoketest/scripts/cli/test_interfaces_macsec.py +++ b/smoketest/scripts/cli/test_interfaces_macsec.py @@ -53,7 +53,7 @@ class MACsecInterfaceTest(BasicInterfaceTest.TestCase): cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(MACsecInterfaceTest, cls).setUpClass() def test_macsec_encryption(self): # MACsec can be operating in authentication and encryption mode - both diff --git a/smoketest/scripts/cli/test_interfaces_openvpn.py b/smoketest/scripts/cli/test_interfaces_openvpn.py index f8a6ae986..b2143d16e 100755 --- a/smoketest/scripts/cli/test_interfaces_openvpn.py +++ b/smoketest/scripts/cli/test_interfaces_openvpn.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -37,10 +37,46 @@ PROCESS_NAME = 'openvpn' base_path = ['interfaces', 'openvpn'] -cert_data = 'MIICFDCCAbugAwIBAgIUfMbIsB/ozMXijYgUYG80T1ry+mcwCgYIKoZIzj0EAwIwWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MB4XDTIxMDcyMDEyNDUxMloXDTI2MDcxOTEyNDUxMlowWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01HrLcNttqq4/PtoMua8rMWEkOdBu7vP94xzDO7A8C92ls1v86eePy4QllKCzIw3QxBIoCuH2peGRfWgPRdFsKNhMF8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSu+JnU5ZC4mkuEpqg2+Mk4K79oeDAKBggqhkjOPQQDAgNHADBEAiBEFdzQ/Bc3LftzngrY605UhA6UprHhAogKgROv7iR4QgIgEFUxTtW3xXJcnUPWhhUFhyZoqfn8dE93+dm/LDnp7C0=' -key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' -dh_data = 'MIIBCAKCAQEApzGAPcQlLJiOyfGZgl1qxNgufXkdpjG7lMaOrO4TGr1giFe3jIFOFxJNC/G9Dn+KSukaWssVVR+Jwr/JesZFPawihS03wC7cZsccykNRIjiteqJDwYJZUHieOxyCuCeY4pqOUCl1uswRGjLvIFtwynpnXKKuz2YtjNifma90PEgv/vVWKix+Q0TAbdbzJzO5xp8UVn9DuYfSr10k3LbDqDM7w5ezHZxFk24S5pN/yoOpdbxB8TS67q3IYXxR3F+RseKu4J3AvkxXSP1j7COXddPpLnvbJT/SW8NrjuC/n0eKGvmeyqNv108Y89jnT79MxMMRQk66iwlsd1m4pa/OYwIBAg==' -ovpn_key_data = '443f2a710ac411c36894b2531e62c4550b079b8f3f08997f4be57c64abfdaaa431d2396b01ecec3a2c0618959e8186d99f489742d25673ffb3268841ebb2e7042a2daabe584e79d51d2b1d7409bf8840f7e42efa3e660a521719b04ee88b9043e6315ae12da7c9abd55f67eeed71a9ee8c6e163b5d2661fc332cf90cb45658b4adf892f79537d37d3a3d90da283ce885adf325ffd2b5be92067cdf0345c7712c9d36b642c170351b6d9ce9f6230c7a2617b0c181121bce7d5373404fb68e65210b36e6d40ef2769cf8990503859f6f2db3c85ba74420430a6250d6a74ca51ece4b85124bfdfec0c8a530cefa7350378d81a4539f74bed832a902ae4798142e4a' +cert_data = """ +MIICFDCCAbugAwIBAgIUfMbIsB/ozMXijYgUYG80T1ry+mcwCgYIKoZIzj0EAwIw +WTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv +bWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MB4XDTIx +MDcyMDEyNDUxMloXDTI2MDcxOTEyNDUxMlowWTELMAkGA1UEBhMCR0IxEzARBgNV +BAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlP +UzESMBAGA1UEAwwJVnlPUyBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +01HrLcNttqq4/PtoMua8rMWEkOdBu7vP94xzDO7A8C92ls1v86eePy4QllKCzIw3 +QxBIoCuH2peGRfWgPRdFsKNhMF8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E +BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSu ++JnU5ZC4mkuEpqg2+Mk4K79oeDAKBggqhkjOPQQDAgNHADBEAiBEFdzQ/Bc3Lftz +ngrY605UhA6UprHhAogKgROv7iR4QgIgEFUxTtW3xXJcnUPWhhUFhyZoqfn8dE93 ++dm/LDnp7C0= +""" + +key_data = """ +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx +2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7 +u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww +""" + +dh_data = """ +MIIBCAKCAQEApzGAPcQlLJiOyfGZgl1qxNgufXkdpjG7lMaOrO4TGr1giFe3jIFO +FxJNC/G9Dn+KSukaWssVVR+Jwr/JesZFPawihS03wC7cZsccykNRIjiteqJDwYJZ +UHieOxyCuCeY4pqOUCl1uswRGjLvIFtwynpnXKKuz2YtjNifma90PEgv/vVWKix+ +Q0TAbdbzJzO5xp8UVn9DuYfSr10k3LbDqDM7w5ezHZxFk24S5pN/yoOpdbxB8TS6 +7q3IYXxR3F+RseKu4J3AvkxXSP1j7COXddPpLnvbJT/SW8NrjuC/n0eKGvmeyqNv +108Y89jnT79MxMMRQk66iwlsd1m4pa/OYwIBAg== +""" + +ovpn_key_data = """ +443f2a710ac411c36894b2531e62c4550b079b8f3f08997f4be57c64abfdaaa4 +31d2396b01ecec3a2c0618959e8186d99f489742d25673ffb3268841ebb2e704 +2a2daabe584e79d51d2b1d7409bf8840f7e42efa3e660a521719b04ee88b9043 +e6315ae12da7c9abd55f67eeed71a9ee8c6e163b5d2661fc332cf90cb45658b4 +adf892f79537d37d3a3d90da283ce885adf325ffd2b5be92067cdf0345c7712c +9d36b642c170351b6d9ce9f6230c7a2617b0c181121bce7d5373404fb68e6521 +0b36e6d40ef2769cf8990503859f6f2db3c85ba74420430a6250d6a74ca51ece +4b85124bfdfec0c8a530cefa7350378d81a4539f74bed832a902ae4798142e4a +""" remote_port = '1194' protocol = 'udp' @@ -59,20 +95,28 @@ def get_vrf(interface): return tmp class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self.cli_set(['interfaces', 'dummy', dummy_if, 'address', '192.0.2.1/32']) - self.cli_set(['vrf', 'name', vrf_name, 'table', '12345']) + @classmethod + def setUpClass(cls): + super(TestInterfacesOpenVPN, cls).setUpClass() - self.cli_set(['pki', 'ca', 'ovpn_test', 'certificate', cert_data]) - self.cli_set(['pki', 'certificate', 'ovpn_test', 'certificate', cert_data]) - self.cli_set(['pki', 'certificate', 'ovpn_test', 'private', 'key', key_data]) - self.cli_set(['pki', 'dh', 'ovpn_test', 'parameters', dh_data]) - self.cli_set(['pki', 'openvpn', 'shared-secret', 'ovpn_test', 'key', ovpn_key_data]) + cls.cli_set(cls, ['interfaces', 'dummy', dummy_if, 'address', '192.0.2.1/32']) + cls.cli_set(cls, ['vrf', 'name', vrf_name, 'table', '12345']) + + cls.cli_set(cls, ['pki', 'ca', 'ovpn_test', 'certificate', cert_data.replace('\n','')]) + cls.cli_set(cls, ['pki', 'certificate', 'ovpn_test', 'certificate', cert_data.replace('\n','')]) + cls.cli_set(cls, ['pki', 'certificate', 'ovpn_test', 'private', 'key', key_data.replace('\n','')]) + cls.cli_set(cls, ['pki', 'dh', 'ovpn_test', 'parameters', dh_data.replace('\n','')]) + cls.cli_set(cls, ['pki', 'openvpn', 'shared-secret', 'ovpn_test', 'key', ovpn_key_data.replace('\n','')]) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['interfaces', 'dummy', dummy_if]) + cls.cli_delete(cls, ['vrf']) + + super(TestInterfacesOpenVPN, cls).tearDownClass() def tearDown(self): self.cli_delete(base_path) - self.cli_delete(['interfaces', 'dummy', dummy_if]) - self.cli_delete(['vrf']) self.cli_commit() def test_openvpn_client_verify(self): @@ -532,6 +576,46 @@ class TestInterfacesOpenVPN(VyOSUnitTestSHIM.TestCase): self.cli_commit() + def test_openvpn_options(self): + # Ensure OpenVPN process restart on openvpn-option CLI node change + + interface = 'vtun5001' + path = base_path + [interface] + + self.cli_set(path + ['mode', 'site-to-site']) + self.cli_set(path + ['local-address', '10.0.0.2']) + self.cli_set(path + ['remote-address', '192.168.0.3']) + self.cli_set(path + ['shared-secret-key', 'ovpn_test']) + + self.cli_commit() + + # Now verify the OpenVPN "raw" option passing. Once an openvpn-option is + # added, modified or deleted from the CLI, OpenVPN daemon must be restarted + cur_pid = process_named_running('openvpn') + self.cli_set(path + ['openvpn-option', '--persist-tun']) + self.cli_commit() + + # PID must be different as OpenVPN Must be restarted + new_pid = process_named_running('openvpn') + self.assertNotEqual(cur_pid, new_pid) + cur_pid = new_pid + + self.cli_set(path + ['openvpn-option', '--persist-key']) + self.cli_commit() + + # PID must be different as OpenVPN Must be restarted + new_pid = process_named_running('openvpn') + self.assertNotEqual(cur_pid, new_pid) + cur_pid = new_pid + + self.cli_delete(path + ['openvpn-option']) + self.cli_commit() + + # PID must be different as OpenVPN Must be restarted + new_pid = process_named_running('openvpn') + self.assertNotEqual(cur_pid, new_pid) + cur_pid = new_pid + def test_openvpn_site2site_interfaces_tun(self): # Create two OpenVPN site-to-site interfaces diff --git a/smoketest/scripts/cli/test_interfaces_pppoe.py b/smoketest/scripts/cli/test_interfaces_pppoe.py index 4f1e1ee99..8927121a8 100755 --- a/smoketest/scripts/cli/test_interfaces_pppoe.py +++ b/smoketest/scripts/cli/test_interfaces_pppoe.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2021 VyOS maintainers and contributors +# Copyright (C) 2019-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -34,9 +34,12 @@ def get_config_value(interface, key): # add a classmethod to setup a temporaray PPPoE server for "proper" validation class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self._interfaces = ['pppoe10', 'pppoe20', 'pppoe30'] - self._source_interface = 'eth0' + @classmethod + def setUpClass(cls): + super(PPPoEInterfaceTest, cls).setUpClass() + + cls._interfaces = ['pppoe10', 'pppoe20', 'pppoe30'] + cls._source_interface = 'eth0' def tearDown(self): # Validate PPPoE client process @@ -60,7 +63,6 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): self.cli_set(base_path + [interface, 'authentication', 'user', user]) self.cli_set(base_path + [interface, 'authentication', 'password', passwd]) - self.cli_set(base_path + [interface, 'default-route', 'auto']) self.cli_set(base_path + [interface, 'mtu', mtu]) self.cli_set(base_path + [interface, 'no-peer-dns']) @@ -136,7 +138,7 @@ class PPPoEInterfaceTest(VyOSUnitTestSHIM.TestCase): for interface in self._interfaces: self.cli_set(base_path + [interface, 'authentication', 'user', 'vyos']) self.cli_set(base_path + [interface, 'authentication', 'password', 'vyos']) - self.cli_set(base_path + [interface, 'default-route', 'none']) + self.cli_set(base_path + [interface, 'no-default-route']) self.cli_set(base_path + [interface, 'no-peer-dns']) self.cli_set(base_path + [interface, 'source-interface', self._source_interface]) self.cli_set(base_path + [interface, 'ipv6', 'address', 'autoconf']) diff --git a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py b/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py index adcadc5eb..a51b8d52c 100755 --- a/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py +++ b/smoketest/scripts/cli/test_interfaces_pseudo_ethernet.py @@ -48,7 +48,7 @@ class PEthInterfaceTest(BasicInterfaceTest.TestCase): cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(PEthInterfaceTest, cls).setUpClass() if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_interfaces_tunnel.py b/smoketest/scripts/cli/test_interfaces_tunnel.py index 99c25c374..44bfbb5f0 100755 --- a/smoketest/scripts/cli/test_interfaces_tunnel.py +++ b/smoketest/scripts/cli/test_interfaces_tunnel.py @@ -42,7 +42,7 @@ class TunnelInterfaceTest(BasicInterfaceTest.TestCase): } cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(TunnelInterfaceTest, cls).setUpClass() # create some test interfaces cls.cli_set(cls, ['interfaces', 'dummy', source_if, 'address', cls.local_v4 + '/32']) diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py index f34b99ea4..058f13721 100755 --- a/smoketest/scripts/cli/test_interfaces_vxlan.py +++ b/smoketest/scripts/cli/test_interfaces_vxlan.py @@ -39,7 +39,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): } cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(VXLANInterfaceTest, cls).setUpClass() def test_vxlan_parameters(self): tos = '40' @@ -48,7 +48,7 @@ class VXLANInterfaceTest(BasicInterfaceTest.TestCase): for option in self._options.get(intf, []): self.cli_set(self._base_path + [intf] + option.split()) - self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'dont-fragment']) + self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set']) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos]) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)]) ttl += 10 diff --git a/smoketest/scripts/cli/test_interfaces_wireguard.py b/smoketest/scripts/cli/test_interfaces_wireguard.py index aaf27a2c4..f3e9670f7 100755 --- a/smoketest/scripts/cli/test_interfaces_wireguard.py +++ b/smoketest/scripts/cli/test_interfaces_wireguard.py @@ -23,10 +23,13 @@ from vyos.configsession import ConfigSessionError base_path = ['interfaces', 'wireguard'] class WireGuardInterfaceTest(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self._test_addr = ['192.0.2.1/26', '192.0.2.255/31', '192.0.2.64/32', + @classmethod + def setUpClass(cls): + super(WireGuardInterfaceTest, cls).setUpClass() + + cls._test_addr = ['192.0.2.1/26', '192.0.2.255/31', '192.0.2.64/32', '2001:db8:1::ffff/64', '2001:db8:101::1/112'] - self._interfaces = ['wg0', 'wg1'] + cls._interfaces = ['wg0', 'wg1'] def tearDown(self): self.cli_delete(base_path) diff --git a/smoketest/scripts/cli/test_interfaces_wireless.py b/smoketest/scripts/cli/test_interfaces_wireless.py index 4f539a23c..a24f37d8d 100755 --- a/smoketest/scripts/cli/test_interfaces_wireless.py +++ b/smoketest/scripts/cli/test_interfaces_wireless.py @@ -48,7 +48,7 @@ class WirelessInterfaceTest(BasicInterfaceTest.TestCase): } cls._interfaces = list(cls._options) # call base-classes classmethod - super(cls, cls).setUpClass() + super(WirelessInterfaceTest, cls).setUpClass() def test_wireless_add_single_ip_address(self): # derived method to check if member interfaces are enslaved properly diff --git a/smoketest/scripts/cli/test_nat.py b/smoketest/scripts/cli/test_nat.py index 75c628244..408facfb3 100755 --- a/smoketest/scripts/cli/test_nat.py +++ b/smoketest/scripts/cli/test_nat.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -14,7 +14,6 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -import os import jmespath import json import unittest @@ -29,10 +28,13 @@ src_path = base_path + ['source'] dst_path = base_path + ['destination'] class TestNAT(VyOSUnitTestSHIM.TestCase): - def setUp(self): + @classmethod + def setUpClass(cls): + super(TestNAT, cls).setUpClass() + # ensure we can also run this test on a live system - so lets clean # out the current configuration :) - self.cli_delete(base_path) + cls.cli_delete(cls, base_path) def tearDown(self): self.cli_delete(base_path) @@ -57,36 +59,44 @@ class TestNAT(VyOSUnitTestSHIM.TestCase): self.cli_commit() - tmp = cmd('sudo nft -j list table nat') + tmp = cmd('sudo nft -j list chain ip nat POSTROUTING') data_json = jmespath.search('nftables[?rule].rule[?chain]', json.loads(tmp)) for idx in range(0, len(data_json)): - rule = str(rules[idx]) data = data_json[idx] - network = f'192.168.{rule}.0/24' - - self.assertEqual(data['chain'], 'POSTROUTING') - self.assertEqual(data['comment'], f'SRC-NAT-{rule}') - self.assertEqual(data['family'], 'ip') - self.assertEqual(data['table'], 'nat') - - iface = dict_search('match.right', data['expr'][0]) - direction = dict_search('match.left.payload.field', data['expr'][1]) - address = dict_search('match.right.prefix.addr', data['expr'][1]) - mask = dict_search('match.right.prefix.len', data['expr'][1]) + if idx == 0: + self.assertEqual(data['chain'], 'POSTROUTING') + self.assertEqual(data['family'], 'ip') + self.assertEqual(data['table'], 'nat') - if int(rule) < 200: - self.assertEqual(direction, 'saddr') - self.assertEqual(iface, outbound_iface_100) - # check for masquerade keyword - self.assertIn('masquerade', data['expr'][3]) + jump_target = dict_search('jump.target', data['expr'][1]) + self.assertEqual(jump_target,'VYOS_PRE_SNAT_HOOK') else: - self.assertEqual(direction, 'daddr') - self.assertEqual(iface, outbound_iface_200) - # check for return keyword due to 'exclude' - self.assertIn('return', data['expr'][3]) - - self.assertEqual(f'{address}/{mask}', network) + rule = str(rules[idx - 1]) + network = f'192.168.{rule}.0/24' + + self.assertEqual(data['chain'], 'POSTROUTING') + self.assertEqual(data['comment'], f'SRC-NAT-{rule}') + self.assertEqual(data['family'], 'ip') + self.assertEqual(data['table'], 'nat') + + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + address = dict_search('match.right.prefix.addr', data['expr'][1]) + mask = dict_search('match.right.prefix.len', data['expr'][1]) + + if int(rule) < 200: + self.assertEqual(direction, 'saddr') + self.assertEqual(iface, outbound_iface_100) + # check for masquerade keyword + self.assertIn('masquerade', data['expr'][3]) + else: + self.assertEqual(direction, 'daddr') + self.assertEqual(iface, outbound_iface_200) + # check for return keyword due to 'exclude' + self.assertIn('return', data['expr'][3]) + + self.assertEqual(f'{address}/{mask}', network) def test_dnat(self): rules = ['100', '110', '120', '130', '200', '210', '220', '230'] @@ -109,33 +119,42 @@ class TestNAT(VyOSUnitTestSHIM.TestCase): self.cli_commit() - tmp = cmd('sudo nft -j list table nat') + tmp = cmd('sudo nft -j list chain ip nat PREROUTING') data_json = jmespath.search('nftables[?rule].rule[?chain]', json.loads(tmp)) for idx in range(0, len(data_json)): - rule = str(rules[idx]) data = data_json[idx] - port = int(f'10{rule}') - - self.assertEqual(data['chain'], 'PREROUTING') - self.assertEqual(data['comment'].split()[0], f'DST-NAT-{rule}') - self.assertEqual(data['family'], 'ip') - self.assertEqual(data['table'], 'nat') - - iface = dict_search('match.right', data['expr'][0]) - direction = dict_search('match.left.payload.field', data['expr'][1]) - protocol = dict_search('match.left.payload.protocol', data['expr'][1]) - dnat_addr = dict_search('dnat.addr', data['expr'][3]) - dnat_port = dict_search('dnat.port', data['expr'][3]) - - self.assertEqual(direction, 'sport') - self.assertEqual(dnat_addr, '192.0.2.1') - self.assertEqual(dnat_port, port) - if int(rule) < 200: - self.assertEqual(iface, inbound_iface_100) - self.assertEqual(protocol, inbound_proto_100) + if idx == 0: + self.assertEqual(data['chain'], 'PREROUTING') + self.assertEqual(data['family'], 'ip') + self.assertEqual(data['table'], 'nat') + + jump_target = dict_search('jump.target', data['expr'][1]) + self.assertEqual(jump_target,'VYOS_PRE_DNAT_HOOK') else: - self.assertEqual(iface, inbound_iface_200) + + rule = str(rules[idx - 1]) + port = int(f'10{rule}') + + self.assertEqual(data['chain'], 'PREROUTING') + self.assertEqual(data['comment'].split()[0], f'DST-NAT-{rule}') + self.assertEqual(data['family'], 'ip') + self.assertEqual(data['table'], 'nat') + + iface = dict_search('match.right', data['expr'][0]) + direction = dict_search('match.left.payload.field', data['expr'][1]) + protocol = dict_search('match.left.payload.protocol', data['expr'][1]) + dnat_addr = dict_search('dnat.addr', data['expr'][3]) + dnat_port = dict_search('dnat.port', data['expr'][3]) + + self.assertEqual(direction, 'sport') + self.assertEqual(dnat_addr, '192.0.2.1') + self.assertEqual(dnat_port, port) + if int(rule) < 200: + self.assertEqual(iface, inbound_iface_100) + self.assertEqual(protocol, inbound_proto_100) + else: + self.assertEqual(iface, inbound_iface_200) def test_snat_required_translation_address(self): # T2813: Ensure translation address is specified diff --git a/smoketest/scripts/cli/test_nat66.py b/smoketest/scripts/cli/test_nat66.py index 6b7b49792..aac6a30f9 100755 --- a/smoketest/scripts/cli/test_nat66.py +++ b/smoketest/scripts/cli/test_nat66.py @@ -32,7 +32,7 @@ dst_path = base_path + ['destination'] class TestNAT66(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestNAT66, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_pki.py b/smoketest/scripts/cli/test_pki.py index 45a4bd61e..e92123dbc 100755 --- a/smoketest/scripts/cli/test_pki.py +++ b/smoketest/scripts/cli/test_pki.py @@ -129,8 +129,13 @@ xGsJxVHfSKeooUQn6q76sg== """ class TestPKI(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self.cli_delete(base_path) + @classmethod + def setUpClass(cls): + super(TestPKI, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) def tearDown(self): self.cli_delete(base_path) diff --git a/smoketest/scripts/cli/test_policy.py b/smoketest/scripts/cli/test_policy.py index b232a2241..e8c6ff19b 100755 --- a/smoketest/scripts/cli/test_policy.py +++ b/smoketest/scripts/cli/test_policy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -800,27 +800,28 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): '10' : { 'action' : 'deny', 'set' : { - 'aggregator-as' : '1234567890', - 'aggregator-ip' : '10.255.255.0', - 'as-path-exclude' : '1234', - 'as-path-prepend' : '1234567890 987654321', - 'atomic-aggregate' : '', - 'distance' : '110', - 'extcommunity-bw' : '20000', - 'extcommunity-rt' : '123:456', - 'extcommunity-soo' : '456:789', - 'ipv6-next-hop-global': '2001::1', - 'ipv6-next-hop-local' : 'fe80::1', - 'ip-next-hop' : '192.168.1.1', - 'large-community' : '100:200:300', - 'local-preference' : '500', - 'metric' : '150', - 'metric-type' : 'type-1', - 'origin' : 'incomplete', - 'originator-id' : '172.16.10.1', - 'src' : '100.0.0.1', - 'tag' : '65530', - 'weight' : '2', + 'aggregator-as' : '1234567890', + 'aggregator-ip' : '10.255.255.0', + 'as-path-exclude' : '1234', + 'as-path-prepend' : '1234567890 987654321', + 'as-path-prepend-last-as' : '5', + 'atomic-aggregate' : '', + 'distance' : '110', + 'extcommunity-bw' : '20000', + 'extcommunity-rt' : '123:456', + 'extcommunity-soo' : '456:789', + 'ipv6-next-hop-global' : '2001::1', + 'ipv6-next-hop-local' : 'fe80::1', + 'ip-next-hop' : '192.168.1.1', + 'large-community' : '100:200:300', + 'local-preference' : '500', + 'metric' : '150', + 'metric-type' : 'type-1', + 'origin' : 'incomplete', + 'originator-id' : '172.16.10.1', + 'src' : '100.0.0.1', + 'tag' : '65530', + 'weight' : '2', }, }, }, @@ -848,6 +849,13 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): 'evpn-vni' : '1234', }, }, + '20' : { + 'action' : 'permit', + 'set' : { + 'evpn-gateway-ipv4' : '192.0.2.99', + 'evpn-gateway-ipv6' : '2001:db8:f00::1', + }, + }, }, }, } @@ -958,9 +966,9 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): if 'aggregator-ip' in rule_config['set']: self.cli_set(path + ['rule', rule, 'set', 'aggregator', 'ip', rule_config['set']['aggregator-ip']]) if 'as-path-exclude' in rule_config['set']: - self.cli_set(path + ['rule', rule, 'set', 'as-path-exclude', rule_config['set']['as-path-exclude']]) + self.cli_set(path + ['rule', rule, 'set', 'as-path', 'exclude', rule_config['set']['as-path-exclude']]) if 'as-path-prepend' in rule_config['set']: - self.cli_set(path + ['rule', rule, 'set', 'as-path-prepend', rule_config['set']['as-path-prepend']]) + self.cli_set(path + ['rule', rule, 'set', 'as-path', 'prepend', rule_config['set']['as-path-prepend']]) if 'atomic-aggregate' in rule_config['set']: self.cli_set(path + ['rule', rule, 'set', 'atomic-aggregate']) if 'distance' in rule_config['set']: @@ -995,6 +1003,10 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): self.cli_set(path + ['rule', rule, 'set', 'tag', rule_config['set']['tag']]) if 'weight' in rule_config['set']: self.cli_set(path + ['rule', rule, 'set', 'weight', rule_config['set']['weight']]) + if 'evpn-gateway-ipv4' in rule_config['set']: + self.cli_set(path + ['rule', rule, 'set', 'evpn', 'gateway', 'ipv4', rule_config['set']['evpn-gateway-ipv4']]) + if 'evpn-gateway-ipv6' in rule_config['set']: + self.cli_set(path + ['rule', rule, 'set', 'evpn', 'gateway', 'ipv6', rule_config['set']['evpn-gateway-ipv6']]) self.cli_commit() @@ -1118,6 +1130,8 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): tmp += 'as-path exclude ' + rule_config['set']['as-path-exclude'] elif 'as-path-prepend' in rule_config['set']: tmp += 'as-path prepend ' + rule_config['set']['as-path-prepend'] + elif 'as-path-prepend-last-as' in rule_config['set']: + tmp += 'as-path prepend last-as' + rule_config['set']['as-path-prepend-last-as'] elif 'atomic-aggregate' in rule_config['set']: tmp += 'atomic-aggregate' elif 'distance' in rule_config['set']: @@ -1152,6 +1166,10 @@ class TestPolicy(VyOSUnitTestSHIM.TestCase): tmp += 'tag ' + rule_config['set']['tag'] elif 'weight' in rule_config['set']: tmp += 'weight ' + rule_config['set']['weight'] + elif 'vpn-gateway-ipv4' in rule_config['set']: + tmp += 'evpn gateway ipv4 ' + rule_config['set']['vpn-gateway-ipv4'] + elif 'vpn-gateway-ipv6' in rule_config['set']: + tmp += 'evpn gateway ipv6 ' + rule_config['set']['vpn-gateway-ipv6'] self.assertIn(tmp, config) diff --git a/smoketest/scripts/cli/test_policy_route.py b/smoketest/scripts/cli/test_policy_route.py index 9035f0832..e2d70f289 100755 --- a/smoketest/scripts/cli/test_policy_route.py +++ b/smoketest/scripts/cli/test_policy_route.