summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/op-mode-standardized.json7
-rw-r--r--data/templates/accel-ppp/config_ip_pool.j220
-rw-r--r--data/templates/accel-ppp/config_ipv6_pool.j221
-rw-r--r--data/templates/accel-ppp/ipoe.config.j24
-rw-r--r--data/templates/accel-ppp/l2tp.config.j24
-rw-r--r--data/templates/accel-ppp/pppoe.config.j24
-rw-r--r--data/templates/accel-ppp/sstp.config.j24
-rw-r--r--data/templates/chrony/chrony.conf.j210
-rw-r--r--data/templates/container/systemd-unit.j22
-rw-r--r--data/templates/dhcp-server/kea-dhcp4.conf.j28
-rw-r--r--data/templates/dhcp-server/kea-dhcp6.conf.j24
-rw-r--r--data/templates/dns-dynamic/ddclient.conf.j27
-rw-r--r--data/templates/dns-forwarding/override.conf.j28
-rw-r--r--data/templates/dns-forwarding/recursor.conf.j228
-rw-r--r--data/templates/dns-forwarding/recursor.conf.lua.j22
-rw-r--r--data/templates/firewall/nftables-vrf-zones.j217
-rw-r--r--data/templates/firewall/nftables-zone.j213
-rw-r--r--data/templates/firewall/nftables.j24
-rw-r--r--data/templates/frr/bfdd.frr.j26
-rw-r--r--data/templates/frr/bgpd.frr.j26
-rw-r--r--data/templates/grub/grub_common.j28
-rw-r--r--data/templates/grub/grub_compat.j212
-rw-r--r--data/templates/grub/grub_vyos_version.j220
-rw-r--r--data/templates/https/nginx.default.j2103
-rw-r--r--data/templates/https/vyos-http-api.service.j22
-rw-r--r--data/templates/ipsec/swanctl/peer.j210
-rw-r--r--data/templates/sflow/override.conf.j23
-rw-r--r--data/vyos-firewall-init.conf19
28 files changed, 231 insertions, 125 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ed9bb6cad..d3685caaf 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -9,21 +9,22 @@
"dhcp.py",
"dns.py",
"interfaces.py",
+"ipsec.py",
"lldp.py",
"log.py",
"memory.py",
+"multicast.py",
"nat.py",
"neighbor.py",
"nhrp.py",
"openconnect.py",
-"otp.py",
"openvpn.py",
+"otp.py",
"reset_vpn.py",
"reverseproxy.py",
"route.py",
-"system.py",
-"ipsec.py",
"storage.py",
+"system.py",
"uptime.py",
"version.py",
"vrf.py"
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
index 6ac04e1a1..8e66486e6 100644
--- a/data/templates/accel-ppp/config_ip_pool.j2
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -12,16 +12,20 @@ gw-ip-address={{ gateway_address }}
{% endif %}
{% for pool in ordered_named_pools %}
{% for pool_name, pool_config in pool.items() %}
-{% set iprange_str = pool_config.range %}
-{% set iprange_list = pool_config.range.split('-') %}
-{% if iprange_list | length == 2 %}
-{% set last_ip_oct = iprange_list[1].split('.') %}
-{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
-{% endif %}
-{% if pool_config.next_pool is vyos_defined %}
+{% if pool_config.range is vyos_defined %}
+{% for range in pool_config.range %}
+{% set iprange_str = range %}
+{% set iprange_list = range.split('-') %}
+{% if iprange_list | length == 2 %}
+{% set last_ip_oct = iprange_list[1].split('.') %}
+{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
+{% endif %}
+{% if loop.last and pool_config.next_pool is vyos_defined %}
{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }}
-{% else %}
+{% else %}
{{ iprange_str }},name={{ pool_name }}
+{% endif %}
+{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2
index a1562a1eb..86efdc1e1 100644
--- a/data/templates/accel-ppp/config_ipv6_pool.j2
+++ b/data/templates/accel-ppp/config_ipv6_pool.j2
@@ -3,20 +3,19 @@
AdvAutonomousFlag=1
verbose=1
-{% if client_ipv6_pool.prefix is vyos_defined %}
[ipv6-pool]
-{% for prefix, options in client_ipv6_pool.prefix.items() %}
-{{ prefix }},{{ options.mask }}
-{% endfor %}
-{% if client_ipv6_pool.delegate is vyos_defined %}
-{% for prefix, options in client_ipv6_pool.delegate.items() %}
-delegate={{ prefix }},{{ options.delegation_prefix }}
+{% for pool_name, pool_config in client_ipv6_pool.items() %}
