10 files changed, 204 insertions, 105 deletions

diff --git a/data/config-mode-dependencies/vyos-1x.json b/data/config-mode-dependencies/vyos-1x.json
index a433c2522..6c86642c7 100644
--- a/data/config-mode-dependencies/vyos-1x.json
+++ b/data/config-mode-dependencies/vyos-1x.json
@@ -1,9 +1,23 @@
 {
-  "firewall": {"conntrack": ["conntrack"], "group_resync": ["conntrack", "nat", "policy-route"]},
+  "conntrack": {"conntrack_sync": ["conntrack_sync"]},
+  "firewall": {
+                "conntrack": ["conntrack"],
+                "conntrack_sync": ["conntrack_sync"],
+                "group_resync": ["conntrack", "nat", "policy-route"]
+              },
   "http_api": {"https": ["https"]},
-  "load_balancing_wan": {"conntrack": ["conntrack"]},
-  "nat": {"conntrack": ["conntrack"]},
-  "nat66": {"conntrack": ["conntrack"]},
+  "load_balancing_wan": {
+                          "conntrack": ["conntrack"],
+                          "conntrack_sync": ["conntrack_sync"]
+                        },
+  "nat": {
+           "conntrack": ["conntrack"],
+           "conntrack_sync": ["conntrack_sync"]
+         },
+  "nat66": {
+             "conntrack": ["conntrack"],
+             "conntrack_sync": ["conntrack_sync"]
+           },
   "pki": {
            "ethernet": ["interfaces-ethernet"],
            "openvpn": ["interfaces-openvpn"],
diff --git a/data/op-mode-standardized.json b/data/op-mode-standardized.json
index ded934bff..ed9bb6cad 100644
--- a/data/op-mode-standardized.json
+++ b/data/op-mode-standardized.json
@@ -26,6 +26,5 @@
 "storage.py",
 "uptime.py",
 "version.py",
-"vrf.py",
-"zone.py"
+"vrf.py"
 ]
diff --git a/data/templates/conntrack/nftables-ct.j2 b/data/templates/conntrack/nftables-ct.j2
index 895f61a55..1e0fc8065 100644
--- a/data/templates/conntrack/nftables-ct.j2
+++ b/data/templates/conntrack/nftables-ct.j2
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 
+{% import 'conntrack/nftables-helpers.j2' as helper_tmpl %}
 {% import 'firewall/nftables-defines.j2' as group_tmpl %}
 
 {% if first_install is not vyos_defined %}
@@ -52,30 +53,7 @@ table ip vyos_conntrack {
         notrack
     }
 
-    ct helper rpc_tcp {
-        type "rpc" protocol tcp;
-    }
-
-    ct helper rpc_udp {
-        type "rpc" protocol udp;
-    }
-
-    ct helper tns_tcp {
-        type "tns" protocol tcp;
-    }
-
-    chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{%     if modules[module] is vyos_defined %}
-{%         if 'nftables' in module_conf %}
-{%             for rule in module_conf.nftables %}
-        {{ rule }}
-{%             endfor %}
-{%         endif %}
-{%     endif %}
-{% endfor %}
-        return
-    }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=True) }}
 
     chain FW_CONNTRACK {
         {{ ipv4_firewall_action }}
@@ -140,30 +118,7 @@ table ip6 vyos_conntrack {
         notrack
     }
 
-    ct helper rpc_tcp {
-        type "rpc" protocol tcp;
-    }
-
-    ct helper rpc_udp {
-        type "rpc" protocol udp;
-    }
-
-    ct helper tns_tcp {
-        type "tns" protocol tcp;
-    }
-
-    chain VYOS_CT_HELPER {
-{% for module, module_conf in module_map.items() %}
-{%     if modules[module] is vyos_defined %}
-{%         if 'nftables' in module_conf %}
-{%             for rule in module_conf.nftables %}
-        {{ rule }}
-{%             endfor %}
-{%         endif %}
-{%     endif %}
-{% endfor %}
-        return
-    }
+{{ helper_tmpl.conntrack_helpers(module_map, modules, ipv4=False) }}
 