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -23,15 +23,26 @@ from vyos.util import cmd mark = '100' table_mark_offset = 0x7fffffff table_id = '101' +interface = 'eth0' +interface_ip = '172.16.10.1/24' class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self.cli_set(['interfaces', 'ethernet', 'eth0', 'address', '172.16.10.1/24']) - self.cli_set(['protocols', 'static', 'table', '101', 'route', '0.0.0.0/0', 'interface', 'eth0']) + @classmethod + def setUpClass(cls): + super(TestPolicyRoute, cls).setUpClass() + + cls.cli_set(cls, ['interfaces', 'ethernet', interface, 'address', interface_ip]) + cls.cli_set(cls, ['protocols', 'static', 'table', table_id, 'route', '0.0.0.0/0', 'interface', interface]) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['interfaces', 'ethernet', interface, 'address', interface_ip]) + cls.cli_delete(cls, ['protocols', 'static', 'table', table_id]) + + super(TestPolicyRoute, cls).tearDownClass() def tearDown(self): - self.cli_delete(['interfaces', 'ethernet', 'eth0']) - self.cli_delete(['protocols', 'static']) + self.cli_delete(['interfaces', 'ethernet', interface, 'policy']) self.cli_delete(['policy', 'route']) self.cli_delete(['policy', 'route6']) self.cli_commit() @@ -41,14 +52,14 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'destination', 'address', '172.16.10.10']) self.cli_set(['policy', 'route', 'smoketest', 'rule', '1', 'set', 'mark', mark]) - self.cli_set(['interfaces', 'ethernet', 'eth0', 'policy', 'route', 'smoketest']) + self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest']) self.cli_commit() mark_hex = "{0:#010x}".format(int(mark)) nftables_search = [ - ['iifname "eth0"', 'jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"','jump VYOS_PBR_smoketest'], ['ip daddr 172.16.10.10', 'ip saddr 172.16.20.10', 'meta mark set ' + mark_hex], ] @@ -72,8 +83,8 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'destination', 'port', '8888']) self.cli_set(['policy', 'route6', 'smoketest6', 'rule', '1', 'set', 'table', table_id]) - self.cli_set(['interfaces', 'ethernet', 'eth0', 'policy', 'route', 'smoketest']) - self.cli_set(['interfaces', 'ethernet', 'eth0', 'policy', 'route6', 'smoketest6']) + self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route', 'smoketest']) + self.cli_set(['interfaces', 'ethernet', interface, 'policy', 'route6', 'smoketest6']) self.cli_commit() @@ -82,7 +93,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv4 nftables_search = [ - ['iifname "eth0"', 'jump VYOS_PBR_smoketest'], + [f'iifname "{interface}"', 'jump VYOS_PBR_smoketest'], ['tcp flags & (syn | ack) == syn', 'tcp dport { 8888 }', 'meta mark set ' + mark_hex] ] @@ -99,7 +110,7 @@ class TestPolicyRoute(VyOSUnitTestSHIM.TestCase): # IPv6 nftables6_search = [ - ['iifname "eth0"', 'jump VYOS_PBR6_smoketest'], + [f'iifname "{interface}"', 'jump VYOS_PBR6_smoketest'], ['meta l4proto { tcp, udp }', 'th dport { 8888 }', 'meta mark set ' + mark_hex] ] diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index f1db5350a..9c0c93779 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -154,7 +154,7 @@ peer_group_config = { class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestProtocolsBGP, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) @@ -882,5 +882,44 @@ class TestProtocolsBGP(VyOSUnitTestSHIM.TestCase): self.assertIn(f' rt vpn import {rt_import}', afi_config) self.assertIn(f' exit-address-family', afi_config) + def test_bgp_14_remote_as_peer_group_override(self): + # Peer-group member cannot override remote-as of peer-group + remote_asn = str(int(ASN) + 150) + neighbor = '192.0.2.1' + peer_group = 'bar' + interface = 'eth0' + + self.cli_set(base_path + ['local-as', ASN]) + self.cli_set(base_path + ['neighbor', neighbor, 'remote-as', remote_asn]) + self.cli_set(base_path + ['neighbor', neighbor, 'peer-group', peer_group]) + self.cli_set(base_path + ['peer-group', peer_group, 'remote-as', remote_asn]) + + # Peer-group member cannot override remote-as of peer-group + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + ['neighbor', neighbor, 'remote-as']) + + # re-test with interface based peer-group + self.cli_set(base_path + ['neighbor', interface, 'interface', 'peer-group', peer_group]) + self.cli_set(base_path + ['neighbor', interface, 'interface', 'remote-as', 'external']) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + ['neighbor', interface, 'interface', 'remote-as']) + + # re-test with interface based v6only peer-group + self.cli_set(base_path + ['neighbor', interface, 'interface', 'v6only', 'peer-group', peer_group]) + self.cli_set(base_path + ['neighbor', interface, 'interface', 'v6only', 'remote-as', 'external']) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(base_path + ['neighbor', interface, 'interface', 'v6only', 'remote-as']) + + self.cli_commit() + + frrconfig = self.getFRRconfig(f'router bgp {ASN}') + self.assertIn(f'router bgp {ASN}', frrconfig) + self.assertIn(f' neighbor {neighbor} peer-group {peer_group}', frrconfig) + self.assertIn(f' neighbor {peer_group} peer-group', frrconfig) + self.assertIn(f' neighbor {peer_group} remote-as {remote_asn}', frrconfig) + if __name__ == '__main__': - unittest.main(verbosity=2, failfast=True) + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_protocols_isis.py b/smoketest/scripts/cli/test_protocols_isis.py index 11c765793..ee4be0b37 100755 --- a/smoketest/scripts/cli/test_protocols_isis.py +++ b/smoketest/scripts/cli/test_protocols_isis.py @@ -33,7 +33,7 @@ class TestProtocolsISIS(VyOSUnitTestSHIM.TestCase): cls._interfaces = Section.interfaces('ethernet') # call base-classes classmethod - super(cls, cls).setUpClass() + super(TestProtocolsISIS, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_protocols_mpls.py b/smoketest/scripts/cli/test_protocols_mpls.py index c6751cc42..76e6ca35a 100755 --- a/smoketest/scripts/cli/test_protocols_mpls.py +++ b/smoketest/scripts/cli/test_protocols_mpls.py @@ -68,7 +68,7 @@ profiles = { class TestProtocolsMPLS(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestProtocolsMPLS, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_protocols_ospf.py b/smoketest/scripts/cli/test_protocols_ospf.py index e433d06d0..e15ea478b 100755 --- a/smoketest/scripts/cli/test_protocols_ospf.py +++ b/smoketest/scripts/cli/test_protocols_ospf.py @@ -35,7 +35,7 @@ log = logging.getLogger('TestProtocolsOSPF') class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestProtocolsOSPF, cls).setUpClass() cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '20', 'action', 'permit']) @@ -47,7 +47,7 @@ class TestProtocolsOSPF(VyOSUnitTestSHIM.TestCase): @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['policy', 'route-map', route_map]) - super(cls, cls).tearDownClass() + super(TestProtocolsOSPF, cls).tearDownClass() def tearDown(self): # Check for running process diff --git a/smoketest/scripts/cli/test_protocols_ospfv3.py b/smoketest/scripts/cli/test_protocols_ospfv3.py index 944190089..fa80ad555 100755 --- a/smoketest/scripts/cli/test_protocols_ospfv3.py +++ b/smoketest/scripts/cli/test_protocols_ospfv3.py @@ -33,7 +33,7 @@ default_area = '0' class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestProtocolsOSPFv3, cls).setUpClass() cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '10', 'action', 'permit']) cls.cli_set(cls, ['policy', 'route-map', route_map, 'rule', '20', 'action', 'permit']) @@ -45,7 +45,7 @@ class TestProtocolsOSPFv3(VyOSUnitTestSHIM.TestCase): @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['policy', 'route-map', route_map]) - super(cls, cls).tearDownClass() + super(TestProtocolsOSPFv3, cls).tearDownClass() def tearDown(self): # Check for running process diff --git a/smoketest/scripts/cli/test_protocols_static.py b/smoketest/scripts/cli/test_protocols_static.py index 3ef9c76d8..19efe7786 100755 --- a/smoketest/scripts/cli/test_protocols_static.py +++ b/smoketest/scripts/cli/test_protocols_static.py @@ -94,13 +94,13 @@ tables = ['80', '81', '82'] class TestProtocolsStatic(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestProtocolsStatic, cls).setUpClass() cls.cli_set(cls, ['vrf', 'name', 'black', 'table', '43210']) @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['vrf']) - super(cls, cls).tearDownClass() + super(TestProtocolsStatic, cls).tearDownClass() def tearDown(self): for route, route_config in routes.items(): diff --git a/smoketest/scripts/cli/test_protocols_static_arp.py b/smoketest/scripts/cli/test_protocols_static_arp.py new file mode 100755 index 000000000..b61d8f854 --- /dev/null +++ b/smoketest/scripts/cli/test_protocols_static_arp.py @@ -0,0 +1,88 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import json +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.util import cmd + +base_path = ['protocols', 'static', 'arp'] +interface = 'eth0' +address = '192.0.2.1/24' + +class TestARP(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestARP, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + # we need a L2 interface with a L3 address to properly configure ARP entries + cls.cli_set(cls, ['interfaces', 'ethernet', interface, 'address', address]) + + @classmethod + def tearDownClass(cls): + # cleanuop L2 interface + cls.cli_delete(cls, ['interfaces', 'ethernet', interface, 'address', address]) + cls.cli_commit(cls) + + super(TestARP, cls).tearDownClass() + + def tearDown(self): + # delete test config + self.cli_delete(base_path) + self.cli_commit() + + def test_static_arp(self): + test_data = { + '192.0.2.10' : { 'mac' : '00:01:02:03:04:0a' }, + '192.0.2.11' : { 'mac' : '00:01:02:03:04:0b' }, + '192.0.2.12' : { 'mac' : '00:01:02:03:04:0c' }, + '192.0.2.13' : { 'mac' : '00:01:02:03:04:0d' }, + '192.0.2.14' : { 'mac' : '00:01:02:03:04:0e' }, + '192.0.2.15' : { 'mac' : '00:01:02:03:04:0f' }, + } + + for host, host_config in test_data.items(): + self.cli_set(base_path + ['interface', interface, 'address', host, 'mac', host_config['mac']]) + + self.cli_commit() + + arp_table = json.loads(cmd('ip -j -4 neigh show')) + for host, host_config in test_data.items(): + # As we search within a list of hosts we need to mark if it was + # found or not. This ensures all hosts from test_data are processed + found = False + for entry in arp_table: + # Other ARP entry - not related to this testcase + if entry['dst'] not in list(test_data): + continue + + if entry['dst'] == host: + self.assertEqual(entry['lladdr'], host_config['mac']) + self.assertEqual(entry['dev'], interface) + found = True + + if found == False: + print(entry) + self.assertTrue(found) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_dhcp-server.py b/smoketest/scripts/cli/test_service_dhcp-server.py index 9adb9c042..9c9d6d9f1 100755 --- a/smoketest/scripts/cli/test_service_dhcp-server.py +++ b/smoketest/scripts/cli/test_service_dhcp-server.py @@ -38,7 +38,7 @@ domain_name = 'vyos.net' class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestServiceDHCPServer, cls).setUpClass() cidr_mask = subnet.split('/')[-1] cls.cli_set(cls, ['interfaces', 'dummy', 'dum8765', 'address', f'{router}/{cidr_mask}']) @@ -46,7 +46,7 @@ class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['interfaces', 'dummy', 'dum8765']) - super(cls, cls).tearDownClass() + super(TestServiceDHCPServer, cls).tearDownClass() def tearDown(self): self.cli_delete(base_path) diff --git a/smoketest/scripts/cli/test_service_dhcpv6-server.py b/smoketest/scripts/cli/test_service_dhcpv6-server.py index 7177f1505..f83453323 100755 --- a/smoketest/scripts/cli/test_service_dhcpv6-server.py +++ b/smoketest/scripts/cli/test_service_dhcpv6-server.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2020 VyOS maintainers and contributors +# Copyright (C) 2020-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -32,16 +32,24 @@ dns_1 = '2001:db8::1' dns_2 = '2001:db8::2' domain = 'vyos.net' nis_servers = ['2001:db8:ffff::1', '2001:db8:ffff::2'] -interface = 'eth1' +interface = 'eth0' interface_addr = inc_ip(subnet, 1) + '/64' -class TestServiceDHCPServer(VyOSUnitTestSHIM.TestCase): - def setUp(self): - self.cli_set(['interfaces', 'ethernet', interface, 'address', interface_addr]) +class TestServiceDHCPv6Server(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestServiceDHCPv6Server, cls).setUpClass() + cls.cli_set(cls, ['interfaces', 'ethernet', interface, 'address', interface_addr]) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['interfaces', 'ethernet', interface, 'address', interface_addr]) + cls.cli_commit(cls) + + super(TestServiceDHCPv6Server, cls).tearDownClass() def tearDown(self): self.cli_delete(base_path) - self.cli_delete(['interfaces', 'ethernet', interface, 'address', interface_addr]) self.cli_commit() def test_single_pool(self): diff --git a/smoketest/scripts/cli/test_service_https.py b/smoketest/scripts/cli/test_service_https.py index 9413d22d1..71fb3e177 100755 --- a/smoketest/scripts/cli/test_service_https.py +++ b/smoketest/scripts/cli/test_service_https.py @@ -15,16 +15,15 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import unittest -import urllib3 from requests import request +from urllib3.exceptions import InsecureRequestWarning from base_vyostest_shim import VyOSUnitTestSHIM +from base_vyostest_shim import ignore_warning from vyos.util import read_file from vyos.util import run -urllib3.disable_warnings() - base_path = ['service', 'https'] pki_base = ['pki'] @@ -100,6 +99,7 @@ class TestHTTPSService(VyOSUnitTestSHIM.TestCase): ret = run('sudo /usr/sbin/nginx -t') self.assertEqual(ret, 0) + @ignore_warning(InsecureRequestWarning) def test_api_auth(self): vhost_id = 'example' address = '127.0.0.1' diff --git a/smoketest/scripts/cli/test_service_ids.py b/smoketest/scripts/cli/test_service_ids.py new file mode 100755 index 000000000..18f1b8ec5 --- /dev/null +++ b/smoketest/scripts/cli/test_service_ids.py @@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import unittest + +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.configsession import ConfigSessionError +from vyos.util import process_named_running +from vyos.util import read_file + +PROCESS_NAME = 'fastnetmon' +FASTNETMON_CONF = '/etc/fastnetmon.conf' +base_path = ['service', 'ids', 'ddos-protection'] + +class TestServiceIDS(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestServiceIDS, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + def tearDown(self): + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + # delete test config + self.cli_delete(base_path) + self.cli_commit() + + self.assertFalse(os.path.exists(FASTNETMON_CONF)) + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_fastnetmon(self): + networks = ['10.0.0.0/24', '10.5.5.0/24'] + interfaces = ['eth0', 'eth1'] + fps = '3500' + mbps = '300' + pps = '60000' + + self.cli_set(base_path + ['mode', 'mirror']) + # Required network! + with self.assertRaises(ConfigSessionError): + self.cli_commit() + for tmp in networks: + self.cli_set(base_path + ['network', tmp]) + + # Required interface(s)! + with self.assertRaises(ConfigSessionError): + self.cli_commit() + for tmp in interfaces: + self.cli_set(base_path + ['listen-interface', tmp]) + + self.cli_set(base_path + ['direction', 'in']) + self.cli_set(base_path + ['threshold', 'fps', fps]) + self.cli_set(base_path + ['threshold', 'pps', pps]) + self.cli_set(base_path + ['threshold', 'mbps', mbps]) + + # commit changes + self.cli_commit() + + # Check configured port + config = read_file(FASTNETMON_CONF) + self.assertIn(f'mirror_afpacket = on', config) + self.assertIn(f'process_incoming_traffic = on', config) + self.assertIn(f'process_outgoing_traffic = off', config) + self.assertIn(f'ban_for_flows = on', config) + self.assertIn(f'threshold_flows = {fps}', config) + self.assertIn(f'ban_for_bandwidth = on', config) + self.assertIn(f'threshold_mbps = {mbps}', config) + self.assertIn(f'ban_for_pps = on', config) + self.assertIn(f'threshold_pps = {pps}', config) + + tmp = ','.join(interfaces) + self.assertIn(f'interfaces = {tmp}', config) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_lldp.py b/smoketest/scripts/cli/test_service_lldp.py index 64fdd9d1b..439c96c33 100755 --- a/smoketest/scripts/cli/test_service_lldp.py +++ b/smoketest/scripts/cli/test_service_lldp.py @@ -37,7 +37,7 @@ class TestServiceLLDP(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): # call base-classes classmethod - super(cls, cls).setUpClass() + super(TestServiceLLDP, cls).setUpClass() # create a test interfaces for addr in mgmt_addr: @@ -50,7 +50,7 @@ class TestServiceLLDP(VyOSUnitTestSHIM.TestCase): @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['interfaces', 'dummy', mgmt_if]) - super().tearDownClass() + super(TestServiceLLDP, cls).tearDownClass() def tearDown(self): # service must be running after it was configured diff --git a/smoketest/scripts/cli/test_service_salt.py b/smoketest/scripts/cli/test_service_salt.py new file mode 100755 index 000000000..00a4f2020 --- /dev/null +++ b/smoketest/scripts/cli/test_service_salt.py @@ -0,0 +1,105 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import unittest + +from socket import gethostname +from base_vyostest_shim import VyOSUnitTestSHIM + +from vyos.util import process_named_running +from vyos.util import read_file +from vyos.util import cmd + +PROCESS_NAME = 'salt-minion' +SALT_CONF = '/etc/salt/minion' +base_path = ['service', 'salt-minion'] + +interface = 'dum4456' + +class TestServiceSALT(VyOSUnitTestSHIM.TestCase): + @classmethod + def setUpClass(cls): + super(TestServiceSALT, cls).setUpClass() + + # ensure we can also run this test on a live system - so lets clean + # out the current configuration :) + cls.cli_delete(cls, base_path) + + cls.cli_set(cls, ['interfaces', 'dummy', interface, 'address', '100.64.0.1/16']) + + @classmethod + def tearDownClass(cls): + cls.cli_delete(cls, ['interfaces', 'dummy', interface]) + super(TestServiceSALT, cls).tearDownClass() + + def tearDown(self): + # Check for running process + self.assertTrue(process_named_running(PROCESS_NAME)) + + # delete testing SALT config + self.cli_delete(base_path) + self.cli_commit() + + # For an unknown reason on QEMU systems (e.g. where smoketests are executed + # from the CI) salt-minion process is not killed by systemd. Apparently + # no issue on VMWare. + if cmd('systemd-detect-virt') != 'kvm': + self.assertFalse(process_named_running(PROCESS_NAME)) + + def test_default(self): + servers = ['192.0.2.1', '192.0.2.2'] + + for server in servers: + self.cli_set(base_path + ['master', server]) + + self.cli_commit() + + # commiconf = read_file() Check configured port + conf = read_file(SALT_CONF) + self.assertIn(f' - {server}', conf) + + # defaults + hostname = gethostname() + self.assertIn(f'hash_type: sha256', conf) + self.assertIn(f'id: {hostname}', conf) + self.assertIn(f'mine_interval: 60', conf) + + def test_options(self): + server = '192.0.2.3' + hash = 'sha1' + id = 'foo' + interval = '120' + + self.cli_set(base_path + ['master', server]) + self.cli_set(base_path + ['hash', hash]) + self.cli_set(base_path + ['id', id]) + self.cli_set(base_path + ['interval', interval]) + self.cli_set(base_path + ['source-interface', interface]) + + self.cli_commit() + + # commiconf = read_file() Check configured port + conf = read_file(SALT_CONF) + self.assertIn(f'- {server}', conf) + + # defaults + self.assertIn(f'hash_type: {hash}', conf) + self.assertIn(f'id: {id}', conf) + self.assertIn(f'mine_interval: {interval}', conf) + self.assertIn(f'source_interface_name: {interface}', conf) + +if __name__ == '__main__': + unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_service_snmp.py b/smoketest/scripts/cli/test_service_snmp.py index fc24fd54e..e80c689cc 100755 --- a/smoketest/scripts/cli/test_service_snmp.py +++ b/smoketest/scripts/cli/test_service_snmp.py @@ -49,7 +49,7 @@ def get_config_value(key): class TestSNMPService(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestSNMPService, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py index 9ed263655..77ad5bc0d 100755 --- a/smoketest/scripts/cli/test_service_ssh.py +++ b/smoketest/scripts/cli/test_service_ssh.py @@ -46,7 +46,7 @@ def get_config_value(key): class TestServiceSSH(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestServiceSSH, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_service_upnp.py b/smoketest/scripts/cli/test_service_upnp.py index c3e9b600f..e4df88c1e 100755 --- a/smoketest/scripts/cli/test_service_upnp.py +++ b/smoketest/scripts/cli/test_service_upnp.py @@ -37,7 +37,7 @@ ipv6_addr = '2001:db8::1/64' class TestServiceUPnP(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestServiceUPnP, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) @@ -51,7 +51,7 @@ class TestServiceUPnP(VyOSUnitTestSHIM.TestCase): cls.cli_delete(cls, address_base) cls._session.commit() - super(cls, cls).tearDownClass() + super(TestServiceUPnP, cls).tearDownClass() def tearDown(self): # Check for running process diff --git a/smoketest/scripts/cli/test_service_webproxy.py b/smoketest/scripts/cli/test_service_webproxy.py index ebbd9fe55..772d6ab16 100755 --- a/smoketest/scripts/cli/test_service_webproxy.py +++ b/smoketest/scripts/cli/test_service_webproxy.py @@ -33,14 +33,14 @@ class TestServiceWebProxy(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): # call base-classes classmethod - super(cls, cls).setUpClass() + super(TestServiceWebProxy, cls).setUpClass() # create a test interfaces cls.cli_set(cls, ['interfaces', 'dummy', listen_if, 'address', listen_ip + '/32']) @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['interfaces', 'dummy', listen_if]) - super().tearDownClass() + super(TestServiceWebProxy, cls).tearDownClass() def tearDown(self): self.cli_delete(base_path) diff --git a/smoketest/scripts/cli/test_system_flow-accounting.py b/smoketest/scripts/cli/test_system_flow-accounting.py index 84f17bcb0..5a73ebc7d 100755 --- a/smoketest/scripts/cli/test_system_flow-accounting.py +++ b/smoketest/scripts/cli/test_system_flow-accounting.py @@ -32,7 +32,7 @@ uacctd_conf = '/run/pmacct/uacctd.conf' class TestSystemFlowAccounting(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestSystemFlowAccounting, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_system_ntp.py b/smoketest/scripts/cli/test_system_ntp.py index c8cf04b7d..e2821687c 100755 --- a/smoketest/scripts/cli/test_system_ntp.py +++ b/smoketest/scripts/cli/test_system_ntp.py @@ -31,7 +31,7 @@ base_path = ['system', 'ntp'] class TestSystemNTP(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestSystemNTP, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) diff --git a/smoketest/scripts/cli/test_vpn_ipsec.py b/smoketest/scripts/cli/test_vpn_ipsec.py index 1338fe81c..8a6514d57 100755 --- a/smoketest/scripts/cli/test_vpn_ipsec.py +++ b/smoketest/scripts/cli/test_vpn_ipsec.py @@ -114,7 +114,7 @@ rgiyCHemtMepq57Pl1Nmj49eEA== class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestVPNIPsec, cls).setUpClass() # ensure we can also run this test on a live system - so lets clean # out the current configuration :) cls.cli_delete(cls, base_path) @@ -123,8 +123,7 @@ class TestVPNIPsec(VyOSUnitTestSHIM.TestCase): @classmethod def tearDownClass(cls): - super(cls, cls).tearDownClass() - + super(TestVPNIPsec, cls).tearDownClass() cls.cli_delete(cls, base_path + ['interface', f'{interface}.