+{% if pool_config.prefix is vyos_defined %}
+{% for prefix, options in pool_config.prefix.items() %}
+{{ prefix }},{{ options.mask }},name={{ pool_name }}
{% endfor %}
{% endif %}
-{% endif %}
-
-{% if client_ipv6_pool.delegate is vyos_defined %}
+{% if pool_config.delegate is vyos_defined %}
+{% for prefix, options in pool_config.delegate.items() %}
+delegate={{ prefix }},{{ options.delegation_prefix }},name={{ pool_name }}
+{% endfor %}
+{% endif %}
+{% endfor %}
[ipv6-dhcp]
verbose=1
-{% endif %}
{% endif %}
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index 588f3d462..8b022eaa5 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -58,6 +58,10 @@ password=csid
{% if default_pool is vyos_defined %}
ip-pool={{ default_pool }}
{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
{% if gateway_address is vyos_defined %}
{% for gw_addr in gateway_address %}
gw-ip-address={{ gw_addr }}
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index 49755254a..f041e278e 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -51,6 +51,10 @@ host-name={{ lns.host_name }}
{% if default_pool is vyos_defined %}
ip-pool={{ default_pool }}
{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
[client-ip-range]
0.0.0.0/0
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index 4bb1c4450..fb8a11366 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -143,6 +143,10 @@ noauth=1
{% if default_pool is vyos_defined %}
ip-pool={{ default_pool }}
{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
{% if limits is vyos_defined %}
[connlimit]
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 014ae1235..51f7dfca8 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -39,6 +39,10 @@ ssl-keyfile=/run/accel-pppd/sstp-cert.key
{% if default_pool is vyos_defined %}
ip-pool={{ default_pool }}
{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
{# Common IP pool definitions #}
{% include 'accel-ppp/config_ip_pool.j2' %}
diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index d02fbf71d..e3f078fdc 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -21,7 +21,17 @@ ntsdumpdir /run/chrony
pidfile {{ config_file | replace('.conf', '.pid') }}
# Determine when will the next leap second occur and what is the current offset
+{% if leap_second is vyos_defined('timezone') %}
leapsectz right/UTC
+{% elif leap_second is vyos_defined('ignore') %}
+leapsecmode ignore
+{% elif leap_second is vyos_defined('smear') %}
+leapsecmode slew
+maxslewrate 1000
+smoothtime 400 0.001024 leaponly
+{% elif leap_second is vyos_defined('system') %}
+leapsecmode system
+{% endif %}
user {{ user }}
diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2
index fa48384ab..d379f0a07 100644
--- a/data/templates/container/systemd-unit.j2
+++ b/data/templates/container/systemd-unit.j2
@@ -13,5 +13,5 @@ ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid
ExecStopPost=/bin/rm -f %t/%n.cid
PIDFile=%t/%n.pid
-KillMode=none
+KillMode=control-group
Type=forking
diff --git a/data/templates/dhcp-server/kea-dhcp4.conf.j2 b/data/templates/dhcp-server/kea-dhcp4.conf.j2
index 6ab13ab27..629fa952a 100644
--- a/data/templates/dhcp-server/kea-dhcp4.conf.j2
+++ b/data/templates/dhcp-server/kea-dhcp4.conf.j2
@@ -1,8 +1,16 @@
{
"Dhcp4": {
"interfaces-config": {
+{% if listen_address is vyos_defined %}
+ "interfaces": {{ listen_address | kea_address_json }},
+ "dhcp-socket-type": "udp",
+{% elif listen_interface is vyos_defined %}
+ "interfaces": {{ listen_interface | tojson }},
+ "dhcp-socket-type": "raw",
+{% else %}
"interfaces": [ "*" ],
"dhcp-socket-type": "raw",
+{% endif %}
"service-sockets-max-retries": 5,
"service-sockets-retry-wait-time": 5000
},
diff --git a/data/templates/dhcp-server/kea-dhcp6.conf.j2 b/data/templates/dhcp-server/kea-dhcp6.conf.j2
index 3ce4e6370..3ab21551b 100644
