94 files changed, 1993 insertions, 1498 deletions

diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index a498d8186..595e3a565 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -30,7 +30,16 @@ dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.r
 {%     endif %}
 {% endif %}
 {# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gateway_address is vyos_defined %}
+{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %}
+{%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
+{%     endif %}
 {% endif %}
 
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
index f7511e445..6ac04e1a1 100644
--- a/data/templates/accel-ppp/config_ip_pool.j2
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -1,24 +1,28 @@
-{% if client_ip_pool is vyos_defined %}
+{% if ordered_named_pools is vyos_defined %}
 [ip-pool]
 {%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
 {%     endif %}
-{%     if client_ip_pool.start is vyos_defined and client_ip_pool.stop is vyos_defined %}
-{{ client_ip_pool.start }}-{{ client_ip_pool.stop.split('.')[3] }}
-{%     endif %}
-{%     if client_ip_pool.subnet is vyos_defined %}
-{%         for subnet in client_ip_pool.subnet %}
-{{ subnet }}
-{%         endfor %}
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-{{ pool_config.subnet }},name={{ pool }}
+{%     for pool in ordered_named_pools %}
+{%         for pool_name, pool_config in pool.items() %}
+{%             set iprange_str = pool_config.range %}
+{%             set iprange_list = pool_config.range.split('-') %}
+{%             if iprange_list | length == 2 %}
+{%                 set last_ip_oct = iprange_list[1].split('.') %}
+{%                 set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
 {%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}
+{%             if pool_config.next_pool is vyos_defined %}
+{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }}
+{%             else %}
+{{ iprange_str }},name={{ pool_name }}
 {%             endif %}
 {%         endfor %}
-{%     endif %}
+{%     endfor %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2
index 0cf6a6a92..fcd68f69e 100644
--- a/data/templates/accel-ppp/config_shaper_radius.j2
+++ b/data/templates/accel-ppp/config_shaper_radius.j2
@@ -1,6 +1,7 @@
 {% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %}
 [shaper]
 verbose=1
+down-limiter=tbf
 {%     if authentication.radius.rate_limit.enable is vyos_defined %}
 attr={{ authentication.radius.rate_limit.attribute }}
 {%         if authentication.radius.rate_limit.vendor is vyos_defined %}
@@ -13,7 +14,6 @@ rate-multiplier={{ authentication.radius.rate_limit.multiplier }}
 {%     if shaper is vyos_defined %}
 {%         if shaper.fwmark is vyos_defined %}
 fwmark={{ shaper.fwmark }}
-down-limiter=htb
 {%         endif %}
 {%     endif %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index f59428509..588f3d462 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -14,6 +14,11 @@ ippool
 [core]
 thread-count={{ thread_count }}
 
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
+
 [log]
 syslog=accel-ipoe,daemon
 copy=1
@@ -50,38 +55,18 @@ noauth=1
 username=ifname
 password=csid
 {% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{%     if first_named_pool is vyos_defined %}
-ip-pool={{ first_named_pool }}
-{%     else %}
-{%         for pool, pool_options in client_ip_pool.name.items() %}
-{%             if pool_options.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
-{%     for pool, pool_options in client_ip_pool.name.items() %}
-{%         if pool_options.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if gateway_address is vyos_defined %}
+{%     for gw_addr in gateway_address %}
+gw-ip-address={{ gw_addr }}
 {%     endfor %}
 {% endif %}
 proxy-arp=1
 
-{% if ordered_named_pools is vyos_defined %}
-[ip-pool]
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-{%             set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %}
-{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }}
-{%         endfor %}
-{%     endfor %}
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endfor %}
-{%     endfor %}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
 {# Common IPv6 pool definitions #}
 {% include 'accel-ppp/config_ipv6_pool.j2' %}
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index a2f9c9fc7..49755254a 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -2,46 +2,34 @@
 [modules]
 log_syslog
 l2tp
-chap-secrets
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
-
-{% if auth_mode == 'radius' %}
-radius
-{% endif %}
-
-ippool
 shaper
-ipv6pool
-ipv6_nd
-ipv6_dhcp
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
+ippool
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
+{# Common authentication protocols (pap, chap ...) #}
+{% include 'accel-ppp/config_modules_auth_protocols.j2' %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-l2tp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
-
-{% if dnsv6 %}
-[ipv6-dns]
-{%     for dns in dnsv6 %}
-{{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
@@ -50,116 +38,59 @@ wins{{ loop.index }}={{ server }}
 verbose=1
 ifname=l2tp%d
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
-{% if outside_addr %}
-bind={{ outside_addr }}
+mppe={{ ppp_options.mppe }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
 {% endif %}
-{% if lns_shared_secret %}
-secret={{ lns_shared_secret }}
+{% if lns.shared_secret is vyos_defined %}
+secret={{ lns.shared_secret }}
 {% endif %}
-{% if lns_host_name %}
-host-name={{ lns_host_name }}
+{% if lns.host_name is vyos_defined %}
+host-name={{ lns.host_name }}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
 {% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-{% if client_ip_pool or client_ip_subnets %}
-[ip-pool]
-{%     if client_ip_pool %}
-{{ client_ip_pool }}
-{%     endif %}
-{%     if client_ip_subnets %}
-{%         for sn in client_ip_subnets %}
-{{ sn }}
-{%         endfor %}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
-{%     if radius_dynamic_author.server is vyos_defined %}
-dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
-{%     endif %}
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
 [ppp]
 verbose=1
 check-ip=1
 single-session=replace
-lcp-echo-timeout={{ ppp_echo_timeout }}
-lcp-echo-interval={{ ppp_echo_interval }}
-lcp-echo-failure={{ ppp_echo_failure }}
-{% if ccp_disable %}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{# MTU #}
+mtu={{ mtu }}
+ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
+ipv4={{ ppp_options.ipv4 }}
+mppe={{ ppp_options.mppe }}
+{% if ccp_disable is vyos_defined %}
 ccp=0
 {% endif %}
-{% if ppp_ipv6 is vyos_defined %}
-ipv6={{ ppp_ipv6 }}
-{% else %}
-{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
-{% endif %}
-{% if ppp_ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_ipv6_intf_id }}
-{% endif %}
-{% if ppp_ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
-{% endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
 
-{% if client_ipv6_pool %}
-[ipv6-pool]
-{%     for p in client_ipv6_pool %}
-{{ p.prefix }},{{ p.mask }}
-{%     endfor %}
-{%     for p in client_ipv6_delegate_prefix %}
-delegate={{ p.prefix }},{{ p.mask }}
-{%     endfor %}
+{% if ppp_options.ipv6_intf_id is vyos_defined %}
+ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
 {% endif %}
-
-{% if client_ipv6_delegate_prefix %}
-[ipv6-dhcp]
-verbose=1
+{% if ppp_options.ipv6_peer_intf_id is vyos_defined %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
 {% endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
 
-{% if radius_shaper_attr %}
-[shaper]
-verbose=1
-attr={{ radius_shaper_attr }}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
+
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2004
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index dd53edd28..4bb1c4450 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -62,10 +62,13 @@ wins{{ loop.index }}={{ server }}
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 [common]
+{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 single-session={{ session_control }}
 {% endif %}
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [ppp]
 verbose=1
@@ -105,7 +108,6 @@ unit-cache={{ ppp_options.interface_cache }}
 [pppoe]
 verbose=1
 ac-name={{ access_concentrator }}
-
 {% if interface is vyos_defined %}
 {%     for iface, iface_config in interface.items() %}
 {%         if iface_config.vlan is not vyos_defined %}
@@ -118,11 +120,9 @@ vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
 {%         endif %}
 {%     endfor %}
 {% endif %}
-
 {% if service_name %}
 service-name={{ service_name | join(',') }}
 {% endif %}
-
 {% if pado_delay %}
 {%     set pado_delay_param = namespace(value='0') %}
 {%     for delay in pado_delay | sort(attribute='0') %}
@@ -137,21 +137,11 @@ pado-delay={{ pado_delay_param.value }}
 {% if authentication.radius.called_sid_format is vyos_defined %}
 called-sid={{ authentication.radius.called_sid_format }}
 {% endif %}
-
-{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %}
-{%     if authentication.mode is vyos_defined("noauth") %}
+{% if authentication.mode is vyos_defined("noauth") %}
 noauth=1
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
 {% endif %}
 
 {% if limits is vyos_defined %}
diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2
index 0082e55bf..daafd6e92 100644
--- a/data/templates/accel-ppp/pptp.config.j2
+++ b/data/templates/accel-ppp/pptp.config.j2
@@ -3,34 +3,39 @@
 log_syslog
 pptp
 shaper
-{% if auth_mode == 'local' %}
-chap-secrets
-{% elif auth_mode == 'radius' %}
-radius
-{% endif %}
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
 ippool
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
+{# Common authentication protocols (pap, chap ...) #}
+{% if authentication.require is vyos_defined %}
+{%     if authentication.require == 'chap' %}
+auth_chap_md5
+{%     elif authentication.require == 'mschap' %}
+auth_mschap_v1
+{%     else %}
+auth_{{ authentication.require.replace('-', '_') }}
+{%     endif %}
+{% endif %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-pptp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
@@ -38,77 +43,34 @@ wins{{ loop.index }}={{ server }}
 
 [pptp]
 ifname=pptp%d
-{% if outside_addr %}
-bind={{ outside_addr }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
 {% endif %}
 verbose=1
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
+mppe={{ authentication.mppe }}
 echo-interval=10
 echo-failure=3
-
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-[ip-pool]
-tunnel={{ client_ip_pool }}
-gw-ip-address={{ gw_ip }}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
 [ppp]
 verbose=5
 check-ip=1
 single-session=replace
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
-
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gw_ip is defined and gw_ip is not none %}
-gw-ip-address={{ gw_ip }}
-{% endif %}
-
-{% if radius_shaper_enable %}
-[shaper]
-verbose=1
-{%     if radius_shaper_attr %}
-attr={{ radius_shaper_attr }}
-{%     endif %}
-{%     if radius_shaper_multiplier %}
-rate-multiplier={{ radius_shaper_multiplier }}
-{%     endif %}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2003
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 7ee28dd21..014ae1235 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -16,6 +16,9 @@ thread-count={{ thread_count }}
 
 [common]
 single-session=replace
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-sstp,daemon
@@ -33,6 +36,9 @@ accept=ssl
 ssl-ca-file=/run/accel-pppd/sstp-ca.pem
 ssl-pemfile=/run/accel-pppd/sstp-cert.pem
 ssl-keyfile=/run/accel-pppd/sstp-cert.key
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
 
 {# Common IP pool definitions #}
 {% include 'accel-ppp/config_ip_pool.j2' %}
@@ -51,9 +57,9 @@ verbose=1
 check-ip=1
 {# MTU #}
 mtu={{ mtu }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
 ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
 ipv4={{ ppp_options.ipv4 }}
-
 mppe={{ ppp_options.mppe }}
 lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
 lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.j2 b/data/templates/bcast-relay/udp-broadcast-relay.j2
index 75740e04c..3f5b5bbe3 100644
--- a/data/templates/bcast-relay/udp-broadcast-relay.j2
+++ b/data/templates/bcast-relay/udp-broadcast-relay.j2
@@ -1,4 +1,4 @@
-### Autogenerated by bcast_relay.py ###
+### Autogenerated by service_broadcast-relay.py ###
 
 # UDP broadcast relay configuration for instance {{ id }}
 {{ '# ' ~ description if description is vyos_defined }}
diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 0daec8fb8..d02fbf71d 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ntp.py ###
+### Autogenerated by service_ntp.py ###
 
 # This would step the system clock if the adjustment is larger than 0.1 seconds,
 # but only in the first three clock updates.
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 075402c04..9ea1ed2d8 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,4 +1,4 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 {# all values have defaults - thus no checking required #}
 
 net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..290607662 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 808a77759..8f56c8171 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -1,4 +1,4 @@
-# autogenerated by conntrack_sync.py
+### autogenerated by service_conntrack-sync.py ###
 
 # Synchronizer settings
 Sync {
@@ -111,4 +111,3 @@ General {
     }
 {% endif %}
 }
-
diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c635ca213..c8b54dfbb 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -1,709 +1,709 @@
-### Autogenerated by container.py ###

-

-# The containers configuration file specifies all of the available configuration

-# command-line options/flags for container engine tools like Podman & Buildah,

-# but in a TOML format that can be easily modified and versioned.

-

-# Please refer to containers.conf(5) for details of all configuration options.

-# Not all container engines implement all of the options.

-# All of the options have hard coded defaults and these options will override

-# the built in defaults. Users can then override these options via the command

-# line. Container engines will read containers.conf files in up to three

-# locations in the following order:

-#  1. /usr/share/containers/containers.conf

-#  2. /etc/containers/containers.conf

-#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)

-#  Items specified in the latter containers.conf, if they exist, override the

-# previous containers.conf settings, or the default settings.

-

-[containers]

-

-# List of annotation. Specified as

-# "key = value"

-# If it is empty or commented out, no annotations will be added

-#

-#annotations = []

-

-# Used to change the name of the default AppArmor profile of container engine.

-#

-#apparmor_profile = "container-default"

-

-# The hosts entries from the base hosts file are added to the containers hosts

-# file. This must be either an absolute path or as special values "image" which

-# uses the hosts file from the container image or "none" which means

-# no base hosts file is used. The default is "" which will use /etc/hosts.

-#

-#base_hosts_file = ""

-

-# Default way to to create a cgroup namespace for the container

-# Options are:

-# `private` Create private Cgroup Namespace for the container.

