110 files changed, 2352 insertions, 2090 deletions

diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index 6c86642c7..b62603e34 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,52 +1,55 @@
 {
-  "conntrack": {"conntrack_sync": ["conntrack_sync"]},
-  "firewall": {
-                "conntrack": ["conntrack"],
-                "conntrack_sync": ["conntrack_sync"],
-                "group_resync": ["conntrack", "nat", "policy-route"]
-              },
-  "http_api": {"https": ["https"]},
-  "load_balancing_wan": {
-                          "conntrack": ["conntrack"],
-                          "conntrack_sync": ["conntrack_sync"]
-                        },
-  "nat": {
-           "conntrack": ["conntrack"],
-           "conntrack_sync": ["conntrack_sync"]
-         },
-  "nat66": {
-             "conntrack": ["conntrack"],
-             "conntrack_sync": ["conntrack_sync"]
-           },
-  "pki": {
-           "ethernet": ["interfaces-ethernet"],
-           "openvpn": ["interfaces-openvpn"],
-           "https": ["https"],
-           "ipsec": ["vpn_ipsec"],
-           "openconnect": ["vpn_openconnect"],
-           "sstp": ["vpn_sstp"]
-         },
-  "qos": {
-           "bonding": ["interfaces-bonding"],
-           "bridge": ["interfaces-bridge"],
-           "dummy": ["interfaces-dummy"],
-           "ethernet": ["interfaces-ethernet"],
-           "geneve": ["interfaces-geneve"],
-           "input": ["interfaces-input"],
-           "l2tpv3": ["interfaces-l2tpv3"],
-           "loopback": ["interfaces-loopback"],
-           "macsec": ["interfaces-macsec"],
-           "openvpn": ["interfaces-openvpn"],
-           "pppoe": ["interfaces-pppoe"],
-           "pseudo-ethernet": ["interfaces-pseudo-ethernet"],
-           "tunnel": ["interfaces-tunnel"],
-           "vti": ["interfaces-vti"],
-           "vxlan": ["interfaces-vxlan"],
-           "wireguard": ["interfaces-wireguard"],
-           "wireless": ["interfaces-wireless"],
-           "wwan": ["interfaces-wwan"]
-         },
-  "vpp": {
-           "ethernet": ["interfaces-ethernet"]
-         }
+    "system_conntrack": {
+        "conntrack_sync": ["service_conntrack-sync"]
+    },
+    "firewall": {
+        "conntrack": ["system_conntrack"],
+        "group_resync": ["system_conntrack", "nat", "policy_route"]
+    },
+    "interfaces_bonding": {
+        "ethernet": ["interfaces_ethernet"]
+    },
+    "interfaces_bridge": {
+        "vxlan": ["interfaces_vxlan"]
+    },
+    "load_balancing_wan": {
+        "conntrack": ["system_conntrack"]
+    },
+    "nat": {
+        "conntrack": ["system_conntrack"]
+    },
+    "nat66": {
+        "conntrack": ["system_conntrack"]
+    },
+    "pki": {
+        "ethernet": ["interfaces_ethernet"],
+        "openvpn": ["interfaces_openvpn"],
+        "https": ["service_https"],
+        "ipsec": ["vpn_ipsec"],
+        "openconnect": ["vpn_openconnect"],
+        "sstp": ["vpn_sstp"]
+    },
+    "vpn_l2tp": {
+        "ipsec": ["vpn_ipsec"]
+    },
+    "qos": {
+        "bonding": ["interfaces_bonding"],
+        "bridge": ["interfaces_bridge"],
+        "dummy": ["interfaces_dummy"],
+        "ethernet": ["interfaces_ethernet"],
+        "geneve": ["interfaces_geneve"],
+        "input": ["interfaces_input"],
+        "l2tpv3": ["interfaces_l2tpv3"],
+        "loopback": ["interfaces_loopback"],
+        "macsec": ["interfaces_macsec"],
+        "openvpn": ["interfaces_openvpn"],
+        "pppoe": ["interfaces_pppoe"],
+        "pseudo-ethernet": ["interfaces_pseudo-ethernet"],
+        "tunnel": ["interfaces_tunnel"],
+        "vti": ["interfaces_vti"],
+        "vxlan": ["interfaces_vxlan"],
+        "wireguard": ["interfaces_wireguard"],
+        "wireless": ["interfaces_wireless"],
+        "wwan": ["interfaces_wwan"]
+    }
 }
diff --git a/data/configd-include.json b/data/configd-include.json
index 84bc1f14e..dc00f0698 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -1,87 +1,111 @@
 [
-"arp.py",
-"bcast_relay.py",
 "container.py",
-"conntrack.py",
-"conntrack_sync.py",
-"dhcp_relay.py",
-"dhcp_server.py",
-"dhcpv6_relay.py",
-"dhcpv6_server.py",
-"dns_forwarding.py",
-"dns_dynamic.py",
 "firewall.py",
-"flow_accounting_conf.py",
 "high-availability.py",
-"host_name.py",
-"igmp_proxy.py",
-"intel_qat.py",
-"interfaces-bonding.py",
-"interfaces-bridge.py",
-"interfaces-dummy.py",
-"interfaces-ethernet.py",
-"interfaces-geneve.py",
-"interfaces-l2tpv3.py",
-"interfaces-loopback.py",
-"interfaces-macsec.py",
-"interfaces-openvpn.py",
-"interfaces-pppoe.py",
-"interfaces-pseudo-ethernet.py",
-"interfaces-sstpc.py",
-"interfaces-tunnel.py",
-"interfaces-vti.py",
-"interfaces-vxlan.py",
-"interfaces-wireguard.py",
-"interfaces-wireless.py",
-"interfaces-wwan.py",
-"lldp.py",
+"interfaces_bonding.py",
+"interfaces_bridge.py",
+"interfaces_dummy.py",
+"interfaces_ethernet.py",
+"interfaces_geneve.py",
+"interfaces_input.py",
+"interfaces_l2tpv3.py",
+"interfaces_loopback.py",
+"interfaces_macsec.py",
+"interfaces_openvpn.py",
+"interfaces_pppoe.py",
+"interfaces_pseudo-ethernet.py",
+"interfaces_sstpc.py",
+"interfaces_tunnel.py",
+"interfaces_virtual-ethernet.py",
+"interfaces_vti.py",
+"interfaces_vxlan.py",
+"interfaces_wireguard.py",
+"interfaces_wireless.py",
+"interfaces_wwan.py",
+"load-balancing_reverse-proxy.py",
+"load-balancing_wan.py",
 "nat.py",
+"nat64.py",
 "nat66.py",
 "netns.py",
-"ntp.py",
 "pki.py",
 "policy.py",
-"policy-local-route.py",
+"policy_route.py",
+"policy_local-route.py",
+"protocols_babel.py",
 "protocols_bfd.py",
 "protocols_bgp.py",
-"protocols_igmp.py",
+"protocols_eigrp.py",
+"protocols_failover.py",
+"protocols_igmp-proxy.py",
 "protocols_isis.py",
 "protocols_mpls.py",
 "protocols_nhrp.py",
 "protocols_ospf.py",
 "protocols_ospfv3.py",
 "protocols_pim.py",
+"protocols_pim6.py",
 "protocols_rip.py",
 "protocols_ripng.py",
 "protocols_rpki.py",
+"protocols_segment-routing.py",
 "protocols_static.py",
+"protocols_static_arp.py",
 "protocols_static_multicast.py",
+"protocols_static_neighbor-proxy.py",
 "qos.py",
-"salt-minion.py",
+"service_aws_glb.py",
+"service_broadcast-relay.py",
+"service_config-sync.py",
+"service_conntrack-sync.py",
 "service_console-server.py",
-"service_ids_fastnetmon.py",
+"service_dhcp-relay.py",
+"service_dhcp-server.py",
+"service_dhcpv6-relay.py",
+"service_dhcpv6-server.py",
+"service_dns_dynamic.py",
+"service_dns_forwarding.py",
+"service_event-handler.py",
+"service_https.py",
+"service_ids_ddos-protection.py",
 "service_ipoe-server.py",
-"service_mdns-repeater.py",
+"service_lldp.py",
+"service_mdns_repeater.py",
 "service_monitoring_telegraf.py",
+"service_monitoring_zabbix-agent.py",
+"service_ndp-proxy.py",
+"service_ntp.py",
 "service_pppoe-server.py",
 "service_router-advert.py",
+"service_salt-minion.py",
+"service_sla.py",
+"service_ssh.py",
+"service_tftp-server.py",
 "service_upnp.py",
-"ssh.py",
-"system-ip.py",
-"system-ipv6.py",
-"system-login-banner.py",
-"system-logs.py",
-"system-option.py",
-"system-proxy.py",
-"system_sflow.py",
-"system_sysctl.py",
-"system-syslog.py",
-"system-timezone.py",
+"service_webproxy.py",
+"system_acceleration.py",
+"system_config-management.py",
+"system_conntrack.py",
 "system_console.py",
+"system_flow-accounting.py",
+"system_frr.py",
+"system_host-name.py",
+"system_ip.py",
+"system_ipv6.py",
 "system_lcd.py",
-"task_scheduler.py",
-"tftp_server.py",
+"system_login_banner.py",
+"system_logs.py",
+"system_option.py",
+"system_proxy.py",
+"system_sflow.py",
+"system_sysctl.py",
+"system_syslog.py",
+"system_task-scheduler.py",
+"system_timezone.py",
+"system_update-check.py",
+"vpn_ipsec.py",
 "vpn_l2tp.py",
+"vpn_openconnect.py",
 "vpn_pptp.py",
 "vpn_sstp.py",
 "vrf.py",
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ed9bb6cad..d3685caaf 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -9,21 +9,22 @@
 "dhcp.py",
 "dns.py",
 "interfaces.py",
+"ipsec.py",
 "lldp.py",
 "log.py",
 "memory.py",
+"multicast.py",
 "nat.py",
 "neighbor.py",
 "nhrp.py",
 "openconnect.py",
-"otp.py",
 "openvpn.py",
+"otp.py",
 "reset_vpn.py",
 "reverseproxy.py",
 "route.py",
-"system.py",
-"ipsec.py",
 "storage.py",
+"system.py",
 "uptime.py",
 "version.py",
 "vrf.py"
diff --git a/data/templates/accel-ppp/config_chap_secrets_radius.j2 b/data/templates/accel-ppp/config_chap_secrets_radius.j2
index a498d8186..595e3a565 100644
--- a/data/templates/accel-ppp/config_chap_secrets_radius.j2
+++ b/data/templates/accel-ppp/config_chap_secrets_radius.j2
@@ -30,7 +30,16 @@ dae-server={{ authentication.radius.dynamic_author.server }}:{{ authentication.r
 {%     endif %}
 {% endif %}
 {# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gateway_address is vyos_defined %}
+{% if authentication.mode is vyos_defined('local') or authentication.mode is vyos_defined('radius') %}
+{%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
+{%     endif %}
 {% endif %}
 
diff --git a/data/templates/accel-ppp/config_ip_pool.j2 b/data/templates/accel-ppp/config_ip_pool.j2
index f7511e445..8e66486e6 100644
--- a/data/templates/accel-ppp/config_ip_pool.j2
+++ b/data/templates/accel-ppp/config_ip_pool.j2
@@ -1,24 +1,32 @@
-{% if client_ip_pool is vyos_defined %}
+{% if ordered_named_pools is vyos_defined %}
 [ip-pool]
 {%     if gateway_address is vyos_defined %}
+{%         if server_type == 'ipoe' %}
+{%             for gw in gateway_address %}
+{%                 set host_address, _ = gw.split('/') %}
+gw-ip-address={{ host_address }}
+{%             endfor %}
+{%         else %}
 gw-ip-address={{ gateway_address }}
+{%         endif %}
 {%     endif %}
-{%     if client_ip_pool.start is vyos_defined and client_ip_pool.stop is vyos_defined %}
-{{ client_ip_pool.start }}-{{ client_ip_pool.stop.split('.')[3] }}
-{%     endif %}
-{%     if client_ip_pool.subnet is vyos_defined %}
-{%         for subnet in client_ip_pool.subnet %}
-{{ subnet }}
-{%         endfor %}
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-{{ pool_config.subnet }},name={{ pool }}
-{%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}
+{%     for pool in ordered_named_pools %}
+{%         for pool_name, pool_config in pool.items() %}
+{%             if pool_config.range is vyos_defined %}
+{%                 for range in pool_config.range %}
+{%                     set iprange_str = range %}
+{%                     set iprange_list = range.split('-') %}
+{%                     if iprange_list | length == 2 %}
+{%                         set last_ip_oct = iprange_list[1].split('.') %}
+{%                         set iprange_str = iprange_list[0] + '-' + last_ip_oct[last_ip_oct | length - 1] %}
+{%                     endif %}
+{%                     if loop.last and pool_config.next_pool is vyos_defined %}
+{{ iprange_str }},name={{ pool_name }},next={{ pool_config.next_pool }}
+{%                     else %}
+{{ iprange_str }},name={{ pool_name }}
+{%                     endif %}
+{%                 endfor %}
 {%             endif %}
 {%         endfor %}
-{%     endif %}
+{%     endfor %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/config_ipv6_pool.j2 b/data/templates/accel-ppp/config_ipv6_pool.j2
index a1562a1eb..86efdc1e1 100644
--- a/data/templates/accel-ppp/config_ipv6_pool.j2
+++ b/data/templates/accel-ppp/config_ipv6_pool.j2
@@ -3,20 +3,19 @@
 AdvAutonomousFlag=1
 verbose=1
 
-{%     if client_ipv6_pool.prefix is vyos_defined %}
 [ipv6-pool]
-{%         for prefix, options in client_ipv6_pool.prefix.items() %}
-{{ prefix }},{{ options.mask }}
-{%         endfor %}
-{%         if client_ipv6_pool.delegate is vyos_defined %}
-{%             for prefix, options in client_ipv6_pool.delegate.items() %}
-delegate={{ prefix }},{{ options.delegation_prefix }}
+{%     for pool_name, pool_config in client_ipv6_pool.items() %}
+{%         if pool_config.prefix is vyos_defined %}
+{%             for prefix, options in pool_config.prefix.items() %}
+{{ prefix }},{{ options.mask }},name={{ pool_name }}
 {%             endfor %}
 {%         endif %}
-{%     endif %}
-
-{%     if client_ipv6_pool.delegate is vyos_defined %}
+{%         if pool_config.delegate is vyos_defined %}
+{%             for prefix, options in pool_config.delegate.items() %}
+delegate={{ prefix }},{{ options.delegation_prefix }},name={{ pool_name }}
+{%             endfor %}
+{%         endif %}
+{%     endfor %}
 [ipv6-dhcp]
 verbose=1
-{%     endif %}
 {% endif %}
diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2
index 0cf6a6a92..fcd68f69e 100644
--- a/data/templates/accel-ppp/config_shaper_radius.j2
+++ b/data/templates/accel-ppp/config_shaper_radius.j2
@@ -1,6 +1,7 @@
 {% if authentication.mode is vyos_defined('radius') or shaper is vyos_defined %}
 [shaper]
 verbose=1
+down-limiter=tbf
 {%     if authentication.radius.rate_limit.enable is vyos_defined %}
 attr={{ authentication.radius.rate_limit.attribute }}
 {%         if authentication.radius.rate_limit.vendor is vyos_defined %}
@@ -13,7 +14,6 @@ rate-multiplier={{ authentication.radius.rate_limit.multiplier }}
 {%     if shaper is vyos_defined %}
 {%         if shaper.fwmark is vyos_defined %}
 fwmark={{ shaper.fwmark }}
-down-limiter=htb
 {%         endif %}
 {%     endif %}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/accel-ppp/ipoe.config.j2 b/data/templates/accel-ppp/ipoe.config.j2
index f59428509..8b022eaa5 100644
--- a/data/templates/accel-ppp/ipoe.config.j2
+++ b/data/templates/accel-ppp/ipoe.config.j2
@@ -14,6 +14,11 @@ ippool
 [core]
 thread-count={{ thread_count }}
 
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
+
 [log]
 syslog=accel-ipoe,daemon
 copy=1
@@ -50,38 +55,22 @@ noauth=1
 username=ifname
 password=csid
 {% endif %}
-{% if client_ip_pool.name is vyos_defined %}
-{%     if first_named_pool is vyos_defined %}
-ip-pool={{ first_named_pool }}
-{%     else %}
-{%         for pool, pool_options in client_ip_pool.name.items() %}
-{%             if pool_options.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
-{%     for pool, pool_options in client_ip_pool.name.items() %}
-{%         if pool_options.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
+{% if gateway_address is vyos_defined %}
+{%     for gw_addr in gateway_address %}
+gw-ip-address={{ gw_addr }}
 {%     endfor %}
 {% endif %}
 proxy-arp=1
 
-{% if ordered_named_pools is vyos_defined %}
-[ip-pool]
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-{%             set next_named_pool = ',next=' ~ pool_options.next_pool if pool_options.next_pool is vyos_defined else '' %}
-{{ pool_options.subnet }},name={{ pool }}{{ next_named_pool }}
-{%         endfor %}
-{%     endfor %}
-{%     for p in ordered_named_pools %}
-{%         for pool, pool_options in p.items() %}
-gw-ip-address={{ pool_options.gateway_address }}/{{ pool_options.subnet.split('/')[1] }}
-{%         endfor %}
-{%     endfor %}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
 {# Common IPv6 pool definitions #}
 {% include 'accel-ppp/config_ipv6_pool.j2' %}
diff --git a/data/templates/accel-ppp/l2tp.config.j2 b/data/templates/accel-ppp/l2tp.config.j2
index a2f9c9fc7..203a9772e 100644
--- a/data/templates/accel-ppp/l2tp.config.j2
+++ b/data/templates/accel-ppp/l2tp.config.j2
@@ -2,46 +2,34 @@
 [modules]
 log_syslog
 l2tp
-chap-secrets
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
-
-{% if auth_mode == 'radius' %}
-radius
-{% endif %}
-
-ippool
 shaper
-ipv6pool
-ipv6_nd
-ipv6_dhcp
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
+ippool
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
+{# Common authentication protocols (pap, chap ...) #}
+{% include 'accel-ppp/config_modules_auth_protocols.j2' %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-l2tp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if dnsv6 %}
-[ipv6-dns]
-{%     for dns in dnsv6 %}
-{{ dns }}
-{%     endfor %}
-{% endif %}
-
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
@@ -50,118 +38,42 @@ wins{{ loop.index }}={{ server }}
 verbose=1
 ifname=l2tp%d
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
-{% if outside_addr %}
-bind={{ outside_addr }}
+mppe={{ ppp_options.mppe }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
+{% endif %}
+{% if lns.shared_secret is vyos_defined %}
+secret={{ lns.shared_secret }}
 {% endif %}
-{% if lns_shared_secret %}
-secret={{ lns_shared_secret }}
+{% if lns.host_name is vyos_defined %}
+host-name={{ lns.host_name }}
 {% endif %}
-{% if lns_host_name %}
-host-name={{ lns_host_name }}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
 {% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-{% if client_ip_pool or client_ip_subnets %}
-[ip-pool]
-{%     if client_ip_pool %}
-{{ client_ip_pool }}
-{%     endif %}
-{%     if client_ip_subnets %}
-{%         for sn in client_ip_subnets %}
-{{ sn }}
-{%         endfor %}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
-{%     if radius_dynamic_author.server is vyos_defined %}
-dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }}
-{%     endif %}
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{% if gateway_address %}
-gw-ip-address={{ gateway_address }}
-{% endif %}
-
-[ppp]
-verbose=1
-check-ip=1
-single-session=replace
-lcp-echo-timeout={{ ppp_echo_timeout }}
-lcp-echo-interval={{ ppp_echo_interval }}
-lcp-echo-failure={{ ppp_echo_failure }}
-{% if ccp_disable %}
-ccp=0
-{% endif %}
-{% if ppp_ipv6 is vyos_defined %}
-ipv6={{ ppp_ipv6 }}
-{% else %}
-{{ 'ipv6=allow' if client_ipv6_pool_configured else '' }}
-{% endif %}
-{% if ppp_ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_ipv6_intf_id }}
-{% endif %}
-{% if ppp_ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_ipv6_peer_intf_id }}
-{% endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_ipv6_accept_peer_intf_id else "0" }}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{% if client_ipv6_pool %}
-[ipv6-pool]
-{%     for p in client_ipv6_pool %}
-{{ p.prefix }},{{ p.mask }}
-{%     endfor %}
-{%     for p in client_ipv6_delegate_prefix %}
-delegate={{ p.prefix }},{{ p.mask }}
-{%     endfor %}
-{% endif %}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
-{% if client_ipv6_delegate_prefix %}
-[ipv6-dhcp]
-verbose=1
-{% endif %}
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
 
-{% if radius_shaper_attr %}
-[shaper]
-verbose=1
-attr={{ radius_shaper_attr }}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2004
-sessions-columns=ifname,username,calling-sid,ip,{{ ip6_column | join(',') }}{{ ',' if ip6_column }}rate-limit,type,comp,state,rx-bytes,tx-bytes,uptime
 
diff --git a/data/templates/accel-ppp/ppp-options.j2 b/data/templates/accel-ppp/ppp-options.j2
new file mode 100644
index 000000000..f2d2519d9
--- /dev/null
+++ b/data/templates/accel-ppp/ppp-options.j2
@@ -0,0 +1,39 @@
+#ppp options
+[ppp]
+verbose=1
+check-ip=1
+ccp={{ "0" if ppp_options.disable_ccp is vyos_defined else "1" }}
+unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
+{% if ppp_options.min_mtu is vyos_defined %}
+min-mtu={{ ppp_options.min_mtu }}
+{% endif %}
+{% if ppp_options.mru is vyos_defined %}
+mru={{ ppp_options.mru }}
+{% endif %}
+mppe={{ ppp_options.mppe }}
+lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
+lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
+lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{% if ppp_options.ipv4 is vyos_defined %}
+ipv4={{ ppp_options.ipv4 }}
+{% endif %}
+{# IPv6 #}
+{% if ppp_options.ipv6 is vyos_defined %}
+ipv6={{ ppp_options.ipv6 }}
+{%     if ppp_options.ipv6_interface_id is vyos_defined %}
+ipv6-intf-id={{ ppp_options.ipv6_interface_id }}
+{%     endif %}
+{%     if ppp_options.ipv6_peer_interface_id is vyos_defined %}
+{%         if ppp_options.ipv6_peer_interface_id == 'ipv4-addr' %}
+ipv6-peer-intf-id=ipv4
+{%         else %}
+ipv6-peer-intf-id={{ ppp_options.ipv6_peer_interface_id }}
+{%         endif %}
+{%     endif %}
+ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_interface_id is vyos_defined else "0" }}
+{% endif %}
+{# MTU #}
+mtu={{ mtu }}
+{% if ppp_options.interface_cache is vyos_defined %}
+unit-cache={{ ppp_options.interface_cache }}
+{% endif %}
diff --git a/data/templates/accel-ppp/pppoe.config.j2 b/data/templates/accel-ppp/pppoe.config.j2
index dd53edd28..bf7b2eb72 100644
--- a/data/templates/accel-ppp/pppoe.config.j2
+++ b/data/templates/accel-ppp/pppoe.config.j2
@@ -62,50 +62,20 @@ wins{{ loop.index }}={{ server }}
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 [common]
+{% if session_control is vyos_defined and session_control is not vyos_defined('disable') %}
 single-session={{ session_control }}
 {% endif %}
-
-[ppp]
-verbose=1
-check-ip=1
-ccp={{ "1" if ppp_options.ccp is vyos_defined else "0" }}
-unit-preallocate={{ "1" if authentication.radius.preallocate_vif is vyos_defined else "0" }}
-{% if ppp_options.min_mtu is vyos_defined %}
-min-mtu={{ ppp_options.min_mtu }}
-{% endif %}
-{% if ppp_options.mru is vyos_defined %}
-mru={{ ppp_options.mru }}
-{% endif %}
-mppe={{ ppp_options.mppe }}
-lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
-lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
-lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
-{% if ppp_options.ipv4 is vyos_defined %}
-ipv4={{ ppp_options.ipv4 }}
-{% endif %}
-{# IPv6 #}
-{% if ppp_options.ipv6 is vyos_defined %}
-ipv6={{ ppp_options.ipv6 }}
-{%     if ppp_options.ipv6_intf_id is vyos_defined %}
-ipv6-intf-id={{ ppp_options.ipv6_intf_id }}
-{%     endif %}
-{%     if ppp_options.ipv6_peer_intf_id is vyos_defined %}
-ipv6-peer-intf-id={{ ppp_options.ipv6_peer_intf_id }}
-{%     endif %}
-ipv6-accept-peer-intf-id={{ "1" if ppp_options.ipv6_accept_peer_intf_id is vyos_defined else "0" }}
-{% endif %}
-{# MTU #}
-mtu={{ mtu }}
-{% if ppp_options.interface_cache is vyos_defined %}
-unit-cache={{ ppp_options.interface_cache }}
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
 {% endif %}
 
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
+
 [pppoe]
 verbose=1
 ac-name={{ access_concentrator }}
-
 {% if interface is vyos_defined %}
 {%     for iface, iface_config in interface.items() %}
 {%         if iface_config.vlan is not vyos_defined %}
@@ -118,11 +88,9 @@ vlan-mon={{ iface }},{{ iface_config.vlan | join(',') }}
 {%         endif %}
 {%     endfor %}
 {% endif %}
-
 {% if service_name %}
 service-name={{ service_name | join(',') }}
 {% endif %}
-
 {% if pado_delay %}
 {%     set pado_delay_param = namespace(value='0') %}
 {%     for delay in pado_delay | sort(attribute='0') %}
@@ -137,21 +105,15 @@ pado-delay={{ pado_delay_param.value }}
 {% if authentication.radius.called_sid_format is vyos_defined %}
 called-sid={{ authentication.radius.called_sid_format }}
 {% endif %}
-
-{% if authentication.mode is vyos_defined("local") or authentication.mode is vyos_defined("noauth") %}
-{%     if authentication.mode is vyos_defined("noauth") %}
+{% if authentication.mode is vyos_defined("noauth") %}
 noauth=1
-{%     endif %}
-{%     if client_ip_pool.name is vyos_defined %}
-{%         for pool, pool_config in client_ip_pool.name.items() %}
-{%             if pool_config.subnet is vyos_defined %}
-ip-pool={{ pool }}
-{%             endif %}
-{%             if pool_config.gateway_address is vyos_defined %}
-gw-ip-address={{ pool_config.gateway_address }}/{{ pool_config.subnet.split('/')[1] }}
-{%             endif %}
-{%         endfor %}
-{%     endif %}
+{% endif %}
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
 {% endif %}
 
