summaryrefslogtreecommitdiff
path: root/data/templates
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates')
-rw-r--r--data/templates/dhcp-client/ipv4.tmpl7
-rw-r--r--data/templates/frr/bgp.frr.tmpl175
-rw-r--r--data/templates/frr/ldpd.frr.tmpl115
-rw-r--r--data/templates/https/nginx.default.tmpl2
-rw-r--r--data/templates/openvpn/client.conf.tmpl50
-rw-r--r--data/templates/openvpn/server.conf.tmpl363
-rw-r--r--data/templates/wifi/hostapd.conf.tmpl42
-rw-r--r--data/templates/wifi/wpa_supplicant.conf.tmpl70
-rw-r--r--data/templates/wwan/chat.tmpl4
-rw-r--r--data/templates/wwan/peer.tmpl6
10 files changed, 533 insertions, 301 deletions
diff --git a/data/templates/dhcp-client/ipv4.tmpl b/data/templates/dhcp-client/ipv4.tmpl
index 8a44a9761..71b429db6 100644
--- a/data/templates/dhcp-client/ipv4.tmpl
+++ b/data/templates/dhcp-client/ipv4.tmpl
@@ -12,8 +12,13 @@ interface "{{ ifname }}" {
{% if dhcp_options.vendor_class_id is defined and dhcp_options.vendor_class_id is not none %}
send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
{% endif %}
- request subnet-mask, broadcast-address, routers, domain-name-servers,
+ # The request statement causes the client to request that any server responding to the
+ # client send the client its values for the specified options.
+ request subnet-mask, broadcast-address,{{ " routers," if dhcp_options.no_default_route is not defined }} domain-name-servers,
rfc3442-classless-static-routes, domain-name, interface-mtu;
+
+ # The require statement lists options that must be sent in order for an offer to be
+ # accepted. Offers that do not contain all the listed options will be ignored!
require subnet-mask;
}
diff --git a/data/templates/frr/bgp.frr.tmpl b/data/templates/frr/bgp.frr.tmpl
index d011a1e85..d0857ac2c 100644
--- a/data/templates/frr/bgp.frr.tmpl
+++ b/data/templates/frr/bgp.frr.tmpl
@@ -14,10 +14,9 @@ router bgp {{ asn }}
{%- if type == "ipv4_unicast" %}
!
address-family ipv4 unicast
-{# need to check #}
{%- if 'aggregate_address' in bgp_afi[type] %}
{%- for ip in bgp_afi[type].aggregate_address %}
-{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %}
+{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %}
aggregate-address {{ ip }} as-set summary-only
{%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %}
aggregate-address {{ ip }} as-set
@@ -28,23 +27,20 @@ router bgp {{ asn }}
{%- endif %}
{%- endfor %}
{%- endif %}
-{# END aggregate address#}
-{#- redistribute #}
-{# need to check. dont work.
- 'metric' and 'route_map' match also only 'route_map'
- 'table' parameter also include in protocol, its not what I want #}
+{#- END aggregate address ipv4 #}
+
+{#- redistribute afi ipv4 #}
{%- if 'redistribute' in bgp_afi[type] %}
-{%- if 'table' in bgp_afi[type].redistribute %}
- redistribute table {{bgp_afi[type].redistribute.table}}
-{%- endif %}
{%- for protocol in bgp_afi[type].redistribute %}
-{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %}
+{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %}
redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
{%- elif 'metric' in bgp_afi[type].redistribute[protocol] %}
- redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
+ redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
{%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %}
redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
-{%- else %}
+{%- elif 'table' in bgp_afi[type].redistribute %}
+ redistribute table {{bgp_afi[type].redistribute.table}}
+{%- else %}
redistribute {{protocol}}
{%- endif %}
{%- endfor %}
@@ -65,7 +61,7 @@ router bgp {{ asn }}
address-family ipv6 unicast
{%- if 'aggregate_address' in bgp_afi[type] %}
{%- for ip in bgp_afi[type].aggregate_address %}
-{%- if ( ('as_set' and 'summary_only') in bgp_afi[type].aggregate_address[ip] ) %}
+{%- if ( ('as_set' in bgp_afi[type].aggregate_address[ip]) and ('summary_only' in bgp_afi[type].aggregate_address[ip] ) ) %}
aggregate-address {{ ip }} as-set summary-only
{%- elif 'as_set' in bgp_afi[type].aggregate_address[ip] %}
aggregate-address {{ ip }} as-set
@@ -76,22 +72,20 @@ router bgp {{ asn }}
{%- endif %}
{%- endfor %}
{%- endif %}
-{# END aggregate address#}
+{#- END aggregate address ipv6 #}
-{#- redistribute #}
-{# need to check. doesn't work. 'metric' and 'route_map' match also only 'route_map' #}
+{#- redistribute afi ipv6 #}
{%- if 'redistribute' in bgp_afi[type] %}
-{%- if 'table' in bgp_afi[type].redistribute %}
- redistribute table {{bgp_afi[type].redistribute.table}}
-{%- endif %}
{%- for protocol in bgp_afi[type].redistribute %}
-{%- if ( ('metric' and 'route_map') in bgp_afi[type].redistribute[protocol] ) %}
+{%- if ( ('route_map' in bgp_afi[type].redistribute[protocol]) and ('metric' in bgp_afi[type].redistribute[protocol] ) ) %}
redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
{%- elif 'metric' in bgp_afi[type].redistribute[protocol] %}
- redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
+ redistribute {{protocol}} metric {{bgp_afi[type].redistribute[protocol].metric}}
{%- elif 'route_map' in bgp_afi[type].redistribute[protocol] %}
redistribute {{protocol}} route-map {{bgp_afi[type].redistribute[protocol].route_map}}
-{%- else %}
+{%- elif 'table' in bgp_afi[type].redistribute %}
+ redistribute table {{bgp_afi[type].redistribute.table}}
+{%- else %}
redistribute {{protocol}}
{%- endif %}
{%- endfor %}
@@ -206,7 +200,7 @@ router bgp {{ asn }}
neighbor {{ pr_group }} update-source {{ conf_peer_group.update_source }}
{%- endif %}
-{# START peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
+{#- START peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
{%- if 'address_family' in conf_peer_group %}
{%- for afi in conf_peer_group.address_family %}
{%- if afi == "ipv4_unicast" %}
@@ -236,10 +230,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for peer-group #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv4_unicast %}
-{%- if 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