--- a/data/templates/dhcp-server/kea-dhcp6.conf.j2
+++ b/data/templates/dhcp-server/kea-dhcp6.conf.j2
@@ -1,7 +1,11 @@
{
"Dhcp6": {
"interfaces-config": {
+{% if listen_interface is vyos_defined %}
+ "interfaces": {{ listen_interface | tojson }},
+{% else %}
"interfaces": [ "*" ],
+{% endif %}
"service-sockets-max-retries": 5,
"service-sockets-retry-wait-time": 5000
},
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 6c0653a55..5538ea56c 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -7,7 +7,7 @@ use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \
web{{ ipv }}={{ web_options.url }}, \
{% endif %}
{% if web_options.skip is vyos_defined %}
-web-skip{{ ipv }}='{{ web_options.skip }}', \
+web{{ ipv }}-skip='{{ web_options.skip }}', \
{% endif %}
{% else %}
if{{ ipv }}={{ address }}, \
@@ -45,9 +45,12 @@ use=no
else ['']) %}
{% set password = config.key if config.protocol == 'nsupdate'
else config.password %}
+{% set address = 'web' if config.address.web is vyos_defined
+ else config.address.interface %}
+{% set web_options = config.address.web | default({}) %}
# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
-{{ render_config(host, config.address, config.web_options, ip_suffixes,
+{{ render_config(host, address, web_options, ip_suffixes,
protocol=config.protocol, server=config.server, zone=config.zone,
login=config.username, password=password, ttl=config.ttl,
min_interval=config.wait_time, max_interval=config.expiry_time) }}
diff --git a/data/templates/dns-forwarding/override.conf.j2 b/data/templates/dns-forwarding/override.conf.j2
new file mode 100644
index 000000000..9d81a2977
--- /dev/null
+++ b/data/templates/dns-forwarding/override.conf.j2
@@ -0,0 +1,8 @@
+[Unit]
+ConditionPathExists={{ config_file }}
+After=vyos-router.service
+
+[Service]
+RuntimeDirectoryPreserve=yes
+ExecStart=
+ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir={{ config_dir }}
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index ea700406c..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -12,7 +12,7 @@ allow-from={{ allow_from | join(',') }}
log-common-errors=yes
non-local-bind=yes
query-local-address={{ source_address | join(',') }}
-lua-config-file=recursor.conf.lua
+lua-config-file={{ config_dir }}/recursor.conf.lua
# cache-size
max-cache-entries={{ cache_size }}
@@ -40,10 +40,34 @@ dnssec={{ dnssec }}
dns64-prefix={{ dns64_prefix }}
{% endif %}
+{% if exclude_throttle_address is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extension is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
# serve rfc1918 records
serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
# zones
auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
-forward-zones-file=recursor.forward-zones.conf
+forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
+
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index 816f69160..8026442c7 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -5,4 +5,4 @@
dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
-- Load lua from vyos-hostsd --
-dofile("recursor.vyos-hostsd.conf.lua")
+dofile("{{ config_dir }}/recursor.vyos-hostsd.conf.lua")
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
deleted file mode 100644
index 3bce7312d..000000000
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-table inet vrf_zones {
- # Map of interfaces and connections tracking zones
- map ct_iface_map {
- typeof iifname : ct zone
- }
- # Assign unique zones for each VRF
- # Chain for inbound traffic
- chain vrf_zones_ct_in {
- type filter hook prerouting priority raw; policy accept;
- counter ct original zone set iifname map @ct_iface_map
- }
- # Chain for locally-generated traffic
- chain vrf_zones_ct_out {
- type filter hook output priority raw; policy accept;
- counter ct original zone set oifname map @ct_iface_map