 {% if limits is vyos_defined %}
diff --git a/data/templates/accel-ppp/pptp.config.j2 b/data/templates/accel-ppp/pptp.config.j2
index 0082e55bf..7fe4b17bf 100644
--- a/data/templates/accel-ppp/pptp.config.j2
+++ b/data/templates/accel-ppp/pptp.config.j2
@@ -3,112 +3,80 @@
 log_syslog
 pptp
 shaper
-{% if auth_mode == 'local' %}
-chap-secrets
-{% elif auth_mode == 'radius' %}
-radius
-{% endif %}
+{# Common authentication backend definitions #}
+{% include 'accel-ppp/config_modules_auth_mode.j2' %}
 ippool
-{% for proto in auth_proto %}
-{{ proto }}
-{% endfor %}
+{# Common IPv6 definitions #}
+{% include 'accel-ppp/config_modules_ipv6.j2' %}
+{# Common authentication protocols (pap, chap ...) #}
+{% if authentication.require is vyos_defined %}
+{%     if authentication.require == 'chap' %}
+auth_chap_md5
+{%     elif authentication.require == 'mschap' %}
+auth_mschap_v1
+{%     else %}
+auth_{{ authentication.require.replace('-', '_') }}
+{%     endif %}
+{% endif %}
 
 [core]
-thread-count={{ thread_cnt }}
+thread-count={{ thread_count }}
+
+[common]
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-pptp,daemon
 copy=1
 level=5
 
-{% if dnsv4 %}
-[dns]
-{%     for dns in dnsv4 %}
-dns{{ loop.index }}={{ dns }}
-{%     endfor %}
-{% endif %}
+{# Common DNS name-server definition #}
+{% include 'accel-ppp/config_name_server.j2' %}
 
-{% if wins %}
+{% if wins_server is vyos_defined %}
 [wins]
-{%     for server in wins %}
+{%     for server in wins_server %}
 wins{{ loop.index }}={{ server }}
 {%     endfor %}
 {% endif %}
 
-
 [pptp]
 ifname=pptp%d
-{% if outside_addr %}
-bind={{ outside_addr }}
+{% if outside_address is vyos_defined %}
+bind={{ outside_address }}
 {% endif %}
 verbose=1
 ppp-max-mtu={{ mtu }}
-mppe={{ ppp_mppe }}
+mppe={{ authentication.mppe }}
 echo-interval=10
 echo-failure=3
-
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
 
 [client-ip-range]
 0.0.0.0/0
 
-[ip-pool]
-tunnel={{ client_ip_pool }}
-gw-ip-address={{ gw_ip }}
+{# Common IP pool definitions #}
+{% include 'accel-ppp/config_ip_pool.j2' %}
 
-[ppp]
-verbose=5
-check-ip=1
-single-session=replace
+{# Common IPv6 pool definitions #}
+{% include 'accel-ppp/config_ipv6_pool.j2' %}
 
-{% if auth_mode == 'local' %}
-[chap-secrets]
-chap-secrets={{ chap_secrets_file }}
-{% elif auth_mode == 'radius' %}
-[radius]
-verbose=1
-{%     for r in radius_server %}
-server={{ r.server }},{{ r.key }},auth-port={{ r.port }},acct-port={{ r.acct_port }},req-limit=0,fail-time={{ r.fail_time }}
-{%     endfor %}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
-{%     if radius_acct_interim_interval is vyos_defined %}
-acct-interim-interval={{ radius_acct_interim_interval }}
-{%     endif %}
-{%     if radius_acct_inter_jitter %}
-acct-interim-jitter={{ radius_acct_inter_jitter }}
-{%     endif %}
-
-acct-timeout={{ radius_acct_tmo }}
-timeout={{ radius_timeout }}
-max-try={{ radius_max_try }}
+{# Common chap-secrets and RADIUS server/option definitions #}
+{% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-{%     if radius_nas_id %}
-nas-identifier={{ radius_nas_id }}
-{%     endif %}
-{%     if radius_nas_ip %}
-nas-ip-address={{ radius_nas_ip }}
-{%     endif %}
-{%     if radius_source_address %}
-bind={{ radius_source_address }}
-{%     endif %}
-{% endif %}
-{# Both chap-secrets and radius block required the gw-ip-address #}
-{% if gw_ip is defined and gw_ip is not none %}
-gw-ip-address={{ gw_ip }}
-{% endif %}
-
-{% if radius_shaper_enable %}
-[shaper]
-verbose=1
-{%     if radius_shaper_attr %}
-attr={{ radius_shaper_attr }}
-{%     endif %}
-{%     if radius_shaper_multiplier %}
-rate-multiplier={{ radius_shaper_multiplier }}
-{%     endif %}
-{%     if radius_shaper_vendor %}
-vendor={{ radius_shaper_vendor }}
-{%     endif %}
-{% endif %}
+{# Common RADIUS shaper configuration #}
+{% include 'accel-ppp/config_shaper_radius.j2' %}
 
 [cli]
 tcp=127.0.0.1:2003
diff --git a/data/templates/accel-ppp/sstp.config.j2 b/data/templates/accel-ppp/sstp.config.j2
index 7ee28dd21..c0bc62d9f 100644
--- a/data/templates/accel-ppp/sstp.config.j2
+++ b/data/templates/accel-ppp/sstp.config.j2
@@ -16,6 +16,9 @@ thread-count={{ thread_count }}
 
 [common]
 single-session=replace
+{% if max_concurrent_sessions is vyos_defined %}
+max-starting={{ max_concurrent_sessions }}
+{% endif %}
 
 [log]
 syslog=accel-sstp,daemon
@@ -33,6 +36,13 @@ accept=ssl
 ssl-ca-file=/run/accel-pppd/sstp-ca.pem
 ssl-pemfile=/run/accel-pppd/sstp-cert.pem
 ssl-keyfile=/run/accel-pppd/sstp-cert.key
+{% if default_pool is vyos_defined %}
+ip-pool={{ default_pool }}
+{% endif %}
+{% if default_ipv6_pool is vyos_defined %}
+ipv6-pool={{ default_ipv6_pool }}
+ipv6-pool-delegate={{ default_ipv6_pool }}
+{% endif %}
 
 {# Common IP pool definitions #}
 {% include 'accel-ppp/config_ip_pool.j2' %}
@@ -46,18 +56,8 @@ ssl-keyfile=/run/accel-pppd/sstp-cert.key
 {# Common chap-secrets and RADIUS server/option definitions #}
 {% include 'accel-ppp/config_chap_secrets_radius.j2' %}
 
-[ppp]
-verbose=1
-check-ip=1
-{# MTU #}
-mtu={{ mtu }}
-ipv6={{ 'allow' if ppp_options.ipv6 is vyos_defined("deny") and client_ipv6_pool is vyos_defined else ppp_options.ipv6 }}
-ipv4={{ ppp_options.ipv4 }}
-
-mppe={{ ppp_options.mppe }}
-lcp-echo-interval={{ ppp_options.lcp_echo_interval }}
-lcp-echo-timeout={{ ppp_options.lcp_echo_timeout }}
-lcp-echo-failure={{ ppp_options.lcp_echo_failure }}
+{# Common ppp-options definitions #}
+{% include 'accel-ppp/ppp-options.j2' %}
 
 {# Common RADIUS shaper configuration #}
 {% include 'accel-ppp/config_shaper_radius.j2' %}
diff --git a/data/templates/bcast-relay/udp-broadcast-relay.j2 b/data/templates/bcast-relay/udp-broadcast-relay.j2
index 75740e04c..3f5b5bbe3 100644
--- a/data/templates/bcast-relay/udp-broadcast-relay.j2
+++ b/data/templates/bcast-relay/udp-broadcast-relay.j2
@@ -1,4 +1,4 @@
-### Autogenerated by bcast_relay.py ###
+### Autogenerated by service_broadcast-relay.py ###
 
 # UDP broadcast relay configuration for instance {{ id }}
 {{ '# ' ~ description if description is vyos_defined }}
diff --git a/data/templates/chrony/chrony.conf.j2 b/data/templates/chrony/chrony.conf.j2
index 0daec8fb8..e3f078fdc 100644
--- a/data/templates/chrony/chrony.conf.j2
+++ b/data/templates/chrony/chrony.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ntp.py ###
+### Autogenerated by service_ntp.py ###
 
 # This would step the system clock if the adjustment is larger than 0.1 seconds,
 # but only in the first three clock updates.
@@ -21,7 +21,17 @@ ntsdumpdir /run/chrony
 pidfile {{ config_file | replace('.conf', '.pid') }}
 
 # Determine when will the next leap second occur and what is the current offset
+{% if leap_second is vyos_defined('timezone') %}
 leapsectz right/UTC
+{% elif leap_second is vyos_defined('ignore') %}
+leapsecmode ignore
+{% elif leap_second is vyos_defined('smear') %}
+leapsecmode slew
+maxslewrate 1000
+smoothtime 400 0.001024 leaponly
+{% elif leap_second is vyos_defined('system') %}
+leapsecmode system
+{% endif %}
 
 user {{ user }}
 
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 1e0fc8065..762a6f693 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -11,20 +11,33 @@ table ip vyos_conntrack {
 {% if ignore.ipv4.rule is vyos_defined %}
 {%     for rule, rule_config in ignore.ipv4.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-       {{ rule_config | conntrack_ignore_rule(rule, ipv6=False) }}
+        {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=False) }}
 {%     endfor %}
 {% endif %}
-        return
+         return
     }
     chain VYOS_CT_TIMEOUT {
-{% if timeout.custom.rule is vyos_defined %}
-{%     for rule, rule_config in timeout.custom.rule.items() %}
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{%     for rule, rule_config in timeout.custom.ipv4.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+        {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=False) }}
 {%     endfor %}
 {% endif %}
         return
     }
 
+{% if timeout.custom.ipv4.rule is vyos_defined %}
+{%     for rule, rule_config in timeout.custom.ipv4.rule.items() %}
+    ct timeout ct-timeout-{{ rule }} {
+        l3proto ip;
+{%         for protocol, protocol_config in rule_config.protocol.items() %}
+        protocol {{ protocol }};
+        policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{%         endfor %}
+    }
+{%     endfor %}
+{% endif %}
+
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
 {% if ipv4_firewall_action == 'accept' or ipv4_nat_action == 'accept' %}
@@ -80,20 +93,33 @@ table ip6 vyos_conntrack {
 {% if ignore.ipv6.rule is vyos_defined %}
 {%     for rule, rule_config in ignore.ipv6.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
-       {{ rule_config | conntrack_ignore_rule(rule, ipv6=True) }}
+       {{ rule_config | conntrack_rule(rule, 'ignore', ipv6=True) }}
 {%     endfor %}
 {% endif %}
         return
     }
     chain VYOS_CT_TIMEOUT {
-{% if timeout.custom.rule is vyos_defined %}
-{%     for rule, rule_config in timeout.custom.rule.items() %}
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{%     for rule, rule_config in timeout.custom.ipv6.rule.items() %}
         # rule-{{ rule }} {{ '- ' ~ rule_config.description if rule_config.description is vyos_defined }}
+        {{ rule_config | conntrack_rule(rule, 'timeout', ipv6=True) }}
 {%     endfor %}
 {% endif %}
         return
     }
 
+{% if timeout.custom.ipv6.rule is vyos_defined %}
+{%     for rule, rule_config in timeout.custom.ipv6.rule.items() %}
+    ct timeout ct-timeout-{{ rule }} {
+        l3proto ip;
+{%         for protocol, protocol_config in rule_config.protocol.items() %}
+        protocol {{ protocol }};
+        policy = { {{ protocol_config | conntrack_ct_policy() }} }
+{%         endfor %}
+    }
+{%     endfor %}
+{% endif %}
+
     chain PREROUTING {
         type filter hook prerouting priority -300; policy accept;
 {% if ipv6_firewall_action == 'accept' or ipv6_nat_action == 'accept' %}
diff --git a/data/templates/conntrack/sysctl.conf.j2 b/data/templates/conntrack/sysctl.conf.j2
index 3d6fc43f2..986f75c61 100644
--- a/data/templates/conntrack/sysctl.conf.j2
+++ b/data/templates/conntrack/sysctl.conf.j2
@@ -1,4 +1,4 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 {# all values have defaults - thus no checking required #}
 
 net.netfilter.nf_conntrack_expect_max = {{ expect_table_size }}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 197155d96..1b12fec5f 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,2 +1,2 @@
-# Autogenerated by conntrack.py
+# Autogenerated by system_conntrack.py
 options nf_conntrack hashsize={{ hash_size }}
diff --git a/data/templates/conntrackd/conntrackd.conf.j2 b/data/templates/conntrackd/conntrackd.conf.j2
index 808a77759..8f56c8171 100644
--- a/data/templates/conntrackd/conntrackd.conf.j2
+++ b/data/templates/conntrackd/conntrackd.conf.j2
@@ -1,4 +1,4 @@
-# autogenerated by conntrack_sync.py
+### autogenerated by service_conntrack-sync.py ###
 
 # Synchronizer settings
 Sync {
@@ -111,4 +111,3 @@ General {
     }
 {% endif %}
 }
-
diff --git a/data/templates/container/containers.conf.j2 b/data/templates/container/containers.conf.j2
index c635ca213..c8b54dfbb 100644
--- a/data/templates/container/containers.conf.j2
+++ b/data/templates/container/containers.conf.j2
@@ -1,709 +1,709 @@
-### Autogenerated by container.py ###

-

-# The containers configuration file specifies all of the available configuration

-# command-line options/flags for container engine tools like Podman & Buildah,

-# but in a TOML format that can be easily modified and versioned.

-

-# Please refer to containers.conf(5) for details of all configuration options.

-# Not all container engines implement all of the options.

-# All of the options have hard coded defaults and these options will override

-# the built in defaults. Users can then override these options via the command

-# line. Container engines will read containers.conf files in up to three

-# locations in the following order:

-#  1. /usr/share/containers/containers.conf

-#  2. /etc/containers/containers.conf

-#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)

-#  Items specified in the latter containers.conf, if they exist, override the

-# previous containers.conf settings, or the default settings.

-

-[containers]

-

-# List of annotation. Specified as

-# "key = value"

-# If it is empty or commented out, no annotations will be added

-#

-#annotations = []

-

-# Used to change the name of the default AppArmor profile of container engine.

-#

-#apparmor_profile = "container-default"

-

-# The hosts entries from the base hosts file are added to the containers hosts

-# file. This must be either an absolute path or as special values "image" which

-# uses the hosts file from the container image or "none" which means

-# no base hosts file is used. The default is "" which will use /etc/hosts.

-#

-#base_hosts_file = ""

-

-# Default way to to create a cgroup namespace for the container

-# Options are:

-# `private` Create private Cgroup Namespace for the container.

-# `host`    Share host Cgroup Namespace with the container.

-#

-#cgroupns = "private"

-

-# Control container cgroup configuration

-# Determines  whether  the  container will create CGroups.

-# Options are:

-# `enabled`   Enable cgroup support within container

-# `disabled`  Disable cgroup support, will inherit cgroups from parent

-# `no-conmon` Do not create a cgroup dedicated to conmon.

-#

-#cgroups = "enabled"

-

-# List of default capabilities for containers. If it is empty or commented out,

-# the default capabilities defined in the container engine will be added.

-#

-default_capabilities = [

-  "CHOWN",

-  "DAC_OVERRIDE",

-  "FOWNER",

-  "FSETID",

-  "KILL",

-  "NET_BIND_SERVICE",

-  "SETFCAP",

-  "SETGID",

-  "SETPCAP",

-  "SETUID",

-  "SYS_CHROOT"

-]

-

-# A list of sysctls to be set in containers by default,

-# specified as "name=value",

-# for example:"net.ipv4.ping_group_range=0 0".

-#

-default_sysctls = [

-  "net.ipv4.ping_group_range=0 0",

-]

-

-# A list of ulimits to be set in containers by default, specified as

-# "<ulimit name>=<soft limit>:<hard limit>", for example:

-# "nofile=1024:2048"

-# See setrlimit(2) for a list of resource names.

-# Any limit not specified here will be inherited from the process launching the

-# container engine.

-# Ulimits has limits for non privileged container engines.

-#

-#default_ulimits = [

-#  "nofile=1280:2560",

-#]

-

-# List of devices. Specified as

-# "<device-on-host>:<device-on-container>:<permissions>", for example:

-# "/dev/sdc:/dev/xvdc:rwm".

-# If it is empty or commented out, only the default devices will be used

-#

-#devices = []

-

-# List of default DNS options to be added to /etc/resolv.conf inside of the container.

-#

-#dns_options = []

-

-# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.

-#

-#dns_searches = []

-

-# Set default DNS servers.

-# This option can be used to override the DNS configuration passed to the

-# container. The special value "none" can be specified to disable creation of

-# /etc/resolv.conf in the container.

-# The /etc/resolv.conf file in the image will be used without changes.

-#

-#dns_servers = []

-

-# Environment variable list for the conmon process; used for passing necessary

-# environment variables to conmon or the runtime.

-#

-#env = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-#  "TERM=xterm",

-#]

-

-# Pass all host environment variables into the container.

-#

-#env_host = false

-

-# Set the ip for the host.containers.internal entry in the containers /etc/hosts

-# file. This can be set to "none" to disable adding this entry. By default it

-# will automatically choose the host ip.

-#

-# NOTE: When using podman machine this entry will never be added to the containers

-# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore

-# it is not possible to disable the entry in this case.

-#

-#host_containers_internal_ip = ""

-

-# Default proxy environment variables passed into the container.

-# The environment variables passed in include:

-# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of

-# these. This option is needed when host system uses a proxy but container

-# should not use proxy. Proxy environment variables specified for the container

-# in any other way will override the values passed from the host.

-#

-#http_proxy = true

-

-# Run an init inside the container that forwards signals and reaps processes.

-#

-#init = false

-

-# Container init binary, if init=true, this is the init binary to be used for containers.

-#

-#init_path = "/usr/libexec/podman/catatonit"

-

-# Default way to to create an IPC namespace (POSIX SysV IPC) for the container

-# Options are:

-#  "host"     Share host IPC Namespace with the container.

-#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.

-#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.

-#  "shareable" Create shareable IPC Namespace for the container.

-#

-#ipcns = "shareable"

-

-# keyring tells the container engine whether to create

-# a kernel keyring for use within the container.

-#

-#keyring = true

-

-# label tells the container engine whether to use container separation using

-# MAC(SELinux) labeling or not.

-# The label flag is ignored on label disabled systems.

-#

-#label = true

-

-# Logging driver for the container. Available options: k8s-file and journald.

-#

-#log_driver = "k8s-file"

-

-# Maximum size allowed for the container log file. Negative numbers indicate

-# that no size limit is imposed. If positive, it must be >= 8192 to match or

-# exceed conmon's read buffer. The file is truncated and re-opened so the

-# limit is never exceeded.

-#

-#log_size_max = -1

-

-# Specifies default format tag for container log messages.

-# This is useful for creating a specific tag for container log messages.

-# Containers logs default to truncated container ID as a tag.

-#

-#log_tag = ""

-

-# Default way to to create a Network namespace for the container

-# Options are:

-# `private` Create private Network Namespace for the container.

-# `host`    Share host Network Namespace with the container.

-# `none`    Containers do not use the network

-#

-#netns = "private"

-

-# Create /etc/hosts for the container.  By default, container engine manage

-# /etc/hosts, automatically adding  the container's  own  IP  address.

-#

-#no_hosts = false

-

-# Default way to to create a PID namespace for the container

-# Options are:

-# `private` Create private PID Namespace for the container.

-# `host`    Share host PID Namespace with the container.

-#

-#pidns = "private"

-

-# Maximum number of processes allowed in a container.

-#

-#pids_limit = 2048

-

-# Copy the content from the underlying image into the newly created volume

-# when the container is created instead of when it is started. If false,

-# the container engine will not copy the content until the container is started.

-# Setting it to true may have negative performance implications.

-#

-#prepare_volume_on_create = false

-

-# Path to the seccomp.json profile which is used as the default seccomp profile

-# for the runtime.

-#

-#seccomp_profile = "/usr/share/containers/seccomp.json"

-

-# Size of /dev/shm. Specified as <number><unit>.

-# Unit is optional, values:

-# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# If the unit is omitted, the system uses bytes.

-#

-#shm_size = "65536k"

-

-# Set timezone in container. Takes IANA timezones as well as "local",

-# which sets the timezone in the container to match the host machine.

-#

-#tz = ""

-

-# Set umask inside the container

-#

-#umask = "0022"

-

-# Default way to to create a User namespace for the container

-# Options are:

-# `auto`        Create unique User Namespace for the container.

-# `host`    Share host User Namespace with the container.

-#

-#userns = "host"

-

-# Number of UIDs to allocate for the automatic container creation.

-# UIDs are allocated from the "container" UIDs listed in

-# /etc/subuid & /etc/subgid

-#

-#userns_size = 65536

-

-# Default way to to create a UTS namespace for the container

-# Options are:

-# `private`        Create private UTS Namespace for the container.

-# `host`    Share host UTS Namespace with the container.

-#

-#utsns = "private"

-

-# List of volumes. Specified as

-# "<directory-on-host>:<directory-in-container>:<options>", for example:

-# "/db:/var/lib/db:ro".

-# If it is empty or commented out, no volumes will be added

-#

-#volumes = []

-

-[secrets]

-#driver = "file"

-

-[secrets.opts]

-#root = "/example/directory"

-

-[network]

-

-# Network backend determines what network driver will be used to set up and tear down container networks.

-# Valid values are "cni" and "netavark".

-# The default value is empty which means that it will automatically choose CNI or netavark. If there are

-# already containers/images or CNI networks preset it will choose CNI.

-#

-# Before changing this value all containers must be stopped otherwise it is likely that

-# iptables rules and network interfaces might leak on the host. A reboot will fix this.

-#

-network_backend = "netavark"

-

-# Path to directory where CNI plugin binaries are located.

-#

-#cni_plugin_dirs = [

-#  "/usr/local/libexec/cni",

-#  "/usr/libexec/cni",

-#  "/usr/local/lib/cni",

-#  "/usr/lib/cni",

-#  "/opt/cni/bin",

-#]

-

-# The network name of the default network to attach pods to.

-#

-#default_network = "podman"

-

-# The default subnet for the default network given in default_network.

-# If a network with that name does not exist, a new network using that name and

-# this subnet will be created.

-# Must be a valid IPv4 CIDR prefix.

-#

-#default_subnet = "10.88.0.0/16"

-

-# DefaultSubnetPools is a list of subnets and size which are used to

-# allocate subnets automatically for podman network create.

-# It will iterate through the list and will pick the first free subnet

-# with the given size. This is only used for ipv4 subnets, ipv6 subnets

-# are always assigned randomly.

-#

-#default_subnet_pools = [

-#  {"base" = "10.89.0.0/16", "size" = 24},

-#  {"base" = "10.90.0.0/15", "size" = 24},

-#  {"base" = "10.92.0.0/14", "size" = 24},

-#  {"base" = "10.96.0.0/11", "size" = 24},

-#  {"base" = "10.128.0.0/9", "size" = 24},

-#]

-

-# Path to the directory where network configuration files are located.

-# For the CNI backend the default is "/etc/cni/net.d" as root

-# and "$HOME/.config/cni/net.d" as rootless.

-# For the netavark backend "/etc/containers/networks" is used as root

-# and "$graphroot/networks" as rootless.

-#

-#network_config_dir = "/etc/cni/net.d/"

-

-# Port to use for dns forwarding daemon with netavark in rootful bridge

-# mode and dns enabled.

-# Using an alternate port might be useful if other dns services should

-# run on the machine.

-#

-#dns_bind_port = 53

-

-[engine]

-# Index to the active service

-#

-#active_service = production

-

-# The compression format to use when pushing an image.

-# Valid options are: `gzip`, `zstd` and `zstd:chunked`.

-#

-#compression_format = "gzip"

-

-

-# Cgroup management implementation used for the runtime.

-# Valid options "systemd" or "cgroupfs"

-#

-#cgroup_manager = "systemd"

-

-# Environment variables to pass into conmon

-#

-#conmon_env_vars = [

-#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

-#]

-

-# Paths to look for the conmon container manager binary

-#

-#conmon_path = [

-#  "/usr/libexec/podman/conmon",

-#  "/usr/local/libexec/podman/conmon",

-#  "/usr/local/lib/podman/conmon",

-#  "/usr/bin/conmon",

-#  "/usr/sbin/conmon",

-#  "/usr/local/bin/conmon",

-#  "/usr/local/sbin/conmon"

-#]

-

-# Enforces using docker.io for completing short names in Podman's compatibility

-# REST API. Note that this will ignore unqualified-search-registries and

-# short-name aliases defined in containers-registries.conf(5).

-#compat_api_enforce_docker_hub = true

-

-# Specify the keys sequence used to detach a container.

-# Format is a single character [a-Z] or a comma separated sequence of

-# `ctrl-<value>`, where `<value>` is one of:

-# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`

-#

-#detach_keys = "ctrl-p,ctrl-q"

-

-# Determines whether engine will reserve ports on the host when they are

-# forwarded to containers. When enabled, when ports are forwarded to containers,

-# ports are held open by as long as the container is running, ensuring that

-# they cannot be reused by other programs on the host. However, this can cause

-# significant memory usage if a container has many ports forwarded to it.

-# Disabling this can save memory.

-#

-#enable_port_reservation = true

-

-# Environment variables to be used when running the container engine (e.g., Podman, Buildah).

-# For example "http_proxy=internal.proxy.company.com".

-# Note these environment variables will not be used within the container.

-# Set the env section under [containers] table, if you want to set environment variables for the container.

-#

-#env = []

-

-# Define where event logs will be stored, when events_logger is "file".

-#events_logfile_path=""

-

-# Sets the maximum size for events_logfile_path.

-# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).

-# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.

-# If no unit is included then the size will be read in bytes.

-# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.

-# If the maximum size is set to 0, then no limit will be applied,

-# and the logfile will not be rotated.

-#events_logfile_max_size = "1m"

-

-# Selects which logging mechanism to use for container engine events.

-# Valid values are `journald`, `file` and `none`.

-#

-#events_logger = "journald"

-

-# A is a list of directories which are used to search for helper binaries.

-#

-#helper_binaries_dir = [

-#  "/usr/local/libexec/podman",

-#  "/usr/local/lib/podman",

-#  "/usr/libexec/podman",

-#  "/usr/lib/podman",

-#]

-

-# Path to OCI hooks directories for automatically executed hooks.

-#

-#hooks_dir = [

-#  "/usr/share/containers/oci/hooks.d",

-#]

-

-# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building

-# container images. By default image pulled and pushed match the format of the

-# source image. Building/committing defaults to OCI.

-#

-#image_default_format = ""

-

-# Default transport method for pulling and pushing for images

-#

-#image_default_transport = "docker://"

-

-# Maximum number of image layers to be copied (pulled/pushed) simultaneously.

-# Not setting this field, or setting it to zero, will fall back to containers/image defaults.

-#

-#image_parallel_copies = 0

-

-# Tells container engines how to handle the builtin image volumes.

-#   * bind: An anonymous named volume will be created and mounted

-#     into the container.

-#   * tmpfs: The volume is mounted onto the container as a tmpfs,

-#     which allows users to create content that disappears when

-#     the container is stopped.

-#   * ignore: All volumes are just ignored and no action is taken.

-#

-#image_volume_mode = ""

-

-# Default command to run the infra container

-#

-#infra_command = "/pause"

-

-# Infra (pause) container image name for pod infra containers.  When running a

-# pod, we start a `pause` process in a container to hold open the namespaces

-# associated with the  pod.  This container does nothing other then sleep,

-# reserving the pods resources for the lifetime of the pod. By default container

-# engines run a builtin container using the pause executable. If you want override

-# specify an image to pull.

