20 files changed, 2902 insertions, 1152 deletions

diff --git a/.gitattributes b/.gitattributes
index ea2cc59e4..624e00f03 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,80 @@
-data/templates/**/*.conf linguist-language=Jinja
-*.tmpl linguist-language=Jinja
-*.xml.i linguist-language=XML
-*.xml.in linguist-language=XML
+# Common settings that generally should always be used with your language specific settings
+
+# Auto detect text files and perform LF normalization
+*          text=auto
+
+#
+# The above will handle all files NOT found below
+#
+
+# Documents
+*.md       text diff=markdown
+*.mdx      text diff=markdown
+*.adoc     text
+*.csv      text eol=crlf
+*.rst      text
+*.txt      text
+
+# Graphics
+*.png      binary
+*.jpg      binary
+*.jpeg     binary
+*.gif      binary
+*.tif      binary
+*.tiff     binary
+*.ico      binary
+# SVG treated as text by default.
+*.svg      text
+# If you want to treat it as binary,
+# use the following line instead.
+# *.svg    binary
+
+# Scripts
+*.bash     text eol=lf diff=bash
+*.sh       text eol=lf diff=bash
+
+# Serialisation
+*.conf     text
+*.graphql  text
+*.j2       text
+*.json     text
+*.rules    text
+*.service  text
+*.toml     text
+*.tmpl     text linguist-language=Jinja
+*.xml      text
+*.xml.i    text linguist-language=XML
+*.xml.in   text linguist-language=XML
+*.yaml     text
+*.yml      text
+
+# Text files where line endings should be preserved
+*.patch    -text
+*.diff     -text
+
+# Python files
+*.pxd    text diff=python
+*.py     text diff=python
+*.py3    text diff=python
+*.pyw    text diff=python
+*.pyx    text diff=python
+*.pyz    text diff=python
+*.pyi    text diff=python
+
+# Fix syntax highlighting on GitHub to allow comments
+.vscode/*.json linguist-language=JSON-with-Comments
+
+#
+# Exclude files from exporting
+#
+
+.gitattributes        export-ignore
+.gitignore            export-ignore
+.gitkeep              export-ignore
+*.pyc          binary export-ignore
+*.pyo          binary export-ignore
+
+#
+# Enable syntax highlighting for VSCode settings
+#
+.vscode/settings.json linguist-language=jsonc
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 000000000..d21d151f7
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,22 @@
+name: "Issue and PR stale management"
+on:
+  schedule:
+  - cron: "0 0 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    if: github.repository == 'vyos/vyos-1x'
+    steps:
+      # Issue stale management
+    - uses: actions/stale@v6
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        days-before-stale: 90
+        days-before-close: -1
+        stale-issue-message: 'This issue is stale because it has been open 90 days with no activity. The issue will be reviewed by a maintainer and may be closed'
+        stale-issue-label: 'state: stale'
+        exempt-issue-labels: 'state: accepted, state: in-progress'
+        stale-pr-message: 'This PR is stale because it has been open 30 days with no activity. The PR will be reviewed by a maintainer and may be closed'
+        stale-pr-label: 'state: stale'
+        exempt-pr-labels: 'state: accepted, state: in-progress'
diff --git a/.vscode/settings.json b/.vscode/settings.json
index caa87ba4a..ab3af6cf1 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,18 +1,26 @@
 {
-    "files.trimTrailingWhitespace": true,
-    "editor.tabSize": 4,
-    "editor.insertSpaces": true,
     "files.insertFinalNewline": true,
-    "files.eol": "\n",
-    # https://code.visualstudio.com/docs/languages/identifiers#_known-language-identifiers
+    "files.trimFinalNewlines": true,
+    "files.trimTrailingWhitespace": true,
+
+    // https://code.visualstudio.com/docs/languages/identifiers#_known-language-identifiers
     "files.associations": {
+        "*.j2": "jinja",
         "*.xml.i": "xml",
         "*.xml.in": "xml",
-        "*.j2": "jinja",
     },
-    "editor.indentSize": "tabSize",
     "[jinja]": {
-        "editor.tabSize": 4,
         "editor.wordBasedSuggestions": false
-    }
+    },
+    // https://code.visualstudio.com/docs/python/settings-reference
+    "python.analysis.extraPaths": [
+        "./python"
+    ],
+    // https://help.gitkraken.com/gitlens/gitlens-settings/#autolink-settings
+    "gitlens.autolinks": [
+        {
+            "prefix": "T",
+            "url": "https://vyos.dev/T<num>"
+        }
+    ],
 }
diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c635ca213..c8b54dfbb 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -1,709 +1,709 @@
-### Autogenerated by container.py ###

-

-# The containers configuration file specifies all of the available configuration

-# command-line options/flags for container engine tools like Podman & Buildah,

-# but in a TOML format that can be easily modified and versioned.

-

-# Please refer to containers.conf(5) for details of all configuration options.

-# Not all container engines implement all of the options.

-# All of the options have hard coded defaults and these options will override

-# the built in defaults. Users can then override these options via the command

-# line. Container engines will read containers.conf files in up to three

-# locations in the following order:

-#  1. /usr/share/containers/containers.conf

-#  2. /etc/containers/containers.conf

-#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)

-#  Items specified in the latter containers.conf, if they exist, override the

-# previous containers.conf settings, or the default settings.

-

-[containers]

-

-# List of annotation. Specified as

-# "key = value"

-# If it is empty or commented out, no annotations will be added

-#

-#annotations = []

-

-# Used to change the name of the default AppArmor profile of container engine.

-#

-#apparmor_profile = "container-default"

-

-# The hosts entries from the base hosts file are added to the containers hosts

-# file. This must be either an absolute path or as special values "image" which

-# uses the hosts file from the container image or "none" which means

-# no base hosts file is used. The default is "" which will use /etc/hosts.

-#

-#base_hosts_file = ""

-

-# Default way to to create a cgroup namespace for the container

-# Options are:

-# `private` Create private Cgroup Namespace for the container.

-# `host`    Share host Cgroup Namespace with the container.

-#

-#cgroupns = "private"

-

-# Control container cgroup configuration

-# Determines  whether  the  container will create CGroups.

-# Options are:

-# `enabled`   Enable cgroup support within container

-# `disabled`  Disable cgroup support, will inherit cgroups from parent

-# `no-conmon` Do not create a cgroup dedicated to conmon.

-#

-#cgroups = "enabled"

-

-# List of default capabilities for containers. If it is empty or commented out,

-# the default capabilities defined in the container engine will be added.

-#

-default_capabilities = [

-  "CHOWN",

-  "DAC_OVERRIDE",

-  "FOWNER",

-  "FSETID",

-  "KILL",

-  "NET_BIND_SERVICE",

-  "SETFCAP",

-  "SETGID",

-  "SETPCAP",

-  "SETUID",

-  "SYS_CHROOT"

-]

-

-# A list of sysctls to be set in containers by default,

-# specified as "name=value",

-# for example:"net.ipv4.ping_group_range=0 0".

-#

-default_sysctls = [

-  "net.ipv4.ping_group_range=0 0",

-]

-

-# A list of ulimits to be set in containers by default, specified as

-# "<ulimit name>=<soft limit>:<hard limit>", for example:

-# "nofile=1024:2048"

-# See setrlimit(2) for a list of resource names.

-# Any limit not specified here will be inherited from the process launching the

-# container engine.

-# Ulimits has limits for non privileged container engines.

-#

-#default_ulimits = [

-#  "nofile=1280:2560",

-#]

-

-# List of devices. Specified as

-# "<device-on-host>:<device-on-container>:<permissions>", for example:

-# "/dev/sdc:/dev/xvdc:rwm".

-# If it is empty or commented out, only the default devices will be used

-#

-#devices = []

-

-# List of default DNS options to be added to /etc/resolv.conf inside of the container.

-#

-#dns_options = []

-

-# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

-#

-#dns_searches = []

-

-# Set default DNS servers.

-# This option can be used to override the DNS configuration passed to the

-# container. The special value "none" can be specified to disable creation of

-# /etc/resolv.conf in the container.

-# The /etc/resolv.conf file in the image will be used without changes.

-#

-#dns_servers = []

-

-# Environment variable list for the conmon process; used for passing necessary

-# environment variables to conmon or the runtime.

-#

-#env = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-#  "TERM=xterm",

-#]

-

-# Pass all host environment variables into the container.

-#

-#env_host = false

-

-# Set the ip for the host.containers.internal entry in the containers /etc/hosts

-# file. This can be set to "none" to disable adding this entry. By default it

-# will automatically choose the host ip.

-#

-# NOTE: When using podman machine this entry will never be added to the containers

-# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore

-# it is not possible to disable the entry in this case.

-#

-#host_containers_internal_ip = ""

-

-# Default proxy environment variables passed into the container.

-# The environment variables passed in include:

-# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of

-# these. This option is needed when host system uses a proxy but container

-# should not use proxy. Proxy environment variables specified for the container

-# in any other way will override the values passed from the host.

-#

-#http_proxy = true

-

-# Run an init inside the container that forwards signals and reaps processes.

-#

-#init = false

-

-# Container init binary, if init=true, this is the init binary to be used for containers.

-#

-#init_path = "/usr/libexec/podman/catatonit"

-

-# Default way to to create an IPC namespace (POSIX SysV IPC) for the container

-# Options are:

-#  "host"     Share host IPC Namespace with the container.

-#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.

-#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.

-#  "shareable" Create shareable IPC Namespace for the container.

-#

-#ipcns = "shareable"

-

-# keyring tells the container engine whether to create

-# a kernel keyring for use within the container.

-#

-#keyring = true

-

-# label tells the container engine whether to use container separation using

-# MAC(SELinux) labeling or not.

-# The label flag is ignored on label disabled systems.

-#

-#label = true

-

-# Logging driver for the container. Available options: k8s-file and journald.

-#

-#log_driver = "k8s-file"

-

-# Maximum size allowed for the container log file. Negative numbers indicate

-# that no size limit is imposed. If positive, it must be >= 8192 to match or

-# exceed conmon's read buffer. The file is truncated and re-opened so the

-# limit is never exceeded.

-#

-#log_size_max = -1

-

-# Specifies default format tag for container log messages.