- }
-}
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
index 5e55099ca..e78725079 100644
--- a/data/templates/firewall/nftables-zone.j2
+++ b/data/templates/firewall/nftables-zone.j2
@@ -1,13 +1,6 @@
-
-{% macro zone_chains(zone, family, state_policy=False) %}
-{% if family == 'ipv6' %}
-{% set fw_name = 'ipv6_name' %}
-{% set suffix = '6' %}
-{% else %}
-{% set fw_name = 'name' %}
-{% set suffix = '' %}
-{% endif %}
-
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
chain VYOS_ZONE_FORWARD {
type filter hook forward priority 1; policy accept;
{% if state_policy %}
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index e0ad0e00a..833df3a67 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -163,7 +163,7 @@ table ip vyos_filter {
{{ group_tmpl.groups(group, False, True) }}
{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
{% endif %}
{% if global_options.state_policy is vyos_defined %}
chain VYOS_STATE_POLICY {
@@ -298,7 +298,7 @@ table ip6 vyos_filter {
{% endif %}
{{ group_tmpl.groups(group, True, True) }}
{% if zone is vyos_defined %}
-{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
{% endif %}
{% if global_options.state_policy is vyos_defined %}
chain VYOS_STATE_POLICY6 {
diff --git a/data/templates/frr/bfdd.frr.j2 b/data/templates/frr/bfdd.frr.j2
index c4adeb402..f3303e401 100644
--- a/data/templates/frr/bfdd.frr.j2
+++ b/data/templates/frr/bfdd.frr.j2
@@ -13,6 +13,9 @@ bfd
{% if profile_config.echo_mode is vyos_defined %}
echo-mode
{% endif %}
+{% if profile_config.minimum_ttl is vyos_defined %}
+ minimum-ttl {{ profile_config.minimum_ttl }}
+{% endif %}
{% if profile_config.passive is vyos_defined %}
passive-mode
{% endif %}
@@ -38,6 +41,9 @@ bfd
{% if peer_config.echo_mode is vyos_defined %}
echo-mode
{% endif %}
+{% if peer_config.minimum_ttl is vyos_defined %}
+ minimum-ttl {{ peer_config.minimum_ttl }}
+{% endif %}
{% if peer_config.passive is vyos_defined %}
passive-mode
{% endif %}
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index 679ba8b04..e02fdd1bb 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -402,6 +402,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% if afi_config.flooding.head_end_replication is vyos_defined %}
flooding head-end-replication
{% endif %}
+{% if afi_config.nexthop.vpn.export is vyos_defined %}
+ nexthop vpn export {{ afi_config.nexthop.vpn.export }}
+{% endif %}
{% if afi_config.rd.vpn.export is vyos_defined %}
rd vpn export {{ afi_config.rd.vpn.export }}
{% endif %}
@@ -436,6 +439,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
{% if afi_config.route_map.vpn.import is vyos_defined %}
route-map vpn import {{ afi_config.route_map.vpn.import }}
{% endif %}
+{% if afi_config.sid.vpn.export is vyos_defined %}
+ sid vpn export {{ afi_config.sid.vpn.export }}
+{% endif %}
{% if afi_config.vni is vyos_defined %}
{% for vni, vni_config in afi_config.vni.items() %}
vni {{ vni }}
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
index 278ffbf2c..5e9b95cc0 100644
--- a/data/templates/grub/grub_common.j2
+++ b/data/templates/grub/grub_common.j2
@@ -8,9 +8,13 @@ fi
function setup_serial {
# initialize the first serial port by default
if [ "${console_type}" == "ttyS" ]; then
- serial --unit=${console_num}
+ if [ "${console_num}" == "0" ]; then
+ serial --unit=0 --speed=${console_speed}
+ else
+ serial --unit=${console_num} --speed=115200
+ fi
else
- serial --unit=0
+ serial --unit=0 --speed=${console_speed}
fi
terminal_output --append serial console
terminal_input --append serial console
diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2
index 887d5d0bd..d1085eec8 100644
--- a/data/templates/grub/grub_compat.j2
+++ b/data/templates/grub/grub_compat.j2
@@ -22,13 +22,13 @@
{%- endmacro %}
{% macro console_opts(type) -%}
{% if type == 'tty' -%}