-# `host`    Share host Cgroup Namespace with the container.

-#

-#cgroupns = "private"

-

-# Control container cgroup configuration

-# Determines  whether  the  container will create CGroups.

-# Options are:

-# `enabled`   Enable cgroup support within container

-# `disabled`  Disable cgroup support, will inherit cgroups from parent

-# `no-conmon` Do not create a cgroup dedicated to conmon.

-#

-#cgroups = "enabled"

-

-# List of default capabilities for containers. If it is empty or commented out,

-# the default capabilities defined in the container engine will be added.

-#

-default_capabilities = [

-  "CHOWN",

-  "DAC_OVERRIDE",

-  "FOWNER",

-  "FSETID",

-  "KILL",

-  "NET_BIND_SERVICE",

-  "SETFCAP",

-  "SETGID",

-  "SETPCAP",

-  "SETUID",

-  "SYS_CHROOT"

-]

-

-# A list of sysctls to be set in containers by default,

-# specified as "name=value",

-# for example:"net.ipv4.ping_group_range=0 0".

-#

-default_sysctls = [

-  "net.ipv4.ping_group_range=0 0",

-]

-

-# A list of ulimits to be set in containers by default, specified as

-# "<ulimit name>=<soft limit>:<hard limit>", for example:

-# "nofile=1024:2048"

-# See setrlimit(2) for a list of resource names.

-# Any limit not specified here will be inherited from the process launching the

-# container engine.

-# Ulimits has limits for non privileged container engines.

-#

-#default_ulimits = [

-#  "nofile=1280:2560",

-#]

-

-# List of devices. Specified as

-# "<device-on-host>:<device-on-container>:<permissions>", for example:

-# "/dev/sdc:/dev/xvdc:rwm".

-# If it is empty or commented out, only the default devices will be used

-#

-#devices = []

-

-# List of default DNS options to be added to /etc/resolv.conf inside of the container.

-#

-#dns_options = []

-

-# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

-#

-#dns_searches = []

-

-# Set default DNS servers.

-# This option can be used to override the DNS configuration passed to the

-# container. The special value "none" can be specified to disable creation of

-# /etc/resolv.conf in the container.

-# The /etc/resolv.conf file in the image will be used without changes.

-#

-#dns_servers = []

-

-# Environment variable list for the conmon process; used for passing necessary

-# environment variables to conmon or the runtime.

-#

-#env = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-#  "TERM=xterm",

-#]

-

-# Pass all host environment variables into the container.

-#

-#env_host = false

-

-# Set the ip for the host.containers.internal entry in the containers /etc/hosts

-# file. This can be set to "none" to disable adding this entry. By default it

-# will automatically choose the host ip.

-#

-# NOTE: When using podman machine this entry will never be added to the containers

-# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore

-# it is not possible to disable the entry in this case.

-#

-#host_containers_internal_ip = ""

-

-# Default proxy environment variables passed into the container.

-# The environment variables passed in include:

-# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of

-# these. This option is needed when host system uses a proxy but container

-# should not use proxy. Proxy environment variables specified for the container

-# in any other way will override the values passed from the host.

-#

-#http_proxy = true

-

-# Run an init inside the container that forwards signals and reaps processes.

-#

-#init = false

-

-# Container init binary, if init=true, this is the init binary to be used for containers.

-#

-#init_path = "/usr/libexec/podman/catatonit"

-

-# Default way to to create an IPC namespace (POSIX SysV IPC) for the container

-# Options are:

-#  "host"     Share host IPC Namespace with the container.

-#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.

-#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.

-#  "shareable" Create shareable IPC Namespace for the container.

-#

-#ipcns = "shareable"

-

-# keyring tells the container engine whether to create

-# a kernel keyring for use within the container.

-#

-#keyring = true

-

-# label tells the container engine whether to use container separation using

-# MAC(SELinux) labeling or not.

-# The label flag is ignored on label disabled systems.

-#

-#label = true

-

-# Logging driver for the container. Available options: k8s-file and journald.

-#

-#log_driver = "k8s-file"

-

-# Maximum size allowed for the container log file. Negative numbers indicate

-# that no size limit is imposed. If positive, it must be >= 8192 to match or

-# exceed conmon's read buffer. The file is truncated and re-opened so the

-# limit is never exceeded.

-#

-#log_size_max = -1

-

-# Specifies default format tag for container log messages.

-# This is useful for creating a specific tag for container log messages.

-# Containers logs default to truncated container ID as a tag.

-#

-#log_tag = ""

-

-# Default way to to create a Network namespace for the container

-# Options are:

-# `private` Create private Network Namespace for the container.

-# `host`    Share host Network Namespace with the container.

-# `none`    Containers do not use the network

-#

-#netns = "private"

-

-# Create /etc/hosts for the container.  By default, container engine manage

-# /etc/hosts, automatically adding  the container's  own  IP  address.

-#

-#no_hosts = false

-

-# Default way to to create a PID namespace for the container

-# Options are:

-# `private` Create private PID Namespace for the container.

-# `host`    Share host PID Namespace with the container.

-#

-#pidns = "private"

-

-# Maximum number of processes allowed in a container.

-#

-#pids_limit = 2048

-

-# Copy the content from the underlying image into the newly created volume

-# when the container is created instead of when it is started. If false,

-# the container engine will not copy the content until the container is started.

-# Setting it to true may have negative performance implications.

-#

-#prepare_volume_on_create = false

-

-# Path to the seccomp.json profile which is used as the default seccomp profile

-# for the runtime.

-#

-#seccomp_profile = "/usr/share/containers/seccomp.json"

-

-# Size of /dev/shm. Specified as <number><unit>.

-# Unit is optional, values:

-# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# If the unit is omitted, the system uses bytes.

-#

-#shm_size = "65536k"

-

-# Set timezone in container. Takes IANA timezones as well as "local",

-# which sets the timezone in the container to match the host machine.

-#

-#tz = ""

-

-# Set umask inside the container

-#

-#umask = "0022"

-

-# Default way to to create a User namespace for the container

-# Options are:

-# `auto`        Create unique User Namespace for the container.

-# `host`    Share host User Namespace with the container.

-#

-#userns = "host"

-

-# Number of UIDs to allocate for the automatic container creation.

-# UIDs are allocated from the "container" UIDs listed in

-# /etc/subuid & /etc/subgid

-#

-#userns_size = 65536

-

-# Default way to to create a UTS namespace for the container

-# Options are:

-# `private`        Create private UTS Namespace for the container.

-# `host`    Share host UTS Namespace with the container.

-#

-#utsns = "private"

-

-# List of volumes. Specified as

-# "<directory-on-host>:<directory-in-container>:<options>", for example:

-# "/db:/var/lib/db:ro".

-# If it is empty or commented out, no volumes will be added

-#

-#volumes = []

-

-[secrets]

-#driver = "file"

-

-[secrets.opts]

-#root = "/example/directory"

-

-[network]

-

-# Network backend determines what network driver will be used to set up and tear down container networks.

-# Valid values are "cni" and "netavark".

-# The default value is empty which means that it will automatically choose CNI or netavark. If there are

-# already containers/images or CNI networks preset it will choose CNI.

-#

-# Before changing this value all containers must be stopped otherwise it is likely that

-# iptables rules and network interfaces might leak on the host. A reboot will fix this.

-#

-network_backend = "netavark"

-

-# Path to directory where CNI plugin binaries are located.

-#

-#cni_plugin_dirs = [

-#  "/usr/local/libexec/cni",

-#  "/usr/libexec/cni",

-#  "/usr/local/lib/cni",

-#  "/usr/lib/cni",

-#  "/opt/cni/bin",

-#]

-

-# The network name of the default network to attach pods to.

-#

-#default_network = "podman"

-

-# The default subnet for the default network given in default_network.

-# If a network with that name does not exist, a new network using that name and

-# this subnet will be created.

-# Must be a valid IPv4 CIDR prefix.

-#

-#default_subnet = "10.88.0.0/16"

-

-# DefaultSubnetPools is a list of subnets and size which are used to

-# allocate subnets automatically for podman network create.

-# It will iterate through the list and will pick the first free subnet

-# with the given size. This is only used for ipv4 subnets, ipv6 subnets

-# are always assigned randomly.

-#

-#default_subnet_pools = [

-#  {"base" = "10.89.0.0/16", "size" = 24},

-#  {"base" = "10.90.0.0/15", "size" = 24},

-#  {"base" = "10.92.0.0/14", "size" = 24},

-#  {"base" = "10.96.0.0/11", "size" = 24},

-#  {"base" = "10.128.0.0/9", "size" = 24},

-#]

-

-# Path to the directory where network configuration files are located.

-# For the CNI backend the default is "/etc/cni/net.d" as root

-# and "$HOME/.config/cni/net.d" as rootless.

-# For the netavark backend "/etc/containers/networks" is used as root

-# and "$graphroot/networks" as rootless.

-#

-#network_config_dir = "/etc/cni/net.d/"

-

-# Port to use for dns forwarding daemon with netavark in rootful bridge

-# mode and dns enabled.

-# Using an alternate port might be useful if other dns services should

-# run on the machine.

-#

-#dns_bind_port = 53

-

-[engine]

-# Index to the active service

-#

-#active_service = production

-

-# The compression format to use when pushing an image.

-# Valid options are: `gzip`, `zstd` and `zstd:chunked`.

-#

-#compression_format = "gzip"

-

-

-# Cgroup management implementation used for the runtime.

-# Valid options "systemd" or "cgroupfs"

-#

-#cgroup_manager = "systemd"

-

-# Environment variables to pass into conmon

-#

-#conmon_env_vars = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

-#]

-

-# Paths to look for the conmon container manager binary

-#

-#conmon_path = [

-#  "/usr/libexec/podman/conmon",

-#  "/usr/local/libexec/podman/conmon",

-#  "/usr/local/lib/podman/conmon",

-#  "/usr/bin/conmon",

-#  "/usr/sbin/conmon",

-#  "/usr/local/bin/conmon",

-#  "/usr/local/sbin/conmon"

-#]

-

-# Enforces using docker.io for completing short names in Podman's compatibility

-# REST API. Note that this will ignore unqualified-search-registries and

-# short-name aliases defined in containers-registries.conf(5).

-#compat_api_enforce_docker_hub = true

-

-# Specify the keys sequence used to detach a container.

-# Format is a single character [a-Z] or a comma separated sequence of

-# `ctrl-<value>`, where `<value>` is one of:

-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`

-#

-#detach_keys = "ctrl-p,ctrl-q"

-

-# Determines whether engine will reserve ports on the host when they are

-# forwarded to containers. When enabled, when ports are forwarded to containers,

-# ports are held open by as long as the container is running, ensuring that

-# they cannot be reused by other programs on the host. However, this can cause

-# significant memory usage if a container has many ports forwarded to it.

-# Disabling this can save memory.

-#

-#enable_port_reservation = true

-

-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).

-# For example "http_proxy=internal.proxy.company.com".

-# Note these environment variables will not be used within the container.

-# Set the env section under [containers] table, if you want to set environment variables for the container.

-#

-#env = []

-

-# Define where event logs will be stored, when events_logger is "file".

-#events_logfile_path=""

-

-# Sets the maximum size for events_logfile_path.

-# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.

-# If no unit is included then the size will be read in bytes.

-# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.

-# If the maximum size is set to 0, then no limit will be applied,

-# and the logfile will not be rotated.

-#events_logfile_max_size = "1m"

-

-# Selects which logging mechanism to use for container engine events.

-# Valid values are `journald`, `file` and `none`.

-#

-#events_logger = "journald"

-

-# A is a list of directories which are used to search for helper binaries.

-#

-#helper_binaries_dir = [

-#  "/usr/local/libexec/podman",

-#  "/usr/local/lib/podman",

-#  "/usr/libexec/podman",

-#  "/usr/lib/podman",

-#]

-

-# Path to OCI hooks directories for automatically executed hooks.

-#

-#hooks_dir = [

-#  "/usr/share/containers/oci/hooks.d",

-#]

-

-# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building

-# container images. By default image pulled and pushed match the format of the

-# source image. Building/committing defaults to OCI.

-#

-#image_default_format = ""

-

-# Default transport method for pulling and pushing for images

-#

-#image_default_transport = "docker://"

-

-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.

-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.

-#

-#image_parallel_copies = 0

-

-# Tells container engines how to handle the builtin image volumes.

-#   * bind: An anonymous named volume will be created and mounted

-#     into the container.

-#   * tmpfs: The volume is mounted onto the container as a tmpfs,

-#     which allows users to create content that disappears when

-#     the container is stopped.

-#   * ignore: All volumes are just ignored and no action is taken.

-#

-#image_volume_mode = ""

-

-# Default command to run the infra container

-#

-#infra_command = "/pause"

-

-# Infra (pause) container image name for pod infra containers.  When running a

-# pod, we start a `pause` process in a container to hold open the namespaces

-# associated with the  pod.  This container does nothing other then sleep,

-# reserving the pods resources for the lifetime of the pod. By default container

-# engines run a builtin container using the pause executable. If you want override

-# specify an image to pull.

-#

-#infra_image = ""

-

-# Specify the locking mechanism to use; valid values are "shm" and "file".

-# Change the default only if you are sure of what you are doing, in general

-# "file" is useful only on platforms where cgo is not available for using the

-# faster "shm" lock type. You may need to run "podman system renumber" after

-# you change the lock type.