-#

-#infra_image = ""

-

-# Specify the locking mechanism to use; valid values are "shm" and "file".

-# Change the default only if you are sure of what you are doing, in general

-# "file" is useful only on platforms where cgo is not available for using the

-# faster "shm" lock type. You may need to run "podman system renumber" after

-# you change the lock type.

-#

-#lock_type** = "shm"

-

-# MultiImageArchive - if true, the container engine allows for storing archives

-# (e.g., of the docker-archive transport) with multiple images.  By default,

-# Podman creates single-image archives.

-#

-#multi_image_archive = "false"

-

-# Default engine namespace

-# If engine is joined to a namespace, it will see only containers and pods

-# that were created in the same namespace, and will create new containers and

-# pods in that namespace.

-# The default namespace is "", which corresponds to no namespace. When no

-# namespace is set, all containers and pods are visible.

-#

-#namespace = ""

-

-# Path to the slirp4netns binary

-#

-#network_cmd_path = ""

-

-# Default options to pass to the slirp4netns binary.

-# Valid options values are:

-#

-# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).

-#   Default is false.

-# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).

-# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).

-# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).

-# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).

-# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.

-# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).

-# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.

-# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.

-#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container

-#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,

-#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for

-#   rootless containers when connected to user-defined networks.

-# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but

-#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.

-#

-#network_cmd_options = []

-

-# Whether to use chroot instead of pivot_root in the runtime

-#

-#no_pivot_root = false

-

-# Number of locks available for containers and pods.

-# If this is changed, a lock renumber must be performed (e.g. with the

-# 'podman system renumber' command).

-#

-#num_locks = 2048

-

-# Set the exit policy of the pod when the last container exits.

-#pod_exit_policy = "continue"

-

-# Whether to pull new image before running a container

-#

-#pull_policy = "missing"

-

-# Indicates whether the application should be running in remote mode. This flag modifies the

-# --remote option on container engines. Setting the flag to true will default

-# `podman --remote=true` for access to the remote Podman service.

-#

-#remote = false

-

-# Default OCI runtime

-#

-#runtime = "crun"

-

-# List of the OCI runtimes that support --format=json. When json is supported

-# engine will use it for reporting nicer errors.

-#

-#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]

-

-# List of the OCI runtimes that supports running containers with KVM Separation.

-#

-#runtime_supports_kvm = ["kata", "krun"]

-

-# List of the OCI runtimes that supports running containers without cgroups.

-#

-#runtime_supports_nocgroups = ["crun", "krun"]

-

-# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment

-# variable. If you specify "storage", then the location of the

-# container/storage tmp directory will be used.

-# image_copy_tmp_dir="/var/tmp"

-

-# Number of seconds to wait without a connection

-# before the `podman system service` times out and exits

-#

-#service_timeout = 5

-

-# Directory for persistent engine files (database, etc)

-# By default, this will be configured relative to where the containers/storage

-# stores containers

-# Uncomment to change location from this default

-#

-#static_dir = "/var/lib/containers/storage/libpod"

-

-# Number of seconds to wait for container to exit before sending kill signal.

-#

-#stop_timeout = 10

-

-# Number of seconds to wait before exit command in API process is given to.

-# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).

-#

-#exit_command_delay = 300

-

-# map of service destinations

-#

-#[service_destinations]

-#  [service_destinations.production]

-#     URI to access the Podman service

-#     Examples:

-#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)

-#       rootful "unix://run/podman/podman.sock (Default)

-#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock

-#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock

-#

-#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"

-#    Path to file containing ssh identity key

-#    identity = "~/.ssh/id_rsa"

-

-# Directory for temporary files. Must be tmpfs (wiped after reboot)

-#

-#tmp_dir = "/run/libpod"

-

-# Directory for libpod named volumes.

-# By default, this will be configured relative to where containers/storage

-# stores containers.

-# Uncomment to change location from this default.

-#

-#volume_path = "/var/lib/containers/storage/volumes"

-

-# Default timeout (in seconds) for volume plugin operations.

-# Plugins are external programs accessed via a REST API; this sets a timeout

-# for requests to that API.

-# A value of 0 is treated as no timeout.

-#volume_plugin_timeout = 5

-

-# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)

-[engine.runtimes]

-#crun = [

-#  "/usr/bin/crun",

-#  "/usr/sbin/crun",

-#  "/usr/local/bin/crun",

-#  "/usr/local/sbin/crun",

-#  "/sbin/crun",

-#  "/bin/crun",

-#  "/run/current-system/sw/bin/crun",

-#]

-

-#kata = [

-#  "/usr/bin/kata-runtime",

-#  "/usr/sbin/kata-runtime",

-#  "/usr/local/bin/kata-runtime",

-#  "/usr/local/sbin/kata-runtime",

-#  "/sbin/kata-runtime",

-#  "/bin/kata-runtime",

-#  "/usr/bin/kata-qemu",

-#  "/usr/bin/kata-fc",

-#]

-

-#runc = [

-#  "/usr/bin/runc",

-#  "/usr/sbin/runc",

-#  "/usr/local/bin/runc",

-#  "/usr/local/sbin/runc",

-#  "/sbin/runc",

-#  "/bin/runc",

-#  "/usr/lib/cri-o-runc/sbin/runc",

-#]

-

-#runsc = [

-#  "/usr/bin/runsc",

-#  "/usr/sbin/runsc",

-#  "/usr/local/bin/runsc",

-#  "/usr/local/sbin/runsc",

-#  "/bin/runsc",

-#  "/sbin/runsc",

-#  "/run/current-system/sw/bin/runsc",

-#]

-

-#krun = [

-#  "/usr/bin/krun",

-#  "/usr/local/bin/krun",

-#]

-

-[engine.volume_plugins]

-#testplugin = "/run/podman/plugins/test.sock"

-

-[machine]

-# Number of CPU's a machine is created with.

-#

-#cpus=1

-

-# The size of the disk in GB created when init-ing a podman-machine VM.

-#

-#disk_size=10

-

-# Default image URI when creating a new VM using `podman machine init`.

-# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major

-# version of the OS (e.g `36`) for Fedora 36. For all platforms you can

-# alternatively specify a custom download URL to an image. Container engines

-# translate URIs $OS and $ARCH to the native OS and ARCH. URI

-# "https://example.com/$OS/$ARCH/foobar.ami" becomes

-# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.

-# The default value is `testing`.

-#

-# image = "testing"

-

-# Memory in MB a machine is created with.

-#

-#memory=2048

-

-# The username to use and create on the podman machine OS for rootless

-# container access.

-#

-#user = "core"

-

-# Host directories to be mounted as volumes into the VM by default.

-# Environment variables like $HOME as well as complete paths are supported for

-# the source and destination. An optional third field `:ro` can be used to

-# tell the container engines to mount the volume readonly.

-#

-# volumes = [

-#  "$HOME:$HOME",

-#]

-

-# The [machine] table MUST be the last entry in this file.

-# (Unless another table is added)

-# TOML does not provide a way to end a table other than a further table being

-# defined, so every key hereafter will be part of [machine] and not the

-# main config.

+### Autogenerated by container.py ###
+
+# The containers configuration file specifies all of the available configuration
+# command-line options/flags for container engine tools like Podman & Buildah,
+# but in a TOML format that can be easily modified and versioned.
+
+# Please refer to containers.conf(5) for details of all configuration options.
+# Not all container engines implement all of the options.
+# All of the options have hard coded defaults and these options will override
+# the built in defaults. Users can then override these options via the command
+# line. Container engines will read containers.conf files in up to three
+# locations in the following order:
+#  1. /usr/share/containers/containers.conf
+#  2. /etc/containers/containers.conf
+#  3. $HOME/.config/containers/containers.conf (Rootless containers ONLY)
+#  Items specified in the latter containers.conf, if they exist, override the
+# previous containers.conf settings, or the default settings.
+
+[containers]
+
+# List of annotation. Specified as
+# "key = value"
+# If it is empty or commented out, no annotations will be added
+#
+#annotations = []
+
+# Used to change the name of the default AppArmor profile of container engine.
+#
+#apparmor_profile = "container-default"
+
+# The hosts entries from the base hosts file are added to the containers hosts
+# file. This must be either an absolute path or as special values "image" which
+# uses the hosts file from the container image or "none" which means
+# no base hosts file is used. The default is "" which will use /etc/hosts.
+#
+#base_hosts_file = ""
+
+# Default way to to create a cgroup namespace for the container
+# Options are:
+# `private` Create private Cgroup Namespace for the container.
+# `host`    Share host Cgroup Namespace with the container.
+#
+#cgroupns = "private"
+
+# Control container cgroup configuration
+# Determines  whether  the  container will create CGroups.
+# Options are:
+# `enabled`   Enable cgroup support within container
+# `disabled`  Disable cgroup support, will inherit cgroups from parent
+# `no-conmon` Do not create a cgroup dedicated to conmon.
+#
+#cgroups = "enabled"
+
+# List of default capabilities for containers. If it is empty or commented out,
+# the default capabilities defined in the container engine will be added.
+#
+default_capabilities = [
+  "CHOWN",
+  "DAC_OVERRIDE",
+  "FOWNER",
+  "FSETID",
+  "KILL",
+  "NET_BIND_SERVICE",
+  "SETFCAP",
+  "SETGID",
+  "SETPCAP",
+  "SETUID",
+  "SYS_CHROOT"
+]
+
+# A list of sysctls to be set in containers by default,
+# specified as "name=value",
+# for example:"net.ipv4.ping_group_range=0 0".
+#
+default_sysctls = [
+  "net.ipv4.ping_group_range=0 0",
+]
+
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# See setrlimit(2) for a list of resource names.
+# Any limit not specified here will be inherited from the process launching the
+# container engine.
+# Ulimits has limits for non privileged container engines.
+#
+#default_ulimits = [
+#  "nofile=1280:2560",
+#]
+
+# List of devices. Specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example:
+# "/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the default devices will be used
+#
+#devices = []
+
+# List of default DNS options to be added to /etc/resolv.conf inside of the container.
+#
+#dns_options = []
+
+# List of default DNS search domains to be added to /etc/resolv.conf inside of the container.
+#
+#dns_searches = []
+
+# Set default DNS servers.
+# This option can be used to override the DNS configuration passed to the
+# container. The special value "none" can be specified to disable creation of
+# /etc/resolv.conf in the container.
+# The /etc/resolv.conf file in the image will be used without changes.
+#
+#dns_servers = []
+
+# Environment variable list for the conmon process; used for passing necessary
+# environment variables to conmon or the runtime.
+#
+#env = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+#  "TERM=xterm",
+#]
+
+# Pass all host environment variables into the container.
+#
+#env_host = false
+
+# Set the ip for the host.containers.internal entry in the containers /etc/hosts
+# file. This can be set to "none" to disable adding this entry. By default it
+# will automatically choose the host ip.
+#
+# NOTE: When using podman machine this entry will never be added to the containers
+# hosts file instead the gvproxy dns resolver will resolve this hostname. Therefore
+# it is not possible to disable the entry in this case.
+#
+#host_containers_internal_ip = ""
+
+# Default proxy environment variables passed into the container.
+# The environment variables passed in include:
+# http_proxy, https_proxy, ftp_proxy, no_proxy, and the upper case versions of
+# these. This option is needed when host system uses a proxy but container
+# should not use proxy. Proxy environment variables specified for the container
+# in any other way will override the values passed from the host.
+#
+#http_proxy = true
+
+# Run an init inside the container that forwards signals and reaps processes.
+#
+#init = false
+
+# Container init binary, if init=true, this is the init binary to be used for containers.
+#
+#init_path = "/usr/libexec/podman/catatonit"
+
+# Default way to to create an IPC namespace (POSIX SysV IPC) for the container
+# Options are:
+#  "host"     Share host IPC Namespace with the container.
+#  "none"     Create shareable IPC Namespace for the container without a private /dev/shm.
+#  "private"  Create private IPC Namespace for the container, other containers are not allowed to share it.
+#  "shareable" Create shareable IPC Namespace for the container.
+#
+#ipcns = "shareable"
+
+# keyring tells the container engine whether to create
+# a kernel keyring for use within the container.
+#
+#keyring = true
+
+# label tells the container engine whether to use container separation using
+# MAC(SELinux) labeling or not.
+# The label flag is ignored on label disabled systems.
+#
+#label = true
+
+# Logging driver for the container. Available options: k8s-file and journald.
+#
+#log_driver = "k8s-file"
+
+# Maximum size allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If positive, it must be >= 8192 to match or
+# exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+#
+#log_size_max = -1
+
+# Specifies default format tag for container log messages.
+# This is useful for creating a specific tag for container log messages.
+# Containers logs default to truncated container ID as a tag.
+#
+#log_tag = ""
+
+# Default way to to create a Network namespace for the container
+# Options are:
+# `private` Create private Network Namespace for the container.
+# `host`    Share host Network Namespace with the container.
+# `none`    Containers do not use the network
+#
+#netns = "private"
+
+# Create /etc/hosts for the container.  By default, container engine manage
+# /etc/hosts, automatically adding  the container's  own  IP  address.
+#
+#no_hosts = false
+
+# Default way to to create a PID namespace for the container
+# Options are:
+# `private` Create private PID Namespace for the container.
+# `host`    Share host PID Namespace with the container.
+#
+#pidns = "private"
+
+# Maximum number of processes allowed in a container.
+#
+#pids_limit = 2048
+
+# Copy the content from the underlying image into the newly created volume
+# when the container is created instead of when it is started. If false,
+# the container engine will not copy the content until the container is started.
+# Setting it to true may have negative performance implications.
+#
+#prepare_volume_on_create = false
+
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime.
+#
+#seccomp_profile = "/usr/share/containers/seccomp.json"
+
+# Size of /dev/shm. Specified as <number><unit>.
+# Unit is optional, values:
+# b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# If the unit is omitted, the system uses bytes.
+#
+#shm_size = "65536k"
+
+# Set timezone in container. Takes IANA timezones as well as "local",
+# which sets the timezone in the container to match the host machine.
+#
+#tz = ""
+
+# Set umask inside the container
+#
+#umask = "0022"
+
+# Default way to to create a User namespace for the container
+# Options are:
+# `auto`        Create unique User Namespace for the container.
+# `host`    Share host User Namespace with the container.
+#
+#userns = "host"
+
+# Number of UIDs to allocate for the automatic container creation.
+# UIDs are allocated from the "container" UIDs listed in
+# /etc/subuid & /etc/subgid
+#
+#userns_size = 65536
+
+# Default way to to create a UTS namespace for the container
+# Options are:
+# `private`        Create private UTS Namespace for the container.
+# `host`    Share host UTS Namespace with the container.
+#
+#utsns = "private"
+
+# List of volumes. Specified as
+# "<directory-on-host>:<directory-in-container>:<options>", for example:
+# "/db:/var/lib/db:ro".
+# If it is empty or commented out, no volumes will be added
+#
+#volumes = []
+
+[secrets]
+#driver = "file"
+
+[secrets.opts]
+#root = "/example/directory"
+
+[network]
+
+# Network backend determines what network driver will be used to set up and tear down container networks.
+# Valid values are "cni" and "netavark".
+# The default value is empty which means that it will automatically choose CNI or netavark. If there are
+# already containers/images or CNI networks preset it will choose CNI.
+#
+# Before changing this value all containers must be stopped otherwise it is likely that
+# iptables rules and network interfaces might leak on the host. A reboot will fix this.
+#
+network_backend = "netavark"
+
+# Path to directory where CNI plugin binaries are located.
+#
+#cni_plugin_dirs = [
+#  "/usr/local/libexec/cni",
+#  "/usr/libexec/cni",
+#  "/usr/local/lib/cni",
+#  "/usr/lib/cni",
+#  "/opt/cni/bin",
+#]
+
+# The network name of the default network to attach pods to.
+#
+#default_network = "podman"
+
+# The default subnet for the default network given in default_network.
+# If a network with that name does not exist, a new network using that name and
+# this subnet will be created.
+# Must be a valid IPv4 CIDR prefix.
+#
+#default_subnet = "10.88.0.0/16"
+
+# DefaultSubnetPools is a list of subnets and size which are used to
+# allocate subnets automatically for podman network create.
+# It will iterate through the list and will pick the first free subnet
+# with the given size. This is only used for ipv4 subnets, ipv6 subnets
+# are always assigned randomly.
+#
+#default_subnet_pools = [
+#  {"base" = "10.89.0.0/16", "size" = 24},
+#  {"base" = "10.90.0.0/15", "size" = 24},
+#  {"base" = "10.92.0.0/14", "size" = 24},
+#  {"base" = "10.96.0.0/11", "size" = 24},
+#  {"base" = "10.128.0.0/9", "size" = 24},
+#]
+
+# Path to the directory where network configuration files are located.
+# For the CNI backend the default is "/etc/cni/net.d" as root
+# and "$HOME/.config/cni/net.d" as rootless.
+# For the netavark backend "/etc/containers/networks" is used as root
+# and "$graphroot/networks" as rootless.
+#
+#network_config_dir = "/etc/cni/net.d/"
+
+# Port to use for dns forwarding daemon with netavark in rootful bridge
+# mode and dns enabled.
+# Using an alternate port might be useful if other dns services should
+# run on the machine.
+#
+#dns_bind_port = 53
+
+[engine]
+# Index to the active service
+#
+#active_service = production
+
+# The compression format to use when pushing an image.
+# Valid options are: `gzip`, `zstd` and `zstd:chunked`.
+#
+#compression_format = "gzip"
+
+
+# Cgroup management implementation used for the runtime.
+# Valid options "systemd" or "cgroupfs"
+#
+#cgroup_manager = "systemd"
+
+# Environment variables to pass into conmon
+#
+#conmon_env_vars = [
+#  "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+#]
+
+# Paths to look for the conmon container manager binary
+#
+#conmon_path = [
+#  "/usr/libexec/podman/conmon",
+#  "/usr/local/libexec/podman/conmon",
+#  "/usr/local/lib/podman/conmon",
+#  "/usr/bin/conmon",
+#  "/usr/sbin/conmon",
+#  "/usr/local/bin/conmon",
+#  "/usr/local/sbin/conmon"
+#]
+
+# Enforces using docker.io for completing short names in Podman's compatibility
+# REST API. Note that this will ignore unqualified-search-registries and
+# short-name aliases defined in containers-registries.conf(5).
+#compat_api_enforce_docker_hub = true
+
+# Specify the keys sequence used to detach a container.
+# Format is a single character [a-Z] or a comma separated sequence of
+# `ctrl-<value>`, where `<value>` is one of:
+# `a-z`, `@`, `^`, `[`, `\`, `]`, `^` or `_`
+#
+#detach_keys = "ctrl-p,ctrl-q"
+
+# Determines whether engine will reserve ports on the host when they are
+# forwarded to containers. When enabled, when ports are forwarded to containers,
+# ports are held open by as long as the container is running, ensuring that
+# they cannot be reused by other programs on the host. However, this can cause
+# significant memory usage if a container has many ports forwarded to it.
+# Disabling this can save memory.
+#
+#enable_port_reservation = true
+
+# Environment variables to be used when running the container engine (e.g., Podman, Buildah).
+# For example "http_proxy=internal.proxy.company.com".
+# Note these environment variables will not be used within the container.
+# Set the env section under [containers] table, if you want to set environment variables for the container.
+#
+#env = []
+
+# Define where event logs will be stored, when events_logger is "file".
+#events_logfile_path=""
+
+# Sets the maximum size for events_logfile_path.
+# The size can be b (bytes), k (kilobytes), m (megabytes), or g (gigabytes).
+# The format for the size is `<number><unit>`, e.g., `1b` or `3g`.
+# If no unit is included then the size will be read in bytes.
+# When the limit is exceeded, the logfile will be rotated and the old one will be deleted.
+# If the maximum size is set to 0, then no limit will be applied,
+# and the logfile will not be rotated.
+#events_logfile_max_size = "1m"
+
+# Selects which logging mechanism to use for container engine events.
+# Valid values are `journald`, `file` and `none`.
+#
+#events_logger = "journald"
+
+# A is a list of directories which are used to search for helper binaries.
+#
+#helper_binaries_dir = [
+#  "/usr/local/libexec/podman",
+#  "/usr/local/lib/podman",
+#  "/usr/libexec/podman",
+#  "/usr/lib/podman",
+#]
+
+# Path to OCI hooks directories for automatically executed hooks.
+#
+#hooks_dir = [
+#  "/usr/share/containers/oci/hooks.d",
+#]
+
+# Manifest Type (oci, v2s2, or v2s1) to use when pulling, pushing, building
+# container images. By default image pulled and pushed match the format of the
+# source image. Building/committing defaults to OCI.
+#
+#image_default_format = ""
+
+# Default transport method for pulling and pushing for images
+#
+#image_default_transport = "docker://"
+
+# Maximum number of image layers to be copied (pulled/pushed) simultaneously.
+# Not setting this field, or setting it to zero, will fall back to containers/image defaults.
+#
+#image_parallel_copies = 0
+
+# Tells container engines how to handle the builtin image volumes.
+#   * bind: An anonymous named volume will be created and mounted
+#     into the container.
+#   * tmpfs: The volume is mounted onto the container as a tmpfs,
+#     which allows users to create content that disappears when
+#     the container is stopped.
+#   * ignore: All volumes are just ignored and no action is taken.
+#
+#image_volume_mode = ""
+
+# Default command to run the infra container
+#
+#infra_command = "/pause"
+
+# Infra (pause) container image name for pod infra containers.  When running a
+# pod, we start a `pause` process in a container to hold open the namespaces
+# associated with the  pod.  This container does nothing other then sleep,
+# reserving the pods resources for the lifetime of the pod. By default container
+# engines run a builtin container using the pause executable. If you want override
+# specify an image to pull.
+#
+#infra_image = ""
+
+# Specify the locking mechanism to use; valid values are "shm" and "file".
+# Change the default only if you are sure of what you are doing, in general
+# "file" is useful only on platforms where cgo is not available for using the
+# faster "shm" lock type. You may need to run "podman system renumber" after
+# you change the lock type.
+#
+#lock_type** = "shm"
+
+# MultiImageArchive - if true, the container engine allows for storing archives
+# (e.g., of the docker-archive transport) with multiple images.  By default,
+# Podman creates single-image archives.
+#
+#multi_image_archive = "false"
+
+# Default engine namespace
+# If engine is joined to a namespace, it will see only containers and pods
+# that were created in the same namespace, and will create new containers and
+# pods in that namespace.
+# The default namespace is "", which corresponds to no namespace. When no
+# namespace is set, all containers and pods are visible.
+#
+#namespace = ""
+
+# Path to the slirp4netns binary
+#
+#network_cmd_path = ""
+
+# Default options to pass to the slirp4netns binary.
+# Valid options values are:
+#
+# - allow_host_loopback=true|false: Allow the slirp4netns to reach the host loopback IP (`10.0.2.2`).
+#   Default is false.
+# - mtu=MTU: Specify the MTU to use for this network. (Default is `65520`).
+# - cidr=CIDR: Specify ip range to use for this network. (Default is `10.0.2.0/24`).
+# - enable_ipv6=true|false: Enable IPv6. Default is true. (Required for `outbound_addr6`).
+# - outbound_addr=INTERFACE: Specify the outbound interface slirp should bind to (ipv4 traffic only).
+# - outbound_addr=IPv4: Specify the outbound ipv4 address slirp should bind to.
+# - outbound_addr6=INTERFACE: Specify the outbound interface slirp should bind to (ipv6 traffic only).
+# - outbound_addr6=IPv6: Specify the outbound ipv6 address slirp should bind to.
+# - port_handler=rootlesskit: Use rootlesskit for port forwarding. Default.
+#   Note: Rootlesskit changes the source IP address of incoming packets to a IP address in the container
+#   network namespace, usually `10.0.2.100`. If your application requires the real source IP address,
+#   e.g. web server logs, use the slirp4netns port handler. The rootlesskit port handler is also used for
+#   rootless containers when connected to user-defined networks.
+# - port_handler=slirp4netns: Use the slirp4netns port forwarding, it is slower than rootlesskit but
+#   preserves the correct source IP address. This port handler cannot be used for user-defined networks.
+#
+#network_cmd_options = []
+
+# Whether to use chroot instead of pivot_root in the runtime
+#
+#no_pivot_root = false
+
+# Number of locks available for containers and pods.
+# If this is changed, a lock renumber must be performed (e.g. with the
+# 'podman system renumber' command).
+#
+#num_locks = 2048
+
+# Set the exit policy of the pod when the last container exits.
+#pod_exit_policy = "continue"
+
+# Whether to pull new image before running a container
+#
+#pull_policy = "missing"
+
+# Indicates whether the application should be running in remote mode. This flag modifies the
+# --remote option on container engines. Setting the flag to true will default
+# `podman --remote=true` for access to the remote Podman service.
+#
+#remote = false
+
+# Default OCI runtime
+#
+#runtime = "crun"
+
+# List of the OCI runtimes that support --format=json. When json is supported
+# engine will use it for reporting nicer errors.
+#
+#runtime_supports_json = ["crun", "runc", "kata", "runsc", "krun"]
+
+# List of the OCI runtimes that supports running containers with KVM Separation.
+#
+#runtime_supports_kvm = ["kata", "krun"]
+
+# List of the OCI runtimes that supports running containers without cgroups.
+#
+#runtime_supports_nocgroups = ["crun", "krun"]
+
+# Default location for storing temporary container image content. Can be overridden with the TMPDIR environment
+# variable. If you specify "storage", then the location of the
+# container/storage tmp directory will be used.
+# image_copy_tmp_dir="/var/tmp"
+
+# Number of seconds to wait without a connection
+# before the `podman system service` times out and exits
+#
+#service_timeout = 5
+
+# Directory for persistent engine files (database, etc)
+# By default, this will be configured relative to where the containers/storage
+# stores containers
+# Uncomment to change location from this default
+#
+#static_dir = "/var/lib/containers/storage/libpod"
+
+# Number of seconds to wait for container to exit before sending kill signal.
+#
+#stop_timeout = 10
+
+# Number of seconds to wait before exit command in API process is given to.
+# This mimics Docker's exec cleanup behaviour, where the default is 5 minutes (value is in seconds).
+#
+#exit_command_delay = 300
+
+# map of service destinations
+#
+#[service_destinations]
+#  [service_destinations.production]
+#     URI to access the Podman service
+#     Examples:
+#       rootless "unix://run/user/$UID/podman/podman.sock" (Default)
+#       rootful "unix://run/podman/podman.sock (Default)
+#       remote rootless ssh://engineering.lab.company.com/run/user/1000/podman/podman.sock
+#       remote rootful ssh://root@10.10.1.136:22/run/podman/podman.sock
+#
+#    uri = "ssh://user@production.example.com/run/user/1001/podman/podman.sock"
+#    Path to file containing ssh identity key
+#    identity = "~/.ssh/id_rsa"
+
+# Directory for temporary files. Must be tmpfs (wiped after reboot)
+#
+#tmp_dir = "/run/libpod"
+
+# Directory for libpod named volumes.
+# By default, this will be configured relative to where containers/storage
+# stores containers.
+# Uncomment to change location from this default.
+#
+#volume_path = "/var/lib/containers/storage/volumes"
+
+# Default timeout (in seconds) for volume plugin operations.
+# Plugins are external programs accessed via a REST API; this sets a timeout
+# for requests to that API.
+# A value of 0 is treated as no timeout.
+#volume_plugin_timeout = 5
+
+# Paths to look for a valid OCI runtime (crun, runc, kata, runsc, krun, etc)
+[engine.runtimes]
+#crun = [
+#  "/usr/bin/crun",
+#  "/usr/sbin/crun",
+#  "/usr/local/bin/crun",
+#  "/usr/local/sbin/crun",
+#  "/sbin/crun",
+#  "/bin/crun",
+#  "/run/current-system/sw/bin/crun",
+#]
+
+#kata = [
+#  "/usr/bin/kata-runtime",
+#  "/usr/sbin/kata-runtime",
+#  "/usr/local/bin/kata-runtime",
+#  "/usr/local/sbin/kata-runtime",
+#  "/sbin/kata-runtime",
+#  "/bin/kata-runtime",
+#  "/usr/bin/kata-qemu",
+#  "/usr/bin/kata-fc",
+#]
+
+#runc = [
+#  "/usr/bin/runc",
+#  "/usr/sbin/runc",
+#  "/usr/local/bin/runc",
+#  "/usr/local/sbin/runc",
+#  "/sbin/runc",
+#  "/bin/runc",
+#  "/usr/lib/cri-o-runc/sbin/runc",
+#]
+
+#runsc = [
+#  "/usr/bin/runsc",
+#  "/usr/sbin/runsc",
+#  "/usr/local/bin/runsc",
+#  "/usr/local/sbin/runsc",
+#  "/bin/runsc",
+#  "/sbin/runsc",
+#  "/run/current-system/sw/bin/runsc",
+#]
+
+#krun = [
+#  "/usr/bin/krun",
+#  "/usr/local/bin/krun",
+#]
+
+[engine.volume_plugins]
+#testplugin = "/run/podman/plugins/test.sock"
+
+[machine]
+# Number of CPU's a machine is created with.
+#
+#cpus=1
+
+# The size of the disk in GB created when init-ing a podman-machine VM.
+#
+#disk_size=10
+
+# Default image URI when creating a new VM using `podman machine init`.
+# Options: On Linux/Mac, `testing`, `stable`, `next`. On Windows, the major
+# version of the OS (e.g `36`) for Fedora 36. For all platforms you can
+# alternatively specify a custom download URL to an image. Container engines
+# translate URIs $OS and $ARCH to the native OS and ARCH. URI
+# "https://example.com/$OS/$ARCH/foobar.ami" becomes
+# "https://example.com/linux/amd64/foobar.ami" on a Linux AMD machine.
+# The default value is `testing`.
+#
+# image = "testing"
+
+# Memory in MB a machine is created with.
+#
+#memory=2048
+
+# The username to use and create on the podman machine OS for rootless
+# container access.
+#
+#user = "core"
+
+# Host directories to be mounted as volumes into the VM by default.
+# Environment variables like $HOME as well as complete paths are supported for
+# the source and destination. An optional third field `:ro` can be used to
+# tell the container engines to mount the volume readonly.
+#
+# volumes = [
+#  "$HOME:$HOME",
+#]
+
+# The [machine] table MUST be the last entry in this file.
+# (Unless another table is added)
+# TOML does not provide a way to end a table other than a further table being
+# defined, so every key hereafter will be part of [machine] and not the
+# main config.
diff --git a/data/templates/container/systemd-unit.j2 b/data/templates/container/systemd-unit.j2
index fa48384ab..d379f0a07 100644
--- a/data/templates/container/systemd-unit.j2
+++ b/data/templates/container/systemd-unit.j2
@@ -13,5 +13,5 @@ ExecStop=/usr/bin/podman stop --ignore --cidfile %t/%n.cid -t 5
 ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/%n.cid
 ExecStopPost=/bin/rm -f %t/%n.cid
 PIDFile=%t/%n.pid
-KillMode=none
+KillMode=control-group
 Type=forking
diff --git a/data/templates/dhcp-client/ipv4.j2 b/data/templates/dhcp-client/ipv4.j2
index cc5ddf09c..77905e054 100644
--- a/data/templates/dhcp-client/ipv4.j2
+++ b/data/templates/dhcp-client/ipv4.j2
@@ -9,14 +9,30 @@ interface "{{ ifname }}" {
     send host-name "{{ dhcp_options.host_name }}";
 {% if dhcp_options.client_id is vyos_defined %}
 {%     set client_id = dhcp_options.client_id %}
-{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. If not HEX, use double quotes ASCII format #}
-{%     if not dhcp_options.client_id.split(':') | length >= 5 %}
-{%         set client_id = '"' + dhcp_options.client_id + '"' %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not client_id.split(':') | length >= 3 %}
+{%         set client_id = '"' ~ dhcp_options.client_id ~ '"' %}
 {%     endif %}
     send dhcp-client-identifier {{ client_id }};
 {% endif %}
 {% if dhcp_options.vendor_class_id is vyos_defined %}
-    send vendor-class-identifier "{{ dhcp_options.vendor_class_id }}";
+{%     set vendor_class_id = dhcp_options.vendor_class_id %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not vendor_class_id.split(':') | length >= 3 %}
+{%         set vendor_class_id = '"' ~ dhcp_options.vendor_class_id ~ '"' %}
+{%     endif %}
+    send vendor-class-identifier {{ vendor_class_id }};
+{% endif %}
+{% if dhcp_options.user_class is vyos_defined %}
+{%     set user_class = dhcp_options.user_class %}
+{#   Use HEX representation of client-id as it is send in MAC-address style using hex characters. #}
+{#   If not HEX, use double quotes ASCII format #}
+{%     if not user_class.split(':') | length >= 3 %}
+{%         set user_class = '"' ~ dhcp_options.user_class ~ '"' %}
+{%     endif %}
+    send user-class {{ user_class }};
 {% endif %}
     # The request statement causes the client to request that any server responding to the
     # client send the client its values for the specified options.
diff --git a/data/templates/dhcp-relay/dhcrelay.conf.j2 b/data/templates/dhcp-relay/dhcrelay.conf.j2
index c26c263fd..71a395454 100644
--- a/data/templates/dhcp-relay/dhcrelay.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcp_relay.py ###
+### Autogenerated by service_dhcp-relay.py ###
 
