Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/dhcp-server/dhcpd.conf.j24
-rw-r--r--data/templates/firewall/nftables-defines.j213
-rw-r--r--data/templates/protocols/systemd_vyos_failover_service.j211
-rw-r--r--data/templates/router-advert/radvd.conf.j27
-rw-r--r--data/templates/snmp/etc.snmpd.conf.j21
-rw-r--r--data/templates/squid/sg_acl.conf.j21
-rw-r--r--data/templates/squid/squidGuard.conf.j2122
-rw-r--r--data/templates/sstp-client/peer.j253
8 files changed, 191 insertions, 21 deletions
diff --git a/data/templates/dhcp-server/dhcpd.conf.j2 b/data/templates/dhcp-server/dhcpd.conf.j2
index 4c2da0aa5..639526532 100644
--- a/data/templates/dhcp-server/dhcpd.conf.j2
+++ b/data/templates/dhcp-server/dhcpd.conf.j2
@@ -22,6 +22,7 @@ ddns-update-style {{ 'interim' if dynamic_dns_update is vyos_defined else 'none'
option rfc3442-static-route code 121 = array of integer 8;
option windows-static-route code 249 = array of integer 8;
option wpad-url code 252 = text;
+option rfc8925-ipv6-only-preferred code 108 = unsigned integer 32;
# Vendor specific options - Ubiquiti Networks
option space ubnt;
@@ -127,6 +128,9 @@ shared-network {{ network }} {
{% if subnet_config.wins_server is vyos_defined %}
option netbios-name-servers {{ subnet_config.wins_server | join(', ') }};
{% endif %}
+{% if subnet_config.ipv6_only_preferred is vyos_defined %}
+ option rfc8925-ipv6-only-preferred {{ subnet_config.ipv6_only_preferred }};
+{% endif %}
{% if subnet_config.static_route is vyos_defined %}
{% set static_default_route = '' %}
{% if subnet_config.default_router is vyos_defined %}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index dd06dee28..0a7e79edd 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -85,5 +85,18 @@
}
{% endfor %}
{% endif %}
+{% if group.interface_group is vyos_defined %}
+{% for group_name, group_conf in group.interface_group.items() %}
+{% set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
+ set I_{{ group_name }} {
+ type ifname
+ flags interval
+ auto-merge
+{% if group_conf.interface is vyos_defined or includes %}
+ elements = { {{ group_conf.interface | nft_nested_group(includes, group.interface_group, 'interface') | join(",") }} }
+{% endif %}
+ }
+{% endfor %}
+{% endif %}
{% endif %}
{% endmacro %}
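Review bot: The `elements = { ... }` line pipes `group_conf.interface` into `nft_nested_group` even in the case where only `includes` is populated and `group_conf.interface` is undefined, so the filter receives a Jinja Undefined rather than a list; whether it tolerates that depends on the filter implementation, which is outside this hunk. Guarding the input, `group_conf.interface | default([]) | nft_nested_group(includes, group.interface_group, 'interface') | join(",")`, keeps the argument a list in both branches of the surrounding `if`. The enclosing macro starts before this hunk.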
diff --git a/data/templates/protocols/systemd_vyos_failover_service.j2 b/data/templates/protocols/systemd_vyos_failover_service.j2
new file mode 100644
index 000000000..e6501e0f5
--- /dev/null
+++ b/data/templates/protocols/systemd_vyos_failover_service.j2
@@ -0,0 +1,11 @@
+[Unit]
+Description=Failover route service
+After=vyos-router.service
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/python3 /usr/libexec/vyos/vyos-failover.py --config /run/vyos-failover.conf
+
+[Install]
+WantedBy=multi-user.target
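Review bot: `Restart=always` is paired with no `RestartSec=`, so if the failover script crashes on startup it is restarted every 100 ms and hits systemd's default start-rate limit (5 starts in 10 s), after which the unit stays in a failed state and no route failover happens at all; `RestartSec=5` in `[Service]` and, if indefinite retry is the intent, `StartLimitIntervalSec=0` in `[Unit]` avoid that. The unit also runs the script with full root privileges and no sandboxing directives; what the script actually needs is not visible here, but if it only checks reachability and edits routes, bounding it with `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW` and `NoNewPrivileges=yes` is worth evaluating.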
diff --git a/data/templates/router-advert/radvd.conf.j2 b/data/templates/router-advert/radvd.conf.j2
index a464795ad..4ef4751dd 100644
--- a/data/templates/router-advert/radvd.conf.j2
+++ b/data/templates/router-advert/radvd.conf.j2
@@ -43,6 +43,13 @@ interface {{ iface }} {
};
{% endfor %}
{% endif %}
+{% if iface_config.source_address is vyos_defined %}
+ AdvRASrcAddress {
+{% for source_address in iface_config.source_address %}
+ {{ source_address }};
+{% endfor %}
+ };
+{% endif %}
{% if iface_config.prefix is vyos_defined %}
{% for prefix, prefix_options in iface_config.prefix.items() %}
prefix {{ prefix }} {
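Review bot: The `AdvRASrcAddress` entries are emitted verbatim, and RFC 4861 requires router advertisements to be sourced from a link-local address that is present on the interface; radvd, as far as I recall, checks the configured addresses against the interface and complains when they are missing. It is not visible here whether the CLI validator for `source_address` enforces fe80::/10, so a global address accepted by the CLI could be rejected at radvd start. If the validator does not constrain it, a template comment such as `{# radvd expects link-local addresses configured on the interface #}` records the assumption for maintainers.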
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 57ad704c0..47bf6878f 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -76,6 +76,7 @@ agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vy
{% endif %}
{% if comm_config.client is not vyos_defined and comm_config.network is not vyos_defined %}
{{ comm_config.authorization }}community {{ comm }}
+{{ comm_config.authorization }}community6 {{ comm }}
{% endif %}
{% endfor %}
{% endif %}
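Review bot: The added `community6` line lives in the branch taken when neither `client` nor `network` is configured, so an unrestricted community is now reachable from any IPv6 source as well as any IPv4 source; this mirrors the existing IPv4 behaviour but widens exposure on dual-stack agents and deserves a mention in the release notes. The restricted branches above this hunk appear to emit only `community` lines; net-snmp's `rocommunity`/`rwcommunity` take IPv4 sources only, so an IPv6 address or prefix under `client`/`network` would also need a `community6` line there, if those branches do not already handle it.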
diff --git a/data/templates/squid/sg_acl.conf.j2 b/data/templates/squid/sg_acl.conf.j2
index ce72b173a..78297a2b8 100644
--- a/data/templates/squid/sg_acl.conf.j2
+++ b/data/templates/squid/sg_acl.conf.j2
@@ -1,6 +1,5 @@
### generated by service_webproxy.py ###
dbhome {{ squidguard_db_dir }}
-
dest {{ category }}-{{ rule }} {
{% if list_type == 'domains' %}
domainlist {{ category }}/domains
diff --git a/data/templates/squid/squidGuard.conf.j2 b/data/templates/squid/squidGuard.conf.j2
index 1bc4c984f..a93f878df 100644
--- a/data/templates/squid/squidGuard.conf.j2
+++ b/data/templates/squid/squidGuard.conf.j2
@@ -1,10 +1,16 @@
### generated by service_webproxy.py ###
-{% macro sg_rule(category, log, db_dir) %}
+{% macro sg_rule(category, rule, log, db_dir) %}
+{% set domains = db_dir + '/' + category + '/domains' %}
+{% set urls = db_dir + '/' + category + '/urls' %}
{% set expressions = db_dir + '/' + category + '/expressions' %}
-dest {{ category }}-default {
+dest {{ category }}-{{ rule }}{
+{% if domains | is_file %}
domainlist {{ category }}/domains
+{% endif %}
+{% if urls | is_file %}
urllist {{ category }}/urls
+{% endif %}
{% if expressions | is_file %}
expressionlist {{ category }}/expressions
{% endif %}
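Review bot: `dest {{ category }}-{{ rule }}{` drops the space before the opening brace that both the removed line and the sibling template `sg_acl.conf.j2` (`dest {{ category }}-{{ rule }} {`) have; squidGuard's lexer may well accept `name{`, but the two templates generate the same construct and should agree, so `dest {{ category }}-{{ rule }} {`. The rest of the macro body and its `endmacro` lie outside this hunk.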
@@ -17,8 +23,9 @@ dest {{ category }}-default {
{% if url_filtering is vyos_defined and url_filtering.disable is not vyos_defined %}
{% if url_filtering.squidguard is vyos_defined %}
{% set sg_config = url_filtering.squidguard %}
-{% set acl = namespace(value='local-ok-default') %}
+{% set acl = namespace(value='') %}
{% set acl.value = acl.value + ' !in-addr' if sg_config.allow_ipaddr_url is not defined else acl.value %}
+{% set ruleacls = {} %}
dbhome {{ squidguard_db_dir }}
logdir /var/log/squid
@@ -38,24 +45,28 @@ dest local-ok-default {
domainlist local-ok-default/domains
}
{% endif %}
+
{% if sg_config.local_ok_url is vyos_defined %}
{% set acl.value = acl.value + ' local-ok-url-default' %}
dest local-ok-url-default {
urllist local-ok-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-default' %}
dest local-block-default {
domainlist local-block-default/domains
}
{% endif %}
+
{% if sg_config.local_block_url is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-url-default' %}
dest local-block-url-default {
urllist local-block-url-default/urls
}
{% endif %}
+
{% if sg_config.local_block_keyword is vyos_defined %}
{% set acl.value = acl.value + ' !local-block-keyword-default' %}
dest local-block-keyword-default {
@@ -65,16 +76,100 @@ dest local-block-keyword-default {
{% if sg_config.block_category is vyos_defined %}
{% for category in sg_config.block_category %}
-{{ sg_rule(category, sg_config.log, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', sg_config.log, squidguard_db_dir) }}
{% set acl.value = acl.value + ' !' + category + '-default' %}
{% endfor %}
{% endif %}
{% if sg_config.allow_category is vyos_defined %}
{% for category in sg_config.allow_category %}
-{{ sg_rule(category, False, squidguard_db_dir) }}
+{{ sg_rule(category, 'default', False, squidguard_db_dir) }}
{% set acl.value = acl.value + ' ' + category + '-default' %}
{% endfor %}
{% endif %}
+
+
+{% if sg_config.rule is vyos_defined %}
+{% for rule, rule_config in sg_config.rule.items() %}
+{% if rule_config.local_ok is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-' + rule}) %}
+{% endif %}
+dest local-ok-{{ rule }} {
+ domainlist local-ok-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_ok_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' local-ok-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'local-ok-url-' + rule}) %}
+{% endif %}
+dest local-ok-url-{{ rule }} {
+ urllist local-ok-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-' + rule}) %}
+{% endif %}
+dest local-block-{{ rule }} {
+ domainlist local-block-{{ rule }}/domains
+}
+{% endif %}
+
+{% if rule_config.local_block_url is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-url-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!ocal-block-url-' + rule}) %}
+{% endif %}
+dest local-block-url-{{ rule }} {
+ urllist local-block-url-{{ rule }}/urls
+}
+{% endif %}
+
+{% if rule_config.local_block_keyword is vyos_defined %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !local-block-keyword-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!local-block-keyword-' + rule}) %}
+{% endif %}
+dest local-block-keyword-{{ rule }} {
+ expressionlist local-block-keyword-{{ rule }}/expressions
+}
+{% endif %}
+
+{% if rule_config.block_category is vyos_defined %}
+{% for b_category in rule_config.block_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' !' + b_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:'!' + b_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(b_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+
+{% if rule_config.allow_category is vyos_defined %}
+{% for a_category in rule_config.allow_category %}
+{% if rule in ruleacls %}
+{% set _dummy = ruleacls.update({rule: ruleacls[rule] + ' ' + a_category + '-' + rule}) %}
+{% else %}
+{% set _dummy = ruleacls.update({rule:a_category + '-' + rule}) %}
+{% endif %}
+{{ sg_rule(a_category, rule, sg_config.log, squidguard_db_dir) }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+
{% if sg_config.source_group is vyos_defined %}
{% for sgroup, sg_config in sg_config.source_group.items() %}
{% if sg_config.address is vyos_defined %}
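Review bot: In the `local_block_url` branch the first-entry case writes `'!ocal-block-url-' + rule` (missing `l`), so a rule whose first ACL entry is a local URL block gets `pass !ocal-block-url-<rule> ...` while the dest defined two lines later is `local-block-url-<rule>`; the pass line then references a dest that does not exist and the block is either rejected by squidGuard or never applied. It should read `{% set _dummy = ruleacls.update({rule:'!local-block-url-' + rule}) %}`. Separately, the per-rule `allow_category` loop calls `sg_rule(a_category, rule, sg_config.log, squidguard_db_dir)` whereas the global allow path above passes `False` for the log argument, so allowed categories would be logged only under per-rule ACLs; if that is unintended, pass `False` there as well. The eight near-identical `if rule in ruleacls ... else` blocks could be collapsed into one small macro that appends a token to `ruleacls[rule]`, which would have made this typo impossible.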
@@ -83,28 +178,15 @@ src {{ sgroup }} {
ip {{ address }}
{% endfor %}
}
-
{% endif %}
{% endfor %}
{% endif %}
-{% if sg_config.rule is vyos_defined %}
-{% for rule, rule_config in sg_config.rule.items() %}
-{% for b_category in rule_config.block_category %}
-dest {{ b_category }} {
- domainlist {{ b_category }}/domains
- urllist {{ b_category }}/urls
-}
-{% endfor %}
-{% endfor %}
-{% endif %}
acl {
{% if sg_config.rule is vyos_defined %}
{% for rule, rule_config in sg_config.rule.items() %}
{{ rule_config.source_group }} {
-{% for b_category in rule_config.block_category %}
- pass local-ok-1 !in-addr !{{ b_category }} all
-{% endfor %}
+ pass {{ ruleacls[rule] }} {{ 'none' if rule_config.default_action is vyos_defined('block') else 'any' }}
}
{% endfor %}
{% endif %}
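Review bot: `pass {{ ruleacls[rule] }} ...` assumes every rule added at least one entry to `ruleacls` in the loop above; a rule carrying only `source_group` and `default_action` never does, so the lookup yields an Undefined, which renders as an empty string under the default Jinja environment or raises under a strict one, and the line degrades to `pass  any`. `pass {{ ruleacls.get(rule, '') }} ...` makes that fallback explicit. The removed per-rule line also carried `!in-addr` and the new one does not, while the global ACL still appends ` !in-addr` unless `allow_ipaddr_url` is set; unless per-rule ACLs are meant to admit URLs by raw IP address, which would let clients sidestep the domain-based blocklists, the same conditional `!in-addr` token should be prepended on the per-rule pass line.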
@@ -113,7 +195,7 @@ acl {
{% if sg_config.enable_safe_search is vyos_defined %}
rewrite safesearch
{% endif %}
- pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'allow' }}
+ pass {{ acl.value }} {{ 'none' if sg_config.default_action is vyos_defined('block') else 'any' }}
redirect 302:http://{{ sg_config.redirect_url }}
{% if sg_config.log is vyos_defined %}
log blacklist.log
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
new file mode 100644
index 000000000..7a0b0e1f7
--- /dev/null
+++ b/data/templates/sstp-client/peer.j2
@@ -0,0 +1,53 @@
+### Autogenerated by interfaces-sstpc.py ###
+{{ '# ' ~ description if description is vyos_defined else '' }}
+
+# Require peer to provide the local IP address if it is not
+# specified explicitly in the config file.
+noipdefault
+
+# Don't show the password in logfiles:
+hide-password
+
+remotename {{ ifname }}
+linkname {{ ifname }}
+ipparam {{ ifname }}
+ifname {{ ifname }}
+pty "sstpc --ipparam {{ ifname }} --nolaunchpppd {{ server }}:{{ port }} --ca-cert {{ ca_file_path }}"
+
+# Override any connect script that may have been set in /etc/ppp/options.
+connect /bin/true
+
+# We don't need the server to auth itself
+noauth
+
+# We won't want EAP
+refuse-eap
+
+# Don't try to proxy ARP for the remote endpoint. User can set proxy
+# arp entries up manually if they wish. More importantly, having
+# the "proxyarp" parameter set disables the "defaultroute" option.
+noproxyarp
+
+# Unlimited connection attempts
+maxfail 0
+
+plugin sstp-pppd-plugin.so
+sstp-sock /var/run/sstpc/sstpc-{{ ifname }}
+
+persist
+debug
+
+# pppd should create a UUCP-style lock file for the serial device to ensure
+# exclusive access to the device. By default, pppd will not create a lock file.
+lock
+
+# Disables Deflate compression
+nodeflate
+
+{% if authentication is vyos_defined %}
+{{ 'user "' + authentication.user + '"' if authentication.user is vyos_defined }}
+{{ 'password "' + authentication.password + '"' if authentication.password is vyos_defined }}
+{% endif %}
+
+{{ "usepeerdns" if no_peer_dns is not vyos_defined }}
+
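Review bot: The `user "..."` and `password "..."` lines are built by plain concatenation, so a credential containing a double quote or a backslash produces a malformed pppd options line (pppd honours backslash escapes inside double-quoted words), unless the CLI validator rejects those characters, which is outside this template. Escaping at the point of use, e.g. `{{ 'password "' + (authentication.password | replace('\\', '\\\\') | replace('"', '\\"')) + '"' if authentication.password is vyos_defined }}` and the same for `user`, keeps the file well-formed for any value. The `pty` command line is likewise interpolated unescaped into a string that pppd hands to `/bin/sh -c`; `server`, `port` and `ca_file_path` presumably arrive validated from the CLI, so a comment such as `# server, port and ca_file_path are assumed validated by the CLI before reaching pppd` would record that dependency. `debug` is enabled unconditionally, and the existing `hide-password` comment could note that it is what keeps the credential out of those debug logs.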