-#

-#lock_type** = "shm"

-

-# MultiImageArchive - if true, the container engine allows for storing archives

-# (e.g., of the docker-archive transport) with multiple images.  By default,

-# Podman creates single-image archives.

-#

-#multi_image_archive = "false"

-

-# Default engine namespace

-# If engine is joined to a namespace, it will see only containers and pods

-# that were created in the same namespace, and will create new containers and

-# pods in that namespace.

-# The default namespace is "", which corresponds to no namespace. When no

-# namespace is set, all containers and pods are visible.

-#

-#namespace = ""

-

-# Path to the slirp4netns binary

-#

-#network_cmd_path = ""

-

-# Default options to pass to the slirp4netns binary.

-# Valid options values are:

-#

-# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).

-#   Default is false.

-# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).

-# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).

-# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).

-# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).

-# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.

-# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).

-# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.

-# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.

-#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container

-#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,

-#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for

-#   rootless containers when connected to user-defined networks.

-# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but

-#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.

-#

-#network_cmd_options = []

-

-# Whether to use chroot instead of pivot_root in the runtime

-#

-#no_pivot_root = false

-

-# Number of locks available for containers and pods.

-# If this is changed, a lock renumber must be performed (e.g. with the

-# 'podman system renumber' command).

-#

-#num_locks = 2048

-

-# Set the exit policy of the pod when the last container exits.

-#pod_exit_policy = "continue"

-

-# Whether to pull new image before running a container

-#

-#pull_policy = "missing"

-

-# Indicates whether the application should be running in remote mode. This flag modifies the

-# --remote option on container engines. Setting the flag to true will default

-# `podman --remote=true` for access to the remote Podman service.

-#

-#remote = false

-

-# Default OCI runtime

-#

-#runtime = "crun"

-

-# List of the OCI runtimes that support --format=json. When json is supported

-# engine will use it for reporting nicer errors.

-#

-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]

-

-# List of the OCI runtimes that supports running containers with KVM Separation.

-#

-#runtime_supports_kvm = ["kata", "krun"]

-

-# List of the OCI runtimes that supports running containers without cgroups.

-#

-#runtime_supports_nocgroups = ["crun", "krun"]

-

-# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment

-# variable. If you specify "storage", then the location of the

-# container/storage tmp directory will be used.

-# image_copy_tmp_dir="/var/tmp"

-

-# Number of seconds to wait without a connection

-# before the `podman system service` times out and exits

-#

-#service_timeout = 5

-

-# Directory for persistent engine files (database, etc)

-# By default, this will be configured relative to where the containers/storage

-# stores containers

-# Uncomment to change location from this default

-#

-#static_dir = "/var/lib/containers/storage/libpod"

-

-# Number of seconds to wait for container to exit before sending kill signal.

-#

-#stop_timeout = 10

-

-# Number of seconds to wait before exit command in API process is given to.

-# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).

-#

-#exit_command_delay = 300

-

-# map of service destinations

-#

-#[service_destinations]

-#  [service_destinations.production]

-#     URI to access the Podman service

-#     Examples:

-#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)

-#       rootful "unix://run/podman/podman.sock (Default)

-#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock

-#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock

-#

-#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"

-#    Path to file containing ssh identity key

-#    identity = "~/.ssh/id_rsa"

-

-# Directory for temporary files. Must be tmpfs (wiped after reboot)

-#

-#tmp_dir = "/run/libpod"

-

-# Directory for libpod named volumes.

-# By default, this will be configured relative to where containers/storage

-# stores containers.

-# Uncomment to change location from this default.

-#

-#volume_path = "/var/lib/containers/storage/volumes"

-

-# Default timeout (in seconds) for volume plugin operations.

-# Plugins are external programs accessed via a REST API; this sets a timeout

-# for requests to that API.

-# A value of 0 is treated as no timeout.

-#volume_plugin_timeout = 5

-

-# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)

-[engine.runtimes]

-#crun = [

-#  "/usr/bin/crun",

-#  "/usr/sbin/crun",

-#  "/usr/local/bin/crun",

-#  "/usr/local/sbin/crun",

-#  "/sbin/crun",

-#  "/bin/crun",

-#  "/run/current-system/sw/bin/crun",

-#]

-

-#kata = [

-#  "/usr/bin/kata-runtime",

-#  "/usr/sbin/kata-runtime",

-#  "/usr/local/bin/kata-runtime",

-#  "/usr/local/sbin/kata-runtime",

-#  "/sbin/kata-runtime",

-#  "/bin/kata-runtime",

-#  "/usr/bin/kata-qemu",

-#  "/usr/bin/kata-fc",

-#]

-

-#runc = [

-#  "/usr/bin/runc",

-#  "/usr/sbin/runc",

-#  "/usr/local/bin/runc",

-#  "/usr/local/sbin/runc",

-#  "/sbin/runc",

-#  "/bin/runc",

-#  "/usr/lib/cri-o-runc/sbin/runc",

-#]

-

-#runsc = [

-#  "/usr/bin/runsc",

-#  "/usr/sbin/runsc",

-#  "/usr/local/bin/runsc",

-#  "/usr/local/sbin/runsc",

-#  "/bin/runsc",

-#  "/sbin/runsc",

-#  "/run/current-system/sw/bin/runsc",

-#]

-

-#krun = [

-#  "/usr/bin/krun",

-#  "/usr/local/bin/krun",

-#]

-

-[engine.volume_plugins]

-#testplugin = "/run/podman/plugins/test.sock"

-

-[machine]

-# Number of CPU's a machine is created with.

-#

-#cpus=1

-

-# The size of the disk in GB created when init-ing a podman-machine VM.

-#

-#disk_size=10

-

-# Default image URI when creating a new VM using `podman machine init`.

-# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major

-# version of the OS (e.g `36`) for Fedora 36. For all platforms you can

-# alternatively specify a custom download URL to an image. Container engines

-# translate URIs $OS and $ARCH to the native OS and ARCH. URI

-# "https://example.com/$OS/$ARCH/foobar.ami" becomes

-# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.

-# The default value is `testing`.

-#

-# image = "testing"

-

-# Memory in MB a machine is created with.

-#

-#memory=2048

-

-# The username to use and create on the podman machine OS for rootless

-# container access.

-#

-#user = "core"

-

-# Host directories to be mounted as volumes into the VM by default.

-# Environment variables like $HOME as well as complete paths are supported for

-# the source and destination. An optional third field `:ro` can be used to

-# tell the container engines to mount the volume readonly.

-#

-# volumes = [

-#  "$HOME:$HOME",

-#]

-

-# The [machine] table MUST be the last entry in this file.

-# (Unless another table is added)

-# TOML does not provide a way to end a table other than a further table being

-# defined, so every key hereafter will be part of [machine] and not the

-# main config.

+### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+#  1. /usr/share/containers/containers.conf
+#  2. /etc/containers/containers.conf
+#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+#  Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host`    Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines  whether  the  container will create CGroups.
+# Options are:
+# `enabled`   Enable cgroup support within container
+# `disabled`  Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+  "CHOWN",
+  "DAC_OVERRIDE",
+  "FOWNER",
+  "FSETID",
+  "KILL",
+  "NET_BIND_SERVICE",
+  "SETFCAP",
+  "SETGID",
+  "SETPCAP",
+  "SETUID",
+  "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+  "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+#  "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+#  "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host`    Share host Network Namespace with the container.
+# `none`    Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container.  By default, container engine manage
+# /etc/hosts, automatically adding  the container's  own  IP  address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host`    Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto`        Create unique User Namespace for the container.
+# `host`    Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private`        Create private UTS Namespace for the container.
+# `host`    Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+#  "/usr/local/libexec/cni",
+#  "/usr/libexec/cni",
+#  "/usr/local/lib/cni",
+#  "/usr/lib/cni",
+#  "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+#  {"base" = "10.89.0.0/16", "size" = 24},
+#  {"base" = "10.90.0.0/15", "size" = 24},
+#  {"base" = "10.92.0.0/14", "size" = 24},
+#  {"base" = "10.96.0.0/11", "size" = 24},
+#  {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+#  "/usr/libexec/podman/conmon",
+#  "/usr/local/libexec/podman/conmon",
+#  "/usr/local/lib/podman/conmon",
+#  "/usr/bin/conmon",
+#  "/usr/sbin/conmon",
+#  "/usr/local/bin/conmon",
+#  "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+#  "/usr/local/libexec/podman",
+#  "/usr/local/lib/podman",
+#  "/usr/libexec/podman",
+#  "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+#  "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+#   * bind: An anonymous named volume will be created and mounted
+#     into the container.
+#   * tmpfs: The volume is mounted onto the container as a tmpfs,
+#     which allows users to create content that disappears when
+#     the container is stopped.
+#   * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers.  When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the  pod.  This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images.  By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+#   Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+#   rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+#  [service_destinations.production]
+#     URI to access the Podman service
+#     Examples:
+#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+#       rootful "unix://run/podman/podman.sock (Default)
+#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+#    Path to file containing ssh identity key
+#    identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+#  "/usr/bin/crun",
+#  "/usr/sbin/crun",
+#  "/usr/local/bin/crun",
+#  "/usr/local/sbin/crun",
+#  "/sbin/crun",
+#  "/bin/crun",
+#  "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+#  "/usr/bin/kata-runtime",
+#  "/usr/sbin/kata-runtime",
+#  "/usr/local/bin/kata-runtime",
+#  "/usr/local/sbin/kata-runtime",
+#  "/sbin/kata-runtime",
+#  "/bin/kata-runtime",
+#  "/usr/bin/kata-qemu",
+#  "/usr/bin/kata-fc",
+#]
+
+#runc = [
+#  "/usr/bin/runc",
+#  "/usr/sbin/runc",
+#  "/usr/local/bin/runc",
+#  "/usr/local/sbin/runc",
+#  "/sbin/runc",
+#  "/bin/runc",
+#  "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+#  "/usr/bin/runsc",
+#  "/usr/sbin/runsc",
+#  "/usr/local/bin/runsc",
+#  "/usr/local/sbin/runsc",
+#  "/bin/runsc",
+#  "/sbin/runsc",
+#  "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+#  "/usr/bin/krun",
+#  "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+#  "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2
index cc5ddf09c..77905e054 100644
--- a/data/templates/dhcp-client/ipv4.j2
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -9,14 +9,30 @@ interface "{{ ifname }}" {
     send host-name "{{ dhcp_options.host_name }}";
 {% if dhcp_options.client_id is vyos_defined %}
 {%     set client_id = dhcp_options.client_id %}
-{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #}
-{%     if not dhcp_options.client_id.split(':') | length >= 5 %}
-{%         set client_id = '"' + dhcp_options.client_id + '"' %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not client_id.split(':') | length >= 3 %}
+{%         set client_id = '"' ~ dhcp_options.client_id ~ '"' %}
 {%     endif %}
     send dhcp-client-identifier {{ client_id }};
 {% endif %}
 {% if dhcp_options.vendor_class_id is vyos_defined %}
-    send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
+{%     set vendor_class_id = dhcp_options.vendor_class_id %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not vendor_class_id.split(':') | length >= 3 %}
+{%         set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %}
+{%     endif %}
+    send vendor-class-identifier {{ vendor_class_id }};
+{% endif %}
+{% if dhcp_options.user_class is vyos_defined %}
+{%     set user_class = dhcp_options.user_class %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not user_class.split(':') | length >= 3 %}
+{%         set user_class = '"' ~ dhcp_options.user_class ~ '"' %}
+{%     endif %}
+    send user-class {{ user_class }};
 {% endif %}
     # The request statement causes the client to request that any server responding to the
     # client send the client its values for the specified options.
diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2
index c26c263fd..71a395454 100644
--- a/data/templates/dhcp-relay/dhcrelay.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcp_relay.py ###
+### Autogenerated by service_dhcp-relay.py ###
 
 {% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %}
 {# hop_count and relay_agents_packets is a default option, thus it is always present #}
@@ -6,4 +6,4 @@
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}"
 {% else %}
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}"
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.j2 b/data/templates/dhcp-relay/dhcrelay6.conf.j2
index 6365346b4..25f7671b3 100644
--- a/data/templates/dhcp-relay/dhcrelay6.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcpv6_relay.py ###
+### Autogenerated by service_dhcpv6-relay.py ###
 
 {# upstream_interface is mandatory so it's always present #}
 {% set upstream = namespace(value='')  %}
@@ -18,4 +18,3 @@
 {% endfor %}
 
 OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}"
-
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 3446a9d1b..6c0653a55 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -13,63 +13,44 @@ web-skip{{ ipv }}='{{ web_options.skip }}', \
 if{{ ipv }}={{ address }}, \
 {%     endif %}
 {% endfor %}
-{# Other service options #}
-{% for k,v in kwargs.items() %}
-{%     if v is vyos_defined %}
-{{ k }}={{ v }}{{ ',' if not loop.last }} \
-{%     endif %}
+{# Other service options with special treatment for password #}
+{% for k,v in kwargs.items() if v is vyos_defined %}
+{{ k | replace('_', '-') }}={{ "'%s'" % (v) if k == 'password' else v }}{{ ',' if not loop.last }} \
 {% endfor %}
 {# Actual hostname for the service #}
 {{ host }}
 {% endmacro %}
-### Autogenerated by dns_dynamic.py ###
-daemon={{ timeout }}
+### Autogenerated by service_dns_dynamic.py ###
+daemon={{ interval }}
 syslog=yes
 ssl=yes
 pid={{ config_file | replace('.conf', '.pid') }}
 cache={{ config_file | replace('.conf', '.cache') }}
-{# Explicitly override global options for reliability #}
-web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #}
-use=no            {# ddclient default ('ip') results in confusing warning message in log #}
-
-{% if address is vyos_defined %}
-{%     for address, service_cfg in address.items() %}
-{%         if service_cfg.rfc2136 is vyos_defined %}
-{%             for name, config in service_cfg.rfc2136.items() %}
-{%                 if config.description is vyos_defined %}
-# {{ config.description }}
+{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #}
+web=googledomains
+{# ddclient default (use=ip) results in confusing warning message in log #}
+use=no
 