- console=ttyS0,115200 console=tty0
+ console=ttyS0,{{ console_speed }} console=tty0
{%- elif type == 'ttyS' -%}
- console=tty0 console=ttyS0,115200
+ console=tty0 console=ttyS0,{{ console_speed }}
{%- elif type == 'ttyUSB' -%}
console=tty0 console=ttyUSB0,115200
{%- else -%}
- console=tty0 console=ttyS0,115200
+ console=tty0 console=ttyS0,{{ console_speed }}
{%- endif %}
{%- endmacro %}
{% macro passwd_opts(mode) -%}
@@ -39,9 +39,13 @@
set default={{ default }}
set timeout={{ timeout }}
{% if console_type == 'ttyS' %}
+{% if console_num == '0' %}
+serial --unit=0 --speed={{ console_speed }}
+{% else %}
serial --unit={{ console_num }} --speed=115200
+{% endif %}
{% else %}
-serial --unit=0 --speed=115200
+serial --unit=0 --speed={{ console_speed }}
{% endif %}
terminal_output --append serial
terminal_input serial console
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
index 97fbe8473..de85f1419 100644
--- a/data/templates/grub/grub_vyos_version.j2
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -1,21 +1,31 @@
-{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %}
-{% if boot_opts != '' %}
+{% if boot_opts_config is vyos_defined %}
+{% if boot_opts_config %}
+{% set boot_opts_rendered = boot_opts_default + " " + boot_opts_config %}
+{% else %}
+{% set boot_opts_rendered = boot_opts_default %}
+{% endif %}
+{% elif boot_opts != '' %}
{% set boot_opts_rendered = boot_opts %}
{% else %}
{% set boot_opts_rendered = boot_opts_default %}
{% endif %}
menuentry "{{ version_name }}" --id {{ version_uuid }} {
set boot_opts="{{ boot_opts_rendered }}"
+ if [ "${console_type}" == "ttyS" ]; then
+ set console_opts="console=${console_type}${console_num},${console_speed}"
+ else
+ set console_opts="console=${console_type}${console_num}"
+ fi
# load rootfs to RAM
if [ "${boot_toram}" == "yes" ]; then
set boot_opts="${boot_opts} toram"
fi
if [ "${bootmode}" == "pw_reset" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
elif [ "${bootmode}" == "recovery" ]; then
- set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init"
+ set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init"
else
- set boot_opts="${boot_opts} console=${console_type}${console_num}"
+ set boot_opts="${boot_opts} ${console_opts}"
fi
linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
initrd "/boot/{{ version_name }}/initrd.img"
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index 80239ea56..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,60 +1,65 @@
### Autogenerated by service_https.py ###
-# Default server configuration
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
server {
- # SSL configuration
- #
-{% if server.address == '*' %}
- listen {{ server.port }} ssl;
- listen [::]:{{ server.port }} ssl;
-{% else %}
- listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{% endif %}
+ listen 80 default_server;
+ server_name {{ hostname }};
+ return 301 https://$host$request_uri;
+}
+{% endif %}
-{% for name in server.name %}
- server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{% for address in listen_address %}
+ listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
{% endfor %}
+{% else %}
+ listen {{ port }} ssl;
+ listen [::]:{{ port }} ssl;
+{% endif %}
- root /srv/localui;
+ server_name {{ hostname }};
+ root /srv/localui;
-{% if server.certbot %}
- ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
- ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
- include {{ server.certbot_dir }}/options-ssl-nginx.conf;
- ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{% elif server.vyos_cert %}
- ssl_certificate {{ server.vyos_cert.crt }};
- ssl_certificate_key {{ server.vyos_cert.key }};
-{% else %}
- #
- # Self signed certs generated by the ssl-cert package
- # Don't use them in a production server!
