diff options
Diffstat (limited to 'data')
28 files changed, 231 insertions, 125 deletions
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json index ed9bb6cad..d3685caaf 100644 --- a/data/op-mode-standardized.json +++ b/data/op-mode-standardized.json @@ -9,21 +9,22 @@ "dhcp.py", "dns.py", "interfaces.py", +"ipsec.py", "lldp.py", "log.py", "memory.py", +"multicast.py", "nat.py", "neighbor.py", "nhrp.py", "openconnect.py", -"otp.py", "openvpn.py", +"otp.py", "reset_vpn.py", "reverseproxy.py", "route.py", -"system.py", -"ipsec.py", "storage.py", +"system.py", "uptime.py", "version.py", "vrf.py" diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2 index 6ac04e1a1..8e66486e6 100644 --- a/data/templates/accel-ppp/config_ip_pool.j2 +++ b/data/templates/accel-ppp/config_ip_pool.j2 @@ -12,16 +12,20 @@ gw-ip-address={{ gateway_address }} {% endif %} {% for pool in ordered_named_pools %} {% for pool_name, pool_config in pool.items() %} -{% set iprange_str = pool_config.range %} -{% set iprange_list = pool_config.range.split('-') %} -{% if iprange_list | length == 2 %} -{% set last_ip_oct = iprange_list[1].split('.') %} -{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %} -{% endif %} -{% if pool_config.next_pool is vyos_defined %} +{% if pool_config.range is vyos_defined %} +{% for range in pool_config.range %} +{% set iprange_str = range %} +{% set iprange_list = range.split('-') %} +{% if iprange_list | length == 2 %} +{% set last_ip_oct = iprange_list[1].split('.') %} +{% set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %} +{% endif %} +{% if loop.last and pool_config.next_pool is vyos_defined %} {{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }} -{% else %} +{% else %} {{ iprange_str }},name={{ pool_name }} +{% endif %} +{% endfor %} {% endif %} {% endfor %} {% endfor %} diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2 index a1562a1eb..86efdc1e1 100644 --- a/data/templates/accel-ppp/config_ipv6_pool.j2 +++ b/data/templates/accel-ppp/config_ipv6_pool.j2 @@ -3,20 +3,19 @@ AdvAutonomousFlag=1 verbose=1 -{% if client_ipv6_pool.prefix is vyos_defined %} [ipv6-pool] -{% for prefix, options in client_ipv6_pool.prefix.items() %} -{{ prefix }},{{ options.mask }} -{% endfor %} -{% if client_ipv6_pool.delegate is vyos_defined %} -{% for prefix, options in client_ipv6_pool.delegate.items() %} -delegate={{ prefix }},{{ options.delegation_prefix }} +{% for pool_name, pool_config in client_ipv6_pool.items() %} +{% if pool_config.prefix is vyos_defined %} +{% for prefix, options in pool_config.prefix.items() %} +{{ prefix }},{{ options.mask }},name={{ pool_name }} {% endfor %} {% endif %} -{% endif %} - -{% if client_ipv6_pool.delegate is vyos_defined %} +{% if pool_config.delegate is vyos_defined %} +{% for prefix, options in pool_config.delegate.items() %} +delegate={{ prefix }},{{ options.delegation_prefix }},name={{ pool_name }} +{% endfor %} +{% endif %} +{% endfor %} [ipv6-dhcp] verbose=1 -{% endif %} {% endif %} diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2 index 588f3d462..8b022eaa5 100644 --- a/data/templates/accel-ppp/ipoe.config.j2 +++ b/data/templates/accel-ppp/ipoe.config.j2 @@ -58,6 +58,10 @@ password=csid {% if default_pool is vyos_defined %} ip-pool={{ default_pool }} {% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} {% if gateway_address is vyos_defined %} {% for gw_addr in gateway_address %} gw-ip-address={{ gw_addr }} diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2 index 49755254a..f041e278e 100644 --- a/data/templates/accel-ppp/l2tp.config.j2 +++ b/data/templates/accel-ppp/l2tp.config.j2 @@ -51,6 +51,10 @@ host-name={{ lns.host_name }} {% if default_pool is vyos_defined %} ip-pool={{ default_pool }} {% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} [client-ip-range] 0.0.0.0/0 diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2 index 4bb1c4450..fb8a11366 100644 --- a/data/templates/accel-ppp/pppoe.config.j2 +++ b/data/templates/accel-ppp/pppoe.config.j2 @@ -143,6 +143,10 @@ noauth=1 {% if default_pool is vyos_defined %} ip-pool={{ default_pool }} {% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} {% if limits is vyos_defined %} [connlimit] diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2 index 014ae1235..51f7dfca8 100644 --- a/data/templates/accel-ppp/sstp.config.j2 +++ b/data/templates/accel-ppp/sstp.config.j2 @@ -39,6 +39,10 @@ ssl-keyfile=/run/accel-pppd/sstp-cert.key {% if default_pool is vyos_defined %} ip-pool={{ default_pool }} {% endif %} +{% if default_ipv6_pool is vyos_defined %} +ipv6-pool={{ default_ipv6_pool }} +ipv6-pool-delegate={{ default_ipv6_pool }} +{% endif %} {# Common IP pool definitions #} {% include 'accel-ppp/config_ip_pool.j2' %} diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2 index d02fbf71d..e3f078fdc 100644 --- a/data/templates/chrony/chrony.conf.j2 +++ b/data/templates/chrony/chrony.conf.j2 @@ -21,7 +21,17 @@ ntsdumpdir /run/chrony pidfile {{ config_file | replace('.conf', '.pid') }} # Determine when will the next leap second occur and what is the current offset +{% if leap_second is vyos_defined('timezone') %} leapsectz right/UTC +{% elif leap_second is vyos_defined('ignore') %} +leapsecmode ignore +{% elif leap_second is vyos_defined('smear') %} +leapsecmode slew +maxslewrate 1000 +smoothtime 400 0.001024 leaponly +{% elif leap_second is vyos_defined('system') %} +leapsecmode system +{% endif %} user {{ user }} diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2 index fa48384ab..d379f0a07 100644 --- a/data/templates/container/systemd-unit.j2 +++ b/data/templates/container/systemd-unit.j2 @@ -13,5 +13,5 @@ ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid ExecStopPost=/bin/rm -f %t/%n.cid PIDFile=%t/%n.pid -KillMode=none +KillMode=control-group Type=forking diff --git a/data/templates/dhcp-server/kea-dhcp4.conf.j2 b/data/templates/dhcp-server/kea-dhcp4.conf.j2 index 6ab13ab27..629fa952a 100644 --- a/data/templates/dhcp-server/kea-dhcp4.conf.j2 +++ b/data/templates/dhcp-server/kea-dhcp4.conf.j2 @@ -1,8 +1,16 @@ { "Dhcp4": { "interfaces-config": { +{% if listen_address is vyos_defined %} + "interfaces": {{ listen_address | kea_address_json }}, + "dhcp-socket-type": "udp", +{% elif listen_interface is vyos_defined %} + "interfaces": {{ listen_interface | tojson }}, + "dhcp-socket-type": "raw", +{% else %} "interfaces": [ "*" ], "dhcp-socket-type": "raw", +{% endif %} "service-sockets-max-retries": 5, "service-sockets-retry-wait-time": 5000 }, diff --git a/data/templates/dhcp-server/kea-dhcp6.conf.j2 b/data/templates/dhcp-server/kea-dhcp6.conf.j2 index 3ce4e6370..3ab21551b 100644 --- a/data/templates/dhcp-server/kea-dhcp6.conf.j2 +++ b/data/templates/dhcp-server/kea-dhcp6.conf.j2 @@ -1,7 +1,11 @@ { "Dhcp6": { "interfaces-config": { +{% if listen_interface is vyos_defined %} + "interfaces": {{ listen_interface | tojson }}, +{% else %} "interfaces": [ "*" ], +{% endif %} "service-sockets-max-retries": 5, "service-sockets-retry-wait-time": 5000 }, diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2 index 6c0653a55..5538ea56c 100644 --- a/data/templates/dns-dynamic/ddclient.conf.j2 +++ b/data/templates/dns-dynamic/ddclient.conf.j2 @@ -7,7 +7,7 @@ use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \ web{{ ipv }}={{ web_options.url }}, \ {% endif %} {% if web_options.skip is vyos_defined %} -web-skip{{ ipv }}='{{ web_options.skip }}', \ +web{{ ipv }}-skip='{{ web_options.skip }}', \ {% endif %} {% else %} if{{ ipv }}={{ address }}, \ @@ -45,9 +45,12 @@ use=no else ['']) %} {% set password = config.key if config.protocol == 'nsupdate' else config.password %} +{% set address = 'web' if config.address.web is vyos_defined + else config.address.interface %} +{% set web_options = config.address.web | default({}) %} # Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}] -{{ render_config(host, config.address, config.web_options, ip_suffixes, +{{ render_config(host, address, web_options, ip_suffixes, protocol=config.protocol, server=config.server, zone=config.zone, login=config.username, password=password, ttl=config.ttl, min_interval=config.wait_time, max_interval=config.expiry_time) }} diff --git a/data/templates/dns-forwarding/override.conf.j2 b/data/templates/dns-forwarding/override.conf.j2 new file mode 100644 index 000000000..9d81a2977 --- /dev/null +++ b/data/templates/dns-forwarding/override.conf.j2 @@ -0,0 +1,8 @@ +[Unit] +ConditionPathExists={{ config_file }} +After=vyos-router.service + +[Service] +RuntimeDirectoryPreserve=yes +ExecStart= +ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir={{ config_dir }} diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2 index ea700406c..5ac872f19 100644 --- a/data/templates/dns-forwarding/recursor.conf.j2 +++ b/data/templates/dns-forwarding/recursor.conf.j2 @@ -12,7 +12,7 @@ allow-from={{ allow_from | join(',') }} log-common-errors=yes non-local-bind=yes query-local-address={{ source_address | join(',') }} -lua-config-file=recursor.conf.lua +lua-config-file={{ config_dir }}/recursor.conf.lua # cache-size max-cache-entries={{ cache_size }} @@ -40,10 +40,34 @@ dnssec={{ dnssec }} dns64-prefix={{ dns64_prefix }} {% endif %} +{% if exclude_throttle_address is vyos_defined %} +# dont-throttle-netmasks +dont-throttle-netmasks={{ exclude_throttle_address | join(',') }} +{% endif %} + +{% if serve_stale_extension is vyos_defined %} +# serve-stale-extensions +serve-stale-extensions={{ serve_stale_extension }} +{% endif %} + # serve rfc1918 records serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }} # zones auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %} -forward-zones-file=recursor.forward-zones.conf +forward-zones-file={{ config_dir }}/recursor.forward-zones.conf + +#ecs +{% if options.ecs_add_for is vyos_defined %} +ecs-add-for={{ options.ecs_add_for | join(',') }} +{% endif %} + +{% if options.ecs_ipv4_bits is vyos_defined %} +ecs-ipv4-bits={{ options.ecs_ipv4_bits }} +{% endif %} + +{% if options.edns_subnet_allow_list is vyos_defined %} +edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }} +{% endif %} + diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2 index 816f69160..8026442c7 100644 --- a/data/templates/dns-forwarding/recursor.conf.lua.j2 +++ b/data/templates/dns-forwarding/recursor.conf.lua.j2 @@ -5,4 +5,4 @@ dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua") -- Load lua from vyos-hostsd -- -dofile("recursor.vyos-hostsd.conf.lua") +dofile("{{ config_dir }}/recursor.vyos-hostsd.conf.lua") diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2 deleted file mode 100644 index 3bce7312d..000000000 --- a/data/templates/firewall/nftables-vrf-zones.j2 +++ /dev/null @@ -1,17 +0,0 @@ -table inet vrf_zones { - # Map of interfaces and connections tracking zones - map ct_iface_map { - typeof iifname : ct zone - } - # Assign unique zones for each VRF - # Chain for inbound traffic - chain vrf_zones_ct_in { - type filter hook prerouting priority raw; policy accept; - counter ct original zone set iifname map @ct_iface_map - } - # Chain for locally-generated traffic - chain vrf_zones_ct_out { - type filter hook output priority raw; policy accept; - counter ct original zone set oifname map @ct_iface_map - } -} diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2 index 5e55099ca..e78725079 100644 --- a/data/templates/firewall/nftables-zone.j2 +++ b/data/templates/firewall/nftables-zone.j2 @@ -1,13 +1,6 @@ - -{% macro zone_chains(zone, family, state_policy=False) %} -{% if family == 'ipv6' %} -{% set fw_name = 'ipv6_name' %} -{% set suffix = '6' %} -{% else %} -{% set fw_name = 'name' %} -{% set suffix = '' %} -{% endif %} - +{% macro zone_chains(zone, ipv6=False, state_policy=False) %} +{% set fw_name = 'ipv6_name' if ipv6 else 'name' %} +{% set suffix = '6' if ipv6 else '' %} chain VYOS_ZONE_FORWARD { type filter hook forward priority 1; policy accept; {% if state_policy %} diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2 index e0ad0e00a..833df3a67 100644 --- a/data/templates/firewall/nftables.j2 +++ b/data/templates/firewall/nftables.j2 @@ -163,7 +163,7 @@ table ip vyos_filter { {{ group_tmpl.groups(group, False, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv4', global_options.state_policy is vyos_defined) }} +{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }} {% endif %} {% if global_options.state_policy is vyos_defined %} chain VYOS_STATE_POLICY { @@ -298,7 +298,7 @@ table ip6 vyos_filter { {% endif %} {{ group_tmpl.groups(group, True, True) }} {% if zone is vyos_defined %} -{{ zone_tmpl.zone_chains(zone, 'ipv6', global_options.state_policy is vyos_defined) }} +{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }} {% endif %} {% if global_options.state_policy is vyos_defined %} chain VYOS_STATE_POLICY6 { diff --git a/data/templates/frr/bfdd.frr.j2 b/data/templates/frr/bfdd.frr.j2 index c4adeb402..f3303e401 100644 --- a/data/templates/frr/bfdd.frr.j2 +++ b/data/templates/frr/bfdd.frr.j2 @@ -13,6 +13,9 @@ bfd {% if profile_config.echo_mode is vyos_defined %} echo-mode {% endif %} +{% if profile_config.minimum_ttl is vyos_defined %} + minimum-ttl {{ profile_config.minimum_ttl }} +{% endif %} {% if profile_config.passive is vyos_defined %} passive-mode {% endif %} @@ -38,6 +41,9 @@ bfd {% if peer_config.echo_mode is vyos_defined %} echo-mode {% endif %} +{% if peer_config.minimum_ttl is vyos_defined %} + minimum-ttl {{ peer_config.minimum_ttl }} +{% endif %} {% if peer_config.passive is vyos_defined %} passive-mode {% endif %} diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2 index 679ba8b04..e02fdd1bb 100644 --- a/data/templates/frr/bgpd.frr.j2 +++ b/data/templates/frr/bgpd.frr.j2 @@ -402,6 +402,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if afi_config.flooding.head_end_replication is vyos_defined %} flooding head-end-replication {% endif %} +{% if afi_config.nexthop.vpn.export is vyos_defined %} + nexthop vpn export {{ afi_config.nexthop.vpn.export }} +{% endif %} {% if afi_config.rd.vpn.export is vyos_defined %} rd vpn export {{ afi_config.rd.vpn.export }} {% endif %} @@ -436,6 +439,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }} {% if afi_config.route_map.vpn.import is vyos_defined %} route-map vpn import {{ afi_config.route_map.vpn.import }} {% endif %} +{% if afi_config.sid.vpn.export is vyos_defined %} + sid vpn export {{ afi_config.sid.vpn.export }} +{% endif %} {% if afi_config.vni is vyos_defined %} {% for vni, vni_config in afi_config.vni.items() %} vni {{ vni }} diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2 index 278ffbf2c..5e9b95cc0 100644 --- a/data/templates/grub/grub_common.j2 +++ b/data/templates/grub/grub_common.j2 @@ -8,9 +8,13 @@ fi function setup_serial { # initialize the first serial port by default if [ "${console_type}" == "ttyS" ]; then - serial --unit=${console_num} + if [ "${console_num}" == "0" ]; then + serial --unit=0 --speed=${console_speed} + else + serial --unit=${console_num} --speed=115200 + fi else - serial --unit=0 + serial --unit=0 --speed=${console_speed} fi terminal_output --append serial console terminal_input --append serial console diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2 index 887d5d0bd..d1085eec8 100644 --- a/data/templates/grub/grub_compat.j2 +++ b/data/templates/grub/grub_compat.j2 @@ -22,13 +22,13 @@ {%- endmacro %} {% macro console_opts(type) -%} {% if type == 'tty' -%} - console=ttyS0,115200 console=tty0 + console=ttyS0,{{ console_speed }} console=tty0 {%- elif type == 'ttyS' -%} - console=tty0 console=ttyS0,115200 + console=tty0 console=ttyS0,{{ console_speed }} {%- elif type == 'ttyUSB' -%} console=tty0 console=ttyUSB0,115200 {%- else -%} - console=tty0 console=ttyS0,115200 + console=tty0 console=ttyS0,{{ console_speed }} {%- endif %} {%- endmacro %} {% macro passwd_opts(mode) -%} @@ -39,9 +39,13 @@ set default={{ default }} set timeout={{ timeout }} {% if console_type == 'ttyS' %} +{% if console_num == '0' %} +serial --unit=0 --speed={{ console_speed }} +{% else %} serial --unit={{ console_num }} --speed=115200 +{% endif %} {% else %} -serial --unit=0 --speed=115200 +serial --unit=0 --speed={{ console_speed }} {% endif %} terminal_output --append serial terminal_input serial console diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2 index 97fbe8473..de85f1419 100644 --- a/data/templates/grub/grub_vyos_version.j2 +++ b/data/templates/grub/grub_vyos_version.j2 @@ -1,21 +1,31 @@ -{% set boot_opts_default = "boot=live rootdelay=5 noautologin net.ifnames=0 biosdevname=0 vyos-union=/boot/" + version_name %} -{% if boot_opts != '' %} +{% if boot_opts_config is vyos_defined %} +{% if boot_opts_config %} +{% set boot_opts_rendered = boot_opts_default + " " + boot_opts_config %} +{% else %} +{% set boot_opts_rendered = boot_opts_default %} +{% endif %} +{% elif boot_opts != '' %} {% set boot_opts_rendered = boot_opts %} {% else %} {% set boot_opts_rendered = boot_opts_default %} {% endif %} menuentry "{{ version_name }}" --id {{ version_uuid }} { set boot_opts="{{ boot_opts_rendered }}" + if [ "${console_type}" == "ttyS" ]; then + set console_opts="console=${console_type}${console_num},${console_speed}" + else + set console_opts="console=${console_type}${console_num}" + fi # load rootfs to RAM if [ "${boot_toram}" == "yes" ]; then set boot_opts="${boot_opts} toram" fi if [ "${bootmode}" == "pw_reset" ]; then - set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/libexec/vyos/system/standalone_root_pw_reset" + set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset" elif [ "${bootmode}" == "recovery" ]; then - set boot_opts="${boot_opts} console=${console_type}${console_num} init=/usr/bin/busybox init" + set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init" else - set boot_opts="${boot_opts} console=${console_type}${console_num}" + set boot_opts="${boot_opts} ${console_opts}" fi linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts} initrd "/boot/{{ version_name }}/initrd.img" diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2 index 80239ea56..5d17df001 100644 --- a/data/templates/https/nginx.default.j2 +++ b/data/templates/https/nginx.default.j2 @@ -1,60 +1,65 @@ ### Autogenerated by service_https.py ### -# Default server configuration -{% for server in server_block_list %} +{% if enable_http_redirect is vyos_defined %} server { - # SSL configuration - # -{% if server.address == '*' %} - listen {{ server.port }} ssl; - listen [::]:{{ server.port }} ssl; -{% else %} - listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl; -{% endif %} + listen 80 default_server; + server_name {{ hostname }}; + return 301 https://$host$request_uri; +} +{% endif %} -{% for name in server.name %} - server_name {{ name }}; +server { +{% if listen_address is vyos_defined %} +{% for address in listen_address %} + listen {{ address | bracketize_ipv6 }}:{{ port }} ssl; {% endfor %} +{% else %} + listen {{ port }} ssl; + listen [::]:{{ port }} ssl; +{% endif %} - root /srv/localui; + server_name {{ hostname }}; + root /srv/localui; -{% if server.certbot %} - ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem; - ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem; - include {{ server.certbot_dir }}/options-ssl-nginx.conf; - ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem; -{% elif server.vyos_cert %} - ssl_certificate {{ server.vyos_cert.crt }}; - ssl_certificate_key {{ server.vyos_cert.key }}; -{% else %} - # - # Self signed certs generated by the ssl-cert package - # Don't use them in a production server! - # - include snippets/snakeoil.conf; + # SSL configuration +{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %} + ssl_certificate {{ certificates.cert_path }}; + ssl_certificate_key {{ certificates.key_path }}; +{% if certificates.dh_file is vyos_defined %} + ssl_dhparam {{ certificates.dh_file }}; {% endif %} - ssl_protocols TLSv1.2 TLSv1.3; +{% else %} + # Self signed certs generated by the ssl-cert package + # Don't use them in a production server! + include snippets/snakeoil.conf; +{% endif %} - # proxy settings for HTTP API, if enabled; 503, if not - location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { -{% if server.api %} - proxy_pass http://unix:/run/api.sock; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_read_timeout 600; - proxy_buffering off; -{% else %} - return 503; -{% endif %} -{% if server.allow_client %} -{% for client in server.allow_client %} - allow {{ client }}; -{% endfor %} - deny all; -{% endif %} - } + # Improve HTTPS performance with session resumption + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }}; - error_page 497 =301 https://$host:{{ server.port }}$request_uri; -} + # From LetsEncrypt + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; -{% endfor %} + # proxy settings for HTTP API, if enabled; 503, if not + location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) { +{% if api is vyos_defined %} + proxy_pass http://unix:/run/api.sock; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_read_timeout 600; + proxy_buffering off; +{% else %} + return 503; +{% endif %} +{% if allow_client.address is vyos_defined %} +{% for address in allow_client.address %} + allow {{ address }}; +{% endfor %} + deny all; +{% endif %} + } + error_page 497 =301 https://$host:{{ port }}$request_uri; +} diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2 index f620b3248..aa4da7666 100644 --- a/data/templates/https/vyos-http-api.service.j2 +++ b/data/templates/https/vyos-http-api.service.j2 @@ -3,6 +3,7 @@ Description=VyOS HTTP API service After=vyos-router.service Requires=vyos-router.service +ConditionPathExists={{ api_config_state }} [Service] ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server @@ -20,4 +21,3 @@ Group=vyattacfg [Install] WantedBy=vyos.target - diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2 index 9d95271fe..c5841fb91 100644 --- a/data/templates/ipsec/swanctl/peer.j2 +++ b/data/templates/ipsec/swanctl/peer.j2 @@ -83,10 +83,9 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is vyos_defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} - dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} + dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} + close_action = {{ ike.close_action }} } {% elif peer_conf.tunnel is vyos_defined %} {% for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %} @@ -134,10 +133,9 @@ start_action = none {% endif %} {% if ike.dead_peer_detection is vyos_defined %} -{% set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %} - dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }} + dpd_action = {{ ike.dead_peer_detection.action }} {% endif %} - close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }} + close_action = {{ ike.close_action }} {% if peer_conf.vti.bind is vyos_defined %} {# The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #} {# Thus we simply shift the key by one to also support a vti0 interface #} diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2 index f2a982528..73588fdb2 100644 --- a/data/templates/sflow/override.conf.j2 +++ b/data/templates/sflow/override.conf.j2 @@ -1,3 +1,4 @@ +{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %} [Unit] After= After=vyos-router.service @@ -7,7 +8,7 @@ ConditionPathExists=/run/sflow/hsflowd.conf [Service] EnvironmentFile= ExecStart= -ExecStart=/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf +ExecStart={{ vrf_command }}/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf WorkingDirectory= WorkingDirectory=/run/sflow PIDFile= diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf index cd7d5011f..5a4e03015 100644 --- a/data/vyos-firewall-init.conf +++ b/data/vyos-firewall-init.conf @@ -54,3 +54,22 @@ table ip6 raw { type filter hook prerouting priority -300; policy accept; } } + +# Required by VRF +table inet vrf_zones { + # Map of interfaces and connections tracking zones + map ct_iface_map { + typeof iifname : ct zone + } + # Assign unique zones for each VRF + # Chain for inbound traffic + chain vrf_zones_ct_in { + type filter hook prerouting priority raw; policy accept; + counter ct original zone set iifname map @ct_iface_map + } + # Chain for locally-generated traffic + chain vrf_zones_ct_out { + type filter hook output priority raw; policy accept; + counter ct original zone set oifname map @ct_iface_map + } +} |