     chain FW_CONNTRACK {
         {{ ipv6_firewall_action }}
diff --git a/data/templates/conntrack/nftables-helpers.j2 b/data/templates/conntrack/nftables-helpers.j2
new file mode 100644
index 000000000..433931162
--- /dev/null
+++ b/data/templates/conntrack/nftables-helpers.j2
@@ -0,0 +1,70 @@
+{% macro conntrack_helpers(module_map, modules, ipv4=True) %}
+{% if modules.ftp is vyos_defined %}
+    ct helper ftp_tcp {
+        type "ftp" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.h323 is vyos_defined %}
+    ct helper ras_udp {
+        type "RAS" protocol udp;
+    }
+
+    ct helper q931_tcp {
+        type "Q.931" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.pptp is vyos_defined and ipv4 %}
+    ct helper pptp_tcp {
+        type "pptp" protocol tcp;
+    }
+{% endif %}
+
+{% if modules.nfs is vyos_defined %}
+    ct helper rpc_tcp {
+        type "rpc" protocol tcp;
+    }
+
+    ct helper rpc_udp {
+        type "rpc" protocol udp;
+    }
+{% endif %}
+
+{% if modules.sip is vyos_defined %}
+    ct helper sip_tcp {
+        type "sip" protocol tcp;
+    }
+
+    ct helper sip_udp {
+        type "sip" protocol udp;
+    }
+{% endif %}
+
+{% if modules.tftp is vyos_defined %}
+    ct helper tftp_udp {
+        type "tftp" protocol udp;
+    }
+{% endif %}
+
+{% if modules.sqlnet is vyos_defined %}
+    ct helper tns_tcp {
+        type "tns" protocol tcp;
+    }
+{% endif %}
+
+    chain VYOS_CT_HELPER {
+{% for module, module_conf in module_map.items() %}
+{%     if modules[module] is vyos_defined %}
+{%         if 'nftables' in module_conf %}
+{%             if module_conf.ipv4 is not vyos_defined or module_conf.ipv4 == ipv4 %}
+{%                 for rule in module_conf.nftables %}
+        {{ rule }}
+{%                 endfor %}
+{%             endif %}
+{%         endif %}
+{%     endif %}
+{% endfor %}
+        return
+    }
+{% endmacro %}
diff --git a/data/templates/conntrack/vyos_nf_conntrack.conf.j2 b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
index 111459485..197155d96 100644
--- a/data/templates/conntrack/vyos_nf_conntrack.conf.j2
+++ b/data/templates/conntrack/vyos_nf_conntrack.conf.j2
@@ -1,3 +1,2 @@
 # Autogenerated by conntrack.py
-options nf_conntrack hashsize={{ hash_size }} nf_conntrack_helper=1
-
+options nf_conntrack hashsize={{ hash_size }}
diff --git a/data/templates/dns-dynamic/ddclient.conf.j2 b/data/templates/dns-dynamic/ddclient.conf.j2
index 421daf1df..5905b19ea 100644
--- a/data/templates/dns-dynamic/ddclient.conf.j2
+++ b/data/templates/dns-dynamic/ddclient.conf.j2
@@ -28,19 +28,21 @@ syslog=yes
 ssl=yes
 pid={{ config_file | replace('.conf', '.pid') }}
 cache={{ config_file | replace('.conf', '.cache') }}
-{# Explicitly override global options for reliability #}
-web=googledomains {# ddclient default ('dyndns') doesn't support ssl and results in process lockup #}
-use=no            {# ddclient default ('ip') results in confusing warning message in log #}
+{# ddclient default (web=dyndns) doesn't support ssl and results in process lockup #}
+web=googledomains
+{# ddclient default (use=ip) results in confusing warning message in log #}
+use=no
 
 {% if address is vyos_defined %}
 {%     for address, service_cfg in address.items() %}
 {%         if service_cfg.rfc2136 is vyos_defined %}
 {%             for name, config in service_cfg.rfc2136.items() %}
 {%                 if config.description is vyos_defined %}
-# {{ config.description }}
 
+# {{ config.description }}
 {%                 endif %}
 {%                 for host in config.host_name if config.host_name is vyos_defined %}
+
 # RFC2136 dynamic DNS configuration for {{ name }}: [{{ config.zone }}, {{ host }}]
 {# Don't append 'new-style' compliant suffix ('usev4', 'usev6', 'ifv4', 'ifv6' etc.)
    to the properties since 'nsupdate' doesn't support that yet. #}
@@ -54,16 +56,17 @@ use=no            {# ddclient default ('ip') results in confusing warning messag
 {%         if service_cfg.service is vyos_defined %}
 {%             for name, config in service_cfg.service.items() %}
 {%                 if config.description is vyos_defined %}
-# {{ config.description }}
 
+# {{ config.description }}
 {%                 endif %}
 {%                 for host in config.host_name if config.host_name is vyos_defined %}
 {%                     set ip_suffixes = ['v4', 'v6'] if config.ip_version == 'both'
-                                                      else [config.ip_version[2:]] %} {# 'ipvX' -> 'vX' #}
+                                                      else [config.ip_version[2:]] %}
+
 # Web service dynamic DNS configuration for {{ name }}: [{{ config.protocol }}, {{ host }}]
 {{ render_config(host, address, service_cfg.web_options, ip_suffixes,
                  protocol=config.protocol, server=config.server, zone=config.zone,
-                 login=config.username, password=config.password) }}
+                 login=config.username, password=config.password, ttl=config.ttl) }}
 
