summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/templates/accel-ppp/config_shaper_radius.j23
-rw-r--r--data/templates/container/registries.conf.j22
-rw-r--r--data/templates/container/storage.conf.j25
-rw-r--r--data/templates/frr/policy.frr.j26
-rw-r--r--data/templates/ipsec/swanctl/remote_access.j23
-rw-r--r--data/templates/ssh/sshguard_config.j227
-rw-r--r--data/templates/ssh/sshguard_whitelist.j27
7 files changed, 48 insertions, 5 deletions
diff --git a/data/templates/accel-ppp/config_shaper_radius.j2 b/data/templates/accel-ppp/config_shaper_radius.j2
index c256647e4..942cdf132 100644
--- a/data/templates/accel-ppp/config_shaper_radius.j2
+++ b/data/templates/accel-ppp/config_shaper_radius.j2
@@ -6,5 +6,8 @@ attr={{ authentication.radius.rate_limit.attribute }}
{% if authentication.radius.rate_limit.vendor is vyos_defined %}
vendor={{ authentication.radius.rate_limit.vendor }}
{% endif %}
+{% if authentication.radius.rate_limit.multiplier is vyos_defined %}
+rate-multiplier={{ authentication.radius.rate_limit.multiplier }}
+{% endif %}
{% endif %}
{% endif %}
diff --git a/data/templates/container/registries.conf.j2 b/data/templates/container/registries.conf.j2
index 6a3be58d0..2e86466a1 100644
--- a/data/templates/container/registries.conf.j2
+++ b/data/templates/container/registries.conf.j2
@@ -1,4 +1,4 @@
-### Autogenerated by /usr/libexec/vyos/conf_mode/container.py ###
+### Autogenerated by container.py ###
# For more information on this configuration file, see containers-registries.conf(5).
#
diff --git a/data/templates/container/storage.conf.j2 b/data/templates/container/storage.conf.j2
index 97e1a9d0c..665f9bf95 100644
--- a/data/templates/container/storage.conf.j2
+++ b/data/templates/container/storage.conf.j2
@@ -1,5 +1,4 @@
-### Autogenerated by /usr/libexec/vyos/conf_mode/container.py ###
-
+### Autogenerated by container.py ###
[storage]
driver = "vfs"
- graphroot = "/config/containers/storage"
+ graphroot = "/usr/lib/live/mount/persistence/container/storage"
diff --git a/data/templates/frr/policy.frr.j2 b/data/templates/frr/policy.frr.j2
index f0a64cb89..a42b73e98 100644
--- a/data/templates/frr/policy.frr.j2
+++ b/data/templates/frr/policy.frr.j2
@@ -259,6 +259,12 @@ route-map {{ route_map }} {{ rule_config.action }} {{ rule }}
{% if rule_config.set.distance is vyos_defined %}
set distance {{ rule_config.set.distance }}
{% endif %}
+{% if rule_config.set.evpn.gateway.ipv4 is vyos_defined %}
+ set evpn gateway-ip ipv4 {{ rule_config.set.evpn.gateway.ipv4 }}
+{% endif %}
+{% if rule_config.set.evpn.gateway.ipv6 is vyos_defined %}
+ set evpn gateway-ip ipv6 {{ rule_config.set.evpn.gateway.ipv6 }}
+{% endif %}
{% if rule_config.set.extcommunity.bandwidth is vyos_defined %}
set extcommunity bandwidth {{ rule_config.set.extcommunity.bandwidth }}
{% endif %}
diff --git a/data/templates/ipsec/swanctl/remote_access.j2 b/data/templates/ipsec/swanctl/remote_access.j2
index 676ad88b3..d2760ec1f 100644
--- a/data/templates/ipsec/swanctl/remote_access.j2
+++ b/data/templates/ipsec/swanctl/remote_access.j2
@@ -18,7 +18,8 @@
{% endif %}
local {
{% if rw_conf.authentication.id is vyos_defined and rw_conf.authentication.use_x509_id is not vyos_defined %}
- id = '{{ rw_conf.authentication.id }}'
+{# please use " quotes - else Apple iOS goes crazy #}
+ id = "{{ rw_conf.authentication.id }}"
{% endif %}
{% if rw_conf.authentication.server_mode == 'x509' %}
auth = pubkey
diff --git a/data/templates/ssh/sshguard_config.j2 b/data/templates/ssh/sshguard_config.j2
new file mode 100644
index 000000000..58c6ad48d
--- /dev/null
+++ b/data/templates/ssh/sshguard_config.j2
@@ -0,0 +1,27 @@
+### Autogenerated by ssh.py ###
+
+{% if dynamic_protection is vyos_defined %}
+# Full path to backend executable (required, no default)
+BACKEND="/usr/libexec/sshguard/sshg-fw-nft-sets"
+
+# Shell command that provides logs on standard output. (optional, no default)
+# Example 1: ssh and sendmail from systemd journal:
+LOGREADER="LANG=C journalctl -afb -p info -n1 -t sshd -o cat"
+
+#### OPTIONS ####
+# Block attackers when their cumulative attack score exceeds THRESHOLD.
+# Most attacks have a score of 10. (optional, default 30)
+THRESHOLD={{ dynamic_protection.threshold }}
+
+# Block attackers for initially BLOCK_TIME seconds after exceeding THRESHOLD.
+# Subsequent blocks increase by a factor of 1.5. (optional, default 120)
+BLOCK_TIME={{ dynamic_protection.block_time }}
+
+# Remember potential attackers for up to DETECTION_TIME seconds before
+# resetting their score. (optional, default 1800)
+DETECTION_TIME={{ dynamic_protection.detect_time }}
+
+# IP addresses listed in the WHITELIST_FILE are considered to be
+# friendlies and will never be blocked.
+WHITELIST_FILE=/etc/sshguard/whitelist
+{% endif %}
diff --git a/data/templates/ssh/sshguard_whitelist.j2 b/data/templates/ssh/sshguard_whitelist.j2
new file mode 100644
index 000000000..47a950a2b
--- /dev/null
+++ b/data/templates/ssh/sshguard_whitelist.j2
@@ -0,0 +1,7 @@
+### Autogenerated by ssh.py ###
+
+{% if dynamic_protection.allow_from is vyos_defined %}
+{% for address in dynamic_protection.allow_from %}
+{{ address }}
+{% endfor %}
+{% endif %}