neighbor {{ pr_group }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer_group.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged next-hop
{%- else %}
neighbor {{ pr_group }} attribute-unchanged as-path next-hop med
{%- endif %}
@@ -247,11 +250,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer_group.address_family.ipv4_unicast %}
-{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer_group.address_family.ipv4_unicast.capability %}
+{%- if 'receive' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- endif %}
+{%- if 'send' in conf_peer_group.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -322,7 +327,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Need to check. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer_group.address_family.ipv4_unicast %}
neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv4_unicast.unsuppress_map}}
{%- endif %}
@@ -357,21 +361,39 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for peer-group afi6 #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer_group.address_family.ipv6_unicast %}
-{%- if 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ pr_group }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
neighbor {{ pr_group }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer_group.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ pr_group }} attribute-unchanged next-hop
{%- else %}
neighbor {{ pr_group }} attribute-unchanged as-path next-hop med
{%- endif %}
{%- endif %}
+{#- END attribute-unchanged ipv6 #}
{%- if 'capability' in conf_peer_group.address_family.ipv6_unicast %}
-{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'dynamic' in conf_peer_group.address_family.ipv6_unicast.capability %}
+{#- exit from afi ipv6 unicast because 'dynamic' its a global parameter for peer-group in afi6. Other checks are ongoing in afi6. Also related T3037 #}
+ exit-address-family
+ neighbor {{ pr_group }} capability dynamic
+ address-family ipv6 unicast
+{%- endif %}
+{%- if 'orf' in conf_peer_group.address_family.ipv6_unicast.capability %}
+{%- if 'receive' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list receive
{%- endif %}
-{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'send' in conf_peer_group.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ pr_group }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -442,7 +464,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer_group.address_family.ipv6_unicast %}
neighbor {{ pr_group }} unsuppress-map {{conf_peer_group.address_family.ipv6_unicast.unsuppress_map}}
{%- endif %}
@@ -453,7 +474,7 @@ router bgp {{ asn }}
{%- endfor %}
{%- endif %}
-{# END peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
+{#- END peer-group afi; set protocols bgp xxx peer-group FOO address-family #}
{%- endfor %}
{%- endif %}
@@ -464,7 +485,7 @@ router bgp {{ asn }}
{#- set peer-group as conf_peer #}
{%- set conf_peer = conf_bgp[asn].neighbor[peer] %}
-{#- First parameter for peer-group - remote-as #}
+{#- First parameter for peer neighbor - remote-as #}
{%- if 'remote_as' in conf_peer %}
neighbor {{ peer }} remote-as {{ conf_peer.remote_as }}
{%- endif %}
@@ -491,10 +512,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{%- if 'description' in conf_peer %}
- neighbor {{ peer }} description {{ conf_peer.description }}
-{%- endif %}
-
{%- if 'disable_capability_negotiation' in conf_peer %}
neighbor {{ peer }} disable-capability-negotiation
{%- endif %}
@@ -564,17 +581,21 @@ router bgp {{ asn }}
neighbor {{ peer }} strict-capability-match
{%- endif %}
-{#- Need to check #}
+{#- set protocols bgp xxx neighbor x.x.x.x timers #}
{%- if 'timers' in conf_peer %}
-{%- if ( ('connect' and 'holdtime' and 'keepalive') in conf_peer.timers ) %}
+{%- if ( ('connect' in conf_peer.timers) and ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %}
neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}}
- neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
+ neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
+{%- elif ( ('holdtime' in conf_peer.timers) and ('keepalive' in conf_peer.timers ) ) %}
+ neighbor {{ peer }} timers {{conf_peer.timers.keepalive}} {{conf_peer.timers.holdtime}}
+{%- elif 'connect' in conf_peer.timers %}
+ neighbor {{ peer }} timers connect {{conf_peer.timers.connect}}
{%- endif %}
{%- endif %}
{%- if 'ttl_security' in conf_peer %}
{%- if 'hops' in conf_peer.ttl_security %}
- neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}}
+ neighbor {{ peer }} ttl-security hops {{conf_peer.ttl_security.hops}}
{%- endif %}
{%- endif %}
@@ -582,6 +603,10 @@ router bgp {{ asn }}
neighbor {{ peer }} update-source {{ conf_peer.update_source }}
{%- endif %}
+{%- if 'description' in conf_peer %}
+ neighbor {{ peer }} description {{ conf_peer.description }}
+{%- endif %}
+
{#- START address family for peer; set protocols bgp xxx neighbor x.x.x.x address-family ipvX-unicast #}
{%- if 'address_family' in conf_peer %}
{%- for afi in conf_peer.address_family %}
@@ -615,10 +640,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for neighbor #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer.address_family.ipv4_unicast %}
-{%- if 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
neighbor {{ peer }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer.address_family.ipv4_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged next-hop
{%- else %}
neighbor {{ peer }} attribute-unchanged as-path next-hop med
{%- endif %}
@@ -626,11 +660,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer.address_family.ipv4_unicast %}
-{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer.address_family.ipv4_unicast.capability %}
+{%- if 'receive' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
+{%- endif %}
+{%- if 'send' in conf_peer.address_family.ipv4_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -701,7 +737,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer.address_family.ipv4_unicast %}
neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv4_unicast.unsuppress_map}}
{%- endif %}
@@ -740,10 +775,19 @@ router bgp {{ asn }}
{%- endif %}