{vif}']) def setUp(self): diff --git a/smoketest/scripts/cli/test_vpn_openconnect.py b/smoketest/scripts/cli/test_vpn_openconnect.py index b0e859b5c..bda279342 100755 --- a/smoketest/scripts/cli/test_vpn_openconnect.py +++ b/smoketest/scripts/cli/test_vpn_openconnect.py @@ -24,8 +24,27 @@ OCSERV_CONF = '/run/ocserv/ocserv.conf' base_path = ['vpn', 'openconnect'] pki_path = ['pki'] -cert_data = 'MIICFDCCAbugAwIBAgIUfMbIsB/ozMXijYgUYG80T1ry+mcwCgYIKoZIzj0EAwIwWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MB4XDTIxMDcyMDEyNDUxMloXDTI2MDcxOTEyNDUxMlowWTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE01HrLcNttqq4/PtoMua8rMWEkOdBu7vP94xzDO7A8C92ls1v86eePy4QllKCzIw3QxBIoCuH2peGRfWgPRdFsKNhMF8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSu+JnU5ZC4mkuEpqg2+Mk4K79oeDAKBggqhkjOPQQDAgNHADBEAiBEFdzQ/Bc3LftzngrY605UhA6UprHhAogKgROv7iR4QgIgEFUxTtW3xXJcnUPWhhUFhyZoqfn8dE93+dm/LDnp7C0=' -key_data = 'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww' + +cert_data = """ +MIICFDCCAbugAwIBAgIUfMbIsB/ozMXijYgUYG80T1ry+mcwCgYIKoZIzj0EAwIw +WTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNv +bWUtQ2l0eTENMAsGA1UECgwEVnlPUzESMBAGA1UEAwwJVnlPUyBUZXN0MB4XDTIx +MDcyMDEyNDUxMloXDTI2MDcxOTEyNDUxMlowWTELMAkGA1UEBhMCR0IxEzARBgNV +BAgMClNvbWUtU3RhdGUxEjAQBgNVBAcMCVNvbWUtQ2l0eTENMAsGA1UECgwEVnlP +UzESMBAGA1UEAwwJVnlPUyBUZXN0MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +01HrLcNttqq4/PtoMua8rMWEkOdBu7vP94xzDO7A8C92ls1v86eePy4QllKCzIw3 +QxBIoCuH2peGRfWgPRdFsKNhMF8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E +BAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMB0GA1UdDgQWBBSu ++JnU5ZC4mkuEpqg2+Mk4K79oeDAKBggqhkjOPQQDAgNHADBEAiBEFdzQ/Bc3Lftz +ngrY605UhA6UprHhAogKgROv7iR4QgIgEFUxTtW3xXJcnUPWhhUFhyZoqfn8dE93 ++dm/LDnp7C0= +""" + +key_data = """ +MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgPLpD0Ohhoq0g4nhx +2KMIuze7ucKUt/lBEB2wc03IxXyhRANCAATTUestw222qrj8+2gy5rysxYSQ50G7 +u8/3jHMM7sDwL3aWzW/zp54/LhCWUoLMjDdDEEigK4fal4ZF9aA9F0Ww +""" class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase): def tearDown(self): @@ -37,18 +56,21 @@ class TestVpnOpenconnect(VyOSUnitTestSHIM.TestCase): def test_vpn(self): user = 'vyos_user' password = 'vyos_pass' + otp = '37500000026900000000200000000000' + self.cli_delete(pki_path) self.cli_delete(base_path) - self.cli_set(pki_path + ['ca', 'openconnect', 'certificate', cert_data]) - self.cli_set(pki_path + ['certificate', 'openconnect', 'certificate', cert_data]) - self.cli_set(pki_path + ['certificate', 'openconnect', 'private', 'key', key_data]) + self.cli_set(pki_path + ['ca', 'openconnect', 'certificate', cert_data.replace('\n','')]) + self.cli_set(pki_path + ['certificate', 'openconnect', 'certificate', cert_data.replace('\n','')]) + self.cli_set(pki_path + ['certificate', 'openconnect', 'private', 'key', key_data.replace('\n','')]) - self.cli_set(base_path + ["authentication", "local-users", "username", user, "password", password]) - self.cli_set(base_path + ["authentication", "mode", "local"]) - self.cli_set(base_path + ["network-settings", "client-ip-settings", "subnet", "192.0.2.0/24"]) - self.cli_set(base_path + ["ssl", "ca-certificate", 'openconnect']) - self.cli_set(base_path + ["ssl", "certificate", 'openconnect']) + self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'password', password]) + self.cli_set(base_path + ['authentication', 'local-users', 'username', user, 'otp', 'key', otp]) + self.cli_set(base_path + ['authentication', 'mode', 'local', 'password-otp']) + self.cli_set(base_path + ['network-settings', 'client-ip-settings', 'subnet', '192.0.2.0/24']) + self.cli_set(base_path + ['ssl', 'ca-certificate', 'openconnect']) + self.cli_set(base_path + ['ssl', 'certificate', 'openconnect']) self.cli_commit() diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py index c591d6cf5..176c095fb 100755 --- a/smoketest/scripts/cli/test_vrf.py +++ b/smoketest/scripts/cli/test_vrf.py @@ -49,7 +49,7 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): if not '.' in tmp: cls._interfaces.append(tmp) # call base-classes classmethod - super(cls, cls).setUpClass() + super(VRFTest, cls).setUpClass() def tearDown(self): # delete all VRFs @@ -127,6 +127,9 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): for vrf in vrfs: # Ensure VRF was created self.assertIn(vrf, interfaces()) + # Verify IP forwarding is 1 (enabled) + self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '1') + self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '1') # Test for proper loopback IP assignment for addr in loopbacks: self.assertTrue(is_intf_addr_assigned(vrf, addr)) @@ -267,5 +270,26 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): self.cli_delete(['interfaces', 'dummy', interface]) self.cli_commit() + def test_vrf_disable_forwarding(self): + table = '2000' + for vrf in vrfs: + base = base_path + ['name', vrf] + self.cli_set(base + ['table', table]) + self.cli_set(base + ['ip', 'disable-forwarding']) + self.cli_set(base + ['ipv6', 'disable-forwarding']) + table = str(int(table) + 1) + + # commit changes + self.cli_commit() + + # Verify VRF configuration + loopbacks = ['127.0.0.1', '::1'] + for vrf in vrfs: + # Ensure VRF was created + self.assertIn(vrf, interfaces()) + # Verify IP forwarding is 0 (disabled) + self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '0') + self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '0') + if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/smoketest/scripts/cli/test_zone_policy.py b/smoketest/scripts/cli/test_zone_policy.py index 6e34f3179..2c580e2f1 100755 --- a/smoketest/scripts/cli/test_zone_policy.py +++ b/smoketest/scripts/cli/test_zone_policy.py @@ -23,13 +23,13 @@ from vyos.util import cmd class TestZonePolicy(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): - super(cls, cls).setUpClass() + super(TestZonePolicy, cls).setUpClass() cls.cli_set(cls, ['firewall', 'name', 'smoketest', 'default-action', 'drop']) @classmethod def tearDownClass(cls): cls.cli_delete(cls, ['firewall']) - super(cls, cls).tearDownClass() + super(TestZonePolicy, cls).tearDownClass() def tearDown(self): self.cli_delete(['zone-policy']) diff --git a/src/conf_mode/arp.py b/src/conf_mode/arp.py index aac07bd80..1cd8f5451 100755 --- a/src/conf_mode/arp.py +++ b/src/conf_mode/arp.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,92 +13,62 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -# -# -import sys -import os -import re -import syslog as sl +from sys import exit from vyos.config import Config +from vyos.configdict import node_changed from vyos.util import call from vyos import ConfigError - from vyos import airbag airbag.enable() -arp_cmd = '/usr/sbin/arp' - -def get_config(): - c = Config() - if not c.exists('protocols static arp'): - return None - - c.set_level('protocols static') - config_data = {} - - for ip_addr in c.list_nodes('arp'): - config_data.update( - { - ip_addr : c.return_value('arp ' + ip_addr + ' hwaddr') - } - ) +def get_config(config=None): + if config: + conf = config + else: + conf = Config() - return config_data + base = ['protocols', 'static', 'arp'] + arp = conf.get_config_dict(base, get_first_key=True) -def generate(c): - c_eff = Config() - c_eff.set_level('protocols static') - c_eff_cnf = {} - for ip_addr in c_eff.list_effective_nodes('arp'): - c_eff_cnf.update( - { - ip_addr : c_eff.return_effective_value('arp ' + ip_addr + ' hwaddr') - } - ) + if 'interface' in arp: + for interface in arp['interface']: + tmp = node_changed(conf, base + ['interface', interface, 'address'], recursive=True) + if tmp: arp['interface'][interface].update({'address_old' : tmp}) - config_data = { - 'remove' : [], - 'update' : {} - } - ### removal - if c == None: - for ip_addr in c_eff_cnf: - config_data['remove'].append(ip_addr) - else: - for ip_addr in c_eff_cnf: - if not ip_addr in c or c[ip_addr] == None: - config_data['remove'].append(ip_addr) + return arp - ### add/update - if c != None: - for ip_addr in c: - if not ip_addr in c_eff_cnf: - config_data['update'][ip_addr] = c[ip_addr] - if ip_addr in c_eff_cnf: - if c[ip_addr] != c_eff_cnf[ip_addr] and c[ip_addr] != None: - config_data['update'][ip_addr] = c[ip_addr] +def verify(arp): + pass - return config_data +def generate(arp): + pass -def apply(c): - for ip_addr in c['remove']: - sl.syslog(sl.LOG_NOTICE, "arp -d " + ip_addr) - call(f'{arp_cmd} -d {ip_addr} >/dev/null 2>&1') +def apply(arp): + if not arp: + return None - for ip_addr in c['update']: - sl.syslog(sl.LOG_NOTICE, "arp -s " + ip_addr + " " + c['update'][ip_addr]) - updated = c['update'][ip_addr] - call(f'{arp_cmd} -s {ip_addr} {updated}') + if 'interface' in arp: + for interface, interface_config in arp['interface'].items(): + # Delete old static ARP assignments first + if 'address_old' in interface_config: + for address in interface_config['address_old']: + call(f'ip neigh del {address} dev {interface}') + # Add new static ARP entries to interface + if 'address' not in interface_config: + continue + for address, address_config in interface_config['address'].items(): + mac = address_config['mac'] + call(f'ip neigh add {address} lladdr {mac} dev {interface}') if __name__ == '__main__': - try: - c = get_config() - ## syntax verification is done via cli - config = generate(c) - apply(config) - except ConfigError as e: - print(e) - sys.exit(1) + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/conf_mode/bcast_relay.py b/src/conf_mode/bcast_relay.py index d93a2a8f4..39a2971ce 100755 --- a/src/conf_mode/bcast_relay.py +++ b/src/conf_mode/bcast_relay.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2017-2020 VyOS maintainers and contributors +# Copyright (C) 2017-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -78,7 +78,7 @@ def generate(relay): continue config['instance'] = instance - render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.tmpl', + render(config_file_base + instance, 'bcast-relay/udp-broadcast-relay.j2', config) return None diff --git a/src/conf_mode/conntrack.py b/src/conf_mode/conntrack.py index aabf2bdf5..82289526f 100755 --- a/src/conf_mode/conntrack.py +++ b/src/conf_mode/conntrack.py @@ -101,9 +101,9 @@ def verify(conntrack): return None def generate(conntrack): - render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.tmpl', conntrack) - render(sysctl_file, 'conntrack/sysctl.conf.tmpl', conntrack) - render(nftables_ct_file, 'conntrack/nftables-ct.tmpl', conntrack) + render(conntrack_config, 'conntrack/vyos_nf_conntrack.conf.j2', conntrack) + render(sysctl_file, 'conntrack/sysctl.conf.j2', conntrack) + render(nftables_ct_file, 'conntrack/nftables-ct.j2', conntrack) # dry-run newly generated configuration tmp = run(f'nft -c -f {nftables_ct_file}') diff --git a/src/conf_mode/conntrack_sync.py b/src/conf_mode/conntrack_sync.py index 34d1f7398..311e01529 100755 --- a/src/conf_mode/conntrack_sync.py +++ b/src/conf_mode/conntrack_sync.py @@ -111,7 +111,7 @@ def generate(conntrack): os.unlink(config_file) return None - render(config_file, 'conntrackd/conntrackd.conf.tmpl', conntrack) + render(config_file, 'conntrackd/conntrackd.conf.j2', conntrack) return None diff --git a/src/conf_mode/containers.py b/src/conf_mode/container.py index 516671844..7e1dc5911 100755 --- a/src/conf_mode/containers.py +++ b/src/conf_mode/container.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -28,7 +28,6 @@ from vyos.configdict import node_changed from vyos.util import call from vyos.util import cmd from vyos.util import run -from vyos.util import read_file from vyos.util import write_file from vyos.template import inc_ip from vyos.template import is_ipv4 @@ -42,6 +41,20 @@ airbag.enable() config_containers_registry = '/etc/containers/registries.conf' config_containers_storage = '/etc/containers/storage.conf' +def _run_rerun(container_cmd): + counter = 0 + while True: + if counter >= 10: + break + try: + _cmd(container_cmd) + break + except: + counter = counter +1 + sleep(0.5) + + return None + def _cmd(command): if os.path.exists('/tmp/vyos.container.debug'): print(command) @@ -77,10 +90,10 @@ def get_config(config=None): container['name'][name] = dict_merge(default_values, container['name'][name]) # Delete container network, delete containers - tmp = node_changed(conf, ['container', 'network']) + tmp = node_changed(conf, base + ['container', 'network']) if tmp: container.update({'network_remove' : tmp}) - tmp = node_changed(conf, ['container', 'name']) + tmp = node_changed(conf, base + ['container', 'name']) if tmp: container.update({'container_remove' : tmp}) return container @@ -93,6 +106,20 @@ def verify(container): # Add new container if 'name' in container: for name, container_config in container['name'].items(): + # Container image is a mandatory option + if 'image' not in container_config: + raise ConfigError(f'Container image for "{name}" is mandatory!') + + # verify container image exists locally + image = container_config['image'] + + # Check if requested container image exists locally. If it does not + # exist locally - inform the user. + if run(f'podman image exists {image}') != 0: + raise ConfigError(f'Image "{image}" used in contianer "{name}" does not exist '\ + f'locally.\nPlease use "add container image {image}" to add it '\ + 'to the system!') + if 'network' in container_config: if len(container_config['network']) > 1: raise ConfigError(f'Only one network can be specified for container "{name}"!') @@ -151,10 +178,6 @@ def verify(container): if not os.path.exists(source): raise ConfigError(f'Volume "{volume}" source path "{source}" does not exist!') - # Container image is a mandatory option - if 'image' not in container_config: - raise ConfigError(f'Container image for "{name}" is mandatory!') - # If 'allow-host-networks' or 'network' not set. if 'allow_host_networks' not in container_config and 'network' not in container_config: raise ConfigError(f'Must either set "network" or "allow-host-networks" for container "{name}"!') @@ -194,6 +217,10 @@ def verify(container): def generate(container): # bail out early - looks like removal from running config if not container: + if os.path.exists(config_containers_registry): + os.unlink(config_containers_registry) + if os.path.exists(config_containers_storage): + os.unlink(config_containers_storage) return None if 'network' in container: @@ -227,8 +254,8 @@ def generate(container): write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2)) - render(config_containers_registry, 'containers/registry.tmpl', container) - render(config_containers_storage, 'containers/storage.tmpl', container) + render(config_containers_registry, 'container/registries.conf.j2', container) + render(config_containers_storage, 'container/storage.conf.j2', container) return None @@ -263,13 +290,6 @@ def apply(container): memory = container_config['memory'] restart = container_config['restart'] - # Check if requested container image exists locally. If it does not, we - # pull it. print() is the best way to have a good response from the - # polling process to the user to display progress. If the image exists - # locally, a user can update it running `update container image <name>` - tmp = run(f'podman image exists {image}') - if tmp != 0: print(os.system(f'podman pull {image}')) - # Add capability options. Should be in uppercase cap_add = '' if 'cap_add' in container_config: @@ -318,7 +338,7 @@ def apply(container): f'--memory {memory}m --memory-swap 0 --restart {restart} ' \ f'--name {name} {device} {port} {volume} {env_opt}' if 'allow_host_networks' in container_config: - run(f'{container_base_cmd} --net host {image}') + _run_rerun(f'{container_base_cmd} --net host {image}') else: for network in container_config['network']: ipparam = '' @@ -326,25 +346,10 @@ def apply(container): address = container_config['network'][network]['address'] ipparam = f'--ip {address}' - run(f'{container_base_cmd} --net {network} {ipparam} {image}') + _run_rerun(f'{container_base_cmd} --net {network} {ipparam} {image}') return None -def run(container_cmd): - counter = 0 - while True: - if counter >= 10: - break - try: - _cmd(container_cmd) - break - except: - counter = counter +1 - sleep(0.5) - - return None - - if __name__ == '__main__': try: c = get_config() diff --git a/src/conf_mode/dhcp_relay.py b/src/conf_mode/dhcp_relay.py index 6352e0b4a..4de2ca2f3 100755 --- a/src/conf_mode/dhcp_relay.py +++ b/src/conf_mode/dhcp_relay.py @@ -66,18 +66,19 @@ def generate(relay): if not relay: return None - render(config_file, 'dhcp-relay/dhcrelay.conf.tmpl', relay) + render(config_file, 'dhcp-relay/dhcrelay.conf.j2', relay) return None def apply(relay): # bail out early - looks like removal from running config + service_name = 'isc-dhcp-relay.service' if not relay: - call('systemctl stop isc-dhcp-relay.service') + call(f'systemctl stop {service_name}') if os.path.exists(config_file): os.unlink(config_file) return None - call('systemctl restart isc-dhcp-relay.service') + call(f'systemctl restart {service_name}') return None diff --git a/src/conf_mode/dhcp_server.py b/src/conf_mode/dhcp_server.py index a8cef5ebf..52b682d6d 100755 --- a/src/conf_mode/dhcp_server.py +++ b/src/conf_mode/dhcp_server.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2021 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -109,7 +109,7 @@ def get_config(config=None): if not conf.exists(base): return None - dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + dhcp = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) # T2665: defaults include lease time per TAG node which need to be added to # individual subnet definitions default_values = defaults(base + ['shared-network-name', 'subnet']) @@ -286,7 +286,7 @@ def generate(dhcp): # Please see: https://phabricator.vyos.net/T1129 for quoting of the raw # parameters we can pass to ISC DHCPd tmp_file = '/tmp/dhcpd.conf' - render(tmp_file, 'dhcp-server/dhcpd.conf.tmpl', dhcp, + render(tmp_file, 'dhcp-server/dhcpd.conf.j2', dhcp, formater=lambda _: _.replace(""", '"')) # XXX: as we have the ability for a user to pass in "raw" options via VyOS # CLI (see T3544) we now ask ISC dhcpd to test the newly rendered @@ -299,7 +299,7 @@ def generate(dhcp): # Now that we know that the newly rendered configuration is "good" we can # render the "real" configuration - render(config_file, 'dhcp-server/dhcpd.conf.tmpl', dhcp, + render(config_file, 'dhcp-server/dhcpd.conf.j2', dhcp, formater=lambda _: _.replace(""", '"')) return None diff --git a/src/conf_mode/dhcpv6_relay.py b/src/conf_mode/dhcpv6_relay.py index aea2c3b73..c1bd51f62 100755 --- a/src/conf_mode/dhcpv6_relay.py +++ b/src/conf_mode/dhcpv6_relay.py @@ -82,19 +82,20 @@ def generate(relay): if not relay: return None - render(config_file, 'dhcp-relay/dhcrelay6.conf.tmpl', relay) + render(config_file, 'dhcp-relay/dhcrelay6.conf.j2', relay) return None def apply(relay): # bail out early - looks like removal from running config + service_name = 'isc-dhcp-relay6.service' if not relay: # DHCPv6 relay support is removed in the commit - call('systemctl stop isc-dhcp-relay6.service') + call(f'systemctl stop {service_name}') if os.path.exists(config_file): os.unlink(config_file) return None - call('systemctl restart isc-dhcp-relay6.service') + call(f'systemctl restart {service_name}') return None diff --git a/src/conf_mode/dhcpv6_server.py b/src/conf_mode/dhcpv6_server.py index e6a2e4486..078ff327c 100755 --- a/src/conf_mode/dhcpv6_server.py +++ b/src/conf_mode/dhcpv6_server.