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
-{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
-   to the properties since 'nsupdate' doesn't support that yet. #}
-{{ render_config(host, address, service_cfg.web_options,
-                 protocol='nsupdate', server=config.server, zone=config.zone,
-                 password=config.key, ttl=config.ttl) }}
+{% if name is vyos_defined %}
+{%     for service, config in name.items() %}
+{%         if config.description is vyos_defined %}
 
-{%                 endfor %}
-{%             endfor %}
-{%         endif %}
-{%         if service_cfg.service is vyos_defined %}
-{%             for name, config in service_cfg.service.items() %}
-{%                 if config.description is vyos_defined %}
 # {{ config.description }}
+{%         endif %}
+{%         for host in config.host_name if config.host_name is vyos_defined %}
+{#             ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate'
+               ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #}
+{%             set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
+                                 else ([config.ip_version[2:]] if config.protocol != 'nsupdate'
+                                       else ['']) %}
+{%             set password = config.key if config.protocol == 'nsupdate'
+                              else config.password %}
 
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-{%                     set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
-                                                      else (['v6'] if config.ip_version == 'ipv6' else ['']) %}
-# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
-{# For ipv4 only setup or legacy ipv6 setup, don't append 'new-style' compliant suffix
-   ('usev4', 'ifv4', 'webv4' etc.) to the properties and instead live through the
-   deprecation warnings for better compatibility with most ddclient protocols. #}
-{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
+# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
+{{ render_config(host, config.address, config.web_options, ip_suffixes,
                  protocol=config.protocol, server=config.server, zone=config.zone,
-                 login=config.username, password=config.password) }}
-
-{%                 endfor %}
-{%             endfor %}
-{%         endif %}
+                 login=config.username, password=password, ttl=config.ttl,
+                 min_interval=config.wait_time, max_interval=config.expiry_time) }}
+{%         endfor %}
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2
index 6ca1b8a45..4a6851cef 100644
--- a/data/templates/dns-dynamic/override.conf.j2
+++ b/data/templates/dns-dynamic/override.conf.j2
@@ -7,4 +7,4 @@ After=vyos-router.service
 PIDFile={{ config_file | replace('.conf', '.pid') }}
 EnvironmentFile=
 ExecStart=
-ExecStart=/usr/bin/ddclient -file {{ config_file }}
+ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }}
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e02e6c13d..55b37732b 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=single-statement-per-line #}
-### Autogenerated by dns_forwarding.py ###
+### Autogenerated by service_dns_forwarding.py ###
 
 # XXX: pdns recursor doesn't like whitespace near entry separators,
 # especially in the semicolon-separated lists of name servers.
@@ -40,6 +40,16 @@ dnssec={{ dnssec }}
 dns64-prefix={{ dns64_prefix }}
 {% endif %}
 
+{% if exclude_throttle_address is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extension is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
 # serve rfc1918 records
 serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 
@@ -47,4 +57,3 @@ serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 
 forward-zones-file=recursor.forward-zones.conf
-
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index e2506238d..816f69160 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -1,4 +1,4 @@
--- Autogenerated by VyOS (dns_forwarding.py) --
+-- Autogenerated by VyOS (service_dns_forwarding.py) --
 -- Do not edit, your changes will get overwritten --
 
 -- Load DNSSEC root keys from dns-root-data package.
@@ -6,4 +6,3 @@ dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
 
 -- Load lua from vyos-hostsd --
 dofile("recursor.vyos-hostsd.conf.lua")
-
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.j2 b/data/templates/dns-forwarding/recursor.zone.conf.j2
index 25193c2ec..797068c49 100644
--- a/data/templates/dns-forwarding/recursor.zone.conf.j2
+++ b/data/templates/dns-forwarding/recursor.zone.conf.j2
@@ -1,5 +1,5 @@
 ;
-; Autogenerated by dns_forwarding.py
+; Autogenerated by service_dns_forwarding.py
 ;
 {% for r in records %}
 {{ r.name }}    {{ r.ttl }}    {{ r.type }}    {{ r.value }}
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index cd35d6d1e..6da2fa5e0 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-ethernet.py ###
+### Autogenerated by interfaces_ethernet.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
@@ -74,4 +74,3 @@ network={
     # does not work for VyOS' git builds of wpa_supplicant.
     phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }
-
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2
new file mode 100644
index 000000000..1a4ad2ed9
--- /dev/null
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -0,0 +1,35 @@
+{% macro bridge(bridge) %}
+{% set ns = namespace(sets=[]) %}
+{% if bridge.forward is vyos_defined %}
+{%     for prior, conf in bridge.forward.items() %}
+{%         set def_action = conf.default_action %}
+    chain VYOS_FORWARD_{{ prior }} {
+        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+    {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + ['FWD_' + prior + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+    }
+{%     endfor %}
+{% endif %}
+
+{% if bridge.name is vyos_defined %}
+{%     for name_text, conf in bridge.name.items() %}
+    chain NAME_{{ name_text }} {
+{%         if conf.rule is vyos_defined %}
+{%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
+    {{ rule_conf | nft_rule('NAM', name_text, rule_id, 'bri') }}
+{%                 if rule_conf.recent is vyos_defined %}
+{%                     set ns.sets = ns.sets + ['NAM_' + name_text + '_' + rule_id] %}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+    {{ conf | nft_default_rule(name_text) }}
+    }
+{%     endfor %}
+{% endif %}
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index 0a7e79edd..a20c399ae 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -1,7 +1,7 @@
-{% macro groups(group, is_ipv6) %}
+{% macro groups(group, is_ipv6, is_l3) %}
 {% if group is vyos_defined %}
 {%     set ip_type = 'ipv6_addr' if is_ipv6 else 'ipv4_addr' %}
-{%     if group.address_group is vyos_defined and not is_ipv6 %}
+{%     if group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.address_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set A_{{ group_name }} {
@@ -14,7 +14,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.ipv6_address_group is vyos_defined and is_ipv6 %}
+{%     if group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.ipv6_address_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set A6_{{ group_name }} {
@@ -27,7 +27,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.domain_group is vyos_defined %}
+{%     if group.domain_group is vyos_defined and is_l3 %}
 {%         for name, name_config in group.domain_group.items() %}
     set D_{{ name }} {
         type {{ ip_type }}
@@ -46,7 +46,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.network_group is vyos_defined and not is_ipv6 %}
+{%     if group.network_group is vyos_defined and not is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.network_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set N_{{ group_name }} {
@@ -59,7 +59,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.ipv6_network_group is vyos_defined and is_ipv6 %}
+{%     if group.ipv6_network_group is vyos_defined and is_ipv6 and is_l3 %}
 {%         for group_name, group_conf in group.ipv6_network_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set N6_{{ group_name }} {
@@ -72,7 +72,7 @@
     }
 {%         endfor %}
 {%     endif %}
-{%     if group.port_group is vyos_defined %}
+{%     if group.port_group is vyos_defined and is_l3 %}
 {%         for group_name, group_conf in group.port_group.items() %}
 {%             set includes = group_conf.include if group_conf.include is vyos_defined else [] %}
     set P_{{ group_name }} {
diff --git a/data/templates/firewall/nftables-nat.j2 b/data/templates/firewall/nftables-nat.j2
index f0be3cf5d..dcf28da88 100644
--- a/data/templates/firewall/nftables-nat.j2
+++ b/data/templates/firewall/nftables-nat.j2
@@ -62,6 +62,6 @@ table ip vyos_nat {
         return
     }
 
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
 }
 {% endif %}
diff --git a/data/templates/firewall/nftables-offload.j2 b/data/templates/firewall/nftables-offload.j2
new file mode 100644
index 000000000..087fd141c
--- /dev/null
+++ b/data/templates/firewall/nftables-offload.j2
@@ -0,0 +1,9 @@
+{% macro flowtable(name, config) %}
+    flowtable VYOS_FLOWTABLE_{{ name }} {
+        hook ingress priority 0; devices = { {{ config.interface | join(', ') }} };
+{% if config.offload is vyos_defined('hardware') %}
+        flags offload;
+{% endif %}
+        counter
+    }
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index 699349e2b..9e28899b0 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -28,11 +28,14 @@ table ip vyos_mangle {
         {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
 
-{{ group_tmpl.groups(firewall_group, False) }}
+{{ group_tmpl.groups(firewall_group, False, True) }}
 }
 
 table ip6 vyos_mangle {
@@ -57,9 +60,12 @@ table ip6 vyos_mangle {
         {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
 
-{{ group_tmpl.groups(firewall_group, True) }}
+{{ group_tmpl.groups(firewall_group, True, True) }}
 }
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
index eecf47b78..3bce7312d 100644
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ b/data/templates/firewall/nftables-vrf-zones.j2
@@ -7,11 +7,11 @@ table inet vrf_zones {
   # Chain for inbound traffic
   chain vrf_zones_ct_in {
     type filter hook prerouting priority raw; policy accept;
-    counter ct zone set iifname map @ct_iface_map
+    counter ct original zone set iifname map @ct_iface_map
   }
   # Chain for locally-generated traffic
   chain vrf_zones_ct_out {
     type filter hook output priority raw; policy accept;
-    counter ct zone set oifname map @ct_iface_map
+    counter ct original zone set oifname map @ct_iface_map
   }
 }
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
new file mode 100644
index 000000000..506ad815e
--- /dev/null
+++ b/data/templates/firewall/nftables-zone.j2
@@ -0,0 +1,77 @@
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
+    chain VYOS_ZONE_FORWARD {
+        type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' not in zone_conf %}
+        oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_LOCAL {
+        type filter hook input priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_IN
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_OUTPUT {
+        type filter hook output priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_OUT
+{%     endif %}
+{% endfor %}
+    }
+{% for zone_name, zone_conf in zone.items() %}
+{%     if zone_conf.local_zone is vyos_defined %}
+    chain VZONE_{{ zone_name }}_IN {
+        iifname lo counter return
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+    chain VZONE_{{ zone_name }}_OUT {
+        oifname lo counter return
+{%         if zone_conf.from_local is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+{%     else %}
+    chain VZONE_{{ zone_name }} {
+        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }}
+{%         if zone_conf.intra_zone_filtering is vyos_defined %}
+        iifname { {{ zone_conf.interface | join(",") }} } counter return
+{%         endif %}
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%                 if zone[from_zone].local_zone is not defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name) }}
+    }
+{%     endif %}
+{% endfor %}
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index a82a5537b..4851e3a05 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -1,6 +1,9 @@
 #!/usr/sbin/nft -f
 
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
+{% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
+{% import 'firewall/nftables-offload.j2' as offload_tmpl %}
+{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
 
 flush chain raw FW_CONNTRACK
 flush chain ip6 raw FW_CONNTRACK
@@ -43,12 +46,20 @@ delete table ip vyos_filter
 {% endif %}
 table ip vyos_filter {
 {% if ipv4 is vyos_defined %}
+{%     if flowtable is vyos_defined %}
+{%         for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{%         endfor %}
+{%     endif %}
+
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv4.forward is vyos_defined %}
 {%         for prior, conf in ipv4.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
@@ -57,15 +68,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.input is vyos_defined %}
 {%         for prior, conf in ipv4.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP',prior, rule_id) }}
@@ -74,15 +88,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.output is vyos_defined %}
 {%         for prior, conf in ipv4.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
@@ -91,6 +108,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -100,9 +118,8 @@ table ip vyos_filter {
     }
 {%     if ipv4.prerouting is vyos_defined %}
 {%         for prior, conf in ipv4.prerouting.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_PREROUTING_{{ prior }} {
-        type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+        type filter hook prerouting priority {{ prior }}; policy accept;
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
@@ -111,7 +128,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule(prior) }}
+        {{ conf | nft_default_rule('PRE-filter') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -154,7 +171,25 @@ table ip vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, False) }}
+{{ group_tmpl.groups(group, False, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
 }
 