{#- END single params for neighbor #}
-{#- Checks need to be done as-path|med|next-hop #}
{%- if 'attribute_unchanged' in conf_peer.address_family.ipv6_unicast %}
-{%- if 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+{%- if ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path med
+{%- elif ( ('as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged as-path next-hop
+{%- elif ( ('med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) and ('next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged) ) %}
+ neighbor {{ peer }} attribute-unchanged med next-hop
+{%- elif 'as_path' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
neighbor {{ peer }} attribute-unchanged as-path
+{%- elif 'med' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged med
+{%- elif 'next_hop' in conf_peer.address_family.ipv6_unicast.attribute_unchanged %}
+ neighbor {{ peer }} attribute-unchanged next-hop
{%- else %}
neighbor {{ peer }} attribute-unchanged as-path next-hop med
{%- endif %}
@@ -751,11 +795,13 @@ router bgp {{ asn }}
{#- END attribute-unchanged #}
{%- if 'capability' in conf_peer.address_family.ipv6_unicast %}
-{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
+{%- if 'orf' in conf_peer.address_family.ipv6_unicast.capability %}
+{%- if 'receive' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
neighbor {{ peer }} capability orf prefix-list receive
-{%- endif %}
-{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
- neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
+{%- if 'send' in conf_peer.address_family.ipv6_unicast.capability.orf.prefix_list %}
+ neighbor {{ peer }} capability orf prefix-list send
+{%- endif %}
{%- endif %}
{%- endif %}
@@ -826,7 +872,6 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Checks need to be done. https://phabricator.vyos.net/T2387#73900 #}
{%- if 'unsuppress_map' in conf_peer.address_family.ipv6_unicast %}
neighbor {{ peer }} unsuppress-map {{conf_peer.address_family.ipv6_unicast.unsuppress_map}}
{%- endif %}
@@ -863,7 +908,7 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
{%- if 'med' in bgp_params.bestpath %}
-{%- if ( ('confed' and 'missing_as_worst') in bgp_params.bestpath.med ) %}
+{%- if ( ('confed' in bgp_params.bestpath.med) and ('missing_as_worst' in bgp_params.bestpath.med ) ) %}
bgp bestpath med confed missing-as-worst
{%- elif 'confed' in bgp_params.bestpath.med %}
bgp bestpath med confed
@@ -886,9 +931,9 @@ router bgp {{ asn }}
{%- endif %}
{%- endif %}
-{#- Doesn't work in current FRR configuration (bgp dampening 16 751 2001 61) #}
+{#- Doesn't work in current FRR configuration; vtysh (bgp dampening 16 751 2001 61) #}
{%- if 'dampening' in bgp_params %}
-{%- if ( ('half_life' and 'max_suppress_time' and 're_use' and 'start_suppress_time') in bgp_params.dampening ) %}
+{%- if ( ('half_life' in bgp_params.dampening) and ('max_suppress_time' in bgp_params.dampening) and ('re_use' in bgp_params.dampening) and ('start_suppress_time' in bgp_params.dampening ) ) %}
bgp dampening {{ bgp_params.dampening.half_life }} {{ bgp_params.dampening.re_use }} {{ bgp_params.dampening.start_suppress_time }} {{ bgp_params.dampening.max_suppress_time }}
{%- endif %}
{%- endif %}
@@ -909,7 +954,7 @@ router bgp {{ asn }}
{%- if 'distance' in bgp_params %}
{%- if 'global' in bgp_params.distance %}
-{%- if ( ('external' and 'internal' and 'local') in bgp_params.distance.global ) %}
+{%- if ( ('external' in bgp_params.distance.global) and ('internal' in bgp_params.distance.global) and ('local' in bgp_params.distance.global ) ) %}
!
address-family ipv4 unicast
distance bgp {{ bgp_params.distance.global.external }} {{ bgp_params.distance.global.internal }} {{ bgp_params.distance.global.local }}
@@ -950,10 +995,14 @@ router bgp {{ asn }}
no bgp fast-external-failover
{%- endif %}
+{%- if 'router_id' in bgp_params %}
+ bgp router-id {{ bgp_params.router_id }}
+{%- endif %}
+
{#- END parameters; set protocols bgp xxx parameters #}
{%- if 'timers' in conf_bgp[asn] %}
-{%- if ( ('holdtime' and 'keepalive') in conf_bgp[asn].timers ) %}
+{%- if ( ('holdtime' in conf_bgp[asn].timers) and ('keepalive' in conf_bgp[asn].timers ) ) %}
timers bgp {{conf_bgp[asn].timers.keepalive}} {{conf_bgp[asn].timers.holdtime}}
{%- endif %}
{%- endif %}
diff --git a/data/templates/frr/ldpd.frr.tmpl b/data/templates/frr/ldpd.frr.tmpl
index 5f080d75f..4b7e5c5ea 100644
--- a/data/templates/frr/ldpd.frr.tmpl
+++ b/data/templates/frr/ldpd.frr.tmpl
@@ -7,12 +7,45 @@ no router-id {{ old_router_id }}
{% if router_id -%}
router-id {{ router_id }}
{% endif -%}
+{% if old_ldp.cisco_interop_tlv -%}
+no dual-stack cisco-interop
+{% endif -%}
+{% if ldp.cisco_interop_tlv -%}
+dual-stack cisco-interop
+{% endif -%}
+{% if old_ldp.transport_prefer_ipv4 -%}
+no dual-stack transport-connection prefer ipv4
+{% endif -%}
+{% if ldp.transport_prefer_ipv4 -%}
+dual-stack transport-connection prefer ipv4
+{% endif -%}
{% for neighbor_id in old_ldp.neighbors -%}
no neighbor {{neighbor_id}} password {{old_ldp.neighbors[neighbor_id].password}}
+{% if 'ttl_security' is defined -%}
+{% if 'disable' in old_ldp.neighbors[neighbor_id].ttl_security %}
+no neighbor {{neighbor_id}} ttl-security disable
+{% else -%}
+no neighbor {{neighbor_id}} ttl-security hops {{old_ldp.neighbors[neighbor_id].ttl_security}}
+{% endif -%}
+{% endif -%}
+{% if 'session_holdtime' is defined -%}
+no neighbor {{neighbor_id}} session holdtime {{old_ldp.neighbors[neighbor_id].session_holdtime}}
+{% endif -%}
{% endfor -%}
{% for neighbor_id in ldp.neighbors -%}
neighbor {{neighbor_id}} password {{ldp.neighbors[neighbor_id].password}}
+{% if 'ttl_security' is defined -%}
+{% if 'disable' in ldp.neighbors[neighbor_id].ttl_security %}
+neighbor {{neighbor_id}} ttl-security disable
+{% else -%}
+neighbor {{neighbor_id}} ttl-security hops {{ldp.neighbors[neighbor_id].ttl_security}}
+{% endif -%}
+{% endif -%}
+{% if 'session_holdtime' is defined -%}
+neighbor {{neighbor_id}} session holdtime {{ldp.neighbors[neighbor_id].session_holdtime}}
+{% endif -%}
{% endfor -%}
+!
address-family ipv4
label local allocate host-routes
{% if old_ldp.export_ipv4_exp -%}
@@ -27,24 +60,48 @@ no discovery transport-address {{ old_ldp.d_transp_ipv4 }}
{% if ldp.d_transp_ipv4 -%}
discovery transport-address {{ ldp.d_transp_ipv4 }}
{% endif -%}
-{% if old_ldp.hello_holdtime -%}
-no discovery hello holdtime {{ old_ldp.hello_holdtime }}
+{% if old_ldp.hello_ipv4_holdtime -%}
+no discovery hello holdtime {{ old_ldp.hello_ipv4_holdtime }}
{% endif -%}
-{% if ldp.hello_holdtime -%}
-discovery hello holdtime {{ ldp.hello_holdtime }}
+{% if ldp.hello_ipv4_holdtime -%}
+discovery hello holdtime {{ ldp.hello_ipv4_holdtime }}
{% endif -%}
-{% if old_ldp.hello_interval -%}
-no discovery hello interval {{ old_ldp.hello_interval }}
+{% if old_ldp.hello_ipv4_interval -%}
+no discovery hello interval {{ old_ldp.hello_ipv4_interval }}
{% endif -%}
-{% if ldp.hello_interval -%}
-discovery hello interval {{ ldp.hello_interval }}
+{% if ldp.hello_ipv4_interval -%}
+discovery hello interval {{ ldp.hello_ipv4_interval }}
{% endif -%}
{% if old_ldp.ses_ipv4_hold -%}
-no session holdtime {{ old_ldp.ses_ipv4_hold }}
+no session holdtime {{ old_ldp.ses_ipv4_hold }}
{% endif -%}
{% if ldp.ses_ipv4_hold -%}
session holdtime {{ ldp.ses_ipv4_hold }}
{% endif -%}
+{% if old_ldp.target_ipv4_enable -%}
+no discovery targeted-hello accept
+{% endif -%}
+{% if ldp.target_ipv4_enable -%}
+discovery targeted-hello accept
+{% endif -%}
+{% if old_ldp.target_ipv4_hello_int -%}
+no discovery targeted-hello interval {{ old_ldp.target_ipv4_hello_int }}
+{% endif -%}
+{% if ldp.target_ipv4_hello_int -%}
+discovery targeted-hello interval {{ ldp.target_ipv4_hello_int }}
+{% endif -%}
+{% if old_ldp.target_ipv4_hello_hold -%}
+no discovery targeted-hello holdtime {{ old_ldp.target_ipv4_hello_hold }}
+{% endif -%}
+{% if ldp.target_ipv4_hello_hold -%}
+discovery targeted-hello holdtime {{ ldp.target_ipv4_hello_hold }}
+{% endif -%}
+{% for address in old_ldp.target_ipv4_addresses -%}
+no neighbor {{address}} targeted
+{% endfor -%}
+{% for address in ldp.target_ipv4_addresses -%}
+neighbor {{address}} targeted
+{% endfor -%}
{% for interface in old_ldp.interfaces -%}
no interface {{interface}}
{% endfor -%}
@@ -65,7 +122,7 @@ no label local advertise explicit-null
label local advertise explicit-null
{% endif -%}
{% if old_ldp.ses_ipv6_hold -%}
-no session holdtime {{ old_ldp.ses_ipv6_hold }}
+no session holdtime {{ old_ldp.ses_ipv6_hold }}
{% endif -%}
{% if ldp.ses_ipv6_hold -%}
session holdtime {{ ldp.ses_ipv6_hold }}
@@ -76,6 +133,42 @@ no discovery transport-address {{ old_ldp.d_transp_ipv6 }}
{% if ldp.d_transp_ipv6 -%}
discovery transport-address {{ ldp.d_transp_ipv6 }}
{% endif -%}
+{% if old_ldp.hello_ipv6_holdtime -%}
+no discovery hello holdtime {{ old_ldp.hello_ipv6_holdtime }}
+{% endif -%}
+{% if ldp.hello_ipv6_holdtime -%}
+discovery hello holdtime {{ ldp.hello_ipv6_holdtime }}
+{% endif -%}
+{% if old_ldp.hello_ipv6_interval -%}
+no discovery hello interval {{ old_ldp.hello_ipv6_interval }}
+{% endif -%}
+{% if ldp.hello_ipv6_interval -%}
+discovery hello interval {{ ldp.hello_ipv6_interval }}
+{% endif -%}
+{% if old_ldp.target_ipv6_enable -%}
+no discovery targeted-hello accept
+{% endif -%}
+{% if ldp.target_ipv6_enable -%}
+discovery targeted-hello accept
+{% endif -%}
+{% if old_ldp.target_ipv6_hello_int -%}
+no discovery targeted-hello interval {{ old_ldp.target_ipv6_hello_int }}
+{% endif -%}
+{% if ldp.target_ipv6_hello_int -%}
+discovery targeted-hello interval {{ ldp.target_ipv6_hello_int }}
+{% endif -%}
+{% if old_ldp.target_ipv6_hello_hold -%}
+no discovery targeted-hello holdtime {{ old_ldp.target_ipv6_hello_hold }}
+{% endif -%}
+{% if ldp.target_ipv6_hello_hold -%}
+discovery targeted-hello holdtime {{ ldp.target_ipv6_hello_hold }}
+{% endif -%}
+{% for address in old_ldp.target_ipv6_addresses -%}
+no neighbor {{address}} targeted
+{% endfor -%}
+{% for address in ldp.target_ipv6_addresses -%}
+neighbor {{address}} targeted
+{% endfor -%}
{% for interface in old_ldp.interfaces -%}
no interface {{interface}}
{% endfor -%}
@@ -91,4 +184,4 @@ no address-family ipv6
{% else -%}
no mpls ldp
{% endif -%}
-!
+! \ No newline at end of file
diff --git a/data/templates/https/nginx.default.tmpl b/data/templates/https/nginx.default.tmpl
index a20be45ae..855ebff4f 100644
--- a/data/templates/https/nginx.default.tmpl
+++ b/data/templates/https/nginx.default.tmpl
@@ -5,7 +5,7 @@ server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
- return 301 https://$server_name$request_uri;
+ return 301 https://$host$request_uri;
}
{% for server in server_block_list %}
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl
index 508d8da94..62387ef7c 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.tmpl
@@ -1,35 +1,31 @@
### Autogenerated by interfaces-openvpn.py ###
-{% if ip -%}
-ifconfig-push {{ ip[0] }} {{ remote_netmask }}
-{% endif -%}
-
-{% for route in push_route -%}
-push "route {{ route }}"
-{% endfor -%}
-
-{% for net in subnet -%}
-iroute {{ net }}
-{% endfor -%}
-
+{% if ip %}
+ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
+{% endif %}
+{% if push_route is defined and push_route is not none %}
+{% for route in push_route %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
+{% endfor %}
+{% endif %}
+{% if subnet is defined and subnet is not none %}
+{% for network in subnet %}
+iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
+{% endfor %}
+{% endif %}
{# ipv6_remote is only set when IPv6 server is enabled #}
-{% if ipv6_remote -%}
+{% if ipv6_remote %}
# IPv6
-
-{%- if ipv6_ip %}
+{% if ipv6_ip %}
ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
-{%- endif %}
-
-{%- for route6 in ipv6_push_route %}
+{% endif %}
+{% for route6 in ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{%- endfor %}
-
-{%- for net6 in ipv6_subnet %}
+{% endfor %}
+{% for net6 in ipv6_subnet %}
iroute {{ net6 }}
-{%- endfor %}
-
-{% endif -%}
-
-{% if disable -%}
+{% endfor %}
+{% endif %}
+{% if disable is defined %}
disable
-{% endif -%}
+{% endif %}
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
index fea310236..a510c3a84 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -2,246 +2,238 @@
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
-
-{% if description -%}
-# {{ description }}
-
-{% endif -%}
+#
+# {{ description if description is defined and description is not none }}
+#
verb 3
-
-user {{ uid }}
-group {{ gid }}
-
-dev-type {{ type }}
-dev {{ intf }}
+user {{ daemon_user }}
+group {{ daemon_group }}
+dev-type {{ device_type }}
+dev {{ ifname }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip
-
-proto {{ protocol_real }}
-
-{%- if local_host %}
+{% if protocol == 'tcp-active' %}
+proto tcp6-client
+{% elif protocol == 'tcp-passive' %}
+proto tcp6-server
+{% else %}
+proto udp6
+{% endif %}
+{% if local_host is defined and local_host is not none %}
local {{ local_host }}
-{%- endif %}
-
-{%- if mode == 'server' and protocol == 'udp' and not local_host %}
+{% endif %}
+{% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %}
multihome
-{%- endif %}
-
-{%- if local_port %}
+{% endif %}
+{% if local_port is defined and local_port is not none %}
lport {{ local_port }}
-{%- endif %}
-
-{% if remote_port -%}
+{% endif %}
+{% if remote_port is defined and remote_port is not none %}
rport {{ remote_port }}
{% endif %}
-
-{%- if remote_host %}
-{%- for remote in remote_host -%}
+{% if remote_host is defined and remote_host is not none %}
+{% for remote in remote_host %}
remote {{ remote }}
-{% endfor -%}
-{% endif -%}
-
-{% if shared_secret_file %}
-secret {{ shared_secret_file }}
-{%- endif %}
-
-{%- if persistent_tunnel %}
+{% endfor %}
+{% endif %}
+{% if shared_secret_key_file is defined and shared_secret_key_file is not none %}
+secret {{ shared_secret_key_file }}
+{% endif %}
+{% if persistent_tunnel is defined %}
persist-tun
-{%- endif %}
-
-{%- if redirect_gateway %}
-push "redirect-gateway {{ redirect_gateway }}"
-{%- endif %}
-
-{%- if compress_lzo %}
+{% endif %}
+{% if replace_default_route is defined and replace_default_route.local is defined %}
+push "redirect-gateway local def1"
+{% elif replace_default_route is defined %}
+push "redirect-gateway def1"
+{% endif %}
+{% if use_lzo_compression is defined %}
compress lzo
-{%- endif %}
+{% endif %}
-{% if 'client' in mode -%}
+{% if 'client' in mode %}
#
# OpenVPN Client mode
#
client
nobind
-
-{% elif 'server' in mode -%}
+{% elif 'server' in mode %}
#
# OpenVPN Server mode
#
-
-{%- if server_topology %}
-topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
-{%- endif %}
-
-{%- if is_bridge_member %}
mode server
tls-server
-{%- else %}
-server {{ server_subnet[0] }} nopool
-{%- endif %}
-
-{%- if server_pool %}
-ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
-{%- endif %}
-
-{%- if server_max_conn %}
-max-clients {{ server_max_conn }}
-{%- endif %}
-
-{%- if client %}
-client-config-dir /run/openvpn/ccd/{{ intf }}
-{%- endif %}
-
-{%- if server_reject_unconfigured %}
-ccd-exclusive
-{%- endif %}
-
-keepalive {{ ping_interval }} {{ ping_restart }}
+{% if server is defined and server is not none %}
+{% if server.subnet is defined and server.subnet is not none %}
+{% if server.topology is defined and server.topology == 'point-to-point' %}
+topology p2p
+{% elif server.topology is defined and server.topology is not none %}
+topology {{ server.topology }}
+{% endif %}
+{% for subnet in server.subnet if subnet | is_ipv4 %}
+server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
+{# OpenVPN assigns the first IP address to its local interface so the pool used #}
+{# in net30 topology - where each client receives a /30 must start from the second subnet #}
+{% if server.topology is defined and server.topology == 'net30' %}
+ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
+{% else %}
+{# OpenVPN assigns the first IP address to its local interface so the pool must #}
+{# start from the second address and end on the last address #}
+ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %}
+ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }}
+{% endif %}
+{% if server.max_connections is defined and server.max_connections is not none %}
+max-clients {{ server.max_connections }}
+{% endif %}
+{% if server.client is defined and server.client is not none %}
+client-config-dir /run/openvpn/ccd/{{ ifname }}
+{% endif %}
+{% endif %}
+keepalive {{ keep_alive.interval }} {{ keep_alive.failure_count }}
management /run/openvpn/openvpn-mgmt-intf unix
-
-{% for route in server_push_route -%}
+{% if server is defined and server is not none %}
+{% if server.reject_unconfigured_clients is defined %}
+ccd-exclusive
+{% endif %}
+{% if server.push_route is defined and server.push_route is not none %}
+{% for route in server.push_route %}
push "route {{ route }}"
-{% endfor -%}
-
-{% for ns in server_dns_nameserver -%}
-push "dhcp-option DNS {{ ns }}"
-{% endfor -%}
-
-{%- if server_domain -%}
-push "dhcp-option DOMAIN {{ server_domain }}"
-{% endif -%}
-
-{%- if server_ipv6_local %}
+{% endfor %}
+{% endif %}
+{% if server.name_server is defined and server.name_server is not none %}
+{% for nameserver in server.name_server %}
+push "dhcp-option DNS {{ nameserver }}"
+{% endfor %}
+{% endif %}
+{% if server.domain_name is defined and server.domain_name is not none %}
+push "dhcp-option DOMAIN {{ server.domain_name }}"
+{% endif %}
+{% endif %}
+
+{% if subnet_v6 is defined and subnet_v6 is not none %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
-
-{%- if server_ipv6_pool %}
+{% if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
-{%- endif %}
-
-{%- for route6 in server_ipv6_push_route %}
+{% endif %}
+{% for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{%- endfor %}
-
-{%- for ns6 in server_ipv6_dns_nameserver %}
+{% endfor %}
+{% for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
-{%- endfor %}
-
-{%- endif %}
-
-{% else -%}
+{% endfor %}
+{% endif %}
+{% else %}
#
# OpenVPN site-2-site mode
#
-ping {{ ping_interval }}
-ping-restart {{ ping_restart }}
-
-{% if local_address_subnet -%}
-ifconfig {{ local_address[0] }} {{ local_address_subnet }}
-{%- elif remote_address -%}
-ifconfig {{ local_address[0] }} {{ remote_address[0] }}
-{%- endif %}
-
-{% if ipv6_local_address -%}
-ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
-{%- endif %}
-
-{% endif -%}
+ping {{ keep_alive.interval }}
+ping-restart {{ keep_alive.failure_count }}
+
+{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %}
+ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
+{% else %}
+{% for raddr in remote_address %}
+{% if raddr | is_ipv4 %}
+ifconfig {{ laddr }} {{ raddr }}
+{% else %}
+ifconfig-ipv6 {{ laddr }} {{ raddr }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
-{% if tls -%}
+{% if tls is defined and tls is not none %}
# TLS options
-{%- if tls_ca_cert %}
-ca {{ tls_ca_cert }}
-{%- endif %}
-
-{%- if tls_cert %}
-cert {{ tls_cert }}
-{%- endif %}
-
-{%- if tls_key %}
-key {{ tls_key }}
-{%- endif %}
-
-{%- if tls_crypt %}
-tls-crypt {{ tls_crypt }}
-{%- endif %}
-
-{%- if tls_crl %}
-crl-verify {{ tls_crl }}
-{%- endif %}
-
-{%- if tls_version_min %}
-tls-version-min {{tls_version_min}}
-{%- endif %}
-
-{%- if tls_dh %}
-dh {{ tls_dh }}
-{%- endif %}
-
-{%- if tls_auth %}
-{%- if mode == 'client' %}
-tls-auth {{tls_auth}} 1
-{%- elif mode == 'server' %}
-tls-auth {{tls_auth}} 0
-{%- endif %}
-{%- endif %}
-
-{%- if tls_role %}
-{%- if 'active' in tls_role %}
+{% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %}
+ca {{ tls.ca_cert_file }}
+{% endif %}
+{% if tls.cert_file is defined and tls.cert_file is not none %}
+cert {{ tls.cert_file }}
+{% endif %}
+{% if tls.key_file is defined and tls.key_file is not none %}
+key {{ tls.key_file }}
+{% endif %}
+{% if tls.crypt_file is defined and tls.crypt_file is not none %}
+tls-crypt {{ tls.crypt_file }}
+{% endif %}
+{% if tls.crl_file is defined and tls.crl_file is not none %}
+crl-verify {{ tls.crl_file }}
+{% endif %}
+{% if tls.tls_version_min is defined and tls.tls_version_min is not none %}
+tls-version-min {{ tls.tls_version_min }}
+{% endif %}
+{% if tls.dh_file is defined and tls.dh_file is not none %}
+dh {{ tls.dh_file }}
+{% endif %}
+{% if tls.auth_file is defined and tls.auth_file is not none %}
+{% if mode == 'client' %}
+tls-auth {{ tls.auth_file }} 1
+{% elif mode == 'server' %}
+tls-auth {{ tls.auth_file }} 0
+{% endif %}
+{% endif %}
+{% if tls.role is defined and tls.role is not none %}
+{% if tls.role == 'active' %}
tls-client
-{%- elif 'passive' in tls_role %}
+{% elif tls.role == 'passive' %}
tls-server
-{%- endif %}
-{%- endif %}
-
-{%- endif %}
+{% endif %}
+{% endif %}
+{% endif %}
# Encryption options
-{%- if encryption %}
-{% if encryption == 'none' -%}
+{% if encryption is defined and encryption is not none %}
+{% if encryption.cipher is defined and encryption.cipher is not none %}
+{% if encryption.cipher == 'none' %}
cipher none
-{%- elif encryption == 'des' -%}
+{% elif encryption.cipher == 'des' %}
cipher des-cbc
-{%- elif encryption == '3des' -%}
+{% elif encryption.cipher == '3des' %}
cipher des-ede3-cbc
-{%- elif encryption == 'bf128' -%}
+{% elif encryption.cipher == 'bf128' %}
cipher bf-cbc
keysize 128
-{%- elif encryption == 'bf256' -%}
+{% elif encryption.cipher == 'bf256' %}
cipher bf-cbc
keysize 25
-{%- elif encryption == 'aes128gcm' -%}
+{% elif encryption.cipher == 'aes128gcm' %}
cipher aes-128-gcm
-{%- elif encryption == 'aes128' -%}
+{% elif encryption.cipher == 'aes128' %}
cipher aes-128-cbc
-{%- elif encryption == 'aes192gcm' -%}
+{% elif encryption.cipher == 'aes192gcm' %}
cipher aes-192-gcm
-{%- elif encryption == 'aes192' -%}
+{% elif encryption.cipher == 'aes192' %}
cipher aes-192-cbc
-{%- elif encryption == 'aes256gcm' -%}
+{% elif encryption.cipher == 'aes256gcm' %}
cipher aes-256-gcm
-{%- elif encryption == 'aes256' -%}
+{% elif encryption.cipher == 'aes256' %}
cipher aes-256-cbc
-{%- endif -%}
-{%- endif %}
-
-{%- if ncp_ciphers %}
-ncp-ciphers {{ncp_ciphers}}
-{%- endif %}
-{%- if disable_ncp %}
+{% endif %}
+{% endif %}
+{% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %}
+ncp-ciphers {{ encryption.ncp_ciphers | join(':') }}
+{% elif encryption.disable_ncp is defined %}
ncp-disable
-{%- endif %}
+{% endif %}
+{% endif %}
-{% if hash -%}
+{% if hash is defined and hash is not none %}
auth {{ hash }}
-{%- endif -%}
+{% endif %}
-{%- if auth %}
+{% if authentication is defined and authentication is not none %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
-{%- endif %}
+{% endif %}
# DEPRECATED This option will be removed in OpenVPN 2.5
# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
@@ -257,12 +249,11 @@ auth-retry nointeract
# See https://phabricator.vyos.net/T1512
compat-names
-{% if options -%}
+{% if openvpn_option is defined and openvpn_option is not none %}
#
# Custom options added by user (not validated)
#
-
-{% for option in options -%}
+{% for option in openvpn_option %}
{{ option }}
-{% endfor -%}
-{%- endif %}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index c5e4240d1..16d9f7c98 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -23,7 +23,10 @@ interface={{ ifname }}