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -41,7 +41,9 @@ def get_config(config=None): if not conf.exists(base): return None - dhcpv6 = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + dhcpv6 = conf.get_config_dict(base, key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) return dhcpv6 def verify(dhcpv6): @@ -51,7 +53,7 @@ def verify(dhcpv6): # If DHCP is enabled we need one share-network if 'shared_network_name' not in dhcpv6: - raise ConfigError('No DHCPv6 shared networks configured. At least\n' \ + raise ConfigError('No DHCPv6 shared networks configured. At least '\ 'one DHCPv6 shared network must be configured.') # Inspect shared-network/subnet @@ -60,8 +62,9 @@ def verify(dhcpv6): for network, network_config in dhcpv6['shared_network_name'].items(): # A shared-network requires a subnet definition if 'subnet' not in network_config: - raise ConfigError(f'No DHCPv6 lease subnets configured for "{network}". At least one\n' \ - 'lease subnet must be configured for each shared network!') + raise ConfigError(f'No DHCPv6 lease subnets configured for "{network}". '\ + 'At least one lease subnet must be configured for '\ + 'each shared network!') for subnet, subnet_config in network_config['subnet'].items(): if 'address_range' in subnet_config: @@ -83,20 +86,20 @@ def verify(dhcpv6): # Stop address must be greater or equal to start address if not ip_address(stop) >= ip_address(start): - raise ConfigError(f'address-range stop address "{stop}" must be greater or equal\n' \ + raise ConfigError(f'address-range stop address "{stop}" must be greater then or equal ' \ f'to the range start address "{start}"!') # DHCPv6 range start address must be unique - two ranges can't # start with the same address - makes no sense if start in range6_start: - raise ConfigError(f'Conflicting DHCPv6 lease range:\n' \ + raise ConfigError(f'Conflicting DHCPv6 lease range: '\ f'Pool start address "{start}" defined multipe times!') range6_start.append(start) # DHCPv6 range stop address must be unique - two ranges can't # end with the same address - makes no sense if stop in range6_stop: - raise ConfigError(f'Conflicting DHCPv6 lease range:\n' \ + raise ConfigError(f'Conflicting DHCPv6 lease range: '\ f'Pool stop address "{stop}" defined multipe times!') range6_stop.append(stop) @@ -112,7 +115,7 @@ def verify(dhcpv6): for prefix, prefix_config in subnet_config['prefix_delegation']['start'].items(): if 'stop' not in prefix_config: - raise ConfigError(f'Stop address of delegated IPv6 prefix range "{prefix}"\n' + raise ConfigError(f'Stop address of delegated IPv6 prefix range "{prefix}" '\ f'must be configured') if 'prefix_length' not in prefix_config: @@ -126,6 +129,10 @@ def verify(dhcpv6): if ip_address(mapping_config['ipv6_address']) not in ip_network(subnet): raise ConfigError(f'static-mapping address for mapping "{mapping}" is not in subnet "{subnet}"!') + if 'vendor_option' in subnet_config: + if len(dict_search('vendor_option.cisco.tftp_server', subnet_config)) > 2: + raise ConfigError(f'No more then two Cisco tftp-servers should be defined for subnet "{subnet}"!') + # Subnets must be unique if subnet in subnets: raise ConfigError(f'DHCPv6 subnets must be unique! Subnet {subnet} defined multiple times!') @@ -149,8 +156,8 @@ def verify(dhcpv6): raise ConfigError('DHCPv6 conflicting subnet ranges: {0} overlaps {1}'.format(net, net2)) if not listen_ok: - raise ConfigError('None of the DHCPv6 subnets are connected to a subnet6 on\n' \ - 'this machine. At least one subnet6 must be connected such that\n' \ + raise ConfigError('None of the DHCPv6 subnets are connected to a subnet6 on '\ + 'this machine. At least one subnet6 must be connected such that '\ 'DHCPv6 listens on an interface!') @@ -161,20 +168,20 @@ def generate(dhcpv6): if not dhcpv6 or 'disable' in dhcpv6: return None - render(config_file, 'dhcp-server/dhcpdv6.conf.tmpl', dhcpv6) + render(config_file, 'dhcp-server/dhcpdv6.conf.j2', dhcpv6) return None def apply(dhcpv6): # bail out early - looks like removal from running config + service_name = 'isc-dhcp-server6.service' if not dhcpv6 or 'disable' in dhcpv6: # DHCP server is removed in the commit - call('systemctl stop isc-dhcp-server6.service') + call(f'systemctl stop {service_name}') if os.path.exists(config_file): os.unlink(config_file) - return None - call('systemctl restart isc-dhcp-server6.service') + call(f'systemctl restart {service_name}') return None if __name__ == '__main__': diff --git a/src/conf_mode/dns_forwarding.py b/src/conf_mode/dns_forwarding.py index fa9b21f20..f1c2d1f43 100755 --- a/src/conf_mode/dns_forwarding.py +++ b/src/conf_mode/dns_forwarding.py @@ -279,10 +279,10 @@ def generate(dns): if not dns: return None - render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.tmpl', + render(pdns_rec_config_file, 'dns-forwarding/recursor.conf.j2', dns, user=pdns_rec_user, group=pdns_rec_group) - render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.tmpl', + render(pdns_rec_lua_conf_file, 'dns-forwarding/recursor.conf.lua.j2', dns, user=pdns_rec_user, group=pdns_rec_group) for zone_filename in glob(f'{pdns_rec_run_dir}/zone.*.conf'): @@ -290,7 +290,7 @@ def generate(dns): if 'authoritative_zones' in dns: for zone in dns['authoritative_zones']: - render(zone['file'], 'dns-forwarding/recursor.zone.conf.tmpl', + render(zone['file'], 'dns-forwarding/recursor.zone.conf.j2', zone, user=pdns_rec_user, group=pdns_rec_group) diff --git a/src/conf_mode/dynamic_dns.py b/src/conf_mode/dynamic_dns.py index a31e5ed75..06a2f7e15 100755 --- a/src/conf_mode/dynamic_dns.py +++ b/src/conf_mode/dynamic_dns.py @@ -131,7 +131,7 @@ def generate(dyndns): if not dyndns: return None - render(config_file, 'dynamic-dns/ddclient.conf.tmpl', dyndns) + render(config_file, 'dynamic-dns/ddclient.conf.j2', dyndns) return None def apply(dyndns): diff --git a/src/conf_mode/firewall.py b/src/conf_mode/firewall.py index f33198a49..6924bf555 100755 --- a/src/conf_mode/firewall.py +++ b/src/conf_mode/firewall.py @@ -21,6 +21,7 @@ from glob import glob from json import loads from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed @@ -225,7 +226,7 @@ def verify_rule(firewall, rule_conf, ipv6): raise ConfigError(f'Invalid {error_group} "{group_name}" on firewall rule') if not group_obj: - print(f'WARNING: {error_group} "{group_name}" has no members') + Warning(f'{error_group} "{group_name}" has no members!') if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'): if 'protocol' not in rule_conf: @@ -326,8 +327,8 @@ def generate(firewall): else: firewall['cleanup_commands'] = cleanup_commands(firewall) - render(nftables_conf, 'firewall/nftables.tmpl', firewall) - render(nftables_defines_conf, 'firewall/nftables-defines.tmpl', firewall) + render(nftables_conf, 'firewall/nftables.j2', firewall) + render(nftables_defines_conf, 'firewall/nftables-defines.j2', firewall) return None def apply_sysfs(firewall): @@ -395,7 +396,7 @@ def resync_policy_route(): # Update policy route as firewall groups were updated tmp = run(policy_route_conf_script) if tmp > 0: - print('Warning: Failed to re-apply policy route configuration') + Warning('Failed to re-apply policy route configuration!') def apply(firewall): if 'first_install' in firewall: diff --git a/src/conf_mode/flow_accounting_conf.py b/src/conf_mode/flow_accounting_conf.py index 25bf54790..7f7a98b04 100755 --- a/src/conf_mode/flow_accounting_conf.py +++ b/src/conf_mode/flow_accounting_conf.py @@ -239,8 +239,8 @@ def generate(flow_config): if not flow_config: return None - render(uacctd_conf_path, 'pmacct/uacctd.conf.tmpl', flow_config) - render(systemd_override, 'pmacct/override.conf.tmpl', flow_config) + render(uacctd_conf_path, 'pmacct/uacctd.conf.j2', flow_config) + render(systemd_override, 'pmacct/override.conf.j2', flow_config) # Reload systemd manager configuration call('systemctl daemon-reload') diff --git a/src/conf_mode/high-availability.py b/src/conf_mode/high-availability.py index 7d51bb393..f939f9469 100755 --- a/src/conf_mode/high-availability.py +++ b/src/conf_mode/high-availability.py @@ -152,7 +152,7 @@ def generate(ha): if not ha: return None - render(VRRP.location['config'], 'high-availability/keepalived.conf.tmpl', ha) + render(VRRP.location['config'], 'high-availability/keepalived.conf.j2', ha) return None def apply(ha): diff --git a/src/conf_mode/host_name.py b/src/conf_mode/host_name.py index 87bad0dc6..93f244f42 100755 --- a/src/conf_mode/host_name.py +++ b/src/conf_mode/host_name.py @@ -21,13 +21,14 @@ import copy import vyos.util import vyos.hostsd_client -from vyos import ConfigError +from vyos.base import Warning from vyos.config import Config from vyos.ifconfig import Section from vyos.template import is_ip from vyos.util import cmd from vyos.util import call from vyos.util import process_named_running +from vyos import ConfigError from vyos import airbag airbag.enable() @@ -113,7 +114,7 @@ def verify(hosts): for interface, interface_config in hosts['nameservers_dhcp_interfaces'].items(): # Warnin user if interface does not have DHCP or DHCPv6 configured if not set(interface_config).intersection(['dhcp', 'dhcpv6']): - print(f'WARNING: "{interface}" is not a DHCP interface but uses DHCP name-server option!') + Warning(f'"{interface}" is not a DHCP interface but uses DHCP name-server option!') return None diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py index 00f3d4f7f..4a7906c17 100755 --- a/src/conf_mode/http-api.py +++ b/src/conf_mode/http-api.py @@ -117,7 +117,7 @@ def generate(http_api): with open(api_conf_file, 'w') as f: json.dump(http_api, f, indent=2) - render(systemd_service, 'https/vyos-http-api.service.tmpl', http_api) + render(systemd_service, 'https/vyos-http-api.service.j2', http_api) return None def apply(http_api): diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py index 37fa36797..3057357fc 100755 --- a/src/conf_mode/https.py +++ b/src/conf_mode/https.py @@ -214,8 +214,8 @@ def generate(https): 'certbot': certbot } - render(config_file, 'https/nginx.default.tmpl', data) - render(systemd_override, 'https/override.conf.tmpl', https) + render(config_file, 'https/nginx.default.j2', data) + render(systemd_override, 'https/override.conf.j2', https) return None def apply(https): diff --git a/src/conf_mode/igmp_proxy.py b/src/conf_mode/igmp_proxy.py index fb030c9f3..de6a51c64 100755 --- a/src/conf_mode/igmp_proxy.py +++ b/src/conf_mode/igmp_proxy.py @@ -19,6 +19,7 @@ import os from sys import exit from netifaces import interfaces +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.template import render @@ -92,10 +93,10 @@ def generate(igmp_proxy): # bail out early - service is disabled, but inform user if 'disable' in igmp_proxy: - print('WARNING: IGMP Proxy will be deactivated because it is disabled') + Warning('IGMP Proxy will be deactivated because it is disabled') return None - render(config_file, 'igmp-proxy/igmpproxy.conf.tmpl', igmp_proxy) + render(config_file, 'igmp-proxy/igmpproxy.conf.j2', igmp_proxy) return None diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py index ad5a0f499..4167594e3 100755 --- a/src/conf_mode/interfaces-bonding.py +++ b/src/conf_mode/interfaces-bonding.py @@ -68,7 +68,7 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'bonding'] - bond = get_interface_dict(conf, base) + ifname, bond = get_interface_dict(conf, base) # To make our own life easier transfor the list of member interfaces # into a dictionary - we will use this to add additional information @@ -81,14 +81,14 @@ def get_config(config=None): if 'mode' in bond: bond['mode'] = get_bond_mode(bond['mode']) - tmp = leaf_node_changed(conf, ['mode']) + tmp = leaf_node_changed(conf, base + [ifname, 'mode']) if tmp: bond.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['lacp-rate']) + tmp = leaf_node_changed(conf, base + [ifname, 'lacp-rate']) if tmp: bond.update({'shutdown_required': {}}) # determine which members have been removed - interfaces_removed = leaf_node_changed(conf, ['member', 'interface']) + interfaces_removed = leaf_node_changed(conf, base + [ifname, 'member', 'interface']) if interfaces_removed: bond.update({'shutdown_required': {}}) if 'member' not in bond: diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py index b1f7e6d7c..38ae727c1 100755 --- a/src/conf_mode/interfaces-bridge.py +++ b/src/conf_mode/interfaces-bridge.py @@ -50,15 +50,15 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'bridge'] - bridge = get_interface_dict(conf, base) + ifname, bridge = get_interface_dict(conf, base) # determine which members have been removed - tmp = node_changed(conf, ['member', 'interface'], key_mangling=('-', '_')) + tmp = node_changed(conf, base + [ifname, 'member', 'interface'], key_mangling=('-', '_')) if tmp: if 'member' in bridge: - bridge['member'].update({'interface_remove': tmp }) + bridge['member'].update({'interface_remove' : tmp }) else: - bridge.update({'member': {'interface_remove': tmp }}) + bridge.update({'member' : {'interface_remove' : tmp }}) if dict_search('member.interface', bridge): # XXX: T2665: we need a copy of the dict keys for iteration, else we will get: diff --git a/src/conf_mode/interfaces-dummy.py b/src/conf_mode/interfaces-dummy.py index 4a1eb7b93..e771581e1 100755 --- a/src/conf_mode/interfaces-dummy.py +++ b/src/conf_mode/interfaces-dummy.py @@ -37,7 +37,7 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'dummy'] - dummy = get_interface_dict(conf, base) + _, dummy = get_interface_dict(conf, base) return dummy def verify(dummy): diff --git a/src/conf_mode/interfaces-ethernet.py b/src/conf_mode/interfaces-ethernet.py index 6aea7a80e..fec4456fb 100755 --- a/src/conf_mode/interfaces-ethernet.py +++ b/src/conf_mode/interfaces-ethernet.py @@ -19,6 +19,7 @@ import os from glob import glob from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configverify import verify_address @@ -64,7 +65,7 @@ def get_config(config=None): get_first_key=True, no_tag_node_value_mangle=True) base = ['interfaces', 'ethernet'] - ethernet = get_interface_dict(conf, base) + _, ethernet = get_interface_dict(conf, base) if 'deleted' not in ethernet: if pki: ethernet['pki'] = pki @@ -142,8 +143,8 @@ def verify(ethernet): raise ConfigError('XDP requires additional TX queues, too few available!') if {'is_bond_member', 'mac'} <= set(ethernet): - print(f'WARNING: changing mac address "{mac}" will be ignored as "{ifname}" ' - f'is a member of bond "{is_bond_member}"'.format(**ethernet)) + Warning(f'changing mac address "{mac}" will be ignored as "{ifname}" ' \ + f'is a member of bond "{is_bond_member}"'.format(**ethernet)) # use common function to verify VLAN configuration verify_vlan_config(ethernet) @@ -152,7 +153,7 @@ def verify(ethernet): def generate(ethernet): if 'eapol' in ethernet: render(wpa_suppl_conf.format(**ethernet), - 'ethernet/wpa_supplicant.conf.tmpl', ethernet) + 'ethernet/wpa_supplicant.conf.j2', ethernet) ifname = ethernet['ifname'] cert_file_path = os.path.join(cfg_dir, f'{ifname}_cert.pem') diff --git a/src/conf_mode/interfaces-geneve.py b/src/conf_mode/interfaces-geneve.py index 3a668226b..b9cf2fa3c 100755 --- a/src/conf_mode/interfaces-geneve.py +++ b/src/conf_mode/interfaces-geneve.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2019-2020 VyOS maintainers and contributors +# Copyright (C) 2019-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -21,6 +21,8 @@ from netifaces import interfaces from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_bridge_delete @@ -41,7 +43,18 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'geneve'] - geneve = get_interface_dict(conf, base) + ifname, geneve = get_interface_dict(conf, base) + + # GENEVE interfaces are picky and require recreation if certain parameters + # change. But a GENEVE interface should - of course - not be re-created if + # it's description or IP address is adjusted. Feels somehow logic doesn't it? + for cli_option in ['remote', 'vni']: + if leaf_node_changed(conf, base + [ifname, cli_option]): + geneve.update({'rebuild_required': {}}) + + if is_node_changed(conf, base + [ifname, 'parameters']): + geneve.update({'rebuild_required': {}}) + return geneve def verify(geneve): @@ -67,11 +80,12 @@ def generate(geneve): def apply(geneve): # Check if GENEVE interface already exists - if geneve['ifname'] in interfaces(): - g = GeneveIf(geneve['ifname']) - # GENEVE is super picky and the tunnel always needs to be recreated, - # thus we can simply always delete it first. - g.remove() + if 'rebuild_required' in geneve or 'delete' in geneve: + if geneve['ifname'] in interfaces(): + g = GeneveIf(geneve['ifname']) + # GENEVE is super picky and the tunnel always needs to be recreated, + # thus we can simply always delete it first. + g.remove() if 'deleted' not in geneve: # Finally create the new interface diff --git a/src/conf_mode/interfaces-l2tpv3.py b/src/conf_mode/interfaces-l2tpv3.py index 22256bf4f..6a486f969 100755 --- a/src/conf_mode/interfaces-l2tpv3.py +++ b/src/conf_mode/interfaces-l2tpv3.py @@ -45,15 +45,15 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'l2tpv3'] - l2tpv3 = get_interface_dict(conf, base) + ifname, l2tpv3 = get_interface_dict(conf, base) # To delete an l2tpv3 interface we need the current tunnel and session-id if 'deleted' in l2tpv3: - tmp = leaf_node_changed(conf, ['tunnel-id']) + tmp = leaf_node_changed(conf, base + [ifname, 'tunnel-id']) # leaf_node_changed() returns a list l2tpv3.update({'tunnel_id': tmp[0]}) - tmp = leaf_node_changed(conf, ['session-id']) + tmp = leaf_node_changed(conf, base + [ifname, 'session-id']) l2tpv3.update({'session_id': tmp[0]}) return l2tpv3 diff --git a/src/conf_mode/interfaces-loopback.py b/src/conf_mode/interfaces-loopback.py index e4bc15bb5..08d34477a 100755 --- a/src/conf_mode/interfaces-loopback.py +++ b/src/conf_mode/interfaces-loopback.py @@ -36,7 +36,7 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'loopback'] - loopback = get_interface_dict(conf, base) + _, loopback = get_interface_dict(conf, base) return loopback def verify(loopback): diff --git a/src/conf_mode/interfaces-macsec.py b/src/conf_mode/interfaces-macsec.py index 96fc1c41c..279dd119b 100755 --- a/src/conf_mode/interfaces-macsec.py +++ b/src/conf_mode/interfaces-macsec.py @@ -48,7 +48,7 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'macsec'] - macsec = get_interface_dict(conf, base) + ifname, macsec = get_interface_dict(conf, base) # Check if interface has been removed if 'deleted' in macsec: @@ -98,7 +98,7 @@ def verify(macsec): def generate(macsec): render(wpa_suppl_conf.format(**macsec), - 'macsec/wpa_supplicant.conf.tmpl', macsec) + 'macsec/wpa_supplicant.conf.j2', macsec) return None diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py index 83d1c6d9b..4750ca3e8 100755 --- a/src/conf_mode/interfaces-openvpn.py +++ b/src/conf_mode/interfaces-openvpn.py @@ -32,7 +32,7 @@ from shutil import rmtree from vyos.config import Config from vyos.configdict import get_interface_dict -from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mirror_redirect @@ -85,13 +85,12 @@ def get_config(config=None): tmp_pki = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) - openvpn = get_interface_dict(conf, base) + ifname, openvpn = get_interface_dict(conf, base) if 'deleted' not in openvpn: openvpn['pki'] = tmp_pki - - tmp = leaf_node_changed(conf, ['openvpn-option']) - if tmp: openvpn['restart_required'] = '' + if is_node_changed(conf, base + [ifname, 'openvpn-option']): + openvpn.update({'restart_required': {}}) # We have to get the dict using 'get_config_dict' instead of 'get_interface_dict' # as 'get_interface_dict' merges the defaults in, so we can not check for defaults in there. @@ -608,7 +607,7 @@ def generate(openvpn): # Generate User/Password authentication file if 'authentication' in openvpn: - render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.tmpl', openvpn, + render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.j2', openvpn, user=user, group=group, permission=0o600) else: # delete old auth file if present @@ -624,16 +623,16 @@ def generate(openvpn): # Our client need's to know its subnet mask ... client_config['server_subnet'] = dict_search('server.subnet', openvpn) - render(client_file, 'openvpn/client.conf.tmpl', client_config, + render(client_file, 'openvpn/client.conf.j2', client_config, user=user, group=group) # we need to support quoting of raw parameters from OpenVPN CLI # see https://phabricator.vyos.net/T1632 - render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn, + render(cfg_file.format(**openvpn), 'openvpn/server.conf.j2', openvpn, formater=lambda _: _.replace(""", '"'), user=user, group=group) # Render 20-override.conf for OpenVPN service - render(service_file.format(**openvpn), 'openvpn/service-override.conf.tmpl', openvpn, + render(service_file.format(**openvpn), 'openvpn/service-override.conf.j2', openvpn, formater=lambda _: _.replace(""", '"'), user=user, group=group) # Reload systemd services config to apply an override call(f'systemctl daemon-reload') diff --git a/src/conf_mode/interfaces-pppoe.py b/src/conf_mode/interfaces-pppoe.py index bfb1fadd5..e2fdc7a42 100755 --- a/src/conf_mode/interfaces-pppoe.py +++ b/src/conf_mode/interfaces-pppoe.py @@ -22,7 +22,9 @@ from netifaces import interfaces from vyos.config import Config from vyos.configdict import get_interface_dict +from vyos.configdict import is_node_changed from vyos.configdict import leaf_node_changed +from vyos.configdict import get_pppoe_interfaces from vyos.configverify import verify_authentication from vyos.configverify import verify_source_interface from vyos.configverify import verify_interface_exists @@ -47,33 +49,17 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'pppoe'] - pppoe = get_interface_dict(conf, base) + ifname, pppoe = get_interface_dict(conf, base) # We should only terminate the PPPoE session if critical parameters change. # All parameters that can be changed on-the-fly (like interface description) # should not lead to a reconnect! - tmp = leaf_node_changed(conf, ['access-concentrator']) - if tmp: pppoe.update({'shutdown_required': {}}) - - tmp = leaf_node_changed(conf, ['connect-on-demand']) - if tmp: pppoe.update({'shutdown_required': {}}) - - tmp = leaf_node_changed(conf, ['service-name']) - if tmp: pppoe.update({'shutdown_required': {}}) - - tmp = leaf_node_changed(conf, ['source-interface']) - if tmp: pppoe.update({'shutdown_required': {}}) - - tmp = leaf_node_changed(conf, ['vrf']) - # leaf_node_changed() returns a list, as VRF is a non-multi node, there - # will be only one list element - if tmp: pppoe.update({'vrf_old': tmp[0]}) - - tmp = leaf_node_changed(conf, ['authentication', 'user']) - if tmp: pppoe.update({'shutdown_required': {}}) - - tmp = leaf_node_changed(conf, ['authentication', 'password']) - if tmp: pppoe.update({'shutdown_required': {}}) + for options in ['access-concentrator', 'connect-on-demand', 'service-name', + 'source-interface', 'vrf', 'no-default-route', 'authentication']: + if is_node_changed(conf, base + [ifname, options]): + pppoe.update({'shutdown_required': {}}) + # bail out early - no need to further process other nodes + break return pppoe @@ -106,7 +92,7 @@ def generate(pppoe): return None # Create PPP configuration files - render(config_pppoe, 'pppoe/peer.tmpl', pppoe, permission=0o640) + render(config_pppoe, 'pppoe/peer.j2', pppoe, permission=0o640) return None @@ -120,7 +106,7 @@ def apply(pppoe): return None # reconnect should only be necessary when certain config options change, - # like ACS name, authentication, no-peer-dns, source-interface + # like ACS name, authentication ... (see get_config() for details) if ((not is_systemd_service_running(f'ppp@{ifname}.service')) or 'shutdown_required' in pppoe): @@ -130,6 +116,9 @@ def apply(pppoe): p.remove() call(f'systemctl restart ppp@{ifname}.service') + # When interface comes "live" a hook is called: + # /etc/ppp/ip-up.d/99-vyos-pppoe-callback + # which triggers PPPoEIf.update() else: if os.path.isdir(f'/sys/class/net/{ifname}'): p = PPPoEIf(ifname) diff --git a/src/conf_mode/interfaces-pseudo-ethernet.py b/src/conf_mode/interfaces-pseudo-ethernet.py index f2c85554f..1cd3fe276 100755 --- a/src/conf_mode/interfaces-pseudo-ethernet.py +++ b/src/conf_mode/interfaces-pseudo-ethernet.py @@ -18,7 +18,7 @@ from sys import exit from vyos.config import Config from vyos.configdict import get_interface_dict -from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed from vyos.configverify import verify_vrf from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete @@ -42,14 +42,14 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'pseudo-ethernet'] - peth = get_interface_dict(conf, base) + ifname, peth = get_interface_dict(conf, base) - mode = leaf_node_changed(conf, ['mode']) - if mode: peth.update({'mode_old' : mode}) + mode = is_node_changed(conf, ['mode']) + if mode: peth.update({'shutdown_required' : {}}) if 'source_interface' in peth: - peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], - peth['source_interface']) + _, peth['parent'] = get_interface_dict(conf, ['interfaces', 'ethernet'], + peth['source_interface']) return peth def verify(peth): diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py index f4668d976..eff7f373c 100755 --- a/src/conf_mode/interfaces-tunnel.py +++ b/src/conf_mode/interfaces-tunnel.py @@ -48,10 +48,10 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'tunnel'] - tunnel = get_interface_dict(conf, base) + ifname, tunnel = get_interface_dict(conf, base) if 'deleted' not in tunnel: - tmp = leaf_node_changed(conf, ['encapsulation']) + tmp = leaf_node_changed(conf, base + [ifname, 'encapsulation']) if tmp: tunnel.update({'encapsulation_changed': {}}) # We also need to inspect other configured tunnels as there are Kernel diff --git a/src/conf_mode/interfaces-vti.py b/src/conf_mode/interfaces-vti.py index f06fdff1b..f4b0436af 100755 --- a/src/conf_mode/interfaces-vti.py +++ b/src/conf_mode/interfaces-vti.py @@ -36,7 +36,7 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'vti'] - vti = get_interface_dict(conf, base) + _, vti = get_interface_dict(conf, base) return vti def verify(vti): diff --git a/src/conf_mode/interfaces-vxlan.py b/src/conf_mode/interfaces-vxlan.py index 0a9b51cac..f44d754ba 100755 --- a/src/conf_mode/interfaces-vxlan.py +++ b/src/conf_mode/interfaces-vxlan.py @@ -19,9 +19,11 @@ import os from sys import exit from netifaces import interfaces +from vyos.base import Warning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 @@ -44,18 +46,19 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'vxlan'] - vxlan = get_interface_dict(conf, base) + ifname, vxlan = get_interface_dict(conf, base) # VXLAN interfaces are picky and require recreation if certain parameters # change. But a VXLAN interface should - of course - not be re-created if # it's description or IP address is adjusted. Feels somehow logic doesn't it? for cli_option in ['external', 'gpe', 'group', 'port', 'remote', - 'source-address', 'source-interface', 'vni', - 'parameters ip dont-fragment', 'parameters ip tos', - 'parameters ip ttl']: - if leaf_node_changed(conf, cli_option.split()): + 'source-address', 'source-interface', 'vni']: + if leaf_node_changed(conf, base + [ifname, cli_option]): vxlan.update({'rebuild_required': {}}) + if is_node_changed(conf, base + [ifname, 'parameters']): + vxlan.update({'rebuild_required': {}}) + # We need to verify that no other VXLAN tunnel is configured when external # mode is in use - Linux Kernel limitation conf.set_level(base) @@ -78,7 +81,7 @@ def verify(vxlan): return None if int(vxlan['mtu']) < 1500: - print('WARNING: RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') + Warning('RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') if 'group' in vxlan: if 'source_interface' not in vxlan: diff --git a/src/conf_mode/interfaces-wireguard.py b/src/conf_mode/interfaces-wireguard.py index b404375d6..180ffa507 100755 --- a/src/conf_mode/interfaces-wireguard.py +++ b/src/conf_mode/interfaces-wireguard.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -46,17 +46,17 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'wireguard'] - wireguard = get_interface_dict(conf, base) + ifname, wireguard = get_interface_dict(conf, base) # Check if a port was changed - wireguard['port_changed'] = leaf_node_changed(conf, ['port']) + wireguard['port_changed'] = leaf_node_changed(conf, base + [ifname, 'port']) # Determine which Wireguard peer has been removed. # Peers can only be removed with their public key! dict = {} - tmp = node_changed(conf, ['peer'], key_mangling=('-', '_')) + tmp = node_changed(conf, base + [ifname, 'peer'], key_mangling=('-', '_')) for peer in (tmp or []): - public_key = leaf_node_changed(conf, ['peer', peer, 'public_key']) + public_key = leaf_node_changed(conf, base + [ifname, 'peer', peer, 'public_key']) if public_key: dict = dict_merge({'peer_remove' : {peer : {'public_key' : public_key[0]}}}, dict) wireguard.update(dict) diff --git a/src/conf_mode/interfaces-wireless.py b/src/conf_mode/interfaces-wireless.py index 500952df1..d34297063 100755 --- a/src/conf_mode/interfaces-wireless.py +++ b/src/conf_mode/interfaces-wireless.py @@ -76,15 +76,19 @@ def get_config(config=None): conf = Config() base = ['interfaces', 'wireless'] - wifi = get_interface_dict(conf, base) + ifname, wifi = get_interface_dict(conf, base) # Cleanup "delete" default values when required user selectable values are # not defined at all - tmp = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True) + tmp = conf.get_config_dict(base + [ifname], key_mangling=('-', '_'), + get_first_key=True) if not (dict_search('security.wpa.passphrase', tmp) or dict_search('security.wpa.radius', tmp)): if 'deleted' not in wifi: del wifi['security']['wpa'] + # if 'security' key is empty, drop it too + if len(wifi['security']) == 0: + del wifi['security'] # defaults include RADIUS server specifics per TAG node which need to be # added to individual RADIUS servers instead - so we can simply delete them @@ -244,11 +248,11 @@ def generate(wifi): # render appropriate new config files depending on access-point or station mode if wifi['type'] == 'access-point': - render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.tmpl', + render(hostapd_conf.format(**wifi), 'wifi/hostapd.conf.j2', wifi) elif wifi['type'] == 'station': - render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.tmpl', + render(wpa_suppl_conf.format(**wifi), 'wifi/wpa_supplicant.conf.j2', wifi) return None diff --git a/src/conf_mode/interfaces-wwan.py b/src/conf_mode/interfaces-wwan.py index 9a33039a3..e275ace84 100755 --- a/src/conf_mode/interfaces-wwan.py +++ b/src/conf_mode/interfaces-wwan.py @@ -21,7 +21,7 @@ from time import sleep from vyos.config import Config from vyos.configdict import get_interface_dict -from vyos.configdict import leaf_node_changed +from vyos.configdict import is_node_changed from vyos.configverify import verify_authentication from vyos.configverify import verify_interface_exists from vyos.configverify import verify_mirror_redirect @@ -50,42 +50,36 @@ def get_config(config=None): else: conf = Config() base = ['interfaces', 'wwan'] - wwan = get_interface_dict(conf, base) + ifname, wwan = get_interface_dict(conf, base) # We should only terminate the WWAN session if critical parameters change. # All parameters that can be changed on-the-fly (like interface description) # should not lead to a reconnect! - tmp = leaf_node_changed(conf, ['address']) + tmp = is_node_changed(conf, base + [ifname, 'address']) if tmp: wwan.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['apn']) + tmp = is_node_changed(conf, base + [ifname, 'apn']) if tmp: wwan.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['disable']) + tmp = is_node_changed(conf, base + [ifname, 'disable']) if tmp: wwan.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['vrf']) - # leaf_node_changed() returns a list, as VRF is a non-multi node, there - # will be only one list element - if tmp: wwan.update({'vrf_old': tmp[0]}) - - tmp = leaf_node_changed(conf, ['authentication', 'user']) + tmp = is_node_changed(conf, base + [ifname, 'vrf']) if tmp: wwan.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['authentication', 'password']) + tmp = is_node_changed(conf, base + [ifname, 'authentication']) if tmp: wwan.update({'shutdown_required': {}}) - tmp = leaf_node_changed(conf, ['ipv6', 'address', 'autoconf']) + tmp = is_node_changed(conf, base + [ifname, 'ipv6', 'address', 'autoconf']) if tmp: wwan.update({'shutdown_required': {}}) # We need to know the amount of other WWAN interfaces as ModemManager needs # to be started or stopped. conf.set_level(base) - wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), - get_first_key=True, - no_tag_node_value_mangle=True) + _, wwan['other_interfaces'] = conf.get_config_dict([], key_mangling=('-', '_'), + get_first_key=True, + no_tag_node_value_mangle=True) - ifname = wwan['ifname'] # This if-clause is just to be sure - it will always evaluate to true if ifname in wwan['other_interfaces']: del wwan['other_interfaces'][ifname] diff --git a/src/conf_mode/lldp.py b/src/conf_mode/lldp.py index db8328259..c703c1fe0 100755 --- a/src/conf_mode/lldp.py +++ b/src/conf_mode/lldp.py @@ -18,6 +18,7 @@ import os from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.validate import is_addr_assigned @@ -84,11 +85,11 @@ def verify(lldp): if 'management_address' in lldp: for address in lldp['management_address']: - message = f'WARNING: LLDP management address "{address}" is invalid' + message = f'LLDP management address "{address}" is invalid' if is_loopback_addr(address): - print(f'{message} - loopback address') + Warning(f'{message} - loopback address') elif not is_addr_assigned(address): - print(f'{message} - not assigned to any interface') + Warning(f'{message} - not assigned to any interface') if 'interface' in lldp: for interface, interface_config in lldp['interface'].items(): @@ -110,8 +111,8 @@ def generate(lldp): if lldp is None: return - render(config_file, 'lldp/lldpd.tmpl', lldp) - render(vyos_config_file, 'lldp/vyos.conf.tmpl', lldp) + render(config_file, 'lldp/lldpd.j2', lldp) + render(vyos_config_file, 'lldp/vyos.conf.j2', lldp) def apply(lldp): systemd_service = 'lldpd.service' diff --git a/src/conf_mode/nat.py b/src/conf_mode/nat.py index 9f319fc8a..85819a77e 100755 --- a/src/conf_mode/nat.py +++ b/src/conf_mode/nat.py @@ -23,6 +23,7 @@ from platform import release as kernel_version from sys import exit from netifaces import interfaces +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.template import render @@ -142,14 +143,14 @@ def verify(nat): raise ConfigError(f'{err_msg} outbound-interface not specified') if config['outbound_interface'] not in 'any' and config['outbound_interface'] not in interfaces(): - print(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') + Warning(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') addr = dict_search('translation.address', config) if addr != None: if addr != 'masquerade' and not is_ip_network(addr): for ip in addr.split('-'): if not is_addr_assigned(ip): - print(f'WARNING: IP address {ip} does not exist on the system!') + Warning(f'IP address {ip} does not exist on the system!') elif 'exclude' not in config: raise ConfigError(f'{err_msg}\n' \ 'translation address not specified') @@ -167,7 +168,7 @@ def verify(nat): 'inbound-interface not specified') else: if config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): - print(f'WARNING: rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') + Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') if dict_search('translation.address', config) == None and 'exclude' not in config: @@ -180,13 +181,13 @@ def verify(nat): return None def generate(nat): - render(nftables_nat_config, 'firewall/nftables-nat.tmpl', nat) + render(nftables_nat_config, 'firewall/nftables-nat.j2', nat) # dry-run newly generated configuration tmp = run(f'nft -c -f {nftables_nat_config}') if tmp > 0: - if os.path.exists(nftables_ct_file): - os.unlink(nftables_ct_file) + if os.path.exists(nftables_nat_config): + os.unlink(nftables_nat_config) raise ConfigError('Configuration file errors encountered!') return None diff --git a/src/conf_mode/nat66.py b/src/conf_mode/nat66.py index 8bf2e8073..0972151a0 100755 --- a/src/conf_mode/nat66.py +++ b/src/conf_mode/nat66.py @@ -21,6 +21,7 @@ import os from sys import exit from netifaces import interfaces +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.template import render @@ -117,12 +118,12 @@ def verify(nat): raise ConfigError(f'{err_msg} outbound-interface not specified') if config['outbound_interface'] not in interfaces(): - raise ConfigError(f'WARNING: rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') + raise ConfigError(f'rule "{rule}" interface "{config["outbound_interface"]}" does not exist on this system') addr = dict_search('translation.address', config) if addr != None: if addr != 'masquerade' and not is_ipv6(addr): - raise ConfigError(f'Warning: IPv6 address {addr} is not a valid address') + raise ConfigError(f'IPv6 address {addr} is not a valid address') else: raise ConfigError(f'{err_msg} translation address not specified') @@ -140,13 +141,13 @@ def verify(nat): 'inbound-interface not specified') else: if config['inbound_interface'] not in 'any' and config['inbound_interface'] not in interfaces(): - print(f'WARNING: rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') + Warning(f'rule "{rule}" interface "{config["inbound_interface"]}" does not exist on this system') return None def generate(nat): - render(nftables_nat66_config, 'firewall/nftables-nat66.tmpl', nat, permission=0o755) - render(ndppd_config, 'ndppd/ndppd.conf.tmpl', nat, permission=0o755) + render(nftables_nat66_config, 'firewall/nftables-nat66.j2', nat, permission=0o755) + render(ndppd_config, 'ndppd/ndppd.conf.j2', nat, permission=0o755) return None def apply(nat): diff --git a/src/conf_mode/ntp.py b/src/conf_mode/ntp.py index 52070aabc..0d6ec9ace 100755 --- a/src/conf_mode/ntp.py +++ b/src/conf_mode/ntp.py @@ -56,8 +56,8 @@ def generate(ntp): if not ntp: return None - render(config_file, 'ntp/ntpd.conf.tmpl', ntp) - render(systemd_override, 'ntp/override.conf.tmpl', ntp) + render(config_file, 'ntp/ntpd.conf.j2', ntp) + render(systemd_override, 'ntp/override.conf.j2', ntp) return None diff --git a/src/conf_mode/policy-route.py b/src/conf_mode/policy-route.py index 3d1d7d8c5..5de341beb 100755 --- a/src/conf_mode/policy-route.py +++ b/src/conf_mode/policy-route.py @@ -20,6 +20,7 @@ import re from json import loads from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.template import render from vyos.util import cmd @@ -135,7 +136,7 @@ def verify_rule(policy, name, rule_conf, ipv6): raise ConfigError(f'Invalid {error_group} "{group_name}" on policy route rule') if not group_obj: - print(f'WARNING: {error_group} "{group_name}" has no members') + Warning(f'{error_group} "{group_name}" has no members') if 'port' in side_conf or dict_search_args(side_conf, 'group', 'port_group'): if 'protocol' not in rule_conf: @@ -203,7 +204,7 @@ def generate(policy): else: policy['cleanup_commands'] = cleanup_commands(policy) - render(nftables_conf, 'firewall/nftables-policy.tmpl', policy) + render(nftables_conf, 'firewall/nftables-policy.j2', policy) return None def apply_table_marks(policy): diff --git a/src/conf_mode/policy.py b/src/conf_mode/policy.py index 9d8fcfa36..ef6008140 100755 --- a/src/conf_mode/policy.py +++ b/src/conf_mode/policy.py @@ -177,7 +177,7 @@ def verify(policy): def generate(policy): if not policy: return None - policy['new_frr_config'] = render_to_string('frr/policy.frr.tmpl', policy) + policy['new_frr_config'] = render_to_string('frr/policy.frr.j2', policy) return None def apply(policy): diff --git a/src/conf_mode/protocols_bfd.py b/src/conf_mode/protocols_bfd.py index 4ebc0989c..0436abaf9 100755 --- a/src/conf_mode/protocols_bfd.py +++ b/src/conf_mode/protocols_bfd.py @@ -98,7 +98,7 @@ def verify(bfd): def generate(bfd): if not bfd: return None - bfd['new_frr_config'] = render_to_string('frr/bfdd.frr.tmpl', bfd) + bfd['new_frr_config'] = render_to_string('frr/bfdd.frr.j2', bfd) def apply(bfd): bfd_daemon = 'bfdd' diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index dace53d37..cd46cbcb4 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -138,13 +138,20 @@ def verify(bgp): if asn == bgp['local_as']: raise ConfigError('Cannot have local-as same as BGP AS number') + # Neighbor AS specified for local-as and remote-as can not be the same + if dict_search('remote_as', peer_config) == asn: + raise ConfigError(f'Neighbor "{peer}" has local-as specified which is '\ + 'the same as remote-as, this is not allowed!') + # ttl-security and ebgp-multihop can't be used in the same configration if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config: raise ConfigError('You can not set both ebgp-multihop and ttl-security hops') - # Check if neighbor has both override capability and strict capability match configured at the same time. + # Check if neighbor has both override capability and strict capability match + # configured at the same time. if 'override_capability' in peer_config and 'strict_capability_match' in peer_config: - raise ConfigError(f'Neighbor "{peer}" cannot have both override-capability and strict-capability-match configured at the same time!') + raise ConfigError(f'Neighbor "{peer}" cannot have both override-capability and '\ + 'strict-capability-match configured at the same time!') # Check spaces in the password if 'password' in peer_config and ' ' in peer_config['password']: @@ -157,6 +164,22 @@ def verify(bgp): if not verify_remote_as(peer_config, bgp): raise ConfigError(f'Neighbor "{peer}" remote-as must be set!') + # Peer-group member cannot override remote-as of peer-group + if 'peer_group' in peer_config: + peer_group = peer_config['peer_group'] + if 'remote_as' in peer_config and 'remote_as' in bgp['peer_group'][peer_group]: + raise ConfigError(f'Peer-group member "{peer}" cannot override remote-as of peer-group "{peer_group}"!') + if 'interface' in peer_config: + if 'peer_group' in peer_config['interface']: + peer_group = peer_config['interface']['peer_group'] + if 'remote_as' in peer_config['interface'] and 'remote_as' in bgp['peer_group'][peer_group]: + raise ConfigError(f'Peer-group member "{peer}" cannot override remote-as of peer-group "{peer_group}"!') + if 'v6only' in peer_config['interface']: + if 'peer_group' in peer_config['interface']['v6only']: + peer_group = peer_config['interface']['v6only']['peer_group'] + if 'remote_as' in peer_config['interface']['v6only'] and 'remote_as' in bgp['peer_group'][peer_group]: + raise ConfigError(f'Peer-group member "{peer}" cannot override remote-as of peer-group "{peer_group}"!') + # Only checks for ipv4 and ipv6 neighbors # Check if neighbor address is assigned as system interface address vrf = None @@ -297,9 +320,9 @@ def generate(bgp): if not bgp or 'deleted' in bgp: return None - bgp['protocol'] = 'bgp' # required for frr/vrf.route-map.frr.tmpl - bgp['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.tmpl', bgp) - bgp['frr_bgpd_config'] = render_to_string('frr/bgpd.frr.tmpl', bgp) + bgp['protocol'] = 'bgp' # required for frr/vrf.route-map.frr.j2 + bgp['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.j2', bgp) + bgp['frr_bgpd_config'] = render_to_string('frr/bgpd.frr.j2', bgp) return None diff --git a/src/conf_mode/protocols_igmp.py b/src/conf_mode/protocols_igmp.py index 28d560d03..65cc2beba 100755 --- a/src/conf_mode/protocols_igmp.py +++ b/src/conf_mode/protocols_igmp.py @@ -108,7 +108,7 @@ def generate(igmp): if igmp is None: return None - render(config_file, 'frr/igmp.frr.tmpl', igmp) + render(config_file, 'frr/igmp.frr.j2', igmp) return None def apply(igmp): diff --git a/src/conf_mode/protocols_isis.py b/src/conf_mode/protocols_isis.py index f2501e38a..5dafd26d0 100755 --- a/src/conf_mode/protocols_isis.py +++ b/src/conf_mode/protocols_isis.py @@ -210,9 +210,9 @@ def generate(isis): if not isis or 'deleted' in isis: return None - isis['protocol'] = 'isis' # required for frr/vrf.route-map.frr.tmpl - isis['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.tmpl', isis) - isis['frr_isisd_config'] = render_to_string('frr/isisd.frr.tmpl', isis) + isis['protocol'] = 'isis' # required for frr/vrf.route-map.frr.j2 + isis['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.j2', isis) + isis['frr_isisd_config'] = render_to_string('frr/isisd.frr.j2', isis) return None def apply(isis): diff --git a/src/conf_mode/protocols_mpls.py b/src/conf_mode/protocols_mpls.py index 933e23065..5da8e7b06 100755 --- a/src/conf_mode/protocols_mpls.py +++ b/src/conf_mode/protocols_mpls.py @@ -68,7 +68,7 @@ def generate(mpls): if not mpls or 'deleted' in mpls: return None - mpls['frr_ldpd_config'] = render_to_string('frr/ldpd.frr.tmpl', mpls) + mpls['frr_ldpd_config'] = render_to_string('frr/ldpd.frr.j2', mpls) return None def apply(mpls): diff --git a/src/conf_mode/protocols_nhrp.py b/src/conf_mode/protocols_nhrp.py index 7eeb5cd30..92b335085 100755 --- a/src/conf_mode/protocols_nhrp.py +++ b/src/conf_mode/protocols_nhrp.py @@ -84,7 +84,7 @@ def verify(nhrp): return None def generate(nhrp): - render(opennhrp_conf, 'nhrp/opennhrp.conf.tmpl', nhrp) + render(opennhrp_conf, 'nhrp/opennhrp.conf.j2', nhrp) return None def apply(nhrp): @@ -104,7 +104,7 @@ def apply(nhrp): if rule_handle: remove_nftables_rule('ip filter', 'VYOS_FW_OUTPUT', rule_handle) - action = 'restart' if nhrp and 'tunnel' in nhrp else 'stop' + action = 'reload-or-restart' if nhrp and 'tunnel' in nhrp else 'stop' run(f'systemctl {action} opennhrp') return None diff --git a/src/conf_mode/protocols_ospf.py b/src/conf_mode/protocols_ospf.py index 26d491838..5b4874ba2 100755 --- a/src/conf_mode/protocols_ospf.py +++ b/src/conf_mode/protocols_ospf.py @@ -160,7 +160,7 @@ def verify(ospf): route_map_name = dict_search('default_information.originate.route_map', ospf) if route_map_name: verify_route_map(route_map_name, ospf) - # Validate if configured Access-list exists + # Validate if configured Access-list exists if 'area' in ospf: for area, area_config in ospf['area'].items(): if 'import_list' in area_config: @@ -204,9 +204,9 @@ def generate(ospf): if not ospf or 'deleted' in ospf: return None - ospf['protocol'] = 'ospf' # required for frr/vrf.route-map.frr.tmpl - ospf['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.tmpl', ospf) - ospf['frr_ospfd_config'] = render_to_string('frr/ospfd.frr.tmpl', ospf) + ospf['protocol'] = 'ospf' # required for frr/vrf.route-map.frr.j2 + ospf['frr_zebra_config'] = render_to_string('frr/vrf.route-map.frr.j2', ospf) + ospf['frr_ospfd_config'] = render_to_string('frr/ospfd.frr.j2', ospf) return None def apply(ospf): diff --git a/src/conf_mode/protocols_ospfv3.py b/src/conf_mode/protocols_ospfv3.py index f8e733ba5..ee4eaf59d 100755 --- a/src/conf_mode/protocols_ospfv3.py +++ b/src/conf_mode/protocols_ospfv3.py @@ -142,7 +142,7 @@ def generate(ospfv3): if not ospfv3 or 'deleted' in ospfv3: return None - ospfv3['new_frr_config'] = render_to_string('frr/ospf6d.frr.tmpl', ospfv3) + ospfv3['new_frr_config'] = render_to_string('frr/ospf6d.frr.j2', ospfv3) return None def apply(ospfv3): diff --git a/src/conf_mode/protocols_pim.py b/src/conf_mode/protocols_pim.py index df2e6f941..78df9b6f8 100755 --- a/src/conf_mode/protocols_pim.py +++ b/src/conf_mode/protocols_pim.py @@ -135,7 +135,7 @@ def generate(pim): if pim is None: return None - render(config_file, 'frr/pimd.frr.tmpl', pim) + render(config_file, 'frr/pimd.frr.j2', pim) return None def apply(pim): diff --git a/src/conf_mode/protocols_rip.py b/src/conf_mode/protocols_rip.py index 300f56489..a76c1ce76 100755 --- a/src/conf_mode/protocols_rip.py +++ b/src/conf_mode/protocols_rip.py @@ -102,7 +102,7 @@ def generate(rip): if not rip or 'deleted' in rip: return None - rip['new_frr_config'] = render_to_string('frr/ripd.frr.tmpl', rip) + rip['new_frr_config'] = render_to_string('frr/ripd.frr.j2', rip) return None def apply(rip): diff --git a/src/conf_mode/protocols_ripng.py b/src/conf_mode/protocols_ripng.py index d9b8c0b30..21ff710b3 100755 --- a/src/conf_mode/protocols_ripng.py +++ b/src/conf_mode/protocols_ripng.py @@ -93,7 +93,7 @@ def generate(ripng): ripng['new_frr_config'] = '' return None - ripng['new_frr_config'] = render_to_string('frr/ripngd.frr.tmpl', ripng) + ripng['new_frr_config'] = render_to_string('frr/ripngd.frr.j2', ripng) return None def apply(ripng): diff --git a/src/conf_mode/protocols_rpki.py b/src/conf_mode/protocols_rpki.py index 51ad0d315..62ea9c878 100755 --- a/src/conf_mode/protocols_rpki.py +++ b/src/conf_mode/protocols_rpki.py @@ -81,7 +81,7 @@ def verify(rpki): def generate(rpki): if not rpki: return - rpki['new_frr_config'] = render_to_string('frr/rpki.frr.tmpl', rpki) + rpki['new_frr_config'] = render_to_string('frr/rpki.frr.j2', rpki) return None def apply(rpki): diff --git a/src/conf_mode/protocols_static.py b/src/conf_mode/protocols_static.py index f0ec48de4..58e202928 100755 --- a/src/conf_mode/protocols_static.py +++ b/src/conf_mode/protocols_static.py @@ -22,6 +22,7 @@ from sys import argv from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import get_dhcp_interfaces +from vyos.configdict import get_pppoe_interfaces from vyos.configverify import verify_common_route_maps from vyos.configverify import verify_vrf from vyos.template import render_to_string @@ -59,7 +60,9 @@ def get_config(config=None): # T3680 - get a list of all interfaces currently configured to use DHCP tmp = get_dhcp_interfaces(conf, vrf) - if tmp: static['dhcp'] = tmp + if tmp: static.update({'dhcp' : tmp}) + tmp = get_pppoe_interfaces(conf, vrf) + if tmp: static.update({'pppoe' : tmp}) return static @@ -91,7 +94,7 @@ def verify(static): def generate(static): if not static: return None - static['new_frr_config'] = render_to_string('frr/staticd.frr.tmpl', static) + static['new_frr_config'] = render_to_string('frr/staticd.frr.j2', static) return None def apply(static): diff --git a/src/conf_mode/protocols_static_multicast.py b/src/conf_mode/protocols_static_multicast.py index 99157835a..6afdf31f3 100755 --- a/src/conf_mode/protocols_static_multicast.py +++ b/src/conf_mode/protocols_static_multicast.py @@ -96,7 +96,7 @@ def generate(mroute): if mroute is None: return None - render(config_file, 'frr/static_mcast.frr.tmpl', mroute) + render(config_file, 'frr/static_mcast.frr.j2', mroute) return None def apply(mroute): diff --git a/src/conf_mode/salt-minion.py b/src/conf_mode/salt-minion.py index 841bf6a39..00b889a11 100755 --- a/src/conf_mode/salt-minion.py +++ b/src/conf_mode/salt-minion.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018-2020 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -16,14 +16,18 @@ import os -from copy import deepcopy from socket import gethostname from sys import exit from urllib3 import PoolManager +from vyos.base import Warning from vyos.config import Config +from vyos.configdict import dict_merge +from vyos.configverify import verify_interface_exists from vyos.template import render -from vyos.util import call, chown +from vyos.util import call +from vyos.util import chown +from vyos.xml import defaults from vyos import ConfigError from vyos import airbag @@ -32,20 +36,10 @@ airbag.enable() config_file = r'/etc/salt/minion' master_keyfile = r'/opt/vyatta/etc/config/salt/pki/minion/master_sign.pub' -default_config_data = { - 'hash': 'sha256', - 'log_level': 'warning', - 'master' : 'salt', - 'user': 'minion', - 'group': 'vyattacfg', - 'salt_id': gethostname(), - 'mine_interval': '60', - 'verify_master_pubkey_sign': 'false', - 'master_key': '' -} +user='minion' +group='vyattacfg' def get_config(config=None): - salt = deepcopy(default_config_data) if config: conf = config else: @@ -54,44 +48,44 @@ def get_config(config=None): if not conf.exists(base): return None - else: - conf.set_level(base) - if conf.exists(['hash']): - salt['hash'] = conf.return_value(['hash']) + salt = conf.get_config_dict(base, key_mangling=('-', '_'), get_first_key=True) + # ID default is dynamic thus we can not use defaults() + if 'id' not in salt: + salt['id'] = gethostname() + # We have gathered the dict representation of the CLI, but there are default + # options which we need to update into the dictionary retrived. + default_values = defaults(base) + salt = dict_merge(default_values, salt) - if conf.exists(['master']): - salt['master'] = conf.return_values(['master']) - - if conf.exists(['id']): - salt['salt_id'] = conf.return_value(['id']) + if not conf.exists(base): + return None + else: + conf.set_level(base) - if conf.exists(['user']): - salt['user'] = conf.return_value(['user']) + return salt - if conf.exists(['interval']): - salt['interval'] = conf.return_value(['interval']) +def verify(salt): + if not salt: + return None - if conf.exists(['master-key']): - salt['master_key'] = conf.return_value(['master-key']) - salt['verify_master_pubkey_sign'] = 'true' + if 'hash' in salt and salt['hash'] == 'sha1': + Warning('Do not use sha1 hashing algorithm, upgrade to sha256 or later!') - return salt + if 'source_interface' in salt: + verify_interface_exists(salt['source_interface']) -def verify(salt): return None def generate(salt): if not salt: return None - render(config_file, 'salt-minion/minion.tmpl', salt, - user=salt['user'], group=salt['group']) + render(config_file, 'salt-minion/minion.j2', salt, user=user, group=group) if not os.path.exists(master_keyfile): - if salt['master_key']: + if 'master_key' in salt: req = PoolManager().request('GET', salt['master_key'], preload_content=False) - with open(master_keyfile, 'wb') as f: while True: data = req.read(1024) @@ -100,18 +94,19 @@ def generate(salt): f.write(data) req.release_conn() - chown(master_keyfile, salt['user'], salt['group']) + chown(master_keyfile, user, group) return None def apply(salt): + service_name = 'salt-minion.service' if not salt: # Salt removed from running config - call('systemctl stop salt-minion.service') + call(f'systemctl stop {service_name}') if os.path.exists(config_file): os.unlink(config_file) else: - call('systemctl restart salt-minion.service') + call(f'systemctl restart {service_name}') return None diff --git a/src/conf_mode/service_console-server.py b/src/conf_mode/service_console-server.py index 51050e702..a2e411e49 100755 --- a/src/conf_mode/service_console-server.py +++ b/src/conf_mode/service_console-server.py @@ -81,7 +81,7 @@ def generate(proxy): if not proxy: return None - render(config_file, 'conserver/conserver.conf.tmpl', proxy) + render(config_file, 'conserver/conserver.conf.j2', proxy) if 'device' in proxy: for device, device_config in proxy['device'].items(): if 'ssh' not in device_config: @@ -92,7 +92,7 @@ def generate(proxy): 'port' : device_config['ssh']['port'], } render(dropbear_systemd_file.format(**tmp), - 'conserver/dropbear@.service.tmpl', tmp) + 'conserver/dropbear@.service.j2', tmp) return None diff --git a/src/conf_mode/service_ids_fastnetmon.py b/src/conf_mode/service_ids_fastnetmon.py index 67edeb630..ae7e582ec 100755 --- a/src/conf_mode/service_ids_fastnetmon.py +++ b/src/conf_mode/service_ids_fastnetmon.py @@ -67,8 +67,8 @@ def generate(fastnetmon): return - render(config_file, 'ids/fastnetmon.tmpl', fastnetmon) - render(networks_list, 'ids/fastnetmon_networks_list.tmpl', fastnetmon) + render(config_file, 'ids/fastnetmon.j2', fastnetmon) + render(networks_list, 'ids/fastnetmon_networks_list.j2', fastnetmon) return None diff --git a/src/conf_mode/service_ipoe-server.py b/src/conf_mode/service_ipoe-server.py index 2ebee8018..559d1bcd5 100755 --- a/src/conf_mode/service_ipoe-server.py +++ b/src/conf_mode/service_ipoe-server.py @@ -296,10 +296,10 @@ def generate(ipoe): if not ipoe: return None - render(ipoe_conf, 'accel-ppp/ipoe.config.tmpl', ipoe) + render(ipoe_conf, 'accel-ppp/ipoe.config.j2', ipoe) if ipoe['auth_mode'] == 'local': - render(ipoe_chap_secrets, 'accel-ppp/chap-secrets.ipoe.tmpl', ipoe) + render(ipoe_chap_secrets, 'accel-ppp/chap-secrets.ipoe.j2', ipoe) os.chmod(ipoe_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: diff --git a/src/conf_mode/service_mdns-repeater.py b/src/conf_mode/service_mdns-repeater.py index d31a0c49e..2383a53fb 100755 --- a/src/conf_mode/service_mdns-repeater.py +++ b/src/conf_mode/service_mdns-repeater.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2017-2020 VyOS maintainers and contributors +# Copyright (C) 2017-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -92,7 +92,7 @@ def generate(mdns): if len(mdns['interface']) < 2: return None - render(config_file, 'mdns-repeater/avahi-daemon.tmpl', mdns) + render(config_file, 'mdns-repeater/avahi-daemon.j2', mdns) return None def apply(mdns): diff --git a/src/conf_mode/service_monitoring_telegraf.py b/src/conf_mode/service_monitoring_telegraf.py index 8a972b9fe..102a87318 100755 --- a/src/conf_mode/service_monitoring_telegraf.py +++ b/src/conf_mode/service_monitoring_telegraf.py @@ -99,6 +99,15 @@ def get_config(config=None): monitoring['interfaces_ethernet'] = get_interfaces('ethernet', vlan=False) monitoring['nft_chains'] = get_nft_filter_chains() + if 'authentication' in monitoring or \ + 'url' in monitoring: + monitoring['influxdb_configured'] = True + + # Ignore default XML values if config doesn't exists + # Delete key from dict + if not conf.exists(base + ['prometheus-client']): + del monitoring['prometheus_client'] + return monitoring def verify(monitoring): @@ -106,13 +115,23 @@ def verify(monitoring): if not monitoring: return None - if 'authentication' not in monitoring or \ - 'organization' not in monitoring['authentication'] or \ - 'token' not in monitoring['authentication']: - raise ConfigError(f'Authentication "organization and token" are mandatory!') + if 'influxdb_configured' in monitoring: + if 'authentication' not in monitoring or \ + 'organization' not in monitoring['authentication'] or \ + 'token' not in monitoring['authentication']: + raise ConfigError(f'Authentication "organization and token" are mandatory!') + + if 'url' not in monitoring: + raise ConfigError(f'Monitoring "url" is mandatory!') + + # Verify Splunk + if 'splunk' in monitoring: + if 'authentication' not in monitoring['splunk'] or \ + 'token' not in monitoring['splunk']['authentication']: + raise ConfigError(f'Authentication "organization and token" are mandatory!') - if 'url' not in monitoring: - raise ConfigError(f'Monitoring "url" is mandatory!') + if 'url' not in monitoring['splunk']: + raise ConfigError(f'Monitoring splunk "url" is mandatory!') return None @@ -145,10 +164,10 @@ def generate(monitoring): os.mkdir(custom_scripts_dir) # Render telegraf configuration and systemd override - render(config_telegraf, 'monitoring/telegraf.tmpl', monitoring) - render(systemd_telegraf_service, 'monitoring/systemd_vyos_telegraf_service.tmpl', monitoring) - render(systemd_override, 'monitoring/override.conf.tmpl', monitoring, permission=0o640) - render(syslog_telegraf, 'monitoring/syslog_telegraf.tmpl', monitoring) + render(config_telegraf, 'monitoring/telegraf.j2', monitoring) + render(systemd_telegraf_service, 'monitoring/systemd_vyos_telegraf_service.j2', monitoring) + render(systemd_override, 'monitoring/override.conf.j2', monitoring, permission=0o640) + render(syslog_telegraf, 'monitoring/syslog_telegraf.j2', monitoring) chown(base_dir, 'telegraf', 'telegraf') diff --git a/src/conf_mode/service_pppoe-server.py b/src/conf_mode/service_pppoe-server.py index 1f31d132d..6086ef859 100755 --- a/src/conf_mode/service_pppoe-server.py +++ b/src/conf_mode/service_pppoe-server.py @@ -88,10 +88,10 @@ def generate(pppoe): for vlan_range in pppoe['interface'][iface]['vlan_range']: pppoe['interface'][iface]['regex'].append(range_to_regex(vlan_range)) - render(pppoe_conf, 'accel-ppp/pppoe.config.tmpl', pppoe) + render(pppoe_conf, 'accel-ppp/pppoe.config.j2', pppoe) if dict_search('authentication.mode', pppoe) == 'local': - render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.config_dict.tmpl', + render(pppoe_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2', pppoe, permission=0o640) else: if os.path.exists(pppoe_chap_secrets): diff --git a/src/conf_mode/service_router-advert.py b/src/conf_mode/service_router-advert.py index 9afcdd63e..71b758399 100755 --- a/src/conf_mode/service_router-advert.py +++ b/src/conf_mode/service_router-advert.py @@ -101,7 +101,7 @@ def generate(rtradv): if not rtradv: return None - render(config_file, 'router-advert/radvd.conf.tmpl', rtradv, permission=0o644) + render(config_file, 'router-advert/radvd.conf.j2', rtradv, permission=0o644) return None def apply(rtradv): diff --git a/src/conf_mode/service_upnp.py b/src/conf_mode/service_upnp.py index d21b31990..36f3e18a7 100755 --- a/src/conf_mode/service_upnp.py +++ b/src/conf_mode/service_upnp.py @@ -135,7 +135,7 @@ def generate(upnpd): if os.path.isfile(config_file): os.unlink(config_file) - render(config_file, 'firewall/upnpd.conf.tmpl', upnpd) + render(config_file, 'firewall/upnpd.conf.j2', upnpd) def apply(upnpd): systemd_service_name = 'miniupnpd.service' diff --git a/src/conf_mode/service_webproxy.py b/src/conf_mode/service_webproxy.py index a16cc4aeb..32af31bde 100755 --- a/src/conf_mode/service_webproxy.py +++ b/src/conf_mode/service_webproxy.py @@ -61,7 +61,7 @@ def generate_sg_localdb(category, list_type, role, proxy): user=user_group, group=user_group) # temporary config file, deleted after generation - render(sg_tmp_file, 'squid/sg_acl.conf.tmpl', tmp, + render(sg_tmp_file, 'squid/sg_acl.conf.j2', tmp, user=user_group, group=user_group) call(f'su - {user_group} -c "squidGuard -d -c {sg_tmp_file} -C {db_file}"') @@ -166,8 +166,8 @@ def generate(proxy): if not proxy: return None - render(squid_config_file, 'squid/squid.conf.tmpl', proxy) - render(squidguard_config_file, 'squid/squidGuard.conf.tmpl', proxy) + render(squid_config_file, 'squid/squid.conf.j2', proxy) + render(squidguard_config_file, 'squid/squidGuard.conf.j2', proxy) cat_dict = { 'local-block' : 'domains', diff --git a/src/conf_mode/snmp.py b/src/conf_mode/snmp.py index 8ce48780b..ae060580d 100755 --- a/src/conf_mode/snmp.py +++ b/src/conf_mode/snmp.py @@ -18,6 +18,7 @@ import os from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.configverify import verify_vrf @@ -57,9 +58,6 @@ def get_config(config=None): if conf.exists(['service', 'lldp', 'snmp', 'enable']): snmp.update({'lldp_snmp' : ''}) - if conf.exists(['system', 'ipv6', 'disable']): - snmp.update({'ipv6_disabled' : ''}) - if 'deleted' in snmp: return snmp @@ -100,9 +98,8 @@ def get_config(config=None): snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) if '::1' not in snmp['listen_address']: - if 'ipv6_disabled' not in snmp: - tmp = {'::1': {'port': '161'}} - snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) + tmp = {'::1': {'port': '161'}} + snmp['listen_address'] = dict_merge(tmp, snmp['listen_address']) if 'community' in snmp: default_values = defaults(base + ['community']) @@ -153,7 +150,7 @@ def verify(snmp): tmp = extension_opt['script'] if not os.path.isfile(tmp): - print(f'WARNING: script "{tmp}" does not exist!') + Warning(f'script "{tmp}" does not exist!') else: chmod_755(extension_opt['script']) @@ -162,7 +159,7 @@ def verify(snmp): # We only wan't to configure addresses that exist on the system. # Hint the user if they don't exist if not is_addr_assigned(address): - print(f'WARNING: SNMP listen address "{address}" not configured!') + Warning(f'SNMP listen address "{address}" not configured!') if 'trap_target' in snmp: for trap, trap_config in snmp['trap_target'].items(): @@ -273,15 +270,15 @@ def generate(snmp): call(f'/opt/vyatta/sbin/my_delete service snmp v3 user "{user}" privacy plaintext-password > /dev/null') # Write client config file - render(config_file_client, 'snmp/etc.snmp.conf.tmpl', snmp) + render(config_file_client, 'snmp/etc.snmp.conf.j2', snmp) # Write server config file - render(config_file_daemon, 'snmp/etc.snmpd.conf.tmpl', snmp) + render(config_file_daemon, 'snmp/etc.snmpd.conf.j2', snmp) # Write access rights config file - render(config_file_access, 'snmp/usr.snmpd.conf.tmpl', snmp) + render(config_file_access, 'snmp/usr.snmpd.conf.j2', snmp) # Write access rights config file - render(config_file_user, 'snmp/var.snmpd.conf.tmpl', snmp) + render(config_file_user, 'snmp/var.snmpd.conf.j2', snmp) # Write daemon configuration file - render(systemd_override, 'snmp/override.conf.tmpl', snmp) + render(systemd_override, 'snmp/override.conf.j2', snmp) return None diff --git a/src/conf_mode/ssh.py b/src/conf_mode/ssh.py index 67724b043..487e8c229 100755 --- a/src/conf_mode/ssh.py +++ b/src/conf_mode/ssh.py @@ -84,8 +84,8 @@ def generate(ssh): syslog(LOG_INFO, 'SSH ed25519 host key not found, generating new key!') call(f'ssh-keygen -q -N "" -t ed25519 -f {key_ed25519}') - render(config_file, 'ssh/sshd_config.tmpl', ssh) - render(systemd_override, 'ssh/override.conf.tmpl', ssh) + render(config_file, 'ssh/sshd_config.j2', ssh) + render(systemd_override, 'ssh/override.conf.j2', ssh) # Reload systemd manager configuration call('systemctl daemon-reload') diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py index c9c6aa187..c717286ae 100755 --- a/src/conf_mode/system-login.py +++ b/src/conf_mode/system-login.py @@ -197,7 +197,7 @@ def generate(login): pass if 'radius' in login: - render(radius_config_file, 'login/pam_radius_auth.conf.tmpl', login, + render(radius_config_file, 'login/pam_radius_auth.conf.j2', login, permission=0o600, user='root', group='root') else: if os.path.isfile(radius_config_file): @@ -241,7 +241,7 @@ def apply(login): # # XXX: Should we deny using root at all? home_dir = getpwnam(user).pw_dir - render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.tmpl', + render(f'{home_dir}/.ssh/authorized_keys', 'login/authorized_keys.j2', user_config, permission=0o600, formater=lambda _: _.replace(""", '"'), user=user, group='users') diff --git a/src/conf_mode/system-logs.py b/src/conf_mode/system-logs.py index e6296656d..c71938a79 100755 --- a/src/conf_mode/system-logs.py +++ b/src/conf_mode/system-logs.py @@ -57,13 +57,13 @@ def generate(logs_config): logrotate_atop = dict_search('logrotate.atop', logs_config) # generate new config file for atop syslog.debug('Adding logrotate config for atop') - render(logrotate_atop_file, 'logs/logrotate/vyos-atop.tmpl', logrotate_atop) + render(logrotate_atop_file, 'logs/logrotate/vyos-atop.j2', logrotate_atop) # get configuration for logrotate rsyslog logrotate_rsyslog = dict_search('logrotate.messages', logs_config) # generate new config file for rsyslog syslog.debug('Adding logrotate config for rsyslog') - render(logrotate_rsyslog_file, 'logs/logrotate/vyos-rsyslog.tmpl', + render(logrotate_rsyslog_file, 'logs/logrotate/vyos-rsyslog.j2', logrotate_rsyslog) diff --git a/src/conf_mode/system-option.py b/src/conf_mode/system-option.py index b1c63e316..36dbf155b 100755 --- a/src/conf_mode/system-option.py +++ b/src/conf_mode/system-option.py @@ -74,8 +74,8 @@ def verify(options): return None def generate(options): - render(curlrc_config, 'system/curlrc.tmpl', options) - render(ssh_config, 'system/ssh_config.tmpl', options) + render(curlrc_config, 'system/curlrc.j2', options) + render(ssh_config, 'system/ssh_config.j2', options) return None def apply(options): diff --git a/src/conf_mode/system-proxy.py b/src/conf_mode/system-proxy.py index 02536c2ab..079c43e7e 100755 --- a/src/conf_mode/system-proxy.py +++ b/src/conf_mode/system-proxy.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2018 VyOS maintainers and contributors +# Copyright (C) 2018-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -13,83 +13,59 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. -# -# -import sys import os -import re -from vyos import ConfigError -from vyos.config import Config +from sys import exit +from vyos.config import Config +from vyos.template import render +from vyos import ConfigError from vyos import airbag airbag.enable() proxy_def = r'/etc/profile.d/vyos-system-proxy.sh' - -def get_config(): - c = Config() - if not c.exists('system proxy'): +def get_config(config=None): + if config: + conf = config + else: + conf = Config() + base = ['system', 'proxy'] + if not conf.exists(base): return None - c.set_level('system proxy') + proxy = conf.get_config_dict(base, get_first_key=True) + return proxy - cnf = { - 'url': None, - 'port': None, - 'usr': None, - 'passwd': None - } +def verify(proxy): + if not proxy: + return - if c.exists('url'): - cnf['url'] = c.return_value('url') - if c.exists('port'): - cnf['port'] = c.return_value('port') - if c.exists('username'): - cnf['usr'] = c.return_value('username') - if c.exists('password'): - cnf['passwd'] = c.return_value('password') + if 'url' not in proxy or 'port' not in proxy: + raise ConfigError('Proxy URL and port require a value') - return cnf + if ('username' in proxy and 'password' not in proxy) or \ + ('username' not in proxy and 'password' in proxy): + raise ConfigError('Both username and password need to be defined!') +def generate(proxy): + if not proxy: + if os.path.isfile(proxy_def): + os.unlink(proxy_def) + return -def verify(c): - if not c: - return None - if not c['url'] or not c['port']: - raise ConfigError("proxy url and port requires a value") - elif c['usr'] and not c['passwd']: - raise ConfigError("proxy password requires a value") - elif not c['usr'] and c['passwd']: - raise ConfigError("proxy username requires a value") - + render(proxy_def, 'system/proxy.j2', proxy, permission=0o755) -def generate(c): - if not c: - return None - if not c['usr']: - return str("export http_proxy={url}:{port}\nexport https_proxy=$http_proxy\nexport ftp_proxy=$http_proxy" - .format(url=c['url'], port=c['port'])) - else: - return str("export http_proxy=http://{usr}:{passwd}@{url}:{port}\nexport https_proxy=$http_proxy\nexport ftp_proxy=$http_proxy" - .format(url=re.sub('http://', '', c['url']), port=c['port'], usr=c['usr'], passwd=c['passwd'])) - - -def apply(ln): - if not ln and os.path.exists(proxy_def): - os.remove(proxy_def) - else: - open(proxy_def, 'w').write( - "# generated by system-proxy.py\n{}\n".format(ln)) +def apply(proxy): + pass if __name__ == '__main__': try: c = get_config() verify(c) - ln = generate(c) - apply(ln) + generate(c) + apply(c) except ConfigError as e: print(e) - sys.exit(1) + exit(1) diff --git a/src/conf_mode/system-syslog.py b/src/conf_mode/system-syslog.py index 309b4bdb0..a9d3bbe31 100755 --- a/src/conf_mode/system-syslog.py +++ b/src/conf_mode/system-syslog.py @@ -204,7 +204,7 @@ def generate(c): return None conf = '/etc/rsyslog.d/vyos-rsyslog.conf' - render(conf, 'syslog/rsyslog.conf.tmpl', c) + render(conf, 'syslog/rsyslog.conf.j2', c) # cleanup current logrotate config files logrotate_files = Path('/etc/logrotate.d/').glob('vyos-rsyslog-generated-*') @@ -216,7 +216,7 @@ def generate(c): for filename, fileconfig in c.get('files', {}).items(): if fileconfig['log-file'].startswith('/var/log/user/'): conf = '/etc/logrotate.d/vyos-rsyslog-generated-' + filename - render(conf, 'syslog/logrotate.tmpl', { 'config_render': fileconfig }) + render(conf, 'syslog/logrotate.j2', { 'config_render': fileconfig }) def verify(c): diff --git a/src/conf_mode/system_console.py b/src/conf_mode/system_console.py index 19b252513..86985d765 100755 --- a/src/conf_mode/system_console.py +++ b/src/conf_mode/system_console.py @@ -103,7 +103,7 @@ def generate(console): config_file = base_dir + f'/serial-getty@{device}.service' getty_wants_symlink = base_dir + f'/getty.target.wants/serial-getty@{device}.service' - render(config_file, 'getty/serial-getty.service.tmpl', device_config) + render(config_file, 'getty/serial-getty.service.j2', device_config) os.symlink(config_file, getty_wants_symlink) # GRUB diff --git a/src/conf_mode/system_lcd.py b/src/conf_mode/system_lcd.py index b5ce32beb..3341dd738 100755 --- a/src/conf_mode/system_lcd.py +++ b/src/conf_mode/system_lcd.