 {% if first_install is not vyos_defined %}
@@ -162,12 +197,20 @@ delete table ip6 vyos_filter
 {% endif %}
 table ip6 vyos_filter {
 {% if ipv6 is vyos_defined %}
+{%     if flowtable is vyos_defined %}
+{%         for name, flowtable_conf in flowtable.items() %}
+{{ offload_tmpl.flowtable(name, flowtable_conf) }}
+{%         endfor %}
+{%     endif %}
+
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv6.forward is vyos_defined %}
 {%         for prior, conf in ipv6.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
@@ -176,15 +219,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.input is vyos_defined %}
 {%         for prior, conf in ipv6.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
@@ -193,15 +239,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.output is vyos_defined %}
 {%         for prior, conf in ipv6.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
@@ -210,6 +259,7 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter', ipv6=True) }}
     }
 {%         endfor %}
 {%     endif %}
@@ -257,5 +307,34 @@ table ip6 vyos_filter {
 {%         endfor %}
 {%     endif %}
 {% endif %}
-{{ group_tmpl.groups(group, True) }}
+{{ group_tmpl.groups(group, True, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY6 {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
+
+}
+
+## Bridge Firewall
+{% if first_install is not vyos_defined %}
+delete table bridge vyos_filter
+{% endif %}
+table bridge vyos_filter {
+{{ bridge_tmpl.bridge(bridge) }}
+{{ group_tmpl.groups(group, False, False) }}
+
 }
\ No newline at end of file
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 7fa974254..679ba8b04 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -29,13 +29,14 @@
  neighbor {{ neighbor }} bfd profile {{ config.bfd.profile }}
 {%     endif %}
 {% endif %}
-{% if config.capability is vyos_defined %}
-{%     if config.capability.dynamic is vyos_defined %}
+{% if config.capability.dynamic is vyos_defined %}
  neighbor {{ neighbor }} capability dynamic
-{%     endif %}
-{%     if config.capability.extended_nexthop is vyos_defined %}
+{% endif %}
+{% if config.capability.extended_nexthop is vyos_defined %}
  neighbor {{ neighbor }} capability extended-nexthop
-{%     endif %}
+{% endif %}
+{% if config.capability.software_version is vyos_defined %}
+ neighbor {{ neighbor }} capability software-version
 {% endif %}
 {% if config.description is vyos_defined %}
  neighbor {{ neighbor }} description {{ config.description }}
@@ -77,6 +78,9 @@
 {% if config.path_attribute.discard is vyos_defined %}
  neighbor {{ neighbor }} path-attribute discard {{ config.path_attribute.discard }}
 {% endif %}
+{% if config.path_attribute.treat_as_withdraw is vyos_defined %}
+ neighbor {{ neighbor }} path-attribute treat-as-withdraw {{ config.path_attribute.treat_as_withdraw }}
+{% endif %}
 {% if config.port is vyos_defined %}
  neighbor {{ neighbor }} port {{ config.port }}
 {% endif %}
@@ -170,7 +174,7 @@
 {%             endif %}
 {%         endif %}
 {%         if afi_config.remove_private_as is vyos_defined %}
-  neighbor {{ neighbor }} remove-private-AS
+  neighbor {{ neighbor }} remove-private-AS {{ 'all' if afi_config.remove_private_as.all is vyos_defined }}
 {%         endif %}
 {%         if afi_config.route_reflector_client is vyos_defined %}
   neighbor {{ neighbor }} route-reflector-client
@@ -369,6 +373,26 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         if afi_config.advertise_svi_ip is vyos_defined %}
   advertise-svi-ip
 {%         endif %}
+{%         if afi_config.default_originate.ipv4 is vyos_defined %}
+  default-originate ipv4
+{%         endif %}
+{%         if afi_config.default_originate.ipv6 is vyos_defined %}
+  default-originate ipv6
+{%         endif %}
+{%         if afi_config.disable_ead_evi_rx is vyos_defined %}
+  disable-ead-evi-rx
+{%         endif %}
+{%         if afi_config.disable_ead_evi_tx is vyos_defined %}
+  disable-ead-evi-tx
+{%         endif %}
+{%         if afi_config.ead_es_frag.evi_limit is vyos_defined %}
+  ead-es-frag evi-limit {{ afi_config.ead_es_frag.evi_limit }}
+{%         endif %}
+{%         if afi_config.ead_es_route_target.export is vyos_defined %}
+{%             for route_target in afi_config.ead_es_route_target.export %}
+ ead-es-route-target export {{ route_target }}
+{%             endfor %}
+{%         endif %}
 {%         if afi_config.rt_auto_derive is vyos_defined %}
   autort rfc8365-compatible
 {%         endif %}
@@ -446,6 +470,38 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%     endfor %}
 {% endif %}
  !
+{% if bmp is vyos_defined %}
+{%     if bmp.mirror_buffer_limit is vyos_defined %}
+ bmp mirror buffer-limit {{ bmp.mirror_buffer_limit }}
+ !
+{%     endif %}
+{%     if bmp.target is vyos_defined %}
+{%         for bmp, bmp_config in bmp.target.items() %}
+ bmp targets {{ bmp }}
+{%             if bmp_config.mirror is vyos_defined %}
+  bmp mirror
+{%             endif %}
+{%             if bmp_config.monitor is vyos_defined %}
+{%                 if bmp_config.monitor.ipv4_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv4 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv4_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv4 unicast post-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv6 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv6 unicast post-policy
+{%                 endif %}
+{%             endif %}
+{%             if bmp_config.address is vyos_defined %}
+  bmp connect {{ bmp_config.address }} port {{ bmp_config.port }} min-retry {{ bmp_config.min_retry }} max-retry {{ bmp_config.max_retry }}
+{%             endif %}
+{%         endfor %}
+ exit
+{%     endif %}
+{% endif %}
 {% if peer_group is vyos_defined %}
 {%     for peer, config in peer_group.items() %}
 {{ bgp_neighbor(peer, config, true) }}
@@ -564,6 +620,14 @@ bgp route-reflector allow-outbound-policy
 {% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %}
  bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }}
 {% endif %}
+{% if srv6.locator is vyos_defined %}
+ segment-routing srv6
+  locator {{ srv6.locator }}
+ exit
+{% endif %}
+{% if sid.vpn.per_vrf.export is vyos_defined %}
+ sid vpn per-vrf export {{ sid.vpn.per_vrf.export }}
+{% endif %}
 {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %}
  timers bgp {{ timers.keepalive }} {{ timers.holdtime }}
 {% endif %}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index 3aad8e8dd..339b4e52f 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd   Replaced by package igmpproxy.
+# nhrpd  Replaced by package opennhrp.
+# pbrd   Replaced by PBR in nftables.
+# vrrpd  Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
 bgpd=yes
 ospfd=yes
 ospf6d=yes
@@ -6,49 +28,86 @@ ripd=yes
 ripngd=yes
 isisd=yes
 pimd=no
+pim6d=yes
 ldpd=yes
 nhrpd=no
-eigrpd=yes
+eigrpd=no
 babeld=yes
 sharpd=no
 pbrd=no
 bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
 
-vtysh_enable=yes
-zebra_options="  -s 90000000 --daemon -A 127.0.0.1
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options="   --daemon -A 127.0.0.1
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options=" --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options="   --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options="  --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options="  --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options="   --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
 ripngd_options=" --daemon -A ::1"
-isisd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options="  --daemon -A 127.0.0.1"
-ldpd_options="  --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options=" --daemon -A 127.0.0.1"
+isisd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options="   --daemon -A 127.0.0.1"
+pim6d_options="  --daemon -A ::1"
+ldpd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
 nhrpd_options="  --daemon -A 127.0.0.1"
-eigrpd_options="  --daemon -A 127.0.0.1"
-babeld_options="  --daemon -A 127.0.0.1"
-sharpd_options="  --daemon -A 127.0.0.1"
-pbrd_options="  --daemon -A 127.0.0.1"
-staticd_options="  --daemon -A 127.0.0.1"
-bfdd_options="  --daemon -A 127.0.0.1"
-
-watchfrr_enable=no
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options="   --daemon -A 127.0.0.1"
+bfdd_options="   --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options="  --daemon -A 127.0.0.1"
+pathd_options="  --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
+
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+
+vtysh_enable=yes
+watchfrr_enable=yes
 valgrind_enable=no
+
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+MAX_FDS={{ descriptors }}
+
+#FRR_NO_ROOT="yes"
diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2
index 67f8a3ad1..3038a0b1d 100644
--- a/data/templates/frr/eigrpd.frr.j2
+++ b/data/templates/frr/eigrpd.frr.j2
@@ -1,21 +1,21 @@
-!