 {%                 endfor %}
 {%             endfor %}
diff --git a/data/templates/dns-dynamic/override.conf.j2 b/data/templates/dns-dynamic/override.conf.j2
index 6ca1b8a45..4a6851cef 100644
--- a/data/templates/dns-dynamic/override.conf.j2
+++ b/data/templates/dns-dynamic/override.conf.j2
@@ -7,4 +7,4 @@ After=vyos-router.service
 PIDFile={{ config_file | replace('.conf', '.pid') }}
 EnvironmentFile=
 ExecStart=
-ExecStart=/usr/bin/ddclient -file {{ config_file }}
+ExecStart={{ vrf_command }}/usr/bin/ddclient -file {{ config_file }}
diff --git a/data/templates/frr/daemons.frr.tmpl b/data/templates/frr/daemons.frr.tmpl
index fe2610724..a65f0868a 100644
--- a/data/templates/frr/daemons.frr.tmpl
+++ b/data/templates/frr/daemons.frr.tmpl
@@ -1,4 +1,26 @@
-zebra=yes
+#
+# The watchfrr, zebra, mgmtd and staticd daemons are always started.
+#
+# Note: The following FRR-services must be kept disabled because they are replaced by other packages in VyOS:
+#
+# pimd   Replaced by package igmpproxy.
+# nhrpd  Replaced by package opennhrp.
+# pbrd   Replaced by PBR in nftables.
+# vrrpd  Replaced by package keepalived.
+#
+# And these must be disabled aswell since they are currently missing a VyOS CLI:
+#
+# eigrp
+# sharpd
+# fabricd
+# pathd
+#
+# The zebra, mgmtd and staticd daemons are always started and can not be disabled
+#
+#zebra=yes
+#mgmtd=yes
+#staticd=yes
+
 bgpd=yes
 ospfd=yes
 ospf6d=yes
@@ -9,49 +31,84 @@ pimd=no
 pim6d=yes
 ldpd=yes
 nhrpd=no
-eigrpd=yes
+eigrpd=no
 babeld=yes
 sharpd=no
 pbrd=no
 bfdd=yes
-staticd=yes
+fabricd=no
+vrrpd=no
+pathd=no
 
-vtysh_enable=yes
-zebra_options="   --daemon -A 127.0.0.1 -s 90000000
-{%- if irdp is defined %} -M irdp{% endif -%}
-{%- if snmp is defined and snmp.zebra is defined %} -M snmp{% endif -%}
-"
-bgpd_options="    --daemon -A 127.0.0.1 -M rpki
-{%- if bmp is defined %} -M bmp{% endif -%}
-{%- if snmp is defined and snmp.bgpd is defined %} -M snmp{% endif -%}
-"
-ospfd_options="   --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ospfd is defined %} -M snmp{% endif -%}
-"
-ospf6d_options="  --daemon -A ::1
-{%- if snmp is defined and snmp.ospf6d is defined %} -M snmp{% endif -%}
-"
-ripd_options="    --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ripd is defined %} -M snmp{% endif -%}
-"
-ripngd_options="  --daemon -A ::1"
-isisd_options="   --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.isisd is defined %} -M snmp{% endif -%}
-"
-pimd_options="    --daemon -A 127.0.0.1"
-pim6d_options="   --daemon -A ::1"
-ldpd_options="    --daemon -A 127.0.0.1
-{%- if snmp is defined and snmp.ldpd is defined %} -M snmp{% endif -%}
-"
-mgmtd_options="   --daemon -A 127.0.0.1"
-nhrpd_options="   --daemon -A 127.0.0.1"
-eigrpd_options="  --daemon -A 127.0.0.1"
-babeld_options="  --daemon -A 127.0.0.1"
-sharpd_options="  --daemon -A 127.0.0.1"
-pbrd_options="    --daemon -A 127.0.0.1"
-staticd_options=" --daemon -A 127.0.0.1"
-bfdd_options="    --daemon -A 127.0.0.1"
+#
+# Define defaults for all services even those who shall be kept disabled.
+#
+
+zebra_options="  --daemon -A 127.0.0.1 -s 90000000{{ ' -M snmp' if snmp.zebra is vyos_defined }}{{ ' -M irdp' if irdp is vyos_defined }}"
+mgmtd_options="  --daemon -A 127.0.0.1"
+staticd_options="--daemon -A 127.0.0.1"
+bgpd_options="   --daemon -A 127.0.0.1 -M rpki{{ ' -M snmp' if snmp.bgpd is vyos_defined }}{{ ' -M bmp' if bmp is vyos_defined }}"
+ospfd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ospfd is vyos_defined }}"
+ospf6d_options=" --daemon -A ::1{{ ' -M snmp' if snmp.ospf6d is vyos_defined }}"
+ripd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ripd is vyos_defined }}"
+ripngd_options=" --daemon -A ::1"
+isisd_options="  --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.isisd is vyos_defined }}"
+pimd_options="   --daemon -A 127.0.0.1"
+pim6d_options="  --daemon -A ::1"
+ldpd_options="   --daemon -A 127.0.0.1{{ ' -M snmp' if snmp.ldpd is vyos_defined }}"
+nhrpd_options="  --daemon -A 127.0.0.1"
+eigrpd_options=" --daemon -A 127.0.0.1"
+babeld_options=" --daemon -A 127.0.0.1"
+sharpd_options=" --daemon -A 127.0.0.1"
+pbrd_options="   --daemon -A 127.0.0.1"
+bfdd_options="   --daemon -A 127.0.0.1"
+fabricd_options="--daemon -A 127.0.0.1"
+vrrpd_options="  --daemon -A 127.0.0.1"
+pathd_options="  --daemon -A 127.0.0.1"
+
+#frr_global_options=""
+
+#zebra_wrap=""
+#mgmtd_wrap=""
+#staticd_wrap=""
+#bgpd_wrap=""
+#ospfd_wrap=""
+#ospf6d_wrap=""
+#ripd_wrap=""
+#ripngd_wrap=""
+#isisd_wrap=""
+#pimd_wrap=""
+#pim6d_wrap=""
+#ldpd_wrap=""
+#nhrpd_wrap=""
+#eigrpd_wrap=""
+#babeld_wrap=""
+#sharpd_wrap=""
+#pbrd_wrap=""
+#bfdd_wrap=""
+#fabricd_wrap=""
+#vrrpd_wrap=""
+#pathd_wrap=""
+
+#all_wrap=""
 
+#
+# Other options.
+#
+# For more information see:
+# https://github.com/FRRouting/frr/blob/stable/9.0/tools/etc/frr/daemons
+# https://docs.frrouting.org/en/stable-9.0/setup.html
+#
+
+vtysh_enable=yes
 watchfrr_enable=no
 valgrind_enable=no
 
+#watchfrr_options=""
+
+frr_profile="traditional"
+
+#MAX_FDS=1024
+
+#FRR_NO_ROOT="yes"
+
diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 0a40e1ecf..a75ee9904 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -146,7 +146,7 @@ backend {{ back }}
 {%         if back_config.server is vyos_defined %}
 {%             set ssl_back =  'ssl ca-file /run/haproxy/' ~ back_config.ssl.ca_certificate ~ '.pem' if back_config.ssl.ca_certificate is vyos_defined else '' %}
 {%             for server, server_config in back_config.server.items() %}
-    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
+    server {{ server }} {{ server_config.address }}:{{ server_config.port }}{{ ' check' if server_config.check is vyos_defined }}{{ ' backup' if server_config.backup is vyos_defined }}{{ ' send-proxy' if server_config.send_proxy is vyos_defined }}{{ ' send-proxy-v2' if server_config.send_proxy_v2 is vyos_defined }} {{ ssl_back }}
 {%             endfor %}
 {%         endif %}
 {%         if back_config.timeout.check is vyos_defined %}
diff --git a/data/templates/mdns-repeater/avahi-daemon.j2 b/data/templates/mdns-repeater/avahi-daemon.conf.j2
index e0dfd897e..d562c048f 100644
--- a/data/templates/mdns-repeater/avahi-daemon.j2
+++ b/data/templates/mdns-repeater/avahi-daemon.conf.j2
@@ -1,7 +1,7 @@
 ### Autogenerated by service_mdns-repeater.py ###
 [server]
-use-ipv4=yes
-use-ipv6=yes
+use-ipv4={{ 'yes' if ip_version in ['ipv4', 'both'] else 'no' }}
+use-ipv6={{ 'yes' if ip_version in ['ipv6', 'both'] else 'no' }}
 allow-interfaces={{ interface | join(', ') }}
 {% if browse_domain is vyos_defined and browse_domain | length %}
 browse-domains={{ browse_domain | join(', ') }}
@@ -17,6 +17,8 @@ disable-user-service-publishing=yes
 publish-addresses=no
 publish-hinfo=no
 publish-workstation=no
+publish-aaaa-on-ipv4=no
+publish-a-on-ipv6=no
 
 [reflector]
 enable-reflector=yes