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright 2020 VyOS maintainers and contributors <maintainers@vyos.io> +# Copyright 2020-2022 VyOS maintainers and contributors <maintainers@vyos.io> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -61,9 +61,9 @@ def generate(lcd): lcd['device'] = find_device_file(lcd['device']) # Render config file for daemon LCDd - render(lcdd_conf, 'lcd/LCDd.conf.tmpl', lcd) + render(lcdd_conf, 'lcd/LCDd.conf.j2', lcd) # Render config file for client lcdproc - render(lcdproc_conf, 'lcd/lcdproc.conf.tmpl', lcd) + render(lcdproc_conf, 'lcd/lcdproc.conf.j2', lcd) return None diff --git a/src/conf_mode/system_sysctl.py b/src/conf_mode/system_sysctl.py index 4f16d1ed6..2e0004ffa 100755 --- a/src/conf_mode/system_sysctl.py +++ b/src/conf_mode/system_sysctl.py @@ -50,7 +50,7 @@ def generate(sysctl): os.unlink(config_file) return None - render(config_file, 'system/sysctl.conf.tmpl', sysctl) + render(config_file, 'system/sysctl.conf.j2', sysctl) return None def apply(sysctl): diff --git a/src/conf_mode/tftp_server.py b/src/conf_mode/tftp_server.py index ef726670c..c5daccb7f 100755 --- a/src/conf_mode/tftp_server.py +++ b/src/conf_mode/tftp_server.py @@ -22,6 +22,7 @@ from copy import deepcopy from glob import glob from sys import exit +from vyos.base import Warning from vyos.config import Config from vyos.configdict import dict_merge from vyos.configverify import verify_vrf @@ -68,8 +69,8 @@ def verify(tftpd): for address, address_config in tftpd['listen_address'].items(): if not is_addr_assigned(address): - print(f'WARNING: TFTP server listen address "{address}" not ' \ - 'assigned to any interface!') + Warning(f'TFTP server listen address "{address}" not ' \ + 'assigned to any interface!') verify_vrf(address_config) return None @@ -97,7 +98,7 @@ def generate(tftpd): config['vrf'] = address_config['vrf'] file = config_file + str(idx) - render(file, 'tftp-server/default.tmpl', config) + render(file, 'tftp-server/default.j2', config) idx = idx + 1 return None diff --git a/src/conf_mode/vpn_ipsec.py b/src/conf_mode/vpn_ipsec.py index 99b82ca2d..bad9cfbd8 100755 --- a/src/conf_mode/vpn_ipsec.py +++ b/src/conf_mode/vpn_ipsec.py @@ -503,7 +503,7 @@ def generate(ipsec): charon_radius_conf, interface_conf, swanctl_conf]: if os.path.isfile(config_file): os.unlink(config_file) - render(charon_conf, 'ipsec/charon.tmpl', {'install_routes': default_install_routes}) + render(charon_conf, 'ipsec/charon.j2', {'install_routes': default_install_routes}) return if ipsec['dhcp_no_address']: @@ -553,25 +553,27 @@ def generate(ipsec): if not local_prefixes or not remote_prefixes: continue - passthrough = [] + passthrough = None for local_prefix in local_prefixes: for remote_prefix in remote_prefixes: local_net = ipaddress.ip_network(local_prefix) remote_net = ipaddress.ip_network(remote_prefix) if local_net.overlaps(remote_net): + if passthrough is None: + passthrough = [] passthrough.append(local_prefix) ipsec['site_to_site']['peer'][peer]['tunnel'][tunnel]['passthrough'] = passthrough - render(ipsec_conf, 'ipsec/ipsec.conf.tmpl', ipsec) - render(ipsec_secrets, 'ipsec/ipsec.secrets.tmpl', ipsec) - render(charon_conf, 'ipsec/charon.tmpl', ipsec) - render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.tmpl', ipsec) - render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.tmpl', ipsec) - render(interface_conf, 'ipsec/interfaces_use.conf.tmpl', ipsec) - render(swanctl_conf, 'ipsec/swanctl.conf.tmpl', ipsec) + render(ipsec_conf, 'ipsec/ipsec.conf.j2', ipsec) + render(ipsec_secrets, 'ipsec/ipsec.secrets.j2', ipsec) + render(charon_conf, 'ipsec/charon.j2', ipsec) + render(charon_dhcp_conf, 'ipsec/charon/dhcp.conf.j2', ipsec) + render(charon_radius_conf, 'ipsec/charon/eap-radius.conf.j2', ipsec) + render(interface_conf, 'ipsec/interfaces_use.conf.j2', ipsec) + render(swanctl_conf, 'ipsec/swanctl.conf.j2', ipsec) def resync_nhrp(ipsec): if ipsec and not ipsec['nhrp_exists']: diff --git a/src/conf_mode/vpn_l2tp.py b/src/conf_mode/vpn_l2tp.py index 818e8fa0b..fd5a4acd8 100755 --- a/src/conf_mode/vpn_l2tp.py +++ b/src/conf_mode/vpn_l2tp.py @@ -358,10 +358,10 @@ def generate(l2tp): if not l2tp: return None - render(l2tp_conf, 'accel-ppp/l2tp.config.tmpl', l2tp) + render(l2tp_conf, 'accel-ppp/l2tp.config.j2', l2tp) if l2tp['auth_mode'] == 'local': - render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', l2tp) + render(l2tp_chap_secrets, 'accel-ppp/chap-secrets.j2', l2tp) os.chmod(l2tp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: diff --git a/src/conf_mode/vpn_openconnect.py b/src/conf_mode/vpn_openconnect.py index 51ea1f223..8e0e30bbf 100755 --- a/src/conf_mode/vpn_openconnect.py +++ b/src/conf_mode/vpn_openconnect.py @@ -24,6 +24,7 @@ from vyos.pki import wrap_private_key from vyos.template import render from vyos.util import call from vyos.util import is_systemd_service_running +from vyos.util import dict_search from vyos.xml import defaults from vyos import ConfigError from crypt import crypt, mksalt, METHOD_SHA512 @@ -35,6 +36,7 @@ airbag.enable() cfg_dir = '/run/ocserv' ocserv_conf = cfg_dir + '/ocserv.conf' ocserv_passwd = cfg_dir + '/ocpasswd' +ocserv_otp_usr = cfg_dir + '/users.oath' radius_cfg = cfg_dir + '/radiusclient.conf' radius_servers = cfg_dir + '/radius_servers' @@ -54,6 +56,16 @@ def get_config(): default_values = defaults(base) ocserv = dict_merge(default_values, ocserv) + # workaround a "know limitation" - https://phabricator.vyos.net/T2665 + del ocserv['authentication']['local_users']['username']['otp'] + if not ocserv["authentication"]["local_users"]["username"]: + raise ConfigError('openconnect mode local required at least one user') + default_ocserv_usr_values = default_values['authentication']['local_users']['username']['otp'] + for user, params in ocserv['authentication']['local_users']['username'].items(): + # Not every configuration requires OTP settings + if ocserv['authentication']['local_users']['username'][user].get('otp'): + ocserv['authentication']['local_users']['username'][user]['otp'] = dict_merge(default_ocserv_usr_values, ocserv['authentication']['local_users']['username'][user]['otp']) + if ocserv: ocserv['pki'] = conf.get_config_dict(['pki'], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) @@ -63,17 +75,34 @@ def get_config(): def verify(ocserv): if ocserv is None: return None - # Check authentication if "authentication" in ocserv: if "mode" in ocserv["authentication"]: if "local" in ocserv["authentication"]["mode"]: - if not ocserv["authentication"]["local_users"] or not ocserv["authentication"]["local_users"]["username"]: - raise ConfigError('openconnect mode local required at leat one user') + if "radius" in ocserv["authentication"]["mode"]: + raise ConfigError('OpenConnect authentication modes are mutually-exclusive, remove either local or radius from your configuration') + if not ocserv["authentication"]["local_users"]: + raise ConfigError('openconnect mode local required at least one user') + if not ocserv["authentication"]["local_users"]["username"]: + raise ConfigError('openconnect mode local required at least one user') else: - for user in ocserv["authentication"]["local_users"]["username"]: - if not "password" in ocserv["authentication"]["local_users"]["username"][user]: - raise ConfigError(f'password required for user {user}') + # For OTP mode: verify that each local user has an OTP key + if "otp" in ocserv["authentication"]["mode"]["local"]: + users_wo_key = [] + for user, user_config in ocserv["authentication"]["local_users"]["username"].items(): + # User has no OTP key defined + if dict_search('otp.key', user_config) == None: + users_wo_key.append(user) + if users_wo_key: + raise ConfigError(f'OTP enabled, but no OTP key is configured for these users:\n{users_wo_key}') + # For password (and default) mode: verify that each local user has password + if "password" in ocserv["authentication"]["mode"]["local"] or "otp" not in ocserv["authentication"]["mode"]["local"]: + users_wo_pswd = [] + for user in ocserv["authentication"]["local_users"]["username"]: + if not "password" in ocserv["authentication"]["local_users"]["username"][user]: + users_wo_pswd.append(user) + if users_wo_pswd: + raise ConfigError(f'password required for users:\n{users_wo_pswd}') else: raise ConfigError('openconnect authentication mode required') else: @@ -122,22 +151,57 @@ def verify(ocserv): else: raise ConfigError('openconnect network settings required') - def generate(ocserv): if not ocserv: return None if "radius" in ocserv["authentication"]["mode"]: # Render radius client configuration - render(radius_cfg, 'ocserv/radius_conf.tmpl', ocserv["authentication"]["radius"]) + render(radius_cfg, 'ocserv/radius_conf.j2', ocserv["authentication"]["radius"]) # Render radius servers - render(radius_servers, 'ocserv/radius_servers.tmpl', ocserv["authentication"]["radius"]) + render(radius_servers, 'ocserv/radius_servers.j2', ocserv["authentication"]["radius"]) + elif "local" in ocserv["authentication"]["mode"]: + # if mode "OTP", generate OTP users file parameters + if "otp" in ocserv["authentication"]["mode"]["local"]: + if "local_users" in ocserv["authentication"]: + for user in ocserv["authentication"]["local_users"]["username"]: + # OTP token type from CLI parameters: + otp_interval = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("interval")) + token_type = ocserv["authentication"]["local_users"]["username"][user]["otp"].get("token_type") + otp_length = str(ocserv["authentication"]["local_users"]["username"][user]["otp"].get("otp_length")) + if token_type == "hotp-time": + otp_type = "HOTP/T" + otp_interval + elif token_type == "hotp-event": + otp_type = "HOTP/E" + else: + otp_type = "HOTP/T" + otp_interval + ocserv["authentication"]["local_users"]["username"][user]["otp"]["token_tmpl"] = otp_type + "/" + otp_length + # if there is a password, generate hash + if "password" in ocserv["authentication"]["mode"]["local"] or not "otp" in ocserv["authentication"]["mode"]["local"]: + if "local_users" in ocserv["authentication"]: + for user in ocserv["authentication"]["local_users"]["username"]: + ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"]) + + if "password-otp" in ocserv["authentication"]["mode"]["local"]: + # Render local users ocpasswd + render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"]) + # Render local users OTP keys + render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"]) + elif "password" in ocserv["authentication"]["mode"]["local"]: + # Render local users ocpasswd + render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"]) + elif "otp" in ocserv["authentication"]["mode"]["local"]: + # Render local users OTP keys + render(ocserv_otp_usr, 'ocserv/ocserv_otp_usr.j2', ocserv["authentication"]["local_users"]) + else: + # Render local users ocpasswd + render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"]) else: if "local_users" in ocserv["authentication"]: for user in ocserv["authentication"]["local_users"]["username"]: ocserv["authentication"]["local_users"]["username"][user]["hash"] = get_hash(ocserv["authentication"]["local_users"]["username"][user]["password"]) # Render local users - render(ocserv_passwd, 'ocserv/ocserv_passwd.tmpl', ocserv["authentication"]["local_users"]) + render(ocserv_passwd, 'ocserv/ocserv_passwd.j2', ocserv["authentication"]["local_users"]) if "ssl" in ocserv: cert_file_path = os.path.join(cfg_dir, 'cert.pem') @@ -163,13 +227,13 @@ def generate(ocserv): f.write(wrap_certificate(pki_ca_cert['certificate'])) # Render config - render(ocserv_conf, 'ocserv/ocserv_config.tmpl', ocserv) + render(ocserv_conf, 'ocserv/ocserv_config.j2', ocserv) def apply(ocserv): if not ocserv: call('systemctl stop ocserv.service') - for file in [ocserv_conf, ocserv_passwd]: + for file in [ocserv_conf, ocserv_passwd, ocserv_otp_usr]: if os.path.exists(file): os.unlink(file) else: diff --git a/src/conf_mode/vpn_pptp.py b/src/conf_mode/vpn_pptp.py index 30abe4782..7550c411e 100755 --- a/src/conf_mode/vpn_pptp.py +++ b/src/conf_mode/vpn_pptp.py @@ -264,10 +264,10 @@ def generate(pptp): if not pptp: return None - render(pptp_conf, 'accel-ppp/pptp.config.tmpl', pptp) + render(pptp_conf, 'accel-ppp/pptp.config.j2', pptp) if pptp['local_users']: - render(pptp_chap_secrets, 'accel-ppp/chap-secrets.tmpl', pptp) + render(pptp_chap_secrets, 'accel-ppp/chap-secrets.j2', pptp) os.chmod(pptp_chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP) else: if os.path.exists(pptp_chap_secrets): diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 68980e5ab..db53463cf 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -114,7 +114,7 @@ def generate(sstp): return None # accel-cmd reload doesn't work so any change results in a restart of the daemon - render(sstp_conf, 'accel-ppp/sstp.config.tmpl', sstp) + render(sstp_conf, 'accel-ppp/sstp.config.j2', sstp) cert_name = sstp['ssl']['certificate'] pki_cert = sstp['pki']['certificate'][cert_name] @@ -127,7 +127,7 @@ def generate(sstp): write_file(ca_cert_file_path, wrap_certificate(pki_ca['certificate'])) if dict_search('authentication.mode', sstp) == 'local': - render(sstp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.tmpl', + render(sstp_chap_secrets, 'accel-ppp/chap-secrets.config_dict.j2', sstp, permission=0o640) else: if os.path.exists(sstp_chap_secrets): diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index f79c8a21e..972d0289b 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -83,7 +83,8 @@ def get_config(config=None): conf = Config() base = ['vrf'] - vrf = conf.get_config_dict(base, get_first_key=True) + vrf = conf.get_config_dict(base, key_mangling=('-', '_'), + no_tag_node_value_mangle=True, get_first_key=True) # determine which VRF has been removed for name in node_changed(conf, base + ['name']): @@ -133,10 +134,10 @@ def verify(vrf): def generate(vrf): - render(config_file, 'vrf/vrf.conf.tmpl', vrf) + render(config_file, 'vrf/vrf.conf.j2', vrf) # Render nftables zones config - render(nft_vrf_config, 'firewall/nftables-vrf-zones.tmpl', vrf) + render(nft_vrf_config, 'firewall/nftables-vrf-zones.j2', vrf) return None @@ -152,7 +153,7 @@ def apply(vrf): # set the default VRF global behaviour bind_all = '0' - if 'bind-to-all' in vrf: + if 'bind_to_all' in vrf: bind_all = '1' sysctl_write('net.ipv4.tcp_l3mdev_accept', bind_all) sysctl_write('net.ipv4.udp_l3mdev_accept', bind_all) @@ -222,6 +223,15 @@ def apply(vrf): # add VRF description if available vrf_if.set_alias(config.get('description', '')) + # Enable/Disable IPv4 forwarding + tmp = dict_search('ip.disable_forwarding', config) + value = '0' if (tmp != None) else '1' + vrf_if.set_ipv4_forwarding(value) + # Enable/Disable IPv6 forwarding + tmp = dict_search('ipv6.disable_forwarding', config) + value = '0' if (tmp != None) else '1' + vrf_if.set_ipv6_forwarding(value) + # Enable/Disable of an interface must always be done at the end of the # derived class to make use of the ref-counting set_admin_state() # function. We will only enable the interface if 'up' was called as diff --git a/src/conf_mode/vrf_vni.py b/src/conf_mode/vrf_vni.py index 1a7bd1f09..585fdbebf 100755 --- a/src/conf_mode/vrf_vni.py +++ b/src/conf_mode/vrf_vni.py @@ -40,7 +40,7 @@ def verify(vrf): return None def generate(vrf): - vrf['new_frr_config'] = render_to_string('frr/vrf-vni.frr.tmpl', vrf) + vrf['new_frr_config'] = render_to_string('frr/vrf-vni.frr.j2', vrf) return None def apply(vrf): diff --git a/src/conf_mode/zone_policy.py b/src/conf_mode/zone_policy.py index dc0617353..070a4deea 100755 --- a/src/conf_mode/zone_policy.py +++ b/src/conf_mode/zone_policy.py @@ -192,7 +192,7 @@ def generate(zone_policy): if 'local_zone' in zone_conf: zone_conf['from_local'] = get_local_from(data, zone) - render(nftables_conf, 'zone_policy/nftables.tmpl', data) + render(nftables_conf, 'zone_policy/nftables.j2', data) return None def apply(zone_policy): diff --git a/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback b/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback index bb918a468..fa1917ab1 100755 --- a/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback +++ b/src/etc/ppp/ip-up.d/99-vyos-pppoe-callback @@ -1,6 +1,6 @@ #!/usr/bin/env python3 # -# Copyright (C) 2021 VyOS maintainers and contributors +# Copyright (C) 2021-2022 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as @@ -23,14 +23,9 @@ from sys import argv from sys import exit -from syslog import syslog -from syslog import openlog -from syslog import LOG_PID -from syslog import LOG_INFO - from vyos.configquery import ConfigTreeQuery +from vyos.configdict import get_interface_dict from vyos.ifconfig import PPPoEIf -from vyos.util import read_file # When the ppp link comes up, this script is called with the following # parameters @@ -45,15 +40,10 @@ if (len(argv) < 7): exit(1) interface = argv[6] -dialer_pid = read_file(f'/var/run/{interface}.pid') - -openlog(ident=f'pppd[{dialer_pid}]', facility=LOG_INFO) -syslog('executing ' + argv[0]) conf = ConfigTreeQuery() -pppoe = conf.get_config_dict(['interfaces', 'pppoe', argv[6]], - get_first_key=True, key_mangling=('-', '_')) -pppoe['ifname'] = argv[6] +_, pppoe = get_interface_dict(conf.config, ['interfaces', 'pppoe'], interface) -p = PPPoEIf(pppoe['ifname']) +# Update the config +p = PPPoEIf(interface) p.update(pppoe) diff --git a/src/migration-scripts/interfaces/25-to-26 b/src/migration-scripts/interfaces/25-to-26 new file mode 100755 index 000000000..a8936235e --- /dev/null +++ b/src/migration-scripts/interfaces/25-to-26 @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# T4384: pppoe: replace default-route CLI option with common CLI nodes already +# present for DHCP + +from sys import argv + +from vyos.ethtool import Ethtool +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['interfaces', 'pppoe'] +config = ConfigTree(config_file) + +if not config.exists(base): + exit(0) + +for ifname in config.list_nodes(base): + tmp_config = base + [ifname, 'default-route'] + if config.exists(tmp_config): + # Retrieve current config value + value = config.return_value(tmp_config) + # Delete old Config node + config.delete(tmp_config) + if value == 'none': + config.set(base + [ifname, 'no-default-route']) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print(f'Failed to save the modified config: {e}') + exit(1) diff --git a/src/migration-scripts/openconnect/1-to-2 b/src/migration-scripts/openconnect/1-to-2 new file mode 100755 index 000000000..7031fb252 --- /dev/null +++ b/src/migration-scripts/openconnect/1-to-2 @@ -0,0 +1,54 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# Delete depricated outside-nexthop address + +import sys + +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +cfg_base = ['vpn', 'openconnect'] + +if not config.exists(cfg_base): + # Nothing to do + sys.exit(0) +else: + if config.exists(cfg_base + ['authentication', 'mode']): + if config.return_value(cfg_base + ['authentication', 'mode']) == 'radius': + # if "mode value radius", change to "tag node mode + valueless node radius" + config.delete(cfg_base + ['authentication','mode', 'radius']) + config.set(cfg_base + ['authentication', 'mode', 'radius'], value=None, replace=True) + elif not config.exists(cfg_base + ['authentication', 'mode', 'local']): + # if "mode local", change to "tag node mode + node local value password" + config.delete(cfg_base + ['authentication', 'mode', 'local']) + config.set(cfg_base + ['authentication', 'mode', 'local'], value='password', replace=True) + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) diff --git a/src/migration-scripts/quagga/9-to-10 b/src/migration-scripts/quagga/9-to-10 new file mode 100755 index 000000000..249738822 --- /dev/null +++ b/src/migration-scripts/quagga/9-to-10 @@ -0,0 +1,62 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +# re-organize route-map as-path + +from sys import argv +from sys import exit + +from vyos.configtree import ConfigTree + +if (len(argv) < 2): + print("Must specify file name!") + exit(1) + +file_name = argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['policy', 'route-map'] + +config = ConfigTree(config_file) +if not config.exists(base): + # Nothing to do + exit(0) + +for route_map in config.list_nodes(base): + # Bail out Early + if not config.exists(base + [route_map, 'rule']): + continue + + for rule in config.list_nodes(base + [route_map, 'rule']): + rule_base = base + [route_map, 'rule', rule] + if config.exists(rule_base + ['set', 'as-path-exclude']): + tmp = config.return_value(rule_base + ['set', 'as-path-exclude']) + config.delete(rule_base + ['set', 'as-path-exclude']) + config.set(rule_base + ['set', 'as-path', 'exclude'], value=tmp) + + if config.exists(rule_base + ['set', 'as-path-prepend']): + tmp = config.return_value(rule_base + ['set', 'as-path-prepend']) + config.delete(rule_base + ['set', 'as-path-prepend']) + config.set(rule_base + ['set', 'as-path', 'prepend'], value=tmp) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print("Failed to save the modified config: {}".format(e)) + exit(1) diff --git a/src/migration-scripts/system/23-to-24 b/src/migration-scripts/system/23-to-24 new file mode 100755 index 000000000..5ea71d51a --- /dev/null +++ b/src/migration-scripts/system/23-to-24 @@ -0,0 +1,85 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from ipaddress import ip_interface +from ipaddress import ip_address +from sys import exit, argv +from vyos.configtree import ConfigTree + +if (len(argv) < 1): + print("Must specify file name!") + exit(1) + +file_name = argv[1] +with open(file_name, 'r') as f: + config_file = f.read() + +base = ['protocols', 'static', 'arp'] +tmp_base = ['protocols', 'static', 'arp-tmp'] +config = ConfigTree(config_file) + +def fixup_cli(config, path, interface): + if config.exists(path + ['address']): + for address in config.return_values(path + ['address']): + tmp = ip_interface(address) + if ip_address(host) in tmp.network.hosts(): + mac = config.return_value(tmp_base + [host, 'hwaddr']) + iface_path = ['protocols', 'static', 'arp', 'interface'] + config.set(iface_path + [interface, 'address', host, 'mac'], value=mac) + config.set_tag(iface_path) + config.set_tag(iface_path + [interface, 'address']) + continue + +if not config.exists(base): + # Nothing to do + exit(0) + +# We need a temporary copy of the config tree as the original one needs to be +# deleted first due to a change iun thge tagNode structure. +config.copy(base, tmp_base) +config.delete(base) + +for host in config.list_nodes(tmp_base): + for type in config.list_nodes(['interfaces']): + for interface in config.list_nodes(['interfaces', type]): + if_base = ['interfaces', type, interface] + fixup_cli(config, if_base, interface) + + if config.exists(if_base + ['vif']): + for vif in config.list_nodes(if_base + ['vif']): + vif_base = ['interfaces', type, interface, 'vif', vif] + fixup_cli(config, vif_base, f'{interface}.