-router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}

-{% if maximum_paths is vyos_defined %}

-maximum-paths {{ maximum_paths }}

-{% endif %}

-{% if metric.weights is vyos_defined %}

-metric weights {{ metric.weights }}

-{% endif %}

-{% if network is vyos_defined %}

-{%     for net in network %}

-network {{ net }}

-{%     endfor %}

-{% endif %}

-{% if redistribute is vyos_defined %}

-{%     for protocol in redistribute %}

-redistribute {{ protocol }}

-{%     endfor %}

-{% endif %}

-{% if variance is vyos_defined %}

-variance {{ variance }}

+!
+router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
+{% if maximum_paths is vyos_defined %}
+maximum-paths {{ maximum_paths }}
+{% endif %}
+{% if metric.weights is vyos_defined %}
+metric weights {{ metric.weights }}
+{% endif %}
+{% if network is vyos_defined %}
+{%     for net in network %}
+network {{ net }}
+{%     endfor %}
+{% endif %}
+{% if redistribute is vyos_defined %}
+{%     for protocol in redistribute %}
+redistribute {{ protocol }}
+{%     endfor %}
+{% endif %}
+{% if variance is vyos_defined %}
+variance {{ variance }}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/frr/evpn.mh.frr.j2 b/data/templates/frr/evpn.mh.frr.j2
new file mode 100644
index 000000000..03aaac44b
--- /dev/null
+++ b/data/templates/frr/evpn.mh.frr.j2
@@ -0,0 +1,16 @@
+!
+interface {{ ifname }}
+{% if evpn.es_df_pref is vyos_defined %}
+ evpn mh es-df-pref {{ evpn.es_df_pref }}
+{% endif %}
+{% if evpn.es_id is vyos_defined %}
+ evpn mh es-id {{ evpn.es_id }}
+{% endif %}
+{% if evpn.es_sys_mac is vyos_defined %}
+ evpn mh es-sys-mac {{ evpn.es_sys_mac }}
+{% endif %}
+{% if evpn.uplink is vyos_defined %}
+ evpn mh uplink
+{% endif %}
+exit
+!
diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2
deleted file mode 100644
index b75884484..000000000
--- a/data/templates/frr/igmp.frr.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-!
-{% for iface in old_ifaces %}
-interface {{ iface }}
-{%     for group in old_ifaces[iface].gr_join %}
-{%         if old_ifaces[iface].gr_join[group] %}
-{%             for source in old_ifaces[iface].gr_join[group] %}
- no ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- no ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
- no ip igmp
-!
-{% endfor %}
-{% for interface, interface_config in ifaces.items() %}
-interface {{ interface }}
-{%     if interface_config.version %}
- ip igmp version {{ interface_config.version }}
-{%     else %}
-{# IGMP default version 3 #}
- ip igmp
-{%     endif %}
-{%     if interface_config.query_interval %}
- ip igmp query-interval {{ interface_config.query_interval }}
-{%     endif %}
-{%     if interface_config.query_max_resp_time %}
- ip igmp query-max-response-time {{ interface_config.query_max_resp_time }}
-{%     endif %}
-{%     for group, sources in interface_config.gr_join.items() %}
-{%         if sources is vyos_defined %}
-{%             for source in sources %}
- ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
-!
-{% endfor %}
-!
diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2
index 3c37e28b9..1e1cc3c27 100644
--- a/data/templates/frr/isisd.frr.j2
+++ b/data/templates/frr/isisd.frr.j2
@@ -58,6 +58,12 @@ exit
 !
 router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
  net {{ net }}
+{% if advertise_high_metrics is vyos_defined %}
+advertise-high-metrics
+{% endif %}
+{% if advertise_passive_only is vyos_defined %}
+advertise-passive-only
+{% endif %}
 {% if dynamic_hostname is vyos_defined %}
  hostname dynamic
 {% endif %}
@@ -159,6 +165,48 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
 {%         endfor %}
 {%     endfor %}
 {% endif %}
+{% if fast_reroute.lfa is vyos_defined %}
+{%     if fast_reroute.lfa.local is vyos_defined %}
+{%         if fast_reroute.lfa.local.load_sharing.disable.level_1 is vyos_defined %}
+ fast-reroute load-sharing disable level-1
+{%         elif fast_reroute.lfa.local.load_sharing.disable.level_2 is vyos_defined %}
+ fast-reroute load-sharing disable level-2
+{%         elif fast_reroute.lfa.local.load_sharing.disable is vyos_defined %}
+ fast-reroute load-sharing disable
+{%         endif %}
+{%         if fast_reroute.lfa.local.priority_limit is vyos_defined %}
+{%             for priority, priority_limit_options in fast_reroute.lfa.local.priority_limit.items() %}
+{%                 for level in priority_limit_options %}
+ fast-reroute priority-limit {{ priority }} {{ level | replace('_', '-') }}
+{%                 endfor %}                   
+{%             endfor %}
+{%         endif %}
+{%         if fast_reroute.lfa.local.tiebreaker is vyos_defined %}
+{%             for tiebreaker, tiebreaker_options in fast_reroute.lfa.local.tiebreaker.items() %}
+{%                 for index, index_options in tiebreaker_options.items() %}
+{%                     for index_value, index_value_options in index_options.items() %}
+{%                         for level in index_value_options %}
+ fast-reroute lfa tiebreaker {{ tiebreaker | replace('_', '-') }} index {{ index_value }} {{ level | replace('_', '-') }}
+{%                         endfor %}
+{%                     endfor %}
+{%                 endfor %}
+{%             endfor %}
+{%         endif %}
+{%     endif %}
+{%     if fast_reroute.lfa.remote.prefix_list is vyos_defined %}
+{%         for prefix_list, prefix_list_options in fast_reroute.lfa.remote.prefix_list.items() %}
+{%             if prefix_list_options.level_1 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-1
+{%             endif %}
+{%             if prefix_list_options.level_2 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-2
+{%             endif %}
+{%             if prefix_list is vyos_defined and prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }}
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+{% endif %}
 {% if redistribute.ipv4 is vyos_defined %}
 {%     for protocol, protocol_options in redistribute.ipv4.items() %}
 {%         for level, level_config in protocol_options.items() %}
@@ -191,4 +239,4 @@ router isis VyOS {{ 'vrf ' + vrf if vrf is vyos_defined }}
  is-type {{ level }}
 {% endif %}
 exit
-!
\ No newline at end of file
+!
diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2
index 11aff331a..9a893cc55 100644
--- a/data/templates/frr/ldpd.frr.j2
+++ b/data/templates/frr/ldpd.frr.j2
@@ -14,19 +14,19 @@ mpls ldp
  ordered-control
 {%     endif %}
 {%     if ldp.neighbor is vyos_defined %}
-{%         for neighbor, neighbor_config in ldp.neighbor %}
+{%         for neighbor, neighbor_config in ldp.neighbor.items() %}
 {%             if neighbor_config.password is vyos_defined %}
- neighbor {{ neighbors }} password {{ neighbor_config.password }}
+ neighbor {{ neighbor }} password {{ neighbor_config.password }}
 {%             endif %}
 {%             if neighbor_config.ttl_security is vyos_defined %}
 {%                 if neighbor_config.ttl_security.disable is vyos_defined %}
- neighbor {{ neighbors }} ttl-security disable
+ neighbor {{ neighbor }} ttl-security disable
 {%                 else %}
- neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }}
+ neighbor {{ neighbor }} ttl-security hops {{ neighbor_config.ttl_security }}
 {%                 endif %}
 {%             endif %}
 {%             if neighbor_config.session_holdtime is vyos_defined %}
- neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }}
+ neighbor {{ neighbor }} session holdtime {{ neighbor_config.session_holdtime }}
 {%             endif %}
 {%         endfor %}
 {%     endif %}
diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2
new file mode 100644
index 000000000..bac716fcc
--- /dev/null
+++ b/data/templates/frr/pim6d.frr.j2
@@ -0,0 +1,81 @@
+!
+{% if interface is vyos_defined %}
+{%     for iface, iface_config in interface.items() %}
+!
+interface {{ iface }}
+ ipv6 pim
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ipv6 pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ipv6 pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ipv6 pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ipv6 pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ipv6 pim passive
+{%         endif %}
+{%         if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %}
+ ipv6 mld
+{%             if iface_config.mld.version is vyos_defined %}
+ ipv6 mld version {{ iface_config.mld.version }}
+{%             endif %}
+{%             if iface_config.mld.interval is vyos_defined %}
+ ipv6 mld query-interval {{ iface_config.mld.interval }}
+{%             endif %}
+{%             if iface_config.mld.max_response_time is vyos_defined %}
+ ipv6 mld query-max-response-time {{ iface_config.mld.max_response_time // 100 }}
+{%             endif %}
+{%             if iface_config.mld.last_member_query_count is vyos_defined %}
+ ipv6 mld last-member-query-count {{ iface_config.mld.last_member_query_count }}
+{%             endif %}
+{%             if iface_config.mld.last_member_query_interval is vyos_defined %}
+ ipv6 mld last-member-query-interval {{ iface_config.mld.last_member_query_interval // 100 }}
+{%             endif %}
+{%             if iface_config.mld.join is vyos_defined %}
+{%                 for group, group_config in iface_config.mld.join.items() %}
+{%                     if group_config.source is vyos_defined %}
+{%                         for source in group_config.source %}
+ ipv6 mld join {{ group }} {{ source }}
+{%                         endfor %}
+{%                     else %}
+ ipv6 mld join {{ group }}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+exit
+{%     endfor %}
+{% endif %}
+!
+{% if join_prune_interval is vyos_defined %}
+ipv6 pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ipv6 pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ipv6 pim packets {{ packets }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ipv6 pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         if address_config.group is vyos_defined %}
+{%             for group in address_config.group %}
+ipv6 pim rp {{ address }} {{ group }}
+{%             endfor %}
+{%         endif %}
+{%         if address_config.prefix_list6 is vyos_defined %}
+ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2
index cb2f2aa98..68edf4a5c 100644
--- a/data/templates/frr/pimd.frr.j2
+++ b/data/templates/frr/pimd.frr.j2
@@ -1,34 +1,95 @@
+{% if interface is vyos_defined %}
+{%     for iface, iface_config in interface.items() %}
 !
-{% for rp_addr in old_pim.rp %}
-{%     for group in old_pim.rp[rp_addr] %}
-no ip pim rp {{ rp_addr }} {{ group }}
+interface {{ iface }}
+ ip pim
+{%         if iface_config.bfd is vyos_defined %}
+ ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }}
+{%         endif %}
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ip pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ip pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ip pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ip pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ip pim passive
+{%         endif %}
+{%         if iface_config.source_address is vyos_defined %}
+ ip pim use-source {{ iface_config.source_address }}
+{%         endif %}
+{%         if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %}
+ ip igmp
+{%             if iface_config.igmp.query_interval %}
+ ip igmp query-interval {{ iface_config.igmp.query_interval }}
+{%             endif %}
+{%             if iface_config.igmp.query_max_response_time %}
+ ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }}
+{%             endif %}
+{%             if iface_config.igmp.version is vyos_defined %}
+ ip igmp version {{ iface_config.igmp.version }}
+{%             endif %}
+{%             if iface_config.igmp.join is vyos_defined %}
+{%                 for join, join_config in iface_config.igmp.join.items() %}
+{%                     if join_config.source_address is vyos_defined %}
+{%                         for source_address in join_config.source_address %}
+ ip igmp join {{ join }} {{ source_address }}
+{%                         endfor %}
+{%                     else %}
+ ip igmp join {{ join }}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+exit
 {%     endfor %}
-{% endfor %}
-{% if old_pim.rp_keep_alive %}
-no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }}
 {% endif %}
-{% for iface in old_pim.ifaces %}
-interface {{ iface }}
-no ip pim
-!
-{% endfor %}
-{% for iface in pim.ifaces %}
-interface {{ iface }}
-ip pim
-{%     if pim.ifaces[iface].dr_prio %}
-ip pim drpriority {{ pim.ifaces[iface].dr_prio }}
-{%     endif %}
-{%     if pim.ifaces[iface].hello %}
-ip pim hello {{ pim.ifaces[iface].hello }}
-{%     endif %}
 !
-{% endfor %}
-{% for rp_addr in pim.rp %}
-{%     for group in pim.rp[rp_addr] %}
-ip pim rp {{ rp_addr }} {{ group }}
+{% if ecmp is vyos_defined %}
+ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }}
+{% endif %}
+{% if join_prune_interval is vyos_defined %}
+ip pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ip pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ip pim packets {{ packets }}
+{% endif %}
+{% if register_accept_list.prefix_list is vyos_defined %}
+ip pim register-accept-list {{ register_accept_list.prefix_list }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ip pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         for group in address_config.group %}
+ip pim rp {{ address }} {{ group }}
+{%         endfor %}
 {%     endfor %}
-{% endfor %}
-{% if pim.rp_keep_alive %}
-ip pim rp keep-alive-timer {{ pim.rp_keep_alive }}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ip pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
+{% if no_v6_secondary is vyos_defined %}
+no ip pim send-v6-secondary
+{% endif %}
+{% if spt_switchover.infinity_and_beyond is vyos_defined %}
+ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }}
+{% endif %}
+{% if ssm.prefix_list is vyos_defined %}
+ip pim ssm prefix-list {{ ssm.prefix_list }}
+{% endif %}
+!
+{% if igmp.watermark_warning is vyos_defined %}
+ip igmp watermark-warn {{ igmp.watermark_warning }}
 {% endif %}
 !
diff --git a/data/templates/frr/zebra.segment_routing.frr.j2 b/data/templates/frr/zebra.segment_routing.frr.j2
new file mode 100644
index 000000000..7b12fcdd0
--- /dev/null
+++ b/data/templates/frr/zebra.segment_routing.frr.j2
@@ -0,0 +1,23 @@
+!
+{% if srv6.locator is vyos_defined %}
+segment-routing
+ srv6
+  locators
+{%     for locator, locator_config in srv6.locator.items() %}
+   locator {{ locator }}
+{%         if locator_config.prefix is vyos_defined %}
+    prefix {{ locator_config.prefix }} block-len {{ locator_config.block_len }} node-len {{ locator_config.node_len }} func-bits {{ locator_config.func_bits }}
+{%         endif %}
+{%         if locator_config.behavior_usid is vyos_defined %}
+    behavior usid
+{%         endif %}
+    exit
+    !
+{%     endfor %}
+  exit
+  !
+exit
+!
+exit
+!
+{% endif %}
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
new file mode 100644
index 000000000..278ffbf2c
--- /dev/null
+++ b/data/templates/grub/grub_common.j2
@@ -0,0 +1,23 @@
+# load EFI video modules
+if [ "${grub_platform}" == "efi" ]; then
+    insmod efi_gop
+    insmod efi_uga
+fi
+
+# create and activate serial console
+function setup_serial {
+    # initialize the first serial port by default
+    if [ "${console_type}" == "ttyS" ]; then
+        serial --unit=${console_num}
+    else
+        serial --unit=0
+    fi
+    terminal_output --append serial console
+    terminal_input --append serial console
+}
+
+setup_serial
+
+{% if search_root %}
+{{ search_root }}
+{% endif %}
diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2
new file mode 100644
index 000000000..887d5d0bd
--- /dev/null
+++ b/data/templates/grub/grub_compat.j2
@@ -0,0 +1,63 @@
+{# j2lint: disable=S6 #}
+### Generated by VyOS image-tools v.{{ tools_version }} ###
+{% macro menu_name(mode) -%}
+{% if mode == 'normal' -%}
+    VyOS
+{%- elif mode == 'pw_reset' -%}
+    Lost password change
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_name(type) -%}
+{% if type == 'tty' -%}
+    KVM
+{%- elif type == 'ttyS' -%}
+    Serial
+{%- elif type == 'ttyUSB' -%}
+    USB
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_opts(type) -%}
+{% if type == 'tty' -%}
+    console=ttyS0,115200 console=tty0
+{%- elif type == 'ttyS' -%}
+    console=tty0 console=ttyS0,115200
+{%- elif type == 'ttyUSB' -%}
+    console=tty0 console=ttyUSB0,115200
+{%- else -%}
+    console=tty0 console=ttyS0,115200
+{%- endif %}
+{%- endmacro %}
+{% macro passwd_opts(mode) -%}
+{% if mode == 'pw_reset' -%}
+    init=/opt/vyatta/sbin/standalone_root_pw_reset
+{%- endif %}
+{%- endmacro %}
+set default={{ default }}
+set timeout={{ timeout }}
+{% if console_type == 'ttyS' %}
+serial --unit={{ console_num }} --speed=115200
+{% else %}
+serial --unit=0 --speed=115200
+{% endif %}
+terminal_output --append serial
+terminal_input serial console
+{% for mod in modules %}
+insmod {{ mod }}
+{% endfor %}
+{% if root %}
+set root={{ root }}
+{% endif %}
+{% if search_root %}
+{{ search_root }}
+{% endif %}
+
+{% for v in versions %}
+menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" {
+    linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }}
+    initrd /boot/{{ v.version }}/initrd.img
+}
+{% endfor %}
diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2
new file mode 100644
index 000000000..0c7ea0202
--- /dev/null
+++ b/data/templates/grub/grub_main.j2
@@ -0,0 +1,7 @@
+load_env
+insmod regexp
+
+for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg
+do
+    source ${cfgfile}
+done
diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2
new file mode 100644
index 000000000..e73005f5d
--- /dev/null
+++ b/data/templates/grub/grub_menu.j2
@@ -0,0 +1,5 @@
+for cfgfile in ${config_directory}/vyos-versions/*.cfg
+do
+    source "${cfgfile}"
+done
+source ${config_directory}/50-vyos-options.cfg
diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2
new file mode 100644
index 000000000..24b540c9d
--- /dev/null
+++ b/data/templates/grub/grub_modules.j2
@@ -0,0 +1,3 @@
+{% for mod_name in mods_list %}
+insmod {{ mod_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2
new file mode 100644
index 000000000..c8a1472e1
--- /dev/null
+++ b/data/templates/grub/grub_options.j2
@@ -0,0 +1,52 @@
+submenu "Boot options" {
+    submenu "Select boot mode" {
+        menuentry "Normal" {
+            set bootmode="normal"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Password reset" {
+            set bootmode="pw_reset"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "System recovery" {
+            set bootmode="recovery"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Load the whole root filesystem to RAM" {
+            set boot_toram="yes"
+            export boot_toram
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    submenu "Select console type" {
+        menuentry "tty (graphical)" {
+            set console_type="tty"
+            export console_type
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyS (serial)" {
+            set console_type="ttyS"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyUSB (USB serial)" {
+            set console_type="ttyUSB"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    menuentry "Enter console number" {
+        read console_num
+        export console_num
+        setup_serial
+        configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+    }
+    menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" {
+        echo
+    }
+}
diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2
new file mode 100644
index 000000000..e0002e8d8
--- /dev/null
+++ b/data/templates/grub/grub_vars.j2
@@ -0,0 +1,4 @@
+{% for var_name, var_value in vars.items() %}
+set {{ var_name | e }}="{{ var_value | e }}"
+export {{ var_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
new file mode 100644
index 000000000..97fbe8473
--- /dev/null
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -0,0 +1,22 @@
+{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %}
+{% if boot_opts != '' %}
+{%     set boot_opts_rendered = boot_opts %}
+{% else %}
+{%     set boot_opts_rendered = boot_opts_default %}
+{% endif %}
+menuentry "{{ version_name }}" --id {{ version_uuid }} {
+    set boot_opts="{{ boot_opts_rendered }}"
+    # load rootfs to RAM
+    if [ "${boot_toram}" == "yes" ]; then
+        set boot_opts="${boot_opts} toram"
+    fi
+    if [ "${bootmode}" == "pw_reset" ]; then
+        set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+    elif [ "${bootmode}" == "recovery" ]; then
+        set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+    else
+        set boot_opts="${boot_opts} console=${console_type}${console_num}"
+    fi
+    linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
+    initrd "/boot/{{ version_name }}/initrd.img"
+}
diff --git a/data/templates/high-availability/10-override.conf.j2 b/data/templates/high-availability/10-override.conf.j2
new file mode 100644
index 000000000..c153f09b4
--- /dev/null
+++ b/data/templates/high-availability/10-override.conf.j2
@@ -0,0 +1,16 @@
+### Autogenerated by ${vyos_conf_scripts_dir}/high-availability.py ###
+{% set snmp = '--snmp' if vrrp.snmp is vyos_defined else '' %}
+[Unit]
+After=vyos-router.service
+# Only start if there is our configuration file - remove Debian default
+# config file from the condition list
+ConditionFileNotEmpty=
+ConditionFileNotEmpty=/run/keepalived/keepalived.conf
+
+[Service]
+KillMode=process
+Type=simple
+# Read configuration variable file if it is present
+ExecStart=
+ExecStart=/usr/sbin/keepalived --use-file /run/keepalived/keepalived.conf --pid /run/keepalived/keepalived.pid --dont-fork {{ snmp }}
+PIDFile=/run/keepalived/keepalived.pid
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index b541ff309..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,64 +1,65 @@
-### Autogenerated by https.py ###
-# Default server configuration
+### Autogenerated by service_https.py ###
 