-# This is useful for creating a specific tag for container log messages.

-# Containers logs default to truncated container ID as a tag.

-#

-#log_tag = ""

-

-# Default way to to create a Network namespace for the container

-# Options are:

-# `private` Create private Network Namespace for the container.

-# `host`    Share host Network Namespace with the container.

-# `none`    Containers do not use the network

-#

-#netns = "private"

-

-# Create /etc/hosts for the container.  By default, container engine manage

-# /etc/hosts, automatically adding  the container's  own  IP  address.

-#

-#no_hosts = false

-

-# Default way to to create a PID namespace for the container

-# Options are:

-# `private` Create private PID Namespace for the container.

-# `host`    Share host PID Namespace with the container.

-#

-#pidns = "private"

-

-# Maximum number of processes allowed in a container.

-#

-#pids_limit = 2048

-

-# Copy the content from the underlying image into the newly created volume

-# when the container is created instead of when it is started. If false,

-# the container engine will not copy the content until the container is started.

-# Setting it to true may have negative performance implications.

-#

-#prepare_volume_on_create = false

-

-# Path to the seccomp.json profile which is used as the default seccomp profile

-# for the runtime.

-#

-#seccomp_profile = "/usr/share/containers/seccomp.json"

-

-# Size of /dev/shm. Specified as <number><unit>.

-# Unit is optional, values:

-# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# If the unit is omitted, the system uses bytes.

-#

-#shm_size = "65536k"

-

-# Set timezone in container. Takes IANA timezones as well as "local",

-# which sets the timezone in the container to match the host machine.

-#

-#tz = ""

-

-# Set umask inside the container

-#

-#umask = "0022"

-

-# Default way to to create a User namespace for the container

-# Options are:

-# `auto`        Create unique User Namespace for the container.

-# `host`    Share host User Namespace with the container.

-#

-#userns = "host"

-

-# Number of UIDs to allocate for the automatic container creation.

-# UIDs are allocated from the "container" UIDs listed in

-# /etc/subuid & /etc/subgid

-#

-#userns_size = 65536

-

-# Default way to to create a UTS namespace for the container

-# Options are:

-# `private`        Create private UTS Namespace for the container.

-# `host`    Share host UTS Namespace with the container.

-#

-#utsns = "private"

-

-# List of volumes. Specified as

-# "<directory-on-host>:<directory-in-container>:<options>", for example:

-# "/db:/var/lib/db:ro".

-# If it is empty or commented out, no volumes will be added

-#

-#volumes = []

-

-[secrets]

-#driver = "file"

-

-[secrets.opts]

-#root = "/example/directory"

-

-[network]

-

-# Network backend determines what network driver will be used to set up and tear down container networks.

-# Valid values are "cni" and "netavark".

-# The default value is empty which means that it will automatically choose CNI or netavark. If there are

-# already containers/images or CNI networks preset it will choose CNI.

-#

-# Before changing this value all containers must be stopped otherwise it is likely that

-# iptables rules and network interfaces might leak on the host. A reboot will fix this.

-#

-network_backend = "netavark"

-

-# Path to directory where CNI plugin binaries are located.

-#

-#cni_plugin_dirs = [

-#  "/usr/local/libexec/cni",

-#  "/usr/libexec/cni",

-#  "/usr/local/lib/cni",

-#  "/usr/lib/cni",

-#  "/opt/cni/bin",

-#]

-

-# The network name of the default network to attach pods to.

-#

-#default_network = "podman"

-

-# The default subnet for the default network given in default_network.

-# If a network with that name does not exist, a new network using that name and

-# this subnet will be created.

-# Must be a valid IPv4 CIDR prefix.

-#

-#default_subnet = "10.88.0.0/16"

-

-# DefaultSubnetPools is a list of subnets and size which are used to

-# allocate subnets automatically for podman network create.

-# It will iterate through the list and will pick the first free subnet

-# with the given size. This is only used for ipv4 subnets, ipv6 subnets

-# are always assigned randomly.

-#

-#default_subnet_pools = [

-#  {"base" = "10.89.0.0/16", "size" = 24},

-#  {"base" = "10.90.0.0/15", "size" = 24},

-#  {"base" = "10.92.0.0/14", "size" = 24},

-#  {"base" = "10.96.0.0/11", "size" = 24},

-#  {"base" = "10.128.0.0/9", "size" = 24},

-#]

-

-# Path to the directory where network configuration files are located.

-# For the CNI backend the default is "/etc/cni/net.d" as root

-# and "$HOME/.config/cni/net.d" as rootless.

-# For the netavark backend "/etc/containers/networks" is used as root

-# and "$graphroot/networks" as rootless.

-#

-#network_config_dir = "/etc/cni/net.d/"

-

-# Port to use for dns forwarding daemon with netavark in rootful bridge

-# mode and dns enabled.

-# Using an alternate port might be useful if other dns services should

-# run on the machine.

-#

-#dns_bind_port = 53

-

-[engine]

-# Index to the active service

-#

-#active_service = production

-

-# The compression format to use when pushing an image.

-# Valid options are: `gzip`, `zstd` and `zstd:chunked`.

-#

-#compression_format = "gzip"

-

-

-# Cgroup management implementation used for the runtime.

-# Valid options "systemd" or "cgroupfs"

-#

-#cgroup_manager = "systemd"

-

-# Environment variables to pass into conmon

-#

-#conmon_env_vars = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

-#]

-

-# Paths to look for the conmon container manager binary

-#

-#conmon_path = [

-#  "/usr/libexec/podman/conmon",

-#  "/usr/local/libexec/podman/conmon",

-#  "/usr/local/lib/podman/conmon",

-#  "/usr/bin/conmon",

-#  "/usr/sbin/conmon",

-#  "/usr/local/bin/conmon",

-#  "/usr/local/sbin/conmon"

-#]

-

-# Enforces using docker.io for completing short names in Podman's compatibility

-# REST API. Note that this will ignore unqualified-search-registries and

-# short-name aliases defined in containers-registries.conf(5).

-#compat_api_enforce_docker_hub = true

-

-# Specify the keys sequence used to detach a container.

-# Format is a single character [a-Z] or a comma separated sequence of

-# `ctrl-<value>`, where `<value>` is one of:

-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`

-#

-#detach_keys = "ctrl-p,ctrl-q"

-

-# Determines whether engine will reserve ports on the host when they are

-# forwarded to containers. When enabled, when ports are forwarded to containers,

-# ports are held open by as long as the container is running, ensuring that

-# they cannot be reused by other programs on the host. However, this can cause

-# significant memory usage if a container has many ports forwarded to it.

-# Disabling this can save memory.

-#

-#enable_port_reservation = true

-

-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).

-# For example "http_proxy=internal.proxy.company.com".

-# Note these environment variables will not be used within the container.

-# Set the env section under [containers] table, if you want to set environment variables for the container.

-#

-#env = []

-

-# Define where event logs will be stored, when events_logger is "file".

-#events_logfile_path=""

-

-# Sets the maximum size for events_logfile_path.

-# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.

-# If no unit is included then the size will be read in bytes.

-# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.

-# If the maximum size is set to 0, then no limit will be applied,

-# and the logfile will not be rotated.

-#events_logfile_max_size = "1m"

-

-# Selects which logging mechanism to use for container engine events.

-# Valid values are `journald`, `file` and `none`.

-#

-#events_logger = "journald"

-

-# A is a list of directories which are used to search for helper binaries.

-#

-#helper_binaries_dir = [

-#  "/usr/local/libexec/podman",

-#  "/usr/local/lib/podman",

-#  "/usr/libexec/podman",

-#  "/usr/lib/podman",

-#]

-

-# Path to OCI hooks directories for automatically executed hooks.

-#

-#hooks_dir = [

-#  "/usr/share/containers/oci/hooks.d",

-#]

-

-# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building

-# container images. By default image pulled and pushed match the format of the

-# source image. Building/committing defaults to OCI.

-#

-#image_default_format = ""

-

-# Default transport method for pulling and pushing for images

-#

-#image_default_transport = "docker://"

-

-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.

-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.

-#

-#image_parallel_copies = 0

-

-# Tells container engines how to handle the builtin image volumes.

-#   * bind: An anonymous named volume will be created and mounted

-#     into the container.

-#   * tmpfs: The volume is mounted onto the container as a tmpfs,

-#     which allows users to create content that disappears when

-#     the container is stopped.

-#   * ignore: All volumes are just ignored and no action is taken.

-#

-#image_volume_mode = ""

-

-# Default command to run the infra container

-#

-#infra_command = "/pause"

-

-# Infra (pause) container image name for pod infra containers.  When running a

-# pod, we start a `pause` process in a container to hold open the namespaces

-# associated with the  pod.  This container does nothing other then sleep,

-# reserving the pods resources for the lifetime of the pod. By default container

-# engines run a builtin container using the pause executable. If you want override

-# specify an image to pull.

-#

-#infra_image = ""

-

-# Specify the locking mechanism to use; valid values are "shm" and "file".

-# Change the default only if you are sure of what you are doing, in general

-# "file" is useful only on platforms where cgo is not available for using the

-# faster "shm" lock type. You may need to run "podman system renumber" after

-# you change the lock type.

-#

-#lock_type** = "shm"

-

-# MultiImageArchive - if true, the container engine allows for storing archives

-# (e.g., of the docker-archive transport) with multiple images.  By default,

-# Podman creates single-image archives.

-#

-#multi_image_archive = "false"

-

-# Default engine namespace

-# If engine is joined to a namespace, it will see only containers and pods

-# that were created in the same namespace, and will create new containers and

-# pods in that namespace.

-# The default namespace is "", which corresponds to no namespace. When no

-# namespace is set, all containers and pods are visible.

-#

-#namespace = ""

-

-# Path to the slirp4netns binary

-#

-#network_cmd_path = ""

-

-# Default options to pass to the slirp4netns binary.

-# Valid options values are:

-#

-# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).

-#   Default is false.

-# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).

-# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).

-# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).

-# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).

-# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.

-# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).

-# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.

-# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.

-#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container

-#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,

-#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for

-#   rootless containers when connected to user-defined networks.

-# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but

-#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.