- #
- include snippets/snakeoil.conf;
+ # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+ ssl_certificate {{ certificates.cert_path }};
+ ssl_certificate_key {{ certificates.key_path }};
+{% if certificates.dh_file is vyos_defined %}
+ ssl_dhparam {{ certificates.dh_file }};
{% endif %}
- ssl_protocols TLSv1.2 TLSv1.3;
+{% else %}
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ include snippets/snakeoil.conf;
+{% endif %}
- # proxy settings for HTTP API, if enabled; 503, if not
- location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
-{% if server.api %}
- proxy_pass http://unix:/run/api.sock;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_read_timeout 600;
- proxy_buffering off;
-{% else %}
- return 503;
-{% endif %}
-{% if server.allow_client %}
-{% for client in server.allow_client %}
- allow {{ client }};
-{% endfor %}
- deny all;
-{% endif %}
- }
+ # Improve HTTPS performance with session resumption
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
- error_page 497 =301 https://$host:{{ server.port }}$request_uri;
-}
+ # From LetsEncrypt
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
-{% endfor %}
+ # proxy settings for HTTP API, if enabled; 503, if not
+ location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+ proxy_pass http://unix:/run/api.sock;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 600;
+ proxy_buffering off;
+{% else %}
+ return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{% for address in allow_client.address %}
+ allow {{ address }};
+{% endfor %}
+ deny all;
+{% endif %}
+ }
+ error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index f620b3248..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,6 +3,7 @@
Description=VyOS HTTP API service
After=vyos-router.service
Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
[Service]
ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
@@ -20,4 +21,3 @@ Group=vyattacfg
[Install]
WantedBy=vyos.target
-
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 9d95271fe..c5841fb91 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -83,10 +83,9 @@
start_action = none
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
- dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
+ dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
}
{% elif peer_conf.tunnel is vyos_defined %}
{% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -134,10 +133,9 @@
start_action = none
{% endif %}
{% if ike.dead_peer_detection is vyos_defined %}
-{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
- dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
+ dpd_action = {{ ike.dead_peer_detection.action }}
{% endif %}
- close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
+ close_action = {{ ike.close_action }}
{% if peer_conf.vti.bind is vyos_defined %}
{# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
{# Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2
index f2a982528..73588fdb2 100644
--- a/data/templates/sflow/override.conf.j2
+++ b/data/templates/sflow/override.conf.j2
@@ -1,3 +1,4 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
[Unit]
After=
After=vyos-router.service
@@ -7,7 +8,7 @@ ConditionPathExists=/run/sflow/hsflowd.conf
[Service]
EnvironmentFile=
ExecStart=
-ExecStart=/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf
+ExecStart={{ vrf_command }}/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf
WorkingDirectory=
WorkingDirectory=/run/sflow
PIDFile=
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
type filter hook prerouting priority -300; policy accept;
}
}
+
+# Required by VRF
+table inet vrf_zones {
+ # Map of interfaces and connections tracking zones
+ map ct_iface_map {
+ typeof iifname : ct zone
+ }
+ # Assign unique zones for each VRF
+ # Chain for inbound traffic
+ chain vrf_zones_ct_in {
+ type filter hook prerouting priority raw; policy accept;
+ counter ct original zone set iifname map @ct_iface_map
+ }
+ # Chain for locally-generated traffic
+ chain vrf_zones_ct_out {
+ type filter hook output priority raw; policy accept;
+ counter ct original zone set oifname map @ct_iface_map
+ }
+}