{vif}') + + if config.exists(if_base + ['vif-s']): + for vif_s in config.list_nodes(if_base + ['vif-s']): + vif_s_base = ['interfaces', type, interface, 'vif-s', vif_s] + fixup_cli(config, vif_s_base, f'{interface}.{vif_s}') + + if config.exists(if_base + ['vif-s', vif_s, 'vif-c']): + for vif_c in config.list_nodes(if_base + ['vif-s', vif_s, 'vif-c']): + vif_c_base = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c', vif_c] + fixup_cli(config, vif_c_base, f'{interface}.{vif_s}.{vif_c}') + +config.delete(tmp_base) + +try: + with open(file_name, 'w') as f: + f.write(config.to_string()) +except OSError as e: + print(f'Failed to save the modified config: {e}') + exit(1) diff --git a/src/op_mode/conntrack_sync.py b/src/op_mode/conntrack_sync.py index 89f6df4b9..e45c38f07 100755 --- a/src/op_mode/conntrack_sync.py +++ b/src/op_mode/conntrack_sync.py @@ -77,7 +77,7 @@ def xml_to_stdout(xml): parsed = xmltodict.parse(line) out.append(parsed) - print(render_to_string('conntrackd/conntrackd.op-mode.tmpl', {'data' : out})) + print(render_to_string('conntrackd/conntrackd.op-mode.j2', {'data' : out})) if __name__ == '__main__': args = parser.parse_args() diff --git a/src/op_mode/containers_op.py b/src/op_mode/containers_op.py deleted file mode 100755 index bc317029c..000000000 --- a/src/op_mode/containers_op.py +++ /dev/null @@ -1,78 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2021 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -import argparse - -from getpass import getuser -from vyos.configquery import ConfigTreeQuery -from vyos.util import cmd - -parser = argparse.ArgumentParser() -parser.add_argument("-a", "--all", action="store_true", help="Show all containers") -parser.add_argument("-i", "--image", action="store_true", help="Show container images") -parser.add_argument("-n", "--networks", action="store_true", help="Show container images") -parser.add_argument("-p", "--pull", action="store", help="Pull image for container") -parser.add_argument("-d", "--remove", action="store", help="Delete container image") -parser.add_argument("-u", "--update", action="store", help="Update given container image") - -config = ConfigTreeQuery() -base = ['container'] -if not config.exists(base): - print('Containers not configured') - exit(0) - -if getuser() != 'root': - raise OSError('This functions needs to be run as root to return correct results!') - -if __name__ == '__main__': - args = parser.parse_args() - - if args.all: - print(cmd('podman ps --all')) - - elif args.image: - print(cmd('podman image ls')) - - elif args.networks: - print(cmd('podman network ls')) - - elif args.pull: - image = args.pull - try: - print(cmd(f'podman image pull {image}')) - except: - print(f'Can\'t find or download image "{image}"') - - elif args.remove: - image = args.remove - try: - print(cmd(f'podman image rm {image}')) - except: - print(f'Can\'t delete image "{image}"') - - elif args.update: - tmp = config.get_config_dict(base + ['name', args.update], - key_mangling=('-', '_'), get_first_key=True) - try: - image = tmp['image'] - print(cmd(f'podman image pull {image}')) - except: - print(f'Can\'t find or download image "{image}"') - else: - parser.print_help() - exit(1) - - exit(0) diff --git a/src/op_mode/generate_openconnect_otp_key.py b/src/op_mode/generate_openconnect_otp_key.py new file mode 100755 index 000000000..363bcf3ea --- /dev/null +++ b/src/op_mode/generate_openconnect_otp_key.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import argparse +import os + +from vyos.util import popen +from secrets import token_hex +from base64 import b32encode + +if os.geteuid() != 0: + exit("You need to have root privileges to run this script.\nPlease try again, this time using 'sudo'. Exiting.") + +if __name__ == '__main__': + parser = argparse.ArgumentParser() + parser.add_argument("-u", "--username", type=str, help='Username used for authentication', required=True) + parser.add_argument("-i", "--interval", type=str, help='Duration of single time interval', default="30", required=False) + parser.add_argument("-d", "--digits", type=str, help='The number of digits in the one-time password', default="6", required=False) + args = parser.parse_args() + + hostname = os.uname()[1] + username = args.username + digits = args.digits + period = args.interval + + # check variables: + if int(digits) < 6 or int(digits) > 8: + print("") + quit("The number of digits in the one-time password must be between '6' and '8'") + + if int(period) < 5 or int(period) > 86400: + print("") + quit("Time token interval must be between '5' and '86400' seconds") + + # generate OTP key, URL & QR: + key_hex = token_hex(20) + key_base32 = b32encode(bytes.fromhex(key_hex)).decode() + + otp_url=''.join(["otpauth://totp/",username,"@",hostname,"?secret=",key_base32,"&digits=",digits,"&period=",period]) + qrcode,err = popen('qrencode -t ansiutf8', input=otp_url) + + print("# You can share it with the user, he just needs to scan the QR in his OTP app") + print("# username: ", username) + print("# OTP KEY: ", key_base32) + print("# OTP URL: ", otp_url) + print(qrcode) + print('# To add this OTP key to configuration, run the following commands:') + print(f"set vpn openconnect authentication local-users username {username} otp key '{key_hex}'") + if period != "30": + print(f"set vpn openconnect authentication local-users username {username} otp interval '{period}'") + if digits != "6": + print(f"set vpn openconnect authentication local-users username {username} otp otp-length '{digits}'") diff --git a/src/op_mode/generate_ovpn_client_file.py b/src/op_mode/generate_ovpn_client_file.py index 29db41e37..0628e6135 100755 --- a/src/op_mode/generate_ovpn_client_file.py +++ b/src/op_mode/generate_ovpn_client_file.py @@ -18,6 +18,7 @@ import argparse import os from jinja2 import Template +from textwrap import fill from vyos.configquery import ConfigTreeQuery from vyos.ifconfig import Section @@ -117,8 +118,11 @@ if __name__ == '__main__': exit(f'OpenVPN certificate key "{key}" does not exist!') ca = config.value(['pki', 'ca', ca, 'certificate']) + ca = fill(ca, width=64) cert = config.value(['pki', 'certificate', cert, 'certificate']) + cert = fill(cert, width=64) key = config.value(['pki', 'certificate', key, 'private', 'key']) + key = fill(key, width=64) remote_host = config.value(base + [interface, 'local-host']) ovpn_conf = config.get_config_dict(base + [interface], key_mangling=('-', '_'), get_first_key=True) diff --git a/src/op_mode/ikev2_profile_generator.py b/src/op_mode/ikev2_profile_generator.py index 990b06c12..21561d16f 100755 --- a/src/op_mode/ikev2_profile_generator.py +++ b/src/op_mode/ikev2_profile_generator.py @@ -222,9 +222,9 @@ except KeyboardInterrupt: print('\n\n==== <snip> ====') if args.os == 'ios': - print(render_to_string('ipsec/ios_profile.tmpl', data)) + print(render_to_string('ipsec/ios_profile.j2', data)) print('==== </snip> ====\n') print('Save the XML from above to a new file named "vyos.mobileconfig" and E-Mail it to your phone.') elif args.os == 'windows': - print(render_to_string('ipsec/windows_profile.tmpl', data)) + print(render_to_string('ipsec/windows_profile.j2', data)) print('==== </snip> ====\n') diff --git a/src/op_mode/restart_frr.py b/src/op_mode/restart_frr.py index e5014452f..91b25567a 100755 --- a/src/op_mode/restart_frr.py +++ b/src/op_mode/restart_frr.py @@ -22,6 +22,7 @@ import psutil from logging.handlers import SysLogHandler from shutil import rmtree +from vyos.base import Warning from vyos.util import call from vyos.util import ask_yes_no from vyos.util import process_named_running @@ -163,7 +164,7 @@ if cmd_args.action == 'restart': if cmd_args.daemon != ['']: for daemon in cmd_args.daemon: if not process_named_running(daemon): - print('WARNING: some of listed daemons are not running!') + Warning('some of listed daemons are not running!') # run command to restart daemon for daemon in cmd_args.daemon: diff --git a/src/op_mode/show_dhcp.py b/src/op_mode/show_dhcp.py index cd6e8ed43..4b1758eea 100755 --- a/src/op_mode/show_dhcp.py +++ b/src/op_mode/show_dhcp.py @@ -26,6 +26,7 @@ from datetime import datetime from isc_dhcp_leases import Lease, IscDhcpLeases +from vyos.base import Warning from vyos.config import Config from vyos.util import is_systemd_service_running @@ -213,7 +214,7 @@ if __name__ == '__main__': # if dhcp server is down, inactive leases may still be shown as active, so warn the user. if not is_systemd_service_running('isc-dhcp-server.service'): - print("WARNING: DHCP server is configured but not started. Data may be stale.") + Warning('DHCP server is configured but not started. Data may be stale.') if args.leases: leases = get_leases(conf, lease_file, args.state, args.pool, args.sort) diff --git a/src/op_mode/show_dhcpv6.py b/src/op_mode/show_dhcpv6.py index 1f987ff7b..b34b730e6 100755 --- a/src/op_mode/show_dhcpv6.py +++ b/src/op_mode/show_dhcpv6.py @@ -26,6 +26,7 @@ from datetime import datetime from isc_dhcp_leases import Lease, IscDhcpLeases +from vyos.base import Warning from vyos.config import Config from vyos.util import is_systemd_service_running @@ -203,7 +204,7 @@ if __name__ == '__main__': # if dhcp server is down, inactive leases may still be shown as active, so warn the user. if not is_systemd_service_running('isc-dhcp-server6.service'): - print("WARNING: DHCPv6 server is configured but not started. Data may be stale.") + Warning('DHCPv6 server is configured but not started. Data may be stale.') if args.leases: leases = get_leases(conf, lease_file, args.state, args.pool, args.sort) diff --git a/src/op_mode/show_openvpn.py b/src/op_mode/show_openvpn.py index f7b99cc0d..9a5adcffb 100755 --- a/src/op_mode/show_openvpn.py +++ b/src/op_mode/show_openvpn.py @@ -26,10 +26,10 @@ outp_tmpl = """ {% if clients %} OpenVPN status on {{ intf }} -Client CN Remote Host Local Host TX bytes RX bytes Connected Since ---------- ----------- ---------- -------- -------- --------------- +Client CN Remote Host Tunnel IP Local Host TX bytes RX bytes Connected Since +--------- ----------- --------- ---------- -------- -------- --------------- {% for c in clients %} -{{ "%-15s"|format(c.name) }} {{ "%-21s"|format(c.remote) }} {{ "%-21s"|format(local) }} {{ "%-9s"|format(c.tx_bytes) }} {{ "%-9s"|format(c.rx_bytes) }} {{ c.online_since }} +{{ "%-15s"|format(c.name) }} {{ "%-21s"|format(c.remote) }} {{ "%-15s"|format(c.tunnel) }} {{ "%-21s"|format(local) }} {{ "%-9s"|format(c.tx_bytes) }} {{ "%-9s"|format(c.rx_bytes) }} {{ c.online_since }} {% endfor %} {% endif %} """ @@ -50,6 +50,19 @@ def bytes2HR(size): output="{0:.1f} {1}".format(size, suff[suffIdx]) return output +def get_vpn_tunnel_address(peer, interface): + lst = [] + status_file = '/var/run/openvpn/{}.status'.format(interface) + + with open(status_file, 'r') as f: + lines = f.readlines() + for line in lines: + if peer in line: + lst.append(line) + tunnel_ip = lst[1].split(',')[0] + + return tunnel_ip + def get_status(mode, interface): status_file = '/var/run/openvpn/{}.status'.format(interface) # this is an empirical value - I assume we have no more then 999999 @@ -110,7 +123,7 @@ def get_status(mode, interface): 'tx_bytes': bytes2HR(line.split(',')[3]), 'online_since': line.split(',')[4] } - + client["tunnel"] = get_vpn_tunnel_address(client['remote'], interface) data['clients'].append(client) continue else: @@ -173,5 +186,7 @@ if __name__ == '__main__': if len(remote_host) >= 1: client['remote'] = str(remote_host[0]) + ':' + remote_port + client['tunnel'] = 'N/A' + tmpl = jinja2.Template(outp_tmpl) print(tmpl.render(data)) diff --git a/src/op_mode/traceroute.py b/src/op_mode/traceroute.py new file mode 100755 index 000000000..4299d6e5f --- /dev/null +++ b/src/op_mode/traceroute.py @@ -0,0 +1,207 @@ +#! /usr/bin/env python3 + +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +import sys +import socket +import ipaddress + +options = { + 'backward-hops': { + 'traceroute': '{command} --back', + 'type': 'noarg', + 'help': 'Display number of backward hops when they different from the forwarded path' + }, + 'bypass': { + 'traceroute': '{command} -r', + 'type': 'noarg', + 'help': 'Bypass the normal routing tables and send directly to a host on an attached network' + }, + 'do-not-fragment': { + 'traceroute': '{command} -F', + 'type': 'noarg', + 'help': 'Do not fragment probe packets.' + }, + 'first-ttl': { + 'traceroute': '{command} -f {value}', + 'type': '<ttl>', + 'help': 'Specifies with what TTL to start. Defaults to 1.' + }, + 'icmp': { + 'traceroute': '{command} -I', + 'type': 'noarg', + 'help': 'Use ICMP ECHO for tracerouting' + }, + 'interface': { + 'traceroute': '{command} -i {value}', + 'type': '<interface>', + 'help': 'Source interface' + }, + 'lookup-as': { + 'traceroute': '{command} -A', + 'type': 'noarg', + 'help': 'Perform AS path lookups' + }, + 'mark': { + 'traceroute': '{command} --fwmark={value}', + 'type': '<fwmark>', + 'help': 'Set the firewall mark for outgoing packets' + }, + 'no-resolve': { + 'traceroute': '{command} -n', + 'type': 'noarg', + 'help': 'Do not resolve hostnames' + }, + 'port': { + 'traceroute': '{command} -p {value}', + 'type': '<port>', + 'help': 'Destination port' + }, + 'source-address': { + 'traceroute': '{command} -s {value}', + 'type': '<x.x.x.x> <h:h:h:h:h:h:h:h>', + 'help': 'Specify source IP v4/v6 address' + }, + 'tcp': { + 'traceroute': '{command} -T', + 'type': 'noarg', + 'help': 'Use TCP SYN for tracerouting (default port is 80)' + }, + 'tos': { + 'traceroute': '{commad} -t {value}', + 'type': '<tos>', + 'help': 'Mark packets with specified TOS' + }, + 'ttl': { + 'traceroute': '{command} -m {value}', + 'type': '<ttl>', + 'help': 'Maximum number of hops' + }, + 'udp': { + 'traceroute': '{command} -U', + 'type': 'noarg', + 'help': 'Use UDP to particular port for tracerouting (default port is 53)' + }, + 'vrf': { + 'traceroute': 'sudo ip vrf exec {value} {command}', + 'type': '<vrf>', + 'help': 'Use specified VRF table', + 'dflt': 'default'} +} + +traceroute = { + 4: '/bin/traceroute -4', + 6: '/bin/traceroute -6', +} + + +class List (list): + def first (self): + return self.pop(0) if self else '' + + def last(self): + return self.pop() if self else '' + + def prepend(self,value): + self.insert(0,value) + + +def expension_failure(option, completions): + reason = 'Ambiguous' if completions else 'Invalid' + sys.stderr.write('\n\n {} command: {} [{}]\n\n'.format(reason,' '.join(sys.argv), option)) + if completions: + sys.stderr.write(' Possible completions:\n ') + sys.stderr.write('\n '.join(completions)) + sys.stderr.write('\n') + sys.stdout.write('<nocomps>') + sys.exit(1) + + +def complete(prefix): + return [o for o in options if o.startswith(prefix)] + + +def convert(command, args): + while args: + shortname = args.first() + longnames = complete(shortname) + if len(longnames) != 1: + expension_failure(shortname, longnames) + longname = longnames[0] + if options[longname]['type'] == 'noarg': + command = options[longname]['traceroute'].format( + command=command, value='') + elif not args: + sys.exit(f'traceroute: missing argument for {longname} option') + else: + command = options[longname]['traceroute'].format( + command=command, value=args.first()) + return command + + +if __name__ == '__main__': + args = List(sys.argv[1:]) + host = args.first() + + if not host: + sys.exit("traceroute: Missing host") + + if host == '--get-options': + args.first() # pop traceroute + args.first() # pop IP + while args: + option = args.first() + + matched = complete(option) + if not args: + sys.stdout.write(' '.join(matched)) + sys.exit(0) + + if len(matched) > 1 : + sys.stdout.write(' '.join(matched)) + sys.exit(0) + + if options[matched[0]]['type'] == 'noarg': + continue + + value = args.first() + if not args: + matched = complete(option) + sys.stdout.write(options[matched[0]]['type']) + sys.exit(0) + + for name,option in options.items(): + if 'dflt' in option and name not in args: + args.append(name) + args.append(option['dflt']) + + try: + ip = socket.gethostbyname(host) + except UnicodeError: + sys.exit(f'tracroute: Unknown host: {host}') + except socket.gaierror: + ip = host + + try: + version = ipaddress.ip_address(ip).version + except ValueError: + sys.exit(f'traceroute: Unknown host: {host}') + + command = convert(traceroute[version],args) + + # print(f'{command} {host}') + os.system(f'{command} {host}') + diff --git a/src/op_mode/vpn_ipsec.py b/src/op_mode/vpn_ipsec.py index 40854fa8f..8955e5a59 100755 --- a/src/op_mode/vpn_ipsec.py +++ b/src/op_mode/vpn_ipsec.py @@ -88,7 +88,22 @@ def reset_profile(profile, tunnel): def debug_peer(peer, tunnel): if not peer or peer == "all": - call('sudo /usr/sbin/ipsec statusall') + debug_commands = [ + "sudo ipsec statusall", + "sudo swanctl -L", + "sudo swanctl -l", + "sudo swanctl -P", + "sudo ip x sa show", + "sudo ip x policy show", + "sudo ip tunnel show", + "sudo ip address", + "sudo ip rule show", + "sudo ip route | head -100", + "sudo ip route show table 220" + ] + for debug_cmd in debug_commands: + print(f'\n### {debug_cmd} ###') + call(debug_cmd) return if not tunnel or tunnel == 'all': diff --git a/src/services/vyos-hostsd b/src/services/vyos-hostsd index df9f18d2d..9ae7b1ea9 100755 --- a/src/services/vyos-hostsd +++ b/src/services/vyos-hostsd @@ -421,12 +421,12 @@ def pdns_rec_control(command): def make_resolv_conf(state): logger.info(f"Writing {RESOLV_CONF_FILE}") - render(RESOLV_CONF_FILE, 'vyos-hostsd/resolv.conf.tmpl', state, + render(RESOLV_CONF_FILE, 'vyos-hostsd/resolv.conf.j2', state, user='root', group='root') def make_hosts(state): logger.info(f"Writing {HOSTS_FILE}") - render(HOSTS_FILE, 'vyos-hostsd/hosts.tmpl', state, + render(HOSTS_FILE, 'vyos-hostsd/hosts.j2', state, user='root', group='root') def make_pdns_rec_conf(state): @@ -437,12 +437,12 @@ def make_pdns_rec_conf(state): chmod_755(PDNS_REC_RUN_DIR) render(PDNS_REC_LUA_CONF_FILE, - 'dns-forwarding/recursor.vyos-hostsd.conf.lua.tmpl', + 'dns-forwarding/recursor.vyos-hostsd.conf.lua.j2', state, user=PDNS_REC_USER, group=PDNS_REC_GROUP) logger.info(f"Writing {PDNS_REC_ZONES_FILE}") render(PDNS_REC_ZONES_FILE, - 'dns-forwarding/recursor.forward-zones.conf.tmpl', + 'dns-forwarding/recursor.forward-zones.conf.j2', state, user=PDNS_REC_USER, group=PDNS_REC_GROUP) def set_host_name(state, data): diff --git a/src/validators/as-number-list b/src/validators/as-number-list new file mode 100755 index 000000000..432d44180 --- /dev/null +++ b/src/validators/as-number-list @@ -0,0 +1,29 @@ +#!/bin/sh +# +# Copyright (C) 2022 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +if [ $# -lt 1 ]; then + echo "Illegal number of parameters" + exit 1 +fi + +for var in "$@"; do + ${vyos_validators_dir}/numeric --range 1-4294967294 $var + if [ $? -ne 0 ]; then + exit 1 + fi +done + +exit 0 diff --git a/src/validators/port-multi b/src/validators/port-multi index cef371563..bd6f0ef60 100755 --- a/src/validators/port-multi +++ b/src/validators/port-multi @@ -1,6 +1,7 @@ #!/usr/bin/python3 -import sys +from sys import argv +from sys import exit import re from vyos.util import read_file @@ -13,12 +14,18 @@ def get_services(): for line in service_data.split("\n"): if not line or line[0] == '#': continue - names.append(line.split(None, 1)[0]) + tmp = line.split() + names.append(tmp[0]) + if len(tmp) > 2: + # Add port aliases to service list, too + names.extend(tmp[2:]) + # remove duplicate entries (e.g. echo) from list + names = list(dict.fromkeys(names)) return names if __name__ == '__main__': - if len(sys.argv)>1: - ports = sys.argv[1].split(",") + if len(argv)>1: + ports = argv[1].split(",") services = get_services() for port in ports: @@ -28,18 +35,18 @@ if __name__ == '__main__': port_1, port_2 = port.split('-') if int(port_1) not in range(1, 65536) or int(port_2) not in range(1, 65536): print(f'Error: {port} is not a valid port range') - sys.exit(1) + exit(1) if int(port_1) > int(port_2): print(f'Error: {port} is not a valid port range') - sys.exit(1) + exit(1) elif port.isnumeric(): if int(port) not in range(1, 65536): print(f'Error: {port} is not a valid port') - sys.exit(1) + exit(1) elif port not in services: print(f'Error: {port} is not a valid service name') - sys.exit(1) + exit(1) else: - sys.exit(2) + exit(2) - sys.exit(0) + exit(0) |