-#

-#network_cmd_options = []

-

-# Whether to use chroot instead of pivot_root in the runtime

-#

-#no_pivot_root = false

-

-# Number of locks available for containers and pods.

-# If this is changed, a lock renumber must be performed (e.g. with the

-# 'podman system renumber' command).

-#

-#num_locks = 2048

-

-# Set the exit policy of the pod when the last container exits.

-#pod_exit_policy = "continue"

-

-# Whether to pull new image before running a container

-#

-#pull_policy = "missing"

-

-# Indicates whether the application should be running in remote mode. This flag modifies the

-# --remote option on container engines. Setting the flag to true will default

-# `podman --remote=true` for access to the remote Podman service.

-#

-#remote = false

-

-# Default OCI runtime

-#

-#runtime = "crun"

-

-# List of the OCI runtimes that support --format=json. When json is supported

-# engine will use it for reporting nicer errors.

-#

-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]

-

-# List of the OCI runtimes that supports running containers with KVM Separation.

-#

-#runtime_supports_kvm = ["kata", "krun"]

-

-# List of the OCI runtimes that supports running containers without cgroups.

-#

-#runtime_supports_nocgroups = ["crun", "krun"]

-

-# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment

-# variable. If you specify "storage", then the location of the

-# container/storage tmp directory will be used.

-# image_copy_tmp_dir="/var/tmp"

-

-# Number of seconds to wait without a connection

-# before the `podman system service` times out and exits

-#

-#service_timeout = 5

-

-# Directory for persistent engine files (database, etc)

-# By default, this will be configured relative to where the containers/storage

-# stores containers

-# Uncomment to change location from this default

-#

-#static_dir = "/var/lib/containers/storage/libpod"

-

-# Number of seconds to wait for container to exit before sending kill signal.

-#

-#stop_timeout = 10

-

-# Number of seconds to wait before exit command in API process is given to.

-# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).

-#

-#exit_command_delay = 300

-

-# map of service destinations

-#

-#[service_destinations]

-#  [service_destinations.production]

-#     URI to access the Podman service

-#     Examples:

-#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)

-#       rootful "unix://run/podman/podman.sock (Default)

-#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock

-#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock

-#

-#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"

-#    Path to file containing ssh identity key

-#    identity = "~/.ssh/id_rsa"

-

-# Directory for temporary files. Must be tmpfs (wiped after reboot)

-#

-#tmp_dir = "/run/libpod"

-

-# Directory for libpod named volumes.

-# By default, this will be configured relative to where containers/storage

-# stores containers.

-# Uncomment to change location from this default.

-#

-#volume_path = "/var/lib/containers/storage/volumes"

-

-# Default timeout (in seconds) for volume plugin operations.

-# Plugins are external programs accessed via a REST API; this sets a timeout

-# for requests to that API.

-# A value of 0 is treated as no timeout.

-#volume_plugin_timeout = 5

-

-# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)

-[engine.runtimes]

-#crun = [

-#  "/usr/bin/crun",

-#  "/usr/sbin/crun",

-#  "/usr/local/bin/crun",

-#  "/usr/local/sbin/crun",

-#  "/sbin/crun",

-#  "/bin/crun",

-#  "/run/current-system/sw/bin/crun",

-#]

-

-#kata = [

-#  "/usr/bin/kata-runtime",

-#  "/usr/sbin/kata-runtime",

-#  "/usr/local/bin/kata-runtime",

-#  "/usr/local/sbin/kata-runtime",

-#  "/sbin/kata-runtime",

-#  "/bin/kata-runtime",

-#  "/usr/bin/kata-qemu",

-#  "/usr/bin/kata-fc",

-#]

-

-#runc = [

-#  "/usr/bin/runc",

-#  "/usr/sbin/runc",

-#  "/usr/local/bin/runc",

-#  "/usr/local/sbin/runc",

-#  "/sbin/runc",

-#  "/bin/runc",

-#  "/usr/lib/cri-o-runc/sbin/runc",

-#]

-

-#runsc = [

-#  "/usr/bin/runsc",

-#  "/usr/sbin/runsc",

-#  "/usr/local/bin/runsc",

-#  "/usr/local/sbin/runsc",

-#  "/bin/runsc",

-#  "/sbin/runsc",

-#  "/run/current-system/sw/bin/runsc",

-#]

-

-#krun = [

-#  "/usr/bin/krun",

-#  "/usr/local/bin/krun",

-#]

-

-[engine.volume_plugins]

-#testplugin = "/run/podman/plugins/test.sock"

-

-[machine]

-# Number of CPU's a machine is created with.

-#

-#cpus=1

-

-# The size of the disk in GB created when init-ing a podman-machine VM.

-#

-#disk_size=10

-

-# Default image URI when creating a new VM using `podman machine init`.

-# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major

-# version of the OS (e.g `36`) for Fedora 36. For all platforms you can

-# alternatively specify a custom download URL to an image. Container engines

-# translate URIs $OS and $ARCH to the native OS and ARCH. URI

-# "https://example.com/$OS/$ARCH/foobar.ami" becomes

-# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.

-# The default value is `testing`.

-#

-# image = "testing"

-

-# Memory in MB a machine is created with.

-#

-#memory=2048

-

-# The username to use and create on the podman machine OS for rootless

-# container access.

-#

-#user = "core"

-

-# Host directories to be mounted as volumes into the VM by default.

-# Environment variables like $HOME as well as complete paths are supported for

-# the source and destination. An optional third field `:ro` can be used to

-# tell the container engines to mount the volume readonly.

-#

-# volumes = [

-#  "$HOME:$HOME",

-#]

-

-# The [machine] table MUST be the last entry in this file.

-# (Unless another table is added)

-# TOML does not provide a way to end a table other than a further table being

-# defined, so every key hereafter will be part of [machine] and not the

-# main config.

+### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+#  1. /usr/share/containers/containers.conf
+#  2. /etc/containers/containers.conf
+#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+#  Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host`    Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines  whether  the  container will create CGroups.
+# Options are:
+# `enabled`   Enable cgroup support within container
+# `disabled`  Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+  "CHOWN",
+  "DAC_OVERRIDE",
+  "FOWNER",
+  "FSETID",
+  "KILL",
+  "NET_BIND_SERVICE",
+  "SETFCAP",
+  "SETGID",
+  "SETPCAP",
+  "SETUID",
+  "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+  "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+#  "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+#  "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host`    Share host Network Namespace with the container.
+# `none`    Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container.  By default, container engine manage
+# /etc/hosts, automatically adding  the container's  own  IP  address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host`    Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto`        Create unique User Namespace for the container.
+# `host`    Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private`        Create private UTS Namespace for the container.
+# `host`    Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+#  "/usr/local/libexec/cni",
+#  "/usr/libexec/cni",
+#  "/usr/local/lib/cni",
+#  "/usr/lib/cni",
+#  "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+#  {"base" = "10.89.0.0/16", "size" = 24},
+#  {"base" = "10.90.0.0/15", "size" = 24},
+#  {"base" = "10.92.0.0/14", "size" = 24},
+#  {"base" = "10.96.0.0/11", "size" = 24},
+#  {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+#  "/usr/libexec/podman/conmon",
+#  "/usr/local/libexec/podman/conmon",
+#  "/usr/local/lib/podman/conmon",
+#  "/usr/bin/conmon",
+#  "/usr/sbin/conmon",
+#  "/usr/local/bin/conmon",
+#  "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+#  "/usr/local/libexec/podman",
+#  "/usr/local/lib/podman",
+#  "/usr/libexec/podman",
+#  "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+#  "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+#   * bind: An anonymous named volume will be created and mounted
+#     into the container.
+#   * tmpfs: The volume is mounted onto the container as a tmpfs,
+#     which allows users to create content that disappears when
+#     the container is stopped.
+#   * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers.  When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the  pod.  This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images.  By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+#   Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+#   rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+#  [service_destinations.production]
+#     URI to access the Podman service
+#     Examples:
+#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+#       rootful "unix://run/podman/podman.sock (Default)
+#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+#    Path to file containing ssh identity key
+#    identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+#  "/usr/bin/crun",
+#  "/usr/sbin/crun",
+#  "/usr/local/bin/crun",
+#  "/usr/local/sbin/crun",
+#  "/sbin/crun",
+#  "/bin/crun",
+#  "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+#  "/usr/bin/kata-runtime",
+#  "/usr/sbin/kata-runtime",
+#  "/usr/local/bin/kata-runtime",
+#  "/usr/local/sbin/kata-runtime",
+#  "/sbin/kata-runtime",
+#  "/bin/kata-runtime",
+#  "/usr/bin/kata-qemu",
+#  "/usr/bin/kata-fc",
+#]
+
+#runc = [
+#  "/usr/bin/runc",
+#  "/usr/sbin/runc",
+#  "/usr/local/bin/runc",
+#  "/usr/local/sbin/runc",
+#  "/sbin/runc",
+#  "/bin/runc",
+#  "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+#  "/usr/bin/runsc",
+#  "/usr/sbin/runsc",
+#  "/usr/local/bin/runsc",
+#  "/usr/local/sbin/runsc",
+#  "/bin/runsc",
+#  "/sbin/runsc",
+#  "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+#  "/usr/bin/krun",
+#  "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+#  "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2
index 67f8a3ad1..3038a0b1d 100644
--- a/data/templates/frr/eigrpd.frr.j2
+++ b/data/templates/frr/eigrpd.frr.j2
@@ -1,21 +1,21 @@
-!

