Diffstat (limited to 'data')
-rw-r--r--data/config-mode-dependencies/vyos-1x.json3
-rw-r--r--data/configd-include.json114
-rw-r--r--data/templates/firewall/nftables.j22
-rw-r--r--data/templates/stunnel/stunnel_config.j2118
4 files changed, 121 insertions, 116 deletions
diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 9623948c2..9361f4e7c 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -32,7 +32,8 @@
"reverse_proxy": ["load-balancing_reverse-proxy"],
"rpki": ["protocols_rpki"],
"sstp": ["vpn_sstp"],
- "sstpc": ["interfaces_sstpc"]
+ "sstpc": ["interfaces_sstpc"],
+ "stunnel": ["service_stunnel"]
},
"vpn_ipsec": {
"nhrp": ["protocols_nhrp"]
diff --git a/data/configd-include.json b/data/configd-include.json
deleted file mode 100644
index b92d58c72..000000000
--- a/data/configd-include.json
+++ /dev/null
@@ -1,114 +0,0 @@
-[
-"container.py",
-"firewall.py",
-"high-availability.py",
-"interfaces_bonding.py",
-"interfaces_bridge.py",
-"interfaces_dummy.py",
-"interfaces_ethernet.py",
-"interfaces_geneve.py",
-"interfaces_input.py",
-"interfaces_l2tpv3.py",
-"interfaces_loopback.py",
-"interfaces_macsec.py",
-"interfaces_openvpn.py",
-"interfaces_pppoe.py",
-"interfaces_pseudo-ethernet.py",
-"interfaces_sstpc.py",
-"interfaces_tunnel.py",
-"interfaces_virtual-ethernet.py",
-"interfaces_vti.py",
-"interfaces_vxlan.py",
-"interfaces_wireguard.py",
-"interfaces_wireless.py",
-"interfaces_wwan.py",
-"load-balancing_reverse-proxy.py",
-"load-balancing_wan.py",
-"nat.py",
-"nat64.py",
-"nat66.py",
-"netns.py",
-"pki.py",
-"policy.py",
-"policy_route.py",
-"policy_local-route.py",
-"protocols_babel.py",
-"protocols_bfd.py",
-"protocols_bgp.py",
-"protocols_eigrp.py",
-"protocols_failover.py",
-"protocols_igmp-proxy.py",
-"protocols_isis.py",
-"protocols_mpls.py",
-"protocols_nhrp.py",
-"protocols_ospf.py",
-"protocols_ospfv3.py",
-"protocols_pim.py",
-"protocols_pim6.py",
-"protocols_rip.py",
-"protocols_ripng.py",
-"protocols_rpki.py",
-"protocols_segment-routing.py",
-"protocols_static.py",
-"protocols_static_arp.py",
-"protocols_static_multicast.py",
-"protocols_static_neighbor-proxy.py",
-"qos.py",
-"service_aws_glb.py",
-"service_broadcast-relay.py",
-"service_config-sync.py",
-"service_conntrack-sync.py",
-"service_console-server.py",
-"service_dhcp-relay.py",
-"service_dhcp-server.py",
-"service_dhcpv6-relay.py",
-"service_dhcpv6-server.py",
-"service_dns_dynamic.py",
-"service_dns_forwarding.py",
-"service_event-handler.py",
-"service_https.py",
-"service_ids_ddos-protection.py",
-"service_ipoe-server.py",
-"service_lldp.py",
-"service_mdns_repeater.py",
-"service_monitoring_telegraf.py",
-"service_monitoring_zabbix-agent.py",
-"service_ndp-proxy.py",
-"service_ntp.py",
-"service_pppoe-server.py",
-"service_router-advert.py",
-"service_salt-minion.py",
-"service_sla.py",
-"service_snmp.py",
-"service_ssh.py",
-"service_tftp-server.py",
-"service_webproxy.py",
-"system_acceleration.py",
-"system_config-management.py",
-"system_conntrack.py",
-"system_console.py",
-"system_flow-accounting.py",
-"system_frr.py",
-"system_host-name.py",
-"system_ip.py",
-"system_ipv6.py",
-"system_lcd.py",
-"system_login.py",
-"system_login_banner.py",
-"system_logs.py",
-"system_option.py",
-"system_proxy.py",
-"system_sflow.py",
-"system_sysctl.py",
-"system_syslog.py",
-"system_task-scheduler.py",
-"system_timezone.py",
-"system_update-check.py",
-"system_wireless.py",
-"vpn_ipsec.py",
-"vpn_l2tp.py",
-"vpn_openconnect.py",
-"vpn_pptp.py",
-"vpn_sstp.py",
-"vrf.py"
-]
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index ee34f58fc..68a3bfd87 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -239,7 +239,7 @@ table ip6 vyos_filter {
{% for prior, conf in ipv6.output.items() %}
chain VYOS_IPV6_OUTPUT_{{ prior }} {
type filter hook output priority {{ prior }}; policy accept;
-{% if global_options.state_policy is vyos_defined %}
+{% if global_options.state_policy is vyos_defined and prior == 'filter' %}
jump VYOS_STATE_POLICY6
{% endif %}
{% if conf.rule is vyos_defined %}
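Review bot: The narrowed condition `prior == 'filter'` carries no comment saying why the jump to VYOS_STATE_POLICY6 now applies only to the filter-priority IPv6 output chain, so a reader of the loop over `ipv6.output.items()` cannot tell whether the other priority chains are skipped on purpose; add `{# state policy is evaluated once, from the filter-priority output chain only #}` above the `if`. If the IPv4 output block of this template uses the same `global_options.state_policy` test (not visible in this hunk), it presumably needs the same restriction so both address families behave alike. The enclosing `for` block continues past the end of the hunk.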
diff --git a/data/templates/stunnel/stunnel_config.j2 b/data/templates/stunnel/stunnel_config.j2
new file mode 100644
index 000000000..52c289fa9
--- /dev/null
+++ b/data/templates/stunnel/stunnel_config.j2
@@ -0,0 +1,118 @@
+; Autogenerated by service_stunnel.py
+
+; Example https://www.stunnel.org/config_unix.html#
+; **************************************************************************
+; * Global options *
+; **************************************************************************
+
+; PID file is created inside the chroot jail (if enabled)
+pid = {{ config_file | replace('.conf', '.pid') }}
+
+; Debugging stuff (may be useful for troubleshooting)
+;foreground = yes
+
+{% if log is vyos_defined %}
+debug = {{ log.level }}
+{% endif %}
+
+;output = /usr/local/var/log/stunnel.log
+
+
+; **************************************************************************
+; * Service definitions *
+; **************************************************************************
+
+; ***************************************** Client mode services ***********
+
+{% if client is vyos_defined %}
+{% for name, config in client.items() %}
+[{{ name }}]
+client = yes
+{% if config.listen.address is vyos_defined %}
+accept = {{ config.listen.address }}:{{ config.listen.port }}
+{% else %}
+accept = {{ config.listen.port }}
+{% endif %}
+{% if config.connect is vyos_defined %}
+{% if config.connect.address is vyos_defined %}
+connect = {{ config.connect.address }}:{{ config.connect.port }}
+{% else %}
+connect = {{ config.connect.port }}
+{% endif %}
+{% endif %}
+{% if config.protocol is vyos_defined %}
+protocol = {{ config.protocol }}
+{% endif %}
+{% if config.options is vyos_defined %}
+{% if config.options.authentication is vyos_defined %}
+protocolAuthentication = {{ config.options.authentication }}
+{% endif %}
+{% if config.options.domain is vyos_defined %}
+protocolDomain = {{ config.options.domain }}
+{% endif %}
+{% if config.options.host is vyos_defined %}
+protocolHost = {{ config.options.host.address }}:{{ config.options.host.port }}
+{% endif %}
+{% if config.options.password is vyos_defined %}
+protocolPassword = {{ config.options.password }}
+{% endif %}
+{% if config.options.username is vyos_defined %}
+protocolUsername = {{ config.options.username }}
+{% endif %}
+{% endif %}
+{% if config.ssl.ca_path is vyos_defined %}
+CApath = {{ config.ssl.ca_path }}
+{% endif %}
+{% if config.ssl.ca_file is vyos_defined %}
+CAfile = {{ config.ssl.ca_file }}
+{% endif %}
+{% if config.ssl.cert is vyos_defined %}
+cert = {{ config.ssl.cert }}
+{% endif %}
+{% if config.ssl.cert_key is vyos_defined %}
+key = {{ config.ssl.cert_key }}
+{% endif %}
+{% if config.psk.file is vyos_defined %}
+PSKsecrets = {{ config.psk.file }}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+
+; ***************************************** Server mode services ***********
+
+{% if server is vyos_defined %}
+{% for name, config in server.items() %}
+[{{ name }}]
+{% if config.listen.address is vyos_defined %}
+accept = {{ config.listen.address }}:{{ config.listen.port }}
+{% else %}
+accept = {{ config.listen.port }}
+{% endif %}
+{% if config.connect is vyos_defined %}
+{% if config.connect.address is vyos_defined %}
+connect = {{ config.connect.address }}:{{ config.connect.port }}
+{% else %}
+connect = {{ config.connect.port }}
+{% endif %}
+{% endif %}
+{% if config.protocol is vyos_defined %}
+protocol = {{ config.protocol }}
+{% endif %}
+{% if config.ssl.ca_path is vyos_defined %}
+CApath = {{ config.ssl.ca_path }}
+{% endif %}
+{% if config.ssl.ca_file is vyos_defined %}
+CAfile = {{ config.ssl.ca_file }}
+{% endif %}
+{% if config.ssl.cert is vyos_defined %}
+cert = {{ config.ssl.cert }}
+{% endif %}
+{% if config.ssl.cert_key is vyos_defined %}
+key = {{ config.ssl.cert_key }}
+{% endif %}
+{% if config.psk.file is vyos_defined %}
+PSKsecrets = {{ config.psk.file }}
+{% endif %}
+{% endfor %}
+{% endif %}
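Review bot: Emitting `CAfile = {{ config.ssl.ca_file }}` / `CApath = {{ config.ssl.ca_path }}` does not by itself make stunnel check the peer certificate; stunnel only verifies when `verifyChain = yes` or `verifyPeer = yes` is set, so as rendered a client-mode service will connect to any server regardless of the CA configured, and the server block likewise accepts any client. Consider emitting `verifyChain = yes` inside the same `config.ssl.ca_file` / `config.ssl.ca_path` guards in both the client and server blocks (or exposing it as an explicit config node) and, for the client side, `checkHost` when the remote name is known. Separately, `protocolPassword = {{ config.options.password }}` and the `PSKsecrets` path put credentials into the rendered file, so service_stunnel.py (named on the first line, not in this hunk) should write it with owner-only permissions. A header comment would help maintainers: `; Peer verification is only enforced when verifyChain/verifyPeer is set; CAfile/CApath alone do not reject untrusted peers`.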