# added to the bridge automatically (brctl may refuse to do this before hostapd
# has been started to change the interface mode). If needed, the bridge
# interface is also created.
-bridge={{ is_bridge_member }}
+{# as there can only be one bridge interface it is save to loop #}
+{% for bridge in is_bridge_member %}
+bridge={{ bridge }}
+{% endfor %}
{% endif %}
# Driver interface type (hostap/wired/none/nl80211/bsd);
@@ -69,18 +72,18 @@ ssid={{ ssid }}
channel={{ channel }}
{% endif %}
-{% if mode %}
+{% if mode is defined and mode is not none %}
# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
-# needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs
-# to be set to hw_mode=a. When using ACS (see channel parameter), a
+# needs to be set to hw_mode a. For IEEE 802.11ax (HE) on 6 GHz this needs
+# to be set to hw_mode a. When using ACS (see channel parameter), a
# special value "any" can be used to indicate that any support band can be used.
# This special case is currently supported only with drivers with which
# offloaded ACS is used.
-{% if 'n' in mode %}
+{% if mode == 'n' %}
hw_mode=g
-{% elif 'ac' in mode %}
+{% elif mode == 'ac' %}
hw_mode=a
ieee80211h=1
ieee80211ac=1
@@ -529,10 +532,13 @@ wep_key{{ loop.index -1 }}={{ security.wep.key }}
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
+# Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
+# In other words, for WPA3, wpa 2 is used the configuration (and
+# wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
{% if security.wpa.mode is defined %}
-{% if security.wpa.mode == 'both' %}
+{% if security.wpa.mode == 'wpa+wpa2' %}
wpa=3
-{% elif security.wpa.mode == 'wpa2' %}
+{% elif security.wpa.mode == 'wpa2' or security.wpa.mode == 'wpa3' %}
wpa=2
{% elif security.wpa.mode == 'wpa' %}
wpa=1
@@ -592,7 +598,15 @@ wpa_passphrase={{ security.wpa.passphrase }}
# added to enable SHA256-based stronger algorithms.
# WPA-PSK = WPA-Personal / WPA2-Personal
# WPA-PSK-SHA256 = WPA2-Personal using SHA256
-wpa_key_mgmt=WPA-PSK
+# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
+# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=SAE
+{% else %}
+wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
{% elif security.wpa.radius is defined %}
##### IEEE 802.1X-2004 related configuration ##################################
@@ -602,9 +616,17 @@ ieee8021x=1
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
+# WPA-PSK = WPA-Personal / WPA2-Personal
+# WPA-PSK-SHA256 = WPA2-Personal using SHA256
# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
-wpa_key_mgmt=WPA-EAP
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=WPA-EAP-SUITE-B-192
+{% else %}
+wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
+{% endif %}
{% if security.wpa.radius.server is defined %}
# RADIUS client forced local IP address for the access point
diff --git a/data/templates/wifi/wpa_supplicant.conf.tmpl b/data/templates/wifi/wpa_supplicant.conf.tmpl
index f84892dc0..20b4f7976 100644
--- a/data/templates/wifi/wpa_supplicant.conf.tmpl
+++ b/data/templates/wifi/wpa_supplicant.conf.tmpl
@@ -4,10 +4,78 @@
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
network={
+ # ssid: SSID (mandatory); network name in one of the optional formats:
+ # - an ASCII string with double quotation
+ # - a hex string (two characters per octet of SSID)
+ # - a printf-escaped ASCII string P"<escaped string>"
+ #
ssid="{{ ssid }}"
+
+ # scan_ssid:
+ # 0 = do not scan this SSID with specific Probe Request frames (default)
+ # 1 = scan with SSID-specific Probe Request frames (this can be used to
+ # find APs that do not accept broadcast SSID or use multiple SSIDs;
+ # this will add latency to scanning, so enable this only when needed)
scan_ssid=1
+
{% if security is defined and security.wpa is defined and security.wpa.passphrase is defined %}
- key_mgmt=WPA-PSK
+ # ieee80211w: whether management frame protection is enabled
+ # 0 = disabled (default unless changed with the global pmf parameter)
+ # 1 = optional
+ # 2 = required
+ # The most common configuration options for this based on the PMF (protected
+ # management frames) certification program are:
+ # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
+ # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
+ # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
+ # WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
+ ieee80211w=1
+
+ # key_mgmt: list of accepted authenticated key management protocols
+ # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
+ # WPA-EAP = WPA using EAP authentication
+ # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
+ # generated WEP keys
+ # NONE = WPA is not used; plaintext or static WEP could be used
+ # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
+ # instead)
+ # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
+ # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # and using SHA384
+ # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
+ # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
+ # SAE = Simultaneous authentication of equals; pre-shared key/password -based
+ # authentication with stronger security than WPA-PSK especially when using
+ # not that strong password; a.k.a. WPA3-Personal
+ # FT-SAE = SAE with FT
+ # WPA-EAP-SUITE-B = Suite B 128-bit level
+ # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
+ # OSEN = Hotspot 2.0 Rel 2 online signup connection
+ # FILS-SHA256 = Fast Initial Link Setup with SHA256
+ # FILS-SHA384 = Fast Initial Link Setup with SHA384
+ # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
+ # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
+ # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
+ # DPP = Device Provisioning Protocol
+ # If not set, this defaults to: WPA-PSK WPA-EAP
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+ key_mgmt=SAE
+{% else %}
+ key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
+
+ # psk: WPA preshared key; 256-bit pre-shared key
+ # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
+ # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
+ # generated using the passphrase and SSID). ASCII passphrase must be between
+ # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
+ # be used to indicate that the PSK/passphrase is stored in external storage.
+ # This field is not needed, if WPA-EAP is used.
+ # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
+ # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
+ # startup and reconfiguration time can be optimized by generating the PSK only
+ # only when the passphrase or SSID has actually changed.
psk="{{ security.wpa.passphrase }}"
{% else %}
key_mgmt=NONE
diff --git a/data/templates/wwan/chat.tmpl b/data/templates/wwan/chat.tmpl
index a3395c057..386af37e6 100644
--- a/data/templates/wwan/chat.tmpl
+++ b/data/templates/wwan/chat.tmpl
@@ -1,6 +1,10 @@
ABORT 'NO DIAL TONE' ABORT 'NO ANSWER' ABORT 'NO CARRIER' ABORT DELAYED
'' AT
OK ATZ
+{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %}
+OK 'AT+CGDCONT=1,"IPV4V6","{{ apn }}"'
+{% else %}
OK 'AT+CGDCONT=1,"IP","{{ apn }}"'
+{% endif %}
OK ATD*99#
CONNECT ''
diff --git a/data/templates/wwan/peer.tmpl b/data/templates/wwan/peer.tmpl
index e23881bf8..2807a79a4 100644
--- a/data/templates/wwan/peer.tmpl
+++ b/data/templates/wwan/peer.tmpl
@@ -4,15 +4,19 @@
ifname {{ ifname }}
ipparam {{ ifname }}
linkname {{ ifname }}
+
{{ "usepeerdns" if no_peer_dns is defined }}
# physical device
{{ device }}
lcp-echo-failure 0
115200
debug
-debug
mtu {{ mtu }}
mru {{ mtu }}
+{% if ipv6 is defined and ipv6.address is defined and ipv6.address.autoconf is defined %}
++ipv6
+ipv6cp-use-ipaddr
+{% endif %}
nodefaultroute
ipcp-max-failure 4
ipcp-accept-local