-router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}

-{% if maximum_paths is vyos_defined %}

-maximum-paths {{ maximum_paths }}

-{% endif %}

-{% if metric.weights is vyos_defined %}

-metric weights {{ metric.weights }}

-{% endif %}

-{% if network is vyos_defined %}

-{%     for net in network %}

-network {{ net }}

-{%     endfor %}

-{% endif %}

-{% if redistribute is vyos_defined %}

-{%     for protocol in redistribute %}

-redistribute {{ protocol }}

-{%     endfor %}

-{% endif %}

-{% if variance is vyos_defined %}

-variance {{ variance }}

+!
+router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
+{% if maximum_paths is vyos_defined %}
+maximum-paths {{ maximum_paths }}
+{% endif %}
+{% if metric.weights is vyos_defined %}
+metric weights {{ metric.weights }}
+{% endif %}
+{% if network is vyos_defined %}
+{%     for net in network %}
+network {{ net }}
+{%     endfor %}
+{% endif %}
+{% if redistribute is vyos_defined %}
+{%     for protocol in redistribute %}
+redistribute {{ protocol }}
+{%     endfor %}
+{% endif %}
+{% if variance is vyos_defined %}
+variance {{ variance }}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2
index 59a19e157..db699c3d8 100644
--- a/data/templates/system/sysctl.conf.j2
+++ b/data/templates/system/sysctl.conf.j2
@@ -1,7 +1,7 @@
-# autogenerated by system_sysctl.py

-

-{% if parameter is vyos_defined %}

-{%     for k, v in parameter.items() %}

-{{ k }} = {{ v.value }}

-{%     endfor %}

-{% endif %}

+# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{%     for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 02a9656da..9623bdec6 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -89,6 +89,8 @@
     ignore_fs = ["devtmpfs", "devfs"]
 [[inputs.diskio]]
 [[inputs.mem]]
+[[inputs.net]]
+    ignore_protocol_stats = true
 [[inputs.nstat]]
 [[inputs.system]]
 [[inputs.netstat]]
diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 64c60a780..cd88cf60c 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -21,14 +21,6 @@ if ! grep -q '^openvpn' /etc/passwd; then
     adduser --quiet --firstuid 100 --system --group --shell /usr/sbin/nologin openvpn
 fi
 
-# Enable 2FA/MFA support for SSH and local logins
-for file in /etc/pam.d/sshd /etc/pam.d/login
-do
-    PAM_CONFIG="# Check 2FA/MFA authentication token if enabled (per user)\nauth       required     pam_google_authenticator.so nullok forward_pass\n"
-    grep -qF -- "pam_google_authenticator.so" $file || \
-    sed -i "/^# Standard Un\*x authentication\./i${PAM_CONFIG}" $file
-done
-
 # We need to have a group for RADIUS service users to use it inside PAM rules
 if ! grep -q '^radius' /etc/group; then
     addgroup --firstgid 1000 --quiet radius
diff --git a/interface-definitions/include/constraint/host-name.xml.i b/interface-definitions/include/constraint/host-name.xml.i
index cc9740c16..5943772a2 100644
--- a/interface-definitions/include/constraint/host-name.xml.i
+++ b/interface-definitions/include/constraint/host-name.xml.i
@@ -1,3 +1,3 @@
-<!-- include start from constraint/host-name.xml.i -->

-<regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]</regex>

-<!-- include end -->

+<!-- include start from constraint/host-name.xml.i -->
+<regex>[A-Za-z0-9][-.A-Za-z0-9]*[A-Za-z0-9]</regex>
+<!-- include end -->
diff --git a/interface-definitions/include/policy/route-common.xml.i b/interface-definitions/include/policy/route-common.xml.i
index b8581b03e..e412fe58e 100644
--- a/interface-definitions/include/policy/route-common.xml.i
+++ b/interface-definitions/include/policy/route-common.xml.i
@@ -1,257 +1,257 @@
-<!-- include start from policy/route-common.xml.i -->

-#include <include/policy/route-rule-action.xml.i>

-#include <include/generic-description.xml.i>

-#include <include/firewall/firewall-mark.xml.i>

-#include <include/generic-disable-node.xml.i>

-<node name="fragment">

-  <properties>

-    <help>IP fragment match</help>

-  </properties>

-  <children>

-    <leafNode name="match-frag">

-      <properties>

-        <help>Second and further fragments of fragmented packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="match-non-frag">

-      <properties>

-        <help>Head fragments or unfragmented packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="ipsec">

-  <properties>

-    <help>Inbound IPsec packets</help>

-  </properties>

-  <children>

-    <leafNode name="match-ipsec">

-      <properties>

-        <help>Inbound IPsec packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="match-none">

-      <properties>

-        <help>Inbound non-IPsec packets</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="limit">

-  <properties>

-    <help>Rate limit using a token bucket filter</help>

-  </properties>

-  <children>

-    <leafNode name="burst">

-      <properties>

-        <help>Maximum number of packets to allow in excess of rate</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Maximum number of packets to allow in excess of rate</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="rate">

-      <properties>

-        <help>Maximum average matching rate</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Maximum average matching rate</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-#include <include/firewall/log.xml.i>

-<leafNode name="protocol">

-  <properties>

-    <help>Protocol to match (protocol name, number, or "all")</help>

-    <completionHelp>

-      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>

-    </completionHelp>

-    <valueHelp>

-      <format>all</format>

-      <description>All IP protocols</description>

-    </valueHelp>

-    <valueHelp>

-      <format>tcp_udp</format>

-      <description>Both TCP and UDP</description>

-    </valueHelp>

-    <valueHelp>

-      <format>0-255</format>

-      <description>IP protocol number</description>

-    </valueHelp>

-    <valueHelp>

-      <format>!&lt;protocol&gt;</format>

-      <description>IP protocol number</description>

-    </valueHelp>

-    <constraint>

-      <validator name="ip-protocol"/>

-    </constraint>

-  </properties>

-  <defaultValue>all</defaultValue>

-</leafNode>

-<node name="recent">

-  <properties>

-    <help>Parameters for matching recently seen sources</help>

-  </properties>

-  <children>

-    <leafNode name="count">

-      <properties>

-        <help>Source addresses seen more than N times</help>

-        <valueHelp>

-          <format>u32:1-255</format>

-          <description>Source addresses seen more than N times</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-255"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="time">

-      <properties>

-        <help>Source addresses seen in the last N seconds</help>

-        <valueHelp>

-          <format>u32:0-4294967295</format>

-          <description>Source addresses seen in the last N seconds</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-4294967295"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<node name="set">

-  <properties>

-    <help>Packet modifications</help>

-  </properties>

-  <children>

-    <leafNode name="connection-mark">

-      <properties>

-        <help>Connection marking</help>

-        <valueHelp>

-          <format>u32:0-2147483647</format>

-          <description>Connection marking</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-2147483647"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="dscp">

-      <properties>

-        <help>Packet Differentiated Services Codepoint (DSCP)</help>

-        <valueHelp>

-          <format>u32:0-63</format>

-          <description>DSCP number</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 0-63"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="mark">

-      <properties>

-        <help>Packet marking</help>

-        <valueHelp>

-          <format>u32:1-2147483647</format>

-          <description>Packet marking</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-2147483647"/>

-        </constraint>

-      </properties>

-    </leafNode>

-    <leafNode name="table">

-      <properties>

-        <help>Routing table to forward packet with</help>

-        <valueHelp>

-          <format>u32:1-200</format>

-          <description>Table number</description>

-        </valueHelp>

-        <valueHelp>

-          <format>main</format>

-          <description>Main table</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 1-200"/>

-          <regex>(main)</regex>

-        </constraint>

-        <completionHelp>

-          <list>main</list>

-          <path>protocols static table</path>

-        </completionHelp>

-      </properties>

-    </leafNode>

-    <leafNode name="tcp-mss">

-      <properties>

-        <help>TCP Maximum Segment Size</help>

-        <valueHelp>

-          <format>u32:500-1460</format>

-          <description>Explicitly set TCP MSS value</description>

-        </valueHelp>

-        <constraint>

-          <validator name="numeric" argument="--range 500-1460"/>

-        </constraint>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-#include <include/firewall/state.xml.i>

-#include <include/firewall/tcp-flags.xml.i>

-#include <include/firewall/tcp-mss.xml.i>

-<node name="time">

-  <properties>

-    <help>Time to match rule</help>

-  </properties>

-  <children>

-    <leafNode name="monthdays">

-      <properties>

-        <help>Monthdays to match rule on</help>

-      </properties>

-    </leafNode>

-    <leafNode name="startdate">

-      <properties>

-        <help>Date to start matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="starttime">

-      <properties>

-        <help>Time of day to start matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="stopdate">

-      <properties>

-        <help>Date to stop matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="stoptime">