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
 server {
-        # SSL configuration
-        #
-{%     if server.address == '*' %}
-        listen {{ server.port }} ssl;
-        listen [::]:{{ server.port }} ssl;
-{%     else %}
-        listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{%     endif %}
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
 
-{%     for name in server.name %}
-        server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
 {%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
 
-        root /srv/localui;
+    server_name {{ hostname }};
+    root /srv/localui;
 
-{%     if server.certbot %}
-        ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
-        ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
-        include {{ server.certbot_dir }}/options-ssl-nginx.conf;
-        ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{%     elif server.vyos_cert %}
-        ssl_certificate {{ server.vyos_cert.crt }};
-        ssl_certificate_key {{ server.vyos_cert.key }};
-{%     else %}
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        include snippets/snakeoil.conf;
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
 {%     endif %}
-        ssl_protocols TLSv1.2 TLSv1.3;
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
 
-        # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) {
-{%     if server.api %}
-{%         if server.api.socket %}
-                proxy_pass http://unix:/run/api.sock;
-{%         else %}
-                proxy_pass http://localhost:{{ server.api.port }};
-{%         endif %}
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_read_timeout 600;
-                proxy_buffering off;
-{%     else %}
-                return 503;
-{%     endif %}
-{%     if server.allow_client %}
-{%         for client in server.allow_client %}
-                allow {{ client }};
-{%         endfor %}
-                deny all;
-{%     endif %}
-        }
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
 
-        error_page 497 =301 https://$host:{{ server.port }}$request_uri;
-}
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
-{% endfor %}
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index fb424e06c..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,9 +3,11 @@
 Description=VyOS HTTP API service
 After=vyos-router.service
 Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
 
 [Service]
 ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
+ExecReload=kill -HUP $MAINPID
 Type=idle
 
 SyslogIdentifier=vyos-http-api
@@ -19,4 +21,3 @@ Group=vyattacfg
 
 [Install]
 WantedBy=vyos.target
-
diff --git a/data/templates/igmp-proxy/igmpproxy.conf.j2 b/data/templates/igmp-proxy/igmpproxy.conf.j2
index ab3c9fd31..85a04de7d 100644
--- a/data/templates/igmp-proxy/igmpproxy.conf.j2
+++ b/data/templates/igmp-proxy/igmpproxy.conf.j2
@@ -1,6 +1,6 @@
 ########################################################
 #
-# autogenerated by igmp_proxy.py
+# autogenerated by protocols_igmp-proxy.py
 #
 # The configuration file must define one upstream interface, and one or more
 # downstream interfaces.
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 60d2d1807..01dc8a4a7 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -29,8 +29,10 @@
 {% endif %}
         }
         remote {
+{% if rw_conf.authentication.client_mode == 'x509' %}
+            auth = pubkey
+{% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
-{% if rw_conf.authentication.client_mode.startswith("eap") %}
             eap_id = %any
 {% endif %}
         }
diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2
index 3c499197d..2238fe1c4 100644
--- a/data/templates/lldp/lldpd.j2
+++ b/data/templates/lldp/lldpd.j2
@@ -1,2 +1,2 @@
-### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4 {{ '-x' if snmp.enable is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
+### Autogenerated by service_lldp.py ###
+DAEMON_ARGS="-M 4 {{ '-x' if snmp is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2
index dfa422ab8..4b4228cea 100644
--- a/data/templates/lldp/vyos.conf.j2
+++ b/data/templates/lldp/vyos.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by lldp.py ###
+### Autogenerated by service_lldp.py ###
 
 configure system platform VyOS
 configure system description "VyOS {{ version }}"
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 0a40e1ecf..849cef74d 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -1,4 +1,4 @@
-# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+### Autogenerated by load-balancing_reverse-proxy.py ###
 
 global
     log /dev/log local0
@@ -50,13 +50,19 @@ defaults
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
 frontend {{ front }}
-{%         set ssl_front =  'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{%         set ssl_front = [] %}
+{%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
+{%             for cert in front_config.ssl.certificate %}
+{%                 set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
+{%             endfor %}
+{%         endif %}
+{%         set ssl_directive = 'ssl' if ssl_front else '' %}
 {%         if front_config.listen_address is vyos_defined %}
 {%             for address in front_config.listen_address %}
-    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%             endfor %}
 {%         else %}
-    bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+    bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%         endif %}
 {%         if front_config.redirect_http_to_https is vyos_defined %}
     http-request redirect scheme https unless { ssl_fc }
@@ -146,7 +152,7 @@ backend {{ back }}
 {%         if back_config.server is vyos_defined %}
 {%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
 {%             for server, server_config in back_config.server.items() %}
-    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
 {%             endfor %}
 {%         endif %}
 {%         if back_config.timeout.check is vyos_defined %}
@@ -161,4 +167,3 @@ backend {{ back }}
 
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2
index d3326b6b8..6557b6f4c 100644
--- a/data/templates/load-balancing/wlb.conf.j2
+++ b/data/templates/load-balancing/wlb.conf.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/load-balancing-wan.py
+### Autogenerated by load-balancing_wan.py ###
 
 {% if disable_source_nat is vyos_defined %}
 disable-source-nat
@@ -41,7 +41,7 @@ health {
                 test-script {{ test_config.test_script }}
 {%                     endif %}
 {%                     if test_config.target is vyos_defined %}
-                target {{ test_config.target }} 
+                target {{ test_config.target }}
 {%                     endif %}
                 resp-time {{ test_config.resp_time | int * 1000 }}
             }
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index aabca47cf..695b66abe 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,4 +1,4 @@
-### Automatically generated by system-login.py ###
+### Automatically generated by system_login.py ###
 
 {% if authentication.public_keys is vyos_defined %}
 {%     for key, key_options in authentication.public_keys.items() %}
@@ -6,4 +6,3 @@
 {{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2
index 5e2c11f35..31abc85dd 100644
--- a/data/templates/login/limits.j2
+++ b/data/templates/login/limits.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/system-login.py
+# Generated by system_login.py
 
 {% if max_login_session is vyos_defined %}
 * - maxsyslogins {{ max_login_session }}
diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2
index 65dc88291..0adfb491c 100644
--- a/data/templates/login/nsswitch.conf.j2
+++ b/data/templates/login/nsswitch.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# automatically generated by system_login.py ###
 # /etc/nsswitch.conf
 #
 # Example configuration of GNU Name Service Switch functionality.
@@ -18,4 +18,3 @@ ethers:         db files
 rpc:            db files
 
 netgroup:       nis
-
diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2
index c61154753..75437ca71 100644
--- a/data/templates/login/pam_radius_auth.conf.j2
+++ b/data/templates/login/pam_radius_auth.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+### Automatically generated by system_login.py ###
 # RADIUS configuration file
 
 {% if radius is vyos_defined %}
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2
index 5a65d6e68..23e8e495e 100644
--- a/data/templates/login/tacplus_servers.j2
+++ b/data/templates/login/tacplus_servers.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# Automatically generated by system_login.py
 # TACACS+ configuration file
 
 # This is a common file used by audisp-tacplus, libpam_tacplus, and
@@ -56,4 +56,3 @@ user_homedir=1
 
 service=shell
 protocol=ssh
-
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
index 1f7ba16f4..4bb762935 100644
--- a/data/templates/macsec/wpa_supplicant.conf.j2
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_macsec.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..cc6495817 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
-### Autogenerated by service_mdns-repeater.py ###
+### Autogenerated by service_mdns_repeater.py ###
 [server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
 allow-interfaces={{ interface | join(', ') }}
 {% if browse_domain is vyos_defined and browse_domain | length %}
 browse-domains={{ browse_domain | join(', ') }}
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
 publish-addresses=no
 publish-hinfo=no
 publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
 
 [reflector]
 enable-reflector=yes
diff --git a/data/templates/mdns-repeater/override.conf.j2 b/data/templates/mdns-repeater/override.conf.j2
new file mode 100644
index 000000000..8c8187489
--- /dev/null
+++ b/data/templates/mdns-repeater/override.conf.j2
@@ -0,0 +1,7 @@
+[Unit]
+After=vyos-router.service
+ConditionPathExists={{ config_file }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/avahi-daemon --syslog --file {{ config_file }}
diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2
index 120fa0a64..6369dbdeb 100644
--- a/data/templates/ndppd/ndppd.conf.j2
+++ b/data/templates/ndppd/ndppd.conf.j2
@@ -1,44 +1,35 @@
-########################################################
-#
-# autogenerated by nat66.py
-#
-#   The configuration file must define one upstream
-#   interface.
-#
-#   For some services, such as nat66, because it runs
-#    stateless, it needs to rely on NDP Proxy to respond
-#   to NDP requests.
-#
-#   When using nat66 source rules, NDP Proxy needs
-#   to be enabled
-#
-########################################################
+# autogenerated by service_ndp-proxy.py
 
-{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
-{% if source.rule is vyos_defined %}
-{%     for rule, config in source.rule.items() if config.disable is not defined %}
-{%         if config.outbound_interface is vyos_defined %}
-{%             if config.outbound_interface not in global.ndppd_interfaces %}
-{%                 set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
-{%             endif   %}
-{%             if config.translation.address is vyos_defined and config.translation.address | is_ip_network %}
-{%                 set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
-{%             endif %}
-{%         endif %}
-{%     endfor %}
-{% endif %}
+# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
+route-ttl {{ route_refresh }}
+
+{% if interface is vyos_defined %}
+# This sets up a listener, that will listen for any Neighbor Solicitation
+# messages, and respond to them according to a set of rules
+{%     for iface, iface_config in interface.items() if iface_config.disable is not vyos_defined %}
+proxy {{ iface }} {
+    # Turn on or off the router flag for Neighbor Advertisements
+    router {{ 'yes' if iface_config.enable_router_bit is vyos_defined else 'no' }}
+    # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
+    timeout {{ iface_config.timeout }}
+    # Control how long a valid or invalid entry remains in the cache (milliseconds)
+    ttl {{ iface_config.ttl }}
 