 {% set max_size = '-A ' ~ relay_options.max_size if relay_options.max_size is vyos_defined %}
 {# hop_count and relay_agents_packets is a default option, thus it is always present #}
@@ -6,4 +6,4 @@
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -i {{ interface | join(' -i ') }} {{ server | join(' ') }}"
 {% else %}
 OPTIONS="-c {{ relay_options.hop_count }} -a -m {{ relay_options.relay_agents_packets }} {{ max_size }} -id {{ listen_interface | join(' -id ') }} -iu {{ upstream_interface | join(' -iu ') }} {{ server | join(' ') }}"
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/data/templates/dhcp-relay/dhcrelay6.conf.j2 b/data/templates/dhcp-relay/dhcrelay6.conf.j2
index 6365346b4..25f7671b3 100644
--- a/data/templates/dhcp-relay/dhcrelay6.conf.j2
+++ b/data/templates/dhcp-relay/dhcrelay6.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by dhcpv6_relay.py ###
+### Autogenerated by service_dhcpv6-relay.py ###
 
 {# upstream_interface is mandatory so it's always present #}
 {% set upstream = namespace(value='')  %}
@@ -18,4 +18,3 @@
 {% endfor %}
 
 OPTIONS="{{ listen.value }} {{ upstream.value }} -c {{ max_hop_count }} {{ '-I' if use_interface_id_option is vyos_defined }}"
-
diff --git a/data/templates/dhcp-server/10-override.conf.j2 b/data/templates/dhcp-server/10-override.conf.j2
index 1504b6808..6cf9e0a11 100644
--- a/data/templates/dhcp-server/10-override.conf.j2
+++ b/data/templates/dhcp-server/10-override.conf.j2
@@ -1,30 +1,2 @@
-### Autogenerated by dhcp_server.py ###
-{% set lease_file = '/config/dhcpd.leases' %}
 [Unit]
-Description=ISC DHCP IPv4 server
-Documentation=man:dhcpd(8)
-RequiresMountsFor=/run
-ConditionPathExists=
-ConditionPathExists=/run/dhcp-server/dhcpd.conf
-After=
-After=vyos-router.service
-
-[Service]
-Type=forking
-WorkingDirectory=
-WorkingDirectory=/run/dhcp-server
-RuntimeDirectory=dhcp-server
-RuntimeDirectoryPreserve=yes
-Environment=PID_FILE=/run/dhcp-server/dhcpd.pid CONFIG_FILE=/run/dhcp-server/dhcpd.conf LEASE_FILE={{ lease_file }}
-PIDFile=/run/dhcp-server/dhcpd.pid
-ExecStartPre=/bin/sh -ec '\
-touch ${LEASE_FILE}; \
-chown dhcpd:vyattacfg ${LEASE_FILE}* ; \
-chmod 664 ${LEASE_FILE}* ; \
-/usr/sbin/dhcpd -4 -t -T -q -user dhcpd -group vyattacfg -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
-ExecStart=
-ExecStart=/usr/sbin/dhcpd -4 -q -user dhcpd -group vyattacfg -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
+ConditionFileNotEmpty=
diff --git a/data/templates/dhcp-server/dhcpd.conf.j2 b/data/templates/dhcp-server/dhcpd.conf.j2
deleted file mode 100644
index 639526532..000000000
--- a/data/templates/dhcp-server/dhcpd.conf.j2
+++ /dev/null
@@ -1,250 +0,0 @@
-### Autogenerated by dhcp_server.py ###
-
-# For options please consult the following website:
-# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html
-#
-# log-facility local7;
-{% if hostfile_update is vyos_defined %}
-on release {
-    set ClientName = pick-first-value(host-decl-name, option fqdn.hostname, option host-name);
-    set ClientIp = binary-to-ascii(10, 8, ".",leased-address);
-    execute("/usr/libexec/vyos/system/on-dhcp-event.sh", "release", "", ClientIp, "", "");
-}
-on expiry {
-    set ClientName = pick-first-value(host-decl-name, option fqdn.hostname, option host-name);
-    set ClientIp = binary-to-ascii(10, 8, ".",leased-address);
-    execute("/usr/libexec/vyos/system/on-dhcp-event.sh", "release", "", ClientIp, "", "");
-}
-{% endif %}
-
-{{ 'use-host-decl-names on;' if host_decl_name is vyos_defined }}
-ddns-update-style {{ 'interim' if dynamic_dns_update is vyos_defined else 'none' }};
-option rfc3442-static-route code 121 = array of integer 8;
-option windows-static-route code 249 = array of integer 8;
-option wpad-url code 252 = text;
-option rfc8925-ipv6-only-preferred code 108 = unsigned integer 32;
-
-# Vendor specific options - Ubiquiti Networks
-option space ubnt;
-option ubnt.unifi-controller code 1 = ip-address;
-class "ubnt" {
-    match if substring (option vendor-class-identifier , 0, 4) = "ubnt";
-    option vendor-class-identifier "ubnt";
-    vendor-option-space ubnt;
-}
-
-{% if global_parameters is vyos_defined %}
-# The following {{ global_parameters | length }} line(s) have been added as
-# global-parameters in the CLI and have not been validated !!!
-{%     for parameter in global_parameters %}
-{{ parameter }}
-{%     endfor %}
-
-{% endif %}
-{% if failover is vyos_defined %}
-# DHCP failover configuration
-failover peer "{{ failover.name }}" {
-{%     if failover.status == 'primary' %}
-    primary;
-    mclt 1800;
-    split 128;
-{%     elif failover.status == 'secondary' %}
-    secondary;
-{%     endif %}
-    address {{ failover.source_address }};
-    port 647;
-    peer address {{ failover.remote }};
-    peer port 647;
-    max-response-delay 30;
-    max-unacked-updates 10;
-    load balance max seconds 3;
-}
-{% endif %}
-{% if listen_address is vyos_defined %}
-
-# DHCP server serving relay subnet, we need a connector to the real world
-{%     for address in listen_address %}
-# Connected subnet statement for listen-address {{ address }}
-subnet {{ address | network_from_ipv4 }} netmask {{ address | netmask_from_ipv4 }} { }
-{%     endfor %}
-{% endif %}
-
-# Shared network configration(s)
-{% if shared_network_name is vyos_defined %}
-{%     for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
-shared-network {{ network }} {
-{%         if network_config.authoritative is vyos_defined %}
-    authoritative;
-{%         endif %}
-{%         if network_config.name_server is vyos_defined %}
-    option domain-name-servers {{ network_config.name_server | join(', ') }};
-{%         endif %}
-{%         if network_config.domain_name is vyos_defined %}
-    option domain-name "{{ network_config.domain_name }}";
-{%         endif %}
-{%         if network_config.domain_search is vyos_defined %}
-    option domain-search "{{ network_config.domain_search | join('", "') }}";
-{%         endif %}
-{%         if network_config.ntp_server is vyos_defined %}
-    option ntp-servers {{ network_config.ntp_server | join(', ') }};
-{%         endif %}
-{%         if network_config.ping_check is vyos_defined %}
-    ping-check true;
-{%         endif %}
-{%         if network_config.shared_network_parameters is vyos_defined %}
-    # The following {{ network_config.shared_network_parameters | length }} line(s)
-    # were added as shared-network-parameters in the CLI and have not been validated
-{%             for parameter in network_config.shared_network_parameters %}
-    {{ parameter }}
-{%             endfor %}
-{%         endif %}
-{%         if network_config.subnet is vyos_defined %}
-{%             for subnet, subnet_config in network_config.subnet.items() %}
-{%                 if subnet_config.description is vyos_defined %}
-    # {{ subnet_config.description }}
-{%                 endif %}
-    subnet {{ subnet | address_from_cidr }} netmask {{ subnet | netmask_from_cidr }} {
-{%                 if subnet_config.name_server is vyos_defined %}
-        option domain-name-servers {{ subnet_config.name_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.domain_name is vyos_defined %}
-        option domain-name "{{ subnet_config.domain_name }}";
-{%                 endif %}
-{%                 if subnet_config.domain_search is vyos_defined %}
-        option domain-search "{{ subnet_config.domain_search | join('", "') }}";
-{%                 endif %}
-{%                 if subnet_config.ntp_server is vyos_defined %}
-        option ntp-servers {{ subnet_config.ntp_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.pop_server is vyos_defined %}
-        option pop-server {{ subnet_config.pop_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.smtp_server is vyos_defined %}
-        option smtp-server {{ subnet_config.smtp_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.time_server is vyos_defined %}
-        option time-servers {{ subnet_config.time_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.wins_server is vyos_defined %}
-        option netbios-name-servers {{ subnet_config.wins_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.ipv6_only_preferred is vyos_defined %}
-        option rfc8925-ipv6-only-preferred {{ subnet_config.ipv6_only_preferred }};
-{%                 endif %}
-{%                 if subnet_config.static_route is vyos_defined %}
-{%                     set static_default_route = '' %}
-{%                     if subnet_config.default_router is vyos_defined %}
-{%                         set static_default_route = ', ' ~ '0.0.0.0/0' | isc_static_route(subnet_config.default_router) %}
-{%                     endif %}
-{%                     if subnet_config.static_route is vyos_defined %}
-{%                         set rfc3442_routes = [] %}
-{%                         for route, route_options in subnet_config.static_route.items() %}
-{%                             set rfc3442_routes = rfc3442_routes.append(route | isc_static_route(route_options.next_hop)) %}
-{%                         endfor %}
-        option rfc3442-static-route {{ rfc3442_routes | join(', ') }}{{ static_default_route }};
-        option windows-static-route {{ rfc3442_routes | join(', ') }};
-{%                     endif %}
-{%                 endif %}
-{%                 if subnet_config.ip_forwarding is vyos_defined %}
-        option ip-forwarding true;
-{%                 endif %}
-{%                 if subnet_config.default_router is vyos_defined %}
-        option routers {{ subnet_config.default_router }};
-{%                 endif %}
-{%                 if subnet_config.server_identifier is vyos_defined %}
-        option dhcp-server-identifier {{ subnet_config.server_identifier }};
-{%                 endif %}
-{%                 if subnet_config.subnet_parameters is vyos_defined %}
-        # The following {{ subnet_config.subnet_parameters | length }} line(s) were added as
-        # subnet-parameters in the CLI and have not been validated!!!
-{%                     for parameter in subnet_config.subnet_parameters %}
-        {{ parameter }}
-{%                     endfor %}
-{%                 endif %}
-{%                 if subnet_config.tftp_server_name is vyos_defined %}
-        option tftp-server-name "{{ subnet_config.tftp_server_name }}";
-{%                 endif %}
-{%                 if subnet_config.bootfile_name is vyos_defined %}
-        option bootfile-name "{{ subnet_config.bootfile_name }}";
-        filename "{{ subnet_config.bootfile_name }}";
-{%                 endif %}
-{%                 if subnet_config.bootfile_server is vyos_defined %}
-        next-server {{ subnet_config.bootfile_server }};
-{%                 endif %}
-{%                 if subnet_config.bootfile_size is vyos_defined %}
-        option boot-size {{ subnet_config.bootfile_size }};
-{%                 endif %}
-{%                 if subnet_config.time_offset is vyos_defined %}
-        option time-offset {{ subnet_config.time_offset }};
-{%                 endif %}
-{%                 if subnet_config.wpad_url is vyos_defined %}
-        option wpad-url "{{ subnet_config.wpad_url }}";
-{%                 endif %}
-{%                 if subnet_config.client_prefix_length is vyos_defined %}
-        option subnet-mask {{ ('0.0.0.0/' ~ subnet_config.client_prefix_length) | netmask_from_cidr }};
-{%                 endif %}
-{%                 if subnet_config.lease is vyos_defined %}
-        default-lease-time {{ subnet_config.lease }};
-        max-lease-time {{ subnet_config.lease }};
-{%                 endif %}
-{%                 if network_config.ping_check is not vyos_defined and subnet_config.ping_check is vyos_defined %}
-        ping-check true;
-{%                 endif %}
-{%                 if subnet_config.static_mapping is vyos_defined %}
-{%                     for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
-        host {{ host | replace('_','-') if host_decl_name is vyos_defined else network | replace('_','-') ~ '_' ~ host | replace('_','-') }} {
-{%                         if host_config.ip_address is vyos_defined %}
-            fixed-address {{ host_config.ip_address }};
-{%                         endif %}
-            hardware ethernet {{ host_config.mac_address }};
-{%                         if host_config.static_mapping_parameters is vyos_defined %}
-            # The following {{ host_config.static_mapping_parameters | length }} line(s) were added
-            # as static-mapping-parameters in the CLI and have not been validated
-{%                             for parameter in host_config.static_mapping_parameters %}
-            {{ parameter }}
-{%                             endfor %}
-{%                         endif %}
-        }
-{%                     endfor %}
-{%                 endif %}
-{%                 if subnet_config.vendor_option.ubiquiti.unifi_controller is vyos_defined %}
-        option ubnt.unifi-controller {{ subnet_config.vendor_option.ubiquiti.unifi_controller }};
-{%                 endif %}
-{%                 if subnet_config.range is vyos_defined %}
-{#           pool configuration can only be used if there follows a range option #}
-        pool {
-{%                 endif %}
-{%                 if subnet_config.enable_failover is vyos_defined %}
-            failover peer "{{ failover.name }}";
-            deny dynamic bootp clients;
-{%                 endif %}
-{%                 if subnet_config.range is vyos_defined %}
-{%                     for range, range_options in subnet_config.range.items() %}
-            range {{ range_options.start }} {{ range_options.stop }};
-{%                     endfor %}
-{%                 endif %}
-{%                 if subnet_config.range is vyos_defined %}
-{#           pool configuration can only be used if there follows a range option #}
-        }
-{%                 endif %}
-    }
-{%             endfor %}
-{%         endif %}
-    on commit {
-        set shared-networkname = "{{ network }}";
-{%         if hostfile_update is vyos_defined %}
-        set ClientIp = binary-to-ascii(10, 8, ".", leased-address);
-        set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
-        set ClientName = pick-first-value(host-decl-name, option fqdn.hostname, option host-name, "empty_hostname");
-        if not (ClientName = "empty_hostname") {
-            set ClientDomain = pick-first-value(config-option domain-name, "..YYZ!");
-            execute("/usr/libexec/vyos/system/on-dhcp-event.sh", "commit", ClientName, ClientIp, ClientMac, ClientDomain);
-        } else {
-            log(concat("Hostname is not defined for client with IP: ", ClientIP, " MAC: ", ClientMac));
-        }
-{%         endif %}
-    }
-}
-
-{%     endfor %}
-{% endif %}
diff --git a/data/templates/dhcp-server/dhcpdv6.conf.j2 b/data/templates/dhcp-server/dhcpdv6.conf.j2
deleted file mode 100644
index 5c3471316..000000000
--- a/data/templates/dhcp-server/dhcpdv6.conf.j2
+++ /dev/null
@@ -1,132 +0,0 @@
-### Autogenerated by dhcpv6_server.py ###
-
-# For options please consult the following website:
-# https://www.isc.org/wp-content/uploads/2017/08/dhcp43options.html
-
-log-facility local7;
-{% if preference is vyos_defined %}
-option dhcp6.preference {{ preference }};
-{% endif %}
-
-{% if global_parameters.name_server is vyos_defined %}
-option dhcp6.name-servers {{ global_parameters.name_server | join(', ') }};
-{% endif %}
-
-# Vendor specific options - Cisco
-option space cisco code width 2 length width 2;
-option cisco.tftp-servers code 1 = array of ip6-address;
-option vsio.cisco code 9 = encapsulate cisco;
-
-# Shared network configration(s)
-{% if shared_network_name is vyos_defined %}
-{%     for network, network_config in shared_network_name.items() if network_config.disable is not vyos_defined %}
-shared-network {{ network }} {
-{%         if network_config.common_options is vyos_defined %}
-{%             if network_config.common_options.info_refresh_time is vyos_defined %}
-    option dhcp6.info-refresh-time {{ network_config.common_options.info_refresh_time }};
-{%             endif %}
-{%             if network_config.common_options.domain_search is vyos_defined %}
-    option dhcp6.domain-search "{{ network_config.common_options.domain_search | join('", "') }}";
-{%             endif %}
-{%             if network_config.common_options.name_server is vyos_defined %}
-    option dhcp6.name-servers {{ network_config.common_options.name_server | join(', ') }};
-{%             endif %}
-{%         endif %}
-{%         if network_config.subnet is vyos_defined %}
-{%             for subnet, subnet_config in network_config.subnet.items() %}
-    subnet6 {{ subnet }} {
-{%                 if subnet_config.address_range is vyos_defined %}
-{%                     if subnet_config.address_range.prefix is vyos_defined %}
-{%                         for prefix, prefix_config in subnet_config.address_range.prefix.items() %}
-        range6 {{ prefix }} {{ "temporary" if prefix_config.temporary is vyos_defined }};
-{%                         endfor %}
-{%                     endif %}
-{%                     if subnet_config.address_range.start is vyos_defined %}
-{%                         for address, address_config in subnet_config.address_range.start.items() %}
-        range6 {{ address }} {{ address_config.stop }};
-{%                         endfor %}
-{%                     endif %}
-{%                 endif %}
-{%                 if subnet_config.domain_search is vyos_defined %}
-        option dhcp6.domain-search "{{ subnet_config.domain_search | join('", "') }}";
-{%                 endif %}
-{%                 if subnet_config.lease_time is vyos_defined %}
-{%                     if subnet_config.lease_time.default is vyos_defined %}
-        default-lease-time {{ subnet_config.lease_time.default }};
-{%                     endif %}
-{%                     if subnet_config.lease_time.maximum is vyos_defined %}
-        max-lease-time {{ subnet_config.lease_time.maximum }};
-{%                     endif %}
-{%                     if subnet_config.lease_time.minimum is vyos_defined %}
-        min-lease-time {{ subnet_config.lease_time.minimum }};
-{%                     endif %}
-{%                 endif %}
-{%                 if subnet_config.name_server is vyos_defined %}
-        option dhcp6.name-servers {{ subnet_config.name_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.nis_domain is vyos_defined %}
-        option dhcp6.nis-domain-name "{{ subnet_config.nis_domain }}";
-{%                 endif %}
-{%                 if subnet_config.nis_server is vyos_defined %}
-        option dhcp6.nis-servers {{ subnet_config.nis_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.nisplus_domain is vyos_defined %}
-        option dhcp6.nisp-domain-name "{{ subnet_config.nisplus_domain }}";
-{%                 endif %}
-{%                 if subnet_config.nisplus_server is vyos_defined %}
-        option dhcp6.nisp-servers {{ subnet_config.nisplus_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.sip_server is vyos_defined %}
-{%                     set server_ip = [] %}
-{%                     set server_fqdn = [] %}
-{%                     for address in subnet_config.sip_server %}
-{%                         if address | is_ipv6 %}
-{%                             set server_ip = server_ip.append(address) %}
-{%                         else %}
-{%                             set server_fqdn = server_fqdn.append(address) %}
-{%                         endif %}
-{%                     endfor %}
-{%                     if server_ip is vyos_defined and server_ip | length > 0 %}
-        option dhcp6.sip-servers-addresses {{ server_ip | join(', ') }};
-{%                     endif %}
-{%                     if server_fqdn is vyos_defined and server_fqdn | length > 0 %}
-        option dhcp6.sip-servers-names "{{ server_fqdn | join('", "') }}";
-{%                     endif %}
-{%                 endif %}
-{%                 if subnet_config.sntp_server is vyos_defined %}
-        option dhcp6.sntp-servers {{ subnet_config.sntp_server | join(', ') }};
-{%                 endif %}
-{%                 if subnet_config.prefix_delegation.start is vyos_defined %}
-{%                     for prefix, prefix_config in subnet_config.prefix_delegation.start.items() %}
-        prefix6 {{ prefix }} {{ prefix_config.stop }} /{{ prefix_config.prefix_length }};
-{%                     endfor %}
-{%                 endif %}
-{%                 if subnet_config.static_mapping is vyos_defined %}
-
-        # begin configuration of static client mappings
-{%                     for host, host_config in subnet_config.static_mapping.items() if host_config.disable is not vyos_defined %}
-        host {{ network | replace('_','-') }}_{{ host | replace('_','-') }} {
-{%                         if host_config.identifier is vyos_defined %}
-            host-identifier option dhcp6.client-id {{ host_config.identifier }};
-{%                         endif %}
-{%                         if host_config.ipv6_address is vyos_defined %}
-            fixed-address6 {{ host_config.ipv6_address }};
-{%                         endif %}
-{%                         if host_config.ipv6_prefix is vyos_defined %}
-            fixed-prefix6 {{ host_config.ipv6_prefix }};
-{%                         endif %}
-        }
-{%                     endfor %}
-{%                 endif %}
-{%                 if subnet_config.vendor_option.cisco.tftp_server is vyos_defined %}
-        option cisco.tftp-servers {{ subnet_config.vendor_option.cisco.tftp_server | join(', ') }};
-{%                 endif %}
-    }
-{%             endfor %}
-{%         endif %}
-    on commit {
-        set shared-networkname = "{{ network }}";
-    }
-}
-{%     endfor %}
-{% endif %}
diff --git a/data/templates/dhcp-server/kea-ctrl-agent.conf.j2 b/data/templates/dhcp-server/kea-ctrl-agent.conf.j2
new file mode 100644
index 000000000..74c63a7a0
--- /dev/null
+++ b/data/templates/dhcp-server/kea-ctrl-agent.conf.j2
@@ -0,0 +1,14 @@
+{
+    "Control-agent": {
+{% if failover is vyos_defined %}
+        "http-host": "{{ failover.source_address }}",
+        "http-port": 647,
+        "control-sockets": {
+            "dhcp4": {
+                "socket-type": "unix",
+                "socket-name": "/run/kea/dhcp4-ctrl-socket"
+            }
+        }
+{% endif %}
+    }
+}
diff --git a/data/templates/dhcp-server/kea-dhcp4.conf.j2 b/data/templates/dhcp-server/kea-dhcp4.conf.j2
new file mode 100644
index 000000000..629fa952a
--- /dev/null
+++ b/data/templates/dhcp-server/kea-dhcp4.conf.j2
@@ -0,0 +1,80 @@
+{
+    "Dhcp4": {
+        "interfaces-config": {
+{% if listen_address is vyos_defined %}
+            "interfaces": {{ listen_address | kea_address_json }},
+            "dhcp-socket-type": "udp",
+{% elif listen_interface is vyos_defined %}
+            "interfaces": {{ listen_interface | tojson }},
+            "dhcp-socket-type": "raw",
+{% else %}
+            "interfaces": [ "*" ],
+            "dhcp-socket-type": "raw",
+{% endif %}
+            "service-sockets-max-retries": 5,
+            "service-sockets-retry-wait-time": 5000
+        },
+        "control-socket": {
+            "socket-type": "unix",
+            "socket-name": "/run/kea/dhcp4-ctrl-socket"
+        },
+        "lease-database": {
+            "type": "memfile",
+            "persist": true,
+            "name": "{{ lease_file }}"
+        },
+        "option-def": [
+            {
+                "name": "rfc3442-static-route",
+                "code": 121,
+                "type": "record",
+                "array": true,
+                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8"
+            },
+            {
+                "name": "windows-static-route",
+                "code": 249,
+                "type": "record",
+                "array": true,
+                "record-types": "uint8,uint8,uint8,uint8,uint8,uint8,uint8,uint8"
+            },
+            {
+                "name": "wpad-url",
+                "code": 252,
+                "type": "string"
+            },
+            {
+                "name": "unifi-controller",
+                "code": 1,
+                "type": "ipv4-address",
+                "space": "ubnt"
+            }
+        ],
+        "hooks-libraries": [
+{% if failover is vyos_defined %}
+            {
+                "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_ha.so",
+                "parameters": {
+                    "high-availability": [{{ failover | kea_failover_json }}]
+                }
+            },
+{% endif %}
+{% if hostfile_update is vyos_defined %}
+            {
+                "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_run_script.so",
+                "parameters": {
+                    "name": "/usr/libexec/vyos/system/on-dhcp-event.sh",
+                    "sync": false
+                }
+            },
+{% endif %}
+            {
+                "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_lease_cmds.so",
+                "parameters": {}
+            }
+        ],
+{% if shared_network_name is vyos_defined %}
+        "shared-networks": {{ shared_network_name | kea_shared_network_json }}
+{% endif %}
+    }
+}
diff --git a/data/templates/dhcp-server/kea-dhcp6.conf.j2 b/data/templates/dhcp-server/kea-dhcp6.conf.j2
new file mode 100644
index 000000000..2f0de6b30
--- /dev/null
+++ b/data/templates/dhcp-server/kea-dhcp6.conf.j2
@@ -0,0 +1,61 @@
+{
+    "Dhcp6": {
+        "interfaces-config": {
+{% if listen_interface is vyos_defined %}
+            "interfaces": {{ listen_interface | tojson }},
+{% else %}
+            "interfaces": [ "*" ],
+{% endif %}
+            "service-sockets-max-retries": 5,
+            "service-sockets-retry-wait-time": 5000
+        },
+        "control-socket": {
+            "socket-type": "unix",
+            "socket-name": "/run/kea/dhcp6-ctrl-socket"
+        },
+        "lease-database": {
+            "type": "memfile",
+            "persist": true,
+            "name": "{{ lease_file }}"
+        },
+        "hooks-libraries": [
+{% if disable_route_autoinstall is not vyos_defined %}
+            {
+                "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_run_script.so",
+                "parameters": {
+                    "name": "/usr/libexec/vyos/system/on-dhcpv6-event.sh",
+                    "sync": false
+                }
+            },
+{% endif %}
+            {
+                "library": "/usr/lib/{{ machine }}-linux-gnu/kea/hooks/libdhcp_lease_cmds.so",
+                "parameters": {}
+            }
+        ],
+        "option-data": [
+{% if global_parameters.name_server is vyos_defined %}
+            {
+                "name": "dns-servers",
+                "code": 23,
+                "space": "dhcp6",
+                "csv-format": true,
+                "data": "{{ global_parameters.name_server | join(", ") }}"
+            }{{ ',' if preference is vyos_defined else '' }}
+{% endif %}
+{% if preference is vyos_defined %}
+            {
+                "name": "preference",
+                "code": 7,
+                "space": "dhcp6",
+                "csv-format": true,
+                "data": "{{ preference }}"
+            }
+{% endif %}
+        ],
+{% if shared_network_name is vyos_defined %}
+        "shared-networks": {{ shared_network_name | kea6_shared_network_json }}
+{% endif %}
+
+    }
+}
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 6e77abdb5..5538ea56c 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -7,21 +7,21 @@ use{{ ipv }}={{ address if address == 'web' else 'if' }}{{ ipv }}, \
 web{{ ipv }}={{ web_options.url }}, \
 {%         endif %}
 {%         if web_options.skip is vyos_defined %}
-web-skip{{ ipv }}='{{ web_options.skip }}', \
+web{{ ipv }}-skip='{{ web_options.skip }}', \
 {%         endif %}
 {%     else %}
 if{{ ipv }}={{ address }}, \
 {%     endif %}
 {% endfor %}
-{# Other service options #}
+{# Other service options with special treatment for password #}
 {% for k,v in kwargs.items() if v is vyos_defined %}
-{{ k | replace('_', '-') }}={{ v }}{{ ',' if not loop.last }} \
+{{ k | replace('_', '-') }}={{ "'%s'" % (v) if k == 'password' else v }}{{ ',' if not loop.last }} \
 {% endfor %}
 {# Actual hostname for the service #}
 {{ host }}
 {% endmacro %}
-### Autogenerated by dns_dynamic.py ###
-daemon={{ timeout }}
+### Autogenerated by service_dns_dynamic.py ###
+daemon={{ interval }}
 syslog=yes
 ssl=yes
 pid={{ config_file | replace('.conf', '.pid') }}
@@ -31,42 +31,29 @@ web=googledomains
 {# ddclient default (use=ip) results in confusing warning message in log #}
 use=no
 
-{% if address is vyos_defined %}
-{%     for address, service_cfg in address.items() %}
-{%         if service_cfg.rfc2136 is vyos_defined %}
-{%             for name, config in service_cfg.rfc2136.items() %}
-{%                 if config.description is vyos_defined %}
+{% if name is vyos_defined %}
+{%     for service, config in name.items() %}
+{%         if config.description is vyos_defined %}
 
 # {{ config.description }}
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-
-# RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
-{# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
-   to the properties since 'nsupdate' doesn't support that yet. #}
-{{ render_config(host, address, service_cfg.web_options,
-                 protocol='nsupdate', server=config.server, zone=config.zone,
-                 password=config.key, ttl=config.ttl) }}
-{%                 endfor %}
-{%             endfor %}
 {%         endif %}
-{%         if service_cfg.service is vyos_defined %}
-{%             for name, config in service_cfg.service.items() %}
-{%                 if config.description is vyos_defined %}
-
-# {{ config.description }}
-{%                 endif %}
-{%                 for host in config.host_name if config.host_name is vyos_defined %}
-{%                     set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
-                                                      else [config.ip_version[2:]] %}
+{%         for host in config.host_name if config.host_name is vyos_defined %}
+{#             ip_suffixes can be either of ['v4'], ['v6'], ['v4', 'v6'] for all protocols except 'nsupdate'
+               ip_suffixes must be [''] for nsupdate since it doesn't support usevX/wantipvX yet #}
+{%             set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
+                                 else ([config.ip_version[2:]] if config.protocol != 'nsupdate'
+                                       else ['']) %}
+{%             set password = config.key if config.protocol == 'nsupdate'
+                              else config.password %}
+{%             set address = 'web' if config.address.web is vyos_defined
+                              else config.address.interface %}
+{%             set web_options = config.address.web | default({}) %}
 
-# Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
-{{ render_config(host, address, service_cfg.web_options, ip_suffixes,
+# Web service dynamic DNS configuration for {{ service }}: [{{ config.protocol }}, {{ host }}]
+{{ render_config(host, address, web_options, ip_suffixes,
                  protocol=config.protocol, server=config.server, zone=config.zone,
-                 login=config.username, password=config.password, ttl=config.ttl,
+                 login=config.username, password=password, ttl=config.ttl,
                  min_interval=config.wait_time, max_interval=config.expiry_time) }}
-{%                 endfor %}
-{%             endfor %}
-{%         endif %}
+{%         endfor %}
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/dns-forwarding/override.conf.j2 b/data/templates/dns-forwarding/override.conf.j2
new file mode 100644
index 000000000..9d81a2977
--- /dev/null
+++ b/data/templates/dns-forwarding/override.conf.j2
@@ -0,0 +1,8 @@
+[Unit]
+ConditionPathExists={{ config_file }}
+After=vyos-router.service
+
+[Service]
+RuntimeDirectoryPreserve=yes
+ExecStart=
+ExecStart=/usr/sbin/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no --config-dir={{ config_dir }}
diff --git a/data/templates/dns-forwarding/recursor.conf.j2 b/data/templates/dns-forwarding/recursor.conf.j2
index e02e6c13d..5ac872f19 100644
--- a/data/templates/dns-forwarding/recursor.conf.j2
+++ b/data/templates/dns-forwarding/recursor.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=single-statement-per-line #}
-### Autogenerated by dns_forwarding.py ###
+### Autogenerated by service_dns_forwarding.py ###
 
 # XXX: pdns recursor doesn't like whitespace near entry separators,
 # especially in the semicolon-separated lists of name servers.
@@ -12,7 +12,7 @@ allow-from={{ allow_from | join(',') }}
 log-common-errors=yes
 non-local-bind=yes
 query-local-address={{ source_address | join(',') }}
-lua-config-file=recursor.conf.lua
+lua-config-file={{ config_dir }}/recursor.conf.lua
 
 # cache-size
 max-cache-entries={{ cache_size }}
@@ -40,11 +40,34 @@ dnssec={{ dnssec }}
 dns64-prefix={{ dns64_prefix }}
 {% endif %}
 
+{% if exclude_throttle_address is vyos_defined %}
+# dont-throttle-netmasks
+dont-throttle-netmasks={{ exclude_throttle_address | join(',') }}
+{% endif %}
+
+{% if serve_stale_extension is vyos_defined %}
+# serve-stale-extensions
+serve-stale-extensions={{ serve_stale_extension }}
+{% endif %}
+
 # serve rfc1918 records
 serve-rfc1918={{ 'no' if no_serve_rfc1918 is vyos_defined else 'yes' }}
 
 # zones
 auth-zones={% for z in authoritative_zones %}{{ z.name }}={{ z.file }}{{- "," if not loop.last -}}{% endfor %}
 
-forward-zones-file=recursor.forward-zones.conf
+forward-zones-file={{ config_dir }}/recursor.forward-zones.conf
+
+#ecs
+{% if options.ecs_add_for is vyos_defined %}
+ecs-add-for={{ options.ecs_add_for | join(',') }}
+{% endif %}
+
+{% if options.ecs_ipv4_bits is vyos_defined %}
+ecs-ipv4-bits={{ options.ecs_ipv4_bits }}
+{% endif %}
+
+{% if options.edns_subnet_allow_list is vyos_defined %}
+edns-subnet-allow-list={{ options.edns_subnet_allow_list | join(',') }}
+{% endif %}
 
diff --git a/data/templates/dns-forwarding/recursor.conf.lua.j2 b/data/templates/dns-forwarding/recursor.conf.lua.j2
index e2506238d..8026442c7 100644
--- a/data/templates/dns-forwarding/recursor.conf.lua.j2
+++ b/data/templates/dns-forwarding/recursor.conf.lua.j2
@@ -1,9 +1,8 @@
--- Autogenerated by VyOS (dns_forwarding.py) --
+-- Autogenerated by VyOS (service_dns_forwarding.py) --
 -- Do not edit, your changes will get overwritten --
 
 -- Load DNSSEC root keys from dns-root-data package.
 dofile("/usr/share/pdns-recursor/lua-config/rootkeys.lua")
 
 -- Load lua from vyos-hostsd --
-dofile("recursor.vyos-hostsd.conf.lua")
-
+dofile("{{ config_dir }}/recursor.vyos-hostsd.conf.lua")
diff --git a/data/templates/dns-forwarding/recursor.zone.conf.j2 b/data/templates/dns-forwarding/recursor.zone.conf.j2
index 25193c2ec..797068c49 100644
--- a/data/templates/dns-forwarding/recursor.zone.conf.j2
+++ b/data/templates/dns-forwarding/recursor.zone.conf.j2
@@ -1,5 +1,5 @@
 ;
-; Autogenerated by dns_forwarding.py
+; Autogenerated by service_dns_forwarding.py
 ;
 {% for r in records %}
 {{ r.name }}    {{ r.ttl }}    {{ r.type }}    {{ r.value }}
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
index cd35d6d1e..6da2fa5e0 100644
--- a/data/templates/ethernet/wpa_supplicant.conf.j2
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-ethernet.py ###
+### Autogenerated by interfaces_ethernet.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
@@ -74,4 +74,3 @@ network={
     # does not work for VyOS' git builds of wpa_supplicant.
     phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
 }
-
diff --git a/data/templates/firewall/nftables-bridge.j2 b/data/templates/firewall/nftables-bridge.j2
index 7f94e10d6..dec027bf9 100644
--- a/data/templates/firewall/nftables-bridge.j2
+++ b/data/templates/firewall/nftables-bridge.j2
@@ -2,9 +2,8 @@
 {% set ns = namespace(sets=[]) %}
 {% if bridge.forward is vyos_defined %}
 {%     for prior, conf in bridge.forward.items() %}
-{%         set def_action = conf.default_action %}
     chain VYOS_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
 {%         if conf.rule is vyos_defined %}
 {%             for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
     {{ rule_conf | nft_rule('FWD', prior, rule_id, 'bri') }}
@@ -13,6 +12,7 @@
 {%                 endif %}
 {%             endfor %}
 {%         endif %}
+    {{ conf | nft_default_rule('FWD-filter', 'bri') }}
     }
 {%     endfor %}
 {% endif %}
@@ -28,7 +28,7 @@
 {%                 endif %}
 {%             endfor %}
 {%         endif %}
-    {{ conf | nft_default_rule(name_text) }}
+    {{ conf | nft_default_rule(name_text, 'bri') }}
     }
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/firewall/nftables-defines.j2 b/data/templates/firewall/nftables-defines.j2
index a20c399ae..8a75ab2d6 100644
--- a/data/templates/firewall/nftables-defines.j2
+++ b/data/templates/firewall/nftables-defines.j2
@@ -98,5 +98,26 @@
     }
 {%         endfor %}
 {%     endif %}
+
+{%     if group.dynamic_group is vyos_defined %}
+{%         if group.dynamic_group.address_group is vyos_defined and not is_ipv6 and is_l3 %}
+{%             for group_name, group_conf in group.dynamic_group.address_group.items() %}
+    set DA_{{ group_name }} {
+        type {{ ip_type }}
+        flags dynamic, timeout
+    }
+{%             endfor %}
+{%         endif %}
+
+{%         if group.dynamic_group.ipv6_address_group is vyos_defined and is_ipv6 and is_l3 %}
+{%             for group_name, group_conf in group.dynamic_group.ipv6_address_group.items() %}
+    set DA6_{{ group_name }} {
+        type {{ ip_type }}
+        flags dynamic, timeout
+    }
+{%             endfor %}
+{%         endif %}
+{%     endif %}
+
 {% endif %}
 {% endmacro %}
diff --git a/data/templates/firewall/nftables-policy.j2 b/data/templates/firewall/nftables-policy.j2
index d77e3f6e9..9e28899b0 100644
--- a/data/templates/firewall/nftables-policy.j2
+++ b/data/templates/firewall/nftables-policy.j2
@@ -28,6 +28,9 @@ table ip vyos_mangle {
         {{ rule_conf | nft_rule('route', route_text, rule_id, 'ip') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv4-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
@@ -57,6 +60,9 @@ table ip6 vyos_mangle {
         {{ rule_conf | nft_rule('route6', route_text, rule_id, 'ip6') }}
 {%             endfor %}
 {%         endif %}
+{%         if conf.default_log is vyos_defined %}
+        counter log prefix "[ipv6-{{ (route_text)[:19] }}-default]"
+{%         endif %}
     }
 {%     endfor %}
 {% endif %}
diff --git a/data/templates/firewall/nftables-vrf-zones.j2 b/data/templates/firewall/nftables-vrf-zones.j2
deleted file mode 100644
index 3bce7312d..000000000
--- a/data/templates/firewall/nftables-vrf-zones.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-table inet vrf_zones {
-  # Map of interfaces and connections tracking zones
-  map ct_iface_map {
-    typeof iifname : ct zone
-  }
-  # Assign unique zones for each VRF
-  # Chain for inbound traffic
-  chain vrf_zones_ct_in {
-    type filter hook prerouting priority raw; policy accept;
-    counter ct original zone set iifname map @ct_iface_map
-  }
-  # Chain for locally-generated traffic
-  chain vrf_zones_ct_out {
-    type filter hook output priority raw; policy accept;
-    counter ct original zone set oifname map @ct_iface_map
-  }
-}
diff --git a/data/templates/firewall/nftables-zone.j2 b/data/templates/firewall/nftables-zone.j2
new file mode 100644
index 000000000..e78725079
--- /dev/null
+++ b/data/templates/firewall/nftables-zone.j2
@@ -0,0 +1,77 @@
+{% macro zone_chains(zone, ipv6=False, state_policy=False) %}
+{% set fw_name = 'ipv6_name' if ipv6 else 'name' %}
+{% set suffix = '6' if ipv6 else '' %}
+    chain VYOS_ZONE_FORWARD {
+        type filter hook forward priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' not in zone_conf %}
+        oifname { {{ zone_conf.interface | join(',') }} } counter jump VZONE_{{ zone_name }}
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_LOCAL {
+        type filter hook input priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_IN
+{%     endif %}
+{% endfor %}
+    }
+    chain VYOS_ZONE_OUTPUT {
+        type filter hook output priority 1; policy accept;
+{% if state_policy %}
+        jump VYOS_STATE_POLICY{{ suffix }}
+{% endif %}
+{% for zone_name, zone_conf in zone.items() %}
+{%     if 'local_zone' in zone_conf %}
+        counter jump VZONE_{{ zone_name }}_OUT
+{%     endif %}
+{% endfor %}
+    }
+{% for zone_name, zone_conf in zone.items() %}
+{%     if zone_conf.local_zone is vyos_defined %}
+    chain VZONE_{{ zone_name }}_IN {
+        iifname lo counter return
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
+    }
+    chain VZONE_{{ zone_name }}_OUT {
+        oifname lo counter return
+{%         if zone_conf.from_local is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from_local.items() if from_conf.firewall[fw_name] is vyos_defined %}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        oifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
+    }
+{%     else %}
+    chain VZONE_{{ zone_name }} {
+        iifname { {{ zone_conf.interface | join(",") }} } counter {{ zone_conf | nft_intra_zone_action(ipv6) }}
+{%         if zone_conf.intra_zone_filtering is vyos_defined %}
+        iifname { {{ zone_conf.interface | join(",") }} } counter return
+{%         endif %}
+{%         if zone_conf.from is vyos_defined %}
+{%             for from_zone, from_conf in zone_conf.from.items() if from_conf.firewall[fw_name] is vyos_defined %}
+{%                 if zone[from_zone].local_zone is not defined %}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter jump NAME{{ suffix }}_{{ from_conf.firewall[fw_name] }}
+        iifname { {{ zone[from_zone].interface | join(",") }} } counter return
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+        {{ zone_conf | nft_default_rule('zone_' + zone_name, family) }}
+    }
+{%     endif %}
+{% endfor %}
+{% endmacro %}
\ No newline at end of file
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 75800ee3d..833df3a67 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -3,6 +3,7 @@
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 {% import 'firewall/nftables-bridge.j2' as bridge_tmpl %}
 {% import 'firewall/nftables-offload.j2' as offload_tmpl %}
+{% import 'firewall/nftables-zone.j2' as zone_tmpl %}
 
 flush chain raw vyos_global_rpfilter
 flush chain ip6 raw vyos_global_rpfilter
@@ -43,9 +44,11 @@ table ip vyos_filter {
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv4.forward is vyos_defined %}
 {%         for prior, conf in ipv4.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id) }}
@@ -54,15 +57,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter', 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.input is vyos_defined %}
 {%         for prior, conf in ipv4.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP',prior, rule_id) }}
@@ -71,15 +77,18 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter', 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv4.output is vyos_defined %}
 {%         for prior, conf in ipv4.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id) }}
@@ -88,6 +97,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter', 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -97,9 +107,8 @@ table ip vyos_filter {
     }
 {%     if ipv4.prerouting is vyos_defined %}
 {%         for prior, conf in ipv4.prerouting.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_PREROUTING_{{ prior }} {
-        type filter hook prerouting priority {{ prior }}; policy {{ def_action }};
+        type filter hook prerouting priority {{ prior }}; policy accept;
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('PRE', prior, rule_id) }}
@@ -108,7 +117,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule(prior) }}
+        {{ conf | nft_default_rule('PRE-filter', 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -124,7 +133,7 @@ table ip vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule(name_text) }}
+        {{ conf | nft_default_rule(name_text, 'ipv4') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -152,6 +161,24 @@ table ip vyos_filter {
 {%     endif %}
 {% endif %}
 {{ group_tmpl.groups(group, False, True) }}
+
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, False, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
 }
 
 {% if first_install is not vyos_defined %}
@@ -168,9 +195,11 @@ table ip6 vyos_filter {
 {%     set ns = namespace(sets=[]) %}
 {%     if ipv6.forward is vyos_defined %}
 {%         for prior, conf in ipv6.forward.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_FORWARD_{{ prior }} {
-        type filter hook forward priority {{ prior }}; policy {{ def_action }};
+        type filter hook forward priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('FWD', prior, rule_id ,'ip6') }}
@@ -179,15 +208,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('FWD-filter', 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.input is vyos_defined %}
 {%         for prior, conf in ipv6.input.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_INPUT_{{ prior }} {
-        type filter hook input priority {{ prior }}; policy {{ def_action }};
+        type filter hook input priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('INP', prior, rule_id ,'ip6') }}
@@ -196,15 +228,18 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('INP-filter', 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
 
 {%     if ipv6.output is vyos_defined %}
 {%         for prior, conf in ipv6.output.items() %}
-{%             set def_action = conf.default_action %}
     chain VYOS_IPV6_OUTPUT_{{ prior }} {
-        type filter hook output priority {{ prior }}; policy {{ def_action }};
+        type filter hook output priority {{ prior }}; policy accept;
+{%             if global_options.state_policy is vyos_defined %}
+        jump VYOS_STATE_POLICY6
+{%             endif %}
 {%             if conf.rule is vyos_defined %}
 {%                 for rule_id, rule_conf in conf.rule.items() if rule_conf.disable is not vyos_defined %}
         {{ rule_conf | nft_rule('OUT', prior, rule_id ,'ip6') }}
@@ -213,6 +248,7 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
+        {{ conf | nft_default_rule('OUT-filter', 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -233,7 +269,7 @@ table ip6 vyos_filter {
 {%                     endif %}
 {%                 endfor %}
 {%             endif %}
-        {{ conf | nft_default_rule(name_text, ipv6=True) }}
+        {{ conf | nft_default_rule(name_text, 'ipv6') }}
     }
 {%         endfor %}
 {%     endif %}
@@ -261,6 +297,23 @@ table ip6 vyos_filter {
 {%     endif %}
 {% endif %}
 {{ group_tmpl.groups(group, True, True) }}
+{% if zone is vyos_defined %}
+{{ zone_tmpl.zone_chains(zone, True, global_options.state_policy is vyos_defined) }}
+{% endif %}
+{% if global_options.state_policy is vyos_defined %}
+    chain VYOS_STATE_POLICY6 {
+{%     if global_options.state_policy.established is vyos_defined %}
+        {{ global_options.state_policy.established | nft_state_policy('established') }}
+{%     endif %}
+{%     if global_options.state_policy.invalid is vyos_defined %}
+        {{ global_options.state_policy.invalid | nft_state_policy('invalid') }}
+{%     endif %}
+{%     if global_options.state_policy.related is vyos_defined %}
+        {{ global_options.state_policy.related | nft_state_policy('related') }}
+{%     endif %}
+        return
+    }
+{% endif %}
 }
 
 ## Bridge Firewall
@@ -270,4 +323,5 @@ delete table bridge vyos_filter
 table bridge vyos_filter {
 {{ bridge_tmpl.bridge(bridge) }}
 {{ group_tmpl.groups(group, False, False) }}
+
 }
diff --git a/data/templates/firewall/upnpd.conf.j2 b/data/templates/firewall/upnpd.conf.j2
index e964fc696..616e8869f 100644
--- a/data/templates/firewall/upnpd.conf.j2
+++ b/data/templates/firewall/upnpd.conf.j2
@@ -3,13 +3,42 @@
 # WAN network interface
 ext_ifname={{ wan_interface }}
 {% if wan_ip is vyos_defined %}
+
+# if the WAN network interface for IPv6 is different than for IPv4,
+# set ext_ifname6
+#ext_ifname6=eth2
+
 # If the WAN interface has several IP addresses, you
-# can specify the one to use below
+# can specify the one to use below.
+# Setting ext_ip is also useful in double NAT setup, you can declare here
+# the public IP address.
 {%     for addr in wan_ip %}
 ext_ip={{ addr }}
 {%     endfor  %}
 {% endif %}
 
+{% if stun is vyos_defined %}
+# WAN interface must have public IP address. Otherwise it is behind NAT
+# and port forwarding is impossible. In some cases WAN interface can be
+# behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
+# routed to WAN interfaces without any filtering. In this cases miniupnpd
+# needs to know public IP address and it can be learnt by asking external
+# server via STUN protocol. Following option enable retrieving external
+# public IP address from STUN server and detection of NAT type. You need
+# to specify also external STUN server in stun_host option below.
+# This option is disabled by default.
+ext_perform_stun=yes
+# Specify STUN server, either hostname or IP address
+# Some public STUN servers:
+#  stun.stunprotocol.org
+#  stun.sipgate.net
+#  stun.xten.com
+#  stun.l.google.com (on non standard port 19302)
+ext_stun_host={{ stun.host }}
+# Specify STUN UDP port, by default it is standard port 3478.
+ext_stun_port={{ stun.port }}
+{% endif %}
+
 # LAN network interfaces IPs / networks
 {% if listen is vyos_defined %}
 # There can be multiple listening IPs for SSDP traffic, in that case
@@ -20,6 +49,9 @@ ext_ip={{ addr }}
 # When MULTIPLE_EXTERNAL_IP is enabled, the external IP
 # address associated with the subnet follows. For example:
 #  listening_ip=192.168.0.1/24 88.22.44.13
+# When MULTIPLE_EXTERNAL_IP is disabled, you can list associated network
+# interfaces (for bridges)
+#  listening_ip=bridge0 em0 wlan0
 {%     for addr in listen %}
 {%         if addr | is_ipv4  %}
 listening_ip={{ addr }}
@@ -65,6 +97,18 @@ min_lifetime={{ pcp_lifetime.min }}
 {%     endif %}
 {% endif %}
 
+# table names for netfilter nft. Default is "filter" for both
+#upnp_table_name=
+#upnp_nat_table_name=
+# chain names for netfilter and netfilter nft
+# netfilter : default are MINIUPNPD, MINIUPNPD, MINIUPNPD-POSTROUTING
+# netfilter nft : default are miniupnpd, prerouting_miniupnpd, postrouting_miniupnpd
+#upnp_forward_chain=forwardUPnP
+#upnp_nat_chain=UPnP
+#upnp_nat_postrouting_chain=UPnP-Postrouting
+
+# Lease file location
+lease_file=/config/upnp.leases
 
 # To enable the next few runtime options, see compile time
 # ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
@@ -89,6 +133,11 @@ model_description=Vyos open source enterprise router/firewall operating system
 # Model URL, default is URL of OS vendor
 model_url=https://vyos.io/
 
+# Bitrates reported by daemon in bits per second
+# by default miniupnpd tries to get WAN interface speed
+#bitrate_up=1000000
+#bitrate_down=10000000
+
 {% if secure_mode is vyos_defined %}
 # Secure Mode, UPnP clients can only add mappings to their own IP
 secure_mode=yes
@@ -108,6 +157,10 @@ secure_mode=no
 # Report system uptime instead of daemon uptime
 system_uptime=yes
 
+# Notify interval in seconds. default is 30 seconds.
+#notify_interval=240
+notify_interval=60
+
 # Unused rules cleaning.
 # never remove any rule before this threshold for the number
 # of redirections is exceeded. default to 20
@@ -116,25 +169,46 @@ clean_ruleset_threshold=10
 # a 600 seconds (10 minutes) interval makes sense
 clean_ruleset_interval=600
 
+############################################################################
+## The next 5 config parameters (packet_log, anchor, queue, tag, quickrules)
+## are specific to BSD's pf(4) packet filter and hence cannot be enabled in
+## VyOS.
+# Log packets in pf (default is no)
+#packet_log=no
+
 # Anchor name in pf (default is miniupnpd)
-# Something wrong with this option "anchor", comment it out
-#   vyos@r14# miniupnpd -vv -f /run/upnp/miniupnp.conf
-#   invalid option in file /run/upnp/miniupnp.conf line 74 : anchor=VyOS
-#anchor=VyOS
+#anchor=miniupnpd
 
-uuid={{ uuid }}
+# ALTQ queue in pf
+# Filter rules must be used for this to be used.
+# compile with PF_ENABLE_FILTER_RULES (see config.h file)
+#queue=queue_name1
 
-# Lease file location
-lease_file=/config/upnp.leases
+# Tag name in pf
+#tag=tag_name1
+
+# Make filter rules in pf quick or not. default is yes
+# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
+#quickrules=no
+##
+## End of pf(4)-specific configuration not to be set in VyOS.
+############################################################################
+
+# UUID, generate your own UUID with "make genuuid"
+uuid={{ uuid }}
 
 # Daemon's serial and model number when reporting to clients
 # (in XML description)
 #serial=12345678
 #model_number=1
 
+# If compiled with IGD_V2 defined, force reporting IGDv1 in rootDesc (default
+# is no)
+#force_igd_desc_v1=no
+
 {% if rule is vyos_defined %}
-# UPnP permission rules
-# (allow|deny) (external port range) IP/mask (internal port range)
+# UPnP permission rules (also enforced for NAT-PMP and PCP)
+# (allow|deny) (external port range) IP/mask (internal port range) (optional regex filter)
 # A port range is <min port>-<max port> or <port> if there is only
 # one port in the range.
 # IP/mask format must be nnn.nnn.nnn.nnn/nn
@@ -151,25 +225,3 @@ lease_file=/config/upnp.leases
 {%         endif %}
 {%     endfor %}
 {% endif %}
-
-{% if stun is vyos_defined %}
-# WAN interface must have public IP address. Otherwise it is behind NAT
-# and port forwarding is impossible. In some cases WAN interface can be
-# behind unrestricted NAT 1:1 when all incoming traffic is NAT-ed and
-# routed to WAN interfaces without any filtering. In this cases miniupnpd
-# needs to know public IP address and it can be learnt by asking external
-# server via STUN protocol. Following option enable retrieving external
-# public IP address from STUN server and detection of NAT type. You need
-# to specify also external STUN server in stun_host option below.
-# This option is disabled by default.
-ext_perform_stun=yes
-# Specify STUN server, either hostname or IP address
-# Some public STUN servers:
-#  stun.stunprotocol.org
-#  stun.sipgate.net
-#  stun.xten.com
-#  stun.l.google.com (on non standard port 19302)
-ext_stun_host={{ stun.host }}
-# Specify STUN UDP port, by default it is standard port 3478.
-ext_stun_port={{ stun.port }}
-{% endif %}
diff --git a/data/templates/frr/bfdd.frr.j2 b/data/templates/frr/bfdd.frr.j2
index c4adeb402..f3303e401 100644
--- a/data/templates/frr/bfdd.frr.j2
+++ b/data/templates/frr/bfdd.frr.j2
@@ -13,6 +13,9 @@ bfd
 {%             if profile_config.echo_mode is vyos_defined %}
   echo-mode
 {%             endif %}
+{%             if profile_config.minimum_ttl is vyos_defined %}
+  minimum-ttl {{ profile_config.minimum_ttl }}
+{%             endif %}
 {%             if profile_config.passive is vyos_defined %}
   passive-mode
 {%             endif %}
@@ -38,6 +41,9 @@ bfd
 {%             if peer_config.echo_mode is vyos_defined %}
   echo-mode
 {%             endif %}
+{%             if peer_config.minimum_ttl is vyos_defined %}
+  minimum-ttl {{ peer_config.minimum_ttl }}
+{%             endif %}
 {%             if peer_config.passive is vyos_defined %}
   passive-mode
 {%             endif %}
diff --git a/data/templates/frr/bgpd.frr.j2 b/data/templates/frr/bgpd.frr.j2
index d724dbd79..23f81348b 100644
--- a/data/templates/frr/bgpd.frr.j2
+++ b/data/templates/frr/bgpd.frr.j2
@@ -225,10 +225,10 @@
   neighbor {{ neighbor }} route-map {{ afi_config.route_map.import }} in
 {%         endif %}
 {%         if afi_config.prefix_list.export is vyos_defined %}
-  neighbor {{ neighbor }} prefix-list  {{ afi_config.prefix_list.export }} out
+  neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.export }} out
 {%         endif %}
 {%         if afi_config.prefix_list.import is vyos_defined %}
-  neighbor {{ neighbor }} prefix-list  {{ afi_config.prefix_list.import }} in
+  neighbor {{ neighbor }} prefix-list {{ afi_config.prefix_list.import }} in
 {%         endif %}
 {%         if afi_config.soft_reconfiguration.inbound is vyos_defined %}
   neighbor {{ neighbor }} soft-reconfiguration inbound
@@ -237,10 +237,10 @@
   neighbor {{ neighbor }} unsuppress-map {{ afi_config.unsuppress_map }}
 {%         endif %}
 {%         if afi_config.disable_send_community.extended is vyos_defined %}
- no neighbor {{ neighbor }} send-community extended
+  no neighbor {{ neighbor }} send-community extended
 {%         endif %}
 {%         if afi_config.disable_send_community.standard is vyos_defined %}
- no neighbor {{ neighbor }} send-community standard
+  no neighbor {{ neighbor }} send-community standard
 {%         endif %}
   neighbor {{ neighbor }} activate
  exit-address-family
@@ -373,6 +373,26 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         if afi_config.advertise_svi_ip is vyos_defined %}
   advertise-svi-ip
 {%         endif %}
+{%         if afi_config.default_originate.ipv4 is vyos_defined %}
+  default-originate ipv4
+{%         endif %}
+{%         if afi_config.default_originate.ipv6 is vyos_defined %}
+  default-originate ipv6
+{%         endif %}
+{%         if afi_config.disable_ead_evi_rx is vyos_defined %}
+  disable-ead-evi-rx
+{%         endif %}
+{%         if afi_config.disable_ead_evi_tx is vyos_defined %}
+  disable-ead-evi-tx
+{%         endif %}
+{%         if afi_config.ead_es_frag.evi_limit is vyos_defined %}
+  ead-es-frag evi-limit {{ afi_config.ead_es_frag.evi_limit }}
+{%         endif %}
+{%         if afi_config.ead_es_route_target.export is vyos_defined %}
+{%             for route_target in afi_config.ead_es_route_target.export %}
+ ead-es-route-target export {{ route_target }}
+{%             endfor %}
+{%         endif %}
 {%         if afi_config.rt_auto_derive is vyos_defined %}
   autort rfc8365-compatible
 {%         endif %}
@@ -382,6 +402,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         if afi_config.flooding.head_end_replication is vyos_defined %}
   flooding head-end-replication
 {%         endif %}
+{%         if afi_config.nexthop.vpn.export is vyos_defined %}
+  nexthop vpn export {{ afi_config.nexthop.vpn.export }}
+{%         endif %}
 {%         if afi_config.rd.vpn.export is vyos_defined %}
   rd vpn export {{ afi_config.rd.vpn.export }}
 {%         endif %}
@@ -416,6 +439,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         if afi_config.route_map.vpn.import is vyos_defined %}
   route-map vpn import {{ afi_config.route_map.vpn.import }}
 {%         endif %}
+{%         if afi_config.sid.vpn.export is vyos_defined %}
+ sid vpn export {{ afi_config.sid.vpn.export }}
+{%         endif %}
 {%         if afi_config.vni is vyos_defined %}
 {%             for vni, vni_config in afi_config.vni.items() %}
   vni {{ vni }}
@@ -447,9 +473,42 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%             endfor %}
 {%         endif %}
  exit-address-family
+ !
 {%     endfor %}
 {% endif %}
  !
+{% if bmp is vyos_defined %}
+{%     if bmp.mirror_buffer_limit is vyos_defined %}
+ bmp mirror buffer-limit {{ bmp.mirror_buffer_limit }}
+ !
+{%     endif %}
+{%     if bmp.target is vyos_defined %}
+{%         for bmp, bmp_config in bmp.target.items() %}
+ bmp targets {{ bmp }}
+{%             if bmp_config.mirror is vyos_defined %}
+  bmp mirror
+{%             endif %}
+{%             if bmp_config.monitor is vyos_defined %}
+{%                 if bmp_config.monitor.ipv4_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv4 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv4_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv4 unicast post-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.pre_policy is vyos_defined %}
+  bmp monitor ipv6 unicast pre-policy
+{%                 endif %}
+{%                 if bmp_config.monitor.ipv6_unicast.post_policy is vyos_defined %}
+  bmp monitor ipv6 unicast post-policy
+{%                 endif %}
+{%             endif %}
+{%             if bmp_config.address is vyos_defined %}
+  bmp connect {{ bmp_config.address }} port {{ bmp_config.port }} min-retry {{ bmp_config.min_retry }} max-retry {{ bmp_config.max_retry }}
+{%             endif %}
+{%         endfor %}
+ exit
+{%     endif %}
+{% endif %}
 {% if peer_group is vyos_defined %}
 {%     for peer, config in peer_group.items() %}
 {{ bgp_neighbor(peer, config, true) }}
@@ -472,6 +531,9 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {%         endif %}
 {%     endfor %}
 {% endif %}
+{% if parameters.allow_martian_nexthop is vyos_defined %}
+ bgp allow-martian-nexthop
+{% endif %}
 {% if parameters.always_compare_med is vyos_defined %}
  bgp always-compare-med
 {% endif %}
@@ -532,6 +594,12 @@ router bgp {{ system_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
 {% if parameters.graceful_shutdown is vyos_defined %}
  bgp graceful-shutdown
 {% endif %}
+{% if parameters.no_hard_administrative_reset is vyos_defined %}
+ no bgp hard-administrative-reset
+{% endif %}
+{% if parameters.labeled_unicast is vyos_defined %}
+ bgp labeled-unicast {{ parameters.labeled_unicast }}
+{% endif %}
 {% if parameters.log_neighbor_changes is vyos_defined %}
  bgp log-neighbor-changes
 {% endif %}
@@ -568,6 +636,14 @@ bgp route-reflector allow-outbound-policy
 {% if parameters.tcp_keepalive.idle is vyos_defined and parameters.tcp_keepalive.interval is vyos_defined and parameters.tcp_keepalive.probes is vyos_defined %}
  bgp tcp-keepalive {{ parameters.tcp_keepalive.idle }} {{ parameters.tcp_keepalive.interval }} {{ parameters.tcp_keepalive.probes }}
 {% endif %}
+{% if srv6.locator is vyos_defined %}
+ segment-routing srv6
+  locator {{ srv6.locator }}
+ exit
+{% endif %}
+{% if sid.vpn.per_vrf.export is vyos_defined %}
+ sid vpn per-vrf export {{ sid.vpn.per_vrf.export }}
+{% endif %}
 {% if timers.keepalive is vyos_defined and timers.holdtime is vyos_defined %}
  timers bgp {{ timers.keepalive }} {{ timers.holdtime }}
 {% endif %}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index a65f0868a..339b4e52f 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -101,14 +101,13 @@ pathd_options="  --daemon -A 127.0.0.1"
 #
 
 vtysh_enable=yes
-watchfrr_enable=no
+watchfrr_enable=yes
 valgrind_enable=no
 
 #watchfrr_options=""
 
 frr_profile="traditional"
 
-#MAX_FDS=1024
+MAX_FDS={{ descriptors }}
 
 #FRR_NO_ROOT="yes"
-
diff --git a/data/templates/frr/eigrpd.frr.j2 b/data/templates/frr/eigrpd.frr.j2
index 67f8a3ad1..3038a0b1d 100644
--- a/data/templates/frr/eigrpd.frr.j2
+++ b/data/templates/frr/eigrpd.frr.j2
@@ -1,21 +1,21 @@
-!

-router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}

-{% if maximum_paths is vyos_defined %}

-maximum-paths {{ maximum_paths }}

-{% endif %}

-{% if metric.weights is vyos_defined %}

-metric weights {{ metric.weights }}

-{% endif %}

-{% if network is vyos_defined %}

-{%     for net in network %}

-network {{ net }}

-{%     endfor %}

-{% endif %}

-{% if redistribute is vyos_defined %}

-{%     for protocol in redistribute %}

-redistribute {{ protocol }}

-{%     endfor %}

-{% endif %}

-{% if variance is vyos_defined %}

-variance {{ variance }}

+!
+router eigrp {{ local_as }} {{ 'vrf ' ~ vrf if vrf is vyos_defined }}
+{% if maximum_paths is vyos_defined %}
+maximum-paths {{ maximum_paths }}
+{% endif %}
+{% if metric.weights is vyos_defined %}
+metric weights {{ metric.weights }}
+{% endif %}
+{% if network is vyos_defined %}
+{%     for net in network %}
+network {{ net }}
+{%     endfor %}
+{% endif %}
+{% if redistribute is vyos_defined %}
+{%     for protocol in redistribute %}
+redistribute {{ protocol }}
+{%     endfor %}
+{% endif %}
+{% if variance is vyos_defined %}
+variance {{ variance }}
 {% endif %}
\ No newline at end of file
diff --git a/data/templates/frr/evpn.mh.frr.j2 b/data/templates/frr/evpn.mh.frr.j2
new file mode 100644
index 000000000..03aaac44b
--- /dev/null
+++ b/data/templates/frr/evpn.mh.frr.j2
@@ -0,0 +1,16 @@
+!
+interface {{ ifname }}
+{% if evpn.es_df_pref is vyos_defined %}
+ evpn mh es-df-pref {{ evpn.es_df_pref }}
+{% endif %}
+{% if evpn.es_id is vyos_defined %}
+ evpn mh es-id {{ evpn.es_id }}
+{% endif %}
+{% if evpn.es_sys_mac is vyos_defined %}
+ evpn mh es-sys-mac {{ evpn.es_sys_mac }}
+{% endif %}
+{% if evpn.uplink is vyos_defined %}
+ evpn mh uplink
+{% endif %}
+exit
+!
diff --git a/data/templates/frr/igmp.frr.j2 b/data/templates/frr/igmp.frr.j2
deleted file mode 100644
index b75884484..000000000
--- a/data/templates/frr/igmp.frr.j2
+++ /dev/null
@@ -1,41 +0,0 @@
-!
-{% for iface in old_ifaces %}
-interface {{ iface }}
-{%     for group in old_ifaces[iface].gr_join %}
-{%         if old_ifaces[iface].gr_join[group] %}
-{%             for source in old_ifaces[iface].gr_join[group] %}
- no ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- no ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
- no ip igmp
-!
-{% endfor %}
-{% for interface, interface_config in ifaces.items() %}
-interface {{ interface }}
-{%     if interface_config.version %}
- ip igmp version {{ interface_config.version }}
-{%     else %}
-{# IGMP default version 3 #}
- ip igmp
-{%     endif %}
-{%     if interface_config.query_interval %}
- ip igmp query-interval {{ interface_config.query_interval }}
-{%     endif %}
-{%     if interface_config.query_max_resp_time %}
- ip igmp query-max-response-time {{ interface_config.query_max_resp_time }}
-{%     endif %}
-{%     for group, sources in interface_config.gr_join.items() %}
-{%         if sources is vyos_defined %}
-{%             for source in sources %}
- ip igmp join {{ group }} {{ source }}
-{%             endfor %}
-{%         else %}
- ip igmp join {{ group }}
-{%         endif %}
-{%     endfor %}
-!
-{% endfor %}
-!
diff --git a/data/templates/frr/isisd.frr.j2 b/data/templates/frr/isisd.frr.j2
index dbb8c7305..1e1cc3c27 100644
--- a/data/templates/frr/isisd.frr.j2
+++ b/data/templates/frr/isisd.frr.j2
@@ -165,6 +165,48 @@ advertise-passive-only
 {%         endfor %}
 {%     endfor %}
 {% endif %}
+{% if fast_reroute.lfa is vyos_defined %}
+{%     if fast_reroute.lfa.local is vyos_defined %}
+{%         if fast_reroute.lfa.local.load_sharing.disable.level_1 is vyos_defined %}
+ fast-reroute load-sharing disable level-1
+{%         elif fast_reroute.lfa.local.load_sharing.disable.level_2 is vyos_defined %}
+ fast-reroute load-sharing disable level-2
+{%         elif fast_reroute.lfa.local.load_sharing.disable is vyos_defined %}
+ fast-reroute load-sharing disable
+{%         endif %}
+{%         if fast_reroute.lfa.local.priority_limit is vyos_defined %}
+{%             for priority, priority_limit_options in fast_reroute.lfa.local.priority_limit.items() %}
+{%                 for level in priority_limit_options %}
+ fast-reroute priority-limit {{ priority }} {{ level | replace('_', '-') }}
+{%                 endfor %}                   
+{%             endfor %}
+{%         endif %}
+{%         if fast_reroute.lfa.local.tiebreaker is vyos_defined %}
+{%             for tiebreaker, tiebreaker_options in fast_reroute.lfa.local.tiebreaker.items() %}
+{%                 for index, index_options in tiebreaker_options.items() %}
+{%                     for index_value, index_value_options in index_options.items() %}
+{%                         for level in index_value_options %}
+ fast-reroute lfa tiebreaker {{ tiebreaker | replace('_', '-') }} index {{ index_value }} {{ level | replace('_', '-') }}
+{%                         endfor %}
+{%                     endfor %}
+{%                 endfor %}
+{%             endfor %}
+{%         endif %}
+{%     endif %}
+{%     if fast_reroute.lfa.remote.prefix_list is vyos_defined %}
+{%         for prefix_list, prefix_list_options in fast_reroute.lfa.remote.prefix_list.items() %}
+{%             if prefix_list_options.level_1 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-1
+{%             endif %}
+{%             if prefix_list_options.level_2 is vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }} level-2
+{%             endif %}
+{%             if prefix_list is vyos_defined and prefix_list_options.level_1 is not vyos_defined and prefix_list_options.level_2 is not vyos_defined %}
+fast-reroute remote-lfa prefix-list {{ prefix_list }}
+{%             endif %}
+{%         endfor %}
+{%     endif %}
+{% endif %}
 {% if redistribute.ipv4 is vyos_defined %}
 {%     for protocol, protocol_options in redistribute.ipv4.items() %}
 {%         for level, level_config in protocol_options.items() %}
diff --git a/data/templates/frr/ldpd.frr.j2 b/data/templates/frr/ldpd.frr.j2
index 11aff331a..9a893cc55 100644
--- a/data/templates/frr/ldpd.frr.j2
+++ b/data/templates/frr/ldpd.frr.j2
@@ -14,19 +14,19 @@ mpls ldp
  ordered-control
 {%     endif %}
 {%     if ldp.neighbor is vyos_defined %}
-{%         for neighbor, neighbor_config in ldp.neighbor %}
+{%         for neighbor, neighbor_config in ldp.neighbor.items() %}
 {%             if neighbor_config.password is vyos_defined %}
- neighbor {{ neighbors }} password {{ neighbor_config.password }}
+ neighbor {{ neighbor }} password {{ neighbor_config.password }}
 {%             endif %}
 {%             if neighbor_config.ttl_security is vyos_defined %}
 {%                 if neighbor_config.ttl_security.disable is vyos_defined %}
- neighbor {{ neighbors }} ttl-security disable
+ neighbor {{ neighbor }} ttl-security disable
 {%                 else %}
- neighbor {{ neighbors }} ttl-security hops {{ neighbor_config.ttl_security }}
+ neighbor {{ neighbor }} ttl-security hops {{ neighbor_config.ttl_security }}
 {%                 endif %}
 {%             endif %}
 {%             if neighbor_config.session_holdtime is vyos_defined %}
- neighbor {{ neighbors }} session holdtime {{ neighbor_config.session_holdtime }}
+ neighbor {{ neighbor }} session holdtime {{ neighbor_config.session_holdtime }}
 {%             endif %}
 {%         endfor %}
 {%     endif %}
diff --git a/data/templates/frr/pim6d.frr.j2 b/data/templates/frr/pim6d.frr.j2
index 8e430541d..bac716fcc 100644
--- a/data/templates/frr/pim6d.frr.j2
+++ b/data/templates/frr/pim6d.frr.j2
@@ -1,7 +1,24 @@
 !
 {% if interface is vyos_defined %}
 {%     for iface, iface_config in interface.items() %}
+!
 interface {{ iface }}
+ ipv6 pim
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ipv6 pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ipv6 pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ipv6 pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ipv6 pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ipv6 pim passive
+{%         endif %}
 {%         if iface_config.mld is vyos_defined and iface_config.mld.disable is not vyos_defined %}
  ipv6 mld
 {%             if iface_config.mld.version is vyos_defined %}
@@ -32,7 +49,33 @@ interface {{ iface }}
 {%             endif %}
 {%         endif %}
 exit
-!
 {%     endfor %}
+{% endif %}
 !
+{% if join_prune_interval is vyos_defined %}
+ipv6 pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ipv6 pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ipv6 pim packets {{ packets }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ipv6 pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         if address_config.group is vyos_defined %}
+{%             for group in address_config.group %}
+ipv6 pim rp {{ address }} {{ group }}
+{%             endfor %}
+{%         endif %}
+{%         if address_config.prefix_list6 is vyos_defined %}
+ipv6 pim rp {{ address }} prefix-list {{ address_config.prefix_list6 }}
+{%         endif %}
+{%     endfor %}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ipv6 pim rp keep-alive-timer {{ rp.keep_alive_timer }}
 {% endif %}
diff --git a/data/templates/frr/pimd.frr.j2 b/data/templates/frr/pimd.frr.j2
index cb2f2aa98..68edf4a5c 100644
--- a/data/templates/frr/pimd.frr.j2
+++ b/data/templates/frr/pimd.frr.j2
@@ -1,34 +1,95 @@
+{% if interface is vyos_defined %}
+{%     for iface, iface_config in interface.items() %}
 !
-{% for rp_addr in old_pim.rp %}
-{%     for group in old_pim.rp[rp_addr] %}
-no ip pim rp {{ rp_addr }} {{ group }}
+interface {{ iface }}
+ ip pim
+{%         if iface_config.bfd is vyos_defined %}
+ ip pim bfd {{ 'profile ' ~ iface_config.bfd.profile if iface_config.bfd.profile is vyos_defined }}
+{%         endif %}
+{%         if iface_config.no_bsm is vyos_defined %}
+ no ip pim bsm
+{%         endif %}
+{%         if iface_config.dr_priority is vyos_defined %}
+ ip pim drpriority {{ iface_config.dr_priority }}
+{%         endif %}
+{%         if iface_config.hello is vyos_defined %}
+ ip pim hello {{ iface_config.hello }}
+{%         endif %}
+{%         if iface_config.no_unicast_bsm is vyos_defined %}
+ no ip pim unicast-bsm
+{%         endif %}
+{%         if iface_config.passive is vyos_defined %}
+ ip pim passive
+{%         endif %}
+{%         if iface_config.source_address is vyos_defined %}
+ ip pim use-source {{ iface_config.source_address }}
+{%         endif %}
+{%         if iface_config.igmp is vyos_defined and iface_config.igmp.disable is not vyos_defined %}
+ ip igmp
+{%             if iface_config.igmp.query_interval %}
+ ip igmp query-interval {{ iface_config.igmp.query_interval }}
+{%             endif %}
+{%             if iface_config.igmp.query_max_response_time %}
+ ip igmp query-max-response-time {{ iface_config.igmp.query_max_response_time }}
+{%             endif %}
+{%             if iface_config.igmp.version is vyos_defined %}
+ ip igmp version {{ iface_config.igmp.version }}
+{%             endif %}
+{%             if iface_config.igmp.join is vyos_defined %}
+{%                 for join, join_config in iface_config.igmp.join.items() %}
+{%                     if join_config.source_address is vyos_defined %}
+{%                         for source_address in join_config.source_address %}
+ ip igmp join {{ join }} {{ source_address }}
+{%                         endfor %}
+{%                     else %}
+ ip igmp join {{ join }}
+{%                     endif %}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+exit
 {%     endfor %}
-{% endfor %}
-{% if old_pim.rp_keep_alive %}
-no ip pim rp keep-alive-timer {{ old_pim.rp_keep_alive }}
 {% endif %}
-{% for iface in old_pim.ifaces %}
-interface {{ iface }}
-no ip pim
-!
-{% endfor %}
-{% for iface in pim.ifaces %}
-interface {{ iface }}
-ip pim
-{%     if pim.ifaces[iface].dr_prio %}
-ip pim drpriority {{ pim.ifaces[iface].dr_prio }}
-{%     endif %}
-{%     if pim.ifaces[iface].hello %}
-ip pim hello {{ pim.ifaces[iface].hello }}
-{%     endif %}
 !
-{% endfor %}
-{% for rp_addr in pim.rp %}
-{%     for group in pim.rp[rp_addr] %}
-ip pim rp {{ rp_addr }} {{ group }}
+{% if ecmp is vyos_defined %}
+ip pim ecmp {{ 'rebalance' if ecmp.rebalance is vyos_defined }}
+{% endif %}
+{% if join_prune_interval is vyos_defined %}
+ip pim join-prune-interval {{ join_prune_interval }}
+{% endif %}
+{% if keep_alive_timer is vyos_defined %}
+ip pim keep-alive-timer {{ keep_alive_timer }}
+{% endif %}
+{% if packets is vyos_defined %}
+ip pim packets {{ packets }}
+{% endif %}
+{% if register_accept_list.prefix_list is vyos_defined %}
+ip pim register-accept-list {{ register_accept_list.prefix_list }}
+{% endif %}
+{% if register_suppress_time is vyos_defined %}
+ip pim register-suppress-time {{ register_suppress_time }}
+{% endif %}
+{% if rp.address is vyos_defined %}
+{%     for address, address_config in rp.address.items() %}
+{%         for group in address_config.group %}
+ip pim rp {{ address }} {{ group }}
+{%         endfor %}
 {%     endfor %}
-{% endfor %}
-{% if pim.rp_keep_alive %}
-ip pim rp keep-alive-timer {{ pim.rp_keep_alive }}
+{% endif %}
+{% if rp.keep_alive_timer is vyos_defined %}
+ip pim rp keep-alive-timer {{ rp.keep_alive_timer }}
+{% endif %}
+{% if no_v6_secondary is vyos_defined %}
+no ip pim send-v6-secondary
+{% endif %}
+{% if spt_switchover.infinity_and_beyond is vyos_defined %}
+ip pim spt-switchover infinity-and-beyond {{ 'prefix-list ' ~ spt_switchover.infinity_and_beyond.prefix_list if spt_switchover.infinity_and_beyond.prefix_list is defined }}
+{% endif %}
+{% if ssm.prefix_list is vyos_defined %}
+ip pim ssm prefix-list {{ ssm.prefix_list }}
+{% endif %}
+!
+{% if igmp.watermark_warning is vyos_defined %}
+ip igmp watermark-warn {{ igmp.watermark_warning }}
 {% endif %}
 !
diff --git a/data/templates/frr/rpki.frr.j2 b/data/templates/frr/rpki.frr.j2
index 9a549d6de..384cbbe52 100644
--- a/data/templates/frr/rpki.frr.j2
+++ b/data/templates/frr/rpki.frr.j2
@@ -5,7 +5,7 @@ rpki
 {%     for peer, peer_config in cache.items() %}
 {#         port is mandatory and preference uses a default value #}
 {%         if peer_config.ssh.username is vyos_defined %}
- rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} {{ peer_config.ssh.known_hosts_file }} preference {{ peer_config.preference }}
+ rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} preference {{ peer_config.preference }}
 {%         else %}
  rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} preference {{ peer_config.preference }}
 {%         endif %}
diff --git a/data/templates/frr/zebra.segment_routing.frr.j2 b/data/templates/frr/zebra.segment_routing.frr.j2
new file mode 100644
index 000000000..7b12fcdd0
--- /dev/null
+++ b/data/templates/frr/zebra.segment_routing.frr.j2
@@ -0,0 +1,23 @@
+!
+{% if srv6.locator is vyos_defined %}
+segment-routing
+ srv6
+  locators
+{%     for locator, locator_config in srv6.locator.items() %}
+   locator {{ locator }}
+{%         if locator_config.prefix is vyos_defined %}
+    prefix {{ locator_config.prefix }} block-len {{ locator_config.block_len }} node-len {{ locator_config.node_len }} func-bits {{ locator_config.func_bits }}
+{%         endif %}
+{%         if locator_config.behavior_usid is vyos_defined %}
+    behavior usid
+{%         endif %}
+    exit
+    !
+{%     endfor %}
+  exit
+  !
+exit
+!
+exit
+!
+{% endif %}
diff --git a/data/templates/grub/grub_common.j2 b/data/templates/grub/grub_common.j2
new file mode 100644
index 000000000..5e9b95cc0
--- /dev/null
+++ b/data/templates/grub/grub_common.j2
@@ -0,0 +1,27 @@
+# load EFI video modules
+if [ "${grub_platform}" == "efi" ]; then
+    insmod efi_gop
+    insmod efi_uga
+fi
+
+# create and activate serial console
+function setup_serial {
+    # initialize the first serial port by default
+    if [ "${console_type}" == "ttyS" ]; then
+        if [ "${console_num}" == "0" ]; then
+          serial --unit=0 --speed=${console_speed}
+        else
+          serial --unit=${console_num} --speed=115200
+        fi
+    else
+        serial --unit=0 --speed=${console_speed}
+    fi
+    terminal_output --append serial console
+    terminal_input --append serial console
+}
+
+setup_serial
+
+{% if search_root %}
+{{ search_root }}
+{% endif %}
diff --git a/data/templates/grub/grub_compat.j2 b/data/templates/grub/grub_compat.j2
new file mode 100644
index 000000000..d1085eec8
--- /dev/null
+++ b/data/templates/grub/grub_compat.j2
@@ -0,0 +1,67 @@
+{# j2lint: disable=S6 #}
+### Generated by VyOS image-tools v.{{ tools_version }} ###
+{% macro menu_name(mode) -%}
+{% if mode == 'normal' -%}
+    VyOS
+{%- elif mode == 'pw_reset' -%}
+    Lost password change
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_name(type) -%}
+{% if type == 'tty' -%}
+    KVM
+{%- elif type == 'ttyS' -%}
+    Serial
+{%- elif type == 'ttyUSB' -%}
+    USB
+{%- else -%}
+    Unknown
+{%- endif %}
+{%- endmacro %}
+{% macro console_opts(type) -%}
+{% if type == 'tty' -%}
+    console=ttyS0,{{ console_speed }} console=tty0
+{%- elif type == 'ttyS' -%}
+    console=tty0 console=ttyS0,{{ console_speed }}
+{%- elif type == 'ttyUSB' -%}
+    console=tty0 console=ttyUSB0,115200
+{%- else -%}
+    console=tty0 console=ttyS0,{{ console_speed }}
+{%- endif %}
+{%- endmacro %}
+{% macro passwd_opts(mode) -%}
+{% if mode == 'pw_reset' -%}
+    init=/opt/vyatta/sbin/standalone_root_pw_reset
+{%- endif %}
+{%- endmacro %}
+set default={{ default }}
+set timeout={{ timeout }}
+{% if console_type == 'ttyS' %}
+{%     if console_num == '0' %}
+serial --unit=0 --speed={{ console_speed }}
+{%     else %}
+serial --unit={{ console_num }} --speed=115200
+{%     endif %}
+{% else %}
+serial --unit=0 --speed={{ console_speed }}
+{% endif %}
+terminal_output --append serial
+terminal_input serial console
+{% for mod in modules %}
+insmod {{ mod }}
+{% endfor %}
+{% if root %}
+set root={{ root }}
+{% endif %}
+{% if search_root %}
+{{ search_root }}
+{% endif %}
+
+{% for v in versions %}
+menuentry "{{ menu_name(v.bootmode) }} {{ v.version }} ({{ console_name(v.console_type) }} console)" {
+    linux /boot/{{ v.version }}/vmlinuz {{ v.boot_opts }} {{ console_opts(v.console_type) }} {{ passwd_opts(v.bootmode) }}
+    initrd /boot/{{ v.version }}/initrd.img
+}
+{% endfor %}
diff --git a/data/templates/grub/grub_main.j2 b/data/templates/grub/grub_main.j2
new file mode 100644
index 000000000..0c7ea0202
--- /dev/null
+++ b/data/templates/grub/grub_main.j2
@@ -0,0 +1,7 @@
+load_env
+insmod regexp
+
+for cfgfile in ${prefix}/grub.cfg.d/*-autoload.cfg
+do
+    source ${cfgfile}
+done
diff --git a/data/templates/grub/grub_menu.j2 b/data/templates/grub/grub_menu.j2
new file mode 100644
index 000000000..e73005f5d
--- /dev/null
+++ b/data/templates/grub/grub_menu.j2
@@ -0,0 +1,5 @@
+for cfgfile in ${config_directory}/vyos-versions/*.cfg
+do
+    source "${cfgfile}"
+done
+source ${config_directory}/50-vyos-options.cfg
diff --git a/data/templates/grub/grub_modules.j2 b/data/templates/grub/grub_modules.j2
new file mode 100644
index 000000000..24b540c9d
--- /dev/null
+++ b/data/templates/grub/grub_modules.j2
@@ -0,0 +1,3 @@
+{% for mod_name in mods_list %}
+insmod {{ mod_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_options.j2 b/data/templates/grub/grub_options.j2
new file mode 100644
index 000000000..c8a1472e1
--- /dev/null
+++ b/data/templates/grub/grub_options.j2
@@ -0,0 +1,52 @@
+submenu "Boot options" {
+    submenu "Select boot mode" {
+        menuentry "Normal" {
+            set bootmode="normal"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Password reset" {
+            set bootmode="pw_reset"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "System recovery" {
+            set bootmode="recovery"
+            export bootmode
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "Load the whole root filesystem to RAM" {
+            set boot_toram="yes"
+            export boot_toram
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    submenu "Select console type" {
+        menuentry "tty (graphical)" {
+            set console_type="tty"
+            export console_type
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyS (serial)" {
+            set console_type="ttyS"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+        menuentry "ttyUSB (USB serial)" {
+            set console_type="ttyUSB"
+            export console_type
+            setup_serial
+            configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+        }
+    }
+    menuentry "Enter console number" {
+        read console_num
+        export console_num
+        setup_serial
+        configfile ${prefix}/grub.cfg.d/*vyos-menu*.cfg
+    }
+    menuentry "Current: boot mode: ${bootmode}, console: ${console_type}${console_num}" {
+        echo
+    }
+}
diff --git a/data/templates/grub/grub_vars.j2 b/data/templates/grub/grub_vars.j2
new file mode 100644
index 000000000..e0002e8d8
--- /dev/null
+++ b/data/templates/grub/grub_vars.j2
@@ -0,0 +1,4 @@
+{% for var_name, var_value in vars.items() %}
+set {{ var_name | e }}="{{ var_value | e }}"
+export {{ var_name | e }}
+{% endfor %}
diff --git a/data/templates/grub/grub_vyos_version.j2 b/data/templates/grub/grub_vyos_version.j2
new file mode 100644
index 000000000..de85f1419
--- /dev/null
+++ b/data/templates/grub/grub_vyos_version.j2
@@ -0,0 +1,32 @@
+{% if boot_opts_config is vyos_defined %}
+{%     if boot_opts_config %}
+{%         set boot_opts_rendered = boot_opts_default + " " + boot_opts_config %}
+{%     else %}
+{%         set boot_opts_rendered = boot_opts_default %}
+{%     endif %}
+{% elif boot_opts != '' %}
+{%     set boot_opts_rendered = boot_opts %}
+{% else %}
+{%     set boot_opts_rendered = boot_opts_default %}
+{% endif %}
+menuentry "{{ version_name }}" --id {{ version_uuid }} {
+    set boot_opts="{{ boot_opts_rendered }}"
+    if [ "${console_type}" == "ttyS" ]; then
+        set console_opts="console=${console_type}${console_num},${console_speed}"
+    else
+        set console_opts="console=${console_type}${console_num}"
+    fi
+    # load rootfs to RAM
+    if [ "${boot_toram}" == "yes" ]; then
+        set boot_opts="${boot_opts} toram"
+    fi
+    if [ "${bootmode}" == "pw_reset" ]; then
+        set boot_opts="${boot_opts} ${console_opts} init=/usr/libexec/vyos/system/standalone_root_pw_reset"
+    elif [ "${bootmode}" == "recovery" ]; then
+        set boot_opts="${boot_opts} ${console_opts} init=/usr/bin/busybox init"
+    else
+        set boot_opts="${boot_opts} ${console_opts}"
+    fi
+    linux "/boot/{{ version_name }}/vmlinuz" ${boot_opts}
+    initrd "/boot/{{ version_name }}/initrd.img"
+}
diff --git a/data/templates/https/nginx.default.j2 b/data/templates/https/nginx.default.j2
index b541ff309..5d17df001 100644
--- a/data/templates/https/nginx.default.j2
+++ b/data/templates/https/nginx.default.j2
@@ -1,64 +1,65 @@
-### Autogenerated by https.py ###
-# Default server configuration
+### Autogenerated by service_https.py ###
 
-{% for server in server_block_list %}
+{% if enable_http_redirect is vyos_defined %}
 server {
-        # SSL configuration
-        #
-{%     if server.address == '*' %}
-        listen {{ server.port }} ssl;
-        listen [::]:{{ server.port }} ssl;
-{%     else %}
-        listen {{ server.address | bracketize_ipv6 }}:{{ server.port }} ssl;
-{%     endif %}
+    listen 80 default_server;
+    server_name {{ hostname }};
+    return 301 https://$host$request_uri;
+}
+{% endif %}
 
-{%     for name in server.name %}
-        server_name {{ name }};
+server {
+{% if listen_address is vyos_defined %}
+{%     for address in listen_address %}
+    listen {{ address | bracketize_ipv6 }}:{{ port }} ssl;
 {%     endfor %}
+{% else %}
+    listen {{ port }} ssl;
+    listen [::]:{{ port }} ssl;
+{% endif %}
 
-        root /srv/localui;
+    server_name {{ hostname }};
+    root /srv/localui;
 
-{%     if server.certbot %}
-        ssl_certificate {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/fullchain.pem;
-        ssl_certificate_key {{ server.certbot_dir }}/live/{{ server.certbot_domain_dir }}/privkey.pem;
-        include {{ server.certbot_dir }}/options-ssl-nginx.conf;
-        ssl_dhparam {{ server.certbot_dir }}/ssl-dhparams.pem;
-{%     elif server.vyos_cert %}
-        ssl_certificate {{ server.vyos_cert.crt }};
-        ssl_certificate_key {{ server.vyos_cert.key }};
-{%     else %}
-        #
-        # Self signed certs generated by the ssl-cert package
-        # Don't use them in a production server!
-        #
-        include snippets/snakeoil.conf;
+    # SSL configuration
+{% if certificates.cert_path is vyos_defined and certificates.key_path is vyos_defined %}
+    ssl_certificate {{ certificates.cert_path }};
+    ssl_certificate_key {{ certificates.key_path }};
+{%     if certificates.dh_file is vyos_defined %}
+    ssl_dhparam {{ certificates.dh_file }};
 {%     endif %}
-        ssl_protocols TLSv1.2 TLSv1.3;
+{% else %}
+    # Self signed certs generated by the ssl-cert package
+    # Don't use them in a production server!
+    include snippets/snakeoil.conf;
+{% endif %}
 
-        # proxy settings for HTTP API, if enabled; 503, if not
-        location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reset|docs|openapi.json|redoc|graphql) {
-{%     if server.api %}
-{%         if server.api.socket %}
-                proxy_pass http://unix:/run/api.sock;
-{%         else %}
-                proxy_pass http://localhost:{{ server.api.port }};
-{%         endif %}
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_read_timeout 600;
-                proxy_buffering off;
-{%     else %}
-                return 503;
-{%     endif %}
-{%     if server.allow_client %}
-{%         for client in server.allow_client %}
-                allow {{ client }};
-{%         endfor %}
-                deny all;
-{%     endif %}
-        }
+    # Improve HTTPS performance with session resumption
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols {{ 'TLSv' ~ ' TLSv'.join(tls_version) }};
 
-        error_page 497 =301 https://$host:{{ server.port }}$request_uri;
-}
+    # From LetsEncrypt
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
 
-{% endfor %}
+    # proxy settings for HTTP API, if enabled; 503, if not
+    location ~ ^/(retrieve|configure|config-file|image|container-image|generate|show|reboot|reset|poweroff|docs|openapi.json|redoc|graphql) {
+{% if api is vyos_defined %}
+        proxy_pass http://unix:/run/api.sock;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 600;
+        proxy_buffering off;
+{% else %}
+        return 503;
+{% endif %}
+{% if allow_client.address is vyos_defined %}
+{%     for address in allow_client.address %}
+        allow {{ address }};
+{%     endfor %}
+        deny all;
+{% endif %}
+    }
+    error_page 497 =301 https://$host:{{ port }}$request_uri;
+}
diff --git a/data/templates/https/vyos-http-api.service.j2 b/data/templates/https/vyos-http-api.service.j2
index fb424e06c..aa4da7666 100644
--- a/data/templates/https/vyos-http-api.service.j2
+++ b/data/templates/https/vyos-http-api.service.j2
@@ -3,9 +3,11 @@
 Description=VyOS HTTP API service
 After=vyos-router.service
 Requires=vyos-router.service
+ConditionPathExists={{ api_config_state }}
 
 [Service]
 ExecStart={{ vrf_command }}/usr/libexec/vyos/services/vyos-http-api-server
+ExecReload=kill -HUP $MAINPID
 Type=idle
 
 SyslogIdentifier=vyos-http-api
@@ -19,4 +21,3 @@ Group=vyattacfg
 
 [Install]
 WantedBy=vyos.target
-
diff --git a/data/templates/igmp-proxy/igmpproxy.conf.j2 b/data/templates/igmp-proxy/igmpproxy.conf.j2
index ab3c9fd31..85a04de7d 100644
--- a/data/templates/igmp-proxy/igmpproxy.conf.j2
+++ b/data/templates/igmp-proxy/igmpproxy.conf.j2
@@ -1,6 +1,6 @@
 ########################################################
 #
-# autogenerated by igmp_proxy.py
+# autogenerated by protocols_igmp-proxy.py
 #
 # The configuration file must define one upstream interface, and one or more
 # downstream interfaces.
diff --git a/data/templates/ipsec/swanctl/peer.j2 b/data/templates/ipsec/swanctl/peer.j2
index 9d95271fe..58f0199fa 100644
--- a/data/templates/ipsec/swanctl/peer.j2
+++ b/data/templates/ipsec/swanctl/peer.j2
@@ -83,10 +83,12 @@
                 start_action = none
 {%     endif %}
 {%     if ike.dead_peer_detection is vyos_defined %}
-{%         set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
-                dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
+                dpd_action = {{ ike.dead_peer_detection.action }}
+{%     endif %}
+                close_action = {{ ike.close_action }}
+{%     if peer_conf.replay_window is vyos_defined %}
+                replay_window = {{ peer_conf.replay_window }}
 {%     endif %}
-                close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
             }
 {% elif peer_conf.tunnel is vyos_defined %}
 {%     for tunnel_id, tunnel_conf in peer_conf.tunnel.items() if tunnel_conf.disable is not defined %}
@@ -134,10 +136,12 @@
                 start_action = none
 {%         endif %}
 {%         if ike.dead_peer_detection is vyos_defined %}
-{%             set dpd_translate = {'clear': 'clear', 'hold': 'trap', 'restart': 'restart'} %}
-                dpd_action = {{ dpd_translate[ike.dead_peer_detection.action] }}
+                dpd_action = {{ ike.dead_peer_detection.action }}
+{%         endif %}
+                close_action = {{ ike.close_action }}
+{%         if peer_conf.replay_window is vyos_defined %}
+                replay_window = {{ peer_conf.replay_window }}
 {%         endif %}
-                close_action = {{ {'none': 'none', 'hold': 'trap', 'restart': 'start'}[ike.close_action] }}
 {%         if peer_conf.vti.bind is vyos_defined %}
 {#             The key defaults to 0 and will match any policies which similarly do not have a lookup key configuration. #}
 {#             Thus we simply shift the key by one to also support a vti0 interface #}
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 60d2d1807..bce8684fe 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -29,8 +29,10 @@
 {% endif %}
         }
         remote {
+{% if rw_conf.authentication.client_mode == 'x509' %}
+            auth = pubkey
+{% elif rw_conf.authentication.client_mode.startswith("eap") %}
             auth = {{ rw_conf.authentication.client_mode }}
-{% if rw_conf.authentication.client_mode.startswith("eap") %}
             eap_id = %any
 {% endif %}
         }
@@ -41,6 +43,9 @@
                 rand_time = 540s
                 dpd_action = clear
                 inactivity = {{ rw_conf.timeout }}
+{% if rw_conf.replay_window is vyos_defined %}
+                replay_window = {{ rw_conf.replay_window }}
+{% endif %}
 {% set local_prefix = rw_conf.local.prefix if rw_conf.local.prefix is vyos_defined else ['0.0.0.0/0', '::/0'] %}
 {% set local_port = rw_conf.local.port if rw_conf.local.port is vyos_defined else '' %}
 {% set local_suffix = '[%any/{1}]'.format(local_port) if local_port else '' %}
diff --git a/data/templates/lldp/lldpd.j2 b/data/templates/lldp/lldpd.j2
index 3c499197d..2238fe1c4 100644
--- a/data/templates/lldp/lldpd.j2
+++ b/data/templates/lldp/lldpd.j2
@@ -1,2 +1,2 @@
-### Autogenerated by lldp.py ###
-DAEMON_ARGS="-M 4 {{ '-x' if snmp.enable is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
+### Autogenerated by service_lldp.py ###
+DAEMON_ARGS="-M 4 {{ '-x' if snmp is vyos_defined }} {{ '-c' if legacy_protocols.cdp is vyos_defined }} {{ '-e' if legacy_protocols.edp is vyos_defined }} {{ '-f' if legacy_protocols.fdp is vyos_defined }} {{ '-s' if legacy_protocols.sonmp is vyos_defined }}"
diff --git a/data/templates/lldp/vyos.conf.j2 b/data/templates/lldp/vyos.conf.j2
index dfa422ab8..4b4228cea 100644
--- a/data/templates/lldp/vyos.conf.j2
+++ b/data/templates/lldp/vyos.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by lldp.py ###
+### Autogenerated by service_lldp.py ###
 
 configure system platform VyOS
 configure system description "VyOS {{ version }}"
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index a75ee9904..849cef74d 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -1,4 +1,4 @@
-# Generated by ${vyos_conf_scripts_dir}/load-balancing-haproxy.py
+### Autogenerated by load-balancing_reverse-proxy.py ###
 
 global
     log /dev/log local0
@@ -50,13 +50,19 @@ defaults
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
 frontend {{ front }}
-{%         set ssl_front =  'ssl crt /run/haproxy/' ~ front_config.ssl.certificate ~ '.pem' if front_config.ssl.certificate is vyos_defined else '' %}
+{%         set ssl_front = [] %}
+{%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
+{%             for cert in front_config.ssl.certificate %}
+{%                 set _ = ssl_front.append('crt /run/haproxy/' ~ cert ~ '.pem') %}
+{%             endfor %}
+{%         endif %}
+{%         set ssl_directive = 'ssl' if ssl_front else '' %}
 {%         if front_config.listen_address is vyos_defined %}
 {%             for address in front_config.listen_address %}
-    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_front }}
+    bind {{ address | bracketize_ipv6 }}:{{ front_config.port }} {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%             endfor %}
 {%         else %}
-    bind :::{{ front_config.port }} v4v6 {{ ssl_front }}
+    bind :::{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%         endif %}
 {%         if front_config.redirect_http_to_https is vyos_defined %}
     http-request redirect scheme https unless { ssl_fc }
@@ -161,4 +167,3 @@ backend {{ back }}
 
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/load-balancing/wlb.conf.j2 b/data/templates/load-balancing/wlb.conf.j2
index d3326b6b8..6557b6f4c 100644
--- a/data/templates/load-balancing/wlb.conf.j2
+++ b/data/templates/load-balancing/wlb.conf.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/load-balancing-wan.py
+### Autogenerated by load-balancing_wan.py ###
 
 {% if disable_source_nat is vyos_defined %}
 disable-source-nat
@@ -41,7 +41,7 @@ health {
                 test-script {{ test_config.test_script }}
 {%                     endif %}
 {%                     if test_config.target is vyos_defined %}
-                target {{ test_config.target }} 
+                target {{ test_config.target }}
 {%                     endif %}
                 resp-time {{ test_config.resp_time | int * 1000 }}
             }
diff --git a/data/templates/login/authorized_keys.j2 b/data/templates/login/authorized_keys.j2
index aabca47cf..695b66abe 100644
--- a/data/templates/login/authorized_keys.j2
+++ b/data/templates/login/authorized_keys.j2
@@ -1,4 +1,4 @@
-### Automatically generated by system-login.py ###
+### Automatically generated by system_login.py ###
 
 {% if authentication.public_keys is vyos_defined %}
 {%     for key, key_options in authentication.public_keys.items() %}
@@ -6,4 +6,3 @@
 {{ key_options.options ~ ' ' if key_options.options is vyos_defined }}{{ key_options.type }} {{ key_options.key }} {{ key }}
 {%     endfor %}
 {% endif %}
-
diff --git a/data/templates/login/limits.j2 b/data/templates/login/limits.j2
index 5e2c11f35..31abc85dd 100644
--- a/data/templates/login/limits.j2
+++ b/data/templates/login/limits.j2
@@ -1,4 +1,4 @@
-# Generated by /usr/libexec/vyos/conf_mode/system-login.py
+# Generated by system_login.py
 
 {% if max_login_session is vyos_defined %}
 * - maxsyslogins {{ max_login_session }}
diff --git a/data/templates/login/nsswitch.conf.j2 b/data/templates/login/nsswitch.conf.j2
index 65dc88291..0adfb491c 100644
--- a/data/templates/login/nsswitch.conf.j2
+++ b/data/templates/login/nsswitch.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# automatically generated by system_login.py ###
 # /etc/nsswitch.conf
 #
 # Example configuration of GNU Name Service Switch functionality.
@@ -18,4 +18,3 @@ ethers:         db files
 rpc:            db files
 
 netgroup:       nis
-
diff --git a/data/templates/login/pam_radius_auth.conf.j2 b/data/templates/login/pam_radius_auth.conf.j2
index c61154753..75437ca71 100644
--- a/data/templates/login/pam_radius_auth.conf.j2
+++ b/data/templates/login/pam_radius_auth.conf.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+### Automatically generated by system_login.py ###
 # RADIUS configuration file
 
 {% if radius is vyos_defined %}
diff --git a/data/templates/login/tacplus_servers.j2 b/data/templates/login/tacplus_servers.j2
index 5a65d6e68..23e8e495e 100644
--- a/data/templates/login/tacplus_servers.j2
+++ b/data/templates/login/tacplus_servers.j2
@@ -1,4 +1,4 @@
-# Automatically generated by system-login.py
+# Automatically generated by system_login.py
 # TACACS+ configuration file
 
 # This is a common file used by audisp-tacplus, libpam_tacplus, and
@@ -56,4 +56,3 @@ user_homedir=1
 
 service=shell
 protocol=ssh
-
diff --git a/data/templates/macsec/wpa_supplicant.conf.j2 b/data/templates/macsec/wpa_supplicant.conf.j2
index 1f7ba16f4..4bb762935 100644
--- a/data/templates/macsec/wpa_supplicant.conf.j2
+++ b/data/templates/macsec/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_macsec.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/data/templates/mdns-repeater/avahi-daemon.conf.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index d562c048f..cc6495817 100644
--- a/data/templates/mdns-repeater/avahi-daemon.conf.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by service_mdns-repeater.py ###
+### Autogenerated by service_mdns_repeater.py ###
 [server]
 use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
 use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
diff --git a/data/templates/mdns-repeater/override.conf.j2 b/data/templates/mdns-repeater/override.conf.j2
new file mode 100644
index 000000000..8c8187489
--- /dev/null
+++ b/data/templates/mdns-repeater/override.conf.j2
@@ -0,0 +1,7 @@
+[Unit]
+After=vyos-router.service
+ConditionPathExists={{ config_file }}
+
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/avahi-daemon --syslog --file {{ config_file }}
diff --git a/data/templates/ndppd/ndppd.conf.j2 b/data/templates/ndppd/ndppd.conf.j2
index 120fa0a64..6369dbdeb 100644
--- a/data/templates/ndppd/ndppd.conf.j2
+++ b/data/templates/ndppd/ndppd.conf.j2
@@ -1,44 +1,35 @@
-########################################################
-#
-# autogenerated by nat66.py
-#
-#   The configuration file must define one upstream
-#   interface.
-#
-#   For some services, such as nat66, because it runs
-#    stateless, it needs to rely on NDP Proxy to respond
-#   to NDP requests.
-#
-#   When using nat66 source rules, NDP Proxy needs
-#   to be enabled
-#
-########################################################
+# autogenerated by service_ndp-proxy.py
 
-{% set global = namespace(ndppd_interfaces = [],ndppd_prefixs = []) %}
-{% if source.rule is vyos_defined %}
-{%     for rule, config in source.rule.items() if config.disable is not defined %}
-{%         if config.outbound_interface is vyos_defined %}
-{%             if config.outbound_interface not in global.ndppd_interfaces %}
-{%                 set global.ndppd_interfaces = global.ndppd_interfaces + [config.outbound_interface] %}
-{%             endif   %}
-{%             if config.translation.address is vyos_defined and config.translation.address | is_ip_network %}
-{%                 set global.ndppd_prefixs = global.ndppd_prefixs + [{'interface':config.outbound_interface,'rule':config.translation.address}] %}
-{%             endif %}
-{%         endif %}
-{%     endfor %}
-{% endif %}
+# This tells 'ndppd' how often to reload the route file /proc/net/ipv6_route
+route-ttl {{ route_refresh }}
+
+{% if interface is vyos_defined %}
+# This sets up a listener, that will listen for any Neighbor Solicitation
+# messages, and respond to them according to a set of rules
+{%     for iface, iface_config in interface.items() if iface_config.disable is not vyos_defined %}
+proxy {{ iface }} {
+    # Turn on or off the router flag for Neighbor Advertisements
+    router {{ 'yes' if iface_config.enable_router_bit is vyos_defined else 'no' }}
+    # Control how long to wait for a Neighbor Advertisment message before invalidating the entry (milliseconds)
+    timeout {{ iface_config.timeout }}
+    # Control how long a valid or invalid entry remains in the cache (milliseconds)
+    ttl {{ iface_config.ttl }}
 
-{% for interface in global.ndppd_interfaces %}
-proxy {{ interface }} {
-    router yes
-    timeout 500
-    ttl 30000
-{%     for map in global.ndppd_prefixs %}
-{%         if map.interface == interface %}
-    rule {{ map.rule }} {
-        static
+{%         if iface_config.prefix is vyos_defined %}
+    # This is a rule that the target address is to match against. If no netmask
+    # is provided, /128 is assumed. You may have several rule sections, and the
+    # addresses may or may not overlap.
+{%             for prefix, prefix_config in iface_config.prefix.items() if prefix_config.disable is not vyos_defined %}
+    rule {{ prefix }} {
+{%                 if prefix_config.mode is vyos_defined('interface') %}
+        iface {{ prefix_config.interface }}
+{%                 else %}
+        {{ prefix_config.mode }}
+{%                 endif %}
     }
-{%         endif  %}
-{%     endfor   %}
+{%             endfor %}
+{%         endif %}
 }
-{% endfor %}
+
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/ocserv/ocserv_config.j2 b/data/templates/ocserv/ocserv_config.j2
index 1401b8b26..b5e890c32 100644
--- a/data/templates/ocserv/ocserv_config.j2
+++ b/data/templates/ocserv/ocserv_config.j2
@@ -119,4 +119,21 @@ split-dns = {{ tmp }}
 {%     for grp in authentication.group %}
 select-group = {{ grp }}
 {%     endfor %}
-{% endif %}
\ No newline at end of file
+{% endif %}
+
+{% if http_security_headers is vyos_defined %}
+# HTTP security headers
+included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
+included-http-headers = X-Frame-Options: deny
+included-http-headers = X-Content-Type-Options: nosniff
+included-http-headers = Content-Security-Policy: default-src "none"
+included-http-headers = X-Permitted-Cross-Domain-Policies: none
+included-http-headers = Referrer-Policy: no-referrer
+included-http-headers = Clear-Site-Data: "cache","cookies","storage"
+included-http-headers = Cross-Origin-Embedder-Policy: require-corp
+included-http-headers = Cross-Origin-Opener-Policy: same-origin
+included-http-headers = Cross-Origin-Resource-Policy: same-origin
+included-http-headers = X-XSS-Protection: 0
+included-http-headers = Pragma: no-cache
+included-http-headers = Cache-control: no-store, no-cache
+{% endif %}
diff --git a/data/templates/openvpn/auth.pw.j2 b/data/templates/openvpn/auth.pw.j2
index 218121062..9f9b31e7a 100644
--- a/data/templates/openvpn/auth.pw.j2
+++ b/data/templates/openvpn/auth.pw.j2
@@ -1,4 +1,4 @@
-{# Autogenerated by interfaces-openvpn.py #}
+{# Autogenerated by interfaces_openvpn.py #}
 {% if authentication is vyos_defined %}
 {{ authentication.username }}
 {{ authentication.password }}
diff --git a/data/templates/openvpn/client.conf.j2 b/data/templates/openvpn/client.conf.j2
index 2e327e4d3..9edcdc8ae 100644
--- a/data/templates/openvpn/client.conf.j2
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 
 {% if ip is vyos_defined %}
 ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
diff --git a/data/templates/openvpn/server.conf.j2 b/data/templates/openvpn/server.conf.j2
index 2eb9416fe..6ac525443 100644
--- a/data/templates/openvpn/server.conf.j2
+++ b/data/templates/openvpn/server.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-openvpn.py ###
+### Autogenerated by interfaces_openvpn.py ###
 #
 # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
 # for individual keyword definition
@@ -79,7 +79,7 @@ server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} {{ 'nop
 {%                     if server.push_route is vyos_defined %}
 {%                         for route, route_config in server.push_route.items() %}
 {%                             if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ 'vpn_gateway' ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
 {%                             elif route | is_ipv6 %}
 push "route-ipv6 {{ route }}"
 {%                             endif %}
@@ -205,19 +205,12 @@ tls-server
 {% if encryption is vyos_defined %}
 {%     if encryption.cipher is vyos_defined %}
 cipher {{ encryption.cipher | openvpn_cipher }}
-{%         if encryption.cipher is vyos_defined('bf128') %}
-keysize 128
-{%         elif encryption.cipher is vyos_defined('bf256') %}
-keysize 256
-{%         endif %}
 {%     endif %}
 {%     if encryption.ncp_ciphers is vyos_defined %}
 data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
 {%     endif %}
 {% endif %}
-# https://vyos.dev/T5027
-# Required to support BF-CBC (default ciphername when none given)
-providers legacy default
+providers default
 
 {% if hash is vyos_defined %}
 auth {{ hash }}
diff --git a/data/templates/pmacct/override.conf.j2 b/data/templates/pmacct/override.conf.j2
index 213569ddc..44a100bb6 100644
--- a/data/templates/pmacct/override.conf.j2
+++ b/data/templates/pmacct/override.conf.j2
@@ -9,9 +9,9 @@ ConditionPathExists=/run/pmacct/uacctd.conf
 EnvironmentFile=
 ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/uacctd -f /run/pmacct/uacctd.conf
+ExecStop=/usr/libexec/vyos/system/uacctd_stop.py $MAINPID 60
 WorkingDirectory=
 WorkingDirectory=/run/pmacct
-PIDFile=
-PIDFile=/run/pmacct/uacctd.pid
 Restart=always
 RestartSec=10
+KillMode=mixed
diff --git a/data/templates/pmacct/uacctd.conf.j2 b/data/templates/pmacct/uacctd.conf.j2
index 1370f8121..aae0a0619 100644
--- a/data/templates/pmacct/uacctd.conf.j2
+++ b/data/templates/pmacct/uacctd.conf.j2
@@ -1,7 +1,7 @@
 # Genereated from VyOS configuration
 daemonize: true
 promisc: false
-pidfile: /run/pmacct/uacctd.pid
+syslog: daemon
 uacctd_group: 2
 uacctd_nl_size: 2097152
 snaplen: {{ packet_length }}
diff --git a/data/templates/pppoe/peer.j2 b/data/templates/pppoe/peer.j2
index f30cefe63..efe47f369 100644
--- a/data/templates/pppoe/peer.j2
+++ b/data/templates/pppoe/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-pppoe.py ###
+### Autogenerated by interfaces_pppoe.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
@@ -50,7 +50,7 @@ ifname {{ ifname }}
 ipparam {{ ifname }}
 debug
 mtu {{ mtu }}
-mru {{ mtu }}
+mru {{ mru }}
 
 {% if authentication is vyos_defined %}
 {{ 'user "' + authentication.username + '"' if authentication.username is vyos_defined }}
diff --git a/data/templates/rsyslog/logrotate.j2 b/data/templates/rsyslog/logrotate.j2
index cc535c48f..ea33fea4f 100644
--- a/data/templates/rsyslog/logrotate.j2
+++ b/data/templates/rsyslog/logrotate.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 /var/log/messages {
   missingok
   notifempty
diff --git a/data/templates/rsyslog/rsyslog.conf.j2 b/data/templates/rsyslog/rsyslog.conf.j2
index dff904129..97e0ee0b7 100644
--- a/data/templates/rsyslog/rsyslog.conf.j2
+++ b/data/templates/rsyslog/rsyslog.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by system-syslog.py ###
+### Autogenerated by system_syslog.py ###
 
 {% if global.marker is vyos_defined %}
 $ModLoad immark
@@ -15,7 +15,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 {% if global.facility is vyos_defined %}
 {%     set tmp = [] %}
 {%     for facility, facility_options in global.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} :omfile:$global
 {% endif %}
@@ -27,7 +27,7 @@ $outchannel global,/var/log/messages,262144,/usr/sbin/logrotate {{ logrotate }}
 $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archive.size }},/usr/sbin/logrotate {{ logrotate }}
 {%         if file_options.facility is vyos_defined %}
 {%             for facility, facility_options in file_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omfile:${{ file }}
@@ -38,7 +38,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 # Console logging
 {%     set tmp = [] %}
 {%     for facility, facility_options in console.facility.items() %}
-{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%         set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%     endfor %}
 {{ tmp | join(';') }} /dev/console
 {% endif %}
@@ -49,7 +49,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if host_options.facility is vyos_defined %}
 {%             for facility, facility_options in host_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {%         if host_options.protocol is vyos_defined('tcp') %}
@@ -70,7 +70,7 @@ $outchannel {{ file_name }},/var/log/user/{{ file_name }},{{ file_options.archiv
 {%         set tmp = [] %}
 {%         if user_options.facility is vyos_defined %}
 {%             for facility, facility_options in user_options.facility.items() %}
-{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level) %}
+{%                 set _ = tmp.append(facility.replace('all', '*') + '.' + facility_options.level.replace('all', '*')) %}
 {%             endfor %}
 {%         endif %}
 {{ tmp | join(';') }} :omusrmsg:{{ username }}
diff --git a/data/templates/salt-minion/minion.j2 b/data/templates/salt-minion/minion.j2
index f4001db64..a69438f0b 100644
--- a/data/templates/salt-minion/minion.j2
+++ b/data/templates/salt-minion/minion.j2
@@ -1,4 +1,4 @@
-### Autogenerated by salt-minion.py ###
+### Autogenerated by service_salt-minion.py ###
 
 ##### Primary configuration settings #####
 ##########################################
diff --git a/data/templates/sflow/override.conf.j2 b/data/templates/sflow/override.conf.j2
index f2a982528..73588fdb2 100644
--- a/data/templates/sflow/override.conf.j2
+++ b/data/templates/sflow/override.conf.j2
@@ -1,3 +1,4 @@
+{% set vrf_command = 'ip vrf exec ' ~ vrf ~ ' ' if vrf is vyos_defined else '' %}
 [Unit]
 After=
 After=vyos-router.service
@@ -7,7 +8,7 @@ ConditionPathExists=/run/sflow/hsflowd.conf
 [Service]
 EnvironmentFile=
 ExecStart=
-ExecStart=/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf
+ExecStart={{ vrf_command }}/usr/sbin/hsflowd -m %m -d -f /run/sflow/hsflowd.conf
 WorkingDirectory=
 WorkingDirectory=/run/sflow
 PIDFile=
diff --git a/data/templates/snmp/etc.snmp.conf.j2 b/data/templates/snmp/etc.snmp.conf.j2
index 8012cf6bb..c214b2266 100644
--- a/data/templates/snmp/etc.snmp.conf.j2
+++ b/data/templates/snmp/etc.snmp.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if trap_source is vyos_defined %}
 clientaddr {{ trap_source }}
 {% endif %}
diff --git a/data/templates/snmp/etc.snmpd.conf.j2 b/data/templates/snmp/etc.snmpd.conf.j2
index 9d78d479a..b1ceb0451 100644
--- a/data/templates/snmp/etc.snmpd.conf.j2
+++ b/data/templates/snmp/etc.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 
 # non configurable defaults
 sysObjectID 1.3.6.1.4.1.44641
@@ -56,6 +56,16 @@ SysDescr {{ description }}
 {% endif %}
 agentaddress unix:/run/snmpd.socket{{ ',' ~ options | join(',') if options is vyos_defined }}
 
+{% if mib is vyos_defined %}
+# Interface MIB limits
+{%     if mib.interface_max is vyos_defined %}
+ifmib_max_num_ifaces {{ mib.interface_max }}
+{%     endif %}
+{%     if mib.interface is vyos_defined %}
+include_ifmib_iface_prefix {{ mib.interface | join(' ') }}
+{%     endif %}
+{% endif %}
+
 # SNMP communities
 {% if community is vyos_defined %}
 {%     for comm, comm_config in community.items() %}
diff --git a/data/templates/snmp/override.conf.j2 b/data/templates/snmp/override.conf.j2
index 443ee64db..42dc7a9d2 100644
--- a/data/templates/snmp/override.conf.j2
+++ b/data/templates/snmp/override.conf.j2
@@ -10,4 +10,3 @@ ExecStart=
 ExecStart={{ vrf_command }}/usr/sbin/snmpd -LS0-5d -Lf /dev/null -u Debian-snmp -g Debian-snmp -f -p /run/snmpd.pid
 Restart=always
 RestartSec=10
-
diff --git a/data/templates/snmp/usr.snmpd.conf.j2 b/data/templates/snmp/usr.snmpd.conf.j2
index a713c1cec..189032bb0 100644
--- a/data/templates/snmp/usr.snmpd.conf.j2
+++ b/data/templates/snmp/usr.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 {% if v3.user is vyos_defined %}
 {%     for user, user_config in v3.user.items() %}
 {{ user_config.mode }}user {{ user }}
diff --git a/data/templates/snmp/var.snmpd.conf.j2 b/data/templates/snmp/var.snmpd.conf.j2
index 012f33aeb..afab88abc 100644
--- a/data/templates/snmp/var.snmpd.conf.j2
+++ b/data/templates/snmp/var.snmpd.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by snmp.py ###
+### Autogenerated by service_snmp.py ###
 # user
 {% if v3 is vyos_defined %}
 {%     if v3.user is vyos_defined %}
diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 422969ed8..650fd25e6 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 # https://linux.die.net/man/5/sshd_config
 
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
index 58c6ad48d..2e7507416 100644
--- a/data/templates/ssh/sshguard_config.j2
+++ b/data/templates/ssh/sshguard_config.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection is vyos_defined %}
 # Full path to backend executable (required, no default)
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
index 47a950a2b..194fa29df 100644
--- a/data/templates/ssh/sshguard_whitelist.j2
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -1,4 +1,4 @@
-### Autogenerated by ssh.py ###
+### Autogenerated by service_ssh.py ###
 
 {% if dynamic_protection.allow_from is vyos_defined %}
 {%     for address in dynamic_protection.allow_from %}
diff --git a/data/templates/sstp-client/peer.j2 b/data/templates/sstp-client/peer.j2
index 745a09e14..d38e53f15 100644
--- a/data/templates/sstp-client/peer.j2
+++ b/data/templates/sstp-client/peer.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-sstpc.py ###
+### Autogenerated by interfaces_sstpc.py ###
 {{ '# ' ~ description if description is vyos_defined else '' }}
 
 # Require peer to provide the local IP address if it is not
diff --git a/data/templates/system/proxy.j2 b/data/templates/system/proxy.j2
index 215c4c5c2..0737cd3f8 100644
--- a/data/templates/system/proxy.j2
+++ b/data/templates/system/proxy.j2
@@ -1,4 +1,4 @@
-# generated by system-proxy.py
+### autogenerated by system_proxy.py ###
 {% if url is vyos_defined and port is vyos_defined %}
 {# remove http:// prefix so we can inject a username/password if present #}
 export http_proxy=http://{{ username ~ ':' ~ password ~ '@' if username is vyos_defined and password is vyos_defined }}{{ url | replace('http://', '') }}:{{ port }}
diff --git a/data/templates/system/sysctl.conf.j2 b/data/templates/system/sysctl.conf.j2
index 59a19e157..db699c3d8 100644
--- a/data/templates/system/sysctl.conf.j2
+++ b/data/templates/system/sysctl.conf.j2
@@ -1,7 +1,7 @@
-# autogenerated by system_sysctl.py

-

-{% if parameter is vyos_defined %}

-{%     for k, v in parameter.items() %}

-{{ k }} = {{ v.value }}

-{%     endfor %}

-{% endif %}

+# autogenerated by system_sysctl.py
+
+{% if parameter is vyos_defined %}
+{%     for k, v in parameter.items() %}
+{{ k }} = {{ v.value }}
+{%     endfor %}
+{% endif %}
diff --git a/data/templates/telegraf/telegraf.j2 b/data/templates/telegraf/telegraf.j2
index 5852d6232..9623bdec6 100644
--- a/data/templates/telegraf/telegraf.j2
+++ b/data/templates/telegraf/telegraf.j2
@@ -90,6 +90,8 @@
 [[inputs.diskio]]
 [[inputs.mem]]
 [[inputs.net]]
+    ignore_protocol_stats = true
+[[inputs.nstat]]
 [[inputs.system]]
 [[inputs.netstat]]
 [[inputs.processes]]
diff --git a/data/templates/tftp-server/default.j2 b/data/templates/tftp-server/default.j2
index b2676e0aa..d9ce847de 100644
--- a/data/templates/tftp-server/default.j2
+++ b/data/templates/tftp-server/default.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=jinja-variable-format #}
-### Autogenerated by tftp_server.py ###
+### Autogenerated by service_tftp-server.py ###
 DAEMON_ARGS="--listen --user tftp --address {{ listen_address }} {{ "--create --umask 000" if allow_upload is vyos_defined }} --secure {{ directory }}"
 {% if vrf is vyos_defined %}
 VRF_ARGS="ip vrf exec {{ vrf }}"
diff --git a/data/templates/vpp/override.conf.j2 b/data/templates/vpp/override.conf.j2
deleted file mode 100644
index a2c2b04ed..000000000
--- a/data/templates/vpp/override.conf.j2
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-After=
-After=vyos-router.service
-ConditionPathExists=
-ConditionPathExists=/run/vpp/vpp.conf
-
-[Service]
-EnvironmentFile=
-ExecStart=
-ExecStart=/usr/bin/vpp -c /run/vpp/vpp.conf
-WorkingDirectory=
-WorkingDirectory=/run/vpp
-Restart=always
-RestartSec=10
diff --git a/data/templates/vpp/startup.conf.j2 b/data/templates/vpp/startup.conf.j2
deleted file mode 100644
index f33539fba..000000000
--- a/data/templates/vpp/startup.conf.j2
+++ /dev/null
@@ -1,116 +0,0 @@
-# Generated by /usr/libexec/vyos/conf_mode/vpp.py
-
-unix {
-    nodaemon
-    log /var/log/vpp.log
-    full-coredump
-    cli-listen /run/vpp/cli.sock
-    gid vpp
-    # exec /etc/vpp/bootstrap.vpp
-{% if unix is vyos_defined %}
-{%     if unix.poll_sleep_usec is vyos_defined %}
-    poll-sleep-usec {{ unix.poll_sleep_usec }}
-{%     endif %}
-{% endif %}
-}
-
-{% if cpu is vyos_defined %}
-cpu {
-{%     if cpu.main_core is vyos_defined %}
-    main-core {{ cpu.main_core }}
-{%     endif %}
-{%     if cpu.corelist_workers is vyos_defined %}
-    corelist-workers {{ cpu.corelist_workers | join(',') }}
-{%     endif %}
-{%     if cpu.skip_cores is vyos_defined %}
-    skip-cores {{ cpu.skip_cores }}
-{%     endif %}
-{%     if cpu.workers is vyos_defined %}
-    workers {{ cpu.workers }}
-{%     endif %}
-}
-{% endif %}
-
-{# ip heap-size does not work now (23.06-rc2~1-g3a4e62ad4) #}
-{# vlib_call_all_config_functions: unknown input `ip  heap-size 32M ' #}
-{% if ip is vyos_defined %}
-#ip {
-#{%     if ip.heap_size is vyos_defined %}
-#    heap-size {{ ip.heap_size }}M
-#{%     endif %}
-#}
-{% endif %}
-
-{% if ip6 is vyos_defined %}
-ip6 {
-{%     if ip6.hash_buckets is vyos_defined %}
-    hash-buckets {{ ip6.hash_buckets }}
-{%     endif %}
-{%     if ip6.heap_size is vyos_defined %}
-    heap-size {{ ip6.heap_size }}M
-{%     endif %}
-}
-{% endif %}
-
-{% if l2learn is vyos_defined %}
-l2learn {
-{%     if l2learn.limit is vyos_defined %}
-    limit {{ l2learn.limit }}
-{%     endif %}
-}
-{% endif %}
-
-{% if logging is vyos_defined %}
-logging {
-{%     if logging.default_log_level is vyos_defined %}
-    default-log-level {{ logging.default_log_level }}
-{%     endif %}
-}
-{% endif %}
-
-{% if physmem is vyos_defined %}
-physmem {
-{%     if physmem.max_size is vyos_defined %}
-    max-size {{ physmem.max_size.upper() }}
-{%     endif %}
-}
-{% endif %}
-
-plugins {
-    path /usr/lib/x86_64-linux-gnu/vpp_plugins/
-    plugin default { disable }
-    plugin dpdk_plugin.so { enable }
-    plugin linux_cp_plugin.so { enable }
-    plugin linux_nl_plugin.so { enable }
-}
-
-linux-cp {
-    lcp-sync
-    lcp-auto-subint
-}
-
-dpdk {
-    # Whitelist the fake PCI address 0000:00:00.0
-    # This prevents all devices from being added to VPP-DPDK by default
-    dev 0000:00:00.0
-{% for iface, iface_config in interface.items() %}
-{%     if iface_config.pci is vyos_defined %}
-    dev {{ iface_config.pci }} {
-        name {{ iface }}
-{%         if iface_config.num_rx_desc is vyos_defined %}
-        num-rx-desc {{ iface_config.num_rx_desc }}
-{%         endif %}
-{%         if iface_config.num_tx_desc is vyos_defined %}
-        num-tx-desc {{ iface_config.num_tx_desc }}
-{%         endif %}
-{%         if iface_config.num_rx_queues is vyos_defined %}
-        num-rx-queues {{ iface_config.num_rx_queues }}
-{%         endif %}
-{%         if iface_config.num_tx_queues is vyos_defined %}
-        num-tx-queues {{ iface_config.num_tx_queues }}
-{%         endif %}
-        }
-{%     endif %}
-{% endfor %}
-    uio-bind-force
-}
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2
index c3f32da72..83009242b 100644
--- a/data/templates/wifi/hostapd.conf.j2
+++ b/data/templates/wifi/hostapd.conf.j2
@@ -1,5 +1,5 @@
 {# j2lint: disable=operator-enclosed-by-spaces #}
-### Autogenerated by interfaces-wireless.py ###
+### Autogenerated by interfaces_wireless.py ###
 {% if description is vyos_defined %}
 # Description: {{ description }}
 # User-friendly description of device; up to 32 octets encoded in UTF-8
diff --git a/data/templates/wifi/wpa_supplicant.conf.j2 b/data/templates/wifi/wpa_supplicant.conf.j2
index 01e0d632f..ac857a04a 100644
--- a/data/templates/wifi/wpa_supplicant.conf.j2
+++ b/data/templates/wifi/wpa_supplicant.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by interfaces-macsec.py ###
+### Autogenerated by interfaces_wireless.py ###
 
 # see full documentation:
 # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
diff --git a/data/vyos-firewall-init.conf b/data/vyos-firewall-init.conf
index cd7d5011f..5a4e03015 100644
--- a/data/vyos-firewall-init.conf
+++ b/data/vyos-firewall-init.conf
@@ -54,3 +54,22 @@ table ip6 raw {
         type filter hook prerouting priority -300; policy accept;
     }
 }
+
+# Required by VRF
+table inet vrf_zones {
+    # Map of interfaces and connections tracking zones
+    map ct_iface_map {
+        typeof iifname : ct zone
+    }
+    # Assign unique zones for each VRF
+    # Chain for inbound traffic
+    chain vrf_zones_ct_in {
+        type filter hook prerouting priority raw; policy accept;
+        counter ct original zone set iifname map @ct_iface_map
+    }
+    # Chain for locally-generated traffic
+    chain vrf_zones_ct_out {
+        type filter hook output priority raw; policy accept;
+        counter ct original zone set oifname map @ct_iface_map
+    }
+}