-      <properties>

-        <help>Time of day to stop matching rule</help>

-      </properties>

-    </leafNode>

-    <leafNode name="utc">

-      <properties>

-        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>

-        <valueless/>

-      </properties>

-    </leafNode>

-    <leafNode name="weekdays">

-      <properties>

-        <help>Weekdays to match rule on</help>

-      </properties>

-    </leafNode>

-  </children>

-</node>

-<!-- include end -->

+<!-- include start from policy/route-common.xml.i -->
+#include <include/policy/route-rule-action.xml.i>
+#include <include/generic-description.xml.i>
+#include <include/firewall/firewall-mark.xml.i>
+#include <include/generic-disable-node.xml.i>
+<node name="fragment">
+  <properties>
+    <help>IP fragment match</help>
+  </properties>
+  <children>
+    <leafNode name="match-frag">
+      <properties>
+        <help>Second and further fragments of fragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-non-frag">
+      <properties>
+        <help>Head fragments or unfragmented packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="ipsec">
+  <properties>
+    <help>Inbound IPsec packets</help>
+  </properties>
+  <children>
+    <leafNode name="match-ipsec">
+      <properties>
+        <help>Inbound IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="match-none">
+      <properties>
+        <help>Inbound non-IPsec packets</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="limit">
+  <properties>
+    <help>Rate limit using a token bucket filter</help>
+  </properties>
+  <children>
+    <leafNode name="burst">
+      <properties>
+        <help>Maximum number of packets to allow in excess of rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum number of packets to allow in excess of rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="rate">
+      <properties>
+        <help>Maximum average matching rate</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Maximum average matching rate</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+#include <include/firewall/log.xml.i>
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to match (protocol name, number, or "all")</help>
+    <completionHelp>
+      <script>cat /etc/protocols | sed -e '/^#.*/d' | awk '{ print $1 }'</script>
+    </completionHelp>
+    <valueHelp>
+      <format>all</format>
+      <description>All IP protocols</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp_udp</format>
+      <description>Both TCP and UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>0-255</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <valueHelp>
+      <format>!&lt;protocol&gt;</format>
+      <description>IP protocol number</description>
+    </valueHelp>
+    <constraint>
+      <validator name="ip-protocol"/>
+    </constraint>
+  </properties>
+  <defaultValue>all</defaultValue>
+</leafNode>
+<node name="recent">
+  <properties>
+    <help>Parameters for matching recently seen sources</help>
+  </properties>
+  <children>
+    <leafNode name="count">
+      <properties>
+        <help>Source addresses seen more than N times</help>
+        <valueHelp>
+          <format>u32:1-255</format>
+          <description>Source addresses seen more than N times</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-255"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="time">
+      <properties>
+        <help>Source addresses seen in the last N seconds</help>
+        <valueHelp>
+          <format>u32:0-4294967295</format>
+          <description>Source addresses seen in the last N seconds</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-4294967295"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<node name="set">
+  <properties>
+    <help>Packet modifications</help>
+  </properties>
+  <children>
+    <leafNode name="connection-mark">
+      <properties>
+        <help>Connection marking</help>
+        <valueHelp>
+          <format>u32:0-2147483647</format>
+          <description>Connection marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="dscp">
+      <properties>
+        <help>Packet Differentiated Services Codepoint (DSCP)</help>
+        <valueHelp>
+          <format>u32:0-63</format>
+          <description>DSCP number</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 0-63"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="mark">
+      <properties>
+        <help>Packet marking</help>
+        <valueHelp>
+          <format>u32:1-2147483647</format>
+          <description>Packet marking</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-2147483647"/>
+        </constraint>
+      </properties>
+    </leafNode>
+    <leafNode name="table">
+      <properties>
+        <help>Routing table to forward packet with</help>
+        <valueHelp>
+          <format>u32:1-200</format>
+          <description>Table number</description>
+        </valueHelp>
+        <valueHelp>
+          <format>main</format>
+          <description>Main table</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 1-200"/>
+          <regex>(main)</regex>
+        </constraint>
+        <completionHelp>
+          <list>main</list>
+          <path>protocols static table</path>
+        </completionHelp>
+      </properties>
+    </leafNode>
+    <leafNode name="tcp-mss">
+      <properties>
+        <help>TCP Maximum Segment Size</help>
+        <valueHelp>
+          <format>u32:500-1460</format>
+          <description>Explicitly set TCP MSS value</description>
+        </valueHelp>
+        <constraint>
+          <validator name="numeric" argument="--range 500-1460"/>
+        </constraint>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+#include <include/firewall/state.xml.i>
+#include <include/firewall/tcp-flags.xml.i>
+#include <include/firewall/tcp-mss.xml.i>
+<node name="time">
+  <properties>
+    <help>Time to match rule</help>
+  </properties>
+  <children>
+    <leafNode name="monthdays">
+      <properties>
+        <help>Monthdays to match rule on</help>
+      </properties>
+    </leafNode>
+    <leafNode name="startdate">
+      <properties>
+        <help>Date to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="starttime">
+      <properties>
+        <help>Time of day to start matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stopdate">
+      <properties>
+        <help>Date to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="stoptime">
+      <properties>
+        <help>Time of day to stop matching rule</help>
+      </properties>
+    </leafNode>
+    <leafNode name="utc">
+      <properties>
+        <help>Interpret times for startdate, stopdate, starttime and stoptime to be UTC</help>
+        <valueless/>
+      </properties>
+    </leafNode>
+    <leafNode name="weekdays">
+      <properties>
+        <help>Weekdays to match rule on</help>
+      </properties>
+    </leafNode>
+  </children>
+</node>
+<!-- include end -->
diff --git a/interface-definitions/include/protocol-tcp-udp.xml.i b/interface-definitions/include/protocol-tcp-udp.xml.i
index d7e6752ad..c186c026a 100644
--- a/interface-definitions/include/protocol-tcp-udp.xml.i
+++ b/interface-definitions/include/protocol-tcp-udp.xml.i
@@ -1,22 +1,22 @@
-<!-- include start from snmp/protocol.xml.i -->

-<leafNode name="protocol">

-  <properties>

-    <help>Protocol to be used (TCP/UDP)</help>

-    <completionHelp>

-      <list>udp tcp</list>

-    </completionHelp>

-    <valueHelp>

-      <format>udp</format>

-      <description>Listen protocol UDP</description>

-    </valueHelp>

-    <valueHelp>

-      <format>tcp</format>

-      <description>Listen protocol TCP</description>

-    </valueHelp>

-    <constraint>

-      <regex>(udp|tcp)</regex>

-    </constraint>

-  </properties>

-  <defaultValue>udp</defaultValue>

-</leafNode>

-<!-- include end -->

+<!-- include start from snmp/protocol.xml.i -->
+<leafNode name="protocol">
+  <properties>
+    <help>Protocol to be used (TCP/UDP)</help>
+    <completionHelp>
+      <list>udp tcp</list>
+    </completionHelp>
+    <valueHelp>
+      <format>udp</format>
+      <description>Listen protocol UDP</description>
+    </valueHelp>
+    <valueHelp>
+      <format>tcp</format>
+      <description>Listen protocol TCP</description>
+    </valueHelp>
+    <constraint>
+      <regex>(udp|tcp)</regex>
+    </constraint>
+  </properties>
+  <defaultValue>udp</defaultValue>
+</leafNode>
+<!-- include end -->
diff --git a/interface-definitions/include/rip/version.xml.i b/interface-definitions/include/rip/version.xml.i
index a35350aee..61458b28e 100644
--- a/interface-definitions/include/rip/version.xml.i
+++ b/interface-definitions/include/rip/version.xml.i
@@ -1,18 +1,18 @@
-<!-- include start from rip/version.xml.i -->

-<leafNode name="version">

-  <properties>

-    <help>Limit RIP protocol version</help>

-    <valueHelp>

-      <format>1</format>

-      <description>Allow RIPv1 only</description>

-    </valueHelp>

-    <valueHelp>

-      <format>2</format>

-      <description>Allow RIPv2 only</description>

-    </valueHelp>

-    <constraint>

-      <validator name="numeric" argument="--range 1-2"/>

-    </constraint>

-  </properties>

-</leafNode>

-<!-- include end -->

+<!-- include start from rip/version.xml.i -->
+<leafNode name="version">
+  <properties>
+    <help>Limit RIP protocol version</help>
+    <valueHelp>
+      <format>1</format>
+      <description>Allow RIPv1 only</description>
+    </valueHelp>
+    <valueHelp>
+      <format>2</format>
+      <description>Allow RIPv2 only</description>
+    </valueHelp>
+    <constraint>
+      <validator name="numeric" argument="--range 1-2"/>
+    </constraint>
+  </properties>
+</leafNode>
+<!-- include end -->
diff --git a/op-mode-definitions/generate-system-login-user.xml.in b/op-mode-definitions/generate-system-login-user.xml.in
index 237a13610..bd80840df 100755
--- a/op-mode-definitions/generate-system-login-user.xml.in
+++ b/op-mode-definitions/generate-system-login-user.xml.in
@@ -1,90 +1,90 @@
-<?xml version="1.0"?>

-<interfaceDefinition>

-  <node name="generate">

-    <children>

-      <node name="system">

-        <properties>

-          <help>Generate system related parameters</help>

-        </properties>

-        <children>

-          <node name="login">

-            <properties>

-              <help>Generate system login related parameters</help>

-            </properties>

-            <children>

-              <tagNode name="username">

-                <properties>

-                  <help>Username used for authentication</help>

-                  <completionHelp>

-                    <list>&lt;username&gt;</list>

-                  </completionHelp>

-                </properties>

-                <children>

-                  <node name="otp-key">

-                    <properties>

-                      <help>Generate OpenConnect OTP token</help>

-                    </properties>

-                    <children>

-                      <node name="hotp-time">

-                        <properties>

-                          <help>HOTP time-based token</help>

-                        </properties>

-                        <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>

-                        <children>

-                          <tagNode name="rate-limit">

-                            <properties>

-                              <help>Duration of single time interval</help>

-                            </properties>

-                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9"</command>

-                            <children>

-                              <tagNode name="rate-time">

-                                <properties>

-                                  <help>The number of digits in the one-time password</help>

-                                </properties>

-                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" </command>

-                                <children>

-                                  <tagNode name="window-size">

-                                    <properties>

-                                      <help>The number of digits in the one-time password</help>

-                                    </properties>

-                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" --window-size "${13}"</command>

-                                  </tagNode>

-                                </children>

-                              </tagNode>

-                            </children>

-                          </tagNode>

-                          <tagNode name="window-size">

-                            <properties>

-                              <help>The number of digits in the one-time password</help>

-                            </properties>

-                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window-size "${9}"</command>

-                            <children>

-                              <tagNode name="rate-limit">

-                                <properties>

-                                  <help>Duration of single time interval</help>

-                                </properties>

-                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --window-size "${9}"</command>

-                                <children>

-                                  <tagNode name="rate-time">

-                                    <properties>

-                                      <help>Duration of single time interval</help>

-                                    </properties>

-                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --rate-time "${13}" --window-size "${9}"</command>

-                                  </tagNode>

-                                </children>

-                              </tagNode>

-                            </children>

-                          </tagNode>

-                        </children>

-                      </node>

-                    </children>

-                  </node>

-                </children>

-              </tagNode>

-            </children>

-          </node>

-        </children>

-      </node>

-    </children>

-  </node>

-</interfaceDefinition>

+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="generate">
+    <children>
+      <node name="system">
+        <properties>
+          <help>Generate system related parameters</help>
+        </properties>
+        <children>
+          <node name="login">
+            <properties>
+              <help>Generate system login related parameters</help>
+            </properties>
+            <children>
+              <tagNode name="username">
+                <properties>
+                  <help>Username used for authentication</help>
+                  <completionHelp>
+                    <path>system login user</path>
+                  </completionHelp>
+                </properties>
+                <children>
+                  <node name="otp-key">
+                    <properties>
+                      <help>Generate OpenConnect OTP token</help>
+                    </properties>
+                    <children>
+                      <node name="hotp-time">
+                        <properties>
+                          <help>HOTP time-based token</help>
+                        </properties>
+                        <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5"</command>
+                        <children>
+                          <tagNode name="rate-limit">
+                            <properties>
+                              <help>Duration of single time interval</help>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9"</command>
+                            <children>
+                              <tagNode name="rate-time">
+                                <properties>
+                                  <help>The number of digits in the one-time password</help>
+                                </properties>
+                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" </command>
+                                <children>
+                                  <tagNode name="window-size">
+                                    <properties>
+                                      <help>The number of digits in the one-time password</help>
+                                    </properties>
+                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "$9" --rate-time "${11}" --window-size "${13}"</command>
+                                  </tagNode>
+                                </children>
+                              </tagNode>
+                            </children>
+                          </tagNode>
+                          <tagNode name="window-size">
+                            <properties>
+                              <help>The number of digits in the one-time password</help>
+                            </properties>
+                            <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --window-size "${9}"</command>
+                            <children>
+                              <tagNode name="rate-limit">
+                                <properties>
+                                  <help>Duration of single time interval</help>
+                                </properties>
+                                <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --window-size "${9}"</command>
+                                <children>
+                                  <tagNode name="rate-time">
+                                    <properties>
+                                      <help>Duration of single time interval</help>
+                                    </properties>
+                                    <command>sudo ${vyos_op_scripts_dir}/generate_system_login_user.py --username "$5" --rate-limit "${11}" --rate-time "${13}" --window-size "${9}"</command>
+                                  </tagNode>
+                                </children>
+                              </tagNode>
+                            </children>
+                          </tagNode>
+                        </children>
+                      </node>
+                    </children>
+                  </node>
+                </children>
+              </tagNode>
+            </children>
+          </node>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py
index abc3d4e5b..997ee6309 100644
--- a/python/vyos/utils/network.py
+++ b/python/vyos/utils/network.py
@@ -201,6 +201,7 @@ def get_all_vrfs():
     return data
 
 def interface_list() -> list:
+    from vyos.ifconfig import Section
     """
     Get list of interfaces in system
     :rtype: list
diff --git a/smoketest/configs/dialup-router-wireguard-ipv6 b/smoketest/configs/dialup-router-wireguard-ipv6
new file mode 100644
index 000000000..33afb9b04
--- /dev/null
+++ b/smoketest/configs/dialup-router-wireguard-ipv6
@@ -0,0 +1,1629 @@
+firewall {
+    all-ping enable
+    broadcast-ping disable
+    config-trap disable
+    group {
+        address-group DMZ-WEBSERVER {
+            address 172.16.36.10
+            address 172.16.36.40
+            address 172.16.36.20
+        }
+        address-group DMZ-RDP-SERVER {
+            address 172.16.33.40
+        }
+        address-group DOMAIN-CONTROLLER {
+            address 172.16.100.10
+            address 172.16.100.20
+            address 172.16.110.30
+        }
+        address-group VIDEO {
+            address 172.16.33.211
+            address 172.16.33.212
+            address 172.16.33.213
+            address 172.16.33.214
+        }
+        ipv6-network-group LOCAL-ADDRESSES {
+            network ff02::/64
+            network fe80::/10
+        }
+        network-group SSH-IN-ALLOW {
+            network 100.65.150.0/23
+            network 100.64.69.205/32
+            network 100.64.8.67/32
+            network 100.64.55.1/32
+        }
+    }
+    ipv6-name ALLOW-ALL-6 {
+        default-action accept
+    }
+    ipv6-name ALLOW-BASIC-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            protocol icmpv6
+        }
+    }
+    ipv6-name ALLOW-ESTABLISHED-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                group {
+                    network-group LOCAL-ADDRESSES
+                }
+            }
+            protocol icmpv6
+            source {
+                address fe80::/10
+            }
+        }
+        rule 20 {
+            action accept
+            icmpv6 {
+                type echo-request
+            }
+            protocol icmpv6
+        }
+        rule 21 {
+            action accept
+            icmpv6 {
+                type destination-unreachable
+            }
+            protocol icmpv6
+        }
+        rule 22 {
+            action accept
+            icmpv6 {
+                type packet-too-big
+            }
+            protocol icmpv6
+        }
+        rule 23 {
+            action accept
+            icmpv6 {
+                type time-exceeded
+            }
+            protocol icmpv6
+        }
+        rule 24 {
+            action accept
+            icmpv6 {
+                type parameter-problem
+            }
+            protocol icmpv6
+        }
+    }
+    ipv6-name WAN-LOCAL-6 {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                address ff02::/64
+            }
+            protocol icmpv6
+            source {
+                address fe80::/10
+            }
+        }
+        rule 50 {
+            action accept
+            destination {
+                address fe80::/10
+                port 546
+            }
+            protocol udp
+            source {
+                address fe80::/10
+                port 547
+            }
+        }
+    }
+    ipv6-receive-redirects disable
+    ipv6-src-route disable
+    ip-src-route disable
+    log-martians enable
+    name DMZ-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name DMZ-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                group {
+                    address-group DOMAIN-CONTROLLER
+                }
+                port 123,389,636
+            }
+            protocol tcp_udp
+        }
+        rule 300 {
+            action accept
+            destination {
+                group {
+                    address-group DMZ-RDP-SERVER
+                }
+                port 3389
+            }
+            protocol tcp_udp
+            source {
+                address 172.16.36.20
+            }
+        }
+    }
+    name DMZ-LOCAL {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 50 {
+            action accept
+            destination {
+                address 172.16.254.30
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+    }
+    name DMZ-WAN {
+        default-action accept
+    }
+    name GUEST-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name GUEST-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name GUEST-LOCAL {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            destination {
+                address 172.31.0.254
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 11 {
+            action accept
+            destination {
+                port 67
+            }
+            protocol udp
+        }
+        rule 15 {
+            action accept
+            destination {
+                address 172.31.0.254
+            }
+            protocol icmp
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.31.0.254
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name GUEST-WAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 25 {
+            action accept
+            destination {
+                port 25,587
+            }
+            protocol tcp
+        }
+        rule 53 {
+            action accept
+            destination {
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 60 {
+            action accept
+            source {
+                address 172.31.0.200
+            }
+        }
+        rule 80 {
+            action accept
+            source {
+                address 172.31.0.200
+            }
+        }
+        rule 100 {
+            action accept
+            protocol icmp
+        }
+        rule 110 {
+            action accept
+            destination {
+                port 110,995
+            }
+            protocol tcp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+        rule 143 {
+            action accept
+            destination {
+                port 143,993
+            }
+            protocol tcp
+        }
+        rule 200 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 500 {
+            action accept
+            destination {
+                port 500,4500
+            }
+            protocol udp
+        }
+        rule 600 {
+            action accept
+            destination {
+                port 5222-5224
+            }
+            protocol tcp
+        }
+        rule 601 {
+            action accept
+            destination {
+                port 3478-3497,4500,16384-16387,16393-16402
+            }
+            protocol udp
+        }
+        rule 1000 {
+            action accept
+            source {
+                address 172.31.0.184
+            }
+        }
+    }
+    name LAN-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 22 {
+            action accept
+            destination {
+                port 22
+            }
+            protocol tcp
+        }
+        rule 100 {
+            action accept
+            destination {
+                group {
+                    address-group DMZ-WEBSERVER
+                }
+                port 22
+            }
+            protocol tcp
+        }
+    }
+    name LAN-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+    }
+    name LAN-LOCAL {
+        default-action accept
+    }
+    name LAN-WAN {
+        default-action accept
+        rule 90 {
+            action accept
+            destination {
+                address 100.65.150.0/23
+                port 25
+            }
+            protocol tcp_udp
+            source {
+                group {
+                    address-group VIDEO
+                }
+            }
+        }
+        rule 100 {
+            action drop
+            source {
+                group {
+                    address-group VIDEO
+                }
+            }
+        }
+    }
+    name LOCAL-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.16.36.40
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name LOCAL-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 5 {
+            action accept
+            protocol icmp
+        }
+        rule 300 {
+            action accept
+            destination {
+                port 1900
+            }
+            protocol udp
+        }
+    }
+    name LOCAL-LAN {
+        default-action accept
+    }
+    name LOCAL-WAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 10 {
+            action accept
+            protocol icmp
+        }
+        rule 50 {
+            action accept
+            destination {
+                port 53
+            }
+            protocol tcp_udp
+        }
+        rule 80 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 123 {
+            action accept
+            destination {
+                port 123
+            }
+            protocol udp
+        }
+        rule 800 {
+            action accept
+            destination {
+                address 100.65.151.213
+            }
+            protocol udp
+        }
+        rule 805 {
+            action accept
+            destination {
+                address 100.65.151.2
+            }
+            protocol all
+        }
+        rule 1010 {
+            action accept
+            destination {
+                address 100.64.69.205
+                port 7705
+            }
+            protocol udp
+            source {
+                port 7705
+            }
+        }
+        rule 1990 {
+            action accept
+            destination {
+                address 100.64.55.1
+                port 10666
+            }
+            protocol udp
+        }
+        rule 2000 {
+            action accept
+            destination {
+                address 100.64.39.249
+            }
+        }
+        rule 10200 {
+            action accept
+            destination {
+                address 100.64.89.98
+                port 10200
+            }
+            protocol udp
+            source {
+                port 10200
+            }
+        }
+    }
+    name WAN-DMZ {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 100 {
+            action accept
+            destination {
+                address 172.16.36.10
+                port 80,443
+            }
+            protocol tcp
+        }
+    }
+    name WAN-GUEST {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 1000 {
+            action accept
+            destination {
+                address 172.31.0.184
+            }
+        }
+        rule 8000 {
+            action accept
+            destination {
+                address 172.31.0.200
+                port 10000
+            }
+            protocol udp
+        }
+    }
+    name WAN-LAN {
+        default-action drop
+        enable-default-log
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 1000 {
+            action accept
+            destination {
+                address 172.16.33.40
+                port 3389
+            }
+            protocol tcp
+            source {
+                group {
+                    network-group SSH-IN-ALLOW
+                }
+            }
+        }
+    }
+    name WAN-LOCAL {
+        default-action drop
+        rule 1 {
+            action accept
+            state {
+                established enable
+                related enable
+            }
+        }
+        rule 2 {
+            action drop
+            log enable
+            state {
+                invalid enable
+            }
+        }
+        rule 22 {
+            action accept
+            destination {
+                port 22
+            }
+            protocol tcp
+            source {
+                group {
+                    network-group SSH-IN-ALLOW
+                }
+            }
+        }
+        rule 1990 {
+            action accept
+            destination {
+                port 10666
+            }
+            protocol udp
+            source {
+                address 100.64.55.1
+            }
+        }
+        rule 10000 {
+            action accept
+            destination {
+                port 80,443
+            }
+            protocol tcp
+        }
+        rule 10100 {
+            action accept
+            destination {
+                port 10100
+            }
+            protocol udp
+            source {
+                port 10100
+            }
+        }
+        rule 10200 {
+            action accept
+            destination {
+                port 10200
+            }
+            protocol udp
+            source {
+                address 100.64.89.98
+                port 10200
+            }
+        }
+    }
+    options {
+        interface pppoe0 {
+            adjust-mss 1452
+            adjust-mss6 1432
+        }
+    }
+    receive-redirects disable
+    send-redirects enable
+    source-validation disable
+    syn-cookies enable
+    twa-hazards-protection disable
+}
+interfaces {
+    dummy dum0 {
+        address 172.16.254.30/32
+    }
+    ethernet eth0 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        ring-buffer {
+            rx 256
+            tx 256
+        }
+        speed auto
+        vif 5 {
+            address 172.16.37.254/24
+            ip {
+                ospf {
+                    authentication {
+                        md5 {
+                            key-id 10 {
+                                md5-key ospf
+                            }
+                        }
+                    }
+                    dead-interval 40
+                    hello-interval 10
+                    priority 1
+                    retransmit-interval 5
+                    transmit-delay 1
+                }
+            }
+        }
+        vif 10 {
+            address 172.16.33.254/24
+            address 172.16.40.254/24
+        }
+        vif 50 {
+            address 172.16.36.254/24
+        }
+    }
+    ethernet eth1 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        speed auto
+        vif 20 {
+            address 172.31.0.254/24
+        }
+    }
+    ethernet eth2 {
+        disable
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        speed auto
+    }
+    ethernet eth3 {
+        duplex auto
+        offload {
+            gro
+            gso
+            sg
+            tso
+        }
+        ring-buffer {
+            rx 256
+            tx 256
+        }
+        speed auto
+        vif 7 {
+        }
+    }
+    loopback lo {
+        address 172.16.254.30/32
+    }
+    pppoe pppoe0 {
+        authentication {
+            password vyos
+            user vyos
+        }
+        default-route force
+        dhcpv6-options {
+            pd 0 {
+                interface eth0.10 {
+                    address 1
+                    sla-id 10
+                }
+                interface eth1.20 {
+                    address 1
+                    sla-id 20
+                }
+                length 56
+            }
+        }
+        ipv6 {
+            address {
+                autoconf
+            }
+        }
+        no-peer-dns
+        source-interface eth3.7
+    }
+    wireguard wg100 {
+        address 172.16.252.128/31
+        mtu 1500
+        peer HR6 {
+            address 100.65.151.213
+            allowed-ips 0.0.0.0/0
+            port 10100
+            pubkey yLpi+UZuI019bmWH2h5fX3gStbpPPPLgEoYMyrdkOnQ=
+        }
+        port 10100
+    }
+    wireguard wg200 {
+        address 172.16.252.130/31
+        mtu 1500
+        peer WH56 {
+            address 80.151.69.205
+            allowed-ips 0.0.0.0/0
+            port 10200
+            pubkey XQbkj6vnKKBJfJQyThXysU0iGxCvEOEb31kpaZgkrD8=
+        }
+        port 10200
+    }
+    wireguard wg666 {
+        address 172.29.0.1/31
+        mtu 1500
+        peer WH34 {
+            address 100.65.55.1
+            allowed-ips 0.0.0.0/0
+            port 10666
+            pubkey yaTN4+xAafKM04D+Baeg5GWfbdaw35TE9HQivwRgAk0=
+        }
+        port 10666
+    }
+}
+nat {
+    destination {
+        rule 8000 {
+            destination {
+                port 10000
+            }
+            inbound-interface pppoe0
+            protocol udp
+            translation {
+                address 172.31.0.200
+            }
+        }
+    }
+    source {
+        rule 50 {
+            outbound-interface pppoe0
+            source {
+                address 100.64.0.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 100 {
+            outbound-interface pppoe0
+            source {
+                address 172.16.32.0/21
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 200 {
+            outbound-interface pppoe0
+            source {
+                address 172.16.100.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 300 {
+            outbound-interface pppoe0
+            source {
+                address 172.31.0.0/24
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 400 {
+            outbound-interface pppoe0
+            source {
+                address 172.18.200.0/21
+            }
+            translation {
+                address masquerade
+            }
+        }
+        rule 1000 {
+            destination {
+                address 192.168.189.0/24
+            }
+            outbound-interface wg666
+            source {
+                address 172.16.32.0/21
+            }
+            translation {
+                address 172.29.0.1
+            }
+        }
+        rule 1001 {
+            destination {
+                address 192.168.189.0/24
+            }
+            outbound-interface wg666
+            source {
+                address 172.16.100.0/24
+            }
+            translation {
+                address 172.29.0.1
+            }
+        }
+    }
+}
+policy {
+    route-map MAP-OSPF-CONNECTED {
+        rule 1 {
+            action deny
+            match {
+                interface eth1.20
+            }
+        }
+        rule 20 {
+            action permit
+            match {
+                interface eth0.10
+            }
+        }
+        rule 40 {
+            action permit
+            match {
+                interface eth0.50
+            }
+        }
+    }
+}
+protocols {
+    bfd {
+        peer 172.16.252.129 {
+        }
+        peer 172.16.252.131 {
+        }
+        peer 172.18.254.201 {
+        }
+    }
+    bgp 64503 {
+        address-family {
+            ipv4-unicast {
+                network 172.16.32.0/21 {
+                }
+                network 172.16.100.0/24 {
+                }
+                network 172.16.252.128/31 {
+                }
+                network 172.16.252.130/31 {
+                }
+                network 172.16.254.30/32 {
+                }
+                network 172.18.0.0/16 {
+                }
+            }
+        }
+        neighbor 172.16.252.129 {
+            peer-group WIREGUARD
+        }
+        neighbor 172.16.252.131 {
+            peer-group WIREGUARD
+        }
+        neighbor 172.18.254.201 {
+            address-family {
+                ipv4-unicast {
+                    nexthop-self {
+                    }
+                }
+            }
+            bfd {
+            }
+            remote-as 64503
+            update-source dum0
+        }
+        parameters {
+            default {
+                no-ipv4-unicast
+            }
+            log-neighbor-changes
+        }
+        peer-group WIREGUARD {
+            address-family {
+                ipv4-unicast {
+                    soft-reconfiguration {
+                        inbound
+                    }
+                }
+            }
+            bfd
+            remote-as external
+        }
+        timers {
+            holdtime 30
+            keepalive 10
+        }
+    }
+    ospf {
+        area 0 {
+            network 172.16.254.30/32
+            network 172.16.37.0/24
+            network 172.18.201.0/24
+            network 172.18.202.0/24
+            network 172.18.203.0/24
+            network 172.18.204.0/24
+        }
+        default-information {
+            originate {
+                always
+                metric-type 2
+            }
+        }
+        log-adjacency-changes {
+            detail
+        }
+        parameters {
+            abr-type cisco
+            router-id 172.16.254.30
+        }
+        passive-interface default
+        passive-interface-exclude eth0.5
+        redistribute {
+            connected {
+                metric-type 2
+                route-map MAP-OSPF-CONNECTED
+            }
+        }
+    }
+    static {
+        interface-route6 2000::/3 {
+            next-hop-interface pppoe0 {
+            }
+        }
+        route 10.0.0.0/8 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 169.254.0.0/16 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 172.16.0.0/12 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 172.16.32.0/21 {
+            blackhole {
+            }
+        }
+        route 172.18.0.0/16 {
+            blackhole {
+            }
+        }
+        route 172.29.0.2/31 {
+            next-hop 172.29.0.0 {
+            }
+        }
+        route 192.168.0.0/16 {
+            blackhole {
+                distance 254
+            }
+        }
+        route 192.168.189.0/24 {
+            next-hop 172.29.0.0 {
+            }
+        }
+    }
+}
+service {
+    dhcp-server {
+        shared-network-name BACKBONE {
+            authoritative
+            subnet 172.16.37.0/24 {
+                default-router 172.16.37.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.16.254.30
+                ntp-server 172.16.254.30
+                range 0 {
+                    start 172.16.37.120
+                    stop 172.16.37.149
+                }
+                static-mapping AP1 {
+                    ip-address 172.16.37.231
+                    mac-address 02:00:00:00:ee:18
+                }
+                static-mapping AP2 {
+                    ip-address 172.16.37.232
+                    mac-address 02:00:00:00:52:84
+                }
+                static-mapping AP3 {
+                    ip-address 172.16.37.233
+                    mac-address 02:00:00:00:51:c0
+                }
+                static-mapping AP4 {
+                    ip-address 172.16.37.234
+                    mac-address 02:00:00:00:e6:fc
+                }
+                static-mapping AP5 {
+                    ip-address 172.16.37.235
+                    mac-address 02:00:00:00:c3:50
+                }
+            }
+        }
+        shared-network-name GUEST {
+            authoritative
+            subnet 172.31.0.0/24 {
+                default-router 172.31.0.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.31.0.254
+                range 0 {
+                    start 172.31.0.101
+                    stop 172.31.0.199
+                }
+            }
+        }
+        shared-network-name LAN {
+            authoritative
+            subnet 172.16.33.0/24 {
+                default-router 172.16.33.254
+                domain-name vyos.net
+                domain-search vyos.net
+                lease 86400
+                name-server 172.16.254.30
+                ntp-server 172.16.254.30
+                range 0 {
+                    start 172.16.33.100
+                    stop 172.16.33.189
+                }
+                static-mapping one {
+                    ip-address 172.16.33.221
+                    mac-address 02:00:00:00:eb:a6
+                }
+                static-mapping two {
+                    ip-address 172.16.33.211
+                    mac-address 02:00:00:00:58:90
+                }
+                static-mapping three {
+                    ip-address 172.16.33.212
+                    mac-address 02:00:00:00:12:c7
+                }
+                static-mapping four {
+                    ip-address 172.16.33.214
+                    mac-address 02:00:00:00:c4:33
+                }
+            }
+        }
+    }
+    dns {
+        dynamic {
+            interface pppoe0 {
+                service vyos {
+                    host-name r1.vyos.net
+                    login vyos-vyos
+                    password vyos
+                    protocol dyndns2
+                    server dyndns.vyos.io
+                }
+            }
+        }
+        forwarding {
+            allow-from 172.16.0.0/12
+            domain 16.172.in-addr.arpa {
+                addnta
+                recursion-desired
+                server 172.16.100.10
+                server 172.16.100.20
+            }
+            domain 18.172.in-addr.arpa {
+                addnta
+                recursion-desired
+                server 172.16.100.10
+                server 172.16.100.20
+            }
+            domain vyos.net {
+                addnta
+                recursion-desired
+                server 172.16.100.20
+                server 172.16.100.10
+            }
+            ignore-hosts-file
+            listen-address 172.16.254.30
+            listen-address 172.31.0.254
+            negative-ttl 60
+        }
+    }
+    lldp {
+        legacy-protocols {
+            cdp
+            edp
+            fdp
+            sonmp
+        }
+        snmp {
+            enable
+        }
+    }
+    router-advert {
+        interface eth0.10 {
+            prefix ::/64 {
+                preferred-lifetime 2700
+                valid-lifetime 5400
+            }
+        }
+        interface eth1.20 {
+            prefix ::/64 {
+                preferred-lifetime 2700
+                valid-lifetime 5400
+            }
+        }
+    }
+    snmp {
+        community ro-community {
+            authorization ro
+            network 172.16.100.0/24
+        }
+        contact "VyOS"
+        listen-address 172.16.254.30 {
+            port 161
+        }
+        location "CLOUD"
+    }
+    ssh {
+        disable-host-validation
+        port 22
+    }
+}
+system {
+    config-management {
+        commit-revisions 200
+    }
+    conntrack {
+        expect-table-size 2048
+        hash-size 32768
+        modules {
+            ftp
+            h323
+            nfs
+            pptp
+            sqlnet
+            tftp
+        }
+        table-size 262144
+        timeout {
+            icmp 30
+            other 600
+            udp {
+                other 300
+                stream 300
+            }
+        }
+    }
+    console {
+        device ttyS0 {
+            speed 115200
+        }
+    }
+    domain-name vyos.net
+    host-name r1
+    login {
+        user vyos {
+            authentication {
+                encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+                plaintext-password ""
+            }
+        }
+    }
+    name-server 172.16.254.30
+    ntp {
+        allow-clients {
+            address 172.16.0.0/12
+        }
+        server time1.vyos.net {
+        }
+        server time2.vyos.net {
+        }
+    }
+    option {
+        ctrl-alt-delete ignore
+        performance latency
+        reboot-on-panic
+        startup-beep
+    }
+    syslog {
+        global {
+            facility all {
+                level debug
+            }
+            facility protocols {
+                level debug
+            }
+        }
+        host 172.16.100.1 {
+            facility all {
+                level warning
+            }
+        }
+    }
+    time-zone Europe/Berlin
+}
+traffic-policy {
+    shaper QoS {
+        bandwidth 50mbit
+        default {
+            bandwidth 100%
+            burst 15k
+            queue-limit 1000
+            queue-type fq-codel
+        }
+    }
+}
+zone-policy {
+    zone DMZ {
+        default-action drop
+        from GUEST {
+            firewall {
+                name GUEST-DMZ
+            }
+        }
+        from LAN {
+            firewall {
+                name LAN-DMZ
+            }
+        }
+        from LOCAL {
+            firewall {
+                name LOCAL-DMZ
+            }
+        }
+        from WAN {
+            firewall {
+                name WAN-DMZ
+            }
+        }
+        interface eth0.50
+    }
+    zone GUEST {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-GUEST
+            }
+        }
+        from LAN {
+            firewall {
+                name LAN-GUEST
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-GUEST
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name WAN-GUEST
+            }
+        }
+        interface eth1.20
+    }
+    zone LAN {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-LAN
+            }
+        }
+        from GUEST {
+            firewall {
+                name GUEST-LAN
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-LAN
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name WAN-LAN
+            }
+        }
+        interface eth0.5
+        interface eth0.10
+        interface wg100
+        interface wg200
+    }
+    zone LOCAL {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-LOCAL
+            }
+        }
+        from GUEST {
+            firewall {
+                ipv6-name ALLOW-ESTABLISHED-6
+                name GUEST-LOCAL
+            }
+        }
+        from LAN {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LAN-LOCAL
+            }
+        }
+        from WAN {
+            firewall {
+                ipv6-name WAN-LOCAL-6
+                name WAN-LOCAL
+            }
+        }
+        local-zone
+    }
+    zone WAN {
+        default-action drop
+        from DMZ {
+            firewall {
+                name DMZ-WAN
+            }
+        }
+        from GUEST {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name GUEST-WAN
+            }
+        }
+        from LAN {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LAN-WAN
+            }
+        }
+        from LOCAL {
+            firewall {
+                ipv6-name ALLOW-ALL-6
+                name LOCAL-WAN
+            }
+        }
+        interface pppoe0
+        interface wg666
+    }
+}
+
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:container@1:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@22:ipoe-server@1:ipsec@5:isis@1:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@8:rpki@1:salt@1:snmp@2:ssh@2:sstp@3:system@21:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3.4
diff --git a/smoketest/scripts/cli/test_service_dns_dynamic.py b/smoketest/scripts/cli/test_service_dns_dynamic.py
index cb3d90593..3c7303f32 100755
--- a/smoketest/scripts/cli/test_service_dns_dynamic.py
+++ b/smoketest/scripts/cli/test_service_dns_dynamic.py
@@ -294,7 +294,7 @@ class TestServiceDDNS(VyOSUnitTestSHIM.TestCase):
 
     def test_07_dyndns_vrf(self):
         # Table number randomized, but should be within range 100-65535
-        vrf_table = "".join(random.choices(string.digits, k=4))
+        vrf_table = '58710'
         vrf_name = f'vyos-test-{vrf_table}'
         svc_path = name_path + ['cloudflare']
         proto = 'cloudflare'
diff --git a/src/conf_mode/system-login.py b/src/conf_mode/system-login.py
index 3bee961fc..aeac82462 100755
--- a/src/conf_mode/system-login.py
+++ b/src/conf_mode/system-login.py
@@ -306,6 +306,7 @@ def generate(login):
 
 
 def apply(login):
+    enable_otp = False
     if 'user' in login:
         for user, user_config in login['user'].items():
             # make new user using vyatta shell and make home directory (-m),
@@ -350,6 +351,7 @@ def apply(login):
 
             # Generate 2FA/MFA One-Time-Pad configuration
             if dict_search('authentication.otp.key', user_config):
+                enable_otp = True
                 render(f'{home_dir}/.google_authenticator', 'login/pam_otp_ga.conf.j2',
                        user_config, permission=0o400, user=user, group='users')
             else:
@@ -398,6 +400,11 @@ def apply(login):
             pam_profile = 'tacplus-optional'
         cmd(f'pam-auth-update --enable {pam_profile}')
 
+    # Enable/disable Google authenticator
+    cmd('pam-auth-update --disable mfa-google-authenticator')
+    if enable_otp:
+        cmd(f'pam-auth-update --enable mfa-google-authenticator')
+
     return None
 
 
diff --git a/src/init/vyos-router b/src/init/vyos-router
index 35095afe4..711681a8e 100755
--- a/src/init/vyos-router
+++ b/src/init/vyos-router
@@ -260,6 +260,8 @@ EOF
     rm -f /etc/pam_radius_auth.conf
     pam-auth-update --disable tacplus-mandatory tacplus-optional
     rm -f /etc/tacplus_nss.conf /etc/tacplus_servers
+    # and no Google authenticator for 2FA/MFA
+    pam-auth-update --disable mfa-google-authenticator
 
     # Certain configuration files are re-generated by the configuration
     # subsystem and must reside under /etc and can not easily be moved to /run.
diff --git a/src/migration-scripts/interfaces/29-to-30 b/src/migration-scripts/interfaces/29-to-30
index 97e1b329c..04e023e77 100755
--- a/src/migration-scripts/interfaces/29-to-30
+++ b/src/migration-scripts/interfaces/29-to-30
@@ -35,16 +35,19 @@ if __name__ == '__main__':
         # Nothing to do
         sys.exit(0)
     for interface in config.list_nodes(base):
+        if not config.exists(base + [interface, 'private-key']):
+            continue
         private_key = config.return_value(base + [interface, 'private-key'])
         interface_base = base + [interface]
         if config.exists(interface_base + ['peer']):
             for peer in config.list_nodes(interface_base + ['peer']):
                 peer_base = interface_base + ['peer', peer]
+                if not config.exists(peer_base + ['public-key']):
+                    continue
                 peer_public_key = config.return_value(peer_base + ['public-key'])
-                if config.exists(peer_base + ['public-key']):
-                    if not config.exists(peer_base + ['disable']) \
-                            and is_wireguard_key_pair(private_key, peer_public_key):
-                        config.set(peer_base + ['disable'])
+                if not config.exists(peer_base + ['disable']) \
+                        and is_wireguard_key_pair(private_key, peer_public_key):
+                    config.set(peer_base + ['disable'])
 
     try:
         with open(file_name, 'w') as f:
diff --git a/src/pam-configs/mfa-google-authenticator b/src/pam-configs/mfa-google-authenticator
new file mode 100644
index 000000000..9e49e5ef9
--- /dev/null
+++ b/src/pam-configs/mfa-google-authenticator
@@ -0,0 +1,8 @@
+Name: Google Authenticator PAM module (2FA/MFA)
+Default: no
+Priority: 384
+
+Auth-Type: Primary
+Auth:
+    [default=ignore success=ok auth_err=die] pam_google_authenticator.so nullok forward_pass
+