-{% for interface in global.ndppd_interfaces %}
-proxy {{ interface }} {
-    router yes
-    timeout 500
-    ttl 30000
-{%     for map in global.ndppd_prefixs %}
-{%         if map.interface == interface %}
-    rule {{ map.rule }} {
-        static
+{%         if iface_config.prefix is vyos_defined %}
+    # This is a rule that the target address is to match against. If no netmask
+    # is provided, /128 is assumed. You may have several rule sections, and the
+    # addresses may or may not overlap.
+{%             for prefix, prefix_config in iface_config.prefix.items() if prefix_config.disable is not vyos_defined %}
+    rule {{ prefix }} {
+{%                 if prefix_config.mode is vyos_defined('interface') %}
+        iface {{ prefix_config.interface }}
+{%                 else %}
+        {{ prefix_config.mode }}
+{%                 endif %}
     }
-{%         endif  %}
-{%     endfor   %}
+{%             endfor %}
+{%         endif %}
 }
-{% endfor %}
+
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1401b8b26..b5e890c32 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -119,4 +119,21 @@ split-dns = {{ tmp }}
 {%     for grp in authentication.group %}
 select-group = {{ grp }}
 {%     endfor %}
-{% endif %}
\ No newline at end of file
+{% endif %}
+
+{% if http_security_headers is vyos_defined %}
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src "none"
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2
index 218121062..9f9b31e7a 100644
--- a/data/templates/openvpn/auth.pw.j2
+++ b/data/templates/openvpn/auth.pw.j2
@@ -1,4 +1,4 @@
-{# Autogenerated by interfaces-openvpn.py #}
+{# Autogenerated by interfaces_openvpn.py #}
 {% if authentication is vyos_defined %}
 {{ authentication.username }}
 {{ authentication.password }}
diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2
index 2e327e4d3..9edcdc8ae 100644
--- a/data/templates/openvpn/client.conf.j2
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 
 {% if ip is vyos_defined %}
 ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index f76fbbe79..64c8e8086 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 #
 # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 # for individual keyword definition
@@ -74,26 +74,17 @@ topology {{ server.topology }}
 {%             endif %}
 {%             for subnet in server.subnet %}
 {%                 if subnet | is_ipv4 %}
-server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nopool' if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined else '' }}
 {# First ip address is used as gateway. It's allows to use metrics #}
 {%                     if server.push_route is vyos_defined %}
 {%                         for route, route_config in server.push_route.items() %}
 {%                             if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
 {%                             elif route | is_ipv6 %}
 push "route-ipv6 {{ route }}"
 {%                             endif %}
 {%                         endfor %}
 {%                     endif %}
-{# OpenVPN assigns the first IP address to its local interface so the pool used #}
-{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{%                     if server.topology is vyos_defined('net30') %}
-ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{%                     else %}
-{# OpenVPN assigns the first IP address to its local interface so the pool must #}
-{# start from the second address and end on the last address #}
-ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{%                     endif %}
 {%                 elif subnet | is_ipv6 %}
 server-ipv6 {{ subnet }}
 {%                 endif %}
diff --git a/data/templates/pmacct/override.conf.j2 b/data/templates/pmacct/override.conf.j2
index 213569ddc..44a100bb6 100644
--- a/data/templates/pmacct/override.conf.j2
+++ b/data/templates/pmacct/override.conf.j2
@@ -9,9 +9,9 @@ ConditionPathExists=/run/pmacct/uacctd.conf
 EnvironmentFile=
 ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf
+ExecStop=/usr/libexec/vyos/system/uacctd_stop.py $MAINPID 60
 WorkingDirectory=
 WorkingDirectory=/run/pmacct
-PIDFile=
-PIDFile=/run/pmacct/uacctd.pid
 Restart=always
 RestartSec=10
+KillMode=mixed
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index 1370f8121..aae0a0619 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -1,7 +1,7 @@
 # Genereated from VyOS configuration
 daemonize: true
 promisc: false
-pidfile: /run/pmacct/uacctd.pid
+syslog: daemon
 uacctd_group: 2
 uacctd_nl_size: 2097152
 snaplen: {{ packet_length }}
diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2
index f30cefe63..efe47f369 100644
--- a/data/templates/pppoe/peer.j2
+++ b/data/templates/pppoe/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-pppoe.py ###
+### Autogenerated by interfaces_pppoe.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
@@ -50,7 +50,7 @@ ifname {{ ifname }}
 ipparam {{ ifname }}
 debug
 mtu {{ mtu }}
-mru {{ mtu }}
+mru {{ mru }}
 
 {% if authentication is vyos_defined %}
 {{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }}
diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2
index cc535c48f..ea33fea4f 100644
--- a/data/templates/rsyslog/logrotate.j2
+++ b/data/templates/rsyslog/logrotate.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 /var/log/messages {
   missingok
   notifempty
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index dff904129..97e0ee0b7 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 
 {% if global.marker is vyos_defined %}
 $ModLoad immark
@@ -15,7 +15,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 {% if global.facility is vyos_defined %}
 {%     set tmp = [] %}
 {%     for facility, facility_options in global.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} :omfile:$global
 {% endif %}
@@ -27,7 +27,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }}
 {%         if file_options.facility is vyos_defined %}
 {%             for facility, facility_options in file_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omfile:${{ file }}
@@ -38,7 +38,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 # Console logging
 {%     set tmp = [] %}
 {%     for facility, facility_options in console.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} /dev/console
 {% endif %}
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if host_options.facility is vyos_defined %}
 {%             for facility, facility_options in host_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {%         if host_options.protocol is vyos_defined('tcp') %}
@@ -70,7 +70,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if user_options.facility is vyos_defined %}
 {%             for facility, facility_options in user_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omusrmsg:{{ username }}
diff --git a/data/templates/salt-minion/minion.j2 b/data/templates/salt-minion/minion.j2
index f4001db64..a69438f0b 100644
--- a/data/templates/salt-minion/minion.j2
+++ b/data/templates/salt-minion/minion.j2
@@ -1,4 +1,4 @@
-### Autogenerated by salt-minion.py ###
+### Autogenerated by service_salt-minion.py ###
 
 ##### Primary configuration settings #####
 ##########################################
diff --git a/data/templates/snmp/etc.snmp.conf.j2 b/data/templates/snmp/etc.snmp.conf.j2
index 8012cf6bb..c214b2266 100644
--- a/data/templates/snmp/etc.snmp.conf.j2
+++ b/data/templates/snmp/etc.snmp.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if trap_source is vyos_defined %}
 clientaddr {{ trap_source }}
 {% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 9d78d479a..b1ceb0451 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 
 # non configurable defaults
 sysObjectID 1.3.6.1.4.1.44641
@@ -56,6 +56,16 @@ SysDescr {{ description }}
 {% endif %}
 agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }}
 
+{% if mib is vyos_defined %}
+# Interface MIB limits
+{%     if mib.interface_max is vyos_defined %}
+ifmib_max_num_ifaces {{ mib.interface_max }}
+{%     endif %}
+{%     if mib.interface is vyos_defined %}
+include_ifmib_iface_prefix {{ mib.interface | join(' ') }}
+{%     endif %}
+{% endif %}
+
 # SNMP communities
 {% if community is vyos_defined %}
 {%     for comm, comm_config in community.items() %}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 443ee64db..42dc7a9d2 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -10,4 +10,3 @@ ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
 Restart=always
 RestartSec=10
-
diff --git a/data/templates/snmp/usr.snmpd.conf.j2 b/data/templates/snmp/usr.snmpd.conf.j2
index a713c1cec..189032bb0 100644
--- a/data/templates/snmp/usr.snmpd.conf.j2
+++ b/data/templates/snmp/usr.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if v3.user is vyos_defined %}
 {%     for user, user_config in v3.user.items() %}
 {{ user_config.mode }}user {{ user }}
diff --git a/data/templates/snmp/var.snmpd.conf.j2 b/data/templates/snmp/var.snmpd.conf.j2
index 012f33aeb..afab88abc 100644
--- a/data/templates/snmp/var.snmpd.conf.j2
+++ b/data/templates/snmp/var.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 # user
 {% if v3 is vyos_defined %}
 {%     if v3.user is vyos_defined %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 422969ed8..650fd25e6 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 # https://linux.die.net/man/5/sshd_config
 
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
index 58c6ad48d..2e7507416 100644
--- a/data/templates/ssh/sshguard_config.j2
+++ b/data/templates/ssh/sshguard_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection is vyos_defined %}
 # Full path to backend executable (required, no default)
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
index 47a950a2b..194fa29df 100644
--- a/data/templates/ssh/sshguard_whitelist.j2
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection.allow_from is vyos_defined %}
 {%     for address in dynamic_protection.allow_from %}
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 745a09e14..d38e53f15 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-sstpc.py ###
+### Autogenerated by interfaces_sstpc.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2
index 215c4c5c2..0737cd3f8 100644
--- a/data/templates/system/proxy.j2
+++ b/data/templates/system/proxy.j2
@@ -1,4 +1,4 @@
-# generated by system-proxy.py
+### autogenerated by system_proxy.py ###
 {% if url is vyos_defined and port is vyos_defined %}
 {# remove http:// prefix so we can inject a username/password if present #}
 export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }}
diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2
index 59a19e157..db699c3d8 100644
--- a/data/templates/system/sysctl.conf.j2
+++ b/data/templates/system/sysctl.conf.j2
@@ -1,7 +1,7 @@
-# autogenerated by system_sysctl.py

-

-{% if parameter is vyos_defined %}

-{%     for k, v in parameter.items() %}

-{{ k }} = {{ v.value }}

-{%     endfor %}

-{% endif %}

+# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{%     for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 5852d6232..9623bdec6 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -90,6 +90,8 @@
 [[inputs.diskio]]
 [[inputs.mem]]
 [[inputs.net]]
+    ignore_protocol_stats = true
+[[inputs.nstat]]
 [[inputs.system]]
 [[inputs.netstat]]
 [[inputs.processes]]
diff --git a/data/templates/tftp-server/default.j2 b/data/templates/tftp-server/default.j2
index b2676e0aa..d9ce847de 100644
--- a/data/templates/tftp-server/default.j2
+++ b/data/templates/tftp-server/default.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=jinja-variable-format #}
-### Autogenerated by tftp_server.py ###
+### Autogenerated by service_tftp-server.py ###
 DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}"
 {% if vrf is vyos_defined %}
 VRF_ARGS="ip vrf exec {{ vrf }}"
diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2
deleted file mode 100644
index a2c2b04ed..000000000
--- a/data/templates/vpp/override.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=
-ConditionPathExists=/run/vpp/vpp.conf
-
-[Service]
-EnvironmentFile=
-ExecStart=
-ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf
-WorkingDirectory=
-WorkingDirectory=/run/vpp
-Restart=always
-RestartSec=10
diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2
deleted file mode 100644
index f33539fba..000000000
--- a/data/templates/vpp/startup.conf.j2
+++ /dev/null
@@ -1,116 +0,0 @@
-# Generated by /usr/libexec/vyos/conf_mode/vpp.py
-
-unix {
-    nodaemon
-    log /var/log/vpp.log
-    full-coredump
-    cli-listen /run/vpp/cli.sock
-    gid vpp
-    # exec /etc/vpp/bootstrap.vpp
-{% if unix is vyos_defined %}
-{%     if unix.poll_sleep_usec is vyos_defined %}
-    poll-sleep-usec {{ unix.poll_sleep_usec }}
-{%     endif %}
-{% endif %}
-}
-
-{% if cpu is vyos_defined %}
-cpu {
-{%     if cpu.main_core is vyos_defined %}
-    main-core {{ cpu.main_core }}
-{%     endif %}
-{%     if cpu.corelist_workers is vyos_defined %}
-    corelist-workers {{ cpu.corelist_workers | join(',') }}
-{%     endif %}
-{%     if cpu.skip_cores is vyos_defined %}
-    skip-cores {{ cpu.skip_cores }}
-{%     endif %}
-{%     if cpu.workers is vyos_defined %}
-    workers {{ cpu.workers }}
-{%     endif %}
-}
-{% endif %}
-
-{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #}
-{# vlib_call_all_config_functions: unknown input `ip  heap-size 32M ' #}
-{% if ip is vyos_defined %}
-#ip {
-#{%     if ip.heap_size is vyos_defined %}
-#    heap-size {{ ip.heap_size }}M
-#{%     endif %}
-#}
-{% endif %}
-
-{% if ip6 is vyos_defined %}
-ip6 {
-{%     if ip6.hash_buckets is vyos_defined %}
-    hash-buckets {{ ip6.hash_buckets }}
-{%     endif %}
-{%     if ip6.heap_size is vyos_defined %}
-    heap-size {{ ip6.heap_size }}M
-{%     endif %}
-}
-{% endif %}
-
-{% if l2learn is vyos_defined %}
-l2learn {
-{%     if l2learn.limit is vyos_defined %}
-    limit {{ l2learn.limit }}
-{%     endif %}
-}
-{% endif %}
-
-{% if logging is vyos_defined %}
-logging {
-{%     if logging.default_log_level is vyos_defined %}
-    default-log-level {{ logging.default_log_level }}
-{%     endif %}
-}
-{% endif %}
-
-{% if physmem is vyos_defined %}
-physmem {
-{%     if physmem.max_size is vyos_defined %}
-    max-size {{ physmem.max_size.upper() }}
-{%     endif %}
-}
-{% endif %}
-
-plugins {
-    path /usr/lib/x86_64-linux-gnu/vpp_plugins/
-    plugin default { disable }
-    plugin dpdk_plugin.so { enable }
-    plugin linux_cp_plugin.so { enable }
-    plugin linux_nl_plugin.so { enable }
-}
-
-linux-cp {
-    lcp-sync
-    lcp-auto-subint
-}
-
-dpdk {
-    # Whitelist the fake PCI address 0000:00:00.0
-    # This prevents all devices from being added to VPP-DPDK by default
-    dev 0000:00:00.0
-{% for iface, iface_config in interface.items() %}
-{%     if iface_config.pci is vyos_defined %}
-    dev {{ iface_config.pci }} {
-        name {{ iface }}
-{%         if iface_config.num_rx_desc is vyos_defined %}
-        num-rx-desc {{ iface_config.num_rx_desc }}
-{%         endif %}
-{%         if iface_config.num_tx_desc is vyos_defined %}
-        num-tx-desc {{ iface_config.num_tx_desc }}
-{%         endif %}
-{%         if iface_config.num_rx_queues is vyos_defined %}
-        num-rx-queues {{ iface_config.num_rx_queues }}
-{%         endif %}
-{%         if iface_config.num_tx_queues is vyos_defined %}
-        num-tx-queues {{ iface_config.num_tx_queues }}
-{%         endif %}
-        }
-{%     endif %}
-{% endfor %}
-    uio-bind-force
-}
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2
index c3f32da72..83009242b 100644
--- a/data/templates/wifi/hostapd.conf.j2
+++ b/data/templates/wifi/hostapd.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=operator-enclosed-by-spaces #}
-### Autogenerated by interfaces-wireless.py ###
+### Autogenerated by interfaces_wireless.py ###
 {% if description is vyos_defined %}
 # Description: {{ description }}
 # User-friendly description of device; up to 32 octets encoded in UTF-8
diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index 01e0d632f..ac857a04a 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_wireless.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf